SEC350 Project 3 Threat Hunting - FlameSpyro/Tech-Journal GitHub Wiki

SEC350 - Project 3 - Threat Hunting

Introduce your threat actor and the specific TTPs you are looking for. Who are they, and what is their attribution and motivation? Provide an overview of a specific incident attributed to this attacker. (5 Points)

  • The actor we chose is the APT known as "BRONZE BUTLER". The main TTPs we're focusing on are Screen Capture (T1113), Scheduled Task (T1053.002 and T1053.005) and Command and Scripting Interpreter: PowerShell (T1059.001). The goal is to simulate Screen Capture and System Time Discovery through Scheduled Tasks. BRONZE BUTLER is a Chinese cyber espionage group that tends to target Japanese organizations affiliated with the government, biotechnology, electronic manufacturing and industrial chemistry. An example of a specific incident is Operation ENDTRADE. The general flow of that attack involved spearphishing for malware delivery, decoy documents with attention-grabbing filenames designed to get opened, and the use of steganography to hide malware payloads in images.
  • Sources here and here

Create the conditions that generate the telemetry associated with at least three of your TTPs. This could be logs, active processes, strange use of PowerShell, files, callouts to specific IPs or DNS names, hashes, etc. (5 points)

  • The condition we ended up using, specifically because our focus was on Task Scheduler, was to have Wazuh log any newly created scheduled task. All of our primary TTPs revolve around this, making it fairly simple to focus on. Alternatively, we could’ve logged PowerShell usage, or the use of specific executables that would be somewhat strange to open on a corporate PC. Sysmon was our method of collecting the Task Scheduler registry events, which were then forwarded to the Wazuh dashboard through the agent installed on the targeted PC.

  • For our detection tool we used Wazuh, which required a bit of setup and configuration before we could do anything.
  • First we needed to install Sysmon on our target machines.
  • Note: make sure the Sysmon configuration XML (sysmonconfig.xml, which can be found here) is already on the machine before running the install:
.\Sysmon.exe -accepteula -i .\sysmonconfig.xml
  • We are using wks01 as the target, which is already part of the windows group on Wazuh. In the group configuration in the GUI we need to add the following so the agent tails the log file the active response will write to:
<agent_config os="windows">
  <localfile>
    <location>logs\scheduled-tasks.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

  • On the built-in default group, add the following so the Sysmon event channel is collected:
<agent_config os="windows">
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>
  • Now that the group has been set up, we need to add rules to the local_rules.xml file on the manager that will cause Wazuh to alert on a scheduled task being created on any device within the windows group (the ruleName values come from the Sysmon configuration's technique tags):
  • Here's what we added:
<group name="windows,sysmon,">
 
  <rule id="115006" level="6">
    <if_group>windows</if_group>
    <field name="win.eventdata.ruleName" type="pcre2">^technique_id=T1053,technique_name=Scheduled Task$</field>
    <field name="win.eventdata.eventType" type="pcre2">^CreateKey$</field>
    <description>A Newly Scheduled Task has been Detected on $(win.system.computer)</description>
    <mitre>
        <id>T1053</id>
    </mitre>
  </rule>

  <rule id="115007" level="0">
    <if_sid>115006</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">^HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator$</field>
    <description>Suppression rule for scheduled task created by update orchestrator</description>
  </rule>

</group>
  • Next, we configured the wks01 machine to look up the scheduled task that was just created whenever the rule fires. This is an active-response script in the ossec agent folder at C:\Program Files (x86)\ossec-agent\active-response\bin\analyze-scheduled-task.cmd
  • We named it analyze-scheduled-task.cmd and added the following:
@echo off
rem Active response for rule 115006: read the alert from stdin, look up the scheduled
rem task named by the registry TargetObject, and append its actions as one JSON line
rem to scheduled-tasks.log (which the agent tails, see the group configuration above).

setlocal enableDelayedExpansion

rem Pick the ossec-agent path for 32-bit vs 64-bit Windows.
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT

rem Quote the whole assignment: the value then carries no quotes (which would be an
rem illegal path character below), and the ")" in "(x86)" cannot close the if block.
if %OS%==32BIT (
    SET "logFile=%programfiles%\ossec-agent\logs\scheduled-tasks.log"
)

if %OS%==64BIT (
    SET "logFile=%programfiles(x86)%\ossec-agent\logs\scheduled-tasks.log"
)

rem The manager passes the alert as a single JSON line on stdin; read it through PowerShell.
set input=
for /f "delims=" %%a in ('powershell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)

rem Extract the task name (last path element under ...\TaskCache\Tree), fetch the task
rem with Get-ScheduledTask, and append its actions plus the name as JSON to the log file.
powershell -command "$string = '%input%'; $match = select-string 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree.*\\\\(\S*)\\r\\n' -inputobject $string; $taskName = $match.Matches.groups[1].value; $task = Get-ScheduledTask | where TaskName -EQ $taskName; $jsonTask = $task.Actions | ConvertTo-Json -Compress; try{$stream = [System.IO.StreamWriter]::new( '%logFile%', $true );'{\"ScheduledTaskAR\": ' + $jsonTask + ', \"TaskName\": \"' + $taskName + '\"}' | ForEach-Object{ $stream.WriteLine( $_ ) }}finally{$stream.close()}; exit"
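To make the detection chain above easier to reason about, here is an added Python model of it (not part of the original wiki or of Wazuh): it applies the rule 115006 field matches and the rule 115007 suppression to constructed win.eventdata samples, and pulls the task name out of targetObject the same way the active-response script's select-string does, emitting the JSON line format the script writes. Python re patterns stand in for Wazuh's pcre2, and the sample events are constructed, not captured.

```python
import json
import re
from typing import Optional

# Field patterns mirroring rules 115006 / 115007 in local_rules.xml.
RULE_NAME_RE = re.compile(r"^technique_id=T1053,technique_name=Scheduled Task$")
EVENT_TYPE_RE = re.compile(r"^CreateKey$")
TREE_PREFIX = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
SUPPRESSED_RE = re.compile("^" + re.escape(TREE_PREFIX + r"\Microsoft\Windows\UpdateOrchestrator") + "$")
# Same idea as the AR script: the task name is the last path element under ...\Tree.
TASK_NAME_RE = re.compile(re.escape(TREE_PREFIX) + r".*\\(\S*)$")

# Constructed Sysmon registry-event data, shaped like Wazuh's decoded win.eventdata.
SAMPLE_EVENTS = [
    {"ruleName": "technique_id=T1053,technique_name=Scheduled Task", "eventType": "CreateKey",
     "targetObject": TREE_PREFIX + r"\Microsoft\Windows\OpenSnippingTool"},
    {"ruleName": "technique_id=T1053,technique_name=Scheduled Task", "eventType": "CreateKey",
     "targetObject": TREE_PREFIX + r"\Microsoft\Windows\UpdateOrchestrator"},
    {"ruleName": "technique_id=T1053,technique_name=Scheduled Task", "eventType": "SetValue",
     "targetObject": TREE_PREFIX + r"\Microsoft\Windows\OpenSnippingTool\Id"},
]


def classify(eventdata: dict) -> Optional[str]:
    """Return 'alert' (115006 fires), 'suppressed' (115007 takes over at level 0) or None."""
    if not (RULE_NAME_RE.match(eventdata.get("ruleName", ""))
            and EVENT_TYPE_RE.match(eventdata.get("eventType", ""))):
        return None
    if SUPPRESSED_RE.match(eventdata.get("targetObject", "")):
        return "suppressed"
    return "alert"


def ar_log_line(eventdata: dict, actions: list) -> str:
    """Build the JSON line the active response appends to scheduled-tasks.log.

    `actions` stands in for the output of Get-ScheduledTask ... | ConvertTo-Json.
    """
    match = TASK_NAME_RE.search(eventdata["targetObject"])
    task_name = match.group(1) if match else ""
    return json.dumps({"ScheduledTaskAR": actions, "TaskName": task_name}, separators=(",", ":"))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = classify(event)
        print(verdict, event["targetObject"])
        if verdict == "alert":
            print(ar_log_line(event, [{"Execute": "snippingtool.exe"}]))
```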
  • In the ossec-agent folder under Program Files (x86), open C:\Program Files (x86)\ossec-agent\local_internal_options.conf and add the following so the agent will run the command sent by the manager:
wazuh_command.remote_commands=1
  • Lastly, we configured the manager's configuration file at /var/ossec/etc/ossec.conf with the command definition and the active response that fires on rule 115006:
<command>
   <name>analyze-scheduled-task</name>
   <executable>analyze-scheduled-task.cmd</executable>
   <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
   <disabled>no</disabled>
   <command>analyze-scheduled-task</command>
   <location>local</location>
   <rules_id>115006</rules_id>
</active-response>
  • Once this has all been set up, run the following command on the Wazuh manager:
systemctl restart wazuh-manager
  • Also restart the Wazuh agent service through the Services application on wks01.

Task Scheduler Setup

  • The tasks we chose to schedule mimicked some of the actions of our threat group. Overall, we had 3 tasks scheduled:
    1. Opens Snipping Tool (we’re using Snipping Tool as a proxy for something like Cobalt Strike, because our threat group has taken screen captures on compromised machines)
    2. Closes Snipping Tool (just a follow-up to the prior task, so that there is some form of evasion)
    3. Runs pingscript.ps1 and outputs the results to ping.txt on the Desktop (the script is below; it just records any IPs on the 172.16.150.0/24 network that returned successful pings, and the output file goes to the Desktop for ease of access)
# Sweep the 172.16.150.0/24 range with one ICMP echo each and record the hosts that answer.
$ipRange = 1..254 | ForEach-Object { "172.16.150.$_" }
$outputFile = "$env:USERPROFILE\Desktop\ping.txt"
# Relaxes the execution policy for this process only, so the task can run the unsigned script.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
foreach ($ipAddress in $ipRange) {
    $pingResult = Test-Connection -ComputerName $ipAddress -Count 1 -Quiet
    if ($pingResult) {
        "$ipAddress is reachable" | Out-File -FilePath $outputFile -Append
    }
}
  • To create a scheduled task, do the following:
    • Open Task Scheduler
    • Navigate to where you want the task to be created (ours were in Task Scheduler/Microsoft/Windows)
    • Right-click the space in the upper half of the window and select “Create New Task”
    • Name the task and add a description if desired
    • For all of our tasks, we had a few default options set:
    • Firstly, in the “General” tab, select “Run only when user is logged on” and tick “Run with highest privileges”
    • In the “Conditions” tab, disable the settings in the “Power” section
    • In the “Settings” tab, make sure only the following settings are ticked on:
      • Allow task to be run on demand
      • Stop the task if it runs longer than: 1 hour
      • If the running task does not end when requested, force it to stop
    • All of our scheduled tasks ran on time-based triggers:
      • The pingscript.ps1 task runs once daily at 2:26 PM.
      • The Snipping Tool open and close tasks run hourly after 5:00 PM every day, with the close task happening 2 minutes after the open task
    • For the pingscript.ps1 task configuration, make sure the action is set properly:
      • Action: Start a program
      • Program/script: browse to the file location of powershell.exe
      • Add arguments (optional): -ExecutionPolicy Bypass -File C:\Location\of\script.ps1
      • Start in (optional): C:\location\of\directory

Lastly, if you were on a team, discuss who did what and any difficulties encountered in the project. (1 point)

  • We split the work mostly into two parts, but we crossed over here and there, mostly when troubleshooting.
    • Attack (Max): I set up the scheduled tasks and did the research for our APT (BRONZE BUTLER) and the TTPs we chose. I also helped with the Wazuh/Sysmon initial configuration and troubleshooting.
    • Defence (Eric): I set up and configured the Wazuh agent’s rules, the Sysmon install, and the local rules on both the Wazuh machine and the wks01 target station.