May 20, 2021 - Jess Garcia - One eSecurity - Twitter: j3ssgarcia - LinkedIn: garciajess
[ Full blog post series available here ]
In Part 1 of this blog post series, we presented the possibility of hunting for anomalies at scale, together with the need for a metric, an Anomaly Classification/Score, that ranks the data from most to least anomalous and thus lets us plan our analysis resources.
In this blog post we will focus on a specific case study: the detection, via Threat Hunting, of an intrusion associated with an unknown threat for which we have no IOCs. As an example, we will use the recent Solarwinds/Sunburst case.
The Big Question
We will try to answer the following question:
The Hunting Methodology
As a Hunt methodology, we are going to define the following:
In order to define the Top 5 techniques we will be hunting for, we will use the Red Canary Top 20 Threat Report 2020 (Note: the 2020 report is no longer online; the report page is regularly updated with the latest report).
The 2020 Top 5 techniques outlined in that report are:
ID | Technique ID* | Name | % of Total Threat |
---|---|---|---|
1 | T1055 | Process Injection | 17% |
2 | T1053 | Scheduled Task/Jobs | 13% |
3 | T1021 | Windows Admin Shares | 13% |
4 | T1086 | PowerShell | 12% |
5 | T1105 | Remote File Copy | 9% |
*: MITRE ATT&CK Enterprise Technique, with the IDs as used in the report at the time. In the current ATT&CK matrix, PowerShell is the sub-technique T1059.001, Windows Admin Shares is T1021.002 (Remote Services: SMB/Windows Admin Shares) and T1105 has been renamed Ingress Tool Transfer.
We will also assume that we only have analyst resources to review the Top 100 anomalies found in each category. This means that:
That is, our analysts would be able to identify that the activity observed was malicious and would therefore conduct a full-blown investigation, which we will assume would allow them to succeed in detecting the intrusion.
If, on the other hand, the anomalies are below the Top 100 mark, they would not be able to detect the intrusion.
We will not elaborate on the Solarwinds/Sunburst Campaign here; we just want to know which of the selected Top 5 Techniques were actually used in it.
Out of the long list of Techniques used in the Campaign, which you can find here, we can confirm that the campaign made use of 4 of the 5 top techniques:
ID | Technique ID* | Name | % of Total Threats |
---|---|---|---|
2 | T1053 | Scheduled Task/Jobs | 13% |
3 | T1021 | Windows Admin Shares | 13% |
4 | T1086 | PowerShell | 12% |
5 | T1105 | Remote File Copy | 9% |
For the purpose of this analysis we will select T1053.005 (Scheduled Task), which was used by the actor in this campaign and, at the same time, was number 2 in the Red Canary 2020 Threat Report, i.e. at the time the Solarwinds/Sunburst Campaign was taking place.
The Solarwinds/Sunburst Campaign Scheduled Task, EventCacheManager, has been documented in multiple Threat Reports (e.g. FireEye or Volexity).
It was used for lateral movement and created via PowerShell:
```powershell
# Reconfigure the existing EventCacheManager task so that it has no execution
# time limit (PT0S) and re-register it under the SYSTEM account.
$scheduler = New-Object -ComObject ("Schedule.Service")
$scheduler.Connect($env:COMPUTERNAME)
$folder = $scheduler.GetFolder("\Microsoft\Windows\SoftwareProtectionPlatform")
$task = $folder.GetTask("EventCacheManager")
$definition = $task.Definition
$definition.Settings.ExecutionTimeLimit = "PT0S"
# 6 = TASK_CREATE_OR_UPDATE, 5 = TASK_LOGON_SERVICE_ACCOUNT
$folder.RegisterTaskDefinition($task.Name, $definition, 6, "System", $null, 5)
echo "Done"

# Creation of the task itself via schtasks, run at system start as SYSTEM
C:\Windows\system32\cmd.exe /C schtasks /create /F /tn "\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager" /tr "C:\Windows\SoftwareDistribution\EventCacheManager.exe" /sc ONSTART /ru system /S [machine_name]
```
In summary, the task characteristics are:
Task Name | \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager |
---|---|
Task File | C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager |
File Executed | C:\Windows\SoftwareDistribution\EventCacheManager.exe |
Task User | SYSTEM |
Task Schedule Type | ONSTART (The task runs every time the system starts). |
Once the artifacts have been selected (Task Scheduler event logs and a file listing of C:\Windows\System32\Tasks), how will we detect the malicious Solarwinds/Sunburst Scheduled Task?
As we discussed previously, the idea is to run some type of Anomaly Detection mechanism on the selected artifacts and sort the results by a certain Anomaly Score, so that the most anomalous events are at the top of the list. If the EventCacheManager task is listed in the Top 100 anomalies, then we can conclude that our Threat Hunting Team, after following the leads and investigating further, would have successfully identified the intrusion.
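To make the ranking step above concrete, here is an added example written for this post (it is not code from the original post or from the DS4N6 project). It parses task definitions shaped like the XML files found under C:\Windows\System32\Tasks, reduces each one to a handful of categorical features (task folder, executable directory, run-as user, trigger types, execution time limit), scores every task by how rare its feature values are across a fleet, and checks whether a task with the EventCacheManager characteristics from the table above lands in the Top N. The fleet, the host names, the baseline tasks and the inverse-frequency score are all assumptions made for the example; the post has not yet said which anomaly detection mechanism it will use.

```python
"""Rarity-based anomaly ranking of Windows Scheduled Task definitions.

Added example, not code from the original post or from DS4N6. The task XML
documents are constructed test data in the shape of the files found under
C:\\Windows\\System32\\Tasks; the score is a simple inverse-frequency
"surprise" score, one of many possible anomaly metrics (an assumption).
"""
import math
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import PureWindowsPath

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
FEATURES = ["task_folder", "exe_dir", "user", "triggers", "time_limit"]


def build_task_xml(exe, user, trigger, limit):
    """Return a minimal Task Scheduler XML document (constructed sample data)."""
    return (
        f'<Task version="1.2" xmlns="{TASK_NS[1:-1]}">'
        f"<Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>"
        f'<Principals><Principal id="Author"><UserId>{user}</UserId></Principal></Principals>'
        f"<Settings><ExecutionTimeLimit>{limit}</ExecutionTimeLimit></Settings>"
        f'<Actions Context="Author"><Exec><Command>{exe}</Command></Exec></Actions>'
        "</Task>"
    )


def extract_features(task_path, xml_text):
    """Parse one task definition into the categorical features we score on."""
    root = ET.fromstring(xml_text)

    def find_text(tag, default=""):
        node = root.find(f".//{TASK_NS}{tag}")
        return (node.text or default) if node is not None else default

    triggers = root.find(f"{TASK_NS}Triggers")
    trigger_types = sorted(c.tag.replace(TASK_NS, "") for c in triggers) if triggers is not None else []
    return {
        "task_folder": str(PureWindowsPath(task_path).parent),
        "exe_dir": str(PureWindowsPath(find_text("Command")).parent).lower(),
        "user": find_text("UserId"),
        "triggers": "+".join(trigger_types),
        "time_limit": find_text("ExecutionTimeLimit", "PT72H"),  # Task Scheduler default
    }


def score_tasks(records):
    """records: list of (host, task_path, features). Returns (score, host, path, features)
    sorted from most to least anomalous. score = sum over features of -log p(value),
    with p estimated over the whole fleet: common values add ~0, rare values add a lot."""
    n = len(records)
    counts = {f: Counter(r[2][f] for r in records) for f in FEATURES}
    scored = [
        (round(sum(-math.log(counts[f][feats[f]] / n) for f in FEATURES), 3), host, path, feats)
        for host, path, feats in records
    ]
    return sorted(scored, key=lambda r: r[0], reverse=True)


# Constructed fleet: the same baseline tasks on every host (loosely modelled on
# stock Windows tasks, not dumped from a real system), plus one task matching
# the EventCacheManager characteristics from the post on a single host.
BASELINE = [
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe", "S-1-5-18", "CalendarTrigger", "PT72H"),
    (r"\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask", r"%windir%\system32\sc.exe", "S-1-5-18", "BootTrigger", "PT72H"),
    (r"\Microsoft\Windows\Time Synchronization\SynchronizeTime", r"%windir%\system32\sc.exe", "S-1-5-19", "BootTrigger", "PT72H"),
    (r"\Acme\AcmeUpdater", r"C:\Program Files (x86)\Acme\updater.exe", "S-1-5-18", "LogonTrigger", "PT72H"),
]
SUNBURST_TASK = (r"\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager",
                 r"C:\Windows\SoftwareDistribution\EventCacheManager.exe", "S-1-5-18", "BootTrigger", "PT0S")


def build_fleet(hosts=("ws01", "ws02", "ws03", "ws04", "ws05"), compromised="ws03"):
    """Assemble (host, task_path, features) records for the constructed fleet."""
    records = []
    for host in hosts:
        tasks = list(BASELINE) + ([SUNBURST_TASK] if host == compromised else [])
        for task_path, exe, user, trigger, limit in tasks:
            records.append((host, task_path, extract_features(task_path, build_task_xml(exe, user, trigger, limit))))
    return records


def hunt(top_n=100):
    """Rank every task in the fleet; report the EventCacheManager rank and whether it is in the Top N."""
    ranked = score_tasks(build_fleet())
    rank = next(i for i, r in enumerate(ranked, 1) if r[2] == SUNBURST_TASK[0])
    return ranked, rank, rank <= top_n


if __name__ == "__main__":
    ranked, rank, hit = hunt(top_n=100)
    for score, host, path, _ in ranked[:5]:
        print(f"{score:6.3f}  {host}  {path}")
    print(f"EventCacheManager rank: {rank} (in Top 100: {hit})")
```

With this toy fleet the malicious task scores highest because two of its feature values, an executable under C:\Windows\SoftwareDistribution and an ExecutionTimeLimit of PT0S, appear nowhere else; the task folder, user and boot trigger are shared with legitimate tasks and contribute little. On real data the same construction, applied to the file listing or to task-creation events, is only the first cut: the features chosen and the fleet used as the baseline decide what "rare" means.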
And what will be that Anomaly Detection mechanism that you are talking about?
Well, we will unveil that mystery in the upcoming parts of this blog post series!
Stay Tuned and contact us if you have any comment or question!
The scenario we are introducing here, the detection of the Solarwinds/Sunburst Campaign via Machine Learning Anomaly Detection, the rhetorical question asked, and the assumption that a well-trained analyst would have detected the Solarwinds/Sunburst Campaign using this methodology are obviously a simplification, introduced for the sake of framing the discussion and providing a fun and familiar case scenario on which we can apply the concepts proposed.
Detecting and fully unveiling an extremely sophisticated operation like the Solarwinds/Sunburst one is typically not as simple as detecting an anomalous Scheduled Task. There are many factors (technical, technological, operational, procedural, policy, resourcing, budget, etc.) that contribute to the overall detection capabilities of an organization, and therefore their real detection capabilities are a combination of those factors.
I want to acknowledge from here the amazing work carried out by so many colleagues, DFIR companies and teams (with a special mention to the Microsoft Intelligence Center - MSTIC) in the dissection of all the components of this Campaign and its associated NOBELIUM Threat Actor.
That said, I hope the approach and technology proposed in these posts (and under the DS4N6 initiative as a whole), in the context of a solid Threat Hunting strategy, will help in the detection of similar future campaigns.