Recorded June 2020

OUR GUESTS WILL BE:

• Tyler Hudak - Practice Lead, Incident Response - TrustedSec

  • @secshoggoth

  • www.trustedsec.com

• Martin Brough - Cybersecurity Expert for Acronis

  • @TheHackerNinja

  • Website - infosec512.com

• SANS DFIR Summit - Running Processes, the Red Team and Bad Actors are using them

  • July 17-18

• Article in eForensics Magazine on ARTHIR covered in Episode 011

  1. Visit the website and register to get the free edition

• BSides Cleveland - Tyler’s Forensic Analysis

  1. Friday June 19th - Tactical WIndows Forensics

  2. https://www.bsidescleveland.com/training

  3. Will be held and/or released at another event soon

• Preparing for an Incident - NCC Group webinar.. Free to all

  1. July 22nd

  2. newsroom.nccgroup.com/events

• NCC Group has a position, remote, Incident Response engineer, with AWS, GCP, Azure experience.  You get to work with ME.

  • https://nccgroup.wd3.myworkdayjobs.com/en-US/NCC_Group/job/Manchester/Senior-Cyber-Incident-Response_R2595

• Ticket opened, users must exclude LOG-MD from being checked

• https://www-zdnet-com.cdn.ampproject.org/c/s/www.zdnet.com/google-amp/article/windows-malware-opens-rdp-ports-on-pcs-for-future-remote-access/

• (SMBGhost) - Processing of a malformed compressed message - Eternal Darkness/SMBGhost affects version 3.11 of the protocol, which as ThreatPost points out, is the same version that was targeted by the WannaCry ransomware a couple of years ago

The US Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible

• https://arstechnica.com/information-technology/2020/06/exploiting-wormable-flaw-on-unpatched-windows-devices-is-about-to-get-easier/

• Microsoft warns of vulnerabilities in SMBv3

• https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/

• https://securityboulevard.com/2020/06/80-of-hacking-related-breaches-leverage-compromised-credentials/

• THE IR Crew

  1. MITRE ATTACK

     1. https://attack.mitre.org/

  1. Guest - Tyler

     1. https://www.incidentresponse.com/playbooks/

  2. Guest - Martin

     1. Sandbox - https://app.any.run

• The IR crew

  1. LOG-MD-Professional

  2. Volatility

• Guest 1 - Tyler

  1. MFTECmd

     1. https://github.com/EricZimmerman/MFTECmd/releases

     2. KAPE, or rawcopy, or other tools to capture MFT before processing

• Guest 2 - Martin

  1. NetworkMiner

     1. https://www.netresec.com/?page=NetworkMiner

Dridex fileless malware:

1. Key Detection points

   • Well… in memory only “fileless”

   • Rundll32 calling malicious DLL 

   • Parent Child relationship

   • Rundll32.exe calling SysWow64\Rundll32.exe

1. PREVENTION

   1. Scan email attachments

   2. Block Macro execution

   3. Block uncategorized websites

   4. Application Whitelist Users directory

   5. Lock down PowerShell

   6. EDR

1. What is “Fileless Malware”?

   1. Cyberreason - Unlike file-based attacks, fileless malware does not leverage traditional executable files. Fileless attacks abuse tools built-in to the operating system to carry out attacks. Essentially, Windows is turned against itself.

Without an executable, there is no signature for antivirus software to detect. This is part of what makes fileless attacks so dangerous - they are able to easily evade antivirus products.

1. McAfee - Fileless malware is a type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove.

2. CarbonBlack - Fileless malware refers to a cyberattack technique that uses existing software, allowed applications, and authorized protocols to carry out malicious activities.

3. WikiPedia - Fileless malware is a variant of computer related malicious software that exists exclusively as a computer memory-based artifact i.e. in RAM.

It does not write any part of its activity to the computer's hard drive meaning that it's very resistant to existing Anti-computer forensic strategies that incorporate file-based whitelisting, signature detection, hardware verification, pattern-analysis, time-stamping, etc., and leaves very little by way of evidence that could be used by digital forensic investigators to identify illegitimate activity.

As malware of this type is designed to work in-memory, its longevity on the system exists only until the system is rebooted.

MGs definition

1. So what do WE think Fileless Malware is?

   1. The IR crew

   2. Tyler

   3. Martin

2. A better way to define Fileless Malware and WHY

   1. Memware

   2. Regware

   3. WMIware

   4. PowerShellware

   5. Wormware

   6. LolBin/LolBasware

   7. And malware

   8. .NETware compile on the fly (compileware)

   9. bootware

3. How does this change our evaluation of malware?

4. How does this change our IR or THreat Hunting process?

5. How does this change how we detect and alert on malware?

6. Final thoughts

-------------------

Cybereason - FILELESS MALWARE 101: UNDERSTANDING NON-MALWARE ATTACKS 

• https://www.cybereason.com/blog/fileless-malware

McAfee - What Is Fileless Malware?

