Introduction to Malware Endpoint hunting

Imagine at this stage that threat intelligence feeds are in place and network traffic/flow is being monitored, but nothing is producing warnings that warrant further investigation. That does not imply that the attacker has not gained access to the network. They likely breached the perimeter fortifications by circumventing the perimeter defenses. Perhaps an employee’s laptop was compromised at home or in a nearby coffee shop, and the enemy gained access to the heart of our organization. To be successful as a hunter, you must assume that the enemy has already gained access and that you must locate them. In this article we will concentrate on locating malware endpoints.

Before we can begin hunting, we must focus on the fundamentals, namely the endpoints that we are employed to guard and that attackers are targeting.

Servers often undergo little change. Meaning that software is not installed on a daily basis. The services, processes, etc. are consistent on a daily basis. Windows updates may be performed monthly or quarterly. If servers are watched, it should be easier to detect irregularities than on desktop devices.

Each organization will have its own set of regulations prohibiting or permitting the end user to undertake specific actions.

Some organizations grant end users local administrator privileges because it’s simpler to let the end user to install and configure anything rather than phoning the help desk or because an application will function if the user is granted local administrator privileges.

Some corporations will give end users local admin rights to certain folders, services, etc. but this can still pose a significant problem.

If this is known to an attacker then that can be exploited to gain access and elevate privileges on the system.

When it comes to the Windows core processes and attempting to determine whether or not it is a legitimate core process, we can consider the following factors:

  • Was it spawned by the intended parent process?
  • Is it deviating from the expected course?
  • Is the spelling correct?
  • Is it running with the correct SID?
  • Is the signature from Microsoft?

Hunting tips:

  • Core Windows processes shouldn’t running from Windows temp locations, or the Recycle Bin, neither should be communicating to any outbound IPs.
  • Check for digital signatures. (All Microsoft artifacts should be digitally signed)
  • Look for any process that have cmd.exe, wscript.exe, etc. running as a child process, especially for web browsers.
  • Lastly, you’ll need to dig deeper and that is where memory analysis will come into play to find since of DLL injection, Process Hollowing, etc.

This article’s objective is to search for malicious objects lurking within processes, services, files, and folders, etc.

In the following paragraphs, we will explain baselining, a practice that many businesses should employ within their organizations.

As stated in the post entitled hunting web shells baselines will assist you in discovering irregularities within system processes, services, drivers, installed apps, file structures, etc.

A baseline is a file used to compare current settings and/or setups. The present state of a machine, file system, etc. can be compared to the baseline to identify any anomalies.

In theory, the baseline would be produced whenever a developer or development team last modified the folder structure. At the time of comparison, whether daily, weekly, etc., this baseline (CSV) would be compared to the present-day folder structure (CSV).

If a changed or new file is identified, this would be an indication to check the web server in question further. If your organization engages in change management, there would be some indication that a folder structure update was slated to occur.

If there is no trace of an authorized update, you will know that something unauthorized occurred, whether intentionally or not.

A number of products, including TripWire, SolarWinds, AlienVault, TrustWave, and LogRhythm, aid in monitoring unwanted file modifications.

In a big corporate system with hundreds of thousands of nodes, it is impossible to detect these modifications and investigate each modified or new file.

The process of comparing artifacts to a set configuration or merely detecting changes that do not adhere to a specified policy can be aided by numerous appliances.

Regardless of the wording, security devices on the market are capable of doing the task. Occasionally, organizations do not incorporate these functions within these already-present network equipment, despite the fact that they should.

System Center Configuration Manager (SCCM) is capable of performing this function as an example:

System Center Configuration Manager configuration baselines include predefined configuration items and, potentially, other configuration baselines. After creating a configuration baseline, you can distribute it to a collection so that devices in that collection may download it and assess their compliance with it.

System Center Configuration Manager

Why is SCCM used as an illustration?

As indicated previously, many major organizations may already have SCCM in place to deliver OS images, Windows Updates, push software packages, etc., but SCCM may not be leveraged to its best capacity. Occasionally, the Security Team is unaware of the full capabilities of the apps utilized by other IT teams in the environment. SCCM is a prime illustration.

PowerShell Desired State Configuration

If you have a limited security budget and do not want to wait until the following fiscal year to request a new, much-needed security equipment, you can use PowerShell. We have already seen how PowerShell can help us detect file changes.

PowerShell can also assist with machine configuration baselines. This PowerShell feature is called Desired State Configuration.

Desired State Configuration (DSC) is crucial to the configuration, management, and upkeep of Windows-based servers. It enables a PowerShell script to specify the setup of a computer using a declarative model in a straightforward, standard, and easy-to-understand manner.

