Académique Documents
Professionnel Documents
Culture Documents
Privilege Escalation
Lateral Movement
IBM Security / © 2019 IBM Corporation / Master Skills University Munich 2019 2
Mitre Attack Matrix
The full ATT&CK Matrix™ below includes techniques spanning Windows, Mac, and Linux platforms
and can be used to navigate through the knowledge base.
https://attack.mitre.org/matrices/enterprise/
Command & Control: List of Techniques
and Detection Methods
Commonly Used Ports Analyze network data for uncommon data flows (e.g., a client sending significantly more
Custom Command and Control Protocol data than it receives from a server).
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Fallback Channels
Multiband Communication
Multilayer Encryption
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer Protocol
Uncommonly Used Port
Web Service
Commonly Used Ports Analyze packet contents to detect communications that do not follow the expected protocol
Connection Proxy behavior for the port that is being used.
Custom Command and Control Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Fallback Channels
Multiband Communication
Multilayer Encryption
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer Protocol
Uncommonly Used Port
Web Service
Communication Through Removable Media Monitor file access on removable media. Detect processes that execute when removable
media is mounted.
Connection Proxy Network activities disassociated from user-driven actions from processes that normally
require user direction are suspicious.
Connection Proxy Analyze network data for uncommon data flows (e.g., between clients that should not or
often do not communicate with one another
Custom Command and Control Protocol Analyze network traffic for ICMP messages or other protocols that contain abnormal data or
Standard Non-Application Layer Protocol are not normally seen within or exiting the network.
Custom Command and Control Protocol Monitor and investigate API calls to functions associated with enabling and/or utilizing
Standard Non-Application Layer Protocol alternative communication channels.
Custom Cryptographic Protocol If malware uses custom encryption with symmetric keys, it may be possible to obtain the algorithm and
Multilayer Encryption key from samples and use them to decode network traffic to detect malware communications signatures.
Standard Cryptographic Protocol
Analyze network data for uncommon data
flows: Detection
Data needed?
• Netflow
• CRE Rule looking for firewall web traffic events having byte-ratio mostly outbound
• CRE Rule looking for web traffic having byte-ratio mostly outbound
Command & Control: It's lab time - warm-up!
How can we detect if there is outbound web traffic?
Go to the Offenses tab and look for offenses having similar name
• You might use Remote Networks for that kind of tuning where you define upload sites
Add filter:
Command & Control: It's lab time - warm-up!
How to tune the rule for detecting outbound web traffic?
• You might use Remote Networks for that kind of tuning where you define upload sites
Command & Control: It's lab time - warm-up!
How to tune the rule for detecting outbound web traffic?
• You might use Remote Networks for that kind of tuning where you define upload sites
➔AQL
How to define an AQL statement to detect beaconing traffic on your QRadar CE edition?
Example:
SELECT
sourceip, destinationip, destinationport, "unique hours", "total events"
FROM (
SELECT
sourceip, destinationip, destinationport,
UNIQUECOUNT(DATEFORMAT(devicetime,'hh')) as "unique hours",
count(*) as "total events"
FROM events
WHERE eventDirection='L2R' AND destinationport in (80,443)
GROUP BY sourceip, destinationip, destinationport
last 24 hours
) WHERE "unique hours" > 20 and "total events" < 25
Command & Control: It's lab time!
▪ In our lab we do not have data from the last 24 hours.
▪ Instead we use 1 minute time slots to simulate this behavior
SELECT
sourceip, destinationip, destinationport, "unique hours", "total events"
FROM (
SELECT
sourceip, destinationip, destinationport,
UNIQUECOUNT(DATEFORMAT(devicetime,'mm')) as "unique hours",
count(*) as "total events"
FROM events
WHERE eventDirection='L2R' AND destinationport in (80,443)
GROUP BY sourceip, destinationip, destinationport
last 24 minutes
) WHERE "unique hours" > 20 and "total events" < 25
Command & Control: It's lab time!
What kind of tuning would be necessary?
