© 2017 SPLUNK INC. The “Hidden Empires” of Malware Dave Ryan International Conference on Cyber Security January 2018


Page 1: Hidden empires of malware

The “Hidden Empires” of Malware

Dave Ryan

International Conference on Cyber Security

January 2018

Page 2: Hidden empires of malware

Disclaimer

During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. I often lie. Maybe this is a lie. Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes, the wøndërful telephøne system and mäni interesting furry animals. The characters and incidents portrayed and the names used in this Presentation are fictitious and any similarity to the names, characters, or history of any person is entirely accidental and unintentional. Signed RICHARD M. NIXON. Including the majestik møøse. A Møøse once bit my Marcus... No realli! He was Karving his initials on the møøse with the sharpened end of an interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. Splunk undertakës no øbligation either to develøp the features or functionality described or to include any such feature or functionality in a future release.

Page 3: Hidden empires of malware

# whoami > Ryan Kovar, CISSP, MSc(Dist)

Staff Security Strategist

Minister of the OODAloopers

@meansec

▶ 17 years of cyber security experience

▶ Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research

▶ Also investigating why printers are so insubordinate ಠ_ಠ

Page 4: Hidden empires of malware

# whoami > Dave Herrald, CISSP, GIAC G*, GSE #79

Security Architect @splunk

@daveherrald

- 20+ years IT and security

- Information security officer, security architect, pen tester, consultant, SE, system/network engineer

- Former SANS Mentor

- Co-creator of Splunk Boss of the SOC

Page 5: Hidden empires of malware

Agenda

▶ Answering some W's

• What are we talking about with “Hunting Empires”?

• What are SSL certificates and why do I care?

• What can I do with them?

▶ Talk about the “H”

• How can I get this data myself?

▶ And now another W

• Where can I get this awesome stuff!

Page 6: Hidden empires of malware

Page 7: Hidden empires of malware

On the shoulders of giants

Page 8: Hidden empires of malware

Mark Parsons, “Lord of SSL Pivoting”

@markpars0ns

▶ https://t.co/amyR9pU8o4

▶ https://medium.com/@mark.parsons/hunting-a-tls-certificate-series-post-1-6ad7adfebe44

▶ https://mpars0ns.github.io/bsidescharm-2016slides/

▶ https://mpars0ns.github.io/archc0n-2016-tls-slides/#/

▶ https://www.slideshare.net/MSbluehat/bluehat-v17-using-tls-certificates-to-track-activity-groups

Page 9: Hidden empires of malware

What are these “Hidden” Empires?

Page 10: Hidden empires of malware

POWERSHELL EMPIRE

Page 11: Hidden empires of malware

• Similar to Metasploit in user experience

• C2 functionality

• Second stage infection/implant after initial infection

• Used extensively for lateral movement

Page 12: Hidden empires of malware

Sometimes it's hard to find evidence that

Page 13: Hidden empires of malware

Place Holder PowerSploit Capabilities

Page 14: Hidden empires of malware

Place Holder PowerSploit Capabilities

Page 15: Hidden empires of malware

Page 16: Hidden empires of malware

Page 17: Hidden empires of malware

Page 18: Hidden empires of malware

Page 19: Hidden empires of malware

SSL Certificates

Page 20: Hidden empires of malware

What are SSL certificates and why do I care?

Page 21: Hidden empires of malware

Sooo… SSL Certificates?

“[SSL certificates are] Small [unencrypted] data files that digitally bind a cryptographic key to an organization’s details.” [1]

[1] https://www.godaddy.com/help/what-is-an-ssl-certificate-542

Page 22: Hidden empires of malware

So that shows SSL certificates?

Page 23: Hidden empires of malware

Censys.io

Page 24: Hidden empires of malware

Circl.lu

Page 25: Hidden empires of malware

Passivetotal.org

Page 26: Hidden empires of malware

Splunk!

Page 27: Hidden empires of malware

Internet-Wide Scan Data Repository

▶ Public archive of research data

▶ Hosted by the Censys team at the University of Michigan

▶ Perform scans, and host results from other teams

▶ The data on the site is restricted to non-commercial use

▶ https://scans.io (https://scans.io/json)

Page 28: Hidden empires of malware

Exploring scans.io Studies

Web Interface: https://scans.io

JSON: https://scans.io/json

Command Line: $ python ./download.py --liststudies

https://github.com/daveherrald/scansio-sonar-splunk

Page 29: Hidden empires of malware


Project Sonar by Rapid7

https://sonar.labs.rapid7.com/

▶ Many studies

• SSL Certificates

• HTTP Content

• HTTPS Content

• DNS

• Various TCP/UDP services (SSH, SMB, Telnet, etc.)

▶ Hosted at scans.io

▶ Please review Project Sonar TOS

▶ Thanks to Rapid7 Labs!

Page 30: Hidden empires of malware


SSL Certificates Study (sonar.ssl)

▶ October 30, 2013 – Present

▶ Raw size

• Entire data set: 315 GB compressed (as of 02JAN2017)

• Weekly: ~1.5 - 2.0 GB compressed

▶ Entire data set indexed in Splunk: ~1.2TB

▶ Scan the entire Internet (TCP/443 only)

▶ Comprised of:

• Observed certificates *

• Observed IP address / certificate *

• Names

• Endpoints

Page 31: Hidden empires of malware

sonar.ssl Certificates

2 Column CSV: SHA1 Hash + Base64 Encoded DER

Decoded DER (https://gchq.github.io)

Page 32: Hidden empires of malware

sonar.ssl Certificate in Splunk

index=sonarsslcert earliest=0 hash_id=b4c68c2fe3e689bd51c3676c69c02454be1f545f

Page 33: Hidden empires of malware

sonar.ssl Hosts

2 Column CSV: IP Address + Certificate hash (SHA1)

Host, IP Address, Observation Date

Enriched with Country and ASN via Maxmind

Page 34: Hidden empires of malware


sonar.ssl First/Last seen

Search for a hash, or pivot here from search
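The "known" side of the hunt, done outside Splunk, as an added example that is not code from the slides or from the scansio-sonar-splunk project: sonar.ssl host rows ("ip,sha1") from several weekly files are indexed by certificate fingerprint so that a watch-list of known-bad SHA1s can be answered with first seen, last seen and the hosts that presented the certificate. The Gozi fingerprint is the one the deck cites; the other hash, the IPs (documentation ranges) and the dates are constructed, and it is an assumption that the observation date is the YYYYMMDD prefix of each file name.

```python
# Added example (not from the slides or the scansio-sonar-splunk project):
# first/last-seen pivot over sonar.ssl-style host rows for a known-bad watch-list.
from collections import defaultdict

# Gozi SHA1 as cited on the slides; everything else below is constructed sample data.
GOZI = "8fc4a51bb808d0050a85f55de93b3aa9db4fef90"
OTHER = "ffffffffffffffffffffffffffffffffffffffff"   # placeholder fingerprint
KNOWN_BAD = {GOZI: "Gozi Trojan"}

# Three constructed weekly host files; assumed layout: YYYYMMDD prefix, "ip,sha1" rows.
SAMPLE_FILES = {
    "20171204_hosts.csv": f"203.0.113.10,{GOZI}\n198.51.100.7,{OTHER}\n",
    "20171211_hosts.csv": f"203.0.113.10,{GOZI}\n203.0.113.11,{GOZI}\n",
    "20171218_hosts.csv": f"198.51.100.7,{OTHER}\n",
}


def observed_on(filename):
    """'20171204_hosts.csv' -> '2017-12-04' (ISO strings sort chronologically)."""
    return f"{filename[:4]}-{filename[4:6]}-{filename[6:8]}"


def index_hosts(files):
    """Build {sha1: {'first': date, 'last': date, 'hosts': {ip, ...}}} over all rows."""
    idx = defaultdict(lambda: {"first": None, "last": None, "hosts": set()})
    for filename, body in files.items():
        seen = observed_on(filename)
        for line in body.splitlines():
            if not line.strip():
                continue
            ip, sha1 = line.split(",", 1)
            rec = idx[sha1.strip().lower()]
            rec["first"] = seen if rec["first"] is None else min(rec["first"], seen)
            rec["last"] = seen if rec["last"] is None else max(rec["last"], seen)
            rec["hosts"].add(ip.strip())
    return idx


def hunt_known(files, watch_list=KNOWN_BAD):
    """Watch-list fingerprints that appear in the scan data, with their timeline."""
    idx = index_hosts(files)
    return {sha1: {"label": label, **idx[sha1]}
            for sha1, label in watch_list.items() if sha1 in idx}


if __name__ == "__main__":
    for sha1, rec in hunt_known(SAMPLE_FILES).items():
        print(sha1, rec["label"], rec["first"], rec["last"], sorted(rec["hosts"]))
```

Because the index keys on the fingerprint rather than the IP, the same structure answers the pivot the slide describes (start from a hash, get every host and observation date) and, with a different watch-list, the reverse question of which certificates a suspect IP has presented over time.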

Page 35: Hidden empires of malware


HTTPS (TCP/443) (sonar.https)

▶ July 25, 2016 – Present

▶ Raw size

• Entire data set: ~3.2 TB compressed (as of 02JAN2017)

• Weekly: ~25 GB compressed

▶ Entire data set indexed in Splunk: ~10TB

▶ Scan the entire Internet (TCP/443 only)

▶ Comprised of:

• IP

• Path

• Port (Always 443)

• Certificate Subject

• Payload!

Page 36: Hidden empires of malware


HTTPS (TCP/443) (sonar.https) in Splunk

index=sonarhttps earliest=0

Page 37: Hidden empires of malware

[1] David Bianco http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

Page 38: Hidden empires of malware

Page 39: Hidden empires of malware

openssl req -new -x509 -keyout ../data/empire-priv.key -out ../data/empire-chain.pem -days 365 -nodes -subj "/C=US" >/dev/null 2>&1

Page 40: Hidden empires of malware

Page 41: Hidden empires of malware

VS

Page 42: Hidden empires of malware

And I care why?

Page 43: Hidden empires of malware


One of these is not like the others

Page 44: Hidden empires of malware

We use Splunk

But you don’t have to!

Page 45: Hidden empires of malware

But what do we do with it?

Page 46: Hidden empires of malware


You can do at least two things with SSL Certificate information

Known

Unknown

Page 47: Hidden empires of malware

THE SSL CERTIFICATES IN YOUR INCIDENTS ARE REAL.

Page 48: Hidden empires of malware


Start with some known naughty SSL SHA1 fingerprints

Page 49: Hidden empires of malware


Gozi Trojan

8fc4a51bb808d0050a85f55de93b3aa9db4fef90

Page 50: Hidden empires of malware

Page 51: Hidden empires of malware

Page 52: Hidden empires of malware

Page 53: Hidden empires of malware

Page 54: Hidden empires of malware

“As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. And when someone tries to hunt in CyberSpace the known unknowns are the hardest to find.”

- Donald “Cybersfeld”

Page 55: Hidden empires of malware


Hunting PowerShell Empire

Page 56: Hidden empires of malware


C=US is weird…
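The "unknown" side of the hunt, as an added example that is not code from the slides or from the scansio-sonar-splunk project: a standard-library-only DER walker that reads sonar.ssl-style certificate rows ("sha1,base64(DER)", the two-column format described earlier in the deck), pulls each certificate's Subject, and flags the ones whose subject is nothing but C=US, which is exactly what the openssl command shown earlier writes. The sample rows are constructed here: structurally valid but unsigned certificate skeletons built by a small helper, not real Sonar data. Only the subject name is parsed; nothing about the signature, validity period or key is checked.

```python
# Added example (not from the slides or the scansio-sonar-splunk project):
# flag sonar.ssl rows whose certificate subject is exactly C=US.
import base64
import csv
import hashlib
import io

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU"}


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed element's body into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Dotted form of a DER-encoded OBJECT IDENTIFIER body."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_string(tag, raw):
    """Decode the usual DirectoryString encodings (BMPString is UTF-16-BE)."""
    return raw.decode("utf-16-be") if tag == 0x1E else raw.decode("utf-8", "replace")


def parse_name(name_value):
    """Parse an X.501 Name body into [(attr, value), ...] in encoded order."""
    pairs = []
    for _set_tag, rdn in der_children(name_value):          # RelativeDistinguishedName
        for _seq_tag, atv in der_children(rdn):             # AttributeTypeAndValue
            (_, oid), (val_tag, val) = der_children(atv)
            oid = decode_oid(oid)
            pairs.append((OID_NAMES.get(oid, oid), decode_string(val_tag, val)))
    return pairs


def subject_of(cert_der):
    """Walk Certificate -> tbsCertificate -> subject, skipping the optional [0] version."""
    _, cert, _ = der_tlv(cert_der)
    fields = der_children(der_children(cert)[0][1])
    idx = 1 if fields[0][0] == 0xA0 else 0
    return parse_name(fields[idx + 4][1])   # serial, sigAlg, issuer, validity, subject


def find_bare_c_us(csv_text):
    """SHA1s of rows whose subject is exactly C=US and nothing else."""
    return [sha1 for sha1, b64 in csv.reader(io.StringIO(csv_text))
            if subject_of(base64.b64decode(b64)) == [("C", "US")]]


# --- constructed sample rows: structurally valid, unsigned skeletons, not real Sonar data ---
def tlv(tag, body):
    return bytes([tag, len(body)]) + body          # short-form lengths suffice here


def name(*pairs):
    """Build a DER Name with one attribute per RDN, values as PrintableString."""
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, v.encode())))
                              for oid, v in pairs))


def fake_cert(subject):
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")   # v3, serial, sigAlg
           + name((b"\x55\x04\x06", "US")) + tlv(0x30, b"") + subject + tlv(0x30, b""))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))


C_OID, CN_OID = b"\x55\x04\x06", b"\x55\x04\x03"
EMPIRE_LIKE = fake_cert(name((C_OID, "US")))
ORDINARY = fake_cert(name((C_OID, "US"), (CN_OID, "www.example.com")))
EMPIRE_LIKE_SHA1 = hashlib.sha1(EMPIRE_LIKE).hexdigest()
SAMPLE_ROWS = "\n".join(f"{hashlib.sha1(d).hexdigest()},{base64.b64encode(d).decode()}"
                        for d in (EMPIRE_LIKE, ORDINARY))

if __name__ == "__main__":
    print(find_bare_c_us(SAMPLE_ROWS))   # prints a list holding EMPIRE_LIKE_SHA1
```

A bare C=US subject is a starting point, not a verdict: the deck's own numbers (90 suspect certificates, 3 confirmed) show why hits should be joined back to the host observations and checked against other fields before they are treated as findings.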

Page 57: Hidden empires of malware

Page 58: Hidden empires of malware

Page 59: Hidden empires of malware

Page 60: Hidden empires of malware

Page 61: Hidden empires of malware

Page 62: Hidden empires of malware

200MM IPs

90 suspect

3 PSE

:-)

Page 63: Hidden empires of malware

Oh… Just one more thing…

Page 64: Hidden empires of malware

Splunk-based Certificate Research Platform

Splunk Indexers (QTY=3): i3.2xlarge, 8 TB EBS Volume (10,000 IOPs), Elastic IP

Splunk Search Head (QTY=1): c3.4xlarge, Elastic IP

Data Staging and Load (QTY=1): i3.16xlarge, 8 TB EBS Volume (10,000 IOPs), Elastic IP

Elastic Load Balancer: TCP/8088, Splunk HTTP Event Collector

Internet-Wide Scans Repository: https://scans.io

Processing and Load Metrics: 6,000 Certificates / Second, 25,000 Hosts / Second

Page 65: Hidden empires of malware

Certificate Research Platform Resources

https://github.com/daveherrald/scansio-sonar-splunk

• Download any scans.io study, load sonar.ssl & sonar.https into Splunk for analysis

https://github.com/mpars0ns/scansio-sonar-es

• Download sonar.ssl, load into Elasticsearch

Page 66: Hidden empires of malware


Splunk Licensing

Free: 500MB / day

Enterprise Trial: 500MB / Day

Developer: 10 GB/Day

Enterprise Dev/Test: 50GB/day

Splunk Enterprise

Each approach has its pros and cons, but recall:

Page 67: Hidden empires of malware

Can we wrap this up?

Page 68: Hidden empires of malware

Conclusion

▶ SSL certificates can be a great way to track adversary behavior

▶ Consider tracking from known and unknown

▶ Think about bringing SSL certificates “in house” to use and run greater analysis against with temporal knowledge

Page 69: Hidden empires of malware

Special Thanks

▶ Mark Parsons

▶ IKBD

▶ Rapid 7

▶ Censys team at University of Michigan

▶ ICCS Conference

▶ Fordham University

▶ The FBI

Page 70: Hidden empires of malware


Dave Herrald

@daveherrald

Ryan Kovar

@meansec

Contact info (Come see us at SANS CTI where we talk about ML against SSL data!)