Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Hunters ATT&CKing
With The Right Data
1
@Cyb3rWard0g
● Adversary Detection Analyst @SpecterOps
● Author:
○ ThreatHunter-Playbook
○ Hunting ELK (HELK)
○ ATTACK-Pyt...
@Cyb3rPandaH
● Cyber Security Student @NOVAcommcollege
● Author:
○ Tableau-ATTCK
● Contributor:
○ ThreatHunter-Playbook, H...
Agenda
● Current Threat Hunting & Data Overview
● Threat Hunting & ATT&CK
● What else do I need to know about ATT&CK data ...
Threat Hunting & Data
LOG IT ALL-> HUNT-> FIND EVIL- REPEAT … Right?,
Maybe?
5
Threat Hunting
What can be
automated?
- Not everything can be
automated
- Enhance SOC
operations
Lessons Learned
- Metrics...
Threat Hunting
What can be
automated?
- Not everything can be
automated
- Enhance SOC
operations
Lessons Learned
- Metrics...
Threat Hunting
What can be
automated?
- Not everything can be
automated
- Enhance SOC
operations
Lessons Learned
- Metrics...
What can be
automated?
- Not everything can be
automated
- Enhance SOC
operations
Lessons Learned
- Metrics
- Report Findi...
What can be
automated?
- Not everything can be
automated
- Enhance SOC
operations
Lessons Learned
- Metrics
- Report Findi...
Data Swamps & Threat Hunting (Reality)
11
More data = More problems?
● This benefits security analysts from a data availability perspective!
● How do you prioritize...
Yeah, do you know your data?
But, do you know your logs?
13
Threat Hunting & ATT&C
How are you doing it?
14
Threat Hunting & ATT&CK
https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philo...
Threat Hunting & ATT&CK: Create Account
16https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attac...
What is a data source?
“Source of information collected by a sensor or logging system that may
be used to collect informat...
Threat Hunting & ATT&CK
Data SourcesHelp
detect
18https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mit...
Threat Hunting & ATT&CK
https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philo...
What else do I need to kn
about that?
20
Main Goals
● Expand on the current ATT&CK data sources (Extra Context)
● Help to prioritize the collection of event logs
●...
Defining a data mapping
methodology
What worked for us!
22
Our Methodology
● Explore ATT&CK data sources
● Document event logs related to ATT&Ck data sources
● Develop a data model
...
Explore ATT&CK Data So
What can we do with ATT&CK data sources?
24
How do I access ATT&CK Metadata?
25
ATTACK-Python-Client Github Project
● A Python module to access up to date ATT&CK content available in
STIX via public TAX...
ATTACK-Python-Client Installation
● Via PIP: pip install attackcti
● Or Straight from Source
○ git clone
https://github.co...
ATT&CK Metadata- Jupyter Notebook
https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 28
ATT&CK Techniques (478) and Data Sourc
● Almost 46% of techniques have
data sources defined
● Around 54% of techniques do ...
ATT&CK Techniques (478) and Data Sourc
https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 30
Looking for anything to do this weekend?
https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 31
ATT&CK Techniques with Data Sources (21
https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 32
Proce...
ATT&CK Techniques with Data Sources (21
https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 33
Proce...
ATT&CK Windows Data Sources & Platform
34https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
ATT&CK Techniques with Data Sources (21
https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 35
Proce...
Prioritization of ATT&CK Data Sources
36
Only 19 (9%)
techniques require
1 data source.
200 techniques
require at least 2
...
Prioritization of ATT&CK Data Sources (Top
37https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
Document Event Logs
What event logs are related to ATT&CK data sources
38
Windows Technique: Credential In Registry
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
39
Windows Security 4688- Process Creation
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
40
Windo...
Windows Security 4689- Process Termination
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
41
Wi...
Windows Sysmon 1- Process Create
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
42
Windows
Sysm...
Windows Sysmon 10- Process Accessed
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
43
Windows
S...
Data Dictionaries
44
Windows
Sysmon
https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_S...
Another reason why I should document my
https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverti...
Develop A Data Model
46
Defining data objects and their relationships
What is a data model?
● A data model basically determines the structure of data and the
relationships identified among eac...
Data Model Levels
https://www.1keydata.com/datawarehousing/data-modeling-levels.html 48
Conceptual Model Design Logical Mo...
