In previous posts we have discussed how AutoFocus accelerates the analysis, hunting, and incident response workflows by providing full context for threat events seen on your network, as well as high-level visibility into how targeted a threat is against you or your industry peers.
This visibility into the threat landscape enables teams to move away from chasing alerts, instead prioritizing response activities for the most critical threats, and proactively implementing new defensive measures. The real power of AutoFocus is its ability to not only consolidate billions of indicators from WildFire customers around the globe, but more importantly to provide a platform for deriving intelligence and context around those indicators through crowd-sourced tags. AutoFocus customers can develop their own private tags for internal company use, or they can choose to share them publicly for the benefit of all AutoFocus users. And of course, all AutoFocus customers benefit from the expertise of Unit 42, our threat intelligence team, which is constantly monitoring the front lines and dark recesses of the web to identify new malware families and attack campaigns, publish research, and develop new tags.
Previously, AutoFocus tags were targeted in two areas:
- Malware Family tags, based on any combination of behavioral and atomic characteristics of a malware family. These are highly durable, and allow security teams to detect and gain context on new variants and other tweaks the malware authors make to avoid detection.
- Campaign tags, which provide a way to “bucketize” atomic indicators such as hashes and domains related to a threat campaign or Unit 42 report, providing responders with the additional context to know that an alert is not just bad but related to a known adversary or campaign. These Campaign tags can also be used proactively to implement defenses in advance of an actual attack on your company or industry.
AutoFocus is constantly evolving, and with the release of the 1.0.7 version of AutoFocus today, we have further enhanced our ability to provide context into events and facilitate speedy educated response. AutoFocus tags can now differentiate between tag classes, such as Malware Family and Campaigns (See Figure 1), which helps responders know immediately if an tagged event is based on internal intelligence or from Unit 42 researchers.
In this release of AutoFocus, Unit 42 researchers have also added an additional class of tag, Malicious Behavior, to provide additional insight into the capabilities or intent of a piece of malware. Even if a malware sample is unique enough that an existing Malware Family tag has not been developed, it very likely will match an existing Malicious Behavior tag that provides the responder immediate insight into what a piece of malware is trying to do. Additionally, because the Malicious Behavior tags are behavior-based, they can even apply to benign samples that may exhibit some questionable behavior, thus warranting further research.
Figure 1 Malicious Behavior and Malware Family tags represented in AutoFocus.
To showcase the power and flexibility of the Malicious Behavior tags, we have selected a range of new Malicious Behavior tags to help you visualize the wide range of capabilities this new tag class provides.
Since malware normally has to communicate to an external server for command and control or to download additional malware, it frequently takes steps to lower the security posture of the affected system by modifying the Windows Firewall settings or even disabling it altogether. This tag detects a wide variety of mechanisms malware can utilize to modify the firewall, including the legitimate command line utilities and changes to the system registry.
A common goal of Android malware is to intercept, read, or delete SMS messages from an infected device. Not only are there privacy and data theft implications, but also this tactic can be used to prevent detection or hide ongoing activity. (Note that this behavior does not include sending SMS messages, which is a different tag.)
There are a wide variety of malware families that attempt to steal digital currency such as Bitcoin, and often this capability is bundled with other common malware families that may normally lack that “feature”. This tag highlights the common approaches taken to access or steal the most prevalent digital currencies.
PowerShell is a powerful command-line shell with an associated scripting language, commonly used for administrative activities and automation. Of course our adversaries also leverage this tool to perform a wide range of nefarious activities. One capability that PowerShell provides is the ability to query the system to identify installed Antivirus software, which obviously is useful information for avoiding detection, taking steps to disable AV, or otherwise gaining insight into the system or environment for reconnaissance purposes.
Malicious software is often injected into legitimate running processes on affected systems to make identification and recovery of the malware more difficult. There are a wide variety of mechanisms for injecting code, and more often than not this is indicative of malicious activity that warrants further investigation.
Browser Helper Objects (BHO) were designed by Microsoft to provide a way to add third-party extensions to Internet Explorer to enhance functionality, but BHO have also been leveraged for malicious intent. The addition of a BHO to a system could be a legitimate activity, or it could be more nefarious such as an adware toolbar or even malware designed to hijack or intercept internet browsing.
One of the primary goals of Advanced threat actors is credential theft, and normally this starts with the local system credentials which are then used to attempt to spread laterally across the network. Legitimate software should rarely, if ever, attempt to access the local SAM database.
Microsoft Windows has security measures to prompt the user before executing files downloaded from the internet, and malware often tries to avoid this prompt, which would alert the user that something malicious was potentially happening and help prevent it. Unfortunately there are system changes that malware can implement to prevent the “Open File – Security Warning” dialog box from appearing.
The Volume Snapshot Service, also known as Shadow Copy, is a backup and recovery technology in Windows that can be used to restore a system to a previously “known good” state after a system crash or faulty software installation. Shadow copies can also be used to restore from malware infections, so malware, especially ransomware, will often attempt to delete these backups to prevent the user from being able to restore his or her system.
Attackers and malware authors often want to get a quick snapshot of a compromised system, or even a more complete local network recon, which is then uploaded to the command and control server. Usually this reconnaissance is performed with a variety of common built-in Windows commands, which while commonly used by Administrators are rarely executed by benign software.
Hopefully this introduction into Malicious Behavior tags gave you some insight into the power of this capability and its ability to provide as much context as possible to responders immediately. The goal of AutoFocus is to empower security teams to protect their organizations from unique and targeted attacks, and the use of real-time, full-context insight into the events happening not only on their network but across the Palo Alto Networks customer base is the first step in that process.
[Palo Alto Networks Research Center]