Home
%3CLINGO-SUB%20id%3D%22lingo-sub-482994%22%20slang%3D%22en-US%22%3EInvestigating%20a%20Fileless%20Attack%20using%20Azure%20Security%20Center%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-482994%22%20slang%3D%22en-US%22%3E%3CP%3E%3CEM%3EThis%20blog%20was%20reviewed%20by%20Ben%20Nick%20(Senior%20Program%20Manager)%2C%20Tino%20Morenz%20(Senior%20Software%20Engineer)%2C%20Abhishek%20Singh%20(Senior%20Software%20Engineer)%20and%20the%20Fileless%20Attack%20Detection%20Dev%20Team.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20October%202018%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fblog%2Fannouncing-new-azure-security-center-capabilities-at-rsa-2018%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewe%20announced%3C%2FA%3E%20a%20new%20detection%20capability%20for%20Azure%20Security%20Center%20that%20targets%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fintelligence%2Ffileless-threats%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Efileless%20attacks%3C%2FA%3E%20on%20Windows%20machines.%20When%20Security%20Center%20detects%20this%20type%20of%20attack%2C%20it%20triggers%20an%20alert.%20This%20alert%20contains%20important%20details%20to%20help%20responders%20better%20understand%20the%20attack%20pattern%20and%20behavior.%3C%2FP%3E%0A%3CP%3EThis%20capability%20uses%20memory%20forensic%20techniques%20to%20cover%20a%20wide%20range%20of%20fileless%20attack%20behaviors%2C%20including%3A%20shell%20code%2C%20injected%20modules%2C%20and%20obfuscation%20techniques%20that%20you%20can%20read%20about%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fblog%2Fdetecting-fileless-attacks-with-azure-security-center%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3EWhile%20the%20information%20that%20is%20exposed%20in%20the%20alert%20is%20useful%20for%20understanding%20what%20activity%20is%20present%20in%20a%20compromised%20process%2C%20it%20may%20not%20give%20you%20the%20entire%20answer%20of%20how%20that%20process%20came%20to%20be%20compromised.%20This%20is%20especially%20true%20if%20multiple%20processes%20are%20involved.%20For%20this%20reason%2C%20it%20is%20important%20to%20enable%20audit%20policies%20%3CEM%3EProcess%20Creation%3C%2FEM%3E%20(Event%204688)%20and%20the%20%3CEM%3ECommandLine%20field%20%3C%2FEM%3Einside%20event%204688.%20For%20more%20information%20about%20%3CEM%3EProcess%20Creation%20Event%204688%3C%2FEM%3E%20and%20general%20Audit%20Policy%20recommendations%2C%20read%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-ds%2Fplan%2Fsecurity-best-practices%2Faudit-policy-recommendations%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESample%20Scenario%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EIn%20this%20scenario%2C%20Contoso%E2%80%99s%20Incident%20Response%20Team%20identifies%20an%20alert%20in%20Security%20Center%20that%20has%20the%20following%20information%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F110305i02C35C41685079F6%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Fig1.PNG%22%20title%3D%22Fig1.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ECobalt%20Strike%20is%20a%20feature-rich%20penetration%20testing%20tool%20that%20provides%20remote%20attackers%20with%20a%20wide%20range%20of%20capabilities%2C%20including%20escalating%20privileges%2C%20capturing%20user%20input%2C%20executing%20arbitrary%20commands%20through%20PowerShell%20or%20WMI%2C%20performing%20reconnaissance%2C%20communicating%20with%20C%26amp%3BC%20servers%20over%20various%20protocols%2C%20and%20downloading%20and%20installing%20additional%20malware.%20%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FMsftSecIntel%2Fstatus%2F1069624803135549442%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Security%20Intelligence%3C%2FA%3E%20already%20reported%20the%20use%20of%20this%20tool%20in%20different%20campaigns.%3C%2FP%3E%0A%3CP%3ETo%20better%20understand%20what%20happened%20here%20we%20need%20to%20navigate%20throughout%20the%20other%20fields%20in%20this%20alert%2C%20and%20there%20we%20will%20find%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20589px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F110308iA9CC62854DC4BA86%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Fig4.PNG%22%20title%3D%22Fig4.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBased%20on%20the%20information%20available%20in%20the%20alert%2C%20we%20can%20interpret%20that%20the%20attacker%20compromised%20the%20system%2C%20and%20started%20rundll32.exe%20in%20suspended%20mode%2C%20injected%20their%20payload%20into%20the%20process%2C%20changed%20the%20entry%20point%20for%20the%20process%20to%20point%20to%20their%20payload%2C%20and%20started%20running%20the%20process.