BDIR Podcast Episode-009 - MITRE ATT&CK Part 2

TOPIC: TORA TORA TORA - MITRE ATT&CK Part 2

SPONSORS OF OUR PODCAST

NEWS-WORTHY:

Data Breaches in the Last 30 Days Affect A Billion People - WAAY 31 ABC

  • https://www.waaytv.com/content/news/Data-Breaches-in-the-Last-30-Days-Affect-A-Billion-People--502303342.html

  • Q&A website Quora was hacked this week as well, potentially exposing data and private messages from 100 million users.

  • The FBI is investigating a cyber breach of the National Republican Congressional Committee.

  • Dell, the computer company, announced a security breach, although it does not believe consumer data was exposed.

  • The city of Ames, Iowa had its parking ticket system breached, exposing ticket payer data.

  • Dunkin' (formerly Dunkin Donuts) had its perks reward club database hacked.

  • Atrium Health had 2.6 million patient records exposed.

  • A breach potentially exposed Medical Informatics Engineering's 3.9 million patient records across 12 states.

  • 41,000+ cancer patients had their records potentially exposed at Cancer Center Treatment of America's Arizona facility.

  • Vision Direct handles payments for Visa, Mastercard, Maestro, and PayPal. It got hit.

  • Millions of passengers of Cathay Pacific airline are at risk from a security breach.

  • Also breached: US Postal Service, 1-800-Flowers, Butler County, OH's HIPAA records, and Nordstrom.

  • Did we mention breaches at: Amazon, 1-877-Kars-4-Kids, Florida Department of Health, Healthcare.Gov, or Commonwealth Bank?

Dell Forces Password Reset for Online Customers Following Data Breach

Marriott Starwood breached - Sheraton users beware...

SITE-WORTHY

  1. Malware Archaeology - Home of the 'Windows Logging Cheat Sheet(s)'

  2. MITRE ATT&CK website

TOOL-WORTHY

  1. KANSA - PowerShell IR tool

  2. KANSA-LOG-MD - Coming SOON

MALWARE OF THE MONTH

  1. LOKIBot

  • Delivered by Word Doc, EXE, or MSI from a link or attachment in an email

    MSI

  • The MSI installer requires user interaction with a GUI, so the user has to approve the installation

  • The user sees the installer start if they agree, and of course people do

  • After it installs it just disappears

  • Places the payload in C:\Windows\Installer, an MSI feature

  • Deletes from Windows Installer and then places itself in C:\Users\<Bob>\AppData\Roaming with a name of Androidsomething in this sample

  • Directory is attrib +S +H, as is the file

  • The original MSXYZ.tmp is loaded in memory; the copy on disk is not loaded

  • Did not seem to have persistence, maybe time delayed longer than we saw

  • It was easily visible in Running Processes, a new feature of LOG-MD-Pro

  • The .tmp file also called out to a C2 server

    Lessons Learned

  • BLOCK MSI attachments, there is no reason these should come in from email

  • If received from a link, that is more of a challenge

  • Check your running processes for items that are no longer on disk, so cannot be hashed; this is always bad

  • Look for parentless processes, as MsiExec was the parent of the .tmp file that was loaded

  • Same hash as the .EXE stored under \Roaming
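The "Lessons Learned" items above are a host-level hunt, and they can be scripted. The PowerShell below is an added example written for these show notes; it is not code from the podcast, LOG-MD or KANSA. It walks the running processes and reports the three things called out above: images that are no longer on disk (so cannot be hashed), processes whose parent PID is gone or whose parent is msiexec.exe, and images running from a user's AppData\Roaming path. A second function lists anything under AppData\Roaming that carries both the System and Hidden attributes. Function names, the msiexec.exe parent check and the Roaming path pattern are this example's assumptions, and it assumes an elevated Windows PowerShell 5.1 or later session so every process is visible.

```powershell
# Added example (not from the podcast, LOG-MD or KANSA): hunt for the LOKIBot
# indicators described in the show notes on a live Windows host.
#   1. Running processes whose image is no longer on disk (cannot be hashed).
#   2. Processes whose parent PID no longer exists, or whose parent is msiexec.exe.
#   3. Images running from a per-user AppData\Roaming path.
# Run from an elevated PowerShell session so that every process is visible.

function Get-SuspiciousProcess {
    [CmdletBinding()]
    param()

    $procs = Get-CimInstance -ClassName Win32_Process
    $livePids = @{}
    foreach ($p in $procs) { $livePids[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $reasons = @()
        $hash = $null

        # Indicator 1: image path unknown or deleted from disk.
        if ([string]::IsNullOrEmpty($p.ExecutablePath)) {
            # PID 0 and 4 (Idle, System) never report a path; a few other kernel-backed
            # processes (Registry, Memory Compression) do not either, so review these by hand.
            if ($p.ProcessId -gt 4) { $reasons += 'no image path reported' }
        }
        elseif (-not (Test-Path -LiteralPath $p.ExecutablePath)) {
            $reasons += 'image deleted from disk (cannot be hashed)'
        }
        else {
            try {
                $hash = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256 -ErrorAction Stop).Hash
            }
            catch { $reasons += "hash failed: $($_.Exception.Message)" }
        }

        # Indicator 2: parent gone ("parentless"), or parent is the MSI installer.
        $parent = $livePids[[int]$p.ParentProcessId]
        if ($null -eq $parent -and $p.ProcessId -gt 4) {
            $reasons += "parent PID $($p.ParentProcessId) no longer running"
        }
        elseif ($parent -and $parent.Name -ieq 'msiexec.exe') {
            $reasons += 'spawned by msiexec.exe'
        }

        # Indicator 3: image lives under a user's Roaming profile.
        if ($p.ExecutablePath -match '\\AppData\\Roaming\\') {
            $reasons += 'image under AppData\Roaming'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                PID       = $p.ProcessId
                ParentPID = $p.ParentProcessId
                Name      = $p.Name
                Path      = $p.ExecutablePath
                SHA256    = $hash
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

function Get-HiddenRoamingItem {
    # Files or directories under any user's AppData\Roaming carrying both the
    # System and Hidden attributes (attrib +S +H), which normal user software rarely sets.
    Get-ChildItem -Path 'C:\Users\*\AppData\Roaming' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
        } |
        Select-Object FullName, Attributes, LastWriteTime
}

Get-SuspiciousProcess | Format-Table -AutoSize
Get-HiddenRoamingItem  | Format-Table -AutoSize
```

Two caveats when reading the output: Windows reuses PIDs, so a "parent no longer running" hit can be a benign process whose parent exited normally (any process started from a now-closed Explorer or console window will show up), and the SHA256 column is only filled for images still on disk, which is exactly the point of the first lesson: an image that is gone from disk has no hash to compare against the copy sitting under \Roaming.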

TOPIC OF THE DAY

Mitre ATT&CK - TORA TORA TORA - PART 2

Listen to Part 1 with Katie Nickels from MITRE and the Show Notes here:

Articles:

  • At the end of the Show Notes

MITRE ATT&CK

ARTICLES:

MITRE ATT&CK

SANS THIR (Threat Hunting & Incident Response Summit - New Orleans 2018)

Marriott Starwood/Sheraton Breach

  • Free WebWatcher Enrollment

    • info.starwoodhotels.com

      Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found. Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries. Guests from the United States who complete the WebWatcher enrollment process will also be provided fraud consultation services and reimbursement coverage for free.

      The section below provides additional information on steps you can take. If you have questions about this notification and to enroll in WebWatcher (if it is available in your country), please visit info.starwoodhotels.com.

      * Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.

RDP Thriving on the Dark Web

Endgame - Putting the MITRE ATT&CK Evaluation into Context

Dark Reading - MITRE Changes the Game in Security Product Testing

JPCert - Detecting Lateral Movement

-----------------------------------------------------------------------------------------------