Phishing - What does it look like in machine data?



In this post we take a look at how Digital Guardian and Splunk can correlate data events in real time to identify phishing attacks.

This blog post was originally published by Matthias Maier on the Splunk Blog on July 1, 2015. It presents a use case for identifying a phishing attack in real time in the Digital Guardian Splunk App, with screenshots from the app dashboard. Generally, Digital Guardian is able to block this type of attack sequence when we see a user double-click an email attachment and then an application like Word downloading and executing a binary. For the purpose of this demonstration we let the attack run without blocking it. Being able to correlate alerts from the network with this kind of granular endpoint event data is an important use case: it tells you which threats have actually landed and executed on an endpoint.

Hello Security Ninjas,


In the last write-up I shared information on a phishing mail I received and the questions you want to ask once an attack is identified. In this one, I want to give you some technical insight into what it can look like when performing an investigation. I'm sure you have analyzed some of these attacks in your own environment, so you know which departments are most targeted, e.g. your high-risk users. If you haven't, I highly recommend you check your own environment by collecting data from the different sources and analyzing how infections start in your environment and where they occur most often.

In this case for tracking the process and generating the activity events I used "Advanced Threat Protection" from Digital Guardian.

1. Let's see how a phishing attack exploits a machine

In the events below you can clearly see that it starts with Outlook.exe copying a Word document, which is then executed. That in itself is fine and happens hundreds of times a day in an organization whenever someone sends an e-mail with an invoice attached and it gets opened. But Word then loading malware from an external page via a macro is not so common.

Phishing Events 1: screenshot taken from the DG Splunk App outlining a phishing attack. Each line shows a DG event, and the Operation column shows the type of event. Some are atomic events such as File Write or Application Start, but those starting with a D, such as D1 or D2, are correlated events, where multiple events have been correlated in real time on the endpoint into a higher-level alert.

Translation of the events in words:

  • 13:15:09 – Outlook opens a Word file (i413136.doc) from an email attachment
  • 13:15:12 – Word opens the file
  • 13:15:25 – Word loads the macro subsystem DLL scrrun.dll
  • 13:15:26 – Word communicates over the network with suspicious domain creditbootcamp.com
  • 13:15:26 – Word downloads the suspicious file pierre5.exe
  • 13:15:27 – Word launches pierre5.exe
  • 13:15:27 – pierre5.exe downloads the executable gsqy3uat.exe
  • 13:15:28 – Application compatibility database is updated
  • 13:15:29 – gsqy3uat.exe launches
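As an added example (not code from the post, from Splunk or from Digital Guardian), here is a small Python correlation that reproduces the idea behind the D1/D2 correlated events: an Office process that makes a network connection, writes an executable and then launches that same executable within a short window is raised as one alert. The event schema, the temp-folder paths and the second-stage host are my own assumptions; the domain, user name and file names come from the timeline above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    # Constructed, simplified schema for this example, not Digital Guardian's field names.
    ts: datetime
    operation: str   # "File Write", "Network Connect", "Application Start", ...
    process: str     # image name of the process performing the operation
    target: str      # file written, remote host contacted, or child launched

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def detect_download_and_execute(events, parents=OFFICE_APPS, window=timedelta(seconds=60)):
    """Correlate three atomic events from one process inside `window`: a network
    connection, a write of an .exe, and a launch of that same .exe.
    `parents` limits which processes are eligible (None = any process)."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for launch in events:
        if launch.operation != "Application Start" or not launch.target.lower().endswith(".exe"):
            continue
        proc = launch.process.lower()
        if parents is not None and proc not in parents:
            continue
        earliest = launch.ts - window
        same_proc = [e for e in events if e.process.lower() == proc and earliest <= e.ts <= launch.ts]
        wrote = any(e.operation == "File Write" and e.target.lower() == launch.target.lower()
                    for e in same_proc)
        remotes = [e.target for e in same_proc if e.operation == "Network Connect"]
        if wrote and remotes:
            alerts.append({"ts": launch.ts, "process": proc, "binary": launch.target, "remote": remotes})
    return alerts

# Constructed sample timeline mirroring the post (paths and the second-stage host are made up).
T = datetime(2015, 4, 21, 13, 15, 9)
TMP = r"C:\Users\tfischer.testing-W7\AppData\Local\Temp"
SAMPLE = [
    Event(T, "File Write", "outlook.exe", TMP + r"\i413136.doc"),
    Event(T + timedelta(seconds=3), "Application Start", "outlook.exe", "winword.exe"),
    Event(T + timedelta(seconds=17), "Network Connect", "winword.exe", "creditbootcamp.com"),
    Event(T + timedelta(seconds=17), "File Write", "winword.exe", TMP + r"\pierre5.exe"),
    Event(T + timedelta(seconds=18), "Application Start", "winword.exe", TMP + r"\pierre5.exe"),
    Event(T + timedelta(seconds=18), "Network Connect", "pierre5.exe", "second-stage.example"),
    Event(T + timedelta(seconds=18), "File Write", "pierre5.exe", TMP + r"\gsqy3uat.exe"),
    Event(T + timedelta(seconds=20), "Application Start", "pierre5.exe", TMP + r"\gsqy3uat.exe"),
    # Benign baseline: an invoice attachment opened with no download/execute follow-on.
    Event(T + timedelta(minutes=10), "File Write", "outlook.exe", TMP + r"\invoice.doc"),
    Event(T + timedelta(minutes=10, seconds=3), "Application Start", "outlook.exe", "winword.exe"),
]
```

With `parents=None` the same rule also fires on pierre5.exe dropping gsqy3uat.exe, at the cost of more noise from legitimate downloaders and updaters, which is where a baseline of your own environment earns its keep.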

If we correlate this with AV scanner data, we see that no detection happened, which leads to the conclusion that the machine got infected even though it had an antivirus scanner. On 21 April the macro malware was detected by two of 57 AV engines; four weeks later (22 June), according to VirusTotal, 32 of 57 AV engines detect it. At that stage you might also want to review whether the domain's IP was blocked by your firewalls or the URL was blacklisted on your proxy server.

2. Communication to command and control center

Once the machine is infected you might see some activity immediately, or only after a time delay (a more advanced technique, used to bypass sandbox execution systems). Often one of these activities is the malware trying to communicate outbound.

Phishing Events 2: screenshot taken from the DG Splunk App.

Translation of the events in words:

  • 13:15:29 – command shell is started, the command line is captured as “cmd /c C:\Users\tfischer.testing-W7\AppData\LocalLow\KYaoWQJS.bat”
  • 13:15:30 – 2 registry entries are deleted
  • 13:15:32 – gsqy3uat.exe starts communicating out to command and control but receives no reply; it keeps trying for the next 30 minutes

3. Downloading additional payload

As the last step in this sample, you can see how the malware gains SYSTEM access. At this point the malware has administrative rights and can either fulfill its objective or just "wait and sleep" until it has a proper mission to accomplish.

Phishing Events 3: screenshot taken from the DG Splunk App.

Translation of the events in words:

  • 13:46:18 – process reflectively injects itself into rundll32.exe process (based on instructions from command and control)

I'm sure as a real Splunker you know what to look for in your logs now ;). You can find some search hints in our

Happy phishing your phished users,

Matthias

About Matthias Maier

Matthias Maier is Product Marketing Manager at Splunk. Matthias is a technical evangelist for Splunk in EMEA and is responsible for communicating Splunk's go to market strategy in the region. He works closely with customers to help them understand how machine data reveals new insights across application delivery, business analytics, IT operations, Internet of Things, and security and compliance. Matthias has a particular interest and expertise in security, and is the author of the Splunk App for IP Reputation. Previously Matthias worked at TIBCO LogLogic and McAfee as a senior technical consultant. He is also a regular speaker at conferences on a range of enterprise technology topics.
