A look at the types malicious artifacts from Advanced and Commodity attacks, what unique artifacts to look for and how logging caught them for a Windows environment and how LOG-MD can help.
MalwareArchaeology.com
LOG-MD.com
Windows IR made easier and faster Find the head of the snake using Logs, AutoRuns, Large Registry Keys, Locked Files, IP/WhoIs and Netflow
Malware Archaeology
LOG-MD
BSidesNOLA
The top 10 windows logs event id's used v1.0Michael Gough
How to catch malicious activity on Windows systems using properly configured audit logging and the Top 10 events and more you must have enable, configured and alerting.
LOG-MD
MalwareArchaeology.com
Windows IR made easier and faster Find the head of the snake using Logs, AutoRuns, Large Registry Keys, Locked Files, IP/WhoIs and Netflow
Malware Archaeology
LOG-MD
BSidesNOLA
The top 10 windows logs event id's used v1.0Michael Gough
How to catch malicious activity on Windows systems using properly configured audit logging and the Top 10 events and more you must have enable, configured and alerting.
LOG-MD
MalwareArchaeology.com
How we do it better than IR firms. Learn what you need to know to catch commoditized malware to advanced malware. Ask a Blue Team Ninja, Logoholic and Malware Archaeologist how we do ti.
Logs, Logs, Logs - What you need to know to catch a thiefMichael Gough
This will help you get started at Windows logging. What to Enable, Configure, Gather and Harvest to start catching hackers in their tracks.
The Windows Logging Cheat Sheet and SEXY Six Event ID's you MUST monitor and alert on.
Secure Yourself, Practice what we preach - BSides Austin 2015Michael Gough
We all practice Information Security, but do we practice what we preach? Do we do what we ask of our employees and clients to our own, family and work computers?
Malware Archaeology
LOG-MD
Are Malware Sandboxes as good as manual malware analysis?
A look at some samples sent through automated malware sandboxes vs. manaul analysis
How we do it better than IR firms. Learn what you need to know to catch commoditized malware to advanced malware. Ask a Blue Team Ninja, Logoholic and Malware Archaeologist how we do ti.
Logs, Logs, Logs - What you need to know to catch a thiefMichael Gough
This will help you get started at Windows logging. What to Enable, Configure, Gather and Harvest to start catching hackers in their tracks.
The Windows Logging Cheat Sheet and SEXY Six Event ID's you MUST monitor and alert on.
Secure Yourself, Practice what we preach - BSides Austin 2015Michael Gough
We all practice Information Security, but do we practice what we preach? Do we do what we ask of our employees and clients to our own, family and work computers?
Malware Archaeology
LOG-MD
Are Malware Sandboxes as good as manual malware analysis?
A look at some samples sent through automated malware sandboxes vs. manaul analysis
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...Ryan G. Murphy
According to Carbon Black data, attackers are holding data for ransom at an alarming rate and are continuing to deploy attacks across every industry. In conjunction with the rise of ransomware and the continued ubiquity of mass malware, attackers are increasingly utilizing non-malware attacks in an attempt to remain undetected and persistent on organizations’ enterprises.
Présentation de la réunion du 07 avril 2015 de Résowest qui avait pour objectif de sensibiliser chacun d’entre nous sur la thématique de la sauvegarde de données.
Présentée par Baptiste Leclercq de Provectio
Comment se protéger contre les menaces de CTB Locker (ransomware)?ATN Groupe
CTB-Locker : l'antivirus ne suffit plus!
CTB-Locker est un Ransomware qui encrypte vos données en utilisant un système de chiffrement fort. Vous devez ensuite payer une rançon (jusqu'à 1600 euros) afin de déverrouiller ses fichiers. En participant à notre Webinaire de 30 minutes ou en téléchargeant notre livre blanc, découvrez dès à présent quelles sont les parades.
http://goo.gl/fA1Nyc
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychologychrissanders88
The information security industry and the vendors that support it have placed emphasis on the tools we use to investigate security breaches. However, we rarely win or lose battles in the trenches because of the tools we buy. Instead, our result is typically determined by the tools we are born with and nurture over time. While machines are ideal for collecting data and finding anomalies, there is no tool better for connecting the dots than the human mind. Of course, the human mind is not without its own limitations and challenges we must overcome. This presentation discusses metacognition and how it applies to the investigative process.
