One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1054429
Publication date 2019-03-05 15:36:00 (viewed: 2019-03-05 17:02:39)
Title Mapping TrickBot and RevengeRAT with MITRE ATT&CK and AlienVault USM Anywhere
Text
MITRE ATT&CK™ (Adversarial Tactics, Techniques and Common Knowledge) is a framework for understanding attackers' behaviors and actions. We are pleased to announce that AlienVault USM Anywhere and Open Threat Exchange (OTX) now include MITRE ATT&CK™ information. By mapping alarms to their corresponding ATT&CK techniques, we help prioritize analysis work by making the context and scope of an attack clear. Below we've outlined how this new capability can help you investigate two threats: TrickBot and RevengeRAT.

Mapping a TrickBot infection with ATT&CK

TrickBot is a malware family discovered a few years ago targeting the banking industry; investigations show it is still active and evolving. The malware is usually delivered as Office documents attached to spear-phishing emails. This particular sample works by running a PowerShell script via the command line from the malicious Excel document. The script loads the code that needs to be executed into memory and runs the payload. To run the payload without being detected, the malware tries to disable and evade anti-malware protection. Once that is done, it copies itself to another location and runs from there. It also spawns instances of the svchost.exe process to perform several tasks, such as downloading config files and injecting into browsers to steal user credentials. AlienVault USM Anywhere detects and tracks this malware behavior and maps each behavior to its ATT&CK definition. This provides a clear understanding of the attack's stage and tactics, and makes the analysis work easier.

Running the sample in our environment, we can observe the different alarms that USM Anywhere triggers automatically once the malicious Office document is opened by the user:

- Suspicious Process Created by Microsoft Office Application
- Suspicious Powershell Encoded Command Executed
- Windows Defender Disabled
- Windows Unusual Process Parent
- Tor Malicious SSL Certificate

Now it's possible to see those alarms mapped to the ATT&CK matrix:

As we can observe, the ATT&CK matrix provides visibility of the techniques and tactics that TrickBot uses, starting with Execution tactics, continuing through Defense Evasion mechanisms and finishing with Command and Control activity. The first alarm in the kill chain is Suspicious Process Created by Microsoft Office Application. After opening the malicious document, the process EXCEL.EXE creates a new process to run a PowerShell command and load code in memory using the IO.MemoryStream class. We can see how the alarm Suspicious Powershell Encoded Command Executed detected the malicious activity and the encoded command trying to evade detection.
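As an added example (not code from the AlienVault post or from USM Anywhere), the Python below expresses the first two alarms of this kill chain as detection rules over constructed process-creation events, decodes the PowerShell -EncodedCommand payload to look for the IO.MemoryStream in-memory load, and tags each hit with an ATT&CK tactic and technique ID. The alarm names follow the post; the technique IDs are my own mapping against the current ATT&CK framework, and the sample events and payload text are constructed.

```python
import base64
import re

# Assumption: technique IDs are this example's mapping to current ATT&CK, not USM Anywhere's.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -en, -enc).
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or odd byte count
        return None

def analyse_event(ev):
    """Return (alarm, tactic, technique) triples matched by one process-creation event."""
    findings = []
    parent, image = ev["parent"].lower(), ev["image"].lower()
    if parent in OFFICE_PARENTS and image in SCRIPT_CHILDREN:
        findings.append(("Suspicious Process Created by Microsoft Office Application",
                         "Execution", "T1204.002"))  # User Execution: Malicious File
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        findings.append(("Suspicious Powershell Encoded Command Executed",
                         "Execution", "T1059.001"))  # Command and Scripting Interpreter: PowerShell
        if "io.memorystream" in decoded.lower():  # payload staged in memory, never on disk
            findings.append(("In-memory payload load via IO.MemoryStream",
                             "Defense Evasion", "T1620"))  # Reflective Code Loading
    return findings

def triage(events):
    """Run every event through the rules; return {event index: findings} for hits only."""
    hits = {i: analyse_event(ev) for i, ev in enumerate(events)}
    return {i: f for i, f in hits.items() if f}

# Constructed sample events (not from the article), shaped like normalised process-creation logs.
PAYLOAD_TEXT = "$s = New-Object IO.MemoryStream; $s.Write($b, 0, $b.Length)"
ENCODED_TEXT = base64.b64encode(PAYLOAD_TEXT.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + ENCODED_TEXT},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
]
```

Only the Excel-spawned event produces findings; the interactive PowerShell launched from explorer.exe stays silent, which is the parent-process context the alarms rely on.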
Sent Yes
Digest alienvault anywhere att&ck mapping mitre revengerat trickbot usm


The article does not seem to have been picked up after its publication.


The article does not seem to have been taken from an earlier one.