Splunk Threat Intel IOC Integration via Lookups

Today most security teams have access to a lot of different information sources. On the one hand they collect log data from different sources and try to correlate them in a useful way in so-called SIEM systems. On the other hand they receive threat information from different sources like APT reports, public or private feeds or derive those indicators from their own investigations and during incident response.
Therefore one of the main tasks of security monitoring today is to combine these different data sources, which means to apply the threat intel information to the data that is already available in SIEM systems or scan for it on-demand using tools like my free IOC scanner LOKI or our APT Scanner THOR.
In this article I would like to describe a method to apply threat intel information to log data in Splunk using simple lookup definitions.
I recently integrated two different threat intel receivers in my free IOC scanner LOKI. One of them fetches all IOC (indicator of compromise) elements from AlienVault’s Open Threat Exchange platform OTX and saves them to a subfolder in the LOKI program folder in order to be initialized during startup.
This weekend I added a new option called "--siem" that instructs the receiver to generate a CSV file with a header line and the correct format for a lookup definition in Splunk.
Screenshot: Example – Threat Intel Feed OTX Receiver (LOKI)

The resulting file for the hash IOCs looks like this:
Screenshot: Threat Intel Hash CSV for Splunk Lookup

Using the “-o” parameter you are able to select an output folder. I chose the folder for the lookup definitions in the search app, which is “$SPLUNK_HOME/etc/apps/search/lookups”.
Screenshot: Threat Intel CSV Files in Splunk Search App Lookup Folder

After saving the output files to this directory we can select the CSV file in the lookup definition settings dialog (Settings > Lookups > Lookup definitions > Add new). I named the lookup “otxhash”.
Screenshot: Threat Intel CSV File Lookup Definition in Splunk

Now we can apply this lookup to all log data that contains file hash information like Antivirus logs, THOR and LOKI scan results or in this case the logs of Microsoft Sysmon.
Screenshot: Windows Sysmon Log Data in Splunk

Using the free Add-on for Microsoft Sysmon all the log fields will be extracted automatically. You will see a field named “Hash” that can be used in our search definitions to allow a direct lookup.
Screenshot: Windows Sysmon Log Data with Hash Values of Executables

The lookup compares the “Hash” field from the Sysmon event message with the “hash” field from the OTX threat intel CSV file and sets a new “threat_description” field with the value of the “description” field from the CSV.

index=windows_sysmon
| lookup otxhash hash AS Hash OUTPUT description AS threat_description
| search threat_description=*
| table UtcTime,ComputerName,User,Hash,ProcessId,CommandLine,threat_description

After the lookup I search for all entries that have a “threat_description” field set and display them in an easy-to-read table view. Only entries whose “Hash” matched a “hash” from the CSV will have this new field set. In the example below I had a match on an unwanted application called “Pantsoff” that I used in my lab environment for this POC.

Screenshot: Threat Intel Lookup in Splunk

I would define this search as an “Alert” that runs every 15 minutes and searches the log data of the last 15 minutes, in order to be informed immediately when a blacklisted executable has been used (avoid real-time searches/alerts in Splunk).
Furthermore the threat intel receiver should be scheduled via cron in order to run hourly/daily.
The two other files created by the threat intel receiver contain information on file names and C2 servers (host names, IPs) that can be applied in the same way. The only small downside is that lookups can only be used for “equal” matches and do not allow searching for events that “contain” a value from the CSV file. This is no problem for the C2 server definitions, but it is for the file name definitions, which can be e.g. “AppData\\evil.exe”.
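To make the equality semantics of the lookup and the missing “contains” match concrete, here is an added Python example (not code from LOKI, Splunk or this article) that performs the same steps as the search above over constructed data: it loads a hash CSV like the one the receiver writes, normalizes the hash values on both sides (a lookup is an exact string comparison, so case and any algorithm prefix in the Sysmon field have to agree), joins it against a few constructed Sysmon events and produces the table columns of the search. It also shows the “contains” match on the file name IOCs that a plain CSV lookup cannot express. The column name “filename”, the Sysmon field names other than “Hash”, and all hashes and descriptions are constructed assumptions.

```python
import csv
import io
import re

# Constructed stand-ins for the CSV files written with --siem; column name "filename" is assumed.
HASH_CSV = """hash,description
0011223344556677889900aabbccddee,OTX pulse: Pantsoff password revealer (constructed)
ffeeddccbbaa00998877665544332211,OTX pulse: downloader (constructed)
"""

FILENAME_CSV = r"""filename,description
AppData\evil.exe,OTX pulse: dropper drop path (constructed)
"""

SYSMON_EVENTS = [   # constructed Sysmon process events with the fields used in the search
    {"UtcTime": "2015-03-22 10:01:02.123", "ComputerName": "LAB-PC", "User": r"LAB\analyst",
     "Image": r"C:\Tools\pantsoff.exe", "Hash": "MD5=0011223344556677889900AABBCCDDEE",
     "ProcessId": "1234", "CommandLine": "pantsoff.exe"},
    {"UtcTime": "2015-03-22 10:02:10.456", "ComputerName": "LAB-PC", "User": r"LAB\analyst",
     "Image": r"C:\Windows\System32\notepad.exe", "Hash": "MD5=99999999999999999999999999999999",
     "ProcessId": "1300", "CommandLine": "notepad.exe"},
    {"UtcTime": "2015-03-22 10:03:33.789", "ComputerName": "LAB-PC", "User": r"LAB\bob",
     "Image": r"C:\Users\bob\AppData\evil.exe", "Hash": "MD5=ABABABABABABABABABABABABABABABAB",
     "ProcessId": "1400", "CommandLine": "evil.exe /silent"},
]

HASH_PREFIX = re.compile(r"^(MD5|SHA1|SHA256|IMPHASH)=", re.I)

def normalize_hash(value):
    """A lookup is an equality test: strip an 'ALG=' prefix and lower-case, and do the same
    when writing the CSV, or the Sysmon value and the CSV key never compare equal."""
    return HASH_PREFIX.sub("", value.strip()).lower()

def load_hash_lookup(csv_text):
    return {normalize_hash(row["hash"]): row["description"]
            for row in csv.DictReader(io.StringIO(csv_text))}

def load_filename_lookup(csv_text):
    return [(row["filename"].lower(), row["description"])
            for row in csv.DictReader(io.StringIO(csv_text))]

def lookup_hash_matches(events, hash_lookup):
    """Equivalent of: | lookup otxhash hash AS Hash OUTPUT description AS threat_description
                      | search threat_description=*"""
    hits = []
    for event in events:
        description = hash_lookup.get(normalize_hash(event.get("Hash", "")))
        if description:
            hits.append(dict(event, threat_description=description))
    return hits

def contains_filename_matches(events, filename_lookup):
    """The 'contains' match a CSV lookup lacks: flag an event whose Image path contains an
    IOC path fragment such as AppData\\evil.exe."""
    hits = []
    for event in events:
        image = event.get("Image", "").lower()
        for fragment, description in filename_lookup:
            if fragment in image:
                hits.append(dict(event, threat_description=description))
                break
    return hits

def to_table(rows, fields=("UtcTime", "ComputerName", "User", "Hash",
                           "ProcessId", "CommandLine", "threat_description")):
    """Equivalent of the trailing | table ...: one list per row in the given column order."""
    return [[row.get(field, "") for field in fields] for row in rows]

if __name__ == "__main__":
    for row in to_table(lookup_hash_matches(SYSMON_EVENTS, load_hash_lookup(HASH_CSV))):
        print(" | ".join(row))
    for row in to_table(contains_filename_matches(SYSMON_EVENTS, load_filename_lookup(FILENAME_CSV))):
        print(" | ".join(row))
```

The normalization step is the part worth copying: whichever side produces the CSV has to emit the hash in exactly the form the log source uses, otherwise the lookup silently matches nothing.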
I’ll improve the Threat Intel Receivers in the coming weeks and add the "--siem" option to the MISP Receiver as well.
I hope you enjoyed the article and found it inspiring even if you don’t use Splunk or the other mentioned tools.
Besides: I am working on a RESTful web service with the working title “TRON” that allows querying for threat intel indicators and supports different comparison modes, including the missing “contains”, with OpenIOC and STIX as input files. It is not ready yet, but I’ll let you know as soon as there is something to show.
Follow me on Twitter via @Cyb3rOps

Smart DLL execution for Malware Analysis in Sandbox Systems

While analysing several suspicious DLL files I noticed that some of these files (which were obviously malicious) didn’t perform their malicious activity unless a certain function was triggered. The malware used a registry entry to execute a certain function that is exported by the DLL called “InstallM”. I had to run “rundll32.exe malware.dll,InstallM” to trigger the malicious activity.
In order to automate the process of A) analyzing the exported functions and B) running the various DLL functions, I created a script called “DLLRunner”. What it does is rather simple:

  1. First, it uses the Python module pefile to analyze the PE and retrieve a list of all exported functions with name and ordinal.
  2. Second, it executes the various exported functions by name or ordinal.
  3. Third, it passes a set of parameters to each function in order to satisfy requirements and trigger any activity (simple “fuzzing”).

This is what it does:

rundll32.exe path/to/file.dll,exportedfunc1
rundll32.exe path/to/file.dll,exportedfunc2
rundll32.exe path/to/file.dll,exportedfunc3

The simple fuzzing mode looks like this:

rundll32.exe path/to/file.dll,exportedfunc1 "0"
rundll32.exe path/to/file.dll,exportedfunc1 "1"
rundll32.exe path/to/file.dll,exportedfunc1 "http://evil.local"
rundll32.exe path/to/file.dll,exportedfunc1 "Install"
...
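The following is an added Python example, not the DLLRunner script itself, showing the two building blocks of the three steps above: reading the export directory of a PE file (a small pure-Python reader standing in for the pefile call, so it runs without that module) and generating the rundll32 command lines for every export, by name where one exists and by “#ordinal” for nameless exports, with the same fuzz parameter set as above. It builds a constructed, non-loadable PE image containing only an export table as its test input. It deliberately only lists the commands; running them belongs inside the isolated sandbox VM.

```python
import struct

FUZZ_PARAMS = ["0", "1", "http://evil.local", "Install"]   # the simple fuzz set from above

def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def _cstring(data, offset):
    return data[offset:data.index(b"\x00", offset)].decode("ascii")

def parse_exports(data):
    """Return [(name or None, ordinal, function RVA)] for every export of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)               # data directory: PE32 vs. PE32+
    export_rva = struct.unpack_from("<I", data, dir_off)[0]       # entry 0 = export table
    if export_rva == 0:
        return []                                                 # nothing exported
    sections = []
    for i in range(n_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    ed = _rva_to_offset(export_rva, sections)
    base, n_funcs, n_names, aof, aon, aono = struct.unpack_from("<IIIIII", data, ed + 16)
    names = {}                                                    # function index -> exported name
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, _rva_to_offset(aon, sections) + 4 * i)[0]
        index = struct.unpack_from("<H", data, _rva_to_offset(aono, sections) + 2 * i)[0]
        names[index] = _cstring(data, _rva_to_offset(name_rva, sections))
    exports = []
    for index in range(n_funcs):
        func_rva = struct.unpack_from("<I", data, _rva_to_offset(aof, sections) + 4 * index)[0]
        if func_rva:                                              # zero entries are gaps in the ordinal range
            exports.append((names.get(index), base + index, func_rva))
    return exports

def build_commands(dll_path, exports, fuzz=False):
    """rundll32 invocations as DLLRunner issues them: by name, or '#ordinal' for nameless exports."""
    commands = []
    for name, ordinal, _rva in exports:
        call = "rundll32.exe %s,%s" % (dll_path, name if name else "#%d" % ordinal)
        commands.extend(['%s "%s"' % (call, p) for p in FUZZ_PARAMS] if fuzz else [call])
    return commands

def build_sample_dll():
    """Constructed test input: a PE32 image holding only an export table with three entries,
    one of them exported by ordinal only. No code, not loadable."""
    sec_va, sec_raw = 0x1000, 0x200
    func_rvas = [0x2010, 0x2020, 0x2030]
    names = {0: b"InstallM", 2: b"TelnetProtocolHandler"}        # index 1 has no name
    aof = 40                                                      # tables follow the 40-byte directory
    aon = aof + 4 * len(func_rvas)
    aono = aon + 4 * len(names)
    strings = aono + 2 * len(names)
    table, name_rvas = b"sample.dll\x00", {}
    for index in sorted(names):
        name_rvas[index] = sec_va + strings + len(table)
        table += names[index] + b"\x00"
    section = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_va + strings, 1, len(func_rvas), len(names),
                          sec_va + aof, sec_va + aon, sec_va + aono)
    section += b"".join(struct.pack("<I", r) for r in func_rvas)
    section += b"".join(struct.pack("<I", name_rvas[i]) for i in sorted(names))
    section += b"".join(struct.pack("<H", i) for i in sorted(names))
    section += table
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)          # i386, one section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_va, len(section))                       # export data directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(section), sec_va, len(section), sec_raw,
                          0, 0, 0, 0, 0x40000040)
    image = dos + b"PE\x00\x00" + file_hdr + bytes(opt) + sec_hdr
    return image + b"\x00" * (sec_raw - len(image)) + section

if __name__ == "__main__":
    for cmd in build_commands(r"C:\Testing\sample.dll", parse_exports(build_sample_dll()), fuzz=True):
        print(cmd)
```

Ordinal-only exports are the case worth noting: pefile reports them with `name` set to None, and rundll32 can still reach them through the “#N” syntax, so a runner that only iterates names misses exactly the functions a malware author is most likely to hide.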

Examples

I tested the script on “url.dll” which is typically located in the system32 folder.

python dllrunner.py -f C:\Testing\url.dll --debug

Screenshot: DLLRunner executing all exported functions

It caused the functions “TelnetProtocolHandler” and “TelnetProtocolHandlerA” to pop a telnet shell.
Screenshot: DLLRunner popping telnet windows via exported function “TelnetProtocolHandler”

If you pass "--fuzz", DLLRunner passes several parameters to each function. This caused a function in “url.dll” to pop browser windows for the fuzz parameter “http://evil.local”.

python dllrunner.py -f C:\Testing\url.dll --debug --fuzz

Screenshot: Running DLLRunner in fuzzing mode

I am still not sure whether this is useful. I have to do further testing to improve the fuzzing idea. I am open to any advice and would like to see something like this integrated in common sandboxes like Cuckoo.

Download

DLLRunner on Github

How to Scan for System File Manipulations with Yara (Part 2/2)

As a follow-up to my first article about inverse matching Yara rules, I would like to add a tutorial on how to scan for system file manipulations using Yara and PowerShell. The idea of inverse matching is that we do not scan for something malicious that we already know, but for anomalies within the system files. Chad Tilbury from CrowdStrike referred to this method in his article describing a way to scan for this type of anomaly using their incident collection tool CrowdResponse. In my first article I described how we utilize this method in our incident response tool and promised a free solution based on available system tools.
The yara rules used to apply this method require the name of the observed file. Yara allows the file name to be passed via an external variable like in the following listing.

yara32.exe -d filename=iexplore.exe inverse-matching.yar iexplore.exe

But we have to define and pass this “filename” variable for every file we analyse while walking the directory tree.
So – what do we do?
First – we need a PowerShell script that walks a directory tree and feeds each file with an “.exe” extension, together with the rule set and the file name as external variable, to yara32.exe. You could copy the script and paste it directly into the command line, but I would recommend the following:
Prepare a folder with the following content:

  1. The powershell script as listed below – name it “inverse-scan.ps1”
  2. The ruleset listed below as “inverse-matching.yar”
  3. A version of Yara for Windows
  4. A batch script that invokes the powershell script with some parameters named “runit.bat”

The final result looks like this:

Screenshot: Inverse Yara Matching Script Set

You can copy that folder to the target system, take it with you on a USB drive or provide a network share with its contents.
inverse-scan.ps1

Get-ChildItem -Recurse -filter *.exe C:\Windows 2> $null |
ForEach-Object { Write-Host -foregroundcolor "green" "Scanning"$_.FullName $_.Name; ./yara32.exe -d filename=$_.Name inverse-matching.yar $_.FullName 2> $null }

runit.bat

@ECHO OFF
powershell -ExecutionPolicy ByPass -File ./inverse-scan.ps1

inverse-matching.yar

rule iexplore_ANOMALY {
    meta:
        author = "Florian Roth"
        description = "Abnormal iexplore.exe - typical strings not found in file"
        date = "23/04/2014"
        score = 55
    strings:
        $upd_magic = { 44 43 }
        $win2003_win7_u1 = "IEXPLORE.EXE" wide nocase
        $win2003_win7_u2 = "Internet Explorer" wide fullword
        $win2003_win7_u3 = "translation" wide fullword nocase
        $win2003_win7_u4 = "varfileinfo" wide fullword nocase
    condition:
        not ( $upd_magic at 0 ) and not 1 of ($win*) and filename matches /iexplore\.exe/is
}
rule svchost_ANOMALY {
    meta:
        author = "Florian Roth"
        description = "Abnormal svchost.exe - typical strings not found in file"
        date = "23/04/2014"
        score = 55
    strings:
        $upd_magic = { 44 43 }
        $win2003_win7_u1 = "svchost.exe" wide nocase
        $win2003_win7_u3 = "coinitializesecurityparam" wide fullword nocase
        $win2003_win7_u4 = "servicedllunloadonstop" wide fullword nocase
        $win2000 = "Generic Host Process for Win32 Services" wide fullword
        $win2012 = "Host Process for Windows Services" wide fullword
    condition:
        filename matches /svchost\.exe/is and not 1 of ($win*) and not ( $upd_magic at 0 )
}
rule explorer_ANOMALY {
    meta:
        author = "Florian Roth"
        description = "Abnormal explorer.exe - typical strings not found in file"
        date = "27/05/2014"
        score = 55
    strings:
        $upd_magic = { 44 43 }
        $s1 = "EXPLORER.EXE" wide fullword
        $s2 = "Windows Explorer" wide fullword
    condition:
        filename matches /explorer\.exe/is and not 1 of ($s*) and not ( $upd_magic at 0 )
}
rule sethc_ANOMALY {
    meta:
        description = "Sethc.exe has been replaced - Indicates Remote Access Hack RDP"
        author = "F. Roth"
        reference = "http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf"
        date = "2014/01/23"
        score = 70
    strings:
        $upd_magic = { 44 43 }
        $s1 = "stickykeys" fullword nocase
        $s2 = "stickykeys" wide nocase
        $s3 = "Control_RunDLL access.cpl" wide fullword
        $s4 = "SETHC.EXE" wide fullword
    condition:
        filename matches /sethc\.exe/ and not 1 of ($s*) and not ( $upd_magic at 0 )
}
rule Utilman_ANOMALY {
    meta:
        author = "Florian Roth"
        description = "Abnormal utilman.exe - typical strings not found in file"
        date = "01/06/2014"
        score = 55
    strings:
        $upd_magic = { 44 43 }
        $win7 = "utilman.exe" wide fullword
        $win2000 = "Start with Utility Manager" fullword wide
        $win2012 = "utilman2.exe" fullword wide
    condition:
        filename matches /utilman\.exe/is and not 1 of ($win*) and not ( $upd_magic at 0 )
}
rule osk_ANOMALY {
    meta:
        author = "Florian Roth"
        description = "Abnormal osk.exe (On Screen Keyboard) - typical strings not found in file"
        date = "01/06/2014"
        score = 55
    strings:
        $upd_magic = { 44 43 }
        $s1 = "Accessibility On-Screen Keyboard" wide fullword
        $s2 = "\\oskmenu" wide fullword
        $s3 = "&About On-Screen Keyboard..." wide fullword
        $s4 = "Software\\Microsoft\\Osk" wide
    condition:
        filename matches /osk\.exe/is and not 1 of ($s*) and not ( $upd_magic at 0 )
}
rule magnify_ANOMALY {
    meta:
        author = "Florian Roth"
        description = "Abnormal magnify.exe (Magnifier) - typical strings not found in file"
        date = "01/06/2014"
        score = 55
    strings:
        $upd_magic = { 44 43 }
        $win7 = "Microsoft Screen Magnifier" wide fullword
        $win2000 = "Microsoft Magnifier" wide fullword
        $winxp = "Software\\Microsoft\\Magnify" wide
    condition:
        filename matches /magnify\.exe/is and not 1 of ($win*) and not ( $upd_magic at 0 )
}
rule narrator_ANOMALY {
    meta:
        author = "Florian Roth"
        description = "Abnormal narrator.exe - typical strings not found in file"
        date = "01/06/2014"
        score = 55
    strings:
        $upd_magic = { 44 43 }
        $win7 = "Microsoft-Windows-Narrator" wide fullword
        $win2000 = "&About Narrator..." wide fullword
        $win2012 = "Screen Reader" wide fullword
        $winxp = "Software\\Microsoft\\Narrator"
        $winxp_en = "SOFTWARE\\Microsoft\\Speech\\Voices" wide
    condition:
        filename matches /narrator\.exe/is and not 1 of ($win*) and not ( $upd_magic at 0 )
}
rule notepad_ANOMALY {
    meta:
        author = "Florian Roth"
        description = "Abnormal notepad.exe - typical strings not found in file"
        date = "01/06/2014"
        score = 55
    strings:
        $upd_magic = { 44 43 }
        $win7 = "HELP_ENTRY_ID_NOTEPAD_HELP" wide fullword
        $win2000 = "Do you want to create a new file?" wide fullword
        $win2003 = "Do you want to save the changes?" wide
        $winxp = "Software\\Microsoft\\Notepad" wide
    condition:
        filename matches /notepad\.exe/is and not 1 of ($win*) and not ( $upd_magic at 0 )
}

Although the string descriptors list only some of the Windows versions, we’ve tested it against the following versions:

  • Windows 2000
  • Windows 2003 Server
  • Windows 7 (x64)
  • Windows 2008 R2
  • Windows 2012

What you get as result is a small anomaly scanner made completely with Windows tools and Yara. An administrator would just have to click the Batch file and run the script with admin rights. The following screenshot shows a scan on the Windows folder with a prepared malicious “iexplore.exe” in the subfolder “C:\Windows\AA_Testing”.

Screenshot: Yara Inverse Matching Anomaly Scanner in Action

You could remove the Write-Host part of the script (Write-Host -foregroundcolor "green" "Scanning"$_.FullName $_.Name; up to and including the semicolon) to show only the alerts, or modify the script so that it writes a log file.
We use all of these rules in our APT Scanner THOR and added further rules matching 3rd party tools attackers tend to replace or rename.
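As an added example (not the article's PowerShell script, its Yara rules, or THOR code), the same walk-and-inverse-check logic in Python: walk a tree for .exe files, pick the rule by file name, skip Windows update packages (the "DC" magic at offset 0 that every rule excludes) and flag the file when none of the strings a genuine copy contains are present. EXPECTED_STRINGS mirrors three of the rules above in simplified form: plain substring tests, all case-insensitive, without Yara's "fullword" boundary check; "wide" means UTF-16LE as in the rules. The sample tree, including a replaced iexplore.exe in an AA_Testing subfolder as in the screenshot, is constructed.

```python
import os
import re
import tempfile

# Simplified mirror of the Yara rules: file name pattern -> strings a genuine copy contains.
EXPECTED_STRINGS = {
    re.compile(r"^iexplore\.exe$", re.I): [("IEXPLORE.EXE", "wide"), ("Internet Explorer", "wide")],
    re.compile(r"^svchost\.exe$", re.I): [("svchost.exe", "wide"),
                                          ("Generic Host Process for Win32 Services", "wide"),
                                          ("Host Process for Windows Services", "wide")],
    re.compile(r"^sethc\.exe$", re.I): [("stickykeys", "ascii"), ("stickykeys", "wide"),
                                        ("SETHC.EXE", "wide")],
}

def _encode(text, kind):
    return text.encode("utf-16-le") if kind == "wide" else text.encode("ascii")

def check_file(name, data):
    """Inverse match for one file: 'anomaly' when the name matches a rule, the file is not an
    update package ('DC' at offset 0) and none of the expected strings occur; 'ok' or
    'update-package' otherwise; None when no rule covers this file name."""
    for pattern, expected in EXPECTED_STRINGS.items():
        if not pattern.match(name):
            continue
        if data[:2] == b"DC":
            return "update-package"
        lowered = data.lower()                     # bytes.lower() only changes ASCII letters, so
        if any(_encode(text, kind).lower() in lowered for text, kind in expected):  # UTF-16LE survives
            return "ok"
        return "anomaly"
    return None

def scan_tree(root):
    """Walk the tree like Get-ChildItem -Recurse -filter *.exe and return the anomalous paths."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue                           # unreadable file, like the script's 2> $null
            if check_file(name, data) == "anomaly":
                findings.append(path)
    return findings

def build_demo_tree():
    """Constructed sample tree: a genuine-looking iexplore.exe at the top, a replaced copy in
    AA_Testing, and an .exe that no rule covers."""
    root = tempfile.mkdtemp(prefix="inverse_scan_")
    os.makedirs(os.path.join(root, "AA_Testing"))
    genuine = b"MZ" + b"\x00" * 64 + "Internet Explorer".encode("utf-16-le") + b"\x00" * 16
    replaced = b"MZ" + b"\x00" * 64 + b"definitely not the browser" + b"\x00" * 16
    for rel, data in [("iexplore.exe", genuine),
                      (os.path.join("AA_Testing", "iexplore.exe"), replaced),
                      ("calc.exe", replaced)]:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for hit in scan_tree(build_demo_tree()):
        print("ANOMALY", hit)
```

The encoding detail is the usual pitfall when porting such rules: the version-resource strings in Windows binaries are UTF-16LE, so an ASCII search for "Internet Explorer" never matches a genuine file and would flag every copy as an anomaly.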

Howto detect Ebury SSH Backdoor

The following Yara signature can be used to detect the Ebury SSH backdoor.

rule Ebury_SSHD_Malware_Linux {
    meta:
        description = "Ebury Malware"
        author = "Florian Roth"
        hash = "4a332ea231df95ba813a5914660979a2"
    strings:
        $s0 = "keyctl_set_reqkey_keyring" fullword
        $s1 = "recursive_session_key_scan" fullword
        $s2 = "keyctl_session_to_parent" fullword
        $s3 = "keyctl_assume_authority" fullword
        $s4 = "keyctl_get_security_alloc" fullword
        $s5 = "keyctl_instantiate_iov" fullword
        $s6 = "keyutils_version_string" fullword
        $s7 = "keyctl_join_session_keyring" fullword
        $a1 = "%[^;];%d;%d;%x;"
    condition:
        all of them
}

If you do not want to use Yara, you can fall back on this workaround.

find /lib -type f -size -50k -exec strings -f {} \; | grep '%\[^;\];%d;%d;%x;'

Further information on detecting Ebury is available from CERT-Bund.
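Added Python example (not from the article or CERT-Bund) that reimplements the find/strings/grep one-liner and the Yara rule's "all of them" condition side by side, so it is visible which files only the quick workaround would report and which carry the full string set. The size filter reproduces find's -size -50k semantics (size rounded up to whole KiB blocks must be below 50), and symlinks are skipped like -type f. Substring tests only; Yara's "fullword" is not reproduced. The sample library files are constructed.

```python
import os
import tempfile

EBURY_STRINGS = [   # $s0 .. $s7 from the rule above
    b"keyctl_set_reqkey_keyring", b"recursive_session_key_scan", b"keyctl_session_to_parent",
    b"keyctl_assume_authority", b"keyctl_get_security_alloc", b"keyctl_instantiate_iov",
    b"keyutils_version_string", b"keyctl_join_session_keyring",
]
EBURY_FORMAT = b"%[^;];%d;%d;%x;"    # $a1, the string the grep workaround looks for

def under_50k(nbytes):
    """find -size -50k: size rounded up to 1 KiB units must be less than 50."""
    return -(-nbytes // 1024) < 50

def classify(data):
    """None: no indicator; 'ebury': all rule strings present; 'format-string-only': grep hit only."""
    if EBURY_FORMAT not in data:
        return None
    if all(s in data for s in EBURY_STRINGS):
        return "ebury"
    return "format-string-only"

def scan_libs(root):
    """Walk like 'find /lib -type f -size -50k': regular files only, symlinks not followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if not under_50k(os.path.getsize(path)):
                continue
            with open(path, "rb") as f:
                verdict = classify(f.read())
            if verdict:
                hits.append((name, verdict))
    return sorted(hits)

def build_demo_tree():
    """Constructed files: every string, only the format string, too large for the filter, clean."""
    root = tempfile.mkdtemp(prefix="ebury_demo_")
    full = b"\x7fELF" + b"\x00".join(EBURY_STRINGS) + b"\x00" + EBURY_FORMAT + b"\x00"
    samples = {
        "libsample.so": full,
        "libpartial.so": b"\x7fELF\x00" + EBURY_FORMAT + b"\x00",
        "libbig.so": full + b"\x00" * (60 * 1024),
        "libclean.so": b"\x7fELF\x00keyctl_read\x00",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for name, verdict in scan_libs(build_demo_tree()):
        print(name, verdict)
```

A "format-string-only" hit deserves a manual look rather than an automatic verdict; the full rule is the stronger signal because a legitimate program may contain a similar scanf pattern.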

Logit – Windows Log Tool for the Event Log and MySQL

The new version 0.3 of Logit, the command-line tool for logging program output to files and the Windows event log, now also supports logging to MySQL databases.
Logit expects an output stream or runs a program itself and logs all of the program's output. It could already write to files and the Windows event log. New is the ability to log into a MySQL database table.
An example:

tasklist | logit -p mysqltest -my

Screenshot: Logit data in a MySQL database
Here is an overview of Logit's features compared to Neolog, the other tool in the collection.

Screenshot: NeoLog Collection overview
The tools, including a detailed description, can be found in our download section.

Plesk 0-day Workaround

A recently disclosed 0-day exploit for Plesk threatens numerous server installations. Presumably all versions before Plesk 11 are affected. The vulnerability is said to have already been used to compromise thousands of installations. Through the exploited Plesk, far-reaching privileges on the system can be obtained.
Since no official patch is available yet, we recommend blocking access to Plesk with a firewall rule.

Disabling Plesk access in an active Plesk firewall – from the command line

Configure the Plesk firewall:

vi /usr/local/psa/var/modules/firewall/firewall-active.sh

Comment out the lines that allow access to Plesk, e.g.:

#/sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT

Then restart the Plesk firewall:

/etc/init.d/psa-firewall restart

Making Plesk inaccessible with an iptables rule

First check which rules are active:

iptables -L -vn --line-numbers

Look for lines with destination port 8443 and 8880.
If hardly any lines are shown, the firewall is not configured and you should use a tool such as “lokkit” to get a basic rule set onto the system in a simple way.
If numerous firewall rules are configured, it is worth finding out which tool created the rules on the system. Sometimes this can be derived from the “Chain” names.
For quick help until the next restart, proceed as follows once you have found ACCEPT lines for the Plesk services:

iptables -D Chain-Name Nummer-der-Regel

e.g.

iptables -D INPUT 5

If you have no firewall defined or cannot find a rule that explicitly blocks Plesk, enter the following:

iptables -I INPUT 1 -p tcp --dport 8443 -j DROP
iptables -I INPUT 2 -p tcp --dport 8880 -j DROP

This inserts the rules at the very top of the INPUT chain so that nobody gets access to Plesk.
You can delete the rules again at any time and, for example, allow only your own IP to access Plesk.
Delete:

iptables -D INPUT 1
iptables -D INPUT 2

Own access only (own IP defined here as “87.12.34.56”):

iptables -I INPUT 1 -p tcp -s 87.12.34.56 --dport 8443 -j ACCEPT
iptables -I INPUT 2 -p tcp -s 87.12.34.56 --dport 8880 -j ACCEPT
iptables -I INPUT 3 -p tcp --dport 8443 -j DROP
iptables -I INPUT 4 -p tcp --dport 8880 -j DROP

Changes to the firewall should always be tested by trying to open the page.

SIDMaster Windows SID to Username Tool

SIDMaster Windows SID to Username Tool

The “SIDMaster” tool makes it possible to resolve a Windows user name into a SID (Windows Security Identifier). The program is a few kilobytes in size and requires no installation. It requires .NET 3.5 or 4.0 installed on the system on which it is run.
Screenshot: SIDMaster man page

The following functions are integrated:

  • SID to user name
  • User name to SID
  • All user info including SIDs
  • List of all user names and SIDs

Beispiele

SID to User

User to SID

Download

You can find the current version of SIDMaster in the download section.

New version 0.5 of our Windows syslog client "NeoLogger"

The new version 0.5 of NeoLogger now also monitors a directory (-dir) and its subdirectories (-sub) for changes to files with the extension “.log” (-ff) and sends all new lines (-tail), prefixed with the file name of the changed file (-fn), to the specified server (-t) via syslog.

neolog.exe -d -t 10.0.0.1 -dir "C:\logfiles" -sub -ff "*.log" -fn -tail

The output looks like this:

Sending to 127.0.0.1 Port 514 : C:\logfiles\test.log : First new line in log file
Sending to 127.0.0.1 Port 514 : C:\logfiles\test.log : Second new line in log file
Sending to 127.0.0.1 Port 514 : C:\logfiles\subdirectory\another.log : Another line in a log file

NeoLogger also monitors the directory (-d) for changes (-watch) and shows WHAT happened to which file (Changed, Created, Deleted, Renamed).

neolog.exe -d -t 10.0.0.1 -dir "C:\fileshare" -watch

The output looks like this:

Sending to 127.0.0.1 Port 514 : NeoLogger: File C:\logfiles\windows.log - Changed
Sending to 127.0.0.1 Port 514 : NeoLogger: File C:\logfiles\super.log - Deleted
Sending to 127.0.0.1 Port 514 : NeoLogger: File C:\logfiles\readme.txt C:\logfiles\readme-new.txt - Renamed

You can find NeoLogger in our download section. A detailed description of all functions can be found here.
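Added Python example (not NeoLogger's code) of the tail/prefix/send behaviour described above for the -dir -sub -ff -fn -tail mode: a per-file read offset is kept so that each poll returns only lines appended since the previous one, an incomplete trailing line is held back until it is finished, and a file that has shrunk is treated as truncated and read from the start again. Each line is then wrapped in an RFC 3164 style syslog datagram with the file name as prefix; the exact message layout NeoLogger uses is not documented on the page, so the format here is an assumption. The sample log directory is constructed.

```python
import os
import socket
import tempfile
import time

class LogTailer:
    """Tracks a read offset per *.log file below root and returns only newly appended lines."""

    def __init__(self, root, suffix=".log"):
        self.root, self.suffix, self.offsets = root, suffix.lower(), {}
        for path in self._files():                       # do not replay what existed at start
            self.offsets[path] = os.path.getsize(path)

    def _files(self):
        for dirpath, _dirs, files in os.walk(self.root):   # -dir together with -sub
            for name in files:
                if name.lower().endswith(self.suffix):      # -ff "*.log"
                    yield os.path.join(dirpath, name)

    def poll(self):
        """Return [(path, line), ...] for complete lines appended since the previous poll."""
        new_lines = []
        for path in self._files():
            start = self.offsets.get(path, 0)            # a file created later is read from the start
            if os.path.getsize(path) < start:            # truncated or rotated in place
                start = 0
            with open(path, "rb") as f:
                f.seek(start)
                chunk = f.read()
            complete, sep, _rest = chunk.rpartition(b"\n")   # hold back a partial last line
            self.offsets[path] = start + len(complete) + len(sep)
            for raw in (complete.split(b"\n") if complete else []):
                new_lines.append((path, raw.decode("utf-8", "replace").rstrip("\r")))
        return new_lines

def syslog_message(path, line, facility=1, severity=6, tag="NeoLogger"):
    """RFC 3164 style text: <PRI>Mmm dd hh:mm:ss host TAG: file : line (format is an assumption)."""
    t = time.localtime()
    stamp = "%s %2d %02d:%02d:%02d" % (time.strftime("%b", t), t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)
    return "<%d>%s %s %s: %s : %s" % (facility * 8 + severity, stamp, socket.gethostname(), tag, path, line)

def send_udp(messages, host="127.0.0.1", port=514):
    """Ship each message as one UDP datagram, like 'neolog -t <host>'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for message in messages:
            sock.sendto(message.encode("utf-8"), (host, port))
    finally:
        sock.close()

def build_demo_dir():
    """Constructed log directory with one pre-existing line that must not be replayed."""
    root = tempfile.mkdtemp(prefix="neolog_demo_")
    with open(os.path.join(root, "test.log"), "w") as f:
        f.write("old line\n")
    return root

if __name__ == "__main__":
    root = build_demo_dir()
    tailer = LogTailer(root)
    with open(os.path.join(root, "test.log"), "a") as f:
        f.write("First new line in log file\nSecond new line in log file\n")
    for path, line in tailer.poll():
        print(syslog_message(path, line))
```

Holding back the partial last line matters in practice: a writer that flushes half a line would otherwise be forwarded as two syslog events, and the shrink check keeps the tailer from reading garbage after a log file is truncated in place.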

Solving the Plesk security problem with microupdates

A security problem in the server management tool Plesk threatens many server systems managed through it. A heise alert published today describes the problem and also links to the workarounds for older systems. According to heise, the vulnerability is already being actively exploited.
Old Plesk versions can be supplied with the fix using the “autoinstaller” for micro-updates.
Specifically, the following procedure is recommended:
1. Find the Plesk home directory and determine the version

dpkg -l | grep plesk

or

find / -name "autoinstaller*"

2. Change into the “sbin” directory
e.g.

cd /opt/psa/admin/sbin/

3. Then run the following command

autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base

This way you can fix your Plesk installation quickly.