#CyberCamp19
Threat Hunting and Attack Simulation
Lórien Doménech Ruiz and Carlos Caballero García
2020. 4. 21.


Contents

1. Threat Hunting Intro
2. Vulnerabilities exploited by cybercriminals
3. Configuring threat hunting environments
4. Attack simulation
5. Playbook and case study
6. Conclusions

Speakers

1. Lórien Doménech Ruiz
2. Carlos Caballero García


Threat Hunting Intro


Threat Hunting Intro

Where is Threat Hunting in an Incident Life Cycle?

Professionals: Hackers, Sysadmins, Analysts, Incident Responders, Forensics …


Threat Hunting Intro

What is it for?


Threat Hunting Intro

What do we need?


Threat Hunting Intro

Other resources


Vulnerabilities exploited by cybercriminals


Vulnerabilities exploited by cybercriminals

MITRE ATT&CK™: a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

mitre-attack.github.io/attack-navigator/enterprise


Vulnerabilities exploited by cybercriminals

Cybercriminals: Lazarus Group


Vulnerabilities exploited by cybercriminals

Mitre Att&ck on sandbox: Ryuk Ransomware analysis - 09/2019


Setting threat hunting environments


Threat Hunting environments

House Lab with ESXi

[Diagram label: VPN]

Requirements:
• Laptops
• Server with ESXi
• VM Windows Server 2019
• VM Windows 10
• VM Windows 7
• CentOS 7
• Ubuntu Server 18.04 (Caldera)
• Splunk Cloud (Universal Forwarder on the VMs)
• Sysmon configuration


Threat Hunting environments

House Lab with ESXi: detailed requirements

Per VM (five VMs, in slide order):

       VM 1    VM 2    VM 3    VM 4    VM 5
CPU    2       2       4       2       2
RAM    4GB     2GB     6GB     3GB     2GB
DISK   40GB    20GB    40GB    10GB    10GB

ESXi server: CPU: Xeon 16, RAM: 64GB, DISK: 2TB


Threat Hunting environments

Sysmon Configuration

Install Sysmon with a configuration file on each host of the environment. Installation:

sysmon -accepteula -i c:\windows\config.xml


Threat Hunting environments

Detection Lab

This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configuration.

Primary Lab Features:
• Microsoft Advanced Threat Analytics is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
• Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
• A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
• Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
• PowerShell transcript logging is enabled. All logs are saved to \\wef\pslogs
• osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
• Sysmon is installed and configured using SwiftOnSecurity's open-sourced configuration
• All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
• SMBv1 Auditing is enabled

Requirements:
• 55GB+ of free disk space
• 16GB+ of RAM
• Packer 1.3.2 or newer
• Vagrant 2.2.2 or newer
• Virtualbox or VMWare or AWS

DEMO TIME!


Threat Hunting environments

SOF-ELK®

VM platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. The platform is a customized build of the open source Elastic stack, consisting of the Elasticsearch storage and search engine, Logstash ingest and enrichment system, Kibana dashboard frontend, and Elastic Beats log shipper.

Requirements:
• 40GB+ of free disk space
• 8GB+ of RAM
• VMWare


Threat Hunting environments

HELK

HELK is one of the first open source hunt platforms. Components and structure: [diagram]

Requirements:
• 40GB+ of free disk space
• 8GB+ of RAM
• VMWare


Attack simulation


Attack simulation

Caldera

CALDERA is an automated adversary emulation system, built on the MITRE ATT&CK™ framework.

Caldera 2.0 changes: the introduction of two operating modes, adversary mode (the classic CALDERA capability) and chain mode (designed to allow users to orchestrate/string together atomic unit tests into larger attack sequences).

Requirements:
• Python 3.5.3+
• Google Chrome is our only supported/tested browser

Plugins: [diagram]

DEMO TIME!


Attack simulation

Cymulate

Cymulate tests the strength of a company's security by simulating real cyber attacks across all attack vectors, based on MITRE ATT&CK™.

Requirements:
• Agent on the host
• Whitelisted IP


Playbook and case study


Playbook and case study

PowerShell Hunting

General Information
Date: 29/08/2019
Created by: Lórien Doménech Ruiz
Last execution date: 09/09/2019
Estimated resources: About 24 hours
Priority: High

PowerShell Execution
Tactic: Execution
Technique: PowerShell (T1086)

Hypothesis & Trigger
Hypothesis: Adversaries are using PowerShell commands to attack our infrastructure to gain access to resources inside the organization.
Hypothesis Status: Initial
Trigger: Too many events related to suspicious PowerShell commands have been found on the SIEM and/or the corporate anti-virus.
MITRE Reference: PowerShell (T1086)
Classification: Execution

Technique Description: PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems.

Techniques Detection

Basic PowerShell Execution: detection of PowerShell execution, locally or remotely. This focuses only on the execution of PowerShell, not on what happens after the execution or on the specific goal. It can be linked to several PowerShell execution variants.

Alternate Signed PowerShell Hosts: detection of the abuse of signed PowerShell hosts to bypass application whitelisting and potentially constrained language mode. This focuses on PowerShell hosts beyond powershell.exe, powershell_ise.exe or wsmprovhost.exe.
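The two analytics above can be expressed as code that runs over exported events. The following Python is an added example, not code from the deck or from the ThreatHunter-Playbook it cites. It assumes events arrive as dicts whose keys mirror Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad) fields and the classic "Windows PowerShell" log's Event ID 400 (engine lifecycle, whose message carries HostApplication); the sample events, host names and paths are constructed, and the expected-host list is the one the playbook names.

```python
"""Two of the playbook's PowerShell hunt analytics over constructed Windows events.

Added example, not from the CyberCamp19 deck. Event shape and sample data are
assumptions: dicts mirroring Sysmon Event ID 1/7 and Windows PowerShell Event ID 400.
"""
import re
from pathlib import PureWindowsPath

# Signed PowerShell hosts the playbook treats as expected.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "wsmprovhost.exe"}
# The PowerShell engine assembly: any process that loads it is hosting PowerShell.
AUTOMATION_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}
GAC_PATH = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
            r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS01",
     "Image": PS_EXE, "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 7, "Computer": "WS01",
     "Image": PS_EXE, "ImageLoaded": GAC_PATH},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 7, "Computer": "WS02",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "ImageLoaded": GAC_PATH},
    {"Channel": "Windows PowerShell", "EventID": 400, "Computer": "WS01",
     "Message": "Engine state is changed from None to Available.\r\n\r\nDetails:\r\n"
                "\tNewEngineState=Available\r\n\tHostName=ConsoleHost\r\n"
                "\tHostApplication=" + PS_EXE + " -NoProfile -Command Get-Process\r\n"},
    {"Channel": "Windows PowerShell", "EventID": 400, "Computer": "WS03",
     "Message": "Engine state is changed from None to Available.\r\n\r\nDetails:\r\n"
                "\tNewEngineState=Available\r\n\tHostName=Default Host\r\n"
                "\tHostApplication=C:\\Program Files\\Vendor\\svc.exe\r\n"},
]


def image_name(path):
    """Lower-case file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def host_application(message):
    """Extract the HostApplication command line from an Event ID 400 message."""
    match = re.search(r"HostApplication=(.+)", message)
    return match.group(1).strip() if match else ""


def host_executable(command_line):
    """Executable name from a HostApplication command line (paths with spaces are fine)."""
    if not command_line:
        return ""
    match = re.match(r'\s*"?([^"]*?\.exe)', command_line, re.IGNORECASE)
    return image_name(match.group(1)) if match else image_name(command_line.split()[0])


def basic_powershell_execution(events):
    """Basic PowerShell Execution: a PowerShell host process starts (Sysmon 1) or a
    PowerShell engine starts (Event ID 400), regardless of what runs afterwards."""
    hits = []
    for e in events:
        if e["EventID"] == 1 and image_name(e["Image"]) in EXPECTED_HOSTS | {"pwsh.exe"}:
            hits.append((e["Computer"], e["CommandLine"]))
        elif e["EventID"] == 400 and e["Channel"] == "Windows PowerShell":
            hits.append((e["Computer"], host_application(e["Message"])))
    return hits


def alternate_powershell_hosts(events):
    """Alternate Signed PowerShell Hosts: the engine assembly loaded by, or an engine
    started inside, a process that is not one of the expected hosts."""
    hits = []
    for e in events:
        if e["EventID"] == 7 and image_name(e["ImageLoaded"]) in AUTOMATION_DLLS:
            host, source = image_name(e["Image"]), "Sysmon 7 ImageLoad"
        elif e["EventID"] == 400 and e["Channel"] == "Windows PowerShell":
            host, source = host_executable(host_application(e["Message"])), "PowerShell 400 HostApplication"
        else:
            continue
        if host not in EXPECTED_HOSTS:
            hits.append((e["Computer"], host, source))
    return hits


if __name__ == "__main__":
    for hit in basic_powershell_execution(EVENTS):
        print("basic execution:", hit)
    for hit in alternate_powershell_hosts(EVENTS):
        print("alternate host:", hit)
```

Both analytics deliberately use two independent sources (Sysmon ImageLoad and the PowerShell engine's own lifecycle event), so a host that lacks one of the logs, which was exactly the constraint noted at the end of this hunt, still yields a result from the other.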


Playbook and case study

Threat Intelligence

TH focus on the sector: Energy
Possible actors: APT32, APT33, APT34, Dragonfly, Magic Hound, Threat Group-3390

APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based.

Possible motivations: ….

Software: APT32: Cobalt Strike - commercial penetration testing tool

Active campaign? APT32 (Last attack: February 2018, Area: East-Asian countries, References: link link2)

Actor capability: APT32 (Initial access: spear-phishing emails, capability: High)

…

Recommended Data Sources

ATT&CK Data Sources: PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters
Event Logs: Microsoft-Windows-Sysmon/Operational, WinEvent (turn on PowerShell Transcription)
Processes to monitor: powershell.exe, regsvr32.exe, cscript.exe, wscript.exe, Rundll32.exe
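The Sysmon configuration slide earlier and this data-source list together raise a practical question: does the configuration you installed actually produce the data the hunt needs? The following Python is an added example, not from the deck or from SwiftOnSecurity's repository. It parses a Sysmon configuration in the XML schema that config uses and reports which of the recommended data sources the configuration will produce. The mapping from ATT&CK data sources to Sysmon event types and the embedded sample configuration are my assumptions and constructed input; PowerShell logs are reported separately because Sysmon does not produce them.

```python
"""Check a Sysmon configuration for the event types the PowerShell hunt relies on.

Added example, not from the CyberCamp19 deck. The data-source mapping and the
sample configuration below are assumptions, not the deck's or SwiftOnSecurity's.
"""
import xml.etree.ElementTree as ET

# Assumed mapping: ATT&CK data source from the playbook -> Sysmon event type that
# produces it. "PowerShell logs" is not a Sysmon source; it comes from the
# Microsoft-Windows-PowerShell/Operational log (Event IDs 4103/4104).
DATA_SOURCE_TO_SYSMON = {
    "Process monitoring": "ProcessCreate",               # Sysmon Event ID 1
    "Process command-line parameters": "ProcessCreate",  # CommandLine field of Event ID 1
    "Loaded DLLs": "ImageLoad",                          # Event ID 7
    "DLL monitoring": "ImageLoad",
    "Windows Registry": "RegistryEvent",                 # Event IDs 12-14
    "File monitoring": "FileCreate",                     # Event ID 11
    "PowerShell logs": None,                             # not provided by Sysmon
}

# Constructed sample config in the schema SwiftOnSecurity's config uses (not the real file).
SAMPLE_CONFIG = """<Sysmon schemaversion="4.22">
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="include">
        <ImageLoaded condition="contains">System.Management.Automation</ImageLoaded>
      </ImageLoad>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def enabled_event_types(config_xml):
    """Return the Sysmon event types that will actually produce events.

    Sysmon filter semantics: onmatch="exclude" logs everything that is not matched,
    so even an empty exclude block logs the whole event type; onmatch="include" logs
    only what is matched, so an include block with no rules logs nothing.
    """
    root = ET.fromstring(config_xml)
    filtering = root.find("EventFiltering")
    enabled = set()
    if filtering is None:
        return enabled
    for element in filtering.iter():
        onmatch = element.get("onmatch")
        if onmatch is None:
            continue  # RuleGroup, rule fields such as <Image>, etc.
        if onmatch == "exclude" or len(element) > 0:
            enabled.add(element.tag)
    return enabled


def coverage_report(config_xml):
    """Map each recommended data source to True/False, or None when Sysmon cannot provide it."""
    enabled = enabled_event_types(config_xml)
    return {source: (None if event_type is None else event_type in enabled)
            for source, event_type in DATA_SOURCE_TO_SYSMON.items()}


def missing_sources(config_xml):
    """Sorted list of data sources the configuration will not produce."""
    return sorted(s for s, ok in coverage_report(config_xml).items() if ok is False)


if __name__ == "__main__":
    labels = {True: "covered", False: "MISSING", None: "needs PowerShell logging, not Sysmon"}
    for source, ok in coverage_report(SAMPLE_CONFIG).items():
        print(f"{source:32} {labels[ok]}")
```

In the sample, the empty RegistryEvent include block is the trap worth remembering: the element is present, so a grep would report it, yet no registry events are logged. That is why the check looks at the rules under each block rather than at the block's presence.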


Playbook and case study

Hunt Actions

Date        Action
30/08/2019  Research, get information from the IT client and set up the lab environment
02/09/2019  Set up the lab environment and research
03/09/2019  Looking for Event IDs 4100, 4103 and 4104
04/09/2019  Looking for Event IDs 200, 400, 500, 501 and 800
05/09/2019  Try a new Sysmon configuration to log more events

Hunt Findings

Date        Detail
03/09/2019  ***********************
04/09/2019  ***********************
05/09/2019  **********************

Mitigations

It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. When PowerShell is necessary, restrict PowerShell execution policy to administrators and to only execute signed scripts. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. (Citation: Netspi PowerShell Execution Policy Bypass) Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.

Code Signing: Set PowerShell execution policy to execute only signed scripts.

Disable or Remove Feature or Program: It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.

Privileged Account Management: When PowerShell is necessary, restrict PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.


Playbook and case study

Final Conclusions

Date: 10/09/2019
Time spent: 30 hours
Has the hypothesis been confirmed? No. [X] Partially. Yes.
Triggers another hunt? No. [X] Yes.
Constraints or difficulties while executing? The systems don't collect all PowerShell information in the logs.

Hunter Notes
1. Explore the data produced in the lab environment with the analytics above and document what normal looks like from a PowerShell perspective. Then take the findings and explore in the production environment.
2. If execution of PowerShell happens all the time in your environment, then categorize the data collected by business unit or department to document profiles more efficiently.

Activity Logs? Partial
Client Info: *****
Suggested Use Case: *****
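The two hunter notes describe a baselining step: record what normal PowerShell looks like, per business unit, and then look at what falls outside it. The following Python is an added example of that step, not code from the deck. It assumes records mirroring Microsoft-Windows-PowerShell/Operational Event ID 4104 (ScriptBlockText) that have already been enriched with the user's department from an asset inventory; the sample records are constructed, and the normalisation rules (case, whitespace, GUIDs and numbers masked) are my choice so that repeated administrative tasks count as one block.

```python
"""Baseline script-block activity per department and surface the rare blocks.

Added example, not from the CyberCamp19 deck. Record shape and sample data are
assumptions: Event ID 4104 records enriched with a Department field.
"""
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample records (not real telemetry).
EVENTS = [
    {"Computer": "IT-WS01", "User": "CORP\\it_admin", "Department": "IT",
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
    {"Computer": "IT-WS01", "User": "CORP\\it_admin", "Department": "IT",
     "ScriptBlockText": "Get-Service |  Where-Object  Status -eq 'Running'"},
    {"Computer": "IT-WS02", "User": "CORP\\it_ops", "Department": "IT",
     "ScriptBlockText": "get-service | where-object status -eq 'running'"},
    {"Computer": "IT-WS02", "User": "CORP\\it_ops", "Department": "IT",
     "ScriptBlockText": "Get-EventLog -LogName System -Newest 50"},
    {"Computer": "IT-WS01", "User": "CORP\\it_admin", "Department": "IT",
     "ScriptBlockText": "Get-EventLog -LogName System -Newest 100"},
    {"Computer": "FIN-WS07", "User": "CORP\\alice", "Department": "Finance",
     "ScriptBlockText": "Get-ChildItem \\\\fileserver\\reports"},
    {"Computer": "FIN-WS09", "User": "CORP\\carol", "Department": "Finance",
     "ScriptBlockText": "Get-ChildItem \\\\fileserver\\reports"},
    {"Computer": "FIN-WS07", "User": "CORP\\alice", "Department": "Finance",
     "ScriptBlockText": r"Start-Process -FilePath C:\Users\alice\AppData\Local\Temp\setup.exe"},
]

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
NUMBER_RE = re.compile(r"\b\d+\b")


def normalize(script):
    """Fold case and whitespace and mask values that change per run, so the same
    administrative task executed with different parameters counts as one block."""
    text = re.sub(r"\s+", " ", script.strip().lower())
    text = GUID_RE.sub("<guid>", text)
    return NUMBER_RE.sub("<n>", text)


def block_key(script):
    """Short stable identifier for a normalized script block."""
    return hashlib.sha256(normalize(script).encode()).hexdigest()[:12]


def build_baseline(events):
    """Return (department -> Counter of block keys, block key -> one example text)."""
    baseline = defaultdict(Counter)
    examples = {}
    for e in events:
        key = block_key(e["ScriptBlockText"])
        baseline[e["Department"]][key] += 1
        examples.setdefault(key, e["ScriptBlockText"])
    return baseline, examples


def department_profile(events):
    """Per department: (distinct blocks, total executions), the 'what normal looks
    like' record the hunter notes ask for."""
    baseline, _ = build_baseline(events)
    return {dept: (len(counter), sum(counter.values())) for dept, counter in baseline.items()}


def rare_blocks(events, max_count=1):
    """Blocks seen at most max_count times inside their own department; these are
    the candidates to review in the lab before moving to production."""
    baseline, examples = build_baseline(events)
    findings = []
    for dept, counter in baseline.items():
        for key, n in counter.items():
            if n <= max_count:
                findings.append((dept, n, examples[key]))
    return sorted(findings)


if __name__ == "__main__":
    print(department_profile(EVENTS))
    for dept, n, text in rare_blocks(EVENTS):
        print(f"[{dept}] seen {n}x: {text}")
```

Grouping by department is what makes the rare-block list short enough to read: the same Start-Process block would disappear into the noise of an IT workstation but stands out on a Finance one.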


Conclusions


Resources

Threat Hunting

https://github.com/0x4D31/awesome-threat-detection

https://posts.specterops.io/threat-hunting-with-jupyter-notebooks-part-1-your-first-notebook-9a99a781fde7

https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows

Sysmon

https://github.com/SwiftOnSecurity/sysmon-config

https://github.com/marcosd4h/sysmonx

PowerShell

https://attack.mitre.org/techniques/T1086/

https://github.com/PowerShellMafia/PowerSploit

https://github.com/samratashok/nishang

TaHiTI and MaGMa:

https://www.betaalvereniging.nl/wp-content/uploads/FI-ISAC-Use-Case-Framework-Full-Documentation.pdf

Sigma:

https://www.owasp.org/images/a/a8/GOD17-Sigma.pdf

Detection Lab:

https://github.com/clong/DetectionLab

SOF-ELK:

https://github.com/philhagen/sof-elk

HELK:

https://github.com/Cyb3rWard0g/HELK

Caldera:

https://github.com/mitre/caldera


THANK YOU

@loriendr @_CarlosCabal @CybercampES #CyberCamp19