SlideShare a Scribd company logo

All These Sophisticated Attacks, Can We Really Detect Them - PDF

Michael Gough
Michael Gough

Can we really detect advanced attacks? This session walks through 4 published attacks to point out what we can learn and detect using malware management, some cheat sheets and Security 101. LOG-MD, FILE-MD, Malware Archaeology

Technology
1 of 55
Download to read offline
All these so-called sophisticated attacks… Can we really detect them? Michael Gough Founder MalwareArchaeology.com & IMF Security.com MalwareArchaeology.com
Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic, Incident Responder and Threat Hunter • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows Crowdstrike Logscale Logging Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Windows ATT&CK Logging Cheat Sheet” “ARTHIR – ATT&CK Remote Threat Hunting Incident Response tool” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool • Co-Creator of “File-MD” – File Malicious Discovery Tool MalwareArchaeology.com
Why this talk? Learn from what we see in the trenches MalwareArchaeology.com
• We get called when things get • Management want to know Who, What, Where, When, and How the pwnage happened • We all know why… • So let’s take a look at some so called “sophisticated attacks” and how you might detect them Being an Incident Responder MalwareArchaeology.com
• Let us first define a few items • Security 101 – Things you should always do, usually things you already have and are FREE… well your time is needed • Security 201 – Things you should have to “reduce” pwnage and hopefully alert to suspicious activity • Security 301 – Things you should be doing with your tools, understand the gaps and address them with additional tooling, process and/or procedures, MITRE ATT&CK • Security 501 – Doing things like Threat Hunting and being proactive at seeking out the malicious behavior Level Set MalwareArchaeology.com
• This talk covers more of Security 101, 201 and 301 • These are the things we see many, if not most organizations are failing, forgot or did not continue doing • Organizations jump to Security 301 or 501 and forget to continue Security 101 and 201 This Talk MalwareArchaeology.com
First, we have to make a few assumptions • Defense in Depth is an old term that still holds true • So each tech layer should have their own security “reduction” solution to “reduce” the likelihood of an incident • Also make the assumption all-the-things will not get detected with these solutions, the threat actors know how to get around or avoid them • For this talk we will assume you have one or more of the following security solutions Assumptions MalwareArchaeology.com
More assumptions • If you are not running an EDR/XDR platform then you likely will be unable to detect more advanced attacks • If you do not have a Log Management solution, or SIEM then you likely will be unable to craft any custom alerting and fill the gaps left by EDR/XDR or other security solutions • If you do not have a network traffic security solution (NDR) then you are likely blind to network related data Assumptions MalwareArchaeology.com
More assumptions • If you do not have an Email security solution then it is likely malicious emails will get in at a much higher volume • If you do not have a Web Proxy solution for your users then it is likely a user can click on all kinds of websites you rather they did not • If you do not have a Data Loss Prevention solution then you are more likely to have confidential data leave unnoticed Assumptions MalwareArchaeology.com
1 0 • If all you have is AV and a Log Management solution or SIEM then you WILL be able to do a LOT towards detecting more advanced attacks • Care to guess what my Top 3 Security Solutions are that should be implemented? • #1 Log Management • #2 a “Good” EDR/XDR solution • #3 a good configuration asset management solution • OK.. #4… LOG-MD and FILE-MD of course to get more details Assumptions MalwareArchaeology.com
• What we are about to look at I refer to as: • Malware Management • We all do: • Patch Management • Vulnerability Management • Configuration Management • Asset Management • So why not practice Malware Management? Manage Malware? MalwareArchaeology.com
• You take reports much like we are about to go through and pull the artifacts (TTPs) and behaviors that we can then add, or verify are in your security tooling • MITRE ATT&CK is also your best friend here • Map your detections to MITRE ATT&CK Techniques and sub- techniques to build a detection methodology • MITRE ATT&CK helps to identify your gaps as well • Which you may be able to cover with other tools you have, such as Log Management/SIEM • You will have to interpret MITRE ATT&CK detection description, it is not as clear as we would like it to be Manage Malware? MalwareArchaeology.com
• With all that said, let’s take a look at the attacks listed in the overview and see what obvious things could or should be detectable IF you use the right solution and Configure the right things and make sure the Coverage and Completeness of these items are optimal • More on the 3-Cs later • Let’s take a look at some attack write-ups and what I would expect to see if I were to investigate or craft detections for • OK… What I wish I would see during an investigation Manage Malware? MalwareArchaeology.com
Attack Artifact Walk-throughs MalwareArchaeology.com
USB worm unleashed by Russian state hackers spreads worldwide • https://arstechnica.com/security/2023/11/normally-targeting- ukraine-russian-state-hackers-spread-usb-worm-worldwide/ c c c 1st Example - LitterDrifter MalwareArchaeology.com
1 6 • LitterDrifter, the malware is written in the Visual Basic Scripting language (VBS). LitterDrifter serves two purposes: to promiscuously spread from USB drive to USB drive and to permanently infect the devices that connect • A USB Drive that is executing something? • Anyone here monitor USB device logs? • DriverFrameworks-UserMode/Operational ID 2100, 2105, 2106 • System Log Event ID 20003 • Security Log ‘Plug and Play’ Event ID 6416 • Registry Key – ‘HKLMSOFTWAREMicrosoftWindows Portable Devices’ ID 4657 • Or executions from the USB drive letters? 1st Example - LitterDrifter MalwareArchaeology.com
MalwareArchaeology.com
