proper logging can catch breaches like retail pos

59

Upload: michael-gough

Post on 15-Jan-2017

121 views

Category:

Technology


1 download

TRANSCRIPT

Page 1: Proper logging can catch breaches like retail PoS
Page 2: Proper logging can catch breaches like retail PoS

Logging for Hackers

How Proper Logging Would Have Caught PoS Breaches

2

Page 3: Proper logging can catch breaches like retail PoS

Who am I – Michael Gough» Blue Team Defender Ninja, Malware Archaeologist, Logoholic

» I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How

Creator of

» Malware Management Framework

» Several Windows Logging Cheat Sheets

» Co-Creator of “Log-MD” – Log Malicious Discovery Tool

• With @Boettcherpwned – Brakeing Down Security PodCast

» @HackerHurricane and also my Blog

Page 4: Proper logging can catch breaches like retail PoS

Malware Archaeology

Page 5: Proper logging can catch breaches like retail PoS

» We discovered this in May 2012

» Met with the Feds ;-)

Why you should listen to me?

MalwareArchaeology.com

2014 - We gave an infected VM to one of the Big IR Firms… They came back “Yup.. It’s clean” #Fail

Page 6: Proper logging can catch breaches like retail PoS

Malware evolves

» So must we

» Darwin says• Evolve or die

» Well… Evolve or get breached anyways

» Getting breached means an RGE !!!• Resume Generating Event

Page 7: Proper logging can catch breaches like retail PoS

A quick look at

STATS

MalwareArchaeology.com

Page 8: Proper logging can catch breaches like retail PoS

DBIR 2016

» Why we are here…

MalwareArchaeology.com 8

Time it takes hackers to compromise you

Time it takes hackers to steal your data

Page 9: Proper logging can catch breaches like retail PoS

DBIR 2016

MalwareArchaeology.com 9

Hackers time to Compromise is getting faster

Than our ability to Discover them

Page 10: Proper logging can catch breaches like retail PoS

DBIR 2016

MalwareArchaeology.com 10

• The dreaded 3rd

party call and Law Enforcement notifications going up

• Fraud and Internal detection going down

Page 11: Proper logging can catch breaches like retail PoS

Chasing Hashes

MalwareArchaeology.com

• Malware hashes are no longer similar

• Malware is morphing or created unique by design for each system OR on reboot

Page 12: Proper logging can catch breaches like retail PoS

Symantec says…

MalwareArchaeology.com

Page 13: Proper logging can catch breaches like retail PoS

SANS says…

MalwareArchaeology.com

Page 14: Proper logging can catch breaches like retail PoS

Sophos Says…» 70% of malware is unique to 1 company (APT)» 80% of malware is unique to 10 or less (APT)» That means…» 20% of malware is what the AV industry focuses

on, but it is what most of you and everyone in this room sees and gets by:• Attachments in email• URL in email• Surfing the web

- Ads- WordPress, Drupal, Joomla…

MalwareArchaeology.com

Page 15: Proper logging can catch breaches like retail PoS

A quick look at

Advanced Malware

Artifacts

MalwareArchaeology.com

Page 16: Proper logging can catch breaches like retail PoS

Winnti - Malware Infection

Malware Launch

Hiding malwarein the Registry

Modify Service

Page 17: Proper logging can catch breaches like retail PoS

Escalate permissions obvious NOT your admin

Check the Service used

Modify Permissions

Push out malware using CMD Shell & CScript

Page 18: Proper logging can catch breaches like retail PoS

Using the Registry for storageUpdate Registry

Change Registry Permissions

Change permissions on files

Page 19: Proper logging can catch breaches like retail PoS

Bad behavior becomes obviousDoing Recon

Going after Terminal Services

Query Users

Page 20: Proper logging can catch breaches like retail PoS

You can even capture their Credentials

Caught THEIR Credentials!