Restrict to client network
Exclude trusted targets
SELECT
sourceip, destinationip, destinationport, "unique hours", "total events"
FROM (
SELECT
sourceip, destinationip, destinationport,
UNIQUECOUNT(DATEFORMAT(devicetime,'hh')) as "unique hours",
count(*) as "total events"
FROM events
WHERE NETWORKNAME(SourceIP, DomainID)='Office' AND
NOT referencesetcontains('TrustedWebServers',
eventDirection='L2R' "destinationIP") AND
AND destinationport in (80,443)
eventDirection='L2R' AND destinationport
GROUP BY sourceip, destinationip, in (80,443)
destinationport
GROUP BY sourceip, destinationip, destinationport
last 24 hours
last 24 hours
) WHERE "unique hours" > 20 and "total events" < 25
) WHERE "unique hours" > 20 and "total events" < 25
Command & Control: Using AQL to find traffic
in constant intervals
An alternative would be to search for traffic in constant intervals
For example malware like DRIDEX, ICEID, TRICKBOT and ZEUS call home in regular intervals e.g.,
every 300 seconds and vary in message content
AQL Function "GAP" reports the number of flows with similar gaps in a row
Parameters: lastpackettime,sourceip,destinationip,destinationport,deviation
Deploy on QRadar:
1. Copy file to your QRadar /root folder
2. Import the file using command:
/opt/qradar/bin/contentManagement.pl -a update -f /root/Interval.xml.zip
Command & Control: It's lab time!
You should have the AQL Function "GAP" already in your QRadar instance.
Example:
Data Sources:
DNS logs
Detection:
DGA
Tunneling
Beaconing
Squatting
Command & Control: It's lab time!
We pre-installed DNS Analyzer on QRadar CE for you
In the meantime you should see some results reported by DNS Analyzer
Search for events using filter "Log Source is IBM DNS Analyzer"
Command & Control: It's lab time!
Command & Control: Detection (Page 3)
Techniques Detection Method
Multi-Stage Channels Host data that can relate unknown or suspicious process activity using a network connection is important to supplement
Web Service any existing indicators of compromise based on malware command and control signatures and infrastructure and
infrastructure or the presence of strong encryption.
Multi-Stage Channels Relating subsequent actions that may result from Discovery of the system and network information or Lateral
Movement to the originating process may also yield useful data.
Multi-hop Proxy When observing use of Multi-hop proxies, network data from the actual command and control servers could allow
correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be
detected by alerting on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses
this technique.
Multiband Communication Correlating alerts between multiple communication channels can further help identify command-and-control behavior.
Domain Fronting If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it
matches the HTTPS SNI or against a blacklist or whitelist of domain names.
Port Knocking Record network packets sent to and from the system, looking for extraneous packets that do not belong to established
flows.
Connection Proxy Network activities disassociated from user-driven actions from processes that normally require user direction are
suspicious.
Connection Proxy Analyze network data for uncommon data flows (e.g., between clients that should not or often do not communicate with
one another
Remote File Copy Monitor for file creation and files transferred within a network over SMB.
Remote File Copy Unusual processes with external network connections creating files on-system may be suspicious
Remote File Copy Use of utilities, such as FTP, that does not normally occur may also be suspicious.
Command & Control: Detecting Client-To-
Client Traffic
Clients Servers
Dev/Test Core Banking
QRadar QRadar
UBA Asset Mgmt
What kind of data do we need to detect this kind
SW Developer of traffic?
Identity
Core Banking
Command & Control: Detecting Client-To-
Client Traffic
Implementation:
If the communications channel is unencrypted, compressed files can be detected in transit during
exfiltration with a network intrusion detection or data loss prevention system analyzing file
headers.
Data Encrypted Encryption software and encrypted files can be detected in many ways. Common utilities that may be
present on the system or brought in by an adversary may be detectable through process monitoring and
monitoring for command-line arguments for known encryption utilities. This may yield a significant
amount of benign events, depending on how systems in the environment are typically used. Often the
encryption key is stated within command-line invocation of the software.
A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or
verification of file signatures.
Network traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. If
the communications channel is unencrypted, encrypted files of known file types can be detected in
transit during exfiltration with a network intrusion detection or data loss prevention system
analyzing file headers.
Monitor for and investigate changes to host adapter settings, such as addition and/or replication of
communication interfaces.
Scheduled Transfer Monitor process file access patterns and network behavior. Unrecognized processes or scripts that
appear to be traversing file systems and sending network traffic may be suspicious. Network
connections to the same destination that occur at the same time of day for multiple days are suspicious.
