toolsmith - Threats & Indicators: A Security Intelligence Lifecycle

 *borrowed directly from my parent team, thanks Elliot and Scott

Prerequisites

Microsoft .NET Framework, Version 3.5 or higher for IOCe

Python 2.7 interpreter for OpenIOC to STIX

Introduction

I’ve been feeling as if it’s time to freshen things up a bit with toolsmith and occasionally offer a slightly different approach to our time-tested process. Rather than always focusing on a single tool each month (fear not, we still will), I thought it might be equally compelling, perhaps more, if I were to offer you an end-to-end scenario wherein we utilize more than one tool to solve a problem. A recent series I wrote for the SANS Internet Storm Center Diary, a three-part effort called Keeping the RATs Out (Part 1, Part 2, Part 3), I believe proved out how useful this can be.

I receive and review an endless stream of threat intelligence from a variety of sources. What gets tricky is recognizing what might be useful and relevant to your organizations and constituencies. To that end I’ll take one piece of recently received intel and work it through an entire lifecycle. This intel came in the form of an email advisory via the Cyber Intelligence Network (CIN) and needs to remain unattributed. The details, to be discussed below, included malicious email information, hyperlinks, redirects, URL shorteners, ZIP archives, malware, command and control server (C2) IPs and domain names, as well as additional destination IPs and malicious files. That’s a lot of information but sharing it in standards-based, uniform formats has never been easier. Herein is the crux of our focus for this month. We’ll use Mandiant’s IOCe to create an initial OpenIOC definition, Mitre’s OpenIOC to STIX, a Python utility to convert OpenIOC to STIX, STIXviz to visualize STIX results, and STIX to HTML, an XSLT stylesheet that transforms STIX XML documents into human-readable HTML. Sounds like a lot, but you’ll be pleasantly surprised how bang-bang the process really is. IOC represents Indicators Of Compromise (in case you just finally just turned off your vendor buzzword mute button) and STIX stands for Structured Threat Information eXpression. STIX, per Mitre, is a “collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information.” It’s well worth reading the STIX use cases. You may recall that Microsoft recently revealed the Interflow project which incorporates STIX, TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression standards) to provide “an automated machine-readable feed of threat and security information that can be shared across industries and community groups in near real-time.“ Interflow is still in private preview but STIX, OpenIOC, and all these tools are freely and immediately available to help you exchange threat intelligence.

The intel

As received from the undisclosed source via CIN, following is the aggregated threat telemetry:

·         Email Subject: Corporate eFax message

·         Email “Sender”: eFax Corporate

·         Malicious Email Link: hxxp://u932475.sendgrid.org/wf/click?upn=

·         Redirects to: hxxps://goo.gl/A4Q0QI (still active as this is written)

·         Expands to: hxxps://www.cubbyusercontent.com/pl/Fax_001_992819_12919.zip/_3f86d70bed3843eda9497a5d36ed8590

·         Drops: Temp1_Fax_001_992819_12919.zip

·         Contains: Fax_001_992819_12919.scr

o   Malware is CryptoWall variant:

§  MD5: 668ddc3b7f041852cefb688b6f952882

§  SHA1: 2bbab6731508800f3c19142571666f8cea382f90

·         C2:

o   hxxp://sanshu.mamgou.net/wp-content/themes/xs/iiaoeoix7c

o   hxxp://pannanawydaniu.com.pl/wp-content/themes/marriage/w8z0ana

o   hxxp://stephanelouis.com/wp-content/themes/gather/9a6ct47znvpi

o   hxxp://delices-au-chateau.fr/wp-content/themes/squash/9b0t1f0koe8

o   hxxp://amedsehri.com/wp-content/themes/exiportal/dh5x3a1815j

o   hxxp://ciltbakim.org/wp-content/themes/baywomen/0ebac31z

o   hxxp://papillon-northwan.com/wp-content/themes/dog02_l/3sab5

o   hxxp://gsxf119.com/wp-content/themes/live-color/k7eh5zug5vq7

·         Destination IPs and related domains

o   212.112.245.170

§  hxxps://www.abyrgvph4qwipb5w2zb.net

o   86.59.21.38

§  hxxps://www.kxglgw6f2fg2g.net

§  hxxps://www.fp5jrlfn5d6s.net

§  hxxps://www.3w64ehhmrz.net

o   213.186.33.17

§  hxxp://delices-au-chateau.fr/wp-content/themes/squash/9b0t1f0koe8

§  hxxp://nitrofirex.com/wp-content/uploads/2014/07/tor2800.tar

·         tor2800.tar

o   MD5: 14bbdcd889ec963d7468d26d6d9c1948

o   SHA1: 39d3bc26b8b6f681cc41304166f76f01eee5763b                      

Additional analysis in my malware sandbox yielded the following information:

