Friday, August 25, 2017

Homegrown Hunt: You Can Do This! (or How to Think Like a RAT!)

Preamble and Assumptions:

1. Before we begin, this post won’t by any means try to define Hunt.  There are already hundreds of articles arguing about what that term means, this isn’t one of them.  I use the word sprinkled throughout quite loosely and you are free to take poetic license of your own while reading.


2. This is by no means an exhaustive guide to hunt; hunt never ends, it evolves daily, sometimes hourly. The following is meant to simply get you started thinking about some easy, low-hanging fruit, so that maybe you’ll want to take it further. There’s so much more that I could have included, but as someone I respect and look up to recently taught me, “MaryEllen, don’t let perfect be the enemy of good!”  In other words, at some point you just have to cut bait and drop it, hook, line and sinker, or you’ll never publish it!


3. Regardless of the maturity level of your enterprise, work with what you have.  At the end of the day, if you read the following and it affords you the opportunity to increase the security posture of your organization even a little, everybody wins!


4. Some of the concepts mentioned below are from brainstorming sessions with someone far smarter than me, my long-time friend and colleague, Lawrence Judd.  Thank you Lawrence.  I strive to be at your level every single day, and it’s a privilege to call you friend.  Lawrence is wicked smart, and sometimes when I’m chatting with him, I find myself harkening back to one of my first conversations with a NYC building Superintendent.  He would tell me, “MaryEllen, if you want to catch a rat, you have to think like a rat, behave like a rat, and sometimes even pretend you ARE a rat!”

5. I’m finally digging through all the stuff I learned at BlackHat and DEF CON, and you may see some of that referenced below.  Enjoy!

Let’s Dive In!

Bytes In vs. Bytes Out (Producer-Consumer Ratio, or PCR) from Robert M. Lee and David J. Bianco’s BlackHat presentation:

  • See slide #12.  One way to implement that might be to run a daily script that calculates the bytes-in vs. bytes-out per endpoint (PCR). When you do that over time, you can begin to compare the data and look for blips which could indicate someone was staging, i.e. planning to leave in a couple weeks and siphoning a bunch of stuff out.  I've worked in companies where they had v.v. expensive tools that could track all of those types of behaviors, but if the security posture (or budget) within your organization is still maturing, get down in the weeds and write your own, you can do this!
  • There are a couple other slides in David and Robert's deck that I would like to try to turn into use cases as well. 
Moving on - Ground Speed; badging/access logs, including but not limited to:

⇨If I physically badge into an office in North America but then log into the network later that day from the APAC region, whassup?

⇨If I log into the network from the APAC region, but then later that same day I physically badge into an office in North America, whassup?

⇨If I log into a system in North America and then later that day I also log in from the APAC region, whassup?

Login time behaviors oddities:

⇨For example, let’s say someone almost always works 8am-4pm but now all of a sudden they are logged in at 2am, whassup?

Don’t just monitor your logs for unsuccessful logins, also track successful logins, but with correlation, for example, did any of those unsuccessful login attempts just log in, or was there a successful login from an account we have no record of?  Just today, FS-ISAC warned that credential stuffing/ATO attacks are at an elevated level and there is a huge uptick in brute force attacks attempting to leverage stolen credentials. They suggested a possible defense around that would be to monitor your Call Center for increases in account lock-outs.

If you have Splunk, take a look at Shannon Entropy via the following 
(if you don’t have Splunk, try to see how you can improvise using other tools):

https://www.splunk.com/blog/2015/10/01/random-words-on-entropy-and-dns.html

https://www.splunk.com/blog/2016/04/21/when-entropy-meets-shannon.html

Also with Splunk, take a look at the following (again, if you don’t have Splunk, try to see how you can improvise using other tools):

https://www.splunk.com/blog/2016/03/22/splunking-1-million-urls.html

https://www.splunk.com/blog/2016/04/01/hunting-that-evil-typosquatter.html

Huge shout-out to Google Chrome’s Andrew R. Whalley who I had the great fortune of meeting at BlackHat.  I was invited to a small group where Mr. Whalley was discussing browser security and some interesting trickery such as Unicode characters and xn--, some of which are outlined here, and here. There are nuggets in both URL's to begin building alerts for.

Office products (Word, Excel, PowerPoint, etc.) probably shouldn’t be spawning .exe, cmd.exe, PowerShell, and a host of other items, for example.

You can hunt down private domain registrations so as to properly investigate, triage and submit for takedown.  I attended a Lunch and Learn in June at the SANS Austin Summit by DomainTools that specifically talked about just that, it was fascinating.  Lunch and Learns aren't recorded and don't always release a slide deck afterward, but I found a free video on the DomainTools Web site which is similar to the talk they gave in Austin.  If you advance the video to exactly 15 minutes in, at the "Hunt Case Study" section, they discuss work-arounds/pivots for private registrations.  It's not in the video link, but at the Lunch and Learn they were even showing how you could pivot off of Google Analytics code to see if anyone else had used it.  I wish I had taken better notes, but I was pretty fried at that point from the malware 610 class I was taking...the video link is close to what was in their talk, just start at exactly 15 minutes in, at "Hunt Case Study."


Track anomalies in CarbonBlack, NetWitness, Splunk, Tanium or a million other other tools, including but not limited to:

o Large outbound files.
o Outbound .rar and .tar files.
o Traffic to high risk geo locations such as .cn, .nk, .ru, .su, tr, etc.
o Traffic from any of the top 20 in your APL reaching-out to high risk locations such as .cn, .nk, .ru, .su, .tr, etc.
o Traffic to odd TLD’s such as .xyz, .sex, .sexy, .xxx, etc.

Applications running which have a hash that’s different than all known good application hashes in the enterprise.

