Recommended
Recommended
More Related Content
Recently uploaded
Recently uploaded (20)
Featured
Featured (20)
Detecting Malicious Activity on a Budget
- 1. Presented to fulfill degree requirements for the SANS Technology Institute’s Master of Science Detecting Malicious Activity on a Budget Presented by Sean D. Goodwin GSEC, GCIH, GCIA Master’s Degree Candidate at the SANS Technology Institute
- 2. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Objectives Identify a toolset that SMBs can implement to reduce resources needed to detect malicious activity on hosts Minimize cost and time spent analyzing event logs Minimize time spent vetting alerts for false-positive events
- 3. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Insufficient Detection Resources Small and Mid-sized Businesses (SMBs) typically lack detection capabilities Tools Training & analyst skills Inability to detect malicious actors Seeking a “plug-and-play” solution for host-based detection
- 4. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Reliance on Existing Tools Security Onion Syslog Wazuh Microsoft Sysmon SwiftOnSecurity configuration Malware Archeology Audit Policy
- 5. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Testing for Known Attacks MITRE Caldera Simulate known attack methods PsExec Pass-the-Hash xCopy (file collection for exfiltration)
- 6. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu TestCorp Network
- 7. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Adversary One: PsExec 5145: AUDIT_SUCCESS Relative Target Name: PSEXESVC-5501- WKSTN1-4020-stdout
- 8. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Adversary Two: Pass-the-Hash 4624: AUDIT_SUCCESS Logon Process: NtLmSsp Logon Type: 3 Key Length: 0
- 9. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Adversary Three: xCopy 5142: AUDIT_SUCCESS Account Name: admin02 Share Name: *Documents Share Path: C:Usersadmin02Documents
- 10. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Results Data is available, but detection is not easy All three attacks could be identified after the fact “Living off the land” makes detection harder
- 11. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Custom Alerts
- 12. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Custom Alerts
- 13. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Custom Alerts
- 14. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Custom Alerts
- 15. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Custom Alerts
- 16. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Custom Alerts
- 17. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu Summary SMBs continue to struggle detecting host-based attacks Not a “plug and play” solution for detecting all attacks Custom rules will aid in automating recurring log investigations Additional data points (network traffic) may help
Editor's Notes
- Limited resources means many SMBs cannot afford high-end commercial systems to analyze event logs and provide high quality alerts. Often, the free or low cost solutions do little analysis, leading to hours spent reviewing event logs and chasing down events that are determined to be false positives in the end. This case study sought to use no-cost software, configured with industry-accepted settings to reliably alert on malicious activity via host-based event logs. The alert dashboard should flag suspicious activity worthy of investigation, without overburdening the analyst with false-positives.
- According to the 2018 Verizon Data Breach Investigations Report, 50% of breach victims were categorized as small businesses 68% of breaches took “months or longer to discover” To make matters worse, a large percentage of small and medium-sized businesses (SMBs) identify restricted budgets as the greatest challenge to security (Untangle, n.d.). Another significant concern identified in the survey was not having enough staff to “monitor and manage security”. Identifying a toolset that minimizes cost and complexity while providing actionable alerts will enable an SMB to reduce the time required to identify a breach. 2018 Data Breach Investigations Report (Rep.). (n.d.). Verizon. Untangle. (n.d.). 2018 SMB It Security Report. Retrieved from https://www.untangle.com/2018-smb-it-security-report/
- This research focused on using existing tools and “best-practice” configurations in the spirt of getting as close as possible to a “plug-and-play” configuration. This would allow an SMB to devote minimal resources to getting a solution implemented and operational, and hopefully providing useful detection data. Security Onion was installed with the default detection rules. To provide the event log data for analysis, Windows Audit Policy was configured following the guidance of Malware Archaeology. To support these event logs, Microsoft Sysinternals Sysmon was also installed, and the SwiftOnSecurity configuration file was used. Security Onion. (n.d.). Retrieved from https://securityonion.net/ Sysmon-Config [Brochure]. (n.d.). Retrieved from https://github.com/SwiftOnSecurity/sysmon-config Sysmon - Windows Sysinternals. (2019, February 18). Retrieved from Wazuh - The Open Source Security Platform. (n.d.). Retrieved from https://wazuh.com/ WINDOWS ATT&CK LOGGING CHEAT SHEET - Win 7 - Win 2012 [Brochure]. (n.d.). Retrieved from https://www.malwarearchaeology.com/cheat-sheets Version 1.0 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2019 [Brochure]. (n.d.). Retrieved from https://www.malwarearchaeology.com/cheat-sheets Version 2.3
