Welcome to the February 2022 installment of the NetWitness Threat Research Intelligence & Content update. Our intention is to produce a monthly retrospective roll-up that outlines what is new and what has changed within NetWitness Threat Intelligence Content across our portfolio.
More frequent communications will occur as information on threat actor activity (patterns of behavior, tooling and infrastructure, attacks, operations, and campaigns) becomes available. The following points will factor into the frequency of such communications, although other considerations may influence our communication cadence as well:
As we continue this effort throughout the year, we believe we will demonstrate what has historically made NetWitness unique among its peers worldwide, as well as what separates us from our peers today. Our threat research intelligence content has historically differentiated us from our competitors, and there is no question in our minds that it remains a key differentiator for us and our customers. We are committed to seeing it evolve as we once again take our place among the industry's luminaries with an authoritative voice and position. Our content will continue to mature and will be packaged more intelligently than in previous periods of our history. These bundles will help our customers spend their time where it matters most: monitoring for and responding to threats once they are detected, while continually increasing their visibility across network environments both on and off premises.
Critical to our success will be increased alignment and execution with the NetWitness Global Incident Response Practice. Together, we believe we represent a formidable capability against the adversaries threatening the risk postures of our customers and clients the world over. Our commitment to collaboration, fueled by our passion for the work we do, has brought about a new era in which we operate in a symbiotic fashion for the betterment of our business and, most importantly, our customers. Lastly, the format and nature of this monthly update will change over time, so please do not be alarmed by evolutions on this front as well. We are excited to have you join us on this journey and believe that together we can work towards a safer, more secure tomorrow.
Within the NetWitness LIVE! platform there are two (2) functional repositories where content is uploaded and stored for use by our customers. The first, labeled today as 'RSA', is where all production-grade content created by our teams is uploaded and curated over time. This content is the result of internal research work and consists of actionable, machine-readable content that includes:
The second repository found in NetWitness LIVE! is labeled today as 'COMMUNITY' [BETA]. It contains two (2) principal categories of content. The first is content created by members of the NetWitness community who elect to share it with their peers via NetWitness LIVE!; these community members may include NetWitness employees who are not members of the threat research and intelligence team, partners, or customers. Unlike production content, this content is not rigorously assessed or put through the same quality assurance process before it is uploaded and made available within the NetWitness LIVE! platform. The second is certain types of open-source content, which may be found in the 'COMMUNITY' [BETA] repository today. This repository may therefore include all of the previously mentioned content types in addition to other forms, such as YARA rules.
During the month of February, the NetWitness Threat Research Intelligence team kicked off an initiative that focuses on content hygiene. Work within this initiative centers on assessing all current threat research and intelligence content for the following:
This initiative is scheduled to run through March 2022. At its conclusion, NetWitness customers will receive an announcement specifying which pieces of content have been identified and selected for End of Life (EoL)/deprecation, along with other relevant data such as the date(s) when those changes will be made and finalized.
During the month of February 2022, the following pre-existing content was adjusted to improve detection and broaden support:
Packet Parsers
Proxy_Block_Page
Parses proxy denied-exception pages, registering the URL that was requested and the reason for denial. Blue Coat and Palo Alto are currently supported. Extraction of 'username' is supported for Palo Alto only, not Blue Coat. Customized exception pages may not be detected or parsed.
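As an illustration of what such a parser has to do, here is an added Python example; it is not the NetWitness Proxy_Block_Page parser. It recognises a Palo Alto URL-filtering block page and a Blue Coat exception page from constructed HTML modeled on the vendors' default templates, registers the requested URL and the denial reason, extracts the username from the Palo Alto page only, and returns nothing for an unrecognised (customised) page. The field labels, the Blue Coat exception-id format and the sample pages themselves are assumptions made for this example.

```python
import html
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BlockPage:
    vendor: str               # "bluecoat" or "paloalto"
    url: Optional[str]        # URL the client requested
    reason: Optional[str]     # why the proxy denied it
    username: Optional[str]   # populated for Palo Alto pages only


# Tags that end a line of text in the vendors' default templates; every other tag is dropped.
_BREAK = re.compile(r"<(?:/?(?:p|h\d|title|div|li|tr|big)|br)\b[^>]*>", re.I)
_TAG = re.compile(r"<[^>]+>")
# Assumed Blue Coat layout: "Access Denied (<exception_id>)" plus an optional categorization line.
_BC_EXCEPTION = re.compile(r"^Access Denied \((\w+)\)")
_BC_CATEGORY = re.compile(r'content categorization:\s*"([^"]+)"')


def _text_lines(body: str) -> List[str]:
    """Flatten the HTML into non-empty text lines, one per block-level element."""
    text = html.unescape(_TAG.sub("", _BREAK.sub("\n", body)))
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def _field(lines: List[str], label: str) -> Optional[str]:
    """Value after 'Label:' on its own line, e.g. 'URL: http://...'."""
    prefix = label.lower() + ":"
    for ln in lines:
        if ln.lower().startswith(prefix):
            return ln[len(prefix):].strip() or None
    return None


def parse_block_page(body: str) -> Optional[BlockPage]:
    lines = _text_lines(body)
    for ln in lines:                                  # Blue Coat: "Access Denied (exception_id)"
        m = _BC_EXCEPTION.match(ln)
        if m:
            cat = next((c.group(1) for c in map(_BC_CATEGORY.search, lines) if c), None)
            reason = m.group(1) + (f" ({cat})" if cat else "")
            # Blue Coat pages carry no reliable username field, so none is extracted.
            return BlockPage("bluecoat", _field(lines, "URL"), reason, None)
    if "Web Page Blocked" in lines:                   # Palo Alto URL-filtering response page
        return BlockPage("paloalto", _field(lines, "URL"),
                         _field(lines, "Category"), _field(lines, "User"))
    return None                                       # customised page: not recognised


# Constructed sample pages, modeled on (not copied from) the vendors' default templates.
PALO_ALTO_PAGE = """<html><head><title>Web Page Blocked</title></head><body>
<h1>Web Page Blocked</h1>
<p>Access to the web page you were trying to visit has been blocked in accordance with company policy.</p>
<p><b>User:</b> corp\\jsmith</p>
<p><b>URL:</b> http://malware.example.net/payload.exe</p>
<p><b>Category:</b> malware</p>
</body></html>"""

BLUE_COAT_PAGE = """<HTML><HEAD><TITLE>Access Denied</TITLE></HEAD>
<BODY><BIG>Access Denied (content_filter_denied)</BIG>
<P>Your request was denied because of its content categorization: &quot;Gambling&quot;
<P>URL: http://gambling.example.org/
<P>For assistance, contact your network support team.
</BODY></HTML>"""

CUSTOM_PAGE = "<html><body><h1>Blocked by IT</h1><p>Contact the helpdesk.</p></body></html>"

if __name__ == "__main__":
    for page in (PALO_ALTO_PAGE, BLUE_COAT_PAGE, CUSTOM_PAGE):
        print(parse_block_page(page))
```

The parser keys on fixed strings from the default templates, which is exactly why a customised exception page falls through to `None`: if an organisation rewrites its block page, the signature lines and field labels change and the metadata is silently lost unless the parser is extended.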
During the month of February 2022, we released the following new pieces of content. These additions fall into two categories: application rules (app rules) and Event Stream Analysis (ESA) rules.
InstallerFileTakeover File Create Event
Detects signs of the InstallerFileTakeover local privilege escalation exploit (CVE-2021-41379 / CVE-2021-43883) that involve an msiexec process.
InstallerFileTakeover Privilege Escalation POC
Detects the Windows Installer privilege escalation proof of concept (CVE-2021-41379) released by Abdelhamid Naceri.
GCP - Firewall rule modified
This rule detects important changes made to firewall configuration within a GCP Account.
GCP - VPC modified
This rule detects important changes made to VPC configuration within a GCP Account.
GCP - Unauthorized account activity
This rule detects unauthorized operations in a GCP Account.
AWS - Security group or network acl modified
This rule detects important changes made to security groups or network ACLs within an AWS Account.
AWS - Network route modified
This rule detects important changes made to network routes, including local, VPN, and transit gateway routes, within an AWS Account.
AWS - VPC flow logs modified
This rule detects important changes made to VPC Flow Logs within an AWS Account.
GCP - Admin privileges to service account
This rule triggers when admin or service owner privileges are assigned to a service account by a user entity in a GCP Account.
GCP - Multiple vm instances created
This rule triggers when 5 or more VM instances are launched within a single request by a single user entity in a GCP Account.
GCP - Critical changes to logging
This rule detects critical changes made to Pub/Sub or Logging sources within a GCP Account.
AWS - VPC modified
This rule detects important changes made to a VPC and its configuration within an AWS Account.
Known BazarLoader GET Request
BazarLoader (also known as Baza or BazaLoader) is fileless malware thought to be developed by the same group responsible for TrickBot. This backdoor employs a diverse set of delivery mechanisms including, but not limited to, executable files, macro-enabled documents, and compromised installers. This rule helps detect BazarLoader C2 communication.
GCP - Network route modified
This rule detects important changes made to network route configuration within a GCP Account.
GCP - Multiple service accounts created within a short period of time
This rule triggers when the specified number of Service Accounts are created within the specified amount of time, in a GCP Account.
GCP - Buckets enumerated
This rule triggers when the specified number of buckets are listed by a single user entity within the specified amount of time, in a GCP Account. Note that Admin Read Data Access audit logs must be enabled for Google Cloud Storage for this detection to work; bucket listing is not recorded in the audit log otherwise.
GCP - Multiple custom roles deleted within a short period of time
This rule triggers when the specified number of Custom IAM Roles are deleted within the specified amount of time, in a GCP Account.
GCP - Mass copy objects
This rule triggers when the specified number of storage objects are copied by a single user entity within the specified amount of time, in a GCP Account. Note that Data Read and Data Write Data Access audit logs must be enabled for Google Cloud Storage for this detection to work.
GCP - Multiple custom roles created within a short period of time
This rule triggers when the specified number of Custom IAM Roles are created within the specified amount of time, in a GCP Account.
GCP - Multiple service account keys created within a short period of time
This rule triggers when the specified number of service account keys are created within the specified amount of time, in a GCP Account.
GCP - Multiple API services modified within a short period of time
This rule triggers when the specified number of API Service Endpoints are modified within the specified amount of time, in a GCP Account.
GCP - Mass delete objects
This rule triggers when the specified number of storage objects are deleted by a single user entity within the specified amount of time, in a GCP Account. Note that Data Read and Data Write Data Access audit logs must be enabled for Google Cloud Storage for this detection to work.
GCP - Multiple project ownership invites created within a short period of time
This rule triggers when the specified number of invites are sent out for project ownership within the specified amount of time, in a GCP Account.
GCP - Multiple service accounts deleted within a short period of time
This rule triggers when the specified number of Service Accounts are deleted within the specified amount of time, in a GCP Account.
GCP - Multiple vm instances created in multiple zones within a short period of time
This rule triggers when the specified number of VM instances are created in multiple zones within the specified amount of time, in a GCP Account.
GCP - Multiple vm instances created within a short period of time
This rule triggers when the specified number of VM instances are created within the specified amount of time, in a GCP Account.
GCP - Multiple vm instances deleted within a short period of time
This rule triggers when the specified number of VM instances are deleted within the specified amount of time, in a GCP Account.
Log4J Exploit Attempt
Detects Log4j exploitation attempts made via web requests that can lead to remote code execution (CVE-2021-44228).
SysJoker Persistence
SysJoker masquerades as a system update and generates its C2 address by decoding a string retrieved from a text file hosted on Google Drive. This endpoint app rule reports when SysJoker establishes persistence by adding an entry to the registry Run key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run on Windows.
SysJoker Backdoor Detected
SysJoker masquerades as a system update and generates its C2 address by decoding a string retrieved from a text file hosted on Google Drive. This endpoint app rule reports files and folders created by the SysJoker malware on Microsoft Windows. The malware creates the C:\ProgramData\SystemData\ directory and copies itself there as igfxCUIService.exe, masquerading as the Intel Graphics Common User Interface Service (igfxCUIService).
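The GCP "multiple ... within a short period of time", "Buckets enumerated" and "Mass ... objects" rules above all share one shape: count a given audit-log method per principal inside a sliding time window and fire once a threshold is reached, which only works if the relevant audit logs are being written at all. The following Python is an added example of that logic, not the ESA rules themselves, run over constructed Cloud Audit Log entries. The method names are the ones GCP records for service account key creation, bucket listing and object deletion; the thresholds, windows, principals, timestamps and the sample IAM policy are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


@dataclass(frozen=True)
class ThresholdRule:
    name: str
    method: str                               # protoPayload.methodName counted by the rule
    threshold: int                            # the "specified number"
    window_s: int                             # the "specified amount of time", in seconds
    needs: Tuple[Tuple[str, str], ...] = ()   # (service, Data Access logType) the rule depends on


# Thresholds and windows below are assumed; the real rules take them as parameters.
# Admin Activity logs (IAM changes) are always on; Storage Data Access logs are opt-in.
RULES = [
    ThresholdRule("GCP - Multiple service account keys created within a short period of time",
                  "google.iam.admin.v1.CreateServiceAccountKey", 3, 300),
    ThresholdRule("GCP - Buckets enumerated", "storage.buckets.list", 5, 120,
                  (("storage.googleapis.com", "ADMIN_READ"),)),
    ThresholdRule("GCP - Mass delete objects", "storage.objects.delete", 10, 60,
                  (("storage.googleapis.com", "DATA_READ"), ("storage.googleapis.com", "DATA_WRITE"))),
]


def _ts(entry: dict) -> datetime:
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))


def evaluate(entries: List[dict], rules=RULES) -> List[dict]:
    """Sliding-window count of a method per (rule, principal). An alert fires when the
    count reaches the threshold and that window is then reset, so one burst yields one
    alert instead of one alert per extra event."""
    alerts, windows = [], defaultdict(deque)
    for e in sorted(entries, key=_ts):
        payload = e["protoPayload"]
        who, t = payload["authenticationInfo"]["principalEmail"], _ts(e)
        for r in rules:
            if payload["methodName"] != r.method:
                continue
            w = windows[(r.name, who)]
            w.append(t)
            while (t - w[0]).total_seconds() > r.window_s:   # evict events outside the window
                w.popleft()
            if len(w) >= r.threshold:
                alerts.append({"rule": r.name, "principal": who,
                               "count": len(w), "last_seen": e["timestamp"]})
                w.clear()
    return alerts


def audit_log_enabled(iam_policy: dict, service: str, log_type: str) -> bool:
    """True if the project IAM policy's auditConfigs enable log_type for service (or allServices)."""
    for cfg in iam_policy.get("auditConfigs", []):
        if cfg.get("service") in (service, "allServices") and any(
                c.get("logType") == log_type for c in cfg.get("auditLogConfigs", [])):
            return True
    return False


def missing_prerequisites(iam_policy: dict, rules=RULES) -> List[str]:
    """Rules whose required Data Access logs are off, i.e. rules that can never fire."""
    return [r.name for r in rules
            if any(not audit_log_enabled(iam_policy, svc, lt) for svc, lt in r.needs)]


def _entry(ts, service, method, principal):            # minimal Cloud Audit Log entry shape
    return {"timestamp": ts, "protoPayload": {"serviceName": service, "methodName": method,
                                              "authenticationInfo": {"principalEmail": principal}}}


# Constructed sample data (assumed principals, times and policy).
IAM, KEY = "iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey"
GCS = "storage.googleapis.com"
SAMPLE_ENTRIES = (
    [_entry(ts, IAM, KEY, "alice@example.com")
     for ts in ("2022-02-10T09:00:01Z", "2022-02-10T09:00:40Z", "2022-02-10T09:02:10Z")]
    + [_entry(ts, IAM, KEY, "bob@example.com") for ts in ("2022-02-10T08:00:00Z", "2022-02-10T10:30:00Z")]
    + [_entry(f"2022-02-10T11:00:{s:02d}Z", GCS, "storage.buckets.list", "carol@example.com")
       for s in range(0, 50, 10)]
    + [_entry(f"2022-02-10T12:00:{s:02d}Z", GCS, "storage.objects.delete", "dave@example.com")
       for s in (0, 5)]
)
SAMPLE_POLICY = {"auditConfigs": [{"service": GCS, "auditLogConfigs": [{"logType": "ADMIN_READ"},
                                                                        {"logType": "DATA_READ"}]}]}

if __name__ == "__main__":
    for a in evaluate(SAMPLE_ENTRIES):
        print(a)
    print("rules that cannot fire with this policy:", missing_prerequisites(SAMPLE_POLICY))
```

On this data alice (three keys in 129 seconds) and carol (five bucket listings in 40 seconds) alert, bob does not because his two key creations are hours apart, and dave's two deletions never reach the threshold. The prerequisite check is the practical half of the caveats attached to the bucket and object rules: with only ADMIN_READ and DATA_READ enabled for Storage, the object-deletion rule is silently blind, which is worth verifying before trusting a quiet console.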
Malware, Malicious Code and APT Open Source YARA Rules
The following corpus of YARA rules focuses on the detection, identification, and analysis of various forms and types of malicious code and content (malware) and, in some cases, the threat actors/adversaries associated with their use and proliferation. These YARA rules have been collected from the open-source community and are made available to our customers via the NetWitness Live Community capability.