BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
2. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Speaker Background
Chris Gerritz
Co-Founder, Infocyte
Twitter: @gerritzc
Github: @singlethreaded
Prior:
Chief, DCC Operations
AFCERT
Speaker
Helped establish and led USAF’s
Enterprise Hunt Team.
~800,000 node playground
Founded a company that develops
hunt software and capabilities.
4. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
What is Hunt?
The proactive search for threats
hiding within a network you control.
5. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Why Hunt?
Reconnaissance Exploitation Installation
Command and
Control
Lateral
Movement
Exfiltration Persist
Real-Time Prevention/Detection Threat Hunting Forensics
Attack In Progress Breach Detection Gap Response
The average breach goes
undetected for more than 6+
months.
Many are breached and
don’t know it
Network
Breached
Incident
Discovered
6+ months average
6. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Hunt vs DFIR (tl;dr it’s sort of the same, but not)
• Incident response and forensics (DFIR) tools and techniques can be
used to hunt, but have some limitations:
• 1. No bread crumb trail to follow
• 2. Hunting requires scalability and reduced complexity
• Especially if it’s to be done iteratively (think ROI)
• Principle of Diminishing Returns:
• The objective is not to perform a full forensics investigation
• How do you know you aren’t hunting snipe? (aka something that
doesn’t exist)
Problem w/ focused or IOC-based hunts
7. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
The Hunter’s Tool Bag (Examples)
• Endpoint Solutions
• Scripting (Powershell, etc.)
• Interactive Endpoint Hunt Solutions
• Endpoint Response/Forensics Solutions
• Network Analysis Solutions
• passiveDNS Monitoring/Lookups
• Wireshark (sort of?)
• BroIDS
• Data-Centric Solutions
• i.e. Elastic, Hadoop, Splunk, SEIM, etc.
• Fed by Endpoint Detection & Response (EDR)
• Used to store/search centralized logs/events
• Malware Analysis
• PEStudio
• Cuckoo Sandbox
8. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Data-centric Analysis Endpoint Validation
• Enabled by centralized logging, long
data retention + sophisticated security
infrastructure and event visibility at all
levels (network, host, etc.).
• Endpoint methodology is independent
of existing security infrastructure and
can be performed on almost any
network (aka, the rest of us)
<>
A Tale of Two Hunting Methodologies
10. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
PSHunt Components/Modules
• Scanners
• Surveys
• Discovery
• Utilities
• Transport & Execution functions, etc
• Survey Analysis
• File Analysis
11. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Scanners
WMI
Query
PSHunt
Remote Registry
Query
Scanners:
Description: Used to rapidly scan
remote systems for a single piece of
information using remote queries.
Input: Target (DNS or IP)
Output: One Line (String or CSV)
Invoke-RemoteScan
12. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Survey Deployment / Transport
SMB
/Schtasks
PSHunt
SMB
SMB
/WMI
HTTP / FTP
Utilities [Execution]:
-> Start-RemoteProcess
Download or Directly
Encode Needed Libraries:
Invoke-DownloadFile
Convert-BinaryToString
Convert-StringToBinary
14. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Execution Methods
• WMI (Process Call Create)
• PSRemoting (Invoke-Command)
• Probably not enabled…
• Remote Task Scheduler (Schtasks)
• Remote Service Manager (PSExec)
Domain credentials
are used to
enumerate and
access endpoints.
