Are you struggling to keep up with false positive alerts? Worried the alerts you ingest will never catch true evil? Are you responding to malicious activity well after it occurs, rather than detecting it in real time? If you answered "yes" to any of the above, this discussion is for you. Through this talk, attendees will be equipped with a trusted process to more effectively detect malicious activity in their environment.
Focusing on system binaries that frequently facilitate the download or execution of malicious code (rundll32.exe, msiexec.exe, regsvr32.exe, etc.), we will use publicly available resources to distinguish normal behavior from malicious behavior. We'll walk through how to answer questions such as: what are the normal command line parameters, process paths, and process lineages? Should this binary be making network connections? What are the known abuse techniques for this binary?
We'll then dive into a handful of options for creating effective detection logic. Using examples of real-world threats and techniques often utilized by red teams (e.g., search order hijacking, process injection, privilege escalation), these detection ideas will allow defenders to create alerts that have more meaning and a higher true positive rate.
Intro - What are LOLBins?
    Discuss commonly used system binaries to download or execute malicious code
        Rundll32, regsvr32, msiexec, mshta, msbuild
Gather Information
    What is normal?
        Process path, network connections, typical command line, process lineage
    How can this binary be abused?
    Use findings to explore detection options
Detect the Evil
    What real threats should this be catching?
        Example activity from threats such as:
            Qbot
            Raspberry Robin
            SocGholish
    Potential to also catch widespread tactics utilized by many threats & red teams
        Search Order Hijacking, Process Injection, Privilege Escalation
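The "Gather Information" and "Detect the Evil" steps above boil down to one idea: profile what is normal for a binary (process path, parent process, network behavior, command line shape) and alert on deviations. The following is an added example illustrating that idea, not code from the talk or its author. Every baseline value in it (allowed paths, parent process names, command line patterns) is an assumption chosen for illustration; in practice those values come from vendor documentation, the public LOLBAS catalog and your own telemetry, and must be tuned per environment. The sample process events are constructed, not real data.

```python
"""Baseline-vs-observed checks for Windows LOLBins (rundll32, regsvr32).

Added example for this talk outline; it is not code from the talk or its
author. The baselines below are ASSUMPTIONS for illustration only: in
practice they come from the "Gather Information" step (vendor docs, the
LOLBAS project, and your own telemetry) and must be tuned per environment.
"""
import re
from dataclasses import dataclass


@dataclass
class Baseline:
    paths: set           # where the legitimate binary lives on disk
    parents: set         # parent process names normally observed
    network: bool        # does the binary normally make network connections?
    cmdline_allow: list  # regexes (lower-case) describing expected command lines


@dataclass
class ProcessEvent:
    image: str      # full path of the executed image
    cmdline: str    # full command line
    parent: str     # parent image name or path
    network: bool   # did the process open a network connection?


def _basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Assumed baselines (illustrative, not authoritative)
BASELINES = {
    "rundll32.exe": Baseline(
        paths={r"c:\windows\system32\rundll32.exe", r"c:\windows\syswow64\rundll32.exe"},
        parents={"explorer.exe", "svchost.exe", "msiexec.exe"},
        network=False,
        cmdline_allow=[
            # rundll32 <dll under C:\Windows\System32 or SysWOW64>,<export>
            r'^"?(c:\\windows\\(system32|syswow64)\\)?rundll32\.exe"?\s+'
            r'"?c:\\windows\\(system32|syswow64)\\[\w.\-]+\.(dll|cpl)[",]',
        ],
    ),
    "regsvr32.exe": Baseline(
        paths={r"c:\windows\system32\regsvr32.exe", r"c:\windows\syswow64\regsvr32.exe"},
        parents={"msiexec.exe", "explorer.exe", "setup.exe"},
        network=False,
        cmdline_allow=[
            # regsvr32 [/s] <dll under C:\Windows or C:\Program Files>
            r'^"?(c:\\windows\\(system32|syswow64)\\)?regsvr32(\.exe)?"?\s+(/s\s+)?'
            r'"?c:\\(windows|program files( \(x86\))?)\\',
        ],
    ),
}


def evaluate(event: ProcessEvent) -> list:
    """Compare one process event with its binary's baseline; return deviations."""
    name = _basename(event.image)
    base = BASELINES.get(name)
    if base is None:
        return []  # not a binary we profile
    findings = []
    if event.image.lower() not in base.paths:
        findings.append(f"{name}: unexpected process path {event.image}")
    if _basename(event.parent) not in base.parents:
        findings.append(f"{name}: unusual parent process {event.parent}")
    if event.network and not base.network:
        findings.append(f"{name}: network connection where none is expected")
    cmd = event.cmdline.lower()
    if not any(re.search(p, cmd) for p in base.cmdline_allow):
        findings.append(f"{name}: command line outside baseline: {event.cmdline}")
    return findings


def scan(events):
    """Return (index, findings) for every event that deviates from its baseline."""
    return [(i, f) for i, e in enumerate(events) if (f := evaluate(e))]


# Constructed sample telemetry (not real data)
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
                 "explorer.exe", False),                      # benign control-panel launch
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\update.dat,DllRegisterServer",
                 "WINWORD.EXE", True),                         # Office child, user-writable DLL, network
    ProcessEvent(r"C:\Users\bob\AppData\Local\Temp\rundll32.exe",
                 r"C:\Users\bob\AppData\Local\Temp\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 "explorer.exe", False),                      # copy of rundll32 outside System32
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
                 r"C:\Windows\System32\msiexec.exe", False),  # installer registering a COM DLL
]

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS):
        print(f"event {i}:")
        for f in findings:
            print("  -", f)
```

Each deviation is reported separately rather than as a single yes/no, so an alert can be tuned on how many baseline dimensions a process violates at once: one unusual parent on its own is noise in most environments, while an unusual parent plus a network connection plus a DLL loaded from a user-writable path is the kind of multi-signal event that carries a high true positive rate. The same logic translates directly into a SIEM query or Sigma rule once the baselines are populated from real telemetry.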
Misbehaving Binaries: Methods to Detect LOLBin Abuse - Rachel Schwalk