{"id":98695,"date":"2019-05-23T06:00:24","date_gmt":"2019-05-23T13:00:24","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=98695"},"modified":"2019-05-22T15:27:48","modified_gmt":"2019-05-22T22:27:48","slug":"xdr-tales-from-the-soc-hunting-for-persistent-malware","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2019\/05\/xdr-tales-from-the-soc-hunting-for-persistent-malware\/","title":{"rendered":"Tales From the SOC: Hunting for Persistent Malware"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\"  class=\"size-full wp-image-98696 alignright lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/control-room-1.jpg\" alt=\"\" width=\"440\" height=\"280\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/control-room-1.jpg 440w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/control-room-1-230x146.jpg 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/control-room-1-63x40.jpg 63w\" sizes=\"auto, (max-width: 440px) 100vw, 440px\" \/><\/p>\n<p><em><span style=\"font-weight: 400;\">At <\/span><a href=\"https:\/\/bit.ly\/2UE5Wz1\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Ignite '19<\/span><\/a><span style=\"font-weight: 400;\">, Vidya Gopalakrishnan, SOC Engineer, and Matt Mellen, Sr. SOC Manager, will be giving attendees a rare glimpse into the Palo Alto Networks Security Operations Center (SOC). They\u2019ll shed light on our overall strategy as well as how <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/products\/xdr\"><span style=\"font-weight: 400;\">Cortex XDR<\/span><\/a><span style=\"font-weight: 400;\"> has helped automate and enhance a tier-less security operating model. 
Palo Alto Networks has the benefit of being our own \"customer zero\" for all new Palo Alto Networks products, allowing us to make product improvements and develop best practices while keeping our security team on the cutting edge of technology. While Cortex XDR adds intelligence and efficiency to all three key functions of security operations \u2013 alert triage, incident investigation\/response, and threat hunting \u2013 Vidya and Matt will be focusing specifically on how they have been using it for threat hunting, the area in which companies usually have the fewest available resources. <\/span><\/em><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Here\u2019s an exclusive preview of how we\u2019ve used Cortex XDR to hunt, identify, and remediate a piece of persistent malware.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>How to hunt for persistent malware<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The MITRE ATT&amp;CK framework describes \u201cpersistence\u201d as an action or configuration change that allows an adversary to maintain access to a system despite restarts, credential loss, or other interruptions. There are many techniques by which malware can achieve persistence; one common technique is to change registry \u201crun\u201d keys, which causes a program to be executed every time a user logs in. Sounds relatively simple to identify, right? But capturing the different techniques without getting tripped up by false positives is not an easy feat without the right tools and processes.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Step 1: Search<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Cortex XDR comes pre-configured with an array of known behavior-based indicators of compromise (BIOCs). These BIOCs are rules that identify interesting or malicious behaviors based on tactics, techniques and procedures \u2013 rather than the easily evaded artifacts typically used in IOC hunting. 
