SlideShare a Scribd company logo

PR21-Preventing-File-Based-Botnet-Growth-and-Persistence-ARMOUR

K
Kurtis Armour
1 of 35
Download to read offline
WE  DETECT  THE  CYBER  THREATS  THAT  OTHER  TECHNOLOGIES  MISS Preventing  File-­‐Based  Botnet  Persistence   and  Growth Date December  2,  2016 Presented to BotConf Presenter Kurtis Armour Information  Security  Consultant
Who  am  I? » karmour@:/home$  whoami » Information  Security  Consultant » eSentire Inc. » 5  years  working  in  computer  security » This  talk  is  based  off  personal  research » Enjoy  finding  ways  to  help  build  more  secure  networks ©  2016  eSentire,  Inc. SLIDE  2
Paying  #Respect » Chris  Lowson » @LowsonWebmin » Jacob  Gajek » @jgajek » Matt  Graeber » @mattifestation ©  2016  eSentire,  Inc. SLIDE  3
Introduction » The  goal  of  this  talk » Education  of  threat  landscape » Layers  of  protection » What  is  not  covered? ©  2016  eSentire,  Inc. SLIDE  4
Botnet  Delivery  Mechanisms » Social  Engineering » Tricking  users » Phishing  Emails » Execution  of  fake  files » End  goal  monetization » For  Bot  Herders  -­‐>  More  Bots ©  2016  eSentire,  Inc. SLIDE  5
Botnet  Delivery  Mechanisms » Exploitation  (  Malvertising /  Exploit  Kits  ) » Browsers  /  Third  Party  Applications » EKs  can  drop  any  malware  variant » File-­‐Based  and  Memory-­‐Based ©  2016  eSentire,  Inc. SLIDE  6
MALWARE  LOTS  OF  MALWARE Code  execution  you  say? ©  2016  eSentire,  Inc. SLIDE  7
Code  Execution  Methods » What  is  the  end  goal  of  threat  actors? » What  are  the  main  ways  to  execute  code? » Binary  Executables » Scripts   » Shellcode ©  2016  eSentire,  Inc. SLIDE  8
Droppers,  Droppers  Everywhere! » HTML  /  HTA » JS » ZIP  /  7ZIP  /  RAR » EXE  /  DLL  /  MSI » Macros  (DOCM,  XLSM,  POTX) » PS » VBA  /  VBS  /  VBE » PDF ©  2016  eSentire,  Inc. SLIDE  9
Execution  Trees! ©  2016  eSentire,  Inc. SLIDE  10
Execution  Trees! ©  2016  eSentire,  Inc. SLIDE  11
Execution  Trees! ©  2016  eSentire,  Inc. SLIDE  12
Execution  Trees! ©  2016  eSentire,  Inc. SLIDE  13
PREVENTING MALICIOUS CODE EXECUTION User  Protection  and  Host  Hardening ©  2016  eSentire,  Inc. SLIDE  14
Overview  of  Defensive  Layers » The  goals  of  adding  layers » Blocking  execution  of  code  can  be  done  at  different  layers » Restricting  via  GPO  is  best  protection  against  changes ©  2016  eSentire,  Inc. SLIDE  15
Limiting  Software  and  Access » Restricting  access  is  key » No  admin! » Software  control  limits  attack  surface » LAPS  (Local  Administrator  Password  Solution) ©  2016  eSentire,  Inc. SLIDE  16
Script  Control  -­‐ WSH » Windows  Script  Host   » Lets  not  execute  things  by  default  J » Disable  built-­‐in  support  (Test  test  test) » Change  the  default  program  execution  (if  you  have  legacy   systems) ©  2016  eSentire,  Inc. SLIDE  17
Script  Control  -­‐ WSH » Disable  built-­‐in  support ©  2016  eSentire,  Inc. SLIDE  18
Script  Control  -­‐ WSH » Changing  default  execution  of  program ©  2016  eSentire,  Inc. SLIDE  19
Script  Control  – Microsoft  Office  Macros » Microsoft  Office  files  can  contain  embedded  code  written  in  VB » Microsoft  Office  macros  have  their  own  VBS  interpreter » Stopping  users  from  executing  untrusted  macros  is  key » Configurable  macro  rules  for  Office  (Excel, Word,  Infopath,   Outlook,  Powerpoint,  Project,  Publisher,  Visio) ©  2016  eSentire,  Inc. SLIDE  20
Script  Control  – Microsoft  Office  Macros ©  2016  eSentire,  Inc. SLIDE  21 http://www.asd.gov.au/publications/protect/Microsoft_Office_Macro_Security.pdf
Script  Control  – Microsoft  Office  Macros » Microsoft  has  added  newer  features  to  Office  2016 » Provides  more  granularity  to  apply  policies  through  GPO » Trust  Center » Restrict  the  ability  for  users  to  allow  macros   » Restrict  the  ability  for  macros  from  internet  to  execute » If  using  trust  location  be  sure  to  limit  who  can  execute  from  it ©  2016  eSentire,  Inc. SLIDE  22
