Modules are typically work in Powershell directly. “Get-Module” command can be used to see imported modules.
“Get-Module -ListAvailable” command show the modules available.
For the additional modules we want to use, we should import them first. Once we import the module, we can use its all commands anymore. We will add PowerSploit as example. PowerSploit project is a project no longer supported but sometimes we may want to use its capabilities. For importing, we firstly download the package from here. After downloading the module, we need to copy it to one of the module folders in PC. There are different module locations and we can see them with “$Env:PSModulePath” command.
We create a folder called PowerSploit and copy all files here from the downloaded package.
“Import-Module PowerSploit” command will install the module and all its commands will be available for us to use.
“Get-Command -Module PowerSploit” command can list all commands of this module.
“Get-Help <command>” command will show you the usage of the commands.
An effective threat hunting is critical because it is hard to think like attackers and to search for the unknown in an enterprise network. This post may help organizations for an effective and successful threat hunting.
Knowledge of Topology and Environment
The purpose of threat hunting is to find the anomalies and their sources in the network and endpoint. So, a threat hunter should know what is normal and so can understand what is not normal.
From the risk management point of view, critical assets – servers, applications, data – should be known to protect more effectively. With the knowledge of the environment, the threat hunter knows the critical assets and hunts according to this. If there is segmentation in network, it is also critical to know the network topology and networks – or vlans – of these critical assets.
It is also necessary to know which application is running on which operating system, so the threat hunter can know the weaknesses of the system and can search according to these weaknesses.
Effective Endpoint Management
For threat hunting, the most used tools are EDRs. Organizations should be sure that they installed endpoint security tools to all endpoints and detect when they removed or stopped. Asset management is something more than CMDB. It must be managed by security teams whose understanding the criticality of the lack of endpoint security tool in an endpoint.
Threat intelligence is one of the most important feeds of threat hunting. Threat hunters need to have most recent intelligence and IoCs so they cant perform hunting the latest threats. Many malicious are produced and detected every day. This situation causes a lot of noises about intel. To avoid this noise, hunters should get valuable intelligence about their organization’s sector and geolocation, and integrate these IoCs with SIEM, EDR, etc..
We all know that new tactics and techniques are created by attackers in general. The most important reason for this is while security professionals in organizations have to deal with so many different things, attackers can only focus on their target. Even if it so important to have valuable/experienced personnel, if they are dealing with different organizational missions while they are working, it will be difficult for them to think like an hacker and detect the unknown in the network. Threat hunters should focus to their mission to create their methodology and hunt. So, there should be dedicated personnels for threat hunting.
Coordination Across the Organization
Yes, threat hunters work in a strange mission, think like a hacker and search across the network but they must not work alone. A threat hunter should have a good relationships with key personnel in IT departments like network and system admins, help desk personnel and so on. With these relationships, they better understand the network, systems and more importantly the company’s and personnels’ way of doing business. For organization’s perspective, when a threat hunter finds a weaknesses during the hunting process, they inform critical IT personnel for remediation. This team working will result as a success in remediation phase of the incidents or weaknesses.
Intelligence is critical for hunting for the known threats but hunters should be familiar with the TTPs of the attackers against the zero day threats. Threat hunters also should be aware of the updated or newly TTPs. Only with this knowledge hunters can act like an attacker. TTPs are at the top of Pyramid of Pain (defined by David Bianco).
To disclose the anomaly or malicious activity, threat hunters should use advanced tools like EDR, NDR, SIEM, FIM, etc.. These tools will help hunter to find abnormal activities if configured properly. In different posts, we tried to explain why they should be used.
Although Threat Hunting is nothing new, it is a very hot topic lately. Even if you have perimeter and endpoint security devices and SIEM for collecting and correlating logs from them, it is not a good way to wait for incidents coming. Without Threat Hunting, dwell time is increasing more than 150 days, and this is not acceptable anymore. While attackers are working proactively and developing new techniques day by day, security teams need to be more proactive too. Threat Hunting is the most proactive approach in an organization’s security structure and improves its security posture.
Dwell time is the dirty metric nobody wants to talk about in cyber security. It signifies the amount of time threat actors go undetected in an environment, and the industry stats about it are staggering. Source: Extrahop
In its simplest definition, Threat Hunting is detecting abnormal activities on endpoints and network. But, what to look for hunting threats?
What to Hunt?
Threat Hunting is a continuous process. Hunters should check anything that could be an evidence of an incident.
Processes: Processes are important components of OSs. Adversaries may inject malicious code into hijacked processes. Therefore, hunters should check processes and child processes regularly.
Binaries: Hunters should check binaries with their checksum, name and other specifications.
Network: Network activities to specific destinations and anomalies in network should be checked.
Registery: Hunters should check registery key additions and modifications.
