BLUE TEAM VILLAGE - Endpoint Monitoring: With Free, and Open Source tools!
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Alternative Title |
| |
| Title of Series | ||
| Number of Parts | 322 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/39820 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 26159 / 322
18
27
28
40
130
134
164
173
177
178
184
190
192
202
203
218
219
224
231
233
234
235
237
249
252
255
268
274
287
289
290
295
297
298
299
302
306
309
312
315
316
00:00
FreewareOpen sourceOpen sourceSoftwareRevision controlRight angleFreewareComputer animation
01:19
Information securitySoftware testingIntelData managementWordFirewall (computing)Presentation of a groupSoftware testingInformation securityValue-added networkIntelComputer animation
02:02
Proxy serverContext awarenessComputer networkEncryptionAntivirus softwareArithmetic meanContext awarenessData managementElectronic mailing listRight anglePublic domainProduct (business)SoftwarePhysical systemService (economics)CuboidEncryptionComputer animation
03:44
Product (business)BuildingCountingPhysical systemScripting languageComputer animation
04:31
LoginPhysical systemScripting languageBlock (periodic table)Windows RegistryPhysical systemPhysical lawGastropod shellEvent horizonBlock (periodic table)Scripting languageFilter <Stochastik>Revision controlOrder (biology)Walther-Meissner-Institut für TieftemperaturforschungLoginComputer animation
05:12
Computer fileConfiguration spacePhysical systemEvent horizonEvent horizonProjective planeConfiguration spacePhysical systemModul <Datentyp>Order (biology)Scaling (geometry)Goodness of fitInformation securitySoftware developerComputer animation
06:39
Projective planePhysical systemBitConfiguration spaceParsingData storage deviceOpen sourceComputer animation
07:17
Event horizonParsingStack (abstract data type)Elasticity (physics)Event horizonCentralizer and normalizerWindowProjective planeIntegrated development environmentFeedbackInstallation artPhysical systemCASE <Informatik>Order (biology)Water vaporBeat (acoustics)Computer animation
08:08
InformationUniform resource locatorMultiplication signMalwarePhysical systemThread (computing)AutomationWordArithmetic meanContext awarenessQuery languageScripting language
09:10
Type theoryFrequencySoftware bugPattern matchingData storage devicePattern languageExpert systemQuery languageMatching (graph theory)FrequencyExterior algebraElasticity (physics)FreewarePhysical systemComputer animation
10:00
Multiplication signDifferent (Kate Ryan album)BuildingComputer fileDampingRule of inferenceCASE <Informatik>Projective planeSigma-algebra
10:33
Rule of inferenceFile formatSigma-algebraSoftware frameworkComputer fileWebsiteRepository (publishing)Different (Kate Ryan album)Projective planePhysical systemSigma-algebraRule of inferenceProcedural programmingComputer animation
11:29
Sigma-algebraRule of inferenceDifferent (Kate Ryan album)Computing platformCASE <Informatik>Execution unitShared memoryComputer animation
12:05
AutomationSimulationSoftware testingExecution unitBit rateScripting languageBitSoftware frameworkGame theoryEvent horizonPhysical systemEmulatorInsertion lossRule of inferenceParsingSigma-algebraThread (computing)Data storage deviceComputer animation
13:23
WordTrojanisches Pferd <Informatik>Process (computing)Inheritance (object-oriented programming)SharewareCASE <Informatik>Different (Kate Ryan album)Observational studyTrojanisches Pferd <Informatik>InternetworkingWorkstation <Musikinstrument>Power (physics)Semiconductor memoryHazard (2005 film)Macro (computer science)WordComputer animation
13:59
Physical systemThread (computing)Macro (computer science)Computer animation
14:40
Cloud computingMoving averageOffice suiteEntire functionProcess (computing)Inheritance (object-oriented programming)WordLine (geometry)Right angleScripting languagePerspective (visual)Uniform resource locatorComputer animation
15:33
Moving averageData typeVideo game consoleSigma-algebraMedical imagingOffice suiteCASE <Informatik>Inheritance (object-oriented programming)Revision controlRight angleField (computer science)Water vaporBinary codeMultiplication signComputer fileEvent horizonProcess (computing)Observational studyWord
17:03
Block (periodic table)Scripting languageTouch typingCASE <Informatik>Series (mathematics)AnalogyRule of inferenceDifferent (Kate Ryan album)Moment (mathematics)1 (number)Computer wormEvent horizonType theoryMiniDiscWorkstation <Musikinstrument>Semiconductor memoryPower (physics)Macro (computer science)TheoryPrice indexPrinciple of maximum entropyDelay differential equationRight angleComputer animation
18:48