·         Each time the .scr is executed it spawns a randomly named portable executable, negating the value of using said name as an indicator.

o   That said, the randomly generated PE spawns an additional PE file, consistently named dttey.exe

o   Dttey.exe deletes the randomly named PE that spawned it, and itself spawns vsspg.exe

o   There is extensive registry modification by all of the above mentioned PEs, some of which we can use for IOCs

o   Randomly named PE is Ransom:Win32/Crowti (CryptoWall)

§  Malware encrypts files on victim PC using a public key.

§  The files can be decrypted with a private key stored in a remote server.

§  Recovery of files is via a personal link that directs you to a Tor webpage asking for payment using BitCoin. The above mentioned IP, 86.59.21.38, is a TOR node. Netresec’s Erik Hjelmvik (CapLoader, Networkminer) covered this node as part of a deeper analysis well worth your reading.

·         Review the Anubis analysis as supplemental information

A compromised victim would be treated to a “service” to decrypt their files as seen in Figure 1. These spectacular @$$h@t$ even offer a very detailed instruction file that pops up, including an FAQ. What I wouldn’t do to these people…

FIGURE 1: CryptoWall decryption “service”

This is more than enough information with which to build a very useful and portable profile, starting with Mandiant’s OpenIOC and IOCe.

OpenIOC and IOCe

Per Mandiant, who created OpenIOC, it is “an extensible XML schema that enables you to describe the technical characteristics that identify a known threat” and allows for “quickly detecting, responding and containing targeted attacks.” Mandiant IOCe allows you to edit and create OpenIOC definitions with ease. Once downloaded and installed IOCe 2.2.0 opens to a fairly simple, rudimentary UI and workspace. Give the User Guide installed with IOCe a read, you’ll see a shortcut for it in your start menu. At first run you’ll need to establish a directory for your IOCs. Go grab the examples from the OpenIOC website as well (under Resources) and drop them in your newly created directory, they serve as good reference material as you begin to build your own.

I always include a description of the parent evil for which I’m populating indicators and give the .ioc a relevant name for the UI list. Recognize that the actual .ioc filename will be the GUID that IOCe generates for it. IOCe utilizes simple AND OR operators for its logic. Basic IOCs can be a collection of OR items; if you use the AND operator all connected elements must be true or the logic fails.

Given the data from the intel provided above, each entity would be added to the IOC definition via the Add: AND OR Item menu. The Item is an expending dropdown menu divided into multiple IOC families such as Email, FileItem, PortItem, and RegistryItem, all of which we’ll used given the data provided. You’’ find the MostCommonly Used Indicator Terms section of OpenIOC.org very useful to more easily search specific entries. Also keep in mind that both Mandiant Redline and Intelligent Response utilize and generate IOC definitions.

After generating all the related entries the resulting definition appears as seen in Figure 2.

FIGURE 2: IOC definition for CryptoWall variant created with IOCe

You can use this IOC definition with your Mandiant tools that consume it, or open it in IOCe to extract the indicators you may wish to add detection for via other tooling. This IOC, Ransom:Win32/Crowti (2a1b3f5d-b6ce-41d9-8500-153a1240a561.ioc) can be found on my website if you’d like to use it try these tools out.

We now have the opportunity to convert this .ioc file into STIX.

OpenIOC to STIX

OpenIOC to STIX conversion is easily accomplished with Mitre’s openioc_to_stix.py script which is simply and OpenIOC XML to STIX XML converter.

One note, as I was writing this I was having trouble with the two email entities we added to the IOC definition; openioc_to_stix.py crashed until I pulled those entries.
Update 7 AUG 2014:  The bug related to openioc_to_stix.py (was actually in ioc_observable.py)

has been repaired. Thanks to the Mitre team, Greg, Ivan, and Bryan for the outreach and rapid bug fix. See https://github.com/STIXProject/openioc-to-stix/commit/9869ad841dddb9c2479b8fc497e106bd52ad6682.

