Searching Logs for Hackers, what you need to know to catch them
Michael Gough – Founder, MalwareArchaeology.com
Co-creator of Log-MD
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
Creator of
• Malware Management Framework
• Several Windows Logging Cheat Sheets
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @BrakeSec
• @HackerHurricane and also my Blog
Why you should listen to me?
• We discovered this in May 2012
• Met with the Feds ;-)
• 2014 - We gave an infected VM to one of the Big IR Firms… They came back “Yup.. It’s clean” #Fail
And because you want to catch these guys… or worse
• Ben Ten (Not PowerShell)
• Carlos (MetaSploit)
• Dave (SET)
• Kevin too (Pen Tester)
Malware evolves
• So must we
• Darwin says so
• Evolve or die
• Well… Evolve or get breached anyways
• Getting breached means an RGE !!!
– Resume Generating Event
A quick look at STATS
DBIR 2016
• Why we are here…
[Chart: time it takes hackers to compromise you vs. time it takes hackers to steal your data]
GOAL: To catch them BEFORE data loss occurs
DBIR 2016
• Hackers’ time to compromise is getting faster than our ability to discover them
Chasing Hashes
• Malware hashes are no longer similar
• Malware is morphing or created unique by design for each system OR on reboot
Symantec says…
SANS says…
Sophos Says…
• 70% of malware is unique to 1 company (APT)
• 80% of malware is unique to 10 or fewer companies (APT)
• That means…
• 20% of malware is what the AV industry focuses on, but it is what most of you and everyone in this room sees and gets by:
– Attachments in email
– URL in email
– Surfing the web
• Ads
• WordPress, Drupal, Joomla…
A quick look at Advanced Malware Artifacts
Winnti - Malware Infection
[Screenshot callouts: Malware Launch; Hiding malware in the Registry; Modify Service]
[Screenshot callouts: Escalate permissions – obviously NOT your admin; Check the Service used; Modify Permissions; Push out malware using CMD Shell & CScript]
Using the Registry for storage
[Screenshot callouts: Update Registry; Change Registry Permissions; Change permissions on files]
Bad behavior becomes obvious
[Screenshot callouts: Doing Recon; Going after Terminal Services; Query Users]
You can even capture their Credentials
[Screenshot: Caught THEIR Credentials!]
Persistence
• Avoided leaving key files behind like they did before, well one anyways… the persistence piece
HKLM\Software\Clients
• putfile
• file
• read
4D5A = MZ in hex (the header of a Windows executable, so the key data is a PE file)
Key Size = 256k
Persistence
• Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe)
• Altered system management binaries
– McAfeeFrameworkService
– BESClientHelper
– Attempted a few others, some failed
Persistence
• BAM! Got ya – PROCMon on bootup
A quick look at Commodity Malware Artifacts
Angler delivered Kovter
• Unique way to hide the persistence
• Inserted a null byte in the name of the Run key so that RegEdit and Reg Query fail to read and display the value
• And a LARGE Reg Key (anything over 20k is large)
Dridex Artifacts
Dridex Persistence
• New method towards the end of 2015, nothing in the Registry showing persistence while system was running
• In memory only until system shutdown
– On shutdown the Run key was created
• On startup the malware loads and Run key deleted
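The write-on-shutdown / delete-on-startup trick is exactly what Registry auditing is for. As an added example (not the author's or LOG-MD's code), the Python below correlates Security event 4657 (a registry value was modified) on the Run keys with the System log's 6006/6005 Event Log service stopped/started events and flags a value that is created right before a shutdown and removed right after the next boot. It assumes a SACL is set on the Run keys so 4657 fires for them, takes events as dicts carrying the 4657 Object Name, Object Value Name, Operation Type, New Value and Process Name fields, and the value and file names in the sample records are made up.

```python
"""Added example (not the author's or LOG-MD's code): flag a Run key value
created just before shutdown and deleted just after startup, the Dridex
pattern on the slide, by correlating Security 4657 (registry value modified)
with System 6006/6005 (Event Log service stopped/started). Assumes Registry
auditing is enabled on the Run keys; all records below are constructed."""
from datetime import datetime, timedelta

CREATED = "New registry value created"   # 4657 Operation Type strings
DELETED = "Registry value deleted"
SHUTDOWN, STARTUP = 6006, 6005           # System log: Event Log service stopped / started


def is_run_key(object_name):
    """True for an HKLM or HKCU CurrentVersion Run / RunOnce key as 4657 names it."""
    n = object_name.upper().rstrip("\\")
    return n.endswith((r"\CURRENTVERSION\RUN", r"\CURRENTVERSION\RUNONCE"))


def _t(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")


def find_shutdown_persistence(events, window=timedelta(minutes=10)):
    """One finding per Run key value created within `window` before a shutdown
    and deleted within `window` after the following startup."""
    evs = sorted(events, key=_t)
    findings = []
    for i, ev in enumerate(evs):
        if ev["event_id"] != 4657 or ev["operation"] != CREATED \
                or not is_run_key(ev["object_name"]):
            continue
        key = (ev["object_name"].upper(), ev["value_name"].lower())
        stop = start = None
        for later in evs[i + 1:]:
            if stop is None:                      # waiting for a shutdown
                if _t(later) - _t(ev) > window:
                    break                         # no shutdown soon after the write
                if later["event_id"] == SHUTDOWN:
                    stop = later
            elif start is None:                   # box is down; wait for the boot
                if later["event_id"] == STARTUP:
                    start = later
            else:                                 # after boot: look for the delete
                if _t(later) - _t(start) > window:
                    break
                if (later["event_id"] == 4657 and later["operation"] == DELETED
                        and (later["object_name"].upper(),
                             later["value_name"].lower()) == key):
                    findings.append({"value_name": ev["value_name"],
                                     "command": ev["new_value"],
                                     "written": ev["time"], "written_by": ev["process_name"],
                                     "deleted": later["time"], "deleted_by": later["process_name"]})
                    break
    return findings


HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [  # constructed records; value names and paths are made up
    # An installer adds a Run value hours before shutdown and never removes it.
    {"time": "2016-03-01 14:02:11", "event_id": 4657, "operation": CREATED,
     "object_name": HKLM_RUN, "value_name": "VendorUpdater",
     "new_value": r"C:\Program Files\Vendor\updater.exe",
     "process_name": r"C:\Program Files\Vendor\setup.exe"},
    # Dridex-style: the value appears seconds before the box goes down ...
    {"time": "2016-03-01 17:58:40", "event_id": 4657, "operation": CREATED,
     "object_name": HKCU_RUN, "value_name": "drxupd",
     "new_value": r"C:\Users\Bob\AppData\Roaming\drxupd.exe",
     "process_name": r"C:\Windows\explorer.exe"},
    {"time": "2016-03-01 17:58:52", "event_id": SHUTDOWN},
    {"time": "2016-03-02 08:01:10", "event_id": STARTUP},
    # ... and the loaded payload deletes it again right after logon.
    {"time": "2016-03-02 08:02:31", "event_id": 4657, "operation": DELETED,
     "object_name": HKCU_RUN, "value_name": "drxupd", "new_value": "",
     "process_name": r"C:\Users\Bob\AppData\Roaming\drxupd.exe"},
]

if __name__ == "__main__":
    for f in find_shutdown_persistence(SAMPLE_EVENTS):
        print(f"{f['value_name']}: {f['command']} written {f['written']} by "
              f"{f['written_by']}, deleted {f['deleted']} by {f['deleted_by']}")
```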
Dridex is Baaack
• 2016 variant
How to Detect Malicious Behavior
Take Away #1
Where to start
• What am I supposed to set?
– “Windows Logging Cheat Sheet”
– “Windows File Auditing Cheat Sheet”
– “Windows Registry Auditing Cheat Sheet”
– “Windows Splunk Logging Cheat Sheet”
– “Malware Management Framework”
• Find them all here:
– MalwareArchaeology.com
PowerShell
• It’s coming… in a BIG way - It’s already here
• Ben Ten uses it (Not PowerShell)
• Carlos uses it (MetaSploit)
• Dave uses it (SET)
• Kevin too (Pen Tester)
• Dridex uses it
• RansomWare uses it
• And Windows default logging is TERRIBLE for it!
Take Away #2
So what do we do about PowerShell?
• The “Windows PowerShell Logging Cheat Sheet”
• Designed to catch the folks I just mentioned, and others ;-)
• Get it at:
– MalwareArchaeology.com
Take Away #3
How to catch this stuff
Enable Command Line Logging !!!!
• At the time of Winnti 2014 ONLY Win 8.1 and Win 2012 R2 had command line logging
• Which we had, then we saw this in our alerts of suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib)
• SIX Commands
• Scripts too
And this query - Splunk
• index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\net.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message | stats count > 2
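The same watch-list logic as the Splunk search above, written out in Python as an added example that is not the author's or LOG-MD's code: it runs over a handful of constructed 4688 records whose command lines mirror the ones shown on the Winnti and Crypto Event slides, drops machine accounts the way NOT (Account_Name=*$) does, derives Short_Message exactly as the two eval steps do, and reads the trailing `stats count > 2` as a per-host threshold (an assumption; the slide does not say how the count is grouped).

```python
"""Python port of the slide's Splunk 4688 watch-list search (added example, not
the author's or LOG-MD's code), run over constructed sample 4688 records."""
import re
from collections import Counter

# Watch list copied from the Splunk query. Entries without an extension (nmap,
# netsh, csvde, rundll32) match a whole token; "winrm.*" / "winrs.*" are prefix
# wildcards; the slide's system32\net.exe is reduced to its file name because
# tokens are split on path separators below.
WATCH_LIST = (
    "arp.exe at.exe bcdedit.exe bcp.exe chcp.exe cmd.exe cscript.exe csvde "
    "dsquery.exe ipconfig.exe mimikatz.exe nbtstat.exe nc.exe netcat.exe "
    "netstat.exe nmap nslookup.exe netsh OSQL.exe ping.exe powershell.exe "
    "powercat.ps1 psexec.exe psexecsvc.exe psLoggedOn.exe procdump.exe "
    "qprocess.exe query.exe rar.exe reg.exe route.exe runas.exe rundll32 "
    "schtasks.exe sethc.exe sqlcmd.exe sc.exe ssh.exe sysprep.exe "
    "systeminfo.exe net.exe tasklist.exe tracert.exe vssadmin.exe whoami.exe "
    "winrar.exe wscript.exe winrm.* winrs.* wmic.exe wsmprovhost.exe wusa.exe"
).split()
EXACT = {w.lower() for w in WATCH_LIST if not w.endswith(".*")}
PREFIXES = tuple(w[:-1].lower() for w in WATCH_LIST if w.endswith(".*"))  # "winrm."
_TOKEN_SPLIT = re.compile(r"""[\s\\/"'(),;=]+""")


def matched_tools(event):
    """Watch-list entries found in the process name or command line, which is
    what the free-text OR (...) clause of the search matches against."""
    text = event.get("New_Process_Name", "") + " " + event.get("Process_Command_Line", "")
    hits = set()
    for tok in _TOKEN_SPLIT.split(text):
        t = tok.lower()
        if t in EXACT or t.startswith(PREFIXES):
            hits.add(t)
    return sorted(hits)


def short_message(event):
    """eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0)"""
    return event.get("Message", "").split(".")[0]


def search_4688(events):
    """The search up to the table command: Security 4688 events, minus machine
    accounts (NOT Account_Name=*$), that mention a watch-listed tool."""
    rows = []
    for ev in events:
        if ev.get("LogName") != "Security" or ev.get("EventCode") != 4688:
            continue
        if ev.get("Account_Name", "").endswith("$"):
            continue
        tools = matched_tools(ev)
        if not tools:
            continue
        rows.append({"_time": ev["_time"], "host": ev["host"],
                     "Account_Name": ev["Account_Name"],
                     "New_Process_Name": ev["New_Process_Name"],
                     "Process_Command_Line": ev.get("Process_Command_Line", ""),
                     "Short_Message": short_message(ev), "matched": tools})
    return rows


def hosts_over_threshold(rows, threshold=2):
    """The slide's trailing `stats count > 2`, read here as: alert on any host
    with more than `threshold` watch-listed executions (an assumption)."""
    counts = Counter(r["host"] for r in rows)
    return {h: c for h, c in counts.items() if c > threshold}


# Constructed records using the field names the query relies on; the command
# lines mirror those shown on the slides. Not real telemetry.
MSG = "A new process has been created. Subject: Security ID: S-1-5-21-0-0-0-1001"


def _ev(t, host, acct, proc, cmdline):
    return {"_time": t, "host": host, "LogName": "Security", "EventCode": 4688,
            "Account_Name": acct, "New_Process_Name": proc,
            "Process_Command_Line": cmdline, "Message": MSG}


SAMPLE_EVENTS = [
    _ev("2016-06-01T09:12:03", "WKS-BOB", "bob", r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL"),
    _ev("2016-06-01T09:12:04", "WKS-BOB", "bob", r"C:\Windows\System32\vssadmin.exe",
        "vssadmin.exe delete shadows /all /Quiet"),
    _ev("2016-06-01T09:12:10", "WKS-BOB", "WKS-BOB$", r"C:\Windows\System32\ipconfig.exe",
        "ipconfig /all"),                                   # machine account: dropped
    _ev("2016-06-01T09:13:41", "WKS-BOB", "bob", r"C:\Windows\System32\cmd.exe",
        "cmd.exe /c query user"),
    _ev("2016-06-01T09:14:02", "WKS-BOB", "bob", r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "firefox.exe"),                                     # not watch-listed: no row
    _ev("2016-06-01T09:20:55", "SRV-FILE01", "alice",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -NoProfile -Command Get-Date"),
]
```

Running `search_4688(SAMPLE_EVENTS)` gives four rows and `hosts_over_threshold` singles out WKS-BOB, whose three hits (the self-deleting dropper, the shadow copy wipe and the recon via cmd.exe) are the sequence the Crypto Event slide shows.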
So how do you do this?
• Malware Management allowed us to set up alerts on artifacts from other malware analysis
– MalwareManagementFramework.org
• Of course our own experience too
• Malware Discovery allowed us to find odd file hashes, command line details, registry locations
• Malware Analysis gave us the details
What we all need to look for
• Logs of course, properly configured - Events
– Command Line details
– Admin tools misused – executions
– New Services (retail PoS should know this)
– Drivers used (.sys)
• New Files dropped anywhere on disk – Hashes
– Infected management binary (hash changed)
• Delete on startup, write on shutdown – File & Reg Auditing
• Scripts hidden in the registry – Registry Compare
• Payload hidden in the registry – Large Reg Keys
• Malware Communication – IP and WhoIS info
• Expand PowerShell detection
• VirusTotal Lookups
So what did we take away from all of this?
You basically have 3 options
• Do nothing – Eventually leading to an RGE
• Log Management / SIEM
– Cost $$$ and storage
– But IS the best option, better than most security solutions if you want my opinion
• What if you don’t have Log Management or a SIEM?
It didn’t exist
So we created it!
So you can do it too!
Take Away #4
LOG-MD
• Log and Malicious Discovery tool
• When you run the tool, it tells you what auditing and settings it requires you to configure. LOG-MD won’t harvest anything until you configure the system!
• So it answers the How to check for the What to set I already told you about
Audit first
• Audit Report of log settings compared to:
– The “Windows Logging Cheat Sheet”
– Center for Internet Security (CIS) Benchmarks
– Also USGCB and AU ACSC
• Plain text report so you can include them in your own report format
Audit Settings Report
Summary of Reports
Purpose
• Malware Analysis Lab – Why we initially developed it
• Investigate a suspect system
• Audit the Windows - Advanced Audit Policy settings
• Help MOVE or PUSH security forward
• Give the IR folks what they need and the Feds too
• Take a full system (File and Reg) snapshot to compare to another system and report the differences
• Discover tricky malware artifacts (Large Keys, Null Byte, AutoRuns)
• SPEED !
• Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…
• Replace several tools we use today with one easy to use utility that does much more
• Replace several older tools and GUI tools
• To answer the question: Is this system infected or clean?
• And do it quickly !
Free Edition
• Audit your settings – Do you comply?
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden payloads
• 12 Reports
Professional Edition
• Everything the Free Edition does and…
• 21 reports, breakdown of things to look for
• Specify the Output directory
• Harvest Sysmon logs
• Whitelist Hash compare results
• Whitelist Registry compare results
• Create a Master-Digest to exclude unique files
• Free updates for 1 year, expect a new release every quarter
• Manual – How to use LOG-MD Professional
Future Versions – In the works!
• PowerShell details
• WhoIs lookups of IP Addresses called
• VirusTotal lookups of discovered files
• Find parent-less processes
• Assess all processes and create a Whitelist
• Assess all services and create a Whitelist
• VirusTotal lookups of unknown or new processes and services
• Other API calls to security vendors
NEW Feature!
• WhoIs lookups of IP’s
[Screenshot: VawTrak]
Let’s look at some LOG-MD RESULTS
Crypto Event
» C:\Users\Bob\AppData\Roaming\vcwixk.exe
» C:\Users\Bob\AppData\Roaming\vcwpir.exe
» C:\WINDOWS\system32\cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL
» C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet
Malicious Word Doc
DRIDEX
Malicious Word Doc cont’d
More DRIDEX
Use the power of Excel
• The reports are in .CSV format
• Excel has sorting and filters
• Filters are AWESOME to thin out your results
• You might take filtered results and add them to your whitelist once vetted
• Save to .XLS and format, color code and produce your report
• For .TXT files use NotePad++
So what do we get?
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in… 15 Minutes!
Resources
• Websites
– Log-MD.com The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
• This presentation is on SlideShare and website
– Search for MalwareArchaeology or LOG-MD
Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• MalwareManagementFramework.Org
• http://www.slideshare.net – LinkedIn now

Logging for hackers SAINTCON
