In addition to the Analytic Story on AWS Cryptomining we covered in our blog post from last week, this week's Enterprise Security Content Update release highlights a recent Department of Homeland Security (DHS) alert fingering the Russian government for cyber activity targeting critical infrastructure sectors and includes searches to help detect similar activity.
Check out the highlights:
Russian Government Implicated in Cyber Attacks Against US Infrastructure
The frequency of nation-state cyberattacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity.
One joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.
Find out more about suspicious activities—spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications and many more—in this Analytic Story.
This Analytic Story includes a number of detection searches, such as:
- Monitoring for PowerShell processes that were launched using a parameter designed to bypass the local PowerShell execution policy.
- A search that looks for specific registry paths that malware often uses to ensure survivability and persistence on system startup.
- Alerting for spikes in SMB traffic that may indicate an infected host attempting to spread ransomware to other hosts in your environment.
It also includes some environment-specific and investigative searches that may help you go deeper.
Data Sources Required:
- Network traffic logs
- Logs that include both the process name and command-line from your endpoints