logging for hackers - what you need to know to catch them
TRANSCRIPT
![Page 1: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/1.jpg)
Logging for HackersHow you can catch them with what
you already have and a walk through of an actual attack and how we
caught it
Michael Gough – Founder
MalwareArchaeology.com
MalwareArchaeology.com
![Page 2: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/2.jpg)
Who am I• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
Creator of
• Malware Management Framework
• Several Windows Logging Cheat Sheets
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane and also my Blog
MalwareArchaeology.com
![Page 3: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/3.jpg)
Malware Archaeology
Log-MD.com
![Page 4: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/4.jpg)
• We discovered this May 2012
• Met with the Feds ;-)
Why you should listen to me?
MalwareArchaeology.com
2014 - We gave an infected VM to one of the Big IR Firms… They came back “Yup.. It’s clean” #Fail
![Page 5: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/5.jpg)
Malware evolves
• So must we
• Darwin says so
• Evolve or die
• Well… Evolve or get breached anyways
• Getting breached means an RGE !!!– Resume Generating Event
MalwareArchaeology.com
![Page 6: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/6.jpg)
A quick look at
STATS
MalwareArchaeology.com
![Page 7: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/7.jpg)
DBIR 2016
• Why we are here…
MalwareArchaeology.com 7
• Hackers compromises us• in minutes
• And steal our data• in days
![Page 8: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/8.jpg)
DBIR 2016
MalwareArchaeology.com 8
• Hackers time to Compromise is getting faster
• Than our ability to Discover them
![Page 9: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/9.jpg)
DBIR 2016
MalwareArchaeology.com 9
• Fraud and Internal detection going down
• The dreaded 3rd
party call and Law Enforcement notifications going up
![Page 10: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/10.jpg)
Chasing Hashes
MalwareArchaeology.com
• Malware hashes are no longer similar
• Malware is morphing or created unique by design for each system OR on reboot
![Page 11: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/11.jpg)
Symantec says…
MalwareArchaeology.com
![Page 12: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/12.jpg)
SANS says…
MalwareArchaeology.com
![Page 13: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/13.jpg)
Sophos Says…• 70% of malware is unique to 1 company (APT)
• 80% of malware is unique to 10 or less (APT)
• That means…
• 20% of malware is what the AV industry focuses on, but it is what most of you and everyone in this room sees and gets by:– Attachments in email
– URL in email
– Surfing the web• Ads
• WordPress, Drupal, Joomla…
MalwareArchaeology.com
![Page 14: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/14.jpg)
A quick look at
Advanced Malware
Artifacts
MalwareArchaeology.com
![Page 15: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/15.jpg)
Winnti - Malware Infection
15
Malware Launch
Hiding malwarein the Registry
Modify Service
![Page 16: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/16.jpg)
Escalate permissions obvious NOT your admin
16
Check the Service used
Modify Permissions
Push out malware using CMD Shell & CScript
![Page 17: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/17.jpg)
Using the Registry for storage
17
Update Registry
Change Registry Permissions
Change permissions on files
![Page 18: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/18.jpg)
Bad behavior becomes obvious
18
Doing Recon
Going after Terminal Services
Query Users
![Page 19: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/19.jpg)
You can even capture their Credentials
19
Caught THEIR Credentials!
