Cyber adversaries, or malware authors, are motivated to remove traces of malware execution for a variety of reasons, including evading defense mechanisms and ensuring that malware researchers cannot easily get hold of the malicious files. The MITRE ATT&CK Matrix classifies such defense evasion under the “Indicator Removal on Host” technique, which has several sub-techniques, one of them being “File Deletion”.
“Scope of visibility” is one of the essential elements of an effective cybersecurity strategy. Needless to say, the breadth of visibility goes hand in hand with the ability to manage the costs of creating that visibility. These costs include not only the sensors that generate the visibility and the storage for the data, but also the operational and analytical effort needed to turn that visibility into information, because “visibility” itself has many nuanced layers. For example, in the world of endpoint security, EDRs provide such sensors and usually have coverage to detect file deletion events. The importance of capturing file deletion was further validated when Microsoft’s Sysmon, arguably one of the most commonly used tools for monitoring system activity, added file deletion event monitoring starting with version 11.0, released in early 2020. But does that mean that this visibility is enough to cover the technique the ATT&CK matrix is hinting at? Let’s find out.
The standard Win32 method for deleting a file is to open it with FILE_FLAG_DELETE_ON_CLOSE: when the CreateFile() API is invoked with this flag, the file is marked for deletion when the handle is closed. Similar functionality is provided by the DeleteFile() API, which deletes the file from the file system. Either of the two methods is captured via a Windows mini-filter driver or via API monitoring (used by most EDR sensors and other monitoring tools), where the same set of operations is observed regardless of the user-space Win32 API used. Such events are reported as Event 26 (FileDelete) by Sysmon, as described in the blog above. A similar event is captured by the EclecticIQ Osquery Extension, which adds real-time event monitoring capability to the Osquery agent. Osquery’s SQL interface allows these events to be formatted and structured into SQL tables that are easy to ingest, store, and query to generate insights from the visibility data.
The image above shows the two agent sensors, Sysmon and Osquery agent with the EclecticIQ extension, capturing a file deletion event generated by a test tool posted here. But then here’s a catch. [Wouldn’t make for an interesting read if there was no catch]
The Windows operating system provides several methods for a file to be deleted. In order to self-delete, malware such as Zero-Access uses another trick that helps it escape such monitoring of deleted files. This method requires that the DeleteFile member of FILE_DISPOSITION_INFORMATION be set to TRUE with the SetFileInformationByHandle() API.
In the image above, the test tool creates a dummy file and deletes it by setting the DeleteFile flag in FILE_DISPOSITION_INFORMATION. Apparently, when a file is deleted with this technique, Sysmon does not trigger a FileDelete event. When the same test is run with Sysmon v13.31 running in the background, we can see that Sysmon has captured the FileCreated event but does not report any FileDelete event.
These nuanced gaps in visibility allow malware authors to adopt techniques to avoid detection by Blue Teamers and Incident Responders.
In the latest version of the EclecticIQ Osquery extension (also provided as part of EclecticIQ Endpoint Response), functionality has been added to detect file deletions performed by setting the disposition, in addition to the existing capture of standard file deletion events. The event appears under the file system events collected by the extension with the action FILE_DELETE_BY_DISP.
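The coverage gap described above can be measured by reconciling the two sensors' delete events per path. The following is an added example, not code from EclecticIQ or Sysmon; the record layout, the `FILE_DELETE` action name, the timestamps and the helper names are constructed assumptions, while Event 26 and `FILE_DELETE_BY_DISP` come from the text.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions, not either tool's schema.
SYSMON = [
    {"event_id": 11, "time": "2022-03-01T10:00:00", "path": r"C:\Temp\a.tmp"},
    {"event_id": 26, "time": "2022-03-01T10:00:02", "path": r"C:\Temp\a.tmp"},
    {"event_id": 11, "time": "2022-03-01T10:05:00", "path": r"C:\Temp\b.tmp"},
    {"event_id": 11, "time": "2022-03-01T10:10:00", "path": r"C:\Temp\a.tmp"},
]
EXTENSION = [
    {"action": "FILE_DELETE", "time": "2022-03-01T10:00:02", "path": r"c:\temp\a.tmp", "pid": 4120},
    {"action": "FILE_DELETE_BY_DISP", "time": "2022-03-01T10:05:01", "path": r"c:\temp\b.tmp", "pid": 4188},
    {"action": "FILE_DELETE_BY_DISP", "time": "2022-03-01T10:10:03", "path": r"c:\temp\a.tmp", "pid": 4188},
]

SYSMON_CREATE_ID = 11          # FileCreate
SYSMON_DELETE_IDS = {23, 26}   # FileDelete (archived) and FileDeleteDetected


def _key(path):
    # Windows paths are case-insensitive; normalise before comparing sensors.
    return path.replace("/", "\\").lower()


def unseen_deletes(sysmon, extension, window=timedelta(seconds=5)):
    """Return extension delete events with no Sysmon delete for the same path
    within `window`. A time window is used so that an earlier, visible delete
    of a path does not mask a later delete of a recreated file."""
    deletes, creates = {}, set()
    for ev in sysmon:
        if ev["event_id"] in SYSMON_DELETE_IDS:
            deletes.setdefault(_key(ev["path"]), []).append(datetime.fromisoformat(ev["time"]))
        elif ev["event_id"] == SYSMON_CREATE_ID:
            creates.add(_key(ev["path"]))
    gaps = []
    for ev in extension:
        if not ev["action"].startswith("FILE_DELETE"):
            continue
        when, key = datetime.fromisoformat(ev["time"]), _key(ev["path"])
        if not any(abs(when - seen) <= window for seen in deletes.get(key, [])):
            # created_seen=True matches the pattern in the text: create logged, delete missing.
            gaps.append({**ev, "created_seen": key in creates})
    return gaps


if __name__ == "__main__":
    for gap in unseen_deletes(SYSMON, EXTENSION):
        print(gap["time"], gap["pid"], gap["action"], gap["path"])
```

Run periodically over exported events, the result lists deletions one sensor never saw, grouped naturally by the process ID that performed them.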
By combining the twin benefits of Osquery’s SQL form factor and, through an extension, visibility into a range of real-time events on the Windows operating system, the EclecticIQ agent aims to solve both problems: collecting data in a relational format that is queryable and structured right at the sensor level, and providing an array of capabilities to minimize blind spots.
*** This is a Security Bloggers Network syndicated blog from the EclecticIQ Blog, written by the EclecticIQ Endpoint Security team. Read the original post at: https://blog.eclecticiq.com/catch-em-delete-increasing-visibility-not-the-cost