Slides available live at bsidesdfw.murchie.me
The views and opinions expressed in this presentation are our own. They do not represent the views of the United States Air Force, Department of Defense or any other government entity. No official endorsement of the products/software shown in this presentation is implied.
“The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions”1
“The proactive, analyst-driven process to search for attacker tactics, techniques and procedures (TTP) within an environment.”2
“Consists of searching iteratively through networks to detect indicators of compromise (IOCs) and threats such as Advanced Persistent Threats (APTs) evading your existing security system.”3
APT1337, FEISTY FELINE, has been observed targeting businesses in your industry. Reporting indicates they may be using malware which uses a high amount of CPU processing power.
APT1337 is using their new malware, which exhibits signs of high processor utilization, on our network and has gone undetected by our security stack.
Perform a Kolide query for the top 10 processes running on each host.
Review results looking for outliers.
Utilize our host logs in an attempt to obtain a better understanding of what regsvr32.exe is doing.
What is this odd process running out of Temp calling regsvr32? It may serve as an interesting pivot point.
Sysmon provides an MD5 hash of the executable for a quick check of what it may be.
Well this isn’t good.
APT101, AGELESS AARDVARK, previously gained access to your organization. Your infallible threat feed, Twitter.com, says they may be reusing old TTPs and dumping credentials and using the ADMIN$ share to move laterally and execute files.
Since our threat intelligence specifies executing files from the ADMIN$ share we can query ELK for anything to do with that share.
Reviewing the logs we see notepad.exe opening a text file stored in ADMIN$ of the Domain Controller.
Pivoting off this information we can search for events surrounding the execution of notepad.exe. We see that jpisano.adm, who is an admin as confirmed by the logon event code 4672, is the one who performed the action.
There is no reason at face value for jpisano.adm to do this. Maybe it wasn’t him? We know APT101 likes pass-the-ticket attacks which requires dumping credentials. Mimikatz is a popular tool for credential harvesting so we can use this as a pivot.
A simple query in ELK for Mimikatz shows our hunch was correct and have evidence of Mimikatz execution.
We can confirm our ELK logs with a Kolide query that the mimikatz binary is indeed sitting on the host.