You’ll need a system with a Python 2.7 interpreter available and Pip installed. You’ll need to then use Pip to install the Python STIX and Cybox library dependencies:

pip install stix 

pip install cybox

Then download and unpack the openioc-to-stix ZIP package or use the Git clone option. Once you have dependencies met and the scripts in place you need only run python openioc_to_stix.py -i -o . To convert the IOC definition I created above I simply ran python openioc_to_stix.py -i 2a1b3f5d-b6ce-41d9-8500-153a1240a561.ioc -o CryptoWallVariant.xml after commenting out the email indicator related markup; I’ve also hosted this file for your use.

STIXViz

STIXViz is really easy to install and run. Just download and unpack the package appropriate for your system then execute (StixViz.exe for Windows).

STIXViz is best exemplified with a more complex STIX file such as a Cyber Information Sharing and Collaboration Program (CISCP) Consolidated Indicators as collected by the IT-ISAC (Information Sharing and Analysis Center) and sourced from US-CERT Current Activity data. Note that you need to be an IT-ISAC member for access to these. STIXViz is written by Mitre’s Abigail Gertner and Susan Lubar and for those of you who share my fondness for visualization will represent a wonderful vehicle to do so with threat data. STIXViz includes Graph, Tree, and Timeline views. The Tree view is likely to be deprecated but the Graph View includes linking and relationship labeling (think Maltego) while the Timeline View “shows timestamped STIX data, such as incidents and their associated events, in a zoomable, scrollable display” as noted in release notes. Simply open STIX and select the STIX XML you wish to visualize from your file system via the Choose Files button. Once opened, you can select indicators of interest. I selected exfiltration indicators as seen in Figure 3.

FIGURE 3: STIXVix visualizes CISCP Consolidated Indicators

You will definitely enjoy playing with STIXViz and manipulating the view options as you can pin, freeze, and group until you’ve perfected that perfect report snapshot.

Speaking of that report, want to turn threat data into nicely managed HTML? You can Show HTML in STIXViz or use the STIX XML to HTML transform.

STIX-to-HTML

STIX-to-HTML is an XSLT that transforms a STIX 1.0/1.0.1/1.1 document containing metadata and categorized top level items into HTML for easy viewing. As with STIXViz, download the ZIP, unpack it and grab Saxon as this tool requires an XSLT 2.0 engine. I downloaded Saxon HE which provides saxon9he.jar as described in STIX-to-HTML guidelines. I simply copied saxon9he.jar right in my STIX-to-HTML directory for ease and convenience. Thereafter I ran java -jar saxon9he.jar -xsl:stix_to_html.xsl -s:CryptoWallVariant.xml -o:CryptoWallVariant.html which resulted in the snippet seen in Figure 4, only a partial shot given all the indicators in this STIX file.

FIGURE 4: STIX-to-HTML transforms CryptoWall STIX into an HTML report

You can also customize the STIX-to-HTML transform and add new STIX and CybOX as noted on the Wiki associated with the STIX-to-HTML project page.

In Conclusion

Great tools from Mandiant and Mitre, all of which make the process of gathering, organizing, and disseminating threat intelligence and easier prospect than some might imagine.

This is an invaluable activity that you should be situating close to or within your security monitoring and incident management programs. If you maintain a security operations center (SOC) or a computer emergency response team (CERT) these activities should be considered essential and required. James Madison said “Knowledge will forever govern ignorance; and a people who mean to be their own governors must arm themselves with the power which knowledge gives.” Those words will ring forever true in the context of cyber and threat intelligence. Use the premise wisely and arm yourself.

Ping me via email if you have questions (russ at holisticinfosec dot org).

Cheers…until next month.

toolsmith: Redline, APT1, and you – we’re all owned

Prerequisites/dependencies

Windows OS and .NET 4

Introduction

Embrace this simple fact, we’re all owned. Maybe you aren’t right now, but you probably were at some point or will be in the future. “Assume compromise” is a stance I’ve long embraced, if you haven’t climbed aboard this one-way train to reality, I suggest you buy a ticket. If headlines over the last few years weren’t convincing enough, Mandiant’s APT1, Exposing One of China’s Cyber Espionage Units report should serve as your re-education. As richly detailed, comprehensive, and well-written as it is, this report is groundbreaking in the extent of insights on our enemy it elucidates, but not necessarily as a general concept. Our adversary has been amongst us for many, many years and the problem will get much worse before it gets better. They are all up in your grill, people; your ability to defend yourself and your organizations, and to hunt freely and aggressively is the new world order. I am reminded, courtesy of my friend TJ O’Connor, of a most relevant Patton quote: "a violently executed plan today is better than a perfect plan expected next week." Be ready to execute. Toolsmith has spent six and half years hoping to enable you, dear reader, to execute; take the mission to heart now more than ever.

