Threat Hunting with TPS to Reveal Undetected Malicious Activities
A common approach in threat hunting is to define a hypothesis that yields indicators or TTPs to follow, in order to discover malicious behavior that slipped past existing detections. With Verint's Threat Protection System (TPS), for example, analysts can use predefined queries that search for such indicators in the raw event data.
In this blog post we present a concept that can be applied to both Network Forensics, a tool that captures raw network data, and Endpoint Forensics, which records raw operating system events. In the case described below, we queried the Endpoint Forensics data to examine Windows process executions launched from a Roaming sub-directory, together with their command-line parameters:
process.image.path == "*\roaming*" && process.commandline == "*"
The above query returned more than 2000 events for one week of data. That is not a manageable number for an analyst to examine event by event, so we narrow it down by grouping on specific fields, for example:
- Command-line parameters: analyze the parameters for suspicious commands, then filter the results on attributes such as image path and endpoint to triage the suspicious behavior.
Example of Telegram updater process events
- Image name: look for unfamiliar executables, in combination with the uniqueness attributes (how rarely the image is seen across the data set).
Example of Spotify process events
Grouping the results by process name reduced over 2000 events to 47 groups. We can now focus on the 47 unique process names, starting from the groups with the lowest count of unique events, which quickly surfaces a suspicious event:
- A process named Firewall.exe, executed from a folder named Javaxa within the Roaming directory, with a file named Firewall from the same folder passed as a command-line parameter. From an analyst's perspective, the combination of these indications raises several red flags.
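The hunt described above is a long-tail ("stacking") analysis: run the broad query, group by image name, and review the rarest groups first. The following Python is an added example written for this post, not Verint TPS code; it reproduces the workflow over constructed process-execution events (hostnames, user names and paths are hypothetical, and "Updater.exe" stands in for the Telegram updater binary) and also implements the red flag from the Firewall.exe case, an argument that names a file in the executable's own folder.

```python
"""Long-tail ("stacking") hunt over Windows process-execution events.

Added example for this post; it is not Verint TPS code. The events are
constructed to mimic the fields the hunt used (host, image path,
command line); hostnames, users and paths are hypothetical.
"""
from collections import defaultdict
import ntpath
import re


def _ev(host, user, rel_image, extra_args=""):
    """Build a constructed event for an executable under the user's Roaming folder."""
    image = ntpath.join(r"C:\Users", user, r"AppData\Roaming", rel_image)
    return {"host": host, "image": image, "cmdline": f'"{image}" {extra_args}'.rstrip()}


# Constructed sample events: software that legitimately runs from Roaming on
# several hosts, one rare executable, and one process outside Roaming that
# the query must drop.
EVENTS = [
    _ev("WS01", "alice", r"Spotify\Spotify.exe", "--autostart"),
    _ev("WS02", "bob", r"Spotify\Spotify.exe", "--autostart"),
    _ev("WS03", "dana", r"Spotify\Spotify.exe", "--autostart"),
    _ev("WS01", "alice", r"Telegram Desktop\Updater.exe", "--update"),
    _ev("WS04", "erin", r"Telegram Desktop\Updater.exe", "--update"),
    _ev("WS07", "carol", r"Javaxa\Firewall.exe",
        r"C:\Users\carol\AppData\Roaming\Javaxa\Firewall"),
    {"host": "WS01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


def hunt_query(events):
    r"""Rough equivalent of the query used in the post:
    process.image.path == "*\roaming*" && process.commandline == "*"
    (image path contains \roaming\ and a command line was recorded)."""
    return [e for e in events
            if "\\roaming\\" in e["image"].lower() and e["cmdline"]]


def stack_by_image_name(events):
    """Group events by image file name and order the groups rarest first.
    Returns [(image_name, event_count, sorted_hosts), ...]."""
    groups = defaultdict(list)
    for e in events:
        groups[ntpath.basename(e["image"]).lower()].append(e)
    rows = [(name, len(evs), sorted({e["host"] for e in evs}))
            for name, evs in groups.items()]
    rows.sort(key=lambda r: (r[1], len(r[2]), r[0]))
    return rows


_ARG = re.compile(r'"[^"]*"|\S+')   # quoted token or bare token


def same_folder_argument(event):
    r"""Red flag from the post: an argument naming a file in the executable's
    own folder (e.g. ...\Javaxa\Firewall.exe launched with ...\Javaxa\Firewall)."""
    folder = ntpath.dirname(event["image"]).lower()
    for tok in _ARG.findall(event["cmdline"])[1:]:   # skip argv[0]
        cand = tok.strip('"')
        if "\\" in cand and ntpath.dirname(cand).lower() == folder:
            return True
    return False


def triage(events, max_hosts=1):
    """Return the rare groups (seen on at most max_hosts hosts), rarest first,
    each annotated with the same-folder-argument flag."""
    hits = hunt_query(events)
    by_name = defaultdict(list)
    for e in hits:
        by_name[ntpath.basename(e["image"]).lower()].append(e)
    findings = []
    for name, count, hosts in stack_by_image_name(hits):
        if len(hosts) > max_hosts:
            continue
        findings.append({
            "image": name, "events": count, "hosts": hosts,
            "same_folder_arg": any(same_folder_argument(e) for e in by_name[name]),
        })
    return findings


if __name__ == "__main__":
    for name, count, hosts in stack_by_image_name(hunt_query(EVENTS)):
        print(f"{count:>3} event(s) {len(hosts):>2} host(s)  {name}")
    for f in triage(EVENTS):
        print("REVIEW:", f)
```

The stacking sort key (event count, then host count, then name) puts Firewall.exe at the top of the list, exactly where an analyst working the long tail starts; the same-folder check is only one of the indicators an analyst would weigh, so it is reported as a flag rather than used to drop events.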
You can learn more about what we uncovered during the complete analysis of the malicious process in our blog post Breaking down builder-encrypted RAT.
TPS automatically creates a 'profile' for each investigated entity (such as an endpoint, domain, process or file). The profile summarizes all important events related to the entity in a statistical view, which drastically reduces investigation time by giving the analyst the data needed to understand the entity. In our case, we used this feature to conclude that the behavior is indeed malicious:
Process investigation using profiling
Based on the above data, we quickly notice several suspicious indicators, such as the parent-child relationships, which strongly suggest that RegSvcs.exe executes malicious code. The analyst can now dig into the related events within the profile to extract more indicators. In our case, for example, we examined the unusual number of file create and delete events by querying them from the profiler, which redirects us to the Endpoint Forensics tool:
File event analysis based on process profile
It is now visible that the process repeatedly creates and deletes the same file, named after the victim's user name, within the Temp directory, which is an additional suspicious indicator. Since the Profiler feature is displayed as a widget, the analyst can continue and examine the additional data provided by the entity profile.
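To turn the file-event observation above into a repeatable check, the following Python is an added example written for this post, not Verint TPS code. It takes the file events of a single process, as an endpoint forensics tool would export them, pairs each create with the delete that follows it on the same path, and reports paths that cycle through create and delete, whether they live in a Temp directory, and whether the file is named after the logged-on user. The events, user name and paths are constructed.

```python
"""Pair create/delete file events from one process's profile.

Added example for this post; not Verint TPS code. The file events are
constructed to resemble what an endpoint forensics tool records for a
single process (timestamp, operation, path); user and paths are hypothetical.
"""
from collections import defaultdict
import ntpath

USER = "carol"                                   # logged-on user (constructed)
TEMP = r"C:\Users\carol\AppData\Local\Temp"      # user Temp directory (constructed)

# Constructed events: a Temp file named after the user is created and deleted
# repeatedly; one unrelated temp file is created once and never deleted.
FILE_EVENTS = [
    {"ts": 1, "op": "create", "path": TEMP + "\\" + USER},
    {"ts": 2, "op": "delete", "path": TEMP + "\\" + USER},
    {"ts": 3, "op": "create", "path": TEMP + "\\" + USER},
    {"ts": 4, "op": "delete", "path": TEMP + "\\" + USER},
    {"ts": 5, "op": "create", "path": TEMP + r"\tmpA1B2.tmp"},
    {"ts": 6, "op": "create", "path": TEMP + "\\" + USER},
    {"ts": 7, "op": "delete", "path": TEMP + "\\" + USER},
]


def create_delete_cycles(events):
    """Count completed create -> delete cycles per path (case-insensitive).
    A delete only closes a cycle if a create on the same path precedes it."""
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"].lower()].append(e)
    cycles = {}
    for path, evs in by_path.items():
        pending_create = False
        n = 0
        for e in sorted(evs, key=lambda x: x["ts"]):
            if e["op"] == "create":
                pending_create = True
            elif e["op"] == "delete" and pending_create:
                n += 1
                pending_create = False
        cycles[path] = n
    return cycles


def in_temp(path):
    """True if any directory component of the path is 'Temp'
    (covers ...\\AppData\\Local\\Temp\\... and C:\\Windows\\Temp\\...)."""
    return "temp" in path.lower().split("\\")[:-1]


def analyze(events, user):
    """Findings ordered by cycle count: files this process wrote and removed,
    whether they live in a Temp directory, and whether the file is named
    after the logged-on user (the indicator observed in the post)."""
    findings = []
    for path, n in create_delete_cycles(events).items():
        if n == 0:
            continue
        findings.append({
            "path": path,
            "cycles": n,
            "in_temp": in_temp(path),
            "named_after_user": ntpath.basename(path) == user.lower(),
        })
    findings.sort(key=lambda f: -f["cycles"])
    return findings


if __name__ == "__main__":
    for f in analyze(FILE_EVENTS, USER):
        print(f)
```

Pairing on the same path rather than just counting operations matters: a process that creates many distinct temporary files and removes them is ordinary, while one that rewrites and removes a single file over and over is the pattern the profile exposed here.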