Author Topic: [FireEye]SilkETW: Because Free Telemetry is … Free!  (Read 85 times)


Offline igor51

« on: March 20, 2019, 20:00:20 »
SilkETW: Because Free Telemetry is … Free!

In the following example, we will collect process event data from the
  Kernel provider and use image loads to identify Mimikatz execution. We
  can collect the required data with this command:


 
   
     
    SilkETW.exe -t kernel -kk ImageLoad -ot file -p C:\Users\b33f\Desktop\mimikatz.json

 

With data in hand it is easy to sort, grep and filter for the
  properties we are interested in (Figure 2).


 


 
 
 Figure 2: PowerShell event filtering


 

Yara Integration


 

SilkETW has a number of command line flags that allow the user to
  restrict the events that are captured. These include the event name,
  the process ID, the process name, and the opcode. To further enhance
  this capability, Yara support is included to filter or tag trace
  events. While Yara has immediate defensive connotations, the reader is
  reminded that Yara rules are equally useful to augment research capabilities.


 

In the following contrived example we will use a Yara rule to detect
  Seatbelt execution in memory through Cobalt Strike's execute-assembly.


 
   
     
    rule Seatbelt_GetTokenInformation
    {
        strings:
            $s1 = "ManagedInteropMethodName=GetTokenInformation" ascii wide nocase
            $s2 = "TOKEN_INFORMATION_CLASS" ascii wide nocase
            $s3 = /bool\(native int,valuetype \w+\.\w+\/\w+,native int,int32,int32&/
            $s4 = "locals (int32,int64,int64,int64,int64,int32& pinned,bool,int32)" ascii wide nocase

        condition:
            all of ($s*)
    }

 

We can start collecting .NET ETW data with the following command
  (note here the "-yo" option indicating that we will only
  write the Yara matches to file!):


 
   
     
    SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -l verbose -y C:\Users\b33f\Desktop\yara -yo matches -ot file -p C:\Users\b33f\Desktop\yara.json

 

We can see at runtime that our Yara rule was hit (Figure 3).


 


 
 
 Figure 3: Yara rule hit


 

Note also that we are only capturing a subset of the
  "Microsoft-Windows-DotNETRuntime" events (0x2038),
  specifically: JitKeyword, InteropKeyword, LoaderKeyword and NGenKeyword.


 

Roadmap


 

As outlined in the introduction, SilkETW is currently a research
  focused data-collection tool with robust yet rudimentary capabilities.
  Upcoming changes for SilkETW include, but are not limited to:


 
  • Offer users the option to write trace data to disk as *.etl files.
  • Create a separate instance of SilkETW that operates in a headless mode
    as a service and reads a configuration file.
  • Take input from the community on any features that would be beneficial
    to ETW research.

 

GitHub


 

SilkETW is currently available for download on GitHub: https://github.com/fireeye/SilkETW


 

Acknowledgement


 

Special thanks to the whole Advanced Practices team – and Nick Carr
  in particular – for their indulgence of my antics! Thanks also to
  Stephen Davis, Anthony Berglund and Kevin Boyd of the FireEye Labs and
  Data Science teams for their help on reviewing this project and their
  prior work on pywintrace
  (https://www.fireeye.com/blog/threat-research/2017/09/pywintrace-python-wrapper-for-etw.html).
  If you are looking for Python ETW bindings you can use
  programmatically, definitely check out that project.


Source: SilkETW: Because Free Telemetry is … Free!

Security-X
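
The image-load filtering step the article describes around Figure 2, as an added example that is not part of the original post or of SilkETW itself: it groups ImageLoad events per process and flags any process that loads several DLLs from a watch list, regardless of the executable's name. The JSON field names, the event name "Image/Load", the DLL watch list and the threshold are assumptions made for illustration; the sample records are constructed.

```python
import json
from collections import defaultdict

# Assumption (not from the article): DLLs whose combined load is treated as
# Mimikatz-like. Tune this set and the threshold against your own baseline.
WATCHLIST = frozenset({"cryptdll.dll", "samlib.dll", "vaultcli.dll",
                       "hid.dll", "winscard.dll"})

# Constructed sample, one JSON object per line. The field names (EventName,
# ProcessID, ProcessName, XmlEventData.FileName) are assumed, not from the page.
SAMPLE = r'''
{"EventName":"Image/Load","ProcessID":2204,"ProcessName":"explorer","XmlEventData":{"FileName":"C:\\Windows\\System32\\hid.dll"}}
{"EventName":"Image/Load","ProcessID":6012,"ProcessName":"updater","XmlEventData":{"FileName":"C:\\Windows\\System32\\cryptdll.dll"}}
{"EventName":"Image/Load","ProcessID":6012,"ProcessName":"updater","XmlEventData":{"FileName":"C:\\Windows\\System32\\samlib.dll"}}
{"EventName":"Image/Load","ProcessID":6012,"ProcessName":"updater","XmlEventData":{"FileName":"C:\\Windows\\System32\\WinSCard.dll"}}
{"EventName":"Image/Load","ProcessID":6012,"ProcessName":"updater","XmlEventData":{"FileName":"C:\\Windows\\System32\\vaultcli.dll"}}
{"EventName":"Process/Start","ProcessID":6012,"ProcessName":"updater","XmlEventData":{}}
{"EventName":"Image/Load","ProcessID":6012,"ProcessName":"upd
'''

def parse_events(text):
    """Yield decoded events; skip blank lines and a truncated final record."""
    for line in text.splitlines():
        try:
            if line.strip():
                yield json.loads(line)
        except json.JSONDecodeError:
            continue

def loads_by_process(events):
    """Map (pid, process name) -> set of lower-cased DLL base names loaded."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("EventName") != "Image/Load":
            continue
        path = (ev.get("XmlEventData") or {}).get("FileName") or ""
        base = path.rsplit("\\", 1)[-1].lower()
        if base:
            seen[(ev.get("ProcessID"), ev.get("ProcessName"))].add(base)
    return seen

def flag_processes(events, watchlist=WATCHLIST, min_hits=4):
    """Return processes that loaded at least min_hits watch-listed DLLs."""
    return {proc: sorted(dlls & watchlist)
            for proc, dlls in loads_by_process(events).items()
            if len(dlls & watchlist) >= min_hits}

if __name__ == "__main__":
    for (pid, name), dlls in flag_processes(parse_events(SAMPLE)).items():
        print(f"PID {pid} ({name}) loaded: {', '.join(dlls)}")
```

To run it against a real capture, pass the contents of the file written by the -p option to parse_events instead of SAMPLE, after checking the field names against an actual record.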
