Argus detecting historical APT1 activity #3 cont
Dave Edelman
dedelman at iname.com
Sat Apr 13 07:42:35 EDT 2013
Craig,
In the category of "first catch your rabbit": recreating the packet is not
very hard as long as you have captured it. Argus has (at least) two ways of
doing this. The one that I haven't tried actually allows you to create pcap
files external to the argus flow record file. The one that I have been doing
for years is to turn on a bunch of things in my /etc/argus/config file,
including capture the MAC addresses and capture some amount of user data (I
have that amount set to 2048 bytes). Remember that the capture data is based
on flows, not packets, and there is a snap length parameter (but that may be
for the parallel pcap file process). I don't have any auditors at home so I
don't do snap length as a matter of principle.
There is a client called radump which will do a basic tcpdump decode of the
user data.
radump -X -L -1 -n -s stime proto saddr sport daddr dport suser:100 -r file.gz - tcp and port 80
00:02:46.852460 tcp 10.1.1.34.19507 96.17.10.79.80 s[100]="GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1..Cache-Control: max-age = 900..Connect"
00:02:47.055554 tcp 10.1.1.34.19508 173.194.74.121.80 s[100]="GET /17A0CDC1E441B63A5B3BCB459DBD1CC298FA8658 HTTP/1.1..Cache-Control: max-age = 3600..Conn"
00:02:47.430059 tcp 10.1.1.34.19509 70.37.129.243.80 s[100]="GET /pki/mscorp/crl/mswww(5).crl HTTP/1.1..Cache-Control: max-age = 900..Connection: Keep-A"
00:04:22.637669 tcp 10.1.1.34.19507 96.17.10.79.80 s[20]="L3.P5.fs....P......."
00:04:22.637676 tcp 10.1.1.34.19508 173.194.74.121.80 s[20]="L4.P.....O*sP......."
00:06:06.456771 tcp 10.1.1.34.19514 173.194.43.1.80 s[100]="POST /safebrowsing/downloads?client=navclient-auto-ffox&appver=13.0.1&pver=2.2&wrkey=AKEgNi"
00:06:06.524754 tcp 10.1.1.34.19515 173.194.43.5.80 s[100]="GET safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEY0b4FINK-BTIFUV8BAAM HTTP/1.1..Host: sa"
radump -X -L -1 -n -s stime proto saddr sport daddr dport suser:100 -r file.gz - port 123
00:00:48.413277 udp 10.1.1.124.1024 199.4.29.166.123 s[24]="NTPv4, Client, length 96"
00:00:57.037448 udp 10.1.1.121.1024 38.229.71.1.123 s[24]="NTPv4, Client, length 48"
00:01:52.468434 udp 10.1.1.124.1024 199.4.29.166.123 s[24]="NTPv4, Client, length 96"
00:02:01.104532 udp 10.1.1.121.1024 38.229.71.1.123 s[24]="NTPv4, Client, length 48"
00:02:56.513067 udp 10.1.1.124.1024 199.4.29.166.123 s[24]="NTPv4, Client, length 96"
00:03:05.171666 udp 10.1.1.121.1024 38.229.71.1.123 s[24]="NTPv4, Client, length 48"
00:04:00.557897 udp 10.1.1.124.1024 199.4.29.166.123 s[24]="NTPv4, Client, length 96"
00:04:09.238938 udp 10.1.1.121.1024 38.229.71.1.123 s[24]="NTPv4, Client, length 48"
From a live feed:
radump -X -n -S localhost:561 -s stime proto saddr daddr sport dir dport suser:100
StartTime Proto SrcAddr DstAddr Sport Dir Dport srcUdata
11:38:49.458966 udp 10.1.1.101 10.1.1.8 65228 <-> 161 s[17]=" GetRequest(33) "
11:38:49.738871 udp 10.1.1.101 10.1.1.8 50615 <-> 161 s[17]=" GetRequest(33) "
11:38:50.258162 tcp 10.1.1.50 10.1.1.45 10425 -> 22 s[100]=".....q.\."/X.n.lv...|.:..:C..kum.7..X...........k...?KXM..[...&K.@ty........[..b.=...n.x..k"
11:38:51.615806 udp 10.1.1.50 10.1.1.126 137 -> 137 s[49]="NBT UDP PACKET(137): REFRESH(8); REQUEST; UNICAST"
11:38:52.168951 arp 10.1.1.45 10.1.1.68 who s[32]="who-has 10.1.1.68 tell 10.1.1.45"
11:38:52.677394 udp 10.1.1.124 199.4.29.166 1024 -> 123 s[24]="NTPv4, Client, length 48"
11:38:53.050306 arp 10.1.1.53 10.1.1.126 who s[33]="who-has 10.1.1.126 tell 10.1.1.53"
11:38:53.261136 udp 10.1.1.45 209.236.69.170 123 <-> 123 s[25]="NTPv4, Client, length 144"
11:38:53.446513 tcp 10.1.1.45 10.1.1.10 36969 -> 445 s[100]="...D.SMB2.......................d.7......................B...................J.SMB2.........."
11:38:54.452377 tcp 10.1.1.101 10.1.1.8 61858 -> 8080 s[66]="GET /DevMgmt/ConsumableConfigDyn.xml HTTP/1.1..Host: localhost...."
11:38:54.642306 tcp 10.1.1.101 10.1.1.8 61859 -> 8080 s[63]="GET /DevMgmt/ProductStatusDyn.xml HTTP/1.1..Host: localhost...."
There are other tools and tricks as well but I am running very late. More
later.
--Dave
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of Craig Merchant
Sent: Friday, April 12, 2013 5:57 PM
To: Argus
Subject: Re: [ARGUS] Argus detecting historical APT1 activity #3 cont
Carter, thank you very much for writing such thorough and thoughtful emails
on this subject. I've shared them with the entire security team at work.
I've been thinking a bit on how Argus could be used to do more proactive
alerting of these kinds of threats. As you know, I'm not a programmer *at
all*. I had a couple of ideas and was wondering what it would take to
implement them.
How difficult is it to reassemble a file from payload data? I'm imagining
being able to reassemble executable files from HTTP connections to external
hosts, generating an MD5 of that file, and then use dig to query the malware
database from:
<http://www.team-cymru.org/Services/MHR/#dns>
For APT threats that don't drop a file and write directly to some vulnerable
part of memory, what kind of payload data would be indicative of that kind
of attack? Looking through some of our Snort rules, I see patterns that
look like:
Heapspray example:
|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|
Shellcode examples:
|90 90 90 E8 C0 FF FF FF|/bin/sh
|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|
\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01lanattacks_(start_dhcp|reset_dhcp|set_dhcp_option|stop_dhcp|dhcp_log|start_tftp|reset_tftp|add_tftp_file|stop_tftp)
How would you use Argus to detect those types of attacks without generating
a ton of false positives? It doesn't seem like the types of patterns above
should be all that common in normal HTTP traffic.
How much of the payload would Argus need to look at to reliably identify
those types of attacks?
Thanks.
Craig
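The following is an added example for this thread, written for the archive page; it is not code from the argus project and not something either poster supplied. It ties Dave's radump output to Craig's question: radump prints the captured user data with every non-printable byte shown as '.', so byte patterns like the shellcode rules cannot be matched on that printed form. The script therefore assumes the records were exported with the suser field base64-encoded, one record per line as 'stime saddr daddr suser' (ra's -e encode64 / RA_USERDATA_ENCODE setting is assumed to produce this; the field layout is also an assumption), decodes the payload, runs Craig's Snort patterns over the raw bytes, and flags records whose payload is exactly ARGUS_CAPTURE_DATA_LEN bytes long, because Argus keeps only the first N bytes of each flow direction and anything later in the stream was never recorded. It also builds the Team Cymru MHR DNS name for a blob, which is only meaningful for a complete file, not a capped flow capture, so Craig's hashing idea needs the external pcap path Dave mentions rather than the flow record's user data. The sample records are constructed here, not captured traffic.

```python
"""Scan Argus user-data captures for the Snort-style byte patterns in the thread.

Added example, not code from the argus project or from either poster.
Assumed export layout: one record per line, 'stime saddr daddr suser', with
suser base64-encoded (ra's -e encode64 / RA_USERDATA_ENCODE is assumed to
give that).  The sample records at the bottom are constructed, not captured.
"""
import base64
import hashlib
import re

CAPTURE_DATA_LEN = 2048  # ARGUS_CAPTURE_DATA_LEN, the value Dave says he uses

# Craig's Snort content patterns as regexes over raw bytes.  Snort's |5C| is
# the byte 0x5C ('\'), so the heap-spray rule matches the escaped text "\x0c"
# eight times (a string literal inside script), not the control byte 0x0c.
PATTERNS = {
    "heapspray_unescape_0c": re.compile(rb"(?:\\x0c){8}"),
    "shellcode_binsh": re.compile(rb"\x90\x90\x90\xe8\xc0\xff\xff\xff/bin/sh"),
    "shellcode_xor_decoder": re.compile(
        rb"\x6a\x43\x59\xe8\xff\xff\xff\xff\xc1\x5e\x30\x4c\x0e\x07\xe2\xfa"
        rb"\x6b\x63\x5b\x9d"),
    "msf_lanattacks": re.compile(
        rb"\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01lanattacks_"
        rb"(?:start_dhcp|reset_dhcp|set_dhcp_option|stop_dhcp|dhcp_log|"
        rb"start_tftp|reset_tftp|add_tftp_file|stop_tftp)", re.DOTALL),
    # Generic heuristic added here, not one of Craig's rules: a long NOP sled.
    "nop_sled_64": re.compile(rb"\x90{64}"),
}

# Accept the field bare or wrapped the way ra prints it, s[N]="...".
SUSER_RE = re.compile(r'^(?:s\[\d+\]=")?([A-Za-z0-9+/=]*)"?$')


def decode_suser(field):
    """Base64 suser field -> the captured payload bytes."""
    m = SUSER_RE.match(field)
    if not m:
        raise ValueError("suser field is not base64: %r" % field)
    return base64.b64decode(m.group(1))

def scan_payload(data):
    """Names of the patterns that match anywhere in the captured bytes."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(data))

def is_truncated(data, cap=CAPTURE_DATA_LEN):
    """True when the record holds exactly the cap: the flow carried more
    payload than Argus kept, so a pattern later in the stream is invisible."""
    return len(data) >= cap

def mhr_query_name(data):
    """Name to resolve for a Team Cymru MHR lookup:
    dig +short <md5>.malware.hash.cymru.com TXT
    Only meaningful for a complete file, never for a capped flow capture."""
    return hashlib.md5(data).hexdigest() + ".malware.hash.cymru.com"

def scan_records(lines):
    """Parse 'stime saddr daddr suser' lines and scan each payload."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # header or malformed line
        data = decode_suser(parts[3])
        results.append({"stime": parts[0], "saddr": parts[1],
                        "daddr": parts[2], "bytes": len(data),
                        "truncated": is_truncated(data),
                        "matches": scan_payload(data)})
    return results

def _record(stime, saddr, daddr, payload):
    """One constructed record line in the assumed export layout."""
    return "%s %s %s %s" % (stime, saddr, daddr,
                           base64.b64encode(payload).decode("ascii"))


SAMPLE_RECORDS = [  # constructed, not captured traffic
    # Benign CRL fetch, the same shape as the radump output in the thread.
    _record("00:02:46.852460", "10.1.1.34", "96.17.10.79",
            b"GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1\r\n"
            b"Cache-Control: max-age = 900\r\nConnection: Keep-Alive\r\n"),
    # Heap-spray style script: the escaped text "\x0c" repeated.
    _record("00:03:01.000000", "203.0.113.7", "10.1.1.34",
            b"HTTP/1.1 200 OK\r\n\r\n<script>var p=unescape(\""
            + b"\\x0c" * 16 + b"\");</script>"),
    # NOP sled followed by the /bin/sh stub from Craig's second rule.
    _record("00:03:02.000000", "203.0.113.7", "10.1.1.34",
            b"\x90" * 80 + b"\xe8\xc0\xff\xff\xff/bin/sh\x00"),
    # Exactly CAPTURE_DATA_LEN bytes: whatever followed was never recorded.
    _record("00:03:03.000000", "203.0.113.7", "10.1.1.34",
            b"HTTP/1.1 200 OK\r\n" + b"A" * (CAPTURE_DATA_LEN - 17)),
]

if __name__ == "__main__":
    for r in scan_records(SAMPLE_RECORDS):
        print(r)
```

Run as a script it prints one dict per constructed record; feed scan_records() real exported lines to use it on your own data. The truncated flag is the practical answer to Craig's "how much payload" question: a record at the cap tells you the first 2048 bytes were clean, nothing more, which is why the shellcode checks belong on the pcap the external capture option writes rather than on the flow record alone.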