Advance Hunting with RSA Netwitness

In this post I will quickly go through RSA Netwitness which is other solution specific for Threat Hunting. This solution has a complete different approach to other existent ones in the market. RSA Netwitness leverages the power of metadata, packet capture and logs to ease the Threat Hunting process.

RSA has developed Netwitness investigator in its ‘Community Edition’ that means you can download it, use it and also extend the license to release extra power in the solution.

https://community.rsa.com/community/products/netwitness/investigator

This ‘Community Edition’ is the child of their current Advance Threat Detection solution called RSA Netwitnes Logs and Packets.

https://www.rsa.com/en-us/products/threat-detection-and-response/rsa-netwitness-logs-packets

Besides their solution they also have an exciting catalogue of services from Incident Response to Risk Management and Education. If you are considering solutions, RSA is a serious contender, they do have the solution, the experience, and the education program. Their educational consultants are top notch professionals which will not only train your analyst to do real threat detection and IR with their platform, they will also support your analysts to understand current IR processes and threat actors TTP’s in order to be able to identify them in your network and reduce your organisation’s exposure.

After this brief background presentation let’s have a look at Netwitness Investisgator. This is how the solution looks like in it’s community edition,

To start working with it, it is as simple as creating a project and load the packet capture. It is also important to mention that the solution by itself can capture network traffic from your network.

intro

Zoomed content from the image above.

intro2

NetworkCapture

Threat detection in the network is a complex task and if you do not count with the right visibility and solutions it becomes even harder. Fortunately, Netwiness ease this task leveraging the packet capture’s metadata thanks to their powerful protocol decapsulation engine. Threat detection is difficult when you are  analysing network sessions however Netwitness elevates the analyst putting him into a higher abstraction layer in such a way that you can analyse network traces looking at different data such as,

  • Service Type
  • IP Source and Destination
  • Action Events
  • User Accounts
  • Protocols
  • Client Applications
  • Files and file extensions

and many more data contained in the network traces. Once the analyst has focused his attention in a particular set of metadata it is time to dig deeper into the session data. Normally this is where everybody starts, looking at session data… that may be possible with a small network capture however in today’s enterprise networks the amount of data is very big to start threat detection at that level and that’s where Netwitness demonstrates one of its strengths. This allows the analyst to reduce the detection time considerably as he can focuses on Users, Files, Protocols, etc… ultimately metadata and dig deeper into this data to uncover the attacker’s TTP’s but without that bird view of your data provided by Netwitness, detection becomes a very daunting task.

To get into more details and show the solution I am going to assume the following scenario in which I am going to start a hunting journey exploring my network data and looking at the type of data files traversing my network. This is a very easy start since I can have a bird view of all the files transferred in my network looking at different metadata such as,

Filename

ContentType

Extension.jpg

Ideally, you will be ingesting intelligence to support your threat detection, this is also possible with Netwitness investigator however I have not set this feature for this demonstration.

If I drill down into the ‘.exe’ files we get the following files present in this network capture.

EXEFile

As you may imagine ‘resume.pdf.exe’ is likely a malicious file, to get a better understanding of this file I am drilling down now into the sessions and its data. The current time-stamp is 17:02:09.

Sessions1

We can clearly see that there is a session in which resume.pdf.exe was transferred between the IP 172.30.200.50 and the attacker IP 223.25.233.248

resumepdfexe

This confirmes that the file isn’t indeed a PDF file but an executable file. Other advantage of using Netwiness Investigator is that the solution is capable of carving the packet capture and it calculates the hash of these files. Let’s have a quick view of this option,

dumpfiles.jpg

Surprise, an executable file in disguise as a PDF.

The above activity matches the first stage compromise of the network, the attacker tricking the user to click on a ‘PDF file’ that it is not a .pdf but an executable file as demonstrated above from the network trace. After the user clicked on the file the payload was deployed into the network to compromise the endpoint and achieve further penetration into the network.

Let’s see what else happened in this session and what else we can find after the initial compromised happened,

Current time-stamp is 17:06:00

sessions6

Let’s drill down into this section to understand what is happening,

response

The attacker is running commands in the compromised machine, what is the attacker doing in the machine he has just compromised? he is using base 64 encoding to evade detection, after decoding the strings we get the following results.

  1. whoami
  2. net user/domain
  3. net accounts
  4. net localgroup administrators
  5. net localgroup administrators /domain
  6. net view

He is getting some situational awareness and he is doing internal reconnaissance. Please, read the link below for further clarification.

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

What else happened? there is much more but let’s just focused on the significant steps that the attacker took to demonstrate the power of packet capture and RSA Netwitness.

Malware_Infection

Requested the following Base 64 encoded command,

‘QzpcV2luZG93c1xUZW1wPmNvcHkgZGxsaG9zdC5leGUgWjpcV2luZG93c1xUZW1wXA==’

The decoded string is the following,

C:\Windows\Temp>copy dllhost.exe Z:\Windows\Temp\

So the attacker is copying some sort of ‘malware’ into the temp directory of the victims machine to further extend the footprint in the machine and network.

