I think it is safe to say that 2020 has proven to be a year of fear, uncertainty, and doubt, and the data supports that threat actors of all stripes are taking advantage of it. In fact, COVID-19 alone is believed to be the largest coalescing cyber-attack in history. Of course, actors didn’t stop merely at using COVID-19 for nefarious means, but they have also leveraged things like uncertainty around the 2020 US Presidential Election, the growing social unrest across the globe, and many others. And while the objectives, tools, and outcomes of each of these attacks have all varied widely, one thing that has remained consistent is the use of phishing to establish a foothold in the environment.
The use of phishing – specifically using malicious attachments – as a means of penetrating organizations’ perimeter defenses, continues to rise and take a heavy toll on corporate security teams. While those security teams need to “get it right” every time with a never-ending onslaught of phishing attacks, a threat actor needs to only “get it right” once, often with a barrier of entry of nothing more than some free tools and a disposable (or altogether non-existent) email account.
It is because of the ubiquity of phishing as an initial method of establishing a foothold in organizations that threat hunters often focus very heavily on telltale signs of it to start their hunts. This is because while the tools, subject matter, and motivations of the actors involved may change frequently, their tactics, techniques, and procedures (TTPs), or more simply their behaviours, often don’t. With that in mind, let’s dive into one method that organizations can use to detect MITRE ATT&CK Technique T1556.001 – Spearphishing Attachments.
Hunting for phishing attachments is incredibly popular amongst hunt teams because it only requires basic Windows Event logging to get started. Security teams don’t require any other fancy tools like EDR or XDR platforms – though they can of course help. This low barrier of entry makes it incredibly accessible, especially for organizations just getting started or for first time hunters.
While searching across an entire enterprise for malicious phishing attachments may seem daunting at first, the methodology used is actually quite simple and straightforward, relying heavily on the concept of suspicious parent-child process relationships.
In the simplest terms, a process is any computer program being executed (duh!). A parent process is any program that spawns (or creates) one or more child processes. A child process is any program that was spawned by a parent process. In both of these instances, the important concept to understand is that a child process is executed (or invoked) from another program and not from the user.
With the concept of parent-child processes behind us, the next step is to consider what is “normal” behaviour both generally, and more specifically for your organization.
As an example, consider the workflow of an average user: like almost everyone, the average employee’s life at your organization likely revolves around email, and with those emails will likely come attachments. The average user often forgoes downloading and saving attachments, in favour of opening them directly from the email. In this case the parent process, OUTLOOK.exe, will spawn a child process corresponding to the attachment type, such as WINWORD.exe if the attachment were a *.doc file. This process of OUTLOOK.exe spawning one of the standard Microsoft Office applications likely occurs hundreds of times a day for most mid-sized organizations, and if that is where the processes stop, all is likely well.
However, malicious spearphishing attachments (often simply termed “maldocs” or referred to as Stage 0) often contain specially crafted macros. Macros are small pieces of code that allow users to automate specific tasks in a document, but they can also be used for malicious purposes. These malicious macros are often highly obfuscated, and some of them are quite clever in their design, in order to ward off curious security researchers, but the outcome of these macros is often the same. Specifically, to invoke another child process (often, but not always, PowerShell) which will enable the actor the ability to execute a wider array of commands that will enable allow them to download additional payloads (these payloads are often downloaders or droppers and are commonly referred to as Stage 1).
From a hunting perspective, we can use what we know about parent-child process behaviour to look at Windows Event logs a little more closely. Specifically, we can hone in on Windows Events with an ID of 4688 (which are events generated every time there is aa process is createion) to look for suspicious relationships between those processes. In this case we are specifically looking for process creation events for specific suspicious irregular tools like PowerShell, CScript, WScript, WMIC and othersimilar windows built-in toolss, where the Creator Process Name matches a Microsoft Office product (such as EXCEL.EXEexe, WINWORD.EXEexe, POWERPNT.exe, MSPUB.exe, and VISIO.exe).
Now, the results of such a hunt will likely still require analysis to separate the malicious activity from the Office power users (whose ingenuity will often leave security teams speechless, and sometimes terrified!), however the result of the hunt nonetheless it will give hunters a great starting point for hunting maldocs from spearphishing emails in their environment. Want to keep going? Continue the Hunt in the first episode of Cyborg Security’s Threat Hunting Deep Dives.