ATT&CKing Koadic with EQL

Daniel Stepanic

11/2/2019


Bio

Security Engineer at Elastic

  • Develop detection capabilities based on latest adversary techniques
  • Previous experience as SOC Analyst and Threat Hunter

@DanielStepanic


Agenda

  • Recent trends
  • Benefits of open-source tooling for attackers/defenders
  • Koadic overview
  • Introduction to Event Query Language (EQL)
  • Detecting Koadic using EQL


01 Recent Trends


Recent Trends

  • Open-source/commercial frameworks continue to be adopted for financially motivated crime and state-sponsored activity
  • “Most of the re-emergent Chinese espionage groups have become increasingly reliant on publicly available malware, especially BEACON and EMPIRE” (M-Trends 2019, FireEye)


Benefits for Attackers

  • Low resourcing/development costs
  • First-mover advantage
  • Plausible deniability
  • Fewer unique toolmarks


Benefits for Defenders

  • Source code available for full review
  • Low barrier for defenders to reproduce behaviors
  • Knowledge transfer of behavioral techniques
  • Opportunity for future detections with similar modules


02 Koadic Introduction


Koadic

  • Released at Defcon 25 (Summer 2017) by RiskSense team
  • Leverages Windows Script Host (VBScript + JScript)
  • Uses COM

Post-exploitation framework similar to Empire


Koadic

Stagers (6)
  • Mshta
  • Regsvr32
  • Rundll32_js
  • Disk
  • Wmic
  • Bitsadmin

Implants (44), by category
  • Credential Dumping
  • Collection
  • Discovery/Recon
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Threat Groups (4)
  • MuddyWater
  • APT10/Stone Panda
  • APT28/Sofacy
  • FakeUpdates Campaign


Koadic

  • Actor adoption timeline


03 EQL


EQL: Event Query Language

  • Schema-independent and OS-agnostic

  • Real-time detection with stream processing

  • Supports multi-event behaviors, stacking and sifting through data

  • Function syntax instead of keyword explosion (e.g. length(field))

Simple and concise language for threat researchers


Simple Queries

  • Boolean and comparison logic

and or not < <= == != >= >

  • Wildcard matching with * character
  • String comparisons are case-insensitive

process where process_name == "svchost.exe" and
  (command_line != "* -k *" or parent_process_name != "services.exe")


Sequences

  • Multi-event behaviors with enforced order
  • Match properties between events with by syntax
  • Time limits with maxspan (e.g. 1 hr)
  • Sequences are stateful and can be expired with an until condition

sequence with maxspan=1m
  [file where file_path == "*\\AppData\\*"] by file_path
  [process where user_name == "SYSTEM"] by process_path


Joins

  • Match events specified
  • Similar to sequence, but finds the oldest non-overlapping pair
  • Supports by and until syntax for additional matching or state
  • No time bounding
  • Unlike SQL, it finds adjacent pairs instead of cross-products

join
  [file where file_path == "*\\System32\\Tasks\\h4x0r.xml"]
  [registry where registry_path == "*\\runonce\\h4xor"]


Pipes and Outliers

  • Pipes can be used to transform or reduce output
  • Combine in various ways to perform stacking or reduce data set

count filter head sort tail unique unique_count

process where true
// Remove duplicate pairs
| unique process_name, command_line
// Count per process_name to get unique # of commands
| count process_name
| filter count < 5


Process Lineage

  • Natively tracks process lineage by monitoring process creation/terminate events and tracking the ppid and pid
  • Supports descendant of, child of, and event of
  • Combine with other Boolean logic

network where process_name == "powershell.exe"
  and not descendant of [process where process_name == "explorer.exe"]


04 Detecting Koadic Using EQL


MITRE ATT&CK™ Framework

  • Knowledge base that organizes behaviors (techniques) by objectives (tactics)
  • Most techniques are used by multiple groups and red teams
  • Hundreds of references to threat reports


MITRE ATT&CK™ Software


Initial Access & Execution

  • Technique: Spearphishing Attachment (T1193)
  • APT28/Sofacy (June 2018)
  • RTF file
    • DDE
    • Koadic


Initial Access & Execution

process where process_name == "mshta.exe"
  and descendant of [process where process_name == "outlook.exe"]


Initial Access & Execution

sequence with maxspan=5m
  [file where file_name == "*.exe" and process_name in ("winword.exe", "excel.exe", "powerpnt.exe")] by file_path
  [process where true] by process_path


Defense Evasion & Execution

  • Technique: Mshta (T1170), Rundll32 (T1085)
  • Detection: Monitor process execution, command-lines, network activity


HTML Application


MSHTA Stager - Execution Chain


sequence by unique_pid
  [process where subtype.create and process_name in ("mshta.exe", "regsvr32.exe", "rundll32.exe", "wmic.exe")]
  [network where process_name in ("mshta.exe", "regsvr32.exe", "rundll32.exe", "wmic.exe")]


Defense Evasion & Execution

  • Cached stager in Temporary Internet Files directory

file where process_name in ("mshta.exe", "regsvr32.exe", "rundll32.exe", "wmic.exe")
  and subtype.create and file_path == "*Content.IE5*"


Koadic Command and Control (C2)


Discovery

  • Technique: Account Discovery (T1087), Remote System Discovery (T1096), System Account Discovery (T1033)
  • Detection: Look for any users that run multiple different types of discovery commands

macro KOADIC_DISCOVERY(name)
  name in (
    "arp.exe", "findstr.exe", "hostname.exe", "ipconfig.exe",
    "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe",
    "nltest.exe", "ping.exe", "systeminfo.exe", "tasklist.exe",
    "tracert.exe", "whoami.exe"
  )



sequence by user_name with maxspan=10m
  [process where subtype.create and KOADIC_DISCOVERY(process_name)]
  [process where subtype.create and KOADIC_DISCOVERY(process_name)]
  [process where subtype.create and KOADIC_DISCOVERY(process_name)]
| unique user_name
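As an added example (not code from the deck or from the EQL project), this is a simplified Python re-implementation of what the query above does: a stateful `sequence by user_name with maxspan=10m` over three `KOADIC_DISCOVERY` steps followed by `| unique user_name`, run over constructed process events. The event field names and the one-event-advances-one-chain rule are this example's own assumptions, not the EQL engine's exact semantics.

```python
from datetime import datetime, timedelta
# Same binary list as the slide's KOADIC_DISCOVERY(name) macro.
KOADIC_DISCOVERY = {
    "arp.exe", "findstr.exe", "hostname.exe", "ipconfig.exe",
    "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe",
    "nltest.exe", "ping.exe", "systeminfo.exe", "tasklist.exe",
    "tracert.exe", "whoami.exe",
}
def is_discovery(ev):
    # [process where subtype.create and KOADIC_DISCOVERY(process_name)]; EQL strings compare case-insensitively
    return ev["subtype"] == "create" and ev["process_name"].lower() in KOADIC_DISCOVERY

def sequence_by(events, key, steps, maxspan):
    """Simplified `sequence by <key> with maxspan` matcher: `steps` are predicates
    met in order by time-sorted events sharing `key`; a partial chain is dropped
    once an event arrives more than `maxspan` after the chain's first event."""
    pending, matches = {}, []   # key value -> partial chains still open
    for ev in events:
        k = ev[key]
        chains = [c for c in pending.get(k, [])   # expire stale chains
                  if ev["@timestamp"] - c[0]["@timestamp"] <= maxspan]
        advanced = False
        for chain in chains:    # oldest chain first; one event advances one chain
            if not advanced and steps[len(chain)](ev):
                chain.append(ev)
                advanced = True
        if not advanced and steps[0](ev):
            chains.append([ev])  # this event opens a new partial chain
        matches.extend(c for c in chains if len(c) == len(steps))
        pending[k] = [c for c in chains if len(c) < len(steps)]
    return matches

def detect_discovery(events):
    """Three discovery commands by one user within 10 min, then `| unique user_name`."""
    seen, unique = set(), []
    for chain in sequence_by(events, "user_name", [is_discovery] * 3,
                             timedelta(minutes=10)):
        if chain[0]["user_name"] not in seen:
            seen.add(chain[0]["user_name"])
            unique.append(chain)
    return unique

T0 = datetime(2019, 11, 2, 9, 0, 0)   # constructed sample timeline
def _ev(secs, user, name):
    return {"@timestamp": T0 + timedelta(seconds=secs), "user_name": user,
            "process_name": name, "subtype": "create"}

SAMPLE_EVENTS = [   # constructed telemetry, not from the deck
    _ev(0,    "CORP\\alice", "whoami.exe"),
    _ev(30,   "CORP\\alice", "hostname.exe"),
    _ev(45,   "CORP\\bob",   "net.exe"),
    _ev(90,   "CORP\\alice", "net.exe"),      # alice: 3 in 90 s -> match
    _ev(700,  "CORP\\bob",   "ipconfig.exe"), # >10 m after bob's first: chain expired
    _ev(1500, "CORP\\bob",   "arp.exe"),      # expired again: bob never matches
]
```

Widening `maxspan` to an hour makes bob's three commands match as well, which is the tuning knob the slide's `maxspan=10m` controls.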


  • Tie to grandchildren of processes (rundll32.exe)

sequence by user_name with maxspan=10m
  [process where child of [process where parent_process_name == "rundll32.exe"] and KOADIC_DISCOVERY(process_name)]
  [process where child of [process where parent_process_name == "rundll32.exe"] and KOADIC_DISCOVERY(process_name)]
  [process where child of [process where parent_process_name == "rundll32.exe"] and KOADIC_DISCOVERY(process_name)]
| unique user_name


  • Tie to descendant of parent process (wmiprvse.exe)

sequence by user_name with maxspan=10m
  [process where child of [process where parent_process_name == "rundll32.exe"] and KOADIC_DISCOVERY(process_name)
    and descendant of [process where parent_process_name == "wmiprvse.exe"]]
  [process where child of [process where parent_process_name == "rundll32.exe"] and KOADIC_DISCOVERY(process_name)
    and descendant of [process where parent_process_name == "wmiprvse.exe"]]
| unique user_name


Command and Control (C2)

  • Technique: Rundll32 (T1085), Mshta (T1170)
  • Detection: Look for network activity from abusable binaries; continuously tune to your environment

join by source_ip
  [network where process_name == "rundll32.exe"]
  [network where process_name == "mshta.exe"]
  [file where process_name == "rundll32.exe" and file_path == "*Content.IE5*"]
  [process where process_name == "rundll32.exe" and parent_process_name == "wmiprvse.exe"]
  [process where process_name == "cmd.exe" and parent_process_name == "rundll32.exe"]


UAC Bypass

  • Overview
    • Launched with Windows Vista
    • Limit unauthorized activity without consent
    • Most programs run with Medium integrity
  • Objective
    • Move from Medium to High
  • Requirements
    • Must be member of Administrators group
    • UAC settings are not set to High

Attackers can’t choose where they land


UAC Bypass

  • 6 UAC Bypasses in Koadic
    • Compdefaults
    • Compmgmtlauncher
    • Eventvwr
    • Fodhelper
    • Sdclt
    • Slui
  • Leverage sequencing to strengthen detection
  • Focus efforts on registry modifications, artifacts before/after technique


Privilege Escalation

  • Technique: Bypass User Account Control (T1088)
  • Detection: Monitor registry file modifications based on registry hijacking of CompMgmtLauncher.exe (UAC technique discovered by enigma0x3)

sequence with maxspan=10s
  [registry where length(bytes_written_string) > 0 and key_type in ("sz", "expandSz")
    and key_path == "*\\mscfile\\shell\\open\\command\\" and user_name != "SYSTEM"]


sequence with maxspan=10s
  [registry where length(bytes_written_string) > 0 and key_type in ("sz", "expandSz")
    and key_path == "*\\mscfile\\shell\\open\\command\\" and user_name != "SYSTEM"]
  [process where process_path == "C:\\Windows\\System32\\CompMgmtLauncher.exe"]


sequence with maxspan=10s
  [registry where length(bytes_written_string) > 0 and key_type in ("sz", "expandSz")
    and key_path == "*\\mscfile\\shell\\open\\command\\" and user_name != "SYSTEM"]
  [process where process_path == "C:\\Windows\\System32\\CompMgmtLauncher.exe"]
  [process where process_name in ("mshta.exe", "rundll32.exe") and integrity_level == "high"]


Collection & Exfiltration

  • Redirects STDOUT/STDERR to a temporary .txt file
  • Reads the content of the file into the implant, then deletes the file (after 1s)

cmd.exe" /q /c chcp 437 & time 1> C:\Users\IEUser\AppData\Local\Temp\95fe63d2-e79d-2706-2e89-2084a225343e.txt 2>&1

cmd.exe /q /c chcp 437 & hostname 1> C:\Users\IEUser\AppData\Local\Temp\9909f618-4fb5-eb66-745d-f40143687330.txt 2>&1

cmd.exe" /q /c chcp 437 & whoami /groups 1> C:\Users\IEUser\AppData\Local\Temp\2a0f4991-b684-afe0-63e6-207e58ac4af8.txt 2>&1

File Write Example - 95fe63d2-e79d-2706-2e89-2084a225343e.txt


Collection & Exfiltration

  • Technique: Data from Local System (T1005), Remote System Discovery (T1096), System Owner/User Discovery (T1033)
  • Detection: Look for text file modifications by command shells with redirection

file where file_name == "*.txt" and
  event of [process where process_name == "cmd.exe" and command_line == "*>*"]


Collection & Exfiltration

  • Get more context by adding different event types

sequence with maxspan=5s by unique_pid
  [process where process_name == "cmd.exe" and command_line == "*>*"]
  [file where file_name == "*.txt" and
    event of [process where process_name == "cmd.exe" and command_line == "*>*"]]


Collection & Exfiltration

  • Get tighter detections based on process lineage

sequence with maxspan=5s by unique_pid
  [process where process_name == "cmd.exe" and command_line == "*>*"]
  [file where file_name == "*.txt" and
    event of [process where process_name == "cmd.exe" and command_line == "*>*"]
    and descendant of [process where parent_process_name == "wmiprvse.exe"]]


Execution

  • Technique: Execution through Module Load (T1129)
  • Detection: Monitor image loads from Koadic stager/C2 processes used to add new capabilities


sequence by unique_pid
  [process where process_name in ("mshta.exe", "rundll32.exe")]
  [image_load where image_name in ("jscript9.dll", "msxml6.dll", "npmproxy.dll", "winhttp.dll", "wmiutils.dll")]


Lateral Movement

  • Technique: Windows Management Instrumentation (T1047)
  • Detection: Match the PID of the process on the source host to the Client Process ID on the destination host, looking for process creations



join by pid, arguments.ClientProcessId
  [process where true]                                          // Source Host
  [wmi where arguments.Operation == "*Win32_Process::Create*"]  // Dest Host
| filter events[0].hostname != events[1].hostname


Persistence

  • Technique: WMI Event Subscription (T1084)
  • Detection: Look for the installation and configuration of event filter, event consumer, and binding by the same PID

join by unique_pid
  [wmi where arguments.Operation == "*IWbemServices::PutInstance*EventFilter*"]
  [wmi where arguments.Operation == "*IWbemServices::PutInstance*EventConsumer*"]
  [wmi where arguments.Operation == "*IWbemServices::PutInstance*FilterToConsumerBinding*"]
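As an added example (not code from the deck or from the EQL project), this Python re-implementation of the `join by unique_pid` above shows the join semantics the slides describe: the three PutInstance events may arrive in any order, with no time bound, and the persistence fires only once a single PID has written all three pieces. The event dicts, their `operation` strings and the `unique_pid` values are constructed for the example; the branch order is this example's choice.

```python
import fnmatch

# The slide's three join branches. Tested most-specific first because, in the
# constructed events below, a binding's instance path also names its filter and
# consumer, and one event must fill only one branch.
WMI_SUBSCRIPTION_BRANCHES = [
    "*IWbemServices::PutInstance*FilterToConsumerBinding*",
    "*IWbemServices::PutInstance*EventConsumer*",
    "*IWbemServices::PutInstance*EventFilter*",
]

def join_by(events, key, patterns):
    """Simplified EQL join: one event per pattern, all sharing `key`, in any
    order and with no time bound; each slot keeps the oldest matching event,
    and the group is emitted once every slot is filled."""
    pending, matches = {}, []
    for ev in events:
        slots = pending.setdefault(ev[key], [None] * len(patterns))
        for i, pat in enumerate(patterns):
            # EQL wildcard comparisons are case-insensitive
            if slots[i] is None and fnmatch.fnmatchcase(ev["operation"].lower(), pat.lower()):
                slots[i] = ev
                break
        if all(slots):
            matches.append(list(slots))
            pending[ev[key]] = [None] * len(patterns)
    return matches

def detect_wmi_persistence(events):
    """unique_pid of every process that installed a filter, a consumer and a binding."""
    return [m[0]["unique_pid"] for m in join_by(events, "unique_pid", WMI_SUBSCRIPTION_BRANCHES)]

PUT = "IWbemServices::PutInstance - root\\subscription : "
SAMPLE_WMI_EVENTS = [   # constructed events; the field layout is this example's own
    {"unique_pid": 5150, "operation": PUT + '__EventFilter.Name="inventory"'},
    {"unique_pid": 4242, "operation": PUT + 'CommandLineEventConsumer.Name="sample"'},
    {"unique_pid": 4242, "operation": PUT + '__EventFilter.Name="sample"'},
    {"unique_pid": 5150, "operation": PUT + 'ActiveScriptEventConsumer.Name="inventory"'},  # never bound
    {"unique_pid": 777,  "operation": "IWbemServices::ExecMethod - root\\cimv2 : Win32_Process::Create"},
    {"unique_pid": 4242, "operation": PUT + '__FilterToConsumerBinding.Filter="__EventFilter.Name=\\"sample\\""'},
]
```

PID 5150 writes a filter and a consumer but never binds them, so it is not reported; PID 4242 completes all three and is.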


05 EQL Community


Download EQL

  • Install the Python package (supports Python 2.7 and 3.4+)
  • Built-in CLI (eql query) with stdin/stdout redirection
  • Read the Getting Started blog post for more information

pip install eql


Eqllib

  • Library of analytics mapped to MITRE ATT&CK™
  • Including:
    • 119 analytics
    • Atomic Blue

Eqllib Analytic - Bypass UAC via Fodhelper.exe


Resources

  • Getting started with EQL (blog)
  • Endgame Guide to Threat Hunting (PDF)
  • Follow the guide for creating sophisticated queries
    • eql.readthedocs.io/query-guide
  • Documentation
    • eql.readthedocs.io
  • Clone it!


Questions?