For a continuous hunting, organizations need to have threat hunters in their CSIRT. The difference between analysts and threat hunters is the proactive approach as mentioned before. Also in smaller organizations, SOC analysts may work on threat hunting but actually, a threat hunter may has more specifications than an analyst. In larger organizations, it is important to have a dedicated threat hunting leader and team. This team should has detailed knowledge about;
OSs: The Threat Hunting team should have knowledge about OSs that organization is using. This knowledge must include process structures, files, permissions, and registery depending on the OS. This is important because malicious files and attackers make changes in OS here. A threat hunter need to understand what is normal and what is not. Something is not normal could be a sign of an intrusion. For having this knowledge, baselines could be created for all critical systems. These baselines will help to know the normal and the anomalies.
Apps: Threat Hunters should have knowledge about the applications used in the organization. It is also important to know perimeter and endpoint security devices and applications used by organization.
Business: Threat Hunting team should have knowledge about the organization’s business so they need to follow adversaries working on the organization’s sector and geographical location. It is also important to know third party companies the organization works and communication ways with them.
Network: In a big and segmented network structure, it is important to know where the critical assets are.
TTPs: IoCs are important components for hunting but they provide to detect “known knowns”. TTPs are at the top of Pyramid of Pain (defined by David Bianco) and especially adversaries’ techniques and tactics should be known those are threatening the organization’s sector and location.
Threat Hunting Tools: In CSIRT plan, it needs to be included that which tools and techniques can be used for threat hunting. Threat hunters should have knowledge of these tools and techniques.
IR&H Plan: Threat hunting is only a step of proactive approach. If threat hunters successfully find an intrusion or anomaly in systems, they need to know the next step. Who should they inform? What should be done?..etc..
Threat Intelligence: Threat intelligence is one of the most important feeds of threat hunting. Threat hunters need to have most recent intelligence and IoCs so they cant perform hunting the latest threats.
EDR: Threat hunters need IoCs but also need to know how to use these IoCs. After gathering the most recent IoCs from TI platforms, an IoC sweep must be made on endpoints.
NDR: Just like endpoints, network traffic also need to be checked with the latest IoCs. For doing this, CSIRT need to collect all east-west and south-north network traffic. NDR devices those have AI capabilities also detect anomalies in the network.
SIEM: Depending on the hunt’s scope, the threat hunter may need to check IPS/IDS, proxy, DNS, firewall or some other tools’ logs. Because logs are coming from different sources, CSIRT need to collect and correlate these logs in SIEM and feeding SIEM with the latest IoCs, these logs will more meaningful.
FIM: We said that baselines must be created for critical systems. FIM solutions will help CSIRT to create baselines for OSs and alert analysts when an unauthorized transaction is made.
Attackers may need to download some tools to perform different actions on victim machine. Mostly, these can be some tools to help scan networks to move laterally, or make the attacker permanent on the victim machine. Whatever itself, there are many ways to do it and all of them are very easy to perform.
Here, my victim machine is a Windows 10 client, and I assume that we already exploited the victim’s machine and have a reverse connection. Now, I will create a web server on the attacker machine, so I can download from my web server in victim’s machine. (These works will be a demo for T1105)
Then I copied putty.exe to transfer to the victim. I am checking whether the web server is working or not;
Ingress File Transfer with Powershell
The first way to transfer file we try is powershell. Let’s execute the command below in our C&C terminal to download putty.exe in the victim’s machine and check the file;
“iwr” in the command stands for Invoke-Web Request which is a command in MS Powershell utility. Used to send HTTP and HTTPS request to a web page or a web service.
Attackers uses certutil.exe as a memory-only downloader via built-in -ping argument (Founded by researcher Casey Smith (@SubTee)).
Let’s type the command on C&C connection in the victim’s machine;
This command will download putty.exe that we located in our web server at the beginning.
IoC for Detecting Downloading via Certutil
Everyone can create their own IoC to detect this method, according to their own structure. This IoC looks for -ping and -urlcache arguments in certutil.exe (Src: fireeye.com).
Ingress File Transfer with wget
wget is a package supports downloading files via HTTP, HTTPS, FTP and FTPS. It can be used easily in scripts since it has a nonn-interactive structure. With using C&C connection, let’s run the command below on the victim’s machine;
“.. a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. It premiered at BSidesLV in 2015.” ReadMe file of Empire
Empire is a publicly available post-exploitation framework used by nation state threat actors and red teams. This demo is about gaining C&C and associated to MITRE ATT&CK (r) Tactic: Command and Control and Technique: T1086, T1071.
It is important to install Empire with this command to use all functions of it;
After installing Empire, we are creating a listener on port 80. I am using Ubuntu for this demo.
After enabling listener, we must use a stager. Here, we are using a batch stager;
With executing the commands above, a malicious batch file has been created in /tmp/ folder. When the victim executed this file in his/her machine, we get a session. With the “agents” command, we can see active sessions like below. Then with the “interact <agent id>” command, we can get the C&C connection to the victim.
Empire is a good and fast framework for C&C. But if we do not make obfuscation, it is very possible to detect these processes for defense teams. In EventViewer, we can find logs of the malicious behaviors;
For defense, it is important to use an EDR solution on endpoint machine. You can find here is my EDR Choosing Guide post.