When we started building Binary Defense’s Vision platform years ago, we knew it would be a long road and something we would continuously improve over time. Our motto is to always do things the right way, and to build the attack intelligence gathered across the industry into the product so that the industry as a whole gets better at defense.
Vision works by looking for abnormal behavior in an environment, with agents working together to identify attackers in the early stages of an intrusion. It does this by learning what normal behavior looks like, watching for deviations from those patterns, and sending the relevant data to an analyst for review.
We’ve just released Version 3, which brings a number of new features and major enhancements to the product and places us in a whole different arena when it comes to endpoint security. This version is a testament to all the hard work and effort from the fine folks at Binary Defense and to our mission. It introduces a number of enhanced detection features, performance improvements, and Containment Mode!
First, our dashboard has a number of new features and a redesigned look and feel:
As part of version 3, we introduce Containment Mode, which allows analysts to isolate a compromised system from the network to limit the impact on the organization. Containment works by first going to the compromised asset and selecting “Contain”:
Next on the list are multiple new detection capabilities. We won’t go into all of them, as there are many, but one of the more interesting ones is named pipe impersonation. A common technique for attackers who already have administrator rights is to use named pipes to move themselves to SYSTEM-level permissions: the attacker creates a named pipe, causes a process running as SYSTEM (typically a newly installed service) to connect to it, and then impersonates that client to obtain a SYSTEM token. This activity produces specific indicators that can be detected and used to trigger an alarm. In this example, we don’t build alarms around specific tools, but around the behavior the techniques themselves exhibit, which is abnormal.
In this case we’ll use Metasploit, but the detection does not look at the specific tool itself. Once a system is compromised (we get multiple indicators when this first happens), an attacker will typically escalate to SYSTEM in order to perform further attacks such as hash extraction, LSASS injection, etc. In the screenshot below, we use Meterpreter’s getsystem command, which tries multiple techniques to escalate permissions; in this case, named pipe impersonation is the one that succeeds:
Once escalated to SYSTEM, an attacker will often migrate to another process by injecting code from one process into the memory of another. Vision also picks up this technique. Below is process injection into explorer.exe, after searching for that process:
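The two detections described above (named pipe impersonation on the way to SYSTEM, and process injection into explorer.exe afterwards) both reduce to correlating a few endpoint events on behavior rather than on tool names. The following is an added example illustrating that behavioral logic; it is not Vision’s code or any Binary Defense detection content. It runs over constructed sample events whose fields are simplified from the Windows System log event 7045 (service installed) and Sysmon events 17 (pipe created) and 8 (CreateRemoteThread); the field names, paths, pipe name and timestamps are all assumptions made for the example. The service command line in the sample mirrors the shape of Metasploit’s first getsystem technique, in which a service is installed whose command echoes into a pipe the attacker already owns, so the SYSTEM service becomes the pipe client.

```python
"""Behavior-based detection of named pipe impersonation and process injection.

Added example, not Binary Defense / Vision code. Events are dicts with fields
simplified from Windows 7045 (service installed), Sysmon 17 (pipe created)
and Sysmon 8 (CreateRemoteThread); "t" is a timestamp in seconds.
"""
import re
from typing import Dict, List, Optional

Event = Dict[str, object]

# Constructed sample events (assumptions for the example, not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # Benign: a service host creates a well-known pipe, and a normal service install.
    {"t": 100, "id": 17, "image": r"C:\Windows\System32\svchost.exe", "pipe": r"\wkssvc"},
    {"t": 101, "id": 7045, "name": "Update Orchestrator",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    # Shape of Metasploit getsystem technique 1: a user-land process creates a
    # randomly named pipe, then a service is installed whose command line echoes
    # into that pipe, so a SYSTEM process connects as the pipe client and can be
    # impersonated. Pipe and service names here are invented.
    {"t": 200, "id": 17, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "pipe": r"\qWxZcv"},
    {"t": 201, "id": 7045, "name": "qWxZcv",
     "image_path": r"cmd.exe /c echo qWxZcv > \\.\pipe\qWxZcv"},
    # Migration: a remote thread into explorer.exe whose start address is not
    # backed by any loaded module, beside a benign thread starting in ntdll.dll.
    {"t": 300, "id": 8, "source": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "target": r"C:\Windows\explorer.exe", "start_module": ""},
    {"t": 301, "id": 8, "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\explorer.exe", "start_module": "ntdll.dll"},
]

# Matches a literal "\\.\pipe\<name>" inside a service command line.
PIPE_IN_SERVICE_PATH = re.compile(r"\\\\\.\\pipe\\(\S+)", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_system_binary(path: str) -> bool:
    """True when the image lives in a Windows system directory."""
    return path.lower().startswith(SYSTEM_DIRS)


def detect_pipe_impersonation(events: List[Event], window: int = 60) -> List[Dict[str, object]]:
    """Flag a service install whose command writes to a named pipe; raise the
    severity when a non-system process created that same pipe shortly before."""
    alerts = []
    pipe_creations = [e for e in events if e["id"] == 17]
    for svc in (e for e in events if e["id"] == 7045):
        m = PIPE_IN_SERVICE_PATH.search(str(svc["image_path"]))
        if not m:
            continue  # ordinary service binary path, nothing pipe-related
        pipe = m.group(1)
        creator: Optional[Event] = next(
            (p for p in pipe_creations
             if str(p["pipe"]).lstrip("\\").lower() == pipe.lower()
             and 0 <= int(svc["t"]) - int(p["t"]) <= window),
            None)
        severity = "high" if creator and not is_system_binary(str(creator["image"])) else "medium"
        alerts.append({"technique": "named pipe impersonation", "severity": severity,
                       "service": svc["name"], "pipe": pipe,
                       "creator": creator["image"] if creator else None})
    return alerts


def detect_remote_thread_injection(events: List[Event]) -> List[Dict[str, object]]:
    """Flag CreateRemoteThread events whose start address is not backed by a
    loaded module, or whose source process runs outside system directories."""
    alerts = []
    for e in (e for e in events if e["id"] == 8):
        reasons = []
        if not e["start_module"]:
            reasons.append("thread start address not backed by a module")
        if not is_system_binary(str(e["source"])):
            reasons.append("source process outside system directories")
        if reasons:
            alerts.append({"technique": "process injection", "severity": "high",
                           "source": e["source"], "target": basename(str(e["target"])),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_pipe_impersonation(SAMPLE_EVENTS) + detect_remote_thread_injection(SAMPLE_EVENTS):
        print(alert)
```

The benign svchost pipe and service install, and the csrss-originated thread that starts in ntdll.dll, are not flagged; the correlation of a pipe created by a process in a user-writable directory with a service whose command line writes into that pipe is what raises the first alert to high severity, and the unbacked thread start address into explorer.exe raises the second. On a real host the Sysmon field names differ (PipeName, Image, SourceImage, TargetImage, StartModule) and the time window should be tuned to the environment.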