Threat Overview – Hunting for Credential Theft – Identify When an InfoStealer May be Stealing Sensitive Access
The recent SnowFlake incident has brought to light the importance of protecting your credentials and access to sensitive tools. Infostealers are the highway in which many threat actors and access brokers garner their initial foothold in environments. This collection of hunt packages has been specifically put together to help organizations and teams detect and prevent info stealing malware from operating within their environment. This variant of malware is normally designed to steal sensitive information from victimized systems. The info or data stolen typically include proprietary/personal information, login credentials, financial data, and other data that a victim would consider confidential. The first infostealer malware was discovered in 2006 and was known as ZeuS (or Zbot). It was used to steal banking credentials, eventually leading to banking fraud and malicious botnets. Since then, infostealer malware has evolved and many different variants with the same agenda have appeared in the wild. Most recently, utilizing Intel 471’s reliable threat intelligence, it was reported of the compromising of hundreds of Snowflake instances that were accessed via credentials taken with Infostealer malware – individuals reportedly targeted didn’t have MFA enabled, thus were susceptible to compromise. The major consequences of infection can result in the loss of sensitive data, persistent espionage and/or financial losses to the targeted victims. This type of malware has been around for a sustained period of time and has no reason to fade away, due to its functionality and usefulness to threat actors. Therefore, the understanding of and preparation for such infections should be taken seriously in any environment.
Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!
Hunt Packages
Potentially Injected Process Command Execution
This Hunt Package identifies child processes that require interactive output that are not executed by cmd.exe and powershell.exe.
Defender Bypass via Registry Key Changes
This package is designed to identify when Microsoft Defender Antivirus is disabled or modified through manipulation of the TamperProtection, DisableAntiSpyware, DisableBehaviorMonitoring, DisableOnAccessProtection, or DisableScanOnRealtimeEnable registry keys.
Autorun or ASEP Registry Key Modification
A common method that adversaries and malicious software alike achieve persistence is by adding a program to the startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder allows the referenced program to be executed when a user logs in. They are often utilized for legitimate purposes, however when utilized maliciously the key name/value is often obviously suspicious, such as random names, or objects loaded from temp or public folders.
Suspicious File Creation in OneNote Exported File Folders – Potential OneNote Phishing
This hunt package aims to identify potential OneNote phishing activity involving suspicious extensions that are commonly abused to run malware on a Windows system. Emotet, a banking Trojan, is now being distributed via Microsoft OneNote email attachments in an attempt to bypass macro-based security restrictions and compromise systems. The attackers use social engineering techniques to entice victims into enabling macros to activate the attack chain. The OneNote file is simple but effective in social engineering users with a fake notification stating that the document is protected. When instructed to double-click on the View button, victims inadvertently double-click on an embedded script file instead. The Windows Script File (WSF) is then engineered to retrieve and execute the Emotet binary payload from a remote server.
Executing System32 Directory Executables for Masquerading
This Threat Hunt package is designed to identify when a native System32 Windows named executable is executed outside of the standard System32 directory for the purpose of masquerading.
Excessive Windows Discovery and Execution Processes – Potential Malware Installation
This package utilizes a list of commonly abused LOLB which an attacker or malware would execute in quick succession. The presence of multiple executions of the programs within the list can be indicative of an infection or malicious activity occurring on a victim host. To reduce false positives, distinct counts per process name can be utilized to ensure over 5 unique processes from the list were executed versus just checking more than 6 events were generated on the host.
Masquerading Process Outside of Native Directory
This package is designed to capture activity of a process being created that would normally exist within the C:\\Windows\\System32 or C:\\Windows\\Syswow64 directory executing from an abnormal location. This activity has been seen in recent campaigns run by the APT known as MosesStaff.
Scheduled Task Created
This use case is meant to identify newly created scheduled tasks via specific command-line parameters.
Microsoft Malware Protection Engine (MsMpEng) Executed From Non-Standard Directory – Potential Masquerading or DLL Side-Loading
The intent of this Hunt package is to identify the presence of a process masquerading as the legitimate Microsoft Malware Protection Engine. The Microsoft Malware Protection Engine is an anti-malware application that resides in either the C:\\Program Files\\Windows Defender\\ or C:\\ProgramData\\Microsoft\\Windows Defender\\ folders. Legitimate executions of the application should be spawned from these locations. This package identifies any outliers that are not executed from these normal folders, indicating a process is masquerading as the legitimate Microsoft Malware Protection Engine or DLL side-loading attempts.
Suspicious OneNote Exported File in Command Execution – Potential OneNote Phishing
This hunt package aims to identify potential OneNote phishing activity involving suspicious extensions that are commonly abused to run malware on a Windows system. Emotet, a banking Trojan, is now being distributed via Microsoft OneNote email attachments in an attempt to bypass macro-based security restrictions and compromise systems. The attackers use social engineering techniques to entice victims into enabling macros to activate the attack chain. The OneNote file is simple but effective in social engineering users with a fake notification stating that the document is protected. When instructed to double-click on the View button, victims inadvertently double-click on an embedded script file instead. The Windows Script File (WSF) is then engineered to retrieve and execute the Emotet binary payload from a remote server.
Common Abused Executables Launched Outside of System32
The provided logic is intended to identify when a commonly abused executable that typically resides within the C:\\Windows\\System32 folder is executed and resides outside of its normal path. The C:\\Windows\\System32 folder houses core files and executables native to the Windows Operating System.