Investigating Low-Variance Behaviors

Video Activity
Time: 4 hours 42 minutes
Difficulty: Intermediate
CEU/CPE: 5
Video Transcription
00:00
>> Hello, and welcome to Lesson 2.5, Investigating Low-Variance Behaviors. In this lesson, we'll demonstrate how to perform hands-on investigations to find low-variance behaviors.

Continuing with our scheduled task example, through our open-source research we identified several data sources that can be used to detect the scheduled tasks technique, including monitoring for process and file creation events, file modifications, and scheduled job creation, amongst others.

Let's begin our hands-on investigation by looking at what activities are occurring when a task is scheduled. To accomplish this, we can use Procmon, a free tool in the Windows Sysinternals suite that shows real-time file system, registry, and process activity. In our example, we start Procmon and observe what activity occurs for both the command-line invocation and GUI invocations of the scheduled tasks technique, as we try to identify what is common across them, including observable second- and third-order effects. From the resulting records, we observe that both of these methods use the task scheduler service and that the task scheduler executes the same sequence of events.

Let's look at this in a bit more detail. Procmon will return a list of all of the activity occurring on the system, which will be way more information than we need. We will need a filter to display only the most relevant information for our investigation of scheduled tasks. As an example, you can filter using the expression "command line contains schedule" or "process name contains tasks". Here we have a filtered set of records that show activity related to the task scheduler service, which both the command-line and GUI invocations utilize.

Examining these records, we can see that there are many registry actions being taken to create and set registry keys associated with the new task, giving us the name of the keys being used. Keep that in mind in case we decide to collect specific registry events in future collection efforts. We also see some file creation and writing activity associated with writing the new job file describing the task to schedule. This also gives us additional useful information, like the path to the job file and the correlation between that path and the registry key activity above.

We can also run WinDbg or some other debugging tool while scheduling a task to watch as DLLs are loaded and functions are called. As we debug, we can also check the event logs to determine which lines of code trigger which events. In this case, debugging shows us that the XMLLite DLL is being used to create the XML job file content. schtasks invokes the task scheduling DLL, which is common across the API and GUI invocations too. We can then see that an RPC runtime DLL is called, even though the task is being scheduled locally in this instance, which then makes a syscall that seems to execute both the registry key creation and the job file creation. With those events, both the 4663 and 4698 events are triggered and logged. Keep in mind that debugging can require a significant amount of low-level behavioral knowledge to interpret, and thus can be very difficult for those without that background.

Summarizing our research, including extending it past just what we've covered so far, we have identified a few candidates for low-variance behaviors. One is the creation of a job file within the Tasks directory. File creation is probably very noisy, so it needs to be filtered. Events don't provide information about the contents of the file. Location could also be configurable. Filtering on a specific directory may leave you with blind spots and cause the analytic to be brittle.

We can also look at built-in Windows events for registry values. We know the default key value for scheduling tasks, so we can filter on those events. Events, however, will have similar issues to job file creation: the possible blind spot created by filtering on key values, and events lacking informational content for any analytics we may want to do later.

Expanding the research to include remote execution, remote task scheduling uses the endpoint mapper port, followed by an ephemeral port associated with task scheduling on the remote machine. Analyzing network traffic could help us detect activity, but the port numbers we found in the task scheduling documentation are used by other applications and can be reconfigured. We would prefer to use a more robust method for detection. Consistent characteristic DLLs are observed being loaded, but DLL loading is very common activity, so events are likely to be very noisy.

So far, we don't have a clear invariant behavior, but we do have several promising leads for low-variance behaviors and an understanding of their pros and cons. We will keep these candidates in mind.

We've learned a lot so far. To summarize task scheduling on Windows, the main sequence of activity that is invariant to implementation, invocation, and even use case includes a process being created, DLLs loaded, the registry modified with values, a job file written, and the task being created. For remote scheduling, a network DLL is also loaded on the source machine and network activity occurs associated with the task scheduling service on the destination machine, using either default or configured ports for that network. Although there are many ways to schedule a task on Windows, registry modification and job file creation always occur and thus can be considered our invariant behaviors, with event 4698 being triggered during some of those actions.

In summary, hands-on investigation plays a key role in identifying low-variance and invariant behaviors. If you have the resources available, it may be necessary to conduct this type of detailed analysis in order to identify some of the more complex low-variance behaviors.
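As an added example (not part of the lesson), the analysis below applies the lesson's invariant pair to a Procmon trace: it groups a CSV export by PID and reports only processes that show both TaskCache registry writes and a job file written under the Tasks folder. The rows, the task name "Updater", and the PIDs are constructed; the column names match Procmon's CSV export.

```python
import csv
import io
from collections import defaultdict

# Constructed rows in the shape of a Procmon CSV export (File > Save, CSV format),
# as if captured while a task named "Updater" was scheduled; every row is made up.
SAMPLE_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:00:01.000,svchost.exe,1234,RegCreateKey,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updater,SUCCESS,Desired Access: All Access
10:00:01.001,svchost.exe,1234,RegSetValue,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updater\Id,SUCCESS,Type: REG_SZ
10:00:01.002,svchost.exe,1234,CreateFile,C:\Windows\System32\Tasks\Updater,SUCCESS,Desired Access: Generic Write
10:00:01.003,svchost.exe,1234,WriteFile,C:\Windows\System32\Tasks\Updater,SUCCESS,"Offset: 0, Length: 3,214"
10:00:01.004,explorer.exe,4321,RegQueryValue,HKCU\Software\Classes\CLSID,SUCCESS,Type: REG_SZ
10:00:02.000,notepad.exe,5555,WriteFile,C:\Users\bob\notes.txt,SUCCESS,"Offset: 0, Length: 12"
"""

TASKCACHE_TREE = "\\Schedule\\TaskCache\\Tree\\"   # registry side of the invariant
JOB_DIR = "\\System32\\Tasks\\"                      # job-file side of the invariant


def find_task_creations(csv_text):
    """Group Procmon rows by PID and report PIDs that show BOTH invariants the lesson
    identifies: TaskCache registry writes and a job file written under the Tasks folder."""
    per_pid = defaultdict(lambda: {"process": None, "registry": [], "job_files": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":
            continue  # failed attempts are worth a look, but are not evidence of creation
        path, op = row["Path"], row["Operation"]
        entry = per_pid[row["PID"]]
        entry["process"] = row["Process Name"]
        if op.startswith("Reg") and TASKCACHE_TREE in path:
            # the task name is the first path segment after ...\TaskCache\Tree\
            name = path.split(TASKCACHE_TREE, 1)[1].split("\\", 1)[0]
            entry["registry"].append((op, name))
        elif op in ("CreateFile", "WriteFile") and JOB_DIR in path:
            entry["job_files"].add(path)
    hits = []
    for pid, entry in per_pid.items():
        if not entry["registry"] or not entry["job_files"]:
            continue  # only one side seen: a lead, not the invariant pair
        hits.append({"pid": pid, "process": entry["process"],
                     "task_names": sorted({name for _, name in entry["registry"]}),
                     "job_files": sorted(entry["job_files"]),
                     "registry_ops": len(entry["registry"])})
    return hits


if __name__ == "__main__":
    for hit in find_task_creations(SAMPLE_CSV):
        print(hit)
```

Requiring both sides of the pair is what keeps the unrelated explorer.exe registry read and the notepad.exe file write out of the result.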