Detecting remote code execution with Microsoft Advanced Threat Analytics


We know that attackers often use legitimate tools to take malicious actions. Recent incidents have been carried out using a well-known technique, Remote Code Execution (RCE), to spread malware inside a target network. This technique can be performed with legitimate administrative tools such as WMIC and/or PsExec.


However, what attackers may not know is that this technique can be detected with Microsoft Advanced Threat Analytics (ATA). Historically, ATA has been able to detect RCE performed with PsExec. In ATA 1.8, the RCE detection capability was extended to cover Windows Management Instrumentation (WMI) as well. Having this visibility into remote execution on domain controllers (DCs) is a critical detection trigger for starting an investigation.


[Image: ATA_3.png]

Read about it in the Enterprise Mobility & Security blog: https://cloudblogs.microsoft.com/enterprisemobility/2017/11/27/detecting-remote-code-execution-via-wmi-with-microsoft-advanced-threat-analytics/
