Since the outbreak of Petya, there have been many articles analysing and dissecting the malware, to determine its purpose, and who is ultimately responsible. Reverse engineering and malware analysis to conduct post incident analysis has provided the basis for the conclusions drawn in these features. Instead, Anomali, in collaboration with threat hunting experts Vector8, viewed the Petya outbreak differently by leveraging threat hunting techniques.
A Microsoft Windows Sysinternals tool called Sysmon was used as a data source for analysis. Sysmon acts to link all observable activity on that system back to the responsible processes, making it an authoritative source of what’s happening on a computer. This means that conventional follow-on data collection to obtain such details is no longer required, which is beneficial for real-time threat hunting as well as forensic analysis.
The analysis of Petya was limited only by speed of thought, not tooling or data gaps as Sysmon events were sent to an aggregation point for further querying and historical analysis. In this case, the aggregation point is Elastic’s open source “Elastic Stack,” which consists of a Logstash aggregator, Elasticsearch cluster backend, and Kibana web user interface frontend.
The test environment consisted of:
- Windows 10 install on a Virtual Machine, preloaded with Sysmon v6, a custom configuration, and
- A logger that feeds events to Vector8’s analysis platform (Sysmon + Elastic Stack).
A confirmed sample of the Petya malware was then copied to the machine and the malicious DLL via rundll32.exe was manually run on the command line with the flag “#1” to activate the malware.
The events below were recorded by Sysmon and forwarded to the Vector8 cloud platform for analysis. This details how the malware behaves and provides insights into how to detect or prevent similar malware from executing in the future.
- Firstly, Rundll32.exe (the parent process) writes a copy of the DLL to ‘C:\Windows\’. This activity is unusual, but not necessarily malicious on its own.
- exe then accesses raw disk several times, presumably to modify the MBR. Accessing raw disk is abnormal, as it bypasses the filesystem structure to access the disk sectors directly. This level of disk access is not normal operations and is very suspicious, especially by Rundll32.
- exe schedules a task to force reboot of the system 60 minutes from time of execution. Rundll32 creating a scheduled task is a suspicious pattern that should trigger a hunter to investigate.
- exe writes a .tmp file in the user’s Local\Temp directory. Temp files created in this directory would not normally cause alarm, unless linked to another more suspicious event.
- exe kicks off the .tmp file it wrote earlier and directs it to a named pipe. As referenced above, since this .tmp file is now communicating with another process over a named pipe, a hunter would want to investigate the .tmp file as this is unusual behaviour as well.
- exe writes a file called dllhost.dat to C:\Windows\, which is a very suspicious event as data files are not normally written to that directory.
- The tmp file accesses another running process, lsass.exe. This event could be a solid candidate for a hunting trigger as it could be indicative of credential harvesting or some other abuse of Windows’ security authority service (lsass.exe). It is not unusual for lsass.exe to be accessed, but a .tmp file doing so is highly unusual.
Crucial insights into the behaviours this malware exhibits can be gleaned from the results this type of analysis provides. These behaviours can then be examined and turned into defensive measures such as hunting triggers or even preventative measures through endpoint tools, network tools, or system policies.
For this example, there are a number of behaviour patterns we can act as markers for suspicious behaviour:
- Process writes a .tmp file, and that .tmp file is later run as a process
- A .tmp file accesses lsass.exe
- A schtasks.exe process command line includes the “shutdown” switch
- Rundll32.exe writes files
- The string “pipe” is found in a process’ command line
- A .dat file is written to c:\windows\
- Raw access reads to DR0 volume
It is important to note that these patterns are all based on endpoint process metadata, like Sysmon output. In addition, the fidelity of each of these patterns depends on what is normal in your environment.
Threat hunting can be used as a powerful tool not only to detect malicious behaviour missed by other security measures, but also drive a deeper understanding of how malicious software, actor tools, and behaviours work. Threat intelligence is also a valuable weapon when combined with retrospective analysis, allowing the hunter to uncover previously unknown indicators in historical data. Only with detailed and complete knowledge can an intelligent strategy be implemented to proactively detect, respond or prevent attacks.
By Justin Swisher, Threat Analyst at Anomali and Kris Merritt, Co-Founder at Vector 8