GET A DEMO
See why 9,000+ companies trust Darktrace
Thanks, your request has been received
A member of our team will be in touch with you shortly.
YOU MAY FIND INTERESTING
Five Key Takeaways from Black Hat 2023
Hives & Frankensteins: The Half-Year Threat Report
Oops! Something went wrong while submitting the form.

Blog

Inside the SOC

Darktrace vs Cobalt Strike: How Antigena intercepted and delayed a Cobalt Strike intrusion

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
05
Apr 2022
05
Apr 2022
An attacker exploited vulnerabilities in Log4j to install Bughatch, Cobalt Strike Beacon, and NetSupport onto an Internet-facing VMware Exchange server within the network of a Darktrace customer. By inhibiting the attacker’s subsequent attempts to communicate with the compromised server, Antigena Network likely prevented ransomware from being deployed.

In December 2021 several CVEs[1] were issued for the Log4j vulnerabilities that sent security teams into a global panic. Threat actors are now continuously scanning external infrastructure for evidence of the vulnerability to deploy crypto-mining malware.[2] However, through December ‘21 – February ‘22, it was ransomware groups that seized the initiative.

Compromise

In January 2022, a Darktrace customer left an external-facing VMware server unpatched allowing Cobalt Strike to be successfully installed. Several IoCs indicate that Cuba Ransomware operators were behind the attack. Thanks to the Darktrace SOC service, the customer was notified of the active threat on their network, and Antigena’s Autonomous Response was able to keep the attackers at bay before encryption events took place.

Initially the VMware server breached two models relating to an anomalous script download and a new user agent both connecting via HTTP. As referenced in an earlier Darktrace blog, both of these models had been seen in previous Log4j exploits. As with all Darktrace models however, the model deck is not designed to detect only one exploit, infection variant, or APT.

Figure 1: Darktrace models breaching due to the malicious script download

Analyst investigation

A PCAP of the downloaded script showed that it contained heavily obfuscated JavaScript. After an OSINT investigation a similar script was uncovered which likely breached the same Yara rules.

Figure 2: PCAP of the Initial HTTP GET request for the Windows Script component

Figure 3: PCAP of the initial HTTP response containing obfuscated JavaScript

Figure 4: A similar script that has been observed installing additional payloads after an initial infection[3]

While not an exact match, this de-obfuscated code shared similarities to those seen when downloading other banking trojans.

Having identified on the Darktrace UI that this was a VMware server, the analyst isolated the incoming external connections to the server shortly prior to the HTTP GET requests and was able to find an IP address associated with Log4j exploit attempts.

Figure 5: Advanced Search logs showing incoming SSL connections from an IP address linked to Log4j exploits

Through Advanced Search the analyst identified spikes shortly prior and immediately after the download. This suggested the files were downloaded and executed by exploiting the Log4j vulnerability.

Antigena response

Figure 6: AI Analyst reveals both the script downloads and the unusual user agent associated with the connections

Figure 7: Antigena blocked all further connections to these endpoints following the downloads

Cobalt Strike

Cobalt Strike is a popular tool for threat actors as it can be used to perform a swathe of MITRE ATT&CK techniques. In this case the threat actor attempted command and control tactics to pivot through the network, however, Antigena responded promptly when the malware attempted to communicate with external infrastructure.

On Wednesday January 26, the DNS beacon attempted to connect to malicious infrastructure. Antigena responded, and a Darktrace SOC analyst issued an alert.

Figure 8: A Darktrace model detected the suspicious DNS requests and Antigena issued a response

The attacker changed their strategy by switching to a different server “bluetechsupply[.]com” and started issuing commands over TLS. Again, Darktrace detected these connections and AI Analyst reported on the incident (Figure 9, below). OSINT sources subsequently indicated that this destination is affiliated with Cobalt Strike and was only registered 14 days prior to this incident.

Figure 9: AI Analyst summary of the suspicious beaconing activity

Simultaneous to these connections, the device scanned multiple internal devices via an ICMP scan and then scanned the domain controller over key TCP ports including 139 and 445 (SMB). This was followed by an attempt to write an executable file to the domain controller. While Antigena intervened in the file write, another Darktrace SOC analyst was issuing an alert due to the escalation in activity.

