Hunting for Unfriendly Easter Eggs-Astrich-Robinson-5-22

advertisement
Hunting for Unfriendly Easter Eggs
Capturing evidence of APT attacks
Michael Robinson & Craig Astrich
Introductions
Michael Robinson
Craig Astrich
Page 2
Historical Note
Defining Advanced Persistent Threat (APT)
•
Term originated within the U.S. Air Force in 2006.
•
Originally used so Air Force personnel could discuss a
series of attacks attributed to a specific set of actors
located in Asia-Pacific region with uncleared partners.
•
The term appeared more publicly in 2008-2009 in
conferences.
•
The term has hit mainstream media in 2010 with the
announcement of Operation Aurora.
•
Attacks from foreign adversaries occurred before 2006.
Page 3
APT Model
Cloppert’s Kill Chain
Model created in 2009.
Desire to break the chain as far to the left as possible.
Defensive/protective measures
Clean-up costs
Page 4
APT Model
Cloppert’s Kill Chain
Recognized, but the model has limitations.
Not effective in defining all of the characteristics of the life cycle.
Lots of activity
grouped together
Page 5
New de facto Model
Shift in Term’s Meaning
Specific
attacker/actor
Attack with
specific characteristics
ATTRIBUTION
Page 6
New de facto Model
Tremendous Confusion Over the Term’s Meaning
Is it a person or an attack type?
Are the attackers nation states, terrorists, organizations or individuals?
Does it necessarily involve zero day exploitation?
Is customized malware always involved?
Do these attacks frequently use social networking/phishing attacks?
Are targets information resources or financial repositories?
Is it marketing hype?
Page 7
APT Definition – What do these terms mean?
As a Proper Noun?
As malware?
Advanced
Skills that run the full gamut.
Capable of using basic tools
and writing custom code.
It isn’t detected by AV.
Persistent
Long-term interest and
continued targeting.
It survives reboots.
Threat
A person who mans the console
behind the attack, rather the
pre-configured malware (set it
and forget it).
It that could steal data that
would be harmful to the
organization.
Combined, do the terms clearly articulate the challenge?
Page 8
Redefining the Model
Move from the APT Kill Chain to the APT Life Cycle
Expand APT attacks into a full life cycle to obtain a better understanding.
The lifecycle recognizes the iterative process where an adversary obtains a deeper
foothold into the network through lateral movement.
Page 9
Redefining the Model
Move from the APT Kill Chain to the APT Life Cycle
Interpreting data associated with each step to be based on use cases rather opinion.
Page 10
Typical Attack
SMTP Relay;
Botnet
Mail Server
C2 Server
Domain Controller
Page 11
Example of an Attack
SMTP Relay;
Botnet
Indicators of Compromise (IOCs)
Inbound email with attachment
Attachment cached in OLK folder
Attachment executed – Prefetch
Outbound connection
Mailestablished
Server
File downloaded
File cached - Change Journal entry
File executed - Prefetch file created
New DLL created
Autostart/autorun locations modified
Restore Point modified
Service restarted with injected DLL
C2 Server
Indicators of Compromise (IOCs)
• Outbound connection
• New file downloaded
Lateral traffic
Domain •Controller
• Query of Domain Controller
• Existing accounts modified
Page 12
Example of an Attack
What a mess.
Page 13
Redefining the Model
Review of each step…
Page 14
Redefining the Model
…produces a comprehensive list of indicators.
Page 15
Redefining the Model
Results of Analysis
•
300+ Indicators of Compromise (IOCs) were identified.
•
IOCs were identified from multiple sources, i.e., disk, files,
memory, and network traffic.
•
The appearance of an individual IOC is likely to be insignificant.
•
When multiple IOCs appear within close proximity of each
other, i.e., clustering of events, the severity of an incident
increases and the likelihood of a false positive decreases.
•
Many IOCs are not monitored by typical security controls.
Page 16
APT Life Cycle
Step 1-1: Initial Reconnaissance
Profile information is acquired about the organization and it’s employees.
Sources of information about primary/secondary targets may come from
the following sources:
- Press releases
- Corporate websites
- Job postings
- Tech forums
- DNS records and registration
- Social network sites, e.g., Facebook, LinkedIn, Spokeo
- Pastebin
Page 17
APT Life Cycle
Step 1-2: External Weaponization
Two sets of tools may be leverages as weapons.
Custom malware may be developed based on targeted
intelligence obtained during the initial reconnaissance phase
that leverages the use of carefully choreographed social
engineering.
Generic tools to be used during a “shotgun” approach could
be used to “blast” all of the users of a network, as in a large
spam/phishing campaign.
