A look at the types malicious artifacts from Advanced and Commodity attacks, what unique artifacts to look for and how logging caught them for a Windows environment and how LOG-MD can help.
MalwareArchaeology.com
LOG-MD.com
1. Logging for Hackers,
How we catch commodity and
advanced malware with this method.
IF only retailers did this
and how you can start doing it
Michael Gough – Founder
MalwareArchaeology.com
MalwareArchaeology.com
2. Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where,
When and hopefully How
Creator of
“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane also my Blog
MalwareArchaeology.com
3. Goal
• Interaction – Don’t be a Ding Dong, ask a
question… you WILL be rewarded for positive
synergy!
• Learn how us Ninja’s do it so you can too
• We have a NEW Tool for YOU!!!
MalwareArchaeology.com
4. Malware evolves
• So must we
• Darwin says so
• Evolve or die
• Well… Evolve or get breached anyways
• Which means an RGE !!!
– Resume Generating Event
MalwareArchaeology.com
5. • We discovered this
May 2012
• Met with the Feds ;-)
Why you should listen to me?
MalwareArchaeology.com
2014 - We gave an infected VM to one of the Big
IR Firms… They came back “Yup.. It’s clean” #Fail
6. A quick look at
Advanced Malware
Artifacts
MalwareArchaeology.com
7. WINNTI 2012 Summary
Pretty typical advanced malware
• DLL Injection
– WBEM
– Windows
– System32 – Files stored
– ProgramData – Files stored
• Sysprep Cryptbase.dll exploit
• Boot up back door, deletes on load, writes on shutdown
– Killed by pulling the power ;-)
• New Services installed
• Multiple infections per machine hoping you miss one
MalwareArchaeology.com
8. WINNTI 2014
• Summary of improvements for WINNTI 2014
– PlugX used as a base, modules added
– Dll injection on SQL Server (5 dirs. Deep)
• Allowed for SQL Mgmt utilities to enable XP Command Shell
and run .NET commands
– Binary infector – altered existing management
binaries to call main payload – and STILL worked!
– Driver infector – Added driver to look like existing
management software
– Hid scripts in the Registry
– Hid payload in the Registry!
• The Registry is a Huuuuuuuuuuuuuuuuge Database
MalwareArchaeology.com
9. Initial Infectors
• Perflogs
– C.exe – Communication to infected system
• Thanks for the Port and Password
• For once WE compromised THEM!
Now who is “sophisticated” ;-)
• PROOF of the power of Command Line Logging!
MalwareArchaeology.com
10. Persistence
• C:Program FilesCommon Files
– WLXSys64.sys – NOT ON DISK ANYWHERE ????
• Modified existing service
– WERCplSupport (Who needs WER Support)
– Changed ServiceDll to:
• Program FilesCommon FilesWLXSys64.sys
MalwareArchaeology.com
• So how did it load if it was NOT
on disk???
Normal
NOT Normal
11. Persistence
• Avoided leaving key files behind like they did
before, well one anyways… the persistence
piece
MalwareArchaeology.com
12. A quick look at
Commodity Malware
Artifacts
MalwareArchaeology.com
13. Angler delivered Kovtar
• Unique way to hide the persistence
• Inserted a null byte in the name of the Run
key so that RegEdit and Reg Query fail to read
and display the value
MalwareArchaeology.com
15. Dridex Persistence
• New method towards the end of 2015
• Nothing in the Registry showing persistence while
system was running
• In memory only until system shutdown
• Then we caught the bugger, with good auditing of
course and
MalwareArchaeology.com
16. Artifacts
• Dll Injection – New Files dropped in Windows
core directories
• Command Line details
• Admin tools misused
• Delete on startup, write on shutdown
• New Services (retail PoS should know this)
• Drivers used (.sys)
• Infected management binary (hash changed)
• Scripts hidden in the registry
• PAYLOAD hidden in the registry (256k binary)
MalwareArchaeology.com
18. So what led us there?
Command Line Logging !!!!
• At the time of Winnti 2014 ONLY Win 8.1 and Win
2012 R2
• Which we had, then we saw this in our alerts of
suspicious commands (Cscript & cmd.exe & cacls &
net & takeown & pushd & attrib)
• Scripts too
MalwareArchaeology.com
19. Hidden in the Registry
• Command Line execution led us to Registry Keys.
The main payload and scripts to infect were stored in
the registry – Classes and Client Keys
MalwareArchaeology.com
20. Hidden in the Registry
• HEX in some cases where infection was not complete
or when we recreated it in the lab because we were
missing something (the infected persistence binary)
• A Binary when complete, encrypted in some way
MalwareArchaeology.com
21. Hiding in the Registry
• This was new for WINNTI 2014, other
advanced malware uses this method too
• They added three values to the Keys
• HKLMSoftwareClients or Classes
– putfile
– file
– read
• This found on only a few systems to hide another backdoor
– HKLMSoftwareWow6432NodeBINARYAcrobat.dxe
MalwareArchaeology.com
23. Persistence
• Infector… One for the DLL (infect.exe) and
one for the Driver (InfectSys.exe)
• Altered system management binaries
– McAfeeFrameworkService
– BESClientHelper
– Attempted a few others, some failed
MalwareArchaeology.com
• We tried the infector on several
other system files and it worked
24. Persistence
• Infected management binary read key, decrypted
payload and dropped into:
– Program FilesCommon Files
• NOW WERCplSupport ServiceDll exists!