![Page 20: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/20.jpg)
Persistence
• Avoided leaving key files behind like they did before, well one anyways… the persistence piece
MalwareArchaeology.com
![Page 21: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/21.jpg)
HKLM\Software\Clients• putfile
• file
• read
MalwareArchaeology.com
4D5A = MZ in HEX
Key Size = 256k
![Page 22: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/22.jpg)
Persistence
• Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe)
• Altered system management binaries
– McAfeeFrameworkService
– BESClientHelper
– Attempted a few others, some failed
MalwareArchaeology.com
• We tried the infector on several other system files and it worked
![Page 23: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/23.jpg)
Persistence
• BAM! Got ya – PROCMon on bootup
MalwareArchaeology.com
![Page 24: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/24.jpg)
A quick look at
Commodity Malware
Artifacts
MalwareArchaeology.com
![Page 25: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/25.jpg)
Angler delivered Kovtar
• Unique way to hide the persistence
• Inserted a null byte in the name of the \Run key so that RegEdit and Reg Query fail to read and display the value
• And a LARGE Reg Key (anything over 20k is large)
MalwareArchaeology.com
![Page 26: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/26.jpg)
Dridex Artifacts
MalwareArchaeology.com
![Page 27: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/27.jpg)
Dridex Persistence
• New method towards the end of 2015, nothing in the Registry showing persistence while system was running
• In memory only until system shutdown
– On shutdown the Run key was created
• On startup the malware loads and Run key deleted
MalwareArchaeology.com
![Page 28: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/28.jpg)
Dridex is Baaack
• 2016 variant
MalwareArchaeology.com
![Page 29: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/29.jpg)
How to Detect
Malicious Behavior
MalwareArchaeology.com
![Page 30: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/30.jpg)
Take Away
#1
MalwareArchaeology.com
![Page 31: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/31.jpg)
Where to start• What am I suppose to set?
• Where do I get more information?
“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Malware Management Framework”
• Find them all here:– MalwareArchaeology.com
MalwareArchaeology.com
![Page 32: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/32.jpg)
PowerShell
• It’s coming… in a BIG way, it’s here
• Ben Ten uses it (Not PowerShell)
• Carlos uses it (MetaSploit)
• Dave uses it (SET)
• Kevin too (Pen Tester)
• Dridex uses it
• RansomWare uses it
• And logging SUCKS for itMalwareArchaeology.com
![Page 33: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/33.jpg)
Take Away
#2
MalwareArchaeology.com
![Page 34: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/34.jpg)
So what do we do???• It is the “SHOW ME” state
• So here it is
• The “Windows PowerShell Logging Cheat Sheet”
• Designed to catch the folks I just mentioned, and others ;-)
• Get it at:– MalwareArchaeology.com
MalwareArchaeology.com
![Page 35: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/35.jpg)
Take Away
#3
MalwareArchaeology.com
![Page 36: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/36.jpg)
How to catch this stuffCommand Line Logging !!!!
• At the time of Winnti 2014 ONLY Win 8.1 and Win 2012 R2 had command line logging
• Which we had, then we saw this in our alerts of suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib)
• Scripts too
MalwareArchaeology.com
![Page 37: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/37.jpg)
And this query
index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\\net.exe OR reg.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | evalMessage=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message | stats count > 2
MalwareArchaeology.com
![Page 38: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/38.jpg)
So how do you do this?
• Malware Management allowed us to setup alerts on artifacts from other malware analysis
• Of course our own experience too
• Malware Discovery allowed us to find odd file hashes, command line details, registry locations
• Malware Analysis gave us the details
MalwareArchaeology.com
![Page 39: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/39.jpg)
What we need to look for• Logs of course, properly configured - Events
– Command Line details– Admin tools misused – executions– New Services (retail PoS should know this)– Drivers used (.sys)
• New Files dropped anywhere on disk – Hashes• Infected management binary (hash changed)• Delete on startup, write on shutdown - Auditing• Scripts hidden in the registry – Registry Compare• Payload hidden in the registry – Large Reg Keys• Malware Communication – IP and WhoIS info• Expand PowerShell detection• VirusTotal Lookups
MalwareArchaeology.com
![Page 40: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/40.jpg)
So what did we
take away
from all of this?
MalwareArchaeology.com
![Page 41: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/41.jpg)
You have 3 options
• Do nothing – Eventually an RGE
• Log Management / SIEM
– Cost $$$ and storage
– But IS the best option, better than most security solutions if you want my opinion
• What if I don’t have Log Management or SIEM?
MalwareArchaeology.com
![Page 42: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/42.jpg)
It didn’t exist
So we created it!
So you can do it too!
MalwareArchaeology.com
![Page 43: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/43.jpg)
Take Away
#4
MalwareArchaeology.com
![Page 44: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/44.jpg)
MalwareArchaeology.com
• Log and Malicious Discovery tool
• When you run the tool, it tells you what auditing and settings to configure that it requires. LOG-MD won’t harvest anything until you configure the system!
