Efficient Investigation using Behavioral Attack Detection (BAD)

April 15th, 2016 by Peter Nguyen

What Magna Saw: Finding a Needle in 30 Minutes, with Automated Endpoint Analysis

Recently, LightCyber Magna alerted a security analyst that, in a single day, a workstation on his network had generated almost 5,000 failed DNS requests for what appeared to be invalid domains. This was a 20,000x increase over the baseline of 0.02 failed DNS resolutions that Magna had calculated since it began profiling the workstation. One of these invalid domains is shown in the screenshot below. The alert also identified the process responsible for generating the DNS requests: svchost.exe.

It turns out the workstation had been rebooted, and the svchost.exe process made the DNS requests when it started back up.
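The detection described above, written out as an added example that is not LightCyber's code: a per-host baseline of failed DNS resolutions per day is compared against the day under review, and the process responsible is attributed from the same records. The record format, the sample log and the three thresholds (BASELINE_FLOOR, MIN_FAILURES, RATIO_THRESHOLD) are all assumptions constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed endpoint DNS records: (day, host, process, rcode).  Not real data;
# day 3 is the day under review and days 1-2 form the baseline.
SAMPLE_LOG = (
    [(1, "ws-01", "chrome.exe", "NOERROR")] * 40
    + [(1, "ws-01", "chrome.exe", "NXDOMAIN")]
    + [(2, "ws-01", "outlook.exe", "NOERROR")] * 50
    + [(1, "ws-02", "chrome.exe", "NOERROR")] * 30
    + [(2, "ws-02", "chrome.exe", "NXDOMAIN")] * 2
    + [(3, "ws-01", "svchost.exe", "NXDOMAIN")] * 500   # burst after reboot
    + [(3, "ws-01", "chrome.exe", "NOERROR")] * 45
    + [(3, "ws-01", "chrome.exe", "NXDOMAIN")]
    + [(3, "ws-02", "chrome.exe", "NOERROR")] * 35
    + [(3, "ws-02", "chrome.exe", "NXDOMAIN")]
)

BASELINE_FLOOR = 0.02    # assumed: floor for hosts with no prior failures, avoids divide-by-zero
MIN_FAILURES = 100       # assumed: absolute minimum so a few typos never alert
RATIO_THRESHOLD = 50.0   # assumed: today/baseline multiplier that fires an alert


def daily_failures(records):
    """Map host -> Counter{day -> NXDOMAIN count}."""
    out = defaultdict(Counter)
    for day, host, _proc, rcode in records:
        if rcode == "NXDOMAIN":
            out[host][day] += 1
    return out


def baseline(records, current_day):
    """Mean NXDOMAIN count per day for each host over the days before current_day.

    Days on which a host had no failures count as zero, and the result is
    floored at BASELINE_FLOOR so a quiet host still yields a finite ratio.
    """
    history = [r for r in records if r[0] < current_day]
    days = {r[0] for r in history}
    fails = daily_failures(history)
    result = {}
    for host in {r[1] for r in records}:
        total = sum(fails[host].values())
        mean = total / len(days) if days else 0.0
        result[host] = max(mean, BASELINE_FLOOR)
    return result


def detect(records, current_day):
    """Return alerts as (host, failures_today, baseline, ratio, top_process)."""
    base = baseline(records, current_day)
    today = [r for r in records if r[0] == current_day]
    per_host = daily_failures(today)          # host -> {current_day: n}
    by_proc = defaultdict(Counter)            # host -> process -> NXDOMAIN count
    for _day, host, proc, rcode in today:
        if rcode == "NXDOMAIN":
            by_proc[host][proc] += 1
    alerts = []
    for host, counts in per_host.items():
        n = counts[current_day]
        ratio = n / base[host]
        if n >= MIN_FAILURES and ratio >= RATIO_THRESHOLD:
            top_proc = by_proc[host].most_common(1)[0][0]
            alerts.append((host, n, base[host], ratio, top_proc))
    return alerts


if __name__ == "__main__":
    for host, n, b, ratio, proc in detect(SAMPLE_LOG, 3):
        print(f"{host}: {n} failed lookups today vs baseline {b:.2f}/day "
              f"({ratio:.0f}x), mostly from {proc}")
```

The absolute floor matters as much as the ratio: a host whose baseline is near zero would otherwise alert on a handful of mistyped hostnames, which is exactly the noise that buries the real alert in a sandbox dashboard.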


Figure 1: The Magna Alert showing Trojan attempting to find its Command & Control server

The security analyst knew that this DNS pattern (thousands of lookups for non-existent domains in a short period, the behaviour of malware cycling through algorithmically generated C2 names) was a strong indicator that the machine was infected, so he turned to his perimeter tools to see whether any other alerts had been triggered. After logging into the dashboard of his perimeter sandbox solution, the analyst saw hundreds of uninvestigated alerts. Searching for alerts involving the same host, however, he found that the perimeter solution had blocked a connection to a blacklisted domain.

Further investigation of the domain determined that a Trojan was trying to reach its Command & Control server. Because the malware cycles quickly through so many candidate domains, blocking individual domains at the perimeter is a losing race: sooner or later one of them resolves and the connection succeeds. The perimeter sandbox could not tell the analyst anything more about the endpoint, for example which process had originated the traffic, so he went back to the Magna Analyst Dashboard to continue the investigation.

In the Magna Analyst Dashboard, the security analyst checked the Network and Endpoint Profiles for any other suspicious activity from the infected host. The Network Profile showed nothing further, but the Endpoint Profile did. The Running Processes and Loaded DLLs tables held nothing of interest, but the Suspicious Artifacts table listed three running processes and two executables (c:\windows\system32\msdtc.exe and c:\windows\system32\presentationhost.exe) that stood out because of their low command prevalence: they had not been seen running with these specific command-line parameters on any other machine on the network. Prevalence is a useful triage signal precisely because it needs no signature; a legitimate Windows binary launched with arguments no other host uses deserves a look before anyone knows what it is.

Figure 2: Investigative data in Magna’s Analyst UI showing possible infected files on the endpoint
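The low-command-prevalence check from the Suspicious Artifacts table, as an added example that is not Magna's code: the fleet's process inventory is grouped by (image path, normalised command line), and any combination seen on only one or two hosts is surfaced for triage. The inventory format and the sample rows are constructed for this example, and the unusual msdtc.exe argument is made up, not a known indicator.

```python
import re
from collections import defaultdict

# Constructed process inventory: (host, image_path, command_line).  Not real
# telemetry; the odd msdtc.exe argument is invented for the example and is not
# a known indicator of compromise.
INVENTORY = [
    ("ws-01", r"c:\windows\system32\svchost.exe", "svchost.exe -k netsvcs"),
    ("ws-02", r"c:\windows\system32\svchost.exe", "svchost.exe  -k NetSvcs"),   # spacing/case differ only
    ("ws-03", r"c:\windows\system32\svchost.exe", "svchost.exe -k netsvcs"),
    ("ws-01", r"c:\windows\system32\msdtc.exe", "msdtc.exe"),
    ("ws-02", r"c:\windows\system32\msdtc.exe", "msdtc.exe"),
    ("ws-03", r"c:\windows\system32\msdtc.exe", "msdtc.exe"),
    ("ws-01", r"c:\windows\system32\msdtc.exe", "msdtc.exe /x c:\\users\\public\\odd.dat"),  # constructed
    ("ws-01", r"c:\windows\system32\presentationhost.exe", "presentationhost.exe -embedding"),
    ("ws-04", r"c:\windows\system32\presentationhost.exe", "presentationhost.exe -embedding"),
]


def normalize(cmdline):
    """Canonicalise a command line so whitespace and case don't split one population into many."""
    return re.sub(r"\s+", " ", cmdline.strip()).lower()


def prevalence(inventory):
    """Map (image, normalised cmdline) -> set of hosts on which it was observed."""
    seen = defaultdict(set)
    for host, image, cmd in inventory:
        seen[(image.lower(), normalize(cmd))].add(host)
    return seen


def low_prevalence(inventory, max_hosts=1):
    """Artifacts whose exact (image, cmdline) ran on max_hosts hosts or fewer.

    Returns rows of (image, cmdline, hosts, fraction_of_fleet), least prevalent first.
    """
    fleet = {h for h, _image, _cmd in inventory}
    rows = [
        (image, cmd, sorted(hosts), len(hosts) / len(fleet))
        for (image, cmd), hosts in prevalence(inventory).items()
        if len(hosts) <= max_hosts
    ]
    return sorted(rows, key=lambda r: (len(r[2]), r[0], r[1]))


def rare_on_host(inventory, host, max_hosts=1):
    """The low-prevalence artifacts present on one particular host: the analyst's triage view."""
    return [row for row in low_prevalence(inventory, max_hosts) if host in row[2]]


if __name__ == "__main__":
    for image, cmd, hosts, frac in rare_on_host(INVENTORY, "ws-01", max_hosts=2):
        print(f"{image} [{cmd}] seen on {hosts} ({frac:.0%} of fleet)")
```

Note that msdtc.exe itself is common; only the one invocation with the unusual argument is rare. Keying on the image path alone would hide it, which is why the comparison has to be on the full command line.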

These suspicious artifacts had already been analyzed automatically by the Magna Cloud Expert System for augmentative intelligence, and no matching threat intelligence was found, which is not surprising if the sample was previously unseen (a possible zero-day). So the analyst used the "download" button to export the suspicious executables from Magna and ran them through his own on-premises sandbox. The on-prem sandbox judged the files suspicious, which was enough for the analyst to open a ticket for the desktop team to reimage the workstation.

This is another example of how behavioral profiling, accurate detection, and automated investigation make the security analyst's job easier. In all, it took him less than an hour to investigate a serious alert. Without Magna it could have taken the entire day, assuming the analyst had even been able to tease out the seriousness of the issue from his other tools.