Never before in the history of human kind have people across the world been subjected to extortion on a massive scale as they are today. In recent years, personal use of computers and the internet has exploded and, along with this massive growth, cybercriminals have emerged to feed off this burgeoning market, targeting innocent users with a wide range of malware. The vast majority of these threats are aimed at directly or indirectly making money from the victims. Today, ransomware has emerged as one of the most troublesome malware categories of our time.
There are two basic types of ransomware in circulation. The most common type today is crypto ransomware, which aims to encrypt personal data and files. The other, known as locker ransomware, is designed to lock the computer, preventing victims from using it. In this research, we will take a look at how the ransomware types work, not just from a technological point of view but also from a psychological viewpoint. We will also look at how these threats evolved, what factors are at play to make ransomware the major problem that it is today, and where ransomware is likely to surface next.
What Is Next-Generation Endpoint Security and Why Do You Need It?Priyanka Aash
This session will clarify the definition of next-generation endpoint security and distinguish it from legacy antivirus software. It will also describe how next-generation endpoint security can help organizations improve incident prevention, detection and response.
(Source: RSA USA 2016-San Francisco)
When your security tools fail you, and what you can do about it. This discusses actual tool fail backgrounds, what failed and what you can do to detect and/or mitigate the issues(s) another way
HackerHurricane
MalwareArchaeology
Malware Archaeology
LOG-MD
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
There are so many hidden jewels in the inventory, we'll take a deeper look at what's in there, how it's useful, and what's not in there and how to get it in there. Learn more: http://dell.to/1GDYpr8
Attackers don’t just search for technology vulnerabilities, they take the easiest path and find the human vulnerabilities. Drive by web attacks, targeted spear phishing, and more are commonplace today with the goal of delivering custom malware. In a world where delivering custom advanced malware that handily evades signature and blacklisting approaches, and does not depend on application software vulnerabilities, how do we understand when are environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker laterally moves and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
Let's Talk Technical: Malware Evasion and DetectionJames Haughom Jr
This is from my talk at IR18 geared around evasion techniques employed by malware, and detection methods for incident responders. I touch on everything from ransomware, to evasive fileless WMI malware. My goal for this talk was to teach defenders about the inner-workings and capabilities of malware, as well as some detection methods they may have not considered.
CONFidence 2017: Hiding in plain sight (Adam Burt)PROIDEA
The security gap continues to evolve as attackers adjust their tactics to evade the latest defensive techniques. Using a recent case study, Adam Burt; Senior Systems Engineer at Fidelis Cybersecurity, will share his experience “From the Front Lines” on an example of the issues faced during investigations and Incident Response work.
Заполучили права администратора домена? Игра еще не оконченаPositive Hack Days
Получение прав администратора домена не всегда означает, что сразу появляется доступ ко всем хостам, общим ресурсам или базам данных сети. Хитрость в том, чтобы найти нужный аккаунт. Докладчик приведет примеры различных сценариев внутреннего тестирования на проникновение, расскажет о сложностях, с которыми столкнулась его команда и о том, как разрабатывался инструмент, позволивший справиться с ними.
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
Can we really detect advanced attacks? This session walks through 4 published attacks to point out what we can learn and detect using malware management, some cheat sheets and Security 101. LOG-MD, FILE-MD, Malware Archaeology
Incident Response Fails – What we see with our clients, and their fails. As Incident Responders, what do we see as Incident Responders that you can do to be better prepared, reduce your incident costs, get answers faster and reduce the cost of an IR Firm if needed.
HackerHurricane
Malware Archaeology
MalwareArchaeology
LOG-MD
LOG-MD
Malware Archaeology
MalwareArchaeology.com
Email is the #1 way we get pwned, so how do they keep getting by our defenses and what can we do about it
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
Logging for Hackers v1.0
1. Logging for Hackers,
How we catch commodity and
advanced malware with this method.
IF only retailers did this
and how you can start doing it
Michael Gough – Founder
MalwareArchaeology.com
MalwareArchaeology.com
2. Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where,
When and hopefully How
Creator of
“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane also my Blog
MalwareArchaeology.com
3. Goal
• Interaction – Don’t be a Ding Dong, ask a
question… you WILL be rewarded for positive
synergy!
• Learn how us Ninja’s do it so you can too
• We have a NEW Tool for YOU!!!
MalwareArchaeology.com
4. Malware evolves
• So must we
• Darwin says so
• Evolve or die
• Well… Evolve or get breached anyways
• Which means an RGE !!!
– Resume Generating Event
MalwareArchaeology.com
5. • We discovered this
May 2012
• Met with the Feds ;-)
Why you should listen to me?
