Recently a Cyberseer customer fell victim to such an attack. The customer's existing endpoint solution was not able to prevent the attack, which therefore bypassed their security controls. Through the use of an advanced network monitoring tool, Cyberseer were able to identify the intrusion and notify the customer before any harm could be done.
The aim of this blog is to look at a typical infection via the malicious e-mail attack vector, and at how a next-gen anti-virus solution can first prevent an unsuspecting user from becoming a victim and, secondly, through an accompanying incident response tool, give incident responders a detailed view of the attack timeline.
For the purposes of this blog, a Word document with a malicious macro has been created. When run, the macro invokes PowerShell, reaches out to an online service and downloads the post-exploitation tool Mimikatz. Following a successful download, Mimikatz is then invoked to gather credential data from the Windows system. This attack methodology is commonly referred to as a memory-based attack: it focuses on extracting data from process memory rather than from the traditional locations such as local file directories or registry keys.
To mimic a real-life scenario, an e-mail with a malicious attachment was created.
Upon running the macro, little is seen by the user, but in the background an attempt to read/scrape the memory of the Local Security Authority Subsystem Service ('lsass.exe') is observed and subsequently blocked by the antivirus engine and the accompanying Memory Protect agent.
In many breach events, a benign process is initially exploited by malicious payload code. When this occurs, the payload executes in the memory of an existing application without attempting to create or execute a new malicious executable. In this example, the malicious code is executing in the memory of the PowerShell process.
The Memory Protect agent hooks various user-mode application programming interface (API) functions in order to maintain state and watch for certain hard-coded behaviours considered indicative of a compromise. Whenever such a behaviour is detected, an event is communicated to the service before the hooked API function is allowed to complete. The service then responds with an action for the agent to take, such as:
- Ignore the violation and let it execute
- Alert on the violation, but let it execute
- Block the violation and send an alert
- Terminate the process completely
In the case of our malicious macro being executed, the following timeline of events is generated:
Moving from left to right, we can initially see the start of the WmiPrvSE.exe process, followed by the start of powershell.exe executing the embedded command:
Next, we can see the creation, writing, overwriting and eventual deletion of the temporary files associated with the event:
Following the launch of powershell.exe, the next stage of the malicious macro was to connect to, and then download, the externally hosted Mimikatz script:
Upon invoking the Mimikatz script, the antivirus deems this activity as malicious and blocks the interaction with the lsass.exe process:
To conclude the timeline, the powershell.exe process is then exited.
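The timeline above (WMI provider host spawning powershell.exe, temporary file churn, an outbound download, then an lsass.exe read) and the four agent responses listed earlier can be expressed as a small correlation rule. The following is an added example written for this post, not Cyberseer's or Cylance's code: it runs over constructed endpoint events (not real telemetry) and maps the number of matched signals to an assumed ignore/alert/block/terminate threshold.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs): pid 200 follows the timeline in this
# post; pid 300 is a benign agent that also reads lsass.exe but shows no other signals.
EVENTS = [
    {"ts": 1, "type": "process_start", "pid": 100, "ppid": 50, "image": "WmiPrvSE.exe"},
    {"ts": 2, "type": "process_start", "pid": 200, "ppid": 100, "image": "powershell.exe"},
    {"ts": 3, "type": "file_write", "pid": 200, "path": r"C:\Users\u\AppData\Local\Temp\x.tmp"},
    {"ts": 4, "type": "net_connect", "pid": 200, "dest": "download.example.invalid:443"},
    {"ts": 5, "type": "file_delete", "pid": 200, "path": r"C:\Users\u\AppData\Local\Temp\x.tmp"},
    {"ts": 6, "type": "process_access", "pid": 200, "target": "lsass.exe", "access": "read"},
    {"ts": 7, "type": "process_exit", "pid": 200},
    {"ts": 8, "type": "process_start", "pid": 300, "ppid": 50, "image": "backupagent.exe"},
    {"ts": 9, "type": "process_access", "pid": 300, "target": "lsass.exe", "access": "read"},
]

SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents that rarely have a legitimate reason to spawn a script host.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wmiprvse.exe"}
ACTIONS = ("ignore", "alert", "block", "terminate")   # the four responses listed above

def find_lsass_access_chains(events):
    """One finding per lsass.exe access: the accessing image, its parent, and which
    of the timeline's earlier stages that process showed before the access."""
    procs, history, findings = {}, defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["type"] == "process_start":
            procs[pid] = {"image": ev["image"].lower(), "ppid": ev["ppid"]}
        elif ev["type"] == "process_access" and ev["target"].lower() == "lsass.exe":
            image = procs.get(pid, {}).get("image", "?")
            parent = procs.get(procs.get(pid, {}).get("ppid"), {}).get("image", "?")
            prior = history[pid]                       # event types seen before this access
            signals = {
                "script_host": image in SCRIPT_HOSTS,
                "suspicious_parent": parent in SUSPICIOUS_PARENTS,
                "network_before_access": "net_connect" in prior,
                "temp_file_churn": "file_write" in prior and "file_delete" in prior,
            }
            findings.append({"pid": pid, "image": image, "parent": parent,
                             "signals": [k for k, v in signals.items() if v]})
        history[pid].append(ev["type"])
    return findings

def policy_action(finding):
    """Choose a response; the thresholds are assumed for this example, not Cylance's."""
    hits = len(finding["signals"])
    return ACTIONS[min(hits, 3)]   # 0 -> ignore, 1 -> alert, 2 -> block, 3+ -> terminate
```

A real agent makes this decision inside the hooked API call, before the read completes; this script only shows how the surrounding context separates the macro-driven read from a benign one.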
Scripting engines such as VBA and PowerShell are often the workhorses of day-to-day IT operations, but at the same time they expose a significant amount of functionality that can be leveraged by malicious actors. Next-gen solutions such as Cylance understand the behaviours, traits and features of malware, pre-emptively stopping new and emerging threats whilst giving security teams a timeline of the activities leading up to an attack, which can highlight existing weaknesses in the security infrastructure. This combination of visibility and autonomous incident response workflows within Cylance frees up business resources.
CylancePROTECT redefines the thought process behind anti-virus (AV) by leveraging the machine-learning aspect of AI on the endpoint. The CylancePROTECT machine-learning model sits on the endpoint and looks deeper into the features of each executable to determine its good and bad aspects, pre-execution. In the split second CylancePROTECT takes to analyse the executable, it can determine an action depending on whether or not it is malicious. CylancePROTECT has been independently proven to prevent, pre-execution, in excess of 99% of threats.
CylanceOPTICS, installed alongside CylancePROTECT, is the prevention-first endpoint detection and response (EDR) piece of the Cylance solution. CylanceOPTICS stores forensically pertinent data in a secure database on the local machine. It operates by deploying sensors into the device's operating system at various levels and against various subsystems to collect information, then aggregates that information into a localised data store to track, alert upon and respond to complex malicious situations as they unfold.