Abstract
This article presents a novel algorithm for the detection of exploit chains in a Windows-based environment. An exploit chain is a group of exploits that executes synchronously in order to achieve exploitation of the system. Unlike high-risk vulnerabilities, which allow system exploitation in a single execution step, an exploit chain takes advantage of multiple medium- and low-risk vulnerabilities. These are grouped to form a chain of exploits that, when executed, achieves exploitation of the system. Experiments were performed to check the effectiveness of the developed algorithm against multiple anti-virus/anti-malware solutions available on the market.
Keywords
Notes
- 1.
The list is created according to the JPCERT report Detecting Lateral Movement through Tracking Event Logs, which suggests the following processes for active tracking: cmd, powershell, regsvr32, rundll32, mshta. https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
- 2.
- 3.
- 4.
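The note above lists the processes the JPCERT report recommends tracking, and the paper's title names event correlation and process monitoring as the detection approach. The following is an added illustration, not the paper's algorithm or code: it parses constructed Windows Event ID 4688 ("A new process has been created") messages, links each process to its creator via the PID fields, and reports process ancestry chains whose tail is a run of two or more consecutive tracked processes. The message layout follows the 4688 field names documented by Microsoft; the sample events, the `min_run` threshold and the chain-reporting rule (only the longest chain per branch) are assumptions made for this example.

```python
"""Correlate Event ID 4688 process-creation records into parent/child chains and
flag chains built from the tracked process list in note 1.

Added example, not the paper's implementation. Sample events are constructed.
"""
import re
from dataclasses import dataclass

# Tracked processes from the JPCERT report cited in note 1 (lowercase basenames).
TRACKED = {"cmd.exe", "powershell.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe"}

# Field names as they appear in the 4688 event message body. PIDs are hex there.
FIELD_RE = re.compile(
    r"^\s*(New Process ID|Creator Process ID|New Process Name|Process Command Line):\s*(.*)$",
    re.M,
)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_pid: int
    image: str      # New Process Name (full path)
    cmdline: str    # Process Command Line (requires command-line auditing enabled)


def parse_4688(message: str) -> ProcessEvent:
    """Extract the fields this example needs from one 4688 message body."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(message)}
    return ProcessEvent(
        pid=int(fields["New Process ID"], 16),
        parent_pid=int(fields["Creator Process ID"], 16),
        image=fields["New Process Name"],
        cmdline=fields.get("Process Command Line", ""),
    )


def basename(path: str) -> str:
    """Lowercased file name of a Windows path (used for matching against TRACKED)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events_by_pid: dict, pid: int) -> list:
    """Image basenames from the oldest known ancestor down to `pid`."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:   # `seen` guards against PID reuse loops
        seen.add(pid)
        ev = events_by_pid[pid]
        chain.append(basename(ev.image))
        pid = ev.parent_pid
    return list(reversed(chain))


def tracked_run_length(chain: list) -> int:
    """Number of consecutive tracked processes at the end of the chain."""
    n = 0
    for name in reversed(chain):
        if name not in TRACKED:
            break
        n += 1
    return n


def find_exploit_chains(events: list, min_run: int = 2) -> list:
    """Return ancestry chains whose tail holds at least `min_run` tracked processes.

    Only leaf tracked processes (no tracked children) are reported, so each
    branch yields its longest chain once rather than every prefix of it.
    """
    events_by_pid = {e.pid: e for e in events}
    parents_of_tracked = {e.parent_pid for e in events if basename(e.image) in TRACKED}
    hits = []
    for e in events:
        if basename(e.image) not in TRACKED or e.pid in parents_of_tracked:
            continue
        chain = ancestry(events_by_pid, e.pid)
        if tracked_run_length(chain) >= min_run:
            hits.append(chain)
    return hits


# Constructed 4688 message bodies (not real telemetry); only the fields used here are shown.
SAMPLE_MESSAGES = [
    "New Process ID: 0x3e8\nCreator Process ID: 0x1\nNew Process Name: C:\\Windows\\explorer.exe\nProcess Command Line: explorer.exe",
    "New Process ID: 0x7d0\nCreator Process ID: 0x3e8\nNew Process Name: C:\\Program Files\\Microsoft Office\\WINWORD.EXE\nProcess Command Line: WINWORD.EXE /n",
    "New Process ID: 0x834\nCreator Process ID: 0x7d0\nNew Process Name: C:\\Windows\\System32\\cmd.exe\nProcess Command Line: cmd.exe /c example",
    "New Process ID: 0x898\nCreator Process ID: 0x834\nNew Process Name: C:\\Windows\\System32\\mshta.exe\nProcess Command Line: mshta.exe example",
    "New Process ID: 0x8fc\nCreator Process ID: 0x898\nNew Process Name: C:\\Windows\\System32\\rundll32.exe\nProcess Command Line: rundll32.exe example",
    "New Process ID: 0xbb8\nCreator Process ID: 0x3e8\nNew Process Name: C:\\Windows\\System32\\cmd.exe\nProcess Command Line: cmd.exe /c dir",
]
SAMPLE_EVENTS = [parse_4688(m) for m in SAMPLE_MESSAGES]

if __name__ == "__main__":
    for chain in find_exploit_chains(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

On the constructed sample the lone `explorer.exe -> cmd.exe` branch is not reported, while the Office-spawned `cmd.exe -> mshta.exe -> rundll32.exe` branch is, because three tracked processes follow each other. Raising `min_run` trades missed short chains for fewer alerts on ordinary administrative use of cmd and PowerShell; in a real deployment the events would come from the Security log (for example via pywin32, as in the reference list) rather than from embedded strings.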
References
Pwn2own 2018: Day two results and master of Pwn. https://www.zerodayinitiative.com/blog/2018/3/15/pwn2own-2018-day-two-results-and-master-of-pwn. Accessed 17 May 2018
Srinivasan, D., Wang, Z., Jiang, X., Xu, D.: Process out-grafting: an efficient out-of-vm approach for fine-grained process execution monitoring. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 363–374. ACM (2011)
Mandal, D., Zhang, Y.: The Great Escapes of VMware: A Retrospective Case Study of VMware Guest-to-Host Escape Vulnerabilities. Blackhat, London (2017)
Sensepost. https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/. Accessed 17 May 2018
Neumann, W.C., Corby, T.E., Epps, G.A.: System for secure computing using defense-in-depth architecture. U.S. Patent 7,428,754. Issued 23 Sept 2008
Win, T.Y., Tianfield, H., Mair, Q.: Big data based security analytics for protecting virtualized infrastructures in cloud computing. IEEE Trans. Big Data 4(1), 11–25 (2018)
Wang, X., Qi, Y., Wang, Z., Chen, Y., Zhou, Y.: Design and implementation of SecPod, a framework for virtualization-based security systems. IEEE Trans. Dependable Secure Comput. (2017)
Ucci, D., Aniello, L., Baldoni, R.: Survey on the usage of machine learning techniques for malware analysis. arXiv preprint arXiv:1710.08189 (2017)
Hendler, D., Kels, S., Rubin, A.: Detecting malicious PowerShell commands using deep neural networks. arXiv preprint arXiv:1804.04177 (2018)
Research Report Released: Detecting lateral movement through tracking event logs (version 2). https://blog.jpcert.or.jp/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.htm. Accessed 17 May 2018
Bohannon, D.: Dosfuscation: exploring the depths of Cmd.exe obfuscation and detection techniques. https://www.fireeye.com/blog/threat-research/2018/03/dosfuscation-exploring-obfuscation-and-detection-techniques.html. Accessed 19 May 2018
Server Virtualization and Os Trends. Spiceworks, Inc. https://community.spiceworks.com/networking/articles/2462-server-virtualization-and-os-trends. Accessed 24 May 2018
Virtual Machine Escape. https://en.wikipedia.org/wiki/Virtual_machine_escape. Accessed 17 May 2018
Treiber, L.: 0patch Blog. http://blog.0patch.com/2017/10/micropatching-hypervisor-with-running.html. Accessed 18 May 2018
Mir0sh: 4688(S): A new process has been created (Windows 10). https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688. Accessed 19 May 2018
pywin32: getting Windows event logs. The Mouse Vs The Python. https://www.blog.pythonlibrary.org/2010/07/27/pywin32-getting-windows-event-logs/. Accessed 27 May 2018
Comsecuris: vgpu_shader_pocs. https://github.com/Comsecuris/vgpu_shader_pocs. Accessed 18 May 2018
© 2020 Springer Nature Switzerland AG
Cite this paper
Yamiun, M.M., Katt, B., Gkioulos, V. (2020). Detecting Windows Based Exploit Chains by Means of Event Correlation and Process Monitoring. In: Arai, K., Bhatia, R. (eds) Advances in Information and Communication. FICC 2019. Lecture Notes in Networks and Systems, vol 70. Springer, Cham. https://doi.org/10.1007/978-3-030-12385-7_73
DOI: https://doi.org/10.1007/978-3-030-12385-7_73
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-12384-0
Online ISBN: 978-3-030-12385-7
eBook Packages: Intelligent Technologies and Robotics (R0)