With the remote workforce, the need for endpoint visibility is increasing drastically. Adversaries are also working from home and finding new attack techniques; last month saw a spike in newly discovered remote code execution vulnerabilities.
As company culture moves towards working from home, the threat landscape is moving towards this new culture as well.
Seeing what is happening inside the endpoint enables threat hunters to detect many threats, known and unknown. One effective utility that provides this much-needed visibility is Sysmon, which logs detailed information about process, network, registry and file activity on Windows systems. Leveraging such telemetry, we can effectively detect many attack techniques. In this blog we will highlight some detection methodologies.
Modelling User, Process and Endpoint Behavior
Building a behavioral profile for processes can help us detect unknown and unusual activities. IBM Security QRadar can establish such a baseline and store the process behavior in Reference Data. Contextualizing the behavior helps to slice the baseline down further, which leads to better deviation detection. For example, if a workstation starts an unusual process, this can be sliced down to the per-user or per-department level: we don't expect the HR team to use PowerShell or to execute whoami, while the sysadmins might use PowerShell in their daily duties.
QRadar can also baseline processes by parent-child relationship, which helps detect a process with an unusual parent. Attackers usually try to mask their activities to look like a normal process, for example by naming their malicious executable "svchost.exe" or "calc.exe".
Similarly, profiling and slicing network connections by process can help detect unusual network connections. Sysmon logs network connections from the endpoint and ties them to the process that created them, and this context can help us detect unusual connections: for example, the calculator creating a network connection, which we do not expect to see at all, or a process that usually only communicates locally suddenly communicating with remote IPs for the first time.
Adding process and user context to netflows brings additional insight and helps to further slice down data exfiltration per process. It shows us the average outbound transmitted data per process, allowing us to detect each time a process deviates from it. A simple example: would you expect calc.exe to transmit 2 GB outside the network? This key information also helps the incident response team identify which process initiated that network connection in the first place.
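As an added illustration of the baselining described above (example code written for this post, not QRadar's own logic or Reference Data), the following learns user/process, parent/child and process/destination pairs from constructed Sysmon-style events and reports how a new event deviates from them. The simplified field names and the `factor` threshold are assumptions.

```python
from collections import defaultdict

# Constructed Sysmon-style records (not real telemetry). Event ID 1 = process
# create, Event ID 3 = network connection; field names are simplified.
BASELINE_EVENTS = [
    {"id": 1, "user": "hr\\alice", "image": "winword.exe", "parent": "explorer.exe"},
    {"id": 1, "user": "it\\bob", "image": "powershell.exe", "parent": "explorer.exe"},
    {"id": 1, "user": "it\\bob", "image": "svchost.exe", "parent": "services.exe"},
    {"id": 3, "image": "outlook.exe", "dst": "10.0.5.20", "sent": 120_000},
    {"id": 3, "image": "outlook.exe", "dst": "10.0.5.20", "sent": 80_000},
]


def build_baseline(events):
    """Learn which (user, image), (parent, image) and (image, dst) pairs are
    normal, plus the outbound byte counts seen per process."""
    base = {"user_proc": set(), "parent_child": set(), "proc_dst": set(),
            "bytes_out": defaultdict(list)}
    for e in events:
        if e["id"] == 1:
            base["user_proc"].add((e["user"], e["image"]))
            base["parent_child"].add((e["parent"], e["image"]))
        elif e["id"] == 3:
            base["proc_dst"].add((e["image"], e["dst"]))
            base["bytes_out"][e["image"]].append(e["sent"])
    return base


def deviations(event, base, factor=5.0):
    """Return the reasons a new event departs from the baseline ([] = consistent).
    `factor` (assumed) is how far above its average a process may send before alerting."""
    reasons = []
    if event["id"] == 1:
        if (event["user"], event["image"]) not in base["user_proc"]:
            reasons.append("user %s has not run %s before" % (event["user"], event["image"]))
        if (event["parent"], event["image"]) not in base["parent_child"]:
            # catches a binary named svchost.exe that was not started by services.exe
            reasons.append("unusual parent %s for %s" % (event["parent"], event["image"]))
    elif event["id"] == 3:
        if (event["image"], event["dst"]) not in base["proc_dst"]:
            reasons.append("%s has never connected to %s" % (event["image"], event["dst"]))
        history = base["bytes_out"].get(event["image"])
        if history and event["sent"] > factor * (sum(history) / len(history)):
            reasons.append("%s sent %d bytes, over %.0fx its average"
                           % (event["image"], event["sent"], factor))
    return reasons
```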
IBM QRadar User Behavior Analytics (UBA) helps security analysts easily identify risky users, visualize their unusual activities and drill down into the underlying events and network flows that contributed to a user’s risk score. QRadar UBA combines behavioral rules and machine learning (ML) models to add user context to network, log, vulnerability and threat data to quickly and accurately detect attacks and unusual user behavior.

Detecting the Usage of Stolen Credentials
While Sysmon can help detect post-exploitation activities such as credential dumping, we always need to establish a defense-in-depth strategy.
We need to detect the stage where the attacker or phisher starts using the stolen credentials. IBM Security Trusteer helps us detect the use of stolen credentials with cloud-based intelligence, AI and patented machine learning, including detections for:
- Suspicious use of a device or an employee's credentials across different accounts, too frequently or from different locations; these are called velocity patterns.
- Session and device manipulation, and malicious use of VPNs or other virtual deceiving tools.
- Validating whether some of the device or session attributes already exist in Trusteer's fraud network.
- Use of a malware-compromised device that allows an attacker to steal employee credentials.
IBM Security Trusteer remote workforce solution provides a quick and agentless way to visualize risk and be alerted to unauthorized access from unmanaged devices used by your employees working from home. More details can also be found in Jose Bravo's video: Monitoring UNMANAGED devices (working from home) in QRadar

IBM QRadar Endpoint Content Extension
QRadar offers a unified set of use cases to detect the threats at the endpoint that includes the majority of MITRE tactics, including the initial execution, privilege escalation, credential dumping, lateral movement, etc. QRadar users can download it from the marketplace:
IBM QRadar Endpoint Content Extension
In the following two sections, we will highlight the two techniques most often used by attackers during their course of action. Traditionally they use DNS and PowerShell to carry out their malicious activities.
PowerShell
Adversaries are moving towards using standard sysadmin tools for their malicious activities; a prime example is using PowerShell to execute fileless malicious commands or to move laterally in the network.
Standard Windows logs and Sysmon logs create an event any time a new process is created, and the logged event contains the process command line. However, that is not sufficient: an adversary may start PowerShell and then execute commands inside it, which will not be logged in the process creation event. This is why we also need to collect the native PowerShell logs, in order to capture every command that is executed.
The following screenshot shows how QRadar detects malicious and obfuscated PowerShell commands using the entropy and length of the command line.
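To make the entropy-and-length idea concrete, here is an added example (written for this post, not QRadar's rule logic) that scores constructed Sysmon Event ID 1 command lines. The thresholds `min_len`, `min_entropy` and `entropy_min_len` are assumptions; the encoded command wraps a harmless Write-Host script built the way PowerShell's -EncodedCommand expects it (UTF-16LE, base64).

```python
import base64
import math

# Constructed Sysmon Event ID 1 command lines (not captured from a real system).
ENCODED = base64.b64encode(
    ("Write-Host 'constructed example'; " * 8).encode("utf-16le")).decode()
COMMAND_LINES = [
    "powershell.exe Get-Date",
    "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED,
]


def shannon_entropy(text):
    """Bits per character: 0.0 for one repeated character, higher for random-looking text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in (text.count(ch) for ch in set(text)))


def powershell_reasons(cmd, min_len=200, min_entropy=4.5, entropy_min_len=40):
    """Why a PowerShell command line looks obfuscated ([] = nothing flagged).
    Thresholds are assumptions for this example; tune them against your own baseline."""
    reasons = []
    if len(cmd) >= min_len:
        reasons.append("command line length %d >= %d" % (len(cmd), min_len))
    # entropy on very short strings is noisy, so only measure it past entropy_min_len
    ent = shannon_entropy(cmd)
    if len(cmd) >= entropy_min_len and ent >= min_entropy:
        reasons.append("entropy %.2f >= %.1f" % (ent, min_entropy))
    return reasons


def scan(command_lines):
    """Map each flagged command line to the reasons it was flagged."""
    flagged = {}
    for cmd in command_lines:
        reasons = powershell_reasons(cmd)
        if reasons:
            flagged[cmd] = reasons
    return flagged
```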

Analyzing the DNS queries
Whenever a user or process in the workstation is browsing and surfing the internet, it needs to resolve the domain name to an IP address. Gaining visibility into the DNS queries will help detect threats, such as:
- Queries to a recently created domain
- Queries to a random and lengthy domain name, like: leifhefoiewnmoiwuehdeiqdpwq3rp32ir3r.com
- DNS query with many subdomains, like: pictures.facebook.admin.myfacebook.fb.facebook.com.example.com
- Domain generation algorithms (DGA)
- Squatting, etc.
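The lengthy-name and many-subdomains cases in the list above, as an added example (written for this post, not the DNS Analyzer App's rules) that scores query names by label length, subdomain depth and label entropy. The thresholds are assumptions, and the registered domain is approximated as the last two labels, which a real deployment would replace with a public suffix list.

```python
import math

# Constructed query names; the two long ones are the illustrations used in the post.
QUERIES = [
    "www.example.com",
    "leifhefoiewnmoiwuehdeiqdpwq3rp32ir3r.com",
    "pictures.facebook.admin.myfacebook.fb.facebook.com.example.com",
]


def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in (text.count(ch) for ch in set(text)))


def dns_reasons(qname, max_label=25, max_depth=3, min_entropy=3.5, entropy_min_len=16):
    """Why a query name looks unusual ([] = nothing flagged). Thresholds are assumptions.
    The registered domain is taken as the last two labels (no public suffix handling)."""
    labels = qname.rstrip(".").lower().split(".")
    reasons = []
    depth = len(labels) - 2                      # labels below the registered domain
    if depth > max_depth:
        reasons.append("%d subdomain labels (> %d)" % (depth, max_depth))
    longest = max(labels, key=len)
    if len(longest) > max_label:
        reasons.append("label %r is %d chars (> %d)" % (longest, len(longest), max_label))
    for label in labels:
        # random-looking labels (typical of DGA output) have high character entropy;
        # short labels are skipped because their entropy is not meaningful
        ent = shannon_entropy(label)
        if len(label) >= entropy_min_len and ent >= min_entropy:
            reasons.append("label %r entropy %.2f (>= %.1f)" % (label, ent, min_entropy))
    return reasons


def scan(qnames):
    """Map each flagged query name to its reasons."""
    flagged = {}
    for q in qnames:
        reasons = dns_reasons(q)
        if reasons:
            flagged[q] = reasons
    return flagged
```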
Adversaries also utilize DNS for data exfiltration; QRadar Network Insights (QNI) can help detect and analyze DNS queries from inside the network. Recently, attackers started to exploit the SIGRed vulnerability, which is a remote command execution vulnerability. QNI can detect it by looking for specific DNS query types and the size of the DNS response.
The QRadar DNS Analyzer App has many out-of-the-box use cases that can be used to detect malicious and unusual DNS queries.

Interested in learning more? Register for the webinar, “Endpoint Security and Threat Hunting to Protect your Remote Workforce” on August 21 to learn how we can analyze the events and network traffic to detect a full chained attack.
References:
IBM QRadar Endpoint Content Extension
Detecting Stealthy Persistence Techniques Using QRadar and Sysmon
Identifying Named Pipe Impersonation and Other Malicious Privilege Escalation Techniques
Think Like A Hacker
IBM QRadar Content Extension for Sysmon
User Behavior Analytics for QRadar
IBM QRadar DNS Analyzer