The Microsoft Sysinternal suite is commonly used by digital forensics and incident response teams as a cheap and easy to use approach for incident investigation and forensics in Windows systems. Despite their utility and value, the Cybereason Research Lab found that commonly used traditional Microsoft monitoring tools miss common attacker behavior such as privilege escalation, a commonly used technique by hackers that was believed to be used in the Home Depot breach.
We were interested to assess the ability of commonly used sysinternal tools to identify hard-to detect common attacker behavior of privilege escalation. Below are common use cases for privilege escalation, in which we tested three commonly used Microsoft monitoring tools: Sysinternals Process Monitor (procmon), Sysinternals Process Explorer (procexplor), and the lately launched Sysinternals System Monitor (sysmon).
Free eBook: Modern Retail Security Risk – Get your copy now.
Sysinternals tools are useful for detection of various malicious processes. However, given their popularity as breach forensics tools, we believe it is important to highlight their shortcomings. As privilege escalation is a common attacker behavior, we believe it is important to be aware of the limitations of these tools in spotting such attacker behaviors.
Privilege escalation is a critical and commonly used technique for attackers and is usually a first stepping stone enabling the hacker to completely take over the victim’s machine. It is important for Incident Investigation and SOC teams to be aware of common tools’ limitations in capturing such common behavior.
Our research found that Microsoft Sysinternals failed to capture escalated privileges in two distinct attack scenarios.
1 – Consider alternative investigation tools and use them altogether for better coverage of various attack scenarios.
2 – Perform the test as described in this document to simulate escalated privileges and test whether the tools used by your team for forensics properly capture the attack. For information and guidance, visit our website www.cybereason.com or contact us: firstname.lastname@example.org.
The original article can be viewed on the Cybereason Research Lab blog here.
Cybereason is the only solution to detect, in real-time, both known and unknown attacks and connect isolated indicators of compromise to form a complete, contextual attack story. Cybereason automatically reveals the attack TRACE elements: Timeline, Root cause, Adversary Activity, Communication and affected Endpoints and Users, to enable accurate and effective response.