Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018
Hunting and detecting APTs using Sysmon and PowerShell logging
TOM UELTSCHI BOTCONF 2018
C:> whoami /all
• Tom Ueltschi
• Swiss Post CERT / SOC / CSIRT since 2007 (over 11 years!)
• Focus & Interests: Malware Analysis, Threat Intel, Threat Hunting, Red / Purple Teaming
• Member of many trust groups & infosec communities
• FIRST SIG member (malware analysis, red teaming, CTI)
• Twitter: @c_APT_ure
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 2
BotConf Speaker history
• 2013 - My Name is Hunter, Ponmocup Hunter
• 2014 - Ponmocup Hunter 2.0 – The Sequel
• 2015 - LT: Creating your own CTI (in 3 minutes.. or 5 )
• 2016 - Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
• 2017 - LT: Sysmon FTW!
• 2018 - Hunting and detecting APTs using Sysmon and PowerShell logging
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 3
Outline (remember, it’s a short 30min fast 40min talk)
• Introduction
• 3 techniques from MITRE ATT&CK
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 4
Motivation – why yet another talk?
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 5
• Positive feedback is always nice and encouraging
Motivation – why yet another talk?
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 6
• Positive feedback is always nice and encouraging
Motivationthe real one
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 7
Motivationthe real one
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 8
Motivation -- the real one
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 9
Motivation -- the real one
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 10
Motivation -- the real one
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 11
SIGMA… say what?
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 12
SIGMA… say what?
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 13
Are you ready for a change?
Source: https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science.pdf
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 14
Are you ready for a change?
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 15
Our setup
• ~25’000 hosts
• ~150 GB/day
• Event logs
• Windows
• Sysmon
• Powershell
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 16
ATT&CK is the new {APT,Cyber,AI,ML,blockchain,etc}
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 17
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 18
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 19
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 20
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 21
ATT&CKcon 2018
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 22
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 23
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 24
Data Sources & Event Logs
• Sysmon
• PowerShell ScriptBlock Logging
• PowerShell Transcript Logging
SIGMA rule available
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 25
Sysmon
PS-SB
PS-TR
SIGMA
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 26
Outline
• Introduction
• 1st of 3 techniques from MITRE ATT&CK
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 27
WMI Event Subscription (Persistence)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 28
APT group named “Atomic Kittens”
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 29
WMI Event Subscription
Source: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 30
WMI Event Subscription
Source: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 31
WMI Event Subscription
Source: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 32
WMI Event Subscription
• Generating test events using “PowerLurk” Github project
• Likely won’t catch many APTs searching for Register-MaliciousWmiEvent ;-)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 33
How noisy is the Sysmon WmiEvent?
> 90 days> 270 EP’s< 600 events4 diff types
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 34
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 35
Sysmon
SIGMA
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 36
Sysmon
SIGMA
Outline
• Introduction
• 2nd of 3 techniques from MITRE ATT&CK
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 37
Logon Scripts (Persistence, Lateral Movement)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 38
APT group named “Cuddly Panda Bears”
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 39
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 40
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 41
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 42
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 43
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 44
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 45
Idea for detection
• Search for child processes of “userinit.exe”
• Exclude “explorer.exe” (normal)
• Exclude logon scripts (after baselining & vetting)
• Possibly a small number of other legitimate executables, but feasible to enumerate and filter out
• Search for ProcessCreate or RegistryEvents with the registry key name “UserInitMprLogonScript”
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 46
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 47
Sysmon
SIGMA
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 48
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 49
PS-TR
Outline
• Introduction
• 3rd of 3 techniques from MITRE ATT&CK
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 50
PowerShell (execution)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 51
PowerShell (execution)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 52
APT group named “Magic Hound”
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 53
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 54
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 55
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 56
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 57
Here’s that list of strings…
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 58
SIGMA rule: Malicious PS keywords
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 59
“Low FP/high TP” vs. “noisy” events (90 days)> > > YMMV !!! < < < not all strings are created equal
