L1120-Blue BloodHound and SharpHound

• Hunt in Kibana
  • Login to Member Server (WS01)
  • Access Kibana on the (H)ELK SIEM
  • Initial Search
  • Keep Looking
• Think Critically. Hunt Intentionally.
• Refining the Process of of IOC Identification
  • Sketchy PowerShell
  • Add Table Columns
  • Saving a Query
• Off-Roading with BloodHound
  • Hunting in Time Windows
    • Event ID 800
    • Event IDs 4103, 4104
    • Event ID 4799
    • EventID 11
    • Full-Text Searching
• Reasonable & Actionable Life-cycle Adjustments

The BloodHound tools are based in part on the Active Directory Control Paths project. The toolkit enumerates a wide array of information available from Active Directory. Coupled with the Neo4j interface, this is an incredible tool with varied implications for both blue and red teams. From a red team perspective, the BloodHound toolkit can assist a tester with visually mapping the fastest paths to a domain admin or other specific high-interest target. Blue teams can use this tool to keep an eye on paths, privileged sessions, account usage, group membership, and more. In this lab, we will run BloodHound's data ingestors, then hunt for the interaction that the ingestor had on the Domain. The BloodHound data collector makes many queries on the domain. Having visibility of anomalous traffic can be valid hunting method.

• Catch this execution in Elastic stack.
• Catch sketchy PowerShell usage in Elastic consistently (regardless of toolkit)

Search for the execution of the script in the Optics Infrastructure.

Hunt in Kibana

Login to Member Server (WS01)

Connect via Remote Desktop to the Member Server (WS01).
See Lab L0200 for connection instructions.

Access Kibana on the (H)ELK SIEM

Using Chrome or Internet Explorer on Member Server, access the Kibana URI and login using the credentials below.

URL: https://10.10.98.20
Username: helk
Password: hunting

Initial Search

Check the Elastic dashboard (Kibana) for related events. Search the term "powershell" on the logs-* index.

powershell

BloodHound invocation is incredible noisy. Just searching "powershell" isn't enough.

Keep Looking

Next Switch the selected log index to logs-endpoint-winevent-powershell-* and search for the term "bloodhound" and "sharphound". Many documents (results) should be returned. Spend a few moments hunting for suspicious activity.

bloodhound
sharphound

Using those search terms you likely identified where Sysmon caught the file creation for SharpHound.

• Could events can be indicators of compromise?

Think Critically. Hunt Intentionally.

Searching for "bloodhound" isn't necessarily a great way to propose a mature IOC definition however, despite they have the initial appearance of working well to identify a potential threat. What if the adversary simply renamed the tools, or used a different tool entirely?

Think about the attack, not what tools were used in the attack:

• Can you locate logs generated when BloodHound was Invoked Directly from memory (IEX)?
• Are you able to find the Invoke-WebRequest where the BloodHound package was downloaded from the Internet?
• Can you find the Expand-Archive* command that extracted the BloodHound archive?
• Are these types of PowerShell operations typical in a day-to-day business? How could you use ELK to find out?

Continue to the next step of the lab to identify another method of discovery that may help answer questions above.

Refining the Process of of IOC Identification

Check the Calendar control filter to ensure this lab's evidence documents will be within the scope of hunting. Refer to Lab L0350 for information on controlling Kibana query filters.

Sketchy PowerShell

A more general and inclusive query for sketchy PowerShell that may be helpful "iex or invoke or import". To continue hunting, change the selected index to logs-* and use the provided search string below.

iex or invoke or import

The number of results will likely vary from what is seen below but results should be similar.

This appears to be a reasonable query to catch potentially sketchy PowerShell execution. Continue in this hunt by searching the contents of the returned documents.

• What are some useful fields that could be made column headers and perhaps filtered further?

Add Table Columns

Expand several of the returned documents and Toggle the columns for param1, and host_name. If you have trouble finding a document that includes these fields, you may use the full field list on the left of the table to add it directly.

Next find a document with contents in the "para1" column. Expand the document and find "param1" in the expanded document. Next to "param1" are four icons. The fourth icon allows us to filter for the presence of the param1 field in the current query. Press the fourth icon to filter out records without the param1 field.

Collapsing the document demonstrates a view like the following. Command line invocation was captured along with the computer name where the suspect command was executed.

Saving a Query

Save this query for future use. Name it something recognizable and click Save.

You have successful completed launching BloodHoundAD data ingestors via multiple methods and were able to find evidence in the platform of those executions. What can be gained from this experience?

Can you identify the dependencies necessary to migrate this potential IOC model into your production environment?

Off-Roading with BloodHound

Sometimes the hunt involves following leads that take you off-course, off-road, and into the weeds. With strong (verbose) threat optics, you begin to see how adversarial tools interact with the systems they attack. Some methodologies of hunts will require you to investigate and analyze what is happening in certain time periods were you know tool interaction exist.

Hunting in Time Windows

By adding event logs to the table columns, you may also have noticed some interesting event-ids within the specific time that you know the Bloodhound ingestor was invoked.

After some deep dive, you may find some interesting BloodHound interactions:

Event ID 800

• 800 – PowerShell Pipeline Execution Details

event_id : 800 and bloodhound

Event IDs 4103, 4104

By adding event logs to the table columns, you may also have noticed some interesting event-ids:

• 4103 – Command Execution Pipeline
• 4104 – Script block text

event_id : 4103 or event_id : 4104 and bloodhound

Event ID 4799

By adding event logs to the table columns, you may also have noticed some interesting event-ids:

• 4799 – A security-enabled local group membership was enumerated
  • This is BloodHound asking for group membership information.

 event_id : 4799

Event ID 11

Searching now through Sysmon logs (logs-endpoint-winevent-sysmon-* index) – let's catch any ps1 files caught to writable and monitored disk locations.

• 11 - File Create

event_id : 11 and *.ps1

Full-Text Searching

Let's also search for GitHub.

github*

Results: PowerShell events calling scripts from GitHub, DNS queries captured via Sysmon logs.

Reasonable & Actionable Life-cycle Adjustments

After the hunting expedition, you may have found multiple methods of identification of similar invocations. Think about the LifeCycle adjustments that might be necessary if your goal was to identify or block the invocation of the Bloodohound data collector. Solutions:

1. Limit outbound access to GitHub unless access controlled.
2. Restrict PowerShell and CMD with AppLocker.
3. Trigger using SIGMA rules.

You have completed this lab.