Category Archives: BlueTeam

Threat Hunting III – Pyramid of Pain

As we mentioned in the previous sessions, IoCs are crucial important for a proactive threat hunting process. Threat hunters should know most of the information of newly threats and implement them to their hunting processes. Pyramid of Pain classifies IoCs and helps us understand better the usefulness of them.

The pyramid of pain was created by David Bianco (Fireeye). He also has a Youtube video for presenting it.

Pyramid of Pain

This pyramid classifies the IoCs and with going up the pyramid, IoCs help us more to detect the suspicious. Also, as we go up, it is harder to obtain these IoCs. Now, lets check these IoC types shortly;

Hash Values: A hash value is a unique identifies of the data. In theory, the hash value of each data is expected to be unique to itself. So, it gets easier to identify a data, file with its hash value. As an example, you can see below the hash values (both md5 and sha256) of openvpn.exe.

Hash values of openvpn.exe

Hash values are at the bottom of the pyramid because it is very easy to change a file’s hash value and if you do not have the newly changed hash, that means you cannot detect this file anymore.

IP Addresses: IP blacklists still used by many different products, however it is also easy to change the IP address for an attacker. So, it is again does not help much to detect an adversary.

Domain Names: Everyday we can see that attackers can obtain new domain names very fast and can continue their attacks with ever changing domain names.

Network/Host Artifacts: These are the clues that adversaries left on the pc or network. These can be registery keys, processes, user agent strings, etc. Surely, to obtain such information, a forensic analysis need to be done in compromised pcs or networks.

Tools: Adversaries have their favorite tool to attacks, like pentesters have. It is important to know the tool that your enemy using and if you are good at detecting these tools, you can easily detect the attack or this situation forces the attackers use some other tools. This situation will slow down the attack and will save your time.

TTPs: Tactics, techniques and procedures are the patterns of activities or methods of a specific threat actor. As you all know, you can find all TTPs in the Mitre’s website and they are the most valuable data to identify an attack. If you know the TTPs of your enemy, it means you know what to check for a possible attack and mitigate.

Zone Identifier Commands

With Zone Identifier, we can say whether a file downloaded from internet or not.

A file with zone.identifier extension is an ADS (Alternate Data Stream) file that contains information about another file. It describes the security zone for the file. Zone identifier files are generated by Internet Explorer and Outlook when saving files to a Windows operating system. These files are normally hidden and cannot be opened directly.

Via powershell, we can find Zone Identifiers of a file;

PS C:\Progs\Forensics> Get-Content -Path C:\Progs\Forensics\autopsy-4.17.0-64bit.msi -Stream zone.identifier

PS C:\Progs\Forensics> Get-Item -Path C:\Progs\Forensics\autopsy-4.17.0-64bit.msi -Stream *

How To Remove Zone Identifier

For several reasons, you may choose to delete zone.identifiers. It is very easy to do it. Just right click the file and click “Unblock” tick in “Properties > General” menu.

If you want to remove multiple files, it is still easy. Just navigate to folder including files you want to remove with Powershell and type;

dir .* | Unblock-File

This will clear zone identifier from this folder.

Searching for IoC with Redline

Redline is a free tool for investigation malicious activity through memory and file analysis. It has a lot of features for investigation but in this post, we will only mention searching for IoCs in the endpoint with Redline.

In previous post, we created an IoC to detect WinSCP.exe. Now, we will search it with Redline as the example.

We will go on with “Create an IOC Search Collector” menu in the main page of Redline. For doing this, we browse the folder that including IoCs we want to search in the PC. We have only one IoC here but if you have more IoCs in the folder, you will see all of them in “Indicators” tab.

Then we create a folder for IoC Collector and after clicking “Next” button, we show this folder. Redline creates the IoC Collector in this folder. We will now use RunRedlineAudit.bat file with the command line. Once the bat file finishes running, it will create a folder called “Sessions” and save outputs to this folder in the same directory.

