hunting and detecting apts using
play

Hunting and detecting APTs using Sysmon and PowerShell logging TOM - PowerPoint PPT Presentation

Jan 08, 2023 •294 likes •1.45k views

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:> whoami /all Tom Ueltschi Swiss Post CERT / SOC / CSIRT since 2007 (over 11 years!) Focus & Interests: Malware Analysis, Threat Intel,

  1. BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 54

  2. BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 55

  3. BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 56

  4. BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 57

  5. Here’s that list of strings… BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 58

  6. SIGMA rule: Malicious PS keywords BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 59

  7. “Low FP/high TP” vs. “noisy” events (90 days) > > > YMMV !!! < < < not all strings are created equal  BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 60

  8. Renaming PS.exe (evasion technique?) BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 61

  9. RETEFE Malware sample BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 62

  10. DOC/macro copy/rename PS.exe to %TEMP%\rnd.exe BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 63

  11. ProcessCreate Event from PS-renamed Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 64

  12. Search for Description: Windows PowerShell Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 65

  13. Idea for detection • Search for processes with “ Description: Windows PowerShell ” • Exclude “ powershell.exe ” (the legitimate one) • Also exclude PowerShell ISE BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 66

  14. SIGMA Search for Description: PS without powershell.exe Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 67

  15. SIGMA Search for Description: PS without powershell.exe Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 68

  16. Hello, world! My name is NOT powershell.exe  BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 69

  17. PowerShell Empire Stager BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 70

  18. PS-SB BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 71

  19. Idea for detection • Search for any of 3 strings that are not obfuscated (performance reason)  $PSVERSionTaBle.PSVErSIOn.MAjoR  System.Management.Automation.Utils  System.Management.Automation.AmsiUtils • Remove obfuscation characters (simple de-obfuscation) • Search for any of 5 strings (unique, de-obfuscated)  EnableScriptBlockLogging  EnableScriptBlockInvocationLogging  cachedGroupPolicySettings  ServerCertificateValidationCallback  Expect100Continue BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 72

  20. PS-SB BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 73

  21. PS-Empire functions executed PS-TR • Pen- tester was having “fun” with Empire • PS-Empire functions with parameters found in PS transcript file • Searched for “ … | Out - String | %{… ” BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 74

  22. PS-Empire functions executed (top 60 funct’s ) PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 75

  23. PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 76

  24. PS-TR Discovery > User enumeration – how many? BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 77

  25. Unmanaged PowerShell BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 78

  26. Get-TimedScreenshots BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 79

  27. Get-TimedScreenshots BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 80

  28. Using powershell.exe vs. unmanaged PS (PowerPick) BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 81

  29. Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 82

  30. Re-test after enabling FileCreate for rundll32.exe Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 83

  31. Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 84

  32. PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 85

  33. PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 86

  34. Idea for detection • Search PowerShell Transcript Files for “ Host Application: ” which is NOT any of • powershell.exe • powershell_ise.exe • wsmprovhost.exe • and possibly very few others BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 87

  35. SIGMA PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 88

  36. Unmanaged PowerShell BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 89

  37. BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 90

  38. BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 91

  39. Start-ClipboardMonitor BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 92

  40. PowerShell BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 93

  41. Idea for detection • Search for PowerShell EncodedCommands in command-lines • Base64 decode EncodedCommand on the fly • Search for known malicious strings / cmdlets in decoded commands BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 94

  42. Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 95

  43. Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 96

  44. PowerPick BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 97

  45. PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 98

  46. Idea for detection • Search for known malicious strings (code snippets, even comments) in PowerShell ScriptBlock Logs and Transcript Files BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 99

  47. SIGMA PS-SB PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting PLC Global Footprint 2 2009 Corporate Highlights Completed three acquisitions 47.3m Sale of Hunting Energy France 11.1m Year end

857 views • 37 slides
APTS Applied Stochastic Processes Markov chains and reversibility Renewal processes and

APTS Applied Stochastic Processes Markov chains and reversibility Renewal processes and

APTS-ASP 1 APTS-ASP 2 APTS Applied Stochastic Processes Markov chains and reversibility Renewal processes and stationarity Nicholas Georgiou 1 &amp; Matt Roberts 2 nicholas.georgiou@durham.ac.uk and mattiroberts@gmail.com Martingales

982 views • 32 slides
Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and Stalk Hunting Techniques: Decoying Hunting Techniques: Pass Shooting Gauge Sizes Choke extracted from muzzle Choke lengths and wall diameters

783 views • 29 slides
APTS Applied Stochastic Processes Nicholas Georgiou 1 &amp; Matt Roberts 2

APTS Applied Stochastic Processes Nicholas Georgiou 1 &amp; Matt Roberts 2

APTS-ASP 1 APTS Applied Stochastic Processes Nicholas Georgiou 1 &amp; Matt Roberts 2 nicholas.georgiou@durham.ac.uk and mattiroberts@gmail.com (Some slides originally produced by Wilfrid Kendall, Stephen Connor, Christina Goldschmidt and

3.38k views • 127 slides
Statistical Inference https://people.bath.ac.uk/masss/APTS/apts.html Simon Shaw University of

Statistical Inference https://people.bath.ac.uk/masss/APTS/apts.html Simon Shaw University of

Statistical Inference https://people.bath.ac.uk/masss/APTS/apts.html Simon Shaw University of Bath APTS, 16-20 December 2019 Simon Shaw (University of Bath) Statistical Inference APTS, 16-20 December 2019 1 / 95 Principles for Statistical

