FOR508 Advanced Incident Response, Threat Hunting, & Digital Forensics PDF

© SANS Institute 2023 FOR508 | ADVANCED INCIDENT RESPONSE, THREAT HUNTING, & DIGITAL FORENSICS GIAC Certified Forensic Analyst (GCFA) 85e6b3459a4880d22ae915f851d0b463 508.2 4 02 ,2 09 Intrusion Analysis r be amritparmar55@hotmail_com m ce De > m co l_ 29230065 ho m t ai @ 55 ar rm Amrit Parmar pa rit m the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written m consent of SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, co shape, or form to any person or entity without the express written consent of SANS Institute. l_ 29230065 ai If any provision of this CLA is declared unenforc.eable in any jurisdiction, then such provision shall be deemed to be severable m from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this Courseware. ho t @ SANS Institute may suspend and/or terminate User’s access to and require immediate return of any Courseware in connection with any (i) material breaches or material violation of this CLA or general terms and conditions of use agreed to by User; (ii) 55 technical or security issues or problems caused by User that materially impact the business operations of SANS Institute or ar other SANS Institute customers, or (iii) requests by law enforcement or government agencies. rm Amrit Parmar SANS Institute acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in pa this Courseware are the sole property of their respective trademark/registered/copyright owners, including: rit m AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp, m co © 2023 SANS Institute | All Rights Reserved | Version I01_01 l_ 29230065 ho t m ai @ 55 Welcome to Section 2. ar rm Author Team: Amrit Parmar pa Rob Lee rit [email protected] m https://twitter.com/robtlee m co l_ 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t @ 55 This page intentionally left blank. ar rm Amrit Parmar pa rit m m co l_ 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 3 @ 55 This page intentionally left blank. ar rm Amrit Parmar pa rit m 3 m In-depth analysis on systems and malware to co further identify tradecraft and build IOCs. l_ 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 4 @ 55 Your journey through FOR508 has been designed to follow a standard workflow for performing threat hunting, ar compromise assessments, and incident response activities. The roadmap we will use in this class follows: rm Threat Hunting & Assessment Amrit Parmar pa We will start our process by looking at the network using tools that can scale collection and analysis, focusing rit on occurrence stacking and outlier analysis. Most attendees have thousands of endpoints necessitating broad m scoping techniques at the start of an investigation. m co l_ 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 5 @ 55 This page intentionally left blank. ar rm Amrit Parmar pa rit m command line options of certain programs (e.g., svchost.exe) m co 1024 prefetch files in Win8+ (limited to 128 files on Win7 and earlier) l_ 29230065 Prefetch files in Win10 and 11 are now compressed m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 6 @ 55 Prefetching is a process in which the operating system loads key pieces of data and code from disk into memory ar before it is needed. The Prefetch directory is populated with a.pf file after the first time an application is rm executed. The cache manager monitors all files and directories referenced for each application and records them Amrit Parmar into the corresponding.pf file. On Windows 7 and before, the Prefetch directory is limited to 128 files. On pa Windows 8 and above, there can be up to 1,024 files waiting for you in the Prefetch folder. rit m Windows workstation operating systems (not servers) have prefetching on by default to improve system Administrative Templates > Windows Components > Windows PowerShell. From here, right-click to select each property you wish to edit (see slide graphic). Note that Module Logging requires a list of modules to audit, and the most complete option is to select all (“*”). We previously discussed the additional steps necessary for logging PowerShell “Core” versions. Greater Visibility Through PowerShell Logging: http://for508.com/3a-kz © 2023 SANS Institute 163 Licensed To: Amrit Parmar December 09, 2024 © SANS Institute 2023 PowerShell Automatic Logging of Malicious Scripts 85e6b3459a4880d22ae915f851d0b463 4 02 ,2 r 09 be amritparmar55@hotmail_com m ce De > m co Example Blocklist l_ 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 164 @ 55 One of the most exciting features of newer versions of PowerShell (v5+) is the ability to log entire script blocks. ar Although this capability would be incredibly useful when tracking an attacker or rogue administrator using rm PowerShell in your network, the security team at Microsoft realized that this will likely be one of those features Amrit Parmar that is often not looked at until after a bad event has occurred. Clearly, the usefulness of this capability rests on pa having it turned on before a malicious event occurs. Hence, a capability was added to automatically identify rit potentially malicious script blocks and automatically log them in the PowerShell/Operational log. Microsoft has m basically implemented an “alert list” of dangerous PowerShell commands that will auto-log when used. m co l_ 29230065 ho tm ai @ 55 ar rm Amrit Parmar pa rit m (New-Object m Download a file or script from a remote network location System.Net.Webclient).DownloadFile() co l_ -EncodedCommand (-E, -Enc) Accepts a base-64 encoded version of a script 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 166 @ 55 We have already seen many instances of suspicious PowerShell in this class. Like many attacker behaviors, ar there is a limited set of syntax frequently used to make malicious PowerShell activity more difficult to discover. rm This slide covers some of the most seen parameters in the wild. PowerShell syntax is very flexible, and Amrit Parmar parameters can be abbreviated in a mind-boggling number of ways. The abbreviations seen on this slide are pa only the beginning of what you might encounter. With luck, you might find an attacker (or script) that reliably rit uses the same abbreviations, but this flexibility is one of the reasons it is difficult to write indicators of m compromise for PowerShell usage. rundll32 Invoke-Command bitstransfer Invoke-CimMethod m co http syswow64 Reflection WebRequest l_ Look for obvious signs of encoding and obfuscation 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 167 @ 55 As PowerShell becomes ubiquitous in the enterprise, it is likely that you will find a lot of legitimate scripts ar recorded in the PowerShell/Operational log. Your task as an analyst is to find any evil that may be hiding among rm that legitimate activity. While EID 4104 events (script block logging) are the latest and greatest in the Amrit Parmar PowerShell auditing world, do not ignore the older EID 4103 (module logging) events. Both events log activity pa from different perspectives. Module logging focuses on PowerShell pipeline execution. Almost every command rit uses several modules or cmdlets, and EID 4103 events can include variables, commands, interim output, and m even some deobfuscation. Script logging (EID 4104) records the code blocks executed, providing excellent +${/.