Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security Onion Conference - 2016


Published on

Uncovering Persistence with Autoruns & Security Onion

Published in: Technology
  • Be the first to comment

Security Onion Conference - 2016

  1. 1. Uncovering Persistence With Autoruns & Security Onion #SOCAugusta @DefensiveDepth
  2. 2. Autoruns Boot execute. / Appinit DLLs. / Explorer addons. Sidebar gadgets (Vista and higher) Image hijacks. Internet Explorer addons. / Known DLLs. Logon startups. / WMI entries. Winsock protocol and network providers.
  3. 3. Hijacks Image hijacks at the time of log generation ELSA Query: groupby:path - Closely review any entries
  4. 4. Goals Implementation Real-World Use
  5. 5. “Pertinax” Latin: “Persistent, Stubborn” Reference Architecture
  6. 6. 1) Generate 1) Tab-delimited CSV option autorunsc -ct 2) Verify Signatures autorunsc -s 3) Logfile is named with the hostname or IP Address of the source system “DD-HR” is the name of the log for the system DD- HR
  7. 7. 2) Collect for /f %%a in (host-list.txt) do ( psexec -accepteula %%a -c autorunsc.exe -accepteula -a * -s -m -t - h -ct * > Logs%%a.csv )
  8. 8. 3) Normalize -Removal of autoruns’ header rows -Addition of unique identifier to each message -Addition of src hostname to each message -Addition of runtime to each message -Conversion to ASCII -Replacement of TAB delimiter with a Pipe
  9. 9. 4) Import & Parse <localfile> <location>C:Logsar- normalized.log</location> <log_format>syslog</log_format> </localfile> ELSA Pattern & OSSEC Decoder -Hostname, DD-HR -Category, Logon -Entry, Skype -Profile, DD-HRadmin -Company, Skype Technologies -Path, C:program files.....Skype.exe - Signer / Version / Launch String / Hashes
  10. 10. 5) View
  11. 11. Real-World Use (Daily)
  12. 12. Diff 200 entries x 50 hosts = 10,000 entries/day to review Vs. Few Hundred
  13. 13. Clients Servers
  14. 14. ELSA Queries Stacking
  15. 15. Drivers All non-disabled drivers at the time of log generation ELSA Queries: groupby:path -system32 -syswow64 groupby:company (Look for unsigned drivers)
  16. 16. Logon Common Startup areas: Run & RunOnce keys, Start Menu ELSA Queries: groupby:path, +users - Stack groupby:company - Stack
  17. 17. Internet Explorer IE Addons at the time of log generation ELSA Queries: groupby:path - Stack
  18. 18. Explorer Shell extensions, addons, etc ELSA Queries: groupby:path - Stack
  19. 19. Tasks All registered tasks on the system ELSA Queries: groupby:path - Stack
  20. 20. Services All Autostart services on the system ELSA Queries: groupby:path - Show all results outside of the System32 Folder - Stack groupby:company - Stack
  21. 21. Codecs Other Autoruns’ Categories Network Providers Winlogon LSA Providers KnownDLL Print Monitors Boot Execute WMI Office Addins
  22. 22. Wrap-Up Future Possiblities: -Virus Total Integration -OSSEC Rulesets
  23. 23. Questions? @DefensiveDepth