1.34k views • 95 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil the Lion, Hwange National Park, Zimbabwe, 2013 Yann Prisner-Levyne WILD FAUNA= NATURAL RESOURCES UNDER INTERNATIONAL LAW Principle of permanent

400 views • 21 slides
Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm Licensing (Briefly) Hunting on Traditional Territory Hunting off Traditional Territory Applying for a FWID and BCEID Metis Hunting in BC

377 views • 13 slides
Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in

Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in

TABAKOV TROPHY HUNTING Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in Catalonia that the hunting area of El Vedat is situated, only 45mn of Barcelona. The territory extends on more than 3000 ha of

385 views • 10 slides
Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in

Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in

Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in popularity; Several Youtube channels (THLR.NO, EuLRH) have attracted a considerable number of followers; A riflescope is a must-have ; Often

649 views • 11 slides
APTs Way: Evading your EBNIDS Ali Abbasi Jos Wetzels Who

APTs Way: Evading your EBNIDS Ali Abbasi Jos Wetzels Who

APTs Way: Evading your EBNIDS Ali Abbasi Jos Wetzels Who we are? Ali Abbasi : PhD student in Distributed and Embedded System Security Group

921 views • 43 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting

Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting

Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting in the mountains No need to overstretch the neck while using it Can be used without a tripod The user simply puts the scope on the top of

229 views • 9 slides
THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal

THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal

THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal Intent Value Targets APT Approach &amp; 4 Emergence of 3 Ransomware Ransomhacks 5 YARA Hunting for 5 Key Takeaways Crypto Implementations ~whoami

363 views • 32 slides
Du Cercle The APTs That Werent La cuadrature du cercle La cuadratura del circulo Die

Du Cercle The APTs That Werent La cuadrature du cercle La cuadratura del circulo Die

La Quadrature Du Cercle The APTs That Werent La cuadrature du cercle La cuadratura del circulo Die Quadratur des Kreises Squaring the circle Marion Marschalek marion@cyphort.com @pinkflawd What makes

701 views • 41 slides
Survival Analysis APTS 2015/16 Ingrid Van Keilegom Institut de statistique, biostatistique et

Survival Analysis APTS 2015/16 Ingrid Van Keilegom Institut de statistique, biostatistique et

Survival Analysis APTS 2015/16 Ingrid Van Keilegom Institut de statistique, biostatistique et sciences actuarielles Universit catholique de Louvain Glasgow, August 22-26, 2016 Basic concepts Nonparametric estimation Hypothesis testing

10.27k views • 183 slides
OSINT: The Secret Weapon in Hunting Nation-State Campaigns alon@intsights.com Alon Arvatz

OSINT: The Secret Weapon in Hunting Nation-State Campaigns alon@intsights.com Alon Arvatz

DETECT . ANALYZE . REMEDIATE OSINT: The Secret Weapon in Hunting Nation-State Campaigns alon@intsights.com Alon Arvatz +972-545444313 1 1 1 What People Think 2 True or False? Threat intelligence Nation-state actors Commercial threat

247 views • 24 slides
2013 - The year in Review thinkst applied research @haroonmeer | @marcoslaviero Who we are (and

2013 - The year in Review thinkst applied research @haroonmeer | @marcoslaviero Who we are (and

2013 - The year in Review thinkst applied research @haroonmeer | @marcoslaviero Who we are (and why does it matter?) Who we are (and why does it matter?) So... 2013 2013 Significant Events Research Themes Future Themes ? References / Links

983 views • 71 slides
NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE Mariano Graziano, Davide Canali, Leyla Bilge, Andrea Lanzi and Davide Balzarotti Eurecom Symantec Research Labs Universit degli Studi di

695 views • 34 slides
Bro Scripts The Bro Monitoring Platform Agenda Thursday Block 1: Bro-Overview and introduction.

Bro Scripts The Bro Monitoring Platform Agenda Thursday Block 1: Bro-Overview and introduction.

Bro Scripts The Bro Monitoring Platform Agenda Thursday Block 1: Bro-Overview and introduction. Structure, setup, administration. Exercise: find your way around in the training VM. Block 2: Bro-logs, network logs. Introduction on

292 views • 13 slides
GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent &amp; capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Acute Variables Of Training The Process Of Designing Training Plans SBS Academy: Unit 2 Mo

Acute Variables Of Training The Process Of Designing Training Plans SBS Academy: Unit 2 Mo

Acute Variables Of Training The Process Of Designing Training Plans SBS Academy: Unit 2 Mo Module le 2. 2.8 Unit 2- Coaching For Physique Athletes Learning Objectives Understand the role of exercise selection in training for

282 views • 14 slides
ECE590 Computer and Information Security Fall 2018 Malware Tyler Bletsch Duke University

ECE590 Computer and Information Security Fall 2018 Malware Tyler Bletsch Duke University

ECE590 Computer and Information Security Fall 2018 Malware Tyler Bletsch Duke University [SOUP13] defines malware as: a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality,

766 views • 53 slides
The BigChaos Solution to the Netflix Prize Presented by: Chinfeng Wu 1 Saturday, April 10,

The BigChaos Solution to the Netflix Prize Presented by: Chinfeng Wu 1 Saturday, April 10,

The BigChaos Solution to the Netflix Prize Presented by: Chinfeng Wu 1 Saturday, April 10, 2010 Outline The Netflix Prize The team &quot;BigChaos&quot; Algorithms Details in selected algorithms End-Game

561 views • 32 slides

More recommend