SlideShare una empresa de Scribd logo

BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz

Descargar como PPTX, PDF
Christopher Gerritz
Christopher Gerritz

BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.

Tecnología
1 de 30
Hunting on the Endpoint w/ Powershell Chris Gerritz
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Speaker Background Chris Gerritz Co-Founder, Infocyte Twitter: @gerritzc Github: @singlethreaded Prior: Chief, DCC Operations AFCERT Speaker Helped establish and led USAF’s Enterprise Hunt Team.  ~800,000 node playground Founded a company that develops hunt software and capabilities.
Threat Hunting 101
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz What is Hunt? The proactive search for threats hiding within a network you control.
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Why Hunt? Reconnaissance Exploitation Installation Command and Control Lateral Movement Exfiltration Persist Real-Time Prevention/Detection Threat Hunting Forensics Attack In Progress Breach Detection Gap Response The average breach goes undetected for more than 6+ months. Many are breached and don’t know it Network Breached Incident Discovered 6+ months average
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Hunt vs DFIR (tl;dr it’s sort of the same, but not) • Incident response and forensics (DFIR) tools and techniques can be used to hunt, but have some limitations: • 1. No bread crumb trail to follow • 2. Hunting requires scalability and reduced complexity • Especially if it’s to be done iteratively (think ROI) • Principle of Diminishing Returns: • The objective is not to perform a full forensics investigation • How do you know you aren’t hunting snipe? (aka something that doesn’t exist) Problem w/ focused or IOC-based hunts
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz The Hunter’s Tool Bag (Examples) • Endpoint Solutions • Scripting (Powershell, etc.) • Interactive Endpoint Hunt Solutions • Endpoint Response/Forensics Solutions • Network Analysis Solutions • passiveDNS Monitoring/Lookups • Wireshark (sort of?) • BroIDS • Data-Centric Solutions • i.e. Elastic, Hadoop, Splunk, SEIM, etc. • Fed by Endpoint Detection & Response (EDR) • Used to store/search centralized logs/events • Malware Analysis • PEStudio • Cuckoo Sandbox
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Data-centric Analysis Endpoint Validation • Enabled by centralized logging, long data retention + sophisticated security infrastructure and event visibility at all levels (network, host, etc.). • Endpoint methodology is independent of existing security infrastructure and can be performed on almost any network (aka, the rest of us) <> A Tale of Two Hunting Methodologies
PSHunt Powershell Threat Hunting Module
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz PSHunt Components/Modules • Scanners • Surveys • Discovery • Utilities • Transport & Execution functions, etc • Survey Analysis • File Analysis
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Scanners WMI Query PSHunt Remote Registry Query Scanners: Description: Used to rapidly scan remote systems for a single piece of information using remote queries. Input: Target (DNS or IP) Output: One Line (String or CSV) Invoke-RemoteScan
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Survey Deployment / Transport SMB /Schtasks PSHunt SMB SMB /WMI HTTP / FTP Utilities [Execution]: -> Start-RemoteProcess Download or Directly Encode Needed Libraries: Invoke-DownloadFile Convert-BinaryToString Convert-StringToBinary
Remote Execution & Transport Scanning Stuff
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Execution Methods • WMI (Process Call Create) • PSRemoting (Invoke-Command) • Probably not enabled…  • Remote Task Scheduler (Schtasks) • Remote Service Manager (PSExec) Domain credentials are used to enumerate and access endpoints. Protip: type this in every windows box you see:
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Discovery / Testing Access Discovery: Test-TCPPort Test-TCPPorts Get-RemoteArchitecture Get-RemotePowershellVersion Get-RemoteOperatingSystem Additions: Dsquery Powersploit -> Recon PowerView Ports and Protocols: •TCP 22 - SSH •TCP 135 - WMI / RPC •TCP 137 - NetBIOS (Name Resolution) •TCP 139 - SMB over NetBIOS •TCP 445 - Server Message Block (SMB) •TCP 5985 - PSRemoting (http) •TCP 1025 - 5000 - Legacy Win Dynamic Range •TCP 49152 - 65535 - Modern Win Dynamic Range
Windows Host Survey
