SlideShare una empresa de Scribd logo
1 de 46
Descargar para leer sin conexión
Logging for Hackers,
How we catch commodity and
advanced malware with this method.
IF only retailers did this
and how you can start doing it
Michael Gough – Founder
MalwareArchaeology.com
MalwareArchaeology.com
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where,
When and hopefully How
Creator of
“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane also my Blog
MalwareArchaeology.com
Goal
• Interaction – Don’t be a Ding Dong, ask a
question… you WILL be rewarded for positive
synergy!
• Learn how us Ninja’s do it so you can too
• We have a NEW Tool for YOU!!!
MalwareArchaeology.com
Malware evolves
• So must we
• Darwin says so
• Evolve or die
• Well… Evolve or get breached anyways
• Which means an RGE !!!
– Resume Generating Event
MalwareArchaeology.com
• We discovered this
May 2012
• Met with the Feds ;-)
Why you should listen to me?
MalwareArchaeology.com
2014 - We gave an infected VM to one of the Big
IR Firms… They came back “Yup.. It’s clean” #Fail
A quick look at
Advanced Malware
Artifacts
MalwareArchaeology.com
WINNTI 2012 Summary
Pretty typical advanced malware
• DLL Injection
– WBEM
– Windows
– System32 – Files stored
– ProgramData – Files stored
• Sysprep Cryptbase.dll exploit
• Boot up back door, deletes on load, writes on shutdown
– Killed by pulling the power ;-)
• New Services installed
• Multiple infections per machine hoping you miss one
MalwareArchaeology.com
WINNTI 2014
• Summary of improvements for WINNTI 2014
– PlugX used as a base, modules added
– Dll injection on SQL Server (5 dirs. Deep)
• Allowed for SQL Mgmt utilities to enable XP Command Shell
and run .NET commands
– Binary infector – altered existing management
binaries to call main payload – and STILL worked!
– Driver infector – Added driver to look like existing
management software
– Hid scripts in the Registry
– Hid payload in the Registry!
• The Registry is a Huuuuuuuuuuuuuuuuge Database
MalwareArchaeology.com
Initial Infectors
• Perflogs
– C.exe – Communication to infected system
• Thanks for the Port and Password
• For once WE compromised THEM!
Now who is “sophisticated” ;-)
• PROOF of the power of Command Line Logging!
MalwareArchaeology.com
Persistence
• C:Program FilesCommon Files
– WLXSys64.sys – NOT ON DISK ANYWHERE ????
• Modified existing service
– WERCplSupport (Who needs WER Support)
– Changed ServiceDll to:
• Program FilesCommon FilesWLXSys64.sys
MalwareArchaeology.com
• So how did it load if it was NOT
on disk???
Normal
NOT Normal
Persistence
• Avoided leaving key files behind like they did
before, well one anyways… the persistence
piece
MalwareArchaeology.com
A quick look at
Commodity Malware
Artifacts
MalwareArchaeology.com
Angler delivered Kovtar
• Unique way to hide the persistence
• Inserted a null byte in the name of the Run
key so that RegEdit and Reg Query fail to read
and display the value
MalwareArchaeology.com
Dridex Artifacts
MalwareArchaeology.com
Dridex Persistence
• New method towards the end of 2015
• Nothing in the Registry showing persistence while
system was running
• In memory only until system shutdown
• Then we caught the bugger, with good auditing of
course and
MalwareArchaeology.com
Artifacts
• Dll Injection – New Files dropped in Windows
core directories
• Command Line details
• Admin tools misused
• Delete on startup, write on shutdown
• New Services (retail PoS should know this)
• Drivers used (.sys)
• Infected management binary (hash changed)
• Scripts hidden in the registry
• PAYLOAD hidden in the registry (256k binary)
MalwareArchaeology.com
How to Detect
Malicious Behavior
MalwareArchaeology.com
So what led us there?
Command Line Logging !!!!
• At the time of Winnti 2014 ONLY Win 8.1 and Win
2012 R2
• Which we had, then we saw this in our alerts of
suspicious commands (Cscript & cmd.exe & cacls &
net & takeown & pushd & attrib)
• Scripts too
MalwareArchaeology.com
Hidden in the Registry
• Command Line execution led us to Registry Keys.
The main payload and scripts to infect were stored in
the registry – Classes and Client Keys
MalwareArchaeology.com
Hidden in the Registry
• HEX in some cases where infection was not complete
or when we recreated it in the lab because we were
missing something (the infected persistence binary)
• A Binary when complete, encrypted in some way
MalwareArchaeology.com
Hiding in the Registry
• This was new for WINNTI 2014, other
advanced malware uses this method too
• They added three values to the Keys
• HKLMSoftwareClients or Classes
– putfile
– file
– read
• This found on only a few systems to hide another backdoor
– HKLMSoftwareWow6432NodeBINARYAcrobat.dxe
MalwareArchaeology.com
HKLMSoftwareClients
• putfile
• file
• read
MalwareArchaeology.com
4D5A = MZ in HEX
Persistence
• Infector… One for the DLL (infect.exe) and
one for the Driver (InfectSys.exe)
• Altered system management binaries
– McAfeeFrameworkService
– BESClientHelper
– Attempted a few others, some failed
MalwareArchaeology.com
• We tried the infector on several
other system files and it worked
Persistence
• Infected management binary read key, decrypted
payload and dropped into:
– Program FilesCommon Files
• NOW WERCplSupport ServiceDll exists!
• As soon as it was loaded… it was deleted making
it hard for us to find it
MalwareArchaeology.com
But we were better