• As soon as it was loaded… it was deleted making
it hard for us to find it
MalwareArchaeology.com
But we were better
than that ;-)
25. So what led us there?
• Malware Discovery Baseline
• Compared infected system hashes (Suspect) to a
known good system hashes (Master-Digest)
• Showed some single hashes in directories that
were odd to us (our own management software)?
• So we looked for these binaries across all systems
• ONLY the infected system had these odd hashes
MalwareArchaeology.com
27. FINALLY !
• Malware Management allowed us to setup
alerts on artifacts from other malware analysis
• Of course our own experience too
• Malware Discovery allowed us to find odd file
hashes, command line details, registry locations
• Malware Analysis gave us the details
MalwareArchaeology.com
28. What we need to look for
• Logs of course, properly configured - Events
– Command Line details
– Admin tools misused – executions
– New Services (retail PoS should know this)
– Drivers used (.sys)
• New Files dropped anywhere on disk – Hashes
• Infected management binary (hash changed)
• Delete on startup, write on shutdown - Auditing
• Scripts hidden in the registry – Registry Compare
• Payload hidden in the registry – Large Reg Keys
• Malware Communication – IP and WhoIS info
• Expand PowerShell detection
• VirusTotal Lookups
MalwareArchaeology.com
29. So what did we
take away
from all of this?
MalwareArchaeology.com
30. It didn’t exist
So we created it!
So you can do it too!
MalwareArchaeology.com
32. MalwareArchaeology.com
• Log and Malicious Discovery tool
• When you run the tool, it tells you what
auditing and settings to configure that it
requires. LOG-MD won’t harvest anything
until you configure the system!
• Once the system and/or GPO is configured
1. Clear the logs
2. Infect the system
3. Run Log-MD
4. Review “Report.csv” in Excel
33. Functions
MalwareArchaeology.com
• Audit Report of log settings compared to:
– The “Windows Logging Cheat Sheet”
– Center for Internet Security (CIS) Benchmarks
– Also USGCB and AU ACSC
• White lists to filter out the known good
– By IP Address
– By Process Command Line and/or Process Name
– By File and Registry locations (requires File and
Registry auditing to be set)
• Report.csv - data from logs specific to security
34. Purpose
MalwareArchaeology.com
• Malware Analysis Lab
• Investigate a suspect system
• Audit Advanced Audit Policy settings
• Help MOVE or PUSH security forward
• Give the IR folks what they need and the Feds too
• Take a full system (File and Reg) snapshot to compare to another
system and report the differences
• Discover tricky malware artifacts
• SPEED !
• Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…
• Replace several tools we use today with one easy to use utility that
does much more
• To answer the question: Is this system infected or clean?
• And do it quickly !
35. Free Edition
MalwareArchaeology.com
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process
and File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden
payloads
36. MalwareArchaeology.com
• Everything the Free Edition does and…
• More reports, breakdown of things to look for
• Specify the Output directory
• Harvest Sysmon logs
• Harvest WLS Logs
• Whitelist Hash compare results
• Whitelist Registry compare results
• Create a Master-Digest to exclude unique files
• Free updates for 1 year, expect a new release
every quarter
• Manual – How to use LOG-MD Professional
37. MalwareArchaeology.com
Future Versions – In the works!
• WhoIs lookups of IP Addresses called
• VirusTotal lookups of discovered files
• Find parent-less processes
• Assess all processes and create a Whitelist
• Assess all services and create a Whitelist
• VirusTotal lookups of unknown or new processes
and services
• PowerShell details
• Other API calls to security vendors
42. Use the power of Excel
MalwareArchaeology.com
• The reports are in .CSV format
• Excel has sorting and Filters
• Filters are AWESOME to thin out your results
• You might take filtered results and add them
to your whitelist once vetted
• Save to .XLS and format, color code and
produce your report
• For .TXT files use NotePad++
43. So what do we get?
MalwareArchaeology.com
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see
WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in…
15 Minutes!
44. Resources
MalwareArchaeology.com
• Websites
– Log-MD.com The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
• This presentation is on SlideShare
– Search for MalwareArchaeology or LOG-MD
45. Testers for RC-1
MalwareArchaeology.com
• May 1st 2016 - launch date
• Looking for a few good testers…
– of LOG-MD Professional
• Test the manual and tool and provide
feedback
• You WILL be rewarded for the effort ;-)
• You heard it here first !
• A gift from Austin Security Professionals
– Keeping Security Weird
46. Questions?
MalwareArchaeology.com
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• http://www.slideshare.net – LinkedIn now