• https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html

Recorded May 2020

• https://www.softwaretestinghelp.com/edr-security-services/

• https://www.wired.com/story/avoid-spam-disposable-email-burner-phone-number/

• https://nakedsecurity.sophos.com/2020/05/18/shiny-new-azure-login-attracts-shiny-new-phishing-attacks/

• https://securityboulevard.com/2020/05/upgrading-from-edr-to-mdr-is-critical-but-easier-than-you-think/

• https://nakedsecurity.sophos.com/2020/05/22/the-ransomware-that-attacks-you-from-inside-a-virtual-machine/

• https://www.MalwareArchaeology.com/cheat-sheets

• “LOG-MD -a” will give you how you compare against the cheat sheets

• https://www.LOG-MD.com

Qakbot

• Typical delivery via a Office doc or URL

• Created a folder in C:\Users

Key Detection points

• Enable better logging AutoRuns - Uses Run key and Scheduled Task

• WMIPrvSe launch binary in C:\Users

• Binary in root of \Username directory C:\Users\\.exe

• C:\Users\\AppData\Roaming\Microsoft\ Syswow64\Explorer.exe used Parent of Explorer.exe is NEVER a binary in C:\Users

• Process injection of Syswow64\Explorer.exe

• Ping 127.0.0.1

• Scheduled Task created by a binary in C:\Users

• Syswow64\Explorer,exe opening all the browsers

• Binary in C:\User calling out to foreign country

PREVENTION

• Block Office macros

• Don’t allow uncategorized websites

• EDR Software

• Whitelisting C:\Users

What is getting back to basics - IR 101

• This will likely be multiple episodes

• We will start with Windows

Why is this important?

1. WHEN you have an incident, data we, and you need will be available

2. This is probably the #1 finding and recommendation we have made to organizations we have been involved with over the years

3. Security tools fail, so other data you collect can help discover what happened where, when, and how

What is the problem we are wanting our listeners to solve? 

1. To be better prepared in the event of an incident to speed up investigations

2. Give your SOC, IT, or Security people the data they need to investigate events

3. Make log management data better if you are collecting all the things

4. And of course… help your IR Consultancy do a better job FASTER

-------------------

CIS Benchmarks

• https://www.cisecurity.org/cis-benchmarks/

DerbyCon talk on EDR

• https://www.irongeek.com/i.php?page=videos/derbycon7/t416-edr-etdr-next-gen-av-is-all-the-rage-so-why-am-i-enraged-michael-gough

DerbyCon talk on Winnti

• https://www.irongeek.com/i.php?page=videos/derbycon5/teach-me01-a-deep-look-into-a-chinese-advanced-attack-understand-it-learn-from-it-and-how-to-detect-and-defend-against-attacks-like-this-michael-gough

Formerly the Brakeing Down Incident Response Podcast

Recorded Oct 2019

OUR GUEST WILL BE:

• Oddvar Moe, Sr. Security Consultant TrustedSec - Red Teamer

• @Oddvarmoe

• Blog - https://oddvar.moe/

• lolbas-project.com

• https://github.com/api0cradle/UltimateAppLockerByPassList

• https://github.com/api0cradle/PowerAL

• Share something that can help SMBs, your family or friends 

• Patch patch patch...

• https://go.newsfusion.com//security/item/1524577

• https://securityboulevard.com/2019/10/most-americans-dont-know-what-2fa-is-pew-research-shows/

• https://nakedsecurity.sophos.com/2019/10/11/hackers-bypassing-some-types-of-2fa-security-fbi-warns/

• Malware Archaeology Logging tips - List of Binaries to monitor

  • https://www.malwarearchaeology.com/logging

Guest - LolBin/LolBas - api0cradle - aka Oddvar Moe

• https://lolbas-project.github.io/

• https://github.com/LOLBAS-Project/LOLBAS

• https://gtfobins.github.io/

• http://www.hexacorn.com/blog/

• HUMIO - Free 2GB/day 7 day retention

  • https://www.Humio.com

Guest:

• https://github.com/PowerShellMafia/CimSweep - Matt Graeber – Agentless using CIM/WMI

• http://nirsoft.net/ (DLL Export viewer, Reg DLL View, Password recovery, network tools +++)

• Get injected-thread by Jared Atkinson - https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2

• https://github.com/Neo23x0/sigma - Standardized ruleset for SIEMs

New Dridex version

1. Delivered via Office document or Email with URL

2. wscript/csript downloads bad binary named Chrome.exe

3. Calls Scheduled task for persistence

4. Chrome calls msra.exe for comms

   1. C:\Windows\syswow64\Msra.exe chrome.exe

1. So another LOLBin ?  This is what prompted this podcast

What is a LOLBin and LOLBas?

