Over the past couple of months I’ve been preparing a talk entitled ‘Beer, Bacon and Blue Teaming’. It covers building solid defense on a shoestring budget, with an outline along the lines of:
- OSINT sources.
- Spam traps.
- Automated analysis.
- Dissecting LuminosityLink:
  - Configuration extraction.
  - Yara rule creation.
In this short blog post I’ll run over a few of the items in brief detail.
Built for one purpose and one that it does incredibly well, Security Onion is my go-to tool for network intrusion detection and forensics. Not only am I running it as a standalone server in my labs, but also in a distributed model where it complements other detection methods in place at my workplace of 300+ people, and doesn’t cause nearly as much pain as some bulkier, more complex SIEMs do.
In the case of Dreambot, Snort was able to detect and alert on both the C2 connection and subsequent TOR traffic:
sysmon + graylog
Thanks to this awesome project by SwiftOnSecurity and ionstorm, sysmon can serve as a very effective tool in a blue teamer’s toolkit. For those who don’t know, sysmon is part of the Sysinternals suite: a driver that performs very detailed security logging, defined by an XML configuration. For example, it can log:
- File creation, deletion and modification.
- Process creation, deletion, execution and network communications.
- Registry key creation, deletion and modification.
- Remote thread creation.
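As an added illustration (not the author’s configuration, and not the SwiftOnSecurity/ionstorm project file), here is a minimal sysmon configuration in the same include/exclude style, covering the event types listed above. The schema version, the excluded conhost.exe path, the scripting-host image names, the destination port and the registry path are assumptions chosen for the example, not values taken from the post.

```xml
<Sysmon schemaversion="4.22">
  <!-- Hash logged for every process image; schema version is an assumption -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: process creation. "exclude" logs everything except the listed noise -->
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Windows\System32\conhost.exe</Image>
    </ProcessCreate>

    <!-- Event ID 5: process termination, limited here to scripting hosts -->
    <ProcessTerminate onmatch="include">
      <Image condition="end with">powershell.exe</Image>
      <Image condition="end with">wscript.exe</Image>
    </ProcessTerminate>

    <!-- Event ID 3: network connections. "include" logs only what matches.
         Port 9001 is used as an example of a port worth watching; adjust to taste -->
    <NetworkConnect onmatch="include">
      <Image condition="end with">powershell.exe</Image>
      <Image condition="end with">wscript.exe</Image>
      <DestinationPort condition="is">9001</DestinationPort>
    </NetworkConnect>

    <!-- Event ID 8: remote thread creation. Empty exclude list = log every occurrence -->
    <CreateRemoteThread onmatch="exclude"></CreateRemoteThread>

    <!-- Event ID 11: file creation under user-writable paths -->
    <FileCreate onmatch="include">
      <TargetFilename condition="begin with">C:\Users</TargetFilename>
    </FileCreate>

    <!-- Event IDs 12-14: registry create/delete/set, here only for Run keys -->
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">CurrentVersion\Run</TargetObject>
    </RegistryEvent>
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon64.exe -accepteula -i sysmon.xml` on first install, or `sysmon64.exe -c sysmon.xml` to update a running driver; the resulting events land in the Microsoft-Windows-Sysmon/Operational channel, which is what the Graylog shipping setup reads.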
Armed with such information, building up a picture of how a compromise took place becomes a fairly effortless task. Another project by ionstorm assists in setting up sysmon log shipping and processing in Graylog. An example here, for a portion of an njRAT compromise:
Although it’s still in its infancy, the threat intelligence plugin for Graylog looks very promising. It utilises OSINT sources such as AlienVault OTX and abuse.ch blacklists to identify and alert on suspect network connections. For example, a Dreambot C2 connection through TOR where the node was recorded in an OTX Pulse:
The sample I’ll be demonstrating the unpacking of – to extract the config – was packed and obfuscated using several tools:
- Confuser 1.9
- RPX + CryptoObfuscator
As plain LuminosityLink payloads can be detected by upwards of 75% of standard signature-based antivirus engines, obfuscation is practically a given with any sample in the wild.
The tools used were:
If you’re interested in learning more about the configuration of this particular variety of malware, I’d recommend having a read of this blog post by Unit42.
list of tools
The following list is intended to be a reference for those who have attended the talk and wish to look more into specific (or all) tools that I’ve discussed or illustrated: