Michal will take you on a journey all the way to 90’s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team's member approach writing rootkits? What is better - a fail negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.

1. A rootkits writer’s guide to defense
03.06.2019
Michal Purzynski
Threat Management

2. “Hey, so I got his email”
2

3. Looks phishy
Hey, so I got his email
3
“Hello, Mozillians”
<intro>
We’re asking employees to provide feedback...
<click here> <- landing page

4. 4
auth-mozilla.tld
auth.mozilla.tld

5. Looks phishy
Hey, so I got his email
5
Hi RedTeam, is that you? -> No
“oops”

6. Mozilla Confidential
Timing is everything
6
T+0000 - Emails land in GSuite
T+0234 - First report received
T+0241 - First DNS lookup for the landing domain (no bueno, training worked!!)
T+0253 - First victim

7. Mozilla Confidential
Response -> contain the attack
7
Stop the bleeding!!
If you break the glass & cut your hand
Stop the bleeding -> clean the wound
Gmail logs -> move away from user’s inboxes

8. Mozilla Confidential
Response
8
Data sourceDetection
Who received? ->
Who clicked? ->
Identify victims
and attacker’s IPs ->
Other emails?
Gmail logs -> move away from user’s inboxes
Zeek DNS logs -> Zeek DHCP logs / VPN logs-> Radius logs
Auth logs
Block + monitor sender + attacker’s IPs
lock accounts + kill sessions

9. Mozilla Confidential
Timing is everything
9
T+0309 - Attack contained
T+0327 - Threat Actor eradicated
T+late night - Pizza arrived

10. Mozilla Confidential
A dedicated infrastructure
10
21 domain names
Several hosting platforms
Multiple sources of credentials verification
Manually executed attack
Threat actors realized we’ve got them <- tried to “secure” access

11. Mozilla Confidential
This story ends here
11
Have access that you need
Be able to pull people into IR quickly
Deploy alerts quickly
Research after threat actor’s infrastructure
Are you prepared?

12. 12
There is one more story

13. Once upon a time
13

14. Kept scanning
internal networks
(simple-scan.bro)
Once upon a time there was a host...
14
Talked to known bad
domains (intel.log, MISP)
With broken TLS
Uploaded over 1GB
To Dropbox

15. Mostly failed and rejected connections
15

16. Gloves off - a query for not SSL/HTTP/DNS
16
Context matters

17. Do NOT destroy the
evidence
Rule number one of investigations
17
Hey, we have malware on X
laptop
No problem! Reinstalled!!
:(

18. 18
“Every intrusion introduces anomaly
into your environment”
@jackr

19. Our previous escalation framework
19

20. A cultural piece
AWPY??
20
are we fast yet . com

21. Many more
21

22. Are We Yet?
22
are we fun yet
are we pretty yet
are we slim yet

23. Are We Yet?
23
are we fun yet
are we chrome yet (?)
are we pretty yet
are we dead yet (??)
are we slim yet

24. Are We Pwned Yet? ;)
AWPY
24
1. Are We Pwned Yet? ;)
2. An alert analysis & response duty

25. Too many alerts
Challenges
25
Context-only alerts I cannot believe
X is not owned
A skilled threat actor looks like a skilled sysadmin :)
A skilled sysadmin looks like a skilled threat actor (:

26. Once upon a time
26

27. 27

28. Context-only alerts
28
New cron job / timer / service created

29. Mozilla Confidential 29
Fybis - Linux Sofacy backdoor
CVE-2016-0728
/bin/rsyncd or /bin/ksysdefd
~/.config/dbus-notifier/dbus-inotifier
/usr/lib/systemd/system/rsyncd.service
~/.config/autostart/dbus-inotifier.desktop
/usr/lib/cva-ssys
mozilla-plugins.com:80 / mozillaplagins:80
azureON-line.com:80 / 198.105.125.74

