GOD17 Sigma

The document discusses threat hunting using application logs and log signatures. It introduces Sigma, an open source format for log signatures. Sigma rules are written in YAML and include a scope definition, search identifiers to identify log events, and a condition to correlate events. Problems with existing approaches are a lack of standard format, different SIEM products covering different signatures, and vendor lock-in. Sigma aims to address these with a generic signature format, open repository of rules, and converter to build SIEM queries.


Threat Hunting with Application Logs and Sigma

Thomas Patzke, 14. November 2017


Agenda

Introduction to Threat Detection with Log Analysis

Log Traces of Application Attacks

Motivation for a Log Signature Format

Sigma – The Open Source Approach
– Rule Format
– Rule Examples
– Conversion to SIEM queries

How can developers, pentesters and security researchers contribute?
From Attack to Logfile

Attack Attempts

Application Errors

Error Logs

This is something we are able to detect!
Threat Hunting:
From Log File to Threat Detection

Log Files
– No standardized structure

Decomposition of unstructured log lines into fields (keys/values)

SIEM
– Searches, Aggregations & Dashboards
– Where do they come from and how to distribute indicators?

Manual Analysis
Threat Detection with Log Monitoring:
Log Sources

Firewall Logs
– Successful/Filtered IP/TCP/UDP Communication

Operating System Logs
– Authentication
– Process Execution
– Resource Access

Proxy Logs

Web Server Access Logs
Threat Detection with Log Monitoring:
Signature Examples

Authentication & Accounts:
– Large number of failed logon attempts
– Alteration and usage of specific accounts (e.g. DSRM)
– SID history

Process Execution:
– Execution from unusual locations
– Suspicious process relationships
– Known executables with unknown hashes
– Known evil hashes

Windows Events:
– Service installations with rare names in monitored environment
– New domain trusts

Network: Port Scans, Host Discovery (Ping Sweeps)
Threat Detection with Log Monitoring:
Application Events

Web Server Access Logs:
– 4xx Errors: Enumeration and Reconnaissance activity
– 5xx Errors: Exploitation

Application Error Logs:
– Exceptions
– Specific messages
Some Application Error Examples

OpenSSH
– “unexpected internal error”
– “error in libcrypto”
– “unexpected bytes remain after decoding”

vsftpd
– “weird status”
– “Input line too long”
– “syscall validate failed”
Problems?

Source: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events

Source: https://adsecurity.org/?p=1714

Source: https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
Problems!

Lack of standardized description format
– Great blog posts, log signatures as unstructured text
– No generic format like YARA or Snort rules

Heterogeneous environments:
– The n+1 SIEMs problem
– Efficient distribution of log signatures for different systems

Different SIEM products cover different signatures

Vendor lock-in

Generic signature format to describe interesting log
events

Open repository for Sigma signatures

Converter that builds queries from Sigma signatures
It’s open source!
Rule Format

Sigma rules are written in YAML

Scope definition: which log sources are relevant?

Search identifiers: Event IDs, values, strings
– Lists of values
– Key-value pairs that associate a log field with a value

Condition:
– Logical connection of search identifiers
– Aggregation/correlation of matched events

Metadata: title, description, author, state, (severity) level, reference, hints for identification of false positives
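The rule structure described above (scope definition, search identifiers as lists of values or key-value pairs, a condition joining them) worked through in a small evaluator that matches the OpenSSH error messages listed earlier against decomposed log events. This is added example code, not part of the slides or of the Sigma project; the rule (including the hypothetical `ci-bot` filter), the events and the field names `product`, `service`, `user` and `message` are constructed, and the rule is given as the dict that parsing its YAML would produce.

```python
RULE = {  # constructed rule, in the parsed-YAML (dict) form that yaml.safe_load returns
    "logsource": {"product": "linux", "service": "sshd"},         # scope definition
    "detection": {
        "keywords": ["unexpected internal error", "error in libcrypto",   # list of values
                     "unexpected bytes remain after decoding"],
        "filter": {"user": "ci-bot"},            # key-value pair; hypothetical noisy account
        "condition": "keywords and not filter",  # logical connection of the identifiers
    },
}

def match_identifier(ident, event):
    """List: any keyword occurs in the message. Mapping: every field matches (list value = any of)."""
    if isinstance(ident, list):
        return any(k in event.get("message", "") for k in ident)
    return all(event.get(f) in (v if isinstance(v, list) else [v]) for f, v in ident.items())

def evaluate(condition, detection, event):
    """'a and not b or c' style conditions (or of ands of optionally negated identifiers); no aggregations."""
    toks, pos = condition.split(), 0
    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        return not atom() if tok == "not" else match_identifier(detection[tok], event)
    def conj():
        nonlocal pos
        val = atom()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1
            val = atom() and val   # evaluate the right side first so its tokens are consumed
        return val
    val = conj()
    while pos < len(toks) and toks[pos] == "or":
        pos += 1
        val = conj() or val
    return val

def matches(rule, event):  # scope check first: only events from the rule's log source are examined
    if any(event.get(k) != v for k, v in rule["logsource"].items()):
        return False
    return evaluate(rule["detection"]["condition"], rule["detection"], event)

EVENTS = [  # constructed sample events, already decomposed into fields by the SIEM
    {"product": "linux", "service": "sshd", "user": "alice", "message": "fatal: unexpected internal error"},
    {"product": "linux", "service": "sshd", "user": "ci-bot", "message": "error in libcrypto"},
    {"product": "linux", "service": "sshd", "user": "bob", "message": "Accepted publickey for bob"},
    {"product": "windows", "service": "security", "user": "eve", "message": "unexpected internal error"},
]

def matching_indices(rule=RULE, events=EVENTS):
    return [i for i, e in enumerate(events) if matches(rule, e)]
```

Only the first event fires: the second is suppressed by the filter, the third carries no keyword, and the fourth is outside the rule's log source even though its message matches.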
Example: HTTP Error Codes
Example: Django Exceptions
Example: Spring Framework Exceptions
Example: Python PEP249 Exceptions
Example: OpenSSH Error Messages
Rule Example: Mimikatz Detection
Sigma Converter

Conversion of a Sigma rule into three different query languages:
– Splunk
– Elasticsearch
– LogPoint

Conversion to frontend/tool configurations:
– Kibana searches
– Elastic X-Pack Watcher alerts
Demo Time!
Challenges in Rule Conversion

Usage of different field names
– Solution: field name mappings from Sigma rule field names to SIEM/environment specific names

Inconsistent field names, multiple fields for one purpose
– Solution: 1:n field name mappings

Field names depend on event type, e.g. LogPoint has four names for SubjectAccountName or UserName.
– Solution: Conditional field name mappings

Log sources match to subsets of indexed log data: you don’t want to search web server logs for Windows security events
– Solution: match category/product/service tuples to index patterns and conditions

Rules refer to subsets of values which are environment-specific, e.g. client systems
– Solution: placeholders
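A simplified converter that works through the mapping problems listed above (renamed fields, 1:n mappings, log source tuple to index pattern, placeholders) and emits a Splunk-style search. This is added example code, not sigmac or its configuration format; the rule, the `CONFIG` structure, the field names and the `svc-backup` and `Clients` values are constructed, and conditional field mappings are not covered.

```python
RULE = {  # constructed rule in parsed-YAML form
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4624, "LogonType": [3, 10], "WorkstationName": "%Clients%"},
        "filter": {"User": "svc-backup"},    # hypothetical account to exclude
        "condition": "selection and not filter",
    },
}

CONFIG = {  # constructed environment-specific mapping; not sigmac's real config format
    # (product, service) tuple -> index pattern plus a condition narrowing that index
    "logsources": {("windows", "security"): ['index="winlog"', 'source="WinEventLog:Security"']},
    # field mappings: plain rename, or 1:n (list) when one purpose has several names
    "fieldmappings": {"EventID": "EventCode", "User": ["user", "Account_Name"]},
    # placeholders: environment-specific value sets a rule refers to as %Name%
    "placeholders": {"Clients": ["WS-ALICE", "WS-BOB"]},
}

def quote(v):
    return str(v) if isinstance(v, int) else '"%s"' % v

def field_expr(field, value, config):
    """Expand placeholders and 1:n field mappings into a parenthesised OR of terms."""
    values = value if isinstance(value, list) else [value]
    expanded = []
    for v in values:
        if isinstance(v, str) and len(v) > 2 and v.startswith("%") and v.endswith("%"):
            expanded += config["placeholders"][v.strip("%")]
        else:
            expanded.append(v)
    names = config["fieldmappings"].get(field, field)
    names = names if isinstance(names, list) else [names]
    terms = ["%s=%s" % (n, quote(v)) for n in names for v in expanded]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"

def identifier_expr(ident, config):
    parts = [field_expr(f, v, config) for f, v in ident.items()]
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"

def convert(rule, config):
    """Return '<index scoping> <condition with identifiers substituted>'."""
    ls = rule["logsource"]
    scope = " ".join(config["logsources"][(ls["product"], ls["service"])])
    det = rule["detection"]
    out = [tok.upper() if tok in ("and", "or", "not") else identifier_expr(det[tok], config)
           for tok in det["condition"].split()]
    return scope + " " + " ".join(out)
```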
Current State & Future

Rules
– Many rules for Windows/OS and network events
– Few application rules, room for improvement!

Sigma Converter
– Some backends, but more required
– Further improvements

Further tool ideas:
– Sigma Rule Builder Webapp
– Automatic rule building from log samples
How can you Contribute?

Developers
– Log verbosely!
  – Access check violations
  – Failing security checks (wrong CSRF token, ...)
  – If requests are wrong (too many, too few parameters, wrong value types, ...)
  – Unexpected states (skipped workflow steps, …)
– Provide Sigma rules with your project

Pentesters & Security Researchers
– Check logs for attack traces and build Sigma rules

Code/Tool contributions are always welcome!
Questions?

Rules + Code: https://github.com/Neo23x0/sigma

Documentation: https://github.com/Neo23x0/sigma/wiki

Thomas Patzke
@blubbfiction
[email protected]

Florian Roth
@cyb3rops

https://www.bsk-consulting.de/2017/07/06/the-best-possible-monitoring-with-sigma-rules/
