One Article Review

Source: AlienVault Blog
Identifier: 1734470
Publication date: 2020-05-26 11:00:00 (seen: 2020-05-26 12:01:20)
Title: Stories from the SOC - System compromise with lateral movement
Text:

Executive Summary

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Malicious network traffic from foreign IPs was observed trying to establish communication with a compromised internal system. The internal system was then observed attempting lateral movement to other internal systems; those actions were ultimately blocked by the on-premises Host Intrusion Detection System (HIDS).

Investigation

Initial Alarm Review

Indicators of Compromise (IOC)

Image 1 - Initial Alarm (suspicious behavior detected)

Observing the initial alarm, the first event captured was an internal IP calling out to a known malicious C2 IP (208[.]100[.]26[.]245). This single event is an initial clue that the internal system may be compromised. A hasty review could suggest closing the alarm as auto-mitigated, since the session was observed to have been denied. But a good analyst should dig a little deeper to confirm that no persistent threat remains on the internal system that tried to call out to the malicious C2 IP: the firewall blocked one connection, it did nothing about whatever on the host initiated it.

Expanded Investigation

Events Search

Image 2 - Pivot on IP/Events

To investigate the alarm further, we dropped down to the child server (the customer deployment) and pivoted on the events logged for the internal IP (asset 1), in order to correlate and identify any suspicious activity originating from the internal system. The analyst should take full advantage of the visibility into the different data sources compatible with USM Anywhere to build a more complete profile of the traffic generated by the asset in question. In the alarm/event view we observed both firewall and endpoint events associated with the internal IP.

This indicates that the internal IP/asset was undertaking activities that two separate security controls were blocking or denying, and it warrants further investigation.

IOC - Malicious C2 server

Reviewing the endpoint and firewall logs, we confirmed that the internal system was in fact compromised and observed an attacker attempting lateral movement. Specifically, the attacker was trying to reach port 445 (SMB) on another internal asset and brute-force authentication against it. As seen in the screenshot below, event ID 6045 was generated, indicating an "SMB Brute Force Attack" with threat severity "Critical".

Image 3 - Lateral Movement

Reviewing for Additional Indicators

The agent installed on the compromised endpoint gave deeper insight into the system itself: running services, open ports and installed software. Analyzing the enriched data reported by the agent together with previous scans, the compromised system had SMB port 445 open and was running an end-of-life (EOL) version of Windows XP. This means no Microsoft security updates had been installed, so the widely exploited SMB-over-IP vulnerabilities of that era, such as the SMBv1 flaws patched by MS17-010, were almost certainly present on the system (BlueKeep, which the original post names at this point, is a vulnerability in RDP rather than SMB). This evidence further confirmed the asset as a probable entry point for the compromise and formed the basis of our remediation and containment recommendations.

Image - Cyber Kill Chain

Referencing the
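The triage sequence above (initial alarm on a denied C2 connection, pivot on the internal asset across firewall and HIDS events, spot blocked lateral movement, enrich with agent data) can be expressed as correlation logic. The following Python is an added example for this write-up; it is not code from the AT&T post and does not use the USM Anywhere API. The event schema, the internal addresses, timestamps and the asset inventory are constructed for illustration; only the C2 address, HIDS event ID 6045 ("SMB Brute Force Attack", severity critical) and the Windows XP / port 445 findings come from the post.

```python
"""Triage of a 'denied outbound connection to a known C2' alarm.

Added example, not the AT&T/AlienVault post's code or the USM Anywhere API.
Event schema, internal addresses, timestamps and inventory are constructed.
"""
import ipaddress
from datetime import datetime, timedelta

# Indicator is defanged in the post; refang once for exact matching.
KNOWN_C2 = {"208[.]100[.]26[.]245".replace("[.]", ".")}

# Constructed sample events from two data sources, normalized to one schema.
SAMPLE_EVENTS = [
    {"ts": "2020-05-26T10:41:02", "source": "firewall", "src_ip": "10.20.30.40",
     "dst_ip": "208.100.26.245", "dst_port": 443, "action": "deny"},
    {"ts": "2020-05-26T10:41:09", "source": "firewall", "src_ip": "10.20.30.40",
     "dst_ip": "208.100.26.245", "dst_port": 443, "action": "deny"},
    {"ts": "2020-05-26T10:43:15", "source": "hids", "src_ip": "10.20.30.40",
     "dst_ip": "10.20.30.55", "dst_port": 445, "action": "blocked",
     "event_id": 6045, "name": "SMB Brute Force Attack", "severity": "critical"},
    {"ts": "2020-05-26T10:43:21", "source": "hids", "src_ip": "10.20.30.40",
     "dst_ip": "10.20.30.56", "dst_port": 445, "action": "blocked",
     "event_id": 6045, "name": "SMB Brute Force Attack", "severity": "critical"},
    # A second host that called the C2 once, with nothing else following.
    {"ts": "2020-05-26T10:50:30", "source": "firewall", "src_ip": "10.20.30.42",
     "dst_ip": "208.100.26.245", "dst_port": 443, "action": "deny"},
    # Benign traffic from an unrelated asset; must not influence any verdict.
    {"ts": "2020-05-26T10:42:00", "source": "firewall", "src_ip": "10.20.30.41",
     "dst_ip": "151.101.1.69", "dst_port": 443, "action": "allow"},
]

# Constructed inventory standing in for what the endpoint agent and scans report.
ASSET_INVENTORY = {
    "10.20.30.40": {"os": "Windows XP", "eol": True, "open_ports": [135, 139, 445]},
    "10.20.30.42": {"os": "Windows 10", "eol": False, "open_ports": [445]},
}

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def c2_alarms(events):
    """Step 1 (initial alarm): any event to a known C2, allowed *or* denied."""
    return [e for e in events if e["dst_ip"] in KNOWN_C2]

def pivot_on_asset(events, asset_ip, anchor, window=timedelta(hours=1)):
    """Step 2 (expanded investigation): everything the asset originated within
    +/- window of the alarm, across all sources, in time order."""
    lo, hi = anchor - window, anchor + window
    hits = (e for e in events if e["src_ip"] == asset_ip and lo <= _ts(e) <= hi)
    return sorted(hits, key=_ts)

def lateral_movement_indicators(asset_events):
    """Step 3: blocked HIDS events from the asset toward other internal hosts
    (RFC 1918 destination is the 'internal' test here), e.g. event 6045."""
    return [e for e in asset_events
            if e["source"] == "hids" and e["action"] == "blocked"
            and ipaddress.ip_address(e["dst_ip"]).is_private]

def exposure_notes(asset_ip, inventory):
    """Step 4: agent/scan enrichment that turns a hunch into a containment plan."""
    info = inventory.get(asset_ip, {})
    notes = []
    if info.get("eol"):
        notes.append(f"EOL operating system ({info['os']}): no vendor security updates")
    if 445 in info.get("open_ports", []):
        notes.append("SMB/445 open: lateral-movement path and brute-force target")
    return notes

def triage(events, inventory):
    """One verdict per asset that touched the C2. A denied session alone is
    'investigate' (never 'auto-mitigated'); denied C2 followed by blocked
    lateral movement is 'compromised'."""
    verdicts = {}
    for alarm in c2_alarms(events):
        asset = alarm["src_ip"]
        if asset in verdicts:
            continue  # the first alarm per asset anchors the pivot window
        related = pivot_on_asset(events, asset, _ts(alarm))
        lateral = lateral_movement_indicators(related)
        verdicts[asset] = {
            "verdict": "compromised" if lateral else "investigate",
            "c2_attempts": sum(e["dst_ip"] in KNOWN_C2 for e in related),
            "lateral_targets": sorted({e["dst_ip"] for e in lateral}),
            "exposure": exposure_notes(asset, inventory),
        }
    return verdicts

if __name__ == "__main__":
    for asset, verdict in triage(SAMPLE_EVENTS, ASSET_INVENTORY).items():
        print(asset, verdict)
```

The point the code makes is the one the post makes: the firewall deny is matched by c2_alarms regardless of action, so the verdict is never "auto-mitigated". Only after pivoting on the source asset do the two blocked HIDS 6045 events toward other RFC 1918 hosts surface, which flips the verdict to "compromised", and the inventory enrichment (EOL OS, SMB exposed) is what the containment recommendation is built on. The host that only called the C2 once still lands at "investigate", because a single denied beacon says nothing about what is running on it.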
Sent: Yes
Tags: Malware, Threat


The article does not appear to have been republished after its publication.


The article resembles 1 other article(s):
Source: AlienVault Blog; Date (GMT): 2020-05-26 11:00:00; Title: (Déjà vu) Stories from the SOC - System compromise with lateral movement (direct link); Description: same text as the article above; Tags: Malware, Threat