– AQL:
select "file name", SUBSTRING("file name",STRLASTPOS("file name", '.', 1)+1,
STRLEN("file name")) as "File type"
from flows
where "file name" is not NULL
last 24 HOURS
– AQL:
select "content type", APPLICATIONNAME(applicationid) as "Application“
from flows
where "file name" is not NULL
group by Application
last 24 HOURS
If the communications channel is unencrypted, compressed files can be detected in transit during
exfiltration with a network intrusion detection or data loss prevention system analyzing file headers.
Data Encrypted Encryption software and encrypted files can be detected in many ways. Common utilities that may be
present on the system or brought in by an adversary may be detectable through process monitoring and
monitoring for command-line arguments for known encryption utilities. This may yield a significant
amount of benign events, depending on how systems in the environment are typically used. Often the
encryption key is stated within command-line invocation of the software.
A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or
verification of file signatures.
Network traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. If
the communications channel is unencrypted, encrypted files of known file types can be detected in
transit during exfiltration with a network intrusion detection or data loss prevention system analyzing
file headers.
3. Yara
– E.g. https://github.com/BayshoreNetworks/yextend/blob/master/libs/bayshore_file_type_detect.yara
– Windows or ELF executable files based on magic header:
rule yar_windows_executable
{
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}
rule yar_elf_executable
{
condition:
uint16(0) == 0x457f
}
rule yar_encrypted_archive_rar
{
meta:
ref =
"https://github.com/BayshoreNetworks/yextend/blob/master/libs/bayshore_file_type_detect.yara"
strings:
$encrypted_rar_archive = { 52 61 72 21 1a 07 00 }
condition:
$encrypted_rar_archive
}
If the communications channel is unencrypted, compressed files can be detected in transit during
exfiltration with a network intrusion detection or data loss prevention system analyzing file headers.
Data Encrypted Encryption software and encrypted files can be detected in many ways. Common utilities that may be
present on the system or brought in by an adversary may be detectable through process monitoring and
monitoring for command-line arguments for known encryption utilities. This may yield a significant
amount of benign events, depending on how systems in the environment are typically used. Often the
encryption key is stated within command-line invocation of the software.
A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or
verification of file signatures.
Network traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. If
the communications channel is unencrypted, encrypted files of known file types can be detected in
transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file
headers.
▪ https://en.wikipedia.org/wiki/Entropy_(information_theory)
▪ Higher value means more random (non-uniform) data
– Compressed files, packed executables
– Encrypted files, containers, volumes
– Executables with decryption routines
▪ 0 <= entropy <= 8 (Shannon equation)
▪ AQL:
– AQL:
select "file name", "file entropy",
avg("file entropy") as FEAvg,
stdev("file entropy") as FEStdev,
SUBSTRING("file name", STRLASTPOS("file name", '.', strlen("file name"))+1,
STRLEN("file name")) as "File type“
from flows
where "file entropy" is not NULL
GROUP BY "File type"
having ("file entropy" - FEAvg - (2 * FEStdev)) > 0
last 24 HOURS
Privilege Escalation
The adversary is trying to gain higher-level permissions.
To define a custom application in QRadar for Flow Analysis and Rules based on Port Only
Steps
1. Create a Custom AppID for the new Protocol, then Deploy
2. Map the Custom AppID to the User Defined Application Ports, then Deploy
3. Test
login to QRadar through the CLI It should look something like below
Using the QWorkbench Play “Scada Port Test Traffic” session and observe the application tag in the
“Network Activity” Tab. Note: it may take a minute or two to start displaying in the ”Network Activity” Tab.
Before After
Answer “phishman”
▪ Notice when you mouse over the Source IP and the Destination IP addresses that the source IP
address is on the OT Level 4 (Enterprise) Network. The User account “PhishMan” was used to gain
access to a Linux System on the OT Level 3.5 DMZ Network. The DMZ network is the gateway into the
OT network. If a system is compromised here, then it is possible to gain access to OT Systems.
▪ Once Access was gained to the Destination IP address of 10.10.11.232, the attacker was able to
uncover and Escalate from PhishMan to account “Skywalker”
▪ Notice that several failed Escalations were tried and failed, followed by a successful Escalation.
