
Carter Dack, 2023.

Endpoint Protection & Threat Analysis

Endpoints within an organization are constantly at risk of threats both online and offline, and with the advancement of various Endpoint Detection & Response (“EDR”) tools, security personnel now have more visibility into an organization than ever before.

This article will explore the configuration of EDR tools, sandboxed threat simulation, and post-incident threat analysis. In doing so, it will model the hands-on techniques that threat hunters and security teams alike can perform in order to discover host-based threats.

EDR agent Installation

We begin by gaining access to an EDR platform. There are many on the market, and all will have a slightly different process of installing the “agents” or “sensors” or “sentinels” onto an endpoint or groups of endpoints. In this example, the Sophos XDR sensors will be demonstrated.

Figure I - Sophos Sensor Download

Food for Thought: Depending on how someone looks at it, EDR tools can be likened to a Command and Control (“C2”) framework, in the sense that a privileged piece of software is installed on an endpoint and is sending back endpoint telemetry to a central command center. In the case of EDR platforms however, we can hope that the central command center is a benevolent one controlled by an organization’s IT department.

Next, the sensor can be moved onto an endpoint and installed, as seen in Figure II.

Figure II - Sensor Install (Windows 10)

Figure III - EDR Dashboard Populated

Once installed, the endpoint should now populate within the EDR dashboard. From the EDR dashboard, there is visibility into many aspects of the endpoint, and in order to establish a useful sandbox, some malicious actions will be taken on the endpoint and investigated below.

In order to identify a scope, a fictional scenario will be created which will guide the investigation.

Scenario

An employee named Randy has decided to begin mining Monero cryptocurrency on his corporate device using the xmrig tool, which has been alerted on because of its known file hash. Additionally, there have been some reports that Randy has downloaded a malware builder and is plotting to infect the internal network. Security personnel have confiscated Randy’s laptop and have begun to investigate the reported threats.

Scope:

  1. Randy’s endpoint and user account
     1. The current investigation will be limited to Randy’s device, and should only expand if there is evidence of additional compromise on the network.
  2. Identification and Analysis of the xmrig Tool:
     1. Examine the device for the presence of the xmrig mining tool.
     2. Analyze the installation date, file origin, and any modifications made to the xmrig tool.
     3. Check for any scheduled tasks or services created to automate the mining process.
  3. Investigation of Network Traffic:
     1. Analyze outgoing network traffic from Randy's laptop to identify connections to Monero mining pools or other related external IP addresses.
     2. Look for any unusual data transfers or large volumes of data being sent from the laptop.
  4. Search for Evidence of a Malware Builder:
     1. Investigate any downloaded files, especially around the time the malware builder was reported to be downloaded.
     2. Perform a deep scan for known signatures of malware builders.
     3. Examine the Downloads folder for traces of the malware builder download.
  5. Evaluation of Endpoint Security Solutions:
     1. Determine how the mining tool and potential malware builder were able to bypass existing security measures.
     2. Assess the need for updated antivirus signatures or enhanced endpoint protection strategies.

XMRIG Identification and Removal

To begin, the xmrig software will first be identified on the system and removed. As a threat hunter, I know that xmrig is commonly detected by Windows Defender, so I will begin by querying the Windows Defender detections on the endpoint. Hopefully this action will also show some information regarding the malware builder, but let's see…

Figure IV - Windows Defender Detections

As seen above, Windows Defender was not able to identify the xmrig software; however, it did identify several locations where Randy’s malware builder seems to live. We will leverage these paths later on when we focus on the removal of the builder, but for now let's move on with xmrig.

Hypothesis:

Based on how xmrig is obtained, I would guess that Randy downloaded xmrig from the internet, so let's check his downloads folder for the xmrig files.


There are a few ways of checking Randy’s downloads folder, but for quick remediation, I will remote into his endpoint and use the command line. (Note: truthfully, I am opting for the command line because I am running this sandbox in a crappy virtual machine, and the Sophos agent will fail if a query uses up more than 30% of the CPU.)

Figure V - Randy’s Downloads

Figure VI - Deleting Randy’s Files

As we can see from the above information, the xmrig software was downloaded on 12/13/2023. By doing some behind-the-scenes research and analysis, I was able to determine that the file hashes of the xmrig files downloaded to Randy’s machine match those of the regularly distributed tool, and thus I can be confident of its behavior and that it will not have further compromised the system or network.

For peace of mind, I also queried whether any scheduled tasks were created in the last week, and from my query I can see that there are not.
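The three checks just described (inventory the Downloads folder with creation dates, compare file hashes against the stock xmrig release, and look for scheduled tasks registered in the last week) can be run from the same remote PowerShell session the author used. The script below is an added example and is not the author's or Sophos's code; the profile path comes from the article, while the known-release hash list is a placeholder that has to be filled with SHA-256 values verified out of band, since the article does not reproduce them. Re-running the hash comparison after deleting a file is also a quick way to confirm that a given hash is no longer present on the system.

```powershell
# Added example (not the author's): triage a user profile for a downloaded tool
# and for recently registered scheduled tasks. The hash list is a placeholder.

# Profile under investigation (path from the article); change for another user.
# Note: $PROFILE is a PowerShell automatic variable, so a different name is used.
$UserProfilePath = 'C:\Users\randy'

# PLACEHOLDER: SHA-256 values of the official xmrig release files, verified out
# of band. The article does not list the actual hashes.
$KnownXmrigHashes = @(
    'PLACEHOLDER_SHA256_OF_OFFICIAL_XMRIG_RELEASE'
)

function Get-RecentDownloads {
    <# Files in Downloads created on or after a cutoff, with their SHA-256, so the
       download date and the hash can be read side by side. #>
    param(
        [string]$Path = (Join-Path $UserProfilePath 'Downloads'),
        [datetime]$Since = (Get-Date).AddDays(-30)
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                SizeKB  = [math]::Round($_.Length / 1KB, 1)
                SHA256  = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        }
}

function Test-KnownHash {
    <# Tags each file with whether its hash matches a verified release hash.
       A match means the binary is the stock tool; an unmatched hash on a file
       named like the tool warrants deeper analysis (modified or trojanised build). #>
    param([Parameter(ValueFromPipeline)]$File)
    process {
        $File | Add-Member -NotePropertyName MatchesKnownRelease `
                           -NotePropertyValue ($KnownXmrigHashes -contains $File.SHA256) `
                           -PassThru
    }
}

function Get-RecentScheduledTasks {
    <# Scheduled tasks registered within the last $Days days. RegistrationInfo/Date
       is a string in the task XML; tasks with no date are reported as well, since
       their age cannot be determined and they should not be silently skipped. #>
    param([int]$Days = 7)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ScheduledTask | ForEach-Object {
        $registered = if ($_.Date) { [datetime]$_.Date } else { $null }
        if (-not $registered -or $registered -ge $cutoff) {
            [pscustomobject]@{
                TaskName   = $_.TaskName
                TaskPath   = $_.TaskPath
                Registered = $registered      # $null = no registration date recorded
                Action     = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                State      = $_.State
            }
        }
    }
}

# Usage: run on the endpoint directly, or inside Enter-PSSession / Invoke-Command.
Get-RecentDownloads -Since (Get-Date '2023-12-01') | Test-KnownHash | Format-Table -AutoSize
Get-RecentScheduledTasks -Days 7 | Format-Table -AutoSize
```

Tasks with an empty Registered column are the ones to look at by hand: a task registered through some tooling does not always carry a date, and that absence is exactly what a quick "last seven days" filter would otherwise hide.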

Figure VII - Scheduled Tasks

Network Analysis

In order to further understand the network connections and data transfer activity, I will again query the endpoint for network activity to identify xmrig behavior.

Figure VIII - xmrig network activity

From this activity, we can see that Randy ran xmrig on 12/14/2023, and that it contacted both 178.128.242.134 and 199.247.27.41 on port 3333. Using this information, we can block the xmrig software signatures as well as these IP addresses from being contacted.

Additionally, this search showed no network connections related to the malware builder, which is good news. Let's shift to investigating that component of this incident.

Malware Builder Analysis

Up to this point, we have found a few Indicators of Compromise (“IoCs”) for the identified malware builder:

  1. C:\Users\randy\Downloads\887 RAT Builder.a\crack.exe
  2. C:\Users\randy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe
  3. SHA-256 hashes

As before, I will remove the executable from all file paths and confirm that its file hash no longer exists on the system. Based on my investigation, it would appear that this software was relatively basic, and Randy fortunately did not actually build any malware with it.

Thankfully, no additional Indicators of Compromise were identified.

Evaluation and Detections

Based on our brief investigation, we can begin thinking about detections. Using our IoCs to inform the detections, the following are some realistic options:

  1. File Path Detections
     1. C:\Users\randy\Downloads\887 RAT Builder.a\crack.exe
     2. C:\Users\randy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe
  2. SHA-256 Hash Detections
     1. Using the SHA-256 hashes of the malicious files, create hash-based detection rules. These rules will trigger an alert whenever a file with the specified hash is detected on the system.
  3. Network Traffic Detections
     1. Configure rules to monitor for network traffic to the IPs 178.128.242.134 and 199.247.27.41, especially on port 3333. This is typically indicative of xmrig's cryptocurrency mining activity.
  4. Behavioral Detections
     1. Since xmrig is a known mining tool, set up behavioral detection rules that identify typical mining tool behaviors, such as high CPU usage over an extended period, creation of mining-related file paths, or connection attempts to known mining pools.

Note: Unfortunately, I am using a free trial version of EDR software and am unable to configure these alerts; however, at a high level, these detections can be built from our IoCs.
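Since the trial licence prevented the author from configuring the alerts, the script below shows the four detection classes above as plain PowerShell predicates run over a small batch of EDR-style events. It is an added example, not the author's work and not Sophos's rule syntax; the file paths, IP addresses and port are the IoCs from this article, the event field names (Type, Path, SHA256, RemoteIp, RemotePort, CpuPercent, DurationMin) and the CPU thresholds are assumptions, the hash values are placeholders because the article does not list them, and the sample events are constructed rather than captured telemetry.

```powershell
# Added example (not the author's): the article's IoC-based and behavioural
# detections as PowerShell predicates, evaluated over constructed sample events.

# IoCs from the investigation.
$IocPaths = @(
    'C:\Users\randy\Downloads\887 RAT Builder.a\crack.exe',
    'C:\Users\randy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe'
)
$IocHashes     = @('PLACEHOLDER_SHA256_CRACK_EXE', 'PLACEHOLDER_SHA256_XMRIG_EXE')  # article lists none
$MiningPoolIps = @('178.128.242.134', '199.247.27.41')
$MiningPort    = 3333

# Each rule: a name, the event type it applies to, and a predicate over the event.
$Rules = @(
    @{ Name = 'IoC file path';  Type = 'file';    Test = { param($e) $IocPaths -contains $e.Path } }
    @{ Name = 'IoC file hash';  Type = 'file';    Test = { param($e) $IocHashes -contains $e.SHA256 } }
    @{ Name = 'Mining pool IP'; Type = 'network'; Test = { param($e) $MiningPoolIps -contains $e.RemoteIp } }
    @{ Name = 'Stratum port';   Type = 'network'; Test = { param($e) $e.RemotePort -eq $MiningPort } }
    # Behavioural rule: sustained high CPU. Thresholds are assumptions; tune per fleet.
    @{ Name = 'Sustained high CPU'; Type = 'process'; Test = { param($e) $e.CpuPercent -ge 80 -and $e.DurationMin -ge 30 } }
)

function Invoke-Detections {
    <# Runs every rule whose Type matches the event's Type; emits one alert per hit. #>
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if ($r.Type -ne $e.Type) { continue }
            if (-not (& $r.Test $e)) { continue }
            $value = switch ($e.Type) {
                'file'    { $e.Path }
                'network' { "$($e.Image) -> $($e.RemoteIp):$($e.RemotePort)" }
                'process' { "$($e.Image) cpu=$($e.CpuPercent)% for $($e.DurationMin) min" }
            }
            [pscustomobject]@{ Time = $e.Time; Host = $e.Host; Rule = $r.Name; Value = $value }
        }
    }
}

# Constructed sample telemetry (not real EDR output). 203.0.113.10 is a documentation address.
$SampleEvents = @(
    [pscustomobject]@{ Type = 'file';    Time = '2023-12-13T09:02:00'; Host = 'RANDY-LT'; Path = 'C:\Users\randy\Downloads\887 RAT Builder.a\crack.exe'; SHA256 = 'PLACEHOLDER_SHA256_CRACK_EXE' }
    [pscustomobject]@{ Type = 'file';    Time = '2023-12-13T09:05:00'; Host = 'RANDY-LT'; Path = 'C:\Users\randy\Downloads\notes.txt'; SHA256 = '0000' }
    [pscustomobject]@{ Type = 'network'; Time = '2023-12-14T11:10:00'; Host = 'RANDY-LT'; Image = 'xmrig.exe';  RemoteIp = '178.128.242.134'; RemotePort = 3333 }
    [pscustomobject]@{ Type = 'network'; Time = '2023-12-14T11:11:00'; Host = 'RANDY-LT'; Image = 'chrome.exe'; RemoteIp = '203.0.113.10';    RemotePort = 443 }
    [pscustomobject]@{ Type = 'process'; Time = '2023-12-14T12:00:00'; Host = 'RANDY-LT'; Image = 'xmrig.exe';  CpuPercent = 97; DurationMin = 45 }
    [pscustomobject]@{ Type = 'process'; Time = '2023-12-14T12:00:00'; Host = 'RANDY-LT'; Image = 'msedge.exe'; CpuPercent = 85; DurationMin = 2 }
)

Invoke-Detections -Events $SampleEvents | Format-Table -AutoSize
```

The first file event fires both the path and the hash rule, the xmrig connection fires both network rules, and only the xmrig process meets the sustained-CPU threshold; the short msedge.exe spike does not, which is the point of pairing the CPU threshold with a duration. Splitting the path and hash rules matters operationally as well: a renamed copy of crack.exe still trips the hash rule, while a recompiled one still trips the Startup-folder path rule.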

Conclusion

The exploration and application of Endpoint Detection & Response (EDR) tools in this report underscores their critical role in modern cybersecurity defenses. Our journey through the installation and configuration of Sophos XDR sensors, coupled with hands-on threat hunting and incident response activities, has vividly demonstrated the capabilities and benefits of these powerful tools.

The fictional scenario involving employee Randy, who engaged in unauthorized Monero mining and downloaded a malware builder, served as a practical backdrop for applying EDR tools in a real-world context. The detailed steps taken - from the initial identification of the xmrig mining tool and malware builder to the thorough network analysis and eventual remediation - highlight the depth and breadth of visibility that EDR solutions provide.

Through this exercise, we learned key lessons:

  1. Comprehensive Endpoint Visibility: EDR tools like Sophos XDR offer an unparalleled view into endpoint activities, allowing security teams to detect and investigate threats that would otherwise go unnoticed.
  2. Proactive Threat Hunting: The ability to actively hunt for threats based on IoCs such as file paths, file hashes, and network traffic patterns is invaluable. This proactive stance is crucial in today's constantly evolving threat landscape.
  3. Effective Incident Response: The rapid identification and removal of the xmrig tool and the investigation into the malware builder underscore the importance of an efficient and effective response to security incidents.
  4. Strategic Detections and Preventive Measures: The development of detection rules based on IoCs and the consideration of behavioral patterns for future alerts underscore the strategic approach required in cybersecurity. While our limitations in configuring alerts due to software constraints were noted, the conceptual framework for these detections is universally applicable.
  5. Importance of Continued Learning and Adaptation: The cybersecurity field is dynamic, necessitating continual learning, adaptation, and improvement of tools and techniques.

In conclusion, the utilization of EDR tools is not just about deploying technology; it's about integrating these tools into a broader cybersecurity strategy. This includes understanding the tools' capabilities, continuously updating detection rules, and educating users about safe computing practices. As demonstrated, EDR solutions are a vital component of an organization's defense, providing the necessary capabilities to detect, investigate, and respond to threats effectively. This exercise reinforces the notion that in the realm of cybersecurity, vigilance, combined with the right tools and expertise, is the key to maintaining a robust security posture.