Attackers are more clever about how they hide malicious files. Countering that starts with knowing what services belong on your network.

If I listed the names of services on your Windows systems, would you be able to determine which ones were real and which ones were fake? Attackers often use fake services designed to act and look like real Windows services but that contain malicious files. Is “Windows Updates” a true Windows service, or is it called “Windows Update” on your computer? Have you taken the time to become aware of what services and processes are normal on the computers in your network?

Create a baseline of Windows services

If you don’t know, you need to create a baseline that shows which services should be in your network. The PowerShell command get-service is a quick and dirty way to get a list of running services on a system.

[Image: Attack surface reduction rules. Credit: Susan Bradley]

When baselining a system, start with the basics. What services are expected to be running on your systems? On server systems in particular, have you taken the time to add monitoring that alerts you when a new service is added to a server? While workstations may add new services on an irregular basis, services on servers tend not to change often. Monitoring a server for changes in services and critical root directories is a security process you’ll want to consider. You can add Sysmon, for example, to a server to monitor changes on a system.

Defending against tactics for hiding malware

In the past, malicious software didn’t work too hard to hide in your system. It would enter as services and drivers and look like a normal service. As we’ve hardened our systems, attackers must work harder to hide malware in them. Malicious software might encrypt, compress, encode or use any number of means to hide and avoid being found on your system. Now antivirus looks less for file names, service names and types, and looks more at behaviors.
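The service baseline and change monitoring described in the baseline section above, as an added PowerShell example that is not part of the original article. The function names and the baseline file path are assumed; it reads Win32_Service rather than plain Get-Service so that each service’s binary path and logon account are part of the baseline.

```powershell
# Added example, not from the original article: snapshot the services on a
# known-good system, then diff the live service list against that baseline.
# The baseline path is an assumed value.
$BaselinePath = 'C:\Baseline\services-baseline.csv'

function New-ServiceBaseline {
    param([string]$Path = $BaselinePath)
    # Win32_Service also records the binary path and logon account, which
    # Get-Service alone does not; a look-alike service whose PathName points
    # into a user profile is exactly what the baseline should expose later.
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, PathName, StartMode, StartName |
        Sort-Object Name |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ServiceBaseline {
    param([string]$Path = $BaselinePath)
    $baseline = @{}; $current = @{}
    foreach ($b in Import-Csv -Path $Path) { $baseline[$b.Name] = $b }
    foreach ($c in Get-CimInstance -ClassName Win32_Service) { $current[$c.Name] = $c }
    foreach ($name in $current.Keys) {
        $c = $current[$name]; $b = $baseline[$name]
        if ($null -eq $b) {
            # Present now, absent from the baseline: a new service.
            [pscustomobject]@{ Change = 'NEW'; Name = $name; Detail = [string]$c.PathName }
        }
        elseif ([string]$b.PathName -ne [string]$c.PathName -or
                [string]$b.StartName -ne [string]$c.StartName) {
            # Same name, but the binary or logon account changed: a known
            # service may have been repointed at a malicious file. The [string]
            # casts keep an empty CSV field from mismatching a null CIM value.
            [pscustomobject]@{
                Change = 'CHANGED'; Name = $name
                Detail = "'$($b.PathName)' ($($b.StartName)) -> '$($c.PathName)' ($($c.StartName))"
            }
        }
    }
    foreach ($name in $baseline.Keys) {
        if (-not $current.ContainsKey($name)) {
            # In the baseline, gone now: a removed (or renamed) service.
            [pscustomobject]@{ Change = 'REMOVED'; Name = $name; Detail = $baseline[$name].PathName }
        }
    }
}

# Run New-ServiceBaseline once on a clean system, then schedule
# Compare-ServiceBaseline and alert on any row it emits.
# New-ServiceBaseline
# Compare-ServiceBaseline | Format-Table -AutoSize
```

On a server, where services rarely change, any row this emits is worth a ticket; on workstations, expect some legitimate churn from software installs.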
If an application suddenly starts accessing a file that normally would contain secrets, antivirus will monitor the application for appropriate behavior. As this Bromium blog notes, popular interpreted languages that attackers abuse include PowerShell, VBScript, JScript, Visual Basic for Applications (VBA) and commands interpreted by the command shell (cmd.exe). Emotet or Trickbot, for example, typically come in on attachments designed to hide the malicious JavaScript payload in an enticing email attachment. Obfuscated JavaScript can be defended against.

First, try to keep the malicious payload from entering your system. Use email protection to scan and review all attachments coming into a firm. Don’t overlook education of your end users. An educated user can often be the best defense against attackers. Train them to inform you of unusual attachments or when their system acts strangely, showing signs of underperformance (often this is the only symptom that a system has been compromised).

Options for prevention

Attackers check the running services to ensure that their code is not running in a virtual machine or sandbox. Often attackers want to hide how their code will behave on test machines used by investigators, so they change its default behavior to further hide how their attack processes will work.

How can you prevent something that is designed to hide itself from running rampant on your system? You have options.

First, you can block .js and .jse files from being attached to email and delivered to users in your office. Malicious files also typically come in via macro-enabled Word documents. Consider alternative ways to share Office content that don’t expose users to risky decisions.

Ideally, get a license for Windows Defender Advanced Threat Protection (ATP). This cloud-based service is part of a Windows 10 E5 or Microsoft 365 E5 license. It hooks into Windows 10 and monitors activity.
If malicious activity is sensed, ATP alerts you with a graphical image of how the attackers came in and what impact they had on the system.

Next, enable attack surface reduction rules. Three in particular will need to be set:

- Block all Office applications from creating child processes.
- Block Office applications from creating executable content.
- Block JavaScript or VBScript from launching downloaded executable content.

You can set these using Microsoft Intune, Mobile Device Management (MDM), Microsoft Endpoint Configuration Manager, Group Policy or PowerShell. For example, for Group Policy you’ll want to do the following:

1. In the Group Policy Management Editor, go to “Computer configuration”.
2. Click “Administrative templates”.
3. Expand the tree to “Windows components”.
4. Go to “Windows Defender Antivirus”.
5. Go to “Windows Defender Exploit Guard”.
6. Go to “Attack surface reduction”.
7. Select “Configure Attack surface reduction rules”.
8. Select “Enabled”.

You can then set the individual state for each rule in the options section:

1. Click “Show”.
2. Enter the rule ID in the “Value name” column and your desired state in the “Value” column as follows:
   Disable = 0
   Block (enable ASR rule) = 1
   Audit = 2

For the list above, the GUID to block all Office applications from creating child processes is D4F940AB-401B-4EFC-AADC-AD5F3C50688A. The GUID to block Office applications from creating executable content is 3B576869-A4EC-4529-8536-B80A7769E899. Finally, the GUID to block JavaScript or VBScript from launching downloaded executable content is D3E037E1-3EB8-44C8-A917-57927947596D.

[Image: Default Windows network services. Credit: Susan Bradley]

Start by enabling auditing to review the impact on your organization. Once you determine there is little to no impact to your organization, change the value to block (or 1) to enable them.

By understanding how attackers hide and can wiggle in, you can determine the best ways to protect your users.
Take the time to understand how, so you can better protect them.
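The audit-first rollout of the three attack surface reduction rules from the section above, done with PowerShell rather than Group Policy, as an added example that is not part of the original article. The two helper function names are my own; Add-MpPreference and Get-MpPreference are the built-in Windows Defender cmdlets, and the rule GUIDs are the ones the article lists.

```powershell
# Added example, not from the original article: set the three ASR rules named
# above through PowerShell instead of Group Policy, audit first, then verify.
# Add-MpPreference / Get-MpPreference are the built-in Defender cmdlets;
# run from an elevated session. Rule GUIDs are the ones the article lists.
$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

function Set-AsrRuleState {
    # Mode names correspond to the Group Policy values the article gives:
    # Disabled = 0, Enabled (block) = 1, AuditMode = 2.
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode')][string]$Mode)
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # Get-MpPreference returns two parallel arrays: rule IDs and numeric actions
    # (0 = disabled, 1 = block, 2 = audit). Rules never configured are absent.
    $pref   = Get-MpPreference
    $ids    = @($pref.AttackSurfaceReductionRules_Ids)
    $acts   = @($pref.AttackSurfaceReductionRules_Actions)
    $labels = @{ 0 = 'Disabled (0)'; 1 = 'Block (1)'; 2 = 'Audit (2)' }
    $state  = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i]) { $state[[string]$ids[$i]] = [int]$acts[$i] } }
    foreach ($id in $AsrRules.Keys) {
        $label = 'Not configured'
        if ($state.ContainsKey($id) -and $labels.ContainsKey($state[$id])) { $label = $labels[$state[$id]] }
        [pscustomobject]@{ Rule = $AsrRules[$id]; Id = $id; State = $label }
    }
}

# Phase 1: audit only. Audit hits are logged as Event ID 1122 in the
# Microsoft-Windows-Windows Defender/Operational log; review them for a while.
Set-AsrRuleState -Mode AuditMode
# Phase 2: once the audit events show no business impact, enforce (value 1).
# Set-AsrRuleState -Mode Enabled
Get-AsrRuleState | Format-Table -AutoSize
```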