ACT : FIRST 2019 Training - Assignments

Overview

This page collects generic queries and graph queries, together with assignments.

For assignments related to the API, look at https://github.com/mnemonic-no/act-workshop-api

Introduction

Introduction 1

/object-fact-query/hash/d06432486e7e9c2b8aaef4f42c11cf8efe19689638a3512ce931a23bdb5f2b4c

Introduction 2

/object-fact-query/threatActor/APT3

/object-fact-query/tactic/lateral-movement

/object-fact-query/tool/foosace

/object-fact-query/ipv4/153.148.23.118

Task 1

/object-fact-query/tool/remsec

Task 2

/object-fact-query/ipv4/188.116.32.164

Task 3

/object-fact-query/asn/8048

Introduction 3

/object-fact-query/tool/twoface

Task 4

/object-fact-query/tool/gulpix

Assignments

1. Which threat actor is associated with the MD5 hash 8849538ef1c3471640230605c2623c67?

Answer (white text on white background):

APT3


2. Find the ipv4 address that 'zebrocy' malware samples have connected to.

Answer (white text on white background):

45.124.132[.]127


3. Which organization owns the ipv4 address 185.223.163[.]26, and which country is it located in?

Answer (white text on white background):

logicum in Estonia


4. Which threat actor is associated with the ipv4 address 188.116.32[.]164?

Answer (white text on white background):

APT29


5. Which tool is associated with the ipv4 address 142.11.238[.]56, and how many content objects are classified as this tool?

Answer (white text on white background):

mirai, 407 content objects


6. How many techniques are implemented by the malware 'trickbot'?

Answer (white text on white background):

29


7. Which content object connects the ipv4 address 96.36.253[.]146 to 'trickbot'?

Answer (white text on white background):

32640b777321e41bdfd0a71d8138e6fe3e384f7977b05d6785043afec6555e11


8. How many threat actors use the tool 'tasklist'?

Answer (white text on white background):

7


9. Which threat actors use both 'certutil' and 'mimikatz'?

Answer (white text on white background):

APT28, menuPass, OilRig


10. Which technique is implemented by both 'bitsadmin' and 'certutil'?

Answer (white text on white background):

Remote File Copy


11. Which threat actors use techniques that accomplish the tactic 'impact'?

Answer (white text on white background):

APT37, APT38, FIN4, Lazarus Group


12. Which of the techniques associated with the tactic 'lateral-movement' are "orphans" (not known to be used by any threat actor or implemented by any tool)?

Answer (white text on white background):

Shared Webroot


13. Which threat actor uses a tool that implements the technique 'User Execution'?

Answer (white text on white background):

Lazarus Group


14. What is the title (name) of the report that mentions IP addresses from the autonomous system (asn) 22400?

Answer (white text on white background):

APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign


15. How many different tools have communicated with IP addresses owned by the organization 'digitalocean'?

Answer (white text on white background):

102


16. Try to find an alias for the tool 'sekur'. Then try to find a publicly available, credible source that confirms your findings.

Answer (white text on white background):

carbanak (or anunak), example source: https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/


17. Try to find an alias for the tool 'trickster'. Then try to find a publicly available, credible source that confirms your findings.

Answer (white text on white background):

trickbot, example sources: https://securelist.com/bots-and-botnets-in-2018/90091/ and https://threats.kaspersky.com/en/threat/Trojan.Win32.Trickster/


18. Try to find an explanation for why the content 82c5e0bf27c61c320d70d9977d6933528ba2ed446ea5032d5daa0723b020a60a is classified as both 'sekur' and 'mimikatz'. 

Answer (white text on white background):

sekur (aka carbanak/anunak) includes code from mimikatz which has triggered AV signatures for mimikatz, example source: https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html


19. What kind of malicious activity is associated with the path '/signin.php'? 

Answer (white text on white background):

Apple-like malicious phishing domains (seen from the names of related reports). Feel free to explore further.


20. One IP address owned by an organization located in Venezuela is related to ransomware. Which ransomware family (tool)? 

Answer (white text on white background):

locky. The IP address is 159.90.60[.]215, which belongs to asn 11694.

Case Study

You are the head of the computer security incident response team (CSIRT) at a large international managed services provider (MSP). You get a call from the threat hunting team who tell you that they have identified potentially malicious activity in historical logs. The threat hunting team has found suspicious network traffic to the following IP addresses:

158.255.208.61
67.205.132.17

Before you decide whether or not to initiate incident response, you try to assess the situation. Several questions need to be answered:

  1. Are the indicators found by the threat hunting team related to known malicious activity?
  2. Is the infrastructure related to a known threat actor and/or malware?
  3. If the findings indicate a breach, what is the severity and how should the CSIRT respond?

While you are working, the threat hunting team has found another piece of evidence. In the endpoint security logs, they noticed a piece of malware that was initially not detected, but was caught after a signature update. The file hash of the malware is:

ff49c2d72e4c47ddc388c47a13dfd9e5

Is this malware related to the other findings? If so, how?


You think you have identified the threat actor, and you want to search the historical logs for all indicators related to the campaign. Try to create an indicator set for the threat actor.

The threat hunting team asks for information they can use to hunt for the threat actor's tactics, techniques, procedures and tools. Try to find that for them. Also try to find reports about the threat actor.

Graph Queries

Graph Query 1

/gremlin/ipv4/153.148.23.118/g.bothE().otherV()

Graph Query 2

/gremlin/ipv4/153.148.23.118/g.bothE().otherV().path().unfold()

Graph Query 3

/gremlin/ipv4/153.148.23.118/g.bothE().otherV().bothE().otherV().path().unfold()

Graph Query 4

/gremlin/ipv4/153.148.23.118/g.bothE().otherV().bothE('resolvesTo').otherV().path().unfold()

Graph Query 5

/gremlin/ipv4/153.148.23.118/g.bothE().otherV().bothE().otherV().hasLabel('report').path().unfold()

Graph Query 6

/gremlin/threatActor/APT3/g.as('startNode').repeat(inE('attributedTo').otherV()).times(2).inE('observedIn').otherV().hasLabel('content').outE('classifiedAs').otherV().where(inE('classifiedAs').otherV().outE('observedIn').otherV().repeat(outE('attributedTo').otherV()).times(2).count().is(eq(2L))).inE('classifiedAs').otherV().outE('observedIn').otherV().repeat(outE('attributedTo').otherV()).times(2).where(neq('startNode')).path().unfold()

Graph Query Building Blocks

Filtering

Filtering on fact type (edge label)

inE('<factType>')
outE('<factType>')
bothE('<factType>')

Filtering on fact value (edge value)

inE().has('value','<fact value>')
outE().has('value','<fact value>')
bothE().has('value','<fact value>')


Filtering on object type (node label)

inV().hasLabel('<objectType>')
outV().hasLabel('<objectType>')
bothV().hasLabel('<objectType>')
otherV().hasLabel('<objectType>')

Filtering on object value (node value)

inV().has('value','<object value>')
outV().has('value','<object value>')
bothV().has('value','<object value>')
otherV().has('value','<object value>')

Filtering on multiple labels (Boolean OR)

Replace within() by without() to exclude labels.

bothE().hasLabel(within('<factType 1>','<factType 2>',...))
otherV().hasLabel(within('<objectType 1>','<objectType 2>',...))

Filtering on multiple values (Boolean OR)

Replace within() by without() to exclude values.

bothE().has('value',within('<fact value 1>','<fact value 2>',...))
otherV().has('value',within('<object value 1>','<object value 2>',...))

Filtering on number of facts (edge count)

Example: only traverse nodes that have fewer than 20 incoming "mentions" edges:
where(inE('mentions').count().is(lt(20L)))

Setting a node label and filtering on it later

g.as('startNode').[...].where(neq('startNode')).[...]


Other

Traversing aliases

Find information related to any of the known aliases of a threat actor or tool:

Object type: threatActor or tool
Object value: Name of the threat actor or tool, e.g. APT10 or trickbot

Gremlin query building block:
g.optional(emit().repeat(outE('alias').otherV()).until(cyclicPath()))
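The alias building block above and the assignments earlier on this page (9, 12) all reduce to a few set operations over the fact graph. The following Python is an added example, not part of the workshop material or the ACT API: it models a handful of constructed facts in the ACT (source object, fact, destination object) style and answers those patterns in code. The fact type 'alias' comes from the page; 'uses', 'implements' and 'accomplishes' are assumed from the assignment wording, and all values are made up.

```python
from collections import defaultdict

# Constructed sample facts: (source type, source value, fact type,
# destination type, destination value). 'alias' is from the page; 'uses',
# 'implements' and 'accomplishes' are assumed names. Values are made up.
FACTS = [
    ("threatActor", "APT28", "uses", "tool", "certutil"),
    ("threatActor", "APT28", "uses", "tool", "mimikatz"),
    ("threatActor", "OilRig", "uses", "tool", "certutil"),
    ("threatActor", "OilRig", "uses", "tool", "mimikatz"),
    ("threatActor", "FIN7", "uses", "tool", "mimikatz"),
    ("tool", "certutil", "implements", "technique", "Remote File Copy"),
    ("technique", "Remote File Copy", "accomplishes", "tactic", "lateral-movement"),
    ("technique", "Shared Webroot", "accomplishes", "tactic", "lateral-movement"),
    ("tool", "trickster", "alias", "tool", "trickbot"),
    ("tool", "trickbot", "alias", "tool", "trickster"),
]


class FactGraph:
    """Adjacency over (type, value) nodes; edges are indexed by fact type."""
    def __init__(self, facts):
        self.out = defaultdict(set)  # (src node, factType) -> {dst node}
        self.inc = defaultdict(set)  # (dst node, factType) -> {src node}
        for st, sv, ft, dt, dv in facts:
            self.out[((st, sv), ft)].add((dt, dv))
            self.inc[((dt, dv), ft)].add((st, sv))

    def out_values(self, node, ft):  # outE(ft).otherV(), values only
        return {v for _, v in self.out[(node, ft)]}

    def in_values(self, node, ft):  # inE(ft).otherV(), values only
        return {v for _, v in self.inc[(node, ft)]}

    def aliases(self, obj_type, value):
        # repeat(outE('alias').otherV()).until(cyclicPath()) as a BFS that stops on revisits
        seen, todo = {value}, [value]
        while todo:
            for nxt in self.out_values((obj_type, todo.pop()), "alias"):
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    def actors_using_all(self, tools):  # assignment 9: actors using every listed tool
        return set.intersection(*(self.in_values(("tool", t), "uses") for t in tools))

    def orphan_techniques(self, tactic):  # assignment 12: no implementing tool, no using actor
        return {t for t in self.in_values(("tactic", tactic), "accomplishes")
                if not self.inc[(("technique", t), "implements")]
                and not self.inc[(("technique", t), "uses")]}
```

The alias set returned by aliases() is what you would feed into a second query (e.g. an indicator lookup) so that every known name of a tool is covered.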

Data Model

Nodes and Edges, excluding 'mentions'

Nodes and Edges, including 'mentions'

Facts connected to a single object

Attachments:

datamodel.png (image/png)
datamodel-mentions.png (image/png)
datamodel-single.png (image/png)