Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

GRIZZLY STEPPE Detection with SecurityCenter

Note: Tenable SecurityCenter is now Tenable.sc. To learn more about this application and its latest capabilities, visit the Tenable.sc web page.

Governments and businesses around the world are always potential targets for spear phishing campaigns and APTs like GRIZZLY STEPPE. On December 29, 2016 the U.S. Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a Joint Analysis Report (JAR-16-20296) which included technical details about activity tied to exploitation and the eventual compromise of systems within the United States. The U.S. government is referring to this malicious cyber threat as GRIZZLY STEPPE. The Joint Analysis Report includes GRIZZLY STEPPE indicators of compromise such as a YARA rule and suspicious IP addresses and DNS names. Global organizations must be vigilant about detecting these latest indicators of compromise. SecurityCenter® can easily scan for these indicators and alert on any detections.

How does GRIZZLY STEPPE work?

GRIZZLY STEPPE follows a familiar attack pattern. It targets unsuspecting users with a spear phishing campaign, enticing them to click on a malicious link. As soon as the link is clicked, malicious code is delivered and executed, establishing persistent remote access to that system via a Remote Access Tool (RAT), typically in the form of a web shell.

Once a persistent connection has been established, the next step usually involves escalating privileges and enumerating Active Directory accounts, leading to all sorts of nefarious activity.

Indicators of compromise

The Joint Analysis Report released by DHS and FBI included many Indicators of Compromise (IOCs) which organizations can use to assess if their systems have been compromised. The chief indicator among them is a YARA rule which detects a PHP web shell which was used as part of the GRIZZLY STEPPE campaign.

Here’s the YARA rule :

rule PAS_TOOL_PHP_WEB_KIT
{
meta:
   description = "PAS TOOL PHP WEB KIT FOUND" 
strings:
   $php = "<?php"
   $base64decode = /\='base'\.\(\d+\*\d+\)\.'_de'\.'code'/ 
   $strreplace = "(str_replace("
   $md5 = ".substr(md5(strrev("
   $gzinflate = "gzinflate"
   $cookie = "_COOKIE"
   $isset = "isset"
condition:
   (filesize > 20KB and filesize < 22KB) and
   #cookie == 2 and
   #isset == 3 and
   all of them
}

Tenable’s YARA pattern detection

Last year Tenable released SecurityCenter functionality to look for malicious files based on textual and binary patterns as defined by a YARA rule. You can use this functionality to detect the malicious PAS PHP web shell identified in the Joint Analysis Report on Windows systems. Here is a sample scan based on the GRIZZLY STEPPE YARA rule:

Create a Yara scan policy

  1. Click Scans -> Policies -> Add.
  2. Select Malware Scan.
  3. Enter a scan name.
  4. Click Malware and enable File System Scanning.
  5. Select the desired Directories and upload the Yara Rules File.
  6. Click Submit.
  7. Create and run a scan using the new policy.

YARA scan in SecurityCenter

You can also run a similar YARA scan in Nessus®. Refer to Threat Hunting with YARA and Nessus for instructions on creating a YARA scan in Nessus®.

Suspicious IP/DNS event analysis with SecurityCenter

In addition to the YARA rule, the Joint Analysis Report also included IP addresses and DNS names tied to malicious actors related to the GRIZZLY STEPPE campaign. While many false positives have been reported with these IP addresses and DNS names, you may still want to scan for them or use new more reliable sources if they become available. Using SecurityCenter, you can define a custom Watchlist asset list to look for any events within your organization which are tied to these suspicious IP addresses as follows:

Create a new asset list

  1. Click Assets -> Add -> Custom -> Watchlist.
  2. Create a file containing the IP addresses.
  3. Assign a name to the asset list, such as Grizzly Steppe IPs.
  4. Click Submit.

Analyze events

  1. Click Analysis -> Events.
  2. Configure Event Analysis to include Destination Asset and Source Asset.
  3. Select Grizzly Steppe IPs as the asset to watch.
  4. Select a timeframe of events to monitor.
  5. Click Apply All, and review the events.

SecurityCenter Event Analysis



Follow similar steps to create assets for malicious DNS names, with the caveat that you may get many false positives.

In addition to Watchlists, you can also add custom IPs, URLs or domains to the built-in threat detection in LCE®. This is done by creating custom files in the LCE plugins directory. Refer to the Tenable Community Discussion for more details.

Protecting your systems

Review activity to and from any suspicious IP addresses related to GRIZZLY STEPPE, especially if it appears to be performing a vulnerability scan. For any public facing Windows systems, run a scan with the YARA signature listed above and review any activity that might indicate a compromise.



Thanks to Rich Walchuck, John Chirhart and Andrew Flick for their contributions to this blog.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Tenable Vulnerability Management

Formerly Tenable.io


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin, Tenable Web App Scanning and Tenable Cloud Security.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin, Tenable Web App Scanning and Tenable Cloud Security.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management, Tenable Lumin and Tenable Cloud Security.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management, Tenable Web App Scanning and Tenable Cloud Security.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Cloud Security

Formerly Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now. To learn more about the trial process click here.

Your Tenable Cloud Security trial also includes Tenable Vulnerability Management, Tenable Lumin and Tenable Web App Scanning.

Contact a Sales Rep to Buy Tenable Cloud Security

Contact a Sales Representative to learn more about Tenable Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training