What's in a path?
Sometimes it is helpful, especially in a large organization, to break up a search like C2 or processes with netconn into categories based on the directory. The directory may even provide some help with triage as we can make some basic assumptions.
download: user initiated
temp: generally not user initiated
appdata: the installer wants to look legitimate
All of these are fuzzy, but I generally find potentially unwanted programs (PUPs) starting from Downloads, and the initial callback can help to identify them. Temp can be anything, but those are sometimes the most interesting. For AppData installs I generally look at the directory name first: legitimate installs mimic the installer name, while PUPs try to be clever and use a nonsense name.
Finding generic malware isn't sexy, but if you hope to find the tricky stuff then you'll need a good base detection for everything else. As usual, any filtering has been left out of these examples.
Executions from Appdata\roaming -not netconn
The rex is pulling out the directory name for easy visual review.
stats values pulls the unique path, md5 and computer, while dc(computer) counts the number of PCs with that path.
I use the rarity of the PC count and the number of times the path executed for filtering, since I am looking for an installer, which wouldn't be expected to run many times.
Netconn from Temp
The stats is just grouping things so they end up in the final table.
md5_count is the key here, as I use it for rarity.
This should be fairly unique in the environment.
Netconn from Downloads
I am grouping only by md5, so computer counts are available, but there could be several.
Rarity of both the domain and computer counts is the primary filter.
Next up: suspicious directories, for a broader look.
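The three searches above reduced to code, as an added example rather than the post's own Splunk searches: it buckets constructed process events by the directory they ran from, pulls the directory under AppData\Roaming the way the rex does, and computes execution count and dc(computer) per directory or md5 for rarity filtering. The event fields, sample paths and thresholds are assumptions.

```python
# Added example, not the original post's searches: directory-based triage plus rarity stats.
from collections import defaultdict
import re

# Constructed sample events, not real telemetry: (path, md5, computer, made_netconn)
EVENTS = [
    ("C:\\Users\\a\\AppData\\Roaming\\VendorApp\\setup.exe", "md5-aaaa", "PC1", False),
    ("C:\\Users\\b\\AppData\\Roaming\\VendorApp\\setup.exe", "md5-aaaa", "PC2", False),
    ("C:\\Users\\a\\AppData\\Roaming\\xkq9z\\run.exe", "md5-bbbb", "PC1", False),
    ("C:\\Users\\b\\AppData\\Local\\Temp\\tmp1.exe", "md5-cccc", "PC2", True),
    ("C:\\Users\\a\\Downloads\\installer.exe", "md5-dddd", "PC1", True),
    ("C:\\Users\\b\\Downloads\\installer.exe", "md5-dddd", "PC2", True),
]
# Order matters: Temp lives under AppData\Local, so it must be tested before appdata.
CATEGORY_RE = [("download", re.compile(r"\\downloads\\", re.I)),
               ("temp", re.compile(r"\\temp\\", re.I)),
               ("appdata", re.compile(r"\\appdata\\", re.I))]
ROAMING_DIR_RE = re.compile(r"\\AppData\\Roaming\\([^\\]+)\\", re.I)

def categorize(path):
    """download / temp / appdata / other; the first matching pattern wins."""
    return next((name for name, rx in CATEGORY_RE if rx.search(path)), "other")

def roaming_dir(path):
    """What the rex pulls out: the directory name directly under AppData\\Roaming."""
    m = ROAMING_DIR_RE.search(path)
    return m.group(1) if m else None

def rarity_table(events, keyfunc):
    """Group by keyfunc(event): execution count plus dc(computer), like the stats step."""
    runs, computers = defaultdict(int), defaultdict(set)
    for ev in events:
        k = keyfunc(ev)
        runs[k] += 1
        computers[k].add(ev[2])
    return {k: {"count": runs[k], "dc_computer": len(computers[k])} for k in runs}

def rare(table, max_dc=1, max_count=2):
    """Installer-like rarity filter: seen on few PCs and executed few times."""
    return sorted(k for k, v in table.items()
                  if v["dc_computer"] <= max_dc and v["count"] <= max_count)

if __name__ == "__main__":
    # Search 1: AppData\Roaming executions without a netconn, keyed on the rex'd directory.
    roaming = [e for e in EVENTS if categorize(e[0]) == "appdata" and not e[3]]
    print("rare roaming dirs:", rare(rarity_table(roaming, lambda e: roaming_dir(e[0]))))
    # Searches 2 and 3: netconn from Temp / Downloads, keyed on md5 for the md5 count.
    for cat in ("temp", "download"):
        sel = [e for e in EVENTS if categorize(e[0]) == cat and e[3]]
        print(cat, rarity_table(sel, lambda e: e[1]))
```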