Software bugLibrary (computing)Normed vector spaceGastropod shellExecution unitRankingInheritance (object-oriented programming)Event horizonFormal grammarMIDIWechselseitige InformationEmulationMathematicsTwin primeDesign of experimentsBargaining problemInterior (topology)Process (computing)Physical systemSystem callCodeRevision controlBlock (periodic table)Latent heatSemiconductor memoryLoginRule of inferenceThread (computing)Content (media)Programmable read-only memoryTwitterParameter (computer programming)Scripting languageInformationPrice indexCartesian coordinate systemComputer animation
20:37
Rule of inferenceFunctional (mathematics)VirtualizationDifferent (Kate Ryan album)Exploit (computer security)CASE <Informatik>Suite (music)Semiconductor memoryProcess (computing)Information securityScripting languageRemote procedure callPower (physics)Event horizonNetwork topologyShared memory
21:57
Mechanism designDigital filterCASE <Informatik>InjektivitätSemiconductor memoryObservational studyEvent horizonProcess (computing)View (database)Power (physics)Object (grammar)BitSharewareWalther-Meissner-Institut für TieftemperaturforschungTrigonometric functionsCellular automatonMereologyPhysical systemSystem callComputer animation
23:19
StapeldateiComputer fileMoment (mathematics)Event horizonData managementRight angleTask (computing)Object (grammar)Computer animation
23:58
Parity (mathematics)CASE <Informatik>Process (computing)Physical systemComputer fileInformation securityObject (grammar)Task (computing)Configuration spaceData management
25:01
Event horizonWalther-Meissner-Institut für TieftemperaturforschungProcess (computing)Binary codeCASE <Informatik>Object (grammar)Computer programMultiplication signSoftware testingComputer animation
25:44
Rule of inferenceEvent horizonPhysical systemMereologyWalther-Meissner-Institut für TieftemperaturforschungProcess (computing)FlowchartDataflowDifferent (Kate Ryan album)
26:35
InformationInformationRule of inferenceTraffic reportingIncidence algebraMoment (mathematics)FlowchartSoftwareSampling (statistics)Latent heatGroup actionComputer animation
27:45
Rule of inferenceArchitectureRule of inferenceUnit testingSigma-algebraCASE <Informatik>Computing platformCasting (performing arts)Subject indexingStack (abstract data type)
28:45
Proxy serverProof theoryScripting languageCuboidCASE <Informatik>SharewareCartesian coordinate systemBlogTwitterBinary codeProof theoryProxy serverSign (mathematics)Window
29:41
Computer-generated imageryComputer fileScripting languageFile formatOrder (biology)Computer animationSource code
30:45
Location-based serviceComputer fileExistenceFrequency responseScripting languageCross-correlationFrequencyPhysical systemSubject indexingSlide ruleEvent horizonFile formatBinary codeFerry CorstenMultiplicationProxy serverMultiplication signSharewareElasticity (physics)Functional (mathematics)Computer animation
33:17
CodeSlide ruleProduct (business)Information securitySharewareScripting languageSlide rulePower (physics)Block (periodic table)Revision controlTwitterPhysical system
33:50
NamespaceScripting languageLoginNamespaceOrder (biology)Event horizonFilter <Stochastik>Latent heatComputer animation
34:28
WindowNamespaceDrop (liquid)Message passingWalther-Meissner-Institut für TieftemperaturforschungEvent horizonVirtual machineFrequencyTask (computing)Computer fileFitness functionInternet service providerData managementExt functorMoment (mathematics)Physical systemExistential quantificationComputer animationSource code
36:24
ScalabilityDisintegrationVisualization (computer graphics)Configuration spaceRootkitLimit (category theory)Multiplication signBitScripting languageOffice suiteTable (information)Hash functionPrice indexInformationSystem callInsertion lossSharewareEvent horizonScalabilityNetwork topologyFreewareVisualization (computer graphics)Physical systemOrder (biology)Moment (mathematics)Right angleSoftware frameworkTrailProjective planeLogic gateFlagProcess (computing)Computer animation
39:31
ScalabilityOpen sourceFreewareTheoryContext awarenessSigma-algebraFreewareCuboidScalabilityPresentation of a groupPhysical systemSoftwareIncidence algebraSign (mathematics)Open sourceMultiplication signFigurate numberContext awarenessComputer animation
40:35
Reading (process)Sigma-algebraQR codeStress (mechanics)Sheaf (mathematics)Mathematical analysis
41:09
Reading (process)Open sourceMobile appSeries (mathematics)BlogPhysical systemGame controllerPublic domainRadical (chemistry)Server (computing)Entire functionEvent horizonComputer animation
Transcript: English(auto-generated)
00:00
All right, these are the hardcore people, right? You guys are here at five o'clock to come here. This is really cool. Is it six? No. It's six twenty? This is what happens. So anyways, we have, okay, I'm gonna butcher his name, but I have to look it up again.
00:27
And I'm still gonna do it wrong. Rick Van June. That's wrong, I know. He's told me that's the
00:42
American version of it. So, he thinks so. He and Leandro Velasco are gonna talk about, and see I got that one right. Come on guys, that was easier, right? We are gonna talk about endpoint monitoring with free and open source software. This is gonna be a great talk, I'm
01:01
looking forward to this. So, hi guys. Thanks. So, welcome to our talk on endpoint monitoring using free and open source software. As discussed before, my name is Rick Van Duyen,
01:23
which is way different, but for American purposes, I'm Van June now. I work as a pen tester, I'm that dude, and a security researcher. We work at a company called Darebytes, and we do everything from pen testing up until policy, monitoring, viral
01:41
management, just IT security in the broadest sense of the word. I give this presentation together with my colleague, Leandro Velasco, which is very easily pronounceable for English speakers. He's, according to our HR department, he's a threat intel analyst, and a security researcher, and does not have profile picture. So, why do we need endpoint monitoring? I
02:07
would like to give a short introduction on the use of it, and some reasons why you need to be thinking about your endpoint monitoring before somebody else does. So, antivirus is currently being bypassed left and right. It's getting increasingly more easy to
02:23
infect system without antivirus being annoying to us. There's lots of EDR mumbo-jumbo passing around, so service managers, product managers, and sales dudes are looking at Gartner, so you need to think about it before they do. And network monitoring is getting increasingly
02:42
more difficult. It's great. Let's Encrypt is very popular, meaning that most of the traffic nowadays is encrypted. That also means that if you're just doing network monitoring, you'll see less and less and less, or you need to rely on a lot of threat intel, which is easily bypassable. As discussed before in the MITRE talk, we've seen that the pyramid of
03:03
pain, like tracking just domains and IPs, might be not so effective. So, we also think you're currently boring a lot of analysts to death with context-less alerts, so there's lots of blinky boxes doing, saying there's an alert, there's something going wrong, and
03:22
there's no real context there. Sometimes they put like one packet, and so this is the packet the alert fired on, and that's it. So, that's not that much to go on, and it's really hard to then determine, okay, is this something, and what's the context? So, I think that's the motivation for us to be doing this, and we were thinking, we were
03:44
sitting in a room, and we were thinking, okay, is there a product there? Do we build something? The thing is, like, we're engineers, so we like to build things, so we thought, okay, we're building something, we need to have some data, we need to figure out something, and then Leomolu started complaining, because we needed requirements. So,
04:05
then requirements, we, yeah, I just said we need this, but that doesn't count, according to the academic approach Leo has. So, we had some requirements, so one of the first things was, okay, we need a way to gather system activity data. So, we needed a
04:22
way to gather data from the system and see some of the system activity, user activity, commands being run. So, we looked at PowerShell script log logging, which allows you to, if your version of PowerShell is new enough, allows you to actually log
04:40
all PowerShell commands that are being executed, which is really great, because you will see lots and lots. It also has a downside, you will see lots and lots. And next to the whole PowerShell thing, we decided to go with Sysmon, which will allow you to log things like registry key creation, WMI event filters being created, DLLs being loaded. You can
05:06
actually view almost anything happening on a system, which is pretty amazing. However, in order to do that, you actually want to have a good config in order to know what you're logging, because you could literally log anything, but that would, like, if you're using
05:25
like a traditional C, you would probably kill it with a couple of hosts. Next to that, not all data is as relevant as the next. So, there's two major projects currently in development. There's the Swift on security config, which is pretty great to start with.