The first step is to search for alerts with the category of \u201cPersistence,\u201d and set the alert source as \u201c<a href=\"https:\/\/www.darkreading.com\/endpoint\/secdo-announces-behavioral-based-indicators-of-compromise-automated-response-center\/d\/d-id\/1330265\" rel=\"nofollow,noopener\" >BIOCs<\/a>.\u201d In this case, we\u2019re targeting BIOCs that accompany typical persistence behavior, such as registry keys that have been written over or added to the registry by an unsigned process.<\/span><\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.22.04-AM.png\"><div style=\"max-width:100%\" data-width=\"1964\"><span class=\"ar-custom\" style=\"padding-bottom:12.53%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone wp-image-98860 size-full lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.22.04-AM.png\" alt=\"\" width=\"1964\" height=\"246\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.22.04-AM.png 1964w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.22.04-AM-230x29.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.22.04-AM-768x96.png 768w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.22.04-AM-500x63.png 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.22.04-AM-510x64.png 510w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.22.04-AM-240x30.png 240w, 
https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.22.04-AM-650x81.png 650w\" sizes=\"auto, (max-width: 1964px) 100vw, 1964px\" \/><\/span><\/div><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><b>Step 2: Find what stands out<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The search generates a list of events. Duplicate results from a large number of hosts generally indicate normal behavior; they can be removed. Several events, however, show an executable from a suspicious path. C:\/Google is definitely not a normal folder path, and the filename (oMO.exe) is also unusual. <\/span><\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.10.51-AM.png\"><div style=\"max-width:100%\" data-width=\"1756\"><span class=\"ar-custom\" style=\"padding-bottom:34.85%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone wp-image-98846 size-full lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.10.51-AM.png\" alt=\"\" width=\"1756\" height=\"612\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.10.51-AM.png 1756w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.10.51-AM-230x80.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.10.51-AM-768x268.png 768w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.10.51-AM-500x174.png 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.10.51-AM-510x178.png 510w, 
https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.10.51-AM-115x40.png 115w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.10.51-AM-650x227.png 650w\" sizes=\"auto, (max-width: 1756px) 100vw, 1756px\" \/><\/span><\/div><\/a><\/p>\n<p><b>Step 3: Triage and Validate<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Selecting any one of these events, we click \u201cAnalyze\u201d to see the chain of events (or causality). We can see that Cortex XDR identifies the root cause as cmd.exe, from which everything was spawned. In the screenshot below, oMO.exe is identified as malware, which is why it shows up in red. If needed, additional information can be obtained from knowledge bases such as <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/products\/secure-the-network\/autofocus\"><span style=\"font-weight: 400;\">AutoFocus<\/span><\/a><span style=\"font-weight: 400;\"> and VirusTotal with a simple right-click. 
The number of BIOC alerts (16) indicates that this event requires further investigation using the EDR events collected for oMO.exe and the rest of the causality chain.<\/span><\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-3.png\"><div style=\"max-width:100%\" data-width=\"440\"><span class=\"ar-custom\" style=\"padding-bottom:67.27%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone wp-image-98735 size-full lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-3.png\" alt=\"\" width=\"440\" height=\"296\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-3.png 440w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-3-230x155.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-3-59x40.png 59w\" sizes=\"auto, (max-width: 440px) 100vw, 440px\" \/><\/span><\/div><\/a><\/p>\n<p><b>Step 4: Investigate<\/b><\/p>\n<p><span style=\"font-weight: 400;\">For further investigation, we have the option to click into several tabs revealing the forensic detail used to confirm that this is indeed malware. In these tabs, we find evidence across various types of endpoint behaviors. In the Alerts tab, we find that the Persistence BIOC fired for the same machine 16 times. 
Furthermore, we can investigate the associated endpoint and network behaviors from the other tabs.<\/span><\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-4.png\"><div style=\"max-width:100%\" data-width=\"1600\"><span class=\"ar-custom\" style=\"padding-bottom:49.69%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone wp-image-98748 size-full lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-4.png\" alt=\"\" width=\"1600\" height=\"795\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-4.png 1600w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-4-230x114.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-4-768x382.png 768w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-4-500x248.png 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-4-510x253.png 510w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-4-81x40.png 81w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-4-604x300.png 604w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/span><\/div><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Looking through these tabs, we find: <\/span><\/p>\n<p><span style=\"font-weight: 400;\">1. Registry tampering, visible on the Registry tab.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">2. A suspicious connection to a random GoDaddy site, visible on the Network tab.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">3. Repetitive file reads, visible on the File tab, that show the malware reading itself from the startup menu.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Each of these is typical of persistence behavior. 
