March 15

Webinar takeaway – The Ins and Outs of RITA


My key takeaways

  • RITA is made to detect beacons and long connections
    • open source tool
  • Signature-based detection of malicious code is outdated
    • average detection time is over 6 months
    • > 50% of compromised systems are detected by outsiders
  • RITA is behaviour based
    • needs a bunch of packets to work on
    • minimum 1h, default 24h time frame
    • high-security environment: 1 week
    • most commercial tools use just 20 min time frames
  • Requirements are minimal
    • Ubuntu 18 max at the moment
  • Typical setup
    • Zeek to collect data
    • RITA to analyse
    • the RITA installer will install Zeek as well if it is not yet available
  • Zeek puts logs daily into /opt/zeek/logs/
  • Mini run-through as demonstrated
    • mkdir rita
    • wget the install.sh for RITA
    • chmod +x install.sh
    • sudo ./install.sh
    • log out / log in
    • download a pcap, e.g. from https://www.activecountermeasures.com/category/malware-of-the-day/
    • translate the pcap into Zeek logs with zeek -C -r <name.pcap>
    • rita import *.log <name of dataset>
    • it looks like rita is hanging during the import, that's OK
    • rita list shows the databases
    • rita show-beacons <dataset>
      • output: score, source IP, destination IP, number of connections, ...
    • the closer the score is to 1.0, the more certain it is that this is a beacon (a persistent, regularly repeating connection)
    • rita show-strobes <dataset> finds very short and very frequent connections
    • rita show-long-connections <dataset>
    • rita show-exploded-dns <dataset> shows suspicious DNS traffic (domains with very many unique subdomains)
    • rita show-useragents <dataset> finds uncommon user agents; a user agent seen on only a few hosts is worth a look
  • RITA is configured by the file /etc/rita/config.yaml
    • rita test-config | less shows the config read-only
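The run-through above, wrapped in shell functions as an added example (not code from the webinar or from the RITA project). It assumes zeek and rita are on PATH, that rita import accepts a directory of Zeek logs (the webinar used a glob of *.log), and that rita show-beacons prints CSV whose first four columns are score, source IP, destination IP and connection count; the exact column layout differs between RITA versions, so the awk fields may need adjusting. The sample show-beacons rows at the end are constructed, not real RITA output, so the filter can be exercised without a pcap. The log-set check uses the minimum Zeek logs named in the Q&A below.

```shell
#!/bin/sh
# Added example: wraps the pcap -> Zeek -> RITA run-through in functions.
# Not from the webinar or the RITA project. Assumes zeek and rita are on
# PATH, `rita import <dir> <dataset>` accepts a log directory, and
# `rita show-beacons` prints CSV with score, source IP, destination IP and
# connection count as its first four columns (adjust the awk fields if your
# RITA version orders them differently).
set -e

# Minimum Zeek log set RITA needs (conn, dns, http, ssl, x509, known_certs).
# Returns 1 and names the missing files on stderr if any are absent.
check_zeek_logs() {
    dir=$1
    missing=""
    for name in conn dns http ssl x509 known_certs; do
        [ -f "$dir/$name.log" ] || missing="$missing $name.log"
    done
    if [ -n "$missing" ]; then
        echo "missing Zeek logs:$missing" >&2
        return 1
    fi
}

# Read `rita show-beacons` CSV on stdin; print "score src dst connections"
# for rows scoring >= threshold, highest score first. Scores approach 1.0
# for near-perfectly regular connection intervals and sizes.
filter_beacons() {
    awk -F',' -v min="$1" '
        NR == 1 { next }                               # skip CSV header
        ($1 + 0) >= min { printf "%s %s %s %s\n", $1, $2, $3, $4 }
    ' | sort -rn
}

# End-to-end run: pcap -> Zeek logs -> RITA dataset -> high-scoring beacons.
# Usage: hunt_pcap sample.pcap mydataset 0.9
hunt_pcap() {
    pcap=$1
    dataset=$2
    min=${3:-0.9}
    case $pcap in /*) ;; *) pcap=$PWD/$pcap ;; esac   # absolute path for cd
    logdir=$(mktemp -d)
    ( cd "$logdir" && zeek -C -r "$pcap" )     # -C: ignore bad TCP checksums
    check_zeek_logs "$logdir"
    rita import "$logdir" "$dataset"
    rita show-beacons "$dataset" | filter_beacons "$min"
}

# Constructed sample of show-beacons output (not real RITA output), used to
# exercise filter_beacons without a pcap.
SAMPLE_BEACONS='Score,Source IP,Destination IP,Connections,Avg Bytes
0.998,10.0.0.5,203.0.113.7,2880,1024
0.512,10.0.0.9,198.51.100.3,120,700
0.950,10.0.0.12,192.0.2.44,1440,512'

# printf '%s\n' "$SAMPLE_BEACONS" | filter_beacons 0.9
# -> 0.998 10.0.0.5 203.0.113.7 2880
#    0.950 10.0.0.12 192.0.2.44 1440
```

The threshold is a starting point, not a verdict: a 0.95 score on a connection to a software-update host is expected, so each hit still needs the business-need check before it is treated as C2.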

Env

additional links

User comments

  • Chodeng — today at 19:37: Will limiting Zeek's capture to headers only and ignoring the data in the frame (for space/operational considerations) impact RITA's effectiveness?

    wstearns-ACM — today at 19:39: Yes, this will affect RITA. RITA needs payload information to analyze DNS traffic, user agents, etc.

  • Is there a minimum Zeek "verboseness" requirement to effectively use RITA?

    wstearns-ACM — today at 19:40: You need the conn, dns, http, ssl, x509, and known_certs files at a minimum.

Tags

beacon, C2, packet capture, threathunting

