TRANSCRIPT
©2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03621-8. MITRE
BZAR – Hunting Adversary
Behaviors with Zeek and ATT&CK
Mark Fernandez
John Wunder
@MITREattack
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-14.
What we’ll talk about
▪ Background: ATT&CK and Threat Hunting
▪ Threat Hunting with BZAR
– Zeek Network Security Monitor
– How BZAR works and what it can see
▪ Examples
– Service Execution
– Remote File Copy to Windows Admin Shares
▪ Takeaways
What is ATT&CK? A knowledge base of adversary behavior:
▪ Free, open, and globally accessible
▪ A common language
▪ Community-driven
▪ Based on real-world observations
[Figure: the ATT&CK matrix tactic columns – Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact]
Tactics: the adversary’s technical goal
Techniques: how the goals are achieved
Procedures: Specific technique implementation
How can we see these behaviors?
How can we identify the malicious ones?
Image Source: Pirates of the Caribbean
Image Source: Wikimedia Commons
How can we see these behaviors?
Perimeter monitoring is not enough
[Figure: ATT&CK tactics – Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact]
…so we do endpoint monitoring.
Defense in depth, amirite?
Image Source: The Office
What can we do with internal network monitoring?
[Figure: ATT&CK tactics – Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact]
The Problem: Internal Network Traffic Can be Very Noisy
Server Message Block (SMB) protocol
Remote Procedure Call (RPC) protocol
The Technology: Bro / Zeek Network Security Monitor
Open-source, highly customizable
Deep-packet inspection
The Result: B Z A R
Bro / Zeek ATT&CK-based Analytics and Reporting
Bizarre – very strange or unusual
BZAR – open-source Bro/Zeek scripts
https://github.com/mitre-attack/bzar
A little more about Zeek…
• SMB Protocol Analyzer
  o Message Types: 145
• DCE-RPC Protocol Analyzer
  o Interface Definitions: 81
  o Method Definitions: 1,471
• Authentication Protocol Analyzers
  o Used in SMB and RPC Authentication
• File Extraction Analyzer
  o Extract Files from Network Traffic
  o Lateral Movement
Slide callouts: “How Many Exist in Windows?” and “Bonus!”
ATT&CK Techniques Detected with BZAR
Execution: T1035 Service Execution; T1047 Windows Mgmt Instrum. (WMI); T1053 Scheduled Task
Persistence: T1004 Winlogon Helper DLL; T1013 Port Monitors
Defense Evasion: T1070 Indicator Removal on Host
Credential Access: T1003 Credential Dumping
Discovery: T1016 System Network Configuration; T1018 Remote System; T1033 System Owner/User; T1049 System Network Connections; T1069 Permission Groups; T1082 System Info; T1083 File and Directory; T1087 Account; T1124 System Time; T1135 Network Share
Lateral Movement: T1077 Windows Admin Shares; T1105 Remote File Copy
What you can see in network traffic…
Techniques that necessarily generate network traffic
[Figure: Desktop 1 and Desktop 2]
Techniques that aren’t normally executed over the network, but can be:
Execution
T1035 Service Execution
T1047 Windows Mgmt Instrumentation (WMI)
T1053 Scheduled Tasks
BZAR Example – Remote Execution
• Indicators: Four (4) RPC Functions
  o svcctl :: CreateServiceA
  o svcctl :: CreateServiceW
  o svcctl :: StartServiceA
  o svcctl :: StartServiceW
• Analytics: Simple
  o Detect any of the 4 RPC functions
  o Zeek event handlers
    • dce_rpc_request()
    • dce_rpc_response()
Execution
T1035 Service Execution
BZAR Example – T1035 Service Execution
• Reporting: Write to Zeek Notice Log
  o “ :: ”
  o “svcctl::StartServiceW”
  o IP addresses & TCP/UDP ports
  o Zeek connection ID
Execution
T1035 Service Execution
BZAR Example – T1035 Service Execution
Important: MUST be tuned for your environment!
Lateral Movement
T1077 Windows Admin Shares
T1105 Remote File Copy
BZAR Example – Lateral Movement
• Indicators: Two (2) SMB Commands
  o SMBv1 Write
  o SMBv2 Write
• Analytics: Complex
  o Detect SMB Write to Windows Admin Shares
  o ADMIN$ or C$ only
  o Ignore IPC$ (e.g., named pipes)
  o Zeek event handlers
    • smb1_write_andx_response()
    • smb2_write_request()
BZAR Example – Lateral Movement
Lateral Movement
T1077 Windows Admin Shares
T1105 Remote File Copy
• Reporting: Write to Zeek Notice Log
  o “ ::Lateral_Movement”
  o “ :: ”
  o IP addresses & TCP/UDP ports
  o Zeek connection ID
  o Full Universal Naming Convention (UNC) path and file name
Lateral Movement
T1077 Windows Admin Shares
T1105 Remote File Copy
Important: MUST be tuned for your environment!
BZAR Example – Lateral Movement
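The two analytics above (the T1035 svcctl check and the SMB-write-to-admin-share check) are easy to restate as a post-processing job over Zeek's own logs, which is a useful way to try the logic before deploying the Zeek scripts. The example below is added here and is not BZAR's code; it assumes the default field names of Zeek's dce_rpc.log and smb_files.log, the sample records are constructed (not captured traffic), and the allowlist_orig parameter is an added tuning knob standing in for the "MUST be tuned for your environment" step: known admin hosts that legitimately create services or push files are dropped before a notice is raised.

```python
"""BZAR-style analytics re-implemented over Zeek's dce_rpc.log and smb_files.log.
Added example, not BZAR's own Zeek scripts. Field names follow Zeek's default
TSV logs; the sample records below are constructed, not captured."""

# Indicators from the Service Execution slide: the four svcctl RPC functions.
SERVICE_EXEC_OPS = frozenset({"CreateServiceA", "CreateServiceW",
                              "StartServiceA", "StartServiceW"})
# Shares the Lateral Movement analytic cares about; IPC$ is deliberately excluded.
ADMIN_SHARES = frozenset({"ADMIN$", "C$"})


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into dicts keyed by the #fields header line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _notice(row, technique, indicator, **extra):
    """Same fields the Reporting slides list: indicator, endpoints, Zeek conn id."""
    notice = {"technique": technique, "indicator": indicator, "uid": row["uid"],
              "orig": f'{row["id.orig_h"]}:{row["id.orig_p"]}',
              "resp": f'{row["id.resp_h"]}:{row["id.resp_p"]}'}
    notice.update(extra)
    return notice


def detect_service_execution(dce_rpc_rows, allowlist_orig=frozenset()):
    """T1035: any of the four svcctl functions, unless the caller is an allowlisted host."""
    return [_notice(r, "T1035", f'{r["endpoint"]}::{r["operation"]}')
            for r in dce_rpc_rows
            if r["endpoint"] == "svcctl" and r["operation"] in SERVICE_EXEC_OPS
            and r["id.orig_h"] not in allowlist_orig]


def _share_name(path):
    # Zeek escapes backslashes in TSV, so \\host\share is logged as \\\\host\\share.
    parts = path.replace("\\\\", "\\").strip("\\").split("\\")
    return parts[1] if len(parts) > 1 else parts[0]


def detect_admin_share_write(smb_files_rows, allowlist_orig=frozenset()):
    """T1077/T1105: SMB write to ADMIN$ or C$; opens/reads and IPC$ traffic are ignored."""
    notices = []
    for r in smb_files_rows:
        if r["action"] != "SMB::FILE_WRITE" or r["id.orig_h"] in allowlist_orig:
            continue
        share = _share_name(r["path"])
        if share.upper() not in ADMIN_SHARES:
            continue
        unc = r["path"].replace("\\\\", "\\") + "\\" + r["name"]  # full UNC path + file
        notices.append(_notice(r, "T1077/T1105", f"SMB::FILE_WRITE to {share}", unc=unc))
    return notices


def _tsv(fields, rows):
    """Build a minimal Zeek-style TSV log body (constructed sample data)."""
    return "\n".join(["#separator \\x09", "#fields\t" + "\t".join(fields)]
                     + ["\t".join(r) for r in rows] + ["#close\t2019-01-01-00-00-00"])


# Constructed dce_rpc.log: two svcctl calls from a workstation, one benign srvsvc call,
# and one svcctl call from a host we will treat as an allowlisted admin server.
DCE_RPC_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                  "rtt", "named_pipe", "endpoint", "operation"]
SAMPLE_DCE_RPC_LOG = _tsv(DCE_RPC_FIELDS, [
    ["1546300800.10", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "49210", "10.0.0.20", "445",
     "0.0009", r"\\pipe\\svcctl", "svcctl", "CreateServiceW"],
    ["1546300800.12", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "49210", "10.0.0.20", "445",
     "0.0011", r"\\pipe\\svcctl", "svcctl", "StartServiceW"],
    ["1546300801.00", "CXWv6p3arKYeMETxOg", "10.0.0.5", "49211", "10.0.0.20", "445",
     "0.0007", r"\\pipe\\srvsvc", "srvsvc", "NetrShareEnum"],
    ["1546300900.50", "C4J4Th3PJpwUYZZ6gc", "10.0.0.9", "50333", "10.0.0.21", "445",
     "0.0010", r"\\pipe\\svcctl", "svcctl", "StartServiceW"],
])

# Constructed smb_files.log (subset of the real columns): only the ADMIN$ write should fire.
SMB_FILES_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                    "fuid", "action", "path", "name", "size"]
SAMPLE_SMB_FILES_LOG = _tsv(SMB_FILES_FIELDS, [
    ["1546300799.90", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "49209", "10.0.0.20", "445",
     "FaBcD1example", "SMB::FILE_OPEN", r"\\\\10.0.0.20\\ADMIN$", "svc.exe", "0"],
    ["1546300799.95", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "49209", "10.0.0.20", "445",
     "FaBcD1example", "SMB::FILE_WRITE", r"\\\\10.0.0.20\\ADMIN$", "svc.exe", "73216"],
    ["1546300800.05", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "49209", "10.0.0.20", "445",
     "FaBcD2example", "SMB::FILE_WRITE", r"\\\\10.0.0.20\\IPC$", "svcctl", "128"],
    ["1546300850.00", "CZ9kQ7example", "10.0.0.5", "49212", "10.0.0.20", "445",
     "FaBcD3example", "SMB::FILE_WRITE", r"\\\\10.0.0.20\\Share", "report.docx", "20480"],
])


if __name__ == "__main__":
    admin_hosts = {"10.0.0.9"}  # constructed: a known admin server, tuned out
    for n in detect_service_execution(parse_zeek_tsv(SAMPLE_DCE_RPC_LOG), admin_hosts):
        print("NOTICE", n)
    for n in detect_admin_share_write(parse_zeek_tsv(SAMPLE_SMB_FILES_LOG), admin_hosts):
        print("NOTICE", n)
```

Run against the constructed logs, the svcctl analytic raises two notices for 10.0.0.5 (CreateServiceW then StartServiceW) and none for the allowlisted 10.0.0.9, while the share analytic raises exactly one notice, for the write of svc.exe to \\10.0.0.20\ADMIN$, and stays silent on the IPC$ write, the FILE_OPEN and the write to a non-admin share. On a real sensor the same logic is what the two Zeek event handlers on the slides implement inline, without waiting for the log to be written.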
Summary
▪ Monitor your endpoints
▪ Think outside the box
▪ Think at different levels of abstraction
  – Low-fidelity indicators can help you build up analytics and reporting
▪ Integrate into your overall monitoring approach
  – Network alerts and endpoint alerts can co-exist
▪ Tune for your environment!
attack.mitre.org
medium.com/mitre-attack
@MITREattack
https://github.com/mitre-attack/bzar