
How To Detect Advanced Persistent Threats in QRadar

Detecting persistence of malicious software through a centralized monitoring system such as IBM QRadar can be a challenge. The straightforward approach, monitoring scheduled-task creation through the Windows Security log, does not provide enough information to determine whether a newly created scheduled task that runs a process in the environment is legitimate.

To detect possible malicious persistence on an endpoint device, Microsoft released "Autoruns" as part of Windows Sysinternals.

Autoruns has the most comprehensive knowledge of auto-starting locations of any startup monitor, showing which programs are configured to run during system boot or login. The utility also calculates hashes of each startup image and can cross-reference those hashes against VirusTotal to determine the public reputation of each startup entry.

Even though Autoruns is great for onsite investigations, it does not scale well: it does not generate a log file and does not contribute to the Windows event logs, so a SIEM never sees its findings.

For Autoruns to produce an ingestible log, we are going to use a script called AutorunsToWinEventLog.

What does AutorunsToWinEventLog do?

Autoruns conveniently includes a non-interactive command line utility (autorunsc). The script runs it to generate a CSV of Autoruns entries, converts each entry to JSON, and finally writes the entries into a custom Windows Event Log. By doing this, we can take advantage of our existing Windows Event Forwarding (WEF) infrastructure to get these entries into our SIEM and start looking for signs of malicious persistence on endpoints and servers.

Steps Required:

1. Obtain AutorunsToWinEventLog from https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog

2. Run the following command from an admin PowerShell console:

.\Install.ps1

The script will do the following by default:

  • Creates the directory structure at C:\Program Files\AutorunsToWinEventLog
  • Copies AutorunsToWinEventLog.ps1 to that directory
  • Downloads Autorunsc64.exe from https://live.sysinternals.com
  • Sets up a scheduled task to run the script daily at 11:00

Since it is a PowerShell script, it can be modified (for example, the schedule or the install path) with very basic programming knowledge.

3. Check the Windows Event Viewer after running the script.

After the first run, a new "Autoruns" log appears under Applications and Services Logs, and each Autoruns entry is stored there as a separate event.

4. Once the script has written the entries to the local Windows event log, we can use a WinCollect agent with the following XPath query to pull that information and send it to QRadar:

<QueryList>
  <Query Id="0" Path="Autoruns">
    <Select Path="Autoruns">*</Select>
  </Query>
</QueryList>

Note that the Path value must match the log name exactly ("Autoruns", without surrounding spaces), otherwise the agent will not find the log.

5. Manually create parsers for these events in QRadar. Because no IBM DSM supports this custom log, the events arrive as "unknown" and need a custom log source extension before their fields (entry location, image path, signer, hashes) can be used in rules and searches.

That's it! The Autoruns data will be fed into your QRadar environment automatically, and you will be able to detect persistent threats by comparing new entries against known-good ones.
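As an added illustration (not part of the original post or of the palantir project), this Python sketch shows the analyst side of the pipeline described above: parse the autorunsc CSV that AutorunsToWinEventLog converts to JSON, diff today's entries against a baseline run, and flag newly appeared entries that deserve a closer look. The column names follow autorunsc's CSV header (a subset is used); the sample rows are constructed.

```python
import csv
import io
import json

# Constructed sample of autorunsc CSV output (column subset; the real header also
# carries Time, Profile, Company, Version and several other hash columns).
BASELINE_CSV = """Entry Location,Entry,Enabled,Category,Description,Signer,Image Path,Launch String,SHA-256
HKLM\\System\\CurrentControlSet\\Services,WinDefend,enabled,Services,Microsoft Defender Antivirus Service,(Verified) Microsoft Windows,c:\\program files\\windows defender\\msmpeng.exe,C:\\Program Files\\Windows Defender\\MsMpEng.exe,aaaa1111
Task Scheduler,\\AutorunsToWinEventLog,enabled,Tasks,Windows PowerShell,(Verified) Microsoft Windows,c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe,powershell.exe -File AutorunsToWinEventLog.ps1,bbbb2222
"""

# Today's run: same two entries plus one new scheduled task (constructed).
TODAY_CSV = BASELINE_CSV + """Task Scheduler,\\Updater,enabled,Tasks,,(Not verified),c:\\users\\alice\\appdata\\roaming\\updater.exe,C:\\Users\\alice\\AppData\\Roaming\\updater.exe,cccc3333
"""

# Path fragments that a persistence image rarely lives in legitimately.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_autoruns_csv(text):
    """Turn autorunsc CSV rows into dicts, the shape the script serializes to JSON."""
    return list(csv.DictReader(io.StringIO(text)))


def entry_key(row):
    """Identity of an autostart entry: where it is registered, its name, what it runs."""
    return (row["Entry Location"], row["Entry"], row["Image Path"])


def new_entries(baseline_rows, today_rows):
    """Entries present today that were absent from the baseline run."""
    seen = {entry_key(r) for r in baseline_rows}
    return [r for r in today_rows if entry_key(r) not in seen]


def review_entry(row):
    """Reasons an entry deserves analyst attention (empty list means nothing flagged)."""
    reasons = []
    if not row["Signer"].startswith("(Verified)"):
        reasons.append("unsigned or unverified signer")
    if any(marker in row["Image Path"].lower() for marker in USER_WRITABLE):
        reasons.append("image in user-writable location")
    if row["Category"] == "Tasks" and not row["Description"]:
        reasons.append("scheduled task with no description")
    return reasons


def triage(baseline_csv, today_csv):
    """New entries since the baseline, each annotated with its review reasons."""
    rows = new_entries(parse_autoruns_csv(baseline_csv), parse_autoruns_csv(today_csv))
    return [dict(row, reasons=review_entry(row)) for row in rows]


def to_event_json(row):
    """Serialize one entry the way it would be stored in the custom event log."""
    return json.dumps(row, sort_keys=True)
```

In QRadar the same comparison can be expressed as a rule on the parsed Autoruns events (new entry location/image path pair not seen in a reference set, signer not verified), once the custom parser from step 5 exposes those fields.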

About QMasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.
