ITC Security Threat of the Week – Week 23: Who’s watching your endpoints?

 In ITC's Threat of the Week

Windows endpoints, probably the most common devices on any corporate network. How much attention do you pay to what’s happening on them?

We know that signature based AV is pretty reliable when it comes to detecting longstanding, static, malware threats but much less so when it comes to unique or dynamically modifying code. So called ‘Endpoint protection’ software is the next step up from pure signature based AV, generally detecting suspicious behaviour but also rather prone to false positives.

Let’s take a look at just three of the most common tricks malware can use to hide on your system:

“Autostart” applications – There are a whole host of Windows registry keys that control which applications will be loaded automatically under both system and user accounts when a Windows Machine starts up.

Many applications write to these keys as part of their normal installation process, mostly so that parts of the application can be loaded into RAM and the main app appear to launch more quickly than it otherwise would. iTunes, Java Updater app, Adobe Reader can all commonly be found referenced here.

Some of the key locations that control this behaviour and that you should keep an eye on are listed below. Whilst you might not need to worry if you’re confident the application you’re installing is from a trusted source, unexpected changes to any of these locations, particularly ones referencing high entropy/random executable filenames are a sure-fire sign that something’s awry on your machine.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

HKEY_LOCAL_MACHINE \ Software \Microsoft\Windows\CurrentVersion\Runonce

HKEY_LOCAL_MACHINE \ Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_LOCAL_MACHINE \ Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER \Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\RunOnce

“Browser Helper Objects”

We’ve all seen machines with dozens of Internet Explorer toolbars occluding the view of any actual webpage. Those toolbars are all what’s called “Browser Helper Objects”. They’re not all that helpful. Applications references in the registry key below will be called whenever Internet Explorer is loaded. Generally speaking, you’re better off without anything in this registry key at all. Treat anything that tries to write here with utmost caution. Again, an audit of your desktop estate for the contents of this key will probably throw up some interesting results.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

“Command Hijack”

Quite why Windows makes this so easy is beyond me, but it’s amazingly simple to hijack the execution of any and all executable by modifying some simple registry keys. By manipulating the two keys below, for example, I could force any bit of malware I liked to be run whenever a user attempted to run any executable:

HKEY_LOCAL_MACHINE\Software\Classes\Exefile\Shell\Open\command

HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command

Clearly there’s almost zero reason for these keys to be set as anything other than their default.

So – how much do you care about your Windows endpoints? What processes or systems do you have in place to detect changes to these, or any other, critical Windows registry locations? How quickly would you be able to detect a change and take action? What kind of isolation and remediation action could you actually take? Could you correlate what looked like an apparently benign registry key change with a suspicious firewall log and flag it for analysis?

If you can’t answer those questions confidently, please get in touch – we can help.

ITC positively love providing cutting edge Network Access Control (NAC) systems that are able to control access to your network based on detailed, granular assessment of endpoint compliance. We can go beyond simple questions like “Is your AV up to date?” and implement systems that grant access to specific parts of your network based on assessment of more advanced policies such as “Has the CRC for the critical file referenced at a specific registry location changed within the last two days? and is the user logged on a member of a user group with permissions to the Secret Powerpoints folder”

We adore integrating these NAC solutions with advanced security monitoring tools to give you the full picture of what’s happening on your network and provide the ability to immediately alert and granularly isolate and remediate endpoints based on suspicious activity correlated across not just the endpoint itself but also logs received from all the other devices in your network.

Author: Kevin Whelan

Recent Posts

Leave a Comment

Big Data IT Security Specilists