Logging for Hackers
How Proper Logging Would Have
Caught PoS Breaches
Who am I – Michael Gough
» Blue Team Defender Ninja, Malware Archaeologist, Logoholic
» I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
Creator of
» Malware Management Framework
» Several Windows Logging Cheat Sheets
» Co-Creator of “Log-MD” – Log Malicious Discovery Tool
• With @Boettcherpwned – Brakeing Down Security PodCast
» @HackerHurricane and also my Blog
Malware Archaeology
» We discovered this in
May 2012
» Met with the Feds ;-)
Why should you listen to me?
MalwareArchaeology.com
2014 - We gave an infected VM to one of the Big
IR Firms… They came back “Yup.. It’s clean” #Fail
Malware evolves
» So must we
» Darwin says
• Evolve or die
» Well… Evolve or get breached anyway
» Getting breached means an RGE !!!
• Resume Generating Event
A quick look at
STATS
DBIR 2016
» Why we are here…
Time it takes hackers to compromise you
Time it takes hackers to steal your data
DBIR 2016
Hackers’ time to compromise is getting faster than our ability to discover them
DBIR 2016
• The dreaded 3rd party call and Law Enforcement notifications going up
• Fraud and Internal detection going down
Chasing Hashes
• Malware hashes are no longer similar
• Malware is morphing or created unique by design for each system OR on reboot
Symantec says…
SANS says…
Sophos Says…
» 70% of malware is unique to 1 company (APT)
» 80% of malware is unique to 10 or fewer (APT)
» That means…
» 20% of malware is what the AV industry focuses on, but it is what most of you and everyone in this room sees and gets by:
• Attachments in email
• URL in email
• Surfing the web
- Ads
- WordPress, Drupal, Joomla…
A quick look at
Advanced Malware
Artifacts
Winnti - Malware Infection
Malware Launch
Hiding malware
in the Registry
Modify Service
Escalate permissions: obviously NOT your admin
Check the Service used
Modify
Permissions
Push out malware using CMD Shell & CScript
Using the Registry for storage
Update Registry
Change Registry Permissions
Change permissions on files
Bad behavior becomes obvious
Doing Recon
Going after Terminal Services
Query Users
You can even capture their Credentials
Caught THEIR
Credentials!
Persistence
» Avoided leaving key files behind like they did before, well one anyway… the persistence piece
HKLM\Software\Clients
» putfile
» file
» read
4D5A = MZ in HEX
Key Size = 256k
Persistence
» Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe)
» Altered system management binaries
• McAfeeFrameworkService
• BESClientHelper
• Attempted a few others, some failed
Persistence
» BAM! Got ya – PROCMon on bootup
A quick look at
Commodity Malware
Artifacts
Angler delivered Kovter
» Unique way to hide the persistence
» Inserted a null byte in the name of the Run key so that RegEdit and Reg Query fail to read and display the value
» And a LARGE Reg Key (anything over 20k is large)
Dridex Artifacts
Dridex Persistence
» New method towards the end of 2015: nothing in the Registry showing persistence while the system was running
» In memory only until system shutdown
• On shutdown the Run key was created
» On startup the malware loads and the Run key is deleted
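To show what the registry hunts in these slides look like as code (Winnti’s payload stored as a 256k value starting with the MZ header, Kovter’s null byte in a Run value name plus an oversized key, and Dridex’s Run key that only exists between shutdown and the next startup), here is an added example that is not from the slides or from LOG-MD. Snapshots are modelled as nested dicts of key path to value name to raw bytes and are constructed inline with made-up value names and data; exporting real hives into that shape is assumed to be handled by a separate tool.

```python
"""Registry artifact hunt over two constructed snapshots (added example).
Shape of a snapshot: {key_path: {value_name: data_bytes}}."""

LARGE_BYTES = 20 * 1024   # slide: anything over 20k is large
MZ = b"MZ"                # 4D 5A in hex, the PE header magic
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshot of a running system (not a real export).
RUNNING = {
    r"HKLM\Software\Clients": {
        # 256 KB blob beginning with MZ: an executable hidden in the registry
        "putfile": MZ + b"\x90" * (256 * 1024 - 2),
        "file": b"C:\\Windows\\Temp\\stage.dat",
        "read": b"\x01",
    },
    RUN_KEY: {
        "OneDrive": b"C:\\Users\\Bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
        # a leading null byte keeps RegEdit / reg query from showing this name
        "\x00upd": b"[constructed launcher string]",
    },
}

# Constructed snapshot taken at shutdown: the Run value only appears now.
SHUTDOWN = {key: dict(values) for key, values in RUNNING.items()}
SHUTDOWN[RUN_KEY]["vcwixk"] = b"C:\\Users\\Bob\\AppData\\Roaming\\vcwixk.exe"


def find_large_values(snapshot, limit=LARGE_BYTES):
    """Values whose data exceeds the size limit: candidate hidden payloads."""
    return [(key, name, len(data)) for key, values in snapshot.items()
            for name, data in values.items() if len(data) > limit]


def find_mz_payloads(snapshot):
    """Values whose data starts with the PE magic (4D 5A)."""
    return [(key, name) for key, values in snapshot.items()
            for name, data in values.items() if data[:2] == MZ]


def find_null_byte_names(snapshot):
    """Value names containing a null byte (the Kovter trick)."""
    return [(key, name) for key, values in snapshot.items()
            for name in values if "\x00" in name]


def diff_snapshots(before, after):
    """Registry compare: values added, removed or changed between snapshots."""
    result = {"added": [], "removed": [], "changed": []}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                result["added"].append((key, name))
            elif name not in new:
                result["removed"].append((key, name))
            elif old[name] != new[name]:
                result["changed"].append((key, name))
    return result


def hunt(snapshot, previous=None):
    """Run every check; include a compare when an earlier snapshot is given."""
    report = {
        "large": find_large_values(snapshot),
        "mz": find_mz_payloads(snapshot),
        "null_names": find_null_byte_names(snapshot),
    }
    if previous is not None:
        report["diff"] = diff_snapshots(previous, snapshot)
    return report


if __name__ == "__main__":
    import pprint
    pprint.pprint(hunt(SHUTDOWN, previous=RUNNING))
```

The compare is the piece that catches the Dridex pattern: neither snapshot looks alarming by itself, but a Run value that is present at shutdown and absent while the system runs only shows up when two snapshots are diffed.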
Dridex is Baaack
» 2016 variant
How to Detect
Malicious Behavior
Take Away
#1
Where to start
» What am I supposed to set?
“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Malware Management Framework”
» Find them all here:
• MalwareArchaeology.com
PowerShell
» It’s coming… in a BIG way - It’s already here
» Ben Ten uses it (Not PowerShell)
» Carlos uses it (MetaSploit)
» Dave uses it (SET)
» Kevin too (Pen Tester)
» Dridex uses it
» RansomWare uses it
» And logging SUCKS for it
Take Away
#2
So what do we do about PowerShell?
» The “Windows PowerShell Logging Cheat Sheet”
» Designed to catch the folks I just mentioned, and others ;-)
» Get it at:
• MalwareArchaeology.com
Take Away
#3
How to catch this stuff
Enable Command Line Logging !!!!
» At the time of Winnti 2014 ONLY Win 8.1 and Win 2012 R2 had command line logging
» Which we had, then we saw this in our alerts of suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib)
SIX Commands
» Scripts too
And this query - Splunk
» index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$)
  (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR
   cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR
   nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR
   netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR
   psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR
   qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR
   rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR
   sysprep.exe OR systeminfo.exe OR system32\net.exe OR tasklist.exe OR
   tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR
   "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe)
  | eval Message=split(Message,".")
  | eval Short_Message=mvindex(Message,0)
  | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line,
    New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
  | stats count > 2
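The same alert as the Splunk query above, written out in Python as an added example (not code from the slides or from LOG-MD) over a few constructed Event ID 4688 records, so the matching logic can be read and tested without a SIEM. Field names follow the query; the tool list is the query’s own, deduplicated; the trailing count threshold is interpreted here as more than two hits per host, which is an assumption about the slide’s intent.

```python
"""Suspicious-command alert over Event ID 4688 records (added example)."""
import re
from collections import Counter

# Tool names from the Splunk query (duplicates removed, lower-cased).
SUSPICIOUS = {
    "arp.exe", "at.exe", "bcdedit.exe", "bcp.exe", "chcp.exe", "cmd.exe",
    "cscript.exe", "csvde", "dsquery.exe", "ipconfig.exe", "mimikatz.exe",
    "nbtstat.exe", "nc.exe", "netcat.exe", "netstat.exe", "nmap", "nslookup.exe",
    "netsh", "osql.exe", "ping.exe", "powershell.exe", "powercat.ps1",
    "psexec.exe", "psexecsvc.exe", "psloggedon.exe", "procdump.exe",
    "qprocess.exe", "query.exe", "rar.exe", "reg.exe", "route.exe", "runas.exe",
    "rundll32", "schtasks.exe", "sethc.exe", "sqlcmd.exe", "sc.exe", "ssh.exe",
    "sysprep.exe", "systeminfo.exe", "net.exe", "tasklist.exe", "tracert.exe",
    "vssadmin.exe", "whoami.exe", "winrar.exe", "wscript.exe", "wmic.exe",
    "wsmprovhost.exe", "wusa.exe",
}
# "winrm.*" / "winrs.*" are wildcard terms in the query: match by prefix.
SUSPICIOUS_PREFIXES = ("winrm.", "winrs.")

MSG = "A new process has been created. Subject: see fields"   # constructed Message text

# Constructed 4688 records (not real log data). POS-01 shows the pattern the
# deck describes: a throwaway admin account running shell and admin tools.
EVENTS = [
    {"host": "POS-01", "LogName": "Security", "EventCode": 4688, "Account_Name": "tmpadmin",
     "New_Process_Name": r"C:\Windows\System32\cmd.exe",
     "Process_Command_Line": r"cmd.exe /c cacls C:\Windows\System32\drivers\example.sys", "Message": MSG},
    {"host": "POS-01", "LogName": "Security", "EventCode": 4688, "Account_Name": "tmpadmin",
     "New_Process_Name": r"C:\Windows\System32\cscript.exe",
     "Process_Command_Line": r"cscript.exe //nologo C:\Windows\Temp\update.vbs", "Message": MSG},
    {"host": "POS-01", "LogName": "Security", "EventCode": 4688, "Account_Name": "tmpadmin",
     "New_Process_Name": r"C:\Windows\System32\net.exe",
     "Process_Command_Line": "net  user", "Message": MSG},
    {"host": "POS-01", "LogName": "Security", "EventCode": 4688, "Account_Name": "tmpadmin",
     "New_Process_Name": r"C:\Windows\System32\reg.exe",
     "Process_Command_Line": r"reg.exe query HKLM\Software\Clients", "Message": MSG},
    {"host": "WS-07", "LogName": "Security", "EventCode": 4688, "Account_Name": "WS-07$",
     "New_Process_Name": r"C:\Windows\System32\ipconfig.exe",
     "Process_Command_Line": "ipconfig.exe /all", "Message": MSG},
    {"host": "WS-07", "LogName": "Security", "EventCode": 4688, "Account_Name": "alice",
     "New_Process_Name": r"C:\Windows\System32\ping.exe",
     "Process_Command_Line": "ping.exe 10.0.0.5", "Message": MSG},
    {"host": "HR-02", "LogName": "Security", "EventCode": 4688, "Account_Name": "bob",
     "New_Process_Name": r"C:\Windows\System32\notepad.exe",
     "Process_Command_Line": "notepad.exe notes.txt", "Message": MSG},
]


def _tokens(text):
    """Split a path or command line into Splunk-like search terms."""
    return [t for t in re.split(r'''[\s\\/"']+''', text.lower()) if t]


def is_suspicious(event):
    """Mirror the query's filters: Security 4688, human account, known tool name."""
    if event.get("LogName") != "Security" or event.get("EventCode") != 4688:
        return False
    if event.get("Account_Name", "").endswith("$"):   # NOT (Account_Name=*$)
        return False
    text = event.get("New_Process_Name", "") + " " + event.get("Process_Command_Line", "")
    for tok in _tokens(text):
        # bare terms such as "nmap" match "nmap.exe" in Splunk, hence the split
        if tok in SUSPICIOUS or tok.split(".")[0] in SUSPICIOUS:
            return True
        if tok.startswith(SUSPICIOUS_PREFIXES):
            return True
    return False


def short_message(message):
    """eval Short_Message=mvindex(split(Message,"."),0)"""
    return message.split(".")[0]


def alert_rows(events):
    """The table stage: one row per matching event."""
    return [{"host": e["host"], "Account_Name": e["Account_Name"],
             "New_Process_Name": e.get("New_Process_Name", ""),
             "Process_Command_Line": e.get("Process_Command_Line", ""),
             "Short_Message": short_message(e.get("Message", ""))}
            for e in events if is_suspicious(e)]


def hosts_over_threshold(events, threshold=2):
    """Hosts with more than `threshold` suspicious executions."""
    counts = Counter(row["host"] for row in alert_rows(events))
    return {host: n for host, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for row in alert_rows(EVENTS):
        print(row)
    print(hosts_over_threshold(EVENTS))
```

Note that the six commands named on the previous slide include takeown, pushd and attrib, which are not in this query’s tool list; a takeown.exe execution would pass through unmatched, which is worth checking against your own list before relying on it.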
So how do you do this?
» Malware Management allowed us to set up alerts on artifacts from other malware analysis
• MalwareManagementFramework.org
» Of course our own experience too
» Malware Discovery allowed us to find odd file hashes, command line details, registry locations
» Malware Analysis gave us the details
What we all need to look for
» Logs of course, properly configured - Events
• Command Line details
• Admin tools misused – executions
• New Services (retail PoS should know this)
• Drivers used (.sys)
» New Files dropped anywhere on disk – Hashes
• Infected management binary (hash changed)
» Delete on startup, write on shutdown – File & Reg Auditing
» Scripts hidden in the registry – Registry Compare
» Payload hidden in the registry – Large Reg Keys
» Malware Communication – IP and WhoIS info
» Expand PowerShell detection
» VirusTotal Lookups
So what did we
take away
from all of this?
You basically have 3 options
» Do nothing – Eventually leading to an RGE
» Log Management / SIEM
• Cost $$$ and storage
• But IS the best option, better than most security
solutions if you want my opinion
» What if I don’t have Log Management or SIEM?
It didn’t exist
So we created it!
So you can do it too!
Take Away
#4
» Log and Malicious Discovery tool
» When you run the tool, it tells you what auditing and settings to configure that it requires. LOG-MD won’t harvest anything until you configure the system!
» So it answers the “how to check” for the “what to set” I already told you about
Functions
» Audit Report of log settings compared to:
• The “Windows Logging Cheat Sheet”
• Center for Internet Security (CIS) Benchmarks
• Also USGCB and AU ACSC
» White lists to filter out the known good
• By IP Address
• By Process Command Line and/or Process Name
• By File and Registry locations (requires File and Registry auditing to be set)
» Full File System hash baseline and compare
» Full Registry baseline and compare
» Report.csv - data from logs specific to security
• 12 reports total
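Added example (not LOG-MD’s code) of the file hash baseline and compare listed above, together with a “master digest” whitelist of vetted hashes: it builds a constructed directory tree in a temporary folder, baselines it, tampers with it the way the deck describes (an altered management binary, a file dropped in a user profile, a deleted DLL) and reports the differences. Function names, file names and contents are this example’s own.

```python
"""File hash baseline / compare with a known-good whitelist (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in 1 MB chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Baseline: {relative/posix/path: sha256} for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current, master_digest=frozenset()):
    """Compare a suspect system's hashes against the baseline.

    Files whose hash is in master_digest (vetted known-good) are suppressed,
    which is what a whitelist of compare results does for you."""
    new = sorted(p for p in current
                 if p not in baseline and current[p] not in master_digest)
    deleted = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current
                     if p in baseline and current[p] != baseline[p]
                     and current[p] not in master_digest)
    return {"new": new, "changed": changed, "deleted": deleted}


def _write(root, rel, data):
    """Helper: write bytes to root/rel, creating parent folders."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed baseline, tamper with it, return the compare report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Program Files/Agent/AgentService.exe", b"original agent binary")
        _write(root, "Program Files/Agent/helper.dll", b"helper")
        _write(root, "Windows/System32/known-tool.exe", b"vendor tool")
        baseline = hash_tree(root)

        # Vetted hashes go in the master digest (constructed values).
        master = frozenset({
            hashlib.sha256(b"vendor tool").hexdigest(),
            hashlib.sha256(b"vetted update").hexdigest(),
        })

        # Tamper: infect the management binary (hash changes), drop a file in
        # the user profile, remove a DLL, and add an update that is whitelisted.
        _write(root, "Program Files/Agent/AgentService.exe", b"original agent binary + injected stub")
        _write(root, "Users/Bob/AppData/Roaming/vcwixk.exe", b"dropped payload")
        os.remove(os.path.join(root, "Program Files", "Agent", "helper.dll"))
        _write(root, "Windows/Temp/update.exe", b"vetted update")

        return compare(baseline, hash_tree(root), master)


if __name__ == "__main__":
    print(demo())
```

The whitelisted update never shows up in the report even though it is a new file, while the changed agent binary does: suppression is by hash, not by path, so an altered file keeps its name but loses its known-good status.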
Audit Settings Report
Purpose
» Malware Analysis Lab – Why we initially developed it
» Investigate a suspect system
» Audit the Windows - Advanced Audit Policy settings
» Help MOVE or PUSH security forward
» Give the IR folks what they need and the Feds too
» Take a full system (File and Reg) snapshot to compare to another system and report the differences
» Discover tricky malware artifacts (Large Keys, Null Byte, AutoRuns)
» Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…
» Replace several tools we use today with one easy to use utility that does much more
» Replace several older tools and GUI tools
» To answer the question: Is this system infected or clean?
» And do it quickly - SPEED !
Free Edition
» Audit your settings – Do you comply?
» Harvest security relevant log data – 12 Reports
» Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations
» Perform a full file hash baseline of a system
» Compare a suspect system to a Baseline or Dir
» Perform a full Registry snapshot of a system
» Compare a suspect system to a Reg Baseline
» Look for Large Registry Keys for hidden payloads
» Everything the Free Edition does and…
» More reports, breakdown of things to look for
» PowerShell report
» Specify the Output directory
» Harvest Sysmon logs
» Harvest WLS Logs
» Whitelist Hash compare results
» Whitelist Registry compare results
» Create a Master-Digest to exclude unique files
» Free updates for 1 year, expect a new release every quarter
» Manual – How to use LOG-MD Professional
Future Versions – In the works!
» WhoIs lookups of IP Addresses called
» VirusTotal lookups of discovered files
» Find parent-less processes
» Assess all processes and create a Whitelist
» Assess all services and create a Whitelist
» VirusTotal lookups of unknown or new processes and services
» Other API calls to security vendors
Let’s look
at some
LOG-MD
RESULTS
Crypto Event
» C:\Users\Bob\AppData\Roaming\vcwixk.exe
» C:\Users\Bob\AppData\Roaming\vcwpir.exe
» C:\WINDOWS\system32\cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL
» C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet
Malicious Word Doc
DRIDEX
Malicious Word Doc cont’d
More DRIDEX
Use the power of Excel
» The reports are in .CSV format
» Excel has sorting and filters
» Filters are AWESOME to thin out your results
» You might take filtered results and add them to your whitelist once vetted
» Save to .XLS and format, color code and produce your report
» For .TXT files use NotePad++
So what do we get?
» WHAT Processes executed
» WHERE it executed from
» IP’s to enter into Log Management to see WHO else opened the malware
» Details needed to remediate infection
» Details to improve your Active Defense!
» I did this in… 15 Minutes!
Resources
» Websites
• Log-MD.com The tool
» The “Windows Logging Cheat Sheet”
• MalwareArchaeology.com
» Malware Analysis Report links too
• To start your Malware Management program
» This presentation is on SlideShare and website
• Search for MalwareArchaeology or LOG-MD
Questions
You can find us at:
» Log-MD.com
» @HackerHurricane
» @Boettcherpwned
» MalwareArchaeology.com
» HackerHurricane.com (blog)
» MalwareManagementFramework.Org
» http://www.slideshare.net – LinkedIn now

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Proper logging can catch breaches like retail PoS

  • 16. Winnti » Malware infection » Malware launch » Hiding malware in the Registry » Modify service
  • 17. » Escalate permissions (obviously NOT your admin) » Check the service used » Modify permissions » Push out malware using the CMD shell and CScript
  • 18. Using the Registry for storage » Update Registry » Change Registry permissions » Change permissions on files
  • 19. Bad behavior becomes obvious » Doing recon » Going after Terminal Services » Query users
  • 20. You can even capture their credentials » Caught THEIR credentials!
  • 21. Persistence » Avoided leaving key files behind like they did before, well one anyways… the persistence piece
  • 22. HKLM\Software\Clients » putfile » file » read » 4D5A = MZ in hex » Key size = 256k
  • 23. Persistence » Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe) » Altered system management binaries • McAfeeFrameworkService • BESClientHelper • Attempted a few others, some failed
  • 24. Persistence » BAM! Got ya – PROCMon on bootup
  • 25. A quick look at Commodity Malware Artifacts MalwareArchaeology.com
  • 26. Angler delivered Kovter » Unique way to hide the persistence » Inserted a null byte in the name of the Run key value so that RegEdit and reg query fail to read and display it » And a LARGE Reg key (anything over 20k is large)
  • 28. Dridex persistence » New method towards the end of 2015: nothing in the Registry showing persistence while the system was running » In memory only until system shutdown • On shutdown the Run key value was created » On startup the malware loads and the Run key value is deleted
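An added example, not code from the deck and not Log-MD, that hunts for the two registry artifacts on slides 22 and 26 with a plain .NET registry walk: a PE image stored as registry data (data that starts with 4D 5A, or its hex text) and an oversized value. The 20 KB threshold is the slide's; the roots scanned, the depth limit and the best-effort null-byte check on value names are assumptions made here.

```powershell
# Added example for this page; not Log-MD and not code from the deck.
# Walk HKLM\SOFTWARE and HKCU\SOFTWARE and flag values that look like hidden payloads:
#   - values larger than 20 KB (the deck's "large key" threshold)
#   - REG_BINARY or string data that starts with an MZ header, i.e. a PE image kept in the registry
#   - value names with an embedded null byte (best effort) or that enumerate but will not read back
# Run from an elevated prompt; keys you cannot open are skipped.
$LargeValueBytes = 20KB   # assumption: threshold taken from the slides, tune for your estate

function Get-ValueSize {
    param($Data)
    if ($Data -is [byte[]])   { return $Data.Length }
    if ($Data -is [string])   { return [Text.Encoding]::Unicode.GetByteCount($Data) }
    if ($Data -is [string[]]) {
        $total = 0
        foreach ($s in $Data) { $total += [Text.Encoding]::Unicode.GetByteCount($s) }
        return $total
    }
    if ($Data -is [int])  { return 4 }   # REG_DWORD
    if ($Data -is [long]) { return 8 }   # REG_QWORD
    return 0
}

function Test-MZHeader {
    param($Data)
    if ($Data -is [byte[]]) {
        return ($Data.Length -ge 2 -and $Data[0] -eq 0x4D -and $Data[1] -eq 0x5A)
    }
    if ($Data -is [string]) {
        # Raw "MZ" or a hex-encoded image ("4D5A...") as shown on slide 22
        return ($Data.StartsWith('MZ') -or $Data.StartsWith('4D5A', [StringComparison]::OrdinalIgnoreCase))
    }
    return $false
}

function Find-SuspiciousRegistryValues {
    param(
        [Microsoft.Win32.RegistryKey]$Key,
        [int]$Depth = 0,
        [int]$MaxDepth = 12          # assumption: enough for anything under SOFTWARE
    )
    foreach ($name in $Key.GetValueNames()) {
        $reasons = @()
        # Best effort: only catches the Kovter trick if the runtime hands back the embedded null in the name
        if ($name.IndexOf([char]0) -ge 0) { $reasons += 'embedded null byte in value name' }
        $size = 0
        try {
            $data = $Key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $size = Get-ValueSize $data
            if ($size -gt $LargeValueBytes) { $reasons += "large value ($size bytes)" }
            if (Test-MZHeader $data)        { $reasons += 'MZ header, PE image stored as registry data' }
        } catch {
            $reasons += "read failed: $($_.Exception.Message)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Key = $Key.Name; Value = $name; Bytes = $size; Reason = ($reasons -join '; ') }
        }
    }
    if ($Depth -ge $MaxDepth) { return }
    foreach ($sub in $Key.GetSubKeyNames()) {
        try { $child = $Key.OpenSubKey($sub) } catch { continue }   # access denied and friends
        if ($null -eq $child) { continue }
        try     { Find-SuspiciousRegistryValues -Key $child -Depth ($Depth + 1) -MaxDepth $MaxDepth }
        finally { $child.Dispose() }
    }
}

# Roots most persistence lives under; extend as needed (HKU\<sid>\SOFTWARE for other profiles, for instance)
$roots = @(
    [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE'),
    [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('SOFTWARE')
)
$findings = foreach ($root in $roots) {
    if ($null -ne $root) { Find-SuspiciousRegistryValues -Key $root }
}
$findings | Sort-Object Bytes -Descending | Format-Table Key, Value, Bytes, Reason -AutoSize -Wrap
```

Expect legitimate large values too (installer caches, icon blobs, some Office and browser state); the point is that the list is short enough to eyeball and whitelist, and a hit that is both large and starts with MZ deserves a hash and a VirusTotal lookup. The null-byte check is not a guarantee: the Win32 API treats the name as a C string, so a truncated read silently returns nothing rather than failing; the deck's tooling (Log-MD, Autoruns) handles that case directly.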
  • 29. Dridex is Baaack » 2016 variant
  • 30. How to Detect Malicious Behavior MalwareArchaeology.com
  • 32. Where to start » What am I supposed to set? “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Malware Management Framework” » Find them all here: • MalwareArchaeology.com
  • 33. PowerShell » It’s coming… in a BIG way - It’s already here » Ben Ten uses it (“Not PowerShell”, nps) » Carlos uses it (Metasploit) » Dave uses it (SET) » Kevin too (pen tester) » Dridex uses it » RansomWare uses it » And default logging for it SUCKS
  • 35. So what do we do about PowerShell? » The “Windows PowerShell Logging Cheat Sheet” » Designed to catch the folks I just mentioned, and others ;-) » Get it at: • MalwareArchaeology.com
  • 37. How to catch this stuff » Enable command line logging!!!! » At the time of Winnti (2014) ONLY Win 8.1 and Win 2012 R2 had command line logging (Microsoft later backported it to Windows 7/8 and Server 2008 R2/2012 with KB3004375 in February 2015) » Which we had, and then we saw this in our alerts for suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib) SIX Commands » Scripts too
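An added example for this page, not Log-MD and not the cheat sheets themselves: a small check of the settings slides 32, 35 and 37 depend on (process creation auditing, the command line in 4688, PowerShell script block and module logging, and a Security log big enough to keep it all), with a -Fix switch that turns them on locally. The registry locations and the auditpol subcategory GUID are Microsoft's documented ones; the 1 GB Security log floor is an assumption made here, not a number from the deck.

```powershell
# Added example for this page; not Log-MD and not the cheat sheet itself.
# Checks the handful of settings the deck says you need before the Security log tells you
# Who/What/Where/When, and turns them on with -Fix. Run elevated. Local policy values are set here;
# in a domain the GPO wins at refresh, so set the same things in Group Policy too.
param([switch]$Fix)

$PROCESS_CREATION_GUID = '{0CCE922B-69AE-11D9-BED3-505054503030}'   # "Process Creation" subcategory, locale independent
$MinSecurityLogBytes   = 1GB                                         # assumption: floor for the Security log size

function Get-RegValue { param($Key, $Name) [Microsoft.Win32.Registry]::GetValue($Key, $Name, $null) }
function Set-RegValue { param($Key, $Name, $Data, [Microsoft.Win32.RegistryValueKind]$Kind)
    [Microsoft.Win32.Registry]::SetValue($Key, $Name, $Data, $Kind)   # creates the key if it is missing
}

$regChecks = @(
    @{ Name = '4688 includes the process command line'
       Key  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Value = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = 1; Kind = 'DWord' },
    @{ Name = 'PowerShell script block logging (event 4104)'
       Key  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockLogging'; Expected = 1; Kind = 'DWord' },
    @{ Name = 'PowerShell module logging (event 4103)'
       Key  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Value = 'EnableModuleLogging'; Expected = 1; Kind = 'DWord' },
    @{ Name = 'PowerShell module logging covers all modules'
       Key  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
       Value = '*'; Expected = '*'; Kind = 'String' }
)

$results = foreach ($c in $regChecks) {
    $actual = Get-RegValue $c.Key $c.Value
    if ($Fix -and $actual -ne $c.Expected) {
        Set-RegValue $c.Key $c.Value $c.Expected $c.Kind
        $actual = Get-RegValue $c.Key $c.Value
    }
    [pscustomobject]@{ Check = $c.Name; Expected = $c.Expected; Actual = $actual; OK = ($actual -eq $c.Expected) }
}

# Advanced audit policy: Process Creation must log Success, or there are no 4688 events at all.
function Get-ProcessCreationAudit {
    # /r gives CSV; skip any non-CSV chatter before the header
    $rows = auditpol /get /subcategory:$PROCESS_CREATION_GUID /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    return ($rows | Select-Object -First 1).'Inclusion Setting'
}
$apSetting = Get-ProcessCreationAudit
if ($Fix -and $apSetting -notmatch 'Success') {
    auditpol /set /subcategory:$PROCESS_CREATION_GUID /success:enable /failure:enable | Out-Null
    $apSetting = Get-ProcessCreationAudit
}
$results += [pscustomobject]@{ Check = 'Audit Process Creation (Success)'; Expected = 'Success'; Actual = $apSetting; OK = ($apSetting -match 'Success') }

# Security log size: command line and PowerShell logging are chatty; a default-sized log rolls in hours.
$secLog = Get-WinEvent -ListLog Security
if ($Fix -and $secLog.MaximumSizeInBytes -lt $MinSecurityLogBytes) {
    wevtutil sl Security "/ms:$MinSecurityLogBytes"
    $secLog = Get-WinEvent -ListLog Security
}
$results += [pscustomobject]@{ Check = 'Security log max size (bytes)'; Expected = $MinSecurityLogBytes; Actual = $secLog.MaximumSizeInBytes; OK = ($secLog.MaximumSizeInBytes -ge $MinSecurityLogBytes) }

$results | Format-Table Check, Expected, Actual, OK -AutoSize
```

Run it without -Fix first to see where a host stands (it is the same question Log-MD's audit report answers against the cheat sheet and CIS), then with -Fix on a test box. File and registry auditing from the other two cheat sheets still need SACLs on the objects you care about; a policy setting alone does not produce 4657 or 4663 events.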
  • 38. And this query – Splunk » index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\net.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message | stats count > 2 » (the trailing “stats count > 2” is the alert threshold as captured from the slide, not a complete SPL command)
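The same hunt as the Splunk query, written here as an added example for hosts that have no log management yet (slide 42's "what if I don't have a SIEM"); it is not the deck's query and not Log-MD. It reads 4688 from the local Security log with Get-WinEvent, drops machine accounts, matches the watch list against the image name or the command line, filters a whitelist, and applies the "count > 2" threshold. The look-back window and the empty whitelist are assumptions; the watch list is the slide's.

```powershell
# Added example for this page; not the deck's Splunk query and not Log-MD.
# Local equivalent of the slide 38 hunt: 4688 (process creation) events, minus machine accounts,
# where the image or the command line names a tool from the watch list, minus a whitelist,
# then counted per user/image. Needs command line logging on, otherwise only image names match.
$Since     = (Get-Date).AddHours(-24)   # assumption: look-back window
$Threshold = 2                          # the deck's "count > 2"
$Watch = @(
    'arp.exe','at.exe','bcdedit.exe','bcp.exe','chcp.exe','cmd.exe','cscript.exe','csvde.exe','dsquery.exe',
    'ipconfig.exe','mimikatz.exe','nbtstat.exe','nc.exe','netcat.exe','netstat.exe','nmap.exe','nslookup.exe',
    'netsh.exe','osql.exe','ping.exe','powershell.exe','powercat.ps1','psexec.exe','psexesvc.exe',
    'psloggedon.exe','procdump.exe','qprocess.exe','query.exe','rar.exe','reg.exe','route.exe','runas.exe',
    'rundll32.exe','schtasks.exe','sethc.exe','sqlcmd.exe','sc.exe','ssh.exe','sysprep.exe','systeminfo.exe',
    'net.exe','net1.exe','tasklist.exe','tracert.exe','vssadmin.exe','whoami.exe','winrar.exe','wscript.exe',
    'winrm.cmd','winrs.exe','wmic.exe','wsmprovhost.exe','wusa.exe'
)
# Known-good command lines as regexes; assumption: starts empty and grows as you vet results (slide 56)
$Allow = @()

function Get-EventData {
    # Flatten the <EventData><Data Name=...> elements of an event into a hashtable
    param($Event)
    $h = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Test-Watched {
    param([string]$Image, [string]$CommandLine)
    if ($Watch -contains $Image) { return $true }
    if (-not $CommandLine) { return $false }
    foreach ($w in $Watch) {
        # \b keeps "sc.exe" from matching inside "psc.exe"; -match is case-insensitive by default
        if ($CommandLine -match ('\b' + [regex]::Escape($w))) { return $true }
    }
    return $false
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue
$hits = foreach ($e in $events) {
    $d = Get-EventData $e
    if ($d.SubjectUserName -like '*$') { continue }               # NOT (Account_Name=*$)
    $image = if ($d.NewProcessName) { [IO.Path]::GetFileName($d.NewProcessName).ToLowerInvariant() } else { '' }
    $cmd   = [string]$d.CommandLine
    if (-not (Test-Watched $image $cmd)) { continue }
    $allowed = $false
    foreach ($a in $Allow) { if ($cmd -match $a) { $allowed = $true; break } }
    if ($allowed) { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Host        = $e.MachineName
        User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Image       = $image
        CommandLine = $cmd
        NewPid      = $d.NewProcessId
        CreatorPid  = $d.ProcessId      # 4688's ProcessId field is the creator (parent) PID
    }
}

if ($hits -and -not ($hits | Where-Object { $_.CommandLine })) {
    Write-Warning 'Every hit has an empty CommandLine: command line logging is not enabled on this host.'
}

$hits | Sort-Object Time | Format-Table Time, User, Image, CommandLine -AutoSize -Wrap
# The deck's threshold: user/image pairs that fired more than $Threshold times in the window
$hits | Group-Object User, Image | Where-Object { $_.Count -gt $Threshold } |
    Select-Object Count, Name | Sort-Object Count -Descending
```

On the Winnti box this would have surfaced the cscript, cmd.exe, cacls, net, takeown and attrib run in one alert window. The first run on any admin workstation is noisy (ipconfig, ping, whoami); feed the vetted command lines into $Allow rather than shrinking the watch list, which is how slides 46 and 56 describe building the whitelist.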
  • 39. So how do you do this? » Malware Management allowed us to set up alerts on artifacts from other people’s malware analysis • MalwareManagementFramework.org » Of course our own experience too » Malware Discovery allowed us to find odd file hashes, command line details and registry locations » Malware Analysis gave us the details
  • 40. What we all need to look for » Logs of course, properly configured - Events • Command Line details • Admin tools misused – executions • New Services (retail PoS should know this) • Drivers used (.sys) » New Files dropped anywhere on disk – Hashes • Infected management binary (hash changed) » Delete on startup, write on shutdown – File & Reg Auditing » Scripts hidden in the registry – Registry Compare » Payload hidden in the registry – Large Reg Keys » Malware Communication – IP and WhoIS info » Expand PowerShell detection » VirusTotal Lookups
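The "delete on startup, write on shutdown" item above is the Dridex trick from slide 28, and it is the one a registry snapshot of a running box never sees. As an added example, not from the deck and not Log-MD, this lines up 4657 (registry value modified) events on the Run and RunOnce keys against the shutdown and startup markers in the System log. It assumes the Registry Auditing Cheat Sheet's preconditions are met (Audit Registry enabled and a SACL on the Run keys, or 4657 never fires); the 120 second window and the 7 day look-back are assumptions.

```powershell
# Added example for this page; not Log-MD and not from the deck.
# Dridex-style persistence writes the Run key on shutdown and deletes it on startup, so nothing is
# there while the box is up. Registry auditing still records the write: pair 4657 events on autorun
# keys with shutdown/startup markers and anything within a few seconds of a boot boundary stands out.
# Preconditions: 'Audit Registry' enabled and a SACL (Set Value / Delete) on the Run keys. Run elevated.
$Days      = 7                                      # assumption: look-back window
$WindowSec = 120                                    # assumption: how close to a marker a write must be
$Since     = (Get-Date).AddDays(-$Days)
$RunKeyRx  = '\\CurrentVersion\\(Run|RunOnce)(\\|$)'   # ...\CurrentVersion\Run and \RunOnce under HKLM or HKU

function Get-EventData {
    # Flatten the <EventData><Data Name=...> elements of an event into a hashtable
    param($Event)
    $h = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# Boot boundary markers from the System log:
#   1074 = shutdown/restart requested, 6006 = event log service stopped (clean shutdown), 6005 = event log service started (boot)
$markers = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 6005, 6006; StartTime = $Since } -ErrorAction SilentlyContinue)

# Registry value changes on autorun keys (4657 field names: ObjectName, ObjectValueName, OperationType, NewValue, ProcessName)
$writes = foreach ($e in Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $Since } -ErrorAction SilentlyContinue) {
    $d = Get-EventData $e
    if ($d.ObjectName -notmatch $RunKeyRx) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Key     = $d.ObjectName
        Value   = $d.ObjectValueName
        OpCode  = $d.OperationType      # raw %%19xx code (created / modified / deleted); $e.Message has the rendered text
        NewData = $d.NewValue           # empty on a delete
        Process = $d.ProcessName
        User    = $d.SubjectUserName
    }
}

function Find-BootBoundaryWrites {
    # Every autorun write within $Window seconds (either side) of a shutdown or startup marker
    param($Writes, $Markers, [int]$Window)
    foreach ($w in $Writes) {
        foreach ($m in $Markers) {
            $offset = ($w.Time - $m.TimeCreated).TotalSeconds
            if ([math]::Abs($offset) -le $Window) {
                [pscustomobject]@{
                    Write = $w.Time; Marker = $m.Id; OffsetSec = [int]$offset
                    Key = $w.Key; Value = $w.Value; OpCode = $w.OpCode
                    Process = $w.Process; User = $w.User; NewData = $w.NewData
                }
            }
        }
    }
}

$flagged = Find-BootBoundaryWrites -Writes $writes -Markers $markers -Window $WindowSec
$flagged | Sort-Object Write | Format-Table Write, Marker, OffsetSec, Value, OpCode, Process, User -AutoSize -Wrap
```

The Dridex pattern shows up as a pair: a write with a negative offset to a 6006 (seconds before the log service stopped) and a delete with a positive offset to the next 6005, same value name, from a process that is not an installer. Windows Update and setup programs also touch RunOnce around reboots, so whitelist on the Process column, and keep NewData, because the value written is usually the full launch command line.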
  • 41. So what did we take away from all of this? MalwareArchaeology.com
  • 42. You basically have 3 options » Do nothing – Eventually leading to an RGE » Log Management / SIEM • Cost $$$ and storage • But IS the best option, better than most security solutions if you want my opinion » What if I don’t have Log Management or SIEM?
  • 43. It didn’t exist, so we created it! So you can do it too!
  • 45. » Log and Malicious Discovery tool » When you run the tool, it tells you what auditing and settings it requires you to configure. LOG-MD won’t harvest anything until you configure the system! » So it answers how to check for the settings I already told you about
  • 46. Functions » Audit Report of log settings compared to: • The “Windows Logging Cheat Sheet” • Center for Internet Security (CIS) Benchmarks • Also USGCB and AU ACSC » White lists to filter out the known good • By IP Address • By Process Command Line and/or Process Name • By File and Registry locations (requires File and Registry auditing to be set) » Full File System hash baseline and compare » Full Registry baseline and compare » Report.csv - data from logs specific to security • 12 reports total
  • 48. Purpose » Malware Analysis Lab – Why we initially developed it » Investigate a suspect system » Audit the Windows - Advanced Audit Policy settings » Help MOVE or PUSH security forward » Give the IR folks what they need and the Feds too » Take a full system (File and Reg) snapshot to compare to another system and report the differences » Discover tricky malware artifacts (Large Keys, Null Byte, AutoRuns) » Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc… » Replace several tools we use today with one easy to use utility that does much more » Replace several older tools and GUI tools » To answer the question: Is this system infected or clean? » And do it quickly - SPEED !
  • 49. Free Edition » Audit your settings – Do you comply? » Harvest security relevant log data – 12 Reports » Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations » Perform a full file hash baseline of a system » Compare a suspect system to a Baseline or Dir » Perform a full Registry snapshot of a system » Compare a suspect system to a Reg Baseline » Look for Large Registry Keys for hidden payloads
  • 50. Professional Edition » Everything the Free Edition does and… » More reports, breakdown of things to look for » PowerShell report » Specify the output directory » Harvest Sysmon logs » Harvest WLS logs » Whitelist hash compare results » Whitelist Registry compare results » Create a Master-Digest to exclude unique files » Free updates for 1 year, expect a new release every quarter » Manual – How to use LOG-MD Professional
  • 51. Future Versions – In the works! » WhoIs lookups of IP Addresses called » VirusTotal lookups of discovered files » Find parent-less processes » Assess all processes and create a Whitelist » Assess all services and create a Whitelist » VirusTotal lookups of unknown or new processes and services » Other API calls to security vendors
  • 53. Crypto event » C:\Users\Bob\AppData\Roaming\vcwixk.exe » C:\Users\Bob\AppData\Roaming\vcwpir.exe » C:\WINDOWS\system32\cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL » C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet (the dropper deleting itself and vssadmin wiping the shadow copies are the tells)
  • 55. Malicious Word doc, continued » More Dridex
  • 56. Use the power of Excel » The reports are in .CSV format » Excel has sorting and filters » Filters are AWESOME to thin out your results » You might take filtered results and add them to your whitelist once vetted » Save to .XLS and format, color code and produce your report » For .TXT files use NotePad++
  • 57. So what do we get? » WHAT processes executed » WHERE it executed from » IPs to enter into Log Management to see WHO else opened the malware » Details needed to remediate the infection » Details to improve your Active Defense! » I did this in… 15 minutes!
  • 58. Resources » Websites • Log-MD.com The tool » The “Windows Logging Cheat Sheet” • MalwareArchaeology.com » Malware Analysis Report links too • To start your Malware Management program » This presentation is on SlideShare and website • Search for MalwareArchaeology or LOG-MD
  • 59. Questions You can find us at: » Log-MD.com » @HackerHurricane » @Boettcherpwned » MalwareArchaeology.com » HackerHurricane.com (blog) » MalwareManagementFramework.Org » http://www.slideshare.net – LinkedIn now