Microsoft Ignite session: Look under the hood: bypassing antimalware tactics and infrastructure response method”
Download as PPTX, PDF2 likes2,572 views
Paula Januszkiewicz, CEO and security expert, discusses various techniques for malicious code execution and prevention, emphasizing the importance of complete code execution prevention as the only true solution. The document outlines methods used by attackers to compromise systems and suggests anti-exploit solutions and effective use of Sysmon as critical defenses. Additionally, the effectiveness of these solutions often depends on proper configuration and budget considerations.
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics and infrastructure response method”
- 1. Paula Januszkiewicz CQURE: CEO, Penetration Tester / Security Expert CQURE Academy: Trainer MVP: Enterprise Security, MCT Contact: paula@cqure.us | http://cqure.us @paulacqure @CQUREAcademy
- 8. Signature-based Behavior-based Attempts to open, view, delete, and/or modify files Attempts to format disk drives and other unrecoverable disk operations Modifications to the logic of executable files, scripts of macros Modification of critical system settings, such as start-up settings Scripting of e-mail and instant messaging clients to send executable content Initiation of network communications
- 9. Wrapping ttaches the malicious payload (the installer or the malware itself) to a legitimate file.
- 12. Custom code User Mode Loaders Executable is extracted and decrypted in memory Code is loaded and executed dynamically In Powershell.exe – not every module is embedded – they can be created and loaded during the execution In Win32API: Custom code mimics LoadLibrary() Interesting: During the compilation, that’s what helps us: CompilerParameters.CompilerOptions = "/platform:x64";
- 17. Attacker Victim Firefox RCE+payload Firefox GET Connect 888 Remote session 888: download files Remote session 888: SCHTASKS: elevate, 777 Connect 777 Remote session 777: Infect WMI Connect 666
- 21. Antimalware Scan Interface (AMSI) It is a generic interface standard that allows applications and services to integrate with any antimalware product Techniques used It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques Allows correlation of events The different fragments of a malicious payload can be associated to reach a more informed decision, which would be much harder to reach just by looking at those fragments in isolation.
- 25. 1. The only cure is a _complete_ code execution prevention 2. Anti-Exploit solutions make a lot of sense 3. Sysmon (absolutely!) 4. At the end it is a matter of budged and price 5. Code execution prevention solutions are often misconfigured
Editor's Notes
- #8: W10 -> McAffion – remember to preset it! StopmeIfyoucan
- #9: IMPHash -> Lista importow, powiedziec, ze mozna skorzystac ze standardowego ladowania Load Library Nastolatek, google, stackoverflow -> 5 NY Minutes.
- #10: Wrappery – from 90s old school but not so old! Skrypty powershellowe pod skrypty powershellowe. Wrapping: Using static signatures to detect wrapper files is largely ineffective since new ones are easily and regularly created and often generates false positives. This technique is commonly used by Windows and OS X malware distributed via pirated software and P2P networks. . IceFog is a well-known malware commonly wrapped with a legitimate-looking CleanMyMac application and used to target OS X users. On the Windows platform, OnionDuke has been used with legitimate Adobe installers shared over Tor networks to infect machines. Obfuscation Using XOR encoding is one way to do this. Hiding process and file names, registry entries, URLs and other useful information can significantly slow down the investigation/reverse engineering of new malware samples.
- #11: Hyperion – wykrywalne – Mimikatza Helloword
- #12: Obfuscation – zmianie kodu, po kompilacji wyglada inaczej, zmiana nazw fukcji, inny zapis stale, inne zmienne, a lot of spaghetti code. Wrapping: Using static signatures to detect wrapper files is largely ineffective since new ones are easily and regularly created and often generates false positives. This technique is commonly used by Windows and OS X malware distributed via pirated software and P2P networks. . IceFog is a well-known malware commonly wrapped with a legitimate-looking CleanMyMac application and used to target OS X users. On the Windows platform, OnionDuke has been used with legitimate Adobe installers shared over Tor networks to infect machines. Obfuscation Using XOR encoding is one way to do this. Hiding process and file names, registry entries, URLs and other useful information can significantly slow down the investigation/reverse engineering of new malware samples. Anti debugging: . For example, the ZeroAccess malware implemented a self-debugging technique in order to block external debugging attempts. Another example is malware attempting to delay its execution (or sleep) for an extended period of time. This is useful for bypassing sandboxing solutions since these only keep binaries in an emulated environment for a specific period of time before classifying them as benign and releasing them to the network. Targeting. This technique is implemented when malware is designed to attack a specific type of system (e.g. Windows XP SP 3), application (e.g. Internet Explorer 10) and/or configuration (e.g. detecting a machine not running VMWare tools, which is often a telltale sign for usage of virtualization). Targeting ensures that the malware is only triggered and installed when specific conditions are met, which enables it to evade detection in sandboxes because they do not resemble the host being attacked.
- #13: Kompilator nie ma pojecia o tym co bedzie ladowane. Z metadanych 9.2 z Rootkit Arsenal 417
- #19: Mypaypalservices.com musi byc rozpoznawany na Victimie. Polaczenie na porcie 666.
- #20: cmd.Exe - przekierowane wejscie I wyjscie na socket
- #21: cdb.exe -cf x64_calc.wds -o notepad.exe
- #26: Licence: Common Nie ochroni przed WinDBG Nie udostepniamy miejsc, ktore sa wykonywane