• As we saw in the previous diagram, a Scheduled Task is created for persistence • Anyone looking at the disabled by default TaskScheduler/Operational log Event ID 106 for ‘New Task Registered’? • Process Created in Security Log Event ID 4688? From a Scheduled Task? c 1st Example - LitterDrifter MalwareArchaeology.com
• Anyone looking at wscript executions in the Security Log for Event ID 4688? • Or better yet… • Disable wscript, cscript, jscript, and all script engines from executing using Group Policy to open up Notepad so it fails when clicked on by a user? 1st Example - LitterDrifter MalwareArchaeology.com
• The LNK files use wscript.exe **** to execute “trash.dll” with specified arguments " ""trash.dll"" /webm //e:vbScript //b /wm /cal • Anyone looking at .lnk executions in the Security Log in Event ID 4688? • The locations, like USB drive letter and names of .lnk files can be very telling • Using the user path variable %userprofile% 1st Example - LitterDrifter MalwareArchaeology.com
Example #2 MalwareArchaeology.com
2 2 Hackers use new Agent Raccoon malware to backdoor US targets • https://www.bleepingcomputer.com/news/security/hackers- use-new-agent-raccoon-malware-to-backdoor-us-targets/ • Uses .Net malware • Uses PunyCode-encoded URL subdomains for evasion 2nd Example – Agent Raccoon MalwareArchaeology.com
MalwareArchaeology.com
The attackers also used a customized version of the Mimikatz credential dumping utility, named 'Mimilite,' and a DLL credential stealer mimicking the Windows Network Provider module, named 'Ntospy.’ Ntospy registers as a legitimate Network Provider module named "credman" to hijack the authentication process and capture user credentials, a well-documented attack method. • Anyone Auditing Service Key Adds and Changes? Event ID 4657 • HKLMSystemCurrentControlSetControlServices • Or the HKLMSystemCurrentControlSetControlNetworkProvider key for Adds or Changes? 2nd Example – Agent Raccoon MalwareArchaeology.com
• the attackers use PowerShell snap-ins to steal emails from Microsoft Exchange servers or steal victims' Roaming Profile folders, compressing the directory with 7-Zip for efficiency and stealth • Anyone watching Windows PowerShell/Operational logs for Event ID 4103 and 4104 for odd calls to say email? Or archiving? • Anyone watching for 7Zip executions in Process Started Event ID 4688 in odd locations? 2nd Example – Agent Raccoon MalwareArchaeology.com
Example #3 MalwareArchaeology.com
Yellow Liderc ships its scripts and delivers IMAPLoader malware • https://www.pwc.com/gx/en/issues/cybersecurity/cyber- threat-intelligence/yellow-liderc-ships-its-scripts-delivers- imaploader-malware.html • IMAPLoader is a .NET malware that has the ability to fingerprint victim systems using native Windows utilities and acts as a downloader for further payloads. It uses email as a C2 channel and is able to execute payloads extracted from email attachments and is executed via new service deployments. 3rd Example - Yellow Liderc MalwareArchaeology.com
• Anyone watching for signs of recon using Windows utilities in the LOLBin/LOLBaS list? • https://lolbas-project.github.io/# • Or the same PowerShell cmdlets that can perform recon in Event IDs 4103 and 4104? • These being used in quantities across multiple systems is a definite tell recon is occurring 3rd Example - Yellow Liderc MalwareArchaeology.com
• Additional analysis shows widespread phishing activity that have been conducted concurrently to the threat actor's strategic web compromises. This activity is used to deliver a malicious Excel file that drops a basic Python backdoor. • The threat actor uses both custom and off-the-shelf malware including PowerShell backdoors and infostealers in order to gather information about victim systems 3rd Example - Yellow Liderc MalwareArchaeology.com
• Anyone watching for execution of Python on endpoints? • Python is not installed on Windows by default so executions of .py files could be very telling depending on the location they are executed • Map what is normal Python for your organization • Anyone watching for PowerShell toolkits like PowerSploit, ColbaltStrike, PowerShell Empire? • Properly configured PowerShell logs are a MUST to see this activity, the most malicious activity today 3rd Example - Yellow Liderc MalwareArchaeology.com
• The threat actor has previously used macro enabled documents that drop a VBS script, commonly referred to as LEMPO, which establishes persistence, performs reconnaissance, and exfiltrates sensitive information. 3rd Example - Yellow Liderc MalwareArchaeology.com
• The threat actor often favors exfiltration of sensitive information to an actor-controlled email account via SMTPS or IMAP, and has been observed using both dedicated mailboxes and third party services for their email accounts • Are you watching for odd email behavior? • Watch Server Hosting companies • Foreign destinations • Attachment size • Times this occurs and of course • The account(s) being used 3rd Example - Yellow Liderc MalwareArchaeology.com
• The first stage is distributed as an Excel-DNA XLL plugin, an open source library that enables .NET integration into Microsoft Excel files 3rd Example - Yellow Liderc MalwareArchaeology.com
• Excel file calling .Net or any scripting • Anyone looking for these executions? • Scheduled Task created aka “New Task Registered” • Binaries executed Event ID 4688 location and names are key • DLLs heavily used, but you would need something like Sysmon to monitor for DLL loads that are not signed (False) Event ID 7 3rd Example - Yellow Liderc MalwareArchaeology.com
• As soon as JobTitle.dll is executed, it writes a C# source code file named source.cs to disk. This is subsequently compiled into a .NET DLL file called sign.dll, a version of IMAPLoader, by leveraging the native C# compiler tool csc.exe. • .Net on the fly has several files that are created or used • xxxxx.cs • yyyyy.config • zzzzzz.cmdline • Compiled with CSC.exe cvtrez.exe and parameters • Example: csc /out:My.exe File.cs 3rd Example - Yellow Liderc MalwareArchaeology.com
