Legend
Below is the skeleton from the SANS FOR508 course description. I am using it to make up my study plan. For each step of this plan I estimate my current level of training, and I am also collecting resources for each topic under Resources.
🫑 - level 0. I know nothing and not even where to start. I might have some embarrassingly fundamental knowledge which is not good enough even for the start.
🥒 - level 1. I know something about the subject, but this only gives me an approximate plan and the kind of things to look for.
🥗 - level 2. I know something about the subject, I’ve even read something about it. But no hands-on experience.
🌮 - level 3. I know quite a lot about the subject, I’ve read something about it and have some hands-on experience.
🥘 - level 4. I know a lot about the subject and have quite a decent amount of experience. This one I will only use when I am done preparing and have taken the first mock exam. Bonus - 🍭 real-life experience (not just labs).
🗒 - topic-specific plan. 👌 - done, 🚧 - in progress.
🗂 - references and resources.
🎯 - objectives.
🏺 - artifacts.
🛠 - tools to learn/use.
Exercises
- Forensic Lab Setup and Orientation Using the SIFT Workstation 🥒 - level 1.
- Malware Persistence Detection and Analysis 🗂 [2], 🌮 - level 3 + 🍭.
- Scaling Data Collection and Analysis 🫑 - level 0.
- Finding and Analyzing Malicious WMI Attacks 🫑 - level 0.
Topics
Real Incident Response Tactics
Preparation
Key tools, techniques, and procedures that an incident response team needs to respond properly to intrusions
Identification/Scoping
Proper scoping of an incident and detecting all compromised systems in the enterprise. The first stages of IR are mostly about cleaning up the candidate set using frequency analysis, leaving everything less likely for the worst-case scenario. So, if frequency analysis leaves no clues or traces, you move on to the entries that seem less suspicious or not suspicious at all. So, in IR you are not supposed to investigate every single process on the machine and determine whether it’s malicious or not. That is the worst-case scenario, and it’s mostly about forensics, I think.
Containment/Intelligence Development
Restricting access, monitoring, and learning about the adversary in order to develop threat intelligence
Eradication/Remediation
Determining and executing key steps that must be taken to help stop the current incident and the move to real-time remediation
Recovery
Recording of the threat intelligence to be used in the event of a similar adversary returning to the enterprise.
Avoiding “Whack-A-Mole” Incident Response
Going beyond immediate eradication without proper incident scoping/containment. It’s very bad to do so, since without proper scoping/containment you can’t know the whole picture and you risk leaving some vulnerability unpatched or some machine unrecovered. Moreover, the attacker now knows how you behave, and that you know, and can act accordingly.
[1] The End Of Whac-A-Mole: From Incident Response To Strategic Intelligence
[2] Incident Response book (Packt) + several others + NIST.
Threat Hunting
Hunting versus Reactive Response
[1] SANS+IBM brochure on hunting.
Hunting is usually better since it allows a targeted response. Reactive response means that you are looking for everything, even if it’s not really relevant for your enterprise. For example, monitoring for the log4j vulnerability when you don’t use this framework at all.
Intelligence-Driven Incident Response
[1] SANS poster, Threat Intelligence
So, each time an IR process is triggered, plus the third-party information collected, we “draw” a picture of the most likely threats for this particular organization.
Building a Continuous Incident Response/Threat Hunting Capability
Forensic Analysis versus Threat Hunting Across Endpoints
[1] use VPN to access
Forensic analysis is time- and resource-costly. That’s why you don’t use it for every investigation on every machine. Threat hunting can be thought of as an immune system: B lymphocytes mark “bad” cells with antibodies and macrophages eat them. So, threat hunting shows the most likely suspects, most likely actors and most likely attack strategies and marks the workstations; forensics is there to validate and investigate deeper.
Threat Hunt Team Roles
[1] Find Evil, [2] SecOps, [3] Where Does Threat Hunting Fit?, [4] Building your team
ATT&CK - MITRE’s
[1] is the main website on the topic.
Threat Hunting in the Enterprise
Identification of Compromised Systems
Finding Active and Dormant Malware
[1] TripWire article (short) about dormant malware
Digitally Signed Malware
Malware Characteristics
Common Hiding Mechanisms
Finding Evil by Understanding Normal
[1] My article about Super Novas
[2] SANS poster about Normal and Abnormal
Incident Response and Hunting across Endpoints
WMIC & PowerShell
[1] Read here
Offline. Detect all registered Event Consumers from an OBJECTS.DATA file:
PyWMIPersistenceFinder.py <path\to\OBJECTS.DATA>
Offline. Kansa analysis of WMI:
Get-LogparserStack.ps1 -FilePattern *WMIEvtFilter.csv -Delimiter "," -Direction asc -OutFile WMIEvt-stackfiles.csv
# Open with Timeline Explorer
PowerShell Remoting Scalability
Initiate a remote session:
# session created, command run, session terminated
Invoke-Command -ComputerName <pcname> -ScriptBlock {Get-Process | Where-Object -Property Name -eq somethingbad}
# interactive session created, commands run, session terminated when the user says so
Enter-PSSession -ComputerName <pcname> -Credential <login>
# or create a session
New-PSSession -ComputerName <pcname> -Credential <login>
# and use it with Invoke-Command via the -Session parameter
It used to be Get-WMIInstance, now it’s Get-CIMInstance, to use with other CIM-based servers.
⚠️ Kept getting Access Denied on any Get-WMIInstance Win32_Process or Get-CIMInstance -ClassName Win32_Process.
powershell.exe -NoP -NonI -W Hidden -E. You won’t usually
PowerShell Remoting Credential Safeguards
Kansa PowerShell Remoting IR Framework
Running Kansa across multiple PCs.
mkdir Results && cd Results
# check kansa.ps1 for the modules that will be run
.\kansa.ps1 -Pushbin -Target localhost [-TargetList <listoftargets>] -Credential <login> -Authentication Negotiate
Malware Defense Evasion and Identification
Service Hijacking/Replacement
[1] My presentations in injections, part 1
[2] My presentations in injections, part 2
Frequent Compilation
Binary Padding
Packing/Armoring
[1] Incident involving armouring.
My own notes about packing (not ready yet)
Dormant Malware
[1] TripWire article (short)
Signing Code with Valid Certificates
Anti-Forensics/Timestomping
Malware Persistence Identification
https://www.hexacorn.com/blog/2017/01/28/beyond-good-ol-run-key-all-parts/
AutoStart Locations, RunKeys
Kansa Framework. Collection of the autorun locations:
# Step 1. Run autorunsc (or the Kansa module) on every machine, getting a CSV file for each one
# autorunsc.exe command used by the Kansa autoruns module
# -a * - all entry categories
# -c - output as CSV
# -h - generate hashes
# -s - verify digital signatures
# '*' - all user profiles
autorunsc.exe /accepteula -a * -c -h -s '*' -nobanner
# Collection with Kansa
kansa.ps1 -Pushbin -Target <IP|localhost|filewithIPs> -Credential username -Authentication Negotiate
# don't pass the password here; type it when asked
# Step 2. Open the generated file in Timeline Explorer for analysis.
# Step 3. Choose files from untrusted vendors and (Blank) signers.
# Step 4. Look at the image paths (compare with the Find Evil poster).
# Step 5. Look at the hashes, eliminate the known good.
# Step 6. Stacking (generate one file from all the CSVs)
Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1 > stackedData.csv
# Step 7. Perform frequency analysis. What stands out?
# Step 8. Use Select-String or grep to identify the machines for each suspicious entry
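Steps 3 to 8 of the autoruns procedure above are easiest to see end to end on a small data set. The following Python is an added example written for these notes, not Kansa's, Autoruns' or the course's own code: it reads constructed autorunsc-style CSV output from three made-up hosts (paths, hashes and hosts are invented), drops Authenticode-verified entries, removes hashes from a constructed known-good allowlist, stacks what remains by image path and MD5 across hosts, orders the stack so the rarest entries come first, and maps an entry back to the machines that carry it. The same group-and-count logic is what the service and WMI stacking steps later on do with Get-LogparserStack.ps1, only with different columns.

```python
"""Stack autorunsc output from many hosts and surface the rare, unsigned entries."""
import csv
import io
from collections import defaultdict

# Constructed autorunsc -c style output for three hosts (columns trimmed to the
# ones used here; hosts, paths and hashes are made up, not real collection data).
CONSTRUCTED_CSV = {
    "PC01": r"""Entry Location,Entry,Image Path,Signer,MD5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\System32\SecurityHealthSystray.exe,(Verified) Microsoft Windows,AAA1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,BackupAgent,C:\Tools\backup.exe,,BBB1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VendorAgent,C:\Program Files\Vendor\agent.exe,(Not verified) Vendor Ltd,CCC1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,C:\Users\bob\AppData\Roaming\updater.exe,(Not verified) ,DDD1
""",
    "PC02": r"""Entry Location,Entry,Image Path,Signer,MD5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\System32\SecurityHealthSystray.exe,(Verified) Microsoft Windows,AAA1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,BackupAgent,C:\Tools\backup.exe,,BBB1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VendorAgent,C:\Program Files\Vendor\agent.exe,(Not verified) Vendor Ltd,CCC1
""",
    "PC03": r"""Entry Location,Entry,Image Path,Signer,MD5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\System32\SecurityHealthSystray.exe,(Verified) Microsoft Windows,AAA1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,BackupAgent,C:\Tools\backup.exe,,BBB1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VendorAgent,C:\Program Files\Vendor\agent.exe,(Not verified) Vendor Ltd,CCC1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svchost,C:\Users\Public\svchost.exe,,EEE1
""",
}
# Hashes already vetted in an earlier investigation (constructed allowlist).
KNOWN_GOOD_MD5 = {"CCC1"}


def parse_autoruns(host, csv_text):
    """Parse one host's CSV and tag every row with the host it came from."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Host"] = host
        rows.append(row)
    return rows


def is_untrusted(row):
    # Step 3: anything not "(Verified)" by Authenticode, including a blank signer
    return not row["Signer"].strip().startswith("(Verified)")


def triage(csv_by_host, known_good_md5):
    """Steps 3, 5, 6 and 7: filter, drop known good, stack across hosts, rarest first."""
    stack = defaultdict(set)  # (image path, md5) -> hosts carrying that entry
    for host, text in csv_by_host.items():
        for row in parse_autoruns(host, text):
            if not is_untrusted(row):
                continue
            if row["MD5"].upper() in known_good_md5:
                continue
            key = (row["Image Path"].lower(), row["MD5"].upper())
            stack[key].add(host)
    results = [
        {"image_path": path, "md5": md5, "hosts": sorted(hosts), "count": len(hosts)}
        for (path, md5), hosts in stack.items()
    ]
    # frequency analysis: an entry seen on one host out of many stands out
    results.sort(key=lambda r: (r["count"], r["image_path"]))
    return results


def hosts_for(results, image_path):
    """Step 8: which machines carry a given suspicious entry."""
    for r in results:
        if r["image_path"] == image_path.lower():
            return r["hosts"]
    return []


if __name__ == "__main__":
    for r in triage(CONSTRUCTED_CSV, KNOWN_GOOD_MD5):
        print(f'{r["count"]:>3}  {r["md5"]}  {r["image_path"]}  {",".join(r["hosts"])}')
```

On the constructed data the unsigned backup agent present on all three hosts sinks to the bottom of the list, while the two one-off unsigned binaries in user-writable paths rise to the top; with hundreds of hosts the same ordering is what makes stacking useful.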
Service Creation/Replacement
Stacking services with Kansa:
Get-LogparserStack.ps1 -FilePattern *services.csv -Delimiter "," -Direction asc|desc -OutFile allServicesStack.csv
# For each GROUP BY prompt, type the column to group and order by,
# for example Name or Path
# type quit to finish
Service Failure Recovery
Scheduled Tasks
DLL Hijacking
[1] My own presentation and corresponding articles
WMI Event Consumers
[1] PhDays 2019, Persistence mechanisms on Windows. Review and put down.
Investigating WMI-Based Attacks
WMI Overview
Since Windows 2000. Web-Based Enterprise Management. CIM - Common Information Model. It’s both a DB of system information AND a means to automate its collection. wmic - command-line interface for WMI. It runs with SYSTEM privileges.
Moving laterally: remote desktop or net use. To execute code from A to B, WMI is one of the core techniques.
Can be used in privilege escalation, for example when finding a service that has an unquoted path. Or can be used with rundll32.exe and process call create.
Creating a WMI consumer:
# Step 1. Create an event filter that's going to monitor the systems and events and do something once certain conditions are met.
$FilterArgs = @{name='Pentestlab-WMI';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
# Step 2. Create an Event Consumer: the action that's going to take place once the conditions specified by the event filter are met.
$ConsumerArgs = @{name='Pentestlab-WMI'; CommandLineTemplate="$($Env:SystemRoot)\System32\pentestlab.exe";}
$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
# Step 3. Bind the Filter to the Consumer.
$FilterToConsumerArgs = @{
Filter = [Ref] $Filter;
Consumer = [Ref] $Consumer;
}
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
The above steps can be specified in a MOF file and compiled. So, either use PowerShell or mofcomp.exe. Get-WmiObject and Remove-WmiObject are used to detect and remove suspicious entries.
Just create a process with wmic:
wmic process call create "path\to\process"
Tools 🛠: Event Logs, Sysmon and commercial tools like Falcon, CarbonBlack, Tanium.
Get-WmiObject -Namespace root\Subscription -Class __EventFilter
Get-WmiObject -Namespace root\Subscription -Class __EventConsumer
Get-WmiObject -Namespace root\Subscription -Class __FilterToConsumerBinding
Kansa includes the scripts for these commands for autocollection.
There are several types of event consumers:
- 🎯 ActiveScriptEventConsumer. Executes a predefined VBScript or JScript. This one is frequently used by attackers. Process chain: scrcons.exe -> cmd.exe -> schticks.exe -> ActiveScript Event Consumer.
- 🎯 CommandLineEventConsumer. Launches a process. This one is also frequently used by attackers. wmiprvse.exe is the parent process: svchost -> services -> wmiprvse.exe -> CommandLine Event Consumer.
- LogFileEventConsumer. Writes to a txt file.
- NTEventLogEventConsumer. Logs a message to the Event Log.
- SMTPEventConsumer. Emails a message via SMTP.
- Custom. Requires a custom COM object.
WMI Attacks Across the Kill Chain
APT29. Used for privilege escalation and lateral movement.
Auditing the WMI Repository
Create and delete entries. The repository lives in Windows\System32\wbem\Repository:
- OBJECTS.DATA - objects managed by WMI.
- INDEX.BTR - binary tree index of the objects in OBJECTS.DATA.
- MAPPING[1-3].MAP - correlates data between OBJECTS.DATA and INDEX.BTR.
Known good 😇: SCM Event, BVTFilter, TSlogonEvents.vbs, TSLogonFilter, RAevent.vbs, RmAssistEventFilter, KernCap.vbs, NTEventLogConsumer, WSCEAA.exe (for Dell devices).
WMI File System and Registry Residue
MOF files - compiled versions of event consumers. They can be located anywhere and named lots of different things, but by default: %SystemRoot%\System32\wbem.
⚠️ The original .mof file can be deleted after it’s added to the repository. Set-WmiInstance can be used instead of MOF files.
Autorecover. #pragma autorecover in config.mof. If this option is included, a copy is saved to C:\Windows\System32\wbem\AutoRecover. Most of the adversaries use this setting. The times and dates of this backup usually differ from those of the other backups.
CIMOM. HKLM\SOFTWARE\Microsoft\Wbem\CIMOM. Use the Autorecover MOFs value to see the original MOF file names.
Command-Line Analysis and WMI Logs
If something malicious was found on the system and is likely to be present on other systems:
wmic process where name="somethingbad" delete
# or with PowerShell:
PyWMIPersistenceFinder.py is used for offline analysis of the OBJECTS.DATA file. If data is deleted from the DB, the data might still be there, and this script parses the DB, even the unallocated entries.
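The point about unallocated entries is what makes a raw carve of OBJECTS.DATA more useful than the live Get-WmiObject queries: a binding whose filter and consumer were deleted can still be sitting in the file. The Python below is an added example for these notes, not PyWMIPersistenceFinder.py or any other tool's code, and it works on a constructed byte blob rather than a real repository (the real OBJECTS.DATA layout is more involved; only the object-path reference strings inside a __FilterToConsumerBinding, of the form \\.\root\subscription:CommandLineEventConsumer.Name="...", are modelled faithfully, and the consumer/filter records are simplified to class\0name\0value\0). It carves every binding it can find, looks up the consumer's command and the filter's WQL query, and flags process- or script-launching consumers that are not on the page's known-good list, as well as orphaned bindings whose records are gone.

```python
"""Carve WMI filter/consumer bindings out of a raw OBJECTS.DATA-style byte blob."""
import re

# Known-good names from the notes plus the SCM event log pair every Windows
# install has (constructed allowlist; extend it from your own baseline).
KNOWN_GOOD = {
    "SCM Event Log Consumer", "SCM Event Log Filter", "BVTFilter", "TSLogonFilter",
    "RmAssistEventFilter", "NTEventLogConsumer",
}
# Consumer classes that run code, the two attackers favour.
PAYLOAD_CLASSES = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Object-path references as they appear inside a __FilterToConsumerBinding instance.
FILTER_REF = re.compile(rb'__EventFilter\.Name="([^"]+)"')
CONSUMER_REF = re.compile(rb'(\w+EventConsumer)\.Name="([^"]+)"')
RECORD_SEP = b"\x00\x00\x00\x00"  # record boundary in the constructed blob (simplified)


def _ref(cls: bytes, name: bytes) -> bytes:
    return b"\\\\.\\root\\subscription:" + cls + b'.Name="' + name + b'"\x00'


def build_constructed_repo() -> bytes:
    """A made-up OBJECTS.DATA-like blob: the same kind of strings a carver has to
    find, including a binding whose filter and consumer records were deleted."""
    junk = bytes(range(1, 17)) * 2  # filler with no NUL bytes
    records = [
        junk,
        b"__FilterToConsumerBinding\x00"
        + _ref(b"__EventFilter", b"SCM Event Log Filter")
        + _ref(b"NTEventLogEventConsumer", b"SCM Event Log Consumer"),
        b"__EventFilter\x00Pentestlab-WMI\x00SELECT * FROM __InstanceModificationEvent WITHIN 60 "
        b"WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'\x00",
        junk,
        b"CommandLineEventConsumer\x00Pentestlab-WMI\x00C:\\Windows\\System32\\pentestlab.exe\x00",
        b"__FilterToConsumerBinding\x00"
        + _ref(b"__EventFilter", b"Pentestlab-WMI")
        + _ref(b"CommandLineEventConsumer", b"Pentestlab-WMI"),
        # orphaned binding: its filter and consumer records are gone, only this survives
        b"__FilterToConsumerBinding\x00"
        + _ref(b"__EventFilter", b"OldUpdater")
        + _ref(b"CommandLineEventConsumer", b"OldUpdater"),
        junk,
    ]
    return RECORD_SEP.join(records)


def carve_bindings(data: bytes):
    """Yield (filter_name, consumer_class, consumer_name) for every binding whose
    strings survive in the blob, whether or not the index still points at it."""
    for chunk in data.split(RECORD_SEP):
        if b"__FilterToConsumerBinding" not in chunk:
            continue
        f, c = FILTER_REF.search(chunk), CONSUMER_REF.search(chunk)
        if f and c:
            yield f.group(1).decode(), c.group(1).decode(), c.group(2).decode()


def find_record(data: bytes, class_name: str, name: str):
    """Value stored after <class>\\0<name>\\0 in the constructed layout: the
    consumer's command line/script or the filter's WQL query. None if deleted."""
    pattern = (re.escape(class_name.encode()) + b"\x00"
               + re.escape(name.encode()) + b"\x00([^\x00]+)\x00")
    m = re.search(pattern, data)
    return m.group(1).decode() if m else None


def analyze(data: bytes):
    findings = []
    for filter_name, consumer_class, consumer_name in carve_bindings(data):
        known_good = consumer_name in KNOWN_GOOD and filter_name in KNOWN_GOOD
        findings.append({
            "filter": filter_name,
            "query": find_record(data, "__EventFilter", filter_name),
            "consumer_class": consumer_class,
            "consumer": consumer_name,
            "command": find_record(data, consumer_class, consumer_name),
            # a code-running consumer off the allowlist is worth a look; an orphaned
            # binding of that class is too, since something was there and was removed
            "suspicious": consumer_class in PAYLOAD_CLASSES and not known_good,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(build_constructed_repo()):
        print(f)
```

Against a real repository the record-lookup part has to follow the actual object layout (which is what the dedicated tool does); the binding carve, the allowlist check and the orphan logic carry over unchanged.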
Stacking with Kansa
Get-LogparserStack.ps1 -FilePattern *wmisFilters.csv|wmisEvents.csv|wmisConsumers.csv -Delimiter "," -Direction asc|desc -OutFile wmisStack.csv
# GROUP BY Name and/or Query
# Use Select-String or grep to identify the machines for suspicious entries
WMI Process Anomalies
svchost -> services -> wmiprvse.exe -> CommandLine Event Consumer. If wmiprvse.exe has another parent or an unusual child (powershell), it’s suspicious.
scrcons.exe -> cmd.exe -> schticks.exe -> ActiveScript Event Consumer.
- Encoded command lines
- Invoke-WmiMethod and Invoke-CimMethod
- /node:
- wmic process call create
Create a baseline for what’s normal for your systems.
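The anomalies listed in this section (wmiprvse.exe with an unexpected parent, a shell spawned under a WMI consumer host, encoded PowerShell command lines, remote process creation via wmic /node:) are simple enough to check over process-creation telemetry. The Python below is an added example written for these notes, not code from the course or any tool: it runs those checks over a handful of constructed Sysmon-style process events (all PIDs, paths and the encoded payload are invented; the encoded payload decodes to a harmless Get-Process) and decodes the -E/-EncodedCommand argument so the analyst sees the script rather than the base64.

```python
"""Flag WMI-related process anomalies and decode -EncodedCommand payloads."""
import base64
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 / 4688-style); constructed."""
    pid: int
    image: str
    parent_image: str
    command_line: str


NORMAL_WMIPRVSE_PARENTS = {"svchost.exe"}   # the WMI service host spawns wmiprvse.exe
WMI_HOSTS = {"wmiprvse.exe", "scrcons.exe"}  # CommandLine / ActiveScript consumer hosts
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the script behind -E/-enc/-EncodedCommand (base64 of UTF-16LE),
    or None when there is no such argument or it does not decode."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)
        if len(t) >= 2 and t.startswith("-") and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le") or None
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_events(events):
    """Return (pid, reason) findings for the anomalies the notes describe."""
    findings = []
    for ev in events:
        image, parent = _basename(ev.image), _basename(ev.parent_image)
        if image == "wmiprvse.exe" and parent not in NORMAL_WMIPRVSE_PARENTS:
            findings.append((ev.pid, f"wmiprvse.exe with unexpected parent {parent}"))
        if parent in WMI_HOSTS and image in SHELLS:
            findings.append((ev.pid, f"{parent} spawned {image}"))
        decoded = decode_encoded_command(ev.command_line)
        if decoded is not None:
            findings.append((ev.pid, f"encoded command line decodes to: {decoded}"))
        cl = ev.command_line.lower()
        if image == "wmic.exe" and "/node:" in cl and "process call create" in cl:
            findings.append((ev.pid, "remote process creation via wmic"))
    return findings


def constructed_events():
    """Made-up events: two normal, three matching the anomaly patterns."""
    enc = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
    return [
        ProcEvent(1, r"C:\Windows\System32\wbem\wmiprvse.exe",
                  r"C:\Windows\System32\svchost.exe", "wmiprvse.exe -secured -Embedding"),
        ProcEvent(2, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Windows\System32\wbem\wmiprvse.exe",
                  f"powershell.exe -NoP -NonI -W Hidden -E {enc}"),
        ProcEvent(3, r"C:\Windows\System32\wbem\wmiprvse.exe",
                  r"C:\Windows\System32\cmd.exe", "wmiprvse.exe"),
        ProcEvent(4, r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\explorer.exe",
                  'wmic /node:HOST02 process call create "notepad.exe"'),
        ProcEvent(5, r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs -p"),
    ]


if __name__ == "__main__":
    for pid, reason in analyze_events(constructed_events()):
        print(pid, reason)
```

The parent set is deliberately a constant: the note about building a baseline applies here, since an EDR agent or management tool in your environment may legitimately sit in some of these chains, and the baseline is what turns these rules from noisy into useful.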
Resources
[1] About some APT groups
[2] Practical Malware Analysis book
[3] Tips on SANS For508