How to Deal with Undetected Malware?


Hi,

Anti-Malware products like Windows Defender are getting smarter and stronger and it is not easy to find malware which won't be detected by them. In case we face such a case, we will send them to Microsoft Anti-Malware team for analysis and we do have other defensive layers.

I am just wondering during the 0-days period where we are waiting for signature and we face undetected malware, how are you dealing with it and protecting your environments?

Let me share some clues:

1) Use AppLocker to block them manually
2) Write some emergency PowerShell scripts
3) Isolate infected device
4) Implement some emergency policies

In case ATP is available, it would be much easier, but let's say how we handle it without ATP (consider complex scenario) and then we discuss using ATP (as easy scenario).

I am interested to hear what you think.
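
Item 1 of the list above, sketched as an added example that is not part of the original post or of any Microsoft tooling: an emergency AppLocker deny rule built from the hash of a captured sample. The paths `C:\Quarantine\suspect.exe` and `C:\SecOps\emergency-deny.xml` are placeholders, and the sample is assumed to be an .exe so that the rule lands in the Exe collection.

```powershell
# Added example. Both paths are placeholders, not values from the thread.
$sample = 'C:\Quarantine\suspect.exe'
$outXml = 'C:\SecOps\emergency-deny.xml'

# Guard: once an AppLocker rule collection contains any rule, files that no
# allow rule matches are blocked. Merging a lone deny rule into an empty Exe
# collection would therefore stop every executable, so refuse to continue.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$allowRules = $effective.SelectNodes("//RuleCollection[@Type='Exe']/*[@Action='Allow']")
if ($allowRules.Count -eq 0) {
    throw 'No Exe allow rules in the effective policy; set up a baseline allow policy first.'
}

# Build a hash rule from the file itself, so no hash is typed by hand.
# New-AppLockerPolicy generates Allow rules; the action is flipped below.
$info = Get-AppLockerFileInformation -Path $sample
[xml]$policy = New-AppLockerPolicy -FileInformation $info -RuleType Hash `
    -User Everyone -RuleNamePrefix 'EMERGENCY-DENY' -Xml

foreach ($rule in $policy.SelectNodes('//FileHashRule')) {
    $rule.SetAttribute('Action', 'Deny')
}
$policy.Save($outXml)

# Dry run: evaluate the new rule against the sample before touching policy.
Test-AppLockerPolicy -XmlPolicy $outXml -Path $sample -User Everyone

# Merge into the local policy, keeping the rules that are already there.
Set-AppLockerPolicy -XmlPolicy $outXml -Merge

# AppLocker only evaluates rules while the Application Identity service runs.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
```

A hash rule matches only this exact file, so a repacked or recompiled variant needs its own rule. For domain-wide rollout the same XML would be imported into a GPO rather than merged locally.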

5 Replies
One thing is to have good security policies indeed.
Implement ASR and enable all rules in block mode.

Something else is to do proactive hunting. This is searching for attackers in your network without knowing for sure if they are there.
Check out this article for more info (it's from CrowdStrike, but it has some good information) https://www.crowdstrike.com/epp-101/threat-hunting/

Thank you @Thijs Lecomte for the links, they are very valuable.

I believe by proactive hunting you are referring to things like Honeypot.


Hi @Reza Ameri,

On DART, we used a lot of Microsoft Threat Protection \ Defender ATP custom detections paired with response actions to deal with this. Using this approach, you can isolate machines, block files by hash or certificate, run a quick scan, or collect a forensics package.

What you're referring to falls more in line with hardening than preventing a 0-day. You can definitely use AppLocker to prevent malware, but it really depends on how it was set up. I'd recommend checking out AaronLocker - a config written by Aaron Margosis some time ago: https://github.com/Microsoft/AaronLocker.

Other protections would be attack surface reduction (ASR) https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-..., exploit protection (sort of like the new EMET) https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-ex..., or Application Guard https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-g....

At the end of the day, what really makes an attack successful (in my opinion) is availability of credentials with widespread administrative authority. Keep tabs on delegations made on the root object of the domain (the domainDns object), user rights (especially on domain controllers), and permissions to the AdminSDHolder object. It's that whole assume breach mentality, and why many customers are moving towards Azure AD joined devices since it decouples identity from authorization, uses strong authentication, and decouples authentication from authorization. Check out the famous Pass the Hash whitepaper for those: https://aka.ms/pth

Last, microservices are the way to go. Avoid having one huge monolithic infrastructure, instead favoring smaller containerized services which only have access to what they need to operate.

The other place to keep an eye on is Defender ATP's threat and vulnerability management capability which can identify vulnerable applications, including which applications have an exploit in the wild. This paired with the Threat Analytics dashboard should keep you informed of many of the exploitation-centric threats to your infrastructure.
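
One way to "keep tabs" on the domain root and AdminSDHolder permissions mentioned in the reply above, as an added example that is not part of the original post: snapshot both ACLs and diff them against a saved baseline. It assumes the ActiveDirectory RSAT module and a reachable domain; the baseline path `C:\SecOps\ad-acl-baseline.csv` is a placeholder, and user rights on domain controllers are not covered.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access
# to the domain. The baseline path is a placeholder.
Import-Module ActiveDirectory

$baseline = 'C:\SecOps\ad-acl-baseline.csv'
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn, "CN=AdminSDHolder,CN=System,$domainDn")

# Flatten every ACE on both objects into comparable string properties.
$current = foreach ($dn in $targets) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        [pscustomobject]@{
            Object     = $dn
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType.ToString()
            Rights     = $ace.ActiveDirectoryRights.ToString()
            ObjectType = $ace.ObjectType.ToString()   # GUID of the property or extended right
            Inherited  = $ace.IsInherited.ToString()
        }
    }
}

$props = 'Object', 'Identity', 'Type', 'Rights', 'ObjectType', 'Inherited'

if (Test-Path -Path $baseline) {
    # '=>' marks ACEs added since the baseline, '<=' marks ACEs removed.
    $old = Import-Csv -Path $baseline
    Compare-Object -ReferenceObject $old -DifferenceObject $current -Property $props |
        Sort-Object Object, Identity |
        Format-Table -AutoSize
} else {
    # First run: record the reviewed state as the baseline.
    $current | Export-Csv -Path $baseline -NoTypeInformation
    Write-Output "Baseline written to $baseline; review it before trusting later diffs."
}
```

Any added ACE on AdminSDHolder deserves attention because its ACL is periodically stamped onto protected groups and their members. Run the comparison on a schedule and store the baseline where ordinary administrators cannot rewrite it.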

Thank you @MichaelJMelone for your valuable inputs.

I believe security is more about defense strategy, MD ATP is great but due to certain company policy and licensing issues, it might take some time before approval and getting this product running in the environment, but when it happens, I believe people who are in charge of cybersecurity could start celebrating and have an easier life.

However, before that we need some defensive measures in place which you discussed.

Totally agree @Reza Ameri. The mantra I always used to use with my customers is security is not a product, it's a technique that can be enabled by product.