Welcome to Project Obsidian, Scythian Hefton, Kill Chain One. The title of this is Go Fish: Visualizing Basic Malice, and this will be by myself, Salmanoske-X. A little bit about myself, who I am. I'm Salmanoske-X. I'm a tinkerer. I'm also a SOC team member for an organization. I am a blue team enthusiast, and have been for many, many years. I am also an instructor, but most of all, I am also a student.

So let's take a look at what we're going to be learning today. First of all, we're going to learn what phishing is and what a phishing payload is in the context of phishing. We're going to be learning what Visual Basic for Applications is. We're also going to learn what macros are and what this has to do with phishing and threat hunting. We'll also learn how to walk through the process from a hypothesis to tangible results during a threat hunt. Also, we're going to recognize what tools we have in our arsenal and what we can do with them for our threat hunt.

So let's take a look at phishing. Phishing is still one of the most common attack methods in use today. Generally what phishing means is that it's a way for an adversary to get credentials or information from an individual via nefarious or malicious means. A phishing payload is the method of getting that data. So a phishing payload could be a document, a zip file, a link in an email. We also are going to learn there are differences between these different types of payloads. We'll see that a little bit later.

Here are a couple of examples of some phishing payloads that I've seen in my actual day-to-day experience. Here's an example. So this is an IT security update from the IT help desk. And if you look at this, it has so many warnings that I'd be surprised if a user would actually click on the email link that's in it. However, let's take a look at it. Microsoft gives you an email header that says this person is from outside of your organization.
They also have another one inside saying that the email was from an external source. The warnings are there. In the actual body of the email, we see it says your email account will be deactivated shortly; to stop deactivation, click here. Companies are not going to do that. If somebody were to click on the click here button, it would take them to a site that would have them enter their credentials. Part of what makes phishing a little bit more concerning is that the adversaries will try to use a sense of urgency: you need to do this immediately, or you need to do this before the end of the day, or you'll lose something, or we'll charge you, or something like that.

Take a look at another one. Say the user clicks on a link that says, hey, here's some money that you owe, we need you to review it. So they would click on the link, and it would get something like this. This is obviously inside of a webpage, and there's a box that says that your authentication is needed to log into this document. This is not legit. We have another one as well; this goes back to the urgency that we discussed earlier. This is an invoice that's urgent. If you take a look at the spelling in the email, there are often misspellings. That's not always an absolute tell, but it's one of those signs that could mean that it is potentially malicious. And then we have the invoice .docx, which is a Microsoft Word document that most likely has a malicious payload inside of it via a macro, which we'll learn about later.

So, Visual Basic for Applications. We call it VBA for short. Microsoft's generous gift for extensibility in Office. What this does is it allows for adding functionality in Microsoft Word, PowerPoint, Excel, Access, Microsoft Project, I believe, or Publisher.
But what that does is it allows the file to interact with the underlying operating system or other Office applications to transfer data, or do different things between different applications automatically. It could be a good thing, but it more than likely is a bad thing. We refer to these functions as macros. As I discussed, it's not limited in scope to just the Office applications, which is what makes this kind of a bigger issue than if it were just limited to the Office applications. As I said, this can be a rather large concern with the amount of privilege and the actions that can be done with this functionality. This can actually be weaponized by adversaries, and we'll see an example of that here shortly. The macros can perform the actions automatically, sometimes without obvious signs, just by opening a document or file that contains active macros. What are the implications? If a user downloads a file from an email, and they open the document and click a button, that could activate additional downloads of malicious files from an adversary's systems. What does the macro look like? Here's an example of a macro that is not legitimate. But this is what the macro interface looks like in Microsoft Office applications.

Let's think a little bit about what our scenario is right now. Let's say I'm a new team member of the Magnum Tempest (MT) security team. I've been asked to build a threat hunt based on what I think might have been missed in the environment. I've never done a threat hunt before. Where do I start? So first things first, what we need to do is start with a hypothesis. I'll put it to you to start with a hypothesis in mind, because you need to know what you're looking for. For me, I'm focusing on macro usage in the environment, so Visual Basic for Applications macros. I'm going to start with a broad hypothesis, and I'm going to presume that Magnum Tempest employees receive malicious documents or malicious emails.
This is a good starting point, but it's far too broad, because malicious emails, yes, we will get that, but we need to refine that hypothesis to be a little more direct. So let's refine. And what we come up with is: Magnum Tempest employees are targeted with malicious Microsoft documents containing VBA macros via email. And we're going to presume that some employees will download, open, and detonate these malicious documents. What we're going to talk about is that a lot of what we're going to be going over and doing here is specifically structured towards the Splunk query language. But these concepts can be applied to any platform, any query language. And there are also online applications or tools that will allow you to convert from one query language to another. I'm not asking that here, but that is available.

So let's start with the threat hunt. We need to start with a query in Splunk, but we need to know what sources we have available. So yeah, we could start by just going across the entire platform and just go index equals asterisk. You can see what we get when we do that. We're going to have index=*. We have no hits right now, but that's because we need to go to the timeline here. And for lack of a better time period, let's go with all time, and then click on search. Interesting, we have nothing. So let's take a look; let's refine a little bit more. Let's see what we do. As you see, the search is increasing. These are more entries than we could ever want to go through and parse, and this number is just going to go higher and higher. Let's stop this right now. Let's go back to our drawing board. Let's see what else we can do. So this is bad practice, to do the asterisk with a query. One, it's a great way to get server admins mad at you for slowing down the system.
But you might also not get exactly what you're expecting; you might get more, and you won't be able to refine your query as much. So let's take a look at a query that we could use, one that will summarize all of the log sources that we have in Splunk. Now I'm going to cheat, because I already have this as a search in my history. So I'm going to add that to my search, I'm going to do all time, and I'm going to search. Okay, so we see we have a number of different indexes; we have 12 results. And the one that kind of stands out to me right now is Zeek, because Zeek will allow me to get information about data that is being transmitted over the wire, so over the network. Let's go back and look and see what we can do with that information.

So this is what we saw. We're going to start with Zeek. Let's see what files are transmitted over the network. So instead of putting the asterisk, we're going to do index=zeek. And as I said previously, we need to set a date range for what we're going through. For the example, we're going to use February 11 to February 13 of 2022, index=zeek. So we're going to set a date range between February 11 and February 13. I'm going to apply that, and then we're going to search. As you see, we still have a rather large amount of events. So we need to refine that a little bit better. Back to our drawing board. We know that we're dealing with Microsoft Office documents and with the macro behavior. So let's see what we can do. The typical Microsoft document files that we see being transmitted over email in attacks are .doc, .docx, .xls, and .xlsx, so Microsoft Word documents and Excel documents. Let's see if we can add that to the query, like this: .doc OR .docx OR .xls OR .xlsx. So let's add that to our query, and I have that here. Let's query that. Okay, we're getting better. We have 863 events. So let's scroll through and see what we can see. It's still a lot of documents.
So we want to see if we can refine that a little bit better. See what we can do. As you see, we saw 863 events. What do we find? There were a lot of events. We can probably narrow this down more. So we've got the initial entry: index, .doc, .docx, these document formats. But this is also probably a great point to bring up something that's integral for threat hunting: take notes. We need to know what we did, what worked, what didn't work. And for the purposes of this, we're keeping track as we go along. How could we refine this search? Since we're focusing on supposed phishing emails, we can look at common terms that are used in phishing documents. SAMHSA has a cool, extensive list. It's not comprehensive, but it's very useful, at this link here. And we can use some terms to fine-tune the search. So let's add some of the ones that I found: invoice, we see a lot of that, or remit or payment or order. So let's go back to Splunk and see how that looks. So while these are common phishing email document names, or could be part of emails, we're not getting very many hits. We're actually getting no hits.

So let's go back to the drawing board. Let's try using another index. This is Sysmon. So what Sysmon will do, Sysmon is essentially giving you telemetry from the endpoint; Zeek gives you telemetry from the network. So let's add Sysmon to that and see if we have any hits. Again, no hits. So perhaps we should try a different approach. Let's go back. As you see, we had no events. Okay. What can we do to get better results? Again, we want to probably go back to our notes, see what we've done so far, what hasn't worked, and let's see what else we can do to fine-tune. Maybe do some external searching. See what we can do to get better results. But we need to go back and remember what we're looking for when we started, right? We're looking for Visual Basic for Applications macro evidence tied to Office documents obtained via email.
Is there a way for us to determine via logs that a macro has been executed? Yes, obviously. SANS actually has a really nice explanation of registry entries that will indicate that a macro has been activated. According to SANS, we can look for something called TrustRecords, and this indicates macro execution on a system. This is from the webpage from SANS. It points out that one of the few places where macro execution leaves traces is in the TrustRecords entry in the registry. We can see that right here in this box, and that's something that we can use in our search. So let's try to add that and see if we can find TrustRecords in our query. We're going to stick with our initial index and the consistent one, and we're going to add TrustRecords to that. We're going to take this off. Let's see what we did. So we get 48 events. Here we have a real look. We see this one, right here: Employee Code of Conduct. But this one appears on a file server. So let's take a look and see. Okay, this is evidence of a macro. Let's go back and look at this.

Okay, we have a result. And the first event we see is on an internal file share, as we noticed. What's the significance of it being on a file share? It appears to be a company file share. We're looking for documents downloaded by a user via email. We're not likely to see this on a file share, at least not initially. We would expect to see it on a user's desktop or endpoint. So let's take a look and see how many of these events are located on the file share. By doing that, we're going to have TrustRecords, and then files.magnumtempestfinancial.com. Let's go back to our search. Look, and I have that here: magnumtempestfinancial.com. We get 26 events. Okay: Employee Code of Conduct, Employee Code of Conduct, Marketing Template, Marketing Template.
Okay, so at this point, I am fairly confident that that's not necessarily malicious. It could be, but going based off of my hypothesis of it being from an email, I'm going to disregard these files for now. So going back to our search, we saw 26 events associated with the file share. Well, let's do the inverse, removing the file share events from our query. So all we're going to change is NOT in the query. That gives us 22 events, which is better, because this is a little bit more for us to work with. Okay, so let's look at this. The first one is TrustRecords, Users, corporate downloads, Downloads. That's what we're looking for. Magnum Tempest policy violation, Matt. So this one stands out, because I would not expect to see a user's email address in a document that is being sent from a legitimate internal group. What we do know is that, having templates and sending out to the mass users, you might see a name like this. But having the entire email just kind of signifies that this might be, could be malicious, but we need to dig a little bit deeper. Let's see what else we have here. Okay, we have another similar one from a different user, Amanda.

Okay, so let's go back to our drawing board. So we ran the query, and we do have 22 events. Are we done? No. But we do have 22 events. And like I said, that file name stands out to me as potentially an issue. It stands out because the naming convention is odd. Why would there be an email address in the file name, right? The location indicates that it's downloaded on the user's endpoint in both scenarios, Downloads and Desktop, which is what you'd expect if you were downloading from an email on the actual endpoint. It also indicates that the trust record section was triggered for the file, which, as we know, indicates macro activity. Can we find similar files? Let's refine our query, knowing the file name of what we may suspect to be a malicious file. So we're going to stick with index zeek.
And Sysmon. But we're going to go with MagnumTempest-Policy-Violation-. Let's see what this results in. So we have 40 events for this. Let's take a look at this. I'm not sure what this is. These look like logs, but these might not be parsed, so that could be an issue. But let's look down a little bit deeper. Okay. So we knew Amanda Nunes downloaded this file, and it looks like it was caught as a forced authentication. However, we also know that this was not parsed as well, so that's another note to add to our notes. And we scroll down and see more. Nunes again. Then Matt Tristeke again. So right now it's Matt and Amanda.

So let's go back and see. Can we refine this more? Well, we know we have 40 events available. We looked at what we saw in the first events; they're not parsed. Let's note this, so we can note it in our findings. But like we said, we saw that there was one that had a drive-by compromise. The program used was Thunderbird, and it fits the target's file name that we were discussing previously. Now, I don't know a whole lot about the organization yet, but it appears that the organization uses Thunderbird as a mail client. So can we refine that a little bit deeper, knowing that little bit of information? So let's go back, and we're going to add Thunderbird to our query. Are we down to 12 events? Again, if we look at these, they're not parsed correctly, so that's something to note. Going through, Amanda downloaded it. Amanda. Karen Mutants also appears to have downloaded this. So let's see what we have. Go back. At this point, with the previous query, we see that we have 12 entries. Scrolling, we see two additional users downloaded it: Amanda Nunez and Karen Mutants. What does this mean? At this point, we've validated our initial hypothesis that a Microsoft Office document was downloaded from email by the end users,
and that it contained Visual Basic for Applications macros. Are we done? We can be. We've satisfied our hypothesis and our investigation, or our threat hunt. However, if you're like me, you might be interested in digging a bit deeper to see if you can find more information about these files. So what does that mean? We need to go deeper. So what's next? We have other tools available to us that might be useful. We have access to the packet capture for network traffic. That's done with Zeek. But we can actually look at traffic flows and actually rebuild those traffic flows, and that's what we call a packet capture, or we call it pcap for short. A common tool that we use to browse and hunt in a pcap file is called Wireshark. Let's load it up with the appropriate pcap, and let's see what we can find. Once we load the pcap, we're going to be able to start searching for some information that we located in our hunt.

Let's look back and remember that we found a file name that was opened by multiple users, and the file name was MagnumTempest-Policy-Violation-<user email>.doc. Okay. So we know that the company's name is Magnum Tempest, so we probably should avoid using that, because it's possible we could end up with other events that we were not really interested in. What stands out to me in this would be the Policy-Violation- part. It could be very unique to the file name. So let's proceed. We're searching for this because, if you remember, we only had 12 hits for that file name. Let's load up Wireshark. So I already have Wireshark up and ready to go. What we want to do, if you want to, you can call out, we'll change this. It starts off with the packet list, packet details. This starts off as the display filter. We're going to switch this to string. I already have policy violation in here, but if you didn't have anything in there, it would be red. So you would type Policy-Violation-
and you hit enter. It's going to take a little bit of time to search for it, but we found one right here. So if you see here, it says Action Required: Internal IT Policy Violation, from legal-internal at magnumtempestfinancial. At this point, we can right-click and Follow TCP Stream. What this will do is bring up the stream of data that is associated with this particular packet. So see that now. This will take a little bit to load. Go back to our drawing board. So here's an explanation of how to switch the display filter to string. As we saw, we saw Action Required: Internal IT Policy Violation, from legal-internal at magnumtempestfinancial. Again, this is where we will right-click and Follow TCP Stream. Again, TCP stream will give you the actual data flow for that particular packet where it exists. The colors indicate whether data was sent or received.

Let's go back to our operation. So there's a lot of data here. But if we scroll a little bit, we will see our original email that we're referring to; the subject is Action Required: Internal IT Policy Violation, from legal-internal at magnumtempestfinancial. So this one was sent to... so this file, this is the email itself, the actual email text that was sent. What stands out here is this is network traffic. Network traffic in a good network should be encrypted, especially with emails. You should never be able to see email text over a network. That's a security issue. That's also something to note when you're keeping track. What we see here too, this is the file name that we were expecting: MagnumTempest-Policy-Violation, and then we have the username here.
The .doc is what we expected. And then what we have here is base64-encoded blob text. What this will do is, if you were to take this and send this to the base64 encryption, what will happen is you can recreate this attachment, this document that contains the macro files. So let's go back to our deck. So like we said, we needed to scroll a little bit to get to what we needed. Again, let's take a look at what we said: in one and two, we're seeing the subject and the from that we saw before. In number three, we're seeing what appears to be the email contents in plain text. This is concerning, as I said previously; unencrypted email over the wire is not a good thing. It could be a misconfiguration by the server admins when they set up email. In number four and five, we noticed that this is a base64-encoded attachment, and the file name matches what we would expect to see based on what we did in Splunk. Again, it's important to recognize that, because it's base64, we have the ability to turn that into an actual document or file.

At this point, what's next? We could dive further and investigate. We could try to download the attachment and see what... But it might be a good point for us to stop and pass off to the next team to proceed with their investigation or their threat hunt. But it's also a chance for us to take a look and check our notes. What we want to do is go to our playbook. Our playbook title is going to be Detecting Enterprise Macro Activity from Emails. The MITRE tactic is T1566, which is phishing. But we're also going to use the sub-technique .001, spear phishing attachment, because based on what we've known so far, this could be a spear phishing attachment.
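The Follow TCP Stream step above, carried through in code as an added example that is not part of the talk: it builds a constructed client side of an SMTP session (sender, subject and attachment name modelled on the talk's email, with a dummy OOXML zip standing in for the document), carves the message between DATA and the lone "." terminator, decodes the base64 attachment, and checks the decoded zip for a word/vbaProject.bin part, which is where Word keeps VBA macros. Legacy OLE .doc files are only flagged as unhandled; inspecting those needs a tool such as oletools.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Values modelled on the talk's email; all of them are constructed sample data.
SENDER = "legal-internal@magnumtempestfinancial.com"
RECIPIENT = "anunez@magnumtempestfinancial.com"
ATTACH_NAME = "MagnumTempest-Policy-Violation-anunez@magnumtempestfinancial.com.docx"
SMTP_POLICY = policy.SMTP.clone(max_line_length=None)  # keep each header on one line


def build_fake_docx(with_macro):
    """Minimal constructed OOXML zip; word/vbaProject.bin is where Word stores macros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


def build_smtp_stream(attachment):
    """Client side of an SMTP session, as Follow TCP Stream would display it."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = "Action Required: Internal IT Policy Violation"
    msg.set_content("Review the attached policy violation notice before end of day.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename=ATTACH_NAME)  # binary parts get base64 transfer encoding
    body = msg.as_bytes(policy=SMTP_POLICY).replace(b"\r\n.", b"\r\n..")  # dot-stuffing
    return (b"EHLO client.example\r\nMAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nDATA\r\n"
            % (SENDER.encode(), RECIPIENT.encode())) + body + b"\r\n.\r\nQUIT\r\n"


def message_from_stream(stream):
    """Carve the RFC 5322 message between DATA and the lone '.' terminator."""
    start = stream.index(b"\r\nDATA\r\n") + len(b"\r\nDATA\r\n")
    end = stream.index(b"\r\n.\r\n", start)
    return stream[start:end].replace(b"\r\n..", b"\r\n.")  # undo dot-stuffing


def has_vba_project(data):
    """True/False for OOXML (zip) files; None for legacy OLE .doc, which needs oletools."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())


def carve_attachments(stream):
    """Decode every base64 attachment and report name, size, hash and macro indicator."""
    msg = message_from_bytes(message_from_stream(stream), policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # base64 text back to the original bytes
        found.append({"filename": part.get_filename(), "size": len(data),
                      "sha256": hashlib.sha256(data).hexdigest(),
                      "vba_project": has_vba_project(data)})
    return {"from": str(msg["From"]), "subject": str(msg["Subject"]), "attachments": found}


if __name__ == "__main__":
    report = carve_attachments(build_smtp_stream(build_fake_docx(with_macro=True)))
    for att in report["attachments"]:
        print(att["filename"], att["size"], att["vba_project"], att["sha256"])
```

The sha256 of the carved bytes is what you would record in the hunt notes and hand to the next team, rather than the file itself.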
So we're going to take our initial hypothesis, which is that employees are targeted with malicious documents with VBA macro code, and some employees will open the documents and detonate them, as is the case. The proposed detection query is index IN (zeek, sysmon) .doc OR .xls OR .docx OR .xlsx TrustRecords AND NOT files.magnumtempestfinancial.com. We have no simulation details. And for the hunter limitations and observation notes, we discovered that there were log sources that were not properly parsed, which made finding details difficult. Hunt findings: three users downloaded the malicious document; two users appear to have been affected by the payload. And that brings us to the end of the talk. Thank you so much. To join the conversation, join us at discord.blueteamvillage.org. Thank you.
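The hunt logic behind the proposed detection query, carried through in Python over constructed Sysmon registry events as an added example (not the talk's own code): it keeps TrustRecords writes whose value name is an Office document, drops the internal file share, and pivots on the Policy-Violation- name fragment to list the users who trusted that document. The event shape, user names and the registry path (Office 16.0, Word) are assumptions, and the extension list goes beyond the talk's four by adding the macro-enabled .docm and .xlsm.

```python
import re
from collections import defaultdict

# Extensions from the talk's query plus the macro-enabled ones (.docm/.xlsm), an addition here.
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".docm", ".xlsm")
FILE_SHARE = "files.magnumtempestfinancial.com"  # internal share excluded in the talk
# Office writes one value per trusted document under ...\Security\Trusted Documents\TrustRecords;
# the value name is the document path, so a Sysmon Event ID 13 TargetObject ends with it.
TRUST_RE = re.compile(r"\\Security\\Trusted Documents\\TrustRecords\\(.+)$", re.I)

# Constructed sample Sysmon events, shaped like what a SIEM would store (assumed layout).
_KEY = (r"HKU\S-1-5-21-100-%d\Software\Microsoft\Office\16.0\Word"
        r"\Security\Trusted Documents\TrustRecords\%s")
POLICY_DOC = "MagnumTempest-Policy-Violation-%s@magnumtempestfinancial.com.doc"


def _evt(user, target, event_id=13):
    return {"EventID": event_id, "User": user, "TargetObject": target}


SAMPLE_EVENTS = [
    _evt("MTF\\anunez", _KEY % (1001, "%USERPROFILE%/Downloads/" + POLICY_DOC % "anunez")),
    _evt("MTF\\mtristeke", _KEY % (1002, "%USERPROFILE%/Desktop/" + POLICY_DOC % "mtristeke")),
    _evt("MTF\\kmutants", _KEY % (1003, "%USERPROFILE%/Downloads/" + POLICY_DOC % "kmutants")),
    _evt("MTF\\jdoe", _KEY % (1004, "//files.magnumtempestfinancial.com/hr/Employee-Code-of-Conduct.docx")),
    _evt("MTF\\jdoe", _KEY % (1004, "%USERPROFILE%/Downloads/quarterly-report.pdf")),
    _evt("MTF\\anunez", r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe", event_id=1),
]


def trusted_document(event):
    """Document path recorded by a TrustRecords write, or None for any other event."""
    if event.get("EventID") != 13:
        return None
    m = TRUST_RE.search(event.get("TargetObject", ""))
    return m.group(1) if m else None


def is_office_document(path):
    return path.lower().endswith(DOC_EXTS)


def on_file_share(path):
    return FILE_SHARE in path.lower()


def hunt_trust_records(events, exclude_share=True):
    """Users who trusted Office documents (macros enabled), with the document names."""
    hits = defaultdict(set)
    for ev in events:
        doc = trusted_document(ev)
        if doc is None or not is_office_document(doc):
            continue
        if exclude_share and on_file_share(doc):
            continue  # the talk's NOT files.magnumtempestfinancial.com clause
        hits[ev["User"]].add(doc.rsplit("/", 1)[-1])
    return {user: sorted(docs) for user, docs in hits.items()}


def users_who_trusted(events, name_fragment):
    """Pivot on a suspicious file-name fragment, as the talk did with Policy-Violation-."""
    frag = name_fragment.lower()
    return sorted(user for user, docs in hunt_trust_records(events).items()
                  if any(frag in d.lower() for d in docs))


if __name__ == "__main__":
    for user, docs in hunt_trust_records(SAMPLE_EVENTS).items():
        print(user, docs)
    print(users_who_trusted(SAMPLE_EVENTS, "Policy-Violation-"))
```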