Attacks and Analysis

Multiple password guessing, privilege escalation, and malware attacks were analyzed. Living off the land techniques and credential theft methods were also discussed. Several user login failures and blocked malware infections were summarized. Common Windows event IDs, log levels, and logon types were outlined to aid analysis. Recommendations included blocking suspicious IPs and users, enforcing strong passwords, and performing password guessing tests on employee accounts.

Uploaded by

Mahesh Kumar

Attacks and Analysis: (SOP)

Password guessing attacks (online, against a login interface):

Brute force attack

Password spray attack (one or few passwords tried against many accounts, to stay under lockout thresholds)

Dictionary attack

Credential stuffing attack (reuse of credentials leaked from another breach)

Rainbow table attack (offline: precomputed hash lookup against stolen password hashes, not online guessing)

Credential theft attacks:

Credential dumping attack

Credential harvesting attack

Kerberos ticket attacks:

Silver ticket attack (forged service ticket; requires the service account's key)

Golden ticket attack (forged TGT; requires the krbtgt account's key)

Privilege escalation attack

Other alert categories: Phishing alerts / Login failure attempts / Malware types / DoS and DDoS / Port scanning attacks / OWASP (web application) attacks

Malware: Virus / Worm / Ransomware / Botnet / Adware / Spyware / Keylogger / Rootkit / Trojan horse / Fileless malware

Living off the land attack:

Alert name : [CyberProof] - [Graph API] - IPC Medium Severity Alert containing Unfamiliar
Sign-In Properties

Priority : Medium

Incident: COT-20231209-00011

Link to cdc : https://cotecna.cyberproof.io/incidents/6573d502537b37cc1efd25dc/observables

Analysis
========
The alert was triggered by an unfamiliar sign-in from the IP 103.134.204.30 for the user
[email protected].

>The user's usage location is Myanmar.

>The user's location and the IP geolocation match.

>IP 103.134.204.30 belongs to Orange Broadband Co. Ltd, Myanmar. The IP has been reported once, by one
source, most recently 2 years ago (brute-force and SSH), so the reputation evidence is old and low-confidence.

>The user tried to sign in from 103.134.204.30 to the application Office 365 Exchange Online; the sign-in
was interrupted by an MFA failure.

>The device is not registered.

>User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/119.0.0.0 Safari/537.36. Both the user agent and the IP are seen for the first time for this user.

>No historic traffic observed from the IP. An interruption was also observed from a second IP,
69.160.27.125, to Office 365 Exchange Online, again due to MFA failure, with a mobile user agent. This IP
is also seen for the first time for the user.

>Only interrupted sign-ins observed; no successes.

>Checked in AAD: only the user Pyi Nyein SHIN is using the IP.
>Filtered on the username for 24 hrs and observed User Login Failure, Web Service Login Succeeded,
Unknown, User Login Attempt, User Login Success, User Activity and Unauthorized Access Attempt
events.

>Multiple login failures with the failure reason "User needs to perform multi-factor authentication.
There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user
enforcement, requested by client, among others."

>The IP is not in the Cotecna IP list.

Conclusion
==========
Sign-in attempts for [email protected] were observed from a Windows device at
103.134.204.30 (Myanmar), an IP with a single, old abuse report, and from a mobile device at 69.160.27.125.
All attempts from both IPs were interrupted by MFA failure; no successful sign-ins were observed from either
IP. Note that Azure AD returns the "needs to perform multi-factor authentication" reason only after the
primary credential (the password) was accepted, so the password itself should be treated as known to
whoever made these attempts, regardless of the IP reputation.

Clarifications needed from L2: should we request a password reset, since multiple interruptions were
observed and the source IP has been reported as malicious, or do we need to confirm with the client first?

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Alert: [CyberProof] - [Palo Alto] - User Login Failed 6 times in 10 minutes

Severity: Medium

Incident: COT-20231125-00018

Analysis:

>>Run `net user <username> /domain` from a domain-joined command prompt to check the account state
(account active, lockout, last logon, password last set).
1. Check with the team whether the user caused the login failures (forgotten or recently changed password).
2. For Windows machines, check the event ID (4625 for a failed logon), the status code and the sub-status code,
which together give the failure reason (wrong password, unknown user, locked out, expired, disabled).

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

>Block the IP; block the username.

>Enforce a strong password policy: minimum 8 characters, preferably 15 characters or more.

>The VAPT team should perform authorised password-guessing and dictionary attacks against employee accounts.


>> The alert was triggered by multiple login failure events for the user "veeam" from IP
79.124.59.158.

>> The source IP is reported as malicious. It belongs to the ISP Tamatiya EOOD, usage type Data Center/Web
Hosting/Transit. The IP has been reported 515 times from 157 distinct sources; it was first reported on
January 30th 2023 and the most recent report was 8 hours ago.

Ref: https://www.virustotal.com/gui/ip-address/79.124.59.158/details (Artifact)

>> Filtered on the source IP for the past 24 hrs and observed User Login Failure, Firewall Permit and User
Login Success events. (Any User Login Success or Firewall Permit tied to 79.124.59.158 itself, rather than to
an internal host, must be confirmed before this is treated as failures only.)

>> Filtered on the username for the past 24 hours and observed User Login Failure, User Login Success, Access
Denied and General Authentication Failed events.

>> User Login Success observed from IP 192.168.54.110 for user "veeam".

>> Historic traffic observed.

>> Clarifications needed from L2: We are getting multiple alerts from this IP. Under ticket
COT-20231110-00050 the source IP 79.124.59.158 was already blocked. Kindly check and update what action
needs to be taken.
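The 4625 check and the "6 failures in 10 minutes" threshold described above, as an added example that is not part of the original SOP or of any Palo Alto or Microsoft tooling. The events are constructed dicts mirroring the 4625 fields an analyst sees (TargetUserName, IpAddress, LogonType, Status, SubStatus); the status code table is the documented NTSTATUS meaning of each value, while the threshold, window and sample data are assumptions.

```python
"""Triage helper for "N login failures in M minutes" alerts built on Windows event 4625.

Added example, not from the original SOP. The events below are constructed dicts
that mirror the 4625 fields an analyst sees (TargetUserName, IpAddress, LogonType,
Status, SubStatus); the threshold and window are assumptions taken from the alert name.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 4625 Status/SubStatus are NTSTATUS values; SubStatus is the more specific of the two.
FAILURE_REASONS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "correct user name, wrong password",
    0xC000006D: "bad user name or authentication information",
    0xC000006E: "account restriction prevented logon",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "logon from an unauthorised workstation",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000133: "clock skew between client and DC too large",
    0xC000015B: "logon type not granted on this machine",
    0xC0000193: "account expired",
    0xC0000224: "password must be changed at next logon",
    0xC0000234: "account locked out",
}

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}


def decode_failure(status, sub_status):
    """Human-readable reason for a 4625: prefer SubStatus, fall back to Status."""
    for code in (sub_status, status):
        if code in FAILURE_REASONS:
            return FAILURE_REASONS[code]
    return f"unknown status 0x{status:08X}/0x{sub_status:08X}"


def failed_logon_bursts(events, threshold=6, window=timedelta(minutes=10)):
    """Flag each (user, source IP) pair that reaches `threshold` 4625s inside a sliding `window`.

    Only 4625 events count; successes (4624) are ignored here but are exactly what the
    analyst checks next, because a success after a burst is the real problem.
    """
    recent = defaultdict(deque)   # (user, ip) -> 4625s inside the current window
    fired, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["EventID"] != 4625:
            continue
        key = (ev["TargetUserName"].lower(), ev["IpAddress"])
        q = recent[key]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({
                "user": key[0], "ip": key[1], "count": len(q),
                "first": q[0]["time"], "last": ev["time"],
                "logon_types": sorted({LOGON_TYPES.get(e["LogonType"], str(e["LogonType"])) for e in q}),
                "reasons": sorted({decode_failure(e["Status"], e["SubStatus"]) for e in q}),
            })
    return alerts


def successes_from(events, ip):
    """4624 events from `ip`: a non-empty result after a burst means the guessing worked."""
    return [e for e in events if e["EventID"] == 4624 and e["IpAddress"] == ip]


# --- constructed sample data (not real logs) ---------------------------------
_T0 = datetime(2023, 11, 25, 9, 0)

def _ev(minute, user, ip, event_id=4625, logon_type=3, status=0xC000006D, sub=0xC000006A):
    return {"time": _T0 + timedelta(minutes=minute), "EventID": event_id,
            "TargetUserName": user, "IpAddress": ip, "LogonType": logon_type,
            "Status": status, "SubStatus": sub}

SAMPLE_EVENTS = (
    [_ev(m, "veeam", "79.124.59.158") for m in (0, 1, 2, 4, 6, 7, 8)]     # password guessing burst
    + [_ev(9, "veeam", "79.124.59.158", sub=0xC0000234)]                   # ...until lockout kicks in
    + [_ev(3, "veeam", "192.168.54.110", event_id=4624, status=0, sub=0)]  # legitimate internal success
    + [_ev(m, "j.doe", "10.0.0.5", logon_type=2, sub=0xC0000064) for m in (0, 25, 55)]  # typos, spread out
)

if __name__ == "__main__":
    for a in failed_logon_bursts(SAMPLE_EVENTS):
        print(f"{a['user']} from {a['ip']}: {a['count']} failures {a['first']:%H:%M}-{a['last']:%H:%M}, "
              f"types={a['logon_types']}, reasons={a['reasons']}")
        print("  successes from that IP:", len(successes_from(SAMPLE_EVENTS, a["ip"])))
```

The sliding window matters: three wrong-password events spread over an hour (a user mistyping) never reach the threshold, while the burst from 79.124.59.158 fires on the sixth failure. The decoded reason also tells the analyst whether the guesser is hitting a real account ("correct user name, wrong password") or just enumerating names ("user name does not exist"), which changes the recommended response.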

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Malware Attacks:
Alert Description: Multiple Exploit/Malware Types Targeting a Single Destination containing Remote Code
Execution

Analysis: TP or FP

Resolution/Remediation:

Incident Response Life cycle (NIST SP 800-61): Preparation; Detection and Analysis; Containment,
Eradication and Recovery; Post-Incident Activity.

Isolation: removing the device physically from the network (no network or internet access at all).

Containment: restricting the device logically (e.g. EDR network containment, which blocks traffic but keeps
the sensor's management channel up), so it stays connected but cannot talk to other hosts.

05/01/24:

Payload (attacker's sense): the script or code that a piece of malware delivers and runs.

Payload (analyst's sense): the raw data or log data from a device that is attached to an alert.

Event: a single action recorded on a device.

Log: the complete record of an action performed on a device.

Offense/Alert/Incident/Alarm: when actions violate the rules we have configured, an alert is triggered.

Log levels (syslog severities, highest to lowest): emergency, alert, critical, error, warning, notice,
informational, debug.

Event IDs:

1. Event ID 4624 - Logon Success:
   - A user logon succeeded (check the Logon Type and the source address).
2. Event ID 4625 - Logon Failure:
   - A logon attempt failed; the Status and SubStatus fields give the reason.
3. Event ID 4634 - Logoff:
   - A logon session ended.
4. Event ID 4776 - Credential Validation:
   - The computer attempted to validate the credentials for an account (NTLM); a failure carries an error
     code such as 0xC000006A (wrong password) or 0xC0000064 (unknown user).
5. Event ID 7036 - Service Control Manager:
   - A service entered the running or stopped state.
6. Event ID 7040 - Service Start Type Changed:
   - The start type of a service was changed (e.g. from Disabled to Auto start); useful when malware enables
     or disables services.
7. Event ID 1102 - Audit Log Cleared:
   - The Security log was cleared; a common anti-forensic step and always worth investigating.
8. Event ID 10016 - DistributedCOM:
   - A warning about DCOM (Component Object Model) activation permissions; usually noise.
9. Event ID 4768 - Kerberos Authentication Ticket (TGT) Request:
   - A TGT was requested, i.e. the initial Kerberos authentication of a user or computer.
10. Event ID 4769 - Kerberos Service Ticket Request:
    - A service ticket (TGS) was requested; many requests for different services with RC4 encryption from one
      account are a Kerberoasting indicator.
11. Event ID 7035 - Service Control Manager:
    - The Service Control Manager sent a start or stop control to a service (older Windows versions).
12. Event ID 8001:
    - Not a Security-log logon event; its meaning depends on the channel (in the NTLM Operational log, for
      example, 8001 audits outgoing NTLM authentication that was blocked). An expired-credential logon shows
      up in 4625 with SubStatus 0xC0000071.
13. Event ID 6013 - System Uptime:
    - Records the system's uptime.
14. Event ID 41 - Kernel-Power:
    - The system rebooted without cleanly shutting down first (crash or power loss).
15. Event ID 6008 - Unexpected Shutdown:
    - The previous system shutdown was unexpected.
16. Event ID 4672 - Special Logon:
    - Special privileges (e.g. SeDebugPrivilege) were assigned to a new logon; in practice an
      administrative-level logon.
17. Event ID 5152 - Windows Filtering Platform:
    - The Windows Filtering Platform blocked a packet.
18. Event ID 4720 - User Account Created:
    - A new user account was created.
19. Event ID 4732 - Member Added to Local Group:
    - A member was added to a security-enabled local group (4728 is the global-group and 4756 the
      universal-group equivalent); watch for additions to Administrators.
20. Event ID 4740 - User Account Locked Out:
    - An account was locked out after repeated failed logons; Caller Computer Name shows where the
      failures came from.
21. Event ID 5156 - Windows Filtering Platform:
    - The Windows Filtering Platform permitted a connection (records the application and the remote
      address and port).

Windows logon types: the Logon Type field in 4624/4625 records the mechanism through which the logon was
made. The commonly seen values are 2 (Interactive), 3 (Network), 4 (Batch), 5 (Service), 7 (Unlock),
8 (NetworkCleartext), 9 (NewCredentials), 10 (RemoteInteractive, i.e. RDP) and 11 (CachedInteractive);
type 6 (Proxy) is not used, and newer Windows versions add 12 (CachedRemoteInteractive) and
13 (CachedUnlock).

https://www.manageengine.com/products/active-directory-audit/learn/what-are-logon-types.html
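Several of the event IDs listed above only become meaningful in combination (an account created and then added to an admin group, a lockout with its caller computer, a log clear). The following is an added example of that correlation, not code from the original SOP or from any SIEM vendor. Events are constructed dicts carrying the fields an analyst sees (EventID, time, host and a few event-specific fields, simplified: a real 4732 carries the member as a DN or SID); the rule names, the 30-minute window and the "expected privileged" list are assumptions.

```python
"""Correlate the Security-log event IDs listed above into analyst-ready findings.

Added example, not from the original SOP. Events are constructed dicts carrying
the fields an analyst sees in the SIEM (EventID, time, host and a few event-specific
fields, simplified: real 4732 carries the member as a DN or SID). Rule names, the
30-minute window and the "expected privileged" list are assumptions.
"""
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
EXPECTED_PRIVILEGED = {"system", "administrator"}  # accounts whose 4672 is routine (assumption)
GROUP_ADD_EVENTS = {4732: "local", 4728: "global", 4756: "universal"}


def correlate(events, window=timedelta(minutes=30)):
    """Return (rule, host, detail) findings from a mixed stream of Security events."""
    findings, created = [], {}   # created: (host, account) -> time of its 4720
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, host = ev["EventID"], ev["host"]
        if eid == 1102:
            # Log clearing destroys evidence; whatever happened just before it matters most.
            findings.append(("audit_log_cleared", host, ev["SubjectUserName"]))
        elif eid == 4720:
            created[(host, ev["TargetUserName"].lower())] = ev["time"]
        elif eid in GROUP_ADD_EVENTS and ev["TargetUserName"] in ADMIN_GROUPS:
            # A freshly created account landing in an admin group is a persistence pattern;
            # this rule flags only that chain, other admin-group additions go to change control.
            t0 = created.get((host, ev["MemberName"].lower()))
            if t0 is not None and ev["time"] - t0 <= window:
                findings.append(("new_account_to_admin_group", host,
                                 f"{ev['MemberName']} -> {ev['TargetUserName']} ({GROUP_ADD_EVENTS[eid]} group)"))
        elif eid == 4740:
            # Caller Computer Name is where the failed attempts came from.
            findings.append(("account_lockout", host, f"{ev['TargetUserName']} via {ev['CallerComputerName']}"))
        elif eid == 4672 and ev["SubjectUserName"].lower() not in EXPECTED_PRIVILEGED:
            findings.append(("unexpected_special_logon", host, ev["SubjectUserName"]))
    return findings


# --- constructed sample stream (not real logs) --------------------------------
_T0 = datetime(2024, 1, 8, 10, 0)

def _ev(minute, host, eid, **fields):
    return {"time": _T0 + timedelta(minutes=minute), "host": host, "EventID": eid, **fields}

SAMPLE_EVENTS = [
    _ev(0, "DC01", 4624, TargetUserName="alice", LogonType=10),                      # RDP logon, ignored here
    _ev(2, "DC01", 4720, SubjectUserName="alice", TargetUserName="svc_backup2"),       # new account...
    _ev(5, "DC01", 4732, SubjectUserName="alice", MemberName="svc_backup2",
        TargetUserName="Administrators"),                                             # ...made local admin 3 min later
    _ev(20, "DC01", 1102, SubjectUserName="svc_backup2"),                              # then the log is cleared
    _ev(30, "SRV01", 4740, TargetUserName="veeam", CallerComputerName="WS-FIN-07"),   # lockout from a workstation
    _ev(31, "SRV01", 4672, SubjectUserName="SYSTEM"),                                  # routine
    _ev(32, "SRV01", 4672, SubjectUserName="j.doe"),                                   # not routine
    _ev(90, "DC01", 4732, SubjectUserName="alice", MemberName="bob",
        TargetUserName="Administrators"),                                             # no 4720 pair: not flagged
]

if __name__ == "__main__":
    for rule, host, detail in correlate(SAMPLE_EVENTS):
        print(f"{host:6} {rule:28} {detail}")
```

Note that the 4720/4732 pair is keyed on host as well as account name: a local account created on one server and an unrelated addition on another should not be joined together.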

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
08 Jan 2024

Alert name: [FortiGate] - UTM Virus Blocked

Analysis: We checked the destination IP reputation and the URL reputation using OSINT.

Ref:
https://www.virustotal.com/gui/url/e5ee631ec6aaff50f53cfaa2bc3c58f71cc083f57e22b6a88614a18e5a
1ad7be?nocache=1

https://exchange.xforce.ibmcloud.com/url/
http:~2F~2Fwww.hebxjj.com~2Fdata~2Finclude~2Fexectask.php

Firewall deny: the packet is rejected and the sender is told (e.g. TCP RST or ICMP unreachable).

Firewall drop: the packet is silently discarded; no acknowledgement goes back to the sender.

As per the payload information from the Fortinet firewall (UTM) logs, this URL has a bad reputation:

policytype=policy msg=File is infected. action=blocked service=HTTP
sessionid=142453552 srcip=192.168.86.30 dstip=160.124.53.36 srcport=61508 dstport=80
srccountry=Reserved dstcountry=Hong Kong srcintf=lan srcintfrole=lan dstintf=wan1
dstintfrole=wan srcuuid=d3a554b4-8d58-51eb-bd53-436e59db3f98
dstuuid=43a1a538-1681-51ea-2169-5f91bd96737a proto=6 direction=incoming filename=exectask.php
quarskip=Quarantine-disabled virus=JS/Gnaeus.G!tr viruscat=Virus dtype=av-engine
ref=http://www.fortinet.com/ve?vn=JS%2FGnaeus.G%21tr virusid=7406806
url=http://www.hebxjj.com/data/include/exectask.php

Recommendations/Remediations:

The infected file (exectask.php, detected as JS/Gnaeus.G!tr) was blocked inline by the UTM AV engine
(action=blocked; quarskip=Quarantine-disabled only means the firewall did not keep a copy), so the payload did
not reach the endpoint and no further action is needed. Hence we are closing this case. As a check before
closing, confirm what on the internal host 192.168.86.30 requested the URL (a user browsing versus an
unattended process), since the HTTP request itself originated from inside.
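Parsing the UTM log line above and turning it into a triage decision, as an added example that is not from the original page or from Fortinet. The sample line is rebuilt from the fields shown in the incident (with one value quoted, as real FortiGate output does, and msg left unquoted as it appeared in the pasted log); the disposition rules and the reading of quarskip as "not quarantined" are assumptions.

```python
"""Parse a FortiGate UTM (av-engine) log line and summarise it for triage.

Added example, not from the original SOP or from Fortinet. The sample line is
rebuilt from the fields in the incident above; dispositions are assumptions.
"""
import re

# key=value pairs: the value is either "double quoted" or runs to the next space.
_TOKEN = re.compile(r'([A-Za-z_][A-Za-z0-9_-]*)=("(?:[^"\\]|\\.)*"|\S*)|(\S+)')


def parse_fortigate(line):
    """Return the key=value fields of one FortiGate log line as a dict.

    Real FortiGate output quotes values containing spaces (msg="File is infected.").
    Logs pasted into tickets often lose those quotes, so a bare token that follows
    a key is re-joined onto that key's value instead of being silently dropped.
    """
    fields, last = {}, None
    for key, value, bare in _TOKEN.findall(line):
        if key:
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            fields[key] = value
            last = key
        elif last:
            fields[last] = f"{fields[last]} {bare}"
    return fields


def triage_av_event(f):
    """Who requested what, was it stopped, and what to block or hunt for next."""
    # Decide which side is inside the perimeter from the interface roles, not from the IPs.
    src_inside = f.get("srcintfrole") == "lan"
    inside_ip = f["srcip"] if src_inside else f["dstip"]
    remote_ip, remote_port = (f["dstip"], f.get("dstport")) if src_inside else (f["srcip"], f.get("srcport"))
    blocked = f.get("action") == "blocked"
    # Assumption: FortiGate emits quarskip=<reason> whenever the file was not quarantined.
    quarantined = "quarskip" not in f
    iocs = {"url": f.get("url"), "remote_ip": remote_ip,
            "filename": f.get("filename"), "signature": f.get("virus")}
    if blocked:
        next_steps = [f"content blocked inline; confirm which user/process on {inside_ip} requested the URL",
                      "add the URL/IP to watchlists and hunt for other hosts requesting it"]
    else:
        next_steps = [f"content NOT blocked; isolate {inside_ip}, pull the file and scan the host"]
    return {"inside_host": inside_ip, "remote": f"{remote_ip}:{remote_port}",
            "direction": f.get("direction"), "blocked": blocked, "quarantined": quarantined,
            "iocs": iocs, "next_steps": next_steps}


# Constructed from the incident's fields; dstcountry is quoted as FortiGate itself would emit it,
# msg is left unquoted as it appeared in the pasted log.
SAMPLE_LINE = (
    'policytype=policy msg=File is infected. action=blocked service=HTTP '
    'sessionid=142453552 srcip=192.168.86.30 dstip=160.124.53.36 srcport=61508 dstport=80 '
    'srccountry=Reserved dstcountry="Hong Kong" srcintf=lan srcintfrole=lan dstintf=wan1 '
    'dstintfrole=wan proto=6 direction=incoming filename=exectask.php '
    'quarskip=Quarantine-disabled virus=JS/Gnaeus.G!tr viruscat=Virus dtype=av-engine '
    'virusid=7406806 url=http://www.hebxjj.com/data/include/exectask.php'
)

if __name__ == "__main__":
    fields = parse_fortigate(SAMPLE_LINE)
    for k in ("msg", "action", "virus", "url", "dstcountry"):
        print(f"{k:12}= {fields[k]}")
    print(triage_av_event(fields))
```

Using srcintfrole/dstintfrole rather than guessing from RFC 1918 addresses keeps the inside/outside decision correct on segments that use public addressing, and the same parser works for the webfilter and IPS subtypes, which use the same key=value layout.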

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

11/Jan/24

CrowdStrike EDR Alerts:


Alert name : [CyberProof] - [CrowdStrike] - Impact via Inhibit System Recovery containing CS-Collection
Archive-Collected Data
Priority : High
Incident: COT-20231217-00016

Analysis
=============

> The alert was triggered because a process attempted to delete a Volume Shadow Copy snapshot on the host
SAIL-SER-08 (shadow-copy deletion is the typical pre-encryption step of ransomware that this IOA is built for).
> The user name observed is SAIL-SER-08$, i.e. the computer account (SYSTEM context), not an interactive user.
> COMMAND LINE
"C:\WINDOWS\system32\rundll32.exe" /d sdengin2.dll,ExecuteScheduledBackup
FILE PATH
\Device\HarddiskVolume4\Windows\System32\rundll32.exe
> The command line calls the ExecuteScheduledBackup export of sdengin2.dll, i.e. it runs a scheduled
Windows Backup operation. The process was blocked by CrowdStrike itself.

sdengin2.dll is part of the Microsoft Windows Backup Engine and ships with the operating system; a scheduled
Windows Backup run can delete older shadow copies to make room, which is what triggered the
shadow-copy deletion IOA.
> Observed a disk operation on Dec. 17, 2023 19:00:00.309 in sdengin2.dll.

> The operation was blocked. No threat observed: the binary, DLL and export are the OS's own scheduled-backup
path. Worth confirming that a Windows Backup schedule actually exists on SAIL-SER-08 and that the block did
not break the backup job.


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Alert name: [CyberProof] - [CrowdStrike] - High Severity Detection containing CS-Defense Evasion-
Indirect Command Execution
Incident ID: COT-20231208-00027
Severity: High

Analysis
========
A High Severity Detection containing CS-Defense Evasion-Indirect Command Execution was raised on the host
ODS1911001.

=> File name is x32dbg.exe and the file hash is
ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15

File path : \Device\HarddiskVolume7\ \ \RECYCLER.BIN\files\x32dbg.exe

Command line: \ \RECYCLER.BIN\files\x32dbg.exe"
=> IOA: a file launched from a location previously associated with known malware, and its process exhibited
suspicious behaviour. Review the file.
=> The hash is found to be safe: no security vendors and no sandboxes flagged the file as malicious, and the
file is signed.
=> Grandparent command line: C:\Windows\Explorer.EXE
=> Parent process is cmd.exe, and 2 disk operations were detected for the process:
\Device\HarddiskVolume7\ \ \RECYCLER.BIN\files\x32bridge.dll and
\Device\HarddiskVolume3\Windows\SysWOW64\win32u.dll (x32bridge.dll is a component shipped with
x64dbg/x32dbg, consistent with a genuine copy of the debugger).

=> Username observed as ODSMEDZHYBOVSKIYV ([email protected]).
Job title: Inspector, Department: Commercial
=> The hash was only observed on ODS1911001.
=> The process was killed.
=> x32dbg.exe is the 32-bit build of the x64dbg debugger, a legitimate software-analysis tool. However, it was
run from a suspicious location (RECYCLER.BIN) via cmd.exe, so the execution could be part of a malicious script
or activity in which an attacker runs malware or unauthorised software disguised as, or alongside, a debugger
tool. A clean hash shows the binary is genuine, not that its use is authorised: a debugger run by an Inspector
in the Commercial department is itself unusual and should be confirmed with the user.

Clarification needed from L2: The IOA is "a file launched from a location previously associated with known
malware"; the file hash is non-malicious, but the file path is under RECYCLER.BIN. Kindly suggest what action
should be taken from our side.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Alert name: [CyberProof] - [CrowdStrike] - High Severity Detection containing CS-Defense Evasion-
Rundll32
Incident ID: COT-20231204-00009
Severity: High

Analysis
===========
> The alert was triggered because rundll32 launched a file with an unusual name on the host BLQ2010029
on Dec. 4, 2023 12:54:51.

> The username observed is [email protected], an analyst at Neotron Spa.

> COMMAND LINE

"C:\Windows\System32\rundll32.exe" \{54A0F195-5E6A-444B-BAB5-6DFA37529751}.{216D0EF9-663C-4ED9-8E39-544104EA287C},lw3dXsp1AFQHoQ1w

FILE PATH
\Device\HarddiskVolume3\Windows\System32\rundll32.exe

EXECUTABLE SHA256
00be065f405e93233cc2f0012defdcbb1d6817b58969d5ffd9fd

> rundll32 takes its first argument as "<dll>,<entry point>", so here the DLL argument is the root-relative
path "\{54A0F195-5E6A-444B-BAB5-6DFA37529751}.{216D0EF9-663C-4ED9-8E39-544104EA287C}" (two GUIDs joined by
a dot, with no .dll extension) and "lw3dXsp1AFQHoQ1w" is the name of the export rundll32 was asked to call.
The GUID-shaped file name and the random-looking export name are what made the detection fire.

> The execution was blocked and terminated by CrowdStrike itself.

> No child process executions observed.

> No external or internal DNS lookups or connections observed.

> 3 disk operations observed:

\Device\HarddiskVolume3\Windows\System32\rundll32.exe (2)
\Device\HarddiskVolume3\Windows\System32\ntdll.dll

> To settle the FP question, check whether a file with that GUID name actually exists on the root of the
drive (or the current directory of the parent process) on BLQ2010029, and what created it.

Clarification needed from L2: looking at the command line, it seems to be a FP. The identified keywords look
like Windows GUIDs; it seems the CS sensor treated the unique IDs separated by '.' as a file name. Could you
please clarify?
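The two rundll32 detections above (the sdengin2.dll scheduled-backup case closed as benign, and the GUID-named file here) come down to the same parsing question: which DLL is being loaded, from where, and which export is called. The following is an added example of that triage, not code from the original SOP or from CrowdStrike. Command lines 1 and 2 are the ones from the two incidents above; command line 3 is constructed. The baseline allow-list, the treatment of leading "/" tokens as switches and the flag wording are assumptions.

```python
"""Triage a rundll32 command line: what DLL, which export, and why it might be suspicious.

Added example, not from the original SOP or from CrowdStrike. Command lines 1 and 2
are the ones from the two rundll32 incidents above; command line 3 is constructed.
The baseline allow-list and the flag wording are assumptions for illustration.
"""
import re

_GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_USER_WRITABLE = re.compile(r"\\(temp|tmp|downloads|public|appdata|\$recycle\.bin|recycler(?:\.bin)?)\\", re.I)
_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# (dll, export) pairs already judged benign for this estate; sdengin2 is the Windows Backup
# scheduled-backup case closed above (assumption: baseline maintained by the SOC).
BASELINE = {("sdengin2.dll", "executescheduledbackup")}


def _split_cmdline(cmd):
    """Minimal Windows tokenizer: double quotes group a token, nothing else is special (assumption)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def triage_rundll32(cmd):
    """rundll32 syntax is `rundll32 [switches] <dll>,<export> [args]`; the DLL name ends at the first comma."""
    rest = _split_cmdline(cmd)[1:]
    while rest and rest[0].startswith("/"):   # leading switches such as /d (undocumented) precede the DLL
        rest.pop(0)
    if not rest:
        return {"dll": None, "export": None, "args": [], "flags": ["no DLL argument"], "baseline": False}
    dll, _, export = rest[0].partition(",")
    base = dll.rsplit("\\", 1)[-1]
    flags = []
    if not base.lower().endswith(".dll"):
        flags.append("DLL argument has no .dll extension")
    if _GUID.search(base):
        flags.append("GUID-shaped DLL name")
    if not export:
        flags.append("no export named")
    if dll.startswith("\\\\"):
        flags.append("DLL loaded from a UNC path")
    elif dll.startswith("\\"):
        flags.append("root-relative path, resolved against the current drive")
    elif "\\" in dll and not dll.lower().startswith(_SYSTEM_DIRS):
        flags.append("DLL outside System32/SysWOW64")
    if _USER_WRITABLE.search(dll):
        flags.append("user-writable or recycle-bin location")
    baseline = (base.lower(), export.lower()) in BASELINE
    return {"dll": dll, "export": export, "args": rest[1:], "flags": flags, "baseline": baseline}


SAMPLES = [
    r'"C:\WINDOWS\system32\rundll32.exe" /d sdengin2.dll,ExecuteScheduledBackup',
    r'"C:\Windows\System32\rundll32.exe" \{54A0F195-5E6A-444B-BAB5-6DFA37529751}.{216D0EF9-663C-4ED9-8E39-544104EA287C},lw3dXsp1AFQHoQ1w',
    r'rundll32.exe C:\Users\Public\update.dll,Start /s',   # constructed: the shape a loader would use
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        r = triage_rundll32(cmd)
        verdict = "baseline" if r["baseline"] else ("review" if r["flags"] else "no flags")
        print(f"{verdict:9} dll={r['dll']!r} export={r['export']!r} flags={r['flags']}")
```

A bare DLL name such as sdengin2.dll is resolved through the normal DLL search order starting from the rundll32 directory (System32), which is why it raises no path flag; a root-relative or user-writable path is where the analyst should look for a dropped file before deciding FP or TP.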

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Email gateway:

Proofpoint TAP (Targeted Attack Protection): detection of malicious URLs and attachments in mail, IDS-like.

Proofpoint TRAP (Threat Response Auto-Pull): automated removal of already-delivered messages from mailboxes,
IPS-like.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Crowdstrike Alerts: EDR
Alert: [CyberProof] - [Graph API] - Microsoft ATP Medium Severity Alert containing Unknown
Severity: High
Incident: COT-20240119-00019

Summary
> The alert was triggered because Defender detected a malicious file associated with the ransomware activity
group Storm-0302 on the host "sha2109002.asia.loc".
> File details
File Name: DSV-Outbound Invoice-S7565023-signed.pdf
Path: C:\Users\shazhengy\Downloads\DSV-Outbound Invoice-S7565023-signed.pdf
SHA256: 59a65376730ad54f2189a488f85e9cf584b048faefdd0e97c37f4e4065b52ac4
> As per OSINT, the file is detected by one vendor as PDF/Phishing.A.Gen.

> Checked in Defender: the file hash was observed only on the host sha2109002.asia.loc. No hits for the
hash in CrowdStrike.

Recommendations
> Please remove the file from the device and initiate a scan on the host "sha2109002.asia.loc".

L2 task: please review the incident and advise whether any further action needs to be taken from our side.
Please send an email to the customer with the recommendations below:
> Check with the user whether the file was downloaded for a business purpose.
> Have the user set new credentials as per Cotecna policy.
> Redeploy (re-image) the host machine.
> Warn the user not to download files without a business purpose.
> Block the file hash in the CS console and block the URL the file was downloaded from.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
