So many different types of suspicious activity on endpoints, where to start?
Monitoring endpoints is one of the biggest challenges for a SOC. Within a customer infrastructure, user roles, software, and behaviors can vary significantly from one machine to the other. With so many assets and users to manage, the real challenge is to differentiate malicious behavior from normal operations.
The biggest difficulty is to target suspicious behavior without creating large numbers of false positives, so that analysts stay focused and efficient.
The IBM QRadar Endpoint Content Extension can help you reach that goal.
In this blog we are going to answer the following “How can I” questions using some of the scenarios included in the content pack.
How can I:
- Detect reconnaissance tools?
- Limit my risk from the ransomware I hear about daily?
- Monitor credential dumping?
- Detect that a basic administration task is executed by a malicious actor?
The IBM QRadar Endpoint Content Extension has been optimized to work with Windows (Security event logs, Sysmon and PowerShell) and Linux (Auditd), but can be extended to other devices for which the same behaviors apply (e.g. Mac OS, AIX). We’ll cover the installation of the prerequisites and the extension of the capabilities in the second part of this post.
Scenario Highlights
How can I detect reconnaissance tools?
Detecting reconnaissance tools is important for two main reasons: they are used by red teams as part of testing your detection capabilities, and they are used by malware to identify weaknesses and available attack paths in your network.
The IBM QRadar Endpoint Content Extension includes rules that help detect some of the tools used by both of these actors: Cobalt Strike, SharpHound, PingCastle, Advanced IP Scanner, AdFind, Everything and Masscan.
Below is some additional information about the tools the extension monitors for:
- BloodHound, and its data-ingestion tool SharpHound, is an application used to map hidden and unintended relationships within an Active Directory environment. Attackers can use these tools to easily identify attack paths.
- PingCastle is a tool commonly used by enterprises to assess the security of their Active Directory. Malicious actors can use this tool to detect vulnerabilities within the environment.
- Advanced IP Scanner is a network scanner that can be used to remotely control devices in an environment. This tool can be used during a ransomware attack to enable lateral movement.
- AdFind is a command line Active Directory query tool. It can be used to quickly identify weak points within an Active Directory configuration.
- Everything (or ES) is a search utility that finds files and folders quickly. This functionality can enable ransomware to gather information about all files and folders for later encryption.
- Masscan is a port-scanning tool. It is frequently used by attackers to list potentially vulnerable ports.
Here are a few examples of rules implemented:
Apply BB:BehaviorDefinition: Cobalt Strike Inbound Traffic on flows which are detected by the Local system and when the source is Remote and when the flow matches TLS JA3S Hash is not N/A and when the flow matches TLS JA3S Hash is any of b742b407517bac9536a77a7b0fee28e9
Apply BB:BehaviorDefinition: Cobalt Strike Process Address on events which are detected by the Local system and when the event(s) were detected by one or more of Microsoft Windows Security Event Log and when the event QID is one of the following (5001845) CreateRemoteThread and when the event matches Start Address (custom) is not N/A and when the event matches Start Address (custom) matches any of expressions \S+0B80
Apply Reconnaissance Tool Detected on events which are detected by the Local system and when an event matches any of the following BB:DeviceDefinition: Operating System and when the event category for the event is one of the following System.Process Creation Success, System.File Created and when the event matches LOWER("Process Name") MATCHES '(sharphound|bloodhound|pingcastle|advanced_ip_scanner|adfind|everything|es|masscan)(\.exe)?' OR LOWER("Filename") MATCHES '(sharphound|bloodhound|pingcastle|advanced_ip_scanner|adfind|everything|es|masscan)(\.exe)?' AQL filter query
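As an added example (not code from the content extension), the following Python script emulates the Reconnaissance Tool Detected rule above offline, so the pattern can be checked against sample events before the rule is enabled. It assumes that AQL MATCHES must match the whole string (which is why the post's other patterns carry `.*?` prefixes), hence `re.fullmatch`, and that the Process Name property holds the bare image name, so directories are stripped first.

```python
import re
from typing import Dict, List

# Added example, not code from the content extension: an offline emulation of
# the "Reconnaissance Tool Detected" rule. Assumptions: AQL MATCHES must match
# the whole string, so re.fullmatch is used; the Process Name property holds
# the bare image name, so directories are stripped here.
RECON_TOOLS = re.compile(
    r"(sharphound|bloodhound|pingcastle|advanced_ip_scanner|adfind|everything|es|masscan)(\.exe)?"
)
RULE_CATEGORIES = {"System.Process Creation Success", "System.File Created"}


def basename(path: str) -> str:
    """Strip Windows or Unix directory components."""
    return re.split(r"[\\/]", path)[-1]


def recon_tool_detected(event: Dict[str, str]) -> bool:
    """True when the event would fire the rule: right category and a
    Process Name or Filename that is exactly one of the tool names."""
    if event.get("category") not in RULE_CATEGORIES:
        return False
    for field in ("Process Name", "Filename"):
        value = event.get(field)
        if value and RECON_TOOLS.fullmatch(basename(value).lower()):
            return True
    return False


def run(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events that match the rule."""
    return [e["id"] for e in events if recon_tool_detected(e)]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"id": "e1", "category": "System.Process Creation Success",
     "Process Name": r"C:\Users\jdoe\Downloads\SharpHound.exe"},
    {"id": "e2", "category": "System.File Created", "Filename": "masscan"},
    {"id": "e3", "category": "System.Process Creation Success",
     "Process Name": r"C:\Windows\System32\svchost.exe"},
    # Full-match semantics: "estimates.exe" contains "es" but is not matched.
    {"id": "e4", "category": "System.Process Creation Success",
     "Process Name": "estimates.exe"},
    # Wrong category: ignored even though the name matches.
    {"id": "e5", "category": "Audit.Object Access Success",
     "Process Name": "adfind.exe"},
]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))  # ['e1', 'e2']
```

The `estimates.exe` case is why testing with `re.search` would give misleading results: the short `es` alternative only fires when the whole name is `es` or `es.exe`.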
How do I limit my risk from the ransomware I hear about daily?
Maze, Revil/Sodinokibi/Sodin, LockerGoga, Erebus, WCry, Petya, BadRabbit… These names are all familiar, and they are only the beginning of the long list of ransomware that has had a major impact in our field. Ransomware is complex: it mutates, its techniques vary, and it can act over a long period of time. But there are still tricks that can reveal the presence of ransomware (for more info, check out our ransomware dedicated blog entry).
Looking for decryption instructions
It is typical for ransomware to create a file that gives users instructions on how to pay the ransom and recover their files. Look for keywords such as decrypt, recover or instructions in the names of created files.
Apply Ransomware Decryption Instructions Created on events which are detected by the Local system and when an event matches any of the following BB:DeviceDefinition: Operating System and when the event category for the event is one of the following System.File Created and when the event matches Filename (custom) is not N/A and when the event matches LOWER("File Extension") MATCHES '.*?(where_my_files|how_to_(recover_data|decrypt)|contact_here_to_recover_your_files)' OR LOWER("Filename") MATCHES '(decrypt-files|[a-z0-9]{5,12}-readme|readme_for_decrypt)\.txt' OR (LOWER("Filename") MATCHES '.*?decrypt.*' AND LOWER("File Extension") IN ('txt','html')) AQL filter query
Looking for encrypted file extensions
Ransomware typically encrypts files and appends a specific file extension as part of its process.
Apply Ransomware Encrypted File Extension on events which are detected by the Local system and when an event matches any of the following BB:DeviceDefinition: Operating System and when the event category for the event is one of the following System.File Created, Audit.Object Access Success, Audit.File Access Success and when the event matches File Extension (custom) is not N/A and when the event matches LOWER("File Extension") MATCHES '.*?(j|0x0|aaa|abc|biz|btc|ccc|clf|cry|ecc|enc|exx|ezz|fun|gws|ha3|kkk|lok|oor|rdm|rmd|rrk|scl|szf|vvv|xxx|xyz|zzz|1999|bloc|code|crab|ctb2|ctbl|epic|gdcb|good|hb15|hush|krab|kyra|lock|lol\!|mole|pzdc|raid |razy|rdmk|rscl|trun|ttt\*|wall|xort|xrnt|xrtn|xtbl|34xxx|bleep|cazzo|crime|crinf|globe|lesli|magic|mecpt|micro|omg\!\*|oshit|rokku|saeid|sport|theva|vault|xdata|zendr|zepto|3angle|73i87a|8lock8|cerber|crysis |czvxce|doomed|dharma|dll555|duhust|enigma|flyper|frozen|hnyear|kraken|kratos|locked|p5tkjw|poar2w|purged|remind|wallet|zendrz|alcatraz|bart\.zip|blackblock|bloccato|bugsecccc|coverton|crjoker|darkness |encedrsa|enciphered|exploit|gefickt|gsupport|krypted|infected|kimcilware|korrektor|lechiffre|monstro|nochance|obfuscated|r16m01d05|radamant|sanction|securecrypted|surprise|unlockit|versiegelt |better_call_saul|don0t0uch7h\!\$cryptedfile|foobar\.docx\.onyon|justbtcwillhelpyou|kimcilware\.lechiffre|mychemicalromance4ever|only-we_can-help_you|r(5|4)a|crypt(ed|o|endblackdc)|cryp(1|t) |crypto(byte|win|shield|rlocker2015\!)|encryp(t|ted|tile|tedfile)|lock(y|ed)|key(z|h0les)|porn(o|oransom)|encrypted(aes|rsa)|btc(ware|btcbtc|-help-you)|(_|a|e|holly|super|tox|vs)crypt|aes(_ni|256|_ni_0day) |keybtc@inbox_com|helpdecrypt@ukr|dyatel@qq_com_ryp|(sql772|milarepa\.lotos|vegclass|ecovector2)@aol\.com|_23-06-2016-20-27-23_\$f_tactics@aol\.com\$.legion|\$centurion_legion@aol\.com\$.cbf |no\.(xop|btc|btcw)@protonmail\.ch|johnycryptor@hackermail\.com|(systemdown|greg_blood|savepanda|tombit|siri-down)@india\.com|pay(ransom|b|s|ms|mds|mts|mst|rms|rmts|mrts|btcs)|arzamass7@163\.com|암호화됨|uk-dealer@sigaint\.org|(oplata|relock|pizda|nalog|chifrator|gruzin|troyancoder)@qq_com)$' AQL filter query
Note: The rule includes a large number of extensions and is therefore disabled by default. You might want to add filters to the rule to reduce the scope of events tested before enabling it.
Looking for particular behavior of the most active ransomware
The IBM QRadar Endpoint Content Extension includes 11 additional detections for BadRabbit, Maze, Petya, REvil and WCry, in both events and flows.
Apply Ransomware: Maze Suspicious File Transfer on flows which are detected by the Local system and when the destination is Remote and when the flow matches Application is DataTransfer.FTP and when the flow matches File Name is any of [2.txt or ad.7z]
Apply Ransomware: WCry Payload in Flows on flows which are detected by the Local system and when the flow context is Local to Local and when the destination port is one of the following 445 and when the destination side of the flow has payload data and when the flow matches FORMAT::PAYLOAD_TO_HEX(destinationpayload) like '%00 00 00 31%' and FORMAT::PAYLOAD_TO_HEX(destinationpayload) like '%4a 6c 4a 6d 49 68 43 6c 42 73 72 00%' and FORMAT::PAYLOAD_TO_HEX(destinationpayload) like '%2b 00 00 00 00 98 07 c0%' AQL filter query
How can I monitor credential dumping?
There are many ways to search for credential information on a system. The IBM QRadar Endpoint Content Extension helps detect four of them:
- Registry scanning
- Dumping via Security Accounts Manager (SAM)
- Registry modification to force wdigest to store credentials in plain text
Apply Credential Dumping Activities Discovered on events which are detected by the Local system and when the event(s) were detected by one or more of Microsoft Windows Security Event Log and when the event category for the event is one of the following Audit.Object Access Success, System.Process Creation Success, Audit.Command Execution Success and when the event matches Process Name (custom) is any of [reg.exe or regedit.exe or regedit32.exe] and when the event matches LOWER("Process CommandLine") MATCHES '.*?reg(\.exe\")?\s+(add|query|save).*(uselogoncredential|password|sam|system|security).*' OR LOWER("Registry Key") MATCHES '\\system\\(controlset001|controlset002|currentcontrolset).*wdigest' AQL filter query
- Searching for passwords stored in plain text using findstr, grep, find or Select-String
Apply Search for Password Files using findstr (Windows) on events which are detected by the Local system and when the event(s) were detected by one or more of Microsoft Windows Security Event Log and when the event category for the event is one of the following System.Process Creation Success and when the event matches Process CommandLine (custom) is not N/A and when the event matches LOWER("Process Name") MATCHES 'findstr\.exe' AQL filter query and when the event matches LOWER("Process CommandLine") MATCHES '.*?password.*' AQL filter query
How can I detect that a basic administration task is executed by a malicious actor?
The MITRE ATT&CK matrix is certainly a good guide for implementing monitoring of endpoints and cloud environments, but it can sometimes be challenging to apply because of the “simplicity” of the techniques.
How do I ensure that the techniques Hidden Files and Directories (now a sub-technique of Hide Artifacts) or Remote Desktop Protocol (now a sub-technique of Remote Services) do not generate false positives every time an administrator creates a file or connects to a server?
The route chosen in the IBM QRadar Endpoint Content Extension is to correlate these basic actions with malicious ones.
The BB:BehaviorDefinition: Regular Endpoint Administration Building Block includes all the behavior definitions of actions that are fairly common in an administrator’s day (user management, file management, discovery from the command line).
Apply BB:BehaviorDefinition: Regular Endpoint Administration on events which are detected by the Local system and when an event matches any of the following BB:BehaviorDefinition: Admin Privileges Added (Unix), BB:BehaviorDefinition: Admin Privileges Added (Windows), BB:BehaviorDefinition: Admin Privileges Removed (Windows), BB:BehaviorDefinition: Download Utilities in Events, BB:BehaviorDefinition: Group or Account Discovery, BB:BehaviorDefinition: Hidden File or Folder Created, BB:BehaviorDefinition: Password Policy Discovery (Unix), BB:BehaviorDefinition: Password Policy Discovery (Windows), BB:BehaviorDefinition: Run as Superuser or Another User (Unix), BB:BehaviorDefinition: Run as Superuser or Another User (Windows), BB:BehaviorDefinition: User Account Added (Unix), BB:BehaviorDefinition: User Account Added (Windows), BB:BehaviorDefinition: User Account Deleted (Unix), BB:BehaviorDefinition: User Account Deleted (Windows), BB:CategoryDefinition: File Permission Changed, BB:BehaviorDefinition: PowerShell File Download Activity, BB:BehaviorDefinition: PowerShell File Upload Activity, BB:BehaviorDefinition: Directory Discovery (Windows), BB:BehaviorDefinition: Repeated Nslookup Usage, BB:BehaviorDefinition: Hostname or Network Discovery, BB:BehaviorDefinition: Multiple File Deletions on Endpoint System, BB:BehaviorDefinition: Directory Discovery (Unix)
The BB:BehaviorDefinition: Suspicious Endpoint Activities Building Block references all the rules that already create offenses.
Apply BB:BehaviorDefinition: Suspicious Endpoint Activities on events which are detected by the Local system and when an event matches any of the following Communication with a Potential Hostile Host, Communication with a Potential Hostile IP Address, Credential Dumping Activities Discovered, Critical File Permission Changed (Unix), Critical Security Tool Killed (Unix), Critical Security Tool Stopped, Detection of Malicious IOC, File Created with Right to Left Override, File Created with Space After Filename, Potential Component Object Model (COM) Hijacking, Potential DLL Hijacking, Potential Malicious Application Shimming, Programming Environment Spawned by a Suspicious Process, Process Masquerading (Unix), Process Masquerading (Windows), Recommended Blocked Process is Running, User Account Creation followed by Account Deletion (Unix), User Account Creation followed by Account Deletion (Windows), Attempt to Delete Shadow Copies, Cobalt Strike Behavior Detected, Excessive Failed Access to an Administrative Share from the Same Source, Excessive File Deletion and Creation, Excessive Login Failures via RDP, Excessive Login Failures via RDP to Multiple Machines, Excessive Nslookup Usage, Ransomware Decryption Instructions Created, Ransomware Encrypted File Extension, Ransomware: Maze IOC in Events, Ransomware: REvil IOC in Events, RDP Hijacking Tool Detected, Reconnaissance Tool Detected, Recovery Disabled in Boot Configuration Data, Search for Password Files using findstr (Windows), Search for Password Files using grep or find (Unix), Search for Password Files using Select-String (Windows), SharpHound PowerShell Detected, Suspicious Amount of Files Deleted on the Same Machine, Suspicious Amount of Files Renamed on the Same Machine (Windows), Suspicious Amount of Files Renamed/Moved on the Same Machine (Unix)
The Suspicious Activity Followed by Endpoint Administration Task rule adds the administration actions to the offenses created by the suspicious action.
Apply Suspicious Activity Followed by Endpoint Administration Task on events which are detected by the Local system and when BB:BehaviorDefinition: Regular Endpoint Administration match at least 1 times in 10 minutes after any of BB:BehaviorDefinition: Suspicious Endpoint Activities match with the same Machine ID (custom)
As an example, this rule triggers if the BB:BehaviorDefinition: User Account Added Building Block matches after the Credential Dumping Activities Discovered rule; this could indicate that a malicious actor is in the process of creating an account for persistence.
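To make the sequence concrete, here is an added Python emulation of the Suspicious Activity Followed by Endpoint Administration Task rule (not the content extension's own logic) run over a constructed timeline. It assumes events are processed in time order, that each event is already tagged as matching either BB:BehaviorDefinition: Suspicious Endpoint Activities or BB:BehaviorDefinition: Regular Endpoint Administration, and that a newer suspicious event on the same machine restarts the 10-minute window.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Added example, not the content extension's own logic: a minimal offline
# emulation of the "Suspicious Activity Followed by Endpoint Administration
# Task" rule. Assumptions: events arrive in time order; "kind" records which
# building block an event already matched ("suspicious" or "admin"); a newer
# suspicious event on the same machine restarts the window.
WINDOW = timedelta(minutes=10)


def correlate(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (machine_id, suspicious_rule, admin_building_block) for every
    administration action seen within WINDOW after suspicious activity on the
    same machine; these are the events the rule would add to the offense."""
    open_windows: Dict[str, Tuple[datetime, str]] = {}
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        mid, ts = ev["machine_id"], ev["time"]
        if ev["kind"] == "suspicious":
            open_windows[mid] = (ts, ev["rule"])      # open or restart window
        elif ev["kind"] == "admin" and mid in open_windows:
            start, rule = open_windows[mid]
            if ts - start <= WINDOW:
                hits.append((mid, rule, ev["rule"]))
            else:
                del open_windows[mid]                  # window expired
    return hits


def t(hhmm: str) -> datetime:
    """Constructed timestamp helper (the date is arbitrary)."""
    return datetime(2021, 1, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample timeline (not real telemetry)
SAMPLE = [
    # Account added before any suspicious activity: plain administration.
    {"time": t("09:58"), "machine_id": "WS01", "kind": "admin",
     "rule": "BB:BehaviorDefinition: User Account Added (Windows)"},
    {"time": t("10:00"), "machine_id": "WS01", "kind": "suspicious",
     "rule": "Credential Dumping Activities Discovered"},
    # Same machine, 4 minutes later: correlated, possible persistence.
    {"time": t("10:04"), "machine_id": "WS01", "kind": "admin",
     "rule": "BB:BehaviorDefinition: User Account Added (Windows)"},
    # Different machine: not correlated.
    {"time": t("10:05"), "machine_id": "WS02", "kind": "admin",
     "rule": "BB:BehaviorDefinition: User Account Added (Windows)"},
    # Same machine but 30 minutes later: outside the window.
    {"time": t("10:30"), "machine_id": "WS01", "kind": "admin",
     "rule": "BB:BehaviorDefinition: Hidden File or Folder Created"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE):
        print(hit)
```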
Other Use Cases
The IBM QRadar Endpoint Content Extension covers many more use cases, including the following:
- Attempt to delete Shadow Copies
- Boot Recovery Disablement
- COM Hijacking
- RDP Hijacking
- Process Masquerading
- Malicious program executing scripts
- Malicious software downloading files
- Remote script execution
- Suspicious account management
- Password policy discovery
- Suspicious file management
- and more
Refer to the documentation for the exhaustive list of content included.
The content pack also includes a Pulse dashboard, which provides a global overview of your environment.
QRadar configuration
Install the DSM
Download and install the DSM relevant to your environment via Auto-Updates or Fix Central. The content pack has been optimized to work with Windows and Linux environments, but can be adapted to any operating system.
Configure the devices
Refer to the DSM Guide for the basic configuration.
Additional steps must be taken to configure Sysmon on Windows and Auditd on Linux to match all the rules included in the content pack.
Sysmon configuration on IBM Knowledge Center
Auditd configuration on IBM Knowledge Center
Install the Content Extensions
Rules
The IBM QRadar Endpoint Content Extension is available on the App Exchange.
Properties
The pack contains Custom Property definition placeholders: you can copy the Custom Properties provided and adapt them to your environment by adding expressions under each definition. You can also download our sets of Custom Properties.
Let's take the example of the rule RDP Hijacking Tool Detected.
Apply RDP Hijacking Tool Detected on events which are detected by the Local system and when an event matches any of the following BB:DeviceDefinition: Operating System and when the event category for the event is one of the following System.Process Creation Success and when the event matches LOWER("Process Name") MATCHES '(ngrok|tscon).*' AQL filter query
This rule would work the same way for any log source type (including custom types) included in the Operating System building block, as long as QRadar parses the Process Name Custom Property and the Process Creation event is categorized as System.Process Creation Success.
Custom Property placeholders are meant to be reused to adapt the content to any environment.
Custom Event Properties UI:
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.