Tracking and Responding to AgentTesla Using EDR

AhnLab Security Emergency response Center (ASEC) publishes a weekly summary of malware statistics.

https://asec.ahnlab.com/en/53647/

This post covers how EDR is used to detect, track, and respond to AgentTesla, an Infostealer that continues to be distributed and is among the malware mentioned in the post above.

AgentTesla is an Infostealer that steals user credentials saved in web browsers, emails, and FTP clients. AhnLab’s EDR products detect certain types of PE files accessing user account credential files and categorize this behavior as a threat.

Figure 1. AgentTesla-related EDR threat log
Figure 2. Details of account credential theft behavior

AgentTesla’s behavior can be tracked through the diagram shown in the detailed information of an account credential theft detection log.

Figure 3. Diagram of AgentTesla’s behavior

Figure 3 shows that AgentTesla copies files to the %appdata% directory and registers them as exclusions so that Windows Defender does not detect them. The diagram also shows that the files are registered in the Task Scheduler so that they are executed continuously.

Figure 4. Process tree information of AgentTesla’s behavior

Afterward, it goes through recursive execution to steal user account credentials and other information saved to web browsers and sends the collected data over an SMTP port to the threat actor’s IP.

With the information above, measures such as removing auto-execution registration entries, deleting the created files, and adding a user-defined rule policy on affected PCs can effectively prevent internal propagation.

First, a user-defined rule must be created using the information procured above by following this path: EPP -> Policy -> EDR User-Defined Rules -> Add -> Add New tab.

Figure 5. Making a new user-defined rule

The rule name must be easy to identify, and because this rule is created with information collected from malicious file samples, its severity must be set to High. Set the detection name and diagnostic message to be displayed in the threat entry and select Behavior-based rule.

Figure 6. Setting the rule name and detection name and diagnostic message to be displayed

Afterward, set 213.165.67.115:587, the IP detected in Figure 4, as a dynamic network condition. Dynamic network connection conditions are met very frequently by normal processes, and using them without static conditions may cause performance issues, so it is recommended to add a static condition as well.

Figure 7. Creating an AgentTesla C2 connection detection rule
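
The following added example (not AhnLab's rule engine and not code from the original post) evaluates the same rule logic over constructed connection events: the dynamic condition is the C2 endpoint from Figure 4, and a static condition on the process path decides whether a hit triggers a response or only a review. The AppData\Roaming static condition, the event fields, and the verdict names are assumptions.

```python
# Added example: static + dynamic rule conditions over constructed events.
from dataclasses import dataclass
from ipaddress import ip_address
from pathlib import PureWindowsPath

# Dynamic condition: the C2 endpoint the post reads from Figure 4.
C2_ENDPOINTS = {(ip_address("213.165.67.115"), 587)}

@dataclass(frozen=True)
class NetEvent:  # hypothetical event shape, not an AhnLab schema
    host: str
    image: str        # full path of the connecting process
    remote_ip: str
    remote_port: int

def static_match(image: str) -> bool:
    """Assumed static condition: the process image sits under AppData\\Roaming."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return ("appdata", "roaming") in zip(parts, parts[1:])

def dynamic_match(ev: NetEvent) -> bool:
    """True when the connection targets the known C2 IP and port."""
    try:
        return (ip_address(ev.remote_ip), ev.remote_port) in C2_ENDPOINTS
    except ValueError:  # malformed address in telemetry
        return False

def classify(ev: NetEvent):
    """'respond' = both conditions, 'review' = C2 contact only, None = no hit."""
    if not dynamic_match(ev):
        return None
    return "respond" if static_match(ev.image) else "review"

def triage(events):
    """Map each host with a hit to its verdict."""
    return {ev.host: v for ev in events if (v := classify(ev))}

# Constructed sample events (hosts, users and non-C2 addresses are made up).
SAMPLE_EVENTS = [
    NetEvent("PC-01", r"C:\Users\kim\AppData\Roaming\svc.exe", "213.165.67.115", 587),
    NetEvent("PC-02", r"C:\Program Files\Mail\client.exe", "198.51.100.25", 587),
    NetEvent("PC-03", r"C:\Users\lee\Downloads\invoice.exe", "213.165.67.115", 587),
    NetEvent("PC-04", r"C:\Users\park\AppData\Roaming\app\app.exe", "203.0.113.9", 443),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

PC-03 shows why the static condition should be chosen with care: a copy running outside AppData\Roaming still contacts the C2 and is surfaced here only as a review item.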

When this is saved, a rule that detects any connections made to AgentTesla’s C2 is created. To apply this rule to agents, a new EDR user-defined rule policy must be added.

User-defined rule policies can be added by following this route: EPP -> Policy -> Security Product Policy -> Add -> EDR Policy -> EDR User-defined Rule Policy.

Figure 8. Adding a user-defined rule policy

Use the Add button on the Add User-defined Rule Policy screen to add the behavior-based rule created in Figure 7 above.

Figure 9. Adding a behavior-based rule

When added, click Disable under Automatic Response to set automatic response processes for when the rule conditions are met.

Figure 10. Automatic response settings

Apply this newly created policy to enable automatic blocking and responses when a connection to the same C2 is made from another PC.

Figure 11. Detection with a user-defined rule
Figure 12. A PC whose network connection has been restricted by automatic response

As seen above, EDR products can be used to track malware and respond to these threats to prevent further propagation.

[File Detection]
Trojan/Win.PWSX-gen (2023.05.31.02)

[Behavior Detection]
Infostealer/EDR.Event.M2460

[IOC]
928eaefb92ff4d1ed3453bde534e6554

More details about AhnLab EDR which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis can be found here on the AhnLab page.

The post Tracking and Responding to AgentTesla Using EDR appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/53739/