![]() It retrieves Windows updates and is also used by some third-party software vendors to handle file transfers (e.g., their update packages). The poisoned BITS tasks, which created installation and clean-up scripts after their payloads were downloaded, were self-contained in the BITS job database, with no files or registry modifications to detect on the host.īITS provides a native, reliable file transfer capability for the Windows operating system. Further analysis by SecureWorks Counter Threat Unit™ (CTU) researchers identified active malicious BITS jobs to download and execute new malware. A SecureWorks IR analyst flagged anomalous entries in the BITS event log. Antivirus software had previously detected and remediated malware on the compromised system, but malware-related network alerts continued. In May 2016, the SecureWorks ® Incident Response (IR) Team conducted an engagement involving a malware compromise. ![]() View our webinar on Hunting for persistence using Elastic Security.Threat actors leveraged a “notification” feature in the Windows Background Intelligent Transfer Service (BITS) to download malware. To learn more about threat hunting, download a free copy of The Elastic Guide to Threat Hunting. ![]() The features of Elastic Endpoint Security and SIEM - along with the protections provided out of the box - lower the barriers to entry for analysts, provides detailed visibility into endpoint activity, and enables organizations to prevent, detect, and respond to malicious behavior at scale. By building comprehension around adversary tradecraft, you can identify interesting patterns, behaviors, and artifacts that you can use to your advantage.Įlastic Security makes hunting for persistence easy. The number of techniques in an attacker’s arsenal can seem daunting at first, but we demonstrated a formulaic approach to examining, hunting for, and detecting techniques effectively. In this blog series, we examined popular techniques that attackers use to maintain a presence in their target environments. This EQL query can also be saved as a custom rule in Elastic Endpoint Security so that analysts can be alerted every time this activity occurs. In this case, it indicates that WSH was used to interpret a JScript or VBScript object that directly or by proxy implemented a scheduled task using schtasks.exe. Windows script host (WSH) is a script interpreter and should generally not have many descendants. This query matches behaviors described in our earlier APT34 example, in which schtasks.exe descended from wscript.exe. ![]() By uniquing on the command line, this allows us to focus our hunt on unique task creations and their properties. The EQL query in Figure 7 matches event sequences where the task scheduler process, schtasks.exe, is created by one of several commonly abused binaries and matches some of the command line parameters previously described. With an understanding of the technique, observable artifacts, and common attributes of schtasks.exe execution, we're better prepared to succeed in our hunt for malicious scheduled task creation events. Figure 1 depicts some of the command line parameters available to schtasks.exe, which we can use as references when analyzing task creation events. Threat actors like APT34, APT29, and FIN6 have been known to use scheduled tasks as a means to persist. It's also essential for security teams to baseline their environment, as knowing all the legitimate ways that scheduled tasks are used will help you become a more effective hunter and identify anomalies more quickly.Īn adversary may attempt to abuse scheduled tasks to execute programs at startup or on a regular cadence for persistence. It’s important to be aware of scheduled tasks that exist in your environment (such as maintenance or backup tasks) as well as tasks created during the installation of new software (like PDF readers or browsers). Scheduled tasks run at an elevated privilege level, which means this persistence mechanism can indirectly satisfy privilege escalation (TA0004) as well. Windows provides a built-in utility called schtasks.exe that allows you to create, delete, change, run, and end tasks on a local or remote computer.
0 Comments
Leave a Reply. |