
Date post: 28-Mar-2018
Temet Nosce: Know Thy Endpoint Through and Through Thomas V. Fischer
Page 1

Temet Nosce: Know Thy Endpoint Through and Through Thomas V. Fischer

Page 2

I am …

Threat Researcher

25+ years experience in InfoSec

Spent a number of years in IR team positions

Contact

• [email protected]

• @Fvt

Page 3

A Journey

Transformation of a tool

Real time actionable intelligence

(re)Enabling the endpoint as an active defence mechanism

Detecting behaviour…

Public 3

Page 4

Are we in the Wrong Place?

Network based solutions

Post incident end point technology

Forensics ~ what changed != necessarily what happened


Page 5

Those Cool Tools…

Current Arsenal & Key Tools

Procexp; procmon; tcpview


Page 6

Single Footprint Intelligence

Arsenal tools on steroids

High level of visibility:

• File ops

• Network ops

• Registry ops

• DLL activity

• Process data

Application DNA ~ identifiable events


Page 7

Real Time Forensics Evidence

Detect compromise events

Log the footprints


Page 8

[Figure: attack-chain correlation diagram. Columns: Initial Entry Vector > Entry Vector Attack (EVA) Alert > Subsequent Attack Stages > Indicator of Compromise Alert. Rows: Base Rules and Correlated Alerts, with the base rules split into Recon, Exploit/Installation and C&C phases. Row labels and rule names below are what survives of the diagram text; the exact cell of each rule is not recoverable.]

Row: Email – Malicious Office File (Base Rules / Correlated Alerts)

• ATP522-Email attachment saved via Outlook

• ATP521-Email attachment saved via Outlook (tagged)

• ATP505-User double-clicks on Outlook attachment

• ATP506-Office app opens attachment via Outlook

• ATP8003-Office opens email attachment

• ATP523-Office opens saved email attachment

• ATP307-Office spawns CMD or Powershell via WSH

• ATP103-Office macro calling WSH

• ATP507-Office macro calling WMI

• ATP306-WMI spawns CMD or Powershell

• ATP906-Suspected Office macro phishing

• ATP9005-Office executes code

• ATP1010-Detect both RTLO and LTRO in file

Row: Email – Malicious PDF (Base Rules / Correlated Alerts)

• ATP505-User double-clicks on Outlook attachment

• ATP101-Acrobat opens PDF attachment via Outlook

• ATP102-Acrobat process tree saving EXE

• ATP304-CMD running batched commands

• ATP405-Process launched from CMD or Powershell

• ATP522-Email attachment saved via Outlook

• ATP521-Email attachment saved via Outlook (tagged)

• ATPxxxx-Acrobat opens saved email attachment

• ATPxxxx-Acrobat opens email attachment

• ATPxxxx-Acrobat executes code

• ATP904-Suspected PDF phishing attack

• ATP1011-Detect multiple spaces before executable

• ATP1012-Detect RTLO in File

• ATP1014-Create c:\program.exe

Row: Base Rules / Correlated Alerts (Subsequent Attack Stages and Indicators of Compromise)

• ATP9201-IOC Persistence Detected

• ATP3101-Execute c:\program.exe file

• ATP3212-SVCHOST not child process of services.exe

• ATP1204-Suspicious process modifying local hosts file

• ATP3103-Application with obfuscated extension launch

• ATP9102-GEN.IOC Process

• ATP9101-GEN.IOC File Manipulation

• ATP2101-SMB scanning over short period

• ATP9xxx-Indicator of Infection Detected

• ATP9104-IOC.NET Enumeration

• ATP2xxx-Port scanning detected

• ATP9202-IOC Network Activity Detected

• ATP2xxx-NET.OUT Malicious component list

• ATP9103-GEN.IOC Outbound Network

• ATP2xxx-Suspicious child process creating network op

• ATP2xxx-High risk application netop after suspicious event

• ATP9xxx-Correlated IOC Alert

The correlated IOC alert triggers from an IOC alert that then looks to see if an EVA triggered, and if so, alerts itself.

If IOC Alert fired, check for EVA fired. If yes, fire correlated IOC Alert.

Risk scale across the chain: Likely benign > Almost certainly malicious > Definitely malicious > Risk of data exfiltration

It’s Doing This so Probably Suspicious

Enable behavioural analysis

phishing :- (a+b),(c,(d|e)),!(x,y,z)

Response? Kill any point in the chain

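A worked example of the correlation logic stated on this slide, added here and not part of the slide deck or of any product it describes: an IOC alert checks whether an Entry Vector Attack (EVA) alert already fired on the same host and, if so, raises a correlated IOC alert. Three base rules are modelled on ATP307 (Office spawns CMD or PowerShell via WSH), ATP3212 (svchost.exe not a child of services.exe) and ATP1204 (process modifying the local hosts file). The event schema, the process-ancestry heuristics, the one-hour look-back window and the event stream for hosts `ws01` and `ws02` are constructed assumptions; the `phishing :- (a+b),(c,(d|e)),!(x,y,z)` notation is not defined on the slide, so it is not interpreted here.

```python
"""Minimal EVA -> IOC correlation engine modelled on the slide's alert chain (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
WSH = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"   # compared case-insensitively


@dataclass
class Event:
    ts: int          # constructed timestamp, seconds
    host: str
    kind: str        # "process" (start) or "file" (write)
    pid: int
    image: str       # lower-case image name of the acting process
    ppid: int = 0    # parent pid, process events only
    path: str = ""   # target path, file events only


@dataclass
class Alert:
    rule: str        # rule id as written on the slide; ATP9xxx is the slide's own placeholder
    stage: str       # "EVA", "IOC" or "CORRELATED"
    host: str
    ts: int
    detail: str


class Engine:
    def __init__(self, window: int = 3600):
        self.window = window                    # assumed: EVA must lie within 1h before the IOC
        self.procs: Dict[Tuple[str, int], Event] = {}   # (host, pid) -> process start event
        self.alerts: List[Alert] = []
        # (rule id, stage, detector); a detector returns a detail string or None
        self.rules: List[Tuple[str, str, Callable[[Event], Optional[str]]]] = [
            ("ATP307", "EVA", self.office_spawns_shell_via_wsh),
            ("ATP3212", "IOC", self.svchost_not_child_of_services),
            ("ATP1204", "IOC", self.process_modifies_hosts_file),
        ]

    def ancestry(self, host: str, pid: int, depth: int = 4) -> List[str]:
        """Image names from pid upward, as far as the recorded process tree reaches."""
        chain: List[str] = []
        key = (host, pid)
        while key in self.procs and len(chain) < depth:
            ev = self.procs[key]
            chain.append(ev.image)
            key = (host, ev.ppid)
        return chain

    def office_spawns_shell_via_wsh(self, ev: Event) -> Optional[str]:
        if ev.kind != "process" or ev.image not in SHELLS:
            return None
        chain = self.ancestry(ev.host, ev.pid)      # [shell, parent, grandparent, ...]
        if len(chain) >= 3 and chain[1] in WSH and chain[2] in OFFICE:
            return f"{chain[2]} -> {chain[1]} -> {chain[0]}"
        return None

    def svchost_not_child_of_services(self, ev: Event) -> Optional[str]:
        if ev.kind != "process" or ev.image != "svchost.exe":
            return None
        chain = self.ancestry(ev.host, ev.pid)
        parent = chain[1] if len(chain) > 1 else "<unknown>"   # unknown parent is also suspicious
        return None if parent == "services.exe" else f"svchost.exe started by {parent}"

    def process_modifies_hosts_file(self, ev: Event) -> Optional[str]:
        if ev.kind == "file" and ev.path.lower() == HOSTS_FILE:
            return f"{ev.image} (pid {ev.pid}) wrote to hosts file"
        return None

    def recent_eva(self, host: str, ts: int) -> Optional[Alert]:
        """Most recent EVA alert on this host inside the look-back window, if any."""
        for a in reversed(self.alerts):
            if a.stage == "EVA" and a.host == host and 0 <= ts - a.ts <= self.window:
                return a
        return None

    def ingest(self, ev: Event) -> List[Alert]:
        """Record the event, run the base rules, then apply the IOC -> EVA correlation."""
        if ev.kind == "process":
            self.procs[(ev.host, ev.pid)] = ev
        fired: List[Alert] = []
        for rule_id, stage, detect in self.rules:
            detail = detect(ev)
            if detail is None:
                continue
            alert = Alert(rule_id, stage, ev.host, ev.ts, detail)
            self.alerts.append(alert)
            fired.append(alert)
            if stage == "IOC":                       # "If IOC Alert fired, check for EVA fired"
                eva = self.recent_eva(ev.host, ev.ts)
                if eva is not None:                  # "If yes, fire correlated IOC Alert"
                    corr = Alert("ATP9xxx", "CORRELATED", ev.host, ev.ts,
                                 f"{rule_id} after {eva.rule} at t={eva.ts}")
                    self.alerts.append(corr)
                    fired.append(corr)
        return fired


def run_demo() -> List[Alert]:
    """Constructed event stream for two hosts; returns every alert raised, in order."""
    eng = Engine()
    events = [
        Event(10, "ws01", "process", 600, "services.exe", ppid=4),
        Event(11, "ws01", "process", 900, "svchost.exe", ppid=600),        # legitimate, no alert
        Event(100, "ws01", "process", 1200, "outlook.exe", ppid=700),
        Event(120, "ws01", "process", 1300, "winword.exe", ppid=1200),
        Event(130, "ws01", "process", 1400, "wscript.exe", ppid=1300),
        Event(131, "ws01", "process", 1500, "powershell.exe", ppid=1400),  # EVA (ATP307)
        Event(200, "ws01", "process", 1600, "svchost.exe", ppid=1500),     # IOC + correlated
        Event(210, "ws01", "file", 1500, "powershell.exe",
              path=r"C:\Windows\System32\drivers\etc\hosts"),              # IOC + correlated
        Event(50, "ws02", "process", 2000, "svchost.exe", ppid=777),       # IOC only: no EVA on ws02
    ]
    for ev in events:
        eng.ingest(ev)
    return eng.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.host} t={a.ts:>4} {a.stage:<10} {a.rule:<8} {a.detail}")
```

The ws02 svchost alert stays an uncorrelated IOC, which is the "likely benign, needs context" end of the slide's risk scale; the same rule on ws01 lands in the "almost certainly malicious" band because the Office > WSH > PowerShell chain preceded it on that host. Extending the engine is a matter of appending to `self.rules`; the correlation step never needs to change.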

Page 9

Keeping the Story Alive

Increase Visibility:

• More DLL events

• Memory events

Capture More…
