Merge pull request elastic#329 from elastic/asjad-security-IOCs
IOCs added for ACSC2020-008 security advisory with associated caveats published in blogpost.
nich07as authored Jun 23, 2020
2 parents c21fd24 + 428c5c7 commit a411d4a
Showing 3 changed files with 28 additions and 0 deletions.
18 changes: 18 additions & 0 deletions Security Analytics/ACSC2020-008_IOCs/README.md
@@ -0,0 +1,18 @@
## ACSC 2020-008 Advisory IOCs for Elastic SIEM

The Australian Cyber Security Centre (ACSC) recently [published an advisory](https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks) outlining tactics, techniques and procedures used against multiple Australian businesses in a recent campaign by a state based actor.

SIEM rules were created using the [list of IOCs](https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises-Indicators-of-Compromise.csv) published by the ACSC to detect and alert on a potential attack.

IOCs often change rapidly during campaigns and should not solely be relied upon for detections. However, it can be useful to maintain a list of IOCs in case other lines of defence are bypassed by the adversary.

![SIEM Rules](images/siem-rules.png)

* Download the [`acsc-2020-008-IOCs.ndjson`](acsc-2020-008-IOCs.ndjson) file containing the SIEM detection rules from Elastic’s GitHub repository. All rules are tagged with `IOC` and `2020-008` for convenient filtering and management in the SIEM UI
* Import the rules into SIEM
* Review the field names used within the rules. The rules currently reference default ECS fields, but your field names may vary internally
* Activate rules as required

Note that the SIEM rules currently run every 60 minutes, looking back at events from the last 60 minutes. The rules currently do not run actions for every execution. If you need to act on detections, it would be a good idea to set the frequency to `Hourly` rather than on each rule execution, to reduce the amount of noise created.

[Here is a full blog post](https/elastic.co/blog) on the campaign and Elastic Security.
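Review bot: the blog link on the last line of this hunk, `[Here is a full blog post](https/elastic.co/blog)`, is missing the `://` after the scheme, so Markdown will render it as a relative path inside the repository rather than an external link; replace it with the full `https://www.elastic.co/...` URL of the post. Two smaller points: the note that the rules look "back at events from the last 60 minutes" understates the configured window, since the exported rules use `"from":"now-3660s"` (61 minutes, with `"meta":{"from":"1m"}`) to overlap consecutive runs, and the step "Review the field names used within the rules" would be easier to act on if it listed the ECS fields each rule depends on (`source.domain`/`destination.domain`, `url.full`/`url.original`, `user.email`, `user_agent.original`, `file.path`, `file.directory`, `source.ip`/`destination.ip`, `file.name`, `process.hash.md5`/`process.hash.sha256`) so users know which mappings to check before activating.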
10 changes: 10 additions & 0 deletions Security Analytics/ACSC2020-008_IOCs/acsc-2020-008-IOCs.ndjson
@@ -0,0 +1,10 @@
{"actions":[],"created_at":"2020-06-22T01:22:53.524Z","updated_at":"2020-06-22T01:26:19.829Z","created_by":"elastic","description":"Domain IOCs from ACSC Advisory 2020-008, applied on source.domain and destination.domain","enabled":false,"false_positives":[],"filters":[],"from":"now-3660s","id":"c954ed42-fa39-442c-ba00-50969a2cc816","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*","endgame*"],"interval":"60m","rule_id":"8c76c6ca-cd5b-43b1-9f76-40abb107d465","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":30,"name":"[IOC] - 2020-008 Domains","query":"destination.domain: \"mailguardonline.net\" or destination.domain: \"cybersecuritiesinc.net\" or source.domain: \"mailguardonline.net\" or source.domain: cybersecuritiesinc.net","references":["https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks"],"meta":{"from":"1m"},"severity":"low","updated_by":"elastic","tags":["IOC","2020-008"],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":3}
{"actions":[],"created_at":"2020-06-22T01:25:40.348Z","updated_at":"2020-06-22T01:31:33.101Z","created_by":"elastic","description":"URL IOCs from ACSC Advisory 2020-008, applied on url.full and url.original","enabled":false,"false_positives":[],"filters":[],"from":"now-3660s","id":"c30788a0-5aa6-4bce-b2f6-f2d28e40c354","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*","endgame*"],"interval":"60m","rule_id":"63397814-a850-40c0-b2e0-9e27fdef9f98","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"name":"[IOC] - 2020-008 URLs","query":"url.full: \"https://api.onedrive.com/v1.0/shares/s!Ajp1Jcp4TBtmgRyuTf0Ow-_r40_x/driveitem/content\" or url.original: \"https://api.onedrive.com/v1.0/shares/s!Ajp1Jcp4TBtmgRyuTf0Ow-_r40_x/driveitem/content\" or url.full: \"https://www.dropbox.com/s/qf15ewsstzk4qoz/Thesis%20Information%20to%20be%20referenced%20from.ppt?dl=0\" or url.original: \"https://www.dropbox.com/s/qf15ewsstzk4qoz/Thesis%20Information%20to%20be%20referenced%20from.ppt?dl=0\" or url.full: \"https://uceaf62bf364381a378c816b41ba.dl.dropboxusercontent.com/cd/0/get/A2Vm2UTAy5MCwUTkAgc7zFzIQyACqaHZ2yiX2ORjm3twvsr6cvxtZv0ARG5lyIZq4N60QtQgVm5JL5pTbto45FtwfTs8d9-QuL3_YsAukrIOoZLpoOKRi_DRl5Wxq6TQHIk/file?dl=1\" or url.original: \"https://uceaf62bf364381a378c816b41ba.dl.dropboxusercontent.com/cd/0/get/A2Vm2UTAy5MCwUTkAgc7zFzIQyACqaHZ2yiX2ORjm3twvsr6cvxtZv0ARG5lyIZq4N60QtQgVm5JL5pTbto45FtwfTs8d9-QuL3_YsAukrIOoZLpoOKRi_DRl5Wxq6TQHIk/file?dl=1\" or url.full: \"https://login.contact.cybersecuritiesinc.net/\" or url.original: \"https://login.contact.cybersecuritiesinc.net/\" or url.full: \"https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=8f43aaa9-d9d7-4eb1-8172-0669dae105aa&redirect_uri=https://www.mailguardonline.net/oauth/api/microsoft/callback&scope=offline_access user.read mail.readwrite&state=EmERFnNRcD2DbezEvK245MXBEokQh6&response_mode=form_post\" or 
url.original: \"https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=8f43aaa9-d9d7-4eb1-8172-0669dae105aa&redirect_uri=https://www.mailguardonline.net/oauth/api/microsoft/callback&scope=offline_access user.read mail.readwrite&state=EmERFnNRcD2DbezEvK245MXBEokQh6&response_mode=form_post\" or url.full: \"https://www.mailguardonline.net/oauth/api/microsoft/callback\" or url.original: \"https://www.mailguardonline.net/oauth/api/microsoft/callback\"","references":["https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks"],"meta":{"from":"1m"},"severity":"low","updated_by":"elastic","tags":["IOC","2020-008"],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":3}
{"actions":[],"created_at":"2020-06-22T01:32:38.108Z","updated_at":"2020-06-22T01:36:55.595Z","created_by":"elastic","description":"Email address IOCs from ACSC Advisory 2020-008, applied on user.email","enabled":false,"false_positives":[],"filters":[],"from":"now-3660s","id":"86835998-2df7-4a0a-b59a-140bea57ac6a","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*","endgame*"],"interval":"60m","rule_id":"e798e55a-0a42-4b5d-b8da-a26adb3161b2","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":30,"name":"[IOC] - 2020-008 Emails","query":"user.email: \"[email protected]\" or user.email: \"[email protected]\" or user.email: \"[email protected]\" or user.email: \"[email protected]\" or user.email: \"[email protected]\" or user.email: \"[email protected]\" or user.email: \"[email protected]\" or user.email: \"[email protected]\" or user.email: \"[email protected]\" or user.email: \"[email protected]\" or user.email: \"[email protected]\" or user.email: \"[email protected]\"","references":["https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks"],"meta":{"from":"1m"},"severity":"low","updated_by":"elastic","tags":["IOC","2020-008"],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":4}
{"actions":[],"created_at":"2020-06-22T01:38:01.358Z","updated_at":"2020-06-22T01:40:09.747Z","created_by":"elastic","description":"User Agents IOCs from ACSC Advisory 2020-008, applied on user_agent.original","enabled":false,"false_positives":[],"filters":[],"from":"now-3660s","id":"b066437b-544c-4797-8283-4a95ce4710b7","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*","endgame*"],"interval":"60m","rule_id":"e00d03dc-eaee-4756-90e1-d0890f38bfeb","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":30,"name":"[IOC] - 2020-008 User Agents","query":"user_agent.original: \"Microsoft SkyDriveSync 17.005.0107.0008 ship; Windows NT 10.0 (16299)\" or user_agent.original: \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36\" or user_agent.original: \"exchangelib/3.1.1+(python-requests/2.21.0)\" or user_agent.original: \"python-requests/2.2.1\" or user_agent.original: \"CPython/2.7.2\"","references":["https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks"],"meta":{"from":"1m"},"severity":"low","updated_by":"elastic","tags":["IOC","2020-008"],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":4}
{"actions":[],"created_at":"2020-06-22T01:40:54.896Z","updated_at":"2020-06-22T01:41:53.838Z","created_by":"elastic","description":"File path IOCs from ACSC Advisory 2020-008, applied on file.path","enabled":false,"false_positives":[],"filters":[],"from":"now-3660s","id":"248f4cea-303f-4e7f-b69a-f869b5497b91","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*","endgame*"],"interval":"60m","rule_id":"a03ae4a1-1d75-41fe-a024-eeaee9f4877a","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"name":"[IOC] - 2020-008 File paths","query":"file.path: \"%APPDATA%\\Roaming\\Microsoft\\Word\\STARTUP\\Template.dotm\"","references":["https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks"],"meta":{"from":"1m"},"severity":"low","updated_by":"elastic","tags":["IOC","2020-008"],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":4}
{"actions":[],"created_at":"2020-06-22T01:42:18.117Z","updated_at":"2020-06-22T01:43:14.730Z","created_by":"elastic","description":"File directory IOCs from ACSC Advisory 2020-008, applied on file.directory","enabled":false,"false_positives":[],"filters":[],"from":"now-3660s","id":"a8f851dc-560b-4a2f-b46b-c971c40883db","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*","endgame*"],"interval":"60m","rule_id":"63c22fa1-3575-45cd-8f1c-e4fb84db7e2d","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":30,"name":"[IOC] - 2020-008 File directories","query":"file.directory: \"C:\\Logs\\PerfLogs\" or file.directory: \"C:\\ProgramData\\.Lookup\"","references":["https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks"],"meta":{"from":"1m"},"severity":"low","updated_by":"elastic","tags":["IOC","2020-008"],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":5}
{"actions":[],"created_at":"2020-06-22T01:44:01.437Z","updated_at":"2020-06-22T01:48:15.148Z","created_by":"elastic","description":"IP/Ports IOCs from ACSC Advisory 2020-008, applied on source.ip and source.port","enabled":false,"false_positives":[],"filters":[],"from":"now-3660s","id":"e3ba24c4-842f-4a56-9bfb-9174fb45a466","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*","endgame*"],"interval":"60m","rule_id":"f89d264d-33cf-4a29-93fb-f9c833a7ca3f","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":30,"name":"[IOC] - 2020-008 IP/Ports","query":"destination.ip: \"127.0.01\" and destination.port: [6666 TO 6675]","references":["https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks"],"meta":{"from":"1m"},"severity":"low","updated_by":"elastic","tags":["IOC","2020-008"],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":5}
{"actions":[],"created_at":"2020-06-22T01:48:56.013Z","updated_at":"2020-06-22T01:56:49.585Z","created_by":"elastic","description":"IPv4 addresses IOCs from ACSC Advisory 2020-008, applied on source.ip and destination.ip","enabled":false,"false_positives":[],"filters":[],"from":"now-3660s","id":"787457dc-823f-499b-ba7e-9cacfdce3efc","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*","endgame*"],"interval":"60m","rule_id":"b8007d43-44a4-4bff-afd1-0bbe6b2512d7","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":30,"name":"[IOC] - 2020-008 IPv4 Addresses","query":"source.ip: \"104.156.233.219\" or destination.ip: \"104.156.233.219\" or source.ip: \"131.153.16.198\" or destination.ip: \"131.153.16.198\" or source.ip: \"134.209.97.239\" or destination.ip: \"134.209.97.239\" or source.ip: \"138.197.204.4\" or destination.ip: \"138.197.204.4\" or source.ip: \"139.59.90.114\" or destination.ip: \"139.59.90.114\" or source.ip: \"144.202.85.4\" or destination.ip: \"144.202.85.4\" or source.ip: \"154.16.136.100\" or destination.ip: \"154.16.136.100\" or source.ip: \"159.203.29.101\" or destination.ip: \"159.203.29.101\" or source.ip: \"167.172.36.95\" or destination.ip: \"167.172.36.95\" or source.ip: \"172.86.75.49\" or destination.ip: \"172.86.75.49\" or source.ip: \"172.86.75.7\" or destination.ip: \"172.86.75.7\" or source.ip: \"172.86.75.86\" or destination.ip: \"172.86.75.86\" or source.ip: \"193.187.173.38\" or destination.ip: \"193.187.173.38\" or source.ip: \"194.36.191.227\" or destination.ip: \"194.36.191.227\" or source.ip: \"194.71.130.113\" or destination.ip: \"194.71.130.113\" or source.ip: \"198.255.66.27\" or destination.ip: \"198.255.66.27\" or source.ip: \"206.189.180.4\" or destination.ip: \"206.189.180.4\" or source.ip: \"206.189.98.83\" or destination.ip: \"206.189.98.83\" or source.ip: \"23.129.64.156\" or destination.ip: \"23.129.64.156\" or source.ip: \"23.228.74.58\" or 
destination.ip: \"23.228.74.58\" or source.ip: \"31.214.157.153\" or destination.ip: \"31.214.157.153\" or source.ip: \"43.231.77.218\" or destination.ip: \"43.231.77.218\" or source.ip: \"45.125.192.221\" or destination.ip: \"45.125.192.221\" or source.ip: \"45.153.231.121\" or destination.ip: \"45.153.231.121\" or source.ip: \"45.63.41.207\" or destination.ip: \"45.63.41.207\" or source.ip: \"5.188.37.38\" or destination.ip: \"5.188.37.38\" or source.ip: \"5.8.8.9\" or destination.ip: \"5.8.8.9\" or source.ip: \"54.78.227.17\" or destination.ip: \"54.78.227.17\" or source.ip: \"79.134.235.87\" or destination.ip: \"79.134.235.87\" or source.ip: \"79.134.235.89\" or destination.ip: \"79.134.235.89\" or source.ip: \"81.194.38.139\" or destination.ip: \"81.194.38.139\" or source.ip: \"92.38.188.85\" or destination.ip: \"92.38.188.85\" or source.ip: \"94.103.95.25\" or destination.ip: \"94.103.95.25\" or source.ip: \"139.99.237.34\" or destination.ip: \"139.99.237.34\"","references":["https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks"],"meta":{"from":"1m"},"severity":"low","updated_by":"elastic","tags":["IOC","2020-008"],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":6}
{"actions":[],"created_at":"2020-06-22T01:58:48.514Z","updated_at":"2020-06-22T02:10:44.273Z","created_by":"elastic","description":"File hash IOCs from ACSC Advisory 2020-008, applied on file.name, process.hash.md5 and process.hash.sha256","enabled":false,"false_positives":[],"filters":[],"from":"now-3660s","id":"596c117c-0d23-435e-b845-c3d5b44d7b17","immutable":false,"index":["auditbeat-*","filebeat-*","packetbeat-*","winlogbeat-*","endgame*"],"interval":"60m","rule_id":"d818b19d-d75a-4141-98a2-9958c2f6c406","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":30,"name":"[IOC] - 2020-008 File hashes","query":"(file.name: \"jp.exe\" and (process.hash.md5:\"808502752ca0492aca995e9b620d507b\" or process.hash.sha256: \"0f56c703e9b7ddeb90646927bac05a5c6d95308c8e13b88e5d4f4b572423e036\")) or (file.name: \"TmDbgLog.dll\" and (process.hash.md5:\"67d735924a1c717ca8fc5e0b8f2973b0\" or process.hash.sha256: \"e84badc0eeacf3bf3a9e562662f05ebf05ab19196b740566a4e72a469460a55d\")) or (file.name: \"Potato.dll\" and (process.hash.md5:\"aa5681d62bec91da9f1f41bc5a7a63bc\" or process.hash.sha256: \"b094a8616804fbd5ff21b9c8153622eca7909b9f35251579ba383e16de11c0ed\")) or (file.name: \"ccc.dll\" and (process.hash.md5:\"76a14ee686e7010a7f2ad91fbc0caf2c\" or process.hash.sha256: \"a7798930028248330c905a4e9ce70cebc445dc3d898b9bf80235e3f5fb0003d2\")) or (file.name: \"HttpCore.dll\" and (process.hash.md5:\"5986e7094706504d190e23337e1fc4c7\" or process.hash.sha256: \"4fc27fc85d2a37eaefb61e2350907aafc27a11084c8f19d66ee9b044cd29e006\")) or (process.hash.md5:\"02e82b6efcffafc2b03858f626bdffb8\" or process.hash.sha256: \"704d8ad511789cde160c82cac7c363147f436280927c21d91abaf23ebd34f53e\") or (process.hash.md5:\"5d92c39f39d12ab69fcfb9b96400f39a\" or process.hash.sha256: \"a1900f7a85f39a3ab9a9079115d55d2d14b55f6cc774346d6375f10589cea770\") or (process.hash.md5:\"9cc60c92bf512bf34a5d34412ea80525\" or process.hash.sha256: 
\"183328d94bbb13a6fd13d0b9f4401157ff666956a3accabce8c72822ef9e2a24\") or (process.hash.md5:\"b0671a8d75cd548be50b7d71027b1f64\" or process.hash.sha256: \"2b71dd245520d9eb5f1e4c633fee61c7d83687591d9f64f9390c26dc95057c3c\") or (process.hash.md5:\"a049833256e22cd07cb480803a339545\" or process.hash.sha256: \"a5c8934836f5b36bba3a722eab691a9f1f926c138fefe5bae07e9074e7c49ae3\") or (process.hash.md5:\"b6cb873067f3f1a457b3ced951213c72\" or process.hash.sha256: \"eb2c2516a518381d5c5727d6d7c6de5ea6acd614e437099a0ded24dc851afc55\") or (process.hash.md5:\"7400d58f5dbc4a9b80db4da9d4944d86\" or process.hash.sha256: \"b0d2980b40bb0e59fa8b1982f5cf7768bb4bd6e8c5e20addf4333de59bc372d4\") or (process.hash.md5:\"46a473898e2618dece83bc18d7792acb\" or process.hash.sha256: \"10162feb5f063ea09c6a3d275f31abf0fe8a9e4e36fded0053b1f8e054da8161\") or (process.hash.md5:\"e817a1384d3496d9835c855fb61527c5\" or process.hash.sha256: \"f2e94285fd5ecd1952b2a2b3031f5bc188a6f25867ca8cdda14ae95902e6a7cc\") or (process.hash.md5:\"998355e6c1d266272352df64ea1af615\" or process.hash.sha256: \"95395b254bf02f157a60fa604679efc1f8c5912cf633ff33216ce43df47fca15\") or (process.hash.md5:\"45f330f1210baf9cb292d9e365d9cc9b\" or process.hash.sha256: \"3e2605056cf3f55e47679ea414d14d455dbff58fdfe5de9bc837479c8fa3b1de\")","references":["https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks"],"meta":{"from":"1m"},"severity":"low","updated_by":"elastic","tags":["IOC","2020-008"],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":6}
{"exported_count":9,"missing_rules":[],"missing_rules_count":0}
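Review bot: the IP/Ports rule (`"name":"[IOC] - 2020-008 IP/Ports"`) has a malformed address: `destination.ip: \"127.0.01\"` is not a valid IPv4 literal, so against an `ip`-typed field the query will error rather than match; it should presumably read `127.0.0.1`. The same rule's description says it is "applied on source.ip and source.port" while the query uses `destination.ip` and `destination.port`, so one of the two should be corrected. Three further points in this hunk: the file path rule matches the literal string `%APPDATA%\\Roaming\\Microsoft\\Word\\STARTUP\\Template.dotm`, but logged `file.path` values contain the expanded profile path, never the `%APPDATA%` variable, and `%APPDATA%` already resolves to `...\AppData\Roaming`, so the extra `Roaming\` segment is doubled; a wildcard on `*\\Microsoft\\Word\\STARTUP\\Template.dotm` would actually fire. The file hash rule pairs `file.name` with `process.hash.md5`/`process.hash.sha256`, which only match when the hashed object is the running executable; for the listed DLLs (`TmDbgLog.dll`, `Potato.dll`, `ccc.dll`, `HttpCore.dll`) the relevant ECS fields are `file.hash.*` or `dll.hash.*`, so consider adding those. Lastly, the domains rule quotes every value except the final `source.domain: cybersecuritiesinc.net`; quote it for consistency with the other terms.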