Powershell -­‐ Execution  Control » We  do  not  want  to  allow  normal  users  to  execute  PowerShell » Why  is  PowerShell  so  dangerous? » Run  code  in  memory  without  touching  disk » Download  &  execute  code  from  another  system » Interface  with  .Net &  Windows  APIs » Most  organizations  are  not  watching  PowerShell  activity ©  2016  eSentire,  Inc. SLIDE  23
Powershell -­‐ Execution  Control » Blocking  PowerShell  functionality  is  not  easy » Local  Security  Policies  is  not  the  answer!   » Execution  Policies  are  easily  bypassed ©  2016  eSentire,  Inc. SLIDE  24
Powershell -­‐ Execution  Control » Powershell v5 » Provides  improved  logging » Includes  improved  security  features » Constrained  Mode   » Limits  what  can  be  executed   » Direct  .NET  scripting » Invoking  of  Win32  APIs  via  the  Add-­‐Type  cmdlet » Interaction  with  COM  objects ©  2016  eSentire,  Inc. SLIDE  25
APPLICATION WHITELISTING User  Protection  and  Host  Hardening ©  2016  eSentire,  Inc. SLIDE  26
AppLocker » Free  Windows  Built-­‐in  Application  Whitelisting  Feature » Policy  is  maintainable  through  GPO  admin » Available  on  a  handful  of  Windows  OS’ » WS2008,  WS2012,  WS2016 » Enterprise  and  Ultimate  Editions » Application  inventory » Protection  against  unwanted  software » Software  standardization ©  2016  eSentire,  Inc. SLIDE  27
AppLocker » Two  main  approaches  to  implementing  AppLocker » Allow  Mode  (Block  all  and  whitelist  approved  by  hash/path/publisher)   » Deny  Mode  (Allow  all  and  blacklist  disapproved  by  hash/path/publisher) » Provides  the  ability  to  enable  an  audit  feature » Allows  you  to  investigate  what  would  be  blocked  /  allowed » Filters  on: » Hash » Path » Publisher ©  2016  eSentire,  Inc. SLIDE  28
AppLocker  – Executable  Control » Executable  Control » Blocking  executing  in  %OSDRIVE%Users*   » Publisher  rules » Whitelist  Publishers  so  they  can  update  applications » Restricting  access  to  writeable  directories » Users  can  write  and  execute  from  System32  and  Windows  folders!? » Automatic  Generation  of  Executable  Rules » Utilize  this  feature  for  creating  publisher  and  hash  rules  for  approved   programs ©  2016  eSentire,  Inc. SLIDE  29
AppLocker  – Executable  Control » Writeable  Directories ©  2016  eSentire,  Inc. SLIDE  30
AppLocker  -­‐ Some  neat  tricks » Blocking  Macros  the  DLL  way   » %OSDRIVE%Program  FilesCommon  FilesMicrosoft  SharedVBA* » .hta files  are  nasty » Utilizes  another  interpreter  to  execute  script  code  (MSHTA.exe) » Blocking  PowerShell  via  Applocker has  some  wins   » Stops  auto-­‐execution  of  droppers  that  call  PowerShell.exe » Can  completely  block  PowerShell  interpreter  if  you  want  too ©  2016  eSentire,  Inc. SLIDE  31
Bypasses  and  workarounds  there  are  a  few……. » Applocker Local  Security » Applocker local  rules  overwrite  GPO  rules » Admin  has  ability  to  turn  off  AppIDsvc » Signed  Binaries  doing  what  they  aren’t  suppose  to  do » e.g.  MSBuild.exe,  cdb.exe,  dnx.exe,  rcsi.exe,  etc » Device  Guard  helps  protect  against  this  abuse » Powershell » Calling  older  version  of  PowerShell  (bypasses  security  related  to  one  version) » Uninstall  older  legacy  versions » Applocker PowerShell  “Allow  Mode”  increases  protection  (interactive  input   and  user-­‐authored  scripts  with  PowerShell  v5) ©  2016  eSentire,  Inc. SLIDE  32
Device  Guard » Essentially  does  not  allow  untrusted  code  to  be  executed » Everything  is  untrusted  by  default  unless  specifically  approved » Two  primary  components » Code  Integrity  (CI) » Kernel  Mode  Code  Integrity » User  Mode  Code  Integrity » Virtualization-­‐Based  Security  (VBS) ©  2016  eSentire,  Inc. SLIDE  33
Conclusion » Adding  layers  makes  executing  bad  code  harder » There  is  no  silver  bullet  to  defense » Not  every  company  is  the  same   ©  2016  eSentire,  Inc. SLIDE  34
+1  866.579.2200 sales@esentire.com www.esentire.com Follow  us  @esentire THANK YOU QUESTIONS MORE SECURE!

Recommended

An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...Soya Aoyama
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database ServerFahri Firdausillah
 
Sneaking Past Device Guard - HITB19AMS
Sneaking Past Device Guard - HITB19AMSSneaking Past Device Guard - HITB19AMS
Sneaking Past Device Guard - HITB19AMSPhilip Tsukerman
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1Frank Avila Zapata
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network SecurityEng Teong Cheah
 

Recommended

An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...Soya Aoyama
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database ServerFahri Firdausillah
 
Sneaking Past Device Guard - HITB19AMS
Sneaking Past Device Guard - HITB19AMSSneaking Past Device Guard - HITB19AMS
Sneaking Past Device Guard - HITB19AMSPhilip Tsukerman
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1Frank Avila Zapata
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network SecurityEng Teong Cheah
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...enigma0x3
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018Paula Januszkiewicz
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
Sneaking Past Device Guard
Sneaking Past Device GuardSneaking Past Device Guard
Sneaking Past Device GuardPhilip Tsukerman
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017Paula Januszkiewicz
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsChristopher Gerritz
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...Chris Thompson
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat Security Conference
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...Paula Januszkiewicz
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overviewn|u - The Open Security Community
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Paula Januszkiewicz
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...Paula Januszkiewicz
 
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!MSHOWTO Bilisim Toplulugu
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference
 
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserSecurity Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserAnton Chuvakin
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Paula Januszkiewicz
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
 
Kvs what we can do for you 01082016
Kvs what we can do for you 01082016Kvs what we can do for you 01082016
Kvs what we can do for you 01082016K R Vaghela
 
Specialized training 01082016
Specialized training 01082016Specialized training 01082016
Specialized training 01082016K R Vaghela
 

More Related Content

What's hot

BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...enigma0x3
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018Paula Januszkiewicz
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
Sneaking Past Device Guard
Sneaking Past Device GuardSneaking Past Device Guard
Sneaking Past Device GuardPhilip Tsukerman
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017Paula Januszkiewicz
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsChristopher Gerritz
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...Chris Thompson
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat Security Conference
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...Paula Januszkiewicz
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Paula Januszkiewicz
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...Paula Januszkiewicz
 
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!MSHOWTO Bilisim Toplulugu
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference
 
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserSecurity Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserAnton Chuvakin
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Paula Januszkiewicz
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
 

What's hot (20)

BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
 
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
Sneaking Past Device Guard
Sneaking Past Device GuardSneaking Past Device Guard
Sneaking Past Device Guard
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
 
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
 
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserSecurity Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
 

Viewers also liked

Kvs what we can do for you 01082016
Kvs what we can do for you 01082016Kvs what we can do for you 01082016
Kvs what we can do for you 01082016K R Vaghela
 
Specialized training 01082016
Specialized training 01082016Specialized training 01082016
Specialized training 01082016K R Vaghela
 
Einführung in Web 2.0
Einführung in Web 2.0Einführung in Web 2.0
Einführung in Web 2.0Moe
 
Panel talnan touk(1)
Panel talnan touk(1)Panel talnan touk(1)
Panel talnan touk(1)alex touk
 
Ics company overview marketing
Ics company overview marketingIcs company overview marketing
Ics company overview marketingK R Vaghela
 