- Caldera was used to simulate attacks due to the automated nature and ability to test different detection capabilities without significant effort in launching each attack. Three (3) different attacks were chosen for testing, each of which represents real-world attacks as documented in the MITRE ATT&CK Framework. Mitre. (n.d.). Mitre/caldera. Retrieved from https://github.com/mitre/caldera PsExec MITRE ATT&CK: https://attack.mitre.org/software/S0029/ Pass-the-Hash MITRE ATT&CK: https://attack.mitre.org/techniques/T1075/ xCopy (file collection) MITRE ATT&CK: https://attack.mitre.org/techniques/T1039/
- The Test Corp network was designed to be a fair representation of a “typical” SMB network. This was a Windows domain network, using Server 2016 and Windows 10 workstations. Important Considerations: Some users ran a low-privilege domain user account with local admin rights to their workstation A Domain Admin had left their account logged in to the DC to simulate a user that closes an RDP connection instead of logging out Network monitoring was not used
- This Caldera campaign: Enumerates the domain to which the initial system is connected. Enumerates the privileged accounts of the domain to which the initial system is connected. Checks the system for credentials stored in memory. Executes PsExec using privileged credentials to start a RAT on another domain-joined machine. The details of this event log show that this is classified as priority “notice” by syslog, as this event is a legitimate administration tool being used by a legitimate user. Due to the Audit Policy, events that fall under Object Access – Detailed File Share (Success) (Event ID 5145) will be recorded. This will log any successful mapping of file shares. This can capture plenty of legitimate uses, so to filter this down, an analyst should look for instances of the inclusion of “PSEXECSVC” in the log data. This data can be parsed by user, to aid in identifying suspicious uses. An example of this would be looking for instances of an administrator (admin02) using PsExec on non-typical machines or at non-standard times.
- This Caldera campaign: Enumerates the domain to which the initial system is connected. Enumerates the privileged accounts of the domain to which the initial system is connected. Checks the system for credentials stored in memory. Uses the hashed password retrieved from memory to transfer a file to a remote host. Uses the hashed password retrieved from memory to start a Windows service to transfer a file to a remote host. Pass-the-Hash is another example of a legitimate action taken by users that can be leveraged by attackers. David Kennedy provides a set of data fields and values that can be used to filter a large number of authentication logs down to a manageable set for investigation (Kennedy, 2016). Specifically: Windows Event ID 4624 Logon Type = 3 Logon Process = NtLmSsP Key Length = 0 Security ID should be null (Security ID: S-1-0-0)
- This Caldera campaign: Enumerates the domain to which the initial system is connected. Enumerates the privileged accounts of the domain to which the initial system is connected. Mounts a remote network share from a second machine. Transfers a CALDERA RAT. Transfers a local file to the mounted network share. This level of filtering is time-consuming, as filters must be written to only show suspicious connections, which are likely to be buried in the white noise of valid file share access on the SMB network.
- All of the data needed to investigate these attacks was recorded in the Security Onion device, but alerts were not always generated. This is largely due to the fact that these attacks take advantage of legitimate administrative software, which makes detection harder by “hiding” among valid activities. If your team does not use features/tools – remove them from your environment, and then create custom rules to trigger in the event they are used.
- A custom rule can be created to reduce the number of queries needed by an analyst to detect potential incidents. An example of one such custom rule is shown to follow the detection advice for potential abuse of Pass-the-Hash events. Note: this will also flag legitimate uses of pass-the-hash, so additional steps may need to be added to this rule based on your environment.
- Our initial trigger is a default rule that searches for a successful Windows logon.
- Step One in our custom rule checks for our target Security ID (S-1-0-0). If this string is not found, this custom rule stops processing the log. If this string is found, the log is passed onto the next step.
- Step Two searches for our string of “Logon Type: 3”. If this string is not found, this custom rule stops processing the log. If found, the log is passed on to the next step.
- Step Three searches for our string of “Logon Process: NtLmSsp”. If this string is not found, this custom rule stops processing the log. If this string is found, the log is passed onto the next step.
- The fourth and final step of our custom rule searches for the string “Key Length: 0”. If this string is not found, this custom rule stops processing the log. If this string is found, a level 7 alert is generated.
- This project did not result in finding an easy “plug and play” solution that a SMB could implement with little effort and rely on for detection of these specific attacks. This toolset did aid in the investigation efforts after an incident, but this is not enough to satisfy the thesis of this case study, as these SMBs are already struggling with resources, which includes analyst hours. Additional data points, such as those provided via Zeek or the newly implemented DNS logs in Sysmon may provide additional context for alert generation. If you’re interested in discussing this more, I can be reached at: SeanGoodwin@protonmail.ch **** Include a link to your posted research paper. ****