The security gap continues to evolve as attackers adjust their tactics to evade the latest defensive techniques. Using a recent case study, Adam Burt, Senior Systems Engineer at Fidelis Cybersecurity, will share his experience “From the Front Lines” with an example of the issues faced during investigations and Incident Response work.
2. Example based on a previous case
• Customer called us in to investigate suspect machines
• Systems were infected with malicious software
• Customer already attempted discovery / analysis
• 64-bit malware
• Had to re-create the malware manually
• Attempted to evade detection / collection
4. Example based on a previous case
• Didn’t make use of any Jedi mind tricks
• Does show Fidelis Technologies (a bit)
• I feel a little bad labelling Obi-wan as malware
5. Scenario
• We deployed to site
• We were briefed
• We were given access to their on-site tooling (which was handy)
• Here is what we found…
9. Let’s go get that file!
• Using the customer’s already-deployed tools
• Agent was capable of forensic capture (file / memory)
• We went to collect “C:\Windows\System32\mftf.exe”
• Sure, we can disassemble and pick through the code, easy, no problem
13. Something didn’t look right
Errrrr, what???
7a02b873bfb5ec3957eef4d9983443be != f2c7bb8acc97f92e987a2d4087d021b1
= No match!
14. How does this feel?
• The customer is always watching
• You feel compelled to find and fix everything humanly possible
• When something doesn’t go right, panic can set in…
16. How does this feel?
• Even when it’s nothing to panic about
17. What was this malware doing?
• Rootkit?
• Custom file system filter?
• Automated suspension / termination on recognised process execution?
• Fileless / injected?
19. File System Redirector
“Most DLL file names were not changed when 64-bit versions of the DLLs were created, so 32-bit versions of the DLLs are stored in a different directory. WOW64 hides this difference by using a file system redirector.” *
“In most cases, whenever a 32-bit application attempts to access %windir%\System32, the access is redirected to %windir%\SysWOW64.” *
* https://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
20. File System Redirector
On 64-bit Windows
System32 = 64-bit
SysWOW64 = 32-bit
That makes sense
Why was this done?
Perhaps to help us avoid that complication of re-writing in 64-bit code? oh, wait….
21. One reason
DLL search order
(in no particular order, because DLL safe search, SetDllDirectory, LOAD_WITH_ALTERED_SEARCH_PATH etc. all change it)
• The directory from which the application loaded.
• The system directory
• The 16-bit system directory
• The Windows directory
• The current directory.
• The directories that are listed in the PATH environment variable
The system directory is the one relevant to our situation
22. File System Redirector
[Diagram: a 32-bit process accesses C:\Windows\system32; the File System Redirector sends that access to C:\Windows\SysWOW64. The customer’s acquisition tools ended up reading C:\Windows\SysWOW64; the malware was in C:\Windows\system32.]
23. Lessons learned
• Their tools didn’t accommodate the File System Redirector
• File System Redirector can be “disabled” for a process
• The malware authors didn’t have to work hard (or perhaps they didn’t know about FSR) to hide their malware
• Other than the file collection issue, the malware was pretty obvious
• Microsoft always surprises us
“Applications can control the WOW64 file system redirector using the Wow64DisableWow64FsRedirection, Wow64EnableWow64FsRedirection, and Wow64RevertWow64FsRedirection functions. Disabling file system redirection affects all file operations performed by the calling thread, so it should be disabled only when necessary for a single CreateFile call and re-enabled again immediately after the function returns.”
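The following PowerShell script is an added example for this talk; it is not code from the original slides, from Fidelis, or from the customer’s tooling. It reproduces the hash mismatch from slide 13 and the control described in the quote above: it reports whether the running process is 32-bit code on 64-bit Windows, hashes the file a redirected process is handed for a System32 path, hashes the same path with redirection disabled for the single read (via Wow64DisableWow64FsRedirection / Wow64RevertWow64FsRedirection, wrapped with Add-Type), and compares the two. It assumes 64-bit Windows, uses MD5 only because the slide’s hashes are 32 hex characters, and uses the file name “mftf.exe” only because the slides name it; any file under System32 can be substituted.

```powershell
# Added example, not part of the original talk: compare the view a (possibly
# 32-bit) acquisition process gets of a System32 file with the native view.
# Assumes 64-bit Windows; MD5 chosen to match the hash length on the slide.

# Wrappers for the kernel32 functions quoted on the slide.
Add-Type -Namespace Wow64 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64DisableWow64FsRedirection(out IntPtr oldValue);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64RevertWow64FsRedirection(IntPtr oldValue);
'@

function Test-Wow64Process {
    # True only for the case that bit the customer's tools: 32-bit code on 64-bit Windows.
    [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess
}

function Get-Md5OrNull {
    # Hash a file through whatever view this thread currently has; $null if absent.
    param([string]$Path)
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    } else {
        $null
    }
}

function Get-Md5WithoutRedirection {
    # Disable redirection for this thread, do the one read, revert in finally:
    # the narrow pattern the quoted MSDN guidance asks for.
    param([string]$Path)
    if (-not (Test-Wow64Process)) { return Get-Md5OrNull $Path }   # nothing to bypass
    $old = [IntPtr]::Zero
    if (-not [Wow64.Native]::Wow64DisableWow64FsRedirection([ref]$old)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "Wow64DisableWow64FsRedirection failed, Win32 error $err"
    }
    try {
        Get-Md5OrNull $Path
    } finally {
        [void][Wow64.Native]::Wow64RevertWow64FsRedirection($old)
    }
}

function Compare-System32View {
    # Compare the redirected and the native view of one file under System32.
    param([Parameter(Mandatory)][string]$Name)
    $system32 = Join-Path $env:windir "System32\$Name"
    $syswow64 = Join-Path $env:windir "SysWOW64\$Name"

    $asSeen = Get-Md5OrNull $system32               # what this process is actually given
    $native = Get-Md5WithoutRedirection $system32   # the real 64-bit System32 file
    $wow    = Get-Md5OrNull $syswow64               # the 32-bit directory, read directly

    $redirected = ($null -ne $asSeen) -and ($asSeen -eq $wow) -and ($asSeen -ne $native)
    if ($asSeen -eq $native) { $verdict = 'match' } else { $verdict = 'NO MATCH - check redirection' }

    [pscustomobject]@{
        Path                  = $system32
        ProcessIs32BitOnWow64 = Test-Wow64Process
        HashAsSeen            = $asSeen
        HashNative            = $native
        HashSysWOW64          = $wow
        RedirectedToSysWOW64  = $redirected
        Verdict               = $verdict
    }
}

# Usage: run once from 64-bit PowerShell and once from the 32-bit host
# (%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe); only the second
# run can show HashAsSeen differing from HashNative. "mftf.exe" is the slide's name.
Compare-System32View -Name 'mftf.exe' | Format-List
```

Two practical notes. First, a 32-bit process can also reach the native directory without touching the redirector by reading `%windir%\Sysnative\<name>`, a virtual alias that only exists for 32-bit processes on 64-bit Windows; the P/Invoke route above is shown because it is what the quoted guidance describes. Second, the cheapest check for an acquisition pipeline is the one `Test-Wow64Process` makes: if the collector is a 32-bit process, every System32 path it reports is suspect until it has been confirmed against the native view.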
24. Hiding in plain sight
• There are many aspects that can hinder an investigation
• Investigations can take unexpected turns
• They can be stressful and emotional
• It’s easy to make an assumption, but without evidence, this is dangerous
• We are always assessing our evidence and tool sets
25. Questions and Contact
Adam Burt
adam.burt@fidelissecurity.com
Peter Wieschollek
peter.wieschollek@fidelissecurity.com
Lukasz Przybylski
lukasz.przybylski@eversys.pl
Editor's Notes
Introduce yourself:
Name
Position: Systems Engineering & Incident Response
Working in IT since 1999
Working with computers since 1992
What is the presentation about?
A view from the front lines as an incident responder
Small insight into some of the challenges
Small insight into the mind set and emotions of an incident responder
Describe the deployment:
Size of customer – Thousands of users, but only several were affected
Had global sites - although only a single site was affected and only several computers
On-site response team, although not an “official” IR team