DR FAT
- 2. Product Demo
Get comfortable: Over the next 2 hours we will take a step
by step walk in great detail through the entire Fidelis
Cybersecurity product line.
You can expect:
1. Graphs on the current APT threatscape
2. Diagrams of best deployment practices
3. Kill Chain optimization of your current infrastructure for
synergy
4. Pricing and Availability.
- 4. Introduction
John Laycock:
• B.S. Mechanical Engineering from Northern Illinois
University
• Cognitech/Ocean Systems Forensic Video Analyst
• Government Contractor
DC3 – DCFL Forensic Examiner/DCISE/NCIJTF
• General Dynamics/Fidelis Commercial Forensics Team
• Fidelis Threat Research Team
John Laycock
Systems, Threat Research
Email: john.laycock@fidelissecurity.com
- 5. Introduction
Chris Rogers
• Army Intel Sigint / Humint
• Government Contractor
• Department of State
• NIPC
• US CERT
• DC3 Forensic Examiner / Intrusions
• Bank of America
Chris Rogers
Senior Analyst, Threat Research
Email: Chris.Rogers@fidelissecurity.com
- 6. Deductive Reasoning
“There is a strong family resemblance about misdeeds,
and if you have all the details of a thousand at your finger
ends, it is odd if you can't unravel the thousand and first.”
-Sir Arthur Conan Doyle
The Sign of Four
- 7. Deductive Reasoning
“There is a strong family resemblance about malicious
files, and if you have all the details of a thousand at your
finger ends, it is odd if you can't infer the thousand and
first.”
-Sir Arthur Conan Doyle
The Sign of Four
- 8. Disclaimer
This is an introductory level talk to folks that do not
necessarily do malware analysis on a daily basis.
Many of the things you are about to see are not what
would be considered forensically sound. These are quick,
down and dirty tools to help you evaluate if a file is
malicious. Many of the concepts we will be showing you
are from a high level view. You can refer to some of the
references in the appendix to drill down into these
concepts in more detail.
TL;DR This is an intro to a deep topic. We’re showing
some basic concepts that may or may not be forensically
sound.
- 9. What is Malware?
Variety of evil logic.
Crimeware
BOTNET
Ransomware
Hijackers
Keyloggers
Adware
Spyware
Scumware
Rootkits
Trojans
Worms
Viruses
Backdoors
- 11. The specific what…
Computers are just tools that translate binary instructions
into cool stuff, from cat pictures and movies to the latest
Zombie FPS.
Bad guys and shady marketers take full advantage of the user
friendly nature to deploy their collection of bits to your
computer.
- 12. What’s the vector victor?
• Downloader
• Exploit Kit
• E-mail
• Web
• Portable Media
- 13. How is this still a thing?
• User Friendlyitus
• Compatabilibuddy
• Legacy Code
- 15. Application in Security & IR
If it looks like malware and smells like
malware… it’s probably not the dancing
cat screen saver that was advertised.
- 16. Application in Security & IR
MAC Times
- General Rules of thumb
- How to debunk “Timestomping” or The secret
hidden times
- 17. Application in Security & IR
NTFS
Master File Table (MFT) - Information about every file on
an NTFS volume is stored in the Master File Table.
Information such as the Modified, Accessed, Created (MAC)
times for the file is stored here.
- 19. Application in Security & IR
The MFT is found under the root directory of the volume
and can be hidden as a system file. You can use a tool like
FTK Imager Lite to copy this file out for analysis.
NTFS MAC Times
- 20. Application in Security & IR
NTFS MAC Times
Using MFTDump, you can export a CSV of the $MFT
and use Excel to sort through the MAC times looking
for anomalies. In this case the Standard Info create
time field does not match the File Name create time
field; this is evidence of time stomping.
- 21. Application in Security & IR
File System Locations
Malicious files can be found anywhere on your
system. Sometimes they are visible and sometimes
they like to hide. However, there are a number of
commonly used directories that you can look through
for anything that appears out of the ordinary.
- 22. Application in Security & IR
File System Locations
In this case the two irevil files are located under
C:\Windows\system32.
- 23. Application in Security & IR
File system locations
Some common locations:
C:\
C:\Windows
C:\Windows\System32
C:\Program Files\<directory>\*
C:\Program Files (x86)\<directory>\*
C:\Documents and Settings\{username}\Local Settings\Temp (XP)
C:\Users\{Username}\AppData\Local\Temp
- 24. Application in Security & IR
Registry
Getting malware onto a system is
only the first step. The bad guys
need to be able to restart their files
if the system is rebooted.
Persistence is the key to surviving
a reboot. This can be
accomplished by making entries in
the registry.
- 25. Application in Security & IR
Registry
To review the registry on your system you can use
Regedit.
This shows irevil.exe is set to run on startup.
- 28. Application in Security & IR
Finding Registry time stamps
Open in notepad.
Alternatively you can use FTK Imager to export the
registry hive and use a tool like RegRipper.
- 30. Application in Security & IR
Common Registry Keys
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Try using regedit to look through some of these registry locations:
- 31. Application in Security & IR
Common Registry Keys
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
Windows 7 64-bit
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
Consider using a tool like Autorunsc.exe from Microsoft
Sysinternals.
- 32. Application in Security & IR
Prefetch
The prefetch folder contains a list of commonly run programs
on your system to help speed up loading times. These files
are stored as .pf files in C:\Windows\Prefetch.
- Date/Time file first executed
- Last time of execution
- Number of times run
- 33. Application in Security & IR
Task Scheduler
This can be used to help persist malware on a system and to schedule
it to run at various intervals.
Look for schedlgu.txt, commonly found in
C:\Windows
C:\Windows\Tasks
You can also look for
HKLM\SOFTWARE\Microsoft\SchedulingAgent
- 34. Application in Security & IR
Task Scheduler
The SchedLgU.txt file is essentially a log file showing lists of jobs
scheduled and whether they’ve run properly.
- 37. Tools
• DR Fat
Heuristics and Tools
1. The Internet
2. Hex Editor
3. Entropy Analyzer
4. Hashing Tool
5. Analyzer/PE Information Tool
- 45. Tools
• DR Fat
Heuristics and Tools
Hashing Tool
CRC32: 968A8A16
MD5: 31e6002b21c489fbbdb0f88ddc02603e
SHA1: 524584aa63b9cb95b72ab5ae64522a0d48d857b2
SHA256: a326d9b72e6905304de30fa02fd3a087506c99486f5094e8a5c7cc7a5f84e059
Ssdeep: 24576:v2UnOxz4461D69+Twrijj9Ig6sIw7ag38YaXag:v2cIZbuHqsd7agvaV
Authentihash: 53e70adbf1277fe98a4bc7830a173327398b6196dfb9231b53275544e2980f30
Imphash: 884310b1928934402ea6fec1dbd3cf5e
- 72. Why dynamics sometimes aren’t
1. Virtual Detection
2. Sandbox Detection
3. Debugger Checking
4. Weird Dependencies
5. Time Checks
6. Missing Components
7. Unusual URL Response during execution
- 73. He Laterally just said that
“Laterals work goodly, they is not for every play though.”
-Unnamed ex-Giants receiver
- 74. Tales from the field
• Not your average melting point.
• A PNG in the butt.
- 76. In Conclusion
Static indicators that we talked about are clues.
• Some clues are key indicators
• Some clues are circumstantial
A final fitting Doyle/Holmes quote:
“The more bizarre a thing the less mysterious it
proves to be. It is your commonplace,
featureless crimes which are really puzzling.”
- 77. Appendix
The following are a series of links to references and tools we have found
useful. Many are beyond the scope of a short talk but we have included
them for future reference.
1. SANS Memory Forensics Poster - http://digital-forensics.sans.org/media/Poster-2015-Memory-Forensics2.pdf
2. SANS Windows Forensic Analysis Poster - http://digital-forensics.sans.org/media/poster-windows-forensics-2015.pdf
3. Fidelis Threat Advisories - http://www.fidelissecurity.com/resources/threat-advisory
4. MFTDump v1.3.0 - http://malware-hunters.net/wp-content/downloads/MFTDump_V.1.3.0.zip
5. NTFS Documentation - http://dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf
- 78. Appendix
7. Sysinternals - Autorunsc - http://technet.microsoft.com/en-us/sysinternals/bb963902
8. Many ways of malware persistence (that you were always afraid to ask) - http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html
9. Common Autostart Locations - http://gladiator-antivirus.com/forum/index.php?showtopic=24610
10. FTK Imager Lite - http://accessdata.com/product-download/digital-forensics/ftk-imager-lite-version-3.1.1
11. Suspicious File Locations - http://www.malicious-streams.com/resources/articles/DGMW1_Suspicious_FS_Geography.html
12. Windows Scheduler - http://what-when-how.com/windows-forensic-analysis/file-analysis-windows-forensic-analysis-part-4/
13. Windows Prefetch - http://forensicswiki.org/wiki/Prefetch
- 79. Appendix
14. Notes on Linux/Xor.DDoS - http://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html
15. Time Stomping is for Suckers - http://thedigitalstandard.blogspot.com/2011/02/time-stomping-is-for-suckers.html
Editor's Notes
- So it’s a difficult problem, with no easy answer. There’s no “silver bullet”. And throwing a pile of boxes and a ton of money at the problem is not going to make it go away.
----- Meeting Notes (10/16/15 16:21) -----
Sir Arthur Conan Doyle, through his character Sherlock Holmes, stated that if you have seen 1,000 crime scenes the 1001st should not surprise you.
- Many organizations have fallen victim to these advanced threats, including some very large organizations with sophisticated security teams and technologies who you would expect should be able to defend themselves against any kind of security threat.
The list of organizations that have suffered massive data breaches is a testament to the fact that the nature of the threats that companies are facing today has fundamentally changed. You’re no longer defending yourself against loosely organized groups of opportunistic hackers using recycled attacks to exploit known vulnerabilities. Today you’re up against highly skilled adversaries who have the ability to create customized or even “zero day” attacks that target your organization, exploit your vulnerabilities, and steal your data.
- This is where you enter the picture. From the “My computer is acting funny” to Microsoft calling you up because your computer is pinging their server.
- Keeping with our theme of malware standing out, keep in mind that on the surface things aren’t always what they appear. You need to dig down beneath the surface to see what is really happening.
- We’ll start with MAC times. Many of you may be familiar with this term; for those of you that are not, MAC stands for Modified, Accessed, Created and refers to the time attributes for a given file. A great indication of malicious intent is if a file has had its MAC times deliberately changed to an earlier or later date. This can be done to mislead folks looking for signs of an intrusion around a specific time frame. For example, if a network log shows that a system was accessed on November 2, it would make sense to look for files created or modified around that time frame on the system. However, with the various time stomping tools out there, malware writers can change the time stamps to a different date.
- How does a user go about this? Well, when you’re talking about NTFS, it uses a file table called the Master File Table (MFT). The MFT contains various information about the files on the system, such as the MAC times, file location on the disk, etc. In the case of the MAC times, there are actually two sets of time stamps: the SI (Standard Information) and FN (File Name) times.
- The times we see from the operating system are the SI times. In this case, for this file, irevil.dll, we see that the file was created on November 12, 2005 and was last accessed on November 2, 2014. On the surface all seems legitimate. Let’s dig a little deeper.
- We can use a tool from Access Data called FTK Imager to help us browse the files on the system. We can also use FTK Imager to actually create an image of the system if we need to later on. (Note: you will find several links to the tools and concepts we will be talking about in an appendix at the back of this presentation.) For now, we are interested in taking a closer look at the MFT, so we will export that file out. You’ll also find a backup of the MFT in the same location called the MFTMirr. For now, let’s just concentrate on the MFT file.
- There are lots of ways we can do this; one quick, down and dirty way is to use a tool called MFTDump. We can export the contents of the MFT into a CSV file for analysis using Excel. If you dabble in Excel a lot you know that you can create filters very easily. In this case I created one to show me where the SI times and the FN times don’t match up. On this system there are two files where we see that has happened, and we now have two files that we may want to take a closer look at; Chris will highlight some of those techniques in a little bit.
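The SI-versus-FN comparison from slide 20 and the notes above, done directly against raw $MFT records instead of an MFTDump CSV. This is an added example, not the talk's or MFTDump's code; it assumes the default 1024-byte record size, resident $STANDARD_INFORMATION and $FILE_NAME attributes, and builds its own three-record sample $MFT (including the update-sequence fixups a real record carries) so it runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024                         # default $MFT record size, 2 sectors
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF   # attribute type codes
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def ft(y, m, d):
    return ((datetime(y, m, d, tzinfo=timezone.utc) - EPOCH_1601)
            // timedelta(microseconds=1)) * 10

def apply_fixups(record):
    """Undo the update-sequence fixup: on disk the last two bytes of every
    512-byte sector hold the USN; the real bytes sit in the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    rec = bytearray(record)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * 512
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: corrupt or torn record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(record):
    """Return SI/FN creation times and the file name, or None if unused."""
    if record[:4] != b"FILE":
        return None
    rec = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    if not flags & 0x01:                   # bit 0 = record in use
        return None
    info, off = {}, first_attr
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:              # resident attribute: content inline
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_SI:
                info["si_created"] = struct.unpack_from("<Q", body, 0)[0]
            elif atype == ATTR_FN and "fn_created" not in info:
                info["fn_created"] = struct.unpack_from("<Q", body, 8)[0]
                info["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return info or None

def find_stomped(mft, record_size=RECORD_SIZE):
    """Records whose SI and FN creation times differ. Stomping tools rewrite SI
    only, so SI earlier than FN is the strongest signal: nothing normal does that."""
    hits = []
    for base in range(0, len(mft) - record_size + 1, record_size):
        i = parse_record(mft[base:base + record_size])
        if i and "si_created" in i and "fn_created" in i \
                and i["si_created"] != i["fn_created"]:
            hits.append({"record": base // record_size, "name": i["name"],
                         "si_created": filetime_to_dt(i["si_created"]),
                         "fn_created": filetime_to_dt(i["fn_created"]),
                         "si_before_fn": i["si_created"] < i["fn_created"]})
    return hits

def build_record(name, si_created, fn_created, modified, usn=0x0102):
    """Constructed 1024-byte FILE record with resident SI and FN attributes."""
    def attr(atype, body):
        body += b"\0" * (-len(body) % 8)   # attribute length is 8-byte aligned
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 0, 0, 0,
                           len(body), 24, 0, 0) + body
    si = struct.pack("<QQQQ", si_created, modified, modified, modified) + b"\0" * 16
    fn = struct.pack("<QQQQQQQIIBB", 5, fn_created, modified, modified, modified,
                     0, 0, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = attr(ATTR_SI, si) + attr(ATTR_FN, fn) + struct.pack("<I", ATTR_END) + b"\0" * 4
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1,
                                   0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, 0)
    rec = bytearray(header + struct.pack("<HHH", usn, 0, 0) + b"\0\0" + attrs)
    rec += b"\0" * (RECORD_SIZE - len(rec))
    rec[510:512] = rec[1022:1024] = struct.pack("<H", usn)   # USN in sector tails
    return bytes(rec)

# Constructed sample $MFT: irevil.dll has a 2005 SI create time but a 2014-11-02 FN create time.
SAMPLE_MFT = b"".join([
    build_record("notepad.exe", ft(2009, 7, 14), ft(2009, 7, 14), ft(2009, 7, 14)),
    build_record("irevil.dll", ft(2005, 11, 12), ft(2014, 11, 2), ft(2005, 11, 12)),
    build_record("report.docx", ft(2014, 10, 30), ft(2014, 10, 30), ft(2014, 11, 1)),
])

if __name__ == "__main__":
    for h in find_stomped(SAMPLE_MFT):
        print(f"record {h['record']} {h['name']}: SI {h['si_created']:%Y-%m-%d} "
              f"vs FN {h['fn_created']:%Y-%m-%d} (SI earlier: {h['si_before_fn']})")
```

To run it against a real volume, read the $MFT exported with FTK Imager into `mft` and call `find_stomped(mft)`; a file that was merely copied or moved can also show SI and FN differing, so treat SI earlier than FN as the lead to chase first.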
- Malware authors like to run their files from pretty specific locations. It used to be pretty simple to look through 2-3 directories for any weird looking files. Now it can be in dozens of different locations. Things to look for are files with strange sounding names, maybe foreign Chinese/Cyrillic characters. Let’s take a look at some examples.
- In this case irevil should obviously stick out like a sore thumb. In reality it may not be quite so obvious. You can see that these files are located in the C:\Windows\System32 directory.
- These are some common locations, I’ve put some links in at the end of the slides that can give you many more directories to look in.
- In addition to file time stamps and file system locations, malware authors will commonly use the registry to help them. It’s one thing to get their file onto a system, but it’s another to make sure it keeps running, especially after a reboot. An easy way to go about that is to make an entry in the registry to start the file on system startup.
- Prefetch is another area you can check to see if a file has been executed on your system. It’s commonly used by Windows to help speed up loading times. It can also be reviewed to look for evidence of a file being executed on the system. Windows will create a .pf file in C:\Windows\Prefetch. There are prefetch parsers that you can find online that will allow you to parse the .pf file and find out additional information like the date and time that it was first executed, the last time it was executed and the number of times that it was run.
- It is important to be able to gather all information at your disposal.
Your sleuth kit should include but not be limited to the following items as each one can provide different clues to the nature of the file in question.
- We live in the information age, and believe it or not the internet is a tool for good as well as evil.
Just don’t rely on it as the only determining source of information.
Svchost.exe is not always bad… and be sure you are querying information from a clean system. Use your phone or something.
Also, uploading files means loss of control. Anubis/VirusTotal are great services, but if you upload a weird file that was a crashed version of nana’s secret baked bean recipe it now belongs to the internets.
Also don’t quote me but… internet law dictates that for every cutesy cat video or picture uploaded there must exist a malware related post. Some pages have great content and some are stuffed with fluff.
http://blog.didierstevens.com/programs/virustotal-tools/
- Ever wonder what those binary instructions look like? Well, hex editors are useful to see the hexadecimal translation.
This system is useful because it represents every byte (8 bits) as two consecutive hexadecimal digits.
It is much easier for humans to read hex than binary.
4D 5A = MZ
- Shannon entropy was introduced by Claude E. Shannon in his 1948 paper “A Mathematical Theory of Communication” and further in his “Communication Theory of Secrecy Systems”.
https://www.cryptool.org/en/
- Great formula, but the bottom line is that data compressors and encryptors tend to produce very high entropy results.
Or high entropy could mean someone’s trying to hide something.
https://www.cryptool.org/en/
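The entropy analyzer and hex editor checks from the notes above, worked as code: whole-file Shannon entropy, a fixed-window scan that points at the high-entropy region, and the 4D 5A (MZ) magic check. Added example, not a tool from the talk; the sample "binary" is constructed in place (an MZ stub, repeated DOS-stub text, then 4 KiB of seeded PRNG bytes standing in for an encrypted payload).

```python
import math
import random
from collections import Counter

def shannon_entropy(data):
    """H = -sum(p_i * log2 p_i) over the 256 byte values: 0.0 for one
    repeated byte, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_windows(data, window=256, threshold=7.0):
    """(offset, entropy) for each fixed window at or above the threshold.
    Plain code and text land well below 7 bits; compressed or encrypted
    payloads sit near 8, so a run of windows above the threshold is what an
    entropy analyzer highlights."""
    hits = []
    for off in range(0, len(data), window):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            hits.append((off, round(h, 2)))
    return hits

def triage(data):
    """Quick-look checks: MZ magic (4D 5A) plus where the high-entropy material is."""
    return {"mz_magic": data[:2] == b"MZ",
            "entropy": round(shannon_entropy(data), 2),
            "high_entropy_windows": entropy_windows(data)}

# Constructed sample: MZ stub, low-entropy DOS-stub text, then 4 KiB of seeded
# PRNG bytes standing in for an encrypted payload appended by a packer.
_rng = random.Random(7)
DOS_TEXT = b"This program cannot be run in DOS mode.\r\n" * 40
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE = b"MZ" + b"\0" * 62 + DOS_TEXT + PAYLOAD
PAYLOAD_OFFSET = len(SAMPLE) - len(PAYLOAD)

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("MZ magic:", result["mz_magic"], " whole-file H:", result["entropy"])
    for off, h in result["high_entropy_windows"]:
        print(f"  high entropy at 0x{off:06x}: H={h}")
```

Read a real file with `open(path, "rb").read()` and pass it to `triage`; a legitimately compressed resource (an embedded PNG or zip) will also light up, which is why the notes call high entropy a clue rather than a verdict.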
- http://implbits.com/products/hashtab/#
http://portableapps.com/apps/utilities/winmd5sum_portable
CRC32: 8 chars and pretty weak computationally
MD5: 32 chars (standard hash)
SHA1: 40 chars; SHA256: 64; SHA384: 96; SHA512: 128
SSDeep (aka Captain Fuzzy): can be used to compare files; the format is blocksize:hash:hash
Authentihash: Windows Authenticode, used for integrity
Imphash: used to find compiler/builder commonalities
Each one of these algorithmic hashes has a place and purpose; although some get picked on by serious math nerds and the Monday morning quarter-geeks, they all still have value, and the rule of thumb is the more digits the more accurate/secure.
- PEStudio: https://www.winitor.com/
Yara
- In general: is the file too old (>2 yrs) or too new (the last three days), or does it even carry a future date/time?
This example shows an old date/time, so in theory we should be able to find the actual object and compare; or, if it shows up on the FS in 2015 and Doc Brown isn’t involved, there is probably a story there.
- Another Holmes quote is, the more bizarre a thing the less mysterious it proves to be. It is your commonplace, featureless crimes which are really puzzling.
- #1 Responding to an alert once:
Name was messed, high entropy, known suspect location, creation time matched.
No one classified it laterally, sandbox failed. Took in depth RE to discover that during entrenchment malware used system name as key field during melt, upon every run queried system name and went down different fork if diff.
#2 Another time we discovered some sporadic beacon traffic. Finding the binary on the system was easy but the entrenchment wasn’t. We finally discovered that it was tied to the user’s roaming profile under the PNG rendering in Internet Explorer. So only when the user a) used IE and b) went to a site with a PNG on it did the beacon take place.
- Ex: VT has the hash but it registers 0/56 with no real data; that does not mean it’s a good file.
- Another Holmes quote is: the more bizarre a thing the less mysterious it proves to be. It is your commonplace, featureless crimes which are really puzzling.
Key indicators: known mutexes, muticies, mutex patterns… Kxgryzz.exe found in a user’s AppData directory
Circumstantial: Just because the glove does not fit exactly doesn’t necessarily mean