BLUE TEAM VILLAGE - Endpoint Monitoring: With Free, and Open Source tools!

Video thumbnail (Frame 0) Video thumbnail (Frame 1986) Video thumbnail (Frame 3057) Video thumbnail (Frame 5605) Video thumbnail (Frame 6768) Video thumbnail (Frame 7806) Video thumbnail (Frame 9987) Video thumbnail (Frame 10921) Video thumbnail (Frame 12190) Video thumbnail (Frame 13744) Video thumbnail (Frame 15002) Video thumbnail (Frame 15823) Video thumbnail (Frame 17229) Video thumbnail (Frame 18124) Video thumbnail (Frame 20063) Video thumbnail (Frame 20975) Video thumbnail (Frame 21999) Video thumbnail (Frame 23317) Video thumbnail (Frame 25585) Video thumbnail (Frame 28204) Video thumbnail (Frame 30933) Video thumbnail (Frame 32934) Video thumbnail (Frame 34964) Video thumbnail (Frame 35938) Video thumbnail (Frame 37532) Video thumbnail (Frame 38600) Video thumbnail (Frame 39864) Video thumbnail (Frame 41619) Video thumbnail (Frame 43134) Video thumbnail (Frame 44536) Video thumbnail (Frame 46126) Video thumbnail (Frame 49926) Video thumbnail (Frame 50741) Video thumbnail (Frame 51711) Video thumbnail (Frame 54604) Video thumbnail (Frame 59273) Video thumbnail (Frame 60877) Video thumbnail (Frame 61720)
Video in TIB AV-Portal: BLUE TEAM VILLAGE - Endpoint Monitoring: With Free, and Open Source tools!

Formal Metadata

BLUE TEAM VILLAGE - Endpoint Monitoring: With Free, and Open Source tools!
Alternative Title
Open Source Endpoint Monitoring
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
There is a rising trend within Threat actors to find newer, more effective and stealthy ways to attack and gain persistence in a network. One way to achieve this is by abusing legitimate software such as Windows Management Instrumentation and PowerShell. This is the case for Living Off the Land and Fileless threats. By using these techniques, attackers can distribute their malicious code bypassing software whitelisting and avoid antivirus detection. A method to detect these threats is by monitoring endpoints activity. However, this option comes with many challenges that range from getting enough system’s activity information to handle hundreds of events per second. In our research, we analyze this monitoring method and the design challenges involved in it. Furthermore, we propose a solution that aims to detect and alert when advance threats are identified in a system. In order to provide an endpoint monitoring system free of any vendor lock-in, this solution combines the capabilities of different open source projects as well as free tools. These include, Sysmon for monitoring system activity, Elastic Stack (ELK) to store and search the collected data, ElastAlert to trigger alarms and the Sigma Project to define the rules for the alarms. This highly customizable solution would enable organizations to hunt for threats inside their network or create rules that would automatically detect specific threats upfront.
Revision control Freeware Open source Software Open source Right angle Freeware
Intel Data management Presentation of a group Word Firewall (computing) Software testing Software testing Information security Information security
Context awareness Context awareness Service (economics) Proxy server Electronic mailing list Computer network Public domain Product (business) Antivirus software Arithmetic mean Data management Software Cuboid Right angle Encryption Physical system
Building Counting Product (business) Physical system
Windows Registry Filter <Stochastik> Scripting language Scripting language Scaling (geometry) Block (periodic table) Software developer Computer file Physical law Projective plane Login Event horizon Revision control Goodness of fit Event horizon Order (biology) Gastropod shell Modul <Datentyp> Configuration space Configuration space Block (periodic table) Information security Physical system Physical system
Parsing Open source Projective plane Data storage device Configuration space Bit Physical system
Beat (acoustics) Context awareness Thread (computing) Multiplication sign Water vapor Event horizon Centralizer and normalizer Malware Automation Physical system Installation art Parsing Information Projective plane Feedback Stack (abstract data type) Uniform resource locator Arithmetic mean Word Event horizon Integrated development environment Personal digital assistant Query language Order (biology) Window Elasticity (physics)
Software bug Building Matching (graph theory) Computer file Multiplication sign Expert system Data storage device Rule of inference Frequency Pattern matching Exterior algebra Type theory Frequency Query language Personal digital assistant Different (Kate Ryan album) Elasticity (physics) Pattern language Damping Freeware
Rule of inference Sigma-algebra Computer file Sigma-algebra Projective plane File format Rule of inference Repository (publishing) Different (Kate Ryan album) Website Software framework Procedural programming Computing platform Physical system
Scripting language Execution unit Bit rate Personal digital assistant Execution unit Software testing Software framework Bit Game theory Automation Simulation Rule of inference
Emulator Bit rate Insertion loss Rule of inference Event horizon Physical system
Inheritance (object-oriented programming) Observational study Hazard (2005 film) Workstation <Musikinstrument> Trojanisches Pferd <Informatik> Trojanisches Pferd <Informatik> Shareware Power (physics) Word Personal digital assistant Different (Kate Ryan album) Internetworking Semiconductor memory Process (computing) Macro (computer science)
Thread (computing) Macro (computer science) Physical system
Scripting language Word Process (computing) Inheritance (object-oriented programming) Cloud computing Moving average Office suite Right angle Line (geometry) Perspective (visual) Entire function
