Executive Summary
Establishing persistence on a system allows a threat actor continued access or process execution across system restarts or other changes. For this reason, monitoring for and investigating persistence indicators are key components of any robust cybersecurity platform.
Two common persistence techniques are using AutoStart Execution of programs during system boot or logon (T1547) and abusing scheduled task functionality (T1053). However, legitimate application activity also frequently involves AutoStart Execution and scheduled task functionality, so defending against these techniques requires not only detection monitoring but also analysis by a cybersecurity professional.
During a recent incident involving a LevelBlue MDR SOC customer, an alarm that triggered for a Windows Autorun registry key for persistence was traced back to a potentially unwanted application (PUA). The PUA purportedly was acting as a PDF conversion application. A review of the initial alarm and associated events revealed that the application had established a double layer of persistence by using both Scheduled Task creation and Autorun registry keys to execute JavaScript under the guise of a Chrome browser extension. Additional open-source intelligence (OSINT) tools identified the application as either a PUA or a potentially malicious file. An investigation was created for the customer with remediation recommendations, and ultimately it was confirmed that the application was neither expected nor authorized within the customer's environment, and it was removed.
The same application was later detected in another customer's environment, but in this case the customer had added a related file hash to an exclusion list. Because the LevelBlue MDR SOC analyst had recently investigated the application and identified it as potentially malicious, they were able to recommend removing the hash from the exclusion list and instead adding it to a blocklist.
Investigation
Initial Alarm Review
The investigation began with the LevelBlue analyst receiving an alarm that a Windows Autorun registry key named "ChromeBrowserAutoLaunch" had been added on an endpoint in the customer environment. While at first glance this appeared to be a key set to auto-launch Chrome with a browser extension loaded, review of the source process command line revealed several items that warranted further investigation.
Figure 1: The initial alarm for the autorun registry key creation
- The "--no-startup-window" option: although this is commonly used for legitimate purposes, it can also indicate an attempt to hide activity from the end user. The path of the extension being loaded showed it was not an extension that the user had installed from the Chrome Web Store. The expected path for extensions from the Web Store would be "C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Extensions". While a sideloaded extension could still be legitimate, this gave additional cause to determine the origin of the registry key and extension.
- No verifiable browser extension with the name "Extension Optimizer" was found in OSINT queries.
- Abuse of browser extensions (T1176) is a known technique, and malicious extensions have a history of being used for infostealing, adware, and browser hijack or redirect behaviors.
Expanded Investigation
Events Search
The analyst conducted an event search to determine the origin of the browser extension "ExtensionOptimizer". This search returned process creation events that revealed the registry key was being added by a node.exe JavaScript process executing from an AppData folder named "PDFFlex" in the path "C:\Users\<username>\AppData\Local\PDFFlex\node.exe". An additional event was logged at the same time showing that node.exe was also being used to load the extension manually.
Figure 2: Events showing the registry key's origin and manual loading of the extension
The analyst searched for "PDFFlex" to understand whether the application was common in the customer's environment and to obtain additional artifacts regarding its origin or nature. The search revealed that the application's presence was anomalous and also uncovered events that could be used for further research.
The analyst obtained the filename of the application's MSI installer, the version and publisher of the application, and an event that showed the creation of a daily scheduled task. This task was configured to execute "node.exe update.js --check-update" from the same "PDFFlex" folder path seen in the registry creation events. Further analysis showed that this task was responsible for executing the process that was creating the Autorun registry key, in an apparent double layer of persistence established on the endpoint.
Figure 3: Scheduled task created to persistently add the registry key daily
Figure 4: Event showing the name of the application's MSI installer file found in the user's Downloads folder
Figure 5: Installation event showing the version and publisher of the application "PDFFlex"
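As an added example that is not code from the LevelBlue write-up, the following Python filter applies the two indicators described above to constructed sample events: a Chrome Run-key value launched with --no-startup-window or with a --load-extension path outside the Web Store directory, and a scheduled task whose action runs a script host such as node.exe from a user's AppData folder. The event layout, user name and sample paths are assumptions made for the example.

```python
# Added example (not code from the LevelBlue write-up): a triage filter for the two
# persistence indicators discussed above, run over constructed sample events.
import re

# Where Chrome keeps extensions installed from the Web Store (per user profile).
WEBSTORE_EXT_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\google\\chrome\\user data\\[^\\]+\\extensions\\", re.I)
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.I)
NO_STARTUP_WINDOW = re.compile(r"(?<!\S)--no-startup-window(?!\S)", re.I)
SCRIPT_HOSTS = {"node.exe", "wscript.exe", "cscript.exe", "mshta.exe"}  # suspicious from AppData
APPDATA_DIR = re.compile(r"\\appdata\\(local|roaming)\\", re.I)

def check_autorun_value(cmdline: str) -> list[str]:
    """Reasons a Run-key command line deserves analyst review; empty list means none found."""
    reasons = []
    if NO_STARTUP_WINDOW.search(cmdline):
        reasons.append("Chrome launched with --no-startup-window (no visible window for the user)")
    for m in LOAD_EXT.finditer(cmdline):
        ext_path = m.group(1) or m.group(2)
        if not WEBSTORE_EXT_DIR.match(ext_path):
            reasons.append(f"sideloaded extension outside the Web Store directory: {ext_path}")
    return reasons

def check_task_action(command: str, arguments: str = "") -> list[str]:
    """Reasons a scheduled task's action (Command + Arguments) deserves review."""
    exe = command.strip('"')
    name = exe.rsplit("\\", 1)[-1].lower()
    if name in SCRIPT_HOSTS and APPDATA_DIR.search(exe):
        return [f"script host {name} run from AppData: {exe} {arguments}".rstrip()]
    return []

def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    # Returns (event id, reasons) for every event that matched at least one indicator.
    hits = []
    for ev in events:
        reasons = (check_autorun_value(ev["cmdline"]) if ev["type"] == "autorun"
                   else check_task_action(ev["command"], ev.get("arguments", "")))
        if reasons:
            hits.append((ev["id"], reasons))
    return hits

# Constructed sample events modelled on the write-up; user name and paths are placeholders.
CHROME = '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"'
SAMPLE_EVENTS = [
    {"id": "run-1", "type": "autorun", "cmdline": CHROME + " --no-startup-window "
     '--load-extension="C:\\Users\\user\\AppData\\Local\\ExtensionOptimizer"'},
    {"id": "run-2", "type": "autorun", "cmdline": CHROME + ' --load-extension='
     '"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\abcd"'},
    {"id": "task-1", "type": "task", "command": "C:\\Users\\user\\AppData\\Local\\PDFFlex\\node.exe",
     "arguments": "update.js --check-update"},
]
```

Running triage(SAMPLE_EVENTS) flags run-1 (both indicators) and task-1, while run-2, a Web Store extension path, is left alone.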
Event Deep-Dive
The analyst then performed several OSINT searches using the information obtained in the event searches to verify the use case and potential legitimacy of the application.
- No verifiable information was found for the MSI file "FreePDF_49402039.msi" or the publisher PDFFlex.io.
- The analyst conducted a Whois search of the domain "pdfflex.io" and found that it was not registered.
- A web search for "PDFFlex 3.202.1208.0" returned a verdict of "malicious activity" from the sandbox tool ANY.RUN, which provided a SHA256 file hash of 9c5d756045fd479a742b81241ccf439d02fc668581a3002913811a341278de43.
- A search of the hash on VirusTotal revealed that it had been flagged as potentially malicious by several security vendors, including Sophos and Fortinet.
- The analyst leveraged SentinelOne Deep Visibility to confirm that the hash for the MSI file on the customer's endpoint matched the hash in the ANY.RUN report. At the time of the alarm, incidents were not being triggered on the hash. The SentinelOne tool also showed that the MSI file was signed by "Eclipse Media Inc," which proved key in a later incident for another LevelBlue customer.
Figure 6: Deep Visibility search in SentinelOne showing the file hash for the MSI file found on the endpoint
Response
Building the Investigation
The analyst's investigation and OSINT research returned several points indicating that the "PDFFlex" application was likely not a desired application in the environment:
- The presence of the application on the endpoint was anomalous for the environment, as events for it were not observed on other endpoints.
- The application had established what appeared to be a double layer of persistence by using a scheduled task and an autorun registry key to create and launch an unverified browser extension, "ExtensionOptimizer."
- OSINT reports for the MSI file indicated potentially malicious behavior.
Together, these data points indicated that the application was neither desired nor expected in the customer environment and could be categorized as a PUA/PUP, if not as outright malicious, and thus should be removed from the endpoint.
Customer Interaction
The analyst created an investigation that detailed the findings regarding the application "PDFFlex," the browser extension "ExtensionOptimizer," the observed persistence behaviors, and the findings of the OSINT research. They recommended that the customer reimage the endpoint or remove the associated AppData folders for "PDFFlex" and "ExtensionOptimizer," the scheduled tasks, and the associated registry keys. Shortly after the initial investigation, the LevelBlue MDR SOC identified another endpoint in the customer's environment that was exhibiting the same persistence indicators under the application name "PDFTool." The customer confirmed that the applications were not authorized and ultimately elected to remove the endpoints from service and replace them.
While the MSI file initially did not trigger an alarm, several days after the investigation its hash was added to the SentinelOne Cloud global blocklist and began to trigger alarms. During review of one of these alarms for another customer, a LevelBlue analyst found that the customer had added a hash-based exclusion for a similarly named PDF-related MSI file with a different file hash, but also signed by "Eclipse Media Inc."
This customer had previously observed the threat but added the hash to the exclusion list in SentinelOne because no negative reports were observed while researching the file using OSINT tools. The LevelBlue team's knowledge of the signer "Eclipse Media Inc," together with their recent review of the application, allowed them to inform the customer about the risks of the application. Based on the analyst's recommendation, the exclusion was removed and a blocklist action for the alternate hash was added instead.
Conclusion
This incident highlights not only the need for monitoring and alerting on scheduled task and Autorun registry key creation but also the value of having expert analysis of these events. In this investigation, the analyst's use of OSINT and sandboxing tools such as ANY.RUN provided the critical context needed to protect the customer's environment from threats. In addition, the analyst's research and prior knowledge of the file signer "Eclipse Media Inc" later proved key in protecting another LevelBlue customer that had created an exclusion for what was likely the same PUA under a different file hash.