DATA SCIENCE THE DFIR OUT OF THIS! John Lukach blog.4n6ir.com - - PowerPoint PPT Presentation

▶

Jan 20, 2024 304 likes •771 views

IM GONNA HAVE TO DATA SCIENCE THE DFIR OUT OF THIS! John Lukach blog.4n6ir.com @jblukach AGENDA DATA SOURCE CLEAN DATA ADD CONTEXT VISUALIZATION SYSMON System Monitor is a Windows system service and device driver that,

SLIDE 1

I’M GONNA HAVE TO

DATA SCIENCE

THE DFIR OUT OF THIS!

John Lukach blog.4n6ir.com @jblukach

SLIDE 2

AGENDA

DATA SOURCE
CLEAN DATA
ADD CONTEXT
VISUALIZATION

SLIDE 3

SYSMON

System Monitor is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. https://technet.microsoft.com/en-us/sysinternals/sysmon

SLIDE 4

SYSMON

System Monitor does not provide collection or analysis of the events it generates, nor does it attempt to protect or hide itself from attackers. Sysmon64.exe -accepteula

i
h md5
n
l
r

SLIDE 5

SYSMON-DFIR

Michael Hagg has compiled a great list of Sysmon resources! https://github.com/MHaggis/sysmon-dfir

SLIDE 6

EVENT IDS

SLIDE 7

PROCESS CREATION

SLIDE 8

NETWORK CONNECTION

SLIDE 9

NO BLIND SPOTS

A Transparent Proxy has the ability to intercept connections between clients and servers without being visible using Web Cache Communication Protocol (WCCPv2).

SLIDE 10

PYTHON-EVTX

Willi Ballenthin released a pure Python parser for Windows Event Log files providing programmatic access to the File and Chunk headers, record templates and event entries. pip3 install python-evtx https://github.com/williballenthin/python-evtx

SLIDE 11

LOG VOLUME

SLIDE 12

SEARCHABLE

SLIDE 13

EXPLORE

SLIDE 14

PROCESS EXPLORER

SLIDE 15

PROCESS-FOREST

Willi Ballenthin released a Python script that builds historical process hierarchies from process auditing and Symon event logs. https://github.com/williballenthin/process-forest

SLIDE 16

PYRAMID OF PAIN

http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

SLIDE 17

SYSMON-FOREST.PY

https://github.com/jblukach/sysmon-forest

SLIDE 18

HELP

SLIDE 19

CLEAN DATA

-sqlite is the path to the SQLite database location
-evtx is the path to the Sysmon Event Log location
-insert is the flag to add events to the database

SLIDE 20

STATISTICS

-stats on the number of processes, connections and etc.

SLIDE 21

ADD CONTEXT

-dns is the path to a text file with a list of domains
-hash is the path to a text file with a list of hashes
-ip is the path to a text file with a list of ip addresses
-meta is the path to a text file with a list of meta data

SLIDE 22

THIRD PARTY

-maxmind is the path to the GeoLite2 City database

pip3 install geoip2

http://dev.maxmind.com/geoip/geoip2/geolite2/

-rfc1918 flags private non-routable IP addresses

pip3 install IPy

SLIDE 23

VISUALIZATION

-tree builds historical structure of processes, connections & etc.

SLIDE 24

COLORS

-bad
-blah
-evil
-good
-known
-mark
-unknown

SLIDE 25

DETAILS

-detail display specifics on a process by unique identifier

SLIDE 26

DEMO

SLIDE 27

CLEAN DATA

python3 sysmon-forest.py --sqlite Cerber.SQLite --evtx Cerber.evtx --insert

SLIDE 28

CLEAN DATA

SLIDE 29

STATISTICS

python3 sysmon-forest.py --sqlite Cerber.SQLite --stats

SLIDE 30

STATISTICS

SLIDE 31

STATISTICS

SLIDE 32

STATISTICS

SLIDE 33

RFC1918

python3 sysmon-forest.py --sqlite Cerber.SQLite --rfc1918 --blah

SLIDE 34

RFC1918

SLIDE 35

CONTEXT

SLIDE 36

CONTEXT

python3 sysmon-forest.py --sqlite Cerber.SQLite --meta input.txt --bad

SLIDE 37

CONTEXT

SLIDE 38

VISUALIZATION

python3 sysmon-forest.py --sqlite Cerber.SQLite --tree

SLIDE 39

VISUALIZATION

SLIDE 40

DETAIL

python3 sysmon-forest.py --sqlite Cerber.SQLite --detail {596b7bab-706f- 586a-0000-00108cba1c00}

SLIDE 41

DETAIL

SLIDE 42

BONUS

SLIDE 43

CERBER

SLIDE 44

CERBER

SLIDE 45