
Advanced threat detection use cases for Windows
The past few years have been eventful in cybersecurity: researchers keep making discoveries that improve security posture and close loopholes, while cybercriminals widen their attack landscape with advances in malware and ransomware development. Most malware is developed and distributed for Windows because it is the most widely used and best-known operating system, which makes it the more attack-prone and common target. Organizations are also making significant investments and efforts to fight advanced adversaries, yet cybercriminals have still conducted a series of highly targeted attacks against multiple organizations. Let us understand their attack patterns using the recent Kaseya REvil supply chain attack.
- The REvil ransomware attack was initiated by running a malicious PowerShell script from a directory that was whitelisted as part of the Kaseya deployment requirements.
- This script first disabled Microsoft Defender to prevent it from blocking the malicious files and activity that followed.
- It then downloaded the malicious file and decoded it into an executable using the Windows certificate utility. It deleted the loader file, and the legitimate Kaseya process started the malware executable with elevated privileges.
- This malware executable installed an old version of Microsoft Defender that was vulnerable to DLL side-loading, and downloaded a malicious DLL with the same name as a DLL used by that older version of Defender. When Microsoft Defender started, it loaded the malicious DLL into its memory space, which hijacked the execution flow and started encrypting files.
- REvil does not attack countries that were once part of the USSR; it determines this by checking the system language and keyboard layout.
We at Zensar have designed proactive use cases to gain better visibility and security for Windows systems and to build a good security posture. The following use cases are built to address security loopholes more effectively and proactively, assuming the required logging prerequisites are enabled.
Prerequisites:
- Enable the policy to include the command line in process creation events.
- Enable PowerShell Script Block Logging.
Use Cases:
- Command-Line Network Connection
  - Description: Adversaries can abuse cmd.exe or powershell.exe to download malicious files from a remote URL. They try to establish a back-channel to a remote site to download malicious files and exfiltrate data.
  - Objective: Identifies cmd.exe or powershell.exe making a network connection.
  - MITRE ATT&CK
    - Tactic: Execution
    - Technique: Windows Command Shell
- Attempt to Stop Security Services
  - Description: Adversaries may try to stop security or auditing services such as Windows Defender, real-time monitoring, or an intrusion prevention system in order to avoid detection.
  - Objective: This use case looks for any attempt to stop security or auditing services.
  - MITRE ATT&CK
    - Tactic: Execution
    - Technique: System Services: Service Execution
- Process Started from Unusual Directory
  - Description: To evade detection, adversaries may start processes from unusual directories such as Temp, the user's local directory, or a whitelisted directory. These processes can hide behind legitimate Windows processes.
  - Objective: This use case inspects process creation events for any attempt to start a process from an unusual directory. A few services that legitimately start processes from the Temp directory may need to be whitelisted.
  - MITRE ATT&CK
    - Tactic: Defense Evasion
    - Technique: Hide Artifacts
- Multiple New Services Identified on the Same Host
  - Description: Adversaries try to install services that can be used to execute malicious code, possibly including vulnerable legitimate Windows services. It is therefore very important to watch for the installation of multiple new services on a host.
  - Objective: This use case looks for any attempt to install a new service on a system. It is prone to false positives, so it is important to baseline the legitimate activities performed by administrators.
  - MITRE ATT&CK
    - Tactic: Privilege Escalation
    - Technique: Process Injection
- Volume Shadow Copy Deletion
  - Description: The shell scripts executed by adversaries often contain instructions to delete the volume shadow copies so that victims cannot recover from backups.
  - Objective: Identifies the use of wmic.exe or vssadmin.exe for shadow copy deletion on endpoints.
  - MITRE ATT&CK
    - Tactic: Impact
    - Technique: Inhibit System Recovery
- Multiple Windows File Modifications Detected
  - Description: Unauthorized modification of files can lead to business disruption or loss of sensitive data such as PII. It is therefore essential to detect and investigate unauthorized attempts to modify files.
  - Objective: Observes unusual attempts to modify a large number of files within a short time span, which indicates a compromised system.
  - MITRE ATT&CK
    - Tactic: Impact
    - Technique: Data Encrypted for Impact
- Geo Location-Based Attacks
  - Description: Adversaries commonly check the geolocation of victims by looking at the system language and keyboard layout, to avoid targeting their own nation.
  - Objective: This use case looks for command or script execution that checks the system language or keyboard layout, for example via the DISM utility or the LANG_SYSTEM_DEFAULT macro.
  - MITRE ATT&CK
    - Tactic: Discovery
    - Technique: System Location Discovery
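As an added illustration (not Zensar's own content), the following Python sketch runs several of the use cases above over a handful of constructed, SIEM-normalised events: command-line patterns for stopping security services, shadow copy deletion and locale checks, the unusual-directory check with the whitelisting the third use case calls for, and a per-host count of new service installs for the fourth. The field names, the sample events and the threshold of three services are assumptions.

```python
import re
from collections import Counter

# Constructed sample events in a simplified, SIEM-normalised shape (assumed field names):
# 4688 = process creation with command line included, 7045 = new service installed.
EVENTS = [
    {"id": 4688, "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": 4688, "host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\agent.exe", "cmdline": "agent.exe /s"},
    {"id": 4688, "host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 4688, "host": "ws01", "image": r"C:\Windows\System32\Dism.exe", "cmdline": "dism /online /get-intl"},
    {"id": 4688, "host": "ws02", "image": r"C:\Windows\Temp\updater.exe", "cmdline": "updater.exe"},  # whitelisted below
    {"id": 7045, "host": "ws02", "service": "svc1"},
    {"id": 7045, "host": "ws02", "service": "svc2"},
    {"id": 7045, "host": "ws02", "service": "svc3"},
]

# Command-line patterns, one per use case from the list above (case-insensitive).
CMDLINE_RULES = {
    "Attempt to Stop Security Services": re.compile(r"Set-MpPreference\s+-Disable|\b(net|sc)\s+stop\s+WinDefend", re.I),
    "Volume Shadow Copy Deletion": re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "Geo Location-Based Attacks": re.compile(r"dism\b.*\bget-intl|LANG_SYSTEM_DEFAULT", re.I),
}
UNUSUAL_DIR = re.compile(r"\\(Temp|Downloads|Public)\\", re.I)
NEW_SERVICE_THRESHOLD = 3  # assumed tuning value; baseline it per environment


def detect(events, allowlist=frozenset()):
    """Return (use_case, host, detail) tuples. allowlist holds lower-cased image paths
    that are permitted to run from otherwise unusual directories."""
    alerts = []
    services_per_host = Counter()
    for ev in events:
        if ev["id"] == 7045:                       # correlate service installs per host
            services_per_host[ev["host"]] += 1
            continue
        for use_case, pattern in CMDLINE_RULES.items():
            if pattern.search(ev["cmdline"]):
                alerts.append((use_case, ev["host"], ev["cmdline"]))
        if UNUSUAL_DIR.search(ev["image"]) and ev["image"].lower() not in allowlist:
            alerts.append(("Process Started from Unusual Directory", ev["host"], ev["image"]))
    for host, n in services_per_host.items():
        if n >= NEW_SERVICE_THRESHOLD:
            alerts.append(("Multiple New Services Identified on the Same Host", host, f"{n} new services"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, allowlist={r"c:\windows\temp\updater.exe"}):
        print(*alert, sep=" | ")
```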
Correlating these use cases can help detect malware and ransomware activity early in the attack cycle and prevent it from impacting users and data.
Here at Zensar, as part of the Cybersecurity Research and Content Development team for digital security and threat hunting, we are publishing a series of blogs uncovering advanced detection capabilities.