%20This%20interpretation%20is%20possible%20because%20of%20the%20following%20facts%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ERundl32exe%20isn%E2%80%99t%20normally%20run%20without%20additional%20%3CEM%3Ecommandline%3C%2FEM%3E%20parameters.%20If%20you%20were%20to%20execute%20rundll32.exe%20like%20that%20it%20would%20simply%20exit%20immediately.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EThe%20injected%20thread%E2%80%99s%20start%20time%20and%20process%20start%20time%20are%20identical%2C%20so%20it%20means%20the%20injected%20thread%20was%20created%20immediately%20after%20the%20process%20was%20started.%20Note%20that%20the%20%3CEM%3EProcess%20Creation%20Time%3C%2FEM%3E%20is%20in%20UTC%2C%20the%20%3CEM%3EThread%20Creation%3C%2FEM%3E%20time%20is%20in%20local%20time%2C%20hence%20the%20difference.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EAs%20far%20as%20who%20injected%20the%20thread%20into%20the%20process%2C%20given%20the%20proximity%20of%20%3CEM%3EProcess%20Creation%3C%2FEM%3E%20time%20and%20%3CEM%3EThread%20Creation%3C%2FEM%3E%20time%2C%20and%20the%20fact%20that%20%3CEM%3Erundll32%3C%2FEM%3E%20would%20have%20had%20to%20be%20started%20in%20suspended%20mode%2C%20it%E2%80%99s%20likely%20that%20the%20parent%20process%20did%20indeed%20do%20the%20injection.%20Unfortunately%2C%20we%20don%E2%80%99t%20have%20more%20than%20the%20parent%20PID%20in%20this%20case%2C%20possibly%20because%20the%20attacker%20had%20already%20killed%20that%20parent%20process%20to%20avoid%20detection.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWhat%20to%20do%20next%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EAfter%20reading%20the%20alert%20details%2C%20and%20understand%20what%20it%20was%20done%2C%20you%20can%20start%20by%20following%20the%20remediation%20steps%20provided%20by%20this%20alert%2C%20which%20are%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20566px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F110309i2BA870E990A1BEAB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Fig5.PNG%22%20title%3D%22Fig5.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESome%20of%20these%20steps%20may%20not%20be%20possible%20in%20some%20circumstances%2C%20such%20as%20the%20step%20number%202%2C%20since%20in%20this%20particular%20case%2C%20when%20the%20Contoso%20IR%20Team%20arrived%20the%20compromised%20Server%20was%20restarted%20already.%20If%20the%20machine%20was%20still%20running%2C%20you%20could%20use%20the%20instructions%20from%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F931673%2Fhow-to-create-a-user-mode-process-dump-file-in-windows%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E%20to%20obtain%20a%20user-mode%20dump.%3C%2FP%3E%0A%3CP%3EIf%20Security%20Center%20is%20monitoring%20your%20Windows%20Servers%20(supported%20versions%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-os-coverage%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E)%2C%20you%20will%20also%20have%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-wdatp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWindows%20Server%20Defender%20ATP%2C%20since%20it%20will%20be%20automatically%20deployed%20by%20ASC%3C%2FA%3E.%20Windows%20Server%20Defender%20ATP%20has%20more%20analytics%20which%20can%20give%20more%20information%20about%20this%20type%20of%20attack.%20Read%20the%20article%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2018%2F09%2F27%2Fout-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EOut%20of%20sight%20but%20not%20invisible%3A%20Defeating%20fileless%20malware%20with%20behavior%20monitoring%2C%20AMSI%2C%20and%20next-gen%20AV%3C%2FA%3E%2C%20for%20more%20information%20on%20how%20Microsoft%20Defender%20ATP%20can%20be%20used%20to%20not%20only%20detect%2C%20but%20to%20stop%20fileless%20attacks.%20For%20more%20information%20about%20how%20ASC%20uses%20memory%20forensic%20techniques%20to%20perform%20fileless%20attack%20detection%20see%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fblog%2Fdetecting-fileless-attacks-with-azure-security-center%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article.%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-482994%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%20Center%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

