{"id":112055,"date":"2020-06-01T12:00:45","date_gmt":"2020-06-01T19:00:45","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=112055"},"modified":"2020-07-09T14:24:55","modified_gmt":"2020-07-09T21:24:55","slug":"cortex-insider-threat","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/06\/cortex-insider-threat\/","title":{"rendered":"Physical Hack, Insider Threat: Busted by Cortex XDR Managed Threat Hunting"},"content":{"rendered":"<p><b>One day, a SOC analyst sits down at his computer with his morning coffee and opens the following message alerting him to a possible insider threat:<\/b><\/p>\n<p><b><i>\u201cHello, my name is Alicia from the Cortex XDR Managed Threat Hunting (MTH) team. I\u2019m investigating suspicious activity in your network and could use some assistance... To help our investigation, could you please check the following? ... \u201d <\/i><\/b><\/p>\n<p><b>What is this?! Read on to learn about a sneaky insider attack and the service that discovered it with the latest story in our <\/b><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/tag\/ai-stories\/\"><b>Busted by Cortex XDR series<\/b><\/a><b>, featuring our Cortex XDR Managed Threat Hunting team!<\/b><\/p>\n<p><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:50%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter wp-image-112056 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/05\/Cortex-sec-cam.jpg\" alt=\"This conceptual image illustrates how the Cortex XDR Managed Threat Hunting team was able to &quot;spot&quot; evidence of an employee operating an insider threat.\" width=\"900\" height=\"450\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400\">This real customer story from an EMEA-based consulting firm took place in March before the COVID-19 pandemic hit, and began with an employee hacking his own laptop to 
obtain local admin credentials, using a technique called \u201cSticky Keys.\u201d Here\u2019s how the MTH team caught the employee, traced how the individual learned and built up the hack, and how the customer\u2019s SOC team contained the attack:<\/span><\/p>\n<p><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:43.44%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter wp-image-112069 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/05\/hello.png\" alt=\"This screenshot of an email reads: Hello, My name is [OBSCURED] and I'm part of the MTH team. I'm investigating some activity in your network and can use some assistance. The activity in question can be viewed in XDR: XDR Activity. Overview of the activity: The activity appears to be a technique known as Sticky Keys. More information about this type of attack can be found here: [web address]. To help further our investigation could you please check the following: [Obscured details]. Thank you and please feel free to contact us if you have any questions or concerns. Very Respectfully, [Name Obscured], Cortex XDR Managed Threat Hunting Team \" width=\"900\" height=\"391\" \/><\/span><\/div><\/p>\n<table>\n<tbody>\n<tr>\n<td><p><b>\u201cSticky Keys\u201d?<\/b><\/p>\n<p><span style=\"font-weight: 400\">Windows contains accessibility features that may be launched with a key combination from the login screen. An adversary can replace these programs to get a command prompt \u2013 by default, these applications run under the system account, with administrative credentials.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">Two common accessibility programs are:<\/span><\/p>\n<p><span style=\"font-weight: 400\">1. C:\\Windows\\System32\\sethc.exe, launched when the shift key is pressed five times (Sticky Keys)\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">2. 
C:\\Windows\\System32\\utilman.exe, the Windows application that is designed to allow the user to configure Accessibility options, such as the Magnifier, High Contrast Theme, Narrator and On Screen Keyboard when they press Windows + U on the login screen.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400\">Our customer\u2019s SOC analyst clicked on the Cortex XDR Activity in Alicia\u2019s email to get a picture of what she was referring to. Cortex XDR explained the suspicious activity in a simple graphical form:<\/span><\/p>\n<figure id=\"attachment_112082\" aria-describedby=\"caption-attachment-112082\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:37.78%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-112082 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/05\/utilmanexe.png\" alt=\"Cortex XDR\u2019s root cause analysis screen showing the affected laptop\" width=\"900\" height=\"340\" \/><\/span><\/div><figcaption id=\"caption-attachment-112082\" class=\"wp-caption-text\">Cortex XDR\u2019s root cause analysis screen showing the affected laptop<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400\">The customer\u2019s SOC analyst quickly downed his coffee, rolled up his sleeves and grabbed his keyboard to confirm Alicia\u2019s analysis. Alicia replied a few minutes later, explaining the nature of the threat and recommending steps for remediation. 
