There are malware tools available that can create Windows services with random service names and descriptions. An Emotet infection is an example of malicious services being created on a machine. This is due to how Emotet installs itself: it creates randomly named numeric services, which in turn try to run another randomly named executable in C:\Windows [1]. The example below shows four Emotet services (other infections may create more) on an infected machine.


Hunting Malware by Detecting Random Strings in LOGTITAN NG SIEM


Numerous malware families also create registry keys for persistence with randomized key names and values [2]. Filenames may also be an indicator of malware [3,4]; Emotet, for example, uses random file names. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. It continues to be among the costliest and most destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.

One last example is process names; malware will often place a randomly named copy of itself into a randomly named folder under AppData. There are two potential detections here: one on the name of the binary itself, and one on the randomly named folder in which it resides [5].

Monitoring for infected files

  • C:\Windows
  • C:\Program Files
  • C:\Windows\ProgramData
  • C:\Users\[current user]\AppData
  • C:\Users\[current user]\AppData\Roaming
  • C:\Users\[current user]\AppData\Roaming\Microsoft
  • C:\Windows\SysWOW64
  • …

LOGTITAN detects randomly named files, registry keys, services and processes (both the created object and the process that spawned it) in real time.

LOGTITAN utilizes:

Event ID 7045 — A service was installed in the system

Event ID 4688 — A new process has been created

Event ID 4656 — A handle to an object was requested (file and registry objects)

Event ID 4697 — A service was installed in the system

Sysmon [7]

On Linux, monitor the /var/log/audit/audit.log file.
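The detection the event sources above feed, as an added illustration (not LOGTITAN's own code or scoring model): a pronounceability heuristic applied to the service name and to every folder and file name in the image path of constructed 7045/4697 and 4688 records. Numeric-only names catch Emotet-style services; names with no vowels or a long consonant run catch random alphabetic names. Field names, thresholds and the sample events are assumptions chosen for the example.

```python
import re

# Constructed sample records (not real telemetry), one dict per event.
# 7045/4697 carry a service name and image path; 4688 carries the new process path.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "WinDefend",
     "ImagePath": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 7045, "ServiceName": "835471269",
     "ImagePath": r"C:\Windows\qzkxwvpfjt.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Users\alice\AppData\Roaming\xkqwjzrtv\pfhvzxnq.exe"},
]

def is_random_name(name):
    """Heuristic for a randomly generated file, folder or service name:
    all digits (Emotet-style numeric services) or an unpronounceable
    letter string (long consonant run, almost no vowels). Plain character
    entropy is deliberately not used: short names give little contrast."""
    stem = re.sub(r"\.[a-z0-9]{1,4}$", "", name.lower())   # drop extension
    if stem.isdigit():
        return len(stem) >= 6
    letters = re.sub(r"[^a-z]", "", stem)
    if len(letters) < 8:
        return False                     # too short to judge reliably
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters)
    longest_run = max(len(r) for r in re.split(r"[aeiouy]", letters))
    return longest_run >= 5 or vowel_ratio <= 0.1

def suspicious_names(event):
    """Return (field, value) pairs in one event whose name looks random."""
    hits = []
    if event["EventID"] in (7045, 4697):
        if is_random_name(event["ServiceName"]):
            hits.append(("ServiceName", event["ServiceName"]))
        path = event["ImagePath"]
    else:
        path = event["NewProcessName"]
    # check the executable and every folder on the path: a random folder
    # under AppData is as telling as a random binary name
    for part in path.split("\\")[1:]:    # skip the drive letter
        if is_random_name(part):
            hits.append(("Path", part))
    return hits

def scan(events):
    """List (EventID, hits) for every event that has at least one hit."""
    results = []
    for event in events:
        hits = suspicious_names(event)
        if hits:
            results.append((event["EventID"], hits))
    return results
```

The thresholds produce false positives on legitimate consonant-heavy names (for example vendor abbreviations), so in practice the output is a hunting lead to be combined with path context and an allow-list, not a verdict on its own.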

Suspicious processes, files, and services are detected in real time and shown in the InstallOperation field of the LOGTITAN schema. LOGTITAN uses ML to classify these processes, files, and services as suspicious.


References

  1. https://community.sophos.com/kb/en-us/127218
  2. https://www.tripwire.com/state-of-security/mitre-framework/evade-detection-hiding-registry/
  3. https://community.spiceworks.com/topic/2168878-remove-new-emotet-trickbot-malware
  4. https://blog.talosintelligence.com/2019/08/threat-roundup-0726-0802.html
  5. https://www.dell.com/support/article/tr/tr/trdhs1/sln285424/security-scanner-malware-removal-guide?lang=en
  6. https://labs.jumpsec.com/2019/02/06/enhanced-logging-to-detect-common-attacks-on-active-directory-part-1/
  7. https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554993664.pdf
  8. https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
  9. https://securityboulevard.com/2019/06/security-alert-fin8-is-back-in-business-targeting-the-hospitality-industry/
  10. https://www.binarydefense.com/trickbot-ono-new-tricks/
  11. https://blog.malwarebytes.com/detections/trojan-emotet/