SlideShare a Scribd company logo

BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz

Download as PPTX, PDF
Christopher Gerritz
Christopher Gerritz

BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.

Technology
1 of 30
Hunting on the Endpoint w/ Powershell Chris Gerritz
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Speaker Background Chris Gerritz Co-Founder, Infocyte Twitter: @gerritzc Github: @singlethreaded Prior: Chief, DCC Operations AFCERT Speaker Helped establish and led USAF’s Enterprise Hunt Team.  ~800,000 node playground Founded a company that develops hunt software and capabilities.
Threat Hunting 101
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz What is Hunt? The proactive search for threats hiding within a network you control.
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Why Hunt? Reconnaissance Exploitation Installation Command and Control Lateral Movement Exfiltration Persist Real-Time Prevention/Detection Threat Hunting Forensics Attack In Progress Breach Detection Gap Response The average breach goes undetected for more than 6+ months. Many are breached and don’t know it Network Breached Incident Discovered 6+ months average
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Hunt vs DFIR (tl;dr it’s sort of the same, but not) • Incident response and forensics (DFIR) tools and techniques can be used to hunt, but have some limitations: • 1. No bread crumb trail to follow • 2. Hunting requires scalability and reduced complexity • Especially if it’s to be done iteratively (think ROI) • Principle of Diminishing Returns: • The objective is not to perform a full forensics investigation • How do you know you aren’t hunting snipe? (aka something that doesn’t exist) Problem w/ focused or IOC-based hunts
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz The Hunter’s Tool Bag (Examples) • Endpoint Solutions • Scripting (Powershell, etc.) • Interactive Endpoint Hunt Solutions • Endpoint Response/Forensics Solutions • Network Analysis Solutions • passiveDNS Monitoring/Lookups • Wireshark (sort of?) • BroIDS • Data-Centric Solutions • i.e. Elastic, Hadoop, Splunk, SEIM, etc. • Fed by Endpoint Detection & Response (EDR) • Used to store/search centralized logs/events • Malware Analysis • PEStudio • Cuckoo Sandbox
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Data-centric Analysis Endpoint Validation • Enabled by centralized logging, long data retention + sophisticated security infrastructure and event visibility at all levels (network, host, etc.). • Endpoint methodology is independent of existing security infrastructure and can be performed on almost any network (aka, the rest of us) <> A Tale of Two Hunting Methodologies
PSHunt Powershell Threat Hunting Module
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz PSHunt Components/Modules • Scanners • Surveys • Discovery • Utilities • Transport & Execution functions, etc • Survey Analysis • File Analysis
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Scanners WMI Query PSHunt Remote Registry Query Scanners: Description: Used to rapidly scan remote systems for a single piece of information using remote queries. Input: Target (DNS or IP) Output: One Line (String or CSV) Invoke-RemoteScan
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Survey Deployment / Transport SMB /Schtasks PSHunt SMB SMB /WMI HTTP / FTP Utilities [Execution]: -> Start-RemoteProcess Download or Directly Encode Needed Libraries: Invoke-DownloadFile Convert-BinaryToString Convert-StringToBinary
Remote Execution & Transport Scanning Stuff
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Execution Methods • WMI (Process Call Create) • PSRemoting (Invoke-Command) • Probably not enabled…  • Remote Task Scheduler (Schtasks) • Remote Service Manager (PSExec) Domain credentials are used to enumerate and access endpoints. Protip: type this in every windows box you see:
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Discovery / Testing Access Discovery: Test-TCPPort Test-TCPPorts Get-RemoteArchitecture Get-RemotePowershellVersion Get-RemoteOperatingSystem Additions: Dsquery Powersploit -> Recon PowerView Ports and Protocols: •TCP 22 - SSH •TCP 135 - WMI / RPC •TCP 137 - NetBIOS (Name Resolution) •TCP 139 - SMB over NetBIOS •TCP 445 - Server Message Block (SMB) •TCP 5985 - PSRemoting (http) •TCP 1025 - 5000 - Legacy Win Dynamic Range •TCP 49152 - 65535 - Modern Win Dynamic Range
Windows Host Survey
