
Tanner Payne - Doomsday Preppers APT Edition

BSides Augusta · 2015 · 22:26 · 88 views · Published 2015-09
Style: Talk
About this talk
Video from BSidesAugusta 2015.
Transcript [en]

...had an opportunity to go out to the lockpick village? Has anybody gone out there? Awesome. Did anybody learn to pick a lock for the first time today? Look at that, that's awesome. Is that the coolest experience ever? Well, one of the coolest experiences. So we definitely have lots of fun stuff to do today, from all the giveaways that we're doing to all these great talks and the lockpick village. Don't forget about the capture the flag event going on, so lots of great things to do today in addition to all these great talks. So I want to say thank you once again to all of our sponsors, especially Georgia Regents University. So if you see Joanne Sexton, please make sure you say thank you for all of her work in making this event happen, especially making this great facility happen for us. So our next talk is called Doomsday Preppers APT Edition. It's going to be a great talk because it's got APT in it, right? So ladies and gentlemen, please join me in welcoming Mr. Tanner Payne.

All right, thank you guys for having me. I've recently learned this is a fire talk, so get ready for a shotgun blast of information. It's about an hour-and-a-half talk and I'm going to cram it into a 30-minute slot. So, like I said, I'm Tanner Payne and I've been working for Mandiant at FireEye for a little over three years. The title of my talk is around prepping, and this relates to some work I've recently done with some clients. It focuses on shedding old habits of SIEM-related log collection and what actually needs to be collected versus how useful and how polluted it is. So I want to just go over some methods and give you some ideas on what to collect for facilitating detection and investigation.

Before we get started, just to clear the air: apparently there is another T-Pain out there. You know, we're not the same person, we're not even related, actually never met, but we do have a few things in common. We both have Twitter handles, we like to keep it real. I don't know what he tweets about, but I'll be tweeting the link to these slides as well as some supporting information.

OK, stockpiling for survival. So I've kind of made a light comparison between these two things here. Preparing for the end of the world: a lot of you have seen this show called Doomsday Preppers on National Geographic, and it revolves around profiling these wack-job individuals or groups that stockpile food, water, weapons for some upcoming scenario of disaster, the end of the world as we know it, TEOTWAWKI or SHTF, there are several different names for it. But at the end they grade these people on how they're prepared for a certain scenario and how effective it would be. On the other hand, on the right, we've got preparing a corporate enterprise for an APT incident. It's kind of the same thing: there's stockpiling logs, events, alerts in order to facilitate some unlikely scenario that you can't really predict. So wouldn't it be nice if we could grade these guys on a similar basis to how these doomsday preppers get graded?

So what are the common challenges to preparing? First off, most just don't prepare at all, and whether it's due to ignorance is bliss or perceived resource limitations, they basically do nothing. So in the real world that would be: I lock my front door and I carry a glass of water up to bed with me in case I get thirsty. You know, just common sense. In the corporate world that would be: I've got a firewall, I've got antivirus, maybe I collect some logs, maybe I look at them from time to time, but again, bare minimum. Next, many of those who do try: it's an utter failure. So a lot of these doomsday preppers go through all this, they spend time, money, effort and prepare, and then they just get ripped to shreds when they're analyzed. On the corporate side that would be actually collecting all this information, all this data, logs, and then when it comes to actually using them, they've either been collecting the wrong stuff or it's inaccessible in a timely manner and can't be used for investigation. Third, fortunately there is a strategic hope. So this picture is a guy named James Wesley Rawles, who's probably one of the most infamous preppers in recent times. He has a few books out, he's got a website called survivalblog.com, and he lays out these different scenarios and what you can actually do in the real world to prepare for these disasters. On the corporate side, this would be really focusing on collecting the right information, having it accessible, and going from there. But there's really no way to apply it until something actually happens.

So what I want to focus on from here is collecting the right things. How do we do that? My approach is starting with a model. There are a lot of models out there. Everybody hopefully knows the kill chain; it's probably the most popular, it's been around for almost 10 years. Another one is MITRE's ATT&CK matrix, and it's more of an interactive, searchable type model. Next is the Mandiant attack lifecycle model. So what we're going to do is take that model and then find common observable actions that occur at each stage of the attack lifecycle, things like credential dumping, internal reconnaissance, lateral movement, on and on, and then from there we want to identify data sources that capture those actions. So these data sources need to be existing or obtainable: they're already being generated on the network, or they can easily be obtained through configuration changes or adding sensors. Next, they need to be easily interpretable, so a minimal amount of hex codes that need to be translated or arbitrary IDs that need to be correlated. And last, they need to be self-sufficient, so within one data source, a minimal requirement to correlate between multiple events within that same data source. A good example of something that's not very self-sufficient: Windows DNS logs. A lot of times you need to correlate between multiple events in order to get the source IP, the resource they're requesting and the associated response.

So what I want to do is go back up to these models and contrast two of them. First is the kill chain. It's really focused on early detection in the pre-compromise stage, and detection is difficult at that stage, at pre-compromise. It really requires a mature intel shop in order to be able to detect these recon, weaponization, delivery, exploitation, installation stages. So I'm not knocking the kill chain model at all, but it's really focused on a different area. On the other hand, we've got the Mandiant attack lifecycle model, which almost oversimplifies that pre-compromise stage into just one: initial compromise. But after that it really expands on what happens after the compromise and breaks that down stage by stage. So in a way it almost assumes compromise, and what it allows us to do is understand that in that initial compromise there's a huge vector of options as far as methods of attack, methods to get initial control of a host. But once an attacker has control of that host, they've got somewhat finite options as far as how to carry out their mission. So what we want to do is exploit that set of attacker needs once they have control of a host.

So remember that multicolor pyramid that we all had to learn in elementary school, Maslow's hierarchy of needs. We can kind of apply that to what's happening here. Once control is established, an attacker is going to need certain things. They're going to need orientation: they're going to need to understand where they have landed in an environment, what they're after and where it is, and then the optional paths in order to get from A to B. They're also going to need credentials, so in order to get from A to B they're going to need credentials and access to get there. These can be effective credentials, what was involved in the initial compromise; that can be local credentials, what's available on the local host that they have; or that can be remote, what's immediately accessible within an enclave. And last, they need tools to carry out the rest of the mission. These can be exogenous tools, things they have to pull down after they have control in order to carry out the mission, or they can be indigenous, so things that are on a host that are available and can be used in a malicious sense.

So what I'm going to do is take the Mandiant model and take it through stage by stage, try to understand what's going on at each stage, give some indicators that may capture this activity, and identify some data sources that may capture these individual indicators.

Let's start with the initial compromise. The goal here is to gain initial access to a system. It's usually going to involve some combination of a vulnerability, an exploit and a user-initiated action, and whatever that may be, it's going to boil down to causing a machine to execute arbitrary code. Now, just to stop here, you see I've divided the data sources into three logical silos: we've got network, host and infrastructure. The initial stage is going to have some vertical traffic through an ingress point, so the network silo is going to be pretty important. So for initial compromise there's a diverse set of data sources we could use to capture some of this information, and it really depends on your architecture. Sometimes a firewall log is going to actually capture a domain and source IP and some supporting information, so we see at the top under firewall we've got a Check Point firewall log with those things. In other environments the firewall may be layer 3 only, so we've got to go to proxy logs that may be the authoritative source for domain activity. So at the top, under web proxy, we've got a Blue Coat ProxySG log logging domain and source IP, and also we have a Cisco IronPort log, basically logging the same thing. Other environments are going to have to rely on DNS logs, and again we've got a BIND DNS log at the top and we have another DNS log right below it, virtually logging the same useful data.

Next is establish a foothold. An attacker here is going to seek more reliable control of a host. That means they may migrate into a more stable or reliable process on a host and pull down additional tools they need to complete the mission, and once they do that, they're equipped for the rest of the mission. Useful data here can be Windows Firewall activity, which is in the security log: 5025 may not be useful on its own, but if you combine that with some basic service operations, like 7036 from the system log, which has logged here an odd-looking service that's entered the running state, combine these two together and it may show a pattern of attacker activity.

Next is escalate privileges. The goal here is to collect artifacts used for authentication. These can be hashes, tickets that can either be cracked or passed, and the goal, or the result, would be to gain authority and move freely within a network or within a system. So notice that the network silo is pretty much out of play here: control has been established, and privilege escalation or credential dumping is going to be carried out on the host, or from host to host in a lateral sense. So this is a good example of a data source's relative value. It may be extremely important in detecting the initial compromise, but once C2 is established it may be irrelevant for detecting privilege escalation. So here we have the execution of credential-stealing tools. This can be detected by file name, image name, MD5, but this is a stage where there's the most tool reliance. There are a lot of tools already out there that can be downloaded and used, Windows Credential Editor, pwdump, gsecdump, things like that. They're often seen in this stage, and through process creation, actually this is a Sysmon log, we can log the file and hash and the associated data.

Next is internal recon. The idea here is to get oriented with a victim's environment and have a better sense of where they need to go. This often involves using native tools that are already on the Windows system, and the attacker's goal is to get a better understanding of the environment. This is often referred to as living off the land. So the example here, collected by Windows process tracking logs: first they use the net command to run net group "domain controllers" /domain. This can be run by any user with domain user credentials, no elevated credentials needed. Next he runs net time \\<Windows 2008 AD server>, so they've got the list of domain controllers, picked one that they want to focus on, and run a remote command to give me the current time on the domain controller. And then next you see cmd.exe calling tasklist.exe and piping the output to a log file. So they've probably identified the domain controllers, got what time it is, scheduled a task a little bit into the future and told that task to run tasklist, which is also an endogenous tool on a server or workstation, and pipe it out to a text file. So now you've got all the tasks running on a domain controller. You use that to find something that's exploitable, or use that to hide behind something that we know is running on the system.

Next is move laterally. They want to navigate towards the target from A to B and use the valid credentials they've gained in earlier steps in order to map drives, transfer files and access other hosts. The result would be to close in on the target. And the associated data here: I focused on map-drive activity, so by enabling Netlogon service debug logs on a domain controller, it logs to a text file any interaction with the Netlogon service. So in this example, if you are moving, or mapping a drive, from host A to host B, passing in certain credentials, and host B has never seen those credentials and does not have them cached, then it will query the Netlogon service on the domain controller, and it'll give you a one-liner showing the credentials used, the source host and the destination host. Definitely useful here. And the 0x0 return code means that the mapping was successful; there's also another hex code that will show if it's a failure.

Next is maintain presence. This is to ensure persistent access to targets over time, and these actions can include spreading backdoors among multiple hosts or pivoting to valid remote access. The idea here is to maintain access, given that they've already spent a lot of time and resources getting to this point. The last thing the attacker wants to do is do something potentially noisy and get identified and remediated, and then they're back to step one. So they can be spreading backdoors to multiple hosts, pivoting to remote access, web shells, etc. So here we show scheduled task activity. Here it's captured by Sysmon, and they're using the at.exe tool, which is a legacy carryover from the Windows XP days and is a way to leverage the Windows Task Scheduler to schedule local or remote tasks. So here they've run system32\evil.exe on a remote host. The other option that I have is AppLocker, which can really log some good information about evidence of execution. AppLocker is something that's somewhat difficult to implement: you have a policy, you implement it, it inadvertently blocks something that needs to be run. So they have this AppLocker audit mode, which is for testing your policies, but it also is a great data source for looking at anything that's being executed. So in this case we have conhost.exe being run from the environment variable %SYSTEM32%, %SYSTEM32%\conhost.exe, and we also have the same thing being run from %WINDIR%, so that translates to C:\Windows\System32\conhost.exe versus C:\Windows\conhost.exe, which, you know, may not stand out on its own, but if you are looking at hundreds or thousands of workstations or hosts and you see this one instance of conhost running from a different directory than the other ones, it immediately stands out as something to look into.

Last is complete mission. The idea is to extract the targeted data from the victim's network, and they do this by staging, compressing, encrypting and transferring files out of the network. The end goal is to actually take possession of the data they've identified. So you see the network data sources have come back into play, so another example of relative value: during some of the middle stages, network was irrelevant; now, since there's data actually moving vertically and leaving the network, they're back into play. So we're focused here on things leaving a network, and this can be captured as suspicious connections or suspicious file types. At the top we've got ProFTP logs showing an FTP connection to an external IP address and the internal IP associated. Hopefully you're not allowing external FTP connections, but if they are allowed, then this is useful data to have. And also suspicious file types: in this case we have the Bro files log, that's logging information about files traversing a sensor, and one of the most useful fields within this is the MIME type. The MIME type will show roughly what type of file it is, so in this case it's a RAR leaving the network, which is not normal in everyday activity.

All right, pulling it all together. The ideal scenario would be to decorate all these stages with useful data sources that facilitate detection as well as investigation. Detection helps you identify the stage of the attack, because you strategically selected data sources based on a stage; once you detect, you can peg it to a stage and then use the adjacent stages to more or less walk the model and identify additional attacker activity. And to leave you with this: many data sources are already present within the system, they just may not be collected, and others are just a matter of configuration. All right, I appreciate your time and I'll turn it back over.

[Applause] Great job.
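Editor's note, added after the transcript: the following is a worked example of the "pulling it all together" idea the speaker closes with (peg a detection to a lifecycle stage, then walk the adjacent stages), combined with the conhost-from-a-different-directory outlier check from the maintain presence section. This is added example code, not code from the talk, from Mandiant or from FireEye. The events are constructed to resemble the fields of a Sysmon Event ID 1 or Windows 4688 process-creation record; every host name, user name and path is made up, and the indicator regexes are this example's own, not a vendor signature set. The stage names follow the Mandiant attack lifecycle as the talk uses them.

```python
"""Peg process-creation events to Mandiant attack lifecycle stages, then
report the adjacent stages to hunt in next and any image path that is an
outlier across the fleet. Sample data is constructed, not real telemetry."""
import re
from collections import defaultdict

# Stage names as used in the talk, in lifecycle order.
STAGES = [
    "initial compromise", "establish foothold", "escalate privileges",
    "internal recon", "move laterally", "maintain presence", "complete mission",
]

# (regex over the command line, stage). Commands and tool names are the ones
# the talk discusses; the patterns themselves are this example's own.
INDICATORS = [
    (re.compile(r"(?:^|[\\\s])(?:wce|pwdump\d*|gsecdump)(?:\.exe)?\b", re.I),
     "escalate privileges"),
    (re.compile(r"\bnet1?\s+group\s+\"?domain controllers\"?\s+/domain\b", re.I),
     "internal recon"),
    (re.compile(r"\bnet1?\s+time\s+\\\\\S+", re.I), "internal recon"),
    (re.compile(r"\btasklist(?:\.exe)?\b[^>]*>\s*\S+", re.I), "internal recon"),
    (re.compile(r"\bnet1?\s+use\s+\\\\\S+", re.I), "move laterally"),
    (re.compile(r"(?:^|\s)at(?:\.exe)?\s+\\\\\S+\s+\d{1,2}:\d{2}\b", re.I),
     "maintain presence"),
]

# Constructed events shaped like Sysmon Event ID 1 / Windows 4688 fields.
EVENTS = [
    # Baseline: conhost.exe launched from System32 on twelve workstations.
    *[{"host": f"WS-{n:02d}", "user": "CORP\\alice",
       "image": r"C:\Windows\System32\conhost.exe",
       "cmdline": r"\??\C:\Windows\System32\conhost.exe 0x4"} for n in range(1, 13)],
    # Outlier: same basename, different directory, seen on one host only.
    {"host": "WS-07", "user": "CORP\\bob", "image": r"C:\Windows\conhost.exe",
     "cmdline": r"C:\Windows\conhost.exe"},
    # Internal recon and scheduled-task sequence from the talk, on the same host.
    {"host": "WS-07", "user": "CORP\\bob", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'net group "domain controllers" /domain'},
    {"host": "WS-07", "user": "CORP\\bob", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net time \\DC01"},
    {"host": "WS-07", "user": "CORP\\bob", "image": r"C:\Windows\System32\at.exe",
     "cmdline": r"at \\DC01 13:05 cmd /c tasklist > C:\Windows\Temp\t.txt"},
    {"host": "DC01", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c tasklist > C:\Windows\Temp\t.txt"},
    # Credential-dumping tool dropped into a user-writable directory.
    {"host": "WS-07", "user": "CORP\\bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\wce.exe", "cmdline": r"wce.exe -w"},
]


def tag_event(event):
    """Return the lifecycle stages whose indicators match the command line."""
    stages = []
    for pattern, stage in INDICATORS:
        if pattern.search(event["cmdline"]) and stage not in stages:
            stages.append(stage)
    return stages


def adjacent_stages(stage):
    """Neighbouring stages to walk after a hit is pegged to `stage`."""
    i = STAGES.index(stage)
    return STAGES[max(0, i - 1):i] + STAGES[i + 1:i + 2]


def rare_image_dirs(events, min_common_hosts=5):
    """Flag image paths whose basename is common fleet-wide but whose directory
    appears on a single host: the conhost-from-C:\\Windows case."""
    hosts_by_path, hosts_by_name = defaultdict(set), defaultdict(set)
    for ev in events:
        path = ev["image"].lower()
        hosts_by_path[path].add(ev["host"])
        hosts_by_name[path.rsplit("\\", 1)[-1]].add(ev["host"])
    return sorted(
        (path, next(iter(hosts))) for path, hosts in hosts_by_path.items()
        if len(hosts) == 1 and len(hosts_by_name[path.rsplit("\\", 1)[-1]]) >= min_common_hosts
    )


def analyze(events):
    """Tag every event, record the stages seen in order of first detection, and
    list the not-yet-seen adjacent stages whose data sources to check next."""
    hits, seen, to_hunt = [], [], []
    for ev in events:
        for stage in tag_event(ev):
            hits.append((ev["host"], stage, ev["cmdline"]))
            if stage not in seen:
                seen.append(stage)
    for stage in seen:
        for adj in adjacent_stages(stage):
            if adj not in seen and adj not in to_hunt:
                to_hunt.append(adj)
    return {"hits": hits, "stages_seen": seen, "stages_to_hunt": to_hunt,
            "path_outliers": rare_image_dirs(events)}


if __name__ == "__main__":
    result = analyze(EVENTS)
    for host, stage, cmd in result["hits"]:
        print(f"{host:6} {stage:20} {cmd}")
    print("stages seen:   ", result["stages_seen"])
    print("hunt next in:  ", result["stages_to_hunt"])
    print("path outliers: ", result["path_outliers"])
```

On the constructed sample this pegs hits to internal recon, maintain presence and escalate privileges, and reports move laterally, complete mission and establish foothold as the neighbouring stages whose data sources (Netlogon debug log, Bro files log, Windows Firewall and service events in the talk's mapping) to check next; the fleet-wide comparison flags only C:\Windows\conhost.exe on one host, exactly the case the speaker describes as standing out only when viewed across many hosts. The `at \\DC01 ... tasklist` line is tagged with two stages on purpose: the scheduled task is a persistence mechanism and the command it runs is reconnaissance, and a single event can legitimately sit on both.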