Observational study Sigma-algebra Computer file Inheritance (object-oriented programming) Multiplication sign Binary code Water vapor Event horizon Field (computer science) Revision control Medical imaging Process (computing) Personal digital assistant Moving average Video game console Right angle Office suite Data type
Scripting language Workstation <Musikinstrument> Moment (mathematics) 1 (number) Principle of maximum entropy Price index Rule of inference Event horizon Theory Power (physics) Delay differential equation Type theory Process (computing) Semiconductor memory Different (Kate Ryan album) MiniDisc Right angle Series (mathematics) Block (periodic table) Macro (computer science) Computer worm Physical system
Wechselseitige Information Inheritance (object-oriented programming) Thread (computing) Code MIDI Parameter (computer programming) Login Rule of inference Emulation Twitter Revision control Latent heat Semiconductor memory Programmable read-only memory Ranking Library (computing) Formal grammar Scripting language Software bug Execution unit Information Twin prime Block (periodic table) Interior (topology) Content (media) Price index Cartesian coordinate system System call Mathematics Event horizon Bargaining problem Normed vector space Gastropod shell Design of experiments
Scripting language Suite (music) Functional (mathematics) Shared memory Rule of inference Event horizon Exploit (computer security) Power (physics) Process (computing) Personal digital assistant Different (Kate Ryan album) Semiconductor memory Network topology Remote procedure call Information security
Digital filter Observational study View (database) Cellular automaton Bit Mereology Event horizon Trigonometric functions Shareware Power (physics) Mechanism design Walther-Meissner-Institut für Tieftemperaturforschung Process (computing) Semiconductor memory Object (grammar) Physical system
Stapeldatei Data management Computer file Moment (mathematics) Right angle Object (grammar) Event horizon Task (computing)
Data management Walther-Meissner-Institut für Tieftemperaturforschung Process (computing) Computer file Personal digital assistant Binary code Configuration space Object (grammar) Parity (mathematics) Information security Physical system Task (computing)
Walther-Meissner-Institut für Tieftemperaturforschung Process (computing) Multiplication sign Flowchart Software testing Mereology Event horizon Rule of inference Physical system
Rule of inference Group action Information Sigma-algebra Moment (mathematics) Sampling (statistics) Incidence algebra Unit testing Rule of inference Architecture Subject indexing Latent heat Casting (performing arts) Software Personal digital assistant Flowchart Information Traffic reporting Computing platform
Scripting language Proxy server Binary code Cartesian coordinate system Shareware Twitter Proof theory Sign (mathematics) Personal digital assistant Blog Cuboid Proxy server Proof theory
Scripting language Computer file File format Computer-generated imagery Order (biology)
Scripting language Slide rule Existence Multiplication Computer file Ferry Corsten File format Multiplication sign Binary code Event horizon Frequency response Subject indexing Frequency Cross-correlation Location-based service Proxy server Physical system
Revision control Scripting language Slide rule Slide rule Block (periodic table) Code Information security Product (business) Shareware Twitter Physical system Power (physics)
Scripting language Filter <Stochastik> Namespace Order (biology) Namespace Login Event horizon
Existential quantification Computer file Namespace Moment (mathematics) Fitness function Virtual machine Drop (liquid) Ext functor Event horizon Frequency Message passing Data management Walther-Meissner-Institut für Tieftemperaturforschung Internet service provider Window Task (computing) Physical system
Trail Multiplication sign Disintegration Density of states Insertion loss Event horizon Scalability Visualization (computer graphics) Rootkit Flag Software framework Configuration space Office suite Logic gate Physical system Scripting language Information Moment (mathematics) Projective plane Bit Price index Limit (category theory) Scalability System call Shareware Process (computing) Hash function Visualization (computer graphics) Network topology Order (biology) Right angle Table (information) Freeware
Context awareness Reading (process) Presentation of a group Freeware Open source Multiplication sign Sigma-algebra Open source Stress (mechanics) Mathematical analysis Sheaf (mathematics) Theory Incidence algebra Scalability Scalability Sign (mathematics) Software QR code Cuboid Freeware Physical system
Reading (process) Radical (chemistry) Mobile app Server (computing) Game controller Blog Open source Public domain Series (mathematics) Entire function Physical system
all right these are the hardcore people right you guys are here at 5 o'clock to come here this this is really cool is it six no it's 6:20 this is what happens so anyways we have okay I'm gonna I'm gonna butcher his name but I have to look it up again and I'm still gonna do it wrong Rick van Joon that's wrong I know he's told me that's the American version of it so he thinks he and Leandro Velasco are gonna talk about and see I got that one right okay well come on guys that was easier right we are gonna talk about endpoint monitoring with free and open source software there's gonna be a great talk I'm looking forward to this so hi guys thanks so welcome to our talk on endpoint monitoring using free and open source software as discussed before my
