forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cisa_aa22_277a.yml
18 lines (18 loc) · 1.22 KB
/
cisa_aa22_277a.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
name: CISA AA22-277A
id: db408f93-e915-4215-9962-5fada348bdd7
version: 1
date: '2022-10-05'
author: Michael Haag, Splunk
description: From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.
narrative: CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.
references:
- https://www.cisa.gov/uscert/ncas/alerts/aa22-277a
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf
tags:
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection