ADVERSARIAL APPROACH TO IMPROVE DETECTION CAPABILITIES

RomHack - Adversarial approach to Improve … › slides › RomHack 2018 - Massimo...Filtering -Tools: Tips and Tricks Amazing feature here 18 October 2016 Your text here Your text


Page 1:

ADVERSARIAL APPROACH TO IMPROVE DETECTION CAPABILITIES

Page 2:

Massimo Bozza - Ethical Hacker, Senior Security Engineer - @maxbozza

Pietro Romano - Principal Security Engineer - @tribal_sec

Page 3:

AGENDA

Adversarial approach
- Simulation vs emulation

IoC & IoA - Fusion

Adversary Simulation Framework
- Threat analysis
- Attack
- Detection

Scenario
- APT3
- KovCoreG

Next Steps

Page 4:

ADVERSARIAL APPROACH

Page 5:

ADVERSARIAL APPROACH - WHAT IS & ISN'T

Isn't:
- Classic Red Teaming
- Black-box activity
- Penetration Test
- One shot activity

Is:
- White-box activity
- Cooperative process
- Repetitive process
- Cross team

Page 6:

ADVERSARIAL APPROACH - GET STARTED

No standard definition for adversary simulation:
• Purple teaming
• Threat emulation
• Attack simulation

Main goals
• Improve security Detection and Response, underlining blind spots
• KPI for budget allocation
• Train Blue Team against targeted attacks
• Evaluate blinky boxes / detection tools

Page 7:

ADVERSARIAL APPROACH - SIMULATE vs EMULATE

SIMULATE                                   EMULATE
Almost same TTP of attackers               Same TTP of attackers
Tools with same behavior                   Attacker's custom tools
Automation

Page 8:

ADVERSARIAL APPROACH - SIMULATE vs EMULATE

SIMULATE                                   EMULATE
Less accurate                              More accurate
Re-use of available tools                  More time consuming
Sometimes attacker's behaviors are undisclosed
More scalable

Page 9:

IOC - IOA FUSION

Page 10:

CLASH: IoC vs IoA

Indicator of Compromise
• IP address
• Hash
• Exploits
• Malware
• Signatures
• Pattern

Indicator of Attack
• Lateral Movement
• Code Execution
• C&C
• Persistence actions

Page 11:

FUSION: IoC & IoA

Reactive Indicators (IoC) + Proactive Indicators (IoA) + Logs -> Detection & Response

Page 12:

CYBER KILL CHAIN & MITRE ATT&CK

Cyber Kill Chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Lateral Movement

MITRE ATT&CK: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control

Page 13:

ADVERSARY SIMULATION FRAMEWORK

Page 14:

Adversary Simulation Framework

Framework Modules: Threat Analysis, Attack & Kill Chain simulation, Detection

Points of Contact: Sharing, Testing, Results analysis

Page 15:

THREAT ANALYSIS

Human-led process
Enriches existing security measures
Contextual insight data

Threat Intel: OSINT Feed, Custom Feed
Knowledge Base: Threat Group, Attack Scenario, Attack Path, Tools/Weapons

Page 16:

THREAT ANALYSIS - Overview

01 Threat Intelligence
• Data collection As a Service
• OSINT

02 Data Filtering
• Filtering by Industry
• Filtering by target technology
• Threat Groups
• Tactics

03 Data Analysis
• Techniques identification
• Weapons/Tools used
• Attack paths
• Operational flows / Procedure

04 Reporting / KB
• Data Presentation
• Data Sharing
• Data Assessment

05 Continuous Improvement
• Maintenance
• Contents integration

Page 17:

THREAT ANALYSIS - Data Analysis & Reporting (LENA Malware)

Page 18:

ATTACK / KILL CHAIN SIMULATION

Simulation: Custom toolset, Automation engine, Knowledge Base

Flow: TTP Extraction -> TTP Mapping -> Environment setup -> Engineering -> Execution -> Reporting -> Knowledge Base

Page 19:

ATTACK / KILL CHAIN SIMULATION - Overview

TTP extraction
• Attacker's tool analysis
• Attacker's behavior

Mapping TTP
• Custom tools
• OS commands
• Open Source tools

Environment
• Setup target
• Automation engine
• Repositories

Engineering
• Custom modules
• Custom tools
• Attack flow

Execution
• Playbook run
• Log collection

Reporting
• KB enrichment
• Log reporting

Page 20:

ATTACK / KILL CHAIN SIMULATION - TTP Mapping

Category / Techniques             Description                                                        Attacker's tool   Simulation
Privilege Escalation
  T1134                           Steals the access token from another process and uses it to        PlugX             Tokenvator
                                  gain access to other services or computers.
Credentials
  T1003                           Scrape LSASS memory to obtain logon passwords                      PlugX             Mimikatz, Procdump
Lateral Movement and Execution
  T1075, T1077                    Lateral movement with harvested credentials                        PlugX             Mimikatz + custom module

Page 21:

ATTACK / KILL CHAIN SIMULATION - Environment Setup

Technology stack:
- Playbooks, hosted on Git
- Ansible Engine: Vault, Modules, Inventory
- File repository
- Targets
- Internet

Page 22:

ATTACK / KILL CHAIN SIMULATION - Engineering 1/2

Ansible Engine: Playbook, Roles (Txxx, Txxx), Custom Module, Library

Page 23:

ATTACK / KILL CHAIN SIMULATION - Engineering 2/2

Ansible Engine - Custom Module: Mimikatz Credential Dump + Output Parser
• Execute mimikatz sekurlsa::logonpasswords to scrape credentials from LSASS
• Parse output in an Ansible readable format

When to write a custom module?
• It's not already present in the Ansible library/community
• More specific than a role
• Output re-usable in other tasks

Page 24:

ATTACK / KILL CHAIN SIMULATION - Custom Toolset 1/2

• C++ - Mimikatz custom build
• C# - Dropper with obfuscated and runtime payload compiling
• C# - Reverse shell
• C++ - MS 0Day ALPC-LPE custom build
• PowerShell - Obfuscated PowerSploit script
• PowerShell - Modded MS16-032 exploit
• Python - Payload for Over-Pass-the-Hash
• Python - C2 protocol simulator

Page 25:

ATTACK / KILL CHAIN SIMULATION - Custom Toolset 2/2

Droppy: C# - Dropper with obfuscated and runtime payload compiling
• Hardcoded payload
• Modded version - download payload at runtime
• Runtime payload compiling and run
• Low AV detection (only EDR)

Page 26:

DETECTION

Human-led capability
Technology addiction
Pro-active / Re-active
Metrics & Detection Capabilities
IoA - IoC
Content Engineering on SIEM
Monitoring Content Validation
Knowledge Base

Page 27:

DETECTION - Overview

Report Analysis
• TTP extraction
• Behaviour analysis
• Target typologies inventory

Logs Collection / Assessment
• Technologies identification
• Logs to use
• Fields / Artifacts

Visibility Improvement - Contents engineering
• Correlation rules based on IoA
• IoA / IoC cross-correlation
• Contents validation

Reporting / KB
• Logs / Technologies used
• Contents inventory
• Validation results

Continuous Improvement
• KB Maintenance
• Contents evolution
• Logs integration
• Technologies integration
• Tuning / Filtering

Page 28:

DETECTION - Logs Collection / Assessment

Splunk: Correlation Engine, Indexing, Storage
Threat Intelligence: IoC feeds
WEC (Windows Event Collector): Subscription Logs, managed with WECutil
Splunk Universal Forwarder
Endpoints: Sysmon, Security, System, PowerShell logs
Network
Active Directory: Group Policy Object (GPO), Sysmon custom config file

Page 29:

Filtering - Tools: Tips and Tricks

Manage subscriptions via Wecutil
• Edit Subscription XML conf file
• Windows Event Log supports XML Path Language (XPath)
• Allowed actions / log not useful or verbose -> Filtering

Create Subscription via Event Viewer
• Create subscription via WEC Server Event Viewer
• 1 Log Registry -> 1 Subscription
• 1 Log Registry -> more Subscriptions

Use a custom Sysmon config
• Verbose logs
• Filtering via "Condition": is, is not, contains, excludes, begin with, end with, less than, more than, image
• SwiftOnSecurity Sysmon Config

Page 30:

Sysmon: Event Filtering and (pre)Classification

Page 31:

SCENARIO #1 - APT3

Page 32:

APT3 - Intro

What about ...
• Also known as UPS Team; suspected attribution: China
• Target sectors: Aerospace and Defense, Construction and Engineering, High Tech, Telecommunications, Transportation
• Associated malware: PLUGX, SHOTPUT, COOKIECUTTER, SOGU
• APT3 uses a combination of custom and openly available tools
• Attack vectors: the phishing emails used by APT3 are usually generic in nature, almost appearing to be spam

Page 33:

APT3 - Threat Analysis: Weapon / Tool: Assessment & Categorization

Tactic columns of the original table: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control (the per-tool marks did not survive extraction).

Weapon/Tool                     Type
PIRPI                           RAT (Custom)
SHOTPUT                         RAT (Custom)
PLUGX                           RAT (Custom)
Backdoor.APT.CookieCutter       RAT (Custom)
OSInfo                          Information Discovery
Customized pwdump               Win Pwd Dumper
Customized Mimikatz             Win Pwd Dumper
Keylogger sw                    Keylogger
RemoteCMD                       Remote Execution
Dsquery                         Information Discovery
ChromePass                      Browser Pwd Dumper
Lazagne                         App. Pwd Dumper
ScanBox                         Exploit Kit / Keylogger

Page 34:

APT3 - Threat Analysis: Techniques Assessment

PIRPI RAT
Technique                                        ID
Exfiltration over Command and Control Channel    T1041
Command-Line Interface                           T1059
Rundll32                                         T1085
Process Discovery                                T1057
Remote System Discovery                          T1018
System Network Connections Discovery             T1049
File and Directory Discovery                     T1083
File Deletion                                    T1107
System Network Configuration Discovery           T1016
Remote File Copy                                 T1105

PLUGX RAT
Technique                                        ID
Command-Line Interface                           T1059
File and Directory Discovery                     T1083
Process Discovery                                T1057
New Service                                      T1050
Modify Existing Service                          T1031
Service Execution                                T1035
…
Input Capture                                    T1056

OSInfo
Technique                                        ID
System Network Configuration Discovery           T1016
System Information Discovery                     T1082
…
Remote System Discovery                          T1018
…
Permission Groups Discovery                      T1069
…

Customized Mimikatz
Technique                                        ID
Credential Dumping                               T1003
…

LaZagne
Technique                                        ID
Credential Dumping                               T1003
Credentials in Files                             T1081
…

(further tools)
Technique                                        ID
…

Legend: Weapons - Tools / Technique / Scenario #1, Scenario #2, Scenario #3

Page 35:

APT3 - Kill Chain Simulation 1/4

Category / Techniques             Description                                                  Simulation
Privilege Escalation
  T1044, T1034, T1058, T1038      File System Permissions Weakness, Path Interception,         PowerUp
                                  Service Registry Permissions Weakness, DLL Search Order Hijacking
Credentials
  T1003                           Credential Dumping                                           Custom Mimikatz build + Ansible Module
Lateral Movement and Execution
  T1075, T1077                    Pass the Hash, Windows Admin Shares                          Custom Mimikatz build + Custom Tool

Page 36:

APT3 - Kill Chain Simulation 3/4

Credential Dumping (T1003)

Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

Page 37:

APT3 - Kill Chain Simulation 4/4

Over Pass The Hash (T1075)

Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.

Page 38:

APT3 - Detection: Logs Collection / Assessment 1/6

Discovery: Display list of currently running processes and services on the system.
Process Discovery (T1057)

Privilege Escalation: This technique tries a series of exploits to elevate to a SYSTEM level process (these are actual exploits, not trust abuses, so there's always the potential for bluescreening).
Exploitation for Privilege Escalation (T1068)

Page 39:

APT3 - Detection: Logs Collection / Assessment 2/6

Defense Evasion / Privilege Escalation: If you have a medium integrity process, but are an administrator, UAC Bypass will get you a high integrity process without prompting the user for confirmation.
Bypass User Account Control (T1088)

Defense Evasion / Privilege Escalation: This steals the access token from another process and uses it to gain access to other services or computers.
Access Token Manipulation (T1134)

Page 40:

APT3 - Detection: Logs Collection / Assessment 3/6

Credential Access / Collection: Dumps hashes from the SAM hive file. This technique injects into the LSASS.exe process and scrapes its memory for plaintext passwords of logged-on users.
Credential Dumping (T1003)

Page 41:

APT3 - Detection: Logs Collection / Assessment 4/6

Persistence: Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. The net user commands can be used to create a local or domain account.
Create Account (T1136)

Execution / Persistence / Privilege Escalation: Add scheduled task; may need to make sure that the schedule service is started and configured to run on boot so that your persistence sticks.
Scheduled Task (T1053)

Page 42:

APT3 - Detection: Logs Collection / Assessment 5/6

Lateral Movement: Used to view network shared resource information, add a new network resource, and remove an old network resource from the computer.
Windows Admin Shares (T1077)

Execution: Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service.
Service Execution (T1035)

Page 43:

APT3 - Detection: Logs Collection / Assessment 6/6

Lateral Movement: Log in to remote machine using hash and file copies to the remote box via SMB, then creates a service.
Pass-The-Hash (T1075 - target side)

Page 44:

APT3 - Detection: Contents engineering

Content Engineering on SIEM
Monitoring Content Validation
Sub-Path identification
Logs Enrichment
Attack Tactic
Cross-Tactics
Attack Technique
IoC External Feed OR Logs Correlation
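As an added example (not code from the slides or the authors' framework) of the IoC/IoA fusion and cross-tactic correlation the detection slides describe, the following Python runs a small IoA rule set (mapped to the APT3 techniques above) and a placeholder IoC feed over constructed Sysmon-style events and raises a per-host alert. The feed values, rule predicates, host names and the alerting policy (any IoC hit, or IoA hits spanning at least two tactics on one host) are assumptions made for the example.

```python
"""IoA/IoC fusion over Sysmon-style events. Added example, not from the slides:
field names follow Sysmon EventData (Image, ParentImage, CommandLine, TargetImage,
Hashes, DestinationIp); feed values, rules and hosts are constructed placeholders."""
from collections import defaultdict

# Constructed IoC feed (reactive indicators) - placeholder values, not real IoCs.
IOC_FEED = {
    "sha256": {"00" * 31 + "01"},
    "ip": {"198.51.100.7"},  # RFC 5737 documentation range
}

# IoA rules (proactive indicators): (technique, tactic, predicate), following the
# APT3 detection slides. Each predicate inspects one event dict.
IOA_RULES = [
    ("T1003", "Credential Access",   # process opening a handle to LSASS (Sysmon EID 10)
     lambda e: e["EventID"] == 10 and e.get("TargetImage", "").lower().endswith("\\lsass.exe")),
    ("T1136", "Persistence",         # local/domain account creation via net.exe (EID 1)
     lambda e: e["EventID"] == 1 and e.get("Image", "").lower().endswith("\\net.exe")
     and " user " in e.get("CommandLine", "") and "/add" in e.get("CommandLine", "")),
    ("T1053", "Persistence",         # scheduled task creation (EID 1)
     lambda e: e["EventID"] == 1 and e.get("Image", "").lower().endswith("\\schtasks.exe")
     and "/create" in e.get("CommandLine", "").lower()),
    ("T1035", "Execution",           # binary started by the Service Control Manager (EID 1)
     lambda e: e["EventID"] == 1 and e.get("ParentImage", "").lower().endswith("\\services.exe")),
]

def sha256_of(event):
    """Sysmon packs hashes as 'SHA256=...,MD5=...'; return the SHA256 (lowercase) or ''."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return ""

def classify(event):
    """Return the (kind, technique, tactic) hits for one event: IoC matches and IoA rules."""
    hits = []
    if sha256_of(event) in IOC_FEED["sha256"]:
        hits.append(("IoC", "hash", "Threat Intel"))
    if event.get("DestinationIp") in IOC_FEED["ip"]:
        hits.append(("IoC", "ip", "Threat Intel"))
    for technique, tactic, pred in IOA_RULES:
        if pred(event):
            hits.append(("IoA", technique, tactic))
    return hits

def correlate(events, min_tactics=2):
    """Fuse hits per host. Policy (an assumption, mirroring 'IoC external feed OR logs
    correlation'): alert on any IoC hit, or on IoA hits spanning >= min_tactics tactics."""
    per_host = defaultdict(list)
    for e in events:
        for kind, technique, tactic in classify(e):
            per_host[e["Computer"]].append((e["UtcTime"], kind, technique, tactic))
    alerts = {}
    for host, hits in per_host.items():
        tactics = {tactic for _, kind, _, tactic in hits if kind == "IoA"}
        if any(kind == "IoC" for _, kind, _, _ in hits) or len(tactics) >= min_tactics:
            alerts[host] = sorted(hits)
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "UtcTime": "2018-10-01 10:00:01", "EventID": 10,
     "SourceImage": "C:\\Temp\\mk.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"Computer": "ws01", "UtcTime": "2018-10-01 10:03:10", "EventID": 1,
     "Image": "C:\\Windows\\System32\\net.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "net user svc_backup Passw0rd /add"},
    {"Computer": "ws02", "UtcTime": "2018-10-01 11:00:00", "EventID": 3,
     "Image": "C:\\Users\\u\\AppData\\d.exe", "DestinationIp": "198.51.100.7"},
    {"Computer": "ws03", "UtcTime": "2018-10-01 12:00:00", "EventID": 1,
     "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "schtasks /create /tn Backup /tr C:\\Temp\\b.bat"},
]

if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(host, hits)
```

With the sample data ws01 alerts on a Credential Access + Persistence sub-path, ws02 on the IoC feed alone, and ws03 (a single Persistence IoA) stays below the threshold.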

Page 45:

SCENARIO #2 - KOVCOREG

Page 46:

KOVCOREG - Intro

What about ...
• KovCoreG also known as MaxTDS
• Financially motivated threat actor
• Active since 2011
• Associated malware: Zaccess, SecurityShield, Kovter
• Kovter initially developed as ransomware, later reengineered as fraud malware
• Attack vectors: multiple Exploit Kits (Blackhole, RedKit, Sakura, NuclearPack, Styx, Sweet Orange, Angler), malvertising

Page 47:

KOVCOREG - Threat Analysis: Techniques Assessment

OSComm
Technique                          ID
Registry Run Keys / Start Folder   T1060
Scripting                          T1064
Mshta                              T1170
…
Data Staged                        T1074
…

Angler EK
Technique                          ID
Remote Access Tools                T1219
…
Remote File Copy                   T1105

RedKit
Technique                          ID
Remote Access Tools                T1219
…
Web Service                        T1102

Styx
Technique                          ID
Clear Command History              T1146
Data Obfuscation                   T1001
Multi-Stage Channels               T1104

Legend: Weapons - Tools / Technique / Scenario #1, Scenario #2, Scenario #3

Page 48:

KOVTER - Overview

Kovter: a Fileless Malware

Stage #1 - Spam mail: Macro based malicious spam.

Stage #2 - Installation: Malware components are installed on the target machine for shell spawning (techniques).

Stage #3 - Regedit: A new registry key with malicious code is created.

Stage #4 - Injection: On reboot the malware injects a shellcode into a PowerShell process. The same result can be obtained by executing a batch or shortcut file.

Stage #5 - Data theft: The regsvr32.exe process is spawned by the shellcode in order to create connection/s to C2 system/s and send stolen information.

Page 49:

KOVCOREG - Kill Chain Simulation 1/2

Category / Techniques             Description                                  Simulation
Persistence
  T1060                           Registry Run Keys / Start Folder             OS commands
Defense Evasion / Execution
  T1170, T1064                    Indicator Removal on Host, Scripting         OS commands
Collection
  T1074                           Data Staged                                  OS commands

Page 50:

KOVCOREG - Kill Chain Simulation 2/2

Page 51:

KOVCOREG - Detection: Logs Collection / Assessment 1/2

Persistence: New software is associated to extension.
Registry Run Keys / Start Folder (T1060)

Persistence: Adding an entry in the Registry in order to create a new file extension.
Registry Run Keys / Start Folder (T1060)

Persistence: Create registry entries linked to Droppy software.
Registry Run Keys / Start Folder (T1060)

Page 52:

KOVCOREG - Detection: Logs Collection / Assessment 2/2

Execution: The bootstrap is triggered using the custom extension.
Scripting (T1064)

Execution: MSHTA is used to run a WScript.Shell object and run the "core" malware.
MSHTA (T1170)

Persistence: Set a value to the "command" registry entry.
Registry Run Keys / Start Folder (T1060)
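As an added example (not code from the slides or the authors' framework) of turning the Kovter stages above into a "sub-path" detection, the following Python matches the registry persistence (T1060), the mshta execution (T1170) and the regsvr32-from-PowerShell C2 stage in order, per host, over constructed Sysmon-style events. The registry paths, command lines, host names and the 24-hour window are assumptions made for the example.

```python
"""Ordered-stage detection for the Kovter-style fileless chain on the slides.
Added example, not from the slides: events are constructed Sysmon-like records
(EventID 13 = registry value set, EventID 1 = process create); registry paths,
command lines and hosts are placeholders, not real indicators."""
from collections import defaultdict
from datetime import datetime, timedelta

RUN_KEY = "\\currentversion\\run\\"
OPEN_CMD = "\\shell\\open\\command"
CHAIN = ["persistence", "execution", "c2"]   # expected order of the stages

def stage_of(event):
    """Map one event to a chain stage, or None when it is not part of the chain."""
    eid = event["EventID"]
    if eid == 13:
        key = event.get("TargetObject", "").lower()
        data = event.get("Details", "").lower()
        # Stage 1 (T1060): Run key or custom file-extension handler whose value runs mshta
        if (RUN_KEY in key or key.endswith(OPEN_CMD)) and "mshta" in data:
            return "persistence"
    elif eid == 1:
        image = event.get("Image", "").lower()
        parent = event.get("ParentImage", "").lower()
        cmd = event.get("CommandLine", "").lower()
        # Stage 2 (T1170): mshta running an inline script that instantiates WScript.Shell
        if image.endswith("\\mshta.exe") and ("javascript:" in cmd or "wscript.shell" in cmd):
            return "execution"
        # Stage 3: regsvr32 spawned from the PowerShell process the shellcode was injected into
        if image.endswith("\\regsvr32.exe") and parent.endswith("\\powershell.exe"):
            return "c2"
    return None

def detect_chain(events, window_hours=24):
    """Per host: (full chain seen in order within window_hours of its first stage?, stages seen)."""
    window = timedelta(hours=window_hours)
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        stage = stage_of(e)
        if stage:
            ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
            per_host[e["Computer"]].append((ts, stage))
    result = {}
    for host, hits in per_host.items():
        expected, start = 0, None
        for ts, stage in hits:
            if start is not None and ts - start > window:
                break                                   # chain timed out
            if expected < len(CHAIN) and stage == CHAIN[expected]:
                expected += 1
                start = ts if start is None else start
        stages = sorted({s for _, s in hits}, key=CHAIN.index)
        result[host] = (expected == len(CHAIN), stages)
    return result

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "UtcTime": "2018-10-01 08:00:00", "EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Classes\\abcd1file\\shell\\open\\command",
     "Details": "mshta \"javascript:placeholder\""},
    {"Computer": "ws01", "UtcTime": "2018-10-01 08:00:02", "EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\abcd",
     "Details": "C:\\Users\\u\\AppData\\Local\\abcd\\x.abcd1"},   # launcher, no mshta here
    {"Computer": "ws01", "UtcTime": "2018-10-02 07:30:00", "EventID": 1,
     "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" \"javascript:placeholder\""},
    {"Computer": "ws01", "UtcTime": "2018-10-02 07:30:05", "EventID": 1,
     "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"Computer": "ws02", "UtcTime": "2018-10-02 09:00:00", "EventID": 1,
     "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta \"javascript:placeholder\""},   # execution stage only
]

if __name__ == "__main__":
    for host, (complete, stages) in detect_chain(SAMPLE_EVENTS).items():
        print(host, "FULL CHAIN" if complete else "partial", stages)
```

Shortening the window (for example to one hour) drops ws01 to a partial match, which is the tuning knob the "Tuning / Filtering" step of the detection overview refers to.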

Page 53:

NEXT STEPS

Page 54:

NEXT STEPS 1/2

Infrastructure Orchestration
More Interactive - Ansible RDP headless module
More supported Platforms (OSX)
Initial Vector simulation

Page 55:

NEXT STEPS 2/2

Machine Learning algorithms
More APT/TTP
Improve visibility: Extend supported platforms / components (WMI)
SIGMA: CRs in Generic Signature Format
Content sharing: MISP / CRITs

Page 56:

Q&A

Page 57:

Thanks!