Figure 10: AI Analyst summary of the .dll file that Antigena intercepted to the Windows/temp directory of the domain controller

Following the latest round of Antigena blocks, the threat actor attempted to change methods again. The VMware server utilised the Remote Access Tool/Trojan NetSupport Manager in an attempt to install further malware.

Figure 11: Darktrace reveals the attacker changing tactics

Despite this escalation, Darktrace yet again blocked the connection.

Perhaps due to an inability to connect to C2 infrastructure, the attack stopped in its tracks for around 12 hours. Thanks to Antigena and the Darktrace SOC team, the security team had been afforded time to remediate and recover from the active threat in their network. Interestingly, Darktrace detected a final attempt at pivoting from the machine, with an unusual PowerShell Win-RM connection to an internal machine. The modern Win-RM protocol typically utilises port 5985 for HTTP connections however pre-Windows 7 machines may use Windows 7 indicating this server was running an old OS.

Figure 12: Darktrace detects unusual PowerShell usage

Cuba Ransomware

While no active encryption appears to have taken place for this customer, a range of IoCs were identified which indicated that the threat actor was the group being tracked as UNC2596, the operators of Cuba Ransomware.[4]

These IoCs include: one of the initially dropped files (komar2.ps1,[5] revealed by AI Analyst in Figure 6), use of the NetSupport RAT,[6] and Cobalt Strike beaconing.[7] These were implemented to maintain persistence and move laterally across the network.

Cuba Ransomware operators prefer to exfiltrate data to their beacon infrastructure rather than using cloud storage providers, however no evidence of upload activity was observed on the customer’s network.

Concluding thoughts

Unpatched, external-facing VMware servers vulnerable to the Log4j exploit are actively being targeted by threat actors with the aim of ransomware detonation. Without using rules or signatures, Darktrace was able to detect all stages of the compromise. While Antigena delayed the attack, forcing the threat actor to change C2 servers constantly, the Darktrace analyst team relayed their findings to the security team who were able to remediate the compromised machines and prevent a final ransomware payload from detonating.

For Darktrace customers who want to find out more about Cobalt Strike, refer here for an exclusive supplement to this blog.

Appendix

Darktrace model detections

Initial Compromise:

  • Device / New User Agent To Internal Server
  • Anomalous Server Activity / New User Agent from Internet Facing System
  • Experimental / Large Number of Suspicious Successful Connections

Breaches from Critical Devices / DC:

  • Device / Large Number of Model Breaches
  • Antigena / Network / External Threat / Antigena File then New Outbound Block
  • Device / SMB Lateral Movement
  • Experimental / Unusual SMB Script Write V2
  • Compliance / High Priority Compliance Model Breach
  • Anomalous Server Activity / Anomalous External Activity from Critical Network Device
  • Experimental / Possible Cobalt Strike Server IP V2

Lateral Movement:

  • Antigena / Network / Insider Threat / Antigena Internal Anomalous File Activity
  • Compliance / SMB Drive Write
  • Anomalous File / Internal / Executable Uploaded to DC
  • Experimental / Large Number of Suspicious Failed Connections
  • Compromise / Suspicious Beaconing Behaviour
  • Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Anomalous Connection / High Volume of Connections to Rare Domain
  • Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Network Scan Activity:

  • Device / Suspicious SMB Scanning Activity
  • Experimental / Network Scan V2
  • Device / ICMP Address Scan
  • Experimental / Possible SMB Scanning Activity
  • Experimental / Possible SMB Scanning Activity V2
  • Antigena / Network / Insider Threat / Antigena Network Scan Block
  • Device / Network Scan
  • Compromise / DNS / Possible DNS Beacon
  • Device / Internet Facing Device with High Priority Alert
  • Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

DNS / Cobalt Strike Activity:

  • Experimental / Possible Cobalt Strike Server IP
  • Experimental / Possible Cobalt Strike Server IP V2
  • Antigena / Network / External Threat / Antigena File then New Outbound Block
  • Antigena / Network / External Threat / Antigena Suspicious File Block
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous File / Script from Rare External Location

MITRE ATT&CK techniques observed

IoCs

Thanks to Brianna Leddy, Sam Lister and Marco Alanis for their contributions.

