The landscape of "threat hunting" has changed drastically with the increase in TLS-encrypted Internet traffic. The days of adversaries registering domains under their own names are gone, and malicious actors increasingly use malware that takes advantage of TLS encryption to hide their tracks. Yet even in this brave new world of altered TTPs, adversaries leave clues that can expose their infrastructure. To find those clues, however, blue teams need to learn some new tricks.
Our talk expands on techniques that Mark Parsons has researched and presented at various conferences, specifically his methods for using TLS certificates to find malware infrastructure. We build upon Parsons' corpus of work and show how his approach to malware certificate hunting can be extended to detect instances of PowerShell Empire servers that present self-generated SSL certificates on ports 443 and 8080. These certificates have a unique fingerprint that can be detected by leveraging tools like zmap/zgrep, Python, and statistics/machine learning. The results of this research show how network defenders can find previously unknown instances of malicious infrastructure communicating with their network and block it in the future. Finally, we discuss our hypothesis creation, our code and techniques, our validation methods, and we release our tools and methodology so the community can explore other "hidden empires" of malware that may exist.
Learned System Administration in the US Navy
Worked in the UK/US in public/private sector
Most recently at DARPA using Splunk
Has a masters degree from University of Westminster
Focuses on incident response, threat intel, dry humor.
Ryan
Ryan
Discuss what PowerShell Empire is
Steve
Who uses it? The usual suspects
DeepPanda/APT19
Ryan
Poseidon, Brazilian APT
Steve
Primarily used for corporate and government espionage for the purposes of financial gain. Estimated to have been operating since 2005.
Known to pose as Windows security consultants who, as part of their “service” run powershell scripts to gain a foothold and gather data.
APT28/Fancy Bear/Sofacy
Ryan
Gothic Panda/APT3
Ryan
But the internet is fast… and it's hard to find things unless you have…
Hard evidence in a forensic investigation. But it's good to be proactive.
So we are going to use PowerShell Empire as an example of how to find "hidden" infrastructure using information in SSL certificates, and ALSO how to find things that are not so "hidden".
Two options when you are looking at SSL certificate data:
Hunting for known SSL certificates that have been found during the course of your research or incident
Hunting for unknown things using statistical analysis or other methods
In the course of your incident response or threat hunting you might find SSL certificates that are connected to malware.
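Both hunting options above, worked as an added example (this is not the talk's released tooling and not Empire's own code). It runs two passes over scan output: a first pass that matches certificate fingerprints already tied to an incident, and a second pass that scores every remaining certificate with simple self-signed-cert heuristics so unknown hosts can be ranked for review. The flat per-host JSON record shape, the placeholder fingerprints, the indicator list and the weights are all assumptions for illustration; real zgrab output nests these fields differently, and the indicators are hunting hypotheses to validate against your own data, not a confirmed Empire signature.

```python
"""Added example: two certificate-hunting passes over TLS scan data.
Pass 1 matches fingerprints already tied to an incident; pass 2 scores the
rest with self-signed-cert heuristics so unknown hosts can be ranked.
Not the talk's released tooling; field names and weights are assumptions."""
import json
from datetime import datetime

# Constructed sample scan output, one JSON record per host:port.  The flat
# shape is an assumption for illustration (real zgrab output nests these
# fields) and the fingerprints are placeholders, not real certificates.
SAMPLE_SCAN = """\
{"ip": "192.0.2.10", "port": 443, "subject": {"C": "US"}, "issuer": {"C": "US"}, "not_before": "2017-01-05T10:00:00Z", "not_after": "2018-01-05T10:00:00Z", "san": [], "fingerprint_sha256": "aa11aa11"}
{"ip": "192.0.2.11", "port": 8080, "subject": {"C": "US"}, "issuer": {"C": "US"}, "not_before": "2017-02-01T08:30:00Z", "not_after": "2018-02-01T08:30:00Z", "san": [], "fingerprint_sha256": "bb22bb22"}
{"ip": "198.51.100.7", "port": 443, "subject": {"CN": "www.example.com", "O": "Example Inc", "C": "US"}, "issuer": {"CN": "Example CA", "O": "Example CA Ltd", "C": "GB"}, "not_before": "2016-06-01T00:00:00Z", "not_after": "2018-06-01T00:00:00Z", "san": ["www.example.com", "example.com"], "fingerprint_sha256": "cc33cc33"}
{"ip": "203.0.113.5", "port": 443, "subject": {"CN": "mail.internal", "O": "Corp"}, "issuer": {"CN": "mail.internal", "O": "Corp"}, "not_before": "2015-01-01T00:00:00Z", "not_after": "2025-01-01T00:00:00Z", "san": ["mail.internal"], "fingerprint_sha256": "dd44dd44"}
"""

# Fingerprints recovered during an earlier incident (constructed placeholder).
KNOWN_BAD = {"aa11aa11"}

# Hypothesised indicators of a script-generated self-signed certificate and
# their weights.  Assumed values to tune against your own scan data.
WEIGHTS = {"self_signed": 2, "sparse_subject": 2, "no_san": 1,
           "default_validity": 1, "tls_on_8080": 1}


def parse_scan(text):
    """Parse newline-delimited JSON scan records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _validity_days(rec):
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    start = datetime.strptime(rec["not_before"], fmt)
    end = datetime.strptime(rec["not_after"], fmt)
    return (end - start).days


def cert_features(rec):
    """Derive boolean indicators plus validity length from one record."""
    days = _validity_days(rec)
    return {
        "self_signed": rec["subject"] == rec["issuer"],   # issuer DN == subject DN
        "sparse_subject": len(rec["subject"]) <= 1,       # e.g. only a country field
        "no_san": not rec.get("san"),                     # no subjectAltName at all
        "validity_days": days,
        "default_validity": days == 365,                  # one-year script default
        "tls_on_8080": rec["port"] == 8080,               # TLS on a non-standard port
    }


def score(rec):
    """Weighted sum of the indicators that fire for this certificate."""
    feats = cert_features(rec)
    return sum(w for name, w in WEIGHTS.items() if feats[name])


def match_known(records, known):
    """Pass 1: hosts presenting a certificate already tied to an incident."""
    return [r for r in records if r["fingerprint_sha256"] in known]


def rank_unknown(records, known):
    """Pass 2: score everything not already known and rank high to low."""
    ranked = [dict(r, score=score(r)) for r in records
              if r["fingerprint_sha256"] not in known]
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    recs = parse_scan(SAMPLE_SCAN)
    for r in match_known(recs, KNOWN_BAD):
        print("KNOWN ", r["ip"], r["port"], r["fingerprint_sha256"])
    for r in rank_unknown(recs, KNOWN_BAD):
        print("SCORE", r["score"], r["ip"], r["port"], r["subject"])
```

The known-fingerprint pass is exact and cheap, so run it first over the whole scan; the scoring pass is where false positives live (the self-signed internal mail host still scores above zero here), which is why each indicator should be validated on its own before its weight is trusted.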