E.L. Howard
Cisco Employee

Symptoms

It has happened to many of us, many times. We are alerted to a malware outbreak in our network and begin the process of verification, remediation and system clean-up, only to see the same thing reappear in our consoles as soon as we give users access to their systems again. What’s next? Wash, rinse, repeat.

Diagnosis

In “Exploiting the Rootkit Paradox with Windows Memory Analysis”, Jesse Kornblum made two very powerful points that ring true today.

All rootkits obey two basic principles:

  1. They want to remain hidden.
  2. They need to run.

He applied these statements to rootkits, but experience has shown time and again that they hold across many malware variants, and they are just as true today: malware needs to run, and malware authors want their toolkit to remain hidden.

This behaviour (remaining hidden) gives attackers a persistent presence in an environment, and it can be achieved through several means. A _very short_ list includes:

  • Programs that execute from temporary or cache folders,
  • Programs that execute from user profiles,
  • Programs stored as Alternate Data Streams [0].

This Query Corner doesn’t give us space to dig into all of the possible ways attackers hide their work, or all the methods of detecting them, but a quick win is to keep an eye on users’ Roaming Profiles for signs of non-standard executables and/or scripts. Because a roaming profile follows the user, such a location can be used to ensure a compromise follows the user after systems are cleaned or re-imaged.

Solution

The catalog query called “Scheduled Task Search” [1] retrieves the list of scheduled tasks, per host. By default the query returns all scheduled tasks, but it has a parameter to focus on a particular path, which can surface anomalous scripts or executables that may indicate unwanted applications or actual malware.

    1. Run the baseline query first, to ensure data is retrieved from your hosts.
    2. Configure the Scheduled Task Search parameter named “task_action” to look at roaming profiles, and run your focused query.

If your focused query returns no results, we have at least answered that question. If you would like to monitor this space on a recurring basis, save this query as a Scheduled Job, and let Orbital query your hosts in the background and use the results to pick up a change in the environment.

The first time you see a change in the results we may have some work to do, based on what the query returned.
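To make the focused query and the follow-up triage concrete, here is an added example (not code from the article or from Orbital) that covers both the hiding places listed under Diagnosis and the scheduled-task procedure above. It tags each task action that launches from a roaming profile, a user profile, a temp or cache folder, or an NTFS alternate data stream, and it compares two runs of the query to surface tasks that have appeared since the last run, which is what a Scheduled Job is meant to catch. The rows are constructed sample data in the shape of osquery’s Windows `scheduled_tasks` table; the SQL string is the osquery form of the roaming-profile filter and assumes the catalog query’s “task_action” parameter becomes a `LIKE` pattern, which is an assumption about the catalog query, not something the article states.

```python
from __future__ import annotations

import re

# osquery SQL equivalent of the focused catalog query. ASSUMPTION: the catalog
# query's "task_action" parameter is applied as the LIKE pattern below.
FOCUSED_QUERY = (
    "SELECT name, action, path, enabled, hidden, last_run_time "
    "FROM scheduled_tasks "
    r"WHERE action LIKE '%\AppData\Roaming\%';"
)

# Hiding places named in the article, keyed by tag. Each pattern is matched
# case-insensitively against the whole task action, so interpreter launches
# (powershell.exe -File <script>) are caught as well as direct executables.
LOCATION_PATTERNS = {
    "roaming_profile": re.compile(r"\\AppData\\Roaming\\", re.I),
    "temp_or_cache": re.compile(r"\\(?:Temp|Tmp|INetCache|Cache)\\", re.I),
    "user_profile": re.compile(r"[A-Z]:\\Users\\", re.I),
    # A drive-rooted path token carrying a second colon, e.g.
    # C:\dir\readme.txt:payload.exe, is an NTFS alternate data stream.
    # Relative ADS paths without a drive letter are not handled here.
    "alternate_data_stream": re.compile(r"[A-Z]:\\[^\s\"]*:[^\s\"\\]+", re.I),
}

# CONSTRUCTED sample rows in the shape of osquery's scheduled_tasks table.
SAMPLE_ROWS = [
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe -c -h -o -$",
     "enabled": 1, "hidden": 0},
    {"name": r"\OneDriveUpdater",
     "action": r'"C:\Users\alice\AppData\Roaming\OneDrive\updater.exe" /silent',
     "enabled": 1, "hidden": 0},
    {"name": r"\SystemHealth",
     "action": r"powershell.exe -File C:\Users\bob\AppData\Local\Temp\health.ps1",
     "enabled": 1, "hidden": 1},
    {"name": r"\Maintenance",
     "action": r"C:\Windows\Tasks\readme.txt:svc.exe",
     "enabled": 1, "hidden": 0},
]


def classify_action(action: str) -> list[str]:
    """Return the sorted tags of every suspicious location the action touches."""
    return sorted(tag for tag, pat in LOCATION_PATTERNS.items() if pat.search(action))


def triage(rows: list[dict]) -> list[dict]:
    """Keep only rows whose action hits a suspicious location, with the reasons."""
    flagged = []
    for row in rows:
        tags = classify_action(row["action"])
        if tags:
            flagged.append({**row, "reasons": tags})
    return flagged


def diff_runs(previous: list[dict], current: list[dict]) -> list[dict]:
    """Report tasks present in the current run but absent from the previous one,
    keyed on task name and action, i.e. the change a Scheduled Job should surface."""
    seen = {(r["name"], r["action"]) for r in previous}
    return [r for r in current if (r["name"], r["action"]) not in seen]


if __name__ == "__main__":
    print("Focused query:", FOCUSED_QUERY)
    for row in triage(SAMPLE_ROWS):
        print(f"{row['name']}: {', '.join(row['reasons'])}")
    # Treat the first two rows as the earlier baseline run.
    for row in diff_runs(SAMPLE_ROWS[:2], SAMPLE_ROWS):
        print("new since last run:", row["name"])
```

Run it as-is to see the three flagged tasks and the two that are new relative to the baseline; in practice `SAMPLE_ROWS` would be replaced by the result rows exported from the query, and the baseline would be the previous job’s results.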

If you've found this first version of the Query Corner useful, we will continue to dig deeper in the Endpoint Security discussion boards here on the Community site. Watch this space to see what comes next!

Links for references above:

0. https://docs.microsoft.com/en-us/sysinternals/downloads/streams
1. https://orbital.amp.cisco.com/stock/scheduled_tasks_param_searc