NetWitness Threat Content and Integrations Report - October 2021

AmitRotem
‎2021-10-15 09:35 AM


 

NetWitness Threat Content and Integrations Report

October 2021

 

Threat Intelligence Update

BlackMatter

First detected by Recorded Future in July 2021, this ransomware-as-a-service (RaaS) cybergang has been responsible for several high-profile targeted attacks. Of likely Eastern European origin, BlackMatter first gained notoriety for a ransomware campaign targeting medical technology company Olympus in early September. Since then, BlackMatter's suspected victims include a US-based real estate brokerage, a French liquor distributor, and an Austrian juicing equipment vendor, among others. However, the ransomware group is most widely known for its involvement in the NEW Cooperative attack.

 

Although originally claiming to spare "Critical infrastructure facilities", BlackMatter struck Iowa agriculture collective NEW Cooperative over the weekend of September 17th, 2021. The group demanded a ransom of $5.9 million USD. BlackMatter also threatened to leak sensitive documents if the ransom was not paid by September 25, a common technique among RaaS organizations known as "double extortion". As a result of the ransomware, NEW Cooperative had to temporarily take all of its IT services offline. At this point NEW Cooperative has said it is working with law enforcement agencies and cybersecurity companies to return to full operation, but there has been no publicly disclosed information on whether any part of the demanded ransom has been paid.

 

Much like its supposed successor Darkside, BlackMatter leverages an affiliate model, recruiting "initial access brokers" to gain access to lucrative ($100M or more in revenue) victim networks. Publicly available code analysis reveals that once inside, BlackMatter operates in several ways similarly to the Darkside (responsible for the JBS attack), REvil/Sodinokibi (Colonial Pipeline attack), and Lockbit (Accenture attack) ransomware families. Additionally, BlackMatter comes with both Windows and Linux variants. Researchers have seen this ransomware be just as effective proliferating across corporate domains as targeting crucial Linux infrastructure such as VMware ESXi hosts.

 

With a growing list of victims across multiple industries, BlackMatter looks to be a sophisticated and well-funded group that will continue to operate for a considerable time. NetWitness will continue to monitor for any new developments and adjust our detection capability accordingly.

 

Blog Posts

 

PetitPotam NTLM relay attack (RSA Link)

Lionel Gilles, a French-based Offensive Computer Security researcher at Sogeti, an IT services company based in Paris, France, recently published a PoC tool called PetitPotam, which exploits MS-EFSRPC (Encrypting File System Remote Protocol). This affects organizations that use Microsoft Active Directory Certificate Services (AD CS), a public key infrastructure (PKI) server. PetitPotam is considered an NTLM (NT LAN Manager) relay attack, a form of manipulator-in-the-middle attack.

The following app rules help detect PetitPotam activity in the environment:

  • Anonymous NTLM logon detected
  • Possible PetitPotam authentication attempt

Behavioral Indicators Helpful to Detect Ransomware Activity (RSA Link)

Ransomware operations have increased significantly over the past few years. As we have seen with recently publicized large-scale attacks, ransomware groups are adding a great deal of sophistication to their tactics. These incidents can severely impact business processes and leave organizations without the data they need to operate and deliver their mission-critical services. There is no indication of bad actors stopping anytime soon and new variants of the malware are created and deployed almost every day.

Now is the time for targeted threat detection against ransomware activity. The resources in that blog post help you monitor, detect and respond to such activity using the NetWitness Platform.

AWS CloudTrail - Anomalous Activity Detection Threat Content (RSA Link)

CloudTrail is an AWS service that helps in governance, compliance, and operational risk auditing of an AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. One can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help analyze and respond to activity in an AWS account.

As the adoption of AWS increases, the workload handled by AWS services globally has grown exponentially, and so has the variety of attacks that threat actors execute. To effectively identify unexpected, malicious, and anomalous access behavior, and to maintain security monitoring within an account, we have used CloudTrail events to create log-based Application Rules and Event Stream Analytics (ESA) Rules.

 

Universal Plugins for AWS (RSA Link)

For customers that run their infrastructure on the AWS cloud and would like to ingest logs from various services into NetWitness for security and compliance, we have developed the Amazon CloudWatch Plugin and the S3 Universal Connector. For customers on NetWitness Platform 11.5 or later, these universal plugins remove the need to manage a separate connector for each service.

Application rules

New Application rules used for detecting registry changes

The Windows endpoint agent has been updated to report new registry events aimed at detecting persistence tactics in which malware uses the registry API to modify or create registry keys.

The following application rules detect these malware persistence techniques as behavior of compromise.

Modifies Startup Folder Location

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.

Tactic: Persistence
Technique: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Severity: High

 

Modifies Winlogon Registry Settings

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.

Tactic: Persistence
Technique: Boot or Logon Autostart Execution: Winlogon Helper DLL
Severity: High

 

Registers Time Provider Dll

Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains, and adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.

Tactic: Persistence
Technique: Boot or Logon Autostart Execution: Time Providers
Severity: High

 

Registers Port Monitor Dll

Adversaries may use port monitors to run an attacker-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. Adversaries can use this technique to load malicious code at startup that will persist across system reboots and execute as SYSTEM.

Tactic: Persistence
Technique: Boot or Logon Autostart Execution: Port Monitors
Severity: High

 

Registers Netsh helper Dll

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner.

Tactic: Persistence
Technique: Event Triggered Execution: Netsh Helper DLL
Severity: High

 

Registers AppInit Dll

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs: the DLLs listed in the AppInit DLLs value in the registry are loaded into processes. Like process injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.

Tactic: Persistence
Technique: Event Triggered Execution: AppInit DLLs
Severity: High

 

Registers AppCert Dll

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs: the DLLs specified in the AppCertDLLs Registry key are loaded into every process that calls the ubiquitously used application programming interface (API) functions. Like process injection, this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.

Tactic: Persistence
Technique: Event Triggered Execution: AppCert DLLs
Severity: High

 

Registers LSA Authentication package

Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start, and they provide support for multiple logon processes and multiple security protocols to the operating system. Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location.

Tactic: Persistence
Technique: Boot or Logon Autostart Execution: Authentication Package
Severity: High

 

Registers LSA Security package

Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.

Tactic: Persistence
Technique: Boot or Logon Autostart Execution: Security Support Provider
Severity: High

 

Registers Boot Execute

Adversaries can add programs or processes to the registry value which will automatically launch at boot, and can use this configuration location to execute malware, such as remote access tools, to maintain persistence through system reboots.

Tactic: Persistence
Technique: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Severity: High

 

Modifies file associations

Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and adversaries can modify these values to continually execute arbitrary commands.

Tactic: Persistence/Privilege Escalation
Technique: Event Triggered Execution: Change Default File Association
Severity: Medium
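As an added example (not NetWitness rule code), the Python below maps endpoint registry-write events onto the persistence rules listed above. The key locations are the standard Windows autostart paths assumed here, the sample events are constructed, and the shipped app rules may key on different meta.

```python
"""Added example, not NetWitness rule code: classify registry-write events
from an endpoint agent against the persistence rules listed above. Key
locations are standard Windows autostart paths assumed here; input events
are constructed. Matching is case-insensitive over "key\\value"."""
import re

RULES = [  # (rule name, ATT&CK technique, severity, regex over lowercased "key\value")
    ("Modifies Startup Folder Location", "Registry Run Keys / Startup Folder", "High",
     r"currentversion\\(run|runonce)\\|shell folders\\(common )?startup$"),
    ("Modifies Winlogon Registry Settings", "Winlogon Helper DLL", "High",
     r"currentversion\\winlogon\\(shell|userinit|notify)"),
    ("Registers Time Provider Dll", "Time Providers", "High",
     r"services\\w32time\\timeproviders\\"),
    ("Registers Port Monitor Dll", "Port Monitors", "High",
     r"control\\print\\monitors\\[^\\]+\\driver$"),
    ("Registers Netsh helper Dll", "Netsh Helper DLL", "High",
     r"software\\microsoft\\netsh\\"),
    ("Registers AppInit Dll", "AppInit DLLs", "High",
     r"currentversion\\windows\\appinit_dlls$"),
    ("Registers AppCert Dll", "AppCert DLLs", "High",
     r"session manager\\appcertdlls\\"),
    ("Registers LSA Authentication package", "Authentication Package", "High",
     r"control\\lsa\\authentication packages$"),
    ("Registers LSA Security package", "Security Support Provider", "High",
     r"control\\lsa(\\osconfig)?\\security packages$"),
    ("Registers Boot Execute", "Registry Run Keys / Startup Folder", "High",
     r"session manager\\bootexecute$"),
    ("Modifies file associations", "Change Default File Association", "Medium",
     r"\\shell\\open\\command\\$"),
]
COMPILED = [(r, t, s, re.compile(p)) for r, t, s, p in RULES]

def classify(event):
    """Return (rule, technique, severity) for the first rule a write event hits, else None."""
    target = (event["key"] + "\\" + event.get("value", "")).lower()
    for rule, technique, severity, pat in COMPILED:
        if pat.search(target):
            return rule, technique, severity
    return None

def scan(events):
    """Return only the events that hit a rule, tagged with rule name and severity."""
    tagged = ((ev, classify(ev)) for ev in events)
    return [{**ev, "rule": v[0], "severity": v[2]} for ev, v in tagged if v]

SAMPLE_EVENTS = [  # constructed endpoint registry-write events, not real telemetry
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "value": "Userinit"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "value": "Security Packages"},
    {"key": r"HKCR\txtfile\shell\open\command", "value": ""},
    {"key": r"HKCU\Software\Example\Settings", "value": "Theme"},  # benign, no rule
]
```

The first four constructed events trigger a rule each; the last one is benign and is dropped by scan().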

 

Endpoint Rules

Ransomware Behavioral Detections - Threat Content

Per our research, we identified that impairing defenses to achieve evasion, tampering with system recovery mechanisms, and disabling security tooling are a few of the common techniques employed by threat actors during the various stages of typical ransomware operations.

Understanding the importance of detecting these methods, we have come up with endpoint-based application rules that aid in identifying not just ransomware activity, but also other adversaries that employ similar techniques.

  • deletes shadow volume copies (*Existing Rule Updated)
  • deletes backup catalog (*Existing Rule Updated)
  • disables windows defender using powershell (*Existing Rule Updated)
  • deletes shadow volume copies using powershell
  • tampers with windows defender registry
  • removes windows defender definitions
  • evades scanning within windows defender
  • disables windows audit policy
  • clears application event log
  • clears setup event log
  • clears event logs using powershell
  • disables event logging service
  • enables safe mode
  • disables safe mode
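As an added example (not NetWitness rule code), the Python below runs a subset of the behavioral rules listed above over constructed process-launch log lines. The command-line patterns are standard public detection signatures assumed here; the shipped endpoint app rules may use different meta and cover rules this snippet does not.

```python
"""Added example, not NetWitness rule code: flag process launches whose command
line matches ransomware-preparation behaviours named above (shadow-copy and
backup-catalog deletion, Defender tampering, log clearing, safe-mode toggling).
Patterns are public detection signatures assumed here; log lines are constructed."""
import re

RULES = [  # (rule name, regex over the lowercased command line)
    ("deletes shadow volume copies", r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("deletes backup catalog", r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("disables windows defender using powershell", r"set-mppreference\b.*-disablerealtimemonitoring"),
    ("deletes shadow volume copies using powershell", r"win32_shadowcopy\b.*remove-(wmiobject|ciminstance)"),
    ("removes windows defender definitions", r"mpcmdrun(\.exe)?\b.*-removedefinitions"),
    ("evades scanning within windows defender", r"(add|set)-mppreference\b.*-exclusion(path|process|extension)"),
    ("disables windows audit policy", r"auditpol(\.exe)?\s+/clear"),
    ("clears application event log", r"wevtutil(\.exe)?\s+(cl|clear-log)\s+application\b"),
    ("clears setup event log", r"wevtutil(\.exe)?\s+(cl|clear-log)\s+setup\b"),
    ("clears event logs using powershell", r"clear-eventlog\b"),
    ("disables event logging service", r"sc(\.exe)?\s+config\s+eventlog\s+start=\s*disabled"),
    ("enables safe mode", r"bcdedit(\.exe)?\b.*/set\b.*safeboot\s+(minimal|network)"),
    ("disables safe mode", r"bcdedit(\.exe)?\b.*/deletevalue\b.*safeboot"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in RULES]
# Constructed log shape: "<ts> host=<host> user=<user> cmdline=\"<command line>\""
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmdline="(?P<cmd>.*)"$')

def match_rules(cmdline):
    """Return every rule name whose pattern appears in the command line."""
    low = cmdline.lower()
    return [name for name, pat in COMPILED if pat.search(low)]

def detect(lines):
    """Parse process-launch lines and return (host, user, rule) for each rule hit."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not have the expected shape are skipped, not matched
        for rule in match_rules(m["cmd"]):
            hits.append((m["host"], m["user"], rule))
    return hits

SAMPLE_LINES = [  # constructed, not real telemetry
    '2021-10-01T02:14:07Z host=WS-042 user=CORP\\jdoe cmdline="vssadmin.exe delete shadows /all /quiet"',
    '2021-10-01T02:14:09Z host=WS-042 user=CORP\\jdoe cmdline="wbadmin delete catalog -quiet"',
    '2021-10-01T02:14:12Z host=WS-042 user=CORP\\jdoe cmdline="powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"',
    '2021-10-01T02:15:01Z host=WS-042 user=CORP\\jdoe cmdline="bcdedit /set {default} safeboot minimal"',
    '2021-10-01T02:16:30Z host=WS-042 user=SYSTEM cmdline="wevtutil cl Application"',
    '2021-10-01T08:00:00Z host=WS-017 user=CORP\\asmith cmdline="notepad.exe C:\\Users\\asmith\\notes.txt"',
    'malformed line without the expected fields',
]
```

Five of the constructed lines hit exactly one rule each; the notepad launch and the malformed line produce no hits, and a single host firing several of these rules within minutes is the pattern worth alerting on.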

Protocol Parsers

DCERPC

  • Added extraction of action meta from EFSRPC.

DynDNS

  • Added more dynamic DNS providers.

HTTP_lua

  • Made performance improvements

TLS_lua

  • Improved detection of TLS 1.3

Log Parsers - updated

Microsoft Azure

  • Added additional mappings in the Azure parser for Microsoft Defender ATP alerts received via the MSGraph Universal Plugin.

Proofpoint Email Security

  • Additional meta mapping

Kaspersky Anti-Virus

  • Added additional parser rules to support new fields for customer logs.

Snort/Sourcefire

  • Added support for additional FirePower Threat Defense events and provided fine parsing for a few other events.

Cisco Wireless Lan Controller

  • Updated the ciscowlc parser to provide support for the Cisco 9800 series with firmware version 17.03.03.

Trend Micro IMSS

  • Additional meta mapping

Common Event Format

  • Added support for two new event-source CEF parsers: Check Point Identity Awareness and Trend Micro Email Inspector.

Fortinet Fortigate

  • Added support for more log formats

Cyberoam UTM

  • Additional meta mapping

VMware Workspace One

  • Corrected the mapping for OS meta, which was causing an issue on the Investigation page.

Linux

  • Additional meta mapping

Log Collections - updated

Salesforce Log Collection

  • Fixed bug where the option to disable SSL certificate validation was not working.

 

 

Thank you to @DarrenMccutchen, @jeethmathai, @Sarthak, @AhteshamPatel, @ManishJain4, @RajasSave and @WilliamMotley1 for their help with compiling this report.