Data Modeling & Cyber Threat Intelligence
https://oasis-open.github.io/cti-stix-visualization/?url=https://raw.githubuserc...
Data Modeling & Cyber Threat Intelligence
https://oasis-open.github.io/cti-documentation/examples/threat-actor-leveraging-...
What about data modeling and security eve
51
Process
IPFile
What about data modeling and security eve
52
Process
IPconnected_toFile created
What about data modeling and security eve
53
Process
IPconnected_toFile created
process_name
process_command_line
process_...
What about data modeling and security eve
54
Process
IPconnected_toFile created
process_name
process_command_line
process_...
Sysmon Data Model After Documentation
55https://github.com/Cyb3rWard0g/presentations/blob/master/SANS_THIR_2018.pdf
Windows Technique: Credential In Registry
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
56
Windows Technique: Credential In Registry
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
57
Pro...
ATT&CK Data Sources & Data Modeling
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
58
Process
C...
ATT&CK Data Sources & Data Modeling
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
59
Process
C...
ATT&CK Data Sources & Data Modeling
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
60
Process
C...
ATT&CK Data Sources & Data Modeling
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
61
Process
C...
ATT&CK Data Sources & Data Modeling
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
62
Registry
...
ATT&CK Data Sources & Data Modeling
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
63
Registry
...
ATT&CK Data Sources & Data Modeling
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
64
Registry
...
ATT&CK Data Sources & Data Modeling
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
65
Registry
...
ATT&CK Data Sources & Data Modeling
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
66
Registry
...
Map Event Logs To
ATT&CK Data Sources
Blue Teamer: What you have VS what you need!
Red Teamer: What you might look like!
67
ATT&CK Data Sources & Data Modeling
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
68
ATT&CK Data Sources & Data Modeling
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
69
Process C...
ATT&CK Data Sources & Event Logs
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
70
Process Crea...
ATT&CK Data Sources & Event Logs
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
71
Process Crea...
ATT&CK Data Sources & Event Logs
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
72
Process Crea...
ATT&CK Data Sources & Event Logs
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
73
Process Crea...
Prioritization of ATT&CK Data Sources (Top
74https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
File& Process Monitoring (66 Techniques)
68
Process
Monitoring
File Monitoring
75
Process Creation Security 4688
Sysmon 1
...
File& Process Monitoring (Technique variat
68
Process
Monitoring
File Monitoring
76
Process Creation Security 4688
Sysmon ...
From an ATT&CK Data Sources to Event Lo
77
Where do I get this information?
78
● Data Dictionaries
○ Windows (Security, Sysmon, etc)
○ Carbon Black Logs
● Data Model...
Hunters ATT&CKing
with the right data!
Threat Hunting Operations
79
Threat Hunting Approach
80
Identify technique(s)
Define Technique
Variation
Generate Hypothesis
Simulate Technique
Variati...
Threat Hunting & Data
81
Identify technique(s)
Define Technique
Variation
Generate Hypothesis
Simulate Technique
Variation...
Hunters ATT&CKing
with the right data!
Detecting potential “overpass-the-hash” techniques
82
Identify Technique: Pass the Hash
“Pass the hash (PtH) is a
method of authenticating as a
user without having access to
th...
Define Technique Variation: Overpass-The-Hash
https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microso...
Technical Details: Normal kerberos Authent
https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys...
Technical Details: Overpass-the-hash
https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-...
Technical Details: Mimikatz- Overpass-The-Hash
https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth 87
● mimi...
Technical Details: Mimikatz- Overpass-The-Hash
https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth 88
Mimikatz- pth: Security Event 4673 (Client Si
89
Field Values
process_name mimikatz.exe
service_name Security
service_priv...
Mimikatz- pth: Security Event 4673 (Client Si
90
Field Values
process_name lsass.exe
service_name LsaRegisterLogonProcess(...
Mimikatz- pth: Security Event 4624 (Client Si
91
Field Values
logon_type 9
user_name cbrown
user_network_account_name pedr...
Mimikatz- pth: Security Event 4656 (Client Si
92
Field Values
process_name mimikatz.exe
process_granted_access 0x1010
targ...
Mimikatz- pth: Security Event 4656 (Client Si
93
Field Values
process_name mimikatz.exe
process_granted_access 0x1038
targ...
