Demo of SDR Exporter and RCA Threat Case investigation:

For the attack to get as far as it did I had to turn off 90% of the Sophos endpoint protections. In the scenario the adversary compromises the endpoint and downloads multiple malware tools, only one of which is caught. The RCA will show both the convicted software and the suspect files downloaded that did not trigger a detection. The SDR Exporter can be used to see the command line options used in the attack and how the adversary established the initial control.

Check out the Video https://vimeo.com/281641808 

In the video we want to use the SQL version of the data recorder information to find out how notepad.exe was launched, because the Threat Case information in Central appears to stop too early to identify the root cause.

This video will show you how to convert a snapshot to SQL and load it into a SQLite browser to hunt for additional information, such as the command line used by a PowerShell process or the parent process of a suspect executable.
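As an added illustration of the parent-process hunt described above (not code from the video or from the SDR Exporter), the following walks a process ancestry chain in a SQLite database with a recursive query. The table layout and the sample rows are constructed assumptions; the real converted snapshot will use its own table and column names, so adjust the query to match.

```python
import sqlite3

# Constructed, hypothetical rows standing in for a snapshot converted to SQLite.
# Columns: (pid, ppid, image, command_line). Real exporter schema may differ.
SAMPLE_ROWS = [
    (4100, 900,  "explorer.exe",   "explorer.exe"),
    (4320, 4100, "iexplore.exe",   "iexplore.exe http://c2.example.test/lure"),
    (4410, 4320, "mshta.exe",      "mshta.exe C:\\Users\\u\\Downloads\\lure.hta"),
    (4520, 4410, "powershell.exe", "powershell.exe -NoProfile -WindowStyle Hidden -File stage.ps1"),
    (4600, 4520, "dropper.exe",    "C:\\Users\\u\\Downloads\\dropper.exe"),
    (4700, 4600, "notepad.exe",    "notepad.exe"),
]

def open_sample_snapshot():
    """Build an in-memory database with the constructed process table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE process (pid INTEGER, ppid INTEGER, image TEXT, command_line TEXT)")
    conn.executemany("INSERT INTO process VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

# Recursive CTE: start at the suspect image and follow ppid -> pid until no parent exists.
ANCESTRY_SQL = """
WITH RECURSIVE chain(pid, ppid, image, command_line, depth) AS (
    SELECT pid, ppid, image, command_line, 0 FROM process WHERE image = ?
    UNION ALL
    SELECT p.pid, p.ppid, p.image, p.command_line, chain.depth + 1
    FROM process p JOIN chain ON p.pid = chain.ppid
    WHERE chain.depth < 32   -- guard against cyclic or corrupt ppid data
)
SELECT depth, pid, image, command_line FROM chain ORDER BY depth
"""

def ancestry(conn, image):
    """Return [(depth, pid, image, command_line), ...] from the suspect process up to the root."""
    return conn.execute(ANCESTRY_SQL, (image,)).fetchall()

def root_cause(conn, image):
    """Image name of the outermost ancestor found, or None if the image is absent."""
    rows = ancestry(conn, image)
    return rows[-1][2] if rows else None

if __name__ == "__main__":
    db = open_sample_snapshot()
    for depth, pid, img, cmd in ancestry(db, "notepad.exe"):
        print(f"{'  ' * depth}{img} (pid {pid}): {cmd}")
```

Running it prints the chain from notepad.exe back through dropper.exe, powershell.exe and mshta.exe to the browser and explorer.exe, which is exactly the gap the threat case left open.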

Attack:

  • User browses to C2 site that downloads an HTA Application
  • User allows HTA to run
  • Adversary now has a Meterpreter session running
  • Attacker elevates privileges
  • downloads putty.exe
  • downloads dropper.exe
  • runs dropper.exe
    •  dropper creates an alternate data stream and runs
    •  connects to C2 site
    •  Embeds itself in an autostart registry entry
    •  runs powershell and does more stuff
  • runs putty.exe (to confirm additional backdoor works)
  • Detected by HMPA and cleanup initiated
  • RCA generated
  • Meterpreter sessions killed

ADMIN ACTIONS

Explore the Threat Case and submit files to SophosLabs for more information, then use the SDR Exporter to get more detailed information than is available in the Threat Case.

Have fun and feel free to post questions on the forum on this or any other topic related to the EAP for EDR. 

Thanks All