

GPO/Scheduled Task/snare detection we're doing

No replies to this topic

#1 VertigoOne


  • Members
  • 4 posts
  • Local time:05:12 PM

Posted 01 June 2016 - 06:45 AM

Good day


We've had a round of Tesla run through a while back, and we recently had a round of Locky run through as well (after upgrading perimeter and local defenses, no less), and we've been playing with some options because whatever you spend money on doesn't work as well as you think it does. You need to get creative with existing systems and get ahead on the whack-a-mole.


The whole answer is not security upgrades; we've received droppers and JS vectors as young as 30 minutes, and submitting them takes Avast 24 hours and Sophos 3 days to add to detection routines. The latest Locky that hit encrypted 130Gb of data in less than an hour on an i5 laptop, and it grabbed even people sharing the "Public" directory on Windows 7 client computers over the network (about 30 systems). Fortunately, backups! Catching infections in under a minute is extremely important, as they can encrypt unbelievably fast. The new Locky we had was literally threading out to every network location it could find and running full tilt everywhere at the same time. They are NOT messing around anymore.


My new approach actually caught a dropper before it could do anything today, so I'll share. It cost nothing, but it may have to be tweaked a little to your environment, and you are a good system admin, right?


First approach: set up a Server 2012 R2 Core box and share a directory to everyone. Put some files in there, only two or so in the root, and create about a million small files in random directories below it as a small delay tactic that costs you nothing (xlsx, docx, pick a "business extension"). I called this server AAAAAA01. Enable auditing on this share. Put the share on the slowest disk you can spare, assign one CPU with 1% max use and 512Mb RAM; you can probably even use a Samba server. Use certutil to calculate MD5s and check existence of the correct files in this root directory via script, and monitor every 10 seconds. If the files change, or new files appear, dump the audit log, extract IPs and email them to yourself with high importance, or start filtering out known good sources first and then do that. You don't need to buy Tripwire.


Next step on that: auto Windows Firewall rule update on all production servers based on the above IPs, NAC update, and if you have the switches for it, MAC block or VLAN quarantine, or my favorite, since it is a domain computer infecting the share: send email, outbound firewall block * rule on the originating desktop and disable the NIC. Whatever he does, he is blocked until we can investigate.


Users don't care about the network view here, so I'm going to clone and do a ZZZZZZ01 as well, or just NetBIOS+TCP alias it. Basically, look at how the various routines return the network list (some are sorted, some are not) and fit your server in the best way with some tuning, as you are basically setting up a poor man's snare/honeypot to alert you to non-business share access without spending the tens of thousands of dollars to buy the enterprise solutions. This will even catch crackers if they snoop :)


If you're feeling confident, you could even make a snare share on every machine in case the next cryptoware does random first and then encryption, or monitor some specific folders on live share systems that nobody touches and fine-tune the audit log to only new files or changed data of existing files. Most companies have a few shares and then hundreds of stations, so shares everywhere are just ignored by normal operations, but malware will eat them up, and will likely be so busy encrypting that it does not even get to the real ones. All depends on what your policies allow.


This will not STOP cryptos immediately in their tracks, but if a share encryptor fires up, I want to know as soon as possible if I should cancel a backup or not as well. My worst case scenario is a crypto flaring up just after people leave, and then the backups run, and then we back up the crypto and we lose 24 hours on incremental. Yes, we have volume shadow copies, but really, you want to full + shadow restore 15Tb? No. Even if it only sees the snare after 30 minutes, it is better than an entire enterprise encrypted throughout the night because you were not aware, and turning on auditing everywhere and building thresholds for that is very hard and prone to false positives, as people are changing files all the time on production systems. This snare costs nothing to set up. You can even slow the adapter to 10Mb/s for added effect.


Second approach

GPO scheduled task deployment for all desktop/laptop systems, run as desktop admin, run always, repeat every minute. Modify these lines of PowerShell to your needs:


# Processes whose image path contains "temp" (%TEMP% and other Temp folders)
Get-Process | Select-Object Path | Out-String -Width 4096 | findstr /L /I temp
# Processes running from the IE download cache
Get-Process | Select-Object Path | Out-String -Width 4096 | findstr /L /I INetCache
# Processes running from the Chrome profile cache
Get-Process | Select-Object Path | Out-String -Width 4096 | findstr /L /I "Default\Cache"


Yes, it is simple, but it works. Tesla and Locky and most of the others, when the dropper starts or the IE "run" is done by the user, copy themselves to a %TEMP% folder and execute, or execute from INetCache; the other one is for the Chrome cache. Nothing should be _executing_ from there normally anyway, so my list of users with processes running from temp or INetCache is "very" short, and we're cleaning them up until it is only known good. We're on 500 computers and I only have 6 people to ask about their software installation habits when I first turned it on. Yes, installing Flash Player may come up, but that is a known good you can check + file signature check + publisher check. Why are users installing Flash Player without your deployment systems anyway?


Fire the output above into monitoring and start cleaning out; when you're happy you have everything in your environment, start running automatic kills. For instance, the older Locky copies itself as svchost.exe, but it executes from temp. So if you see an svchost.exe from the list above, kill it with fire. The new Locky runs from temp too, with a random name. There aren't many folders it "can" execute from with user privs, so it will be something generic, and something as %environment_variable% for the time being. Most programs run from under Program Files, so you can really tune this to known custom apps running from .NET folders for ClickOnce under Apps\2,0 and anything else custom under users and program files, and notice/kill the rest.


This is an alternative to whitelisting the entire enterprise application exe set, which is a pain for most users, and the malware guys are getting clever with the svchost thing, or naming something winword. The nearest answer is where things are running, not what the running thing is called.


We pipe the above output to file first, and then we kill, so we can see what happened. This works fine.


# Kill by name, stripping a trailing .exe from each logged image path
Stop-Process -Force -ProcessName ((Get-Content "c:\prd\ps_admin_reports\$Env:COMPUTERNAME.txt") -replace '\.exe$', '' | Split-Path -Leaf).Trim()
# Kill by name again without stripping, for entries logged without .exe
Stop-Process -Force -ProcessName ((Get-Content "c:\prd\ps_admin_reports\$Env:COMPUTERNAME.txt") | Split-Path -Leaf).Trim()

Both lines are needed, as sometimes processes run as .exe and sometimes not as .exe in the task list, and you're grabbing the full path of the process, not the process name itself. Someone with higher PowerShell skill can probably improve this a million times over; I come mostly from batch/VB, and I'm forcing myself to learn PowerShell every now and then.
I caught a dropper busy downloading Locky about 20 minutes ago and we could kill it before any damage; the user didn't even know, and we could tighten rules a bit. It looked like this in the file when running the above Get-Process routine. Obviously something you would like to know about, right?
Anyways, good luck to everybody. This forum has helped me a lot, and I'll share anything that I know works, even if it can't work everywhere. A big part of being a sysadmin is taking things and making them work for you, and for what we do, it is definitely catching problems in a minute or less, which in the current regime is seriously needed.
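One way to script the snare-share check from the first approach (hash the root canary files, poll every 10 seconds, and on any change pull client IPs from the audit log and mail them). This is an added example, not the poster's script: the share path, baseline path and mail settings are placeholders, Get-FileHash stands in for the poster's certutil MD5 check, and it assumes object-access auditing on the share is producing security event 5145.

```powershell
# Added example (not the poster's script): baseline the canary files in the root of the
# snare share, poll them, and on any change pull client IPs from share-access audit events.
# Assumptions: $ShareRoot/$Baseline paths and the mail settings are placeholders; Get-FileHash
# stands in for the poster's certutil MD5 check; event ID 5145 requires share auditing enabled.
$ShareRoot   = 'D:\SnareShare'
$Baseline    = 'C:\prd\snare_baseline.csv'
$PollSeconds = 10
function Get-CanaryState {
    param([string]$Root)
    # Hash only the few files kept in the share root; the million decoys below are not polled.
    Get-ChildItem -Path $Root -File | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; Hash = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash }
    }
}

function Compare-CanaryState {
    param($Expected, $Actual)
    $exp = @{}; foreach ($f in $Expected) { $exp[$f.Name] = $f.Hash }
    $act = @{}; foreach ($f in $Actual)   { $act[$f.Name] = $f.Hash }
    $changes = @()
    foreach ($n in $exp.Keys) {
        if (-not $act.ContainsKey($n)) { $changes += "missing: $n" }
        elseif ($act[$n] -ne $exp[$n]) { $changes += "modified: $n" }
    }
    foreach ($n in $act.Keys) { if (-not $exp.ContainsKey($n)) { $changes += "new: $n" } }
    return $changes
}

function Get-ShareClientAddresses {
    param([datetime]$Since)
    # Security event 5145 (network share object access) records the client in its IpAddress field.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { (([xml]$_.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text' } |
        Where-Object { $_ } | Sort-Object -Unique
}

if (-not (Test-Path $Baseline)) { Get-CanaryState $ShareRoot | Export-Csv -Path $Baseline -NoTypeInformation }
$expected = Import-Csv -Path $Baseline
while ($true) {
    $lastCheck = Get-Date
    Start-Sleep -Seconds $PollSeconds
    $changes = Compare-CanaryState -Expected $expected -Actual (Get-CanaryState $ShareRoot)
    if (-not $changes) { continue }
    $ips  = Get-ShareClientAddresses -Since $lastCheck.AddMinutes(-5)
    $body = "Canary changes:`n$($changes -join "`n")`n`nClients seen on the share:`n$($ips -join "`n")"
    # Alert and stop polling; the admin (or a scheduled task) restarts the watch after triage.
    Send-MailMessage -To 'admin@example.invalid' -From 'snare@example.invalid' -SmtpServer 'smtp.example.invalid' -Priority High -Subject "SNARE hit on $env:COMPUTERNAME" -Body $body
    break
}
```

The IP list is the input for the firewall, NAC or NIC-disable step the post describes next; filter known-good addresses out of it before automating any block.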
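A fuller version of the second approach's scheduled-task script, added here as an example rather than the poster's own code: it matches running image paths against the same three locations, records signer information so vetted installers such as Flash Player can be excluded, logs before it kills, and kills by process ID instead of by name. The report directory and the trusted-publisher entry are placeholder assumptions.

```powershell
# Added example (not the poster's script): report, and optionally kill, processes whose image
# runs from a user-writable temp or browser-cache folder, the three locations the post greps for.
# Assumptions: $ReportDir and the $TrustedPublishers entry are placeholders for your environment,
# and the task runs with local admin rights so Get-Process can read every process's Path.
$ReportDir = 'C:\prd\ps_admin_reports'
$KillMode  = $false    # leave off until the report is clean, then flip to $true
$SuspectPatterns = @(
    '\\Temp\\',            # %TEMP% and any other Temp folder
    '\\INetCache\\',       # IE "run" downloads
    '\\Default\\Cache\\'   # Chrome profile cache
)
# Signers you have vetted; anything unsigned, invalid, or unlisted stays on the report.
$TrustedPublishers = @('CN=Example Vendor Inc*')   # placeholder, replace with your known-good list

function Get-SuspectProcesses {
    foreach ($p in (Get-Process | Where-Object { $_.Path })) {
        $hit = $SuspectPatterns | Where-Object { $p.Path -imatch $_ } | Select-Object -First 1
        if (-not $hit) { continue }
        $sig    = Get-AuthenticodeSignature -FilePath $p.Path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $known  = $TrustedPublishers | Where-Object { $signer -like $_ }
        [pscustomobject]@{
            Time    = Get-Date -Format 's'
            Id      = $p.Id
            Name    = $p.ProcessName   # e.g. a "svchost" here is the older Locky tell
            Path    = $p.Path
            Match   = $hit
            Signer  = $signer
            Trusted = [bool](($sig.Status -eq 'Valid') -and $known)
        }
    }
}

$report  = Join-Path $ReportDir "$env:COMPUTERNAME.csv"
$suspect = @(Get-SuspectProcesses)
# Write the record first, kill second, so there is always a trace of what was stopped.
if ($suspect) { $suspect | Export-Csv -Path $report -Append -NoTypeInformation }
if ($KillMode) {
    # Kill by process ID, not by name: this sidesteps the .exe/no-.exe naming problem and never
    # stops a legitimately located process that merely shares the name.
    $suspect | Where-Object { -not $_.Trusted } | ForEach-Object {
        Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
    }
}
```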
