By Randy Franklin Smith
As I write this, yet another ransomware attack is underway. This time it’s called Petya, and it again uses SMB to spread. But here’s the thing — it uses an EXE to get its work done. That’s important because there are countless ways to infect systems, with old ones being patched and new ones being discovered all the time. You definitely want to reduce your attack surface by disabling/uninstalling unneeded features. Plus, you want to patch systems as soon as possible.
Those are preventive controls and they are irreplaceable in terms of defense in depth. But no layer of defense is ever a silver bullet. Patching and surface area management will never stop everything.
So, we need an effective detective control that tells us as soon as something like Petya gets past our frontline preventive layers of defense. The cool thing is that you can do that using nothing more than the Windows security log – or even better – Sysmon. Event ID 4688, activated by enabling Audit Process Creation for success, is a Security log event produced every time an EXE loads as a new process.
If we simply keep a running baseline of known EXE names and compare each 4688 against that list, BAM!, you’ll know as soon as something new, like Petya’s EXEs, run on your network. Of course you need to be collecting 4688s from your workstations, and your SIEM needs to be able to do this kind of constant learning whitelist analysis. You are going to get events when you install new software or patch old software, but only when new EXE names show up.
The only problem with using 4688 is it’s based on EXE name (including path). Bad guys can – but don’t usually bother to use replace known EXEs to stay below the radar. That would defeat the above scheme. So what can you do? Implement Sysmon, which logs the hash of each EXE. Sysmon is a free element of Microsoft Sysinternals written by Mark Russonovich and friends. Sysmon event ID 1 (shown below) is logged the same time as 4688 (if you have both process creation auditing and Sysmon configured) but it also proves the hash of the EXE. So even if the attacker does replace a known EXE, the hash will difference, and your comparison against known hashes will fail – thus detecting a new EXE executing for the first time in your environment.
Log Name: Microsoft-Windows-Sysmon/Operational
Date: 4/28/2017 3:08:22 PM
Event ID: 1
Task Category: Process Create (rule: ProcessCreate)
UtcTime: 2017-04-28 22:08:22.025
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” –type=utility –lang=en-US –no-sandbox –service-request-channel-token=F47498BBA884E523FA93E623C4569B94 –mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe”
Tracking by hash will generate more false positives because anytime a known EXE is updated by the vendor, the first time the new version runs, a new hash will be generated and trip a new alarm or entry on your dashboard. But this tells you that patches are rolling out and confirms that your detection is working. And you are only notified the first time the EXE runs provided, you automatically add new hashes to your whitelist.
Whether you track new EXEs in your environment by name using the Security Log or by hash using Sysmon – do it! New process tracking is one of those highly effective, reliable and long lived, strategic controls that will alert you against other attacks that rely on EXE still beyond the horizon.
EventTracker has a built-in feature that will detect and alert on EXEs and DLLs the first time they run, plus they just released a Dormant Malware Hunter in the latest version of their software. Modern malware, including ransomware, copies itself with different names and hashes to various folders, so that if the original is identified and removed, the clones remain ready to attack at a later time. The Dormant Malware Hunter identifies hidden EXE and DLL files that have never executed, while exempting those found on a known safe files list. As a result, copies of malware can be removed from the network, preventing re-infection or propagation.