Threat Thursday - Red Canary October Detection Opportunities

Hi, and welcome to our #ThreatThursday covering recent detection opportunities published by Red Canary in their blog Intelligence Insights: October 2021. The Cyber Threat Intelligence (CTI) from Red Canary contains detection logic for specific threat procedures. We reviewed the methods and developed emulation plans where applicable to help test and validate the detection opportunities in your environment. These emulations help answer the questions:

• Do we alert on this already?
• Does our alert work?

• Are we responding to this activity?
• Do we have logging or detection gaps?

T1547.001 - Registry Run Keys / Startup Folder

The first detection opportunity mentioned by Red Canary is for PowerShell writing an LNK file shortcut to the startup directory. An LNK file is a shortcut that point points to an original file or application. When an LNK is placed in the startup folder an adversary can achieve persistence by having the LNK execute the command and control payload at start up.  Multiple adversaries have used the procedure of creating an LNK file in the startup folder. Red Canary states a trending threat named Yellow Cockatoo is leveraging this procedure. 

Emulation

To emulate this procedure, SCYTHE customers can import the Atomic test from our Community Threats Library. Others can generate this activity manually via the test from Atomic Red Team. 

Detection

Red Canary recommended using the following detection logic to detect the current threat:

• A powershell.exe process with a command line that contains “AppData”, a file modification containing start menu\programs\startup with a .lnk extension

 Alternatively, leverage the SIGMA Rule based on Red Canary’s recommendation.

Response

The incident responder should seek to determine the source of this activity and the depth of the attack by answering the following.

• Is the activity on this host caused by lateral movement from another host?

• If so, you may want to invoke a broader incident response plan.

• Was this host the only system impacted?

• Has the host conducted further actions on objectives? 

• Did this host conduct movement to other systems?

• If the host is the sole source of the activity with no lateral movement confirmed, then containment and remediation on the single host may be applicable.

T1072 - Software Deployment Tools

The second opportunity attempts to catch a Ransomware precursor. Ransomware is known to leverage enterprise remote management solutions in its campaigns. These solutions are leveraged to achieve persistence and conduct actions on objectives. Therefore, if the solutions listed here aren’t approved for your organization, consider proactively detecting them. This opportunity focuses on detecting installations of the ATERA remote management agent.

Emulation

To emulate this procedure, SCYTHE customers can import the test from our Community Threats Library. Others can generate this activity manually via the test below:

Set Registry Key:

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\ATERA Networks\AlphaAgent"

Clean up:

reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\ATERA Networks" /f

Detection

Red Canary recommends the following detection logic:

•  A registry modification path that contains “ATERA Networks”

Please note that if you are using Sysmon, you likely need to add a target object that contains ATERA Networks.

Response

If the account owner did not conduct the installation, this indicates a malicious actor running actions on objectives, and the organization should enact its incident response plan.

T1553.005 - Mark-of-the-Web Bypass

The final emulation plan replicates downloading a VHD (Virtual Hard Disk) file from a web browser. This procedure is related to the Mark-of-the-Web Bypass technique, where adversaries leverage container files like VHD to subvert controls and detections. Red Canary observed Zloader conducting this procedure and highlighted a detection opportunity. 

Emulation

To emulate this procedure, SCYTHE customers can import the test from our Community Threats Library. Unfortunately, at this time, we do not have a non-SCYTHE emulation for this procedure.

Detection

In Red Canary’s blog post, they recommend the following logic:

• A process name consistent with browsers used in the organization such as chrome.exe, firefox.exe, microsoftedge.exe, microsoftedgecp.exe, or msedge.exe with a file modification containing a .vhd extension.

We recommend leveraging the following SIGMA rule as well. Please note to include all browsers observed in your environment, as these rules may not cover them all. If leveraging Sysmon, you will likely have to update the configuration to contain a target filename ending with “.vhd”.

Response

The responding analyst should seek to answer the following.

• Is the VHD file a legitimate disk image? 

• If legitimate, it may be possible to tune out the domain.
• If non-legitimate, how deep is the attack, and are there actions on objectives?

• What initiated the download?

• Are there other scripts, programs, or artifacts that caused the download and must be removed during remediation?

Special Thanks

We’d like to give a special thanks to Red Canary for all they contribute to the community. These emulation plans would not be possible without Red Canary publishing the detection opportunities in their Intelligence Insights: October 2021.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.