Here\u2019s a screenshot of the actual response:<\/span><\/p>\n<p><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:37.56%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter wp-image-112095 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/05\/morning.png\" alt=\"This screenshot of an email reads: Thanks for getting back to me with the details, which confirmed what I was seeing. I'm just going to share with you some of my thoughts and recommendations being that I understand the Windows ecosystem and the technique. Utilman.exe is a Windows protected file and the only way to overwrite it would be to first disable windows system file checker. To achieve this one would need to be logged in to the PC and typically is performed manually. The modification is done in the registry or direct calls into [obscured]. From the activity I would treat the host as fully compromised and from the commands issued assume that local creds were taken. Hopefully the local creds aren't domain creds? Recommend changing the user's account information. Attackers typically do this as a 2nd stage access to a network in the event their initial access is lost. Thanks for the help and please let me know if you have any questions. [Name obscured]\" width=\"900\" height=\"338\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400\">The \u201cSticky Keys\u201d technique triggered our MTH team\u2019s attention as part of looking for signs of admin credential harvesting. Utilman.exe is a Windows protected file, and the only way to overwrite it would be to first disable the Windows system file checker, or to do it without the operating system running.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400\">Unfortunately...<\/span><\/h2>\n<p><span style=\"font-weight: 400\">The employee had already gained local admin creds and continued his attack through the command shell. 
The question now: What did the employee do with those creds? Before we share what happened in the heat of the moment, let\u2019s take a break instead and learn who Alicia is.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400\">Who\u2019s Alicia?<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Alicia is an expert in hunting and collecting threats, and in reverse-engineering malware using code analysis. Her team runs in-depth research to gain insight into techniques that threat actors use to compromise entire organizations. Her goal is to provide context, explain the nuts and bolts of attacks, who\u2019s executing them and why they do so. What gets Alicia going is to empower SOCs to better defend their companies.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400\">The Hack<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Back to the story: Cortex XDR\u2019s endpoint agent logs signaled that the employee obtained admin credentials to his laptop (which, for the record, happened without the company\u2019s permission). He replaced utilman.exe on his computer with cmd.exe, the Windows command shell, which triggered an alert that Alicia picked up and connected with a couple of commands that the employee ran right after. Until Alicia\u2019s email arrived, the customer\u2019s SOC analyst was unaware of the situation. 
Without the Managed Threat Hunting service, this could have come across as a few unrelated activities, and could have ended up as a missed attack.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400\">But Why?<\/span><\/h2>\n<p><span style=\"font-weight: 400\">The MTH team continued to investigate Cortex XDR network and endpoint logs and found that the employee ran commands to reset the local admin\u2019s password and to list local user accounts that were previously logged into his laptop.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Alicia explains that attackers can use a password reset to gain access to accounts. They do this to regain network access when they\u2019ve lost it over the course of carrying out an attack. The employee may have been on the network for a while.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">In the best-case scenario, the employee turned to the dark side only to \u201clevel up\u201d his laptop for innocent, work-related tasks.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Alternatively, Alicia explains that the enumeration of local user accounts is a sign of an attempt to gain access to other users\u2019 accounts, and possibly even to domain admin credentials. The former can grant access to confidential information, such as source code or sales results, while the latter can take the company\u2019s computer network down. When a user logs in to a PC, the login credentials get cached in Windows. With local admin rights, attackers can enumerate that cache and, with various techniques, operate on behalf of those accounts \u2013 even on behalf of domain admin accounts \u2013 to access network resources.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400\">How Could He Do It as a Regular User?<\/span><\/h2>\n<p><span style=\"font-weight: 400\">The employee was a regular user and shouldn\u2019t have been able to replace utilman.exe with the command shell. 
The Windows operating system deploys several protective mechanisms to prevent this abuse. One mechanism is that the application must reside within the System32 folder (which is why cmd.exe was used, and not other applications). Another is that the change can only be made by an administrator.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Alicia kept investigating. She searched the internet and the network and endpoint logs for clues to help the customer\u2019s SOC analyst understand how the user could escalate his privileges to administrator. She eventually found that the employee physically attached a USB stick to his laptop, restarted the computer, launched a live Linux distribution from the USB stick, mounted the Windows partition and finally copied cmd.exe over utilman.exe, bypassing Windows\u2019 operating system file protection while Windows wasn\u2019t running. The employee then restarted the system again, removed the USB stick, booted back into the Windows partition, pressed Windows + U on the login screen and suddenly faced a blank command window, running under the highest local privileges, ready to execute his commands.<\/span><\/p>\n<p><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:25.44%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter wp-image-112108 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/05\/system32.png\" alt=\"This screenshot shows a record of Utilman.exe being modified to allow escalated privileges. \" width=\"900\" height=\"229\" \/><\/span><\/div><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400\">Busted.<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Following these insights by Alicia, the customer\u2019s SOC analyst confirmed the employee\u2019s activities by connecting to the laptop using Cortex XDR Live Terminal. 
