One Article Review

Home - The article:
Source: AlienVault Lab Blog
Identifier: 5489966
Publication date: 2022-06-27 10:00:00 (viewed: 2022-07-01 11:17:02)
Title: Stories from the SOC - Detecting internal reconnaissance
Text: Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary
Reconnaissance is step one of the Cyber Kill Chain. Internal reconnaissance is its in-network form: an actor who already has a foothold collects information about the target network (live hosts, open ports, exposed services) to identify weaknesses that can be exploited. Threat actors use what they learn to choose the most effective way to compromise further systems. Exploitable services found this way can lead to a full network breach, which hands the attacker control of company assets and can end in a ransomware attack costing millions of dollars to remediate, along with a tarnished public image.

The Managed Extended Detection and Response (MXDR) analyst team received two alarms regarding an asset performing network scans within a customer's environment. Further investigation into these alarms revealed that the source asset had scanned 60 unique IPs in the environment and found numerous open ports belonging to services with known vulnerabilities.

Investigation

Initial alarm review
Indicators of Compromise (IOC)
The initial alarm that prompted this investigation was a Darktrace Cyber Intelligence Platform event ingested by USM Anywhere. Its priority level was High, one level below the maximum priority of Critical.

Network scanning is often one of the first steps a threat actor takes when attempting to compromise a network, so an unknown device scanning the network without permission is a red flag at any time. From here, the SOC went deeper into the associated events to see what activity was taking place in the customer's environment. The image shown below is the Darktrace alarm that initiated the investigation.

[Image: Darktrace alarm]

Expanded investigation
Events search
Using the filters built into USM Anywhere, the events were narrowed down to the specific source asset's IP address and host name, so that only events associated with that asset were queried. The following events provided more information about the reconnaissance activity being observed.

[Images: Recon activity 1, Recon activity 2]

Event deep dive
Reviewing the logs from the events shown above, the SOC determined that the source asset had scanned two separate Classless Inter-Domain Routing (CIDR) blocks, discovering and port-scanning 60 unique internal devices. As shown in the log snippets from those events, the scans revealed multiple open ports belonging to services with known vulnerabilities. Most notable is Server Message Block (SMB) on TCP port 445, the service the WannaCry worm exploited (through the EternalBlue SMBv1 exploit) to spread. The logs also show that the source asset detected TCP port 5985, the HTTP listener for Windows Remote Management (WinRM; 5986 is the HTTPS listener). Threat actors use WinRM to move laterally by executing remote commands on other assets from the compromised host; those commands are often scripts that perform malicious activity or implant backdoors to maintain persistence in the network. Lastly, the asset can be seen scanning for Lightweight Directory Access Protocol (LD
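The deep dive described above (filter the events to one source asset, count the distinct targets and CIDR blocks it touched, and call out the ports that matter) can be scripted so the same check runs over any connection log. The following Python is an added example, not AT&T, AlienVault or USM Anywhere code; the five-field event format, the hypothetical addresses 10.10.1.25 and 10.10.1.30, the /24 block assumption, the 20-hosts-in-10-minutes threshold and the sample events are all constructed for this illustration. It goes slightly beyond the article by adding a sliding-window scanner detector in front of the per-asset summary, so that the summary is produced for whichever source trips the threshold.

```python
"""Scripted version of the SOC's event deep dive: flag an internal scanner
and summarise what it touched.

Added example, not AT&T/AlienVault or USM Anywhere code. The event format
("<ISO timestamp> <src> <dst> <dport> <open|closed>"), the addresses and the
thresholds are all assumptions made for this illustration.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports the article calls out, and why each matters to an analyst.
PORTS_OF_INTEREST = {
    445: "SMB: WannaCry/EternalBlue attack surface",
    5985: "WinRM over HTTP: remote command execution, lateral movement",
    389: "LDAP: Active Directory enumeration",
}


def build_sample_log():
    """Constructed sample, not customer data: 10.10.1.25 sweeps 30 hosts across
    two /24s on 445/5985/389/22 in about six minutes, while 10.10.1.30 only
    talks to three servers on 443 over more than an hour."""
    t0 = datetime(2022, 6, 20, 9, 0, 0)
    lines, n = [], 0
    for block in ("10.10.2.", "10.10.3."):
        for host in range(10, 25):  # 15 hosts per block, 30 targets in total
            probes = ((445, "open"), (5985, "open" if host % 2 else "closed"),
                      (389, "closed"), (22, "closed"))
            for port, state in probes:
                ts = t0 + timedelta(seconds=3 * n)
                lines.append(f"{ts.isoformat()} 10.10.1.25 {block}{host} {port} {state}")
                n += 1
    for k, server in enumerate(("10.10.2.10", "10.10.2.11", "10.10.3.20")):
        ts = t0 + timedelta(minutes=40 * k)
        lines.append(f"{ts.isoformat()} 10.10.1.30 {server} 443 open")
    return "\n".join(lines)


def parse_events(text):
    """Parse the assumed five-field event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, state = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "src": ipaddress.ip_address(src),
                       "dst": ipaddress.ip_address(dst),
                       "dport": int(dport), "state": state})
    return events


def scan_alerts(events, min_targets=20, window=timedelta(minutes=10)):
    """Flag every source that reaches at least min_targets distinct hosts
    inside any sliding window of the given length. Returns {src: peak count}."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        live, left = Counter(), 0
        for e in evs:
            live[e["dst"]] += 1
            # Expire events that have fallen out of the window on the left.
            while e["ts"] - evs[left]["ts"] > window:
                old = evs[left]["dst"]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            if len(live) >= min_targets:
                alerts[str(src)] = max(alerts.get(str(src), 0), len(live))
    return alerts


def summarize_source(events, src):
    """Mirror the analyst's deep dive for one asset: unique targets, the
    CIDR blocks (/24, assumed) they fall in, and which ports answered."""
    src = ipaddress.ip_address(src)
    mine = [e for e in events if e["src"] == src]
    targets = {e["dst"] for e in mine}
    blocks = {ipaddress.ip_network(f"{t}/24", strict=False) for t in targets}
    open_hosts = defaultdict(set)
    for e in mine:
        if e["state"] == "open":
            open_hosts[e["dport"]].add(e["dst"])
    open_ports = {port: len(hosts) for port, hosts in open_hosts.items()}
    return {
        "source": str(src),
        "unique_targets": len(targets),
        "cidr_blocks": [str(b) for b in sorted(blocks)],
        "open_ports": open_ports,
        "findings": {p: PORTS_OF_INTEREST[p] for p in open_ports if p in PORTS_OF_INTEREST},
    }


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    for src in scan_alerts(evs):
        print(summarize_source(evs, src))
```

The detector keys on distinct destination hosts per source rather than on raw event volume, which is what separates a sweep like the one in the article from a busy but legitimate server; the per-asset summary then gives the analyst the same three facts the SOC pulled by hand (how many hosts, in which blocks, and which of 445/5985/389 answered).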
Tags: Ransomware, Malware, Threat, Guideline
Stories: WannaCry