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Survey: Collect from each host • Active Processes • Loaded Modules / Drivers • Floating/Injected Modules • Active Connections • Autostarts/Autoruns • Accounts • Key Event Logs (collect all the things) PSHuntSurveysSurvey.ps1 Description: Used to collect comprehensive information on the state of a windows host
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Active Processes/Modules/Drivers PSHunt’s Get-ProcessList = Get-WmiObject -Class Win32_Process + Get-Process –Module + Get-Hashes + Invoke-SigCheck (Sysinternals) + $Process.GetOwner()
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Persistence Mechanisms (Autostarts) Implementation: Wrapped Sysinternals Autorunsc* (Note: Interacting with the registry is still a pain in the ass in Powershell.) *currently best open source collection of autostart locations – unfortunately, it’s still not comprehensive
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Memory-resident Malware Analysis Description: Discover DLL Injection, Process Overwrites, etc. Uses: PSReflect Module • Uses Matt Graeber’s PSReflect Module to access Native Win32 APIs: • Implementation: VirtualQueryEx walk across process memory looking for PE Headers in RWX memory.
Survey Analysis
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Survey Analysis Modules • Initialize-ReputationData • Loads Data into $Global:FileReputation • Update-HostObject • Get-VTStatus • Get-VTReport • Group-HostObjects Survey Analysis: Description: Compare Survey Results against Reputation Data from local store and VirusTotal. Perform Outlier and Anomaly Analysis
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz VirusTotal (64+ AV Engines) Threat Intel Providers Survey.ps1 Survey Static Analysis Dynamic Analysis (Sandbox) Collect: - What’s running (i.e. Processes) - What’s triggered to run (i.e. autostarts) - Indicators of Compromise (IoCs) Reputation Database i.e. VirusTotal Cuckoo Sandbox Malwr.com File & Malware AnalysisReputation & Threat Intelligence - Hash Lookups - IP/DNS Lookups - IOC Lookups PSHunt Suspicious Executable PEStudio PowershellArsenal Survey.ps1 SurveySurvey.ps1
Finding Bad Things
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Active Processes/Modules/Drivers Some malware, even advanced types, attempt to “hide in plain sight” or within the noise of the multitude of programs running on your systems. • Initial Technique: Hash everything and compare to a signature and threat intelligence database like VirusTotal. This will clear all known-good and known-bads. • Adv. Technique: 1. Stack Remaining data and perform anomaly and outlier analysis 2. Perform static/dynamic analysis on the exe of any suspicious or out- of-place processes
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Digital Signatures? Digital Signatures: Most malware is not digitally signed by a legitimate Certificate Authority (CA). • Attackers may load their rogue CA into your local Trusted Root CA store at the time the malware is installed (requires root privileges) • Adv. Technique: • Check anomalous/outlier root CA’s serial number against whitelist or Google it for authenticity • WARNING: Some may digitally sign malware with a legitimate but compromised CA which renders this technique ineffective. - Example: The Feb ‘13 attack against Bit9 targeted their CA server
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Persistence Mechanisms Required to maintain the malware through reboots and in times of dormancy. • Scheduled Tasks, Jobs, etc. • Registry Persistence (most common) •Technique: Hash all referenced executables in registry and compare to Threat Intel Database • Boot Process Redirection (ie. Bootkits – very sophisticated!) •Technique: Evaluate raw MBR (first 512 bytes of disk0) for redirection to alternate boot loader
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Process Memory Injection • DLL Injection / Process Hallowing: 1. Allocate chunk of unprotected Read/Write/Execute (RWX) memory inside another legitimate process. 2. Load in a malicious DLL. 3. Redirect an execution thread. 4. Profit. •Adv. Technique: • Walk Process Memory looking for PE Headers in large chunks of unprotected memory (Use @mattifestation’s PSReflect) • False Positives will come from: 1. Just-in-Time (JIT) compilers – i.e. .NET and Java Apps 2. Security Software
That’s it for now. More to come…
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz PSHunt – Powershell Threat Hunting Chris Gerritz Co-Founder, Infocyte Twitter: @gerritzc Github: @singlethreaded NOTE: PSHunt will be posted on Github this week. Follow me:

