THREAT HUNTING IN СALL TRACE
Andrey Skablonsky WHOAMI
• Senior Analyst @Kaspersky SOC R&D • Threat hunter • Ex- infosec admin • MSTU graduate • OSCP, GCTI
2 What is Threat hunting?
• Cyber threat hunting is the practice of searching iteratively through data to detect [advanced] threats that evade automatic security solutions
3 What is Threat hunting?
TTP-based based - TTPs* Tough! detection
TTP* detect Done automatically Tools Challenging by products
Networks/ Annoying Host Artifacts
Domain Names Simple signature, - Yara AM IP Addresses Easy
Hash Values Trivial
http://detect-respond.blogspot.mx/2013/03/the-pyramid-of-pain.html * TTP – tactics techniques and procedures 4 Process doppelgänging
• Attack technique was presented at BlackHat EU 2017 by Tal Liberman and Eugene Kogan (@enSilo); • Materials: https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction- Process-Doppelganging.pdf
5 Process doppelgänging
• Transactional NTFS (TxF) API: Transactional function Non transactional equivalent Description
CreateTransaction no Creation of transaction CreateFileTransacted CreateFile Creating (opening) a file CopyFileTransacted CopyFileEx Copy file MoveFileTransacted MoveFileWithProgress Moving a file or directory DeleteFileTransacted DeleteFile File deletion CreateDirectoryTransacted CreateDirectoryEx Create directory RemoveDirectoryTransacted RemoveDirectory Directory removal RollbackTransaction no Transaction rollback CommitTransaction no Transaction commit 6 Process doppelgänging
• Steps: 1. Create transasction: hTransaction = CreateTransaction(…); 2. Open “clean” file in transaction: hTransactedFile = CreateFileTransacted(“svchost.exe” , GENERIC_WRITE | GENERIC_READ, …, hTransaction, …) 3. Overwrite “clean” file with malicious file: WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …) 4. Create section from malicious file: NtCreateSection(&hSection, …, PAGE_READONLY, SEC_IMAGE, hTransactedFile); 5. Rollback transaction (“clean” file restored to disk): RollbackTransaction(hTransaction);
7 Process doppelgänging
• Steps (continue): 6. Create process and thread (NtCreateProcessEx receives handle to created earlier section): NtCreateProcessEx(&hProcess, …, hSection, …); NtCreateThreadEx(&hThread, …, hProcess, MALICIOUS_EXE_ENTRYPOINT, …); 7. Create process parameters: RtlCreateProcessParametersEx(&ProcessParams, ...) 8. Write parameters to the address space of created process: VirtualAllocEx(hProcess, &RemoteProcessParams, …, PAGE_READWRITE); WriteProcessMemory(hProcess, RemoteProcessParams, ProcessParams, …); WriteProcessMemory(hProcess, RemotePeb.ProcessParameters, &RemoteProcessParams, …); 9. Start of substituted process: NtResumeThread(hThread, …)
8 Process doppelgänging
• Demo, replace notepad with Mimikatz:
9 Process doppelgänging
10 Process doppelgänging
• Result:
11 What is call stack?
• Example program: main() calls function1() calls function2() … calls function6() Call stack: function6() function5() function4() function3() function2() function1() main()
12 What is call stack?
• Example program:
13 What is call stack?
14 What is call stack?
15 How to view the call stack?
Debugging tools:
16 How to view the call stack?
• Process explorer/hacker:
17 How to view the call stack?
• Sysmon event ID 10 (ProcessAccess):
18 How to view the call stack?
• ETW:
19 Event Tracing for Windows (ETW)
ETW architecture:
Controllers
Events
Event tracing sessions Log files
Events Real-time delivery Events Pro P Providers Consumers
20 Event Tracing for Windows (ETW) Windows Kernel Trace provider:
21 Event Tracing for Windows (ETW)
Libraries for working with ETW: -C++ https://github.com/microsoft/krabsetw -C# https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.TraceEvent/
22 Process doppelgänging. Detection with calltrace • Calltrace:
23 Process doppelgänging. Detection with calltrace • Calltrace:
24 Process doppelgänging. Detection with calltrace • Event enrichment:
25 Process doppelgänging. Detection with calltrace • Event enrichment:
26 Process doppelgänging. Detection with calltrace • Search:
• Tagged event:
27 Emotet spam emails
• Winword.exe with macro -> WmiPrvSe.exe -> powershell.exe
28 Emotet spam emails
• VBA macro starts process via WMI:
29 Emotet spam emails
• VBA macro starts process via WMI:
30 Emotet spam emails
• Winword calltrace:
31 Emotet spam emails
• Winword calltrace:
32 Emotet spam emails
• Event enrichment:
33 Emotet spam emails
• Event enrichment hunts:
34 Keylogger
• Random keylogger from Github:
35 Keylogger
• Keylogger’s work:
36 Keylogger
• Calltrace:
37 Keylogger
• Calltrace:
38 Keylogger
• Event enrichment (add “calltrace” field):
39 Keylogger
• Tagged event:
40 Metasploit Incognito module
• Attacker got shell on the victim:
41 Metasploit Incognito module
• How does it work? 1. Enumerate current access tokens of processes and their privileges in the system using: -OpenProcess; -OpenProcessToken; -OpenThreadToken; -GetTokenInformation; 2. Create a new access token that duplicates an existing token: -DuplicateTokenEx; 3. Impersonate the security context of a selected token: -ImpersonateLoggedOnUser(HANDLE hToken);
42 Metasploit Incognito module
• Use of Incognito “list_tokens” and “impersonate_token” commands – got “SYSTEM” token:
43 Metasploit Incognito module
• Calltrace:
44 Metasploit Incognito module
• Calltrace:
45 Metasploit Incognito module
• Tagged event:
46 Lateral movement via DCOM
• What is DCOM? • DCOM is a proprietary Microsoft technology that allows a computer to interact with COM objects on a remote computer • COM terms: -CLSID - Class Identifier. Unique identifier for a COM class; -ProgID - Programmatic Identifier. Optional “user friendly” identifier for a CLSID; -AppID - Application Identifier. Specifies the configuration (privileges) for COM objects associated with the same executable;
47 Lateral movement via DCOM
• Enumerate DCOM applications:
48 Lateral movement via DCOM. Excel
• Execution through “Microsoft Excel Application” DCOM object:
49 Lateral movement via DCOM. Excel
• Calltrace:
50 Lateral movement via DCOM. Excel
• Calltrace:
51 Lateral movement via DCOM. Excel
• Tagged event:
52 Lateral movement via DCOM. Shellbrowserwindow • Execution through “ShellBrowserWindow” DCOM object:
53 Lateral movement via DCOM. Shellbrowserwindow • Calltrace:
54 Lateral movement via DCOM. Shellbrowserwindow • Calltrace:
55 Lateral movement via DCOM. Shellbrowserwindow • Tagged event:
56 Summary
• We presented new approach for detecting malicious activity with calltraces; • We described methods for collection calltraces; • Several examples of detection with calltraces were shown
57 THANKS FOR ATTENTION
@author