114
Zeek your Windowz! Zeek European Workshop 2019
Zeek your Windowz!Zeek European Workshop 2019
How SSL works
How SSL works
How SSL works
How SSL works
How SSL works
How SSL works
Tools
TTPs
Artifacts
Domain Names
IP Addresses
Hash Values Har
der f
or th
reat
acto
rs to
chan
ge
Even
har
der t
o de
tect
Default Metasploit SSL Cert in Brox509.log
certificate.issuer:
CN=hrzvox.gov,
O=bdlOFqMXlUfgoNQljMuRWgiJ,
L=ZTIhjQVsJEuQIlSgScdegcLSLJVRE,
ST=WI,
C=US
Tools
TTPs
Artifacts
Domain Names
IP Addresses
Hash Values Har
der f
or th
reat
acto
rs to
chan
ge
Even
har
der t
o de
tect
How SSL works
First to the Key (2009)
Lee Brotherston (Derbycon 2015)
How SSL works
How SSL works
Microsoft Edge (Browser)
Dridex Malware (Banking Trojan)
Trickbot Malware (Banking Trojan)
Microsoft Edge (Browser)
Trickbot Malware (Banking Trojan)
Fingerprinting TLS Clients
Fingerprinting TLS - The JA3 Method
Fingerprinting TLS - The JA3 Method
Version
771
Fingerprinting TLS - The JA3 Method
Version,Ciphers
771,49172-157-156-61-53-47-10
Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions
771,49172-157-156-61-53-47-10,0-5-10-11-13
Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves
771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24
Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats
771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24,0
Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats
771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24,0
MD5 hash
Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats
771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24,0
MD5 hash
JA3 = f4c4f050188e15839a6cd3af798b6c77
Fingerprinting TLS - The JA3 Method
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats
771,49172-157-156-61-53-47-10,,,
MD5 hash
JA3 = 4dd4fca5534245b13b641d54a7035851
Fingerprinting TLS - The JA3 Method
771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0
JA3 = ce5f3254611a8c095a3d821d44539877
JA3 on TLS 1.3
JA3 on TLS 1.3
No Server, No Problem
Tools
TTPs
Artifacts
Domain Names
IP Addresses
Hash Values Har
der f
or th
reat
acto
rs to
chan
ge
Even
har
dere
r to
dete
ct
JA3
https://github.com/salesforce/ja3
pip install pyja3bro-pkg install ja3
Created by:John AlthouseJeff AtkinsonJosh Atkins
Concept and Inspiration from:Lee Brotherston
Fingerprinting for SSH Clients and ServersIdea and Concept by Ben Reardon
HASSH
HASSH
HASSH
HASSH
Fingerprinting SSH - The HASSH Method
Fingerprinting SSH - The HASSH Method
KeyExchange;
[email protected],diffie-hellman-group-exchange-sha256;
Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;
[email protected],diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;
Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;MessageAuth;
[email protected],diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1–96;
Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;MessageAuth;Compression
[email protected],diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1–96;[email protected],zlib,none
Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;MessageAuth;Compression
[email protected],diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1–96;[email protected],zlib,none
MD5 hash
Fingerprinting SSH - The HASSH Method
KeyExchange;Encryption;MessageAuth;Compression
[email protected],diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1–96;[email protected],zlib,none
MD5 hash
HASSH = 9c325a9bc631ff065307ccc05217c7da
Fingerprinting SSH - The HASSH Method
[email protected],diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,[email protected],diffie-hellman-group15-sha256,[email protected],[email protected],diffie-hellman-group16-sha256,[email protected],[email protected],[email protected];aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,blowfish-cbc,blowfish-ctr,cast128-cbc,cast128-ctr,idea-cbc,idea-ctr,serpent128-cbc,serpent128-ctr,serpent192-cbc,serpent192-ctr,serpent256-cbc,serpent256-ctr,3des-cbc,3des-ctr,twofish128-cbc,twofish128-ctr,twofish192-cbc,twofish192-ctr,twofish256-cbc,twofish256-ctr,twofish-cbc,arcfour,arcfour128,arcfour256;hmac-sha1,hmac-sha1–96,hmac-md5,hmac-md5–96,hmac-sha2–256,hmac-sha2–512;[email protected],zlib,none
