
My “a-ha!” Moment
SANS THIR Summit
John Stoner
October 2019
# whoami > John Stoner
• GCIA, GCIH, GCTI
• 20+ years of cyber security experience
• Creator of SA-Investigator for Splunk
• Blogger on Hunting and SecOps
• Symantec → ArcSight → Splunk - Principal Security Strategist
• I’ve seen them all
• Loves The Smiths and all 80’s sadtimey music
• @stonerpsu

Training • Realistic • Competition • FUN!
Fast Forward Four Months

Why Do We Hunt?
What To Hunt For?
Models

With Great Power, Comes Great Responsibility
Thought and Planning Is Needed…
• Ask A Question
• Background Research
• Construct a Hypothesis
• Experiment
• Analyze and Draw Conclusion
• Report Findings
Ask A Question
• External Stimuli (News, Threat Intelligence, etc)
Questions To Ask
• What data sources have visibility into or at least reference FTP?
• What do data flows look like between sources and destinations?
Background Research
Identifying Communication Paths
Network Visibility
Host Visibility
Command Line Options - FTP Switches

http://www.nsftools.com/tips/MSFTP.htm
Construct a Hypothesis
Hypothesis - Exfiltration Over Alternative Protocol
• Data Exfiltration may occur via FTP
• ATT&CK Description: Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage.
https://attack.mitre.org/wiki/Technique/T1048
How Might We Confirm or Refute Our Hypothesis?
• Can we see commands being issued that are associated with FTP?
• What user accounts are being used in the FTP communications?
• During what times do these events occur?
• Are specific files being moved (up or down) with FTP?
Experiment
Network
• Time Series Analysis of src/dest Pairs
• Suricata
• Find FTP Sessions
• Drilling Into Fields for More Specificity
• Using Time Series Data to See Event Clusters
• First & Second Transmission
• Third & Fourth Transmission
Host
• Filename Stacking
• Commands Executed
• Parent Processes
Analyze and Draw Conclusions
What Did I Learn?
• Two Workstations were communicating to external IP 160.153.91.7
• Two Servers were only seen in Palo Alto traffic
• Adversary is using the ftp command on the workstations to exfiltrate data
• A filename with a .dll extension is used to obfuscate that a script is being called
• The same seven files were downloaded to two workstations on August 23
• PDF files were uploaded multiple times, probably because TopSecretYeast.pdf could not be uploaded (PAN:Threat shows blocked) on August 25
• Exfiltrated data is destined for a domain called hildegardsfarm.com
Was I Able To Confirm My Hypothesis?
• FTP was being used for exfiltration of Frothly data
• FTP was primarily used and was seen on three systems
• Scripted actions
  • Based on winsys32.dll files found with the -s argument in Sysmon
• Was not fully successful
  • Multiple attempts were seen, including an ftp open command
What Did You See First?

Report Findings
Visualize Your Hunt - FTP Exfiltration
[Diagram: FTP exfiltration map; nodes and labels recovered from the slide]
• Workstation wrk-btun (IP: 10.0.2.107) - Upload: topsecretyeast.pdf (blocked)
• Workstation wrk-klagerf (IP: 10.0.2.109) - FTP open hildegardsfarm.com
• Palo Alto Firewall (IP: 71.39.18.125)
• External host IP: 160.153.91.7, Domain: hildegardsfarm.com
• FTP Arguments Referenced: -i -s:winsys64.dll, -i -s:winsys32.dll, -i -s:singlefile.dll
• Download: dns.py, nc.exe, psexec.exe, python-2.7.6.amd64.msi, wget64.exe, winsys64.dll
• Upload: frothly_passwords.kdbx, 496 pdfs, topsecretyeast.pdf (aborted)
How Can I Operationalize My Hunt?
• Blacklist Domains and IP
• Establish baselines of communication between external and internal systems
• Monitor for data that is not expected to be on the network
• Monitor files of interest and their locations
• Monitor for odd arguments with commands
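As an added example (not from the talk, the BOTS data set, or any Splunk app), this Python turns the "odd arguments with commands" item into a check: it flags ftp.exe invocations whose -s: script file does not carry an expected extension (the hunt's finding was a script named winsys32.dll) and stacks the hits by script name and parent process. The event records, the parent process names and the set of "expected" extensions are constructed assumptions.

```python
import re
from collections import Counter

# Constructed Sysmon-style process-creation records (assumed shape; not BOTS data).
SAMPLE_EVENTS = [
    {"host": "wrk-btun", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\ftp.exe", "cmdline": "ftp -i -s:winsys32.dll"},
    {"host": "wrk-klagerf", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\ftp.exe", "cmdline": "ftp -i -s:singlefile.dll"},
    {"host": "wrk-admin", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\ftp.exe", "cmdline": "ftp -s:upload.txt files.corp.example"},
    {"host": "wrk-admin", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe winsys32.dll"},
]

# ftp.exe's -s:<file> switch runs the commands listed in <file>; that file is plain
# text, so a .dll name on it is the obfuscation the hunt found, not a real library.
SCRIPT_SWITCH = re.compile(r"(?:^|\s)-s:(?P<script>\S+)", re.IGNORECASE)
EXPECTED_SCRIPT_EXT = {".txt", ".ftp"}  # assumption: the baseline for this environment

def script_extension(path):
    """Lower-cased extension of the file named in -s:, or '' if it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def ftp_script_findings(events):
    """Flag ftp.exe runs whose -s: script file has an unexpected extension."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\ftp.exe"):
            continue
        m = SCRIPT_SWITCH.search(ev["cmdline"])
        if m is None:
            continue  # interactive ftp use; not scripted
        ext = script_extension(m.group("script"))
        if ext not in EXPECTED_SCRIPT_EXT:
            findings.append({"host": ev["host"], "parent": ev["parent"],
                             "script": m.group("script"), "ext": ext})
    return findings

def stack_by(findings, field):
    """Stacking: how often each value of `field` appears across the findings."""
    return Counter(f[field] for f in findings)

if __name__ == "__main__":
    for hit in ftp_script_findings(SAMPLE_EVENTS):
        print(hit)
```

Stacking by "parent" alongside "script" is what separates a one-off from the scripted, repeated pattern the hunt describes.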
MITRE ATT&CK Techniques Referenced
• Exfiltration Over Alternative Protocol – https://attack.mitre.org/techniques/T1048/
• Commonly Used Port – https://attack.mitre.org/techniques/T1043/
• Remote File Copy – https://attack.mitre.org/techniques/T1105/
• PowerShell – https://attack.mitre.org/wiki/Technique/T1086
• Scripting – https://attack.mitre.org/techniques/T1064/
• Data Encoding – https://attack.mitre.org/techniques/T1132/
Lessons Learned
• Started this Hunt for Data Exfiltration
  • It went on and on (and on…)
  • FTP was one hunt
  • DNS was another
• Found myself in the middle of a web application attack when hunting PowerShell Empire
  • Do these things connect?
  • Nope, different hunt
• Try to keep things chewable
• Avoid bright shiny objects
  • Don’t let them distract
Hunting Hypotheses
• PowerShell Empire
• Data Exfiltration Over FTP
• Data Exfiltration Over DNS
• Adversary Infrastructure
• Spearphishing Attachment
• User Execution
• Account Persistence
• Surviving a Reboot
• Clearing Audit Logs
• Suspicious User Agent Strings
• OSINT Gathering
• Lateral Movement
• Data Staging
MITRE ATT&CK - Taedonggang
• Credential Access is most glaring
  • Used Mimikatz (in memory)
  • https://attack.mitre.org/wiki/Technique/T1003
  • Do we have logging to provide insight into this?
• Privilege Escalation is light
  • Bypass User Account Control
  • https://attack.mitre.org/wiki/Technique/T1088
• Not a lot of Discovery seen to date
https://mitre.github.io/attack-navigator


My a-ha Moment
• Didn’t occur at the end of the 13 hunts
• Kicked in during my hunting in PowerShell
• Data set had not been examined in 4 months or so, almost starting fresh
• It isn’t something to be daunted by!

A single hunt does not create a complete picture

Couple of Parting Thoughts
• Mind The Gap
• Stay On Target
• Apply a Method to Your Hunt
• MITRE ATT&CK is great brain candy
• Operationalize your findings


Data Sets to Play With!!!
BOTS version 1
• https://www.splunk.com/blog/2018/05/10/boss-of-the-soc-scoring-server-questions-and-answers-and-dataset-open-sourced-and-ready-for-download.html
• Dataset - http://explore.splunk.com/BOTS_1_0_datasets
• Investigating with Splunk Companion App - https://splunkbase.splunk.com/app/3985/
BOTS version 2
• https://www.splunk.com/blog/2019/04/18/boss-of-the-soc-2-0-dataset-questions-and-answers-open-sourced-and-ready-for-download.html
• Dataset - https://events.splunk.com/BOTS_2_0_datasets
• Advanced APT Hunting Companion App - https://splunkbase.splunk.com/app/4430/
• https://www.splunk.com/blog/2019/06/07/boss-of-the-soc-bots-advanced-apt-hunting-companion-app-now-available-on-splunkbase.html
Thank You! John Stoner
@stonerpsu