Patient Zero: What It Takes to Identify New EXEs Appearing on Your Network

Webinar Registration

Almost every attack scenario depends on gaining Execution (MITRE ATT&CK TA0002), and the bad guys have found a lot of ways to avoid actual binaries in the form of EXEs and DLLs.  But at the end of the day, nothing matches the speed, flexibility, and power of running your own malicious binary code in target environments, and so when you analyze today’s attacks, you still see the use of custom-built EXEs and DLLs by threat actors.  Admittedly, more advanced attackers may at first delay use of custom binaries and rely on script and fileless techniques until they are confident in their level of compromise and stealth.

If we could instantly know whenever a novel EXE or DLL is loaded for the first time on our network, we could detect and respond to so many more attacks in a timely way.  However, this remains an elusive goal.

It’s not because we can’t audit the execution of binaries.  The Windows Security Log event ID 4688 tells you whenever a new process is started and provides the path of the binary.  However, file names can easily be faked, so that’s not very useful for detecting the execution of novel code.  On the other hand, Microsoft’s Sysmon utility provides event ID 7, which logs information about the digital signature (if any) and – more importantly – the hash of the file itself.  The signature gives you information about the provenance of the file.  But the hash uniquely (let’s not quibble about collisions) identifies every EXE and DLL.  See a new hash; you’ve got a new binary program on your hands.

In this real training for free event, we will explore what it takes to identify novel code running in your environment and how to avoid getting overwhelmed with innocuous alerts.  That is a real challenge because novel but legitimate code is showing up on your endpoints all the time as a result of updates and patching.  So, one of the big things we’ll discuss is how to filter out new but known binaries.

First, I will demonstrate Sysmon logging event ID 7, and then we will explore the steps involved in filtering that event against various criteria and whitelists so that you can isolate those novel binaries that are worth investigating.
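To make the filtering pipeline concrete, here is an added example (mine, not material from the webinar or from CimTrak) that parses constructed Sysmon event ID 7 messages and applies the tiers described above: a known-hash allowlist, then trusted valid signers, then first-seen tracking, so only genuinely novel binaries surface. The event text, hashes, paths and signer names are all constructed placeholders.

```python
import re
# Constructed Sysmon Event ID 7 (Image loaded) messages in the "Key: Value"
# text form Sysmon writes; the hashes are placeholders, not real file hashes.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\explorer.exe\nImageLoaded: C:\\Windows\\System32\\ntdll.dll\n"
    "Hashes: SHA256=AAAA1111,MD5=0001\nSigned: true\nSignature: Microsoft Windows\nSignatureStatus: Valid",
    "Image: C:\\Users\\bob\\app.exe\nImageLoaded: C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll\n"
    "Hashes: SHA256=BBBB2222,MD5=0002\nSigned: false\nSignature: -\nSignatureStatus: Unavailable",
    "Image: C:\\Program Files\\Vendor\\tool.exe\nImageLoaded: C:\\Program Files\\Vendor\\lib.dll\n"
    "Hashes: SHA256=CCCC3333,MD5=0003\nSigned: true\nSignature: Contoso Ltd\nSignatureStatus: Valid",
]

def parse_event(text):
    """Turn the 'Key: Value' lines of one Sysmon event into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def sha256_of(fields):
    """Sysmon packs hashes as 'SHA256=...,MD5=...'; pull out the SHA256 part."""
    m = re.search(r"SHA256=([0-9A-Fa-f]+)", fields.get("Hashes", ""))
    return m.group(1).upper() if m else None

class NovelBinaryDetector:
    """Tiered filter: allowlisted hash -> trusted valid signer -> first-seen tracking."""
    def __init__(self, known_hashes, trusted_signers):
        self.known_hashes = {h.upper() for h in known_hashes}   # e.g. vendor/patch hash sets
        self.trusted_signers = set(trusted_signers)              # publishers you accept
        self.seen = set()                                        # hashes already alerted on

    def classify(self, fields):
        h = sha256_of(fields)
        if h is None:
            return "no-hash"        # SHA256 not in Sysmon HashAlgorithms config; worth its own alert
        if h in self.known_hashes:
            return "known-hash"
        if (fields.get("Signed") == "true" and fields.get("SignatureStatus") == "Valid"
                and fields.get("Signature") in self.trusted_signers):
            return "trusted-signer"
        if h in self.seen:
            return "seen-before"    # same binary loading again is not a new alert
        self.seen.add(h)
        return "NOVEL"

def novel_images(events, detector):
    """ImageLoaded paths of the events the detector flags as NOVEL, in order."""
    parsed = [parse_event(t) for t in events]
    return [f["ImageLoaded"] for f in parsed if detector.classify(f) == "NOVEL"]
```

Note that an unsigned DLL dropped into a user's Temp directory is the only hit; the Microsoft-signed ntdll.dll is dropped by hash and the vendor library by its trusted, valid signature.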

Cimcor is the perfect sponsor for this session because their CimTrak technology is the best I’ve seen for tackling this important challenge.  They’ve put a lot of work into efficiently whitelisting known binaries to avoid deluging you with noise.  Justin Chandler will demonstrate this unique ability of CimTrak and more.

Please join me for this practical and educational real training for free session.
