A team of well-known security specialists who previously worked at the Microsoft Security Response Center and were involved in the development of EMET has published information about their new Windows product, Veramine. It is a cloud-based security solution that specializes in investigating anomalies in the operation of the system in order to detect various types of attacks and malicious actions, including pass-the-hash attacks, the operation of LPE exploits, the injection of malicious code into processes, etc.

Veramine studies the behavior of the target system using a client that sends information about events occurring in the system to the server; the server part then builds a model of the system's activity and tries to detect anomalies in it based on the rules it uses. The user can view the actions and possible anomalies occurring in the system through the web interface after logging in to his account on the server.
The paid version of Veramine differs from the free one in having more rules and methods for detecting malicious activity.

Fig. Detection of LPE exploit behavior.
The client part of Veramine collects comprehensive information about the actions and operations occurring in the system and sends it to a remote server, where it is analyzed. From the information received, the system generates warnings for the user and also helps him to learn about the following actions:
- The system starts a process whose command line matches a specific string.
- A process running in the system establishes outgoing network connections to a specific domain or IP address.
- A process running in the system loads an executable file with a specific MD5 hash into memory.
- The system starts processes from executable files without native support for DEP and ASLR.
- The system starts executing a file without a digital signature, but with elevated privileges.
- A process in the system sends more than 10MB of network traffic.
- A process in the system writes data to specific locations in the system registry.
- Processes have been running under the account of a compromised user for a certain period of time.
- A powershell process has launched files without a digital signature in the last 24 hours.
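As an added illustration of how rules like the ones listed above can be evaluated on the server side (this is example code written for this post, not Veramine's own code, and the event format, field names and watch-list values are constructed assumptions):

```python
from datetime import datetime, timedelta
# Constructed sample events in a hypothetical sensor format (not Veramine's).
NOW = datetime(2017, 6, 1, 12, 0)  # constructed evaluation time
EVENTS = [
    {"type": "process_start", "pid": 10, "cmdline": "drop.exe -run", "signed": False,
     "elevated": True, "dep_aslr": False, "ts": datetime(2017, 6, 1, 10, 0)},
    {"type": "process_start", "pid": 11, "cmdline": "notepad.exe", "signed": True,
     "elevated": False, "dep_aslr": True, "ts": datetime(2017, 6, 1, 10, 1)},
    {"type": "net_connect", "pid": 10, "dest": "bad.example", "bytes_out": 12 * 1024 * 1024},
    {"type": "image_load", "pid": 10, "md5": "0123456789abcdef0123456789abcdef"},
    {"type": "registry_write", "pid": 10, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "process_start", "pid": 12, "parent": "powershell.exe", "cmdline": "x.exe",
     "signed": False, "elevated": False, "dep_aslr": True, "ts": datetime(2017, 6, 1, 11, 0)},
]
# Watch lists an analyst would configure (constructed values).
WATCHED_CMDLINES = {"drop.exe -run"}
WATCHED_DOMAINS = {"bad.example"}
WATCHED_MD5 = {"0123456789abcdef0123456789abcdef"}
WATCHED_KEYS = {r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}
TRAFFIC_LIMIT = 10 * 1024 * 1024  # the 10MB threshold from the list above

def rule_hits(e, now=NOW):
    # Return the names of the rules from the list above that one event matches.
    hits = []
    if e["type"] == "process_start":
        if e["cmdline"] in WATCHED_CMDLINES:
            hits.append("watched_cmdline")
        if not e["signed"] and e["elevated"]:
            hits.append("unsigned_elevated")
        if not e["dep_aslr"]:
            hits.append("no_dep_aslr")
        if (e.get("parent") == "powershell.exe" and not e["signed"]
                and now - e["ts"] <= timedelta(hours=24)):
            hits.append("powershell_unsigned_child_24h")
    elif e["type"] == "net_connect":
        if e["dest"] in WATCHED_DOMAINS:
            hits.append("watched_destination")
        if e["bytes_out"] > TRAFFIC_LIMIT:
            hits.append("traffic_over_10mb")
    elif e["type"] == "image_load" and e["md5"] in WATCHED_MD5:
        hits.append("watched_md5")
    elif e["type"] == "registry_write" and e["key"] in WATCHED_KEYS:
        hits.append("watched_registry_key")
    return hits

def alerts_by_pid(events, now=NOW):
    # Aggregate hits per process so the analyst sees one alert per PID.
    out = {}
    for e in events:
        for h in rule_hits(e, now):
            out.setdefault(e["pid"], []).append(h)
    return out
```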
Veramine is positioned as a product that does not consume a lot of system resources or CPU time.
Continuous monitoring without compromising overall system performance. The Veramine sensor is aggressively optimized to minimize system overhead. After an initial enumeration period, the sensor consumes <1% CPU.

Fig. Veramine's alert about mimikatz, the well-known tool for pass-the-hash attacks.
The tool collects information about the following events in the system:
- process activity;
- network activity;
- login operations;
- registry operations;
- remote file operations;
- SMB operations;
- changes in service configuration;
- changes in the state of privileges of processes;
- password dumping operations.
The client part of Veramine consists of a driver that collects system events and a user-mode application that receives the information collected by the driver and sends it to the server. The client communicates with the server over a single outgoing TCP/IP connection to port 443. All information is transmitted to the server as a continuous stream over a secure TLS channel.
Veramine specializes in detecting the following types of attacks.
- Exploitation of LPE vulnerabilities to obtain the highest (SYSTEM) privileges in the system.
- Dumping of passwords and account data, for example, using the mimikatz tool.
- Unusual operations with processes and remote creation of threads, for example, the migrate technique known from metasploit.
- A user downloading malicious files from the Internet or e-mail and launching them for execution.
The tool does not require any signature updates for its work.
... the Veramine detection system requires no signature updates. It is not confirmed that it has been identified as malicious software. For this reason, the Veramine sensor happily coexists alongside existing traditional anti-malware products. It will not be necessary to observe the behavior of the computer.
FAQ: veramine.com/faq.html
You can get the free version of the product on the website: veramine.com