Embed Size (px)
Citation preview
Hunting for Unfriendly Easter EggsCapturing evidence of APT attacks
Michael Robinson & Craig Astrich
Introductions
Michael Robinson Craig Astrich
Page 2
Historical Note
• Term originated within the U.S. Air Force in 2006.
• Originally used so Air Force personnel could discuss a series of attacks attributed to a specific set of actors located in Asia-Pacific region with uncleared partners.
• The term appeared more publicly in 2008-2009 in conferences.
• The term has hit mainstream media in 2010 with the announcement of Operation Aurora.
• Attacks from foreign adversaries occurred before 2006.
Defining Advanced Persistent Threat (APT)
Page 3
APT Model
Model created in 2009.
Desire to break the chain as far to the left as possible.
Cloppert’s Kill Chain
Page 4
Defensive/protective measuresClean-up costs
APT Model
Recognized, but the model has limitations.
Not effective in defining all of the characteristics of the life cycle.
Cloppert’s Kill Chain
Page 5
Lots of activitygrouped together
ATTRIBUTION
Specificattacker/actor
Shift in Term’s Meaning
New de facto Model
Page 6
Attack withspecific characteristics
Tremendous Confusion Over the Term’s Meaning
New de facto Model
Page 7
Is it a person or an attack type?
Are the attackers nation states, terrorists, organizations or individuals?
Does it necessarily involve zero day exploitation?
Is customized malware always involved?
Do these attacks frequently use social networking/phishing attacks?
Are targets information resources or financial repositories?
Is it marketing hype?
Advanced Skills that run the full gamut.Capable of using basic tools and writing custom code.
Persistent Long-term interest and continued targeting.
Threat A person who mans the console behind the attack, rather the pre-configured malware (set it and forget it).
As a Proper Noun?
APT Definition – What do these terms mean?
Page 8
Combined, do the terms clearly articulate the challenge?
It isn’t detected by AV.
It survives reboots.
It that could steal data that would be harmful to the organization.
As malware?
Redefining the Model
Expand APT attacks into a full life cycle to obtain a better understanding.
The lifecycle recognizes the iterative process where an adversary obtains a deeper foothold into the network through lateral movement.
Move from the APT Kill Chain to the APT Life Cycle
Page 9
Redefining the Model
Interpreting data associated with each step to be based on use cases rather opinion.
Move from the APT Kill Chain to the APT Life Cycle
Page 10
Typical Attack
Page 11
Mail Server Domain Controller
SMTP Relay;Botnet C2 Server
Example of an Attack
Mail Server
Indicators of Compromise (IOCs)
Inbound email with attachmentAttachment cached in OLK folderAttachment executed – Prefetch
Outbound connection establishedFile downloaded
File cached - Change Journal entryFile executed - Prefetch file created
New DLL createdAutostart/autorun locations modified
Restore Point modifiedService restarted with injected DLL
Page 12
Domain Controller
SMTP Relay;Botnet C2 Server
Indicators of Compromise (IOCs)
• Outbound connection• New file downloaded• Lateral traffic• Query of Domain Controller• Existing accounts modified
Example of an Attack
Page 13
What a mess.
Redefining the Model
Review of each step…
Page 14
Redefining the Model
Page 15
…produces a comprehensive list of indicators.
Redefining the Model
• 300+ Indicators of Compromise (IOCs) were identified.
• IOCs were identified from multiple sources, i.e., disk, files, memory, and network traffic.
• The appearance of an individual IOC is likely to be insignificant.
• When multiple IOCs appear within close proximity of each other, i.e., clustering of events, the severity of an incident increases and the likelihood of a false positive decreases.
• Many IOCs are not monitored by typical security controls.
Results of Analysis
Page 16
APT Life Cycle
Step 1-1: Initial Reconnaissance
Page 17
Profile information is acquired about the organization and it’s employees.
Sources of information about primary/secondary targets may come from the following sources:
- Press releases- Corporate websites- Job postings- Tech forums- DNS records and registration- Social network sites, e.g., Facebook, LinkedIn, Spokeo- Pastebin
APT Life Cycle
Step 1-2: External Weaponization
Page 18
Two sets of tools may be leverages as weapons.
Custom malware may be developed based on targeted intelligence obtained during the initial reconnaissance phase that leverages the use of carefully choreographed social engineering.
Generic tools to be used during a “shotgun” approach could be used to “blast” all of the users of a network, as in a large spam/phishing campaign.