Two primary benefits of Desired State Configuration are:

  • The ability to configure machines identically in order to standardize them; and

  • Ensure that, at a given time, the configuration of a machine is equal to its starting configuration in order to prevent drift.

If you are familiar with Puppet, Ansible or Chef, then you can understand DSC.

Microsoft Security Compliance Manager

Microsoft Security Compliance Manager is another product that may prove handy.

SCM provides ready-to-deploy policies and DCM configuration packs based on Microsoft security guide recommendations and industry best practices, enabling you to manage configuration drift and address compliance requirements for Windows operating systems, Office applications, and other Microsoft applications with relative ease.

You can get Windows 7 Security Baseline, Windows Server 2008 Security Baseline, and Windows 2012 Security Baseline, all based on distinct Microsoft products.

Here you may get Microsoft Security Compliance Toolkit 1.0 for Windows 10.

On TechNet, it is mentioned that Microsoft Security Compliance Manager has been retired, although PowerShell DSC’s growing popularity is also mentioned, which has already been mentioned.

For certain forms of analysis, such as memory analysis, it is advantageous to have a process or service baseline to compare to a memory image in order to detect malware on a system.

In the following paragraphs, we will examine how to establish these baselines using PowerShell.

Services Baseline

You can use the Get-Service PowerShell cmdlet to obtain a baseline of the running services on a freshly imaged and configured system.

Get-Service * | Where {$_.status -eq "Running"} | Export-Clixml Baseline-Services.xml

A concise description of the code (only components not previously described):

  • The Get-Service * cmdlet instructs PowerShell to retrieve all of the device’s services.

  • Where $_.status –eq "Running" is present, these entries are filtered and only running services are exported to an XML file.

Compare-Object, another PowerShell cmdlet, can be used to compare the original services baseline (XML) to the current list of running services on any particular device:

Compare-Object (Import-Clixml Baseline-Services.xml)(Get-Service * | Where {$_.status -eq "Running"}) -Property DisplayName | Where-Object {$_.sideindicator -eq "<="}

Compare-Object instructs PowerShell to compare 2 sets of objects. The first object is represented by Import-Clixml Baseline-Services.xml. We’re importing the baseline file here (XML). Second object - Obtaining the list of currently operating services.

  • -Property DisplayName instructs PowerShell to retrieve the service’s display name.

  • Where-Object $_.sideindicator –eq "<=" instructs PowerShell to only display elements that Compare-Object indicates as being distinct from the baseline.

The same can be done with a system’s processes.

You only need to make a few modifications to the preceding PowerShell code, and instead of Get-Service, we will use Get-Process.

Get-Process | Export-Clixml Baseline-Processes.xml

Get-Process instructs PowerShell to obtain all the processes in the device and export information to a XML file.

As you can see in the code below, to conduct the comparison, is comparable with a minor modification:

Compare-Object (Import-Clixml Baseline-Processes.xml)(Get-Process) -Property Name | Where-Object {$_.sideindicator -eq "<="}

As you have seen, the same PowerShell code snippet used to generate a baseline for operating services on a Windows machine was also used to create a baseline for running processes.

There are further baselines that can be created with PowerShell.

Baselines can be established for virtually anything. What do you wish to use as a baseline against which you may need to conduct a comparison in the future to detect anything suspicious?

Get-WmiObject Win32_UserAccount | Export-Clixml Baseline-UserAccounts.xml
Get-WmiObject Win32_OperatingSystem | Export-Clixml Baseline-OS.xml
Get-WmiObject Win32_SystemUsers | Export-Clixml Baseline-SystemUsers.xml

In addition to the previously specified components, the following should be baselined (if not controlled by Active Directory):

  • Accounts on a computer system (user or service)
  • System administrators on the local level
  • Folder permissions
  • Folders contents: Tasks folder (scheduled tasks), Network directories holding executables and files for internal installation

Consult the MSDN page on Win32 Classes for the names of the WMI classes accessible using the Get- WMIObject PowerShell cmdlet.

Conclusion

Creating baselines is a crucial security step that must be completed if you have enterprise-grade appliances or use free technologies like PowerShell.

We’ve discussed the significance of developing various sorts of baselines, but don’t forget that you have access to tools that will facilitate the creation of these crucial artifacts.

References

MSDN Create configuration baselines in Configuration Manager

Puppet

Ansible

Chef

Microsoft Security Compliance Manager

Microsoft Security Compliance Toolkit 1.0

Win32 Classes

WMI Classes

Want to learn practical Threat Hunting tactics and strategies? Enrol in MTH - Certified Threat Hunter Certification.