This is a bit of an odd one.
While on an assessment, I was tasked with evading detection from an external perspective. I noticed some weird things this industry is doing to make external evasion easier for us attackers. As usual, I could be entirely wrong.
Perhaps one of the largest issues when it comes to SIEM is noise. In other words, a ton of offenses that are false positives or not of any business concern. Generally speaking, this is where companies will 'tune' a SIEM. This involves creating rule sets, specifying thresholds, etc.
When it comes to the Internet, there is A LOT of noise. Honestly, a large portion of the noise is automated garbage. Regardless, I found that it created an interesting opportunity. Call it 'an Aha! moment'.
Hiding in plain sight?
Remember that time scanning behind Tor was cool? I do. The issue is that 'next-gen' stuff got smart and started flagging traffic from known Exit Nodes. Same goes for a lot of the free SOCKS proxies out there. With the latest advancement in sharing IPs known for stuff, hiding behind other IPs got difficult*.
* Note that I did not say it was impossible.
Naturally, I got curious. I wondered if I, with just a standard nmap scan, could be low and slow enough to hide within the general noise of the Internet. Sadly, I did. Many infosec veterans and nmap gurus will already know how (go ahead and Google the term 'nmap firewall evasion'...you'll get a ton of results). Nmap has this amazing
-T is for timing template) option. The following scan was run:
nmap -sS -T2 -p 21,22,23,80,443,8080,8888,8443 --randomize-hosts --data-string "I'm scanning you.....I'm scanning you....." xxx.xxx.xxx.xxx/24
This is an INCREDIBLY basic scan. Just an TCP SYN scan with a few ports, randomizing the order hosts are scanned in, appending a data string, and a low timing.
Additionally, here is the entire 'Timing' section from nmap's man page if you are curious:
TIMING AND PERFORMANCE: Options which take <time> are in seconds, or append 'ms' (milliseconds),'s' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). -T<0-5>: Set timing template (higher is faster) --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes --min-parallelism/max-parallelism <numprobes>: Probe parallelization --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time. --max-retries <tries>: Caps number of port scan probe retransmissions. --host-timeout <time>: Give up on target after this long --scan-delay/--max-scan-delay <time>: Adjust delay between probes --min-rate <number>: Send packets no slower than <number> per second --max-rate <number>: Send packets no faster than <number> per second
When discussing with the client, it became known that I had not been detected--even though I ran a ton of scans. After a few further inquiries, they saw me being detected by the firewall, however, zero (0) offenses in their SIEM were created. Why? It was too slow. By time I would scan either another host or hit another port, another %something% would scan them externally.
There's no way this is consistent, right? Surely this is just this one client over tuning their SIEM. Yea, I thought that too. Then I tried this on another client's external range...and another one. Sure enough, they saw firewall logs noticing scanning behavior, however, nothing consistent to create an alert on.
It was interesting to me that, with all the time and money spent on SIEM and the like, evading it was way too easy. Sadly, it seems that as we increase attack complexity, evading defenses is strangely getting...easier?
Edit: I did this on two internal assessments and their SIEM also did not register an actual offense. Nothing like missing targeted scanning because it's so low and slow that enabling being able to see it would overwhelm people.
Hey...wait. We're just talking about not seeing scans...
Please keep in mind that detection was only not observed for scanning activity. Just because you were not observed scanning a network does not mean that you won't be if you pop a shell remotely.
On a side note, I would have thought in 2017 that we'd be able to detect scanning activity regardless of some weird timing intervals.
I'm honestly curious to know if anyone that reads my blog has done/tried this. What were your results? What kind of scan did you run?
Thank you for stopping by and reading!