
Decoding Advanced Adversary Intent at Machine Speed

Erik Heuser, Chief Security Research Officer

The Kognos autonomous XDR investigative platform uses relationship graphs to capture all activity, interrogates that activity by dynamically asking pertinent questions based on current observations, and autonomously tracks malicious users or external actors throughout the network, assembling attack campaigns and bubbling the riskiest to the top. Each analysis node is powered by a Knowledge Graph-based inquiry engine inspired by the work done on the Mitre ATT&CK Matrix. To generate these attack campaigns, the analysis nodes perform several thousand queries against the relationship graph, and the platform auto-scales from hundreds of these analysis queries per second to thousands, based on need and load. The platform does this 24 hours a day, 365 days a year, and presents users with either a summary view or a forensic timeline of interesting events.

Case Study

Story summary

Here is a scenario meant to illustrate several key concepts of the platform. The attack begins when a dropper disguised as a resume is received by a Talent Manager in the HR department. The campaign summary is shown above; the detailed evidence timeline of the attack is enumerated below, step by step, with each step's associated timeline entry.

Persistence / Command & Control

The dropper unpacked the meterpreter implant into the user's Startup (autorun) folder and executed it; the implant immediately called back to the Command and Control server at 74.207.247.47.

Meterpreter Loading Powershell Extension

Shortly after, the meterpreter was issued commands to load its Powershell module. This was captured when the Powershell core libraries were loaded into the process after its initial execution. From this point on the platform considers this executable as capable as Powershell itself.

Invoke-Mimikatz Executed in-memory

Invoke-Mimikatz was run in memory, fetched from 151.101.0.133 (raw.githubusercontent.com). This technique is extremely difficult to find when executed in this fashion: there are no command-line artifacts, and Powershell.exe itself was never invoked from the command line.

Credential Access via in-memory Invoke-Mimikatz

A few seconds later the Mimikatz DLL was unpacked into memory and accessed the virtual memory space of lsass.exe, the Local Security and Accounting Subsystem, to scrape the passwords and hashes it holds in memory.

Remote Discovery Commands

Now that credentials have been harvested, the attacker begins to look around the network with Active Directory commands.

Remote Execution creates a Shadow Copy

Having identified the Domain Controller that the machine authenticated against, the attacker remotely creates a Shadow Copy of its system drive.

Remote Host Executing WMIC Commands

The platform is alerted to the remote execution and starts tracking on the targeted machine. It recognizes that WMI was used to execute commands remotely, tracks the activity onto the WMI Provider Host executable, correlates the logon event, and follows the process graph down to the commands that created the Shadow Copy.

Stage the Active Directory Database

The attack campaign timeline then jumps back to our original host where commands are executed to copy the NTDS.dit, the Active Directory database, to the Windows temp directory.

Staged Data Exfiltration

A share was quickly mounted, the NTDS.dit file copied, and the share deleted.

Remote Persistence

Sticky Keys persistence is set remotely, to ensure continued access even if the stolen passwords are changed.

Defense Evasion

Deleting the USN journal is an anti-forensics method commonly used to cover up evidence that sensitive data might have existed on a compromised system.

Process Injection

Finally, in case those actions are starting to filter up to security instrumentation, the actor injects the meterpreter into the WMI Provider Host. Because the Powershell module is still loaded in the meterpreter, the Powershell libraries follow and are loaded into that process as well.
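As an added example (not Kognos code), the three signals the timeline above leans on can be expressed as plain checks over endpoint telemetry: a non-PowerShell process loading the PowerShell engine library (the "capable as Powershell itself" step), a process opening lsass.exe (the credential access step), and a command spawned by the WMI Provider Host that creates a Shadow Copy (the remote execution step). The Sysmon-style field names and every host, PID, path and record below are assumed and constructed for illustration.

```python
import ntpath

def base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()

# Constructed Sysmon-style records: Event ID 1 = process create,
# 7 = image load, 10 = process access. Hosts, PIDs and paths are made up.
PS_DLL = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.dll"
DROPPER = r"C:\Users\tm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resume.exe"
LSASS = r"C:\Windows\System32\lsass.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"EventID": 7, "Host": "HR-WS01", "ProcessId": 4120, "Image": DROPPER, "ImageLoaded": PS_DLL},
    {"EventID": 7, "Host": "HR-WS01", "ProcessId": 5012, "ImageLoaded": PS_DLL,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 10, "Host": "HR-WS01", "SourceImage": DROPPER, "TargetImage": LSASS},
    {"EventID": 10, "Host": "HR-WS01", "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": LSASS},
    {"EventID": 1, "Host": "DC01", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": CMD, "CommandLine": "cmd.exe /c vssadmin create shadow /for=C:"},
    {"EventID": 1, "Host": "DC01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": CMD, "CommandLine": "cmd.exe /c vssadmin list shadows"},
]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
PS_ENGINE = "system.management.automation"  # matches the .dll and its .ni.dll image
LSASS_READERS_OK = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe"}  # assumed allowlist

def unbacked_powershell_hosts(events):
    """Processes that load the PowerShell engine without being a PowerShell host."""
    return sorted({(e["Host"], e["ProcessId"], base(e["Image"])) for e in events
                   if e["EventID"] == 7 and PS_ENGINE in base(e["ImageLoaded"])
                   and base(e["Image"]) not in POWERSHELL_HOSTS})

def lsass_access(events):
    """Processes outside the allowlist that open a handle to lsass.exe."""
    return sorted({(e["Host"], base(e["SourceImage"])) for e in events
                   if e["EventID"] == 10 and base(e["TargetImage"]) == "lsass.exe"
                   and base(e["SourceImage"]) not in LSASS_READERS_OK})

def wmi_spawned_shadow_copy(events):
    """Shadow Copy creation whose parent is the WMI Provider Host (remote execution)."""
    return sorted((e["Host"], e["CommandLine"]) for e in events
                  if e["EventID"] == 1 and base(e["ParentImage"]) == "wmiprvse.exe"
                  and "create shadow" in e["CommandLine"].lower())
```

Each function returns the matching (host, detail) tuples, so the three checks can be joined on host and time to reconstruct the same cross-host chain the timeline describes.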

Conclusions

There are hundreds to thousands of individual campaigns, possibly inter-related, happening on the average corporate network right now. This small scenario fired on a very small subset of the Knowledge Graph-based inquiry engine, but it illustrates how the platform can follow actors through the network and generate a coherent timeline that an analyst can quickly read to understand what is actually happening on their network.

As an analyst, are you seeing what is important?

Kognos continuously monitors billions of relationships to detect suspicious behavior. Once a behavior is detected, Kognos uses an AI-powered inquiry engine to ask thousands of forensic questions per second, fully contextualizing the attack and presenting the findings as complete attack campaigns so the analyst can respond in real time.


Copyright © 2021 Kognos, Inc. All Rights Reserved.