The document discusses how to detect malware through effective logging. It recommends enabling command line logging for events like cmd.exe, powershell, and other processes to see details of malware behavior. The speaker advocates building a "malware matrix" of indicators and monitoring important log events. Effective logging of files, registry, network connections and other activities on internet-facing systems can help detect malware, as demonstrated by the speaker's analysis of real world advanced persistent threats. Logs are crucial for both incident response and prevention when properly configured.
Ask a Malware Archaeologist
1. Ask a Malware Archaeologist, Blue Team Ninja and Logoholic how we do it better than IR firms
Michael Gough – Founder
MalwareArchaeology.com
2. Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love logs – they tell us Who, What, Where, When and hopefully How
• Creator of the “Windows Logging Cheat Sheet”
• Creator of the “Malware Management Framework”
• @HackerHurricane also my Blog
3. Goal
• Interaction – Don’t be a Ding Dong and NOT ask a question… you WILL be rewarded
• Learn how us Ninjas do it so you can too
• We gave an infected VM to one of the Big IR Firms… They came back “Yup.. It’s clean” #Fail
4. Why listen to me
• We discovered this May 2012
• Met with the Feds ;-)
5. Last year
• They updated their approach
• MUCH more complex
• This is NOT your typical P0wnage
• This really was “sophisticated malware”
• Boy did we catch them in the act
• I am sharing so you can learn how!
7. Read the malware reports
• Read and review (daily/weekly/monthly) virus descriptions, malware analysis and Advanced Persistent Threat (APT) reports for malware bits that you can look for or monitor for in your environment
• Watch HackerHurricane.com for reviews and write ups of various published malware
• Read Malware Archaeology for a list of reports
10. Works for Linux too - Mayhem
• Jedi Tip
• Compare: /proc to items running against ps
• Things in /proc not showing in ‘ps’ output are suspicious
11. Malware Management
• You will see patterns
• %AppData%
• %Temp%
• \Windows, \Windows\System32, \Windows\System32\WBEM
• Reg Keys, Domains, IP’s, etc.
• Many other indicators
• Build a Malware Matrix
• Tweak your tools or scripts… or pick 1 or 10 systems and do it manually!
14. Lab for Malware Research
• Barebones!
• VM is secondary, Malware looks for you analyzing
• 2 SSDs – Smaller is better
– 1 is your Master Image
– dd your Master to the Lab drive
– Lather, rinse, repeat
• Not connected to Corp net
15. Lab for Malware Research
• Load up your Master with all your tools
• You harvest Malware and explode it here
• No.. Not in a Sandbox ;-/
• Ninja Tip – a batch loop that keeps copying files into Captured:
– :Gotchya
– Copy *.* /y Captured
– Goto Gotchya
• Process Monitor running when you explode malware will show you what directories to capture files from (Filter for WriteFile)
17. Why are logs important?
• Have you ever had an Incident and called a consultancy?
• What is one of the first, if not the first thing they do?
• It is referenced in every DBIR report…
• LOGS!
• Details of what happened, where, how and by whom
• Command Line logging is the BEST thing since computers were invented! The SINGLE most important take away of this talk !!
18. Yes, Logs ARE SEXY!
• SEXY – because logs tell you what a particular malware did or the malwarian (aka Bad Actor) did on your system(s)
• SEXY – Because they are the one way that you can get the details you need to know what happened
• SEXY – Because this preso is going to show you how for Windows systems
• SEXY – Because if Target, Neiman Marcus, Michael’s, Home Depot… did this… I wouldn’t have a presentation
• NOT SEXY – Because most logs are not enabled or configured properly
• And because….
19. of the SEXY SIX
• Process Create 4688
– Of course enable CMD Line logging
• File/Registry Auditing 4663
• Service Created 4075
• Service Changed 4070
• User Login Success 4624
• Share accessed 5140
• 90% or more of malware trigger these Event Logs for Windows
25. Get the Command Line!
• It’s nice to know cmd.exe executed, but we REALLY want to see what was executed. It would be better if we could see what was executed with svchost.exe!
• Again, Windows SUCKS by default, even Windows 8.1 and 2012 R2
– I do think this is the K3wlest NEW Logging feature – Worth the upgrade!
• Now available for Win 7 and Server 2008 and later
• Set GPO – Must have 2012 DC
– Administrative Templates\System\Audit Process Creation
– “Include command line in process creation events”
– http://technet.microsoft.com/en-us/library/dn535776.aspx
• Registry Key
– HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
– ProcessCreationIncludeCmdLine_Enabled DWORD - 1
29. Reg Keys hide Malware
• The Windows Registry is a database
• You can store all kinds of things
• Including MALWARE
• Focus on Key Size
– 20k and up – NirSoft RegScanner
• Focus on values
– MZ
– 4D5A
– Encrypted of course
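As an added example (not the deck's own code), the slide's two checks written as a scanner: size of 20k and up, and an MZ header (hex 4D5A) at the start of a value. It goes one step past the slide by also recognising the header when it is stored as hex text or base64; the registry values are a constructed dict standing in for what RegScanner or winreg would return, so it runs anywhere.

```python
"""Scan registry values for the slide 29 indicators: size of 20k and up, and a
PE header ("MZ", hex 4D5A) at the start of the value. Added example, not the
deck's own code; the values are a constructed dict standing in for what
RegScanner or winreg would return, so it runs anywhere."""
import base64
import binascii

SIZE_THRESHOLD = 20 * 1024  # slide 29: "20k and up"
MZ = b"MZ"


def pe_header_encoding(value):
    """Return 'raw', 'hex' or 'base64' if value starts with an MZ header in
    that encoding, else None. Encrypted payloads (slide: 'of course') will not
    match here; the size check in scan_values is what catches those."""
    if value.startswith(MZ):
        return "raw"
    text = value.decode("ascii", errors="ignore").strip()
    if text[:4].upper() == "4D5A":                 # hex text, as on the slide
        return "hex"
    if text.startswith("TV") and len(text) >= 8:   # base64 of "MZ" starts "TV"
        try:
            if base64.b64decode(text[:8]).startswith(MZ):
                return "base64"
        except (binascii.Error, ValueError):
            pass
    return None


def scan_values(values):
    """Return (value name, reason) for every value matching an indicator."""
    findings = []
    for name, data in values.items():
        if len(data) >= SIZE_THRESHOLD:
            findings.append((name, f"large value: {len(data)} bytes"))
        encoding = pe_header_encoding(data)
        if encoding:
            findings.append((name, f"PE header stored as {encoding}"))
    return findings


def constructed_values():
    """Constructed sample: one benign value, the same bogus MZ header stored
    three ways, and a large opaque blob standing in for an encrypted payload."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"   # not a real binary
    return {
        r"Run\Updater": rb"C:\Program Files\Updater\upd.exe",
        r"Stash\Binary": pe_stub,
        r"Stash\HexText": binascii.hexlify(pe_stub).upper(),
        r"Stash\B64Text": base64.b64encode(pe_stub),
        r"Stash\Blob": bytes(range(256)) * 82,   # 20992 bytes, no MZ header
    }
```

On a live Windows host the same two functions would be fed by winreg enumeration; the large-value check is the one that still fires when the payload is encrypted.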
30. Enable Powershell command line
• It’s nice to know Powershell executed, but we REALLY want to see what was executed
• Again, Windows SUCKS by default, Powershell v2
• Details on setting PowerShell Preference variables
– http://technet.microsoft.com/en-us/library/hh847796.aspx
• Create a Default Profile for all users:
– C:\Windows\System32\WindowsPowerShell\v1.0
– Profile.ps1
• Add these to your default profile.ps1 file
– $LogCommandHealthEvent = $true
– $LogCommandLifecycleEvent = $true
• Splunk - Inputs.conf
– # Windows platform specific input processor
– [WinEventLog://Windows PowerShell]
– disabled = 0
• Upgrade to ver 3 or ver 4
• Investigating PowerShell Attacks (DefCon & Blackhat 2014)
– Ryan Kazanciyan TECHNICAL DIRECTOR, MANDIANT
– Matt Hastings CONSULTANT, MANDIANT
36. So what did we learn from these?
• You MUST enable Command Line logging
• Monitor commands:
– Cmd.exe: Command Shell
– Netstat.exe: Network Connections
– Cscript: Executes VB/C Script
– Pushd: Sets Directory for Popd
– Popd: Changes directory back
– WMIC: Execute WMI commands
– Quser.exe: Queries the current user
– Reg.exe: Query and edit the registry
– SC.exe: Start and Stop Services
– Regini.exe: Add/Edit registry values
– Attrib.exe: Change file attributes
– Cacls.exe: Change file permissions
– Xcacls.exe: Change file permissions
– Takeown.exe: Take ownership of a file
– Auditpol.exe: Sets Auditing settings (GPO too)
– Netsh: Windows Firewall
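Worked example, added here and not from the deck: the slide 36 watchlist applied to constructed 4688 (Process Create) records in a simplified key/value rendering, not real exported events. The last record has a blank command line, which is exactly what a host without the slide 25 setting gives you.

```python
"""Triage constructed Windows 4688 (Process Create) records against the
command watchlist on slide 36. Added example, not the deck's own code; the
records below are constructed in a simplified key/value rendering."""
import ntpath
import re

# Slide 36 watchlist keyed by image name. Pushd/Popd are cmd.exe builtins, so
# they never create a process of their own and are matched inside the line.
WATCHLIST = {
    "cmd.exe": "Command Shell", "netstat.exe": "Network Connections",
    "cscript.exe": "Executes VB/C Script", "wmic.exe": "Execute WMI commands",
    "quser.exe": "Queries the current user", "reg.exe": "Query and edit the registry",
    "sc.exe": "Start and Stop Services", "regini.exe": "Add/Edit registry values",
    "attrib.exe": "Change file attributes", "cacls.exe": "Change file permissions",
    "xcacls.exe": "Change file permissions", "takeown.exe": "Take ownership of a file",
    "auditpol.exe": "Sets Auditing settings", "netsh.exe": "Windows Firewall",
}
CMD_BUILTINS = ("pushd", "popd")

# Constructed sample: three 4688 records. The last one came from a host where
# "Include command line in process creation events" was still off.
SAMPLE_4688 = r"""
EventID: 4688
New Process Name: C:\Windows\System32\cmd.exe
Process Command Line: cmd.exe /c pushd \\fileserver\share & dir & popd
Creator Process Name: C:\Windows\System32\svchost.exe
---
EventID: 4688
New Process Name: C:\Windows\System32\notepad.exe
Process Command Line: notepad.exe C:\Users\bob\notes.txt
Creator Process Name: C:\Windows\explorer.exe
---
EventID: 4688
New Process Name: C:\Windows\System32\reg.exe
Process Command Line:
Creator Process Name: C:\Windows\System32\cmd.exe
"""


def parse_events(text):
    """Split the rendering into records, each a dict of field name -> value."""
    events = []
    for chunk in text.strip().split("---"):
        record = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")   # first colon only, so C:\ paths survive
            record[key.strip()] = value.strip()
        if record:
            events.append(record)
    return events


def triage(events):
    """Return (image, reason, command line) for every 4688 record worth a look."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "4688":
            continue
        image = ntpath.basename(ev.get("New Process Name", "")).lower()
        cmdline = ev.get("Process Command Line", "")
        if not cmdline:
            # Without command-line auditing the event proves only that the
            # image ran, not what it did: flag the gap itself.
            findings.append((image, "no command line logged - enable ProcessCreationIncludeCmdLine_Enabled", ""))
        if image in WATCHLIST:
            findings.append((image, WATCHLIST[image], cmdline))
        tokens = {t.lower() for t in re.split(r"[\s&|]+", cmdline)}
        for builtin in CMD_BUILTINS:
            if builtin in tokens:
                findings.append((image, f"cmd builtin {builtin}", cmdline))
    return findings
```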
37. Log everything!
• If it is Internet facing… LOG IT!
• Hack yourself or use Pen Tests to improve your logs – Catch them in the act!
– Purple Testing
• You should catch SQL Injection
– Failed Reads, Failed Writes
• Bruting of Apps – Get the logs to see this behavior. #1 Software Development task
• Enable Auditing for NEW Files on Internet servers, you will be amazed how quiet this is
• Locally is a must, collect to Log Management if you can
38. In Summary
• Malware is noisy
• We CAN detect it
• Logs can hold all types of information
– It’s NOT just for Forensics anymore
• All we have to do is:
– Enable the Logs
– Configure the Logs
– Gather the Logs
– Harvest the Logs
• Look for 6 SEXY Events
• And use the “Windows Logging Cheat Sheet”
39. Resources
• Our Website
– MalwareArchaeology.com
• The Handout – Windows Logging Cheat Sheet
– MalwareArchaeology.com
• Malware Analysis links too
• Blog of Malware indicators
40. Questions?
• You can find us at:
• @HackerHurricane
• MalwareArchaeologist.com
• HackerHurricane.com
• http://www.slideshare.net/Hackerhurricane/ask-aalware-archaeologist