Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Deeplook into apt and how to detect and defend v1.0

1,121 views

Published on

Walk though of an APT attack that was more sophisticated than last time.

Published in: Technology
  • Be the first to comment

Deeplook into apt and how to detect and defend v1.0

  1. 1. A deep look into a Chinese advanced attack. Understand it, learn from it and how to detect and defend against attacks like this. Michael Gough – Founder MalwareArchaeology.com MalwareArchaeology.com
  2. 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows PowerShell Logging Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Malware Management Framework” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast MalwareArchaeology.com
  3. 3. Goal • Interaction – Don’t be a Ding Dong, ask a question… you WILL be rewarded for positive synergy! • Learn how us Ninja’s do it so you can too • New Tool for YOU to use!!! MalwareArchaeology.com
  4. 4. • We discovered this May 2012 • Met with the Feds ;-) Why you should listen to me? MalwareArchaeology.com 2014 - We gave an infected VM to one of the Big IR Firms… They came back “Yup.. It’s clean” #Fail
  5. 5. WINNTI 2014 • Much more “sophisticated” than before – They updated their approach – MUCH more complex – This is NOT your typical P0wnage • Boy did we catch them in the act • I am sharing so you can learn how! MalwareArchaeology.com
  6. 6. History • WINNTI has been around for 5+ years attacking the gaming industry • It is known the Chinese hackers are behind it – Kaspersky and the Feds • Not quite State Sponsored, but pretty darned good • I would consider this your “typical” APT • We saw new things each time they attacked • Maybe it is State Sponsored practicing? MalwareArchaeology.com
  7. 7. WINNTI 2012 Summary • Pretty typical • DLL Injection – WBEM – Windows – System32 – Files stored – ProgramData – Files stored • Sysprep Cryptbase.dll exploit • Boot up back door, deletes on load, writes on shutdown – Killed by pulling the power ;-) • New Services installed • Multiple infections per machine hoping you miss one MalwareArchaeology.com
  8. 8. WINNTI 2014 • New stuff • Dude ! • What triggered it? • What changed? • Avoided the methods they used before • Fortunately we were doing REALLY good logging. We are Ninja’s after all MalwareArchaeology.com
  9. 9. WINNTI 2014 • Summary of improvements for WINNTI 2014 – PlugX used as a base, modules added – Dll injection on SQL Server (5 dirs. Deep) • Allowed for SQL Mgmt utilities to enable XP Command Shell and run .NET commands – Binary infector – altered existing management binaries to call main payload – and STILL worked! – Driver infector – Added driver to look like existing management software – Hid scripts in the Registry – Hid payload in the Registry! • The Registry is a Huuuuuuuuuuuuuuuuge Database MalwareArchaeology.com
  10. 10. WINNTI 2014 • Popped a user, not an Admin, they know Who we are and What we do… Yay LinkedIn • Patient 0 – User phished (not an admin) and I believe they exploited Office to gain admin access • Dropped their initial malware payload • Used Backup software creds to then PoP a Domain Controller • Spread from there all over ;-( – Same MO as 2012 MalwareArchaeology.com
  11. 11. Files Dropped and gone • Used public accessible locations • C:UsersPublic • C:WindowsWeb • C:Perflogs • Deleted Infector files fast… almost all • Left some on disk MalwareArchaeology.com
  12. 12. Files Dropped • SQL Server bin directory (5 deep) – Only on SQL Servers – Cscapi.dll (Dll injection) • SysWOW64 – Qwave.dll - Normal on Workstations, NOT on servers • Splunk and Altiris Directories - Dropped a driver named like the app – Splunk.sys – Altiris.sys MalwareArchaeology.com
  13. 13. Initial Infectors • UsersPublic – C.exe – Infect.exe – Infectsys.exe – 64.dll – CompanyName.exe – Specific to us! • C:Perflogs – Command binary • C:WindowsWeb - .INI files for permission changes • C:WindowsTemp – VB Scripts – Netfxupdate.ax • C:WindowsSysWOW64 – Qwave.dll (Servers only) – SysWow64.sys – AxScriptHost70.dll MalwareArchaeology.com
  14. 14. Initial Infectors • Perflogs – C.exe – Communication to infected system • Thanks for the Port and Password • For once WE compromised THEM! – Now who is “sophisticated” ;-) MalwareArchaeology.com
