Detecting attempts to run untrusted code by using trusted executables in Azure Security Center
Early last year FireEye documented a sophisticated spear phishing campaign targeting individuals within the Mongolian government. In the initial part of this attack, they were bypassing AppLocker restrictions by using Regsrv32.exe, which enables the attacker to run untrusted code. This technique was used in many others attack campaigns.
I just saw that Yuri wrote an interesting blog post on how they are using virtual machine behavioral analysis in the Azure Security Center to detect attempts to bypass AppLocker. When Security Center detects an attempt to run untrusted code by using trusted executables, it will trigger an alert and let you know, which looks something like this:
Pretty cool, eh?
This is a great way to merge machine learning and active detection to generate better threat intelligence signals. If someone is trying to bypass AppLocker that signal should be getting higher visibility more quickly than the door rattlers hammering the Azure Network Security Group (NSG).
Would you know the difference? Use ASC to help you find out.