Security Onion Conference - 2016
Upload: defensivedepth
Category: Technology
Transcript of Security Onion Conference - 2016
Page 1
Uncovering Persistence With Autoruns & Security Onion
#SOCAugusta @DefensiveDepth
Page 2
Autoruns (live.sysinternals.com)
- Boot execute / AppInit DLLs / Explorer addons
- Sidebar gadgets (Vista and higher)
- Image hijacks
- Internet Explorer addons / Known DLLs
- Logon startups / WMI entries
- Winsock protocol and network providers
Page 3
Hijacks: Image hijacks at the time of log generation
ELSA Query: groupby:path - Closely review any entries
Page 4
Goals
Implementation
Real-World Use
Page 5
“Pertinax” (Latin: “Persistent, Stubborn”)
Reference Architecture
Page 6
1) Generate
1) Tab-delimited CSV option: autorunsc -ct
2) Verify Signatures: autorunsc -s
3) Logfile is named with the hostname or IP address of the source system
   “DD-HR” is the name of the log for the system DD-HR
Page 7
2) Collect
for /f %%a in (host-list.txt) do (
    psexec -accepteula \\%%a -c autorunsc.exe -accepteula -a * -s -m -t -h -ct * > Logs\%%a.csv
)
Page 8
3) Normalize
- Removal of autoruns’ header rows
- Addition of a unique identifier to each message
- Addition of the source hostname to each message
- Addition of the runtime to each message
- Conversion to ASCII
- Replacement of the TAB delimiter with a pipe
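The normalize step above, as an added example and not the Pertinax project's own script: a Python normalizer for one host's autorunsc -ct output. It assumes the column-header row starts with "Time", that the file is UTF-16 with a byte-order mark as autorunsc writes it, and that the unique id is a short hash of host plus row (the deck does not say how its id was generated); the sample input is constructed.

```python
import hashlib

# Assumption: the column-header row that 'autorunsc -ct' prints before its data starts with "Time".
HEADER_PREFIX = "Time\t"


def normalize(raw, hostname, runtime):
    """Turn one host's 'autorunsc -ct' output into pipe-delimited log lines.

    Mirrors the deck's normalize step: drop Autoruns' banner and column-header rows,
    prepend a unique id, the source hostname and the collection runtime, force ASCII,
    and replace the TAB delimiter with a pipe so the OSSEC decoder splits fields reliably.
    """
    # autorunsc writes its CSV as UTF-16 with a byte-order mark; accept plain UTF-8 too
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", errors="replace")
    out = []
    in_data = False
    for line in text.splitlines():
        if not in_data:
            # everything up to and including the column-header row is a header row
            in_data = line.startswith(HEADER_PREFIX)
            continue
        if not line.strip():
            continue
        # conversion to ASCII: anything outside the 7-bit range becomes '?'
        line = line.encode("ascii", errors="replace").decode("ascii")
        # a literal '|' inside a field would break the new delimiter, so neutralise it first
        fields = [f.replace("|", "/") for f in line.split("\t")]
        # unique id: short hash of host + row, so an unchanged entry keeps its id across daily runs
        uid = hashlib.sha1(f"{hostname}\t{line}".encode("ascii", errors="replace")).hexdigest()[:12]
        out.append("|".join([uid, hostname, runtime, *fields]))
    return out


# Constructed sample modelled on 'autorunsc -ct' output (banner, blank line, header, two rows),
# encoded as UTF-16 with BOM the way the real tool emits it.
SAMPLE = (
    "Sysinternals Autoruns - Autostart program viewer\r\n"
    "\r\n"
    "Time\tEntry Location\tEntry\tEnabled\tCategory\tProfile\tDescription\tCompany\tImage Path\r\n"
    "20160901-120000\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSkype\tenabled\tLogon"
    "\tDD-HR\\admin\tSkype\tSkype Technologies\tc:\\program files\\skype\\phone\\skype.exe\r\n"
    "20160901-120000\tHKLM\\System\\CurrentControlSet\\Services\tupd\tenabled\tServices"
    "\tSYSTEM\tUpdater\tSociété Exemple\tc:\\programdata\\updater\\upd.exe\r\n"
).encode("utf-16")
```

Each returned line is id|host|runtime followed by the Autoruns columns, which is the shape the OSSEC decoder on the next slide has to split.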
Page 9
4) Import & Parse
OSSEC localfile configuration:
<localfile>
  <location>C:\Logs\ar-normalized.log</location>
  <log_format>syslog</log_format>
</localfile>
ELSA Pattern & OSSEC Decoder
- Hostname: DD-HR
- Category: Logon
- Entry: Skype
- Profile: DD-HR\admin
- Company: Skype Technologies
- Path: C:\program files\.....\Skype.exe
- Signer / Version / Launch String / Hashes
Page 10
5) View
Page 11
Real-World Use (Daily)
Page 12
Diff
200 entries x 50 hosts = 10,000 entries/day to review
vs.
Few Hundred
Page 13
Clients / Servers
Page 14
ELSA Queries
github.com/defensivedepth/Pertinax/wiki/Persistence-Categories
Stacking
Page 15
Drivers: All non-disabled drivers at the time of log generation
ELSA Queries:
groupby:path -system32 -syswow64
groupby:company (Look for unsigned drivers)
Page 16
Logon: Common startup areas: Run & RunOnce keys, Start Menu
ELSA Queries:
groupby:path, +users - Stack
groupby:company - Stack
Page 17
Internet Explorer: IE addons at the time of log generation
ELSA Queries:
groupby:path - Stack
Page 18
Explorer: Shell extensions, addons, etc.
ELSA Queries:
groupby:path - Stack
Page 19
Tasks: All registered tasks on the system
ELSA Queries:
groupby:path - Stack
Page 20
Services: All Autostart services on the system
ELSA Queries:
groupby:path - Show all results outside of the System32 folder - Stack
groupby:company - Stack
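The stacking queries on the preceding slides and the daily diff from the Real-World Use slide, as an added example rather than an ELSA query or Pertinax code: least-frequency stacking by path or company across hosts, the system32/syswow64 exclusion, and a today-versus-yesterday diff over normalized records. It assumes the pipe-delimited field layout of the normalize step (id, host, runtime, then the Autoruns columns); every record is constructed.

```python
# Field positions in the normalized pipe-delimited line (assumed layout from the normalize step):
# 0 id | 1 host | 2 runtime | 3 time | 4 location | 5 entry | 6 enabled | 7 category
# | 8 profile | 9 description | 10 company | 11 path
HOST, ENTRY, CATEGORY, COMPANY, PATH = 1, 5, 7, 10, 11
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

def parse(lines):
    """Split normalized log lines into field lists, skipping blanks."""
    return [line.split("|") for line in lines if line.strip()]

def stack(records, category, field=PATH, exclude_system=False):
    """ELSA-style 'groupby:<field>' for one Autoruns category: (value, distinct-host count),
    rarest first. An entry on one host out of fifty is what gets reviewed; fleet-wide ones are baseline."""
    hosts_by_value = {}
    for r in records:
        if r[CATEGORY].lower() != category.lower():
            continue
        value = r[field].lower()
        if exclude_system and any(d in value for d in SYSTEM_DIRS):
            continue  # the '-system32 -syswow64' exclusion used in the Drivers and Services queries
        hosts_by_value.setdefault(value, set()).add(r[HOST])
    return sorted(((v, len(h)) for v, h in hosts_by_value.items()), key=lambda p: (p[1], p[0]))

def diff(today, yesterday):
    """Daily diff: today's records with no match yesterday on (host, category, entry, path)."""
    key = lambda r: (r[HOST], r[CATEGORY], r[ENTRY].lower(), r[PATH].lower())
    seen = {key(r) for r in yesterday}
    return [r for r in today if key(r) not in seen]

def rec(host, category, entry, company, path, runtime):
    """Constructed normalized line (placeholder id, Services key): sample data, not a real host."""
    return "|".join(["id", host, runtime, "-", "HKLM\\System\\CurrentControlSet\\Services",
                     entry, "enabled", category, "SYSTEM", "-", company, path])

def fleet(runtime):
    """Constructed baseline: three hosts, each running the same two autostart services."""
    return [rec(h, "Services", e, c, p, runtime)
            for h in ("DD-HR", "DD-FIN", "DD-OPS")
            for e, c, p in (("Spooler", "Microsoft Corporation", "c:\\windows\\system32\\spoolsv.exe"),
                            ("AVAgent", "Example AV Ltd", "c:\\program files\\exampleav\\agent.exe"))]

YESTERDAY = parse(fleet("2016-08-31"))
# Today one host gained a service with no company name, outside the Windows directories
TODAY = parse(fleet("2016-09-01") +
              [rec("DD-HR", "Services", "Updater", "", "c:\\programdata\\updater\\upd.exe", "2016-09-01")])
```

stack(TODAY, "Services", exclude_system=True) puts the single-host path first, stack(TODAY, "Services", field=COMPANY) puts the blank company first, and diff(TODAY, YESTERDAY) returns only the new record: the few entries left after the fleet-wide baseline is removed.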
Page 21
Other Autoruns’ Categories
- Codecs
- Network Providers
- Winlogon
- LSA Providers
- KnownDLL
- Print Monitors
- Boot Execute
- WMI
- Office Addins
Page 22
Wrap-Up
Future Possibilities:
- VirusTotal Integration
- OSSEC Rulesets
Page 23
Questions? @DefensiveDepth
github.com/defensivedepth/Pertinax