Recomendados

Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 

Recomendados

Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wireInfoSec Addicts
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsIain Dickson
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsMark Arena
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 

Más contenido relacionado

La actualidad más candente

Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wireInfoSec Addicts
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsIain Dickson
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsMark Arena
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 

La actualidad más candente (20)

Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feeds
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metrics
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 

Similar a BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz

Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Toni de la Fuente
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big DataRommel Garcia
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big DataGreat Wide Open
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsJustin Warner
 
Adversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the ProsAdversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the Prossixdub
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamPriyanka Aash
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 

Similar a BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz (20)

Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Bsides Long Island 2019
Bsides Long Island 2019Bsides Long Island 2019
Bsides Long Island 2019
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The Pros
 
Adversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the ProsAdversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the Pros
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The Cloud
 
From P0W3R to SH3LL
From P0W3R to SH3LLFrom P0W3R to SH3LL
From P0W3R to SH3LL
 

Último

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz

  • 1. Hunting on the Endpoint w/ Powershell Chris Gerritz
  • 2. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Speaker Background Chris Gerritz Co-Founder, Infocyte Twitter: @gerritzc Github: @singlethreaded Prior: Chief, DCC Operations AFCERT Speaker Helped establish and led USAF’s Enterprise Hunt Team.  ~800,000 node playground Founded a company that develops hunt software and capabilities.
  • 4. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz What is Hunt? The proactive search for threats hiding within a network you control.
  • 5. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Why Hunt? Reconnaissance Exploitation Installation Command and Control Lateral Movement Exfiltration Persist Real-Time Prevention/Detection Threat Hunting Forensics Attack In Progress Breach Detection Gap Response The average breach goes undetected for more than 6+ months. Many are breached and don’t know it Network Breached Incident Discovered 6+ months average
  • 6. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Hunt vs DFIR (tl;dr it’s sort of the same, but not) • Incident response and forensics (DFIR) tools and techniques can be used to hunt, but have some limitations: • 1. No bread crumb trail to follow • 2. Hunting requires scalability and reduced complexity • Especially if it’s to be done iteratively (think ROI) • Principle of Diminishing Returns: • The objective is not to perform a full forensics investigation • How do you know you aren’t hunting snipe? (aka something that doesn’t exist) Problem w/ focused or IOC-based hunts
  • 7. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz The Hunter’s Tool Bag (Examples) • Endpoint Solutions • Scripting (Powershell, etc.) • Interactive Endpoint Hunt Solutions • Endpoint Response/Forensics Solutions • Network Analysis Solutions • passiveDNS Monitoring/Lookups • Wireshark (sort of?) • BroIDS • Data-Centric Solutions • i.e. Elastic, Hadoop, Splunk, SEIM, etc. • Fed by Endpoint Detection & Response (EDR) • Used to store/search centralized logs/events • Malware Analysis • PEStudio • Cuckoo Sandbox
  • 8. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Data-centric Analysis Endpoint Validation • Enabled by centralized logging, long data retention + sophisticated security infrastructure and event visibility at all levels (network, host, etc.). • Endpoint methodology is independent of existing security infrastructure and can be performed on almost any network (aka, the rest of us) <> A Tale of Two Hunting Methodologies
  • 10. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz PSHunt Components/Modules • Scanners • Surveys • Discovery • Utilities • Transport & Execution functions, etc • Survey Analysis • File Analysis
  • 11. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Scanners WMI Query PSHunt Remote Registry Query Scanners: Description: Used to rapidly scan remote systems for a single piece of information using remote queries. Input: Target (DNS or IP) Output: One Line (String or CSV) Invoke-RemoteScan
  • 12. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Survey Deployment / Transport SMB /Schtasks PSHunt SMB SMB /WMI HTTP / FTP Utilities [Execution]: -> Start-RemoteProcess Download or Directly Encode Needed Libraries: Invoke-DownloadFile Convert-BinaryToString Convert-StringToBinary
  • 13. Remote Execution & Transport Scanning Stuff
