OTRF / detection-hackathon-apt29

Place for resources used during the Mordor Detection hackathon event featuring APT29 ATT&CK evals datasets
GNU General Public License v3.0

2.B) Exfiltration Over Command and Control Channel #4

Open Cyb3rWard0g opened 4 years ago

Cyb3rWard0g commented 4 years ago

Description

The file is then exfiltrated over the existing C2 connection (T1041).

[pupy] > download "C:\Users\pbeesly\AppData\Roaming\Draft.Zip" .

DarthRaki commented 4 years ago

All of my analytics are using this tool set (https://github.com/idaholab/Malcolm)

Can I detect a C2 connection in my traffic over HTTPS? (With such a small dataset it's hard to show the items that stand out.)

Query I start with: protocols == tls && protocols != https && tags == cert:self-signed (the driving factor behind this is that if the communication is TLS encrypted but not using HTTPS, it then becomes suspect for being on ports that HTTPS would use. Add in a self-signed cert and it's highly likely a piece of malware.)

We use SPI VIEW to quickly see all the IPs, both src and dst, for the HTTPS C2.

We can also see the cert information for each item and a count next to them. (Use these items for OSINT sites like Shodan and censys.io.)

We can also see the large data bytes present during exfil, and timestamps to correlate with host logs for the HTTP C2 info.

neu5ron commented 4 years ago

yep, there are known JA3 and JA3S hashes of Kali and Metasploit. 72a589da586844d7f0818ce684948eea

neu5ron commented 4 years ago

72a589da586844d7f0818ce684948eea

although, before people say "Nate SIGMA IS MUCH MORE THAN FOR IOC's..." yeah I know ;)

here is a quick rule for Sigma. I didn't grab all the JA3s in there (working on a few other things), but whichever are deemed known malicious, add them to the list below in the placeholders ReplaceMeWithKnownBadJA3

title: Known Bad JA3 Hash for attack tool
status: experimental
description: JA3 SSL/TLS hashes for known bad attack/pentesting tools
references:
    - "https://github.com/OTRF/detection-hackathon-apt29/issues/4"
author: '@neu5ron Nate Guagenti, OTRF Community'
date: 2020/05/03
modified: 2020/05/03
logsource:
    product: zeek
    service: ssl
detection:
    ja3_hashes:
        ja3:
            - '72a589da586844d7f0818ce684948eea'
            - $ReplaceMeWithKnownBadJA3
            - $ReplaceMeWithKnownBadJA3
            - $ReplaceMeWithKnownBadJA3
    condition: ja3_hashes   # must name the selection defined above, not ja3_hash
falsepositives:
    - Always worth looking into known attack tool usage, however you may have people just trying to test a tool and it not be a full blown incident
level: medium

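
The selection logic of the rule above applied to Zeek ssl.log JSON records, as an added Python example that is not code from this thread or from the OTRF repository. The Metasploit tag on the quoted hash follows the thread's suggestion, the placeholder entry mirrors the rule's $ReplaceMeWithKnownBadJA3 lines, and the sample log records are constructed.

```python
import json
import re

# Known-bad JA3 hashes tagged with the tool they are attributed to, as the
# thread suggests. The first hash is the one quoted in the issue; the other
# entry mirrors the $ReplaceMeWithKnownBadJA3 placeholders in the Sigma rule.
KNOWN_BAD_JA3 = {
    "72a589da586844d7f0818ce684948eea": "Metasploit",
    "$ReplaceMeWithKnownBadJA3": "placeholder, not a real hash",
}

JA3_RE = re.compile(r"^[0-9a-f]{32}$")


def valid_ja3_entries(table):
    """Keep only well-formed 32-hex-char JA3 hashes; placeholders never match."""
    return {h.lower(): tool for h, tool in table.items() if JA3_RE.match(h.lower())}


def match_known_bad_ja3(log_lines, table=KNOWN_BAD_JA3):
    """Apply the rule's selection to Zeek ssl.log JSON lines, one alert per hit."""
    bad = valid_ja3_entries(table)
    alerts = []
    for line in log_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        ja3 = (rec.get("ja3") or "").lower()  # field is absent when no ClientHello was seen
        if ja3 in bad:
            alerts.append({
                "ts": rec.get("ts"),
                "src": rec.get("id.orig_h"),
                "dst": rec.get("id.resp_h"),
                "dport": rec.get("id.resp_p"),
                "ja3": ja3,
                "tool": bad[ja3],
            })
    return alerts


# Constructed sample ssl.log records in Zeek's JSON format; not real capture data.
SAMPLE_SSL_LOG = [
    '{"ts":1588550400.1,"uid":"C1","id.orig_h":"10.0.1.4","id.resp_h":"192.168.0.5","id.resp_p":1234,"version":"TLSv12","ja3":"72a589da586844d7f0818ce684948eea"}',
    '{"ts":1588550401.2,"uid":"C2","id.orig_h":"10.0.1.4","id.resp_h":"10.0.0.2","id.resp_p":443,"version":"TLSv12","ja3":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}',
    '{"ts":1588550402.3,"uid":"C3","id.orig_h":"10.0.1.7","id.resp_h":"10.0.0.2","id.resp_p":443,"version":"TLSv12"}',
]

if __name__ == "__main__":
    for alert in match_known_bad_ja3(SAMPLE_SSL_LOG):
        print(alert)
```

Unfilled placeholders are dropped before matching, so the rule is only as good as the hashes that replace them.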
Cyb3rWard0g commented 4 years ago

Hey @neu5ron , would it be good to tag those JA3 sigs for each C2? Like

72a589da586844d7f0818ce684948eea #Metasploit 

Also, if the JA3 query is done, would you mind moving it to https://github.com/OTRF/detection-hackathon-apt29/tree/master/rules and then pushing a PR? Thank you man, I appreciate all the help! 👍

Cyb3rWard0g commented 4 years ago

2.B.1 Exfiltration Over Command and Control Channel

Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)

Criteria: The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel