This guide will provide you with a step-by-step of all the commands we will use throughout this workshop. Please reference it as we move forward. If you have questions, feel free to ask your group moderator.
In this lab we will actually be building the lab environment we will be using Virtual Box and Windows.
- VirtualBox
- Microsoft Windows 10 Enterprise Evaluation Copy (download 64 bit)
- LimaCharlie Docs
-
Download and install VirtualBox on you laptop if you do not already have it, install the appropriate version for your operating system.
-
Download the Microsoft Windows 10 Enterprise Evaluation Copy ISO (64 bit) and save it in a folder on your system called "EDR_Workshop"
-
Open VirtualBox and click on "New" to create a new VM
- Configure your new VM.
- For "Folder" navigate to the "EDR_Workshop" folder you created (where the Windows ISO was saved).
- For "ISO" navigate to the actual Windows ISO you downloaded.
- The "Edition" should automatically populate.
- Select "Skip Unattended Installation"
- Click on "Next"
- On the "Hardware" screen bump the memory up to around 8GB if you system has the RAM available (2GB will still work...things will just be slow)
- Leave the "Virtual Hard disk" screen with the defaults.
-
On the next screen review and click "Finish" and then click "Start"
-
Go through the install process for Windows
-
When asked to "Sign in with Microsoft" click on "Domain join intead" in the lower left hand corner and create a local username and password.
-
In VirtualBox go to the top menu and go to "Devices -> Insert Guest Additions CD image"
-
Navigate via explorer to the now mounted CD drive and access the "VirtualBox Guest Additions" and double click on "VBoxWindowsAdditions-amd64" and follow the wizard to install and let the Windows system reboot.
- Go to the top menu in VirtualBox and go to "Machine -> Take Snapshot" and name it "Base Install"
We will use the free tier of LimaCharlie for our lab, this will allow us to easily deploy an agent to start gathering telemetry from our Windows system, and then start writing and deploying detection and response rules.
- Create a free LimaCharlie account (please select BSides Austin for the first option, feel free to use a burner email).
- Once you have an organization setup in LimaCharlie, log into your LimaCharlie account on your Windows Virtual Machine on VirtualBox . Then got to your organization and then to "Sensors" and click on "+ Add Sensor"
- Next go to "Endpoint" and click on the Windows option.
- You will be asked to select an installation key, as this is our first sensor we will need to create one, so click on "Create New", in the "Description" enter "Windows1" then click "Create"
- Next we will need to select the specific agent for our operating system, in this case we will select the "x86-64(.exe)" option, next we click on the "Download the selected installer" link to start the download to your Windows system. Find the download in your downloads folder and move it to your desktop.
- Go to your Windows VM and open the Command Prompt and "Run as administrator" navigate to your desktop and run the installer executable from the Command Prompt with the command line argument with the installer key to install the agent.
-
Log into your LimaCharlie account and go to the menu on the left and navigate to "Automation -> D&R Rules"
-
Click the "+ New Rule" button to create a new detection rule
-
Name the rule "First Detection - [YOUR FIRST AND LAST NAME] "
-
In the "Detect" window copy and past this YAML detection code:
event: DNS_REQUEST
op: is
path: event/DOMAIN_NAME
value: superevildomain.comIn the "Response" window enter this YAML response code:
- action: report
name: DNS Hit superevildomain.comSave the detection and ensure it is enabled.
-
Go to your Windows Virtual Machine in VirtualBox and open a browser and visit the superevildomain.com
-
After a minute go to your LimaCharlie account and navigate to "Detections" on the left hand navigation. You should see an alert for your new detection rule.
So now we will create a more useful rule for Windows, we will use our EDR agent to detect if Windows Defender is disabled on a system. However, we will first need to add Windows Event Logs (WEL) to the telemetry we collect from the system.
- In LimaCharlie on the left side navigation menu go to "Sensors -> Artifact Collection" and click on the "+ Add Artifact Collection Rule" button and give it the name of "windows-logs"
- In the patterns field we will add several Windows Event Logs that our EDR sensor will send to LimaCharlie which we can then write detections for. Enter each of these in the pattern field:
wel://application:*wel://security:*wel://system:*wel://Microsoft-windows-Windows Defender/Operational:*Set the "Platform(s)" field to "windows" and save your Artifact Collection Rule
- Now we will write a new rule that will detect when Windows Defender is disabled, go back to your D&R Rules (Automation -> D&R Rules) and click "+ New Rule" and enter this YAML for the detection logic:
event: WEL
op: is
path: event/EVENT/System/EventID
value: '5001'Then enter this YAML for a basic reporting response:
- action: report
name: Windows Defender Malware Disabled
Save your new detection make sure you add [YOUR FIRST AND LAST NAME] in the name.
- Go into your Windows Virtual Machine in VirtualBox and disable Windows Defender (search Defender in the search box in the main nav)
We will setup a single YARA rule that will run on the endpoint at regular intervals.
-
In your LimaCharlie account go to "Automation -> YARA Rules" and click on the "+ Add Yara Rule" button
-
You can write your own YARA rule, or leverage rules built by the community, in this exercise we will use Florian Roth's God Mode YARA rule.
-
In the name field enter "God Mode" and then copy and paste the YARA rule:
/*
_____ __ __ ___ __
/ ___/__ ___/ / / |/ /__ ___/ /__
/ (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
\___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
\ \/ / _ | / _ \/ _ | / _ \__ __/ /__
\ / __ |/ , _/ __ | / , _/ // / / -_)
/_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/
Florian Roth - v0.8.1 August 2024 - Merry Christmas!
The 'God Mode Rule' is a proof-of-concept YARA rule designed to
identify a wide range of security threats. It includes detections for
Mimikatz usage, Metasploit Meterpreter payloads, PowerShell obfuscation
and encoded payloads, various malware indicators, and specific hacking
tools. This rule also targets ransomware behaviors, such as
shadow copy deletion commands, and patterns indicative of crypto mining.
It's further enhanced to detect obfuscation techniques and signs of
advanced persistent threats (APTs), including unique strings from
well-known hacking tools and frameworks.
*/
rule IDDQD_God_Mode_Rule {
meta:
description = "Detects a wide array of cyber threats, from malware and ransomware to advanced persistent threats (APTs)"
author = "Florian Roth"
reference = "Internal Research - get a god mode rule set with THOR by Nextron Systems"
date = "2019-05-15"
modified = "2024-01-12"
score = 60
strings:
$ = "sekurlsa::logonpasswords" ascii wide nocase /* Mimikatz Command */
$ = "ERROR kuhl" wide xor /* Mimikatz Error */
$ = " -w hidden " ascii wide nocase /* Power Shell Params */
$ = "Koadic." ascii /* Koadic Framework */
$ = "ReflectiveLoader" fullword ascii wide xor /* Generic - Common Export Name */
$ = "%s as %s\\%s: %d" ascii xor /* CobaltStrike indicator */
$ = "[System.Convert]::FromBase64String(" ascii /* PowerShell - Base64 encoded payload */
$ = "/meterpreter/" ascii xor /* Metasploit Framework - Meterpreter */
$ = / -[eE][decoman]{0,41} ['"]?(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA|cgBlAG)/ ascii wide /* PowerShell encoded code */
$ = / (sEt|SEt|SeT|sET|seT) / ascii wide /* Casing Obfuscation */
$ = ");iex " nocase ascii wide /* PowerShell - compact code */
$ = "Nir Sofer" fullword wide /* Hack Tool Producer */
$ = "impacket." ascii /* Impacket Library */
$ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject)/ nocase /* Hack Tool Output Pattern */
$ = "0000FEEDACDC}" ascii wide /* Squiblydoo - Class ID */
$ = "vssadmin delete shadows" ascii nocase /* Shadow Copy Deletion via vssadmin - often used in ransomware */
$ = ".exe delete shadows" ascii nocase /* Shadow Copy Deletion via vssadmin - often used in ransomware */
$ = " shadowcopy delete" ascii wide nocase /* Shadow Copy Deletion via WMIC - often used in ransomware */
$ = " delete catalog -quiet" ascii wide nocase /* Shadow Copy Deletion via wbadmin - often used in ransomware */
$ = "stratum+tcp://" ascii wide /* Stratum Address - used in Crypto Miners */
$ = /\\(Debug|Release)\\(Key[lL]og|[Ii]nject|Steal|By[Pp]ass|Amsi|Dropper|Loader|CVE\-)/ /* Typical PDB strings found in malware or hack tools */
$ = /(Dropper|Bypass|Injection|Potato)\.pdb/ nocase /* Typical PDP strings found in hack tools */
$ = "Mozilla/5.0" xor(0x01-0xff) ascii wide /* XORed Mozilla user agent - often found in implants */
$ = "amsi.dllATVSH" ascii xor /* Havoc C2 */
$ = "BeaconJitter" xor /* Sliver */
$ = "main.Merlin" ascii fullword /* Merlin C2 */
$ = "\x48\x83\xec\x50\x4d\x63\x68\x3c\x48\x89\x4d\x10" xor /* Brute Ratel C4 */
$ = "}{0}\"-f " ascii wide /* PowerShell obfuscation - format string */
$ = "HISTORY=/dev/null" ascii /* Linux HISTORY tampering - found in many samples */
$ = " /tmp/x;" ascii /* Often used in malicious linux scripts */
$ = /comsvcs(\.dll)?[, ]{1,2}(MiniDump|#24)/ /* Process dumping method using comsvcs.dll's MiniDump */
$ = "AmsiScanBuffer" base64 base64wide /* AMSI Bypass */
$ = "AmsiScanBuffer" xor(0x01-0xff) /* AMSI Bypass */
$ = "%%%%%%%%%%%######%%%#%%####% &%%**#" ascii wide xor /* SeatBelt */
condition:
1 of them
}
-
Next we will add the rule to a scanner. In LimaCharlie navigate to "Automation -> YARA Scanners" and click the "+ Add YARA Scanner"
-
In the drop down you should see the God Mode YARA rule we just created select it. For platforms select "windows" and "linux" and click "Save".
Now let's build on what we have learned in the first lab, writing a detection for a single domain is great to test our initial setup, but not particularly practical. Let's add a threat intelligence feed to our LimaCharlie environment and use it in a detection.
-
In the top navigation click on "Add-ons" and search for "ransomware" you should see a "ransomware-domains" threat list and subscribe to it for your org
-
Now go back to our org and navigate back to Automation -> D&R Rules and click "New Rule" in the upper right hand corner add [YOUR FIRST AND LAST NAME] to the title of the rule
-
For our detection this time we will now do a lookup on the ransomware domain threat feed:
event: DNS_REQUEST
op: lookup
path: event/DOMAIN_NAME
resource: 'lcr://lookup/ransomware-domains'
- Let's assume that we have a high confidence in our threat intel feed, if a device contacts a domain we are going to not only trigger an alert, but also isolate the host, in the response section of the detection add:
- action: report
name: Ransomware Domain Detection Hit
- action: isolate network
Your detection should look like this:
For credit show your instructor you completed detection rules.