Protip: type this in every
windows box you see:
15. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Discovery / Testing Access
Discovery:
Test-TCPPort
Test-TCPPorts
Get-RemoteArchitecture
Get-RemotePowershellVersion
Get-RemoteOperatingSystem
Additions:
Dsquery
Powersploit -> Recon
PowerView
Ports and Protocols:
•TCP 22 - SSH
•TCP 135 - WMI / RPC
•TCP 137 - NetBIOS (Name Resolution)
•TCP 139 - SMB over NetBIOS
•TCP 445 - Server Message Block (SMB)
•TCP 5985 - PSRemoting (http)
•TCP 1025 - 5000 - Legacy Win Dynamic Range
•TCP 49152 - 65535 - Modern Win Dynamic Range
17. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Survey: Collect from each host
• Active Processes
• Loaded Modules / Drivers
• Floating/Injected Modules
• Active Connections
• Autostarts/Autoruns
• Accounts
• Key Event Logs
(collect all the things)
PSHuntSurveysSurvey.ps1
Description: Used to collect
comprehensive information on the
state of a windows host
18. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Active Processes/Modules/Drivers
PSHunt’s Get-ProcessList = Get-WmiObject -Class Win32_Process
+ Get-Process –Module
+ Get-Hashes
+ Invoke-SigCheck (Sysinternals)
+ $Process.GetOwner()
19. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Persistence Mechanisms (Autostarts)
Implementation:
Wrapped Sysinternals
Autorunsc*
(Note: Interacting with the
registry is still a pain in the ass
in Powershell.)
*currently best open source
collection of autostart
locations – unfortunately, it’s
still not comprehensive
20. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Memory-resident Malware Analysis
Description: Discover DLL
Injection, Process Overwrites,
etc.
Uses:
PSReflect Module
• Uses Matt Graeber’s PSReflect Module to
access Native Win32 APIs:
• Implementation: VirtualQueryEx walk across
process memory looking for PE Headers in
RWX memory.
22. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Survey Analysis Modules
• Initialize-ReputationData
• Loads Data into $Global:FileReputation
• Update-HostObject
• Get-VTStatus
• Get-VTReport
• Group-HostObjects
Survey Analysis:
Description: Compare Survey
Results against Reputation Data
from local store and VirusTotal.
Perform Outlier and Anomaly
Analysis
23. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
VirusTotal
(64+ AV Engines)
Threat Intel
Providers
Survey.ps1
Survey
Static Analysis
Dynamic Analysis
(Sandbox)
Collect:
- What’s running (i.e. Processes)
- What’s triggered to run (i.e. autostarts)
- Indicators of Compromise (IoCs)
Reputation
Database
i.e. VirusTotal
Cuckoo Sandbox
Malwr.com
File & Malware AnalysisReputation & Threat Intelligence
- Hash Lookups
- IP/DNS Lookups
- IOC Lookups
PSHunt
Suspicious
Executable
PEStudio
PowershellArsenal
Survey.ps1
SurveySurvey.ps1
25. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Active Processes/Modules/Drivers
Some malware, even advanced types, attempt to “hide in plain sight”
or within the noise of the multitude of programs running on your
systems.
• Initial Technique: Hash everything and compare to a signature and
threat intelligence database like VirusTotal. This will clear all known-good
and known-bads.
• Adv. Technique:
1. Stack Remaining data and perform anomaly and outlier analysis
2. Perform static/dynamic analysis on the exe of any suspicious or out-
of-place processes
26. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Digital Signatures?
Digital Signatures: Most malware is not digitally signed by a legitimate
Certificate Authority (CA).
• Attackers may load their rogue CA into your local Trusted Root CA store at
the time the malware is installed (requires root privileges)
• Adv. Technique:
• Check anomalous/outlier root CA’s serial number against whitelist or
Google it for authenticity
• WARNING: Some may digitally sign malware with a legitimate but
compromised CA which renders this technique ineffective.
- Example: The Feb ‘13 attack against Bit9 targeted their CA server
27. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Persistence Mechanisms
Required to maintain the malware through reboots and in times
of dormancy.
• Scheduled Tasks, Jobs, etc.
• Registry Persistence (most common)
•Technique: Hash all referenced executables in registry and compare to Threat
Intel Database
• Boot Process Redirection (ie. Bootkits – very sophisticated!)