Footnotes

1.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44530
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104

2. https://www.toolbox.com/it-security/threat-reports/news/log4j-vulnerabilities-exploitation-attempts

3. https://twitter.com/ItsReallyNick/status/899845845906071553

4. https://www.mandiant.com/resources/unc2596-cuba-ransomware

5. https://www.ic3.gov/Media/News/2021/211203-2.pdf

6. https://threatpost.com/microsoft-exchange-exploited-cuba-ransomware/178665/

7. https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/

8. https://gist.github.com/blotus/f87ed46718bfdc634c9081110d243166

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Dylan Evans
Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
share this article
CATEGORIES
McLaren
PREVENT
RESPOND
Cloud
Ransomware
Inside the SOC
Thought Leadership
Crypto
Email
Threat Finds
OT
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
RELATED BLOGS
No items found.
Trending blogs
1
Moving Beyond XDR to Achieve True Cyber Resilience with Darktrace ActiveAI Security Platform
Apr 9, 2024
2
Managing Risk Beyond CVE Scores With the Latest Innovations to Darktrace/OT
Apr 9, 2024
3
Looking Beyond Secure Email Gateways with the Latest Innovations to Darktrace/Email
Apr 7, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
Beyond DMARC: Navigating the Gaps in Email Security
Feb 29, 2024

More in this series

No items found.

Blog

Email

How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC

Default blog imageDefault blog image
08
May 2024

Why do we pay attention to the end user?

Every email security solution filters inbound mail, then typically hands over false positives and false negatives to the security team for manual triage. A crucial problem with this lifecycle is that it ignores the inevitability of end users being at the front line of any organization. Employees may receive point in time security awareness training, but it is rarely engaging or contextualized to their reality. While an employee may report a suspicious-looking email to the security team, they will rarely get to understand the outcome or impact of that decision. This means that the quality of reporting never improves, so the burden on the security team of triaging these emails – of which 90% are falsely reported – persists and grows with the business over time.

At Darktrace, we recognize that employees will always be on the front line of email security. That’s why we aim to improve end-user reporting from the ground up, reducing the overall number of emails needing triage and saving security team resource.

How does Darktrace improve the quality of end-user reporting?

Darktrace prioritizes improving users’ security awareness to increase the quality of end-user reporting from day one. We train users and optimize their experience, which in turn provides better detection. 

That starts with training and security awareness. Traditionally, organizations oblige employees to attend point-in-time training sessions which interrupt their daily work schedules. With Darktrace/Email, if a message contains some potentially suspicious markers but is most likely safe, Darktrace takes a specific action to neutralize the risky components and presents it to the user with a simple narrative explaining why certain elements have been held back. The user can then decide whether to report this email to the security team. 

AI shares its analysis in context and in real time at the moment a user is questioning an email
Figure 1: AI shares its analysis in context and in real time at the moment a user is questioning an email

The AI narrative gives the user context for why their specific email may carry risk, putting their security awareness training into practice. This creates an element of trust with the security solution, rather than viewing it as outside of daily workflows. Users may also receive a daily or weekly digest of their held emails and make a decision on whether to release or report them.  

Whatever the user’s existing workflow is for reporting emails, Darktrace/Email can integrate with it and improve its quality. Our add-in for Outlook gives users a fully optimized experience, allowing them to engage with the narratives for each email, as well as non-productive mail management. However, if teams want to integrate Darktrace into an existing workflow, it can analyze emails reported to an internal SOC mailbox, the native email provider’s 'Report Phish’ button, or the ‘Knowbe4’ button.

By empowering the user with contextual feedback on each unique email, we foster employee engagement and elevate both reporting quality and security awareness. In fact, 60% fewer benign emails are reported because of the extra context supplied by Darktrace to end users. The eventual report is then fed back to the detection algorithm, improving future decision-making.  

Reducing the amount of emails that reach the SOC

Out of the higher-quality emails that do end up being reported by users, the next step is to reduce the amount of emails that reach the SOC.   