Mimikatz- pth: Security Event 5158 (Client Si
94
Field Values
process_name lsass.exe
src_ip 0.0.0.0
src_port 50066
Process...
Mimikatz- pth: Security Event 5156 (Client Si
95
Field Values
process_name lsass.exe
dst_ip 192.168.64.147
dst_port 88
Pro...
Mimikatz- pth: Sysmon Event 3 (Client Side)
96
Field Values
process_name lsass.exe
dst_ip 192.168.64.147
dst_port 88
user_...
Mimikatz- pth: Security Event 4648 (Client Si
97
Field Values
user_name cbrown
target_user_name pedro
target_host_name DC-...
Mimikatz- pth: Security Event 4768 (Server S
98
Field Values
user_name pedro
ticket_encryption_type 0x17
src_ip 192.168.64...
Mimikatz- pth: Security Event 4769 (Server S
99
Field Values
user_name pedro
ticket_encryption_type 0x12
src_ip 192.168.64...
Mimikatz- pth: Security Event 4769 (Server S
100
Field Values
user_name pedro
ticket_encryption_type 0x12
src_ip 192.168.6...
Mimikatz- pth: Security Event 4624 (Server S
101
Field Values
user_name pedro
logon_type 3
src_ip 192.168.64.137
service_n...
Mimikatz- pth: Security Event 5140 (Server S
102
Field Values
user_name pedro
share_name *C$
src_ip 192.168.64.137
Network...
Technical Details: Rubeus- Overpass-the-hash
https://github.com/GhostPack/Rubeus 103
● Rubeus is a C# re-implementation of...
Technical Details: Rubeus- Overpass-the-hash
https://github.com/GhostPack/Rubeus 104
Rubeus- ptt: Security Event 4673 (Client Side
105
Field Values
process_name rubeus.exe
service_privilege SeCreateGlobalPri...
Rubeus- ptt: Security Event 5158 (Client Side
106
Field Values
process_name rubeus.exe
src_ip 0.0.0.0
src_port 50209
Proce...
Rubeus- ptt: Security Event 5156 (Client Side
107
Field Values
process_name rubeus.exe
dst_ip 192.168.64.147
dst_port 88
P...
Rubeus- ptt: Sysmon 3 (Client Side)
108
Field Values
process_name rubeus.exe
dst_ip 192.168.64.147
dst_port 88
user_name c...
Rubeus- ptt: Security Event 4768 (Server Sid
109
Field Values
user_name pedro
ticket_encryption_type 0x17
service_name krb...
Rubeus- ptt: Security Event 4769 (Server Sid
110
Field Values
user_name pedro
ticket_encryption_type 0x12
service_name DC-...
Rubeus- ptt: Security Event 4624 (Server Sid
111
Field Values
user_name pedro
logon_type 3
logon_process Kerberos
src_ip 1...
Rubeus- ptt: Security Event 5140 (Server Sid
112
Field Values
user_name pedro
share_name *C$
src_ip 192.168.64.137
Network...
Mimikatz vs Rubeus- Kerberos Authentication
113
Mimikatz vs Rubeus- Kerberos Authentication
114
Mmmm… Who else connects to the DC via
115
Mmmm… Who else connects to the DC via
116
Mmmm… Who else connects to the DC via
117
Mmmm… Rubeus?
118
Mimikatz Data Mapping- Pass The Hash- T1075
119
T1075
Authentication
Logs
Process
Monitoring
User Account Successful Authe...
Rubeus Data Mapping- Pass The Hash- T1075
120
T1075
Authentication
Logs
Process
Monitoring
User Account Successful Authent...
Thank You! Muchas Grac
121
References
OSSEM:https://github.com/Cyb3rWard0g/OSSEM
HELK:https://github.com/Cyb3rWard0g/HELK
Rubeus: https://github.com/...
THREAT HUNTING SLACK CHANNEL
123
Upcoming SlideShare
Loading in …5
×

MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, SpecterOps and Jose Luis Rodriguez, Student

2,351 views

Published on

With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.

This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.

