Mapping the Attack: Using Situations to Visualize an IcedID / Cobalt Strike Compromise
A real-world scenario
A couple of weeks ago, the Awake Labs team published a blog on the detection and investigation of Cobalt Strike Beacon, which led to the uncovering of an IcedID infection. Today, we take a deeper dive into a particular feature of the Awake Network Detection and Response (NDR) platform that we used to quickly map out the extent of the compromise and to provide a timeline and report for the customer. The Situations feature in the Awake platform enables incident response and security operations teams to collaboratively map out attack sequences and build a graphical storyboard of compromised devices, when they were impacted, and other relevant suspicious activity. A timeline of events is also maintained automatically.
In our case study, the first detection alerted the team to connections to the command and control (C2) domain: mazaksaedr23[.]space. The team started here and built the Situation out.
Building a Situation
It is possible to add a single artifact (such as a domain name, IP address or infected device) or a complete activity record (such as a connection from an infected device to a malicious domain) to a Situation.
To add a single artifact to a Situation, click on the context menu for the artifact and then ‘Add to a Situation’, as shown in Figure 1:
To add an activity record to a Situation, click on the context menu for the activity record of note and then ‘Add to a Situation’, as shown in Figure 2:
Figure 2: Adding an activity record to a Situation
In our case, we added the activity record to get a good starting point for the timeline. Adding an item to a Situation presents the option to create a new Situation, name it and assign a user. To demonstrate this, we created ‘Example Situation’ (Figure 3). We gave this particular entry the title: First beacon from X to Cobalt Strike C2 domain mazaksaedr23[.]space. We entered the ‘Role’ of this item within the attack chain as ‘Confirmed C2’ (you will recognize some of these roles from the MITRE ATT&CK framework; see Figure 4) and gave a short summary of the activity in the ‘Reason’ section.
Figure 3: Adding an item to a Situation
Figure 4: Examples of ‘Roles’ an activity can be given when added to a Situation
Whilst working through the investigation in this way, adding each new finding to the Situation as it was made was critical, yet simple to do.
The Attack Map
When items are added in this manner throughout the course of the investigation, Ava, the Awake virtual analyst, automatically builds a graphical representation of the affected devices and their related suspicious behavior. Figure 5 shows the Attack Map with the devices connecting to the C2 domain from the initial alert.
Figure 5: Attack Map showing all items within the Situation that have direct relationships with mazaksaedr23[.]space
Figure 6: Attack Map showing all items within the Situation that have a direct relationship with the selected device
Timelining: Overview and IcedID Attack Sequence
Figure 7: Situation Overview – summary and tags
Figure 8: Situation Overview – status, tasks and risk level
The IcedID Attack Sequence section of a Situation shows a timeline of events as demonstrated in Figures 9 and 10.
Figure 9: First few stages of the Situation in chronological order, showing the IcedID executables being downloaded
Figure 10: Timeline showing the cutover of the C2 domain from mazaksaedr23[.]space to agitopinaholop[.]uno
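To make the concepts behind a Situation concrete, here is an added example (not the Awake platform's code) that models items with a title, role and reason, keeps a timeline sorted automatically, derives the Attack Map's direct-relationship view, and surfaces the C2 cutover from mazaksaedr23[.]space to agitopinaholop[.]uno. Host names, timestamps and the ‘Payload Download’ role are constructed placeholders; ‘Confirmed C2’ is the role used in the investigation.

```python
# Added example: a minimal model of a Situation (not the Awake product's code).
from collections import defaultdict
from datetime import datetime


class Situation:
    def __init__(self, name):
        self.name = name
        self.items = []                 # findings, in the order the analyst added them
        self.edges = defaultdict(set)   # attack map: artifact -> directly related artifacts

    def add_item(self, when, title, role, reason, source=None, target=None):
        """Record one finding; when it links two artifacts, add the attack-map edge."""
        self.items.append({"when": datetime.fromisoformat(when), "title": title,
                           "role": role, "reason": reason,
                           "source": source, "target": target})
        if source and target:
            self.edges[source].add(target)
            self.edges[target].add(source)

    def timeline(self):
        """Chronological attack sequence, independent of the order findings were added."""
        return sorted(self.items, key=lambda i: i["when"])

    def related(self, artifact):
        """Attack Map view: every item with a direct relationship to the selected artifact."""
        return sorted(self.edges.get(artifact, set()))

    def c2_sequence(self):
        """C2 domains in order of first contact; a second entry indicates a cutover."""
        seen = []
        for item in self.timeline():
            if item["role"] == "Confirmed C2" and item["target"] not in seen:
                seen.append(item["target"])
        return seen


def build_example():
    """Constructed records using the two C2 domains from the investigation."""
    s = Situation("Example Situation")
    # Deliberately added out of chronological order to show the timeline is sorted.
    s.add_item("2024-01-02T08:00:00", "host-B beacons to Cobalt Strike C2 domain",
               "Confirmed C2", "Beacon check-in", "host-B", "mazaksaedr23[.]space")
    s.add_item("2024-01-01T10:00:00", "IcedID executable downloaded by host-A",
               "Payload Download", "Loader retrieved (constructed role)", "host-A")
    s.add_item("2024-01-01T10:05:00", "First beacon from host-A to Cobalt Strike C2 domain",
               "Confirmed C2", "Beacon check-in", "host-A", "mazaksaedr23[.]space")
    s.add_item("2024-01-03T12:00:00", "host-A cuts over to new C2 domain",
               "Confirmed C2", "Beacon check-in to replacement C2", "host-A", "agitopinaholop[.]uno")
    return s
```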
Collaborative working and presentation
The Situation is saved and accessible on the platform, which enables flexible and collaborative working between Awake’s Managed Network Detection and Response (MNDR) team and our customers. In this instance, we were able to share it with our customer so they could quickly view and stay up to date on the investigative work. The Situation can also be exported to PDF (Figure 11). This puts the timeline into a presentable offline format that can easily be reviewed with C-level executives, using the Overview as an Executive Summary to clearly demonstrate the IcedID attack sequence to them.
Figure 11: Page from the PDF report showing the first stage of the Attack Sequence in the timeline with the corresponding section of the Attack Map
Summary and Conclusion
Reporting and presenting the findings of an investigation can often be time-consuming and require significant effort to pull together. Using the Situations feature of the Awake NDR product, it is simple to build, maintain, and report on key findings in a collaborative manner.
Threat Hunting and Incident Response Specialist