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Survey: Collect from each host • Active Processes • Loaded Modules / Drivers • Floating/Injected Modules • Active Connections • Autostarts/Autoruns • Accounts • Key Event Logs (collect all the things) PSHuntSurveysSurvey.ps1 Description: Used to collect comprehensive information on the state of a windows host
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Active Processes/Modules/Drivers PSHunt’s Get-ProcessList = Get-WmiObject -Class Win32_Process + Get-Process –Module + Get-Hashes + Invoke-SigCheck (Sysinternals) + $Process.GetOwner()
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Persistence Mechanisms (Autostarts) Implementation: Wrapped Sysinternals Autorunsc* (Note: Interacting with the registry is still a pain in the ass in Powershell.) *currently best open source collection of autostart locations – unfortunately, it’s still not comprehensive
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Memory-resident Malware Analysis Description: Discover DLL Injection, Process Overwrites, etc. Uses: PSReflect Module • Uses Matt Graeber’s PSReflect Module to access Native Win32 APIs: • Implementation: VirtualQueryEx walk across process memory looking for PE Headers in RWX memory.
Survey Analysis
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Survey Analysis Modules • Initialize-ReputationData • Loads Data into $Global:FileReputation • Update-HostObject • Get-VTStatus • Get-VTReport • Group-HostObjects Survey Analysis: Description: Compare Survey Results against Reputation Data from local store and VirusTotal. Perform Outlier and Anomaly Analysis
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz VirusTotal (64+ AV Engines) Threat Intel Providers Survey.ps1 Survey Static Analysis Dynamic Analysis (Sandbox) Collect: - What’s running (i.e. Processes) - What’s triggered to run (i.e. autostarts) - Indicators of Compromise (IoCs) Reputation Database i.e. VirusTotal Cuckoo Sandbox Malwr.com File & Malware AnalysisReputation & Threat Intelligence - Hash Lookups - IP/DNS Lookups - IOC Lookups PSHunt Suspicious Executable PEStudio PowershellArsenal Survey.ps1 SurveySurvey.ps1
Finding Bad Things
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Active Processes/Modules/Drivers Some malware, even advanced types, attempt to “hide in plain sight” or within the noise of the multitude of programs running on your systems. • Initial Technique: Hash everything and compare to a signature and threat intelligence database like VirusTotal. This will clear all known-good and known-bads. • Adv. Technique: 1. Stack Remaining data and perform anomaly and outlier analysis 2. Perform static/dynamic analysis on the exe of any suspicious or out- of-place processes
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Digital Signatures? Digital Signatures: Most malware is not digitally signed by a legitimate Certificate Authority (CA). • Attackers may load their rogue CA into your local Trusted Root CA store at the time the malware is installed (requires root privileges) • Adv. Technique: • Check anomalous/outlier root CA’s serial number against whitelist or Google it for authenticity • WARNING: Some may digitally sign malware with a legitimate but compromised CA which renders this technique ineffective. - Example: The Feb ‘13 attack against Bit9 targeted their CA server
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Persistence Mechanisms Required to maintain the malware through reboots and in times of dormancy. • Scheduled Tasks, Jobs, etc. • Registry Persistence (most common) •Technique: Hash all referenced executables in registry and compare to Threat Intel Database • Boot Process Redirection (ie. Bootkits – very sophisticated!) •Technique: Evaluate raw MBR (first 512 bytes of disk0) for redirection to alternate boot loader
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Process Memory Injection • DLL Injection / Process Hallowing: 1. Allocate chunk of unprotected Read/Write/Execute (RWX) memory inside another legitimate process. 2. Load in a malicious DLL. 3. Redirect an execution thread. 4. Profit. •Adv. Technique: • Walk Process Memory looking for PE Headers in large chunks of unprotected memory (Use @mattifestation’s PSReflect) • False Positives will come from: 1. Just-in-Time (JIT) compilers – i.e. .NET and Java Apps 2. Security Software
That’s it for now. More to come…
BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz PSHunt – Powershell Threat Hunting Chris Gerritz Co-Founder, Infocyte Twitter: @gerritzc Github: @singlethreaded NOTE: PSHunt will be posted on Github this week. Follow me:

