Ep 011 - ARTHIR - ATT&CK Remote Threat Hunting Incident Response tool

Formerly the Brakeing Down Incident Response Podcast

Recorded Sept 2019

TOPIC: ARTHIR - ATT&CK Remote Threat Hunting Incident Response tool

OUR GUEST WILL BE:

  • Olaf Hartong, Co-Founder Falcon Force

  • @olafhartong and @FalconForceTeam

  • Blog - https://medium.com/@olafhartong

  • Github - https://github.com/olafhartong/ThreatHunting

  • Website - https://www.falconforce.nl

OUR SPONSORS:

NEWS-WORTHY:

ISO Files via EMAIL???

  • https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/

French Police take down botnet

Over 10 billion malware attacks detected in 2018

91% Of Cyberattacks Start With A Phishing Email

  • According to a new report from PhishMe that found that 91% of cyberattacks start with a phish, the top reasons people are duped by phishing emails are curiosity (13.7%), fear (13.4%), and urgency (13.2%), followed by reward/recognition, social, entertainment, and opportunity.

GUEST Story - Dutch helped with Stuxnet

  • https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html

SITE-WORTHY:

TOOL-WORTHY:

MALWARE OF THE MONTH:

Ursnif

  1. https://www.sentinelone.com/blog/ursnif-polymorphic-delivery-mechanism-explained/

  2. https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/

    1. This analysis lists the MITRE ATT&CK techniques used - very nice

  3. SentinelOne did a good write up about it

  4. Typical Word document delivery

  5. Winword calling PowerShell - Always BAD

  6. Base64 PowerShell executed - Always Bad

  7. VBScript then downloads the payload

  8. Stores it, where else, under the user directory structure

  9. Mutates on download, so you won’t find the same hash if multiple users open the document

Key Detection points

  1. AutoRuns of course, but created at shutdown like Dridex

    1. So File and Registry auditing might help catch it on shutdown and boot up… there is a Cheat Sheet for that ;-)

  2. Winword calling PowerShell

  3. PowerShell Base64 encoding

  4. Random named executable

  5. Injects into the browsers
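The two detection points above that are "always bad" (Word spawning PowerShell, and PowerShell run with a Base64 -EncodedCommand) can be checked mechanically. The script below is an added example, not code from the podcast, from LOG-MD or from ARTHIR: it takes process-creation records with the field names Sysmon Event ID 1 uses (Image, ParentImage, CommandLine), flags Office-to-script-host spawns, and decodes the encoded command so an analyst can read it. The sample events and the harmless encoded payload are constructed inline; the Get-WinEvent line at the end shows how the same filter would be fed from a live Sysmon log.

```powershell
# Added example (not from the podcast, LOG-MD or ARTHIR): flag process-creation
# events where an Office app spawns a script host and decode any -EncodedCommand.
# Input objects are assumed to carry Image, ParentImage and CommandLine, the
# field names Sysmon Event ID 1 uses; the sample events below are constructed.

function Get-EncodedCommandText {
    param([string]$CommandLine)
    # PowerShell accepts -e, -ec, -enc and -EncodedCommand; the argument is
    # Base64 of UTF-16LE text, which is why [Text.Encoding]::Unicode is used.
    if ($CommandLine -match '(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
        } catch {
            return '<base64 decode failed>'
        }
    }
    return $null
}

function Test-OfficeSpawnsScriptHost {
    param([Parameter(ValueFromPipeline=$true)] $Event)
    process {
        $parent = [IO.Path]::GetFileName($Event.ParentImage).ToLower()
        $child  = [IO.Path]::GetFileName($Event.Image).ToLower()
        $officeApps = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
        $scriptHosts = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe'
        if ($officeApps -contains $parent -and $scriptHosts -contains $child) {
            $decoded = Get-EncodedCommandText $Event.CommandLine
            [pscustomobject]@{
                Computer    = $Event.Computer
                Parent      = $parent
                Child       = $child
                Encoded     = [bool]$decoded
                DecodedCmd  = $decoded
                CommandLine = $Event.CommandLine
            }
        }
    }
}

# Constructed sample events. The encoded payload is a harmless Write-Host built
# here so the decode step has something to show; the second event is benign.
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host decoded-ok'))
$samples = @(
    [pscustomobject]@{
        Computer    = 'ws01'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = "powershell.exe -nop -w hidden -enc $b64"
    }
    [pscustomobject]@{
        Computer    = 'ws02'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -File C:\scripts\backup.ps1'
    }
)

# Only the ws01 event is reported; its DecodedCmd reads "Write-Host decoded-ok".
$samples | Test-OfficeSpawnsScriptHost | Format-List

# On a host with Sysmon installed, the same filter runs over live Event ID 1 records
# (fields are picked by name from the event XML so Sysmon version does not matter):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#   ForEach-Object {
#       $d = ([xml]$_.ToXml()).Event.EventData.Data
#       [pscustomobject]@{
#           Computer    = $_.MachineName
#           Image       = ($d | Where-Object Name -eq 'Image').'#text'
#           ParentImage = ($d | Where-Object Name -eq 'ParentImage').'#text'
#           CommandLine = ($d | Where-Object Name -eq 'CommandLine').'#text'
#       }
#   } | Test-OfficeSpawnsScriptHost
```

The parent/child pairing is the high-signal part; the decode is there so the hit can be triaged without pasting Base64 into a converter. Legitimate admin scripts do use -EncodedCommand, which is why the example keys on the Office parent first and only reports encoding as an attribute of the hit.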

PREVENTION

  1. Scan email attachments

  2. Block Macro execution

  3. Application whitelisting for the Users directory

  4. Lock down PowerShell

  5. EDR

TOPIC OF THE DAY:

ARTHIR - ATT&CK Remote Threat Hunting Incident Response Tool

What is the problem ARTHIR is trying to solve?

  1. It started as a way to run LOG-MD remotely and get back the reports without an enterprise-type solution.

  2. How do you run one or more of your favorite tools remotely against a system and get back the results?

  3. During Incident Response, enabling it on all machines is an easy GPO tweak; nothing to purchase, you already have it

  4. It’s FREEEEeeeeeeee

What project was this forked from?

What improvements were added to make it ARTHIR?

  1. Notes for MITRE ATT&CK Technique IDs

  2. Scheduled task creation on remote systems running PS v2 thru v6

  3. Push a binary to a folder other than the Kansa default C:\Windows

  4. Cleanup module to delete the stuff you run, leave no trace

  5. Run any binary tool you want and get back the native reports

  6. Of course all the old Kansa capabilities

  7. It is fairly easy to use

Why did you take this on and how did you solve the shortcomings of Kansa?

  1. Shout-out to Olaf Hartong and Josh Ricard for their parts in this

    1. Olaf on the report retrieval

    2. Josh on the Schedule Task portion

  2. Get back reports of utility or tool, in our case LOG-MD

  3. Kansa only pulls back PowerShell console output

  4. ARTHIR can return PS console output as Kansa did, or the tool's native reports in their native format; Kansa is also no longer supported by its creator.

What are the requirements for someone wanting to use ARTHIR in a domain and no domain?

  1. Windows Remote Management, or WinRM, aka PowerShell Remoting, which is built into all versions of Windows 7 and later

  2. Uses the power of PowerShell v2 thru v5

  3. Domain creds for Domain

  4. Local creds with Authentication set to Negotiate for non-domain
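The improvements list (push a binary somewhere other than C:\Windows, run it, get the native report back, clean up) and the requirements list (WinRM, domain creds or local creds with Negotiate) describe one workflow. The script below is an added example that hand-rolls that workflow with built-in PowerShell remoting; it is not ARTHIR's or Kansa's code and does not use their module format. The host names, the collector.exe tool, its --report argument and the staging directory are placeholders; Copy-Item -ToSession/-FromSession needs PowerShell 5.0 on the operator side.

```powershell
# Added example, not ARTHIR's or Kansa's own code: push a tool, run it, fetch the
# native report, clean up, over WinRM. Targets, tool name, tool arguments and
# directories are placeholders. -NonDomain switches to a local account with
# Negotiate (NTLM); domain-joined targets use the caller's Kerberos ticket.
param(
    [string[]]$ComputerName = @('ws01', 'ws02'),         # placeholder targets
    [string]$LocalTool      = '.\tools\collector.exe',   # placeholder binary to push
    [string]$RemoteDir      = 'C:\ProgramData\IRTemp',   # anywhere other than C:\Windows
    [string]$OutDir         = '.\reports',
    [switch]$NonDomain
)

$sessionArgs = @{ ComputerName = $ComputerName }
if ($NonDomain) {
    # Workgroup hosts: explicit local admin credential and Negotiate instead of Kerberos.
    $sessionArgs.Credential     = Get-Credential -Message 'Local admin on target'
    $sessionArgs.Authentication = 'Negotiate'
}
$sessions = New-PSSession @sessionArgs
$toolName = Split-Path $LocalTool -Leaf

foreach ($s in $sessions) {
    $target = $s.ComputerName

    # 1. Stage the tool in a directory of our choosing, not the C:\Windows default.
    Invoke-Command -Session $s -ArgumentList $RemoteDir -ScriptBlock {
        param($dir)
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    Copy-Item -Path $LocalTool -Destination $RemoteDir -ToSession $s

    # 2. Run the tool and let it write its own report format next to itself.
    #    '--report' is a placeholder argument; use whatever the real tool expects.
    Invoke-Command -Session $s -ArgumentList $RemoteDir, $toolName -ScriptBlock {
        param($dir, $exe)
        Set-Location $dir
        & (Join-Path $dir $exe) --report (Join-Path $dir 'report.txt')
    }

    # 3. Pull back the native report, not just console output, into a per-host folder.
    $dest = Join-Path $OutDir $target
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path (Join-Path $RemoteDir 'report.txt') -Destination $dest -FromSession $s

    # 4. Clean up so nothing we staged is left on the host.
    Invoke-Command -Session $s -ArgumentList $RemoteDir -ScriptBlock {
        param($dir)
        Remove-Item -Path $dir -Recurse -Force
    }
}

Remove-PSSession $sessions
```

Run it as `.\Collect-Report.ps1` for domain members or `.\Collect-Report.ps1 -NonDomain` for workgroup hosts. Step 2 is where a scheduled run would differ: instead of invoking the binary directly, the same Invoke-Command would create a task with schtasks.exe, which is what lets the scheduling work on hosts with older PowerShell versions.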

What are some use cases for ARTHIR?

  1. Incident Response obviously

  2. Auditing

  3. Threat Hunting

  4. Configuration validation

  5. Manual tweaks, security improvements

  6. Remediation

  7. A way to schedule one or more tasks of your favorite tools, like LOG-MD

Documentation?

  1. WinRm guide

  2. And how to use info too

  3. With LOG-MD Professional you get a more detailed guide and modules for all the features of LOG-MD Professional and Consulting; these ship with LOG-MD Pro

Where do people get it?

  1. You can find ARTHIR HERE:

  2. Try it

  3. Contribute

  4. And MAP things to MITRE ATT&CK

Other Articles:

-------------------

Original Kansa Project