Hunting for Raspberry Pis in your Tanium Discover Data using the Tanium Cribl Pack

Bad actors can hide almost anywhere, but the most cunning place for a Bad Actor to hide is in Plain Sight. A common tactic for Bad Actors and Penetration Testers alike is to walk into a building, find an empty port under a desk and leave a tiny computer behind to act as a Jump Box. As Network Defenders, how do we protect against these tiny hidden machines in our Network? One way is to look under every desk in your building, but who has time for that? Instead, what if we had the tools to run scans against our environment and alert on that data in a SIEM?

Enter Tanium Discover and Cribl Logstream! Using Tanium Discover data we can easily see rogue endpoints in our environment, and today we’ll walk through how to do exactly that. Most Raspberry Pis will end up being remoted into by their owners, or at least have that capability turned on, so let’s use Tanium Discover to scan our network for port 22 and look for Raspberry Pis.

To get started, open Tanium Discover (if you do not own this module, talk to your TAM about pricing or to request a demo). In Discover you are going to set up, or configure an existing, profile called NMAP Scan. Discovery Method will be set to Level 4. You are going to choose Top 1000 Ports. If you also want to look for Wild XbOxen on your network (xboxes), you can choose Top 1000 ports plus specified ports and add port 3074 (you might want to do this if you need to remain NDAA Compliant). It’s also probably not a bad idea to add port 23 (Telnet), because who wants that in their network anyway?

For simplicity, under Scan Inclusions I chose “All Networks”. If you only want to scan specific networks, you can specify them here. Under “Excluded Networks” you probably want to check “Isolated Subnets/Systems”. Under Schedule, choose a time that you and the Network owners are comfortable with. I chose 4 hours and to distribute over 2 hours (we don’t want to DDoS ourselves, after all, do we?). Finally, under “Scan Window” you can leave this unchecked if you are okay scanning the network during business hours. If you or your stakeholders are not okay with that, then check “Start scans during the specified time frames” and choose times that work for you to scan.

Note:

Choosing to only scan during non-business hours may leave you with some Blind Spots since many people may turn their computers off after hours.

So now that we have this data in Tanium, how do we get it into a system of analysis? That’s where Cribl comes in. You can create a Tanium Connect Job as described in this article: https://cjapi.io/2021/11/tanium-connect-jobs-to-cribl-logstream/ This time, though, you will choose “Tanium Discover” as the source and “Unmanageable” as the Report.

You can then import the Tanium Cribl Pack found here: https://github.com/administrativetrick/cribl-tanium-events
Using the Tanium Cribl Pack, you can use the Discover Pipeline found inside to send data from the Tanium Discover Connect job you created above into your preferred analysis tool. Once you have the data in your analysis tool, look at the MacOrganization field for a value of “Raspberry Pi”.
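To show what that lookup turns into once the Discover data is flowing, here is an added example written for this article. It is plain JavaScript, the same language Cribl pipeline functions are written in, but it is illustration code and not the Discover Pipeline shipped in the Tanium Cribl Pack. Only the MacOrganization field name comes from the article; IPAddress, MacAddress and Ports are assumed field names, and the records themselves are constructed. It flags the Raspberry Pi OUI match described above, and also the SSH, Telnet and Xbox ports the scan profile was told to look for, so a device that does not carry the Pi vendor string still gets a medium-severity hit.

```javascript
// Added example for this article, not code from the Tanium Cribl Pack.
// Flags likely Raspberry Pi (and other unwanted) endpoints in Tanium Discover
// "Unmanageable" records on their way to the SIEM. Only MacOrganization is a
// field name taken from the article; IPAddress, MacAddress and Ports are
// assumed names for this example.

// Constructed sample records shaped like events a Discover -> Connect -> Cribl
// job might emit. Addresses, MACs and vendor strings are made up.
const sampleRecords = [
  { IPAddress: "10.10.5.23", MacAddress: "dc:a6:32:00:00:01", MacOrganization: "Raspberry Pi Trading Ltd", Ports: "22,80" },
  { IPAddress: "10.10.5.40", MacAddress: "b8:27:eb:00:00:02", MacOrganization: "Raspberry Pi Foundation", Ports: "" },
  { IPAddress: "10.10.7.9",  MacAddress: "00:50:56:00:00:03", MacOrganization: "VMware, Inc.", Ports: "443" },
  { IPAddress: "10.10.8.77", MacAddress: "7c:ed:8d:00:00:04", MacOrganization: "Microsoft", Ports: "3074" },
  { IPAddress: "10.10.9.2",  MacAddress: "00:1a:2b:00:00:05", MacOrganization: "Example Switch Co", Ports: "23, 161" },
];

// The ports the article suggests scanning for: SSH (22), Telnet (23), Xbox (3074).
const PORTS_OF_INTEREST = { 22: "ssh", 23: "telnet", 3074: "xbox-live" };

// Open ports arrive as a comma-separated string in this example; tolerate
// blanks, stray spaces and non-numeric entries.
function parsePorts(portField) {
  if (!portField) return [];
  return String(portField)
    .split(",")
    .map((p) => parseInt(p.trim(), 10))
    .filter(Number.isInteger);
}

// MacOrganization is a vendor (OUI) lookup of the MAC address, and the Pi
// vendor appears under more than one name in the OUI registry, so match the
// phrase rather than the exact string "Raspberry Pi".
function isRaspberryPi(record) {
  return /raspberry\s*pi/i.test(record.MacOrganization || "");
}

// Return an enriched copy of the record with the reasons it matched, or null
// when nothing matched. The same logic could live in a Cribl Eval function.
function classify(record) {
  const openPorts = parsePorts(record.Ports);
  const reasons = [];
  if (isRaspberryPi(record)) reasons.push("mac_org_raspberry_pi");
  for (const port of openPorts) {
    if (PORTS_OF_INTEREST[port]) reasons.push(`open_${PORTS_OF_INTEREST[port]}`);
  }
  if (reasons.length === 0) return null;
  return {
    ...record,
    open_ports: openPorts,
    rogue_reasons: reasons,
    // A Pi OUI is the strong signal; an open service alone is worth a look.
    severity: isRaspberryPi(record) ? "high" : "medium",
  };
}

// Everything the SIEM alert would be built on, in input order.
function findRogueCandidates(records) {
  return records.map(classify).filter((hit) => hit !== null);
}

// Stand-alone run: print one line per candidate.
for (const hit of findRogueCandidates(sampleRecords)) {
  console.log(`${hit.IPAddress} ${hit.MacOrganization} [${hit.severity}] ${hit.rogue_reasons.join(",")}`);
}
```

Two things to keep in mind when you turn this into an alert. MacOrganization is only as good as the MAC address Discover saw: a Pi plugged in through a USB Ethernet adapter, or with a changed MAC, will show the adapter's vendor instead, which is why the port-based reasons are kept as a second net rather than filtered out. And a "high" hit is a reason to go and look under that desk, not proof on its own; the physical check is still the final step.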

If you are unsure how to import a Cribl Pack, you can see our article on how to do that here: https://cjapi.io/2021/11/how-to-import-cribl-packs/