name is Rick Van Dyne which is way different but for American purposes I'm van Jun now I work as a pen tester I'm that dude and the security researcher we work at a company called dare bites and we do everything from pen testing up until policy monitoring firewall management's just IT security in the broadest sense of the word I give this presentation together with my colleague liane de Velasco which is
very easily pronounceable and for English speakers he's according to our HR department he's a threat Intel analyst and the security researcher and does not have profile picture so why do we need endpoint
monitoring I would like to give a short introduction on the on the use of it and some reasons why you need to be thinking about your endpoint monitoring before somebody else does so antivirus is
currently being bypassed left and right it's getting increasingly more easy to infect the system without antivirus being annoying to us there's lots of EDR mumbo-jumbo passing around so service managers product managers and sales dudes are looking at Gartner so you need to think about it before they do a network monitoring is getting increasingly more difficult it's great let's encrypt is very popular meaning that most of the traffic's nowadays is encrypted that also means that if you're just doing network monitoring you'll see less and less and less or you need to rely on a lot of threat Intel which is Ely by passable as discussed before in the writer talk you seen that the pyramid of pain like tracking just domains and IPS might be not so effective so we also think they're currently boring a lot of analyst to death with context lists alerts so there's lots of blinky boxes doing saying there's an alert there's something going wrong and there's no real context there sometimes they put like one packet and so this is the packet the alert fired on and that's it so that's not that much to go on and it's really hard to then determine okay is this something and what's the context so I think that's the motivation for us to be doing this and we were thinking we're sitting in room and we were thinking okay is there
a product there do we build something the thing is like we were engineers so we like to build things so we thought okay we're building something we need to have some data we need to figure out something and then they all started complaining because we needed
requirements so them requirements we yeah I just said we need this but that doesn't count according to to the academic approach leo has so we had some
requirements so one of the first things was okay we need a way to gather system activity data so we needed a way to gather data from the system and see some of the system activity user activity commands being
run so we looked at PowerShell script log logging which allows you to if you're version 5 shells new enough allows you to actually log all PowerShell commands that are being executed which is really great because you you will see lots of laws it's also has a downside you will see lots of lots and next to the whole PowerShell thing and we decided to go with this month which will allow you to block things like registry key creation w my event filters being created dll's being loaded you can actually view almost anything happening on a system which is pretty amazing however in order to do that you
actually want to have a good config in order to know what you're logging because you could literally log anything but that would like if you're using like a traditional seemeth you would probably kill it with a couple of hosts next to that not all data is as relevant as the next so there's two major projects currently in in development there's the Swift home security config which is pretty great to start with it's based on like a lot of events or new research or threats being disclosed and then they update the config to log the new things and it locks things in a very broad sense so you get some more data which is really good because you can see a lot for those of you who are stuck with a solution that yeah you need to pay per event or you need to pay per megabyte stored you might want to look at the project all of hartong is doing he's a Dutch dude and he's been working on a modular system config that allows you to only log what you already think is like evil so it it scales down the the amount of events you have it will also maybe limit you in looking back in the in the past obviously but for those of us that have to pay per megabytes parsed in our system it's a very interesting project but as I said before we chose to go twist thank
you thank you Swift for this great configuration we modified it a little bit we're logging some other things we've added some things and we'll be submitting a pull request to the project and hope to improve it that's one of our goals so as I've said before we have we gather system data but gathering data is not enough so we need to have the ability to actually collect that and
parse and store that centrally so one of the things many people think about when talking about open source will be elastic so we're just using elastic in
this case we're using Venice Beach to gather all the data we're using lost I still you ingest it put it into lastik Cabana to look at it we had some great feedback by our friend Eric Eric's not here right now but thank you Eric to use the windows event for water we haven't actually played with that but for those of you working in a corporate environment it might be nice so using the windows event for order will allow you to use a GPO to push all your data to one central system install window beat there and it will help you ingest it into your elastic stack which is one less agent to run on all of your hosts so that might be nice for our projects just installing wheel of beat everywhere wasn't really an issue so I will now give the mic to my friend okay thank you
