OMAR61-eng/BOTSv2-TAEDONGGANG-APT-Incident-Response
# BOTSv2 Incident Response: TAEDONGGANG APT & Ransomware Attack
## 📌 Executive Summary
This repository contains a comprehensive Incident Response and Digital Forensics report based on the **Splunk BOTSv2 (Boss of the SOC)** dataset.
The investigation documents a sophisticated, multi-stage cyber attack executed by the **TAEDONGGANG APT** group. The compromise involved both insider threat activity and external exploitation. The attack chain began with internal reconnaissance, followed by external scanning targeting the organization's web server.
The threat actors exploited multiple web vulnerabilities (XSS, SQL Injection, Shellshock) and abused the HTTP TRACE method to steal a valid session cookie, which enabled the hijacking of the user Kevin's session. Following initial access, the attacker compromised the user's machine via a malicious USB device, executed lateral movement across the network, and ultimately deployed Ransomware on another endpoint (Mallory's system), leading to data encryption and critical operational impact.
## 🔍 Incident Identification Overview
| Field | Details |
| :--- | :--- |
| **Incident Category** | Multi-Stage Cyber Attack & Ransomware Deployment |
| **SIEM Tool** | Splunk (BOTSv2 Dataset) |
| **Threat Actor Group** | **TAEDONGGANG APT** |
| **Attack Vectors** | Web Exploitation, HTTP TRACE Abuse, Malicious USB, Ransomware |
| **Vulnerabilities Exploited** | Cross-Site Scripting (XSS), SQL Injection, Shellshock |
| **Targeted Web Server** | `172.31.4.249` |
| **Compromised Accounts** | Kevin (`10.0.2.109`) |
| **Impacted Endpoints** | Mallory's System (`MACLORY-AIR13`) |
| **External Attacker IPs** | `45.77.65.211` (Scanner), `71.39.18.125` (Hijacker) |
| **Internal Recon Source** | Amber Turing (`10.0.2.101`) |
## 🗺️ Attack Lifecycle & Kill Chain
1. **Reconnaissance:** Internal network scanning initiated by Amber (`10.0.2.101`), paired with external web vulnerability scanning from `45.77.65.211`.
2. **Exploitation:** Attacker leveraged web application vulnerabilities, specifically abusing the **HTTP TRACE** method to bypass security controls.
3. **Credential Theft & Session Hijacking:** The attacker successfully stole a valid session cookie and hijacked Kevin's session from external IP `71.39.18.125`.
4. **Execution & Persistence:** A malicious USB device was used to further compromise Kevin's workstation.
5. **Lateral Movement:** The threat actor navigated through the internal network to identify high-value targets.
6. **Actions on Objectives (Ransomware):** The attacker successfully deployed ransomware on Mallory's endpoint (`MACLORY-AIR13`), encrypting critical files and causing severe data impact.
## 🛡️ Key Findings & Vulnerabilities (Lessons Learned)
The investigation highlighted several critical security gaps that facilitated the attack:
* **Web Application Vulnerabilities:** Unpatched vulnerabilities (Shellshock, SQLi) and misconfigurations (enabled HTTP TRACE method) allowed session cookie theft.
* **Session Management:** Lack of anomaly detection for session hijacking (e.g., detecting sudden IP changes for the same session cookie).
* **Endpoint Security:** Inadequate protection against removable media (Malicious USB) and delayed ransomware execution detection.
* **User Awareness:** The attack heavily relied on social engineering and phishing tactics, which bypassed human defenses.
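The two web-side gaps above (an enabled TRACE method and no detection of a session cookie moving between IPs) are both visible in ordinary web server access logs. The following Python script is an added example, not part of this repository or the BOTSv2 dataset: it parses a handful of constructed Apache-style log lines (the log format is assumed to have `%{Cookie}i` appended as a final quoted field, which the stock "combined" format lacks; the session ids and timestamps are made up, and the IPs are the ones named in this report) and reports TRACE requests and any session id seen from more than one client address.

```python
import re
from collections import defaultdict

# Constructed sample log (Apache "combined" format plus a trailing quoted cookie
# field). Session ids and timestamps are invented for this example; the IP
# addresses are the ones documented in the report above.
SAMPLE_LOG = """\
10.0.2.109 - - [10/Aug/2017:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "PHPSESSID=a1b2c3d4"
10.0.2.109 - - [10/Aug/2017:09:12:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "PHPSESSID=a1b2c3d4"
45.77.65.211 - - [10/Aug/2017:09:30:44 +0000] "TRACE / HTTP/1.1" 200 361 "-" "curl/7.52.1" "-"
71.39.18.125 - - [10/Aug/2017:09:41:17 +0000] "GET /admin HTTP/1.1" 200 2210 "-" "Mozilla/5.0" "PHPSESSID=a1b2c3d4"
10.0.2.101 - - [10/Aug/2017:09:45:00 +0000] "GET /about.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0" "PHPSESSID=ffee9988"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Pull the session id out of the cookie field (assumed cookie name: PHPSESSID).
    sm = re.search(r'PHPSESSID=([A-Za-z0-9]+)', rec['cookie'])
    rec['session'] = sm.group(1) if sm else None
    return rec


def find_trace_requests(lines):
    """Return (ip, path, status) for every TRACE request.

    TRACE echoes the request headers back to the client, cookies included, so a
    200 response here shows the server still reflects cookies (the XST condition)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'TRACE':
            hits.append((rec['ip'], rec['path'], int(rec['status'])))
    return hits


def find_shared_sessions(lines):
    """Map each session id to the ordered list of distinct IPs that presented it.

    Only ids used from more than one address are returned: a valid cookie
    appearing from a second IP is the hijacking signal the findings call for."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['session'] and rec['ip'] not in seen[rec['session']]:
            seen[rec['session']].append(rec['ip'])
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, path, status in find_trace_requests(lines):
        print(f"TRACE request from {ip} for {path} -> HTTP {status}")
    for sid, ips in find_shared_sessions(lines).items():
        print(f"session {sid} used from multiple IPs: {' -> '.join(ips)}")
```

On the sample above the script flags the TRACE probe from the scanner IP and reports session `a1b2c3d4` first seen from Kevin's internal address and later from the external hijacker address. In production the same two checks map directly onto a Splunk search over the web sourcetype (filter on `method=TRACE`, and `stats dc(src_ip) by session_id` with a threshold of more than one); the point of the script is to make the logic explicit.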
## 💡 Containment & Remediation Strategy
* **Web Security:** Disable the HTTP TRACE method on all web servers immediately to prevent Cross-Site Tracing (XST). Patch all edge systems against known exploits (Shellshock).
* **Identity & Access Management:** Implement strict session invalidation upon IP change and enforce Multi-Factor Authentication (MFA).
* **Endpoint Protection (EDR):** Restrict USB mass storage devices via Group Policy (GPO) and deploy behavior-based ransomware detection tools.
* **Security Awareness:** Conduct mandatory training for employees on phishing identification and safe USB handling.
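The first two remediation items (refuse TRACE, invalidate a session when its client IP changes) can also be enforced in the application itself rather than only at the web server. The following Python is an added example, not code from this repository or from the BOTSv2 environment: a hypothetical in-memory `SessionStore` that binds each session id to the address that created it and revokes the whole session on any mismatch or idle timeout, plus a `handle_request` helper that rejects TRACE before touching session state. Names, status codes and the timeout value are this example's assumptions.

```python
import secrets
import time


class SessionStore:
    """Hypothetical server-side session store that pins each session to one client IP."""

    def __init__(self, idle_timeout=900):
        self._sessions = {}          # sid -> {"user", "ip", "last_seen"}
        self.idle_timeout = idle_timeout   # seconds of inactivity before revocation

    def create(self, user, client_ip, now=None):
        # 32 random bytes from the OS CSPRNG; the id is never derived from user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "ip": client_ip,
            "last_seen": now if now is not None else time.time(),
        }
        return sid

    def validate(self, sid, client_ip, now=None):
        """Return the user for a live session presented from its original IP, else None.

        Any mismatch revokes the session outright instead of merely rejecting
        the request: a stolen cookie replayed from a second address therefore
        also ends the victim's own session and forces a fresh login, which is
        the "strict invalidation" the remediation plan asks for."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = now if now is not None else time.time()
        if now - rec["last_seen"] > self.idle_timeout or rec["ip"] != client_ip:
            self.revoke(sid)
            return None
        rec["last_seen"] = now
        return rec["user"]

    def revoke(self, sid):
        self._sessions.pop(sid, None)

    def is_active(self, sid):
        return sid in self._sessions


def handle_request(store, method, sid, client_ip, now=None):
    """Minimal request gate returning an HTTP status code.

    TRACE is refused before any session lookup so the server never echoes a
    cookie back; everything else must carry a session valid for this IP."""
    if method == "TRACE":
        return 405
    if store.validate(sid, client_ip, now=now) is None:
        return 401
    return 200


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("kevin", "10.0.2.109")
    print(handle_request(store, "GET", sid, "10.0.2.109"))      # 200: legitimate use
    print(handle_request(store, "TRACE", sid, "45.77.65.211"))  # 405: method refused
    print(handle_request(store, "GET", sid, "71.39.18.125"))    # 401: cookie replayed from another IP
    print(handle_request(store, "GET", sid, "10.0.2.109"))      # 401: victim's session was revoked too
```

The trade-off to weigh before deploying this is that users behind carrier-grade NAT or switching between Wi-Fi and mobile data change source IP legitimately; strict IP binding will log those users out, so many deployments pair it with step-up authentication on IP change rather than an unconditional revoke. For the web server layer itself, Apache's `TraceEnable off` directive disables the method without application changes.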