Page 18
APT Life Cycle
Step 1-3: External Delivery
Malicious payload is delivered to a victim via online or physical
means.
The attack vectors may include:
- Spam/Phishing
- Spoofed e-mail/Spear Phishing/Whaling
- Social networking sites
- External media (USB storage media, CD/DVDs)
- Network probe via Wi-Fi
- An external resource, such as DNS cache, is modified.
Page 19
APT Life Cycle
Step 1-3: External Delivery
Indicators of Compromise may include:
- Identical spam in multiple users’ mailboxes
- E-mail where origin SMTP IP address does not match
domain name (reverse lookup)
- E-mail’s SMTP address originates from an open relay (which
accounts for 20% of spam on the Internet)
- Unauthorized use of USB ports
- Unauthorized network traffic
- Unauthorized CD/DVDs in the workplace
- Connections to websites with malicious content or sites
with known drive-by attacks
Page 20
APT Life Cycle
Step 1-4: Initial Exploitation
The malicious content has been sent to the target(s) and the payload is executed locally.
Examples of an initial exploitation activity include:
- A link that has been clicked by the user.
- An e-mail attachment that is opened.
- An object on a web page that is automatically executed by a browser or browser helper object (BHO).
- A CD/DVD is inserted into a computer and a file is open or executed.
Indicators of Compromise may include:
- Unresolved IP address and SMTP server
- Redirects to hostile websites
- Malicious JavaScript in a user’s cached Internet files
- Executable files in a user’s cached Internet files, which may include .exe files, Flash files, etc.
- PDFs with malicious content with OLK cache
- Changes to the MUI cache
- Modifications to the local HOSTS file
- LNK file appears
Page 21
Tangent: LNK Files
These timestamps are of the target file.
(Remember, these are stored within the
LNK file.Location
EnCase didn’t
of thequery
targetthe
file.target
file.)
MAC address of NIC on the
computer where the
Volume
Serial
Number
shortcut
was
created.
This should match the volume serial
number of this particular drive,
because the target path is C:\...
Page 22
APT Life Cycle
Step 1-5: Initial Installation
Malicious software is installed on the system that has been targeted and exploited.
This could result in the download and installation of a second-stage piece of malware.
The running of the malicious software may result in a new application running or a new file being injected into
a running process.
Indicators of Compromise may include:
- Objects in the Internet cache
- Files in OLK cache folder
- Attachments with executable code within e-mails
- Files with MZ header in the temp folder of the user’s profile or within C:\Windows\Temp.
- New Prefetch files which include references to new drivers or recently downloaded files
- Modifications to existing software drivers
- Artifacts for persistence, e.g., addition to the autorun locations within the Windows Registry
- Changes to $USN_Journal, especially code 0x0100
- Outbound network traffic in the form of a beacon or DNS lookup to confirm network connectivity.
(Lookups may use hostile sites, but may also use well-known sites with high up-time).
Page 23
Tangent: $USN Journal Codes
0x01
0x02
0x04
0x10
0x20
0x40
0x100
0x200
0x400
0x800
0x1000
0x2000
0x4000
0x8000
Data in one or more named data streams for the file was overwritten.
The file or directory was added to.
The file or directory was truncated.
Data in one or more named data streams for the file was overwritten.
One or more named data streams for the file were added to.
0x100 indicates a
One or more named data streams for the file was truncated.
file was created.
The file or directory was created for the first time.
The file or directory was deleted.
The user made a change to the file's or directory's extended attributes. These NTFS attributes are
not accessible to Windows-based applications.
A change was made in the access rights to the file or directory.
The file or directory was renamed, and the file name in this structure is0x200
the previous
name. a
indicates
The file or directory was renamed, and the file name in this structure is the new name.
file was
deleted.
A user changed the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute.
That
is, the user
changed the file or directory from one that can be content indexed to one that cannot, or vice versa.
A user has either changed one or more file or directory attributes or one or more time stamps.
0x80000000
0x2000 indicates a
0x80000000
A named stream has been added to or removed from the file, or a named stream has been
file wasa renamed.
indicates
file was
renamed.
The file or directory was closed.
closed.
Reference:
http://www.forensickb.com/2008/09/enscript-to-parse-usnjrnl.html
0x200000
Page 24
Tangent: $USN Journal Example
Action
A new file is created on the drive with the
name badcode.exe.
Content is added to badcode.exe.
badcode.exe is closed.