Detecting MimiKatz running in memory:

  • If I understood the author correctly, regardless of what process MimiKatz is injected into, it needs both of these to run: vaultcli.dll and wlanapi.dll.

Known Web Server apps being launched from non-standard locales:

o apache.exe where path is NOT: c:\oracle\program files\apache
o tomcat.exe where path is NOT: c:\program files\tomcat

Track exe’s that could be associated with evil (impersonating the legitimate versions), for example, if any of the following have a running path that is NOT c:\windows  OR c:\winnt (not an exhaustive list):

o aspnet_compiler.exe
o at.exe
o bcdedit.exe
o bitsadmin.exe
o cmd.exe
o conhost.exe
o csc.exe
o cscript.exe
o csrss.exe
o dfsvc.exe
o excel.exe
o expler.exe
o hh.exe
o hkcmd.exe
o IEExec.exe
o iexple.exe
o iexpress.exe
o igfxpers.exe
o igfxsrvc.exe
o ilasm.exe
o InstallUtil.exe
o journal.exe
o jsc.exe
o lsass.exe
o lsm.exe
o MSBuild.exe
o msdt.exe
o mshta.exe
o msiexec.exe
o mstsc.exe
o Net.exe
o Net1.exe
o ping.exe
o PowerShell.exe
o PowerShell_ise.exe
o PresentationHost.exe
o reg.exe
o RegSvcs.exe
o RegSvr32.exe
o rundll32.exe
o sc.exe
o script.exe
o SearchFilterHost.exe
o SearchProtocolHost.exe
o services.exe
o set.exe
o setx.exe
o spoolsv.exe
o svchost.exe
o systemreset.exe
o taskhost.exe
o taskmgr.exe
o vbc.exe
o vssadmin.exe
o w3wp.exe
o winlogon.exe
o winword.exe
o wmic.exe
o Wscript.exe
o wuauclt.exe


Detect single character file name executables, including but not limited to: 0-9.exe and A-Z.exe as well as other characters like ..exe, _.exe, $.exe, etc.

Monitor email for certain file-types within zip, such as .js or scr.

Monitor for encrypted zips.

Check email for .iso, .scr, etc. attachments.

Detect zero-byte files.
o There are several concerns with zero-byte files, some I am sure I am not even aware of, but think of log deletion...files that should contain content but all of a sudden do NOT.  Also, think of destructive malware, which can zero-out files: https://forums.malwarebytes.com/topic/87855-zero-byte-data-files - there are probably a lot of other things, so if anyone wants to pile on, please do!


Take a look at the SANS “Finding Evil” poster.  Note which processes should never spawn certain other processes, etc. and create rule-sets or dashboards to look for those types of anomalies.  Additionally, this may help you begin tracking known malware injects.

Check the “Behavior Rule-sets” and “Digital Signatures” as outlined in this famous SANS poster.

Monitor what’s being downloaded across the organization.

Correlate hosts that generate greater than one a/v alert within the span of up to one week.

Track a/v hits where the action was “Allowed”, “Deferred”, “Left Alone”, etc.  Create rule-sets for correlation.

Track a/v hits where the action was “Blocked”, “Deleted”, “Quarantined”, etc.  Create rule-sets for correlation.

CarbonBlack offers the following threat indicators:

o Execution from Recycle Bin
o Suspicious process name
o Processes with obfuscated extensions
o Known malware file name
o Execution from System Volume Information folder
o Possible BlackPOS malware registry artifact
o Possible APT backdoor installation
o Possible Ransomware file artifac
o Possible Point-of-Sale malware file artifact
o Execution from APT staging area
o Possible credential theft or misuse
o Possible ZeroAccess activity
o Possible Tibet.c backdoor installation
o Possible wirelurker infection
o ntvdm.exe spawned by office application
o Siesta campaign indicators
o PlugX campaign indicators
o Modification of launchd.conf
o Suspicious OSX persistence mechanism
o Modification of /etc/rc.common
o Possible Olyx/Lasyr activity
o Possible wirenet and/or netweird activity
o Possible Flashback infection
o Possible iWorm infection
o Possible NetWeirdRC infection
o Suspicious local password change
o Attempted osx password hash collection
o Execution from trash bin
o Suspicious process execution
o Suspicious shell activity
o Powershell executed with encoded instructions
o Modification of powershell execution policy
o Possible malicious powershell activity
o Possible WMI Persistence
o Possible WMI command invocation
o WinRM command activity


Begin looking at all the remote access software being utilized in your environment and start to baseline the activity around it. I'm not just talking about Windows built-in RDP, but also tools like GoToMyPC, LogMeIn, TeamViewer, and even Web-Based products such as Join.me (to name a few).  These can all be valuable tools but if a SysAdmin has one sitting on his/her server that they didn't install themselves...ummm...gulp.


Lastly, it’s too much to retype it all, but there is a wealth of additional information along the topic of hunt at the following links:

I met Cheryl Biswas at DEF CON a few weeks ago when her laptop malfunctioned as she was taking the stage for her talk. She asked if anyone in the audience had a spare laptop, and guess what, I did...and I gained a wonderful new friendship as well!  Not only is Cheryl incredibly smart, this woman knows her stuff when it comes to Threat Intel and Hunt!  Take a read!

Contains 87 references to Hunt, just search the page for “Hunt”

Contains 21 references to Hunt, just search the page for “Hunt”


http://www.threathunting.net/reading-list

http://www.hexacorn.com/blog/2016/10/15/threat-hunting-a-tale-of-wishful-thinking-and-willful-ignorance

http://www.hexacorn.com/blog/page/26

http://www.hexacorn.com/blog/2016/10/15/threat-hunting-a-tale-of-wishful-thinking-and-willful-ignorance