Bechtel Customer Presentation

1. Copyright © 2014 Splunk Inc.
Security Opera;ons:
Hun$ng Wabbits,
Possum, and APT
Ryan Chapman
Bechtel Corpora;on

2. 2
Disclaimer
During the course of this presenta;on, we may make forward looking statements regarding future
events or the expected performance of the company. We cau;on you that such statements reflect our
current expecta;ons and es;mates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in the this presenta;on are being made as of the ;me and date of its live
presenta;on. If reviewed aRer its live presenta;on, this presenta;on may not contain current or
accurate informa;on. We do not assume any obliga;on to update any forward looking statements we
may make.
In addi;on, any informa;on about our roadmap outlines our general product direc;on and is subject to
change at any ;me without no;ce. It is for informa;onal purposes only and shall not, be incorporated
into any contract or other commitment. Splunk undertakes no obliga;on either to develop the features
or func;onality described or to include any such feature or func;onality in a future release.

3. 3
Agenda
• Intro to Bechtel
• Who’s This Guy?
• Overview of Security @ Bechtel
• Why Splunk?
• Hun$ng Tips and Tricks

4. 4
Bechtel Corpora;on
• Largest Engineering, Construc;on, & PM Company in the U.S.
• 55,400 colleagues | 25,000 projects | 160 countries | 7 con;nents
• Target Rich Environment – Global Threats
• 2012 Goal: Develop World-Class SOC

5. 5
Ryan J. Chapman
• Computer Incident Response Team (CIRT)
– Network Security Monitoring Analyst
• Incident Handler
• CIRT / SOC Liaison
• “Did You Check Splunk?” Guy
ê No, Really. Did You Check Splunk?
@rj_chap

6. 6
It Takes A Village!
• We ALL Par$cipate in Hun$ng
• Bechtel SOC & CIRT
– SOC: Time Allocated
– CIRT: Required During On-Call
• Tribal Training + “Security Blitz” + “Tech Talks”
• Example of a Rockstar:
– Keith Tyler (@keithtyler)
ê FANTASTIC Hunter!

7. Security @ Bechtel

8. 8
Post Remedia;on Structure

9. 9
APT Events
Use Case BEFORE
SPLUNK
AFTER
SPLUNK
Event
Escala$on
to CIRT
• 99% of Events • 2013-2014:
< 3%
• 2015:
< 1%
APT Events
Detected
• 1 APT Event • 2013: 269 APT Events
• 2014: 82 APT Events

10. 10
The Security Stack
External
Intense Monitoring
Full Packet Capture
DNS Protec$on
Network Event Parsing
Firewall
Applica$on Firewall
Email Blocking
Behavior Analysis
APT Detec$on
Forensics
AV
Log Forwarding
Remediate
Detect
Respond
Deter

11. 11
Why Splunk?
• Beuer than GREP?
• Parsing Individual Logs?
– 2.35TB/day License
• Primary Uses:
– Alert Genera;on
– Incident Handling / Response
ê The “5 W’s”
– HUNTING
Because it’s Awesome!

12. 12
Obligatory Splunk Quote
“We wouldn’t be able to do our jobs
without Splunk.”

13. Hun;ng Tac;cs

14. 14
• Ask Ques;ons
– BE INQUISITIVE NOSY
– Read Ar;cles / Twiuer / OSINT
• Develop Queries
– Create Baselines / Tune Queries
• Implement Saved Searches
• Allocate Time for Hun$ng
The Hunter Mentality
Be like water… but also mimic a nosy neighbor

15. Go Home Word,
You’re Drunk

16. 16
Word Up!
Tell Your Brother, Your Sister, and Your Momma Too…
• Word Files = Common Carrier File
• Easy to Weaponize
– VBA / Macro
– CVE-based Exploit (Metasploit)
• Weaponized Files Launch…
– All The Things
Q: Is Word Launching… Stuff?

