IBM QRadar

Turla Content Extension for IBM QRadar SIEM

By Amy Seo posted Mon August 14, 2023 01:34 PM

Introduction

Turla is a Russian hacker group widely known for its attacks. The group has been active since 2004 and has made victims in 45 countries. Turla is also used as a malware name, under which a multitude of different malware families fall. Familiar names include Epic, TinyTurla, Empire, and more.

The Security Content team investigated Turla attacks based on MITRE ATT&CK techniques. The extension includes both generic technique detection rules and Turla-specific rules. You can tell them apart by their names: a generic rule is named along the lines of "Suspicious XYZ Behaviour", while a Turla-specific rule is named like "Potential Epic Activity".

Both kinds of rule are included because a Turla attack chains several techniques, and those same techniques can also appear in attacks by other actors. To ensure complete coverage, both generic technique detection rules and Turla-specific rules have been included.

Turla's Carbon malware starts with an Initial Access technique: a spearphishing email or a compromised website is used to install a backdoor. Next comes Exfiltration, where sensitive information is leaked to the attackers. There is also Lateral Movement, where the malware moves across the network to other computers.

From this, we observe that the malware behaviours typically start with Initial Access, followed by other tactics such as Exfiltration, Collection, Command and Control, and so on.

A total of 374 custom rules are contained in the content extension. 

General Techniques

Activities are detected based on MITRE ATT&CK techniques. Some techniques are common to multiple threats. For these we have created rules that work independently of Turla: they are more general and cover the technique across threats.

Let’s take a look at an example in more detail.

Dump Credentials from Windows Credential Manager with PowerShell

Apply Dump Credentials from Windows Credential Manager With PowerShell on events which are detected by the Local system
and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
and when the event category for the event is one of the following Audit.Command Execution Success, Exploit.Command Execution
and when the event matches (LOWER("Command") LIKE '%get-passwordvaultcredentials%' OR LOWER("Command") LIKE '%get-credmancreds%') OR (LOWER("Command") LIKE '%new-object%' AND LOWER("Command") LIKE '%windows.security.credentials.passwordvault%') OR (LOWER("Command") LIKE '%new-object%' AND LOWER("Command") LIKE '%microsoft.csharp.csharpcodeprovider%' AND LOWER("Command") LIKE '%runtime.interopservices.runtimeenvironment]::getruntimedirectory(%' AND LOWER("Command") LIKE '%collections.arraylist%' AND LOWER("Command") LIKE '%codedom.compiler.compilerparameters%') AQL filter query


This rule detects adversaries searching for common password storage locations to obtain user credentials. Any commands that potentially refer to Windows credential locations (e.g. password vaults) are monitored. 
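To make the rule tests above concrete, here is an added Python rendering of the same logic (example code written for this post, not the extension's own rule engine). It emulates the AQL LOWER()/LIKE tests and the event-category check, then runs them over a constructed set of sample events; the event field names and the sample command lines are assumptions.

```python
import re

# Constructed sample events (not real QRadar data). "category" is the QRadar
# low-level category, "Command" the field the rule's LIKE tests inspect.
SAMPLE_EVENTS = [
    {"category": "Audit.Command Execution Success",
     "Command": 'powershell.exe -nop -c "Get-PasswordVaultCredentials"'},
    {"category": "Audit.Command Execution Success",
     "Command": "powershell.exe New-Object Windows.Security.Credentials.PasswordVault"},
    {"category": "Audit.Command Execution Success",
     "Command": "powershell.exe Get-ChildItem C:\\Users"},          # benign command
    {"category": "Audit.File Access Success",
     "Command": "powershell.exe Get-CredManCreds"},                 # wrong category
]

# Categories listed in the rule test "event category ... is one of the following".
RULE_CATEGORIES = {"Audit.Command Execution Success", "Exploit.Command Execution"}


def aql_like(value: str, pattern: str) -> bool:
    """Emulate AQL LIKE: '%' matches any run of characters, '_' one character,
    everything else is literal. The rule wraps the field in LOWER(), so lower-case first."""
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value.lower(), re.DOTALL) is not None


def dump_credentials_rule(event: dict) -> bool:
    """Category check followed by the OR of the three AND-groups of LIKE tests
    quoted in the rule definition above."""
    if event.get("category") not in RULE_CATEGORIES:
        return False
    cmd = event.get("Command", "")

    def like(pattern: str) -> bool:
        return aql_like(cmd, pattern)

    direct_cmdlets = like("%get-passwordvaultcredentials%") or like("%get-credmancreds%")
    vault_object = like("%new-object%") and like("%windows.security.credentials.passwordvault%")
    compiled_csharp = (like("%new-object%")
                       and like("%microsoft.csharp.csharpcodeprovider%")
                       and like("%runtime.interopservices.runtimeenvironment]::getruntimedirectory(%")
                       and like("%collections.arraylist%")
                       and like("%codedom.compiler.compilerparameters%"))
    return direct_cmdlets or vault_object or compiled_csharp


def matching_events(events: list) -> list:
    """Return the Command strings of the events the rule would fire on."""
    return [e["Command"] for e in events if dump_credentials_rule(e)]
```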

If a technique is generic enough to raise concerns about false positives, the rule is implemented as a building block instead, and other malicious behaviour must follow it before an offense is raised.

File and Directory Permission Modification after Download

Apply File and Directory Permission Modification after Download on events which are detected by the Local system
and when an event matches any of the following BB:DeviceDefinition: Endpoint Devices, BB:DeviceDefinition: Operating System
and when BB:CategoryDefinition: File Permission Changed match at least 1 times with the same Machine Identifier (custom) in 1 hour(s) after BB:BehaviorDefinition: Download Utilities in Events, BB:BehaviorDefinition: PowerShell File Download Activity, BB:CategoryDefinition: Object Download Events match

This rule has several child building blocks. 

BB:CategoryDefinition: File Permission Changed
BB:BehaviorDefinition: Download Utilities in Events
BB:BehaviorDefinition: PowerShell File Download Activity
BB:CategoryDefinition: Object Download Events

File download activity is not suspicious by itself, but a file permission change shortly after a download is.
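The "match at least 1 times with the same Machine Identifier in 1 hour(s) after" test is a stateful correlation, so here is an added Python sketch of how that window logic behaves over a constructed event stream (example code for this post, not QRadar's correlation engine; it assumes each event already carries the name of the building block it satisfied and omits the BB:DeviceDefinition restriction).

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # "in 1 hour(s) after" from the rule test

PERMISSION_BB = "BB:CategoryDefinition: File Permission Changed"
DOWNLOAD_BBS = {
    "BB:BehaviorDefinition: Download Utilities in Events",
    "BB:BehaviorDefinition: PowerShell File Download Activity",
    "BB:CategoryDefinition: Object Download Events",
}

# Constructed events (not real QRadar data). "machine" stands in for the
# Machine Identifier custom property; "bb" is the building block the event matched.
SAMPLE_EVENTS = [
    {"time": "2023-08-14T10:00:00", "machine": "host-a",
     "bb": "BB:BehaviorDefinition: PowerShell File Download Activity"},
    {"time": "2023-08-14T10:20:00", "machine": "host-a", "bb": PERMISSION_BB},  # 20 min later
    {"time": "2023-08-14T10:05:00", "machine": "host-b", "bb": PERMISSION_BB},  # no download
    {"time": "2023-08-14T11:00:00", "machine": "host-c",
     "bb": "BB:BehaviorDefinition: Download Utilities in Events"},
    {"time": "2023-08-14T12:30:00", "machine": "host-c", "bb": PERMISSION_BB},  # 90 min later
]


def correlate(events: list) -> list:
    """Return (machine, time) pairs for permission changes that occur within
    WINDOW after a download on the same machine.

    Only the most recent download per machine is kept: if any earlier download
    lies inside the window, the most recent one does too, so one timestamp suffices."""
    last_download = {}
    offenses = []
    for ev in sorted(events, key=lambda e: e["time"]):   # QRadar sees events in time order
        t = datetime.fromisoformat(ev["time"])
        if ev["bb"] in DOWNLOAD_BBS:
            last_download[ev["machine"]] = t
        elif ev["bb"] == PERMISSION_BB:
            start = last_download.get(ev["machine"])
            if start is not None and timedelta(0) <= t - start <= WINDOW:
                offenses.append((ev["machine"], ev["time"]))
    return offenses
```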

Turla Malware Activity

Each rule covers a Turla malware activity. Each rule is composed of multiple building blocks, each discovering a specific activity related to the malware family.

  1. Potential Carbon Activity
  2. Potential ComRAT Activity
  3. Potential Crutch Activity
  4. Potential Empire Activity
  5. Potential Epic Activity
  6. Potential Gazer Activity
  7. Potential HyperStack Activity
  8. Potential Kazuar Activity
  9. Potential LOLBIN Activity
  10. Potential Mosquito Activity
  11. Potential TinyTurla Activity
Let’s take a look at a few rules in more detail.

Potential Epic Activity

Apply Potential Epic Activity on events which are detected by the Local system
and when an event matches any of the following BB:BehaviorDefinition: Epic Filenames, BB:BehaviorDefinition: Epic Log Filenames, BB:BehaviorDefinition: Epic Search Terms

This rule has several child building blocks:

BB:BehaviorDefinition: Epic Filenames
BB:BehaviorDefinition: Epic Log Filenames
BB:BehaviorDefinition: Epic Search Terms

Turla's Epic malware uses spearphishing email and social engineering to get the victim to run .SCR files, sometimes packaged in .RAR archives. It exploits Java, Adobe, or Internet Explorer vulnerabilities to install fake applications that look legitimate, such as an Adobe installer.

The malware's command and control step executes reconnaissance commands, which are detected by the separate Potential Turla Recon Activity rule.

Known malware filenames and hashes, as well as keywords included in the commands, are monitored.

Potential TinyTurla Activity

Apply Potential TinyTurla Activity on events which are detected by the Local system
and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
and when the event category for the event is one of the following Audit.Object Load Success, System.Successful Registry Modification
and when the event matches LOWER("Filename") MATCHES ('w64time*') OR LOWER("Registry Value Data") MATCHES ('.*?w64time*') AQL filter query

TinyTurla installs a backdoor disguised as a "Windows Time Service" to avoid detection. The service DLL is named w64time.dll, mimicking the legitimate Microsoft Windows service DLL w32time.dll. The rule detects occurrences of w64time in filenames and registry value data.

Conclusion

Cyber attacks are always evolving, and Turla is no exception. Our content extension covers both generic techniques and Turla-specific behaviour to provide a solid security coverage base.

The content is mapped to the respective MITRE ATT&CK techniques in the Use Case Manager.


Comments

Thu September 21, 2023 04:48 PM

I have the current version of this Turla content extension installed in my QRadar, Version: 1.0.0.

Looking at the rules in the Use Case Manager none of them have any MITRE tactics and/or techniques mapped to them either at the building block or rule levels.

What is the source of the heat coverage map in this article? 

I am working through mapping each of the rules at the rule level and will post an exported JSON file to a separate blog if clients want to apply the MITRE TTPs to their rules in their QRadar UCM from this Turla content extension.