Once a user reports an email, Darktrace will independently determine if the mail should be automatically remediated based on second level triage. Darktrace/Email’s Mailbox Security Assistant automates secondary triage by combining additional behavioral signals and the most advanced link analysis engine we have ever built. It detects 70% more sophisticated malicious phishing links by looking at an additional twenty times more context than at the primary analysis stage, revealing the hidden intent within interactive and dynamic webpages. This directly alleviates the burden of manual triage for security analysts.

Following this secondary triage the emails that are deemed worthy of security team attention are then passed over, resulting in a lower quantity and higher quality of emails for SOC manual triage.

Centralizing and speeding analysis for investigations

For those emails that are received by the SOC, Darktrace also helps to improve triage time for manual remediation.  

AI-generated narratives and automated remediation actions empower teams to fast-track manual triage and remediation, while still providing security analysts with the necessary depth. With live inbox view, security teams gain access to a centralized platform that combines intuitive search capabilities, Cyber AI Analyst reports, and mobile application access. With all security workflows consolidated within a unified interface, users can analyze and take remediation actions without the need to navigate multiple tools, such as e-discovery platforms – eliminating console hopping and accelerating incident response.

Our customers tell us that our AI allows them to go in-depth quickly for investigations, versus other solutions that only provide a high-level view.

Cyber AI Analyst provides a simple language narrative for each reported email, allowing teams to quickly understand why it may be suspicious
Figure 2: Cyber AI Analyst provides a simple language narrative for each reported email, allowing teams to quickly understand why it may be suspicious

Conclusion

Unlike our competitors, we believe that improving the quality of users’ experience is not only a nice-to-have, but a fundamental means for improving security. Any modern solution should consider end users as a key source of information as well as an opportunity for defense. Darktrace does both – optimizing the user experience as well as our AI learning from the user to augment detection.  

The benefits of empowering users are ultimately felt by the security team, who benefit from improved detection, a reduction in manual triage of benign emails, and faster investigation workflows.

Augmented end user reporting is just one of a range of features new to Darktrace/Email. Check out the latest Innovations to Darktrace/Email in our recent blog.

Continue reading
About the author
Carlos Gray
Product Manager

Blog

Inside the SOC

Detecting Attacks Across Email, SaaS, and Network Environments with Darktrace’s AI Platform Approach

Default blog imageDefault blog image
30
Apr 2024

The State of AI in Cybersecurity

In a recent survey outlined in Darktrace’s State of AI Cyber Security whitepaper, 95% of cyber security professionals agree that AI-powered security solutions will improve their organization’s detection of cyber-threats [1]. Crucially, a combination of multiple AI methods is the most effective to improve cybersecurity; improving threat detection, accelerating threat investigation and response, and providing visibility across an organization’s digital environment.

In March 2024, Darktrace’s AI-led security platform was able to detect suspicious activity affecting a customer’s email, Software-as-a-Service (SaaS), and network environments, whilst its applied supervised learning capability, Cyber AI Analyst, autonomously correlated and connected all of these events together in one single incident, explained concisely using natural language processing.

Attack Overview

Following an initial email attack vector, an attacker logged into a compromised SaaS user account from the Netherlands, changed inbox rules, and leveraged the account to send thousands of phishing emails to internal and external users. Internal users fell victim to the emails by clicking on contained suspicious links that redirected them to newly registered suspicious domains hosted on same IP address as the hijacked SaaS account login. This activity triggered multiple alerts in Darktrace DETECT™ on both the network and SaaS side, all of which were correlated into one Cyber AI Analyst incident.

In this instance, Darktrace RESPOND™ was not active on any of the customer’s environments, meaning the compromise was able to escalate until their security team acted on the alerts raised by DETECT. Had RESPOND been enabled at the time of the attack, it would have been able to apply swift actions to contain the attack by blocking connections to suspicious endpoints on the network side and disabling users deviating from their normal behavior on the customer’s SaaS environment.

