Are malware sandboxes as good as manual analysis?
Michael Gough – Founder
MalwareArchaeology.com
Co-creator of
MalwareArchaeology.com
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
Creator of
• Malware Management Framework
• Several Windows Logging Cheat Sheets
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @BrakeSec
• @HackerHurricane and also my Blog
Malware evolves
• So must we
• Darwin says so
• Evolve or die
• Well… Evolve or get breached anyways
• Getting breached means an RGE !!!
– Resume Generating Event
Define Sandbox
• A VM you build to evaluate malware
• An on premise virtual malware analysis like Cuckoo sandbox
• A specific malware analysis eco-system like RemNUX
• A cloud based malware analysis like Payload Security/Reverse.IT, Lastline, Malwr.com, etc.
• Email Gateways like FireEye, Cisco AMP, etc.
• Web Proxies like FireEye, Lastline, etc.
• Advanced features in Firewalls like Palo Alto WildFire
• And of course anything you specifically build
Ways to bypass Automated Sandbox Analysis
How do the malwarians evade sandbox analysis?
Look for indicators of a VM
• VM Tools
• Registry keys
• Hardware (is virtual not real)
Look for ‘Recent Files’
• Have you opened several misc. documents?
Processor related indicators
• Some API calls take MUCH longer on a VM
How do the malwarians evade sandbox analysis?
Password protected files
• Can’t scan what you can’t access
How do the malwarians evade sandbox analysis?
OLE
• Embed OLE objects and the sandbox may not know where to click to execute the payload
How do the malwarians evade sandbox analysis?
URL’s in the document
• Can be anywhere in the document
How do the malwarians evade sandbox analysis?
Time
• They wait you out
• Your automated queue will just backup
• How long can you wait? Or the automated sandbox wait?
How do the malwarians evade sandbox analysis?
Time
• The automated sandbox gave up
• So did our email “Advanced Malware Protection”
But WE did not
• +LOG-MD caught it all
Manual Analysis rules
• We detonate everything in a lab that fits a pattern like ‘has a password’ and anything that comes back ‘unknown’ or ‘looks incomplete’
Manual Analysis rules
Manual Analysis rules
• We even found persistence
Time to disclose a Cloud provider that has had a serious flaw ;-)
Hey, I got a FAX!!!
• Typical Phish
• A FAX.. SERIOUSLY?
• So 90’s…
• Word Doc attached
• Date: 08/30/16
• Time: 11:15am
Simple Manual Analysis
• 7-Zip
• Contains Macros
Simple Manual Analysis
• Strings or Type
• Shows a Macro
• “Document_Open” shows autorun when the document is opened
Simple Manual Analysis
• OfficeMalScanner – Seems malicious
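The 7-Zip, strings and Document_Open checks from the three slides above, as an added Python example (not the talk's own tooling): it lists the parts of a zipped Office document, runs a minimal strings over any VBA part and reports auto-exec procedure names. The .docm it scans is constructed in memory and the function names are mine.

```python
import io
import re
import zipfile

# Macro entry points that run without the user clicking anything; the talk's
# strings output showed Document_Open, the others are common siblings.
AUTOEXEC_NAMES = (
    b"Document_Open", b"Document_Close", b"AutoOpen", b"AutoClose",
    b"AutoExec", b"Workbook_Open", b"Auto_Open",
)


def list_parts(doc_bytes):
    """The 7-Zip step: an OOXML file is a zip, so list what is inside it."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        return zf.namelist()


def strings(blob, min_len=6):
    """Minimal `strings`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def triage(doc_bytes):
    """Return a dict describing macro presence and auto-exec names found."""
    try:
        parts = list_parts(doc_bytes)
    except zipfile.BadZipFile:
        # Legacy binary .doc files are OLE compound files, not zips; 7-Zip still
        # opens them, and OfficeMalScanner is the better tool for that format.
        return {"has_macros": None, "vba_parts": [], "autoexec": [],
                "verdict": "not OOXML (legacy OLE .doc?) - use 7-Zip/OfficeMalScanner"}
    vba_parts = [p for p in parts if p.lower().endswith("vbaproject.bin")]
    found = set()
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for part in vba_parts:
            # Real VBA module streams are MS-OVBA compressed, so a plain byte scan
            # is a first pass only; short names often survive in the clear, which
            # is why strings showed Document_Open in the talk.
            for s in strings(zf.read(part)):
                for name in AUTOEXEC_NAMES:
                    if name.decode("ascii") in s:
                        found.add(name.decode("ascii"))
    if found:
        verdict = "suspicious: macro auto-runs on open"
    elif vba_parts:
        verdict = "has macros, no auto-exec name seen"
    else:
        verdict = "no macros"
    return {"has_macros": bool(vba_parts), "vba_parts": vba_parts,
            "autoexec": sorted(found), "verdict": verdict}


def build_sample_docm(with_macro):
    """CONSTRUCTED sample: a minimal zip shaped like a .docm, not a real phish."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE magic, padding, then a fake module body with an auto-exec name.
            body = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 +
                    b"Attribute VB_Name = \"ThisDocument\"\x00"
                    b"Sub Document_Open()\x00End Sub\x00")
            zf.writestr("word/vbaProject.bin", body)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro", build_sample_docm(True)),
                       ("clean", build_sample_docm(False)),
                       ("ole", b"\xd0\xcf\x11\xe0 not a zip")):
        print(label, triage(doc))
```

A hit here is a reason to detonate in the lab, as the talk does, not proof by itself.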
Email Gateway
• Date: 08/30/16
• Time: 12:02pm
• 47 Mins later, another copy
CLEAN ???
And a couple more…
• Clean???
VawTrak
Even AV actually caught it
• Same Day!
• McAfee knew
VawTrak
Simple Manual Analysis
• In 1 minute or less I was able to tell this Word DOC is malicious with very basic analysis
– 7Zip, Strings & OfficeMalScanner
• To be certain the file is bad, we could detonate it in a lab or an online solution
• Let’s see what the fancy pants Cloud and Sandbox solutions say about it
• By the way, auto processing your documents to the cloud may contain PII ;-(
VirusTotal
• VT Score 28/53
• Date: 9/8/16
• 8 Days later
• AV has a Sig
• Clearly BAD
Unknown???
• This is an obviously bad Word Doc, same as the others
• This one had the added benefit of an embedded OLE object
• Still easily bad
• This one was KOVTER
Let’s see what a Cloud analysis shows
Reverse.IT
Artifacts / Indicators
• What do we want to get out of any analysis?
– URL’s: What websites were visited
– IP’s: Communications
– Filenames: What files were added
– Directories used: Where does it live
– Autoruns used: How does it launch
– Config changes: What changed
– Metadata: Details
– Signed: Digital Signatures
– Behavior: What actually happened
– Network info: Traffic behavior - Net Flow
Artifacts / Indicators
• Why do we want this data?
• We need to know who else got infected
– The IP’s and URL’s
• What was added
• What was changed
• So we know whether to
– Re-image
– IF we can clean it up
Let’s look at another Manual analysis
Artifacts URL’s
• A little script I run during analysis
• And…
• Google
Process Artifacts
• What launched
• Linked processes – Bad EXE calls WinHost32.exe
(Table columns: Creator ID | Process ID | Process Name | Sandbox Found)
Artifacts IP’s
• What talked to Whom
• Wait… WinHost32 did not show up in the Cloud Analysis
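The process linking and "who talked to whom" attribution from the two slides above, as an added Python example rather than the talk's own script: it rebuilds the Creator ID / Process ID / Process Name table under a suspect EXE and lists the destination IPs its whole subtree contacted. The log lines are constructed in a simplified key=value form modelled on Sysmon Event 1 and Event 3, and invoice.exe is a hypothetical name for the bad EXE.

```python
import re
from collections import defaultdict, deque
from ntpath import basename

# CONSTRUCTED log: simplified key=value lines modelled on Sysmon Event 1
# (ProcessCreate) and Event 3 (NetworkConnect); not a real capture.
# invoice.exe is the hypothetical bad EXE; its child name follows the talk.
SAMPLE_LOG = """\
EventID=1 ProcessId=4212 ParentProcessId=3100 Image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE
EventID=1 ProcessId=4480 ParentProcessId=4212 Image=C:\\Users\\user\\AppData\\Local\\Temp\\invoice.exe
EventID=1 ProcessId=4520 ParentProcessId=4480 Image=C:\\Users\\user\\AppData\\Roaming\\WinHost32.exe
EventID=3 ProcessId=4480 Image=C:\\Users\\user\\AppData\\Local\\Temp\\invoice.exe DestinationIp=198.51.100.7 DestinationPort=443
EventID=3 ProcessId=4520 Image=C:\\Users\\user\\AppData\\Roaming\\WinHost32.exe DestinationIp=203.0.113.45 DestinationPort=80
EventID=1 ProcessId=5000 ParentProcessId=3100 Image=C:\\Windows\\System32\\notepad.exe
EventID=3 ProcessId=5000 Image=C:\\Windows\\System32\\notepad.exe DestinationIp=192.0.2.10 DestinationPort=443
"""

# key=value pairs where a value (an image path) may itself contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_log(text):
    """Yield one dict of fields per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield dict(FIELD_RE.findall(line))


def build_model(text):
    """procs: pid -> (image, parent pid); children: ppid -> [pid]; conns: pid -> [(ip, port)]."""
    procs, children, conns = {}, defaultdict(list), defaultdict(list)
    for ev in parse_log(text):
        pid = int(ev["ProcessId"])
        if ev["EventID"] == "1":
            # Caveat: PIDs are reused over time; real Sysmon events carry a
            # ProcessGuid for unambiguous linking. Fine for one short capture.
            ppid = int(ev["ParentProcessId"])
            procs[pid] = (ev["Image"], ppid)
            children[ppid].append(pid)
        elif ev["EventID"] == "3":
            conns[pid].append((ev["DestinationIp"], int(ev["DestinationPort"])))
    return procs, children, conns


def analyze(text, suspect_name):
    """Rows (creator id, process id, name) under the suspect, its launch chain,
    and every connection made by the suspect or anything it spawned."""
    procs, children, conns = build_model(text)
    roots = [pid for pid, (img, _) in procs.items()
             if basename(img).lower() == suspect_name.lower()]
    if not roots:
        return {"rows": [], "chain": [], "connections": []}
    root = roots[0]
    # Ancestry: what launched the suspect (stops where the parent was never logged).
    chain, pid = [], root
    while pid in procs:
        chain.append(basename(procs[pid][0]))
        pid = procs[pid][1]
    chain.reverse()
    # Descendants in launch order, shaped like the slide's table.
    rows, queue = [], deque([root])
    while queue:
        pid = queue.popleft()
        img, ppid = procs[pid]
        rows.append((ppid, pid, basename(img)))
        queue.extend(children[pid])
    connections = [(name, ip, port)
                   for _, pid, name in rows for ip, port in sorted(conns[pid])]
    return {"rows": rows, "chain": chain, "connections": connections}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, "invoice.exe")
    print("launched by:", " -> ".join(result["chain"]))
    for creator, pid, name in result["rows"]:
        print(f"{creator:>6} {pid:>6}  {name}")
    for name, ip, port in result["connections"]:
        print(f"{name} -> {ip}:{port}")
```

The IPs that come out are the ones to search for in log management to find who else opened the sample.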
File & Dir Artifacts
• Files involved
• Directories involved
Persistence
• Run Key created
Artifacts - Sysmon
• What loaded the image
• Signed or not
• Hashes
• Another little script I run
Let’s compare Manual to Cloud
Artifacts / Indicators        Cloud     Manual
– URL’s                       No/Yes    Yes
– IP’s                        No        Yes
– All Filenames               Some      Yes
– All Directories used        Some      Yes
– Autoruns used               No        Yes
– Config changes              No        Yes
– Metadata                    Yes       Yes
– Signed                      Yes       Yes
– Behavior                    No        Yes
Sandbox or Manual?
• Paid solutions work better than Free ones
• Many samples failed to execute due to being VM aware
• Not as much detail as you can get yourself (IMHO)
• You CAN do as good a job as, or better than, sandbox solutions
• Sandbox solutions are good for multiple samples after you have evaluated one using manual analysis so you can compare results
• You may, or will, have to super harden VM sandboxes to make them look and act like a normal system
So what do we use for manual analysis?
Free Edition
• Audit your settings – Do you comply?
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process and
File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden payloads
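Finding the created Run key by comparing a suspect system to a registry baseline (the Persistence slide and the "Compare a suspect system to a Reg Baseline" feature above), as an added Python example; this is not LOG-MD code, and both snapshots are constructed .reg-style exports with a hypothetical WinHost32 value.

```python
import re

# CONSTRUCTED snapshots in a simplified `reg export` (.reg) style: a [key]
# header followed by "name"="data" string values. Not LOG-MD's own format.
BASELINE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''

SUSPECT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"WinHost32"="C:\\Users\\user\\AppData\\Roaming\\WinHost32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\Temp\\SecurityHealthSystray.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.*?)"="(.*)"$')

# Autorun data pointing here is not proof of anything, but it is where the
# talk's samples lived and where a baseline diff deserves a second look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_reg(text):
    """Return {key: {value_name: data}} from a .reg-style export."""
    snapshot, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            snapshot.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg escapes backslashes and quotes with a backslash; undo that.
            snapshot[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return snapshot


def diff_autoruns(baseline, suspect):
    """Added, changed and removed values between two snapshots, key by key."""
    report = {"added": [], "changed": [], "removed": []}
    for key in sorted(set(baseline) | set(suspect)):
        base_vals, sus_vals = baseline.get(key, {}), suspect.get(key, {})
        for name in sorted(set(base_vals) | set(sus_vals)):
            if name not in base_vals:
                report["added"].append((key, name, sus_vals[name]))
            elif name not in sus_vals:
                report["removed"].append((key, name, base_vals[name]))
            elif base_vals[name] != sus_vals[name]:
                report["changed"].append((key, name, base_vals[name], sus_vals[name]))
    return report


def flag_user_writable(entries):
    """Entries whose current data points into a user-writable directory."""
    return [e for e in entries if any(p in e[-1].lower() for p in USER_WRITABLE)]


if __name__ == "__main__":
    report = diff_autoruns(parse_reg(BASELINE), parse_reg(SUSPECT))
    for kind, entries in report.items():
        for entry in entries:
            print(kind, entry)
    print("look closer:", flag_user_writable(report["added"] + report["changed"]))
```

A changed value that now points into Temp is as interesting as a new one; the diff reports both.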
• Everything the Free Edition does and…
• More reports, breakdown of things to look for
• Specify the Output directory
• Harvest Sysmon logs
• Whitelist Hash compare results
• Whitelist Registry compare results
• Create a Master-Digest to exclude unique files
• WhoIs lookups of IP Addresses called
• SRUM netflow data (Win 8.1 & 10 64bit)
• Free updates for 1 year, expect a new release every quarter
• Manual – How to use LOG-MD Professional
Future Versions – In the works!
• PowerShell details
• AutoRuns report
• VirusTotal lookups of discovered files
• Find parent-less processes
• Assess all processes and create a Whitelist
• Assess all services and create a Whitelist
• VirusTotal lookups of unknown or new processes and services
• Other API calls to security vendors
So what do we get?
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in… 15 Minutes!
Resources
• Websites
– Log-MD.com – The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
• This presentation is on SlideShare and website
– Search for MalwareArchaeology or LOG-MD
Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• MalwareManagementFramework.Org
• http://www.slideshare.net – LinkedIn now
