As Australian Prime Minister Scott Morrison sounded the alarm on nation-state attacks targeting critical infrastructure in the land Down Under, the Australian Cyber Security Centre released an advisory detailing tactics, techniques and procedures observed in the attacks.
An advisory from the Australian Cyber Security Centre (ACSC) warns that highly sophisticated attacks are currently underway against organizations in Australia. Threat actors have successfully breached a number of networks and are using “living off the land” techniques to spy and exfiltrate data, while attempting to stay under the radar.
“Living off the land” is a strategy typical of advanced persistent threat (APT) groups; the strategy consists of using standard system utilities and legitimate third-party tools to conduct a cyberattack. This helps to evade easy detection. The threat actors also compromised legitimate Australian websites in order to use them as command and control (C&C) servers, thus better hiding their malicious communication.
Organizations are well advised to review the indicators of compromise (IOCs) released by the ACSC.
However, in order to gain comprehensive and immediate visibility into possibly compromised endpoints, no tool serves better than an endpoint detection and response (EDR) solution. As Forrester’s February 2020 Now Tech: Enterprise Detection and Response, Q1 2020 report states, “A key benefit of EDR products is the ability to hunt for indications that an adversary has eluded your security controls and is lying in the weeds of your infrastructure.”
ESET Enterprise Inspector (EEI) is ESET’s EDR solution and is specifically designed to detect the tactics, techniques and procedures used in targeted attacks by APT groups. Deploying EEI in your environment offers two key benefits:
- Immediate visibility into events happening on endpoints
Nothing makes an incident responder’s job easier than a tool that integrates easily with other tools, provides rich context for events and filters data down to the specific behaviors that give away the presence of a threat actor. EEI provides context about the reputation and popularity of executables, as well as information on process trees, scripts, command line arguments, paths, signers and hashes. In addition, EEI provides full transparency into its rule logic, allowing responders to understand why specific behaviors were detected. Visibility is further enhanced by extensive searching and filtering capabilities that help to pinpoint and quickly expose the behavior of malicious actors.
- Suspicious activities automatically set off alarms
Backed by over 30 years of research into malicious behavior, ESET’s own malware research team has written over 300 custom rules that automatically detect specific behaviors commonly exhibited by APTs. EEI’s engine evaluates endpoint events against the rules. Offending processes, along with their process trees, are saved for further investigation by incident responders. EEI is powerful enough, for example, to automatically sound the alarm on numerous techniques identified by the ACSC in their advisory:
| APT technique identified by the ACSC | EEI detection rule |
|---|---|
| Legitimate, benign executable susceptible to DLL search order hijacking is run; the legitimate executable’s process loads the actor’s malicious DLL instead of the intended legitimate DLL | Trusted process loaded suspicious DLL [B0406a] OR Reputable process loaded suspicious DLL [B0406b] (rule triggered depends on details of the abused executable) |
| The actor used a pre-compiled version of the JuicyPotato executable available from the JuicyPotato GitHub project | Endpoint detection + Unpopular process has started from %Temp% [Z0402] OR Other rules based on context of execution |
| Malicious actor used the native Windows tools at.exe and schtasks.exe to execute software on remote hosts | Unpopular process executed from a Scheduled Task [F0411] + Network connection from a system utility program [A0510] + Scheduling task on system start/login [B0101] (triggering of rule will depend on details of the actor’s behavior) |
| An IIS process (w3wp.exe) spawns PowerShell processes either directly or via cmd.exe | Generic IIS backdoor activity – child process [F0403] |
| A PowerShell reverse shell payload spawned from cmd.exe | PowerShell executed with long cmdline [D0415] + Powershell.exe creates an internal network connection [A0502a] + Other rules based on payload |
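To make the detection categories in the table concrete, here is an added example of a small rule engine that evaluates constructed process-creation events against rules modelled on the same behaviors (an IIS worker process spawning a shell, an unpopular binary started from %Temp% or from a scheduled task, a system utility opening a network connection, PowerShell with an unusually long command line or an internal network connection). It is illustration code written for this page, not EEI’s rule logic: the rule names, the prevalence table, the thresholds and the sample events are all assumptions.

```python
"""Toy endpoint rule engine modelled on the detection categories above.

Constructed example, not ESET's rules: every threshold, rule name, prevalence
figure and sample event below is an assumption made for illustration.
"""
import ipaddress
import ntpath
from dataclasses import dataclass
from typing import List

# Constructed prevalence table standing in for a reputation/popularity service:
# number of endpoints in an imaginary fleet on which a binary has been seen.
PREVALENCE = {
    "svchost.exe": 5000, "cmd.exe": 5000, "powershell.exe": 4800,
    "schtasks.exe": 5000, "at.exe": 5000, "taskeng.exe": 5000,
    "w3wp.exe": 40, "update.exe": 2, "juicypotato.exe": 1,
}
UNPOPULAR_THRESHOLD = 5        # assumption: seen on fewer than 5 hosts
LONG_CMDLINE_THRESHOLD = 400   # assumption: characters
SYSTEM_UTILITIES = {"schtasks.exe", "at.exe", "certutil.exe", "bitsadmin.exe"}


@dataclass
class ProcessEvent:
    image: str                  # full path of the newly created process
    cmdline: str
    parent_chain: List[str]     # parent basenames, nearest parent first
    network: bool = False       # did the process open a network connection
    dest_ip: str = ""           # destination of that connection, if any
    from_scheduled_task: bool = False  # launched by the Task Scheduler


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_unpopular(name: str) -> bool:
    return PREVALENCE.get(name, 0) < UNPOPULAR_THRESHOLD


def rule_iis_child_process(ev: ProcessEvent) -> bool:
    # w3wp.exe spawning a shell directly, or via cmd.exe, is the backdoor pattern
    shell = basename(ev.image) in {"cmd.exe", "powershell.exe"}
    return shell and "w3wp.exe" in ev.parent_chain[:2]


def rule_unpopular_from_temp(ev: ProcessEvent) -> bool:
    return "\\temp\\" in ev.image.lower() and is_unpopular(basename(ev.image))


def rule_unpopular_scheduled_task(ev: ProcessEvent) -> bool:
    return ev.from_scheduled_task and is_unpopular(basename(ev.image))


def rule_system_utility_network(ev: ProcessEvent) -> bool:
    return ev.network and basename(ev.image) in SYSTEM_UTILITIES


def rule_long_powershell_cmdline(ev: ProcessEvent) -> bool:
    return basename(ev.image) == "powershell.exe" and len(ev.cmdline) > LONG_CMDLINE_THRESHOLD


def rule_powershell_internal_connection(ev: ProcessEvent) -> bool:
    if basename(ev.image) != "powershell.exe" or not ev.network or not ev.dest_ip:
        return False
    return ipaddress.ip_address(ev.dest_ip).is_private


RULES = {
    "iis_child_process": rule_iis_child_process,
    "unpopular_from_temp": rule_unpopular_from_temp,
    "unpopular_scheduled_task": rule_unpopular_scheduled_task,
    "system_utility_network": rule_system_utility_network,
    "long_powershell_cmdline": rule_long_powershell_cmdline,
    "powershell_internal_connection": rule_powershell_internal_connection,
}


def evaluate(ev: ProcessEvent) -> List[str]:
    """Return the names of every rule the event triggers, in RULES order."""
    return [name for name, check in RULES.items() if check(ev)]


def triage(events: List[ProcessEvent]) -> dict:
    """Map each event's image path to its rule hits; empty lists are benign."""
    return {ev.image: evaluate(ev) for ev in events}


def sample_events() -> List[ProcessEvent]:
    """Constructed events that mirror the rows of the table (not real telemetry)."""
    long_cmd = "powershell.exe -nop -w hidden -enc " + "A" * 450
    return [
        ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     long_cmd, ["cmd.exe", "w3wp.exe", "svchost.exe"],
                     network=True, dest_ip="10.0.0.5"),
        ProcessEvent(r"C:\Users\a\AppData\Local\Temp\juicypotato.exe",
                     "juicypotato.exe -l 1337 -p cmd.exe", ["cmd.exe", "explorer.exe"]),
        ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                     "schtasks.exe /create /s HOST01 /tn upd /tr update.exe",
                     ["cmd.exe"], network=True, dest_ip="10.0.0.7"),
        ProcessEvent(r"C:\ProgramData\update.exe", "update.exe",
                     ["svchost.exe"], from_scheduled_task=True),
        ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
                     ["services.exe"]),
    ]


if __name__ == "__main__":
    for image, hits in triage(sample_events()).items():
        print(f"{image}: {hits or 'no hits'}")
```

Each rule is deliberately narrow and keyed to context (parent chain, launch path, popularity, network behavior) rather than to a file hash, which is what lets this style of detection catch living-off-the-land activity that IOC matching misses; a real engine would also record the full process tree for each hit, as the text describes EEI doing.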
Every minute in an incident investigation is precious. Incident responders need powerful tools like EEI to complement their toolkit and empower them to easily and quickly reconstruct the adverse events happening on endpoints. The faster threat actors are discovered, the sooner remediation steps can be taken to get back to normal business operations.