17. 17
The Sobriety Test
index=wls* EventID=4688
CreatorProcessName="WINWORD" Signed=False
NOT (NewProcessName="C:Windows*" OR
NewProcessName="C:Progra*")
| table _time, host, SubjectUserName,
BaseFileName, CommandLine, NewProcessName,
MD5
NOTE: “Audit Process Crea0on” must be enabled

18. 18
Test Results: INEBRIATED
_$me host Base
FileName
NewProcessName MD5
11/9/15
15:35
[DERP] Purchase
Order rd2015
oct-dec
#40098.exe
C:Users[DERP]
AppDataLocal
TempPurchase
Order rd2015 oct-
dec #40098.exe
EFF6EBFD48A
669FE9C2E62
B0E82561CE

19. 19
What’cha Drinking?

20. 20
What About Malicious Scripts?
THE LAUNCH CODES ARE BAD! DO NOT LAUNCH!
• Common Script Handlers:
– cscript / wscript / powershell ß These Run Scripts
• Carrier File Handlers:
– Word (doc)
– Excel (xls)
– PowerPoint (ppt)
– Adobe Reader (pdf)
– Etc.

21. 21
The Pwnie Express
index=wls EventID=4688
(CommandLine="*cscript*" OR CommandLine="*wscript*" OR
CommandLine="*powershell*")
(CreatorProcessName="WINWORD" OR
CreatorProcessName="POWERPNT" OR
CreatorProcessName="EXCEL" OR
CreatorProcessName="Adobe*")
| table _time, host, SubjectUserName,
CreatorProcessName, BaseFileName, CommandLine
‘Cause They Are Carrier Files!

22. 22
I “C” A Script
_$me host Creator
Process
Name
Base
FileName
CommandLine
01/24/16
22:49:03
[DERP] EXCEL cscript.exe cscript 'C:Users
[DERP]Desktop
Databases_Public
Loto Permit Excel
reg_seing.vbs'

23. Scheduled Tasks
via at.exe

24. 24
Scheduled Tasks
SCHTASKS vs. AT
• schtasks.exe – Common Task Scheduler/Viewer
• at.exe
– Deprecated, but Available Through Windows 7
– Historically Used for Privilege Escala;on (WinXP)
ê Ajackers S$ll Love It (Older Admins Too)
– Creates `%System_Root%/Tasks/at[0-9].job` Files
ê Sweep Enterprise for These & Analyze!
Q: Anyone Running at.exe?

25. 25
The Query
Anyone Running at.exe?
index=wls EventID=4688
BaseFileName="at.exe"
CommandLine="*"
NOT BaseFileName="[known good]"
NOT CommandLine="[known good]"
| table …

26. 26
Nothing Silly Recently
But A Few Years Ago…
_$me host Base
FileName
CommandLine Creator
Process
Name
06/06/11
04:01
[DERP] at.exe at 04:03 /interac$ve
cmd /c cmd.exe
cmd

27. Remote
Powershell

28. 28
PowerShell Shenanigans
Auackers LOVE PowerShell
Why Are Auackers Using PowerShell?
– Powerful, Built-in Tool – (Nearly) Always Available
– Can Execute in Memory (Diskless)
– Easy to Avoid Detec;on
ê A Hacker’s Best Toolkit = Tools on the Box!
PowerShell is a Growing Concern
– See: PowerSploit Framework

29. 29
PowerShell Snooping
Brainstorming
Discussion: Event Code 4688 vs. 4103/4
We Already Look for Encoded PS Commands
– See: “Splunk Live! Santa Clara 2015” Talk
What About Remote PS Access Methods?
– PowerShell Can Run Remote Scripts
Q: Is Anyone Running Remote PS Commands?

30. 30
Remote PowerShell
Just a Few Samples…
Common Remote Methods:
Get-Service winrm
Enable-PSRemoting
New-PSSession
Enter-PSSession
Invoke-Command –computername
General use of: –computer
NOTE: -computer can specify 127.0.0.1)

31. 31
PowerShell: WSMan

32. 32
PowerShell Search
Remote Methods = Auacker’s Forte
index=wls* EventID=4688
BaseFileName=powershell.exe
(CommandLine="*winrm*" OR
CommandLine="*psremoting*" OR
CommandLine="*pssession*" OR
CommandLine="*invoke-command*" OR
CommandLine="*wsman*"
[OR CommandLine="*-computer*"])
| table …

33. 33
PowerShellMafia’s PowerSploit
Dirty Dirty Tricks
Open Source PowerShell Auack Framework
– Becoming More and More Common
We Can Enumerate All PowerSploit PS Modules
– And Look For Them
ê And yell/cry/smile if we find any
Q: Is Anyone Running PowerSploit? (BETTER NOT BE!)

