# APT-33 Threat Hunt

<a class="anchor" id="Content"></a>

### Table of Contents

* [About APT33](#chapter1)
* [Threat Hunt Hypothesis](#chapter2)
* [Threat Hunt related TTPs Matrix](#chapter3)
* [Import required Libraries for the Hunt](#chapter4)
* [Start Session with Splunk \ other tools](#chapter5)
* [Intelligence based Hunt](#chapter6)
    * [Hash based Hunt](#section_6_1)
    * [IP Address based Hunt](#Section_6_2)
    * [Domain based Hunt](#Section_6_3)
    * [Network Artifacts based Hunt](#Section_6_4)
    * [Host Artifacts based Hunt](#Section_6_5)
* [Adversary Tool based Hunt](#chapter7)
* [Adversary TTP based Hunt](#chapter8)
* [Hunter Comments](#chapter9)
* [References](#chapter10)

### About APT33 <a class="anchor" id="chapter1"></a>

|               |    |
|:--------------|:---|
| Group         | G0082 |
| Alias         | Elfin, Holmium |
| Description   | APT33 is an Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. |
| Reference     | [APT33 in MITRE ATT&CK](https://attack.mitre.org/groups/G0064/) |
    

### Threat Hunt Hypothesis <a class="anchor" id="chapter2"></a>
APT-33 is targeting the Bullish environment and has been able to compromise some systems.



## APT-33 TTP Matrix <a class="anchor" id="chapter3"></a>
![](layer.svg)

## Import Libraries <a class="anchor" id="chapter4"></a>

<< Add other libraries if required >>

```python
from pyspark.sql import SparkSession
```

## Start Spark Session <a class="anchor" id="chapter5"></a>

<<<< Change to Splunk Configs >>>>

```python
spark = SparkSession.builder.getOrCreate()
# Keep field names case-sensitive so IOC columns (e.g. SHA256HashData) match exactly
spark.conf.set("spark.sql.caseSensitive", "true")
```

## Intelligence based Hunt - Hashes \ IP Address \ Domain \ Network & Host Artifacts <a class="anchor" id="chapter6"></a>

### APT-33 related Hash IOCs <a class="anchor" id="section_6_1"></a>
**Data Sources:** Crowdstrike Telemetry

**Detection Type:** Query on Crowdstrike logs 

**Criteria:** Check for any hits in last 3 months 


**Enter the Hash Value(s):**

Note: Enter multiple hashes in CSV format

<<<<   >>>>  Hashes entry text box

**Query:**
<<<<   >>>>  Enter the Splunk Query to search for hashes

**Query Result:**
<<<<   >>>> Show the Hits in a tabular format


**Hashes Query Outcome Observation:** 
<<<  >>> Text Box

### APT-33 related IP address IOCs <a class="anchor" id="Section_6_2"></a>
**Data Sources:** Darktrace \ Connection Telemetry

**Detection Type:** Query on connection logs 

**Criteria:** Check for any hits in last 3 months 


**Enter the IP address(es) :**

Note: Enter multiple IPs in CSV format

<<<<   >>>>  IP address entry text box

**Query:**
<<<<   >>>>  Enter the Splunk Query to search for connections toward the known IPs

**Query Result:**
<<<<   >>>> Show the Hits in a tabular format


**IP Address Query Outcome Observation:** 
<<<  >>> Text Box

### APT-33 related Domain IOCs <a class="anchor" id="Section_6_3"></a>
**Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 


**Enter the Domain(s):**

Note: Enter multiple domains in CSV format

<<<<   >>>>  Domain entry text box

**Query:**
<<<<   >>>>  Enter the Splunk Query to search for hits toward the IOC Domain(s)

**Query Result:**
<<<<   >>>> Show the Hits in a tabular format


**IOC Domain Query Outcome Observation:** 
<<<  >>> Text Box
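The three IOC sections above (hashes, IP addresses, domains) all follow the same shape: a CSV text box, a Splunk query over the last 3 months, and a hit table. The block below is an added example, not code from the original notebook, that does that end to end: it validates the text-box input, builds the SPL search, and runs the equivalent match offline over constructed sample events so the logic can be checked without a Splunk connection. The index names (`crowdstrike`, `darktrace`) and field names (`SHA256HashData`, `dest_ip`, `query`) are assumptions to be replaced with the sourcetypes in your environment.

```python
# Added example (not part of the original notebook): handle the hash, IP and domain
# text boxes the same way. Input is validated, turned into an SPL search with the
# 3-month window from the criteria, and the same match is run offline over
# constructed sample events. Index and field names below are assumptions.
import ipaddress
import re
from datetime import datetime, timedelta, timezone

HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}
DOMAIN_PATTERN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Assumed index and field names; adjust to the Splunk sourcetypes in your environment.
SPL_INDEX = {"hash": "crowdstrike", "ip": "darktrace", "domain": "darktrace"}
SPL_FIELD = {"hash": "SHA256HashData", "ip": "dest_ip", "domain": "query"}


def parse_ioc_csv(text, kind):
    """Split the text-box contents on commas, normalise case and whitespace, and
    validate each value for its kind. Returns (valid, rejected); rejected values are
    kept so the hunter can see what would otherwise be silently dropped from the query."""
    valid, rejected = [], []
    for raw in text.split(","):
        value = raw.strip().lower()
        if not value:
            continue
        if kind == "hash":
            ok = any(p.match(value) for p in HASH_PATTERNS.values())
        elif kind == "ip":
            try:
                ipaddress.ip_address(value)
                ok = True
            except ValueError:
                ok = False
        elif kind == "domain":
            ok = DOMAIN_PATTERN.match(value) is not None
        else:
            raise ValueError(f"unknown IOC kind: {kind}")
        (valid if ok else rejected).append(value)
    return sorted(set(valid)), rejected


def build_spl(iocs, kind, earliest="-90d"):
    """Build the SPL search for the validated IOC list. IN() avoids one OR clause per
    value, and the stats summarise first/last sighting per host for the result table."""
    if not iocs:
        raise ValueError("no valid IOCs to search for")
    field = SPL_FIELD[kind]
    values = ", ".join(f'"{v}"' for v in iocs)
    return (
        f"search index={SPL_INDEX[kind]} earliest={earliest} {field} IN ({values}) "
        f"| stats count min(_time) as first_seen max(_time) as last_seen by host, {field}"
    )


def match_events(events, iocs, kind, now, days=90):
    """Offline equivalent of the SPL: keep events whose IOC field is in the list and
    whose timestamp falls inside the last `days` days."""
    cutoff = now - timedelta(days=days)
    field = SPL_FIELD[kind]
    wanted = set(iocs)
    return [e for e in events if e.get(field, "").lower() in wanted and e["_time"] >= cutoff]


def run_hunt(text_box, kind, events, now):
    """Glue for one section: parse the text box, build the query, collect hits."""
    iocs, rejected = parse_ioc_csv(text_box, kind)
    return {"spl": build_spl(iocs, kind), "rejected": rejected,
            "hits": match_events(events, iocs, kind, now)}


# Constructed sample telemetry, not real data.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"_time": NOW - timedelta(days=5), "host": "ws01", "SHA256HashData": "a" * 64},
    {"_time": NOW - timedelta(days=120), "host": "ws02", "SHA256HashData": "a" * 64},  # outside 3 months
    {"_time": NOW - timedelta(days=1), "host": "ws03", "SHA256HashData": "b" * 64},
    {"_time": NOW - timedelta(days=2), "host": "ws01", "dest_ip": "198.51.100.7"},
    {"_time": NOW - timedelta(days=3), "host": "ws04", "query": "example.test"},
]

if __name__ == "__main__":
    for kind, box in (("hash", "A" * 64 + ", not-a-hash"), ("ip", "198.51.100.7, 999.1.1.1"),
                      ("domain", "Example.TEST, bad_domain")):
        out = run_hunt(box, kind, SAMPLE_EVENTS, NOW)
        print(kind, out["spl"])
        print("  rejected:", out["rejected"], "hits:", [h["host"] for h in out["hits"]])
```

The rejected list matters as much as the hits: a hash pasted with a stray character or a domain with a typo would otherwise produce zero hits and a false sense that the IOC is absent from the environment.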

### Host Artifacts based Hunt <a class="anchor" id="Section_6_5"></a>
**Objective:**

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |
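The four characteristics above only mean something together, so the check has to evaluate all of them per event. The block below is an added example, not the notebook's own code: it scores Windows 4663 events against each characteristic and keeps only those where all four hold. The browser store paths, the default browser binary locations and the sample events are assumptions constructed for the example; `%%4416` is the ReadData access right as it appears in a 4663 AccessList.

```python
# Added example (not the notebook's own code): evaluate Windows 4663 events against
# the four characteristics in the table above. Browser paths and process locations
# are assumptions for a default Windows estate; the sample events are constructed.
import re

# Characteristic 2: typical browser credential-store paths (not exhaustive).
PASSWORD_DB_PATTERNS = [
    re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$"),
    re.compile(r"\\microsoft\\edge\\user data\\[^\\]+\\login data$"),
    re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db)$"),
]
# Characteristic 3: default browser binaries; any other process touching the store is of interest.
BROWSER_PROCESSES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
}
# Characteristic 4: %%4416 is the ReadData access right as shown in the 4663 AccessList.
READ_DATA = "%%4416"


def evaluate_4663(event):
    """Return one boolean per characteristic plus an overall verdict that needs all four."""
    access = event.get("AccessList", "")
    if isinstance(access, (list, tuple)):   # some pipelines split the multi-line field
        access = " ".join(access)
    obj = event.get("ObjectName", "").lower()
    proc = event.get("ProcessName", "").lower()
    result = {
        "c1_event_4663": event.get("EventID") == 4663,
        "c2_password_db": any(p.search(obj) for p in PASSWORD_DB_PATTERNS),
        "c3_non_browser_process": proc not in BROWSER_PROCESSES,
        "c4_read_access": READ_DATA in access,
    }
    result["suspicious"] = all(result.values())
    return result


def hunt_4663(events):
    """Filter a batch of events down to those matching all four characteristics."""
    return [e for e in events if evaluate_4663(e)["suspicious"]]


# Constructed sample events (field names follow the 4663 event schema).
SAMPLE_4663 = [
    {"EventID": 4663, "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "AccessList": "%%4416"},   # the browser reading its own store: expected
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "AccessList": "%%4416"},   # unrelated program reading it: all four hold
    {"EventID": 4663, "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt",
     "AccessList": "%%4416"},   # not a password database
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\key4.db",
     "AccessList": "%%4417"},   # WriteData only, characteristic 4 fails
    {"EventID": 4656, "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "AccessList": "%%4416"},   # handle request, not the 4663 access event
]

if __name__ == "__main__":
    for hit in hunt_4663(SAMPLE_4663):
        print("suspicious:", hit["ProcessName"], "->", hit["ObjectName"])
```

`BROWSER_PROCESSES` is the list the table's third row asks you to build: every default browser directory in the estate. Browsers installed per-user (under `%LOCALAPPDATA%`) need their paths added, or legitimate browser reads will surface as hits.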


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**




### Network Artifacts based Hunt <a class="anchor" id="Section_6_4"></a>
**Objective:**

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**




## Adversary Tools based Hunt <a class="anchor" id="chapter7"></a>
**Objective:**

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**




## APT-33 TTPs based Hunt <a class="anchor" id="chapter8"></a>

### 1. Drive-by Compromise
**Objective:**


**Tactic:** Initial Access (TA0001)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**






### 2. Spearphishing Attachment (T1566.001)
**Objective**
To identify successful or failed attempts of spearphishing with an attachment

**Tactic:** Initial Access (TA0001)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | Emails with malicious attachments | | Check for blocked emails with attachments in Proofpoint |
| 2 | Antivirus alerts of malicious files | | |
| 3 | User reported emails | | Emails categorized as phishing by the SOC after user reporting |
| 4 | Stats for targeted users & attacker patterns & procedures | | Identify the top targeted users |


**Log Requirements \ Data Sources:** Proofpoint, AV logs, User reported emails 

**Detection Type:** Query on Splunk logs 

**Known Procedure:**

**Criteria:** Check for any hits in last 3 months 

**References**

1. [Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
2. [APT38 spearphishing campaigns](https://www.cisa.gov/uscert/ncas/alerts/aa20-239a)



**Analytics:**
1. Check for files related to APT38 Phishing campaigns
2. Review Logon attempts after receipt of malicious emails
3. 
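The analytics above (known campaign files, logon attempts after receipt of a malicious email) and characteristic 4 (top targeted users) can be expressed as three small functions over the mail and logon telemetry. The block below is an added example, not the notebook's own code, run over constructed Proofpoint-style mail events and logon events. The field names, the verdict labels (`blocked`, `av_alert`, `user_reported`), the known-attachment list and the 4-hour correlation window are all assumptions for the example.

```python
# Added example (not the notebook's own code): the spearphishing analytics run over
# constructed mail and logon events. Field names, verdict labels, the known-attachment
# list and the 4-hour window are assumptions chosen for the example.
from collections import Counter
from datetime import datetime, timedelta

# Verdicts that mark an email as a malicious-attachment attempt (characteristics 1 to 3).
MALICIOUS_VERDICTS = {"blocked", "av_alert", "user_reported"}

# Constructed sample telemetry, not real data.
EMAIL_EVENTS = [
    {"time": datetime(2024, 2, 1, 9, 0), "recipient": "alice@corp.test",
     "verdict": "blocked", "attachment": "invoice.xlsm"},
    {"time": datetime(2024, 2, 1, 9, 5), "recipient": "bob@corp.test",
     "verdict": "delivered", "attachment": "report.pdf"},
    {"time": datetime(2024, 2, 2, 14, 0), "recipient": "alice@corp.test",
     "verdict": "user_reported", "attachment": "resume.docm"},
    {"time": datetime(2024, 2, 3, 8, 30), "recipient": "carol@corp.test",
     "verdict": "av_alert", "attachment": "job.doc"},
]
LOGON_EVENTS = [
    {"time": datetime(2024, 2, 1, 9, 40), "user": "alice", "outcome": "failure", "src_ip": "203.0.113.9"},
    {"time": datetime(2024, 2, 1, 9, 42), "user": "alice", "outcome": "success", "src_ip": "203.0.113.9"},
    {"time": datetime(2024, 2, 3, 20, 0), "user": "carol", "outcome": "success", "src_ip": "10.0.0.5"},
    {"time": datetime(2024, 2, 2, 15, 0), "user": "dave", "outcome": "failure", "src_ip": "10.0.0.6"},
]


def malicious_emails(emails):
    """Characteristics 1-3: blocked, AV-flagged or user-reported attachment emails."""
    return [e for e in emails if e["verdict"] in MALICIOUS_VERDICTS]


def attachment_matches(emails, known_names):
    """Analytic 1: any email (delivered or not) carrying an attachment name from the
    campaign list. Delivered matches are the ones that need follow-up on the host."""
    wanted = {n.lower() for n in known_names}
    return [e for e in emails if e["attachment"].lower() in wanted]


def top_targeted(emails, n=5):
    """Characteristic 4: recipients with the most malicious-attachment emails."""
    return Counter(e["recipient"] for e in malicious_emails(emails)).most_common(n)


def logons_after_email(emails, logons, window_hours=4):
    """Analytic 2: logon events for the recipient inside the window after each malicious
    email. A failure followed by a success from the same source is flagged separately,
    since that is the pattern worth a closer look when credentials may have been harvested."""
    findings = []
    for email in malicious_emails(emails):
        user = email["recipient"].split("@")[0]          # assumes mailbox == account name
        start, end = email["time"], email["time"] + timedelta(hours=window_hours)
        related = sorted((l for l in logons if l["user"] == user and start <= l["time"] <= end),
                         key=lambda l: l["time"])
        if not related:
            continue
        failed_sources = {l["src_ip"] for l in related if l["outcome"] == "failure"}
        success_after_failure = any(l["outcome"] == "success" and l["src_ip"] in failed_sources
                                    for l in related)
        findings.append({"email": email, "logons": related,
                         "success_after_failure": success_after_failure})
    return findings


if __name__ == "__main__":
    print("top targeted:", top_targeted(EMAIL_EVENTS))
    print("campaign attachments:", [e["recipient"] for e in attachment_matches(EMAIL_EVENTS, {"resume.docm"})])
    for f in logons_after_email(EMAIL_EVENTS, LOGON_EVENTS):
        print(f["email"]["recipient"], len(f["logons"]), "logons; failure then success:",
              f["success_after_failure"])
```

The mailbox-to-account mapping is the weak point of analytic 2 in practice: where the two differ, join through the directory rather than splitting the address.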



### 3. Native API (T1106)
**Objective:**

**Tactic:** Execution (TA0002)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**






### 4. PowerShell (T1059.001) (Command and Scripting Interpreter)
**Objective:**

**Tactic:** Execution (TA0002)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**






### 5. Visual Basic (T1059.005) (Command and Scripting Interpreter)
**Objective:**

**Tactic:** Execution (TA0002)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**






### 6. Windows Command Shell (T1059.003) (Command and Scripting Interpreter)
**Objective:**

**Tactic:** Execution (TA0002)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**






### 7. Cron (T1053.003) (Scheduled Task/Job - T1053)
**Objective:**

**Tactic:** Execution (TA0002)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**






### 8. Scheduled Task (T1053.005) (Scheduled Task/Job - T1053)
**Objective:**

**Tactic:** Execution (TA0002)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**






### 9. Service Execution (T1569.002) (System Services - T1569)
**Objective:**

**Tactic:** Execution (TA0002)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**






### 10. Malicious File (T1204.002) (User Execution - T1204)
**Objective:**

**Tactic:** Execution (TA0002)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**






### 11. Windows Service (T1543.003) (Create or Modify System Process - T1543)
**Objective:**

**Tactic:** Privilege Escalation (TA0004)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**






### 12. Modify Registry (T1112)
**Objective:**

**Tactic:** Defense Evasion (TA0005)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**






### 13. Disable or Modify System Firewall (T1562.004) (Impair Defenses - T1562)
**Objective:**

**Tactic:** Defense Evasion (TA0005)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**






### 14. Impair Command History Logging (T1562.003) (Impair Defenses - T1562)
**Objective:**

**Tactic:** Defense Evasion (TA0005)

### Characteristics
| No | Characteristic | Note | Why |
|----|----------------|------|-----|
| 1 | A 4663 EventID is logged | | This event on its own is too vague; you need other characteristics to support the investigation |
| 2 | The file accessed is a browser's password database | | |
| 3 | The program that accessed the browser is not related to any browser | | Note every browser's default directory, and see if it's related |
| 4 | AccessList is 4416 | | This access code means that the program is simply reading the data, not writing it |


**Log Requirements \ Data Sources:** Darktrace & Network connection related Telemetry

**Detection Type:** Query on Splunk logs 

**Criteria:** Check for any hits in last 3 months 

**References**




### Detection Type:Telemetry(None)

### Detection Type:None(None)

### Detection Type:Telemetry(Correlated)

### Detection Type:technique(alert)

### Detection Type:General(Correlated)

### Detection Type:technique(Alert)