Monitoring Evasion

5 automated security scanners


Purpose: The Log Manipulation Detection Scanner is designed to identify and alert about potential tampering, deletion, and poisoning of log files within an organization. It utilizes advanced threat intelligence analysis techniques to detect malicious activities such as CVE references, malware indicators, command and control (C2) references, phishing and credential harvesting indicators, and exposure indicators that could suggest unauthorized access or data breaches.

What It Detects:

  • CVE References: Identifies patterns indicative of known vulnerabilities in log systems that might have been exploited for malicious purposes.
  • Malware Indicators: Detects keywords associated with malware, ransomware, and trojans which are often used to target logging infrastructure.
  • Command and Control (C2) References: Looks for references to servers used in command and control activities, a common tactic in log poisoning attacks.
  • Phishing and Credential Harvesting Indicators: Identifies indicators of phishing attempts or credential harvesting activities that could be leveraged to manipulate logs.
  • Exposure Indicators: Detects patterns suggesting data exposure, breaches, or unauthorized access which might result from log tampering.

Inputs Required:

  • domain (string): The primary domain to analyze for log manipulation indicators. This input helps the scanner focus its analysis on a specific organization’s logging systems and associated domains.

Business Impact: Ensuring the integrity of logs is crucial for maintaining trust in digital security measures, preventing unauthorized access, and facilitating swift response to potential threats. Detecting and mitigating log tampering can significantly reduce the risk of data breaches and enhance overall cybersecurity posture.

Risk Levels:

  • Critical: Findings include direct evidence of CVE exploitation or malware deployment affecting critical systems.
  • High: Significant indicators of phishing, credential harvesting, or exposure events that could lead to severe consequences if exploited.
  • Medium: Patterns suggesting potential vulnerabilities in logging systems but without immediate high impact.
  • Low: Informal indications of suspicious activities not yet confirmed as malicious but warranting monitoring for further analysis.
  • Info: Routine checks and findings indicating minimal risk or non-critical issues that do not pose an immediate threat.

Example Findings:

  • “Critical: Detected direct CVE-2021-44228 exploitation affecting multiple log servers.”
  • “High: Indicators of ongoing phishing campaigns targeting employee credentials, suggesting potential future log manipulation.”
  • “Medium: Weaknesses identified in the network configuration that could be exploited for unauthorized access if not addressed promptly.”
  • “Low: Unusual activity detected on a secondary logging server, possibly due to routine maintenance.”
  • “Info: Routine check indicates no significant threats but recommends updating antivirus definitions and monitoring remote log accesses more closely.”

This structured overview provides a detailed understanding of the scanner’s capabilities and its role in enhancing digital security measures.


Purpose: The Timestomping Detection Scanner is designed to identify potential attempts to hide malicious activities by altering file creation, modification, or access times. It aims to detect metadata manipulation and timestamp forgery to ensure the integrity and authenticity of digital assets.

What It Detects:

  • Files with timestamps that do not align with expected activity patterns are identified as anomalies.
  • Files where creation and modification times are identical suggest manual timestamp manipulation, indicating potential tampering.
  • Suspicious file creation at unusual hours or during non-working days suggests unauthorized activities.
  • Inconsistencies in timestamps across multiple files may indicate unauthorized access attempts.
  • File metadata is searched for known threat indicators such as CVE numbers, malware signatures, and command and control references in order to detect potential threats.

Inputs Required:

  • domain (string): Primary domain to analyze for potential timestomping activities (e.g., acme.com). This input allows the scanner to target specific domains for analysis related to metadata manipulation and timestamp forgery.

Business Impact: Timestomping can be a critical security issue as it undermines the integrity of digital evidence, potentially allowing malicious actors to hide their tracks or manipulate system logs to evade detection. The ability to detect such manipulations is crucial for maintaining trust in digital systems and preventing unauthorized access to sensitive information.

Risk Levels:

  • Critical: Files with timestamps set far into the future or past relative to other files on the system, suggesting significant tampering.
  • High: Identical creation and modification times within a file, indicating manual timestamp manipulation.
  • Medium: Files created at unusual hours or during non-working days when legitimate user activity is unlikely.
  • Low: Minor inconsistencies in timestamps across multiple files that may indicate unauthorized access attempts but do not necessarily suggest malicious intent.
  • Info: Informational findings related to the detection of known threat indicators in file metadata, which could be useful for further investigation but do not pose immediate critical risks.

Example Findings:

  1. A file with a creation timestamp set far into the future relative to other files on the system was detected as an anomaly, suggesting potential tampering.
  2. A file whose creation and modification times are identical indicates manual manipulation of its metadata timestamps, which is considered high risk because of the possibility of hidden malicious activities.
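As an added example, not the scanner's own code, the Python below applies the timestamp rules from the Risk Levels above to a constructed set of file metadata records: far future or past relative to the other files (Critical), identical creation and modification times (High), and activity outside working hours or on a weekend (Medium). The working-hours window, the 365-day drift threshold, and the use of the corpus median modification time as the "other files on the system" baseline are assumptions; the Low tier (minor cross-file inconsistencies) is not implemented, and clean files are returned as Info.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed local working-hours window (hour is inclusive at start, exclusive at end).
WORK_START, WORK_END = 8, 18
# Assumed threshold for "far into the future or past" relative to the corpus baseline.
FAR_DRIFT = timedelta(days=365)


@dataclass(frozen=True)
class FileMeta:
    path: str
    created: datetime
    modified: datetime


def reference_time(files):
    """Median modification time across the corpus; the baseline the page's
    Critical rule compares against ("relative to other files on the system")."""
    ordered = sorted(f.modified for f in files)
    return ordered[len(ordered) // 2]


def outside_working_hours(ts):
    """True on Saturday/Sunday or outside the assumed working-hours window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def classify(f, reference):
    """Apply the page's tiers in priority order; the first matching rule wins."""
    if (abs(f.created - reference) > FAR_DRIFT
            or abs(f.modified - reference) > FAR_DRIFT):
        return "Critical"          # timestamps far from the rest of the corpus
    if f.created == f.modified:
        return "High"              # identical creation and modification times
    if outside_working_hours(f.created) or outside_working_hours(f.modified):
        return "Medium"            # activity when legitimate use is unlikely
    return "Info"                  # nothing matched; Low tier not implemented here


def scan(files):
    """Return {path: risk level}; an empty corpus has no baseline and yields {}."""
    if not files:
        return {}
    ref = reference_time(files)
    return {f.path: classify(f, ref) for f in files}


# Constructed sample corpus (not real data). March 2024: 11th is a Monday,
# 12th Tuesday, 13th Wednesday, 14th Thursday, 16th Saturday.
SAMPLE_FILES = [
    FileMeta("report.docx", datetime(2024, 3, 11, 9, 15), datetime(2024, 3, 12, 14, 30)),
    FileMeta("notes.txt", datetime(2024, 3, 12, 10, 0), datetime(2024, 3, 12, 10, 0)),
    FileMeta("dropper.exe", datetime(2010, 1, 1, 0, 0), datetime(2010, 1, 1, 0, 0)),
    FileMeta("backup.zip", datetime(2024, 3, 16, 2, 45), datetime(2024, 3, 16, 2, 50)),
    FileMeta("config.ini", datetime(2024, 3, 13, 11, 0), datetime(2024, 3, 14, 16, 0)),
]

if __name__ == "__main__":
    for path, level in scan(SAMPLE_FILES).items():
        print(f"{level:8s} {path}")
```

The High rule deserves corroboration before escalation: on many filesystems a file that was written once and never touched again legitimately carries equal creation and modification times, so that signal alone is noisy and is best confirmed against an independent source such as the filesystem journal or backup copies.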

Purpose: The Encrypted C2 Detection Scanner is designed to identify and analyze various techniques used by malware and command and control (C2) servers to evade TLS inspection, domain fronting, and protocol tunneling. This tool helps in identifying potential malicious activities that may bypass security measures intended to protect communication channels from unauthorized interception.

What It Detects:

  • TLS Inspection Evasion: The scanner detects patterns related to techniques used by malware to bypass TLS inspection, such as the use of phrases like “tls inspection evasion” or “bypass tls.”
  • Domain Fronting: Malware may utilize domain fronting strategies that manipulate DNS resolution to direct traffic through a different server than intended. The scanner looks for indicators of this behavior in headers like “domain fronting” and “host header steering.”
  • Protocol Tunneling: Malicious actors might use protocol tunneling over HTTP or HTTPS to hide data exfiltration activities. This is detected by searching for terms related to protocol tunneling within the domain content.
  • Known Exploited Vulnerabilities (CISA KEV): The scanner scans for specific vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog, which could be exploited for C2 communication. These are identified using regular expressions matching CVEs.
  • Malicious Indicators: The scanner flags domains associated with known malware, ransomware, trojans, or other malicious indicators of command and control activities.

Inputs Required:

  • domain (string): This is the primary domain to be analyzed. Users must provide a valid domain name for the tool to perform its analysis.

Business Impact: Identifying evasion techniques used by malware in C2 communications is crucial as it helps security teams proactively mitigate risks associated with unauthorized data access and potential breaches. Detecting these tactics early can significantly enhance network security posture, preventing potential data theft or other malicious activities.

Risk Levels:

  • Critical: The scanner does not explicitly define conditions for critical risk levels in the provided sections of the README. However, such a severity could be assigned if patterns indicative of highly sophisticated and dangerous malware are detected.
  • High: High risk is associated with techniques that significantly increase the likelihood of bypassing security measures, such as TLS inspection evasion or domain fronting. If these tactics are identified in substantial numbers or through critical vulnerabilities, this would warrant a high severity assessment.
  • Medium: Medium risk findings might include less common but still significant evasion methods or indicators that could be mitigated with further investigation and possibly user interaction to confirm suspicious activity.
  • Low: Low risk findings usually pertain to benign activities or patterns that do not significantly impact security posture, such as minor protocol tunneling instances without clear malicious intent.
  • Info: Informational findings provide context but generally pose minimal threat unless they escalate in severity.

If the README does not specify exact risk levels, one might infer that critical and high risks are associated with overt signs of malware activity or significant evasion tactics, while medium to low risks involve less obvious indicators or activities that could be benign.

Example Findings:

  • The domain “maliciousdomain.com” shows multiple instances of obfuscated language suggesting TLS inspection evasion techniques in its documentation.
  • An IP address linked to the domain exhibits abnormal traffic patterns indicative of protocol tunneling over HTTPS, which is flagged as a potential risk due to the covert nature of such activities.

Purpose: The SIEM Blind Spot Analysis Scanner is designed to identify coverage gaps and detection bypass methods in Security Information and Event Management (SIEM) systems. By analyzing exposed services, vulnerabilities, and threat intelligence feeds, this scanner helps organizations pinpoint areas where their SIEM might be missing critical data or being evaded.

What It Detects:

  • Exposed Services: Identifies publicly accessible services that could be exploited, such as SSH, Telnet, FTP, HTTP, and HTTPS ports.
  • Known Vulnerabilities: Detects known vulnerabilities in exposed services using the CISA KEV list, which includes specific pattern matches for CVEs.
  • Malware and Ransomware Indicators: Scans for indicators of malware or ransomware activities, including keywords like “malware,” “ransomware,” and “trojan.”
  • Command and Control (C2) Activity: Identifies potential command and control servers or channels, with patterns that include terms related to command and control.
  • Phishing and Credential Harvesting: Detects signs of phishing attacks or credential harvesting attempts, including keywords like “phishing” and “credential harvesting.”

Inputs Required:

  • domain (string): The primary domain to analyze, such as acme.com. This input is essential for directing the scanner’s analysis towards a specific target.

Business Impact: Identifying exposed services, known vulnerabilities, malware indicators, C2 activity, and phishing activities is crucial for maintaining robust security posture in SIEM systems. These findings can help organizations prioritize patches, implement network segmentation, and enhance overall threat detection capabilities.

Risk Levels:

  • Critical: Conditions that could lead to immediate data loss or system compromise, such as unpatched vulnerabilities or high-risk malware indicators.
  • High: Conditions that pose significant risk but are not immediately critical, such as exposure of sensitive services like SSH and HTTP/HTTPS.
  • Medium: Conditions that may indicate potential risks if left unchecked, such as the presence of phishing activities in the network environment.
  • Low: Informative findings that do not directly impact security but can provide context for ongoing monitoring and improvement efforts.

Example Findings:

  1. The scanner identifies an SSH service running on port 22, which is a critical exposed service that could be exploited by malicious actors.
  2. It detects the presence of known vulnerabilities in services like Apache Struts (CVE-2021-44228), indicating potential security gaps that need immediate attention.

Purpose: The Alert Throttling Fatigue Exploitation Scanner is designed to evaluate whether an organization’s alerting system is being exploited through throttling fatigue. This occurs when attackers overwhelm the security team with a high volume of alerts, thereby reducing their ability to effectively detect and respond to real threats.

What It Detects:

  • High Volume of Alerts: Identifies patterns indicating a large number of alerts generated within a short period, often due to automated or malicious activities.
  • Known Exploited Vulnerabilities: Recognizes vulnerabilities that could be exploited by attackers to generate excessive alerts, potentially masking the detection of critical threats.
  • Malware and Ransomware Indicators: Looks for indicators of malware or ransomware activities that might lead to alert fatigue, such as repeated failed login attempts or unusual data access patterns.
  • Command and Control (C2) Activity: Detects patterns related to command and control servers, which could be used to orchestrate large-scale attacks, leading to a deluge of alerts.
  • Phishing and Credential Harvesting Attempts: Identifies phishing attempts or credential harvesting activities that might generate numerous alerts, consuming the security team’s resources without providing significant threat intelligence.

Inputs Required:

  • domain (string): The primary domain to analyze, which serves as the focal point for detecting alert fatigue exploitation patterns across various network and system interactions.

Business Impact: This scanner is crucial for organizations concerned with maintaining a robust security posture against sophisticated cyber threats. By identifying and mitigating alert fatigue, it helps ensure that critical alerts are not drowned out by false positives or noise generated through malicious activities, allowing the security team to focus on genuine threats more effectively.

Risk Levels:

  • Critical: Conditions exist where repeated failed login attempts or significant data access patterns indicative of malware suggest a high level of alert fatigue exploitation, potentially masking actual breaches.
  • High: Known vulnerabilities being exploited without remediation could lead to an escalation in the number and severity of alerts, indicating a critical need for immediate attention.
  • Medium: Emerging indicators of phishing activities or unauthorized data access might not yet trigger critical alerts but are indicative of potential future exploitation, warranting monitoring and possible preventive actions.
  • Low: Minimal instances of high volume alerts that can be attributed to routine system activity rather than exploitation could still be monitored for trends or anomalies in alert generation.
  • Info: Routine system scans or minor vulnerabilities identified without active exploitation might not pose an immediate threat but are useful for maintaining a baseline understanding of network and system health.

Example Findings:

  1. A domain consistently generates over 500 alerts within a single day, with no apparent correlation to actual threats detected by other security tools.
  2. Known vulnerabilities such as CVE-2023-1234 are exploited on multiple systems across the network, leading to an exponential increase in alert volume unrelated to genuine breaches.