This document outlines a presentation on indicators of compromise (IOCs). It discusses IOC standards such as OpenIOC and STIX, and how to mine and apply IOCs through case studies and practical tasks analyzing network traffic, HTTP logs, and antivirus logs. The document provides examples of IOCs such as an exploit pack trace and a Nuclearsploit pack description.
Compromise Indicator Magic
1. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs Case studies Categirizing Incidents Practical tasks Analysing N
Compromise Indicator Magic: Living with Compromise
Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin
PhDays 2014
Affiliations: Academia Sinica, o0o.nu, chroot.org
May 22, 2014, Moscow
Compromise Indicator Magic: Living with Compromise   Affiliations: Academia Sinica, o0o.nu, chroot.org
Outline
Introduction
IOC Standards
V:IOCs
mining IOCs
Applying IOCs
Case studies
Categorizing Incidents
Practical tasks
Analysing Network traffic
Analyzing HTTP logs
Analyzing AV logs
Creating 0wn IOCs
EOF
Everyone is p0wn3d :)
Challenges
Main Assumption: All networks are compromised
The difference between a good security team and a bad security team is that
with a bad security team you will never know that you’ve been compromised.
Statistics speak
about 40,000,000 internet users in Russia
for every 10,000 server hosts, 500 hosts trigger redirects to malicious
content per week
about 20-50 user machines (full AV installed, NAT, FW) get affected
Introduction: terminology
Indicators of Compromise
An indicator of compromise (IOC) in computer forensics is an artifact observed on
a network or in an operating system that with high confidence indicates a computer
intrusion.
http://en.wikipedia.org/wiki/Indicator_of_compromise
Why Indicators of compromise
Indicators of Compromise help us to answer questions like:
is this document/file/hash malicious?
is there any past history for this IP/domain?
what are the other similar/related domains/hashes/..?
who is the actor?
am I an APT target?!!;-)
Workshop: hands-on part
If you’d like to try as we go, these are the tools we are about to cover:
http://github.com/fygrave/ndf
http://github.com/fygrave/hntp
fiddler
elasticsearch && http://github.com/aol/moloch (vm)
yara (as moloch plugin)
hpfeeds
CIF
https://github.com/STIXProject/openioc-to-stix/
IOC representations
Multiple standards have been created to facilitate IOC exchanges.
Mandiant: OpenIOC
Mitre: STIX (Structured Threat Information Expression), CybOX (Cyber Observable Expression)
Mitre: CAPEC, TAXII
IODEF (Incident Object Description Format)
Standards: OpenIOC
OpenIOC - a Mandiant-backed effort for a uniform representation of IOCs (Mandiant is
now part of FireEye): http://www.openioc.org/
OpenIOCs
Digital Appendices / Appendix G (Digital) - IOCs$ ls
0c7c902c-67f8-479c-9f44-4d985106365a.ioc    6bd24113-2922-4d25
ad521068-6f18-4ab1-899c-11007a18ec73.ioc
12a40bf7-4834-49b0-a419-6abb5fe2b291.ioc    70b5be0c-8a94-44b4
af5f65fc-e1ca-45db-88b1-6ccb7191ee6a.ioc
2106f0d2-a260-4277-90ab-edd3455e31fa.ioc    7c739d52-c669-4d51
Appendix G IOCs README.pdf
26213db6-9d3b-4a39-abeb-73656acb913e.ioc    7d2eaadf-a5ff-4199
c32b8af3-28d0-47d3-801f-a2c2b0129650.ioc
2bff223f-9e46-47a7-ac35-d35f8138a4c7.ioc    7f9a6986-f00a-4071
c71b3305-85e5-4d51-b07c-ff227181fb5a.ioc
2fc55747-6822-41d2-bcc1-387fc1b2e67b.ioc    806beff3-7395-492e
c7fa2ea5-36d5-4a52-a6cf-ddc2257cb6f9.ioc
32b168e6-dbd6-4d56-ba2f-734553239efe.ioc    84f04df2-25cd-4f59
d14d5f09-9050-4769-b00d-30fce9e6eb85.ioc
3433dad8-879e-40d9-98b3-92ddc75f0dcd.ioc    8695bb5e-29cd-41b9
d1c65316-cddd-4d9c-8efe-c539aa5965c0.ioc
3e01b786-fe3a-4228-95fa-c3986e2353d6.ioc    86e9b8ec-7413-453b
Standards: Mitre
Mitre CybOX: http://cybox.mitre.org/
https://github.com/CybOXProject/Tools
https://github.com/CybOXProject/openioc-to-cybox
Mitre CAPEC: http://capec.mitre.org/
Mitre STIX: http://stix.mitre.org/
Mitre TAXII: http://taxii.mitre.org/
Mature: stix
Indicators of Compromise
Complex IOCs covering all steps of attack
Dynamic creation of IOCs on the fly
Auto-reload of IOCs, TTLs
Dealing with different standards/import export
Exploit pack trace
url                                                              ip             mime type                 ref
http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html   93.189.46.222  text/html                 http://www.smeysyatu
http://cuba.eanuncios.net/2909620968/1/1399422480.htm            93.189.46.222  text/html                 http://cuba.eanuncio
http://cuba.eanuncios.net/2909620968/1/1399422480.jar            93.189.46.222  application/java-archive  -
http://cuba.eanuncios.net/2909620968/1/1399422480.jar            93.189.46.222  application/java-archive  -
http://cuba.eanuncios.net/f/1/1399422480/2909620968/2            93.189.46.222  -                         -
http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2          93.189.46.222  -                         -
Nuclearsploit pack
{'Nuclearsploit pack': {
  'step1': {
    'files': ['wz3u6si8e5lh7k2tk5ox4ne6d8g.html', 't3f5y9a2bb3dl7z8gc4o6f.html', 'zf3z9lr6ac8di6r4k
    'domains': ['father.ferremovil.com', 'thai.alohatransllc.com', 'cuba.eanuncios.net', 'duncan.
    'arguments': [],
    'directories': ['1'],
    'ip': ['93.189.46.201', '93.189.46.203', '93.189.46.222', '93.189.46.224', '93.189.46.233']},
  'step2': {
    'files': ['1399422480.htm', '1399704720.htm', '1399513440.htm', '1399514040.htm',
              '1399773300.htm'],
    'domains': ['cuba.eanuncios.net', 'duncan.disenocorporativo.com.ar', 'homany.collectiveit.com.
    'arguments': [],
    'directories': ['2909620968', '1', '507640988', '940276731', '3957283574', '952211704'],
    'ip': ['93.189.46.222', '93.189.46.224', '93.189.46.233']},
  'step3': {
    'files': ['1399422480.jar', '1399513440.jar'],
    'domains': ['cuba.eanuncios.net', 'homany.collectiveit.com.au'],
    'arguments': [],
    'directories': ['2909620968', '1', '940276731'],
    'ip': ['93.189.46.222', '93.189.46.224']},
  'step4': {
    'files': ['2'],
    'domains': ['cuba.eanuncios.net'],
    'arguments': [],
    'directories': ['f', '1', '1399422480', '2909620968', '2'],
    'ip': ['93.189.46.222']}
  }
}
Redirect (example)
http://mysimuran.ru/forum/kZsjOiDMFb/
http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231
http://c.hit.ua/hit?i=59278&g=0&x=2
http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.h
Redirect Example
{'28001': {
  'step1': {
    'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU'],
    'arguments': [],
    'files': [''],
    'ip': ['89.111.178.33'],
    'domains': ['mysimuran.ru']},
  'step2': {
    'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU', 'kJXshWOMNC'],
    'arguments': ['4231', '7697', '9741'],
    'files': ['js.js', 'cnt.html'],
    'ip': ['89.111.178.33'],
    'domains': ['mysimuran.ru']},
  'step3': {
    'directories': [],
    'arguments': ['i', 'g', 'x'],
    'files': ['hit'],
    'ip': ['89.184.81.35'],
    'domains': ['c.hit.ua']},
  'step4': {
    'directories': ['d1x', '3', '87475b26a521024ce78d7ea73164140a', 'd36eb1fc80ebe9df515d043be1557
    'arguments': [],
    'files': ['http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26',
    'ip': ['46.254.16.209'],
    'domains': ['f-wake.browser-checks.info', 'a-oprzay.browser-checks.pw']}
  }
}
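As an added example (not code from the slides or from the authors' iocmap project), here is how a structure like the two above can be produced from an observed request chain: each request is decomposed into the file, directories, argument names, domain and IP that the slide format records, and step N merges whatever was seen at position N across all chains, so several victims of the same kit collapse into one description. The sample chains are the exploit pack trace and the redirect chain shown earlier; the grouping key and helper names are mine.

```python
"""Build a step-wise IOC description from observed request chains.
Added example: the functions are mine, the sample chains come from the
exploit pack trace and redirect example on the slides."""
import json
from urllib.parse import urlsplit, parse_qs

FIELDS = ('files', 'domains', 'arguments', 'directories', 'ip')


def split_request(url, ip):
    """Decompose one request into the attributes the slide format records."""
    u = urlsplit(url)
    segments = u.path.split('/')[1:]      # drop the empty element before the leading '/'
    return {
        'files': [segments[-1] if segments else ''],   # '' when the path ends in '/'
        'domains': [u.hostname or ''],
        # parse_qs keeps keys in order; keep_blank_values keeps '?4231'-style keys
        'arguments': list(parse_qs(u.query, keep_blank_values=True)),
        'directories': segments[:-1],
        'ip': [ip],
    }


def describe_chains(name, chains):
    """Merge ordered (url, ip) chains into {name: {'step1': {...}, ...}}.
    Step N collects every distinct value observed at position N, so several
    victims of the same kit collapse into one description with all variants."""
    steps = {}
    for chain in chains:
        for n, (url, ip) in enumerate(chain, 1):
            step = steps.setdefault('step%d' % n, {f: [] for f in FIELDS})
            for field, values in split_request(url, ip).items():
                for value in values:
                    if value not in step[field]:
                        step[field].append(value)
    return {name: steps}


# Request chains taken from the slides (one victim each).
EXPLOIT_PACK_TRACE = [
    ('http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html', '93.189.46.222'),
    ('http://cuba.eanuncios.net/2909620968/1/1399422480.htm', '93.189.46.222'),
    ('http://cuba.eanuncios.net/2909620968/1/1399422480.jar', '93.189.46.222'),
    ('http://cuba.eanuncios.net/f/1/1399422480/2909620968/2', '93.189.46.222'),
]
REDIRECT_CHAIN = [
    ('http://mysimuran.ru/forum/kZsjOiDMFb/', '89.111.178.33'),
    ('http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231', '89.111.178.33'),
    ('http://c.hit.ua/hit?i=59278&g=0&x=2', '89.184.81.35'),
    ('http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/'
     'http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26',
     '46.254.16.209'),
]

if __name__ == '__main__':
    print(json.dumps(describe_chains('Nuclearsploit pack', [EXPLOIT_PACK_TRACE]), indent=1))
    print(json.dumps(describe_chains('28001', [REDIRECT_CHAIN]), indent=1))
```

Feeding more victims' chains into describe_chains is what makes the per-step lists grow the way the slide's version does (several landing pages, several IPs per step); the argument lists keep parameter names only, since the values change per victim while the names are what the kit's code fixes.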
IOCs
IOCs3
IOCs viz
IOCs viz(02)
IOCs viz(3)
IOCs viz(4)
IOCs viz(5)
Nuclear sploitpack
function see_user_agent(){
    var replace_user_agent =
        ['Lunascape', 'iPhone', 'Macintosh', 'Linux', 'iPad', 'Flock', 'Se
    var low_user_agent = false;
    for (var i in replace_user_agent) {
        if (stripos(navigator.userAgent, replace_user_agent[i])) {
            low_user_agent = true;
            break;
        }
    }
    return low_user_agent
Sourcing External IOCs
CIF - https://code.google.com/p/collective-intelligence-framework/
feeds (with scrapers):
Sourcing External IOCs
feed your scrapers:
https://zeustracker.abuse.ch/blocklist.php?download=badips
http://malc0de.com/database/
https://reputation.alienvault.com/reputation.data ...
VT intelligence
Sourcing IOCs Internally
honeypot feeds
log analysis
traffic analysis
Where to look for IOCs internally
Outbound Network Traffic
User Activities/Failed Logins
User profile folders
Administrative Access
Access from unusual IP addresses
Database IO: excessive READs
Size of responses of web pages
Unusual access to particular files within Web Application (backdoor)
Unusual port/protocol connections
DNS and HTTP traffic requests
Suspicious Scripts, Executables and Data Files
Challenges
Why do we need IOCs? Because they make it easier to systematically describe
knowledge about breaches.
Identifying intrusions is hard
Unfair game:
the defender has to protect all the assets
the attacker only needs to ’pop’ one system.
Identifying targeted, organized intrusions is even harder
Minor anomalous events are important when put together
Seeing the global picture is a must
Details matter
Attribution is hard
Use honeypots
Running honeypots gives an enormous advantage in detecting emerging
threats
Strategically placing honeypots is extremely important
HPfeeds, Hpfriends and more
HPFeeds Architecture
HPFeeds API in a nutshell:
import pygeoip
import hpfeeds
import json

HOST = 'broker'
PORT = 20000
CHANNELS = ['geoloc.events']
IDENT = 'ident'
SECRET = 'secret'

gi = pygeoip.GeoIP('GeoLiteCity.dat')          # MaxMind city database used to geolocate the source
hpc = hpfeeds.new(HOST, PORT, IDENT, SECRET)  # connect to the broker and authenticate
# ip is the source address of the honeypot hit being reported (supplied by the honeypot)
msg = {'latitude': gi.record_by_addr(ip)['latitude'],
       'longitude': gi.record_by_addr(ip)['longitude'],
       'type': 'honeypot hit'}
hpc.publish(CHANNELS, json.dumps(msg))        # publish one JSON event to the channel(s)
hpfeeds integration
NTP probe collector
HPFeeds and honeymap
Applying IOCs to your detection process
moloch moloch moloch :)
Tools for Dynamic Detection of IOC
Snort
Yara + yara-enabled tools
Moloch
Splunk/Log search
roll-your-own:p
Moloch
Moloch is awesome:
Open-source tools
OpenIOC manipulation
https://github.com/STIXProject/openioc-to-stix
https://github.com/tklane/openiocscripts
Mantis Threat Intelligence Framework
https://github.com/siemens/django-mantis.git
Mantis supports STIX/CybOX/IODEF/OpenIOC etc. via importers:
https://github.com/siemens/django-mantis-openioc-importer
Search splunk data for IOC indicators:
https://github.com/technoskald/splunk-search
Our framework: http://github.com/fygrave/iocmap/
iocmap
MISP
http://www.secure.edu.pl/pdf/2013/D2_1530_A_Socha.pdf
https://github.com/MISP
Tools for Dynamic Detection
Moloch
Moloch supports Yara (IOCs can be directly applied)
Moloch has awesome tagger plugin:
# tagger.so
# provides ability to import text files with IP and/or hostn
# into a sensor that would cause autotagging of all matching
plugins=tagger.so
taggerIpFiles=blacklist,tag,tag,tag...
taggerDomainFiles=domainbasedblacklists,tag,tag,tag
Moloch plugins
Moloch is easily extendable with your own plugins
https://github.com/fygrave/moloch_zmq - makes it easy to
integrate other things with moloch via zmq queue pub/sub or push/pull model
Moloch ZMQ example
CEP-based analysis of network-traffic (using ESPER):
https://github.com/fygrave/clj-esptool/
(esp:add "create context SegmentedBySrc partition by src fro
WebDataEvent")
(esp:add "context SegmentedBySrc select src, rate(30) as ra
avg(rate(30)) as avgRate from WebDataEvent.win:time(30) havi
rate(30) < avg(rate(30)) * 0.75 output snapshot every 60 sec
(future-call start-counting)
Sources of IOCs
ioc bucket:
http://iocbucket.com
Public blacklists/trackers could also be used as source:
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
Eset IOC repository
https://github.com/eset/malware-ioc
more coming?
Where to mine IOCs
passive HTTP (keep your data recorded)
passive DNS
These platforms provide the ability to mine traffic or patterns from the past based
on IOC similarity:
show me all the packets similar to this IOC
We implemented a whois service for IOC look-ups:
whois -h ioc.host.com attribute:value+attribute:value
Mining IOCs from your own data
find and investigate an incident
or even read a paper
determine indicators and test them in YOUR environment
use the new indicators in the future
see the IOC cycle we mentioned earlier
Example
If an event chain leads to compromise:
http://liapolasens[.]info/indexm.html
http://liapolasens[.]info/counter.php?t=f&v=win%2011,7,700,169&a=true
http://liapolasens[.]info/354RIcx
http://liapolasens[.]info/054RIcx
What to do?
Use YARA, or tune your own tools
rule susp_params_in_url_kind_of_fileless_bot_drive_by
{
    meta:
        date = "oct 2013"
        description = "Landing hxxp://jdatastorelame.info/indexm.html  04.10.2013 13:14  108.6
        description1 = " Java Sploit hxxp://jdatastorelame.info/054RIwj     "
    strings:
        $string0 = "http"
        $string1 = "indexm.html"
        $string2 = "054RI"
    condition:
        all of them
}
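The rule above was written by hand from one chain; the step from "event chain" to "indicator" can be made systematic. The following added example (my code, not the authors' tooling) mines candidate indicators from two observed chains, the one on the previous slide and a second one reconstructed from the landing and Java exploit URLs named in the rule's meta section, and renders them as a YARA rule of the same shape. A token that recurs in every chain (indexm.html) is taken as-is; tokens that differ per victim but share a long enough prefix (054RIcx, 054RIwj) contribute the prefix, which is exactly the "054RI" string the rule uses. A baseline of tokens common in benign traffic keeps the rule from matching everyone.

```python
"""Mine candidate indicators from drive-by chains and emit them as a YARA rule
of the shape shown above.  Added example, not the authors' tooling; the second
chain is reconstructed from the hxxp URLs in the rule's meta section."""
from itertools import combinations
from urllib.parse import urlsplit


def refang(url):
    """Turn the defanged notation used on the slides back into a parseable URL."""
    return url.replace('hxxp', 'http').replace('[.]', '.')


def path_tokens(urls):
    """Set of path segments (directories and files) seen in one chain."""
    tokens = set()
    for url in urls:
        tokens.update(seg for seg in urlsplit(refang(url)).path.split('/') if seg)
    return tokens


def common_prefix(a, b):
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def mine_indicators(chains, baseline=frozenset(), min_prefix=5):
    """Indicators are path tokens that recur in every chain (exact), plus
    prefixes shared by tokens of different chains that are long enough to be
    a template rather than a coincidence (random suffixes vary per victim).
    Anything also seen in benign traffic (baseline) is dropped."""
    per_chain = [path_tokens(c) for c in chains]
    exact = set.intersection(*per_chain) - set(baseline)
    prefixes = set()
    for tokens_a, tokens_b in combinations(per_chain, 2):
        for a in tokens_a - exact:
            for b in tokens_b - exact:
                p = common_prefix(a, b)
                if len(p) >= min_prefix and p not in baseline:
                    prefixes.add(p)
    return exact | prefixes


def yara_escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')


def to_yara(name, indicators, date):
    """Render indicators as a YARA rule requiring all of them, like the slide's."""
    lines = ['rule %s' % name, '{', '    meta:', '        date = "%s"' % date, '    strings:']
    lines += ['        $s%d = "%s"' % (i, yara_escape(s)) for i, s in enumerate(sorted(indicators))]
    lines += ['    condition:', '        all of them', '}']
    return '\n'.join(lines)


# Chain 1: the event chain on the previous slide.  Chain 2: the landing and
# Java exploit URLs named in the YARA rule's meta (constructed from them).
CHAINS = [
    ['http://liapolasens[.]info/indexm.html',
     'http://liapolasens[.]info/counter.php?t=f&v=win%2011,7,700,169&a=true',
     'http://liapolasens[.]info/354RIcx',
     'http://liapolasens[.]info/054RIcx'],
    ['hxxp://jdatastorelame.info/indexm.html',
     'hxxp://jdatastorelame.info/054RIwj'],
]
# Tokens that are ordinary in benign traffic and must never become indicators.
BASELINE = frozenset({'index.html', 'favicon.ico', 'js', 'css', 'images'})

if __name__ == '__main__':
    print(to_yara('mined_drive_by_chain', mine_indicators(CHAINS, BASELINE), 'may 2014'))
```

Two chains are the minimum; with more victims the intersection shrinks to what the kit really keeps constant, and min_prefix should be raised if the mined prefixes start to look like ordinary words. The mined strings still need the test-in-YOUR-environment step from the previous slide before they go into production.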
Use snort to catch suspicious traffic:
# many plugX deployments connect to google DNS when not in use
alert tcp !$DNS_SERVERS any -> 8.8.8.8 53 (msg:"APT possible PlugX Google DNS TCP
port 53 connection attempt"; classtype:misc-activity; sid:500000112;
rev:1;)
GRR: Google Rapid Response:
http://code.google.com/p/grr/
Hunting IOC artifacts with GRR
GRR: Creating rules
GRR: hunt in progress
Campaign walkthrough
An Example
A Network compromise case study:
Attackers broke in via a web vulnerability.
Attackers gained local admin access
Attackers created a local user
Attackers started probing other machines for default user ids
Attackers launched tunneling tools – connecting back to C2
Attackers installed RATs to maintain access
Indicators
So what are the compromise indicators here?
Where did attackers come from? (IP)
What vulnerability was exploited? (pattern)
What web backdoor was used? (pattern, hash)
What tools were uploaded? (hashes)
What users were created locally? (username)
What usernames were probed on other machines?
Good or Bad?
File Name                   : RasTls.exe
File Size                   : 105 kB
File Modification Date/Time : 2009:02:09 19:42:05+08:00
File Type                   : Win32 EXE
MIME Type                   : application/octet-stream
Machine Type                : Intel 386 or later, and compatibles
Time Stamp                  : 2009:02:02 13:38:37+08:00
PE Type                     : PE32
Linker Version              : 8.0
Code Size                   : 49152
Initialized Data Size       : 57344
Uninitialized Data Size     : 0
Entry Point                 : 0x3d76
OS Version                  : 4.0
Image Version               : 0.0
Subsystem Version           : 4.0
Subsystem                   : Windows GUI
File Version Number         : 11.0.4010.7
Product Version Number      : 11.0.4010.7
File OS                     : Windows NT 32-bit
Object File Type            : Executable application
Language Code               : English (U.S.)
Character Set               : Windows, Latin1
Company Name                : Symantec Corporation
File Description            : Symantec 802.1x Supplicant
File Version                : 11.0.4010.7
Internal Name               : dot1xtray
It really depends on context
RasTls.DLL
RasTls.DLL.msc
RasTls.exe
http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx
Dynamic-Link Library Search Order
Categorization based on public sources
Categorization based on historical data
Categorization based on cross-source correlation
Visualizing the Threats
Filtering noisy extras
Making decisions
Investigating using known IOCs
Investigating Static host based IOCs
Investigating Dynamic host based IOCs
Investigating Static network IOCs
Investigating Dynamic network IOCs
Analyzing network traffic and DNS
Analyzing HTTP traffic
User agents
suspicious domains
static analysis of HTTP headers
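The two detection ideas on this slide and on the Moloch tagger slide earlier (IP and domain lists that apply tags, and user-agent review) fit in one small pass over a proxy log. The following added example is my code, not the Moloch plugin or the authors' tooling: the log lines, list names and tags are constructed, while the IOC values are the IPs and domains from the exploit pack and redirect examples. Domain lists match the listed name and any subdomain of it, as a domain-based blacklist should; a user agent that only one client on the network uses is not an indicator by itself, but becomes telling when that client also hits a tagged destination.

```python
"""Tag HTTP log records from IP and domain lists (the idea behind the Moloch
tagger plugin configured earlier) and surface user agents nobody else uses.
Added example: the log lines, lists and tags are constructed; the IOC values
are the ones from the exploit pack and redirect examples."""
from collections import defaultdict

# Modelled on "taggerIpFiles=<file>,tag,tag": each list is (values, tags it applies).
IP_LISTS = {
    'nuclear-ips': (['93.189.46.222', '93.189.46.224'], ['exploitkit', 'nuclear']),
    'redirector-ips': (['46.254.16.209'], ['redirect']),
}
# Domain lists match the name itself and any subdomain of it.
DOMAIN_LISTS = {
    'kit-domains': (['cuba.eanuncios.net', 'browser-checks.info'], ['exploitkit']),
}

FF_UA = 'Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0'
JAVA_UA = 'Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_27'

# Constructed proxy log, tab-separated: time, client, destination IP,
# host[:port], request line, user agent.
LOG = '\n'.join([
    '2014-05-07T10:00:01\t10.1.1.5\t93.189.46.222\tcuba.eanuncios.net\tGET /1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html\t' + FF_UA,
    '2014-05-07T10:00:02\t10.1.1.5\t93.189.46.222\tcuba.eanuncios.net\tGET /2909620968/1/1399422480.jar\t' + JAVA_UA,
    '2014-05-07T10:00:05\t10.1.1.7\t89.111.178.33\tmysimuran.ru\tGET /forum/kZsjOiDMFb/js.js?4231\t' + FF_UA,
    '2014-05-07T10:00:06\t10.1.1.7\t46.254.16.209\tf-wake.browser-checks.info:28001\tGET /d1x/3/87475b26a521024ce78d7ea73164140a/\t' + FF_UA,
    '2014-05-07T10:00:09\t10.1.1.9\t203.0.113.10\twww.example.com\tGET /index.html\t' + FF_UA,
    '2014-05-07T10:00:10\t10.1.1.5\t203.0.113.10\twww.example.com\tGET /news\t' + FF_UA,
])


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst, host, request, ua = line.split('\t')
        hostname, _, port = host.partition(':')
        records.append({'time': ts, 'client': client, 'dst': dst, 'host': hostname.lower(),
                        'port': int(port or 80), 'request': request, 'ua': ua})
    return records


def domain_matches(host, listed):
    return host == listed or host.endswith('.' + listed)


def tag_record(rec):
    """Tags from every IP and domain list the record matches, plus 'odd-port'
    for web traffic on anything but 80/443 (the redirect chain used :28001)."""
    tags = set()
    for values, list_tags in IP_LISTS.values():
        if rec['dst'] in values:
            tags.update(list_tags)
    for values, list_tags in DOMAIN_LISTS.values():
        if any(domain_matches(rec['host'], d) for d in values):
            tags.update(list_tags)
    if rec['port'] not in (80, 443):
        tags.add('odd-port')
    return tags


def rare_user_agents(records, min_clients=2):
    """User agent strings seen from fewer than min_clients distinct clients."""
    clients = defaultdict(set)
    for r in records:
        clients[r['ua']].add(r['client'])
    return {ua for ua, cs in clients.items() if len(cs) < min_clients}


def client_report(records, min_clients=2):
    """Per client: union of its IOC tags, plus 'rare-ua' when it used a user
    agent seen from fewer than min_clients machines.  Clients with no tags are omitted."""
    rare = rare_user_agents(records, min_clients)
    report = defaultdict(set)
    for r in records:
        report[r['client']] |= tag_record(r)
        if r['ua'] in rare:
            report[r['client']].add('rare-ua')
    return {c: tags for c, tags in report.items() if tags}


if __name__ == '__main__':
    for client, tags in sorted(client_report(parse_log(LOG)).items()):
        print(client, sorted(tags))
```

The client that fetched the .jar shows up with both an exploit-kit tag and a user agent (the Java plugin's) that no other machine on the network presented, which is the combination worth escalating; the client that only visited www.example.com produces no tags at all. On a real log the rare-UA threshold has to be set per network size, and IP and domain lists need TTLs as the earlier slide notes, or yesterday's kit IP will keep tagging whoever inherits it.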
Analyzing AV logs
23.01.13 19:56 Detected: Trojan-Spy.Win32.Zbot.aymr
C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/27/4169865b-641d53c9/UPX
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnec
C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/bpac/b.cl
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnec
C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/ot/p
23.01.13 19:58 Detected: HEUR:Exploit.Java.CVE-2013-0422.g
C:/Documents and Settings/user1/Local Settings/Temp/jar_cache3538799837370652468.tmp
Analyzing AV logs
01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/ pictures/dem
01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/pictures/de
01/14/13 06:57 PM 178.238.141.19 http://loretaa0-shot.co/career...45
Analyzing AV logs
Analyzing AV logs
Analyzing AV logs
Creating host based IOCs
hashes, mutexes, threatexpert
Questions
And answers :)