Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Logging for Hackers v1.0

1,082 views

Published on

A look at the types malicious artifacts from Advanced and Commodity attacks, what unique artifacts to look for and how logging caught them for a Windows environment and how LOG-MD can help.

MalwareArchaeology.com
LOG-MD.com

Published in: Technology
  • Be the first to comment

Logging for Hackers v1.0

  1. 1. Logging for Hackers, How we catch commodity and advanced malware with this method. IF only retailers did this and how you can start doing it Michael Gough – Founder MalwareArchaeology.com MalwareArchaeology.com
  2. 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Malware Management Framework” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • @HackerHurricane also my Blog MalwareArchaeology.com
  3. 3. Goal • Interaction – Don’t be a Ding Dong, ask a question… you WILL be rewarded for positive synergy! • Learn how us Ninja’s do it so you can too • We have a NEW Tool for YOU!!! MalwareArchaeology.com
  4. 4. Malware evolves • So must we • Darwin says so • Evolve or die • Well… Evolve or get breached anyways • Which means an RGE !!! – Resume Generating Event MalwareArchaeology.com
  5. 5. • We discovered this May 2012 • Met with the Feds ;-) Why you should listen to me? MalwareArchaeology.com 2014 - We gave an infected VM to one of the Big IR Firms… They came back “Yup.. It’s clean” #Fail
  6. 6. A quick look at Advanced Malware Artifacts MalwareArchaeology.com
  7. 7. WINNTI 2012 Summary Pretty typical advanced malware • DLL Injection – WBEM – Windows – System32 – Files stored – ProgramData – Files stored • Sysprep Cryptbase.dll exploit • Boot up back door, deletes on load, writes on shutdown – Killed by pulling the power ;-) • New Services installed • Multiple infections per machine hoping you miss one MalwareArchaeology.com
  8. 8. WINNTI 2014 • Summary of improvements for WINNTI 2014 – PlugX used as a base, modules added – Dll injection on SQL Server (5 dirs. Deep) • Allowed for SQL Mgmt utilities to enable XP Command Shell and run .NET commands – Binary infector – altered existing management binaries to call main payload – and STILL worked! – Driver infector – Added driver to look like existing management software – Hid scripts in the Registry – Hid payload in the Registry! • The Registry is a Huuuuuuuuuuuuuuuuge Database MalwareArchaeology.com
  9. 9. Initial Infectors • Perflogs – C.exe – Communication to infected system • Thanks for the Port and Password • For once WE compromised THEM! Now who is “sophisticated” ;-) • PROOF of the power of Command Line Logging! MalwareArchaeology.com
  10. 10. Persistence • C:Program FilesCommon Files – WLXSys64.sys – NOT ON DISK ANYWHERE ???? • Modified existing service – WERCplSupport (Who needs WER Support) – Changed ServiceDll to: • Program FilesCommon FilesWLXSys64.sys MalwareArchaeology.com • So how did it load if it was NOT on disk??? Normal NOT Normal
  11. 11. Persistence • Avoided leaving key files behind like they did before, well one anyways… the persistence piece MalwareArchaeology.com
  12. 12. A quick look at Commodity Malware Artifacts MalwareArchaeology.com
  13. 13. Angler delivered Kovtar • Unique way to hide the persistence • Inserted a null byte in the name of the Run key so that RegEdit and Reg Query fail to read and display the value MalwareArchaeology.com
  14. 14. Dridex Artifacts MalwareArchaeology.com
  15. 15. Dridex Persistence • New method towards the end of 2015 • Nothing in the Registry showing persistence while system was running • In memory only until system shutdown • Then we caught the bugger, with good auditing of course and MalwareArchaeology.com
  16. 16. Artifacts • Dll Injection – New Files dropped in Windows core directories • Command Line details • Admin tools misused • Delete on startup, write on shutdown • New Services (retail PoS should know this) • Drivers used (.sys) • Infected management binary (hash changed) • Scripts hidden in the registry • PAYLOAD hidden in the registry (256k binary) MalwareArchaeology.com
  17. 17. How to Detect Malicious Behavior MalwareArchaeology.com
  18. 18. So what led us there? Command Line Logging !!!! • At the time of Winnti 2014 ONLY Win 8.1 and Win 2012 R2 • Which we had, then we saw this in our alerts of suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib) • Scripts too MalwareArchaeology.com
  19. 19. Hidden in the Registry • Command Line execution led us to Registry Keys. The main payload and scripts to infect were stored in the registry – Classes and Client Keys MalwareArchaeology.com
  20. 20. Hidden in the Registry • HEX in some cases where infection was not complete or when we recreated it in the lab because we were missing something (the infected persistence binary) • A Binary when complete, encrypted in some way MalwareArchaeology.com
  21. 21. Hiding in the Registry • This was new for WINNTI 2014, other advanced malware uses this method too • They added three values to the Keys • HKLMSoftwareClients or Classes – putfile – file – read • This found on only a few systems to hide another backdoor – HKLMSoftwareWow6432NodeBINARYAcrobat.dxe MalwareArchaeology.com
  22. 22. HKLMSoftwareClients • putfile • file • read MalwareArchaeology.com 4D5A = MZ in HEX
  23. 23. Persistence • Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe) • Altered system management binaries – McAfeeFrameworkService – BESClientHelper – Attempted a few others, some failed MalwareArchaeology.com • We tried the infector on several other system files and it worked
  24. 24. Persistence • Infected management binary read key, decrypted payload and dropped into: – Program FilesCommon Files • NOW WERCplSupport ServiceDll exists! • As soon as it was loaded… it was deleted making it hard for us to find it MalwareArchaeology.com But we were better than that ;-)