• Something like: • C:WindowsMicrosoft.NETFramework64v2.0.50727cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:UsersrootAppDataLocalTempRES399E.tmp“ • "C:WindowsMicrosoft.NETFramework64v2.0.50727csc.exe" /noconfig /fullpaths @"C:UsersrootAppDataLocalTempu_i8wgap.cmdline“ • Are you watching for these types of executions and what the parent process is of CSC.exe? • Map what is normal in your environment 3rd Example - Yellow Liderc MalwareArchaeology.com
Example #4 MalwareArchaeology.com
3 8 New 'HrServ.dll' Web Shell Detected in APT Attack Targeting Afghan Government • https://thehackernews.com/2023/11/new-hrservdll-web- shell-detected-in-apt.html • The web shell, a dynamic-link library (DLL) named "hrserv.dll," exhibits "sophisticated” features such as custom encoding methods for client communication and in-memory execution 4th Example - HrServ MalwareArchaeology.com
• The attack chain involves the PAExec remote administration tool, an alternative to PSExec that's used as a launchpad to create a scheduled task that masquerades as a Microsoft update ("MicrosoftsUpdate"), which subsequently is configured to execute a Windows batch script ("JKNLA.bat") • Here we go again with a new registered Scheduled Task… • Are you watching for batch files executing, odd names? • Or tools like PAExec or PSExec creating a NEW Service Event ID 7045 in the System Log? 4th Example - HrServ MalwareArchaeology.com
• The web shell is also capable of activating the execution of a stealthy "multifunctional implant" in memory that's responsible for erasing the forensic trail by deleting the "MicrosoftsUpdate" job as well as the initial DLL and batch files. • DLLs can only be seen with Sysmon or an EDR/XDR solution • You can however extract all the modules in memory and evaluate them for signs of maliciousness 4th Example - HrServ MalwareArchaeology.com
• For in memory you can check for signs of injection, implants, hooks etc. • Use tools like Volatility • Process them on Linux system as new versions not compiled for Windows • You can use LOG-MD-Pro or Premium to extract and evaluate the modules using the B9 option or File-MD to evaluate the extracted files from memory • Sysmon has Event ID 17 for Named Pipe creation that PAExec uses • Sysmon also has Event ID 25 for process tampering such as hollowing 4th Example - HrServ MalwareArchaeology.com
• A study revealed that PowerShell Command & Scripting Interpreter was the number one attack technique used by threat actors. • The report provides a strong representation of adversary activity from authoritative sources. It assembled data from M-Trends, Red Canary’s Threat Detection Report, CTID ATT&CK Sightings Ecosystem and CISA alerts ranging from 2020 to 2022. • 28.49% of attacks !!! • https://www.splunk.com/en_us/blog/security/zoom-enhance-finding-value-in-macro-level-att-ck-reporting.html PowerShell for the Threat WIN MalwareArchaeology.com
The Three C’s MalwareArchaeology.com
What do we see our clients fail or not optimal at? Configuration Local audit logging not optimally configured Endpoint agents not optimally configured Coverage Endpoints missing one or more agents Some or all log data (endpoint, cloud, network, internet facing) not going to a log management solution Completeness Implement a process and/or procedure to validate and verify Configuration and Coverage is “Complete” The 3 Cs MalwareArchaeology.com
When you roll out an agent… Do you... 1. Validate the agent was properly installed? 2. Compare it to a list of known assets? • Do you even know where or what all your assets are? 3. Verify the data is collecting properly? 4. Have a way to identify new systems as they come live? 5. Have a way to install agents on new systems quickly? 6. Verify the endpoint configuration is showing up in the proper console(s)… regularly? Completeness MalwareArchaeology.com
• Incident Responders need data to discover what happened to the detail level we can be sure and answer questions • This is so our clients can improve and close the gap(s) of why the pwnage happened or wasn’t detected • To reduce the cost and time of an Incident Response investigation is a goal, less time = less cost • Optimal 3-Cs can save you 2x to 4x the cost of paying an Incident Response firm • You could be way ahead… IF you Prepare Why the 3 C’s are important MalwareArchaeology.com
• You don’t have to spend $$$ to improve processes, procedures and playbooks • Or tweak some settings • People time is a cost, but not an external spend • So spend some time on Preparation…. It is in the P in the SANS PICERL model • Many of our clients have incomplete or broken agent installs and endpoint configuration is not optimal • This means incomplete coverage and configuration • Thus missing details and potentially the initial compromise The 3 C‘s are FREE MalwareArchaeology.com
We check Windows systems for what logging is enabled as a part of triage to know what will likely be there… There is a freely available tool to check your Windows logs against some well known Cheat Sheets ;-) Hint.. Windows Audit Logs MalwareArchaeology.com
Local Log Sizes are NOT Big Enough MalwareArchaeology.com
• PowerShell is used a lot in all kinds of attacks • Commodity, Ransomware, APT • Command Line details missing • ScriptBlock Logging improperly or not set PowerShell Logging is inadequate MalwareArchaeology.com
• We need the data enabled and retained for a week or longer Audit Settings Fail MalwareArchaeology.com
CONCLUSION MalwareArchaeology.com
• Learn from these attacks and many others • Practice Malware Management and use MITRE ATT&CK to map your defenses • Configure your logging and agents OPTIMALLY • Cover ALL your assets • Verify the Completeness • Watch for the items in this talk • And several other of my talks Practice Security 101 and 201 even if you are all the way to 501 or beyond Conclusion MalwareArchaeology.com
• Websites • Log-MD.com The tools • The “Windows Logging Cheat Sheet(s)” • https://MalwareArchaeology.com/cheat-sheets • MITRE ATT&CK is your friend • https://attack.mitre.org/techniques/enterprise/ • JPCert Detecting Lateral Movement • https://www.jpcert.or.jp/english/pub/sr/20170612ac- ir_research_en.pdf • This presentation and others on SlideShare • Search for MalwareArchaeology or LOG-MD MalwareArchaeology.com Resources
You can find us at: • MalwareArchaeology.com • LOG-MD.com • LOGMD.com • TIME FOR HALLWAY CON !!! Questions? MalwareArchaeology.com

