Leading investment firm validates defenses against Black Basta

Leveraging Prelude to monitor, optimize, and validate defenses

Black Basta is a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

Black Basta affiliates use common initial access techniques such as phishing and exploiting  vulnerabilities, and then employ a double-extortion model, both encrypting systems and exfiltrating data.

01. Control policy optimization

Prior to control testing and validation, Prelude identifies a control misconfiguration and recommends a policy change in the firm’s EDR, CrowdStrike.

Specifically, updating Sensor Machine Learning to an Aggressive state provides an optimal configuration to prevent 3 of the 6 identified techniques for the ransomware.

02.  Initial control assessment

Based on the identified techniques, a sequence of threat hunting queries built to search for relevant behavior and IOCs within CrowdStrike are generated. These can be deployed from Prelude to identify any existing behavior associated with Black Basta in the firm’s environment.

//go:embed SharpWMI.exe
var malicious []byte

func writeMalicious() bool {
 Endpoint.Say("Attempting to write malicious program to disk")
 return !Endpoint.Quarantined("dllhost.exe", malicious)
}

func executeMalicious() bool {
 Endpoint.Say("Attempting to execute malicious program")
 _, err := Endpoint.Shell(strings.Fields("cmd.exe /c .\\dllhost.exe action=getenv"))

 return err == nil
}

Additionally, Prelude generated 6 tests which emulate techniques utilized by Black Basta and evaluates the EDR’s ability to observe, detect, or prevent that behavior including T1562.001 Disabling AMSI (prevent) and T1036.005 Match Legitimate Name or Location (observed).

These tests ensure proper log, detection, and prevention coverage of these techniques, providing assurance to the firm that they’re suitably protected against Black Basta.

03. Continuous control validation

Finally, the firm is able to leverage Prelude’s detection rules (in the form of a CrowdStrike IOA) to increase detection rates for two Black Basta techniques where controls underperformed against provided tests, Match Legitimate Names and Disabling ASMI.

title: Masquerading - Match Legitimate Name or Location
author: Prelude
status: production
detection:
  condition: selection
  selection:
    Image:
      - .*cmd\.exe
    CommandLine:
      - .*dllhost\.exe\s+action=getenv
logsource:
  product: windows
  category: process_creation
references:
  - https://attack.mitre.org/techniques/T1059/005/
description: Detects the execution of dllhost through a masqueraded dllhost process.

Prelude enables the firm to continuously validate those detections and existing defenses by automatically running the previous simulations on relevant endpoints on a regular cadence.