Bro, I Can See You Moving Laterally


Presentation on theme: "Bro, I Can See You Moving Laterally"— Presentation transcript:

1 Bro, I Can See You Moving Laterally
Introduce myself. Thank everyone for coming out to the talk, and BSidesNoVA for having me. Richie Cyrus @rrcyrus

2 Who Am I?
Defender - Incident Responder @ CME Group
Network Security Monitoring (NSM) fanboy
A healthy obsession with finding malicious activity, and new ways to go about doing so. @rrcyrus

3 Do You Even "Bro"?
Bro logs, the Bro SMB analyzer, Bro scripting
Ask how many people are familiar with Bro. Discuss some of the items that will be mentioned in this talk.

4 Post Compromise Activity (Lateral Movement)
Discuss this as a problem statement: we often lack the visibility inside our networks to resolve it. Review what lateral movement is. Why do we want to track activity at this stage? Finding one issue starts the IR process.

5 SMB Protocol
Used for file sharing, MS-SQL, printing, etc.
SMB version 2.x; version 3.x on Windows 10, etc.
Preconditions for lateral movement over SMB: file and printer sharing over SMB enabled; host/network firewalls not blocking SMB ports between source and destination; use of a domain account in the administrator group on the remote system, or the default local administrator account.
Examples: Shamoon searched for admin shares and moved an executable to a network share to be run by a scheduled task. Lazarus Group (SierraAlfa) made use of the ADMIN$ share. Ke3chang is known to copy files to network shares to move laterally.

6 Methods Typically Used
IDS: Snort rules detecting the use of admin shares or PsExec, for example:
alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY PsExec? service created"; flow:to_server,established; content:"|5c e |"; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net; classtype:suspicious-filename-detect; sid:201781; rev:2;)
Windows event logging and forwarding: turn on auditing via GPO for remote shares (Event IDs 5140, 5142, 5145, etc.) and feed those events to a SIEM. The Windows side can get noisy.

7 Bro Network Security Monitor
Metadata for network protocols; file metadata; alerting.
ASCII logs: easy to grep or bro-cut, and to ingest into a SIEM.
Bro as an alternative detection method. Explain that Bro can be used standalone or within a corporate setting. I've used it via Security Onion, in a mimic of a production environment.

8 Example of Bro Log
Insert an example of the logs that Bro generates, and then an example of one of those logs, for instance the HTTP log. Use less -S to view the log without line wrapping, or bro-cut to pull out particular fields of interest.

9 Bro & SMB
SMB policy not enabled by default: uncomment the policy in /opt/bro/share/bro/site/local.bro.
New logs: smb_cmd.log, smb_files.log, smb_mapping.log, ntlm.log, dce_rpc.log.
Not enabled by default on version. Talk about how to enable the policy. Screenshot of the new SMB logs.

10 Bro Scripting
Built on C++; event-driven scripting language. Can read data from external files (blacklists).
Notice framework: allows for alerting.
Files framework: grabs file metadata.
We now have additional visibility; however, we want the alerting capabilities as an alternative to IDS or Windows logging, with alerts sent to the SIEM.

11 SMB Files to VirusTotal
Uses the Files framework. Grabs the hash of each file seen over SMB and checks the hash against VirusTotal, detecting known malicious files transferred over SMB.
VT API key, free version: the key only allows 4 requests per minute, so it is limited in nature.
Why you wouldn't want to submit the file itself to VT.

12 Accessing SMB Admin Shares
Detects attempts to access IPC$, ADMIN$, C$, D$, etc. and sends an alert to notice.log.
Normal users should not be accessing these shares.

13 Rogue Hostname Detection
Any hostname in ntlm.log not matching the naming convention of a particular company, e.g. SECNET-WINHVA001.
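Both detections above (admin share access from smb_mapping.log, rogue hostnames from ntlm.log) can be prototyped offline against Bro's ASCII logs before being written as Bro notices. The following is an added example, not the speaker's script; the #fields column names are assumed from Bro 2.5's smb_mapping.log and ntlm.log, the records are constructed, and the SECNET-<letters><digits> hostname convention is assumed from the slide's example.

```python
import re

# Constructed sample logs in Bro's tab-separated ASCII format; #fields names assume
# Bro 2.5's smb_mapping.log and ntlm.log, the records themselves are made up.
SMB_MAPPING_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tpath\tservice\tnative_file_system\tshare_type",
    "1490000000.1\tCa1\t10.0.0.5\t49152\t10.0.0.20\t445\t\\\\10.0.0.20\\ADMIN$\t-\tNTFS\tDISK",
    "1490000001.2\tCb2\t10.0.0.6\t49153\t10.0.0.20\t445\t\\\\10.0.0.20\\Public\t-\tNTFS\tDISK",
    "1490000002.3\tCc3\t10.0.0.5\t49154\t10.0.0.21\t445\t\\\\10.0.0.21\\IPC$\t-\t-\tPIPE",
])
NTLM_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tusername\thostname\tdomainname\tsuccess\tstatus",
    "1490000003.4\tCd4\t10.0.0.5\t49155\t10.0.0.20\t445\tadministrator\tDESKTOP-7F3K2Q\tSECNET\tT\tSUCCESS",
    "1490000004.5\tCe5\t10.0.0.7\t49156\t10.0.0.20\t445\tjdoe\tSECNET-WINHVA001\tSECNET\tT\tSUCCESS",
    "1490000005.6\tCf6\t10.0.0.8\t49157\t10.0.0.20\t445\t-\t-\t-\t-\t-",
])

# Administrative shares: IPC$, ADMIN$ and the drive-letter shares C$, D$, ...
ADMIN_SHARE_RE = re.compile(r"\\(IPC\$|ADMIN\$|[A-Z]\$)$", re.IGNORECASE)
# Assumed naming convention for this example: SECNET-<letters><digits>, e.g. SECNET-WINHVA001
HOSTNAME_RE = re.compile(r"^SECNET-[A-Z]+[0-9]+$")

def parse_bro_log(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other header lines, blanks, or data before any #fields line
        else:
            yield dict(zip(fields, line.split("\t")))

def admin_share_notices(smb_mapping_text):
    """(orig_h, resp_h, share) for every tree connect to an administrative share."""
    hits = []
    for rec in parse_bro_log(smb_mapping_text):
        m = ADMIN_SHARE_RE.search(rec.get("path", "-"))
        if m:
            hits.append((rec["id.orig_h"], rec["id.resp_h"], m.group(1).upper()))
    return hits

def rogue_hostname_notices(ntlm_text):
    """(orig_h, hostname) for NTLM authentications whose client hostname breaks the convention."""
    hits = []
    for rec in parse_bro_log(ntlm_text):
        host = rec.get("hostname", "-")
        if host != "-" and not HOSTNAME_RE.match(host):  # "-" is Bro's empty field
            hits.append((rec["id.orig_h"], host))
    return hits
```

Each returned tuple corresponds to one notice.log entry the Bro script would raise; the non-convention DESKTOP-7F3K2Q name is what an unmanaged or attacker-controlled machine authenticating with NTLM would look like.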

14 DEMO Malicious Attacker (Post Compromise) vs Defender

15 Bro Detecting the "Bro"
From no visibility to having a new way to catch attackers during the post-compromise stage. Catching the bro in the act (picture). Incident Response hierarchy of needs.

16 Questions? Slides: securityneversleeps.net
Scripts: Scripts
