In our first two blogs of this series we installed and configured a basic Sysmon setup with a verbose custom view. Now we are going to show how even this simple setup can help with threat hunting and incident response. This is a very basic investigation to start with, but we will continue to ramp things up over the coming months.
Modern antivirus, despite being very good at identifying and blocking known threats, can still be bypassed by unknown exploits (zero days) and malicious MS Office document macros. Like any other software, it can also have issues that prevent it from working correctly, which is why you need an effective logging solution that allows investigations to identify instances where malware has circumvented the protection in place.
This blog will use techniques we taught during our “Creating a Cyber Attack” series, so if you want to follow along and install a backdoor to hunt, you can use the same malicious exe and website from that exercise. The first blog is here: https://blog.2code-monte.co.uk/2020/09/26/making-a-malicious-word-document-part-1-dde-vulnerability-feature/
In our scenario an end user has been duped into visiting a malicious website and downloading an application. They contact the service desk to report that they think they have made a mistake, and we are going to try to identify whether there is any malicious activity on their asset. Let’s jump in.
Our user has visited the following site
And run the following application from the site
We connect to the asset, open Event Viewer and select the custom view we created earlier. We know roughly when they visited the website, and we quickly find a file create event at the same time for the file “update_flash.exe”.
The next log entry shows the process create event for “flash_update.exe”, which was downloaded from legitimate.website.com.
We now have the .exe name and the website address. The same log also shows the process ID (2508) and the parent process ID (3584). Let’s use Task Manager to see if we can gather a bit more info, and see if they are still running.
Once Task Manager has opened, select to show processes from all users.
Then select “View”
and ensure PID is ticked so the process identifier column is displayed.
Now that the PIDs are shown, click the column header to sort numerically, making them easier to find.
We can see the parent process 3584, but no sign of 2508, even though we can see “flash_update.exe” is still running, but under a different PID.
Let’s right click the “flash_update.exe” process and look at the properties.
We can see that although the exe is named flash_update, the description is completely different, and the product name seems to suggest it is something to do with an HTTP server.
If we compare this to a genuine Adobe file already installed on the same asset, it’s clear something is not right.
Let’s go back into the Sysmon logs and look for more info. Below we can see in the timeline that after the file create and process create events we have a network connection detected for the same “flash_update.exe”. Sysmon gives us a bucket load of information for this, including:
- The process ID
- Source and destination hostname
- Source and destination IP addresses
- Source and destination port numbers
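As an added example (not code from the original post), the following Python script correlates the three Sysmon event types used in this walk-through, FileCreate (Event ID 11), ProcessCreate (Event ID 1) and NetworkConnect (Event ID 3), into a per-executable timeline and flags the same pattern we found by hand in Event Viewer. The events, PIDs, paths, IP addresses and the OriginalFileName value are constructed sample data, and the name-mismatch check stands in for the Task Manager properties comparison above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from ntpath import basename

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def _event(event_id, utc, **data):
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="UtcTime">{utc}</Data>{fields}</EventData></Event>')

DOWNLOAD = r"C:\Users\user\Downloads\flash_update.exe"
# Constructed Sysmon sample in Event Viewer XML form (not from the post): 11 = FileCreate, 1 = ProcessCreate, 3 = NetworkConnect
SAMPLE_EVENTS = [
    _event(11, "2020-10-01 10:00:01.000", ProcessId=3584, Image=r"C:\Browser\browser.exe",
           TargetFilename=DOWNLOAD),
    _event(1, "2020-10-01 10:00:05.000", ProcessId=2508, ParentProcessId=3584, Image=DOWNLOAD,
           OriginalFileName="httpd.exe", Description="Example HTTP Server"),
    _event(1, "2020-10-01 10:00:07.000", ProcessId=6012, ParentProcessId=1200,  # benign: not flagged
           Image=r"C:\Windows\System32\notepad.exe", OriginalFileName="NOTEPAD.EXE"),
    _event(3, "2020-10-01 10:00:09.000", ProcessId=2508, Image=DOWNLOAD, SourceIp="10.0.0.5",
           SourcePort=49712, DestinationIp="192.0.2.10", DestinationPort=8443),
]

def parse_event(xml_text):
    """Flatten one Sysmon event into a dict of its EventData fields plus EventID."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): d.text for d in root.iterfind(f"{{{NS}}}EventData/{{{NS}}}Data")}
    rec["EventID"] = int(root.find(f"{{{NS}}}System/{{{NS}}}EventID").text)
    return rec

def build_timeline(xml_events):
    """Group events by exe name: FileCreate keyed on the file written, 1/3 on the image that ran."""
    timeline = defaultdict(list)
    for rec in sorted(map(parse_event, xml_events), key=lambda r: r["UtcTime"]):
        path = rec["TargetFilename"] if rec["EventID"] == 11 else rec["Image"]
        timeline[basename(path).lower()].append(rec)
    return timeline

def flag_suspicious(timeline):
    """Names written to disk, then executed, then connecting out; name_mismatch = PE OriginalFileName differs from disk name."""
    hits = {}
    for name, events in timeline.items():
        ids = [e["EventID"] for e in events]
        if ids[:1] == [11] and 1 in ids and 3 in ids:
            proc = next(e for e in events if e["EventID"] == 1)
            conn = next(e for e in events if e["EventID"] == 3)
            hits[name] = {"pid": int(proc["ProcessId"]), "parent_pid": int(proc["ParentProcessId"]),
                          "destination": f'{conn["DestinationIp"]}:{conn["DestinationPort"]}',
                          "name_mismatch": proc.get("OriginalFileName", "").lower() != name}
    return hits
```

Running `flag_suspicious(build_timeline(SAMPLE_EVENTS))` returns only flash_update.exe with PID 2508, parent 3584, the destination it connected to and a name mismatch, which are exactly the facts we then take to Task Manager and netstat.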
Let’s open a cmd prompt and use netstat to look for the connection.
We are going to use the flags “a”, “n” and “o” with the cmd below.
- -a – Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
- -n – Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
- -o – Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager.
You can use netstat to list just TCP ports, or just a specified port, but for demo purposes we are using “-ano”. There’s a good netstat tutorial here: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat
We have highlighted the column headers this command provides and also highlighted the malicious process we have identified as running on this asset.
Sysmon has provided most of the information we need to be able to either monitor the machine for further information or terminate the malicious process.
Here we have the attacker’s view of the connection
Here we have shown how to run a basic investigation using only Sysmon and Task Manager. There are lots of other tools at our disposal, and we will cover some of these in the future.