Hello and welcome to Project Obsidian. This station is the cyber threat hunting station. The title of this section is "Sniffing Compromise: Hunting for BloodHound", presented by me, Cereal, or Serial Killer.

A little bit about myself. I've been in the security space for about five years. I also enjoy playing video games, I enjoy music, and I used to love playing live as a DJ. When I'm not doing those things I'm trying to expand my knowledge of all things security, technology and life in general.

In this section we will learn, briefly, about threat hunting, or at least an intro to threat hunting. What is BloodHound? What it does, what it's used for. We'll also be talking about what the ingester is and what it actually does when the ingester is run, plus a brief overview of the UI, not too much. We will also be covering how to hunt for BloodHound, and we'll be using network and host-based activity to detect it.

So, threat hunting. What is it? To me, threat hunting is a practice to proactively look, search and understand what you know and what you don't know within an environment. You can use threat hunting to confirm that Windows event logs are actually going to your SIEM; that would have been a known unknown. An unknown unknown would be if somebody within your organization had turned off the shipping of those logs from Windows to your SIEM, and you could use threat hunting to discover that, or to discover that some of the data is misconfigured, corrupted, any of that kind of stuff.

Now that we have a short understanding of what threat hunting is, let's talk about BloodHound. BloodHound is a tool used by many security professionals, either on the red team or the blue team, but it's also used by adversaries. The reason for this is that BloodHound gives a great view of the data when it comes to Windows Active Directory, so it's used for enumeration.
It gives you access to information like users, groups, workstations and servers that are connected to a Windows AD. It also gives you the ability to query this data with its own query language.

BloodHound is comprised of two components. The first is the UI, or the GUI, the graphical user interface, which is usually installed on the workstation that is ingesting the data. This is what it looks like: there is a search box at the top left, and each thing within an AD is represented as a node. Here we have three user nodes on the left-hand side and a group node on the right-hand side. The lines between them are the relationships between them, so you can query for misconfigurations and relationships between different nodes, different OUs, users, servers, and so on. You can see this picture on the BloodHound Read the Docs website.

The other part is the ingester, or the collector. It's usually a binary, an exe, or a script. There are, like, three methods of ingesting; the ones we are currently looking at are the .exe, which is called SharpHound, and the PowerShell script, which is SharpHound.ps1. What the ingester or collector does is query domain controllers via LDAPS, trying to gather information using Windows APIs: user information, groups, domain-joined workstations and servers. The other thing it does is connect to workstations that are online and talk to them via RPC and via SMB, and what it's trying to collect there is user sessions, logged-on users, more workstation information and local group members.

Now that we have a good understanding of what BloodHound is and its various parts and components, let's talk about how it's used. Usually it's used by adversaries after a compromise has happened, once they get into a network. Let's say they get access to a server or workstation; this is when they would run BloodHound to see if they can find a misconfiguration, an overly
permissive security group, or a user that has access to a lot, any of those things. The other way it's used is by security teams when they do an audit of a Windows AD, or at least that's what some of the organizations I've worked with do. For us, what this means is that if we are hunting for BloodHound we are assuming that the adversary has gotten in, and we want to know if they have ran BloodHound, or if they have it, how can we tell if they will, right, like what kind of detections we can set up there.

Now that we've talked about BloodHound, how it's being used, and a little bit about what threat hunting is, I say let's go hunt. Let's go find this within the data set that we have. I didn't want to use too many slides, so this is going to be a somewhat prerecorded live demo. So let's go hunt.

Okay, we are now inside my virtual machine that has access to our Splunk instance containing the data that we're going to be working with today. On the top left-hand side under Apps we have Search & Reporting; this is where we want to go so that we can conduct searches. The first thing we want to know is what kind of indexes or data we're working with. So we're going to go over here to the date range, choose "between", and select February 18th through the 20th. I'm doing this because this is when we ran our simulation. A simulation is just an activity where somebody within your organization, or a third party, comes in and pretends to be an adversary; it's a good way to test your detections and your threat hunting.

Alright, so let's start. What I'm entering here is a query that I found online to get all the indexes that exist within this time frame. Awesome. So here we see we have html, main, osquery, pcaps, summary, suricata, syslog, sysmon, velociraptor, wineventlogs and zeek. Awesome. Alright, now that we know what kind of data we have available to us,
let's start with a simple query: let's search for "bloodhound". Okay, so we get a singular hit. It happened on Saturday, February 19th, but if we look at this, it is not well parsed, so there's probably a problem here. Okay, so we see that this is an imposter, right?

Well, I always like to take notes on everything that I do, especially for threat hunting; notes are very important. So let's go over here to Visual Studio Code and start a note. I like to use Markdown for everything that I do; you choose your preferred method. So what did we do? We ran a search for "bloodhound", and the result is an unparsed event, but we do get a hostname, right? So let's save that name, rdp01.

Now that we have this: usually when BloodHound has run it's either run in memory or run from disk. In order to run it from disk or from memory, we need to download something. I remember back when we did the other search that we had Sysmon and wineventlogs, and I know from working with Sysmon and Windows event logs that Sysmon has an event ID for file creation. So let's see if we can find that. First, let's figure out what we have inside those indexes.
So here I put `index IN`, so this makes it an array, and it's searching in both. Another way that you could do this is by using OR, so you could do `index=sysmon OR index=wineventlogs`, with a capital OR. This will give us the same results; I just prefer the other way I did it, it's much cleaner to read.

Alright, so looking at these events we see that this is a file created event. It has these fields: a directory, an extension, a name, a path. It seems useful for what we're trying to get, but I don't want to keep looking through every single event like this. So let's see if we can come up with another query that will help us clear things up a bit. We can do `index IN (...)` and then let's do `stats count by winlog.event_id`. This will give us the count, how many times a certain Windows event log ID has happened during this time period. Okay, so we get a bunch of them here. With event ID 1 we got 3,000... oh no, 5,000, it keeps going up, so we'll give this a little bit to finish.

Alright, so we see a lot of different Windows event IDs here, but I specifically said Sysmon, right? So let's see if we can figure out the Sysmon file create event ID. Here we go: Sysmon event ID 11 is for FileCreate. Okay, taking this, let's put it into our search. We can append this to the top of our search: `winlog.event_id=11`. That means we're looking specifically at Windows Sysmon event ID 11. Let's see how many we get. Okay, looks like we get around 8,000 events... 7,000, no, 77... around 7,000 events. Okay, that's quite a bit of events. We can look at the events over here; it's the same, we get file information. Let's see if we can make this into a pretty table that will help us identify a bit more of what's going on here. Okay, let's add the table. So what things do we want to table? I'm pretty curious about this information, so let's do host.name,
let's see where it lives, file.name, file.path. I think that's good for now to start. Okay, we get a bunch of events, a lot of .dat files; looks like some sort of health check. That's cool. We see that there is a file.extension field, so maybe we can use that to our benefit. We're just looking for .exe files and .ps1 files, which are PowerShell scripts. So let's go back up here and add file.extension. Alright, let's do the same thing: `IN (exe, ps1)`. Let's see. Alright, that's much better. We got 4,000 events, a little bit over. We get a bunch of information on exes, a lot of temp files, probably updates, who knows. But this is a much smaller data set that we can work with.

Let's see if we can continue scoping down our search and figure something out. If you remember, we did take notes, so let's see if we can use them to help us with our search. We have this hostname that we know showed a singular log that had "bloodhound" in it, so why not just take this and put it in our search? I mean, this is a place that we suspect. Let's see. Okay, we get some results, 700, 730-ish. But still, looking at all this, nothing really pops out. We can go through all this, or we can look for file name and do something like bloodhound.exe. Oh, but is it bloodhound.exe? I don't think so. Let's go look at the GitHub and see what the collector is actually called. We have these collectors here. Oh, it's SharpHound. Let's copy that over here and see if we get any results. No. The other one is .ps1; let's give that a shot. Doesn't look like it. Maybe it's case sensitive, or insensitive, who knows; let's try it all. Okay, so looking at this it doesn't seem like SharpHound was downloaded or created on the system, but we do get a lot of different events here, right?
So, myself being a detection engineer, something that I would set up here is: hey, I want to know if and when SharpHound.exe or SharpHound.ps1 is being ran within my environment. So we could do something like this, where we have this type of search, maybe not with this hostname, but we would look for `file.name IN (SharpHound.exe, SharpHound.ps1)`, and then if this ever returns a result, hey, notify me. Since this is a pretty good search I'll put it over here in my notes under file creation; this is Markdown, I'm going to do it like this. So this gave us no result: either we did not log this, or SharpHound was ran from memory, right.

Okay, so what do we do now? Well, if we think back to our first query, when we were looking at indexes we did have pcaps and Zeek. We know this query, right? So maybe "sharphound" will work there. So let's just do a broader search. Oh, get this. This is coming from Windows PowerShell logging. Awesome, that's another way we can search for this, right: Windows PowerShell logging. Let's see if some things are being run. And here's another event that doesn't look parsed, but it looks like most of this is, yeah, executing a remote command, from the same hostname. This is coming from the wineventlogs index, right? Yep, wineventlogs, WinLog event 4104. Interesting, interesting. Okay, so `index=wineventlogs`. What is the event ID?
4104. Okay, yeah, 1,000 results from this. Okay, this is cool, but we're looking specifically for "sharphound". There's a couple of places where this "sharphound" is showing up, so this is another way that we can set up a detection for this. There's not much: we get the scripts, but they're not necessarily parsed, and there's no file name to this either, so I think this would be a broader detection.

The other place we can look is in Zeek, the network telemetry or network index. So let's see what's going on with Zeek. Okay, I get a bunch of information. Well, if you remember back to my slides, we know that BloodHound uses SMB and LDAPS, and I know that SMB uses 445 and 139. So let's see if we can find any of this. Okay, this search shows us about 11,000 events; that's quite a bit. It looks like we have a pretty big spike here, so let's see if we can manipulate this data so we can understand it a bit better. Now we're going to do `values`, and this is just so that we are looking for a count of a certain value. I'm going to do id.resp_p, the response port, and I'm getting this from right here. Okay, so let's see. Oh, awesome. This is pretty indicative that something's going on with rdp01: 340 counts for using 445 on an RDP host, that's pretty strange, right?

Let's see if we can use other stats here. I remember that there was a type, there's an IP address, and there are very different source types; these are connections. So let's see what type of source types Zeek has, by service. Okay, so there's a bunch of connections. Let's just do `by sourcetype`, actually. That didn't work, sorry about that. Okay, so we have conn, conn summary, dns, files, ntlm, smb, and smb mapping. Let's see if we can find the events for this. Okay, so this is for a file, a file server: file open, file open, close. Let's see what this has. I guess it is connections from workstations to our file server.
Oh, this is interesting. So this is RDP talking to workstations. Okay, so maybe we keep this source type. Let's see if we can do a stats. Okay, let's find values using a host name, right: values of host.name by the server DNS computer name. Did I misspell something? Oh, there we go. Awesome. So if we look here, we see that rdp01 has been generating a bunch of events going to workstation 1, 2, 3, and so on and so forth; it looks like mostly all of them. That's interesting. So I think this is another query we should probably save in our notes. This looks like an interesting connection, right? Something like this is something that I will also try and convert into a detection, right? Especially when, or I guess it depends on your environment, an RDP host or a jump host is making these types of connections. I expect something like a file server to have this many connections from various different hosts, but for all these hosts to have connections from an RDP host, when it's not an SMB server or something, that's sort of abnormal. So that's probably a good way to detect this, right? This could even cover not just BloodHound; this could cover manual enumeration from an attacker. If they are trying to be stealthy and don't want to trigger a detection by downloading BloodHound, they could do manual enumeration, but we could still see this on the network side with all these types of connections.

I think I have shown different ways that we can be hunting for BloodHound, or other Windows enumeration. This has been pretty interesting. But now I think we have concluded that RDP host 01 has been compromised and has been generating this type of telemetry. We would have the forensics team run forensics on it, or see what other kinds of things we can hunt for. Let's close this out. I think we should cover the threat hunting template. So this is something that I like to use and other members of the Blue Team Village like to use. It comes with threat hunting and it's pretty basic.
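The two hunts walked through above, the host-side search for SharpHound file creations and PowerShell script blocks and the network-side count of SMB connections per source host, expressed as detection logic run over constructed log records. This is an added example, not code from the talk or from the BloodHound project. The flattened field names (`host.name`, `winlog.event_id`, `file.name`, `file.extension`, `id.resp_p`), the record layout and the sample events are assumptions modelled on the Splunk fields mentioned in the talk; the threshold of 100 connections is the one the talk proposes for its detection query.

```python
"""Detection logic for the SharpHound hunts: Sysmon FileCreate names, PowerShell
4104 script blocks, and per-host SMB connection counts from Zeek conn records.
Added example; field names, record layout and sample data are assumptions."""
from collections import Counter, defaultdict

SMB_PORTS = {445, 139}                                   # SMB ports named in the talk
SHARPHOUND_NAMES = {"sharphound.exe", "sharphound.ps1"}  # collector names from the BloodHound repo

# Constructed host events, flattened to the field names the talk's Splunk
# searches use (host.name, winlog.event_id, file.name, file.extension, file.path).
HOST_EVENTS = [
    {"host.name": "rdp01", "winlog.event_id": 11, "file.name": "health-7f3a.dat",
     "file.extension": "dat", "file.path": "C:\\ProgramData\\health-7f3a.dat"},
    {"host.name": "ws02", "winlog.event_id": 11, "file.name": "setup.exe",
     "file.extension": "exe", "file.path": "C:\\Windows\\Temp\\setup.exe"},
    {"host.name": "ws07", "winlog.event_id": 11, "file.name": "SHARPHOUND.EXE",
     "file.extension": "exe", "file.path": "C:\\Users\\j.doe\\Downloads\\SHARPHOUND.EXE"},
    {"host.name": "rdp01", "winlog.event_id": 4104,
     "ScriptBlockText": "Import-Module .\\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All"},
    {"host.name": "ws02", "winlog.event_id": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Temp -Filter *.log | Remove-Item"},
]


def file_creations_by_extension(events, extensions=("exe", "ps1")):
    """First narrowing step from the talk: Sysmon Event ID 11 rows whose
    file.extension is one of the binary/script types we care about."""
    return [e for e in events
            if e.get("winlog.event_id") == 11 and e.get("file.extension") in extensions]


def sharphound_file_creations(events, names=SHARPHOUND_NAMES):
    """Sysmon Event ID 11 (FileCreate) rows whose file name is a known collector
    name. The comparison is case-insensitive because the talk could not tell
    whether its Splunk match was; casefold() catches SHARPHOUND.EXE as well."""
    return [(e["host.name"], e["file.path"])
            for e in file_creations_by_extension(events)
            if e.get("file.name", "").casefold() in names]


def sharphound_script_blocks(events, markers=("sharphound", "invoke-bloodhound")):
    """PowerShell 4104 (script block logging) events mentioning the collector.
    This is the broader detection from the talk: it still fires when the
    collector is loaded in memory and never lands on disk."""
    hits = []
    for e in events:
        if e.get("winlog.event_id") != 4104:
            continue
        text = e.get("ScriptBlockText", "").casefold()
        if any(m in text for m in markers):
            hits.append(e["host.name"])
    return hits


def constructed_conn_log():
    """Zeek conn.log-style records (constructed): an RDP host opening SMB to
    many workstations, a workstation using a single file server, and DNS."""
    conns = []
    for i in range(1, 121):      # rdp01 -> 120 different workstations on 445
        conns.append({"host.name": "rdp01", "id.orig_h": "10.0.0.10",
                      "id.resp_h": f"10.0.1.{i}", "id.resp_p": 445})
    for _ in range(40):          # ws02 -> the file server only, many times
        conns.append({"host.name": "ws02", "id.orig_h": "10.0.1.2",
                      "id.resp_h": "10.0.0.20", "id.resp_p": 445})
    for _ in range(50):          # DNS, must not be counted as SMB
        conns.append({"host.name": "ws02", "id.orig_h": "10.0.1.2",
                      "id.resp_h": "10.0.0.53", "id.resp_p": 53})
    return conns


def smb_connection_stats(conns, ports=SMB_PORTS):
    """The talk's stats step restricted to SMB ports: for each source host,
    how many SMB connections it made and how many distinct hosts it reached."""
    count = Counter()
    targets = defaultdict(set)
    for c in conns:
        if c.get("id.resp_p") in ports:
            count[c["host.name"]] += 1
            targets[c["host.name"]].add(c["id.resp_h"])
    return {h: (count[h], len(targets[h])) for h in count}


def flag_smb_enumerators(stats, threshold=100):
    """The proposed detection: alert on source hosts above the connection-count
    threshold. The distinct-target count travels with the alert so an analyst
    can separate a busy file-server client (many connections, one target)
    from a host sweeping the subnet (many connections, many targets)."""
    return sorted((host, n, dc) for host, (n, dc) in stats.items() if n > threshold)


if __name__ == "__main__":
    print("file creations:", sharphound_file_creations(HOST_EVENTS))
    print("script blocks :", sharphound_script_blocks(HOST_EVENTS))
    stats = smb_connection_stats(constructed_conn_log())
    print("smb stats     :", stats)
    print("flagged       :", flag_smb_enumerators(stats))
```

Run as-is, the file-creation hunt flags only ws07 (the upper-case copy shows why the match must be case-insensitive), the script-block hunt flags rdp01 even though no collector file was ever written there, and the network stats flag rdp01 with 120 connections to 120 distinct hosts while ws02, with 40 connections to one file server, stays under the threshold; in Splunk the same logic would be the talk's `stats count by host.name | where count > 100` with a `dc(id.resp_h)` added.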
Yeah, there's a playbook title, the MITRE tactic, the MITRE sub-technique, the hypothesis (we didn't really go into detail about the hypothesis, but there are other recordings and other stations, or others within this station, that will go over the hypothesis), and then there is a proposed detection query, simulation details if there are any, the limitations, observation notes from what we conducted (like we did find certain things, like certain logs not being parsed, or not being able to find certain logs), and then our conclusion, our findings of what we found while going through this.

So we can fill this out. We're going to title this "BloodHound being run in the environment"; I don't think I spelled that correctly. So, the MITRE tactic. Alright, we can do a quick search for MITRE. MITRE is a framework for different techniques and attack paths, and there are plenty of resources out there on understanding what MITRE is, but what we need from here is: what tactic is going on here? Alright, so there's a bunch of them here. Usually the one I go for is this one, Account Discovery, because that's the best use case, at least in my eyes, for this. So there is this, which is just Account Discovery, and Local Account Discovery to be specific, at least for the sub-technique. My hypothesis: an attacker on a system. Yeah.

So what is our proposed detection query? At least on the network side we'd have something like this. Is this actually... maybe we can switch this around: do this, and then do host.name here. Yes, right there, there you go, this is much nicer. So let's take this, or actually let's do this: `where count` is above... and what's, like, this is like when it comes to file servers, right, we're going to get some false positives here, but anything, let's say, above 100, like we want to get alerted on. Let's take this and put this detection query here, in Markdown. There are no simulation details here. Um, what are some observations and limitations?
So a limitation that we add here is: some logs were parsed incorrectly, and the ones that were parsed correctly did not show file creation for the BloodHound binaries, right? I think that's both correct. It is. So what else can we say that we observed? I think that covers it mostly. As to findings, well, we found that RDP host 01 has been making various connections to other workstations, right? This is not normal for this type of workstation, right? And that's it. That's our threat hunting template filled out with everything needed. I want to say thank you for joining me on this journey, and if you feel like continuing this conversation, please join us on the Blue Team Village Discord. Thank you.