Threat Hunting for Unexpectedly Patched Systems

Threat hunting is the proactive search for anomalies related to threats that could harm an organization. These anomalies could be signs of intrusion as part of a malware campaign, ransomware attack, denial-of-service, data exfiltration or even crypto mining.

Threat hunters constantly look for abnormalities in the behavior of an endpoint or server that may be signs of compromise, intrusion, or exfiltration of data. They proactively check for signs that intruders are present now or were present in the past. To do this efficiently, threat hunters use tools that give them deep visibility and insight into the system-level microtransactions of every server and endpoint. One such sign is the detection of unexpectedly patched systems in the environment.

Today, several malware and ransomware families tend to patch the target system after the initial infection. One of the first of this kind was Win32/Patched, a.k.a. WinNT/Patched, a Trojan targeting the Microsoft Windows operating system that was first detected in October 2008. Files detected as “Trojan.Win32.Patched” are usually Windows components that have been patched by a malicious application. The purpose of the patching varies. For example, certain malware patches system components to disable security features, such as the Windows Safe File Check feature. Other malware adds parts of its code to a system component and then patches certain functions of the original file to point to the appended code.

Malware today often uses this technique to fix the flaw it originally exploited to get into the system, preventing a similar ‘hack’ by any other threat actor. According to the McAfee Labs Sep. 2017 Threat Report, 33% utilize ‘Unexpected patching of systems’ as an Indicator of Compromise for their threat hunting exercises.
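
One way to hunt for this indicator, shown as an added example that is not part of the original post: compare each endpoint's installed-hotfix inventory with the patch team's approved deployments and flag anything the change records do not explain. The hosts, KB numbers, timestamps, account names and record layout below are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (not from the original post): hotfix inventory as it
# might be exported from endpoints, and the patch team's approved deployments.
INSTALLED = [
    {"host": "ws-014", "kb": "KB0000001", "installed": "2024-03-13T02:10:00", "by": "NT AUTHORITY\\SYSTEM"},
    {"host": "ws-014", "kb": "KB0000002", "installed": "2024-03-20T15:42:00", "by": "CORP\\jdoe"},
    {"host": "srv-db2", "kb": "KB0000001", "installed": "2024-03-02T23:05:00", "by": "NT AUTHORITY\\SYSTEM"},
    {"host": "srv-db2", "kb": "KB0000003", "installed": "2024-03-14T01:30:00", "by": "NT AUTHORITY\\SYSTEM"},
]
APPROVED = [
    {"kb": "KB0000001", "hosts": {"ws-014", "srv-db2"}, "start": "2024-03-12T22:00:00", "end": "2024-03-14T06:00:00"},
    {"kb": "KB0000003", "hosts": {"srv-db2"}, "start": "2024-03-13T22:00:00", "end": "2024-03-15T06:00:00"},
]
# Assumption: accounts the sanctioned patch tooling installs updates under.
PATCH_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}


def in_window(plan, when):
    """True if the install time falls inside the plan's approved window."""
    return datetime.fromisoformat(plan["start"]) <= when <= datetime.fromisoformat(plan["end"])


def find_unexpected_patches(installed, approved, patch_accounts):
    """Return (host, kb, reason) for every hotfix that change records do not explain."""
    findings = []
    for rec in installed:
        when = datetime.fromisoformat(rec["installed"])
        # Approved deployments that cover this KB on this host.
        plans = [p for p in approved if p["kb"] == rec["kb"] and rec["host"] in p["hosts"]]
        if not plans:
            reason = "no approved deployment for this host"
        elif not any(in_window(p, when) for p in plans):
            reason = "installed outside the approved window"
        elif rec["by"] not in patch_accounts:
            reason = "installed by an account outside the patch tooling"
        else:
            continue  # fully explained by change records
        findings.append((rec["host"], rec["kb"], reason))
    return findings


if __name__ == "__main__":
    for host, kb, reason in find_unexpected_patches(INSTALLED, APPROVED, PATCH_ACCOUNTS):
        print(f"{host}\t{kb}\t{reason}")
```

A patch that appears before its approved window opens, as on the constructed host srv-db2, is the case closest to what the post describes: something fixed the flaw before the organization did.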

Receiving an unexpected patch could be linked with the fifth stage of (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Ifeanyi Egede. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/zu3ns3DbQJ4/