APT Life Cycle
Step 1-3: External Delivery
Page 19
Malicious payload is delivered to a victim via online or physical means.
The attack vectors may include:- Spam/Phishing- Spoofed e-mail/Spear Phishing/Whaling- Social networking sites- External media (USB storage media, CD/DVDs)- Network probe via Wi-Fi
- An external resource, such as DNS cache, is modified.
APT Life Cycle
Step 1-3: External Delivery
Page 20
Indicators of Compromise may include:- Identical spam in multiple users’ mailboxes- E-mail where origin SMTP IP address does not match domain name (reverse lookup)- E-mail’s SMTP address originates from an open relay (which accounts for 20% of spam on the Internet)- Unauthorized use of USB ports- Unauthorized network traffic- Unauthorized CD/DVDs in the workplace- Connections to websites with malicious content or sites with known drive-by attacks
APT Life Cycle
Step 1-4: Initial Exploitation
Page 21
The malicious content has been sent to the target(s) and the payload is executed locally.
Examples of an initial exploitation activity include:- A link that has been clicked by the user.- An e-mail attachment that is opened.- An object on a web page that is automatically executed by a browser or browser helper object (BHO).- A CD/DVD is inserted into a computer and a file is open or executed.
Indicators of Compromise may include:- Unresolved IP address and SMTP server- Redirects to hostile websites- Malicious JavaScript in a user’s cached Internet files- Executable files in a user’s cached Internet files, which may include .exe files, Flash files, etc.- PDFs with malicious content with OLK cache- Changes to the MUI cache- Modifications to the local HOSTS file- LNK file appears
Tangent: LNK Files
Page 22
MAC address of NIC on the computer where the shortcut was created.
Location of the target file.
Volume Serial Number
This should match the volume serial number of this particular drive, because the target path is C:\...
These timestamps are of the target file.
(Remember, these are stored within the LNK file. EnCase didn’t query the target file.)
APT Life Cycle
Step 1-5: Initial Installation
Page 23
Malicious software is installed on the system that has been targeted and exploited.This could result in the download and installation of a second-stage piece of malware.The running of the malicious software may result in a new application running or a new file being injected into a running process.
Indicators of Compromise may include:- Objects in the Internet cache- Files in OLK cache folder- Attachments with executable code within e-mails- Files with MZ header in the temp folder of the user’s profile or within C:\Windows\Temp.- New Prefetch files which include references to new drivers or recently downloaded files- Modifications to existing software drivers- Artifacts for persistence, e.g., addition to the autorun locations within the Windows Registry- Changes to $USN_Journal, especially code 0x0100- Outbound network traffic in the form of a beacon or DNS lookup to confirm network connectivity. (Lookups may use hostile sites, but may also use well-known sites with high up-time).
Tangent: $USN Journal Codes
Page 24
0x01 Data in one or more named data streams for the file was overwritten.0x02 The file or directory was added to.0x04 The file or directory was truncated.0x10 Data in one or more named data streams for the file was overwritten.0x20 One or more named data streams for the file were added to.0x40 One or more named data streams for the file was truncated.0x100 The file or directory was created for the first time.0x200 The file or directory was deleted.0x400 The user made a change to the file's or directory's extended attributes. These NTFS attributes are
not accessible to Windows-based applications.0x800 A change was made in the access rights to the file or directory.0x1000 The file or directory was renamed, and the file name in this structure is the previous name.0x2000 The file or directory was renamed, and the file name in this structure is the new name.0x4000 A user changed the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute. That is, the user
changed the file or directory from one that can be content indexed to one that cannot, or vice versa.0x8000 A user has either changed one or more file or directory attributes or one or more time stamps.
0x200000 A named stream has been added to or removed from the file, or a named stream has been renamed.
0x80000000 The file or directory was closed.
Reference: http://www.forensickb.com/2008/09/enscript-to-parse-usnjrnl.html
0x100 indicates a file was created.
0x200 indicates a file was deleted.
0x2000 indicates a file was renamed.
0x80000000 indicates a file was closed.
Tangent: $USN Journal Example
Page 25
A new file is created on the drive with the name badcode.exe.
badcode.exe 0x100
Content is added to badcode.exe. badcode.exe
0x100 + 0x02
0x102
89245
89245
Action Name CodeFile ID
badcode.exe is closed. badcode.exe
0x102+ 0x80000000
0x8000010289245
The file is renamed from badcode.exe to svchost.exe
badcode.exe 0x100089245
svchost.exe 0x200089245
svchost.exe
0x2000+ 0x80000000
0x8000200089245The same file identifier was used throughout the process.