Recommended

Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 

Recommended

Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 

More Related Content

What's hot

Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 

What's hot (20)

Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 

Similar to BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz

Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Toni de la Fuente
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big DataRommel Garcia
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big DataGreat Wide Open
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsJustin Warner
 
Adversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the ProsAdversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the Prossixdub
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamPriyanka Aash
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 

Similar to BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz (20)

Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Bsides Long Island 2019
Bsides Long Island 2019Bsides Long Island 2019
Bsides Long Island 2019
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The Pros
 
Adversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the ProsAdversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the Pros
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The Cloud
 
From P0W3R to SH3LL
From P0W3R to SH3LLFrom P0W3R to SH3LL
From P0W3R to SH3LL
 

Recently uploaded

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 

BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz

  • 1. Hunting on the Endpoint w/ Powershell Chris Gerritz
  • 2. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Speaker Background Chris Gerritz Co-Founder, Infocyte Twitter: @gerritzc Github: @singlethreaded Prior: Chief, DCC Operations AFCERT Speaker Helped establish and led USAF’s Enterprise Hunt Team.  ~800,000 node playground Founded a company that develops hunt software and capabilities.
  • 4. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz What is Hunt? The proactive search for threats hiding within a network you control.
  • 5. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Why Hunt? Reconnaissance Exploitation Installation Command and Control Lateral Movement Exfiltration Persist Real-Time Prevention/Detection Threat Hunting Forensics Attack In Progress Breach Detection Gap Response The average breach goes undetected for more than 6+ months. Many are breached and don’t know it Network Breached Incident Discovered 6+ months average
  • 6. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Hunt vs DFIR (tl;dr it’s sort of the same, but not) • Incident response and forensics (DFIR) tools and techniques can be used to hunt, but have some limitations: • 1. No bread crumb trail to follow • 2. Hunting requires scalability and reduced complexity • Especially if it’s to be done iteratively (think ROI) • Principle of Diminishing Returns: • The objective is not to perform a full forensics investigation • How do you know you aren’t hunting snipe? (aka something that doesn’t exist) Problem w/ focused or IOC-based hunts
  • 7. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz The Hunter’s Tool Bag (Examples) • Endpoint Solutions • Scripting (Powershell, etc.) • Interactive Endpoint Hunt Solutions • Endpoint Response/Forensics Solutions • Network Analysis Solutions • passiveDNS Monitoring/Lookups • Wireshark (sort of?) • BroIDS • Data-Centric Solutions • i.e. Elastic, Hadoop, Splunk, SEIM, etc. • Fed by Endpoint Detection & Response (EDR) • Used to store/search centralized logs/events • Malware Analysis • PEStudio • Cuckoo Sandbox
  • 8. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Data-centric Analysis Endpoint Validation • Enabled by centralized logging, long data retention + sophisticated security infrastructure and event visibility at all levels (network, host, etc.). • Endpoint methodology is independent of existing security infrastructure and can be performed on almost any network (aka, the rest of us) <> A Tale of Two Hunting Methodologies
  • 10. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz PSHunt Components/Modules • Scanners • Surveys • Discovery • Utilities • Transport & Execution functions, etc • Survey Analysis • File Analysis
  • 11. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Scanners WMI Query PSHunt Remote Registry Query Scanners: Description: Used to rapidly scan remote systems for a single piece of information using remote queries. Input: Target (DNS or IP) Output: One Line (String or CSV) Invoke-RemoteScan
  • 12. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Survey Deployment / Transport SMB /Schtasks PSHunt SMB SMB /WMI HTTP / FTP Utilities [Execution]: -> Start-RemoteProcess Download or Directly Encode Needed Libraries: Invoke-DownloadFile Convert-BinaryToString Convert-StringToBinary
  • 13. Remote Execution & Transport Scanning Stuff
  • 14. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Execution Methods • WMI (Process Call Create) • PSRemoting (Invoke-Command) • Probably not enabled…  • Remote Task Scheduler (Schtasks) • Remote Service Manager (PSExec) Domain credentials are used to enumerate and access endpoints. Protip: type this in every windows box you see:
