
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool


Windows remote PowerShell tool to deploy and retrieve scripts, utilities and tools for Incident Response and Threat Hunting



  1. Michael Gough – Co-Founder IMF Security.com LOG-MD.com
  2. Whoami
     • Blue Team Defender Ninjas, Incident Responder, Threat Hunter, Logaholic
     • Michael – Creator of all those Windows Logging Cheat Sheets and the Malware Management Framework
     • Co-Creator of “Log-MD” – The Log and Malicious Discovery Tool
     • BDIR Podcast – “Brakeing Down Incident Response”
     • Special SHOUT OUT to
       – Olaf Hartong @OlafHartong
       – Josh Rickard @MSAdministrator
  3. The Challenge
  4. So what’s the problem?
     • There is an event
     • We would like to investigate it
     • We walk in with our laptops
       – Or you use one of your systems
     • What tools can you or we use to look across all your Windows systems?
     • Without installing anything!!!!
     • Using what is already on all Windows systems
  5. What are our options?
     • Use what we already have like SCCM, BigFix, etc.
     • Install a tool with an agent, deal with more agent bloat and agent interaction
     • Remote into the system
     • Do a forensics acquisition
     • Use what is already on the system, living-off-the-land
     • What we need is already found on all Windows systems!
     • How can we share what we do with enterprise solutions?
     • Use something the community can contribute to
  6. The Challenge
     • Whether you are a Blue Teamer investigating your own environment
     • Or a consultant investigating a client
     • We need a way to execute a wide range of tools, utilities and scripts remotely to 1, 100 or 1000 systems
     • It needs to be flexible enough to allow us to run, respond, and hunt for many things
  7. Requirements
     • Fits on a thumb drive
     • Can run scripts
     • Can run tools (no GUI)
     • Can run utilities (no GUI)
     • Can run larger jobs (Hash/Registry snapshots)
     • Schedule Jobs that can run things on a regular basis
  8. Requirements
     • Walk in with a laptop
     • Or use one of your systems
     • Domain attached and domain creds
     • No requirement to install anything
     • Well… we want you to upgrade to PowerShell v5
     • PS v5 is the only way to get good PowerShell logging
       – You didn’t think I wasn’t going to mention the Malware Archaeology Cheat Sheets did you?
  9. What do you have and use?
     • What tools do you use for Threat Hunting and Incident Response?
     • A bunch of utilities, tools, scripts?
     • An EDR/EPP solution?
     • Open Source tools and projects?
     • Do you have anything?
     • More importantly do you have budget?
  10. My Top 10 List of tools
     1. Log Management
        – Centralize data collection
        – Query all the data
     2. BigFix or equivalent
        – Query anything you want on a system
        – Run scripts, utilities, tools, etc.
        – Run remediation jobs
     3. LOG-MD
        – Log Harvesting
        – Hunting
        – AutoRuns
        – PowerShell
        – SRUM
        – Much more
  11. My Top 10
     4. 5. 6. 7. 8. 9. 10.
  12. The problem I wanted to solve
     • I want to query all the things #2
     • I want to run scripts, utilities, tools #2
     • I want to have the option to centralize the data #1
     • I want to query that data #1
     • I don’t want to, or can’t install anything
     • Of course I want to run my favorite utility/tool
       – LOG-MD-Professional
  13. The problem I wanted to solve
     • I am one of the creators of LOG-MD
     • It is a great utility/tool
     • It does a LOT of what I need to investigate a system
     • I just needed a way to run it remotely on 1, 100 or 1000 systems to do Threat Hunting and/or Incident Response
     • And pull back the reports and organize them
     • Maybe even collect them into a Log Management solution #1
     • Without an enterprise solution like BigFix #2
  14. Get to it
  15. 3 years ago…
     • We announced LOG-MD at this very conference
     • Today we would like to announce the release of…
     • ATT&CK Remote Threat Hunting Incident Response
  16. PowerShell?
     • PowerShell is on every Windows system
     • Can we use that?
     • But can we run our own special binaries?
     • We love our own tools
     • Create scripts
     • Something modular
     • Allows for community support
  17.
     • A modular framework
     • Leverages an existing project that we modified to do what we wanted and needed
     • KANSA was good, but lacked some capabilities
     • I needed to run all features of LOG-MD and pull the reports back
     • KANSA did not work well at all for LOG-MD
     • And run other utilities, say Sysinternals
  18.
     • So KANSA did some kewl stuff, just not enough
     • So we modified it
     • We had a couple issues
     • Olaf Hartong helped us with report retrieval
     • Josh Rickard helped us with scheduled tasks
     • Once these changes were added suddenly we had something that gave me a LOT of what BigFix could do
  20. What does ATT&CK have to do with it?
     • We LOVE MITRE ATT&CK
     • It is a GREAT place to map your hunts to
     • Or what to detect and hunt for
     • It’s what your adversaries ACTUALLY do in their attacks
     • If you can detect and/or hunt for the techniques in MITRE ATT&CK… you are WAY ahead of most
  21. MITRE ATT&CK™
     • The A in ARTHIR stands for ATT&CK™
     • The idea here is to encourage you and anyone making modules to map their efforts to MITRE ATT&CK
     • Help us Help the rest of us
     • Take this information and any other detection and hunting you can do and add it to YOUR own ATT&CK Matrix
  22. Add your ATT&CK Mappings
     • Check MITRE ATT&CK Tactics and Techniques and add them to the ARTHIR module
     • Map them to an overall matrix
  23. Cheat Sheets
     • We released two ATT&CK cheat sheets as a part of my SANS THIR talk in NOLA last year
     • The goal was to see how good, or bad, really good logging would be for detecting or hunting the techniques in ATT&CK
     • It was shocking how much coverage there was
     • Over 80%
  24. Fill out YOUR ATT&CK Matrix
  25. Remote
     • The R in ARTHIR stands for Remote
     • We need to be able to hunt and respond remotely
     • Execute what we want on 1, 10, 100, or 1000 systems
     • And not 1 by 1 like you would have to with RDP or some EDRs
     • Bring back results to a central system
     • Like BigFix can do
  26. Threat Hunting
     • The TH in ARTHIR stands for Threat Hunting
     • We need to be able to hunt for artifacts from the techniques the adversaries use
     • Run additional tools and utilities to hunt
     • Centrally send results to say… log management
  27. Incident Response
     • The IR in ARTHIR stands for Incident Response
     • We need to be able to respond to an attack
     • Do additional investigation from an alert
     • Run additional tools and utilities
     • Centrally send results to say… log management
  28. Modular
     • We used the KANSA framework
     • Even ported a few of the KANSA modules
     • This framework design worked for us, no reason to totally reinvent the wheel
     • Create a module, add it to modules.conf
     • Run the execution parameters
     • Retrieve the reports
  29. RECON
     • We provided some PowerShell scripts to get system names from Active Directory
     • You need to build a list of systems
     • And we provided a Ping script so you can test those system names are alive
     • Add these to Hosts.txt to run your modules against
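As an added example (not one of ARTHIR’s own Recon scripts), the host-list step above in PowerShell: enumerate enabled Windows computers from Active Directory, keep only the ones that answer a ping, and write them to Hosts.txt. The OU path, the output file name and the one-host-per-line format are assumptions; the RSAT ActiveDirectory module and domain creds are required.

```powershell
# Added example, not part of ARTHIR: build Hosts.txt from Active Directory.
# Assumes the ActiveDirectory module is installed and the caller holds
# domain credentials. The OU and file name below are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=local'   # placeholder OU
$HostsFile  = '.\Hosts.txt'                            # target list for ARTHIR

# Enabled Windows hosts only; the AD filter runs server-side, so it stays cheap
# even in a large domain.
$Candidates = Get-ADComputer `
    -Filter 'Enabled -eq $true -and OperatingSystem -like "Windows*"' `
    -SearchBase $SearchBase -Properties OperatingSystem |
    Select-Object -ExpandProperty DNSHostName

# One ICMP echo per host. -Quiet returns $true/$false instead of a reply
# object; hosts that block ICMP will be dropped even though they are up.
$Alive = foreach ($Name in $Candidates) {
    if (Test-Connection -ComputerName $Name -Count 1 -Quiet -ErrorAction SilentlyContinue) {
        $Name
    }
}

# Assumed format: one host per line. ASCII avoids a BOM on the first line.
$Alive | Sort-Object -Unique | Set-Content -Path $HostsFile -Encoding ASCII
Write-Host ("{0} of {1} hosts answered; written to {2}" -f $Alive.Count, $Candidates.Count, $HostsFile)
```

Keep the unreachable hosts from the difference of the two lists as well: a domain-joined workstation that never answers during a hunt is itself worth a second look.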
  30. Available modules
     • Several more popular KANSA modules have been converted
     • More will be done as we move forward and need them
     • We provided templates so YOU can do it too
     • Remember that ‘community can contribute’ statement from earlier?
  31. Root Directory
     • ATT&CK – Some ATT&CK Matrix you can use
     • Documentation – How To Documentation
     • Known 3rd-Party – Known 3rd party modules for ARTHIR
     • Modules – Where all the modules are and modules.conf
     • Recon – Where Recon scripts live
     • ARTHIR.ps1 – The main ARTHIR script
     • Hosts.txt – Where you place hosts to run modules on
  32. Module types
     • Bin – Where you place .EXE and Zip files
     • Cleanup – Module(s) to delete ARTHIR remnants
     • Info – Modules to collect info about a system
     • Kansa_Legacy – Converted KANSA modules
     • LOG-MD – All LOG-MD modules
     • LOG-MD_Tasks – Modules to schedule LOG-MD hourly/daily
     • Sysinternals – Converted KANSA Sysinternals modules
     • Templates – Templates to make your own modules
  33. KANSA converted modules (modules.conf entries)
     ### Configuration modules
     # Kansa_Legacy\Config\Get-Anti-MW-HealthStatus.ps1
     # Kansa_Legacy\Config\Get-Anti-MW-InfectionStatus.ps1
     # Kansa_Legacy\Config\Get-Hotfix_Patches.ps1
     # Kansa_Legacy\Config\Get-Local_Accounts.ps1
     # Kansa_Legacy\Config\Get-Local_Admin_Accounts.ps1
     ### Log modules
     # Kansa_Legacy\Log\Get-AppCompatCache.ps1
     # Kansa_Legacy\Log\Get-CBS_Log.ps1
  34. KANSA converted modules (modules.conf entries)
     ### Disk modules
     # Kansa_Legacy\Disk\Get-Temp_Dir_Listing.ps1
     # Kansa_Legacy\Disk\Get-User_Name_Dir_Listing.ps1
     # Kansa_Legacy\Disk\Get-User_Name_Dir_Listing_List_of_Extensions.ps1
     # Kansa_Legacy\Disk\Get-Users_Dir_Listing.ps1
     ### Network modules
     # Kansa_Legacy\Net\Get-Arp.ps1
     # Kansa_Legacy\Net\Get-DNS-Cache.ps1
     # Kansa_Legacy\Net\Get-Net-IP-Interface.ps1
     # Kansa_Legacy\Net\Get-Netstat.ps1
     ### Cleanup/Delete ARTHIR folders
     # Cleanup\GetDelete_ARTHIR_Folders.ps1
  35. Templates
     • Get-Binary-Template.ps1
     • Get-Script-Template.ps1
     • Get-Task-Template-Daily.ps1
     • Get-Task-Template-Hourly.ps1
     • Get-Zip-Template.ps1
     • Variables used to make editing/changing modules easier than KANSA
  36. Modules for Utility/Tools
     • LOG-MD… Duh
     • LOG-MD Free Edition
     • LOG-MD-Professional, all features
     • LOG-MD-Professional Tasks, Hourly & Daily
     • Sysinternals – Sigcheck
     • Sysinternals – Handle
  37. DEMO
  38.
  39. You will make PowerShell noise
     • Since ARTHIR uses PowerShell…
     • The adversaries use PowerShell
     • You will add events to the PowerShell logs
     • So test and whitelist the scriptblocks that ARTHIR creates
     • Make it easier to hunt the bad
     • LOG-MD provides a Whitelist_PowerShell.txt with many exclusions
  40. Some ARTHIR PS Exclusions
     # ARTHIR related items to exclude known ARTHIR components
     #
     *ARTHIR - *
     *## ARTHIR*
     *$ARTHIR_Dir*
     *CODE ARTHIR*
     *ARTHIR*
     *$ARTHIR_OutputDir*
     *value="ProcessName. ProcId. HandleId. Owner. Type. Perms. Name*
     *Write-Output "Prefetch not enabled on*
     #
     # More generic ARTHIR scriptblocks
     #
     *PackageManagement.format.ps1xml*
     *NestedModules="Microsoft.PowerShell.Commands.Management.dll*
     *RootModule = "Microsoft.PowerShell.PackageManagement.dll*
     *System.Management.Automation.PSDriveInfo] $driveInfo*
     *Microsoft.PowerShell.Management\Test-Path $pathToValidate*
     *Microsoft.PowerShell.Management\Test-Path $getPathItems*
     *function PSCopyFileFromRemoteSession*
     *function PSGetFileMetadata*
     *function PerformCopyFileFromRemoteSession*
     *function PSSourceSupportsAlternateStreams*
     *indentString = "+ PSComputerName : " + $originInfo.PSComputerName*
     *-ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView*
     *# .ExternalHelp System.Management.Automation.dll-help.xml*
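An added example, not LOG-MD’s own whitelist code: apply an exclusion file in the format above to ScriptBlock logging events (Event ID 4104) so that ARTHIR’s own activity drops out and what remains is what you hunt through. It assumes one wildcard pattern per line matched with PowerShell’s -like, ‘#’ lines as comments, and a placeholder file path.

```powershell
# Added example, not part of LOG-MD or ARTHIR: filter 4104 ScriptBlock events
# against wildcard exclusions. Assumes Whitelist_PowerShell.txt holds one
# -like pattern per line and that '#' lines are comments (file path is a
# placeholder). Requires ScriptBlock logging to be enabled (PowerShell v5).
$WhitelistFile = '.\Whitelist_PowerShell.txt'

# Load patterns; blank lines and '#' comments are skipped
$Patterns = Get-Content -Path $WhitelistFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' -and -not $_.StartsWith('#') }

function Test-Whitelisted {
    param([string]$ScriptBlockText)
    # -like: * and ? are wildcards, [ ] is a character class, match is
    # case-insensitive. '$' inside a pattern read from a file is literal.
    foreach ($p in $Patterns) {
        if ($ScriptBlockText -like $p) { return $true }
    }
    return $false
}

# 4104 event data: Properties[2] = ScriptBlockText, [3] = ScriptBlockId, [4] = Path
$Filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
$Events = @(Get-WinEvent -FilterHashtable $Filter -MaxEvents 5000 -ErrorAction SilentlyContinue)

$Suspect = @(foreach ($e in $Events) {
    $text = [string]$e.Properties[2].Value
    if (-not (Test-Whitelisted $text)) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            Path     = $e.Properties[4].Value
            Snippet  = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
})

Write-Host ("{0} script blocks read, {1} not covered by the whitelist" -f $Events.Count, $Suspect.Count)
$Suspect | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Check what each broad pattern such as *ARTHIR* actually suppresses before trusting the filtered view, since it will also hide any unrelated script block that happens to contain that string.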
  41. Conclusion
     • Try it you’ll like it
     • Mikey does…
     • Contribute
     • Send us ideas
     • It’s Open Source on GitHub
     • www.ARTHIR.com
  42. Resources
  43. Cheat Sheets
     • Windows ATT&CK Logging Cheat Sheet
     • Windows ATT&CK LOG-MD Cheat Sheet
       – www.MalwareArchaeology.com/cheat-sheets
     • ATT&CK Matrix Spreadsheet template
       – Comes with ARTHIR
     Get ARTHIR
     • www.ARTHIR.com
     • https://github.com/MalwareArchaeology/ARTHIR
  44. MITRE ATT&CK™ Sites
     MITRE ATTACK
     • https://attack.mitre.org/
     Enterprise
     • https://attack.mitre.org/techniques/enterprise/
     ATT&CK Navigator
     • https://mitre.github.io/attack-navigator/enterprise/
  45. Recommended Sites
     OSSEM – Open Source Security Events Metadata
     • https://github.com/Cyb3rWard0g/OSSEM
     SOCPrime SIGMA to SIEM converter
     • https://uncoder.io/
     SIGMA – Generic Signature Format for SIEM Systems
     • https://github.com/Neo23x0/sigma
     Red Canary Atomic Red Team
     • https://atomicredteam.io/
     MATE – MITRE ATT&CK® Technique Emulation
     • https://github.com/fugawi/mate
     Atomic Threat Coverage
     • https://github.com/krakow2600/atomic-threat-coverage
  46. Recommended Sites
     The ThreatHunter-Playbook
     • https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
     OLAF Hartong ThreatHunting | A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
     • https://github.com/olafhartong/ThreatHunting
     Sysmon-modular | A Sysmon configuration repository for everybody to customize
     • https://github.com/olafhartong/sysmon-modular
  47. Videos
     MITRE ATT&CKCon
     • https://www.youtube.com/playlist?list=PLkTApXQou_8JrhtrFDfAskvMqk97Yu2S2
  48. Questions
     • You can find us on the Twitters
       – @HackerHurricane
     • LOG-MD.com
     • MalwareArchaeology.com
     • Preso will be on SlideShare and linked on MalwareArchaeology.com
     • Listen to the PodCast to hear the rest of this topic
       – http://www.brakeingdownir.libsyn.com/