Elevate Cyber Defense with Qualys Advanced Hunting
Introduction
In today’s cyber threat landscape, proactive approaches such as threat hunting have become key in any organization’s defense strategy, identifying and tackling threats before they become an incident.
That is why Qualys is delighted to introduce Advanced Hunting, our threat-hunting functionality in the Endpoint Detection and Response (EDR) platform that allows security teams to actively search for potential threats, identify potential breaches, and uncover malicious activities that might have bypassed traditional detection methods. To further streamline the hunting process, our Threat Research Unit has developed a set of curated, predefined hunting queries, allowing teams to jump-start their investigations with insights based on the latest threat intelligence.
Qualys EDR Advanced Hunting
Advanced Hunting is based on Qualys Query Language (QQL). It provides an expressive and flexible way for analysts to perform various operations like Search by Field, String matching, Exact matching, Full Text Search, etc.
This blog explores Advanced Hunting and how it empowers cybersecurity professionals to enhance their environment’s overall security.
Qualys’s TRU offers a curated collection of custom pre-built hunting queries tailored to hunt for trending threats, MITRE ATT&CK TTPs, and common use cases. These queries help analysts search for anomalies in their endpoints and eliminate potential threats.
- Common Hunting Queries: Investigate common hunting scenarios.
- Trending Threat: Hunt for trending threats.
- ATT&CK TTP: Investigate MITRE ATT&CK TTPs.
Advanced Hunting is located at Qualys > Endpoint Detection and Response > Hunting > Advanced Hunting. In the next section, we will briefly examine advanced hunting in action while investigating a ransomware attack.
Use-Case: Investigation using Advanced Hunting
The following scenario elaborates on how hunting queries can be used. The malware is executed in the Qualys Research Environment in “Detect Only” mode to capture relevant events.
An analyst ran a predefined advanced hunting query – “Registry Run Keys Modification” and found a suspicious registry modification.
- We found the following suspicious registry entry created in the system –
“HKU\S-1-5-21-3319599449-2141404066-4016250668-1608\Software\Microsoft\Windows\CurrentVersion\Run”
“IosqeLsTxx”= "C:\users\truser\Downloads\WinUpdater.exe"
- Let’s investigate further and check how this registry was created in the system.
The Process Tree of this event shows “powershell.exe” has created this registry entry with the following arguments –
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name IosqeLsTxx -Value '"C:\users\truser\Downloads\WinUpdater.exe"' -Type String
- This “powershell.exe” is executed by cmd.exe (PID: 8420)
- The process cmd.exe (PID: 8420) also executed the following processes
Process Name | Argument |
powershell.exe | New-ItemProperty -Path “HKCU:\Software\Microsoft\Windows\CurrentVersion\Run” -Name IosqeLsTxx -Value ‘”C:\users\truser\Downloads\WinUpdater.exe”‘ -Type String |
powershell.exe | New-NetFirewallRule -DisplayName “MyApp” -Direction Inbound -Action Allow -Program “C:\Users\truser\Downloads\WinUpdater.exe” -Enabled True |
net.exe | localgroup |
net.exe | group /domain |
sc.exe | query |
WMIC.exe | path win32_networkadapter where “NetConnectionStatus=2” get Name |
systeminfo.exe | |
powershell.exe | Get-ChildItem C:\Users\truser |
- This “cmd.exe” is executed by WinUpdater.exe (PID: 4524).
- “WinUpdater.exe” is executed from the following location:
“C:\Users\truser\Downloads\WinUpdater.exe”
- Using the following hunting query, we can find the activity performed by “WinUpdater.exe”
parent.name:WinUpdater.exe and action:["RUNNING","CREATED","ESTABLISHED"]
- WinUpdater.exe has
- Executed cmd.exe process
- Created bmatter.exe file
- Established Network connection
- Bmatter.exe is executed via cmd.exe by WinUpdater.exe
- Using the following hunting query, we can find the files modified by “bmatter.exe”
parent.name:bmatter.exe and type:file
- Several files are renamed by the process “bmatter.exe” to the “X6NHiD5Oz” extension.
- This suggests that “bmatter.exe” is ransomware.
- Using the following hunting query, we can find which process has created “WinUpdater.exe”
file.name:"WinUpdater.exe" and action:"created"
- The “WinUpdater” is created by “firefox.exe”, a web browser.
- The malware must have come into the system via a download.
Thus, using Advanced Hunting, we have identified the threat and its activities. The user can explore further and find more information about the threat using Advanced Hunting.
Hunting and documenting help us piece together attacker activity like the one below.
Hunting Queries Examples
In this section, we have listed some examples of hunting queries:
1. Processes or Executables: Querying for a specific process that is running on certain endpoints.
type:`process` and action:`running` and process.name:"<process_name.exe>"
2. Suspicious PowerShell Scripts: Query that can help detect the execution of encoded PowerShell commands that might indicate potential compromise.
type:`process` and action:`running` and process.name:'powershell.exe' and process.arguments:'.-enc'
3. Scheduled Task Created: Search for abnormal scheduled tasks created in system that point to temp. This may suggest an attacker is trying to maintain persistence on the system after initial access.
type:process and action:running and process.name:"schtasks.exe" and (process.arguments:"/create" or process.arguments:"-create") and process.arguments:”temp”
4. File Hashes: Searching for known malicious hash values (MD5, SHA256) across all endpoints.
type:`file` and action:`created` and file.hash.sha256:"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
5. Network Connections: Identify endpoints that have made suspicious outbound connections to suspicious IP addresses.
type:`network` and action:`established` and network.remote.address.ip:`X.X.X.X`
6. Winlogon registry Changes: Detecting unusual changes in the Windows Registry that could be malware persistence.
type:`registry` and registry.key:"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" and action:`write` and registry.value:"DefaultDomainName"
7. System Information Discovery: Query for commands that are used for getting system information in the last 24 hours.
type:`process` and action:`running` and process.name:"ipconfig.exe" and event.dateTime:[now-24h ... now]
8. Inhibit System Recovery: Identify deletion of Shadow Copy using VSSAdmin
type:`process` and action:`running` and process.name:"vssadmin.exe" and process.arguments:["delete","resize"]
9. Archive Collected Data: Data is archived using utilities like 7z, WinRAR, etc.
type:`file` and action:`created` and file.extension:"7z" and parent.name:"7z.exe"
10. Suspicious File Downloads via Curl: Detects the execution of curl.exe with arguments indicative of file downloads, often used in malicious activities for downloading files.
platform:'Windows' and type:`process` and action:`running` and process.name:'curl.exe' and process.arguments:["--remote-name", "--upload-file", "--output", "http", "https", "--request", "-O", "-ge", "-X", "-G"]s
Conclusion
Qualys’ Advanced Hunting offers a powerful approach for identifying and responding to emerging threats in real time. With curated, predefined hunting queries created by our Threat Research Unit, security teams can quickly and effectively launch targeted investigations, maximizing the efficiency and impact of their threat-hunting efforts. By enabling teams to proactively search for and address potential risks, Advanced Hunting enhances incident response capabilities and helps prevent costly security breaches. Advanced hunting within the Qualys EDR platform is an invaluable tool for organizations seeking a proactive and flexible approach to endpoint security.
Contributors
- Akshay Thorve, Senior Threat Engineer, Qualys