security onion conference - 2016
TRANSCRIPT
Uncovering Persistence With Autoruns & Security Onion
#SOCAugusta @DefensiveDepth
Autoruns - live.sysinternals.com
Autoruns categories:
- Boot execute
- Appinit DLLs
- Explorer addons
- Sidebar gadgets (Vista and higher)
- Image hijacks
- Internet Explorer addons
- Known DLLs
- Logon startups
- WMI entries
- Winsock protocol and network providers
Hijacks - Image hijacks at the time of log generation
ELSA Query: groupby:path - Closely review any entries
Goals: Implementation, Real-World Use
"Pertinax" - Latin: "Persistent, Stubborn"
Reference Architecture
1) Generate
1) Tab-delimited CSV option
autorunsc -ct
2) Verify Signatures
autorunsc -s
3) Logfile is named with the hostname or IP address of the source system
"DD-HR" is the name of the log for the system DD-HR
2) Collect
for /f %%a in (host-list.txt) do ( psexec -accepteula \\%%a -c autorunsc.exe -accepteula -a * -s -m -t -h -ct * > Logs\%%a.csv)
(batch-file syntax: %%a is written %a when typed at an interactive prompt)
3) Normalize
- Removal of autoruns' header rows
- Addition of unique identifier to each message
- Addition of src hostname to each message
- Addition of runtime to each message
- Conversion to ASCII
- Replacement of TAB delimiter with a pipe
4) Import & Parse
OSSEC <localfile> entry:
<localfile>
  <location>C:\Logs\ar-normalized.log</location>
  <log_format>syslog</log_format>
</localfile>
ELSA Pattern & OSSEC Decoder
- Hostname, DD-HR
- Category, Logon
- Entry, Skype
- Profile, DD-HR\admin
- Company, Skype Technologies
- Path, C:\program files\.....\Skype.exe
- Signer / Version / Launch String / Hashes
5) View
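Step 3 (Normalize), as an added example that is not the Pertinax project's own code: a Python normalizer that turns one host's autorunsc -ct logfile into the pipe-delimited, one-entry-per-line messages the OSSEC localfile reader above expects. The sample log, its banner line and column order are constructed assumptions, and the hash value is a placeholder.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Constructed sample of one host's "autorunsc -a * -s -m -t -h -ct *" output.
# autorunsc writes UTF-16; banner text, column order and all values are
# assumptions, and the hash column is a placeholder, not a real indicator.
SAMPLE_LOG = (
    "Sysinternals Autoruns - banner line (assumed)\r\n"
    "Time\tEntry Location\tEntry\tEnabled\tCategory\tProfile\tDescription\t"
    "Signer\tCompany\tImage Path\tVersion\tLaunch String\tMD5\r\n"
    "20160401-093000\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\t"
    "Skype\tenabled\tLogon\tDD-HR\\admin\tSkype\u2122\t(Verified) Skype Software Sarl\t"
    "Skype Technologies\tc:\\program files\\skype\\phone\\skype.exe\t7.1.0.105\t"
    "\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /minimized\t<md5-placeholder>\r\n"
).encode("utf-16")

def host_from_logname(logname: str) -> str:
    """Logs\\DD-HR.csv -> DD-HR: each logfile is named after its source system."""
    return PureWindowsPath(logname).stem

def normalize(raw: bytes, src_host: str, run_time: datetime) -> list:
    """One autorunsc logfile in, one pipe-delimited message per autorun entry out."""
    stamp = run_time.strftime("%Y-%m-%dT%H:%M:%SZ")
    messages = []
    for line in raw.decode("utf-16").splitlines():
        # Remove autoruns' header rows: the banner (no tabs) and the column header.
        if "\t" not in line or line.startswith("Time\t"):
            continue
        # Convert to ASCII so the syslog reader never sees multibyte characters.
        line = line.encode("ascii", errors="ignore").decode("ascii")
        # Replace the TAB delimiter with a pipe; neutralise any pipe already in a field.
        fields = [f.replace("|", "_") for f in line.split("\t")]
        # Unique identifier: a stable hash of host, runtime and the entry, so a
        # re-import of the same file yields the same ids instead of new ones.
        uid = hashlib.sha256(f"{src_host}|{stamp}|{line}".encode()).hexdigest()[:16]
        # Prepend the id, source hostname and runtime to every message.
        messages.append("|".join([uid, src_host, stamp, *fields]))
    return messages

def normalize_sample() -> list:
    """Run the constructed sample through the pipeline, as Logs\\DD-HR.csv would be."""
    run_at = datetime(2016, 4, 1, 10, 0, tzinfo=timezone.utc)
    return normalize(SAMPLE_LOG, host_from_logname("Logs\\DD-HR.csv"), run_at)

if __name__ == "__main__":
    for msg in normalize_sample():
        print(msg)
```

Each emitted line carries the id, hostname and runtime first, followed by the original autorunsc columns, which is the field order the ELSA pattern and OSSEC decoder then split on.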
Real-World Use (Daily)
Diff: 200 entries x 50 hosts = 10,000 entries/day to review
vs.
Few hundred
Clients / Servers
ELSA Queries
github.com/defensivedepth/Pertinax/wiki/Persistence-Categories
Stacking
Drivers - All non-disabled drivers at the time of log generation
ELSA Queries:
groupby:path -system32 -syswow64
groupby:company (Look for unsigned drivers)
Logon - Common Startup areas: Run & RunOnce keys, Start Menu
ELSA Queries:
groupby:path, +users - Stack
groupby:company - Stack
Internet Explorer - IE Addons at the time of log generation
ELSA Queries:
groupby:path - Stack
Explorer - Shell extensions, addons, etc.
ELSA Queries:
groupby:path - Stack
Tasks - All registered tasks on the system
ELSA Queries:
groupby:path - Stack
Services - All Autostart services on the system
ELSA Queries:
groupby:path - Show all results outside of the System32 Folder - Stack
groupby:company - Stack
Codecs
Other Autoruns' Categories
Network Providers
Winlogon
LSA Providers
KnownDLL
Print Monitors
Boot Execute
WMI
Office Addins
Wrap-Up
Future Possibilities:
- VirusTotal Integration
- OSSEC Rulesets
Questions? @DefensiveDepth
github.com/defensivedepth/Pertinax