Greg Castle (@mrgcastle): GRR slide transcript
Slide 1: Greg Castle @mrgcastle
Slide 2: Who am I
GRR Developer, Google IR team
OS X Security
Former lives: pentesting, IR, security audits etc.
Slide 3: Live forensics
Slide 4
GET /beacon HTTP/1.1
Host: evil.com
from Joe’s machine
Slide 6
Joe is on vacation with 3G internet
GET /beacon HTTP/1.1
Host: evil.com
Slide 7: New APT Report
Slide 9
New malware report: BEAR EAGLE SHARK LASER is out: check all the things
Slide 10
New malware report: BEAR EAGLE SHARK LASER is out: check all the things
50+ IOCs for Win/Mac, and “all the things” is the machines of a highly mobile global organisation with 50k+ employees
Slide 11: GRR: GRR Rapid Response
Open source live forensics
Agent -> Internet -> Server
Disk Forensics = Sleuthkit
Memory Forensics = Rekall
Scalable
Stable, low-impact client
Full-time devs
Slide 12: Why build?
Customize for our threats/detection/defense
50 people analyzing 50 machines
Move as fast or faster than the attacker
Support Mac/Win/Linux
Slide 15: Clients
Stable, robust, low impact
Monitored
Limited
10min poll
Slide 16: Smart server, basic client
Time travel backwards
Faster build/fix/deploy
Less updating
Simpler backwards compatibility
Leak less intent
Slide 17: Server
Frontends pass messages
Workers do the real work
Everything is asynchronous
Queue work on the server
Slide 18: Datastore
Abstracted: easy to switch
MySQL (x2) | MongoDB | SQLite (sharded)
Versioned data -> axis of time
Slide 19: Demo
Slide 21: Authorization, Auditing
2-party authorization for machine access
DB logging
Audit events
Approval emails with justifications
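The access model on this slide, as an added example (not GRR's own code): a request with a written justification, a second person's approval, expiry, and an audit record for every decision. The policy details (a 7-day approval lifetime, refusing self-approval) and the client id are assumptions for the example.

```python
import time
from dataclasses import dataclass
from typing import List, Optional

# Policy assumed for this example (not GRR's actual implementation): an analyst
# requests access to one client with a written justification, a different
# person must approve, and the approval expires after APPROVAL_TTL_SECONDS.
APPROVAL_TTL_SECONDS = 7 * 24 * 3600
AUDIT_LOG: List[dict] = []  # stands in for the DB logging on the slide

@dataclass
class AccessRequest:
    client_id: str
    requester: str
    justification: str
    approver: Optional[str] = None
    approved_at: Optional[float] = None  # epoch seconds

def audit(event: str, **details) -> None:
    AUDIT_LOG.append({"ts": time.time(), "event": event, **details})

def request_access(client_id: str, requester: str, justification: str) -> AccessRequest:
    if not justification.strip():
        raise ValueError("a justification is required")  # it is what the approver reads
    req = AccessRequest(client_id, requester, justification)
    audit("access_requested", client=client_id, user=requester, reason=justification)
    return req

def approve(req: AccessRequest, approver: str, now: Optional[float] = None) -> bool:
    """Second party signs off; self-approval is refused and logged, not silently ignored."""
    if approver == req.requester:
        audit("approval_refused", client=req.client_id, user=approver, why="self-approval")
        return False
    req.approver, req.approved_at = approver, (now if now is not None else time.time())
    audit("access_approved", client=req.client_id, user=approver, for_user=req.requester)
    return True

def is_authorized(req: AccessRequest, user: str, now: Optional[float] = None) -> bool:
    """Only the requester, and only while a distinct, unexpired approval exists."""
    now = now if now is not None else time.time()
    ok = (user == req.requester and req.approver is not None and req.approver != user
          and now - req.approved_at <= APPROVAL_TTL_SECONDS)
    audit("access_checked", client=req.client_id, user=user, allowed=ok)
    return ok
```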
Slide 22
Fast, reliable, remote.
Advanced live forensics at scale.
Slide 23
Filesystem/Registry artifacts (Sleuthkit)
Memory artifacts (Rekall)
From difficult-to-specify locations
Be really really good at collecting
Slide 24
SANS: “a combination of description, location, and interpretation”
Slide 25
I prefer “that stuff I want”
Slide 26: As seen in the wild
HardDrive\Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default\History
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\InstallLocation
/Users/<user>/Library/Mail Downloads/
/home/user/.local/share/Trash/
Slide 27: What do I do with these?
HardDrive\Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default\History
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\InstallLocation
/Users/<user>/Library/Mail Downloads/
/home/user/.local/share/Trash/
Slide 28: Common language for interpolation
%%users.localappdata%%\Google\Chrome\User Data\*\History
HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\InstallLocation
%%users.homedir%%/Library/Mail Downloads/
%%users.homedir%%/.local/share/Trash/
Slide 29: Artifact
name: ApplicationEventLog
doc: Windows Application Event log.
collectors:
  - collector_type: FILE
    args: {path_list: ['%%environ_systemroot%%\System32\winevt\Logs\AppEvent.evt']}
conditions: [os_major_version >= 6]
labels: [Logs]
supported_os: [Windows]
urls: ['http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)']
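How the %%variable%% paths from the interpolation slide and the artifact definition above turn into concrete collection targets, as an added example (not GRR's or the ForensicArtifacts project's code): a server-side knowledge base expands per-user variables into one path per user, and the artifact's supported_os and conditions gate whether it applies to a client at all. The knowledge base contents and the client facts are constructed; the artifact is the page's ApplicationEventLog written as a dict so no YAML parser is needed.

```python
import itertools, operator, re
# Constructed knowledge base (assumption, not GRR's schema): facts the server
# already knows about one client; per-user variables hold one value per user.
KNOWLEDGE_BASE = {
    "environ_systemroot": [r"C:\Windows"],
    "users.localappdata": [r"C:\Users\alice\AppData\Local", r"C:\Users\bob\AppData\Local"],
    "users.homedir": ["/Users/alice", "/Users/bob"],
}
# The ApplicationEventLog artifact from the slides, as a dict so no YAML parser is needed.
APPLICATION_EVENT_LOG = {
    "name": "ApplicationEventLog", "supported_os": ["Windows"],
    "conditions": ["os_major_version >= 6"],
    "collectors": [{"collector_type": "FILE", "args": {"path_list": [
        r"%%environ_systemroot%%\System32\winevt\Logs\AppEvent.evt"]}}],
}
VAR_RE = re.compile(r"%%([A-Za-z_.]+)%%")
COND_RE = re.compile(r"^\s*(\w+)\s*(>=|<=|==|!=|>|<)\s*(\d+)\s*$")
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}

def interpolate(path, kb):
    """Expand every %%var%%; multi-valued vars fan out; globs ('*') stay for the client."""
    names = list(dict.fromkeys(VAR_RE.findall(path)))  # unique, in order
    missing = [n for n in names if n not in kb]
    if missing:
        raise KeyError(f"knowledge base lacks {missing}, cannot expand {path!r}")
    out = set()
    for combo in itertools.product(*(kb[n] for n in names)):
        expanded = path
        for name, value in zip(names, combo):
            expanded = expanded.replace(f"%%{name}%%", value)
        out.add(expanded)
    return sorted(out)

def applies(artifact, client):
    if client["os"] not in artifact["supported_os"]:
        return False
    for cond in artifact.get("conditions", []):
        m = COND_RE.match(cond)
        if not m:
            raise ValueError(f"unsupported condition syntax: {cond!r}")
        key, op, value = m.groups()
        if not OPS[op](client[key], int(value)):
            return False
    return True

def collection_paths(artifact, client, kb):
    if not applies(artifact, client):
        return []
    return [p for c in artifact["collectors"] if c["collector_type"] == "FILE"
            for raw in c["args"]["path_list"] for p in interpolate(raw, kb)]
```

applies() checks supported_os and every condition against the client's facts; collection_paths() then returns the concrete paths the FILE collectors would fetch, or nothing when the artifact does not apply.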
Slide 30: Artifact repository: get it here
~100 artifacts: github.com/ForensicArtifacts/artifacts
Independent and reusable by any tool
Used and maintained by us
Review, bug reports, patches very welcome
Slide 31: Exporting data for analysis
Heavy data analysis outside GRR
HTTP RPC APIs
Export plugin system: CSV <elasticsearch or your plugin of choice here>
Slide 32: What’s coming
Event triggered collection
C++ client
More powerful artifact collection
Client management: building, reporting, labelling ++
Slide 33: Great, how do I try it?
● Get a 64-bit Ubuntu machine
● Run the quickstart script from github.com/google/grr
● Open a browser
● Download and install the client on a machine
Slide 34: GRR (and friends) links
github.com/google/grr
github.com/ForensicArtifacts/artifacts
rekall-forensic.com
plaso.kiddaland.net/
github.com/google/timesketch
github.com/libyal/libyal/wiki/Overview