Recommended

When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beMichael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themMichael Gough
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPrasad Pawar
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOUMichael Gough
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCONMichael Gough
 

Recommended

When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beMichael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themMichael Gough
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPrasad Pawar
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOUMichael Gough
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCONMichael Gough
 
ethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.pptethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.pptricagip499
 
Ethical hacking and cyber security intro
Ethical hacking and cyber security introEthical hacking and cyber security intro
Ethical hacking and cyber security introAbhilash Ak
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingNitheesh Adithyan
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware AnalysisRamin Farajpour Cami
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical HackingRaghav Bisht
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018Codemotion
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
DR FAT
DR FATDR FAT
DR FATJohn Laycock
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfxererenhosdominaram
 
How to hack or what is ethical hacking
How to hack or what is ethical hackingHow to hack or what is ethical hacking
How to hack or what is ethical hackingbaabtra.com - No. 1 supplier of quality freshers
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response FailsMichael Gough
 
Cyber Security Workshop GDSC-BITW
Cyber Security Workshop GDSC-BITWCyber Security Workshop GDSC-BITW
Cyber Security Workshop GDSC-BITWChanchalHiwanj1
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsFaithWestdorp
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Michael Gough
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingNitheesh Adithyan
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolMichael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 

More Related Content

Similar to All These Sophisticated Attacks, Can We Really Detect Them - PDF

ethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.pptethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.pptricagip499
 