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 60
Renaming PS.exe(evasion technique?)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 61
RETEFE Malware sample
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 62
DOC/macro copy/rename PS.exe to %TEMP%\rnd.exe
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 63
ProcessCreate Event from PS-renamed
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 64
Sysmon
Search for Description: Windows PowerShell
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 65
Sysmon
Idea for detection
• Search for processes with “Description: Windows PowerShell”
• Exclude “powershell.exe” (the legitimate one)
• Also exclude PowerShell ISE
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 66
Search for Description: PS without powershell.exe
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 67
Sysmon
SIGMA
Search for Description: PS without powershell.exe
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 68
Sysmon
SIGMA
Hello, world! My name is NOT powershell.exe
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 69
PowerShell Empire Stager
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 70
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 71
PS-SB
Idea for detection
• Search for any of 3 strings that are not obfuscated (performance reason) $PSVERSionTaBle.PSVErSIOn.MAjoR
System.Management.Automation.Utils
System.Management.Automation.AmsiUtils
• Remove obfuscation characters (simple de-obfuscation)
• Search for any of 5 strings (unique, de-obfuscated) EnableScriptBlockLogging
EnableScriptBlockInvocationLogging
cachedGroupPolicySettings
ServerCertificateValidationCallback
Expect100Continue
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 72
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 73
PS-SB
PS-Empire functions executed
• Pen-tester was having “fun” with Empire
• PS-Empire functions with parameters found in PS transcript file
• Searched for “… | Out-String | %{…”
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 74
PS-TR
PS-Empire functions executed (top 60 funct’s)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 75
PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 76
PS-TR
Discovery > User enumeration – how many?
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 77
PS-TR
Unmanaged PowerShell
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 78
Get-TimedScreenshots
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 79
Get-TimedScreenshots
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 80
Using powershell.exe vs. unmanaged PS (PowerPick)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 81
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 82
Sysmon
Re-test after enabling FileCreate for rundll32.exe
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 83
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 84
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 85
PS-TR
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 86
PS-TR
Idea for detection
• Search PowerShell Transcript Files for “Host Application:” which is NOT any of• powershell.exe
• powershell_ise.exe
• wsmprovhost.exe
• and possibly very few others
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 87
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 88
PS-TR
SIGMA
Unmanaged PowerShell
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 89
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 90
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 91
Start-ClipboardMonitor
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 92
PowerShell
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 93
Idea for detection
• Search for PowerShell EncodedCommands in command-lines
• Base64 decode EncodedCommand on the fly
• Search for known malicious strings / cmdlets in decoded commands
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 94
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 95
Sysmon
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 96
Sysmon
PowerPick
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 97
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 98
PS-TR
Idea for detection
• Search for known malicious strings (code snippets, even comments) in PowerShell ScriptBlock Logs and Transcript Files
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 99
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 100
PS-SB
PS-TR
SIGMA
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 101
PS-TR
Detecting known bad vs. hunting unknown
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 102
Obfuscate-Mimikatz.sh only random strings
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 103
Detection vs. Hunting
• So far we looked at known malicious strings or behaviors
• Now let’s hunt for the unknowns
• Enumerate legitimate PS script files and function names
Build a whitelist to filter out legitimate functions
• Search for rarest function names in PS logs (apply whitelist filtering)
• Use stacking, long tail analysis, LFO to find interesting stuff
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 104
Enumerate PS script files and function names
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 105
Enumerate PS script files and function names
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 106
Search for rarest PS script files
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 107
Search for rarest PS function names
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 108
Create whitelist lookup with known good
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 109
Create blacklist lookup with known bad
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 110
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 111
SIGMA rules (contributions coming soon…)
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 112
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 113
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 114
Thanks for your attention!!
Time left for questions?
• Twitter: @c_APT_ure
• Blog: http://c-apt-ure.blogspot.com/2017/12/is-this-blog-still-alive.html
many resources about Sysmon linked in one place
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 115