Staff Picks for Splunk Security Reading: June 2018

Ryan Kovar

"I've got schnitzel on my mind"
@meansec

CyberChef & DFIR by @mattnotmax

I evangelize Cyberchef so much I feel like I should get a kickback from GCHQ. If you haven't used this tool, it is legit awesome for DFIR and OSINT work. Whenever I work an incident, I have an instance running in a tab. If you haven't used Cyerchef before, take a look at the blog post above by @mattnotmax. He describes some high-level use cases and walks through some kick ass examples of cyber badassery. Dave Herrald and I gave a talk at the SANS SIEM, and Tactical Analysis summit called "10 Holiday Gifts for the SOC Who Has Everything" where (among nine other topics) we describe how to integrate Cyberchef into Splunk. Dave even released a Cyberchef TA :-) If you aren't looking at Cyberchef today, I sure hope we have changed your mind.

James Brodsky

"Why wouldn't I bring my laptop camping?"
@james_brodsky

The Tale of SettingContent-ms Files by Matt Nelson @enigma0x3

"Build some cool endpoint stuff that is new and relevant into BOTS this year..." said Ryan. "We want those BOTS competitors to be challenged, enamored, and mystified." So off I went, while flying on international flights (okay fine, Calgary...it counts) to see what some of the latest and greatest techniques concerning exploitation and installation of nefarious code on Windows systems was, hoping to find something easily detectable with Splunk. So here's one. It turns out on Windows 10 there's a new file format ".settingcontent-ms" that can be used to launch Windows settings pages. But you can also abuse that format to launch...whatever you want. And you can chain executables so it looks like the program you expected to launch did. And you can embed them as OLE objects in Office documents and bypass Windows 10's ASR safeguards easily. How to detect? Well, besides watching your Windows Security 4688 or Sysmon 1 events for executables launched by Office binaries like Word and Excel like we've talked about for years, you can also look for ".settingcontent-ms" executables running from paths that are NOT C:\Windows\ImmersiveControlPanel. All of this maps well to the first and third stages of Splunk's Security Journey and experience for yourself in our Security Essentials app.

Dave Herrald

"Everything's Phantastic"
@daveherrald

Automating Atomic Red Team: How to Scale and Improve Testing

If you've seen my previous picks for this series, my choice this month will probably come as no surprise. I and fellow Splunkers Kyle Champlin and Tim Frazier have been busy preparing for our adversary simulation talk for .conf18 in October. This means full immersion in all things associated with MITRE ATT&CK™ and the related Atomic Red Team community project created by Red Canary. "Automating Atomic Red Team: How to Scale and Improve Testing" is a webinar that details the substantial changes recently completed by the Atomic Red Team community to transform their library of tests to support automation. Suffice to say that the new YAML format is as easy to parse in code as the markdown version has been (and still is) for a human to read. This unlocks a world of possibility to automate testing of your detections against the entire library of attacker techniques in Atomic Red Team. The webinar also includes an introduction to the MITRE Caldera project which seeks to more realistically emulate the decisions that a human attacker is likely to make while operating in a Microsoft Windows environment in a post-compromise situation. A big thanks to presenters Casey Smith (@subTee), Mike Haag (@M_haggis), Brian Beyer (@brianebeyer), and Blake Strom (@stromcoffee) for sharing these updates with the community.

John Stoner

"I like to think of myself as a serious man"
@stonerpsu

Endpoint detection Superpowers on the cheap --- part 3 --- Sysmon Tampering by Olaf Hartong

My selection this month is part three of a multiple part series on Sysmon that Olaf Hartong is posting on Medium. Why just part three? Don't get me wrong, parts one and two are great and as he adds to it, you will likely hear more, but the reason I really like part three is because he tackles some monitoring techniques to identify when Sysmon is being tampered with. We love Sysmon because of the insight it provides, but what happens when a determined adversary (or anyone with ill intent) tries to mask their actions? They could start by turning off the service, changing the configuration, or even using tools like Invoke-Phant0m to kill threads but leaving the service running? Olaf covers all of this as well as provides tips to protect your Sysmon service and configuration, as well as some handy searches in Splunk to monitor for this kind of behavior. For anyone who is using Sysmon or considering it, check out these tips to ensure your Sysmon data will always be accurate and available when you need it the most!