MalwareArchaeology.com
2014 - We gave an infected VM to one of the Big
IR Firms… They came back “Yup.. It’s clean” #Fail
6. A quick look at
Advanced Malware
Artifacts
MalwareArchaeology.com
7. WINNTI 2012 Summary
Pretty typical advanced malware
• DLL Injection
– WBEM
– Windows
– System32 – Files stored
– ProgramData – Files stored
• Sysprep Cryptbase.dll exploit
• Boot up back door, deletes on load, writes on shutdown
– Killed by pulling the power ;-)
• New Services installed
• Multiple infections per machine hoping you miss one
MalwareArchaeology.com
8. WINNTI 2014
• Summary of improvements for WINNTI 2014
– PlugX used as a base, modules added
– Dll injection on SQL Server (5 dirs. Deep)
• Allowed for SQL Mgmt utilities to enable XP Command Shell
and run .NET commands
– Binary infector – altered existing management
binaries to call main payload – and STILL worked!
– Driver infector – Added driver to look like existing
management software
– Hid scripts in the Registry
– Hid payload in the Registry!
• The Registry is a Huuuuuuuuuuuuuuuuge Database
MalwareArchaeology.com
9. Initial Infectors
• Perflogs
– C.exe – Communication to infected system
• Thanks for the Port and Password
• For once WE compromised THEM!
Now who is “sophisticated” ;-)
• PROOF of the power of Command Line Logging!
MalwareArchaeology.com
10. Persistence
• C:Program FilesCommon Files
– WLXSys64.sys – NOT ON DISK ANYWHERE ????
• Modified existing service
– WERCplSupport (Who needs WER Support)
– Changed ServiceDll to:
• Program FilesCommon FilesWLXSys64.sys
MalwareArchaeology.com
• So how did it load if it was NOT
on disk???
Normal
NOT Normal
11. Persistence
• Avoided leaving key files behind like they did
before, well one anyways… the persistence
piece
MalwareArchaeology.com
12. A quick look at
Commodity Malware
Artifacts
MalwareArchaeology.com
13. Angler delivered Kovtar
• Unique way to hide the persistence
• Inserted a null byte in the name of the Run
key so that RegEdit and Reg Query fail to read
and display the value
MalwareArchaeology.com
15. Dridex Persistence
• New method towards the end of 2015
• Nothing in the Registry showing persistence while
system was running
• In memory only until system shutdown
• Then we caught the bugger, with good auditing of
course and
MalwareArchaeology.com
16. Artifacts
• Dll Injection – New Files dropped in Windows
core directories
• Command Line details
• Admin tools misused
• Delete on startup, write on shutdown
• New Services (retail PoS should know this)
• Drivers used (.sys)
• Infected management binary (hash changed)
• Scripts hidden in the registry
• PAYLOAD hidden in the registry (256k binary)
MalwareArchaeology.com
18. So what led us there?
Command Line Logging !!!!
• At the time of Winnti 2014 ONLY Win 8.1 and Win
2012 R2
• Which we had, then we saw this in our alerts of
suspicious commands (Cscript & cmd.exe & cacls &
net & takeown & pushd & attrib)
• Scripts too
MalwareArchaeology.com
19. Hidden in the Registry
• Command Line execution led us to Registry Keys.
The main payload and scripts to infect were stored in
the registry – Classes and Client Keys
MalwareArchaeology.com
20. Hidden in the Registry
• HEX in some cases where infection was not complete
or when we recreated it in the lab because we were
missing something (the infected persistence binary)
• A Binary when complete, encrypted in some way
MalwareArchaeology.com
21. Hiding in the Registry
• This was new for WINNTI 2014, other
advanced malware uses this method too
• They added three values to the Keys
• HKLMSoftwareClients or Classes
– putfile
– file
– read
• This found on only a few systems to hide another backdoor
– HKLMSoftwareWow6432NodeBINARYAcrobat.dxe
MalwareArchaeology.com
23. Persistence
• Infector… One for the DLL (infect.exe) and
one for the Driver (InfectSys.exe)
• Altered system management binaries
– McAfeeFrameworkService
– BESClientHelper
– Attempted a few others, some failed
MalwareArchaeology.com
• We tried the infector on several
other system files and it worked
24. Persistence
• Infected management binary read key, decrypted
payload and dropped into:
– Program FilesCommon Files
• NOW WERCplSupport ServiceDll exists!