The customer\u2019s SOC analyst took the laptop down, disabled the employee\u2019s account and initiated the necessary HR actions that same day. Alicia had found a threat, helped the customer\u2019s SOC analyst find the root cause, recommended remediation action and moved on to the next threat in the world. The customer\u2019s SOC analyst learned a new trick and, thankfully, got out of this trouble before it turned into a disaster. What happened with the employee and how far he got before they caught him remains a mystery. What we know is that they caught him early enough that this story did not appear in the news as a data breach, a long outage or a copyright infringement case \u2013 and that\u2019s what matters.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The CSO remembers the next day\u2019s triage with a sense of a \u201cperfect day,\u201d feeling confident about his SOC team and how the Cortex XDR Managed Threat Hunting team helped protect his company.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400\">Best Practices to Protect Against Insider Threats<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Insider-caused security incidents \u2013 whether due to malice or negligence \u2013 are a pervasive problem for organizations and can be hard to prevent without disrupting employees\u2019 ability to do their jobs. <\/span><a href=\"https:\/\/cdw-prod.adobecqms.net\/content\/dam\/cdw\/on-domain-cdw\/brands\/proofpoint\/ponemon-global-cost-of-insider-threats-2020-report.pdf\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400\">Ponemon Institute has found<\/span><\/a><span style=\"font-weight: 400\"> that the percentage of insider incidents has increased by 47% since 2018, and the cost has increased by 31% over the same time period. 
Here are some steps that your security team can take in order to minimize the chances of an insider threat like the one described above:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><b>Identify and manage critical or sensitive assets. <\/b><span style=\"font-weight: 400\">The development of workplace technologies has allowed for rapid collaboration and access to information, but also allows for those assets to be more easily exfiltrated. Security teams should have a complete account of an organization's assets along with access management tools and policies to defend against an insider threat.<\/span><\/li>\n<li style=\"font-weight: 400\"><b>Document and enforce security policies. <\/b><span style=\"font-weight: 400\">At times, employees may become unintentional insider threats due to unclear or inconsistent security policies regarding an organization's assets. Organizations must clearly outline acceptable use of assets, use of privileged accounts, ownership of intellectual property and other similar topics. Along with the policies, organizations should be able to provide clear justification and reasoning behind each policy.<\/span><\/li>\n<li style=\"font-weight: 400\"><b>Create a response strategy for insider threats. <\/b><span style=\"font-weight: 400\">While we may not be able to completely eliminate insider threats, an organization can construct strategies to rapidly respond to insider threat incidents, thus helping to minimize damage to the organization should one occur. 
These strategies may involve creating a working group across departments and functions or having dedicated personnel to handle insider threat incidents.\u00a0<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400\">Sharpen Your Threat Hunting Skills<\/span><\/h2>\n<p><span style=\"font-weight: 400\">On June 23, we\u2019ll be holding the \u201c<\/span><a href=\"https:\/\/start.paloaltonetworks.com\/inside-the-hunt-virtual-summit?utm_source=MTHblog&amp;utm_medium=social&amp;utm_content=MTH_summit&amp;sfdcid=7010g000001JOCxAAO\"><span style=\"font-weight: 400\">Inside The Hunt<\/span><\/a><span style=\"font-weight: 400\">\u201d virtual summit, dedicated to threat hunters everywhere. We\u2019ve gathered some of the best and the brightest threat hunters and industry experts from around the world to share best practices on threat hunting strategies, techniques, challenges and technologies. Learn new tips that will help you improve your threat hunting practices right away and participate in trivia to win prizes. 
<\/span><a href=\"https:\/\/start.paloaltonetworks.com\/inside-the-hunt-virtual-summit?utm_source=MTHblog&amp;utm_medium=social&amp;utm_content=MTH_summit&amp;sfdcid=7010g000001JOCxAAO\"><span style=\"font-weight: 400\">Register for \u201cInside the Hunt\u201d for free<\/span><\/a><span style=\"font-weight: 400\">!<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>An EMEA-based consulting firm was able to identify and stop an insider threat with the help of the Cortex XDR Managed Threat Hunting team.<\/p>\n","protected":false},"author":663,"featured_media":112056,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6770],"tags":[6737,7109,6786],"coauthors":[6848],"class_list":["post-112055","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-future","tag-cortex-xdr","tag-managed-threat-hunting","tag-threat-hunting"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/05\/Cortex-sec-cam.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=112055"}],"version-history":[{"count":4,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112055\/revisions"}],"predecessor-version":[{
"id":113617,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112055\/revisions\/113617"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/112056"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=112055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=112055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=112055"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=112055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}