1@ThreatConnect
Open Source Malware Lab
© 2016 ThreatConnect, Inc. All Rights Reserved
2@ThreatConnect
Director of Research Innovation
Research Team
ThreatConnect, Inc.
3@ThreatConnect
Why Do I Need A Malware Analysis Lab?
• Malware Research
• Automated Malware Analysis (AMA)
• First two of four major stages
• AMA can include second stage
• Enhanced Threat Intelligence
• Analysis of malware in your enterprise
• Stage of malware hunting process
• Network Defense
• Network Traffic
• Inbound Email
• Host Intrusion Detection System
• Fun!!!
https://zeltser.com/mastering-4-stages-of-malware-analysis/
4@ThreatConnect
Malware Analysis Process Entry Points
• File
• URL
• PCAP
• Memory Image
5@ThreatConnect
Open Source Malware Analysis Tools
• Cuckoo Sandbox
• Thug
• Bro
• Volatility
6@ThreatConnect
Cuckoo Sandbox
Static and Dynamic File Analysis
7@ThreatConnect
Sandbox
• A controlled, safe environment
• Leverages
• Virtual machines
• Bare metal computers
• Running malware
• Observing its behavior
• Dynamic malware analysis
• May also perform static malware analysis
8@ThreatConnect
More Than Just Dynamic Analysis
AV Detections
• TrendMicro: OSX_KeRanger.A
• ESET-NOD32: OSX/Filecoder.KeRanger.A
• Kaspersky: UDS:DangerousObject.Multi.Generic
Strings
• $Info: This file is packed with the UPX executable packer http://upx.sf.net $
• $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $
12@ThreatConnect
More Than Just Dynamic Analysis
File Metadata
• Timestamp: 2016-03-07 09:41:34
• First Seen: 2016-03-07 09:42:47 95c231bb, web, RU
Sections
Name   Addr    Ent   MD5
.rsrc  532480  3.59  7ce8cbef10f26dfee328a35f2c724cd5
52 files found
Resources
data RT_VERSION 3519388073965d5b6bae77135c36786f6f8e6882099a88504fbad3ed9b9c9687
99 files found
20@ThreatConnect
Cuckoo Sandbox Flavors
Plain Vanilla
Version 1.2 (Stable)
Cuckoo Modified
(brad-accuvant / spender-sandbox)
Next Generation
Version 2.0 RC1
21@ThreatConnect
Cuckoo Modified
• Normalization of file and registry paths
• 64bit analysis
• Service monitoring
• Extended API
• Tor for outbound network connections
• Malheur integration
22@ThreatConnect
Normalization - Why this is Great!
• Not normalized
• C:\Documents and Settings\Dumdum\Application Data\bonzo\AIDVFP.jpg
• C:\Users\Dumdum\AppData\bonzo\AIDVFP.jpg
• Normalized
• %APPDATA%\bonzo\AIDVFP.jpg
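Added example of how such path normalization can be implemented; this is not cuckoo-modified's own code. The rule table covers the two user-profile layouts on the slide (Windows XP and Vista+) plus a couple of extra prefixes, the registry-hive rules and the shared_artifacts helper are my own additions, and the user names are made up.

```python
import re
from typing import Iterable, List, Tuple

# Rewrite rules, tried in order so the most specific prefix wins. Each pattern
# is anchored at the start of the path and matched case-insensitively; the
# matched prefix is replaced by the variable name. The XP layout ("Documents
# and Settings") and the Vista+ layout ("Users") are the ones on the slide; the
# bare "AppData" rule covers the shortened form the slide shows.
_FILE_RULES: List[Tuple[str, str]] = [
    (r"^c:\\documents and settings\\[^\\]+\\local settings\\temp", "%TEMP%"),
    (r"^c:\\users\\[^\\]+\\appdata\\local\\temp", "%TEMP%"),
    (r"^c:\\documents and settings\\[^\\]+\\application data", "%APPDATA%"),
    (r"^c:\\users\\[^\\]+\\appdata\\roaming", "%APPDATA%"),
    (r"^c:\\users\\[^\\]+\\appdata\\local", "%LOCALAPPDATA%"),
    (r"^c:\\users\\[^\\]+\\appdata", "%APPDATA%"),
    (r"^c:\\documents and settings\\[^\\]+", "%USERPROFILE%"),
    (r"^c:\\users\\[^\\]+", "%USERPROFILE%"),
    (r"^c:\\windows", "%WINDIR%"),
]

# Registry keys (my own addition): a per-user hive addressed by its SID
# collapses to HKCU, and the long root names collapse to their short forms.
_REG_RULES: List[Tuple[str, str]] = [
    (r"^hkey_users\\s-1-5-21(?:-\d+)+", "HKCU"),
    (r"^hkey_current_user", "HKCU"),
    (r"^hkey_local_machine", "HKLM"),
]


def normalize_path(path: str) -> str:
    """Return the path with machine-specific prefixes replaced by variable-style ones."""
    p = path.replace("/", "\\")
    rules = _REG_RULES if p.lower().startswith("hkey_") else _FILE_RULES
    for pattern, replacement in rules:
        m = re.match(pattern, p, re.IGNORECASE)
        if m:
            return replacement + p[m.end():]
    return p  # nothing to normalize; leave it alone


def shared_artifacts(run_a: Iterable[str], run_b: Iterable[str]) -> List[str]:
    """Paths two sandbox runs have in common once normalized.

    This is the point of the slide: the same sample run on an XP guest and a
    Win7 guest, under different user names, yields identical indicators.
    """
    return sorted({normalize_path(p) for p in run_a} & {normalize_path(p) for p in run_b})


if __name__ == "__main__":
    # Constructed inputs: one XP-style and one Win7-style run of the same sample.
    xp_run = [r"C:\Documents and Settings\Dumdum\Application Data\bonzo\AIDVFP.jpg"]
    win7_run = [r"C:\Users\Analyst\AppData\Roaming\bonzo\AIDVFP.jpg"]
    print(shared_artifacts(xp_run, win7_run))
```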
23@ThreatConnect
Cuckoo Next Generation
• Support for:
• MacOS X
• Linux
• Android
• Integrations
• Suricata
• Snort
• Moloch
• SSL decryption
• VPN support
• 64-bit analysis
• Fun, fun, fun
24@ThreatConnect
What if the Malware is VM or Sandbox Aware?
• Pafish (Paranoid Fish)
• Uses malware’s anti-analysis techniques
• Shows successful and unsuccessful techniques
• Pinpoint ways to improve sandbox
• VMCloak
• Automated generation of Windows VM images
• Ready for use in Cuckoo
• Obfuscates VM to prevent anti-analysis
25@ThreatConnect
Cuckoo Output
• HTML Report
• JSON Report
• MongoDB Output
• Dropped Files
• PCAP
• Memory Image
• Visited URLs
26@ThreatConnect
Thug
Low-Interaction Honeyclient
27@ThreatConnect
What is a Low-Interaction Honeyclient?
• Pretends to be a browser
• Trigger a drive-by download
• Capture its payload
28@ThreatConnect
Wolf in Sheep’s Clothing
• User agent can change
• Windows, Mac, Linux, Android, iOS
• Limitless possibilities
• http://www.useragentstring.com/pages/useragentstring.php
• http://www.browser-info.net/useragents
• Simulates vulnerable plugins with configurable versions
• Flash
• Java
• Acrobat Reader (PDF)
29@ThreatConnect
Available User Agents
30@ThreatConnect
Thug Output
• Payload Files
• Other Content Files
• Visited URLs
• MongoDB Output
• Elasticsearch Output
• HPFeeds
• MAEC
• Native Report Format
31@ThreatConnect
Bro
Network Analysis Framework
32@ThreatConnect
What is Bro?
• Network Security Monitoring (NSM) Framework
• Processes
• Live Packet Capture
• Recorded Packet Capture (PCAP)
• Series of scripts
• Output Bro logs
• Packaged with a large group of scripts
• Rich community of open source scripts
• Write your own Bro script for specific needs
33@ThreatConnect
Bro in Action
• Analysis Target: tue_schedule.doc_7387.doc
• PCAP Source: https://www.hybrid-analysis.com/
• SHA1: bb45bca4ccc0dd6a0b3a2c6001165f72fbd2cb6e
• What can we learn from PCAP only?
34@ThreatConnect
conn.log
$ cat conn.log | bro-cut -c uid id.resp_h id.resp_p proto service | sed -e 's/#fields//g' | grep -v '#' | column -t
39@ThreatConnect
dns.log
$ cat dns.log | bro-cut -c query qtype_name answers rcode_name | grep -E 'NOERROR|fields' | sed -e 's/#fields//g' | column -t
42@ThreatConnect
Poor Man’s pDNS
43@ThreatConnect
Whois Data
45@ThreatConnect
Site Content
51@ThreatConnect
Poor Man’s Reverse Whois
56@ThreatConnect
pDNS
57@ThreatConnect
http.log
$ cat http.log | bro-cut -u -C id.resp_h method host uri status_code resp_fuids resp_mime_types | grep -E '#fields|200' | sed -e 's/#fields//g' | column -t
59@ThreatConnect
Zapoi (Russian: запой)
A term used in Russia and other post-Soviet states to describe alcohol abuse behavior resulting in two or more days of continuous drunkenness.
https://en.wikipedia.org/wiki/Zapoy
60@ThreatConnect
/zapoy/gate.php = Pony
62@ThreatConnect
/xdaovcny/index.php = Nymaim
64@ThreatConnect
pe.log
$ cat pe.log | bro-cut -c id machine compile_ts subsystem is_exe section_names | sed -e 's/#fields//g' | grep -v '#' | column -t
65@ThreatConnect
files.log
$ cat files.log | bro-cut -c fuid filename total_bytes md5 sha1 sha256 | grep -E 'F8Ksgsir0wLKqA4e9|F0XaRJ2XvH5Epscnqj|#fields' | sed -e 's/#fields//g' | column -t | cut -d " " -f 2- | column -t
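The bro-cut pipelines on the conn.log, dns.log, http.log, pe.log and files.log slides all do the same job: skip Bro's '#' header lines, pick columns by the names in the #fields line, and filter rows. The following is an added example, not code from the deck or from Bro, of a parser for that ASCII log format; it reproduces the dns.log step's "NOERROR only" view as query/answer pairs (the poor man's pDNS). The sample dns.log, its uids, domains and addresses are constructed.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

Record = Dict[str, Optional[object]]

# Constructed sample dns.log in Bro's ASCII log format (not a real capture):
# '#' lines are headers, '#fields' names the columns, '#types' gives their
# types, '-' marks an unset field and ',' joins vector values such as answers.
# Domains use the reserved .invalid TLD; addresses are documentation ranges.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tid.resp_h\tquery\tqtype_name\trcode_name\tanswers\tTTLs\n"
    "#types\ttime\tstring\taddr\tstring\tstring\tstring\tvector[string]\tvector[interval]\n"
    "1468944000.100000\tCa1b2c3d4e5f6g7h8i\t203.0.113.53\tupdate.example-c2.invalid"
    "\tA\tNOERROR\t198.51.100.7,198.51.100.8\t300.000000,300.000000\n"
    "1468944001.200000\tCb2c3d4e5f6g7h8i9j\t203.0.113.53\tgone.example-c2.invalid"
    "\tA\tNXDOMAIN\t-\t-\n"
    "1468944002.300000\tCc3d4e5f6g7h8i9j0k\t203.0.113.53\tcdn.example-legit.invalid"
    "\tA\tNOERROR\t198.51.100.9\t60.000000\n"
    "#close\t2016-07-19-12-00-05\n"
)


def _unescape(value: str) -> str:
    """Bro writes the separator as an escape such as \\x09; turn it into the real character."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_bro_log(text: str) -> List[Record]:
    """Parse a Bro ASCII log into dicts keyed by the #fields names.

    Unset fields become None, empty fields become "", and fields whose #types
    entry is a vector or set are split on the set separator into a list.
    """
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields: List[str] = []
    types: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _unescape(line[len("#separator "):])
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close and anything else are ignored
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        rec: Record = {}
        for i, (name, val) in enumerate(zip(fields, values)):
            if val == unset:
                rec[name] = None
            elif val == empty:
                rec[name] = ""
            elif i < len(types) and types[i].startswith(("vector[", "set[")):
                rec[name] = val.split(set_sep)
            else:
                rec[name] = val
        records.append(rec)
    return records


def bro_cut(records: Sequence[Record], names: Sequence[str]) -> List[List[Optional[object]]]:
    """Equivalent of `bro-cut name ...`: keep only the named columns, in that order."""
    return [[rec.get(n) for n in names] for rec in records]


def passive_dns(records: Sequence[Record]) -> List[Tuple[str, str]]:
    """The slide's 'poor man's pDNS': (query, answer) pairs from NOERROR responses.

    NXDOMAIN and other failures carry no answers and are skipped, which is what
    the grep for NOERROR in the slide's dns.log pipeline achieves.
    """
    pairs = set()
    for rec in records:
        if rec.get("rcode_name") != "NOERROR" or not rec.get("answers"):
            continue
        for answer in rec["answers"]:
            pairs.add((rec["query"], answer))
    return sorted(pairs)


if __name__ == "__main__":
    for query, answer in passive_dns(parse_bro_log(SAMPLE_DNS_LOG)):
        print(f"{query:30} {answer}")
```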
66@ThreatConnect
MAN1 Adversary Group
http://www.threatgeek.com/2016/07/tracking-man1-crypter-actor.html
67@ThreatConnect
What Can We Learn From PCAP Only?
• Adversary Likely Russophone
• Office Document generating network traffic
• Multi-stage malware
• One payload is Pony
• One payload is Nymaim
• Nymaim has
• Dedicated infrastructure
• Rogue DNS
• Dropper uses compromised Drupal websites
• Adversary is MAN1
68@ThreatConnect
Collected Lots of Indicators
69@ThreatConnect
My local.bro
70@ThreatConnect
cuddlesome.exe = Ruckguv
71@ThreatConnect
Bro Output
• Important Logs
• conn.log
• dns.log
• http.log
• pe.log
• files.log
• Extracted Files
• Alternative JSON Output for Elasticsearch
72@ThreatConnect
Volatility
Memory Analysis Framework
73@ThreatConnect
What is the Volatility Framework?
• Extracts artifacts from samples of volatile memory
• An amazing view into what is happening in memory while a malware sample is running
74@ThreatConnect
Operating System Support
75@ThreatConnect
Volatility in Action
• Analysis Target: b.exe
• Sample Source: https://www.hybrid-analysis.com/
• SHA1: 5149b40858c575238f1cbfcd32dd78a30bc87742
• What can we learn from memory analysis?
76@ThreatConnect
Preparing Your Memory Image
• Dump a memory image from running VirtualBox VM
• VBoxManage debugvm "Win7x64" dumpvmcore --filename=vbox.img
• Convert ELF64 image into raw dd-style memory dump
• vol.py -f vbox.img --profile=Win7SP1x64 imagecopy -O copy.raw
77@ThreatConnect
pslist & psscan
• psscan shows hidden and terminated processes
• pslist shows running processes
• pslist before and after running malware sample
78@ThreatConnect
malfind
$ vol.py -f copy.raw --profile=Win7SP1x64 malfind -D .
79@ThreatConnect
Malware Found?
Avira: TR/Patched.Ren.Gen7
Qihoo-360: HEUR/QVM40.1.Malware.Gen
Qihoo-360: HEUR/QVM40.1.Malware.Gen
0x80000
0xa000
80@ThreatConnect
netscan
$ vol.py -f copy.raw --profile=Win7SP1x64 netscan | grep explorer
81@ThreatConnect
What Can We Learn From Memory Analysis?
• Sample uses process injection
• Injects explorer.exe
• Command and Control IP Address: 216.170.126.105
82@ThreatConnect
Volatility Output
• Files extracted from services
• Files extracted from injection
• DLLs extracted
• IP addresses extracted from network connections
• URLs extracted from IE history
• URLs extracted from malware configuration
• Suspicious mutexes
83@ThreatConnect
Tying It All Together
Conclusion
84@ThreatConnect
Cuckoo, Thug, Bro Process
85@ThreatConnect
Volatility, Thug, Cuckoo Process
86@ThreatConnect
Orchestration and Automation
• Use a message queue
• Redis
• RabbitMQ
• ZeroMQ <- Preferred
• Use NGINX for file transfer under message queue
• Keep all output in Elasticsearch
• Cuckoo needs to be cuckoo-modified or write your own report plugin
• Thug uses ES natively
• Bro can export logs in JSON format
• Volatility can export logs in JSON format
• Glue everything together with Python3
87@ThreatConnect
Questions?
www.ThreatConnect.com/blog
@MalwareUtkonos @ThreatConnect

Automated prevention of ransomware with machine learning and gpos
Priyanka Aash
 
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Minseok(Jacky) Cha
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
Shakacon
 
Forensics perspective ERFA-møde marts 2017
 Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
J Hartig
 
Big Data Analytics to Enhance Security
Big Data Analytics to Enhance SecurityBig Data Analytics to Enhance Security
Big Data Analytics to Enhance Security
Data Science Thailand
 
利用 SDACK 架構分析資安事件大數據
利用 SDACK 架構分析資安事件大數據利用 SDACK 架構分析資安事件大數據
利用 SDACK 架構分析資安事件大數據
Yu-Lun Chen
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous Environment
Stefano Maccaglia
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
grecsl
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
OlehLevytskyi1
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
Ramin Farajpour Cami
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
securityxploded
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
NowSecure
 
Supply Chain Attacks
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
Lionel Faleiro
 
Defending the Endpoint with Next-Gen Security
Defending the Endpoint with Next-Gen SecurityDefending the Endpoint with Next-Gen Security
Defending the Endpoint with Next-Gen Security
Sophos Benelux
 

Similar to Open Source Malware Lab (20)

Michelle K Webster: Malware - Cryptolocker Research Final
Michelle K Webster:  Malware - Cryptolocker Research FinalMichelle K Webster:  Malware - Cryptolocker Research Final
Michelle K Webster: Malware - Cryptolocker Research Final
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adware
 
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
 
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Forensics perspective ERFA-møde marts 2017
 Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
 
Big Data Analytics to Enhance Security
Big Data Analytics to Enhance SecurityBig Data Analytics to Enhance Security
Big Data Analytics to Enhance Security
 
利用 SDACK 架構分析資安事件大數據
利用 SDACK 架構分析資安事件大數據利用 SDACK 架構分析資安事件大數據
利用 SDACK 架構分析資安事件大數據
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous Environment
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
 
Supply Chain Attacks
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
 
Defending the Endpoint with Next-Gen Security
Defending the Endpoint with Next-Gen SecurityDefending the Endpoint with Next-Gen Security
Defending the Endpoint with Next-Gen Security
 

More from ThreatConnect

Advanced Threat Hunting - BotConf 2017
Advanced Threat Hunting - BotConf 2017Advanced Threat Hunting - BotConf 2017
Advanced Threat Hunting - BotConf 2017
ThreatConnect
 
Save Time and Act Faster with Playbooks
Save Time and Act Faster with PlaybooksSave Time and Act Faster with Playbooks
Save Time and Act Faster with Playbooks
ThreatConnect
 
Intelligence driven defense webinar
Intelligence driven defense webinarIntelligence driven defense webinar
Intelligence driven defense webinar
ThreatConnect
 
Managing Indicator Deprecation in ThreatConnect
Managing Indicator Deprecation in ThreatConnectManaging Indicator Deprecation in ThreatConnect
Managing Indicator Deprecation in ThreatConnect
ThreatConnect
 
Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?
ThreatConnect
 
Operationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent ActorsOperationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent Actors
ThreatConnect
 
Threat Intelligence is a Journey; Not a Destination
Threat Intelligence is a Journey; Not a DestinationThreat Intelligence is a Journey; Not a Destination
Threat Intelligence is a Journey; Not a Destination
ThreatConnect
 
Episode IV: A New Scope
Episode IV: A New ScopeEpisode IV: A New Scope
Episode IV: A New Scope
ThreatConnect
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar Slides
ThreatConnect
 
The Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence WebinarThe Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence Webinar
ThreatConnect
 
Dollars and Sense of Sharing Threat Intelligence
Dollars and Sense of Sharing Threat IntelligenceDollars and Sense of Sharing Threat Intelligence
Dollars and Sense of Sharing Threat IntelligenceThreatConnect
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat Intelligence
ThreatConnect
 

More from ThreatConnect (12)

Advanced Threat Hunting - BotConf 2017
Advanced Threat Hunting - BotConf 2017Advanced Threat Hunting - BotConf 2017
Advanced Threat Hunting - BotConf 2017
 
Save Time and Act Faster with Playbooks
Save Time and Act Faster with PlaybooksSave Time and Act Faster with Playbooks
Save Time and Act Faster with Playbooks
 
Intelligence driven defense webinar
Intelligence driven defense webinarIntelligence driven defense webinar
Intelligence driven defense webinar
 
Managing Indicator Deprecation in ThreatConnect
Managing Indicator Deprecation in ThreatConnectManaging Indicator Deprecation in ThreatConnect
Managing Indicator Deprecation in ThreatConnect
 
Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?
 
Operationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent ActorsOperationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent Actors
 
Threat Intelligence is a Journey; Not a Destination
Threat Intelligence is a Journey; Not a DestinationThreat Intelligence is a Journey; Not a Destination
Threat Intelligence is a Journey; Not a Destination
 
Episode IV: A New Scope
Episode IV: A New ScopeEpisode IV: A New Scope
Episode IV: A New Scope
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar Slides
 
The Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence WebinarThe Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence Webinar
 
Dollars and Sense of Sharing Threat Intelligence
Dollars and Sense of Sharing Threat IntelligenceDollars and Sense of Sharing Threat Intelligence
Dollars and Sense of Sharing Threat Intelligence
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat Intelligence
 

Recently uploaded

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 

Open Source Malware Lab

  • 1. 1@ThreatConnect Open Source Malware Lab © 2016 ThreatConnect, Inc. All Rights Reserved
  • 2. Director of Research Innovation, Research Team, ThreatConnect, Inc.
  • 3. Why Do I Need A Malware Analysis Lab?
    • Malware Research
      • Automated Malware Analysis (AMA)
      • First two of four major stages
      • AMA can include second stage
    • Enhanced Threat Intelligence
      • Analysis of malware in your enterprise
      • Stage of malware hunting process
    • Network Defense
      • Network Traffic
      • Inbound Email
      • Host Intrusion Detection System
    • Fun!!!
    https://zeltser.com/mastering-4-stages-of-malware-analysis/
  • 4. Malware Analysis Process Entry Points
    • File
    • URL
    • PCAP
    • Memory Image
  • 5. Open Source Malware Analysis Tools
    • Cuckoo Sandbox
    • Thug
    • Bro
    • Volatility
  • 6. Cuckoo Sandbox: Static and Dynamic File Analysis
  • 7. Sandbox
    • A controlled, safe environment
    • Leverages
      • Virtual machines
      • Bare metal computers
    • Running malware
    • Observing its behavior
    • Dynamic malware analysis
    • May also perform static malware analysis
  • 8. More Than Just Dynamic Analysis
    AV Detections
      • TrendMicro: OSX_KeRanger.A
      • ESET-NOD32: OSX/Filecoder.KeRanger.A
      • Kaspersky: UDS:DangerousObject.Multi.Generic
    Strings
      • $Info: This file is packed with the UPX executable packer http://upx.sf.net $
      • $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $
  • 12. More Than Just Dynamic Analysis
    File Metadata
      • Timestamp: 2016-03-07 09:41:34
      • First Seen: 2016-03-07 09:42:47
      • 95c231bb, web, RU
    Resources
      data  RT_VERSION  3519388073965d5b6bae77135c36786f6f8e6882099a88504fbad3ed9b9c9687
      99 files found
    Sections
      Name   Addr    Ent   MD5
      .rsrc  532480  3.59  7ce8cbef10f26dfee328a35f2c724cd5
      52 files found
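    The static panels above (AV names, UPX marker strings, section entropy and hashes, plus pivots on resource and section hashes) are what Cuckoo reports before the sample ever runs. The following script, added here as an illustration and not taken from the talk or from Cuckoo, reproduces the cheap parts of that static triage on an arbitrary byte string: printable-string extraction, a UPX marker check, MD5/SHA-1/SHA-256, and Shannon entropy. Per-section entropy needs a PE parser (pefile, for example); to stay dependency-free the example computes entropy per fixed-size chunk instead, which is enough to spot a packed or encrypted region. `SAMPLE` is a constructed stand-in containing the two UPX strings from slide 8 plus pseudo-random filler, not a real file.

```python
from __future__ import annotations

import hashlib
import math
import re
from collections import Counter

# Constructed sample: an MZ stub, 200 zero bytes, the two UPX marker strings the
# slide's Strings panel shows, then pseudo-random filler standing in for packed code.
# (Assumption: this is NOT a real KeRanger or any other sample.)
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 200
    + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\x00"
    + b"$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $\x00"
    + bytes((i * 7919) % 251 for i in range(4096))
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX", b"the UPX Team")


def extract_strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """ASCII runs of at least min_len printable characters, like `strings -n 4`."""
    return [m for m in PRINTABLE.findall(data) if len(m) >= min_len]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hashes(data: bytes) -> dict[str, str]:
    """The three digests analysts exchange and pivot on."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def packer_hints(strings: list[bytes]) -> list[str]:
    """Strings that carry a known UPX marker (the only packer this example knows)."""
    return [
        "UPX marker: " + s.decode("ascii", "replace")
        for s in strings
        if any(marker in s for marker in UPX_MARKERS)
    ]


def chunk_entropy(data: bytes, size: int = 1024) -> list[tuple[int, float]]:
    """Entropy per fixed-size chunk: a stand-in for per-section entropy without a PE parser."""
    return [(off, round(shannon_entropy(data[off:off + size]), 2))
            for off in range(0, len(data), size)]


def triage(data: bytes) -> dict:
    """Static-properties summary in the spirit of the sandbox's static panels."""
    strings = extract_strings(data)
    chunks = chunk_entropy(data)
    return {
        "hashes": hashes(data),
        "string_count": len(strings),
        "packer_hints": packer_hints(strings),
        "max_chunk_entropy": max(e for _, e in chunks),
        # Anything above ~7 bits/byte is compressed, encrypted or random.
        "high_entropy_chunks": [off for off, e in chunks if e > 7.0],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The entropy threshold is a heuristic: a .rsrc section holding icons and version info sits around 3 to 4 bits per byte (the slide's .rsrc shows 3.59), while a UPX-packed .text region is close to 8. Treat a high-entropy section together with a UPX marker string as "unpack first, then read strings again", because the interesting strings live in the decompressed image, not in the file on disk.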
  • 20. Cuckoo Sandbox Flavors
    • Plain Vanilla: Version 1.2 (Stable)
    • Cuckoo Modified (brad-accuvant / spender-sandbox)
    • Next Generation: Version 2.0 RC1
  • 21. Cuckoo Modified
    • Normalization of file and registry paths
    • 64bit analysis
    • Service monitoring
    • Extended API
    • Tor for outbound network connections
    • Malheur integration
  • 22. Normalization - Why this is Great!
    • Not normalized
      • C:\Documents and Settings\Dumdum\Application Data\bonzo\AIDVFP.jpg
      • C:\Users\Dumdum\AppData\bonzo\AIDVFP.jpg
    • Normalized
      • %APPDATA%\bonzo\AIDVFP.jpg
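    The reason normalization matters is that the same dropped file looks different on an XP guest and a Windows 7 guest, so raw paths do not compare, cluster or turn into indicators. The script below is an added example of the technique, not Cuckoo Modified's own implementation: an ordered list of prefix rules rewrites the user- and OS-version-specific head of a file or registry path to an environment token and keeps the tail untouched. The rule table, the `%SYSTEM%` token and the acceptance of the slide's abbreviated `AppData\` form (real reports contain `AppData\Roaming`) are assumptions of this example.

```python
from __future__ import annotations

import re

# Ordered (pattern, token) rules matched against the start of a Windows path, case-insensitively.
# First match wins, so specific profile subfolders come before the bare profile rule.
_PATH_RULES = [
    # Windows XP / Server 2003 profile layout
    (r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\temp\\", "%TEMP%\\"),
    (r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\application data\\", "%LOCALAPPDATA%\\"),
    (r"^[a-z]:\\documents and settings\\[^\\]+\\application data\\", "%APPDATA%\\"),
    (r"^[a-z]:\\documents and settings\\[^\\]+\\", "%USERPROFILE%\\"),
    # Vista and later profile layout
    (r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", "%TEMP%\\"),
    (r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\", "%LOCALAPPDATA%\\"),
    (r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", "%APPDATA%\\"),
    # Assumption: accept the slide's form without the Roaming component as well.
    (r"^[a-z]:\\users\\[^\\]+\\appdata\\", "%APPDATA%\\"),
    (r"^[a-z]:\\users\\[^\\]+\\", "%USERPROFILE%\\"),
    # System locations (token names for these are this example's choice)
    (r"^[a-z]:\\windows\\system32\\", "%SYSTEM%\\"),
    (r"^[a-z]:\\windows\\", "%WINDIR%\\"),
    (r"^[a-z]:\\program files \(x86\)\\", "%PROGRAMFILES(X86)%\\"),
    (r"^[a-z]:\\program files\\", "%PROGRAMFILES%\\"),
]

# Registry keys: SID-keyed user hives and native \REGISTRY\... paths collapse to the usual roots.
_SID = r"s-1-5-21-\d+-\d+-\d+-\d+"
_REG_RULES = [
    (r"^\\registry\\machine\\", "HKEY_LOCAL_MACHINE\\"),
    (r"^\\registry\\user\\" + _SID + r"\\", "HKEY_CURRENT_USER\\"),
    (r"^hkey_users\\" + _SID + r"\\", "HKEY_CURRENT_USER\\"),
    (r"^hklm\\", "HKEY_LOCAL_MACHINE\\"),
    (r"^hkcu\\", "HKEY_CURRENT_USER\\"),
]


def _apply(rules: list[tuple[str, str]], value: str) -> str:
    for pattern, token in rules:
        m = re.match(pattern, value, re.IGNORECASE)
        if m:
            # Only the environment-specific prefix is replaced; the tail keeps its original case.
            return token + value[m.end():]
    return value


def normalize_path(path: str) -> str:
    """Rewrite the user- and OS-version-specific prefix of a file path to an environment token."""
    return _apply(_PATH_RULES, path.replace("/", "\\"))


def normalize_registry(key: str) -> str:
    """Rewrite SID-specific and native registry prefixes to the standard hive root."""
    return _apply(_REG_RULES, key)


def same_artifact(a: str, b: str) -> bool:
    """True when two observed paths denote the same artifact once normalized (NTFS is case-insensitive)."""
    return normalize_path(a).lower() == normalize_path(b).lower()


if __name__ == "__main__":
    for p in (r"C:\Documents and Settings\Dumdum\Application Data\bonzo\AIDVFP.jpg",
              r"C:\Users\Dumdum\AppData\Roaming\bonzo\AIDVFP.jpg"):
        print(p, "->", normalize_path(p))
```

Normalized paths are what you want to store as indicators and feed into clustering (Malheur compares behaviour reports, and two reports that differ only in the guest's user name should not land in different clusters). Keep the raw path in the report as well; a sample that hard-codes `C:\Users\Public\...` or probes for a specific user name is itself telling.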
  • 23. Cuckoo Next Generation
    • Support for:
      • MacOS X
      • Linux
      • Android
    • Integrations
      • Suricata
      • Snort
      • Moloch
    • SSL decryption
    • VPN support
    • 64-bit analysis
    • Fun, fun, fun
  • 24. What if the Malware is VM or Sandbox Aware?
    • Pafish (Paranoid Fish)
      • Uses malware’s anti-analysis techniques
      • Shows successful and unsuccessful techniques
      • Pinpoint ways to improve sandbox
    • VMCloak
      • Automated generation of Windows VM images
      • Ready for use in Cuckoo
      • Obfuscates VM to prevent anti-analysis
  • 25. Cuckoo Output
    • HTML Report
    • JSON Report
    • MongoDB Output
    • Dropped Files
    • PCAP
    • Memory Image
    • Visited URLs
  • 26. Thug: Low-Interaction Honeyclient
  • 27. What is a Low-Interaction Honeyclient?
    • Pretends to be a browser
    • Trigger a drive-by download
    • Capture its payload
  • 28. Wolf in Sheep’s Clothing
    • User agent can change
      • Windows, Mac, Linux, Android, iOS
      • Limitless possibilities
      • http://www.useragentstring.com/pages/useragentstring.php
      • http://www.browser-info.net/useragents
    • Simulates vulnerable plugins with configurable versions
      • Flash
      • Java
      • Acrobat Reader (PDF)
  • 29. Available User Agents
  • 30. 30@ThreatConnect Thug Output • Payload Files • Other Content Files • Visited URLs • MongoDB Output • Elasticsearch Output • HPFeeds • MAEC • Native Report Format © 2016 ThreatConnect, Inc. All Rights Reserved
• 31. Bro: Network Analysis Framework
• 32. What is Bro?
  • Network Security Monitoring (NSM) framework (renamed Zeek in 2018; bro-cut is now zeek-cut, and the log format is unchanged)
  • Processes
    • Live packet capture
    • Recorded packet capture (PCAP)
  • A series of scripts runs against the traffic and outputs Bro logs
  • Packaged with a large group of scripts
  • Rich community of open source scripts
  • Write your own Bro script for specific needs
• 33. Bro in Action
  • Analysis target: tue_schedule.doc_7387.doc
  • PCAP source: https://www.hybrid-analysis.com/
  • SHA1: bb45bca4ccc0dd6a0b3a2c6001165f72fbd2cb6e
  • What can we learn from the PCAP only?
• 34. conn.log
$ cat conn.log | bro-cut -c uid id.resp_h id.resp_p proto service | sed -e 's/#fields//g' | grep -v '#' | column -t
• 39. dns.log
$ cat dns.log | bro-cut -c query qtype_name answers rcode_name | grep -E 'NOERROR|#fields' | sed -e 's/#fields//g' | column -t
• 42. Poor Man's pDNS
• 43. Whois Data
• 45. Site Content
• 51. Poor Man's Reverse Whois
• 57. http.log
$ cat http.log | bro-cut -u -C id.resp_h method host uri status_code resp_fuids resp_mime_types | grep -E '#fields|200' | sed -e 's/#fields//g' | column -t
• 59. Zapoy (Russian: запой)
  A term used in Russia and other post-Soviet states to describe alcohol abuse behavior resulting in two or more days of continuous drunkenness.
  https://en.wikipedia.org/wiki/Zapoy
• 60. /zapoy/gate.php = Pony
• 62. /xdaovcny/index.php = Nymaim
• 64. pe.log
$ cat pe.log | bro-cut -c id machine compile_ts subsystem is_exe section_names | sed -e 's/#fields//g' | grep -v '#' | column -t
• 65. files.log
$ cat files.log | bro-cut -c fuid filename total_bytes md5 sha1 sha256 | grep -E 'F8Ksgsir0wLKqA4e9|F0XaRJ2XvH5Epscnqj|#fields' | sed -e 's/#fields//g' | column -t | cut -d " " -f 2- | column -t
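The bro-cut pipelines on the conn.log, dns.log, http.log and files.log slides above are one-off command lines; when the same pivots are repeated for every sample they belong in code. Added example (not from the deck, Bro or ThreatConnect): a parser for Bro's TSV log format that honours the #separator, #fields, #types, #set_separator and #unset_field directives, then rebuilds the slide's "poor man's pDNS" table from dns.log and uses it to label each conn.log responder with the names that resolved to it. The two embedded logs are constructed and trimmed to a few columns; the domains and addresses are documentation values, not the infrastructure of the analysed sample.

```python
import io

# Constructed, trimmed dns.log and conn.log in Bro's TSV format (real logs carry more
# columns; the header directives are the part a parser must honour).
DNS_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tdns",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name\tanswers",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring\tvector[string]",
    "1469000001.100000\tCdns1\t10.0.0.5\t51000\t10.0.0.1\t53\tudp\tdrop-site.example\tA\tNOERROR\t198.51.100.20",
    "1469000002.200000\tCdns2\t10.0.0.5\t51001\t10.0.0.1\t53\tudp\tpanel.example\tA\tNOERROR\t203.0.113.7,203.0.113.8",
    "1469000003.300000\tCdns3\t10.0.0.5\t51002\t10.0.0.1\t53\tudp\tgone.example\tA\tNXDOMAIN\t-",
    "#close\t2016-07-20-10-00-00",
])
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring",
    "1469000004.000000\tCconn1\t10.0.0.5\t49152\t198.51.100.20\t80\ttcp\thttp",
    "1469000005.000000\tCconn2\t10.0.0.5\t49153\t203.0.113.7\t80\ttcp\thttp",
    "1469000006.000000\tCconn3\t10.0.0.5\t49154\t192.0.2.99\t443\ttcp\t-",
])


def _convert(cell, typ, meta):
    """Apply the #types line: unset -> None, set/vector -> list, numeric -> number."""
    if cell == meta["unset_field"]:
        return None
    if typ.startswith(("set[", "vector[")):
        return [] if cell == meta["empty_field"] else cell.split(meta["set_separator"])
    if typ in ("count", "port", "int"):
        return int(cell)
    if typ in ("time", "interval", "double"):
        return float(cell)
    if typ == "bool":
        return cell == "T"
    return cell


def parse_bro_log(text):
    """Parse a Bro TSV log into (meta, rows); rows are dicts keyed by the #fields names."""
    meta = {"separator": "\t", "set_separator": ",", "empty_field": "(empty)",
            "unset_field": "-", "fields": [], "types": []}
    rows = []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator itself is written escaped (\x09) and space-delimited.
            meta["separator"] = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *values = line[1:].split(meta["separator"])
            if key in ("fields", "types"):
                meta[key] = values
            elif key in ("set_separator", "empty_field", "unset_field"):
                meta[key] = values[0]
            # #path, #open and #close carry nothing the rows need
        else:
            types = meta["types"] or ["string"] * len(meta["fields"])
            cells = line.split(meta["separator"])
            rows.append({name: _convert(cell, typ, meta)
                         for name, typ, cell in zip(meta["fields"], types, cells)})
    return meta, rows


def passive_dns(dns_rows):
    """The slide's poor man's pDNS: domain -> set of answers, NOERROR responses only."""
    table = {}
    for r in dns_rows:
        if r.get("rcode_name") == "NOERROR" and r.get("answers"):
            table.setdefault(r["query"], set()).update(r["answers"])
    return table


def label_connections(conn_rows, pdns):
    """Annotate each conn.log responder IP with the names that resolved to it."""
    ip_to_names = {}
    for name, answers in pdns.items():
        for ip in answers:
            ip_to_names.setdefault(ip, set()).add(name)
    return [{"uid": r["uid"], "resp_h": r["id.resp_h"], "resp_p": r["id.resp_p"],
             "service": r["service"], "names": sorted(ip_to_names.get(r["id.resp_h"], ()))}
            for r in conn_rows]


def analyze(dns_text=DNS_LOG, conn_text=CONN_LOG):
    pdns = passive_dns(parse_bro_log(dns_text)[1])
    return pdns, label_connections(parse_bro_log(conn_text)[1], pdns)


if __name__ == "__main__":
    pdns, conns = analyze()
    for name, ips in sorted(pdns.items()):
        print(name, sorted(ips))
    for c in conns:
        print(c["uid"], c["resp_h"], c["resp_p"], c["service"] or "-", ",".join(c["names"]) or "-")
```

A connection to an address that no query in the capture resolved (Cconn3 above) comes out with an empty name list, which is exactly the case worth a second look: hard-coded C2 addresses, or the rogue DNS the deck attributes to Nymaim.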
• 66. MAN1 Adversary Group
  http://www.threatgeek.com/2016/07/tracking-man1-crypter-actor.html
• 67. What Can We Learn From PCAP Only?
  • Adversary likely Russophone
  • Office document generating network traffic
  • Multi-stage malware
    • One payload is Pony
    • One payload is Nymaim
  • Nymaim has dedicated infrastructure
    • Rogue DNS
  • Dropper uses compromised Drupal websites
  • Adversary is MAN1
• 68. Collected Lots of Indicators
• 69. My local.bro
• 70. cuddlesome.exe = Ruckguv
• 71. Bro Output
  • Important logs
    • conn.log
    • dns.log
    • http.log
    • pe.log
    • files.log
  • Extracted files
  • Alternative JSON output for Elasticsearch
• 72. Volatility: Memory Analysis Framework
• 73. What is the Volatility Framework?
  • Extracts artifacts from samples of volatile memory
  • An amazing view into what is happening in memory while a malware sample is running
• 74. Operating System Support
• 75. Volatility in Action
  • Analysis target: b.exe
  • Sample source: https://www.hybrid-analysis.com/
  • SHA1: 5149b40858c575238f1cbfcd32dd78a30bc87742
  • What can we learn from memory analysis?
• 76. Preparing Your Memory Image
  • Dump a memory image from a running VirtualBox VM (the result is an ELF64 core file)
    $ VBoxManage debugvm "Win7x64" dumpvmcore --filename=vbox.img
  • Convert the ELF64 image into a raw dd-style memory dump
    $ vol.py -f vbox.img --profile=Win7SP1x64 imagecopy -O copy.raw
• 77. pslist & psscan
  • pslist walks the active process list: running processes only
  • psscan carves _EPROCESS structures out of memory, so it also shows hidden and terminated processes
  • Run pslist before and after running the malware sample, and compare
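The comparison the slide calls for, written out as an added example (not Volatility's code and not from the deck): pslist from the clean image and from the post-detonation image give the processes the sample started, and psscan against the post-detonation image gives what pslist cannot show, namely processes that exited and processes that are present in memory but unlinked from the active list. The input shape assumed here is Volatility 2's --output=json renderer (a columns/rows object); the column names and every row are constructed for the example, including the lookalike process name.

```python
import json

# Constructed results in the shape of `vol.py ... pslist --output=json` and
# `... psscan --output=json`. Not captured from a real image.
PSLIST_BEFORE = {
    "columns": ["Offset(V)", "Name", "PID", "PPID", "Thds", "Hnds", "Sess", "Wow64", "Start", "Exit"],
    "rows": [
        [0xfffffa8000c0a040, "System", 4, 0, 90, 500, -1, 0, "2016-07-20 09:00:00", ""],
        [0xfffffa8001a2b060, "explorer.exe", 1412, 1380, 30, 900, 1, 0, "2016-07-20 09:01:00", ""],
    ],
}
PSLIST_AFTER = {
    "columns": PSLIST_BEFORE["columns"],
    "rows": PSLIST_BEFORE["rows"] + [
        [0xfffffa8002c3d080, "b.exe", 2020, 1412, 2, 40, 1, 1, "2016-07-20 09:10:00", ""],
    ],
}
PSSCAN_AFTER = {
    "columns": ["Offset(P)", "Name", "PID", "PPID", "PDB", "Time created", "Time exited"],
    "rows": [
        [0x3dc0a040, "System", 4, 0, 0x187000, "2016-07-20 09:00:00", ""],
        [0x3ea2b060, "explorer.exe", 1412, 1380, 0x4f12000, "2016-07-20 09:01:00", ""],
        [0x3fc3d080, "b.exe", 2020, 1412, 0x6a03000, "2016-07-20 09:10:00", ""],
        [0x3f1e1070, "cmd.exe", 2104, 2020, 0x7b11000, "2016-07-20 09:10:05", "2016-07-20 09:10:06"],
        [0x3f2f2090, "svchosl.exe", 2188, 2020, 0x7c22000, "2016-07-20 09:10:07", ""],
    ],
}


def as_records(result):
    """Turn a columns/rows JSON result into a list of dicts keyed by column name."""
    return [dict(zip(result["columns"], row)) for row in result["rows"]]


def process_delta(pslist_before, pslist_after, psscan_after):
    """Compare the three process views and return what changed and what pslist missed."""
    before = {(r["PID"], r["Name"]) for r in as_records(pslist_before)}
    after = {(r["PID"], r["Name"]) for r in as_records(pslist_after)}
    scanned = as_records(psscan_after)
    new = sorted(after - before)
    # Carved but with an exit time: ran and finished between the two snapshots.
    terminated = sorted((r["PID"], r["Name"]) for r in scanned if r["Time exited"])
    # Carved, still live, yet absent from the active list: unlinked or otherwise hidden.
    hidden = sorted((r["PID"], r["Name"]) for r in scanned
                    if not r["Time exited"] and (r["PID"], r["Name"]) not in after)
    # Everything whose parent is a process the sample introduced: its process tree.
    roots = {pid for pid, _ in new}
    spawned = sorted((r["PID"], r["Name"]) for r in scanned if r["PPID"] in roots)
    return {"new": new, "terminated": terminated, "hidden": hidden, "spawned": spawned}


if __name__ == "__main__":
    print(json.dumps(process_delta(PSLIST_BEFORE, PSLIST_AFTER, PSSCAN_AFTER), indent=1))
```

With the constructed data, b.exe is the only new entry in pslist, while psscan additionally surfaces a cmd.exe it spawned and already reaped and a live child that pslist does not list at all; those two are where malfind and netscan go next.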
• 78. malfind
$ vol.py -f copy.raw --profile=Win7SP1x64 malfind -D .
• 79. Malware Found?
  • AV detections for the dumped regions
    • Avira: TR/Patched.Ren.Gen7
    • Qihoo-360: HEUR/QVM40.1.Malware.Gen
  • 0x80000 0xa000
• 80. netscan
$ vol.py -f copy.raw --profile=Win7SP1x64 netscan | grep explorer
• 81. What Can We Learn From Memory Analysis?
  • Sample uses process injection
  • Injects into explorer.exe
  • Command and control IP address: 216.170.126.105
• 82. Volatility Output
  • Files extracted from services
  • Files extracted from injection
  • DLLs extracted
  • IP addresses extracted from network connections
  • URLs extracted from IE history
  • URLs extracted from malware configuration
  • Suspicious mutexes
• 83. Tying It All Together: Conclusion
• 84. Cuckoo, Thug, Bro Process
• 85. Volatility, Thug, Cuckoo Process
• 86. Orchestration and Automation
  • Use a message queue
    • Redis
    • RabbitMQ
    • ZeroMQ <- Preferred
  • Use NGINX to move files between stages; the queue carries only job metadata
  • Keep all output in Elasticsearch
    • Cuckoo needs to be cuckoo-modified, or write your own reporting module
    • Thug writes to Elasticsearch natively
    • Bro can export logs in JSON format
    • Volatility can export plugin output in JSON format
  • Glue everything together with Python 3
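The glue the slide describes, as an added example (not ThreatConnect's pipeline or any of the tools' own code): the four entry points from the start of the deck (file, URL, PCAP, memory image) are recognised from the artifact itself and routed to the right tool's queue topic, the queue message carries a hash and a fetch URL instead of the bytes, and every tool's result is wrapped in one envelope keyed by sample so Elasticsearch can return Cuckoo, Bro and Volatility output for a sample together. Stdlib only, so the queue send itself is left out; the topic names, the files.lab.invalid NGINX URL, the index name and the sample headers are this example's own assumptions. One detail worth having: VBoxManage dumpvmcore writes an ELF core, so an ELF artifact is a memory image when its e_type is ET_CORE and a Linux sandbox sample otherwise.

```python
import hashlib
import json
import struct

# libpcap magic in both byte orders, microsecond and nanosecond variants; pcapng block type.
_PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4", b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}
_PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
_ET_CORE = 4  # ELF e_type of a core file, which is what VBoxManage dumpvmcore produces

# Entry point -> (tool, queue topic). Topic names are this example's convention.
ROUTES = {
    "url": ("thug", "analyze.url"),
    "file": ("cuckoo", "analyze.file"),
    "pcap": ("bro", "analyze.pcap"),
    "memory": ("volatility", "analyze.memory"),
}


def classify(artifact):
    """Pick the pipeline entry point (url, file, pcap, memory) from a URL string or bytes."""
    if isinstance(artifact, str):
        if artifact.lower().startswith(("http://", "https://")):
            return "url"
        raise ValueError("string artifacts must be http(s) URLs")
    head = artifact[:20]
    if head[:4] in _PCAP_MAGICS or head[:4] == _PCAPNG_MAGIC:
        return "pcap"
    if head[:4] == b"\x7fELF" and len(head) >= 18:
        # EI_DATA at offset 5 gives the byte order of e_type at offset 16.
        endian = "<" if head[5] == 1 else ">"
        (e_type,) = struct.unpack(endian + "H", head[16:18])
        return "memory" if e_type == _ET_CORE else "file"
    return "file"  # PE, OLE2/Office, PDF, scripts: all sandbox input


def build_job(artifact, submitter="lab"):
    """Build the queue message for one artifact. Bytes are referenced by SHA-256 and a
    fetch URL (files move over NGINX; the queue carries only metadata)."""
    kind = classify(artifact)
    tool, topic = ROUTES[kind]
    job = {"kind": kind, "tool": tool, "topic": topic, "submitter": submitter}
    if kind == "url":
        job["id"] = hashlib.sha256(artifact.encode()).hexdigest()
        job["url"] = artifact
    else:
        job["id"] = hashlib.sha256(artifact).hexdigest()
        job["size"] = len(artifact)
        job["fetch"] = "http://files.lab.invalid/%s" % job["id"]  # hypothetical NGINX path
        if kind == "memory":
            job["pre"] = "imagecopy"  # an ELF core must become a raw image first
    return job


def to_es_document(job, tool_output):
    """Common Elasticsearch envelope: one document per (sample, tool), sharing sample_id."""
    return {
        "_index": "malware-lab",
        "_id": "%s-%s" % (job["id"], job["tool"]),
        "sample_id": job["id"],
        "tool": job["tool"],
        "kind": job["kind"],
        "result": tool_output,
    }


# Constructed artifact headers, not real samples: a PE stub, a pcap global header,
# and minimal ELF64 headers for a core dump and for an executable.
SAMPLES = {
    "pe": b"MZ\x90\x00" + b"\x00" * 16,
    "pcap": b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 12,
    "elf_core": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", _ET_CORE, 62),
    "elf_exec": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 62),
    "url": "http://drop-site.example/zapoy/gate.php",
}

if __name__ == "__main__":
    for name, artifact in SAMPLES.items():
        job = build_job(artifact)
        print(name, "->", job["tool"], job["topic"])
    print(json.dumps(to_es_document(build_job(SAMPLES["pe"]), {"score": 7.5}), indent=1))
```

In a real deployment the job dict is what goes onto the ZeroMQ socket as JSON, and each worker writes its envelope back to Elasticsearch; because the envelope's _id is sample plus tool, re-running a tool overwrites its own document rather than duplicating it.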
• 87. Questions?
  www.ThreatConnect.com/blog
  @MalwareUtkonos
  @ThreatConnect