30. Mozilla Confidential 30
Fybis - Linux Sofacy backdoorDetection?
Unique file and process? ->
New systemd service ->
Writes to a TCB ->
Unique destinations ->
CVE-2016-0728
/bin/rsyncd or /bin/ksysdefd
~/.config/dbus-notifier/dbus-inotifier
/usr/lib/systemd/system/rsyncd.service
~/.config/autostart/dbus-inotifier.desktop
/usr/lib/cva-ssys
mozilla-plugins.com:80 / mozillaplagins:80
azureON-line.com:80 / 198.105.125.74

31. They are lame!!
AKA Sofacy
So are most analysis
Hi Kaspersky,
Palo Alto
TrendMicro
Speaking of the not-so-Fancy Bear
31
That Linux “Fysbis”
backdoor
Go read the phrack, will ya?
Stealthy as Rudy 102
I’ve seen better bitcoin miners

32. CnC: mozilla-plugins.com <- seriously, not cool
mozillaplagins.com
32

33. Where do I get those tactics from?
APT reports!!
33

34. 34
Party like it’s 90’s APT reports are like a journey in time
Wait, I’ve seen that before
But where...

35. Digging into Phrack!!

36. A Linux rootkit
from Turla
Phrack for life
36
Raw network traffic
Trivial to detect
LOKI2
Kaspersky’s analysis -> facepalm
At least it backdoors something!! <- crond, ntpd

37. Reused by a Chinese state-actor
Azazel
37
Hooks accept()
If src port == magic
Spawn shell
LD_PRELOAD
Is pretty lame

38. Michal vs Azazel
38

39. Umbreon
39
Raw network traffic
Non-promisc (needs CAP_NET_RAW)
LD_PRELOAD
Not that smart ;)
hooks dlsym()
Sniffs packets
SEQ = 0xc4
ACK=0xc500
IPID = 0x0fb1
<- Connect back
Hooks syscalls
PAM

40. Michal vs Umbreon
40
<- oops I’m not that smart anymore :(

41. What’s the magic code?
41
dlopen(“lib file”)
dlsym(“lib file”) == dlsym(RTLD_NEXT) <- clean system
dlsym(“lib file”) != dlsym(RTLD_NEXT) <- preloaded system
https://github.com/mozilla/are-syscalls-hooked-yet
http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
http://haxelion.eu/article/LD_NOT_PRELOADED_FOR_REAL/

42. Rootkits have bugs
42
echo -n > /etc/ld.so.preload <- no such file or directory (??)
strace() as root <- error
glibc() move faster than rootkits

43. Rootkit vs Rootkit
43
Umbreon - hooks dlsym()
Returns clean addresses
No detection?!?!
<- Pointer to original function

44. Rootkit vs Rootkit
44
Umbreon - hooks dlsym()
Returns clean addresses
No detection?!?!
<- Pointer to original function

45. Michal vs Umbreon
45

46. 46
Developer looking at
production logs after a
regression with downtime.
Oil canvas, circa 1580
Overheard: looks like Michał
Lessons learned

47. 47
The list goes on
Winti
HiddenWasp
Azazel <- to make it invisible
Custom code <- to do the job

48. 48
Most APT
More Persistent than Advanced
Look for commonalities
Identify patterns you can search for
<- Your $$$vendor will not tell you that

49. 49
<- Your $$$vendor will not tell you that
Threat Actors use publicly
available tools all the time!!

50. 50
<- Your $$$vendor will not tell you that
Old TTPs are lit (again)
You know why?
Because no one has detection for them!!

51. 51
<- Kaspersky
Ever heard about CAP_NET_RAW??
Analysis are lame
pcap_open_live()
“OMG non-root capture!!”

