Professional Documents
Culture Documents
Hunting and Detecting APT Attack
Hunting and Detecting APT Attack
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 2
BotConf Speaker history
• 2013 - My Name is Hunter, Ponmocup Hunter
• 2014 - Ponmocup Hunter 2.0 – The Sequel
• 2015 - LT: Creating your own CTI (in 3 minutes.. or 5 )
• 2016 - Advanced Incident Detection and Threat Hunting using
Sysmon (and Splunk)
• 2017 - LT: Sysmon FTW!
• 2018 - Hunting and detecting APTs using Sysmon and PowerShell
logging
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 3
Outline (remember, it’s a short 30min fast 40min talk)
• Introduction
• 3 techniques from MITRE ATT&CK
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 4
Motivation – why yet another talk?
• Positive feedback is always nice and encouraging
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 5
Motivation – why yet another talk?
• Positive feedback is always nice and encouraging
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 6
Motivation
the real one
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 7
Motivation
the real one
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 8
Motivation -- the real one
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 9
Motivation -- the real one
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 10
Motivation -- the real one
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 11
SIGMA… say what?
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 12
SIGMA… say what?
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 13
Are you ready for a change?
Source: https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-
Detection-And%20Evasion-Using-Science.pdf
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 14
Are you ready for a change?
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 15
Our setup
• ~25’000 hosts
• ~150 GB/day
• Event logs
• Windows
• Sysmon
• Powershell
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 16
ATT&CK is the new {APT,Cyber,AI,ML,blockchain,etc}
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 17
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 18
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 19
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 20
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 21
ATT&CKcon 2018
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 22
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 23
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 24
Data Sources & Event Logs
• Sysmon Sysmon
• PowerShell ScriptBlock Logging PS-SB
• PowerShell Transcript Logging PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 25
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 26
Outline
• Introduction
• 1st of 3 techniques from MITRE ATT&CK
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 27
WMI Event Subscription (Persistence)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 28
APT group named “Atomic Kittens”
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 29
WMI Event Subscription
Source: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 30
WMI Event Subscription
Source:
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 31
WMI Event Subscription
Source:
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 32
WMI Event Subscription
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 33
How noisy is the Sysmon WmiEvent?
> 90 days
> 270 EP’s
< 600 events
4 diff types
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 34
SIGMA
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 35
SIGMA
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 36
Outline
• Introduction
• 2nd of 3 techniques from MITRE ATT&CK
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 37
Logon Scripts (Persistence, Lateral Movement)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 38
APT group named “Cuddly Panda Bears”
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 39
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 40
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 41
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 42
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 43
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 44
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 45
Idea for detection
• Search for child processes of “userinit.exe”
• Exclude “explorer.exe” (normal)
• Exclude logon scripts (after baselining & vetting)
• Possibly a small number of other legitimate executables, but
feasible to enumerate and filter out
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 46
SIGMA
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 47
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 48
PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 49
Outline
• Introduction
• 3rd of 3 techniques from MITRE ATT&CK
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 50
PowerShell (execution)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 51
PowerShell (execution)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 52
APT group named “Magic Hound”
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 53
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 54
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 55
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 56
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 57
Here’s that list of strings…
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 58
SIGMA rule: Malicious PS keywords
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 59
“Low FP/high TP” vs. “noisy” events (90 days)
> > > YMMV !!! < < < not all strings are created equal
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 60
Renaming PS.exe
(evasion technique?)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 61
RETEFE Malware sample
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 62
DOC/macro copy/rename PS.exe to %TEMP%\rnd.exe
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 63
ProcessCreate Event from PS-renamed
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 64
Search for Description: Windows PowerShell
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 65
Idea for detection
• Search for processes with “Description: Windows PowerShell”
• Exclude “powershell.exe” (the legitimate one)
• Also exclude PowerShell ISE
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 66
Search for Description: PS without powershell.exe SIGMA
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 67
Search for Description: PS without powershell.exe SIGMA
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 68
Hello, world! My name is NOT powershell.exe
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 69
PowerShell Empire Stager
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 70
PS-SB
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 71
Idea for detection
• Search for any of 3 strings that are not obfuscated (performance reason)
$PSVERSionTaBle.PSVErSIOn.MAjoR
System.Management.Automation.Utils
System.Management.Automation.AmsiUtils
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 72
PS-SB
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 73
PS-Empire functions executed PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 74
PS-Empire functions executed (top 60 funct’s) PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 75
PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 76
Discovery > User enumeration – how many? PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 77
Unmanaged PowerShell
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 78
Get-TimedScreenshots
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 79
Get-TimedScreenshots
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 80
Using powershell.exe vs. unmanaged PS (PowerPick)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 81
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 82
Re-test after enabling FileCreate for rundll32.exe
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 83
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 84
PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 85
PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 86
Idea for detection
• Search PowerShell Transcript Files for “Host Application:”
which is NOT any of
• powershell.exe
• powershell_ise.exe
• wsmprovhost.exe
• and possibly very few others
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 87
SIGMA
PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 88
Unmanaged PowerShell
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 89
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 90
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 91
Start-ClipboardMonitor
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 92
PowerShell
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 93
Idea for detection
• Search for PowerShell EncodedCommands in command-lines
• Base64 decode EncodedCommand on the fly
• Search for known malicious strings / cmdlets in decoded commands
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 94
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 95
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 96
PowerPick
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 97
PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 98
Idea for detection
• Search for known malicious strings (code snippets, even comments)
in PowerShell ScriptBlock Logs and Transcript Files
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 99
SIGMA
PS-SB
PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 100
PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 101
Detecting known bad vs. hunting unknown
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 102
Obfuscate-Mimikatz.sh only random strings
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 103
Detection vs. Hunting
• So far we looked at known malicious strings or behaviors
• Now let’s hunt for the unknowns
• Enumerate legitimate PS script files and function names
Build a whitelist to filter out legitimate functions
• Search for rarest function names in PS logs (apply whitelist filtering)
• Use stacking, long tail analysis, LFO to find interesting stuff
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 104
Enumerate PS script files and function names
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 105
Enumerate PS script files and function names
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 106
Search for rarest PS script files
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 107
Search for rarest PS function names
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 108
Create whitelist lookup with known good
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 109
Create blacklist lookup with known bad
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 110
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 111
SIGMA rules (contributions coming soon…)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 112
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 113
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 114
Thanks for your attention!!
• Twitter: @c_APT_ure
• Blog: http://c-apt-ure.blogspot.com/2017/12/is-this-blog-still-alive.html
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 115