Project 3 Threat Hunting - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

This page covers content related to SEC-350 Project 3 - Threat Hunting.

All of my linked scripts live under Oliver-Mustoe-Tech-Journal/SEC-350/PROJ_3/ in GitHub. Every command below assumes you are running it from that directory.


Threat Actor: Chimera

With the success of the Taiwan semiconductor industry in 2019, hackers were bound to notice. That is where my threat actor, Chimera, comes into play. Observed throughout 2019-2021, multiple companies from varied industries have been impacted by this APT. They started in 2019 specifically on the Taiwan high-tech semiconductor industry and have since expanded into the airline industry. Of particular interest to this group is sensitive/patented information that might give competitors or nation states a leg up in their own production.

Environment Setup

The environment was built on my 480 class environment in vCenter, reusing content from Milestone 8 and Milestone 9 in particular. In my environment a domain called "sec.local" was also created; it contains AD1-350 as the domain controller and WKS1-350 as a domain-joined host.

NOTE that the following files must be downloaded separately from Splunk and placed in Oliver-Mustoe-Tech-Journal/SEC-350/PROJ_3/files/splunk/.

Configuration files:

```powershell
Edit-WVMIP -vm ad1-350 -ethernetname Ethernet0 -ip 192.168.0.5 -mask 255.255.255.0 -gateway 192.168.0.2 -nameserver 192.168.0.2 -defaultJSON ./480.json
```

Commands run to set up the environment (not including the PowerShell above or VM deployment):

```shell
ansible-playbook --ask-pass gateway-config.yml -i inventories/350-inventory.yml
ansible-playbook --ask-pass gateway-config-dhcp.yml -i inventories/350-inventory.yml
ansible-playbook -i inventories/350-inventory.yml active-directory-setup.yml --ask-pass -K
ansible-playbook -i inventories/350-inventory.yml windows-domain-add-350.yml --ask-pass -K
ansible-playbook -i inventories/350-inventory.yml splunk-enterprise-setup-350.yaml --ask-pass -K
ansible-playbook -i inventories/350-inventory.yml win-splunk-forwarder-setup.yaml --ask-pass -K
```

NOTE: I would also correctly set SPLUNK-350's timezone to "America/New York"

Agent Configuration

In my domain, "sec.local", I made a GPO at the top level of the domain with the following configuration, using the RSAT tools on WKS1-350:

  • Under "Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell", enabled Module Logging and PowerShell Script Block Logging.
  • Under "Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Configuration\Detailed Tracking", enabled audit events for Success and Failure.
  • Under "Computer Configuration\Policies\Administrative Templates\System\Audit Process Creation", enabled the inclusion of the command line in process creation events.
  • Under "Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options", enabled forcing audit policy subcategory settings to override category settings.

On the Splunk side I also installed the Splunk Add-on for Windows (done through the Ansible playbooks above). Within it I collected data from a few sources (see win_inputs.conf.j2), the most important being the Windows Security event log.

This is what let me parse the process creation and PowerShell logs generated by the GPO above.

Detections

Basic detection settings

All alerts presented use the same scheduling settings: the search runs once per minute, looks back over the previous minute, and alerts on any result. Only the alert name and severity were changed per alert.

Detection 1: NET COMMANDS

| Alert Name | Severity |
| --- | --- |
| 350NETALERT | HIGH |

TTP Description:

In the discovery stage of an attack, Chimera has been observed using the following net commands to enumerate local and domain accounts and the local administrators group on the host they are on.

```shell
net user
net user Administrator
net user <username> /domain
net localgroup administrators
```

Alert Search:

```
index="350" source="wineventlog:security" | rex field=_raw "Name='SubjectUserSid'>(?<SubjectUserSid>.*?)<\/Data.*'CommandLine'>(?<CommandLine>.*[nN][eE][tT].*?)<\/Data.*Name='ParentProcessName'>(?<ParentProcessName>.*?)<\/Data" |
regex ParentProcessName != ".*splunkd.exe.*|.*svchost.exe.*|.*iexplore.exe.*|.*msedge.exe.*|.*explorer.exe.*" |
regex CommandLine != ".*svchost.*" |
stats count by host,SubjectUserSid,CommandLine,ParentProcessName
```

Alert in Action:

Detection 2: NTDS COMMANDS

| Alert Name | Severity |
| --- | --- |
| 350NTDSACTIVITY | CRITICAL |

TTP Description:

In the privilege escalation/discovery phase, Chimera has been observed running the tool NtdsAudit V2.0.5 to dump the password hashes of domain users.

```shell
msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv
```

NOTE: the actor renamed ntdsaudit.exe to msadcs.exe before running it.

Chimera was also seen using ntdsutil to create a copy of the AD database NTDS.dit, followed by an esentutl repair to fix a possibly corrupt copy.

```shell
ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\tmp" q q
esentutl /p /o ntds.dit
```

Alert Search:

```
index="350" source="wineventlog:security" | rex field=_raw "Name='SubjectUserSid'>(?<SubjectUserSid>.*?)<\/Data.*'CommandLine'>(?<CommandLine>.*[nN][tT][dD][sS].*?)<\/Data.*Name='ParentProcessName'>(?<ParentProcessName>.*?)<\/Data" |
stats count by host,SubjectUserSid,CommandLine,ParentProcessName
```

Alert in Action:

NOTE: The commands used by the actor were modified in the "Alert in Action" section to reflect the pathing needed to run them from a single .bat file. The threat actor likely did something similar to switch directories or pull files before running the commands above. Even if the actor did this differently from the example, the commands would still be caught, because the rex in the search above matches any command line containing "ntds" regardless of case or path.

Detection 3: SCHEDULED TASK COMMANDS

| Alert Name | Severity |
| --- | --- |
| 350SCHTASKS | HIGH |

TTP Description:

During the execution phase of an attack, Chimera has been observed using scheduled tasks to install Cobalt Strike and run discovery commands through a .bat file. Example below.

```shell
schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st 06:59:00
```

Alert Search:

```
index="350" source="wineventlog:security" | rex field=_raw "Name='SubjectUserSid'>(?<SubjectUserSid>.*?)<\/Data.*'CommandLine'>(?<CommandLine>.*[sS][cC][hH][tT][aA][sS][kK][sS].*?)<\/Data.*Name='ParentProcessName'>(?<ParentProcessName>.*?)<\/Data" |
stats count by host,SubjectUserSid,CommandLine,ParentProcessName
```
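To show what the three alert searches above (350NETALERT, 350NTDSACTIVITY and 350SCHTASKS) actually select, here is an added Python replay of their logic over a handful of constructed 4688 process creation events. This is example code written for this page, not part of the project's Splunk configuration: the rex pattern, keyword classes and `regex != ` exclusions are transcribed from the searches, while the hostnames, SIDs, paths and events are made up. It also includes two benign events (an svchost launch and a dotnet build) to show where the substring keyword match holds up and where it does not.

```python
"""Offline replay of the page's three Splunk alerts over constructed 4688 events.

The rex extraction, keyword classes and parent/command exclusions are transcribed
from the Alert Search blocks on this page; the events, SIDs and hostnames below are
constructed for this example, not real logs from the lab.
"""
import re
from collections import Counter

# Transcription of the page's rex: SubjectUserSid, CommandLine (which must contain
# the alert's keyword) and ParentProcessName, pulled from the XML-rendered event.
# Splunk escapes the slash as <\/Data; Python's re does not need that.
REX_TEMPLATE = (
    r"Name='SubjectUserSid'>(?P<SubjectUserSid>.*?)</Data.*"
    r"'CommandLine'>(?P<CommandLine>.*{kw}.*?)</Data.*"
    r"Name='ParentProcessName'>(?P<ParentProcessName>.*?)</Data"
)

# One entry per alert on the page: keyword class, then the `regex field != "..."`
# exclusions (None where the page's search has no such line).
ALERTS = {
    "350NETALERT": {
        "severity": "HIGH",
        "kw": r"[nN][eE][tT]",
        "parent_exclude": r".*splunkd.exe.*|.*svchost.exe.*|.*iexplore.exe.*|.*msedge.exe.*|.*explorer.exe.*",
        "cmd_exclude": r".*svchost.*",
    },
    "350NTDSACTIVITY": {"severity": "CRITICAL", "kw": r"[nN][tT][dD][sS]",
                        "parent_exclude": None, "cmd_exclude": None},
    "350SCHTASKS": {"severity": "HIGH", "kw": r"[sS][cC][hH][tT][aA][sS][kK][sS]",
                    "parent_exclude": None, "cmd_exclude": None},
}


def extract(raw, kw):
    """Apply the rex with the given keyword; None means the event drops out of the search."""
    m = re.search(REX_TEMPLATE.format(kw=kw), raw)
    return m.groupdict() if m else None


def evaluate(host, raw):
    """Return [(alert_name, severity, fields)] for every alert this one event satisfies."""
    hits = []
    for name, spec in ALERTS.items():
        fields = extract(raw, spec["kw"])
        if fields is None:
            continue
        # Splunk's `regex <field> != "<pattern>"` keeps only events whose field does NOT match.
        if spec["parent_exclude"] and re.search(spec["parent_exclude"], fields["ParentProcessName"]):
            continue
        if spec["cmd_exclude"] and re.search(spec["cmd_exclude"], fields["CommandLine"]):
            continue
        hits.append((name, spec["severity"], dict(host=host, **fields)))
    return hits


def run_searches(events):
    """Mimic `stats count by host,SubjectUserSid,CommandLine,ParentProcessName` per alert."""
    tables = {name: Counter() for name in ALERTS}
    for host, raw in events:
        for name, _severity, f in evaluate(host, raw):
            tables[name][(host, f["SubjectUserSid"], f["CommandLine"], f["ParentProcessName"])] += 1
    return tables


def make_event(sid, command_line, parent):
    """Constructed one-line EventData fragment shaped like a 4688 event rendered as XML."""
    return (
        "<EventData><Data Name='SubjectUserSid'>{}</Data>"
        "<Data Name='NewProcessName'>C:\\Windows\\System32\\cmd.exe</Data>"
        "<Data Name='CommandLine'>{}</Data>"
        "<Data Name='ParentProcessName'>{}</Data></EventData>"
    ).format(sid, command_line, parent)


# Constructed sample: the two lab hosts, a made-up workstation user SID and the
# built-in Administrator (RID 500) on the DC. All values are placeholders.
WKS_USER = "S-1-5-21-1111-2222-3333-1105"
DC_ADMIN = "S-1-5-21-1111-2222-3333-500"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ("WKS1-350", make_event(WKS_USER, "net user Administrator", CMD)),
    ("WKS1-350", make_event(WKS_USER, "net user Administrator", CMD)),  # repeat -> count 2
    ("WKS1-350", make_event(WKS_USER, "net localgroup administrators", PS)),
    ("AD1-350", make_event(DC_ADMIN, r'ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\tmp" q q', CMD)),
    ("AD1-350", make_event(DC_ADMIN, r'schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st 06:59:00', CMD)),
    # Benign noise: "netsvcs" matches the keyword and services.exe is not an excluded
    # parent, so only the CommandLine exclusion keeps this out of 350NETALERT.
    ("WKS1-350", make_event(WKS_USER, r"C:\Windows\System32\svchost.exe -k netsvcs -p", r"C:\Windows\System32\services.exe")),
    # Substring match: "dotnet" contains "net", so this benign build fires 350NETALERT.
    ("WKS1-350", make_event(WKS_USER, "dotnet build MyApp.csproj", CMD)),
]

if __name__ == "__main__":
    for name, table in run_searches(SAMPLE_EVENTS).items():
        print(f"== {name} ({ALERTS[name]['severity']}) ==")
        for (host, sid, cmd, parent), count in table.items():
            print(f"{count:>3}  {host}  {sid}  {cmd}  <- {parent}")
```

Running it shows 350NETALERT producing three rows (the repeated `net user Administrator` counted twice, plus the `dotnet build` false positive), while the ntdsutil and schtasks events each land in their own alert. The dotnet and svchost cases are the caveat worth keeping in mind: the searches match the keyword anywhere in the command line, so anything containing "net" (dotnet, netsvcs, netsh, Internet) is a candidate and only the parent/command exclusions keep the noise down. Tightening the keyword to a word boundary (`\bnet\b`) or matching on the NewProcessName field as well would cut that noise without losing the commands listed in the TTP descriptions.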

Alert in Action:
