For far too long Security Operation Centers have struggled to find that perfect balance of efficacy in alerting while trying to maintain an acceptable threshold of alerts firing into their SEIM. Today, we’re going to be looking into a research article for a FIN6 attack published by FireEye.

Attack Lifecycle

Background:

FIN6 is a financially motivated cybercriminal group with stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. In this particular scenario, FIN6 decided to broaden its scope of attack by also targeting the engineering industry. However, the particular attribution of TTPs historically seen by the actor group was also witnessed for this attack.

In this blog, we’ll go through the different types of attacks performed by this actor group and show you how we can sequence the layer 1 detections into a high-fidelity Threat Scenario with the out-of-the-box detection capabilities delivered within the Anvilogic platform. For this attack, we will mainly focus on two aspects of the attack lifecycle: Initial compromise and Internal recon & collection.

Initial Compromise:

The attack began with a compromise of an internet-facing system. The attackers leveraged stolen credentials to move laterally within the environment using Windows RDP. To establish a foothold and download their attacker tools, the attackers leveraged two techniques:

• Base64 encoded PowerShell commands
• Windows services created with looking like sc.exe

Detection with the Anvilogic platform:

‍Threat Identifiers (or layer 1 signals) exist within the platform to pick up on both techniques:

‍

‍

‍

Internal Reconnaissance and Collection:

The attackers then began to conduct internal recon inside the environment by leveraging an Active Directory query tool called adfind. The outputted data was compressed as a means of collection for exfiltration later via 7-zip.

‍

‍

Implement Layer 1 Threat Identifiers with the Anvilogic Detection PlatformsOnce again, both the usage of adfind and execution of 1-2 character executables such as 7.exe can be picked up with the existing use cases on the platform:

‍

Putting it all together:

Once we implement the underlying Layer 1 signals or Threat Identifiers, we can start stringing together more complex and higher efficacy alerts from the output of these signals to catch adversarial behavior.

Using the Anvilogic Platform’s Threat Scenario Builder, in under two minutes, you can piece together the complex attack path conducted by FIN6, sequence the attacks based on gathered intel, and span out the sequence in a realistic manner to eliminate any unwanted noise. The Scenario Builder makes it possible to yield an alert with a much higher true positive rate than the sum of its parts.

‍