Synapse-Mandiant User Guide

Synapse-Mandiant adds new Storm commands to allow you to query the Mandiant Advantage API using your existing API key.

Getting Started

Check with your Cortex admin to have the required permissions enabled and to find out whether you need a personal API key.

Examples

Setting your personal API key

To set up a personal API key:

> mandiant.advantage.setup.apikey --self myapikey myapisecret
Setting Mandiant Advantage API key for the current user.

Retrieve indicator details

Enrich nodes and yield the results:

> hash:sha256#myhash | mandiant.advantage.indicators --yield
[['rep', 'rep.mandiant', 'rep.mandiant.apt29', 'rep.mandiant.beacon'], {'adds': [], 'dels': []}]
hash:md5=cbc1dc536cd6f4fb9648e229e5d23361
        .created = 2024/03/28 14:47:29.585
        .seen = ('2021/05/25 15:44:34.000', '2021/09/17 22:16:32.000')
        :_mandiant:icscore = 100
        #rep.mandiant = (2021/05/25 15:44:34.000, 2021/09/17 22:16:32.000)
        #rep.mandiant.apt29
        #rep.mandiant.beacon

Pivot to malware associated with an indicator:

> hash:sha256#myhash -> file:bytes -> #* -> risk:tool:software:tag
risk:tool:software=dbb7ee75ae799f64c5a5f57ab9fcac70
        .created = 2024/03/28 14:47:30.294
        :reporter = e961a43c0cee3fbcf7aeb4c567989be7
        :reporter:name = mandiant
        :soft:name = beacon
        :tag = rep.mandiant.beacon

Pivot to a threat cluster associated with an indicator:

> hash:sha256#myhash -> file:bytes -> #* -> risk:threat:tag
risk:threat=18f170d52f16976a705e1386c629d370
        .created = 2024/03/28 14:47:30.174
        :name = apt29 (mandiant)
        :org:name = apt29
        :reporter = e961a43c0cee3fbcf7aeb4c567989be7
        :reporter:name = mandiant
        :tag = rep.mandiant.apt29

Ingest reports

If Synapse-FileParser is installed on the Cortex, the downloaded PDF version of each report is parsed automatically. In the examples below it is not installed, so a warning is produced instead.

Ingest reports within a timebox:

> mandiant.advantage.reports --time ("2022-05-15", "+30days") --size 5 --yield
WARNING: Mandiant Advantage API /v4/report/22-00014120/indicators connection reset or timed out
WARNING: No storm module named fileparser matching version requirement >=4.13.1,<5.0.0
media:news=cda3c49db9b0c9dfd035279f2d798f76
        .created = 2024/03/28 14:47:31.069
        .seen = ('2022/06/13 19:19:52.403', '2022/06/13 19:19:52.404')
        :ext:id = 22-00014120
        :file = sha256:dd7ebad783a8a52b32884a3a4bead3b8a8b663a43c955dee3134285707d87203
        :published = 2022/06/13 19:19:52.403
        :publisher:name = mandiant
        :summary = Researchers at the Massachusetts Institute of Technology (MIT) say they have uncovered a new hardware attack dubbed "PACMAN" that is rooted in pointer authentication codes (PACs), has been demonstrated to work against Apple's M1 processor chipset, and could potentially be exploited by attackers to achieve arbitrary code execution (RCE) on macOS systems. According to MIT researchers Joseph Ravichandran, Weon Taek Na, Jay Lang, and Mengjia Yan, PACMAN uses "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity." The researchers add that, more concerning, is the fact that "while the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be." According to Apple, a PAC is a cryptographic hash that protects a pointer to ensure its integrity. However, PACMAN "removes the primary barrier to conducting control-flow hijacking attacks on a platform protected using pointer authentication." Apple goes on to state that PACMAN combines memory corruption and speculative execution to bypass the PAC security feature, leaking "PAC verification results via microarchitectural side channels without causing any crashes." Researchers assert, "This attack has important implications for designers looking to implement future processors featuring pointer authentication, and has broad implications for the security of future control-flow integrity primitives."
        :title = mit researchers discover new flaw in apple m1 cpus that can't be patched
        :url = https://advantage.mandiant.com/reports/22-00014120
        :url:fqdn = advantage.mandiant.com
        #rep.mandiant.news_analysis
WARNING: Mandiant Advantage API /v4/report/22-00014119/indicators connection reset or timed out
media:news=5e6d88c41a0ed3569d7c573c9a868ef6
        .created = 2024/03/28 14:47:31.639
        .seen = ('2022/06/13 19:16:47.100', '2022/06/13 19:16:47.101')
        :ext:id = 22-00014119
        :file = sha256:a655fb685a0fe4407d6bee7768611cab603be44f94e2978fdb929ac4067cbd14
        :published = 2022/06/13 19:16:47.100
        :publisher:name = mandiant
        :summary = Russian media group RBK has revealed that the website belonging to Russia's Kommersant FM radio station was hacked on June 8, 2022, to play the Ukrainian national anthem and Russian rock group Nogu Svelo's song "We Don't Need War." According to a tweet from Francis Scarr, who covers Russian state TV at the BBC, "Russian radio station Kommersant FM has been hacked and is currently playing Ukrainian and anti-war songs. Midway through a news bulletin not long ago, patriotic Ukrainian song Ой у лузі червона калина started playing."
        :title = russian radio station hacked to play ukrainian anthem and anti-war song
        :url = https://advantage.mandiant.com/reports/22-00014119
        :url:fqdn = advantage.mandiant.com
        #rep.mandiant.news_analysis
WARNING: Mandiant Advantage API /v4/report/22-00014118/indicators connection reset or timed out
media:news=63f0948fbae9be21a21863fef7c800be
        .created = 2024/03/28 14:47:32.190
        .seen = ('2022/06/13 19:13:57.990', '2022/06/13 19:13:57.991')
        :ext:id = 22-00014118
        :file = sha256:e9f0b55cd957b3dfeee0fc1e9083832953ce4ad8dac2ab5f4017706680d14b33
        :published = 2022/06/13 19:13:57.990
        :publisher:name = mandiant
        :summary = The Iranian government-linked "Lyceum" (Hexane, Spilrin) advanced persistent threat (APT) group has been spotted leveraging a new .NET-based backdoor dubbed "DnsSystem" in attacks targeting Middle Eastern telecommunications providers and firms operating in the energy and gas sector. According to Zscaler researchers, the Lyceum .NET backdoor borrows source code from the "DIG.net" open-source tool and was leveraged in a recent attack to conduct "DNS hijacking." "The malware leverages a DNS attack technique called 'DNS Hijacking' in which an attacker-controlled DNS server manipulates the response of DNS queries and resolve [sic] them as per their malicious requirements. The malware employs the DNS protocol for command and control (C2) communication which increases stealth and keeps the malware communication probes under the radar to evade detection," says Zscaler. Researchers add that DnsSystem also supports a range of functions that includes uploading/downloading files and abusing DNS records, including records for incoming commands and A records for data exfiltration, to execute system commands on infected machines. In order to infect targeted systems, Zscaler says Lyceum operators sent targeted victims spear-phishing emails containing a malicious Microsoft Word document purportedly related to Iranian military affairs. After victims enable macros in the malicious Word document and close it, DnsSystem is dropped on the system using the AutoClose() function, which reads a PE file from a text box seen on the seventh page of the Word document. According to Zscaler, "The dropped binary is a .NET based DNS Backdoor named 'DnsSystem' which allows the threat actors to execute system commands remotely and upload/download data on the infected machine. 
                   Initially the malware sets up an attacker controlled DNS server by acquiring the IP Address of the domain name 'cyberclub[.]one' = 85[.]206[.]175[.]199 using Dns.GetHostAddresses() for the DIG Resolver function, which in turn triggers an DNS request to cyberclub[.]one for resolving the IP address. Now this IP is associated as the custom attacker controlled DNS Server for all the further DNS queries initiated by the malware."
        :title = iran-linked lyceum apt adds a new .net dns backdoor to its arsenal
        :url = https://advantage.mandiant.com/reports/22-00014118
        :url:fqdn = advantage.mandiant.com
        #rep.mandiant.news_analysis
WARNING: Mandiant Advantage API /v4/report/22-00014115/indicators connection reset or timed out
media:news=f35ab600225d1095468f43e41088355e
        .created = 2024/03/28 14:47:32.738
        .seen = ('2022/06/13 19:06:52.284', '2022/06/13 19:06:52.285')
        :ext:id = 22-00014115
        :file = sha256:b24016601e5be5eecbcc9718a76c1288e3b5464cfe46243920d9d169c7ddf829
        :published = 2022/06/13 19:06:52.284
        :publisher:name = mandiant
        :summary = A darknet website is allegedly selling personally identifiable information (PII) belonging to Malaysians that was compromised in previous data breaches, according to Twitter user @Radz1112 (Cyber Guardian). As explained by Radzi1112, the darknet site allows cyber criminals to search for individuals' PII that includes their full names, dates of birth, addresses, telephone numbers, MyKad or military IDs, and dates of birth. Radzi1112 added that searching for a person via the MyKad ID will also provide hackers with that individual's full name, date of birth, gender, and home address. Radzi1112 goes on to point out, "OSINT (open source intelligence) tools are common and they display easily accessible information like a person’s social media, but this is one of the few instances where I am seeing country-specific database leaks being compiled in a single spot." He goes on to assert that the darknet site can be easily found using a Google search and that it could result in many more hackers working to exploit it for financial gain or for other purposes. To prevent their PII form being further compromised, Radzi1112 is now urging people to remove their PII (i.e., names, birth dates, car license plates, and places/dates of birth) from all social media platforms to prevent it from being further compromised. Cybersecurity consultant and LGMS Berhad Chairman Fong Choong Fook says that the data in this breach was published on the clearnet and can be easily removed by authorities once they know where it is located. Fong says he is not surprised that Malaysians' PII is being sold on the clearnet as there has been a series of data breaches throughout Malaysia and that the government has not yet taken action or revealed the results of the investigations into alleged data breaches that involved Malaysian government agencies. "They should be more transparent and announce to the public the result of their investigations. What did they find? How did they conduct it? 
                   They should share who was involved and what the root cause was so that we can take precautions to protect ourselves," says Fong.
        :title = malaysians' personal data allegedly being sold openly on the internet (update: site is down)
        :url = https://advantage.mandiant.com/reports/22-00014115
        :url:fqdn = advantage.mandiant.com
        #rep.mandiant.news_analysis
WARNING: Mandiant Advantage API /v4/report/22-00014114/indicators connection reset or timed out
media:news=c424b9f170fa81d62fd0c2e07d4cf6d2
        .created = 2024/03/28 14:47:33.297
        .seen = ('2022/06/13 19:02:14.873', '2022/06/13 19:02:14.874')
        :ext:id = 22-00014114
        :file = sha256:73141f2196f643eac2331b557486e17717138057d3ea74a6ec7ab32032113c55
        :published = 2022/06/13 19:02:14.873
        :publisher:name = mandiant
        :summary = Amid a spate of increased activity from the "Hello XD" ransomware gang, researchers say operators are now infecting targeted systems with a new encryptor that uses custom packing to evade detection and encryption algorithm changes. According to Palo Alto Networks, the development and use of the new encryptor is a significant departure from the "Babuk" source code on which Hello XD is based, which indicates the author was intent on developing a new ransomware strain with atypical features and capabilities. Reports also indicate that Hello XD is not using a Tor payment site to collect payments and is instead directing victims to engage in direct negotiations via a TOX chat service. Researchers also point out that, in the latest iteration of Hello XD, operators added an onion site to the ransomware note that is currently offline. Unit 42 researchers add that they have traced Hello XD's origins to the "S4KME" Russian-speaking threat actor that has uploaded tutorials about deploying Cobalt Strike Beacons and malicious online infrastructure.
        :title = hello xd ransomware now drops a backdoor while encrypting
        :url = https://advantage.mandiant.com/reports/22-00014114
        :url:fqdn = advantage.mandiant.com
        #rep.mandiant.news_analysis

Reports can also be ingested by ID:

> mandiant.advantage.reports "21-00012833" --yield
WARNING: Mandiant Advantage API /v4/report/21-00012833/indicators connection reset or timed out
WARNING: Mandiant Advantage API /v4/vulnerability/CVE-2021-1675 connection reset or timed out
WARNING: No storm module named fileparser matching version requirement >=4.13.1,<5.0.0
media:news=0cfd0a6a7a2c361d1321a634b3adefaf
        .created = 2024/03/28 14:47:34.009
        .seen = ('2022/05/26 21:48:07.377', '2022/05/26 21:48:07.378')
        :ext:id = 21-00012833
        :file = sha256:0505426cd590aede49d89ba8bedf339c0d8d68682e5149561dd9753dc264d8c0
        :published = 2022/05/26 21:48:07.377
        :publisher:name = mandiant
        :summary = An improper privilege management vulnerability exists within the Print Spooler component in Microsoft Windows Server 2019 and earlier that, when exploited, allows an attacker to locally escalate privileges. Exploit code is publicly available. Mitigation options include a vendor fix and a workaround.
        :title = microsoft windows server 2019 print spooler improper privilege management vulnerability
        :url = https://advantage.mandiant.com/reports/21-00012833
        :url:fqdn = advantage.mandiant.com
        #rep.mandiant.cyber_physical
        #rep.mandiant.vulnerability
        #rep.mandiant.vulnerability_report

Report references are linked via a -(refs)> lightweight edge.

For example, to pivot to vulnerabilities and exploits:

> media:news#rep.mandiant.vulnerability_report -(refs)> risk:vuln
risk:vuln=bdfbc2a6dd05240a91b8ab2c151202ab
        .created = 2024/03/28 14:47:36.343
        :cve = cve-2021-1675
        :desc = An attacker could exploit this vulnerability to locally perform privilege escalation to SYSTEM. The attacker would need to run a specially crafted program or script on an affected system.
                Following the disclosure of this vulnerability, a related vulnerability enabling remote code execution was discovered. These two vulnerabilities were originally considered to be synonymous but were split into two distinct CVEs on July 1, 2021. The new vulnerability has been assigned the identifier CVE-2021-34527. As the methods of exploitation are similar for these vulnerabilities, PoC and exploit codes targeting CVE-2021-34527 are considered to be related and potentially useful to attackers of this vulnerability.
                On June 29, 2021, researchers released a working PoC on GitHub along with the technical details of CVE-2021-34527, then considered to be synonymous with this vulnerability. Researcher Florian Roth released Sigma rules on GitHub that can be used to query logs to detect exploitation using this PoC; however, attackers could modify the PoC to evade these detection rules. Additional variations of this original PoC have also been released and continued development of working exploits is expected. Additional detection guidance for CVE-2021-34527 can be found in Kevin Beaumont's blog. Detection and remediation information compiled from discussions on social media can be found on LaresLLC GitHub page. Microsoft has published 365 Defender queries that may be used to detect exploitation on GitHub.
                On December 30, 2021, researchers observed this vulnerability being used to distribute unknown ransomware. On March 3, 2022, discussions from threat actors regarding the exploitation of this vulnerability in order to deploy ransomware was discovered among leaked chat transcripts reportedly linked to the Conti ransomware group.
                Mandiant Threat Intelligence considers this a Medium-risk vulnerability because of the potential for privilege escalation offset by the local access required for exploitation.
                CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog on November 3, 2021, with a required remediation date of November 17, 2021.
                Please rate this product by taking a short four question survey
        :reporter = e961a43c0cee3fbcf7aeb4c567989be7
        :reporter:name = mandiant
        :type = improper_privilege_management
        #rep.mandiant.in_the_wild
> media:news#rep.mandiant.vulnerability_report -(refs)> media:news
media:news=536e0b43f0c8a5ce1037a23d3b06d075
        .created = 2024/03/28 14:47:35.862
        :published = 2021/06/27 06:00:00.000
        :title = this poc takes the form of a python script and a c# program capable of delivering a user-supplied payload to a vulnerable system.
        :url = https://github.com/cube0x0/CVE-2021-1675
        :url:fqdn = github.com
media:news=98f35977f921f8be295ded7f30f9c525
        .created = 2024/03/28 14:47:36.118
        :published = 2022/01/28 07:00:00.000
        :title = this poc will trigger this vulnerability to gain elevated privileges.
        :url = https://github.com/AndrewTrube/CVE-2021-1675
        :url:fqdn = github.com
media:news=bc74d88c71b2503f6e5e84ca7f89cafd
        .created = 2024/03/28 14:47:35.947
        :published = 2021/06/27 06:00:00.000
        :title = this poc takes the form of a powershell script capable of performing local privilege escalation to execute a user-supplied dll payload.
        :url = https://github.com/calebstewart/CVE-2021-1675
        :url:fqdn = github.com
media:news=5e11efcab3e635e8030fe1da56e087c9
        .created = 2024/03/28 14:47:36.204
        :published = 2022/05/25 06:00:00.000
        :title = this exploit takes the form of a metasploit module which can exploit this vulnerability in conjunction with cve-2021-34527.
        :url = https://packetstormsecurity.com/files/167261/cve_2021_1675_printnightmare.rb.txt
        :url:fqdn = packetstormsecurity.com
media:news=841237cd4a8afedb32d669baa8adb948
        .created = 2024/03/28 14:47:36.033
        :published = 2021/08/29 06:00:00.000
        :title = this exploit exists as a github repository containing a cobalt strike plugin which allows elevated privileges to be obtained.
        :url = https://github.com/mstxq17/CVE-2021-1675_RDL_LPE
        :url:fqdn = github.com

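The -(refs)> edge can also be walked in reverse. The query below is an added example, not code from the original guide: it starts from the CVE shown above and finds the ingested Mandiant reports that cite it, assuming those reports were already ingested with mandiant.advantage.reports.

```storm
// Added example, not code from the original guide. Start at a CVE already in the
// Cortex, keep it only if Mandiant tags it as exploited in the wild, then walk the
// refs edge backwards to the vulnerability reports that cite it.
risk:vuln:cve=cve-2021-1675
+#rep.mandiant.in_the_wild

// <(refs)- walks the lightweight edge in reverse:
// report -(refs)> vuln becomes vuln <(refs)- report
<(refs)- media:news
+#rep.mandiant.vulnerability_report

// print one line per citing report; :ext:id is the Mandiant report ID accepted by
// mandiant.advantage.reports "<id>" if the report needs to be re-ingested later
{ $lib.print("{id} {pub} {title}", id=:ext:id, pub=$node.repr("published"), title=:title) }
```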
Use of meta:source nodes

Synapse-Mandiant uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Mandiant Advantage API.

> meta:source=87af91df0f689c810822046e49af0db8
meta:source=87af91df0f689c810822046e49af0db8
        .created = 2024/03/28 14:47:29.375
        :name = mandiant api

Storm filters can include or exclude nodes based on whether Synapse-Mandiant has observed them. The following example filters the results of a query to include only nodes observed by Synapse-Mandiant:

> ou:name=apt29 -> risk:threat +{ <(seen)- meta:source=87af91df0f689c810822046e49af0db8 }
risk:threat=18f170d52f16976a705e1386c629d370
        .created = 2024/03/28 14:47:30.174
        :name = apt29 (mandiant)
        :org:name = apt29
        :reporter = e961a43c0cee3fbcf7aeb4c567989be7
        :reporter:name = mandiant
        :tag = rep.mandiant.apt29