script:x509_ext_c2

Differences

script:x509_ext_c2 [2018/02/08 23:11] veera
script:x509_ext_c2 [2018/02/08 23:51] – [Analysing the sample PCAP in Trisul] veera
Line 11: Line 11:
 Trisul extracts metadata from network traffic and makes them available to LUA Scripts. There are two //streams// your scripts can plug into.  Trisul extracts metadata from network traffic and makes them available to LUA Scripts. There are two //streams// your scripts can plug into. 
  
-- the Resource stream:  these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers +  - the **Resource** stream:  these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers 
-- the FTS stream: a nearly complete dump of the meta data. The DNS FTS stream would be a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command.+  - the **FTS** stream: a complete text dump of the meta data. The DNS FTS stream would be a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command.
  
 +You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events, Trisul provides a text document. 
  
- it takes different approach than Bro IDS  Instead of providing fine grained  "eventslike Bro, Trisul dumps the meta data into canonical text formatThen the LUA script writer has to extract the +==== Analysing the sample PCAP in Trisul ==== 
 + 
 +The researchers have provided [[https://github.com/fideliscyber/x509|sample PCAP file containing a POC]] of the channel (( GitHub page of POC https://github.com/fideliscyber/x509)). If you import the PCAP file into Trisul using ''trisulctl_probe importpcap mimikatz_sent.pcap'' and navigate to SSL Certs FTS and then search for Key" you can see the certificates in full text format. This is shown below. 
 + 
 + 
 +{{:script:big_ski-fts.png}} 
 + 
 + 
 +Next you have to write a small LUA script that plugs into the FTS SSL Certs Stream. Your script will then get a chance to peek at each certificate //out of the fast packet path// By moving this out of the //Fast Packet Path// (For more on Fast Path and Slow Path in Trisul LUA API see [[https://www.trisul.org/docs/lua/basics.html#stream_processing|"Stream Processing"]])) Trisul gives your scripts a large time budget a few seconds to process without incurring packet loss.  The Trisul LUA API provides the [[https://www.trisul.org/docs/lua/fts_monitor.html|FTS Monitor script]] for exactly this purpose. 
 + 
 +I just put together quick [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/fts/c2-x509-fts.lua|FTS Monitor LUA script on GitHub]] that demonstrates how you can pick apart the cert using a simple regex. The snippet is shown below 
 + 
 +<code lua> 
 +    -- WHEN CALLED : a new FTS Document (X509 Cert) is seen 
 +    onnewfts  = function(engine, fts ) 
 + 
 +      local _,_,ski = fts:text():find("X509v3 Subject Key Identifier:%s*(%S+)")  
 +      if ski and ski:len() > 32 then  
 +        T.count = T.count + 1 
 +        local hexski = ski:gsub("[:%s]",""
 +        local outf = io.open("/tmp/c2ski-"..engine:instanceid().."-"..T.count,"w"
 +        outf:write(hexski:hex2bin()) 
 +        outf:close() 
 +      end  
 + 
 +    end, 
 +</code> 
 + 
 +What the above code snippet does is  
 + 
 +  - Use a Regex to capture the bytestring in // X509v3 Subject Key// 
 +  - If the SKI extension is greater than 32 characters then we suspect something fishy. You may even generate an alert at this point using the ''engine:add_alert(..)'' method.  
 +  - Open a tmp file the convert the hex to binary and dump the contents there.  
 + 
 + 
 +If you place this script in the LUA folder ''/usr/local/etc/trisul-probe/plugins/lua'' and re-run the PCAP file, then you would get a number of files in the tmp folder containing chunks of the Mimikatz binary. When you run the //file// command you can see the chunk that contain the PE Header show up. You can also do this as part of the script itself. 
 + 
 +{{:script:mimi1.png|}} 
 + 
 + 
 +  
 +==== Reassembling the Mimikatz payload ==== 
 + 
 +This is a bit of a fun task. The C2  technique uses about 70+ certificates to transfer a payload of 785KB. The big issue for us is that the certificates show up in different TCP flows. It is a lot easier to do the reassembly in Network Miner or Wireshark but in live traffic analytics like Trisul the flows can go to different CPU/threads due to load balancing and there are no hints in the packets itself to order the payloads. The best option is to dump the chunks and then manually ''cat'' them later using a timestamp as a loose ordering. 
 + 
 + 
 +===== More about the Trisul Lua API ===== 
 + 
 +The Trisul LUA API allows you to build your own real time analytics tools on top of the Trisul platform. Note that Trisul is Free to use forever, except that if you are using the Web Interface and Database backend, then only the most recent 3 days can be reported on.   
 + 
 +The [[https://github.com/trisulnsm/trisul-scripts|trisul-scripts GitHub repo]] contains dozens of example scripts of all kinds. The Documentation is Open and Free to use for all. Give it a go. 
 + 
 + 
 + 
 + 
  
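Review bot: the Lua snippet in the added `<code lua>` block will not load as written, because two calls are missing their closing parenthesis: `local hexski = ski:gsub("[:%s]","")` and `local outf = io.open("/tmp/c2ski-"..engine:instanceid().."-"..T.count,"w")`. The size check is also worth a second look: the text above says the FTS document mirrors `openssl x509` output, and in that format a standard 20-byte Subject Key Identifier is printed as 59 characters (40 hex digits plus 19 colons), so `ski:len() > 32` would flag ordinary certificates as well; comparing the colon-stripped `hexski:len()` against 40 matches the "larger than a normal SKI" intent described in the numbered list. Two smaller points: `io.open` returns nil on failure (for example if the tmp directory is not writable), so `outf:write` should be guarded by a nil check, and `hex2bin` is not a method of the standard Lua string library, so the prose should say it comes from the Trisul LUA API.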
script/x509_ext_c2.txt · Last modified: 2024/06/05 10:49 by thiyagu