1. It stands for Living off the Land Binary and Scripts

2. Libraries too, Dlls

What started all this?

1. @SubTee Casey Smith efforts on Application Whitelisting bypasses from 2015 ish where he found ways to use existing binaries on the system to do bad things like RegSvr32, RegAsm, RunDll32, and several others

Why are these an issue for us Defenders?

1. Well Pentesters and Red Teams use them to get around security solutions like AV, EDR and App Whitelisting

Do these normally execute?  If so how noisy are they?

1. Some are noisy

What do we need to watch out for?

1. Command line parameters are key

2. What is are the parameters they are executing with these utilities

Are there any lists people can use?

1. Malware Archaeology Logging page has a list and link to Oddvar’s page

What about security solutions, do we need to be concerned with these?

1. Yes, many AV and EDRs will not have alerts for these items

2. You will need to build some alerts and filter out the good/noise

What about logging theme?

1. Use the list(s) and build a lookup list that you can add to 4688 events or Sysmon 1 and 7 events and monitor them

What about MITRE ATT&CK, do they reference these?

1. Yes, there are several of these mentioned in MITRE ATT&CK, so map your tools to ATT&CK Techniques

Are there ways to test for these LOLs

What else do people need to watch out for?

-------------------

Casey Smith @SubTee - Red Canary

Bypassing Application Whitelisting

SHMOOCon 2015 -

• https://youtu.be/XVuboBH5TYo

SANS

• https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1524509113.pdf

DerbyCon 2016 - 

• http://www.irongeek.com/i.php?page=videos/derbycon6/522-establishing-a-foothold-with-javascript-casey-smith

DerbyCon 2019 - 

• http://www.irongeek.com/i.php?page=videos/derbycon9/stable-28-net-manifesto-win-friends-and-influence-the-loader-casey-smith

Oddvar Moe talk on LOLBin at DerbyCon 2018

• https://www.youtube.com/watch?v=NiYTdmZ8GR4

Alternate Data Streams:

• https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

www.LOG-MD.com/podcasts

Newsworthy Items: • INSURANCE COMPANY REFUSES TO PAY NOTPETRYA BILL, SAYS IT WAS AN ACT OF WAR, COMPANY SUES FOR $100M • 2-FACTOR AUTH BYPASSED ??? • 773 MILLLLLION PASSWORDS CIRCULATING THE INTERNET FROM PAST BREACHES • BYPASS BLACKLISTED WORDS FILTER (OR FIREWALLS) VIA WILDCARDS Malware of the month - First Sednit UEFI Rootkit Unveiled Site-worthy - websites of the trade to share Tool-worthy - some tools of the trade to share

Newsworthy Items: Over 1 BILLION Pwned Dell Breach Marriott/Starwood Breach Malware of the month - LOKIBot Site-worthy - websites of the trade to share Tool-worthy - some tools of the trade to share

Newsworthy Items: 1. NSS Labs fires off anti-malware-testing lawsuit at infosec toolmakers 2. Gartner says EDR will be a 1.5 BILLION, with a B business by 2020 3. Forrester Report on is EDR overblown

Newsworthy Items: ----------------------- After Sept 21st Credit Freezes are FREEEEEE - Article - by Krebs "Do you use a Tumi bag? Registered it with Tumi's Tracer service? British airways website hacked 380K users affected How Hackers Slipped by British Airways' Defenses - Wired Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob - WIRED Exploit vendor drops Tor Browser zero-day on Twitter - zdnet Bad Actors Sizing Up Systems Via Lightweight Recon Malware Site-worthy - websites of the trade to share Tool-worthy - some tools of the trade to share Malware of the month - EMOTET

Newsworthy Items: The most expensive Cyber attack EVER !!! (wired) City of Atlanta 17 million ransom attack APT32 proves what we say about logging - Monitor Scheduled Tasks Malware of the month - None, so send us something interesting... Site-worthy - websites of the trade to share Tool-worthy - some tools of the trade to share

Newsworthy Items - New Sysmon and Autoruns versions released. Be careful of VirusTotal uploads Malware of the month - None, so send us something interesting... Site-worthy - websites of the trade to share Tool-worthy - some tools of the trade to share