Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool



Windows remote PowerShell tool to deploy and retrieve scripts, utilities and tools for Incident Response and Threat Hunting

Published in: Technology
  1. 1. Michael Gough – Co-Founder IMF
  2. 2. Whoami • Blue Team Defender Ninjas, Incident Responder, Threat Hunter, Logaholic • Michael – Creator of all those Windows Logging Cheat Sheets and the Malware Management Framework • Co-Creator of “Log-MD” – The Log and Malicious Discovery Tool • BDIR Podcast - “Brakeing Down Incident Response” • Special SHOUT OUT to – Olaf Hartong @OlafHartong – Josh Rickard @MSAdministrator
  3. 3. The Challenge
  4. 4. So what’s the problem? • There is an event • We would like to investigate it • We walk in with our laptops – Or you use one of your systems • What tools can you or we use to look across all your Windows systems? • Without installing anything!!!! • Using what is already on all Windows systems
  5. 5. What are our options? • Use what we already have like SCCM, BigFix, etc. • Install a tool with an agent, deal with more agent bloat and agent interaction • Remote into the system • Do a forensics acquisition • Use what is already on the system, living-off-the-land • What we need is already found on all Windows systems! • How can we share what we do with enterprise solutions? • Use something the community can contribute to
  6. 6. The Challenge • Whether you are a Blue Teamer investigating your own environment • Or a consultant investigating a client • We need a way to execute a wide range of tools, utilities and scripts remotely to 1, 100 or 1000 systems • It needs to be flexible enough to allow us to run, respond, and hunt for many things
  7. 7. Requirements • Fits on a thumb drive • Can run scripts • Can run tools (no GUI) • Can run utilities (no GUI) • Can run larger jobs (Hash/Registry snapshots) • Schedule Jobs that can run things on a regular basis
  8. 8. Requirements • Walk in with a laptop • Or use one of your systems • Domain attached and domain creds • No requirement to install anything • Well… we want you to upgrade to PowerShell v5 • PS v5 is the only way to get good PowerShell logging – You didn’t think I wasn’t going to mention the Malware Archaeology Cheat Sheets did you?
  9. 9. What do you have and use? • What tools do you use for Threat Hunting and Incident Response? • A bunch of utilities, tools, scripts? • An EDR/EPP solution? • Open Source tools and projects? • Do you have anything? • More importantly do you have budget?
  10. 10. My Top 10 List of tools 1. Log Management – Centralize data collection – Query all the data 2. BigFix or equivalent – Query anything you want on a system – Run scripts, utilities, tools, etc. – Run remediation jobs 3. LOG-MD – Log Harvesting – Hunting – AutoRuns – PowerShell – SRUM – Much more
  11. 11. My Top 10 4. 5. 6. 7. 8. 9. 10.
  12. 12. The problem I wanted to solve • I want to query all the things #2 • I want to run scripts, utilities, tools #2 • I want to have the option to centralize the data #1 • I want to query that data #1 • I don’t want to, or can’t install anything • Of course I want to run my favorite utility/tool – LOG-MD-Professional
  13. 13. The problem I wanted to solve • I am one of the creators of LOG-MD • It is a great utility/tool • It does a LOT of what I need to investigate a system • I just needed a way to run it remotely on 1, 100 or 1000 systems to do Threat Hunting and/or Incident Response • And pull back the reports and organize them • Maybe even collect them into a Log Management solution #1 • Without an enterprise solution like BigFix #2
  14. 14. Get to it
  15. 15. 3 years ago… • We announced LOG-MD at this very conference • Today we would like to announce the release of… • ATT&CK Remote Threat Hunting Incident Response
  16. 16. PowerShell? • PowerShell is on every Windows system • Can we use that? • But can we run our own special binaries? • We love our own tools • Create scripts • Something modular • Allows for community support
  17. 17. • A modular framework • Leverages an existing project that we modified to do what we wanted and needed • KANSA was good, but lacked some capabilities • I needed to run all features of LOG-MD and pull the reports back • KANSA did not work well at all for LOG-MD • And run other utilities, say Sysinternals
  18. 18. • So KANSA did some kewl stuff, just not enough • So we modified it • We had a couple issues • Olaf Hartong helped us with report retrieval • Josh Rickard helped us with scheduled tasks • Once these changes were added suddenly we had something that gave me a LOT of what BigFix could do
  19. 19. MITRE ATT&CK™
  20. 20. What does ATT&CK have to do with it? • We LOVE MITRE ATT&CK • It is a GREAT place to map your hunts to • Or what to detect and hunt for • It’s what your adversaries ACTUALLY do in their attacks • If you can detect and/or hunt for the techniques in MITRE ATT&CK… you are WAY ahead of most
  21. 21. MITRE ATT&CK™ • The A in ARTHIR stands for ATT&CK™ • The idea here is to encourage you and anyone making modules to map their efforts to MITRE ATT&CK • Help us Help the rest of us • Take this information and any other detection and hunting you can do and add it to YOUR own ATT&CK Matrix
  22. 22. Add your ATT&CK Mappings • Check MITRE ATT&CK Tactics and Techniques and add them to the ARTHIR module • Map them to an overall matrix
  23. 23. Cheat Sheets • We released two ATT&CK cheat sheets as a part of my SANS THIR talk in NOLA last year • The goal was to see how good, or bad, really good logging would be for detecting or hunting the techniques in ATT&CK • It was shocking how much coverage there was • Over 80%
  24. 24. Fill out YOUR ATT&CK Matrix
  25. 25. Remote • The R in ARTHIR stands for Remote • We need to be able to hunt and respond remotely • Execute what we want on 1, 10, 100, or 1000 systems • And not 1 by 1 like you would have to with RDP or some EDRs • Bring back results to a central system • Like BigFix can do
  26. 26. Threat Hunting • The TH in ARTHIR stands for Threat Hunting • We need to be able to hunt for artifacts from the techniques the adversaries use • Run additional tools and utilities to hunt • Centrally send results to say… log management
  27. 27. Incident Response • The IR in ARTHIR stands for Incident Response • We need to be able to respond to an attack • Do additional investigation from an alert • Run additional tools and utilities • Centrally send results to say… log management
  28. 28. Modular • We used the KANSA framework • Even ported a few of the KANSA modules • This framework design worked for us, no reason to totally reinvent the wheel • Create a module, add it to modules.conf • Run the execution parameters • Retrieve the reports
  29. 29. RECON • We provided some PowerShell scripts to get system names from Active Directory • You need to build a list of systems • And we provided a Ping script so you can test those system names are alive • Add these to Hosts.txt to run your modules against
  30. 30. Available modules • Several more popular KANSA modules have been converted • More will be done as we move forward and need them • We provided templates so YOU can do it too • Remember that ‘community can contribute’ statement from earlier?
  31. 31. Root Directory • ATT&CK – Some ATT&CK Matrix you can use • Documentation – How To Documentation • Known 3rd-Party – Known 3rd party modules for ARTHIR • Modules – Where all the modules are and modules.conf • Recon – Where Recon scripts live • ARTHIR.ps1 – The main ARTHIR script • Hosts.txt – Where you place hosts to run modules on
  32. 32. Module types • Bin – Where you place .EXE and Zip files • Cleanup – Module(s) to delete ARTHIR remnants • Info – Modules to collect info about a system • Kansa_Legacy – Converted KANSA modules • LOG-MD – All LOG-MD modules • LOG-MD_Tasks – Modules to schedule LOG-MD hourly/daily • Sysinternals – Converted KANSA Sysinternals modules • Templates – Templates to make your own modules
  33. 33. KANSA converted modules ### Configuration modules # Kansa_LegacyConfigGet-Anti-MW-HealthStatus.ps1 # Kansa_LegacyConfigGet-Anti-MW-InfectionStatus.ps1 # Kansa_LegacyConfigGet-Hotfix_Patches.ps1 # Kansa_LegacyConfigGet-Local_Accounts.ps1 # Kansa_LegacyConfigGet-Local_Admin_Accounts.ps1 ### Log modules # Kansa_LegacyLogGet-AppCompatCache.ps1 # Kansa_LegacyLogGet-CBS_Log.ps1
  34. 34. KANSA converted modules ### Network modules # Kansa_LegacyDiskGet-Temp_Dir_Listing.ps1 # Kansa_LegacyDiskGet-User_Name_Dir_Listing.ps1 # Kansa_LegacyDiskGet-User_Name_Dir_Listing_List_of_Extensions.ps1 # Kansa_LegacyDiskGet-Users_Dir_Listing.ps1 ### Network modules # Kansa_LegacyNetGet-Arp.ps1 # Kansa_LegacyNetGet-DNS-Cache.ps1 # Kansa_LegacyNetGet-Net-IP-Interface.ps1 # Kansa_LegacyNetGet-Netstat.ps1 ### Cleanup/Delete ARTHIR folders # CleanupGetDelete_ARTHIR_Folders.ps1
  35. 35. Templates • Get-Binary-Template.ps1 • Get-Script-Template.ps1 • Get-Task-Template-Daily.ps1 • Get-Task-Template-Hourly.ps1 • Get-Zip-Template.ps1 • Variables used to make editing/changing modules easier than KANSA
  36. 36. Modules for Utility/Tools • LOG-MD… Duh • LOG-MD Free Edition • LOG-MD-Professional, all features • LOG-MD-Professional Tasks, Hourly & Daily • Sysinternals – Sigcheck • Sysinternals - Handle
  37. 37. DEMO
  38. 38.
  39. 39. You will make PowerShell noise • Since ARTHIR uses PowerShell… • The adversaries use PowerShell • You will add events to the PowerShell logs • So test and whitelist the scriptblocks that ARTHIR creates • Make it easier to hunt the bad • LOG-MD provides a Whitelist_PowerShell.txt with many exclusions
  40. 40. Some ARTHIR PS Exclusions # ARTHIR related items to exclude known ARTHIR components # *ARTHIR - * *## ARTHIR* *$ARTHIR_Dir* *CODE ARTHIR* *ARTHIR* *$ARTHIR_OutputDir* *value="ProcessName. ProcId. HandleId. Owner. Type. Perms. Name* *Write-Output "Prefetch not enabled on* # # More generic ARTHIR scriptblocks # *PackageManagement.format.ps1xml* *NestedModules="Microsoft.PowerShell.Commands.Management.dll* *RootModule = "Microsoft.PowerShell.PackageManagement.dll* *System.Management.Automation.PSDriveInfo] $driveInfo* *Microsoft.PowerShell.ManagementTest-Path $pathToValidate* *Microsoft.PowerShell.ManagementTest-Path $getPathItems* *function PSCopyFileFromRemoteSession* *function PSGetFileMetadata* *function PerformCopyFileFromRemoteSession* *function PSSourceSupportsAlternateStreams* *indentString = "+ PSComputerName : " + $originInfo.PSComputerName* *-ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView* *# .ExternalHelp System.Management.Automation.dll-help.xml*
  41. 41. Conclusion • Try it you’ll like it • Mikey does… • Contribute • Send us ideas • It’s Open Source on GitHub
  42. 42. Resources
  43. 43. Cheat Sheets • Windows ATT&CK Logging Cheat Sheet • Windows ATT&CK LOG-MD Cheat Sheet • ATT&CK Matrix Spreadsheet template – Comes with ARTHIR • Get ARTHIR
  44. 44. MITRE ATT&CK™ Sites • MITRE ATT&CK • Enterprise • ATT&CK Navigator
  45. 45. Recommended Sites • OSSEM - Open Source Security Events Metadata • SOCPrime SIGMA to SIEM converter • SIGMA - Generic Signature Format for SIEM Systems • Red Canary Atomic Red Team • MATE - MITRE ATT&CK® Technique Emulation • Atomic Threat Coverage
  46. 46. Recommended Sites The ThreatHunter-Playbook • Playbook OLAF Hartong ThreatHunting | A Splunk app mapped to MITRE ATT&CK to guide your threat hunts • Sysmon-modular | A Sysmon configuration repository for everybody to customize
  47. 47. Videos MITRE ATT&CKCon
  48. 48. Questions • You can find us on the Twitters – @HackerHurricane • Preso will be on SlideShare and linked on • Listen to the PodCast to hear the rest of this topic –
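
An added example (not part of the original slides, and not LOG-MD or ARTHIR code) of how wildcard exclusions like those on slide 40 can be applied to PowerShell script block log events, so that only script blocks ARTHIR does not account for remain to be hunted. The function names and the sample events are constructed for illustration; the live-log reader assumes script block logging (Event ID 4104) is enabled.

```powershell
# Exclusion patterns taken from the slide-40 list (entries without [ or ],
# which -like would interpret as a wildcard character class).
$Exclusions = @(
    '*## ARTHIR*'
    '*$ARTHIR_Dir*'
    '*$ARTHIR_OutputDir*'
    '*function PSCopyFileFromRemoteSession*'
    '*function PSGetFileMetadata*'
)

function Test-ExcludedScriptBlock {
    # True when the script block text matches any exclusion wildcard.
    param([string]$Text, [string[]]$Patterns)
    foreach ($pattern in $Patterns) {
        if ($Text -like $pattern) { return $true }
    }
    return $false
}

function Select-UnexcludedScriptBlock {
    # Passes through only the events that no exclusion accounts for.
    param([Parameter(ValueFromPipeline)]$InputObject, [string[]]$Patterns)
    process {
        if (-not (Test-ExcludedScriptBlock -Text $InputObject.ScriptBlockText -Patterns $Patterns)) {
            $InputObject
        }
    }
}

function Get-ScriptBlockEvent {
    # Reads script block logging events (Event ID 4104) from the local log.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents |
        ForEach-Object {
            [pscustomobject]@{
                Computer        = $_.MachineName
                TimeCreated     = $_.TimeCreated
                ScriptBlockText = [string]$_.Properties[2].Value
            }
        }
}

# Constructed sample events standing in for collected 4104 records.
$Sample = @(
    [pscustomobject]@{ Computer = 'WS01'; ScriptBlockText = '## ARTHIR module: collect reports into $ARTHIR_OutputDir' }
    [pscustomobject]@{ Computer = 'WS01'; ScriptBlockText = 'function PSGetFileMetadata { param($Path) }' }
    [pscustomobject]@{ Computer = 'WS02'; ScriptBlockText = 'Get-ChildItem C:\Users -Recurse -Filter *.ps1' }
)
$Sample | Select-UnexcludedScriptBlock -Patterns $Exclusions
```

To run it against a real log, pipe `Get-ScriptBlockEvent` into `Select-UnexcludedScriptBlock` instead of `$Sample`. Broad patterns such as `*ARTHIR*` exclude any script block containing that string, so keep each exclusion as specific as your testing allows.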