  25. 25. So what led us there? • Malware Discovery Baseline • Compared infected system hashes (Suspect) to a known good system hashes (Master-Digest) • Showed some single hashes in directories that were odd to us (our own management software)? • So we looked for these binaries across all systems • ONLY the infected system had these odd hashes MalwareArchaeology.com
  26. 26. Persistence • BAM! Got ya – PROCMon on bootup MalwareArchaeology.com
  27. 27. FINALLY ! • Malware Management allowed us to setup alerts on artifacts from other malware analysis • Of course our own experience too • Malware Discovery allowed us to find odd file hashes, command line details, registry locations • Malware Analysis gave us the details MalwareArchaeology.com
  28. 28. What we need to look for • Logs of course, properly configured - Events – Command Line details – Admin tools misused – executions – New Services (retail PoS should know this) – Drivers used (.sys) • New Files dropped anywhere on disk – Hashes • Infected management binary (hash changed) • Delete on startup, write on shutdown - Auditing • Scripts hidden in the registry – Registry Compare • Payload hidden in the registry – Large Reg Keys • Malware Communication – IP and WhoIS info • Expand PowerShell detection • VirusTotal Lookups MalwareArchaeology.com
  29. 29. So what did we take away from all of this? MalwareArchaeology.com
  30. 30. It didn’t exist So we created it! So you can do it too! MalwareArchaeology.com
  31. 31. Announcing the release of… MalwareArchaeology.com FREE! $299 AND Version RC-1
  32. 32. MalwareArchaeology.com • Log and Malicious Discovery tool • When you run the tool, it tells you what auditing and settings to configure that it requires. LOG-MD won’t harvest anything until you configure the system! • Once the system and/or GPO is configured 1. Clear the logs 2. Infect the system 3. Run Log-MD 4. Review “Report.csv” in Excel
  33. 33. Functions MalwareArchaeology.com • Audit Report of log settings compared to: – The “Windows Logging Cheat Sheet” – Center for Internet Security (CIS) Benchmarks – Also USGCB and AU ACSC • White lists to filter out the known good – By IP Address – By Process Command Line and/or Process Name – By File and Registry locations (requires File and Registry auditing to be set) • Report.csv - data from logs specific to security
  34. 34. Purpose MalwareArchaeology.com • Malware Analysis Lab • Investigate a suspect system • Audit Advanced Audit Policy settings • Help MOVE or PUSH security forward • Give the IR folks what they need and the Feds too • Take a full system (File and Reg) snapshot to compare to another system and report the differences • Discover tricky malware artifacts • SPEED ! • Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc… • Replace several tools we use today with one easy to use utility that does much more • To answer the question: Is this system infected or clean? • And do it quickly !
  35. 35. Free Edition MalwareArchaeology.com • Harvest security relevant log data • Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations • Perform a full File Baseline of a system • Compare a suspect system to a Baseline or Dir • Perform a full Registry snapshot of a system • Compare a suspect system to a Reg Baseline • Look for Large Registry Keys for hidden payloads
  36. 36. MalwareArchaeology.com • Everything the Free Edition does and… • More reports, breakdown of things to look for • Specify the Output directory • Harvest Sysmon logs • Harvest WLS Logs • Whitelist Hash compare results • Whitelist Registry compare results • Create a Master-Digest to exclude unique files • Free updates for 1 year, expect a new release every quarter • Manual – How to use LOG-MD Professional
  37. 37. MalwareArchaeology.com Future Versions – In the works! • WhoIs lookups of IP Addresses called • VirusTotal lookups of discovered files • Find parent-less processes • Assess all processes and create a Whitelist • Assess all services and create a Whitelist • VirusTotal lookups of unknown or new processes and services • PowerShell details • Other API calls to security vendors
  38. 38. MalwareArchaeology.com Let’s look at some LOG-MD RESULTS
  39. 39. Crypto Event MalwareArchaeology.com • C:UsersBobAppDataRoamingvcwixk.exe • C:UsersBobAppDataRoamingvcwpir.exe • C:WINDOWSsystem32cmd.exe /c del C:UsersBobAppDataRoamingvcwixk.exe >> NUL • C:WindowsSystem32vssadmin.exe delete shadows /all /Quiet
  40. 40. Malicious Word Doc MalwareArchaeology.com DRIDEX
  41. 41. Malicious Word Doc con’t MalwareArchaeology.com More DRIDEX
  42. 42. Use the power of Excel MalwareArchaeology.com • The reports are in .CSV format • Excel has sorting and Filters • Filters are AWESOME to thin out your results • You might take filtered results and add them to your whitelist once vetted • Save to .XLS and format, color code and produce your report • For .TXT files use NotePad++
  43. 43. So what do we get? MalwareArchaeology.com • WHAT Processes executed • WHERE it executed from • IP’s to enter into Log Management to see WHO else opened the malware • Details needed to remediate infection • Details to improve your Active Defense! • I did this in… 15 Minutes!
  44. 44. Resources MalwareArchaeology.com • Websites – Log-MD.com The tool • The “Windows Logging Cheat Sheet” – MalwareArchaeology.com • Malware Analysis Report links too – To start your Malware Management program • This presentation is on SlideShare – Search for MalwareArchaeology or LOG-MD
  45. 45. Testers for RC-1 MalwareArchaeology.com • May 1st 2016 - launch date • Looking for a few good testers… – of LOG-MD Professional • Test the manual and tool and provide feedback • You WILL be rewarded for the effort ;-) • You heard it here first ! • A gift from Austin Security Professionals – Keeping Security Weird
  46. 46. Questions? MalwareArchaeology.com You can find us at: • Log-MD.com • @HackerHurricane • @Boettcherpwned • MalwareArchaeology.com • HackerHurricane.com (blog) • http://www.slideshare.net – LinkedIn now

×