Over the past couple of months I’ve been preparing a talk entitled ‘Beer, Bacon and Blue Teaming’. It covers building solid defense on a shoestring budget, with an outline along the lines of:

  • OSINT sources.
  • Spam traps.
  • Honeypots.
  • Automated analysis.
  • Dissecting LuminosityLink:
    • IDS.
    • Sysmon.
    • Configuration extraction.
    • Yara rule creation.

In this short blog post I’ll run over a few of the items in brief detail.

security onion

Built for one purpose and one that it does incredibly well, Security Onion is my go-to tool for network intrusion detection and forensics. Not only am I running it as a standalone server in my labs, but also in a distributed model where it complements other detection methods in place at my workplace of 300+ people, and doesn’t cause nearly as much pain as some bulkier, more complex SIEMs do.

In the case of Dreambot, Snort was able to detect and alert on both the C2 connection and subsequent TOR traffic:


sysmon + graylog

Thanks to this awesome project by SwiftOnSecurity and ionstorm, sysmon can serve as a very effective tool in a blue teamer’s toolkit. For those who don’t know, sysmon is a part of the Sysinternals suite and is a driver that is able to perform very detailed security logging – defined by an XML configuration. For example, it can log:

  • File creation, deletion and modification.
  • Process creation, deletion, execution and network communications.
  • Registry key creation, deletion and modification.
  • Remote thread creation.

Armed with such information, building up a picture of how a compromise took place becomes a fairly effortless task. Another project by ionstorm assists in setting up sysmon log shipping and processing in Graylog. An example here, for a portion of an njRAT compromise:

  • Dropped file is executed (note the hash).
  • Process grants itself access through the firewall.
  • Persistence is attempted via a ‘run’ key in the registry.
  • Process makes a call out to the C2 server.

Although it’s still in its infancy, the threat intelligence plugin for graylog looks very promising. It utilises OSINT sources such as AlienVault OTX and abuse.ch blacklists to identify and alert on suspect network connections. For example, a Dreambot C2 connection through TOR where the node was recorded in an OTX Pulse:

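To make the two ideas above concrete – stitching sysmon events into a compromise timeline, and enriching the network connections with an OSINT blocklist the way the Graylog threat intelligence plugin does – here is a small correlation script. It is an added example and not code from the post, ionstorm’s project or the Graylog plugin: the event records are constructed to resemble sysmon’s process-create (Event ID 1), network-connect (Event ID 3) and registry-value-set (Event ID 13) events with the njRAT sequence described above, the hash and addresses are placeholders, and the `THREAT_INTEL_IPS` dictionary stands in for an OTX pulse or abuse.ch list.

```python
"""Correlate sysmon-style events per process tree and flag an njRAT-like chain.

Added example, not from the original post. Every event and indicator below is
constructed for illustration: field names follow sysmon's schema, but the
GUIDs, paths, hash and IP address are placeholders, not real IoCs.
"""
from collections import defaultdict

# Constructed stand-in for an OSINT feed (e.g. an OTX pulse). Placeholder IP.
THREAT_INTEL_IPS = {"203.0.113.45": "constructed pulse: example C2 node"}

# Autorun keys sysmon reports in registry events (matches Run, RunOnce, ...).
RUN_KEY_MARKER = "\\currentversion\\run"
# Directories a dropper typically writes its payload to before executing it.
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

PAYLOAD = "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"  # constructed path

# Constructed sysmon events, in the order the sensor would emit them.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G1}", "ParentProcessGuid": "{G0}", "Image": PAYLOAD,
     "ParentImage": "C:\\Users\\bob\\Downloads\\invoice.exe",
     "Hashes": "SHA256=PLACEHOLDER_CONSTRUCTED_HASH", "CommandLine": '"%s"' % PAYLOAD},
    {"EventID": 1, "ProcessGuid": "{G2}", "ParentProcessGuid": "{G1}",
     "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": 'netsh firewall add allowedprogram "%s" "svchost.exe" ENABLE' % PAYLOAD},
    {"EventID": 13, "ProcessGuid": "{G1}", "Image": PAYLOAD,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows"
                     "\\CurrentVersion\\Run\\svchost", "Details": PAYLOAD},
    {"EventID": 3, "ProcessGuid": "{G1}", "Image": PAYLOAD,
     "DestinationIp": "203.0.113.45", "DestinationPort": 5552},
    # A benign event so the output shows that ordinary activity is not flagged.
    {"EventID": 1, "ProcessGuid": "{G9}", "ParentProcessGuid": "{G8}",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]


def classify(event):
    """Return the behaviour tags a single sysmon event matches."""
    tags = []
    eid = event["EventID"]
    image = event.get("Image", "").lower()
    if eid == 1:
        if any(d in image for d in DROP_DIRS):
            tags.append("exec_from_drop_dir")
        cmd = event.get("CommandLine", "").lower()
        if image.endswith("\\netsh.exe") and "firewall" in cmd and "add" in cmd:
            tags.append("firewall_exception")
    elif eid == 13 and RUN_KEY_MARKER in event.get("TargetObject", "").lower():
        tags.append("run_key_persistence")
    elif eid == 3 and event.get("DestinationIp") in THREAT_INTEL_IPS:
        tags.append("c2_blocklisted_ip")  # the threat-intel enrichment step
    return tags


def correlate(events):
    """Group tagged events under the root process of each tree seen in the log."""
    parent_of = {e["ProcessGuid"]: e.get("ParentProcessGuid") for e in events if e["EventID"] == 1}
    image_of = {e["ProcessGuid"]: e["Image"] for e in events if e["EventID"] == 1}

    def root_of(guid):
        # Walk up only through parents we have a process-create event for.
        while parent_of.get(guid) in image_of:
            guid = parent_of[guid]
        return guid

    report = defaultdict(lambda: {"image": None, "tags": set(), "timeline": []})
    for e in events:
        root = root_of(e["ProcessGuid"])
        entry = report[root]
        entry["image"] = image_of.get(root, e.get("Image"))
        for tag in classify(e):
            entry["tags"].add(tag)
            entry["timeline"].append((e["EventID"], e.get("Image"), tag))
    return dict(report)


def suspicious_roots(events, min_tags=3):
    """Root processes whose tree shows at least min_tags distinct behaviours."""
    return sorted(g for g, r in correlate(events).items() if len(r["tags"]) >= min_tags)


if __name__ == "__main__":
    for guid, entry in correlate(SAMPLE_EVENTS).items():
        print(guid, entry["image"], sorted(entry["tags"]))
        for step in entry["timeline"]:
            print("   ", step)
    print("suspicious:", suspicious_roots(SAMPLE_EVENTS))
```

The threshold in `suspicious_roots` is the point to tune: any one of these behaviours on its own is noisy on a real estate (installers add firewall rules and run keys all the time), but the same process tree executing from a temp directory, opening the firewall, persisting and then talking to a blocklisted address is the picture the four screenshots above paint, and it is rare in legitimate software.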

unpacking luminositylink

The sample I’ll be unpacking – in order to extract the config – was packed and obfuscated using several tools:

  • Confuser 1.9
  • RPX + CryptoObfuscator
  • ConfuserEx

As plain LuminosityLink payloads can be detected by upwards of 75% of standard signature-based antivirus engines, obfuscation is practically a given with any sample in the wild.

The tools used were:

If you’re interested in learning more about the configuration of this particular variety of malware, I’d recommend having a read of this blog post by Unit42.

list of tools

The following list is intended to be a reference for those who have attended the talk and wish to look more into specific (or all) tools that I’ve discussed or illustrated:
