hunting and detecting apts using
play

Hunting and detecting APTs using Sysmon and PowerShell logging TOM - PowerPoint PPT Presentation

Jan 08, 2023 •294 likes •1.45k views

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:> whoami /all Tom Ueltschi Swiss Post CERT / SOC / CSIRT since 2007 (over 11 years!) Focus & Interests: Malware Analysis, Threat Intel,

  1. BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 54

  2. BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 55

  3. BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 56

  4. BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 57

  5. Here’s that list of strings… BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 58

  6. SIGMA rule: Malicious PS keywords BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 59

  7. “Low FP/high TP” vs. “noisy” events (90 days) > > > YMMV !!! < < < not all strings are created equal  BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 60

  8. Renaming PS.exe (evasion technique?) BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 61

  9. RETEFE Malware sample BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 62

  10. DOC/macro copy/rename PS.exe to %TEMP%\rnd.exe BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 63

  11. ProcessCreate Event from PS-renamed Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 64

  12. Search for Description: Windows PowerShell Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 65

  13. Idea for detection • Search for processes with “ Description: Windows PowerShell ” • Exclude “ powershell.exe ” (the legitimate one) • Also exclude PowerShell ISE BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 66

  14. SIGMA Search for Description: PS without powershell.exe Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 67

  15. SIGMA Search for Description: PS without powershell.exe Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 68

  16. Hello, world! My name is NOT powershell.exe  BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 69

  17. PowerShell Empire Stager BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 70

  18. PS-SB BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 71

  19. Idea for detection • Search for any of 3 strings that are not obfuscated (performance reason)  $PSVERSionTaBle.PSVErSIOn.MAjoR  System.Management.Automation.Utils  System.Management.Automation.AmsiUtils • Remove obfuscation characters (simple de-obfuscation) • Search for any of 5 strings (unique, de-obfuscated)  EnableScriptBlockLogging  EnableScriptBlockInvocationLogging  cachedGroupPolicySettings  ServerCertificateValidationCallback  Expect100Continue BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 72

  20. PS-SB BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 73

  21. PS-Empire functions executed PS-TR • Pen- tester was having “fun” with Empire • PS-Empire functions with parameters found in PS transcript file • Searched for “ … | Out - String | %{… ” BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 74

  22. PS-Empire functions executed (top 60 funct’s ) PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 75

  23. PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 76

  24. PS-TR Discovery > User enumeration – how many? BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 77

  25. Unmanaged PowerShell BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 78

  26. Get-TimedScreenshots BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 79

  27. Get-TimedScreenshots BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 80

  28. Using powershell.exe vs. unmanaged PS (PowerPick) BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 81

  29. Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 82

  30. Re-test after enabling FileCreate for rundll32.exe Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 83

  31. Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 84

  32. PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 85

  33. PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 86

  34. Idea for detection • Search PowerShell Transcript Files for “ Host Application: ” which is NOT any of • powershell.exe • powershell_ise.exe • wsmprovhost.exe • and possibly very few others BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 87

  35. SIGMA PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 88

  36. Unmanaged PowerShell BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 89

  37. BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 90

  38. BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 91

  39. Start-ClipboardMonitor BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 92

  40. PowerShell BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 93

  41. Idea for detection • Search for PowerShell EncodedCommands in command-lines • Base64 decode EncodedCommand on the fly • Search for known malicious strings / cmdlets in decoded commands BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 94

  42. Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 95

  43. Sysmon BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 96

  44. PowerPick BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 97

  45. PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 98

  46. Idea for detection • Search for known malicious strings (code snippets, even comments) in PowerShell ScriptBlock Logs and Transcript Files BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 99

  47. SIGMA PS-SB PS-TR BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 100

Recommend

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting PLC Global Footprint 2 2009 Corporate Highlights Completed three acquisitions 47.3m Sale of Hunting Energy France 11.1m Year end

857 views • 37 slides
APTS Applied Stochastic Processes Markov chains and reversibility Renewal processes and

APTS Applied Stochastic Processes Markov chains and reversibility Renewal processes and

APTS-ASP 1 APTS-ASP 2 APTS Applied Stochastic Processes Markov chains and reversibility Renewal processes and stationarity Nicholas Georgiou 1 &amp; Matt Roberts 2 nicholas.georgiou@durham.ac.uk and mattiroberts@gmail.com Martingales

982 views • 32 slides
Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and Stalk Hunting Techniques: Decoying Hunting Techniques: Pass Shooting Gauge Sizes Choke extracted from muzzle Choke lengths and wall diameters

783 views • 29 slides
APTS Applied Stochastic Processes Nicholas Georgiou 1 &amp; Matt Roberts 2

APTS Applied Stochastic Processes Nicholas Georgiou 1 &amp; Matt Roberts 2

APTS-ASP 1 APTS Applied Stochastic Processes Nicholas Georgiou 1 &amp; Matt Roberts 2 nicholas.georgiou@durham.ac.uk and mattiroberts@gmail.com (Some slides originally produced by Wilfrid Kendall, Stephen Connor, Christina Goldschmidt and

3.38k views • 127 slides
Statistical Inference https://people.bath.ac.uk/masss/APTS/apts.html Simon Shaw University of

Statistical Inference https://people.bath.ac.uk/masss/APTS/apts.html Simon Shaw University of

