Rapid Breach Response

This playbook does the following:

Collect indicators to aid in your threat hunting process.

• Retrieve IOCs of FireEye red team tools.
• Discover IOCs of associated activity related to the infection.
• Generate an indicator list to block indicators with SUNBURST tags.

Hunt for the indicators

• Search endpoints with the FireEye red team tools CVEs.
• Search endpoint logs for FireEye red team tools hashes.
• Search and link previous incidents with the FireEye hashes.

If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.

This playbook includes the following tasks:

• Search for the Security Notice email sent from Codecov.
• Collect indicators to be used in your threat hunting process.
• Query network logs to detect related activity.
• Search for the use of Codecov bash uploader in GitHub repositories
• Query Panorama to search for logs with related anti-spyware signatures
  • Data Exfiltration Traffic Detection
  • Malicious Modified Shell Script Detection
    Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

More information:
Codecov Security Notice

On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations.
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
This playbook includes the following tasks:

• Collect IOCs to be used in your threat hunting process
• Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts
• Block known indicators
  ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

This manual playbook should be used as a sub-playbook in the 'SolarStorm and SUNBURST Hunting and Response' playbook and it helps you hunt for suspicious behavior related to SolarStorm activity.

Sources:

• https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
• https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/
• https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html

The playbook can be triggered manually or automatically by setting up a reoccurring job.

Microsoft has released a security update in June 2021 Patch Tuesday for CVE-2021-1675, a Local Privilege Escalation vulnerability in the Print Spooler Service. Later that month, researchers found another method to exploit the Print Spooler service remotely, which raised the severity of the vulnerability due to the fact that the new method allows Remote Code Execution, a new ID was given to the critical vulnerability - CVE-2021-34527.

Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online.

**Update 7.8.2021 - Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in "Install Microsoft spooler service patches" task.

This playbook includes the following tasks:

• Manual actions to mitigate the exploit
• Search Vulnerable Devices using the CVE
• Query SIEM, FW, XDR to detect malicious activity and compromised hosts
• Run Dedicated Detection and Response playbook for Cortex XDR

More details on the vulnerabilities:
CVE-2021-1675 LPE
CVE-2021-34527 RCE

** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers pointed out a ransomware outbreak in their environments.
Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints.

This playbook should be trigger manually and includes the following tasks:

• Collect related known indicators from several sources.
• Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS, Cortex XDR and SIEM products.
  • Splunk advanced queries can be modified through the playbook inputs.
  • QRadar query is done using Reference Set and "QRadar Indicator Hunting V2" playbook
• Search for internet facing Kaseya VSA servers using Xpanse.
• Block indicators automatically or manually.
• Provide advanced hunting and detection capabilities.
• Mitigation using Kaseya On-Premises and SaaS patch.

More information:
Kaseya Incident Overview & Technical Details

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

This playbook does the following:

• Collect indicators to aid in your threat hunting process.
  • Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin).
  • Retrieve C2 domains and URLs associated with Sunburst.
  • Discover IOCs of associated activity related to the infection.
  • Generate an indicator list to block indicators with SUNBURST tags.
• Hunt for the SUNBURST backdoor
  • Query firewall logs to detect network activity.
  • Search endpoint logs for Sunburst hashes to detect presence on hosts.
    If compromised hosts are found:
• Notify security team to review and trigger remediation response actions.
• Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.

Sources:
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/
https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html

This playbook is responsible for setting up the Rapid Breach Response Incident Info tab in the layout.

This playbook includes the following tasks:
Collect indicators to be used in your threat hunting process Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities Discover IOCs related to the attack Query firewall logs to detect malicious network activity Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSOAR 5.5.0). Block indicators Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Sources: https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed.
The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0.
This playbook should be trigger manually and includes the following tasks:

• Enrich related known CVEs and Malware Hashes used by the suspected APT actor.
• Search for unpatched endpoints vulnerable to the exploits.
• Search network facing system using Expanse for relevant issues.
• Indicators and known webshells hunting using SIEM products.
• Block indicators automatically or manually.
• Provide different mitigations that has been publicly published such as:
  • Patches
  • Workarounds
  • Yara and Snort Rules

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

More information:
Exploitation of Pulse Connect Secure Vulnerabilities

Rapid Breach Response dynamic section, will show the updated number of indicators found.

Rapid Breach Response dynamic section, will show the updated number of hunting tasks.

Rapid Breach Response dynamic section, will show the updated number of remaining tasks.

Deprecated. Use "ParseHTMLIndicators" instead. Parse Volexity request blog.

Rapid Breach Response dynamic section, will show the updated number of completed tasks.

Rapid Breach Response dynamic section, will show the updated number of remediation tasks.

Rapid Breach Response dynamic section, will show the updated number of mitigation tasks.

Rapid Breach Response dynamic section, will show the updated number of eradication tasks.

Rapid Breach Response dynamic section, will show the updated number of tasks to complete.

