The Cisco Talos Team just published a report on the latest APT28 malware that came in as a deceptive "Cyber Conflict U.S. Conference" flyer. You can read the article here:
I just wanted to capture some thoughts that come to mind when I read these types of reports and ask myself, "How can we detect this type of attack?" There are some key takeaways from this report that would let you detect this type of attack fairly easily, or prevent it altogether, since it relied on Word macros.
- Prevention - The email delivered a Microsoft Word document that used macros to infect the user. Prevent these types of attacks by blocking Word macros using Group Policy!
- Detection - Using Event ID 4688 with command-line logging enabled, you could trigger on Word spawning cscript, wscript, or PowerShell, as this is NOT normal.
- Detection - A DLL is used to infect the system; a batch file loads it by running rundll32. Alerting on rundll32 via 4688 with command-line logging could catch this behavior.
- Detection - If you use Windows Firewall logging (which does NOT require using the Windows Firewall), 5156 events will show the IPs used to communicate with the C2 server. Scan your environment for any other hosts talking to those suspicious IPs.
- Detection - Monitoring changes to well-known AutoRun registry locations could detect this behavior via a 4657 event. An Autoruns scanner like LOG-MD can also discover these malicious changes. This payload used the following key:
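To make the 4688 and 4657 items above concrete, here is an added example (my own illustration, not code from the Talos report or from LOG-MD) of the rule logic run over a handful of constructed Security-log events. It assumes the 4688 events carry the command line and the Creator Process Name field (available on Windows 10 / Server 2016 and later) and that the Run/RunOnce keys have an audit SACL so 4657 fires; the process paths, file names such as payload.dll and stage.vbs, and the registry value name are invented sample values.

```python
# Added example (not from the original post): rule logic for the 4688 / 4657
# detections described above, run over constructed sample events.
# Field names follow the Security log schema; the sample values are invented.
import re
from typing import Dict, List

# Word (and other Office apps) spawning a script host is the macro-to-payload hop.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe"}

# Well-known Run/RunOnce autorun locations (suffix match covers HKLM and HKCU).
AUTORUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# A DLL that rundll32 loads from a user-writable location rather than a system directory.
USER_WRITABLE_DLL = re.compile(
    r'\\(?:appdata|temp|programdata|users\\public)\\[^"]*?\.dll\b', re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_4688(ev: Dict[str, str]) -> List[str]:
    """Process-creation rules. Requires 'Include command line in process creation
    events' and the Creator Process Name field (Windows 10 / Server 2016+)."""
    alerts: List[str] = []
    parent = basename(ev.get("ParentProcessName", ""))
    child = basename(ev.get("NewProcessName", ""))
    cmd = ev.get("CommandLine", "")
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        alerts.append(f"office-spawned-script-host: {parent} -> {child}")
    if child == "rundll32.exe" and USER_WRITABLE_DLL.search(cmd):
        alerts.append(f"rundll32-user-writable-dll: {cmd}")
    return alerts


def check_4657(ev: Dict[str, str]) -> List[str]:
    """Registry-value-modified rule. 4657 is only generated for keys that carry an
    audit SACL and with 'Audit Object Access / Registry' enabled."""
    key = ev.get("ObjectName", "").lower()
    if key.endswith(AUTORUN_KEY_SUFFIXES):
        return [f"autorun-key-modified: {ev['ObjectName']}\\{ev.get('ObjectValueName', '')} "
                f"= {ev.get('NewValue', '')}"]
    return []


RULES = {"4688": check_4688, "4657": check_4657}


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Apply the rule for each event's ID and collect the alert strings."""
    alerts: List[str] = []
    for ev in events:
        rule = RULES.get(ev.get("EventID", ""))
        if rule:
            alerts.extend(rule(ev))
    return alerts


# Constructed sample events (invented values, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": "4688",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //B C:\Users\alice\AppData\Local\Temp\stage.vbs"},
    {"EventID": "4688",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\payload.dll,#1"},
    {"EventID": "4688",  # an admin opening a console: benign, should not alert
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"EventID": "4657",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ObjectValueName": "updater",
     "NewValue": r"rundll32.exe C:\Users\alice\AppData\Roaming\payload.dll,#1"},
    {"EventID": "4657",  # unrelated key: should not alert
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer",
     "ObjectValueName": "ShellState", "NewValue": "..."},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The rundll32 rule deliberately keys on the DLL living under a user-writable path rather than on rundll32 alone, since rundll32 runs constantly on a healthy Windows box; the parent/child check is what makes the script-host rule low-noise, because an interactive PowerShell from Explorer is normal while one from WINWORD.EXE is not.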
These types of attacks leave noise in well-configured logs and can be detected, and in this case prevented, by blocking macros in Word documents. You can use whatever solution you have to collect log data. LOG-MD can of course discover this type of attack if the logs are properly configured, but simply searching AutoRuns and doing a registry compare would also give you valuable data. Of course, you first need to configure your systems to collect the data locally in order to use it. Please read the 'Windows Logging Cheat Sheet' and the other cheat sheets for what to configure. You can get them here:
There is also a presentation I give on reducing/preventing malware/ransomware from phishing that can be found on the website as well:
And LOG-MD to collect logs, Autoruns, files, and registry data: