Top Indicator an Application Has Been Pwnd: Starting a LOLBin

Webinar Registration

I’ve been emphasizing lately that most attacks begin with a malicious document being opened by one of a handful of highly vulnerable end-user applications: Word, Excel, Outlook, PowerPoint, Acrobat and other PDF apps. These applications are so vulnerable because they are feature-rich, support dynamic, active content, and parse and process untrusted content straight from the Internet. For the purposes of this discussion, I’ll call these the gateway applications.

Most frequently, the initial payload in the document runs another process to proceed with the attack. Sometimes that process is a malicious executable downloaded from a staging site, but attackers are trying to stay under the radar, so more often they use PowerShell, CMD.exe or any one of a host of other executables built into Windows, collectively called Living Off the Land Binaries (LOLBins).

In this webinar, we will take a close look at detecting malicious child processes spawned by each gateway application. First, we need to baseline the legitimate child processes that gateway apps start in the normal course of user activity. Then we need to compare those binaries to a list of common LOLBins to identify how frequently, and in which cases, these gateway apps legitimately use LOLBins.

The primary Windows Security Log Event for determining this is 4688 - A new process has been created. I already have “Audit Process Creation” enabled on my team’s workstations and I’ll be analyzing all the processes started by gateway apps. 

I would encourage you to do the same right now. Why don’t you enable “Audit Process Creation” on your workstation, if it’s not already enabled, and start collecting data? Here is a nifty LogParser script that will analyze your Security Log and produce a list of unique parent/child process names.

logparser "select distinct EXTRACT_TOKEN(Strings,13,'|') AS parent, EXTRACT_TOKEN(Strings,5,'|') as Child into c:\junk\parent-child.csv from security where EventId=4688" -o:csv

My initial investigation indicates that for most environments, the number of different binaries started by these “gateway” apps is pretty limited, with little overlap with LOLBins, which makes our job much easier.
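One way to run the baseline-then-compare step over the parent-child.csv produced by the LogParser command above. This is an added example, not part of the original page or the webinar material. The gateway image names, the starter LOLBin list, the sample rows and the baseline are all assumptions constructed for illustration; substitute your own.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed image names for the gateway apps (Word, Excel, Outlook, PowerPoint, Acrobat Reader).
GATEWAY_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "acrord32.exe"}
# Assumed starter LOLBin list; extend it from the reference list you use.
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed sample rows in the shape of parent-child.csv (columns: parent, Child).
SAMPLE_CSV = r"""parent,Child
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\splwow64.exe
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\System32\cmd.exe
C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe
"""
# Constructed baseline: (parent, child) pairs already reviewed as normal user activity.
BASELINE = {("winword.exe", "splwow64.exe"), ("excel.exe", "cmd.exe")}

def image_name(path):
    """Reduce a full Windows path to a lower-cased file name for comparison."""
    return PureWindowsPath(path.strip()).name.lower()

def triage(csv_text, baseline=frozenset()):
    """Label each child started by a gateway app: lolbin, lolbin-baselined, new or baselined."""
    findings = defaultdict(lambda: defaultdict(set))
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2 or row[0].strip().lower() == "parent":
            continue  # skip blank lines and the header row
        parent, child = image_name(row[0]), image_name(row[1])
        if parent not in GATEWAY_APPS:
            continue  # only process lineage that starts at a gateway app matters here
        known = (parent, child) in baseline
        if child in LOLBINS:
            # A baselined LOLBin is the ambiguous case: review its command line in 4688.
            label = "lolbin-baselined" if known else "lolbin"
        else:
            label = "baselined" if known else "new"
        findings[parent][label].add(child)
    return {p: {k: sorted(v) for k, v in d.items()} for p, d in findings.items()}

if __name__ == "__main__":
    for parent, labels in sorted(triage(SAMPLE_CSV, BASELINE).items()):
        for label, children in sorted(labels.items()):
            print(f"{parent:14} {label:17} {', '.join(children)}")
```

Matching is on file name only, so a binary renamed or copied to another directory will not match the list; keep the full paths from the CSV when you review a hit.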

In the webinar, we will discuss how you can dig further with Event ID 4688 for situations where the legit/malicious indicator is ambiguous, by looking at the Process Command Line and other data.

Carbon Black is the perfect sponsor for this webinar because their powerful technology does a great job of scrutinizing process lineage and can actively intervene and disrupt attacks like this. Stacia Tympanick, from Carbon Black, will show you that and more.

Please join us for this real training for free session.