<\/span><\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-5.png\"><div style=\"max-width:100%\" data-width=\"1600\"><span class=\"ar-custom\" style=\"padding-bottom:36.56%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone wp-image-98761 size-full lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-5.png\" alt=\"\" width=\"1600\" height=\"585\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-5.png 1600w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-5-230x84.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-5-768x281.png 768w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-5-500x183.png 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-5-510x186.png 510w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-5-109x40.png 109w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/XDR-5-650x238.png 650w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/span><\/div><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.45-AM.png\"><div style=\"max-width:100%\" data-width=\"1912\"><span class=\"ar-custom\" style=\"padding-bottom:11.3%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone wp-image-98876 size-full lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.45-AM.png\" alt=\"\" width=\"1912\" height=\"216\" 
srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.45-AM.png 1912w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.45-AM-230x26.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.45-AM-768x87.png 768w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.45-AM-500x56.png 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.45-AM-510x58.png 510w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.45-AM-240x27.png 240w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.45-AM-650x73.png 650w\" sizes=\"auto, (max-width: 1912px) 100vw, 1912px\" \/><\/span><\/div><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.57-AM.png\"><div style=\"max-width:100%\" data-width=\"1844\"><span class=\"ar-custom\" style=\"padding-bottom:49.78%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone wp-image-98889 size-full lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.57-AM.png\" alt=\"\" width=\"1844\" height=\"918\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.57-AM.png 1844w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.57-AM-230x115.png 230w, 
https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.57-AM-768x382.png 768w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.57-AM-500x249.png 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.57-AM-510x254.png 510w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.57-AM-80x40.png 80w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Screen-Shot-2019-05-22-at-11.43.57-AM-603x300.png 603w\" sizes=\"auto, (max-width: 1844px) 100vw, 1844px\" \/><\/span><\/div><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">If you\u2019re not a forensic specialist, this information can be a lot to take in, but Cortex XDR simplifies the known bad activity into contextual alerts so less experienced analysts can also perform fast and accurate investigations. This kind of information not only further confirms that this is malware but can also provide visibility into how much of our infrastructure this piece of malware may have infiltrated, to help assess the scope of damage.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Step 5: Remediate <\/b><\/p>\n<p><span style=\"font-weight: 400;\">Now that we\u2019re clear that this is malicious activity, we take action. We first issue a reimage of the system given that it was affected by malware. We then blacklist the malware, preventing execution on endpoints, and do the same for the \u201cbad domain,\u201d blocking transmission through network and cloud protection points. This, in turn, updates WildFire, where the malicious entities will be confirmed. 
The prevention signatures will automatically be updated on Traps and pushed to all of our global customers, thereby enabling future prevention of a malware sample that the environment has not previously seen.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Step 6: Breathe<\/b><\/p>\n<p><span style=\"font-weight: 400;\">That\u2019s it \u2013 the world is now a slightly safer place. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Within a few clicks, Cortex XDR has simplified a legacy threat hunting process that is so cumbersome that companies often can\u2019t get to it, which contributes to industry statistics such as a mean-time-to-identify of 197 days. <\/span><\/p>\n<p><em><span style=\"font-weight: 400;\">Persistent malware is one example of structured data hunting, which is performed based on predefined behaviors that generate alerts. At Ignite, Vidya and Matt will also be sharing use cases of Cortex XDR for unstructured data hunting, using robust machine learning capabilities to find anomalies across hundreds of data dimensions. These are the types of threats that are even harder to identify using legacy approaches. <\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400;\">To learn more, catch the \u201c\u2018Stand and Still\u2019 Hunting with Cortex XDR\u201d session on June 3rd at <\/span><a href=\"https:\/\/bit.ly\/2UE5Wz1\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Ignite USA<\/span><\/a><span style=\"font-weight: 400;\">. 
If you can\u2019t make it to Austin but would like to see more of Cortex XDR in action, <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/company\/request-demo\"><span style=\"font-weight: 400;\">click here to request a demo<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/em><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here\u2019s an exclusive preview of how we\u2019ve used Cortex XDR to hunt, identify, and remediate a piece of persistent malware.<\/p>\n","protected":false},"author":644,"featured_media":98696,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6770],"tags":[6737,1819,6786],"coauthors":[6785,1355],"class_list":["post-98695","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-future","tag-cortex-xdr","tag-ignite","tag-threat-hunting"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/control-room-1.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/98695","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/644"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=98695"}],"version-history":[{"count":15,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/98695\/revisions"}],"predecessor-version":[{"id":99014,"href":"https:\/\/origin-resea
rchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/98695\/revisions\/99014"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/98696"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=98695"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=98695"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=98695"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=98695"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}