Visibility Beyond EDR (Greg Stachura and Alex Ioannidis).pdf

PDF, 36 pages, 1.06 MB


Visibility Beyond EDR

Intros

Greg Stachura, Senior Manager, Security Risk Advisors
- 20+ years in blue team operations
- Specializing in security operations, blue team tools, forensics and incident response
- Certifications: GCFA, CISSP, Azure Administrator Associate, CompTIA CySA+

Alexandra Ioannidis, Senior Consultant, Security Risk Advisors
- 6+ years in blue team operations
- Specializing in EDR engineering, threat hunting and incident response
- Education: graduate of RIT with a degree in Computing Security; CompTIA CySA+

Disclaimer
- We are not recreating EDR
- Tip of the iceberg
- Your mileage may vary based on: EDR capabilities; current security posture (crawl, walk, run); tools available

Why are we here?
- EDRs have varying levels of visibility
- They continue to get better, but there is still room to grow
- Visibility vs. detection engineering
- Native logging missing or obscured

Solutions?
- Add an additional EDR?
- Replace your EDR?
- Add additional logging and collect everything?
- Add additional logging and collect what we need?

What do we need? It is organization dependent:
- Past incidents
- Pen tests
- Industry-specific intel
- Regulations
- Purple teaming
- Threat hunting

How do we get more visibility?
- Native events: Windows logging; turn on more extensive logging
- Sysmon
- On-demand forensics
- Get creative

How to not break the bank?
- Pipeline at the destination: log sources in your environment feed the SIEM or data lake through a pipeline (Cribl, rsyslog, Tenzir) that removes noise, reduces size and routes intelligently
- Pipeline at the source: logging options on the endpoints themselves filter events, route events, and ship partial or on-demand events to the SIEM or data lake
- Combined pipeline: both of the above

On-Demand Forensics
- Pulling detailed logs when a potential incident happens
- Keeps logging volume down
- Logs are still being gathered, just not shipped
- Not all positives to this approach
- Run a script to grab previously generated logs and/or other important data: PS-Remoting, PsExec, EDR command line access!
- Ship logs back to your SIEM!

On-Demand Forensics Example: CrowdStrike to Sentinel
- Kick off Logic App against host
- Falcon API auth
- Falcon API lookup host
- Falcon API RTR session
- Falcon API RTR get files associated with RTR session
- Falcon API RTR request files
- Falcon API RTR download file
- Unencrypt and uncompress files
- Ship to Sentinel (Log Analytics Workspace)
- Execute PowerShell script: Falcon API run script

Example EDR Gaps
- PowerShell Script Block Logging
- Process Tampering
- IMPHASH
- Scheduled Task
- Service Creation
- EDR Deficiencies
- Log Tampering

Case File: PowerShell Script Block Logging

Case Description:
- Some EDRs do not log any PowerShell script content
- MDE will partially log content
- CrowdStrike will not log script content, but will log commands run in the terminal
  - To log terminal commands, you will need to have the "Script-based Execution Visibility" prevention policy setting checked
  - Unable to develop custom IOAs on this data

Evidence Item: Testing Script

    # Generate a random number between 1 and 100
    $randomNumber = Get-Random -Minimum 1 -Maximum 101
    # Generate a random string of 8 characters
    $randomString = -join ((65..90) + (97..122) | Get-Random -Count 8 | % { [char]$_ })
    # Output the random values
    Write-Output "Random number: $randomNumber"
    Write-Output "Random string: $randomString"

Evidence Item: Microsoft Defender for Endpoint
- Discrepancies with logging this information
- Observed instances where all content was logged and other instances where only partial content was shown
- Was unable to see the name of the script or the file path in which the script was located in these events

Evidence Item: Native Windows Logging
- Will grab the contents of the entire script block
- Includes name and file path of the script

Case File: Process Tampering

Case Description:
- Involves manipulating process memory
- Includes techniques such as process hollowing and process herpaderping
- End goals are privilege escalation and defense evasion

Evidence Item: Sysmon
- Sysmon Event ID 25, Process Image Change
- Detects process hollowing and process herpaderping
- Able to use ProcessGuid to correlate these events with process creation events to gather additional context

Evidence Item: Microsoft Defender for Endpoint / CrowdStrike Falcon
- Tested with ProcessHollowing.exe
- MDE and CrowdStrike detected the test binary as malicious, but not the behavior
- MDE does not expose telemetry for this apart from the NtProtectVirtualMemoryApiCall action

Case File: IMPHASH

Case Description:
- Import Hash (ImpHash) is a hashing method for PE executable files
  - Determined based on the file's import table
- Used for malware analysis and correlation
- Can solve the problem of attackers updating files, which changes other hash values (e.g. SHA256)
- Useful for threat intel and hunting for malicious binaries

Evidence Item: Limitations
- Only works on PE files
  - Will not work on PDFs, Microsoft Office files, etc.
- Limited to Windows
- False positives and negatives
- ImpHash manipulation

Evidence Item: Sysmon
- Tested with a keylogger
- Event ID 1 lists MD5, SHA256, and IMPHASH

Evidence Item: Example
- SHA256 of the keylogger did not return any results on VirusTotal, but the IMPHASH does

Case File: Scheduled Tasks

Case Description:
- Persistence mechanism used by attackers
- Can be accomplished via command line or GUI
- Evidence of GUI-created scheduled tasks looks different than command-line creation

Evidence Item: CrowdStrike
- CrowdStrike will log the creation of new scheduled tasks when done via PowerShell commands or via the GUI (#event_simpleName: ScheduledTaskRegistered)
- This telemetry data is not alerted on natively and cannot be accessed via the custom IOAs to create a detection rule

Evidence Item: Native Windows Logging
- Gap can be addressed with Windows Event ID 4698
- Will be able to see all scheduled tasks being created no matter what method they were added with
- Can use this data to create detections

Case File: Service Creation

Case Description:
- Persistence mechanism used by attackers
- Unlike scheduled tasks, there is no native GUI creation tool
- sc.exe (command prompt) or New-Service (PowerShell) can be used to create services

Evidence Item: Microsoft Defender for Endpoint
- Microsoft Defender for Endpoint logs potentially new services with ActionType=ServiceInstalled
- Overly verbose, thus false-positive prone

Evidence Item: CrowdStrike Falcon
- No specific event is created in CrowdStrike to highlight this type of activity
- Requires keying off the command line of a process event to catch this activity

Evidence Item: Native Windows Logging
- Gap can be addressed with Windows Event ID 7045 (System event)
- Will be able to see all new service creation events no matter what method they were added with
- Can use this data to create detections
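The IMPHASH case above says the hash is derived from the PE import table, which is why a re-padded or re-compiled binary keeps its ImpHash while its SHA256 changes. The block below is an added example, not the deck's material: it reproduces the ImpHash construction used by the pefile library (lower-cased DLL name without extension, "dll.function" per import in table order, comma-joined, MD5) over constructed import tables for two hypothetical builds of a keylogger; the WS2_32 ordinal table is deliberately partial.

```python
import hashlib

# Partial ordinal table for WS2_32.dll (Winsock), as pefile resolves it.
WS2_32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                   9: "htons", 11: "inet_addr", 16: "recv", 19: "send",
                   23: "socket", 115: "WSAStartup", 116: "WSACleanup"}

def imphash(imports):
    """Import Hash as pefile computes it: lower-case the DLL name, strip a
    .dll/.ocx/.sys extension, emit "dll.function" per import in import-table
    order, join with commas, MD5. Imports by ordinal use the known name where
    the table has one, otherwise "ord<N>"."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".ocx", ".sys", ".dll"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        if isinstance(func, int):  # import by ordinal: no name in the table
            func = WS2_32_ORDINALS.get(func, f"ord{func}") if lib == "ws2_32" else f"ord{func}"
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()

# Constructed import tables standing in for what a PE parser would read from the
# import directory of two builds of the same (hypothetical) keylogger.
BUILD_A = [("USER32.dll", "GetAsyncKeyState"), ("KERNEL32.dll", "WriteFile"),
           ("USER32.dll", "GetForegroundWindow"), ("WS2_32.dll", 23)]
BUILD_B = [("user32.DLL", "getasynckeystate"), ("kernel32.dll", "WriteFile"),
           ("user32.dll", "GetForegroundWindow"), ("ws2_32.dll", "socket")]

def hunt_key(file_bytes, imports):
    """Return both pivot values an analyst would compare: the full-file SHA256,
    which changes with any byte of the binary, and the ImpHash, which changes
    only when the import table changes."""
    return hashlib.sha256(file_bytes).hexdigest(), imphash(imports)

if __name__ == "__main__":
    sha_a, imp_a = hunt_key(b"MZ...build-a-bytes...", BUILD_A)  # constructed file bytes
    sha_b, imp_b = hunt_key(b"MZ...build-b-bytes...", BUILD_B)
    print("SHA256 differs:", sha_a != sha_b, " ImpHash same:", imp_a == imp_b)
```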

Case File: EDR Deficiencies

Case Description:
- EDR can be bypassed or tampered with to inhibit it from working as expected
- May involve killing security software processes, modifying the tools so that they do not operate properly, etc.
- Can be achieved through stopping services, PowerShell cmdlets, the Registry, or other methods

Case File: EDR Bypass
Evidence Item: Microsoft Defender for Endpoint and Windows Firewall
- Microsoft-Windows-Windows Defender/Operational Event ID 5001 signals the disabling of Defender's Real-Time Protection
- Event ID 5013 signals when Defender setting changes were blocked
- Windows Event code 7036 from the System log identifies if a service has stopped or started
- MITRE detection query: (source=WinEventLog:System EventCode=7036) ServiceName="Windows Defender" OR ServiceName="Windows Firewall" AND ServiceName="stopped*"

Case File: Log Tampering

Case Description:
- Defense evasion technique to avoid detection and obstruct investigations
- Includes modifying, falsifying, or deleting logs
- Logs can be cleared by various means, including PowerShell, wevtutil, and the Event Viewer GUI

Case File: Event Log Clearing/Disabling
Evidence Item: Microsoft Windows
- Clearing logs. Example: wevtutil cl Security, Clear-EventLog, Remove-EventLog. Detected by: Security Event ID 1102 or System Event ID 104. Event ID 4104 can also be used to monitor for this activity in PowerShell script blocks
- Disabling the Event Log service. Example: sc stop EventLog. Detected by: Service Control Manager Event ID 7035

Conclusion
- Most EDRs have differing levels of visibility
- Sysmon and native Windows event logging can help augment gaps observed with EDR
- More robust logging can also provide additional telemetry data that may be useful during investigations and incident response

Questions?

Preso Info (coming soon): https:/
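The case files above keep landing on the same native Windows events: Sysmon 25 correlated to Sysmon 1 by ProcessGuid, Security 4698 and 1102, System 7045, 104, 7035 and 7036, and Defender Operational 5001/5013. The block below is an added example written for this page, not the presenters' code: one detection pass over a batch of constructed sample events, flattened the way a SIEM holds parsed Event Log records, with the 7035/7036 rule narrowed to security services stopping so routine service churn does not alert.

```python
# Constructed sample events (not from the deck), flattened the way a SIEM holds
# parsed Windows Event Log records: channel, event ID and the EventData fields
# each rule keys on (7035/7036 carry service name/state as param1/param2).
SYSMON = "Microsoft-Windows-Sysmon/Operational"
EVENTS = [
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "{guid-1}",
     "Image": "C:\\Temp\\ProcessHollowing.exe", "CommandLine": "ProcessHollowing.exe svchost.exe"},
    {"Channel": SYSMON, "EventID": 25, "ProcessGuid": "{guid-1}", "Type": "Image is replaced"},
    {"Channel": "Security", "EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\Updater"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "svcupd", "ImagePath": "C:\\Users\\Public\\u.exe"},
    {"Channel": "System", "EventID": 7036, "param1": "Windows Defender Firewall", "param2": "stopped"},
    {"Channel": "System", "EventID": 7036, "param1": "Print Spooler", "param2": "running"},
    {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "jdoe"},
    {"Channel": "System", "EventID": 7035, "param1": "Windows Event Log", "param2": "stop"},
]
WATCHED_SERVICES = ("windows defender", "windows firewall", "windows event log")

def detect(events):
    """Run the native-log detections from the case files over one batch and
    return (rule, event, context) triples. Sysmon 25 is enriched with the
    Sysmon 1 record sharing its ProcessGuid; 7035/7036 fire only when a
    watched security service is stopped, so routine service churn stays quiet."""
    creations = {e["ProcessGuid"]: e for e in events
                 if e["Channel"] == SYSMON and e["EventID"] == 1}
    hits = []
    for e in events:
        ch, eid = e["Channel"], e["EventID"]
        if ch == SYSMON and eid == 25:
            origin = creations.get(e["ProcessGuid"], {})
            hits.append(("process_tampering", e, origin.get("CommandLine", "<no Sysmon 1 seen>")))
        elif ch == "Security" and eid == 4698:
            hits.append(("scheduled_task_created", e, e["TaskName"]))
        elif ch == "System" and eid == 7045:
            hits.append(("service_installed", e, e["ImagePath"]))
        elif (ch, eid) in (("Security", 1102), ("System", 104)):
            hits.append(("event_log_cleared", e, ch))
        elif ch == "System" and eid in (7035, 7036):
            svc, state = e.get("param1", "").lower(), e.get("param2", "").lower()
            if state.startswith("stop") and any(w in svc for w in WATCHED_SERVICES):
                hits.append(("security_service_stopped", e, e["param1"]))
        elif ch.endswith("Windows Defender/Operational") and eid in (5001, 5013):
            hits.append(("defender_tampering", e, eid))
    return hits

if __name__ == "__main__":
    for rule, event, context in detect(EVENTS):
        print(f"{rule:26} EventID={event['EventID']:<5} {context}")
```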
