osquery breach att&ck - macadmins conference
TRANSCRIPT
Breach → ATT&CK → OSQUERY
Learning from Breach Reports to Improve Cross-platform Endpoint Monitoring
I’m Guillaume RossUptycs - security analytics at scale using osquery@gepeto42 on Twitter
2
3
4
OVERVIEW● Too many « best practices »
unrelated to real attacks● MITRE ATT&CK is based in reality● Review a true attack with it● Improve detection with osquery● Monitor defensive controls
5
GOALS● Show that reading breach reports is
not just entertainment● Using osquery as an example, show
that the tools exist to prepare against similar attacks in your org
6
PEW PEW MAPS?
Nope
7
Nahh…Osquery 101
Cross-platformMac, Linux, Windows, Docker APIs
100%Amazing and open
229 TablesThat’s a lot of tables
9
OSQUERY: TRANSFORM YOUR OS INTO A VIRTUAL DB
⊗ Uses SQLite for query execution⊗ Executes scheduled queries, real-time queries,
and has an interactive mode⊗ Cross-platform⊗ Fast, reliable⊗ Flexible⊗ Originally from Facebook, name now owned by
Linux Foundation & Run by community
10
FACTS
11
LET’S REVIEW SOME CONCEPTSQuery Query Pack Outputs
12
Flags Tables Events
● ps ax | grep apache● SELECT * FROM processes WHERE name
LIKE ‘%apache%’;
No huge DB built over time on the agent. When queried, info is obtained (Plus: Streams of Events).
EXAMPLE ABSTRACTION
13
Know all the things via the use of SQL queries.
Now… what things should we know?
How do we prepare on the Mac side as well?
THAT’S IT
14
ATT&CK FRAMEWORK 101
Repository of adversarial tactics and techniquesBased on real-world attacks
Lets compare with NIST CSF (Framework for Improving Critical Infrastructure Cybersecurity)
FRAMEWORK TO BUILD ON
16
NIST CSF
18
19
CYBER KILL CHAIN®By
Lockheed Martin’s Intelligence Driven
Defense®(DRINK)
MITRE ATT&CK
THE ATT&CKS
SingHealth● Lots of details.● Lateral movement.● App servers, DBs, flat
networks● Reads like a novel
TWO DETAILED REPORTS
Equifax● Vulns● Management
Structure● We will use this one
less.
27
THE PROBLEM?
28
SingHealth Full Report
29
https://bit.ly/2RFgjVU
Nahh it’s not malware*
ATT&CKING The SingHealth Breach
30
https://bit.ly/2ReEtnE
Great Article by @mattnotmax
31
Initial Entry
⊗ Two workstations - one decommissioned⊗ Second one makes C2 callback on August 24
2017⊗ Powershell (T1086) / User Execution (T1204)⊗ Remnants of a “public RAT” found⊗ Password dumping capabilities⊗ Possibly T1192 or T1193 - spear phishing link or
attachment - but indications this might be Ruler exploit
32
⊗ Socket_events or Process_open_sockets against threat intel feeds
⊗ PowerShell logging with osquery (easy!)⊚ Mac: shell_history + process_events
⊗ Monitor process / parents ⊗ Office Hardening (Unclear - Possibly if phishing
was the entry point)⊚ Mac - almost no configuration possible
Initial Entry
33
Process_Open_Sockets
⊗ select * from process_open_sockets;⊗ Match remote_address against threat lists in
logs.⊗ Take specific attention to ports like 22, 3283,
445, 3389, including laterally - useful to detect weak FW config against lateral movement.
34
⊗ Script block logging: ON⊗ select * from powershell_events;⊗ Run queries for obvious bad keywords
⊚ Specific tools: gentilkiwi, mimikatz, Invoke-Shellcode (Powersploit)
⊚ Methods: SE_PRIVILEGE_ENABLED, TOKEN_PRIVILEGES, GetDelegateForFunctionPointer etc.
⊗ Shell_history and process_events cmdline can be used like this. Ex: Look for “grep Little\ Snitch”
PowerShell - T1086 - T1204
35
36
PowerShell - T1086 - T1204SELECT datetime, script_name, script_path, script_block_count FROM powershell_events;
⊗ Monitor script_block_count trends⊗ Shell_history and command line: monitor specific
keywords + trends on size as well⊗ Osx-attacks - look at the
Behavorial_Reverse_Shell detection, great example.
37
Behavorial_Reverse_Shell
38
Parent Process
⊗ Processes and Process_events include parent PID.⊗ Quick script to create process tree on Uptycs Blog
⊚ https://bit.ly/2KfarPO⊗ Query and join the table with itself to get the process name.⊗ Then, query for weirdness...start with Office applications and
browsers.
