Editor's Note: This post is an excerpt of a full report. To read the entire analysis, download the report as a PDF.

In July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly targeted cyber espionage campaign against the Aerospace and Telecommunications industries, mainly in the Middle East, with additional victims in the U.S., Russia and Europe. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan), dubbed ShellClient, which was employed as the primary espionage tool. The Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations' infrastructure and technology.

Editor's Note: The following post is an excerpt of a full report. To read the entire analysis, download the report as a PDF.

Recorded Future's Insikt Group created detections to run with SIEM software, and incident response guides, for 4 popular credential harvesting tools. This article details our research regarding Sigma-based detection rules for Mimikatz, LaZagne, T-Rat 2.0, and Osno Stealer. Sources included the Recorded Future® Platform, Malpedia, PolySwarm, reverse engineering and open-source intelligence (OSINT) enrichments. The target audience for this research includes security practitioners, network defenders, and threat intelligence professionals who are interested in protecting organizations from credential harvesting tools.

The use of credential harvesting tools is a common and powerful way for threat actors to gain additional access to your infrastructure. Details of a recent Ryuk incident show a 15-step procedure for victim compromise, 2 of which include the use of the credential harvesting tools Mimikatz and LaZagne. These tools were used to move laterally throughout the victim's environment and compromise other hosts on the network.

Sigma is a standardized rule syntax which can be converted into many different SIEM-supported syntax formats. When combined with properly configured host-based logging, using tools such as Sysmon, Sigma rules can elevate the ability of an organization to detect and respond to threats with increased accuracy and efficiency. The Recorded Future Platform allows clients to access and download Sigma rules developed by Insikt Group for use in their organizations. The Sigma rules provided by the open-source Sigma project and the custom rules developed by Recorded Future (available to existing clients only) offer a powerful capability to detect and respond to credential harvesting using existing SIEM solutions. Additionally, we provide an initial incident priority level and a high-level response procedure to help security operations teams respond to credential harvesting incidents.

Key points:

- Sigma rules are an effective way to share detections among multiple platforms.
- Successful detection and response to credential harvesting activity may prevent intrusions from completing their objectives.
- Most credential harvesting tools are high risk, since they enable additional tactics, techniques, and procedures (TTPs) such as lateral movement and privilege escalation. Commonly, credential harvesting tools are used as a second-stage tool and indicate that the host is already compromised.
- Using Recorded Future priority levels and response procedures with Sigma rules provides an easy-to-implement detection and response capability for cybersecurity teams.
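As an added illustration of what a Sigma detection actually tests when run against Sysmon process-creation telemetry (example code written for this post, not Recorded Future's or the Sigma project's code): the rule, the field names and the sample events are constructed, and the matcher implements only a small subset of Sigma's matching semantics.

```python
import ast

# Constructed rule in the shape of a Sigma detection block (hypothetical, not an official
# Sigma project rule). Keys use Sigma's "Field|modifier" syntax; a list means "any of".
CRED_HARVEST_RULE = {
    "title": "Credential harvesting tool execution (constructed example)",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "proc_create": {"EventID": 1},
        "sel_image": {"Image|endswith": ["\\mimikatz.exe", "\\lazagne.exe"]},
        "sel_cmd": {"CommandLine|contains": ["sekurlsa::", "lazagne"]},
        "condition": "proc_create and (sel_image or sel_cmd)",
    },
}

def _field_matches(event, key, expected):
    # One Sigma field test; comparisons are case-insensitive, as Sigma specifies.
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    wanted = [str(w).lower() for w in (expected if isinstance(expected, list) else [expected])]
    tests = {"": lambda w: value == w, "contains": lambda w: w in value,
             "endswith": value.endswith}  # unsupported modifiers raise KeyError
    return any(tests[modifier](w) for w in wanted)

def _eval_condition(expr, names):
    # Sigma's and/or/not condition grammar, walked via ast so only booleans and names run (no eval()).
    def walk(node):
        if isinstance(node, ast.BoolOp):
            vals = [walk(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            return names[node.id]
        raise ValueError(f"unsupported condition syntax: {type(node).__name__}")
    return walk(ast.parse(expr, mode="eval").body)

def rule_matches(rule, event):
    det = rule["detection"]
    names = {n: all(_field_matches(event, k, v) for k, v in sel.items())
             for n, sel in det.items() if n != "condition"}
    return _eval_condition(det["condition"], names)

# Constructed Sysmon-style events (not real telemetry): benign, tool by name, renamed tool, network event.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\mimikatz.exe", "CommandLine": "mimikatz.exe"},
    {"EventID": 1, "Image": "C:\\Temp\\svc.exe", "CommandLine": "svc.exe sekurlsa::logonpasswords"},
    {"EventID": 3, "Image": "C:\\Users\\Public\\mimikatz.exe", "CommandLine": ""},
]
```

In production the rule would be converted by the Sigma toolchain into the SIEM's native query language rather than evaluated like this; the point here is that the renamed binary is still caught by its command line, while the network event is excluded by the EventID selection.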