34. 34
“A PowerShell Post-Exploita;on Framework”

35. 35
Enumerated PowerSploit Modules
index=wls* EventID=4688 (BaseFileName=powershell.exe OR BaseFileName=cmd.exe)
(CommandLine="*powersploit*" OR CommandLine="*Invoke-DllInjection*" OR
CommandLine="*Invoke-ReflectivePEInjection*" OR CommandLine="*Invoke-Shellcode*" OR
CommandLine="*Invoke-WmiCommand*" OR CommandLine="*Out-EncodedCommand*" OR
CommandLine="*Out-CompressedDll*" OR CommandLine="*Out-EncryptedScript*" OR
CommandLine="*Remove-Comments*" OR CommandLine="*New-UserPersistenceOption*" OR
CommandLine="*New-ElevatedPersistenceOption*" OR CommandLine="*Add-Persistence*" OR
CommandLine="*Install-SSP*" OR CommandLine="*Get-SecurityPackages*" OR
CommandLine="*Find-AVSignature*" OR CommandLine="*Invoke-TokenManipulation*" OR
CommandLine="*Invoke-CredentialInjection*" OR CommandLine="*Invoke-NinjaCopy*" OR
CommandLine="*Invoke-Mimikatz*" OR CommandLine="*Get-Keystrokes*" OR
CommandLine="*Get-GPPPassword*" OR CommandLine="*Get-TimedScreenshot*" OR
CommandLine="*New-VolumeShadowCopy*" OR CommandLine="*Get-VolumeShadowCopy*" OR
CommandLine="*Mount-VolumeShadowCopy*" OR CommandLine="*Remove-VolumeShadowCopy*" OR
CommandLine="*Get-VaultCredential*" OR CommandLine="*Out-Minidump*" OR
CommandLine="*Set-MasterBootRecord*" OR CommandLine="*Set-CriticalProcess*" OR
CommandLine="*PowerUp*" OR CommandLine="*Invoke-Portscan*" OR CommandLine="*Get-
HttpStatus*" OR CommandLine="*Invoke-ReverseDnsLookup*" OR CommandLine="*PowerView*")
| table …

36. Quick Example:
Rogue svchost.exe

37. 37
svchost.exe w/Bad Parent
smss.exe -> wininit.exe -> services.exe -> svchost.exe
index=wls EventID=4688
BaseFileName="svchost.exe"
NOT CreatorProcessName="services"
| table …

38. Quick Example:
CLI> blah [IPv4] blah

39. 39
IPv4 Addresses in CLI
The Internet is a Scary Place
index=wls* EventID=4688 CommandLine="*"
NOT BaseFileName=cscript.exe OR
BaseFileName=nslookup.exe OR
BaseFileName=cmd.exe OR
BaseFileName=ping.exe OR
BaseFileName=nblookup.exe OR
BaseFileName=route.exe)
| regex CommandLine="sd{1,3}.d{1,3}.
d{1,3}.d{1,3}s"

40. 40
Recap & Takeaways
• Ask Ques$ons
– Read Ar$cles / Twijer Feeds / OSINT Reports / etc.
– “Does This Happen Here?”
• Develop Queries
• Establish Baselines
– Tune Over Time
• Create Saved Searches
• Allocate Time For Hun$ng!
Keep Hun;n’!

41. 41
Resources
• Windows Logging Service (WLS) Home Page
– By Jason McCord (@digira;82)
– hups://digira;82.com/wls-informa;on/
• “Know your Windows Processes or Die Trying”
– Ar;cle by Patrick Olsen, 2014/01/18
– hup://sysforensics.org/2014/01/know-your-windows-processes/
• Bechtel Splunk Live! Santa Clara 2015 Preso
– hup://www.slideshare.net/Splunk/bechtel-customer-presenta;on
Keep Hun;n’!

42. Thank You
Security Opera;ons:
Hun$ng Wabbits, Possum,
and APT
Ryan Chapman – @rj_chap
Bechtel QUESTIONS?