Hunting and detecting APTs using Sysmon and PowerShell logging
TOM UELTSCHI BOTCONF 2018
C:> whoami /all
• Tom Ueltschi
• Swiss Post CERT / SOC / CSIRT since 2007 (over 11 years!)
• Focus & Interests: Malware Analysis, Threat Intel, Threat Hunting, Red / Purple Teaming
• Member of many trust groups & infosec communities
• FIRST SIG member (malware analysis, red teaming, CTI)
• Twitter: @c_APT_ure
BotConf 2018 | Tom Ueltschi | Hunting and Detecting APTs using Sysmon and PowerShell Logging | TLP-WHITE 2
BotConf Speaker history
• 2013 - My Name is Hunter, Ponmocup Hunter
• 2014 - Ponmocup Hunter 2.0 – The Sequel
• 2015 - LT: Creating your own CTI (in 3 minutes.. or 5 )
• 2016 - Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
• 2017 - LT: Sysmon FTW!
• 2018 - Hunting and detecting APTs using Sysmon and PowerShell logging
Outline (remember, it’s a short 30min fast 40min talk)
• Introduction
• 3 techniques from MITRE ATT&CK
Motivation – why yet another talk?
• Positive feedback is always nice and encouraging
Motivation -- the real one
SIGMA… say what?
Are you ready for a change?
Source: https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science.pdf
Our setup
• ~25’000 hosts
• ~150 GB/day
• Event logs
  • Windows
  • Sysmon
  • PowerShell
ATT&CK is the new {APT,Cyber,AI,ML,blockchain,etc}
ATT&CKcon 2018
Data Sources & Event Logs
• Sysmon
• PowerShell ScriptBlock Logging
• PowerShell Transcript Logging
SIGMA rule available
Outline
• Introduction
• 1st of 3 techniques from MITRE ATT&CK
WMI Event Subscription (Persistence)
APT group named “Atomic Kittens”
WMI Event Subscription
Source: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf
WMI Event Subscription
Source: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
WMI Event Subscription
• Generating test events using “PowerLurk” Github project
• Likely won’t catch many APTs searching for Register-MaliciousWmiEvent ;-)
How noisy is the Sysmon WmiEvent?
• > 90 days
• > 270 EP’s
• < 600 events
• 4 different types
Outline
• Introduction
• 2nd of 3 techniques from MITRE ATT&CK
Logon Scripts (Persistence, Lateral Movement)
APT group named “Cuddly Panda Bears”
Idea for detection
• Search for child processes of “userinit.exe”
• Exclude “explorer.exe” (normal)
• Exclude logon scripts (after baselining & vetting)
• Possibly a small number of other legitimate executables, but feasible to enumerate and filter out
• Search for ProcessCreate or RegistryEvents with the registry key name “UserInitMprLogonScript”
Outline
• Introduction
• 3rd of 3 techniques from MITRE ATT&CK
PowerShell (execution)
APT group named “Magic Hound”
Here’s that list of strings…
SIGMA rule: Malicious PS keywords
“Low FP/high TP” vs. “noisy” events (90 days)
>>> YMMV !!! <<<
not all strings are created equal
Renaming PS.exe (evasion technique?)
RETEFE Malware sample
DOC/macro copy/rename PS.exe to %TEMP%\rnd.exe
ProcessCreate Event from PS-renamed
Search for Description: Windows PowerShell
Idea for detection
• Search for processes with “Description: Windows PowerShell”
• Exclude “powershell.exe” (the legitimate one)
• Also exclude PowerShell ISE
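The two Sysmon hunting ideas above (children of userinit.exe / UserInitMprLogonScript, and "Description: Windows PowerShell" under another image name) as one added example; this is not the speaker's code. It assumes Sysmon's field names, a hypothetical vetted logon-script path, and constructed sample events.

```python
"""Added example (not the speaker's code): the two Sysmon ProcessCreate/RegistryEvent
hunting ideas from the talk, run over constructed sample events."""
import ntpath

# Rule 1 exclusions: explorer.exe is the normal child of userinit.exe; the logon-script
# allow-list is a hypothetical placeholder to be filled after baselining and vetting.
USERINIT_EXPECTED_CHILDREN = {"explorer.exe"}
VETTED_LOGON_SCRIPTS = {r"\\corp.example\netlogon\logon.cmd"}  # hypothetical path
LOGON_SCRIPT_VALUE = "userinitmprlogonscript"  # registry value name, lower-cased

# Rule 2 exclusions: the legitimate images whose PE description starts "Windows PowerShell"
# (powershell_ise.exe is described as "Windows PowerShell ISE", hence the ISE exclusion).
LEGIT_POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe"}


def image_name(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def userinit_child_alert(ev):
    """EventID 1 (ProcessCreate): children of userinit.exe other than explorer.exe
    and the vetted logon scripts."""
    if ev.get("EventID") != 1 or image_name(ev.get("ParentImage", "")) != "userinit.exe":
        return None
    if image_name(ev["Image"]) in USERINIT_EXPECTED_CHILDREN:
        return None
    # Logon scripts run under an interpreter (cmd.exe, wscript.exe, ...), so the vetted
    # list is compared against the command line rather than the image.
    cmd = ev.get("CommandLine", "").lower()
    if any(script.lower() in cmd for script in VETTED_LOGON_SCRIPTS):
        return None
    return f"unexpected child of userinit.exe: {ev['Image']} ({ev.get('CommandLine', '')})"


def logon_script_registry_alert(ev):
    """EventID 12/13/14 (RegistryEvent) on the UserInitMprLogonScript value, or an
    EventID 1 whose command line references that value name."""
    if ev.get("EventID") in (12, 13, 14) and LOGON_SCRIPT_VALUE in ev.get("TargetObject", "").lower():
        return (f"UserInitMprLogonScript touched by {ev.get('Image')}: "
                f"{ev.get('TargetObject')} = {ev.get('Details', '')}")
    if ev.get("EventID") == 1 and LOGON_SCRIPT_VALUE in ev.get("CommandLine", "").lower():
        return f"process references UserInitMprLogonScript: {ev.get('CommandLine')}"
    return None


def renamed_powershell_alert(ev):
    """EventID 1: the PE description survives a copy/rename, so flag "Windows PowerShell"
    running as anything but powershell.exe / powershell_ise.exe. (Sysmon 8+ also logs
    OriginalFileName, which can be checked the same way.)"""
    if ev.get("EventID") != 1 or not ev.get("Description", "").lower().startswith("windows powershell"):
        return None
    if image_name(ev["Image"]) in LEGIT_POWERSHELL_IMAGES:
        return None
    return f"PowerShell running under another name: {ev['Image']}"


RULES = (userinit_child_alert, logon_script_registry_alert, renamed_powershell_alert)


def hunt(events):
    """Apply every rule to every event; returns [(rule name, message), ...]."""
    alerts = []
    for ev in events:
        for rule in RULES:
            message = rule(ev)
            if message:
                alerts.append((rule.__name__, message))
    return alerts


# Constructed sample events using Sysmon's field names; not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe", "Description": "Windows Explorer"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"cmd /c \\corp.example\netlogon\logon.cmd",
     "Description": "Windows Command Processor"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"cmd /c C:\Users\alice\AppData\Local\Temp\up.bat",
     "Description": "Windows Command Processor"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\alice\AppData\Local\Temp\up.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe", "Description": "Windows PowerShell"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\rnd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\rnd.exe -NoProfile",
     "Description": "Windows PowerShell"},
]

if __name__ == "__main__":
    for rule_name, message in hunt(SAMPLE_EVENTS):
        print(f"[{rule_name}] {message}")
```

Only the vetted logon script and the real powershell.exe pass silently; the temp-folder batch file, the registry write and the renamed PowerShell each raise one alert.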
Search for Description: PS without powershell.exe
Hello, world! My name is NOT powershell.exe
PowerShell Empire Stager
Idea for detection
• Search for any of 3 strings that are not obfuscated (performance reason):
  $PSVERSionTaBle.PSVErSIOn.MAjoR
  System.Management.Automation.Utils
  System.Management.Automation.AmsiUtils
• Remove obfuscation characters (simple de-obfuscation)
• Search for any of 5 strings (unique, de-obfuscated):
  EnableScriptBlockLogging
  EnableScriptBlockInvocationLogging
  cachedGroupPolicySettings
  ServerCertificateValidationCallback
  Expect100Continue
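The two-stage search above as an added example (not the speaker's code), run over constructed PowerShell 4104 ScriptBlock-logging events. It goes one step beyond the slide by reassembling fragmented script blocks by ScriptBlockId/MessageNumber before matching; the set of obfuscation characters removed (quotes, backticks, plus signs, whitespace) is an assumption.

```python
"""Added example (not the speaker's code): the two-stage keyword search from the talk,
run over constructed PowerShell 4104 (ScriptBlock logging) events."""
import re
from collections import defaultdict

# Stage 1: the three anchor strings the stagers leave unobfuscated; only the letter case
# is randomised, so a case-insensitive search on the raw text is a cheap prefilter.
ANCHOR_STRINGS = (
    "$PSVersionTable.PSVersion.Major",
    "System.Management.Automation.Utils",
    "System.Management.Automation.AmsiUtils",
)

# Stage 2: strings usually split with quotes, '+' and backticks; searched after de-obfuscation.
DEOBFUSCATED_STRINGS = (
    "EnableScriptBlockLogging",
    "EnableScriptBlockInvocationLogging",
    "cachedGroupPolicySettings",
    "ServerCertificateValidationCallback",
    "Expect100Continue",
)

# Characters dropped by the "simple de-obfuscation" (assumed set): quotes, backticks,
# concatenation plus signs and whitespace.
OBFUSCATION_RE = re.compile(r"[`'\"+\s]")


def deobfuscate(text):
    # 'Enable'+"Script`Block"+'Logging' becomes enablescriptblocklogging
    return OBFUSCATION_RE.sub("", text).lower()


def reassemble_script_blocks(events):
    """Long scripts arrive as several 4104 events sharing a ScriptBlockId, numbered by
    MessageNumber; join them in order so a keyword straddling a boundary still matches."""
    fragments = defaultdict(dict)
    for ev in events:
        fragments[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
    return {sbid: "".join(parts[n] for n in sorted(parts)) for sbid, parts in fragments.items()}


def analyse_script_block(text):
    """Return (anchor hits, keyword hits). Stage 2 runs only after a stage-1 hit, which is
    the performance trade-off from the talk: a script that obfuscates the anchors too is
    missed by this rule."""
    lowered = text.lower()
    anchors = [s for s in ANCHOR_STRINGS if s.lower() in lowered]
    if not anchors:
        return [], []
    clean = deobfuscate(text)
    keywords = [s for s in DEOBFUSCATED_STRINGS if s.lower() in clean]
    return anchors, keywords


def hunt(events):
    """One alert per reassembled script block that passes both stages."""
    alerts = []
    for sbid, text in reassemble_script_blocks(events).items():
        anchors, keywords = analyse_script_block(text)
        if keywords:
            alerts.append({"ScriptBlockId": sbid, "anchors": anchors, "keywords": keywords})
    return alerts


# Constructed 4104-style events, not captured from a real host. The second block is split
# into two fragments (logged out of order) with a keyword straddling the boundary; the
# fragments only carry the indicator strings and do nothing when run.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "block-benign", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB | Out-String"},
    {"ScriptBlockId": "block-stager", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "kLogging';[System.Net.ServicePointManager]::Expect100Continue=0}"},
    {"ScriptBlockId": "block-stager", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "If($PSVERSionTaBle.PSVErSIOn.MAjoR -ge 3){"
                        "$u=[Ref].Assembly.GetType('System.Management.Automation.Utils');"
                        "$k='cached'+'GroupPolicySettings';$f='EnableScriptB'+'loc"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The benign block never reaches stage 2; the reassembled second block matches two anchors and three de-obfuscated keywords, including the one split across the fragment boundary.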
PS-SB
PS-Empire functions executed
• Pen-tester was having “fun” with Empire
• PS-Empire functions with parameters found in PS transcript file
• Searched for “… | Out-String | %{…”
PS-TR
PS-Empire functions executed (top 60 funct’s)
PS-TR
PS-TR
Discovery > User enumeration – how many?
PS-TR
Unmanaged PowerShell
Get-TimedScreenshots
Get-TimedScreenshots
Using powershell.exe vs. unmanaged PS (PowerPick)
Sysmon
Re-test after enabling FileCreate for rundll32.exe
Sysmon
Sysmon
PS-TR
PS-TR
Idea for detection
• Search PowerShell Transcript Files for "Host Application:" which is NOT any of:
  • powershell.exe
  • powershell_ise.exe
  • wsmprovhost.exe
  • and possibly very few others
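The transcript check above as an added Python example (not code from the talk). It parses the "Host Application:" header line, reduces the host command line to its executable name and flags anything outside the whitelist, which is how unmanaged PowerShell (PowerPick and similar, which load System.Management.Automation into another process) shows up. The transcript headers are constructed to imitate the layout Start-Transcript writes, and the collection paths, host names and the agent.exe example are hypothetical:

```python
"""Flag PowerShell transcript files whose 'Host Application:' is not a known host.

Unmanaged PowerShell (PowerPick and similar) loads System.Management.Automation
into some other process, so the transcript header names that process instead
of powershell.exe.
"""
import re
from typing import Dict, List, Optional, Tuple

KNOWN_HOSTS = {"powershell.exe", "powershell_ise.exe", "wsmprovhost.exe"}

# 'Host Application:' carries the host process command line, so take the
# first *.exe token rather than comparing the whole value.
_HOST_LINE = re.compile(r"^Host Application:[ \t]*(.*?)[ \t\r]*$", re.MULTILINE)
_EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)\b', re.IGNORECASE)


def host_application(transcript: str) -> Optional[str]:
    """Executable name (lower-cased) from the transcript header, or None if absent."""
    m = _HOST_LINE.search(transcript)
    if not m:
        return None
    exe = _EXE_NAME.search(m.group(1))
    return (exe.group(1) if exe else m.group(1)).lower()


def is_unmanaged_host(transcript: str) -> bool:
    host = host_application(transcript)
    return host is not None and host not in KNOWN_HOSTS


def hunt(transcripts: Dict[str, str]) -> List[Tuple[str, str]]:
    """(path, host executable) for every transcript whose host is not whitelisted."""
    return sorted((path, host_application(text))
                  for path, text in transcripts.items() if is_unmanaged_host(text))


def make_transcript(machine: str, host_app: str) -> str:
    """Constructed transcript header imitating the layout Start-Transcript writes."""
    return (
        "**********************\n"
        "Windows PowerShell transcript start\n"
        "Start time: 20181206101500\n"
        "Username: CORP\\alice\n"
        "RunAs User: CORP\\alice\n"
        f"Machine: {machine} (Microsoft Windows NT 10.0.17134.0)\n"
        f"Host Application: {host_app}\n"
        "Process ID: 4120\n"
        "PSVersion: 5.1.17134.407\n"
        "**********************\n"
    )


# Constructed sample transcripts keyed by a hypothetical collection path.
TRANSCRIPTS = {
    "ws01/PowerShell_transcript.WS01.txt": make_transcript(
        "WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile"),
    "ws02/PowerShell_transcript.WS02.txt": make_transcript(
        "WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"),
    "ws03/PowerShell_transcript.WS03.txt": make_transcript(
        "WS03", r"C:\Windows\System32\rundll32.exe"),
    "ws04/PowerShell_transcript.WS04.txt": make_transcript(
        "WS04", r'"C:\Program Files\Acme Agent\agent.exe" -service'),
}

if __name__ == "__main__":
    for path, host in hunt(TRANSCRIPTS):
        print(f"unmanaged PowerShell host {host} in {path}")
```

Comparing only the executable name, not the full path, keeps the whitelist short; the "very few others" from the slide (legitimate in-house hosts) are added to KNOWN_HOSTS once they have been reviewed.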
PS-TR
SIGMA
Unmanaged PowerShell
Start-ClipboardMonitor
PowerShell
Idea for detection
• Search for PowerShell EncodedCommands in command-lines
• Base64 decode EncodedCommand on the fly
• Search for known malicious strings / cmdlets in decoded commands
Sysmon
Sysmon
PowerPick
PS-TR
Idea for detection
• Search for known malicious strings (code snippets, even comments) in PowerShell ScriptBlock Logs and Transcript Files
PS-SB
PS-TR
SIGMA
PS-TR
Detecting known bad vs. hunting unknown
Obfuscate-Mimikatz.sh only random strings
Detection vs. Hunting
• So far we looked at known malicious strings or behaviors
• Now let’s hunt for the unknowns
• Enumerate legitimate PS script files and function names
  Build a whitelist to filter out legitimate functions
• Search for rarest function names in PS logs (apply whitelist filtering)
• Use stacking, long tail analysis, LFO (least frequency of occurrence) to find interesting stuff
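The hunting procedure above (enumerate legitimate scripts, whitelist their function names, stack function definitions from ScriptBlock events by host, surface the rarest) as an added Python example, not code from the talk. The legitimate script, the events, the host names and the known-bad lookup are constructed; the whitelist and blacklist lookups are plain sets here, where the talk used SIEM lookups:

```python
"""Hunt for unknown PowerShell tooling by stacking function names.

1. Enumerate the function names defined in the environment's legitimate script
   files and build a whitelist from them.
2. Extract 'function <Name>' definitions from PowerShell ScriptBlock events.
3. Stack by the number of hosts each name was seen on, drop whitelisted names
   and list the rarest first (least frequency of occurrence); names on the
   known-bad lookup are reported regardless of how common they are.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# 'function Name {' or 'function Name('; the lookahead skips prose mentions.
FUNC_DEF = re.compile(r"\bfunction\s+([A-Za-z_][\w-]*)\s*(?=[({])", re.IGNORECASE)

# Blacklist lookup with known bad (assumed content).
KNOWN_BAD = {"invoke-mimikatz", "get-timedscreenshots", "start-clipboardmonitor"}


def function_names(script: str) -> Set[str]:
    return {name.lower() for name in FUNC_DEF.findall(script)}


def build_whitelist(legit_scripts: Dict[str, str]) -> Set[str]:
    """Whitelist lookup with known good: every function defined in a legitimate script."""
    names: Set[str] = set()
    for text in legit_scripts.values():
        names |= function_names(text)
    return names


def stack_by_host(events: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """function name -> set of hosts that defined it."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for host, script in events:
        for name in function_names(script):
            hosts[name].add(host)
    return hosts


def rarest_functions(events, whitelist: Set[str], max_hosts: int = 2) -> List[Tuple[str, int, str]]:
    """(name, host count, verdict) sorted rarest first; whitelisted and common names drop out."""
    rows = []
    for name, hosts in stack_by_host(events).items():
        if name in whitelist:
            continue
        if name in KNOWN_BAD:
            rows.append((name, len(hosts), "known-bad"))
        elif len(hosts) <= max_hosts:
            rows.append((name, len(hosts), "unknown"))
    return sorted(rows, key=lambda row: (row[1], row[0]))


# Constructed inputs: one legitimate IT script and a handful of ScriptBlock events.
LEGIT_SCRIPTS = {
    r"\\fileserver\it\Inventory.ps1":
        "function Get-InventoryReport {\n  Get-CimInstance Win32_ComputerSystem\n}\n"
        "function Send-Report($Path) { Send-MailMessage -Attachments $Path }\n",
}
EVENTS = [
    ("WS01", "function Get-InventoryReport { Get-CimInstance Win32_ComputerSystem }"),
    ("WS02", "function Get-InventoryReport { Get-CimInstance Win32_ComputerSystem }"),
    ("WS01", "Function Get-Helper { Get-Date }"),
    ("WS02", "Function Get-Helper { Get-Date }"),
    ("WS04", "Function Get-Helper { Get-Date }"),
    ("WS03", "function Invoke-Mimikatz {\n  [CmdletBinding()] Param()\n}"),
    ("WS05", "function Get-Telemetry {\n  Get-Clipboard | Out-File C:\\Users\\Public\\t.log\n}"),
]

if __name__ == "__main__":
    for row in rarest_functions(EVENTS, build_whitelist(LEGIT_SCRIPTS)):
        print(row)
```

Stacking by distinct hosts rather than raw event count matters: a noisy logon script on one machine would otherwise look "common", while a tool run once on five machines would not. Get-Helper above is unknown but seen on three hosts, so with the default cut-off it stays in the long tail for later review instead of the first page.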
Enumerate PS script files and function names
Enumerate PS script files and function names
Search for rarest PS script files
Search for rarest PS function names
Create whitelist lookup with known good
Create blacklist lookup with known bad
SIGMA rules (contributions coming soon…)
Thanks for your attention!!
Time left for questions?
• Twitter: @c_APT_ure
• Blog: http://c-apt-ure.blogspot.com/2017/12/is-this-blog-still-alive.html (many resources about Sysmon linked in one place)