This blog post was originally published by Matthias Maier on the Splunk Blog on July 1, 2015. It presents a use case for identifying a phishing attack in real time in the Digital Guardian Splunk App with screenshots from the app dashboard. Generally Digital Guardian is able block this type of attack sequence when we see a user double click an email attachment and then an application like Word downloading and executing a binary. For the purpose of this demonstration we have let the attack run without blocking it. It is an important use case to be able to correlate alerts from the network with this kind of granular endpoint event data to understand which threats have landed and executed on an endpoint.

Hello Security Ninjas,

In the last write up I shared info of a phishing mail I received and what questions do you want to ask once an attack is identified. In this one, I want to give you some technical insights how it can look like when performing an investigation. I'm sure you have analyzed some of those attacks in your own environment so you know the departments that might be most targeted e.g. your high risk users – if you haven't I highly recommend you check your own environment by collecting data from the different sources and analyzing how infections start in your environment and where they occur most often.

In this case for tracking the process and generating the activity events I used "Advanced Threat Protection" from Digital Guardian.

1. Let's see how a phishing attack exploits a machine

In the events below you can nicely see that it starts with Outlook.exe copying a word document which is executed. That's generally fine and happens hundreds of times in an organization if someone sends an e-mail with an invoice attached that gets opened. But loading with a Macro malware from an external page – is not so common.

Screenshot taken from the DG Splunk App outlining a phishing attack. Each line shows a DG event and the Operation column shows the type of event. Some are atomic events such as File Write or Application Start, but those starting with a D such as D1 or D2 are correlated events where we have correlated multiple events in real-time on the endpoint into a higher level alert.

Translation of the events in words:

• 13:15:09 – Outlook opens a Word file (i413136.doc) from an email attachment
• 13:15:12 – Word opens the file
• 13:15:25 – Word loads the macro subsystem DLL scrrun.dll
• 13:15:26 – Word communicates over the network with suspicious domain creditbootcamp.com
• 13:15:26 – Word downloads the suspicious file pierre5.exe
• 13:15:27 – Word launches pierre5.exe
• 13:15:27 – pierre5.exe downloads the executable gsqy3uat.exe
• 13:15:28 – Application compatibility database is updated
• 13:15:29 – gsqy3uat.exe launches

If we correlate this with AV Scanner data we would see that no detection happened, which leads to the conclusion that even with an AntiVirus scanner the machine got infected. On 21 April the macro malware was detected on two of 57 AV engines and four weeks later (22 June) according to VirusTotal 32 of 57 AV engines detect it. You might also want to review at that stage if the IP of the domain was blocked from your firewalls or if the URL was blacklisted on your proxy server.

2. Communication to command and control center

Once the machine is infected you might see immediately or even with a time delay (more advanced, to bypass sandbox execution systems) some activities happening. Often one of these is that the malware tries to communicate outside.

Translation of the events in words:

• 13:15:29 – command shell is started, the command line is captured as “cmd /c C:\Users\tfischer.testing-W7\AppData\LocalLow\KYaoWQJS.bat”
• 13:15:30 – 2 registry entries are deleted
• 13:15:32 – gsqy3uat.exe starts communicating out to command and control but receives no reply; keeps trying for next 30 minutes

3. Downloading additional payload

As last step in this sample you can see how the malware gains SYSTEM Access. At this point the malware now has administrative rights and can either fulfill its objective or just "wait and sleep" until it has a proper mission to accomplish.

Translation of the events in words:

• 13:46:18 – process reflectively injects itself into rundll32.exe process (based on instructions from command and control)

I'm sure as a real Splunker you know what to look for in your logs now ;). You can find some search hints in our

Happy phishing your phished users,

Matthias

Further resources:

• Digital Guardian App for Splunk Enterprise

About Matthias Maier

Matthias Maier is Product Marketing Manager at Splunk. Matthias is a technical evangelist for Splunk in EMEA and is responsible for communicating Splunk's go to market strategy in the region. He works closely with customers to help them understand how machine data reveals new insights across application delivery, business analytics, IT operations, Internet of Things, and security and compliance. Matthias has a particular interest and expertise in security, and is the author of the Splunk App for IP Reputation. Previously Matthias worked at TIBCO LogLogic and McAfee as a senior technical consultant. He is also a regular speaker at conferences on a range of enterprise technology topics.