Thursday, 7 February 2019

Threat Hunting #10 - Renamed/Modified Windows (ab)used Scripting Utilities

Pay attention to renamed or modified copies of known utilities (e.g. cscript, wscript, wmic, rundll32, regsvr32, mshta); renaming them easily defeats detection based on command line and process name.

For instance, if you are monitoring for the use of rar.exe (compression utility) with the "-a and -p" options to archive and password-protect data in preparation for data exfiltration, the attacker can simply rename rar.exe to something else and boom!

Sysmon users should enable IMPHASH in their config:
  •  <HashAlgorithms>md5,IMPHASH</HashAlgorithms> 
Below is an example of a renamed compression utility:



Furthermore, imphash is also useful for detecting similar implants (custom compiler or similar) within your network, even if they have different C2 and md5/sha256 hashes.
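One way to hunt for renamed utilities in exported Sysmon process-creation events, as an added example that is not part of the original post. The baseline imphashes, MD5 values, paths and events below are constructed placeholders; only the Image and Hashes field layout comes from Sysmon.

```python
import ntpath

# Constructed placeholder imphashes (32 hex chars), NOT real values. Build the
# real baseline from known-good copies of the utilities you care about.
BASELINE = {
    "A" * 32: {"rar.exe"},
    "B" * 32: {"wscript.exe"},
    "C" * 32: {"mshta.exe"},
}

# Constructed events: only the Sysmon Event ID 1 fields used here.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\Rar.exe", "Hashes": "MD5=" + "1" * 32 + ",IMPHASH=" + "A" * 32},
    {"Image": r"C:\Users\Public\update.exe", "Hashes": "MD5=" + "2" * 32 + ",IMPHASH=" + "a" * 32},
    {"Image": r"C:\Windows\System32\notepad.exe", "Hashes": "MD5=" + "3" * 32 + ",IMPHASH=" + "D" * 32},
    {"Image": r"C:\Temp\w.exe", "Hashes": "MD5=" + "4" * 32 + ",IMPHASH=" + "b" * 32},
    {"Image": r"C:\Temp\packed.exe", "Hashes": "MD5=" + "5" * 32 + ",IMPHASH=" + "0" * 32},
]


def parse_hashes(field):
    """Split a Sysmon Hashes value ('MD5=..,IMPHASH=..') into an upper-cased dict."""
    pairs = (part.partition("=") for part in field.split(","))
    return {k.strip().upper(): v.strip().upper() for k, sep, v in pairs if sep}


def find_renamed(events, baseline):
    """Return events whose imphash is in the baseline but whose file name is not."""
    hits = []
    for ev in events:
        imphash = parse_hashes(ev.get("Hashes", "")).get("IMPHASH", "")
        if not imphash or set(imphash) == {"0"}:
            continue  # no usable import hash (assumption: all zeros = no imports)
        expected = baseline.get(imphash)
        name = ntpath.basename(ev.get("Image", "")).lower()
        if expected and name not in expected:
            hits.append({"image": ev["Image"], "looks_like": sorted(expected)})
    return hits


if __name__ == "__main__":
    for hit in find_renamed(SAMPLE_EVENTS, BASELINE):
        print(hit)
```

Imphash values can differ between builds of the same utility, so the baseline needs an entry for each version present in your environment.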

References:

https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
