Detections of Malware Execution from Unusual Directories

0

Description:

Malware execution from unusual directories is one of the favorite proactive detections. That’s where the defenders should have to spend more time as adversaries try to execute malware in a trusted path. Identifying well-known processes and their well know directory usage will reveal the malware process execution.


Malware Directory Paths:

Before malware is executed. It will use specific directories as a trusted way to run the malicious scripts.

https://twitter.com/SBousseaden

Above is a Powershell script that is setting up the windows trusted directory “C:\windows\debug” with malicious PowerShell scripts to run. Instead, this is not running on the user account or not running on the current user directory.

Some of the well-known processes included for hunting:

wscript.exe Windows Script host is a service that provides scripting abilities for Windows operating systems. Wscript.exe is tasked with executing the VBScript files, and does not cause any harm to your PC.    
RegSvcs.exe RegSvcs.exe is part of the Remote Registry Services, used for registry manipulation. This is a critical Windows component and should not be disabled or removed.   The file RegSvcs.exe is located in a subfolder of C:\Windows
powershell.exe Powershell.exe is an executable file related to PowerShell and it doesn’t do harm to your computer in a normal state.  The genuine Powershell.exe file is a critical part of the Windows system and it is located in a subfolder of C:\Windows\System32\WindowsPowerShell\v1.0\.
cscript.exe Windows Console Based Script Host renders command line options for setting script properties. With this command line, users can run scripts by simply typing its name at the command prompt.  Cscript.exe is located in the C:\Windows\System32 folder.
cmd.exe cmd.exe interacts with the user through a command-line interface. On Windows, this interface is implemented through the Win32 console the original cmd.exe from Microsoft is an important part of Windows, but often causes problems. Cmd.exe is located in the C:\Windows\System32 folder.
rundll32.exe rundll32.exe is a process registered as a backdoor vulnerability which may be installed for malicious purposes by an attacker allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data.   The original rundll32.exe from Microsoft is an important part of Windows, but often causes problems. Rundll32.exe is located in the C:\Windows\System32 folder or sometimes in the C:\Windows folder.
regsvr32.exe Regsvr32.exe can be used to execute arbitrary binaries. Regsvr32.exe is located in a subfolder of C:\Windows—in most cases C:\Windows\SysWOW64\

Malware Execution From Unusual Path Cmdline:

Creating a rule to track the well known processes executing malware in suspicious paths.

query = ”’
process where event.type in (“start”, “process_started”, “info”) and
process.name : (“wscript.exe”,
“cscript.exe”,
“rundll32.exe”,
“regsvr32.exe”,
“cmstp.exe”,
“RegAsm.exe”,
“installutil.exe”,
“mshta.exe”,
“RegSvcs.exe”,
“powershell.exe”,
“pwsh.exe”,
“cmd.exe”) and

/* Adding suspicious execution paths here

/ process.args : (“C:\PerfLogs\“,
“C:\Users\Public\“, “C:\Users\Default\“,
“C:\Windows\Tasks\“, “C:\Intel\“,
“C:\AMD\Temp\“, “C:\Windows\AppReadiness\“,
“C:\Windows\ServiceState\“, “C:\Windows\security\“,
“C:\Windows\IdentityCRL\“, “C:\Windows\Branding\“,
“C:\Windows\csc\“, “C:\Windows\DigitalLocker\“,
“C:\Windows\en-US\“, “C:\Windows\wlansvc\“,
“C:\Windows\Prefetch\“, “C:\Windows\Fonts\“,
“C:\Windows\diagnostics\“, “C:\Windows\TAPI\“,
“C:\Windows\INF\“, “C:\Windows\System32\Speech\“,
“C:\windows\tracing\“, “c:\windows\IME\“,
“c:\Windows\Performance\“, “c:\windows\intel\“,
“c:\windows\ms\“, “C:\Windows\dot3svc\“,
“C:\Windows\ServiceProfiles\“, “C:\Windows\panther\“,
“C:\Windows\RemotePackages\“, “C:\Windows\OCR\“,
“C:\Windows\appcompat\“, “C:\Windows\apppatch\“,
“C:\Windows\addins\“, “C:\Windows\Setup\“,
“C:\Windows\Help\“, “C:\Windows\SKB\“,
“C:\Windows\Vss\“, “C:\Windows\Web\“,
“C:\Windows\servicing\“, “C:\Windows\CbsTemp\“,
“C:\Windows\Logs\“, “C:\Windows\WaaS\“,
“C:\Windows\twain_32\“, “C:\Windows\ShellExperiences\“,
“C:\Windows\ShellComponents\“, “C:\Windows\PLA\“,
“C:\Windows\Migration\“, “C:\Windows\debug\“,
“C:\Windows\Cursors\“, “C:\Windows\Containers\“,
“C:\Windows\Boot\“, “C:\Windows\bcastdvr\“,
“C:\Windows\assembly\“, “C:\Windows\TextInput\“,
“C:\Windows\security\“, “C:\Windows\schemas\“,
“C:\Windows\SchCache\“, “C:\Windows\Resources\“,
“C:\Windows\rescache\“, “C:\Windows\Provisioning\“,
“C:\Windows\PrintDialog\“, “C:\Windows\PolicyDefinitions\“,
“C:\Windows\media\“, “C:\Windows\Globalization\“,
“C:\Windows\L2Schemas\“, “C:\Windows\LiveKernelReports\“,
“C:\Windows\ModemLogs\“, “C:\Windows\ImmersiveControlPanel\“,
“C:\$Recycle.Bin\“)

and not process.parent.executable :

(“C:\WINDOWS\System32\DriverStore\FileRepository\\igfxCUIService*.exe”,
“C:\Windows\System32\spacedeskService.exe”,
“C:\Program Files\Dell\SupportAssistAgent\SRE\SRE.exe”) and

not (process.name : “rundll32.exe” and process.args : (“uxtheme.dll,#64”, “PRINTUI.DLL,PrintUIEntry”))

Source/Credits: https://twitter.com/SBousseaden

Happy Hunting!


Previous articleThreat Hunting Using Powershell and Fileless Malware Attacks
Next articleHindsight – Browser Forensic Analyzer for Web Artifacts

LEAVE A REPLY

Please enter your comment!
Please enter your name here