Single indicators of compromise (IOCs) are vital for identifying specific security activity of interest. However, because each one is only a single piece of a larger narrative, they fall short of providing organizations with reliable, scalable and maintainable defense strategies. Building detection content around sequences of threat behaviors helps organizations quickly and easily detect adversaries' tactics, techniques and procedures (TTPs), most of which would be easily overlooked outside of a sequence. TTPs are the procedures adversaries typically follow to achieve their underlying objectives, and they are not easily changed. This is why the Anvilogic threat research team, The Forge, works to ensure its threat detections focus on behavioral patterns. As the team shared in our recent whitepaper “Forging Success in Threat Detection at the Apex of the Pyramid”, most detection strategies today focus solely on atomic-level indicators, but the need for detections built around threat behaviors is becoming clear, as the Conti leaks demonstrate.
The Forge has examined various attack chains with a focus on the Conti ransomware gang. Conti material was leaked twice: by an insider in August 2021 and by a Ukrainian researcher in February 2022. The leaked information offers valuable insight into the group’s day-to-day operations, as well as its manuals and procedures. The procedures threat operators use give defenders the insight needed to understand the attacker’s mindset: what objectives they pursue and how they achieve them. The Conti leaks reveal the human element of the mighty ransomware group and how susceptible its members are to habits of monotony. By breaking down the notable observations, it is possible to construct threat content and threat scenarios from the leak and help defenders understand Conti and the attackers’ behaviors.
If it ain’t broke
The most reliable form of threat detection is to focus on adversary TTPs. TTPs are hard for adversaries to change, a point Conti operators confirm: the recent leaks revealed that their operations don't stray from proven success. Security researcher Lawrence Abrams of BleepingComputer pointed out a chat conversation (figure 1) between Conti affiliates that describes procedures mimicking those of Ryuk ransomware operators, down to the same batch file, “adf.bat”. The Conti gang follows standard operating procedures, as most corporations and large enterprises do, because they provide a formula for desired, repeatable outcomes.
(Figure 1) Twitter: @LawrenceAbrams
A breakdown of the Conti chat logs is well documented by Krebs in his Conti series, which details the “corporate” side of Conti and reveals the group’s daily operations. Although it is a criminal organization, the ransomware group operates not all that differently from most enterprises, with structured work hours, a chain of command and salaried employees with defined roles and responsibilities. It is a group with structure, providing training manuals and guides to ensure its operations succeed. That structure, and the need to adhere to a set of guidelines, further emphasizes the power of detecting through the sequencing of threat behaviors.
Countering The Attack
Threat actors run their playbooks because they have developed a formula for achieving their objectives. Researchers who study that formula can craft reliable detections targeting their actions on objectives. A recently observed technique uses HTA files executed via mshta to distribute malicious payloads. NETBYTESEC documented an attack chain for this technique, detailing an infection flow (figure 2) in which Emotet obtains initial access through the execution of a malicious document, followed by a sequence of LOLBin executions (mshta, powershell, rundll32), a file download from command and control, and a registry modification. This attack chain has also been used by the threat actors InSideCopy and TA551 and in BazarLoader campaigns. Threat actors can rerun these playbooks undeterred because defenders are not building reliable, pattern-based detections to detect or block the activity.
Creating threat scenarios gives organizations the countermeasures they need to detect malicious sequences of activity. Threat identifiers on their own would have fired numerous alerts from this one attack, requiring excessive effort to triage and correlate the activity. With a threat scenario, a single alert captures the full attack chain in one detection (figure 4), and it carries higher confidence because it combines multiple threat identifiers for malicious activity that is typically missed when each is considered alone. The team’s simulated Conti exercise followed a similar scenario, since the technique is proven to work for offensive operators.
Continuing to Capture Threat Behaviors
Defenders can capitalize on threat research to create sequence patterns that track malicious behaviors. Diving further into the Conti leaks, the group maintained manuals (figures 5 and 6), how-to documents and training materials that guide its operators in achieving their attack objectives. This revelation reinforces the potential of threat scenario-based detections: threat behaviors can be captured to identify malicious attack activity.
The leaked information is invaluable to blue team analysts. As shown earlier with the Ryuk and Conti TTP similarities, threat actors reuse techniques that work, and activities from their leaked manuals are followed directly during threat campaigns, as evident from The DFIR Report’s well-written honeypot analysis. In an observed Ryuk campaign (figure 7), a phishing email delivered BazarLoader through a malicious link; the operators then pivoted to specific reconnaissance activity spanning over an hour, querying Active Directory and the registry, before executing AdFind. The threat activity was dissected into a time-based sequence (figure 8) to build an accurate threat scenario detection that captures this specific activity using threat identifiers that, on their own, can be noisy for security analysts to triage. Identifying threat activity based on TTPs is crucial for defenders to reliably capture malicious activity.
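As an added example, not code from the original post or from Anvilogic, the following Python correlates the atomic identifiers discussed above (mshta, powershell, rundll32, registry modification) into a single time-windowed threat scenario alert per host and counts how many alerts the same identifiers would raise individually; the same matcher serves the Ryuk reconnaissance-then-AdFind sequence by supplying a different step list and a longer window. All events, hostnames and command lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (hypothetical; not from the page or any real case).
EVENTS = [
    {"ts": "2022-03-01T09:00:05", "host": "ws01", "image": "mshta.exe", "cmdline": "mshta.exe c:\\users\\public\\a.hta"},
    {"ts": "2022-03-01T09:00:09", "host": "ws01", "image": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc ..."},
    {"ts": "2022-03-01T09:00:20", "host": "ws01", "image": "rundll32.exe", "cmdline": "rundll32.exe c:\\users\\public\\x.dll,Start"},
    {"ts": "2022-03-01T09:00:25", "host": "ws01", "image": "reg.exe", "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v x /d c:\\users\\public\\x.dll"},
    # Second host: the same identifiers fire individually but hours apart, so no chain.
    {"ts": "2022-03-01T10:00:00", "host": "admin02", "image": "mshta.exe", "cmdline": "mshta.exe hr_portal.hta"},
    {"ts": "2022-03-01T14:30:00", "host": "admin02", "image": "powershell.exe", "cmdline": "powershell Get-Service"},
]

# Each threat identifier is an atomic predicate; the threat scenario is their order.
HTA_CHAIN = [
    ("mshta_exec", lambda e: e["image"] == "mshta.exe"),
    ("powershell_exec", lambda e: e["image"] == "powershell.exe"),
    ("rundll32_exec", lambda e: e["image"] == "rundll32.exe"),
    ("run_key_persistence", lambda e: e["image"] == "reg.exe" and "\\run" in e["cmdline"].lower()),
]

def match_sequence(events, scenario, window_minutes):
    """Return one alert per host whose events hit every scenario step, in order, inside the window."""
    # The window runs from the first matched step; if it expires mid-chain the partial
    # match is discarded, so identifiers that fire hours apart never correlate.
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        step, start, matched = 0, None, []
        for e in sorted(evs, key=lambda e: e["ts"]):
            t = datetime.fromisoformat(e["ts"])
            if start is not None and t - start > window:
                step, start, matched = 0, None, []  # window expired: restart the chain
            name, pred = scenario[step]
            if pred(e):
                start = start or t
                matched.append((name, e["ts"]))
                step += 1
                if step == len(scenario):
                    alerts.append({"host": host, "steps": matched})
                    break
    return alerts

def atomic_hits(events, scenario):
    """Alert count if the same identifiers fired on their own, for comparison."""
    return sum(1 for e in events for _, pred in scenario if pred(e))
```

On the constructed events the atomic identifiers raise six alerts across two hosts, while `match_sequence(EVENTS, HTA_CHAIN, 30)` raises one, for ws01 only.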
Threat scenario development is not limited to researching threat actors. While studying real adversaries is ideal, the same research can be obtained by observing any offensive group, including pentesters and internal red teams. Red team members conducting internal assessments offer incredible insight into how compromises can occur from within an organization's environment. By tracking their campaigns from start to finish, blue teamers can identify the steps an attacker must take and not only create threat identifiers for atomic-level detections but also pair that activity into threat scenarios, producing accurate, high-confidence detections.
While threat actors take advantage of their victims by exploiting human tendencies and errors, the human factor is a commonality defenders can exploit as well. The Conti leaks gave us insight into, and confirmation of, the group’s operations. They reveal a group not all that different from a corporate organization, with internal problems including personnel, trust and complaints; its members are indeed human, with a tendency to follow structure and a susceptibility to complacency. By structuring detections around their operational playbooks, reliable threat detection content can be created that scales to their threats. As threat adversaries trust their playbooks, we defenders can begin trusting our detections.
Additional HTA Reference Examples
- InSideCopy APT:
- Red Canary:
- Twitter: @Max_Mal_: BazarLoader: https://twitter.com/Max_Mal_/status/1484553931841757191
- Brian Krebs, Conti blogs:
- Conti Leak 2021: https://vblocalhost.com/conference/presentations/all-roads-lead-to-rome-the-conti-manual-leak-dissection/
- DFIR Report: Ryuk Return: https://thedfirreport.com/2020/10/08/ryuks-return/
- GitHub: Res260 - Conti Procedures: https://github.com/Res260/conti_202202_leak_procedures
- NETBYTESEC: “TECHNICAL MALWARE ANALYSIS: THE RETURN OF EMOTET”: https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html
- Twitter: @LawrenceAbrams: https://twitter.com/LawrenceAbrams/status/1498525119148351489?s=20&t=uWpqK0v4PF9x1XFMFlVwt