Recommended
More Related Content
What's hot
What's hot (20)
Similar to Threat hunting in_windows
Similar to Threat hunting in_windows (20)
Recently uploaded
Recently uploaded (20)
Threat hunting in_windows
- 2. PUBLIC ME IN A NUTSHELL 1 • Threat Hunter from MWR Countercept • Recently graduated from NUS Information system • Love food
- 4. PUBLIC First discussed in mid 2000s by NSA/US Airforce. Definition of hunting in The US Army LandCyber White Paper released in 2013 THREAT HUNTING 3 “cyber hunt teams will work inside the Army enterprise to actively search for and locate threats that have penetrated the Army enterprise, but not yet manifested their intended effects.” “Counter-reconnaissance, or hunt forces, will work within Army networks to maneuver, secure, and defend key cyberspace terrain, identifying and defeating concealed cyber adversaries that have bypassed the primary avenues of approach monitored by automated systems”. http://dtic.mil/dtic/tr/fulltext/u2/a592724.pdf
- 5. PUBLIC • Actively hunting for threats • Responding to them in real time • Assume threats has bypassed automated defence IN SHORT 4
- 6. PUBLIC HOW IS THIS ACHIEVED 5
- 7. PUBLIC • Endpoint detection and response • Agent installed on an endpoint • Collect process logs, autoruns, etc.. • Response function such as file capture, dumping of process memory host isolation WHAT'S EDR 6
- 8. PUBLIC • How do bad guys attack • How to detect attacks on windows machine 7 AGENDA
- 13. PUBLIC ATTACK SCENARIO 12 • Acme corporation is a financial corporation based in Singapore. Loony Tunes corporation, a small start-up in the same industry hires a freelance hacker to steal sensitive information from Acme.
- 14. PUBLIC • Installed by default on many windows system • Many open source-framework • Contain many useful functions to leverage on WHY POWERSHELL 13
- 15. PUBLIC POWERSHELL IN HTA FILE 14
- 18. PUBLIC • Minimal process or command line logging • Requires .Net Framework to be installed on windows machine ENTER .NET ATTACKS 17
- 19. PUBLIC • Embeds a serialised C# object into a HTA file • Upon deserialization, the object can be used to run malicious C# code • Technique discovered by James Forshaw .NET TO JSCRIPT 18
- 23. PUBLIC • Migrating to a different process • Make use of windows API to write to a different process HIDING IN MEMORY 22
- 24. PUBLIC INJECTING INTO ANOTHER PROCESS 23 Mshta.exe Victim Process
- 25. PUBLIC • Shared library which contains functions to be used by other applications • Don’t have to rewrite code that is already written DYNAMIC LINK LIBRARY 101 24
- 27. PUBLIC REFLECTIVE LOADING 26 Kernel32.dll export table VirtualAlloc() GetProcess() LoadLibray() Process Environment block Locates Locates
- 29. PUBLIC REFLECTIVE LOADING 28 Import directory table Wininet.dll Ws2_32.dll LoadLibrary() Use Locate Look up
- 30. PUBLIC REFLECTIVE LOADING 29 Import address table HttpOpenRequest getProcAddress Writes address Looks up
- 31. PUBLIC DETECTING REFLECTIVE LOADING 30 Process memory dump Raw data
- 32. PUBLIC QUICK WINS WITH YARA 31 Code injection api Network calls Api
- 34. PUBLIC • Can’t hide in memory forever • Laptop would be shutdown eventually • Attacker needs a way to get a shell the next day PERSISTENCY 33
- 37. PUBLIC • Ability to detect attacks at every stage • Consolidate information from each stage to aid in investigation PUTTING EVERYTHING TOGETHER 36
- 38. PUBLIC 37
- 39. PUBLIC • https://github.com/tyranid/DotNetToJScript • https://github.com/stephenfewer/ReflectiveDLLInjection • https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon • https://sourceforge.net/projects/processhacker/ • http://www.rohitab.com/apimonitor LINKS 38
Editor's Notes
- Show the Events logs (ways where attackers can spoof parent id)
- Reflective library allows a program to retrieve meta-data of
- How do you start?