Scribd Logo
Upload

Welcome to Scribd!

  • Endpoint Hunting Techniques for Detecting Anti-EDR Tactics

    Uploaded by

    rajesh
    34 views67 pages
    The document discusses endpoint hunting techniques in an anti-EDR world, providing examples of how adversaries misdirect from their true activities using techniques like process chain spoofing, command line spoofing, WMI execution, and binary renaming to evade detection, and offers detection recommendations like collecting all WMI child events and binary attributes to identify these techniques.

    Original Description:

    Original Title

    2019-06-26-AntiEDR.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses endpoint hunting techniques in an anti-EDR world, providing examples of how adversaries misdirect from their true activities using techniques like process chain spoofing, command line spoofing, WMI execution, and binary renaming to evade detection, and offers detection recommendations like collecting all WMI child events and binary attributes to identify these techniques.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    34 views67 pages

    Endpoint Hunting Techniques for Detecting Anti-EDR Tactics

    Uploaded by

    rajesh
    The document discusses endpoint hunting techniques in an anti-EDR world, providing examples of how adversaries misdirect from their true activities using techniques like process chain spoofing, command line spoofing, WMI execution, and binary renaming to evade detection, and offers detection recommendations like collecting all WMI child events and binary attributes to identify these techniques.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 67

    ENDPOINT HUNTING IN

    AN ANTI-EDR WORLD_
    INTRODUCTION_

    whoami: @mgreen27
    > Matt Green
    > IR Practice Lead @ Cybereason
    > DFIR and detection guy
    > Powershell and scripting ++
    > Doing EDR before it was a thing
    AGENDA_
    Background
    > Data
    > EDR
    > Anti-EDR
    Practical examples:
    > Commodity / WMI
    > APT / Binary Rename
    > Detection use cases
    Wrap up
    > Goals
    BACKGROUND_

    BACKGROUND
    DATA BACKGROUND_
    Current State
    • Running Process
    • Network connections
    • Loaded files
    • In-memory artefacts
    Traditional DFIR
    Data at rest
    • Files on disk
    • Registry entries
    • Event logs / logs
    • System configuration

    Event telemetry
    • Process
    Modern EDR focus •

    Network / DNS
    File / Registry activity
    • Driver loads
    • URL / Web
    • Security Events
    EDR BACKGROUND_

    ●Telemetry
    ○ Process visibility!
    ●Reputation
    ●Behaviour based
    ●Memory / Injection
    ●Anomaly Detection
    ○ Frequency analysis
    ○ Machine Learning
    ●Powershell / .NET / AMSI
    ●Live Response
    ○ Isolation
    EDR BACKGROUND
    Kernel User Land

    Vs

    ●Low level ●Windows API


    ●Accuracy ●Performance & Stability
    ●Risk? ●Accuracy?
    ●Event Tracing For Windows
    (Microsoft-Windows-Threat-Intelligence ETW provider)
    ANTI-EDR BACKGROUND_

    ANTI-EDR
    ANTI-EDR BACKGROUND_

    ●Misdirection
    ●Minimise footprint
    ●Blending in
    ** Wild West Hackin’ Fest 2018: Red Teaming in the EDR age - Will Burgess
    HUNTING PAIN_

    ● Encoded powershell ● Administrators and ● Systems management


    ● LOL Bins developers behaving tools
    ● Office Process Chain badly ● Security Tools
    ● New binary / unknown ● Remote access ● Business Applications
    malware software ● Business User
    ● Unexpected network ● Applications behaving behaviour
    connections badly ● Startup scripts
    ● Custom scripts

    EVIL UNKNOWN GOOD

    ** Wild West Hackin’ Fest 2018: Red Teaming in the EDR age - Will Burgess
    PROCESS CHAIN MISDIRECTION_

    Single easy to detect chain Innocent looking chains


    PROCESS CHAIN MISDIRECTION_

    Process Chain spoofing


    ● API Based
    ● Very detectable

    What we see:
    ● Minimal in wild
    ● Alternate methods
    ○ WMI
    ○ Scheduled Tasks
    ○ Exploit
    PROCESS CHAIN MISDIRECTION_
    PROCESS CHAIN MISDIRECTION_
    Event Tracing for Windows
    PROCESS CHAIN MISDIRECTION_
    Event Tracing for Windows
    COMMAND LINE MISDIRECTION_

    Example 1: legitimate Powershell

    Example 1: Powershell download cradle

    Example 2: WMIC download cradle


    Example 2: legitimate WMIC
    COMMAND LINE MISDIRECTION_

    Command Line spoof


    ● Trivial to modify
    ● Collection dependent
    ● CLI generally less trusted

    What we see
    ● Rare / Red teams
    ● Combination with parent
    spoofing
    ● Other data points :)
    https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
    VERY SHORT WMI BACKGROUND_
    Windows Management Interface is a Windows administration
    feature that provides a uniform environment for local and remote
    access to Windows system components.

