Ask a Malware Archaeologist


  • Ask a Malware Archaeologist, Blue Team Ninja and Logoholic how we do it better than IR firms

    Michael Gough, Founder

  • Who am I

    Blue Team Defender Ninja, Malware Archaeologist, Logoholic

    I love logs; they tell us Who, What, Where, When and hopefully How

    Creator of the Windows Logging Cheat Sheet

    Creator of the Malware Management Framework

    @HackerHurricane also my Blog

  • Goal

    Interaction: don't be a Ding Dong and NOT ask a question, you WILL be rewarded

    Learn how us Ninjas do it so you can too

    We gave an infected VM to one of the Big IR Firms. They came back: "Yup.. It's clean" #Fail

  • We discovered this in May 2012 and met with the Feds ;-)

    Why listen to me?

  • Last year

    They updated their approach

    MUCH more complex

    This is NOT your typical P0wnage

    This really was sophisticated malware

    Boy did we catch them in the act

    I am sharing so you can learn how!

  • Step 1

    READ !!!!

  • Read the malware reports

    Read (daily/weekly/monthly) reviews of virus descriptions, malware analyses and Advanced Persistent Threat (APT) reports for malware bits that you can look for or monitor in your environment

    Watch for reviews and write ups of various published malware

    Read Malware Archaeology for a list of reports

  • BackOff Great Reporting Example

    US-CERT Alert (TA14-212A)

  • BlackPoS

  • Works for Linux too - Mayhem

    Jedi Tip

    Compare /proc to the items running according to ps

    Things in /proc not showing in ps output are suspicious
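A script for the /proc-versus-ps check above, added here as an example and not part of the original talk. It assumes a Linux host with ps on the PATH; parse_ps_output() and hidden_pids() are pure functions so they can be tested offline, and check_live() re-samples so a process that simply exited between the two snapshots is not mistaken for a hidden one.

```python
import os
import subprocess


def proc_pids():
    """PIDs the kernel exposes as numeric directories under /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def parse_ps_output(text):
    """Turn 'ps -e -o pid=' output (one PID per line) into a set of ints."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def ps_pids():
    """PIDs as reported by ps, i.e. what a userland tool is willing to show."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps_output(out)


def hidden_pids(in_proc, in_ps):
    """PIDs present in /proc but absent from ps output.

    A hit is only a candidate: a process that exited between the two
    snapshots also lands here, so check_live() re-samples before reporting.
    """
    return sorted(in_proc - in_ps)


def process_name(pid):
    """Best-effort name from /proc/<pid>/comm; '<gone>' if it already exited."""
    try:
        with open(f"/proc/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "<gone>"


def check_live(passes=3):
    """Report a PID only if it is missing from ps in every pass."""
    hits = None
    for _ in range(passes):
        diff = set(hidden_pids(proc_pids(), ps_pids()))
        hits = diff if hits is None else hits & diff
    return {pid: process_name(pid) for pid in sorted(hits)}


if __name__ == "__main__":
    for pid, name in check_live().items():
        print(f"suspicious: pid {pid} ({name}) is in /proc but not in ps")
```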

  • Malware Management

    You will see patterns: %AppData%, %Temp%, \Windows, \Windows\System32, \Windows\System32\WBEM, Reg Keys, Domains, IPs, etc.

    Many other indicators. Build a Malware Matrix

    Tweak your tools or scripts, or pick 1 or 10 systems and do it manually!

  • Create a Matrix of Indicators

  • Step 2

    The Lab !!!!

  • Lab for Malware Research


    VM is secondary; malware looks for you analyzing it

    2 SSDs, smaller is better

    1 is your Master Image

    dd your Master to the Lab drive

    Lather, rinse, repeat

    Not connected to Corp net

  • Lab for Malware Research

    Load up your Master with all your tools

    You harvest Malware and explode it here

    No.. Not in a Sandbox ;-/

    Ninja Tip: a batch loop that keeps grabbing whatever the malware drops

    :Gotchya
    copy *.* /y \Captured
    goto Gotchya

    Process Monitor running when you explode malware will show you what directories to capture files from (filter for WriteFile)

  • Step 3

    Log It !!!!

  • Why are logs important?

    Have you ever had an Incident and called a consultancy?

    What is one of the first, if not the first, things they do?

    It is referenced in every DBIR report


    Details of what happened, where, how and by whom

    Command Line logging is the BEST thing since computers were invented! The SINGLE most important takeaway of this talk !!

  • Yes, Logs ARE SEXY!

    SEXY because logs tell you what a particular malware did, or what the malwarian (aka Bad Actor) did, on your system(s)

    SEXY because they are the one way you can get the details you need to know what happened

    SEXY because this preso is going to show you how for Windows systems

    SEXY because if Target, Neiman Marcus, Michaels and Home Depot did this I wouldn't have a presentation

    NOT SEXY because most logs are not enabled or configured properly

    And because...

  • ...of the SEXY SIX

    Process Create 4688 (of course, enable CMD Line logging)

    File/Registry Auditing 4663

    Service Created 4075

    Service Changed 4070

    User Login Success 4624

    Share accessed 5140

    90% or more of malware triggers these Windows Event Logs

  • Step 4

    Get the Cheat Sheet !!!!

  • You need this Cheat Sheet

  • You could catch CryptoWall

  • You can catch Malwarians

  • Step 5

    Enable Command Line Logging !!!!

  • Get the Command Line!

    It's nice to know cmd.exe executed, but we REALLY want to see what was executed. It would be better if we could see what was executed with svchost.exe!

    Again, Windows SUCKS by default, even Windows 8.1 and 2012 R2. I do think this is the K3wlest NEW logging feature. Worth the upgrade!

    Now available for Win 7 and Server 2008 and later

    Set GPO (must have 2012 DC): Administrative Templates\System\Audit Process Creation, "Include command line in process creation events"

    Registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled, DWORD = 1

  • Catch them trying to share

  • Not just CMD.EXE but the hack details

  • Another example

  • Reg Keys hide Malware

    The Windows Registry is a database

    You can store all kinds of things

    Including MALWARE

    Focus on key sizes of 20k and up (NirSoft RegScanner)

    Focus on values containing MZ

    Encrypted, of course

  • Enable PowerShell command line logging

    It's nice to know PowerShell executed, but we REALLY want to see what was executed

    Again, Windows SUCKS by default, PowerShell v2

    Details on setting PowerShell Preference variables

    Create a Default Profile for all users: C:\Windows\System32\WindowsPowershell\v1.0\Profile.ps1

    Add these to your default profile.ps1 file:

    $LogCommandHealthEvent = $true
    $LogCommandLifecycleEvent = $true

    Splunk - inputs.conf:

    # Windows platform specific input processor
    [WinEventLog://Windows PowerShell]
    disabled = 0

    Upgrade to ver 3 or ver 4. See "Investigating PowerShell Attacks" (DefCon & Blackhat 2014)


  • PowerShell P0wnage on the rise

  • Change the language

  • Actual

    Sophisticated Malware

  • APT30

  • So what did we learn from these? You MUST enable Command Line logging. Monitor these commands:

    Cmd.exe - Command Shell
    Netstat.exe - Network Connections
    Cscript - Executes VB/C Script
    Pushd - Sets directory for Popd
    Popd - Changes directory back
    WMIC - Execute WMI commands
    Quser.exe - Queries the current user
    Reg.exe - Query and edit the registry
    SC.exe - Start and Stop Services
    Regini.exe - Add/Edit registry values
    Attrib.exe - Change file attributes
    Cacls.exe - Change file permissions
    Xcacls.exe - Change file permissions
    Takeown.exe - Take ownership of a file
    Auditpol.exe - Sets Auditing settings (GPO too)
    Netsh - Windows Firewall
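Added example (not from the talk) of running that command list over 4688 events once command line logging is on: the key=value sample events are constructed for illustration, WATCHED holds the tools from the slide, and a 4688 with an empty CommandLine is reported too, since that is the sign command line logging was never enabled on the host.

```python
import re

WATCHED = {  # tool name -> what it does, from the slide
    "cmd.exe": "Command Shell", "netstat.exe": "Network Connections",
    "cscript.exe": "Executes VB/C Script", "wmic.exe": "Execute WMI commands",
    "quser.exe": "Queries the current user", "reg.exe": "Query and edit the registry",
    "sc.exe": "Start and Stop Services", "regini.exe": "Add/Edit registry values",
    "attrib.exe": "Change file attributes", "cacls.exe": "Change file permissions",
    "xcacls.exe": "Change file permissions", "takeown.exe": "Take ownership of a file",
    "auditpol.exe": "Sets Auditing settings", "netsh.exe": "Windows Firewall",
}

# Constructed sample events in a simplified key=value layout, not real log output.
SAMPLE_EVENTS = """\
EventID=4688 NewProcessName=C:\\Windows\\System32\\svchost.exe CommandLine=svchost.exe -k netsvcs
EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c netsh advfirewall set allprofiles state off
EventID=4624 LogonType=3 TargetUserName=svc_backup
EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe CommandLine=
EventID=4688 NewProcessName=C:\\Windows\\System32\\reg.exe CommandLine=reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""
LINE_RE = re.compile(r"EventID=(\d+)\s+NewProcessName=(\S*)\s+CommandLine=(.*)")

def tokens(cmdline):
    """Executable-looking words: strip paths and quotes, lower-case, skip
    switches, and add .exe where it was omitted (netsh -> netsh.exe)."""
    out = []
    for tok in cmdline.replace('"', " ").split():
        name = tok.rsplit("\\", 1)[-1].lower()
        if name.startswith(("/", "-")):
            continue
        out.append(name if "." in name else name + ".exe")
    return out

def analyze(events_text):
    """(tool, description, command line) for each watched tool in a 4688 event;
    ('no-cmdline', process, '') flags a 4688 whose command line is empty."""
    findings = []
    for line in events_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "4688":
            continue  # other event IDs are not process creations
        proc, cmdline = m.group(2), m.group(3)
        if not cmdline.strip():
            findings.append(("no-cmdline", proc, ""))  # logging not enabled
            continue
        for name in tokens(cmdline):
            if name in WATCHED:
                findings.append((name, WATCHED[name], cmdline))
    return findings
```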

  • Log everything!

    If it is Internet facing, LOG IT! Hack yourself or use pen tests to improve your logs

    Catch them in the act! Purple Testing

    You should catch SQL Injection, Failed Reads, Failed Writes

    Bruting of Apps. Get the logs to see this behavior. #1 Software Development task

    Enable auditing for NEW files on Internet servers; you will be amazed how quiet this is

    Locally is a must; collect to Log Management if you can

  • In Summary

    Malware is noisy. We CAN detect it. Logs can hold all types of information

    It's NOT just for Forensics anymore

    All we have to do is: Enable the Logs, Configure the Logs, Gather the Logs, Harvest the Logs

    Look for the 6 SEXY Events and use the Windows Logging Cheat Sheet

  • Resources

    Our Website

    The Handout Windows Logging Cheat Sheet

    Malware Analysis links too

    Blog of Malware indicators

  • Questions?

    You can find us at: