Threat Hunting Scenario based on the Cyber Anarchy Squad (C.A.S) Attacks

C.A.S actors gain initial access through the exploitation of public-facing applications, establish persistence, escalate privileges, and utilize various tools and techniques to achieve their objectives, including data exfiltration, encryption, and destruction.

Name:
Threat Hunting Scenario based on the Cyber Anarchy Squad (C.A.S) Attacks

TTP:
T1098 Account Manipulation, T1071 Application Layer Protocol, T1543 Create or Modify System Process, T1485 Data Destruction, T1486 Data Encrypted for Impact, T1190 Exploit Public-Facing Application, T1562 Impair Defenses, T1003 OS Credential Dumping, T1082 System Information Discovery

Hypothesis:

C.A.S actors gain initial access through the exploitation of public-facing applications, establish persistence, escalate privileges, and utilize various tools and techniques to achieve their objectives, including data exfiltration, encryption, and destruction.

Campaign Type:
Hybrid

Data Sources:

  • Windows Security Event Logs
  • Sysmon Logs
  • Network Traffic Logs
  • Endpoint Detection and Response (EDR) Telemetry
  • Antivirus Logs
  • Firewall Logs
  • Web Server Logs
  • Database Logs

Tools:

  • SIEM (e.g., Splunk, QRadar, Elastic Stack)
  • EDR Solution
  • Network Analysis Tools (e.g., Wireshark, tcpdump)
  • Malware Analysis Tools (e.g., VirusTotal, Any.Run)

Scenario:

  1. Initial Access: Attackers exploit vulnerabilities in public-facing applications such as Jira, Confluence, and Microsoft SQL Server to gain initial access to the target network.

  2. Execution: Attackers execute commands and scripts using compromised services and tools like PowerShell to establish a foothold and gain further control.

  3. Persistence: Attackers create new user accounts, modify registry keys, and utilize the Startup folder to maintain persistence within the compromised systems.

  4. Privilege Escalation: Attackers leverage privilege escalation techniques to gain higher-level permissions and access sensitive resources.

  5. Defense Evasion: Attackers disable security tools and endpoint protection agents to avoid detection and hinder incident response efforts.

  6. Credential Access: Attackers employ tools like Mimikatz, XenAllPassword Pro, and Browser Thief to steal credentials and gain access to additional accounts and systems.

  7. Discovery: Attackers conduct system information discovery activities to gather information about the network, systems, and users, aiding in lateral movement and target selection.

  8. Lateral Movement: Attackers move laterally within the network, compromising additional systems and expanding their access.

  9. Command and Control: Attackers establish C2 communication channels using reverse shells, RATs like Revenge RAT and Spark RAT, and Meterpreter to control compromised systems and exfiltrate data.

  10. Data Encrypted for Impact: Attackers deploy ransomware payloads like leaked LockBit and Babuk builders to encrypt critical data and disrupt operations.

  11. Data Destruction: Attackers utilize the dd system utility to destroy data on specific servers and further damage the victim’s infrastructure.

Suspected TTP

  • Exploitation of vulnerable Jira, Confluence, and Microsoft SQL Server services.
  • Use of open-source remote access Trojans (RATs) like Revenge RAT and Spark RAT.
  • Execution of commands via compromised MS SQL services and PowerShell.
  • Creation of new user accounts.
  • Persistence via registry keys and Startup folder.
  • Creation of watchdog timer files and services.
  • Disabling of security tools and endpoint protection agents.
  • Use of Mimikatz, XenAllPassword Pro, and Browser Thief for credential theft.
  • Collection of system information via various commands and WMI queries.
  • Use of reverse shells, Revenge RAT, Spark RAT, and Meterpreter for C2 communication.
  • Data encryption using leaked LockBit and Babuk ransomware builders.
  • Data destruction using the dd system utility.

Hunting Strategy:

  1. Data Collection: Collect relevant data from various sources, including Windows Security Event Logs, Sysmon logs, network traffic logs, EDR telemetry, antivirus logs, firewall logs, web server logs, and database logs.

  2. Log Analysis: Analyze the collected logs for indicators of compromise related to C.A.S TTPs, such as:

    • Exploitation attempts targeting public-facing applications.
    • Suspicious process creation and execution events.
    • Account creation and privilege escalation activities.
    • Defense evasion techniques like disabling security tools.
    • Credential dumping and system information discovery commands.
    • Network connections to known C2 servers.
    • Ransomware execution and data encryption events.
    • Data destruction activities.

  3. Threat Intelligence Enrichment: Leverage threat intelligence feeds and C.A.S-related indicators of compromise (IOCs) to identify potentially malicious activity.

  4. Correlation and Pattern Analysis: Correlate events from different data sources to identify patterns and anomalies indicative of C.A.S attacks.

  5. Investigation and Validation: Investigate suspicious events and outliers to validate potential threats and determine the extent of compromise.

