March 26, 2020 Detection and response

2020 Threat Detection Report: the conversation continues

You asked, we answered. Here are some questions from readers of Red Canary’s 2020 Threat Detection Report, featuring video clips from our live webinar.

Is the report available as a PDF?


You can download a one-page summary PDF by clicking on the top right corner of the report. We deliberately created this year’s report as a digital experience so that we can update it as often as our data shifts, without the lag of redesigning a PDF and having out-of-date versions floating around.


Why do the 2018 rankings in this year’s report differ from what was listed in last year’s report?

Because the 2019 Threat Detection Report was our inaugural publication, we looked at data from multiple years of collection, naming PowerShell the number 1 technique for that data set. In the 2020 report, we analyzed data from the 2019 calendar year and compared it to prevalence data from the 2018 calendar year (i.e., not from the previous Threat Detection Report) to identify more recent changes or trends. Process Injection was number 1 in 2018 and 2019, thus the ranking that you see in the 2020 report.


How do I detect and mitigate Process Injection?


Process Injection, a defense evasion mechanism, was our most detected technique in 2019. Look out for processes that launch without a command line. In this clip, our panelists also make recommendations for application whitelisting and for monitoring the access rights that processes request when opening other processes.


Why are some of the industries you reported on in last year’s report missing from this year’s industries page?

Because we only looked at data collected during the 2019 calendar year, the total threat volume for some sectors wasn’t large enough for a sound statistical analysis. That said, if there is a certain sector you’re curious about, let us know.


How do you detect legitimate tools being used maliciously?


Multiple readers asked about detecting the malicious use of legitimate tools such as PowerShell and living-off-the-land binaries (LOLBins). Since you can’t disable these tools altogether, our panelists shared some strategies for separating the good from the bad.


What technique saw the biggest increase in prevalence in 2019?

Rising from 75th to 8th, DLL Search Order Hijacking was the most ascendant technique across our customer base. However, this increase may be the result of improved detection capabilities on our end rather than a genuine rise in prevalence.


Did TrickBot skew the data set this year?


A small number of our incident response engagements with large organizations influenced our rankings due to widespread infections. That said, TrickBot—and the techniques associated with it—would have been predominant in any event. When we filter detections associated with incident response engagements out of the report altogether, the order of the top 20 most prevalent techniques changes slightly; for example, PowerShell jumps from fourth to first and Process Injection falls from first to second. However, the composition of the top 20 remains largely the same—with just one change: Command-Line Interface joins the top 20 at the expense of Mshta.


Can you filter the report by operating system?

The current analysis does not include a breakdown by OS, but we are considering that for future updates. For now, you can find OS-specific resources elsewhere on our website, including open source projects and webinars.


Should smaller organizations be more worried about targeted or opportunistic attacks?


The “Big 3” infection chain—Emotet, TrickBot, and Ryuk—does not discriminate when it comes to targets. Katie Nickels and Tony Lambert shed some light on what to prioritize based on your specific organization’s needs.


Any advice for large-scale memory detection of fileless malware?

Large-scale in-memory detection can get extremely difficult without a lot of resources, and the results can produce a ton of extraneous detail. We’ve had luck detecting fileless malware by examining command-line arguments that indicate code is being loaded from the Windows Registry or that a process is being used as an injection target. In the case of Cobalt Strike and other tools, you can potentially detect Process Injection based on the lack of command-line arguments for rundll32, werfault, and other processes that are commonly used by Cobalt Strike for injection. In the case of fileless malware that uses tools like PowerShell or Mshta, you can build detection around command-line options that suggest that suspicious code is being read from the Windows Registry.

Another method for detecting fileless malware involves examining processes related to scripting such as PowerShell, wscript.exe, mshta.exe, Python, and others for indications that an entire script is being passed via the command line instead of in file form.


What combinations of techniques should I prioritize in my detection strategy?


Any techniques that work together to enable lateral movement should be top of mind. In this clip, Tony Lambert breaks down a single command line with occurrences of WMI, PowerShell, and Remote File Copy.


How would you detect the usual webshells found in the wild?

When analyzing endpoint telemetry, it’s challenging to distinguish malicious commands executed through webshells from the legitimate commands that web servers or frameworks commonly run (e.g., PHP, ASP.NET). However, we’ve developed sound strategies for detecting malicious webshells by looking for parent-child process relationships in which server processes spawn suspicious instances of processes like PowerShell, cmd.exe, wscript.exe, and certutil, among others.

That said, you can readily detect an adversary writing a webshell to disk using EDR telemetry. For example, if the adversary isn’t capable of uploading files—but they are capable of issuing commands—then it is common for the adversary to issue cmd.exe /c echo commands that write the contents of a webshell to disk in text form. It is exceedingly rare for web servers to execute these echo commands, and, as such, they make for good detection criteria in this context.
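To make the two detection ideas above concrete (the fileless-malware command-line indicators from the earlier answer and the web-server parent-child and echo-write indicators here), the following toy rule set is an added example, not Red Canary’s detection logic; the process-name lists, regular expressions and sample events are all constructed assumptions for illustration.

```python
# Added example (not from the Red Canary report): toy detection rules for fileless-malware
# and webshell indicators, run over constructed process-creation events.
import re

INJECTION_TARGETS = {"rundll32.exe", "werfault.exe"}  # common injection targets launched with no cmdline
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "python.exe"}
WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
# Command-line fragments suggesting code is read from the registry or passed inline (assumed list).
REGISTRY_READ = re.compile(r"(get-itemproperty|\bgp\s|getvalue|regread|hkcu:|hklm:|registry::)", re.I)
INLINE_SCRIPT = re.compile(r"(-enc\w*\s|-e\s|-command\s|-c\s|vbscript:|javascript:|\biex\b|invoke-expression)", re.I)
ECHO_WRITE = re.compile(r"/c\s+echo\b.*>", re.I)  # cmd.exe /c echo ... > file

def classify(event):
    """Return the detection reasons that fire for one process event (empty list if none)."""
    name, parent = event["image"].lower(), event.get("parent_image", "").lower()
    cmd = event.get("cmdline", "")
    reasons = []
    if name in INJECTION_TARGETS and not cmd.strip():
        reasons.append("injection-target-without-cmdline")
    if name in SCRIPT_HOSTS and REGISTRY_READ.search(cmd):
        reasons.append("script-host-reads-registry")
    if name in SCRIPT_HOSTS and INLINE_SCRIPT.search(cmd):
        reasons.append("inline-script-on-cmdline")
    if parent in WEB_SERVERS and name in SHELL_CHILDREN:
        reasons.append("web-server-spawned-shell")
        if name == "cmd.exe" and ECHO_WRITE.search(cmd):
            reasons.append("echo-writes-file-from-web-server")
    return reasons

SAMPLE_EVENTS = [  # constructed telemetry, not real detections
    {"parent_image": "services.exe", "image": "rundll32.exe", "cmdline": ""},
    {"parent_image": "explorer.exe", "image": "rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"parent_image": "wmiprvse.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -NoP -W Hidden -c "IEX (gp HKCU:\\Software\\Demo).Payload"'},
    {"parent_image": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent_image": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c echo CONSTRUCTED_CONTENT > C:\\inetpub\\wwwroot\\demo.aspx"},
    {"parent_image": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent_image": "httpd.exe", "image": "php-cgi.exe", "cmdline": "php-cgi.exe"},
]

def run(events=SAMPLE_EVENTS):
    """Return (image, reasons) for every event that triggers at least one rule."""
    return [(e["image"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for image, reasons in run():
        print(f"{image:16} {', '.join(reasons)}")
```

The benign rundll32 launch, the PowerShell script run from a file, and the httpd-to-php-cgi spawn all pass through untouched, which is the point: the rules key on the absence of a command line, on inline or registry-sourced code, and on who the parent is, not on the tool itself.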


How did adversary emulation tools like Cobalt Strike play into 2019’s detections?


Cobalt Strike helped propel Process Injection to the number 1 spot in 2019. It also enables multiple adversaries to be present in an environment at once. Analysts and red teams should keep an eye on this ever-evolving tool.


Is there a recording of the webinar launching the Threat Detection Report?

You can now watch the webinar in its entirety here. In fact, we recently made all of our webinars available to the public, no registration required.


How can we reduce the risk to our networks now that more people are working remotely?


In light of current events, more and more teams are shifting to remote work, putting certain infrastructure at a greater risk of exposure. Our final clip has some tips for securing your systems while working from home.