Fingerprinting SSH - The HASSH Method
[email protected],diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,[email protected],diffie-hellman-group15-sha256,[email protected],[email protected],diffie-hellman-group16-sha256,[email protected],[email protected],[email protected];aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,blowfish-cbc,blowfish-ctr,cast128-cbc,cast128-ctr,idea-cbc,idea-ctr,serpent128-cbc,serpent128-ctr,serpent192-cbc,serpent192-ctr,serpent256-cbc,serpent256-ctr,3des-cbc,3des-ctr,twofish128-cbc,twofish128-ctr,twofish192-cbc,twofish192-ctr,twofish256-cbc,twofish256-ctr,twofish-cbc,arcfour,arcfour128,arcfour256;hmac-sha1,hmac-sha1–96,hmac-md5,hmac-md5–96,hmac-sha2–256,hmac-sha2–512;[email protected],zlib,none
HASSH = 8a8ae540028bf433cd68356c1b9e8d5b
HASSH
https://github.com/salesforce/hassh
https://engineering.salesforce.com/
Created by:Ben Reardon @benreardonAdel Karimi @0x4d31John Althouse @4A4133Jeff Atkinson /in/anNh
Mapping JA3 to Client Application
https://github.com/salesforce/ja3/tree/master/lists
Mapping JA3 to Client Application
Mapping JA3 to Client Application
Baseline your sandboxhttps://github.com/gbarford/testssl
Win10-socket: c12f54a3f91dc7bafd92cb59fe009a35
Win10-socket-SNI: 3b5074b1b5d032e5620f69f9f700ff0e
Win10-powershell: fc54e0d16d9764783542f0146a98b300
Win10-powershell-SNI: 54328bd36c14bd82ddaa0c04b25ed9ad
Win10-iexplore: be6155e945a3e59a1dd0841b86f6c945
Win10-iexplore-SNI: 10ee8d30a5d01c042afd7b2b205facc4
Win2016-socket: 043c543b63b895881d9abfbc320cb863
Win2016-socket-SNI: 7c410ce832e848a3321432c9a82e972b
Win2016-powershell: 17b69de9188f4c205a00fe5ae9c1151f
Win2016-powershell-SNI: 235a856727c14dba889ddee0a38dd2f2
Win2016-iexplore: 4f2e9c50db9bd107439136bd24740c0d
Win2016-iexplore-SNI: f88610704d61a237aa9e5e0849573998
Over TLS
File Exfil Detection
Original Concept by Bob Rotsted
https://github.com/reservoirlabs/bro-scripts/tree/master/exfil-detection-framework
Normal Outbound Traffic
File Transfer Outbound
Threshold Byte Count and Byte Rate
Exfil Detection from the WireSource IP: 10.1.2.3Destination IPs: 50.1.2.3, 50.1.2.4, 50.1.2.5 …Destination Port: 443Service: HTTPSDestination Certificate: CN=*.dropbox.com ...Certificate Valid: TrueFiles Transferred: 512TotalBytes Transferred: 2,048MB
Exfil Detection from the WireSource IP: 10.1.2.3Destination IPs: 50.1.2.3, 50.1.2.4, 50.1.2.5 …Destination Port: 443Service: HTTPSDestination Certificate: CN=*.dropbox.com ...Certificate Valid: TrueFiles Transferred: 512TotalBytes Transferred: 2,048MBJA3: fa030dbcb2e3c7141d3c2803780ee8dbJA3ClientApplication: Dropbox
Exfil Detection from the WireSource IP: 10.1.2.3Destination IPs: 50.1.2.3, 50.1.2.4, 50.1.2.5 …Destination Port: 443Service: HTTPSDestination Certificate: CN=*.dropbox.com ...Certificate Valid: TrueFiles Transferred: 512TotalBytes Transferred: 2,048MBJA3: fc54e0d16d9764783542f0146a98b300JA3ClientApplication: Powershell
Caution
Client Hello Tooling
Sergey Frolov & Eric WustrowUniversity of Colorado Boulder
The use of TLS in Censorship Circumventionhttps://tlsfingerprint.io/static/frolov2019.pdf
Client Hello Tooling
https://github.com/arlolra/meek/blob/master/READMEmeek is a blocking-resistant pluggable transport for Tor. It encodes adata stream as a sequence of HTTPS requests and responses. Requests are reflected through a hard-to-block third-party web server in order toavoid talking directly to a Tor bridge. HTTPS encryption hidesfingerprintable byte patterns in Tor traffic.
