# Threat Hunting ## APT: DragonFly as defined by MITRE "Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks" ## TTPs: * Schedule Tasks Creation * Brute Force Attack * Phishing Email ## Detection and Prevention: ### Schedule Task Creation: #### Installing Sysmon: Windows: 1. Download Sysmon at this link: 2. Download the sysmon XML config file: 3. Now in the downloads folder run in an admin Powershell prompt ```powershell .\Sysmon.exe -accepteula -i .\sysmonconfig.xml ``` Contents of the XML: ```xml - - 12 2 4 12 0 0x8000000000000000 184 Microsoft-Windows-Sysmon/Operational DESKTOP-4E0BQFT - technique_id=T1053,technique_name=Scheduled Task CreateKey 2022-04-13 11:59:41.545 {76e50f37-2fc0-6244-1300-000000000300} 364 C:\Windows\system32\svchost.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\test-task NT AUTHORITY\SYSTEM ``` #### Wazuh Server config for Sysmon: 1. In the `/var/ossec/etc/shared/default/agent.conf` Add the lines below ```markup Microsoft-Windows-Sysmon/Operational eventchannel ``` 2. Next we must add the rule to the `/var/ossec/etc/rules/local_rules.xml` ```markup windows ^technique_id=T1053,technique_name=Scheduled Task$ ^CreateKey$ A Newly Scheduled Task has been Detected on $(win.system.computer) T1053 115006 ^HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator$ Suppression rule for scheduled task created by update orchestrator ``` #### Creating an Active Response Script: 1. Create the file `C:\Program Files (x86)\ossec-agent\active-response\bin\analyze-scheduled-task.cmd` and add the code below. {% code overflow="wrap" lineNumbers="true" %} ```batch @echo off setlocal enableDelayedExpansion reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=64BIT if %OS%==64BIT ( SET logFile="%programfiles(x86)%\ossec-agent\logs\scheduled-tasks.log" ) set input= for /f "delims=" %%a in ('powershell -command "$logInput = Read-Host; Write-Output $logInput"') do ( set input=%%a ) powershell -command "$string = '%input%'; $match = select-string 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree.*\\\\(\S*)\\r\\n' -inputobject $string; $taskName = $match.Matches.groups[1].value; $task = Get-ScheduledTask | where TaskName -EQ $taskName; $jsonTask = $task.Actions | ConvertTo-Json -Compress; try{$stream = [System.IO.StreamWriter]::new( '%logFile%', $true );'{\"ScheduledTaskAR\": ' + $jsonTask + ', \"TaskName\": \"' + $taskName + '\"}' | ForEach-Object{ $stream.WriteLine( $_ ) }}finally{$stream.close()}; exit" ``` {% endcode %} #### Configure Wazuh Agent to Monitor Response Log: 1. In the wazuh manager webui go to groups.

2. Edit the windows group

3. Add the lines below ```markup logs\scheduled-tasks.log syslog ``` If you don't have a windows group can add the lines below to `/var/ossec/etc/shared/default/agent.conf` on the wazuh server. ```markup logs\scheduled-tasks.log syslog ``` #### Now test to see if the scheduled-tasks.log is created Run the command below to create a test task {% code overflow="wrap" %} ```batch schtasks /create /tn test-task /tr "C:\Windows\System32\calc.exe" /sc onlogon /ru System /f ``` {% endcode %} Now the file `C:\Program Files (x86)\ossec-agent\logs\scheduled-tasks.log` should be created. It will look something like: ```json { "ScheduledTaskAR": { "CimClass": { "CimSuperClassName": "MSFT_TaskAction", "CimSuperClass": { "CimSuperClassName": null, "CimSuperClass": null, "CimClassProperties": "Id", "CimClassQualifiers": "", "CimClassMethods": "", "CimSystemProperties": "Microsoft.Management.Infrastructure.CimSystemProperties" }, "CimClassProperties": [ "Id", "Arguments", "Execute", "WorkingDirectory" ], "CimClassQualifiers": [], "CimClassMethods": [], "CimSystemProperties": { "Namespace": "Root/Microsoft/Windows/TaskScheduler", "ServerName": "DESKTOP-4E0BQFT", "ClassName": "MSFT_TaskExecAction", "Path": null } }, "CimInstanceProperties": [ { "Name": "Id", "Value": null, "CimType": 14, "Flags": "Property, NotModified, NullValue", "IsValueModified": false }, { "Name": "Arguments", "Value": null, "CimType": 14, "Flags": "Property, NotModified, NullValue", "IsValueModified": false }, { "Name": "Execute", "Value": "C:\\Windows\\System32\\calc.exe", "CimType": 14, "Flags": "Property, NotModified", "IsValueModified": false }, { "Name": "WorkingDirectory", "Value": null, "CimType": 14, "Flags": "Property, NotModified, NullValue", "IsValueModified": false } ], "CimSystemProperties": { "Namespace": "Root/Microsoft/Windows/TaskScheduler", "ServerName": "DESKTOP-4E0BQFT", "ClassName": "MSFT_TaskExecAction", "Path": null }, "Id": null, "Arguments": null, "Execute": "C:\\Windows\\System32\\calc.exe", "WorkingDirectory": null, "PSComputerName": null }, "TaskName": "test-task" }o ``` Now delete the task ```batch schtasks /delete /tn test-task ``` #### Creating the Rule: On the Wazuh server add the lines below into `/var/ossec/etc/rules/local_rules.xml` inside the \ ```markup json ^null$ (.|\s)*\S(.|\s)* A new scheduled task "$(TaskName)" has been created on "$(ScheduledTaskAR.CimSystemProperties.ServerName)". The task will execute the command - "$(ScheduledTaskAR.Execute) $(ScheduledTaskAR.Arguments)". T1053 json ^null$ (.|\s)*\S(.|\s)* A new scheduled task "$(TaskName)" has been created on "$(ScheduledTaskAR.CimSystemProperties.ServerName)". The task will execute the command - "$(ScheduledTaskAR.Execute)". T1053 ``` Now restart wazuh manager on the wazuh server ```bash systemctl restart wazuh-manager ``` #### Finished Product In the webui it should show up as below:

### Brute Force Attacks: #### Wazuh Server setup: 1. In the `/var/ossec/etc/ossec.conf` file make sure the lines below are not commented ```markup firewall-drop firewall-drop yes ``` 2. Now in the same file add the lines. There is a section towards the middle of the file that has \ commented out and you can add this right below that. ```markup firewall-drop local 5763 180 ``` 3. Now restart the Wazuh manager service: ```bash sudo systemctl restart wazuh-manager ``` #### Testing: 1. Run commands below to install hydra and trigger active response. ```bash sudo apt update && sudo apt install -y hydra ``` 2. Now hydra usage: ```bash sudo hydra 4 -l -P ssh ``` #### Final Output:

### Phishing Emails: The file below is a document I made as a proof of concept for a set of instructions that could be given out to a corporation. {% file src="/files/LKym2iDZQBuRuKGmFHzc" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://paul-gleason.gitbook.io/sec-350-enterprise-and-network-security-controls-1/projects/threat-hunting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.