  • 14. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Execution Methods • WMI (Process Call Create) • PSRemoting (Invoke-Command) • Probably not enabled…  • Remote Task Scheduler (Schtasks) • Remote Service Manager (PSExec) Domain credentials are used to enumerate and access endpoints. Protip: type this in every windows box you see:
  • 15. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Discovery / Testing Access Discovery: Test-TCPPort Test-TCPPorts Get-RemoteArchitecture Get-RemotePowershellVersion Get-RemoteOperatingSystem Additions: Dsquery Powersploit -> Recon PowerView Ports and Protocols: •TCP 22 - SSH •TCP 135 - WMI / RPC •TCP 137 - NetBIOS (Name Resolution) •TCP 139 - SMB over NetBIOS •TCP 445 - Server Message Block (SMB) •TCP 5985 - PSRemoting (http) •TCP 1025 - 5000 - Legacy Win Dynamic Range •TCP 49152 - 65535 - Modern Win Dynamic Range
  • 17. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Survey: Collect from each host • Active Processes • Loaded Modules / Drivers • Floating/Injected Modules • Active Connections • Autostarts/Autoruns • Accounts • Key Event Logs (collect all the things) PSHuntSurveysSurvey.ps1 Description: Used to collect comprehensive information on the state of a windows host
  • 18. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Active Processes/Modules/Drivers PSHunt’s Get-ProcessList = Get-WmiObject -Class Win32_Process + Get-Process –Module + Get-Hashes + Invoke-SigCheck (Sysinternals) + $Process.GetOwner()
  • 19. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Persistence Mechanisms (Autostarts) Implementation: Wrapped Sysinternals Autorunsc* (Note: Interacting with the registry is still a pain in the ass in Powershell.) *currently best open source collection of autostart locations – unfortunately, it’s still not comprehensive
  • 20. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Memory-resident Malware Analysis Description: Discover DLL Injection, Process Overwrites, etc. Uses: PSReflect Module • Uses Matt Graeber’s PSReflect Module to access Native Win32 APIs: • Implementation: VirtualQueryEx walk across process memory looking for PE Headers in RWX memory.
  • 22. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Survey Analysis Modules • Initialize-ReputationData • Loads Data into $Global:FileReputation • Update-HostObject • Get-VTStatus • Get-VTReport • Group-HostObjects Survey Analysis: Description: Compare Survey Results against Reputation Data from local store and VirusTotal. Perform Outlier and Anomaly Analysis
  • 23. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz VirusTotal (64+ AV Engines) Threat Intel Providers Survey.ps1 Survey Static Analysis Dynamic Analysis (Sandbox) Collect: - What’s running (i.e. Processes) - What’s triggered to run (i.e. autostarts) - Indicators of Compromise (IoCs) Reputation Database i.e. VirusTotal Cuckoo Sandbox Malwr.com File & Malware AnalysisReputation & Threat Intelligence - Hash Lookups - IP/DNS Lookups - IOC Lookups PSHunt Suspicious Executable PEStudio PowershellArsenal Survey.ps1 SurveySurvey.ps1
  • 25. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Active Processes/Modules/Drivers Some malware, even advanced types, attempt to “hide in plain sight” or within the noise of the multitude of programs running on your systems. • Initial Technique: Hash everything and compare to a signature and threat intelligence database like VirusTotal. This will clear all known-good and known-bads. • Adv. Technique: 1. Stack Remaining data and perform anomaly and outlier analysis 2. Perform static/dynamic analysis on the exe of any suspicious or out- of-place processes
  • 26. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Digital Signatures? Digital Signatures: Most malware is not digitally signed by a legitimate Certificate Authority (CA). • Attackers may load their rogue CA into your local Trusted Root CA store at the time the malware is installed (requires root privileges) • Adv. Technique: • Check anomalous/outlier root CA’s serial number against whitelist or Google it for authenticity • WARNING: Some may digitally sign malware with a legitimate but compromised CA which renders this technique ineffective. - Example: The Feb ‘13 attack against Bit9 targeted their CA server
  • 27. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Persistence Mechanisms Required to maintain the malware through reboots and in times of dormancy. • Scheduled Tasks, Jobs, etc. • Registry Persistence (most common) •Technique: Hash all referenced executables in registry and compare to Threat Intel Database • Boot Process Redirection (ie. Bootkits – very sophisticated!) •Technique: Evaluate raw MBR (first 512 bytes of disk0) for redirection to alternate boot loader
  • 28. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Process Memory Injection • DLL Injection / Process Hallowing: 1. Allocate chunk of unprotected Read/Write/Execute (RWX) memory inside another legitimate process. 2. Load in a malicious DLL. 3. Redirect an execution thread. 4. Profit. •Adv. Technique: • Walk Process Memory looking for PE Headers in large chunks of unprotected memory (Use @mattifestation’s PSReflect) • False Positives will come from: 1. Just-in-Time (JIT) compilers – i.e. .NET and Java Apps 2. Security Software
  • 29. That’s it for now. More to come…
  • 30. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz PSHunt – Powershell Threat Hunting Chris Gerritz Co-Founder, Infocyte Twitter: @gerritzc Github: @singlethreaded NOTE: PSHunt will be posted on Github this week. Follow me:

