Detecting attempts to run untrusted code by using trusted executables in Azure Security Center


In February 2017, FireEye documented a sophisticated spear-phishing campaign targeting individuals within the Mongolian government. In the initial stage of this attack, the attackers bypassed AppLocker restrictions by using Regsvr32.exe, a trusted, signed Windows binary, which enabled them to run untrusted code. This technique has been used in many other attack campaigns. By using virtual machine behavioral analysis, Security Center can detect attempts to bypass AppLocker. When Security Center detects an attempt to run untrusted code by using trusted executables, it will trigger an alert similar to the one below.

While Security Center can help you to detect this attack, you can use EMET to mitigate it. Besides that, always remember to implement a least-privilege administrative model and privileged access workstations.
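To show what a behavioral detection of this pattern looks like on the endpoint side, here is an added example (not Security Center's own logic, and not code from the original post) that scans constructed process-creation records for the trusted-executable-loading-untrusted-code pattern described above. It assumes hypothetical event fields `image`, `cmdline` and `parent`, similar to what an EDR or Sysmon process-creation event carries, and flags a trusted binary that is given a remote URL, a file under a user-writable directory, or that is spawned by an Office document, the usual spear-phishing entry point.

```python
import re

# Constructed sample process-creation events (not real telemetry); field names
# are assumptions modelled on Sysmon event ID 1 / EDR process-start records.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "parent": r"C:\Program Files\Vendor\setup.exe"},          # benign install
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s https://files.example.invalid/update",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\jdoe\AppData\Local\Temp\x.dll",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe readme.txt",
     "parent": r"C:\Windows\explorer.exe"},                     # unrelated process
]

# Signed, AppLocker-allowed binaries that can load and execute code on behalf of a caller.
TRUSTED_EXECUTABLES = {"regsvr32.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
DOC_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an event looks like a trusted binary loading untrusted code ([] if benign)."""
    if basename(event["image"]) not in TRUSTED_EXECUTABLES:
        return []
    reasons = []
    if URL_RE.search(event["cmdline"]):
        reasons.append("remote-url-argument")        # code fetched from the network
    if USER_WRITABLE_RE.search(event["cmdline"]):
        reasons.append("user-writable-path")         # code staged where any user can write
    if basename(event["parent"]) in DOC_PARENTS:
        reasons.append("spawned-by-office-document")  # typical phishing-document parent
    return reasons


def scan(events):
    """Return (command line, reasons) for every event that trips at least one heuristic."""
    flagged = []
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged.append((event["cmdline"], reasons))
    return flagged
```

In a real deployment the heuristics would be tuned against the environment's software inventory; a vendor installer legitimately registering a DLL from Program Files should not fire, while the same binary reaching out to a URL from a Word process should.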