I’ve covered Mandiant tools before for good reason: RedCurtain in 2007, Memoryze in 2009, and Highlighter in 2011. I stand accused of being a fanboy and hereby render myself guilty. If you’ve read the APT1 report you should have taken immediate note of the use of Redline and Indicators of Compromise (IOCs) in Appendix G. 

Outreach to Richard Bejtlich, Mandiant’s CSO, quickly established goals and direction: “Mandiant hopes that our free Redline tool will help incident responders find intruders on their network. Combining indicators from the APT1 report with Redline’s capabilities gives responders the ability to look for interesting activity on endpoints, all for free.” Well in keeping with the toolsmith’s love of free and open source tools, this conversation led to an immediate connection with Ted Wilson, Redline’s developer, who kindly offered his perspective:

“Working side by side with the folks here at Mandiant who are out there on the front lines every day is definitely what has driven Redline’s success to date.  Having direct access to those with firsthand experience investigating current attack methodologies allows us stay ahead of a very fast moving and quickly evolving threat landscape.  We are in an exciting time for computer security, and I look forward to seeing Redline help new users dive headfirst into computer security awareness.

Redline has a number of impressive features planned for the near future.  Focusing first on expanding the breadth of live response data Redline can analyze.  Some highlights from the next Redline release (v1.8) include full file system and registry analysis capabilities, as well as additional filtering and analysis tools around the always popular Timeline feature.  Further out, we hope to leverage that additional data to provide expanded capabilities that help both the novice and the expert investigators alike.”

Mandiant’s Lucas Zaichkowsky, who will have presented on Redline at RSA by the time you read this, sums up Redline’s use cases succinctly:

1.       Memory analysis from a live system or memory image file. Great for malware analysis.

2.       Collect and review a plethora of forensic data from hosts in order to investigate an incident. This is commonly referred to as a Live IR collector.

3.       Create an IOC search collector to run against hosts to see if any IOCs match.

He went further to indicate that while the second scenario is the most common use case, in light of current events (APT1), the third use case has a huge spotlight on it right now. This is where we’ll focus this discussion to utilize the APT1 IOC files and produce a collector to analyze an APT1 victim.

Installation and Preparation

Mandiant provides quite a bit of material regarding preparation and use of Redline including an extensive user guide, and two webinars well worth taking the time to watch. Specific to this conversation however, with attention to APT1 IOCs, we must prepare Redline for a targeted Analysis Session. The concept here is simple: install Redline on an analysis workstation and prepare a collector for deployment to suspect systems.

To begin, download the entire Digital Appendix & Indicators archive associated with the APT1 report.

Wesley McGrew (McGrew Security) put together a great blog post regarding matching APT1 malware names to publicly available malware samples from VirusShare (which is now the malware sample repository). I’ll analyze a compromised host with one of these samples but first let’s set up Redline.

I organize my Redline file hierarchy under \tools\redline with individual directories for audits, collectors, IOCs, and sessions. I copied Appendix G (Digital) – IOCs from the above mentioned download to APT1 under \tools\redline\IOCs.

Open Redline, and select Create a Comprehensive Collector under Collect Data. Select Edit Your Script and enable Strings under Process Listing and Driver Enumeration, and be sure to check Acquire Memory Image as seen in Figure 1.

Figure 1: Redline script configuration

I saved the collector as APT1comprehensive. These steps will add a lot of time to the collection process but will pay dividends during analysis. You have the option to build an IOC Search Collector but by default this leaves out most of the acquisition parameters selected under Comprehensive Collector. You can (and should) also add analysis inclusive of the IOCs after acquisition during the Analyze Data phase.

