Target Package: APT 18
APT 18 is a threat group that has been in operation since at least 2009. Broadly, they operate by sending their victims a phishing email that downloads a Remote Access Trojan (RAT). Observed persistence mechanisms include registry run keys pointing to an executable in the user's AppData\Roaming folder; they have also been known to use the Startup folder and Windows services for persistence. In the past they have established their Command and Control channel over HTTP, HTTPS and DNS. Where two-factor authentication is not in use, they will try to rely on stolen credentials for access. This threat actor is skilled at using “Living Off The Land” techniques to move laterally and exfiltrate data from a victim's environment. APT 18 has been known to use the AT task scheduler (at.exe) to schedule tasks in order to move laterally, but given their skilled use of “Living Off The Land” I wouldn’t be surprised if Windows Management Instrumentation (WMI) or PowerShell is also used to gain access to other workstations and servers in the environment.
Aliases:
- Dynamite Panda
- Threat Group-0416
- Wekby Group
MITRE ATT&CK techniques:
- T1071.001 – Application Layer Protocol: Web Protocols
- T1071.004 – Application Layer Protocol: DNS
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys/Startup
- T1059.003 – Command and Scripting Interpreter: Windows Command Shell
- T1133 – External Remote Services
- T1083 – File and Directory Discovery
- T1070.004 – Indicator Removal on Host: File Deletion
- T1105 – Ingress Tool Transfer
- T1027 – Obfuscated Files or Information
- T1053.002 – Scheduled Task/Job: At (Windows)
- T1082 – System Information Discovery
- T1078 – Valid Accounts
How To Detect With Sysmon and Elastic Stack:
I won’t be covering every single technique, but this should be enough to give you an idea of how to craft your queries. Remember that every environment is different, so these queries may not be tuned finely enough to filter out the noise in your specific environment. The main objective is to test your tools to see if they can detect this type of activity and then tune your environment accordingly.
- T1071.001 – Application Layer Protocol: Web Protocols
  - Kibana query: winlog.event_id:3 AND winlog.event_data.Image: "~c:\users\*" AND NOT ("~onedrive*" OR "~dism*")
  - In this query I am looking through all Sysmon Network Connection events for executables running from user space and filtering out OneDrive and DismHost. The last part of the query could also be filtered out in your Sysmon configuration (recommended) or at the Logstash server.
- T1071.004 – Application Layer Protocol: DNS
  - Kibana query: winlog.event_id:22 AND winlog.event_data.Image: "~c:\users\*" AND NOT ("~onedrive*" OR "~dism*")
  - In this query I am looking through all Sysmon DNS Query events for executables running from user space and filtering out OneDrive and DismHost. The last part of the query could also be filtered out in your Sysmon configuration (recommended) or at the Logstash server.
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys/Startup
  - Kibana query: winlog.event_id:1 AND winlog.event_data.Image: "~reg.exe" AND (winlog.event_data.ParentImage: "~C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" OR winlog.event_data.ParentImage: "~C:\Windows\System32\cmd.exe")
  - This query is looking through all my Sysmon Process Create events for reg.exe being called from PowerShell or cmd.exe.
- T1083 – File and Directory Discovery
  - Kibana query: winlog.event_id:* AND ("dir" OR "tree")
  - This isn’t the best query and it will be pretty noisy, but I was able to detect the technique with it.
- T1070.004 – Indicator Removal on Host: File Deletion
  - Kibana query: winlog.event_id:* AND ("del" OR "rm")
  - Not a high-fidelity query, but it got the job done.
- T1105 – Ingress Tool Transfer
  - Kibana query: (winlog.event_id:4104 AND winlog.event_data.ScriptBlockText: "~certutil") OR (winlog.event_id:1 AND "certutil")
  - This query is looking for Red Canary Atomic Test #7 for this particular tactic, which downloads a remote file with certutil. I am looking for any script block logs containing certutil or any Sysmon Process Create events using certutil.
- T1027 – Obfuscated Files or Information
  - Kibana query: winlog.event_id:1 AND winlog.event_data.CommandLine: "~C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand"
  - This query could easily be bypassed by changing part of the command, but for my purposes I was able to detect the test with it. From there you could do more correlation through the ProcessGuid.
- T1053.002 – Scheduled Task/Job: At (Windows)
  - Kibana query: winlog.event_id:1 AND winlog.event_data.Image: "~C:\Windows\System32\at.exe"
  - In this query we are looking for Sysmon Process Creates with at.exe as the target image.
- T1082 – System Information Discovery
  - Kibana query: winlog.event_id:1 AND (winlog.event_data.Image: "~reg.exe" OR winlog.event_data.Image: "~C:\Windows\System32\systeminfo.exe")
  - In this query we are looking for Red Canary’s Atomic Test #2 for this tactic by looking through all Sysmon Process Creates specifically for reg.exe and systeminfo.exe.
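To show what these queries actually match before you run them in Kibana, here is an added example (not code from the original post) that re-expresses the higher-fidelity ones as Python predicates over Winlogbeat-style Sysmon and PowerShell events; every sample event is constructed, and the noisy free-text dir/tree and del/rm queries are left out. It also shows the overlap the post hints at: a single reg.exe process creation fires both the registry run key rule and the system information discovery rule.

```python
import fnmatch
import json

# Constructed sample events in the Winlogbeat layout (winlog.event_id, winlog.event_data.*)
# that the Kibana queries above search; none of these are real telemetry.
SAMPLE_EVENTS = [
    {"winlog": {"event_id": 3, "event_data": {"Image": r"C:\Users\bob\AppData\Roaming\update.exe"}}},
    {"winlog": {"event_id": 3, "event_data": {"Image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"}}},
    {"winlog": {"event_id": 22, "event_data": {"Image": r"C:\Windows\System32\svchost.exe"}}},
    {"winlog": {"event_id": 1, "event_data": {"Image": r"C:\Windows\System32\reg.exe",
                                              "ParentImage": r"C:\Windows\System32\cmd.exe"}}},
    {"winlog": {"event_id": 1, "event_data": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                              "CommandLine": "powershell.exe -EncodedCommand ZQBjAGgAbwA="}}},
    {"winlog": {"event_id": 4104, "event_data": {"ScriptBlockText": "certutil -urlcache http://example.test/t.txt"}}},
    {"winlog": {"event_id": 1, "event_data": {"Image": r"C:\Windows\System32\at.exe"}}},
]

def field(ev, name):
    """winlog.event_data.<name>, lower-cased; empty string when the field is absent."""
    return str(ev["winlog"].get("event_data", {}).get(name, "")).lower()

def like(value, *patterns):
    """Case-insensitive wildcard match, standing in for the wildcard values in the KQL."""
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)

# (rule name, predicate) pairs, one per Kibana query above, in the same order.
RULES = [
    ("T1071.001/T1071.004 user-space image with network or DNS activity",
     lambda ev: ev["winlog"]["event_id"] in (3, 22) and like(field(ev, "Image"), r"c:\users\*")
     and not like(field(ev, "Image"), "*onedrive*", "*dism*")),
    ("T1547.001 reg.exe spawned by PowerShell or cmd.exe",
     lambda ev: ev["winlog"]["event_id"] == 1 and like(field(ev, "Image"), "*reg.exe")
     and like(field(ev, "ParentImage"), r"*\powershell.exe", r"*\cmd.exe")),
    ("T1105 certutil in a script block or a process creation",
     lambda ev: (ev["winlog"]["event_id"] == 4104 and "certutil" in field(ev, "ScriptBlockText"))
     or (ev["winlog"]["event_id"] == 1 and "certutil" in json.dumps(ev["winlog"]).lower())),
    ("T1027 PowerShell launched with -EncodedCommand",
     lambda ev: ev["winlog"]["event_id"] == 1 and "-encodedcommand" in field(ev, "CommandLine")),
    ("T1053.002 at.exe process creation",
     lambda ev: ev["winlog"]["event_id"] == 1 and like(field(ev, "Image"), r"*\at.exe")),
    ("T1082 reg.exe or systeminfo.exe process creation",
     lambda ev: ev["winlog"]["event_id"] == 1 and like(field(ev, "Image"), "*reg.exe", r"*\systeminfo.exe")),
]

def run_detections(events):
    """Return (event index, rule name) for every rule each event satisfies; one event may fire several."""
    return [(i, name) for i, ev in enumerate(events) for name, pred in RULES if pred(ev)]
```

Running `run_detections(SAMPLE_EVENTS)` flags events 0, 3 (twice), 4, 5 and 6 and leaves the OneDrive and svchost events alone, which is the same filtering the Sysmon configuration or Logstash exclusions would do upstream.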
This wraps up my first target package profiling a known APT group. Hopefully this post has been helpful. Until next time…