A deep look into a Chinese advanced
attack. Understand it, learn from it
and how to detect and defend
against attacks like this.
Michael Gough – Founder
MalwareArchaeology.com
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where,
When and hopefully How
Creator of
“Windows Logging Cheat Sheet”
“Windows PowerShell Logging Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
Goal
• Interaction – Don’t be a Ding Dong, ask a
question… you WILL be rewarded for positive
synergy!
• Learn how we Ninjas do it so you can too
• New Tool for YOU to use!!!
Why should you listen to me?
• We discovered this in May 2012
• Met with the Feds ;-)
• 2014 - We gave an infected VM to one of the Big IR Firms… They came back “Yup.. It’s clean” #Fail
WINNTI 2014
• Much more “sophisticated” than before
– They updated their approach
– MUCH more complex
– This is NOT your typical P0wnage
• Boy did we catch them in the act
• I am sharing so you can learn how!
History
• WINNTI has been around for 5+ years attacking
the gaming industry
• It is known that Chinese hackers are behind it
– Kaspersky and the Feds
• Not quite State Sponsored, but pretty darned
good
• I would consider this your “typical” APT
• We saw new things each time they attacked
• Maybe it is State Sponsored practicing?
WINNTI 2012 Summary
• Pretty typical
• DLL Injection
– WBEM
– Windows
– System32 – Files stored
– ProgramData – Files stored
• Sysprep Cryptbase.dll exploit
• Boot up back door, deletes on load, writes on shutdown
– Killed by pulling the power ;-)
• New Services installed
• Multiple infections per machine hoping you miss one
WINNTI 2014
• New stuff
• Dude !
• What triggered it?
• What changed?
• Avoided the methods they used before
• Fortunately we were doing REALLY good logging. We are Ninjas after all
WINNTI 2014
• Summary of improvements for WINNTI 2014
– PlugX used as a base, modules added
– DLL injection on SQL Server (5 directories deep)
• Allowed for SQL Mgmt utilities to enable XP Command Shell
and run .NET commands
– Binary infector – altered existing management
binaries to call main payload – and STILL worked!
– Driver infector – Added driver to look like existing
management software
– Hid scripts in the Registry
– Hid payload in the Registry!
• The Registry is a Huuuuuuuuuuuuuuuuge Database
WINNTI 2014
• Popped a user, not an Admin, they know Who we
are and What we do… Yay LinkedIn
• Patient 0 – User phished (not an admin) and I
believe they exploited Office to gain admin access
• Dropped their initial malware payload
• Used Backup software creds to then pop a Domain Controller
• Spread from there all over ;-(
– Same MO as 2012
Files Dropped and gone
• Used publicly accessible locations
• C:\Users\Public
• C:\Windows\Web
• C:\Perflogs
• Deleted Infector files fast… almost all
• Left some on disk
Files Dropped
• SQL Server bin directory (5 deep) – Only on SQL
Servers
– Cscapi.dll (Dll injection)
• SysWOW64
– Qwave.dll - Normal on Workstations, NOT on servers
• Splunk and Altiris Directories - Dropped a driver
named like the app
– Splunk.sys
– Altiris.sys
Initial Infectors
• C:\Users\Public
– C.exe
– Infect.exe
– Infectsys.exe
– 64.dll
– CompanyName.exe – Specific to us!
• C:\Perflogs – Command binary
• C:\Windows\Web - .INI files for permission changes
• C:\Windows\Temp – VB Scripts
– Netfxupdate.ax
• C:\Windows\SysWOW64
– Qwave.dll (Servers only)
– SysWow64.sys
– AxScriptHost70.dll
Initial Infectors
• Perflogs
– C.exe – Communication to infected system
• Thanks for the Port and Password
• For once WE compromised THEM!
– Now who is “sophisticated” ;-)
Persistence
• C:\Program Files\Common Files
– WLXSys64.sys – NOT ON DISK ANYWHERE ????
• Modified existing service
– WERCplSupport (Who needs WER Support)
– Changed ServiceDll to:
• Program Files\Common Files\WLXSys64.sys
• So how did it load if it was NOT on disk???
Persistence
• WERCplSupport Service failed to start?
• YAY Windows !!!! THANK YOU Microsoft!!!!
• For allowing a service to retry over and over and over and… well… forever until the file shows up, or the malware places it there
• Once the file existed, “WERCplSupport” started and the system was infected, calling other malicious binaries
Persistence
• Avoided leaving key files behind like they did before, well, one anyway… the persistence piece
So what led us there?
• Command Line Logging !!!!
• At the time ONLY Win 8.1 and Win 2012 R2 had it
• Which we had. We then saw this in our alerts for suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib)
• Scripts too
Hidden in the Registry
• Command Line execution led us to the Keys.
Main payload and scripts to infect were stored
in the registry – Classes and Client Keys
Hidden in the Registry
• Stored as HEX in some cases, where the infection was not complete or when we recreated it in the lab because we were missing something (the infected persistence binary)
• Stored as a binary when complete, encrypted in some way
Hiding in the Registry
• This was new for WINNTI 2014
• They added three values to the Keys
• HKLM\Software\Clients or HKLM\Software\Classes
– putfile
– file
– read
• This was found on only a few systems, hiding another backdoor
– HKLM\Software\Wow6432Node\BINARY\Acrobat.dxe
HKLM\Software\Clients
• putfile
• file
• read
4D5A = MZ in HEX
Persistence
• Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe)
• Altered system management binaries
– McAfeeFrameworkService
– BESClientHelper
– Attempted a few others, some failed
• We tried the infector on several other system files and it worked
Persistence
• Infected management binary read the key, decrypted the payload and dropped it into:
– Program Files\Common Files
• NOW the WERCplSupport ServiceDll exists!
• As soon as it was loaded… it was deleted, making it hard for us to find it
• But we were better than that ;-)
So what led us there?
• Malware Discovery Baseline
• Compared the infected system’s hashes (Suspect) to a known good system’s hashes (MFR)
• Showed some single hashes in directories that were odd to us (our own management software)
• So we looked for these binaries across all systems
• ONLY the infected system had these odd hashes
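The baseline comparison the slide describes, as an added example (not the talk’s tooling): every (path, hash) pair on the suspect that the known-good system does not vouch for is classified as a dropped file or a modified known file, and then filtered down to what no other system in the fleet carries. Host names, paths and file contents are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Oddity:
    path: str
    sha256: str
    kind: str      # "dropped": path not in the baseline; "modified": path known, hash differs
    hosts: tuple   # every host that carries this exact (path, hash) pair


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_oddities(baseline: dict, fleet: dict, suspect: str):
    """baseline: {path: sha256} from the known-good system (the slide's MFR).
    fleet: {host: {path: sha256}} for every system you can reach, suspect included.
    Returns each (path, hash) on the suspect that the baseline does not vouch for,
    with the list of hosts that carry the same pair: seen only on the suspect is
    the slide's odd hash; seen fleet-wide is more likely an unbaselined update."""
    odd = []
    for path, digest in sorted(fleet[suspect].items()):
        if baseline.get(path) == digest:
            continue
        kind = "modified" if path in baseline else "dropped"
        hosts = tuple(h for h, files in sorted(fleet.items()) if files.get(path) == digest)
        odd.append(Oddity(path, digest, kind, hosts))
    return odd


def only_on(oddities, host):
    """The slide's final filter: keep what no other system has."""
    return [o for o in oddities if o.hosts == (host,)]


# Constructed inventory. Paths and hosts are placeholders; the hashes are real
# SHA-256 digests of labelled dummy content so they compare like real ones.
MCAFEE = "C:\\Program Files\\Mgmt\\McAfeeFrameworkService.exe"
BES = "C:\\Program Files\\Mgmt\\BESClientHelper.exe"
CSCAPI = "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\cscapi.dll"
NTDLL = "C:\\Windows\\System32\\ntdll.dll"

GOOD_MCAFEE = sha256_of(b"constructed: clean McAfeeFrameworkService")
BAD_MCAFEE = sha256_of(b"constructed: infected McAfeeFrameworkService")
GOOD_BES = sha256_of(b"constructed: clean BESClientHelper")
DROPPED_CSCAPI = sha256_of(b"constructed: injected cscapi.dll")
OLD_NTDLL = sha256_of(b"constructed: ntdll before patch Tuesday")
NEW_NTDLL = sha256_of(b"constructed: ntdll after patch Tuesday")

BASELINE = {MCAFEE: GOOD_MCAFEE, BES: GOOD_BES, NTDLL: OLD_NTDLL}
FLEET = {
    # sql01 is the suspect: patched management binary plus a dropped DLL
    "sql01": {MCAFEE: BAD_MCAFEE, BES: GOOD_BES, NTDLL: NEW_NTDLL, CSCAPI: DROPPED_CSCAPI},
    # the rest of the fleet only differs from the baseline by a Windows update
    "sql02": {MCAFEE: GOOD_MCAFEE, BES: GOOD_BES, NTDLL: NEW_NTDLL},
    "web01": {MCAFEE: GOOD_MCAFEE, BES: GOOD_BES, NTDLL: NEW_NTDLL},
}

if __name__ == "__main__":
    for o in only_on(find_oddities(BASELINE, FLEET, "sql01"), "sql01"):
        print(f"{o.kind:9} {o.path} {o.sha256[:12]}")
```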
Persistence
• BAM! Got ya – PROCMon on bootup
FINALLY !
• Now we had all the pieces
• Recreated in the lab so we knew we had it all
• High confidence remediation was now able to
start
• And it did NOT take 210 days for MTTD ;-)
FINALLY !
• Malware Management allowed us to set up alerts on artifacts from other malware analysis
• Of course our own experience too
• Malware Discovery allowed us to find odd file
hashes
• Malware Analysis gave us the details
How YOU can
Detect this
Ninja Tips
How we harvested malware
• Some infections hung
• Ran process check for any “parentless” processes
• Found a couple systems hung and harvested the
malware from these systems
• Command line logging showed us where to look
• Ninja Tip:
– Parse through processes that do NOT have a
parent!!!
How we harvested malware
• File Copy loop in Directories discovered – a batch file that keeps re-copying the working directory into a capture folder, so files that are dropped and deleted within seconds are still captured:
    @echo off
    cls
    rem capture folder; it is excluded from the copy so robocopy never copies it into itself
    md captured
    :Redo
    rem /E all subdirectories, /B backup mode, /r:0 /w:1 do not stall on locked files,
    rem /np no progress output, /xo skip files already captured, /xd skip the capture folder
    robocopy . captured /E /B /r:0 /w:1 /np /xo /xd captured
    goto Redo
    :End
• Ninja Tip:
– Great to do in Labs for User space AppData
Top Priority
• Enable and Configure Process Command Line
– KB3004375 - https://support.microsoft.com/en-us/kb/3004375
• Enable Advanced Audit Policy in Windows
– The “Windows Logging Cheat Sheet”
– Audit Process Creation = Success 4688
– Audit Logon = Success & Failure 4624
– Audit File Share = Success 5140
– Audit File System = Success 4663
– Audit Registry = Success 4663 & 4657
– Audit Filtering Platform Connection = Success 5156
(Any/Any min)
– Services already captured by System Log 7045 & 7040
– PowerShell Logging (needs profile.ps1) 500
Alert for Suspicious Commands
• #1 trigger for a compromise
• (EventCode=4688) (at.exe OR bcdedit.exe OR cacls.exe OR
chcp.exe OR cmd.exe OR cscript.exe OR ipconfig.exe OR
mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR
netstat.exe OR nmap OR nslookup.exe OR bcp.exe OR
sqlcmd.exe OR OSQL.exe OR ping.exe OR powershell.exe
OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR
psLoggedOn.exe OR procdump.exe OR rar.exe OR reg.exe
OR route.exe OR runas.exe OR sc.exe OR schtasks.exe OR
sethc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR
system32\net.exe OR takeown.exe OR tracert.exe OR
vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe
OR winrm.* OR winrs.* OR wmic.exe OR wsmprovhost.exe)
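The same alert logic applied outside the SIEM, as an added example (not the talk’s search or Log-MD): parsed Event ID 4688 records are matched against the slide’s process list, and a whitelist of (process, command-line pattern) pairs drops the known-good noise the way the Log-MD whitelists do. The events, hosts, users and the monitoring command line are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Process names from the slide's alert search, lower-cased file names only.
# Entries the slide gives without a fixed extension (nmap, winrm.*, winrs.*)
# are matched as prefixes instead.
SUSPICIOUS = {
    "at.exe", "bcdedit.exe", "cacls.exe", "chcp.exe", "cmd.exe", "cscript.exe",
    "ipconfig.exe", "mimikatz.exe", "nbtstat.exe", "nc.exe", "netcat.exe",
    "netstat.exe", "nslookup.exe", "bcp.exe", "sqlcmd.exe", "osql.exe",
    "ping.exe", "powershell.exe", "powercat.ps1", "psexec.exe", "psexecsvc.exe",
    "psloggedon.exe", "procdump.exe", "rar.exe", "reg.exe", "route.exe",
    "runas.exe", "sc.exe", "schtasks.exe", "sethc.exe", "ssh.exe", "sysprep.exe",
    "systeminfo.exe", "net.exe", "takeown.exe", "tracert.exe", "vssadmin.exe",
    "whoami.exe", "winrar.exe", "wscript.exe", "wmic.exe", "wsmprovhost.exe",
}
SUSPICIOUS_PREFIXES = ("nmap", "winrm.", "winrs.")

# Whitelist entries: (process file name, regex over the command line). Both must
# match for the event to be dropped. The entry below is constructed for the demo.
WHITELIST = [
    ("ping.exe", r"^ping(\.exe)?\s+-n\s+1\s+monitor\.corp\.example$"),
]


@dataclass
class Alert:
    host: str
    user: str
    process: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased last path component: C:\\Windows\\System32\\cmd.exe -> cmd.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(new_process_name: str) -> bool:
    name = basename(new_process_name)
    return name in SUSPICIOUS or name.startswith(SUSPICIOUS_PREFIXES)


def is_whitelisted(event: dict, whitelist) -> bool:
    name = basename(event["NewProcessName"])
    cmd = event.get("CommandLine", "")
    return any(name == wl_name and re.search(wl_re, cmd) for wl_name, wl_re in whitelist)


def alert_on_4688(events, whitelist=()):
    """One Alert per 4688 event whose new process is on the list and not whitelisted."""
    alerts = []
    for ev in events:
        if ev.get("EventCode") != 4688 or not is_suspicious(ev["NewProcessName"]):
            continue
        if is_whitelisted(ev, whitelist):
            continue
        alerts.append(Alert(ev["ComputerName"], ev["SubjectUserName"],
                            basename(ev["NewProcessName"]), ev.get("CommandLine", "")))
    return alerts


# Constructed sample events in the field layout of a parsed 4688 record. The
# first, second and fifth mirror the slide's story (script in Windows\Temp,
# permission changes, service started); the rest are normal noise.
SAMPLE_EVENTS = [
    {"EventCode": 4688, "ComputerName": "sql01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\cscript.exe",
     "CommandLine": "cscript.exe //B C:\\Windows\\Temp\\netfxupdate.ax"},
    {"EventCode": 4688, "ComputerName": "sql01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c takeown /f C:\\Windows\\Web\\perm.ini"},
    {"EventCode": 4688, "ComputerName": "ws17", "SubjectUserName": "bob",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventCode": 4688, "ComputerName": "mon01", "SubjectUserName": "svc_monitor",
     "NewProcessName": "C:\\Windows\\System32\\PING.EXE",
     "CommandLine": "ping.exe -n 1 monitor.corp.example"},
    {"EventCode": 4688, "ComputerName": "sql01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net.exe start WERCplSupport"},
    {"EventCode": 4624, "ComputerName": "sql01", "SubjectUserName": "svc_backup",
     "NewProcessName": ""},
]

if __name__ == "__main__":
    for a in alert_on_4688(SAMPLE_EVENTS, WHITELIST):
        print(f"{a.host}\t{a.user}\t{a.process}\t{a.command_line}")
```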
Size Matters!!!
• Bigger IS better…
– For Size of Registry Keys
– Very few over 20k
– WINNTI was 296k
• RegScanner – NirSoft
• Reglister - @dnlongen – python script
– https://github.com/dnlongen/RegLister
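The two registry checks the deck relies on, as an added example (not RegScanner, RegLister or the talk’s code): flag values larger than the slide’s 20k rule of thumb, and values that carry a PE image either raw (bytes 4D 5A, the “MZ” the deck points at) or as hex-encoded text. It scans an already-exported list of (key, value name, bytes) so it runs anywhere; the sample values are constructed to mimic the slide’s Clients key plus normal noise.

```python
import re
from dataclasses import dataclass

SIZE_THRESHOLD = 20 * 1024   # the slide's rule of thumb: very few normal values exceed 20k
MZ_MAGIC = b"MZ"             # 0x4D 0x5A, the first two bytes of every PE/DOS executable
HEX_TEXT = re.compile(rb"^[0-9A-Fa-f]+$")


@dataclass
class Finding:
    key: str
    name: str
    size: int
    reasons: tuple


def decode_if_hex(data: bytes) -> bytes:
    """Payloads are sometimes stored as ASCII hex text ("4D5A9000..."); decode
    that form, otherwise return the data object untouched."""
    text = data.strip()
    if len(text) >= 4 and len(text) % 2 == 0 and HEX_TEXT.match(text):
        return bytes.fromhex(text.decode("ascii"))
    return data


def looks_like_pe(data: bytes) -> bool:
    """True if the value starts with MZ, either raw or after hex decoding."""
    if data[:2] == MZ_MAGIC:
        return True
    decoded = decode_if_hex(data)
    return decoded is not data and decoded[:2] == MZ_MAGIC


def scan_values(values, threshold=SIZE_THRESHOLD):
    """values: iterable of (key_path, value_name, raw_bytes), e.g. exported from a
    hive. Returns a Finding for every value that is oversized or PE-shaped."""
    findings = []
    for key, name, data in values:
        reasons = []
        if len(data) > threshold:
            reasons.append("size")
        if looks_like_pe(data):
            reasons.append("mz-header")
        if reasons:
            findings.append(Finding(key, name, len(data), tuple(reasons)))
    return findings


# Constructed sample values. The first two mimic the slide's Clients key values
# (one raw 296k binary, one hex-encoded); the last two are normal-looking noise,
# one of them large enough to trip the size check on its own.
SAMPLE_VALUES = [
    ("HKLM\\Software\\Clients", "file",
     b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * (296 * 1024)),
    ("HKLM\\Software\\Clients", "read",
     b"4D5A90000300" + b"00" * 128),
    ("HKLM\\Software\\Classes\\CLSID\\{0000-demo}", "InprocServer32",
     b"C:\\Windows\\System32\\shell32.dll"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer", "IconCache",
     b"\x01\x00" * 12000),
]

if __name__ == "__main__":
    for f in scan_values(SAMPLE_VALUES):
        print(f"{f.key}\\{f.name}: {f.size} bytes, {', '.join(f.reasons)}")
```

A plain-text script stashed in a value (the slide’s putfile) has neither property, so it needs a separate check; pairing the size threshold with the MZ test catches the binary payloads the deck describes.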
Enhanced Logging
• Sysmon
– Gives you images loaded (.DLL) – look for unsigned!
– Gives you Drivers loaded (.SYS)
– Gives you Hashes – Upload to VirusTotal
• Windows Logging Service (WLS)
– Alternative logging agent
– More than Sysmon provides
– http://energy.gov/sites/prod/files/cioprod/documents/Splunkified_-_the_Next_Evolution_of_Log_Analysis_-_Green_and_McCord.pdf
– http://digirati82.com/wls-information/
Malware Discovery
• Once a system was labeled “suspect”
• Compare known good hashes to suspect
system
• Odd files will show up
• What????
• You don’t have a Log Management solution
– SIEM
INTERMISSION
Introducing
• Use in a Malware Analysis Lab
• Investigate a suspect system
• For Incident Response
• Produce IT/InfoSec/Audit/Compliance report
comparing actual Audit Log system settings to
CIS and “Windows Logging Cheat Sheet”
recommendations
• Assist in tweaking File and Registry auditing
Introducing
• Log Malicious Discovery tool
• When you run the tool, it tells you what
auditing and settings to configure that it
requires
• Once the system and/or GPO is configured
1. Clear the logs
2. Infect the system
3. Run Log-MD
4. Review “Report.csv” in Excel
Functions
• Audit Report of log settings compared to:
– The “Windows Logging Cheat Sheet”
– Center for Internet Security (CIS) Benchmarks
• 3 White lists to filter out the known good
– By IP Address
– By Process Command Line and/or Process Name
– By File and Registry locations (requires File and
Registry auditing to be set)
• Report.csv of data from logs specific to security
Crypto Event
• C:\Users\Bob\AppData\Roaming\vcwixk.exe
• C:\Users\Bob\AppData\Roaming\vcwpir.exe
• C:\WINDOWS\system32\cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL
• C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet
Malicious Word Doc
Malicious Word Doc cont’d
So what do we get?
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in… 15 Minutes!
In Summary
• Malware is noisy
• We CAN detect it
• Logs can hold all types of information
– It’s NOT just for Forensics anymore
• All we have to do is:
– Enable the Logs
– Configure the Logs
– Gather the Logs
– Harvest the Logs
• Look for Top Security related events
• Use the “Windows Logging Cheat
Sheet”
• GET Log-MD – It’s FREE!
Resources
• Websites
– MalwareArchaeology.com
– Log-MD.com The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
Questions?
• You can find us at:
• @HackerHurricane
• @Boettcherpwned
• Log-MD.com
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• http://www.slideshare.net

Windows Incident Response is hard, but doesn't have to be
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
 

Último

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 

Último (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 

Deeplook into apt and how to detect and defend v1.0

8. WINNTI 2014
• New stuff
• Dude!
• What triggered it?
• What changed?
• Avoided the methods they used before
• Fortunately we were doing REALLY good logging. We are Ninja’s after all

9. WINNTI 2014
• Summary of improvements for WINNTI 2014
  – PlugX used as a base, modules added
  – DLL injection on SQL Server (5 dirs. deep)
    • Allowed the SQL management utilities to enable xp_cmdshell and run .NET commands
  – Binary infector – altered existing management binaries to call the main payload – and they STILL worked!
  – Driver infector – added a driver named to look like existing management software
  – Hid scripts in the Registry
  – Hid the payload in the Registry!
    • The Registry is a Huuuuuuuuuuuuuuuuge database

10. WINNTI 2014
• Popped a user, not an Admin; they know Who we are and What we do… Yay LinkedIn
• Patient 0 – user phished (not an admin), and I believe they exploited Office to gain admin access
• Dropped their initial malware payload
• Used backup software creds to then pop a Domain Controller
• Spread from there all over ;-(
  – Same MO as 2012

11. Files Dropped and gone
• Used publicly accessible locations (writable without admin rights)
  – C:\Users\Public
  – C:\Windows\Web
  – C:\PerfLogs
• Deleted infector files fast… almost all
• Left some on disk

12. Files Dropped
• SQL Server bin directory (5 deep)
  – Only on SQL Servers
  – Cscapi.dll (DLL injection)
• SysWOW64
  – Qwave.dll – normal on workstations, NOT on servers
• Splunk and Altiris directories – dropped a driver named like the app
  – Splunk.sys
  – Altiris.sys

13. Initial Infectors
• C:\Users\Public
  – C.exe
  – Infect.exe
  – Infectsys.exe
  – 64.dll
  – CompanyName.exe – specific to us!
• C:\PerfLogs – command binary
• C:\Windows\Web – .INI files for permission changes
• C:\Windows\Temp – VB Scripts
  – Netfxupdate.ax
• C:\Windows\SysWOW64
  – Qwave.dll (servers only)
  – SysWow64.sys
  – AxScriptHost70.dll

14. Initial Infectors
• PerfLogs – C.exe – communication to the infected system
  • Thanks for the port and password
  • For once WE compromised THEM! – Now who is “sophisticated” ;-)

15. Persistence
• C:\Program Files\Common Files
  – WLXSys64.sys – NOT ON DISK ANYWHERE ????
• Modified an existing service – WERCplSupport (who needs WER support)
  – Changed ServiceDll to:
    • Program Files\Common Files\WLXSys64.sys
• So how did it load if it was NOT on disk???

16. Persistence
• WERCplSupport service failed to start?
• YAY Windows!!!! THANK YOU Microsoft!!!!
• For allowing a service to retry over and over and over and… well… forever, until the file shows up or the malware places it there
• Once the file existed, “WERCplSupport” started and the system was infected, calling other malicious binaries

17. Persistence
• Avoided leaving key files behind like they did before, well, one anyway… the persistence piece
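The persistence trick on slides 15 to 17 leaves a usable indicator even while the DLL is absent: a ServiceDll value that points at a file which is not a .dll, is outside %SystemRoot%, or does not exist on disk. The check below is an added example, not the author's code or Log-MD; the service entries and the "what is on disk" set are constructed so it runs anywhere, and the winreg reader at the end is for a live Windows host.

```python
"""Audit service ServiceDll values for the WERCplSupport-style hijack:
a ServiceDll that is not a .dll, lives outside %SystemRoot%, or is not on
disk at all (the service keeps retrying until the file appears).
Added example; service data below is constructed."""
import ntpath
import os
import re

SYSTEM_ROOT = r"C:\Windows"

# Constructed (service name, ServiceDll) pairs as they would be read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll.
SAMPLE_SERVICES = [
    ("Dhcp", r"C:\Windows\System32\dhcpcore.dll"),
    ("lmhosts", r"%SystemRoot%\System32\lmhsvc.dll"),
    ("WERCplSupport", r"C:\Program Files\Common Files\WLXSys64.sys"),
]
# Constructed set of files "present on disk" (normalised paths).
SAMPLE_DISK = {r"c:\windows\system32\dhcpcore.dll", r"c:\windows\system32\lmhsvc.dll"}


def normalise(path, system_root=SYSTEM_ROOT):
    """Expand %SystemRoot% (any case), drop quotes, lower-case and tidy separators."""
    expanded = re.sub(r"%systemroot%", lambda _m: system_root, path.strip('"'), flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(expanded))


def check_service_dll(service_dll, disk=None, system_root=SYSTEM_ROOT):
    """Reasons this ServiceDll deserves a look (empty list = nothing odd).
    disk: set of normalised paths treated as present; None = ask the real filesystem."""
    reasons = []
    norm = normalise(service_dll, system_root)
    if not norm.endswith(".dll"):
        reasons.append("extension is not .dll")
    if not norm.startswith(ntpath.normcase(system_root) + "\\"):
        reasons.append("outside %SystemRoot%")
    present = (norm in disk) if disk is not None else os.path.isfile(norm)
    if not present:
        reasons.append("file missing on disk (service will retry until it appears)")
    return reasons


def audit_services(services, disk=None, system_root=SYSTEM_ROOT):
    """{service: [reasons]} for every service with at least one finding."""
    findings = {}
    for name, dll in services:
        reasons = check_service_dll(dll, disk, system_root)
        if reasons:
            findings[name] = reasons
    return findings


def read_live_service_dlls():
    """Windows only: collect (service, ServiceDll) pairs with the standard winreg module."""
    import winreg
    pairs = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as services:
        for i in range(winreg.QueryInfoKey(services)[0]):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name + r"\Parameters") as params:
                    value, _ = winreg.QueryValueEx(params, "ServiceDll")
                    pairs.append((name, value))
            except OSError:
                continue  # no Parameters key or no ServiceDll value
    return pairs


if __name__ == "__main__":
    for svc, why in audit_services(SAMPLE_SERVICES, SAMPLE_DISK).items():
        print(f"{svc}: {'; '.join(why)}")
```

On a real host call `audit_services(read_live_service_dlls())` with no `disk` argument; the "outside %SystemRoot%" reason is a heuristic and will also list legitimate third-party services, so treat it as a prompt to look, and the "file missing" reason as the strong one.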
18. So what led us there?
• Command line logging!!!!
• At the time ONLY Win 8.1 and Win 2012 R2 logged the process command line
• Which we had. We then saw this in our alerts of suspicious commands (cscript, cmd.exe, cacls, net, takeown, pushd, attrib)
• Scripts too

19. Hidden in the Registry
• Command line execution led us to the keys. The main payload and the scripts to infect were stored in the registry
  – Clients and Classes keys

20. Hidden in the Registry
• HEX in some cases, where the infection was not complete or when we recreated it in the lab because we were missing something (the infected persistence binary)
• Binary when complete, encrypted in some way

21. Hiding in the Registry
• This was new for WINNTI 2014
• They added three values to the keys
• HKLM\Software\Clients or HKLM\Software\Classes
  – putfile
  – file
  – read
• This was found on only a few systems, to hide another backdoor
  – HKLM\Software\Wow6432Node\BINARY\Acrobat.dxe

22. HKLM\Software\Clients
• putfile
• file
• read
• 4D5A = MZ in HEX

23. Persistence
• Infector… one for the DLL (infect.exe) and one for the driver (InfectSys.exe)
• Altered system management binaries
  – McAfeeFrameworkService
  – BESClientHelper
  – Attempted a few others, some failed
• We tried the infector on several other system files and it worked

24. Persistence
• The infected management binary read the key, decrypted the payload and dropped it into:
  – Program Files\Common Files
• NOW the WERCplSupport ServiceDll exists!
• As soon as it was loaded… it was deleted, making it hard for us to find
• But we were better than that ;-)

25. So what led us there?
• Malware Discovery baseline
• Compared infected system hashes (Suspect) to known good system hashes (MFR)
• Showed some single hashes in directories that were odd to us (our own management software)?
• So we looked for these binaries across all systems
• ONLY the infected system had these odd hashes
26. Persistence
• BAM! Got ya – ProcMon on bootup

27. FINALLY!
• Now we had all the pieces
• Recreated it in the lab so we knew we had it all
• High-confidence remediation was now able to start
• And it did NOT take 210 days for MTTD ;-)

28. FINALLY!
• Malware Management allowed us to set up alerts on artifacts from other malware analysis
• Of course our own experience too
• Malware Discovery allowed us to find odd file hashes
• Malware Analysis gave us the details

29. How YOU can Detect this – Ninja Tips

30. How we harvested malware
• Some infections hung
• Ran a process check for any “parentless” processes
• Found a couple of systems hung and harvested the malware from these systems
• Command line logging showed us where to look
• Ninja Tip:
  – Parse through processes that do NOT have a parent!!!
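The "parentless process" check from slide 30, as an added example rather than the author's own script. It covers the case the naive version misses: ParentProcessId can point at a process that was created after the child, which means the real parent exited and its PID was recycled. The process table is constructed; `load_live_windows` pulls the real one through PowerShell and is only meaningful on Windows.

```python
"""Find processes whose parent is gone, or whose ParentProcessId now belongs to
a process created after the child (parent PID recycled), then drop the orphans
every healthy Windows host has. Added example; the process table is constructed."""
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    created: float  # seconds since epoch (Win32_Process.CreationDate)


# Processes whose parent legitimately exits on a healthy box (smss session
# instance for csrss/wininit/winlogon, userinit for explorer).
KNOWN_ORPHANS = {"csrss.exe", "wininit.exe", "winlogon.exe", "explorer.exe"}

# Constructed table; c.exe echoes the dropped binary on slide 13.
SAMPLE_PROCS = [
    Proc(4, 0, "System", 0.0),
    Proc(380, 4, "smss.exe", 1.0),
    Proc(520, 444, "csrss.exe", 2.0),        # session smss (444) exited: normal
    Proc(1500, 1400, "explorer.exe", 20.0),  # userinit (1400) exited: normal
    Proc(1200, 900, "svchost.exe", 10.0),    # parent gone and not a known case: look
    Proc(2222, 1500, "chrome.exe", 45.0),
    Proc(3000, 2222, "c.exe", 40.0),         # ppid exists but is newer: PID recycled
    Proc(4100, 2222, "notepad.exe", 46.0),   # genuine child of 2222
]


def find_orphans(procs, tolerance=0.0):
    """[(proc, reason)] for processes without a live parent that predates them.
    tolerance: seconds of clock slop allowed between parent and child creation."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        if p.pid in (0, 4):  # Idle and System have no real parent
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            out.append((p, "parent exited"))
        elif parent.created > p.created + tolerance:
            out.append((p, "parent PID recycled by a newer process"))
    return out


def suspicious_orphans(procs, known=KNOWN_ORPHANS):
    """The orphans worth harvesting: everything find_orphans reports minus the usual suspects."""
    return [(p, why) for p, why in find_orphans(procs) if p.name.lower() not in known]


def load_live_windows():
    """Windows only: read the live table via Get-CimInstance Win32_Process (real cmdlets)."""
    import json
    import subprocess
    ps = ("Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,Name,"
          "@{n='Created';e={ if ($_.CreationDate) { ([DateTimeOffset]$_.CreationDate).ToUnixTimeSeconds() } else { 0 } }}"
          " | ConvertTo-Json -Compress")
    raw = subprocess.run(["powershell", "-NoProfile", "-Command", ps],
                         capture_output=True, text=True, check=True).stdout
    rows = json.loads(raw)
    rows = rows if isinstance(rows, list) else [rows]
    return [Proc(r["ProcessId"], r["ParentProcessId"], r["Name"] or "", float(r["Created"])) for r in rows]


if __name__ == "__main__":
    for p, why in suspicious_orphans(SAMPLE_PROCS):
        print(f"pid {p.pid} {p.name} (ppid {p.ppid}): {why}")
```

On a hung infected host run `suspicious_orphans(load_live_windows())`; the survivors are the processes to dump from memory and to match against the command line log.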
31. How we harvested malware
• File copy loop in the directories discovered (batch file, run from the directory being watched):
    @echo off
    cls
    rem Catch files that exist only briefly: copy everything in this directory
    rem into .\captured as fast as possible, forever, excluding .\captured itself.
    rem /E all subdirs, /B backup mode, /r:0 /w:1 no retries, /xo skip files
    rem already captured and unchanged.
    md captured
    :Redo
    robocopy . captured /E /B /r:0 /w:1 /np /xo /xd captured
    goto Redo
    :End
• Ninja Tip:
  – Great to do in labs for user space AppData

32. Top Priority
• Enable and configure process command line logging
  – KB3004375 – https://support.microsoft.com/en-us/kb/3004375
• Enable Advanced Audit Policy in Windows
  – The “Windows Logging Cheat Sheet”
  – Audit Process Creation = Success – 4688
  – Audit Logon = Success & Failure – 4624 (failures are 4625)
  – Audit File Share = Success – 5140
  – Audit File System = Success – 4663
  – Audit Registry = Success – 4663 & 4657
  – Audit Filtering Platform Connection = Success – 5156 (an Any/Any rule at minimum)
  – Services already captured by the System log – 7045 & 7040
  – PowerShell logging (needs profile.ps1) – 500

33. Alert for Suspicious Commands
• #1 trigger for a compromise
• Splunk search:
    (EventCode=4688) (at.exe OR bcdedit.exe OR cacls.exe OR chcp.exe OR cmd.exe OR cscript.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR bcp.exe OR sqlcmd.exe OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR sc.exe OR schtasks.exe OR sethc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\net.exe OR takeown.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR winrm.* OR winrs.* OR wmic.exe OR wsmprovhost.exe)
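The same alert as slide 33, run locally over 4688 records instead of in Splunk, as an added example (not the author's search or Log-MD). It matches the image name and every token of the command line against the watch list, so `cmd.exe /c cscript.exe ...` is credited to both, and it still fires on the image name when the command line field is absent, which is what you get before KB3004375 or with command line auditing off. The watch list is the slide's with "calcls.exe" read as cacls.exe; the events are constructed in the flattened "Field: value" form a log forwarder emits, and the parser is specific to that layout.

```python
"""Alert on suspicious process launches in Windows 4688 events.
Added example; the sample events below are constructed."""
import fnmatch
import ntpath
import re

# Watch list from the slide (wildcards in fnmatch syntax; nmap had no extension there).
WATCHLIST = [
    "at.exe", "bcdedit.exe", "cacls.exe", "chcp.exe", "cmd.exe", "cscript.exe",
    "ipconfig.exe", "mimikatz.exe", "nbtstat.exe", "nc.exe", "netcat.exe", "netstat.exe",
    "nmap*", "nslookup.exe", "bcp.exe", "sqlcmd.exe", "osql.exe", "ping.exe",
    "powershell.exe", "powercat.ps1", "psexec.exe", "psexecsvc.exe", "psloggedon.exe",
    "procdump.exe", "rar.exe", "reg.exe", "route.exe", "runas.exe", "sc.exe",
    "schtasks.exe", "sethc.exe", "ssh.exe", "sysprep.exe", "systeminfo.exe", "net.exe",
    "takeown.exe", "tracert.exe", "vssadmin.exe", "whoami.exe", "winrar.exe",
    "wscript.exe", "winrm.*", "winrs.*", "wmic.exe", "wsmprovhost.exe",
]

# Constructed records; paths echo the artifacts on slides 13 and 15.
SAMPLE_EVENTS = [
    r"EventCode=4688 Account Name: svc_backup New Process Name: C:\Windows\System32\cmd.exe "
    r"Process Command Line: cmd.exe /c cscript.exe C:\Windows\Temp\netfxupdate.ax",
    r"EventCode=4688 Account Name: alice New Process Name: C:\Program Files\Internet Explorer\iexplore.exe "
    r'Process Command Line: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome',
    r"EventCode=4688 Account Name: SYSTEM New Process Name: C:\Windows\System32\takeown.exe "
    r'Process Command Line: takeown.exe /f "C:\Program Files\Common Files\WLXSys64.sys"',
    r"EventCode=4688 Account Name: bob New Process Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"EventCode=4624 Account Name: bob Logon Type: 3",
]

FIELDS = ("Account Name", "New Process Name", "Process Command Line", "Logon Type")
_FIELD_SPLIT = re.compile("(" + "|".join(re.escape(f) for f in FIELDS) + "): ")


def parse_event(line):
    """Dict of EventCode plus whichever FIELDS the flattened record carries."""
    rec = {}
    m = re.search(r"EventCode=(\d+)", line)
    if m:
        rec["EventCode"] = int(m.group(1))
    parts = _FIELD_SPLIT.split(line)  # [prefix, field, value, field, value, ...]
    for i in range(1, len(parts) - 1, 2):
        rec[parts[i]] = parts[i + 1].strip()
    return rec


def watchlist_hit(path_or_token):
    """Lower-cased basename if it matches the watch list, else None."""
    base = ntpath.basename(path_or_token.strip('"')).lower()
    return base if any(fnmatch.fnmatchcase(base, p.lower()) for p in WATCHLIST) else None


def command_line_tokens(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def alert_on_suspicious(events):
    """One alert per 4688 whose image name or command line tokens hit the watch list."""
    alerts = []
    for line in events:
        rec = parse_event(line)
        if rec.get("EventCode") != 4688:
            continue
        proc = rec.get("New Process Name", "")
        cmdline = rec.get("Process Command Line")  # None when command line auditing is off
        hits = set()
        h = watchlist_hit(proc)
        if h:
            hits.add(h)
        for tok in command_line_tokens(cmdline or ""):
            h = watchlist_hit(tok)
            if h:
                hits.add(h)
        if hits:
            alerts.append({"account": rec.get("Account Name"), "process": proc,
                           "cmdline": cmdline, "hits": sorted(hits)})
    return alerts


if __name__ == "__main__":
    for a in alert_on_suspicious(SAMPLE_EVENTS):
        print(a["account"], a["hits"], a["cmdline"] or "<no command line logged>")
```

The watch list is deliberately noisy (ping.exe, ipconfig.exe); the value is in the account and command line context that comes with each hit, which is why the command line field matters more than the list itself.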
34. Size Matters!!!
• Bigger IS better…
  – For the size of Registry values
  – Very few over 20k
  – WINNTI was 296k
• RegScanner – NirSoft
• RegLister – @dnlongen – Python script
  – https://github.com/dnlongen/RegLister
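A scan for the two registry tells on slides 20, 22 and 34: values far larger than anything legitimate (the 20 KB cut-off, against the 296 KB WINNTI blob) and values that start with a PE header, whether the raw bytes `MZ` or the hex text `4D5A` the author saw when the infection was incomplete. Added example, not RegLister or Log-MD; the sample values are constructed, and `walk_hive` feeds it real data on Windows.

```python
"""Flag registry values that are oversized or carry a PE header (raw 'MZ' or the
hex text '4D5A...' stored as ASCII or UTF-16LE). Added example; sample values are
constructed."""
import sys

LARGE_VALUE_BYTES = 20 * 1024  # slide 34: very few legitimate values exceed ~20k


def to_bytes(data):
    """Registry data as it sits on disk: REG_SZ/REG_EXPAND_SZ are UTF-16LE,
    REG_MULTI_SZ is NUL-joined UTF-16LE, DWORD/QWORD little-endian."""
    if isinstance(data, bytes):
        return data
    if isinstance(data, str):
        return data.encode("utf-16-le")
    if isinstance(data, int):
        return data.to_bytes(8, "little", signed=False)
    if isinstance(data, list):
        return "\0".join(data).encode("utf-16-le")
    return repr(data).encode()


def looks_like_pe(blob):
    """True for a raw PE ('MZ'), or hex text starting '4D5A' in ASCII or UTF-16LE."""
    if blob[:2] == b"MZ":
        return True
    head = blob[:8]
    try:
        text = head.decode("utf-16-le") if blob[1:2] == b"\0" else head.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.strip().upper().startswith("4D5A")


def scan_values(values, threshold=LARGE_VALUE_BYTES):
    """values: iterable of (key_path, value_name, data). Findings, largest first."""
    findings = []
    for key_path, name, data in values:
        blob = to_bytes(data)
        pe = looks_like_pe(blob) if not isinstance(data, int) else False  # 0x5A4D is a legal DWORD
        if len(blob) > threshold or pe:
            findings.append({"key": key_path, "value": name, "size": len(blob), "pe": pe})
    return sorted(findings, key=lambda f: f["size"], reverse=True)


# Constructed sample modelled on slides 21/22: the three values under HKLM\Software\Classes
# plus one ordinary string value that must not fire.
SAMPLE_VALUES = [
    (r"HKLM\Software\Classes", "file", b"MZ\x90\x00" + b"\x00" * (296 * 1024 - 4)),
    (r"HKLM\Software\Classes", "putfile", "4D5A9000030000000400"),  # REG_SZ hex, small
    (r"HKLM\Software\Classes", "read", b"\x01\x02"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion", "ProgramFilesDir", r"C:\Program Files"),
]


def walk_hive(root, subkey=""):
    """Windows only: yield (key_path, value_name, data) for every value under root\\subkey."""
    import winreg
    try:
        key = winreg.OpenKey(root, subkey)
    except OSError:
        return  # access denied: skip the key, keep sweeping
    with key:
        nsub, nval, _ = winreg.QueryInfoKey(key)
        for i in range(nval):
            name, data, _ = winreg.EnumValue(key, i)
            yield (subkey, name, data)
        for i in range(nsub):
            child = winreg.EnumKey(key, i)
            yield from walk_hive(root, f"{subkey}\\{child}" if subkey else child)


if __name__ == "__main__":
    if sys.platform == "win32":
        import winreg
        source = walk_hive(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE")
    else:
        source = SAMPLE_VALUES
    for f in scan_values(source):
        print(f"{f['size']:>8} bytes  PE={str(f['pe']):5}  {f['key']}\\{f['value']}")
```

Run it against HKLM\SOFTWARE and HKLM\SYSTEM from an elevated prompt; on 64-bit hosts also walk the Wow6432Node branch, since that is where the Acrobat.dxe value on slide 21 lived.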
35. Enhanced Logging
• Sysmon
  – Gives you images loaded (.DLL) – look for unsigned!
  – Gives you drivers loaded (.SYS)
  – Gives you hashes – upload to VirusTotal
• Windows Logging Service (WLS)
  – Alternative logging agent
  – More than Sysmon provides
  – http://energy.gov/sites/prod/files/cioprod/documents/Splunkified_-_the_Next_Evolution_of_Log_Analysis_-_Green_and_McCord.pdf
  – http://digirati82.com/wls-information/

36. Malware Discovery
• Once a system was labeled “suspect”
• Compare known good hashes to the suspect system
• Odd files will show up
• What???? You don’t have a log management solution – SIEM?

38. Introducing Log-MD
• Use in a malware analysis lab
• Investigate a suspect system
• For incident response
• Produce an IT/InfoSec/Audit/Compliance report comparing actual audit log system settings to CIS and “Windows Logging Cheat Sheet” recommendations
• Assist in tweaking file and registry auditing

39. Introducing Log-MD
• Log Malicious Discovery tool
• When you run the tool, it tells you what auditing and settings it requires you to configure
• Once the system and/or GPO is configured:
  1. Clear the logs
  2. Infect the system
  3. Run Log-MD
  4. Review “Report.csv” in Excel

40. Functions
• Audit report of log settings compared to:
  – The “Windows Logging Cheat Sheet”
  – Center for Internet Security (CIS) Benchmarks
• 3 whitelists to filter out the known good
  – By IP address
  – By process command line and/or process name
  – By file and registry locations (requires file and registry auditing to be set)
• Report.csv of data from logs specific to security

41. Crypto Event
• C:\Users\Bob\AppData\Roaming\vcwixk.exe
• C:\Users\Bob\AppData\Roaming\vcwpir.exe
• C:\WINDOWS\system32\cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL
• C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet

43. Malicious Word Doc con’t

44. So what do we get?
• WHAT processes executed
• WHERE it executed from
• IPs to enter into log management to see WHO else opened the malware
• Details needed to remediate the infection
• Details to improve your Active Defense!
• I did this in… 15 minutes!

45. In Summary
• Malware is noisy
• We CAN detect it
• Logs can hold all types of information
  – It’s NOT just for forensics anymore
• All we have to do is:
  – Enable the logs
  – Configure the logs
  – Gather the logs
  – Harvest the logs
• Look for top security-related events
• Use the “Windows Logging Cheat Sheet”
• GET Log-MD – it’s FREE!

46. Resources
• Websites
  – MalwareArchaeology.com
  – Log-MD.com – the tool
• The “Windows Logging Cheat Sheet”
  – MalwareArchaeology.com
• Malware analysis report links too
  – To start your Malware Management program

47. Questions?
• You can find us at:
  – @HackerHurricane
  – @Boettcherpwned
  – Log-MD.com
  – MalwareArchaeology.com
  – HackerHurricane.com (blog)
  – http://www.slideshare.net