very much Rick so up until now we have like a nice pipeline we have we are gathering information from the systems using Sigma and skilled pure Logan we are shipping the data to a central location in that location we were parsing we are like rich in the data and we can display it using qivana but so we can do threat hunting because we have nice context we have the means to query we have the means to visualize using nice ash words but we don't want to do that manually all the time we want to provide some means to automate certain scenarios let's say like after analyst fine a nice scenario like a thread or the particular malware say okay this is nice this is a quality finite but I'd want to do it every time the same query I want to have like a way to have an alarm yeah that's it so there ways to implement that and elastic pro I want but we chose a
different one we chose to use a last alert because it's free it's really powerful and it's quite flexible and simple basically allow it allow us to do like alerts based on pattern matching so when certain query is found or triggers or give us a match in elastic search it will create an alarm but also it allow us to do more advanced alarms based on frequency for example or when distant events happen in the same whole store using the same domain or isn't the same user for example so it's allow us to do pretty much anything well that we need as I mention before electic provides I mean to do that it's called what it was called watcher now it's called expert but you need to pay for that so this is a nice alternative for for that's it
then we have way to three alarms but we want to write the rules in a way that we can share with the rest of the community because it's great but if you want to every time we're building knife rules will identify a lot of use cases or different interesting scenarios and we want to share with our colleagues or whatever we don't want to transform us into another like file or we don't want to reprocess our data or do it from scratch so we need to find a way that is standard and shareable so for that we
using Sigma Sigma is a really cool project made by Florian Roth Thank You Man and basically it's you write files in llamo and it's really easy it's human readable it has a simple schema you need to follow and it allow us to transform from that schema into different systems such as our site and I will show you a picture later also one of the biggest benefit of this repository is that a lot of people really contribute a lot of rules based on the mighty attack that you may have here it's a really nice framework it provides a lot of insight into techniques and procedures that the taggers are using so if you build a rule based on that you're you're going for like not just a simple detection you're going for a detection of a technique it's something more advanced and a lot of people really build some rules and those are polish in the Sigma repository so as I was mentioning before we have
Sigma from Sigma we can compile the rules into different platform we are using elastic I left a lot but you can do that to keep an accurate oxide spanked and there are a few more okay so
now we have alarms we have the rules we have a way to share the rules with the rest of the community and a way to transform those rules into whatever you're using but we want to test that how can we test out how can we test that after we modify rule we don't break it and still work so we need to have a way to do automatic unit tests so for our using Red Team automation in this case
an RTF from the end game company is a really nice one Fred canary also provides a framework such as this one but we chose red team automation because it's a bit more simplistic it's based on Python so you have like small scripts that they are trying to emulate certain attacks and you can build them as complex as you want or as simple as you want so for our framework it works pretty well and another reason is that rating automation
is so hot right now right okay here we
have the complete system as we were talking about the different component but before moving forward I want to give you like a refresh because like we have been talking a lot so well written automation with rating automation with emulate and with create event in the system with this one we parse this event or we actually monitor with generate events that will be gathered by builder bid ship - laughs - loss - we'll pass them and reach them and storing lattic elasticsearch then we have the Sigma rules here that will be compiled into a left alert rose and Elif dollar will be querying constantly elasticsearch looking for certain scenarios to trigger right those alarm will be displayed by Keanu UNK even also allow us to do threat hunting basically manually but enough of talk
let's do some demo because we don't want to bother you so the way we yeah well we
plant the the demos we have three different case studies we we're gonna analyze different fruits the first one
is about the station basically this MOT station is like a station for a motel that is based on work this warble is a hazard macro that will spawn Cindy Cindy will spawn a power show this parish hall will download this trojan from internet and executed directly from memory so the
idea is to first infect us then analyze the the sample or analyze the thread in our system and show that the alarm works so for the first one we have okay
let's hope it works okay so because I
really accept the editing of macro you don't see the banner here but trust me it did work no work hey you up no no I was just kidding just kidding alright alright so basically
because of this Mon we can see the