▪ Notice that an Offense was created for the Privilege Escalation.
The Offense
User “skywalker” tried to access the firewall, but was unable to. The attacker found the credentials for
“skywalker-a” and was then able to access the firewall.
Clear the “Authentication” filter and Group by Event Name to see all of the events collected.
Monitor for spawning of processes associated with COM objects, especially those invoked by a user
different than the one currently logged on.
Monitor for influx of Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic
Exploitation of Remote Services Detecting software exploitation may be difficult depending on the tools available. Software exploits may
not always succeed or may cause the exploited process to become unstable or crash. Also look for
behavior on the endpoint system that might indicate successful compromise, such as abnormal
behavior of the processes. This could include suspicious files written to disk, evidence of Process
Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may
indicate additional tools transferred to the system.
Logon Scripts Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added
or modified by unusual accounts outside of normal administration duties.
Pass the Hash Audit all logon and credential use events and review for discrepancies. Unusual remote logins that
correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious
activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not
anonymous logins are suspicious.
Event ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT
password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates
the action has failed due to "Integrity check on decrypted field failed" and indicates misuse by a
previously invalidated golden ticket.
Remote Desktop Protocol Use of RDP may be legitimate, depending on the network environment and how it is used. Other
factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or
malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally
access or access patterns to multiple systems over a relatively short period of time.
Also, set up process monitoring for tscon.exe usage and monitor service creation that uses cmd.exe /k
or cmd.exe /c in its arguments to prevent RDP session hijacking.
Remote File Copy Files may be copied from one system to another to stage adversary tools or other files over the course
of an operation. Files may be copied from an external adversary-controlled system through the
Command and Control channel to bring tools into the victim network or through alternate protocols with
another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp,
rsync, and sftp.
Remote Services Correlate use of login activity related to remote services with unusual behavior or other malicious or
suspicious activity. Adversaries will likely need to learn about an environment and the relationships
between systems through Discovery techniques prior to attempting Lateral Movement.
Frequently scan shared network directories for malicious files, hidden files, .LNK files, and other file
types that may not typical exist in directories used to share specific types of content.
The same investigation process can be applied here as with other potentially malicious activities where
the distribution vector is initially unknown but the resulting activity follows a discernible pattern. Analyze
the process execution trees, historical activities from the third-party application (such as what types of
files are usually pushed), and the resulting activities or events from the file/binary/script pushed to
systems.
Often these third-party applications will have logs of their own that can be collected and correlated with
other data from the environment. Audit software deployment logs and look for suspicious or
unauthorized activity. A system not typically used to push software to clients that suddenly is used for
such a task outside of a known admin function may be suspicious.
Perform application deployment at regular times so that irregular deployment activity stands out. Monitor
process activity that does not correlate to known good software. Monitor account login activity on the
deployment system.
Windows Admin Shares Ensure that proper logging of accounts used to log into systems is turned on and centrally collected.
Windows logging is able to collect success/failure for accounts that may be used to move laterally and
can be collected using tools such as Windows Event Forwarding. [29] [30] Monitor remote login events
and associated SMB activity for file transfers and remote process execution. Monitor the actions of
remote users who connect to administrative shares. Monitor for use of tools and commands to connect
to remote shares, such as Net, on the command-line interface and Discovery techniques that could be
used to find remotely accessible systems.
Server IP is 10.4.0.161
Your Mission: Monitor this server for unauthorized access. Ensure SOC is alerted if any
unauthorized Person or persons attempts to access this server.
Who?
Follow us on: © Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for
informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of
direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives.
ibm.com/security IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines
Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks
or service marks of others.
securityintelligence.com Statement of Good Security Practices: IT system security involves protecting systems and information through
prevention, detection and response to improper access from within and outside your enterprise. Improper access can
result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your
systems, including for use in attacks on others. No IT system or product should be considered completely secure and no
ibm.com/security/community single product, service or security measure can be completely effective in preventing improper use or access. IBM
systems, products and services are designed to be part of a lawful, comprehensive security approach, which will
necessarily involve additional operational procedures, and may require other systems, products or services to be most
xforce.ibmcloud.com effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise
immune from, the malicious or illegal conduct of any party.
@ibmsecurity
youtube/user/ibmsecuritysolutions