Renames should always appear in pairs.
At this point, the file is closed and there is no activity on the disk.
05/28/12 09:28:25
Time
05/28/12 09:28:27
05/28/12 09:28:27
05/28/12 09:28:29
05/28/12 09:28:29
05/28/12 09:28:29
APT Life Cycle
Step 1-6: Command & Control Activity
Page 26
The infected computer establishes a connection with a remote computer. While this may involve creation of listener that responds to an inbound connection, it will likely be an executable or injected process that creates an outbound connection to a remote host. The remote host may be a command and control server, it could be a proxy server, or an infected computer that is part of a botnet.
Indicators of Compromise may include:- New running processes- Restarted running processes which contain injected code- New Prefetch files which include references to new drivers or recently downloaded files- Disabling of normal services, e.g., anti-virus engines or the local firewall- Outbound network traffic- Network connections stored on the infected computer to non-legitimate sources.
Tangent: Prefetch Files
Page 27
08/19/09 01:22:19PM
Prefetch File Analysis: WinPrefetchView
Page 28
APT Life Cycle
Step 2-1: Internal Reconnaissance
Page 29
Information is gained about the infected computer and LAN.
Sources of information used during reconnaissance may include:- OS footprint- User name and profile information- IP addresses/DHCP information- Domain name- Names of network, e.g., list of domain controllers, internal DNS servers, and network services- Network connections
Indicators of Compromise may include:- Connectivity to an Internet-based resource used to deliver commands to the infected computer- Lateral network traffic and PINGs- Connections to network shares- Abnormal running services/processes- Creation of Prefetch files for network diagnostic tools, such as netstat- Additions to the UserAssist Registry keys- Installation of administrator tools on the infected computer to perform reconnaissance activities
APT Life Cycle
Step 2-2: Internal Weaponization
Page 30
The tools used to internally compromised are not necessarily the same as those used to gain initial access to the system.
These tools may be administrator tools, such as PSEXEC. Some may be customized.
Indicators of Compromise may include:- Connectivity to an Internet-based resource used to deliver commands to the infected computer- Installation of new executable files to the user’s profile or C:\Windows\System32 directory.- Changes to $USN_Journal, especially code 0x0100- Creation of Prefetch files to indicate existing administration tools were run.
APT Life Cycle
Step 2-3: Internal Delivery
Page 31
Tools used for the advancement throughout the network are copied to the infected computer.
Indicators of compromise may include:- Connectivity to an Internet-based resource used to deliver commands to the infected computer- New files on the file system- Modifications to timestamps; inconsistencies between $SIA and $FN portions of the $MFT- Changes to the $USN_Journal, especially code 0x0100- Changes to the list of network connections maintained within memory of the infected computers- Internal, lateral network traffic
Tangent: Timestamps
Page 32
All eight timestamps are in $MFT.
$STANDARD_INFORMATIONType: 0x10Min Size: 0x30Max Size: 0x48
Read offset to attribute content and add:• Created (0x00)• Last Modified (0x08)• MFT Entry Modified (0x10)• Last Accessed (0x18)
$FILE_NAMEType: 0x30Min Size: 0x44Max Size: 0x242
Read offset to attribute content and add:• Created (0x08)• Last Modified (0x10)• MFT Entry Modified (0x18)• Last Accessed (0x20)
Tangent: Timestamps
Page 33
Standard Information
Attribute
FileName
Attribute
Standard Information AttributeCreated: 12/29/2011 9:00:00AMLast Modified: 12/29/2011 9:00:00AMLast Access: 12/29/2011 9:00:00AMMFT Entry: 01/13/2012 11:15:30AM
File Name AttributeCreated: 01/13/2012 11:13:18AMLast Modified: 01/13/2012 11:13:18AMLast Access: 01/13/2012 11:13:18AMMFT Entry: 01/13/2012 11:13:18AM
APT Life Cycle
Step 2-4: Internal Exploitation
Page 34
During internal exploitation an attacker positions himself to move laterally by compromising the integrity of another system within the network. This may involve obtaining escalated privileges, exploiting the operating system, user application, or implanting code that will execute.
