Threat Hunting for Unexpectedly Patched Systems
Threat hunting is the proactive approach to find anomalies related to threats that could cause potential harm to an organization. These could be the signs of intrusion, as a part of malware campaign, ransomware attack, denial-of-service, data exfiltration and even crypto mining.
Threat hunters constantly look for abnormalities in the behavior of an endpoint, server which may be signs of compromise, intrusion, or exfiltration of data. They check proactively the signs of the presence of intruders currently or in the past. To perform this efficiently, threat hunters utilize tools that give them deep visibility and insight into systems-level microtransactions of every server and endpoint. One such sign is the detection of Unexpectedly Patched Systems in the environment.
Threat Hunting Perspectives
Today, there are several malware and ransomware which tend to patch the target system after the initial infection. One of the first of this kind was, the Win32/Patched a.k.a. WinNT/Patched which is a Computer Trojan targeting the Microsoft Windows operating system that was first detected in October 2008. Files detected as “Trojan.Win32.Patched” are usually Windows components that are patched by a malicious application. The purpose of patching varies. For example, certain malware patches system components to disable security, such as the Windows Safe File Check feature. Other malware can add parts of its code to a system component and then patch certain functions of the original file to point to an appended code.
Often malware today utilize this technique to fix the flaw which they exploited originally to intrude the system; to prevent a similar ‘hack’ by any other threat actor. According to the McAfee Labs Sep. 2017 Threat Report, 33% utilize ‘Unexpected patching of systems’ as an Indicator of Compromise for their threat hunting exercises.
Adversary Behaviors to Hunt for Unexpectedly Patched Systems
Receiving an unexpected patch could be linked with the fifth stage of the Cyber Kill Chain, known as – Installation. Therefore, the behavior prioritized to hunt for will be ‘Process Execution.’
Malicious processes can be executed by the attacker on the target system by leveraging various ways. A process might be executed by a user double-clicking on an icon, automated service running while in the booting stage or via a script calling an application.
Hence, an attacker can execute a malicious process masquerading as a legitimate process of ‘system patch update.’ While most of the time an attacker gets hold of a system, they typically interact with it via the command-line interface, but this could also be done via a GUI. Ideally, the threat hunter should look for when the path was pushed, what did the patch constitute of, what changes have been inflicted on the target system as a result of this patch.
What to Hunt for?
- Was the process execution a legitimate one or a fake one?
- What makes the process look suspicious?
- Are there any false logos?
- The naming convention of the process (e.g., Incorrect nomenclature).
- Unexpected execution of scripts?
- Unexpected downloads from the internet?
- The context behind the installation of update (whether the update was shown while startup while browsing a website, or through email, or pop-up).
- Look for threat campaigns installing malware through fake updates from the past.
Attacker’s success depends on the ability to execute processes on targeted systems. By leveraging this and ensuring visibility into the process executed, malicious activities can be spotted. By correlating data or automating the collection of this data with a proper automation tool, the threat hunters can find post-compromise activities. This is why it is very essential to align your threat hunting strategy to a well-defined structure.
MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected. ATT&CK for Enterprise is an adversary behavior model that describes the actions an adversary may take to compromise and operate within an enterprise network. The full ATT&CK Matrix includes techniques spanning Windows, Mac, and Linux platforms and can be used to navigate through the knowledge base.