[2023] How I discovered a completely unmarked threat within five minutes through EDR

huoji | Security, Cybersecurity, Network Security, Endpoint Security, Malware | 2023-11-02

> In daily EDR operation and maintenance we found an abnormal situation, but we could not immediately classify it, because none of the known databases matched it.

# At the Beginning

In daily operations and maintenance we find that EDR rarely reports suspicious activity, and, apart from a few rogue software families, such reports generally do not involve a completely unknown program:

Investigating immediately, we found that the sample came from the desktop, which indicates that its source is suspicious. In addition, the process security status is unknown, indicating that it is not in any known database:

Our assessment at this point: the file is malicious software with a confidence level of 10%.

# File analysis

The behavior triggered by this sample immediately caught our attention, so we continued investigating. The first thing that came to mind was VirusTotal, but this sample was completely undetected there, so file-based analysis is invalid.

We next observed the file's entropy:

The high entropy indicates that this file is encrypted.

Observing the file sections, we found that they also have abnormal section names:

It can be seen that this file has been packed, so file-based analysis such as associated samples (file fuzzy hash) or imphash is completely useless.

Our assessment: the file is malicious software with a confidence level of 30%.

# IOC indicator query

We immediately queried all IOCs of this program:

An IOC query was conducted on all network connections, and all IP addresses were marked as unknown addresses/domain names by all domestic and foreign IOC sources.

This does not trouble us, because the situation is well understood.
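Neither hash lookups nor IOC queries help with a sample like this, but the two structural checks used in the file analysis above, byte entropy and section names, can be scripted. The following is an added example, not the author's tooling: it walks the PE section table by hand and runs over a constructed minimal PE (a stand-in for the sample, with one normal section and one oddly named, pseudo-random section); the 7.0 bits/byte cut-off and the list of "common" section names are assumptions.

```python
import math
import random
import struct
from collections import Counter

# Section names a normally linked PE carries; anything else deserves a look (assumed list).
COMMON_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                   ".pdata", ".rsrc", ".reloc", ".tls", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Yield (name, raw_bytes) per IMAGE_SECTION_HEADER, without any PE library."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                            # first section header
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("latin-1"), pe[raw_ptr:raw_ptr + raw_size]


def triage(pe: bytes, entropy_threshold: float = 7.0):
    """Per section: (name, entropy, odd_name, high_entropy). Either flag means 'look closer'."""
    findings = []
    for name, raw in parse_sections(pe):
        h = shannon_entropy(raw)
        findings.append((name, round(h, 2), name not in COMMON_SECTIONS, h > entropy_threshold))
    return findings


def build_sample() -> bytes:
    """Constructed stand-in (not a real binary): minimal PE, no optional header, two sections."""
    rng = random.Random(1)
    text = (b"This program cannot be run in DOS mode.\r\n" * 13)[:0x200]   # low entropy
    blob = bytes(rng.getrandbits(8) for _ in range(0x1000))               # "encrypted" body
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    sec = lambda name, size, ptr: struct.pack("<8sIIIIIIHHI", name, size, 0, size, ptr, 0, 0, 0, 0, 0)
    headers = dos + coff + sec(b".text", 0x200, 0x200) + sec(b".kcxr", 0x1000, 0x400)
    return headers.ljust(0x200, b"\0") + text + blob
```

On a real file call `triage(open(path, "rb").read())`; on the constructed sample `.text` passes both checks while the made-up `.kcxr` section trips both (unknown name, entropy close to 8 bits/byte).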
This situation is called the IOC dilemma: IOCs perform well in detecting known threats and can only label new threats as unknown.

Our assessment: the file is malicious software with a confidence level of 30%.

# Summary of EDR Log Behavior

When both IOC lookup and the AV engine fail, we proceed to the next step and analyze the behavior. First we print out all the behaviors of this sample and look at the medium- to high-risk ones:

Then we view the source through the process chain:

This shows that it was launched from explorer.exe and that the source is an IM download. We analyze the behavior of this software step by step according to ATT&CK and view the ATT&CK matrix:

As can be seen, this sample was manually executed by the user, and it performed discovery of commonly used antivirus software, debugger evasion, reflective loading, and even screenshots (the heat map does not count low- or notify-level techniques, so operations such as connections and commands are not shown).

From the graph, we found that the attack chain is relatively complete, so we can basically determine that this is a malicious program that was manually executed by the user.

Our assessment: the file is malicious software with a confidence level of 100%.

# Full Behavior Discovery

After confirming that this is a new threat, we immediately traced the sample's behavior.

At the start of execution, the sample discovers security software through WMI:

Afterwards, it reads its own resource file, possibly for encryption and decryption operations:

Then it connects to the network over HTTP and deliberately disguises itself as a Windows Update service.
As you can see, the domain name is in the URL.

The payload is presumably written to the registry:

After that it takes screenshots of the screen and uploads the information.

It persists by creating scheduled tasks over RPC:

# Conclusion

So far, within five minutes, we have conducted research, analysis, and traceability on this completely unknown threat without relying on any IOC.

This article was written by huoji and is licensed under Creative Commons Attribution 3.0. It may be freely reproduced and quoted, but the author must be credited and the source of the article indicated.