Windows IR made easier and faster v1.0
Windows IR made easier and faster Find the head of the snake using Logs, AutoRuns, Large Registry Keys, Locked Files, IP/WhoIs and Netflow
Malware Archaeology
LOG-MD
BSidesNOLA
Windows IR made easier and faster
Find the head of the snake using Logs, AutoRuns, Large Registry Keys, Locked Files, IP/WhoIs and Netflow
Michael Gough – Founder
MalwareArchaeology.com
IMFSecurity.com

Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
• Creator of the “Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet”, “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” and “Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
  – With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane, also my Blog MalwareArchaeology.com

The Challenge
• Why can’t we be the ones to discover that a system is compromised?
• Before we receive a call from a 3rd party?
• How do we take a system like that one
  – <insert one of your laptops here>
• And determine if it is clean or compromised?

How all this started
• I worked for a gaming company that got pwned BAD by the Winnti group
• We knew systems were infected, but how do you find what they placed and modified on the system?
• In 2012 logging was not as good as it is now
• In 2014 logging was MUCH better – Yay CMD Line Logging 8.1/2012
• So we had to find it the old fashioned way
  – Hash the files on a clean system (we built it) and compare it to a suspect system, we had lots of suspects…
  – RegShot GUI
  – Painful long analysis, almost forensics
• Once we found the bad we had good tools to find it everywhere
  – Splunk and BigFix are AWESOME !!!!!

The Pretty Blue Blinky Lights
• We can’t all afford fancy $100k EDR endpoint solutions
• Or fancy IR solutions
  – I LOVE BigFix for IR, or equivalent
• We can’t all afford to call an IR Firm once an incident occurs
  – $350-$450/hr times X people

So what are our options?
• Anti-Virus
• Next Gen Endpoint at $100k+
• Full Blown Forensics
• IR Firm at $350-$450/hr
• Detect and Respond yourself
• Proactive Hunting yourself
• Learning to do it ourselves should be our goal

I think or know that one is infected
• So how do we go about investigating it?
• What kinds of things can we do to check a system?
• We know certain things about systems
  – The malwarians behave a certain way
  – Many things are normal
• So let’s use what’s normal to find their bad behavior

Typical Malwarian Behavior
• They generally compromise user space first
  – C:\Users
• And anywhere a standard user has rights
  – Whatever level a user is logged in at, they have rights to add/modify/delete stuff
• Then they go to Admin creds and space
  – They own the system now
• And now east/west lateral movement is easy
• And all that APT stuff the reports talk about

So how do we catch them?
• We need to focus more on Detection and Hunting
• Automate it too!
• Log management is the best option IMHO, but it can also be costly
  – There are cheaper solutions – Graylog, ELK, etc.
  – But free is not (human resource) free
• Most of us have configuration management, we have to automate patching
• Maybe we can use this?

Command Line Rocks!
• We all use it
• So do many/most IR and Forensics tools
• GUIs are bad because we cannot automate a GUI
• So command line rocks
• We can automate command line
• Which is why I recommend and use command line solutions and tools
  – If you don’t have the $$$$ solutions

Command Line
• We can use logon scripts, PowerShell, PSExec, etc.
• Configuration Management like BigFix, Tanium, SCCM
• Pick one, something, whatever you have
• This allows you to automate command line tools

Artifacts

So what do we look for?
• New files added to user space – C:\Users
• Files added in Admin space – Everywhere else
• Persistence – Autorun locations
• Registry Keys added or changed
• Large Registry Keys – They hide stuff here
• Logs of course, LOTS of good stuff here
• Odd artifacts that Breach and Malware Analysis reports show that are ‘good to detect’

So what can we do quickly?
• Lots of python scripts, projects, tools and options
  – Not really my thing, too many things to compile and tweak, I should not have to hack together my detection and hunting tool(s) suite
• I wanted something that allowed me to focus on what I saw that worked
  – Well configured logs
  – Targeted reports by category
  – Large Registry Keys
  – Changes to Registry keys
  – Files added to places that seem odd
  – Other Interesting Artifacts

Something New

I came here to show you a new tool
• It did not exist, so we created it
  – Turned a collection of my scripts into a tool
• Built on everything I saw and experienced with Winnti over 3 years, which was a LOT
• And Breach and Malware Analysis reports
• Tips from colleagues at this very conference
• And years of experience of course
• And because we may not be able to afford $$$$

The Log and Malicious Discovery tool
Logging:
• ALL VERSIONS OF WINDOWS (Win 7 & up)
• Audits your system log settings and produces a report, every time it runs
• Also shows failed items on the console
• Guides you to configure proper audit logging
• Guides you to enable what is valuable
• Compares auditing to many industry standards
  – CIS, USGCB and AU standards and the “Windows Logging Cheat Sheet”

There are three versions
• Free Edition
• Professional Edition
• Consulting Edition
  – Just a license difference to Pro

All Versions
• Collect 1-7 days of logs (7 days is about a 1 GB Security Log)
LOG-MD does more than just harvest logs
• Full filesystem Hash Baseline
• Full filesystem compare to a Hash Baseline
• Full system Registry Baseline
• Full system compare to Registry Baseline
• Large Registry Key discovery
• List of Autoruns (coming next release)
• List of Locked files (coming next release)
• 3 Whitelist files to reduce normal noise and events

Free Edition
• Over 15 reports
• Quick Start Guide
• All reports are TXT or CSV for easy scripting and post processing with your favorite flavor of scripting
• Scripts I created are what became LOG-MD Pro

• Over 25 reports
• Full User Manual
• Collects Sysinternals Sysmon events
• WhoIS resolution of IPs from Win FW/Sysmon
  – Owner, Network, Country, CIDR
• Master-Digest to exclude hashes and files
• 3 more Whitelisting files
  – File, Registry and AutoRuns

• Interesting Artifacts report
  – Null byte in registry value, Sticky Keys, etc.
  – Adding more all the time
• SRUM (netflow from/to a binary)
  – Win 8.1 and 10 only
• AutoRuns compare feature to show only those Autoruns whose hashes are not in the Master Digest or Whitelisted parameters
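Two of the artifacts named above, large registry values (“they hide stuff here”) and a null byte inside a registry string value, both come down to a triage pass over collected registry data. The following is an added example, not LOG-MD’s code: it takes records already exported as (key, value name, type, raw bytes), flags values over a size threshold (the 20 KiB cut-off is an assumption for this example; the slides give no number) and REG_SZ data with an embedded NUL, and runs over constructed sample values. Working from the raw bytes matters: any string API that stops at the first NUL would show only the prefix and never reveal the hidden tail.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Threshold above which a value counts as "large". LOG-MD's own cut-off is not
# stated on the slides, so 20 KiB is an assumption chosen for this example.
LARGE_VALUE_BYTES = 20 * 1024

@dataclass
class RegValue:
    key: str     # full key path the value lives under
    name: str    # value name ("" for the default value)
    kind: str    # registry type name, e.g. REG_SZ, REG_BINARY, REG_DWORD
    data: bytes  # raw value data exactly as stored in the hive

def flag_value(v: RegValue) -> List[str]:
    """Return every reason this value deserves a look; an empty list means 'normal'."""
    reasons: List[str] = []
    if len(v.data) >= LARGE_VALUE_BYTES:
        reasons.append(f"large value ({len(v.data)} bytes)")
    if v.kind in ("REG_SZ", "REG_EXPAND_SZ"):
        # String values are stored as UTF-16LE. A NUL character before the final
        # terminator means anything after it is invisible to viewers and APIs that
        # stop at the first NUL: the "null byte in registry value" artifact.
        try:
            text = v.data.decode("utf-16-le")
        except UnicodeDecodeError:
            reasons.append("string value is not valid UTF-16")
        else:
            if "\x00" in text.rstrip("\x00"):
                reasons.append("embedded null byte in string value")
    return reasons

def triage(values: Iterable[RegValue]) -> List[Tuple[str, str, List[str]]]:
    """(key, name, reasons) for each value that trips at least one check."""
    hits = []
    for v in values:
        reasons = flag_value(v)
        if reasons:
            hits.append((v.key, v.name, reasons))
    return hits

def utf16(s: str) -> bytes:
    """Encode a Python string the way the registry stores REG_SZ data (with terminator)."""
    return s.encode("utf-16-le") + b"\x00\x00"

# Constructed sample records: none of these values come from a real system.
REG_SAMPLE = [
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", "REG_SZ",
             utf16(r"C:\Program Files\Example\updater.exe /quiet")),
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Helper", "REG_SZ",
             utf16("helper.exe\x00 -hidden")),   # the text after the NUL is the hidden tail
    RegValue(r"HKLM\SOFTWARE\Example\Cache", "Blob", "REG_BINARY",
             b"MZ" + bytes(40000)),              # oversized binary blob parked in a value
    RegValue(r"HKLM\SOFTWARE\Example\Settings", "Level", "REG_DWORD",
             (3).to_bytes(4, "little")),
]

def report(values: Iterable[RegValue] = REG_SAMPLE) -> List[str]:
    """One line per flagged value, in the TXT-report spirit of the tool's output."""
    return [f"{key}\\{name}: {'; '.join(reasons)}" for key, name, reasons in triage(values)]

if __name__ == "__main__":
    print("\n".join(report()))
```

The checks are deliberately independent of how the records were collected, so the same triage can run over a live export or over values pulled from an offline hive.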
What is a Master-Digest?

Master-Digest
• A Hash Baseline (Hash_Baseline.txt) is a list of every file and hash on the C: drive
• A Master Digest only lists the unique files and hashes, and they are sorted
• Results in 33%+ fewer files to do compares against, so much faster
• Speed for any disk reads is a good thing

Master-Digest
• You can append files and hashes to the Master Digest as you validate them as good
• You can feed the Master Digest any set of SHA256 Hashes like:
  – Hashsets.com (Whitehat Forensics)
  – NSRL, etc.
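The Hash Baseline / Master-Digest workflow described on the last few slides, as an added Python example (this is not LOG-MD’s code; the row format, the digest layout and the two sample file trees are constructed for the example): hash a tree into (path, sha256) rows, collapse them into unique sorted (sha256, name) rows, compare a suspect tree against the digest, and append a vetted hash so the next compare shrinks. It also records a file that cannot be opened as locked instead of aborting, which is the point of the Locked Files slides later on: a locked file cannot be hashed.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

LOCKED = "LOCKED"  # stands in for the hash of a file the OS would not let us open

def sha256_file(path: str) -> str:
    """SHA256 of one file, or LOCKED when it cannot be read (a locked file cannot be hashed)."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    except PermissionError:
        return LOCKED
    return h.hexdigest()

def hash_baseline(root: str) -> List[Tuple[str, str]]:
    """Every file under root with its hash: one (relative path, sha256) row per file."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rows.append((os.path.relpath(full, root), sha256_file(full)))
    return sorted(rows)

def master_digest(baseline: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Unique, sorted (sha256, file name) pairs: copies of the same binary collapse to one row."""
    uniq = {(h, os.path.basename(p)) for p, h in baseline if h != LOCKED}
    return sorted(uniq)

def append_validated(digest, validated: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Merge hashes you have vetted as good (or an external SHA256 set) and keep the digest sorted."""
    return sorted(set(digest) | set(validated))

def compare(suspect: Iterable[Tuple[str, str]], digest) -> Dict[str, List[str]]:
    """Split a suspect host's rows into files whose hash is not in the digest and files we could not hash."""
    known: Set[str] = {h for h, _ in digest}
    result: Dict[str, List[str]] = {"unknown": [], "locked": []}
    for path, h in suspect:
        if h == LOCKED:
            result["locked"].append(path)
        elif h not in known:
            result["unknown"].append(path)
    return result

def write_tree(root: str, files: Dict[str, bytes]) -> None:
    """Materialise a constructed {relative/path: content} tree under root."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

def demo() -> dict:
    """Constructed clean and suspect trees in temp dirs; returns what an analyst would read off."""
    common = {"Windows/System32/a.dll": b"A" * 100, "Windows/SysWOW64/a.dll": b"A" * 100,
              "Windows/System32/b.exe": b"B" * 100, "Users/Public/readme.txt": b"hello"}
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        write_tree(clean, common)
        write_tree(suspect, common)
        # The suspect host differs in two ways: a dropped file and a patched binary.
        write_tree(suspect, {"Users/Public/svc.exe": b"dropped",
                             "Windows/System32/b.exe": b"B" * 99 + b"!"})
        digest = master_digest(hash_baseline(clean))
        sus = hash_baseline(suspect)
        first = compare(sus, digest)
        # The analyst vets svc.exe as good and appends it; the next compare shrinks to the patched binary.
        svc_hash = dict(sus)[os.path.join("Users", "Public", "svc.exe")]
        second = compare(sus, append_validated(digest, [(svc_hash, "svc.exe")]))
        return {"baseline_rows": len(common), "digest_rows": len(digest),
                "first": first["unknown"], "second": second["unknown"], "locked": first["locked"]}

if __name__ == "__main__":
    print(demo())
```

In the constructed tree the two copies of a.dll collapse to one digest row, which is the whole reason the digest compares faster than the raw baseline; on a real C: drive the saving is larger because system binaries are duplicated far more often.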
SRUM

SRUM for IR and Malware Analysis
• SRUM holds 60 days of data !!!
• Updates (flushes cache to the database) in one hour intervals or on shutdown
• How many bytes were written and read from the system by Application/Process

• LOG-MD-Pro can harvest SRUM data LIVE or offline like traditional forensic tools
• Great for answering the questions
  – Did we lose any data?
  – When were we first infected?
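An added example of the post-processing the SRUM report invites (not LOG-MD’s code; the records are constructed, and parsing the real SRUDB.dat ESE database is out of scope here): roll hourly per-process network bytes up by application, rank egress to start on “did we lose any data?”, flag processes that upload far more than they download, read each flagged process’s first-seen time for “when were we first infected?”, and keep the 60-day retention window in view when interpreting that answer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SRUM_RETENTION_DAYS = 60  # from the slide: SRUM keeps about 60 days of history

@dataclass
class NetRow:
    ts: datetime      # hour bucket the record was flushed for
    app: str          # application / process the bytes belong to
    bytes_sent: int
    bytes_recv: int

@dataclass
class AppSummary:
    first_seen: datetime
    last_seen: datetime
    bytes_sent: int
    bytes_recv: int

def summarize(rows: List[NetRow]) -> Dict[str, AppSummary]:
    """Roll hourly records up per application: first/last activity and total bytes each way."""
    out: Dict[str, AppSummary] = {}
    for r in rows:
        s = out.get(r.app)
        if s is None:
            out[r.app] = AppSummary(r.ts, r.ts, r.bytes_sent, r.bytes_recv)
        else:
            s.first_seen = min(s.first_seen, r.ts)
            s.last_seen = max(s.last_seen, r.ts)
            s.bytes_sent += r.bytes_sent
            s.bytes_recv += r.bytes_recv
    return out

def rank_by_egress(summary: Dict[str, AppSummary], top: int = 3) -> List[Tuple[str, int]]:
    """Which processes sent the most data out? First stop for 'did we lose any data?'."""
    return sorted(((app, s.bytes_sent) for app, s in summary.items()), key=lambda x: -x[1])[:top]

def upload_heavy(summary: Dict[str, AppSummary], ratio: float = 5.0,
                 min_sent: int = 100 * 1024 * 1024) -> List[str]:
    """Processes that sent far more than they received; browsers and mail clients normally do the opposite.
    The ratio and floor are assumptions for this example, tune them to your environment."""
    return sorted(app for app, s in summary.items()
                  if s.bytes_sent >= min_sent and s.bytes_sent > ratio * max(s.bytes_recv, 1))

def oldest_recoverable(now: datetime) -> datetime:
    """Records older than this have rolled out of SRUM; the first infection may predate it."""
    return now - timedelta(days=SRUM_RETENTION_DAYS)

def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed records, not parsed from a real SRUM database.
SRUM_SAMPLE = [
    NetRow(ts("2016-04-01 09:00"), "browser.exe", 4_000_000, 180_000_000),
    NetRow(ts("2016-04-01 13:00"), "browser.exe", 6_000_000, 250_000_000),
    NetRow(ts("2016-04-02 08:00"), "mail.exe", 20_000_000, 90_000_000),
    NetRow(ts("2016-04-03 02:00"), "svc.exe", 700_000_000, 800_000),  # night-time, almost pure upload
    NetRow(ts("2016-04-04 02:00"), "svc.exe", 900_000_000, 900_000),
    NetRow(ts("2016-04-04 10:00"), "mail.exe", 15_000_000, 70_000_000),
]

def investigate(rows: List[NetRow] = SRUM_SAMPLE) -> dict:
    """The three answers an analyst wants from the SRUM netflow view."""
    s = summarize(rows)
    flagged = upload_heavy(s)
    return {"top_egress": rank_by_egress(s, 2),
            "upload_heavy": flagged,
            "first_seen": {app: s[app].first_seen for app in flagged}}

if __name__ == "__main__":
    for key, value in investigate().items():
        print(key, value)
```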
AutoRuns

Autoruns
• We need to find the persistence
• There are typically over 1000 autoruns
• We need a way to filter down the known good
• Master-Digest to the rescue !!!
• Whitelist out binaries with parameters
• The parameters are often where the bad stuff hides so whitelisting is the best option
• So we let you whitelist out your known good

Autoruns
• 1257 autoruns
• Subtract hashes in the Master-Digest
• 171 autoruns with parameters remain
• Subtract the whitelist
• 2 remain, and Splunk to show a normal entry
• Easy to spot the malicious persistence
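The two subtraction steps above, as an added Python example (not LOG-MD’s code; the entries, the placeholder hashes and the whitelist patterns are constructed). One interpretation is made explicit in the code: an entry whose hash is in the Master-Digest is dropped in step one only when it carries no parameters, which is how “autoruns with parameters remain” after that step and why a trusted host binary launching something through its parameters stays on the list; step two then drops entries whose full command line matches a whitelist regex you have reviewed.

```python
import re
from dataclasses import dataclass
from typing import List, Set

@dataclass
class Autorun:
    location: str  # key, service, task or folder the entry was found in
    image: str     # binary the entry launches
    params: str    # command-line parameters, "" when there are none
    sha256: str    # hash of the image on disk

def drop_known_hashes(entries: List[Autorun], digest: Set[str]) -> List[Autorun]:
    """Step 1: drop entries whose binary is in the Master-Digest, unless they carry parameters.
    A known-good host process is still interesting when its parameters point at something else,
    because the parameters are where the bad stuff hides."""
    return [e for e in entries if e.sha256 not in digest or e.params]

def drop_whitelisted(entries: List[Autorun], patterns: List[str]) -> List[Autorun]:
    """Step 2: drop entries whose full command line matches a whitelist regex you have reviewed."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [e for e in entries
            if not any(rx.fullmatch(f"{e.image} {e.params}".strip()) for rx in compiled)]

def triage_autoruns(entries: List[Autorun], digest: Set[str], patterns: List[str]) -> dict:
    """Run both subtractions and report the counts at each stage plus what is left to review."""
    after_digest = drop_known_hashes(entries, digest)
    remaining = drop_whitelisted(after_digest, patterns)
    return {"total": len(entries), "after_digest": len(after_digest),
            "remaining": [f"{e.location} -> {e.image} {e.params}".rstrip() for e in remaining]}

# Constructed entries; the "H-..." strings are placeholders, not real SHA256 digests.
KNOWN_HASHES = {"H-UPDATER", "H-TRAY", "H-RUNDLL32", "H-SVCHOST", "H-SYNC"}
AUTORUN_SAMPLE = [
    Autorun(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"C:\Program Files\Example\updater.exe", "/background", "H-UPDATER"),
    Autorun(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"C:\Program Files\Example\tray.exe", "", "H-TRAY"),
    Autorun("Scheduled task: Maintenance",
            r"C:\Windows\System32\rundll32.exe", r"C:\Users\bob\AppData\Roaming\u.dll,Start", "H-RUNDLL32"),
    Autorun(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"C:\Users\bob\AppData\Local\Temp\svc.exe", "", "H-UNSEEN"),
    Autorun("Service: netsvcs", r"C:\Windows\System32\svchost.exe", "-k netsvcs", "H-SVCHOST"),
    Autorun("Service: LocalService", r"C:\Windows\System32\svchost.exe", "-k LocalService", "H-SVCHOST"),
    Autorun("Startup folder", r"C:\Program Files\Example\sync.exe", "", "H-SYNC"),
]
# Reviewed command lines. Regexes let one pattern cover a family such as svchost -k <group>.
WHITELIST = [
    re.escape(r"C:\Program Files\Example\updater.exe /background"),
    re.escape(r"C:\Windows\System32\svchost.exe -k ") + r"[A-Za-z]+",
]

if __name__ == "__main__":
    result = triage_autoruns(AUTORUN_SAMPLE, KNOWN_HASHES, WHITELIST)
    print(result["total"], "->", result["after_digest"], "->", len(result["remaining"]))
    for line in result["remaining"]:
        print(" ", line)
```

What survives both cuts in the constructed set is a known-good rundll32.exe pointed at a DLL in a user profile and an unknown binary in a Temp folder, which is the short review list the slide is after.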
Locked Files

Locked Files
• If a file is locked…
• You can’t hash it
• You can’t run Sigcheck or Strings or pick your favorite tool, you need to break the handle first
• It sure would be nice to see a list of locked files
• That are DIFFERENT from the norm

Locked Files

Resources
LOG-MD.COM
• Websites
  – Log-MD.com – The tool
• The “Windows Logging Cheat Sheet(s)”
  – MalwareArchaeology.com
• This presentation and others on SlideShare
  – Search for MalwareArchaeology or LOG-MD

Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)