ADVERSARIAL APPROACH TO IMPROVE DETECTION CAPABILITIES
Massimo Bozza, Ethical Hacker, Senior Security Engineer, @maxbozza
Pietro Romano, Principal Security Engineer, @tribal_sec
AGENDA
Adversarial approach
- Simulation vs emulation
IoC & IoA - Fusion
Adversary Simulation Framework
- Threat analysis
- Attack
- Detection
Scenario
- APT3
- KovCoreG
Next Steps
ADVERSARIAL APPROACH
ADVERSARIAL APPROACH – WHAT IS & ISN'T
Classic Red Teaming
- Black-box activity
Penetration Test
- One shot activity
Adversarial approach
- White-box activity
- Cooperative process
- Repetitive process
- Cross team
ADVERSARIAL APPROACH – GET STARTED
No standard definition for adversary simulation
Main goals
• Improve security Detection and Response, underlining blind spots
• KPI for budget allocation
• Train Blue Team against targeted attacks
• Evaluate blinky boxes / detection tools
• Purple teaming
• Threat emulation
• Attack simulation
ADVERSARIAL APPROACH – SIMULATE vs EMULATE
SIMULATE                      | EMULATE
Almost same TTP of attackers  | Same TTP of attackers
Tools with same behavior      | Attacker's custom tools
Automation                    |
Less accurate                 | More accurate
Re-use of available tools     | More time consuming
More scalable                 | Sometimes attacker's behaviors are undisclosed
IOC - IOA FUSION
CLASH: IoC vs IoA
Indicator of Compromise
• IP address
• Hash
• Exploits
• Malware
• Signatures
• Pattern
Indicator of Attack
• Lateral Movement
• Code Execution
• C&C
• Persistence actions
FUSION: IoC & IoA
Reactive Indicators
Proactive Indicators
Logs
→ Detection & Response
CYBER KILL CHAIN & MITRE ATT&CK
Cyber Kill Chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Lateral Movement
MITRE ATT&CK: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control
ADVERSARY SIMULATION FRAMEWORK
Adversary Simulation Framework
- Threat Analysis
- Attack & Kill Chain simulation
- Detection
- Sharing / Testing / Results analysis
Framework Modules
- Points of Contact
- Human-led process
- Enriches existing security measures
- Contextual insight data
Threat Intel
- OSINT Feed
- Custom Feed
Threat Group
Attack Scenario
Attack Path
Tools/Weapons
THREAT ANALYSIS
Threat Analysis
Knowledge Base
THREAT ANALYSIS - Overview
01 Threat Intelligence
02 Data Filtering
• Filtering by Industry
• Filtering by target technology
• Threat Groups
• Tactics
03 Data Analysis
• Techniques identification
• Weapons/Tools used
• Attack paths
• Operational flows / Procedure
04 Reporting/KB
• Data Presentation
• Data Sharing
• Data Assessment
05 Continuous Improvement
• Maintenance
• Contents integration
• Data collection as a Service
• OSINT
THREAT ANALYSIS – Data Analysis & Reporting
LENA Malware
ATTACK / KILL CHAIN SIMULATION
Simulation
- Custom toolset
- Automation engine
- Knowledge Base
Process: TTP Extraction, TTP Mapping, Environment setup, Engineering, Execution, Reporting, Knowledge Base
ATTACK / KILL CHAIN SIMULATION - Overview
TTP extraction
• Attacker's tool analysis
• Attacker's behavior
Mapping TTP
• Custom tools
• OS commands
• Open Source tools
Environment
• Setup target
• Automation engine
• Repositories
Engineering
• Custom modules
• Custom tools
• Attack flow
Execution
• Playbook run
• Log collection
Reporting
• KB enrichment
• Log reporting
ATTACK / KILL CHAIN SIMULATION – TTP Mapping
Category / Technique | Description | Attacker's tool | Simulation
Privilege Escalation – T1134 | Steals the access token from another process and uses it to gain access to other services or computers. | PlugX | Tokenvator
Credentials – T1003 | Scrape LSASS memory to obtain logon passwords | PlugX | Mimikatz, Procdump
Lateral Movement and Execution – T1075, T1077 | Lateral movement with harvested credentials | PlugX | Mimikatz + custom module
ATTACK / KILL CHAIN SIMULATION – Environment Setup
Technology stack
- Playbooks – hosted on Git
- Ansible Engine (Vault, Modules, Inventory)
- File repository
- Targets
- Internet
ATTACK / KILL CHAIN SIMULATION – Engineering 1/2
Ansible Engine
- Playbook
- Roles (Txxx, Txxx)
- Library
- Custom Module
ATTACK / KILL CHAIN SIMULATION – Engineering 2/2
Ansible Engine – Custom Module: Mimikatz Credential Dump + Output Parser
• Execute mimikatz sekurlsa::logonpasswords to scrape credentials from LSASS
• Parse output in an Ansible-readable format
When to write a custom module?
• It's not already present in the Ansible library/community
• More specific than a role
• Output re-usable in other tasks
ATTACK / KILL CHAIN SIMULATION – Custom Toolset 1/2
• C++ - Mimikatz custom build
• C# - Dropper with obfuscated and runtime payload compiling
• C# - Reverse shell
• C++ - MS 0Day ALPC-LPE custom build
• PowerShell - Obfuscated PowerSploit script
• PowerShell - Modded MS16-032 exploit
• Python - Payload for Over-Pass-the-Hash
• Python - C2 Protocol simulator
ATTACK / KILL CHAIN SIMULATION – Custom Toolset 2/2
C# - Dropper with obfuscated and runtime payload compiling ("Droppy")
• Hardcoded payload
• Modded version – download payload at runtime
• Runtime payload compiling and run
• Low AV detection (only EDR)
DETECTION
- Human-led capability
- Technology addiction
- Pro-active / Re-active
- Metrics & Detection Capabilities
- IoA - IoC
- Content Engineering on SIEM
- Monitoring Content Validation
- Knowledge Base
DETECTION - Overview
Report Analysis
• TTP extraction
• Behaviour analysis
• Target typologies inventory
Logs Collection/Assessment
• Technologies identification
• Logs to use
• Fields/Artifacts
Visibility Improvement / Contents engineering
• Correlation rules based on IoA
• IoA / IoC Cross-correlation
• Contents validation
Reporting/KB
• Logs/Technologies used
• Contents inventory
• Validation results
Continuous Improvement
• KB Maintenance
• Contents evolution
• Logs integration
• Technologies integration
• Tuning/Filtering
DETECTION – Logs Collection/Assessment
Splunk: Correlation Engine, Indexing, Storage
Threat Intelligence: IoC feeds
Network
WEC (Windows Event Collector): WECutil, Subscription Logs
Splunk Universal Forwarder
Endpoints: Sysmon, Security, System, PowerShell logs
Active Directory: Group Policy Object (GPO), Sysmon Custom Config File
Filtering - Tools: Tips and Tricks
Manage subscriptions via Wecutil
• Edit Subscription XML conf file
• Windows Event Log supports XML Path Language (XPath)
• Allowed actions / log not useful or verbose → Filtering
Create Subscription via Event Viewer
• Create subscription via WEC Server Event Viewer
• 1 Log Registry → 1 Subscription
• 1 Log Registry → more Subscriptions
Sysmon: Event Filtering and (pre)Classification
• Use a custom Sysmon config
• Verbose logs
• Filtering via "Condition"
• is, is not, contains, excludes, begin with, end with, less than, more than, image
• SwiftOnSecurity Sysmon Config
SCENARIO #1 - APT3
APT3 - Intro
What about …
• Also known as UPS Team; suspected attribution: China
• Target sectors: Aerospace and Defense, Construction and Engineering, High Tech, Telecommunications, Transportation
• Associated malware: PLUGX, SHOTPUT, COOKIECUTTER, SOGU
• APT3 uses a combination of custom and openly available tools
• Attack vectors: the phishing emails used by APT3 are usually generic in nature, almost appearing to be spam
APT3 – Threat Analysis: Weapon / Tool: Assessment & Categorization
Tactic columns of the matrix: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control (the per-tool marks are not recoverable from the slide text)
Weapon/Tool – Type
- PIRPI – RAT (Custom)
- SHOTPUT – RAT (Custom)
- PLUGX – RAT (Custom)
- Backdoor.APT.CookieCutter – RAT (Custom)
- OSInfo – Information Discovery
- Customized pwdump – Win Pwd Dumper
- Customized Mimikatz – Win Pwd Dumper
- Keylogger sw – Keylogger
- RemoteCMD – Remote Execution
- Dsquery – Information Discovery
- ChromePass – Browser Pwd Dumper
- Lazagne – App. Pwd Dumper
- ScanBox – Exploit Kit / Keylogger
APT3 – Threat Analysis: Techniques Assessment
PIRPI RAT – Technique (ID)
- Exfiltration over Command and Control Channel (T1041)
- Command-Line Interface (T1059)
- Rundll32 (T1085)
- Process Discovery (T1057)
- Remote System Discovery (T1018)
- System Network Connections Discovery (T1049)
- File and Directory Discovery (T1083)
- File Deletion (T1107)
- System Network Configuration Discovery (T1016)
- Remote File Copy (T1105)
PLUGX RAT – Technique (ID)
- Command-Line Interface (T1059)
- File and Directory Discovery (T1083)
- Process Discovery (T1057)
- New Service (T1050)
- Modify Existing Service (T1031)
- Service Execution (T1035)
- …
- Input Capture (T1056)
OSInfo – Technique (ID)
- System Network Configuration Discovery (T1016)
- System Information Discovery (T1082)
- …
- Remote System Discovery (T1018)
- …
- Permission Groups Discovery (T1069)
- …
Customized Mimikatz – Technique (ID)
- Credential Dumping (T1003)
- …
LaZagne – Technique (ID)
- Credential Dumping (T1003)
- Credentials in Files (T1081)
- …
… – Technique (ID)
- …
Matrix legend: Weapons - Tools × Technique × Scenario #1 / Scenario #2 / Scenario #3
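Added example (not the authors' framework code): a small threat-analysis knowledge base built from the APT3 tool/technique pairs the slides list, used to derive a scenario's technique list, find techniques shared by several weapons, and flag scenario techniques with no validated detection content. The rule names and validation flags in CONTENT_INVENTORY are constructed.

```python
"""Added example (not the authors' framework code): a small threat-analysis knowledge base
built from the APT3 tool/technique pairs on the slides, used to derive a scenario's technique
list and to find techniques with no validated detection content."""
from collections import defaultdict

# Weapon/tool -> ATT&CK technique IDs listed on the APT3 techniques-assessment slides
# (only the rows the slides show; elided rows are not filled in).
TOOL_TECHNIQUES = {
    "PIRPI": {"T1041", "T1059", "T1085", "T1057", "T1018", "T1049", "T1083", "T1107", "T1016", "T1105"},
    "PLUGX": {"T1059", "T1083", "T1057", "T1050", "T1031", "T1035", "T1056"},
    "OSInfo": {"T1016", "T1082", "T1018", "T1069"},
    "CustomizedMimikatz": {"T1003"},
    "LaZagne": {"T1003", "T1081"},
}
# Detection content inventory with validation results (constructed sample rule names).
CONTENT_INVENTORY = [
    {"rule": "CR-lsass-access", "technique": "T1003", "validated": True},
    {"rule": "CR-new-service", "technique": "T1050", "validated": False},
    {"rule": "CR-rundll32-cmdline", "technique": "T1085", "validated": True},
]

def techniques_for_scenario(tools):
    """Union of the techniques used by the weapons chosen for a scenario."""
    techs = set()
    for tool in tools:
        techs |= TOOL_TECHNIQUES[tool]
    return techs

def shared_techniques(min_tools=2):
    """Techniques used by at least min_tools weapons: one rule there covers several tools."""
    users = defaultdict(set)
    for tool, techs in TOOL_TECHNIQUES.items():
        for t in techs:
            users[t].add(tool)
    return {t: sorted(tools) for t, tools in users.items() if len(tools) >= min_tools}

def coverage_gaps(tools):
    """Scenario techniques that have no validated correlation rule in the inventory."""
    validated = {c["technique"] for c in CONTENT_INVENTORY if c["validated"]}
    return sorted(techniques_for_scenario(tools) - validated)

if __name__ == "__main__":
    scenario = ["PLUGX", "CustomizedMimikatz"]
    print("techniques:", sorted(techniques_for_scenario(scenario)))
    print("shared:", shared_techniques())
    print("gaps:", coverage_gaps(scenario))
```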
APT3 – Kill Chain Simulation 1/4
Category / Technique | Description | Simulation
Privilege Escalation – T1044, T1034, T1058, T1038 | File System Permissions Weakness; Path Interception; Service Registry Permissions Weakness; DLL Search Order Hijacking | PowerUp
Credentials – T1003 | Credential Dumping | Custom Mimikatz build + Ansible Module
Lateral Movement and Execution – T1075, T1077 | Pass the Hash; Windows Admin Shares | Custom Mimikatz build + Custom Tool
APT3 – Kill Chain Simulation 3/4
Credential Dumping (T1003)
Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
APT3 – Kill Chain Simulation 4/4
Over Pass The Hash (T1075)
Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.
APT3 – Detection: Logs Collection/Assessment 1/6
Discovery – Process Discovery (T1057): Display list of currently running processes and services on the system.
Privilege Escalation – Exploitation for Privilege Escalation (T1068): This technique tries a series of exploits to elevate to a SYSTEM level process (these are actual exploits, not trust abuses, so there's always the potential for bluescreening).
APT3 – Detection: Logs Collection/Assessment 2/6
Defense Evasion / Privilege Escalation – Bypass User Account Control (T1088): If you have a medium integrity process, but are an administrator, UAC Bypass will get you a high integrity process without prompting the user for confirmation.
Defense Evasion / Privilege Escalation – Access Token Manipulation (T1134): This steals the access token from another process and uses it to gain access to other services or computers.
APT3 – Detection: Logs Collection/Assessment 3/6
Credential Access / Collection – Credential Dumping (T1003): Dumps hashes from the SAM Hive file. This technique injects into the LSASS.exe process and scrapes its memory for plaintext passwords of logged-on users.
APT3 – Detection: Logs Collection/Assessment 4/6
Persistence – Create Account (T1136): Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that does not require persistent remote access tools to be deployed on the system. The net user commands can be used to create a local or domain account.
Execution / Persistence / Privilege Escalation – Scheduled Task (T1053): Add scheduled task; may need to make sure that the schedule service is started and configured to run on boot so that your persistence sticks.
APT3 – Detection: Logs Collection/Assessment 5/6
Lateral Movement – Windows Admin Shares (T1077): Used to view network shared resource information, add a new network resource, and remove an old network resource from the computer.
Execution – Service Execution (T1035): Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service.
APT3 – Detection: Logs Collection/Assessment 6/6
Lateral Movement – Pass-The-Hash (T1075 - target side): Log in to the remote machine using the hash and file copies to the remote box via SMB, then create a service.
Target
APT3 – Detection: Contents engineering
Content Engineering on SIEM
Monitoring Content Validation
Sub-Path identification
Logs Enrichment
Attack Tactic / Cross-Tactics / Attack Technique
IoC External Feed OR Logs Correlation
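Added example (not the authors' Splunk content): the two detection ideas on this slide, correlation rules based on IoA and IoA/IoC cross-correlation with an external feed, written as plain Python over constructed Sysmon and Windows Security events for two APT3 steps (credential dumping, T1003; Over-Pass-the-Hash on the source host, T1075). Event values, the IoC feed entry and the lsass allow-list are all constructed.

```python
"""Added example (not the authors' Splunk content): IoA correlation rules for two APT3 kill-chain
steps plus IoC cross-correlation with an external feed, over constructed Sysmon/Security events."""
import ipaddress
# Constructed sample events (not real telemetry); field names follow Sysmon and Windows Security.
EVENTS = [
    {"source": "Sysmon", "EventID": 10, "host": "WS01",
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\mk.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"source": "Sysmon", "EventID": 10, "host": "WS01",
     "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"source": "Security", "EventID": 4624, "host": "WS01", "LogonType": 9, "TargetUserName": "bob",
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"source": "Sysmon", "EventID": 3, "host": "WS01", "DestinationIp": "203.0.113.77",
     "Image": r"C:\Users\bob\AppData\Local\Temp\mk.exe", "DestinationPort": 443},
]
# Constructed IoC feed (TEST-NET-3 documentation range, not a real indicator).
IOC_FEED = {"203.0.113.0/24": "constructed C2 range"}
# Processes expected to open lsass on this fleet (constructed allow-list; tune from a baseline).
TRUSTED_LSASS_CLIENTS = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe"}

def ioa_credential_dumping(ev):
    """T1003: a process outside the allow-list opening lsass.exe (Sysmon EventID 10)."""
    return (ev["source"] == "Sysmon" and ev["EventID"] == 10
            and ev["TargetImage"].lower().endswith(r"\lsass.exe")
            and ev["SourceImage"].lower() not in TRUSTED_LSASS_CLIENTS)

def ioa_overpass_the_hash(ev):
    """T1075, source side: NewCredentials logon (type 9) via seclogo/Negotiate in the Security log."""
    return (ev["source"] == "Security" and ev["EventID"] == 4624 and ev["LogonType"] == 9
            and ev["LogonProcessName"].lower() == "seclogo"
            and ev["AuthenticationPackageName"].lower() == "negotiate")

def ioc_match(ev):
    """IoC cross-correlation: destination of a Sysmon network event against the feed."""
    if ev["source"] != "Sysmon" or ev["EventID"] != 3:
        return None
    ip = ipaddress.ip_address(ev["DestinationIp"])
    return next((lbl for net, lbl in IOC_FEED.items() if ip in ipaddress.ip_network(net)), None)

def correlate(events):
    """IoA hits as (technique, subject, host); an IoC hit on a process that already has an
    IoA hit on the same host becomes an alert, which is what lifts it above a bare feed match."""
    hits, alerts = [], []
    for ev in events:
        if ioa_credential_dumping(ev):
            hits.append(("T1003", ev["SourceImage"], ev["host"]))
        if ioa_overpass_the_hash(ev):
            hits.append(("T1075", ev["TargetUserName"], ev["host"]))
    for ev in events:
        label = ioc_match(ev)
        if label and any(h[1] == ev["Image"] and h[2] == ev["host"] for h in hits):
            alerts.append((ev["host"], ev["Image"], label))
    return hits, alerts
```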
SCENARIO #2 - KOVCOREG
KOVCOREG - Intro
What about …
• KovCoreG also known as MaxTDS
• Financially motivated threat actor
• Active since 2011
• Associated malware: Zaccess, SecurityShield, Kovter
• Kovter initially developed as ransomware, later reengineered as fraud malware
• Attack vectors: multiple Exploit Kits (Blackhole, RedKit, Sakura, NuclearPack, Styx, Sweet Orange, Angler), malvertising
KOVCOREG – Threat Analysis: Techniques Assessment
OSComm – Technique (ID)
- Registry Run Keys / Start Folder (T1060)
- Scripting (T1064)
- Mshta (T1170)
- …
- Data Staged (T1074)
- …
Angler EK – Technique (ID)
- Remote Access Tools (T1219)
- …
- Remote File Copy (T1105)
RedKit – Technique (ID)
- Remote Access Tools (T1219)
- …
- Web Service (T1102)
Styx – Technique (ID)
- Clear Command History (T1146)
- Data Obfuscation (T1001)
- Multi-Stage Channels (T1104)
Matrix legend: Weapons - Tools × Technique × Scenario #1 / Scenario #2 / Scenario #3
KOVTER - Overview
Kovter: a Fileless Malware
Stage #1 – Spam mail: macro-based malicious spam
Stage #2 – Installation: malware components are installed on the target machine for shell spawning (techniques)
Stage #3 – Regedit: a new registry key with malicious code is created
Stage #4 – Injection: on reboot the malware injects a shellcode into the PowerShell process. The same result can be obtained by executing a batch or shortcut file
Stage #5 – Data theft: the regsvr32.exe process is spawned by the shellcode in order to create connection/s to C2 system/s and send stolen information
KOVCOREG – Kill Chain Simulation 1/2
Category / Technique | Description | Simulation
Persistence – T1060 | Registry Run Keys / Start Folder | OS commands
Defense Evasion / Execution – T1170, T1064 | Indicator Removal on Host; Scripting | OS commands
Collection – T1074 | Data Staged | OS commands
KOVCOREG – Kill Chain Simulation 2/2
KOVCOREG – Detection: Logs Collection/Assessment 1/2
Persistence – Registry Run Keys / Start Folder (T1060): New software is associated to extension
Persistence – Registry Run Keys / Start Folder (T1060): Adding an entry in the Registry in order to create a new file extension
Persistence – Registry Run Keys / Start Folder (T1060): Create registry entries linked to droppy software
KOVCOREG – Detection: Logs Collection/Assessment 2/2
Execution – Scripting (T1064): The bootstrap is triggered using a custom extension
Execution – MSHTA (T1170): MSHTA is used to run a WScript Shell Object and run the "core" malware
Persistence – Registry Run Keys / Start Folder (T1060): Set a value to the "command" registry entry.
NEXT STEPS
NEXT STEPS 1/2
- Infrastructure Orchestration
- More Interactive – Ansible RDP headless module
- More supported Platforms (OSX)
- Initial Vector simulation
NEXT STEPS 2/2
- Machine Learning algorithms
- More APT/TTP
- Improve visibility: Extend supported platforms / components (WMI)
- SIGMA: CRs in Generic Signature Format
- Content sharing: MISP / CRiTs
Q&A
Thanks!