  6. Remediation: Isolate compromised systems, remove malware, and patch vulnerabilities to contain the attack and prevent further damage.

  7. Reporting: Document findings, create comprehensive reports, and share information with relevant stakeholders to improve security posture and prevent future attacks.

 

 

Threat Emulation Scenario for C.A.S Attacks

This scenario outlines the steps to emulate the tactics, techniques, and procedures (TTPs) employed by the Cyber Anarchy Squad (C.A.S) group, based on the provided analysis report.

Objective:

To emulate C.A.S attack techniques to generate representative security events and evaluate the effectiveness of your detection and response capabilities.

Target Techniques:

  • Exploit Public-Facing Application [T1190]
  • Create or Modify System Process [T1543]
  • Account Manipulation [T1098]
  • New Service [T1050]
  • Impair Defenses [T1562]
  • OS Credential Dumping [T1003]
  • System Information Discovery [T1082]
  • Command and Control [T1071]
  • Data Encrypted for Impact [T1486]
  • Data Destruction [T1485]

Environment:

  • A controlled test environment that mirrors your production environment as closely as possible.
  • Relevant security monitoring tools (e.g., SIEM, EDR) configured to collect logs and events.
  • Necessary auditing policies enabled for operating systems and applications.

Emulation Steps:

  1. Initial Access:

    • Choose a representative public-facing application (e.g., web server, database) to simulate exploitation.
    • Utilize a publicly available exploit tool (e.g., Metasploit) or a proof-of-concept exploit code to simulate the compromise.
    • Ensure the chosen exploit matches the vulnerability profile of C.A.S attacks (e.g., vulnerable Jira, Confluence, or MS SQL Server).

  2. Execution:

    • Simulate command execution via compromised services (e.g., MS SQL Server) or tools like PowerShell.
    • Execute benign commands or scripts that mimic C.A.S post-exploitation activities (e.g., system information gathering, file manipulation).

  3. Persistence:

    • Create a new user account with a weak password (e.g., “cas”).
    • Add registry keys to HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun to simulate persistence.
    • Copy a benign executable to the Startup folder.

  4. Privilege Escalation:

    • If applicable, simulate privilege escalation techniques to gain higher-level permissions.
    • Use publicly available tools or scripts that mimic C.A.S privilege escalation methods.

  5. Defense Evasion:

    • Simulate disabling or impairing security tools (e.g., antivirus, endpoint protection).
    • Modify Windows Defender exclusion lists to include system directories.
    • Use obfuscation or encryption techniques to hide malicious activity.

  6. Credential Access:

    • Utilize tools like Mimikatz, XenAllPassword Pro, or Browser Thief to simulate credential theft.
    • Capture and exfiltrate dummy credentials or hashes.

  7. Discovery:

    • Execute various commands and scripts to simulate system information discovery.
    • Collect information about the operating system, network configuration, and installed software.

  8. Lateral Movement:

    • If applicable, simulate lateral movement techniques to access other systems within the network.
    • Use compromised credentials or exploit lateral movement vulnerabilities.

  9. Command and Control:

    • Establish a connection to a controlled C2 server using tools like Revenge RAT, Spark RAT, or Meterpreter.
    • Simulate C2 communication and data exfiltration.

  10. Data Encrypted for Impact:

    • Deploy a benign ransomware simulator or modify a publicly available ransomware builder (e.g., LockBit, Babuk) to encrypt dummy files.
    • Create a ransom note mimicking C.A.S ransom note format.

  11. Data Destruction:

    • Utilize the dd system utility to overwrite dummy data on a designated drive or partition.
    • Simulate data destruction activities observed in C.A.S attacks.

Evaluation:

  • Monitor security alerts and events generated during the emulation.
  • Analyze the effectiveness of your detection rules and security controls in identifying C.A.S TTPs.
  • Identify gaps in your defenses and areas for improvement.
  • Refine your detection rules and response procedures based on the emulation results.

Note:

  • Ensure all emulation activities are conducted in a controlled environment and do not impact production systems.
  • Use benign tools and scripts to avoid causing actual damage or disruption.
  • Document all emulation steps and findings for future reference and improvement.

False Positive Consideration:

  • Legitimate use of system administration tools and commands.
  • Normal network traffic patterns that may resemble C2 communication.
  • Benign software or scripts that exhibit similar behavior to C.A.S tools.

Recommendations:

  • Regularly update and patch public-facing applications to mitigate vulnerabilities exploited by C.A.S.
  • Implement strong password policies, multi-factor authentication, and least privilege principles to prevent unauthorized access.
  • Maintain comprehensive security monitoring and logging capabilities to detect and respond to suspicious activity.
  • Utilize threat intelligence feeds and IOCs to proactively identify C.A.S-related threats.
  • Conduct regular security awareness training to educate users about phishing and other social engineering tactics.
  • Develop and test incident response plans to ensure effective handling of C.A.S attacks.

D3 Diagram:

Leave a Reply