Nevertheless, thanks to DETECT and Cyber AI Analyst, Darktrace was able to provide comprehensive visibility across the customer’s three digital estate environments, decreasing both investigation and response time which enabled them to quickly enact remediation during the attack. This highlights the crucial role that Darktrace’s combined AI approach can play in anomaly detection cyber defense

Attack Details & Darktrace Coverage

Attack timeline

1. Email: the initial attack vector  

The initial attack vector was likely email, as on March 18, 2024, Darktrace observed a user device making several connections to the email provider “zixmail[.]net”, shortly before it connected to the first suspicious domain. Darktrace/Email identified multiple unusual inbound emails from an unknown sender that contained a suspicious link. Darktrace recognized these emails as potentially malicious and locked the link, ensuring that recipients could not directly click it.

Suspected initial compromise email from an unknown sender, containing a suspicious link, which was locked by Darktrace/Email.
Figure 1: Suspected initial compromise email from an unknown sender, containing a suspicious link, which was locked by Darktrace/Email.

2. Escalation to Network

Later that day, despite Darktrace/Email having locked the link in the suspicious email, the user proceeded to click on it and was directed to a suspicious external location, namely “rz8js7sjbef[.]latovafineart[.]life”, which triggered the Darktrace/Network DETECT model “Suspicious Domain”. Darktrace/Email was able to identify that this domain had only been registered 4 days before this activity and was hosted on an IP address based in the Netherlands, 193.222.96[.]9.

3. SaaS Account Hijack

Just one minute later, Darktrace/Apps observed the user’s Microsoft 365 account logging into the network from the same IP address. Darktrace understood that this represented unusual SaaS activity for this user, who had only previously logged into the customer’s SaaS environment from the US, triggering the “Unusual External Source for SaaS Credential Use” model.

4. SaaS Account Updates

A day later, Darktrace identified an unusual administrative change on the user’s Microsoft 365 account. After logging into the account, the threat actor was observed setting up a new multi-factor authentication (MFA) method on Microsoft Authenticator, namely requiring a 6-digit code to authenticate. Darktrace understood that this authentication method was different to the methods previously used on this account; this, coupled with the unusual login location, triggered the “Unusual Login and Account Update” DETECT model.

5. Obfuscation Email Rule

On March 20, Darktrace detected the threat actor creating a new email rule, named “…”, on the affected account. Attackers are typically known to use ambiguous or obscure names when creating new email rules in order to evade the detection of security teams and endpoints users.

The parameters for the email rule were:

“AlwaysDeleteOutlookRulesBlob: False, Force: False, MoveToFolder: RSS Feeds, Name: ..., MarkAsRead: True, StopProcessingRules: True.”

This rule was seemingly created with the intention of obfuscating the sending of malicious emails, as the rule would move sent emails to the "RSS Feeds” folder, a commonly used tactic by attackers as the folder is often left unchecked by endpoint users. Interestingly, Darktrace identified that, despite the initial unusual login coming from the Netherlands, the email rule was created from a different destination IP, indicating that the attacker was using a Virtual Private Network (VPN) after gaining a foothold in the network.

Hijacked SaaS account making an anomalous login from the unusual Netherlands-based IP, before creating a new email rule.
Figure 2: Hijacked SaaS account making an anomalous login from the unusual Netherlands-based IP, before creating a new email rule.

6. Outbound Phishing Emails Sent

Later that day, the attacker was observed using the compromised customer account to send out numerous phishing emails to both internal and external recipients. Darktrace/Email detected a significant spike in inbound emails on the compromised account, with the account receiving bounce back emails or replies in response to the phishing emails. Darktrace further identified that the phishing emails contained a malicious DocSend link hidden behind the text “Click Here”, falsely claiming to be a link to the presentation platform Prezi.

Figure 3: Darktrace/Email detected that the DocSend link displayed via text “Click Here”, was embedded in a Prezi link.
Figure 3: Darktrace/Email detected that the DocSend link displayed via text “Click Here”, was embedded in a Prezi link.

7. Suspicious Domains and Redirects

After the phishing emails were sent, multiple other internal users accessed the DocSend link, which directed them to another suspicious domain, “thecalebgroup[.]top”, which had been registered on the same day and was hosted on the aforementioned Netherlands-based IP, 193.222.96[.]91. At the time of the attack, this domain had not been reported by any open-source intelligence (OSINT), but it has since been flagged as malicious by multiple vendors [2].

