Stalking Hackers with Core Splunk

Derek Arnold, CISSP, Senior Splunk Consultant

Your Presenter

Derek Arnold
•  12 years in security
•  Enterprise IT
•  Industries: Retail, medical tech, health insurance
•  Specialties: Security operations, threat intelligence, physical security, SIEM
•  Certified Splunk admin
•  Yoga, Pilates, running

Agenda

Threat Realization

Anomaly Detection

Windows Searches

UNIX Searches

Networking and Remote Desktop Searches

Key Takeaways/Conclusion

THREAT REALIZATION: Why beef up your detection?

Kevin Mitnick

Robert has a sense that he understands how IT and network security people work, and it’s not all that different from everyone else in the working world. “The only way for them to notice [my going online] would have been going through the logs actively.” His view of IT security people wasn’t very flattering. “People don’t read logs every morning. When you get to your desk, you sit down, have a coffee, read a few Web sites of personal interest. You don’t go in and read logs and see who changed their passwords yesterday.”

Source: Kevin Mitnick, The Art of Intrusion


2014 Retail Breaches White Paper

In today’s corporations, there are many attack alerts that may possibly overwhelm the staff’s ability to react to them all. Companies must implement and maintain Security Information and Event Management (SIEM), define events of interest (EOI) and train staff to assess whether the EOI poses a serious threat. Ignoring an alert is like driving a car with the check engine light on because there are seemingly no other symptoms of a serious problem.

Source: http://www.accuvant.com/resources/ the-four-attack-vectors-to-prevent-or-detect-retailer-breaches


Sun Tzu

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.

If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

If you know neither the enemy nor yourself, you will succumb in every battle.”

Source: Sun Tzu, The Art of War, Ch. III


ANOMALY DETECTION: Big word, big concept

Kill chain: Reconnaissance → Weaponization → Delivery → Exploitation → Command and Control → Exfiltration

Anomaly Detection: In order to know what is abnormal, we need to know what is normal

•  30-90 day historical profile required
•  Shorten the dwell time
•  You’re using Universal Forwarder, RIGHT?

Universal Forwarder on Windows: Harness the full capability

Data sources
•  Windows event logs
•  File system changes
•  WMI-based data
•  Windows registry data
•  Host information
•  Network information

Use Cases
•  File integrity monitoring: configuration files
•  DNS resolution
•  Downloads folders, temp folders, root folders
•  Software installations
•  Crashing processes, AV tampering
•  Creation of new services
•  Task scheduler activity

More information
•  http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/MonitorWindowsdata
•  http://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262

WINDOWS


Local Admin Usage (description)

Who is using local admin instead of a specific administrative user?

Risk of escalation of privilege. Who is making the change? Shouldn’t they be using an ID trackable to a specific person?

Does the job role of this employee match their privileges?

Local Admin Usage (search)

sourcetype="WinEventLog:Security" "Sid=S-1-5-21-*-500"

Relative identifier (RID) 500 is the built-in Administrator account, and it keeps that RID even when the account is renamed, so matching on the SID rather than the account name survives renaming. The pattern S-1-5-21-*-500 matches the local Administrator on every host and also the domain’s built-in Administrator (same RID, domain SID prefix); split on the SID prefix if you want to alert on the two differently.

Domain Admin Changes (description)

Who is being added to the Windows domain admins group?

Risk of escalation of privilege. Who is making the change?

Does the job role of this employee match their privileges?

Domain Admin Changes (search) Adds/removes from W2k8 and W2k3

sourcetype=WinEventLog:Security Security_ID="YourDomain\\DomainAdminADGroupName"
    (EventCode=4728 OR EventCode=632 OR EventCode=4729 OR EventCode=633)
| eval ChangedBy=mvindex(Security_ID,0), Member=mvindex(Security_ID,1), DestinationGroup=mvindex(Security_ID,2)
| search DestinationGroup="YourDomain\\DomainAdminADGroupName"
| eval ActionTaken=case(EventCode=4728 OR EventCode=632, "A member was added to a security-enabled global group.",
                        EventCode=4729 OR EventCode=633, "A member was removed from a security-enabled global group.")
| table _time Member ActionTaken DestinationGroup ChangedBy

Assign variables for interesting fields: the Security ID field is multivalued, and its three values appear in the order the event lists them, Subject (who made the change), Member (who was added or removed), then Group. The opening filter only makes sure the group name appears somewhere in the event; the later search on DestinationGroup pins it to the Group position, so an administrator who happens to be in the group and changes some other group does not match.

Parse event codes and rename to friendly format: 4728/4729 are Windows 2008 and later, 632/633 the Windows 2003 equivalents. case() returns the first matching description.

Summarize activity in a table.

Domain Admins is a global group, which is why 4728/4729 are the right codes. Enterprise Admins (a universal group in a native-mode forest) logs 4756/4757, and the local Administrators group on a member server logs 4732/4733; cover those with the same pattern if they are in scope.

Event Logs Cleared (description)

•  After a threat actor has performed their task, wouldn’t they try to clean up their tracks?

Event Logs Cleared (search)

sourcetype=wineventlog:* (EventCode=1102 OR EventCode=517) LogName=Security
| table _time ComputerName EventCodeDescription Client_User_Name src_user

Look for event logs cleared event codes: 1102 (Windows Vista/2008 and later) and 517 (Windows 2003). Both are written into the freshly cleared Security log itself, so the clearing leaves a trace, and a running Universal Forwarder will already have shipped everything that was cleared.

Display the important info in a table.

Clearing the System or Application log does not produce 1102; it is recorded as Event ID 104 (source Microsoft-Windows-Eventlog) in the System log, which the LogName=Security filter excludes. Add a clause for it if those logs matter to you.

Suspicious Processes (description)

Install malware using a name of a trusted process

Look for trusted process names in non-standard folders

Can’t install it in a system directory without sharing violation/system instability

Suspicious Processes (search)

sourcetype=wineventlog:security "new process has been created"
| eval Process_Name=coalesce(Image_File_Name,New_Process_Name)
| fields Message, Process_Name, User_Name, ComputerName
| search (
    (Process_Name=*cmd.exe NOT Process_Name="C:\\WINDOWS\\system32\\cmd.exe" NOT Process_Name="C:\\Windows\\SysWOW64\\cmd.exe" NOT Process_Name="C:\\Windows\\System32\\inetsrv\\appcmd.exe") OR
    (Process_Name=*svchost.exe NOT Process_Name="C:\\WINDOWS\\system32\\svchost.exe") OR
    (Process_Name=*explorer.exe NOT Process_Name="C:\\WINDOWS\\explorer.exe") OR
    (Process_Name=*msiexec.exe NOT (Process_Name="C:\\WINDOWS\\system32\\msiexec.exe" OR Process_Name="C:\\Windows\\SysWOW64\\msiexec.exe")) OR
    (Process_Name=*taskmgr.exe NOT Process_Name="C:\\WINDOWS\\system32\\taskmgr.exe") OR
    (Process_Name=*at.exe NOT Process_Name="C:\\WINDOWS\\system32\\at.exe" NOT Process_Name="C:\\WINDOWS\\system32\\netstat.exe") OR
    (Process_Name=*gpupdate.exe NOT Process_Name="C:\\WINDOWS\\system32\\gpupdate.exe") OR
    (Process_Name=*regedt32.exe NOT Process_Name="C:\\WINDOWS\\system32\\regedt32.exe") OR
    (Process_Name=*iexplore.exe NOT Process_Name="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" NOT Process_Name="C:\\Program Files\\Internet Explorer\\iexplore.exe") OR
    Process_Name="* *" OR Process_Name=*scvhost.exe OR Process_Name=*iexplorer.exe OR Process_Name=*svcdost.exe
  )

Gather data fields: Image_File_Name is the Windows 2003 (event 592) field and New_Process_Name the Windows 2008+ (event 4688) field; coalesce() takes whichever is present. 4688 is only written when Audit Process Creation is enabled in the audit policy.

Look for key system process names not running in their system folder. Each parenthesised group is one trusted name with its legitimate locations excluded. Trailing-wildcard terms such as *cmd.exe and *at.exe also match longer names, which is why appcmd.exe and netstat.exe are excluded explicitly; expect to add more exclusions as you tune. On 64-bit hosts, C:\Windows\SysWOW64\svchost.exe is also legitimate and should be excluded like the SysWOW64 copies of cmd.exe and msiexec.exe.

Blank or misspelled: the final terms catch common lookalike names. Process_Name="* *" matches any path containing a space, including everything under C:\Program Files, and so re-includes the iexplore.exe paths excluded above; narrow it before alerting on this search.
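The same check, as an added example rather than code from the talk: a Python pass over constructed 4688-style process-creation records that flags trusted binary names running outside their expected directory and, going a step beyond the three hard-coded misspellings in the search, any name one edit or one transposition away from a trusted name. The expected-directory table, the host and account names and the sample events are all assumptions made up for the example.

```python
"""Added example, not from the slides: the Suspicious Processes check as a
small Python pass over constructed 4688-style process-creation records.
It flags (1) trusted binary names running outside their expected directory
and (2) lookalike names one edit or transposition away from a trusted name."""
import ntpath

# Expected install directories per trusted binary, lowercase, for a 64-bit
# Windows under C:\Windows. Assumption: the list mirrors the slide's search;
# extend it for your own build.
EXPECTED_DIRS = {
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "msiexec.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "taskmgr.exe": {r"c:\windows\system32"},
    "at.exe": {r"c:\windows\system32"},
    "gpupdate.exe": {r"c:\windows\system32"},
    "regedt32.exe": {r"c:\windows\system32"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
}

# Constructed sample events: (ComputerName, Account_Name, New_Process_Name).
EVENTS = [
    ("WS01", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe"),
    ("WS01", "CORP\\jdoe", r"C:\Windows\SysWOW64\svchost.exe"),
    ("WS02", "CORP\\asmith", r"C:\Users\asmith\AppData\Local\Temp\svchost.exe"),
    ("WS02", "CORP\\asmith", r"C:\Windows\System32\scvhost.exe"),
    ("WS03", "CORP\\svc_web", r"C:\Windows\System32\inetsrv\appcmd.exe"),
    ("WS03", "CORP\\bob", r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
    ("WS03", "CORP\\bob", r"C:\ProgramData\iexplorer.exe"),
]


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus an adjacent
    transposition counted as one edit (so scvhost -> svchost is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(process_path):
    """Return None for a benign path, otherwise a short reason string."""
    directory, name = ntpath.split(process_path.lower())
    if name in EXPECTED_DIRS:
        # Exact basename match, so appcmd.exe is not mistaken for cmd.exe
        # the way a trailing-wildcard match (*cmd.exe) would.
        if directory in EXPECTED_DIRS[name]:
            return None
        return f"{name} outside expected directory: {directory}"
    for known in EXPECTED_DIRS:
        # Skip short names (at.exe, cmd.exe): too many legitimate neighbours.
        if len(known) >= 8 and osa_distance(name, known) == 1:
            return f"lookalike of {known}: {name}"
    return None


def scan(events):
    """Return (ComputerName, Account_Name, path, reason) for each hit."""
    hits = []
    for computer, account, path in events:
        reason = classify(path)
        if reason:
            hits.append((computer, account, path, reason))
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(" | ".join(hit))
```

Matching on the exact basename removes the need for the appcmd.exe and netstat.exe exclusions the wildcard search carries, and the distance check catches scvhost.exe, svcdost.exe and iexplorer.exe without listing each one; in practice you would still keep a short allow-list for legitimate names that happen to sit one edit from a system binary.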

UNIX


UNIX Failed Logins (description)

Failed login attempts

UNIX Failed Logins (search)

sourcetype=unix_syslog ("Failed password" OR "authentication failure")
| rex "for (invalid user )?(?<user>\S+) from (?<src_ip>\S+)"
| stats count values(src_ip) AS src_ip by user host
| where count>2
| sort - count

More than 2 failed attempts per user sorted by count.

The phrases are quoted so Splunk matches them as phrases rather than as two independent words anywhere in the event. The rex line is only needed if your add-on does not already extract user from sshd’s "Failed password for [invalid user] NAME from ADDR" lines; PAM’s "authentication failure" lines carry the account as user=NAME and the client as rhost=ADDR instead, so add a second rex for that form if they are in scope. The count covers whatever time range the search runs over; for an alert, run it over a short window (for example the last 15 minutes) and pick a threshold that suits your environment.

NETWORKING AND REMOTE DESKTOP


RDP Logins (description)

Who is logging in remotely to servers?

Does the job role of this employee match their privileges?

Do the logins match expected usage patterns? Time of day, departments, change records…

RDP Logins (search) Successful remote interactive (RDP) logons

sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=528) Logon_Type=10
| eval Security_ID=mvindex(Security_ID,1)
| dedup Source_Network_Address ComputerName Security_ID
| table _time Security_ID Logon_Type Source_Network_Address ComputerName

Logon type 10 is RemoteInteractive, i.e. Terminal Services/Remote Desktop; 4624 is the Windows 2008+ success event and 528 its Windows 2003 equivalent.

Formatting: the Security ID field in 4624 is multivalued, the first value being the Subject (usually SYSTEM) and the second the account that actually logged on, so the eval picks index 1 before anything else uses the field.

Remove duplicates: the target is the host that reported the event, ComputerName in the Windows add-on’s Security events (the same field the other searches here use), and the same field name must appear in both dedup and table. dedup keeps only the first event per source/target/account combination, so switch to stats count by those fields if you want volumes or times of day.
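Putting the RDP search together with the anomaly-detection point from earlier (a 30-90 day profile of what is normal), here is an added example, not code from the talk, that builds a per-account baseline of where RDP logons come from, which servers they reach and at which hours, then scores new Logon_Type=10 events against it. In Splunk the baseline rows would be the previous weeks of 4624 events from the search above; here a handful of constructed rows stand in for them, and the account, address and server names are invented.

```python
"""Added example, not from the slides: build a per-account RDP baseline
(sources, destinations, logon hours) and score new Logon_Type=10 events
against it. Sample events are constructed, not real logs."""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: (time, New Logon Security_ID, Source_Network_Address,
# ComputerName). In Splunk this would be the previous 30-90 days of 4624
# Logon_Type=10 events; a few rows stand in for them here.
BASELINE = [
    ("2014-08-04 09:12:00", "CORP\\jdoe", "10.1.5.20", "FS01"),
    ("2014-08-05 10:40:00", "CORP\\jdoe", "10.1.5.20", "FS02"),
    ("2014-08-12 14:05:00", "CORP\\jdoe", "10.1.5.21", "FS01"),
    ("2014-08-20 16:30:00", "CORP\\jdoe", "10.1.5.20", "FS01"),
    ("2014-08-06 22:15:00", "CORP\\svc_backup", "10.1.9.8", "FS01"),
    ("2014-08-13 22:17:00", "CORP\\svc_backup", "10.1.9.8", "FS02"),
]

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("2014-09-22 09:30:00", "CORP\\jdoe", "10.1.5.20", "FS01"),       # routine
    ("2014-09-22 03:10:00", "CORP\\jdoe", "203.0.113.9", "DC01"),     # new src, new dest, 03:00
    ("2014-09-22 22:16:00", "CORP\\svc_backup", "10.1.9.8", "FS02"),  # routine
    ("2014-09-22 13:00:00", "CORP\\svc_backup", "10.1.9.8", "FS01"),  # service account at lunchtime
    ("2014-09-22 11:00:00", "CORP\\tmp_admin", "10.1.5.20", "FS01"),  # account never seen
]

HOUR_TOLERANCE = 1  # hours either side of a seen logon hour still count as normal


def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour


def build_profile(events):
    """Per-account sets of sources, destinations and logon hours."""
    profile = defaultdict(lambda: {"src": set(), "dest": set(), "hours": set()})
    for ts, account, src, dest in events:
        p = profile[account.lower()]
        p["src"].add(src)
        p["dest"].add(dest)
        p["hours"].add(_hour(ts))
    return profile


def score(event, profile):
    """Return the reasons the event deviates from the baseline
    (an empty list means it looks like business as usual)."""
    ts, account, src, dest = event
    p = profile.get(account.lower())
    if p is None:
        return ["account has no RDP history in the baseline window"]
    reasons = []
    if src not in p["src"]:
        reasons.append(f"new source address {src}")
    if dest not in p["dest"]:
        reasons.append(f"new destination server {dest}")
    allowed = {(h + delta) % 24 for h in p["hours"]
               for delta in range(-HOUR_TOLERANCE, HOUR_TOLERANCE + 1)}
    hour = _hour(ts)
    if hour not in allowed:
        reasons.append(f"logon at {hour:02d}:00 outside usual hours {sorted(p['hours'])}")
    return reasons


def review(new_events, baseline=BASELINE):
    """Score a batch of new events; returns {event: reasons} for anomalies only."""
    profile = build_profile(baseline)
    flagged = {}
    for event in new_events:
        reasons = score(event, profile)
        if reasons:
            flagged[event] = reasons
    return flagged


if __name__ == "__main__":
    for event, reasons in review(NEW_EVENTS).items():
        print(event[0], event[1], "->", "; ".join(reasons))
```

Each reason maps to one of the questions on the slide: a new source or destination is the "does this match the job role" question, the hour check is the "time of day" question. The tolerance of one hour is a tuning knob; service accounts with a tight schedule want it small, interactive users a little wider, and the whole profile should be rebuilt as the 30-90 day window rolls forward.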

FTP Outbound (description)

Where are your files being sent?

Are the usernames a match to expected naming conventions?

Do the filenames and destinations match expected business applications?

FTP Outbound (search) File upload

sourcetype=cisco_asa FTP "Stored file"
| rex field=_raw "(?i)user (?P<user>.*) Stored file"
| rex field=_raw "(?i)Stored file (?P<file>.*)"
| rex field=_raw ":(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/"
| rex field=_raw ":(?P<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/21"
| search NOT dest_ip=10.0.0.0/8 NOT dest_ip=172.16.0.0/12 NOT dest_ip=192.168.0.0/16
| geoip dest_ip
| fields - dest_ip_latitude, dest_ip_longitude, dest_ip_postal_code, dest_ip_region_name, dest_ip_country_code, dest_ip_country_name, dest_ip_city
| rename geo_info AS dest_ip_geo_info
| eval time=strftime(_time, "%m/%d %H:%M:%S")
| stats values(time) AS Time values(user) AS Username values(file) AS Filename values(dest_ip) AS dest_ip values(dest_ip_geo_info) AS "Dest IP Geo info" by src_ip

Extract user, file, source and dest from the ASA 303002 message ("FTP connection from ifc:src_ip/port to ifc:dest_ip/21, user NAME Stored file FILENAME"). The first ":ip/" in the event is the source; the destination is recognised by its /21 suffix, so FTP servers listening on a non-standard control port are missed.

Outbound activity only: exclude all three RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) so internal-to-internal uploads drop out. The search command accepts CIDR notation against an IP-valued field.

Get geolocation of dest and timestamp. geoip comes from the MaxMind Geo Location app; on Splunk 6.0 and later the built-in iplocation command does the same job (fields City, Country, Region, lat, lon) without an add-on.

For format and clarity: one row per source address listing the users, files and destinations it uploaded to.
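The extraction and filtering steps above, as an added Python example that is not code from the talk: it parses Cisco ASA 303002 FTP messages, keeps only "Stored" (upload) events whose destination is outside the RFC 1918 ranges, and groups them by source address. The log lines are constructed to the 303002 layout rather than captured traffic, the host and user names are invented, and geolocation is left out so the block runs offline. It also goes one step further than the search by reading the destination port instead of assuming /21.

```python
"""Added example, not from the slides: parse Cisco ASA FTP file-transfer
messages (ID 303002), keep uploads that leave the RFC 1918 ranges, and
group them by source. Sample lines are constructed, not captured."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines following the ASA 303002 layout:
# %ASA-6-303002: FTP connection from src_ifc:src_ip/src_port to
#   dst_ifc:dst_ip/dst_port, user username {Stored|Retrieved} file filename
SAMPLE_LOG = """\
Sep 22 2014 13:05:11 fw01 %ASA-6-303002: FTP connection from inside:10.1.5.20/51234 to outside:203.0.113.45/21, user svc_backup Stored file payroll_2014.zip
Sep 22 2014 13:07:42 fw01 %ASA-6-303002: FTP connection from inside:10.1.5.20/51301 to dmz:172.16.8.9/21, user svc_backup Stored file nightly.tar
Sep 22 2014 14:01:03 fw01 %ASA-6-303002: FTP connection from inside:10.1.7.44/49152 to outside:198.51.100.7/21, user jdoe Stored file customer_list.xlsx
Sep 22 2014 14:02:00 fw01 %ASA-6-303002: FTP connection from inside:10.1.7.44/49160 to inside:192.168.50.5/21, user jdoe Stored file notes.txt
Sep 22 2014 14:05:00 fw01 %ASA-6-303002: FTP connection from inside:10.1.7.44/49170 to outside:198.51.100.7/21, user jdoe Retrieved file readme.txt
Sep 22 2014 14:09:31 fw01 %ASA-6-303002: FTP connection from inside:10.1.7.44/49181 to outside:198.51.100.7/2121, user jdoe Stored file q3_forecast.pdf
"""

FTP_RE = re.compile(
    r"%ASA-\d-303002: FTP connection from "
    r"(?P<src_ifc>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ifc>[^:\s]+):(?P<dest_ip>[\d.]+)/(?P<dest_port>\d+), "
    r"user (?P<user>\S+) (?P<action>Stored|Retrieved) file (?P<file>.+?)\s*$"
)

# Explicit RFC 1918 list rather than ipaddress.is_private, which would also
# swallow the TEST-NET documentation ranges used in the sample above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse(line):
    """Return the 303002 fields as a dict, or None for any other line."""
    m = FTP_RE.search(line)
    return m.groupdict() if m else None


def outbound_stores(log_text):
    """Uploads to non-RFC-1918 destinations, grouped by source address.
    Reading dest_port from the message keeps uploads to non-standard ports
    that a regex pinned to '/21' would drop."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] != "Stored" or is_internal(rec["dest_ip"]):
            continue
        by_src[rec["src_ip"]].append(
            (rec["user"], rec["file"], rec["dest_ip"], int(rec["dest_port"])))
    return dict(by_src)


if __name__ == "__main__":
    for src, uploads in outbound_stores(SAMPLE_LOG).items():
        print(src)
        for user, fname, dest, port in uploads:
            print(f"  {user} -> {dest}:{port}  {fname}")
```

The RFC 1918 list is spelled out on purpose: Python's ipaddress.is_private also treats the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, which would silently hide the sample destinations and is a reminder that "private" in a library is not the same as "inside my network". Feed the real ASA syslog stream into outbound_stores and add the geolocation lookup of your choice on dest_ip afterwards.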

KEY TAKEAWAYS/CONCLUSION

Know Your Environment

Understand the kill chain theory

Baseline the past 30-90 days of activity

Tune continuously

Search and alert on anomalies

Security office hours: 11:00 AM – 2:00 PM @ Room 103, every day. Geek out, share ideas with Enterprise Security developers.

Red Team / Blue Team: challenge your skills and learn new tricks. Mon-Wed: 3:00 PM – 6:00 PM @ Splunk Community Lounge; Thurs: 11:00 AM – 2:00 PM. Learn, share and hack.

Birds of a feather: collaborate and brainstorm with security ninjas. Thurs: 12:00 PM – 1:00 PM @ Meal Room.

Derek Arnold [email protected]

http://www.linkedin.com/in/derekarnold @DerekPArnold

1125 17th Street, Suite 1700, Denver, CO 80202

800.574.0896 [email protected] www.accuvant.com