05:44
It's based on, like, a lot of events or new research or threats being disclosed. And then they update the config to log the new things. And it logs things in a very broad sense. So, you get some more data, which is really good, because you can see a lot. For those of you who are stuck with a solution that, yeah, that you need to pay per event or
06:06
you need to pay per megabyte stored, you might want to look at the project Olof Hartung is doing. He's a Dutch dude, and he's been working on a modular system config that allows you to only log what you already think is like evil. So, it scales down the
06:23
amount of events you have. It will also maybe limit you in looking back in the past, obviously. But for those of us that have to pay per megabyte parsed in our system, it's a very interesting project. But, as I said before, we chose to go with Swift. Thank
06:41
you. Thank you, Swift, for this great configuration. We modified it a little bit. We're logging some other things. We've added some things. And we'll be submitting a pull request to the project and hope to improve it. That's one of our goals. So, as I've said before, we have, we gather system data. But gathering data is not
07:04
enough. So, we need to have the ability to actually collect that and parse and store that centrally. So, one of the things many people think about when talking about open source would be elastic. So, we're just using elastic in this case. We're using
07:21
to gather all the data. We're using to ingest it, put it into elastic, to look at it. We had some great feedback by our friend Eric. Eric's not here right now, but thank you, Eric. To use the Windows Event Forwarder. We haven't actually played with
07:41
that, but for those of you working in a corporate environment, it might be nice. So, using the Windows Event Forwarder will allow you to use a GPO to push all your data to one central system, install Winlock beat there, and it will help you ingest it into your elastic stack, which is one less agent to run on all of your hosts. So, that might be
08:01
nice. For our project, just installing Winlock beat everywhere wasn't really an issue. So, I will now give the mic to my friend. Okay, thank you very much, Rick. So, up until now, we have like a nice pipeline. We have, we are gathering information from the systems using Sysmon and the script log in. We are shipping the data to our central
08:23
location, and in that location, we are parsing, we are like, enriching the data, and we can display it using Kibana. But, so, we can do thread hunting, because we have nice context, we have the means to query, we have the means to visualize using nice dashboards, but we don't want to do that manually all the time. We want to provide some
08:44
means to automate certain scenarios. Let's say like after an analyst finds a nice scenario, like a thread or a particular malware, okay, this is nice, this is a query to find it, but I don't want to do it every time, the same query. I want to have like a way to
09:02
have an alarm. Yeah, that's it. So, there are ways to implement that, and elastic provide one, but we chose a different one. We chose to use a last alert, because it's free, and it's really powerful, and it's quite flexible and simple. Basically, allow, it allow us to, to do like alerts based on pattern matching, so when certain query is found,
09:25
or it triggers, or give us a match in Elasticsearch, it will create an alarm. But also, it allow us to do more advanced, uh, alarms based on frequency, for example, or when distant events happen in the same host, or using the same domain, or using the same user,
09:42
for example. So, it allow us to do pretty much anything well that we need. Um, as I mentioned before, elastic, elastic provides, I mean to do that, it's called, it was called Watcher, now it's called Xbox, but you need to pay for that. So, this is a nice alternative for, for that system. Then, we, we, we have a way to trigger alarms, but
10:05
we want to write the rules in a way that we can share with the rest of the community, because it's, it's great, but if you want to, every time we are building nice rules, we identify a lot of use cases, or different interesting scenarios, and we want to share with our colleagues, or whatever, we don't want to transform us into
10:22
another, uh, like, file, or, or, or, we don't want to reprocess our data, or do it from scratch. So, we need to find a way that is standard and shareable. So, for that, we're using Sigma. Sigma is a really cool project made by Florian Roth, thank you man. Um, basically, it, it's, you write files in YAML, and it's really easy,
10:44
it's human readable, it has a simple schema that you need to follow, and it allows us to transform from that schema into different systems, such as ArcSight, and I will show you a picture later. Also, one of the biggest benefits of this, uh, repository is that a lot
11:03
of people really contribute a lot of rules based on the MITRE attack, that you may have here is a really nice framework, it provides a lot of insight into techniques and procedures that the attackers are using, so if you build a rule based on that, you're, you're going for like a, not just a simple detection, you're going for a detection of a
11:22
technique, it's something more advanced, and a lot of people already build some rules, and those are published in the Sigma repository. So, as I was mentioning before, we have Sigma, from Sigma we can compile the rules into different platforms, we are using elastic, elastic alert, but you can do that to Kibana, Qradar, ArcSight, Splank, and
11:41
there are a few more. Okay, so now we have alarms, we have the rules, we have a way to share the rules with the rest of the community, and it's a way to transform those rules into whatever you're using, but we want to test that, how can we test that, how can we test that after we modify a rule, we don't break it and it still works, so we need to
12:02
have a way to do automatic unit tests, so for that we're using Red Team Automation, in really nice one, Red Canary also provides a framework such as this one, but we chose Red Team Automation because it's a bit more simplistic, it's based on Python, so you have like, small scripts that they are trying to emulate certain attacks, and you can build them
12:25
as complex as you want, or as simple as you want, so for our framework it works really well, and another reason is that Red Team Automation is so hard right now, right? Okay, here we have the complete system, as we were talking about the
12:40
different components, but before moving forward, I want to give you like a refresh, because we have been talking a lot, so, for Red Team Automation, with Red Team Automation, we emulate, and we create events in the system, with this one, we parse this event, or we actually monitor, we generate events that will be gathered by WillowBit, shipped to Loftash, Loftash will parse them, and reach them, and