than that ;-)
So what led us there?
• Malware Discovery Baseline
• Compared infected system hashes (Suspect) to a
known good system hashes (Master-Digest)
• Showed some single hashes in directories that
were odd to us (our own management software)?
• So we looked for these binaries across all systems
• ONLY the infected system had these odd hashes
MalwareArchaeology.com
Persistence
• BAM! Got ya – PROCMon on bootup
MalwareArchaeology.com
FINALLY !
• Malware Management allowed us to setup
alerts on artifacts from other malware analysis
• Of course our own experience too
• Malware Discovery allowed us to find odd file
hashes, command line details, registry locations
• Malware Analysis gave us the details
MalwareArchaeology.com
What we need to look for
• Logs of course, properly configured - Events
– Command Line details
– Admin tools misused – executions
– New Services (retail PoS should know this)
– Drivers used (.sys)
• New Files dropped anywhere on disk – Hashes
• Infected management binary (hash changed)
• Delete on startup, write on shutdown - Auditing
• Scripts hidden in the registry – Registry Compare
• Payload hidden in the registry – Large Reg Keys
• Malware Communication – IP and WhoIS info
• Expand PowerShell detection
• VirusTotal Lookups
MalwareArchaeology.com
So what did we
take away
from all of this?
MalwareArchaeology.com
It didn’t exist
So we created it!
So you can do it too!
MalwareArchaeology.com
Announcing the release of…
MalwareArchaeology.com
FREE!
$299
AND
Version RC-1
MalwareArchaeology.com
• Log and Malicious Discovery tool
• When you run the tool, it tells you what
auditing and settings to configure that it
requires. LOG-MD won’t harvest anything
until you configure the system!
• Once the system and/or GPO is configured
1. Clear the logs
2. Infect the system
3. Run Log-MD
4. Review “Report.csv” in Excel
Functions
MalwareArchaeology.com
• Audit Report of log settings compared to:
– The “Windows Logging Cheat Sheet”
– Center for Internet Security (CIS) Benchmarks
– Also USGCB and AU ACSC
• White lists to filter out the known good
– By IP Address
– By Process Command Line and/or Process Name
– By File and Registry locations (requires File and
Registry auditing to be set)
• Report.csv - data from logs specific to security
Purpose
MalwareArchaeology.com
• Malware Analysis Lab
• Investigate a suspect system
• Audit Advanced Audit Policy settings
• Help MOVE or PUSH security forward
• Give the IR folks what they need and the Feds too
• Take a full system (File and Reg) snapshot to compare to another
system and report the differences
• Discover tricky malware artifacts
• SPEED !
• Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…
• Replace several tools we use today with one easy to use utility that
does much more
• To answer the question: Is this system infected or clean?
• And do it quickly !
Free Edition
MalwareArchaeology.com
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process
and File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden
payloads
MalwareArchaeology.com
• Everything the Free Edition does and…
• More reports, breakdown of things to look for
• Specify the Output directory
• Harvest Sysmon logs
• Harvest WLS Logs
• Whitelist Hash compare results
• Whitelist Registry compare results
• Create a Master-Digest to exclude unique files
• Free updates for 1 year, expect a new release
every quarter
• Manual – How to use LOG-MD Professional
MalwareArchaeology.com
Future Versions – In the works!
• WhoIs lookups of IP Addresses called
• VirusTotal lookups of discovered files
• Find parent-less processes
• Assess all processes and create a Whitelist
• Assess all services and create a Whitelist
• VirusTotal lookups of unknown or new processes
and services
• PowerShell details
• Other API calls to security vendors
MalwareArchaeology.com
Let’s look
at some
LOG-MD
RESULTS
Crypto Event
MalwareArchaeology.com
• C:UsersBobAppDataRoamingvcwixk.exe
• C:UsersBobAppDataRoamingvcwpir.exe
• C:WINDOWSsystem32cmd.exe /c del
C:UsersBobAppDataRoamingvcwixk.exe >> NUL
• C:WindowsSystem32vssadmin.exe delete shadows /all /Quiet
Malicious Word Doc
MalwareArchaeology.com
DRIDEX
Malicious Word Doc con’t
MalwareArchaeology.com
More DRIDEX
Use the power of Excel
MalwareArchaeology.com
• The reports are in .CSV format
• Excel has sorting and Filters
• Filters are AWESOME to thin out your results
• You might take filtered results and add them
to your whitelist once vetted
• Save to .XLS and format, color code and
produce your report
• For .TXT files use NotePad++
So what do we get?
MalwareArchaeology.com
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see
WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in…
15 Minutes!
Resources
MalwareArchaeology.com
• Websites
– Log-MD.com The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
• This presentation is on SlideShare
– Search for MalwareArchaeology or LOG-MD
Testers for RC-1
MalwareArchaeology.com
• May 1st 2016 - launch date
• Looking for a few good testers…
– of LOG-MD Professional
• Test the manual and tool and provide
feedback
• You WILL be rewarded for the effort ;-)
• You heard it here first !
• A gift from Austin Security Professionals
– Keeping Security Weird
Questions?
MalwareArchaeology.com
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• http://www.slideshare.net – LinkedIn now