Published in: Technology

MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, SpecterOps and Jose Luis Rodriguez, Student

  1. 1. Hunters ATT&CKing With The Right Data 1
  2. 2. @Cyb3rWard0g ● Adversary Detection Analyst @SpecterOps ● Author: ○ ThreatHunter-Playbook ○ Hunting ELK (HELK) ○ ATTACK-Python-Client ○ OSSEM (Open Source Security Event Metadata) ● Form er: Capital One - USA, Senior Threat Hunter 2https://github.com/Cyb3rWard0g
  3. 3. @Cyb3rPandaH ● Cyber Security Student @NOVAcommcollege ● Author: ○ Tableau-ATTCK ● Contributor: ○ ThreatHunter-Playbook, HELK, OSSEM ● Form er: UNACEM- Peru, Senior Business Intelligence Analyst 3https://github.com/Cyb3rPanda
  4. 4. Agenda ● Current Threat Hunting & Data Overview ● Threat Hunting & ATT&CK ● What else do I need to know about ATT&CK data sources? ● Defining a data mapping methodology ● ATT&CKing with the right data! ○ Data mapping examples 4
  5. 5. Threat Hunting & Data LOG IT ALL-> HUNT-> FIND EVIL- REPEAT … Right?, Maybe? 5
  6. 6. Threat Hunting What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop HypothesisThreat Hunting 6
  7. 7. Threat Hunting What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 7 Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
  8. 8. Threat Hunting What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 8 Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
  9. 9. What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 9 Threat Hunting Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
  10. 10. What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 10 Threat Hunting Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
  11. 11. Data Swamps & Threat Hunting (Reality) 11
  12. 12. More data = More problems? ● This benefits security analysts from a data availability perspective! ● How do you prioritize collection of event logs? ● Do you know what you are collecting? ● Do you know the data you are collecting? ● Again, do you know the data you are collecting? 12
  13. 13. Yeah, do you know your data? But, do you know your logs? 13
  14. 14. Threat Hunting & ATT&C How are you doing it? 14
  15. 15. Threat Hunting & ATT&CK https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf 15 Threat Hunting Identify adversarial technique Develop a hypothesis
  16. 16. Threat Hunting & ATT&CK: Create Account 16https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf
  17. 17. What is a data source? “Source of information collected by a sensor or logging system that may be used to collect information relevant to identifying the action being performed, sequence of actions , or the results of those actions by an adversary .” https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf 17
  18. 18. Threat Hunting & ATT&CK Data SourcesHelp detect 18https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf
  19. 19. Threat Hunting & ATT&CK https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf Data SourcesHelp detect 19
  20. 20. What else do I need to kn about that? 20
  21. 21. Main Goals ● Expand on the current ATT&CK data sources (Extra Context) ● Help to prioritize the collection of event logs ● Define a methodology to map event logs to ATT&CK data sources ● Allow blue teamers to understand what they could use to validate the detection of specific adversarial techniques ● Allow red teamers to understand what they might look like in the environment while using specific adversarial techniques ● Learn more about event logs and ATT&CK data sources 21
  22. 22. Defining a data mapping methodology What worked for us! 22
  23. 23. Our Methodology ● Explore ATT&CK data sources ● Document event logs related to ATT&Ck data sources ● Develop a data model ● Map event logs to ATT&CK data sources ● Validate data mappings 23
  24. 24. Explore ATT&CK Data So What can we do with ATT&CK data sources? 24
  25. 25. How do I access ATT&CK Metadata? 25
  26. 26. ATTACK-Python-Client Github Project ● A Python module to access up to date ATT&CK content available in STIX via public TAXII server. It leverages cti -python -stix2 and cti - taxii -client python libraries developed by MITRE. ● Goals ○ Allow the integration of ATT&CK content with other platform s ○ Allow security analysts to quickly explore ATT&CK content and apply it in their daily operations ○ Explore all available ATT&CK m etadata at once ○ Learn STIX2 and TAXII Client Python libraries https://github.com/Cyb3rWard0g/ATTACK-Python-Client 26
