Active and Passive Mandiant APT1 Detection
The Mandiant® Intelligence Center™ recently released a report exposing APT1's multi-year, enterprise-scale computer espionage campaign. Mandiant considers APT1, one of China's most persistent cyber espionage groups, to be one of the most prolific in terms of sheer quantity of information stolen.
I read the Mandiant APT1 report with a great deal of interest. There was a tremendous amount of detail in the report about attacker techniques, indicators of compromise, and who the adversaries could possibly be. What I found most interesting, though, was the large amount of technical detail provided about the indicators of compromise – domain names, SSL certificates, file hashes, and more. Yesterday, Tenable's research team leveraged this information into a wide variety of reporting and detection tools which are now available in Nessus and SecurityCenter.
Malicious Process Detection: APT1 Software Running
This new Nessus plugin extends the hash lookup process for malware introduced last year to also include the APT1 hashes reported by Mandiant. This plugin requires credentials and tests Windows systems.
APT1-related SSL Certificate Detected
This new Nessus plugin extends the extensive SSL certificate testing performed by Nessus to also include those reported by Mandiant. The SSL certificates in the APT1 report were for command and control.
This audit file determines possible infections by several of the malware items identified by Mandiant. It includes checks for 32 of the malware variants identified in Appendix C: The Malware Arsenal. The audit file utilizes a combination of registry checks and file system checks to find hosts that might likely be at risk or infected.
Mandiant APT1 SSL Connection Activity Report
The SecurityCenter report leverage's the Tenable Passive Vulnerability Scanner's ability to identify the certificate name used in SSL network connections. These real-time logs are sent to the Tenable Log Correlation Engine where they are summarized in an "SSL_Cert_Summary" event. Searching these events allows for an efficient search of historical APT1 SSL activity.
I'd like to thank Mandiant for sharing this sort of information and encourage this type of reporting and research.
Related Articles
Taking IBM QRadar SIEM One Step Further Using Tenable.ad
September 30, 2021If you can't continuously monitor Active Directory, it's impossible to achieve full visibility into your evolving attack surface. Here's how combining Tenable.ad with IBM QRadar can help. It's no sec...
Recap: Geeking Out II with Marcus
April 15, 2013Ron and I spent most of the webcast rotating around the theme of detection algorithms: how do you determine what is normal and what is not? We started off with one of my favorite questions, "Are there...
Log Correlation Engine 3.6 – Now with its own GUI
January 5, 2011<p>Tenable Network Security has released version 3.6 of the <a href="http://www.nessus.org/products/lce/" target="_self">Log Correlation Engine</a>. This new version includes many performance enhancements as well as its own web-based user interface. This blog entry describes the new user interface, the increased performance and the new features of LCE 3.6.</p>
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs
August 13, 2024Microsoft addresses 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild.
Compromising Microsoft's AI Healthcare Chatbot Service
August 13, 2024Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.
- Event Monitoring