Más contenido relacionado

La actualidad más candente

Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCONMichael Gough
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOUMichael Gough
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware ArchaeologistMichael Gough
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefMichael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beMichael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1Michael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Michael Gough
 
Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themMichael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Michael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomwareMichael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSMichael Gough
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Michael Gough
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Michael Gough
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareMichael Gough
 

La actualidad más candente (20)

Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thief
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
 
Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
 

Destacado

Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSMichael Gough
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...Ryan G. Murphy
 
Où sont mes données ? | Résowest
Où sont mes données ? | RésowestOù sont mes données ? | Résowest
Où sont mes données ? | Résowestresowest
 
Comment se protéger contre les menaces de CTB Locker (ransomware)?
Comment se protéger contre les menaces de CTB Locker (ransomware)?Comment se protéger contre les menaces de CTB Locker (ransomware)?
Comment se protéger contre les menaces de CTB Locker (ransomware)?ATN Groupe
 
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive PsychologyBSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychologychrissanders88
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
WHITE PAPER▶ The Evolution of Ransomware
WHITE PAPER▶ The Evolution of RansomwareWHITE PAPER▶ The Evolution of Ransomware
WHITE PAPER▶ The Evolution of RansomwareSymantec
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?Priyanka Aash
 

Destacado (10)

Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
 
Où sont mes données ? | Résowest
Où sont mes données ? | RésowestOù sont mes données ? | Résowest
Où sont mes données ? | Résowest
 
Risque cyber
Risque cyberRisque cyber
Risque cyber
 
Comment se protéger contre les menaces de CTB Locker (ransomware)?
Comment se protéger contre les menaces de CTB Locker (ransomware)?Comment se protéger contre les menaces de CTB Locker (ransomware)?
Comment se protéger contre les menaces de CTB Locker (ransomware)?
 
