Saturday, January 16, 2016

Notes on "No Easy Breach" talk at Shmoocon by Mandiant Guys

This was a very informative talk on a seriously epic breach investigation by Matthew Dunwoody (@matthewdunwoody) and Nick Carr (@itsreallynick) of Mandiant. They were part of a 4-person team investigating/remediating a big APT/nation-state breach of an unspecified organization. The below are sort of stream-of-consciousness notes, so sorry if it's a bit of a mess.

The initial breach was via an "EFax" spearphishing message -- sweet!

1039 compromised systems
1000+ unique malware samples
1000+ unique C2 domains/IPs
7000+ attacker files including scripts & tools

Pace: Infected ~10 systems/day

Client insisted on pulling systems offline when infection found, despite responders' urging not to do so.

Due to the volume and pace of machines compromised, the team had to abbreviate the typical deep-dive forensic analysis to just quick triage.
Developed indicators to assist with more efficient analysis.

Focused on:

  • lateral mvmt
  • data theft
  • New back doors, etc.
  • deviations from typical known attacker TTPs


Used client personnel to assist with monitoring and analysis.
Leveraged SCCM to look for known files, directories, etc.

Attacker used anti-forensic techniques

  • secure deletion, moved from system to systems every 3 days or so
  • used strong crypto in C2, used exclusively compromised 3rd party sites and social media
"Rolling Remediation" showed our hand to the attacker and allowed them to know which evasion techniques were working and which weren't.
Client used varying technology across business units -- made analysis difficult.

Attacker used sysInternals "sdelete" tool, but that leaves a EULA Accept key in the registry.

Team emphasized the use of automation to find new examples of known IOCs.

Sparklines used for documenting and visualizing time & volume of activity

Lesson: "Add Visibility & Never Stop Looking"

Network time provides a reliable chronology.

"Once an attacker is found, fight to maintain line-of-sight" 

Persistence: run keys, .LNK files, services, WMI, scheduled tasks, overwriting existing scheduled tasks, over-writing legitimate files 

Unique malware (by hash, file name, file size, and C2) per host!

Bro IDS' ssl.log shows a lot of info on SSL sessions even if you can't decode them. One element is the cypher in use, and the attacker here was using an unusual cypher. Bro also showed the email used for the key and automatically ID'ed self-signed certs.

Prioritize the UNKNOWN

"Methodology IOCs" helped identify systems that had no known malware on them.

PyInstaller or Py2Exe, then packed w/ UPX

Advanced Techniques:
- used WMI to persist backdoors and schedule backdoors to be extracted and executed MONTHS IN THE FUTURE
- used PowerShell for backdoors and ran Invoke-Mimikatz (evaded AV)
- embedded PowerShell code in WMI class properties to execute on remote systems
- attacked Kerberos tickets to make tracking of lateral mvmt difficult

WMI forensics: parsed the objects.data strings on the endpoint (Willi Ballenthin has Python modules for parting this now on his Github)

Team enabled PowerShell 4.0 logging.

Final takeaway:
"You must match or exceed the attackers' intensity"











No comments:

Post a Comment