entire process creation or process 3 so on this side for you will be like the
left-hand side we have the parent and the right-hand side we have the the child so here we can see how we word execute CMD also I want you two to look
at this in deep and see what's going on here you can see there is a lot of a vocation right so what happened here is that somebody used in both the suffocation from Daniel Johan on these are really cool okay cool for the red team perspective right and it's a script that allows you to you give like a remote creation or like you like a common line and off of Katie like these and we talked with
Daniel and he confirmed that this is 100% invoked ossification quite cool is this is the first time we this is seen in the while because it's not that far since he Provost this his research but how can we detect this right because it's hard so for this because he's the first case study we're gonna use a simple approach and this is why windward is actually calling CMD I mean that's not normal I mean why is doing that right so let me show you how we create the Sigma role so you get into our mindset so this is Sigma is a Yama file you can see easy is human readable you have some documentation the most important thing here is we have we need to give some fields in this case is even ID one this means process creation so we are strapped in the next one say like look at this event ID then we provide a parent image in this case we are giving like the office suite because it's not only water we are interesting but we are also interested in like Excel PowerPoint whatever because none of those should spawn and any of these here we have some suspicious binaries I mean why win were should be calling a C over 32 right thank you much okay so after we compile this and there's not much fun to show you the compiled version because it's hard to read we load that into a lot alert and
we hope that it works and yeah it did
work so what is interesting here is that did trigger when when this event happened but also we have another rule that trigger when simply calls PowerShell that's not a really strong indication but together with the wind with the wing were calling cindy and simply calling powershell that becomes something more interesting so the idea here like if an analyst say this tool like something fishy going on right okay let me move you to the next case die okay now we're going to talk about Unicorn station this unicorn sticker is a tool to generate stickers based on PowerShell and the interesting thing of this one is that it takes a different type of payload such as powered CrowdStrike Empire meterpreter and embed that into a series of PowerShell commands heavily associated encoding Bay City for and the payload never touched the disk and goes directly into memory and for a unicorn started directly from it so what is important is that we can expect that in a certain moment power show will be executed will to unlock a mem copy because that's a way to place things in memory right okay let me get infected so we can analyze so something interesting I would a unicorn Adi Pro or it allows different delivery methodologies so one is a theory but you can also embed this into macro dde or different ones it says ongoing work is really amazing so here you can see that it is working some PowerShell happening and okay so again here we have our
system and we can see the the process creation so here we can see MST a
calling : PowerShell and again we see a
lot of application and encoded commence off from this alone it's hard to determine what's going on we might have some indication that something fishy going on because it's not normal to collect so many power source code con Mitchell but also please take a look at this this is strange basically what's happening here is a powerful trend to avoid calling PowerShell using the argument encoded because a lot of tools are looking for for that in particular so the way is doing it if I set in value that's why we have SV and get value somewhere here here and it's constructing own memory the PowerShell encoding c'mon so this is one way to detect such a thread will be like hey look at this this is quite unique I mean it's not that common to see this in a powershell execution but the prom with that approach is that it's quite simplistic to bypass you just need to add a comma or another carrot or whatever and your rule doesn't work anymore so this rule is simple it works pretty well for that a specific version but it's easy to bypass so we're going to think of something better how can we I mean what is the underline tactical what what is the the attacker trying to do really so as I mentioned before is trying to place some content into memory and execute it directly from there the problem is that this one doesn't allow us to see this information likely as Rick mentioned before we have a PowerShell script block login and we can see way more with that so this is what we can see this is
basically what PowerShell is trying to do one of those in Kali common end up executing this one of the interesting thing here is that is loading manually the cannot 32 DLL and is calling functions directly from this DLL such as wittle log read read mmm set so if we create a rule that is looking for these keywords we have a dictation right what is important to make it clear for you is that if
PowerShell is calling that as a command it's not PowerShell as a process calling this function is is literally the commands in the command line so let me show you the rule here so in this case interview soon event one that's for this month we're using four one zero for that if for remote execution and we have a bunch of functions of keywords we've dropped this keyword from my tree different eye Empire different Suites that do like a possible tation such as power sploit and the year that they are all share this idea of injecting things in memory and security so when we see that a PowerShell engine is up there is a PowerShell script that is security or calling these functions directly we might have in this case we create these we compile
