Slide 1

Slide 1 text

Lumos! Illuminate the dark hacker attack trail: use Sigma rules to enhance threat hunting capabilities
Will, TeamT5

Slide 2

Slide 2 text

Whoami
◆ Will Huang (@in0de_16)
◆ Security Researcher @ TeamT5
◆ Focus on threat hunting, malware analysis

Slide 3

Slide 3 text

AGENDA
01 Introduction - Threat Detection with Sigma
02 Creating Sigma Rules
03 Windows APT Attack detection with Sigma
04 Conclusion and Next Steps

Slide 4

Slide 4 text

TASK
◆ We'll act as the Threat Detection Team to defend against three incidents
◆ Hunting - Mimikatz Credentials Dump
◆ Hunting - PlugX RAT Infection Technique
◆ Hunting - Higaisa APT - Shortcut-Based (Lnk) Attacks

Slide 5

Slide 5 text

Env Setup - Download LAB
◆ The Lab can be run on any operating system (Windows/MacOS/Linux)
◆ Download the lab materials from here
◆ Please choose according to your operating system.

Slide 6

Slide 6 text

Introduction Threat Detection with Sigma

Slide 7

Slide 7 text

Threat Detection
◆ IoC (Indicators of Compromise)
  ◆ Record the adversary's information and use that information for detection.
  ◆ Info: C2 IP, domain, malware, fingerprints, signatures.
◆ IoA (Indicator of Attack)
  ◆ Concerned with the execution of behavior and steps.
  ◆ Gather the intent of the adversary.
  ◆ Behavior: Process injection, data encrypted, lateral movement.

Slide 8

Slide 8 text

Threat Detection (illustration)
◆ IoC: Tom's fingerprint
◆ IoA: Walk into

Slide 9

Slide 9 text

Threat Hunting
◆ Network Signature - Ex: 10.10.1.1 -> 10.10.1.223 - Tool: Snort
◆ Process Signature - Ex: A process creates B process - Tool: Sigma
◆ File Signature - Ex: C file has RSA encryption pattern - Tool: Yara

Slide 10

Slide 10 text

Sigma Rule

    title: Test
    id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
    status: test
    description: Detects behavior for CybersecLab
    references:
    author: iThome Cybersec
    date: 2023/04/14
    tags:
        - attack.impact
    logsource:
        category: process_creation
        product: windows
    detection:
        selection:
            - Image|endswith: '\run.exe'
            - CommandLine|contains: 'cybersec'
        condition: selection
    falsepositives:
        - Unknown
    level: high

Slide 11

Slide 11 text

Sigma Rule Cycle
Sigma rules -> (Convert) -> Queries, e.g. SELECT * FROM Info WHERE Image LIKE '/rm%' -> (Import) -> EDR, SIEM product

Slide 12

Slide 12 text

Sigma Rule Convert https://www.optiv.com/insights/source-zero/blog/sigma-rule-translation-and-automatic-queries
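The convert step of the rule cycle, as an added example (not code from the slides, from TeamT5 or from the SigmaHQ converters): a small translator that turns a detection block, loaded as a Python dict the way the YAML would load, into a SQL query of the SELECT ... WHERE ... LIKE shape drawn on the cycle slide. Maps become AND, lists of maps become OR, and the contains/startswith/endswith modifiers become LIKE patterns. The table name and the '!' escape character are assumptions; LIKE metacharacters inside a value are escaped so that a literal '%' or '_' in a command line is not read as a wildcard, which is the usual mistake in hand-written conversions.

```python
import re

# LIKE metacharacters that must be escaped inside a converted value.
LIKE_SPECIALS = re.compile(r"([%_!])")


def _sql_operand(value, modifiers):
    """Turn one Sigma value plus its modifiers into a SQL comparison."""
    if isinstance(value, int) and not modifiers:
        return "= %d" % value                      # numeric field such as EventID
    text = str(value).replace("'", "''")           # SQL string quoting
    if not any(m in modifiers for m in ("contains", "startswith", "endswith")):
        return "= '%s'" % text
    text = LIKE_SPECIALS.sub(r"!\1", text)         # '!' is the assumed escape char
    if "contains" in modifiers:
        text = "%" + text + "%"
    elif "startswith" in modifiers:
        text = text + "%"
    else:
        text = "%" + text
    return "LIKE '%s' ESCAPE '!'" % text


def _clause(key, patterns):
    """'Field|mod|mod: value(s)' -> one comparison or a bracketed OR/AND group."""
    field, *modifiers = key.split("|")
    values = patterns if isinstance(patterns, list) else [patterns]
    parts = ["%s %s" % (field, _sql_operand(v, modifiers)) for v in values]
    joiner = " AND " if "all" in modifiers else " OR "   # several values: OR unless |all
    return "(" + joiner.join(parts) + ")" if len(parts) > 1 else parts[0]


def _selection_sql(selection):
    """Map = AND over fields, list of maps = OR over items (slides 34 and 35)."""
    if isinstance(selection, dict):
        return "(" + " AND ".join(_clause(k, v) for k, v in selection.items()) + ")"
    if not all(isinstance(item, dict) for item in selection):
        # Bare keyword lists search every field; that needs a backend-specific
        # full-text feature, so this small converter refuses them explicitly.
        raise ValueError("keyword lists need a backend-specific full-text search")
    return "(" + " OR ".join(_selection_sql(item) for item in selection) + ")"


def to_sql(detection, table):
    """Build SELECT * FROM <table> WHERE <condition> for a detection block
    whose condition uses identifiers, and/or/not and parentheses only."""
    clauses = {k: _selection_sql(v) for k, v in detection.items() if k != "condition"}
    where = re.sub(r"\b(?!not\b|and\b|or\b)[A-Za-z_]\w*",
                   lambda m: clauses[m.group(0)], detection["condition"])
    where = re.sub(r"\b(and|or|not)\b", lambda m: m.group(0).upper(), where)
    return "SELECT * FROM %s WHERE %s" % (table, where)


# The detection block of the slide 10 rule, as the YAML would load.
SLIDE_10_DETECTION = {
    "selection": [{"Image|endswith": "\\run.exe"},
                  {"CommandLine|contains": "cybersec"}],
    "condition": "selection",
}

if __name__ == "__main__":
    print(to_sql(SLIDE_10_DETECTION, "Info"))
```

The output for the slide 10 block is `SELECT * FROM Info WHERE ((Image LIKE '%\run.exe' ESCAPE '!') OR (CommandLine LIKE '%cybersec%' ESCAPE '!'))`; a real backend (sigma-cli, Chainsaw, a SIEM) additionally maps field names and handles wildcards, which this translator leaves out on purpose.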

Slide 13

Slide 13 text

Sigma Rule Convert

Slide 14

Slide 14 text

Threat Hunting with Sigma
System event log (LNK):
    CommandLine: .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
    CommandLine: .\explorer.exe

Slide 15

Slide 15 text

Threat Hunting with Sigma
Sigma Ruleset applied to the system event log (LNK):
    detection:
        selection:
            CommandLine|contains:
                - 'privilege::debug'
                - 'sekurlsa::logonpasswords'
            FileName: 'Mimikatz.exe'
        condition: selection and filter

Slide 16

Slide 16 text

Threat Hunting with Sigma
System event log -> Real threat

Slide 17

Slide 17 text

Why Use Sigma
◆ Standardization
  ◆ Can use a converter to translate Sigma rules
◆ Collaboration
  ◆ Easy to read and write
◆ Flexibility
  ◆ Can shift from one technology to another more easily

Slide 18

Slide 18 text

Env Setup

Slide 19

Slide 19 text

Env Setup - Lab Contents Windows log

Slide 20

Slide 20 text

Env Setup - Lab Contents
◆ Placing the rules to be tested
◆ Placing the rule being written

Slide 21

Slide 21 text

Env Setup - Lab Contents
◆ Executing threat hunting using Chainsaw and the testing rules.

Slide 22

Slide 22 text

Env Setup - Lab Contents
◆ (Ctrl+`) Open the VS Code terminal
◆ Input the commands below
Windows:
    > cd .\task\0_EnvCheck\
    > ls
    > .\run_hunt.cmd
Mac/Linux:
    > cd ./task/0_EnvCheck/
    > ls
    > ./run_hunt.sh

Slide 23

Slide 23 text

Env Setup - Hunting
◆ Since no rules have been added yet, the tool will display that there are no detectable rules

Slide 24

Slide 24 text

Env Setup - Hunting
◆ Move the files under the 'rule' directory to the 'test' directory

Slide 25

Slide 25 text

Env Setup - Hunting
◆ Run it again to check if any events have been captured by our hunting

Slide 26

Slide 26 text

Creating Sigma Rules
https://sigmahq.github.io/sigma-specification/Sigma_specification.html

Slide 27

Slide 27 text

Sigma Writing Steps
1. Information gathering
   The first step to building a Sigma rule is deciding what activity you need to find

Slide 28

Slide 28 text

Sigma Writing Steps
1. Information gathering
   The first step to building a Sigma rule is deciding what activity you need to find
2. Rule Creation
   Compose Sigma rules based on events recorded in the system log
   Find the Anomalous Behavior !!!

Slide 29

Slide 29 text

Sigma Writing Steps
1. Information gathering
   The first step to building a Sigma rule is deciding what activity you need to find
2. Rule Creation
   Compose Sigma rules based on events recorded in the system log
3. Detection testing and improvement
   Perform testing of the rule for false positives in both standard and anomalous system environments
   https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml

Slide 30

Slide 30 text

Rule Identification
◆ Rule should be identified (title, id)
Sigma:
    title: Test
    id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
    status: test
    description: Detects behavior for CybersecLab
    references:
    author: iThome Cybersec
    date: 2023/04/14
    tags:
        - attack.impact
    logsource:
        category: process_creation
        product: windows
    detection:
        selection:
            - Image|endswith: '\run.exe'
            - CommandLine|contains: 'cybersec'
        condition: selection
    falsepositives:
        - Unknown
    level: high

Slide 31

Slide 31 text

Rule Detail (fields of the Sigma rule shown on the previous slides)
◆ Status: Declares the status of the rule
◆ Description: A short description of the rule
◆ References: Reference to the source that the rule was derived from
◆ Date: Creation date of the rule

Slide 32

Slide 32 text

Detection Logic (fields of the Sigma rule shown on the previous slides)
◆ Log Source: describes the log data on which the detection is meant to be applied.
  ◆ category: Ex: firewall, antivirus
  ◆ product: Ex: win, apache
  ◆ service: Ex: sushi, applocker

Slide 33

Slide 33 text

Detection Logic (fields of the Sigma rule shown on the previous slides)
◆ Detection: A set of search-identifiers that represent properties of searches on log data.
◆ Lists and maps

Slide 34

Slide 34 text

Detection Logic - List
◆ Starting with a hyphen
◆ All items of a list are logically linked with 'OR'
key-value pair:
    Selection:
        - Image: '\run.exe'
        - CommandLine: 'cybersec'
    -> Image is '\run.exe' OR CommandLine is 'cybersec'
String:
    Selection:
        - '\run.exe'
        - 'cybersec'
    -> Log contains '\run.exe' OR 'cybersec'

Slide 35

Slide 35 text

Detection Logic - Maps
◆ Starting without a hyphen
◆ All elements of a map are joined with a logical 'AND'
key-value pair:
    Selection:
        Image: '\run.exe'
        CommandLine: 'cybersec'
    -> Image is '\run.exe' AND CommandLine is 'cybersec'
String:
    Selection:
        '\run.exe'
        'cybersec'
    -> Log contains '\run.exe' AND 'cybersec'

Slide 36

Slide 36 text

Detection Logic - Modifiers
◆ contains -> The field's content contains a certain keyword
◆ endswith -> Expect the keyword at the end of the field's content
◆ startswith -> Expect the keyword at the beginning of the field's content
    Selection:
        Image|contains: '\run.exe'
        CommandLine|contains: 'cybersec'

Slide 37

Slide 37 text

Detection Logic - condition
    selection_a:
        - Image: '\run.exe'
        - CommandLine: 'cybersec'
    selection_b:
        - Image: '\good.exe'
        - CommandLine: 'malware'
    condition: 1 of selection*

Slide 38

Slide 38 text

Detection Logic - Examples
◆ What does this code aim to convey?
    detection:
        selection_cscript:
            Image|endswith: '\cscript.exe'
            CommandLine|contains: '.vbs /shell '
        selection_csvde:
            CommandLine|contains:
                - 'csvde -f C:\windows\web\'
                - 'cscript.exe'
        condition: 1 of selection_*
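To make the list/map/modifier/condition semantics of the last five slides concrete, here is an added example (not code from the slides, from TeamT5 or from the SigmaHQ pySigma library): a minimal evaluator that applies a detection block, loaded as a Python dict the way the YAML would load, to Sysmon-like process-creation events. It implements exactly what the slides explain: a list is OR, a map is AND, contains/startswith/endswith and |all modifiers, and the "1 of selection_*" quantifier; wildcards and the other Sigma modifiers are left out. The events are constructed for the example and the Image/CommandLine field names follow Sysmon EventID 1.

```python
import fnmatch
import re


def _match_value(value, pattern, modifiers):
    """Compare one field value with one pattern under the given modifiers.
    Matching is case-insensitive like Sigma; wildcards are not implemented."""
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in v
    if "startswith" in modifiers:
        return v.startswith(p)
    if "endswith" in modifiers:
        return v.endswith(p)
    return v == p


def _match_field(event, key, patterns):
    """'Field|mod1|mod2: value(s)'. Several values are OR, unless |all is given."""
    field, *modifiers = key.split("|")
    if field not in event:
        return False
    values = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(event[field], p, modifiers) for p in values]
    return all(hits) if "all" in modifiers else any(hits)


def match_selection(event, selection):
    """Map = AND over its fields; list = OR over its items (slides 34 and 35).
    A list item is either a map or a bare keyword searched in every field."""
    if isinstance(selection, dict):
        return all(_match_field(event, k, v) for k, v in selection.items())
    for item in selection:
        if isinstance(item, dict):
            if match_selection(event, item):
                return True
        elif any(str(item).lower() in str(v).lower() for v in event.values()):
            return True
    return False


def evaluate(detection, event):
    """Evaluate the condition string: identifiers, and/or/not, parentheses,
    and '1 of <glob>' / 'all of <glob>' / '... of them' over the selection names."""
    results = {k: match_selection(event, v)
               for k, v in detection.items() if k != "condition"}

    def of_clause(m):
        glob = "*" if m.group(2) == "them" else m.group(2)
        hits = [r for n, r in results.items() if fnmatch.fnmatch(n, glob)]
        return str(any(hits) if m.group(1) == "1" else all(hits))

    expr = re.sub(r"\b(1|all) of ([\w*]+)", of_clause, detection["condition"])
    expr = re.sub(r"\b(?!not\b|and\b|or\b|True\b|False\b)[A-Za-z_]\w*",
                  lambda m: str(results[m.group(0)]), expr)
    return bool(eval(expr, {"__builtins__": {}}, {}))  # only True/False/and/or/not remain


# The detection block from slide 38, as the YAML would load.
SLIDE_38 = {
    "selection_cscript": {"Image|endswith": "\\cscript.exe",
                          "CommandLine|contains": ".vbs /shell "},
    "selection_csvde": {"CommandLine|contains": ["csvde -f C:\\windows\\web\\",
                                                 "cscript.exe"]},
    "condition": "1 of selection_*",
}

# Constructed process-creation events for the example (not from the lab logs).
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cscript.exe",
     "CommandLine": "cscript.exe C:\\Users\\u\\a.vbs /shell cmd"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\csvde.exe",
     "CommandLine": "csvde -f C:\\windows\\web\\export.csv"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]


def hunt(detection, events):
    """Indexes of the events that satisfy the detection block."""
    return [i for i, e in enumerate(events) if evaluate(detection, e)]


if __name__ == "__main__":
    print(hunt(SLIDE_38, EVENTS))  # [0, 1]
```

Running it answers the slide's question: the first event is caught by selection_cscript (and, because the csvde list is an OR that also contains 'cscript.exe', by selection_csvde too), the second only by selection_csvde, and notepad by neither.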

Slide 39

Slide 39 text

Task Introduction

Slide 40

Slide 40 text

Threat Hunting with Sigma
System Recorder: Sysmon (Logs, Processes, Registry, Filesystem)
-> Logging Strategy: Sysmon config (https://github.com/SwiftOnSecurity/sysmon-config)
-> Threat Hunting Model: Sigma Rules
-> Hunting by chainsaw tool

Slide 41

Slide 41 text

Sysmon
◆ Sysmon is a system monitoring tool developed by Microsoft that can record various events on Windows systems
◆ Uses Event Tracing for Windows (ETW) to log events, ensuring that events are captured in a standardized format that can be easily parsed and analyzed

Slide 42

Slide 42 text

Sysmon Event ID

Slide 43

Slide 43 text

Sysmon Log File
◆ Path
  ◆ C:\Windows\System32\winevt\Logs

Slide 44

Slide 44 text

Threat Hunting with Sigma
System Recorder: Sysmon (Logs, Processes, Filesystem, Packets, Devices)
-> Logging Strategy: Sysmon config (https://github.com/SwiftOnSecurity/sysmon-config)
-> Threat Hunting Model: Sigma Rules
-> Hunting by chainsaw tool

Slide 45

Slide 45 text

Chainsaw
◆ Rapidly Search and Hunt through Windows Forensic Artefacts (.evtx)
◆ https://github.com/WithSecureLabs/chainsaw

Slide 46

Slide 46 text

Task1: Mimikatz Dump Credentials

Slide 47

Slide 47 text

Incident Contents
Subject: Cyberattack incident
Event description: The client's IT personnel discovered successful remote login records in AD, indicating a possible theft of passwords. Additionally, they found evidence of Mimikatz execution in the log files.
Remediation approach: Request the Threat Detection Team to design Sigma rules based on the provided syslog to prevent other clients from experiencing the same attack.
Comments: Provide the sysmon log file (.evtx) for analysis.

Slide 48

Slide 48 text

Mimikatz Credentials Dump
◆ Dump plaintext password
◆ Dump NTLM hash

Slide 49

Slide 49 text

(1) Study Sysmon Event Log
◆ Process Creation: Dump plaintext password from lsass Process Memory
Record 1995
    {
      "EventData": {
        "CommandLine": "\"C:\\Users\\user\\Desktop\\x64\\mimikatz.exe\" privilege::debug sekurlsa::logonpasswords exit",
        "Image": "C:\\Users\\user\\Desktop\\x64\\mimikatz.exe",
        "OriginalFileName": "mimikatz.exe",
        "ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ",
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      },
      "System": {
        "EventID": 1,

Slide 50

Slide 50 text

(1) Study Sysmon Event Log
◆ Process Creation: Dump plaintext password from lsass Process Memory
    CommandLine: .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

Slide 51

Slide 51 text

(1) Study Sysmon Event Log
◆ Save hklm\security hklm\sam registry
◆ Mimikatz reads the dump files
Record 2380
    {
      "EventData": {
        "CommandLine": "\"C:\\Windows\\system32\\reg.exe\" save hklm\\sam SamBkup.hiv",
        "Company": "Microsoft Corporation",
        "CurrentDirectory": "C:\\Users\\user\\Desktop\\x64\\",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "OriginalFileName": "reg.exe",
        "User": "WIN10-PRO-22H2-\\user",
        "UtcTime": "2023-04-27 03:32:47.015"
      },
      "System": {
        "EventID": 1,

Slide 52

Slide 52 text

(1) Study Sysmon Event Log
    reg save hklm\sam SamBkup.hiv
    reg save hklm\security SystemBkup.hiv
    .\mimikatz.exe "privilege::debug" "token::elevate" "log hash.txt" "lsadump::sam SamBkup.hiv SystemBkup.hiv" "exit"
◆ Save hklm\security hklm\sam registry
  ◆ \SAM contains local user account and local group membership information, including their passwords.
  ◆ \SECURITY stores the Lsass policy database

Slide 53

Slide 53 text

(3) Writing Rule
◆ Note:
  ◆ Focus on interesting behavior
    ◆ Process creation with abnormal string
    ◆ Registry Save
    ◆ …
  ◆ Are there any unique characteristics of the specific behavior?

Slide 54

Slide 54 text

Hunting: Process Create
    detection:
        filter:
            - EventID: 1
        selection:
            CommandLine|contains:
                - 'privilege::debug'
                - 'privilege::driver'
                - 'sekurlsa::'
                - ………
        condition: selection and filter
3 events hit

Slide 55

Slide 55 text

Hunting: Reg Save
    detection:
        filter:
            - EventID: 1
        selection:
            CommandLine|contains:
                - 'save hklm\sam'
                - 'save hklm\security'
            OriginalFileName|contains: 'reg.exe'
        condition: selection and filter
5 events hit

Slide 56

Slide 56 text

Hunting: Process Access
https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN
    detection:
        filter:
            - EventID: 10
        selection:
            TargetImage|contains: 'lsass.exe'
            GrantedAccess:
                - '0x1410'
                - '0x1010'
        condition: selection and filter
2 events hit
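Why the Process Access rule keys on exactly '0x1410' and '0x1010' is easier to see once the GrantedAccess mask is decoded. The following is an added example (not code from the slides or from TeamT5): it expands a Sysmon EventID 10 GrantedAccess value into the documented Windows process access rights, reproduces the slide's exact rule, and then generalizes it to "any lsass access that includes PROCESS_VM_READ", which is what a credential dump needs regardless of which other bits are set. The access-right constants are the documented values from the Microsoft page referenced on the slide; the events are constructed for the example (the C:\tools\dumper.exe path is made up) and are not the lab's .evtx records.

```python
# Documented process access rights (Microsoft "Process Security and Access Rights").
PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010


def decode_granted_access(mask):
    """Expand a Sysmon GrantedAccess string such as '0x1410' into right names.
    Bits outside the process-specific range (standard/generic rights) are
    reported as one OTHER_0x... entry instead of being silently dropped."""
    bits = int(str(mask), 16)
    names = [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if bits & bit]
    leftover = bits & ~sum(PROCESS_ACCESS_RIGHTS)
    if leftover:
        names.append("OTHER_0x%x" % leftover)
    return names


def slide_rule_hit(event):
    """The exact logic of the slide's rule: EventID 10, lsass target,
    GrantedAccess equal to one of the two listed masks."""
    return (event.get("EventID") == 10
            and "lsass.exe" in event.get("TargetImage", "").lower()
            and event.get("GrantedAccess", "").lower() in ("0x1410", "0x1010"))


def reads_lsass_memory(event):
    """Generalization: any handle to lsass.exe whose mask includes VM_READ."""
    return (event.get("EventID") == 10
            and event.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and bool(int(event.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ))


def hunt(events, predicate):
    """Indexes of the events for which the predicate holds."""
    return [i for i, e in enumerate(events) if predicate(e)]


# Constructed EventID 10 records for the example (not from the lab logs).
EVENTS = [
    {"EventID": 10, "SourceImage": "C:\\Users\\user\\Desktop\\x64\\mimikatz.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": "C:\\tools\\dumper.exe",        # made-up path
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": "C:\\Users\\user\\Desktop\\x64\\mimikatz.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    print(decode_granted_access("0x1410"))
    print(hunt(EVENTS, slide_rule_hit), hunt(EVENTS, reads_lsass_memory))
```

0x1410 decodes to VM_READ + QUERY_INFORMATION + QUERY_LIMITED_INFORMATION and 0x1010 to VM_READ + QUERY_LIMITED_INFORMATION, so both are "read lsass memory" handles. The exact-value rule misses the third constructed event, a full-access (0x1fffff) handle; the VM_READ generalization catches it, at the cost of more false positives from legitimate security software that also reads lsass, which is the trade-off the Splunk post referenced above discusses.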

Slide 57

Slide 57 text

APT Attack detection with Sigma

Slide 58

Slide 58 text

Task2: Hunting PlugX RAT

Slide 59

Slide 59 text

Incident Contents
Subject: Cyberattack incident
Event description: MDR team identified a YARA rule for PlugX during regular scanning, confirming that the client is affected by the PlugX malware.
Remediation approach: Request the Threat Detection Team to design Sigma rules based on the provided information in order to prevent other clients from experiencing the same attack
Comments: Provide the sysmon log file (.evtx) for analysis.
https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html

Slide 60

Slide 60 text

PlugX
◆ First seen: 2008
◆ A RAT with modular plugins
◆ Used by many Chinese APT groups
  ◆ APT41, APT27, DragonOK
◆ Various PlugX variants
https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf

Slide 61

Slide 61 text

(1) Study Sysmon Event Log
◆ Process Creation: DLL Sideload
  ◆ DLL Search Order Hijacking T1574.001
  ◆ DLL Sideload is a technique that involves loading and executing an external Dynamic Link Library (DLL) in a Windows application
x32dbg.exe (EXE) -> import lib -> x32bridge.dll (DLL)

Slide 62

Slide 62 text

(1) Study Sysmon Event Log
◆ File Creation: move malware to three paths
Record 15317
    {
      "EventData": {
        "CreationUtcTime": "2023-04-29 05:37:11.531",
        "Image": "C:\\Users\\user\\Desktop\\release\\x32\\x32dbg.exe",
        "ProcessGuid": "CAB8CBF0-AD07-644C-CD02-000000000F00",
        "ProcessId": 5256,
        "TargetFilename": "C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe",
      },
      "System": {
        "EventID": 11,

Slide 63

Slide 63 text

(1) Study Sysmon Event Log
◆ File Creation: move malware to three paths
  ◆ C:\ProgramData\UsersDate\Windows_NT\Windows\User\Desktop
  ◆ C:\Users\Public\Public Mediae\
  ◆ C:\Users\\Users\

Slide 64

Slide 64 text

(1) Study Sysmon Event Log
◆ Persistence: Scheduled Task
Record 15325
    {
      "EventData": {
        "CommandLine": "schtasks /create /sc minute /mo 5 /tn LKUFORYOU_1 /tr C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe /f",
        "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "ParentCommandLine": "C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop//x32dbg.exe",
        "UtcTime": "2023-04-29 05:37:11.653"
      },
      "System": {
        "EventID": 1,

Slide 65

Slide 65 text

(1) Study Sysmon Event Log
◆ Persistence: Scheduled Task
  ◆ T1053 Scheduled Task/Job
  ◆ "schtasks" is a command-line tool used to configure scheduled tasks
  ◆ A Scheduled Task allows the malware to continue running even after the system has been rebooted, making it more difficult to remove
    `schtasks /create /sc minute /mo 5 /tn LKUFORYOU_1 /tr C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe /f`

Slide 66

Slide 66 text

(1) Study Sysmon Event Log
◆ Persistence: Registry Set
Record 15326
    {
      "EventData": {
        "Details": "C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe",
        "EventType": "SetValue",
        "Image": "C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe",
        "TargetObject": "HKU\\S-1-5-21-1924812608-2403969082-1162371674-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\x32dbg",
      },
      "System": {
        "EventID": 13,

Slide 67

Slide 67 text

(1) Study Sysmon Event Log
◆ Persistence: Registry Set
  ◆ Windows Run keys
    ◆ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ◆ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  ◆ The `RUN` key allows the malware to continue running even after the system has been rebooted.

Slide 68

Slide 68 text

(1) Study Sysmon Event Log
◆ System Binary Proxy Execution: Rundll32
Record 15324
    {
      "EventData": {
        "CommandLine": "rundll32 SHELL32.DLL, ShellExec_RunDLL rundll32 C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\akm.dat,Start",
        "Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "ParentCommandLine": "C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop//x32dbg.exe",
        "UtcTime": "2023-04-29 05:37:11.645"
      },
      "System": {
        "EventID": 1,

Slide 69

Slide 69 text

(1) Study Sysmon Event Log
◆ System Binary Proxy Execution: Rundll32
  ◆ Attackers often use Rundll32 to execute malicious code by creating a DLL with a specific exported function
  ◆ With rundll32, the attacker can execute their malicious code using a trusted system binary, making it more difficult to detect and block
    "rundll32 SHELL32.DLL, ShellExec_RunDLL rundll32 C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\akm.dat,Start",

Slide 70

Slide 70 text

(2) Attack Summary
x32dbg.exe (EXE) -> DLL Sideload -> x32bridge.dll (DLL)
x32dbg.exe -> File Move -> x32dbg.exe
x32dbg.exe -> Scheduled Task
x32dbg.exe -> Registry Set -> \\Run\\x32dbg
x32dbg.exe -> Proxy run DLL (rundll32) -> akm.dat (DLL)
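The attack summary above is what an analyst assembles by hand from records 15317, 15324, 15325 and 15326. The following is an added example (not code from the slides, from TeamT5 or from Chainsaw) that does the same correlation programmatically: each Sysmon record is mapped to a behavior label and to the process that caused it (the Image for file and registry events, the ParentImage for the schtasks and rundll32 children), the behaviors are grouped by the actor's file name so the original x32dbg.exe and its ProgramData copy fall into one chain, and an actor showing two or more persistence/proxy-execution behaviors is flagged. The events are constructed to mirror the records on the slides (the SID is a placeholder and the svchost.exe task is a made-up benign control), not the lab's .evtx data; the threshold of two behaviors is an assumption.

```python
import ntpath
from collections import OrderedDict

PLUGX_DIR = "C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop"
RUN_KEY = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
PERSIST_OR_PROXY = {"scheduled_task", "run_key", "rundll32_proxy"}


def classify(event):
    """Map one Sysmon record to (actor process path, behaviour label), or None."""
    eid = event.get("EventID")
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "").lower()
    exe = ntpath.basename(image).lower()
    if eid == 11:
        # EventID 11: an executable written outside the writer's own directory.
        target = event.get("TargetFilename", "")
        if (target.lower().endswith(".exe")
                and ntpath.dirname(target).lower() != ntpath.dirname(image).lower()):
            return image, "file_move"
    elif eid == 13 and RUN_KEY.lower() in event.get("TargetObject", "").lower():
        return image, "run_key"
    elif eid == 1:
        parent = event.get("ParentImage", "")   # the actor is the parent process
        if exe == "schtasks.exe" and "/create" in cmd:
            return parent, "scheduled_task"
        if exe == "rundll32.exe" and "shellexec_rundll" in cmd:
            return parent, "rundll32_proxy"
    return None


def behavior_chain(events):
    """Behaviour labels per actor file name, in event order."""
    chains = OrderedDict()
    for event in events:
        hit = classify(event)
        if hit:
            actor, label = hit
            chains.setdefault(ntpath.basename(actor).lower(), []).append(label)
    return chains


def suspicious_actors(chains, threshold=2):
    """Actors that show at least `threshold` distinct persistence/proxy behaviours."""
    return [actor for actor, labels in chains.items()
            if len(PERSIST_OR_PROXY & set(labels)) >= threshold]


# Constructed records mirroring slides 62-69 (placeholder SID, not lab data).
EVENTS = [
    {"EventID": 11, "Image": "C:\\Users\\user\\Desktop\\release\\x32\\x32dbg.exe",
     "TargetFilename": PLUGX_DIR + "\\x32dbg.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "ParentImage": PLUGX_DIR + "\\x32dbg.exe",
     "CommandLine": "schtasks /create /sc minute /mo 5 /tn LKUFORYOU_1 /tr "
                    + PLUGX_DIR + "\\x32dbg.exe /f"},
    {"EventID": 13, "Image": PLUGX_DIR + "\\x32dbg.exe", "EventType": "SetValue",
     "TargetObject": "HKU\\S-1-5-21-0-0-0-1001" + RUN_KEY + "x32dbg"},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "ParentImage": PLUGX_DIR + "\\x32dbg.exe",
     "CommandLine": "rundll32 SHELL32.DLL, ShellExec_RunDLL rundll32 "
                    + PLUGX_DIR + "\\akm.dat,Start"},
    # Benign controls: the debugger writing its own settings file next to
    # itself, and a system service creating a single scheduled task.
    {"EventID": 11, "Image": "C:\\Users\\user\\Desktop\\release\\x32\\x32dbg.exe",
     "TargetFilename": "C:\\Users\\user\\Desktop\\release\\x32\\x32dbg.ini"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "schtasks /create /sc daily /tn Maintenance /tr C:\\Windows\\System32\\cleanmgr.exe"},
]

if __name__ == "__main__":
    chains = behavior_chain(EVENTS)
    print(dict(chains), suspicious_actors(chains))
```

The chain for x32dbg.exe comes out as file_move, scheduled_task, run_key, rundll32_proxy, which is the summary slide, while the single benign task from svchost.exe stays below the threshold; this is the reasoning behind combining a behavior selection with a PlugX-specific signature selection in the rules that follow.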

Slide 71

Slide 71 text

(3) Writing Rule
◆ Note:
  ◆ The file x32dbg.exe is a legitimate executable of a debugging software
  ◆ Focus on interesting behavior
    ◆ Scheduled Task
    ◆ Registry Set
    ◆ Rundll32
    ◆ …
  ◆ Are there any unique characteristics of the specific behavior?

Slide 72

Slide 72 text

(4) Writing Rule: Scheduled Task
    eventid:
        EventID: 1
    selection_sch_name:
        - Image|endswith: 'schtasks.exe'
    selection_sch_command:
        - CommandLine|contains:
            - /create
            - /sc
            - /mo
    selection_plugx_signature:
        - CommandLine|contains:
            - 'LKUFORYOU_1'
            - 'x32dbg.exe'
            - 'C:\\ProgramData\\UsersDate\\Windows_NT\\Windows'
    condition: 1 of selection_sch* and selection_plugx_signature and eventid

Slide 73

Slide 73 text

Hunting: Scheduled Task 23 events hit

Slide 74

Slide 74 text

(4) Writing Rule: Registry Set
    eventid:
        EventID: 13
        EventType: 'SetValue'
    selection_reg:
        - TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
        - TargetObject|endswith: 'x32dbg'
    selection_file:
        - Image|startswith: 'C:\\ProgramData\\UsersDate\\Windows_NT\\Windows'
        - Image|contains: 'x32dbg'
    condition: 1 of selection* and eventid

Slide 75

Slide 75 text

Hunting: Registry Set
1 event hit

Slide 76

Slide 76 text

(4) Writing Rule: rundll32
    eventid:
        EventID: 1
    selection_rundll32_name:
        - Image|endswith: 'rundll32.exe'
    selection_rundll32_command:
        - CommandLine|contains|all:
            - 'ShellExec_RunDLL'
            - 'SHELL32.DLL'
    selection_plugx_signature:
        - CommandLine|contains:
            - 'Start'
        - ParentImage|contains:
            - 'x32dbg.exe'
            - 'C:\\ProgramData\\UsersDate\\Windows_NT\\Windows'
    condition: 1 of selection_rundll32* and selection_plugx_signature

Slide 77

Slide 77 text

Hunting: rundll32
2 events hit

Slide 78

Slide 78 text

Task3: Hunting Higaisa APT - Shortcut-Based (Lnk) Attacks

Slide 79

Slide 79 text

Incident Contents
Subject: Cyberattack incident
Event description: The MDR team has identified suspicious lnk commands being executed on the system, along with indications of connections to a malicious C2 server
Remediation approach: Request the Threat Detection Team to design Sigma rules based on the provided information in order to prevent other clients from experiencing the same attack
Comments: Provide the sysmon log file (.evtx) for analysis.
https://www.malwarebytes.com/blog/news/2020/06/higaisa

Slide 80

Slide 80 text

LNK File
◆ The Shell Link Binary File Format (.LNK) contains metadata about the executable file, including the original path to the target application
https://www.resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise

Slide 81

Slide 81 text

LNK File
◆ LNK files typically look legitimate, and may have an icon the same as an existing application or document.
https://www.resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise

Slide 82

Slide 82 text

(1) Study Sysmon Event Log
◆ User Execution: Malicious File
  ◆ Relies upon a user opening a malicious file in order to gain execution
  ◆ Determine which commands are executed behind the lnk file
International English….pdf.lnk (LNK) -> Click -> cmd.exe (EXE)

Slide 83

Slide 83 text

(1) Study Sysmon Event Log
◆ User Execution: Malicious File
Record 14978
    {
      "EventData": {
        "CommandLine": "\"C:\\windows\\System32\\cmd.exe\" ... ...",
        "Company": "Microsoft Corporation",
        "CurrentDirectory": "C:\\Users\\user\\Desktop\\mal\\",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "UtcTime": "2023-04-29 04:39:33.239"
      },
      "System": {
        "EventID": 1,

Slide 84

Slide 84 text

(1) Study Sysmon Event Log
◆ User Execution: Malicious File
◆ LNK Commandline analysis
    copy "International English Language Testing System certificate.pdf.lnk" C:\\Users\\user\\AppData\\Local\\Temp\\g4ZokyumB2DC4.tmp /y
    for /r C:\\Windows\\System32\\ %%i in (*ertu*.exe) do copy %%i C:\\Users\\user\\AppData\\Local\\Temp\\gosia.exe /y
  ◆ Copy the decoy lnk file to the tmp folder and rename it to "g4ZokyumB2DC4.tmp"
  ◆ Find the file *ertu*.exe and copy it to the tmp folder, renamed to "gosia.exe"

Slide 85

Slide 85 text

(1) Study Sysmon Event Log
◆ User Execution: Malicious File
◆ LNK Commandline analysis
  ◆ Copy the decoy lnk file to the tmp folder and rename it to "g4ZokyumB2DC4.tmp"
  ◆ Find the file *ertu*.exe and copy it to the tmp folder, renamed to "gosia.exe"
    -> the matched file is certutil.exe: https://lolbas-project.github.io/lolbas/Binaries/Certutil/

Slide 86

Slide 86 text

(1) Study Sysmon Event Log
    findstr.exe /b \"TVNDRgA\" C:\\Users\\user\\AppData\\Local\\Temp\\g4ZokyumB2DC4.tmp>C:\\Users\\user\\AppData\\Local\\Temp\\cSi1rouy4.tmp
    C:\\Users\\user\\AppData\\Local\\Temp\\gosia.exe -decode C:\\Users\\user\\AppData\\Local\\Temp\\cSi1rouy4.tmp C:\\Users\\user\\AppData\\Local\\Temp\\o423DFDS4.tmp
◆ LNK Commandline analysis
◆ Deobfuscate/Decode Files or Information
  ◆ Search the file for lines starting with the string "TVNDRgA", then save the matching content to "cSi1rouy4.tmp"
  ◆ Use gosia.exe (certutil.exe) to decode the new file, then store the result in "o423DFDS4.tmp"

Slide 87

Slide 87 text

(1) Study Sysmon Event Log
    & expand C:\\Users\\user\\AppData\\Local\\Temp\\o423DFDS4.tmp -F:* C:\\Users\\user\\AppData\\Local\\Temp
    & "C:\\Users\\user\\AppData\\Local\\Temp\\International English Language Testing System certificate.pdf"
◆ LNK Commandline analysis
◆ Deobfuscate/Decode Files or Information
  ◆ Extract the file "o423DFDS4.tmp"
  ◆ Open the decoy pdf
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/expand

Slide 88

Slide 88 text

(1) Study Sysmon Event Log
    copy C:\\Users\\user\\AppData\\Local\\Temp\\66DF3DFG.tmp C:\\Users\\Public\\Downloads\\66DF3DFG.tmp
    Wscript C:\\Users\\user\\AppData\\Local\\Temp\\34fDFkfSD38.js
    exit
◆ LNK Commandline analysis
◆ Scripting Interpreter: JavaScript
  ◆ Copy "66DF3DFG.tmp" to the Downloads folder
  ◆ Use Wscript to run "34fDFkfSD38.js"

Slide 89

Slide 89 text

(1) Study Sysmon Event Log
◆ Process Creation: Wscript executes cmd.exe
Record 14987
    {
      "EventData": {
        "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c ipconfig>C:\\Users\\Public\\Downloads\\d3reEW.txt & copy C:\\Users\\user\\AppData\\Local\\Temp\\svchastd.exe \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Officeupdated.exe\" ... ...",
        "ParentCommandLine": "Wscript C:\\Users\\user\\AppData\\Local\\Temp\\34fDFkfSD38.js",
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "UtcTime": "2023-04-29 04:39:33.818"
      },
      "System": {
        "EventID": 1,

Slide 90

Slide 90 text

(1) Study Sysmon Event Log
    ipconfig>C:\\Users\\Public\\Downloads\\d3reEW.txt
◆ JS Commandline analysis
◆ System Network Configuration Discovery: ipconfig
  ◆ Save the system's network information to 'd3reEW.txt'

Slide 91

Slide 91 text

(1) Study Sysmon Event Log
    copy C:\\Users\\user\\AppData\\Local\\Temp\\svchastd.exe \"C:\\Users\\Public\\Downloads\\Officeupdated.exe\"
    schtasks /create /SC minute /MO 120 /TN \"Office update task\" /TR "C:\\Users\\Public\\Downloads\\Officeupdated.exe"
◆ JS Commandline analysis
◆ Persistence: schtasks
  ◆ Copy the file 'svchastd.exe' that was just extracted to this directory
  ◆ Use schtasks to set autorun

Slide 92

Slide 92 text

(2) Attack Summary
cmd.exe -> Run -> Inte….pdf.lnk (LNK)
  -> Copy -> Certutil.exe -> Decode -> o423DFDS4.tmp (ZIP)
  -> 34fDFkfSD38.js (.JS) -> Read config (Ipconfig.exe)
  -> Move -> svchastd.exe -> Officeupdated.exe -> schtasks
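Slides 84-91 walk the LNK command line stage by stage by hand. The following is an added example (not code from the slides or from TeamT5) that parses such a cmd.exe chain: it splits the line on '&' outside quotes, labels each stage (copy, for-loop copy, findstr with redirect, certutil-style -decode, expand, decoy document, script host, exit), collects the files the chain writes as hunt pivots, and checks the one thing that makes this chain distinctive, a decode performed by a binary that an earlier stage copied into place (the renamed certutil.exe). It also confirms that the findstr prefix "TVNDRgA" is the base64 form of the CAB header "MSCF", which is why the next stage is expand. The command line is reconstructed from the fragments on the slides with single backslashes and is constructed for this example, not the raw .evtx record.

```python
import base64
import ntpath
import re
from collections import namedtuple

Stage = namedtuple("Stage", "label program artifact")
TOKEN = re.compile(r'"[^"]*"|\S+')

# Reconstructed from slides 84-88 (single backslashes); constructed, not lab data.
TEMP = r"C:\Users\user\AppData\Local\Temp"
HIGAISA_CMDLINE = " & ".join([
    r'copy "International English Language Testing System certificate.pdf.lnk" ' + TEMP + r"\g4ZokyumB2DC4.tmp /y",
    r"for /r C:\Windows\System32\ %%i in (*ertu*.exe) do copy %%i " + TEMP + r"\gosia.exe /y",
    r'findstr.exe /b "TVNDRgA" ' + TEMP + r"\g4ZokyumB2DC4.tmp>" + TEMP + r"\cSi1rouy4.tmp",
    TEMP + r"\gosia.exe -decode " + TEMP + r"\cSi1rouy4.tmp " + TEMP + r"\o423DFDS4.tmp",
    r"expand " + TEMP + r"\o423DFDS4.tmp -F:* " + TEMP,
    '"' + TEMP + r'\International English Language Testing System certificate.pdf"',
    r"copy " + TEMP + r"\66DF3DFG.tmp C:\Users\Public\Downloads\66DF3DFG.tmp",
    r"Wscript " + TEMP + r"\34fDFkfSD38.js",
    "exit",
])


def split_stages(cmdline):
    """Split a cmd.exe line on '&' that is not inside double quotes."""
    stages, buf, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        if ch == "&" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def classify(stage):
    """Label one stage and pick out the file it produces or acts on."""
    body, _, redirect = stage.partition(">")          # output redirection target
    tokens = [t.strip('"') for t in TOKEN.findall(body)]
    head = ntpath.basename(tokens[0]).lower()
    args = [t for t in tokens[1:] if not t.startswith("/")]   # drop /y, /b, /r ...
    if head == "copy":
        return Stage("copy", tokens[0], args[-1])
    if head == "for" and "copy" in args:
        return Stage("for_copy", tokens[0], args[args.index("copy") + 2])
    if head.startswith("findstr"):
        return Stage("findstr", tokens[0], redirect.strip().strip('"'))
    if any(a.lower() in ("-decode", "/decode") for a in args):
        return Stage("decode", tokens[0], args[-1])   # certutil syntax: in out
    if head == "expand":
        return Stage("expand", tokens[0], args[0])
    if head in ("wscript", "wscript.exe", "cscript", "cscript.exe"):
        return Stage("script", tokens[0], args[0])
    if head == "exit":
        return Stage("exit", tokens[0], "")
    if len(tokens) == 1:
        return Stage("open_document", tokens[0], tokens[0])   # bare path = open it
    return Stage("other", tokens[0], "")


def analyze(cmdline):
    return [classify(s) for s in split_stages(cmdline)]


def written_files(stages):
    """Paths the chain writes to disk; useful as hunt pivots."""
    return [s.artifact for s in stages if s.label in ("copy", "for_copy", "findstr", "decode")]


def renamed_tool(stages):
    """The decode program if an earlier copy stage put it in place (renamed LOLBin)."""
    dropped = set()
    for s in stages:
        if s.label == "decode" and s.program.lower() in dropped:
            return s.program
        if s.label in ("copy", "for_copy"):
            dropped.add(s.artifact.lower())
    return None


def findstr_prefix_magic(prefix):
    """Decode a base64 prefix such as 'TVNDRgA' to see which file header it hides."""
    padded = prefix + "=" * (-len(prefix) % 4)
    return base64.b64decode(padded)[:4]


if __name__ == "__main__":
    stages = analyze(HIGAISA_CMDLINE)
    for s in stages:
        print(s.label, s.artifact)
    print(renamed_tool(stages), findstr_prefix_magic("TVNDRgA"))
```

The stage labels come out in the order copy, for_copy, findstr, decode, expand, open_document, copy, script, exit, which is the chain drawn on the summary slide; renamed_tool returns the gosia.exe path, and the decoded prefix is b"MSCF", a CAB archive, which matches the use of expand in the next stage. A cmd.exe chain whose decode step is run by a freshly copied binary rather than by certutil.exe under its own name is the behavior the certutil_copy_behavior selection in the later "decode payload" rule is after.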

Slide 93

Slide 93 text

(3) Writing Rule
◆ Note:
  ◆ Focus on interesting behavior
    ◆ Process creation with LNK file
    ◆ certutil.exe, svchastd.exe copy and use
    ◆ Process creation with JS file
    ◆ System config read

Slide 94

Slide 94 text

(3) Writing Rule: LNK file execution
    detection:
        eventid:
            EventID: 1
        lnk_behavior:
            CommandLine|contains: '.lnk'
            ParentImage: 'C:\Windows\explorer.exe'
            Image|contains:
                - 'cmd.exe'
                - 'powershell.exe'
        selection_HigaisaAPT_signature:
            - CommandLine|contains:
                - 'gosia.exe'
                - 'svchastd'
                - 'Officeupdated'

Slide 95

Slide 95 text

(3) Hunting: LNK file execution
1 event hit

Slide 96

Slide 96 text

(4) Writing Rule: Script Execution
    eventid:
        EventID: 1
    script_image:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    selection_file_extension:
        CommandLine|contains:
            - '.jse'
            - '.vbe'
            - '.js'
    falsepositive:
        ParentImage|contains: '\winzip'
    condition: eventid and script_image and 1 of selection* and not falsepositive

Slide 97

Slide 97 text

(4) Hunting: Script Execution
1 event hit

Slide 98

Slide 98 text

(4) Writing Rule: decode payload
    eventid:
        EventID: 1
    certutil_copy_behavior:
        CommandLine|contains:
            - 'certutil.exe'
            - 'copy '
        OriginalFileName:
            - 'cmd.exe'
    certutil_behavior:
        - OriginalFileName:
            - 'certutil.exe'
        - CommandLine|contains:
            - '-decode '
            - '/decode '
            - '-decodehex '
            - '/decodehex '
    selection_HigaisaAPT_signature:
        - CommandLine|contains:

Slide 99

Slide 99 text

(4) Hunting: decode payload
2 events hit

Slide 100

Slide 100 text

(4) Writing Rule: System config read
    eventid:
        EventID: 1
    ipconfig_binary:
        - OriginalFileName|contains:
            - 'ipconfig'
    ipconfig_behavior:
        CommandLine|contains|all:
            - 'ipconfig'
            - '>'
        Image|contains: 'cmd.exe'
    selection_HigaisaAPT_signature:
        - CommandLine|contains:
            - 'gosia.exe'
            - 'svchastd'
            - 'Officeupdated'
        - ParentCommandLine|contains:
            - '.js'
    condition: eventid and 1 of ipconfig*

Slide 101

Slide 101 text

(4) Hunting: System config read
1 event hit

Slide 102

Slide 102 text

Conclusion
◆ Provided a detailed explanation of how to use Sigma rules
◆ Understand the role of Sigma rules in threat hunting
◆ Practically integrate sysmon and sigma to hunt for various attack methods
◆ Simulated three threat scenarios and attempted to detect these attacks

Slide 103

Slide 103 text

Take Away
◆ The content of the command line is rich in information but also very cluttered
◆ The act of deobfuscation is often more apparent to the blue team
◆ Detection methods always depend on the event logging mechanism
◆ Sigma rules are widely used and powerful in the field of threat hunting.

Slide 104

Slide 104 text

Similar rules
◆ https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml
◆ https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml
◆ https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml

Slide 105

Slide 105 text

Will [email protected] THANK YOU!

Slide 106

Slide 106 text

No content