SEC 350 Project 3 Threat Hunting - DefiantCoder/Tech-Journals GitHub Wiki
Threat actor & TTPs
APT 28: Fancy Bear

Attributed to Russia's GRU (General Staff Main Intelligence Directorate), APT28 is credited with compromising the Hillary campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 using spear phishing. Their goals are to benefit Russian interests and weaken opposition, including the United States. The attack exfiltrated large volumes of data from the DNC; it began in 2015 and continued through late 2016.

The TTPs I will be searching for are known malicious domains used by APT28, which I will add to Wazuh's monitored domains list, and known malware signatures, which I will look for with the FIM scan.
By modifying the ossec.conf file and adding the domains to the local_rules.xml file, you can monitor for the domains associated with APT28 that this project tracks.
By adding the file paths and hashes of these known malicious files to the ossec.conf file and configuring Wazuh, you can monitor files for changes that match these signatures.

APT28 Known Malware Signatures:
- CHOPSTICK
- Gamefish
- Hammertoss
- MiniDuke
- Sednit
- Sofacy
- Sourface
- X-Agent
These TTPs can be simulated with a log entry recording a visit to one of these known sites, as well as with a config file containing one of the malware signatures.
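As an added example (not part of this project and not Wazuh's own code), the following stand-alone Python script performs the two hunts described above outside of Wazuh: a domain-watchlist match over log lines and a hash match over the files in a monitored directory, plus the simulation of dropping a signature-bearing file. The two domains are taken from the project's domain list; the log lines, the sample bytes and their hash are constructed placeholders, since the page names malware families but gives no hashes.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# Two domains from the project's APT28 list; the hash entry is a constructed placeholder.
DOMAIN_WATCHLIST = {"login-page.net", "to-read-xls.com"}
SIGNATURE_BYTES = b"constructed stand-in for an X-Agent sample"
HASH_WATCHLIST = {hashlib.sha256(SIGNATURE_BYTES).hexdigest(): "X-Agent"}
# Constructed dnsmasq-style log lines: one true hit, one look-alike, one benign.
SAMPLE_LOGS = [
    "Oct 10 12:00:01 ws01 dnsmasq[1234]: query[A] mail.login-page.net from 10.0.0.5",
    "Oct 10 12:00:02 ws01 dnsmasq[1234]: query[A] notlogin-page.net from 10.0.0.5",
    "Oct 10 12:00:03 ws01 dnsmasq[1234]: query[A] www.example.com from 10.0.0.5",
]
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)

def watchlisted_domain(host, watchlist=DOMAIN_WATCHLIST):
    """Entry that host equals or is a subdomain of, else None (label-boundary match)."""
    host = host.lower().rstrip(".")
    for domain in watchlist:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def hunt_domains(log_lines, watchlist=DOMAIN_WATCHLIST):
    """(domain, host, line) for each log line that names a watchlisted domain."""
    hits = []
    for line in log_lines:
        for host in HOST_RE.findall(line):
            domain = watchlisted_domain(host, watchlist)
            if domain:
                hits.append((domain, host, line))
                break
    return hits

def hunt_files(root, hash_watchlist=HASH_WATCHLIST):
    """Hash every file under root (what a FIM scan records) and flag known hashes."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if digest in hash_watchlist:
                hits.append((hash_watchlist[digest], str(path)))
    return hits

def run_simulation():
    """The FIM test: drop a signature file beside a harmless one, scan, return hits."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "update.cfg").write_bytes(SIGNATURE_BYTES)
        Path(tmp, "readme.txt").write_text("harmless text")
        return [name for name, _ in hunt_files(tmp)]
```

The look-alike line shows why the domain check matches on a label boundary rather than as a substring: notlogin-page.net must not fire for login-page.net.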