13:03
store them in Elasticsearch, then we have the sigma rules here, that will be compiled into LS Alert rules, and LS Alert will be querying constantly Elasticsearch looking for certain scenarios to trigger, right? Those alarm will be displayed by Kibana, and Kibana also allow us to do thread hunting, basically manually, but enough of talk,
13:24
let's do some demos, because we don't want to bother you. So, the way we, yeah, we planned the demos, we have three different case studies, we're going to analyze different threads, the first one is Emotestation, basically this Emotestation is like a
13:42
station for Emotet, that is based on a word, this word has a macro, that will spawn CMD, CMD will spawn a PowerShell, this PowerShell will download this trojan from internet, and execute it directly from memory. So, the idea is to first infect us,
14:03
then analyze the sample, or analyze the thread in our system, and show that the alarm works. So, for the first one, we have, okay, let's hope it works. Okay, so, because I already
14:21
accept the editing of macro, you don't see the banner here, but trust me, it did work. You hope. Yeah. Okay, okay, it's not working. Hey, you're up. No, no, it's working, sorry, just kidding, just kidding. All right. All right. So, basically, because of
14:43
Sysmon, we can see the entire process creation, or process three. So, on this side, for you will be like the left-hand side, we have the parent, and the right-hand side, we have the child. So, here we can see how Windward executes a CMD. Also, I want you to look at
15:12
the location, right? So, what happened here is that somebody invoked the location from Daniel. This is a really cool, okay, cool for the red team perspective, right? And it's a
15:27
script that allows you to, you give like a remote creation, or you give like a common line, and it obfuscated like this. And we talked with Daniel, and he confirmed that this is 100% invoked the location. It's quite cool, this is the first time, this is
15:42
seen in the wild, because it's not that far since he published his research. But how can we detect this, right? Because it's hard. So, for this, because it's the first case study, we're going to use a simple approach, and that is why Windward is actually
16:02
calling CMD. I mean, that's not normal, I mean, why is doing that, right? So, let me show you how we create the Sigma rule, so you get into our mindset. So, this is Sigma, it's a YAML file, you can see it's easy, it's human readable. Here we have some documentation. The most important thing here is, we have, we need to give some
16:23
fields, in this case it's event ID 1, this means process creation, so we are instructing the next one, say like, look at this event ID. Then, we provide the current images. In this case, we are giving like the office suite, because it's not only word that we are interested in, but we are also interested in like Excel, PowerPoint,
16:41
whatever, because none of those should spawn in any of these. Here we have some suspicious binaries, I mean, why Windward should be calling C or 32, right? Thank you much. Okay, so, after we compile this, and it's not much fun to show you the
17:01
compiled version, because it's hard to read, we load that into alert, and we hope that it works. And, yeah, it did work. So, what is interesting here is that, it didn't trigger when this event happened, but also we have another rule that triggers when CMD calls PowerShell. That's not a really strong indication, but together with the Windward calling
17:25
CMD, and CMD calling PowerShell, that becomes something more interesting. So, the idea here, like, if an analyst sees this tool, it's like, hmm, something efficient is going on, right? Okay, let me move you to the next case study. Okay, now we are going to talk
17:41
about Unicorn Stager. This Unicorn Stager is a tool to generate stagers based on PowerShell. And, the interesting thing of this one is that it takes different types of payloads, such as CrowdStrike, Empire, Metaproter, and embeds that into a series of PowerShell commands, highly obfuscated, encoding basically for, and the payload never
18:05
touches the disk. It goes directly into memory, and the unicorn starts that directly from it. So, what is important is that we can expect that in a certain moment PowerShell will be executed. Virtual analog and then copy, because that's the way to place things in memory, right? Okay, let me get infected, so we can analyze. So, something
18:28
interesting about the unicorn is that it allows different delivery methodologies. So, one is HTA, but you can also embed this into macro, DDE, or different ones. It's an ongoing work, it's really amazing. So, here you can see that it is working, some
18:46
PowerShell is happening. Okay, so again, here we have our system, and we can see the process creation. So, here we can see MSTA calling PowerShell. And again, we see a lot of
19:08
obfuscation and encoding commands. So, from this alone, it's hard to determine what's going on. We might have some indication that something fish is going on, because it's not normal to have so many PowerShells calling each other. But also, please take a
19:21
look at this. This is strange. Basically, what's happening here is that PowerShell is trying to avoid calling PowerShell using the argument encoded, because a lot of tools are looking for that in particular. So, the way it's doing it is by setting value, that's why we have SV, and get value somewhere here, here, and it's constructing on memory the
19:44
PowerShell encoded command. So, this is one way to detect such a thread will be like, hey, look at this, this is quite unique, I mean, it's not that common to see this in a PowerShell execution. But the problem with that approach is that it's quite simplistic to bypass. You just need to add a comma or another correct or whatever, and your rule
20:03
doesn't work anymore. So, this rule is simple, it works really well for that specific version, but it's easy to bypass. So, we need to think of something better. How can we, I mean, what is the underlying tactic? What is the attacker trying to do, really? So, as I mentioned before, it's trying to place some content into memory and
20:24
execute it directly from there. The problem is that Sysmon doesn't allow us to see this information. Likely, as Rick mentioned before, we have a PowerShell script log login, and we can see way more with that. So, this is what we can see. This is basically what
20:41
PowerShell is trying to do. One of those encoded commands end up executing this. One of the interesting things here is that it's loading manually the KML32 DLL and it's calling functions directly from this DLL, such as virtual log, create thread, and memset. So, if we create a rule that is looking for these keywords, we have a detection, right?
