Page 1: BSides London 2017 - Hunt Or Be Hunted

HUNT OR BE HUNTED

7th June 2017

Page 2

WHOAMI

• Senior Threat Hunter @ Countercept

• Pentester + Defensive fanboi

• Bug Bounty Lover <3

• Blogger? @pwndizzle

Page 3

Threat hunting when you don’t know you’re threat hunting…

Page 4

What is threat hunting?

“THE PROCESS OF PROACTIVELY AND ITERATIVELY SEARCHING THROUGH NETWORKS TO DETECT AND ISOLATE ADVANCED THREATS THAT EVADE EXISTING SECURITY SOLUTIONS”

- SQRRL

Page 5

Manual vs Automated

[Diagram: a scale running from Manual through Semi-Automated to Fully Automated, with an OFFENCE row and a DEFENCE row.]

Offence: Manual Pentesting → Tools (nmap) → Vuln Scanners (Nessus)

Defence: Manual Threat Hunting → Assisted Hunts → Alerts from “products” (AV)

Callouts: Advanced Threat Hunting; Traditional security teams

Page 6

The Paris Model (or Hunting Rocket, or APT Eiffel Tower)

[Diagram: a tower-shaped model with Capability on the vertical axis, Tactical Threat Intel feeding in from the side, and percentage marks of 10%, 40%, 80% and 99%. Stages: ‘HUNTING USE CASE’ GENERATION (HYPOTHESIS) → ‘HUNTING USE CASE’ EXECUTION → AUTOMATION → AUTOMATED NOTIFICATION.]

Page 7

Paris Model In Action

Process

• Red team use-case: HTA w/PS payload

• Manual hunt: mshta.exe usage, PS script logging

• Automated hunt: suspicious processes/script analysis

• Refine automation (increase fidelity): Filtering/Enrichment

Requirements

• People: someone needs to know this technique, understand it enough to search and automate

• Tech: endpoint visibility required + automated analysis framework.

Page 8

Page 9

Where do I start?

Page 10

Page 11

What data sources?

Page 12

Page 13

[Kill-chain diagram: Payload delivered → Payload executed → Persistence installed → Escalated Privs → Lateral movement → Data exfiltrated, with the data sources covering each stage listed in three groups.]

Group 1:

• Email Filter

• Web Proxy

• Bro Logs

• Firewall

Group 2:

• Endpoint

• Windows/Linux logs

• AV logs

Group 3:

• Bro Logs

• Web Proxy

• App Logs
Page 14

How to do analysis?

Page 15

IOCs are bad*

*If you rely on IOCs as your primary detection technique

Page 16

Specific Attacker TTPs

• Anomaly or context driven

Endpoint Logs

• Windows – Logins, DCSync, PrivEsc, Lockouts

• Binaries

• Execution – cmd, ps, wscript, wmi

• Enumeration – net

• Persistence – schtasks, services, registry, cron

• In-Memory injection

• Privilege Escalation

• UAC Bypass

Network

• Domain classification/history/age

• File analysis – Extension, Content-type, Content, Mismatches

• Data Transfers – Uploads/Downloads

• Dynamic DNS usage

• DNS Tunneling

Page 17

In-Memory Injection

Detection

• Suspicious threads

• Unknown module

• Unusual Permissions (e.g. RWX)

• Check for MZ

• Check for PE Header

• Check for MS-DOS strings

Injection Techniques

• LoadLibrary

• Process Hollowing

• Reflective Loading

• Hooking

Advanced Attack Detection @ Securitay2017 - https://youtu.be/ihElrBBJQo8

Page 18

Least Frequency Analysis/Stacking

[Chart: frequency count per process name, highest on the left, lowest on the right.]

Highest Frequency

Process Name    Count
conhost.exe     11730618
cscript.exe     9819507
cmd.exe         1497875
WmiPrvSE.exe    1444628
dllhost.exe     579741

Lowest Frequency

Process Name    Count
hpzpsl01.exe    1
ismagent.exe    1
MSIAE02.tmp     1
dJK4oMMtx.exe   1
SketchUp.exe    1

Anomalies: “That’s a bit weird”
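Stacking in code, as an added example that is not from the talk: count how often each process name runs and on how many hosts, then surface the least frequent ones. The telemetry is a constructed sample, and the known-rare allowlist stands in for the filtering step the deck calls refining automation.

```python
from collections import Counter, defaultdict

# Constructed sample of process-start telemetry as (hostname, process name);
# in practice this would come from Sysmon/OSQuery/EDR process events.
SAMPLE_EVENTS = [
    ("ws01", "conhost.exe"), ("ws01", "cmd.exe"), ("ws01", "conhost.exe"),
    ("ws01", "WmiPrvSE.exe"),
    ("ws02", "conhost.exe"), ("ws02", "cscript.exe"), ("ws02", "WmiPrvSE.exe"),
    ("ws03", "conhost.exe"), ("ws03", "cmd.exe"), ("ws03", "dllhost.exe"),
    ("ws04", "conhost.exe"), ("ws04", "cscript.exe"), ("ws04", "cmd.exe"),
    ("ws04", "dllhost.exe"),
    ("ws03", "dJK4oMMtx.exe"),   # seen once, on one host, random-looking name
    ("ws02", "SketchUp.exe"),    # also seen once, but a legitimate desktop app
]

def stack(events):
    """Return {process name: (execution count, distinct host count)}."""
    counts = Counter()
    hosts = defaultdict(set)
    for host, name in events:
        counts[name] += 1
        hosts[name].add(host)
    return {name: (counts[name], len(hosts[name])) for name in counts}

def least_frequent(stacked, max_hosts=1, known_rare=frozenset()):
    """Processes seen on at most `max_hosts` hosts, rarest first, minus names
    an analyst has already triaged as rare-but-legitimate (the filtering step)."""
    rare = [(name, count, hosts) for name, (count, hosts) in stacked.items()
            if hosts <= max_hosts and name not in known_rare]
    return sorted(rare, key=lambda t: (t[2], t[1], t[0]))

def most_frequent(stacked, top=3):
    """The noisiest process names; these are the ones stacking lets you ignore."""
    return sorted(stacked.items(), key=lambda kv: -kv[1][0])[:top]

if __name__ == "__main__":
    stacked = stack(SAMPLE_EVENTS)
    for name, (count, hosts) in most_frequent(stacked):
        print(f"common  {name:16s} runs={count:3d} hosts={hosts}")
    for name, count, hosts in least_frequent(stacked, known_rare={"SketchUp.exe"}):
        print(f"WEIRD   {name:16s} runs={count:3d} hosts={hosts}")
```

Host prevalence matters more than raw count: a binary that runs a thousand times on one workstation is still an outlier across the fleet.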

Page 19

Relationships/Graphing

Page 20

Clustering/Behaviour Based Detection

https://countercept.com/our-thinking/machine-learning/

Page 21

Automation

Page 22

Efficiency is intelligent laziness

Page 23

Speeding it up

• Data analysis with scoring/rules (“Assisted Hunts”)

• Enrichment/Context

• Integrated prevention/response

• Ticketing – Creation, Updating, Closing

• Payload Analysis – VT and Cuckoo integration, IDA/Radare plugins

• Comms with other users/clients (https://github.com/dropbox/securitybot)

Page 24

Welcome to the real world…

Page 25

Example #1 – Don’t trust your admins

• Targeting ATM management systems! :O

• Lateral movement using “Advanced IP Scanner”

• History of deployment, 1 host, 5 hosts, 27 hosts.

• Compiled Python binary with key-logging capabilities

• Suspicious executable bstack.exe running from StartUp folder

Page 26

Example #2 – Emotet - Macros+Powershell <3

Scoring

• Hidden Window (3/10)

• WebClient Download File (10/10)

• URL in args (7/10)

• Start-Process (8/10)

• Network comms/File writes (9/10)

[Obfuscated PowerShell sample shown on the slide omitted: a numeric-encoded string split on junk characters, converted back to characters, joined and passed to IEX.]

• IEX (9/10)

• Letter/Number/Special Char Ratios (8/10)

• Decoder Stub (7/10)

• Length (8/10)

https://github.com/danielbohannon/Invoke-Obfuscation
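A scoring routine for PowerShell command lines, added here as an example and not code from the talk: the feature weights are the x/10 values on the slide, while the regexes, the special-character ratio threshold, the length threshold and the alert threshold are this example's own assumptions. The sample command lines are constructed; the obfuscated one only spells out “Hi”.

```python
import re

# Feature weights follow the slide; regexes and thresholds are assumptions.
COMMAND_LINE_FEATURES = [
    ("Hidden Window",           3, re.compile(r"-w(?:indowstyle)?\s+hid", re.I)),
    ("WebClient Download File", 10, re.compile(r"webclient.*download", re.I)),
    ("URL in args",             7, re.compile(r"https?://", re.I)),
    ("Start-Process",           8, re.compile(r"start-process", re.I)),
    ("IEX",                     9, re.compile(r"\biex\b|invoke-expression", re.I)),
    ("Decoder Stub",            7, re.compile(r"\[char\]|\.split\(|-join\b|frombase64string", re.I)),
]
SPECIAL_RATIO_THRESHOLD = 0.2   # assumption: >20% punctuation is odd for an admin script
LENGTH_THRESHOLD = 500          # assumption: command lines longer than this are rare
ALERT_THRESHOLD = 20            # assumption: total score at which a ticket is raised

def special_ratio(cmd):
    """Share of characters that are neither alphanumeric nor whitespace."""
    specials = sum(1 for c in cmd if not c.isalnum() and not c.isspace())
    return specials / max(len(cmd), 1)

def score_powershell(cmd, observed=()):
    """Return (score, matched feature names) for one process command line.
    `observed` carries runtime tags such as "network" or "file_write" that
    come from endpoint telemetry rather than from the command line itself."""
    matched = [(name, w) for name, w, rx in COMMAND_LINE_FEATURES if rx.search(cmd)]
    if special_ratio(cmd) > SPECIAL_RATIO_THRESHOLD:
        matched.append(("Letter/Number/Special Char Ratios", 8))
    if len(cmd) > LENGTH_THRESHOLD:
        matched.append(("Length", 8))
    if any(tag in ("network", "file_write") for tag in observed):
        matched.append(("Network comms/File writes", 9))
    return sum(w for _, w in matched), [name for name, _ in matched]

# Constructed samples: a routine admin job, a decoder stub that decodes to
# "Hi", and a command that merely opens an intranet URL.
SAMPLES = {
    "benign": r"powershell.exe -File C:\scripts\backup.ps1",
    "obfuscated": "powershell.exe -WindowStyle Hidden -Command \"IEX(((' 72{105').SpLiT('{')|ForEach-Object{[Char][Int]$_})-Join'')\"",
    "url": "powershell -Command \"Start-Process 'http://intranet.example/page'\"",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        total, names = score_powershell(cmd)
        print(f"{label:10s} score={total:2d} alert={total >= ALERT_THRESHOLD} {names}")
```

Because the features are additive, a single strong indicator such as a download cradle never alerts on its own; it is the combination with a hidden window, IEX or a decoder stub that pushes a command line over the threshold.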

Page 27

How to be a stealthier attacker

Foothold

• Avoid macros/hta files

• Social engineering, exploits, webapps are better

• Abuse third party services Facebook/Linkedin

• Target personal assets instead of corporate assets

Execution

• Avoid new processes and avoid using command line arguments

• Avoid Windows utilities – cmd, powershell, net, reg, etc.

• Avoid in-memory techniques

• Avoid “hacker tools” – Metasploit, CobaltStrike, Mimikatz

• Avoid “spraying” credentials

• WMI is a better option

• Use direct Windows API access where possible

• Modify tools/binaries – name, hash, description

Persistence

• Avoid SysInternals Autoruns - Scheduled Tasks, Services, Registry, Cron, Launch Daemons/Agents

• WMI and COM not perfect but better than others

• Use “hide in plain sight” techniques

• Outlook rules, Office templates

• DLL side-loading

• Rootkits

• Anything involving custom applications

• Don’t use persistence if you don’t need to!

C2/Exfil

• Avoid network comms from processes which don’t have network comms

• Avoid newly registered domains, if possible use Google/Twitter/Youtube etc.

• Avoid DNS tunneling

• Use SSL and outlook/browsers where possible and go low and slow

Page 28

DIY Detection

• Data – OSQuery, GRR, Sysmon, Bro, Event logs

• Storage – Elastic

• Analytics – ElasticDSL, Kibana, ElastAlert, 411

• Infrastructure – Puppet, Chef, Ansible, Docker

Page 29

But what about CVE-2017-0144?!

Blue is the new red…

Page 30

QUESTIONS?