In this stage the attacker continues to copy additional tools into the victim’s machine.

sshbat

– copy ssh.bat Z:\Windows\Temp\

ninikatz

– copy ninikatz.ps1 Z:\Windows\Temp\

I do not know any tool called ninikatz but I know of one that sounds familiar…

cbat

–  C:\Windows\Temp\c.bat

Interesting script, what would it be the c.bat for? we will see later on.

Current time-stamp is 17:07:35

Other executable file is transferred into the victim,

x64exe-malware

‘QzpcV2luZG93c1xUZW1wXHg2NC5leGU’

Decoding the string we can see the following,

C:\Windows\Temp\x64.exe

Let’s look at the same session in hexadecimal,

hexa_x86

Requesting additional tools, it can be malware or a hacking tool. For the purpose of this demonstratin it is clear the steps that the attacker is taking.

A bit further down in the session we can get a sense of what the file transferred can do.

API

Let’s look into some of the DLL’s imported by the executable.

  • OpenProcess
  • ReadProcessMemory
  • GetProcessHeap
  • NtQueryInformationProcess
  • NtQuerySystemInformation
  • WriteFile
  • CreateFile

Current timestamp is 17:08:51

Creating a service and persistence for SSH through a .VBS script adding the host key to the registry and the attackers IP in 223.25.233.248

rereply.JPG

putty

process

 

Current timestamp is 17:11:41

Mimikatz is executed between attacker and victim to dump credentials.

Mimikatz

 

The final performance is for the c.bat script. In here we can see the attacker performing anti – forensics in the machine he has just compromised. Deleting Windows prefetch, Windows event logs, MuiCache and all the artifacts that would be useful to study his activity in the system. This is another reason if possible to rely on packet capture, if it is gone from the endpoint you may still reconstruct the attackers activity as it went through the wire.

 

anti

So far, we have investigated on a high level the activity that happened in the machine compromised. Let’s make use of the searching capabilities of RSA Netwitness to uncover additional activity around the same period of time between the attacker and the rest of the network.

 

search

It seems now we have also 2 accounts associated to the activity in the IP seen above, this account it’s ‘jpage’ and ‘jpag’.

account

If we drill down into the ‘jpage’ account we can see the follwing data associated to it.

account2

Apparently ‘Jpage’ account has logged into the IP’s above…  drilling down into each of the destination IP’s it is confirmed that the account was used for lateral movement and the first IP reached from 172.30.200.50 after the initial compromised was 172.30.200.15 at 17:11 after that the attacker reached to 172.30.200.19 at 17:21 and at 17:25 landed in 172.30.200.25

lat_mov1

This is consistent with the phases of an initial compromise and lateral movement through network shares for this particular scenario. The attacker performed a similar activity in 172.30.200.15, 172.30.200.19 and 172.30.200.25 as he initially did in 172.30.200.50.

A metadata view of the activity between 172.30.200.50 and 172.30.200.19 shows how the attacker accessed confidential documentation in this machine.

 

files1

file3

Current timestamp is 17:25:05

Let’s have a look at this session a bit closer. RSA Netwitness allows you to see the session as a PCAP opening it in Wireshark.

 

openpcap

Session as a PCAP,

emailaspx

It seems 172.30.200.50 is creating a file in the remote system 172.30.200.25 in the following directory,

inetpub\wwwroot\email.aspx

What would that file be? let’s keep moving forward to see how it is used.

Current time-stamp 17:29:44

There is activity between the attacker in 223.25.233.248 and the system 172.30.200.25 which seems to be a web server. Let’s have a look at the session as a pcap again.

webshellsession

sharkwebshell

Attacker sent a http post to the system in 172.30.200.25

evalzoomed

This seems to be webshell activity with base 64 encoding, let’s decode the string.

webdecoded64

Running trough a beautifier we get the following code,

beautifier.JPG

The response from the server is the following,

serverresponse1

Interesting, so the server has access to the system sitting on 200.15 and 200.157.

Some Advance APT’s compromise the web server of the organisation during the attack. Wether it is as an entry point into the network or as an entrenchment technique within the network is not really important for us now. The technique is very stealthy  to the AV and it sets a re-entry point into the network and further pivot into the rest of the network as demonstrated above. There isn’t any need to deployed a C2 to re-entry into the network so detection gets even more complicated.

Let’s keep drilling down into the sessions above in which we can see other http post request to the server,

post2

In here we can see the response from the server. We can see for the first time the webshell as email.aspx and a very suspicious indicator such as the date of the file 08/01/2013. This seems some sort of anti-forensics time-stomping? we will need to investigate that file more closely if we get access to the hard drive.

As demonstrated in this post, RSA Netwiness is a powerful hunting solution  especially when handling packet capture. The solution elevates teh gunter over the data he has available to detect anomalies. It  does not maintain the analyst tied to the data but support his efforts to understand behaviours and anomalies present in your network.  Once these anomalies are detected it also allows the hunter to drill down to  the lowest level of your ingested data. In case where traffic is encrypted you may be still ingest logs and other data sets from other parts of your network to still maintain detection effective and contextual without relying entirely in packet capture. The solution is not the sexiest but it works well, this short demonstration is not by far an extensive one as there are other capabilities that I have not demonstrated such as its reporting and searching capabilities however if you are interesting you can download it and test it from their website.

 

Ref: https://www.rsa.com/en-us/products/threat-detection-and-response

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s