  27. 27. ATTACK-Python-Client Installation ● Via PIP: pip install attackcti ● Or Straight from Source ○ git clone https://github.com/Cyb3rWard0g /ATTACK-Python-Client ○ cd ATTACK-Python-Client ○ pip install . ● Jupyter Notebooks Available ○ pip install -r requirements.txt ○ cd notebooks ○ jupyter lab https://github.com/Cyb3rWard0g/ATTACK-Python-Client 27
  28. 28. ATT&CK Metadata- Jupyter Notebook https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 28
  29. 29. ATT&CK Techniques (478) and Data Sourc ● Almost 46% of techniques have data sources defined ● Around 54% of techniques do NOT have data sources defined ● Pre-ATT&CKdata sources m aybe? ● Opportunities to collaborate and define those without data sources? https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 29
  30. 30. ATT&CK Techniques (478) and Data Sourc https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 30
  31. 31. Looking for anything to do this weekend? https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 31
  32. 32. ATT&CK Techniques with Data Sources (21 https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 32 Process Monitoring: 157 TechniquesFile Monitoring: 90 Techniques Process Command Line: 87 Techniques
  33. 33. ATT&CK Techniques with Data Sources (21 https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 33 Process Monitoring: 157 TechniquesFile Monitoring: 90 Techniques Process Command Line: 87 Techniques
  34. 34. ATT&CK Windows Data Sources & Platform 34https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
  35. 35. ATT&CK Techniques with Data Sources (21 https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 35 Process Monitoring: 157 TechniquesFile Monitoring: 90 Techniques Process Command Line: 87 Techniques
  36. 36. Prioritization of ATT&CK Data Sources 36 Only 19 (9%) techniques require 1 data source. 200 techniques require at least 2 data sources to analyze them … MORE CONTEXT https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
  37. 37. Prioritization of ATT&CK Data Sources (Top 37https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
  38. 38. Document Event Logs What event logs are related to ATT&CK data sources 38
  39. 39. Windows Technique: Credential In Registry T1214 Windows Registry Process Monitoring Process Command-Line Parameters 39
  40. 40. Windows Security 4688- Process Creation T1214 Windows Registry Process Monitoring Process Command-Line Parameters 40 Windows Security
  41. 41. Windows Security 4689- Process Termination T1214 Windows Registry Process Monitoring Process Command-Line Parameters 41 Windows Security
  42. 42. Windows Sysmon 1- Process Create T1214 Windows Registry Process Monitoring Process Command-Line Parameters 42 Windows Sysmon
  43. 43. Windows Sysmon 10- Process Accessed T1214 Windows Registry Process Monitoring Process Command-Line Parameters 43 Windows Sysmon
  44. 44. Data Dictionaries 44 Windows Sysmon https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf
  45. 45. Another reason why I should document my https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf 45
  46. 46. Develop A Data Model 46 Defining data objects and their relationships
  47. 47. What is a data model? ● A data model basically determines the structure of data and the relationships identified among each other. ● MITRE Data Model: ○ Strongly inspired by CybOX, is an organization of the objects that m ay be m onitored from a host-based or network-based perspective. https://car.m itre.org/wiki/Data_Model ● STIX™ Version 2.0. Part 4: Cyber Observable Objects ○ http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part4-cyber- observable-objects.htm l 47
  48. 48. Data Model Levels https://www.1keydata.com/datawarehousing/data-modeling-levels.html 48 Conceptual Model Design Logical Model Design Physical Model Design
  49. 49. Data Modeling & Cyber Threat Intelligence https://oasis-open.github.io/cti-stix-visualization/?url=https://raw.githubusercontent.com/oasis-open/cti- documentation/master/examples/example_json/threat-actor-leveraging-attack-patterns-and-malware.json 49
  50. 50. Data Modeling & Cyber Threat Intelligence https://oasis-open.github.io/cti-documentation/examples/threat-actor-leveraging-attack-patterns-and-malware 50
  51. 51. What about data modeling and security eve 51 Process IPFile
  52. 52. What about data modeling and security eve 52 Process IPconnected_toFile created
  53. 53. What about data modeling and security eve 53 Process IPconnected_toFile created process_name process_command_line process_guid file_name file_directory process_guid dst_ip src_ip process_guid
  54. 54. What about data modeling and security eve 54 Process IPconnected_toFile created process_name process_command_line process_guid file_name file_directory process_guid dst_ip src_ip process_guid
