The "Hidden Empires" of Malware
© 2017 SPLUNK INC.
Dave Herrald and Ryan Kovar
International Conference on Cyber Security
January 2018
Disclaimer
During the course of this presentation, we may make forward looking statements regarding
future events or the expected performance of the company. I often lie. Maybe this is a lie.
Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes
The wøndërful telephøne system And mäni interesting furry animals The characters and
incidents portrayed and the names used in this Presentation are fictitious and any similarity
to the names, characters, or history of any person is entirely accidental and unintentional.
Signed RICHARD M. NIXON Including the majestik møøse A Møøse once bit my Marcus...
No realli! He was Karving his initials on the møøse with the sharpened end of an
interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and
star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of
Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our
roadmap outlines our general product direction and is subject to change at any time
without notice. Splunk undertakës no øbligation either to develøp the features or
functionality described or to include any such feature or functionality in a future release.
# whoami > Ryan Kovar, CISSP, MSc(Dist)
Staff Security Strategist
Minister of the OODAloopers
@meansec
▶ 17 years of cyber security experience
▶ Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research
▶ Also investigating why printers are so insubordinate ಠ_ಠ
# whoami > Dave Herrald, CISSP, GIAC G*, GSE #79
Security Architect @splunk
@daveherrald
- 20+ years IT and security
- Information security officer, security architect, pen tester, consultant, SE, system/network engineer
- Former SANS Mentor
- Co-creator of Splunk Boss of the SOC
Agenda
▶ Answering some W's
• What are we talking about with "Hunting Empires"?
• What are SSL certificates and why do I care?
• What can I do with them?
▶ Talk about the "H"
• How can I get this data myself?
▶ And now another W
• Where can I get this awesome stuff!
On the shoulders of giants
Mark Parsons, "Lord of SSL Pivoting"
@markpars0ns
▶ https://t.co/amyR9pU8o4
▶ https://medium.com/@mark.parsons/hunting-a-tls-certificate-series-post-1-6ad7adfebe44
▶ https://mpars0ns.github.io/bsidescharm-2016slides/
▶ https://mpars0ns.github.io/archc0n-2016-tls-slides/#/
▶ https://www.slideshare.net/MSbluehat/bluehat-v17-using-tls-certificates-to-track-activity-groups
What are these “Hidden” Empires?
PowerShell Empire
• Similar to Metasploit in user experience
• C2 functionality
• Second stage infection/implant after initial infection
• Used extensively for lateral movement
Sometimes it's hard to find evidence that
Place Holder PowerSploit Capabilities
SSL Certificates
What are SSL certificates and why do I care?
Sooo… SSL Certificates?
"[SSL certificates are] small [unencrypted] data files that digitally bind a cryptographic key to an organization's details." [1]
[1] https://www.godaddy.com/help/what-is-an-ssl-certificate-542
So that shows SSL certificates?
Censys.io
Circl.lu
Passivetotal.org
Splunk!
Internet-Wide Scan Data Repository
▶ Public archive of research data
▶ Hosted by the Censys team at the University of Michigan
▶ Perform scans, and host results from other teams
▶ The data on the site is restricted to non-commercial use
▶ https://scans.io (https://scans.io/json)
Exploring scans.io Studies
Web Interface: https://scans.io
JSON: https://scans.io/json
Command Line: $ python ./download.py --liststudies (https://github.com/daveherrald/scansio-sonar-splunk)
Project Sonar by Rapid7
https://sonar.labs.rapid7.com/
▶ Many studies
• SSL Certificates
• HTTP Content
• HTTPS Content
• DNS
• Various TCP/UDP services (SSH, SMB, Telnet, etc.)
▶ Hosted at scans.io
▶ Please review Project Sonar TOS
▶ Thanks to Rapid7 Labs!
SSL Certificates Study (sonar.ssl)
▶ October 30, 2013 – Present
▶ Raw size
• Entire data set: 315 GB compressed (as of 02JAN2017)
• Weekly: ~1.5 - 2.0 GB compressed
▶ Entire data set indexed in Splunk: ~1.2TB
▶ Scan the entire Internet (TCP/443 only)
▶ Comprised of:
• Observed certificates *
• Observed IP address / certificate *
• Names
• Endpoints
sonar.ssl Certificates
2-column CSV: SHA1 hash + Base64-encoded DER
Decoded DER (https://gchq.github.io)
sonar.ssl Certificate in Splunk
index=sonarsslcert earliest=0 hash_id=b4c68c2fe3e689bd51c3676c69c02454be1f545f
sonar.ssl Hosts
2-column CSV: IP address + certificate hash (SHA1)
Host, IP address, observation date
Enriched with country and ASN via MaxMind
sonar.ssl First/Last seen
Search for a hash, or pivot here from search
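The first/last-seen pivot above, as an added example that is not code from the talk or from the scansio-sonar-splunk project: it walks sonar.ssl-style host observations (IP address + certificate hash, one weekly scan per file) and answers both "when and where was this hash seen?" and "which hashes has this IP served?". The row layout `YYYYMMDD,ip,sha1` is an assumption for the constructed sample; the hash is the Gozi fingerprint quoted later on the deck, the IPs and dates are made up.

```python
from collections import defaultdict
from datetime import date

# Gozi Trojan certificate fingerprint as quoted on the slide; everything else below is constructed.
GOZI_SHA1 = "8fc4a51bb808d0050a85f55de93b3aa9db4fef90"
UNRELATED_SHA1 = "0" * 40  # placeholder for some other certificate

# Constructed host observations in an assumed 'YYYYMMDD,ip,sha1' layout (TEST-NET addresses).
SAMPLE_HOSTS = "\n".join([
    "20171030,203.0.113.10," + GOZI_SHA1,
    "20171030,198.51.100.7," + UNRELATED_SHA1,
    "20171113,203.0.113.10," + GOZI_SHA1,
    "20171204,203.0.113.44," + GOZI_SHA1,
    "20171218,203.0.113.10," + UNRELATED_SHA1,
])

def parse_hosts(text):
    """Yield (observation date, ip, sha1) from 'YYYYMMDD,ip,sha1' lines."""
    for line in text.splitlines():
        if line:
            day, ip, sha1 = line.split(",")
            yield date(int(day[:4]), int(day[4:6]), int(day[6:])), ip, sha1

def first_last_seen(text):
    """Per certificate hash: (first seen, last seen, set of IPs that served it)."""
    seen = {}
    for day, ip, sha1 in parse_hosts(text):
        first, last, ips = seen.get(sha1, (day, day, set()))
        seen[sha1] = (min(first, day), max(last, day), ips | {ip})
    return seen

def ip_pivot(text, ip):
    """Reverse pivot: every hash observed on an IP, with the dates it was there."""
    out = defaultdict(list)
    for day, seen_ip, sha1 in parse_hosts(text):
        if seen_ip == ip:
            out[sha1].append(day)
    return dict(out)
```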
HTTPS (TCP/443) (sonar.https)
▶ July 25, 2016 – Present
▶ Raw size
• Entire data set: ~3.2 TB compressed (as of 02JAN2017)
• Weekly: ~25 GB compressed
▶ Entire data set indexed in Splunk: ~10TB
▶ Scan the entire Internet (TCP/443 only)
▶ Comprised of:
• IP
• Path
• Port (Always 443)
• Certificate Subject
• Payload!
HTTPS (TCP/443) (sonar.https) in Splunk
index=sonarhttps earliest=0
[1] David Bianco, http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
openssl req -new -x509 -keyout ../data/empire-priv.key -out ../data/empire-chain.pem -days 365 -nodes -subj "/C=US" >/dev/null 2>&1
And I care why?
One of these is not like the others
We use Splunk
But you don’t have to!
But what do we do with it?
You can do at least two things with SSL Certificate information
Known
Unknown
THE SSL CERTIFICATES IN YOUR INCIDENTS ARE REAL.
Start with some known naughty SSL SHA1 fingerprints
Gozi Trojan
8fc4a51bb808d0050a85f55de93b3aa9db4fef90
"As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. And when someone tries to hunt in CyberSpace the known unknowns are the hardest to find"
- Donald "Cybersfeld"
Hunting PowerShell Empire
C=US is weird…
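The "C=US is weird" hunt, as an added example (not code from the talk or from the scansio-sonar-splunk project): a dependency-free DER walker that pulls the subject out of each sonar.ssl certificate row (SHA1 + Base64 DER) and keeps the rows whose subject is exactly `/C=US`, the value the `openssl -subj "/C=US"` line on the earlier slide produces. The sample rows are unsigned fake certificates built inside the block, with placeholder strings in the SHA1 column; only the row layout and the subject comparison are taken from the deck.

```python
import base64

# Subject attribute OIDs (raw DER bytes) -> OpenSSL short names; anything else falls back to hex.
OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}
EMPIRE_DEFAULT_SUBJECT = "/C=US"  # what the openssl -subj "/C=US" line on the slide produces

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed DER value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def subject_of(der):
    """Return a DER certificate's subject as OpenSSL prints it, e.g. /C=US/CN=host."""
    (_, cert), *_ = der_children(der)              # outer Certificate SEQUENCE
    (_, tbs), *_ = der_children(cert)              # tbsCertificate comes first
    fields = der_children(tbs)
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # drop optional [0] version
    parts = []                                     # serial, sigAlg, issuer, validity, subject
    for _, rdn in der_children(fields[4][1]):      # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            parts.append(OID_NAMES.get(oid, oid.hex()) + "=" + val.decode("utf-8", "replace"))
    return "/" + "/".join(parts)

def subjects_of(sonar_ssl_rows):
    """Map sha1 -> subject for 'sha1,base64-DER' rows, the layout of sonar.ssl's certs file."""
    rows = (line.split(",", 1) for line in sonar_ssl_rows.splitlines() if line)
    return {sha1: subject_of(base64.b64decode(b64)) for sha1, b64 in rows}

def find_empire_like(sonar_ssl_rows):
    """SHA1s whose subject is exactly Empire's default: the pivot the talk hunts on."""
    return [h for h, s in subjects_of(sonar_ssl_rows).items() if s == EMPIRE_DEFAULT_SUBJECT]

# --- Constructed fixtures: hand-built, unsigned fake certificates, not real scan data ---
def _tlv(tag, body):  # tiny DER encoder for the fixtures; their lengths stay below 256
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def _name(atvs):  # [(oid_bytes, printable_string)] -> DER Name
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, o) + _tlv(0x13, v))) for o, v in atvs))
def _fake_cert(subject_atvs):
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    when = _tlv(0x30, _tlv(0x17, b"180101000000Z") + _tlv(0x17, b"190101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name([(b"\x55\x04\x06", b"US")]) + when + _name(subject_atvs) + _tlv(0x30, b""))
    return base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))).decode()

SAMPLE_ROWS = "\n".join([
    "sha1-placeholder-1," + _fake_cert([(b"\x55\x04\x06", b"US")]),
    "sha1-placeholder-2," + _fake_cert([(b"\x55\x04\x06", b"US"), (b"\x55\x04\x03", b"www.example.com")]),
])
```

A bare `/C=US` subject is a weak signal on its own; in the deck it is the starting filter that the later IP and first/last-seen pivots narrow down.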
200MM IPs
90 suspect
3 PSE
:-)
Oh… Just one more thing…
Splunk-based Certificate Research Platform
▶ Splunk Indexers (QTY=3): i3.2xlarge, 8 TB EBS volume (10,000 IOPS), Elastic IP
▶ Splunk Search Head (QTY=1): c3.4xlarge, Elastic IP
▶ Data Staging and Load (QTY=1): i3.16xlarge, 8 TB EBS volume (10,000 IOPS), Elastic IP
▶ Elastic Load Balancer: TCP/8088 to Splunk HTTP Event Collector
▶ Data source: Internet-Wide Scans Repository, https://scans.io
▶ Processing and load metrics: 6,000 certificates/second, 25,000 hosts/second
Certificate Research Platform Resources
https://github.com/daveherrald/scansio-sonar-splunk
• Download any scans.io study, load sonar.ssl & sonar.https into Splunk for analysis
https://github.com/mpars0ns/scansio-sonar-es
• Download sonar.ssl load into Elasticsearch
Splunk Licensing
Free: 500MB / day
Enterprise Trial: 500MB / Day
Developer: 10 GB/Day
Enterprise Dev/Test: 50GB/day
Splunk Enterprise
Each approach has its pros and cons, but recall:
Can we wrap this up?
Conclusion
▶ SSL certificates can be a great way to track adversary behavior
▶ Consider tracking from known and unknown
▶ Think about bringing SSL certificates “in house” to use and run greater analysis against with temporal knowledge
Special Thanks
▶ Mark Parsons
▶ IKBD
▶ Rapid 7
▶ Censys team at University of Michigan
▶ ICCS Conference
▶ Fordham University
▶ The FBI
Contact info
Dave Herrald, @daveherrald
Ryan Kovar, @meansec
(Come see us at SANS CTI where we talk about ML against SSL data!)