Just run the “RunRedlineAudit.bat” file and wait for finishing. Then, open the “Sessions” folder. Each IoC sweep placed in its own folder calle “AnalysisSessionX”. This was our first sweep, so we click on “AnalysisSession1” folder. Our IoC report will be in “AnalysisSession1.mans” file. So, we click on this file, and it will take some time it generates the report.

When IoC report generated, we can see it on Redline tool, “IOC Reports” tab. As you can see in the screenshot, our WinSCP Indicator IoC got hits. When we click on it, we can see why this IoC got hit. Here, our IoC catch the file with its MD5 hash value and file name. With clicking on “View Details” button, we can see more details about the hit.

Data Collection with Redline

As we discuss before, Redline is a great tool for investigating endpoints. In this post, we will explain how to collect memory data with Redline.

First, in the main page of Redline, we click on “Create a Standard Collector” button. In the opened window, we click on “Edit your script” label and be sure we choose all we need for memory analysis. Then we create a folder for analysis and show it with browsing in the Redline window.

This process will create the data collector in the folder we choose. Then we open a cmd and run “RunREdlineAudit.bat” script in this folder.

Once the script starts to run, you can see some analysis created in “Audit” folder. Sure, it will take some time to finish the analysis.

When it finishes, click on “AnalysisSessionX.mans” file in the “Audit” folder and this will open Redline again.

This file provides us all the information that we checked at the beginning (Edit your script).

Creating IoCs with Mandiant IOCe

In “Open Threat Exchange” post we mentioned that shared IoCs by other parties on Open Threat Exchange. Open IoCs are nice since they are manufacturer independent and can be used in a lot of different technologies for detecting threats.

Viewing Existing IoCs

In this post, we will mention on Mandiant IOC Editor. First of all, Mandiant IOCe could be used to view open IoCs which you downloaded from different sources. Here, we will show a simple example to view an existing IoC. So, as example, we download an IoC from Open Threat Exchange. This is the IoCs of malicious files found on Pulse Connect Secure devices. This is an xml file downloaded and has 108 IoCs containing 36 MD5, 36 SHA1, and 36 SHA256 hash values. You know, IoCs are not only hashes. They can contain a lot of different attributes about the attack, but in this example, we only have hash values. Later in this post, we will create IoC with different attributes also.

After we download the IoCs as xml file, from File > New > Indicator From File menu and choose the xml file. Here, we can see all the IoCs we downloaded and if we want we can change, delete or add IoCs in that file.

Output of the xml file

Create an IoC

It is also so easy to create IoC with Mandiant IOCe. We start from File > New > Indicator menu. Firstly, IOCe provides us to give a name and description for the IoC. As the example, we will create IoC for detecting WinSCP file. Let’s check hash values of WinSCP.exe file first. MD5 and SHA256 is enough for us now.

MD5 and SHA256 values of WinSCP.exe file

From Item > File Item menu, we choose File MD5 and paste the MD5 value of the file. Let’s do the same for File sha256 menu. Additionally, we add File Name in OR logic.

Then, we can add more attributes from hundreds of items in IOCe. We tried to show some of them in the screenshot below.

Creating IoC with Mandiant IOCe

Do not forget that attributes you choose should be unique to the file, so it can be detectable and less false positives occur. Description is important while creating an IoC, since open IoC is developed to be used by everyone, and if you create an IoC, it is better to write enough description to understand by others.

Open Threat Exchange

Open Threat Exchange is a threat intelligence platform from Alien Vault. It is not limited to use this platform to get intel information.

When you register and log in to OTX, you can easily see the summary of the threats in “Subscribed Pulses” section.

Let’s choose a threat, called “Wiper luring the Olympic Games”. When we click, we can see details of the threat like a brief description, reference, tags for searching easily later, and TTP Id for Att&ck.

In the same page, in Indicator of Compromise section, we see IoCs of this threat. For this example, we have an MD5, a SHA1 and a SHA256 hash values as IoC. These IoCs have more details and you can easily see the details with blue “go to details” button at the right of the IoC.

We have more details here like file type, size, different hash values, metadata information, and VirusTotal check.

