Monday, 22 October 2018

Hunting malware with Nexthink

Following the previous post on hunting cryptominers with Nexthink, this time the scope is expanded to attempt to capture a wide variety of malicious activity. In most situations a user will be willingly or unwillingly be forwarded to a web server to download malicious payload after a document has been opened, a macro has been run or something of that nature.

Assumptions:
1) At least from your endpoints there should be one and only way to reach the web, that being your proxy.

2) You trust the reputation data to know what is trustworthy (better than trying to know what is bad). From what I can find it is done via 3rd party BrightCloud (yes they have a URL lookup tool here)

NXQL code:

(select ((web_request (start_time protocol protocol_version incoming_traffic outgoing_traffic)) (user name) (device name) (binary paths) (port port_number) (domain name))
(from (web_request port domain binary user device)
(where executable (eq name (pattern "*rundll32.exe*")))
(where executable (eq name (pattern "*mshta.exe*")))
(where executable (eq name (pattern "*powershell*")))
(where executable (eq name (pattern "*ftp.exe*")))
(where executable (eq name (pattern "*cscript.exe*")))
(where executable (eq name (pattern "*wscript.exe*")))
(where executable (eq name (pattern "*bitsadmin*")))
(where executable (eq name (pattern "*wmic.exe*")))
(where executable (eq name (pattern "*regsvr*")))
(where executable (eq name (pattern "*infdefaultinstall*")))
(where executable (eq name (string "java.exe")))
(where executable (eq name (string "javaw.exe")))
(where executable (eq name (string "javaws.exe")))
(where executable (eq name (string "certutil.exe")))
(where executable (eq name (string "winword.exe")))
(where executable (eq name (string "excel.exe")))
(where executable (eq name (string "powerpnt.exe")))
(where domain (gt first_seen (datetime "$TWODAYSAGO"))
(ne threat_level (enum "none detected")))
(where destination (eq #"Servers"(enum "Proxy")))
(between now-1h now))
(limit 1000))

Breakdown:

  • We want the web_request table as the primary since we are looking for web connections.
  • The domain first seen time needs to be in the last two days, the $TWODAYSAGO variable is a bash one you can add at the top of your pull script like so:
    • TWODAYSAGO=`date --date="2 days ago" "+%Y-%m-%dT%H:%M:%S"`
  • Even though in the GUI you will see Domain -> Reputation, in the NXQL format things are not like that. There were some Data Model changes in version 6.10 where the field was introduced, yet the table in the background stayed the same (to avoid breaking client's scripts). Release document available here  
  • Define the destination of the traffic as corporate proxy traffic
  • Run in short intervals, every 1h

The resulting search following a test:



This is definitely not a wide scope rule, but it will definitely allow you to identify malicious activity without having to parse all the internal traffic your java apps make, or the internal powershell work your admins do.


Hope you get 0 hits :)