Malware Hunter How To Guide for SecurityCenter Continuous View™

Upload: evan-boone

Post on 27-Dec-2015

Page 1: Malware Hunter How To Guide for SecurityCenter Continuous View™

Malware Hunter: How To Guide for SecurityCenter Continuous View™

Page 2

Tenable provides Continuous Network Monitoring™ to identify vulnerabilities, reduce risk, ensure compliance, and “hunt malware”.

Page 3

Hunting for Malware

• New versions of malware are released daily.
• Making a new dashboard for each malware can become complicated and time consuming.
• A new template was designed for malware hunting and can be customized for new malware.
• The new dashboard has Indicator of Compromise (IOC) components and template components.

Page 4

Malware Hunter Dashboard

• Left Side
  – These components are developed to be customized by the organization for each new malware.
  – Each will be discussed in detail.
• Right Side
  – These components are Indicators of Compromise (IOC) and are not intended to be modified.

Page 5

IOC Components

• There are 5 matrix components.
• These components provide several saved queries that can aid in the hunt for malware.
• Each of these components can be individually downloaded from the SecurityCenter feed or as a collection.
• These components contain indicators that may also occur with normal traffic and should be investigated and/or monitored for suspicious events.
  – Account Weakness - Suspicious Login Activity (Events from Last 72 Hours)
  – Indicators - Malicious Process Monitoring
  – Unknown Process - Microsoft Windows Autoruns
  – Verizon 2015 DBIR - Forensic Indicators
  – Verizon 2015 DBIR - Indicator of Compromise (IOC) Events

Page 6

IOC Components

Page 7

Template Components

• These components are templates that can be edited by the organization.
• Each component has a cell with the default filter; the other cells have sample content to be edited.
  – Malware Hunter - DNS Domains Watchlist (Last 72 Hours)
  – Malware Hunter - IP Address Any Event Traffic (Last 72 Hours)
  – Malware Hunter - Malicious Process Detection Using MD5 Hashes
  – Malware Hunter - Microsoft Windows Known Bad AutoRuns / Scheduled Tasks MD5 Hash Searches

Page 8

Template Components

Page 9

Malware Hunter: Malicious Process Detection Using MD5 Hashes

• This component uses the Malicious Process Detection plugins to monitor for the associated MD5 hashes identified by the FBI.
• Additionally, an indicator is used to help identify all the Malicious Process Detection plugins currently in SecurityCenter. There are several plugins that identify malicious processes; some focus on operating systems such as Windows, Linux, or Mac OS X, while others allow security administrators to input their own MD5 hashes or check for MD5 hashes identified by Mandiant. The indicators change color when a match is found.
• The red “Malicious Process Detection” indicator means that a match for one of these plugins was found. The remaining cells must be edited and the appropriate MD5 hash added to the Vulnerability Text filter. Once edited, those cells turn purple when a match is located.
• Many types of malware can be identified by different MD5 hashes. A hash match is exact: a repacked or recompiled variant of the same family carries a different MD5, so the hash list must be kept current.
• Edit the component and place the respective hashes in the filters.

Page 10

Malware Hunter: Malicious Process Detection Using MD5 Hashes

To edit the component, click on the arrow in the corner and select Edit.

Next, select the cell to be modified.

Page 11

Malware Hunter: Malicious Process Detection Using MD5 Hashes

• Next, edit the filter by selecting the pencil icon on the right hand side.
  – This is the Vulnerability Text field.
  – Put the full MD5 hash string in this field.
• Now change the indicators.
  – Put in the last 6 characters of each MD5.
  – Make sure to input the string into both the default setting and the match setting.

Page 12

Malware Hunter: Microsoft Windows Known Bad AutoRuns / Scheduled Tasks MD5 Hash Searches

• This component provides indicators of possible malware using the Microsoft Windows Known Bad AutoRuns / Scheduled Tasks plugin.
• Plugin 74442 (Microsoft Windows Known Bad AutoRuns / Scheduled Tasks) reports that the Windows system has one or more registry entries that are known to be associated with malware.
• The indicators change color when a match is found. The red “Bad AutoRun” indicator means that a match for plugin 74442 was found. The remaining cells must be edited and the appropriate MD5 hash added to the Vulnerability Text filter. Once edited, those cells turn purple when a match is located.
• Many types of malware can be identified by different MD5 hashes.
• Edit the component and place the respective hashes in the filters.

Page 13

Malware Hunter: Microsoft Windows Known Bad AutoRuns / Scheduled Tasks MD5 Hash Searches

To edit the component, click on the arrow in the corner and select Edit.

Next, select the cell to be modified.

Page 14

Malware Hunter: Microsoft Windows Known Bad AutoRuns / Scheduled Tasks MD5 Hash Searches

• Next, edit the filter by selecting the pencil icon on the right hand side.
  – This is the Vulnerability Text field.
  – Put the full MD5 hash string in this field.
• Now change the indicators.
  – Put in the last 6 characters of each MD5.
  – Make sure to input the string into both the default setting and the match setting.
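The two MD5 components above (Malicious Process Detection and Known Bad AutoRuns / Scheduled Tasks) follow the same recipe: the full hash goes in the Vulnerability Text filter, the last six characters label the indicator cell. The following Python is an added example, not code from the guide or from Tenable, showing how an analyst can prepare that list and check it against plugin output before typing it into the dashboard. The hash values are MD5s of short test strings (not real malware hashes), the family names are hypothetical, and the sample plugin text is constructed for this example; the real plugins' wording differs.

```python
import re

# Constructed IOC list: MD5s of short test strings grouped under hypothetical
# family names. Not hashes of real malware.
IOC_HASHES = {
    "family-a": [
        "d41d8cd98f00b204e9800998ecf8427e",
        "9E107D9D372BB6826BD81D3542A419D6",   # mixed case on purpose
    ],
    "family-b": [
        "e4d909c290d0fb1ca068ffaddf22cbd0",
    ],
}

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def normalize_md5(value: str) -> str:
    """Return the hash lower-cased, rejecting anything that is not 32 hex digits.

    The Vulnerability Text filter is a substring match, so a truncated or
    mistyped hash would silently match nothing; fail early instead.
    """
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", value):
        raise ValueError(f"not an MD5 hash: {value!r}")
    return value


def indicator_labels(ioc: dict) -> dict:
    """Map each full hash to the 6-character label the guide puts on the indicator.

    Raises if two hashes share a suffix: the indicator cell would then be
    ambiguous even though the filter itself still matches on the full hash.
    """
    labels, seen = {}, {}
    for hashes in ioc.values():
        for h in hashes:
            full = normalize_md5(h)
            short = full[-6:]
            if short in seen and seen[short] != full:
                raise ValueError(f"label {short} is shared by {seen[short]} and {full}")
            seen[short] = full
            labels[full] = short
    return labels


def find_hash_matches(vulnerability_text: str, ioc: dict) -> list:
    """Return (family, full_hash) for every watchlisted hash present in the plugin output."""
    wanted = {normalize_md5(h): fam for fam, hashes in ioc.items() for h in hashes}
    found = []
    for token in MD5_RE.findall(vulnerability_text):
        full = token.lower()
        if full in wanted and (wanted[full], full) not in found:
            found.append((wanted[full], full))
    return found


# Constructed sample of plugin output; the first hash is a made-up benign value.
SAMPLE_VULN_TEXT = """\
The following processes were found running on the host:
  C:\\Windows\\System32\\svchost.exe (MD5: 6b1ff4d3b2e6f7d4ee0b4b5d0b94a2c1)
  C:\\Users\\Public\\update.exe   (MD5: 9e107d9d372bb6826bd81d3542a419d6)
"""

if __name__ == "__main__":
    for full, short in indicator_labels(IOC_HASHES).items():
        print(f"indicator {short}  <-  filter {full}")
    for family, full in find_hash_matches(SAMPLE_VULN_TEXT, IOC_HASHES):
        print(f"MATCH {family}: {full}")
```

The suffix-collision check matters more than it looks: six hex characters are only 24 bits, and a hash list that grows over months of hunting will eventually produce two indicators with the same label.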

Page 15

Malware Hunter: DNS Domains Watchlist (Last 72 Hours)

• This component provides a series of indicators that report on DNS query events detected by PVS and logged to LCE.
• Each malware version often uses some sort of call-home or command-and-control method to contact the malware source. This matrix allows the analyst to monitor specific DNS patterns.
• Search for DNS queries captured by PVS using the “PVS-DNS_Client_Query” Normalized Event.
  – The raw message will contain a statement similar to this: The most recent DNS query performed was for: www.google.com to the server at 10.31.15.1
• The “DNS Client Query” indicator turns blue when data is present. The other indicators need to be modified to contain the FQDN of the domain name the organization is looking for.
• The FQDN can be searched for using keyword searches and Boolean logic. However, there is one important detail to remember: when searching the syslog text, all punctuation is removed and replaced with an AND, so www.google.com is translated to www AND google AND com. That search also matches any message containing those three tokens in a different order or alongside extra labels, so confirm a hit against the queried name in the raw message before treating it as the watched domain.
• Edit the component and place the respective DNS entries in the filters.

Page 16

Malware Hunter: DNS Domains Watchlist (Last 72 Hours)

To edit the component, click on the arrow in the corner and select Edit.

Next, select the cell to be modified.

Page 17

Malware Hunter: DNS Domains Watchlist (Last 72 Hours)

• Next, edit the filter by selecting the pencil icon on the right hand side.
  – This is the Syslog Text field.
  – Put the FQDN string or pattern in this field.
• Now change the indicators.
  – Put the FQDN for each indicator.
  – Make sure to input the string into both the default setting and the match setting.
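The tokenization rule for the Syslog Text filter (punctuation becomes AND) is the detail that produces false positives in this component. The Python below is an added example, not code from the guide or from Tenable: it emulates that filter over sample PVS-DNS_Client_Query messages in the format the guide quotes, then post-filters each hit by parsing the actual queried name. The assumption made for the emulation is that an AND search requires every token to appear somewhere in the message, in any order; the sample events are constructed, and www.google.com is used only because it is the guide's own sample domain.

```python
import re

# Raw message format quoted in the guide for the PVS-DNS_Client_Query event.
DNS_QUERY_RE = re.compile(r"DNS query performed was for: (\S+) to the server at (\S+)")


def tokenize(text: str) -> list:
    """Split on punctuation/whitespace, the way the guide says syslog text is indexed."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def syslog_text_match(raw: str, fqdn: str) -> bool:
    """Emulate a Syslog Text filter: 'www.google.com' becomes www AND google AND com.

    Assumption for this example: every token must appear somewhere in the
    message, in any order and at any position.
    """
    present = set(tokenize(raw))
    return all(t in present for t in tokenize(fqdn))


def exact_domain_match(raw: str, fqdn: str) -> bool:
    """Post-filter: parse the queried name and require an exact or subdomain match."""
    m = DNS_QUERY_RE.search(raw)
    if not m:
        return False
    queried = m.group(1).lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    return queried == fqdn or queried.endswith("." + fqdn)


def hunt(events: list, watchlist: list) -> list:
    """Return (fqdn, event, filter_hit, confirmed) for every event the filter would show."""
    results = []
    for fqdn in watchlist:
        for raw in events:
            if syslog_text_match(raw, fqdn):
                results.append((fqdn, raw, True, exact_domain_match(raw, fqdn)))
    return results


# Constructed sample events in the guide's message format (not real LCE records).
SAMPLE_EVENTS = [
    "The most recent DNS query performed was for: www.google.com to the server at 10.31.15.1",
    "The most recent DNS query performed was for: www.google.com.cdn-lookalike.example to the server at 10.31.15.1",
    "The most recent DNS query performed was for: google.www.com to the server at 10.31.15.1",
    "The most recent DNS query performed was for: mail.google.com to the server at 10.31.15.1",
    "The most recent DNS query performed was for: evil.www.google.com to the server at 10.31.15.1",
]
WATCHLIST = ["www.google.com"]   # the guide's own sample domain

if __name__ == "__main__":
    for fqdn, raw, filter_hit, confirmed in hunt(SAMPLE_EVENTS, WATCHLIST):
        status = "confirmed" if confirmed else "FALSE POSITIVE"
        print(f"{status:14} {raw.split('for: ')[1]}")
```

Of the five sample messages, the filter emulation shows four (only mail.google.com lacks the www token), and the post-filter keeps two: the exact name and its subdomain. The lookalike that merely embeds the watched labels and the reordered name are exactly the cases the AND translation cannot distinguish.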

Page 18

Malware Hunter: IP Address Any Event Traffic (Last 72 Hours)

• This component indicates whether specific IP addresses have been seen in LCE events over the last 72 hours.
• These events were collected using PVS, LCE Client, NetFlow, or other LCE collection methods.
• Each of these cells must be modified to reflect the targeted malware. Each malware version often uses some sort of call-home or command-and-control method to contact the malware source.
• This component allows the analyst to track any communication with the malicious addresses.
• Edit the component and place the respective IP addresses in the filters.

Page 19

Malware Hunter: IP Address Any Event Traffic (Last 72 Hours)

To edit the component, click on the arrow in the corner and select Edit.

Next, select the cell to be modified.

Page 20

Malware Hunter: IP Address Any Event Traffic (Last 72 Hours)

• Next, edit the filter by selecting the pencil icon on the right hand side.
  – The Address field is not present by default and needs to be added.
  – Put in the address or subnet that is known to host malware.
• Now change the indicators.
  – Put the address or subnet for each indicator.
  – Make sure to input the string into both the default setting and the match setting.
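The Address filter accepts either a single address or a subnet and is scoped to the last 72 hours of events from any collector. The Python below is an added example, not code from the guide or from Tenable, that reproduces that logic offline so a new watchlist can be sanity-checked against exported events before the cells are edited. The event records and the NetFlow-style line layout are constructed for this example (the DNS line follows the format the guide quotes), and the watchlist uses documentation address ranges rather than real C2 infrastructure.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_watchlist(entries: list) -> list:
    """Accept single addresses or CIDR blocks, as the component's Address filter does."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def addresses_in(raw: str) -> list:
    """Extract every valid IPv4 address from a raw event line, wherever it appears."""
    found = []
    for token in IPV4_RE.findall(raw):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:   # e.g. 999.1.1.1 fits the regex but is not an address
            pass
    return found


def within_window(ts: datetime, now: datetime, hours: int = 72) -> bool:
    """True if ts falls inside the trailing window the dashboard title names."""
    return now - timedelta(hours=hours) <= ts <= now


def hunt(events: list, watchlist: list, now: datetime, hours: int = 72) -> list:
    """Return (timestamp, address, matched_network, raw) for watchlisted traffic in the window."""
    hits = []
    for ts, raw in events:
        if not within_window(ts, now, hours):
            continue
        for addr in addresses_in(raw):
            for net in watchlist:
                if addr in net:
                    hits.append((ts, str(addr), str(net), raw))
                    break
    return hits


# Constructed sample events: (UTC timestamp, raw text). The DNS line follows the
# format the guide quotes; the NetFlow-style lines are a made-up layout.
NOW = datetime(2015, 12, 27, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (NOW - timedelta(hours=2),
     "The most recent DNS query performed was for: www.google.com to the server at 10.31.15.1"),
    (NOW - timedelta(hours=30),
     "netflow src=10.31.15.7 dst=203.0.113.45 dport=443 bytes=5120"),
    (NOW - timedelta(hours=50),
     "netflow src=10.31.15.9 dst=198.51.100.23 dport=8080 bytes=900"),
    (NOW - timedelta(hours=100),   # outside the 72-hour window
     "netflow src=10.31.15.9 dst=203.0.113.9 dport=80 bytes=300"),
]

# Constructed watchlist: documentation ranges (RFC 5737), not real C2 addresses.
WATCHLIST = build_watchlist(["203.0.113.0/24", "198.51.100.23"])

if __name__ == "__main__":
    for ts, addr, net, raw in hunt(SAMPLE_EVENTS, WATCHLIST, NOW):
        print(f"{ts:%Y-%m-%d %H:%M}  {addr:15}  in {net:17}  {raw}")
```

Matching on every address in the line, not only a source or destination field, mirrors the "Any Event Traffic" intent of the component: a watched address that shows up as a DNS server, a NetFlow peer, or inside a proxy log line all count.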

Page 21

Hunting for Malware

• To summarize, hunting for malware requires IOC components and custom components.
  – The IOC components are provided via the SecurityCenter feed and do not require updating.
  – The IOC components contain queries that also match legitimate activity; their results should be monitored for malicious activity.
  – The custom components are also available from the SecurityCenter feed.
  – The custom components need to be updated for each type of malware.
• For more support, check out the Discussion Forums and Customer Support Portal.
  – Indicators of Compromise and Malware – Tenable Customer Support Portal

Page 22