  15. 15. Persistence • C:Program FilesCommon Files – WLXSys64.sys – NOT ON DISK ANYWHERE ???? • Modified existing service – WERCplSupport (Who needs WER Support) – Changed ServiceDll to: • Program FilesCommon FilesWLXSys64.sys MalwareArchaeology.com • So how did it load if it was NOT on disk???
  16. 16. Persistence • WERCplSupport Service failed to start ? • YAY Windows !!!! THANK YOU Microsoft!!!! • For allowing a service to retry over and over and over and… well… forever until the file shows up, or the malware places it there • Once the file existed, “WERCplSupport” started and the system was infected calling other malicious binaries MalwareArchaeology.com
  17. 17. Persistence • Avoided leaving key files behind like they did before, well one anyways… the persistence piece MalwareArchaeology.com
  18. 18. So what led us there? • Command Line Logging !!!! • At the time ONLY Win 8.1 and Win 2012 R2 • Which we had, We then saw this in our alerts of suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib) • Scripts too MalwareArchaeology.com
  19. 19. Hidden in the Registry • Command Line execution led us to the Keys. Main payload and scripts to infect were stored in the registry – Classes and Client Keys MalwareArchaeology.com
  20. 20. Hidden in the Registry • HEX in some cases where infection not complete or when we recreated in the lab because we were missing something (the infected persistence binary) • Binary when complete, encrypted in some way MalwareArchaeology.com
  21. 21. Hiding in the Registry • This was new for WINNTI 2014 • They added three values to the Keys • HKLMSoftwareClients or Classes – putfile – file – read • This found on only a few systems to hide another backdoor – HKLMSoftwareWow6432NodeBINARYAcrobat.dxe MalwareArchaeology.com
  22. 22. HKLMSoftwareClients • putfile • file • read MalwareArchaeology.com 4D5A = MZ in HEX
  23. 23. Persistence • Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe) • Altered system management binaries – McAfeeFrameworkService – BESClientHelper – Attempted a few others, some failed MalwareArchaeology.com • We tried the infector on several other system files and it worked
  24. 24. Persistence • Infected management binary read key, decrypted payload and dropped into: – Program FilesCommon Files • NOW WERCplSupport ServiceDll exists! • As soon as it was loaded… it was deleted making it hard for us to find it MalwareArchaeology.com But we were better than that ;-)
  25. 25. So what led us there? • Malware Discovery Baseline • Compared infected system hashes (Suspect) to a known good system hashes (MFR) • Showed some single hashes in directories that were odd to us (our own management software)? • So we looked for these binaries across all systems • ONLY the infected system had these odd hashes MalwareArchaeology.com
  26. 26. Persistence • BAM! Got ya – PROCMon on bootup MalwareArchaeology.com
  27. 27. FINALLY ! • Now we had all the pieces • Recreated in the lab so we knew we had it all • High confidence remediation was now able to start • And it did NOT take 210 days for MTTD ;-) MalwareArchaeology.com
  28. 28. FINALLY ! • Malware Management allowed us to setup alerts on artifacts from other malware analysis • Of course our own experience too • Malware Discovery allowed us to find odd file hashes • Malware Analysis gave us the details MalwareArchaeology.com
  29. 29. How YOU can Detect this Ninja Tips MalwareArchaeology.com
  30. 30. How we harvested malware • Some infections hung • Ran process check for any “parentless” processes • Found a couple systems hung and harvested the malware from these systems • Command line logging showed us where to look • Ninja Tip: – Parse through processes that do NOT have a parent!!! MalwareArchaeology.com
  31. 31. How we harvested malware • File Copy loop in Directories discovered – @echo off – cls – md captured – :Redo – robocopy . WooHooo /E /B /r:0 /w:1 /np /xo /xd WooHoo – Goto Redo – :End • Ninja Tip: – Great to do in Labs for User space AppData MalwareArchaeology.com
