How to use Security Validation and VirusTotal to measure your Internet Security Controls

In this post, I will show you how to use VirusTotal and Mandiant Security Validation to validate that your internet security controls can detect and/or prevent command and control communication for a malware sample.

As a security analyst, you have been tasked with validating whether your network security controls can detect and/or prevent Cobalt Strike command and control communication.

The steps will be as follows:

  1. Find the Cobalt Strike malware sample that triggered both crowdsourced IDS and YARA rules.
  2. Download the PCAP artifacts of the malware.
  3. Create network actions by importing the PCAP.
  4. Run the network actions between an internal actor (representing a victim PC) and a cloud actor (representing the adversary C2 server).
  5. Validate the efficacy of the internet security controls and address any gaps.

With access to VirusTotal, you can search using the following filter:

crowdsourced_ids:"Cobalt Strike" crowdsourced_ids:"Beacon" crowdsourced_yara_rule:CobaltStrike

The filter returns a list of files uploaded to VirusTotal that generated network traffic detected by the crowdsourced IDS rules and that matched one or more of the Cobalt Strike YARA rules.

Out of these I picked the following interesting sample: artifact.exe (SHA-256: bac119d2db4efdad6c6b264942e0e10ec5c3d919480b8ed2b25a747ad4e8a96e)

Going through the details of the sample, it is definitely malicious and matches 3 YARA rules and 4 Cobalt Strike IDS rules. This means we have a good sample representing real, working malware.
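The sample selection in steps 1 and 2 can be scripted instead of clicked through. The following is an added example, not code from the original post or from VirusTotal, that builds the same search filter, applies the post's selection rule (crowdsourced IDS hits naming Cobalt Strike or Beacon, plus crowdsourced YARA matches naming CobaltStrike) to a VT file object, and fetches the sandbox PCAP. It assumes the v3 endpoints `/intelligence/search` (a VT Enterprise feature) and `/file_behaviours/<sha256>_<sandbox name>/pcap`, and the attribute names `crowdsourced_ids_results` and `crowdsourced_yara_results`, as documented in the public API; `SAMPLE_FILE_OBJECT` is constructed to mimic that shape and is not a real response.

```python
"""Added example (not from the original post or VirusTotal): automate
steps 1 and 2 of the write-up against the VirusTotal API v3 using only the
standard library. Assumptions: endpoint paths and attribute names follow
the public v3 docs; SAMPLE_FILE_OBJECT is constructed, not real VT data."""
import json
import os
import urllib.parse
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"

# The same filter the post types into the VT search box.
C2_FILTER = (
    'crowdsourced_ids:"Cobalt Strike" crowdsourced_ids:"Beacon" '
    'crowdsourced_yara_rule:CobaltStrike'
)

# SHA-256 of the sample the post selected.
SAMPLE_SHA256 = "bac119d2db4efdad6c6b264942e0e10ec5c3d919480b8ed2b25a747ad4e8a96e"

# Constructed stand-in for a VT file object: 4 Cobalt Strike IDS hits and
# 3 CobaltStrike YARA matches (as in the post), plus one unrelated hit of
# each kind so the filtering in c2_evidence() is actually exercised.
SAMPLE_FILE_OBJECT = {
    "data": {
        "type": "file",
        "id": SAMPLE_SHA256,
        "attributes": {
            "sha256": SAMPLE_SHA256,
            "crowdsourced_ids_results": [
                {"rule_msg": "Cobalt Strike Beacon default profile (constructed)"},
                {"rule_msg": "Cobalt Strike C2 checkin (constructed)"},
                {"rule_msg": "Possible Cobalt Strike Beacon (constructed)"},
                {"rule_msg": "Beacon HTTP profile (constructed)"},
                {"rule_msg": "Generic suspicious user agent (constructed)"},
            ],
            "crowdsourced_yara_results": [
                {"rule_name": "CobaltStrike_Beacon_Config", "ruleset_name": "constructed"},
                {"rule_name": "Cobalt_Strike_Loader", "ruleset_name": "constructed"},
                {"rule_name": "cobaltstrike_sleep_mask", "ruleset_name": "constructed"},
                {"rule_name": "Generic_Packed_Binary", "ruleset_name": "constructed"},
            ],
        },
    }
}


def build_search_url(query: str, limit: int = 10) -> str:
    """VT Intelligence search URL for a query string (Enterprise feature)."""
    params = urllib.parse.urlencode({"query": query, "limit": limit})
    return f"{VT_API}/intelligence/search?{params}"


def build_pcap_url(sha256: str, sandbox: str = "VirusTotal Jujubox") -> str:
    """PCAP artifact URL for one sandbox's behaviour report. The report id
    is '<sha256>_<sandbox name>' (assumption from the v3 docs), so the
    space in the sandbox name must be percent-encoded."""
    report_id = urllib.parse.quote(f"{sha256}_{sandbox}", safe="")
    return f"{VT_API}/file_behaviours/{report_id}/pcap"


def c2_evidence(file_obj: dict) -> dict:
    """Apply the post's selection rule to a VT file object: the sample must
    have crowdsourced IDS hits naming Cobalt Strike/Beacon AND crowdsourced
    YARA matches naming CobaltStrike. Returns the counts for the report."""
    attrs = file_obj.get("data", file_obj).get("attributes", {})
    ids_hits = [
        r for r in attrs.get("crowdsourced_ids_results", [])
        if any(k in r.get("rule_msg", "").lower() for k in ("cobalt strike", "beacon"))
    ]
    yara_hits = [
        r for r in attrs.get("crowdsourced_yara_results", [])
        if "cobaltstrike" in r.get("rule_name", "").replace("_", "").lower()
    ]
    return {
        "sha256": attrs.get("sha256"),
        "ids_rules": len(ids_hits),
        "yara_rules": len(yara_hits),
        "qualifies": bool(ids_hits) and bool(yara_hits),
    }


def vt_get_json(url: str, api_key: str) -> dict:
    """GET a VT v3 endpoint and decode the JSON body (network call)."""
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def download_pcap(sha256: str, api_key: str, out_path: str) -> int:
    """Save the sandbox PCAP for sha256 to out_path; returns bytes written."""
    req = urllib.request.Request(build_pcap_url(sha256), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=60) as resp, open(out_path, "wb") as fh:
        data = resp.read()
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    # Offline demonstration on the constructed object.
    print(build_search_url(C2_FILTER))
    print(c2_evidence(SAMPLE_FILE_OBJECT))
    # Live use needs VT_API_KEY in the environment (and Enterprise access for search).
    key = os.environ.get("VT_API_KEY")
    if key:
        for hit in vt_get_json(build_search_url(C2_FILTER), key).get("data", []):
            ev = c2_evidence({"data": hit})
            if ev["qualifies"]:
                print(ev, "->", download_pcap(ev["sha256"], key, f"{ev['sha256']}.pcap"), "bytes")
                break
```

Run it with `VT_API_KEY` set to pull the first qualifying hit and its PCAP; without the key it only evaluates the constructed object, which is enough to check the selection logic before pointing it at live results.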

Let's download the PCAP: go to BEHAVIOR, click Download Artifacts, and download the PCAP from the VirusTotal Jujubox sandbox.

Next, upload the PCAP to Mandiant Security Validation: go to Library --> Actions --> Add Action --> Select from PCAP, and upload the file in the Upload Pcap File form.

Everything looks good and nothing needs to change in the Conversations form, so click Next.
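It helps to know what the Conversations form is showing before you accept it: the TCP/UDP endpoint pairs the import found in the capture, which are exactly what the replayed action will send between the two actors. The following added example, not code from the original post or from Mandiant Security Validation, is a small pure-Python reader for classic libpcap files that produces that conversation list. The capture it parses is constructed inline (RFC 5737 addresses, checksums left at zero), not the sandbox PCAP from the post; point `conversations()` at the bytes of a downloaded PCAP to check it the same way.

```python
"""Added example (not from the original post or Mandiant Security
Validation): list the bidirectional TCP/UDP conversations in a classic
(libpcap) PCAP file. The sample capture is constructed here, not the
VirusTotal sandbox PCAP from the post."""
import socket
import struct
from collections import OrderedDict


def _frame(src_ip, sport, dst_ip, dport, proto, payload):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame; IP and L4 checksums are 0."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    if proto == 6:   # TCP: PSH|ACK, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload
    else:            # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def build_sample_pcap() -> bytes:
    """Constructed capture: a 3-packet TCP exchange on 443 and one DNS query."""
    frames = [
        _frame("10.0.0.5", 49152, "203.0.113.10", 443, 6, b"client-hello"),
        _frame("203.0.113.10", 443, "10.0.0.5", 49152, 6, b"server-hello"),
        _frame("10.0.0.5", 49152, "203.0.113.10", 443, 6, b"ack-data"),
        _frame("10.0.0.5", 53001, "10.0.0.2", 53, 17, b"dns-query"),
    ]
    # Global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 = Ethernet
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out = [header]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1715946000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def conversations(pcap: bytes) -> list:
    """Group packets into bidirectional TCP/UDP conversations.

    Returns one dict per conversation: protocol, the endpoint that sent the
    first packet (client), its peer (server), packet and byte counts.
    Non-IPv4 frames and other transport protocols are skipped."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng and nanosecond variants not handled)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}; only Ethernet is parsed")
    convs = OrderedDict()
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                              # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 4:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        name = "tcp" if proto == 6 else "udp"
        # Direction-independent key so both halves of the exchange land together.
        key = (name, tuple(sorted([(src, sport), (dst, dport)])))
        conv = convs.setdefault(key, {"proto": name, "client": f"{src}:{sport}",
                                      "server": f"{dst}:{dport}", "packets": 0, "bytes": 0})
        conv["packets"] += 1
        conv["bytes"] += orig_len
    return list(convs.values())


if __name__ == "__main__":
    for c in conversations(build_sample_pcap()):
        print(c)
```

For a real sandbox capture, `conversations(open("artifact.pcap", "rb").read())` should show the C2 endpoint pair you expect to see blocked; if the list is empty or only contains DNS, the PCAP is not going to exercise the control you want to test.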

In the Create PCAP Action form, add the necessary information as shown, then save the action.

Go back to Library --> Actions, select the action you created, and click Run.

In the Job Definition form, select your Source and Destination Actors, then click Run Now.

Wait a few minutes and then view the results. As you can see, the Cobalt Strike communication has been blocked.

The Next Generation Firewall (Palo Alto) successfully detected and prevented the communication. The logs and alerts were sent to the SIEM (QRadar).

Excellent job! Now you can demonstrate with evidence that your internet security controls, along with SIEM integration, can detect and prevent command and control communications relevant to the threats that matter to your organization.