In the main page of the pulse, you can download the IoCs in different forms. You can easily download and use these IoCs to detect the threats.

In the Browse tab of OTX, it is classified by pulses, groups, indicators, malware families, industries and adversaries. It is valuable to search for specific threat actors and their TTPs, and IoCs to detect them.

OTX also provides to create pulses and API connection. It has a simple user interface so do not want to touch all menus here.

Threat Hunting II – Recommendations

An effective threat hunting is critical because it is hard to think like attackers and to search for the unknown in an enterprise network. This post may help organizations for an effective and successful threat hunting.

Knowledge of Topology and Environment

The purpose of threat hunting is to find the anomalies and their sources in the network and endpoint. So, a threat hunter should know what is normal and so can understand what is not normal.

From the risk management point of view, critical assets – servers, applications, data – should be known to protect more effectively. With the knowledge of the environment, the threat hunter knows the critical assets and hunts according to this. If there is segmentation in network, it is also critical to know the network topology and networks – or vlans – of these critical assets.

It is also necessary to know which application is running on which operating system, so the threat hunter can know the weaknesses of the system and can search according to these weaknesses.

Effective Endpoint Management

For threat hunting, the most used tools are EDRs. Organizations should be sure that they installed endpoint security tools to all endpoints and detect when they removed or stopped. Asset management is something more than CMDB. It must be managed by security teams whose understanding the criticality of the lack of endpoint security tool in an endpoint.

Intel

Threat intelligence is one of the most important feeds of threat hunting. Threat hunters need to have most recent intelligence and IoCs so they cant perform hunting the latest threats. Many malicious are produced and detected every day. This situation causes a lot of noises about intel. To avoid this noise, hunters should get valuable intelligence about their organization’s sector and geolocation, and integrate these IoCs with SIEM, EDR, etc..

Personnel

We all know that new tactics and techniques are created by attackers in general. The most important reason for this is while security professionals in organizations have to deal with so many different things, attackers can only focus on their target. Even if it so important to have valuable/experienced personnel, if they are dealing with different organizational missions while they are working, it will be difficult for them to think like an hacker and detect the unknown in the network. Threat hunters should focus to their mission to create their methodology and hunt. So, there should be dedicated personnels for threat hunting.

Coordination Across the Organization

Yes, threat hunters work in a strange mission, think like a hacker and search across the network but they must not work alone. A threat hunter should have a good relationships with key personnel in IT departments like network and system admins, help desk personnel and so on. With these relationships, they better understand the network, systems and more importantly the company’s and personnels’ way of doing business. For organization’s perspective, when a threat hunter finds a weaknesses during the hunting process, they inform critical IT personnel for remediation. This team working will result as a success in remediation phase of the incidents or weaknesses.

TTPs

Pyramid of Pain

Intelligence is critical for hunting for the known threats but hunters should be familiar with the TTPs of the attackers against the zero day threats. Threat hunters also should be aware of the updated or newly TTPs. Only with this knowledge hunters can act like an attacker. TTPs are at the top of Pyramid of Pain (defined by David Bianco).

Tools

To disclose the anomaly or malicious activity, threat hunters should use advanced tools like EDR, NDR, SIEM, FIM, etc.. These tools will help hunter to find abnormal activities if configured properly. In different posts, we tried to explain why they should be used.

Threat Hunting I – Understanding Threat Hunting

Although Threat Hunting is nothing new, it is a very hot topic lately. Even if you have perimeter and endpoint security devices and SIEM for collecting and correlating logs from them, it is not a good way to wait for incidents coming. Without Threat Hunting, dwell time is increasing more than 150 days, and this is not acceptable anymore. While attackers are working proactively and developing new techniques day by day, security teams need to be more proactive too. Threat Hunting is the most proactive approach in an organization’s security structure and improves its security posture.

Dwell time is the dirty metric nobody wants to talk about in cyber security. It signifies the amount of time threat actors go undetected in an environment, and the industry stats about it are staggering.
Source: Extrahop

In its simplest definition, Threat Hunting is detecting abnormal activities on endpoints and network. But, what to look for hunting threats?