Client Hello Tooling
https://github.com/arlolra/meek/blob/master/READMEmeek is a blocking-resistant pluggable transport for Tor. It encodes adata stream as a sequence of HTTPS requests and responses. Requests are reflected through a hard-to-block third-party web server in order toavoid talking directly to a Tor bridge. HTTPS encryption hidesfingerprintable byte patterns in Tor traffic.
Client Hello Tooling
Client Hello ToolinguTLS - https://github.com/refraction-networking/utls/README.md
UTLS in actionfunc reverse(connectString string, fingerprint []byte) { config := &tls.Config{InsecureSkipVerify: true} dialConn, err := tls.Dial("tcp",connectString, config) if err != nil { fmt.Printf("net.Dail() failed: %+v\n", err) return } // Define which ClientHelloID you want here. conn := tls.UClient(dialConn, config, tls.HelloGolang) defer conn.Close() interactiveShell(conn)}
Client Hello Tooling
Client Hello Tooling
We can do better...
Bro-OSQuerySteffen Haashttps://github.com/bro/bro-osquery
Monitor Changes to Host systemsUses a customized binaryQueries are scheduled every minute
https://svs.informatik.uni-hamburg.de/publications/2018/2018-05-31-Haas-QueryCon-Bro-Osquery.pdf
Bro-OSQueryGoal:
Map Linux processes to JA3
Logs Needed:● Zeek JA3 ssl.log● OSQuery socket_events
Bro-OSQuery
Socket_events
SELECT action, pid, path, family, protocol, local_address, remote_address, local_port, remote_port, time, success FROM socket_events
{ "action": "added", "columns": {
"time": "1527895541", "success": "1", "remote_port": "443", "action": "connect", "auid": "1000", "family": "2","local_address": "", "local_port": "0","path": "/usr/bin/curl","pid": "30220", "remote_address": "212.13.197.231"
}, "unixTime": 1527895545, "hostIdentifier": "vagrant", "name": "socket_events" }
Bro-OSQuery
Bro-OSQueryWarning
Read The Docs….
“(socket) table is not automatically enabled when process_events are enabled because it can introduce considerable load on the system.”
Bro-OSQuery
Only able to implement on Linux & OSX.
Due to dependencies of CAF and Broker being compiled
Introduction to Broker
Broker Demo
Ping / Ponghttps://docs.zeek.org/projects/broker/en/stable/python.html#exchanging-bro-events
How can we monitor Windows Hosts?
