How to Detect and Analyze the Execution of Unsigned or Malicious Executables
Detecting unsigned or malicious executables is critical for identifying potential threats, as attackers often use these to execute unauthorized code, escalate privileges, or exfiltrate data. Monitoring key logs and correlating events can help uncover such activities.
1. Monitor for Executables in Unusual Locations
What to Look For:
Process Creation Events:
Event ID 4688: Logs the creation of new processes.
Focus on executables running from uncommon directories like:
%TEMP%%APPDATA%User-specific directories.
Legitimate software typically runs from trusted locations such as
C:\Program Files\orC:\Windows\System32\.
Red Flags: Executables launching from temporary or user directories, especially with suspicious names.
2. Check for Execution of Unsigned Binaries
What to Look For:
Code Integrity Events:
Event ID 3065: Indicates that the image hash of an executable could not be verified by Code Integrity.
Behavioral Patterns:
Unsigned or tampered executables are often indicative of malicious activity.
Red Flags: Executables flagged as unsigned, tampered, or lacking valid digital signatures.
3. Investigate Use of Known Exploitation Tools
What to Look For:
Common Tools:
Event ID 4688: Look for execution of known malicious tools, such as:
mimikatz.exenetcat.execobaltstrike.exe
Command-Line Arguments:
Analyze the arguments associated with these executables for further intent.
Red Flags: Execution of tools commonly used for exploitation, credential dumping, or lateral movement.
4. Correlate with File Creation Logs
What to Look For:
File Creation Events:
Event ID 4663: Captures access attempts to objects (files).
Event ID 4660: Logs file deletions, which may follow file creation to hide traces.
Behavioral Patterns:
Newly created executables that are executed shortly after being dropped.
Red Flags: Files dropped in temporary directories and executed immediately, especially if deleted afterward.
5. Cross-Reference with Network Logs
What to Do:
Correlate Network and Endpoint Activity:
Match the execution of suspicious binaries with:
Outbound connections to external IPs or domains.
Attempts to communicate with known Command-and-Control (C2) servers.
Network Indicators:
Large data transfers or unexpected connections to unfamiliar locations following executable launches.
Red Flags: Network traffic originating from suspicious binaries, especially to external or untrusted destinations.
6. Immediate Response
What to Do:
Terminate Malicious Processes:
Stop the executable to prevent further execution or spread.
Isolate the Affected System:
Disconnect the compromised host from the network to contain the threat.
Initiate Investigation:
Collect forensic data, including:
Process trees.
Associated files and logs.
Network traffic data.
Enhance Security Controls:
Implement or strengthen:
Application Whitelisting: Restrict execution to trusted applications only.
Endpoint Detection and Response (EDR): Deploy EDR tools to monitor and block unauthorized executables.
Post-Incident Actions:
Educate Users:
Train staff on recognizing malicious attachments, downloads, or execution warnings.
Regularly Audit Systems:
Conduct routine reviews of systems for unauthorized executables or changes.
Strengthen Monitoring:
Configure SIEM rules to flag:
Unsigned binaries.
Executables running from unexpected locations.
Conclusion
Detecting unsigned or malicious executables requires vigilant monitoring of process creation events, code integrity logs, and network activity. Swift detection and response ensure that malicious activity is contained and mitigated effectively.
Last updated