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive PsychologyBSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
WHITE PAPER▶ The Evolution of Ransomware
WHITE PAPER▶ The Evolution of RansomwareWHITE PAPER▶ The Evolution of Ransomware
WHITE PAPER▶ The Evolution of Ransomware
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
 

Similar a Logging for Hackers v1.0

When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolMichael Gough
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesSam Bowne
 
Inventory Tips & Tricks
Inventory Tips & TricksInventory Tips & Tricks
Inventory Tips & TricksDell World
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Let's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionLet's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionJames Haughom Jr
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment isc2-hellenic
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
Concepts of Malicious Windows Programs
Concepts of Malicious Windows ProgramsConcepts of Malicious Windows Programs
Concepts of Malicious Windows ProgramsNatraj G
 
CONFidence 2017: Hiding in plain sight (Adam Burt)
CONFidence 2017: Hiding in plain sight (Adam Burt)CONFidence 2017: Hiding in plain sight (Adam Burt)
CONFidence 2017: Hiding in plain sight (Adam Burt)PROIDEA
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаPositive Hack Days
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 

Similar a Logging for Hackers v1.0 (20)

When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
Ch0 1
Ch0 1Ch0 1
Ch0 1
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
 
Inventory Tips & Tricks
Inventory Tips & TricksInventory Tips & Tricks
Inventory Tips & Tricks
 
Ranger BSides-FINAL
Ranger BSides-FINALRanger BSides-FINAL
Ranger BSides-FINAL
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
Let's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionLet's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and Detection
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 
Concepts of Malicious Windows Programs
Concepts of Malicious Windows ProgramsConcepts of Malicious Windows Programs
Concepts of Malicious Windows Programs
 
CONFidence 2017: Hiding in plain sight (Adam Burt)
CONFidence 2017: Hiding in plain sight (Adam Burt)CONFidence 2017: Hiding in plain sight (Adam Burt)
CONFidence 2017: Hiding in plain sight (Adam Burt)
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не окончена
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 

Último

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 

Último (20)

