Today, we’re announcing a new open-source contribution from Stamus Networks - a Suricata ruleset specifically focused on detecting lateral movement in Microsoft Windows environments. Lateral movement is a technique that cyber attackers use to expand their network presence in search of sensitive data and high-value assets.
Editorial Note: See subsequent blog post, Threat Hunting with the Open Lateral Movement Ruleset for Suricata, for more information.
During the course of the year, the Stamus Networks team participates in a number of trainings, workshops, and some of the biggest NATO live-fire cyber exercises. And of course, we regularly work with our customers to identify threats, compromises and unauthorized activity on their networks.
We incorporate a lot of knowledge from the field directly into our products.
We want to share this knowledge with blue teams around the globe to help out in any way we can. As such, we contribute many useful open-source tools, analytics dashboards and visualizations on our GitHub repository: https://github.com/StamusNetworks
We are proud to now offer an open and free lateral detection ruleset for the Suricata community (specifically, those using version 6.0.6 and later).
What is the Ruleset and What’s In it?
The ruleset currently includes nearly 500 Suricata detection signatures highlighting SMB/DCERPC-related network activities.
The ruleset provides another abstract hunting layer on top of the detected SMB/DCERPC events. A few examples of the detections include:
- Remote creation of a net share
- Remote creation of scheduled tasks
- Remote creation of a service
- Remote installation of a printer driver
- DC enumeration
The ruleset is focused on highlighting and detecting Red Team or APT movements in Windows SMB/DCERPC network environments.
Detection of remote configuration changes is possible thanks to Suricata’s recent SMB and DCERPC logging improvements, which allow for easier alerting and provide more flexible detection. Remote configuration is not common in organizations, and some of these operations are used far more often by attackers than by regular administrators.
In the SMB event below produced by Suricata (event_type:smb) we can see an example of a successful printer driver installation.
Since this is an SMB protocol log, we can also write a rule that will alert on any such occurrence.
From this reference, we can construct the following signature which is designed to detect the installation of a printer driver:
alert smb any any -> $HOME_NET any ( msg: "SN MS-RPRN service - RpcAddPrinterDriverEx"; flow: to_server, established; dcerpc.iface:12345678-1234-ABCD-EF00-0123456789AB; dcerpc.opnum:89; flowbits:set,stamus.rprn.service.RpcAddPrinterDriverEx; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/848b8334-134a-4d02-aea4-03b673d6c515; metadata:lateral_key dcerpc.iface, lateral_function RpcAddPrinterDriverEx, lateral_asset src_ip, stamus_classification stamus_critical_lateral, provider Stamus, created_at 2022_04_03, updated_at 2022_04_03; target:dest_ip; sid:3115579; rev:1;)
The example signature below will trigger on a remote “OpenClassesRoot” call, which opens the HKEY_CLASSES_ROOT hive of the registry (see https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key).
This operation highlights the remote opening of a section of the Windows machine's registry that holds default configuration settings applying to all users, or to the interactive user, on the local machine. By itself, that can indicate lateral movement if, for example, it comes from an unexpected location on the network.
alert smb any any -> $HOME_NET any ( msg: "SN MS-RRP service - OpenClassesRoot"; flow: to_server, established; dcerpc.iface:338CD001-2244-31F1-AAAA-900038001003; dcerpc.opnum:0; flowbits:set,stamus.rrp.service.OpenClassesRoot; reference:url,https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/053e8515-dbae-47ea-a7c6-6dc054e3a48f; metadata:lateral_key dcerpc.iface, lateral_function OpenClassesRoot, lateral_asset src_ip, stamus_classification stamus_lateral, provider Stamus, created_at 2022_03_23, updated_at 2022_03_27; target:dest_ip; sid: 3115137; rev:1;)
The example signature below will trigger on a remote “NetrJobAdd” call, which adds a single AT task to the server's task store.
In other words, we can highlight the remote addition of a scheduled task to a Windows machine. It is especially interesting when done from an unexpected location or user account, and it is also commonly used by malware actors for persistence.
alert smb any any -> $HOME_NET any ( msg: "SN MS-TSCH service - ATSvc NetrJobAdd"; flow: to_server, established; dcerpc.iface:1FF70682-0A51-30E8-076D-740BE8CEE98B; dcerpc.opnum:0; flowbits:set,stamus.tsch.service.ATSvcNetrJobAdd; reference:url,https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/4d44c426-fad2-4cc7-9677-bfcd235dca33; metadata:lateral_key dcerpc.iface, lateral_function NetrJobAdd, lateral_asset src_ip, stamus_classification stamus_critical_lateral, provider Stamus, created_at 2022_03_23, updated_at 2022_03_27; target:dest_ip; sid:3115113; rev:1;)
Where to get the Ruleset
You may access the ruleset on the Stamus Labs threat intelligence server here:
https://ti.stamus-networks.io/open/stamus-lateral-rules.tar.gz
https://ti.stamus-networks.io/open/stamus-lateral-rules-checksum.txt
LICENSE:
The "Lateral Movement Detection Ruleset for Suricata" from Stamus Labs is free threat intelligence: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3.0-or-later of the License. Read the terms here >>
sha256: 02117e28def7125933848107499b14f672023d18513de4b21ad5422c6815f98a
Feedback is welcome in our public and free Discord channel:
https://discord.com/channels/911231224448712714/911238451842666546
Suricata provides other related logs
When a signature from this lateral movement ruleset triggers an alert, it is useful to review the SMB and/or DCERPC transaction logs and the flow logs that belong to the same connection. As we have written in many articles on this blog, Suricata produces not only IDS alerts but also protocol transaction logs, flow records, full packet capture and extracted files.
Suricata produces all relevant network security monitoring logs: protocol, flow, file transaction, and anomaly logs, including the ones related to an alert - but also independent of alerts. In the regular JSON logs that Suricata generates (eve.json), you will find something called “flow_id” that correlates the network protocol data and evidence that Suricata has logged - to an alert event and that alert’s metadata.
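To show what the signatures above actually match on, and how the flow_id ties an alert back to its SMB/DCERPC transaction and flow record, here is an added Python example; it is not part of this post or of the ruleset. The (interface UUID, opnum) pairs are taken from the three signatures quoted above. The eve.json lines are constructed, and their field layout (flow_id, event_type, a dcerpc object either top-level or under smb, with request, opnum and interfaces, plus alert.signature_id) follows the Suricata eve schema as an assumption, so check the field names against the output of your own Suricata version. One caveat the code makes explicit: the interface UUID is logged on the BIND and the opnum on the REQUEST, so a request on a connection whose bind was never observed cannot be attributed to an interface, which is also why the rule needs the whole established flow.

```python
import json
from collections import defaultdict

# (interface UUID, opnum) -> operation name. The pairs are the ones used by the
# three signatures quoted in the post; UUIDs are lower-cased because eve.json
# logs them in lower case while the rules write them in upper case.
LATERAL_OPERATIONS = {
    ("12345678-1234-abcd-ef00-0123456789ab", 89): "MS-RPRN RpcAddPrinterDriverEx",
    ("338cd001-2244-31f1-aaaa-900038001003", 0): "MS-RRP OpenClassesRoot",
    ("1ff70682-0a51-30e8-076d-740be8cee98b", 0): "MS-TSCH NetrJobAdd",
}

# Constructed eve.json lines (not real Suricata output); the field layout is an
# assumption based on the eve smb/dcerpc, flow and alert schemas. Flow 1001 binds
# MS-RPRN over an SMB named pipe and then calls opnum 89; flow 1002 binds MS-RRP
# over TCP/135 but calls an opnum the table does not list; flow 1003 is a request
# whose BIND was never observed.
SAMPLE_EVE = "\n".join([
    '{"flow_id":1001,"event_type":"smb","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","smb":{"command":"SMB2_COMMAND_IOCTL","dcerpc":{"request":"BIND","response":"BINDACK","interfaces":[{"uuid":"12345678-1234-abcd-ef00-0123456789ab","version":"1.0","ack_result":0}]}}}',
    '{"flow_id":1001,"event_type":"smb","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","smb":{"command":"SMB2_COMMAND_IOCTL","dcerpc":{"request":"REQUEST","response":"RESPONSE","opnum":89,"call_id":2}}}',
    '{"flow_id":1001,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","alert":{"signature_id":3115579,"rev":1,"signature":"SN MS-RPRN service - RpcAddPrinterDriverEx"}}',
    '{"flow_id":1001,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":445,"proto":"TCP"}',
    '{"flow_id":1002,"event_type":"dcerpc","src_ip":"10.0.0.7","dest_ip":"10.0.0.20","dcerpc":{"request":"BIND","response":"BINDACK","interfaces":[{"uuid":"338cd001-2244-31f1-aaaa-900038001003","version":"1.0","ack_result":0}]}}',
    '{"flow_id":1002,"event_type":"dcerpc","src_ip":"10.0.0.7","dest_ip":"10.0.0.20","dcerpc":{"request":"REQUEST","response":"RESPONSE","opnum":6,"call_id":1}}',
    '{"flow_id":1003,"event_type":"dcerpc","src_ip":"10.0.0.9","dest_ip":"10.0.0.20","dcerpc":{"request":"REQUEST","response":"RESPONSE","opnum":0,"call_id":1}}',
])


def parse_eve(text):
    """Parse newline-delimited eve.json into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dcerpc_part(event):
    """Return the dcerpc sub-object whether it was logged as a bare dcerpc event
    (RPC over TCP/135) or nested inside an smb event (RPC over a named pipe)."""
    if event.get("event_type") == "dcerpc":
        return event.get("dcerpc")
    if event.get("event_type") == "smb":
        return event.get("smb", {}).get("dcerpc")
    return None


def find_lateral_requests(events):
    """Mirror what dcerpc.iface + dcerpc.opnum do in a rule: remember the interfaces
    accepted on each flow's BIND, then flag REQUESTs whose (iface, opnum) is in the
    table. A REQUEST on a flow with no observed BIND cannot be attributed and is skipped."""
    bound = defaultdict(set)  # flow_id -> set of accepted interface UUIDs
    hits = []
    for ev in events:
        rpc = dcerpc_part(ev)
        if not rpc:
            continue
        flow_id = ev.get("flow_id")
        if rpc.get("request") == "BIND":
            for iface in rpc.get("interfaces", []):
                if iface.get("ack_result", 0) == 0:  # only accepted contexts count
                    bound[flow_id].add(iface["uuid"].lower())
        elif rpc.get("request") == "REQUEST":
            for iface in bound.get(flow_id, ()):
                name = LATERAL_OPERATIONS.get((iface, rpc.get("opnum")))
                if name:
                    hits.append({"flow_id": flow_id, "src_ip": ev.get("src_ip"),
                                 "dest_ip": ev.get("dest_ip"), "iface": iface,
                                 "opnum": rpc.get("opnum"), "operation": name})
    return hits


def events_for_flow(events, flow_id):
    """Group every event sharing a flow_id by event_type: the pivot an analyst uses to
    pull the smb/dcerpc transaction and the flow record that belong to an alert."""
    grouped = defaultdict(list)
    for ev in events:
        if ev.get("flow_id") == flow_id:
            grouped[ev["event_type"]].append(ev)
    return dict(grouped)


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    for hit in find_lateral_requests(evs):
        print(f"flow {hit['flow_id']}: {hit['src_ip']} -> {hit['dest_ip']} "
              f"{hit['operation']} (opnum {hit['opnum']})")
        related = events_for_flow(evs, hit["flow_id"])
        print("  related event types:", ", ".join(sorted(related)))
```

Run it as a script and it reports only flow 1001 (the printer driver installation) with its smb, alert and flow events; flow 1002 is ignored because the opnum is not in the table, and flow 1003 because no BIND was seen on that connection. Pointing parse_eve at a real eve.json instead of the constructed sample turns it into a quick offline cross-check of what the ruleset would flag.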
To read more about this, check out the related article, "Suricata Myth Busting: Alerts and NSM" here: https://www.stamus-networks.com/blog/suricata-myths-alerts-and-nsm
Happy hunting and make ’em sweat!