
Compromise Indicator Magic


Page 1: Compromise Indicator Magic

Introduction IOC Standards V:IOCs mining IOCs Applying IOCs Case studies Categorizing Incidents Practical tasks Analyzing Network traffic Analyzing HTTP logs Analyzing AV logs Creating 0wn IOCs EOF

Compromise Indicator Magic: Living with Compromise

Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin

PhDays 2014

Affiliations: Academia Sinica, o0o.nu, chroot.org

May 22, 2014, Moscow

Compromise Indicator Magic: Living with Compromise. Affiliations: Academia Sinica, o0o.nu, chroot.org

Page 2: Compromise Indicator Magic


Outline

Introduction

IOC Standards

V:IOCs

mining IOCs

Applying IOCs

Case studies

Categorizing Incidents

Practical tasks

Analyzing Network traffic

Analyzing HTTP logs

Analyzing AV logs

Creating 0wn IOCs

EOF

Page 3: Compromise Indicator Magic

Everyone is p0wn3d :)

Page 4: Compromise Indicator Magic

Challenges

Main assumption: all networks are compromised.

The difference between a good security team and a bad security team is that with a bad security team you will never know that you've been compromised.

Page 5: Compromise Indicator Magic

Statistics speak

- about 40,000,000 internet users in Russia
- for every 10,000 server hosts, 500 hosts trigger redirects to malicious content per week
- about 20-50 user machines (full AV installed, behind NAT and a firewall) get affected

Page 6: Compromise Indicator Magic

Campaigns

- r*.ru (news) ~ 790 000
- ne*.com (news) ~ 590 000
- ga*.ru (news) ~ 490 000
- a*f.ru (news) ~ 330 000
- m*.ru (news) ~ 315 000
- v*.ru (news) ~ 170 000
- li*.ru (news) ~ 170 000
- top*s.ru (news) ~ 140 000

Page 7: Compromise Indicator Magic

Introduction: terminology

Indicators of Compromise

An indicator of compromise (IOC) in computer forensics is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.
http://en.wikipedia.org/wiki/Indicator_of_compromise

Page 8: Compromise Indicator Magic

Why Indicators of Compromise?

Indicators of Compromise help us to answer questions like:

- is this document/file/hash malicious?
- is there any past history for this IP/domain?
- what are the other similar/related domains/hashes/...?
- who is the actor?
- am I an APT target?!! ;-)

Page 9: Compromise Indicator Magic

Workshop: hands-on part

If you'd like to try as we go, these are the tools we are about to cover:

- http://github.com/fygrave/ndf
- http://github.com/fygrave/hntp
- fiddler
- elasticsearch && http://github.com/aol/moloch (vm)
- yara (as a moloch plugin)
- hpfeeds
- CIF
- https://github.com/STIXProject/ - openioc-to-stix/

Page 10: Compromise Indicator Magic

IOC representations

Multiple standards have been created to facilitate IOC exchange.

- Mandiant: OpenIOC
- Mitre: STIX (Structured Threat Information Expression), CybOX (Cyber Observable Expression)
- Mitre: CAPEC, TAXII
- IODEF (Incident Object Description Format)

Page 11: Compromise Indicator Magic

Standards: OpenIOC

OpenIOC - a Mandiant-backed effort for a uniform representation of IOCs (Mandiant is now part of FireEye). http://www.openioc.org/

Page 12: Compromise Indicator Magic

OpenIOCs

Digital Appendices/Appendix G (Digital) - IOCs

```text
$ ls
0c7c902c-67f8-479c-9f44-4d985106365a.ioc  6bd24113-2922-4d25-b490-f727f47ba948.ioc  ad521068-6f18-4ab1-899c-11007a18ec73.ioc
12a40bf7-4834-49b0-a419-6abb5fe2b291.ioc  70b5be0c-8a94-44b4-97a4-1e95b09498a8.ioc  af5f65fc-e1ca-45db-88b1-6ccb7191ee6a.ioc
2106f0d2-a260-4277-90ab-edd3455e31fa.ioc  7c739d52-c669-4d51-ac15-8ae66305e232.ioc  Appendix G IOCs README.pdf
26213db6-9d3b-4a39-abeb-73656acb913e.ioc  7d2eaadf-a5ff-4199-996e-af6258874dad.ioc  c32b8af3-28d0-47d3-801f-a2c2b0129650.ioc
2bff223f-9e46-47a7-ac35-d35f8138a4c7.ioc  7f9a6986-f00a-4071-99d3-484c9158beba.ioc  c71b3305-85e5-4d51-b07c-ff227181fb5a.ioc
2fc55747-6822-41d2-bcc1-387fc1b2e67b.ioc  806beff3-7395-492e-be63-99a6b4a550b8.ioc  c7fa2ea5-36d5-4a52-a6cf-ddc2257cb6f9.ioc
32b168e6-dbd6-4d56-ba2f-734553239efe.ioc  84f04df2-25cd-4f59-a920-448d8843b6fc.ioc  d14d5f09-9050-4769-b00d-30fce9e6eb85.ioc
3433dad8-879e-40d9-98b3-92ddc75f0dcd.ioc  8695bb5e-29cd-41b9-b8b1-a0d20a6b960d.ioc  d1c65316-cddd-4d9c-8efe-c539aa5965c0.ioc
3e01b786-fe3a-4228-95fa-c3986e2353d6.ioc  86e9b8ec-7413-453b-a932-b5fb95a8dba6.ioc  d4f103f8-c372-49d1-b9f4-e127d61d0639.ioc
4a2c5f60-f4c0-4844-ba1f-a14dac9fa36c.ioc  86f988b7-fa02-46df-8e19-e50ce37f0fed.ioc  d5e49501-c30d-41ae-b381-c3c473040c39.ioc
4d1ced5f-fe47-4ba4-be0e-81d547f3aa8a.ioc  8900aa6b-883d-48d3-a07d-d49b0429dd2b.ioc  d8240090-affd-466e-a39c-64add5b98813.ioc
5477b392-e565-45c5-9cb4-f561d6daeddc.ioc  8dd23e0a-a659-45b4-a168-67e4b00944fb.ioc  e928aac0-9f71-4adf-9978-4177345ec610.ioc
547e4128-9dff-45d9-b90f-081ce3966dee.ioc  9c9368cd-3a1f-4200-b093-adb97d5f1f5d.ioc  eb91abad-afe0-4bd6-80f2-850d14a99308.ioc
56468547-6cf5-4c66-af56-2543d4271482.ioc  a1f02cbe-7d37-4ff8-bad7-c5f9f7ea63a3.ioc  ece1846e-98d3-4ddc-a520-0dcda4866989.ioc
6091c4ce-6d73-4202-a7a8-b52406fa4d77.ioc  a461f381-8612-4ce1-a0dc-68bcaca028d0.ioc  fabdf553-b3ed-4bc9-9ac6-13d6bd174dad.ioc
61695156-298c-4d77-ad7f-48feb562fb75.ioc  a486d837-9f05-4360-908e-b4244c24723d.ioc  fdfb2c22-d0c4-4bf0-8ea4-27d8d51f98ea.ioc
```

Page 13: Compromise Indicator Magic

Standards: Mitre

- Mitre CybOX: http://cybox.mitre.org/
  - https://github.com/CybOXProject/Tools
  - https://github.com/CybOXProject/openioc-to-cybox
- Mitre CAPEC: http://capec.mitre.org/
- Mitre STIX: http://stix.mitre.org/
- Mitre TAXII: http://taxii.mitre.org/

Page 14: Compromise Indicator Magic

Mature: STIX

Page 15: Compromise Indicator Magic

Indicators of Compromise

- Complex IOCs covering all steps of an attack
- Dynamic creation of IOCs on the fly
- Auto-reload of IOCs, TTLs
- Dealing with different standards (import/export)

Page 16: Compromise Indicator Magic

Exploit pack trace

```text
url ip mime-type ref
http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html 93.189.46.222 text/html http://www.smeysyatut.ru/ 118162 413 200
http://cuba.eanuncios.net/2909620968/1/1399422480.htm 93.189.46.222 text/html http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html 37432 441 200
http://cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive - 18451 323 200
http://cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive - 18451 280 200
http://cuba.eanuncios.net/f/1/1399422480/2909620968/2 93.189.46.222 - - 115020 244 200
http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2 93.189.46.222 - - 327 246 200
```

Page 17: Compromise Indicator Magic

Nuclear sploit pack

```python
{'Nuclear sploit pack': {
    'step1': {
        'files': ['wz3u6si8e5lh7k2tk5ox4ne6d8g.html', 't3f5y9a2bb3dl7z8gc4o6f.html',
                  'zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html', 'rx3vb9qg6lq8ll6ij4u2sa0xx3ln8le.html',
                  'k2qx3dv0ey7lo3rp8q6ce4lw0fp0z.html', 'kz6tp7k4cx3h4j8kr3za5a.html',
                  'wq6ln7o4zj3d4fu8zc3a5sw.html', 'z2c8mg6h0df2n2ss8kd2e6k7y.html'],
        'domains': ['father.ferremovil.com', 'thai.alohatransllc.com', 'cuba.eanuncios.net',
                    'duncan.disenocorporativo.com.ar', 'homany.collectiveit.com.au',
                    'privacy.terapia.org.ar'],
        'arguments': [],
        'directories': ['1'],
        'ip': ['93.189.46.201', '93.189.46.203', '93.189.46.222', '93.189.46.224', '93.189.46.233']},
    'step2': {
        'files': ['1399422480.htm', '1399704720.htm', '1399513440.htm', '1399514040.htm', '1399773300.htm'],
        'domains': ['cuba.eanuncios.net', 'duncan.disenocorporativo.com.ar',
                    'homany.collectiveit.com.au', 'privacy.terapia.org.ar'],
        'arguments': [],
        'directories': ['2909620968', '1', '507640988', '940276731', '3957283574', '952211704'],
        'ip': ['93.189.46.222', '93.189.46.224', '93.189.46.233']},
    'step3': {
        'files': ['1399422480.jar', '1399513440.jar'],
        'domains': ['cuba.eanuncios.net', 'homany.collectiveit.com.au'],
        'arguments': [],
        'directories': ['2909620968', '1', '940276731'],
        'ip': ['93.189.46.222', '93.189.46.224']},
    'step4': {
        'files': ['2'],
        'domains': ['cuba.eanuncios.net'],
        'arguments': [],
        'directories': ['f', '1', '1399422480', '2909620968', '2'],
        'ip': ['93.189.46.222']}}}
```

Page 18: Compromise Indicator Magic

Redirect (example)

```text
http://mysimuran.ru/forum/kZsjOiDMFb/ 89.111.178.33 http://agency.accordinga.pw/remain/unknown.html?mods=8&id=26,text/html
http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231 89.111.178.33 http://mysimuran.ru/forum/kZsjOiDMFb/,text/plain
http://c.hit.ua/hit?i=59278&g=0&x=2 89.184.81.35 http://mysimuran.ru/forum/kZsjOiDMFb/,image/gif
http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26 46.254.16.209 http://mysimuran.ru/forum/kZsjOiDMFb/,text/html
```

Page 19: Compromise Indicator Magic

Redirect Example

```python
{'28001': {
    'step1': {
        'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU'],
        'arguments': [],
        'files': [''],
        'ip': ['89.111.178.33'],
        'domains': ['mysimuran.ru']},
    'step2': {
        'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU', 'kJXshWOMNC'],
        'arguments': ['4231', '7697', '9741'],
        'files': ['js.js', 'cnt.html'],
        'ip': ['89.111.178.33'],
        'domains': ['mysimuran.ru']},
    'step3': {
        'directories': [],
        'arguments': ['i', 'g', 'x'],
        'files': ['hit'],
        'ip': ['89.184.81.35'],
        'domains': ['c.hit.ua']},
    'step4': {
        'directories': ['d1x', '3', '87475b26a521024ce78d7ea73164140a', 'd36eb1fc80ebe9df515d043be1557f57'],
        'arguments': [],
        'files': ['http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26',
                  'http%3A%2F%2Fstruck.lookeda.pw%2Fcongress%2Fpresident.html%3Flose%3D21%26amid%3D463'],
        'ip': ['46.254.16.209'],
        'domains': ['f-wake.browser-checks.info', 'a-oprzay.browser-checks.pw']}}}
```
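The per-step templates on the exploit pack trace (Pages 16-17) and on this redirect example are what you get when raw proxy log lines are linked through their referers and each step's URLs are decomposed into domain, directories, file, argument names and server IP. The block below is an added example written for this page, not the authors' tooling (ndf/hntp, linked on Page 9); it assumes the `url ip referer,mime-type` line layout of the redirect slide and uses those four lines as its sample input. Merging several chains into the same step buckets is what yields the multi-domain, multi-IP step lists shown above.

```python
"""Rebuild redirect / exploit-kit chains from proxy log lines and summarise each
step as the {files, domains, arguments, directories, ip} template used on the
slides. Added example for this page; the log layout assumed is the one of the
redirect slide: "url ip referer,mime-type"."""
from collections import OrderedDict
from urllib.parse import parse_qsl, urlsplit

# Sample input taken from the redirect slide above, one request per line.
SAMPLE_LOG = """\
http://mysimuran.ru/forum/kZsjOiDMFb/ 89.111.178.33 http://agency.accordinga.pw/remain/unknown.html?mods=8&id=26,text/html
http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231 89.111.178.33 http://mysimuran.ru/forum/kZsjOiDMFb/,text/plain
http://c.hit.ua/hit?i=59278&g=0&x=2 89.184.81.35 http://mysimuran.ru/forum/kZsjOiDMFb/,image/gif
http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26 46.254.16.209 http://mysimuran.ru/forum/kZsjOiDMFb/,text/html
"""

ATTRS = ('files', 'domains', 'arguments', 'directories', 'ip')


def parse_line(line):
    """'url ip referer,mime' -> dict. The mime type is split off from the right,
    so commas inside the referer do not break the parse."""
    url, ip, rest = line.split(' ', 2)
    referer, mime = rest.rsplit(',', 1)
    return {'url': url, 'ip': ip, 'referer': referer, 'mime': mime}


def decompose(url):
    """Split one URL into step attributes: hostname, path directories, final path
    element (empty for a trailing slash) and query parameter *names*. Percent
    encoding is left untouched, so a URL smuggled inside the path stays one token."""
    u = urlsplit(url)
    segments = u.path.lstrip('/').split('/')
    return {
        'domains': [u.hostname or ''],
        'directories': segments[:-1],
        'files': [segments[-1]],
        'arguments': [name for name, _ in parse_qsl(u.query, keep_blank_values=True)],
    }


def build_chains(records):
    """Link requests by referer in log order: a request joins the first open chain
    whose URLs include its referer, otherwise it starts a new chain (step 1)."""
    chains = []
    for rec in records:
        for chain in chains:
            if rec['referer'] in {r['url'] for r in chain}:
                chain.append(rec)
                break
        else:
            chains.append([rec])
    return chains


def _merge(target, values):
    """Append unseen values, keeping first-seen order (a set would lose it)."""
    for v in values:
        if v not in target:
            target.append(v)


def summarise(chains):
    """Merge all chains into one stepN -> attributes template. The same step of
    different chains lands in the same bucket, which is how the multi-domain
    step lists on the slides arise."""
    steps = OrderedDict()
    for chain in chains:
        for n, rec in enumerate(chain, 1):
            step = steps.setdefault('step%d' % n, {a: [] for a in ATTRS})
            parts = decompose(rec['url'])
            parts['ip'] = [rec['ip']]
            for attr in ATTRS:
                _merge(step[attr], parts[attr])
    return steps


def chain_template(log_text):
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return summarise(build_chains(records))


if __name__ == '__main__':
    import json
    print(json.dumps(chain_template(SAMPLE_LOG), indent=1))
```

Note that the chain is keyed on exact referer equality; a kit that strips or forges the Referer header will split into separate single-step chains, so a time-and-client based fallback is worth adding on real logs.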

Page 20: Compromise Indicator Magic

IOCs

Page 21: Compromise Indicator Magic

IOCs3

Page 22: Compromise Indicator Magic

IOCs viz

Page 23: Compromise Indicator Magic

IOCs viz(02)

Page 24: Compromise Indicator Magic

IOCs viz(3)

Page 25: Compromise Indicator Magic

IOCs viz(4)

Page 26: Compromise Indicator Magic

IOCs viz(5)

Page 27: Compromise Indicator Magic

Nuclear sploitpack

```javascript
// Client-side browser/OS fingerprinting as found in the Nuclear pack landing page:
// the kit skips anything that is not a stock desktop IE, i.e. the platforms it
// has no working exploit for. Kept as on the slide; stripos() is not a
// JavaScript built-in, the kit defines it elsewhere (not shown here).
function see_user_agent() {
  var replace_user_agent = ['Lunascape', 'iPhone', 'Macintosh', 'Linux', 'iPad', 'Flock',
                            'SeaMonkey', 'Nokia', 'SlimBrowser', 'AmigaOS', 'Android',
                            'FreeBSD', 'Chrome', 'IEMobile', 'Series40', 'SymbianOS',
                            'Avant', 'Chromium', 'Firefox', 'Maxthon', 'BlackBerry'];
  var low_user_agent = false;
  for (var i in replace_user_agent) {
    if (stripos(navigator.userAgent, replace_user_agent[i])) {
      low_user_agent = true;
      break;
    }
  }
  return low_user_agent;
}
```

Page 28: Compromise Indicator Magic

Sourcing External IOCs

- CIF - https://code.google.com/p/collective-intelligence-framework/
- feeds (with scrapers):

Page 29: Compromise Indicator Magic

Sourcing External IOCs

- feed your scrapers:
  - https://zeustracker.abuse.ch/blocklist.php?download=badips
  - http://malc0de.com/database/
  - https://reputation.alienvault.com/reputation.data
  - ...
- VT intelligence

Page 30: Compromise Indicator Magic

Sourcing IOCs Internally

- honeypot feeds
- log analysis
- traffic analysis

Page 31: Compromise Indicator Magic

Where to look for IOCs internally

- Outbound network traffic
- User activities / failed logins
- User profile folders
- Administrative access
- Access from unusual IP addresses
- Database I/O: excessive READs
- Size of responses of web pages
- Unusual access to particular files within a web application (backdoor)
- Unusual port/protocol connections
- DNS and HTTP traffic requests
- Suspicious scripts, executables and data files

Page 32: Compromise Indicator Magic

Challenges

Why do we need IOCs? Because they make it easier to systematically describe knowledge about breaches.

- Identifying intrusions is hard
- Unfair game:
  - the defender has to protect all the assets
  - the attacker only needs to own one system
- Identifying targeted, organized intrusions is even harder
- Minor anomalous events are important when put together
- Seeing the global picture is a must
- Details matter
- Attribution is hard

Page 33: Compromise Indicator Magic

Use honeypots

- Running honeypots gives an enormous advantage in detecting emerging threats
- Strategically placing honeypots is extremely important

Page 34: Compromise Indicator Magic

HPfeeds, Hpfriends and more

Page 35: Compromise Indicator Magic

HPFeeds Architecture

Page 36: Compromise Indicator Magic

HPFeeds API in nutshell:

```python
import json

import hpfeeds   # Honeynet Project hpfeeds client
import pygeoip   # MaxMind legacy GeoIP database reader

HOST = 'broker'
PORT = 20000
CHANNELS = ['geoloc.events']
IDENT = 'ident'
SECRET = 'secret'

gi = pygeoip.GeoIP('GeoLiteCity.dat')
hpc = hpfeeds.new(HOST, PORT, IDENT, SECRET)


def publish_hit(ip):
    """Geolocate one honeypot hit (ip = the attacking address, supplied by the
    honeypot; the slide leaves it undefined) and publish it to the channel."""
    rec = gi.record_by_addr(ip)
    msg = {'latitude': rec['latitude'],
           'longitude': rec['longitude'],
           'type': 'honeypot hit'}
    hpc.publish(CHANNELS, json.dumps(msg))
```

Page 37: Compromise Indicator Magic

hpfeeds integration

Page 38: Compromise Indicator Magic

NTP probe collector

Page 39: Compromise Indicator Magic

HPFeeds and honeymap

Page 40: Compromise Indicator Magic

Applying IOCs to your detection process

moloch moloch moloch :)

Page 41: Compromise Indicator Magic

Tools for Dynamic Detection of IOC

- Snort
- Yara + yara-enabled tools
- Moloch
- Splunk / log search
- roll-your-own :p

Page 42: Compromise Indicator Magic

Moloch

Moloch is awesome:

Page 43: Compromise Indicator Magic

Open-source tools

- OpenIOC manipulation:
  - https://github.com/STIXProject/openioc-to-stix
  - https://github.com/tklane/openiocscripts
- Mantis Threat Intelligence Framework: https://github.com/siemens/django-mantis.git
  Mantis supports STIX/CybOX/IODEF/OpenIOC etc. via importers: https://github.com/siemens/django-mantis-openioc-importer
- Search Splunk data for IOC indicators: https://github.com/technoskald/splunk-search
- Our framework: http://github.com/fygrave/iocmap/

Page 44: Compromise Indicator Magic

iocmap

Page 45: Compromise Indicator Magic

MISP

- http://www.secure.edu.pl/pdf/2013/D2_1530_A_Socha.pdf
- https://github.com/MISP

Page 46: Compromise Indicator Magic

Tools for Dynamic Detection

- Moloch
- Moloch supports Yara (IOCs can be directly applied)
- Moloch has an awesome tagger plugin:

```ini
# tagger.so
# provides the ability to import text files with IPs and/or hostnames
# into a sensor, which causes auto-tagging of all matching sessions
plugins=tagger.so
taggerIpFiles=blacklist,tag,tag,tag...
taggerDomainFiles=domainbasedblacklists,tag,tag,tag
```

Page 47: Compromise Indicator Magic

Moloch plugins

Moloch is easily extendable with your own plugins.

- https://github.com/fygrave/moloch_zmq - makes it easy to integrate other things with Moloch via a ZMQ queue (pub/sub or push/pull model)

Page 48: Compromise Indicator Magic

Moloch ZMQ example

CEP-based analysis of network traffic (using Esper): https://github.com/fygrave/clj-esptool/

```clojure
(esp:add "create context SegmentedBySrc partition by src from WebDataEvent")
(esp:add "context SegmentedBySrc select src, rate(30) as rate, avg(rate(30)) as avgRate
          from WebDataEvent.win:time(30) having rate(30) < avg(rate(30)) * 0.75
          output snapshot every 60 sec")
(future-call start-counting)
```
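The Esper statement above partitions the web-event stream by source, keeps a 30-second time window per source, and every 60 seconds reports sources whose current rate has dropped below 75% of their average rate (a client that suddenly goes quiet, or a sensor that stopped feeding). The following is an added example of the same logic in plain Python, written for this page and unrelated to clj-esptool; the event stream is constructed and the averaging (a running mean of the per-event window rate) is an assumption about what `avg(rate(30))` computes.

```python
"""Per-source sliding-window request-rate anomaly, a plain-Python rendering of
the Esper statement above. Added example for this page, not clj-esptool code."""
from collections import defaultdict, deque

WINDOW = 30.0      # seconds: rate(30) / win:time(30)
THRESHOLD = 0.75   # flag when rate(30) < avg(rate(30)) * 0.75
SNAPSHOT = 60.0    # "output snapshot every 60 sec"


class RateContext:
    """One partition per src: timestamps within the last WINDOW seconds plus a
    running mean of the window rate sampled at every event (assumed semantics)."""
    def __init__(self):
        self.events = deque()
        self.rate_sum = 0.0
        self.samples = 0

    def observe(self, ts):
        self.events.append(ts)
        self.expire(ts)
        self.rate_sum += self.rate()
        self.samples += 1

    def expire(self, now):
        while self.events and now - self.events[0] > WINDOW:
            self.events.popleft()

    def rate(self):
        return len(self.events) / WINDOW      # events per second over the window

    def avg_rate(self):
        return self.rate_sum / self.samples if self.samples else 0.0


class RateMonitor:
    def __init__(self):
        self.ctx = defaultdict(RateContext)
        self.next_snapshot = SNAPSHOT
        self.alerts = []

    def feed(self, ts, src):
        """Feed one WebDataEvent(ts, src); events must arrive in time order.
        Returns the snapshots (lists of flagged rows) that became due."""
        self.ctx[src].observe(ts)
        out = []
        while ts >= self.next_snapshot:
            out.append(self.snapshot(self.next_snapshot))
            self.next_snapshot += SNAPSHOT
        return out

    def snapshot(self, now):
        """The 'having' clause, evaluated for every partition at snapshot time;
        expiring first is what lets a silent source show a rate of zero."""
        rows = []
        for src, c in self.ctx.items():
            c.expire(now)
            r, a = c.rate(), c.avg_rate()
            if r < a * THRESHOLD:
                rows.append({'src': src, 'rate': r, 'avgRate': a, 'at': now})
        self.alerts.extend(rows)
        return rows


def run_demo():
    """Constructed stream: 'steady' requests once a second for 120 s; 'quiet' does
    the same but stops after 60 s, so at the 120 s snapshot its window is empty."""
    mon = RateMonitor()
    events = [(t, 'steady') for t in range(121)] + [(t, 'quiet') for t in range(61)]
    for ts, src in sorted(events):
        mon.feed(float(ts), src)
    return mon.alerts


if __name__ == '__main__':
    for row in run_demo():
        print(row)
```

A drop in rate is only one side of the picture; the same skeleton with the comparison inverted catches a host that starts beaconing or scanning at a rate far above its own baseline.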

Page 49: Compromise Indicator Magic

Sources of IOCs

- IOC Bucket: http://iocbucket.com
- Public blacklists/trackers can also be used as a source:
  - https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
  - https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
- ESET IOC repository: https://github.com/eset/malware-ioc
- more coming?

Page 50: Compromise Indicator Magic

where to mine IOC

I passive HTTP (keep your data recorded)
I passive DNS

These platforms provide the ability to mine traffic or patterns from the past based on IOC similarity: "show me all the packets similar to this IOC". We implemented a whois service for IOC look-ups:

whois -h ioc.host.com attribute:value+attribute:value

Page 51: Compromise Indicator Magic

Mining IOCs from your own data

I find and investigate an incident
I or even read a paper
I determine indicators and test them in YOUR environment
I use the new indicators in the future

see IOC cycle we mentioned earlier

Page 52: Compromise Indicator Magic

Example

If an event chain leads to compromise:

http://liapolasens[.]info/indexm.html

http://liapolasens[.]info/counter.php?t=f&v=win%2011,7,700,169&a=true

http://liapolasens[.]info/354RIcx

http://liapolasens[.]info/054RIcx

What to do?

Page 53: Compromise Indicator Magic

Use YARA, or tune your own tools

rule susp_params_in_url_kind_of_fileless_bot_drive_by
{
    meta:
        date = "oct 2013"
        description = "Landing hxxp://jdatastorelame.info/indexm.html  04.10.2013 13:14  108.62.112.84  "
        description1 = " Java Sploit hxxp://jdatastorelame.info/054RIwj     "

    strings:
        $string0 = "http"
        $string1 = "indexm.html"
        $string2 = "054RI"

    condition:
        all of them
}
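The "tune your own tools" option for the event chain shown two slides back, as an added example that is not the deck's code: a small state machine over proxy log lines that reports a client only when it fetched the landing page, the plugin-version check and a payload URL in that order inside a short window, which is tighter than matching the three strings anywhere. The log format, client addresses and timestamps are constructed; the domain is kept in the slide's defanged form.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not the deck's data): "date time client url".
# The domain stays in the defanged liapolasens[.]info form used on the slide.
LOG = """\
2013-10-04 13:14:02 10.0.0.5 http://liapolasens[.]info/indexm.html
2013-10-04 13:14:03 10.0.0.5 http://liapolasens[.]info/counter.php?t=f&v=win%2011,7,700,169&a=true
2013-10-04 13:14:05 10.0.0.5 http://liapolasens[.]info/354RIcx
2013-10-04 13:14:09 10.0.0.5 http://liapolasens[.]info/054RIcx
2013-10-04 13:20:00 10.0.0.7 http://liapolasens[.]info/indexm.html
2013-10-04 13:20:01 10.0.0.7 http://liapolasens[.]info/counter.php?t=f&v=win%2011,7,700,169&a=true
2013-10-04 14:00:00 10.0.0.9 http://liapolasens[.]info/054RIcx
"""
# The slide's chain as ordered stages: landing, plugin-version check, payload fetch (/NNNRIxx).
STAGES = [
    ("landing", re.compile(r"^/indexm\.html$")),
    ("plugin_check", re.compile(r"^/counter\.php\?t=f&v=")),
    ("payload", re.compile(r"^/\d{3}RI\w{2}$")),
]
WINDOW = timedelta(seconds=60)  # the whole chain must complete within this

def parse(line):
    date, clock, client, url = line.split(" ", 3)
    host, _, path = url.partition("://")[2].partition("/")
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), client, host, "/" + path

def stage_of(path):
    return next((name for name, rx in STAGES if rx.match(path)), None)

def find_chains(log_text):
    """Return [(client, host, chain_start)] for each client that hit all stages in order."""
    state = defaultdict(lambda: (0, None, None))  # client -> (next stage idx, start ts, host)
    hits = []
    for line in log_text.splitlines():
        ts, client, host, path = parse(line)
        stage = stage_of(path)
        if stage == "landing":  # a landing-page hit always (re)starts the chain
            state[client] = (1, ts, host)
            continue
        idx, start, chain_host = state[client]
        if stage is None or start is None or stage != STAGES[idx][0] or ts - start > WINDOW:
            continue
        state[client] = (idx + 1, start, chain_host)
        if idx + 1 == len(STAGES):  # payload fetched: full drive-by chain observed
            hits.append((client, chain_host, start))
            state[client] = (0, None, None)
    return hits
```

On the constructed log only 10.0.0.5 is reported; 10.0.0.7 stopped after the plugin check and 10.0.0.9 fetched a payload URL without the preceding stages.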

Page 54: Compromise Indicator Magic

Use snort to catch suspicious traffic:

# many plugX deployments connect to google DNS when not in use
alert tcp !$DNS_SERVERS any -> 8.8.8.8 53 (msg:"APT possible PlugX Google DNS TCP port 53 connection attempt"; classtype:misc-activity; sid:500000112; rev:1;)

Page 55: Compromise Indicator Magic

GRR: Google Rapid Response: http://code.google.com/p/grr/

Hunting IOC artifacts with GRR

Page 56: Compromise Indicator Magic

GRR: Creating rules

Page 57: Compromise Indicator Magic

GRR: hunt in progress

Page 58: Compromise Indicator Magic

Campaign walkthrough

Page 59: Compromise Indicator Magic

An Example

A network compromise case study:
I Attackers broke in via a web vuln.
I Attackers gained local admin access
I Attackers created a local user
I Attackers started probing other machines for default user ids
I Attackers launched tunneling tools, connecting back to C2
I Attackers installed RATs to maintain access

Page 60: Compromise Indicator Magic

Indicators

So what are the compromise indicators here?

I Where did attackers come from? (IP)
I What vulnerability was exploited? (pattern)
I What web backdoor was used? (pattern, hash)
I What tools were uploaded? (hashes)
I What users were created locally? (username)
I What usernames were probed on other machines?

Page 61: Compromise Indicator Magic

Good or Bad?

File Name                   : RasTls.exe
File Size                   : 105 kB
File Modification Date/Time : 2009:02:09 19:42:05+08:00
File Type                   : Win32 EXE
MIME Type                   : application/octet-stream
Machine Type                : Intel 386 or later, and compatibles
Time Stamp                  : 2009:02:02 13:38:37+08:00
PE Type                     : PE32
Linker Version              : 8.0
Code Size                   : 49152
Initialized Data Size       : 57344
Uninitialized Data Size     : 0
Entry Point                 : 0x3d76
OS Version                  : 4.0
Image Version               : 0.0
Subsystem Version           : 4.0
Subsystem                   : Windows GUI
File Version Number         : 11.0.4010.7
Product Version Number      : 11.0.4010.7
File OS                     : Windows NT 32-bit
Object File Type            : Executable application
Language Code               : English (U.S.)
Character Set               : Windows, Latin1
Company Name                : Symantec Corporation
File Description            : Symantec 802.1x Supplicant
File Version                : 11.0.4010.7
Internal Name               : dot1xtray

Page 62: Compromise Indicator Magic

It really depends on context

RasTls.DLL
RasTls.DLL.msc
RasTls.exe

http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx
Dynamic-Link Library Search Order

Page 63: Compromise Indicator Magic

Categorization based on public sources

Page 64: Compromise Indicator Magic

Categorization based on historical data

Page 65: Compromise Indicator Magic

Categorization based on cross-source correlation

Visualizing the Threats

Filtering noisy extras

Making decisions

Page 66: Compromise Indicator Magic

Investigating using known IOCs

Investigating Static host based IOCs

Investigating Dynamic host based IOCs

Investigating Static network IOCs

Investigating Dynamic network IOCs

Page 67: Compromise Indicator Magic

Analyzing network traffic and DNS

Page 68: Compromise Indicator Magic

Analyzing HTTP traffic

I User agents
I suspicious domains
I static analysis of HTTP headers

Page 69: Compromise Indicator Magic

Analyzing AV logs

23.01.13 19:56 Detected: Trojan-Spy.Win32.Zbot.aymr C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/27/4169865b-641d53c9/UPX
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.ck C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/bpac/b.class
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.cs C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/ot/pizdi.class
23.01.13 19:58 Detected: HEUR:Exploit.Java.CVE-2013-0422.gen C:/Documents and Settings/user1/Local Settings/Temp/jar_cache3538799837370652468.tmp

Page 70: Compromise Indicator Magic

Analyzing AV logs

01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/pictures/demos/OAggq application/x-java-archive
01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/pictures/demos/OAggq application/x-java-archive
01/14/13 06:57 PM 178.238.141.19 http://loretaa0-shot.co/career...45 application/octet-stream
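Mining the two log types above together, as an added example that is not the deck's code: it parses the AV detection and proxy log formats shown on these slides, keeps the detections that arrived through Java (deployment cache, jar_cache temp files), and lists the hosts that served a JAR or binary to the infected client within a few minutes of each detection, which is where the next network IOC usually comes from. The sample lines, the client address 10.0.0.5 and the URL paths are constructed; only the domain names are taken from the slide.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not the deck's data) in the two formats shown above:
# Kaspersky-style AV detections and a proxy log "date time AM/PM client url mime".
AV_LOG = """\
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.ck C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/bpac/b.class
23.01.13 19:58 Detected: HEUR:Exploit.Java.CVE-2013-0422.gen C:/Documents and Settings/user1/Local Settings/Temp/jar_cache3538799837370652468.tmp
23.01.13 21:10 Detected: Trojan.Win32.Generic C:/Documents and Settings/user1/Desktop/setup.exe
"""
PROXY_LOG = """\
01/23/13 07:55 PM 10.0.0.5 http://machete0-yhis.me/pictures/demos/OAggq application/x-java-archive
01/23/13 07:55 PM 10.0.0.5 http://www.example.com/index.html text/html
01/23/13 07:57 PM 10.0.0.5 http://loretaa0-shot.co/dl/sample.bin application/octet-stream
01/23/13 08:30 PM 10.0.0.5 http://cdn.example.net/app.jar application/x-java-archive
01/23/13 07:56 PM 10.0.0.8 http://loretaa0-shot.co/dl/sample.bin application/octet-stream
"""
AV_RX = re.compile(r"^(\d\d\.\d\d\.\d\d \d\d:\d\d) Detected: (\S+) (.+)$")
PROXY_RX = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d [AP]M) (\S+) (\S+) (\S+)$")
# MIME types under which the exploit kit delivered JARs and droppers in the logs above
DROPPER_MIMES = {"application/x-java-archive", "application/java-archive", "application/octet-stream"}

def parse_av(text):
    """[(ts, detection_name, path)] for every well-formed AV line."""
    rows = [AV_RX.match(line) for line in text.splitlines()]
    return [(datetime.strptime(m[1], "%d.%m.%y %H:%M"), m[2], m[3]) for m in rows if m]

def parse_proxy(text):
    """[(ts, client, url, mime)] for every well-formed proxy line."""
    rows = [PROXY_RX.match(line) for line in text.splitlines()]
    return [(datetime.strptime(m[1], "%m/%d/%y %I:%M %p"), m[2], m[3], m[4]) for m in rows if m]

def java_delivered(name, path):
    # files in the Java deployment cache or jar_cache temp files arrived through the browser
    return ".Java." in name or "/Java/Deployment/cache/" in path or "/jar_cache" in path

def correlate(av_text, proxy_text, client_ip, window=timedelta(minutes=5)):
    """Map each host that served a JAR/binary to client_ip within `window` of a Java
    detection to those detection names: candidate network IOCs for this incident."""
    downloads = [r for r in parse_proxy(proxy_text) if r[1] == client_ip and r[3] in DROPPER_MIMES]
    candidates = {}
    for av_ts, name, path in parse_av(av_text):
        if not java_delivered(name, path):
            continue
        for ts, _client, url, _mime in downloads:
            if abs(ts - av_ts) <= window:
                host = url.split("/")[2]
                candidates.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in candidates.items()}
```

The text/html page and the JAR fetched half an hour later are dropped by the MIME and time filters, so only the two hosts that served content right around the detections come out as candidates, and they still need the "test in YOUR environment" step from the IOC cycle before they become indicators.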

Page 71: Compromise Indicator Magic

Analyzing AV logs

Page 72: Compromise Indicator Magic

Analyzing AV logs

Page 73: Compromise Indicator Magic

Analyzing AV logs

Page 74: Compromise Indicator Magic

Creating host based IOCs

hashes, mutexes, threatexpert

Page 75: Compromise Indicator Magic

Questions

And answers :)