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 

Logging for Hackers v1.0

  • 1. Logging for Hackers, How we catch commodity and advanced malware with this method. IF only retailers did this and how you can start doing it Michael Gough – Founder MalwareArchaeology.com MalwareArchaeology.com
  • 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Malware Management Framework” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • @HackerHurricane also my Blog MalwareArchaeology.com
  • 3. Goal • Interaction – Don’t be a Ding Dong, ask a question… you WILL be rewarded for positive synergy! • Learn how us Ninja’s do it so you can too • We have a NEW Tool for YOU!!! MalwareArchaeology.com
  • 4. Malware evolves • So must we • Darwin says so • Evolve or die • Well… Evolve or get breached anyways • Which means an RGE !!! – Resume Generating Event MalwareArchaeology.com
  • 5. • We discovered this May 2012 • Met with the Feds ;-) Why you should listen to me? MalwareArchaeology.com 2014 - We gave an infected VM to one of the Big IR Firms… They came back “Yup.. It’s clean” #Fail
  • 6. A quick look at Advanced Malware Artifacts MalwareArchaeology.com
  • 7. WINNTI 2012 Summary Pretty typical advanced malware • DLL Injection – WBEM – Windows – System32 – Files stored – ProgramData – Files stored • Sysprep Cryptbase.dll exploit • Boot up back door, deletes on load, writes on shutdown – Killed by pulling the power ;-) • New Services installed • Multiple infections per machine hoping you miss one MalwareArchaeology.com
  • 8. WINNTI 2014 • Summary of improvements for WINNTI 2014 – PlugX used as a base, modules added – Dll injection on SQL Server (5 dirs. Deep) • Allowed for SQL Mgmt utilities to enable XP Command Shell and run .NET commands – Binary infector – altered existing management binaries to call main payload – and STILL worked! – Driver infector – Added driver to look like existing management software – Hid scripts in the Registry – Hid payload in the Registry! • The Registry is a Huuuuuuuuuuuuuuuuge Database MalwareArchaeology.com
  • 9. Initial Infectors • Perflogs – C.exe – Communication to infected system • Thanks for the Port and Password • For once WE compromised THEM! Now who is “sophisticated” ;-) • PROOF of the power of Command Line Logging! MalwareArchaeology.com
  • 10. Persistence • C:Program FilesCommon Files – WLXSys64.sys – NOT ON DISK ANYWHERE ???? • Modified existing service – WERCplSupport (Who needs WER Support) – Changed ServiceDll to: • Program FilesCommon FilesWLXSys64.sys MalwareArchaeology.com • So how did it load if it was NOT on disk??? Normal NOT Normal
  • 11. Persistence • Avoided leaving key files behind like they did before, well one anyways… the persistence piece MalwareArchaeology.com
  • 12. A quick look at Commodity Malware Artifacts MalwareArchaeology.com
  • 13. Angler delivered Kovtar • Unique way to hide the persistence • Inserted a null byte in the name of the Run key so that RegEdit and Reg Query fail to read and display the value MalwareArchaeology.com
  • 15. Dridex Persistence • New method towards the end of 2015 • Nothing in the Registry showing persistence while system was running • In memory only until system shutdown • Then we caught the bugger, with good auditing of course and MalwareArchaeology.com
  • 16. Artifacts • Dll Injection – New Files dropped in Windows core directories • Command Line details • Admin tools misused • Delete on startup, write on shutdown • New Services (retail PoS should know this) • Drivers used (.sys) • Infected management binary (hash changed) • Scripts hidden in the registry • PAYLOAD hidden in the registry (256k binary) MalwareArchaeology.com
  • 17. How to Detect Malicious Behavior MalwareArchaeology.com
  • 18. So what led us there? Command Line Logging !!!! • At the time of Winnti 2014 ONLY Win 8.1 and Win 2012 R2 • Which we had, then we saw this in our alerts of suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib) • Scripts too MalwareArchaeology.com
  • 19. Hidden in the Registry • Command Line execution led us to Registry Keys. The main payload and scripts to infect were stored in the registry – Classes and Client Keys MalwareArchaeology.com
  • 20. Hidden in the Registry • HEX in some cases where infection was not complete or when we recreated it in the lab because we were missing something (the infected persistence binary) • A Binary when complete, encrypted in some way MalwareArchaeology.com
  • 21. Hiding in the Registry • This was new for WINNTI 2014, other advanced malware uses this method too • They added three values to the Keys • HKLMSoftwareClients or Classes – putfile – file – read • This found on only a few systems to hide another backdoor – HKLMSoftwareWow6432NodeBINARYAcrobat.dxe MalwareArchaeology.com
  • 22. HKLMSoftwareClients • putfile • file • read MalwareArchaeology.com 4D5A = MZ in HEX
  • 23. Persistence • Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe) • Altered system management binaries – McAfeeFrameworkService – BESClientHelper – Attempted a few others, some failed MalwareArchaeology.com • We tried the infector on several other system files and it worked
  • 24. Persistence • Infected management binary read key, decrypted payload and dropped into: – Program FilesCommon Files • NOW WERCplSupport ServiceDll exists! • As soon as it was loaded… it was deleted making it hard for us to find it MalwareArchaeology.com But we were better than that ;-)
  • 25. So what led us there? • Malware Discovery Baseline • Compared infected system hashes (Suspect) to a known good system hashes (Master-Digest) • Showed some single hashes in directories that were odd to us (our own management software)? • So we looked for these binaries across all systems • ONLY the infected system had these odd hashes MalwareArchaeology.com
