Transcription

Copyright; Senior Sales Engineer, Splunk


…listing
– Overview
– The Setup
– The Attack
– The Detection
– Questions

Personal Introduction – Ninja!!

Personal Introduction – …to all layers of management

…t and respond is imperative
– …ting is often seen as a panacea
– …y operate
– …ogether
– Implement Rule/Search ‐ Review for False Positives ‐ Improve
– …t state

…ice and searches that fall into the following criteria:
– Are easy to implement
– Will improve your visibility
– …learning about your network

…deep dive into every topic discussed


The Setup (diagram labels): Splunk, Attacker, firewall, File Server, desktop

…Australia (NSA equivalent), NIST SP 800-…
…in the following manner:
– Cryptographic Hash (MD5/SHA)
– File/Folder Path (C:\Windows\TrustedPath\*)
– …Antivirus is NOT Dead
– Prefers to watch the last season of the Real World TV show
A hash rule pins one exact binary; a path rule trusts anything that runs from that location, including every function the trusted binary itself exposes, which is the gap the attack below exploits.

The Attack – Why It Works
– Leveraging trusted functions of trusted applica… …g taken
– Very open allow rules
– …consuming and often overlooked


The Attack – …le= /LogToConsole=false /u services.exe

The Attack – Internal Recon
Persistence mechanisms are set in place. Perform Internal Reconnaissance:
– What users are in Active Directory
– Can the attacker obtain valid credentials
– What hosts are on the network
– What does the attacker currently have access to
– Who is a member of the Domain Admins group?

The Attack – Internal Recon Continued
– Identify what the attacker has access to
– Cleartext Password

The Attack – Pivoting

The Attack – Pivoting Continued
– …ng is performed and the target data is found
– With valid credentials there is no need to use custom malware

The Attack ‐ Data Exfiltration: Enter DNSCat!!


…of a threat hunter and how Splunk can help you
– Detect internal reconnaissance
– Detect attacks on your hosts
– Identify where you are in the attack cycle

The Defense – …good start
– Powershell.exe spawning on a user's machine
– Cmd.exe spawning on a user's machine
– Office program, i.e. winword.exe spawning powershell.exe
Note that the parent/child case needs parent process data: Security event 4688 carries only the Creator Process ID until Windows 10/Server 2016 added Creator Process Name, so on older hosts the winword.exe → powershell.exe relationship has to come from Sysmon Event ID 1 (ParentImage).

The Defense – EventCode: 4688, Security, New Process Created ‐ Logged on all Windows Machines.
Search: index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688 (New_Process_Name=… New_Process_Name="…exe" OR New_Process_Name="C:\\Users\\*" OR New_Process_Name="…") | table _time, Account_Name, Account_Domain, New_Process_Name, Process_Command_Line
(…Sysmon …Server 2008 …)
Process_Command_Line is only populated on Windows 8.1/Server 2012 R2 and later, and only with the "Include command line in process creation events" audit setting enabled; on Server 2008 the equivalent data has to come from Microsoft Sysmon (Event ID 1). The C:\\Users\\* clause is the cheap win here: a binary executing out of a user profile is rarely legitimate on a managed desktop.

What Does It Look Like In Splunk? Operation details:
– Attack Cycle: Gaining a Foothold
– Frequency: Every hour ‐ 25 hours
– Report/Alert: Report, running as a dashboard

The Defense – EventCode: 4688, Security, New Process Created ‐ Logged on all Windows Machines.
Search: index=wineventlog EventCode=4688 sourcetype="WinEventLog:Security" Account_Name!=*$ | delta _time AS timeDelta p=3 | eval timeDelta=abs(timeDelta) | search timeDelta<2 | stats values(New_Process_Name), values(Process_Command_Line), values(Account_Name), count by _time, host | where count>…
(…Server 2012) Microsoft Sysmon …Server 2008 …)
How it works: Account_Name!=*$ drops machine accounts. delta with p=3 subtracts the _time of the event three positions earlier, so an event survives search timeDelta<2 when four processes were created on that host inside two seconds, the pattern of a script or recon tool rather than a person at a keyboard. abs() is needed because search results arrive newest first and the raw delta is negative. stats then groups the surviving events per host and second, and the where clause sets the alert threshold on the count.

What Does It Look Like In Splunk? Operation details:
– Attack Cycle: Appropriating Privileges
– Frequency: Every hour ‐ 2 hours
– Report/Alert: Alert
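The burst search above, re-implemented in Python so the same logic can be run offline over exported 4688 events. This is an added example, not code from the deck or from Splunk: the sample events, host names, and the threshold min_count are constructed, and the field names follow the Splunk Windows TA names used in the search.

```python
"""Added example (not from the original deck): the 4688 process-burst search
re-implemented in Python.  Mirrors the SPL pipeline
  Account_Name!=*$ | delta _time AS timeDelta p=3 | eval timeDelta=abs(timeDelta)
  | search timeDelta<2 | stats ... count by _time, host | where count>N
Sample events, host names and the min_count threshold are assumptions."""
from collections import defaultdict

# Constructed 4688 events (not real logs).  Windows event timestamps have
# one-second resolution, so _time is an integer epoch second, as in Splunk.
SAMPLE_EVENTS = [
    # WS01: a recon script fires eight processes in two seconds
    {"_time": 1000, "host": "WS01", "Account_Name": "alice", "New_Process_Name": r"C:\Windows\System32\cmd.exe", "Process_Command_Line": "cmd.exe /c recon.bat"},
    {"_time": 1000, "host": "WS01", "Account_Name": "alice", "New_Process_Name": r"C:\Windows\System32\whoami.exe", "Process_Command_Line": "whoami /all"},
    {"_time": 1000, "host": "WS01", "Account_Name": "alice", "New_Process_Name": r"C:\Windows\System32\net.exe", "Process_Command_Line": "net user /domain"},
    {"_time": 1000, "host": "WS01", "Account_Name": "alice", "New_Process_Name": r"C:\Windows\System32\net.exe", "Process_Command_Line": 'net group "Domain Admins" /domain'},
    {"_time": 1001, "host": "WS01", "Account_Name": "alice", "New_Process_Name": r"C:\Windows\System32\ipconfig.exe", "Process_Command_Line": "ipconfig /all"},
    {"_time": 1001, "host": "WS01", "Account_Name": "alice", "New_Process_Name": r"C:\Windows\System32\net.exe", "Process_Command_Line": "net view /domain"},
    {"_time": 1001, "host": "WS01", "Account_Name": "alice", "New_Process_Name": r"C:\Windows\System32\systeminfo.exe", "Process_Command_Line": "systeminfo"},
    {"_time": 1001, "host": "WS01", "Account_Name": "alice", "New_Process_Name": r"C:\Windows\System32\tasklist.exe", "Process_Command_Line": "tasklist /v"},
    # machine-account noise on WS01, excluded by Account_Name!=*$
    {"_time": 1001, "host": "WS01", "Account_Name": "WS01$", "New_Process_Name": r"C:\Windows\System32\svchost.exe", "Process_Command_Line": "svchost.exe -k netsvcs"},
    # WS02: interactive use, one process every ~30 seconds
    {"_time": 1000, "host": "WS02", "Account_Name": "bob", "New_Process_Name": r"C:\Windows\System32\notepad.exe", "Process_Command_Line": "notepad.exe"},
    {"_time": 1030, "host": "WS02", "Account_Name": "bob", "New_Process_Name": r"C:\Windows\explorer.exe", "Process_Command_Line": "explorer.exe"},
    {"_time": 1061, "host": "WS02", "Account_Name": "bob", "New_Process_Name": r"C:\Windows\System32\cmd.exe", "Process_Command_Line": "cmd.exe"},
    {"_time": 1092, "host": "WS02", "Account_Name": "bob", "New_Process_Name": r"C:\Windows\System32\ping.exe", "Process_Command_Line": "ping 10.0.0.1"},
]


def find_process_bursts(events, lag=3, max_delta=2, min_count=3):
    """Return {(host, second): [flagged events]} for every burst found.

    lag and max_delta reproduce `delta p=3` + `search timeDelta<2`: an event is
    flagged when the process created `lag` events earlier on the same host was
    created less than max_delta seconds before it.  Flagged events are grouped
    by host and second like `stats count by _time, host`, and groups with fewer
    than min_count events are dropped (the slide's `where count>...`).
    """
    per_host = defaultdict(list)
    for ev in events:
        if ev["Account_Name"].endswith("$"):   # Account_Name!=*$ : skip machine accounts
            continue
        per_host[ev["host"]].append(ev)

    flagged = defaultdict(list)
    for host, evs in per_host.items():
        # chronological order; Splunk hands results newest-first, hence the abs()
        evs.sort(key=lambda e: e["_time"])
        for i in range(lag, len(evs)):
            if abs(evs[i]["_time"] - evs[i - lag]["_time"]) < max_delta:
                flagged[(host, evs[i]["_time"])].append(evs[i])
    return {key: evs for key, evs in flagged.items() if len(evs) >= min_count}


def summarize(bursts):
    """One row per (host, second), shaped like the slide's stats output."""
    rows = []
    for (host, second), evs in sorted(bursts.items()):
        rows.append({
            "host": host,
            "_time": second,
            "count": len(evs),
            "New_Process_Name": sorted({e["New_Process_Name"] for e in evs}),
            "Process_Command_Line": sorted({e["Process_Command_Line"] for e in evs}),
            "Account_Name": sorted({e["Account_Name"] for e in evs}),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(find_process_bursts(SAMPLE_EVENTS)):
        print(row)
```

On the sample data only WS01 at second 1001 survives: the four events whose third-previous creation fell inside two seconds. The first second of the burst (1000) contributes a single flagged event, which is exactly the per-second split the SPL's `stats ... by _time, host` produces, so the threshold should be tuned with that in mind.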

The Defense – AD User Reconnaissance – EventCode: 4662, Security, An operation was performed on an object ‐ Logged on Domain Controllers.
Search: index=wineventlog sourcetype="wineventlog:security" EventCode=4662 Object_Type=user Account_Name!=*$ Object_Name="CN=Guest*" | fields _time, Security_ID, Object_Name | table _time, Security_ID, Object…
The Guest object is a canary: it is disabled by default and no legitimate workflow reads it, so a non-machine account touching CN=Guest is almost always a tool walking every user object. 4662 is only written when Audit Directory Service Access is enabled and the object's SACL audits the access.
The Splunk TA for Windows drops most 4662/566 events at the forwarder through a blacklist line in inputs.conf (GPO …); it has to be changed so that user objects are kept. From:
blacklist1 = EventCode="4662" Message="Object Type:\s(?!groupPolicyContainer|user)"
blacklist2 = EventCode="566" Message="Object Type:\s(?!groupPolicyContainer)"
To:
blacklist1 = EventCode="4662" Object_Type="(?!groupPolicyContainer|user)"
blacklist2 = EventCode="566" Object_Type="(?!groupPolicyContainer|user)"
Check the whitespace handling when adapting the regex: the TA's own default is Message="Object Type:(?!\s*groupPolicyContainer)", and a lookahead that does not absorb the tabs after "Object Type:" will not exclude what you expect.

What Does It Look Like In Splunk? Operation details:
– Attack Cycle: Internal Reconnaissance
– Frequency: Every hour ‐ 1 hour
– Report/Alert: Alert

The Defense – AD User Reconnaissance Continued – EventCode: 4661, Security, A handle to an object was requested ‐ Logged on Domain Controllers.
Search: index=wineventlog sourcetype="WinEventLog:Security" EventCode=4661 Object_Name=*Admins Object_Type=SAM_GROUP | map [search index=wineventlog Account_Name=$Account_Name$ Workstation_Name=*] | table _time, host, Account_Name, Workstation_Name, Source_Network_Address
Audit policy: Computer Configuration » Policies » Windows Settings » Security Settings » Advanced Audit Policy » Object Access » Audit SAM: Success, Failure
Why it works: enumerating the membership of Domain Admins or Enterprise Admins over SAMR (net group "Domain Admins" /domain and the equivalent in recon tools) opens a handle to the group object in the domain controller's SAM, which is what 4661 records. The map subsearch takes each hit's Account_Name and looks for that account's other events that carry a Workstation_Name, tying the query to a source machine. map runs one subsearch per input row and stops at maxsearches=10 by default, so on a busy DC raise that limit or replace map with a join on Account_Name.

What Does It Look Like In Splunk? Operation details:
– Attack Cycle: Internal Reconnaissance
– Frequency: Every hour ‐ 1 hour
– Report/Alert: Alert
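The 4661 *Admins check and the map step that follows it, as an added Python example that is not part of the deck or of Splunk. The events, host names and addresses are constructed; the "other events" searched for a Workstation_Name are assumed to be 4624 logons on the DC; and, unlike the slide's search, machine accounts are dropped, as the deck's other searches do with Account_Name!=*$.

```python
"""Added example (not from the original deck): the 4661 *Admins / SAM_GROUP
check and the `map` step that follows it, over constructed events.
Assumptions: Splunk Windows TA field names; the events carrying a
Workstation_Name are 4624 logons; machine accounts are excluded."""

# Constructed 4661 events from a domain controller (not real logs).
SAMPLE_4661 = [
    {"_time": 2000, "host": "DC01", "EventCode": 4661, "Account_Name": "alice",
     "Object_Type": "SAM_GROUP", "Object_Name": "Domain Admins"},
    {"_time": 2001, "host": "DC01", "EventCode": 4661, "Account_Name": "DC01$",   # machine account: skipped
     "Object_Type": "SAM_GROUP", "Object_Name": "Domain Admins"},
    {"_time": 2002, "host": "DC01", "EventCode": 4661, "Account_Name": "bob",     # a user object, not a group
     "Object_Type": "SAM_USER", "Object_Name": "Guest"},
    {"_time": 2003, "host": "DC01", "EventCode": 4661, "Account_Name": "carol",
     "Object_Type": "SAM_GROUP", "Object_Name": "Enterprise Admins"},
    {"_time": 2004, "host": "DC01", "EventCode": 4661, "Account_Name": "erin",    # not an *Admins group
     "Object_Type": "SAM_GROUP", "Object_Name": "Domain Users"},
]

# Constructed events that carry a Workstation_Name (4624 logons on the DC).
SAMPLE_LOGONS = [
    {"_time": 1990, "host": "DC01", "EventCode": 4624, "Account_Name": "alice",
     "Workstation_Name": "WS01", "Source_Network_Address": "10.0.0.11"},
    {"_time": 1995, "host": "DC01", "EventCode": 4624, "Account_Name": "dave",
     "Workstation_Name": "WS09", "Source_Network_Address": "10.0.0.99"},
    # no Workstation_Name, so Workstation_Name=* would not match this one
    {"_time": 1999, "host": "DC01", "EventCode": 4768, "Account_Name": "carol"},
]


def admin_group_handle_requests(events, suffix="Admins"):
    """EventCode=4661 Object_Type=SAM_GROUP Object_Name=*Admins, minus machine accounts."""
    return [e for e in events
            if e.get("EventCode") == 4661
            and e.get("Object_Type") == "SAM_GROUP"
            and e.get("Object_Name", "").endswith(suffix)
            and not e.get("Account_Name", "").endswith("$")]


def attribute_to_workstation(hits, other_events):
    """Emulates `| map [search Account_Name=$Account_Name$ Workstation_Name=*]`.

    For each hit, find events for the same account that name a workstation.
    map emits only the subsearch's results, so a hit with no match silently
    disappears from the table; here unmatched hits are kept with None so the
    analyst still sees the enumeration attempt.
    """
    rows = []
    for hit in hits:
        matches = [e for e in other_events
                   if e.get("Account_Name") == hit["Account_Name"] and e.get("Workstation_Name")]
        for m in matches or [None]:
            rows.append({
                "_time": hit["_time"], "host": hit["host"],
                "Account_Name": hit["Account_Name"], "Object_Name": hit["Object_Name"],
                "Workstation_Name": m["Workstation_Name"] if m else None,
                "Source_Network_Address": m.get("Source_Network_Address") if m else None,
            })
    return rows


if __name__ == "__main__":
    for row in attribute_to_workstation(admin_group_handle_requests(SAMPLE_4661), SAMPLE_LOGONS):
        print(row)
```

On the sample data alice's query resolves to WS01 / 10.0.0.11, while carol's hit is kept with no workstation because her only other event has no Workstation_Name; in the SPL version carol would vanish from the output, which is the failure mode to watch for when the map subsearch finds nothing.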


The Defense – AD User Reconnaissance Continued – EventCode: 4771, Security, Kerberos pre‐authentication failed ‐ Logged on Domain Controllers
– Search: index=wineventlog sourcetype="WinEventLog:Security" EventCode=4771 | stats values(user), dc(user) AS Distinct by Client_Address | where Distinct>…
– Audit policy: Computer Configuration » Policies » Windows Settings » Security Settings » … Audit Kerberos Authentication Service: Success, Failure
– Computer Configuration » Policies » Windows Settings » Security Settings » … Audit Kerberos Service Ticket Operations: Success, Failure
What it finds: many distinct accounts failing pre-authentication from one Client_Address is password guessing across users (a spray), as opposed to one user mistyping a password, which shows up as one account with many failures. Two caveats: 4771 is only logged for accounts that have pre-authentication enabled, and the Failure_Code should be considered, since 0x18 is a wrong password while 0x25 (clock skew) from a single drifting host will also produce many distinct users and is benign.

What Does It Look Like In Splunk? Operation details:
– Attack Cycle: Appropriating Privileges
– Frequency: Every hour ‐ 1 hour; Once a day ‐ 25h
– Report/Alert: Alert
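The 4771 search in Python, added here as an example that is not part of the deck or of Splunk. It goes slightly beyond the slide by accepting an optional Failure_Code filter so that clock-skew failures are not counted; the events, client addresses and the threshold are constructed, and `user` is the CIM field the Windows TA derives from Account_Name.

```python
"""Added example (not from the original deck): the 4771 search
  | stats values(user), dc(user) AS Distinct by Client_Address | where Distinct>N
in Python, extended with an optional Failure_Code filter the slide does not
have.  Events, addresses and the threshold are constructed/assumed."""
from collections import defaultdict


def _ev(t, user, addr, code="0x18"):
    """Build one constructed 4771 event.  Failure_Code 0x18 is a wrong
    password (KDC_ERR_PREAUTH_FAILED); 0x25 is clock skew (KRB_AP_ERR_SKEW)."""
    return {"_time": t, "EventCode": 4771, "user": user,
            "Client_Address": addr, "Failure_Code": code}


# Constructed 4771 events from a domain controller (not real logs).
SAMPLE_4771 = [
    # one source trying five different accounts once each: a spray
    _ev(3000, "alice", "::ffff:10.0.0.50"), _ev(3001, "bob", "::ffff:10.0.0.50"),
    _ev(3002, "carol", "::ffff:10.0.0.50"), _ev(3003, "dave", "::ffff:10.0.0.50"),
    _ev(3004, "erin", "::ffff:10.0.0.50"),
    # one user mistyping a password repeatedly: not a spray
    _ev(3010, "frank", "::ffff:10.0.0.11"), _ev(3011, "frank", "::ffff:10.0.0.11"),
    _ev(3012, "frank", "::ffff:10.0.0.11"),
    # a host with a drifted clock: many users, all 0x25
    _ev(3020, "gina", "::ffff:10.0.0.60", "0x25"), _ev(3021, "hal", "::ffff:10.0.0.60", "0x25"),
    _ev(3022, "ivy", "::ffff:10.0.0.60", "0x25"), _ev(3023, "jo", "::ffff:10.0.0.60", "0x25"),
]


def preauth_failures_by_source(events, min_distinct=3, failure_codes=None):
    """Return {Client_Address: sorted users} for sources where dc(user) > min_distinct.

    failure_codes, if given, restricts the count to those codes (e.g. {"0x18"})
    so that benign mass failures such as clock skew are not counted.
    """
    users_by_addr = defaultdict(set)
    for e in events:
        if e.get("EventCode") != 4771:
            continue
        if failure_codes is not None and e.get("Failure_Code") not in failure_codes:
            continue
        users_by_addr[e["Client_Address"]].add(e["user"])
    return {addr: sorted(users)
            for addr, users in users_by_addr.items() if len(users) > min_distinct}


if __name__ == "__main__":
    print(preauth_failures_by_source(SAMPLE_4771))
    print(preauth_failures_by_source(SAMPLE_4771, failure_codes={"0x18"}))
```

Without the code filter both 10.0.0.50 and the drifting host 10.0.0.60 exceed the threshold; restricting to 0x18 leaves only the spray, which is the distinction the slide's plain dc(user) cannot make.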

The Defense – …disguise processes from a keen System Administrator
How:
– EventCode: 4688, Security, New Process Created ‐ Logged on all Windows Machines
– Search: index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688 | fields _time, New_Process_Name, Account_Name, Account_Domain | eval New_Process_Name=lower(New_Process_Name) | eval Filename=mvindex(split(New_Process_Name,"\\"),-1) | search [inputlookup processes.csv | fields Filename | dedup Filename] | search NOT [inputlookup processes.csv | fields New_Process_Name] | table _time, Filename, New_Process_Name, Account_Name, Account_Domain
– …few FPs that can be identified and remediated
– …table
How it works: processes.csv lists known binaries with both their Filename and their legitimate full New_Process_Name. The first subsearch keeps only events whose file name is on the list; the second discards those whose full path is also on the list, leaving binaries that borrow a trusted name from an unexpected location (svchost.exe running out of a user profile, say). Because only the event side is lower-cased with lower(), the paths in processes.csv must be lower-case too, or the NOT subsearch never matches and every known name gets flagged. Keep the lookup under the default subsearch result limit of 10,000 rows, or the second subsearch is silently truncated.

What Does It Look Like In Splunk? Operation details:
– Frequency: Every hour ‐ 24h
– Report/Alert: Report, running as a dashboard
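The processes.csv masquerading check in Python, added as an example that is not part of the deck or of Splunk. KNOWN_PROCESSES is a constructed stand-in for processes.csv holding legitimate full paths, from which the file names are derived the same way the search derives them; the 4688 events are constructed as well.

```python
"""Added example (not from the original deck): the processes.csv masquerading
check.  KNOWN_PROCESSES stands in for processes.csv and the 4688 events are
constructed; both are assumptions, not data from the deck."""

# Stand-in for processes.csv (constructed): one legitimate full path per row.
KNOWN_PROCESSES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\cmd.exe",
]

# Constructed 4688 events (not real logs).
SAMPLE_4688 = [
    {"_time": 4000, "Account_Name": "alice", "Account_Domain": "CORP",
     "New_Process_Name": r"C:\Windows\System32\svchost.exe"},               # legitimate
    {"_time": 4001, "Account_Name": "alice", "Account_Domain": "CORP",
     "New_Process_Name": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},  # known name, wrong path
    {"_time": 4002, "Account_Name": "bob", "Account_Domain": "CORP",
     "New_Process_Name": r"C:\WINDOWS\System32\CMD.EXE"},                   # differs only in case
    {"_time": 4003, "Account_Name": "bob", "Account_Domain": "CORP",
     "New_Process_Name": r"C:\Users\bob\Downloads\lsass.exe"},              # known name, wrong path
    {"_time": 4004, "Account_Name": "bob", "Account_Domain": "CORP",
     "New_Process_Name": r"C:\Program Files\Git\bin\bash.exe"},             # not on the list: ignored
]


def filename_of(path):
    """mvindex(split(New_Process_Name, "\\"), -1): the last path component."""
    return path.rsplit("\\", 1)[-1]


def find_masquerades(events, known_paths):
    """Events whose file name is on the list but whose full path is not.

    Both sides are lower-cased here.  The SPL lower-cases only the event side,
    so there processes.csv itself must be lower-case or nothing is excluded.
    """
    known_paths = {p.lower() for p in known_paths}
    known_names = {filename_of(p) for p in known_paths}      # first subsearch: Filename list
    hits = []
    for e in events:
        path = e["New_Process_Name"].lower()
        name = filename_of(path)
        if name in known_names and path not in known_paths:  # search [...] then NOT [...]
            hits.append({"_time": e["_time"], "Filename": name, "New_Process_Name": path,
                         "Account_Name": e["Account_Name"], "Account_Domain": e["Account_Domain"]})
    return hits


if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_4688, KNOWN_PROCESSES):
        print(hit)
```

On the sample data the two profile-directory copies of svchost.exe and lsass.exe are reported, CMD.EXE is not (case only), and bash.exe is ignored because its name is not in the lookup at all; a binary the lookup does not know about is out of scope for this check, which is why the deck pairs it with the C:\\Users\\* search earlier.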

A Word on DNS Attacks – 2 Post Exploitation Scenarios
– DNS Tunneling (SSH over DNS, TCP over DNS)
– …on this topic, best by ‐ Ryan Kovar – Splunk .conf2015 presentation "…ting the known unknowns with DNS"