Catching Lazarus: Threat Intelligence to Real Detection Logic - Part One
By Guillaume Couchard, Qimin Wang and Thiam Loong Siew on 25 September, 2020
Introduction
This is the first of two blog posts from the F-Secure Countercept team discussing how the Tactics, Techniques and Procedures (TTPs) used by the Lazarus Group in a recent campaign can be turned into detection logic. In this post we will share open source Sigma[1] rules and actionable detection insights to enable blue teams to detect attacks using the same or similar techniques. The foundation of this work is a report[2] from the F-Secure Threat Intelligence Team which exposed and detailed some of the Lazarus Group’s current modus operandi. Our second blog will look at further techniques employed by the Lazarus Group once they establish a foothold on a network.
From the Threat Intelligence report, we know that the Lazarus Group employed varying techniques across the MITRE ATT&CK® Matrix[3] …
IoC
66.181.166.15
http://66.181.166.15:8080/uc
https
https://bit.ly/2vvLE0n
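The indicators above are only useful once they are wired into something that reads telemetry. The following is an added example, not code from the F-Secure post, that matches the three indicators listed here against web-proxy log lines. The log format (a Squid-like "timestamp client method url status" line), the sample lines, and the function names (url_key, classify, scan) are all constructed for illustration; the indicators themselves are the ones the page lists. It normalises URLs so that a bare host:port from a CONNECT line, a request that omits the default port, and a request to the C2 address on a different path are each handled deliberately rather than missed by a plain string comparison.

```python
"""Match the Lazarus indicators on this page against proxy log lines.

Added example, not part of the original post. Indicators are taken from the
IoC list above; the log format and sample lines are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Indicators from the IoC list on this page.
IOC_IPS = {"66.181.166.15"}
IOC_URLS = {
    "http://66.181.166.15:8080/uc",
    "https://bit.ly/2vvLE0n",
}


def url_key(url: str, default_port: int | None = None) -> tuple[str, int | None, str]:
    """Normalise a URL, or a bare host:port as logged for CONNECT, to (host, port, path).

    The host is lowercased; the path is not, because bit.ly short codes are
    case-sensitive. A missing port falls back to the scheme default, then to
    default_port.
    """
    raw = url.strip()
    if "://" not in raw:
        raw = "//" + raw  # lets urlsplit treat 'host:port' as a netloc
    parts = urlsplit(raw)
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None:
        port = {"http": 80, "https": 443}.get(parts.scheme, default_port)
    path = parts.path.rstrip("/") or "/"
    return host, port, path


# Derived once so matching is a set lookup, not a string search.
IOC_URL_KEYS = {url_key(u) for u in IOC_URLS}

# Constructed, hypothetical proxy log format: <epoch> <client_ip> <method> <url> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line: str) -> dict[str, str] | None:
    """Return the fields of one log line, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(url: str, method: str = "GET") -> list[str]:
    """Return the indicator types a request matches, most specific first.

    - ioc_url: exact host, port and path match against a listed URL.
    - ioc_ip:  any contact with the listed C2 address, whatever port or path,
               because the page lists the bare IP as an indicator in its own right.
    The bit.ly host alone is never a hit: the short link is the indicator, the
    shortener is not, and a TLS CONNECT to bit.ly hides the path from the proxy.
    """
    host, port, path = url_key(url, 443 if method == "CONNECT" else None)
    hits: list[str] = []
    if (host, port, path) in IOC_URL_KEYS:
        hits.append("ioc_url")
    if host in IOC_IPS:
        hits.append("ioc_ip")
    return hits


def scan(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client, url, hits) for every parseable line that matches an indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["url"], rec["method"])
        if hits:
            findings.append((rec["client"], rec["url"], hits))
    return findings


# Constructed sample log: two true positives, two partial matches, two benign lines.
SAMPLE_LOG = """\
1600000001 10.0.0.5 GET http://66.181.166.15:8080/uc 200
1600000002 10.0.0.5 GET https://bit.ly/2vvLE0n 301
1600000003 10.0.0.7 CONNECT 66.181.166.15:443 200
1600000004 10.0.0.9 GET http://66.181.166.15/uc 404
1600000005 10.0.0.9 GET https://bit.ly/someothercode 301
1600000006 10.0.0.9 GET https://example.com/uc 200
""".splitlines()


if __name__ == "__main__":
    for client, url, hits in scan(SAMPLE_LOG):
        print(f"{client}\t{url}\t{','.join(hits)}")
```

Run against the constructed log, the first two lines match on the full URL, the CONNECT to the C2 address on 443 and the request that drops the :8080 port match on the IP only, and the two benign lines produce nothing. The split between url and ip hits is the point worth keeping in real detection logic: an IP indicator should fire on any port, while a URL indicator should not be loosened to a host match, or bit.ly traffic will bury the one short link that matters.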