Hunting all around for TA397 RATs

Attackers are using phishing emails to deliver malicious attachments that gather system information and exfiltrate it to a remote server.

Name:
Hunting all around for TA397 RATs

TTP:
T1071.001 Application Layer Protocol: Web Protocols, T1566 Phishing, T1082 System Information Discovery, T1204 User Execution

Hypothesis:

Attackers are using phishing emails to deliver malicious attachments that gather system information and exfiltrate it to a remote server.

Campaign Type:
Data Driven

Data Sources:

  • Windows Security Event Log (Event ID 4688 process creation, Event ID 4689 process termination; enable command-line auditing so 4688 records the command line)
  • Sysmon Event Log (Event ID 1 process creation, Event ID 10 process access; Event ID 3 network connection is useful for tying C2 traffic back to a process)
  • Network Traffic Logs (proxy, firewall or NetFlow records, or packet captures analyzed in Wireshark)

Tools:

  • PowerShell
  • Splunk
  • Sysmon
  • Wireshark

Scenario:

  • Initial Access: Attacker sends phishing emails with malicious attachments.
  • Execution: Victim opens the attachment, executing the malicious code.
  • Defense Evasion: Attacker may use obfuscation techniques (encoded or hidden script invocations, packed payloads) to evade detection.
  • Discovery: Malware gathers system information, such as OS version, installed software, and network configuration.
  • Command and Control: Malware establishes communication with a C2 server, typically over HTTP/HTTPS so it blends with normal web traffic (T1071.001).
  • Exfiltration: The collected information is exfiltrated to the C2 server.
  • Impact: Attacker gains access to sensitive information, potentially leading to further attacks or data breaches.

Hunting Strategy:

  1. Query the Windows Security Event Log (4688) and Sysmon Event Log (Event ID 1, Event ID 10) for process creation or process access events where a mail client or Office application is the parent of a script interpreter or LOLBin (powershell.exe, cmd.exe, wscript.exe, mshta.exe, rundll32.exe), or where the image runs from a user-writable path such as %TEMP% or Downloads.
  2. Correlate the events by process GUID/PID and parent process to rebuild the execution tree from the attachment downward, and identify any patterns or anomalies across hosts.
  3. Investigate any outliers or suspicious events, such as hidden or encoded PowerShell command lines and binaries that appeared on disk moments before they ran.
  4. Correlate network traffic logs with the flagged processes and check for communication with known malicious IP addresses or domains, or for periodic outbound connections to hosts the process has no business contacting.
  5. Validate potential threats by checking the file hashes of the flagged binaries against known malicious hashes or signatures.
  6. Remediate by isolating the host, removing the attacker's access (terminating the process, deleting persistence, resetting exposed credentials) and patching any vulnerabilities that were exploited; note that in this scenario execution depends on the user opening the attachment rather than on a software exploit.
  7. Report findings and recommendations to the organization.

Recommendations:

  • Implement strong password policies and multi-factor authentication.
  • Monitor for any unauthorized access to sensitive data.
  • Keep systems and applications up-to-date with the latest security patches.
  • Educate users about phishing attacks and how to identify suspicious emails.

Step-by-Step Guide to Emulate a Threat Hunt

Prepare the Environment

  1. Set up a test environment with necessary security monitoring tools installed.
  2. Enable relevant auditing policies for the operating system and applications (process creation auditing with command-line logging, and a Sysmon configuration that covers process creation, process access and network connections).
  3. Configure a centralized log management system for collecting and storing security events.

Emulate the Attack Techniques

  1. Execute commands and actions that simulate the suspected attack techniques.
  2. Use relevant attack tools or scripts to generate representative security events.

Emulate Post-Compromise Activities

  1. Simulate post-compromise activities, such as privilege escalation, lateral movement, and data exfiltration, to generate corresponding security events.
  2. Use appropriate tools and techniques to emulate these activities in a controlled manner.

Collect and Analyze Logs

  1. Collect the generated security event logs from your centralized log management system.
  2. Use analysis tools to search for events related to the emulated attack techniques.
  3. Filter events based on relevant criteria, such as process names, command-line parameters, network connections, and registry activity.
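The following is an added example, not code from the original page or from any published TA397 analysis, showing steps 1 to 5 of the Hunting Strategy above and the filtering described in "Collect and Analyze Logs" as working logic over a handful of constructed Sysmon-style records. The parent and child process lists, the placeholder SHA256 values, the 203.0.113.45 address (a documentation range, not a real indicator) and the sample events are all assumptions made for the example; the Python is meant as the prototype you would later translate into your Splunk search.

```python
"""Added example (not from the original page): a small hunt that walks
Sysmon-style telemetry the way steps 1-5 of the Hunting Strategy describe.
Events, hashes and IPs below are constructed placeholders, not TA397 IOCs.
"""
import ipaddress

# Assumption: mail/Office clients that rarely have a legitimate reason to
# spawn an interpreter. Tune per environment.
PHISHING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters and LOLBins that a macro or script attachment typically spawns.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Constructed IOC lists: placeholder values only.
KNOWN_BAD_SHA256 = {"aa" * 32}
KNOWN_BAD_IPS = {"203.0.113.45"}          # TEST-NET-3 documentation address
# Addresses treated as internal. Documentation ranges such as 203.0.113.0/24
# are deliberately not listed so the constructed sample counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def _proc(guid, image, parent_guid, parent_image, cmd, sha256):
    """Build a Sysmon Event ID 1 (process creation) style record."""
    return {"EventID": 1, "ProcessGuid": guid, "Image": image,
            "ParentProcessGuid": parent_guid, "ParentImage": parent_image,
            "CommandLine": cmd, "Hashes": "SHA256=" + sha256}

def _net(guid, image, ip, port):
    """Build a Sysmon Event ID 3 (network connection) style record."""
    return {"EventID": 3, "ProcessGuid": guid, "Image": image,
            "DestinationIp": ip, "DestinationPort": port, "Initiated": True}

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\update.exe"

# Constructed sample telemetry: one phishing chain and one benign admin script.
SAMPLE_EVENTS = [
    _proc("{P1}", OFFICE + r"\OUTLOOK.EXE", "{P0}", r"C:\Windows\explorer.exe",
          "outlook.exe", "11" * 32),
    _proc("{P2}", OFFICE + r"\WINWORD.EXE", "{P1}", OFFICE + r"\OUTLOOK.EXE",
          r'winword.exe /n "C:\Users\alice\AppData\Local\Temp\invoice.docx"', "22" * 32),
    _proc("{P3}", PS, "{P2}", OFFICE + r"\WINWORD.EXE",
          "powershell.exe -nop -w hidden -enc SQBFAFgA", "33" * 32),
    _net("{P3}", PS, "203.0.113.45", 443),
    _proc("{P4}", TEMP_EXE, "{P3}", PS, "update.exe", "aa" * 32),
    _net("{P4}", TEMP_EXE, "203.0.113.45", 80),
    _proc("{P5}", PS, "{P0}", r"C:\Windows\System32\svchost.exe",
          r"powershell.exe -File C:\scripts\inventory.ps1", "33" * 32),
    _net("{P5}", PS, "10.0.0.5", 5985),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_hashes(field):
    """'SHA256=ab..,MD5=cd..' -> {'SHA256': 'ab..', 'MD5': 'cd..'}"""
    out = {}
    for part in field.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().upper()] = v.strip().lower()
    return out

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def hunt(events, bad_hashes=KNOWN_BAD_SHA256, bad_ips=KNOWN_BAD_IPS):
    creates = [e for e in events if e["EventID"] == 1]
    by_guid = {e["ProcessGuid"]: e for e in creates}
    # Step 1: seed on a mail/Office client spawning an interpreter or LOLBin.
    seeds = [e for e in creates
             if basename(e["ParentImage"]) in PHISHING_PARENTS
             and basename(e["Image"]) in SUSPICIOUS_CHILDREN]
    findings = []
    for seed in seeds:
        # Step 2: follow the process tree down from the seed via ParentProcessGuid.
        chain, stack = [], [seed["ProcessGuid"]]
        while stack:
            g = stack.pop()
            if g in chain:
                continue
            chain.append(g)
            stack.extend(e["ProcessGuid"] for e in creates if e["ParentProcessGuid"] == g)
        # Step 4: outbound connections from the chain to non-internal addresses.
        external = [(e["ProcessGuid"], e["DestinationIp"], e["DestinationPort"])
                    for e in events if e["EventID"] == 3 and e["ProcessGuid"] in chain
                    and e["Initiated"] and is_external(e["DestinationIp"])]
        # Step 5: validate against hash and IP indicators.
        hash_hits = [g for g in chain
                     if parse_hashes(by_guid[g]["Hashes"]).get("SHA256") in bad_hashes]
        ip_hits = sorted({ip for _, ip, _ in external if ip in bad_ips})
        if hash_hits or ip_hits:
            verdict = "confirmed"
        elif external:
            verdict = "likely"
        else:
            verdict = "review"      # Step 3: an outlier that still needs analyst triage
        findings.append({"seed": seed["ProcessGuid"],
                         "parent": basename(seed["ParentImage"]),
                         "child": basename(seed["Image"]),
                         "command_line": seed["CommandLine"],
                         "chain": chain, "external_connections": external,
                         "hash_hits": hash_hits, "ip_hits": ip_hits,
                         "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["verdict"], f["parent"], "->", f["child"], f["command_line"])
        print("  chain:", f["chain"], "external:", f["external_connections"])
```

On the sample data the benign inventory script (PowerShell under svchost.exe, talking to an internal host) is never seeded, while the Outlook to Word to PowerShell chain is seeded, extended to the dropped update.exe, tied to two outbound connections and confirmed by both the hash and the IP list. A seed with no external connection and no IOC match comes back as "review", which is the bucket the false-positive notes below apply to.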

Refine Detections

  1. Analyze the collected logs to identify patterns and refine your detection rules.
  2. Consider expressing the refined logic as Sigma rules (for log events such as the parent/child process pairs) and YARA rules (for the attachment and dropped files on disk) so the detections are portable across tools.
  3. Document your analysis and findings to improve future threat hunting efforts.

False Positive Consideration:

  • Legitimate applications may exhibit similar behavior to the malware; Office add-ins, help-desk scripts launched from Outlook and inventory tools also gather system information.
  • Network traffic to legitimate websites (content delivery networks, cloud storage, software update services) may be flagged as suspicious; confirm the destination and the process before escalating.
