Windows Event ID 5379 to Detect Malicious Password-Protected File unlock

0

Attacks by malware are continuously growing. These malicious files use high-obfuscation algorithms to hide from traditional anti-malware detection solutions, and unfortunately, the threat actors are becoming more and more successful. 

One technique that has seen a positive track record for evading detection is when a malicious document is password-protected, and the password is given in the email body, making it easy to trick unsuspecting users into opening the malicious file.

Password protection makes it harder for traditional detection solutions to scan the attachment for malicious code.

Also Read: Most Common Windows Event IDs to Hunt – Mind Map

Example of the Malware Attack

The employee receives an email that appears to be from a trusted and well-known sender, or a common brand, with a catchy subject (ex. ‘Invoice’, ‘Payment verification’, etc). The email contains an attached file that is zipped and password-protected by the attacker. The password creates the illusion the attachment must contain confidential personal information that had to be secured.

When an employee receives the compromised email with the password-protected file and the required password to access the file, it raised no suspicions.

Also Read: Threat Hunting Using Windows Security Log

Attack Detection with Windows Event Logs

Example 1: Attack Detection Case

This event occurs when a user performs a read operation on stored credentials in Credential Manager. Example: Users open up ZIP files which are password-protected files with valid credentials.

Source: https://twitter.com/SBousseaden

The above figure illustrates User has opened the test (2).zip file. SBousseaden says opening a password-protected zip file using Windows Explorer generates a credman event 5379 with Target “Microsoft_Windows_Shell_ZipFolder:filename=zip_fil_path”.

Also Read: Malware Hiding Techniques in Windows Operating System

This can be correlated when malware is executed with windows legitimate processes ( Explorer.exe ) on specific file paths. Similar cases are also observed when users download, cracks/keygens to enable the full features of legitimate software. But ending up with system/network infections.

Source: https://twitter.com/SBousseaden

The above query shows that malware spread has been successfully detected using the event ID 5379.

Example 2: False Positive Case

Some people may experience Event ID 5379 flooding. It is good to review their user accounts/programs that are connected with the credential manager.

Assume Windows admin has disabled a user in my Active Directory (terminated the account). However, still getting the log that Event IDs 5379 (credential manager credentials were read.), 4673 (a privileged service was called.), 4656 (a handle to an object was requested.)

And the processes called are:

gfxdownloadwrapper.exe  4673
lsbupdater.exe  4673
cleanmgr.exe    4673
quickup.exe 4673
searchui.exe    4673

Disabling an account in AD doesn’t mean an account cannot log on to an endpoint due to cached credentials. The account may not have been disabled/removed from the machine in question, so some scheduled tasks associated with the account are still being executed on the machine (e.g. search indexing, disk cleanup, etc).

Considering the above scenario we can mark it as false-positive.

EQL Detection Query:

sequence by host.id with maxspan=1m
[any where event.code : "5379" and winlog.event_data.TargetName : "Microsoft_Windows_Shell_ZipFolder*"]
 [process where event.action == "start" and process.executable : "?:\\Users\\*\\Appdata\\Local\\Temp\\Temp?_*" and process.parent.name : "explorer.exe"]

Also Read: How to Detect Privilege Escalation Attacks and UAC Bypass on Windows

Other SIEM Products:

SOC analyst/ SOC Engineers use the below logic to create effective rules on their SIEMS to track Windows Event ID 5379 with malicious behaviors.

Correlate event ID 5379 with Target name "Microsoft_Windows_Shell_ZipFolder*" and process executable paths "?:\\Users\\*\\Appdata\\Local\\Temp\\Temp?_*" and parent process "explorer.exe" and process action is start.

Happy Hunting!

References:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5379

securityboulevard.com

https://serverfault.com/questions/1092543/a-user-activity-is-detected-from-a-disabled-account-in-active-directory

Previous articleHow FIDO Makes Passwordless Authentication Works
Next articleHackers are Hiding Malware in Windows Event Logs Category 0x4142
BalaGanesh
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here