it and here you can see that it is working so we call it the memory sexual comment let's again we have unicorn physic version and if we take a look at this tool like this is really fishing okay let me show you the last okay study
this a bit I so quite interesting and we want to have like a spin-off we modify part of this demo today thanks to so tell you that we were analyzing a minor let's call it was minor and the interesting thing of this calls minor is that it achieves persistency am using the view of my object so basically what it does it raise a WMI filter that will be looking for a particular event in the system and when that even happen it would trigger at the view of my consumer this consumer has pre-programmed an action such as cosine d of star power cell or even a skewed this javascript and when it calls a different command we will do it via this process so also if you execute a remote command using do rio mi see this process will be in charge of executing such a command so there you heard we would monitor this and we will monitor this event so we
create a batch file so worried what's
happening at the moment is first we are setting we are creating these objects we create the filter that will be looking for the task manager that's what we triggered this event because we want to show you that it's working and the consumer is instructed to call notepad and as you can see is actually working here because we started task manager and then how can we detect that right so we have a bunch of - were here yep so where
we what we did first was to modify this is a small configuration file because the one provided by switch on security doesn't allow have to do aw my monitoring so we might say that and now we can see the creation of objects so first one we see this one this is most interesting one because it's like okay why this consumer is trying to call CMD and then call powershell with an incall the command here we can see the filter I was talking about so basically is waiting for the task manager creation so this is one approach but in alone it's not the strong because it could be something that is happening normally in the system this is a little bit strange but that's it if not also we want to monitor this process because this process will be calling something suspicious in this case this process is calling CMD that will call powershell double called notepad so what we did was to create those two alarms and let me show
you one of those so here we are monitoring what this process is calling and when this person is calling one of these binaries which are an alarm in this case the monitor when given 2030 secretion of WMI object has as a target so this destination of this is the consumer calling something one of these so a few can expect it works because we
test this several times so you have your resistant and EMI calling so is sufficient problem okay so I will give
the voice back to Rick so as shown before we we have the technology to actually do this however just having a system that does this for you does not mean that you don't have to do anything I think the most important part of having the ability to see all this is having a process and the team behind it that's actually capable of translating threats to actual work there's like the WMI event consumer that's the trick described a minor that's fun but you need to translate that to an actual detection rule so you can do something with it so we had a couple of discussions internally and we had many many different flowcharts and then we decided to not have a big one
here to not try it often are you so how would this actually work in yeah if you implement this I would say you you wait for some info Technos an incident happening at your company new information being released a report on some apt group and the first thing you do is you try to understand what's actually happening the moment you do you can start searching back in your own network have I ever seen this before because that might also be interesting to know and if you don't you can go and look for a way on how to emulate it so make your own way of emulating the threat or maybe get a sample executed see what's happening so that could help create at least hunt and if you get a really great hunt you can evoke the let it evolve and eventually create like a nice detection rule and you can and in the end have something implemented which will allow you to automatically detect the specific threats so it's not like something you put in immediately it's something that has to has to evolve so for those of you who don't like flowcharts we made
another one with them with pictures so the thing how it will actually work so let's say you found something you found your your hunts perfect and you made a nice Sigma I hope Sigma rule because we can all benefit from that the first thing you do is you generate joules for your platform which in our case is like a last Lert but it cost me Splunk or I don't know oxide or something that will put any then we'll be keep searching on our elastic cast stack you can then ultimate or do a unit test of all your rules using retinal automation and any well that will obviously generate some logging the logger will put we put into the elastic stack a last layer will hopefully find whatever you are trying to do and put that into the alarms index so you will be able to review that alarm so how would we actually how would this actually work so let's say you wake up one morning and Matt Graber thinks of