Dec 2016 GMW Ripples Crop2
Dec 2016 GMW Ripples Crop2Dec 2016 GMW Ripples Crop2
Dec 2016 GMW Ripples Crop2Mark Poole (PMP)
 
Contratos en Materia Civil
Contratos en Materia CivilContratos en Materia Civil
Contratos en Materia Civilazuremoses
 
From Lab to Factory: Or how to turn data into value
From Lab to Factory: Or how to turn data into valueFrom Lab to Factory: Or how to turn data into value
From Lab to Factory: Or how to turn data into valuePeadar Coyle
 
2015-Xu-etal-Fungal Diversity
2015-Xu-etal-Fungal Diversity2015-Xu-etal-Fungal Diversity
2015-Xu-etal-Fungal DiversityAlan Biggs
 
Description of design process new
Description of design process newDescription of design process new
Description of design process newSiddharth Sharma
 

Viewers also liked (13)

Kvs what we can do for you 01082016
Kvs what we can do for you 01082016Kvs what we can do for you 01082016
Kvs what we can do for you 01082016
 
Specialized training 01082016
Specialized training 01082016Specialized training 01082016
Specialized training 01082016
 
Einführung in Web 2.0
Einführung in Web 2.0Einführung in Web 2.0
Einführung in Web 2.0
 
Panel talnan touk(1)
Panel talnan touk(1)Panel talnan touk(1)
Panel talnan touk(1)
 
Ics company overview marketing
Ics company overview marketingIcs company overview marketing
Ics company overview marketing
 
Dec 2016 GMW Ripples Crop2
Dec 2016 GMW Ripples Crop2Dec 2016 GMW Ripples Crop2
Dec 2016 GMW Ripples Crop2
 
Contratos en Materia Civil
Contratos en Materia CivilContratos en Materia Civil
Contratos en Materia Civil
 
From Lab to Factory: Or how to turn data into value
From Lab to Factory: Or how to turn data into valueFrom Lab to Factory: Or how to turn data into value
From Lab to Factory: Or how to turn data into value
 
2015-Xu-etal-Fungal Diversity
2015-Xu-etal-Fungal Diversity2015-Xu-etal-Fungal Diversity
2015-Xu-etal-Fungal Diversity
 
Marte
MarteMarte
Marte
 
Muy sensual
Muy sensualMuy sensual
Muy sensual
 
Description of design process new
Description of design process newDescription of design process new
Description of design process new
 
Pd Criteria
Pd CriteriaPd Criteria
Pd Criteria
 

Similar to PR21-Preventing-File-Based-Botnet-Growth-and-Persistence-ARMOUR

Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp dotnetcode
 
Journey from Monolith to a Modularized Application - Approach and Key Learnin...
Journey from Monolith to a Modularized Application - Approach and Key Learnin...Journey from Monolith to a Modularized Application - Approach and Key Learnin...
Journey from Monolith to a Modularized Application - Approach and Key Learnin...mfrancis
 
Delivering Security with GFI MAX - Mark Petrie
Delivering Security with GFI MAX - Mark Petrie Delivering Security with GFI MAX - Mark Petrie
Delivering Security with GFI MAX - Mark Petrie MAXfocus
 
Delivering Security with the MAX RemoteManagement Platform - Paul Fenwick
Delivering Security with the MAX RemoteManagement Platform - Paul FenwickDelivering Security with the MAX RemoteManagement Platform - Paul Fenwick
Delivering Security with the MAX RemoteManagement Platform - Paul FenwickMAXfocus
 
Delivering Security Within the MAX Remote Management Platform - Todd Haughland
Delivering Security Within the MAX Remote Management Platform - Todd HaughlandDelivering Security Within the MAX Remote Management Platform - Todd Haughland
Delivering Security Within the MAX Remote Management Platform - Todd HaughlandMAXfocus
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)abend_cve_9999_0001
 
Micro-Frontends JSVidCon
Micro-Frontends JSVidConMicro-Frontends JSVidCon
Micro-Frontends JSVidConAmir Zuker
 
Scripting and Automation within the MAX Platform - Mark Petrie
Scripting and Automation within the MAX Platform - Mark Petrie Scripting and Automation within the MAX Platform - Mark Petrie
Scripting and Automation within the MAX Platform - Mark Petrie MAXfocus
 
SDL: Secure design principles
SDL: Secure design principlesSDL: Secure design principles
SDL: Secure design principlessluge
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingPaula Januszkiewicz
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementBeyondTrust
 
Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5FRSecure
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
Windows 7 Application Compatibility
Windows 7 Application CompatibilityWindows 7 Application Compatibility
Windows 7 Application Compatibilitymicham
 
Best practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresBest practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresAlexander Benoit
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilitiesphanleson
 
Microsoft Operating System Vulnerabilities
Microsoft Operating System VulnerabilitiesMicrosoft Operating System Vulnerabilities
Microsoft Operating System VulnerabilitiesInformation Technology
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS VulnerabilitiesSecurityTube.Net
 

Similar to PR21-Preventing-File-Based-Botnet-Growth-and-Persistence-ARMOUR (20)

Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp
 
Journey from Monolith to a Modularized Application - Approach and Key Learnin...
Journey from Monolith to a Modularized Application - Approach and Key Learnin...Journey from Monolith to a Modularized Application - Approach and Key Learnin...
Journey from Monolith to a Modularized Application - Approach and Key Learnin...
 
Delivering Security with GFI MAX - Mark Petrie
Delivering Security with GFI MAX - Mark Petrie Delivering Security with GFI MAX - Mark Petrie
Delivering Security with GFI MAX - Mark Petrie
 
Delivering Security with the MAX RemoteManagement Platform - Paul Fenwick
Delivering Security with the MAX RemoteManagement Platform - Paul FenwickDelivering Security with the MAX RemoteManagement Platform - Paul Fenwick
Delivering Security with the MAX RemoteManagement Platform - Paul Fenwick
 
Delivering Security Within the MAX Remote Management Platform - Todd Haughland
Delivering Security Within the MAX Remote Management Platform - Todd HaughlandDelivering Security Within the MAX Remote Management Platform - Todd Haughland
Delivering Security Within the MAX Remote Management Platform - Todd Haughland
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)
 
Micro-Frontends JSVidCon
Micro-Frontends JSVidConMicro-Frontends JSVidCon
Micro-Frontends JSVidCon
 
Scripting and Automation within the MAX Platform - Mark Petrie
Scripting and Automation within the MAX Platform - Mark Petrie Scripting and Automation within the MAX Platform - Mark Petrie
Scripting and Automation within the MAX Platform - Mark Petrie
 
SDL: Secure design principles
SDL: Secure design principlesSDL: Secure design principles
SDL: Secure design principles
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access Management
 
Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Antivirus is hopeless
Antivirus is hopelessAntivirus is hopeless
Antivirus is hopeless
 
Windows 7 Application Compatibility
Windows 7 Application CompatibilityWindows 7 Application Compatibility
Windows 7 Application Compatibility
 
Best practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresBest practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included features
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
 
Microsoft Operating System Vulnerabilities
Microsoft Operating System VulnerabilitiesMicrosoft Operating System Vulnerabilities
Microsoft Operating System Vulnerabilities
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS Vulnerabilities
 