External Sites Summary showing the suspicious domain that had never previously been seen on the network. A total of 11 “Suspicious Domain” models were triggered in response to this activity.
Figure 4: External Sites Summary showing the suspicious domain that had never previously been seen on the network. A total of 11 “Suspicious Domain” models were triggered in response to this activity.  

8. Cyber AI Analyst’s Investigation

As this attack was unfolding, Darktrace’s Cyber AI Analyst was able to autonomously investigate the events, correlating them into one wider incident and continually adding a total of 14 new events to the incident as more users fell victim to the phishing links.

Cyber AI Analyst successfully weaved together the initial suspicious domain accessed in the initial email attack vector (Figure 5), the hijack of the SaaS account from the Netherlands IP (Figure 6), and the connection to the suspicious redirect link (Figure 7). Cyber AI Analyst was also able to uncover other related activity that took place at the time, including a potential attempt to exfiltrate data out of the customer’s network.

By autonomously analyzing the thousands of connections taking place on a network at any given time, Darktrace’s Cyber AI Analyst is able to detect seemingly separate anomalous events and link them together in one incident. This not only provides organizations with full visibility over potential compromises on their networks, but also saves their security teams precious time ensuring they can quickly scope out the ongoing incident and begin remediation.

Figure 5: Cyber AI Analyst correlated the attack’s sequence, starting with the initial suspicious domain accessed in the initial email attack vector.
Figure 5: Cyber AI Analyst correlated the attack’s sequence, starting with the initial suspicious domain accessed in the initial email attack vector.
Figure 6: As the attack progressed, Cyber AI Analyst correlated and appended additional events to the same incident, including the SaaS account hijack from the Netherlands-based IP.
Figure 6: As the attack progressed, Cyber AI Analyst correlated and appended additional events to the same incident, including the SaaS account hijack from the Netherlands-based IP.
Cyber AI Analyst correlated and appended additional events to the same incident, including additional users connecting to the suspicious redirect link following the outbound phishing emails being sent.
Figure 7: Cyber AI Analyst correlated and appended additional events to the same incident, including additional users connecting to the suspicious redirect link following the outbound phishing emails being sent.

Conclusion

In this scenario, Darktrace demonstrated its ability to detect and correlate suspicious activities across three critical areas of a customer’s digital environment: email, SaaS, and network.

It is essential that cyber defenders not only adopt AI but use a combination of AI technology capable of learning and understanding the context of an organization’s entire digital infrastructure. Darktrace’s anomaly-based approach to threat detection allows it to identify subtle deviations from the expected behavior in network devices and SaaS users, indicating potential compromise. Meanwhile, Cyber AI Analyst dynamically correlates related events during an ongoing attack, providing organizations and their security teams with the information needed to respond and remediate effectively.

Credit to Zoe Tilsiter, Analyst Consulting Lead (EMEA), Brianna Leddy, Director of Analysis

Appendices

References

[1] https://darktrace.com/state-of-ai-cyber-security

[2] https://www.virustotal.com/gui/domain/thecalebgroup.top

Darktrace DETECT Model Coverage

SaaS Models

- SaaS / Access / Unusual External Source for SaaS Credential Use

- SaaS / Compromise / Unusual Login and Account Update

- SaaS / Compliance / Anomalous New Email Rule

- SaaS / Compromise / Unusual Login and New Email Rule

Network Models

- Device / Suspicious Domain

- Multiple Device Correlations / Multiple Devices Breaching Same Model

Cyber AI Analyst Incidents

- Possible Hijack of Office365 Account

- Possible SSL Command and Control

Indicators of Compromise (IoCs)

IoC – Type – Description

193.222.96[.]91 – IP – Unusual Login Source

thecalebgroup[.]top – Domain – Possible C2 Endpoint

rz8js7sjbef[.]latovafineart[.]life – Domain – Possible C2 Endpoint

https://docsend[.]com/view/vcdmsmjcskw69jh9 - Domain - Phishing Link

Continue reading
About the author
Zoe Tilsiter
Cyber Analyst
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.