BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz

BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.

Published in: Technology
1. Hunting on the Endpoint w/ Powershell
    Chris Gerritz
2. Speaker Background
    BSides Las Vegas 2016 – Powershell-fu: Hunting on the Endpoint – Chris Gerritz
    Chris Gerritz
    Co-Founder, Infocyte
    Twitter: @gerritzc
    Github: @singlethreaded
    Prior: Chief, DCC Operations, AFCERT
    Helped establish and led USAF’s Enterprise Hunt Team (~800,000 node playground).
    Founded a company that develops hunt software and capabilities.
3. Threat Hunting 101
4. What is Hunt?
    The proactive search for threats hiding within a network you control.
5. Why Hunt?
    Attack lifecycle: Reconnaissance → Exploitation → Installation → Command and Control → Lateral Movement → Exfiltration → Persist
    Real-Time Prevention/Detection covers the attack in progress; Threat Hunting covers the breach detection gap; Forensics covers response.
    The average breach goes undetected for 6+ months. Many are breached and don’t know it.
    (Network breached → incident discovered: 6+ months average)
6. Hunt vs DFIR (tl;dr it’s sort of the same, but not)
    • Incident response and forensics (DFIR) tools and techniques can be used to hunt, but have some limitations:
      1. No bread crumb trail to follow
      2. Hunting requires scalability and reduced complexity
         • Especially if it’s to be done iteratively (think ROI)
    • Principle of Diminishing Returns:
      • The objective is not to perform a full forensics investigation
    • Problem w/ focused or IOC-based hunts: how do you know you aren’t hunting snipe? (aka something that doesn’t exist)
7. The Hunter’s Tool Bag (Examples)
    • Endpoint Solutions
      • Scripting (Powershell, etc.)
      • Interactive Endpoint Hunt Solutions
      • Endpoint Response/Forensics Solutions
    • Network Analysis Solutions
      • passiveDNS Monitoring/Lookups
      • Wireshark (sort of?)
      • BroIDS
    • Data-Centric Solutions
      • i.e. Elastic, Hadoop, Splunk, SIEM, etc.
      • Fed by Endpoint Detection & Response (EDR)
      • Used to store/search centralized logs/events
    • Malware Analysis
      • PEStudio
      • Cuckoo Sandbox
8. A Tale of Two Hunting Methodologies
    Data-centric Analysis vs Endpoint Validation
    • Data-centric analysis is enabled by centralized logging, long data retention + sophisticated security infrastructure and event visibility at all levels (network, host, etc.).
    • Endpoint methodology is independent of existing security infrastructure and can be performed on almost any network (aka, the rest of us).
9. PSHunt – Powershell Threat Hunting Module
10. PSHunt Components/Modules
    • Scanners
    • Surveys
    • Discovery
    • Utilities
      • Transport & Execution functions, etc.
    • Survey Analysis
    • File Analysis
11. Scanners
    Diagram: PSHunt → WMI Query / Remote Registry Query → target
    Scanners:
    Description: Used to rapidly scan remote systems for a single piece of information using remote queries.
    Input: Target (DNS or IP)
    Output: One line (String or CSV)
    Invoke-RemoteScan
12. Survey Deployment / Transport
    Diagram: PSHunt → target over SMB / Schtasks, SMB / WMI, or HTTP / FTP
    Utilities [Execution]: -> Start-RemoteProcess
    Download or directly encode needed libraries:
    Invoke-DownloadFile
    Convert-BinaryToString
    Convert-StringToBinary
13. Remote Execution & Transport
    Scanning Stuff
14. Execution Methods
    • WMI (Process Call Create)
    • PSRemoting (Invoke-Command)
      • Probably not enabled…
    • Remote Task Scheduler (Schtasks)
    • Remote Service Manager (PSExec)
    Domain credentials are used to enumerate and access endpoints.
    Protip: type this in every Windows box you see:
15. Discovery / Testing Access
    Discovery:
    • Test-TCPPort
    • Test-TCPPorts
    • Get-RemoteArchitecture
    • Get-RemotePowershellVersion
    • Get-RemoteOperatingSystem
    Additions:
    • Dsquery
    • Powersploit -> Recon
    • PowerView
    Ports and Protocols:
    • TCP 22 - SSH
    • TCP 135 - WMI / RPC
    • TCP 137 - NetBIOS (Name Resolution)
    • TCP 139 - SMB over NetBIOS
    • TCP 445 - Server Message Block (SMB)
    • TCP 5985 - PSRemoting (http)
    • TCP 1025 - 5000 - Legacy Win Dynamic Range
    • TCP 49152 - 65535 - Modern Win Dynamic Range
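An added example, not PSHunt's own Test-TCPPort: a timed TCP connect check plus a one-line-per-target summary of which transports from the port list are reachable, which is what decides how a survey can be pushed and run. The function names and sample host names are this example's own.

```powershell
# Added example, not PSHunt's Test-TCPPort: a timed TCP connect check and a
# one-line-per-target summary of which transports from the slide are reachable.
# Function names and the sample host names are this example's own.
function Test-TcpPortOpen {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 1000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Bound the wait: a filtered port would otherwise block for ~20 s per probe
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)     # throws if the port actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-HuntAccessSummary {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Ports from the slide that decide how a survey can be pushed and executed
    $ports = [ordered]@{
        135  = 'WMI / RPC'
        445  = 'SMB'
        5985 = 'PSRemoting (HTTP)'
    }
    $row = [ordered]@{ ComputerName = $ComputerName }
    foreach ($p in $ports.Keys) {
        $row["TCP$p"] = Test-TcpPortOpen -ComputerName $ComputerName -Port $p
    }
    # Pick an execution method in the order the Execution Methods slide lists them
    $row['Method'] = if ($row['TCP135'])      { 'WMI (Process Call Create)' }
                     elseif ($row['TCP5985']) { 'PSRemoting (Invoke-Command)' }
                     elseif ($row['TCP445'])  { 'SMB + Schtasks / PSExec-style service' }
                     else                     { 'No transport reachable' }
    [pscustomobject]$row
}

# Scanner-style use: one line per target, ready for Format-Table or Export-Csv
'ws01.corp.example', 'ws02.corp.example' |
    ForEach-Object { Get-HuntAccessSummary -ComputerName $_ } |
    Format-Table -AutoSize
```

A closed port answers quickly with a refusal; only filtered ports take the full timeout, so keep it short when scanning hundreds of hosts.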
16. Windows Host Survey
17. Survey: Collect from each host
    • Active Processes
    • Loaded Modules / Drivers
    • Floating/Injected Modules
    • Active Connections
    • Autostarts/Autoruns
    • Accounts
    • Key Event Logs (collect all the things)
    PSHunt\Surveys\Survey.ps1
    Description: Used to collect comprehensive information on the state of a Windows host
18. Active Processes/Modules/Drivers
    PSHunt’s Get-ProcessList =
      Get-WmiObject -Class Win32_Process
      + Get-Process -Module
      + Get-Hashes
      + Invoke-SigCheck (Sysinternals)
      + $Process.GetOwner()
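The same composition done with built-in cmdlets, as an added example that is not PSHunt's Get-ProcessList: Win32_Process for the process list and owner, Get-Process for loaded modules, Get-FileHash for the hash, and Get-AuthenticodeSignature standing in for Sysinternals sigcheck (it does not consult catalog signatures, so catalog-signed Windows binaries can show as NotSigned). Function name is this example's own.

```powershell
# Added example, not PSHunt's Get-ProcessList: builds the per-process record the slide
# describes (Win32_Process + loaded modules + hash + signature + owner) with built-in
# cmdlets only. Get-AuthenticodeSignature stands in for Sysinternals sigcheck; it does
# not consult catalog signatures, so catalog-signed Windows binaries can show as NotSigned.
function Get-HuntProcessList {
    foreach ($p in (Get-WmiObject -Class Win32_Process)) {
        $path = $p.ExecutablePath
        $hash = $null; $sig = 'NoPath'; $owner = $null; $modules = @()
        if ($path -and (Test-Path -LiteralPath $path)) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
        $o = $p.GetOwner()                       # WMI method; ReturnValue 0 means success
        if ($o.ReturnValue -eq 0) { $owner = '{0}\{1}' -f $o.Domain, $o.User }
        # Loaded modules come from Get-Process; protected processes deny this and stay empty
        try {
            $modules = @((Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules |
                         Select-Object -ExpandProperty FileName)
        } catch { }
        [pscustomobject]@{
            Name        = $p.Name
            PID         = $p.ProcessId
            PPID        = $p.ParentProcessId
            Path        = $path
            CommandLine = $p.CommandLine
            Owner       = $owner
            SHA256      = $hash
            Signature   = $sig
            ModuleCount = $modules.Count
            Modules     = $modules
        }
    }
}

# First-pass triage: processes with an image on disk that is not validly signed,
# collapsed to one row per hash so the same binary on many PIDs appears once
Get-HuntProcessList |
    Where-Object { $_.Path -and $_.Signature -ne 'Valid' } |
    Sort-Object SHA256 -Unique |
    Format-Table Name, PID, Owner, Signature, SHA256 -AutoSize
```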
19. Persistence Mechanisms (Autostarts)
    Implementation: Wrapped Sysinternals Autorunsc*
    (Note: Interacting with the registry is still a pain in the ass in Powershell.)
    *currently best open source collection of autostart locations – unfortunately, it’s still not comprehensive
20. Memory-resident Malware Analysis
    Description: Discover DLL Injection, Process Overwrites, etc.
    Uses: PSReflect Module
    • Uses Matt Graeber’s PSReflect Module to access Native Win32 APIs
    • Implementation: VirtualQueryEx walk across process memory looking for PE Headers in RWX memory.
21. Survey Analysis
22. Survey Analysis Modules
    • Initialize-ReputationData
      • Loads data into $Global:FileReputation
    • Update-HostObject
    • Get-VTStatus
    • Get-VTReport
    • Group-HostObjects
    Survey Analysis:
    Description: Compare survey results against reputation data from local store and VirusTotal. Perform outlier and anomaly analysis.
23. Survey analysis flow (diagram)
    Survey.ps1 → Collect:
    - What’s running (i.e. Processes)
    - What’s triggered to run (i.e. autostarts)
    - Indicators of Compromise (IoCs)
    Reputation & Threat Intelligence (Hash Lookups, IP/DNS Lookups, IOC Lookups): Reputation Database, i.e. VirusTotal (64+ AV Engines); Threat Intel Providers
    File & Malware Analysis of suspicious executables: Static Analysis (PEStudio, PowershellArsenal); Dynamic Analysis (Sandbox: Cuckoo Sandbox, Malwr.com)
24. Finding Bad Things
25. Active Processes/Modules/Drivers
    Some malware, even advanced types, attempts to “hide in plain sight” or within the noise of the multitude of programs running on your systems.
    • Initial Technique: Hash everything and compare to a signature and threat intelligence database like VirusTotal. This will clear all known-goods and known-bads.
    • Adv. Technique:
      1. Stack remaining data and perform anomaly and outlier analysis
      2. Perform static/dynamic analysis on the exe of any suspicious or out-of-place processes
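What "stacking" the remaining data looks like, as an added example that is not PSHunt's Group-HostObjects: records with a known verdict are cleared first, then the unknowns are grouped by hash (rare across hosts = outlier) and by image name (same name under different paths = anomaly). The survey records and reputation table are constructed stand-ins for per-host Survey.ps1 output and for the $Global:FileReputation / VirusTotal verdicts.

```powershell
# Added example, not PSHunt's Group-HostObjects: stacking of survey results across hosts.
# The records and the reputation table are constructed stand-ins for per-host Survey.ps1
# output and for the $Global:FileReputation / VirusTotal verdicts the slide describes.
$survey = @(
    [pscustomobject]@{ Host='WS01'; Name='svchost.exe'; Path='C:\Windows\System32\svchost.exe'; SHA256='AAA1' }
    [pscustomobject]@{ Host='WS02'; Name='svchost.exe'; Path='C:\Windows\System32\svchost.exe'; SHA256='AAA1' }
    [pscustomobject]@{ Host='WS03'; Name='svchost.exe'; Path='C:\Windows\System32\svchost.exe'; SHA256='AAA1' }
    [pscustomobject]@{ Host='WS03'; Name='svchost.exe'; Path='C:\Users\Public\svchost.exe';     SHA256='BBB2' }
    [pscustomobject]@{ Host='WS01'; Name='lsass.exe';   Path='C:\Windows\System32\lsass.exe';   SHA256='CCC3' }
    [pscustomobject]@{ Host='WS02'; Name='lsass.exe';   Path='C:\Windows\System32\lsass.exe';   SHA256='CCC3' }
    [pscustomobject]@{ Host='WS03'; Name='lsass.exe';   Path='C:\Windows\System32\lsass.exe';   SHA256='CCC3' }
    [pscustomobject]@{ Host='WS02'; Name='updater.exe'; Path='C:\ProgramData\upd\updater.exe';  SHA256='DDD4' }
)
$reputation = @{ 'AAA1' = 'Good'; 'CCC3' = 'Good' }   # constructed: hash -> verdict

function Invoke-SurveyStacking {
    param([object[]]$Records, [hashtable]$Reputation, [double]$RareFraction = 0.34)
    $hostCount = @($Records | Select-Object -ExpandProperty Host -Unique).Count
    # 1. Anything with a known verdict is cleared; only the unknown remainder is stacked
    $unknown = $Records | Where-Object { -not $Reputation.ContainsKey($_.SHA256) }
    # 2. Stack by hash: a hash present on a small fraction of hosts is an outlier
    $rareHashes = $unknown | Group-Object SHA256 | ForEach-Object {
        $hosts = @($_.Group | Select-Object -ExpandProperty Host -Unique)
        [pscustomobject]@{
            SHA256     = $_.Name
            Name       = $_.Group[0].Name
            Path       = $_.Group[0].Path
            Hosts      = $hosts.Count
            Prevalence = [math]::Round($hosts.Count / $hostCount, 2)
        }
    } | Where-Object { $_.Prevalence -le $RareFraction }
    # 3. Stack by image name: one name running from more than one path is an anomaly
    $nameCollisions = $Records | Group-Object Name | Where-Object {
        @($_.Group | Select-Object -ExpandProperty Path -Unique).Count -gt 1
    } | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; Paths = (@($_.Group | Select-Object -ExpandProperty Path -Unique) -join '; ') }
    }
    [pscustomobject]@{ RareHashes = $rareHashes; NameCollisions = $nameCollisions }
}

$result = Invoke-SurveyStacking -Records $survey -Reputation $reputation
$result.RareHashes     | Format-Table -AutoSize
$result.NameCollisions | Format-Table -AutoSize
```

On a real fleet the rare-hash list is where static/dynamic analysis (step 2 on the slide) starts; the threshold should scale with the number of hosts surveyed.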
26. Digital Signatures?
    Digital Signatures: Most malware is not digitally signed by a legitimate Certificate Authority (CA).
    • Attackers may load their rogue CA into your local Trusted Root CA store at the time the malware is installed (requires root privileges)
    • Adv. Technique:
      • Check an anomalous/outlier root CA’s serial number against a whitelist, or Google it for authenticity
    • WARNING: Some may digitally sign malware with a legitimate but compromised CA, which renders this technique ineffective.
      - Example: The Feb ‘13 attack against Bit9 targeted their CA server
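The root-store check as an added example (not from the talk): anything in the Trusted Root stores that is not on an allowlist of thumbprints captured from a known-clean reference build is listed with the serial number and subject needed to verify it by hand. The allowlist path and function name are this example's own.

```powershell
# Added example (not from the talk): lists Trusted Root certificates that are not on an
# allowlist of thumbprints taken from a known-clean reference build, with the serial
# number and subject the slide says to verify by hand. The allowlist path is a placeholder.
function Get-UnexpectedRootCA {
    param([Parameter(Mandatory)][string]$AllowlistPath)    # one SHA1 thumbprint per line
    $allow = @{}
    Get-Content -LiteralPath $AllowlistPath | Where-Object { $_.Trim() } |
        ForEach-Object { $allow[$_.Trim().ToUpperInvariant()] = $true }
    # Both stores feed the trust decision for a logged-on user, so check both
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { -not $allow.ContainsKey($_.Thumbprint.ToUpperInvariant()) } |
            ForEach-Object {
                [pscustomobject]@{
                    Store        = $store
                    Subject      = $_.Subject
                    SerialNumber = $_.SerialNumber
                    Thumbprint   = $_.Thumbprint
                    NotBefore    = $_.NotBefore
                    SelfSigned   = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

# Capture the allowlist once on the reference host:
#   Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object Thumbprint | Set-Content C:\hunt\root-allowlist.txt
Get-UnexpectedRootCA -AllowlistPath 'C:\hunt\root-allowlist.txt' | Format-Table -AutoSize
```

Windows adds Microsoft-distributed roots on demand through automatic root update, so expect some benign hits and refresh the allowlist from the reference host rather than treating every new root as hostile.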
27. Persistence Mechanisms
    Required to maintain the malware through reboots and in times of dormancy.
    • Scheduled Tasks, Jobs, etc.
    • Registry Persistence (most common)
      • Technique: Hash all referenced executables in the registry and compare to a threat intel database
    • Boot Process Redirection (i.e. bootkits – very sophisticated!)
      • Technique: Evaluate raw MBR (first 512 bytes of disk0) for redirection to an alternate boot loader
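The registry technique as an added example, not PSHunt's autoruns wrapper (which runs Sysinternals autorunsc): each Run/RunOnce value is parsed back to its image path, including unquoted paths with spaces, and hashed so the SHA256 column can go to the reputation lookup. The five keys are only the most common Run locations; function names are this example's own.

```powershell
# Added example, not PSHunt's autoruns wrapper (which runs Sysinternals autorunsc):
# resolves the image behind each Run/RunOnce value, hashes it, and emits one record
# per entry so the hashes can be checked against the reputation store. The five
# keys below are only the most common Run locations; autorunsc covers many more.
function Resolve-ImagePath {
    param([Parameter(Mandatory)][string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }          # "C:\Program Files\x.exe" /arg
    # Unquoted path with spaces: take the longest leading run of tokens that is a file
    $tokens = $cmd -split ' '
    for ($i = $tokens.Count; $i -ge 1; $i--) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]                                             # nothing resolvable; keep first token
}

function Get-RunKeyImageHash {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if (-not $cmd) { continue }
            $image  = Resolve-ImagePath -CommandLine $cmd
            $exists = Test-Path -LiteralPath $image -PathType Leaf
            $hash = $null; $sig = $null
            if ($exists) {
                $hash = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
                $sig  = (Get-AuthenticodeSignature -LiteralPath $image).Status
            }
            [pscustomobject]@{
                Key       = $key
                ValueName = $name
                Command   = $cmd
                Image     = $image
                Exists    = $exists          # a dangling entry is itself worth a look
                SHA256    = $hash
                Signature = $sig
            }
        }
    }
}

# Missing or unsigned images first; feed the SHA256 column to the reputation lookup
Get-RunKeyImageHash | Sort-Object Exists, Signature |
    Format-Table ValueName, Image, Exists, Signature, SHA256 -AutoSize
```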
28. Process Memory Injection
    • DLL Injection / Process Hollowing:
      1. Allocate a chunk of unprotected Read/Write/Execute (RWX) memory inside another legitimate process.
      2. Load in a malicious DLL.
      3. Redirect an execution thread.
      4. Profit.
    • Adv. Technique:
      • Walk process memory looking for PE headers in large chunks of unprotected memory (use @mattifestation’s PSReflect)
      • False positives will come from:
        1. Just-in-Time (JIT) compilers – i.e. .NET and Java apps
        2. Security software
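The VirtualQueryEx walk described on slides 20 and 28, as an added example that is not PSHunt's implementation: it uses Add-Type P/Invoke in place of PSReflect, reports committed non-image RWX regions whose first bytes form an MZ header, and checks whether e_lfanew points at a PE signature. It assumes 64-bit PowerShell running as administrator; JIT compilers and security products are the expected benign hits.

```powershell
# Added example, not PSHunt's implementation: the VirtualQueryEx walk from slides
# 20 and 28 done with Add-Type P/Invoke instead of PSReflect. It reports committed,
# non-image RWX regions whose first bytes form an MZ header, and whether e_lfanew
# points at a PE signature. Run from 64-bit PowerShell as administrator; JIT
# compilers and security products are expected sources of hits.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class MemScan {
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI { public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
                        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type; }
    [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, IntPtr len);
    [DllImport("kernel32.dll")] public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr n, out IntPtr read);
}
'@

function Find-RwxPEHeader {
    param([int[]]$ProcessId = (Get-Process | Select-Object -ExpandProperty Id))
    $MEM_COMMIT = 0x1000; $MEM_IMAGE = 0x1000000
    $RWX = 0x40, 0x80                  # PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
    $mbiSize = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type][MemScan+MBI])
    foreach ($targetPid in $ProcessId) {
        $h = [MemScan]::OpenProcess(0x410, $false, $targetPid)   # QUERY_INFORMATION | VM_READ
        if ($h -eq [IntPtr]::Zero) { continue }                  # protected or higher-integrity: skip
        try {
            $addr = [IntPtr]::Zero
            $mbi = New-Object MemScan+MBI
            while ([MemScan]::VirtualQueryEx($h, $addr, [ref]$mbi, $mbiSize) -ne [IntPtr]::Zero) {
                $size = $mbi.RegionSize.ToInt64()
                $suspicious = $mbi.State -eq $MEM_COMMIT -and $mbi.Type -ne $MEM_IMAGE -and
                              ($RWX -contains ($mbi.Protect -band 0xFF))
                if ($suspicious) {
                    # Only the first page is needed to test for an MZ/PE header at the region base
                    $buf = New-Object byte[] 4096; $read = [IntPtr]::Zero
                    $ok = [MemScan]::ReadProcessMemory($h, $mbi.BaseAddress, $buf, [IntPtr]$buf.Length, [ref]$read)
                    if ($ok -and $read.ToInt64() -ge 0x40 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) {
                        $e_lfanew = [BitConverter]::ToInt32($buf, 0x3C)
                        $hasPE = $e_lfanew -ge 0x40 -and ($e_lfanew + 4) -le $read.ToInt64() -and
                                 [BitConverter]::ToUInt32($buf, $e_lfanew) -eq 0x00004550   # "PE\0\0"
                        [pscustomobject]@{
                            PID = $targetPid; Process = (Get-Process -Id $targetPid).Name
                            Base = '0x{0:X}' -f $mbi.BaseAddress.ToInt64(); Size = $size
                            Protect = '0x{0:X}' -f $mbi.Protect; PESignature = $hasPE
                        }
                    }
                }
                $addr = [IntPtr]($mbi.BaseAddress.ToInt64() + $size)
            }
        } finally { [void][MemScan]::CloseHandle($h) }
    }
}

Find-RwxPEHeader | Format-Table -AutoSize
```

A hit with PESignature true in a private RWX region of a process that is not a JIT runtime or security agent is the case the slide describes; dump the region and run it through the static/dynamic analysis step rather than acting on the hit alone.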
29. That’s it for now. More to come…
30. PSHunt – Powershell Threat Hunting
    Chris Gerritz
    Co-Founder, Infocyte
    Twitter: @gerritzc
    Github: @singlethreaded
    NOTE: PSHunt will be posted on Github this week.
    Follow me: