How to catch malicious activity on Windows systems using properly configured audit logging, and the Top 10 events (and more) you must have enabled, configured and alerting.
LOG-MD
MalwareArchaeology.com
The top 10 windows logs event id's used v1.0
1. 1
The Top 10 Windows Event ID's Used
To Catch Hackers In The Act
Michael Gough
Lead Incident Response
2. 2
What will be covered during this talk
• Windows logs are solid gold if you know what to Enable, Configure, Gather and Harvest. When hacked they can tell you what you need to know to find and harvest the malware and what occurred. This talk walks through simple commodity malware seen in SPAM and drive-bys to a Chinese advanced attack and what Top Windows Event Codes and information in the logs allowed us to harvest their malware and understand what, where and when they were doing it.
• Details of the attack from the logs and the queries used will be covered and shared to allow you to catch a similar type of attack. This talk will show an advanced attack at its finest, but is designed to be Blue Team Defense in nature so you can learn from those that deal with malware and advanced attacks almost daily.
• What works and why will also be discussed
3. 3
Disclaimer
The information in this presentation and
opinions are mine alone and do not reflect
those of my current or past employers.
MalwareArchaeology.com
5. 5
Who Am I
• Michael Gough, Malware Archaeologist
• Blue Team Ninja, Active Defense, Splunk Fu
• Blog - HackerHurricane.com
• Twitter - @HackerHurricane
• Creator of the “Malware Management Framework”
• Creator of several Logging Cheat Sheets
• “Windows Logging Cheat Sheet”
• “Windows Splunk Logging Cheat Sheet”
• “Windows File Auditing Cheat Sheet”
• “Windows Registry Auditing Cheat Sheet”
• Co-Creator of Log-MD
• LOG and Malicious Discovery tool for Malware Discovery & Incident Response
6. 6
Hackers, Malware and Logs
• I am a Logoholic
• I love malware, malware discovery and malware management
• But once I find an infected system, what happened before I found it?
• Was there more than one system involved?
• Did the Malwarian do more?
• What behavior did the system or systems have after the initial infection?
• Who was Patient 0?
• Logs are the perfect partner to malware!
7. 7
So why listen to me?
• I have been there
• In the worst way
• Found malware quickly
• Discovered 10 months before the Kaspersky report – June 2012
• We needed more… Who, What, Where, When and How
• We found the logs were not fully enabled or configured and couldn’t get the data we needed
• Once the logs from endpoints were enabled and configured, we saw all kinds of cool stuff, it showed the How that we ALL NEED
8. 8
So what is the problem we are trying to solve?
9. 9
You’re Next
[Slide graphic: a collage of breach headlines with victim counts, record totals and costs, naming among others Citigroup, E*Trade Financial Corp., Regions Financial Corp., HSBC Holdings and ADP]
10. 10
What is Coming
• Statistics showing prevalence of weaponized document attacks as top threat in 4th quarter of 2015.
11. 11
Why we should care
Mandiant M-Trends 2016 Report
• Numbers always tell a story, but it’s the interpretation of those numbers that holds the real value. The median number of days an organization was compromised in 2015 before the organization discovered the breach (or was notified about the breach) was 146. This continues a positive improvement since we first measured 416 days in 2012. Additionally, the median number was 205 days in 2014, which means we witnessed a drop of more than 50 days in 2015! Obviously, as an industry, we are getting better at detecting breaches. On a positive note, companies that detected the breach on their own had a median number of 56 days compromised. The takeaway is that we are getting better as an industry, but there is still work left to do!
• 2012 – 416 days MTTD
• 2014 – 205 days MTTD
• 2015 – 146 days MTTD
• 2015 – 56 days MTTD for companies that detected it themselves
12. 12
Who is catching it?
Mandiant M-Trends 2016 Report
19. 19
A walk through of Winnti – Winter 2014 campaign
20. 20
Winnti – A campaign against the Gaming industry
• Kaspersky was the first to report on Winnti
• Then came the publicly released report in 2013
• Followed up in 2014 with another wave of attacks
• Now the group is expanding
• Kaspersky Report
– http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf
• Novetta did a Winnti Analysis
– https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
21. 21
Like all malware… it and they evolve
• First gaming
• Then Telecoms and BIG Pharma
• Now So. Korea, UK & Russia businesses
• We must learn and evolve with them
23. 23
Escalate permission – obviously NOT your admin
Check the Service used
Modify Permissions
Push out malware using CMD Shell & CScript
24. 24
Command Line logging is Priority #1
Update Registry
Change Registry Permissions
Change permissions on files
25. 25
Bad behavior becomes obvious
Doing Recon
Going after Terminal Services
Query Users
26. 26
You can even capture their Credentials
Caught THEIR Credentials!
27. 27
With what we have just seen
What can we do with logs?
28. 28
More than you would have ever guessed!
• Not only detect retail PoS malware (BackOff) that hit Target, Neiman Marcus and Michael’s
• Government sponsored malware like Regin, Cleaver, Stuxnet, Duqu, Flamer, etc.
• Yes, even the really bad stuff like Winnti, well good stuff to me ;-)
• You can lower your MTTD to days if not hours
• IF... you know what to look for
29. 29
Malware Management
• Read reports from analysts, IR firms and presentations like this
• Use the data in these reports, pull out the artifacts
• Tweak your defenses
• Lather – Rinse – Repeat
• Long list of reports at MalwareArchaeology.com
• Details found at MalwareManagementFramework.org
• Send me links to reports and your thoughts
30. 30
Improve Security with Endpoint Data
• Great coverage with 10 events per system, not 60,000 alerts like we heard the retailers had
• If you get 10, then 20, then 30 alerts… you should be kicking into Incident Response mode
• Of course there are more, but this is where to start
31. 31
The Windows Logging Cheat Sheet
• 6 pages on Windows Logging
• Details on how to configure Windows logging and auditing
• Found at: MalwareArchaeology.com
Also…
• Windows Splunk Logging Cheat Sheet
• Windows File Auditing Cheat Sheet
• Windows Registry Auditing Cheat Sheet
32. 32
The 10 Windows Event ID’s everyone must monitor and alert on
33. 33
The Ten Command-lets
1. 4688 - New Process – Look for the obvious malicious executables like cscript.exe, sysprep.exe, nmap.exe, nbtstat.exe, netstat.exe, ssh.exe, psexec.exe, psexecsvc.exe, ipconfig.exe, ping.exe OR powershell.exe (SET, MetaSploit). Of course, new odd .exe’s
2. 4624 - Some account logged in. What is normal?
3. 5140 - A share was accessed. They most likely connected to the C$ share.
4. 5156 – Windows Firewall Network connection by process. Can see the process connecting to an IP that you can use GEOIP to resolve Country, Region and City.
5. 7040 - A service has changed. Static systems don't change details of services
6. 7045 - A new service is installed. Static systems don't get new services except at patch time and new installs.
7. 4663 - File auditing must be enabled on directories you want to monitor.
8. 4657 – Registry auditing will give more Registry details than 4663 for Reg items
9. 501 – PowerShell execution
10. 4104 – PowerShell Scriptblock module loading
34. 34
Steps you will need to take
• Enable Advanced Audit Policy in Windows
• The “Windows Logging Cheat Sheet”
• Audit Process Creation = Success 4688
• Audit Logon = Success & Failure 4624 & 4625
• Audit File Share = Success 5140
• Audit File System = Success 4663
• Audit Registry = Success 4657
• Audit Filtering Platform Connection = Success 5156 (Any/Any min)
• Services already captured by System Log 7045 & 7040
• Enable and Configure to capture Process Command Line
• The #1 thing that will catch the nefarious ne’er-do-wells
36. 36
Windows 7 thru 2012 (Win 10 too)
“Include command line in process creation events”
• http://technet.microsoft.com/en-us/library/dn535776.aspx
1. You must have the patch for MS15-015 (KB3031432) for Win 7 and Win 2008, from Feb 2015
2. Registry Key tweak for all versions
• Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
• ProcessCreationIncludeCmdLine_Enabled
• to DWORD - 1
37. 37
And you will see this added to your logs
• Only a fraction more data
• Most valuable thing to log
Additional context is important to identify abnormal behavior
38. 38
PowerShell – Command Line
Windows PowerShell Log: Event ID 501
Details on setting PowerShell Preference variables
• http://technet.microsoft.com/en-us/library/hh847796.aspx
1. You MUST have a default Profile for all users:
• C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1
2. Add these to your default profile.ps1 file
• $LogCommandHealthEvent = $true
• $LogCommandLifecycleEvent = $true
3. Upgrade PowerShell to version 4
• Investigating PowerShell Attacks (DefCon & Blackhat 2014)
• Ryan Kazanciyan TECHNICAL DIRECTOR, MANDIANT
• Matt Hastings CONSULTANT, MANDIANT
39. 39
PowerShell – Script Block Module loading
Microsoft-Windows-PowerShell/Operational Log:
• Event ID 4104
Details on setting PowerShell Script Block and Module logging
• http://technet.microsoft.com/en-us/library/hh847796.aspx
1. Add these Registry keys on Windows 8.1, Server 2012 and later; sorry, no Windows 7 or Win 2008 yet:
• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging EnableModuleLogging = 1
• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging ModuleNames = *
• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging EnableScriptBlockLogging = 1
2. Windows Management Framework version 5 will add more
• FireEye article on the new capabilities
• https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
41. 41
PowerShell Transcripts
• You can also specify a transcript of all PowerShell commands executed, which can be located locally or on a network share
• You can add these to your Log Management solution
• Add these Registry Keys:
• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription EnableTranscription = 1
• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription EnableInvocationHeader = 1
• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription OutputDirectory = “” (Enter path. Empty = default)
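A configuration check a defender can run after working through slides 34 to 41, added here as an example and not taken from the deck or from LOG-MD: it reads the registry values and the audit subcategories the slides list and reports which ones are still missing or too weak. It assumes an elevated prompt, English auditpol column names, and that the slide 36 path lives under HKLM.

```powershell
# Added example, not from the slide deck: report which of the deck's logging
# settings are still missing on this host. Run from an elevated PowerShell prompt.
# Assumes English auditpol output (the CSV column names are localized otherwise).

# Registry values the deck tells you to set (slides 36, 39 and 41). The deck writes
# the slide 36 path without a hive; it is assumed here to live under HKLM.
$RegistryChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit';
       Name = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging';
       Name = 'EnableModuleLogging'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging';
       Name = 'EnableScriptBlockLogging'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription';
       Name = 'EnableTranscription'; Expected = 1 }
)

# Advanced audit policy subcategories from slide 34 and what each one must be set to
$AuditChecks = @(
    @{ Subcategory = 'Process Creation';              Needs = 'Success' },
    @{ Subcategory = 'Logon';                         Needs = 'Success and Failure' },
    @{ Subcategory = 'File Share';                    Needs = 'Success' },
    @{ Subcategory = 'File System';                   Needs = 'Success' },
    @{ Subcategory = 'Registry';                      Needs = 'Success' },
    @{ Subcategory = 'Filtering Platform Connection'; Needs = 'Success' }
)

function Test-RegistrySetting {
    param([string]$Path, [string]$Name, [int]$Expected)
    # Get-ItemProperty returns nothing when either the key or the value is absent
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'MISSING' }
    $found = $item.$Name
    if ([int]$found -eq $Expected) { return 'OK' }
    return "WRONG (found $found)"
}

function Get-AuditSetting {
    param([string]$Subcategory)
    # auditpol /r prints CSV; "Inclusion Setting" is one of: No Auditing, Success,
    # Failure, Success and Failure
    $rows = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
    if (-not $rows) { return $null }
    return ($rows | Select-Object -First 1).'Inclusion Setting'
}

function Test-AuditSetting {
    param([string]$Subcategory, [string]$Needs)
    $current = Get-AuditSetting -Subcategory $Subcategory
    if (-not $current) { return 'UNKNOWN (auditpol returned no row)' }
    # "Success and Failure" is a superset of every requirement on slide 34
    if ($current -eq $Needs -or $current -eq 'Success and Failure') { return "OK ($current)" }
    return "WEAK ($current, need $Needs)"
}

Write-Host '== Registry values: command line and PowerShell logging =='
foreach ($c in $RegistryChecks) {
    $status = Test-RegistrySetting -Path $c.Path -Name $c.Name -Expected $c.Expected
    Write-Host ('{0,-22} {1}\{2}' -f $status, $c.Path, $c.Name)
}

Write-Host ''
Write-Host '== Advanced audit policy subcategories =='
foreach ($a in $AuditChecks) {
    $status = Test-AuditSetting -Subcategory $a.Subcategory -Needs $a.Needs
    Write-Host ('{0,-30} {1}' -f $a.Subcategory, $status)
}
```

Anything reported as MISSING, WRONG or WEAK is a gap in the visibility the deck's Top 10 list depends on; 4688 without the command line value set is the one that hurts most.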
42. 42
Some tips to save on data that you collect with your Log Management solution
43. 43
Do’s and Don’ts
Reducing or excluding events (save on license)
• Event ID’s 4688 & 4689 (New Process Start/Stop) and 5156 & 5158 (Windows Firewall) will be the Top 4 Events in quantity!
• Storage and License required to gather all these events
• 4689 and 5158 CAN be excluded as the least valuable; that is a 50% savings
• Do NOT exclude by EventID’s that you want, exclude them by the Message within the EventID
• I want 4688, but not splunk*.exe or googleupdate.exe, so exclude by New_Process_Name to reduce normal noise
• I want 5156, but not things that are normal to execute, so exclude by Application_Name
44. 44
A sample query using Splunk for the #1 alert that ALL Log Management solutions MUST have
45. 45
4688 (New Process Started)
You can add any or all Windows Admin Utilities in System32 or SysWOW64
• index=windows source="WinEventLog:Security" (EventCode=4688) NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\net.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
• NOT (Account_Name=*$) drops computer (machine) accounts, whose names end in $
47. 47
New Process to Catch the PowerShell bypass
• index=windows source="WinEventLog:Security" (EventCode=4688) ((powershell* AND -ExecutionPolicy) OR (powershell* AND bypass) OR (powershell* AND -noprofile)) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
• CRITICAL ALERT !!! Catches malware using PowerShell and executing a policy bypass
• This only works when command-line auditing is enabled for 4688 (Process_Command_Line); without it the switches are not in the event
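The slide-45 admin-tool search and the slide-47 bypass search, with the slide-43 advice to exclude noise by New_Process_Name applied first, as one PowerShell filter run over constructed 4688 records. This is an added example, not code from the slides or from LOG-MD: the tool names are normalised to file names (.exe added to nmap and csvde; winrm is a .cmd wrapper, winrs an .exe), the sample events and account names are made up, and the bypass pattern is widened to the short -nop form, which the slide's -noprofile term would miss.

```powershell
# Added example, not from the slides or LOG-MD: slide-45 and slide-47 as one
# filter. Replace $Events with parsed output of
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}.

# Admin utilities from slide 45, as bare file names (matched case-insensitively)
$AdminTools = @(
    'arp.exe','at.exe','bcdedit.exe','bcp.exe','chcp.exe','cmd.exe','cscript.exe',
    'csvde.exe','dsquery.exe','ipconfig.exe','mimikatz.exe','nbtstat.exe','nc.exe',
    'netcat.exe','netstat.exe','nmap.exe','nslookup.exe','netsh.exe','osql.exe',
    'ping.exe','powershell.exe','powercat.ps1','psexec.exe','psexecsvc.exe',
    'psloggedon.exe','procdump.exe','qprocess.exe','query.exe','rar.exe','reg.exe',
    'route.exe','runas.exe','rundll32.exe','schtasks.exe','sethc.exe','sqlcmd.exe',
    'sc.exe','ssh.exe','sysprep.exe','systeminfo.exe','net.exe','tasklist.exe',
    'tracert.exe','vssadmin.exe','whoami.exe','winrar.exe','wscript.exe','winrm.cmd',
    'winrs.exe','wmic.exe','wsmprovhost.exe','wusa.exe'
)

# Slide 43: keep 4688, but drop the processes that are pure noise here
$NoiseProcesses = @('splunk*.exe', 'googleupdate.exe')

# Slide 47: PowerShell with -ExecutionPolicy, bypass or -noprofile. '-nop'
# also matches '-noprofile', so the short form droppers use is covered.
$BypassPattern = '-ExecutionPolicy|bypass|-nop'

function Test-SuspiciousProcess {
    param([string]$Account, [string]$NewProcessName, [string]$CommandLine)
    if ($Account.EndsWith('$')) { return $null }           # NOT (Account_Name=*$)
    $leaf = ($NewProcessName -split '\\')[-1]              # New_Process_Name file name
    foreach ($n in $NoiseProcesses) { if ($leaf -like $n) { return $null } }
    if ($leaf -eq 'powershell.exe' -and $CommandLine -match $BypassPattern) {
        return 'CRITICAL: PowerShell policy bypass'
    }
    if ($AdminTools -contains $leaf) { return "Admin tool: $leaf" }
    return $null
}

# Constructed sample events, not real logs (the -enc blob is "IEX")
$Events = @(
    @{ Account='jsmith'; New='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       Cmd='powershell.exe -nop -w hidden -ExecutionPolicy Bypass -enc SQBFAFgA' },
    @{ Account='jsmith'; New='C:\Windows\System32\whoami.exe'; Cmd='whoami /all' },
    @{ Account='WKS01$'; New='C:\Windows\System32\cmd.exe';   Cmd='cmd /c gpupdate' },
    @{ Account='jsmith'; New='C:\Program Files\Splunk\bin\splunk-winevtlog.exe'; Cmd='' },
    @{ Account='jsmith'; New='C:\Program Files\Internet Explorer\iexplore.exe'; Cmd='' }
)

foreach ($e in $Events) {
    $hit = Test-SuspiciousProcess $e.Account $e.New $e.Cmd
    if ($hit) { '{0,-36} {1,-8} {2}' -f $hit, $e.Account, $e.Cmd }
}
```

The order of the checks is the point: noise exclusions are applied by process name before any match is attempted, so the bypass rule never sees the splunk agent, and the bypass rule runs before the generic admin-tool rule so a PowerShell bypass is reported as CRITICAL rather than as just another powershell.exe start.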
49. 49
5156 (Win FW Connection)
Shows which process connected to which IP
• index=windows LogName=Security EventCode=5156 NOT (Source_Address="239.255.255.250" OR Source_Address="224.0.0.*" OR Source_Address="::1" OR Source_Address="ff02::*" OR Source_Address="fe80::*" OR Source_Address="255.255.255.255" OR Source_Address=192.168.1.255) NOT (Destination_Address="127.0.0.1" OR Destination_Address="239.255.255.250" OR Destination_Address="*.*.*.255" OR Destination_Address="224.0.0.25*") NOT (Destination_Port="0") NOT (Application_Name="icamsource" OR Application_Name="*\bin\splunkd.exe") | dedup Destination_Address Destination_Port | table _time, host, Application_Name, Direction, Source_Address, Source_Port, Destination_Address, Destination_Port | sort Direction Destination_Port
50. 50
5156 - CSV output for additional processing
Used to track BAD IP’s
51. 51
Windows Firewall Logging
• Set to ANY/ANY mode if the Windows Firewall is not used for filtering. Filter out 5158 events, as these are not needed
• Do NOT disable it in the Root OU; put the setting lower so you can add and remove systems from the OU to apply this rule
• Of course, enable the Win F/W everywhere and collect locally; there is no good reason not to
• Export to CSV for manual processing (or use LOG-MD)
• Do a WHOIS lookup to resolve the Company, Country, etc.
• Create a large whitelist of good IPs (lookup list)
• Exclude browsers from one search. The list of IPs will be much smaller for non-browser executables talking to external IPs
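The slide-49 noise filter followed by the slide-51 whitelist and browser exclusion, as a PowerShell pipeline over constructed 5156 records, ending in the CSV export slide 50 refers to. This is an added example, not code from the slides or from LOG-MD; the good-destination list, the browser list and the sample connections are assumptions, and the application names use the \device\harddiskvolumeN\... form that 5156 actually logs.

```powershell
# Added example, not from the slides or LOG-MD: slide-49 exclusions, then
# the slide-51 whitelist and browser exclusion. Replace $Events with parsed
# 5156 events from the Security log.

# Slide 49: local, loopback, multicast and broadcast traffic, port 0, and
# the agents that are always talking
$NoiseSource      = @('239.255.255.250', '224.0.0.*', '::1', 'ff02::*', 'fe80::*',
                      '255.255.255.255', '192.168.1.255')
$NoiseDestination = @('127.0.0.1', '239.255.255.250', '*.*.*.255', '224.0.0.25*')
$NoiseApps        = @('icamsource', '*\bin\splunkd.exe')

# Slide 51: a constructed whitelist of known-good destinations (grow it from
# your WHOIS results) and the browsers to set aside in the second search
$GoodDestinations = @('10.*', '192.168.*', '13.107.4.50')
$Browsers         = @('*\chrome.exe', '*\firefox.exe', '*\iexplore.exe', '*\msedge.exe')

function Test-AnyLike([string]$Value, [string[]]$Patterns) {
    foreach ($p in $Patterns) { if ($Value -like $p) { return $true } }
    return $false
}

function Get-ExternalConnections {
    param([object[]]$Records, [switch]$ExcludeBrowsers)
    $Records |
        Where-Object {
            -not (Test-AnyLike $_.Source $NoiseSource) -and
            -not (Test-AnyLike $_.Destination $NoiseDestination) -and
            $_.DestPort -ne 0 -and
            -not (Test-AnyLike $_.Application $NoiseApps) -and
            -not (Test-AnyLike $_.Destination $GoodDestinations) -and
            -not ($ExcludeBrowsers -and (Test-AnyLike $_.Application $Browsers))
        } |
        Group-Object Destination, DestPort |          # Splunk dedup: one row per IP:port
        ForEach-Object { $_.Group[0] } |
        Sort-Object Direction, DestPort |
        Select-Object Application, Direction, Source, SourcePort, Destination, DestPort
}

# Constructed sample 5156 records, not real logs
$Events = @(
    [pscustomobject]@{ Application='\device\harddiskvolume2\windows\system32\svchost.exe'; Direction='Outbound'; Source='10.1.2.3'; SourcePort=49152; Destination='239.255.255.250'; DestPort=1900 },
    [pscustomobject]@{ Application='\device\harddiskvolume2\program files\splunk\bin\splunkd.exe'; Direction='Outbound'; Source='10.1.2.3'; SourcePort=49153; Destination='10.1.1.5'; DestPort=9997 },
    [pscustomobject]@{ Application='\device\harddiskvolume2\program files\google\chrome\application\chrome.exe'; Direction='Outbound'; Source='10.1.2.3'; SourcePort=49154; Destination='203.0.113.7'; DestPort=443 },
    [pscustomobject]@{ Application='\device\harddiskvolume2\users\jsmith\appdata\local\temp\update.exe'; Direction='Outbound'; Source='10.1.2.3'; SourcePort=49155; Destination='198.51.100.23'; DestPort=8080 },
    [pscustomobject]@{ Application='\device\harddiskvolume2\users\jsmith\appdata\local\temp\update.exe'; Direction='Outbound'; Source='10.1.2.3'; SourcePort=49156; Destination='198.51.100.23'; DestPort=8080 }
)

# Everything external, browsers included
Get-ExternalConnections $Events | Format-Table -AutoSize

# Non-browser executables only: the short list to WHOIS and triage
Get-ExternalConnections $Events -ExcludeBrowsers |
    Export-Csv -Path .\external-nonbrowser.csv -NoTypeInformation
```

Running the same function twice, once with and once without -ExcludeBrowsers, is the two-search approach the slide describes: the browser run tells you where users went, the non-browser run is short enough to look up every destination by hand.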
52. 52
7045 (New Service added)
A new service has been added
• index=windows LogName=System EventCode=7045 NOT (Service_Name=tenable_mw_scan) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Service_Name, Service_Type, Service_Start_Type, Service_Account, Short_Message
• This one alert would have caught EVERY retail PoS breach!
54. 54
4663 (File Auditing) 4657 (Registry)
Filter out/exclude known good noise
• index=windows sourcetype=WinEventLog:Security EventCode=4663 NOT (Process_Name="*\Windows\servicing\TrustedInstaller.exe" OR Process_Name="*\Windows\System32\poqexec.exe") NOT (Object_Name="*\Users\svc_acct\pnp" OR Object_Name="C:\Users\Surf\AppData\Local\Google\Chrome\User Data*" OR Object_Name="C:\Users\Surf\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations") NOT (Object_Name="C:\Windows\System32\LogFiles*" OR Object_Name="*\ProgramData\Microsoft\RAC*" OR Object_Name="*\Microsoft\Windows\Explorer\thumbcache*" OR Object_Name="*.MAP" OR Object_Name="*counters.dat" OR Object_Name="*\Windows\GatherLogs\SystemIndex*") | rename Process_Name as Created_By | table _time, host, Security_ID, Handle_ID, Object_Type, Object_Name, Process_ID, Created_By, Accesses
55. 55
4663 (File/Reg Auditing) – In Splunk
Using LOG-MD we were able to enable and expand File and Registry auditing and use the results to tweak the audit locations to reduce noise or events that are not needed, saving on license and storage.
If it were not for LOG-MD testing, we would have never caught Dridex creating a key on shutdown and deleting that key on startup for persistence!
File and Registry auditing for shutdown and startup is VERY powerful
56. 56
File and Registry Auditing tips
Add this slowly and keep it simple or you will create a lot of noise
• Set via the GUI (Booo)
• Or use a PowerShell script, GPO, etc.
• Or by Security Policy file
• Make one for each of File and Registry; apply via GPO or locally with “secedit”
• Audit only for:
• Files – WriteData (or AddFile), Create folders / append data, Change permissions, Take ownership
• Registry – Set Value, Delete, Write DAC, Write Owner are optional
• NEW is what we want... Malware needs to be added
• Start with simple items like Run Keys, Firewall policy, keys that are HIGH value
• Remember there are 2 Cheat Sheets to help you with this
• “Windows File Auditing Cheat Sheet”
• “Windows Registry Auditing Cheat Sheet”
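The slide-56 settings applied with PowerShell instead of the GUI: a success-only SACL for the four registry rights on a Run key, the four file rights on one folder, and the two Object Access subcategories that make 4657/4663 fire at all. This is an added example, not code from the slides or the cheat sheets; the folder watched is an assumed example path, and Everyone is used as the audited principal so every writer, including SYSTEM, is recorded.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the slides or the cheat sheets: apply the slide-56
# audit rights to one HIGH-value registry key and one folder, success only
# ("NEW is what we want"), then enable the subcategories that emit 4657/4663.
# Set-Acl needs SeSecurityPrivilege to write a SACL, hence elevation.

$Everyone  = New-Object System.Security.Principal.NTAccount('Everyone')
$Success   = [System.Security.AccessControl.AuditFlags]::Success
$noInherit = [System.Security.AccessControl.InheritanceFlags]::None
$noProp    = [System.Security.AccessControl.PropagationFlags]::None

# Registry: Set Value, Delete, Write DAC (ChangePermissions), Write Owner (TakeOwnership)
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$regRights = [System.Security.AccessControl.RegistryRights]'SetValue, Delete, ChangePermissions, TakeOwnership'
$regRule   = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
    $Everyone, $regRights, $noInherit, $noProp, $Success)
$acl = Get-Acl -Path $RunKey -Audit
$acl.AddAuditRule($regRule)
Set-Acl -Path $RunKey -AclObject $acl

# Files: WriteData (AddFile), AppendData (CreateDirectories), Change permissions,
# Take ownership; inherited to files and subfolders of the watched directory
$WatchDir   = 'C:\Windows\System32\drivers\etc'     # assumption: pick your own HIGH-value path
$fileRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'
$inherit    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$fileRule   = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $Everyone, $fileRights, $inherit, $noProp, $Success)
$acl = Get-Acl -Path $WatchDir -Audit
$acl.AddAuditRule($fileRule)
Set-Acl -Path $WatchDir -AclObject $acl

# A SACL produces no events unless the matching Object Access subcategory is on
# (auditpol /get /category:"Object Access" shows the current state)
auditpol /set /subcategory:"Registry" /success:enable
auditpol /set /subcategory:"File System" /success:enable

# Read back what is audited now
(Get-Acl -Path $RunKey -Audit).Audit   | Format-Table IdentityReference, RegistryRights, AuditFlags -AutoSize
(Get-Acl -Path $WatchDir -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Auditing Set Value and Delete on the Run key is exactly what surfaces the shutdown-create / startup-delete persistence pattern described above: both the 4657 for the value being set and the one for its deletion carry the process name, so the pair stands out against the near-zero baseline of legitimate writes to that key. Keep the rights list this narrow; adding Read or Query Value to a SACL is what turns file and registry auditing into the noise the slide warns about.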
57. 57
Other valuable queries
Add these to the list
• Event ID 106 – New scheduled task (Microsoft-Windows-TaskScheduler/Operational log)
• Event IDs 2004, 2005, 2006 – Windows Firewall rule added, modified or deleted (Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log)
• Exchange by Subject
• Use to find who received a reported phishing email
• Network logs by known bad IP
• Who visited a known bad IP (you populate) that you discovered in malware analysis or that triggered the logs mentioned in previous slides
58. 58
Other logging improvements
• Of course, LOG-MD to help you refine your logging and expand it
• Also great for IR tasks, with lots of other features
• Sysinternals – SYSMON
• Module loading (.EXE, DLL, SYS)
• Provides hashes of files
• Network connections, like Win FW 5156
• Windows Logging Service (WLS)
• Agent to replace your logging agent
• Provides hashes of files
• Provides some WMI and PowerShell execution
• Replaces the need for SYSMON
59. 59
The Windows Splunk Cheat Sheet
Just for you
• All the queries in this preso and a few more
• Some tips about filtering
• Found at:
• MalwareArchaeology.com
60. 60
Resources
Websites
• MalwareArchaeology.com
• Cheat Sheets
• Malware Reports
• Log-MD.com
• Log and Malicious Discovery tool
• Malware Analysis Report links too
• To start your Malware Management program
61. 61
Questions?
You can find me at:
• MalwareArchaeology.com
• MalwareManagementFramework.org
• HackerHurricane.com (blog)
• @HackerHurricane
• Log-MD.com
• http://www.slideshare.net
• Search for MalwareArchaeology