Working with the Compromised flag
Sometimes an adversary injects malicious code into a legitimate running process. Unfortunately, similar code injection techniques are also used by a lot of legitimate software, e.g. screen readers for the visually impaired.
Creating a detection for every CodeInjection event would therefore generate too many false positives. To solve this, we can use the Compromised flag in ESET Inspect: the injection itself only marks the target process, and a detection is raised only when that marked process later does something else suspicious.
Rule
First, we create a rule that contains the MarkAsCompromised action without the TriggerDetection action. MarkAsCompromised adds the Compromised flag to the process on the receiving end of the code injection (the injection target, i.e. the process named in the FileItem conditions), without raising a detection. StoreEvent is kept so the injection event itself remains available for later investigation.
<?xml version='1.0' encoding='UTF-8'?>
<rule>
    <description>
        <name>Common Injection Targets</name>
        <category>Special</category>
        <os>Windows</os>
        <severity>90</severity>
    </description>
    <definition>
        <operations>
            <operation type="CodeInjection">
                <operator type="AND">
                    <condition component="CodeInjectionType" condition="is" property="CodeInjectionType" value="SetThreadContext"/>
                    <operator type="OR">
                        <condition component="FileItem" property="FileName" condition="is" value="msedge.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="ComSvcConfig.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="explorer.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="DevicePairingWizard.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="EhStorAuthn.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="Locator.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="WUAUCLT.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="WWAHost.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="WerFault.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="bootcfg.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="conhost.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="dllhost.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="getmac.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="systray.exe"/>
                    </operator>
                </operator>
            </operation>
        </operations>
    </definition>
    <maliciousTarget name="none"/>
    <actions>
        <action name="StoreEvent"/>
        <action name="MarkAsCompromised"/>
    </actions>
</rule>
With the flag set, a second rule can reference it through the ProcessInfo component (Compromised = 1) and raise a detection only when a flagged process performs a further suspicious operation, such as opening the LSASS process. Note that the AccessRight value 4112 below is decimal for 0x1010, i.e. PROCESS_QUERY_LIMITED_INFORMATION (0x1000) | PROCESS_VM_READ (0x0010), the access mask the rule's explanation associates with Mimikatz. Because the condition is an exact match, a dumper that requests a different mask (for example PROCESS_ALL_ACCESS) will not trigger this rule; add further AccessRight values or a separate rule if you want broader coverage.
<?xml version='1.0' encoding='UTF-8'?>
<rule>
    <description>
        <name>Credential Dumping From Compromised Process</name>
        <category>Suspicious process creation and process manipulation</category>
        <os>Windows</os>
        <severity>90</severity>
        <mitreattackid>T1003.001</mitreattackid>
        <explanation>A process has accessed the LSASS process in a way that is typical for Mimikatz. LSASS contains sensitive information such as credentials.</explanation>
        <benignCauses>Legitimate applications that access other running processes in an improper way (e.g., certain installers).</benignCauses>
        <maliciousCauses>Adversary may access LSASS process in order to retrieve credentials - passwords and hashes.</maliciousCauses>
        <recommendedActions>1. Initiate Incident Response procedure.</recommendedActions>
    </description>
    <definition>
        <process>
            <condition component="ProcessInfo" condition="is" property="Compromised" value="1"/>
        </process>
        <operations>
            <operation type="OpenProcess">
                <operator type="AND">
                    <condition component="FileItem" property="FileName" condition="is" value="lsass.exe"/>
                    <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%"/>
                    <condition component="OpenProcess" property="AccessRight" condition="is" value="4112"/>
                </operator>
            </operation>
        </operations>
    </definition>
    <maliciousTarget name="current"/>
    <actions>
        <action name="TriggerDetection"/>
        <action name="StoreEvent"/>
    </actions>
</rule>
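To make the two-stage logic concrete, the following Python script is an added example that models how the two rules above chain through per-process state. It is not ESET Inspect code and does not use the ESET engine; the Event and State classes, the sample event stream and the pid values are all constructed for illustration. It shows the property that matters for false-positive reduction: an injection on its own never produces a detection, an LSASS access from an unflagged process never produces one either, and only the combination of the two on the same process does.

```python
"""Model of the Compromised-flag flow above (added example, not ESET Inspect code).

Rule 1 ("Common Injection Targets") sets per-process state when one of the listed
binaries is the *target* of a SetThreadContext injection. Rule 2 ("Credential
Dumping From Compromised Process") fires only when a process carrying that flag
opens lsass.exe with access mask 4112 (0x1010 = PROCESS_QUERY_LIMITED_INFORMATION
| PROCESS_VM_READ). All names, pids and events below are constructed.
"""
from dataclasses import dataclass, field

# FileName values from the "Common Injection Targets" rule.
INJECTION_TARGETS = {
    "msedge.exe", "ComSvcConfig.exe", "explorer.exe", "DevicePairingWizard.exe",
    "EhStorAuthn.exe", "Locator.exe", "WUAUCLT.exe", "WWAHost.exe", "WerFault.exe",
    "bootcfg.exe", "conhost.exe", "dllhost.exe", "getmac.exe", "systray.exe",
}
LSASS_ACCESS_RIGHT = 4112  # decimal for 0x1010


@dataclass
class Event:
    type: str                 # "CodeInjection" or "OpenProcess" (hypothetical event model)
    source_pid: int           # acting process: the injector, or the process calling OpenProcess
    target_pid: int           # process on the receiving end
    target_name: str          # FileItem.FileName of the target process
    target_path: str = ""     # FileItem.Path of the target, e.g. "%SYSTEM%"
    injection_type: str = ""  # CodeInjectionType, e.g. "SetThreadContext"
    access_right: int = 0     # OpenProcess.AccessRight


@dataclass
class State:
    compromised: set = field(default_factory=set)   # pids carrying the Compromised flag
    detections: list = field(default_factory=list)  # detections raised so far


def rule_common_injection_targets(ev: Event, st: State) -> bool:
    """Rule 1: MarkAsCompromised on the injection *target*; no TriggerDetection."""
    if (ev.type == "CodeInjection"
            and ev.injection_type == "SetThreadContext"
            and ev.target_name in INJECTION_TARGETS):
        st.compromised.add(ev.target_pid)
        return True
    return False


def rule_credential_dumping(ev: Event, st: State) -> bool:
    """Rule 2: TriggerDetection only if the opener is flagged (ProcessInfo.Compromised = 1)
    and the exact LSASS access mask from the rule is requested."""
    if (ev.type == "OpenProcess"
            and ev.source_pid in st.compromised
            and ev.target_name == "lsass.exe"
            and ev.target_path == "%SYSTEM%"
            and ev.access_right == LSASS_ACCESS_RIGHT):
        st.detections.append(f"T1003.001 pid={ev.source_pid}")
        return True
    return False


def run(events) -> State:
    """Feed an ordered event stream through both rules and return the resulting state."""
    st = State()
    for ev in events:
        rule_common_injection_targets(ev, st)
        rule_credential_dumping(ev, st)
    return st


# Constructed sample stream (not real telemetry).
SAMPLE = [
    # Some process (screen reader or malware alike) injects into explorer.exe (pid 1200):
    # explorer is flagged, nothing is detected.
    Event("CodeInjection", 900, 1200, "explorer.exe", injection_type="SetThreadContext"),
    # An unflagged installer (pid 3000) opens lsass with 0x1010: no detection.
    Event("OpenProcess", 3000, 600, "lsass.exe", "%SYSTEM%", access_right=4112),
    # The flagged explorer opens lsass with 0x1010: detection.
    Event("OpenProcess", 1200, 600, "lsass.exe", "%SYSTEM%", access_right=4112),
    # The flagged explorer opens lsass with PROCESS_ALL_ACCESS: condition="is" does not match.
    Event("OpenProcess", 1200, 600, "lsass.exe", "%SYSTEM%", access_right=0x1FFFFF),
]

if __name__ == "__main__":
    result = run(SAMPLE)
    print("compromised pids:", sorted(result.compromised))
    print("detections:", result.detections)
```

Running the script yields one flagged pid (1200) and exactly one detection, from the third event. The fourth event is the caveat from the prose made visible: an exact-match AccessRight condition is silent on a different mask, which is something to decide on deliberately when tuning the rule.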