  55. 55. Sysmon Data Model After Documentation 55https://github.com/Cyb3rWard0g/presentations/blob/master/SANS_THIR_2018.pdf
  56. 56. Windows Technique: Credential In Registry T1214 Windows Registry Process Monitoring Process Command-Line Parameters 56
  57. 57. Windows Technique: Credential In Registry T1214 Windows Registry Process Monitoring Process Command-Line Parameters 57 Process Creation Process Termination Process Write To Process Process Access
  58. 58. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 58 Process Creation Process Termination Process Write To Process Process Access Process Processcreated
  59. 59. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 59 Process Creation Process Termination Process Write To Process Process Access Process User Processcreated terminated Process
  60. 60. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 60 Process Creation Process Termination Process Write To Process Process Access Process Process Process Process created wrote_to User terminated Process
  61. 61. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 61 Process Creation Process Termination Process Write To Process Process Access Process Process Process Process Process Process created wrote_to accessed User terminated Process
  62. 62. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 62 Registry Creation Registry Deletion Registry Modification Registry Access Process Registrycreated
  63. 63. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 63 Registry Creation Registry Deletion Registry Modification Registry Access Process Process Registrycreated deleted Registry
  64. 64. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 64 Registry Creation Registry Deletion Registry Modification Registry Access Process Process Process Registrycreated modified deleted Registry Registry
  65. 65. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 65 Registry Creation Registry Deletion Registry Modification Registry Access Process Process Process Process Registrycreated modified accessed deleted Registry Registry Registry
  66. 66. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 66 Registry Creation Registry Deletion Registry Modification Registry Access Process User User User Registrycreated modified accessed deleted Registry Registry Registry
  67. 67. Map Event Logs To ATT&CK Data Sources Blue Teamer: What you have VS what you need! Red Teamer: What you might look like! 67
  68. 68. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 68
  69. 69. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 69 Process Creation Process created Process Process Write To Process Process wrote_to Process Process Access Process accessed Process Process Termination user terminated Process
  70. 70. ATT&CK Data Sources & Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 70 Process Creation Process created Process Process Termination user terminated Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Process wrote_to accessed
  71. 71. ATT&CK Data Sources & Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 71 Process Creation Process created Process Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Security 4689 Sysmon 5 Process Termination user terminated Process wrote_to accessed
  72. 72. ATT&CK Data Sources & Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 72 Process Creation Process created Process Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Security 4689 Sysmon 5 Sysmon 8 Process Termination user terminated Process wrote_to accessed
  73. 73. ATT&CK Data Sources & Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 73 Process Creation Process created Process Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Security 4689 Sysmon 5 Sysmon 8 Sysmon 10 Process Termination user terminated Process wrote_to accessed
  74. 74. Prioritization of ATT&CK Data Sources (Top 74https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
  75. 75. File& Process Monitoring (66 Techniques) 68 Process Monitoring File Monitoring 75 Process Creation Security 4688 Sysmon 1 Process Termination Process Write To Process Process Access File Creation File Access Request File Deletion Request File Access File Deletion Security 4689 Sysmon 5 Sysmon 8 Sysmon 10 Sysmon 11 Security 4656 Security 4663
  76. 76. File& Process Monitoring (Technique variat 68 Process Monitoring File Monitoring 76 Process Creation Security 4688 Sysmon 1 Process Termination Process Write To Process Process Access File Creation File Access Request File Deletion Request File Access File Deletion Security 4689 Sysmon 5 Sysmon 8 Sysmon 10 Sysmon 11 Security 4656 Security 4663
