This document summarizes a presentation by Marius Bucur and Ioan Iacob of CrowdStrike on finding malware through unique behaviors. It discusses how they hunt for malware using YARA rules and Overwatch patterns to find infection vectors. It provides examples of malware found, including a malicious document that drops signed Delphi malware using MSIExec, and WMI being abused to inject a .NET binary into a legitimate process. It also discusses analyzing process injection, callstacks, RPCs and other techniques through reverse engineering to attribute similar samples and develop detection rules. The document cautions that just because something is possible does not mean it is advisable, and provides an example of a potentially suspicious but ultimately legitimate PowerShell script.

1. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
IN SEARCH OF UNIQUE BEHAVIOUR
MARIUS BUCUR & IOAN IACOB
2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

2. 2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
MARIUS BUCUR
● Threat Hunter at Crowdstrike
● 7y+ IT industry
● last 4y IT Security at
CrowdStrike and Avira
● Food and travel enthusiast

3. 2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
IOAN IACOB
● Threat Analyst at Crowdstrike
● 5 years in IT Sec
● CrowdStrike and Avira
● RE & DFIR enthusiast
● CTF player

4. 2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
What we do
Odd infection techniques
Quirky, but legitimate behavior
Q & A

5. WHAT WE DO
● Malware hunting
● Reverse engineering
● Write detections

6. MALWARE HUNTING
● Hunting with yara rules in MalQuery
● Overwatch patterns in Harrier
● VT queries and other OSINT
● Finding Infection vectors
● Kill chain
● Search infections

8. OVERWATCH PATTERNS
● Very generic patterns:
○ Eg.: "net use", wmic and http ...
● Used mostly in hunting for sophisticated attacks
● A red flag is raised once 3 or more patterns are found on one host

11. REVERSE ENGINEERING
● Focus on events not seen in conventional tools
○ Process injection
○ Callstack analysis
○ RPC and WMI
○ PrivEsc and Cred. Dumping
○ Exploitation techniques (DEP/ASLR bypass, HeapSpray, etc)
● Find similar samples using MalQuery

12. MALWARE EXAMPLES
1. MalDoc abuses MSIExec that drops signed Delphi malware
2. WMI abused to inject .NET binary in legit process (#Squiblytwo)
3. Excel Sheet and Steganography

13. EXAMPLE 1
MalDoc abuses MSIExec that drops Signed Delphi malware

14. EXAMPLE 1
§ Word document found ITW
§ “Industry Standard” Social Engineering message

15. EXAMPLE 1

16. EXAMPLE 1

17. EXAMPLE 1

18. EXAMPLE 1

19. EXAMPLE 1

20. EXAMPLE 2
WMI abused to inject .NET binary in legit process
#Squiblytwo
„Fileless malware”

21. EXAMPLE 2

25. EXAMPLE 3
Excel Sheet and Steganography

26. EXAMPLE 3
§ Excel sheet seen ITW
§ Typical infection vector with Macro

27. EXAMPLE 3

28. EXAMPLE 3

29. EXAMPLE 3

30. EXAMPLE 3

31. EXAMPLE 3

32. EXAMPLE 3

33. EXAMPLE 3

34. EXAMPLE 3

35. EXAMPLE 3

36. EXAMPLE 3

37. WRITE DETECTION RULES
● Call-Stack analysis
● Process Injection
● RPC
● Process trees
● Script control
● Credential dumping
● PrivEsc
● . . .

38. LAST STEP
§ Created detections:
§ IOAs for 1st and 3rd example
§ Injection flags for the 2nd example

39. BUT YOU ALSO SEE THIS
§ Winlogon in non-standard locaion
§ Crazy Powershell oneliners
§ Legit .doc|xls|pdf.exe received on emails
JUST BECAUSE YOU CAN, DOESN’T MEAN YOU SHOULD!!!

40. IS THIS MALICIOUS?

41. IS THIS MALICIOUS?
§ Clean document received via email
§ Runs a PowerShell script from a shared drive

42. IS THIS MALICIOUS?
● Add more examples

43. CLOSING REMARKS
● Productivity apps are still used as initial infection vectors
● Quirky infection techniques are seen more often (WMI included)
● We can’t just blacklist all and hope for the best
● Adversaries try to migrate to fileless malware, but still write binaries on
disk

44. Q & A