Statistical Inference https://people.bath.ac.uk/masss/APTS/apts.html Simon Shaw University of Bath APTS, 16-20 December 2019 Simon Shaw (University of Bath) Statistical Inference APTS, 16-20 December 2019 1 / 95 Principles for Statistical

1.34k views • 95 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil the Lion, Hwange National Park, Zimbabwe, 2013 Yann Prisner-Levyne WILD FAUNA= NATURAL RESOURCES UNDER INTERNATIONAL LAW Principle of permanent

400 views • 21 slides
Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm Licensing (Briefly) Hunting on Traditional Territory Hunting off Traditional Territory Applying for a FWID and BCEID Metis Hunting in BC

377 views • 13 slides
Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in

Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in

TABAKOV TROPHY HUNTING Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in Catalonia that the hunting area of El Vedat is situated, only 45mn of Barcelona. The territory extends on more than 3000 ha of

385 views • 10 slides
Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in

Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in

Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in popularity; Several Youtube channels (THLR.NO, EuLRH) have attracted a considerable number of followers; A riflescope is a must-have ; Often

649 views • 11 slides
APTs Way: Evading your EBNIDS Ali Abbasi Jos Wetzels Who

APTs Way: Evading your EBNIDS Ali Abbasi Jos Wetzels Who

APTs Way: Evading your EBNIDS Ali Abbasi Jos Wetzels Who we are? Ali Abbasi : PhD student in Distributed and Embedded System Security Group

921 views • 43 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting

Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting

Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting in the mountains No need to overstretch the neck while using it Can be used without a tripod The user simply puts the scope on the top of

229 views • 9 slides
THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal

THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal

THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal Intent Value Targets APT Approach &amp; 4 Emergence of 3 Ransomware Ransomhacks 5 YARA Hunting for 5 Key Takeaways Crypto Implementations ~whoami

363 views • 32 slides
Du Cercle The APTs That Werent La cuadrature du cercle La cuadratura del circulo Die

Du Cercle The APTs That Werent La cuadrature du cercle La cuadratura del circulo Die

La Quadrature Du Cercle The APTs That Werent La cuadrature du cercle La cuadratura del circulo Die Quadratur des Kreises Squaring the circle Marion Marschalek marion@cyphort.com @pinkflawd What makes

701 views • 41 slides
Survival Analysis APTS 2015/16 Ingrid Van Keilegom Institut de statistique, biostatistique et

Survival Analysis APTS 2015/16 Ingrid Van Keilegom Institut de statistique, biostatistique et

Survival Analysis APTS 2015/16 Ingrid Van Keilegom Institut de statistique, biostatistique et sciences actuarielles Universit catholique de Louvain Glasgow, August 22-26, 2016 Basic concepts Nonparametric estimation Hypothesis testing

10.27k views • 183 slides
Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Inno Innovative Materials tive Materials Air Force Research Center for Nondestructive Testin Testing T Tech chnologies, es, I Inc. c. Laboratory Evaluation Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft

308 views • 12 slides
Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process Poisson process George V. Moustakides Outline Overview of the change detection problem CUSUM test and Lordens criterion The Poisson

454 views • 28 slides
Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware January 13,

Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware January 13,

Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware January 13, 2016 Mark Mager US-CERT Code Analysis Team Homeland National Cybersecurity and Communications Integration Center Security Agenda About Me

348 views • 22 slides
Squirrel Hunting for Beginners by John Martsh R-3 Program Manager Why Squirrel Hunt?

Squirrel Hunting for Beginners by John Martsh R-3 Program Manager Why Squirrel Hunt?

Squirrel Hunting for Beginners by John Martsh R-3 Program Manager Why Squirrel Hunt? Squirrels are hunted in the fall, when the weather isnt too cold or hot Not a lot of expensive gear/equipment required Hunting doesnt require

578 views • 26 slides
Compsci 201 201 Exam 2 2 Re Review, C , Compar arat ator ors, A , APTs Par art 1 1 of

Compsci 201 201 Exam 2 2 Re Review, C , Compar arat ator ors, A , APTs Par art 1 1 of

Compsci 201 201 Exam 2 2 Re Review, C , Compar arat ator ors, A , APTs Par art 1 1 of of 4 Susan Rodger April 8, 2020 4/8/2020 Compsci 201, Spring 2020 1 U is for Unix Basis for Linux and Android and GNU and

872 views • 35 slides
What The HELK? Enabling Graph Analytics for Effective Threat Hunting HELK THP OSSEM Agenda

What The HELK? Enabling Graph Analytics for Effective Threat Hunting HELK THP OSSEM Agenda

What The HELK? Enabling Graph Analytics for Effective Threat Hunting HELK THP OSSEM Agenda Effective Threat Hunting? Current state of threat hunting programs Graph Theory Definition Origins Types Graph

1.69k views • 75 slides
M is for Linked-List Code and APTs Markov, Maps Assignment you are working on

M is for Linked-List Code and APTs Markov, Maps Assignment you are working on

Compsci 201 M is for Linked-List Code and APTs Markov, Maps Assignment you are working on Method A function by any other name Memory New Node, New ArrayList, Susan Rodger February 26, 2020 2/26/2020 CompSci 201,

643 views • 12 slides
Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior

Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior

Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior Researcher CERT Polska/NASK/ Warsaw University of Technology piotr.bialczak@cert.pl Twitter: @bialczakp 2 Malware hunting A mouse and cat game? 3

828 views • 28 slides

More recommend