Getting the most out of CLI Anomaly Alerts

Efflux's analytic models detect when something is unique about a CLI for a modeled process. In this example, we'll be looking at powershell.

Push notifications occur when a command has never been across the enterprise and never seen on a given host. Attackers often use powershell, and there is generally a good chance that the scripts they launch will look different than what's currently going on in your environment. Of course, this could also be caused by a variety of benign situations. Perhaps you have particularly experimental developers on your team. Or a vendor pushes an update via their agent, which launches a script.

In any case, examining the individual CLI and process details is time intensive, and may exhibit elements of malicious behavior even though a script is completely benign.

As such, we recently introduced a feature for you to quickly inspect whether that CLI is indeed unique, like our models say. This feature uses an Elasticsearch "More Like this" query, and displays the results in Kibana. Let's take a look at an alert.

Wow - that doesn't look good at all! Some of you will recognize this as a payload from an open source penetration testing framework. Let's see how widespread it is by clicking on the Kibana Link (More CLI's like this).

 

At a glance, it looks like this host has been busy, but not with this particular command. So we've got something unique and in this case, malicious, to investigate. Now let's take a look at the flip side, where an alert pops for a more common command. We'll use this CLI:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -WindowStyle Hidden -command "& 'C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1' -MonitoringContext -ShowDetailedErrors -ErrorAction:Continue"

If our model has been built correctly, this shouldn't alert at all. But let's say an OS update caused this CLI to change slightly, and it did alert. Here's the Kibana view:

 

The list of repeated commands goes on for nearly a page. However, we can very quickly see that this benign CLI is indeed a common command being run in the environment periodically.

Hopefully you're not seeing that for malicious scripts!

To cut down on false positives, our current procedure is to incorporate these new and unique CLIs into our models after an observation period on the order of hours. This is so we can paint a reasonable picture of what is and isn't normal. Future releases will include functionality for you to control how the model is patched directly. Stay tuned!

 

23 March Update (by John Myers):

Our latest release now includes a micro-feedback mechanism.  Each event in Slack comes with feedback buttons. This provides a way to provide instant feedback to our analysis backend. Clicking benign will update our models such that this type of alert is learned and muted in the future. The other two options will ensure that future CLI invocations that match the current one, continue to alert. If no action is taken within 24 hours, we will automatically learn this CLI event and cease alerting for future events.

Efflux Slack Notification. Alert derived from Carbon Black data. Automatically decoded from powershell's base64 encoded commands and analyzed by Efflux.

Efflux Slack Notification. Alert derived from Carbon Black data. Automatically decoded from powershell's base64 encoded commands and analyzed by Efflux.

Additionally, we are doing beta testing of our visualization tool, Clarity. Clarity will plot both process launch and network connections along a time-series track. Instead of the usual relationship graphs from many other tools, we provide the ability to view what actually happened with hosts in questions, over time, so analysts can go step-by-step and evaluate an attack or suspicious behavior in full.

The image below shows the same alert pushed via Slack, on Clarity, along with the other process launches and network connections that were collected against the host in question.  Clarity displays both network flow and endpoint socket connection data (which we multiplex in our backend) as most endpoint agents do not capture every session from a host. Our ability to multiplex network flow data with the endpoint ensures that all network activity to/from a host can be presented to analysts and responders.

Process launches are below the timeline in red and internal/external network connections are above the timeline in blue.

Clarity also supports full Lucene style searches against all data ingested by Efflux. This includes network flow and endpoint telemetry.

Future releases will include additional event notifications, specifically within the realm of network lateral movement, covert comms, and data exfiltration. Which will be based on our combined network flow and endpoint data analysis engines. Micro-feedback will continue along with each event type.

Micro-feedback will also be analyzed to cluster specific events together and provide time-series Narratives that cluster many alerts into a single picture, allowing for faster, more efficient threat hunting and remediation.