• As soon as it was loaded… it was deleted making
it hard for us to find it
MalwareArchaeology.com
But we were better
than that ;-)
25. So what led us there?
• Malware Discovery Baseline
• Compared infected system hashes (Suspect) to a
known good system hashes (Master-Digest)
• Showed some single hashes in directories that
were odd to us (our own management software)?
• So we looked for these binaries across all systems
• ONLY the infected system had these odd hashes
MalwareArchaeology.com
27. FINALLY !
• Malware Management allowed us to setup
alerts on artifacts from other malware analysis
• Of course our own experience too
• Malware Discovery allowed us to find odd file
hashes, command line details, registry locations
• Malware Analysis gave us the details
MalwareArchaeology.com
28. What we need to look for
• Logs of course, properly configured - Events
– Command Line details
– Admin tools misused – executions
– New Services (retail PoS should know this)
– Drivers used (.sys)
• New Files dropped anywhere on disk – Hashes
• Infected management binary (hash changed)
• Delete on startup, write on shutdown - Auditing
• Scripts hidden in the registry – Registry Compare
• Payload hidden in the registry – Large Reg Keys
• Malware Communication – IP and WhoIS info
• Expand PowerShell detection
• VirusTotal Lookups
MalwareArchaeology.com
29. So what did we
take away
from all of this?
MalwareArchaeology.com
30. It didn’t exist
So we created it!
So you can do it too!
MalwareArchaeology.com
32. MalwareArchaeology.com
• Log and Malicious Discovery tool
• When you run the tool, it tells you what
auditing and settings to configure that it
requires. LOG-MD won’t harvest anything
until you configure the system!
• Once the system and/or GPO is configured
1. Clear the logs
2. Infect the system
3. Run Log-MD
4. Review “Report.csv” in Excel
33. Functions
MalwareArchaeology.com
• Audit Report of log settings compared to:
– The “Windows Logging Cheat Sheet”
– Center for Internet Security (CIS) Benchmarks
– Also USGCB and AU ACSC
• White lists to filter out the known good
– By IP Address
– By Process Command Line and/or Process Name
– By File and Registry locations (requires File and
Registry auditing to be set)
• Report.csv - data from logs specific to security
34. Purpose
MalwareArchaeology.com
• Malware Analysis Lab
• Investigate a suspect system
• Audit Advanced Audit Policy settings
• Help MOVE or PUSH security forward
• Give the IR folks what they need and the Feds too
• Take a full system (File and Reg) snapshot to compare to another
system and report the differences
• Discover tricky malware artifacts
• SPEED !
• Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…
• Replace several tools we use today with one easy to use utility that
does much more
• To answer the question: Is this system infected or clean?
• And do it quickly !
35. Free Edition
MalwareArchaeology.com
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process
and File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden
payloads
36. MalwareArchaeology.com
• Everything the Free Edition does and…
• More reports, breakdown of things to look for
• Specify the Output directory
• Harvest Sysmon logs
• Harvest WLS Logs
• Whitelist Hash compare results
• Whitelist Registry compare results
• Create a Master-Digest to exclude unique files
• Free updates for 1 year, expect a new release
every quarter
• Manual – How to use LOG-MD Professional
37. MalwareArchaeology.com
Future Versions – In the works!
• WhoIs lookups of IP Addresses called
• VirusTotal lookups of discovered files
• Find parent-less processes
• Assess all processes and create a Whitelist
• Assess all services and create a Whitelist
• VirusTotal lookups of unknown or new processes
and services
• PowerShell details
• Other API calls to security vendors
42. Use the power of Excel
MalwareArchaeology.com
• The reports are in .CSV format
• Excel has sorting and Filters
• Filters are AWESOME to thin out your results
• You might take filtered results and add them
to your whitelist once vetted
• Save to .XLS and format, color code and
produce your report
• For .TXT files use NotePad++
43. So what do we get?
MalwareArchaeology.com
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see
WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in…
15 Minutes!
44. Resources
MalwareArchaeology.com
• Websites
– Log-MD.com The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
• This presentation is on SlideShare
– Search for MalwareArchaeology or LOG-MD
45. Testers for RC-1
MalwareArchaeology.com
• May 1st 2016 - launch date
• Looking for a few good testers…
– of LOG-MD Professional
• Test the manual and tool and provide
feedback
• You WILL be rewarded for the effort ;-)
• You heard it here first !
• A gift from Austin Security Professionals
– Keeping Security Weird
46. Questions?
MalwareArchaeology.com
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• http://www.slideshare.net – LinkedIn now