A Threat Hunter Himself
Teymur Kheirkhabarov, Sergey Soldatov
BIO
Sergey Soldatov
• Head of SOC @Kaspersky Lab
• BMSTU graduate, CISA, CISSP
• Ex- Infosec dept. director
• Ex- Infosec admin
• Ex- software developer
• Ex- musician, sportsman
Teymur Kheirkhabarov
• SOC Analyst @Kaspersky Lab
• SibSAU (Krasnoyarsk) graduate
• Ex- Infosec dept. head
• Ex- Infosec admin
• Ex- System admin
Threat hunting?
"Cyber threat hunting is the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions"
https://sqrrl.com/solutions/cyber-threat-hunting/
What for?
BUSINESS:
• Minimize residual risks
• Minimize time between attack and detection
TECH:
• Unknown [targeted] attacks detection
• Non-malware attacks detection
• TTP-based detection
• "Time machine" for evidence analysis
[Diagram: Security = Tools / Monitoring / Hunting; prevention, SOC alerting and threat hunting set against residual risks]
Hunting vs. Alerting
SOC/Alerting
• Reactive
• Detect/forget
Hunting/Mining
• Proactive
• Repeated searches
[Diagram: closed loop connecting TI, hypotheses, hunting, alerting, IR, MA* and DF]
http://reply-to-all.blogspot.ru/2016/07/blog-post.html (RU)
* MA – malware analysis, DF – digital forensics, IR – incident response
What is needed?
[Big] data
• OS process activities
• OS events
• Security tools
• Network perimeter
• …
Process/Procedure
• TI + all possible detection techniques
• Previous experience
• Situational awareness
• …
Human
• Able to produce and check hypotheses
• Quick-witted
The Process: Theory
Level 1: "TI Farm"
• Works on objects (MD5, FQDN) and assigns them tags/labels
Level 2: "Cases"
• Works on object behavior & IPC, using the tags from the previous level
• Output: suspicious objects, suspicious systems
Level 3: Analyst
• Works on raw events and the cases above: digital forensics (DF), incident response (IR), malware analysis (MA)
What feeds the levels: IoC feeds, AM (anti-malware) detects, behavior patterns, whitelisting, popularity, similarity, SOC practice, known attackers' TTP (reports), DF and IR practice, security assessment practice
How: heuristics, machine learning, manual analysis, sandbox, scripts :)
What's inside?
What | How | More info
Process activities @endpoint | Sysinternals Sysmon | https://technet.microsoft.com/en-us/sysinternals/sysmon
Autoruns | Sysinternals Autorunsc | https://technet.microsoft.com/ru-ru/sysinternals/bb963902.aspx
E-mail attachments | MTA + Python + Yara | https://github.com/Yara-Rules/rules

Task | How | Link
Log shipping | Filebeat, Winlogbeat | https://www.elastic.co/products/beats/filebeat , https://www.elastic.co/products/beats/winlogbeat
Parsing, processing, TI matching | Logstash (TI e.g. from APTnotes) | https://www.elastic.co/products/logstash , https://github.com/aptnotes/data
Storage | Elasticsearch | https://www.elastic.co/products/elasticsearch
Search & visualization | Kibana | https://www.elastic.co/products/kibana
Data: sysmon events
Event class | ID | Rate (volume) | Importance
Process Create | 1 | Low-Medium | Detect initial infection and malware child processes.
Process Terminate | 5 | Low-Medium | Useful for forensic investigations; correlate with process creation events.
Driver Load | 6 | Low | Detect device driver loading.
Image Load | 7 | High (use with filtering) | Detect DLL injection, unsigned DLL loading.
File Creation Time Changed | 2 | Medium-High (exclude browsers and archivers) | Detect anti-forensic activity (timestamp changed to cover tracks).
Network Connection | 3 | High (use with filtering) | Identify network activity: connections to malware C&C servers, connections to a ransomware server to download encryption keys.
CreateRemoteThread | 8 | Low-Medium | Detect code injection used by malware. Credential theft tools (e.g. mimikatz, WCE) also use this technique to inject their code into the LSASS process.
Process Access | 10 | High (use with filtering) | Detect one process opening a handle to another; in particular reads of LSASS memory by credential dumpers (filter on the source image and the GrantedAccess mask).
RawAccessRead | 9 | Low | Detect dumping of SAM or NTDS.DIT from compromised hosts (raw disk reads bypass file locks and ACLs).
Data: autorunsc
• autorunsc -a * -ct -h -m -s -nobanner /accepteula
  (all entry types, tab-delimited output, file hashes, hide Microsoft entries, verify digital signatures)
• add -v -vt to query VirusTotal (and accept its terms), if VirusTotal detections matter
• A simple PowerShell script compares the current autorunsc result with the previous one and writes the differences to a text log
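The authors' comparison is a PowerShell script; the following is an added example in Python, not their code, showing the same baseline diff: two tab-delimited autorunsc exports in, a list of new, removed and changed entries out, with cheap triage tags (unsigned image, PowerShell, encoded command, user-writable path). The column names are what I expect in autorunsc's header row (an assumption; the parser is header-driven, so only KEY and HASH need adjusting if the header differs), and the two exports are constructed fixtures in which the demo's "System inventory" task appears in the second run.

```python
"""Autoruns baseline diff, added as an example; the talk's own comparison is a
PowerShell script and this is not it. Reads two tab-delimited exports from
'autorunsc -a * -ct -h ...', lists entries that are new, gone or carry a
changed hash, and tags the suspicious ones. Column names are an assumption
about autorunsc's header row; the parser keys on the header."""
import csv
import io
import ntpath

KEY = ("Entry Location", "Entry", "Image Path")   # identity of one autorun entry
HASH = "SHA-256"


def parse(text):
    """{key: row} from autorunsc -ct output. Real exports are UTF-16 text:
    open(path, encoding="utf-16").read() before calling this."""
    rows = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    return {tuple(r[k] for k in KEY): r for r in rows}


def is_encoded_command(launch):
    """-EncodedCommand and every abbreviation of it (-e, -ec, -enc, ...);
    -ex... (-ExecutionPolicy) does not match because it is not a prefix."""
    return any(len(tok) >= 2 and "-encodedcommand".startswith(tok)
               for tok in launch.lower().split())


def flags(row):
    """Cheap triage tags for one entry (heuristics, tune locally)."""
    tags = []
    if not row["Signer"].startswith("(Verified)"):
        tags.append("unsigned")
    image = row["Image Path"].lower()
    if ntpath.basename(image) == "powershell.exe":
        tags.append("powershell")
    if is_encoded_command(row["Launch String"]):
        tags.append("encoded-command")
    if "\\temp\\" in image or "\\appdata\\" in image:
        tags.append("user-writable-path")
    return tuple(tags)


def diff(previous, current):
    """[(kind, key, tags)] for every entry that differs between two exports."""
    old, new = parse(previous), parse(current)
    report = []
    for key in sorted(set(old) | set(new)):
        if key not in old:
            report.append(("NEW", key, flags(new[key])))
        elif key not in new:
            report.append(("REMOVED", key, ()))
        elif old[key][HASH] != new[key][HASH]:
            report.append(("CHANGED", key, flags(new[key])))
    return report


def format_report(report):
    """Text-log lines, one per finding."""
    return [f"{kind:<8} {' | '.join(key)}" + (f"  [{', '.join(tags)}]" if tags else "")
            for kind, key, tags in report]


# Constructed fixtures (a subset of autorunsc's columns; hashes are placeholders).
COLS = ("Entry Location", "Entry", "Enabled", "Category", "Signer",
        "Image Path", "Launch String", "MD5", "SHA-256")
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VMT = r"c:\program files\vmware\vmware tools\vmtoolsd.exe"
PS = r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"
DEFRAG = "\t".join(("Task Scheduler", r"\Microsoft\Windows\Defrag\ScheduledDefrag", "enabled", "Tasks",
                    "(Verified) Microsoft Windows", r"c:\windows\system32\defrag.exe", "defrag.exe -c", "md5-b", "sha-b"))
PREVIOUS = "\n".join(("\t".join(COLS),
    "\t".join((RUN, "VMware User Process", "enabled", "Logon", "(Verified) VMware, Inc.",
               VMT, f'"{VMT}" -n vmusr', "md5-a", "sha-a")),
    DEFRAG))
CURRENT = "\n".join(("\t".join(COLS),
    # same Run entry, but the binary on disk was replaced and is no longer signed
    "\t".join((RUN, "VMware User Process", "enabled", "Logon", "(Not verified) VMware, Inc.",
               VMT, f'"{VMT}" -n vmusr', "md5-x", "sha-x")),
    DEFRAG,
    # the demo's persistence: a scheduled task running encoded PowerShell
    "\t".join(("Task Scheduler", r"\System inventory", "enabled", "Tasks", "(Verified) Microsoft Windows",
               PS, "powershell.exe -w hidden -enc <base64>", "md5-c", "sha-c"))))

if __name__ == "__main__":
    print("\n".join(format_report(diff(PREVIOUS, CURRENT))))
```

The diff is keyed on location, entry and image path rather than on the hash alone, so a replaced binary shows up as CHANGED instead of as one removal plus one addition; the tags are deliberately coarse and are there to sort the log, not to decide anything.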
Data: e-mail attachments
• Python script (runs on the MTA):
  • gets e-mail headers
  • gets attachments: name, size, MD5, file type
  • checks Yara rules from https://github.com/Yara-Rules/rules (any rule set can be used)
  • if an attachment is an archive: checks whether it is password protected, inflates it and repeats the previous steps for the contents
  • returns JSON output, for example (the subject decodes to "Счет на оплату", Russian for "Invoice for payment"):
{
  "source_arch_md5": "1788A5624790B6707241E45461443757",
  "file_name": "x64/mimilib.dll",
  "subject": "Fwd: \u0421\u0447\u0435\u0442 \u043d\u0430 \u043e\u043f\u043b\u0430\u0442\u0443",
  "x-virus-scanned": "",
  "yara_matches": ["mimikatz"],
  "file_size": 32256,
  "date": "Sun, 13 Nov 2016 20:56:11 +0300",
  "cc": [],
  "MD5": "7DF94A9513983F9324C630C98B2BACCD",
  "from": "victim@test.local",
  "file_type": "PE32+ executable (DLL) (console) x86-64, for MS Windows",
  "yara_check_date": "2016-11-13T16:46:41.788812",
  "user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101\nThunderbird/45.4.0",
  "to": ["victim2@test.local"],
  "ip": ["172.16.205.139"],
  "message-id": "<dfea49de-290a-52f5-14f6-1b1dbe5d5454@test.local>",
  "x-mailer": "",
  "mime_type": "application/x-dosexec"
}
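As an added example (not the script from the talk or its ZN2016 repo), the following Python does the attachment part of that job with the standard library only: headers, per-attachment name/size/MD5/type, recursion into archives, and the password-protected branch. Assumptions: zip is the only archive format handled; RULES, a byte-pattern dictionary, stands in for Yara (a real deployment would call yara-python against the rule set); file_type sniffs two magic numbers instead of calling libmagic; the sample message is constructed, including a zip whose encrypted flag bit is patched so that the password-protected path actually runs.

```python
"""Mail-attachment triage in the spirit of the talk's MTA script. Added
example, not the authors' code: parses one RFC 822 message, records headers
and per-attachment name/size/MD5/type, recurses into zip archives unless they
are password protected, and returns a JSON-ready dict. RULES stands in for
Yara, file_type for libmagic; the sample mail below is constructed."""
import email
import hashlib
import io
import json
import zipfile
from datetime import datetime, timezone
from email import policy
from email.message import EmailMessage

RULES = {"mimikatz": b"mimikatz"}          # stand-in for a Yara rule set
HEADERS = ("from", "to", "subject", "date", "message-id", "user-agent", "x-mailer")


def file_type(data):
    if data[:2] == b"MZ":
        return "PE executable"
    if data[:4] == b"PK\x03\x04":
        return "Zip archive data"
    return "data"


def scan(data):
    return sorted(name for name, pattern in RULES.items() if pattern in data)


def describe(name, data, mime="application/octet-stream", source_arch_md5=None, depth=0):
    """One record per attachment; zip members follow their archive and carry
    its MD5 in source_arch_md5, as in the talk's JSON."""
    record = {"file_name": name, "file_size": len(data),
              "MD5": hashlib.md5(data).hexdigest().upper(), "file_type": file_type(data),
              "mime_type": mime, "source_arch_md5": source_arch_md5,
              "yara_matches": scan(data), "password_protected": False}
    records = [record]
    if record["file_type"].startswith("Zip") and depth < 3:   # depth cap against nested bombs
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flag marks an encrypted member;
            # a locked archive is reported, not inflated.
            if any(zi.flag_bits & 0x1 for zi in zf.infolist()):
                record["password_protected"] = True
                return records
            for zi in zf.infolist():
                if not zi.is_dir():
                    records += describe(zi.filename, zf.read(zi),
                                        source_arch_md5=record["MD5"], depth=depth + 1)
    return records


def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {h: str(msg.get(h, "")) for h in HEADERS}
    result["attachments"] = []
    for part in msg.iter_attachments():
        result["attachments"] += describe(part.get_filename() or "unnamed",
                                          part.get_content(), part.get_content_type())
    result["yara_check_date"] = datetime.now(timezone.utc).isoformat()
    return result


def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _mark_encrypted(zip_bytes):
    """Test fixture only: set the encrypted flag in every local (offset 6) and
    central (offset 8) header so the archive looks password protected."""
    b = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = b.find(sig)
        while i != -1:
            b[i + off] |= 0x1
            i = b.find(sig, i + 1)
    return bytes(b)


def sample_message():
    """Constructed mail: a clean zip holding a fake DLL, and a 'locked' zip."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "victim@test.local", "victim2@test.local"
    msg["Subject"], msg["Message-ID"] = "Fwd: invoice", "<constructed@test.local>"
    msg.set_content("see attached")
    tools = _zip({"x64/mimilib.dll": b"MZ\x90\x00" + b"mimikatz for Windows"})
    msg.add_attachment(tools, maintype="application", subtype="zip", filename="tools.zip")
    locked = _mark_encrypted(_zip({"secret.exe": b"MZ" + b"\0" * 16}))
    msg.add_attachment(locked, maintype="application", subtype="zip", filename="locked.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(json.dumps(triage(sample_message()), indent=1))
```

A locked archive is still worth a record: its name, size and MD5 go to the index and the password_protected flag is itself a hunting pivot, since a password-protected archive from an external sender is a common way past mail-gateway scanning.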
Data: files & URLs from traffic, dynamic analysis
• TODO:
  • Deploy Bro: URL and file extraction
  • Deploy Cuckoo sandbox
  • New version of the Python script: URLs from e-mail
  • Windows events: registry changes, file access, service install, task scheduling, PowerShell, …
  • Correlation engine: Exper
The Process: Practice
[Pipeline diagram, reconstructed:]
• Endpoint: Sysmon (shipped by Winlogbeat), Autorunsc (shipped by Filebeat)
• MTA (Exim): Python script + Yara (shipped by Filebeat)
• Logstash (receiver) → RabbitMQ (queue) → Logstash (indexer) with per-source pipelines: logstash-mail, logstash-autorunsc, logstash-windows, logstash-files
• Elasticsearch: event indices, plus a unique files aggregation index that serves as the 'TI Farm'
Demo time!!!
Attacker creates excel downloader
• Excel with macros
• the macro downloads sytem.ps1 into memory and executes it; the script:
  • downloads a meterpreter payload into memory and runs it
  • creates the scheduled task "System inventory" for persistence
Attacker starts reverse shell handler
Attacker sends, Victim receives
[Screenshots: 'Super AV' on the victim host]
Post-exploitation
Analyst hypothesis start: inject into lsass
• Who injected into lsass?
• Who started the lsass injector?
• Who started the lsass injector's starter?
• Check whether explorer.exe is compromised…
• Search for the powershell start
• Who started the powershell which started the powershell which injected into explorer.exe?
• Who created the scheduled task?
• Who sent the email? Anyone else affected?
What the hunt found (annotations from the demo slides, read from the hypothesis outwards):
• temp<random1>.exe injected into lsass.exe
• syswow64svch0st.exe started temp<random1>.exe
• temp<random2>.exe started syswow64svch0st.exe
• explorer.exe started temp<random2>.exe
• explorer.exe was compromised: powershell.exe injected into explorer.exe; strange HTTP to 66.66.66.66 observed
• powershell.exe started powershell.exe
• Task Scheduler started powershell.exe
• powershell.exe started schtasks.exe (the task is created)
• thunderbird.exe started excel.exe; wmiprvse.exe (WMI provider host) started powershell.exe
Outro
• TH is the only effective way to counter customized threats
• TH is a 'must have' process of security operations
• TH can't be fully automated
• TH is a never-ending, self-improving closed cycle via IR/DF/MA
• TH needs data & human-machine analysis
• TH can be done by yourself!
• All configs: https://github.com/votadlos/ZN2016
Q&A
Thank you for your attention!