

Detecting Exploitation of Legitimate User Accounts via Carbon Black
December 9, 2015 / Bruce Van Dyke

One of the major initiatives in every major organization is provisioning, deprovisioning and managing user accounts. New employees need accounts, employees who transfer roles between departments need adjustments to what they are allowed to access, new systems/apps are deployed, old systems get retired and so on.

A common tactic used by attackers is to piggyback on legitimate user accounts and hide their malicious activity within the day-to-day business transactions that require the use of these accounts. Once an attacker gains access to a system and can capture legitimate credentials, they can proceed with their reconnaissance and exploitation by looking like legitimate traffic.

Controlling use of credentials is not a simple matter. Getting visibility into WHEN credentials are used, by WHOM and from WHAT device is difficult (if not impossible) for many organizations. This is the perfect storm for attackers to navigate in, because they can operate easily without detection.

Frequently, security and compliance audits identify credential management as a key control. However, enforcement and visibility to actual credential execution is very difficult to measure and control. Carbon Black excels at providing visibility to any process execution. Typically, our customers use it for finding suspicious and malicious patterns of behavior that are indicative of attackers executing malware.

The exact same approach can be used to watch execution of legitimate software that the business relies on to operate. In the case of inappropriate use of credentials, Carbon Black can be configured to look for usage of remote desktop, ftp, psexec, and other tools that can be used inappropriately by looking at east-west traffic or abnormal behavior.

For example, to see when particular applications run, something as simple as this watchlist would watch for particular processes being created:

process_name:mstsc.exe or process_name:ftp.exe or process_name:psexec.exe

Also, because Carbon Black sees the username and domain associated with each process launch, you can monitor which user accounts are running processes on a given server, or where non-domain (local) accounts are being used:

hostname:<myserver> -username:<expected usernames> -username:system

hostname:<myserver> username:* -username:<mydomain>

In this case, why is the “Sales Engineer” account, a local account, being used instead of a domain account? Because we were able to search for a particular machine and then negate any domain or system accounts, we can find local privileges that go against our policy. The best part is we can alert on them (or even network isolate or ban hashes) automatically next time because of the watchlists.
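The three watchlist queries above express a small amount of filtering logic: match on process name, match on host while excluding expected and system accounts, and match on host while excluding the corporate domain. The following Python is an added example (not Carbon Black code, and not the product's API) that applies the same three rules to constructed process-launch records carrying the fields the queries reference: hostname, username as the sensor reports it ("DOMAIN\user" for domain accounts, "HOST\user" for local accounts) and process_name. The host name FILESRV01, the domain CORP and every user name are constructed placeholders. It goes slightly beyond the page's queries by treating LOCAL SERVICE and NETWORK SERVICE as system accounts alongside SYSTEM.

```python
"""Apply the post's three watchlist rules to constructed process-launch events.

Added example, not Carbon Black code. Field names mirror the query terms in
the post (hostname, username, process_name); all sample values are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    hostname: str       # endpoint the process ran on
    username: str       # as reported: "DOMAIN\\user", "HOST\\localuser" or "SYSTEM"
    process_name: str   # image name, e.g. "mstsc.exe"


# Constructed sample data: one server, one workstation, a mix of accounts.
SAMPLE_EVENTS = [
    ProcessEvent("FILESRV01", "CORP\\jsmith", "excel.exe"),
    ProcessEvent("FILESRV01", "CORP\\jsmith", "mstsc.exe"),
    ProcessEvent("FILESRV01", "SYSTEM", "svchost.exe"),
    ProcessEvent("FILESRV01", "FILESRV01\\Sales Engineer", "cmd.exe"),
    ProcessEvent("FILESRV01", "CORP\\svc_backup", "psexec.exe"),
    ProcessEvent("WKSTN-22", "CORP\\alee", "ftp.exe"),
]

# Built-in Windows service accounts; the post's query only negates "system",
# this example also treats the two service accounts as system accounts.
SYSTEM_ACCOUNTS = {"system", "local service", "network service"}


def account_parts(username: str) -> tuple:
    """Split 'AUTHORITY\\account' into (authority, account), lower-cased.

    A bare account name such as 'SYSTEM' yields an empty authority.
    """
    authority, _, account = username.rpartition("\\")
    return authority.lower(), account.lower()


def is_system_account(username: str) -> bool:
    authority, account = account_parts(username)
    return account in SYSTEM_ACCOUNTS and authority in ("", "nt authority")


# Rule 1: process_name:mstsc.exe or process_name:ftp.exe or process_name:psexec.exe
REMOTE_ACCESS_TOOLS = {"mstsc.exe", "ftp.exe", "psexec.exe"}


def remote_tool_hits(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    return [e for e in events if e.process_name.lower() in REMOTE_ACCESS_TOOLS]


# Rule 2: hostname:<myserver> -username:<expected usernames> -username:system
def unexpected_user_hits(events: Iterable[ProcessEvent], server: str,
                         expected_users: Iterable[str]) -> List[ProcessEvent]:
    expected = {u.lower() for u in expected_users}
    return [
        e for e in events
        if e.hostname.lower() == server.lower()
        and e.username.lower() not in expected
        and not is_system_account(e.username)
    ]


# Rule 3: hostname:<myserver> username:* -username:<mydomain>
def non_domain_account_hits(events: Iterable[ProcessEvent], server: str,
                            domain: str, ignore_system: bool = True) -> List[ProcessEvent]:
    """Processes on `server` run by accounts whose authority is not `domain`.

    The query as written in the post does not negate the system account, so
    SYSTEM shows up too; the post's explanation negates both, which is the
    default here (ignore_system=True).
    """
    hits = []
    for e in events:
        if e.hostname.lower() != server.lower():
            continue
        authority, _ = account_parts(e.username)
        if authority == domain.lower():
            continue
        if ignore_system and is_system_account(e.username):
            continue
        hits.append(e)
    return hits


if __name__ == "__main__":
    for e in remote_tool_hits(SAMPLE_EVENTS):
        print("remote tool:", e)
    for e in unexpected_user_hits(SAMPLE_EVENTS, "FILESRV01", ["CORP\\jsmith"]):
        print("unexpected user on server:", e)
    for e in non_domain_account_hits(SAMPLE_EVENTS, "FILESRV01", "CORP"):
        print("local account on server:", e)
```

Against the constructed data, the third rule surfaces exactly the case the post describes: a local "Sales Engineer" account running a process on the server where only CORP domain accounts are expected. The second rule additionally flags the domain service account svc_backup launching psexec.exe, which is the kind of hit worth reviewing against the server's expected-user list rather than suppressing outright.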

This provides the ability to rapidly and automatically identify suspicious use of credentials, whether it’s an insider accessing information they should not have rights to, or an attacker using legitimate credentials to probe and move laterally.

Carbon Black has extraordinary flexibility to help in many areas. It will automatically find execution of vulnerable applications such as Java, Flash, or Acrobat; patterns of suspicious behavior such as modifying Windows Services or using PowerShell in particular ways; and the execution of known malware. Beyond this, with centralized, indexed, searchable data, the power to hunt for suspicious activity (even going back in time) is truly game changing.

Carbon Black automatically correlates multiple sources of threat feed data to automatically detect malicious activity. Additionally, you can extend its utility to find inappropriate use of credentials by legitimate insiders or malicious use of credentials by attackers who are active inside your company.

TAGS: bit9 / Carbon Black / cyber attacks / detection / User accounts / watchlists