Ethical hacking and cyber security intro
Ethical hacking and cyber security introEthical hacking and cyber security intro
Ethical hacking and cyber security introAbhilash Ak
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical HackingRaghav Bisht
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018Codemotion
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfxererenhosdominaram
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response FailsMichael Gough
 
Cyber Security Workshop GDSC-BITW
Cyber Security Workshop GDSC-BITWCyber Security Workshop GDSC-BITW
Cyber Security Workshop GDSC-BITWChanchalHiwanj1
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsFaithWestdorp
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Michael Gough
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 

Similar to All These Sophisticated Attacks, Can We Really Detect Them - PDF (20)

ethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.pptethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.ppt
 
Ethical hacking and cyber security intro
Ethical hacking and cyber security introEthical hacking and cyber security intro
Ethical hacking and cyber security intro
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
DR FAT
DR FATDR FAT
DR FAT
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
 
How to hack or what is ethical hacking
How to hack or what is ethical hackingHow to hack or what is ethical hacking
How to hack or what is ethical hacking
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response Fails
 
Cyber Security Workshop GDSC-BITW
Cyber Security Workshop GDSC-BITWCyber Security Workshop GDSC-BITW
Cyber Security Workshop GDSC-BITW
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

More from Michael Gough

Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolMichael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareMichael Gough
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Michael Gough
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Michael Gough
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomwareMichael Gough
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Michael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSMichael Gough
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Michael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSMichael Gough
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackersMichael Gough
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 

More from Michael Gough (20)

Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackers
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 

Recently uploaded

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Recently uploaded (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

