Detecting techniques in the Orangeworm attack group

Scenario: You work in a hospital that uses outdated and insecure technology. Despite how vocal you've been about the need to upgrade, your hospital uses older operating systems and often neglects to patch computers. You are concerned about the attack group Orangeworm stealing patient information to sell on the black market or to engage in corporate espionage. You are also concerned that the group will infect your network computers and use malware to control medical devices, such as MRI and X-ray machines. 

How Splunk software can help

The Splunk Security Research team developed this use case to help you detect a number of the associated techniques, such as use of command-line arguments and of sc.exe, a non-essential Windows file that can manipulate Windows services. It also helps you get more information on web hosts that you suspect have been compromised.

What you need 

To succeed in implementing this use case, you need the following dependencies, resources, and information.

People

The best person to implement this use case is a security analyst, threat hunter, or security tools engineer  who is familiar with how their Splunk installation is consuming Microsoft Sysmon and Windows event logs or logs generated by other EDR tools. This person might come from your team, a Splunk partner, or Splunk OnDemand Services.

Time

Detecting a potential Orangeworm attack using Splunk software can last from 1 to  24 hours.

Technologies 

The following technologies, data, and integrations are useful in successfully implementing this use case: 

• Splunk Enterprise or Splunk Cloud
• Common Information Model
• Data sources onboarded
  • Authentication data
  • Endpoint data
  • Web server data

How to use Splunk software for this use case

You can run many searches with Splunk software to help with a potential Orangeworm attack. Depending on what information you have available, you'll likely first want to run the following baseline searches: 

• Previously seen command line argument
• Previously seen Windows service

After you have established baselines, you can run the following detection searches: 

• First time seen command line argument
• First time seen Windows service
• Sc.exe manipulating Windows services
  

Finally, you can then investigate the triggered detection using these searches:

• Authentication logs for an endpoint
• Processes running on a host
• Web activity from a host

Other steps you can take

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

• Ingesting command-line arguments from endpoint detection and response (EDR) technologies
• Having an incident response template or automation setup for quarantining a machine as quickly as possible to avoid lateral movement

Related resources 

These additional Splunk resources might help you understand and implement this use case:

• Conf Talk: How we built an efficient healthcare privacy monitoring platform

How to assess your results

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

• Changes in execution patterns: In a typical environment, most endpoint processes listed do not change their execution pattern. While assessing the results of these detections, the analysts should investigate the parent process that originated the execution.
• Unseen processes: Parent processes like Word.exe, Powerpoint.exe, or a process completely unseen before are the usual indicators of malicious activity.