Renames should always
The file is renamed from badcode.exe to
appear in pairs.
svchost.exe
Name
File ID
Code
Time
badcode.exe
89245
0x100
05/28/12 09:28:25
89245
0x100
+ 0x02
0x102
05/28/12 09:28:27
0x102
At this point, the file is closed and
+ 0x80000000
there is no activity on89245
the disk. 0x80000102
badcode.exe
05/28/12 09:28:27
badcode.exe
badcode.exe
89245
0x1000
05/28/12 09:28:29
svchost.exe
89245
0x2000
05/28/12 09:28:29
89245
0x2000
+ 0x80000000
0x80002000
05/28/12 09:28:29
The same file svchost.exe
identifier was
used throughout the process.
Page 25
APT Life Cycle
Step 1-6: Command & Control Activity
The infected computer establishes a connection with a remote computer. While
this may involve creation of listener that responds to an inbound connection, it
will likely be an executable or injected process that creates an outbound
connection to a remote host. The remote host may be a command and control
server, it could be a proxy server, or an infected computer that is part of a botnet.
Indicators of Compromise may include:
- New running processes
- Restarted running processes which contain injected code
- New Prefetch files which include references to new drivers or recently
downloaded files
- Disabling of normal services, e.g., anti-virus engines or the local firewall
- Outbound network traffic
- Network connections stored on the infected computer to non-legitimate
sources.
Page 26
Tangent: Prefetch Files
08/19/09
01:22:19PM
Page 27
Prefetch File Analysis: WinPrefetchView
Page 28
APT Life Cycle
Step 2-1: Internal Reconnaissance
Information is gained about the infected computer and LAN.
Sources of information used during reconnaissance may include:
- OS footprint
- User name and profile information
- IP addresses/DHCP information
- Domain name
- Names of network, e.g., list of domain controllers, internal DNS servers, and network services
- Network connections
Indicators of Compromise may include:
- Connectivity to an Internet-based resource used to deliver commands to the infected computer
- Lateral network traffic and PINGs
- Connections to network shares
- Abnormal running services/processes
- Creation of Prefetch files for network diagnostic tools, such as netstat
- Additions to the UserAssist Registry keys
- Installation of administrator tools on the infected computer to perform reconnaissance activities
Page 29
APT Life Cycle
Step 2-2: Internal Weaponization
The tools used to internally compromised are not necessarily the same as those
used to gain initial access to the system.
These tools may be administrator tools, such as PSEXEC. Some may be
customized.
Indicators of Compromise may include:
- Connectivity to an Internet-based resource used to deliver commands to
the infected computer
- Installation of new executable files to the user’s profile or
C:\Windows\System32 directory.
- Changes to $USN_Journal, especially code 0x0100
- Creation of Prefetch files to indicate existing administration tools were run.
Page 30
APT Life Cycle
Step 2-3: Internal Delivery
Tools used for the advancement throughout the network are
copied to the infected computer.
Indicators of compromise may include:
- Connectivity to an Internet-based resource used to
deliver commands to the infected computer
- New files on the file system
- Modifications to timestamps; inconsistencies between
$SIA and $FN portions of the $MFT
- Changes to the $USN_Journal, especially code 0x0100
- Changes to the list of network connections maintained
within memory of the infected computers
- Internal, lateral network traffic
Page 31
Tangent: Timestamps
All eight timestamps are in $MFT.
$STANDARD_INFORMATION
Type: 0x10
Min Size: 0x30
Max Size: 0x48
$FILE_NAME
Type: 0x30
Min Size: 0x44
Max Size: 0x242
Read offset to attribute content
and add:
• Created (0x00)
• Last Modified (0x08)
• MFT Entry Modified (0x10)
• Last Accessed (0x18)
Read offset to attribute content
and add:
• Created (0x08)
• Last Modified (0x10)
• MFT Entry Modified (0x18)
• Last Accessed (0x20)
Page 32
Tangent: Timestamps
Standard Information Attribute
Created:
12/29/2011 9:00:00AM
Last Modified:
12/29/2011 9:00:00AM
Last Access:
12/29/2011 9:00:00AM
MFT Entry:
01/13/2012 11:15:30AM
File Name Attribute
Created:
01/13/2012 11:13:18AM
Last Modified:
01/13/2012 11:13:18AM
Last Access:
01/13/2012 11:13:18AM
MFT Entry:
01/13/2012 11:13:18AM
Standard
Information
Attribute
File
Name
Attribute
Page 33
APT Life Cycle
Step 2-4: Internal Exploitation
During internal exploitation an attacker positions himself to move laterally by
compromising the integrity of another system within the network. This may
involve obtaining escalated privileges, exploiting the operating system, user
application, or implanting code that will execute.
