Threat Hunting on Simple Tricks

x0rz
3 min read · Jul 18, 2016


You are part of a blue team on a low budget (or with very few people) and don’t have any ThreatButt or other fancy anti-APT appliances? Let’s see what we can do with what we have. I will assume you have (at least) web proxy logs (that’s really the basics).

Basic IOCs don’t work anymore

Maintaining an updated and curated list of IOCs is very hard, and if you are a very small team it is practically futile. C2 URLs change every day; it is a painful effort, considering the malicious domains will be dead a few days later…

What you want is to build an efficient set of simple yet effective rules that will tighten your detection process a bit more (especially if you don’t have that saucy threat intel big organizations can afford).

Using patterns

The URLs can change, but the methodology a threat actor employs will (almost) always be the same: 1) compromise a random vulnerable CMS, 2) upload the malicious binary, 3) spam/phish the planet to get people to click on links or attachments (malicious Word documents that drop the binary), 4) rinse and repeat.

One major infection vector is compromised WordPress websites. They are notoriously used for one-shot campaigns by low-budget threat actors (mostly criminal). Often they will drop their malicious binaries into a directory where they have write access. It will look something like this: hxxp://www.pwndwebsite.ru/wp-content/uploads/2015/06/malicious.exe

Here is a simple regular expression to search your logs for any highly suspicious download that could have been triggered by a macro inside a malicious document:

/wp-(includes|admin|content)/.*\.(exe|dll|scr)

This could also be applied for Drupal, Joomla and so on, but you get the idea.

Pattern, pattern, pattern

[Image: Example of a Cerber ransomware note]

Nowadays ransomware is a rising threat — it even features in Mr. Robot season 2, but no spoilers here — and most of it demands that the victim use Tor hidden services. The notes sometimes mention various clearnet “Tor gateways” (like www.tor2web.org) so the victim can pay and decrypt the files without installing Tor.

One basic pattern here is the use of onion.to-style addresses: any access to a URL like hxxps://duskgytldkxiuqc6.onion.to/ is suspicious and should be considered harmful inside your corporate network. They can be detected with this regexp:

[a-z0-9]{16}\.(onion|tor2web|torlink)\.

These “clearnet” Tor hidden service gateways are also used as C2 by some other malware, so this rule kills two birds with one stone. Of course, with this you’ll only detect things after an infection, but hey, you still get to detect it! 👍

Phishing

Some phishing kits reuse logos hosted on the authentic website; for example, https://www.paypalobjects.com/webstatic/mktg/Logos/paypal-logo.svg is the PayPal logo and can be “stolen” with a simple <img src> tag inside an HTML page.
How to detect that? Simple! Just check for any GET requests to paypalobjects.com that carry an unusual Referer (not coming from legitimate websites). This is just an example using PayPal, but it should be tested for all the most-phished domains (Google, Yahoo, banks, etc.).
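To show how the three rules above (the wp-content binary pattern, the Tor gateway pattern and the hot-linked logo check) fit together over proxy logs, here is an added example written for this page, not code from the original post. The tab-separated log format, the field names, the sample hostnames and the list of allowed Referer domains are my assumptions; the log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log, tab separated: epoch, client, method, url, status, referer ("-" if none).
SAMPLE_LOG = """\
1468800001\t10.0.0.12\tGET\thttp://www.example-blog.invalid/wp-content/uploads/2015/06/invoice.exe\t200\t-
1468800002\t10.0.0.33\tGET\thttps://abcdefghijklmnop.onion.to/\t200\t-
1468800003\t10.0.0.40\tGET\thttps://www.paypalobjects.com/webstatic/mktg/Logos/paypal-logo.svg\t200\thttp://secure-update.invalid/login.html
1468800004\t10.0.0.41\tGET\thttps://www.paypalobjects.com/webstatic/mktg/Logos/paypal-logo.svg\t200\thttps://www.paypal.com/signin
"""
FIELDS = ("ts", "client", "method", "url", "status", "referer")

# URL rules from the post: binaries under CMS upload paths, and clearnet Tor gateway hosts.
URL_RULES = {
    "cms_binary_drop": re.compile(r"/wp-(includes|admin|content)/.*\.(exe|dll|scr)(\?|$)", re.I),
    "tor_gateway": re.compile(r"^https?://[a-z0-9]{16}\.(onion|tor2web|torlink)\.", re.I),
}
# Asset hosts that phishing kits hot-link, with the domains a legitimate Referer belongs to (assumed list).
HOTLINK_WATCH = {"www.paypalobjects.com": ("paypal.com", "paypalobjects.com")}

def parse_line(line):
    """Split one log line into a dict, or return None for a malformed line."""
    fields = line.rstrip("\n").split("\t")
    return dict(zip(FIELDS, fields)) if len(fields) == len(FIELDS) else None

def suspicious_hotlink(entry):
    """True for a GET to a watched asset host whose Referer is outside the owner's domains."""
    allowed = HOTLINK_WATCH.get((urlparse(entry["url"]).hostname or "").lower())
    if allowed is None or entry["method"] != "GET" or entry["referer"] == "-":
        return False  # not a watched host, or no Referer to judge (direct access, stripped header)
    ref = (urlparse(entry["referer"]).hostname or "").lower()
    return not any(ref == d or ref.endswith("." + d) for d in allowed)

def matched_rules(entry):
    """Names of every rule that fires on one parsed entry."""
    hits = [name for name, rx in URL_RULES.items() if rx.search(entry["url"])]
    if suspicious_hotlink(entry):
        hits.append("asset_hotlink")
    return hits

def hunt(log_text):
    """Run all rules over a log; return (rule, client, url) for each hit, in log order."""
    findings = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        findings.extend((rule, entry["client"], entry["url"]) for rule in matched_rules(entry))
    return findings
```

On the sample log this flags the .exe download, the onion.to access and the logo request with a foreign Referer, while the same logo fetched from paypal.com stays silent.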

There are so many other elegant patterns to use — from particular Word document properties to weird User-Agents — I might write about a few others in another post, but I’ll let you think of the smart ones!

Loopholes

Of course, this methodology doesn’t provide any help against so-called “APT”. It will mostly cover some of the crimeware out there. But be smart, look at all the similarities between malicious campaigns and try to forget about IOCs for a few hours — once you see past them you may discover some unknown samples and help the community.

Conclusion

These are just a few examples showing you how to turn patterns found in large malware campaigns into simple regexps or rules. You should try implementing them in Snort, Splunk, grep (!), … whatever tool you are using.
Please let me know if you have any comments or feedback. You can ping me @x0rz on Twitter to discuss it 😉
