LONG THREAD.
Here are some detections / preventions in response to the DarkSide findings.
INITIAL COMPROMISE
Password attacks on the perimeter. 2FA everything. Set lockout thresholds on logins. Ingest logs into your SIEM and monitor for brute force attempts and impossible travel.
1/14
Also, as mentioned, the attackers potentially accessed the VPN to disable MFA. Onboard your network devices to your SIEM and monitor change events.
Malicious emails. Read this tweet - .
2/14
ESTABLISH FOOTHOLD.
BEACON - Hunting Tips, detections and IOCs - github.com/MichaelKoczwar…
MAINTAIN PERSISTENCE
TeamViewer / AnyDesk. Create a SIEM rule and/or run a threat hunt for the ports in the thread below. Try to pick one remote access tool for your organisation and block the rest.
3/14
Then alert on blocked installs / connections to any other remote access tools.
Legitimate credentials - Difficult to detect. Try to prevent -
Sign up for Domain Monitoring on haveibeenpwned.com/DomainSearch. Ensure users use a unique, long password for each system. MFA as above.
4/14
ESCALATE PRIVILEGES.
Mimikatz -
Mimikatz SIGMA rules
github.com/SigmaHQ/sigma/…
github.com/SigmaHQ/sigma/…
Mimikatz Further Reading -
medium.com/@levurge/detec…
neil-fox.github.io/Mimikatz-usage…
LSASS Memory Dumps
Detections and reading - redcanary.com/threat-detecti…
5/14
Sigma Rule - github.com/SigmaHQ/sigma/…
MOVE LATERALLY.
RDP
Follow the mitigations at attack.mitre.org/techniques/T10…
Look in logs for -
A user making multiple RDP connections to different destinations in a short period of time.
A user accessing devices via RDP that they don't usually access.
6/14
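As an added example (not from the thread), a small Python script that implements the two RDP log checks above over a constructed set of logon records; the record layout, the 10-minute window, the 3-host threshold and the baseline date are all assumptions you would tune to your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RDP logons (e.g. Windows 4624, LogonType 10) as a SIEM
# might export them: (timestamp, user, destination_host). Hypothetical data.
SAMPLE_RDP_LOGONS = [
    ("2021-05-10 09:00:00", "alice", "FS01"),
    ("2021-05-10 09:05:00", "alice", "FS01"),
    ("2021-05-11 09:02:00", "alice", "FS01"),
    ("2021-05-12 22:10:00", "alice", "DC01"),      # burst of new hosts
    ("2021-05-12 22:11:00", "alice", "SQL01"),
    ("2021-05-12 22:12:00", "alice", "WS-HR-07"),
    ("2021-05-12 22:13:00", "alice", "WS-FIN-02"),
    ("2021-05-10 10:00:00", "bob", "DC01"),        # bob's normal pattern
    ("2021-05-11 10:00:00", "bob", "DC01"),
    ("2021-05-12 10:00:00", "bob", "DC01"),
]

def parse(rows):
    """Turn the raw (timestamp, user, host) strings into datetime tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, h) for ts, u, h in rows]

def fan_out_alerts(rows, window=timedelta(minutes=10), threshold=3):
    """Rule 1: a user reaching >= threshold distinct hosts inside one window."""
    alerts = set()
    by_user = defaultdict(list)
    for ts, user, host in sorted(parse(rows)):
        by_user[user].append((ts, host))
    for user, events in by_user.items():
        for i, (start, _) in enumerate(events):
            # Distinct destinations reached within `window` of this event
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts.add(user)
    return alerts

def new_destination_alerts(rows, baseline_end):
    """Rule 2: RDP to a host the user never reached during the baseline period.

    Everything before `baseline_end` (YYYY-MM-DD) is treated as known-good
    behaviour; later logons to an unseen host are returned as (user, host)."""
    cutoff = datetime.strptime(baseline_end, "%Y-%m-%d")
    seen = defaultdict(set)
    events = parse(rows)
    for ts, user, host in events:
        if ts < cutoff:
            seen[user].add(host)
    return sorted({(u, h) for ts, u, h in events if ts >= cutoff and h not in seen[u]})
```

Run against the sample, the first rule flags alice's four-host burst and the second lists each host she had never used before, while bob's routine DC01 logons stay quiet.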
For RDP, plink etc. it is also worth using this Sigma rule to look for netsh being used for port forwarding - github.com/SigmaHQ/sigma/…
INTERNAL RECON.
PowerView / BloodHound. These tools perform various kinds of recon on a Windows environment.
7/14
Find the weaknesses in your environment before the bad guys do, follow this post - blueteamblog.com/active-directo…
Built in Windows Utilities.
This is an old link but still rings true: blogs.jpcert.or.jp/en/2016/01/win…. Look for an account running many of these commands in a short period.
8/14
This may need to be run as a threat hunt, or as a rule improved over time by adding known expected users.
Also this rule github.com/SigmaHQ/sigma/…
Advanced IP Scanner.
It doesn’t matter what scanner an attacker uses, SIEM rules should monitor suspicious network behaviour.
9/14
I wrote (badly, I need to update it) about some basic use cases to do this a year ago - blueteamblog.com/8-ways-to-dete…
Make sure you can detect internal port scans of different types, and spikes in traffic from a host OR port (anomaly detection) based on either connection count or byte volume.
10/14
If you have an IDPS, it should do this for you out of the box.
COMPLETE MISSION.
PSExec.
How to detect PSExec - praetorian.com/blog/threat-hu…
How to detect it and its clones - redcanary.com/blog/threat-hu…
11/14
OTHER THOUGHTS.
Patch. I know this can be easier said than done at times, but it can be the difference between being breached and not.
Test your defences - Once you have defences in place, test them. Are things really being blocked? Do alerts really trigger in your SIEM?
12/14
Test your responses. If shit does hit the fan - do you have an IR team? Do you have one on retainer? Have you played out scenarios and gone through the how, who and why of responding to a real event?
13/14
I’m sorry this was so long and unstructured, but I hope it helps someone. 😀
14/14
Turned this into a blog post -
Reminder that I turned this into a blog post that is much easier to read - blueteamblog.com/darkside-ranso…