Page 21: Proper logging can catch breaches like retail PoS

Persistence

» Avoided leaving key files behind like they did before, well one anyways… the persistence piece

Page 22: Proper logging can catch breaches like retail PoS

HKLM\Software\Clients» putfile

» file

» read

4D5A = MZ in HEXKey Size = 256k

Page 23: Proper logging can catch breaches like retail PoS

Persistence

» Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe)

» Altered system management binaries

• McAfeeFrameworkService

• BESClientHelper

• Attempted a few others, some failed

Page 24: Proper logging can catch breaches like retail PoS

Persistence» BAM! Got ya – PROCMon on bootup

Page 25: Proper logging can catch breaches like retail PoS

A quick look at

Commodity Malware

Artifacts

MalwareArchaeology.com

Page 26: Proper logging can catch breaches like retail PoS

Angler delivered Kovter

» Unique way to hide the persistence» Inserted a null byte in the name of the \Run key so that

RegEdit and Reg Query fail to read and display the value

» And a LARGE Reg Key (anything over 20k is large)

Page 27: Proper logging can catch breaches like retail PoS

Dridex Artifacts

Page 28: Proper logging can catch breaches like retail PoS

Dridex Persistence

» New method towards the end of 2015, nothing in the Registry showing persistence while system was running

» In memory only until system shutdown

• On shutdown the Run key was created

» On startup the malware loads and Run key deleted

Page 29: Proper logging can catch breaches like retail PoS

Dridex is Baaack

» 2016 variant

Page 30: Proper logging can catch breaches like retail PoS

How to Detect

Malicious Behavior

MalwareArchaeology.com

Page 31: Proper logging can catch breaches like retail PoS

Take Away

#1

MalwareArchaeology.com

Page 32: Proper logging can catch breaches like retail PoS

Where to start

» What am I suppose to set?

“Windows Logging Cheat Sheet”

“Windows File Auditing Cheat Sheet”

“Windows Registry Auditing Cheat Sheet”

“Windows Splunk Logging Cheat Sheet”

“Malware Management Framework”

» Find them all here:• MalwareArchaeology.com

Page 33: Proper logging can catch breaches like retail PoS

PowerShell

» It’s coming… in a BIG way - It’s already here» Ben Ten uses it (Not PowerShell)» Carlos uses it (MetaSploit)» Dave uses it (SET)» Kevin too (Pen Tester)» Dridex uses it» RansomWare uses it

» And logging SUCKS for it

Page 34: Proper logging can catch breaches like retail PoS

Take Away

#2

MalwareArchaeology.com

Page 35: Proper logging can catch breaches like retail PoS

So what do we do about PowerShell?

» The “Windows PowerShell Logging Cheat Sheet”

» Designed to catch the folks I just mentioned, and others ;-)

» Get it at:

• MalwareArchaeology.com

Page 36: Proper logging can catch breaches like retail PoS

Take Away

#3

MalwareArchaeology.com

Page 37: Proper logging can catch breaches like retail PoS

How to catch this stuff

Enable Command Line Logging !!!!

» At the time of Winnti 2014 ONLY Win 8.1 and Win 2012 R2 had command line logging

» Which we had, then we saw this in our alerts of suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib) SIX Commands

» Scripts too

Page 38: Proper logging can catch breaches like retail PoS

And this query - Splunk

» index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\\net.exe OR reg.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | evalMessage=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message | stats count > 2

Page 39: Proper logging can catch breaches like retail PoS

So how do you do this?

» Malware Management allowed us to setup alerts on artifacts from other malware analysis• MalwareManagementFramework.org

» Of course our own experience too

» Malware Discovery allowed us to find odd file hashes, command line details, registry locations

» Malware Analysis gave us the details

Page 40: Proper logging can catch breaches like retail PoS

What we all need to look for» Logs of course, properly configured - Events

• Command Line details• Admin tools misused – executions• New Services (retail PoS should know this)• Drivers used (.sys)

» New Files dropped anywhere on disk – Hashes• Infected management binary (hash changed)

» Delete on startup, write on shutdown – File & Reg Auditing» Scripts hidden in the registry – Registry Compare» Payload hidden in the registry – Large Reg Keys» Malware Communication – IP and WhoIS info» Expand PowerShell detection» VirusTotal Lookups

Page 41: Proper logging can catch breaches like retail PoS

So what did we

take away

from all of this?

MalwareArchaeology.com

Page 42: Proper logging can catch breaches like retail PoS

You basically have 3 options

» Do nothing – Eventually leading to an RGE

» Log Management / SIEM• Cost $$$ and storage

• But IS the best option, better than most security solutions if you want my opinion

» What if I don’t have Log Management or SIEM?

Page 43: Proper logging can catch breaches like retail PoS

It didn’t exist

So we created it!

So you can do it too!

43

Page 44: Proper logging can catch breaches like retail PoS

Take Away

#4

MalwareArchaeology.com

Page 45: Proper logging can catch breaches like retail PoS

» Log and Malicious Discovery tool

» When you run the tool, it tells you what auditing and settings to configure that it requires. LOG-MD won’t harvest anything until you configure the system!