  • 15. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Discovery / Testing Access Discovery: Test-TCPPort Test-TCPPorts Get-RemoteArchitecture Get-RemotePowershellVersion Get-RemoteOperatingSystem Additions: Dsquery Powersploit -> Recon PowerView Ports and Protocols: •TCP 22 - SSH •TCP 135 - WMI / RPC •TCP 137 - NetBIOS (Name Resolution) •TCP 139 - SMB over NetBIOS •TCP 445 - Server Message Block (SMB) •TCP 5985 - PSRemoting (http) •TCP 1025 - 5000 - Legacy Win Dynamic Range •TCP 49152 - 65535 - Modern Win Dynamic Range
  • 17. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Survey: Collect from each host • Active Processes • Loaded Modules / Drivers • Floating/Injected Modules • Active Connections • Autostarts/Autoruns • Accounts • Key Event Logs (collect all the things) PSHuntSurveysSurvey.ps1 Description: Used to collect comprehensive information on the state of a windows host
  • 18. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Active Processes/Modules/Drivers PSHunt’s Get-ProcessList = Get-WmiObject -Class Win32_Process + Get-Process –Module + Get-Hashes + Invoke-SigCheck (Sysinternals) + $Process.GetOwner()
  • 19. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Persistence Mechanisms (Autostarts) Implementation: Wrapped Sysinternals Autorunsc* (Note: Interacting with the registry is still a pain in the ass in Powershell.) *currently best open source collection of autostart locations – unfortunately, it’s still not comprehensive
  • 20. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Memory-resident Malware Analysis Description: Discover DLL Injection, Process Overwrites, etc. Uses: PSReflect Module • Uses Matt Graeber’s PSReflect Module to access Native Win32 APIs: • Implementation: VirtualQueryEx walk across process memory looking for PE Headers in RWX memory.
  • 22. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Survey Analysis Modules • Initialize-ReputationData • Loads Data into $Global:FileReputation • Update-HostObject • Get-VTStatus • Get-VTReport • Group-HostObjects Survey Analysis: Description: Compare Survey Results against Reputation Data from local store and VirusTotal. Perform Outlier and Anomaly Analysis
  • 23. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz VirusTotal (64+ AV Engines) Threat Intel Providers Survey.ps1 Survey Static Analysis Dynamic Analysis (Sandbox) Collect: - What’s running (i.e. Processes) - What’s triggered to run (i.e. autostarts) - Indicators of Compromise (IoCs) Reputation Database i.e. VirusTotal Cuckoo Sandbox Malwr.com File & Malware AnalysisReputation & Threat Intelligence - Hash Lookups - IP/DNS Lookups - IOC Lookups PSHunt Suspicious Executable PEStudio PowershellArsenal Survey.ps1 SurveySurvey.ps1
  • 25. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Active Processes/Modules/Drivers Some malware, even advanced types, attempt to “hide in plain sight” or within the noise of the multitude of programs running on your systems. • Initial Technique: Hash everything and compare to a signature and threat intelligence database like VirusTotal. This will clear all known-good and known-bads. • Adv. Technique: 1. Stack Remaining data and perform anomaly and outlier analysis 2. Perform static/dynamic analysis on the exe of any suspicious or out- of-place processes
  • 26. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Digital Signatures? Digital Signatures: Most malware is not digitally signed by a legitimate Certificate Authority (CA). • Attackers may load their rogue CA into your local Trusted Root CA store at the time the malware is installed (requires root privileges) • Adv. Technique: • Check anomalous/outlier root CA’s serial number against whitelist or Google it for authenticity • WARNING: Some may digitally sign malware with a legitimate but compromised CA which renders this technique ineffective. - Example: The Feb ‘13 attack against Bit9 targeted their CA server
  • 27. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Persistence Mechanisms Required to maintain the malware through reboots and in times of dormancy. • Scheduled Tasks, Jobs, etc. • Registry Persistence (most common) •Technique: Hash all referenced executables in registry and compare to Threat Intel Database • Boot Process Redirection (ie. Bootkits – very sophisticated!) •Technique: Evaluate raw MBR (first 512 bytes of disk0) for redirection to alternate boot loader
  • 28. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz Process Memory Injection • DLL Injection / Process Hallowing: 1. Allocate chunk of unprotected Read/Write/Execute (RWX) memory inside another legitimate process. 2. Load in a malicious DLL. 3. Redirect an execution thread. 4. Profit. •Adv. Technique: • Walk Process Memory looking for PE Headers in large chunks of unprotected memory (Use @mattifestation’s PSReflect) • False Positives will come from: 1. Just-in-Time (JIT) compilers – i.e. .NET and Java Apps 2. Security Software
  • 29. That’s it for now. More to come…
  • 30. BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz PSHunt – Powershell Threat Hunting Chris Gerritz Co-Founder, Infocyte Twitter: @gerritzc Github: @singlethreaded NOTE: PSHunt will be posted on Github this week. Follow me:

