
We're going to start with some threat hunting fundamentals. I'm going to talk a little bit about how CrowdStrike does it, but keep in mind these techniques can be used for any company. We think we're pretty good at what we do, but I don't want you to think this is a sales pitch; this is something I think can be applicable to most organizations. Then we're going to take a brief look at Pioneer Kitten, that's the adversary we're talking about today, talk about who they are and who they target, and then get into the meat of the actual presentation, which is the intrusion overview or intrusion walkthrough. That's going to be a step-by-step of what we've seen this actor do in a specific intrusion. And the final piece is: great, what do we do about it? That's going to be the recommendations piece of this. So let's go ahead and get started.

So once again, this is going to be a little bit about how we do it and why we do it. First up, why? Why is it necessary? Why is threat hunting a piece that should be fundamental to an organization's defense portfolio? Realistically it comes down to a couple of different things. As Garrett said in the previous talk, we have access brokers as well as spear phishing becoming bigger and bigger threats, and so no longer are people having to find ways to get into your environment that would trigger perimeter controls; now they have keys to the front door. So you need somebody looking on the other side of that door and finding those indicators that they're already in the system. The other piece is we see a lot of them using native tools. This intrusion doesn't have a single piece of software pulled down from the Internet or brought with the attackers; this is all using native binaries within the Windows system. This is a trend we're seeing time and time again, and it makes them a lot sneakier: you're no longer matching on hashes or those file downloads. So this is why we do it. Now a little bit about the
different ways we go about it. The first piece is going to be your statistical analysis, and so that's: hey, what's weird in my environment? Now we have a bit of a leg up here on this, to be fair; we've got a lot of environments. But even within a single organization's environment you should be looking for those outliers, right? You need to find what programs people are running, what scheduled tasks there are, what's strange, and so that's where we start. Then we have to do some retrospective analysis. We'll talk about this a little bit later: that's going to be, great, we found a new technique. Wait a second, we weren't looking for that. Let's go do that now, right? And so as we discover new things, let's apply that to our previous data sets. The last piece is hypothesis testing, and so this is really the human side of this, where you're thinking, well, I've seen this binary be renamed, but it has this interesting flag. I wonder if I can go find other renamed binaries using this same unique flag. And so that's kind of like an "I wonder if," and then following that up. So these are our high-level strategies, but let's talk about what a good threat hunting process looks like.

The first step of this is going to be, and let me take one step back: we use the acronym, sounds very military, SEARCH here to describe this process. Once again, I don't want people walking away from this thinking this isn't applicable to your organizations, and so while this is specifically CrowdStrike language, these concepts still apply. So the first step is going to be Sense, and at this point we're just gathering telemetry; we're not passing any judgment on it. And that telemetry has all different kinds of elements to it: that could be processes that are being run, DNS requests, could be scheduled tasks. From CrowdStrike's perspective this is all endpoint focused, but if you're doing network detection it needs to be network focused: what connections are being reached out,
the duration, those pieces of information. The next step is we need to Enrich this. For somebody to find some use out of this we need to start applying some properties to these: where is that DNS request reaching out to, what is that process that's being run, what is the scheduled task, right? And so what happens is we end up with what we call threat hunting leads. These are things that we know are a little suspicious, but there's no way we could send these to a SOC. We can't be alerting customers or getting the incident response team brought up on this for every single one of these, because they're a lot looser than your typical detections, right? These are commands like whoami being run; these are sometimes account creations. So what we look for is clusters of this information operating on a single host, or that are related in some way, and so that's the next stage, Analyze. We start clustering this and we say, great, we have these hunting leads that we know can sometimes be malicious; what other pieces of telemetry have we gathered, and are those malicious as well? What about those? Let's dive into those a little bit deeper. And I want to point out here: we gather all of this without any judgment, and that's in my opinion the best way to do it, because if there's anyone in this room that can look at a bunch of telemetry and immediately make a judgment call on whether it's good or bad and be 100% right, please come let me know, we want to hire you, right? And so you need to be gathering all of that so that you can analyze it after the fact.

Next is we're Reconstructing, right? We're taking a look at: the attacker did step one, two, three, four. And what that usually leads to is actually new detections being made; you see them up here in blue. We say, oh, we didn't know this technique existed, it was a variation on an existing technique, and so now we've expanded what we know a little bit. And I'll be honest, this
next step, Communicate, this is why we do it. Whether you're an internal threat hunting team that's providing this feedback to your IR team, or you're CrowdStrike providing it to clients, you need to isolate that intrusion and somehow package it up and make sure that it gets to the right stakeholders, right? At the end of the day, once again, this is why we do it. But to be better at this step we need to also Hone this, and so we found these new hunting leads; maybe we turn these into existing ones. And then there's that retrospective analysis: we apply it to other pieces of telemetry and start to find additional intrusions that we wouldn't have otherwise stopped.

So this is the threat hunting methodology. Once again, this is what our OverWatch team does; a traditional threat hunting team would do the same thing. And the output of this team is communication, so speed is important, brevity is important in those reports, in terms of what mitigations need to be done next. I don't work on the OverWatch team. I work on a fun team that sits in between that Communicate and Hone stage: my team is the Tactical Intrusion Research team, and what we do is post-mortem analysis on intrusions that have been found. The way I usually explain it is, the hunters are finding the needles in the haystack and then they're just handing us piles of needles. So from an exposure perspective it's pretty cool; I get a great signal-to-noise ratio on what I get to look at, and this presentation is a direct result of being in the middle of that process.

So, a brief bit about Pioneer Kitten. First of all, Garrett once again mentioned this, and I'm going to keep referencing him because he had a lot of good points: adversary attribution is actually really difficult. It becomes really fuzzy, and so there are two pieces of this that become important. You have your atomic indicators, which are things like IP addresses and domains. Those can be easily faked; those can be easily subverted.
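As an added example, not part of the talk and not CrowdStrike's tooling, here is a small Python sketch of the Sense, Enrich and Analyze stages described above: raw process telemetry is gathered without judgement, each command line is tagged with a hunting-lead category (the loose signals the speaker mentions, such as whoami and account creations), and leads are then clustered per host inside a time window so that a single lead stays noise while a dense cluster on one host gets escalated. The hosts, users, command lines, regexes and thresholds are all constructed for illustration.

```python
"""Added example, not from the talk: clustering loose hunting leads per host.

Sense: gather process telemetry without judgement.
Enrich: tag each command line with a hunting-lead category.
Analyze: cluster leads per host inside a time window. One whoami is
noise; discovery commands plus an account creation and a local-admin
addition on one host within minutes is a cluster worth escalating.
All hosts, users and events below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample telemetry: (timestamp, host, user, command line).
TELEMETRY = [
    ("2023-03-01T10:02:10", "WEB01", "svc_iis", "whoami"),
    ("2023-03-01T10:02:41", "WEB01", "svc_iis", "net user"),
    ("2023-03-01T10:03:05", "WEB01", "svc_iis", "net user backupadm"),
    ("2023-03-01T10:03:40", "WEB01", "svc_iis", "netstat -nao"),
    ("2023-03-01T10:04:12", "WEB01", "svc_iis", "quser"),
    ("2023-03-01T10:09:55", "WEB01", "svc_iis", "net user helpdesk2 P@ssw0rd /add"),
    ("2023-03-01T10:10:03", "WEB01", "svc_iis", "net localgroup administrators helpdesk2 /add"),
    ("2023-03-01T11:15:00", "ADMIN-WS", "jdoe", "whoami"),            # lone admin check: noise
    ("2023-03-01T14:00:00", "FILE02", "svc_backup", "netstat -nao"),  # lone lead: noise
    ("2023-03-01T14:00:30", "FILE02", "svc_backup", "robocopy D:\\data E:\\bak"),  # no lead
]

# Enrichment rules: a lead category and the command shape that produces it.
# Anchored patterns keep "net user" (discovery) apart from "net user X Y /add".
LEAD_PATTERNS = [
    ("discovery",
     re.compile(r"^(whoami|quser|netstat\b.*|net (user|group|localgroup)( \S+)?)$", re.I)),
    ("account_creation",
     re.compile(r"^net user \S+ \S+ /add$", re.I)),
    ("local_admin_add",
     re.compile(r"^net localgroup administrators \S+ /add$", re.I)),
]


def enrich(cmdline):
    """Return the hunting-lead category for a command line, or None."""
    normalized = " ".join(cmdline.split())
    for name, pattern in LEAD_PATTERNS:
        if pattern.match(normalized):
            return name
    return None


def cluster_leads(events, window=timedelta(minutes=15), min_leads=4, min_kinds=2):
    """Group leads by host and report the first window that is dense enough.

    A host is reported when at least `min_leads` leads spanning at least
    `min_kinds` categories fall inside `window`. Thresholds are illustrative.
    """
    by_host = defaultdict(list)
    for ts, host, user, cmd in events:
        kind = enrich(cmd)
        if kind:
            by_host[host].append((datetime.fromisoformat(ts), user, kind, cmd))

    clusters = {}
    for host, leads in by_host.items():
        leads.sort(key=lambda e: e[0])
        for i, (start, _, _, _) in enumerate(leads):
            in_window = [e for e in leads[i:] if e[0] - start <= window]
            kinds = {e[2] for e in in_window}
            if len(in_window) >= min_leads and len(kinds) >= min_kinds:
                clusters[host] = {
                    "first": in_window[0][0],
                    "last": in_window[-1][0],
                    "users": sorted({e[1] for e in in_window}),
                    "kinds": sorted(kinds),
                    "commands": [e[3] for e in in_window],
                }
                break
    return clusters


if __name__ == "__main__":
    for host, c in cluster_leads(TELEMETRY).items():
        print(f"{host}: {len(c['commands'])} leads ({', '.join(c['kinds'])}) "
              f"from {c['first'].time()} to {c['last'].time()} by {', '.join(c['users'])}")
        for cmd in c["commands"]:
            print("   ", cmd)
```

Run it and only WEB01 is reported: seven leads across three categories inside eight minutes, while the lone whoami on the admin workstation and the lone netstat on the file server stay below the bar. The point is the shape of the pipeline, not the thresholds: the lead rules are deliberately loose, and the judgement happens only at the clustering step.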
Right? If we think about the Pyramid of Pain, those are easy for an adversary to swap out. On the other side, though, these behavioral indicators are actually way more interesting, a little bit more nuanced as well, because not only are we looking at techniques and tools. Normally I'd do a raise of hands here, but I'm going to make the assumption that in this room we've had a lot of people go to different classes for either blue team or red team tools. You invested time, you invested money to learn those techniques, and if somebody said, well, yeah, great, I need you to do the same task you've been doing but I need you to use a different tool, there'd be a substantial investment required for you to pick up an alternative tool. The same thing is true for our adversaries, and so figuring out what techniques they use and what tools they're using on a regular basis can help cluster that activity around an actor. The next thing up is command flags, because you'd be surprised: a lot of these companies, I say companies, criminal organizations like Conti, have runbooks, and so sometimes those operators are not actually as skilled as we may think. When they see netstat -nao they are always going to run the -nao in that order, and so depending on the order those flags are in, or what types of flags, right, maybe they're using a -- and then a word, we can start to get those patterns down. The one that I love is command mistakes. We actually have some tracking that looks at, hey, who's trying to run a Meterpreter command inside of a normal shell? That tells us that whatever group this is, is used to running Meterpreter. And so there's all these little pieces that help identify that.

So specifically, though, today, and keep in mind, please don't ask me a ton of attribution questions, I'm not on the Intel team. I do get this information and we can use this to hunt deeper, but today we're going to be looking at Pioneer Kitten. Pioneer Kitten is an Iranian threat actor, and
ideally they're targeting IP, R&D; they're looking for information. So, very different from Conti, whose motivation was clearly financial. This team is targeting countries all over the world, quite frankly, but mainly the US, Israel, and then some other Middle Eastern countries; maybe that's a little bit more politically motivated. They're targeting industries such as government, healthcare, technology and defense, and all those are focused on because of the information they have, not necessarily the money they have, right?

So, a few caveats here. First things first, I'm not up here to rebuild a play-by-play, second-by-second of this intrusion. I'm here to focus on the techniques that they use, and so that's what we're going to be doing: we'll be jumping around and clustering those in ways that make sense logically. The other thing is I'm not too interested in whether it's Falcon or whatever technique was blocked, maybe by Windows; that's less relevant to me as well, because these are techniques that are being attempted. Everyone's organization is going to be different, your controls are going to be different, and so I want to let you know what's being used out there in the wild. Whether it impacted this particular client negatively or not is irrelevant to everyone in this room. And the last piece is, obviously we've redacted some information, so anytime you see something in blue, that is an indication that it's been replaced. I didn't want to put big old REDACTED things in; it doesn't make those commands look super great and may confuse some people on where to look for some of these files.

So let's dive in. First up, now, I should have learned from Garrett, these should be a little bit larger. Good news: I don't need you to read these commands or their output. What we see here is an adversary running some discovery commands: net user, they found a
user, and then they went net user and actually pulled information specifically about a single user. Now this seems super basic, and it is, so why is it in the slide deck? Well, you'd be shocked at how many adversaries land on a box and immediately start running discovery commands, whether that's netstat, whoami, net group, net user. It is something we see almost universally across all of our intrusions, and so I don't want to underplay this; this is a very important piece. Think about what users in your organization are also running these commands. Maybe admins. A guy in accounting shouldn't be running whoami; he probably doesn't even know what that is, right? So keep an eye on your discovery commands. We saw a few others: we saw netstat being run, which is going to pull live connections, and that tells an organization a little bit about where services may be running on other boxes, where other hosts may be, or what services are running locally. And the last piece is quser; this will come in important in a bit. This is the query user command, and this lets them know who's actively connected to the box, and so that'll be relevant here in a bit.

Next we saw some pretty basic persistence. We saw an account creation, and then that account immediately got added to local administrators. Once again, nothing crazy here; that's going to be a running theme throughout this. We will get to more technical and more interesting things, but at no point was I like, yeah, they went from this box to this box using magic. These adversaries are limited by the same TCP stacks and operating systems as we are, and so a little bit of this is to demystify what they're using, right? Sure, are there more advanced versions of these techniques? Yeah, absolutely. But a lot of the time we're seeing some garden-variety stuff, even from nation-state actors.

So a little bit more interesting piece here for the persistence is they used a web shell. Now something interesting: depending on how an
EDR agent or how you're collecting things from a host is working, if they RDP into a box you may actually not see the commands run, because they're not using a CMD, they're not using a terminal; they may be clicking through windows. And so all these previous ones, the net user, the account creation, all that was done using the command line, and all of it was captured very clearly. What if they just click on something? How do we track that? This is not a forensics course, this is not a forensics talk, so we're not going to dive super deep into this, but I'm going to convince you by the end of this talk that Windows is spying on you, and we can use that to our advantage.

So over here I have what I consider a mini start menu: when you right-click on an application it'll show you what you've opened recently with that. Super convenient. Anytime there's any of that convenience built in, inherently we all know in this room that Windows must be tracking that somewhere, and so this is called a jump list. This is kind of interesting, because they don't make it super obvious what jump list is associated with what application, but this string up here, this hideous string, equates to Notepad. Now how do we know that? There are people who have put in a lot more dedication, a lot more time than I have, and they've gone through and identified over 500 different applications and what jump lists are associated with those. I've got the site down here; now of course that's unreadable for those of you in the back, and probably not useful for anyone wanting to jot it down, but those jump list indexes exist, and it's super useful if you're wanting to step back into something here. So what we know from this slide is that they opened Notepad. That doesn't necessarily mean that they created a local web shell, but now we have LNK files. LNK files are just shortcut files, and anytime you see anything inside of the Recent
files section in your Explorer, you can actually navigate there. You can go to your AppData\Roaming\Microsoft\Windows\Recent and you can see what files have recently been accessed. Matter of fact, I have what now seems to be a very small GIF showcasing this: I'm opening things using the GUI and we're seeing them populate here. We're not seeing it well, but that's okay. And we also see a jump list being created here, and as a result now we can leverage that. So keep in mind, anytime Microsoft knows what you want to do, whether that's from a performance perspective or a convenience perspective, that's probably documented somewhere.

So they created a web shell. That's interesting on the local box, right? But then we start to see remote web shell creation, and this is something that, I'll be honest, I wasn't aware that you could do: you can run notepad followed by a UNC path and you can just write a file. It opens up Notepad right on your machine, you're modifying it, you save it, and boom, it goes over to the other file. Pretty slick, logical, right? I'm not surprised by this; I just had never done it. And so they did that across multiple machines, I think five in total, impacting multiple .aspx files, which are related to, in this case, an IIS server. So of course they've modified configuration files; now they need to restart the service. I'm not going to go into this slide and how ugly this is, but the things you need to know is there's a task creation, a task run, and a task deletion. Now if we make that a little bit easier to read, we can see in here that they created something called "Server Managements", with an S, not sure why they thought that was super stealthy. The schedule: they're going to run it once, and the command is an IIS restart, is really what it is; they're resetting that server. They have remote systems, they have the admin credentials, in this case it's a fill-in but they have some user credentials, and they want to run it as SYSTEM.
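As an added example, not part of the talk and not CrowdStrike's tooling, here is a Python sketch of how a hunter can correlate the task creation, task run and task deletion events just described rather than relying on enumerating the live task list: lifecycle events are folded into one record per host and task name, the lifetime between creation and deletion is computed, and for each short-lived task the code works out which periodic snapshot intervals would never have observed it. The events, host names, the task name, the creator account and the candidate polling intervals are all constructed for illustration.

```python
"""Added example, not from the talk: correlate scheduled-task create/run/
delete events instead of only snapshotting the task list.

Models a task registered on a remote host to run once as SYSTEM, run on
demand right away, then deleted. A snapshot of live tasks taken every few
minutes can miss a task that lived under a minute; correlating the
lifecycle events does not. All events, hosts and names are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed task-scheduler style events: (timestamp, host, action, task name, details).
EVENTS = [
    ("2023-03-01T17:31:02", "WEB03", "created", "\\Server Managements",
     {"run_as": "SYSTEM", "schedule": "once 18:00", "creator": "CORP\\adminuser", "origin": "WEB01"}),
    ("2023-03-01T17:31:20", "WEB03", "run", "\\Server Managements", {}),
    ("2023-03-01T17:31:58", "WEB03", "deleted", "\\Server Managements", {}),
    ("2023-03-01T03:00:00", "WEB03", "created", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     {"run_as": "SYSTEM", "schedule": "weekly", "creator": "NT AUTHORITY\\SYSTEM"}),
    ("2023-03-01T09:15:00", "FILE02", "created", "\\BackupJob",
     {"run_as": "SYSTEM", "schedule": "daily 02:00", "creator": "CORP\\backupsvc"}),
    ("2023-03-01T09:15:30", "FILE02", "run", "\\BackupJob", {}),
]

# Candidate snapshot intervals, in seconds, to test against each task's lifetime.
POLL_INTERVALS_S = (30, 60, 300, 1800)


def task_lifecycles(events):
    """Fold events into one record per (host, task): created, runs, deleted."""
    lifecycles = defaultdict(dict)
    for ts, host, action, name, details in sorted(events, key=lambda e: e[0]):
        record = lifecycles[(host, name)]
        when = datetime.fromisoformat(ts)
        if action == "created":
            record["created"] = when
            record.update(details)
        elif action == "run":
            record.setdefault("runs", []).append(when)
        elif action == "deleted":
            record["deleted"] = when
    return lifecycles


def missed_by_polling(created, deleted, poll_interval):
    """True when a task-list snapshot taken every `poll_interval`, aligned to
    midnight, would never land between creation and deletion."""
    midnight = created.replace(hour=0, minute=0, second=0, microsecond=0)
    ticks_elapsed = (created - midnight) // poll_interval
    next_tick = midnight + (ticks_elapsed + 1) * poll_interval
    return next_tick > deleted


def short_lived_tasks(events, max_lifetime=timedelta(minutes=5)):
    """Tasks that were created, run at least once and deleted within max_lifetime."""
    hits = []
    for (host, name), rec in task_lifecycles(events).items():
        if "created" in rec and "deleted" in rec and rec.get("runs"):
            lifetime = rec["deleted"] - rec["created"]
            if lifetime <= max_lifetime:
                hits.append({
                    "host": host,
                    "task": name,
                    "lifetime_s": int(lifetime.total_seconds()),
                    "run_as": rec.get("run_as"),
                    "creator": rec.get("creator"),
                    "origin": rec.get("origin"),
                    "polls_that_miss_s": [
                        s for s in POLL_INTERVALS_S
                        if missed_by_polling(rec["created"], rec["deleted"], timedelta(seconds=s))
                    ],
                })
    return hits


if __name__ == "__main__":
    for hit in short_lived_tasks(EVENTS):
        print(hit)
```

On the constructed data only "\Server Managements" on WEB03 is reported: it lived 56 seconds, and a snapshot taken every 60, 300 or 1800 seconds never sees it, while a 30-second snapshot happens to catch it. The weekly defrag task and the backup job are never deleted, so they fall through. The design choice is that the trigger is the create, run and delete sequence itself, which the scheduler logs regardless of how briefly the task existed, so the detection does not depend on a polling cadence.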
And the start time is six o'clock; it's now. We think, great, now we just wait. Oh no, they created it, and then they ran a command to run it, and then they deleted it, and so it's really just a way to execute a command on another machine. So I think this is an important piece here. Now, they waited 27 minutes between the file modification and the scheduled task creation. The piece here is that if you're running periodic queries on your scheduled tasks, you may think that you're able to find anything related to scheduled tasks, but if you're running it at five-minute intervals there's a pretty good chance you actually missed this one; it was only alive for about a minute. God forbid you're doing every 30 minutes. And so those types of defenses work great against long-term persistence, if they're wanting to re-establish a shell, but in this case you probably missed it, because it was just up for a second to execute something.

We switched from persistence to lateral movement because it's complicated; it's complicated when you start bucketizing things. But it's that same technique they used for persistence; now they're moving laterally and able to get those web shells on other boxes.

So this is an interesting one. This is interesting because I was 100% wrong about what I thought it did. This is a registry key along the top, and it's for Terminal Services, and the value is, I'm sorry, the key is Shadow, and you can actually set this Shadow value to one, or zero through four, so you have five options. And it equates to going through the system and actually modifying, my spotlight's not working, but on the right-hand side you see the GUI version of that. It allows you to say, hey, when I shadow a session, either I can full-out deny remote control, I can obtain the user's permission to view or edit, or I can just bypass that and not ask for anything. And that's absolutely what they did: they set it to two. Now when I went to go test this I said, great, this is for RDP,
completely ignoring