Indicators of compromise may include:
- Connectivity to an Internet-based resource used to deliver commands from
the infected computer
- New files on the file system
- Modifications to timestamps; inconsistencies between $SIA and $FN
portions of the $MFT
- Changes to the $USN_Journal, especially code 0x0100
- Modifications to the autorun locations, which would allow an executable to
launch or inject malicious code with a known process, e.g., explorer.exe
- Internal, lateral network traffic
Page 34
Lateral Connections within the LAN
C:\Users\robinson>netstat -ano
Active Connections
Proto
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
Local Address
0.0.0.0:135
0.0.0.0:445
0.0.0.0:912
0.0.0.0:3389
10.201.152.21:139
10.201.152.21:49269
10.201.152.21:49724
10.201.152.21:52100
10.201.152.21:64561
127.0.0.1:7778
127.0.0.1:16386
Foreign Address
0.0.0.0:0
0.0.0.0:0
0.0.0.0:0
0.0.0.0:0
0.0.0.0:0
10.50.5.207:5061
10.201.152.18:8080
173.194.73.147:80
10.50.4.128:2310
0.0.0.0:0
127.0.0.1:52444
State
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
ESTABLISHED
ESTABLISHED
ESTABLISHED
CLOSE_WAIT
LISTENING
TIME_WAIT
PID
964
This4 IP address is for
a neighboring
PC.
3624
Why?
1492
4
5708
7340
1320
4784
3136
0
Page 35
APT Life Cycle
Step 2-5: Internal Installation
During the internal installation phase an attacker compromises the integrity of
another system within the network. This may involve exploiting the operating
system, exploiting a user application, or implanting malicious code that will
execute. The insertion of this code would circumvent intrusion detection
systems. The use of known, legitimate administration tools would not be
captured by anti-virus software.
Indicators of compromise may include:
- Connectivity to an Internet-based resource from the initially infected
computer.
- Connectivity to an Internet-based resource used to deliver commands to
the newly infected computer
- New running processes
- Restart of existing processes to include injected code
- Creation of Prefetch files to indicate existing administration or malicious
tools were run.
- Internal, lateral network traffic
Page 36
APT Life Cycle
Step 2-6: Persistence
An attacker establishes persistence on a network when he maintains a presence in the
network as various machines go offline or as incident response procedures are implemented.
This will frequently involve establishing connectivity with multiple hosts on the compromised
network.
Indicators of compromise may include:
- Connectivity to an Internet-based resource from the initially infected computer.
- Connectivity to an Internet-based resource from the multiple computers. This may be a
beacon to test connectivity, e.g., DNS lookups, etc.
- Outbound network traffic from computers that don’t typically communicate to the
Internet, e.g., print servers, domain controllers
- New running processes
- Restart of existing processes to include injected code
- Addition of Prefetch files
- Internal, lateral network traffic
- New user accounts on local hosts or within a domain controller
- Change of permissions/rights/roles of existing network accounts.
Page 37
APT Life Cycle
Iterative Process
Once inside the network, the attacker engages in an iterative process to retain a foothold
within the compromised network.
This can result in:
- New malware being launched within the network to upgrade existing malware that may
be detected by anti-virus software
- Disabling network security safeguards to avoid detection
- Erasing artifacts, such as log files, etc.
- Lateral traffic between computers.
Page 38
APT Life Cycle
Indicators of Compromise may include:
Iterative Process
- Connectivity to an Internet-based resource from the multiple computers.
- Outbound network traffic from computers that don’t typically communicate to the Internet, e.g., print
servers, domain controllers
- New running processes
- Restart of existing processes to include injected code
- Creation of Prefetch files to indicate existing administration or malicious tools were run.
- Internal, lateral network traffic
- New user accounts on local hosts or within a domain controller
- Change of permissions/rights/roles of existing network accounts.
- Reinfection of previously cleaned computers
- Exfiltration data files on computers. This may include the presence of empty files that are re-used.
Page 39
APT Life Cycle
2-7: Mission Fulfillment
An attacker successfully fulfills his mission, which may include:
- the exfiltration of data from the network
- launching a denial of service attack
- incorporate infected computers into a botnet
Indicators of compromise may include:
- Connectivity to an Internet-based resource from the multiple computers.
- Outbound network traffic from computers that don’t typically communicate to
the Internet, e.g., print servers, domain controllers
- New running processes
- Restart of existing processes to include injected code
- Addition of Prefetch files
- Internal, lateral network traffic
- New user accounts on local hosts or within a domain controller
- Change of permissions/rights/roles of existing network accounts.
Page 40
Hunting for Unfriendly Easter Eggs
Capturing evidence of APT attacks
Michael Robinson & Craig Astrich
Download