another thing and you have to handle it so this was while we were doing this research this was a tweet by Matt graver describing an application whitelisting bypass that would allow you to execute months using some sign to Windows binary so the great thing of this this research was actually that only 20% of the blog focused on exploitation and about 80% focused on defense so that already does a lot of work for you so that's lucky and it's also lucky for the demo so it describes a way to actually but execute and bypass the application whitelisting and it also came with a nice box Oh a nice proof concept in this case I think it executed something right or at least it does in our demo so what we did is we actually created a Red Team automation script for this which will
allow us to well execute scribbly food
yes that's the name which what it does drops a XSL file and then tries to
execute that using venerable CVS and the thing is there's like four or five or four ways to call it and there's two different files you can actually use to exploit this so there's now eight being popped up for those as you are very interested I can show later how it look sorry so first thing there's two files there's the WS m TX t + WS m PT y dot x SL x SL which need to be created in order to to have the file it's an XML ish format which has which is you can embed some JavaScript that there are VB script which will allow you to execute however that on his own wouldn't be enough so
you need to actually see something because just alerting all the the existence of like XSL file would be a bit silly so the thing is there's
actually a pretty particular way you need to call this so the venerable CBS needs to be in the command line because we can't modify that file and and as you can see you can see C script don't EXO / windward dot exit so the vinner m script verifies if c script of x is somewhere in its command line but it doesn't have to be the binary that calls it so if you would just look at the binary name you would actually get bypass and the same goes for all these formats there's like four different ways to call it now the RTA file helped us actually figure that out so what would be nice is have the ability to actually correlate these two events so we have to loose alarms and well we could use a human to do that but then you get very bored analysts and that's not so nice so what we did is we created something for this because elasticsearch does not allow for correlation alas alert also does not allow for correlation so we invented something called ghetto correlation which is correlation for people who don't have fancy systems what we actually did is we use we look at our own alerts index and we use the frequency function within a last alert to see okay can we get to scribbly fool related alarms on the same system within X period of time and then you could be it would be able to actually correlate which is great because as mentioned earlier by Leandro there are some events that are suspicious but not enough to actually alert all but you could actually add like a suspicious tag and have like okay there's multiple suspicious events on the same system within an hour or one minute doesn't really matter so you could actually like gain something from from all those like quirky things that are not necessarily bad but you might want to do something about so ghetto correlation might be for you well and the funny thing was this morning we woke up and Mac Raber and I think Lee homes published their slides on suffering system which actually kinds of defeats the purpose of the whole thing so we were looking at that and it's actually pretty cool because they were actually pretty good at subverting it so
we didn't make a full demo of this and it might fail but the thing is it turns out that this mom sorry dude so this was
this tweet I woke up to this thing it's not very nice and then we looked at the slides there are multiple ways of subverting system or there's also a lot of ways to subvert like powershell script log logging but the fun thing is you can actually look for this version if attempts which also are a regular user is not going to try and subvert say small or powerful script block logging that's weird so what we did we looked at it so what
happens is the the way see small logs the event consumers or any event filters and all the things is actually by looking at a very one specific namespace so what the guys did was actually create a script that adds another namespace and that hosts the active trip consumer so then the script consumer will still like filter and execute things but this one doesn't detect anything anymore so we looked at that in order to figure out oh
wait there's a get up too so for those of you want to play with that and where are you it's not in there so so as we
said we just built this like an hour
before the talk so so we're reusing their POC and as you can see there's
like if task manager opens W my file droplet ext gets created it's just we needed to execute something we actually stole their pox or no credit there but the thing is we started looking at that so what is how could we even detect this is there any possibility if the fitness because we checked it doesn't lock the creation of the WMI events consumer or any of those so what what is there what's there is limited but might be interesting as you can see there is a Windows event ID 63 message event message that says that the new provider was registered in a new namespace so we looked at that and we with this machine has been running for like a couple of months now and if you start looking at that and you do a Windows Update you get a hailstorm of alarms so it won't work if you update systems but if you get one lonely one and we could do something with frequency there again you might be able to detect the fact that something's happening on that system it at least it's interesting to look at at the moment you see other weird events but the reason we put it in there was not that not just to say like our system kind of works on that but more the fact that you will be able to like literally sit in the back of a room somebody tweets something and within an hour have something something to look at I'm not saying it's like the most robust solution but because you're you can move pretty quickly it's pretty nice so enough positive let's talk about the