» So answers How to check for the What to set I already told you about

Page 46: Proper logging can catch breaches like retail PoS

Functions

» Audit Report of log settings compared to:• The “Windows Logging Cheat Sheet”• Center for Internet Security (CIS) Benchmarks• Also USGCB and AU ACSC

» White lists to filter out the known good• By IP Address• By Process Command Line and/or Process Name• By File and Registry locations (requires File and Registry auditing to be set)

» Full File System hash baseline and compare» Full Registry baseline and compare» Report.csv - data from logs specific to security

• 12 reports total

Page 47: Proper logging can catch breaches like retail PoS

Audit Settings Report

Page 48: Proper logging can catch breaches like retail PoS

Purpose» Malware Analysis Lab – Why we initially developed it

» Investigate a suspect system

» Audit the Windows - Advanced Audit Policy settings

» Help MOVE or PUSH security forward

» Give the IR folks what they need and the Feds too

» Take a full system (File and Reg) snapshot to compare to another system and report the differences

» Discover tricky malware artifacts (Large Keys, Null Byte, AutoRuns)

» Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…

» Replace several tools we use today with one easy to use utility that does much more

» Replace several older tools and GUI tools

» To answer the question: Is this system infected or clean?

» And do it quickly - SPEED !

Page 49: Proper logging can catch breaches like retail PoS

Free Edition

» Audit your settings – Do you comply?» Harvest security relevant log data – 12 Reports» Whitelist log events by IP, Cmd Line, Process and File /

Registry audit locations» Perform a full file hash baseline of a system» Compare a suspect system to a Baseline or Dir» Perform a full Registry snapshot of a system» Compare a suspect system to a Reg Baseline» Look for Large Registry Keys for hidden payloads

Page 50: Proper logging can catch breaches like retail PoS

» Everything the Free Edition does and…» More reports, breakdown of things to look for» PowerShell report» Specify the Output directory» Harvest Sysmon logs» Harvest WLS Logs» Whitelist Hash compare results» Whitelist Registry compare results» Create a Master-Digest to exclude unique files» Free updates for 1 year, expect a new release every quarter» Manual – How to use LOG-MD Professional

Page 51: Proper logging can catch breaches like retail PoS

Future Versions – In the works!» WhoIs lookups of IP Addresses called» VirusTotal lookups of discovered files

» Find parent-less processes» Assess all processes and create a Whitelist» Assess all services and create a Whitelist» VirusTotal lookups of unknown or new processes and services» Other API calls to security vendors

Page 52: Proper logging can catch breaches like retail PoS

Let’s look

at some

LOG-MD

RESULTS

Page 53: Proper logging can catch breaches like retail PoS

Crypto Event

» C:\Users\Bob\AppData\Roaming\vcwixk.exe

» C:\Users\Bob\AppData\Roaming\vcwpir.exe

» C:\WINDOWS\system32\cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL

» C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet

Page 54: Proper logging can catch breaches like retail PoS

Malicious Word Doc

DRIDEX

Page 55: Proper logging can catch breaches like retail PoS

Malicious Word Doc con’t

More DRIDEX

Page 56: Proper logging can catch breaches like retail PoS

Use the power of Excel

» The reports are in .CSV format » Excel has sorting and filters» Filters are AWESOME to thin out your results» You might take filtered results and add them to your

whitelist once vetted» Save to .XLS and format, color code and produce your

report» For .TXT files use NotePad++

Page 57: Proper logging can catch breaches like retail PoS

So what do we get?

» WHAT Processes executed » WHERE it executed from» IP’s to enter into Log Management to see WHO

else opened the malware» Details needed to remediate infection» Details to improve your Active Defense!» I did this in… 15 Minutes!

Page 58: Proper logging can catch breaches like retail PoS

Resources

» Websites• Log-MD.com The tool

» The “Windows Logging Cheat Sheet”• MalwareArchaeology.com

» Malware Analysis Report links too• To start your Malware Management program

» This presentation is on SlideShare and website• Search for MalwareArchaeology or LOG-MD

Page 59: Proper logging can catch breaches like retail PoS

Questions

You can find us at:

» Log-MD.com

» @HackerHurricane» @Boettcherpwned

» MalwareArchaeology.com» HackerHurricane.com (blog)» MalwareManagementFramework.Org

» http://www.slideshare.net – LinkedIn now