Date post: 22-Apr-2020

©2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03621-8. MITRE


BZAR – Hunting Adversary Behaviors with Zeek and ATT&CK

Mark Fernandez

John Wunder

@MITREattack


What we’ll talk about

▪ Background: ATT&CK and Threat Hunting

▪ Threat Hunting with BZAR

– Zeek Network Security Monitor

– How BZAR works and what it can see

▪ Examples

– Service Execution

– Remote File Copy to Windows Admin Shares

▪ Takeaways


What is ATT&CK?

A knowledge base of adversary behavior

Based on real-world observations

A common language

Free, open, and globally accessible

Community-driven


Tactics: the adversary’s technical goal

Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

Techniques: how the goals are achieved

Procedures: Specific technique implementation


How can we see these behaviors?

How can we identify the malicious ones?


How can we see these behaviors?

Perimeter monitoring is not enough


ATT&CK tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

so we do endpoint monitoring.


Defense in depth, amirite?


What can we do with internal network monitoring?


The Problem: Internal Network Traffic Can be Very Noisy

Server Message Block (SMB) protocol

Remote Procedure Call (RPC) protocol


The Technology: Bro / Zeek Network Security Monitor

Open-source, highly-customizable

Deep-packet inspection

The Result: B Z A R

Bro / Zeek ATT&CK-based Analytics and Reporting


Bizarre – very strange or unusual

BZAR – open-source Bro/Zeek scripts

https://github.com/mitre-attack/bzar

A little more about Zeek…


• SMB Protocol Analyzer

o Message Types: 145

• DCE-RPC Protocol Analyzer

o Interface Definitions: 81

o Method Definitions: 1,471

(How Many Exist in Windows?)

• Authentication Protocol Analyzers

o Used in SMB and RPC Authentication

• File Extraction Analyzer

o Extract Files from Network Traffic

o Bonus! Lateral Movement


ATT&CK Techniques Detected with BZAR


Execution

– T1035 Service Execution

– T1047 Windows Mgmt Instrum. (WMI)

– T1053 Scheduled Task

Persistence

– T1004 Winlogon Helper DLL

– T1013 Port Monitors

Defense Evasion

– T1070 Indicator Removal Host

Credential Access

– T1003 Credential Dumping

Discovery

– T1016 System Network Configuration

– T1049 System Network Connections

– T1018 Remote System

– T1033 System Owner/User

– T1069 Permission Groups

– T1082 System Info

– T1083 File and Directory

– T1087 Account

– T1124 System Time

– T1135 Network Share

Lateral Movement

– T1077 Windows Admin Shares

– T1105 Remote File Copy

What you can see in network traffic…

Techniques that necessarily generate network traffic


Techniques that aren’t normally executed over the network, but can be

Execution

T1035 Service Execution

T1047 Windows Mgmt Instrumentation (WMI)

T1053 Scheduled Tasks

BZAR Example – Remote Execution



• Indicators: Four (4) RPC Functions

o svcctl :: CreateServiceA

o svcctl :: CreateServiceW

o svcctl :: StartServiceA

o svcctl :: StartServiceW

• Analytics: Simple

o Detect any of the 4 RPC functions

o Zeek event handlers

• dce_rpc_request()

• dce_rpc_response()

Execution

T1035 Service Execution

BZAR Example – T1035 Service Execution


• Reporting: Write to Zeek Notice Log

o “ :: ”

o “svcctl::StartServiceW”

o IP addresses & TCP/UDP ports

o Zeek connection ID

Execution

T1035 Service Execution

BZAR Example – T1035 Service Execution

Important: MUST be tuned for your environment!


Lateral Movement

T1077 Windows Admin Shares

T1105 Remote File Copy

BZAR Example – Lateral Movement


• Indicators: Two (2) SMB Commands

o SMBv1 Write

o SMBv2 Write

• Analytics: Complex

o Detect SMB Write to Windows Admin Shares

o ADMIN$ or C$ only

o Ignore IPC$ (e.g., named pipes)

o Zeek event handlers

• smb1_write_andx_response()

• smb2_write_request()

BZAR Example – Lateral Movement

Lateral Movement

T1077 Windows Admin Shares

T1105 Remote File Copy


• Reporting: Write to Zeek Notice Log

o “ ::Lateral_Movement”

o “ :: ”

o IP addresses & TCP/UDP ports

o Zeek connection ID

o Full Universal Naming Convention (UNC) path and file name

Lateral Movement

T1077 Windows Admin Shares

T1105 Remote File Copy

Important: MUST be tuned for your environment!

BZAR Example – Lateral Movement
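The two BZAR analytics above (the four svcctl functions for T1035, and SMB writes to ADMIN$/C$ with IPC$ ignored for T1077/T1105) replayed over Zeek's own log output, as an added Python example rather than BZAR's Zeek scripts. Column names follow Zeek's default dce_rpc.log and smb_files.log, the sample records are constructed, and the allowed_sources parameter stands in for the "tune for your environment" step.

```python
"""Added example, not BZAR's own code: replay the two BZAR indicators over
Zeek log output instead of inside a Zeek script.  Column names follow Zeek's
default dce_rpc.log and smb_files.log; the sample records are constructed."""
import re

# The four svcctl operations that BZAR treats as T1035 Service Execution.
SVCCTL_OPS = {"CreateServiceA", "CreateServiceW", "StartServiceA", "StartServiceW"}
# UNC share path ending in ADMIN$ or C$ (e.g. \\srv01\ADMIN$); IPC$ never matches.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(ADMIN\$|C\$)$", re.IGNORECASE)

def parse_zeek_tsv(text):
    """Yield one dict per record; Zeek's '#fields' header names the columns."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def service_execution_hits(dce_rpc_log, allowed_sources=()):
    """T1035: any svcctl Create/StartService call, minus tuned-out source hosts."""
    return [(r["id.orig_h"], r["id.resp_h"], r["operation"])
            for r in parse_zeek_tsv(dce_rpc_log)
            if r["endpoint"] == "svcctl" and r["operation"] in SVCCTL_OPS
            and r["id.orig_h"] not in allowed_sources]

def admin_share_write_hits(smb_files_log, allowed_sources=()):
    """T1077/T1105: SMB write to ADMIN$ or C$, reported with the full UNC path."""
    return [(r["id.orig_h"], r["id.resp_h"], r["path"] + "\\" + r["name"])
            for r in parse_zeek_tsv(smb_files_log)
            if r["action"] == "SMB::FILE_WRITE" and ADMIN_SHARE.match(r["path"])
            and r["id.orig_h"] not in allowed_sources]

# Constructed sample logs in Zeek's TSV layout (one hit and one non-hit each).
DCE_RPC_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation",
    "1555000000.1\tCa1\t10.0.0.5\t49712\t10.0.0.20\t445\t0.002\t\\pipe\\svcctl\tsvcctl\tCreateServiceW",
    "1555000000.2\tCa2\t10.0.0.5\t49713\t10.0.0.20\t445\t0.001\t\\pipe\\svcctl\tsvcctl\tOpenSCManagerW",
])
SMB_FILES_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfuid\taction\tpath\tname\tsize",
    "1555000001.0\tCb1\t10.0.0.5\t49714\t10.0.0.20\t445\tFx1\tSMB::FILE_WRITE\t\\\\srv01\\ADMIN$\tsvc.exe\t4096",
    "1555000001.5\tCb2\t10.0.0.5\t49715\t10.0.0.20\t445\tFx2\tSMB::FILE_WRITE\t\\\\srv01\\IPC$\tsvcctl\t0",
])

if __name__ == "__main__":
    print(service_execution_hits(DCE_RPC_LOG))
    print(admin_share_write_hits(SMB_FILES_LOG, allowed_sources={"10.0.0.9"}))
```

The second sample in each log shows why the slides call for tuning: an OpenSCManagerW call and a write to the IPC$ pipe are both routine and are not reported.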

Summary

▪ Monitor your endpoints

– – ’

▪ Think outside the box

– – ’

▪ Think at different levels of abstraction

– Low-fidelity indicators can help you build up analytics and reporting

▪ Integrate into your overall monitoring approach

– Network alerts and endpoint alerts can co-exist

▪ Tune for your environment!


attack.mitre.org

medium.com/mitre-attack

[email protected]

@MITREattack

https://github.com/mitre-attack/bzar
