You can’t detect 0-day exploits but… you can detect what happens next
TLDR: One of the best-known ways to gain access into an organization and avoid detection is by way of a zero day. This term is used to describe ...
4 min. read
22 Jul 2021
One of the best-known ways to gain access into an organization and avoid detection is by way of a zero day. This term is used to describe vulnerabilities that vendors and users are unaware of. Though a zero day can’t be detected, the aftermath will reveal itself on the affected system. In this piece, we have provided ways to utilize the SCYTHE adversary emulation platform to detect and respond to malicious behaviors. SolarWinds, Serv-U, Google Chrome and a few other recent zero-day attack procedures are covered. Commonalities between each of these attacks are explained as well as a guide for attack emulation and executables for detection and response.
A zero day (or 0-day) is a vulnerability that is not known by the software vendor nor the end users. They are a great way to gain initial access into an organization without being detected. Zero days are rarely used in widespread attacks as they are a high cost to the attacker (identifying a vulnerability that has a high chance of successful exploitation). Zero days can be sold and purchased by governments or malicious actors when they are not disclosed to the affected vendor. The problem with zero days is that there are no detections, however, we argue that what can be detected is what happens after the zero day exploits a system.
In this blog post we look at some of the recent (July 2021) 0-day attacks targeting SolarWinds Serv-U, Microsoft Print Spooler (PrintNightmare), Google Chrome, and others. What occurs after successful exploitation and how can you detect the unknown? Our focus on assumed breach gives you plenty of behaviors you can actively detect and respond to by using the SCYTHE adversary emulation platform.
The folks at Google make a good point in their blog that the number of 0-days being detected does not necessarily mean there are more 0-days; instead, that we are detecting more 0-days used in the wild. That may be because of an increase in detection and disclosure which is a good thing. We want threat actors to have to spend more resources to obtain 0-days than to leverage methods that can be patched.
Print Nightmare 0-day in Windows Print Spooler
Microsoft has released multiple CVEs for vulnerabilities known as Print Nightmare. The Windows Print Spooler is a service that runs by default on all systems. As the name suggests, it allows you to print. In most organizations, you have a print server that allows endpoints to connect, install the print driver, and print. In the past month, the printer spooler service has been under review due to various vulnerabilities:
Apart from the inherent issue that these are all 0-days and neither vendors nor end users knew about the vulnerability or exploit, all of these 0-days leverage the exploited process to spawn other processes. This gives the blue team a great opportunity to detect exploits or other behaviors that leverage this technique. By monitoring the processes that are spawned from other processes, it allows for the identification of processes that should not be starting. For example, if you see Microsoft Word running powershell.exe, that is probably malicious activity. Head to detect and respond section for more.
While there are multiple exploits available for these 0-days, you don’t have to exploit any process to emulate the technique you want to detect: a process spawning another process. Exploitation, by design, is risky and may crash a service or an entire system. As we build detections, testing in non-production is ideal. However, once the detections are in production, we should test to ensure our people, process, and technology is working as assumed.
Our focus in detection should be on what happens after the exploit. For a 0-day, neither the vendor nor you will know about the vulnerabilities until they are detected in another attack. Do not wait for that. You can build detections of the behaviors that occur after exploitation. As there were multiple 0-days explained in this post, we will cover the detections holistically. Shout out to our friends at Splunk that had a great post on detecting PrintNightmare.
An executable spawning mshta.exe
An executable spawning cmd.exe
An executable spawning powershell.exe
An executable spawning rundll32.exe
An executable spawning whoami
An executable spawning dir
mshta.exe reaching out to the internet
Zero days by definition are difficult to detect as the vulnerability is not known by the vendor nor the end users. Therefore, focus on detecting and responding to what occurs after the successful exploit. In this post we cover multiple 0-days that were released in the last month, understand how they were used by threat actors, and emulate the behaviors so that we can detect and respond to them. If you are interested in trying out SCYTHE for Attack, Detect, and Response, let us know.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.