Active and Passive Mandiant APT1 Detection

by Ron Gula
February 20, 2013

The Mandiant® Intelligence Center™ recently released a report exposing APT1's multi-year, enterprise-scale computer espionage campaign. Mandiant considers APT1, one of China's most persistent cyber espionage groups, to be one of the most prolific in terms of sheer quantity of information stolen.

I read the Mandiant APT1 report with a great deal of interest. There was a tremendous amount of detail in the report about attacker techniques, indicators of compromise, and who the adversaries could possibly be. What I found most interesting, though, was the large amount of technical detail provided about the indicators of compromise – domain names, SSL certificates, file hashes, and more. Yesterday, Tenable's research team turned this information into a wide variety of reporting and detection tools, which are now available in Nessus and SecurityCenter.

Malicious Process Detection: APT1 Software Running

This new Nessus plugin extends the hash lookup process for malware introduced last year to also include the APT1 hashes reported by Mandiant. This plugin requires credentials and tests Windows systems.

APT1-related SSL Certificate Detected

This new Nessus plugin extends the extensive SSL certificate testing performed by Nessus to also include the certificates reported by Mandiant. The SSL certificates in the APT1 report were used for command and control.

APT1 Configuration Audit File

This audit file detects possible infections by several of the malware items identified by Mandiant. It includes checks for 32 of the malware variants identified in Appendix C: The Malware Arsenal. The audit file uses a combination of registry checks and file system checks to find hosts that are likely at risk or infected.

Mandiant APT1 SSL Connection Activity Report

The SecurityCenter report leverages the Tenable Passive Vulnerability Scanner's ability to identify the certificate name used in SSL network connections. These real-time logs are sent to the Tenable Log Correlation Engine, where they are summarized in an "SSL_Cert_Summary" event. Searching these events provides an efficient way to review historical APT1 SSL activity.
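To illustrate the passive approach described above, here is an added example (not Tenable's code) that searches a constructed set of certificate observation logs for certificate subjects on a watch-list and summarizes first seen, last seen, hit count and contacted servers per internal host. The log format and the watch-list entries are constructed placeholders, not the LCE event format or the report's real indicators.

```python
"""Search constructed SSL certificate observation logs for known C2 certificate names."""
from dataclasses import dataclass, field
import re

# Constructed log lines, loosely modelled on a passive sensor recording the
# certificate subject seen on each outbound TLS connection. Not the LCE format.
SAMPLE_LOGS = """\
2013-02-18T09:12:01Z src=10.1.4.22 dst=203.0.113.7:443 ssl_cn=CN=APT1-PLACEHOLDER-A
2013-02-18T09:12:09Z src=10.1.4.22 dst=198.51.100.9:443 ssl_cn=CN=www.example.com
2013-02-19T22:40:55Z src=10.1.7.81 dst=203.0.113.7:443 ssl_cn=CN=APT1-PLACEHOLDER-A
2013-02-20T03:05:17Z src=10.1.4.22 dst=203.0.113.44:8443 ssl_cn=CN=APT1-PLACEHOLDER-B
2013-02-20T08:00:00Z src=10.1.9.3 dst=198.51.100.9:443 ssl_cn=CN=mail.example.org
"""

# Placeholder watch-list; substitute the certificate subjects published in the report.
WATCHLIST = {"CN=APT1-PLACEHOLDER-A", "CN=APT1-PLACEHOLDER-B"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) ssl_cn=(?P<cn>.+)$"
)

@dataclass
class HostSummary:
    first_seen: str
    last_seen: str
    hits: int = 0
    c2_servers: set = field(default_factory=set)

def summarize_ssl_hits(log_text, watchlist):
    """Return {source_ip: HostSummary} for connections whose certificate subject is on the watch-list."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the historical search
        if m["cn"].strip() not in watchlist:
            continue
        host = summary.setdefault(m["src"], HostSummary(m["ts"], m["ts"]))
        host.hits += 1
        host.first_seen = min(host.first_seen, m["ts"])  # ISO-8601 UTC strings sort lexically
        host.last_seen = max(host.last_seen, m["ts"])
        host.c2_servers.add(m["dst"])
    return summary

if __name__ == "__main__":
    for src, s in sorted(summarize_ssl_hits(SAMPLE_LOGS, WATCHLIST).items()):
        print(f"{src}: {s.hits} hit(s), {s.first_seen} .. {s.last_seen}, servers={sorted(s.c2_servers)}")
```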

I'd like to thank Mandiant for sharing this sort of information and encourage this type of reporting and research.