The Microsoft Sysinternals suite is commonly used by digital forensics and incident response teams as a cheap, easy-to-use approach to incident investigation and forensics on Windows systems. Despite their utility and value, the Cybereason Research Lab found that these widely used Microsoft monitoring tools miss common attacker behavior such as privilege escalation, a technique believed to have been used in the Home Depot breach.
We set out to assess the ability of commonly used Sysinternals tools to identify privilege escalation, a common but hard-to-detect attacker behavior. Below are common privilege escalation use cases, against which we tested three widely used Microsoft monitoring tools: Sysinternals Process Monitor (procmon), Sysinternals Process Explorer (procexp) and the recently released Sysinternals System Monitor (sysmon).
Sysinternals tools are useful for detecting various malicious processes. However, given their popularity as breach forensics tools, we believe it is important to highlight their shortcomings. Because privilege escalation is a common attacker behavior, teams should be aware of the limitations of these tools in spotting it.
We ran two different tests in which we took enterprise scenarios and used exploits to simulate escalated privileges.
Discussion
Privilege escalation is a critical and commonly used attacker technique, and is usually the first stepping stone toward a complete takeover of the victim’s machine. Incident investigation and SOC teams need to be aware of their tools’ limitations in capturing such common behavior.
Our research found that the Microsoft Sysinternals tools failed to capture the escalated privileges in two distinct attack scenarios.
Proposed actions:
1 – Consider alternative investigation tools and use them together for better coverage of various attack scenarios.
2 – Perform the test described in this document to simulate escalated privileges, and check whether the tools your team uses for forensics properly capture the attack. For information and guidance, visit our website www.cybereason.com or contact us: contact@cybereason.com
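As an added example (not part of the original post, and not Cybereason's test procedure), the following PowerShell script gives a simple baseline to compare against what procmon, procexp or sysmon recorded during such a test. It lists running processes whose owner differs from their parent's owner; a child running as a different, more privileged account than the process that spawned it is one crude indicator of an escalated process. The heuristic, the `Get-OwnerMap` and `Find-OwnerChanges` function names, and the default ignore list of parent accounts are assumptions for illustration, not something the page specifies.

```powershell
# Added example, not Cybereason's code: flag processes whose owner differs from
# their parent's owner as candidates for escalated privileges. Run elevated so
# that GetOwner succeeds for processes belonging to other users.

function Get-OwnerMap {
    # Build a PID -> "DOMAIN\User" map for every running process.
    $map = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($o.ReturnValue -eq 0) {
            $map[$p.ProcessId] = "$($o.Domain)\$($o.User)"
        } else {
            # Access denied, or the process exited between the two calls.
            $map[$p.ProcessId] = '<unknown>'
        }
    }
    return $map
}

function Find-OwnerChanges {
    param(
        # Parent accounts that legitimately spawn children as other users
        # (service control manager, logon components). Assumed list; tune it
        # for your environment, since the filter is on the PARENT only, so a
        # user-owned parent with a SYSTEM-owned child is still reported.
        [string[]]$IgnoreParents = @('NT AUTHORITY\SYSTEM')
    )
    $procs  = Get-CimInstance -ClassName Win32_Process
    $owners = Get-OwnerMap
    foreach ($p in $procs) {
        $child  = $owners[$p.ProcessId]
        $parent = $owners[$p.ParentProcessId]
        if (-not $parent)                      { continue }  # parent already exited
        if ($child -eq $parent)                { continue }  # same account, not interesting
        if ($IgnoreParents -contains $parent)  { continue }  # expected cross-account launcher
        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            Owner       = $child
            ParentPID   = $p.ParentProcessId
            ParentOwner = $parent
            CommandLine = $p.CommandLine
        }
    }
}

# Usage: print the triage list, then compare its rows with the process-creation
# events your monitoring tools captured during the simulated escalation.
Find-OwnerChanges | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: scheduled tasks, runas and UAC-elevated launches also produce owner changes between parent and child. The useful check is whether every row that corresponds to your simulated escalation also appears, with the right account, in the tool you are evaluating.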