limitations so yeah it's all great it's amazing however
there are some caveats or there at least some things that we haven't fully explored so there are some things that might be interesting to improve on and I
think the main thing would be to look at scalability and robustness of the entire system and we know the elastic stack can handle lots of lots of data so that shouldn't be a problem however for our project we haven't tried so it might fail obfuscation is an issue we showed the demo with a motet invoked ossification by Daniel Bohannon is pretty cool currently the system doesn't really handle that so what you could do is at ingestion time try to enrich your events by detecting obfuscation and say like oh this looks office catered so I have a flag or something or maybe even try to do fish gate I know there is a PowerShell script that for the invoke invoke invoke obfuscation that's meant for bow show so there is an invoke D obfuscation for that for the DOS sophistication however there isn't one but it might be very interesting to look at that to have something that at ingestion time will fix that for you looking at all the commands and things are nice however what if somebody just drops a binary that executes the command and is gone that might be tricky and you might lose sight of what's happening actually so there might still be nice at ingestion time also enrich your invents with threat intelligence information such as we're just looking at simple hashes I mean if it's there why not do it Cubana has a vague framework which allows you to actually create your own visualizations which would allow you to have fancy things free analysts like maybe have a process tree or call stack all those things so you could actually visualize that a bit better and not have to look at like a table with all the things in there I mean fine for me but some people like pretty pictures there's been a lot invested into say small coffee tampering and PowerShell scribble logging evasion or disabling of it I think that's actually great it's very good to see that people are actually investing time into that so it's good I think it means you're on the right track right all attackers and red teams are now looking into ways to subvert that so I think we still need to look at the subversion attempts in order to determine that it's happening and I mean the moment that happens you lose visual visibility but the the fact that somebody's trying to disable PowerShell script log logging might be a strong indication of something weird going on anyway and the last thing would be bringing around land there are people now like dropping their own run DLL 32 but names blog don't waddle exa which kind of defeats most of those detection because they're all based on names and that doesn't work anymore so that might be an issue so in conclusion I think
this whole endpoint monitoring with free and open source software really works Wow who would've guessed that I will say that but it does allow for experimentation without a budget it's very easy to start and there's no licensing cost it's flexible scalable we think and it will give you and your analyst a pretty fun time trying to figure out all the things that are happening so you can go from an incident to a hunt with alarm pretty quickly as shown with with the system on subversion thing you can give your analysts more complex than the blinky box with its bad sign and it can also get your analyst very enthusiastic about new red teaming attacks because it's not just a new attack you have to wait for an update so your system really detects something but you would have the ability I should do something so figure out what it does figure out how it works and then try and stop it and that makes for happy and skilled analysts so that's what that's our presentation if any of you will want to
do anything with this we uploaded all our books the coalface the Sigma things to get help just trust the QR code there's no goatee there I promise you you can also read our paper because this is all based on a paper called final stress analysis and the section just review it if you have any questions or any comments like you up here or you did this wrong or I have done it better please let us know we want to learn so does anybody have
any questions do it in the back so we actually tried and we had like 40 Meg's a day but it might be worse if you're using like a server or terminal server a domain controller that might be way more any other questions that's all of blog I guess is it recent blog series I don't know might be the the one by Olaf he focused a lot on tuning it down so if you have a system that that like you have the paper you prevent or you just don't have the ability it's stored too much look at his coffee it's really nice and it like narrows things down and he made like an entire blog series on it some how to do that and how to work with it and he made a nice Splunk app to hunt and stuff he's really good any other questions nope okay thank you guys Oh [Applause]