• So answers How to check for the What to set I already told you about
![Page 45: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/45.jpg)
Functions
MalwareArchaeology.com
• Audit Report of log settings compared to:– The “Windows Logging Cheat Sheet”
– Center for Internet Security (CIS) Benchmarks
– Also USGCB and AU ACSC
• White lists to filter out the known good– By IP Address
– By Process Command Line and/or Process Name
– By File and Registry locations (requires File and Registry auditing to be set)
• Report.csv - data from logs specific to security
![Page 46: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/46.jpg)
Purpose
MalwareArchaeology.com
• Malware Analysis Lab – Why we initially developed it• Investigate a suspect system• Audit the Windows - Advanced Audit Policy settings• Help MOVE or PUSH security forward• Give the IR folks what they need and the Feds too• Take a full system (File and Reg) snapshot to compare to another
system and report the differences• Discover tricky malware artifacts (Large Keys, Null Byte, AutoRuns)• SPEED !• Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…• Replace several tools we use today with one easy to use utility that
does much more• Replace several older tools and GUI tools• To answer the question: Is this system infected or clean?• And do it quickly !
![Page 47: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/47.jpg)
Free Edition
MalwareArchaeology.com
• Audit your settings – Do you comply?
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden payloads
![Page 48: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/48.jpg)
MalwareArchaeology.com
• Everything the Free Edition does and…• More reports, breakdown of things to look for• Specify the Output directory• Harvest Sysmon logs• Harvest WLS Logs• Whitelist Hash compare results• Whitelist Registry compare results• Create a Master-Digest to exclude unique files• Free updates for 1 year, expect a new release
every quarter• Manual – How to use LOG-MD Professional
![Page 49: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/49.jpg)
MalwareArchaeology.com
Future Versions – In the works!• PowerShell details
• WhoIs lookups of IP Addresses called• VirusTotal lookups of discovered files
• Find parent-less processes• Assess all processes and create a Whitelist• Assess all services and create a Whitelist• VirusTotal lookups of unknown or new processes and
services• Other API calls to security vendors
![Page 50: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/50.jpg)
MalwareArchaeology.com
Let’s look
at some
LOG-MD
RESULTS
![Page 51: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/51.jpg)
Crypto Event
MalwareArchaeology.com
• C:\Users\Bob\AppData\Roaming\vcwixk.exe
• C:\Users\Bob\AppData\Roaming\vcwpir.exe
• C:\WINDOWS\system32\cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL
• C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet
![Page 52: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/52.jpg)
Malicious Word Doc
MalwareArchaeology.com
DRIDEX
![Page 53: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/53.jpg)
Malicious Word Doc con’t
MalwareArchaeology.com
More DRIDEX
![Page 54: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/54.jpg)
Use the power of Excel
MalwareArchaeology.com
• The reports are in .CSV format
• Excel has sorting and Filters
• Filters are AWESOME to thin out your results
• You might take filtered results and add them to your whitelist once vetted
• Save to .XLS and format, color code and produce your report
• For .TXT files use NotePad++
![Page 55: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/55.jpg)
So what do we get?
MalwareArchaeology.com
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in…
15 Minutes!
![Page 56: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/56.jpg)
Resources
MalwareArchaeology.com
• Websites– Log-MD.com The tool
• The “Windows Logging Cheat Sheet”– MalwareArchaeology.com
• Malware Analysis Report links too– To start your Malware Management program
• This presentation is on SlideShare and website– Search for MalwareArchaeology or LOG-MD
![Page 57: Logging for Hackers - What you need to know to catch them](https://reader030.vdocuments.net/reader030/viewer/2022021416/587b4ee31a28abff1a8b5697/html5/thumbnails/57.jpg)
Questions?
MalwareArchaeology.com
You can find us at:
• Log-MD.com
• @HackerHurricane• @Boettcherpwned
• MalwareArchaeology.com• HackerHurricane.com (blog)
• http://www.slideshare.net – LinkedIn now