21:03
What is important to make it clear for you is that PowerShell is calling that as a command. It's not PowerShell as a process calling this function. It's literally the commands in the command line. So, let me show you the rule here. So, in this case, instead of using event one, that's for Sysmon, we're using for 104, that's for remote
21:26
execution, and we have a bunch of functions of keywords. We extract these keywords from Mitre, different empire, different suites that do like post exploitation, such as powersploit, and the idea that they all share this idea of injecting things in memory
21:45
and executing. So, when we see that a PowerShell engine is, there is a PowerShell script that is securing or calling these functions directly, we might have a trigger. In this case, we
22:00
create this, we compile it, and here you can see that it is working. So, we call it the memory injection command. Again, we have a unicorn specific version, and if we take a look at this tool, we're like, hmm, this is really phishing. Okay, let me show you the last case study. This is a bit, it's quite interesting, and we're going to have like a
22:22
spinoff, we modify part of this demo today, thanks to Matt, Matt Grevo. So, the idea that we were analyzing a miner, it's called GhostMiner, and the interesting thing of this GhostMiner is that it achieves persistency using WMI objects. So, basically what it
22:40
does, it creates a WMI filter that will be looking for a particular event in the system, and when that event happens, it will trigger a WMI consumer. This consumer has pre-programmed an action, such as call CMD, or start PowerShell, or even execute this JavaScript. When it calls a different command, it will do it via this process. So, also, if
23:06
you execute a remote command using WMI C, this process will be in charge of executing such a command. So, we will monitor this, and we will monitor this event. So, for that, we
23:23
create a batch file. So, what's happening at the moment is, first, we are setting, we are creating these objects, we create the filter that will be looking for the task manager. We trigger this event because we want to show you that it's working, and the
23:43
consumer is instructed to call Notepad, and as you can see, it's actually working here, because we started task manager. And then, how can we detect that, right? So, we have a bunch of dash work here. So, what we did first was to modify the system, the
24:07
configuration file, because the one provided by security doesn't allow us to do WMI monitoring. So, we modified that, and now we can see the creation of objects. So, first one, we see this one. This is the most interesting one, because, like, okay, why this consumer is trying to call CMD and then call PowerShell, and then call the
24:24
command. Here, we can see the filter that I was talking about. So, basically, it's waiting for the task manager creation. So, this is one approach, but in a lot of cases, it's not that strong, because it could be something that is happening normally in
24:43
the system. This is a little bit strange, but that's a different approach. Also, we want to monitor this process, because this process will be calling something suspicious. In this case, this process is calling CMD, that we'll call PowerShell, that we'll call Notepad. So, what we did was to create those two alarms, and let me
25:03
show you one of those. So, here we are monitoring what this process is calling, and when this process is calling one of these binaries, we trigger an alarm. In this case, we monitor when, in the event 20, that is the creation of WMI object, has, as a
25:25
target, so this is the destination of the consumer calling something, one of these. So, as you can expect, it works, because we test this several times. So, here's the system, and we call it a sufficient program. Okay, so I will give the voice back to
25:48
Rick. So, as shown before, we have the technology to actually do this. However, just
26:00
having a system that does this for you does not mean that you don't have to do anything. I think the most important part of having the ability to see all this is having a process and a team behind it that's actually capable of translating threat to actual work. Like the WMI event consumer, that's a trick described in MITRE, that's
26:21
fun, but you need to translate that to an actual detection rule so you can do something with it. So, we had a couple of discussions internally, and we had many, many different flow charts, and then we decided to not have a big one here, to try not to annoy you. So, how would this actually work? If you implement this, I would
26:45
say you wait for some infosec news, an incident happening at your company, new information being released, a report on some APT group, and the first thing you do is you try to understand what's actually happening. The moment you do, you can start
27:00
searching back in your own network, have I ever seen this before? Because that might also be interesting to know, and if you don't, you can go and look for a way on how to emulate it. So, make your own way of emulating the threat, or maybe get a sample, execute it, see what's happening. So, that could help create at
27:20
least a hunt, and if you get a really great hunt, you can let that evolve, and eventually create like a nice detection rule, and you can, in the end, have something implemented which will allow you to automatically detect a specific threat. So, it's not like something you put in immediately, it's something that has to
27:41
evolve. So, for those of you who don't like flowcharts, we made another one, but done with pictures. So, the thing, how it will actually work, so let's say you found something, you found your hunt's perfect, and you made a nice sigma, I hope you found a sigma rule, because we can all benefit from that. The first thing
28:02
