Saturday, June 22, 2024
HomeMicrosoft WindowsHuman Habits In Digital Forensics, pt III

Human Habits In Digital Forensics, pt III

Thus far, components I and II of this collection have been printed, and at this level, there’s one thing that we actually have not talked about.

That’s, the “So, what?”. Who cares? What are the advantages of understanding human habits rendered by way of digital forensics? Why does it even matter?

Digital forensics can present us perception right into a menace actor’s sophistication and situational consciousness, which may, in flip, assist us perceive their intent. Are they new to the setting, and attempting to get the “lay of the land”, or are their actions extraordinarily environment friendly, and do they look like going on to the information they’re on the lookout for, as if they’ve been right here earlier than or had detailed prior information?

Observing the menace actor’s actions (or the impacts thereof) helps us perceive not simply their intent, however what else we must be on the lookout for. For instance, observing the Samas ransomware menace actors in 2016 revealed no obvious curiosity in information assortment or theft; there was no looking out or discovery, no information staging, and many others. That is in distinction to the Non-PCI Case from my earlier weblog publish; the menace actor was apparently serious about information, however didn’t seem to have an understanding of the infrastructure they’d accessed (looking for “banking” in a healthcare setting).

Carrying this ahead, we will then use what we study concerning the menace actor, by observing their actions and impacts, to raised perceive our personal management efficacy; what labored, what did not, and what can work higher at stopping, or detection and responding to, the menace actor?

Per the graphic to the left, understanding human habits rendered by way of digital forensics is assumed to offer perception into future assaults…however can it actually? And if this is the case, how so?

Nicely, we have identified for a while that there is actually no single actor or group that focuses solely on one sort of goal. Think about this weblog publish from 2015, making it nearly 9 yrs outdated on the time of this writing. The findings introduced within the weblog publish stay true, and are repeated, even at the moment. 

So, “profiling” a menace actor could not mean you can anticipate who (what goal infrastructure) they’ll assault subsequent, however inside a restricted window, it is going to present a substantial amount of perception into how one can count on them to conduct the follow-on phases of an assault. The goal is probably not identified, however the actions taken, significantly within the close to time period, shall be illuminated by what was noticed on a earlier assault.

In 2016, the staff I used to be with responded to about half a dozen Samas ransomware assaults, throughout a variety of verticals; they have been concentrating on susceptible JBoss CMS techniques, whatever the underlying enterprise. What we discovered by trying throughout these a number of assaults allowed us to establish different potential targets, in addition to reply to and shut down some assaults that have been underway; we noticed that the menace actors took a mean of 4 months to go from preliminary entry to deploying the ransomware. Throughout this time, there was no obvious curiosity in information staging or theft; the intent gave the impression to be to establish “crucial” techniques inside the infrastructure, and acquire the mandatory privileges to deploy ransomware to these techniques.

Reacting to Stimulus

Further perception could be discovered by observing how a menace actor reacts to “stimulus”. There could also be instances when a menace actor’s actions are unfettered; they proceed about their actions with out being inhibited or blocked in anyway. They don’t seem to be blocked by EDR instruments, nor AV. From these incidents, we will study a very good deal concerning the menace actor’s playbook, and we may even see the way it evolves over time. Nevertheless, there could also be instances the place the menace actor encounters points, both with safety tooling blocking their efforts, or instruments they convey in from the surface crashing and never executing on the endpoint. It is throughout these incidents that we get a extra expansive view of the menace actor, as we observe their actions in response to stimulus.

Whereas I used to be with Crowdstrike, we would frequently “see”, by way of the EDR telemetry, the actions taken by numerous menace actors when the Crowdstrike product blocked their processes from executing. In a single occasion, the Crowdstrike agent stopped the menace actor’s course of, and their response was to aim to disable and take away Home windows Defender. They then moved to a different endpoint, and once they encountered the identical problem, they tried to take away an AV product that was not put in anyplace inside the infrastructure. They lastly moved to a 3rd endpoint, and when their makes an attempt continued to be blocked, they ran a batch file meant to take away a number of AV merchandise, none of which have been put in on the endpoint. Apparently, they left the infrastructure with out ever working a command to see what processes have been working, nor what purposes have been put in.

We noticed menace actors on endpoints monitored by the Crowdstrike agent doing queries to see if Carbon Black was put in. To be clear, the instructions weren’t basic, “…give me a listing of processes…” instructions, however have been particular to figuring out Carbon Black.

In one other occasion, we noticed the menace actor land on a monitored endpoint, and start querying different endpoints inside the infrastructure to see in the event that they have been working the Falcon agent. They reached out to fifteen endpoints, and whereas we couldn’t see the responses, we knew from our dashboard that the agent was solely on 4 of the queried endpoints. The menace actor then moved to one of many endpoints that didn’t have an agent put in. The fascinating factor about this was that once they landed on the monitored endpoint, we noticed no instructions run nor every other indication of the menace actor checking that endpoint for the agent; it was as in the event that they already knew. 

Even with out EDR or AV blocking the menace actor’s makes an attempt, we should still be capable to observe how the menace actor responds to stimulus. I’ve seen various instances the place a menace actor will try to run one thing, and Home windows Error Reporting kicks off as a result of their EXE crashes. What do they do? I’ve seen ransomware menace actors unable to encrypt information on an endpoint, and working their device with the “–debug” command swap, a number of instances. They could additionally try to obtain newer or totally different copies of their instruments, and check out working them once more. 

In different cases, I’ve seen instructions fail, and the menace actor attempt one thing else. I’ve additionally seen instruments crash, and the menace actor take no motion. Seeing how a menace actor responds to the problems they encounter, watching their habits and whether or not they encounter any points, offers vital perception into their intent.

Different Features of the Assault

There are different facets of an assault that we will look to to raised perceive the menace actor. For instance, when the menace actor initially accesses an endpoint, how do they achieve this? RDP? MSSQL? Another software, like TeamViewer?

Is the entry preceded by failed login makes an attempt, or does the supply IP handle for the menace actors profitable entry to the system not seem on the checklist of IP addresses for failed login makes an attempt?

As soon as they’ve entry, what do they do, how quickly/quick do they do it, and the way do they go about their actions? In the event that they entry the endpoint by way of RDP, do they use all GUI instruments, do they go to PowerShell, do they use cmd.exe, and many others.? Do they use WSL, if it is put in? Do they use native utilities/LOLBins? Do they use batch information? 

Did they create any extra persistence? If that’s the case, what do they do? Create consumer accounts? Add providers or Scheduled Duties? Do they lay any “booby traps”, akin to the Focused Menace Actor from my earlier weblog publish?

Throughout their time on the endpoint, do they appear ready, or do they “muck about”, as in the event that they’re wandering round a darkish room, getting the lay of the land? Do they make errors, and if that’s the case, how do they overcome them? 

After they disconnect their entry, how do they go about it? Do they merely break the connection and sign off, or do they “salt the earth”, clearing Home windows Occasion Logs, deleting information, and many others.?

An necessary caveat to those facets is now we have to be very cautious about how we view and perceive the actions we observe. There have been various instances the place I’ve labored with analysts with purple staff expertise, and have heard them say, “…if I have been the attacker, I might have…”. This kind of bias could be detrimental to understanding what’s truly happening, and may result in sources being deployed within the flawed course. 

As Blade acknowledged in the course of the first film (quote 3), “…whenever you perceive the character of factor, you recognize what it is able to.” Understanding a menace actor’s nature offers perception into what they’re able to, and what we must be on the lookout for on endpoints and inside the infrastructure.

This additionally helps us perceive management efficacy; what controls did now we have in place for prevention, detection, and response? Did they work, or did they fail? How might these controls be improved, or higher carried out? 



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments