The simplicity of advanced correlation using Anvilogic’s Scenario Creation

Future SIEM | Maturity | Security Trends | Detection Strategies

For far too long, Security Operations Centers have struggled to find the right balance between alert efficacy and an acceptable volume of alerts firing into their SIEM. Today, we’re going to look at a research article on a FIN6 attack published by FireEye.

Attack Lifecycle

Background:

FIN6 is a financially motivated cybercriminal group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. In this particular scenario, FIN6 decided to broaden its scope of attack by also targeting the engineering industry. However, the TTPs historically attributed to this actor group were also observed in this attack.

In this blog, we’ll go through the different types of attacks performed by this actor group and show you how we can sequence the layer 1 detections into a high-fidelity Threat Scenario with the out-of-the-box detection capabilities delivered within the Anvilogic platform. For this attack, we will mainly focus on two aspects of the attack lifecycle: Initial compromise and Internal recon & collection.

Initial Compromise:

The attack began with a compromise of an internet-facing system. The attackers leveraged stolen credentials to move laterally within the environment using Windows RDP. To establish a foothold and download their attacker tools, the attackers leveraged two techniques:

  • Base64 encoded PowerShell commands
  • Windows services created with a tool such as sc.exe

Detection with the Anvilogic platform:

Threat Identifiers (or layer 1 signals) exist within the platform to pick up on both techniques:

Figure 1: Encoded Powershell Commands

Figure 2: Windows Service Created

Internal Reconnaissance and Collection:

The attackers then began to conduct internal recon inside the environment by leveraging an Active Directory query tool called adfind. The output was compressed with 7-zip as a means of collection for later exfiltration.

Implement Layer 1 Threat Identifiers with the Anvilogic Detection Platform:

Once again, both the usage of adfind and the execution of 1-2 character executables such as 7.exe can be picked up with the existing use cases on the platform:

Putting it all together:

Once we implement the underlying Layer 1 signals or Threat Identifiers, we can start stringing together more complex and higher efficacy alerts from the output of these signals to catch adversarial behavior.

Using the Anvilogic Platform’s Threat Scenario Builder, in under two minutes, you can piece together the complex attack path conducted by FIN6, sequence the steps based on gathered intel, and stretch that sequence over a realistic time span to eliminate unwanted noise. The Scenario Builder makes it possible to yield an alert with a much higher true positive rate than the sum of its parts.
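To make the layering concrete, here is an added example (my own code, not Anvilogic’s platform or FireEye’s research) that implements the four layer 1 Threat Identifiers from the Initial Compromise and Internal Reconnaissance sections as simple per-event tests over constructed process-creation events, then chains them into one per-host, time-windowed sequence in the FIN6 order described above. The event fields, the two-hour window, the System32 exclusion for the short-name check and all sample events are assumptions.

```python
import re
from datetime import datetime, timedelta
from itertools import groupby

# Constructed sample process-creation events (host, time, image path, command line); not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ("ws01", "2021-05-13T09:00:00", PS, "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="),
    ("ws01", "2021-05-13T09:02:30", r"C:\Windows\System32\sc.exe", r"sc.exe create svchelper binPath= C:\Windows\Temp\a.exe"),
    ("ws01", "2021-05-13T09:20:00", r"C:\Windows\Temp\adfind.exe", "adfind.exe -f objectcategory=computer -csv"),
    ("ws01", "2021-05-13T09:25:00", r"C:\Windows\Temp\7.exe", r"7.exe a -p -mhe C:\Windows\Temp\ad.7z C:\Windows\Temp\ad.csv"),
    ("ws02", "2021-05-13T10:00:00", PS, "powershell.exe -enc RwBlAHQALQBTAGUAcgB2AGkAYwBlACAAdwBpAG4AcgBtAA=="),  # lone admin noise
]

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

# Layer 1 Threat Identifiers: one boolean test per technique, each evaluated on a single event.
def ti_encoded_powershell(image, cmd):
    return basename(image) == "powershell.exe" and bool(re.search(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", cmd, re.I))
def ti_service_created(image, cmd):
    return basename(image) == "sc.exe" and bool(re.search(r"\bcreate\b", cmd, re.I))
def ti_adfind(image, cmd):
    return basename(image) == "adfind.exe"
def ti_short_name_exe(image, cmd):  # 1-2 character executables such as 7.exe; System32 tools like sc.exe excluded
    name = basename(image)
    return name.endswith(".exe") and len(name) <= 6 and "\\windows\\system32\\" not in image.lower()

SCENARIO = [ti_encoded_powershell, ti_service_created, ti_adfind, ti_short_name_exe]  # FIN6 order from the post
WINDOW = timedelta(hours=2)

def layer1_signals(events):
    """Run every Threat Identifier over every event; return (host, time, identifier name) tuples."""
    return [(h, datetime.fromisoformat(ts), ti.__name__) for h, ts, img, cmd in events for ti in SCENARIO if ti(img, cmd)]

def threat_scenario(events, steps=SCENARIO, window=WINDOW):
    """Alert once per host whose signals contain every step, in order, with all steps inside the window."""
    alerts = []
    for host, group in groupby(sorted(layer1_signals(events)), key=lambda s: s[0]):
        i, start = 0, None
        for _, ts, name in group:
            if name != steps[i].__name__:
                continue  # unrelated or out-of-order signal: keep waiting for the next expected step
            if start is not None and ts - start > window:
                break  # sequence stretched past the window: treat as unrelated activity, no alert
            start, i = start or ts, i + 1
            if i == len(steps):
                alerts.append((host, start.isoformat(), ts.isoformat()))
                break
    return alerts
```

Run on the sample, the five individual signals include the lone encoded-PowerShell hit on ws02, but only ws01, where all four steps occur in order inside the window, produces a scenario alert.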

May 13, 2021

The simplicity of advanced correlation using Anvilogic’s Scenario Creation

Future SIEM
Maturity
Security Trends

For far too long Security Operation Centers have struggled to find that perfect balance of efficacy in alerting while trying to maintain an acceptable threshold of alerts firing into their SEIM. Today, we’re going to be looking into a research article for a FIN6 attack published by FireEye.

Attack Lifecycle

Background:

FIN6 is a financially motivated cybercriminal group with stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. In this particular scenario, FIN6 decided to broaden its scope of attack by also targeting the engineering industry. However, the particular attribution of TTPs historically seen by the actor group was also witnessed for this attack.

In this blog, we’ll go through the different types of attacks performed by this actor group and show you how we can sequence the layer 1 detections into a high-fidelity Threat Scenario with the out-of-the-box detection capabilities delivered within the Anvilogic platform. For this attack, we will mainly focus on two aspects of the attack lifecycle: Initial compromise and Internal recon & collection.

Initial Compromise:

The attack began with a compromise of an internet-facing system. The attackers leveraged stolen credentials to move laterally within the environment using Windows RDP. To establish a foothold and download their attacker tools, the attackers leveraged two techniques:

  • Base64 encoded PowerShell commands
  • Windows services created with looking like sc.exe

Detection with the Anvilogic platform:

Threat Identifiers (or layer 1 signals) exist within the platform to pick up on both techniques:

Figure 1: Encoded Powershell Commands

Figure 2: Windows Service Created

Internal Reconnaissance and Collection:

The attackers then began to conduct internal recon inside the environment by leveraging an Active Directory query tool called adfind. The outputted data was compressed as a means of collection for exfiltration later via 7-zip.

Implement Layer 1 Threat Identifiers with the Anvilogic Detection PlatformsOnce again, both the usage of adfind and execution of 1-2 character executables such as 7.exe can be picked up with the existing use cases on the platform:

Putting it all together:

Once we implement the underlying Layer 1 signals or Threat Identifiers, we can start stringing together more complex and higher efficacy alerts from the output of these signals to catch adversarial behavior.

Using the Anvilogic Platform’s Threat Scenario Builder, in under two minutes, you can piece together the complex attack path conducted by FIN6, sequence the attacks based on gathered intel, and span out the sequence in a realistic manner to eliminate any unwanted noise. The Scenario Builder makes it possible to yield an alert with a much higher true positive rate than the sum of its parts.

Break Free from SIEM Lock-in

Break Free from SIEM Lock-in