Notas del editor

  1. Malware hunt came about because of the recognition that existing investments in services and technology – some very significant – were still failing to prevent malware from entering the department of defense networks. Quick detection post-infection was non existent and the type of behaviour that one would monitor for during the initial part of an attack would not be present after a successful malware installation. The malware often remained dormant for long period of time. Our founders not only established the first enterprise-scoped hunt team, but their success and technical processes became a cornerstone of the US DoD cyber defense strategy/posture. - Internally called the Enterprise Hunt Team, official name of the team was later changed to DCC (Defensive Counter-Cyber). Note on military terminology: Offensive Counter-Cyber = hack back, Defensive Counter-Cyber is defending and operating within home territory
  2. “Instead of conducting a penetration test to confirm that an attacker can compromise your environment (similar to confirming that water is indeed wet), you should conduct an assessment to determine which adversaries are already operating within your environment. “ - Rick Holland, Forrester (1/26/16)
  3. Security Trends: 2013 – Year of Next-Gen Firewall 2014 – Year of Threat Intel 2015 – Year of EDR 2016 – Year of Hunt
  4. I could spend all day on 1 box Focused / hypothesis-based hunts looking for one thing are usually a waste of time.
  5. Data Analytics relies on the organization already having sophisticated and complete data collection and retention of logs and events. Endpoint Hunt methodology does not rely on existing security infrastructure. Network Traffic Analysis – The perimeter is no longer well defined in networks with mobile, SaaS services, and ubiquitous encryption.
  6. This slide should only be used when in-front of a technical audience or if the question comes up. Infocyte Malware Hunter Platform (Simplified View) Server consists of three services and a database: API service is responsible for communication to the Infocyte Cloud Services Threat Intelligent Services, File Reputation Services (4.5+ Billion files) and Sandbox Services (as well as licensing) Worker service This is what deploys to endpoints and what collects endpoint scan reprots Core cervices Analytics services and the main communication bridge to the database and message broker services. Database Ports are customizable in the installer, but all communications from services and database are encrypted in a TLS 1.2 tunnel.
  7. To view your certificate stores, run certmgr.msc as described there. The "root" store contains the root CA, i.e. the CA which are trusted a priori. certmgr.msc shows you an aggregate view of all root CA which apply to the current user; internally, there are several relevant stores (the "local machine" stores apply to all users, the "current user" stores are specific to the current user; and there also are "enterprise" stores which are similar to "local machine" but meant to be filled automatically from the AD server of the current domain). See this page for a list of all CA that Microsoft puts in Windows by default; any discrepancy would be a local variation. The list is occasionally updated, and this is propagated to your computer through the normal Windows update mechanisms. http://security.stackexchange.com/questions/48437/how-can-you-check-the-installed-certificate-authority-in-windows-7-8 https://www.thawte.com/roots/
  8. Large = 2+ pages of memory (a page is 4kb). Meterpreter is around 650kb in memory, 150kb for the 1st stage but that’s big compared to most. Staged malware can be small but they won’t have very many features (i.e. communications, command parsing, search protocols) loaded at smaller sizes.