While most organizations have antivirus and firewall solutions, modern attacks such as those seen in the SolarWinds campaign and large-scale ransomware attacks delivered by commodity malware will continue to be a blindspot in a company’s security posture if the organization is not able to detect adversarial actions on process behavior.

From the use of novel deployment techniques like supply chain compromise to malware authors refactoring malware code to defeat static signatures, having the ability to monitor and detect obscure processes in your environment will give you ample opportunity to catch threat actors when other tools have failed.

Case 1: SolarWinds/UNC2452

In a blog post, Microsoft detailed how the group behind the SolarWinds campaign worked to maintain operational security, so that the origin of the malware would not be exposed even if their follow-on actions were later detected.

We see the threat actors took advantage of many legitimate tools to complete the objectives of their campaign, such as Windows Management Instrumentation (WMI), a file archiving utility called 7zip, and a tool to query Active Directory, Adfind. All of these tools can be used for legitimate, non-malicious reasons in an organization, so they will never be added to a virus definition database.

However, you can easily detect malicious use of these utilities by monitoring their invocations for the patterns observed in current threat actors’ campaigns.

Here are WMI patterns for behavior-based detection from UNC2452 activity:

When executed during lateral movement, rundll32.exe was run through WMIC or Invoke-WMIMethod with "High" integrity level and spawned by WmiPrvSE.exe, which is a rare combination.

The Cobalt Strike DLL was likely deleted after completed execution to avoid forensic recovery.
Variant 1 (executed from PowerShell as a result of issuing the "remote-exec" Cobalt Strike command):

Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\Windows\[folder]\[beacon].dll [export]' -ComputerName [target]

Variant 2 (executed from rundll32.exe):

wmic /node:[target] process call create "rundll32 c:\windows\[folder]\[beacon].dll [export]"
T1047 | Windows Management Instrumentation (WMI)

Case 2: Ransomware Operators

It’s likely the greatest and most impactful threat faced by many organizations today is big-game ransomware. ‘Big game’ means these ransomware operators are looking for large organizations that they can gain access to and elevate privileges to a high-enough position to encrypt large sections of an enterprise network and exfiltrate high-value data.

While antivirus software may focus on detecting the presence of actual ransomware in your environment, that is often a futile endeavor, as the threat actors usually have enough permissions to disable the security tools by the time they’re deploying ransomware. Rather, it is much more effective to detect the behaviors leading up to the ransomware deployment and stop the threat actor before they can reach that stage of the intrusion. Previously, we mentioned the use of the Adfind utility by the UNC2452 threat actors. They are not the only threat group using the tool; in multiple reports, Ryuk, Egregor, Nefilim, and others have been seen using this tool as well.

Being able to detect the following command invocations using process monitoring would identify many of these actors long before they can act to deploy ransomware:

adfind.exe -f (objectcategory=person) > FILE.txt
adfind.exe -f objectcategory=computer > FILE.txt
adfind.exe -f (objectcategory=organizationalUnit) > FILE.txt
adfind.exe -subnets -f (objectCategory=subnet) > FILE.txt
adfind.exe -f "(objectcategory=group)" > FILE.txt
adfind.exe -gcb -sc trustdmp > FILE.txt

Likewise, most of the ransomware gangs – and the malware they use to access many networks – also use the built-in Windows utility “nltest.” Being able to monitor and alert on the following invocations will translate to a high-fidelity alert to stop early activity of many of these threat actors.

nltest /dclist:"DOMAINNAME"
nltest /domain_trusts /all_trusts
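The three patterns above (rundll32.exe spawned by WmiPrvSE.exe at High integrity, the AdFind enumeration queries, and the nltest discovery switches) can be turned into process-monitoring rules. The following is an added example, not code from the original post or from Blumira; it runs over constructed Sysmon-style process-creation records with assumed field names (Image, CommandLine, ParentImage, IntegrityLevel) and placeholder paths.

```python
import re

# Constructed Sysmon Event ID 1 style records for illustration only;
# the paths, DLL name and export are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 c:\windows\temp\beacon.dll StartW",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "IntegrityLevel": "High"},
    {"Image": r"C:\Tools\adfind.exe",
     "CommandLine": r"adfind.exe -f (objectcategory=person) > ad_users.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": r"nltest /domain_trusts /all_trusts",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "IntegrityLevel": "Medium"},
    # Benign control: rundll32 launched by Explorer, so it must not fire.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium"},
]

# Object categories and the trust dump seen in the AdFind invocations above.
ADFIND_RECON = re.compile(
    r"objectcategory=(person|computer|organizationalUnit|subnet|group)|\btrustdmp\b",
    re.IGNORECASE)
# Domain controller listing and trust enumeration via nltest.
NLTEST_RECON = re.compile(r"/dclist:|/domain_trusts", re.IGNORECASE)

def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the name of the matching rule, or None if the event is benign."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    if image == "rundll32.exe" and parent == "wmiprvse.exe" and event["IntegrityLevel"] == "High":
        return "T1047: rundll32.exe spawned by WmiPrvSE.exe at High integrity"
    if image == "adfind.exe" and ADFIND_RECON.search(cmd):
        return "AdFind Active Directory enumeration"
    if image == "nltest.exe" and NLTEST_RECON.search(cmd):
        return "nltest domain controller / trust discovery"
    return None

def scan(events):
    """Return (command line, rule) pairs for every event that matched a rule."""
    return [(e["CommandLine"], r) for e in events for r in [classify(e)] if r]
```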

How to Get Process Monitoring

Hopefully, the cases presented have provided some insight into why you need to monitor processes in your environment. So, the next logical question is – how do I do that? Well, there are a few approaches you can take.

One option is to deploy what is known as an endpoint detection and response (EDR) solution. The benefits of an EDR deployment include access to vendor support and additional capabilities beyond just process monitoring, but the capital expense can be high.

You can also enable process monitoring in Windows logs. This is a free feature inherent in the Windows operating system. But the trade-off is that it is much more limited than EDR, and can miss malicious activity that EDR can detect. Additionally, you need to be logging these to a SIEM. Traditional SIEMs come with a downside of the user needing to write their own rules and maintain these as new threats emerge. This can be mitigated by using a cloud SIEM like Blumira that manages rules and detections so that customers always have detections covering the latest threats.

Finally, another free option is Sysmon, which extends the capabilities of logging in Windows far beyond the built-in log sources. This can give you EDR-like coverage without the upfront capital expenditure of additional security software.

Guide to Microsoft Security

To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity. Download our Guide to Microsoft Security.
