In part 1 of this blog series, we analyzed malware behaviour, and, in part 2, we learned how to detect persistence tricks used in malware attacks. Still, there are more types of events that we can observe with Osquery when malicious activity happens. So, in the last blog post of the series, we will discuss how to detect another example of a technique used in a malware attack, one that involves installing a root certificate in the system that can be used to intercept information transmitted over secure TLS/SSL communications (man in the middle). We will also see how to use the Alienvault Agent and Alienvault USM Anywhere to create custom rules and detect malicious activity in your environment.
Detecting newly installed root certificates
Root certificates are usually pre-installed in a system by the manufacturer or by the software supply chain. They are used in public key cryptography to identify the Certificate Authority and are commonly used to establish TLS and SSL connections in web browsers. System and applications trust certificates installed in the root.
Attackers can take advantage of this trust and install a root certificate in the system to intercept communications or code signing among other things. In this example, we will install our own certificate that could be used to intercept connections with banking platforms to steal users’ personal information. After installing it, we can take a look in the system Trusted Root Certification Authorities using the MMC console to see how our certificate has been placed.
As we discussed before, Osquery can detect this activity by querying the certificates table. If we perform a query retrieving all certificates installed in Trusted Root Certification Authorities, we will discover our certificate in the same way we did before.
This query can be used to list new certificates in the system:
How to use the power of Osquery with Alienvault Agent and AlienVault USM Anywhere
So far, we have observed how Osquery can help to enable endpoint detection and response (EDR) capabilities. Now it’s time to see how we can use Osquery through the AlienVault Agent in AlienVault USM Anywhere.
The AlienVault Agent is a lightweight endpoint agent based on Osquery that is configured to schedule queries by time intervals, enabling continuous endpoint detection. You can see the query collection in AlienVault USM at Data Sources > Agents > Configuration Profiles. These queries are maintained and updated by the AlienVault Labs team who research new threats and malicious activities, and build and update queries based on that research.
If we go for Windows Full configuration profile, we can see how many queries the Agent is performing in the endpoint. Among all of these queries, we find some that are intended to hunt for persistence techniques, DLL injections, backdoors, cryptominers or even system misconfigurations.
Use Case 1: Detecting system backdoor persistence
Now we will see how to create a custom orchestration rule to detect malicious activities using the events generated by the Alienvault Agent. The first thing we have to do is to search for interesting events that come from the AlienVault Agent data source. In this case, I will create an alarm rule for “Universal Windows Platform apps persistence detected” query. This query has been created for detecting a know persistence mechanism used to hide a program that will run on startup from the Autoruns tool.
Once we have the events we want, it’s necessary to take notes of interesting fields. Some can be used for conditions in our rule and others can be used as highlight fields. For example, in the event below, there are some interesting fields like:
- Data Source: AlienVault Agent
- Event Type: detection_appx_persistence
- Registry Value: C:Windowssystem32cmd.exe
In the Settings > Rules section of USM Anywhere, we can create an orchestration rule for Alarm type. Because we want an alarm to trigger “Universal Windows Platform apps persistence” events, we can start adding trivial conditions first, such as Data Source == AlienVault Agent and Event Type == detection_appx_persistence. Then, imagine that we only want to trigger the alarm when the process placed in the registry value is either cmd.exe or powershell.exe, which are commonly used by backdoor systems. We can add a group condition with an OR operator inside to match the case.
Once the orchestration rule is created, we can test it by running the malicious command to add a backdoor to the system using the technique we are trying to detect. After that, if we look in the alarms sections, we can see how the activity is triggering our new alarm rule.
Use Case 2: Detecting processes listening connections
Imagine your company is being targeted by one of the latest threats and you want to detect the activity the malware is performing. After reading a blog post about the research, you discover that a piece of malware is using a modified version of netcat in order to gain a remote shell in the infected machine.
If we take a look to the different events available from Agent, we can see that Listening Port events report when a process is listening for incoming connections.
Then, we can create a new rule to match when a process placed in /tmp (temporary directory), folder that usually doesn’t require administrative privileges to write files, starts listening connections on a specific port and keeps waiting for establish a communication with the attacker. Also, we can add the parameter --allowfile /tmp/, which we learned from the research blog is a common IOC discovered.
As we can see, one alarm has been triggered indicating that one of our hosts is infected with the malware we want to detect. We can take a look and find the most important characteristics of the activity in the highlight fields.
Throughout this blog series, we have discussed how the use of Osquery can help you to detect malware and other malicious activities on your endpoints. By implementing Osquery through the AlienVault Agent, part of USM Anywhere, you can take that malware detection and analysis to the next level. USM Anywhere enables powerful endpoint detection and response capabilities (EDR) continuously and automatically monitoring your endpoints for threats, correlating that data with network security data, and giving you a centralized console to review all security alarms, query your systems for forensics information, and create customized orchestration rules to automate those queries and other incident response actions.
There’s so much more to discover. Take a tour of USM Anywhere in our online, interactive demo or get started with a free 14-day trial.