Hunting and detecting APTs using Sysmon and PowerShell logging TOM - - PowerPoint PPT Presentation

SLIDE 1

Hunting and detecting APTs using Sysmon and PowerShell logging

TOM UELTSCHI BOTCONF 2018

SLIDE 2

C:> whoami /all

  • Tom Ueltschi
  • Swiss Post CERT / SOC / CSIRT since 2007 (over 11 years!)
  • Focus & Interests: Malware Analysis, Threat Intel, Threat Hunting, Red / Purple Teaming
  • Member of many trust groups & infosec communities
  • FIRST SIG member (malware analysis, red teaming, CTI)
  • Twitter: @c_APT_ure

BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 2

SLIDE 3

BotConf Speaker history

  • 2013 - My Name is Hunter, Ponmocup Hunter
  • 2014 - Ponmocup Hunter 2.0 – The Sequel
  • 2015 - LT: Creating your own CTI (in 3 minutes.. or 5)
  • 2016 - Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
  • 2017 - LT: Sysmon FTW!
  • 2018 - Hunting and detecting APTs using Sysmon and PowerShell logging

SLIDE 4

Outline (remember, it’s a short 30min fast 40min talk)

  • Introduction
  • 3 techniques from MITRE ATT&CK

SLIDE 5

Motivation – why yet another talk?

  • Positive feedback is always nice and encouraging

SLIDE 6

Motivation – why yet another talk?

  • Positive feedback is always nice and encouraging
SLIDE 7

Motivation – the real one

SLIDE 8

Motivation – the real one

SLIDE 9

Motivation – the real one

SLIDE 10

Motivation – the real one

SLIDE 11

Motivation – the real one

SLIDE 12

SIGMA… say what?

SLIDE 13

SIGMA… say what?

SLIDE 14

Are you ready for a change?

Source: https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science.pdf

SLIDE 15

Are you ready for a change?

SLIDE 16

Our setup

  • ~25’000 hosts
  • ~150 GB/day
  • Event logs
    • Windows
    • Sysmon
    • Powershell

SLIDE 17

ATT&CK is the new {APT,Cyber,AI,ML,blockchain,etc}

SLIDE 18

SLIDE 19

SLIDE 20

SLIDE 21

SLIDE 22

ATT&CKcon 2018

SLIDE 23

SLIDE 24

SLIDE 25

Data Sources & Event Logs

  • Sysmon
  • PowerShell ScriptBlock Logging
  • PowerShell Transcript Logging

SIGMA rule available

Sysmon PS-SB PS-TR SIGMA

SLIDE 26

SLIDE 27

Outline

  • Introduction
  • 1st of 3 techniques from MITRE ATT&CK

SLIDE 28

WMI Event Subscription (Persistence)

SLIDE 29

APT group named “Atomic Kittens”

SLIDE 30

WMI Event Subscription

Source: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf

SLIDE 31

WMI Event Subscription

Source: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

SLIDE 32

WMI Event Subscription

Source: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

SLIDE 33

WMI Event Subscription

  • Generating test events using “PowerLurk” Github project
  • Likely won’t catch many APTs searching for Register-MaliciousWmiEvent ;-)

SLIDE 34

How noisy is the Sysmon WmiEvent?

  • > 90 days
  • > 270 EP’s
  • < 600 events
  • 4 diff types

Sysmon

SLIDE 35

Sysmon SIGMA

SLIDE 36

Sysmon SIGMA

SLIDE 37

Outline

  • Introduction
  • 2nd of 3 techniques from MITRE ATT&CK

SLIDE 38

Logon Scripts (Persistence, Lateral Movement)

SLIDE 39

APT group named “Cuddly Panda Bears”

SLIDE 40

SLIDE 41

SLIDE 42

SLIDE 43

SLIDE 44

SLIDE 45

SLIDE 46

Idea for detection

  • Search for child processes of “userinit.exe”
  • Exclude “explorer.exe” (normal)
  • Exclude logon scripts (after baselining & vetting)
  • Possibly a small number of other legitimate executables, but feasible to enumerate and filter out
  • Search for ProcessCreate or RegistryEvents with the registry key name “UserInitMprLogonScript”
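A Python stand-in for the Splunk search behind these bullets, added here and not part of the talk: it applies the exclusions above to constructed Sysmon ProcessCreate and RegistryEvent records (the paths, SID and vetted-script list are made up).

```python
"""Logon-script persistence hunt over Sysmon events (added example, not the talk's).
Implements slide 46: children of userinit.exe minus explorer.exe and vetted logon
scripts, plus any ProcessCreate/RegistryEvent naming UserInitMprLogonScript."""

# Vetted logon scripts come from baselining; these UNC paths are constructed.
VETTED_LOGON_SCRIPTS = {
    r"\\corp.example\netlogon\logon.bat",
    r"\\corp.example\netlogon\mapdrives.vbs",
}
NORMAL_USERINIT_CHILDREN = {"explorer.exe"}   # extend after baselining

# Constructed Sysmon events flattened to dicts (EventID 1 = ProcessCreate,
# 13 = RegistryEvent value set); SID, hosts and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"cmd /c \\corp.example\netlogon\logon.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"cmd /c C:\Users\Public\update.bat"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\Public\update.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_userinit_child(ev):
    """ProcessCreate whose parent is userinit.exe, after the slide's exclusions."""
    if ev.get("EventID") != 1:
        return False
    if _basename(ev.get("ParentImage", "")) != "userinit.exe":
        return False
    if _basename(ev.get("Image", "")) in NORMAL_USERINIT_CHILDREN:
        return False
    cmd = ev.get("CommandLine", "").lower()
    return not any(script.lower() in cmd for script in VETTED_LOGON_SCRIPTS)


def touches_logon_script_value(ev):
    """Any event whose registry path, command line or data names the value."""
    hay = " ".join(str(ev.get(k, "")) for k in ("TargetObject", "CommandLine", "Details"))
    return "userinitmprlogonscript" in hay.lower()


def hunt(events):
    """Return (reason, artefact) pairs worth an analyst's look."""
    hits = []
    for ev in events:
        if is_suspicious_userinit_child(ev):
            hits.append(("userinit_child", ev["Image"]))
        elif touches_logon_script_value(ev):
            hits.append(("logon_script_value", ev.get("TargetObject") or ev.get("CommandLine")))
    return hits
```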

SLIDE 47

Sysmon SIGMA

SLIDE 48

Sysmon

SLIDE 49

PS-TR

SLIDE 50

Outline

  • Introduction
  • 3rd of 3 techniques from MITRE ATT&CK

SLIDE 51

PowerShell (execution)

SLIDE 52

PowerShell (execution)

SLIDE 53

APT group named “Magic Hound”

SLIDE 54

SLIDE 55

SLIDE 56

SLIDE 57

SLIDE 58

Here’s that list of strings…

SLIDE 59

SIGMA rule: Malicious PS keywords

SLIDE 60

“Low FP/high TP” vs. “noisy” events (90 days)

> > > YMMV !!! < < <

Not all strings are created equal

SLIDE 61

Renaming PS.exe (evasion technique?)

SLIDE 62

RETEFE Malware sample

SLIDE 63

DOC/macro copy/rename PS.exe to %TEMP%\rnd.exe

SLIDE 64

ProcessCreate Event from PS-renamed

Sysmon

SLIDE 65

Search for Description: Windows PowerShell

Sysmon

SLIDE 66

Idea for detection

  • Search for processes with “Description: Windows PowerShell”
  • Exclude “powershell.exe” (the legitimate one)
  • Also exclude PowerShell ISE
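Added example (not from the talk) of the Description-based search in Python: the PE version resource survives a file rename, so the filter keys on it and excludes only the legitimately named binaries. The events, paths and the rnd.exe name are constructed, following the copy/rename behaviour shown on slide 63.

```python
"""Flag renamed copies of powershell.exe in Sysmon ProcessCreate events
(added example, not the talk's Splunk search). Slide 66's idea: match on
Description, exclude powershell.exe and the ISE by image name."""
import re

LEGIT_POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe"}
# The ISE describes itself as "Windows PowerShell ISE", so match the family
# prefix here and leave the exclusion to the image-name check below.
PS_DESCRIPTION = re.compile(r"^windows powershell(\s+ise)?$", re.I)

# Constructed Sysmon EID 1 records; %TEMP%\rnd.exe mirrors the macro
# behaviour on slide 63 (user name, path and command line are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Description": "Windows PowerShell", "CommandLine": "powershell -NoProfile"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
     "Description": "Windows PowerShell ISE", "CommandLine": "powershell_ise"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\rnd.exe",
     "Description": "Windows PowerShell",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\rnd.exe -enc AAAA"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "Description": "Windows Command Processor", "CommandLine": "cmd.exe"},
]


def is_renamed_powershell(ev):
    """True when the binary describes itself as PowerShell but is not named like it."""
    if not PS_DESCRIPTION.match(ev.get("Description", "").strip()):
        return False
    name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return name not in LEGIT_POWERSHELL_IMAGES


def find_renamed_powershell(events):
    """Image paths of every process that passes the filter."""
    return [ev["Image"] for ev in events if is_renamed_powershell(ev)]
```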

SLIDE 67

Search for Description: PS without powershell.exe

Sysmon SIGMA

SLIDE 68

Search for Description: PS without powershell.exe

Sysmon SIGMA

SLIDE 69

Hello, world! My name is NOT powershell.exe

SLIDE 70

PowerShell Empire Stager

SLIDE 71

PS-SB

SLIDE 72

Idea for detection

  • Search for any of 3 strings that are not obfuscated (performance reason)
    • $PSVERSionTaBle.PSVErSIOn.MAjoR
    • System.Management.Automation.Utils
    • System.Management.Automation.AmsiUtils
  • Remove obfuscation characters (simple de-obfuscation)
  • Search for any of 5 strings (unique, de-obfuscated)
    • EnableScriptBlockLogging
    • EnableScriptBlockInvocationLogging
    • cachedGroupPolicySettings
    • ServerCertificateValidationCallback
    • Expect100Continue
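The two-stage match as Python, added here and not Tom's Splunk search. The eight strings are the ones on the slide; the sample ScriptBlock text is constructed to carry them in random-cased, '+'-split and backtick-split form inside an otherwise inert script.

```python
"""Two-stage Empire-stager string match (added example, not the talk's code).
Stage 1 is a cheap case-insensitive search for the three strings Empire leaves
unobfuscated (slide 72); only on a hit is the block de-obfuscated and checked
for the five remaining strings."""
import re

STAGE1_STRINGS = [
    "$PSVersionTable.PSVersion.Major",
    "System.Management.Automation.Utils",
    "System.Management.Automation.AmsiUtils",
]
STAGE2_STRINGS = [
    "EnableScriptBlockLogging",
    "EnableScriptBlockInvocationLogging",
    "cachedGroupPolicySettings",
    "ServerCertificateValidationCallback",
    "Expect100Continue",
]
# Characters used only to split a literal: backtick escapes, quotes, '+' concatenation.
OBFUSCATION_CHARS = re.compile("[`'\"+]")
WHITESPACE = re.compile(r"\s+")


def deobfuscate(text):
    """Simple de-obfuscation: drop the split characters and collapse whitespace."""
    return WHITESPACE.sub(" ", OBFUSCATION_CHARS.sub("", text))


def _contains_any(text, needles):
    low = text.lower()
    return [n for n in needles if n.lower() in low]


def scan_scriptblock(text):
    """Return (stage1_hits, stage2_hits); stage 2 only runs after a stage-1 hit."""
    stage1 = _contains_any(text, STAGE1_STRINGS)
    if not stage1:
        return [], []
    return stage1, _contains_any(deobfuscate(text), STAGE2_STRINGS)


# Constructed ScriptBlock text: indicator strings in random-cased, '+'-split
# and backtick-split form; the script itself only echoes variables.
SAMPLE_SCRIPTBLOCK = (
    "$v = $PSVERSionTaBle.PSVErSIOn.MAjoR; "
    "$t = 'System.Management.Automation.Utils'; "
    "$n = 'cachedGroup'+'PolicySettings'; "
    '$f = "Enable`Script`Block`Logging"; '
    "Write-Output $v $t $n $f"
)
BENIGN_SCRIPTBLOCK = r"Get-ChildItem -Path C:\Logs | Where-Object { $_.Length -gt 1MB }"
```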

SLIDE 73

PS-SB

SLIDE 74

PS-Empire functions executed

  • Pen-tester was having “fun” with Empire
  • PS-Empire functions with parameters found in PS transcript file
  • Searched for “… | Out-String | %{…”

PS-TR

SLIDE 75

PS-Empire functions executed (top 60 funct’s)

PS-TR

SLIDE 76

PS-TR

SLIDE 77

Discovery > User enumeration – how many?

PS-TR

SLIDE 78

Unmanaged PowerShell

SLIDE 79

Get-TimedScreenshots

SLIDE 80

Get-TimedScreenshots

SLIDE 81

Using powershell.exe vs. unmanaged PS (PowerPick)

SLIDE 82

Sysmon

SLIDE 83

Re-test after enabling FileCreate for rundll32.exe

Sysmon

SLIDE 84

Sysmon

SLIDE 85

PS-TR

SLIDE 86

PS-TR

SLIDE 87

Idea for detection

  • Search PowerShell Transcript Files for “Host Application:” which is NOT any of
    • powershell.exe
    • powershell_ise.exe
    • wsmprovhost.exe
    • and possibly very few others
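Added Python example, not from the talk: parse the Start-Transcript header that Windows PowerShell 5 writes for its "Host Application:" line and flag anything outside the three hosts above. The allowlist is the slide's; both transcripts below, including the rundll32.exe host, are constructed.

```python
"""Flag PowerShell transcript files whose host process is unexpected
(added example, not the talk's search). Slide 87's idea: the transcript
header records the hosting process; anything but the usual hosts is a lead."""
import re

EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "wsmprovhost.exe"}
HOST_LINE = re.compile(r"^Host Application:\s*(.*)$", re.M)


def host_executable(host_application):
    """First token of the host command line, honouring a quoted path."""
    value = host_application.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        exe = value[1:end] if end > 0 else value[1:]
    else:
        exe = value.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def unexpected_host(transcript_text):
    """Return the offending host executable name, or None if allowlisted/absent."""
    m = HOST_LINE.search(transcript_text)
    if not m:
        return None   # no header: not a transcript start block
    exe = host_executable(m.group(1))
    return None if exe in EXPECTED_HOSTS else exe


def triage(transcripts):
    """Map transcript file name -> unexpected host executable, for review."""
    flagged = {}
    for name, text in transcripts.items():
        exe = unexpected_host(text)
        if exe:
            flagged[name] = exe
    return flagged


# Constructed transcripts in the Windows PowerShell 5 Start-Transcript layout:
# one from the console host, one from an arbitrary process hosting the
# automation engine (the unmanaged PowerShell case); names and IDs are made up.
CONSOLE_TRANSCRIPT = "\n".join([
    "**********************",
    "Windows PowerShell transcript start",
    "Start time: 20181207091500",
    r"Username: CORP\alice",
    "Machine: WS01 (Microsoft Windows NT 10.0.17134.0)",
    r"Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile",
    "Process ID: 4242",
    "**********************",
])
UNMANAGED_TRANSCRIPT = CONSOLE_TRANSCRIPT.replace(
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile",
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\host.dll,Run')
```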

SLIDE 88

PS-TR SIGMA

SLIDE 89

Unmanaged PowerShell

SLIDE 90

SLIDE 91

SLIDE 92

Start-ClipboardMonitor

SLIDE 93

PowerShell

SLIDE 94

Idea for detection

  • Search for PowerShell EncodedCommands in command-lines
  • Base64 decode EncodedCommand on the fly
  • Search for known malicious strings / cmdlets in decoded commands

SLIDE 95

Sysmon

SLIDE 96

Sysmon

SLIDE 97

PowerPick

SLIDE 98

PS-TR

SLIDE 99

Idea for detection

  • Search for known malicious strings (code snippets, even comments) in PowerShell ScriptBlock Logs and Transcript Files

SLIDE 100

PS-SB PS-TR SIGMA

SLIDE 101

PS-TR

SLIDE 102

Detecting known bad vs. hunting unknown

SLIDE 103

Obfuscate-Mimikatz.sh: only random strings

SLIDE 104

Detection vs. Hunting

  • So far we looked at known malicious strings or behaviors
  • Now let’s hunt for the unknowns
  • Enumerate legitimate PS script files and function names
    • Build a whitelist to filter out legitimate functions
  • Search for rarest function names in PS logs (apply whitelist filtering)
  • Use stacking, long tail analysis, LFO to find interesting stuff
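Added Python example, not from the talk, of the stacking workflow above: Verb-Noun names are enumerated from known-good script files into a whitelist, every Verb-Noun name seen in ScriptBlock log text is counted by distinct host, and the non-whitelisted names come out rarest first (least frequent occurrence). The script files and log records are constructed.

```python
"""Stacking / long-tail hunt for rare PowerShell function names
(added example, not the talk's Splunk searches)."""
import re
from collections import defaultdict

# PowerShell function and cmdlet names follow Verb-Noun.
VERB_NOUN = re.compile(r"\b[A-Z][A-Za-z]+-[A-Z][A-Za-z0-9]+\b")


def enumerate_function_names(script_text):
    """All Verb-Noun names (defined or called) in one script, lower-cased."""
    return {m.group(0).lower() for m in VERB_NOUN.finditer(script_text)}


def build_whitelist(script_files):
    """Union of names from every vetted script file (path -> contents)."""
    names = set()
    for text in script_files.values():
        names |= enumerate_function_names(text)
    return names


def stack_function_names(log_records, whitelist):
    """[(name, distinct host count)] rarest first, whitelisted names removed."""
    hosts_by_name = defaultdict(set)
    for host, text in log_records:
        for name in enumerate_function_names(text) - whitelist:
            hosts_by_name[name].add(host)
    return sorted(((n, len(h)) for n, h in hosts_by_name.items()),
                  key=lambda item: (item[1], item[0]))


# Constructed known-good scripts (the whitelist source) ...
KNOWN_GOOD_SCRIPTS = {
    r"\\corp.example\scripts\Backup-Shares.ps1":
        r"function Backup-Shares { Get-ChildItem \\fs01\share | Copy-Item -Destination D:\bak }",
    r"\\corp.example\scripts\Set-CorpProxy.ps1":
        r"function Set-CorpProxy { Set-ItemProperty -Path HKCU:\Environment -Name Proxy -Value 1 }",
}
# ... and constructed (host, ScriptBlock text) records from the PS-SB log.
# Remove-Item shows why baselining keeps growing the whitelist: a common
# built-in cmdlet the vetted scripts happen not to use still surfaces.
SCRIPTBLOCK_LOGS = [
    ("ws01", "Backup-Shares"),
    ("ws02", "Backup-Shares"),
    ("ws03", "Set-CorpProxy"),
    ("ws03", "function Get-TimedScreenshots { param($Interval) }; Get-TimedScreenshots -Interval 5"),
    ("ws04", r"Get-ChildItem C:\Temp | Remove-Item"),
    ("ws01", r"Get-ChildItem C:\Temp | Remove-Item"),
]
```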

SLIDE 105

Enumerate PS script files and function names

SLIDE 106

Enumerate PS script files and function names

SLIDE 107

Search for rarest PS script files

SLIDE 108

Search for rarest PS function names

SLIDE 109

Create whitelist lookup with known good

SLIDE 110

Create blacklist lookup with known bad

SLIDE 111

SLIDE 112

SIGMA rules (contributions coming soon…)

SLIDE 113

SLIDE 114

SLIDE 115

Thanks for your attention!!

Time left for questions?

  • Twitter: @c_APT_ure
  • Blog: http://c-apt-ure.blogspot.com/2017/12/is-this-blog-still-alive.html
    • many resources about Sysmon linked in one place