Indicators of compromise may include:- Connectivity to an Internet-based resource used to deliver commands from the infected computer- New files on the file system- Modifications to timestamps; inconsistencies between $SIA and $FN portions of the $MFT- Changes to the $USN_Journal, especially code 0x0100- Modifications to the autorun locations, which would allow an executable to launch or inject malicious code with a known process, e.g., explorer.exe- Internal, lateral network traffic
Lateral Connections within the LAN
Page 35
C:\Users\robinson>netstat -ano
Active Connections
Proto Local Address Foreign Address State PIDTCP 0.0.0.0:135 0.0.0.0:0 LISTENING 964TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4TCP 0.0.0.0:912 0.0.0.0:0 LISTENING 3624TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1492TCP 10.201.152.21:139 0.0.0.0:0 LISTENING 4TCP 10.201.152.21:49269 10.50.5.207:5061 ESTABLISHED 5708TCP 10.201.152.21:49724 10.201.152.18:8080 ESTABLISHED 7340TCP 10.201.152.21:52100 173.194.73.147:80 ESTABLISHED 1320TCP 10.201.152.21:64561 10.50.4.128:2310 CLOSE_WAIT 4784TCP 127.0.0.1:7778 0.0.0.0:0 LISTENING 3136TCP 127.0.0.1:16386 127.0.0.1:52444 TIME_WAIT 0
This IP address is for a neighboring PC.Why?
APT Life Cycle
Step 2-5: Internal Installation
Page 36
During the internal installation phase an attacker compromises the integrity of another system within the network. This may involve exploiting the operating system, exploiting a user application, or implanting malicious code that will execute. The insertion of this code would circumvent intrusion detection systems. The use of known, legitimate administration tools would not be captured by anti-virus software.
Indicators of compromise may include:- Connectivity to an Internet-based resource from the initially infected computer.- Connectivity to an Internet-based resource used to deliver commands to the newly infected computer- New running processes- Restart of existing processes to include injected code- Creation of Prefetch files to indicate existing administration or malicious tools were run.- Internal, lateral network traffic
APT Life Cycle
Step 2-6: Persistence
Page 37
An attacker establishes persistence on a network when he maintains a presence in the network as various machines go offline or as incident response procedures are implemented. This will frequently involve establishing connectivity with multiple hosts on the compromised network.
Indicators of compromise may include:- Connectivity to an Internet-based resource from the initially infected computer.- Connectivity to an Internet-based resource from the multiple computers. This may be a beacon to test connectivity, e.g., DNS lookups, etc.- Outbound network traffic from computers that don’t typically communicate to the Internet, e.g., print servers, domain controllers- New running processes- Restart of existing processes to include injected code- Addition of Prefetch files- Internal, lateral network traffic- New user accounts on local hosts or within a domain controller- Change of permissions/rights/roles of existing network accounts.
APT Life Cycle
Iterative Process
Page 38
Once inside the network, the attacker engages in an iterative process to retain a foothold within the compromised network.
This can result in:- New malware being launched within the network to upgrade existing malware that may
be detected by anti-virus software- Disabling network security safeguards to avoid detection- Erasing artifacts, such as log files, etc.- Lateral traffic between computers.
APT Life Cycle
Iterative Process
Page 39
Indicators of Compromise may include:- Connectivity to an Internet-based resource from the multiple computers.- Outbound network traffic from computers that don’t typically communicate to the Internet, e.g., print servers, domain controllers- New running processes- Restart of existing processes to include injected code- Creation of Prefetch files to indicate existing administration or malicious tools were run.- Internal, lateral network traffic- New user accounts on local hosts or within a domain controller- Change of permissions/rights/roles of existing network accounts.- Reinfection of previously cleaned computers- Exfiltration data files on computers. This may include the presence of empty files that are re-used.
APT Life Cycle
2-7: Mission Fulfillment
Page 40
An attacker successfully fulfills his mission, which may include:- the exfiltration of data from the network- launching a denial of service attack- incorporate infected computers into a botnet
Indicators of compromise may include:- Connectivity to an Internet-based resource from the multiple computers.- Outbound network traffic from computers that don’t typically communicate to the Internet, e.g., print servers, domain controllers- New running processes- Restart of existing processes to include injected code- Addition of Prefetch files- Internal, lateral network traffic- New user accounts on local hosts or within a domain controller- Change of permissions/rights/roles of existing network accounts.
Hunting for Unfriendly Easter EggsCapturing evidence of APT attacks
Michael Robinson & Craig Astrich