•Technique: Evaluate raw MBR (first 512 bytes of disk0) for redirection to
alternate boot loader
28. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
Process Memory Injection
• DLL Injection / Process Hallowing:
1. Allocate chunk of unprotected Read/Write/Execute (RWX)
memory inside another legitimate process.
2. Load in a malicious DLL.
3. Redirect an execution thread.
4. Profit.
•Adv. Technique:
• Walk Process Memory looking for PE Headers in large chunks of
unprotected memory (Use @mattifestation’s PSReflect)
• False Positives will come from:
1. Just-in-Time (JIT) compilers – i.e. .NET and Java Apps
2. Security Software
30. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
PSHunt – Powershell Threat Hunting
Chris Gerritz
Co-Founder, Infocyte
Twitter: @gerritzc
Github: @singlethreaded
NOTE:
PSHunt will be posted on
Github this week.
Follow me:
Notas del editor
Malware hunt came about because of the recognition that existing investments in services and technology – some very significant – were still failing to prevent malware from entering the department of defense networks.
Quick detection post-infection was non existent and the type of behaviour that one would monitor for during the initial part of an attack would not be present after a successful malware installation. The malware often remained dormant for long period of time.
Our founders not only established the first enterprise-scoped hunt team, but their success and technical processes became a cornerstone of the US DoD cyber defense strategy/posture. - Internally called the Enterprise Hunt Team, official name of the team was later changed to DCC (Defensive Counter-Cyber).
Note on military terminology: Offensive Counter-Cyber = hack back, Defensive Counter-Cyber is defending and operating within home territory
“Instead of conducting a penetration test to confirm that an attacker can compromise your environment (similar to confirming that water is indeed wet), you should conduct an assessment to determine which adversaries are already operating within your environment. “
- Rick Holland, Forrester (1/26/16)
Security Trends:
2013 – Year of Next-Gen Firewall
2014 – Year of Threat Intel
2015 – Year of EDR
2016 – Year of Hunt
I could spend all day on 1 box
Focused / hypothesis-based hunts looking for one thing are usually a waste of time.
Data Analytics relies on the organization already having sophisticated and complete data collection and retention of logs and events. Endpoint Hunt methodology does not rely on existing security infrastructure.
Network Traffic Analysis – The perimeter is no longer well defined in networks with mobile, SaaS services, and ubiquitous encryption.
This slide should only be used when in-front of a technical audience or if the question comes up.
Infocyte Malware Hunter Platform (Simplified View)
Server consists of three services and a database:
API service is responsible for communication to the Infocyte Cloud Services
Threat Intelligent Services, File Reputation Services (4.5+ Billion files) and Sandbox Services (as well as licensing)
Worker service
This is what deploys to endpoints and what collects endpoint scan reprots
Core cervices
Analytics services and the main communication bridge to the database and message broker services.
Database
Ports are customizable in the installer, but all communications from services and database are encrypted in a TLS 1.2 tunnel.
To view your certificate stores, run certmgr.msc as described there. The "root" store contains the root CA, i.e. the CA which are trusted a priori. certmgr.msc shows you an aggregate view of all root CA which apply to the current user; internally, there are several relevant stores (the "local machine" stores apply to all users, the "current user" stores are specific to the current user; and there also are "enterprise" stores which are similar to "local machine" but meant to be filled automatically from the AD server of the current domain).
See this page for a list of all CA that Microsoft puts in Windows by default; any discrepancy would be a local variation. The list is occasionally updated, and this is propagated to your computer through the normal Windows update mechanisms.
http://security.stackexchange.com/questions/48437/how-can-you-check-the-installed-certificate-authority-in-windows-7-8
https://www.thawte.com/roots/
Large = 2+ pages of memory (a page is 4kb). Meterpreter is around 650kb in memory, 150kb for the 1st stage but that’s big compared to most. Staged malware can be small but they won’t have very many features (i.e. communications, command parsing, search protocols) loaded at smaller sizes.