Integrate Windows Sysmon into Zeek
Bro-Sysmon
Bro-SysmonGoal:
Map Windows processes to JA3
Logs Needed:● Zeek JA3 ssl.log● Sysmon Event ID 3: Network Connection
Bro-SysmonSysmon Event ID 3:
Network Connection
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> <EventID>3</EventID> <Version>5</Version> <Level>4</Level> <Task>3</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2017-04-28T22:12:23.657698300Z" /> <EventRecordID>10953</EventRecordID> <Correlation /> <Execution ProcessID="3216" ThreadID="3976" /> <Channel>Microsoft-Windows-Sysmon/Operational</Channel> <Computer>rfsH.lab.local</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="UtcTime">2017-04-28 22:12:22.557</Data> <Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-00102F345D00}</Data> <Data Name="ProcessId">13220</Data> <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data> <Data Name="User">LAB\rsmith</Data> <Data Name="Protocol">tcp</Data> <Data Name="Initiated">true</Data> <Data Name="SourceIsIpv6">false</Data> <Data Name="SourceIp">192.168.1.250</Data> <Data Name="SourceHostname">rfsH.lab.local</Data> <Data Name="SourcePort">3328</Data> <Data Name="SourcePortName"> </Data> <Data Name="DestinationIsIpv6">false</Data> <Data Name="DestinationIp">104.130.229.150</Data> <Data Name="DestinationHostname"> </Data> <Data Name="DestinationPort">443</Data> <Data Name="DestinationPortName">https</Data> </EventData></Event>
Bro-Sysmon
Bro-Sysmon
Bro-Sysmon
Bro-Sysmon
Bro-Sysmon
Windows SysmonInstall, configure and get Results:
Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 3: Network connection
Event ID 4: Sysmon service state changed
Event ID 5: Process terminated
Event ID 6: Driver loaded
Event ID 7: Image loaded
Event ID 8: CreateRemoteThread
Event ID 9: RawAccessRead
Event ID 10: ProcessAccess
Event ID 11: FileCreate
Event ID 12: RegistryEvent (Object create and delete)
Event ID 13: RegistryEvent (Value Set)
Event ID 14: RegistryEvent (Key and Value Rename)
Event ID 15: FileCreateStreamHash
Event ID 17: PipeEvent (Pipe Created)
Event ID 18: PipeEvent (Pipe Connected)
Event ID 19: WmiEvent (WmiEventFilter activity detected)
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
Event ID 255: Error
Windows Sysmon
Warning - can be very noisy
Example Logging levels:https://github.com/salesforce/bro-sysmon/blob/master/sysmon-verbose.xml
6347 - 60s of idle time28083 - 300s of idle time
Swiftonsecurity! - https://github.com/SwiftOnSecurity/sysmon-config2268 - 60s of idle time11492 - 300s of idle time 35% -40%
Windows SysmonCreate your own filter! Filter events based on Event ID name Use conditionals to include or exclude
<NetworkConnect onmatch="exclude"> <Image condition="contains">iexplore.exe</Image> </NetworkConnect>
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Danger!Legitimate processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation.
Install WinLogBeat & Configure
winlogbeat.event_logs:
- name: Microsoft-Windows-Sysmon/Operational
output.logstash:
# The Logstash hosts
hosts: ["192.168.200.1:9000"]
WinLogBeats
Running Command line
- Testing Config
.\winlogbeat.exe test config -c .\winlogbeat.yml -e
- Running in foreground
.\winlogbeat.exe -c .\winlogbeat.yml
Install service
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
WinLogBeats
LogstashConfigure/etc/logstash/conf.d/winlogbeat_receiver.conf
input { beats { port => 9000 }}
output { file { path => "/home/logstash/bro-sysmon/WindowsSysmon.json" }}
Start ServiceSystemctl start logstash
Python & Broker BindingsEstablish connection with Zeek
import brokerep = broker.Endpoint()ep.peer("127.0.0.1", 9999)
Parse JSON object
