Hunting With ELK And Mapping With MITRE Framework PART -1
Hello everybody. In this blog post I will analyze cyber attacks by using ELK. I simulated realcase APT attacks tactics and tools in my lab enviorenment. Nowadays I am prepearing Incident Response and Threat Hunting online training for broadcasting on Udemy. I can finished 3 modules of training and 4 modules left. I will be completed within two months at the latest. Actually, I originally set up the lab shown in belowto test the products of the companies that I gave consultancy for product development. But later I decided to create an APT analysis training over this lab. Before We start I present you my Udemy Trainings if you want you can benefit my training for learning deeply;
Ok lets start!! I am staring with matching network connections and processes so I selected destination IP, Port, source IP and process.name as I Show the Picture below;
As you see there are a lot of weird exe files process are displayed in the screen. Wscript is used for executing macros and other executables are suspicious.
When I go on analysing and scroll down I saw rundll32 has opened a connection through TCP 443 port and it is anormally for me. I will investigate it at following analysis steps.
I also see schtask.exe was used dor creating Schedule tasks and sc for service creating;
Before I continue my analysis with ELK I found the one of the weird and suspicious exe file at tmp directory;
Then I reverse it for finding something is useful form y analysing step. As you see GetAsyncKeyState function is used for hooking keystrokes and vkey most probably gets the key strokes variable and prelog process can be shown in the code.
I decided to examine strings of the file and I cann see some keyboard buttoms name. I goto function which one of the string is used inside and I use xref for it;
Great this is a keylogger, If you notice program compare 11h ( CTRL ASCII keyboard code ) with arg0, IF they are the same that means zero flag is set by 1 and result 0 print the [CTRL] in the screen with fprint otherwise program jump the loc_4013A0 for testing PAUSE key and goes on. Good!!!
But I should investigate how this drop under tmp directory? What happened before keylogger was created? What does cause it? Before I investigate, I continue inspectng processes network connection behaviours. Rundll32.exe opens two suspicious connections;
And I detect Microsoft_putty.exe file it is not signed by the Microsoft; These ara suspicious connections too;
I detected more malicious connection of powershell, lsass processed. Lsass dont use SMTP port powershell goes unknown IP address from TCP 80 but when Network forensic team analysisi this traffic from pcap they said that they had detected anormal http connections.
I filtered event id 1 for retrewing process create incidents.
I focus wscript.exe file and I choose process.name, process. parent name, process parent executable for relating the incidents.
When I disaplay the incident I saw that wscript.exe executed a vbc file under temp directory;
I noted for investigating and I go on with rundll32.exe process. Cmd.exe is the parent and I will inspect the command line parameter of this process;
As you see rundll32.exe was used for executing command with java script as HTMLapplication. This is lolbas method and it is used for evading security systems such as AV. When I serach in the MITRE framework I learnt that MITRE mapped this as Technique 1085.
Then I come up a scheduled task. When I display the incident I saw that attacker used mispelling for pretending analyst and malicious binary seems like svchost. This is persistency method for scheduling execution the RAT;
MITRE mapped this as technique 1053;
When I displayed sc.exe incident I detected the adversary creating a backdoorservice for stealthy and persistent connection. In MITRE framework it described as Technique 1031. As you see nc.exe runs as a service in the compromised system.
In the analysis made so far, the events that stand out from a quick perspective were examined. But analysis needs to be done in more detail. As an analyst, you cannot look at each record line by line. Instead, you need to write appropriate filters and analyze them from an aggressive perspective. Running vbs with wscript made me suspect of a pest in the word file or a code downloaded with powershell and I decided to review the WINWORD process. For this purpose I filtered event id 1 process creation and filter WINWORD.EXE.
As you see some files executed from Explorer.exe. When I exeamine the incident I saw that Customer Agreement_ASAP and Visa Payment document .doc files were executed in the desktop environment.
I implement time analysis for connection relation between incidents so I analyze the pcap file which is captured by suricata, we are lucky because for pcap collection is applied by the network security team.
I can find the file in the SMTP traffic In april time period and deliver time of this file and incident time is so close. So I most probably say victim download this file via his webmail. I filtered wscript.exe process and I see the same, wscript parent process is the same.
When I inspect the Command Line of the incident I detect a malicious vbs file is executed with Wscript.exe file.
And the malicious vbs execute the malicious exe file under the temp folder;
The next step I tried to collect something is useful about powershell process creation.
First I catched an incident that powershell is executed by the rundll.exe it is not normal and I displayed the incident and I saw a dll file was executed by the rundll32 and it is spawned by the powershell;
MACRO invoking WMI to create a new process, which changes the execution flow from for instance winword.exe spawning cmd.exe to wmiprvse.exe spawning cmd.exe (winword.exe spawning nothing, thus bypassing standard detection rules):
During macro execution, winword.exe will load 4 WMI related modules, which is not very common and can be used to detect this technique:
- C:\Windows\System32\wbem\wmiutils.dll
- C:\Windows\System32\wbemcomn.dll
- C:\Windows\System32\wbem\wbemdisp.dll
- C:\Windows\System32\wbem\fastprox.dll
By using this information I investigate Wmiprvse.exe processes;
Bingo I have already detected the malicious powershell code;
When you follow the steps you can get that the macro belongs to VISA PAYMENT phishing file. I found and analyze the files. When I opened the file I saw phishing buttom in the document.
MITRE framework mapped this attack with Technique 1024;
I analyzed the Office document in Remnux and extract their macro code;
As we see they are the same with before we analyzed with ELK. Thank you for reading. In the next week I will published therat hunting part 2 and we will analyze tunneling and pivoting techniques. See you firends….