you do is you generate rules for your platform, which in our case is like the last alert, it could also be Splunk, or, I don't know, ArcSight or something. That will be keep searching on our elastic stack. You can then automate or do a unit test of all your rules using retio automation, and
28:24
any, well, that will obviously generate some logging, the logging will be put into the elastic stack, the last alert will hopefully find whatever you're trying to do, and put that into the alarms index, so you will be able to review that alarm. So, how would we actually, how would this actually
28:43
work? So, let's say you wake up one morning, and Matt Graber thinks of another thing, and you have to handle it. So, this was, while we were doing this research, this was a tweet by Matt Graber describing an application whitelisting bypass that would allow you to execute
29:01
commands using some signed Windows binary. So, the great thing of this research was actually that only 20% of the blog focused on exploitation, and about 80% focused on defense, so that already does a lot of work for you, so that's lucky, that's also lucky for the demo. So, it describes a way to actually execute and bypass the application
29:26
whitelisting, and it also came with a nice POC, so a nice proof concept, in this case, I think it executed somewhere at COG, or at least it does in our demo. So, what we did is we actually created a retio
29:41
automation script for this, which will allow us to, well, execute quibbly-foo, I guess that's the name, which, what it does, it drops a xsl file, and then tries to execute that using vignerm.vbs, the thing is, there's like four ways to call it, and there's two
30:04
different files you can actually use to exploit this, so there's now eight COG's being popped up, for those of you who are very interested, I can show you later how eight COG's work, sorry, so,
30:22
first thing, there's two files, there's the wsmtxt, and wsmpty.xsl, which need to be created in order to have the file, it's an XML-ish format, which has, which you can embed some JavaScript
30:40
in there, or vbscript, which will allow you to execute, however, that on its own wouldn't be enough, so you need to actually see something, just alerting on the existence of like a xsl file would be a bit silly, so the thing is, there's actually a pretty particular way you need to call this, so the vignerm.cbs needs
31:02
to be in the command line, because we can't modify that file, and as you can see, you can see cscript.exe slash winword.exe, so the vignerm script verifies if cscript.exe is somewhere in its command line, but it doesn't have to be the binary that calls it, so if you would just look at the binary name,
31:23
you would actually get bypassed, and the same goes for all these formats, there's like four different ways to call it, the rta file helped us actually figure that out, so what would be nice is to have the ability to actually correlate these two events, so we have two loose alarms, and we could
31:40
use a human to do that, but then you get very bored analysts, and that's not so nice, so what we did is we created something for this, because elasticsearch does not allow for correlation, elast alert also does not allow for correlation, so we invented something called ghetto correlation, which is correlation for people who don't have
32:03
fancy systems, what we actually did is we look at our own alerts index, and we used a frequency function within elast alert to see, okay, can we get two squibbly-foo related alarms on the same system within x period of time,
32:22
and then you would be able to actually correlate, which is great, because as mentioned earlier by Leandro, there are some events that are suspicious, but not enough to actually alert them, but you could actually add like a suspicious tag and have like, okay, there's multiple suspicious events on the same system within an hour or one minute,
32:41
doesn't really matter, so you could actually gain something from all those quirky things that are not necessarily bad, but you might want to do something about, so ghetto correlation might be for you, and the funny thing was, this morning we woke up, and Matt Graber and I think
33:03
Lee Holmes published their slides on subverting Sysmon, which actually kind of defeats the purpose of the whole thing, so we were looking at that, and it's actually pretty cool, because they were actually pretty good at subverting it, so we didn't make a full demo of this, and it might fail, but the thing is, it turns out
33:24
that Sysmon, oh sorry dude, so this was this tweet, I woke up to this thing, which is not very nice, and then we looked at the slides, there are multiple ways of subverting Sysmon, there's also a lot of ways to subvert like PowerShell script block logging, but the fun thing is, you can actually look for
33:40
the subversion attempts, which also are, a regular user is not gonna try and subvert Sysmon or PowerShell script block logging, that's weird, so what we did is we looked at it, so what happens is, the way Sysmon logs the event consumers, or any event filters and all the things, is actually by looking at a very,
34:01
one specific name space, so what the guys did was actually create a script that adds another name space, and that hosts the active script consumer, so then, the script consumer will still like filter and execute things, but Sysmon doesn't detect anything anymore, so we looked at that in order to figure out, oh wait, there's a GitHub too,
34:22
so for those of you who want to play with that, where are you, it's not in there, so, as we said, we just built this like an hour before the talk, so we're reusing their POC, and as you can see,
34:43
there's like, if task manager opens WMI file, drop.txt gets created, it's just, we needed to execute something, we actually stole their POC, so no credit there, but the thing is, we started looking at that, so what is, how could we even detect this?
