The initial breach was via an "EFax" spearphishing message -- sweet!
1039 compromised systems
1000+ unique malware samples
1000+ unique C2 domains/IPs
7000+ attacker files including scripts & tools
Pace: Infected ~10 systems/day
Client insisted on pulling systems offline when infection found, despite responders' urging not to do so.
Due to the volume and pace of machines compromised, the team had to abbreviate the typical deep-dive forensic analysis to just quick triage.
Developed indicators to assist with more efficient analysis.
- lateral movement
- data theft
- New back doors, etc.
- deviations from typical known attacker TTPs
Used client personnel to assist with monitoring and analysis.
Leveraged SCCM to look for known files, directories, etc.
Attacker used anti-forensic techniques
- secure deletion, moved from system to system every 3 days or so
- used strong crypto in C2, used exclusively compromised 3rd party sites and social media
"Rolling Remediation" showed our hand to the attacker and allowed them to know which evasion techniques were working and which weren't.
Client used varying technology across business units -- made analysis difficult.
Attacker used the Sysinternals "sdelete" tool, but that leaves an EULA Accept key in the registry.
Team emphasized the use of automation to find new examples of known IOCs.
Sparklines used for documenting and visualizing time & volume of activity
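An added example of the sparkline idea (not code from the talk or the responders): bucket event timestamps per day and render a Unicode sparkline per host on one shared scale, so the time and volume of activity fit on one line of a status note. The host names and timestamps are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

BARS = "▁▂▃▄▅▆▇█"  # eight levels; index 0 is reserved for "no activity"

# Constructed sample: (host, first-seen timestamp) pairs. Not data from the case.
SAMPLE_EVENTS = [
    ("WKS-017", "2014-03-01T08:12:00"), ("WKS-042", "2014-03-01T13:40:00"),
    ("WKS-017", "2014-03-02T09:05:00"),
    ("SRV-003", "2014-03-04T02:10:00"), ("WKS-017", "2014-03-04T03:55:00"),
    ("WKS-042", "2014-03-04T04:20:00"), ("SRV-003", "2014-03-04T23:59:00"),
    ("WKS-042", "2014-03-06T11:00:00"),
    ("SRV-003", "2014-03-07T10:00:00"), ("WKS-017", "2014-03-07T10:30:00"),
]


def bucket_by_day(timestamps, start, end):
    """Count events per calendar day from start to end (ISO dates, inclusive), zero-filled."""
    start, end = date.fromisoformat(start), date.fromisoformat(end)
    per_day = Counter(datetime.fromisoformat(ts).date() for ts in timestamps)
    return [per_day.get(start + timedelta(days=i), 0) for i in range((end - start).days + 1)]


def sparkline(counts, peak=None):
    """Render a count series as a Unicode sparkline.

    Zero always renders as the lowest bar so quiet days stay visible; other values
    scale against `peak` (default: the series maximum) so several rows can share one scale.
    """
    peak = peak if peak is not None else max(counts, default=0)
    if peak <= 0:
        return BARS[0] * len(counts)
    top = len(BARS) - 1
    return "".join(
        BARS[0] if c == 0 else BARS[max(1, (c * top + peak // 2) // peak)]
        for c in counts
    )


def activity_table(events, start, end):
    """Per-host sparklines over one shared scale, for a triage report or status note."""
    by_host = defaultdict(list)
    for host, ts in events:
        by_host[host].append(ts)
    rows = {host: bucket_by_day(ts_list, start, end) for host, ts_list in by_host.items()}
    peak = max((max(r) for r in rows.values()), default=0)
    return {host: sparkline(counts, peak) for host, counts in sorted(rows.items())}


if __name__ == "__main__":
    start, end = "2014-03-01", "2014-03-07"
    print("ALL     ", sparkline(bucket_by_day([ts for _, ts in SAMPLE_EVENTS], start, end)))
    for host, line in activity_table(SAMPLE_EVENTS, start, end).items():
        print(f"{host:8}", line)
```

Sharing one peak across hosts is deliberate: a row that is all `█` tells you nothing about whether that host saw one event a day or forty, while a common scale lets the busiest systems stand out at a glance.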
Lesson: "Add Visibility & Never Stop Looking"
Network time provides a reliable chronology.
"Once an attacker is found, fight to maintain line-of-sight"
Persistence: run keys, .LNK files, services, WMI, scheduled tasks, overwriting existing scheduled tasks, over-writing legitimate files
Unique malware (by hash, file name, file size, and C2) per host!
Bro IDS' ssl.log shows a lot of info on SSL sessions even if you can't decrypt them. One element is the cipher in use, and the attacker here was using an unusual cipher. Bro also showed the email address used for the key and automatically identified self-signed certs.
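An added example (not from the talk) of triaging ssl.log the way the notes describe: parse the tab-separated log by its `#fields` header, count ciphers across the capture so rarely seen ones surface, and flag sessions whose certificate is self-signed (subject equals issuer, or Bro's validation status says so) or carries an `emailAddress=` in the subject. The log excerpt, its field subset and the addresses are constructed; the header-driven parser adapts to whatever `#fields` line your Bro/Zeek version writes.

```python
import re
from collections import Counter

# Constructed Bro/Zeek-style ssl.log excerpt (tab-separated, '-' = unset). Not from the case.
SAMPLE_SSL_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher"
    "\tsubject\tissuer\tvalidation_status\n"
    "1393672800.1\tCX1\t10.1.2.3\t49152\t203.0.113.10\t443\tTLSv12"
    "\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tCN=www.example.com,O=Example\tCN=Example CA\tok\n"
    "1393672860.5\tCX2\t10.1.2.44\t49200\t198.51.100.7\t443\tTLSv10"
    "\tTLS_RSA_WITH_CAMELLIA_256_CBC_SHA\tCN=update,emailAddress=ops@mail.example"
    "\tCN=update,emailAddress=ops@mail.example\tself signed certificate\n"
    "1393672900.0\tCX3\t10.1.2.5\t49300\t203.0.113.10\t443\tTLSv12"
    "\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tCN=www.example.com,O=Example\tCN=Example CA\tok\n"
    "1393672950.0\tCX4\t10.1.2.9\t49400\t192.0.2.80\t443\tTLSv12"
    "\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\t-\t-\t-\n"
)

EMAIL_RE = re.compile(r"emailAddress=([^,/]+)")
SELF_SIGNED_RE = re.compile(r"self[ -]signed", re.I)  # wording of the validation string varies by OpenSSL version


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #fields header")
            yield dict(zip(fields, line.split("\t")))


def cipher_counts(records):
    """How often each cipher suite was negotiated in the capture."""
    return Counter(r.get("cipher", "-") for r in records)


def triage_ssl(text, rare_threshold=1):
    """Flag sessions worth a look: rare cipher, self-signed cert, or an e-mail address in the subject."""
    records = list(parse_bro_log(text))
    rare = {c for c, n in cipher_counts(records).items() if n <= rare_threshold}
    findings = []
    for r in records:
        reasons = []
        if r["cipher"] in rare:
            reasons.append("rare cipher " + r["cipher"])
        subject, issuer = r.get("subject", "-"), r.get("issuer", "-")
        # Guard against '-' == '-' when the cert was not observed at all.
        if (subject != "-" and subject == issuer) or SELF_SIGNED_RE.search(r.get("validation_status", "")):
            reasons.append("self-signed cert")
        m = EMAIL_RE.search(subject)
        if m:
            reasons.append("cert email " + m.group(1))
        if reasons:
            findings.append({"uid": r["uid"], "server": r["id.resp_h"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_ssl(SAMPLE_SSL_LOG):
        print(f["uid"], f["server"], "; ".join(f["reasons"]))
```

On a real capture, raise `rare_threshold` (or feed a known-good cipher baseline instead of counting) so the "prioritize the unknown" list stays short enough to work through by hand.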
Prioritize the UNKNOWN
"Methodology IOCs" helped identify systems that had no known malware on them.
Malware built with PyInstaller or Py2Exe, then packed with UPX
- used WMI to persist backdoors and schedule backdoors to be extracted and executed MONTHS IN THE FUTURE
- used PowerShell for backdoors and ran Invoke-Mimikatz (evaded AV)
- embedded PowerShell code in WMI class properties to execute on remote systems
- attacked Kerberos tickets to make tracking of lateral movement difficult
WMI forensics: parsed the objects.data strings on the endpoint (Willi Ballenthin has Python modules for parsing this now on his GitHub)
Team enabled PowerShell 4.0 logging.
"You must match or exceed the attackers' intensity"