Monday, December 1, 2014

Detailed analysis of an ADP Invoice Phishing Attempt - IPS (Snort) and SIEM (QRadar) Rules



In this 6 part series, we analyzed a recent phishing attempt through an email which was sent to me. In the first post we looked at the email. The second post we did an analysis using Wireshark. In the third post we did some basic static analysis. In the fourth post we performed some basic dynamic analysis. In the fifth post, we performed some basic memory analysis. In this post we put it all together writing rules for our IPS (snort) and SIEM (QRadar) devices



Now that we've perform the analysis, let's use what we've gathered to defend our infrastructure.
In post 4  we identified the following
1.            Packet 3 and 4 shows the DNS request and response for "projetglory.awardspace.com" respectively. This is similar to what was reported by InetSim.
2.            Packets 5 to 7 shows the TCP connection being setup with the host which hosting "projetglory.awardspace.com".
https://www.snort.org/
3.            Once the connection was established the HTTP GET request was made to download "/fichiers/miniuk1.pmg"
4.            In packet 11 we see this request was successful via the "HTTP/1.1 200 OK"
5.            In packet 15 and 16, we see the DNS request and response for shalhart.com.
6.            Once the name was resolved we see in packet 17-19 a connection was setup to shalhart.com.
7.            In packet 20 a HTTP GET request was made for " miniuk1.pmg". This all confirms what was shown in the InetSim log file
Writing the snort rule ...
These rules will be placed in the "local.rules" file
This rule looks for the DNS request for shahlart.com

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Malicious DNS Request - shahlart.com"; content:"shahlart|03|com"; classtype:trojan-activity; reference:url,securitynik.blogspot.com; Priority:1; sid:4000001;)


This rule looks for the DNS request for projetglory.awardspace.com

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Malicious DNS Request - projetglory.awardspace.com"; content:"|70 72 6f 6a 65 74 67 6c 6f 72 79 0a|awardspace|03|com"; classtype:trojan-activity; reference:url,securitynik.blogspot.com; Priority:1; sid:4000002;)

This rule focuses on HTTP traffic

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ADP Phishing GET Request - shahlart"; content:"User-Agent|3a 20|mupdate"; content:"/miniuk1.pmg";  classtype:trojan-activity; detection_filter: track by_src, count 1, seconds 86400; reference:url,securitynik.blogspot.com; 
Priority:1; sid:4000003;)


Now that we have our IPS (snort) rule, let's develop a SIEM (QRadar) rule.
For this we will use a "Common Rule". A common rule is one which can run tests against either logs or flows (or both). To create this rule let's do the following:

1. From the "Offense" tab, select Rules
2. From the "Action" menu select "New Common Rule"3. Click "Next" then build the rule












































From the above we are keeping the rule simple, we are looking for traffic going to destination host 50.87.164.13 on destination port 80. In addition we 
are looking for payload that contains the string /miniuk1.pmg






















From the above rule response, the things which I configure most important are:

1. Create a new event when traffic relating to our rule is seen
2. Ensure the dispatched event is part of an offense
3. ensure an email is sent to sec@securitynik.com
4. We will also throttle the alerts to ensure we respond only 1 time per 24 hours per unique source.
5. Finally we ensure the rule is enabled






















The above represents a summary of our rule.


This concludes this series. Hope you enjoyed it as we went from the initial email which was received to analyzing enough to be able to develop rules for both our IPS (snort) and or SIEM (QRadar).



.pcap and .zip files from my analysis. Please note, in no way am I responsible for any damage caused to your computer and or other devices as a result of using these files.
adp.pcap - 4cfd352a3c890873d20a33d35fffed25  
invoice1211_pdf82.zip - 05fc7646cf11b6e7fb124782daf9fb53 

References:
http://www.snort.org
http://www-03.ibm.com/software/products/en/qradar-siem/

2 comments:

  1. Hello Nik,

    Could you provide us with the malware for us to do the same tests? For learning purposes too.

    Thanks

    ReplyDelete
    Replies
    1. Shaqe,
      I've attached the .pcap and the .zip files to all the posts in this series. You will need to extract the .exe from the .zip. I put the packet capture so that you can probably analyze it as you like

      Delete