
Security Onion Conference - 2016


  1. Uncovering Persistence With Autoruns & Security Onion #SOCAugusta @DefensiveDepth
  2. Autoruns (live.sysinternals.com) covers: Boot execute, AppInit DLLs, Explorer addons, Sidebar gadgets (Vista and higher), Image hijacks, Internet Explorer addons, Known DLLs, Logon startups, WMI entries, Winsock protocol and network providers.
  3. Hijacks: image hijacks at the time of log generation. ELSA query: groupby:path (closely review any entries).
  4. Goals: Implementation, Real-World Use
  5. "Pertinax", Latin for "persistent, stubborn". Reference Architecture.
  6. 1) Generate: (1) tab-delimited CSV output with autorunsc -ct; (2) verify signatures with autorunsc -s; (3) the logfile is named with the hostname or IP address of the source system, e.g. "DD-HR" is the name of the log for the system DD-HR.
  7. 2) Collect: for /f %%a in (host-list.txt) do ( psexec -accepteula %%a -c autorunsc.exe -accepteula -a * -s -m -t -h -ct * > Logs\%%a.csv )
  8. 3) Normalize: remove autoruns' header rows; add a unique identifier to each message; add the source hostname to each message; add the runtime to each message; convert to ASCII; replace the TAB delimiter with a pipe.
  9. 4) Import & Parse: <localfile> <location>C:\Logs\ar-normalized.log</location> <log_format>syslog</log_format> </localfile>. ELSA pattern & OSSEC decoder fields: Hostname (DD-HR), Category (Logon), Entry (Skype), Profile (DD-HR\admin), Company (Skype Technologies), Path (C:\program files.....Skype.exe), Signer / Version / Launch String / Hashes.
  10. 5) View
  11. Real-World Use (Daily)
  12. Diff: 200 entries x 50 hosts = 10,000 entries/day to review, vs. a few hundred when only the daily diff is reviewed.
  13. Clients, Servers
  14. ELSA Queries: github.com/defensivedepth/Pertinax/wiki/Persistence-Categories. Stacking.
  15. Drivers: all non-disabled drivers at the time of log generation. ELSA queries: groupby:path -system32 -syswow64; groupby:company (look for unsigned drivers).
  16. Logon: common startup areas (Run & RunOnce keys, Start Menu). ELSA queries: groupby:path +users (stack); groupby:company (stack).
  17. Internet Explorer: IE addons at the time of log generation. ELSA queries: groupby:path (stack).
  18. Explorer: shell extensions, addons, etc. ELSA queries: groupby:path (stack).
  19. Tasks: all registered tasks on the system. ELSA queries: groupby:path (stack).
  20. Services: all autostart services on the system. ELSA queries: groupby:path, showing all results outside of the System32 folder (stack); groupby:company (stack).
  21. Codecs, and other Autoruns categories: Network Providers, Winlogon, LSA Providers, KnownDLLs, Print Monitors, Boot Execute, WMI, Office Addins.
  22. Wrap-Up. Future possibilities: VirusTotal integration; OSSEC rulesets.
  23. Questions? @DefensiveDepth github.com/defensivedepth/Pertinax
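Slides 8 and 12 describe the normalize and diff steps; the following is an added Python example (not Pertinax's own code) that turns a constructed autorunsc -ct dump into the pipe-delimited, ASCII-only records the OSSEC decoder consumes, then diffs two days' worth of records. The column names, sample entries and the hash-based id scheme are assumptions, not output captured from a real host.

```python
import csv
import hashlib
import io

# Constructed sample of `autorunsc -ct` output for host DD-HR (two entries).
# Column names mirror autorunsc's CSV layout but are an assumption here.
SAMPLE_AUTORUNS = (
    "Time\tEntry Location\tEntry\tEnabled\tCategory\tProfile\tDescription\tSigner"
    "\tCompany\tImage Path\tVersion\tLaunch String\tMD5\tSHA-1\n"
    "20160101-120000\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSkype"
    "\tenabled\tLogon\tDD-HR\\admin\tSkype\t(Verified) Skype Technologies SA"
    "\tSkype Technologies S.A.\tc:\\program files\\skype\\phone\\skype.exe\t7.0"
    "\t\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /minimized\t<md5>\t<sha1>\n"
    "20160101-120000\tHKLM\\System\\CurrentControlSet\\Services\tupdsvc\tenabled"
    "\tServices\tSystem-wide\tUpdater\t(Not verified)\t\tc:\\users\\public\\upd.exe"
    "\t1.0\tc:\\users\\public\\upd.exe\t<md5>\t<sha1>\n"
)
# Fields kept, in the order the ELSA pattern / OSSEC decoder expects them.
FIELDS = ["Category", "Entry", "Profile", "Company", "Image Path",
          "Signer", "Version", "Launch String", "MD5", "SHA-1"]

def entry_id(hostname, row):
    """Stable id from host + location + entry + image path, so the same
    persistence entry gets the same id on every run and can be diffed."""
    key = "|".join([hostname, row["Entry Location"], row["Entry"], row["Image Path"]])
    return hashlib.sha1(key.encode("utf-8", "replace")).hexdigest()[:12]

def normalize(raw_text, hostname, runtime):
    """One autorunsc dump -> pipe-delimited lines: header row dropped,
    id/hostname/runtime prepended, ASCII only, no TABs."""
    # QUOTE_NONE keeps the quotes inside launch strings as literal text.
    reader = csv.DictReader(io.StringIO(raw_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)  # DictReader eats the header
    lines = []
    for row in reader:
        values = [entry_id(hostname, row), hostname, runtime]
        values += [row.get(f) or "" for f in FIELDS]
        # Non-ASCII becomes '?'; a '|' inside a value would shift columns.
        clean = [v.encode("ascii", "replace").decode().replace("|", "/")
                 for v in values]
        lines.append("|".join(clean))
    return lines

def new_entries(previous, current):
    """Daily diff: lines whose id was not present in the previous day's log."""
    seen = {line.split("|", 1)[0] for line in previous}
    return [line for line in current if line.split("|", 1)[0] not in seen]
```

Feed the output of new_entries into the syslog-format localfile from slide 9 and only the handful of entries that changed since yesterday reach ELSA for review.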
