July 18, 2017
Justin Swisher

How Threat Hunting Can Help Defend Against Malware Attacks

<h4>By Kris Merritt (Vector8) and Justin Swisher (Anomali)</h4><p>Since the outbreak of Petya some days ago, many articles have been written dissecting the malware, its purpose, and its attribution. These articles used reverse engineering and malware analysis to conduct post-incident analysis. Vector8 and Anomali viewed the Petya outbreak differently, leveraging threat hunting techniques developed to identify and pattern the malicious behavior evident in malware like Petya.</p><p>Specifically, our data source for analysis is a Microsoft Windows Sysinternals tool called <a href="https://technet.microsoft.com/en-us/sysinternals/sysmon" target="_blank">Sysmon</a>. In short, Sysmon provides an authoritative source of what’s happening on a computer by linking all observable activity on that system back to the responsible process(es). This is a boon for real-time threat hunting as well as forensic analysis; the conventional follow-on data collection to obtain such details is no longer required. In other words, Sysmon has high resolution and animation (<a href="https://www.vector8.io/blog/5d" target="_blank">see descriptions of these terms</a>). Read this blog post for further information regarding <a href="https://www.vector8.io/blog/sysmon" target="_blank">Sysmon as a detection, hunting, and analysis tool</a>.</p><p>By sending Sysmon events to an aggregation point for further querying and historical analysis, our analysis of Petya was limited only by speed of thought, not by tooling or data gaps. In this case, the aggregation point is Elastic’s open source “Elastic Stack,” which consists of a Logstash aggregator, an Elasticsearch cluster backend, and a Kibana web user interface frontend.</p><p>Our test environment was a fresh Windows 10 install on a virtual machine, preloaded with Sysmon v6, a custom configuration, and a logger that feeds events to Vector8’s analysis platform (Sysmon + Elastic Stack). We copied a confirmed sample of the Petya malware (SHA-256 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745) to the machine. Next, we manually ran the malicious DLL via rundll32.exe on the command line with the argument “#1” (export ordinal 1) to activate the malware.</p><p style="text-align: center;"><img alt="Sysmon analysis" src="https://wwwlegacy.anomali.com/images/uploads/blog/sysmon.png" /><br /> <em>Command line execution of the Petya malware</em></p><p>The following events are recorded by Sysmon and forwarded to the Vector8 cloud platform for analysis. They detail how the malware behaves and provide insights into how to detect or prevent similar malware from executing in the future.</p><ol><li>The first thing that happens is that rundll32.exe (the parent process) writes a copy of the DLL to ‘C:\Windows’. This activity is unusual, but not necessarily malicious on its own.<ul><li>Sysmon event ID 11 (File Created)<pre> <strong>Image:</strong> C:\Windows\SysWoW64\rundll32.exe <strong>TargetFilename:</strong> C:\Windows\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745</pre></li></ul></li><li>Rundll32.exe then accesses the raw disk several times, presumably to modify the MBR. Accessing raw disk is abnormal, as it bypasses the filesystem to read disk sectors directly. This level of disk access is not a normal operation and is very suspicious, especially by rundll32.exe.<ul><li>Sysmon event ID 9 (Raw Disk Access Read)<pre> <strong>Image:</strong> C:\Windows\SysWOW64\rundll32.exe <strong>Device:</strong> \Device\Harddisk0\DR0</pre></li><li style="margin-bottom:30px;">1 access to the current working volume (\Device\HarddiskVolume2) and 24 accesses to \Device\Harddisk0\DR0</li></ul></li><li>Rundll32.exe schedules a task to force a reboot of the system 60 minutes from the time of execution. 
Rundll32 creating a scheduled task is a suspicious pattern that should trigger a hunter to investigate.<ul><li>Sysmon event ID 1 (Process Created)<pre> <strong>CommandLine:</strong> /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:06 <strong>ParentCommandLine:</strong> rundll32.exe 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.dll,#1</pre></li></ul></li><li>Rundll32.exe writes a .tmp file to the user’s Local\Temp directory. Temp files created in this directory would not normally cause alarm, unless linked to another, more suspicious event.<ul><li>Sysmon event ID 11 (File Created)<pre> <strong>Image:</strong> C:\Windows\SysWoW64\rundll32.exe <strong>TargetFilename:</strong> C:\Users\nanoo\AppData\Local\Temp\5695.tmp</pre></li></ul></li><li>Rundll32.exe kicks off the .tmp file it wrote earlier and passes it a named pipe on the command line. Since this .tmp file is now communicating with another process over a named pipe, a hunter would want to investigate the .tmp file, as this is unusual behavior as well.<ul><li>Sysmon event ID 1 (Process Created)<pre> <strong>Image:</strong> C:\Users\nanoo\AppData\Local\Temp\5695.tmp <strong>CommandLine:</strong> "C:\Users\nanoo\AppData\Local\Temp\5695.tmp" \\.\pipe\{77A05906-5A7D-4442-8140-0899A3C4423C}</pre></li><li>When 5695.tmp runs (Sysmon event ID 1), we get its hash (02EF73BD2458627ED7B397EC26EE2DE2E92C71A0E7588F78734761D8EDBDCD9F), which open source research and VirusTotal results purport to be Mimikatz</li><li>Sysmon pipe events show the pipe creation by rundll32.exe and the connection by 5695.tmp<ul><li>Sysmon event ID 17 (Pipe Created)<pre> <strong>Image:</strong> C:\Windows\SysWoW64\rundll32.exe <strong>PipeName:</strong> \{77A05906-5A7D-4442-8140-0899A3C4423C}</pre></li><li>Sysmon event ID 18 (Pipe Connected)<pre> <strong>Image:</strong> C:\Users\nanoo\AppData\Local\Temp\5695.tmp <strong>PipeName:</strong> \{77A05906-5A7D-4442-8140-0899A3C4423C}</pre></li></ul></li></ul></li><li>Rundll32.exe writes a file 
called dllhost.dat to C:\Windows, which is a very suspicious event, as .dat files are not normally written to that directory.<ul><li>Sysmon event ID 11 (File Created)<pre> <strong>Image:</strong> C:\Windows\SysWoW64\rundll32.exe <strong>TargetFilename:</strong> C:\Windows\dllhost.dat</pre></li><li>Open source research corroborates this file write and has concluded it is a legitimately signed PsExec</li><li style="margin-bottom:30px;">Since dllhost.dat wasn’t executed in our sampling (because our VM did not meet the malware’s checks), we don’t get this file’s hash</li></ul></li><li>The .tmp file accesses another running process, lsass.exe. This event could be a solid candidate for a hunting trigger, as it could be indicative of credential harvesting or some other abuse of the Windows Local Security Authority Subsystem Service (lsass.exe). It is not unusual for lsass.exe to be accessed, but a .tmp file doing so is highly unusual.<ul><li>Sysmon event ID 10 (Process Accessed)<pre> <strong>SourceImage:</strong> C:\Users\nanoo\AppData\Local\Temp\5695.tmp <strong>TargetImage:</strong> C:\Windows\system32\lsass.exe <strong>CallTrace:</strong> C:\Windows\SYSTEM32\ntdll.dll+a5314|C:\Windows\System32\KERNELBASE.dll+290ad|C:\Users\nanoo\AppData\Local\Temp\5695.tmp+3390|C:\Users\nanoo\AppData\Local\Temp\5695.tmp+369a|C:\Users\nanoo\AppData\Local\Temp\5695.tmp+25e9|C:\Users\nanoo\AppData\Local\Temp\5695.tmp+4577|C:\Windows\System32\KERNEL32.DLL+8364|C:\Windows\SYSTEM32\ntdll.dll+65e91</pre></li><li>Lsass.exe then accesses the malicious rundll32.exe<ul><li>Sysmon event ID 10 (Process Accessed)<pre> <strong>SourceImage:</strong> C:\Windows\system32\lsass.exe <strong>TargetImage:</strong> C:\Windows\SysWoW64\rundll32.exe <strong>CallTrace:</strong> C:\Windows\SYSTEM32\ntdll.dll+a5ea4|C:\Windows\System32\RPCRT4.dll+6576f|C:\Windows\system32\lsasrv.dll+ceed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+77d63|C:\Windows\System32\RPCRT4.dll+3450f|C:\Windows\System32\RPCRT4.dll+3739a|C:\Windows\System32\RPCRT4.dll+4a2b4|C:\Windows\System32\RPCRT4.dll+491cd|C:\Windows\System32\RPCRT4.dll+49a7b|C:\Windows\System32\RPCRT4.dll+29c1c|C:\Windows\System32\RPCRT4.dll+2a09c|C:\Windows\System32\RPCRT4.dll+4438c|C:\Windows\System32\RPCRT4.dll+45beb|C:\Windows\System32\RPCRT4.dll+386ea|C:\Windows\SYSTEM32\ntdll.dll+325fe|C:\Windows\SYSTEM32\ntdll.dll+330d9|C:\Windows\System32\KERNEL32.DLL+8364|C:\Windows\SYSTEM32\ntdll.dll+65e91</pre></li></ul></li></ul></li></ol><p style="text-align: center;"><img alt="Petya activity" src="https://wwwlegacy.anomali.com/images/uploads/blog/kibana-petya-activity.png" /><br /> <em>Activity related to the execution of the Petya malware from 27 June 2017, as seen in Kibana</em></p><p>The result of this type of analysis provides some crucial insights into the behaviors this malware exhibits. 
These behaviors can be examined and turned into defensive measures such as hunting triggers or even preventative measures through endpoint tools, network tools, or system policies.</p><p>For this example, there are a number of behavior patterns we can key on:</p><ul class="iconlist"><li><i class="icon-ok text-blue">​</i> A process writes a .tmp file, and that .tmp file is later run as a process</li><li><i class="icon-ok text-blue">​</i> A .tmp file accesses lsass.exe</li><li><i class="icon-ok text-blue">​</i> A schtasks.exe process command line includes the “shutdown” switch</li><li><i class="icon-ok text-blue">​</i> Rundll32.exe writes files</li><li><i class="icon-ok text-blue">​</i> The string "pipe" is found in a process’ command line</li><li><i class="icon-ok text-blue">​</i> A .dat file is written to C:\Windows</li><li><i class="icon-ok text-blue">​</i> Raw access reads of the \Device\Harddisk0\DR0 device</li></ul><p>Note that these patterns are all based on endpoint process metadata, like Sysmon output. It’s also important to point out that the fidelity of each of these patterns depends on what is normal in your environment.</p><p>Threat hunting can be used as a powerful tool not only to detect malicious behavior missed by other security measures, but also to drive a deeper understanding of how malicious software, actor tools, and behaviors work and how to proactively detect or prevent them.</p><p>Anomali partners with Vector8 to provide threat hunting services. To find out more about this service, see our <a href="{page_3510}">Professional Services</a> page.</p><p><em>This is a joint blog between Anomali and Vector8. Vector8 provides threat hunting services leveraging the tools, techniques, and expertise introduced in this blog. For more information on Vector8, visit them at <a href="https://www.vector8.io/" target="_blank">https://www.vector8.io/</a></em></p>
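<p>As an added example (not Vector8’s or Anomali’s code), the following Python turns the seven patterns above into hunting triggers and runs them over constructed Sysmon-style events that mirror the records in the walkthrough, plus one benign .tmp write as a control. The field names follow Sysmon, but the dict event shape and the cmd.exe image for the schtasks event are assumptions of this example.</p>

```python
# Constructed Sysmon-style events mirroring the records quoted above
# (field names follow Sysmon; the dict shape is an assumption of this example).
EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\SysWoW64\rundll32.exe",
     "TargetFilename": r"C:\Users\nanoo\AppData\Local\Temp\5695.tmp"},
    {"EventID": 9, "Image": r"C:\Windows\SysWoW64\rundll32.exe",
     "Device": r"\Device\Harddisk0\DR0"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine":
     '/c schtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 16:06'},
    {"EventID": 1, "Image": r"C:\Users\nanoo\AppData\Local\Temp\5695.tmp", "CommandLine":
     r'"C:\Users\nanoo\AppData\Local\Temp\5695.tmp" \\.\pipe\{77A05906-5A7D-4442-8140-0899A3C4423C}'},
    {"EventID": 11, "Image": r"C:\Windows\SysWoW64\rundll32.exe",
     "TargetFilename": r"C:\Windows\dllhost.dat"},
    {"EventID": 10, "SourceImage": r"C:\Users\nanoo\AppData\Local\Temp\5695.tmp",
     "TargetImage": r"C:\Windows\system32\lsass.exe"},
    # Benign control: a normal process writes a .tmp that is never executed.
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\nanoo\AppData\Local\Temp\abc.tmp"},
]

def hunt(events):
    """Apply the seven hunting triggers in event order and return (trigger, evidence) pairs.
    'tmp written then executed' is stateful: an earlier event ID 11 must have written the path."""
    hits, written_tmp = [], set()
    for e in events:
        eid, image = e["EventID"], e.get("Image", "").lower()
        if eid == 11:  # FileCreate
            target = e["TargetFilename"].lower()
            if image.endswith("\\rundll32.exe"):
                hits.append(("rundll32_writes_file", target))
            if target.endswith(".tmp"):
                written_tmp.add(target)
            if target.endswith(".dat") and target.startswith("c:\\windows\\"):
                hits.append(("dat_written_to_windows", target))
        elif eid == 1:  # ProcessCreate
            cmd = e.get("CommandLine", "").lower()
            if image in written_tmp:
                hits.append(("written_tmp_executed", image))
            if "schtasks" in cmd and "shutdown" in cmd:
                hits.append(("schtasks_shutdown", cmd))
            if "pipe" in cmd:
                hits.append(("pipe_in_cmdline", cmd))
        elif eid == 9 and e.get("Device", "").upper().endswith("\\DR0"):  # RawAccessRead
            hits.append(("raw_read_dr0", image))
        elif eid == 10:  # ProcessAccess
            src, dst = e["SourceImage"].lower(), e["TargetImage"].lower()
            if src.endswith(".tmp") and dst.endswith("\\lsass.exe"):
                hits.append(("tmp_accesses_lsass", src))
    return hits
```

<p>Each trigger is deliberately broad; as the post notes, which of them is worth alerting on depends on what rundll32.exe, .tmp execution and raw disk reads look like in your own baseline.</p>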
