Threat Hunting with Symantec EDR and ATT&CK

Nasreddine Bencherchali
6 min read, Sep 17, 2020

With the current threat landscape, it’s becoming clearer every day that security tools alone are not a complete answer to such threats, and threat hunting is becoming a necessity for organizations.

One of the most critical requirements for threat hunting is making sure that the correct data is being collected by our tools (Sysmon, EDR, IPS, etc.).

After collection comes analysis, and writing correct search queries is a powerful aid to that analysis. Today we’ll look at one of the available data sources, namely Symantec’s EDR (SEDR for short), and at how we can use its data to write powerful search queries with the ATT&CK framework as a guide.

To get started we first need to clarify some concepts related to Symantec EDR and Symantec endpoint technologies.

Symantec Endpoint Detection and Response

From the Broadcom techdocs website, here is how they define SEDR:

Symantec Endpoint Detection and Response performs the critical security tasks that detect, protect, and respond to threats to your network.

Being an integral part of the threat hunting process, SEDR uses multiple technologies and techniques to detect threats; we’ll take a look at some of them.

Symantec Online Network for Advanced Response (SONAR)

As one of the most integral parts of the EDR detection mechanisms, SONAR is a powerful technology: a heuristics system that leverages Symantec’s online intelligence network. It will be of great aid when writing our search queries.

Advanced Attack Techniques

The “advanced attack techniques” technology helps detect multiple techniques and attacks that most of the time go undetected by endpoint agents, such as fileless attacks, LOL binaries and scripts, etc. It leverages SONAR and SDS (Static Data Scanner).

Advanced Machine Learning

As the name suggests, this detection mechanism uses machine learning to detect threats. The two engines I’ve found being used are Criterion and Sapient.

You can take a look at the other mechanisms and technologies that EDR uses to detect threats by visiting the following link.

Now that we’ve covered the basic mechanisms it’s time to start writing our search queries.

Symantec EDR Events

SEDR collects a multitude of events ranging from Windows registry operations and file creation to process creation and DLLs being loaded. Most of these events are documented in the following two links.

Symantec EDR Events Fields

Once we get familiar with the events, we start looking at the fields. There are multiple fields in each event; some are unique to the type of event, like “reg_value.path”, which represents the value of the registry key that is being created or modified.

All of these fields can be used in our search queries, but there are some that I consider especially powerful and that can help us go a long way in writing advanced queries. Let us take a look.

Parent and Child Processes — Command Line

The event_actor and process fields signify the parent process and the child process respectively. The command lines of both the parent and the child can be accessed via the two fields “event_actor.cmd_line” and “process.cmd_line”.

Parent and Child Processes — Executables Name

We can filter executables by their name using the fields “event_actor.file.name” and “process.file.name”.

MITRE ATT&CK Integration

One of the most powerful things about the Symantec EDR is that it maps most of its events to ATT&CK out of the box.

So most of the time you’ll find the two fields “mitre.tactic” and “mitre.technique_id”, which indicate any possible techniques being used.

With the correct combination of queries you can filter out the benign activity and leave only the malicious events.

SONAR and Heuristics

As we’ve established previously, Symantec EDR uses multiple technologies (signatures, heuristics, ML, SONAR, etc.) to find threats. Most of these are part of the internals of the system, which means we cannot access them directly.

Fortunately, SEDR exposes these detections via two fields, “bash.virus_id” and “threat.id”, that can then be queried from the EDR itself.

On the flip side, Symantec doesn’t provide any list of these signatures as far as I know, so to actually use them we need to encounter them at least once.

I’ve collected some signatures over the course of this research that I’ll be sharing so you can use them in your search queries. Stay tuned till the end of this blog.

Data Enrichment

One of the most well-hidden features of SEDR (for me at least), and in my opinion the most interesting one, is the data enrichment feature.

In short, most of the events collected from the endpoints get populated with additional data that SEDR adds to indicate some behavior related to the event itself. For example:

A process event containing the “sc.exe start” command line will get its “enriched_data.rule_name” field populated with the rule “eScSvcStart”, which indicates that the PE “sc.exe” has been used to start a service of some sort.

Similar to the SONAR and heuristics threats, I couldn’t find any resources listing these rules. But once again I was able to compile a little list of rules used by the EDR that I’ll share at the end.

I hope that you are starting to see that by using these fields and combining them with classical conditions like command line arguments and file paths, we can begin to write some advanced search queries that will help us in our threat hunting.
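As an added example (not code from the article or from Symantec), here is how the fields above combine into hunt logic when run over events exported as nested JSON. The nested event shape, the hunt names, and all sample values (including the ATT&CK mapping) are assumptions; only the dotted field names and the eScSvcStart rule come from the article.

```python
from typing import Any, Dict, List, Tuple

Hunt = List[Tuple[str, str, Any]]  # (dotted SEDR field, operator, value); all conditions must hold
OPS = {  # a missing field resolves to None and never matches
    "eq": lambda v, x: isinstance(v, str) and v.lower() == x.lower(),
    "contains": lambda v, x: isinstance(v, str) and x.lower() in v.lower(),
    "in": lambda v, x: isinstance(v, str) and v.lower() in {n.lower() for n in x},
}

def get_field(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted name such as 'event_actor.file.name' against a nested event dict."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches(event: Dict[str, Any], hunt: Hunt) -> bool:
    """AND across conditions, the same shape as a combined field search in the EDR console."""
    return all(OPS[op](get_field(event, field), value) for field, op, value in hunt)

def run_hunts(events: List[Dict[str, Any]], hunts: Dict[str, Hunt]) -> List[Tuple[str, int]]:
    """Return (hunt name, event index) for every event that a hunt matches."""
    return [(name, i) for name, hunt in hunts.items()
            for i, ev in enumerate(events) if matches(ev, hunt)]

HUNTS: Dict[str, Hunt] = {  # hypothetical hunts built only from the article's fields
    # The eScSvcStart enrichment rule from the article, scoped to an Office parent process.
    "svc_start_from_office": [
        ("enriched_data.rule_name", "eq", "eScSvcStart"),
        ("event_actor.file.name", "in", ["winword.exe", "excel.exe", "outlook.exe"]),
    ],
    # The ATT&CK tactic mapping combined with a classical command-line condition on the child.
    "encoded_powershell": [
        ("mitre.tactic", "eq", "Execution"),
        ("process.file.name", "eq", "powershell.exe"),
        ("process.cmd_line", "contains", "-enc"),
    ],
}

SAMPLE_EVENTS = [  # constructed sample events; every value here is illustrative only
    {"event_actor": {"file": {"name": "WINWORD.EXE"}, "cmd_line": "WINWORD.EXE /n"},
     "process": {"file": {"name": "sc.exe"}, "cmd_line": "sc.exe start RemoteRegistry"},
     "enriched_data": {"rule_name": "eScSvcStart"}},
    {"event_actor": {"file": {"name": "explorer.exe"}, "cmd_line": "explorer.exe"},
     "process": {"file": {"name": "powershell.exe"}, "cmd_line": "powershell.exe -nop -enc QQBCAEMA"},
     "mitre": {"tactic": "Execution", "technique_id": "T1059.001"}},
    {"event_actor": {"file": {"name": "services.exe"}, "cmd_line": "services.exe"},
     "process": {"file": {"name": "sc.exe"}, "cmd_line": "sc.exe start wuauserv"},
     "enriched_data": {"rule_name": "eScSvcStart"}},  # benign parent: no hunt should fire
]
```

The third event shows why the enrichment rule alone is too noisy: it fires on a legitimate service start, and only the parent-process condition separates it from the Office-spawned one.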

Let The Hunt Begin

Now that we’ve understood a little bit about how things get collected and what information we are capable of extracting from our events, I think it’s time to start writing those queries for your SEDR solution.

Armed hopefully with some new knowledge, I would like to share with you a couple of resources that I think are helpful to get you started.

First is of course the MITRE ATT&CK website, which contains a ton of information on tactics, techniques and tools used by attackers and APT groups.

Next is the SEDR threat hunting guide, which can be quite helpful if you’re starting out and certainly for writing some useful queries.

SYMANTEC EDR THREAT HUNTING GUIDE

The EQL library documentation is a wonderful resource. With it you can get inspired by queries written in EQL and then transform them into SEDR queries.

Lastly I’ll share with you the following files: two that contain threat names for SONAR and heuristics detections, which you can query via the fields “bash.virus_id” and “threat.id”, and one containing some enrichment rules that you can query via the field “enriched_data.rule_name”. All of the files are available on my GitHub below.

Thanks for reading. I hope you found this article helpful and you’ve learned something along the way.

Any feedback or remarks are much appreciated. You can send them my way via Twitter: @nas_bench

Happy Hunting

Nasreddine Bencherchali

I write about #Detection and #WindowsInternals. Follow https://github.com/nasbench/Misc-Research for interesting Windows tidbits