Maastricht University Ransomware Attack Flow #116
Added attack flow describing the Maastricht University ransomware attack that happened in 2019
2ada033 to 6c9f1c3
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files:

@@ Coverage Diff @@
##            main     #116   +/- ##
=======================================
  Coverage   99.64%   99.64%
=======================================
  Files           9        9
  Lines         837      837
=======================================
  Hits          834      834
  Misses          3        3

☔ View full report in Codecov by Sentry. |
Thank you for submitting this new flow. This is an excellent application of the Attack Flow concepts combined with good writing and clear organization. I'm excited to get this merged into our corpus. I have a few suggestions that I will leave here, but these are not mandatory. If you have the time and interest to make these adjustments, that's great; otherwise just let me know that you are done and I will merge this into our corpus.

There is a URL object in STIX that you could use here. The infrastructure object is fine, but if you use URL objects it will be easier to extract the URL IOCs.

The direction of the arrow between action and asset indicates if the asset's state is changed or consumed. This example has the asset pointing to the action, which means the action depends on the state of the asset. I think you intended to communicate that the action changes the asset's state (i.e. the new state is "compromised"), so the arrow should point from action to asset.

This condition and action appear to be reversed. If the condition "user opens excel attachment" is true, then that would lead to the "User Execution: Malicious File" action. |
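The three review points above (a STIX `url` object instead of a URL buried in an `infrastructure` object, the arrow running from action to asset, and the condition seated before the action) can be checked mechanically. The script below is an added example, not code from the Attack Flow project or from this PR: it builds a minimal flow as plain STIX 2.1 JSON, builds a second flow with the three problems the reviewer described, and runs a small linter over both. The Attack Flow object types and property names used here (`attack-action`, `attack-asset`, `attack-condition`, `asset_refs`, `effect_refs`, `on_true_refs`, `start_refs`) are my reading of the Attack Flow STIX extension and are assumptions to verify against the published spec; the `extensions` property that the spec requires on each object is omitted for brevity, and the phishing URL is constructed.

```python
"""Added example (not code from the Attack Flow project or this PR): build a
minimal Attack Flow bundle as plain STIX 2.1 JSON and run the three review
points from the thread over it. Object types and property names follow the
Attack Flow STIX extension as I understand it (assumption: attack-action,
attack-asset, attack-condition, asset_refs, effect_refs, on_true_refs)."""
import re
import uuid

URL_RE = re.compile(r"https?://\S+")


def sid(kind):
    """STIX identifier: <type>--<uuid4>."""
    return f"{kind}--{uuid.uuid4()}"


def stix(kind, **props):
    """Minimal STIX 2.1 object (extension-definition references omitted)."""
    return {"type": kind, "spec_version": "2.1", "id": sid(kind), **props}


def build_flow(malicious_url="http://example.invalid/invoice.xls"):  # constructed URL
    """Flow as the reviewer asked for it: url SDO, condition -> action -> asset."""
    url = stix("url", value=malicious_url)
    asset = stix("attack-asset", name="Staff workstation",
                 description="state after the action: compromised")
    # The action points at the asset whose state it changes (asset_refs).
    action = stix("attack-action", name="User Execution: Malicious File",
                  technique_id="T1204.002", asset_refs=[asset["id"]])
    # The condition is seated before the action and leads to it when true.
    condition = stix("attack-condition", description="User opens Excel attachment",
                     on_true_refs=[action["id"]])
    flow = stix("attack-flow", name="Constructed example flow",
                scope="incident", start_refs=[condition["id"]])
    return {"type": "bundle", "id": sid("bundle"),
            "objects": [flow, condition, action, asset, url]}


def build_reversed_flow():
    """Flow carrying the three problems raised in review, for comparison."""
    infra = stix("infrastructure", name="Phishing server",
                 description="hosts http://example.invalid/invoice.xls")  # URL buried in text
    asset = stix("attack-asset", name="Staff workstation")
    condition = stix("attack-condition", description="User opens Excel attachment")
    # Action -> condition (reversed) and asset -> action (reversed arrow, as an SRO).
    action = stix("attack-action", name="User Execution: Malicious File",
                  technique_id="T1204.002", effect_refs=[condition["id"]])
    rel = stix("relationship", relationship_type="related-to",
               source_ref=asset["id"], target_ref=action["id"])
    flow = stix("attack-flow", name="Constructed reversed flow",
                scope="incident", start_refs=[action["id"]])
    return {"type": "bundle", "id": sid("bundle"),
            "objects": [flow, condition, action, asset, infra, rel]}


def review(bundle):
    """Return a list of review findings; an empty list means every check passed."""
    objs = bundle["objects"]
    findings = []
    referenced_assets = {r for o in objs if o["type"] == "attack-action"
                         for r in o.get("asset_refs", [])}
    for o in objs:
        if o["type"] == "infrastructure" and URL_RE.search(
                o.get("name", "") + " " + o.get("description", "")):
            findings.append(f"{o['id']}: URL embedded in infrastructure text; use a url object")
        elif o["type"] == "attack-asset" and o["id"] not in referenced_assets:
            findings.append(f"{o['id']}: no action points to this asset (arrow reversed?)")
        elif o["type"] == "attack-condition" and not (
                o.get("on_true_refs") or o.get("on_false_refs")):
            findings.append(f"{o['id']}: condition leads nowhere; it should precede an action")
    return findings


if __name__ == "__main__":
    for name, bundle in (("corrected", build_flow()), ("reversed", build_reversed_flow())):
        print(name, review(bundle) or "OK")
```

The asset check is deliberately structural: rather than looking for a specific "reversed" relationship, it flags any asset that no action claims through `asset_refs`, which is what an arrow drawn from asset to action leaves behind. The same idea extends to the condition check, which only asks that a condition lead somewhere, so a condition wired as the effect of an action rather than its predecessor is caught regardless of how the reversed edge was drawn.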
Changes:
- The condition was rewritten and properly seated before the Action
- Make use of the STIX objects for the URL
- Rewrite infrastructure objects that contained URLs in them
- Simplify the first malicious URL infrastructure objects into just one
- Add an asset for the internal domain at the moment it was fully compromised, when the attacker gained admin control
@mehaase Thank you for your feedback. I implemented your feedback and I also made some (small) improvements to the attack flow :) The full details of the changes I made are in the description of my last commit. |
Changes:
- Asset arrows were properly inverted to indicate that the action affected the asset
- Fixed a hidden arrow under the OS Credential Dumping actions
…astricht-ransomware
Kudos, SonarCloud Quality Gate passed! |
d14bfe9 into center-for-threat-informed-defense:main
Thank you @jonibim and my apologies for not seeing this earlier. I have just merged it in. |
My first attempt at making an attack flow describing the Maastricht University ransomware attack that happened in 2019. The article used for building the attack flow (in Dutch): https://www.maastrichtuniversity.nl/nl/file/foxitrapportreactieuniversiteitmaastrichtnl10-02pdf
Please let me know if I missed anything or did something wrong.