  • 26. Persistence • BAM! Got ya – PROCMon on bootup MalwareArchaeology.com
  • 27. FINALLY ! • Malware Management allowed us to setup alerts on artifacts from other malware analysis • Of course our own experience too • Malware Discovery allowed us to find odd file hashes, command line details, registry locations • Malware Analysis gave us the details MalwareArchaeology.com
  • 28. What we need to look for • Logs of course, properly configured - Events – Command Line details – Admin tools misused – executions – New Services (retail PoS should know this) – Drivers used (.sys) • New Files dropped anywhere on disk – Hashes • Infected management binary (hash changed) • Delete on startup, write on shutdown - Auditing • Scripts hidden in the registry – Registry Compare • Payload hidden in the registry – Large Reg Keys • Malware Communication – IP and WhoIS info • Expand PowerShell detection • VirusTotal Lookups MalwareArchaeology.com
  • 29. So what did we take away from all of this? MalwareArchaeology.com
  • 30. It didn’t exist So we created it! So you can do it too! MalwareArchaeology.com
  • 31. Announcing the release of… MalwareArchaeology.com FREE! $299 AND Version RC-1
  • 32. MalwareArchaeology.com • Log and Malicious Discovery tool • When you run the tool, it tells you what auditing and settings to configure that it requires. LOG-MD won’t harvest anything until you configure the system! • Once the system and/or GPO is configured 1. Clear the logs 2. Infect the system 3. Run Log-MD 4. Review “Report.csv” in Excel
  • 33. Functions MalwareArchaeology.com • Audit Report of log settings compared to: – The “Windows Logging Cheat Sheet” – Center for Internet Security (CIS) Benchmarks – Also USGCB and AU ACSC • White lists to filter out the known good – By IP Address – By Process Command Line and/or Process Name – By File and Registry locations (requires File and Registry auditing to be set) • Report.csv - data from logs specific to security
  • 34. Purpose MalwareArchaeology.com • Malware Analysis Lab • Investigate a suspect system • Audit Advanced Audit Policy settings • Help MOVE or PUSH security forward • Give the IR folks what they need and the Feds too • Take a full system (File and Reg) snapshot to compare to another system and report the differences • Discover tricky malware artifacts • SPEED ! • Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc… • Replace several tools we use today with one easy to use utility that does much more • To answer the question: Is this system infected or clean? • And do it quickly !
  • 35. Free Edition MalwareArchaeology.com • Harvest security relevant log data • Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations • Perform a full File Baseline of a system • Compare a suspect system to a Baseline or Dir • Perform a full Registry snapshot of a system • Compare a suspect system to a Reg Baseline • Look for Large Registry Keys for hidden payloads
  • 36. MalwareArchaeology.com • Everything the Free Edition does and… • More reports, breakdown of things to look for • Specify the Output directory • Harvest Sysmon logs • Harvest WLS Logs • Whitelist Hash compare results • Whitelist Registry compare results • Create a Master-Digest to exclude unique files • Free updates for 1 year, expect a new release every quarter • Manual – How to use LOG-MD Professional
  • 37. MalwareArchaeology.com Future Versions – In the works! • WhoIs lookups of IP Addresses called • VirusTotal lookups of discovered files • Find parent-less processes • Assess all processes and create a Whitelist • Assess all services and create a Whitelist • VirusTotal lookups of unknown or new processes and services • PowerShell details • Other API calls to security vendors
  • 39. Crypto Event MalwareArchaeology.com • C:UsersBobAppDataRoamingvcwixk.exe • C:UsersBobAppDataRoamingvcwpir.exe • C:WINDOWSsystem32cmd.exe /c del C:UsersBobAppDataRoamingvcwixk.exe >> NUL • C:WindowsSystem32vssadmin.exe delete shadows /all /Quiet
  • 41. Malicious Word Doc con’t MalwareArchaeology.com More DRIDEX
  • 42. Use the power of Excel MalwareArchaeology.com • The reports are in .CSV format • Excel has sorting and Filters • Filters are AWESOME to thin out your results • You might take filtered results and add them to your whitelist once vetted • Save to .XLS and format, color code and produce your report • For .TXT files use NotePad++
  • 43. So what do we get? MalwareArchaeology.com • WHAT Processes executed • WHERE it executed from • IP’s to enter into Log Management to see WHO else opened the malware • Details needed to remediate infection • Details to improve your Active Defense! • I did this in… 15 Minutes!
  • 44. Resources MalwareArchaeology.com • Websites – Log-MD.com The tool • The “Windows Logging Cheat Sheet” – MalwareArchaeology.com • Malware Analysis Report links too – To start your Malware Management program • This presentation is on SlideShare – Search for MalwareArchaeology or LOG-MD
  • 45. Testers for RC-1 MalwareArchaeology.com • May 1st 2016 - launch date • Looking for a few good testers… – of LOG-MD Professional • Test the manual and tool and provide feedback • You WILL be rewarded for the effort ;-) • You heard it here first ! • A gift from Austin Security Professionals – Keeping Security Weird
  • 46. Questions? MalwareArchaeology.com You can find us at: • Log-MD.com • @HackerHurricane • @Boettcherpwned • MalwareArchaeology.com • HackerHurricane.com (blog) • http://www.slideshare.net – LinkedIn now