Friday, August 12, 2016

Threat Hunting Techniques - AV, Proxy, DNS and HTTP Logs

Inspired by the talk from Davis Sharpe, Me19 Intrusion Hunting for the Masses A Practical Guide. The following techniques were developed along with a few other techniques that I commonly use for hunting.

Hunting Technique
AV - To identify known password dumpers, droppers and backdoors (Both Deleted and not deleted)
AV - Execution of binary from user's AppData directory
Requires profiling and removal of false positives. Example: C:\Users\*\AppData\Local\Temp\*.exe
AV - process launching without parent process or services
Svchost.exe launching without Services.exe being its parent process
AV - Scheduled jobs to perform known malicious behaviour
Review scheduled AT jobs (at.exe) and their command line entries: adding registry keys, executing processes, transferring executables
AV - Alerts for executable on web or application server
Enter and persist in your environment, establish and maintain C2.
Requires profiling and removal of false positives. File extensions: .jsp, .war, .asp, .aspx, .php, .cmf (or as custom as required)
AV - Process launch from odd directory locations
Processes launching from odd directory locations: %windows%\fonts, %windows%\help, %windows%\wbem, %windows%\addins, %windows%\debug, %windows%\system32\tasks
Known webshell filenames; anything running under a system directory (%WINDOWS%, %RECYCLER%) or other unusual locations (the webroot)
Proxy - Find regular HTTP beaconing behavior which may indicate malware C2
Malware C2 often uses regular request intervals ("beacons") to maintain contact with the attacker's infrastructure. This pattern can be observed and alerted on by examining the time intervals between requests to the same resource by the same source IP and visualizing the results.
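The interval check described above, as an added example (not code from the original post). The log tuples, the 6-request minimum and the 0.1 regularity threshold are assumptions to tune against your own proxy data; a beacon with deliberate jitter needs a looser threshold.

```python
import statistics
from collections import defaultdict

# Constructed proxy log sample: (epoch_seconds, source_ip, destination_host)
JITTER = [0, 1, -1, 2, 0, -2, 1, 0, 1, -1]
SAMPLE_LOG = (
    # ~60 s check-in with a few seconds of jitter
    [(1000 + 60 * i + j, "10.0.0.5", "updates.example.net") for i, j in enumerate(JITTER)]
    # bursty human browsing
    + [(t, "10.0.0.7", "news.example.org") for t in (1003, 1010, 1190, 1195, 2400, 2410, 3900, 3905)]
    # too few requests to judge
    + [(t, "10.0.0.9", "cdn.example.com") for t in (1000, 1500)]
)

def find_beacons(events, min_requests=6, max_cv=0.1):
    """Return [(src, dst, mean_interval, cv)] for source/destination pairs whose
    request intervals are regular. cv is the coefficient of variation
    (stdev / mean) of the gaps between consecutive requests; low means regular."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all requests share one timestamp, nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((src, dst, round(mean, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[3])  # most regular first

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```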
Proxy/DNS/HTTP - Identify potential C2 activity
Outgoing logs that contain info about domains visited by internal clients, such as DNS query or HTTP proxy logs.
You will also need a list of dynamic DNS provider domain names.

DNS and/or HTTP proxy logs can contain information about unique hosts and dynamic DNS. Isolate the log entries that contain domains hosted on dynamic DNS providers. Alert on sites visited by a low number of unique hosts (IP addresses). Use a list or feed of known dynamic DNS (DDNS) domains to query against the data.
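One way to run that query, as an added example that is not part of the original post. The provider zones and log entries are constructed placeholders; in practice the zone set comes from your DDNS list or feed, and `max_hosts` is an assumed cut-off for "low number of unique hosts".

```python
from collections import defaultdict

# Constructed stand-ins for a dynamic DNS provider list
DDNS_ZONES = {"ddns-provider.example", "dyn.example.net"}

# Constructed DNS query log: (client_ip, queried_name)
SAMPLE_QUERIES = [
    ("10.0.0.5", "host1.ddns-provider.example"),
    ("10.0.0.5", "HOST1.ddns-provider.example."),   # same name, different case / trailing dot
    ("10.0.0.6", "cam.dyn.example.net"),
    ("10.0.0.7", "cam.dyn.example.net"),
    ("10.0.0.8", "cam.dyn.example.net"),
    ("10.0.0.9", "www.notddns-provider.example"),   # lookalike suffix, not a DDNS zone
    ("10.0.0.5", "www.example.com"),
]

def normalize(name):
    return name.lower().rstrip(".")

def ddns_zone(name, zones=DDNS_ZONES):
    """Return the DDNS zone a name falls under, or None.
    Matching is done on whole labels, so a plain string-suffix lookalike does not match."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def rare_ddns_domains(queries, max_hosts=2, zones=DDNS_ZONES):
    """Return [(name, [client_ips])] for DDNS-hosted names queried by few unique hosts."""
    clients = defaultdict(set)
    for client, name in queries:
        if ddns_zone(name, zones):
            clients[normalize(name)].add(client)
    return sorted((n, sorted(ips)) for n, ips in clients.items() if len(ips) <= max_hosts)

if __name__ == "__main__":
    for name, ips in rare_ddns_domains(SAMPLE_QUERIES):
        print(name, ips)
```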
Windows Application - Identify potential 0-day exploits by looking for things blocked by EMET
Windows Application Event logs (which contain EMET logs)
EMET crash logs – 1 & 2

The Enhanced Mitigation Experience Toolkit (EMET) for Windows is a set of technologies that monitor for and block certain conditions that commonly arise as the result of common exploit patterns. It's commonly used on endpoints (but is also available on servers).
The idea here is to examine the EMET logs to find things that it has blocked (processes it has killed before they could become dangerous). These may be simple bugs in legit applications, or they could be indications of exploit attempts.
Proxy/DNS/HTTP - Identify malware by analyzing the User-Agent strings they present
HTTP proxy data; list of known-bad UAs (optional)
Stack counting, string matching, tokenization, outlier detection

* Alert for abnormally short or long strings
* Alert on known bad user agents
* Profile user agent length and alert on abnormally short or long user agents and rare user agents
* Tokenize the string and focus on strings with the lowest number of tokens
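The four checks above combined over proxy records, as an added example rather than code from the original post. The records, the known-bad substring and all thresholds are constructed assumptions; real length and rarity bounds should come from profiling your own traffic.

```python
import re
from collections import defaultdict

BROWSER = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36")

# Constructed proxy records: (source_ip, user_agent)
SAMPLE_RECORDS = [
    ("10.0.0.1", BROWSER), ("10.0.0.2", BROWSER), ("10.0.0.3", BROWSER), ("10.0.0.3", BROWSER),
    ("10.0.0.9", "Mozilla"),
    ("10.0.0.8", "ExampleBadAgent/1.0 (constructed sample string)"),
]
KNOWN_BAD = ["examplebadagent"]  # placeholder entry, not a real indicator

def hunt_user_agents(records, known_bad=(), rare_hosts=1, len_bounds=(20, 250), min_tokens=3):
    """Return {user_agent: [reasons]} for user agents worth a closer look."""
    hosts = defaultdict(set)
    for src, ua in records:
        hosts[ua].add(src)          # stack count by distinct source hosts
    findings = {}
    for ua, srcs in hosts.items():
        reasons = []
        if any(bad in ua.lower() for bad in known_bad):
            reasons.append("known_bad")
        if len(srcs) <= rare_hosts:
            reasons.append("rare")
        if not len_bounds[0] <= len(ua) <= len_bounds[1]:
            reasons.append("length")
        # tokenize on anything that is not a letter, digit or dot
        if len(re.findall(r"[A-Za-z0-9.]+", ua)) < min_tokens:
            reasons.append("few_tokens")
        if reasons:
            findings[ua] = reasons
    return findings

if __name__ == "__main__":
    for ua, reasons in hunt_user_agents(SAMPLE_RECORDS, KNOWN_BAD).items():
        print(reasons, ua)
```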
Proxy/DNS/HTTP - Identify common patterns of HTTP-based attacks
* Profile server logs for repeated requests from the same source by attacker_ip, rare_url (HFP). Large numbers of requests could indicate attempts to create a working exploit for a supposed vulnerability, or attempts to use a web shell embedded in the web content directory
* Identify URI resources that have vulnerabilities (from vuln scans and pentests) in the front-end or back-end application
* Profile the http_request length and alert on abnormally short or long user agents
Proxy/DNS/HTTP - Monitor the inbound POST requests that have no referrer. Then identify the number of posts. Multiple command execution/HTTP requests in a very short amount of time can indicate malicious requests.
Log Source: Webserver logs
Method: POST
Referrer: None
Count > 10
Duration: 30 Min
Byte counts vary in size
Single or multiple source IPs
Step: Establish and maintain C2
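The rule above (POST, no referrer, count > 10 within 30 minutes) applied to web server logs, as an added example that is not from the original post. It assumes Apache/NGINX combined log format with lines in time order; the sample lines, addresses and paths are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)"')

def make_line(ip, minute, second, uri, size, ref="-"):
    """Build one constructed combined-format log line for the sample."""
    return (f'{ip} - - [12/Aug/2016:10:{minute:02d}:{second:02d} +0000] '
            f'"POST {uri} HTTP/1.1" 200 {size} "{ref}" "constructed-agent"')

SAMPLE_LINES = (
    # 12 referrer-less POSTs to one resource, two sources, varying byte counts
    [make_line("203.0.113.10" if m % 2 == 0 else "203.0.113.11", m, 0,
               "/uploads/img.php", 100 + 37 * m) for m in range(12)]
    # normal form posts carry a referrer
    + [make_line("198.51.100.4", m, 30, "/login", 512, "https://www.example.com/login")
       for m in range(15)]
    # referrer-less but below the threshold
    + [make_line("198.51.100.9", 5 * m, 0, "/api/ping", 20) for m in range(5)]
)

def refererless_post_bursts(lines, threshold=10, window=timedelta(minutes=30)):
    """Return {uri: {count, sources, distinct_sizes}} for resources that received
    more than `threshold` POSTs without a referrer inside `window`."""
    recent = defaultdict(deque)
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["ref"] not in ("", "-"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["uri"]]        # grouped by target, so multiple source IPs still add up
        q.append((ts, m["ip"], m["bytes"]))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) > threshold and len(q) > hits.get(m["uri"], {"count": 0})["count"]:
            hits[m["uri"]] = {"count": len(q),
                              "sources": sorted({ip for _, ip, _ in q}),
                              "distinct_sizes": len({b for _, _, b in q})}
    return hits

if __name__ == "__main__":
    print(refererless_post_bursts(SAMPLE_LINES))
```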
Web shell Detection - Identify actions taken by attacker when a webshell is initially placed on a webserver

Windows security event logs (4688/592 events), HIPS or other related host monitoring solution that provides audit information about process creation

* As part of IIS layer, the other SUC2 techniques can indicate the malicious request.
* On the endpoint (Windows/Linux), detect processes created whose parent is the webserver (e.g. apache and w3wp.exe) and whether they came from PHP or functions like exec(), shell_exec(), eval(), bind(), etc.
* Subsequently monitor webroot folders to detect new file additions and/or file modifications, for example using inotify (apache) or FileSystemWatcher (IIS)
* Monitor for parameters passed to image files (eg, /.bad.png?xx=ls)
* Monitor for Windows security events (4688/592 events)
* Monitor for commands executed on the endpoint, like cmd.exe and powershell.exe, within a short time of detecting the above
* Monitor for additional tools uploaded/downloaded on the host with extensions like .zip, .exe, .rar, .7z
Endpoint - Malicious binary execution - Log Source: Windows security event logs (Event code 4688 or 592)
* Monitor for Windows security events (4688/592 events). When a webshell/malicious binary is placed on a machine, the commands executed will run under the context of the user owning the webserver process, and a child process of the web server process is an indication of lateral movement.
Lateral Movement with explicit credentials - Detect lateral movement in a Windows environment

A logon was attempted using explicit credentials
Whitelisting / filtering
* Monitor for Windows security events 4648/552 to find instances of explicit credentials being used (as with batch processes being spawned, users using the Runas command, or pass-the-hash attacks). Whitelist the recurring instances that are known to be authorized, and investigate any instances of explicit credential authentication that remain.
* Monitor for event IDs 4728, 4732 and 4756 for a user added to a privileged group. Escalation of privilege occurs once an attacker achieves a foothold within the environment.
Endpoint Authentication based lateral movements - To detect authentication-based lateral movement in Windows environments
Not all of these events are enabled by default, so you may need to change your audit policy
* Monitor the following to detect Windows authentication-based lateral movement. An excessive number of events from the categories below within the same user context in a short span indicates potentially malicious behavior.
Successful Logon (ID 4624)
Failed Logon (ID 4625)
Kerberos Authentication (ID 4768)
Kerberos Service Ticket (ID 4776)
Assignment of Administrator Rights (ID 4672)
Unknown username or password (ID 529)
Account logon time restriction violation (ID 530)
Account currently disabled (ID 531)
User account has expired (ID 532)
User not allowed to logon to the computer (ID 533)
User has not been granted the requested logon type (ID 534)
The account's password has expired (ID 535)
The NetLogon component is not active (ID 536)
The logon attempt failed for other reasons (ID 537)
Account lockout (ID 539)
Endpoint - Malicious binary execution - Find threat actors moving laterally in the network by looking for examples of common techniques they use to orient themselves on new systems.
* Monitor for windows process creation events 4688/592. Several legitimate windows binaries executing within a specified time frame may indicate lateral movement.
* Monitor for processes created by binaries in unusual locations such as %windows%\fonts, %windows%\help, %windows%\wbem, %windows%\addins, %windows%\debug, %windows%\system32\tasks
* As an adversary moves from machine to machine they will often want to know things like: who they are, what level of access they have, what services are running on the machine, and what other machines are around them
* Adversaries achieve this by using legitimate Windows binaries, run several minutes to hours apart, as determined in the script. Typical commands are net.exe, ipconfig.exe, whoami.exe, nbtstat.exe. Cluster the x number of processes executing within a 10-minute timeframe. Verify the parent process and its legitimacy, verify who owns the process, and check whether the user has a history of running these processes in the past.
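The 10-minute clustering described above, as an added example (not the script the post refers to). It also records parent processes, which serves the earlier webshell check for children of w3wp.exe. The event tuples are constructed, the threshold of 3 distinct binaries stands in for "x", and a parent process name field is assumed to be present in your 4688 data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RECON_BINARIES = {"net.exe", "ipconfig.exe", "whoami.exe", "nbtstat.exe"}

def _t(hms):
    return datetime.strptime("2016-08-12 " + hms, "%Y-%m-%d %H:%M:%S")

def _base(path):
    return path.lower().rsplit("\\", 1)[-1]

# Constructed 4688-style records: (time, host, user, new process, parent process)
SAMPLE_EVENTS = [
    (_t("10:00:05"), "WEB01", "svc_iis", r"C:\Windows\System32\whoami.exe", r"C:\Windows\System32\cmd.exe"),
    (_t("10:01:10"), "WEB01", "svc_iis", r"C:\Windows\System32\ipconfig.exe", r"C:\Windows\System32\cmd.exe"),
    (_t("10:03:00"), "WEB01", "svc_iis", r"C:\Windows\System32\net.exe", r"C:\Windows\System32\inetsrv\w3wp.exe"),
    (_t("09:00:00"), "WS07", "alice", r"C:\Windows\System32\ipconfig.exe", r"C:\Windows\System32\cmd.exe"),
    (_t("13:00:00"), "WS07", "alice", r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe"),
    (_t("16:00:00"), "WS07", "alice", r"C:\Windows\System32\whoami.exe", r"C:\Windows\System32\cmd.exe"),
]

def recon_clusters(events, window=timedelta(minutes=10), min_distinct=3):
    """Return one finding per (host, user) that ran at least `min_distinct`
    different recon binaries inside a sliding `window`."""
    by_ctx = defaultdict(list)
    for ts, host, user, image, parent in events:
        if _base(image) in RECON_BINARIES:
            by_ctx[(host, user)].append((ts, _base(image), _base(parent)))
    findings = []
    for (host, user), rows in by_ctx.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1                      # slide the window forward
            in_window = rows[start:end + 1]
            names = {r[1] for r in in_window}
            if len(names) >= min_distinct:
                findings.append({"host": host, "user": user, "start": in_window[0][0],
                                 "binaries": sorted(names),
                                 "parents": sorted({r[2] for r in in_window})})
                break                           # first cluster per context is enough to triage
    return findings

if __name__ == "__main__":
    for finding in recon_clusters(SAMPLE_EVENTS):
        print(finding)
```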
Lateral Movement - Potential privilege escalation attempts - Detect potential privilege escalation attempts
* Monitor for event ID 4728 and 4756 in Domain Controller logs
* Monitor for 4732 on both the Domain controller and Windows workstation
* Adding a non-privileged account to a privileged group is a common method for attackers to gain more access to a compromised system or domain
Lateral Movement - Access to Remote shares - Find instances of psexec service (remote command execution) on Windows systems by examining event logs pertaining to access control for remote shares.
* Monitor for event ID 5145, which indicates that a network share object was checked to see whether the client can be granted desired access. Filter for events where the share is IPC$ and the service is PSEXECSVC-*. Cross-reference by examining the 5145 events for access to the ADMIN$ share for tool/file copies and execution events.
RDP External Connections - Identify abnormal incoming RDP requests
* Monitor for event ID 4624 (Type 10) and 4778. This could potentially identify abnormal incoming RDP requests, with two primary goals: compromised user credentials, and internet-facing assets running the RDP service that are being illegitimately accessed. Baselining is the effective technique for identifying abnormal requests, for example, if a client accesses the network at an abnormal time or if user credentials are used on a client that has never been seen on the network.