PR21-Preventing-File-Based-Botnet-Growth-and-Persistence-ARMOUR

  • 1. WE  DETECT  THE  CYBER  THREATS  THAT  OTHER  TECHNOLOGIES  MISS Preventing  File-­‐Based  Botnet  Persistence   and  Growth Date December  2,  2016 Presented to BotConf Presenter Kurtis Armour Information  Security  Consultant
  • 2. Who  am  I? » karmour@:/home$  whoami » Information  Security  Consultant » eSentire Inc. » 5  years  working  in  computer  security » This  talk  is  based  off  personal  research » Enjoy  finding  ways  to  help  build  more  secure  networks ©  2016  eSentire,  Inc. SLIDE  2
  • 3. Paying  #Respect » Chris  Lowson » @LowsonWebmin » Jacob  Gajek » @jgajek » Matt  Graeber » @mattifestation ©  2016  eSentire,  Inc. SLIDE  3
  • 4. Introduction » The  goal  of  this  talk » Education  of  threat  landscape » Layers  of  protection » What  is  not  covered? ©  2016  eSentire,  Inc. SLIDE  4
  • 5. Botnet  Delivery  Mechanisms » Social  Engineering » Tricking  users » Phishing  Emails » Execution  of  fake  files » End  goal  monetization » For  Bot  Herders  -­‐>  More  Bots ©  2016  eSentire,  Inc. SLIDE  5
  • 6. Botnet  Delivery  Mechanisms » Exploitation  (  Malvertising /  Exploit  Kits  ) » Browsers  /  Third  Party  Applications » EKs  can  drop  any  malware  variant » File-­‐Based  and  Memory-­‐Based ©  2016  eSentire,  Inc. SLIDE  6
  • 7. MALWARE  LOTS  OF  MALWARE Code  execution  you  say? ©  2016  eSentire,  Inc. SLIDE  7
  • 8. Code  Execution  Methods » What  is  the  end  goal  of  threat  actors? » What  are  the  main  ways  to  execute  code? » Binary  Executables » Scripts   » Shellcode ©  2016  eSentire,  Inc. SLIDE  8
  • 9. Droppers,  Droppers  Everywhere! » HTML  /  HTA » JS » ZIP  /  7ZIP  /  RAR » EXE  /  DLL  /  MSI » Macros  (DOCM,  XLSM,  POTX) » PS » VBA  /  VBS  /  VBE » PDF ©  2016  eSentire,  Inc. SLIDE  9
  • 10. Execution  Trees! ©  2016  eSentire,  Inc. SLIDE  10
  • 11. Execution  Trees! ©  2016  eSentire,  Inc. SLIDE  11
  • 12. Execution  Trees! ©  2016  eSentire,  Inc. SLIDE  12
  • 13. Execution  Trees! ©  2016  eSentire,  Inc. SLIDE  13
  • 14. PREVENTING MALICIOUS CODE EXECUTION User  Protection  and  Host  Hardening ©  2016  eSentire,  Inc. SLIDE  14
  • 15. Overview  of  Defensive  Layers » The  goals  of  adding  layers » Blocking  execution  of  code  can  be  done  at  different  layers » Restricting  via  GPO  is  best  protection  against  changes ©  2016  eSentire,  Inc. SLIDE  15
  • 16. Limiting  Software  and  Access » Restricting  access  is  key » No  admin! » Software  control  limits  attack  surface » LAPS  (Local  Administrator  Password  Solution) ©  2016  eSentire,  Inc. SLIDE  16
  • 17. Script  Control  -­‐ WSH » Windows  Script  Host   » Lets  not  execute  things  by  default  J » Disable  built-­‐in  support  (Test  test  test) » Change  the  default  program  execution  (if  you  have  legacy   systems) ©  2016  eSentire,  Inc. SLIDE  17
  • 18. Script  Control  -­‐ WSH » Disable  built-­‐in  support ©  2016  eSentire,  Inc. SLIDE  18
  • 19. Script  Control  -­‐ WSH » Changing  default  execution  of  program ©  2016  eSentire,  Inc. SLIDE  19
  • 20. Script  Control  – Microsoft  Office  Macros » Microsoft  Office  files  can  contain  embedded  code  written  in  VB » Microsoft  Office  macros  have  their  own  VBS  interpreter » Stopping  users  from  executing  untrusted  macros  is  key » Configurable  macro  rules  for  Office  (Excel, Word,  Infopath,   Outlook,  Powerpoint,  Project,  Publisher,  Visio) ©  2016  eSentire,  Inc. SLIDE  20
  • 21. Script  Control  – Microsoft  Office  Macros ©  2016  eSentire,  Inc. SLIDE  21 http://www.asd.gov.au/publications/protect/Microsoft_Office_Macro_Security.pdf
  • 22. Script  Control  – Microsoft  Office  Macros » Microsoft  has  added  newer  features  to  Office  2016 » Provides  more  granularity  to  apply  policies  through  GPO » Trust  Center » Restrict  the  ability  for  users  to  allow  macros   » Restrict  the  ability  for  macros  from  internet  to  execute » If  using  trust  location  be  sure  to  limit  who  can  execute  from  it ©  2016  eSentire,  Inc. SLIDE  22
