TOPIC: TORA TORA TORA - MITRE ATT&CK Part 2
SPONSORS OF OUR PODCAST
NEWS-WORTHY:
Data Breaches in the Last 30 Days Affect A Billion People - WAAY 31 ABC
Q&A website Quora was hacked this week as well, potentially exposing data and private messages from 100 million users.
The FBI is investigating a cyber breach of the National Republican Congressional Committee
Dell, the computer company, announced a security breach although it does not believe consumer data was exposed.
The city of Ames, Iowa had its parking ticket system breached, exposing ticket payer data.
Dunkin' (formerly Dunkin Donuts) had its perks reward club database hacked.
Atrium Health had 2.6 million patient records exposed
A breach potentially exposed Medical Informatics Engineering's 3.9 million patient records across 12 states.
41,000+ cancer patients had their records potentially exposed at Cancer Center Treatment of America's Arizona facility.
Vision Direct handles payments for Visa, Mastercard, Maestro, and PayPal. It got hit.
Millions of passengers of Cathay Pacific airline are at risk from a security breach.
Also breached: US Postal Service, 1-800-Flowers, Butler County, OH's HIPAA records, and Nordstrom.
Did we mention breaches at: Amazon, 1-877-Kars-4-Kids, Florida Department of Health, or Healthcare.Gov, or Commonwealth Bank?
Dell Forces Password Reset for Online Customers Following Data Breach
Marriott Starwood breached - Sheraton users beware...
https://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach/
Kroll offers monitoring of your breached information on the Dark Web for FREE to affected users
SITE-WORTHY
1. Malware Archaeology - Home of the 'Windows Logging Cheat Sheet(s)'
2. MITRE ATT&CK website
TOOL-WORTHY
1. KANSA - PowerShell IR tool
2. KANSA-LOG-MD - Coming SOON
MALWARE OF THE MONTH
LOKIBot
Delivered as a Word Doc, EXE, or MSI from a link or attachment in an email
MSI
The MSI installer requires user interaction with the GUI, so the user has to approve the installation
The user sees the installer start if they agree, and of course people do
After it installs it just disappears
Places the payload in C:\Windows\Installer, a standard MSI feature
Deletes itself from C:\Windows\Installer and then places a copy in C:\Users\<Bob>\AppData\Roaming, named Androidsomething in this sample
Both the directory and the file are set attrib +S +H (System and Hidden)
The original MSXYZ.tmp is what is loaded in memory; the copy on disk is not loaded
Did not seem to have persistence; maybe it is time-delayed longer than we watched
It was easily visible in Running Processes, a new feature of LOG-MD-Pro
The .tmp file also called out to a C2 server
Lesson Learned
BLOCK MSI attachments; there is no reason these should come in via email
If received from a link, blocking is more of a challenge
Check your running processes for images that are no longer on disk and so cannot be hashed; that is always bad
Look for parentless processes; MsiExec was the parent of the .tmp file that was loaded, and it is gone once the install finishes
The loaded .tmp has the same hash as the .EXE stored under \Roaming
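The checks in the Lesson Learned list above can be scripted. The following is an added example written for these show notes; it is not code from the podcast, LOG-MD, or Kansa. It walks the running processes and flags the three signs described for this sample: an image that no longer exists on disk (so it cannot be hashed), a parent that has exited or is msiexec.exe, and a Hidden+System image under a user's AppData\Roaming. The process list is live, so nothing here is constructed; the `Test-HiddenSystem` helper and the reason strings are this example's own names.

```powershell
# Added example: triage running processes for the LOKIBot-style signs from the show notes.
# Run from an elevated PowerShell 5.1+ prompt on the host under investigation.

$procs = Get-CimInstance -ClassName Win32_Process

# Index by PID so parent lookups are cheap. PIDs are reused after a process exits,
# so a parent found here is a likely parent, not a proven one.
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Test-HiddenSystem {
    param([string]$Path)
    # True when the file carries both the Hidden and System attributes (attrib +S +H).
    $attr = [int](Get-Item -LiteralPath $Path -Force).Attributes
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    return (($attr -band $mask) -eq $mask)
}

$findings = foreach ($p in $procs) {
    if ($p.ProcessId -le 4) { continue }   # skip Idle and System
    $reasons = @()
    $path    = $p.ExecutablePath
    $onDisk  = [bool]($path -and (Test-Path -LiteralPath $path))

    # (1) Image gone from disk: it cannot be hashed, so it cannot be compared to known-good.
    if ($path -and -not $onDisk) { $reasons += 'image missing on disk' }

    # (2) Parent checks. msiexec normally exits after the install, leaving its child parentless.
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if (-not $parent)                        { $reasons += 'parent no longer running' }
    elseif ($parent.Name -ieq 'msiexec.exe') { $reasons += 'spawned by msiexec.exe' }

    # (3) Hidden+System image under a user's Roaming profile.
    if ($onDisk -and $path -like '*\AppData\Roaming\*' -and (Test-HiddenSystem -Path $path)) {
        $reasons += 'hidden+system image under AppData\Roaming'
    }

    if ($reasons.Count -gt 0) {
        # Hash what can still be hashed so findings can be matched against known-good lists.
        $hash = if ($onDisk) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        [pscustomobject]@{
            PID     = $p.ProcessId
            Name    = $p.Name
            Parent  = $parentName
            Path    = $path
            SHA256  = $hash
            Reasons = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Reasons | Format-Table -AutoSize -Wrap
```

Treat "parent no longer running" as a prioritization signal rather than a verdict: explorer.exe and many service hosts are parentless on a healthy box because their launcher exits by design. The interesting rows are the ones that stack reasons, such as a parentless process whose image is missing or sits hidden under \Roaming. "spawned by msiexec.exe" only fires while the installer is still running, so on a host examined after the install finished you will see the parentless reason instead.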
TOPIC OF THE DAY
Mitre ATT&CK - TORA TORA TORA - PART 2
Listen to Part 1 with Katie Nickels from MITRE and the Show Notes here:
Articles:
At the end of the Show Notes
MITRE ATT&CK
MITRE ATT&CK Evaluations
The Malware Management Framework
Why is ATT&CK useful?
How do we go about using it?
Where do we start?
Let’s talk about Cheat Sheets…
What do the Cheat Sheets and ATT&CK have in common?
Windows ATT&CK Logging Cheat Sheet
Windows ATT&CK LOG-MD Cheat Sheet
ARTICLES:
MITRE ATT&CK
Please contribute to ATT&CK! Email us at attack@mitre.org
Watch the ATT&CK Con 2018 YouTube videos
https://youtu.be/NVgqx7M1K20 - Day 1 morning
https://youtu.be/_HSkva44lFo - Day 1 afternoon
https://youtu.be/LxzVtfw4WyQ - Day 2 morning
SANS THIR (Threat Hunting & Incident Response Summit - New Orleans 2018)
https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018/summit-agenda
Watch for the Presentations and Videos to be published
Marriott Starwood/Sheraton Breach
Free WebWatcher Enrollment
Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found. Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries. Guests from the United States who complete the WebWatcher enrollment process will also be provided fraud consultation services and reimbursement coverage for free.
The section below provides additional information on steps you can take. If you have questions about this notification and to enroll in WebWatcher (if it is available in your country), please visit info.starwoodhotels.com.
* Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.
RDP Thriving on the Dark Web
Endgame - Putting the MITRE ATT&CK Evaluation into Context
Dark Reading - MITRE Changes the Game in Security Product Testing
JPCert - Detecting Lateral Movement
-----------------------------------------------------------------------------------------------