Lazarus group apt
1/16/2024

In this second blog post, we continue to share actionable detection insights for blue teams defending their organizations against the Advanced Persistent Threat (APT) group Lazarus Group. As discussed in the first part of this series, these detection insights are derived from intelligence contained in a recent report released by the F-Secure Threat Intelligence (TI) Team. From the TI report, we know that the Lazarus Group employed varying techniques across the MITRE ATT&CK® Matrix in their attack. The first blog post covered three phases, Initial Access, Execution and Persistence, as well as part of the Defense Evasion phase. This post covers the remaining Defense Evasion techniques, together with the Credential Access, Lateral Movement and Command & Control phases. The actions performed within these later phases allow threat actors to establish a greater foothold on the target organization's network, and are therefore critically important for defenders to detect.

The Sigma rules created for the techniques discussed in this blog post are marked in bold in the table below and are provided in the F-Secure Countercept GitHub repository. Existing Sigma rules are also listed, as some techniques were already covered.

It is difficult to detect process injection with rules that look only for anomalies in process creation. For example, it can be perfectly normal for Explorer.exe to launch Cmd.exe to perform administrative tasks. If malicious code is injected into Explorer.exe and launches a Cmd shell for further commands, the process creation logs show exactly the same thing: Explorer.exe launching Cmd.exe.

At F-Secure Countercept, we use advanced memory scanning techniques to detect instances of process injection. This involves inspecting process memory in real time and looking for anomalies that are indicators of process injection. For example, a basic scanning technique looks for process memory regions which are executable but are not of type MEM_IMAGE. Such a region is not "backed by disk" (no image file on disk accounts for the code in it) and could be an artifact of process injection. This example is just the tip of the iceberg; there are many other, more complex memory anomalies that can be examined to identify suspicious memory regions.

Although in-memory detection is often tackled by anti-virus or EDR software, blue teams can still leverage open source capabilities to alert on potential process injection. For example, SpecterOps has published an excellent write-up on crafting the detection logic for a specific type of process injection known as process hollowing. That three-part blog post determined that neither process creation nor process access logs can be used on their own to identify process hollowing, because each produces a significant number of false positives. Instead, a hunt query in Jupyter Notebooks, which correlated different types of process logs to filter for a sequence of events consistent with process hollowing, was better suited to the complexity of process injection detection. There are also several open-source tools, such as hollows_hunter, that give blue teams the ability to scan endpoints for suspicious memory regions.

In addition to detecting process injection, another powerful threat hunting technique is to look for the execution of rare executables and binaries with uncommon extensions.
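The MEM_IMAGE heuristic described above can be shown in a few lines of code. The script below is an added example written for this page; it is not F-Secure Countercept's scanner. It classifies memory regions exactly as the paragraph says (committed, executable, not MEM_IMAGE) and runs offline on a constructed list of regions; the `Region` record, the `SAMPLE_REGIONS` list and the `walk_process` helper are assumptions for the example, while the constants and the `VirtualQueryEx` call are the real Win32 API, so the live walk only works on Windows.

```python
"""Flag executable memory regions that are not backed by an image on disk.

Heuristic from the text: a committed region that is executable but whose Type
is not MEM_IMAGE has no PE file behind it and deserves a closer look.
"""
import ctypes
import sys
from dataclasses import dataclass

# Win32 constants (MEMORY_BASIC_INFORMATION.State / .Protect / .Type)
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXECUTE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010


@dataclass
class Region:            # assumed record shape, mirrors the fields VirtualQueryEx fills in
    base: int
    size: int
    state: int
    protect: int
    type: int


def is_suspicious(r: Region) -> bool:
    """Committed + executable + not MEM_IMAGE: code that no file on disk accounts for."""
    return r.state == MEM_COMMIT and bool(r.protect & EXECUTE_MASK) and r.type != MEM_IMAGE


def find_suspicious(regions):
    return [r for r in regions if is_suspicious(r)]


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # PartitionId is omitted; ctypes pads RegionSize to pointer alignment on x64.
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_ulong), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_ulong), ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]


def walk_process(pid: int):
    """Windows only: enumerate a live process's regions with VirtualQueryEx (assumed helper)."""
    if sys.platform != "win32":
        raise OSError("VirtualQueryEx is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, addr, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    try:
        # VirtualQueryEx returns 0 once addr passes the end of user-mode address space
        while k32.VirtualQueryEx(handle, ctypes.c_void_p(addr), ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            regions.append(Region(base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return regions


# Constructed sample, shaped like VirtualQueryEx output, so the heuristic runs offline
SAMPLE_REGIONS = [
    Region(0x7FF6A0000000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE),         # PE header of a loaded module
    Region(0x7FF6A0001000, 0x20000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),    # its .text: executable but disk-backed
    Region(0x1A2B0000, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),  # RWX private allocation: classic injection artifact
    Region(0x1A2C0000, 0x10000, MEM_RESERVE, 0, MEM_PRIVATE),                     # reserved, not committed
    Region(0x2B000000, 0x5000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_MAPPED),        # executable section mapping that is not an image
]

if __name__ == "__main__":
    regs = walk_process(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REGIONS
    for r in find_suspicious(regs):
        print(f"base=0x{r.base:X} size=0x{r.size:X} protect=0x{r.protect:X} type=0x{r.type:X}")
```

Run without arguments to see the two constructed hits (the RWX private block and the executable non-image mapping); on Windows, pass a PID to walk a real process. Treat a hit as a lead rather than a verdict: JIT engines such as .NET and browser script engines, and some packers, legitimately allocate private executable memory, which is why the text calls this the tip of the iceberg and why production scanners layer further anomalies on top of it.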
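The Explorer.exe/Cmd.exe ambiguity above, and the SpecterOps observation that process creation and process access logs only become useful when correlated, can be made concrete with a small correlation over Sysmon events. This is an added example for this page, not the SpecterOps notebook and not a Countercept rule, and the rule it encodes is an assumption: a process is opened by some other process with a handle granting PROCESS_VM_OPERATION and PROCESS_VM_WRITE (Sysmon event ID 10), and within a short window the opened process spawns a child (event ID 1). The `SAMPLE_EVENTS` list is constructed; the field names are Sysmon's.

```python
"""Correlate Sysmon process access (EID 10) with process creation (EID 1).

Rule (an assumption for this example): a process that was opened by another
process with memory-write rights, and then spawns a child shortly afterwards,
is worth a look. Process creation alone cannot tell the two explorer.exe ->
cmd.exe launches in SAMPLE_EVENTS apart; the preceding access event can.
"""
from datetime import datetime, timedelta

# Process access rights from the Win32 API, as they appear in GrantedAccess
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def grants_write(granted_access: str) -> bool:
    """Sysmon logs GrantedAccess as a hex string such as '0x1F0FFF'."""
    return (int(granted_access, 16) & WRITE_MASK) == WRITE_MASK


def correlate(events, window=timedelta(minutes=5)):
    """Return child launches whose parent got a write-capable handle within `window` before."""
    # Index write-capable handle opens by the PID that was opened. Production code
    # should key on Sysmon's process GUIDs instead of PIDs, which are reused.
    opened = {}
    for e in events:
        if (e["EventID"] == 10 and grants_write(e["GrantedAccess"])
                and e["SourceProcessId"] != e["TargetProcessId"]):
            opened.setdefault(e["TargetProcessId"], []).append(e)

    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        created = parse_ts(e["UtcTime"])
        for access in opened.get(e["ParentProcessId"], []):
            delay = created - parse_ts(access["UtcTime"])
            if timedelta(0) <= delay <= window:
                hits.append({
                    "injector": access["SourceImage"],
                    "victim": e["ParentImage"],
                    "child": e["Image"],
                    "child_pid": e["ProcessId"],
                    "delay_s": delay.total_seconds(),
                })
    return hits


# Constructed sample log, in time order, using Sysmon field names.
SAMPLE_EVENTS = [
    # Benign: an operator opens a shell from Explorer. Nothing touched explorer.exe first.
    {"EventID": 1, "UtcTime": "2021-03-01 10:00:00", "ProcessId": 5100,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 4012,
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Read-only handle (QUERY_INFORMATION | QUERY_LIMITED_INFORMATION): not a write.
    {"EventID": 10, "UtcTime": "2021-03-01 10:00:05", "SourceProcessId": 600,
     "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetProcessId": 4012,
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1400"},
    # Full-access handle to explorer.exe from a binary in a temp directory.
    {"EventID": 10, "UtcTime": "2021-03-01 10:01:00", "SourceProcessId": 7788,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "TargetProcessId": 4012,
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"},
    # Three seconds later Explorer spawns cmd.exe again: identical in the creation log, different in context.
    {"EventID": 1, "UtcTime": "2021-03-01 10:01:03", "ProcessId": 5200,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 4012,
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Outside the window: not attributed to the earlier access.
    {"EventID": 1, "UtcTime": "2021-03-01 10:20:00", "ProcessId": 5300,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentProcessId": 4012,
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Only the second Explorer-to-cmd launch is reported, because only it follows a write-capable handle into Explorer. Two caveats before using anything like this on real telemetry: the five-minute window and the rights mask are tuning choices, not facts from the page, and a parent holds a handle to every child it creates, so the case where the injector is the parent (which is what process hollowing looks like) needs the kind of additional correlation the SpecterOps series works through rather than this rule.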