Redline, IOCs, and a live sample

I grabbed the binary 034374db2d35cf9da6558f54cec8a455 from VirusShare, described in Wesley’s post as a match for BISCUIT malware. BISCUIT is defined in Appendix C – The Malware Arsenal from Digital Appendix & Indicators as a backdoor with all the expected functionality including gathering system information, file download and upload, create or kill processes, spawn a shell, and enumerate users. 

I renamed the binary gc.exe, dropped it in C:\WINDOWS\system32, and executed it on a virtualized lab victim. I rebooted the VM for good measure to ensure that our little friend from the Far East achieved persistence, then copied the collector created above to the VM and ran RunRedlineAudit.bat. If you’re following along at home, this is a good time for a meal, walking the dog, and watching The Walking Dead episode you DVR’d (it’ll be awhile if you enabled strings as advised). Now sated, exercised, and your zombie fix pulsing through your bloodstream, return to your victim system and copy back the contents of the audits folder from the collector’s file hierarchy to your Redline analysis station, select From a Collector under Analyze Data, and choose the copied audit as seen in Figure 2.

Figure 2: Analyze collector results with Redline

Specify where you’d like to save your Analysis Session (D:\tools\redline\sessions if you’re following my logic). Let Redline crunch a bit and you will be rewarded with instant IOC goodness. Right out of the gate the report details indicated that “2 out of my 47 Indicators of Compromise have hit against this session.”

Sweet, we see a file hash hit and a BISCUIT family hit as seen in Figure 3.

Figure 3: IOC hits against the Session

Your results will also be written out to HTML automatically. See Report Location at the bottom of the Redline UI. Note that the BISCUIT family hit is identified via UID a1f02cbe. Search a1f02cbe under your IOCs repository and you should see a result such as D:\tools\redline\IOCs\APT1\a1f02cbe-7d37-4ff8-bad7-c5f9f7ea63a3.ioc.

Open the .ioc in your preferred editor and you’ll get a feel for what generates the hits. The most direct markup match is:

034374db2d35cf9da6558f54cec8a455

In the Redline UI, remember to click the little blue button with the embedded i (information) associated with IOC hit for highlights on the specific IndicatorItem that triggered the hit for you and displays full metadata specific to the file, process, or other indicator.

But wait, there’s more. Even without defined, parameterized IOC definitions, you can still find other solid indicators on your own. I drilled into the Processes tab, and selected gc.exe, expanded the selection and clicked Strings.  Having studied Appendix D – FQDNs, and checked out the PacketStash APT1.rules file for Suricata and Snort (thanks, Snorby Labs), I went hunting (CTRL-F in the Redline UI) for strings matches to the known FQDNs. I found 11 matches for purpledaily.com and 28 for newsonet.net as seen in Figure 4.

Figure 4: Strings yields matches too

Great! If I have alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"[SC] Known APT1 domain (purpledaily.com)"; content:"|0b|purpledaily|03|com|00|"…snipped enabled on my sensors I should see all the other systems that may be pwned with this sample. 

Be advised that the latest version of Redline (1.7 as this was written) includes powerful, time-related filtering options including Field Filters, TimeWrinkle, and TimeCrunch. Explore them as you seek out APT1 attributes. There are lots of options for analysis. Read the Redline Users Guide before beginning so as to be full informed. J

In Conclusion

I’m feeling overly dramatic right now. Ten years now I’ve been waiting for what many of us have known or suspected all along to be blown wide open. APT1, presidential decrees, and “it’s not us,” oh my. Mandiant has offered both the fodder and the ammunition you need to explore and inform, so awake! I’ll close with a bit of the Bard (Ariel, from The Tempest):

While you here do snoring lie,

Open-ey'd Conspiracy

His time doth take.

If of life you keep a care,

Shake off slumber, and beware.

Awake, awake!

I am calling you to action and begging of your wariness; your paranoia is warranted. If in doubt of the integrity of a system, hunt! There are entire network ranges that you may realize you don’t need to allow access to or from your network. Solution? Ye olde deny statement (thanks for reminding me, TJ). Time for action; use exemplary tools such as Redline to your advantage, where advantages are few.

Ping me via email if you have questions or suggestions for topic via russ at holisticinfosec dot org or hit me on Twitter @holisticinfosec.

Cheers…until next month.

Acknowledgements

To the good folks at Mandiant:

Ted Wilson, Redline developer

Richard Bejtlich, CSO

Kevin Kin and Lucas Zaichkowsky, Sales Engineers