Red Canary is actively detecting CVE-2014-1776, the latest “Internet Explorer zero-day,” on the endpoint by leveraging our global network of managed Bit9+Carbon Black sensors. This post provides some insight into how you can do the same.

We know this exploit targets Internet Explorer (iexplore.exe), requires VGX.dll be loaded by the targeted iexplore.exe process, and is triggered by a malicious Flash file. Using Carbon Black, we can quickly identify processes meeting these criteria:

`process_name:iexplore.exe modload:vgx.dll modload:*.ocx`

Note this simply identifies processes where potentially exploitable conditions exist; results are not necessarily indicative of malicious activity. On this particular Carbon Black server, this query yields 175 results over 24 hours:

[screenshot not reproduced]

175 results is still a lot to go through, so we need to narrow our search down a bit. We know that upon exploitation, iexplore.exe spawns a child process, which by itself is fairly common behavior. However, the child process name in this case will match *.dll. And while we do observe legitimate processes spawned from DLLs, this is atypical at best. Doubly so when the parent process is a web browser.

`modload:vgx.dll process_name:iexplore.exe modload:*.ocx childproc_name:*.dll`

Running this query over the same period of time yields a single result, and a confirmed victim:

[screenshot not reproduced]

And a sample of some of the activity associated with child process 0159.dll:

[screenshot not reproduced]

Note: This raw Carbon Black query may identify activity that is not associated with CVE-2014-1776. Additionally, while this will detect exploitation of the aforementioned vulnerability, processes matching this query may have been compromised in another manner. In any event, a process matching these criteria should be further investigated. While we are providing this detection for the benefit of the Carbon Black community, it also highlights a key benefit of our approach: rapid identification of suspicious behaviors without explicit knowledge of the tool(s) an attacker uses. After alerting our client to the occurrence, they or their IR partners can surgically remediate the threat. This also allows them to determine whether a more expansive investigation is warranted. Red Canary uses internally-developed intelligence, intelligence gleaned from partners, and expert human analysts to sort through the noise, identifying and communicating legitimate threats to our clients in a timely manner. Put another way: Red Canary’s alerts to our customers are 100% actionable and contain zero false positives.
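The two-stage narrowing described above (first the "exploitable conditions" query, then the same terms plus `childproc_name:*.dll`), as an added example that is not Red Canary's or Carbon Black's code: it evaluates the same query terms over a handful of constructed process records rather than calling the Carbon Black API, so that the funnel from broad to narrow can be seen on sample data.

```python
from fnmatch import fnmatch

# Constructed endpoint telemetry (not real Carbon Black data): one record per
# process, with the modules it loaded and the names of the children it spawned.
PROCESSES = [
    {"id": 1, "process_name": "iexplore.exe",
     "modload": ["vgx.dll", "flash32.ocx", "mshtml.dll"],
     "childproc_name": ["0159.dll"]},          # browser spawned a *.dll child
    {"id": 2, "process_name": "iexplore.exe",
     "modload": ["vgx.dll", "ieframe.dll"],
     "childproc_name": ["notepad.exe"]},       # VGX loaded, but no ActiveX control
    {"id": 3, "process_name": "iexplore.exe",
     "modload": ["vgx.dll", "flash32.ocx"],
     "childproc_name": []},                    # exploitable conditions, no child
    {"id": 4, "process_name": "IEXPLORE.EXE",
     "modload": ["VGX.DLL", "Flash32.OCX"],
     "childproc_name": ["chrome.exe"]},        # exploitable conditions, benign child
    {"id": 5, "process_name": "svchost.exe",
     "modload": ["vgx.dll", "msxml3.ocx"],
     "childproc_name": ["x.dll"]},             # not a browser, so out of scope
]

def matches(record, field, pattern):
    """Case-insensitive glob match of one query term against a record field."""
    values = record[field]
    if isinstance(values, str):
        values = [values]
    return any(fnmatch(v.lower(), pattern.lower()) for v in values)

def exploitable_conditions(records):
    """Stage 1: process_name:iexplore.exe modload:vgx.dll modload:*.ocx"""
    return [r["id"] for r in records
            if matches(r, "process_name", "iexplore.exe")
            and matches(r, "modload", "vgx.dll")
            and matches(r, "modload", "*.ocx")]

def dll_child_spawned(records):
    """Stage 2: the stage-1 terms plus childproc_name:*.dll"""
    return [r["id"] for r in records
            if exploitable_conditions([r])
            and matches(r, "childproc_name", "*.dll")]

if __name__ == "__main__":
    print("exploitable conditions:", exploitable_conditions(PROCESSES))  # [1, 3, 4]
    print("child process matching *.dll:", dll_child_spawned(PROCESSES))  # [1]
```

Records 3 and 4 show why the first query alone is only a starting point: the conditions for exploitation are present, but nothing suspicious followed, so they are triage candidates rather than alerts.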