THREAT HUNTING IN СALL TRACE Andrey Skablonsky WHOAMI • Senior Analyst @Kaspersky SOC R&D • Threat hunter • Ex- infosec admin • MSTU graduate • OSCP, GCTI 2 What is Threat hunting? • Cyber threat hunting is the practice of searching iteratively through data to detect [advanced] threats that evade automatic security solutions 3 What is Threat hunting? TTP-based based - TTPs* Tough! detection TTP* detect Done automatically Tools Challenging by products Networks/ Annoying Host Artifacts Domain Names Simple signature, - Yara AM IP Addresses Easy Hash Values Trivial http://detect-respond.blogspot.mx/2013/03/the-pyramid-of-pain.html * TTP – tactics techniques and procedures 4 Process doppelgänging • Attack technique was presented at BlackHat EU 2017 by Tal Liberman and Eugene Kogan (@enSilo); • Materials: https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction- Process-Doppelganging.pdf 5 Process doppelgänging • Transactional NTFS (TxF) API: Transactional function Non transactional equivalent Description CreateTransaction no Creation of transaction CreateFileTransacted CreateFile Creating (opening) a file CopyFileTransacted CopyFileEx Copy file MoveFileTransacted MoveFileWithProgress Moving a file or directory DeleteFileTransacted DeleteFile File deletion CreateDirectoryTransacted CreateDirectoryEx Create directory RemoveDirectoryTransacted RemoveDirectory Directory removal RollbackTransaction no Transaction rollback CommitTransaction no Transaction commit 6 Process doppelgänging • Steps: 1. Create transasction: hTransaction = CreateTransaction(…); 2. Open “clean” file in transaction: hTransactedFile = CreateFileTransacted(“svchost.exe” , GENERIC_WRITE | GENERIC_READ, …, hTransaction, …) 3. Overwrite “clean” file with malicious file: WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …) 4. Create section from malicious file: NtCreateSection(&hSection, …, PAGE_READONLY, SEC_IMAGE, hTransactedFile); 5. Rollback transaction (“clean” file restored to disk): RollbackTransaction(hTransaction); 7 Process doppelgänging • Steps (continue): 6. Create process and thread (NtCreateProcessEx receives handle to created earlier section): NtCreateProcessEx(&hProcess, …, hSection, …); NtCreateThreadEx(&hThread, …, hProcess, MALICIOUS_EXE_ENTRYPOINT, …); 7. Create process parameters: RtlCreateProcessParametersEx(&ProcessParams, ...) 8. Write parameters to the address space of created process: VirtualAllocEx(hProcess, &RemoteProcessParams, …, PAGE_READWRITE); WriteProcessMemory(hProcess, RemoteProcessParams, ProcessParams, …); WriteProcessMemory(hProcess, RemotePeb.ProcessParameters, &RemoteProcessParams, …); 9. Start of substituted process: NtResumeThread(hThread, …) 8 Process doppelgänging • Demo, replace notepad with Mimikatz: 9 Process doppelgänging 10 Process doppelgänging • Result: 11 What is call stack? • Example program: main() calls function1() calls function2() … calls function6() Call stack: function6() function5() function4() function3() function2() function1() main() 12 What is call stack? • Example program: 13 What is call stack? 14 What is call stack? 15 How to view the call stack? Debugging tools: 16 How to view the call stack? • Process explorer/hacker: 17 How to view the call stack? • Sysmon event ID 10 (ProcessAccess): 18 How to view the call stack? • ETW: 19 Event Tracing for Windows (ETW) ETW architecture: Controllers Events Event tracing sessions Log files Events Real-time delivery Events Pro P Providers Consumers 20 Event Tracing for Windows (ETW) Windows Kernel Trace provider: 21 Event Tracing for Windows (ETW) Libraries for working with ETW: -C++ https://github.com/microsoft/krabsetw -C# https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.TraceEvent/ 22 Process doppelgänging. Detection with calltrace • Calltrace: 23 Process doppelgänging. Detection with calltrace • Calltrace: 24 Process doppelgänging. Detection with calltrace • Event enrichment: 25 Process doppelgänging. Detection with calltrace • Event enrichment: 26 Process doppelgänging. Detection with calltrace • Search: • Tagged event: 27 Emotet spam emails • Winword.exe with macro -> WmiPrvSe.exe -> powershell.exe 28 Emotet spam emails • VBA macro starts process via WMI: 29 Emotet spam emails • VBA macro starts process via WMI: 30 Emotet spam emails • Winword calltrace: 31 Emotet spam emails • Winword calltrace: 32 Emotet spam emails • Event enrichment: 33 Emotet spam emails • Event enrichment hunts: 34 Keylogger • Random keylogger from Github: 35 Keylogger • Keylogger’s work: 36 Keylogger • Calltrace: 37 Keylogger • Calltrace: 38 Keylogger • Event enrichment (add “calltrace” field): 39 Keylogger • Tagged event: 40 Metasploit Incognito module • Attacker got shell on the victim: 41 Metasploit Incognito module • How does it work? 1. Enumerate current access tokens of processes and their privileges in the system using: -OpenProcess; -OpenProcessToken; -OpenThreadToken; -GetTokenInformation; 2. Create a new access token that duplicates an existing token: -DuplicateTokenEx; 3. Impersonate the security context of a selected token: -ImpersonateLoggedOnUser(HANDLE hToken); 42 Metasploit Incognito module • Use of Incognito “list_tokens” and “impersonate_token” commands – got “SYSTEM” token: 43 Metasploit Incognito module • Calltrace: 44 Metasploit Incognito module • Calltrace: 45 Metasploit Incognito module • Tagged event: 46 Lateral movement via DCOM • What is DCOM? • DCOM is a proprietary Microsoft technology that allows a computer to interact with COM objects on a remote computer • COM terms: -CLSID - Class Identifier. Unique identifier for a COM class; -ProgID - Programmatic Identifier. Optional “user friendly” identifier for a CLSID; -AppID - Application Identifier. Specifies the configuration (privileges) for COM objects associated with the same executable; 47 Lateral movement via DCOM • Enumerate DCOM applications: 48 Lateral movement via DCOM. Excel • Execution through “Microsoft Excel Application” DCOM object: 49 Lateral movement via DCOM. Excel • Calltrace: 50 Lateral movement via DCOM. Excel • Calltrace: 51 Lateral movement via DCOM. Excel • Tagged event: 52 Lateral movement via DCOM. Shellbrowserwindow • Execution through “ShellBrowserWindow” DCOM object: 53 Lateral movement via DCOM. Shellbrowserwindow • Calltrace: 54 Lateral movement via DCOM. Shellbrowserwindow • Calltrace: 55 Lateral movement via DCOM. Shellbrowserwindow • Tagged event: 56 Summary • We presented new approach for detecting malicious activity with calltraces; • We described methods for collection calltraces; • Several examples of detection with calltraces were shown 57 THANKS FOR ATTENTION @author.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages58 Page
-
File Size-