Here’s a roundup of the latest security detection rules written by our very busy incident detection engineering team, integrated into Blumira’s cloud SIEM platform to identify potential Windows threats in your environment.
Missed last week’s additions to Blumira’s detection and response platform? Check out our blog post, Product Update: New Microsoft Sysmon Security Rules.
Written by Lead Incident Detection Engineer Amanda Berlin:
Detection: Blocked Access of Controlled Folder
Controlled folders are protected by Windows Defender because malware often uses these folders to install itself and maintain persistence. These folders can be configured across the organization with Group Policy by navigating to “Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access.”
MITRE ATT&CK: T1564, Tactic: Defense Evasion
Response Playbook: Blumira provides next steps to guide you through a workflow – if the program should be allowed to modify the listed folder, then you can close it as allowlisted. If not, then you can select the next step to block the action, indicating that the program should not be modifying the folder. We also recommend looking at what folders or files were modified by the program in question, and if the software that was run is an approved program.
Written by Sr. Incident Detection Engineer Bill Reyor:
Detection: Kerberoast Attack Behavior Detected
Threat actors can abuse the Kerberos protocol to recover plaintext passwords of Microsoft Active Directory service accounts using a tactic called Kerberoasting. Blumira detects and alerts your team whenever we observe a client IP interacting with a honeytoken account, similar to how attackers leverage the Kerberos protocol to recover service account passwords.
MITRE ATT&CK: T1558.003, Tactic: Credential Access
Response Playbook: Blumira provides a workflow to confirm if the workstation or user was performing a legitimate service, or, if it was unexpected behavior, to begin incident response procedures on the identified workstation, isolating the endpoint and resetting service accounts with potentially exposed credentials. We provide additional steps that customers can take to avoid false positives and help with Kerberos attack detection.
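The honeytoken logic described above, written out as an added example over constructed Windows Security Event ID 4769 (service ticket request) records; this is illustrative code, not Blumira's rule, and the account names, client IPs and the `svc-honey01` honeytoken are assumptions. It also collects the other service accounts requested from the same client, which is the reset list the response playbook calls for.

```python
from collections import defaultdict

# Constructed Windows Security Event ID 4769 (Kerberos service ticket request)
# records, trimmed to the fields the rule reads. Accounts, IPs and SPNs are made up.
EVENTS_4769 = [
    {"IpAddress": "::ffff:10.0.5.20", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc-sql", "Status": "0x0"},
    {"IpAddress": "::ffff:10.0.5.20", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc-backup", "Status": "0x0"},
    {"IpAddress": "10.0.5.20", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc-honey01", "Status": "0x0"},  # honeytoken: no real service uses it
    {"IpAddress": "::ffff:10.0.9.7", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc-sql", "Status": "0x0"},      # ordinary use of a real service
    {"IpAddress": "::ffff:10.0.5.20", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc-honey01", "Status": "0x12"},  # failed request, ignored by the rule
]

HONEYTOKENS = {"svc-honey01"}  # assumed names of the honeytoken service accounts

def normalize_ip(addr):
    """4769 logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip that prefix."""
    return addr[7:] if addr.startswith("::ffff:") else addr

def find_honeytoken_requests(events, honeytokens=HONEYTOKENS):
    """One finding per client IP that was issued a ticket for a honeytoken account.
    Each finding also lists the other service accounts that IP requested, which is
    the candidate list for a credential reset during response."""
    honey = {h.lower() for h in honeytokens}
    by_ip = defaultdict(lambda: {"hits": 0, "users": set(), "services": set()})
    for ev in events:
        if ev.get("Status") != "0x0":            # only tickets that were actually issued
            continue
        svc = ev["ServiceName"].rstrip("$").lower()
        rec = by_ip[normalize_ip(ev["IpAddress"])]
        rec["services"].add(svc)
        rec["users"].add(ev["TargetUserName"])
        if svc in honey:
            rec["hits"] += 1
    return [
        {"client_ip": ip, "honeytoken_hits": rec["hits"],
         "requesting_users": sorted(rec["users"]),
         "reset_candidates": sorted(rec["services"] - honey)}
        for ip, rec in sorted(by_ip.items()) if rec["hits"]
    ]
```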
Written by Incident Detection Engineer Brian Laskowski:
Detection: Dump LSASS.exe Memory Using Windows Task Manager
This technique is used by stealthier threat actors who want to avoid dropping malware that could trigger antivirus alerts. A user with local administrator permissions can use Windows Task Manager to create a memory dump of running processes on the system, including the Local Security Authority Subsystem Service (LSASS). The LSASS process handles authentication, and a threat actor can recover hashes and passwords from the dumped process memory.
MITRE ATT&CK: T1003.001, Tactic: Credential Access
Detection: Signed Binary Proxy Execution: Mshta
Mshta.exe is a built-in utility in Microsoft Windows. It can, however, be abused to load malicious JavaScript and VBScript, and it is often used to bypass application allowlisting and antivirus tools. Review each execution against known internal software or expected user activity.
MITRE ATT&CK: T1218.005, Tactic: Defense Evasion
Detection: Msiexec.exe – Execute Remote MSI File
Msiexec is software included in Windows to facilitate installing Windows Installer (.msi) files. While it is commonly used to install packages locally, it can also download and install software from a remote location. This is uncommon and should be investigated as potentially malicious activity.
MITRE ATT&CK: T1218.007, Tactic: Defense Evasion
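The two Signed Binary Proxy Execution rules above (Mshta and remote MSI), as an added example run over constructed Sysmon Event ID 1 process-creation records; this is illustrative code, not Blumira's rule set, and the file paths, PIDs, `example.invalid` URLs and the allowlisted Contoso installer parent are assumptions.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 (process creation) records, trimmed to the
# fields these rules read. Paths, PIDs and host names are made up.
SYSMON_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\jdoe\Downloads\app.msi" /qn',
     "ParentImage": r"C:\Windows\explorer.exe"},                 # local install: normal
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /q /i http://updates.example.invalid/pkg.msi",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},              # remote MSI
    {"ProcessId": 4201, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Contoso\Setup\wizard.hta"',
     "ParentImage": r"C:\Program Files\Contoso\Setup\setup.exe"},  # known internal installer
    {"ProcessId": 4230, "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r"mshta.exe https://cdn.example.invalid/page.hta",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]

REMOTE_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# Assumed allowlist of parent images permitted to launch mshta.exe (internal software).
MSHTA_ALLOWED_PARENTS = {r"c:\program files\contoso\setup\setup.exe"}

def evaluate(events, mshta_allowed_parents=MSHTA_ALLOWED_PARENTS):
    """Return one finding per event that matches a rule, in event order."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["Image"]).lower()   # works on Windows paths anywhere
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "").lower()
        remote = REMOTE_RE.search(cmd)
        if image == "msiexec.exe" and remote:
            findings.append({"rule": "Msiexec.exe - Execute Remote MSI File",
                             "technique": "T1218.007", "pid": ev["ProcessId"],
                             "detail": "remote package " + remote.group(0)})
        elif image == "mshta.exe" and parent not in mshta_allowed_parents:
            findings.append({"rule": "Signed Binary Proxy Execution: Mshta",
                             "technique": "T1218.005", "pid": ev["ProcessId"],
                             "detail": ("remote content " + remote.group(0)) if remote
                                       else "local file, parent " + parent})
    return findings
```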
Detection: Qbot Email Dumping Indicator Removal
Qbot/Qakbot is a family of loader malware that is often introduced via malicious emails. These emails contain Excel or Word files that, when opened, download the Qbot malware to the local system. One of the first tasks Qbot performs on a local system is to collect a copy of any local emails in the user’s Outlook client, dump them to disk, and exfiltrate them. This alert triggers on the clean-up process that follows. If it fires, investigate for an active Qbot infection on the host and expect the contents of the user’s email inbox to have already been exfiltrated.
MITRE ATT&CK: T1070.004, Tactic: Defense Evasion
Detection: Dump LSASS.exe Memory Using comsvcs.dll
Comsvcs.dll is a built-in Windows DLL (dynamic-link library) that can be used to dump process memory. More advanced threat actors use it to collect credentials from LSASS without needing to drop Mimikatz or other tools that might trigger an antivirus alert. Investigate the user who executed the process as well as the process ID of the dumped process to see whether it aligns with the LSASS process on {devname}.
MITRE ATT&CK: T1003.001, Tactic: Credential Access
Guide to Microsoft Security
To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.
Protect Against Active Directory Attacks
Blumira has released a new tool on GitHub to help you easily protect against Active Directory credential attacks like Kerberoasting that can lead to ransomware infection.
How to Enable Sysmon for Windows Logging & Security
With Sysmon, you can detect malicious activity by tracking code behavior and network traffic, as well as create detections based on the malicious activity.