  • 23. Powershell -­‐ Execution  Control » We  do  not  want  to  allow  normal  users  to  execute  PowerShell » Why  is  PowerShell  so  dangerous? » Run  code  in  memory  without  touching  disk » Download  &  execute  code  from  another  system » Interface  with  .Net &  Windows  APIs » Most  organizations  are  not  watching  PowerShell  activity ©  2016  eSentire,  Inc. SLIDE  23
  • 24. Powershell -­‐ Execution  Control » Blocking  PowerShell  functionality  is  not  easy » Local  Security  Policies  is  not  the  answer!   » Execution  Policies  are  easily  bypassed ©  2016  eSentire,  Inc. SLIDE  24
  • 25. Powershell -­‐ Execution  Control » Powershell v5 » Provides  improved  logging » Includes  improved  security  features » Constrained  Mode   » Limits  what  can  be  executed   » Direct  .NET  scripting » Invoking  of  Win32  APIs  via  the  Add-­‐Type  cmdlet » Interaction  with  COM  objects ©  2016  eSentire,  Inc. SLIDE  25
  • 26. APPLICATION WHITELISTING User  Protection  and  Host  Hardening ©  2016  eSentire,  Inc. SLIDE  26
  • 27. AppLocker » Free  Windows  Built-­‐in  Application  Whitelisting  Feature » Policy  is  maintainable  through  GPO  admin » Available  on  a  handful  of  Windows  OS’ » WS2008,  WS2012,  WS2016 » Enterprise  and  Ultimate  Editions » Application  inventory » Protection  against  unwanted  software » Software  standardization ©  2016  eSentire,  Inc. SLIDE  27
  • 28. AppLocker » Two  main  approaches  to  implementing  AppLocker » Allow  Mode  (Block  all  and  whitelist  approved  by  hash/path/publisher)   » Deny  Mode  (Allow  all  and  blacklist  disapproved  by  hash/path/publisher) » Provides  the  ability  to  enable  an  audit  feature » Allows  you  to  investigate  what  would  be  blocked  /  allowed » Filters  on: » Hash » Path » Publisher ©  2016  eSentire,  Inc. SLIDE  28
  • 29. AppLocker  – Executable  Control » Executable  Control » Blocking  executing  in  %OSDRIVE%Users*   » Publisher  rules » Whitelist  Publishers  so  they  can  update  applications » Restricting  access  to  writeable  directories » Users  can  write  and  execute  from  System32  and  Windows  folders!? » Automatic  Generation  of  Executable  Rules » Utilize  this  feature  for  creating  publisher  and  hash  rules  for  approved   programs ©  2016  eSentire,  Inc. SLIDE  29
  • 30. AppLocker  – Executable  Control » Writeable  Directories ©  2016  eSentire,  Inc. SLIDE  30
  • 31. AppLocker  -­‐ Some  neat  tricks » Blocking  Macros  the  DLL  way   » %OSDRIVE%Program  FilesCommon  FilesMicrosoft  SharedVBA* » .hta files  are  nasty » Utilizes  another  interpreter  to  execute  script  code  (MSHTA.exe) » Blocking  PowerShell  via  Applocker has  some  wins   » Stops  auto-­‐execution  of  droppers  that  call  PowerShell.exe » Can  completely  block  PowerShell  interpreter  if  you  want  too ©  2016  eSentire,  Inc. SLIDE  31
  • 32. Bypasses  and  workarounds  there  are  a  few……. » Applocker Local  Security » Applocker local  rules  overwrite  GPO  rules » Admin  has  ability  to  turn  off  AppIDsvc » Signed  Binaries  doing  what  they  aren’t  suppose  to  do » e.g.  MSBuild.exe,  cdb.exe,  dnx.exe,  rcsi.exe,  etc » Device  Guard  helps  protect  against  this  abuse » Powershell » Calling  older  version  of  PowerShell  (bypasses  security  related  to  one  version) » Uninstall  older  legacy  versions » Applocker PowerShell  “Allow  Mode”  increases  protection  (interactive  input   and  user-­‐authored  scripts  with  PowerShell  v5) ©  2016  eSentire,  Inc. SLIDE  32
  • 33. Device  Guard » Essentially  does  not  allow  untrusted  code  to  be  executed » Everything  is  untrusted  by  default  unless  specifically  approved » Two  primary  components » Code  Integrity  (CI) » Kernel  Mode  Code  Integrity » User  Mode  Code  Integrity » Virtualization-­‐Based  Security  (VBS) ©  2016  eSentire,  Inc. SLIDE  33
  • 34. Conclusion » Adding  layers  makes  executing  bad  code  harder » There  is  no  silver  bullet  to  defense » Not  every  company  is  the  same   ©  2016  eSentire,  Inc. SLIDE  34
  • 35. +1  866.579.2200 sales@esentire.com www.esentire.com Follow  us  @esentire THANK YOU QUESTIONS MORE SECURE!