Fastening the Seatbelt on... Threat Hunting for Seatbelt


Quick blog entry on detections for the Ghostpack discovery/reconnaissance tool Seatbelt.

This entry focuses on command-line parameters that can be caught even if the executable itself is renamed; if I have time, we can delve into other event log artefacts another time.

From the Seatbelt GitHub repo:

Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

So essentially what the tool does is retrieve local system information that might have security or safety implications.

In terms of commands that can be tacked on to Seatbelt, there are a ton of options.

But what we are going to focus on here is the command groups, which break the many, many available commands down into categories, so we have: All, User, System, Slack, Chromium, Remote, Misc.

The groups above are invoked like this; for example, to run all checks:

Seatbelt.exe -group=all

And so on and so forth. As well as specifying a group of checks to run, an adversary is also going to want to specify an output file, as otherwise they will be left scrolling back through screenfuls of dense text in their Windows terminal.

Let's combine both of these into an executable-name-agnostic detection for Splunk:

index=<winlogs-index> EventCode=4688 Process_Command_Line IN (*-group\=all, *-group\=user, *-group\=system, *-group\=slack, *-group\=chromium, *-group\=remote, *-group\=misc, *-outputfile\=\"*.json\", *-outputfile\=\"*.txt\")
| stats min(_time) as earliest max(_time) as latest values(Process_Command_Line) AS Process_Command_Line BY Account_Name New_Process_Name ComputerName
| convert ctime(earliest) ctime(latest)
| table earliest latest ComputerName Account_Name New_Process_Name Process_Command_Line

Please note the escaped "=" in the SPL and the liberal sprinkling of necessary asterisks.
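As an added example that is not part of the original post, here is the same detection logic in Python, run over constructed 4688 records rather than real telemetry: it translates the escaped SPL wildcard terms into anchored, case-insensitive regexes (which is what Splunk's IN(...) match does) and reproduces the stats aggregation by account, process path and host. The event field names are the ones used in the SPL above; the sample hostnames, users and paths are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# The IN(...) list from the SPL, kept in Splunk's escaped wildcard syntax.
SPL_TERMS = [
    r"*-group\=all", r"*-group\=user", r"*-group\=system", r"*-group\=slack",
    r"*-group\=chromium", r"*-group\=remote", r"*-group\=misc",
    r'*-outputfile\=\"*.json\"', r'*-outputfile\=\"*.txt\"',
]

def spl_wildcard_to_regex(term):
    """Anchored, case-insensitive regex for one SPL wildcard term: Splunk matches the
    whole field value, '*' is any run of characters, '\=' and '\"' are literal."""
    literal = term.replace(r"\=", "=").replace(r'\"', '"')
    body = ".*".join(re.escape(piece) for piece in literal.split("*"))
    return re.compile(rf"^{body}$", re.IGNORECASE)

PATTERNS = [spl_wildcard_to_regex(t) for t in SPL_TERMS]

def is_seatbelt_cmdline(cmdline):
    """True when the command line ends in a Seatbelt -group= or -outputfile= switch."""
    return any(p.match(cmdline) for p in PATTERNS)

def hunt(events):
    """Mirror the SPL: keep matching 4688s, aggregate by (Account_Name, New_Process_Name, ComputerName)."""
    rows = defaultdict(lambda: {"earliest": None, "latest": None, "cmdlines": set()})
    for ev in events:
        if ev["EventCode"] != 4688 or not is_seatbelt_cmdline(ev["Process_Command_Line"]):
            continue
        ts = datetime.fromisoformat(ev["_time"].replace("Z", "+00:00"))
        row = rows[(ev["Account_Name"], ev["New_Process_Name"], ev["ComputerName"])]
        row["earliest"] = ts if row["earliest"] is None else min(row["earliest"], ts)
        row["latest"] = ts if row["latest"] is None else max(row["latest"], ts)
        row["cmdlines"].add(ev["Process_Command_Line"])
    return dict(rows)

# Constructed sample records (not real telemetry); the renamed binary still gives itself away.
FIELDS = ("EventCode", "ComputerName", "Account_Name", "New_Process_Name", "Process_Command_Line", "_time")
SAMPLE_EVENTS = [dict(zip(FIELDS, rec)) for rec in [
    (4688, "WS01", "jdoe", r"C:\Users\jdoe\Downloads\Seatbelt.exe",
     "Seatbelt.exe -group=all", "2024-01-15T10:00:00Z"),
    (4688, "WS01", "jdoe", r"C:\Temp\svchost_update.exe",
     r'svchost_update.exe -group=user -outputfile="C:\Temp\out.json"', "2024-01-15T10:05:00Z"),
    (4688, "WS01", "jdoe", r"C:\Temp\svchost_update.exe",
     "svchost_update.exe -group=system", "2024-01-15T10:09:00Z"),
    (4688, "WS02", "svc_backup", r"C:\Windows\System32\notepad.exe",
     r"notepad.exe C:\notes.txt", "2024-01-15T10:02:00Z"),  # benign: .txt but no -outputfile=
    (4689, "WS01", "jdoe", r"C:\Temp\svchost_update.exe",
     "svchost_update.exe -group=misc", "2024-01-15T10:11:00Z"),  # not a 4688, ignored
]]
```

Calling hunt(SAMPLE_EVENTS) yields two rows, one per process path, with the renamed binary's row spanning 10:05 to 10:09 and carrying both of its command lines.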

You may get some false positives depending on how many programs you run that use a command-line syntax similar to the one outlined above; testing will be required in your environment.

If it works, you wind up with something like this:

Happy hunting everyone.