Send to function to parse JSON event data
create Zeek event
Python & Broker BindingsSysmon ID3: Network Connection message = broker.bro.Event( 'sysmon_networkConnection', winevt.get('computer_name').encode('ascii','ignore'), evt_data.get('ProcessId','None').encode('ascii','ignore'), evt_data.get('Protocol','None').encode('ascii','ignore'), evt_data.get('SourceIp','None').encode('ascii','ignore'), evt_data.get('SourcePort','None').encode('ascii','ignore'), evt_data.get('DestinationIp','None').encode('ascii','ignore'), evt_data.get('DestinationPort','None').encode('ascii','ignore'), evt_data.get('Image','None').encode('ascii','ignore'), return message
Bro EventsEvents are received by Broker and raised to script land
event sysmon_networkConnection(computerName: string, processId: string, proto: string, srcip: string, srcprt: string, dstip: string, dstprt: string, procImage: string)
Default scripts output to filesystem
fingerprint_mapping
Fingerprint_mappingsysmon/__load__.bro
@load ./fingerprint_mapping
sysmon/fingerprint_mapping/__load__.bro@load ./trackNewPid.bro@load ./trackNewConns.bro@load ./mapJA3_Proc.bro#@load ./mapHASSH.bro
Bro-Sysmon
Bro-SysmonSysmon-Broker.py Bro
| |
| ------ Establish Peering ------> |
| <----- Establish Peering ------- |
| <----- Subscirbe /sysmon ------- |
| |
Receive Sysmon JSON --> | |
| |
| -- Parse JSON |
| -- Build Event |
| ------ Publish to /sysmon ------> |
| | --> Bro Scipt to Log
| |
| | --> Bro Script Build Map JA3 to Application
Bro-Sysmon
ProblemsRace conditions of event typesDistributed environmentsEats up your memory in large deployments
But wait, there’s more
Install WinLogBeat & Configure
Winlogbeat.event_logs:
- name: Application
- name: Security
- name: System
- name: Microsoft-Windows-Sysmon/Operational
output.logstash:
# The Logstash hosts
hosts: ["192.168.200.1:9000"]
WinLogBeats
Current handler message = broker.bro.Event( 'WindowsEvent', str(winevt.get('computer_name')), str(winevt.get('log_name')), int(winevt.get('event_id')), str(winevt.get('opcode')), str(winevt.get('task', 'None')), str(winevt.get('message', 'None')), str(winevt.get('event_data', 'None')), )
WinLogBeats
Current Bro Event event WindowsEvent(computerName: string,
log_name: string, event_id: int, task: string, opcode: string, message: string, event_data: string)
TODO: Extend to handle in more detail.
WinLogBeats
Demo or it didn’t happen
Accurately Map JA3 to Client Application
for YOUR environment
Mapping JA3 to Client Application
Mapping JA3 to Client Application
"""search index=Bro_SSL DestinationPort=443 JA3!=null JA3Ciphers!=null ConnectionEstablished=true
Mapping JA3 to Client Application
"""search index=Bro_SSL DestinationPort=443 JA3!=null JA3Ciphers!=null ConnectionEstablished=true
search index=lots-o-logs sourcetype=OSQuery LogType=procs_on_internet Outcome=added
SourcePort!=0 DestinationAddr!=0 IPSource!=0 DestinationPort=443 Protocol=6
ClientApplication!=null
Mapping JA3 to Client Application
"""search index=Bro_SSL DestinationPort=443 JA3!=null JA3Ciphers!=null ConnectionEstablished=true
| join SourcePort, DestinationPort, SourceAddr, DestinationAddr max=1 type=inner
[
search index=lots-o-logs sourcetype=OSQuery LogType=procs_on_internet Outcome=added
SourcePort!=0 DestinationAddr!=0 IPSource!=0 DestinationPort=443 Protocol=6
ClientApplication!=null
| fields IPSource,SourcePort,DestionationAddr,DestinationPort,ClientApplication
]
| fields JA3, JA3Ciphers, ClientApplication
| stats values(ClientApplication) by JA3"""
https://github.com/salesforce/bro-sysmonhttps://github.com/salesforce/ja3
https://github.com/salesforce/hassh
Jeff Atkinsonneslogf<at>gmail<dot>com@4a7361in/anNh