This blog was reviewed by Ben Nick (Senior Program Manager), Tino Morenz (Senior Software Engineer), Abhishek Singh (Senior Software Engineer) and the Fileless Attack Detection Dev Team.

 

In October 2018 we announced a new detection capability for Azure Security Center that targets fileless attacks on Windows machines. When Security Center detects this type of attack, it triggers an alert. This alert contains important details to help responders better understand the attack pattern and behavior.

This capability uses memory forensic techniques to cover a wide range of fileless attack behaviors, including: shell code, injected modules, and obfuscation techniques that you can read about here.

While the information that is exposed in the alert is useful for understanding what activity is present in a compromised process, it may not give you the entire answer of how that process came to be compromised. This is especially true if multiple processes are involved. For this reason, it is important to enable audit policies Process Creation (Event 4688) and the CommandLine field inside event 4688. For more information about Process Creation Event 4688 and general Audit Policy recommendations, read this article.

 

Sample Scenario

In this scenario, Contoso’s Incident Response Team identifies an alert in Security Center that has the following information:

 

Fig1.PNG

Cobalt Strike is a feature-rich penetration testing tool that provides remote attackers with a wide range of capabilities, including escalating privileges, capturing user input, executing arbitrary commands through PowerShell or WMI, performing reconnaissance, communicating with C&C servers over various protocols, and downloading and installing additional malware. Microsoft Security Intelligence already reported the use of this tool in different campaigns.

To better understand what happened here we need to navigate throughout the other fields in this alert, and there we will find:

 

Fig4.PNG

 

Based on the information available in the alert, we can interpret that the attacker compromised the system, and started rundll32.exe in suspended mode, injected their payload into the process, changed the entry point for the process to point to their payload, and started running the process. This interpretation is possible because of the following facts:

  • Rundl32exe isn’t normally run without additional commandline parameters. If you were to execute rundll32.exe like that it would simply exit immediately. 
  • The injected thread’s start time and process start time are identical, so it means the injected thread was created immediately after the process was started. Note that the Process Creation Time is in UTC, the Thread Creation time is in local time, hence the difference.

As far as who injected the thread into the process, given the proximity of Process Creation time and Thread Creation time, and the fact that rundll32 would have had to be started in suspended mode, it’s likely that the parent process did indeed do the injection. Unfortunately, we don’t have more than the parent PID in this case, possibly because the attacker had already killed that parent process to avoid detection.

 

What to do next?

After reading the alert details, and understand what it was done, you can start by following the remediation steps provided by this alert, which are:

 

Fig5.PNG

Some of these steps may not be possible in some circumstances, such as the step number 2, since in this particular case, when the Contoso IR Team arrived the compromised Server was restarted already. If the machine was still running, you could use the instructions from this article to obtain a user-mode dump.

If Security Center is monitoring your Windows Servers (supported versions here), you will also have Windows Server Defender ATP, since it will be automatically deployed by ASC. Windows Server Defender ATP has more analytics which can give more information about this type of attack. Read the article Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-..., for more information on how Microsoft Defender ATP can be used to not only detect, but to stop fileless attacks. For more information about how ASC uses memory forensic techniques to perform fileless attack detection see this article.