52. 52
<- Seriously?
Analysis are lame
OMG a super-stealthy rootkit for
Linux
It escapes AV detection

53. 53

54. A new, systematic approach
54
I strongly believe people should write algorithms,
not execute them
Audit your visibility
Hunt for chains
Automate alerting on IOCs <- hi Eisenhower
Enrich your alerts

55. 55

56. 56
Not that perfect
ATT&CK
Windows focused
Linux attacks stuck in 1990’s
Not detailed enough
CAR AKA the art unrealistic detection

57. Step 1
57
Can you see X
happening?
Many tools, i.e.
github.com -> atomic-red-team
Unit test your alerts
Deadman your data sources

58. 58
Map data
sources to TTPs When CONFidence publishes these slides
Navigator JSONs will be attached

59. Network Security Monitoring
59

60. Audit-JSON
60

61. Syslog
61

62. Auth
62

63. Map YOUR alerts to TTPs <- Top Secret
63

64. 64
ONLY when 1 is OK
Execute threat
actor’s tools See what logs they generate
Goto 0.75

65. People have pets
65
Michal has a rootkit collection

66. 66

67. Michal: hold my wine
67

68. 68
Takes 10 minutes to find
on Tor and GitHub
iec56w4ibovnb4wc.onion

69. 69

70. Be disappointed
70
Write your own

71. Installation
• /tmp, /dev/shm, /run
• /bin, /usr/sbin
• /home
• /var
• Backdoor an ELF
What does a Linux rootkit do?
71
Persistence
• Cron
• .bashrc (some APTs)
• ~/.config/systemd/user
• Systemd timers / services
• Boring services (/etc/init.d)
• Rc.local, etc.

72. APTs, entertain me
72
If you were cool, you would
• Inject a code into a daemon’s memory <ptrace()>
• Load a kernel module
• Backdoor the kernel on disk
• Run a kernel exploit, backdoor the kernel in memory
• Backdoor your kernel with a direct write access through MSR <- hi Spender
• - in 2019 you cannot write to /dev/mem and /dev/kmem
• IO ports - ioperm()/iopl() <- hi HP
• Through ACPI methods (hardcore) <- Michal calls you cool ;)

73. 73
What if malware is really advanced
- It reinstalls itself on a shredded motherboard
- It attacks us from the cloud
- It hides under sysadmin’s skin
Detect steps that lead to the installation!!

74. • /bin, /usr/sbin
Detection - installation
74
• Write to the TCB <- Auditd, TH

75. • /tmp, /dev/shm, /run
• /bin, /usr/sbin
Detection - execution
75
• Execution from unusual place <- Auditd, TH
• Unusual binary executed <- Auditd, TH
• Unusual process running <- OSQuery, TH
How many of your servers run /sbin/kthread

76. • Cron - new or modify
• .bashrc
• ~/.config/systemd/user - new or modify
• Systemd timers / services - new or modify
• Boring services (/etc/init.d) - new or modify
• Rc.local - modify
Detection - persistence
76
• New cron jobs <- syslog - TH
• New systemd services <- syslog - TH
• TCB integrity <- TH
• Unusual process running <- OSQuery - TH
• Checksum crons/service desc/rc* <- automate

77. • Inject a code into a daemon’s memory
• Load a kernel module
• Backdoor the kernel on disk
• Run a kernel exploit, backdoor the kernel in
memory
• IO ports - ioperm()/iopl()
• Through ACPI methods
Detection - advanced persistence
77
• strace() <- Audit
• insmod/modprobe <- Auditd + kernel msg
• Write to a TCB <- Audit
• Execve() - unusual binary/dir/gcc <- Audit
• ??

78. 78
Rootkit - how do you hide?
Syscall hooking
(LD_PRELOAD)
Kernel hooking
<- are-syscalls-hooked-yet
<- Memory forensics
The Big Hammer
https://github.com/volatilityfoundation/volatility
https://github.com/google/rekall
https://github.com/504ensicsLabs/LiME

79. 79
Listen or poll
promisc
RAW socket - no promisc
listen + socket <- audit - unusual
syslog + auditd <- alert
audit <- whitelist, alert
Rootkit - how do you communicate?

80. Go grab these
80
https://github.com/gdestuynder/audisp-json

81. 81
Look for patterns <- reduce your set
Geolocation anomaly detection
Monitor local users and groups for changes
Monitor AD/LDAP admin users and groups
Do not destroy the evidence
Everything else
Go slowly!!

82. 82
QA in English and Polish
Slides will be online
With links

83. Thank You
Mozilla Confidential