Remediation is arguably the most important step in Incident Response, as it ensures malicious artifacts and other remnants of attacker activity are cleaned up to ensure the environment is more resilient to similar attacks going forward. Unfortunately, this step is often overlooked or tasks are distributed amongst siloed IT teams and can get lost in the ether. Tanium breaks down these silos with a platform for real time detection, investigation, and remediation all from a single console. A recent update to the Tanium Protect module includes new functionality that is designed to speed up the remediation process and instill confidence that these threats are permanently eradicated. This blog post will outline the necessary steps to guide threat hunters as they scour their environment for malicious artifacts and utilize the new remediation functionality within the Tanium Protect module.
From the beginning: A Threat Intelligence Report Is Released
A common request for any threat hunter is to identify the presence of specific malicious artifacts, whether coming from paid or open source intelligence sources. Typically, threat hunters identify the indicators of compromise (IOCs) and search their environment for these artifacts to identify if they are impacted. Tanium has multiple methods of providing this search functionality, and now taking action on impacted endpoints has never been easier. In this example, we will cover the common threat intelligence workflow from intelligence sources for cleanup, ensuring that files and other IOCs will be permanently removed from impacted endpoints.
One of the first tasks to complete in any threat hunting exercise is to identify indicators or artifacts to look for in the environment. In this example, we will use a US-CERT threat intelligence report for Backoff Malware, a memory based keylogger that is known to target point-of-sale systems in the retail industry.
Figure 1: Snippet of Backoff Malware report from US-CERT
This report provides several IOCs, including file names, file hashes, and registry entries. It is possible to copy this entire report and create a Signal alert, or an OpenIOC indicator to search the environment within minutes. However, for demonstration purposes, we will validate these findings manually instead.
Searching the Enterprise
The first file system artifact to search for is the malicious file “javaw.exe”, within the path “C:\Users
Figure 2: Output from the sensor “Index Query File and Hash” confirming the presence of Backoff binaries
From this query, we can see there are multiple malicious files present within the environment that need to be removed. Before we start remediation, let’s explore the other indicators in the report to ensure other artifacts are not overlooked.
With the “AutoRun Program Details” sensor, we can quickly analyze all persistent binaries across the enterprise. Since we are interested in the registry entries that relate to our Backoff intelligence report, we can use the filter on the right side, just above the result grid, to limit results to only those that include the hash of the malware. We now know there are multiple persistence locations for this malware.
Figure 3: Output from the sensor “AutoRun Program Details”, identifying Backoff persistence mechanisms
The Tanium Sensor “Get Folder Contents” provides the contents of any specified folder. By running this, we can see that the other IOCs from the Backoff report are in fact present.
Figure 4: Output from “Get Folder Contents” sensor, confirming additional Backoff artifacts
Creating a Remediation Policy for clean-up
As a recap, we have validated that artifacts from the Backoff threat intelligence report are present within the environment, and cleanup is needed. By using the sensors referenced above, we have the following actions that need to be performed:
Kill the javaw.exe process
Delete the files javaw.exe and log.txt
Delete registry values:
“HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service”
“HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service”
We can create a new Protect remediation policy by navigating to the Policies section within the Tanium Protect module - the option to create a new policy is located in top right corner.
Figure 5: The Tanium Protect Policy Configuration Page
Once selected, the Add Policy configuration page will load. Here, it is possible to provide the Policy Name, Description, and Type. Fill in the details, and select Policy Type as Remediation.
Figure 6: Tanium Protect’s Remediation Policy creation page
Once the Remediation Policy Type is selected, a set of options to configure the policy appear below. Selecting “Add Task’ will provide options for taking actions against endpoints. As outlined above, the tasks needed for our example are to Kill Process, Delete File, and Delete Registry Key.
First, we will select “Kill Process” and provide the process name. An option to specify a timeout period, as well as the ability to set a number of retry attempts, are available within the remediation workflow. Once a task is entered, it’s possible to select “Add Task” to add additional steps to the remediation policy. The next task is “Delete File”. Enter in the path to delete. Additional tasks can be entered as seen in the screenshot below to perform more actions.
Note that wildcards can be used within the path to handle variables such as user profiles. In addition, once multiple tasks are entered, the task order can be changed by selecting the area next to the task number and dragging it to the desired location. Error handling can be set on each task so that the policy can exit or be ignored if an error is encountered. Once all tasks are entered, select the Create button and the policy will be created.
Figure 7: The full remediation task created to clean up the Backoff malware artifacts.
The next step is deciding which systems or computer groups should enforce the policy. Select the “Add Enforcement” button.
Figure 8: The Remediation Policy after creation but before enforcement.
On this page, several options are provided for targeting dynamic computer groups or specific computers by name for the remediation enforcement. Enforcements can be run once or scheduled to repeat on a defined interval to ensure any newly impacted systems are remediated.
Figure 9: The enforcement options for the remediation policy.
Once the policy is enforced, affected computers will report which tasks were applicable and successfully applied. In the screenshot below, we can see that the policy was applied successfully; by drilling down on the results, we can also see that all tasks were performed.
Figure 10: Policy results page showing the status of the enforcement and other details about the policy.
Now that we know how easy it is to create and manage remediation tasks, the last step is to validate that the task completed successfully. Remember that remediation tasks can be set to re-enforce on a recurring interval. Should one of the artifacts listed in the remediation task re-appear, a conflict will be listed in the status of the task to inform the user of a potential issue. With this new functionality, we can incorporate the remediation phase of an incident into our Tanium workflows.
Figure 11: Drilldown of the remediation results outlining each step of the policy and the actions taken.
Bringing it all together
These new features enable incident responders the ability to organize and manage multiple remediation policies. This converts a notoriously arduous process into a simple streamlined workflow. By speeding the remediation phase, incident responders can quickly pivot to recovery efforts and continue maintaining a resilient network.
About the Author Aaron Goldstein is a Director with Tanium’s Endpoint Detection and Response (EDR) Team. He joined Tanium after 9 years of Incident Response consulting and threat intelligence management. When he is not fixated on securing the world, Aaron enjoys traveling to remote locations and hiking.