As attacks become more common and more sophisticated, defensive solutions must keep pace to secure users' activities. Microsoft Defender Advanced Threat Protection (MDATP) is an enterprise security solution built to prevent, detect, investigate and respond to threats.
MDATP automatically filters and detects suspicious events on the endpoints, which IT security professionals can manage through a cloud-based platform. Besides the built-in detection rules, the platform can be customized to fit the enterprise's needs. This makes it possible to apply Threat Hunting methodologies on the platform and to react to alerts, for example by isolating a malware-infected machine.
Why is Threat Hunting necessary?
Threat Hunting is a proactive approach to security: instead of waiting for security incidents to happen, we use indicators (such as threat intelligence, malware characteristics or new vulnerabilities) to find out whether a threat is relevant to the company's infrastructure. If it is relevant, we can take preventive steps or create alert rules to reduce the dwell time (the time between the infection of the infrastructure and its detection).
What is malware?
One of the problems an IT security professional has to face is malware. There are several types of malware, including but not limited to: ransomware, which encrypts the data on the device and hands over the decryption key only if the user pays for it; spyware, which collects information about users without their knowledge; adware, which serves users targeted adverts based on their online activity; and trojans, named after the Trojan horse, which look like legitimate software but let the malicious actor take control of the device. A detailed description of malware types can be found here.
The hunt for persistent malware
In this blog post we walk through an example that shows MDATP's capabilities for hunting persistent malicious software. The goal of such malware is to remain undetected on the system and to keep operating after a reboot. To achieve this, most malware either modifies existing registry keys or creates new ones, so this is the path we will follow when hunting with MDATP. MDATP is accessed via https://securitycenter.windows.com.
Multiple options are available on this interface, but for us the Advanced hunting option is the proper tool (marked in red on Figure 1), because it gives access to the raw data through the Kusto Query Language (KQL). The Advanced hunting schema is built up from tables that give you information about events or devices. You can find more information about these tables here.
The table we need is DeviceRegistryEvents, which contains information about the creation and modification of registry entries. In this table, the ActionType and RegistryKey columns hold the information needed to write the query.
From the ActionType column the "RegistryKeyCreated" string, and from the RegistryKey column the "Run", "RunOnce", "RunServices" and "RunServicesOnce" strings need to be included in the query to narrow down the scope of the search.
For now, we whitelist the "setuphost.exe" string in the InitiatingProcessFileName column for false-positive tuning purposes. Putting these together, our query is the following:
// source table: registry key and value creation/modification events
DeviceRegistryEvents
| where ActionType == "RegistryKeyCreated"
| where InitiatingProcessFileName != "setuphost.exe"
| where RegistryKey has @"\Windows\CurrentVersion\Run"
    or RegistryKey contains "RunOnce"
    or RegistryKey contains "RunServices"
    or RegistryKey contains "RunServicesOnce"
Running this query gives us a number of matches that can be verified by hand. The query does not project any columns, so every column of a matching row is returned, even the ones with no value. Clicking on a suspicious finding visualizes the event, so the process tree is easy to follow and the initiating process that caused the new registry key creation can be identified.
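As an added example (not from the original post), the same hunt extended one step further: on a running Windows machine the Run keys already exist, so autostart persistence usually arrives as a new value written under them (ActionType "RegistryValueSet") rather than as a newly created key, and rare initiator/value combinations are the ones worth looking at first. Column names are from the DeviceRegistryEvents schema; the 7-day window and the contents of the allowlist are assumptions for tuning.

```kql
// Added example, not the original post's query. Hunts for autostart
// persistence in DeviceRegistryEvents, covering both new keys and
// new values under the existing Run* keys, then ranks the results
// so that the rarest combinations surface at the top.
let AutorunKeys = dynamic([
    @"\CurrentVersion\Run",
    @"\CurrentVersion\RunOnce",
    @"\CurrentVersion\RunServices",
    @"\CurrentVersion\RunServicesOnce"]);
// Assumed allowlist for false-positive tuning; extend it per environment.
let AllowedInitiators = dynamic(["setuphost.exe"]);
DeviceRegistryEvents
| where Timestamp > ago(7d)                       // assumed hunting window
| where ActionType in ("RegistryKeyCreated", "RegistryValueSet")
| where RegistryKey has_any (AutorunKeys)
| where InitiatingProcessFileName !in~ (AllowedInitiators)
| project Timestamp, DeviceName, ActionType, RegistryKey,
          RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessFolderPath,
          InitiatingProcessCommandLine, InitiatingProcessParentFileName
// One row per initiator + autostart entry, with how widespread it is
| summarize Events = count(),
            Devices = dcount(DeviceName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleCommandLine = any(InitiatingProcessCommandLine)
          by InitiatingProcessFileName, InitiatingProcessFolderPath,
             InitiatingProcessParentFileName, RegistryKey,
             RegistryValueName, RegistryValueData
// Entries seen on few devices and few times are the triage candidates
| order by Devices asc, Events asc
```

A value that points to a user-writable folder (for example a temp or profile path) in RegistryValueData, written by an unusual parent process, is the kind of row to open in the process tree view described above.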