Security Onion Conference - 2015
Uploaded by: defensivedepth
Transcript of Security Onion Conference - 2015
Page 1: Sysmon & Security Onion
#SOCAugusta @DefensiveDepth
Page 2: Roadmap
- Why?
- Sysmon
- Detection Techniques
Page 3: Sysmon
- Sysinternals tool (released 8/14, current v3.1)
- Installed as a Windows Service; logs:
  - Process creation with full command line
  - Parent process with full command line
  - Hash of process image file (SHA1 + more)
  - Network connections, tied to process
  - Loaded drivers & DLLs (sigs & hashes)
  - File creation time
  - + More!
Page 4: Sysmon (slide is an image; no text was transcribed)
Page 5: Sysmon - Deployment
sysmon.exe -i -accepteula
Page 6: Sysmon - Filtering (slide is an image; no text was transcribed)
Page 7: Sysmon - Collection & Parsing (slide is an image; no text was transcribed)
Page 8: Detection
- Real-Time Alerting: OSSEC + SGUIL/ELSA
- Historical/Investigation: ELSA
Page 9: Detection: Process Abnormalities
svchost.exe:
- Image Location: System32 / syswow64
- Run As: Local System, Network Service, Local Service
- Parent Process: Services.exe
- How many instances? 5+
- Other: svchost.exe -k "param"
Page 10: Detection: Process Abnormalities
Poweliks
- Image: dllhost.exe
- Command Line: none; ParentImage: Powershell.exe
- Command Line: /Processid:{}; ParentImage: svchost.exe
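The svchost.exe baseline from page 9 and the dllhost.exe/Poweliks pattern from page 10, turned into checks over Sysmon process-creation fields. This is an added example, not the speaker's ruleset or OSSEC's; the events, paths, account names and the GUID are constructed, and the instance-count check is left out because it needs a live process list rather than single events.

```python
import re

# Constructed Sysmon Event ID 1 records, reduced to the fields the slides use.
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "CommandLine": "svchost.exe",
     "User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": "dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",  # constructed GUID
     "User": "CORP\\bob", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "CommandLine": "",
     "User": "CORP\\bob", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Baseline from page 9: where svchost.exe lives and which accounts it runs as.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SVCHOST_USERS = {"nt authority\\system", "nt authority\\network service", "nt authority\\local service"}

def basename(path): return path.rsplit("\\", 1)[-1].lower()
def dirname(path): return path.rsplit("\\", 1)[0].lower()

def check_svchost(ev):
    """Return the page-9 baseline properties an svchost.exe event violates."""
    issues = []
    if dirname(ev["Image"]) not in SVCHOST_DIRS: issues.append("image location")
    if ev["User"].lower() not in SVCHOST_USERS: issues.append("run-as account")
    if basename(ev["ParentImage"]) != "services.exe": issues.append("parent process")
    if not re.search(r"\s-k\s+\S+", ev["CommandLine"]): issues.append("missing -k param")
    return issues

def check_dllhost(ev):
    """Page-10 pattern: legitimate dllhost.exe carries /Processid:{GUID} and is spawned by svchost.exe."""
    issues = []
    if not re.search(r"/Processid:\{[0-9A-Fa-f-]{36}\}", ev["CommandLine"]): issues.append("no /Processid:{GUID}")
    if basename(ev["ParentImage"]) != "svchost.exe": issues.append("parent not svchost.exe")
    return issues

def triage(events):
    """Run the per-image check on each event; return (image name, full path, issues) for hits."""
    checks = {"svchost.exe": check_svchost, "dllhost.exe": check_dllhost}
    alerts = []
    for ev in events:
        name = basename(ev["Image"])
        issues = checks.get(name, lambda e: [])(ev)
        if issues:
            alerts.append((name, ev["Image"], issues))
    return alerts

if __name__ == "__main__":
    for name, path, issues in triage(EVENTS):
        print(f"{name} at {path}: {', '.join(issues)}")
```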
Page 11: Detection: Abnormal Application Usage
- cmd.exe, powershell.exe, at.exe
- Context Specific!
Page 12: Detection: Abnormal Application Usage (slide is an image; no text was transcribed)
Page 13: Detection: Suspicious Application Usage (slide is an image; no text was transcribed)
Page 14: Detection: Hash Lookups
- OSSEC CDB List Lookup
- IOCs
- Sysinternals PsExec (Context Specific!)
- 2011 - 2014 Hashes
Page 15: Detection: Network Connections
- Certain apps that should never initiate connections?
- Processes initiating connections on 80/443?
Page 16: Detection: Process Injection (slide is an image; no text was transcribed)
Page 17: Detection: Loaded Drivers (slide is an image; no text was transcribed)
Page 18: Running in Production
- Plan & Filter Events
- Event Forwarding - Finicky
- Visibility!
Page 19: Future Work
- Rulesets (Sysmon + OSSEC)
  - Process Abnormalities
  - Abnormal Applications
  - Network Connections
  - Process Injections outside of norm
  - Loading Drivers outside of norm