[Meta] Masquerading and Suspicious Child Processes on Business Apps

[w0rk3r]

Summary

Explore opportunities to detect masquerading and suspicious processes on commonly used business apps such as communication apps, browsers, and Windows native applications and processes.

### Tasks
- [x] Select a pool of Communication Apps to get started - Week 1
- [x] Select a pool of Browsers to get started - Week 1
- [x] Search for blogs, papers, or talks around masquerading and signature anomalies - Week 1
- [ ] ~~Search for previous vulnerable versions and exploits on communications apps, try to simulate - Week 1/2~~
- [ ] Look for malware score matches on processes matching communication app names, detonate them - Week 1
- [x] Look at ER/DR alerts matching communication app names - Week 1/2
- [x] Analyze Windows Signatures on specific paths, such as system32 - Week 2
- [x] Write new rules - Weeks 1 & 2

Goals

• Cover Scenarios where attackers abuse stolen certificates to sign trojanized applications and installers
• Introduce BBRs to gather data and baseline these application behaviors, after excluding common ones.
• Introduce initial coverage around suspicious installers that can be part of malicious Ad campaigns or that try to impersonate legitimate apps.

Resources:

https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-page-impersonating-slack-website-customer-798 https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign

Task Details

Select a pool of Communication Apps to get started

• Zoom
• Slack
• Outlook
• Teams
• Thunderbird
• Webex
• Discord
• RocketChat
• Mattermost
• Whatsapp

Select a pool of Browsers to get started

• Chrome
• Firefox
• Brave
• Island
• MS Edge
• Whale

Analyze Windows Signatures on specific paths, such as system32

Used Sigcheck to extract information about executables on System32 that comes in clean installs of Win10, Win11, Windows Server 2016, Windows Server 2019, and Windows Server 2022, then did some Python stuff to convert this output to JSON, those can be found here in their original format, and here in JSON.

PRs

• https://github.com/elastic/detection-rules/pull/2995
• https://github.com/elastic/detection-rules/pull/2997
• https://github.com/elastic/detection-rules/pull/2998
• https://github.com/elastic/detection-rules/pull/3006
• https://github.com/elastic/detection-rules/pull/3021
• https://github.com/elastic/detection-rules/pull/3022
• https://github.com/elastic/detection-rules/pull/3068

[brokensound77]

Has progress been started on this @w0rk3r? Any status updates?

[w0rk3r]

Closing this one as completed, the only task scoped which I'm postponing to a second phase is the malware score one. Once we promote the new BBR rules and have enough telemetry I'll work on it.