  77. 77. From an ATT&CK Data Sources to Event Lo 77
  78. 78. Where do I get this information? 78 ● Data Dictionaries ○ Windows (Security, Sysmon, etc) ○ Carbon Black Logs ● Data Models ○ Relationships ● ATT&CK Data Sources ○ Definitions & Data Mapping ● Common Information Model https://github.com/Cyb3rWard0g/OSSEM
  79. 79. Hunters ATT&CKing with the right data! Threat Hunting Operations 79
  80. 80. Threat Hunting Approach 80 Identify technique(s) Define Technique Variation Generate Hypothesis Simulate Technique Variation Identify Recommended Data Sources Define Data Analytics Validate Detection Perform Data Quality Assessment Execute Hunt Hunter Notes / Report
  81. 81. Threat Hunting & Data 81 Identify technique(s) Define Technique Variation Generate Hypothesis Simulate Technique Variation Identify Recommended Data Sources Define Data Analytics Validate Detection Perform Data Quality Assessment Execute Hunt Hunter Notes / Report
  82. 82. Hunters ATT&CKing with the right data! Detecting potential “overpass-the-hash” techniques 82
  83. 83. Identify Technique: Pass the Hash “Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.” https://attack.mitre.org/wiki/Technique/T1075 83
  84. 84. Define Technique Variation: Overpass-The-Hash https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf 84 ● Authentication via Kerberos ○ Authentication Protocol based on keys and tickets ● “Upgrading a NT hash into a full Kerberos ticket” ● It requires elevated privileges (privilege::debug or SYSTEM account) ○ (Depends on how this attack is perform ed. You m ight not need)
  85. 85. Technical Details: Normal kerberos Authent https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it 85
  86. 86. Technical Details: Overpass-the-hash https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it 86
  87. 87. Technical Details: Mimikatz- Overpass-The-Hash https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth 87 ● mimikatz can perform the well -known operation 'Pass -The-Hash' to run a process under another credentials with NTLM (or AES128/156_HMAC) hash of the user’s password, instead of its real password. ● For this, it starts a process with a fake identity, then replaces fake information (NTLM hash of the fake password) with real information (NTLM hash of the real password). ● DEMO
  88. 88. Technical Details: Mimikatz- Overpass-The-Hash https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth 88
  89. 89. Mimikatz- pth: Security Event 4673 (Client Si 89 Field Values process_name mimikatz.exe service_name Security service_privilege SeTcbPrivilege user_name cbrown Sensitive Privileged Service Operation Process called service
  90. 90. Mimikatz- pth: Security Event 4673 (Client Si 90 Field Values process_name lsass.exe service_name LsaRegisterLogonProcess() service_privilege SeTcbPrivilege user_name cbrown Sensitive Privileged Service Operation Process called service
  91. 91. Mimikatz- pth: Security Event 4624 (Client Si 91 Field Values logon_type 9 user_name cbrown user_network_account_name pedro User Account Successful Authentication User Authenticated Host
  92. 92. Mimikatz- pth: Security Event 4656 (Client Si 92 Field Values process_name mimikatz.exe process_granted_access 0x1010 target_process_name lsass.exe Process Access Process Accessed Process
  93. 93. Mimikatz- pth: Security Event 4656 (Client Si 93 Field Values process_name mimikatz.exe process_granted_access 0x1038 target_process_name lsass.exe Process Access Process Accessed Process
  94. 94. Mimikatz- pth: Security Event 5158 (Client Si 94 Field Values process_name lsass.exe src_ip 0.0.0.0 src_port 50066 Process Network Local Port Bind Allow Process bound_to Port
  95. 95. Mimikatz- pth: Security Event 5156 (Client Si 95 Field Values process_name lsass.exe dst_ip 192.168.64.147 dst_port 88 Process Network Connection Allow Process connected_to Ip
  96. 96. Mimikatz- pth: Sysmon Event 3 (Client Side) 96 Field Values process_name lsass.exe dst_ip 192.168.64.147 dst_port 88 user_name SYSTEM dst_host DC-WD-001 Process Network Connection Allow Process connected_to Ip
  97. 97. Mimikatz- pth: Security Event 4648 (Client Si 97 Field Values user_name cbrown target_user_name pedro target_host_name DC-WD-001 user account authentication with explicit credential User authenticated host
  98. 98. Mimikatz- pth: Security Event 4768 (Server S 98 Field Values user_name pedro ticket_encryption_type 0x17 src_ip 192.168.64.137 Kerberos TGT Request User requested Ticket