All These Sophisticated Attacks, Can We Really Detect Them - PDF

  • 1. All these so-called sophisticated attacks… Can we really detect them? Michael Gough Founder MalwareArchaeology.com & IMF Security.com MalwareArchaeology.com
  • 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic, Incident Responder and Threat Hunter • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows Crowdstrike Logscale Logging Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Windows ATT&CK Logging Cheat Sheet” “ARTHIR – ATT&CK Remote Threat Hunting Incident Response tool” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool • Co-Creator of “File-MD” – File Malicious Discovery Tool MalwareArchaeology.com
  • 3. Why this talk? Learn from what we see in the trenches MalwareArchaeology.com
  • 4. • We get called when things get • Management want to know Who, What, Where, When, and How the pwnage happened • We all know why… • So let’s take a look at some so called “sophisticated attacks” and how you might detect them Being an Incident Responder MalwareArchaeology.com
  • 5. • Let us first define a few items • Security 101 – Things you should always do, usually things you already have and are FREE… well your time is needed • Security 201 – Things you should have to “reduce” pwnage and hopefully alert to suspicious activity • Security 301 – Things you should be doing with your tools, understand the gaps and address them with additional tooling, process and/or procedures, MITRE ATT&CK • Security 501 – Doing things like Threat Hunting and being proactive at seeking out the malicious behavior Level Set MalwareArchaeology.com
  • 6. • This talk covers more of Security 101, 201 and 301 • These are the things we see many, if not most organizations are failing, forgot or did not continue doing • Organizations jump to Security 301 or 501 and forget to continue Security 101 and 201 This Talk MalwareArchaeology.com
  • 7. First, we have to make a few assumptions • Defense in Depth is an old term that still holds true • So each tech layer should have their own security “reduction” solution to “reduce” the likelihood of an incident • Also make the assumption all-the-things will not get detected with these solutions, the threat actors know how to get around or avoid them • For this talk we will assume you have one or more of the following security solutions Assumptions MalwareArchaeology.com
  • 8. More assumptions • If you are not running an EDR/XDR platform then you likely will be unable to detect more advanced attacks • If you do not have a Log Management solution, or SIEM then you likely will be unable to craft any custom alerting and fill the gaps left by EDR/XDR or other security solutions • If you do not have a network traffic security solution (NDR) then you are likely blind to network related data Assumptions MalwareArchaeology.com
  • 9. More assumptions • If you do not have an Email security solution then it is likely malicious emails will get in at a much higher volume • If you do not have a Web Proxy solution for your users then it is likely a user can click on all kinds of websites you rather they did not • If you do not have a Data Loss Prevention solution then you are more likely to have confidential data leave unnoticed Assumptions MalwareArchaeology.com
  • 10. 1 0 • If all you have is AV and a Log Management solution or SIEM then you WILL be able to do a LOT towards detecting more advanced attacks • Care to guess what my Top 3 Security Solutions are that should be implemented? • #1 Log Management • #2 a “Good” EDR/XDR solution • #3 a good configuration asset management solution • OK.. #4… LOG-MD and FILE-MD of course to get more details Assumptions MalwareArchaeology.com
  • 11. • What we are about to look at I refer to as: • Malware Management • We all do: • Patch Management • Vulnerability Management • Configuration Management • Asset Management • So why not practice Malware Management? Manage Malware? MalwareArchaeology.com
  • 12. • You take reports much like we are about to go through and pull the artifacts (TTPs) and behaviors that we can then add, or verify are in your security tooling • MITRE ATT&CK is also your best friend here • Map your detections to MITRE ATT&CK Techniques and sub- techniques to build a detection methodology • MITRE ATT&CK helps to identify your gaps as well • Which you may be able to cover with other tools you have, such as Log Management/SIEM • You will have to interpret MITRE ATT&CK detection description, it is not as clear as we would like it to be Manage Malware? MalwareArchaeology.com
  • 13. • With all that said, let’s take a look at the attacks listed in the overview and see what obvious things could or should be detectable IF you use the right solution and Configure the right things and make sure the Coverage and Completeness of these items are optimal • More on the 3-Cs later • Let’s take a look at some attack write-ups and what I would expect to see if I were to investigate or craft detections for • OK… What I wish I would see during an investigation Manage Malware? MalwareArchaeology.com
  • 15. USB worm unleashed by Russian state hackers spreads worldwide • https://arstechnica.com/security/2023/11/normally-targeting- ukraine-russian-state-hackers-spread-usb-worm-worldwide/ c c c 1st Example - LitterDrifter MalwareArchaeology.com
  • 16. 1 6 • LitterDrifter, the malware is written in the Visual Basic Scripting language (VBS). LitterDrifter serves two purposes: to promiscuously spread from USB drive to USB drive and to permanently infect the devices that connect • A USB Drive that is executing something? • Anyone here monitor USB device logs? • DriverFrameworks-UserMode/Operational ID 2100, 2105, 2106 • System Log Event ID 20003 • Security Log ‘Plug and Play’ Event ID 6416 • Registry Key – ‘HKLMSOFTWAREMicrosoftWindows Portable Devices’ ID 4657 • Or executions from the USB drive letters? 1st Example - LitterDrifter MalwareArchaeology.com
  • 18. • As we saw in the previous diagram, a Scheduled Task is created for persistence • Anyone looking at the disabled by default TaskScheduler/Operational log Event ID 106 for ‘New Task Registered’? • Process Created in Security Log Event ID 4688? From a Scheduled Task? c 1st Example - LitterDrifter MalwareArchaeology.com