  32. 32. Top Priority • Enable and Configure Process Command Line – KB3004375 - https://support.microsoft.com/en-us/kb/3004375 • Enable Advanced Audit Policy in Windows – The “Windows Logging Cheat Sheet” – Audit Process Creation = Success 4688 – Audit Logon = Success & Failure 4624 – Audit File Share = Success 5140 – Audit File System = Success 4663 – Audit Registry = Success 4663 & 4657 – Audit Filtering Platform Connection = Success 5156 (Any/Any min) – Services already captured by System Log 7045 & 7040 – PowerShell Logging (needs profile.ps1) 500 MalwareArchaeology.com
  33. 33. Alert for Suspicious Commands • #1 trigger for a compromise • (EventCode=4688) (at.exe OR bcdedit.exe OR calcls.exe OR chcp.exe OR cmd.exe OR cscript.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR bcp.exe OR sqlcmd.exe OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR sc.exe OR schtasks.exe OR sethc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32net.exe OR takeown.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR winrm.* OR winrs.* OR wmic.exe OR wsmprovhost.exe) MalwareArchaeology.com
  34. 34. Size Matters!!! • Bigger IS better… – For Size of Registry Keys – Very few over 20k – WINNTI was 296k • RegScanner – NirSoft • Reglister - @dnlongen – python script – https://github.com/dnlongen/RegLister MalwareArchaeology.com
  35. 35. Enhanced Logging • Sysmon – Gives you images loaded (.DLL) look for unsigned! – Gives you Drivers loaded (.SYS) – Gives you Hashes – Upload to VirusTotal • Windows Logging Service (WLS) – Alternative logging agent – More than Sysmon provides – http://energy.gov/sites/prod/files/cioprod/documents/Splunkified_- _the_Next_Evolution_of_Log_Analysis_-_Green_and_McCord.pdf – http://digirati82.com/wls-information/ MalwareArchaeology.com
  36. 36. Malware Discovery • Once a system was labeled “suspect” • Compare known good hashes to suspect system • Odd files will show up • What???? • You don’t have a Log Management solution – SIEM MalwareArchaeology.com
  37. 37. INTERMISSION MalwareArchaeology.com
  38. 38. Introducing • Use in a Malware Analysis Lab • Investigate a suspect system • For Incident Response • Produce IT/InfoSec/Audit/Compliance report comparing actual Audit Log system settings to CIS and “Windows Logging Cheat Sheet” recommendations • Assist in tweaking File and Registry auditing MalwareArchaeology.com
  39. 39. Introducing • Log Malicious Discovery tool • When you run the tool, it tells you what auditing and settings to configure that it requires • Once the system and/or GPO is configured 1. Clear the logs 2. Infect the system 3. Run Log-MD 4. Review “Report.csv” in Excel MalwareArchaeology.com
  40. 40. Functions • Audit Report of log settings compared to: – The “Windows Logging Cheat Sheet” – Center for Internet Security (CIS) Benchmarks • 3 White lists to filter out the known good – By IP Address – By Process Command Line and/or Process Name – By File and Registry locations (requires File and Registry auditing to be set) • Report.csv of data from logs specific to security MalwareArchaeology.com
  41. 41. Crypto Event • C:UsersBobAppDataRoamingvcwixk.exe • C:UsersBobAppDataRoamingvcwpir.exe • C:WINDOWSsystem32cmd.exe /c del C:UsersBobAppDataRoamingvcwixk.exe >> NUL • C:WindowsSystem32vssadmin.exe delete shadows /all /Quiet MalwareArchaeology.com
  42. 42. Malicious Word Doc MalwareArchaeology.com
  43. 43. Malicious Word Doc con’t MalwareArchaeology.com
  44. 44. So what do we get? • WHAT Processes executed • WHERE it executed from • IP’s to enter into Log Management to see WHO else opened the malware • Details needed to remediate infection • Details to improve your Active Defense! • I did this in… MalwareArchaeology.com 15 Minutes!
  45. 45. In Summary • Malware is noisy • We CAN detect it • Logs can hold all types of information – It’s NOT just for Forensics anymore • All we have to do is: – Enable the Logs – Configure the Logs – Gather the Logs – Harvest the Logs • Look for Top Security related events • Use the “Windows Logging Cheat Sheet” • GET Log-MD – It’s FREE! MalwareArchaeology.com
  46. 46. Resources • Websites – MalwareArchaeology.com – Log-MD.com The tool • The “Windows Logging Cheat Sheet” – MalwareArchaeology.com • Malware Analysis Report links too – To start your Malware Management program MalwareArchaeology.com
  47. 47. Questions? • You can find us at: • @HackerHurricane • @Boettcherpwned • Log-MD.com • MalwareArchaeology.com • HackerHurricane.com (blog) • http://www.slideshare.net MalwareArchaeology.com

×