FireEye Red Team Tools detection in QRadar

By Gladys Koskas posted Thu December 10, 2020 02:50 PM


On December 8th 2020, FireEye disclosed that it had been the target of a successful, highly sophisticated state-sponsored cyber attack in which its Red Team tools were stolen. Many of those tools had already been released to the community and are distributed in FireEye's open-source virtual machine, CommandoVM.

FireEye has published countermeasures on GitHub to help organizations identify and mitigate use of the stolen tools, in the form of YARA, Snort and other rule sets. The repository contains more than 300 countermeasure rules in Snort, YARA, ClamAV and HXIOC formats.

IBM can also help you extend that monitoring with QRadar. Below is some guidance, sorted by ease of implementation (relative, of course, to each environment) from the easiest and fastest to the most involved, together with the resources associated with each method:

DSM updates

By default, QRadar already includes many of these detections through the mapping of events to QIDs, provided your DSMs are up to date.

Below is the list of devices that carry signatures for the CVEs listed in the GitHub repository and are mapped in QRadar.

CVE            | Device Type                                               | QID      | Event Name
---------------|-----------------------------------------------------------|----------|-----------------------------------------------------------------------------------------------------------------
CVE-2020-1472  | Symantec Endpoint Protection                              | 42009366 | OS Attack: Microsoft Netlogon CVE-2020-1472 3
CVE-2020-1472  | Symantec Endpoint Protection                              | 42009411 | OS Attack: Microsoft Netlogon CVE-2020-1472 4
CVE-2020-1472  | Snort Open Source IDS                                     | 2623098  | ET EXPLOIT Possible Zerologon NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)
CVE-2020-1472  | Snort Open Source IDS                                     | 2623099  | ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)
CVE-2020-1472  | Juniper Networks Intrusion Detection and Prevention (IDP) | 6273151  | MS-RPC:NTLGON-CVE-2020-1472-EOP
CVE-2020-1472  | Symantec Endpoint Protection                              | 42009336 | OS Attack: Microsoft Netlogon CVE-2020-1472
CVE-2020-1472  | McAfee Network Security Platform                          | 8264218  | DCERPC: Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
CVE-2020-1472  | Snort Open Source IDS                                     | 2623646  | ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) UUID flowbit set
CVE-2020-1472  | Snort Open Source IDS                                     | 2623647  | ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) M2
CVE-2020-1472  | Symantec Endpoint Protection                              | 42009354 | OS Attack: Microsoft Netlogon CVE-2020-1472 2
CVE-2018-13379 | Snort Open Source IDS                                     | 2615902  | ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)
CVE-2018-13379 | Symantec Endpoint Protection                              | 42008498 | Web Attack: Fortinet FortiOS Directory Traversal CVE-2018-13379
CVE-2018-13379 | McAfee Network Security Platform                          | 8263716  | HTTP: FortiOS SSL VPN Arbitrary File Read Vulnerability (CVE-2018-13379)
CVE-2018-15961 | Snort Open Source IDS                                     | 2611023  | ET WEB_CLIENT [Volex] Possible ColdFusion Unauthenticated Upload Attempt (CVE-2018-15961)
CVE-2018-15961 | McAfee Network Security Platform                          | 8263991  | HTTP: Adobe ColdFusion File Upload Vulnerability (CVE-2018-15961)
CVE-2019-0604  | Snort Open Source IDS                                     | 2615360  | ET WEB_SPECIFIC_APPS Possible SharePoint RCE Attempt (CVE-2019-0604)
CVE-2019-0604  | Juniper Networks Intrusion Detection and Prevention (IDP) | 6271499  | HTTP:EXPLOIT:CVE-2019-0604-RCE1
CVE-2019-0604  | Juniper Networks Intrusion Detection and Prevention (IDP) | 6271500  | HTTP:EXPLOIT:CVE-2019-0604-RCE2
CVE-2019-0604  | McAfee Network Security Platform                          | 8263304  | HTTP: Microsoft SharePoint Remote Code Execution (CVE-2019-0604)
CVE-2019-0604  | Symantec Endpoint Protection                              | 42008296 | Web Attack: Microsoft SharePoint RCE CVE-2019-0604
CVE-2019-0708  | Snort Open Source IDS                                     | 2615386  | ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)
CVE-2019-0708  | Stonesoft Management Center                               | 64761227 | Generic_CS-Windows-RDP-CVE-2019-0708
CVE-2019-0708  | Symantec Endpoint Protection                              | 42008293 | OS Attack: Microsoft Windows Remote Desktop Services RCE CVE-2019-0708
CVE-2019-0708  | Symantec Endpoint Protection                              | 42008294 | OS Attack: Microsoft Windows Remote Desktop Services RCE CVE-2019-0708 2
CVE-2019-0708  | Juniper Networks Intrusion Detection and Prevention (IDP) | 6271581  | APP:REMOTE:CVE-2019-0708-CE
CVE-2019-0708  | Symantec Endpoint Protection                              | 42008563 | OS Attack: Microsoft Windows Remote Desktop Services RCE CVE-2019-0708 3
CVE-2019-11580 | Snort Open Source IDS                                     | 2615735  | ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)
CVE-2019-11580 | McAfee Network Security Platform                          | 8264249  | HTTP: Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability (CVE-2019-11580)
CVE-2019-19781 | Snort Open Source IDS                                     | 2618461  | ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)
CVE-2019-19781 | Symantec Endpoint Protection                              | 42008728 | Web Attack: Citrix ADC RCE CVE-2019-19781
CVE-2019-19781 | Snort Open Source IDS                                     | 2619423  | ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2
CVE-2019-19781 | McAfee Network Security Platform                          | 8263684  | HTTP: Citrix ADC Arbitrary Code Execution Vulnerability (CVE-2019-19781)
CVE-2020-10189 | Symantec Endpoint Protection                              | 42008877 | Attack: Zoho ManageEngine Desktop Central CVE-2020-10189
CVE-2020-10189 | Snort Open Source IDS                                     | 2620468  | ET EXPLOIT Zoho ManageEngine Desktop Central RCE Inbound (CVE-2020-10189)
CVE-2019-3398  | McAfee Network Security Platform                          | 8263992  | HTTP: Atlassian Confluence Server and Data Center Directory Traversal Vulnerability (CVE-2019-3398)
CVE-2020-0688  | Snort Open Source IDS                                     | 2620186  | ET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE (CVE-2020-0688)
CVE-2020-0688  | Symantec Endpoint Protection                              | 42008836 | Web Attack: Microsoft Exchange Remote Code Execution CVE-2020-0688
CVE-2020-0688  | McAfee Network Security Platform                          | 8263777  | HTTP: Microsoft Exchange Server Memory Corruption Vulnerability (CVE-2020-0688)
CVE-2016-0167  | McAfee Network Security Platform                          | 8260232  | HTTP: Microsoft Win32k Elevation of Privilege Vulnerability (CVE-2016-0167)
CVE-2017-11774 | Symantec Endpoint Protection                              | 42008397 | Web Attack: Microsoft Office Outlook CVE-2017-11774
CVE-2017-11774 | Juniper Networks Intrusion Detection and Prevention (IDP) | 6272196  | HTTP:STC:OUTLOOK:CVE-2017-11774
CVE-2017-11774 | McAfee Network Security Platform                          | 8263431  | HTTP: Microsoft Outlook Security Feature Bypass Vulnerability (CVE-2017-11774)
CVE-2018-8581  | McAfee Network Security Platform                          | 8263128  | HTTP: Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2018-8581)
CVE-2018-8581  | Juniper Networks Intrusion Detection and Prevention (IDP) | 6272775  | HTTP:CVE-2018-8581-PE
CVE-2019-8394  | McAfee Network Security Platform                          | 8263990  | HTTP: Zoho ManageEngine ServiceDesk Plus Upload Arbitrary Files Vulnerability (CVE-2019-8394)


Snort rules

These rules are probably the fastest to implement. Once you have confirmed that your Snort sensor is loading the countermeasure signatures from the repository, the QRadar part is only two steps: a custom event property ("Rule ID") that extracts the Snort signature ID from the alert, and a custom rule that tests that property against the list of countermeasure signature IDs:

Apply Red Team Countermeasures - Snort Rules on events which are detected by the Local system
and when the event(s) were detected by one or more of Snort Open Source IDS
and when the event matches "Rule ID" in (25894, 25893, 25874, 25881, 25879, 25848, 25887, 25873, 33355045, 25890, 25892, 25878, 25891, 25857, 25880, 25885, 25900, 62010239, 25886, 25875, 25889, 25877, 25888, 25884, 25902, 25866, 25899, 25882, 25876, 25901, 25849, 100001, 25850) AQL filter query


[Screenshots in the original post: the "Rule ID" custom property, its event parsing, and the resulting offense]
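To check the two steps above before building them in the console, here is an offline model of them in Python. This is an added example, not code from the original post or from IBM: the "Rule ID" extraction is written as a regex over Snort's [gid:sid:rev] tag (the same regex-plus-capture-group shape a QRadar custom event property uses), the signature ID list is the one quoted in the rule above, and the alert lines are constructed for the example rather than real sensor output.

```python
"""Added example (not from the original post or from IBM): an offline model
of the two QRadar steps for the Snort countermeasures rule, so the parsing
and the rule test can be checked before they are built in the console.

Step 1 is the "Rule ID" custom event property: a regex that pulls the
signature ID (the middle number of Snort's [gid:sid:rev] tag) out of each
alert. Step 2 is the rule test: Rule ID IN (countermeasure signature IDs).
The signature ID list is the one quoted in the post's rule; the alert lines
below are constructed for this example and are not real sensor output.
"""
import re

# Signature IDs exactly as listed in the post's rule test.
COUNTERMEASURE_SIDS = frozenset({
    25894, 25893, 25874, 25881, 25879, 25848, 25887, 25873, 33355045, 25890,
    25892, 25878, 25891, 25857, 25880, 25885, 25900, 62010239, 25886, 25875,
    25889, 25877, 25888, 25884, 25902, 25866, 25899, 25882, 25876, 25901,
    25849, 100001, 25850,
})

# Equivalent of the custom property regex: Snort writes "[gid:sid:rev]" in
# both its syslog and fast-alert formats. Group 1 is the gid, group 2 the
# sid; taking group 1 by mistake would make every text rule look like "1".
RULE_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def extract_rule_id(event: str):
    """Return the Snort signature ID from an alert line, or None if absent."""
    m = RULE_ID_RE.search(event)
    return int(m.group(2)) if m else None


def is_countermeasure_hit(event: str) -> bool:
    """The rule test: the property is populated AND its value is in the list."""
    sid = extract_rule_id(event)
    return sid is not None and sid in COUNTERMEASURE_SIDS


def matching_events(events):
    """Run the rule over a batch of raw events; return the ones that fire."""
    return [e for e in events if is_countermeasure_hit(e)]


# Constructed Snort syslog alerts (not real sensor output). The first two
# carry sids from the countermeasure list; the third is an unrelated
# signature; the fourth has no [gid:sid:rev] tag at all.
SAMPLE_EVENTS = [
    "Dec 10 14:50:01 sensor1 snort[2231]: [1:25848:1] FE_RedTeam_example_1 "
    "[Classification: A Network Trojan was detected] [Priority: 1] "
    "{TCP} 10.10.20.5:51234 -> 203.0.113.9:443",
    "Dec 10 14:50:03 sensor1 snort[2231]: [1:25902:1] FE_RedTeam_example_2 "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 10.10.20.5:51240 -> 203.0.113.9:443",
    "Dec 10 14:50:05 sensor1 snort[2231]: [1:2100498:7] GPL ATTACK_RESPONSE "
    "id check returned root [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 203.0.113.9:80 -> 10.10.20.5:51244",
    "Dec 10 14:50:06 sensor1 snort[2231]: unrelated message with no signature tag",
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(extract_rule_id(e), is_countermeasure_hit(e))
```

Two things this makes visible that the rule text alone does not: the property must capture the middle field of the tag, not the gid, and an event without a tag yields a null property, which the IN test treats as no match rather than an error. Scope the rule to the Snort log source as the original does, since the same numeric sid could appear in a different product's event payload.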

MD5, SHA-1 and SHA-256

Another quick win is hash-based detection. The proposal here is three reference sets and one custom rule.

  1. Create three reference sets, one per hash type, and populate them from the FireEye_RedTeamTools_md5, FireEye_RedTeamTools_sha1 and FireEye_RedTeamTools_sha256 files in the repository (comma separated), using the same procedure as described before.
  2. Install content extensions that provide hash custom properties, or create your own.
    On the App Exchange, you can find MD5, SHA-1 and SHA-256 parsed for the following devices:
    Carbon Black Response, Cisco AMP, McAfee ePolicy Orchestrator, Microsoft Windows Defender ATP, Microsoft Windows Security Event Log

  3. Create a rule that tests the custom properties MD5 Hash, Parent MD5, SHA1 Hash, Parent SHA1 Hash, SHA256 Hash and Parent SHA256 Hash against the new reference sets. Make sure each property is tested against the set of its own hash type: a SHA-1 value tested against the MD5 set can never match, and the rule fails silently rather than erroring.
Apply Red Team Countermeasures - Tools Hash on events which are detected by the Local system
and when the event(s) were detected by one or more of Carbon Black Response, Cisco AMP, McAfee ePolicy Orchestrator, Microsoft Windows Defender ATP, Microsoft Windows Security Event Log
and when the event matches ("MD5 Hash" IS NOT NULL AND REFERENCESETCONTAINS('FireEye Red Team Countermeasures - MD5', "MD5 Hash")) OR ("Parent MD5" IS NOT NULL AND REFERENCESETCONTAINS('FireEye Red Team Countermeasures - MD5', "Parent MD5")) OR ("SHA1 Hash" IS NOT NULL AND REFERENCESETCONTAINS('FireEye Red Team Countermeasures - SHA1', "SHA1 Hash")) OR ("Parent SHA1 Hash" IS NOT NULL AND REFERENCESETCONTAINS('FireEye Red Team Countermeasures - SHA1', "Parent SHA1 Hash")) OR ("SHA256 Hash" IS NOT NULL AND REFERENCESETCONTAINS('FireEye Red Team Countermeasures - SHA256', "SHA256 Hash")) OR ("Parent SHA256 Hash" IS NOT NULL AND REFERENCESETCONTAINS('FireEye Red Team Countermeasures - SHA256', "Parent SHA256 Hash")) AQL filter query
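The three-step procedure above is easy to get subtly wrong when six REFERENCESETCONTAINS clauses are copied and edited by hand, so here is an offline model of it in Python. This is an added example, not code from the original post or from IBM: the hash lists are constructed stand-ins for the three repository files (the real ones come from the countermeasures repository), the reference set and property names are the ones used in the rule above, and the events are constructed in the shape the hash custom properties would produce, not real endpoint logs. It also carries a mapping check that catches a property tested against the wrong hash type's set.

```python
"""Added example (not from the original post or from IBM): an offline model
of the three hash reference sets and the "Tools Hash" rule, so the
property-to-reference-set mapping can be checked before the rule is built.

The hash lists are constructed stand-ins for the FireEye_RedTeamTools_md5 /
_sha1 / _sha256 files (comma separated, as the post describes); the real
ones come from the countermeasures repository. The events are constructed in
the shape the hash custom properties would produce, not real log data.
"""
import hashlib

# Constructed stand-ins for two tool binaries; only their digests matter.
TOOL_A = b"constructed stand-in for red team tool A"
TOOL_B = b"constructed stand-in for red team tool B"


def digest(algo: str, data: bytes) -> str:
    return hashlib.new(algo, data).hexdigest()


# Constructed stand-ins for the three repository files. Mixed case and stray
# whitespace are deliberate: exports are rarely uniform, and the load step
# has to normalise them or the reference set lookups silently miss.
FILE_MD5 = f"{digest('md5', TOOL_A).upper()}, {digest('md5', TOOL_B)}"
FILE_SHA1 = f"{digest('sha1', TOOL_A)},{digest('sha1', TOOL_B)} "
FILE_SHA256 = f"{digest('sha256', TOOL_A)},\n{digest('sha256', TOOL_B)}"


def load_reference_set(contents: str) -> frozenset:
    """Split a comma-separated hash file into a normalised (lowercase) set."""
    return frozenset(h.strip().lower() for h in contents.split(",") if h.strip())


REFERENCE_SETS = {
    "FireEye Red Team Countermeasures - MD5": load_reference_set(FILE_MD5),
    "FireEye Red Team Countermeasures - SHA1": load_reference_set(FILE_SHA1),
    "FireEye Red Team Countermeasures - SHA256": load_reference_set(FILE_SHA256),
}

# Custom property -> reference set, each property against the set of its own
# hash type. This is the mapping the rule text must encode.
PROPERTY_TO_SET = {
    "MD5 Hash": "FireEye Red Team Countermeasures - MD5",
    "Parent MD5": "FireEye Red Team Countermeasures - MD5",
    "SHA1 Hash": "FireEye Red Team Countermeasures - SHA1",
    "Parent SHA1 Hash": "FireEye Red Team Countermeasures - SHA1",
    "SHA256 Hash": "FireEye Red Team Countermeasures - SHA256",
    "Parent SHA256 Hash": "FireEye Red Team Countermeasures - SHA256",
}

# The same mapping with the slip that is easy to make when copy-pasting six
# REFERENCESETCONTAINS clauses: a SHA-1 property tested against the MD5 set.
BUGGY_MAPPING = dict(PROPERTY_TO_SET)
BUGGY_MAPPING["Parent SHA1 Hash"] = "FireEye Red Team Countermeasures - MD5"


def mismatched_pairs(mapping: dict) -> list:
    """Properties whose hash type does not appear in their reference set name."""
    bad = []
    for prop, set_name in mapping.items():
        hash_type = prop.lower().replace("parent ", "").replace(" hash", "")
        if hash_type.upper() not in set_name:
            bad.append(prop)
    return bad


def matching_properties(event: dict, mapping: dict = PROPERTY_TO_SET) -> list:
    """Model of the rule test, for every property:
    <property> IS NOT NULL AND REFERENCESETCONTAINS(<set>, <property>)."""
    hits = []
    for prop, set_name in mapping.items():
        value = event.get(prop)
        if value is None:
            continue
        if value.strip().lower() in REFERENCE_SETS[set_name]:
            hits.append(prop)
    return hits


def run_rule(events: list, mapping: dict = PROPERTY_TO_SET) -> list:
    """Return (index, matched properties) for every event that would fire."""
    out = []
    for i, e in enumerate(events):
        hits = matching_properties(e, mapping)
        if hits:
            out.append((i, hits))
    return out


# Constructed events (not real endpoint logs).
EVENTS = [
    # tool A executed directly; this log source reports MD5 in uppercase
    {"MD5 Hash": digest("md5", TOOL_A).upper(), "SHA256 Hash": digest("sha256", TOOL_A)},
    # a benign child process spawned by tool B: only the parent hash matches
    {"MD5 Hash": digest("md5", b"benign"), "Parent SHA1 Hash": digest("sha1", TOOL_B)},
    # unrelated binary
    {"SHA256 Hash": digest("sha256", b"benign")},
    # properties present but null (parsing did not populate them)
    {"MD5 Hash": None, "SHA1 Hash": None},
]

if __name__ == "__main__":
    print("mapping problems:", mismatched_pairs(BUGGY_MAPPING))
    print("fires:", run_rule(EVENTS))
    print("fires with buggy mapping:", run_rule(EVENTS, BUGGY_MAPPING))
```

Running it shows the second event (a child of a listed tool) firing only under the correct mapping; under the buggy one it is dropped without any error, which is why the mapping check is worth running against the rule text before it goes into production. The case normalisation matters for the same reason: reference set membership is a string comparison, and log sources do not agree on hash casing.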



Endpoint content extension

If you have read the Endpoint blog published a few weeks ago, you probably remember that its first topic was tools used by both red teams and malware.
We implemented rules specific to known tools (Cobalt Strike, SharpHound, PingCastle, Advanced IP Scanner, AdFind, Everything and Masscan) as well as more general ones.

As FireEye noted in its blog, "The Red Team tools stolen by the attacker did not contain zero-day exploits. The tools apply well-known and documented methods that are used by other red teams around the world." The Endpoint Content Extension, together with the Windows CEP and the Linux CEP, provides a solid base that can be reused as-is, or duplicated and tuned, to extend detection to the FireEye-specific tools.

Here is the list of rules to focus on for the behaviour and IOCs of reconnaissance and attack-path discovery tools:

  • Cobalt Strike Behaviour Detected
  • Excessive Nslookup Usage
  • Excessive Failed Access to an Administrative Share from the Same Source
  • Reconnaissance Tool Detected
  • SharpHound PowerShell Detected
  • BB:BehaviorDefinition: Cobalt Strike Process Address
  • BB:BehaviorDefinition: Cobalt Strike Port Usage
  • BB:BehaviorDefinition: Cobalt Strike Outbound Traffic
  • BB:BehaviorDefinition: Cobalt Strike Inbound Traffic
  • BB:BehaviorDefinition: Repeated Nslookup Usage
  • BB:BehaviorDefinition: Hostname or Network Discovery

We also have a few rules focusing on credential dumping, scans, protocol flaws, and so on:

  • Credential Dumping Activities Discovered
  • Excessive Login Failures via RDP
  • Excessive Login Failures via RDP to Multiple Machines
  • RDP Hijacking Tool Detected
  • Search for Password Files using findstr (Windows)
  • Search for Password Files using Select-String (Windows)
  • Search for Password Files using grep or find (Unix)
  • BB:BehaviorDefinition: Group or Account Discovery
  • BB:BehaviorDefinition: Password Policy Discovery (Unix)
  • BB:BehaviorDefinition: Password Policy Discovery (Windows)

Installing and configuring the Endpoint content extension requires a little more work, as it potentially involves configuring the endpoints to send the relevant logs to QRadar.
The procedure is described in the QRadar configuration section of the Endpoint blog.

Conclusion

These are examples of measures you can implement fairly quickly; many other possibilities remain open to you. You can extend detection to all your YARA-capable devices (CrowdStrike, Blue Coat, Symantec, Websense, etc.) and centralize correlation and alerting in QRadar (refer to all-yara.yar in the GitHub repository).

A security incident of this magnitude, and the media coverage that follows, can feel overwhelming, but continuous updates and the latest security research help you deal with it. Many options exist, and each step builds on the previous one.

If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.