What to Hunt?

Threat Hunting is a continuous process. Hunters should check anything that could be an evidence of an incident.

  • Processes: Processes are important components of OSs. Adversaries may inject malicious code into hijacked processes. Therefore, hunters should check processes and child processes regularly.
  • Binaries: Hunters should check binaries with their checksum, name and other specifications.
  • Network: Network activities to specific destinations and anomalies in network should be checked.
  • Registery: Hunters should check registery key additions and modifications.

The Team

For a continuous hunting, organizations need to have threat hunters in their CSIRT. The difference between analysts and threat hunters is the proactive approach as mentioned before. Also in smaller organizations, SOC analysts may work on threat hunting but actually, a threat hunter may has more specifications than an analyst. In larger organizations, it is important to have a dedicated threat hunting leader and team. This team should has detailed knowledge about;

  • OSs: The Threat Hunting team should have knowledge about OSs that organization is using. This knowledge must include process structures, files, permissions, and registery depending on the OS. This is important because malicious files and attackers make changes in OS here. A threat hunter need to understand what is normal and what is not. Something is not normal could be a sign of an intrusion. For having this knowledge, baselines could be created for all critical systems. These baselines will help to know the normal and the anomalies.
  • Apps: Threat Hunters should have knowledge about the applications used in the organization. It is also important to know perimeter and endpoint security devices and applications used by organization.
  • Business: Threat Hunting team should have knowledge about the organization’s business so they need to follow adversaries working on the organization’s sector and geographical location. It is also important to know third party companies the organization works and communication ways with them.
  • Network: In a big and segmented network structure, it is important to know where the critical assets are.
  • The Lockheed Martin Cyber Kill Chain: Also known as APT phases, represents the phases of an advanced attack.
  • TTPs: IoCs are important components for hunting but they provide to detect “known knowns”. TTPs are at the top of Pyramid of Pain (defined by David Bianco) and especially adversaries’ techniques and tactics should be known those are threatening the organization’s sector and location.
  • Threat Hunting Tools: In CSIRT plan, it needs to be included that which tools and techniques can be used for threat hunting. Threat hunters should have knowledge of these tools and techniques.
  • IR&H Plan: Threat hunting is only a step of proactive approach. If threat hunters successfully find an intrusion or anomaly in systems, they need to know the next step. Who should they inform? What should be done?..etc..

Requirements

  • Threat Intelligence: Threat intelligence is one of the most important feeds of threat hunting. Threat hunters need to have most recent intelligence and IoCs so they cant perform hunting the latest threats.
  • EDR: Threat hunters need IoCs but also need to know how to use these IoCs. After gathering the most recent IoCs from TI platforms, an IoC sweep must be made on endpoints.
  • NDR: Just like endpoints, network traffic also need to be checked with the latest IoCs. For doing this, CSIRT need to collect all east-west and south-north network traffic. NDR devices those have AI capabilities also detect anomalies in the network.
  • SIEM: Depending on the hunt’s scope, the threat hunter may need to check IPS/IDS, proxy, DNS, firewall or some other tools’ logs. Because logs are coming from different sources, CSIRT need to collect and correlate these logs in SIEM and feeding SIEM with the latest IoCs, these logs will more meaningful.
  • FIM: We said that baselines must be created for critical systems. FIM solutions will help CSIRT to create baselines for OSs and alert analysts when an unauthorized transaction is made.

Prometei Exploits MS Exchange Vulnerabilities

A new malicious called Prometei has been determined, that including Exchange servers have ProxyLogon vulnerability to cryptocurrency network. Prometei is a modular malicious code and has different features like credential dumping, usage of the system for cryptocurrency minning, and lateral movement. Prometei has two different versions for both Windows and GNU/Linux.