Editor's Notes

  1. Malware hunt came about because of the recognition that existing investments in services and technology – some very significant – were still failing to prevent malware from entering the department of defense networks. Quick detection post-infection was non existent and the type of behaviour that one would monitor for during the initial part of an attack would not be present after a successful malware installation. The malware often remained dormant for long period of time. Our founders not only established the first enterprise-scoped hunt team, but their success and technical processes became a cornerstone of the US DoD cyber defense strategy/posture. - Internally called the Enterprise Hunt Team, official name of the team was later changed to DCC (Defensive Counter-Cyber). Note on military terminology: Offensive Counter-Cyber = hack back, Defensive Counter-Cyber is defending and operating within home territory
  2. “Instead of conducting a penetration test to confirm that an attacker can compromise your environment (similar to confirming that water is indeed wet), you should conduct an assessment to determine which adversaries are already operating within your environment. “ - Rick Holland, Forrester (1/26/16)
  3. Security Trends: 2013 – Year of Next-Gen Firewall 2014 – Year of Threat Intel 2015 – Year of EDR 2016 – Year of Hunt
  4. I could spend all day on 1 box Focused / hypothesis-based hunts looking for one thing are usually a waste of time.
  5. Data Analytics relies on the organization already having sophisticated and complete data collection and retention of logs and events. Endpoint Hunt methodology does not rely on existing security infrastructure. Network Traffic Analysis – The perimeter is no longer well defined in networks with mobile, SaaS services, and ubiquitous encryption.
  6. This slide should only be used when in-front of a technical audience or if the question comes up. Infocyte Malware Hunter Platform (Simplified View) Server consists of three services and a database: API service is responsible for communication to the Infocyte Cloud Services Threat Intelligent Services, File Reputation Services (4.5+ Billion files) and Sandbox Services (as well as licensing) Worker service This is what deploys to endpoints and what collects endpoint scan reprots Core cervices Analytics services and the main communication bridge to the database and message broker services. Database Ports are customizable in the installer, but all communications from services and database are encrypted in a TLS 1.2 tunnel.
  7. To view your certificate stores, run certmgr.msc as described there. The "root" store contains the root CA, i.e. the CA which are trusted a priori. certmgr.msc shows you an aggregate view of all root CA which apply to the current user; internally, there are several relevant stores (the "local machine" stores apply to all users, the "current user" stores are specific to the current user; and there also are "enterprise" stores which are similar to "local machine" but meant to be filled automatically from the AD server of the current domain). See this page for a list of all CA that Microsoft puts in Windows by default; any discrepancy would be a local variation. The list is occasionally updated, and this is propagated to your computer through the normal Windows update mechanisms. http://security.stackexchange.com/questions/48437/how-can-you-check-the-installed-certificate-authority-in-windows-7-8 https://www.thawte.com/roots/
  8. Large = 2+ pages of memory (a page is 4kb). Meterpreter is around 650kb in memory, 150kb for the 1st stage but that’s big compared to most. Staged malware can be small but they won’t have very many features (i.e. communications, command parsing, search protocols) loaded at smaller sizes.