39
Parent Process
⊗ Select * from processes;⊗ Subqueries are your friends⊗ Select the processes table, for specific process names, look at the
parent, see what the parent is, log when unexpected. For example
40
Parent Process
What's 476? Wininit. Expected!
41
Parent Process
This example + MANY more can be found on Filippo Mottini’s GitHub:
https://bit.ly/2X9bAyy
42
Office Hardening - Potential T1192/1193
⊗ The registry table is our friend.⊗ User\software\policies\microsoft\office\16.0\App
⊗ WILDCARDS!
43
Office Hardening - Potential T1192/1193
44
SELECT * FROM registry WHERE key LIKE‘HKEY_USERS\%\Software\Policies\Microsoft\office\16.0\%\security’;
% = wildcard
Office Hardening - Potential T1192/1193
⊗ Not easy to see what user that is…⊗ But.. the SID is in the registry path!⊗ Split data on backslashes.
⊚ (It is Windows, after all!)
45
Office Hardening - Potential T1192/1193
46
Office Hardening - Potential T1192/1193
● If it was Ruler:○ Use same technique to check that
EnableUnsafeClientMailRules is not equal to 1 (disables the patch against malicious rules/code exec from rules)
○ Use programs table to ensure Outlook is 16.0.4534.1001 or above
47
Application Config - Mac Equivalent
● Managed_policies● Augeas● ATC
48
Application Config - Mac Equivalent
● For text-file based configs: leverage Augeas○ Ex: select * from augeas where path
= '/etc/ssh/sshd_config' AND label LIKE ‘Authorized%’;
● ATC (Auto Table Construction) to read SQLite files
49
Lateral movement & privilege escalation⊗ Over a period of +6 months⊗ Spread malware over shares (T1077 and T1105)⊗ Weak Local Admin credentials + stored in clear
(T1078 + T1081)⊗ Lateral movement + malware spread using
shares, remote desktop/Citrix (T1076)⊗ Attempts to access DB from Citrix with Domain
Admin failed⊗ Exploit SCM app to get service account
50
Lateral movement & privilege escalation⊗ Monitor lateral movement
⊚ Windows: 445, 3389⊚ Mac/Linux: 22
⊗ Ensure LAPS/macOSLAPS is deployed and effective
⊗ AD Binding?⊗ SSH Private Keys?⊗ Identify accounts logging in “wrong”⊗ SQL Audit logs via osquery?
51
Process_Open_Sockets - T1077/1105
SELECT * FROM process_open_socketsWHERE local_port=445 AND remote_address NOT LIKE '10.0.99%' AND remote_address NOT LIKE '0.0.0.0' AND remote_address NOT LIKE '::';
52
Local Admin - T1078/108153
Local Admin - T1078/1081Start with this..
SELECT data, path FROM registryWHERE key ='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd\';
54
LAPS / RegistryOr we can track a specific value as a maximum:
SELECT data, path FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd'AND name='PasswordLength' AND data < 31;
55
Account Policy Data56
Account Policy Data57
Lateral Movement / Account Abuse - T1078/108158
Lateral Movement / Account AbuseUse logon_sessions to track powerfull sessions.
59
Lateral Movement / Account AbuseLeverage naming conventions...
60
Lateral Movement / Account AbuseSo if your service accounts were say: *svc_servicename* - you could query. Do the opposite for non-svc accounts!
61
SQL Auditing
62
⊗ Ensure SQL can write to Event Logs (Application or Security, or anything else)
⊗ Look for login related event IDs such as 18456.⊗ Can be done for all Windows logs too
⊚ Selectively centralize workstation logs over TLS!
Logging in general
63
● Apple Logging System (ASL) also supported.● Syslog● Selinux events● Great when used with sysmon● One of my favorite ways of selectively picking
logs to centralize on workstations via TLS
MAP ATT&CK TO YOUR OSQUERY CONFIGAs shown, a few queries can help match many techniques from ATT&CK.
Do the same with preventive controls like hardening via MDM, EDR config, etc.
64
READ IR REPORTSThere’s always a tidbit you can use to improve your osquery deployment.
Worst case scenario? $$$
65
NOTHING BEATS OPEN SECURITY DATA FOR FLEXIBILITY AND MULTI-PLATFORM SUPPORT
66
FREE WORKSHOP!DEF CON 26
67
THANKS!Any questions?You can find me at:@gepeto42 on TwitterMacAdmins Slack
68