  • 19. • Anyone looking at wscript executions in the Security Log for Event ID 4688? • Or better yet… • Disable wscript, cscript, jscript, and all script engines from executing using Group Policy to open up Notepad so it fails when clicked on by a user? 1st Example - LitterDrifter MalwareArchaeology.com
  • 20. • The LNK files use wscript.exe **** to execute “trash.dll” with specified arguments " ""trash.dll"" /webm //e:vbScript //b /wm /cal • Anyone looking at .lnk executions in the Security Log in Event ID 4688? • The locations, like USB drive letter and names of .lnk files can be very telling • Using the user path variable %userprofile% 1st Example - LitterDrifter MalwareArchaeology.com
  • 22. 2 2 Hackers use new Agent Raccoon malware to backdoor US targets • https://www.bleepingcomputer.com/news/security/hackers- use-new-agent-raccoon-malware-to-backdoor-us-targets/ • Uses .Net malware • Uses PunyCode-encoded URL subdomains for evasion 2nd Example – Agent Raccoon MalwareArchaeology.com
  • 24. The attackers also used a customized version of the Mimikatz credential dumping utility, named 'Mimilite,' and a DLL credential stealer mimicking the Windows Network Provider module, named 'Ntospy.’ Ntospy registers as a legitimate Network Provider module named "credman" to hijack the authentication process and capture user credentials, a well-documented attack method. • Anyone Auditing Service Key Adds and Changes? Event ID 4657 • HKLMSystemCurrentControlSetControlServices • Or the HKLMSystemCurrentControlSetControlNetworkProvider key for Adds or Changes? 2nd Example – Agent Raccoon MalwareArchaeology.com
  • 25. • the attackers use PowerShell snap-ins to steal emails from Microsoft Exchange servers or steal victims' Roaming Profile folders, compressing the directory with 7-Zip for efficiency and stealth • Anyone watching Windows PowerShell/Operational logs for Event ID 4103 and 4104 for odd calls to say email? Or archiving? • Anyone watching for 7Zip executions in Process Started Event ID 4688 in odd locations? 2nd Example – Agent Raccoon MalwareArchaeology.com
  • 27. Yellow Liderc ships its scripts and delivers IMAPLoader malware • https://www.pwc.com/gx/en/issues/cybersecurity/cyber- threat-intelligence/yellow-liderc-ships-its-scripts-delivers- imaploader-malware.html • IMAPLoader is a .NET malware that has the ability to fingerprint victim systems using native Windows utilities and acts as a downloader for further payloads. It uses email as a C2 channel and is able to execute payloads extracted from email attachments and is executed via new service deployments. 3rd Example - Yellow Liderc MalwareArchaeology.com
  • 28. • Anyone watching for signs of recon using Windows utilities in the LOLBin/LOLBaS list? • https://lolbas-project.github.io/# • Or the same PowerShell cmdlets that can perform recon in Event IDs 4103 and 4104? • These being used in quantities across multiple systems is a definite tell recon is occurring 3rd Example - Yellow Liderc MalwareArchaeology.com
  • 29. • Additional analysis shows widespread phishing activity that have been conducted concurrently to the threat actor's strategic web compromises. This activity is used to deliver a malicious Excel file that drops a basic Python backdoor. • The threat actor uses both custom and off-the-shelf malware including PowerShell backdoors and infostealers in order to gather information about victim systems 3rd Example - Yellow Liderc MalwareArchaeology.com
  • 30. • Anyone watching for execution of Python on endpoints? • Python is not installed on Windows by default so executions of .py files could be very telling depending on the location they are executed • Map what is normal Python for your organization • Anyone watching for PowerShell toolkits like PowerSploit, ColbaltStrike, PowerShell Empire? • Properly configured PowerShell logs are a MUST to see this activity, the most malicious activity today 3rd Example - Yellow Liderc MalwareArchaeology.com
  • 31. • The threat actor has previously used macro enabled documents that drop a VBS script, commonly referred to as LEMPO, which establishes persistence, performs reconnaissance, and exfiltrates sensitive information. 3rd Example - Yellow Liderc MalwareArchaeology.com
  • 32. • The threat actor often favors exfiltration of sensitive information to an actor-controlled email account via SMTPS or IMAP, and has been observed using both dedicated mailboxes and third party services for their email accounts • Are you watching for odd email behavior? • Watch Server Hosting companies • Foreign destinations • Attachment size • Times this occurs and of course • The account(s) being used 3rd Example - Yellow Liderc MalwareArchaeology.com
  • 33. • The first stage is distributed as an Excel-DNA XLL plugin, an open source library that enables .NET integration into Microsoft Excel files 3rd Example - Yellow Liderc MalwareArchaeology.com
  • 34. • Excel file calling .Net or any scripting • Anyone looking for these executions? • Scheduled Task created aka “New Task Registered” • Binaries executed Event ID 4688 location and names are key • DLLs heavily used, but you would need something like Sysmon to monitor for DLL loads that are not signed (False) Event ID 7 3rd Example - Yellow Liderc MalwareArchaeology.com
  • 35. • As soon as JobTitle.dll is executed, it writes a C# source code file named source.cs to disk. This is subsequently compiled into a .NET DLL file called sign.dll, a version of IMAPLoader, by leveraging the native C# compiler tool csc.exe. • .Net on the fly has several files that are created or used • xxxxx.cs • yyyyy.config • zzzzzz.cmdline • Compiled with CSC.exe cvtrez.exe and parameters • Example: csc /out:My.exe File.cs 3rd Example - Yellow Liderc MalwareArchaeology.com
  • 36. • Something like: • C:WindowsMicrosoft.NETFramework64v2.0.50727cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:UsersrootAppDataLocalTempRES399E.tmp“ • "C:WindowsMicrosoft.NETFramework64v2.0.50727csc.exe" /noconfig /fullpaths @"C:UsersrootAppDataLocalTempu_i8wgap.cmdline“ • Are you watching for these types of executions and what the parent process is of CSC.exe? • Map what is normal in your environment 3rd Example - Yellow Liderc MalwareArchaeology.com
