Each scenario consists of a set of items to be detected, and the evaluation is based on whether or not each of them was detected.
Detections are further broken down by detection status: Technique, Tactic, and General.
Items are numbered according to the rule "(major item number).(sub-item letter).(minor item number)".
In addition, as my own angle this time, I tried adding a five-way classification to each item.
The reason is that it seems like a useful indicator of what kind of behaviour each item represents and what family of detection capability should be expected to catch it.
Some items seemed to relate to more than one category, but for now I decided to assign each of them to just one.
The classification uses the following viewpoints.
User activity (UA)
Items where the user's own operation is the main factor (e.g. running a program by mouse click).
Malware Inside Behavior (MIB)
Items where the internal activity of the malware is the main factor.
To detect these, you need to either monitor the malware's own behaviour or detect the results produced by the malware having run.
Command Level Behavior/Leaves traces to be detected in the OS (CB/LT)
Behaviour such as command execution by the attacker's operation, or malware etc. launching other processes via the command line. These need to be detected with methods such as the forensic viewpoint on cyber attacks, DFIR first among them.
Items where, even without directly monitoring the malware's internal behaviour, the results of the malware running remain as traces in event logs etc. and are likely to be detected from those are also included in this category.
Network (Nt)
Detection requires monitoring network traffic or working from logs related to network communication. Remote logons are also included in this category.
File or data attribute (Attr)
Detection requires referencing the file or the data itself, e.g. inspecting its attributes.
As a result of this classification, user operations accounted for 4 items, items about the malware's own behaviour for a little over 30%, items about command-type behaviour for a little over 40%, network items for a little over 10%, and file or data information for 10 items.
I thought that comparing this breakdown against the results would give an indicator of what each solution is strong and weak at, so I adopted it again in this analysis, continuing from last time.
Compared with the previous two rounds, items about the malware's own behaviour have increased, while items about command-type behaviour and network items seem to have decreased.
The biggest conceivable reason is that this round's scenarios make heavy use of malware. However, with remote work meaning endpoints are no longer on the organisation's network, and with zero-trust thinking pushing towards security that is to some extent self-contained on each endpoint, the emphasis may be shifting towards detection by monitoring malware and command behaviour. For the network, it may also be that in many cases the emphasis was placed on network monitoring appliances in the first place.
As for the reasons behind the change in item trends, beyond the scenarios themselves there may also be changes in needs such as zero trust and root-cause investigation via EDR, so I think each reader can consider this for themselves.
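As an added example (not part of the original post), here is a small Python script that applies the scheme above to rows written in the same "Step | Detection criteria | UA | MIB | CB/LT | Nt | Attr" format: it validates the step-id rule, enforces the one-category-per-item choice, and produces the per-category totals and a per-major-step breakdown. The sample rows are constructed and their 〇 placement is illustrative, not the author's actual classification.

```python
import re
from collections import Counter, defaultdict

CATEGORIES = ("UA", "MIB", "CB/LT", "Nt", "Attr")  # column order used by the tables
STEP_ID = re.compile(r"^(\d+)\.([A-Z])\.(\d+)$")    # "(major).(letter).(minor)", e.g. 12.A.3

def parse_row(line):
    """Parse 'Step | Detection criteria | UA | MIB | CB/LT | Nt | Attr' (no outer pipes).
    Returns (step_id, major_step, criteria, category); raises ValueError when the id
    is malformed or the row is not marked in exactly one category."""
    cells = [c.strip() for c in line.split("|")]
    if len(cells) != 2 + len(CATEGORIES):
        raise ValueError(f"expected {2 + len(CATEGORIES)} cells: {line!r}")
    step_id, criteria, marks = cells[0], cells[1], cells[2:]
    m = STEP_ID.match(step_id)
    if not m:
        raise ValueError(f"malformed step id {step_id!r}")
    marked = [cat for cat, mark in zip(CATEGORIES, marks) if mark]
    if len(marked) != 1:  # the one-category-per-item rule from the text above
        raise ValueError(f"{step_id}: expected exactly one mark, got {marked}")
    return step_id, int(m.group(1)), criteria, marked[0]

def is_valid_row(line):
    """True when the row passes parse_row's format and one-mark checks."""
    try:
        parse_row(line)
        return True
    except ValueError:
        return False

def tally(rows):
    """Marks per category (the '(Total)' line) and per major step number."""
    per_category, per_step = Counter(), defaultdict(Counter)
    for line in rows:
        if not line.strip():
            continue
        _, major, _, cat = parse_row(line)
        per_category[cat] += 1
        per_step[major][cat] += 1
    return dict(per_category), {k: dict(v) for k, v in per_step.items()}

# Constructed sample rows in the page's format; the 〇 placement here is
# illustrative only and is not the author's actual classification.
SAMPLE_ROWS = """
1.A.1 | Gunter clicks link in email and downloads NTFVersion.exe | 〇 | | | |
1.A.2 | NTFVersion.exe modifies Gunter's Winlogon Registry Key | | | 〇 | |
2.A.1 | mxs_installer.exe injects DLL via CreateRemoteThread | | 〇 | | |
2.A.2 | msedge.exe connects to a compromised proxy over HTTP | | | | 〇 |
2.A.3 | EPIC Guard DLL is embedded inside the Resource Section | | | | | 〇
""".strip().splitlines()
```

Running `tally(SAMPLE_ROWS)` over the real tables (with the 〇 placed in the correct column) reproduces the "(Total)" line and lets you see which major steps lean on which detection family.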
Scenario 1 Carbon
Step | Detection criteria | UA | MIB | CB/LT | Nt | Attr |
1.A.1 | Gunter clicks link in email from noreply@sktlocal.it and downloads NTFVersion.exe | 〇 | ||||
1.A.2 | Gunter executes NTFVersion.exe | 〇 | ||||
1.A.3 | mxs_installer.exe is embedded inside NTFVersion.exe via the Resource Section | 〇 | ||||
1.A.4 | NTFVersion.exe modifies Gunter's Winlogon Registry Key | 〇 | ||||
1.A.5 | NTFVersion.exe modifies Shell key value to include mxs_installer.exe | 〇 | ||||
2.A.1 | EPIC Guard DLL is embedded inside the Resource Section of mxs_installer.exe | 〇 | ||||
2.A.2 | mxs_installer.exe injects EPIC GUARD DLL into explorer.exe via CreateRemoteThread | 〇 | ||||
2.A.3 | explorer.exe enumerates process list via CreateToolhelp32Snapshot | 〇 | ||||
2.A.4 | EPIC Worker DLL is embedded inside the Resource Section of explorer.exe's Guard DLL | 〇 | ||||
2.A.5 | explorer.exe injects EPIC Worker DLL into msedge.exe via CreateRemoteThread | 〇 | ||||
2.A.6 | msedge.exe enumerates all users on the local machine via NetUserEnum | 〇 | ||||
2.A.7 | msedge.exe enumerates Gunter's files via FindFirstFile & FindNextFile | 〇 | ||||
2.A.8 | msedge.exe bzip2 compresses discovery output in memory | 〇 | ||||
2.A.9 | msedge.exe base64 encodes discovery output in memory | 〇 | ||||
2.A.10 | msedge.exe connects to shoppingbeach[.]org over HTTP protocol | 〇 | ||||
2.A.11 | msedge.exe connects to adversary's compromised proxy - shoppingbeach[.]org | 〇 | ||||
3.A.1 | cmd.exe executes various net group commands | 〇 | ||||
3.A.2 | cmd.exe executes "tasklist /svc" | 〇 | ||||
3.A.3 | msedge.exe uses a temporary AES key to encrypt command output in memory | 〇 | ||||
3.A.4 | msedge.exe RSA encrypts the AES temporary key in memory | 〇 | ||||
3.A.5 | cmd.exe reg queries the ViperVPNSvc service | 〇 | ||||
3.A.6 | cmd.exe executes powershell.exe to verify which users can access the ViperVPN service | 〇 | ||||
3.A.7 | cmd.exe modifies the ViperVPN service registry key | 〇 | ||||
4.A.1 | svchost.exe creates C:\Windows\System32\WinResSvc.exe | 〇 | ||||
4.A.2 | WinResSvc.exe uses filenames mressvc.dll and MSSVCCFG.DLL to appear as benign/legitimate | 〇 | ||||
4.A.3 | WinResSvc.exe calls OpenSCManager & CreateService API to create WinResSvc service | 〇 | ||||
4.A.4 | WinResSvc.exe writes ServiceDLL value to the WinResSvc\Parameters Registry Key via RegCreateKey & RegSetValue API | 〇 | ||||
4.A.5 | WinResSvc.exe writes SystemRestoreGroup value to the Svchost Registry Key via RegCreateKey & RegSetValue API | 〇 | ||||
4.A.6 | WinResSvc.exe starts WinSys Restore Service via StartService API | 〇 | ||||
4.A.7 | svchost.exe injects into msedge.exe via CreateRemoteThread API | 〇 | ||||
4.A.8 | msedge.exe connects to prendre-des-vacances[.]fr over HTTP protocol | 〇 | ||||
4.A.9 | msedge.exe receives RSA encrypted symmetric key | 〇 | ||||
4.A.10 | msedge.exe receives CAST-128 encrypted tasking | 〇 | ||||
4.A.11 | svchost.exe executes commands via CreateProcess | 〇 | ||||
4.A.12 | svchost.exe executes cmd.exe | 〇 | ||||
4.A.13 | cmd.exe executes whoami | 〇 | ||||
4.A.14 | Msedge.exe CAST-128 encrypts task output | 〇 | ||||
4.A.15 | Msedge.exe base64 encodes task output | 〇 | ||||
5.A.1 | msedge.exe creates winsas64.bat | 〇 | ||||
5.A.2 | cmd.exe executes winsas64.bat | 〇 | ||||
5.A.3 | winsas64.bat sprays several weak passwords against domain admin accounts | 〇 | ||||
5.A.4 | svchost.exe spawns cmd.exe to delete winsas64.bat | 〇 | ||||
5.A.5 | msedge.exe creates C:\Windows\Temp\wmimetricsq.exe | 〇 | ||||
5.A.6 | svchost.exe moves C:\Windows\Temp\wmimetricsq.exe to \\bannik\C$\Windows\System32 | 〇 | ||||
5.A.7 | svchost.exe enumerates, modifies, and executes remote scheduled task \Microsoft\Windows\Customer Experience Improvement Program\Consolidator | 〇 | ||||
5.A.8 | msedge.exe writes to dsnap for C2 comms through hobgoblin | 〇 | ||||
5.A.9 | cmd.exe executes net group /domain | 〇 | ||||
5.A.10 | cmd.exe executes dsquery | 〇 | ||||
6.A.1 | msedge.exe creates C:\Windows\Temp\terabox.exe | 〇 | ||||
6.A.2 | cmd.exe moves terabox.exe to System32 folder | 〇 | ||||
6.A.3 | cmd.exe executes terabox.exe | 〇 | ||||
7.A.1 | msedge.exe creates C:\Windows\Temp\wsqsp.exe | 〇 | ||||
7.A.2 | msedge.exe creates C:\Windows\Temp\wsqmanager.exe | 〇 | ||||
7.A.3 | cmd.exe executes terabox.exe to pass the hash with previously discovered Adalwolfa creds | 〇 | ||||
7.A.4 | msedge.exe connects to eunewswire[.]eu over HTTP protocol | 〇 | ||||
7.A.5 | cmd.exe deletes terabox.exe, wsqsp.exe, and wsqmanager.exe | 〇 | ||||
8.A.1 | msedge.exe creates wingtsvcupdt.exe | 〇 | ||||
8.A.2 | wingtsvcupdt.exe logs keystrokes to %temp%\~DFA512.tmp | 〇 | ||||
8.A.3 | cmd.exe deletes mwingtsvcupdt.exe and ~DFA512.tmp | 〇 | ||||
9.A.1 | msedge.exe creates C:\Windows\Temp\tmp504e.tmp | 〇 | ||||
9.A.2 | msedge.exe creates C:\Windows\Temp\pscp.exe | 〇 | ||||
9.A.3 | cmd.exe executes pscp.exe to copy tmp504e.tmp to 10.20.10.23 as /tmp/tmp514f524f using Adalwolfa's credentials | 〇 | ||||
9.A.4 | msedge.exe creates C:\Windows\Temp\plink.exe | 〇 | ||||
9.A.5 | cmd.exe executes plink to execute /root/hsperfdata | 〇 | ||||
9.A.6 | cmd.exe deletes tmp504e.tmp, pscp.exe, and plink.exe | 〇 | ||||
9.A.7 | hsperfdata has encrypted strings in the binary | 〇 | ||||
9.A.8 | hsperfdata masquerades as cron by executing from /usr/bin/cron | 〇 | ||||
9.A.9 | hsperfdata adds executable flag to created file cron | 〇 | ||||
9.A.10 | hsperfdata stops the cron service | 〇 | ||||
9.A.11 | hsperfdata modifies/restarts the cron service | 〇 | ||||
9.A.12 | cron installs a TCP filter on the eth0 interface | 〇 | ||||
9.A.13 | cron sniffs network traffic on eth0 for the magic packet | 〇 | ||||
10.A.1 | cron receives and triggers on a TCP packet containing a magic sequence of bytes | 〇 | ||||
10.A.2 | TCP packet payload data is base64 encoded | 〇 | ||||
10.A.3 | cron executes a reverse shell to 176.59.15.33:8081 | 〇 | ||||
10.A.4 | Watering hole via Javascript is established on the apache server | 〇 | ||||
(Total) | 2 | 25 | 36 | 8 | 5 |
Scenario 2 Snake
Step | Detection criteria | UA | MIB | CB/LT | Nt | Attr |
11.A.1 | Egle browses to nato-int.com and is redirected to anto-int.com and downloads NFVersion_5e.exe | 〇 | ||||
11.A.2 | Multiple snippets of JavaScript are executed | 〇 | ||||
11.A.3 | Egle executes NFVersion_5e.exe | 〇 | ||||
11.A.4 | msedge.exe connects to svobodaukrayin[.]ua over HTTPS protocol | 〇 | ||||
11.A.5 | msedge.exe connects to the adversary's compromised proxy - svobodaukrayin[.]ua | 〇 | ||||
11.A.6 | msedge.exe spawns cmd.exe to execute "systeminfo" | 〇 | ||||
12.A.1 | msedge.exe downloads C:\Users\Egle\Desktop\gupsys.exe | 〇 | ||||
12.A.2 | gusbsys.exe installs vulnerable driver - C:\WINDOWS\$NtUninstallQ608317$\gigabit.sys | 〇 | ||||
12.A.3 | gupsys.exe disables driver signature enforcement (DSE) | 〇 | ||||
12.A.4 | gupsys.exe installs C:\WINDOWS\$NtUninstallQ385719$\gup.sys | 〇 | ||||
12.A.5 | gupsys.exe removes gbyte.sys and re-enables DSE | 〇 | ||||
12.A.6 | gup.sys XOR decodes msnrcv64t.dll | 〇 | ||||
12.A.7 | msnrcv64t.dll is embedded inside gup.sys | 〇 | ||||
12.A.8 | gup.sys hooks various SYSCALL functions at runtime | 〇 | ||||
12.A.9 | gup.sys registers a Filtering Windows Platform Management (FWPM) Filter | 〇 | ||||
12.A.10 | gup.sys injects msnrcv64t.dll into msedge.exe/taskhostw.exe | 〇 | ||||
12.A.11 | msedge.exe XOR encrypts HTTP traffic to bestcafenews[.]com | 〇 | ||||
12.A.12 | msedge.exe connects to bestcafenews[.]com over HTTP protocol | 〇 | ||||
12.A.13 | gupsys.exe deletes gbyte.sys | 〇 | ||||
13.A.1 | taskhostw.exe executes commands via CreateProcessW | 〇 | ||||
13.A.2 | taskhostw.exe executes tasklist.exe /v | 〇 | ||||
13.A.3 | taskhostw.exe writes output to a named pipe svccommsdev that msedge.exe reads | 〇 | ||||
13.A.4 | taskhostw.exe executes net.exe user /domain EgleAdmin | 〇 | ||||
13.A.5 | taskhostw.exe enumerates a list of running processes | 〇 | ||||
13.A.6 | taskhostw.exe duplicates Egle's access token | 〇 | ||||
13.A.7 | taskhostw.exe executes net.exe with Egle's access token via CreateProcessWithTokenW | 〇 | ||||
13.A.8 | taskhostw.exe enumerates a list of shares via net use | 〇 | ||||
14.A.1 | msedge.exe downloads fs_cmu_v2.exe and file_svc_mgr.exe to named pipe svcsvcctrldev that taskhostw.exe reads | 〇 | ||||
14.A.2 | taskhostw.exe writes fs_cmu_v2.exe and file_svc_mgr.exe to System32 folder on Azuloas | 〇 | ||||
14.A.3 | taskhostw.exe authenticates as EgleAdmin to gain access to berzas | 〇 | ||||
14.A.4 | file_svc_mgr.exe executes fs_cmu_v2.exe on Berzas as EgleAdmin | 〇 | ||||
14.A.5 | msedge.exe on Berzas connects to themedicalinfo[.]net over HTTP protocol | 〇 | ||||
14.A.6 | taskhostw.exe deletes file_svc_mgr.exe and fs_cmu_v2.exe | 〇 | ||||
15.A.1 | taskhostw.exe executes powershell.exe with flags "-nol -noni -nop -enc" and arguments "$ProgressPreference = \"SilentlyContinue\"; Get-Module -ListAvailable -Name ActiveDirectory" | 〇 | ||||
15.A.2 | taskhostw.exe enumerates Active Directory groups via Get-ADGroup | 〇 | ||||
15.A.3 | taskhostw.exe enumerates accounts belonging to domain groups (Domain Admins and Server Management) via Get-ADGroupMember | 〇 | ||||
15.A.4 | taskhostw.exe enumerates account information (Zilvinas and ZilvinasAdmin) via Get-ADUser | 〇 | ||||
15.A.5 | taskhostw.exe enumerates domain computer information via Get-ADComputer | 〇 | ||||
16.A.1 | msedge.exe downloads loadperf.exe (mimikatz), fs_mgr.exe (psexec), and fs_cmu.exe (Snake installer) to named pipe (svcsvcctrldev) that taskhostw.exe reads | 〇 | ||||
16.A.2 | taskhostw.exe writes loadperf.exe (mimikatz), fs_mgr.exe (psexec), and fs_cmu.exe (Snake installer) to System32 folder on Berzas | 〇 | ||||
16.A.3 | taskhostw.exe dumps credentials using Mimikatz sekurlsa::logonpasswords | 〇 | ||||
17.A.1 | taskhostw.exe executes a pass-the-hash attack to authenticate as ZilvinasAdmin and use PsExec to execute the third Snake installer on uosis | 〇 | ||||
17.A.2 | msedge.exe connects to worldcup2023aus[.]org over HTTP protocol | 〇 | ||||
17.A.3 | taskhostw.exe deletes fs_mgr.exe, loadperf.exe, and fs_cmu.exe | 〇 | ||||
17.A.4 | taskhostw.exe enumerates running processes via "tasklist.exe /v" to discover ZilvinasAdmin process | 〇 | ||||
17.A.5 | taskhostw.exe creates a new domain admin Leshy using ZilvinasAdmin access token | 〇 | ||||
18.A.1 | msedge.exe downloads and writes mtxconf.dll, mtxcli.dll, msiex.ps1, perfe009.dat, wdr.rules.xml to a named pipe svcsvcctrldev that taskhostw.exe reads | 〇 | ||||
18.A.2 | taskhostw.exe writes mtxconf.dll, mtxcli.dll, msiex.ps1, perfe009.dat, wdr.rules.xml to System32 folder | 〇 | ||||
18.A.3 | taskhostw.exe copies above files to DREBULE C$ | 〇 | ||||
18.A.4 | winmail.dat masquerades as the file attachment created by Microsoft Outlook (https://support.mozilla.org/en-US/kb/what-winmaildat-attachment) | 〇 | ||||
18.A.5 | taskhostw.exe uses WMIC to execute msiex.ps1 on drebule, via CreateProcessWithToken, using a copy of ZilvinasAdmin's token | 〇 | ||||
18.A.6 | cmd.exe executes powershell.exe on DREBULE | 〇 | ||||
18.A.7 | LightNeuron is installed as a Microsoft.Exchange.Transport.Agent.ConnectionFiltering.dll | 〇 | ||||
18.A.8 | LightNeuron masquerades as a benign connection filtering agent | 〇 | ||||
18.A.9 | taskhostw.exe deletes msiex.ps1, wdr.rules.xml, mtxconf.dll, mtxcli.dll, perfe009.dat | 〇 | ||||
19.A.1 | EdgeTransport.exe reads emails containing JPG attachments for C2 communications | 〇 | ||||
19.A.2 | EdgeTransport.exe uses steganography to extract C2 communications from JPG attachment | 〇 | ||||
19.A.3 | the jpg is base64 encoded | 〇 | ||||
19.A.4 | EdgeTransport.exe spawns cmd.exe to execute commands via _popen | 〇 | ||||
19.A.5 | EdgeTransport.exe spawns cmd.exe to execute ipconfig /all | 〇 | ||||
19.A.6 | EdgeTransport.exe AES encrypts command output to be returned to the C2 | 〇 | ||||
19.A.7 | EdgeTransport.exe uses steganography to embed C2 communications in JPG attachment | 〇 | ||||
19.A.8 | The JPG attachment is base64 encoded to be added as an attachment to a MIME formatted email | 〇 | ||||
19.A.9 | EdgeTransport.exe communicates to the C2 server in an email to noreply@innovationmail.net via .eml written to "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Pickup\" | 〇 | ||||
19.A.10 | EdgeTransport.exe rejects delivery of emails containing C2 communications | 〇 | ||||
19.A.11 | EdgeTransport.exe collects and logs all incoming emails to nk.local to C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\tmp4C4E | 〇 | ||||
19.A.12 | EdgeTransport.exe exfiltrates the email log file over its existing C2 channel | 〇 | ||||
(Total) | 2 | 24 | 26 | 10 | 5 |