This playbook does the following:

Collect indicators to aid in your threat hunting process.

• Retrieve IOCs of FireEye red team tools.
• Discover IOCs of associated activity related to the infection.
• Generate an indicator list to block indicators with SUNBURST tags.

Hunt for the indicators

• Search endpoints with the FireEye red team tools CVEs.
• Search endpoint logs for FireEye red team tools hashes.
• Search and link previous incidents with the FireEye hashes.

If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.

This playbook includes the following tasks:

• Search for the Security Notice email sent from Codecov.
• Collect indicators to be used in your threat hunting process.
• Query network logs to detect related activity.
• Search for the use of Codecov bash uploader in GitHub repositories
• Query Panorama to search for logs with related anti-spyware signatures
  • Data Exfiltration Traffic Detection
  • Malicious Modified Shell Script Detection
    Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

More information:
Codecov Security Notice

On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations.
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
This playbook includes the following tasks:

• Collect IOCs to be used in your threat hunting process
• Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts
• Block known indicators
  ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

This manual playbook should be used as a sub-playbook in the 'SolarStorm and SUNBURST Hunting and Response' playbook and it helps you hunt for suspicious behavior related to SolarStorm activity.

Sources:

• https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
• https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/
• https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html

The playbook can be triggered manually or automatically by setting up a reoccurring job.

Microsoft has released a security update in June 2021 Patch Tuesday for CVE-2021-1675, a Local Privilege Escalation vulnerability in the Print Spooler Service. Later that month, researchers found another method to exploit the Print Spooler service remotely, which raised the severity of the vulnerability due to the fact that the new method allows Remote Code Execution, a new ID was given to the critical vulnerability - CVE-2021-34527.

Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online.

**Update 7.8.2021 - Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in "Install Microsoft spooler service patches" task.

This playbook includes the following tasks:

• Manual actions to mitigate the exploit
• Search Vulnerable Devices using the CVE
• Query SIEM, FW, XDR to detect malicious activity and compromised hosts
• Run Dedicated Detection and Response playbook for Cortex XDR

More details on the vulnerabilities:
CVE-2021-1675 LPE
CVE-2021-34527 RCE

** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers pointed out a ransomware outbreak in their environments.
Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints.

This playbook should be trigger manually and includes the following tasks:

• Collect related known indicators from several sources.
• Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS, Cortex XDR and SIEM products.
  • Splunk advanced queries can be modified through the playbook inputs.
  • QRadar query is done using Reference Set and "QRadar Indicator Hunting V2" playbook
• Search for internet facing Kaseya VSA servers using Xpanse.
• Block indicators automatically or manually.
• Provide advanced hunting and detection capabilities.
• Mitigation using Kaseya On-Premises and SaaS patch.

More information:
Kaseya Incident Overview & Technical Details

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

This playbook does the following:

• Collect indicators to aid in your threat hunting process.
  • Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin).
  • Retrieve C2 domains and URLs associated with Sunburst.
  • Discover IOCs of associated activity related to the infection.
  • Generate an indicator list to block indicators with SUNBURST tags.
• Hunt for the SUNBURST backdoor
  • Query firewall logs to detect network activity.
  • Search endpoint logs for Sunburst hashes to detect presence on hosts.
    If compromised hosts are found:
• Notify security team to review and trigger remediation response actions.
• Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.

Sources:
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/
https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html

This playbook is responsible for setting up the Rapid Breach Response Incident Info tab in the layout.

This playbook includes the following tasks:
Collect indicators to be used in your threat hunting process Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities Discover IOCs related to the attack Query firewall logs to detect malicious network activity Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSIAM 5.5.0). Block indicators Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Sources: https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed.
The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0.
This playbook should be trigger manually and includes the following tasks:

• Enrich related known CVEs and Malware Hashes used by the suspected APT actor.
• Search for unpatched endpoints vulnerable to the exploits.
• Search network facing system using Expanse for relevant issues.
• Indicators and known webshells hunting using SIEM products.
• Block indicators automatically or manually.
• Provide different mitigations that has been publicly published such as:
  • Patches
  • Workarounds
  • Yara and Snort Rules

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

More information:
Exploitation of Pulse Connect Secure Vulnerabilities

Rapid Breach Response dynamic section, will show the updated number of indicators found.

Rapid Breach Response dynamic section, will show the updated number of hunting tasks.

Rapid Breach Response dynamic section, will show the updated number of remaining tasks.

Deprecated. Use "ParseHTMLIndicators" instead. Parse Volexity request blog.

Rapid Breach Response dynamic section, will show the updated number of completed tasks.

Rapid Breach Response dynamic section, will show the updated number of remediation tasks.

Rapid Breach Response dynamic section, will show the updated number of mitigation tasks.

Rapid Breach Response dynamic section, will show the updated number of eradication tasks.

Rapid Breach Response dynamic section, will show the updated number of tasks to complete.