The 2014 SANS DFIR Poster is titled “Know Normal…Find Evil.” It provides information on several fundamental Windows processes in order to educate responders and forensic analysts to differentiate between legitimate instances and suspicious/malicious ones.
The exciting thing for us is this fits precisely into the data Carbon Black is collecting all the time on our customers’ endpoints. Using a sample set of real enterprise data and by talking to the data-store directly (to retrieve data programmatically), we can see the typical usernames and parent processes of ~720,000 instances of svchost.exe across 1,000 endpoints (some names/data redacted or obfuscated):
Parent Process: (720268)
- services.exe: 703755
- rpcnet.exe: 9368
- msmpeng.exe: 6934
- svchost.exe: 152
- eholeoyt.exe: 14
- 37056.mp3: 1
- 55.mp3: 1
- 94.mp3: 1
Username:
- SYSTEM: 432676
- Local Service: 182387
- Network Service: 78322
- john.smith: 42
- jane.smith: 1
- bob.smith: 1
- frank.smith: 1
Does anything jump out at you? Why are there processes with an “.mp3” extension, and why are they the parents of svchost.exe? And why are there user accounts running svchost.exe? Let’s go to the Carbon Black console to find out more:
One instance across the 1,000 hosts has that parent name for svchost. Let’s dive in:
A quick look shows a non-system username, as svchost.exe is usually SYSTEM, Local Service, or Network Service (which we confirmed with real-world data above):
If we expand the whole process tree out, we see that it gets pretty wild:
If we look at what svchost.exe is doing, we see it writing out a temporary file (unsigned), and then loading it as a module! If you look at the tree above, you’ll also notice that the same executable is spawned as a child of svchost.exe – not good!
We see from the process tree that this malicious process tree started with Internet Explorer. If we look at IE, we see that it did in fact write out and spawn the executable 94.mp3:
As I wrap up this blog post, the last thing I want to point out is that while we provide this enterprise intelligence to our users to make responding to incidents much faster, there’s a whole new realm of detection that is possible. By creating “watchlists,” we can detect and be alerted when these or similar behaviors occur. Here are two examples:
Alert me when svchost.exe runs as anything other than SYSTEM, Local Service, and Network Service:
- -username:SYSTEM -username:"Local Service" -username:"Network Service" process_name:svchost.exe
Alert me when svchost.exe has an unusual parent:
- -parent_name:services.exe -parent_name:rpcnet.exe -parent_name:msmpeng.exe -parent_name:svchost.exe process_name:svchost.exe
You can take these much further, create exceptions, or tie them to specific MD5s, too.
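To show how the two watchlists above behave against process data, here is an added example (not Carbon Black code) that evaluates the same `field:value` / `-field:value` query form over a handful of constructed svchost.exe events; it assumes only that simplified term syntax, not the full console query language, and the events and watchlist names are made up for illustration.

```python
import shlex

# Constructed sample events carrying the three fields the watchlists use.
# These are illustrative, not real telemetry.
EVENTS = [
    {"process_name": "svchost.exe", "username": "SYSTEM", "parent_name": "services.exe"},
    {"process_name": "svchost.exe", "username": "Local Service", "parent_name": "services.exe"},
    {"process_name": "svchost.exe", "username": "Network Service", "parent_name": "msmpeng.exe"},
    {"process_name": "svchost.exe", "username": "jane.smith", "parent_name": "94.mp3"},
    {"process_name": "svchost.exe", "username": "SYSTEM", "parent_name": "eholeoyt.exe"},
    {"process_name": "iexplore.exe", "username": "jane.smith", "parent_name": "explorer.exe"},
]

# The two watchlists from the post, keyed by a made-up alert name.
WATCHLISTS = {
    "svchost non-service user": '-username:SYSTEM -username:"Local Service" -username:"Network Service" process_name:svchost.exe',
    "svchost unusual parent": '-parent_name:services.exe -parent_name:rpcnet.exe -parent_name:msmpeng.exe -parent_name:svchost.exe process_name:svchost.exe',
}

def parse_query(query):
    """Split a query into (negated, field, value) terms.
    shlex keeps quoted values such as "Local Service" as one token."""
    terms = []
    for token in shlex.split(query):
        negated = token.startswith("-")
        field, _, value = token.lstrip("-").partition(":")
        terms.append((negated, field, value))
    return terms

def matches(event, query):
    """True when every positive term matches and no negated term does.
    Comparison is case-insensitive, as Windows process and user names are."""
    for negated, field, value in parse_query(query):
        hit = event.get(field, "").lower() == value.lower()
        if hit == negated:  # a positive term missed, or a negated term hit
            return False
    return True

def run_watchlists(events, watchlists=WATCHLISTS):
    """Return (watchlist name, event) pairs that would raise an alert."""
    return [(name, ev) for name, q in watchlists.items() for ev in events if matches(ev, q)]

if __name__ == "__main__":
    for name, ev in run_watchlists(EVENTS):
        print(f"[{name}] {ev['process_name']} user={ev['username']} parent={ev['parent_name']}")
```

The svchost.exe spawned by 94.mp3 trips both watchlists, while the one with an unfamiliar parent but a SYSTEM account trips only the parent rule, which is why the post pairs the two.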
The 2014 SANS DFIR poster is a nice resource and with the right visibility you can use the information from security experts like SANS to quickly pinpoint unusual attributes and behavior. Furthermore, you can turn “what’s normal” (or rather, abnormal) into detection rules and start getting alerts for attacker behavior regardless of what C2 site they communicate to or what hash the malicious binary has.
Looking for a little more information? Check out this blog post from Forensicaliente.