RSA Admin

You Need This Hourly Executable Report

Discussion created by RSA Admin Employee on Mar 6, 2013
Latest reply on Aug 30, 2013 by Thomas Schaub

In all my experience in the field, this report has come in most handy when I arrive to a customer's site and they don't have a Spectrum appliance, and I need to find find malware on the network.  The hourly output of this report is manageable by a staff of analysts and it only takes a few minutes to detect the likely malicious EXEs or to add a false positive to the built-in filter.

 

Open Informer and create the following rule:

55499

You need to ensure that the sessionid is included and be sure the sort-by is NONE.  My where clause begins where an alert does not exist.  I put all of my known intelligence alerts and known threats into this alert key to be processed separately.  For this use case I'm only interested in brand new stuff, and this is why I'm ignoring this key.  The RSA CSIRC uses a similar method, alerting known intelligence into their own custom key called "monitors."  You could do the same, but it involves modifying the index keys on the decoders, concentrators and brokers.  The rest of my where clause is pretty straightforward.

 

The Then statement must begin with the dedup command.  Below this are all of the false-positives or known bad sites that I'm tired of looking at on an hourly basis.  And remember, you can filter by any of the keys you have in your select statement, but I stick with ip.dst, org.dst and alias.host most often.  The filter_out commands are very quick, and can be an exact match, or a contains statement.  For instance, if I wanted to filter out 'www.windowsupdate.com' I can use the entire name or just use 'windowsupdate' and the results will be the same.  You can likewise filter out all of microsoft by using the org.dst key.

 

The report output ideally should produce no more than 50 results per hour.  Add additional filters as needed to reduce the output to something your analyst can process.  This is what the output looks like:

 

55503

In this example, all of these results are malicious, but I'm interested in the highlighted sessionid.  Clicking that will take you directly to the session in Investigator.  And then you can click on the file location icon to take you to the location of that file in your local system cache.  One quick warning- with malicious files, your local AV may automatically quarantine this file or deny you access to your cache.  I disable my AV when investigating malware.

 

55504

Here is a screenshot of the file in your local cache. 

 

55505

This 70 KB file can now be easily uploaded to VirusTotal or put into your own sandbox for analysis.  Below is the VirusTotal results of what turns out to be a new Zeus Variant that also employs a reverse proxy shell into the affected system-

55506

So by using your combination of automating your analysis, filtering out false positives, and reviewing an hourly report, you can keep a pretty tight lookout for emerging malware threats in your environment.  It is no substitution for the Spectrum appliance, but it is a good workable solution in a pinch.

Outcomes