Detecting APT29 With SOCFortress
Spot malicious activity attributed to Russian State backed APT group 29.
APT29 is a threat group that has been attributed to the Russian government who have been in operation since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Emu) https://attack.mitre.org/groups/G0016/
This post illustrates the SOCFortress team simulating the APT29 killchain with CALDERA . We will demonstrate how to spot malicious activity and run in depth searches on the SOCFortress platform to view malicious activity associated with APT29 across our endpoint.
A Windows server was deployed and the Caldera agent (sandcat.go-windows.exe) was installed on the Widows server. The APT29 operation was then kicked off:
- We first see two alerts on the “EDR- _SUMMARY” dashboard that caught my eye.
- Multiple Sysmon Anomalies
- Windows Sigcheck — VirusTotal Hit Above 10 Matches
2. We select the dropdown and the link to view the alert metadetails in the Explore window.
3. We first spot a network connection being made out to 126.96.36.199 on an abnormal port 5353 that was invoked by a process that we are unfamiliar with (sandcat.go-windows.exe).
4. We also see an Unsigned Image being loaded, meaning that this software has not be signed and verified by Microsoft, a common practice for malware. Again, we see our friend who made the network connection to an uncommon port (sandcat.go-windows.exe).
Now we are seeing a cause for concern. Let’s go ahead and build a filter that will provide us “WARNING” and “ALERT” level events for the host in question (SOCFORTRESS-CALDERA).
- Head over to the Explore page
2. Build a query “agent_name:SOCFORTRESS-CALDERA AND syslog_level:WARNING OR syslog_level:ALERT”
Now let’s really start exploring.
Early on in the killchain, we see Powershell reach out to our Command and Control server that is running Caldera.
Hmm a network connection on port 8888, that doesn’t sound very common.
Uh-oh now we see Powershell being called with the “-ExecutionPolicy Bypass” flag being set. That’s never a good sign!
Holy crap, they are invoking Mimikatz that they have hosted on Github! Now we know this host is definitely infected. Let’s see what else we can find.
Trying to delete our Sysmon monitoring tool. That’s not very nice! However it is a common practice for malware to attempt to remove security logging. Good thing they failed 😊
Oh no, now a file has been dropped onto the system and was detected in the Virustotal scan!
The killchain then ended with the our computer being restarted ☹
This post only details a few of the malicious detections associated with APT29 and illustrates how the SOCFortress platform can help your SOC team pinpoint IoCs.
This demonstration was also ran without any AntiVirus agent and Windows Defender disabled. We are a reseller for an AntiVirus solution (WithSecure) that we have integrated with our platform and that can be purchased per agent. We also provide a Windows Defender script that ensures all of our recommended settings are set for free. SOCFORTRESS-CALDERA, did not do a very good job 😊
The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Platform Demo: https://www.socfortress.co/demo_access.html
Free Tier: https://www.socfortress.co/trial.html