Malware Hunter How To Guide for SecurityCenter Continuous View™

Tenable provides Continuous Network Monitoring™ to identify vulnerabilities, reduce risk, ensure compliance, and “hunt malware”.

Hunting for Malware

New versions of malware are released daily, and making a new dashboard for each one can become complicated and time consuming. A new template was designed for malware hunting and can be customized for new malware. The new dashboard has Indicator of Compromise (IOC) components and template components.

Malware Hunter Dashboard

Left Side
–These components are developed to be customized by the organization for each new malware.
–Each will be discussed in detail.
Right Side
–These components are Indicators of Compromise (IOC) and are not intended to be modified.

IOC Components

There are 5 matrix components. These components provide several saved queries that can aid in the hunt for malware. Each of these components can be individually downloaded from the SecurityCenter feed or as a collection. These components contain indicators that may occur with normal traffic and should be investigated and/or monitored for suspicious events.
–Account Weakness - Suspicious Login Activity (Events from Last 72 Hours)
–Indicators - Malicious Process Monitoring
–Unknown Process - Microsoft Windows Autoruns
–Verizon 2015 DBIR - Forensic Indicators
–Verizon 2015 DBIR - Indicator of Compromise (IOC) Events

IOC Components

Template Components

These components are templates that can be edited by the organization. Each component has a cell with the default filter, and the other cells have sample content to be edited.
–Malware Hunter - DNS Domains Watchlist (Last 72 Hours)
–Malware Hunter - IP Address Any Event Traffic (Last 72 Hours)
–Malware Hunter - Malicious Process Detection Using MD5 Hashes
–Malware Hunter - Microsoft Windows Known Bad AutoRuns / Scheduled Tasks MD5 Hash Searches

Template Components

Malware Hunter Malicious Process Detection Using MD5 Hashes

This component uses the Malicious Process Detection plugins to monitor for the associated MD5 hashes identified by the FBI. Additionally, an indicator is used to help identify all the Malicious Process Detection plugins currently in SecurityCenter. There are several plugins that identify malicious processes; some focus on operating systems such as Windows, Linux, or Mac OS X. Others allow security administrators to input their own MD5 hashes and to check for MD5 hashes identified by Mandiant. The indicators change color when a match is found. The red indicator “Malicious Process Detection” means that a match for the plugins has been found. The remaining cells must be edited and the appropriate MD5 hash added to the vulnerability text. The cells that require editing turn purple when a match is located. Many types of malware can be identified by different MD5 hashes. Edit the component and place the respective hashes in the filters.

Malware Hunter Malicious Process Detection Using MD5 Hashes

To edit the component, click on the arrow in the corner and select edit. Next, select the cell to be modified.

Malware Hunter Malicious Process Detection Using MD5 Hashes

Next, edit the filter by selecting the pencil icon on the right hand side.
–This is the Vulnerability Text field.
–Put the full MD5 hash string in this field.
Now change the indicators.
–Put in the last 6 characters for each MD5.
–Make sure to input the string into both the default setting and the match setting.

Malware Hunter Microsoft Windows Known Bad AutoRuns Scheduled Tasks MD5 Hash Searches

This component provides indicators of possible malware using the Microsoft Windows Known Bad AutoRuns / Scheduled Tasks reputation plugin. The plugin (Microsoft Windows Known Bad AutoRuns / Scheduled Tasks) shows that the Windows system has one or more registry entries that are known to be associated with malware. The indicators change color when a match is found. The red indicator “Bad AutoRun” means that a match for the plugin has been found. The remaining cells must be edited and the appropriate MD5 hash added to the vulnerability text. The cells that require editing turn purple when a match is located. Many types of malware can be identified by different MD5 hashes. Edit the component and place the respective hashes in the filters.

Malware Hunter Microsoft Windows Known Bad AutoRuns Scheduled Tasks MD5 Hash Searches

To edit the component, click on the arrow in the corner and select edit. Next, select the cell to be modified.

Malware Hunter Microsoft Windows Known Bad AutoRuns Scheduled Tasks MD5 Hash Searches

Next, edit the filter by selecting the pencil icon on the right hand side.
–This is the Vulnerability Text field.
–Put the full MD5 hash string in this field.
Now change the indicators.
–Put in the last 6 characters for each MD5.
–Make sure to input the string into both the default setting and the match setting.
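The two MD5 procedures above (Malicious Process Detection and Known Bad AutoRuns) both ask for the full hash in the Vulnerability Text filter and only its last 6 characters in the indicator. The following added example, which is not Tenable's or SecurityCenter's code, prepares both values from a watchlist, rejects malformed hashes, and flags two watched hashes that share a 6-character tail, because an indicator built from that tail alone could not tell them apart. The hash values and plugin output line are constructed placeholders, and the substring-style match is an assumption about how the text filter behaves.

```python
import re

# Added example (not Tenable's or SecurityCenter's code): prepares the two
# values the guide asks for per hash, the full MD5 for the Vulnerability Text
# filter and its last six characters for the indicator, and flags tails that
# two watched hashes share, since such an indicator cannot tell them apart.

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def build_hash_filters(hashes):
    """Return {full_md5: last_6_chars}, rejecting anything that is not an MD5."""
    filters = {}
    for h in hashes:
        h = h.strip().lower()          # treat the filters as case-insensitive text
        if not MD5_RE.match(h):
            raise ValueError(f"not a 32-hex-character MD5: {h!r}")
        filters[h] = h[-6:]
    return filters

def tail_collisions(filters):
    """Six-character tails used by more than one watched hash."""
    by_tail = {}
    for full, tail in filters.items():
        by_tail.setdefault(tail, []).append(full)
    return {t: sorted(f) for t, f in by_tail.items() if len(f) > 1}

def vulnerability_text_hits(filters, plugin_output):
    """Emulate the Vulnerability Text filter: which watched hashes does the
    plugin output mention? (Assumed behaviour: plain substring match.)"""
    text = plugin_output.lower()
    return sorted(h for h in filters if h in text)

# Constructed sample hashes (placeholders, not real malware indicators).
WATCHED = [
    "0123456789abcdef0123456789abcdef",
    "A" * 26 + "123456",   # deliberately shares its tail with the next one
    "b" * 26 + "123456",
]

# Constructed plugin output line, loosely modelled on a hash-match finding.
SAMPLE_OUTPUT = ("Process svchost.exe with MD5 0123456789ABCDEF0123456789ABCDEF "
                 "matched a watched hash")

if __name__ == "__main__":
    f = build_hash_filters(WATCHED)
    print(f, tail_collisions(f), vulnerability_text_hits(f, SAMPLE_OUTPUT))
```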

Malware Hunter DNS Domains Watchlist (Last 72 Hours)

This component provides a series of indicators that report on DNS query events detected by PVS and logged to LCE. Each malware version often uses some sort of call-home or command-and-control method to contact the malware source. This matrix allows the analyst to monitor specific DNS patterns. Search for DNS queries captured by PVS using the “PVS-DNS_Client_Query” Normalized Event.
–The raw message will contain a statement similar to this: The most recent DNS query performed was for: to the server at
The “DNS Client Query” indicator turns blue when data is present. The other indicators need to be modified to contain the FQDN of the domain name the organization is looking for. The FQDN can be searched for using keyword searches and Boolean logic. However, there is one important detail to remember: when searching the syslog text, all punctuation is removed and replaced with an AND, resulting in the domain being translated to www AND google AND com. Edit the component and place the respective DNS entries in the filters.

Malware Hunter DNS Domains Watchlist (Last 72 Hours)

To edit the component, click on the arrow in the corner and select edit. Next, select the cell to be modified.

Malware Hunter DNS Domains Watchlist (Last 72 Hours)

Next, edit the filter by selecting the pencil icon on the right hand side.
–This is the Syslog Text field.
–Put the FQDN string or pattern in this field.
Now change the indicators.
–Put the FQDN for each indicator.
–Make sure to input the string into both the default setting and the match setting.
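The punctuation-to-AND behaviour described for the Syslog Text filter means a watchlist FQDN is matched as an unordered set of keywords, so a query for one domain can also hit a different name built from the same labels. The following added example, which is not Tenable's or SecurityCenter's code, models that tokenization as the slides describe it, then confirms each keyword hit against the exact queried name parsed from the raw message format quoted above. The keyword-match semantics (unordered, whole-token) are an assumption, and the watched domain and event lines are constructed samples.

```python
import re

# Added example (not Tenable's or SecurityCenter's code): models the keyword
# behaviour the guide describes, where punctuation in a watchlist FQDN is
# dropped and the remaining tokens are ANDed (www.google.com becomes
# "www AND google AND com"), and shows why a keyword hit still needs an
# exact-FQDN check before it is treated as a watchlist match.

TOKEN = re.compile(r"[a-z0-9]+")

def fqdn_to_syslog_query(fqdn):
    """Rewrite a watchlist FQDN the way the Syslog Text filter will search it."""
    return " AND ".join(TOKEN.findall(fqdn.lower()))

def keyword_match(query, raw_message):
    """Emulated AND search (assumed: unordered, whole-token): every token of the
    query must occur somewhere in the message."""
    words = set(TOKEN.findall(raw_message.lower()))
    return all(tok in words for tok in query.split(" AND "))

# The raw message format quoted on the slide: the queried name follows "for:"
# and the resolver address follows "to the server at".
QUERY_RE = re.compile(r"performed was for:\s*(\S+)\s+to the server at\s*(\S+)")

def exact_fqdn_hit(fqdn, raw_message):
    """Triage step: confirm the keyword hit names exactly the watched FQDN."""
    m = QUERY_RE.search(raw_message)
    return bool(m) and m.group(1).lower().rstrip(".") == fqdn.lower().rstrip(".")

def triage(fqdn, messages):
    """Return (queried_name, exact) for every message the keyword query hits."""
    query = fqdn_to_syslog_query(fqdn)
    hits = []
    for msg in messages:
        if keyword_match(query, msg):
            m = QUERY_RE.search(msg)
            hits.append((m.group(1) if m else None, exact_fqdn_hit(fqdn, msg)))
    return hits

# Constructed sample events (not real captures) in the slide's message format;
# the watched domain is a hypothetical placeholder.
WATCHED = "update.bad-cdn.example.net"
SAMPLES = [
    "The most recent DNS query performed was for: update.bad-cdn.example.net to the server at 10.0.0.53",
    "The most recent DNS query performed was for: cdn.bad-update.example.net to the server at 10.0.0.53",
    "The most recent DNS query performed was for: www.google.com to the server at 10.0.0.53",
]
```

Running `triage(WATCHED, SAMPLES)` reports two keyword hits, of which only the first names the watched FQDN exactly; the second is the same labels in a different order.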

Malware Hunter IP Address Any Event Traffic (Last 72 Hours)

This component indicates whether specific IP addresses have been seen in LCE events over the last 72 hours. These events were collected using PVS, LCE Client, NetFlow, or other LCE collection methods. Each of these cells must be modified to reflect the targeted malware. Each malware version often uses some sort of call-home or command-and-control method to contact the malware source. This component allows the analyst to track any communication with the malicious addresses. Edit the component and place the respective IP addresses in the filters.

Malware Hunter IP Address Any Event Traffic (Last 72 Hours)

To edit the component, click on the arrow in the corner and select edit.

Malware Hunter IP Address Any Event Traffic (Last 72 Hours)

Next, edit the filter by selecting the pencil icon on the right hand side.
–The address field is not present by default and needs to be added.
–Put in the address or subnet that is known to host malware.
Now change the indicators.
–Put the address or subnet for each indicator.
–Make sure to input the string into both the default setting and the match setting.

Hunting for Malware

To summarize, hunting for malware requires IOC components and custom components.
–The IOC components are provided via the SecurityCenter feed and do not require updating.
–The IOC components contain queries that are valid. However, they should be monitored for malicious activity.
–The custom components are also available in the SecurityCenter feed.
–The custom components need to be updated for each type of malware.
For more support, check out the Discussion Forums and Customer Support Portal:
–Indicators of Compromise and Malware
–Tenable Customer Support Portal