As promised, here is part two of this blog, with some ideas, thoughts and suggestions for looking at artifacts on Linux and Mac systems.
We have recently seen an uptick in attackers changing time to cover their tracks; see this brilliant post from Rick McElroy discussing data integrity, in particular how it involves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle.
When I read things like this I start to think about how we can turn them around and use them as an identifier for potentially malicious activity. We should all be using NTP across our environments, so I'd like to know if time has changed on an endpoint. As an exercise I would log onto servers with Carbon Black Enterprise EDR installed and try different ways of changing the time: what happens? What events do I get in my console? How does this differ from a genuine time slip?
As we are talking here about Live Query, though, what is left behind after the event to tell me this happened? We could use the yara table to search the messages files for logs related to time changes; in this instance a chronyd log shows 'time jump detected'.
This example was actually on a virtual machine that is often turned off, but you can see how a time change followed by a change back might raise an eyebrow; you wouldn't pick this up by looking at the local time before or after the event.
One of my favorite hacks, which I've used for 20 years to move around networks, is SSH tunnelling. You increasingly find that this is deactivated by default but really easy to enable; as above, you could use yara to check the /etc/ssh/sshd_config file for 'AllowTcpForwarding yes'. We might also consider why a Linux server would make an RDP connection unless it is an SSL VPN appliance.
On this occasion, by a pure stroke of luck, I forgot to limit the query to my Linux server and managed to pick up the endpoint making the connection. Note the Windows device making a connection to the remote address 127.0.0.5: is that normal in your environment, or has it triggered your curiosity? You could add 'AND remote_address LIKE "127.0.0.%"', before the semicolon of course.
It's quite rare to encounter customers that don't block root user access and rely on elevating privileges. My go-to elevation is normally 'sudo bash': one command and I have an elevated shell, and all subsequent commands are running as root. I would want to understand what is normal for sudoers in my environment and keep an eye on any changes, especially ones that can give privileges beyond a limited subset. Note here I am excluding root and the wheel group but want to know about anyone else that has full privilege escalation.
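One way to express that check, added here as an example rather than taken from the original post or from Carbon Black's built-in queries, assumes the osquery `sudoers` and `users` tables that Live Query exposes and joins them so you can see whether each grantee is a real login account:

```sql
-- Sudoers rules that grant blanket "ALL=(ALL) ..." rights, excluding
-- root and the wheel group, joined to the local user table so the
-- result shows whether the grantee actually exists and which shell it has.
-- Table and column names are those of osquery's sudoers and users tables.
SELECT
    s.source,        -- file the rule was read from (/etc/sudoers or a sudoers.d drop-in)
    s.header,        -- user, or %group, the rule applies to
    s.rule_details,  -- the remainder of the rule, e.g. ALL=(ALL) NOPASSWD: ALL
    u.uid,
    u.shell
FROM sudoers s
LEFT JOIN users u ON u.username = s.header
WHERE s.rule_details LIKE 'ALL=(ALL%'
  AND s.header NOT IN ('root', '%wheel')
ORDER BY s.source, s.header;
```

Run it against a known-good baseline first; any new row, or a row whose `shell` is a system shell like /sbin/nologin, is the kind of change worth a closer look.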
I'm always of the opinion that it is best to hide in plain sight. With that view, a glance through a list of users on a Unix-based system shows bin, daemon, sync, dbus; who is going to notice a user 'sbin'? It's a system binary directory, you see this all the time, there's nothing odd about that...
The user isn't going to be much use to me with a shell of /sbin/nologin, though. There's an inbuilt query to help here; it is interesting to note that "Carbon Black recommends that you run this query daily". You have been warned, know your users!
I am thinking that in a server segment, or at least in an on-premise environment, we will have a fairly static list of IP to MAC address mappings. There is nothing new about ARP cache poisoning, but as earlier, if I wanted to change time or direct a user to a different location then an NTP or DNS server switch would be awesome. Who knows, now that we are all at home this might be easier than it has ever been? This query could be built out to include a list of servers, default gateway, DNS, NTP and DC, to name a few.
I hope this blog has given you a flavour of what is possible with Live Query. I have deliberately kept most of the queries quite simple, but using table joins you can get some really funky queries and results. Don't stop at thinking about security: troubleshooting issues or figuring out how many laptops have low-spec CPUs are all par for the course. Throughout the two posts I have been trying to think about security threats and turn them on their head: where do we see adversaries showing their hand? For example, now that we know time changes are an issue, how can I monitor and prevent this happening?
As a next step I would also encourage anyone to check out what's possible when we combine multiple queries and use our API to push queries and pull reports; it is really powerful from an incident response perspective. https://github.com/quincy7386/queryPacks