35:01
Is there any possibility of detecting this, because we checked, it doesn't log the creation of the WMI events consumer, or any of those, so what is there? What's there is limited, but might be interesting, as you can see, there is a Windows event ID 63 message,
35:21
event message, that says that a new provider was registered in a new name space, so we looked at that, and this machine has been running for like a couple of months now, and if you start looking at that, and you do a Windows update, you get a hail storm of alarms,
35:40
so it won't work if you update systems, but if you get one lonely one, and we could do something with frequency there again, you might be able to detect the fact that something's happening on that system, at least it's interesting to look at the moment but you see other weird events, but the reason we put it in there,
36:01
was not just to say like our system kind of works on that, but more the fact that you will be able to like literally sit in the back of a room, somebody tweets something, and within an hour, have something, something to look at, I'm not saying it's like the most robust solution, but because you can move pretty quickly, it's pretty nice,
36:22
so enough positive, let's talk about limitations, so yeah, it's all great, it's amazing, however, there are some caveats, or there are at least some things that we haven't fully explored,
36:40
and so there are some things that might be interesting to improve on, and I think the main thing would be to look at scalability and robustness of the entire system, we know the elastic stack can handle lots and lots of data, so that shouldn't be a problem, however, for our project, we haven't tried, so it might fail, obfuscation is an issue,
37:02
we showed the demo with Emotet, invoked obfuscation by Daniel Bohannon, it's pretty cool, currently the system doesn't really handle that, so what you could do is at ingestion time, try to enrich your events by detecting obfuscation, and say like, oh, this looks obfuscated, so I have a flag or something,
37:21
or maybe even try to de-obfuscate, I know there is a PowerShell script for the invoke obfuscation, that's meant for PowerShell, so there's an invoke de-obfuscation for that, for the DOS obfuscation, however, there isn't one, but it might be very interesting to look at that, to have something that at ingestion time
37:40
will fix that for you, looking at all the commands and things are nice, however, what if somebody just drops a binary that executes a command and it's gone, that might be tricky, and you might lose sight of what's happening, actually, so it might still be nice to, at ingestion time, also enrich your events with threat intelligence
38:02
information, such as looking at simple hashes, I mean, if it's there, why not do it? Kibana has a Vega framework, which allows you to actually create your own visualizations, which would allow you to have fancy things for your analysts, like maybe have a process tree or call stack, all those things,
38:22
so you could actually visualize it a bit better and not have to look at a table with all the things in there, I mean, fine for me, but some people like pretty pictures. There's been a lot invested into Sysmon, call tempering and PowerShell script logging evasion or disabling of it,
38:41
I think that's actually great, it's very good to see that people are actually investing time into that, so it's good to, I think it means you're on the right track, right? All attackers and red teams are now looking into ways to subvert that, so I think we still need to look at the subversion attempts in order to determine that it's happening,
39:01
and I mean, the moment it happens, you lose visibility, but the fact that somebody's trying to disable PowerShell script logging might be a strong indication of something weird going on anyway. And the last thing would be bring your own land, there are people now like dropping their own run DLL 32 with names blah, blah, blah.exe,
39:22
which kind of defeats most of those detections because they're all based on names and that doesn't work anymore, so that might be an issue. So, in conclusion, I think this whole endpoint monitoring with free and open source software really works, wow, who would have guessed I would say that, but it does allow
39:42
for experimentation without a budget, it's very easy to start, there's no licensing cost, it's flexible, it's scalable, we think, and it will give you and your analyst a pretty fun time trying to figure out all the things that are happening. So, you can go from an incident to a hunt
40:00
to an alarm pretty quickly, as shown with the Sysmon subversion thing, you can give your analyst more context than the blinky box with its bad sign, and it can also get your analyst very enthusiastic about new red teaming attacks, because it's not just a new attack and you have to wait for an update
40:20
so your system really detects something, but you would have the ability to actually do something, so figure out what it does, figure out how it works, and then try and stop it. And that makes for happy and skilled analysts. So, that's our presentation. If any of you will want to do anything with this, we uploaded all our POCs, the configs,
40:42
the sigma things to GitHub, just trust the QR code. There's no goatee there, I promise you. You can also read our paper, because this is all based on a paper called Filestrats Analysis and Detection. Just review it if you have any questions
41:00
or any comments like you fucked up here, or you did this wrong, or I have done it better. Please let us know, we want to learn. So, does anybody have any questions? Dude in the back.
41:21
Use this thing. So, we actually tried and we had like 40 megs a day, but it might be worse if you're using like a server or terminal server, a domain controller. That might be way more. Any other questions?
41:47
That's Olaf's blog, I guess. Is it recent blog series? I don't know, might be the one by Olaf. He focused a lot on tuning it down.
42:00
So, if you have a system that you have to pay per event or you just don't have the ability to store too much, look at his config, it's really nice. And it narrows things down, and he made like an entire blog series on it on how to do that and how to work with it. And he made a nice Splunk app to hunt and stuff. It's really good.
42:22
Any other questions? Nope, okay, thank you guys. Oh, sorry dude. Thank you.