Prometei exploits the ProxyLogon vulnerabilities (CVE-2021-27065 and CVE-2021-26858) and uploads China Chopper web Shell. After uploading China Chopper, attackers downloads the zsvc.exe on the victim’s machine with PowerShell. After gaining persistence, another malicious file called sqhost.exe is downloade by attacker. With sqhost.exe, attackers can use the victim system for Monero minning with using XMRig open source code. However, Prometei uses Mimikatz for lateral movement.

A more detailed investigation of Prometei can be found on the cybereason blog page. It looks like threat actors still keep using Prometei. To avoid of this risk, exchange vulnerabilities need to be eliminated fastly, and these IoCs can be used to detect and prevent Prometei.

IoCs:

File Hashs – SHA256

f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4

D8e3e22997533300c097b47d71feeda51dca183c35a0d818faa12ee903e969d5

b0e743517e7abf75a80b81bb7aadc9c166ac47ba89c0654ba855dda1e4d96c3e

55fc69a7e1b2371d8762be0b4f403d32db24902891fdbfb8b7d2b7fd1963f1b4

e4bd40643f64ac5e8d4093bddee0e26fcc74d2c15ba98b505098d13da22015f5

fb8f100e646dec8f19cb439d4020b5f5f43afdc2414279296e13469f13a018ca

e961c07d534bc1cb96f159fce573fc671bd188cef8756ef32acd9afb49528331

2f114862bd999c38b69b633488bcbb6c74c9a11e28b7ef335f6c77bba32ed2d6

5de7afdde08f7b8ba705c8332c693747d537fd5b1bb0e7b0c757c0f364a60eb8

dc73a88f544efc943da73c9f6535facdb61800f6205ad3dddb9adb7c6ab229ab

XSS Detection and Prevention

XSS is a common and very popular vulnerability also took place in Owasp Top10 from the beginning. XSS is hard to detect and very dangerous since an attacker can gain the ability what user can do and see like passwords, financial information, etc.

XSS has two mail types called Stored XSS which is when malicious script directly injected to the vulnerable application, and Reflected XSS which involves reflecting malicious script into the page, and it would be activeted when the link has been clicked.

It is hard to detect XSS attacks, I try to give some detection and prevention suggestions.

Detection:

Common XSS attacks use HTML tags like <script></script>, <BODY>, <INPUT>, or <IMG>. Atackers also can use encoding to bypass safeguards like below;

XSS Script: <script>alert(“XSS”)</script>

HEX encoded: %3cscript%3ealert(“XSS”)%3c/script%3e

It is important to check logs to detect these tags to detect an XSS attack. Double encoding can be also used by attackers since some WAFs can detect encoding on the traffic;

Double encoded: %253cscript%253ealert(1)%253c/script%253e

Some applications can block the lower case strings, so attackers can toggle the code to bypass hem;

Toggle case: <sCRipT>alert(“XSS”)</ScRiPt>

It is also possible to detect XSS attacks in logs with some regex;

To detect an attack like; <script>alert(1)</script>

It is possible to check with this regex; ((\3C)|<)(\2F)|\/*(script)((\%3E)|>)

Prevention:

  • To prevent against XSS attacks, web application must perform HTML encoding on the output sent to the users. Thus, in the user side, web browsers can only display but cannot run the scripts placed in the request. HTML encoding prevents the execution of the response
  • WAF is the most important prevention method against XSS. WAFs can also detect and block similar attacks like file injection
  • All non-alphanumeric characters must be checked before displaying the users’ input in the web application
  • PKI must be used for authentication
  • A security review of the code is needed to identify XSS vulnerabilities and search all of the places where the input from an HTTP request comes
  • Attackers can use different HTML tags, so vulnerability scanners provides ease to check all of them in the web application
  • Check headers, cookies, string form and hidden fields in the code with a security perspective
  • Input fields should be limited to a maximum character count when you allow user input in the web application
  • Do not publish users’ input directly in forums and comment fields, all comments should be reviewed with a security perspective firstly
  • A proxy and web content filtering must be used in the organization to filter unnecessary websites, especially like forums
  • Do not trust HTTPS when it comes to XSS