
Host-Hunting on a Budget

BSides Augusta · 2019 · 31:04 · 109 views · Published 2019-10
About this talk
Leo Bastidas walks through building a threat-hunting and endpoint-visibility program using free and open-source tools when budget is constrained. He covers Sysmon, ELK Stack, osquery, and other FOSS alternatives, demonstrating how to deploy Sysmon via GPO, set up Windows Event forwarding, and quickly detect malicious activity like command-and-control beacons without expensive commercial EDR or SIEM platforms.
Transcript [en]

The next presenter is Leo Bastidas, and he's presenting Host Hunting on a Budget.

Hello everyone. I just started speaking here at conferences this year. I'm kind of nervous actually, I'll be honest, just because so many people I admire and look up to. I posted it on Twitter, like, man, I'm kind of nervous. He knows a lot of people, you know, first time back in 15 years, and they're like, oh, we'll give you a hug. So I won't give my consent where he wants to give me a hug. I accept, blanket consent form, I accept all hugs that want to be given. That'll be awesome, man, so I can use one, and I saw other people, he used one, man. So yes, hugs are welcome, and my personal space, oh, whenever you want. Maybe one come up? Yeah, man, I need him. So yes sir, man, let's go, let's go. Thank you, thank you, thank you, man. Thank you, thank you.

So I'm glad to be back. A lot of memories came back. I got out of the Army two years ago. I got pretty effed up, so now I'm out in the private sector. You know, I would have stayed in 30 years, I'll be honest, if I could. But so that goes into my first slide. Who am I? I'm nobody special, you know, just a little bit of common sense, a little bit of initiative. You know, when I was in the big Army, it's a traditional Army, I had questions and I wasn't always allowed to ask questions, just do what I said, not what I do, type of stuff. But that's where I learned my forensics, with law enforcement. That's where I did my Linux systems and stuff. I did my incident response before there was a MOS or a specialty. But then I joined Special Operations and it was the best time of my life, it was awesome. And now I work for a Japanese company, and yeah, I do threat hunting for my day job. At night I actually contribute, for the last few years now, for OpenSOC. It's a blue team CTF. We were actually a black badge event at DEF CON this year, which was pretty cool. We're part of Blue Team Village, and it was awesome. It's a group of us, most of us based out of Austin, I live in Austin, but we're spread throughout the US. opensoc.io if you want to look at our projects. We use open source tools to do blue team simulations. That's what we do for fun and we love it, it's awesome. We build scenarios and we have people find breadcrumbs. But today we're not going to talk about that, we're not going to talk about OpenSOC, opensoc.io, but we're going to talk about standing up.

So I got out of the Army two years ago, you know, I was real niche. I profiled groups in West Africa. I'm a French speaker, so my whole job was to burn French-speaking actors or groups, that's my whole job. And so this company told me, okay, can you stand up a threat-hunting platform for our company, a Global 500? And I'm like, sure, how hard could it be? Yeah, it's very freaking hard. But so I go in, yeah, you have no money, you stand up the platform. So wait, what can you do if you have no money? You can beg. You can beg them, write, more like, please give me some money, and justify somehow. You can beg management, your five managers, you know, can I have some money so I can stand up a security posture that's acceptable. And so you can go that route, or you wait for Brian Krebs to call up your company, and then get on the earnings call or something, and they're like, oh crap, do you know about this? And then all of a sudden you have unlimited funds to get whatever you want, fill it up. So you can wait for Brian Krebs, or you can use free or open source tools, and that's what I'm going to talk about, and that's what I did.

You can use Sysmon. Sysmon is an enrichment platform for Windows logs, and it's free. It's not open source, but it's free. You can use the ELK stack, you stand up your SIEM, right, ELK stack: Elasticsearch, Logstash, Kibana, and a lot of paid SIEM platforms use the ELK stack in the backend but they have their own front end, right. You can use osquery, awesome, developed by Facebook; Trail of Bits has some stuff on there too. And you can use GRR, or you use Velociraptor. If you don't know about Velociraptor, you might want to check that out. It's by the people that spun off from GRR and it's based on GRR, it's pretty good. There's Moloch. Anybody that does full packet captures knows the retention is horrible, right? We don't have the money to afford the full pcaps, even two weeks is, well, it's real expensive. Moloch gives you the metadata of the packet capture, of the network traffic, so that's very good, it's something you want to look at, and it's pretty easy for level-1, level-2 analysts to use Moloch because there's a nice GUI, web browser. There's Wazuh with OSSEC, that's more for like the Linux, Mac systems. There's Snort, you know, open source firewall, or Suricata. Graylog, open source SIEM. pfSense, open source firewall. So that's what I'm working with.

So Sysmon, what is Sysmon? So anybody that has done any kind of forensics on a Windows system, the native Windows logging leaves a lot to be desired. It's horrible, it's hard to make out what's going on. You don't get all the different logging that you could get; it's not in the basic native logs out of the box. You have to turn on audit logging, you have to try to figure out which logs you want to turn on or what you want to turn off. Sysmon makes that very easy. They have about 18 events. You can turn this simple blacklist/whitelist filtering in a flat text file config file. It's very easy. I love Sysmon. I did it in the Army and I did it in the private sector. The return on investment is quick, and I love it, my management loved it. And there was a question recently: so what if you have an EDR product, do you still need Sysmon, a free enrichment tool for Windows logging? Yes. EDR is not going to catch everything. Sysmon can help enrich your EDR, especially if you have a central location, a collector that can accept logging from different sources, from different data sources. So it's still valuable to deploy Sysmon if you can, because you can feed that into your EDR platform, and your EDR platform, whatever it is, it's not going to capture everything, and keep filling the gaps with Sysmon. So I went through that recently.

Who invented Sysmon, right? Mark Russinovich. He's the Azure CTO, you know, he's a famous Microsoft Fellow. He had Sysinternals, that got bought into Microsoft, right. And he had a partner, Thomas Garnier. They're kernel hackers, right, hooking up with the Windows APIs, and he's always updating. But it's not officially supported by Microsoft, so you have to know that it's going to be a lot of maintenance, a lot of upkeep, and it might break stuff. I'll go into that at best practices, and stuff I learned that I wish I would have known beforehand, so hopefully somebody can learn if you are going to deploy Sysmon and enrich your Windows logging, which, DoD, right, 95% of our systems were Windows, you know, XP, 7, you know, servers. So it was created in '96, I believe.

All right, so this is my scenario, this is my use case. I show up to a brand new organization. I'm there for the first hundred days, I'm going to make an impact. I want to help the team. I was brought in to stand up a threat-hunting platform, but I go in and I notice data gaps. So I get the lay of the land and I start getting, you know, visibility and creating analytics. And I'm like, all right, let's say I'll just drive any platform, but what I know is there's no endpoint visibility. There's no EDR. There's no audit logging or enhanced logging turned on. I'm like, crap, how am I going to threat hunt when this is a big old gap on the endpoint? You know, we had AV, but the AV was not at all, it was a black box. I can't, I can look into it and look at the metrics and see what they're alerting on and how they're doing it. They're saying this magic AI machine learning stuff, it's pretty much signature based, a special if-then statement, that's pretty much what it is. And we can't use that for incident response. We can see it when it gets alerted, but we can't use it for investigations, for level-1, level-2 SOC analysts. So that's where Sysmon came in. I was like, crap, I have experience deploying Sysmon, that's a good quick return on investment as long as I get buy-in.

So that's what I did. I assessed feasibility: my organization was eight percent Windows, 19 percent Linux, one percent Mac. I'm like the 1% Mac, by the way. But so, yeah, so right there, but crap, no deployment ability. I deployed Sysmon before to a big organization, fifty thousand endpoints. Let's do Sysmon, let's do it. Small InfoSec team, about, so fifty thousand endpoints, about five, five and a half, six InfoSec people in this organization. So this organization is like real-deal DIB, so I knew how to maneuver, real conservative. You know, I can't walk in like this in the office. I had to wear a suit. I'm a remote user now, thank God. But because this is, I showed up and they looked at me and they're like, that's too casual. I'm like, hey, I'm not a stickler, but that's too casual. I'm like, what do you mean? This is me dressed up. But yeah, so really think of it that way. Have five different managers, different organizations, old-school, they don't believe in the cloud. So it was that type of environment. I had to get buy-in from them, so that's what I'm up against, and different management are fighting, are lobbying for political power, because we're not all under one organization, but we are all under one company. So that's my background there.

So what is Sysmon? Sysmon is an enhancement or enrichment tool for native Windows logging, like I said. And it's going to be my second question. So an example is process creation. There's an event ID in Windows for process creation. Does anybody know that event ID for a Windows log, process creation? Does anybody know the event ID in Windows? What is it? Nope. Close. Anyway, no? Yes sir. Yes, you get the... Don't hack nobody at the conference, please. You can capture packet capture with this, it's pretty cool. Yeah, so it's 4688, yeah. So there's 4688. Sysmon, for process creation, is event ID 1. They don't capture the same thing, but the basic premise is there. They both capture process creation. 4688 captures some information from the native environment Sysmon doesn't, and vice versa; there's some stuff Sysmon captures for process creation and native logging doesn't. So Sysmon enhances your Windows logging, and it's great, especially if there are any forensic analysts. They actually do timeline events on Excel or some type of timeline. Do a show of hands, who does that? Yeah, so when you do a timeline analysis, you know, Excel is the number two, number one tool in the forensics investigation, you know, next to Google, right. And when you do a timeline and you look at the Windows event log, you're like, what the heck is going on here? It's really hard to decipher. Sysmon makes that so easy, and you can get a lot more processes. Does anybody know the Windows event log ID, so somebody clears the Windows security events, what's the ID number for that? Does anybody know that? You guys should be looking for this in your SIEM platform. If somebody clears the event security logs, it's going to actually bring another event, actually telling you the security logs got cleared. Does everybody know the ID for that? Yeah, it's 1102. I got something for you later, come see me afterwards. 1102. So when that security log gets cleared out, Sysmon is still there. It's not part of the security logs, it's stored somewhere else. So that's another thing for Sysmon, it's great. You can look at the command-line arguments and the command line. You can see what the attacker was doing in the command line and what they're using. You can see network connections, that's great, network connections for the processes, that's something you really want to see. And it generates events early in the boot process. I can't say enough good things about this one. And now with the latest update they're actually logging DNS events. That's a whole other discussion. Did anybody ever try to do some DNS logging? It's horrible, right? And so now Sysmon's doing that, but the same use case, you're going to get so many alerts, it's going to take a lot of maintenance. SwiftOnSecurity had it for two weeks before anybody else had it, right, during the beta, and after two weeks her baseline was still not good enough for production. So I mean, and she's like the number one Sysmon user, right, SwiftOnSecurity, follow her on Twitter.

Okay, so here's one thing. So I got to the environment, I'm trying to get buy-in from management. I'm like, heck, what do I do? They're real conservative. And all of a sudden I see my opportunity. I see a malicious beacon, that was it. I see a malicious beacon going outbound to some type of C2 server, and that was it. We have a, you know, SIEM, real expensive SIEM platform, but no endpoint visibility. So what can I do as an analyst, Intel guy, what can I do? I deployed Sysmon to these malicious beacons, the two workstations that are doing this malicious beaconing. I deploy with PowerShell to like ten workstations and I query with PowerShell against the Sysmon events. Bam, I'm able to capture commodity malware. Nobody catches or nobody cares about commodity malware except the organization. EDR is not going to catch it, they don't care about commodity malware, big vendors, they don't care about it. It's not worth their time. But I'm going to get buy-in from management, because I'm going to sell this to management: look, I can capture C2 events going on outbound, and these ten workstations are going to malicious IPs. Look, Sysmon caught that. Bam, I got my buy-in from different IT ops, DevOps, engineering. Bam, I show them how I did it, you know, a quick script, and I noticed that my Microsoft executable is invoking PowerShell. So that's what this is, and this is some quick and dirty PowerShell script. I'm not a PowerShell guru at all, but if I'm able to do a script to look at the logging of Sysmon or any event log on Windows, you guys and you people can actually do it, if I can do it, because I'm not advanced at all on PowerShell. And that was just my script that I query against Sysmon logs after I deploy them to ten workstations.

When is it needed? When is Sysmon needed? When would you want to deploy Sysmon to your environment? When you want enhanced logging, when you're struggling with endpoint visibility. Sysmon is used for like routine logging. Want to find, hopefully you can find the attack vector with Sysmon, that's very good. You can improve your time on incident response, that's when you want to deploy it. If it's taking you two days to do an initial triage of incident response, that's when you want to deploy Sysmon. It can help with lateral movement, it can help with a lot of areas. Where is Sysmon deployed? Sysmon's only Windows, it's only deployed on Windows systems. You know, if you want to do Mac and Linux systems you're going to look at OSSEC and osquery. You can deploy it with servers, you can, what you're going to hear if you want to deploy to the servers is, is it going to take up CPU cycles, is it going to hold up my system, is it going to bog down my system? It depends. This last update on Sysmon actually was leaking memory and you had to wait for the next update, so make sure you have a dev/test environment to deploy Sysmon when you do the update. So that's where the logs are maintained, in the Sysmon Operational log files, and standard is 65 megabytes. You can move it up to 200 megabytes, you can do whatever you want, you can adjust the size limit, and it's a FIFO, first-in first-out, logging mechanism, so all your logs are going to keep rotating out according to the requirements that you want. So you want to raise the logging requirements to 200 megabytes, but think about it, you're going to do some math. If there's like 20K systems, 50K systems, and they're all having about two weeks or three weeks of logging from Sysmon, about 200 megabytes, it's going to add up, so that's something you take into consideration. And if I'm talking too fast or if anybody's got any questions, please just raise your hand in the middle, I do not mind.

So the question is, do you deploy it as a service? You do, and it's a Windows driver, and it's not an agent. You know, there's not a little icon on the bottom right of your Windows system, but it is a service. It gets spawned, it opens a service, it can get shut down, the service, it auto-runs as the service, and you actually deploy a driver, a real small Windows driver, into the Windows system. So hopefully everybody got that question. Yes, is it a service? Yes. It's not an agent, because my employment would not let me deploy any kind of agents. That's the first thing they ask: is that another agent on the system? No, it's a driver and a service like anything else on a Windows system.

Okay, so why is it needed? It's a free alternative to EDR. It's not a replacement for an EDR tool. Oh man, okay, this time I got ten minutes, okay. It's not going to replace EDR, it's not going to replace AV. It's going to give you a retroactive, retrospective on an incident, on logging. It's going to take about 15 minutes to update, so it's not a live query against the system, it's retroactive, just keep that in mind. And a lot of the research was done by these people. You might want to follow everybody on here. Roberto Rodriguez, Cyb3rWard0g, awesome threat hunter, leading the field in threat hunting. SwiftOnSecurity, she's the main person, you know, for Sysmon and Windows security in general, she's awesome. Jessica Payne changed my life. She used to be in the Windows Defender team, I'm not sure what team she's on now at Microsoft, but her "Monitoring What Matters" changed my life, like literally. Eric Capuano from Recon InfoSec and OpenSOC, he's taught me a lot. And Olaf does a lot of advanced queries against Sysmon and Splunk, so Olaf is another person you might want to follow. And these slides are on my blog, cyber go psyops dot com.

So how is it deployed, right? Well, you can deploy it through GPO, and that's what I did. I needed something quick. SCCM administrators couldn't deploy it, so I'm like, look, I can deploy it through GPO, and that's what I did, I deployed it through GPO. And the only thing about deploying through GPO, you might not get the metrics of how many endpoints actually have Sysmon. So if you do SCCM in the Windows environment you get the metrics from that. IT ops love their metrics, so how many endpoints have so-and-so packages. So that's one advantage of SCCM. GPO, I can get done right away. You can use other automation tools, PsExec, PowerShell, Chocolatey, whatever your deployment platform is, you can deploy it, just create a package. Here's a small, here's an example layout, and that's what I mirrored. I used the Windows Event Collector and I did a subscription forwarder on each endpoint, and they're sending their native, any kind of logging on the Windows platform, into the Windows Event Collector. So all this is subscription through GPO. Turn on Windows Event Forwarding, WinRM, and send it to a Server 2008, 2016, 2019 Windows Server, and that will act as your Windows collector. And from your collector, aggregating 50K endpoints, you can forward it to Splunk, Graylog, ELK, you can deploy to any SIEM, but you are going to have a collector that captures, that pulls the subscriptions from the different endpoints, so just keep that in mind. This is what I use. I use a Server 2016 server as a Windows collector. We deployed Sysmon through GPO. We tried SCCM, but for whatever reason the package was failing.

Sir? So is it a cat-and-mouse game? Yes, it's a cat-and-mouse game. Follow Carlos Perez, darkoperator. He does some advanced stuff with SpecterOps, oh no, TrustedSec, sorry. He does some advanced training on Sysmon. He knows how to attack Sysmon. It's a cat-and-mouse game. It can be turned off, it can be attacked. You can actually log into it, and with WS-Man, it's a cat-and-mouse game. And even Mark Russinovich, the creator of Sysmon, he says it's not secure. So you're going to have an alternate, have a backup means of having process stop and create, have an alternate backup plan. But yeah, it could be attacked very easily. So he was asking, can it be attacked, or like malicious software? Yes, it's very easy to attack Sysmon.

So this, I created the WEC server, the Windows Event Collector. I configured WinRM. I made sure it had access to the security logs. I created a GPO event forwarding policy in GPO, and that was it. Sysmon was deployed through GPO. It was that easy. And make sure you have some type of file share or batch script so that way it can pull the Sysmon executable and the drivers and the service. It can deploy it to the different endpoints, so make sure you're pulling that Sysmon from a central location. You can create an ELK stack instead. So if you don't have a SIEM platform, you can create an ELK stack, and that's what we did. There's a lot of maintenance, a lot of upkeep, but we're trying to stand up the threat-hunting platform, so we used the ELK stack, and for Windows, to push the logs from Windows into an ELK stack, we used Winlogbeat.

So I'm going to talk real quick about osquery, I got a few minutes here. So osquery is a little bit different from Sysmon. So with Sysmon and osquery you have an ad hoc, makeshift EDR platform, really. You just got to get a central location of where you want to get all your analytics from. But it's pretty good if you have no money. So with Sysmon and osquery, with osquery you can actively query endpoints and get like the running processes. You don't have to remote into each workstation. You can get active information from each endpoint with osquery. It's pretty great. It's actively maintained by Facebook and a few contributors, and it's cross-platform, Windows, Linux and Macs. So osquery is awesome, it's open source, so that's pretty great. And there is a front end called Kolide. There's a front end to make it real easy, but osquery natively is using the command line, but you need to have a Kolide front end as well to make it a nice little GUI. But you can use it as a file integrity monitor, you can use it to see what's running on the system, you can query against systems, running processes, you can do some threat hunting with osquery and Sysmon, and that's what we use in our environment, and it's great.

So what would I have done differently after I deployed to 50K workstations? What did I learn from that? Well, the Sysmon config file is a simple flat text file, and it's a config with a simple blacklist/whitelist: what do you want stood up, what do you want to capture, what don't you want to capture. I wish originally that was source controlled. Oh my God, that would have helped out a lot, instead of just having the txt file on the desktop or in the SharePoint or something like that, and some of the updates, you don't know what was being updated. Source control will help with that, especially when we have different engineers working on the config file. So you definitely want to source control your config somehow, to annotate changes for every update that's done. What else did I learn? Well, have different configurations for endpoints, for users, servers and domain controllers. You don't want to capture the same thing from a DC that you do from a user, a remote user. You want to capture different logins, different actions, so you want to keep different config files. So I have about six config files in my environment. I have three test and three production: users, domain controllers and servers, all different captures. Have a test group for every domain, for every department, because you can really get really advanced in your logging if you're capturing a certain thing for Finance versus IT ops. And supplement with audit logging. Turn on your firewall logs, turn on your PowerShell scripting. Don't just use Sysmon and that's it. Is it a 100 percent silver bullet? No. Have audit logging turned on, look up like Palantir, Palantir enhanced audit logging, and supplement that with Sysmon, and vice versa. The EDR and the responsibilities of Sysmon, I talked about that, they supplement each other, they're companions. And a great resource is Roberto Rodriguez's OSSEM MITRE map, and it'll tell you what log maps to what MITRE technique. Will you be my friends? So I'm being told time's up. So any questions? Sir? Yes, I am. Oh, the forwarders, it's a subscription on the endpoint. I'm using event collectors to catch them, and then from the Windows collectors I'm sending them to the ELK stack. Yeah, so we had to do a lot. We can go into this talk afterwards. Okay, I think time's up. Sorry, come talk to me. [Applause]
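The beacon hunt the speaker describes, as an added example that is not the speaker's PowerShell script: it reads Sysmon Event ID 3 (network connection) records exported as XML (the shape `Get-WinEvent ... ToXml()` or a Winlogbeat pipeline produces) and flags process-to-destination pairs that hit a watchlist IP or connect at a suspiciously regular interval. The watchlist, the sample events (TEST-NET addresses), and the `min_connections`/`max_jitter` thresholds are all constructed assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed watchlist (TEST-NET addresses); a real hunt loads threat intel here.
KNOWN_BAD_IPS = {"203.0.113.10", "203.0.113.77"}

def parse_sysmon_events(xml_text):
    """Return the EventData fields of every Sysmon Event ID 3 record in an XML export."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.find("e:System/e:EventID", NS).text != "3":
            continue  # only network-connection events matter for a beacon hunt
        records.append({d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)})
    return records

def find_beacons(records, min_connections=4, max_jitter=0.2):
    """Flag (Image, DestinationIp) pairs that talk to a known-bad IP or connect at a
    near-constant interval (std. dev. of the gaps <= max_jitter * mean gap)."""
    groups = defaultdict(list)
    for r in records:
        if r.get("Initiated") != "true":
            continue  # outbound only; inbound connections are not beacons
        groups[(r["Image"], r["DestinationIp"])].append(
            datetime.strptime(r["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"))
    findings = []
    for (image, ip), times in groups.items():
        reasons = []
        if ip in KNOWN_BAD_IPS:
            reasons.append("known-bad destination")
        if len(times) >= min_connections:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                reasons.append(f"periodic every ~{avg:.0f}s x{len(times)}")
        if reasons:
            findings.append({"image": image, "dest": ip, "reasons": reasons})
    return findings

def _event(utc, image, dest_ip, dest_port, initiated="true"):
    """Build one ID 3 record in the shape Get-WinEvent's ToXml() produces (constructed)."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>3</EventID></System>"
        f"<EventData><Data Name='UtcTime'>{utc}</Data><Data Name='Image'>{image}</Data>"
        f"<Data Name='Initiated'>{initiated}</Data><Data Name='DestinationIp'>{dest_ip}</Data>"
        f"<Data Name='DestinationPort'>{dest_port}</Data></EventData></Event>"
    )

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed sample: a ~60 s beacon with jitter, a one-off hit on a second bad IP,
# ordinary browsing at irregular times, and one inbound connection that must be ignored.
SAMPLE_XML = "<Events>" + "".join([
    _event("2019-10-05 14:00:00.000", PS, "203.0.113.10", 443),
    _event("2019-10-05 14:00:10.000", CHROME, "198.51.100.5", 443),
    _event("2019-10-05 14:00:12.000", CHROME, "198.51.100.5", 443),
    _event("2019-10-05 14:00:30.000", r"C:\Windows\System32\cmd.exe", "203.0.113.77", 8080),
    _event("2019-10-05 14:01:01.000", PS, "203.0.113.10", 443),
    _event("2019-10-05 14:02:00.000", PS, "203.0.113.10", 443),
    _event("2019-10-05 14:02:59.000", PS, "203.0.113.10", 443),
    _event("2019-10-05 14:03:40.000", CHROME, "198.51.100.5", 443),
    _event("2019-10-05 14:04:01.000", PS, "203.0.113.10", 443),
    _event("2019-10-05 14:05:00.000", r"C:\Windows\System32\svchost.exe", "10.0.0.9", 3389, "false"),
    _event("2019-10-05 14:09:00.000", CHROME, "198.51.100.5", 443),
]) + "</Events>"

if __name__ == "__main__":
    for f in find_beacons(parse_sysmon_events(SAMPLE_XML)):
        print(f"{f['image']} -> {f['dest']}: {', '.join(f['reasons'])}")
```

Sysmon's own ring buffer rotates the log (the 65 MB default the talk mentions), so run this against the forwarded copy on the collector or SIEM rather than the endpoint.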