Presenter:
Transcript:
Everybody has their belt buckle and their USB drives backwards. Okay. Welcome to the second talk of the morning here in 350B, not to be confused with this. I'd like to introduce you to Michael Gough, as in cough, I was informed: a CISSP-certified malware archaeologist and Blue Team defender, hunter and incident responder with 20-plus years of experience.
He's another gray-haired guy like me. I'm old. Me too. The creator of the widely used Windows Logging Cheat Sheets and co-developer of incident response tools. What? LOG-MD and File-MD. He's a veteran consultant for Fortune 500 companies across health care, finance, gaming and more, with deep expertise in malware discovery and threat hunting. He's also an active community leader and conference speaker, and the former organizer
of BSides Texas and BSides Austin. Shout out, and one of my helpers here, Stephen, back in the day. So I will turn it over to Michael and Stephen. Let me.
First. Here we go. One part I want to mention before we get going is, you know, hey, how do you do what's in this and get past your EDR and everything? Something recently came out and I just want to mention it. If you haven't heard of EDR-Freeze, break your silence or you are going to get this wrong.
I'll remember. Happy to talk and mention it. But basically it's misusing WerFaultSecure. So if you're a threat hunter or you want to look for how to freeze an EDR, and this includes CrowdStrike, by the way, go research this project and look for anything that's being written on WerFaultSecure. It's the parameters that are going to be the things to look at, which will come up a lot in here.
But that is something that just came out in September. It's being written about. So I want to just, EDR-Freeze. WerFault is, well, you know, when your program is crashing, Windows has a utility called WerFaultSecure, and the parameters you specify will allow you to freeze your
EDR, AV, allowing you to then do everything I'm talking about in this picture. Or you just do it without EDR, however you want to get there. All right, so I am a water-holic, so. Hello, my name is Michael. Log-aholic. There we go. Okay. I gotta keep it going on alert. Right. It's part of it.
I love configured logs. Properly configured logs. One of the reasons is the thing I just mentioned, EDR-Freeze. If it freezes you and you're relying on EDR telemetry, your logs are going to be where you find lots of cool stuff. I am the contributor of all these cheat sheets. How many people here have heard about the Windows Logging Cheat Sheet series? Very good.
If anybody here went to Andrew's talk, this is very complementary to Andrew's talk on memory forensics, because we're going to talk about some of the other stuff, including maybe looking at some of the files that came out of memory. And, yeah, I made this tool, LOG-MD. Walking billboard: Windows incident response tool. So why this talk?
Well, basically, for you to learn what we do in the trenches, right, to improve your detection and threat hunting, and of course your skills in general. A lot of people are saying, how do I start learning this? Start going to talks like this, you know, attend; your local BSides are really cheap or free.
But basically one of my goals is to try to teach people what I've learned and what I see, because I don't see that being taught very much. And so that's all my goal is, to help educate the folks in our community. So, of course, I like to pick on AI because, you know, factual intelligence. So I asked it, you know, what can you tell me about SectopRAT, or ArechClient2, malware?
I can't provide information about specific malware variants. Right. So I saw how it talks about the topics, right. I can't tell you anything about malware. Yeah. Okay. We're not done playing with you. I saw what you like, play sports. This sample comes from about this period of time, end of April, beginning of May, which is when I did this analysis on these samples that I had and that I had to deal with.
So at the time it was pretty popular stuff. Red Canary had it going up to sixth place in the list of malware, rootkits and Trojans out there. So, yeah, popular. It does use encoded commands, remember that. But that's, you know, the fact that they mention that, actually, it's better that you do manipulate PowerShell.
It's easier to detect your manipulation than it is to detect what you're actually writing. Honestly, if you're dumb stuff to assume. But that could just be me. And of course, what they're doing is they're looking at injected processes using cmd /c. So in this case, I'm on now. There we go. cmd.exe is a process for running.
Now, if you see any cmd.exe out in front when hunting, you should always investigate it as well. But also things are being injected, which is where we're going to really focus here in this talk. In this case, MSBuild is something they're using; again, living off the land, a built-in utility being misused. And it does have outbound connections to a known port, you know, 15647.
But, you know, IP addresses and ports change. Like the firewall manifest in the multiple samples I had, which you'll see, they'd already started changing the port. So chasing IP addresses and ports: good for a SOC for the immediate need of an immediate infection that maybe two, three, five people get, but not long term. You've got to look for other stuff.
And then, of course, it's using pastebin as a way to fetch files from. There's kind of two parts to this, but, you know, do you allow pastebin in your environment? A lot of people do. So again, this is .NET based. That's why I wanted to have this talk. I've been seeing this come more and more and more, and .NET is built into Windows.
That means a lot of the code I'm going to use, I just have to tell Windows what to do with it and how to compile it, and/or how to call those .NET libraries. And again, it connects to a service that has been associated with a hostname to receive the C2, to figure out where I'm going to send the payloads to.
And, you know, it primarily uses 15647, but also 678, 649, 228 and 80, and, as you'll see, 443. And so it also uses this obfuscation technique. There's the before on this page, right, which is on your left, and the after obfuscation on the right. So they try to obfuscate the code as well, which makes it harder for us to read it, or for dictionary-type readers to detect what they're doing.
It does do browser logging. So it's trying to check what you're doing in your browser. Yeah. You know what else doesn't snoop on your browser? Every malware. And again, it does use encoded PowerShell, right? Base64. If you're not aware, by default Windows doesn't log PowerShell well, at all, right. Crap. So you have to actually take, there's a cheat sheet for that.
You actually have to take and configure PowerShell logging on Windows servers, workstations, etc., and if you do it properly, then base64 that's executed on a Windows box, it will unencrypt or decode the payload in the log as well. So no use for going to CyberChef or anything else. But yeah, they go ahead and they do these steps for you so you won't have to, because it can be in the logs.
Yeah, if you don't do your logs correctly, you have to take the encoded base64 over to CyberChef, drop it in there and all that. So why does malware still work so easily today? Users. No, really. It's more about that, but really it is users. Local logging is rarely, like almost never, up to my standards.
You know, I think if you rely on EDR, I'll talk about that in a minute. The easy button, right? Just go ahead and put it up there. The easy button for EDR is what people think. And if you look at why EDR was developed back in the day, it's because in order to get the detail level that we see today in Windows logs, EDR was written. Like, if you remember original Carbon Black, it was literally just a stream of everything happening on the box, unfortunately way too noisy.
You add intelligence and now we're in the modern EDR realm. But what if they interrupt it with EDR-Freeze or some other mechanism? Your logs are going to be where you're going to get the details. Right. So that's why I love them. The goal with this is to feed into detection, right? We find something.
When you investigate a box you're like, oh, this will make a really good detection. A good detection is something that's high validity, meaning it triggers when it happens, but it doesn't trigger often and it doesn't create a lot of noise. Right. So anytime you can find that when you're doing this kind of malware discovery, malware analysis, this is not reversing, by the way. I don't do reversing.
I use what tools I have, which is that box properly configured with a bunch of stuff added to it. And then I detonate the malware, because that's what our tools can actually detect. That's what the thing's going to see. So I want that kind of data. I don't want any other mumbo jumbo. And again, the typical artifacts: can we detect this?
Can we set up a rule to say this is interesting, we probably shouldn't have this? And we'll talk about a couple of those as we go along. And again, one of the problems is everybody thinks EDR is doing the job. I don't need to do better logging, I've got EDR. Okay. You are so wrong. EDR misses things like recon, lateral movement.
It will occur when the bad guys, especially an advanced attacker, get in with EDR deployed. They find you have EDR, do all kinds of recon and pushing and moving, find that one of 310 boxes that does not have EDR or it's not running, and that's where they'll start their attack and go from there. So how many people here know for absolute positive fact that 100% of the machines,
okay, 99.666666, six sigma of your machines, have EDR running and currently up to snuff? Yeah. No, it's difficult. I can tell you from being a consultant back in the day, I've never been in an environment that could prove they were even 80%. So there were always gaps in the space of deployments. It's a difficult problem. Most EDRs do well on process execution,
unless they're bypassed, like with EDR-Freeze, which has just literally this month been reported, and I have seen an example of that. So it's the parameters of WerFaultSecure that you're looking for. Most orgs don't have a whole body exam. That's another problem. Nor do they collect all the workstations. Again, remember the comment where I said what's the problem? Users.
Well, if you don't collect your workstations, where's the malware? It's not starting on your servers. That's where it goes to, unless it's a web-based attack early on, all that stuff. So what does malware tend to always do the same that we should or could detect? Okay, so users are still users. Yeah. If you look at the way malware infects a user's box, what does a hacker know?
In this case, here's the September 2025 sample of SectopRAT, so you can kind of follow this. I'm just going to put it up here for reference. The old version of this was posted. I'll post this version after the con and I'll link it to malwarearchaeology.com, which is going to be SlideShare.
Right. But basically, if you look at the title up here, C:\Users, right. This is where this stuff starts. Why? Because the bad guys know when you click on something, C:\Users is a place you can write stuff to the disk to begin the infection, whether it persists on disk or not, but they can start there.
Okay, so what does typical malware look like in common? %TEMP%, %APPDATA%, %ProgramData%. These variables are what the malware uses when they write stuff or detonate stuff on your box, because any user can write there, locked down to the hilt. Any user can write here, so they know they have rights to write here. They have the right rights, and then they write. Malware begins in the user space like 95% of the time.
So this is like, you know, what do I look for in a box that I think is infected? Come on, you get to participate here. Where do you first look? C:\Users, because 95% of it starts there. There's probably a remnant you can find. Right. And so these variables are places they tend to write stuff and go from there.
Security event IDs. You want to look for process execution, which is 4688, or use Sysmon as an additional service. And there's my old friend Damon. Hello, sir. Oh, chef. But, yeah, you can also do Sysmon, which again I have in my lab box. You can put it in deployment in the corporate world,
but it's incredibly noisy unless you seriously configure it not to be noisy, like ridiculously noisy. You'll go through gigabytes of logs in a couple of days, depending on what you configure. Maybe even less if you configure registry and whatnot, and all file writes there. You know, again, it's good for process execution, but the technique they're using can bypass EDRs and AV.
Right. So C:\Users, file names and location, location, location. Just like retail space, location, location, location. Malware loves it. So let's take a look at some of the original file names of SectopRAT. A lot of times, and again, this is where you execute as a researcher, you're like, try a little harder, make this hard to catch.
Right. This is a great one. UninstallSMB.exe. All right. It actually looks like an uninstall feedback application. It's got its proper metadata. That's all the stuff you see in the box, "affect my partition" or whatever the heck it says there. And then on the right, you've got the guy who got lazy and did that. Whatever. Did you get the bus?
All right. I'll immediately find this. I'm doing research, right. Come on. The left is harder to find. The one on the right is a lot easier to find. And also they didn't fill in all the metadata, which is important, because the metadata is what immediately tells us, hey, we've got something fishy here. That doesn't mean proper files don't lack metadata.
It does. They do, especially third-party stuff. The locations of files are also the great giveaways. In this case you can see, on the left, malware: C:\Users, malware, AppData\Local. And then in the root of Local, this is what I call a high-validity alert. EXEs, DLLs: a binary should never be in the root of AppData
Local, AppData\Roaming, AppData\Local\Microsoft\Windows, C:\ProgramData. I can't tell you how many malware campaigns and payloads and keystroke log files and data files I find in locations where this stuff should never exist. Okay, it just shouldn't be there. So if you know that's the case, then this would be a high-validity alert, because a lot of malware, in this case SectopRAT,
places it in a place where there is never any .exe, literally. That's the dump of the folder you see. That's it. So if there's a binary there, a DLL, it's bad, right? So there's a bad guy right there. And that's the location. So yeah, this is a great location, location, location. So here's some of the output from File-MD.
Right. So folders in user space, new folders: under ProgramData, Local, Roaming, Local\Microsoft\Windows, etc. You can see in this case AppData\Roaming, FS Control. So now they made a subfolder and they put this bad DLL inside that folder. Right. So now you're looking for user space, some weird new folder name, and then what's in that,
and, you know, go from there. On the left you see the word malicious, or whatever; that's the File-MD stuff where it's statically analyzing the files, looking at how the file is crafted to determine whether the file is good, bad or malicious, low, medium, high kind of thing. And so that helps us when we're doing our investigations.
I say, you might want to look at this one. And then I see it's in Roaming, FS Control. Like, I don't know what FS Control is, is what it says. It's malicious. So I'm going to look at it. All right. So location, location, location. So what do they like to share in common? Now here's one where again the client used host app debug. In the root there's gamma 64 plus, in the root of the folder ProgramData.
They created a folder and put this file in here and a bunch of other ones. Okay. That's all right. That's actually not bad. That's a good file. One of the files below it is the bad file. Anybody? Could you guess? Take a wild guess. So this is what's called DLL side-loading. So they take a valid program, a valid binary, Windows or a third party,
doesn't matter. They create a folder and they drop all the files that that program needs. And then they have their bad DLL. So when the program runs, they call the program, and you see that program, you send it to VirusTotal, it says, no, that's good. You're like, okay, you move on. To the actual cycle of history, to the bad files of 535.
Now.
Good. Yes. So here it is, a DLL. We'll get to it. So again, here's another folder. Another item, XP fix that. You see the only thing in there, okay, it's prefix, remember. So this is in Windows 11. So, you know, these kinds of things are what I see. So it's like the Matrix. You're looking at the Matrix.
And this stuff to me sticks out. I can look at the results and go, here you go. And so, yeah, location. If you want to up your game on logging for this, there's a cheat sheet for that. You can turn on file and folder auditing on C:\Users. You can run this across the entire infrastructure if you want.
You don't necessarily want to collect all that into a SIEM, but at least if you collect it locally, you'll get a 4663 event, which will allow you to see newly created files. And yes, you're going to see new things in Firefox, etc., but you'll also see these kinds of things. And if you do some filtering, you potentially can benefit from that dramatically.
So what does typical malware look like? So here's what I told you about, the uninstall, whatever the heck it was. Fix that. Just a little thing you say. All right. There's a new file here. I want to go look at the binary and see if it's bad. Nope. Perfectly good binary. Good. So again, trying to fool the analyst.
Here's the other one. If you didn't get it, the second file down is actually the malware. So in that Uninstall, UninstallSMB, come on, go back. There you go. In that guy, there's a DLL it requires called libcrypto. And that's the malware that actually gets side-loaded when they call it.
It's in the folder. It's sitting right next to it in the folder that they created. Right. So DLL side-loading. So again, it may not be just the EXE that's being called, or something you see executed in your environment; it will be the module that they're calling from. In some cases, as Andrew might point out, they load it only in memory and nothing's on disk.
So, how to tell .NET malware: when you see the process execution and you look at all the modules that the EXE is calling, you'll see C:\Windows\assembly\NativeImages, System.Windows, blah, blah, blah. Right. Here are the .NET locations and all the things they load. And so this tells you that they're calling a lot of the .NET functions.
And if you read what the actual file names are, System.Net on the bottom, System.Net, well, clearly they're calling web traffic. Right. So now you have an idea of what it's doing. You don't have to reverse the malware to know what it's doing. There's some System.Windows.Forms. You can go research what all these are, just some simple System.Configuration, System.Drawing, etc.
And you can kind of get an idea of the things they're doing. Oops, I want to go back there. And then below that you can kind of see the tree. LOG-MD builds a process tree where you can see gamut B 64 being called, the gamut B 64 again, and then calling D4, and then the XP six, so you can see what's calling what.
The series of parent-child relationships is key as well. Location, location, location. Yes. This is upper to Morgan. This is a tool that I just created. It's a standalone Windows incident response tool that you run on a box and you collect the data.
What's kind of what? You can launch this from case? If you wanted to create a module for that, that's what we do, you know? All command line, have a monster. It would go to the RTL console. Here, you're on the box. Click the artifacts format, just like we do. Okay. So yeah. Good question. That's a good question.
And coming. Oh well, that wasn't even close. But it's pretty far back. And the one below that, you can see from just a standard type, PID 9696 is calling the other ones below. So that's kind of the graphical, typical Windows way you would see it, as opposed to LOG-MD when we do our process tree. It makes it a lot easier to see; if I can look at that, I immediately go get that, right.
So location, location, location: PowerShell. What it typically looks like, our SectopRAT sample here, like a lot of malware, because again PowerShell is built in, right? Why type all that code when it's already there? It's built in, right. Just like that. And they use obfuscation, either naming things funky or using base64, or a combination.
They do all kinds of funny stuff with this stuff. But again, if it's not properly configured, that's one of the reasons they're doing that, because if you don't configure PowerShell, then as they type PowerShell you're not going to see much. So yeah, I do that for you. You want to look for 4104 if it's properly configured, and you'll get to see the base64 blob and the obfuscated blob and then the base64 decoded, if you do it properly, configured properly.
And so here's what it looks like here. So up on top you can see the base64. You can take that to CyberChef, or, just looking at the logs for it, here's what the output actually looks like. So we're going to leave that custom initially, get the payload. And then you can see, as you follow where the line goes, it ends up going to temp. Remember the environment variables.
Remember %TEMP%. That's what it is. So it's dumping into the temp folder. Crystal, Chris 60 x64. All right. So that's the thing I mentioned earlier. So location, location, location. And then down there, if you decode this, you can see that it's meant to sleep for a little over a minute. They're doing that to try to stop some of the protection capabilities.
Right. If something executes and I launch it right away, nothing's happened yet. But if I wait a minute or two. And so some of this decoding you see in the logs, if you do it properly, are things that I would look at. You know, I generally sit there twiddling my thumbs before I launch my protection scripts.
But sometimes I launch it right away. I'm like, I'm not seeing what I think I should see. I just run it again, and then boom, I've done it past the sleep period. So watch out for these; these are for detection avoidance. Startup folder, autorun persistence. This is, again, try a little harder, guys. I mean, come on, SectopRAT.
Did not have anything interesting here. Same old dumb autorun. It basically used a link in the Startup folder. Now the link goes to the valid binary we talked about. So none of that's bad. But look at the name, right. The name like that should tell you something. And so, if you're back in, then you can see down here below, Programs, Startup, and you see the launching program starter, this may be a temp.
Okay. What the heck is a Startup folder got, temp offer? And then there's some other run keys you should always look at as well. Again, watch for these to be created or changed. RunOnce will happen when there are upgrades and whatnot, but generally when things are added to the Run key, they're looking to persist.
So yeah, there's a cheat sheet for all those. Binary properties do not match; that's kind of an important one as well. If that's the name of the file, then the internal name should be the same. And so that's something else that malware constantly messes up. It's really easy for us to see in our reports, in our data.
It's literally right-click, Properties, or use a tool to look at the metadata of the product. And you'll see that these things don't match, or are blank or whatnot. There are always things to look for and throw on. So let's talk a little bit about communications. SectopRAT uses C2 for different payloads, and then sets it in that to then go to pastebin to say, where do you want me to send it to?
And then it also goes to wherever, right. So we've got two pieces to the web puzzle here, instead of doing it all at once. The idea here is maybe you block one but not the other, or you miss one and then you still have problems happening. Ports and domains change, so I'm not a real big fan of that.
Good at the point in time. But if you've ever chased a threat actor, we're constantly putting in IP blocks, they realize we're blocking them and they change the IP block to a completely different subnet. Right? So it's a short-lived relief. Or ports. So, definitely you want to look for more of what's communicating. Sometimes you even go and look at the headers of the communications and write rules.
So here's an example where all the IOCs and their replacements, you can see they've got endless combinations of spins to use. Use your Google-fu if you're trying to chase those down. But yeah, again, if you look at the web, to look up pastebin is generally okay. So the malware, you know, this is generally allowed in a lot of environments, which is why they use it.
So typical things on the Windows Firewall logs. So this is where I never see this configured in environments. So Windows Firewall logs are awesome, because the one thing you don't get, here's the Windows Firewall, you just have to turn on logging, is it gives you the binary that the connections are happening to. Right. We've got this funny traffic on port 22.
What's doing it? Well, the Windows Firewall logs on the Windows box will tell you that it's binary XYZ. So if you remember, right, in the talk when we talked about, there's Russia and US in here, but port 15647 is there at the top, and you can see MSBuild is the thing calling and running it.
Right. So right there, very telling for me, I kind of focused on MSBuild being used. There it is, .NET Framework. And there's the port that we know SectopRAT is running. But Russia, I mean, one of the things we do is whois all those Windows Firewall logs so we can get the country owners and the ports.
So it's really easy to say, hey, Russia's calling. But again, in the sample below, later on, they said, okay, fine, we won't use Russia, we'll go over here and use US as well, Amazon. So yes, they might be supporting more from Russia to Amazon. But again, look at the location. Location, right. Using Bob\AppData\Local\Reforge, you know, etc.
So, you know, the location of the .NET stuff is pretty telling in regard to what's going on on the box. And then there's a different port. So now we've got 443 showing up. Right. That wasn't in the original report. So what is new with malware that we should detect? So now the latest thing to do is inject processes, hollow, whatever combination of messing with memory there is.
This is where Andrew's talk was really good. But yeah, they inject things into memory. Why? Because if I take a disk, I get you to actually do something, and I get it in memory, I can wipe what's on disk. And then as an analyst, you go looking for the malware, you can't find anything. But if you reboot, it comes back.
You're scratching your head, not knowing what's going on. Well, if you turn on file and folder auditing and registry auditing and you do things like the Run key, and you do things like the Users folder, you'll see when the system shuts down, they will write the file to disk, they'll write the autorun to the Run key or your Startup folder, wherever.
And then when it reboots, it starts up and it deletes it. So when it's alive, I can't figure out where the file is. But memory, on the other hand, it's there. Or it'll be memory-only, as Andrew pointed out, and they get it injected in memory and there's no artifact. Even on a reboot, your malware is gone.
You know, they require or need the malware to talk in memory to another box in memory, to then infect other boxes. Right. And so they can bunny-hop to that box once they figure out how to get around your environment. But yeah, a lot of good EDRs will do pretty good at this. But again, EDR-Freeze is a way to pause your EDR to create this.
They can unpause it when they're done if they so choose. But that's why they can get around it. So you need a tool on the endpoint to look for this, right. If you have EDR, that's an endpoint tool. Or you have to go to the endpoint through a console and run something like LOG-MD or one of the other tools, or PSN or Volatility, of course.
And get a memory dump, run it through Volatility or PSA. We'll look at what's in memory just like LOG-MD does. And then you can use File-MD to check these extracted files from memory and say, is there any sign of maliciousness? Oh hey, I got a pointer on this thing. Cool. It's from the pointer.
Yeah. And so, yeah, there are lots of ways you can do this, but what you're looking at is signs of some sort of injection, hollowing, etc., in memory. That is something a lot of analysts don't do. A lot of tools can be bypassed for. These are extracted modules. Right. So anybody know which ones of these extracted modules are the malware?
Yeah. Yeah, yeah. We know that's just the launcher. We talked about that already, right. And so, it's the part of a module that you're looking for, and see how one of this part of it, because they all got launched by DForge. But one of these was side-loaded. And again, it doesn't look like what you saw in the folder.
The names that they put in memory are completely arbitrary. But it turns out that's the malware. So how would you know that if you extracted that with Volatility? Volatility might not find it, probably would not see that as malware. But if you extract it from memory, how would you check it, versus. Or do you use something like File-MD to say, hey, I'm potentially malicious?
So low-based and valid binaries. So again, MSBuild, this guy, was a valid binary. And here's the example where it's showing that a hook or an implant or a patch occurred on MSBuild. So now we know something funny is going on. That means they did something within that. Here's a piece of data. Here's what LOG-MD gives you.
But that's what's happening with that file that was pulled out of memory. But this is something that, if you want to find something that's only in memory, this is the way you've got to go about it. So actually, it's just a launcher that's signed. Right. In this case, it was Flexera software again.
They're using, everybody knows who Flexera is. Here's one from 18 and another one from Naomi. Right. So these are just the launchers. They're perfectly valid, VirusTotal is going to come back and say you're good. There's nothing bad about these files. It's where they are and the files below it. Yes. They go like this again.
In right. So they just, you know. What do you mean? It doesn't mean this in our DNA itself. So VirusTotal is a massive repository of files that Google now owns, right, and has threat intelligence, but they also have 65 engines that they can run against. And so in their database they know that that file's hash is XYZ, or they will initiate a scan of all those engines in their environment to get you a score.
And it comes back as zero of 65. Right. So that's what it means by that one. And what they're doing is they're just using this file to say, you know, XYZ DLLs are required for that, and so I'm going to go in that same folder. Windows is fundamentally broken here. Right. Windows should only pull DLLs from a certain location like C:\Windows\System32 or SysWOW64, which is 32-bit,
which doesn't make any sense. Why does a 64 folder hold 32-bit products? I didn't write this stuff. It should only pull it from there. But if you actually take a copy of, say, MS Paint and you put it in C:\Users\some folder name, and you look at what files, what modules, what DLLs it needs, when you throw a bad popular DLL in there, even though there's a good copy in System32, Windows will load that one first before it will call the other one.
Yeah, so.
Yes. It's the same, like, sort of software you'd use if you bought the tool for long term. Yep. Regression tool. Yep. Exact same tool. Yeah. All these actually came from the vendor or some download that they got or some machine they harvested them from. They are all completely valid. It is what they do in the folder afterwards. In this case, here's one.
Look at AutoIt. AutoIt is an installer. It too will come up clean except for one or two reviews, because it's going to say, hey, that's an installer. But you should ask yourself, what's AutoIt doing on a workstation? You know, and look at all the files they added in this case. So this is probably one of those cases where they added a bunch of these files because as it reboots, they may use a different file each time to try to make detection harder.
But yeah. Which one of these are bad? None of them. All those files are good. They're really trying to confuse us as analysts. So you have to say, okay, what's going on here? So there's AutoIt3, there's seven below, there's Adobe, etc. Right. So this was kind of interesting. But the AutoIt files are the ones that are actually bad.
Which are these guys right here. These are actually AutoIt payloads that are encrypted. So if you scan those in VirusTotal, they're encrypted installer payloads. They don't know anything about these things or what's in them. You have to actually run AutoIt to start the decryption process of the AutoIt scripts to then extract the DLL.
So their infection mechanism is: drop this on disk. None of this will be positive in VirusTotal. Start AutoIt, call these files, and then by doing that they can infect the machine. So a rather interesting scenario. But again, if I saw this show up on a workstation, because it's in C:\Users under some user, that's going to make me say, what the hell, we don't allow installers randomly in our environment.
So this could be... this should be bad. Right. And these, with the payloads that come out of this, by the way, are injected into memory like I talked about. And so again, if you look at these, there's a jsc directory on this here and .NET Framework. So another version of this thing is using the JavaScript compiler to compile JavaScript.
So they're doing more LOLBins. Right. Stuff that's normally on the box. But do these things normally execute in your environment? You're going to find most of the time the answer's no. So therefore if I'm doing hunting or I'm doing detections of executions in C:\Users, you'll see these oddball executions and these are the ones you should follow up on.
And also, if all your users are administrators, you're going to have all kinds of weird stuff that users are going to install. But if you have a general user environment, this is all stuff that you're most concerned about, right? So in conclusion, hey, I can't spell with this crap. You know, I'm still scratching my head about this.
How is it misspelling all these things when I tell it exactly what I want? Yeah. No, it's like I'm telling you, but... Yeah, I set up a set of read underwater.
Hopefully.
The set up RAT is a newer malware. It uses signed, valid launchers. Right. These are the same programs you get directly from the vendor. AV sees the launchers, right: I'm going to check what you're launching. Okay. You're calling this other stuff? You're good. Multiple PowerShell scripts to initiate those payloads, base64, etc. So, you know, again, we talked about how to detect those.
They use signed .NET tools, living off the land, to further execute and create things on the fly with .NET. And they're even using installer files like the AutoIt stuff, and then the compiled AutoIt folders. I mean, to me it just looks like a zip file because that's what it is. It's just an AutoIt
format, which is actually kind of a packed file, for whatever reason; it's a packing mechanism for AutoIt files. It will sideload malicious DLLs in the same folder as those launchers under the C:\Users folder. So again, all under C:\Users, because all of this can be detected. Memory injections are being used more often.
So if you're not starting to implement in your triage process, your investigation process, to either do a memory dump and use Volatility, extract files and File-MD them, or use LOG-MD to see if there's any signs or pieces, any signs of hollowing, injections or sideloading or whatnot, you really need to start doing that when you're doing investigations, because it's being used more and more.
I've looked at several campaigns of malware where literally, you know, as I detonate it, I can see it happening in the logs, but I go look on disk for the stuff. It's not there. The only place it exists is in memory, and whether or not it writes down to disk and run keys on shutdown and deletes on startup is an option for them.
Sometimes it doesn't. Sometimes I reboot the box, some hours gone, it's reinfected. Do it again. I shut it down. The malware is gone. So it's literally only in memory, which is where Volatility and memory dumps become crucial to this. So this is something you really should hone your skills on and start playing with, because this is where they're going to get around, especially with the EDR Freeze type tool.
Malicious browser plugins are being used. So I did notice that it did add a fake Google Docs into my Google browser. Of course, Google said no, I don't think so. I don't know about you, but, you know, a lot of users, that might be okay, and Edge and Firefox, who knows what they can get around.
Same ol' user directory structure being used for file storage, because they know they can write there. So that's really critical, right? C:\Users is where you spend most of your time, and I do malware discovery classes. One of my tricks I give students is I show a malware infection start, and a couple students every time will say, I spent hours.
I just can't find where the malware is. Did you consider it actually didn't launch, or crashed out, or found something it didn't like, or ran the lesser version? Did you look for that condition? Not all malware will work, believe it or not. Same ol' folder in this case. You know, the autostart was a Startup folder. That's just dumb.
Anybody care to guess just how many autostart locations in Windows there are?
Hundreds to a thousand.
There's easily 10,000 start locations, using these old startup location folders and run keys. And just like, try harder, there are thousands of them. I am not kidding you. There's actually a blog that Adam does, "Beyond good ol' Run key". He tests all kinds of ways to launch stuff. It's mind blowing, and when he finds one, it's like every generation of that in the registry.
I don't know his last name. And what's the name of the blog? It's an autorun... Just look for autorun malware blog and you'll find it.
Some files move on reboots or are renamed. Right. They'll move them from where they initially placed them in the root of their folders, or create some folders and rename them. So that way, what you might have seen in the beginning, after the reboot, because the user will infect the machine, you get around to it and they will have rebooted, or you'll say, would you please turn the machine back on so I can investigate it?
Now what you saw, you're looking for something totally different. So that's a common thing I see too. And again, still in the C:\Users and ProgramData folders, which is user space, is where you'll see the bulk of the disk-based stuff occurring, and the same ol' autorun locations. So resources is where you can find our stuff.
MITRE ATT&CK is your best friend. I highly recommend, if you want to do threat hunting and/or look to see what your tool coverage is, use MITRE ATT&CK to kind of map what you can and can't see. You can just use yellow, orange, red, blue, green, gray, whatever you want, to try to map what your quality of protection may be.
SIEM is your number one tool. If you ask me what the top three tools are: SIEM, EDR, Sysmon. The, you know, AV has its purpose. Windows Defender for free. Turn it on. It's free. It's on every box. I can tell you investigations I had where the EDR was broken or locked or something else, but buried in the Defender log is a stupid detection for the malware.
It's like, come on, it's free. Turn it on. It works with your EDRs. The only problem you'll have is that you're both detecting. I have investigated this where two events happened on two machines. One gets caught by, say, CrowdStrike, one gets caught by Defender. So that's kind of a pain, but especially if you don't centralize the data. But for the most part, just Windows Defender logs, right?
Locally, it's something we harvest with LOG-MD, and so it's a real easy log to go look for. It's a real easy log to load into a SIEM. Because if you just look for detections 26 and seven, I think they are, then your fidelity is really high, because the only time you get to see those IDs is if something's offensive. But again, it's pretty easy to shut down or digest.
Lateral movement. This is probably one of the best documents I've ever read on lateral movement. Why is this so important? Because it's what the bad guys do before they ever inspect your boxes: they move around. They do recon to get the transfer. JPCERT/CC did a phenomenal job on testing myriads of ways to laterally move within your environment, what they use, etc., and all the event IDs and things to look for. Phenomenal document, because this is the prior-to-infection kind of behavior.
You'll see when an actor or a pentester is actually on there, and you'll get these slides there when you want them. Here's all the website reports that I referenced in the talk. You can find us there. Hallway con, of course. Please, approach me. I'm approachable. We'll talk. And, you know... Oh.
Managing malware. So I've got some extra slides here. I'm going to cover these in the presentation, but take a look at it. We manage vulnerabilities. We manage patches. Why don't we manage malware? What I mean by that is reading reports of malware, not reversing reports. Because again, what comes out of reversing reports very rarely can be applied to any security tool.
You have to go look for something like a SIEM query or any of your tools or whatever, but why not look at these things and say, why can't we manage malware in a way that we read, like, threat reports and reports coming out from researchers who tell you that, hey, it's using this new technique, it's doing this new thing, and you read that and say, maybe we should go look for that in our environment.
If we don't see this in our environment, we know they're not capitalizing on this, like hollowing using pieces or a LOLBin or whatever. So why not manage malware? So there's some slides that talk about that. And the three Cs: configuration, coverage, completeness, which is, I say, not always a problem where you don't configure your boxes correctly.
Routers correctly, your agents correctly. I had an environment once where the client told me: only investigate the ones with CrowdStrike alerts. I go investigate a bunch of boxes. I find they talk to these other boxes. I went to those boxes, found them, some of the stuff right on them. I said, you've got to expand to these 20 boxes.
We expanded to those 20 boxes. He says, okay, I don't want you to look for anything else for the media, everything. And I go look at the network logs and I see all this traffic coming out of a handful of boxes. I'm like, oh no, we've got to go look at this. Well, we have that turned on in CrowdStrike, right?
That's not so. We turned it on and whacked it that way. So configuration is not just the agents you put on your boxes, logs and whatnot. It's the agents and what you do with them, and then coverage: are you sure you've got it everywhere? Is there a process to do that? So I talk about that because it's an important thing of why we have these failures in environments.
So that's it. Any questions? I've got some summarizing sort of this.
So, PowerShell downgrade attacks. Basically, instead of using PowerShell 5 or 6, I'm actually calling an older version, the System.whatever PowerShell thing. And I'm doing that... You will see the DLLs in Windows don't get registered anywhere, right? This is something that you don't see. If I call a user in that DLL, that doesn't show up anywhere; it does in Sysmon.
So if you use something like Sysmon, you can see all the module loads, event 7. It is something I do look for, especially false ones, which means they aren't signed. So that's something I collect into my SIEM. I use LogScale at home for all my stuff, and so I do use that in order to do those kinds of module calls.
You're going to need to use something like Sysmon or a tool that can see module loading. The other is, if they call it on the command line or in the PowerShell line, then you'll see it being called. So you'll see that in a 4104, 4103 or 4100 there. And you'll see it in 4688 if you're recording those logs, if they call it on the command line. But if they're just secretly calling it below that, they're going to call that below.
DLLs are tough to see in Windows, so you need something like Sysmon or EDR. I wish Windows would have that log. Seriously, because I think they could really catch some stuff, because they could apply their logic: well, is this good or is this bad? Was it loaded correctly, you know? Yeah. No, this has been deprecated. You shouldn't, you know, it's there because we have backward compatibility.
But yeah. Good question. Anybody else got a question? Always, hon. Yep. Thank you. Okay, I'm going to try to phrase this another way, not like a complaint. We do what you're talking about quite a bit. We get one of our customers to have that probably every two months. We get one of these, you're not having... Well, the problem is, it's usually early in the morning, middle of the night.
And right when they notice something happens. So we basically hop on a remote bridge and start taking a look at the logs. Right. And I'm probably the world's worst admin because I've never gotten PowerShell to work enough to pull all of those event codes that I know that I need to go look for, a script someone already wrote.
I can go just for those logs so I can have it in an Excel format, so I can look at the times and say, okay, these are associated with this. I'm going to give you two of these. So, log harvesting in Windows is incredibly awful. You have two options: PowerShell, like you referred to, or wevtutil, and you try to craft a command line and everything.
It's also absolutely horrendously bad for it. Utils, another one, horrendously bad for it. You can actually go into the PowerShell logs, or PowerShell, go to the XML portion, see the actual command line to whatever Windows recorded, and pipe that and use that in wevtutil to get a good report out of Windows itself without a tool. For logs, it's also... or use Event Viewer.
That's actually why we created LOG-MD, because there wasn't a tool that easily went out and grabbed it. There are a couple other utilities out there that grab the event logs. There's actually a PowerShell one I don't care for. And we only collect the logs we think are the important ones, because we want to get the volume down, right?
So we don't collect everything. I do have a PowerShell script that collects the logs, the general mess of everything that we don't collect with LOG-MD, in my lab, just because of, you know, Windows adds stuff, a recent patch. Awesome. There's a new log, you know, or that app created a log, right? But in Windows itself, getting logs off the box, or trying to in a readable format, or searching for things like some of the output you saw, forget it.
It's just a pain. Yeah. So you need a utility, a command line utility, or feed the logs to a SIEM, basically. Right. LogScale or Splunk or ELK or whatever SIEM you want, Graylog, whatever you want to go through. I like LogScale. If you want a solution, look at CrowdStrike. Humio, it used to be called, you know, I had a sticker in here.
But, you know, it's tough. There's no user base. That's actually all the reasons, because I used to painfully go through Windows logs and find this kind of data. And my gosh, I just had utilities like harvest log data and put it in a nice spreadsheet form, CSV. I could send that to someone once I've crossed whatever I'm looking for, you know, and then look for the same thing across 20 machines because, you know, you can import CSV. For the same reason, I have all my logging stuff that runs and it goes to a SIEM.
I also have the Beats agents on my boxes, so I don't need to send that log and stuff. I always send the LOG-MD output to see something I want. The benefits of Beats agents were Winlogbeat. And those Beats configs are on my website, as is a Sysmon config, on Malware Archaeology. Yeah. Using utilities.
Here's a clip I'm looking at. NirSoft has a lot of good utilities, Sysinternals, obviously, EZ Tools from Eric Zimmerman, you know, LOG-MD, my work. LG has some resources for that. I have some cheat sheets, references for other people's cheat sheets on there. But really good question, because it's a pain. You ask about some utility or some... any other questions?
We have this stream of, like, for a private person... Yes. How are they able to tell that they were malicious? So, funny enough story. A friend of ours called Fred wrote a tool called Benign. Benign has morphed into a tool called File-MD, to match LOG-MD. I didn't write that. I am helping him try to get it into usable space.
And so basically think of it as a quick reversing kind of thing. A file, when you look at how it's crafted, can indicate malicious things. For example, if the beginning headers are normal, I may put a big chunk of packed payload in there. So if I kind of look at it, it looks pretty benign. The fact that it's packed flags something.
So these various things, no metadata, etc., can be looked at and say, yeah, these aren't normal. And so you can then bump that from low or good, to medium suspicious, or to high and malicious. And so that's where that came from, is the Benign capability in File-MD. So I can take File-MD, for example: go to File-MD -c if I want to see the output in the console,
-l 5, which is five levels deep. That takes you to AppData\Local\Temp. And the sig checks option, so I get the signature checks, meaning is it signed and is it valid or not. And then -o, whatever output I want to do, and C:\Users.
It will scan every file, every binary, Word doc, PDF in that folder and give me a rating of good, suspicious or malicious. And so it's a tool... profoundly, it's not released yet. But so then when the launcher is trying to find the DLL and is run, what is it looking at? Just at the... I looked at the crafting of the DLL.
So I go to that location where that DLL lives. I can read that, you know, look at the headers, look at packing, look at various indicators within how the file's crafted, and determine whether that's good, bad, or malicious. It's not... It's sort of like AV does it in memory. This is looking at the disk file directly. But the launcher, what is it looking at?
One is trying to run the DLLs... oh, the launcher. So when you go to programs, you need all these capabilities, doing user stuff, web traffic, etc. So in your compiling you'll say I need these modules to be loaded, right? You can just have the name, partial match, full match. Yes, it doesn't matter. Windows is broken here.
So you can literally say C:\Windows\System32\whatever.dll. But if you put that whatever.dll, a bad version of it, in a folder above System32, it will load that one first. Before it... it just ignores the path. It says, oh, you need whatever.dll. I'm going to load that for you because it's right here.
It's fundamental for Windows. They actually tried fixing it in Windows 7 Service Pack 2, and they broke so much stuff in the background when they basically forced everybody: nope, you have to use running from here. But so many developers wrote such poor code, they were dumping their DLLs in places they shouldn't have, and so they couldn't actually enforce it.
So Windows is fundamentally broken here. You can't solve it. It's a hierarchy. So it's a sideload hierarchy problem with Windows. That's a bummer. But again, I can take MSPaint. That is, by the way, one of the things we look for in LOG-MD: we look for binaries that are normally in Windows that have been moved outside of System32 or System32\drivers. We record that, but there is no padding. MSPaint, people are using it.
So take a copy of MSPaint. They know which DLLs MSPaint loads. And then we'll put it in a folder where the [garbled] are worse. Bright XP research projects. Every time it rebooted, it would pull a different binary out of Windows. On shutdown it would get rid of MSPaint, the really bad DLL.
It would go to the System32 directory, pick Notepad the next time or whatever, and then they would rename the... they'll drop it in that location on shutdown. And so the files completely change names and the loader will change. And yeah, just because Windows is totally broken here. All right. So we look for that and say, hey, you know, you're launching a Windows binary outside of the normal places.
That's called an interesting artifact. Say, hey, let's throw the catch. All right. Come on, I have one more question. So you are getting better at detecting and also blocking PowerShell. Do you still feel like there is a big gap between what Windows logging can do for PowerShell, versus EDRs? EDR, unfortunately, what it's going to look at is what's executing in PowerShell and what it thinks is malicious. EDR has a simple concept.
I'm going to look at what executes and what child it's calling or what code it's calling. Right. So if I see C:\Windows jsc and a JScript, whatever, on a command line, you know, EDR's going to say, hey, wait a minute. This combination of things is bad. It also says, okay, I'm calling Notepad, but suddenly I'm calling this weird DLL in a different folder.
It's going to see this parent-child thing. EDR gets that. PowerShell, same thing. It sees PowerShell calling various things, but if it sees a web client call in PowerShell, it's saying, hey, you're talking to the internet. That's probably not good. You're going to get an EDR alert. Unfortunately, that's how it looks at it. And that's where it ends.
It's going to detect base64, depending on the EDR. I looked at 16 EDRs. Most of them all failed terribly on PowerShell. This was, good, 6 or 8 years ago now. So, you know, obviously some stuff changed, some products are gone, some products were bought. But the PowerShell logging itself, if you want to see what it's doing and read what it's doing, the logs are the best place to see that. Defender does a terrible job, which is funny because Windows Defender on the cloud...
This is the SIEM part of it, right? Sentinel. Sorry, Windows Sentinel, that collects the Windows logs into Sentinel, does not parse PowerShell logs like you would think they would. There's literally one line this way when actually the PowerShell blob goes this way. And so you can't write a simple rule to look. It's awful in Sentinel how they do PowerShell.
So it's good for a lot of other stuff; for PowerShell, awful. And you can't regex enough to try to find what you're looking for. I did a MapReduce threat and we did the same. And it was just better opening a case with Microsoft saying, how do we write something as simple as looking for a base64 module?
Oh, use ASR for that. Like, no, your stuff's broken. And so I don't want to rely on your stuff detecting it. I want to write my own detection rule. Probably one of the worst things for PowerShell I've ever used. The rest of them usually just read the blobs, and then you can look for whatever you want to look for.
And there's a Palo Alto Unit 42 article that's fantastic for the top misused PowerShell command lines. And also on obfuscation: let's say you want to do a command like -nop, "no profile", right? Literally spelled "no" space "profile". Well, I can put tick o, tick, space, tick p. Right. So you can obfuscate it so the spelling of "no profile" gets broken up.
That's what's called obfuscation. Daniel Bohannon did a great talk about that. I helped him with some detection. Turns out he just checks the log, and he does that as well. You can write some rules for that as well. I have a LogScale... And that's... cheat sheet. One of the cheat sheets is a LogScale and Splunk automatic.
Those detections are in there. But the counting of this stuff: they can break it up a million ways for Sunday. Right. So you can read that in the log, and submit to the SIEM, write a query that says look for this condition, of how many ticks, how many special characters are being used. Because, you know, Bohannon will break it up in such a way that it runs these letters this way to spell whatever they want, as opposed to putting ticks this way.
But yeah, it's a tough one. So thank you. Good question. I made it so. All right. Done. Thank you, Michael.
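As an added, constructed example (not code from the talk, LOG-MD or File-MD), here is a small Python hunt over Sysmon Event ID 7 style records that flags the conditions described above: a Windows-native binary running from outside System32/SysWOW64, a DLL with a System32 name resolved from a user-writable folder beside the launcher, and unsigned modules under C:\Users or C:\ProgramData. The baseline name sets and the sample events are hand-built placeholders, not a real clean-system baseline.

```python
"""Hunt for DLL side-loading indicators in Sysmon Event ID 7 (Image loaded) records.

Added example, not code from the talk or from LOG-MD/File-MD. The baseline sets
and the event records below are constructed for illustration; a real hunt would
build the baseline from a known-good host and read events from the SIEM."""
import ntpath
from dataclasses import dataclass

# Constructed baseline: binaries and DLLs that live in System32 on a clean build.
SYSTEM32_EXES = {"mspaint.exe", "notepad.exe", "msbuild.exe"}
SYSTEM32_DLLS = {"version.dll", "userenv.dll", "dwmapi.dll", "wininet.dll"}

# Directories Windows binaries and their DLLs are expected to run from.
TRUSTED_DIRS = (
    r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\windows\microsoft.net", r"c:\program files",
)
# User-writable locations the talk keeps coming back to.
USER_SPACE = (r"c:\users", r"c:\programdata")


def _under(path: str, prefixes) -> bool:
    """Case-insensitive prefix test against a tuple of directory prefixes."""
    p = path.lower()
    return any(p.startswith(x) for x in prefixes)


@dataclass
class ImageLoad:            # the Sysmon Event ID 7 fields this hunt uses
    image: str              # process that performed the load
    image_loaded: str       # DLL that was mapped into it
    signed: bool            # Sysmon "Signed" field
    signature: str = ""     # Sysmon "SignatureStatus" (optional here)


def hunt_sideload(events):
    """Return one finding per suspicious event with the reasons it was flagged."""
    findings = []
    for ev in events:
        reasons = []
        exe = ntpath.basename(ev.image).lower()
        dll = ntpath.basename(ev.image_loaded).lower()
        exe_dir = ntpath.dirname(ev.image).lower()
        dll_dir = ntpath.dirname(ev.image_loaded).lower()
        # 1. A Windows-native binary running from outside its normal home.
        if exe in SYSTEM32_EXES and not _under(ev.image, TRUSTED_DIRS):
            reasons.append("windows binary relocated outside System32/SysWOW64")
        # 2. A System32-named DLL resolved from a non-system path: the search-order
        #    behaviour the talk describes, strongest when it sits beside the launcher.
        if dll in SYSTEM32_DLLS and not _under(ev.image_loaded, TRUSTED_DIRS):
            reasons.append("System32-named DLL loaded from non-system path")
            if dll_dir == exe_dir:
                reasons.append("DLL sits beside the launcher (classic side-load)")
        # 3. Unsigned module loaded from user space is worth a look on its own.
        if not ev.signed and _under(ev.image_loaded, USER_SPACE):
            reasons.append("unsigned DLL in user space")
        if reasons:
            findings.append({"image": ev.image, "dll": ev.image_loaded, "reasons": reasons})
    return findings


# Constructed sample events (placeholder paths, not real telemetry).
SAMPLE_EVENTS = [
    # Clean: Notepad from System32 loading a real System32 DLL.
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\version.dll", True, "Valid"),
    # Suspicious: MSPaint copied to a user temp folder, pulling version.dll from that same folder.
    ImageLoad(r"C:\Users\bob\AppData\Local\Temp\mspaint.exe",
              r"C:\Users\bob\AppData\Local\Temp\version.dll", False, "Unavailable"),
    # Suspicious: a signed vendor launcher in ProgramData loading an unsigned System32-named DLL beside it.
    ImageLoad(r"C:\ProgramData\Updater\launcher.exe", r"C:\ProgramData\Updater\userenv.dll", False),
    # Legitimate third-party app loading its own signed, non-System32-named DLL.
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\vendorcore.dll", True, "Valid"),
]

if __name__ == "__main__":
    for f in hunt_sideload(SAMPLE_EVENTS):
        print(f["image"], "->", f["dll"])
        for r in f["reasons"]:
            print("   ", r)
```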