    • The “guts” of widows


    • Collect current state, performance statistics
    • Configure and take actions
    • Data Store
    • Persistence
    • Local and remote execution
    • SMB and RPC over port 135 for remote access
    • Minimal Forensics Windows Management Instrumentation
    • Interesting trade-off for anti-forensics https://attack.mitre.org/techniques/T1047/
    VERY SHORT WMI BACKGROUND_
    Offensive application:
    • WMIC.EXE
    • Powershell
    ○ *-WMIObject
    ○ *-CimInstance
    • Impacket WMIEXec
    • Vbscript
    • Other
    ○ Visual basic
    ○ Golang
    ○ Python
    ○ .NET Windows Management Instrumentation
    ○ C ++ https://attack.mitre.org/techniques/T1047/
    PRACTICAL EXAMPLES_

    PRACTICAL EXAMPLES
    COMMODITY
    WMI MISDIRECTION_
    ANTI-EDR_

    THE REAL ANTI-EDR


    THE HUMANS
    WMIEXEC - ANTI-EDR_
    WMIEXEC - ANTI-EDR_
    WMIEXEC - ANTI-EDR_
    WMIEXEC - ANTI-EDR_
    WMIEXEC DETECTION_
    Destination machine
    cmd.exe /c <COMMAND> > C:\wmi.dll 2>&1
    cmd.exe /c <COMMAND> > C:\wmil.dll /F > nul 2>&1
    cmd.exe /c <COMMAND> 1>C:\windows\system32\normpnhsn.nls 2>>&1

    Note:
    • file output modifiable!
    • early tool default file was wmi.dll
    • later versions norm<random>.nls for more blending in

    Detection advice:
    • Be broader than the tool!
    • Data stack ALL WMI child events!
    • Parent: wmiprvse.exe
    WMI UNSKILLED RED_
    WMI SKILLED RED_
    BINARY RENAME_
    Bypass rigid path based application whitelisting and detections.
    My use case is sub tactic, expanding the “Living of the Land”
    concept.
    Used across the whole attack
    lifecycle
    • Download Cradles
    • Persistence
    • Reconnaissance
    • Privilege Escalation
    • Lateral Movement
    • Exfiltration ATT&CK T1036 - Masquerading
    https://attack.mitre.org/techniques/T1036/
    MALDOC - BINARY RENAME_
    MALDOC - BINARY RENAME_
    MALDOC - BINARY RENAME_
    MALDOC - BINARY RENAME_
    MALDOC - BINARY RENAME_
    MALDOC - BINARY RENAME_

    scriptlet payload: VBscript


    MALDOC - BINARY RENAME_
    MALDOC - BINARY RENAME_

    DETECTION?
    MALDOC - BINARY RENAME_
    MALDOC - BINARY RENAME_

    Reputation
    ● Reliable?
    ● What about targeted?
    EXECUTION ATTRIBUTES - BINARY RENAME_
    EXECUTION ATTRIBUTES - BINARY RENAME_

    Resilient?
    ● cmd-obfuscation
    ● WSH engine
    ● CLSID reference
    FILE ATTRIBUTES - BINARY RENAME_
    WEBSHELL - BINARY RENAME_
    BINARY RENAME_

    DETECTION?
    DETECTION - BINARY RENAME_
    DETECTION - BINARY RENAME_
    DETECTION - BINARY RENAME_
    DETECTION - BINARY RENAME_
    DETECTION - BINARY RENAME_
    DETECTION - BINARY RENAME_
    Collect all executed Processes with:

    Binary Attributes
    1. Original Name is (nocase):
    cmd.exe,powershell.exe,psexec.c,cscript.exe,wscript.exe,mshta.exe,regsvr32.exe,
    wmic.exe,certutil.exe,rundll32.exe,cmstp.exe,msiexec.exe,7z.exe,WinRAR.exe

