Threat Horizons-Cloud Threat Intelligence
Contents
Threat Horizons
Cloud Threat Intelligence
November 2021. Issue 1
Providing threat intelligence to those in the Cloud
Part of offering a secure cloud computing platform is providing cloud users with cybersecurity threat
intelligence so they can configure their environments and defenses in the manner most specific to
their needs. Google's Cybersecurity Action Team is pleased to publish the first issue of the Threat
Horizons report. The report is based on threat intelligence observations from the Threat Analysis Group
(TAG), Google Cloud Threat Intelligence for Chronicle, Trust and Safety, and other internal teams. It
provides actionable intelligence that enables organizations to ensure their cloud environments are best
protected against ever-evolving threats. In this and future threat intelligence reports, Google will
provide threat horizon scanning, trend tracking, and Early Warning announcements about emerging
threats requiring immediate action.
___
Summary of Observations
While cloud customers continue to face a variety of threats across applications and infrastructure,
many successful attacks are due to poor hygiene and a lack of …
IoC
rule UC_ttp_BlackMatter__RegKeys {
  meta:
    author = "Google Cloud Threat Intelligence"
    description = "Known registry keys used by Black Matter"
  events:
    // Suppressing the OOBE privacy settings screen so the unattended reboot is silent
    ($e.principal.registry.registry_key = /software\\policies\\microsoft\\windows\\oobe/ nocase and
     $e.principal.registry.registry_value_name = "disableprivacyexperience" nocase) or
    // Storing the screen's resolution in the registry. The 8-character key regex is loose
    // on its own (it also matches SOFTWARE\Microsoft); the hScreen/vScreen value name,
    // matched case-sensitively, is what makes this clause specific.
    ($e.principal.registry.registry_key = /SOFTWARE\\[A-Za-z0-9]{8}/ and
     ($e.principal.registry.registry_value_name = /hScreen/ or
      $e.principal.registry.registry_value_name = /vScreen/)) or
    // RunOnce key with a pseudo-random AAA000aaa-style value name
    ($e.principal.registry.registry_key = /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce/ nocase and
     $e.principal.registry.registry_value_name = /[A-Z]{3}[0-9]{3}[a-z]{3}/)
  condition:
    $e
}

rule UC_ttp_BlackMatter__SafeBoot {
  meta:
    author = "Google Cloud Threat Intelligence"
    description = "Detects a machine's configuration being changed to safe boot"
    ext_description = "Known command line for Black Matter's SafeBoot"
  events:
    // bootcfg (boot.ini-era systems): enter safe mode with networking, later restore normal boot
    ($e.principal.process.file.full_path = /bootcfg/ nocase and
     ($e.principal.process.command_line = /\/raw \/a \/safeboot:network \/id 1/ or
      $e.principal.process.command_line = /\/raw \/fastdetect \/id 1/)) or
    // bcdedit (BCD-store systems): the same pair of operations. bcdedit has no /raw switch
    // and the braces in {current} must be escaped for the regex engine, so these patterns
    // match the documented "bcdedit /set {current} safeboot network" and
    // "bcdedit /deletevalue {current} safeboot" forms.
    ($e.principal.process.file.full_path = /bcdedit/ nocase and
     ($e.principal.process.command_line = /\/set \{current\} safeboot network/ or
      $e.principal.process.command_line = /\/deletevalue \{current\} safeboot/))
  condition:
    $e
}
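To see what these two rules will and will not fire on before loading them into Chronicle, the following is an added Python harness, not code from the report or from Google, that renders the same matching logic with Python's re module and runs it over a few constructed events. YARA-L's unanchored `field = /regex/` comparison is rendered as re.search and `nocase` as re.IGNORECASE; the flat dotted-key event dicts, the SAMPLE_EVENTS values and the run_rules helper are assumptions of this harness, not Chronicle's UDM objects. The bcdedit patterns are written for the documented `bcdedit /set {current} safeboot network` form, since bcdedit has no /raw switch.

```python
import re
from typing import Dict, List, Optional

# Field names mirror the UDM paths the YARA-L rules reference. Events in this
# harness are flat dicts keyed by dotted path (an assumption of the harness,
# not Chronicle's real event object).
REG_KEY = "principal.registry.registry_key"
REG_VALUE = "principal.registry.registry_value_name"
PROC_PATH = "principal.process.file.full_path"
PROC_CMD = "principal.process.command_line"


def _matches(pattern: str, text: Optional[str], nocase: bool = False) -> bool:
    """YARA-L's `field = /regex/` is an unanchored search, hence re.search."""
    if text is None:
        return False
    return re.search(pattern, text, re.IGNORECASE if nocase else 0) is not None


def blackmatter_regkeys(event: Dict[str, str]) -> bool:
    """Python rendering of UC_ttp_BlackMatter__RegKeys."""
    key, value = event.get(REG_KEY), event.get(REG_VALUE)
    if key is None or value is None:
        return False
    # OOBE privacy screen suppressed (string equality, case-insensitive).
    if (_matches(r"software\\policies\\microsoft\\windows\\oobe", key, nocase=True)
            and value.lower() == "disableprivacyexperience"):
        return True
    # Screen resolution parked under an 8-character key. The key regex alone also
    # matches e.g. SOFTWARE\Microsoft, so the (case-sensitive) value name does the work.
    if (_matches(r"SOFTWARE\\[A-Za-z0-9]{8}", key)
            and (_matches("hScreen", value) or _matches("vScreen", value))):
        return True
    # RunOnce entry with a pseudo-random AAA000aaa-style value name.
    if (_matches(r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", key, nocase=True)
            and _matches(r"[A-Z]{3}[0-9]{3}[a-z]{3}", value)):
        return True
    return False


def blackmatter_safeboot(event: Dict[str, str]) -> bool:
    """Python rendering of UC_ttp_BlackMatter__SafeBoot."""
    path, cmd = event.get(PROC_PATH), event.get(PROC_CMD)
    if path is None or cmd is None:
        return False
    if _matches("bootcfg", path, nocase=True) and (
            _matches(r"/raw /a /safeboot:network /id 1", cmd)
            or _matches(r"/raw /fastdetect /id 1", cmd)):
        return True
    if _matches("bcdedit", path, nocase=True) and (
            _matches(r"/set \{current\} safeboot network", cmd)
            or _matches(r"/deletevalue \{current\} safeboot", cmd)):
        return True
    return False


RULES = {
    "UC_ttp_BlackMatter__RegKeys": blackmatter_regkeys,
    "UC_ttp_BlackMatter__SafeBoot": blackmatter_safeboot,
}


def run_rules(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {rule_name: [ids of events that fired]} for a batch of events."""
    hits: Dict[str, List[str]] = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev["id"])
    return hits


# Constructed sample events (not real telemetry): three that should fire and
# three benign look-alikes that should not.
SAMPLE_EVENTS = [
    {"id": "reg-oobe", REG_KEY: r"HKLM\SOFTWARE\Policies\Microsoft\Windows\OOBE",
     REG_VALUE: "DisablePrivacyExperience"},
    {"id": "reg-runonce", REG_KEY: r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     REG_VALUE: "QWE123xyz"},
    {"id": "proc-bcdedit", PROC_PATH: r"C:\Windows\System32\bcdedit.exe",
     PROC_CMD: "bcdedit /set {current} safeboot network"},
    {"id": "reg-runonce-benign", REG_KEY: r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     REG_VALUE: "WindowsUpdateCleanup"},
    {"id": "proc-bcdedit-benign", PROC_PATH: r"C:\Windows\System32\bcdedit.exe",
     PROC_CMD: "bcdedit /enum"},
    {"id": "proc-bootcfg-benign", PROC_PATH: r"C:\Windows\System32\bootcfg.exe",
     PROC_CMD: "bootcfg /query"},
]

if __name__ == "__main__":
    for rule_name, ids in run_rules(SAMPLE_EVENTS).items():
        print(f"{rule_name}: {ids}")
```

Running the harness shows the RegKeys rule firing only on the OOBE and the random-looking RunOnce events, and the SafeBoot rule only on the `bcdedit /set {current} safeboot network` event; the benign RunOnce entry, `bcdedit /enum` and `bootcfg /query` stay quiet. Extending SAMPLE_EVENTS with your own environment's noisy RunOnce value names is a quick way to gauge the false-positive rate of the `[A-Z]{3}[0-9]{3}[a-z]{3}` clause before enabling the rule.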