  • 38. 3 8 New 'HrServ.dll' Web Shell Detected in APT Attack Targeting Afghan Government • https://thehackernews.com/2023/11/new-hrservdll-web- shell-detected-in-apt.html • The web shell, a dynamic-link library (DLL) named "hrserv.dll," exhibits "sophisticated” features such as custom encoding methods for client communication and in-memory execution 4th Example - HrServ MalwareArchaeology.com
  • 39. • The attack chain involves the PAExec remote administration tool, an alternative to PSExec that's used as a launchpad to create a scheduled task that masquerades as a Microsoft update ("MicrosoftsUpdate"), which subsequently is configured to execute a Windows batch script ("JKNLA.bat") • Here we go again with a new registered Scheduled Task… • Are you watching for batch files executing, odd names? • Or tools like PAExec or PSExec creating a NEW Service Event ID 7045 in the System Log? 4th Example - HrServ MalwareArchaeology.com
  • 40. • The web shell is also capable of activating the execution of a stealthy "multifunctional implant" in memory that's responsible for erasing the forensic trail by deleting the "MicrosoftsUpdate" job as well as the initial DLL and batch files. • DLLs can only be seen with Sysmon or an EDR/XDR solution • You can however extract all the modules in memory and evaluate them for signs of maliciousness 4th Example - HrServ MalwareArchaeology.com
  • 41. • For in memory you can check for signs of injection, implants, hooks etc. • Use tools like Volatility • Process them on Linux system as new versions not compiled for Windows • You can use LOG-MD-Pro or Premium to extract and evaluate the modules using the B9 option or File-MD to evaluate the extracted files from memory • Sysmon has Event ID 17 for Named Pipe creation that PAExec uses • Sysmon also has Event ID 25 for process tampering such as hollowing 4th Example - HrServ MalwareArchaeology.com
  • 42. • A study revealed that PowerShell Command & Scripting Interpreter was the number one attack technique used by threat actors. • The report provides a strong representation of adversary activity from authoritative sources. It assembled data from M-Trends, Red Canary’s Threat Detection Report, CTID ATT&CK Sightings Ecosystem and CISA alerts ranging from 2020 to 2022. • 28.49% of attacks !!! • https://www.splunk.com/en_us/blog/security/zoom-enhance-finding-value-in-macro-level-att-ck-reporting.html PowerShell for the Threat WIN MalwareArchaeology.com
  • 44. What do we see our clients fail or not optimal at? Configuration Local audit logging not optimally configured Endpoint agents not optimally configured Coverage Endpoints missing one or more agents Some or all log data (endpoint, cloud, network, internet facing) not going to a log management solution Completeness Implement a process and/or procedure to validate and verify Configuration and Coverage is “Complete” The 3 Cs MalwareArchaeology.com
  • 45. When you roll out an agent… Do you... 1. Validate the agent was properly installed? 2. Compare it to a list of known assets? • Do you even know where or what all your assets are? 3. Verify the data is collecting properly? 4. Have a way to identify new systems as they come live? 5. Have a way to install agents on new systems quickly? 6. Verify the endpoint configuration is showing up in the proper console(s)… regularly? Completeness MalwareArchaeology.com
  • 46. • Incident Responders need data to discover what happened to the detail level we can be sure and answer questions • This is so our clients can improve and close the gap(s) of why the pwnage happened or wasn’t detected • To reduce the cost and time of an Incident Response investigation is a goal, less time = less cost • Optimal 3-Cs can save you 2x to 4x the cost of paying an Incident Response firm • You could be way ahead… IF you Prepare Why the 3 C’s are important MalwareArchaeology.com
  • 47. • You don’t have to spend $$$ to improve processes, procedures and playbooks • Or tweak some settings • People time is a cost, but not an external spend • So spend some time on Preparation…. It is in the P in the SANS PICERL model • Many of our clients have incomplete or broken agent installs and endpoint configuration is not optimal • This means incomplete coverage and configuration • Thus missing details and potentially the initial compromise The 3 C‘s are FREE MalwareArchaeology.com
  • 48. We check Windows systems for what logging is enabled as a part of triage to know what will likely be there… There is a freely available tool to check your Windows logs against some well known Cheat Sheets ;-) Hint.. Windows Audit Logs MalwareArchaeology.com
  • 49. Local Log Sizes are NOT Big Enough MalwareArchaeology.com
  • 50. • PowerShell is used a lot in all kinds of attacks • Commodity, Ransomware, APT • Command Line details missing • ScriptBlock Logging improperly or not set PowerShell Logging is inadequate MalwareArchaeology.com
  • 51. • We need the data enabled and retained for a week or longer Audit Settings Fail MalwareArchaeology.com
  • 53. • Learn from these attacks and many others • Practice Malware Management and use MITRE ATT&CK to map your defenses • Configure your logging and agents OPTIMALLY • Cover ALL your assets • Verify the Completeness • Watch for the items in this talk • And several other of my talks Practice Security 101 and 201 even if you are all the way to 501 or beyond Conclusion MalwareArchaeology.com
  • 54. • Websites • Log-MD.com The tools • The “Windows Logging Cheat Sheet(s)” • https://MalwareArchaeology.com/cheat-sheets • MITRE ATT&CK is your friend • https://attack.mitre.org/techniques/enterprise/ • JPCert Detecting Lateral Movement • https://www.jpcert.or.jp/english/pub/sr/20170612ac- ir_research_en.pdf • This presentation and others on SlideShare • Search for MalwareArchaeology or LOG-MD MalwareArchaeology.com Resources
  • 55. You can find us at: • MalwareArchaeology.com • LOG-MD.com • LOGMD.com • TIME FOR HALLWAY CON !!! Questions? MalwareArchaeology.com