    2. File Name is not (nocase):


    cmd.exe,powershell.exe,Psexec.exe,PsExec64.exe,psexesvc.exe,cscript.exe,
    wscript.exe,mshta.exe,regsvr32.exe,wmic.exe,certutil.exe,rundll32.exe,cmstp.exe,
    msiexec.exe,7z.exe,WinRAR.exe

    3. is signed
    4. is verified
    5. signer contains Microsoft
    DETECTION - BINARY RENAME_
    True positive or noise?
    YARA - DETECTION

    Note: whilst effective yara used in this way may


    invoke performance limitations.
    POWERSHELL - DETECTION
    DETECTION - BINARY RENAME_
    Novel: Create your own EDR!
    ● ETW
    ● WMI Eventing!

    Blue Team Hacks - Binary Rename


    https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    OTHER DETECTION - BINARY RENAME_
    Other dynamic events.
    OTHER DETECTION - BINARY RENAME_
    Other dynamic events.
    OTHER DETECTION - BINARY RENAME_
    Rest of attack chain
    ROBUST DETECTION IDEAS_
    Note: Filtering required!

    Collect all executed Processes with:


    1. Binary Attributes:
    Original Name NOT (nocase): iexplore.exe,chrome.exe,<ADD MORE>
    2. File write to:
    C:\Users\<USER>\AppData\*\INetCache\*,
    C:\Users\<USER>\AppData\*\Temporary Internet Files\*

    Collect all executed Processes with:


    1. External Connection: TRUE OR Internal Connection: TRUE (WmiExec)
    2. Module load is:
    jscript.dll,jscript9.dll,vbscript.dll, scrobj.dll
    3. Binary Attributes:
    Original Name is (nocase): cscript.exe,wscript.exe, wmic.exe
    WMIEXEC DETECTION_

    Destination machine Source machine


    1. Parent Process: wmiprvse.exe 1. Internal Connection: TRUE
    2. Command Line not: \CCM 2. Module load is:
    3. Binary Attributes: jscript.dll,jscript9.dll,vbscript.dll
    Original Name is (nocase): 3. Binary Attributes:
    cmd.exe,powershell.exe,cscript.exe, Original Name is (nocase):
    wscript.exe,mshta.exe,regsvr32.exe, cscript.exe,wscript.exe
    wmic.exe,certutil.exe,rundll32.exe

    Note:
    2>>&1 & 2>&1 slightly more targeted
    CAVEAT DETECTION_
    OTHER DETECTION_
    Limitations: Tooling

    Telemetry: Static:
    ●Process ●Strings
    ●Module load ●Binary Attributes
    ●File / Reg ○ Version info
    ●Persistence ○ Resources
    ●Named Pipe ○ Size
    ●Network connection ○ Timestamps
    ●Injection ●Forensic artefacts
    HUNTING PAIN_

    ● Encoded powershell ● Administrators and ● Systems management


    ● LOL Bins developers behaving tools
    ● Office Process Chain badly ● Security Tools
    ● New binary / unknown ● Remote access ● Business Applications
    malware software ● Business User
    ● Unexpected network ● Applications behaving behaviour
    connections badly ● Startup scripts
    ● Custom scripts

    EVIL UNKNOWN GOOD

    ** Wild West Hackin’ Fest 2018: Red Teaming in the EDR age - Will Burgess
    HUNTING GOAL_

    ● Encoded powershell ● Administrators and ● Systems management


    ● LOL Bins developers behaving tools
    ● Office Process Chain badly ● Security Tools
    ● New binary / unknown ● Remote access ● Business Applications
    malware software ● Business User
    ● Unexpected network ● Applications behaving behaviour
    connections badly ● Startup scripts
    ● Custom scripts

    EVIL UNDERSTAND
    Leverage the home ground advantage
    TAKEAWAYS_

    ●Visibility king!
    ○ Think in data points.
    ○ Telemetry AND point in time.
    ○ Consider all available tools.
    ●Focus on a use case.
    ○ Develop detection anchors.
    ○ ATT&CK or other framework.
    ●Learn something.
    ○ Finding evil is the main goal.
    ○ Learning maintains motivation.
    RESOURCES

    https://attack.mitre.org/

    https://lolbas-project.github.io/

    @cyb3rops
    @ItsReallyNick
    @Hexacorn
    @mattifestation
    @subTee

    https://virustotal.github.io/yara/
    https://github.com/Neo23x0/sigma
    https://github.com/Neo23x0/yarGen
    Thank you_

    You might also like