In attacks on the infrastructure of various companies, cybercriminals are increasingly resorting to manipulating modules that interact with the Local Security Authority (LSA) process. This allows them to steal user credentials, establish persistence in the system, elevate privileges, or extend the attack to other systems within the target company. Therefore, for the latest quarterly update of our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, we've added rules designed to detect such attempts. In terms of the MITRE ATT&CK classification, the new rules can detect techniques T1547.002, T1547.005 and T1556.002.
What are techniques T1547.002, T1547.005 and T1556.002?
Both variants of technique T1547 mentioned above involve using the LSA process to load malicious modules. Sub-technique 002 describes adding malicious dynamic-link libraries (DLLs) as Windows authentication packages, while sub-technique 005 involves DLLs registered as security support provider (SSP) packages. Loading these modules allows attackers to access the LSA process memory, which can contain critical data such as user credentials.
Technique T1556.002 describes a scenario where an attacker registers a malicious password filter DLL in the system. These filters are essentially mechanisms for enforcing password policies. When a legitimate user changes a password or sets a new one, the LSA process checks it against all registered filters, and is forced to handle the passwords in plain text form, i.e., unencrypted. If an attacker manages to introduce a malicious password filter into the system, they can collect passwords with every such request.
All three techniques involve placing malicious libraries in the C:\Windows\System32 directory and registering them in the system registry under the following values of the SYSTEM\CurrentControlSet\Control\LSA branch: Authentication Packages for T1547.002, Security Packages for T1547.005, and Notification Packages for T1556.002.
How our SIEM counters techniques T1547.002, T1547.005 and T1556.002
To counter these techniques, the Kaspersky Unified Monitoring and Analysis Platform will be updated with rules R154_02–R154_10, which detect, among other things, the following events:
- Loading of suspicious authentication packages, password filter packages, and security support provider modules, using events 4610, 4614 and 4622, respectively.
- Commands executed in cmd.exe and powershell.exe that aim to modify the LSA registry branch and the Authentication Packages, Notification Packages and Security Packages values.
- Modifications (detected through registry modification event 4657) of the LSA registry branch that could enable a malicious file.
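As an added example (not KUMA's rules or Kaspersky's code), the following Python detection logic applies the same idea to a few constructed Windows Security event records: package loads reported by 4610/4614/4622 are checked against a baseline of packages Windows loads by itself, and 4657 edits to the LSA package lists are diffed so the newly added package is named. The baseline set and the simplified dict form of the records are assumptions; the field names follow the XML schema of those events.

```python
# Added example, not KUMA's own rule logic: flag LSA package loads and LSA
# registry edits in Windows Security events, mapped to the ATT&CK techniques
# above. Records are constructed samples in a simplified dict form; the field
# names follow the XML event schema for events 4610/4614/4622 and 4657.
VALUE_TO_TECHNIQUE = {           # registry value under ...\Control\Lsa -> technique
    "Authentication Packages": "T1547.002",
    "Security Packages": "T1547.005",
    "Notification Packages": "T1556.002",
}
LOAD_EVENTS = {                  # event id -> (package-name field, technique)
    4610: ("AuthenticationPackageName", "T1547.002"),
    4622: ("SecurityPackageName", "T1547.005"),
    4614: ("NotificationPackageName", "T1556.002"),
}
# Packages Windows loads by default (assumption: baseline this per environment).
BASELINE = {"msv1_0", "kerberos", "negotiate", "schannel", "wdigest", "tspkg",
            "pku2u", "cloudap", "negoexts", "scecli", "rassfm"}
def dll_stem(name: str) -> str:  # 'C:\...\msv1_0.DLL : NAME' or 'msv1_0' -> 'msv1_0'
    stem = name.split(" : ")[0].strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return stem[:-4] if stem.endswith(".dll") else stem
def packages(multi_sz: str) -> set[str]:
    # 4657 renders a REG_MULTI_SZ OldValue/NewValue as space-separated entries
    return {dll_stem(p) for p in multi_sz.split()}
def detect(events: list[dict]) -> list[dict]:
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid in LOAD_EVENTS:               # a package was actually loaded
            field, tech = LOAD_EVENTS[eid]
            pkg = dll_stem(ev[field])
            if pkg not in BASELINE:
                alerts.append({"technique": tech, "event": eid, "package": pkg})
        elif eid == 4657 and ev["ObjectName"].lower().endswith(r"\control\lsa"):
            vname = ev["ObjectValueName"]    # which package list was edited
            if vname in VALUE_TO_TECHNIQUE:
                added = packages(ev["NewValue"]) - packages(ev["OldValue"])
                alerts.append({"technique": VALUE_TO_TECHNIQUE[vname], "event": 4657,
                               "added": sorted(added), "process": ev["ProcessName"]})
    return alerts
SAMPLE_EVENTS = [  # constructed: a filter DLL is registered, then loaded at next boot
    {"EventID": 4610, "AuthenticationPackageName":
        r"C:\Windows\system32\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"},
    {"EventID": 4657, "ProcessName": r"C:\Windows\regedit.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa",
     "ObjectValueName": "Notification Packages",
     "OldValue": "scecli rassfm", "NewValue": "scecli rassfm pwfilter"},
    {"EventID": 4614, "NotificationPackageName": "pwfilter"},
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts for T1556.002: the 4657 edit that appended pwfilter to Notification Packages, and the later 4614 load of a package outside the baseline.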
Other improvements in the Kaspersky Unified Monitoring and Analysis Platform update
In this update, we're also introducing rule R999_99, which detects changes to critical attributes of Active Directory accounts, such as scriptPath and msTSInitialProgram, which allow various actions to be performed upon login.
These attributes cause certain scripts to execute every time a user logs into the system. This makes them an attractive target for attackers aiming to establish persistence in the network. Tampering with these attributes may indicate unauthorized attempts to gain a foothold in the system or escalate privileges, which is technique T1037.003 under the MITRE ATT&CK classification.
The strategy for detecting these manipulations is to monitor Windows event logs, particularly event 5136. This event records any changes made to objects in Active Directory, including attribute modifications.
After the latest update, our SIEM platform will provide over 700 rules. Thus, by the end of 2024, our solution will cover 400 MITRE ATT&CK techniques. Of course, we're not aiming to create rules to detect every technique described in the matrix. A significant portion of them cannot be fully addressed due to their nature: for example, ones involving actions performed outside the protected perimeter, or techniques that SIEM solutions by definition do not fully cover. However, in the fourth quarter of this year, we've focused on further expanding the coverage of MITRE ATT&CK techniques while improving the detection logic for already covered techniques.
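As an added example (not KUMA's rule R999_99 or Kaspersky's code), the following Python reconstructs changes to scriptPath and msTSInitialProgram from constructed event 5136 records. It assumes the 5136 field names (ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType, OpCorrelationID, SubjectUserName) and that a modification is logged as a Value Deleted record followed by a Value Added record sharing one OpCorrelationID, which is how the old and new values are paired.

```python
# Added example, not KUMA's own rule logic: reconstruct changes to the logon
# attributes of AD accounts from event 5136. A modification is logged as two
# 5136 records, Value Deleted (%%14675) followed by Value Added (%%14674),
# sharing one OpCorrelationID; pairing them yields old and new values.
# Records below are constructed samples using the 5136 field names.
WATCHED_ATTRS = {"scriptpath", "mstsinitialprogram"}
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

def attribute_changes(events: list[dict]) -> list[dict]:
    changes = {}                       # (object, attribute, correlation id) -> change
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        attr = ev["AttributeLDAPDisplayName"]
        if attr.lower() not in WATCHED_ATTRS:
            continue                   # other attributes are out of scope here
        key = (ev["ObjectDN"], attr.lower(), ev["OpCorrelationID"])
        change = changes.setdefault(key, {
            "technique": "T1037.003", "account": ev["ObjectDN"], "attribute": attr,
            "by": ev["SubjectUserName"], "old": None, "new": None})
        if ev["OperationType"] == VALUE_DELETED:
            change["old"] = ev["AttributeValue"]
        elif ev["OperationType"] == VALUE_ADDED:
            change["new"] = ev["AttributeValue"]
    return list(changes.values())

SAMPLE_5136 = [  # constructed: jdoe's logon script is swapped for a file on a share
    {"EventID": 5136, "SubjectUserName": "svc_backup", "OpCorrelationID": "{c0de-1}",
     "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example", "OperationType": VALUE_DELETED,
     "AttributeLDAPDisplayName": "scriptPath", "AttributeValue": "logon.bat"},
    {"EventID": 5136, "SubjectUserName": "svc_backup", "OpCorrelationID": "{c0de-1}",
     "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example", "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "scriptPath", "AttributeValue": r"\\srv01\share\update.bat"},
    {"EventID": 5136, "SubjectUserName": "hr_admin", "OpCorrelationID": "{c0de-2}",
     "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example", "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Sales"},
]
```

A change record with `old` set and `new` pointing to a path the account owner would not normally use is the kind of result an analyst would triage; the description edit in the sample is ignored because only the two logon attributes are watched.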
New and improved normalizers
In the latest update, we've also added normalizers to our SIEM system that support the following event sources:
- [OOTB] McAfee Endpoint DLP syslog
- [OOTB] LastLine Enterprise syslog cef
- [OOTB] MongoDb syslog
- [OOTB] GajShield Firewall syslog
- [OOTB] Eltex ESR syslog
- [OOTB] Linux auditd syslog for KUMA 3.2
- [OOTB] Barracuda Cloud Email Security Gateway syslog
- [OOTB] Yandex Cloud
- [OOTB] InfoWatch Person Monitor SQL
- [OOTB] Kaspersky Industrial CyberSecurity for Networks 4.2 syslog
In addition, our specialists have improved the following normalizers:
- [OOTB] Microsoft Products via KES WIN
- [OOTB] Microsoft Products for KUMA 3
- [OOTB] KSC from SQL
- [OOTB] Ideco UTM syslog
- [OOTB] KEDR telemetry
- [OOTB] Vipnet TIAS syslog
- [OOTB] PostgreSQL pgAudit syslog
- [OOTB] KSC PostgreSQL
- [OOTB] Linux auditd syslog for KUMA 3.2
The full list of supported event sources in Kaspersky Unified Monitoring and Analysis Platform 3.4 can be found in the Online Help, where you can also find information on correlation rules. In our blog you can also read about the updates to our SIEM platform for the first, second and third quarters of 2024.
To learn more about our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, please visit the official product page.