One Article Review

Source AlienVault Lab Blog
Identifier 8355889
Publication date 2023-07-13 10:00:00 (viewed: 2023-07-13 10:06:36)
Title Stories from the SOC: OneNote MalSpam – Detection & response
Text This blog was co-written with Kristen Perreault – Professional Cybersecurity and James Rodriguez – Sr. Specialist Cybersecurity.

Executive summary
Since December 22nd, 2022, there has been an increase in malware sent via phishing emails carrying a OneNote attachment. As with most phishing emails, the end user would open the OneNote attachment, but unlike Microsoft Word or Microsoft Excel, OneNote does not support macros, which is how threat actors previously launched scripts to install malware. Little documentation exists on the tactics, techniques, and procedures (TTPs) observed in these attacks. Some of the TTPs observed included execution of Powershell.exe and Curl.exe once a hidden process was run. Once the hidden executable was clicked on, a connection was made to an external site to attempt to install and execute malware. Once executed, the attacker will unload additional malicious files and gain internal information from within the organization. In this case, malicious files were detected and mitigated by SentinelOne.

Investigation
Initial Alarm Review
Indicators of Compromise (IOC)
The initial alarm came in for malware detected by SentinelOne, which was a .One file type. The file was sourced from Outlook, indicating this was likely a phishing email. Shortly after receiving the initial alarm, the MES SOC Threat Hunters (SECTOR Team) were alerted by a customer experiencing this activity and began their deep dive. Upon entering the file hash obtained from the SentinelOne event, no discernible information regarding the file's purpose was uncovered. This prompted SECTOR to utilize Deep Visibility to gain further insight into the process and purpose of the detected file. Deep Visibility is a feature within SentinelOne that provides comprehensive insight into the activities and behaviors of threats within a network environment.
This feature allows security teams, such as SECTOR, to investigate and respond to threats by providing greater insight into processes, network connections, and file activities. It is an incredibly powerful tool in SentinelOne and is commonly used during the incident response process.

[Image: Deep Visibility in SentinelOne (redacted)]

Expanded investigation
Events Search
A search string was created for Deep Visibility which included the file name and associated file hashes. An event in SentinelOne was found that included a Curl.exe process with the external domain minaato[.]com. When reviewing the domain further, it was determined that this was a file sharing website, and additional malicious indicators were uncovered. Analyzing the DNS request to minaato[.]com showed events with the source process mshta.exe, the target process curl.exe, and the parent process onenote.exe. This chain of processes was the heuristic (behavioral) attribute that prompted SentinelOne to fire off an alert. Utilizing these TTPs and previous source processes, a new query was generated to find any potential file exhibiting the same activity. This led SECTOR to detect another file, Cancellation[.]one.

Event Deep Dive
SECTOR began their event deep dive with an initial IOC-based search query that included the file name and the domain that generated outbound network connections. Pivoting off the results from the initial IOC-based search query, SECTOR created a secondary search query that included the multiple file names, domains, and hashes that were found. These IOCs had not been previously discovered in the wild, but once they were found, SECTOR provided them to the AT&T AlienLabs team for additional detection engines, correlation rules, and OTX (AT&T Open Threat Exchange Platform) pulse updates. After gathering all the IOCs, a third heuristic-based search query was created. This new query aimed to find any remaining events relat
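The behavioral chain described above (onenote.exe spawning mshta.exe, which in turn spawns curl.exe reaching an external domain) can be expressed as a detection rule over endpoint process telemetry. The following is an added example written for this review, not code from the article or from SentinelOne Deep Visibility; the event field names (pid, ppid, name, dns) and the sample events are constructed assumptions, and the rule generalizes the article's chain to any curl/powershell descendant of an Office process so that the strict onenote->mshta->curl pattern is ranked above looser hunting matches.

```python
"""Heuristic detection for the OneNote malspam process chain:
onenote.exe -> mshta.exe -> curl.exe (or powershell.exe) with an outbound DNS lookup.
Telemetry below is constructed sample data; field names are assumptions."""

# Constructed sample process telemetry (not from the article or any real host).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "name": "explorer.exe"},
    {"pid": 200, "ppid": 100, "name": "outlook.exe"},
    {"pid": 300, "ppid": 100, "name": "onenote.exe", "cmdline": "onenote.exe Cancellation.one"},
    {"pid": 310, "ppid": 300, "name": "mshta.exe"},
    {"pid": 320, "ppid": 310, "name": "curl.exe", "dns": "minaato[.]com"},
    {"pid": 400, "ppid": 100, "name": "cmd.exe"},
    {"pid": 410, "ppid": 400, "name": "curl.exe", "dns": "updates.example.internal"},  # benign admin use
    {"pid": 500, "ppid": 300, "name": "powershell.exe"},  # onenote -> powershell, no mshta hop
]

OFFICE_PARENTS = {"onenote.exe", "winword.exe", "excel.exe"}
LOLBIN_DOWNLOADERS = {"curl.exe", "powershell.exe"}

def ancestry(event, by_pid):
    """Return process names from `event` up to the root (child first); guards against pid loops."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur["name"].lower())
        cur = by_pid.get(cur["ppid"])
    return chain

def detect_onenote_chain(events):
    """Flag downloader processes that descend from an Office process.
    severity 'high' mirrors the article's onenote->mshta->curl chain;
    'medium' is any Office ancestor, useful for hunting but noisier."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["name"].lower() not in LOLBIN_DOWNLOADERS:
            continue
        chain = ancestry(e, by_pid)
        idx = next((i for i, n in enumerate(chain) if i > 0 and n in OFFICE_PARENTS), None)
        if idx is None:
            continue  # curl/powershell launched from a shell or scheduler: not this TTP
        strict = len(chain) > 2 and chain[1] == "mshta.exe" and chain[2] in OFFICE_PARENTS
        hits.append({
            "pid": e["pid"],
            "chain": " -> ".join(reversed(chain[:idx + 1])),
            "domain": e.get("dns"),
            "severity": "high" if strict else "medium",
        })
    return hits
```

Feeding the flagged domain into a hunt query (file names, hashes, domains) is the pivot step the article describes.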
Sent Yes
Tags Malware Tool Threat
Stories
Notes ★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken up from a previous one.