Slide 1
ENDGAME
THE HUNTER GAMES
How to find the adversary with Event Query Language
Ross Wolf
Slide 2
chmod +rw bio
Ross Wolf
@rw_access
Threat Researcher at Endgame
- Develop detection frameworks and individual detections
- Developed Event Query Language
- Experience red- and blue-teaming
Slide 3
EXAMPLE REPORT
WOLF
Slide 4
NOW WHAT?
Slide 5
TALK OVERVIEW
• Developing threat-based detections with ATT&CK and your data
• Crash course through Event Query Language
• Follow the trail of a generic threat actor, writing detections for each step
• Explore threat hunting methods to find the known unknowns
• Contribute back to the community
Slide 6
01 THREAT-BASED DETECTION
Slide 7
DETECTION PROCESS
• Use ATT&CK to identify common behaviors, instead of just tools
• Explore the mind of the attacker
• Understand your data and visibility
• Express detection logic for your platform
• Continuously create, test, and refine analytics
• Atomic Red Team, CALDERA, Red Team Automation, etc.
• Evaluate against human red teams
• Don't be afraid to retire analytics!
https://www.mitre.org/publications/technical-papers/finding-cyber-threats-with-attck-based-analytics
Slide 8
ATTACKER TRADECRAFT
• Gain access to establish the initial foothold
• Discover information about the endpoint
• Persist to survive system reboots
• Establish command and control (C2)
• Gain additional privileges and credentials
• Move between hosts and execute commands
• Collect and exfiltrate sensitive information
• Destroy data or negatively impact mission
• All while evading monitoring and protections
ATT&CK Tactics
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Slide 9
MITRE ATT&CK™ FRAMEWORK
• Knowledge base that organizes behaviors (techniques) by objectives (tactics)
• Most techniques are used by multiple groups and red teams
• Hundreds of references to threat reports
Slide 10
ATT&CK TECHNIQUE
https://attack.mitre.org/techniques/T1193/
Slide 11
KNOW YOUR DATA
• Data originally gathered from Sysmon
• Converted to a common schema
• file, process, network, and registry event monitoring
https://eqllib.readthedocs.io/en/latest/schemas.html
command_line C:\Windows\Explorer.EXE
md5 ac4c51eb24aa95b77f705ab159189e24
parent_process_name userinit.exe
parent_process_path C:\Windows\system32\userinit.exe
pid 2460
ppid 3052
process_name explorer.exe
process_path C:\Windows\explorer.exe
subtype create
timestamp 131485997150000000
user_domain research
user_name researcher
Slide 12
INTRO TO EQL
• Event Query Language is simple and concise
• Schema-independent and OS-agnostic
• Designed for real-time detection with stream processing
• Supports multi-event behaviors, stacking and sifting through data
• Function syntax instead of keyword explosion (e.g. length(field))
Slide 13
SIMPLE QUERIES
• Boolean and comparison logic
and or not < <= == != >= >
• Wildcard matching with * character
• String comparisons are case-insensitive
process where process_name == "svchost.exe" and
(command_line != "* -k *" or
parent_process_name != "services.exe")
https://eql.readthedocs.io/en/latest/query-guide
Slide 14
SEQUENCES
• Multi-event behaviors with ordering
• Match properties between events with by syntax
• Time limits maxspan=1 hr
• Sequences can be expired with an until condition
sequence with maxspan=5m
[ file where file_name == "*.exe"] by user_name, file_path
[ process where true] by user_name, process_path
Slide 15
JOINS
• Match events specified, without time limits
• Supports by and until syntax for additional matching or state
• Unlike SQL, it finds adjacent pairs instead of cross-products
join
  [file where file_path == "*\System32\Tasks\h4x0r.xml"]
  [registry where registry_path == "*\runonce\h4xor"]
Slide 16
JOINS
join by source_ip, destination_ip
[network where destination_port == 3389] // RDP
[network where destination_port == 135] // RPC
[network where destination_port == 445] // SMB
Slide 17
PIPES AND OUTLIERS
• Pipes can be used to transform or reduce output
• Combine in various ways to perform stacking or reduce data set
• count filter head sort tail unique unique_count
process where true
// Remove duplicate pairs
| unique process_name, command_line
// Count per process_name to get unique # of commands
| count process_name
| filter count < 5
Slide 18
PROCESS LINEAGE
network where process_name == "powershell.exe"
and not descendant of
[process where process_name == "explorer.exe"]
• Natively tracks process lineage by monitoring create/terminate events
• Supports descendant of, child of, and event of
• Combine with other boolean logic
Slide 19
PROCESS LINEAGE
file where file_name == "*.exe"
and event of [process where child of
[process where process_name == "powershell.exe"]]
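The two slides above describe EQL tracking lineage from process create/terminate events so that `child of` and `descendant of` can be evaluated on later events. The Python below is an added model of that idea (not the eql package's implementation), run against the first slide's query for powershell.exe network activity that does not descend from explorer.exe; the event dictionaries, pids and 203.0.113.x addresses are constructed, and the handling of parent exit and pid reuse is my own design.

```python
from typing import Callable, Dict, List

Event = Dict[str, object]


class LineageTracker:
    """Replays process create/terminate events so that any later event (network,
    file, ...) can be tested with `child of` / `descendant of` against an inner
    process query, the way the slides describe EQL tracking lineage natively."""

    def __init__(self, inner: Callable[[Event], bool]) -> None:
        self.inner = inner
        self.self_matched: Dict[int, bool] = {}      # live pid -> its own create event matched `inner`
        self.parent_matched: Dict[int, bool] = {}    # live pid -> result of `child of`
        self.ancestor_matched: Dict[int, bool] = {}  # live pid -> result of `descendant of`

    def observe(self, ev: Event) -> None:
        if ev["event_type"] != "process":
            return
        pid, ppid = ev["pid"], ev["ppid"]
        if ev["subtype"] == "create":
            # Lineage is inherited at creation time, so it survives the parent exiting later.
            self.parent_matched[pid] = self.self_matched.get(ppid, False)
            self.ancestor_matched[pid] = (self.parent_matched[pid]
                                          or self.ancestor_matched.get(ppid, False))
            self.self_matched[pid] = self.inner(ev)
        elif ev["subtype"] == "terminate":
            # Forget the pid so a later process that reuses it starts with a clean lineage.
            for table in (self.self_matched, self.parent_matched, self.ancestor_matched):
                table.pop(pid, None)

    def child_of(self, pid: int) -> bool:
        return self.parent_matched.get(pid, False)

    def descendant_of(self, pid: int) -> bool:
        return self.ancestor_matched.get(pid, False)


def proc(subtype: str, name: str, pid: int, ppid: int, t: int) -> Event:
    return {"event_type": "process", "subtype": subtype, "process_name": name,
            "pid": pid, "ppid": ppid, "timestamp": t}


def net(name: str, pid: int, dest: str, t: int) -> Event:
    return {"event_type": "network", "process_name": name, "pid": pid,
            "destination_address": dest, "timestamp": t}


# Constructed telemetry (pids and 203.0.113.x documentation addresses are made up).
SAMPLE_EVENTS = [
    proc("create", "explorer.exe", 1000, 900, 0),
    proc("create", "cmd.exe", 1100, 1000, 1),
    proc("create", "powershell.exe", 1200, 1100, 2),    # grandchild of explorer.exe
    net("powershell.exe", 1200, "203.0.113.10", 3),     # interactive user: filtered out
    proc("create", "wmiprvse.exe", 2000, 800, 4),       # not under explorer.exe
    proc("create", "powershell.exe", 2100, 2000, 5),
    net("powershell.exe", 2100, "203.0.113.20", 6),     # reported
    proc("terminate", "cmd.exe", 1100, 1000, 7),        # parent exits ...
    net("powershell.exe", 1200, "203.0.113.10", 8),     # ... but 1200 keeps its inherited lineage
    proc("terminate", "powershell.exe", 1200, 1100, 9),
    proc("create", "powershell.exe", 1200, 2000, 10),   # pid 1200 reused under wmiprvse.exe
    net("powershell.exe", 1200, "203.0.113.30", 11),    # reported: no stale lineage for the reused pid
]


def powershell_not_from_explorer(events: List[Event] = SAMPLE_EVENTS) -> List[Event]:
    """network where process_name == "powershell.exe"
         and not descendant of [process where process_name == "explorer.exe"]"""
    tracker = LineageTracker(lambda e: e["process_name"] == "explorer.exe")
    hits: List[Event] = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        tracker.observe(ev)   # lineage must be updated before the event is evaluated
        if (ev["event_type"] == "network" and ev["process_name"] == "powershell.exe"
                and not tracker.descendant_of(ev["pid"])):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in powershell_not_from_explorer():
        print(hit["pid"], hit["destination_address"])
```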
Slide 20
02 DETECT KNOWN BEHAVIORS
Slide 21
APPROACH TO DETECTION
• Understand common tactics employed by the adversary
• Next, move to specific methods or techniques
• From there we can craft detection logic
• When necessary, understand operating system internals
Slide 22
INITIAL ACCESS & EXECUTION
• Technique: Spearphishing Attachment (T1193), PowerShell (T1086)
• Detection: Scriptable child processes of Office products (PowerShell, VB script, cmd.exe)
process where
parent_process_name in ("winword.exe", "excel.exe", "powerpnt.exe")
and process_name in ("powershell.exe", "cscript.exe",
"wscript.exe", "cmd.exe")
Slide 23
INITIAL ACCESS & EXECUTION
• Technique: Spearphishing Attachment (T1193)
• Detection: Office creating a PE file that quickly executes
sequence with maxspan=5m
[file where file_name == "*.exe"
and process_name in ("winword.exe", "excel.exe", "powerpnt.exe")
] by file_path
[process where true] by process_path
Slide 24
PERSISTENCE & PRIVILEGE ESCALATION
• Technique: Scheduled Task (T1053)
• Detection: The API is cumbersome, so many tools directly execute schtasks.exe. Look for non-SYSTEM users creating tasks that run as SYSTEM
process where process_name == "schtasks.exe"
  and user_name != "SYSTEM"
  and (command_line == "* /ru system" or
       command_line == '* /ru "nt authority"')
| unique user_name, command_line
Slide 25
COMMAND AND CONTROL (C2)
• Technique: Uncommonly Used Port (T1065)
network where not destination_port in (
  1,3,4,6,7,9,13,17,19,20,21,22,23,24,25,26,30,32,33,37,42,43,
  49,53,70,79,80,81,82,83,84,85,88,89,90,99,100,106,109,110,111,
  113,119,125,135,139,143,144,146,161,163,179,199,211,212,222,
  254,255,256,259,264,280,301,306,
  /* many more? */)
| unique destination_address, destination_port
Slide 26
COMMAND AND CONTROL (C2)
• Technique: Outgoing Connection from Abusable Process (T???)
• Detection: Look for network activity from abusable binaries; continuously tune to your environment
sequence by pid
  [process where subtype.create]
  [network where process_name in ( // known LOLBINS
      "powershell.exe", "mshta.exe", "installutil.exe",
      "msxsl.exe", "rundll32.exe")]
| unique events[0].process_path, events[1].destination_address,
         events[1].destination_port
Slide 27
DEFENSE EVASION
• Technique: Masquerading (T1096)
• Detection: Look for executables matching names of known Windows binaries from system32, but in the wrong directory
process where process_name in (
    "csrss.exe", "dllhost.exe", "lsass.exe",
    "lsm.exe", "services.exe", "winlogon.exe",
    /* etc */
  ) and not process_path == "C:\windows\system32\*"
https://www.endgame.com/blog/how-hunt-masquerade-ball
Slide 28
DEFENSE EVASION
• Technique: Process Injection (T1096), Process Hollowing (T1093)
• Detection: Look for process creations from the wrong parent
process where
(process_name == "lsass.exe" and parent_process_name != "wininit.exe") or
(process_name == "LogonUI.exe" and
not parent_process_name in ("winlogon.exe", "wininit.exe")) or
(process_name == "services.exe" and parent_process_name != "wininit.exe") or
(process_name == "svchost.exe" and parent_process_name != "services.exe" and
    // the system32\svchost.exe executes syswow64\svchost.exe for 32-bit DLLs
    not (parent_process_path == "*\system32\svchost.exe" and
         process_path == "*\syswow64\svchost.exe"))
Slide 29
CREDENTIAL ACCESS
• Technique: Access Sensitive Data or Credentials in Files (T1087)
• Detection: Look for commands that search for "password"
process where process_name == "findstr.exe"
  and command_line == "*password*"
| unique parent_process_name, command_line
Slide 30
DISCOVERY
• Technique: Account Discovery (T1087), Remote System Discovery (T1096), System Account Discovery (T1033)
• Detection: Look for any users that run multiple different types of discovery commands
join by user_name
[process where process_name in
("ipconfig.exe", "hostname.exe", "whoami.exe")]
[process where process_name == "net.exe" and
(command_line == "*group*" or command_line == "* user*")]
[process where process_name in ("tasklist.exe", "qprocess.exe", "sc.exe")]
| unique user_name
Slide 31
LATERAL MOVEMENT
• Technique: Windows Remote Management (T1028), PowerShell (T1086)
• Approach: Look for incoming WinRM connections with execution of the provider
sequence with maxspan=2s
[network where destination_port in (5985, 5986) and
process_name == "svchost.exe"]
[process where process_name == "wsmprovhost.exe" and
command_line == "*embedding*"]
| unique events[0].source_address, events[0].destination_address,
         events[1].user_name
Slide 32
COLLECTION & EXFILTRATION
• Technique: Data Staged (T1074), Data Compressed (T1072), Data Encrypted (T1022)
• Detection: Look for known command lines for tools that indicate compression and encryption
sequence by unique_pid with maxspan=5m
[process where command_line == "* -hp*" or command_line == "* /hp*"]
[file where file_name == "*.rar"]
| unique events[0].process_path, events[1].file_name
Slide 33
IMPACT
• Technique: Inhibit System Recovery (T1490)
• Detection: Monitor known command lines
process where
(process_name == "vssadmin.exe" and
command_line == "*delete*") or
(process_name == "wmic.exe" and
command_line == "*shadow*delete*") or
(process_name == "wevtutil.exe" and command_line == "* cl *")
Slide 34
03 HUNTING FOR THE UNKNOWN
Slide 35
FUTURE THREAT REPORT
Slide 36
FUTURE THREAT REPORT
Slide 37
APPROACHES
• We want to look proactively for evidence of an adversary
• Often technique-agnostic, but still follow attacker lifecycle
• Ask environment-oriented questions
• Establish situational awareness and track deviations
• Prevalence
• Recency
• Patterns
is this threat hunting?
Slide 38
UNUSUAL PARENT-CHILD RELATIONSHIPS
What parent-child process relationships are rare and recent?
process where subtype.create
| unique_count parent_process_name, process_name
| tail 100
| sort count
| head 10
parent_process_name               command_line
MSI9BBF.tmp                       "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -u auto-update
powershell.exe                    rundll32.exe C:\Users\vagrant\AppData\Local\cyzfc.dat,PointFunctionCall
wuauclt.exe                       "C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.293.2420.0.exe" WD /q
AM_Delta_Patch_1.293.2420.0.exe   C:\WINDOWS\system32\MpSigStub.exe /stub 1.1.1 ...
Slide 39
UNUSUAL PARENT-CHILD RELATIONSHIPS
What parent-child process relationships are rare and recent?
process where subtype.create and (
process_name in ("cmd.exe", "powershell.exe")
or parent_process_name in
("cmd.exe", "powershell.exe"))
| unique_count parent_process_name, process_name
| tail 100
| sort count
| head 10
parent_process_name   command_line
powershell.exe        rundll32.exe C:\Users\vagrant\AppData\Local\cyzfc.dat,PointFunctionCall
Slide 40
REMOTE ACCESS TOOLS
What recently first-seen processes also made network connections?
process_name           command_line
InstallUtil.exe        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=False /U mydotnet.exe
OneDriveSetup.exe      "C:\Users\developer\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
OfficeClickToRun.exe   "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.11601.20230\OfficeClickToRun.exe" /update
join by process_path
[process where subtype.create]
[network where true]
| unique events[0].process_path
| tail 50
i'm in
Slide 41
SUDDEN EXTROVERTS
What processes have been seen before, but only recently made network activity?
command_line
msiexec.exe /quiet /i http://172.31.27.16:8000/bin/Installer.msi
sequence by process_path
[process where timestamp_utc < "2019-05-01"]
[network where timestamp_utc > "2019-05-17"]
until
[network where timestamp_utc < "2019-05-17"]
| unique process_path
Slide 42
FILE SYSTEM WEAKNESSES
What privileged files were modified by a user but executed as SYSTEM?
user_name   process_name     file_path
vagrant     jusched.exe      C:\Windows\system32\inf\svchost.exe
zoom        CptInstall.exe   C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe
sequence
[file where subtype.create and
file_name == "*.exe" and
user_name != "SYSTEM"] by file_path
[process where user_name == "SYSTEM"] by process_path
| unique events[0].file_path
Slide 43
REMOTE RECONNAISSANCE
What enumeration commands were executed from processes with outgoing network activity?
command_line process_name count
whoami.exe powershell_ise.exe 1
hostname.exe dxdiag0732.exe 1
netstat.exe python.exe 1
process where process_name in (
"whoami.exe", "hostname.exe", "ipconfig.exe",
"net.exe", "netstat.exe", "tasklist.exe"
) and child of [network where subtype.outgoing]
| unique parent_process_path, process_name
| unique_count parent_process_path
*slaps eql*
this hunt can find so
many recon commands
Slide 44
BRUTE FORCE ATTEMPTS
Are there multiple logon failures and eventually a success from a remote host?
sequence by ip_address with maxspan=1h
[security where event_id == 4625
and logon_type in (3,5,10)]
[security where event_id == 4625
and logon_type in (3,5,10)]
[security where event_id == 4625
and logon_type in (3,5,10)]
[security where event_id == 4625
and logon_type in (3,5,10)]
[security where event_id == 4624
and logon_type in (3,5,10)]
until
[security where event_id == 4624] // success
4625 - failure
4624 - success
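The SEQUENCES slide introduced `sequence by ... with maxspan ... until`; the Python below is an added model of those semantics (not the eql package's code) applied to the brute-force hunt above, so the effect of `maxspan` and `until` can be seen on concrete events. The Security events and addresses are constructed, and two simplifications are mine: one partial sequence per `by` value at a time, and a step match taking precedence over `until` (so the 4624 that completes the sequence is not also the expiring event). Windows event 4625 is a failed logon and 4624 a successful one.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]
Predicate = Callable[[Event], bool]


@dataclass
class Sequence:
    """Model of `sequence by <key> with maxspan=<seconds> [step]... until [expire]`.
    Simplification: one partial sequence per `by` value at a time."""
    key: str
    steps: List[Predicate]
    maxspan: Optional[float] = None      # seconds between first and last event; None = unlimited
    until: Optional[Predicate] = None    # an event matching this discards the partial sequence

    def run(self, events: List[Event]) -> List[List[Event]]:
        partial: Dict[object, List[Event]] = {}   # by-key value -> events matched so far
        matches: List[List[Event]] = []
        for ev in sorted(events, key=lambda e: e["timestamp"]):
            k = ev.get(self.key)
            if k is None:
                continue
            buf = partial.get(k, [])
            # a partial sequence that has outlived maxspan is thrown away
            if buf and self.maxspan is not None and ev["timestamp"] - buf[0]["timestamp"] > self.maxspan:
                buf = []
            if self.steps[len(buf)](ev):
                buf.append(ev)
                if len(buf) == len(self.steps):
                    matches.append(buf)
                    buf = []
            elif self.until is not None and self.until(ev):
                # assumption: a step match takes precedence over `until`, so the 4624 that
                # completes the slide's sequence is not also treated as the expiring event
                buf = []
            if buf:
                partial[k] = buf
            else:
                partial.pop(k, None)
        return matches


REMOTE_LOGON_TYPES = {3, 5, 10}   # network, service and RemoteInteractive logons (from the slide)


def failed_remote_logon(ev: Event) -> bool:
    return ev["event_id"] == 4625 and ev["logon_type"] in REMOTE_LOGON_TYPES   # 4625 = logon failure


def successful_remote_logon(ev: Event) -> bool:
    return ev["event_id"] == 4624 and ev["logon_type"] in REMOTE_LOGON_TYPES   # 4624 = logon success


BRUTE_FORCE = Sequence(
    key="ip_address",
    steps=[failed_remote_logon] * 4 + [successful_remote_logon],
    maxspan=3600,
    until=lambda ev: ev["event_id"] == 4624,   # any success in between resets the failure count
)


def sec(event_id: int, logon_type: int, ip: str, t: int) -> Event:
    """Constructed stand-in for a Windows Security event; timestamps are seconds."""
    return {"event_id": event_id, "logon_type": logon_type, "ip_address": ip, "timestamp": t}


SAMPLE_EVENTS = [
    # 10.0.0.5: four remote failures then a success inside one hour -> should match
    sec(4625, 3, "10.0.0.5", 0), sec(4625, 3, "10.0.0.5", 60), sec(4625, 10, "10.0.0.5", 120),
    sec(4625, 3, "10.0.0.5", 180), sec(4624, 3, "10.0.0.5", 240),
    # 10.0.0.5: console (logon_type 2) failures interleaved; the steps ignore them
    sec(4625, 2, "10.0.0.5", 10), sec(4625, 2, "10.0.0.5", 20),
    # 10.0.0.7: fumbled password, success, two more failures, success -> `until` resets, no match
    sec(4625, 3, "10.0.0.7", 0), sec(4625, 3, "10.0.0.7", 30), sec(4624, 3, "10.0.0.7", 60),
    sec(4625, 3, "10.0.0.7", 90), sec(4625, 3, "10.0.0.7", 120), sec(4624, 3, "10.0.0.7", 150),
    # 10.0.0.9: four failures but the success arrives two hours later -> maxspan exceeded
    sec(4625, 3, "10.0.0.9", 0), sec(4625, 3, "10.0.0.9", 10), sec(4625, 3, "10.0.0.9", 20),
    sec(4625, 3, "10.0.0.9", 30), sec(4624, 3, "10.0.0.9", 7300),
]


def brute_force_sources(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Equivalent of piping the sequence into `| unique ip_address`."""
    seen: List[str] = []
    for match in BRUTE_FORCE.run(events):
        ip = match[0]["ip_address"]
        if ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    print(brute_force_sources())   # ['10.0.0.5']
```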
Slide 45
WHYMI HERE?
What commands were spawned from WMI remotely or as a different user?
process where subtype.create
| unique authentication_id
| filter not user_name in
("SYSTEM", "NT AUTHORITY", "LOCAL SERVICE") and
(process_name == "wmiprvse.exe" or parent_process_name == "wmiprvse.exe")
| unique process_name
command_line
cmd /c "tasklist /svc > %SystemRoot%\TEMP\nessus_task_listIVC4798D.TMP &
  ren %SystemRoot%\TEMP\nessus_task_listIVC4798D.TMP nessus_task_listIVC4798D.TXT"
recdiscm32.exe \\10.1.2.3\admin$\system32\taskchg16.exe
Slide 46
SUSPICIOUS LATERAL MOVEMENT
What endpoints remotely connected via SMB and RPC to potentially upload and execute?
sequence by destination_address
with maxspan=30s
[network where subtype.incoming
and destination_port == 445]
[network where subtype.incoming
and destination_port == 135]
| unique source_address
• Noisy on domain controllers
• Incoming traffic to workstations is suspicious
Slide 47
04 EQL COMMUNITY
Slide 48
DOWNLOAD EQL
• Install the python package (supports 2.7, 3.4+) with pip install eql
• Built in CLI eql query with stdin/stdout redirection
• Read the Getting Started blog post for more information
• endgame.com/blog/technical-blog/getting-started-eql
Slide 49
DEMO
Slide 50
ANALYTICS LIBRARY
• Browse the analytics library
• eqllib.readthedocs.io
• Contribute your detection and hunting logic
• github.com/endgameinc/eqllib
• 45+ analytics mapped to MITRE ATT&CK with
contributions from Endgame and Red Canary
• Multiple data sets to get your hands dirty
• github.com/endgameinc/eqllib/tree/master/data
Slide 51
ANALYTICS LIBRARY
Slide 52
NORMALIZATION
• Contribute schema mappings
• Currently map to Microsoft Sysmon and MITRE Cyber Analytics Repository
• Convert queries to mapped data sources
$ eqllib convert-query -s "Microsoft Sysmon" 'process where subtype.create and
    process_name == "mshta.exe" and command_line == "* c:\programdata\*.hta"'
process where EventId == 1 and Image == "*mshta.exe"
    and CommandLine == "* c:\programdata\*.hta"
• Normalize from mapped data sources to sharable format
Slide 53
WHAT'S NEXT?
• Early June update to EQL 0.7
• Contains a schema validation with better error checking
• Cleaner python API for integrating with other projects
• Summer release of 75+ atomic analytics mapped to ATT&CK
Slide 54
GET IN TOUCH
• Follow EQL on Twitter
• @eventquerylang
• Chat on Gitter
• gitter.im/eventquerylang/community
• Email us
• eql AT endgame.com
Slide 55
RESOURCES
• Getting started with EQL (blog)
• endgame.com/blog/technical-blog/getting-started-eql
• Endgame Guide to Threat Hunting (PDF)
• pages.endgame.com/wc-guide-to-threat-hunting.html
• Follow the guide for creating sophisticated queries
• eql.readthedocs.io/query-guide
• Documentation
• eql.readthedocs.io
• Clone it!
• github.com/endgameinc/eql
• github.com/endgameinc/eqllib
Slide 56
ENDGAME
@ENDGAMEINC
THANK YOU
www.endgame.com

 

The Hunter Games: How to Find the Adversary with Event Query Language

  • 1. 1ENDGAME THE HUNTER GAMES: How to find the adversary with Event Query Language. Ross Wolf
  • 2. chmod +rw bio
    Ross Wolf (@rw_access), Threat Researcher at Endgame
    - Develop detection frameworks and individual detections
    - Developed Event Query Language
    - Experience red- and blue-teaming
  • 5. TALK OVERVIEW
    • Developing threat-based detections with ATT&CK and your data
    • Crash course through Event Query Language
    • Follow the trail of a generic threat actor, writing detections for each step
    • Explore threat hunting methods to find the known unknown
    • Contribute back to the community
  • 7. DETECTION PROCESS
    • Use ATT&CK to identify common behaviors, instead of just tools
    • Explore the mind of the attacker
    • Understand your data and visibility
    • Express detection logic for your platform
    • Continuously create, test, and refine analytics
      • Atomic Red Team, CALDERA, Red Team Automation, etc.
      • Evaluate against human red teams
    • Don't be afraid to retire analytics!
    https://www.mitre.org/publications/technical-papers/finding-cyber-threats-with-attck-based-analytics
  • 8. ATTACKER TRADECRAFT
    • Gain access to establish the initial foothold
    • Discover information about the endpoint
    • Persist to survive system reboots
    • Establish command and control (C2)
    • Gain additional privileges and credentials
    • Move between hosts and execute commands
    • Collect and exfiltrate sensitive information
    • Destroy data or negatively impact mission
    • All while evading monitoring and protections
    ATT&CK Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
  • 9. MITRE ATT&CK™ FRAMEWORK
    • Knowledge base that organizes behaviors (techniques) by objectives (tactics)
    • Most techniques are used by multiple groups and red teams
    • Hundreds of references to threat reports
  • 11. KNOW YOUR DATA
    • Data originally gathered from Sysmon
    • Converted to a common schema
    • file, process, network, and registry event monitoring
    https://eqllib.readthedocs.io/en/latest/schemas.html
    Example process event in the common schema:
      command_line          C:\Windows\Explorer.EXE
      md5                   ac4c51eb24aa95b77f705ab159189e24
      parent_process_name   userinit.exe
      parent_process_path   C:\Windows\system32\userinit.exe
      pid                   2460
      ppid                  3052
      process_name          explorer.exe
      process_path          C:\Windows\explorer.exe
      subtype               create
      timestamp             131485997150000000
      user_domain           research
      user_name             researcher
  • 12. INTRO TO EQL
    • Event Query Language is simple and concise
    • Schema-independent and OS-agnostic
    • Designed for real-time detection with stream processing
    • Supports multi-event behaviors, stacking and sifting through data
    • Function syntax instead of keyword explosion (e.g. length(field))
  • 13. SIMPLE QUERIES
    • Boolean and comparison logic: and, or, not, <, <=, ==, !=, >=, >
    • Wildcard matching with the * character
    • String comparisons are case-insensitive
      process where process_name == "svchost.exe" and
        (command_line != "* -k *" or parent_process_name != "services.exe")
    https://eql.readthedocs.io/en/latest/query-guide
  • 14. SEQUENCES
    • Multi-event behaviors with ordering
    • Match properties between events with by syntax
    • Time limits: maxspan=1h
    • Sequences can be expired with an until condition
      sequence with maxspan=5m
        [file where file_name == "*.exe"] by user_name, file_path
        [process where true] by user_name, process_path
  • 15. JOINS
    • Match events specified, without time limits
    • Supports by and until syntax for additional matching or state
    • Unlike SQL, it finds adjacent pairs instead of cross-products
      join
        [file where file_path == "*\System32\Tasks\h4x0r.xml"]
        [registry where registry_path == "*\runonce\h4xor"]
  • 16. JOINS
      join by source_ip, destination_ip
        [network where destination_port == 3389]  // RDP
        [network where destination_port == 135]   // RPC
        [network where destination_port == 445]   // SMB
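The sequence and join semantics on slides 14 to 16 are easier to see running. The block below is an added example for this transcript, not code from the eql package or the talk: a toy in-memory model of `sequence ... by ... with maxspan ... until` and `join by` that keeps one pending partial match per join key and stage, uses integer timestamps in seconds, and runs over constructed sample events (field names follow the common schema on slide 11; `source_ip`/`destination_ip` are taken from slide 16).

```python
"""Toy model of EQL `sequence ... by ... with maxspan ... until` and `join by`.
Added illustration for slides 14 to 16, not the eql package's engine. It keeps one
pending partial match per join key and stage, and timestamps are plain integers
(seconds). The sample events at the bottom are constructed, not real telemetry.
"""


def _key(event, fields):
    """Join key for one stage: the tuple of that stage's `by` field values."""
    return tuple(event.get(f) for f in fields)


def sequence(events, stages, by, maxspan=None, until=None):
    """Ordered match. stages: one predicate per stage; by: one field list per stage
    (EQL lets each stage name its own); maxspan: max seconds between the first and
    last event of a match; until: events matching it discard pending state for
    their key. Returns completed matches as event tuples, in completion order."""
    pending = [dict() for _ in stages]  # pending[i][key] -> events matched for stages 0..i
    matches = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if until is not None and until(ev):
            k = _key(ev, by[-1])
            for state in pending:
                state.pop(k, None)
            continue
        # Later stages first, so one event cannot advance the same partial match twice.
        for i in range(len(stages) - 1, -1, -1):
            if not stages[i](ev):
                continue
            k = _key(ev, by[i])
            if i == 0:
                pending[0][k] = [ev]  # the newest first-stage event replaces the old one
                continue
            partial = pending[i - 1].pop(k, None)
            if partial is None:
                continue
            if maxspan is not None and ev["timestamp"] - partial[0]["timestamp"] > maxspan:
                continue  # too old: the partial match expires
            partial = partial + [ev]
            if i == len(stages) - 1:
                matches.append(tuple(partial))
            else:
                pending[i][k] = partial
    return matches


def join(events, stages, by):
    """Unordered match without a time limit: every stage must be seen once per key.
    Each key keeps only its latest event per stage and emits as soon as all stages
    have one, which is why EQL joins yield adjacent tuples, not SQL cross products."""
    latest = [dict() for _ in stages]
    matches = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        for i, pred in enumerate(stages):
            if pred(ev):
                k = _key(ev, by[i])
                latest[i][k] = ev
                if all(k in state for state in latest):
                    matches.append(tuple(state.pop(k) for state in latest))
    return matches


def file_then_execute(events, maxspan=300):
    """Slide 14: an .exe is written, then started from that path by the same user."""
    return sequence(
        events,
        stages=[lambda e: e["event_type"] == "file" and e["file_name"].lower().endswith(".exe"),
                lambda e: e["event_type"] == "process"],
        by=[["user_name", "file_path"], ["user_name", "process_path"]],
        maxspan=maxspan,
    )


def rdp_rpc_smb(events):
    """Slide 16: one source/destination pair seen on 3389, 135 and 445, in any order."""
    def port(p):
        return lambda e: e["event_type"] == "network" and e["destination_port"] == p
    return join(events, stages=[port(3389), port(135), port(445)],
                by=[["source_ip", "destination_ip"]] * 3)


# Constructed sample events; timestamps are seconds.
EVENTS = [
    {"event_type": "file", "timestamp": 100, "user_name": "alice", "file_name": "update.exe",
     "file_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"event_type": "process", "timestamp": 160, "user_name": "alice", "process_name": "update.exe",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},  # 60 s later: matches
    {"event_type": "file", "timestamp": 200, "user_name": "bob", "file_name": "setup.exe",
     "file_path": "C:\\Users\\bob\\Downloads\\setup.exe"},
    {"event_type": "process", "timestamp": 900, "user_name": "bob", "process_name": "setup.exe",
     "process_path": "C:\\Users\\bob\\Downloads\\setup.exe"},  # 700 s later: outside maxspan
    {"event_type": "network", "timestamp": 300, "source_ip": "10.0.0.5", "destination_ip": "10.0.0.9", "destination_port": 3389},
    {"event_type": "network", "timestamp": 310, "source_ip": "10.0.0.5", "destination_ip": "10.0.0.9", "destination_port": 445},
    {"event_type": "network", "timestamp": 320, "source_ip": "10.0.0.5", "destination_ip": "10.0.0.9", "destination_port": 445},
    {"event_type": "network", "timestamp": 330, "source_ip": "10.0.0.5", "destination_ip": "10.0.0.9", "destination_port": 135},
    {"event_type": "network", "timestamp": 340, "source_ip": "10.0.0.7", "destination_ip": "10.0.0.9", "destination_port": 3389},
]
```

`file_then_execute(EVENTS)` yields alice's write-then-run pair and drops bob's, whose process event arrives 700 s after the file write, beyond the 300 s `maxspan`. `rdp_rpc_smb(EVENTS)` returns a single tuple for 10.0.0.5 even though port 445 was seen twice, because the key's state is emitted once and then cleared; 10.0.0.7 never completes. The real engine's state handling differs in detail, so treat this as a mental model of the operators rather than a reference implementation.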
  • 17. PIPES AND OUTLIERS
    • Pipes can be used to transform or reduce output
    • Combine in various ways to perform stacking or reduce the data set
    • count, filter, head, sort, tail, unique, unique_count
      process where true
      // Remove duplicate pairs
      | unique process_name, command_line
      // Count per process_name to get the unique number of commands
      | count process_name
      | filter count < 5
  • 18. PROCESS LINEAGE
    • Natively tracks process lineage by monitoring create/terminate events
    • Supports descendant of, child of, and event of
    • Combine with other boolean logic
      network where process_name == "powershell.exe" and
        not descendant of [process where process_name == "explorer.exe"]
  • 19. PROCESS LINEAGE
      file where file_name == "*.exe" and
        event of [process where child of [process where process_name == "powershell.exe"]]
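To show what the lineage operators on slides 18 and 19 need from the event stream, here is an added example (not the eql engine) that consumes process create/terminate events and evaluates `child of`, `descendant of` and `event of` for the two slide queries. The `ProcessTree` class, its snapshot-at-creation rule, and the sample events with pids 100 to 700 are my constructions.

```python
"""Process lineage from create/terminate events, modelling EQL's `child of`,
`descendant of` and `event of` (slides 18 and 19). Added illustration, not the
eql engine; the event shape and the sample events are constructed.
"""


class ProcessTree:
    """Live processes keyed by pid; each records its ancestry at creation time."""

    def __init__(self):
        self.live = {}  # pid -> {"pid", "name", "ancestors": [parent, grandparent, ...]}

    def on_event(self, ev):
        """Feed every event in time order; only process create/terminate change state."""
        if ev["event_type"] != "process":
            return
        if ev["subtype"] == "create":
            parent = self.live.get(ev["ppid"])
            # Snapshot the chain now: a parent that later exits (or whose pid is
            # reused) must not change what this process descends from.
            ancestors = [] if parent is None else [parent] + parent["ancestors"]
            self.live[ev["pid"]] = {"pid": ev["pid"], "name": ev["process_name"].lower(),
                                    "ancestors": ancestors}
        elif ev["subtype"] == "terminate":
            self.live.pop(ev["pid"], None)

    def _ancestors(self, pid):
        return self.live.get(pid, {}).get("ancestors", [])

    def child_of(self, pid, pred):
        """`child of [process where pred]`: the direct parent satisfies pred."""
        anc = self._ancestors(pid)
        return bool(anc) and pred(anc[0])

    def descendant_of(self, pid, pred):
        """`descendant of [process where pred]`: any ancestor satisfies pred."""
        return any(pred(a) for a in self._ancestors(pid))


def is_named(name):
    return lambda proc: proc["name"] == name


def powershell_network_not_under_explorer(events):
    """Slide 18: network where process_name == "powershell.exe"
    and not descendant of [process where process_name == "explorer.exe"]"""
    tree, hits = ProcessTree(), []
    for ev in events:
        tree.on_event(ev)
        if (ev["event_type"] == "network" and ev["process_name"].lower() == "powershell.exe"
                and not tree.descendant_of(ev["pid"], is_named("explorer.exe"))):
            hits.append(ev)
    return hits


def exe_written_by_child_of_powershell(events):
    """Slide 19: file where file_name == "*.exe" and event of
    [process where child of [process where process_name == "powershell.exe"]]"""
    tree, hits = ProcessTree(), []
    for ev in events:
        tree.on_event(ev)
        if (ev["event_type"] == "file" and ev["file_name"].lower().endswith(".exe")
                and tree.child_of(ev["pid"], is_named("powershell.exe"))):
            hits.append(ev)
    return hits


def _create(ts, pid, ppid, name):
    return {"event_type": "process", "subtype": "create", "timestamp": ts,
            "pid": pid, "ppid": ppid, "process_name": name}


# Constructed sample events in time order (203.0.113.10 is a documentation address).
EVENTS = [
    _create(1, 100, 1, "explorer.exe"),
    _create(2, 200, 100, "WINWORD.EXE"),
    _create(3, 300, 200, "powershell.exe"),
    {"event_type": "network", "timestamp": 4, "pid": 300, "process_name": "powershell.exe",
     "destination_ip": "203.0.113.10"},  # descends from explorer.exe: not flagged
    _create(5, 400, 1, "services.exe"),
    _create(6, 500, 400, "svchost.exe"),
    _create(7, 600, 500, "powershell.exe"),
    {"event_type": "network", "timestamp": 8, "pid": 600, "process_name": "powershell.exe",
     "destination_ip": "203.0.113.10"},  # no explorer.exe ancestor: flagged
    _create(9, 700, 600, "cmd.exe"),
    {"event_type": "file", "timestamp": 10, "pid": 700, "process_name": "cmd.exe",
     "file_name": "dropper.exe"},  # written by a child of powershell.exe: flagged
    {"event_type": "file", "timestamp": 11, "pid": 300, "process_name": "powershell.exe",
     "file_name": "notes.txt"},  # not an .exe
    {"event_type": "process", "subtype": "terminate", "timestamp": 12, "pid": 600, "ppid": 500,
     "process_name": "powershell.exe"},
    _create(13, 600, 100, "notepad.exe"),  # pid 600 reused by an unrelated process
    {"event_type": "file", "timestamp": 14, "pid": 700, "process_name": "cmd.exe",
     "file_name": "late.exe"},  # still attributed to the old powershell.exe parent
]
```

The snapshot rule matters twice in the sample: pid 600's powershell.exe exits and the pid is reused by notepad.exe, yet `late.exe`, written afterwards by its surviving child cmd.exe, is still attributed to the old powershell.exe parent; and the first powershell.exe (pid 300) is not flagged because its chain runs through WINWORD.EXE to explorer.exe.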
  • 21. APPROACH TO DETECTION
    • Understand common tactics employed by the adversary
    • Next, move to specific methods or techniques
    • From there we can craft detection logic
    • When necessary, understand operating system internals
    Initial Access, Execution, Persistence, Privilege Escalation, Command and Control, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact
  • 22. INITIAL ACCESS & EXECUTION
    • Technique: Spearphishing Attachment (T1193), PowerShell (T1086)
    • Detection: Scriptable child processes of Office products - PowerShell, VB script, cmd.exe
      process where parent_process_name in ("winword.exe", "excel.exe", "powerpnt.exe") and
        process_name in ("powershell.exe", "cscript.exe", "wscript.exe", "cmd.exe")
  • 23. INITIAL ACCESS & EXECUTION
    • Technique: Spearphishing Attachment (T1193)
    • Detection: Office creating a PE file that quickly executes
      sequence with maxspan=5m
        [file where file_name == "*.exe" and
          process_name in ("winword.exe", "excel.exe", "powerpnt.exe")] by file_path
        [process where true] by process_path
  • 24. PERSISTENCE & PRIVILEGE ESCALATION
    • Technique: Scheduled Task (T1053)
    • Detection: The API is cumbersome, so many tools directly execute schtasks.exe. Look for non-SYSTEM users creating tasks that run as SYSTEM
      process where process_name == "schtasks.exe" and user_name != "SYSTEM" and
        (command_line == "* /ru system" or command_line == '* /ru "nt authority"')
      | unique user_name, command_line
  • 25. COMMAND AND CONTROL (C2)
    • Technique: Uncommonly Used Port (T1065)
      network where not destination_port in (
        1,3,4,6,7,9,13,17,19,20,21,22,23,24,25,26,30,32,33,37,42,43,
        49,53,70,79,80,81,82,83,84,85,88,89,90,99,100,106,109,110,111,
        113,119,125,135,139,143,144,146,161,163,179,199,211,212,222,
        254,255,256,259,264,280,301,306, /* many more? */)
      | unique destination_address, destination_port
  • 26. COMMAND AND CONTROL (C2)
    • Technique: Outgoing Connection from Abusable Process (T???)
    • Detection: Look for network activity from abusable binaries. Continuously tune to your environment
      sequence by pid
        [process where subtype.create]
        [network where process_name in (
          // known LOLBINs
          "powershell.exe", "mshta.exe", "installutil.exe", "msxsl.exe", "rundll32.exe")]
      | unique events[0].process_path, events[1].destination_address, events[1].destination_port
  • 27. DEFENSE EVASION
    • Technique: Masquerading (T1096)
    • Detection: Look for executables matching names of known Windows binaries from system32, but in the wrong directory
      process where process_name in (
          "csrss.exe", "dllhost.exe", "lsass.exe", "lsm.exe",
          "services.exe", "winlogon.exe", /* etc */ ) and
        not (process_path == "C:\windows\system32\*" or process_path == "C:\windows\syswow64\*")
    https://www.endgame.com/blog/how-hunt-masquerade-ball
  • 28. DEFENSE EVASION
    • Technique: Process Injection (T1096), Process Hollowing (T1093)
    • Detection: Look for process creations from the wrong parent
      process where
        (process_name == "lsass.exe" and parent_process_name != "wininit.exe") or
        (process_name == "LogonUI.exe" and not parent_process_name in ("winlogon.exe", "wininit.exe")) or
        (process_name == "services.exe" and parent_process_name != "wininit.exe") or
        (process_name == "svchost.exe" and parent_process_name != "services.exe" and
          // the system32\svchost.exe executes syswow64\svchost.exe for 32-bit DLLs
          not (parent_process_path == "*\system32\svchost.exe" and process_path == "*\syswow64\svchost.exe"))
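Slides 27 and 28 describe name and parent checks that are easy to get subtly wrong (case-insensitive paths, the system32-to-syswow64 svchost hop). Here is the same logic as an added example in plain Python, not eqllib's analytic, run over constructed events; the binary list extends the slide's `/* etc */` with my own picks (`wininit.exe`, `smss.exe`, `svchost.exe`), and `EXPECTED_PARENTS` encodes slide 28's three fixed parent rules.

```python
"""Masquerading (slide 27) and wrong-parent (slide 28) checks as plain Python
predicates over constructed process-create events. Added illustration, not
eqllib's analytics; the binary list extends the slide's `/* etc */` with my picks.
"""

# Names of binaries that normally only run from the Windows system directories.
SYSTEM_BINARIES = {"csrss.exe", "dllhost.exe", "lsass.exe", "lsm.exe", "services.exe",
                   "winlogon.exe", "wininit.exe", "smss.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Expected parents for a few core processes (slide 28); svchost.exe is special-cased below.
EXPECTED_PARENTS = {
    "lsass.exe": {"wininit.exe"},
    "logonui.exe": {"winlogon.exe", "wininit.exe"},
    "services.exe": {"wininit.exe"},
}


def _norm(value):
    """Windows paths and names are case-insensitive; compare in lower case."""
    return (value or "").lower()


def is_masquerading(ev):
    """process_name looks like a system binary but process_path is outside system32/syswow64."""
    name, path = _norm(ev.get("process_name")), _norm(ev.get("process_path"))
    return name in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS)


def has_wrong_parent(ev):
    """The process was started by a parent that never legitimately starts it."""
    name, parent = _norm(ev.get("process_name")), _norm(ev.get("parent_process_name"))
    if name in EXPECTED_PARENTS:
        return parent not in EXPECTED_PARENTS[name]
    if name == "svchost.exe":
        if parent == "services.exe":
            return False
        # system32\svchost.exe starts syswow64\svchost.exe to host 32-bit service DLLs
        ppath, path = _norm(ev.get("parent_process_path")), _norm(ev.get("process_path"))
        wow64_hop = (ppath.endswith("\\system32\\svchost.exe")
                     and path.endswith("\\syswow64\\svchost.exe"))
        return not wow64_hop
    return False


def find_suspicious(events):
    """Return (pid, [reasons]) for every event that trips at least one check."""
    findings = []
    for ev in events:
        reasons = [label for label, check in (("masquerading", is_masquerading),
                                              ("wrong_parent", has_wrong_parent)) if check(ev)]
        if reasons:
            findings.append((ev["pid"], reasons))
    return findings


def _proc(pid, name, path, parent, parent_path):
    return {"event_type": "process", "subtype": "create", "pid": pid, "process_name": name,
            "process_path": path, "parent_process_name": parent, "parent_process_path": parent_path}


# Constructed sample events, not real telemetry.
EVENTS = [
    _proc(1, "lsass.exe", "C:\\Windows\\System32\\lsass.exe", "wininit.exe", "C:\\Windows\\System32\\wininit.exe"),
    _proc(2, "lsass.exe", "C:\\Users\\Public\\lsass.exe", "cmd.exe", "C:\\Windows\\System32\\cmd.exe"),
    _proc(3, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "services.exe", "C:\\Windows\\System32\\services.exe"),
    _proc(4, "svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe", "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
    _proc(5, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "cmd.exe", "C:\\Windows\\System32\\cmd.exe"),
    _proc(6, "LogonUI.exe", "C:\\Windows\\System32\\LogonUI.exe", "winlogon.exe", "C:\\Windows\\System32\\winlogon.exe"),
    _proc(7, "notepad.exe", "C:\\Users\\alice\\notepad.exe", "explorer.exe", "C:\\Windows\\explorer.exe"),
]
```

Event 2 trips both checks (an lsass.exe under C:\Users\Public started by cmd.exe), event 5 only the parent check (the genuine system32 svchost.exe, but started by cmd.exe), and event 4 passes because it is the documented syswow64 hop. The mixed-case `LogonUI.exe` in event 6 shows why every comparison goes through `_norm`.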
  • 29. CREDENTIAL ACCESS
    • Technique: Access Sensitive Data or Credentials in Files (T1087)
    • Detection: Look for commands that search for "password"
      process where process_name == "findstr.exe" and command_line == "*password*"
      | unique parent_process, command_line
  • 30. DISCOVERY
    • Technique: Account Discovery (T1087), Remote System Discovery (T1096), System Account Discovery (T1033)
    • Detection: Look for any users that run multiple different types of discovery commands
      join by user_name
        [process where process_name in ("ipconfig.exe", "hostname.exe", "whoami.exe")]
        [process where process_name == "net.exe" and (command_line == "*group*" or command_line == "* user*")]
        [process where process_name in ("tasklist.exe", "qprocess.exe", "sc.exe")]
      | unique user_name
  • 31. LATERAL MOVEMENT
    • Technique: Windows Remote Management (T1028), PowerShell (T1086)
    • Approach: Look for incoming WinRM connections with execution of the provider
      sequence with maxspan=2s
        [network where destination_port in (5985, 5986) and process_name == "svchost.exe"]
        [process where process_name == "wsmprovhost.exe" and command_line == "*embedding*"]
      | unique events[0].source_address, events[0].destination_address, events[1].user_name
  • 32. COLLECTION & EXFILTRATION
    • Technique: Data Staged (T1074), Data Compressed (T1072), Data Encrypted (T1022)
    • Detection: Look for known command lines for tools that indicate compression and encryption
      sequence by unique_pid with maxspan=5m
        [process where command_line == "* -hp*" or command_line == "* /hp*"]
        [file where file_name == "*.rar"]
      | unique events[0].process_path, events[1].file_name
  • 33. IMPACT
    • Technique: Inhibit System Recovery (T1490)
    • Detection: Monitor known command lines
      process where
        (process_name == "vssadmin.exe" and command_line == "*delete*") or
        (process_name == "wmic.exe" and command_line == "*shadow*delete*") or
        (process_name == "wevtutil.exe" and command_line == "* cl *")
  • 37. APPROACHES
    • We want to look proactively for evidence of an adversary
    • Often technique-agnostic, but still follow the attacker lifecycle
    • Ask environment-oriented questions
    • Establish situational awareness and track deviations
      • Prevalence
      • Recency
      • Patterns
    is this threat hunting?
  • 38. UNUSUAL PARENT-CHILD RELATIONSHIPS
    What parent-child process relationships are rare and recent?
      process where subtype.create
      | unique_count parent_process_name, process_name
      | tail 100
      | sort count
      | head 10
    Sample results (parent_process_name, command_line):
      MSI9BBF.tmp                       "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -u auto-update
      powershell.exe                    rundll32.exe C:\Users\vagrant\AppData\Local\cyzfc.dat, PointFunctionCall
      wuauclt.exe                       "C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.293.2420.0.exe" WD /q
      AM_Delta_Patch_1.293.2420.0.exe   C:\WINDOWS\system32\MpSigStub.exe /stub 1.1.1 ...
  • 39. UNUSUAL PARENT-CHILD RELATIONSHIPS
    What parent-child process relationships are rare and recent?
      process where subtype.create and (
          process_name in ("cmd.exe", "powershell.exe") or
          parent_process_name in ("cmd.exe", "powershell.exe"))
      | unique_count parent_process_name, process_name
      | tail 100
      | sort count
      | head 10
    Sample results (parent_process_name, command_line):
      powershell.exe   rundll32.exe C:\Users\vagrant\AppData\Local\cyzfc.dat, PointFunctionCall
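The pipes introduced on slide 17 and the stacking query on slides 38 and 39 are built from the same primitives. The block below is an added example, not the eql package: each pipe as a plain list transform, then both queries run over constructed process events. Returning `count` rows in first-seen order is my choice for the example, and the `tail`-then-`sort` composition is the slide 38 query as written.

```python
"""EQL-style pipes (unique, count, unique_count, filter, sort, head, tail) as
plain list transforms, then the stacking queries from slide 17 and slides 38/39
run over constructed process events. Added illustration, not the eql package.
"""
from collections import Counter


def _key(ev, fields):
    return tuple(ev.get(f) for f in fields)


def unique(events, *fields):
    """`unique f1, f2`: the first event for each distinct combination of fields."""
    seen, out = set(), []
    for ev in events:
        k = _key(ev, fields)
        if k not in seen:
            seen.add(k)
            out.append(ev)
    return out


def count(events, *fields):
    """`count f1, f2`: one row per distinct key with a `count` column (first-seen order here)."""
    totals = Counter(_key(ev, fields) for ev in events)
    return [dict(zip(fields, k), count=n) for k, n in totals.items()]


def unique_count(events, *fields):
    """`unique_count f1, f2`: like unique, but each kept event gains a `count` column."""
    totals = Counter(_key(ev, fields) for ev in events)
    return [dict(ev, count=totals[_key(ev, fields)]) for ev in unique(events, *fields)]


def filter_(events, pred):
    return [ev for ev in events if pred(ev)]


def sort(events, field):
    return sorted(events, key=lambda ev: ev[field])  # stable: ties keep input order


def head(events, n):
    return events[:n]


def tail(events, n):
    return events[-n:] if n > 0 else []


def commands_per_process(events, threshold=5):
    """Slide 17: process where true | unique process_name, command_line
    | count process_name | filter count < 5"""
    rows = count(unique(events, "process_name", "command_line"), "process_name")
    return filter_(rows, lambda r: r["count"] < threshold)


def rare_recent_parent_child(events, recent=100, top=10):
    """Slide 38: process where subtype.create | unique_count parent_process_name, process_name
    | tail 100 | sort count | head 10. Because unique keeps first occurrences, `tail`
    selects the pairs first seen most recently, and `sort count` puts the rarest first."""
    rows = unique_count(filter_(events, lambda e: e["subtype"] == "create"),
                        "parent_process_name", "process_name")
    return head(sort(tail(rows, recent), "count"), top)


def _proc(ts, parent, name, cmd):
    return {"event_type": "process", "subtype": "create", "timestamp": ts,
            "parent_process_name": parent, "process_name": name, "command_line": cmd}


# Constructed sample events, not real telemetry.
EVENTS = [
    _proc(1, "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    _proc(2, "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    _proc(3, "services.exe", "svchost.exe", "svchost.exe -k LocalService"),
    _proc(4, "explorer.exe", "chrome.exe", "chrome.exe"),
    _proc(5, "explorer.exe", "chrome.exe", "chrome.exe --type=renderer"),
    _proc(6, "explorer.exe", "chrome.exe", "chrome.exe --type=gpu-process"),
    _proc(7, "explorer.exe", "chrome.exe", "chrome.exe --type=utility"),
    _proc(8, "explorer.exe", "chrome.exe", "chrome.exe --type=extension"),
    _proc(9, "explorer.exe", "chrome.exe", "chrome.exe --type=ppapi"),
    _proc(10, "explorer.exe", "cmd.exe", "cmd.exe /c whoami"),
    _proc(11, "powershell.exe", "rundll32.exe",
          "rundll32.exe C:\\Users\\vagrant\\AppData\\Local\\cyzfc.dat,PointFunctionCall"),
]
```

On this sample `commands_per_process` keeps svchost.exe (2 distinct command lines), cmd.exe and rundll32.exe, and drops chrome.exe with its 6 variants. `rare_recent_parent_child` orders the four parent/child pairs rarest first, so the powershell.exe to rundll32.exe pair from slide 38 surfaces at the top alongside explorer.exe to cmd.exe.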
  • 40. REMOTE ACCESS TOOLS
    What recently first-seen processes also made network connections?
      join by process_path
        [process where subtype.create]
        [network where true]
      | unique events[0].process_path
      | tail 50
    Sample results (process_name, command_line):
      InstallUtil.exe       C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=False /U mydotnet.exe
      OneDriveSetup.exe     "C:\Users\developer\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
      OfficeClickToRun.exe  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.11601.20230\OfficeClickToRun.exe" /update
    i'm in
  • 41. SUDDEN EXTROVERTS
    What processes have been seen before, but only recently made network activity?
      sequence by process_path
        [process where timestamp_utc < "2019-05-01"]
        [network where timestamp_utc > "2019-05-17"]
      until [network where timestamp_utc < "2019-05-17"]
      | unique process_path
    Sample result (command_line):
      msiexec.exe /quiet /i http://172.31.27.16:8000/bin/Installer.msi
  • 42. FILE SYSTEM WEAKNESSES
    What privileged files were modified by a user but executed as SYSTEM?
      sequence
        [file where subtype.create and file_name == "*.exe" and user_name != "SYSTEM"] by file_path
        [process where user_name == "SYSTEM"] by process_path
      | unique events[0].file_path
    Sample results (user_name, process_name, file_path):
      vagrant  jusched.exe     C:\Windows\system32\inf\svchost.exe
      zoom     CptInstall.exe  C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe
  • 43. REMOTE RECONNAISSANCE
    What enumeration commands were executed from processes with outgoing network activity?
      process where process_name in (
          "whoami.exe", "hostname.exe", "ipconfig.exe", "net.exe", "netstat.exe", "tasklist.exe")
        and child of [network where subtype.outgoing]
      | unique parent_process_path, process_name
      | unique_count parent_process_path
    Sample results (command_line, process_name, count):
      whoami.exe    powershell_ise.exe  1
      hostname.exe  dxdiag0732.exe      1
      netstat.exe   python.exe          1
    *slaps eql* this hunt can find so many recon commands
  • 44. BRUTE FORCE ATTEMPTS
    Are there multiple logon failures and eventually a success from a remote host?
      sequence by ip_address with maxspan=1h
        [security where event_id == 4625 and logon_type in (3,5,10)]
        [security where event_id == 4625 and logon_type in (3,5,10)]
        [security where event_id == 4625 and logon_type in (3,5,10)]
        [security where event_id == 4625 and logon_type in (3,5,10)]
        [security where event_id == 4624 and logon_type in (3,5,10)]
      until [security where event_id == 4624]
      // 4624 = logon success, 4625 = logon failure
  • 45. WHYMI HERE?
    What commands were spawned from WMI remotely or as a different user?
      process where subtype.create
      | unique authentication_id
      | filter not user_name in ("SYSTEM", "NT AUTHORITY", "LOCAL SERVICE") and
          (process_name == "wmiprvse.exe" or parent_process_name == "wmiprvse.exe")
      | unique process_name
    Sample results (command_line):
      cmd /c "tasklist /svc > %SystemRoot%\TEMP\nessus_task_listIVC4798D.TMP & ren %SystemRoot%\TEMP\nessus_task_listIVC4798D.TMP nessus_task_listIVC4798D.TXT"
      recdiscm32.exe \\10.1.2.3\admin$\system32\taskchg16.exe
  • 46. SUSPICIOUS LATERAL MOVEMENT
    What endpoints remotely connected via SMB and RPC to potentially upload and execute?
      sequence by destination_address with maxspan=30s
        [network where subtype.incoming and destination_port == 445]
        [network where subtype.incoming and destination_port == 135]
      | unique source_address
    • Noisy on domain controllers
    • Incoming traffic to workstations is suspicious
  • 48. DOWNLOAD EQL
    • Install the python package (supports 2.7, 3.4+) with pip install eql
    • Built-in CLI eql query with stdin/stdout redirection
    • Read the Getting Started blog post for more information
      • endgame.com/blog/technical-blog/getting-started-eql
  • 50. ANALYTICS LIBRARY
    • Browse the analytics library
      • eqllib.readthedocs.io
    • Contribute your detection and hunting logic
      • github.com/endgameinc/eqllib
    • 45+ analytics mapped to MITRE ATT&CK with contributions from Endgame and Red Canary
    • Multiple data sets to get your hands dirty
      • github.com/endgameinc/eqllib/tree/master/data
  • 52. NORMALIZATION
    • Contribute schema mappings
    • Currently map to Microsoft Sysmon and MITRE Cyber Analytics Repository
    • Convert queries to mapped data sources
      $ eqllib convert-query -s "Microsoft Sysmon" 'process where subtype.create and process_name == "mshta.exe" and command_line == "* c:\programdata\*.hta"'
      process where EventId == 1 and Image == "*\mshta.exe" and CommandLine == "* c:\programdata\*.hta"
    • Normalize from mapped data sources to sharable format
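Slide 52's schema mapping is what lets one query run over different sources. As an added example (my own reading of the two field sets, not eqllib's schema file), here is a Sysmon EventId 1 record converted into the common-schema fields from slide 11, including the `DOMAIN\name` split, the MD5 pulled out of Sysmon's `Hashes` string, and a FILETIME `timestamp`. The Sysmon field names are Sysmon's own; the sample record's values are constructed, apart from the paths and MD5 that mirror slide 11.

```python
"""Normalizing a Sysmon process-create record (EventId 1) into the common
schema fields listed on slide 11. Added illustration: the mapping below is my
own reading of the two field sets, not eqllib's schema definition, and the
sample record is constructed.
"""
import ntpath
from datetime import datetime, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _split_user(user):
    """Sysmon `User` is 'DOMAIN\\name'; return (domain, name), domain empty if absent."""
    domain, _, name = user.rpartition("\\")
    return domain, name


def _hash(hashes, algo):
    """Sysmon `Hashes` reads 'MD5=...,SHA256=...'; return one digest in lower case, or None."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == algo.upper() and value:
            return value.strip().lower()
    return None


def _filetime(utc_time):
    """Sysmon `UtcTime` ('YYYY-MM-DD HH:MM:SS.fff') -> FILETIME, 100 ns ticks since 1601,
    the form of the `timestamp` value on slide 11. Integer arithmetic keeps every tick."""
    dt = datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    delta = dt - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def sysmon_to_common(record):
    """Map one Sysmon EventId 1 record (dict of Sysmon field names) to the common schema."""
    if int(record["EventId"]) != 1:
        raise ValueError("only Sysmon EventId 1 (process create) is handled here")
    domain, user = _split_user(record["User"])
    return {
        "event_type": "process",
        "subtype": "create",
        "timestamp": _filetime(record["UtcTime"]),
        "pid": int(record["ProcessId"]),
        "ppid": int(record["ParentProcessId"]),
        "process_path": record["Image"],
        "process_name": ntpath.basename(record["Image"]),
        "parent_process_path": record["ParentImage"],
        "parent_process_name": ntpath.basename(record["ParentImage"]),
        "command_line": record["CommandLine"],
        "md5": _hash(record.get("Hashes", ""), "MD5"),
        "user_domain": domain,
        "user_name": user,
    }


# Constructed Sysmon record: field names are Sysmon's; values are made up,
# except that the paths and the MD5 mirror the slide 11 example.
SAMPLE_SYSMON = {
    "EventId": 1,
    "UtcTime": "2019-05-17 14:03:21.123",
    "ProcessId": 2460,
    "ParentProcessId": 3052,
    "Image": "C:\\Windows\\explorer.exe",
    "ParentImage": "C:\\Windows\\system32\\userinit.exe",
    "CommandLine": "C:\\Windows\\Explorer.EXE",
    "User": "RESEARCH\\researcher",
    "Hashes": "MD5=AC4C51EB24AA95B77F705AB159189E24,SHA256=0000000000000000000000000000000000000000000000000000000000000000",
}
```

`sysmon_to_common(SAMPLE_SYSMON)` produces the same field names as the slide 11 event, which is what makes a query such as `process where subtype.create and process_name ==
 "mshta.exe"` portable across sources: the conversion happens once at ingest, and the detection logic never sees Sysmon's `Image` or `CommandLine` names. The FILETIME is built with integer arithmetic because a float `total_seconds()` at 1e17 ticks loses the 100 ns digits.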
  • 53. WHAT'S NEXT?
    • Early June update to EQL 0.7
      • Contains schema validation with better error checking
      • Cleaner python API for integrating with other projects
    • Summer release of 75+ atomic analytics mapped to ATT&CK
  • 54. GET IN TOUCH
    • Follow EQL on Twitter: @eventquerylang
    • Chat on Gitter: gitter.im/eventquerylang/community
    • Email us: eql AT endgame.com
  • 55. RESOURCES
    • Getting started with EQL (blog): endgame.com/blog/technical-blog/getting-started-eql
    • Endgame Guide to Threat Hunting (PDF): pages.endgame.com/wc-guide-to-threat-hunting.html
    • Follow the guide for creating sophisticated queries: eql.readthedocs.io/query-guide
    • Documentation: eql.readthedocs.io
    • Clone it! github.com/endgameinc/eql and github.com/endgameinc/eqllib