  99. 99. Mimikatz- pth: Security Event 4769 (Server S 99 Field Values user_name pedro ticket_encryption_type 0x12 src_ip 192.168.64.137 service_name krbtgt Kerberos Service Ticket Request User requested Ticket
  100. 100. Mimikatz- pth: Security Event 4769 (Server S 100 Field Values user_name pedro ticket_encryption_type 0x12 src_ip 192.168.64.137 service_name DC-WD-001$ Kerberos Service Ticket Request User requested Ticket
  101. 101. Mimikatz- pth: Security Event 4624 (Server S 101 Field Values user_name pedro logon_type 3 src_ip 192.168.64.137 service_name DC-WD-001$ logon_process kerberos User Account Successful Authentication User authenticated Host
  102. 102. Mimikatz- pth: Security Event 5140 (Server S 102 Field Values user_name pedro share_name *C$ src_ip 192.168.64.137 Network Share Access User accessed Network share
  103. 103. Technical Details: Rubeus- Overpass-the-hash https://github.com/GhostPack/Rubeus 103 ● Rubeus is a C# re-implementation of some of the functionality from Benjamin Delpy’s Kekeo project ○ Kerberos structures built by hand… ○ Rubeus works nicely with execute -assembly ○ So why not use Kekeo? Because ASN.1! ■ Requires a commercial ASN.1 library to customize/rebuild the Kekeo codebase ● Author: Will Schroeder @harmj0y @SpecterOps ● DEMO
  104. 104. Technical Details: Rubeus- Overpass-the-hash https://github.com/GhostPack/Rubeus 104
  105. 105. Rubeus- ptt: Security Event 4673 (Client Side 105 Field Values process_name rubeus.exe service_privilege SeCreateGlobalPrivilege user_name cbrown Sensitive Privileged Service Operation Process called service
  106. 106. Rubeus- ptt: Security Event 5158 (Client Side 106 Field Values process_name rubeus.exe src_ip 0.0.0.0 src_port 50209 Process Network Local Port Bind Allow Process bound_to port
  107. 107. Rubeus- ptt: Security Event 5156 (Client Side 107 Field Values process_name rubeus.exe dst_ip 192.168.64.147 dst_port 88 Process Network Connection Allow Process connected_to Ip
  108. 108. Rubeus- ptt: Sysmon 3 (Client Side) 108 Field Values process_name rubeus.exe dst_ip 192.168.64.147 dst_port 88 user_name cbrown dst_host DC-WD-001 Process Network Connection Allow Process connected_to Ip
  109. 109. Rubeus- ptt: Security Event 4768 (Server Sid 109 Field Values user_name pedro ticket_encryption_type 0x17 service_name krbtgt src_ip 192.168.64.137 Kerberos TGT Request User requested Ticket
  110. 110. Rubeus- ptt: Security Event 4769 (Server Sid 110 Field Values user_name pedro ticket_encryption_type 0x12 service_name DC-WD-001$ src_ip 192.168.64.137 Kerberos Service Ticket Request User requested Ticket
  111. 111. Rubeus- ptt: Security Event 4624 (Server Sid 111 Field Values user_name pedro logon_type 3 logon_process Kerberos src_ip 192.168.64.137 User Account Successful Authentication User authenticated Host
  112. 112. Rubeus- ptt: Security Event 5140 (Server Sid 112 Field Values user_name pedro share_name *C$ src_ip 192.168.64.137 Network Share Access User accessed Network share
  113. 113. Mimikatz vs Rubeus- Kerberos Authentication 113
  114. 114. Mimikatz vs Rubeus- Kerberos Authentication 114
  115. 115. Mmmm… Who else connects to the DC via 115
  116. 116. Mmmm… Who else connects to the DC via 116
  117. 117. Mmmm… Who else connects to the DC via 117
  118. 118. Mmmm… Rubeus? 118
  119. 119. Mimikatz Data Mapping- Pass The Hash- T1075 119 T1075 Authentication Logs Process Monitoring User Account Successful Authentication Security 4624 User Account Authentication With Explicit Credentials Process Access Process Network Local Port Bind Allow Process Network Connection Allow Security 4648 Sysmon 10 Security 4656 Process Use of Network Security 5158 Security 5156 Sysmon 3 Kerberos TGT Request Kerberos Service Ticket Request Security 4768 Security 4769 Sensitive Privileged Service Operation Security 4673
  120. 120. Rubeus Data Mapping- Pass The Hash- T1075 120 T1075 Authentication Logs Process Monitoring User Account Successful Authentication Security 4624 User Account Authentication With Explicit Credentials Process Access Process Network Local Port Bind Allow Process Network Connection Allow Security 4648 Sysmon 10 Security 4656 Process Use of Network Security 5158 Security 5156 Sysmon 3 Kerberos TGT Request Kerberos Service Ticket Request Security 4768 Security 4769 Sensitive Privileged Service Operation Security 4673
  121. 121. Thank You! Muchas Grac 121
  122. 122. References OSSEM:https://github.com/Cyb3rWard0g/OSSEM HELK:https://github.com/Cyb3rWard0g/HELK Rubeus: https://github.com/GhostPack/Rubeus Mimikatz: https://github.com/gentilkiwi/mimikatz/wiki/module -~-sekurlsa#pth 122
  123. 123. THREAT HUNTING SLACK CHANNEL 123

×