})} {${$./} =(${#/~}= ${#/~} + ${/.} )}{${)@}=( ${#/~}=${#/~}+${/.} )} { ${‘} m =(${#/~} =${#/~}+ ${/.}) } { ${;} = ( ${#/~}=${#/~} + ${/.}) } {${ *-}= ( co ${#/~}=${#/~}+${/.})} {${“[+} = ( ${#/~} =${#/~} +${/.} ) } … l_ 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 168 @ 55 As antivirus, enterprise detection and response tools, and logging have improved on detecting suspicious ar PowerShell, attackers have developed ingenious ways to defeat simple keyword detection. PowerShell is rm incredibly flexible, and that flexibility allows a seemingly endless array of different ways to write the same Amrit Parmar script. Projects like Invoke-Obfuscation by Daniel Bohannon have paved the way to better understanding just pa how serious the problem is. Criminal syndicates and crimeware have pushed capabilities further, leading to rit examples like the one on this slide, which is nearly unintelligible. Believe it or not, you are looking at a variety m of variable names, such as ${#/~), that are being concatenated together to eventually spell out a PowerShell m co l_ 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 169 @ 55 CyberChef is one of the more exciting tools to be released to the public for decoding an enormous range of data ar formats. The tool was open-sourced by the UK GCHQ and describes itself on its public GitHub page: rm Amrit Parmar “CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web pa browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, rit DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes m and checksums, IPv6 and X.509 parsing, changing character encodings, and much more. The tool is designed to m co l_ 29230065 ho tm ai @ 55 ar rm Amrit Parmar pa rit m m co l_ 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 171 @ 55 PowerShell transcript logs have been available since PowerShell version 2, but they largely required the Start- ar Transcript command be executed before activity or placed in each user’s profile.ps1 file. PowerShell now rm natively includes transcription logging, and it is highly recommended for the modern enterprise. Transcription Amrit Parmar logging can be enabled globally using Group Policy in Computer Configuration/Administrative pa Templates/Windows Components/Windows PowerShell/Turn on PowerShell rit Transcription. m m co l_ 29230065 m ai About Group Policy Settings - PowerShell | Microsoft Docs: https://for508.com/05zvl ho t @ 55 ar rm Amrit Parmar pa rit m m co Output l_ Displayed 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 173 @ 55 Here we see a PowerShell transcript log example. The domain account spsql ran the command Get-Item for a ar registry key in the System hive. Along with the date and time of execution, the logs also record what was output rm to the terminal. In this case, we see the contents of the registry key queried. Times stored within PowerShell Amrit Parmar transcript logs are in local system time and need conversion to UTC to match native event log times. Times are pa stored in the format Year-Month-Day-Hour-Minute-Second (YYYYMMDDHHMMSS). rit m Transcript logs can be excellent places to learn specific attacker tradecraft, discover attacker tool names and m co l_ 29230065 ho tm ai @ 55 ar rm Amrit Parmar pa rit m m co l_ 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 175 @ 55 PowerShell version 5 finally introduced good event logging, and they didn’t stop there. PSReadline is now a ar default module designed to log the last 4,096 commands typed in the PowerShell console. For those aware of rm Linux artifacts, it is the equivalent of Bash History, but now in Windows! Amrit Parmar pa The commands are stored locally in each user’s profile, using a file named ConsoleHost_history.txt. rit The file format is a flat text file. Even commands typed in an Administrator PowerShell console are recorded in m the currently logged-on user’s history file. Unfortunately, this file is not protected by Windows, so m co l_ 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 176 @ 55 This page intentionally left blank. ar rm Amrit Parmar pa rit m Anti-Malware Log Windows-Defender/Operational 1116-1119 m co Command Lines Security | PowerShell/Operational 4688 | 4103–4104 l_ WMI 29230065 WMI-Activity/Operational ho tm ai 5857-5861 FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics 177 @ 55 A majority of the events discussed in this section are represented in this table. Keep in mind that this is just a ar taste, and there are many other events you will encounter and identify as useful to your investigations. The next rm section covers some excellent resources to help you in your journey. Amrit Parmar pa rit m m Windows Event Forwarding (WEF) co Winlogbeat l_ 29230065 m ai FOR508 | Advanced Incident Response, Threat Hunting, and Digital Forensics ho t 178 @ 55 To perform event log analysis, you need to collect logs. If you are lucky, the applicable logs will have already ar been forwarded to a collection server waiting for analysis. If not, you should prepare to collect logs from rm multiple sources. Amrit Parmar pa Live System Collection rit You have many options for exporting logs out of both live and offline systems. When working with a live m system, it is important to keep in mind that event logs are always in use and hence locked by the operating

FOR508 Advanced Incident Response, Threat Hunting, & Digital Forensics PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue