Mapping the Attack: Using Situations to Visualize an IcedID / Cobalt Strike Compromise

A real-world scenario

A couple of weeks ago, the Awake Labs team published a blog on the detection and investigation of Cobalt Strike Beacon which led to the uncovering of an IcedID infection. Today, we are going to take a deeper dive into a particular feature of the Awake Network Detection and Response (NDR) platform which we used to quickly map out the extent of the compromise, as well as provide a timeline and report for the customer. The Situations feature in the Awake platform enables incident response and security operations teams to collaboratively map out attack sequences; build a graphical storyboard of compromised devices and when they were impacted, as well as other relevant suspicious activities. A timeline of events is also automatically maintained.

In our case study, the first detection alerted the team to connections to the command and control (C2) domain: mazaksaedr23[.]space. The team started here and built the Situation out.

Building a Situation

It is possible to add a single artifact (such as a domain name, IP address or infected device) or a complete activity record (such as a connection from an infected device to a malicious domain) to a Situation.

To add a single artifact to a Situation, click on the context menu for the artifact and then ‘Add to a Situation’, as shown in Figure 1:

Figure 1: Adding the domain mazaksaedr23[.]space to a Situation

To add an activity record to a Situation, click on the context menu for the activity record of note and then ‘Add to a Situation’, as shown in Figure 2:

Figure 2: Adding an activity record to a Situation

In our case, we added the activity record to get a good starting point for the timeline. Adding an item to a Situation presents the option to create a new Situation, name it and assign a user. To demonstrate this, we created ‘Example Situation’ (Figure 3). We gave this particular entry the title: First beacon from X to Cobalt Strike C2 domain mazaksaedr23[.]space. We entered the ‘Role’ of this item within the attack chain as ‘Confirmed C2’ (you will recognize some of these roles from the MITRE ATT&CK framework – see Figure 4) and gave a short summary of the activity in the ‘Reason’ section.

Figure 3: Adding an item to a Situation

Figure 4: Examples of ‘Roles’ an activity can be given when added to a Situation

Whilst working through the investigation using this method it was critical, yet simple, to add each new finding to the Situation.

The Attack Map

When items are added in this manner throughout the course of the investigation, Ava, the Awake virtual analyst, automatically builds a graphical representation of affected devices and their additional related behavior. Figure 5 demonstrates the Attack Map, showing the devices connecting to the C2 domain from the initial alert.

Figure 5: Attack Map showing all items within the Situation that have direct relationships with mazaksaedr23[.]space

To navigate through the attack map, clicking on one of the arrows in a purple circle will show all items in the Situation with relationships to that node, as shown in Figure 6:

Figure 6: Attack Map showing all items within the Situation that have a direct relationship with the selected device

Timelining: Overview and IcedID Attack Sequence

The Overview section of the Situation allows the investigative team to write a summary (Figure 7), add tags, assign tasks and update status (Figure 8).

Figure 7: Situation Overview – summary and tags

Figure 8: Situation Overview – status, tasks and risk level

The IcedID Attack Sequence section of a Situation shows a timeline of events as demonstrated in Figures 9 and 10.

Figure 9: First few stages of the Situation in chronological order, showing the IcedID executables being downloaded

Figure 10: Timeline showing the cutover of the C2 domain from mazaksaedr23[.]space to agitopinaholop[.]uno
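The data model behind what the post describes, artifacts (devices, domains, IPs) as nodes, activity records as timestamped, role-tagged relationships between them, with the attack-map pivot (direct relationships of one node, Figures 5 and 6) and the chronological attack sequence including the C2 cutover (Figures 9 and 10), as an added Python example. It is not code from the original post or from the Awake platform. The device names, timestamps, the 'Payload download' role and the payload-host.example domain are constructed; the two C2 domains are the ones named in the post.

```python
"""Minimal model of an investigation 'Situation': artifacts as graph nodes,
activity records as timestamped edges, with an attack-map pivot and a
chronological timeline. Added example; not Awake platform code."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Activity:
    ts: datetime
    src: str      # artifact that initiated the activity (usually a device)
    dst: str      # artifact it reached (domain or IP)
    role: str     # role in the attack chain, e.g. 'Confirmed C2'
    reason: str   # analyst's short justification


@dataclass
class Situation:
    name: str
    assignee: str
    artifacts: set = field(default_factory=set)
    activities: list = field(default_factory=list)
    edges: dict = field(default_factory=lambda: defaultdict(set))

    def add_artifact(self, artifact):
        """Add a single artifact (domain, IP, device) with no activity yet."""
        self.artifacts.add(artifact)

    def add_activity(self, ts_iso, src, dst, role, reason):
        """Add a complete activity record; both endpoints become artifacts."""
        ts = datetime.fromisoformat(ts_iso.replace("Z", "+00:00"))
        act = Activity(ts, src, dst, role, reason)
        self.activities.append(act)
        self.artifacts.update((src, dst))
        self.edges[src].add(dst)
        self.edges[dst].add(src)
        return act

    def related(self, artifact):
        """Attack-map pivot: every artifact with a direct relationship to `artifact`."""
        return set(self.edges.get(artifact, ()))

    def timeline(self):
        """Attack sequence: activity records in chronological order."""
        return sorted(self.activities, key=lambda a: a.ts)

    def first_seen(self, role):
        """Destinations tagged with `role`, ordered by first appearance.
        For 'Confirmed C2' this exposes a cutover from one domain to the next."""
        seen = {}
        for a in self.timeline():
            if a.role == role and a.dst not in seen:
                seen[a.dst] = a.ts
        return sorted(seen.items(), key=lambda kv: kv[1])


def build_example_situation():
    """Constructed records mirroring the stages the post describes (added out of
    chronological order to show that the timeline sorts them)."""
    s = Situation(name="Example Situation", assignee="analyst")
    s.add_artifact("mazaksaedr23[.]space")            # the initial detection
    s.add_activity("2021-05-05T09:00:00Z", "WS-01", "agitopinaholop[.]uno",
                   "Confirmed C2", "Beacon moves to new C2 domain (constructed)")
    s.add_activity("2021-05-03T08:10:00Z", "WS-01", "mazaksaedr23[.]space",
                   "Confirmed C2", "First beacon to Cobalt Strike C2 domain (constructed)")
    s.add_activity("2021-05-03T11:45:00Z", "WS-02", "mazaksaedr23[.]space",
                   "Confirmed C2", "Second host beaconing to same C2 (constructed)")
    s.add_activity("2021-05-03T08:02:00Z", "WS-01", "payload-host.example",
                   "Payload download", "IcedID executable downloaded (constructed)")
    return s


def render_timeline(situation):
    """One line per activity, in the order an analyst would present them."""
    return [f"{a.ts:%Y-%m-%d %H:%MZ}  {a.src} -> {a.dst}  [{a.role}]  {a.reason}"
            for a in situation.timeline()]


if __name__ == "__main__":
    sit = build_example_situation()
    print("Related to mazaksaedr23[.]space:", sorted(sit.related("mazaksaedr23[.]space")))
    print("\n".join(render_timeline(sit)))
    print("C2 first seen:", [(d, f"{t:%Y-%m-%d}") for d, t in sit.first_seen("Confirmed C2")])
```

The pivot is undirected on purpose: selecting a device shows the domains it reached and selecting a domain shows every device that reached it, which is what Figures 5 and 6 illustrate.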

Collaborative working and presentation

The Situation is saved and accessible on the platform, which enables flexible and collaborative working between Awake’s Managed Network Detection and Response (MNDR) team and our customers. In this instance, we were able to share this with our customer so they could quickly view and stay up to date on the investigative work. In addition to this, it is possible to export the Situation into PDF (Figure 11). This puts the timeline into a presentable offline format that can easily be reviewed with C-level executives, to clearly demonstrate the IcedID attack sequence to them using the Overview as an Executive Summary.

Figure 11: Page from the PDF report showing the first stage of the Attack Sequence in the timeline with the corresponding section of the Attack Map

Summary and Conclusion

Reporting and presenting the findings of an investigation can often be time-consuming and require significant effort to pull together. Using the Situations feature of the Awake NDR product, it is simple to build, maintain, and report on key findings in a collaborative manner.

Kieran Evans

Threat Hunting and Incident Response Specialist