Hunting Fileless Malware
[ SysInternals tools & Digital Forensics techniques ]
>whoami
Olha Pasko,
[ Chief Security Analyst, RMRF ]
[ Co-founder, mentor & speaker, community WIA in Kyiv ]
>agenda
1. Fileless malware definition
2. Hunting fileless malware with SysInternals tools
3. Hunting fileless malware with Digital Forensics techniques
Fileless Malware Definition
Fileless Malware
● Fileless malware is malicious code that lives in the host's volatile memory (RAM) rather than as an executable on disk, so disk-based antivirus and file-hash IOCs usually miss it; it survives a reboot only through a persistence mechanism (a registry, scheduled-task or WMI entry that re-launches it).
● It is usually combined with abuse of legitimate system tools (living off the land): PowerShell, WMI, the Windows SDK/API, etc.
Fileless Malware Example
Fileless Malware. Example
1. Endpoint
2. C2 (command-and-control server)
Fileless Malware Hunting
[ SysInternals Tools ]
OS Windows
● Processes
● Threads
● Handles
● Resources
OS Windows [ 10 ]
● Boot chain
Boot Chain. Anomaly Detection
● System
Normal process behavior:
● PID is always 4
● no parent process (it is created by the kernel, not by another process)
● exactly one instance, running as NT AUTHORITY\SYSTEM in Session 0
Anomalies in process behavior:
● PID for System isn't 4
● System has a parent process
● several copies of System (a user-mode binary named "System" is a lookalike, not the kernel process)
Boot Chain. Anomaly Detection
● SMSS
Normal process behavior:
● one long-lived instance in Session 0, running as NT AUTHORITY\SYSTEM, with System (PID 4) as parent
● short-lived per-session copies that start csrss/wininit/winlogon and then exit
Anomalies in process behavior:
● parent process isn't System
● process directory isn't %SystemRoot%\System32
● procexp64.exe/procexp.exe shows a live parent process for winlogon, wininit or csrss (the per-session smss.exe that launches them has already exited, so they normally appear without a parent)
Boot Chain. Anomaly Detection
● CSRSS
Anomalies in process behavior:
● process is running as a non-SYSTEM user
● process directory isn't %SystemRoot%\System32
● a live parent process is shown (the per-session smss.exe that created it has normally exited)
Normal process behavior:
● one separate instance for each session
● first instance for the system session: Session 0
● second instance for the interactive user: Session 1
Boot Chain. Anomaly Detection
● Wininit
Anomalies in process behavior:
● process is running as a non-SYSTEM user
● process directory isn't %SystemRoot%\System32
● a process other than SMSS is shown as the parent of wininit
Normal process behavior:
● process is running as NT AUTHORITY\SYSTEM
● process directory is %SystemRoot%\System32
● started in Session 0, exactly one instance
● created by the Session 0 smss.exe, which exits immediately (so Process Explorer normally shows no live parent)
● creates the Winsta0 window station and two desktops (Winlogon and Default) for Session 0
● creates services.exe and lsass.exe (and lsm.exe on Windows Vista/7)
● creates %windir%\Temp
Boot Chain. Anomaly Detection
● Winlogon
Anomalies in process behavior:
● the Shell and Userinit values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon differ from the defaults shown on the slide image (explorer.exe and C:\Windows\system32\userinit.exe,); anything appended there is launched at every logon
● process directory isn't %SystemRoot%\System32
● procexp64.exe/procexp.exe shows a live parent process for winlogon (the per-session smss.exe that launches it has normally exited)
● process isn't running as NT AUTHORITY\SYSTEM
Boot Chain. Anomaly Detection
● Explorer
Normal process behavior:
● runs as the logged-on user in that user's session; started by userinit.exe, which exits, so no live parent is shown
Anomalies in process behavior:
● process has outbound TCP/IP connections
● process directory isn't %SystemRoot% (explorer.exe lives in C:\Windows, not in System32)
Boot Chain. Anomaly Detection
● Services
Anomalies in process behavior:
● process is running as a non-SYSTEM user
● process directory isn't %SystemRoot%\System32
● parent process isn't wininit.exe
● more than one services.exe, or an instance outside Session 0
Boot Chain. Anomaly Detection
● Svchost
Anomalies in process behavior:
● process is running as a user other than SYSTEM, LOCAL SERVICE or NETWORK SERVICE
● process directory isn't %SystemRoot%\System32
● parent process isn't services.exe
● command line lacks the -k <service group> argument (e.g. svchost.exe -k netsvcs)
Boot Chain. Anomaly Detection
● LSASS
Anomalies in process behavior:
● process is running as a non-SYSTEM user
● process directory isn't %SystemRoot%\System32
● parent process isn't wininit.exe
● processes with similar but slightly different names: lasss, lssaa, lsas
● lsass.exe has child processes
Normal process behavior:
● process is running as NT AUTHORITY\SYSTEM
● image is %SystemRoot%\System32\lsass.exe
● parent process is wininit.exe
● only one process named lsass.exe
● lsass.exe has no child processes
● lsass.exe is started in Session 0
Boot Chain. Anomaly Detection
● LSM
Normal process behavior (Windows Vista/7; on Windows 8 and later LSM runs as a service inside svchost.exe, so a standalone lsm.exe there is itself an anomaly):
● process is running as NT AUTHORITY\SYSTEM
● directory is %SystemRoot%\System32
● parent process is wininit.exe
● lsm is the Local Session Manager: it manages terminal-server (RDP) sessions on the local host
● lsm.exe has no child processes
● lsm.exe is started in Session 0
Anomalies in process behavior:
● process is running as a non-SYSTEM user
● process directory isn't %SystemRoot%\System32
● parent process isn't wininit.exe
● lsm has a child process
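The checks on the boot-chain slides above, turned into code. This is an added example written for this page, not the workshop's tooling; it runs offline over a constructed Windows 10-style process snapshot (SNAPSHOT) carrying the same fields a Process Explorer export or Volatility pslist/cmdline output provides. It goes a little beyond the slides in two places: a near-name check that catches the lasss/lsas lookalikes with a one-edit threshold, and a rule that treats a standalone lsm.exe on Windows 8 or later as suspicious because LSM runs inside svchost.exe there. The Proc fields, the rule messages and every PID and path in SNAPSHOT are assumptions of the example.

```python
"""Boot-chain anomaly checks over a process snapshot (added example, not the workshop's own tooling).
SNAPSHOT is constructed to look like a Windows 10 host; on a real host the same fields come from a
Process Explorer export or Volatility pslist/cmdline output (drop the PID 0 Idle row first)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

SYS32 = r"c:\windows\system32"
SYSTEM = r"nt authority\system"
SERVICE_ACCOUNTS = {SYSTEM, r"nt authority\local service", r"nt authority\network service"}
SYSTEM_ONLY = ("smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe")
CORE_NAMES = SYSTEM_ONLY + ("svchost.exe", "explorer.exe")


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str          # full image path; "" for the kernel's System process
    user: str
    session: int
    cmdline: str = ""


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent swap (lasss -> lsass) as a single edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def find_anomalies(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every process that breaks one of the boot-chain rules."""
    by_pid = {p.pid: p for p in procs}
    count = Counter(p.name.lower() for p in procs)
    found: Dict[int, List[str]] = defaultdict(list)

    def check(p: Proc, cond: bool, why: str) -> None:
        if cond:
            found[p.pid].append(why)

    def parent_is(p: Proc, *names: str) -> bool:   # False when the creator has already exited
        return p.ppid in by_pid and by_pid[p.ppid].name.lower() in names

    for p in procs:
        n, img, has_parent = p.name.lower(), p.path.lower().rsplit("\\", 1)[0], p.ppid in by_pid
        if n == "system":
            check(p, p.pid != 4, "System PID is not 4")
            check(p, has_parent, "System has a live parent; the kernel creates the real one")
            check(p, count[n] > 1, "more than one System process")
            continue
        check(p, n in SYSTEM_ONLY and p.user.lower() != SYSTEM, "not running as NT AUTHORITY\\SYSTEM")
        check(p, n in CORE_NAMES[:-1] and img != SYS32, "image is not in %SystemRoot%\\System32")
        if n == "smss.exe":
            check(p, not parent_is(p, "system", "smss.exe"), "smss.exe parent is not System")
        elif n in ("csrss.exe", "wininit.exe", "winlogon.exe"):
            # The per-session smss.exe that starts these exits at once, so they normally show no
            # parent; a live parent other than smss.exe means something else launched a copy.
            check(p, has_parent and not parent_is(p, "smss.exe"), "has a live parent that is not smss.exe")
        elif n in ("services.exe", "lsass.exe"):
            check(p, not parent_is(p, "wininit.exe"), "parent is not wininit.exe")
            check(p, p.session != 0, "not started in Session 0")
            check(p, count[n] > 1, f"more than one {n}")
            check(p, n == "lsass.exe" and any(c.ppid == p.pid for c in procs), "lsass.exe has child processes")
        elif n == "svchost.exe":
            check(p, not parent_is(p, "services.exe"), "parent is not services.exe")
            check(p, p.user.lower() not in SERVICE_ACCOUNTS, "not SYSTEM, LOCAL SERVICE or NETWORK SERVICE")
            check(p, " -k " not in f" {p.cmdline.lower()} ", "no -k <group> on the command line")
        elif n == "explorer.exe":
            check(p, img != r"c:\windows", "explorer.exe is not in %SystemRoot%")
        elif n == "lsm.exe":
            check(p, True, "standalone lsm.exe; on Windows 8 and later LSM runs inside svchost.exe")
        else:
            # Exactly one edit: a looser threshold would also flag sihost.exe and lsaiso.exe.
            for core in CORE_NAMES:
                check(p, osa_distance(n, core) == 1, f"name is one edit away from {core}")
    return dict(found)


S = r"C:\Windows\System32"
SNAPSHOT = [  # constructed: a healthy Windows 10 chain (first 11 rows) followed by four planted anomalies
    Proc(4, 0, "System", "", SYSTEM, 0),
    Proc(300, 4, "smss.exe", S + r"\smss.exe", SYSTEM, 0),
    Proc(400, 392, "csrss.exe", S + r"\csrss.exe", SYSTEM, 0),
    Proc(480, 392, "wininit.exe", S + r"\wininit.exe", SYSTEM, 0),
    Proc(500, 492, "csrss.exe", S + r"\csrss.exe", SYSTEM, 1),
    Proc(560, 492, "winlogon.exe", S + r"\winlogon.exe", SYSTEM, 1),
    Proc(620, 480, "services.exe", S + r"\services.exe", SYSTEM, 0),
    Proc(640, 480, "lsass.exe", S + r"\lsass.exe", SYSTEM, 0),
    Proc(760, 620, "svchost.exe", S + r"\svchost.exe", r"NT AUTHORITY\NETWORK SERVICE", 0, S + r"\svchost.exe -k netsvcs -p"),
    Proc(3000, 2900, "explorer.exe", r"C:\Windows\explorer.exe", r"CORP\alice", 1),
    Proc(3100, 3000, "powershell.exe", S + r"\WindowsPowerShell\v1.0\powershell.exe", r"CORP\alice", 1),
    Proc(1337, 3000, "System", r"C:\Users\alice\AppData\Local\Temp\System.exe", r"CORP\alice", 1),
    Proc(4242, 3100, "lsass.exe", r"C:\Users\alice\AppData\Local\Temp\lsass.exe", r"CORP\alice", 1),
    Proc(4300, 3100, "svchost.exe", r"C:\Users\Public\svchost.exe", r"CORP\alice", 1, "svchost.exe"),
    Proc(4400, 3100, "lsas.exe", r"C:\Users\Public\lsas.exe", r"CORP\alice", 1),
]

if __name__ == "__main__":
    for pid, reasons in sorted(find_anomalies(SNAPSHOT).items()):
        print(pid, "->", "; ".join(reasons))
```

Note that the genuine lsass.exe (PID 640) and System (PID 4) are also reported, each with the single reason "more than one ..." : a duplicate-name hit is a property of the pair, and the analyst decides which one is the impostor from the path, user and session columns. The powershell.exe row is deliberately left unflagged; these rules look at the chain, not at command-line content, which is where the next hunting step (command line, network activity, strings) takes over.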
Threat Hunting
> Don't block a detected threat straight away: study it first, so that you understand its scope and persistence before you tip off the attacker
Threat Hunting. SysInternals
1. Obtain the boot chain
● with SysInternals tools (procexp) on the live host, or from a RAM dump using the Digital Forensics techniques in the next section
● check the boot chain for the process-behaviour anomalies listed on the previous slides
● shortlist the suspicious processes
2. Gather more detailed information about each suspicious process
○ start directory
○ command line
○ parent process
○ user account it was started under
○ network activity
Tools: procexp/procexp64, listdlls/listdlls64, pipelist/pipelist64, strings/strings64 (by default it scans both ASCII and Unicode; don't restrict it with -a, since most Windows strings are UTF-16), netstat -anb / TCPView
Threat Hunting. SysInternals
3. Check the gathered markers for malicious activity
● public sandboxes give detailed dynamic analysis, for example reverse.it (Hybrid Analysis); remember that a public submission discloses the sample, and possibly your interest in it, so use a private sandbox for sensitive cases
● obtain Indicators of Compromise and a description of the malware's behaviour
● Example: reverse.it vs VirusTotal
Fileless Malware Hunting
[ Digital Forensics Techniques ]
Hunting with DF
1. RAM dump acquisition ( tool: DumpIt.exe; run it before any other live-response tool, since every tool you start overwrites memory )
2. RAM dump hash check ( tool: certutil -hashfile <dump> SHA256; record the value before analysis begins and again in the report )
3. RAM dump analysis & anomaly detection ( the boot-chain checks from the previous section, applied to the process list recovered from the dump )
4. Obtain IOCs and confirm them against file-system artifacts
5. Reporting
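The hash and strings steps of the procedure above as code; this is an added example for this page, not the workshop's tooling, and it also covers the strings/strings64 step of the SysInternals workflow. It hashes the image (sha256_file is the chunked equivalent of certutil -hashfile <dump> SHA256), carves ASCII and UTF-16LE strings the way strings.exe lists them, matches a few illustrative IOC patterns and decodes any PowerShell -EncodedCommand payload, which is base64 over UTF-16LE rather than over ASCII. DUMP is a constructed byte buffer standing in for a DumpIt image; the pattern names, the planted documentation-range address 203.0.113.10, the URL and the Run key path are assumptions of the example.

```python
"""Hash a memory dump and carve ASCII/UTF-16LE strings from it for IOC triage.

Added example for this page, not the workshop's tooling. DUMP is a constructed byte
buffer standing in for a DumpIt image; the IOC patterns are illustrative starting points.
"""
import base64
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Tuple

MIN_LEN = 8
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)   # Windows keeps most strings as UTF-16LE
IOC_PATTERNS = {
    "encoded_powershell": re.compile(r"powershell(?:\.exe)?\s.*?-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I),
    "url": re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[\w./?=&%-]*)?", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "run_key": re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I),
}


def sha256_bytes(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Chunked hash for multi-GB dumps; compare with: certutil -hashfile <dump> SHA256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def carve_strings(blob: bytes) -> List[Tuple[int, str, str]]:
    """(offset, encoding, text) for every printable run, as strings.exe lists ASCII and Unicode."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(blob)]
    return sorted(found)


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand is base64 over UTF-16LE text, so decode in two steps."""
    return base64.b64decode(b64).decode("utf-16-le")


def match_iocs(strings: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    hits: Dict[str, List[str]] = defaultdict(list)
    for _, _, text in strings:
        for label, pat in IOC_PATTERNS.items():
            hits[label] += [m.group(0) for m in pat.finditer(text)]
    return {k: v for k, v in hits.items() if v}


def hunt(blob: bytes) -> dict:
    """Hash first (chain of custody), then carve, match and decode."""
    strings = carve_strings(blob)
    iocs = match_iocs(strings)
    pat = IOC_PATTERNS["encoded_powershell"]
    decoded = [decode_encoded_command(pat.search(cmd).group(1)) for cmd in iocs.get("encoded_powershell", [])]
    return {"sha256": sha256_bytes(blob), "string_count": len(strings), "iocs": iocs, "decoded_commands": decoded}


DUMP = (  # constructed: a few bytes of padding around two planted fileless-style artefacts
    b"\x00" * 32 + b"MZ\x90\x00" + b"\x00" * 12
    + b"C:\\Windows\\System32\\svchost.exe -k netsvcs\x00\x17\x42"
    + "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA".encode("utf-16-le")
    + b"\x00\x00http://203.0.113.10:8080/update.php\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00" * 16 + b"short\x00"
)

if __name__ == "__main__":
    for key, value in hunt(DUMP).items():
        print(f"{key}: {value}")
```

Compute the hash before anything else touches the dump and put it in the report (step 5); if sha256_file later disagrees with the certutil value recorded at acquisition, the evidence can no longer be trusted. The encoded PowerShell command is only visible because the UTF-16LE pass is there: an ASCII-only string scan sees one printable character at a time and misses it entirely.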
Threat Hunting. DF techniques. IOCs example
RECOMMENDATIONS

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 

Olha Pasko - Hunting fileless malware [workshop]

  • 1. Hunting Fileless Malware [ SysInternals tools & Digital Forensics techniques ]
  • 2. >whoami Olha Pasko, [ Chief Security Analyst, RMRF ] [ Co-founder, mentor & speaker, community WIA in Kyiv ]
  • 3. >agenda 1. Fileless malware definition 2. Hunting fileless malware with SysInternals tools 3. Hunting fileless malware with Digital Forensics techniques
  • 5. Fileless Malware
● Fileless malware is malicious code that lives in a host's volatile memory (RAM) rather than as an executable on disk.
● It is usually combined with abuse of built-in system tooling such as PowerShell, WMI, the Windows SDK, etc.
  • 8. Fileless Malware Hunting [ SysInternals Tools ]
  • 12. OS Windows [ 10 ] ● Boot chain
  • 13. Boot Chain. Anomaly Detection
● System
Anomalies in process's behavior:
● System shows a parent process (the genuine System process is created by the kernel and has none)
● PID of System isn't 4
● more than one System process
  • 14. Boot Chain. Anomaly Detection
● SMSS
Anomalies in process's behavior:
● parent process isn't System
● image isn't in %SystemRoot%\System32
● procexp64.exe/procexp.exe shows a live parent for winlogon, wininit or csrss (the smss.exe instance that spawns them exits, so they normally appear without a parent)
  • 15. Boot Chain. Anomaly Detection
● CSRSS
Anomalies in process's behavior:
● process is running as a user other than SYSTEM
● image isn't in %SystemRoot%\System32
Normal process's behavior:
● one separate instance per session
● first instance for the system: Session 0
● second instance for the interactive user: Session 1
  • 16. Boot Chain. Anomaly Detection
● Wininit
Anomalies in process's behavior:
● process is running as a user other than SYSTEM
● image isn't in %SystemRoot%\System32
● SMSS isn't the parent of wininit
Normal process's behavior:
● process is running as NT AUTHORITY\SYSTEM
● image is in %SystemRoot%\System32
● creates the WinSta0 window station and 2 desktops (Winlogon and Default) for Session 0
● creates services.exe, lsass.exe and lsm.exe (on Windows 8 and later the Local Session Manager runs as lsm.dll inside an svchost.exe instead of lsm.exe)
● SMSS is the parent process (it exits, so procexp shows no parent)
● creates %windir%\Temp
● process is started in Session 0
  • 17. Boot Chain. Anomaly Detection
● Winlogon
Anomalies in process's behavior:
● the Shell and Userinit values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon differ from the defaults shown on the slide image (Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,)
● image isn't in %SystemRoot%\System32
● procexp64.exe/procexp.exe shows a live parent for winlogon
● process isn't running as NT AUTHORITY\SYSTEM
  • 18. Boot Chain. Anomaly Detection
● Explorer
Anomalies in process's behavior:
● process has TCP/IP connections
● image isn't in %SystemRoot% (C:\Windows\explorer.exe)
  • 19. Boot Chain. Anomaly Detection
● Services
Anomalies in process's behavior:
● process is running as a user other than SYSTEM
● image isn't in %SystemRoot%\System32
● parent process isn't wininit.exe
  • 20. Boot Chain. Anomaly Detection
● Svchost
Anomalies in process's behavior:
● process is running as a user other than SYSTEM, LOCAL SERVICE or NETWORK SERVICE (note: Windows 10 per-user services legitimately run svchost.exe as the logged-on user, so verify before acting)
● image isn't in %SystemRoot%\System32
● parent process isn't services.exe
● command line lacks the -k <group> switch
  • 21. Boot Chain. Anomaly Detection
● LSASS
Anomalies in process behavior:
● process is running as a user other than SYSTEM
● image isn't in %SystemRoot%\System32
● parent process isn't wininit.exe
● processes with a similar but slightly different name: lasss, lssaa, lsas
Normal process behavior:
● process is running as NT AUTHORITY\SYSTEM
● image is %SystemRoot%\System32\lsass.exe
● parent process is wininit.exe
● only one process named lsass.exe
● lsass.exe has no child processes
● lsass.exe is started in Session 0
  • 22. Boot Chain. Anomaly Detection
● LSM
Normal process behavior:
● process is running as NT AUTHORITY\SYSTEM
● image is in %SystemRoot%\System32
● parent process is wininit.exe
● lsm is the Local Session Manager, which manages terminal (remote desktop) sessions on the local host
● lsm.exe has no child processes
● lsm.exe is started in Session 0
● (these rules describe lsm.exe as found on Windows 7; on Windows 8 and later LSM runs as lsm.dll inside an svchost.exe started by services.exe)
Anomalies in process behavior:
● process is running as a user other than SYSTEM
● image isn't in %SystemRoot%\System32
● parent process isn't wininit.exe
● lsm has a child process
  • 23. Threat Hunting > Don't block a detected threat straight away: first you need to learn how it behaves
  • 24. Threat Hunting. SysInternals [ steps 1–2 ]
● obtain the boot chain [ with SysInternals tools or by Digital Forensics RAM dump analysis techniques ]
● check the boot chain for anomalies in process behavior
● collect the suspicious processes
● gather more detailed information about each suspicious process:
○ start directory
○ command line
○ parent process
○ user account it was started under
○ network activity
Tools: procexp/procexp64, listdlls/listdlls64, pipelist/pipelist64, strings/strings64, netstat -anb / TCPView
  • 25. Threat Hunting. SysInternals [ step 3 ]
● check the gathered suspicious markers for malicious activity [ public sandboxes that provide detailed dynamic analysis can help, for example reverse.it (Hybrid Analysis) ]
● obtain Indicators of Compromise (IOCs) and a description of the malware's behavior
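The rules on slides 13 to 22, encoded as checks over a process snapshot, which is what steps 1 and 2 on slide 24 amount to once the boot chain has been exported. This is an added example and not code from the workshop. It assumes a snapshot in which every process record carries pid, ppid, name, image path, user, session, command line and a flag for TCP/IP connections (Process Explorer, `Get-CimInstance Win32_Process` plus TCPView/netstat can supply all of these); the SNAPSHOT records, their PIDs and the two planted processes are constructed.

```python
"""Boot-chain anomaly rules from the slides, applied to a process snapshot.
A record carries what Process Explorer shows: pid, ppid, name, path, user,
session, cmdline and net (True if the process owns TCP/IP connections)."""
from collections import Counter
from types import SimpleNamespace

SYSTEM32 = "c:\\windows\\system32\\"
SYSTEM_USER = "nt authority\\system"
SERVICE_USERS = {SYSTEM_USER, "nt authority\\local service", "nt authority\\network service"}
CORE = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
        "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalikes such as lsas.exe or lssaa.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the core process name that `name` imitates (edit distance <= 2), else None."""
    name = name.lower()
    if name in CORE:
        return None
    return next((c for c in sorted(CORE) if edit_distance(name, c) <= 2), None)


# (process names the rule covers, predicate that holds when normal, finding otherwise)
RULES = [
    ({"system"}, lambda p, c: p["pid"] == 4, "System PID is not 4"),
    ({"system"}, lambda p, c: c.parent is None, "System has a parent process"),
    (CORE - {"explorer.exe"}, lambda p, c: p["path"].startswith(SYSTEM32),
     "image is not under %SystemRoot%\\System32"),
    (CORE - {"explorer.exe", "svchost.exe"}, lambda p, c: p["user"] == SYSTEM_USER,
     "not running as NT AUTHORITY\\SYSTEM"),
    ({"smss.exe"}, lambda p, c: c.pname in ("system", "smss.exe"), "parent is not System"),
    ({"csrss.exe", "wininit.exe", "winlogon.exe"}, lambda p, c: c.parent is None,
     "live parent (the smss.exe that spawned it should have exited)"),
    ({"wininit.exe", "lsass.exe"}, lambda p, c: p["session"] == 0, "not started in session 0"),
    ({"services.exe", "lsass.exe"}, lambda p, c: c.pname == "wininit.exe", "parent is not wininit.exe"),
    ({"lsass.exe"}, lambda p, c: c.kids[p["pid"]] == 0, "lsass.exe has child processes"),
    ({"lsass.exe"}, lambda p, c: c.per_name["lsass.exe"] == 1, "more than one lsass.exe"),
    ({"svchost.exe"}, lambda p, c: c.pname == "services.exe", "parent is not services.exe"),
    # slide rule; Windows 10 per-user services legitimately run svchost.exe as the user
    ({"svchost.exe"}, lambda p, c: p["user"] in SERVICE_USERS, "not running as a service account"),
    ({"svchost.exe"}, lambda p, c: "-k" in p["cmdline"].lower().split(), "command line lacks -k <group>"),
    ({"explorer.exe"}, lambda p, c: not p["net"], "explorer.exe owns TCP/IP connections"),
]


def boot_chain_anomalies(snapshot):
    """Return (pid, name, finding) for every rule a process violates."""
    procs = [dict(p, name=p["name"].lower(), path=p["path"].lower(), user=p["user"].lower())
             for p in snapshot]
    by_pid = {p["pid"]: p for p in procs}
    ctx = SimpleNamespace(kids=Counter(p["ppid"] for p in procs),
                          per_name=Counter(p["name"] for p in procs))
    findings = []
    for p in procs:
        # A PPID with no live process means the parent exited (normal for csrss, wininit,
        # winlogon and explorer). Beware PID reuse: Process Explorer also compares start times.
        ctx.parent = by_pid.get(p["ppid"])
        ctx.pname = ctx.parent["name"] if ctx.parent else None
        imitated = lookalike(p["name"])
        if imitated:
            findings.append((p["pid"], p["name"], f"name resembles {imitated}"))
            continue
        findings += [(p["pid"], p["name"], finding) for names, normal, finding in RULES
                     if p["name"] in names and not normal(p, ctx)]
    return findings


def rec(pid, ppid, name, path, user, session, cmdline="", net=False):
    return dict(pid=pid, ppid=ppid, name=name, path=path, user=user,
                session=session, cmdline=cmdline, net=net)


SYS, S32 = "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\"
SNAPSHOT = [  # constructed; PPIDs 464 and 1984 belong to processes that have already exited
    rec(4, 0, "System", "", SYS, 0),
    rec(372, 4, "smss.exe", S32 + "smss.exe", SYS, 0),
    rec(480, 464, "csrss.exe", S32 + "csrss.exe", SYS, 0),
    rec(556, 464, "wininit.exe", S32 + "wininit.exe", SYS, 0),
    rec(676, 556, "services.exe", S32 + "services.exe", SYS, 0),
    rec(700, 556, "lsass.exe", S32 + "lsass.exe", SYS, 0),
    rec(820, 676, "svchost.exe", S32 + "svchost.exe", "NT AUTHORITY\\NETWORK SERVICE", 0,
        S32 + "svchost.exe -k RPCSS"),
    rec(2100, 1984, "explorer.exe", "C:\\Windows\\explorer.exe", "LAB\\alice", 1),
    # planted: svchost.exe dropped in Temp, spawned by explorer, no -k, talking on the network
    rec(4120, 2100, "svchost.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe",
        "LAB\\alice", 1, "svchost.exe", net=True),
    # planted: lookalike of lsass.exe
    rec(4188, 4120, "lsas.exe", "C:\\Users\\alice\\AppData\\Roaming\\lsas.exe", "LAB\\alice", 1),
]
```

Calling `boot_chain_anomalies(SNAPSHOT)` yields five findings, all against the two planted processes: four for the fake svchost.exe (wrong directory, wrong parent, wrong account, no -k) and one name-lookalike hit for lsas.exe; the genuine boot chain produces none. A real export will need the lowercase and trailing-backslash conventions used here, and the rule table is the place to relax a check (for example the svchost account rule on Windows 10 hosts with per-user services) rather than the loop.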
  • 28. Fileless Malware Hunting [ Digital Forensics Techniques ]
  • 29. Hunting with DF
1. RAM dump acquisition ( tool: DumpIt.exe )
2. RAM dump hash check ( tool: certutil )
3. RAM dump analysis & anomaly detection
4. Obtain IOCs and confirm them against file-system artifacts
5. Reporting
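Step 2 of the workflow above, as an added example that is not part of the workshop material: re-hash the dump before analysis and compare it with the digest `certutil -hashfile <dump> SHA256` printed at acquisition time, so that a copy corrupted in transit or a dump touched after acquisition is caught before any finding is built on it. The dump file name, its contents and the certutil output used in demo() are constructed.

```python
"""Verify a RAM dump against the SHA-256 digest certutil recorded at acquisition.
The dump bytes and the certutil output used in demo() are constructed."""
import hashlib
import os
import re
import tempfile

# certutil prints the digest on its own line: Windows 10 as one 64-char string,
# older builds with the bytes separated by spaces ("ab cd ef ..."). Both match here.
DIGEST_LINE = re.compile(r"^(?:[0-9a-f]{2}\s?){32}$")


def parse_certutil(output):
    """Return the lowercase hex SHA-256 digest found in `certutil -hashfile` output."""
    for line in output.splitlines():
        cand = line.strip().lower()
        if DIGEST_LINE.match(cand):
            return cand.replace(" ", "")
    raise ValueError("no SHA-256 digest in certutil output")


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_dump(path, certutil_output):
    """Compare the acquisition-time digest with the dump as it is now."""
    expected, actual = parse_certutil(certutil_output), sha256_file(path)
    return {"file": os.path.basename(path), "expected": expected,
            "actual": actual, "match": expected == actual}


def demo():
    """Write a constructed dump, verify it, flip one byte, verify again."""
    dump = b"constructed sample dump " * 4096
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "HOST-20240101-120000.raw")
        with open(path, "wb") as f:
            f.write(dump)
        record = ("SHA256 hash of %s:\r\n%s\r\nCertUtil: -hashfile command "
                  "completed successfully.\r\n" % (path, hashlib.sha256(dump).hexdigest()))
        intact = verify_dump(path, record)["match"]
        with open(path, "r+b") as f:  # simulate tampering or a bad copy
            f.seek(10)
            f.write(b"\x00")
        tampered = verify_dump(path, record)["match"]
    return intact, tampered
```

`demo()` returns `(True, False)`: the untouched dump verifies, the one-byte change does not. Keep the original certutil output with the dump as part of the acquisition record; the hash re-check belongs at every hand-off of the image, not only once.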
  • 32. Threat Hunting. DF techniques. IOCs example