# Host Information

| Hostname | Type | Intranet | DMZ | DMZ2 |
| --- | --- | --- | --- | --- |
| RD-1 | Client | 192.168.1.102 | | |
| FS | Server | 192.168.1.21 | | |
| Console | Offline | | | |
| IT-1 | Client | 192.168.1.101 | | |
| HR-1 | Client | 192.168.1.103 | | |
| AD | Server | 192.168.1.10 | | |
| Exchange-server | Server | | 192.168.0.25 | 10.88.0.25 |
| Portal | Server | | 192.168.0.80 | 10.88.0.80 |
| WebShop | Server | 10.101.0.22 | | |
| Ubuntu | Server | 10.101.0.100 | | |
| Drive | Server | 10.101.0.131 | | |
| DNS | Server | 10.101.0.2 | | |
| Attacker | Attacker | 10.101.0.0/24 | | |

# Mapping

| MITRE ATT&CK technique | Name | Tactic | Group | Search keyword |
| --- | --- | --- | --- | --- |
| https://attack.mitre.org/techniques/T1003/001 | LSASS Memory | Credential Access | test | |
| https://attack.mitre.org/techniques/T1003/008 | /etc/passwd and /etc/shadow | Credential Access | | |
| https://attack.mitre.org/techniques/T1110 | Brute Force | Credential Access | | |
| https://attack.mitre.org/techniques/T1552/001 | Credentials In Files | Credential Access | | |
| https://attack.mitre.org/techniques/T1005 | Data from Local System | Collection | | |
| https://attack.mitre.org/techniques/T1039 | Data from Network Shared Drive | Collection | | |
| https://attack.mitre.org/techniques/T1114/002 | Remote Email Collection | Collection | | |
| https://attack.mitre.org/techniques/T1560/001 | Archive via Utility | Collection | | |
| https://attack.mitre.org/techniques/T1046 | Network Service Scanning | Discovery | | |
| https://attack.mitre.org/techniques/T1068 | Exploitation for Privilege Escalation | Privilege Escalation | | |
| https://attack.mitre.org/techniques/T1078 | Valid Accounts | Privilege Escalation | | |
| https://attack.mitre.org/techniques/T1070/001 | Clear Windows Event Logs | Defense Evasion | | |
| https://attack.mitre.org/techniques/T1078 | Valid Accounts | Defense Evasion | | |
| https://attack.mitre.org/techniques/T1550/002 | Pass the Hash | Defense Evasion | | |
| https://attack.mitre.org/techniques/T1078 | Valid Accounts | Initial Access | | |
| https://attack.mitre.org/techniques/T1190 | Exploit Public-Facing Application | Initial Access | | |
| https://attack.mitre.org/techniques/T1078 | Valid Accounts | Persistence | | |
| https://attack.mitre.org/techniques/T1505/003 | Web Shell | Persistence | | |
| https://attack.mitre.org/techniques/T1092 | Communication Through Removable Media | Command and Control | | |
| https://attack.mitre.org/techniques/T1203 | Exploitation for Client Execution | Execution | | |
| https://attack.mitre.org/techniques/T1204/002 | Malicious File | Execution | | |
| https://attack.mitre.org/techniques/T1210 | Exploitation of Remote Services | Lateral Movement | | |
| https://attack.mitre.org/techniques/T1550/002 | Pass the Hash | Lateral Movement | | |
| https://attack.mitre.org/techniques/T1595/002 | Vulnerability Scanning | Reconnaissance | | |

---

# IOC

### Splunk

Process-creation search for the two execution patterns in the mapping above: Word or WordPad driving `msdt.exe` through the `ms-msdt:` troubleshooter URI (T1203), and `cmd.exe` handing off to PowerShell or a disguised `.docx.exe` payload (T1204/002).

```
(
  (
    (Image="*winword.exe" OR Image="*wordpad.exe")
    AND CommandLine="*msdt.exe*"
    AND CommandLine="*PCWDiagnostic*"
    AND (CommandLine="*IT_BrowseForFile*" OR CommandLine="*IT_LaunchMethod*")
  )
  OR
  (
    Image="C:\\Windows\\System32\\cmd.exe"
    AND (
      CommandLine="*/k powershell*"
      OR CommandLine="*docx.exe*"
      OR CommandLine="*-NoProfile -command*"
      OR CommandLine="*Start-Process*"
    )
  )
)
AND source="WinEventLog:*"
```

Two caveats before deploying it. The Office images must be ANDed with the `msdt.exe` conditions; `Image="*winword.exe"` standing alone in an OR branch fires on every Word launch. The parameter names are `PCWDiagnostic`, `IT_BrowseForFile` and `IT_LaunchMethod` exactly as they appear in the `ms-msdt:` URI; a misspelled wildcard silently matches nothing. Also check the field mapping of your source: in Sysmon Event ID 1 data the chain shows `msdt.exe` as `Image` and `WINWORD.EXE` as `ParentImage`, so the first clause may need `ParentImage` rather than `Image` for the Office process.

### Malicious domain names

- robot-876.frge[.]io
- setnewcred.ukr.net.frge[.]io
- panelunregistertle-348[.]frge.io
- settings-panel.frge[.]io
- ukrprivacysite.frge[.]io
- config-panel.frge[.]io (medium confidence)
- smtp-relay.frge[.]io (medium confidence)
- kitten-268.frge[.]io/article.html
- www.specialityllc[.]com

### Compromised Ubiquiti routers

- 68.76.150[.]97
- 174.53.242[.]108
- 24.11.70[.]85
- 202.175.177[.]238
- 85.240.182[.]23

### SSH rootkit IOCs

- 69.28.64[.]137 - attacker's IP
- packinstall.kozow[.]com - installation script staging server

---

# REF URL

- SOC Prime for APT28: https://socprime.com/rs/search-result?search=APT28&platforms=Splunk
- NCSC MAR: Jaguar Tooth: https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/jaguar-tooth/NCSC-MAR-Jaguar-Tooth.pdf
- APT28 YARA rule: https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt28.yar
- APT Group spreadsheet: https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=1636225066
- MITRE for APT28: http://attack.mitre.org/groups/G0007/
- MITRE for APT28 mapping (ATT&CK Navigator layer): https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fversions%2Fv13%2Fgroups%2FG0007%2FG0007-enterprise-layer.json
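The Splunk search in the IOC section, ported to plain Python so it can be exercised offline. This is an added example, not code from the page or from the referenced SOC Prime content. It assumes Sysmon Event ID 1 field semantics (the Office process appears as `ParentImage` and `msdt.exe` as `Image`); the `ProcEvent` records, `SAMPLE_EVENTS` and the `classify`/`detect` helpers are constructed for the example, and the sample events are not real telemetry.

```python
"""Port of the page's Splunk process-creation search to Python, run over
constructed Sysmon-style events (added example; not the page's own code)."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    source: str        # Splunk 'source' field for the event
    image: str         # full path of the created process
    parent_image: str  # full path of the creating process (Sysmon ParentImage)
    command_line: str


def like(value: str, pattern: str) -> bool:
    """Case-insensitive '*' wildcard match, like Splunk's field=value."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def any_like(value: str, patterns) -> bool:
    return any(like(value, p) for p in patterns)


OFFICE_IMAGES = ("*\\winword.exe", "*\\wordpad.exe")
MSDT_FLAGS = ("*IT_BrowseForFile*", "*IT_LaunchMethod*")
CMD_SUSPICIOUS = ("*/k powershell*", "*docx.exe*",
                  "*-NoProfile -command*", "*Start-Process*")


def is_follina_msdt(ev: ProcEvent) -> bool:
    """msdt.exe spawned by Word/WordPad with the PCWDiagnostic troubleshooter
    and a file/launch parameter: the ms-msdt: URI abuse (assumption: Sysmon
    field layout, so the Office process is the parent, not the image)."""
    return (like(ev.image, "*\\msdt.exe")
            and any_like(ev.parent_image, OFFICE_IMAGES)
            and like(ev.command_line, "*PCWDiagnostic*")
            and any_like(ev.command_line, MSDT_FLAGS))


def is_suspicious_cmd(ev: ProcEvent) -> bool:
    """cmd.exe handing off to PowerShell or running a disguised .docx.exe."""
    return (like(ev.image, "C:\\Windows\\System32\\cmd.exe")
            and any_like(ev.command_line, CMD_SUSPICIOUS))


def classify(ev: ProcEvent) -> Optional[str]:
    """Mirror the search: source filter first, then the two OR branches."""
    if not like(ev.source, "WinEventLog:*"):
        return None
    if is_follina_msdt(ev):
        return "follina-msdt"
    if is_suspicious_cmd(ev):
        return "cmd-powershell"
    return None


SYSMON = "WinEventLog:Microsoft-Windows-Sysmon/Operational"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[ProcEvent] = [
    # 0: the Follina chain as Sysmon records it -> should match
    ProcEvent(SYSMON, r"C:\Windows\System32\msdt.exe", WORD,
              r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
              r'/param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu '
              r'IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression(...))))"'),
    # 1: a user opening a troubleshooter from Explorer -> benign
    ProcEvent(SYSMON, r"C:\Windows\System32\msdt.exe", r"C:\Windows\explorer.exe",
              "msdt.exe -id NetworkDiagnosticsWeb"),
    # 2: cmd.exe launching PowerShell with the stager's flags -> should match
    ProcEvent(SYSMON, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msdt.exe",
              'cmd.exe /k powershell -NoProfile -command "Start-Process calc.exe"'),
    # 3: ordinary shell use -> benign
    ProcEvent(SYSMON, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r"cmd.exe /c dir C:\Users"),
    # 4: same command line as 2 but not a WinEventLog source -> filtered out
    ProcEvent("syslog", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msdt.exe",
              'cmd.exe /k powershell -NoProfile -command "Start-Process calc.exe"'),
]


def detect(events: List[ProcEvent] = SAMPLE_EVENTS) -> List[Tuple[int, str]]:
    """Return (event index, rule label) for every event the search would hit."""
    hits = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    for idx, label in detect():
        print(f"event {idx}: {label}")
```

Event 4 is the reason the `source` filter sits outside the OR: without it, the same command line from a non-Windows source would be scored as a hit.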
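The domain and IP indicators in the IOC section are defanged for safe publication; to hunt with them they have to be refanged and compared against resolver or proxy logs, including subdomains of the listed hosts. The block below is an added example, not the page's own tooling: `refang`, `match_line` and `scan` are constructed helpers, the categories come from the page's section headings, and `SAMPLE_LINES` are constructed log lines in a made-up key=value format, not real telemetry.

```python
"""Refang the page's IOC lists and match them against constructed DNS/proxy
log lines (added example; helper names and log format are assumptions)."""
import re
from typing import Dict, List, Tuple

# Defanged indicators exactly as listed on the page, with the page's category.
DEFANGED: Dict[str, str] = {
    "robot-876.frge[.]io": "malicious domain",
    "setnewcred.ukr.net.frge[.]io": "malicious domain",
    "panelunregistertle-348[.]frge.io": "malicious domain",
    "settings-panel.frge[.]io": "malicious domain",
    "ukrprivacysite.frge[.]io": "malicious domain",
    "config-panel.frge[.]io": "malicious domain (medium confidence)",
    "smtp-relay.frge[.]io": "malicious domain (medium confidence)",
    "kitten-268.frge[.]io/article.html": "malicious domain",
    "www.specialityllc[.]com": "malicious domain",
    "68.76.150[.]97": "compromised Ubiquiti router",
    "174.53.242[.]108": "compromised Ubiquiti router",
    "24.11.70[.]85": "compromised Ubiquiti router",
    "202.175.177[.]238": "compromised Ubiquiti router",
    "85.240.182[.]23": "compromised Ubiquiti router",
    "69.28.64[.]137": "SSH rootkit attacker IP",
    "packinstall.kozow[.]com": "SSH rootkit staging server",
}


def refang(ioc: str) -> str:
    """Undo common defanging ([.] and hxxp) and reduce a URL to its host."""
    s = ioc.strip().replace("[.]", ".").replace("hxxp", "http")
    s = re.sub(r"^[a-z]+://", "", s, flags=re.I)   # drop scheme if present
    return s.split("/")[0].lower()                  # keep host only


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Split refanged indicators into an IP set and a domain map.
IOC_IPS: Dict[str, str] = {}
IOC_DOMAINS: Dict[str, str] = {}
for _raw, _cat in DEFANGED.items():
    _host = refang(_raw)
    (IOC_IPS if IPV4_RE.fullmatch(_host) else IOC_DOMAINS)[_host] = _cat


def match_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator, category) for every IOC seen in one log line.
    Domains match exactly or as a subdomain of a listed host."""
    hits, seen = [], set()
    for host in DOMAIN_RE.findall(line):
        h = host.lower()
        for ioc, cat in IOC_DOMAINS.items():
            if (h == ioc or h.endswith("." + ioc)) and ioc not in seen:
                seen.add(ioc)
                hits.append((ioc, cat))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS and ip not in seen:
            seen.add(ip)
            hits.append((ip, IOC_IPS[ip]))
    return hits


# Constructed sample lines in an assumed key=value format (not real data).
SAMPLE_LINES = [
    "2023-04-11T09:14:03Z host=RD-1 src=192.168.1.102 dns query=setnewcred.ukr.net.frge.io qtype=A",
    "2023-04-11T09:14:04Z host=RD-1 src=192.168.1.102 dns query=www.microsoft.com qtype=A",
    "2023-04-11T09:15:10Z host=HR-1 src=192.168.1.103 proxy dst=174.53.242.108:443 url=https://174.53.242.108/",
    "2023-04-11T09:16:00Z host=Ubuntu src=10.101.0.100 dns query=packinstall.kozow.com qtype=A",
    "2023-04-11T09:16:30Z host=IT-1 src=192.168.1.101 dns query=mail.config-panel.frge.io qtype=A",
    "2023-04-11T09:17:02Z host=HR-1 src=192.168.1.103 smtp dst=10.88.0.25:25",
]


def scan(lines: List[str] = SAMPLE_LINES) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, indicator, category) for every hit."""
    return [(n, ioc, cat)
            for n, line in enumerate(lines, 1)
            for ioc, cat in match_line(line)]


if __name__ == "__main__":
    for n, ioc, cat in scan():
        print(f"line {n}: {ioc} [{cat}]")
```

Line 5 shows why the suffix check matters: `mail.config-panel.frge.io` is not on the list verbatim, but anything under a listed host belongs to the same operator. The apex `frge.io` itself is deliberately not an indicator, so ordinary traffic to other subdomains of that hosting service stays quiet.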