
in one of the European Union institutions, the European Economic and Social Committee. So I have been living in Belgium for the last 10 years, and one of the things that I'm doing is a small red team. Before that, I was working for 10 years here in Greece. And I think that you all remember this team, I call it the blue team, that managed to win the Euro Cup 13 years ago, and it was actually these days, the end of June. It is one of the few times that the defenders win, and football is like cyber security: you have attackers and defenders. The strategy of the coach at that time, and the result, was to manage the attackers of the other teams. And actually the modern defenders in cyber security must do the same. [Unintelligible.] This is to make it difficult for the attackers to get into my network.

In order to understand the perspective of my presentation, I would say that I'm always working in networks that have high risk and that are facing all the risks in the whole pyramid of threats. So not only the trivial ransomware attacks, but also attacks coming from determined, let's say, state-sponsored attackers.

Now, this is a presentation about Windows logs, and those of you that are working in this area maybe know that Windows logs can be fragile. So last year, Mimikatz... does anybody not know Mimikatz? This is a tool that is used by hackers to steal credentials from the LSASS process of Windows. It is the most commonly used tool. And last year there was a new version of Mimikatz so that it can stop all the logging. But stopping all the logging is not something that cannot be detected, because usually when you have a log management system and you gather logs from thousands of systems, the first thing that you do is to have an alert when a system suddenly stops sending logs. So, again, in April last year, Casey Smith, a researcher known for his whitelisting bypasses, said: "I have control over Sysmon." So this means that he claimed that he was able to control what I, as a defender, will see in the event log. And when I saw it, I said, okay, this is the end of my Sysmon adventure. But a few days later, Mark Russinovich, does anybody not know Mark Russinovich?
He replied: admin equals game over. And hopefully Sysmon captures the initial event. This is something that we have to remember from this presentation: if you have all of your users, or the majority, as admins, I think that the first thing that you have to do is to think how to solve this problem, so that users are not working with admin credentials, and then see how you can use Sysmon. Two months ago there was another tool, available on GitHub, claiming that again it can steal the rules, and this one is in PowerShell. So this is the PowerShell tool.

I spoke previously about the pyramid of threats. Now, almost two months ago, the pyramid of defensive controls was presented. So for all organizations, on the bottom we have patching, some standard controls and non-technical controls, the awareness of end users and the awareness of management, as the basic things that we have to put in place. One level up, what is actually proposed is application whitelisting in audit mode, then application whitelisting in allow mode, so you have deployed application whitelisting. So what is application whitelisting? You define which of the executables are allowed to run on the system. And there are many different ways that you can do it. In allow mode, you explicitly define what is allowed to be executed, and this can be executables, can be DLLs, can be scripts. If you have application whitelisting, then, most importantly, when you read the malware reports, you will say, OK, this cannot be executed on my network. How many malware reports in the last year just say that the malware dropped something in the user profile and then executed it? So this is something that can be stopped by application whitelisting.

Of course it's very challenging, and it depends on the profile of the organization to implement it. In fact, if you have an IT company, you have developers, they all need admin rights, they have to write code. So I understand the difficulty, but even in this case you can have application whitelisting in audit mode, and then you can look in the logs and find interesting stuff. Now, Sysmon, I think that it's at this level of the pyramid. I agree that the defenders have to go from the bottom to the top, not jump directly to implementing Sysmon. And on the very top, you know, the top attacks operate entirely in memory, so to be a top defender you have to
have the tools to detect things that are happening in memory. One of the recent things that is available on GitHub, presented by Jared Atkinson a month ago at the SANS conference, is a tool, Get-InjectedThread, that can detect many interesting things that malware does in memory, like injected threads. This is a typical technique that malware is using. Now, Sysmon is, let's say, a driver. You install it, and the reason why somebody has to install Sysmon is because it provides capabilities that are not available in the standard Windows logging. I started with Sysmon at the beginning of 2015, so two and a half years ago. And my perspective was always to use the data provided by Sysmon for hunting. It's a different thing to have Sysmon on your lab machine and do incident response, and a different thing to deploy Sysmon on thousands of systems, collect the data, and start your hunting procedure to identify malicious activity. It's free. You can download it from the Sysinternals site on TechNet. I have put "free" in quotes because you don't pay a license, but you need storage. Okay, storage is cheap. You may need tools to analyze the data that it provides. Again, you can use open-source tools; there are some free tools. But at the end, you have to pay people, and the people that have the skills to do this thing are quite expensive.

During the last months, the last six months, there has been an explosion of resources about Sysmon on the net. So this is a blog; there is a blog. It has a nice presentation that was given during the last year by Mark Russinovich and some other guys. So I recommend, if you want to start, go to this blog and you will get proper information to start with Sysmon. The fact that we have this explosion of resources has a good side and a bad side. For people it is much easier to get started, but, on the other hand, the attackers are now aware that more and more people have deployed Sysmon and have started using it. First they have to check whether Sysmon is there and, of course, they already... When you install Sysmon on a system, it's not hidden. You can find this command here, it's available on GitHub, and then you can hide Sysmon from the services. There are other ways that somebody can still identify that Sysmon is installed: the process is there, the Sysmon log is created. So it's an interesting question if you can hide Sysmon from the non-admin users, and this is my latest request to the Sysmon development team. I hope that this will be a feature in the upcoming version. So, regarding the installation, you download the executable. Sysmon takes an XML file as a configuration, and in the XML file you filter the events that are generated, and there are two...
Now, what are the events that Sysmon... So we have process creation with the parent command line, the command line, the hashes of the executable. When Sysmon was created, back in 2014, in Windows the event 4688 didn't have the full parent command line and the command line. So at that time it was only Sysmon that gave us the possibility to make detections based on relationships between parent and child processes, but now this is available also in the standard Windows logging. Another interesting thing is that with the Sysmon log you can have which process is doing the network connection. So in the proxy logs we have the IPs, the username, the user agent, but we will know in the Sysmon logs if the connection is done by a browser or it was done by regsvr32 or by any other executable that maybe is evil. So this is something that you can find in the log. And then you have information about drivers, you have information about DLLs, event 7. For me it works in Windows 7, and I think this is generally known, of course: huge performance issues. So in Windows 10 I'm doing some testing now, and it seems that the situation has been improved. Then you have the event about CreateRemoteThread, when one process creates a remote thread in another process, ProcessAccess, FileCreate, then you have some events to monitor the creation or the update of registry values. My favorite event is 15, and I will talk later about it. And in the latest version we have some events from named pipes.

Now, suppose that you have downloaded Sysmon, you get the configuration, you test, you deploy it on your network. How do you centralize the events if you have 50,000 systems?
Any suggestions? We used Windows technology: Windows Event Forwarding. You create a group policy, and then all the systems send the events to some collectors, and then you get them in your log management system. In 2009, 2016 and 2017 Mark Russinovich gave two presentations about Sysmon, and last year he gave an example of how Microsoft actually detected a Flash zero day based on the fact that Internet Explorer, as a parent, was spawning a CMD. Let me remember, in 2015 the Flash zero days were a big piece. There are many other sources where you can detect a parent-child type of relationship. We have an Excel or a Word that calls CMD or PowerShell, or on the server we have IIS that is forced to call CMD. It's an easy thing that you can detect when you have these logs. And actually, a nice thing, I think there is an orphan here, a child, and they don't know who is the parent. And it was since 2009 that it definitely went further. In process creation, you can actually spoof the parent process. So we must have in mind that this is something that can be done, and if this in the past was considered as an advantage, now it's available, but I'm still thinking. So Cobalt Strike... Cobalt Strike is a commercial offensive tool, usually used in red teams. And in the last version, you have the possibility to do parent process spoofing and session prepping. And by session prepping we mean which are the processes that you spawn after you get in on the network. You use as an attack vector a Word document with an OLE object, then the first connection is done by Word... But then you can see what's happening on the system, and then you can execute commands, but in the process command line it appears as Internet Explorer.

So this here, I suppose, is presenting how to detect Mimikatz by using the Sysmon Event ID 10, which gives access to... This is quite noisy, that's why you have to do a filtering based on some of the fields inside the event. Two weeks ago, Tom from Swiss Post in Switzerland gave another nice presentation about Sysmon and Splunk, and in that he put some additional criteria where you can filter the traffic and detect more versions of Mimikatz, because it's another thing to run Mimikatz from the command line, meaning it can be detected even by antivirus, but if you run the PowerShell version of Mimikatz then most probably you will bypass many of the antiviruses on the market. Another example from this presentation was SMB, how to detect SMB traffic to the workstations. This is the Splunk query that the guy was presenting. My comment for this specific case, I think, detecting lateral movement in the network, is that first, as a defender, you have to block it. There is no way, there is no reason, to my knowledge, that a workstation has to communicate with another workstation. So you can use the Windows host firewall to cut this. And then, okay, if somebody becomes admin and can modify the firewall, this is another scenario. But you make it more difficult. Now, one of the events that is interesting, I would say, is CreateRemoteThread. So
the use case here. I hope that everybody knows KeePass. There is a PowerShell tool available on GitHub that steals from memory the master password of an open KeePass database. Attention: KeePass is not vulnerable, as the guy that did this proof of concept said. The idea is that if you have an open database, there is a way to steal it from memory. So I have done a test with that, and one way to detect it was by monitoring the target image of KeePass.exe. Of course, this is just one tool. Of course, you have a PowerShell tool that injects code in KeePass, but it can be done in many other ways, and if you use KeePass maybe it is good to have the KeePass process under monitoring, for example if you are using it for detecting more advanced attacks. Now this is another case, again with CreateRemoteThread. What we are trying to do here is to make a statistical analysis of the source processes that inject code into another process. So in this particular example we see that we have the target process, Internet Explorer. And this is a dataset of thousands of systems for one day. And you have an [unintelligible] process injecting code in Explorer, you have WMI, and then in just one system a PowerShell module was injected in Explorer. So this is something that you can detect. However, two months ago there was another article that said, okay, you can bypass this detection on another system, and the way that was proposed is to use [unintelligible], and what is proposed in order to detect the attempt to hide is to monitor how these executables are used in the whole network.

Now, Sysmon can detect persistence attempts, so this is the easiest, the most trivial persistence that malware will use: [unintelligible], it's adding a user on the local machine. Another thing that I have here is AppInit DLLs, so these are the DLLs that are loaded every time [unintelligible]. You can detect things that are put in the startup folder, you can detect the use of sdbinst, and I think everybody knows what this database is. Now
with Sysmon you can also identify downloads. So if a file is dropped somewhere in the user profile, you can use Event ID 15 and have an alert for this type of file, and then you can also see the stages of the attacks. Now I'm going to come back to the pyramid, for PowerShell. So, PowerShell pattern matching. It's a typical example: PowerShell with -ExecutionPolicy Bypass, Invoke-Expression, DownloadString; you can easily detect this by simple pattern matching. Then you have the -EncodedCommand. Here you can detect this by command length, because this is a long command, and by having a regular expression for the -enc, because this can have many forms, like -e, -en, -enc, so there are many ways that an attacker can write the -enc. And actually in the paper that was published by Palo Alto, 82% of thousands of samples that they detected used the -enc, but I think this will change. Now we have some more obfuscation that you can detect by counting the special characters in the command. Then we have PowerShell -Version 2. PowerShell version 5 provides good logging with a couple of bits, but someone can call -Version 2 and bypass the logging. In version 5 you can use the Event ID 400 to check the engine version that is started. And then you have the unmanaged PowerShell, the case where powershell.exe is not used, and you can maybe detect it. And on the top of the pyramid, you can see, if you want to be exploring, if you follow this video, it is from BSides San Francisco, where we have some techniques like this and they are providing really advanced obfuscation.

Now the PowerShell logs: there are three locations in Windows. If you want to know what to look for, there are two good sources, one from ADSecurity.org, where Metcalf has done research on how to detect offensive PowerShell, and another one from the Australian ASD on how to secure PowerShell in the enterprise. Now, I'll talk quickly. I'm going to create a categorized domain in order to bypass all the controls that may be on your proxy. Maybe I can use the domain fronting that is available in Empire or Cobalt Strike. I create my HTTPS listener with a DNS record; I basically use it for that. This is a user; the user opens the document; it drops [unintelligible]. The concept is used [unintelligible] DLL, call regsvr32 to run the DLL, bingo. Windows 10, fully patched, application whitelisting in allow mode for [unintelligible]. So, if you don't have endpoint logs, the firewall admin will say that security is good, the proxy admin will say that it's a very secure morning, [unintelligible], and the manager
will be sold. Now let's go to another thing, recon, where we look at the endpoint logs; we need certain information. So when John Lambert, a general manager at Microsoft, tweeted a few months ago that we have to use [unintelligible] for recon, we can use Sysmon Event IDs to baseline the [unintelligible]. It was in April 2016 that [unintelligible] said it can be used for communication. You can detect this in the system with the event [unintelligible], and then you can monitor network connections from other processes. When an attacker gets in, they can run a lot of commands, like net user, whoami, and [unintelligible]. These are commands of the administrator, but you don't expect someone to run all these commands within five minutes, so if you have an analytics platform, you can detect this type of thing. And the Japanese CERT has published a paper on the commands that are usually used by attackers, so this is a list that you can have as a lookup, and see how these executables are used in your network. Some of them will create some false positives; my network is not like yours, so you have to tune, for example, how WMIC is used. Command line logs are not enough; you have to go to the PowerShell logs, because now, for example, this Invoke-HostRecon tool can achieve reconnaissance by hiding from the command line, and actually there was something very recent saying how the PowerShell argument is redirected and how the command line logs [unintelligible]. This is an example, a real example, where powershell.exe gets an argument [unintelligible], and maybe you can detect this by counting the special characters, but you can also look in the PowerShell logs and detect it.

I think we already know that it's going to be a good one. One month ago there was a guy who said that we can bypass the PowerShell logging at the warning level; you still have a lot of PowerShell logs, a little bit more noisy, and the volume can be balanced, I think. And I had finished my presentation, and on Sunday morning this guy again said that he found something about PowerShell logging and maybe he can bypass it. So maybe this is another way; I don't know the details yet, but probably we'll have to use some additional detection method to take care of this way to bypass PowerShell logging. So if you ever feel satisfied about the detection, then somebody else is trying to attack your tool. Something you might have in mind: in PowerShell, the end user [unintelligible] people have access to the PowerShell logs, so you have to secure them. However, in this phase in TechNet, this is another reason I talked about activating [unintelligible], however, and that easily can be detected with this one, Event ID 11 [unintelligible]. And I like also this way to hide PowerShell: you know, from online, so you [unintelligible] PowerShell and then you hide what you want on your website or in a TXT record of DNS and then you run this from [unintelligible]. So there are good tips for everyone from this [unintelligible]. And you should not forget that your goal, if you are a defender, is to detect the adversaries and not [unintelligible]. I will upload an extended version of this presentation to my website. Thanks. I think we have time for questions, but you can also come and ask if you are working in this area, and we can discuss things.

Thanks a lot.
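As an added example, not the speaker's code, here are three of the Sysmon-based detections the talk describes (an Office, Internet Explorer or IIS worker process spawning a shell; a process opening lsass.exe via Event ID 10, filtered on GrantedAccess and an allowlist; and powershell.exe launched with any abbreviation of -EncodedCommand or an over-long command line) written as hunting rules in Python. It assumes the Sysmon events have already been parsed into dicts keyed by Sysmon's own field names; the allowlist and the sample events are constructed.

```python
"""Toy hunting rules over Sysmon-style events, modelled on the detections described in the talk.
Added example, not the speaker's code: the allowlist and the sample events below are constructed."""
from collections import defaultdict
# Event ID 1 parents that should not normally spawn a shell: Office, Internet Explorer, the IIS worker
SHELL_SPAWNING_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "iexplore.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Constructed allowlist of legitimate lsass.exe readers; build yours from an Event ID 10 baseline
LSASS_READER_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
PROCESS_VM_READ = 0x0010  # GrantedAccess bit needed to read another process's memory

def image_name(path):
    """Lower-cased file name of an Image/ParentImage/SourceImage path."""
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_parent_child(ev):
    """Event ID 1: an Office/IE/IIS process spawning cmd.exe or powershell.exe."""
    return (ev["EventID"] == 1 and image_name(ev["ParentImage"]) in SHELL_SPAWNING_PARENTS
            and image_name(ev["Image"]) in SHELLS)

def lsass_access(ev):
    """Event ID 10 is noisy: require TargetImage lsass.exe, a non-allowlisted SourceImage and VM_READ."""
    if ev["EventID"] != 10 or image_name(ev["TargetImage"]) != "lsass.exe":
        return False
    if image_name(ev["SourceImage"]) in LSASS_READER_ALLOWLIST:
        return False
    return bool(int(ev["GrantedAccess"], 16) & PROCESS_VM_READ)

def encoded_powershell(ev, max_len=300):
    """Event ID 1: powershell.exe with any prefix of -EncodedCommand (-e, -ec, -enc, ...; PowerShell
    accepts unambiguous parameter prefixes case-insensitively) or with an over-long command line."""
    if ev["EventID"] != 1 or image_name(ev["Image"]) != "powershell.exe":
        return False
    for tok in ev["CommandLine"].split():
        if len(tok) > 1 and tok[0] in "-/" and "encodedcommand".startswith(tok[1:].lower()):
            return True
    return len(ev["CommandLine"]) > max_len

RULES = {"parent_child": suspicious_parent_child, "lsass_read": lsass_access, "encoded_ps": encoded_powershell}
def hunt(events):
    """Apply every rule to every event; return rule name -> list of (Computer, offending image)."""
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append((ev["Computer"], image_name(ev.get("Image") or ev["SourceImage"])))
    return dict(hits)

# Constructed sample events shaped like Sysmon fields (not real telemetry)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c start"},
    {"EventID": 1, "Computer": "WS02", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoP -W Hidden -EnC SQBFAFgA"},
    {"EventID": 10, "Computer": "WS02", "SourceImage": PS, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS03", "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags the Word-spawned cmd.exe, the encoded PowerShell launch and the PowerShell read of lsass.exe, while the allowlisted Defender read of lsass.exe is ignored.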