The title of this blog is an inner quandary faced by security analysts every day. Truth be told, it’s an excellent question and, in any given situation, you’ll find that the answer varies. If you’ve been an analyst for a while, perhaps you’d say: I got an alert? That’s easy, investigate it.

But what does that actually mean? The gravity of such a question is worth exploring on a fundamental level. When we get an alert, there is logic behind that alert that leads to the output we, as analysts, receive. Sometimes we can see the full logic in front of us; other times we cannot. In this particular case, we can’t see everything, but we are given a decent description of what is happening. With this information, we can infer that the alert is looking for the launching of a program that is considered suspicious. So, let’s dig in!

What is the alert telling me?

To truly understand the purpose of the alert, you have to sit back and observe what is on the screen. Above all else, take note of the facts presented to you before forming hypotheses or assumptions about what may or may not be occurring. What we know (and see) is that excel.exe is spawning regsvr32.exe. Now, let’s take a look at the hash of the file Excel opened and take note of it. Depending on the tooling you have, this would be recorded in a file creation event.

Again, we can see that Excel launched regsvr32.exe. Is it suspicious, though? There are a couple of things we can do to answer this question. First, we need to understand what regsvr32 is used for and, for that, it’s always best to go straight to the source: Microsoft’s documentation describes it as registering “.dll files as command components in the registry.” Alright, easy enough. Next, we need to examine the command line of regsvr32.exe to determine if anything funky is going on. The DLL it is loading is named efhj.dll. Could that be an acronym? Sure, but we’d definitely need to confirm that. For now, let’s take note of it and move on. The name itself is interesting, but assessing the hash of the file will prove more fruitful. What is the hash of efhj.dll? You can get this data either from the point at which the original file was written to disk or from when it was loaded with this regsvr32 command. Additionally, the file could be pulled from the device so that you can run an MD5 checksum on it yourself. For the sake of those following along, the hash is: 878e47c8656e53ae8a8a21e927c6f7e0.

Determining if it’s a threat

While there are other processes spawned from regsvr32.exe that could be explored, we need to avoid all rabbit holes (as tempting as they are) and focus on the task at hand: is this a threat we need to take action on? Our methodology is to start with the data points provided in the alert that would be considered an indicator of compromise (IOC). An IOC can be a lot of different things, with some more difficult to identify and act upon than others. The Pyramid of Pain diagram simplifies this a bit. The easiest indicators to identify and act on are hashes, IP addresses, and domain names. As you move up the pyramid, it becomes increasingly difficult to identify and, ultimately, build detections for things like host artifacts, tools, and TTPs.

Speaking of hashes, let’s check to see if the hashes of the executables used are what they actually say they are. Some attackers will name their tools something that looks legitimate, but when searched, the hash will reveal “evil.” So, let’s take a look at regsvr32.exe. We like to use VirusTotal for this, but you can also use other public sandboxes such as Malware Bazaar or Triage. You can see that the file itself is distributed by Microsoft, but that does not mean it can’t be used for evil. Often attackers will leverage the tools that are already on a device to accomplish their goals. It’s just like how someone may have a legitimate key to the building but might be using it to do something they shouldn’t. So, just because the hash of a file is clean does not mean the activity coming from it is safe. When we search the hashes for SummerBudget2022.xlsx and efhj.dll, the results are pretty telling: 29 vendors flag the Excel file as malicious and 55 flag the DLL. Now that we know we’re working with a threat, we still have some questions to answer.
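As an added example (not code from the original post), the following Python triage helper applies the two checks walked through above to constructed process-creation events: it flags an Office application spawning regsvr32.exe with a DLL argument, then hashes the file contents so the MD5 can be compared against hashes already judged malicious. The event lines, file paths and the OFFICE_PARENTS list are assumptions made for the example; the only known-bad hash is the efhj.dll MD5 quoted in the write-up.

```python
import hashlib
import re

# Assumed set of Office parents that should rarely, if ever, spawn regsvr32.exe.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# MD5s already judged malicious; the efhj.dll hash from the write-up is the only entry.
KNOWN_BAD_MD5 = {"878e47c8656e53ae8a8a21e927c6f7e0"}

# Constructed process-creation events (Sysmon-like key=value fields, "|"-separated); not real telemetry.
SAMPLE_EVENTS = """\
ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|Image=C:\\Windows\\System32\\regsvr32.exe|CommandLine=regsvr32.exe /s C:\\Users\\user\\AppData\\Local\\Temp\\efhj.dll
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\regsvr32.exe|CommandLine=regsvr32.exe /s C:\\Windows\\System32\\vbscript.dll
ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe notes.txt
"""

DLL_ARG = re.compile(r"(\S+\.dll)(?=\s|$)", re.IGNORECASE)

def parse_event(line):
    """Turn one 'Key=Value|Key=Value' line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_event(event):
    """Return the facts worth noting when an Office app spawns regsvr32.exe, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child != "regsvr32.exe":
        return None
    cmd = event.get("CommandLine", "")
    match = DLL_ARG.search(cmd)
    return {
        "parent": parent,
        "silent": "/s" in cmd.lower().split(),  # /s suppresses regsvr32's dialog boxes
        "dll": match.group(1) if match else None,
    }

def triage_log(text):
    """Run triage_event over every non-empty line and keep only the hits."""
    return [h for h in (triage_event(parse_event(l)) for l in text.splitlines() if l.strip()) if h]

def md5_of_bytes(data):
    """MD5 of a file's contents, i.e. the value you would search on VirusTotal."""
    return hashlib.md5(data).hexdigest()

def hash_verdict(md5):
    """Known-bad if the hash was already judged malicious; otherwise it still needs a lookup."""
    return "known-bad" if md5.lower() in KNOWN_BAD_MD5 else "unknown: search it on VirusTotal or a public sandbox"
```

Only the first sample event is reported, because explorer.exe registering a Microsoft DLL and Word opening Notepad do not match the Office-parent-to-regsvr32 pattern the alert describes.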