
In search of unique behaviour



Ioan Iacob and Marius Bucur in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive

Published in: Technology

  1. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. IN SEARCH OF UNIQUE BEHAVIOUR. MARIUS BUCUR & IOAN IACOB
  2. MARIUS BUCUR
     ● Threat Hunter at CrowdStrike
     ● 7y+ in the IT industry
     ● Last 4y in IT security at CrowdStrike and Avira
     ● Food and travel enthusiast
  3. IOAN IACOB
     ● Threat Analyst at CrowdStrike
     ● 5 years in IT security
     ● CrowdStrike and Avira
     ● RE & DFIR enthusiast
     ● CTF player
  4. ● What we do
     ● Odd infection techniques
     ● Quirky, but legitimate behavior
     ● Q & A
  5. WHAT WE DO
     ● Malware hunting
     ● Reverse engineering
     ● Write detections
  6. MALWARE HUNTING
     ● Hunting with YARA rules in MalQuery
     ● OverWatch patterns in Harrier
     ● VT queries and other OSINT
     ● Finding infection vectors
     ● Kill chain
     ● Search infections
  7. OVERWATCH PATTERNS
     ● Very generic patterns
       ○ e.g. "net use", wmic and http ...
     ● Used mostly in hunting for sophisticated attacks
     ● A red flag is raised once 3 or more patterns are found on one host
  8. REVERSE ENGINEERING
     ● Focus on events not seen in conventional tools
       ○ Process injection
       ○ Call-stack analysis
       ○ RPC and WMI
       ○ PrivEsc and credential dumping
       ○ Exploitation techniques (DEP/ASLR bypass, heap spray, etc.)
     ● Find similar samples using MalQuery
  9. MALWARE EXAMPLES
     1. MalDoc abuses MSIExec, which drops signed Delphi malware
     2. WMI abused to inject a .NET binary into a legitimate process (#Squiblytwo)
     3. Excel sheet and steganography
  10. EXAMPLE 1: MalDoc abuses MSIExec, which drops signed Delphi malware
  11. EXAMPLE 1
     ● Word document found ITW
     ● "Industry standard" social engineering message
  12.–16. EXAMPLE 1 (slides contain no extractable text)
  17. EXAMPLE 2: WMI abused to inject a .NET binary into a legitimate process (#Squiblytwo, "fileless malware")
  18. EXAMPLE 2 (slide contains no extractable text)
  19. EXAMPLE 3: Excel sheet and steganography
  20. EXAMPLE 3
     ● Excel sheet seen ITW
     ● Typical infection vector with macro
  21.–30. EXAMPLE 3 (slides contain no extractable text)
  31. WRITE DETECTION RULES
     ● Call-stack analysis
     ● Process injection
     ● RPC
     ● Process trees
     ● Script control
     ● Credential dumping
     ● PrivEsc
     ● ...
  32. LAST STEP
     ● Created detections:
       ○ IOAs for the 1st and 3rd example
       ○ Injection flags for the 2nd example
  33. BUT YOU ALSO SEE THIS
     ● Winlogon in a non-standard location
     ● Crazy PowerShell one-liners
     ● Legit .doc|xls|pdf.exe received in emails
     JUST BECAUSE YOU CAN, DOESN'T MEAN YOU SHOULD!!!
  34. IS THIS MALICIOUS?
  35. IS THIS MALICIOUS?
     ● Clean document received via email
     ● Runs a PowerShell script from a shared drive
  36. IS THIS MALICIOUS?
     ● Add more examples
  37. CLOSING REMARKS
     ● Productivity apps are still used as initial infection vectors
     ● Quirky infection techniques are seen more often (WMI included)
     ● We can't just blacklist everything and hope for the best
     ● Adversaries try to migrate to fileless malware, but still write binaries to disk
  38. Q & A
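The per-host threshold from slide 7 (a red flag once 3 or more generic patterns show up on one host), as an added Python example that is not from the talk or from CrowdStrike: it runs three deliberately weak patterns ("net use", wmic, http) over constructed process-event lines and flags a host only when distinct patterns co-occur within a time window. The log format, the regexes and the one-hour window are assumptions; the slide states only the count.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): "ISO-timestamp host command_line".
SAMPLE_EVENTS = """\
2018-11-08T09:00:01 WS01 net use \\\\fileserver\\share /user:corp\\alice
2018-11-08T09:02:10 WS01 wmic process call create "notepad.exe"
2018-11-08T09:05:44 WS01 powershell -c Invoke-WebRequest http://example.invalid/a
2018-11-08T09:06:00 WS01 net use \\\\fileserver\\share /delete
2018-11-08T10:15:00 WS02 net use \\\\fileserver\\share /user:corp\\bob
2018-11-08T10:16:30 WS02 wmic os get caption
2018-11-08T15:00:00 WS03 cmd /c curl http://example.invalid/b
"""

# Each pattern is noisy on its own; only their co-occurrence on one host is interesting.
PATTERNS = {
    "net_use": re.compile(r"\bnet(?:1)?\s+use\b", re.I),
    "wmic": re.compile(r"\bwmic(?:\.exe)?\b", re.I),
    "http": re.compile(r"\bhttps?://", re.I),
}

def parse_events(text):
    """Yield (timestamp, host, command_line) from the constructed log format."""
    for line in text.splitlines():
        ts, host, cmd = line.split(" ", 2)
        yield datetime.fromisoformat(ts), host, cmd

def matched_patterns(cmd):
    """Names of all generic patterns that fire on one command line."""
    return {name for name, rx in PATTERNS.items() if rx.search(cmd)}

def flag_hosts(text, threshold=3, window=timedelta(hours=1)):
    """Return {host: sorted pattern names} for every host on which at least
    `threshold` distinct patterns fired within `window` of each other."""
    hits_by_host = defaultdict(list)  # host -> [(timestamp, pattern_name)]
    for ts, host, cmd in parse_events(text):
        for name in matched_patterns(cmd):
            hits_by_host[host].append((ts, name))
    flagged = {}
    for host, hits in hits_by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct patterns seen from this hit forward, inside the window.
            in_window = {n for t, n in hits[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[host] = sorted(in_window)
                break
    return flagged

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_EVENTS))  # only WS01 reaches three distinct patterns
```

Repeated hits of the same pattern (WS01's second "net use") count once, so a single noisy admin command does not reach the threshold by itself.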
