
Purple Packets - BSides Austin 2019

bromiley
March 28, 2019


There are two sides to every story. Yin and yang. Day and night. Host and network. Unfortunately, when it comes to enterprise security, many organizations tend to focus heavily on host-based defenses, and apply “just-enough” monitoring to their network. However, the network can be one of the best places to not only defend against the attacker, but also observe and understand the capabilities.

In this talk, we’ll examine techniques with which advanced adversaries utilize your networks. Whether it’s via intricate protocol abuse, malleable traffic, or combinations of protocols to avoid standard detection, there is much to glean from an observation of network traffic.

To help our audience discover just how impactful proper network defenses can be, we’re going to emulate the top techniques followed by a detailed explanation of each attack. Furthermore, we’ll outline specific steps that would have detected and stopped the malicious traffic. Our goal, by the end of the session, is for our attendees to have a solid understanding of how the attacks work and what they need to do to protect themselves.


Transcript

  1. Today’s Agenda
     • Who We Are
     • The Importance of Red and Blue
     • Why Packets?
     • Traffic Examples
     • ATTACK!
     • Choose Your Weapon
     Purple Packets - BSides Austin - Aaron Soto & Matt Bromiley
  2. Who We Are
     Aaron Soto
     • Exploit Developer
     • CCDC Coach/Mentor
     • OpenSOC Volunteer
     • Ham Radio Nerd
     Lover of exploits and open source tools.
     Matt Bromiley
     • Incident Responder
     • SANS Instructor
     • OpenSOC Volunteer
     • Nerdy ink
     Lover of DFIR and open source tools.
  3. The Importance of Red and Blue
     • In many situations, red and blue are often thought of as rivals - not teammates.
     • Blue gains strength by learning how red operates.
     • Red gains strength by learning how blue detects.
  4. The Importance of Red and Blue
     • In many situations, red and blue are often thought of as rivals - not teammates.
     • Blue gains strength by learning how red operates.
     • Red gains strength by learning how blue detects.
     Increased security and environment awareness!
  5. Why Packets?
     There is a significant focus on detection via host-based artifacts, indicators, and tools.
     There is also a significant focus on developing techniques to evade host-based detection!
  6. Why Packets?
     • Many attacks/malware will utilize unique and novel techniques to obfuscate/hide from endpoint detection tools.
     • Attackers often ignore/assume network traffic or “lightly” encrypt/obfuscate.
       ◦ Some attackers will create novel network techniques - this only provides more opportunity for detection!
       ◦ Some techniques are inherently encrypted (PowerShell, RDP, etc.).
  7. Why Packets?
     • Unfortunately - network traffic is often also ignored or mishandled by enterprises.
     • This leaves an effective detection technique under (or not!) utilized.
     ...as always, this is easier said than done.
  8. “Commodity Malware”
     • “Commodity” malware (think TrickBot, Emotet, Qakbot, etc.) is often SUPER noisy - this makes for excellent network detection.
     • Detecting the initial callout is preferred to detecting post-spread!
     • Initial callout/download is likely plaintext - grab malware before encryption kicks in.
     Huge thanks to Brad (@malware_traffic) for this sample: https://isc.sans.edu/forums/diary/Malspam+pushes+Emotet+with+Qakbot+as+the+followup+malware/24738/
  9. Shells
     • Primary mechanism of gaining & maintaining access in an environment
     • Get a user to run ${thing}, and the attacker gets a call-back
     • Attacker can hardcode an IP address or domain, but may also move to dynamic (read: potentially harder to detect) C2
  10. Initial Access
      Social Engineering tools make it easy:
      • Social Engineering Toolkit (SET)
      • Phishing Frenzy
      • GoPhish
  11. Initial Access
      Methods of detection:
      • Email: Monitoring for previously identified malicious emails or suspicious emails targeting high-profile employees
      • DNS: Watch for resolution of unique hosts
      • HTTP: Watch for transfer of potentially malicious file formats
      • User agents: Watch for uncommon, unique, or malformed strings
      • Failed attempts: HTTPS aborted connections, HSTS failures
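Added example, not part of the deck: a Python pass over constructed Zeek http.log records that implements three of the slide 11 checks (uncommon or empty user agents, transfers of watched file formats, and Host headers that are bare IP addresses, the hardcoded-C2 case from slide 9). The records are in Zeek's JSON output format and use Zeek's real http.log field names; the hosts, addresses, URIs and the MIME watchlist are assumptions made up for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed Zeek http.log records (JSON output format, LogAscii::use_json=T),
# trimmed to the fields used below. Hosts, addresses and URIs are made up.
SAMPLE_HTTP_LOG = """\
{"ts":1553800000.1,"uid":"CAb1","id.orig_h":"10.0.0.11","id.resp_h":"93.184.216.34","method":"GET","host":"www.example.com","uri":"/","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/65.0","resp_mime_types":["text/html"]}
{"ts":1553800001.2,"uid":"CAb2","id.orig_h":"10.0.0.12","id.resp_h":"93.184.216.34","method":"GET","host":"www.example.com","uri":"/news","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/65.0","resp_mime_types":["text/html"]}
{"ts":1553800002.3,"uid":"CAb3","id.orig_h":"10.0.0.13","id.resp_h":"93.184.216.34","method":"GET","host":"www.example.com","uri":"/about","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/65.0","resp_mime_types":["text/html"]}
{"ts":1553800003.4,"uid":"CAb4","id.orig_h":"10.0.0.14","id.resp_h":"198.51.100.7","method":"GET","host":"invoice-update.test","uri":"/doc/inv.doc","user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)","resp_mime_types":["application/msword"]}
{"ts":1553800004.5,"uid":"CAb5","id.orig_h":"10.0.0.14","id.resp_h":"198.51.100.7","method":"GET","host":"invoice-update.test","uri":"/x/setup.exe","user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)","resp_mime_types":["application/x-dosexec"]}
{"ts":1553800005.6,"uid":"CAb6","id.orig_h":"10.0.0.14","id.resp_h":"203.0.113.9","method":"POST","host":"203.0.113.9","uri":"/gate.php","user_agent":"","resp_mime_types":["text/plain"]}
"""

# Assumed watchlist of "potentially malicious file formats", as Zeek labels them.
WATCHED_MIME_TYPES = {"application/x-dosexec", "application/msword",
                      "application/vnd.ms-excel", "application/hta"}


def load_jsonl(text):
    """One Zeek log record per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def user_agent_population(records):
    """Map each User-Agent string to the set of internal hosts that sent it."""
    hosts_by_agent = defaultdict(set)
    for r in records:
        hosts_by_agent[r.get("user_agent", "")].add(r["id.orig_h"])
    return hosts_by_agent


def find_uncommon_agents(records, max_hosts=1):
    """Flag empty agents and agents seen from no more than `max_hosts` hosts.
    On a real network the baseline comes from days of http.log, not six lines."""
    flagged = {}
    for agent, hosts in user_agent_population(records).items():
        if agent == "":
            flagged[agent] = "empty user agent"
        elif len(hosts) <= max_hosts:
            flagged[agent] = f"seen from only {len(hosts)} host(s): {sorted(hosts)}"
    return flagged


def find_watched_downloads(records):
    """Return (uid, client, host, uri, mime) for responses carrying a watched type."""
    return [(r["uid"], r["id.orig_h"], r["host"], r["uri"], mime)
            for r in records
            for mime in r.get("resp_mime_types", [])
            if mime in WATCHED_MIME_TYPES]


def find_raw_ip_hosts(records):
    """HTTP Host headers that are bare IP addresses (hardcoded C2 rather than a name)."""
    hits = []
    for r in records:
        try:
            ipaddress.ip_address(r.get("host", ""))
        except ValueError:
            continue
        hits.append(r["uid"])
    return hits


if __name__ == "__main__":
    recs = load_jsonl(SAMPLE_HTTP_LOG)
    for agent, why in find_uncommon_agents(recs).items():
        print(f"UA {agent!r}: {why}")
    for hit in find_watched_downloads(recs):
        print("download:", hit)
    print("raw-IP Host headers:", find_raw_ip_hosts(recs))
```

The user-agent check keys on population size rather than a string blocklist, which is what makes "uncommon or unique" measurable: the Firefox string is normal because three hosts send it, the MSIE 7 string and the empty string stand out because one host sends them. The uid in each hit is the handle for pulling conn.log and files.log for the same session.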
  12. Acquiring credentials
      Mimikatz is the best game in town
      • Integrated into PowerShell Empire and Metasploit Framework
        ◦ Note: Metasploit Framework calls it `kiwi` for x64 systems
      • Mimikatz supports 24 methods for credential gathering, escalation, and more!
        ◦ DCsync is my favorite so far...
  13. Acquiring credentials
      • lsadump is a module that targets the Local Security Authority
      • lsadump::dcsync uses the Directory Replication Service (DRS) to trigger a naming context (NC) update between hosts.
        ◦ Includes SID, along with current and previous password hashes
      • TL;DR: We pretend to be another domain controller.
  14. Acquiring credentials
      meterpreter > getuid
      Server username: GOTHAM\batman
      meterpreter > dcsync GOTHAM\\batman
      [DC] 'gotham.packets.dev' will be the domain
      [DC] 'packets-dc01.gotham.packets.dev' will be the DC server
      [DC] 'GOTHAM\batman' will be the user account
      Object RDN           : batman
      ** SAM ACCOUNT **
      [...]
  15. Acquiring credentials
      [...]
      SAM Username         : batman
      Account Type         : 30000000 ( USER_OBJECT )
      User Account Control : 00000200 ( NORMAL_ACCOUNT )
      Account expiration   : 1/1/1601 12:00:00 AM
      Password last change : 3/10/2019 8:50:18 AM
      Object Security ID   : S-1-5-21-552993230-966223408-4019343230-500
      Object Relative ID   : 500
      Credentials:
        Hash NTLM: 6a8656b60d12f872cd1ef7006578e28c
  16. Acquiring credentials
      • Meterpreter's mimikatz / kiwi only targets one account at a time
        ◦ An attacker wants everything (all users, machine accounts, service accounts, etc.)
      • DCsync supports the '/all' option
        ◦ Large or multi-fragment responses indicate a full DCsync dump, potentially containing hashes for all users and workstations.
      kiwi_cmd "log debug.log" "lsadump::dcsync /all" exit
  17. Acquiring credentials
      Methods of detection:
      • Workstations should never use DRSUAPI / DCERPC opnum 3
      • DRSGetNCChanges is a characteristic of DCSync
        ◦ (and also of domain controllers syncing)
      • Watch for DRSUAPI / DCERPC opnum 3 from an untrusted host
        ◦ also known as DSGetNCChanges or DRSGetNCChanges()
      Reference: https://blogs.technet.microsoft.com/askds/2012/01/24/rpc-over-itpro/
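Added example, not part of the deck: the slide 17 detection expressed as Python over a constructed Zeek dce_rpc.log excerpt in Zeek's default tab-separated format. Zeek logs the drsuapi operation by name rather than opnum; the name-to-opnum table below follows MS-DRSR (DRSGetNCChanges is opnum 3, as the slide says). The addresses, uids and the domain-controller allowlist are assumptions made up for the example.

```python
# Constructed Zeek dce_rpc.log excerpt (default TSV format), reduced to its
# #fields/#types header lines. Addresses and uids are made up.
SAMPLE_DCE_RPC_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tinterval\tstring\tstring\tstring\n"
    "1553800100.10\tCd1\t10.0.0.6\t50012\t10.0.0.5\t49155\t0.001\t-\tdrsuapi\tDRSBind\n"
    "1553800100.11\tCd1\t10.0.0.6\t50012\t10.0.0.5\t49155\t0.004\t-\tdrsuapi\tDRSGetNCChanges\n"
    "1553800200.20\tCd2\t10.0.0.14\t51877\t10.0.0.5\t49155\t0.001\t-\tdrsuapi\tDRSBind\n"
    "1553800200.21\tCd2\t10.0.0.14\t51877\t10.0.0.5\t49155\t0.250\t-\tdrsuapi\tDRSGetNCChanges\n"
    "1553800300.30\tCd3\t10.0.0.14\t51900\t10.0.0.5\t135\t0.001\t-\tepmapper\tept_map\n"
)

# Assumed allowlist: the only hosts that may legitimately ask a DC for NC changes
# are the other domain controllers.
DOMAIN_CONTROLLERS = {"10.0.0.5", "10.0.0.6"}

# MS-DRSR opnums for the operations that matter here (the slide cites the opnum,
# Zeek writes the name).
DRSUAPI_OPNUMS = {"DRSBind": 0, "DRSUnbind": 1, "DRSReplicaSync": 2, "DRSGetNCChanges": 3}


def parse_zeek_tsv(text):
    """Minimal reader for Zeek's default ASCII logs: header rows start with '#'."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_dcsync_candidates(rows, dc_hosts):
    """DRSGetNCChanges (drsuapi opnum 3) requested by anything that is not a DC."""
    hits = []
    for r in rows:
        if r["endpoint"] != "drsuapi" or r["operation"] != "DRSGetNCChanges":
            continue
        if r["id.orig_h"] in dc_hosts:
            continue  # DC-to-DC replication is the same call and is expected
        hits.append({"uid": r["uid"], "ts": r["ts"], "src": r["id.orig_h"],
                     "dst": r["id.resp_h"], "opnum": DRSUAPI_OPNUMS[r["operation"]]})
    return hits


def drsuapi_sequence(rows, uid):
    """Operation sequence on one connection: the bind that precedes the pull."""
    return [r["operation"] for r in rows
            if r["uid"] == uid and r["endpoint"] == "drsuapi"]


if __name__ == "__main__":
    rows = parse_zeek_tsv(SAMPLE_DCE_RPC_LOG)
    for hit in find_dcsync_candidates(rows, DOMAIN_CONTROLLERS):
        print("DCSync candidate:", hit, drsuapi_sequence(rows, hit["uid"]))
```

The allowlist is the whole detection: the DC-to-DC call on uid Cd1 is indistinguishable on the wire from the workstation's call on Cd2, so the rule is "opnum 3 from a source that is not a DC", exactly the slide's framing. The epmapper row shows why the endpoint is checked as well as the operation name.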
  18. How about that shell?
      • Our Aattacker (hint hint) used a reverse_https shell.
      • HTTPS = encryption. If it’s encrypted, it’s not worth analyzing. Right?
  19. Pro Tip: Fingerprint the Encrypted Traffic
      • Just because you cannot read the traffic, doesn’t mean you can’t make use of the traffic.
      • Encrypted traffic can be fingerprinted:
        ◦ SSL/TLS: JA3 and JA3S hashes
        ◦ SSH: HASSH
      • Examine x.509 details for key indicators
  20. JA3 Hash
      • Created by John B. Althouse, Jeff Atkinson, Josh Atkins (see the JAs?)
      • Provides a fingerprint for Client Hello
      • Hashes Decimal Values of:
        ◦ SSL Version
        ◦ Cipher
        ◦ SSL Extension
        ◦ Elliptic Curve
        ◦ Elliptic Curve Point Format
      Reference: https://github.com/salesforce/ja3
  21. JA3S Hash
      • Also Created by John B. Althouse, Jeff Atkinson, Josh Atkins (see the JAs?)
      • Provides a fingerprint for Server Hello
      • Hashes Decimal Values of:
        ◦ SSL Version
        ◦ Cipher
        ◦ SSL Extension
      Reference: https://github.com/salesforce/ja3
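Added example, not from the deck or the salesforce/ja3 project: a Python implementation of the JA3 and JA3S string construction from slides 20 and 21. It parses a TLS ClientHello record, pulls the five fields (version, ciphers, extensions, elliptic curves, point formats), drops GREASE values as the JA3 specification does, joins them as decimal strings and MD5s the result. The ClientHello bytes are constructed inline for the example (no real client produced them) and the server-side values passed to the JA3S helper are likewise made up.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random filler a client may send; JA3 strips them
# so the fingerprint stays stable across connections.
GREASE = {(v << 8) | v for v in range(0x0a, 0x100, 0x10)}


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def _u16_list(buf):
    return [_u16(buf, i) for i in range(0, len(buf) - 1, 2)]


def parse_client_hello(record: bytes) -> dict:
    """Pull the five JA3 inputs out of a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs = record[5:]
    pos = 4                                   # handshake type (1) + length (3)
    version = _u16(hs, pos); pos += 2         # ClientHello version, not record version
    pos += 32                                 # client random
    pos += 1 + hs[pos]                        # session id
    cs_len = _u16(hs, pos); pos += 2
    ciphers = _u16_list(hs[pos:pos + cs_len]); pos += cs_len
    pos += 1 + hs[pos]                        # compression methods
    extensions, curves, formats = [], [], []
    if pos + 2 <= len(hs):                    # extensions block is optional
        end = pos + 2 + _u16(hs, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            body = hs[pos:pos + elen]; pos += elen
            extensions.append(etype)
            if etype == 10:                   # supported_groups (elliptic curves)
                curves = _u16_list(body[2:2 + _u16(body, 0)])
            elif etype == 11:                 # ec_point_formats
                formats = list(body[1:1 + body[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "formats": formats}


def _join(values):
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(hello: dict) -> str:
    """SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    return ",".join([str(hello["version"]), _join(hello["ciphers"]),
                     _join(hello["extensions"]), _join(hello["curves"]),
                     _join(hello["formats"])])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


def ja3s_string(version: int, cipher: int, extensions) -> str:
    """JA3S covers the Server Hello: version, the one chosen cipher, extensions."""
    return f"{version},{cipher},{_join(extensions)}"


def ja3s_hash(version: int, cipher: int, extensions) -> str:
    return hashlib.md5(ja3s_string(version, cipher, extensions).encode()).hexdigest()


def build_sample_client_hello() -> bytes:
    """Constructed ClientHello (not from a real client) with GREASE in ciphers and groups."""
    def ext(etype, body):
        return struct.pack("!HH", etype, len(body)) + body
    name = b"example.test"
    sni = struct.pack("!H", len(name) + 3) + b"\x00" + struct.pack("!H", len(name)) + name
    ciphers = b"".join(struct.pack("!H", c) for c in (0x0a0a, 0x1301, 0xc02b, 0x002f))
    groups = b"".join(struct.pack("!H", g) for g in (0x0a0a, 0x001d, 0x0017))
    exts = (ext(0, sni) + ext(10, struct.pack("!H", len(groups)) + groups)
            + ext(11, b"\x01\x00") + ext(13, b"\x00\x02\x04\x03"))
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", len(ciphers)) + ciphers + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    sample = build_sample_client_hello()
    print(ja3_string(parse_client_hello(sample)), ja3_hash(sample))
```

For the constructed hello the JA3 string is `771,4865-49195-47,0-10-11-13,29-23,0`: the two GREASE entries (0x0a0a, decimal 2570) are gone from both the cipher and curve lists, which is why the same client yields the same hash on every connection even though it randomizes its GREASE values. The hash on its own is a pivot, not a verdict; the deck's point is that a reverse_https stager and a browser produce different Client Hellos, so their JA3 values differ even though both connections are unreadable.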
  22. X.509
      • X.509 is the standard that describes public key certificates
      • As attackers encrypt their traffic, they are needing to create (or steal) certificates. This leaves behind even more metadata!
      • Attackers will also reuse certificates (who’s checking anyways, right?) across multiple domains/infrastructure.
      Check out: https://threatconnect.com/using-fancy-bear-ssl-certificate-information-to-identify-their-infrastructure/
  23. X.509
      X.509 Fields of Interest:
      • Issuer Name
      • Subject
      • Validity Period (Before and After)
      • Algorithm
  24. X.509
      X.509 Fields of Interest:
      • Issuer Name
        ◦ I want trustworthy issuers
      • Subject
      • Validity Period (Before and After)
      • Algorithm
  25. X.509
      X.509 Fields of Interest:
      • Issuer Name
        ◦ I want trustworthy issuers
      • Subject
        ◦ Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State or Province (S), Country (C)
      • Validity Period (Before and After)
      • Algorithm
  26. X.509
      X.509 Fields of Interest:
      • Issuer Name
        ◦ I want trustworthy issuers
      • Subject
        ◦ Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State or Province (S), Country (C)
      • Validity Period (Before and After)
      • Algorithm
  27. Let’s return to our reverse_https traffic:
      [screenshot: JA3 Hashes]
  28. Zeek
      Zeek (formerly Bro) is a network security analysis framework.
      • Originally developed in 1994
      • Zeek focuses on protocol analysis, logging, and data correlation, as opposed to simple data dump/capture.
      • Open source, highly-scriptable, and fast!
      http://zeek.org/
  29. Zeek (cont.)
      • Example logs:
        ◦ conn.log - closest thing to NetFlow
        ◦ dns.log - DNS lookups
        ◦ files.log - Observed file details
        ◦ http.log - Observed HTTP data
        ◦ smtp.log - Observed SMTP data
        ◦ ssl.log - Observed SSL/TLS data
        ◦ x509.log - Observed x509 data
  30. Zeek (cont.)
      • Every Zeek log entry has a uuid that correlates to additional data sets
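Added example, not part of the deck: Python that does the cross-log correlation slide 30 describes and then applies the X.509 checks from slides 22 to 26. It joins constructed Zeek ssl.log records to x509.log records through the certificate file id (the pre-Zeek-5 `cert_chain_fuids` / `id` field names are assumed; newer Zeek uses fingerprints instead), inspects issuer, subject, validity period and algorithm on each leaf certificate, and reports the same certificate being presented by more than one server, the reuse pattern from slide 22. All addresses, names, serials, timestamps and the policy thresholds are assumptions made up for the example.

```python
import json
from collections import defaultdict

# Constructed Zeek ssl.log and x509.log records (JSON output format), trimmed to the
# fields used below. ssl.log joins to x509.log via cert_chain_fuids -> id.
SAMPLE_SSL_LOG = """\
{"ts":1553800010.0,"uid":"CAs1","id.orig_h":"10.0.0.11","id.resp_h":"93.184.216.34","id.resp_p":443,"version":"TLSv12","server_name":"www.example.com","established":true,"cert_chain_fuids":["Fx1"]}
{"ts":1553800020.0,"uid":"CAs2","id.orig_h":"10.0.0.14","id.resp_h":"198.51.100.7","id.resp_p":443,"version":"TLSv12","established":true,"cert_chain_fuids":["Fx2"]}
{"ts":1553800030.0,"uid":"CAs3","id.orig_h":"10.0.0.15","id.resp_h":"203.0.113.9","id.resp_p":8443,"version":"TLSv12","established":true,"cert_chain_fuids":["Fx3"]}
"""
SAMPLE_X509_LOG = """\
{"ts":1553800010.0,"id":"Fx1","certificate.serial":"0D5F","certificate.subject":"CN=www.example.com,O=Example Inc,L=Los Angeles,ST=California,C=US","certificate.issuer":"CN=Example Public CA,O=Example Trust,C=US","certificate.not_valid_before":1552000000.0,"certificate.not_valid_after":1583536000.0,"certificate.key_alg":"rsaEncryption","certificate.sig_alg":"sha256WithRSAEncryption","certificate.key_length":2048}
{"ts":1553800020.0,"id":"Fx2","certificate.serial":"00A1B2C3","certificate.subject":"CN=localhost","certificate.issuer":"CN=localhost","certificate.not_valid_before":1553000000.0,"certificate.not_valid_after":1553604800.0,"certificate.key_alg":"rsaEncryption","certificate.sig_alg":"sha1WithRSAEncryption","certificate.key_length":1024}
{"ts":1553800030.0,"id":"Fx3","certificate.serial":"00A1B2C3","certificate.subject":"CN=localhost","certificate.issuer":"CN=localhost","certificate.not_valid_before":1553000000.0,"certificate.not_valid_after":1553604800.0,"certificate.key_alg":"rsaEncryption","certificate.sig_alg":"sha1WithRSAEncryption","certificate.key_length":1024}
"""

# Assumed local policy; tune to the environment.
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}
MIN_VALIDITY_DAYS, MIN_RSA_BITS = 30, 2048


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_dn(dn):
    """'CN=a,O=b' -> {'CN': 'a', 'O': 'b'}: the subject components listed on slide 25."""
    return dict(part.split("=", 1) for part in dn.split(",") if "=" in part)


def join_ssl_x509(ssl_rows, x509_rows):
    """Pair each TLS session with its leaf certificate through the shared file id."""
    certs = {c["id"]: c for c in x509_rows}
    pairs = []
    for s in ssl_rows:
        fuids = s.get("cert_chain_fuids", [])
        if fuids and fuids[0] in certs:       # first entry in the chain is the server cert
            pairs.append((s, certs[fuids[0]]))
    return pairs


def assess_certificate(cert):
    """Findings from the fields of interest: issuer, subject, validity period, algorithm."""
    findings = []
    if cert["certificate.issuer"] == cert["certificate.subject"]:
        findings.append("self-signed")
    days = (cert["certificate.not_valid_after"] - cert["certificate.not_valid_before"]) / 86400
    if days < MIN_VALIDITY_DAYS:
        findings.append(f"short validity ({days:.0f} days)")
    if cert["certificate.sig_alg"] in WEAK_SIG_ALGS:
        findings.append(f"weak signature algorithm ({cert['certificate.sig_alg']})")
    if (cert.get("certificate.key_alg") == "rsaEncryption"
            and cert.get("certificate.key_length", 0) < MIN_RSA_BITS):
        findings.append(f"small RSA key ({cert['certificate.key_length']} bits)")
    if "O" not in parse_dn(cert["certificate.subject"]):
        findings.append("subject has no organization")
    return findings


def find_certificate_reuse(pairs):
    """Same issuer+serial presented by more than one server: shared infrastructure."""
    seen = defaultdict(set)
    for s, c in pairs:
        seen[(c["certificate.issuer"], c["certificate.serial"])].add(
            (s["id.resp_h"], s.get("server_name", "-")))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def report(ssl_text, x509_text):
    """Map each ssl.log uid to the findings on the certificate that session was shown."""
    pairs = join_ssl_x509(load_jsonl(ssl_text), load_jsonl(x509_text))
    return {s["uid"]: assess_certificate(c) for s, c in pairs}


if __name__ == "__main__":
    for uid, findings in report(SAMPLE_SSL_LOG, SAMPLE_X509_LOG).items():
        print(uid, findings or "ok")
    pairs = join_ssl_x509(load_jsonl(SAMPLE_SSL_LOG), load_jsonl(SAMPLE_X509_LOG))
    for key, servers in find_certificate_reuse(pairs).items():
        print("certificate reused:", key, "on", servers)
```

Two x509.log entries with different file ids but the same issuer and serial are what one certificate looks like when it is served from two places; keying the reuse check on (issuer, serial) rather than on the file id is what turns Zeek's per-connection records into the infrastructure pivot the ThreatConnect write-up describes.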
  31. Network Monitoring - Moloch
      Moloch is a large scale, open source full PCAP monitoring and analysis tool.
      Moloch provides a unique web interface that allows for PCAP analysis in the browser.
  32. Conclusion
      While host-based analysis has earned a place, we quickly forget the power of packet analysis.
      • Protect your network in a single effort.
      • Don't shy away from encrypted traffic.
      • Obfuscation or deviations from well-established protocols make attackers stand out more.
  33. Questions?
      Thanks for joining us this afternoon! Keep in touch after the talk:
      Aaron: @_surefire_
      Matt: @mbromileyDFIR