Fileless Malware, we think not - Ep 014

Recorded June 2020

TOPIC: Fileless Malware, we think NOT

OUR SPONSORS:

OUR GUESTS WILL BE:

  • Tyler Hudak - Practice Lead, Incident Response - TrustedSec

    • @secshoggoth

    • www.trustedsec.com

  • Martin Brough - Cybersecurity Expert for Acronis

Upcoming Training:

  • SANS DFIR Summit - Running Processes, the Red Team and Bad Actors are using them

    • July 17-18

  • Article in eForensics Magazine on ARTHIR covered in Episode 011

    1. Visit the website and register to get the free edition

  • BSides Cleveland - Tyler’s Forensic Analysis

    1. Friday June 19th - Tactical Windows Forensics

    2. https://www.bsidescleveland.com/training

    3. Will be held and/or released at another event soon

  • Preparing for an Incident - NCC Group webinar. Free to all

    1. July 22nd

    2. newsroom.nccgroup.com/events

Job Opp:

  • NCC Group has a remote Incident Response engineer position, with AWS, GCP, Azure experience required. You get to work with ME.

    • https://nccgroup.wd3.myworkdayjobs.com/en-US/NCC_Group/job/Manchester/Senior-Cyber-Incident-Response_R2595

NEWS-WORTHY:

Cylance blocks LOG-MD-Premium Running Process check

  • Ticket opened, users must exclude LOG-MD from being checked

Windows malware opens RDP ports on PCs for future remote access

  • https://www-zdnet-com.cdn.ampproject.org/c/s/www.zdnet.com/google-amp/article/windows-malware-opens-rdp-ports-on-pcs-for-future-remote-access/

Exploit code for wormable flaw on unpatched Windows devices published online

  • (SMBGhost) - processing of a malformed compressed message. Eternal Darkness/SMBGhost affects version 3.11 of the protocol which, as ThreatPost points out, is the same version that was targeted by the WannaCry ransomware a couple of years ago

The US Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible

ENABLE THE WINDOWS FIREWALL !!!! Block SMB to workstations, and you will get better logging too ;-)

  • https://arstechnica.com/information-technology/2020/06/exploiting-wormable-flaw-on-unpatched-windows-devices-is-about-to-get-easier/

Microsoft warns of vulnerabilities in SMBv3 (Eternal Darkness)

  • Microsoft warns of vulnerabilities in SMBv3

Netwalker Fileless Ransomware Injected via Reflective Loading

  • https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/

80% of hacking-related breaches leverage compromised credentials

  • https://securityboulevard.com/2020/06/80-of-hacking-related-breaches-leverage-compromised-credentials/

SITE-WORTHY:

TOOL-WORTHY:

MALWARE OF THE MONTH:

Dridex fileless malware:

  1. Key Detection points

    • Well… in memory only “fileless”

    • Rundll32 calling malicious DLL 

    • Parent Child relationship

    • Rundll32.exe calling SysWow64\Rundll32.exe

    1. PREVENTION

      1. Scan email attachments

      2. Block Macro execution

      3. Block uncategorized websites

      4. Application Whitelist Users directory

      5. Lock down PowerShell

      6. EDR

TOPIC OF THE DAY:

Fileless Malware, we don’t think so

  1. What is “Fileless Malware”?

    1. Cybereason - Unlike file-based attacks, fileless malware does not leverage traditional executable files. Fileless attacks abuse tools built-in to the operating system to carry out attacks. Essentially, Windows is turned against itself.

Without an executable, there is no signature for antivirus software to detect. This is part of what makes fileless attacks so dangerous - they are able to easily evade antivirus products.

    2. McAfee - Fileless malware is a type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove.

    3. CarbonBlack - Fileless malware refers to a cyberattack technique that uses existing software, allowed applications, and authorized protocols to carry out malicious activities.

    4. WikiPedia - Fileless malware is a variant of computer related malicious software that exists exclusively as a computer memory-based artifact, i.e. in RAM.

It does not write any part of its activity to the computer's hard drive, meaning that it's very resistant to existing Anti-computer forensic strategies that incorporate file-based whitelisting, signature detection, hardware verification, pattern-analysis, time-stamping, etc., and leaves very little by way of evidence that could be used by digital forensic investigators to identify illegitimate activity.

As malware of this type is designed to work in-memory, its longevity on the system exists only until the system is rebooted.

MG's definition

  1. So what do WE think Fileless Malware is?

    1. The IR crew

    2. Tyler

    3. Martin

  2. A better way to define Fileless Malware and WHY

    1. Memware

    2. Regware

    3. WMIware

    4. PowerShellware

    5. Wormware

    6. LolBin/LolBasware

    7. And malware

    8. .NETware compile on the fly (compileware)

    9. bootware

  3. How does this change our evaluation of malware?

  4. How does this change our IR or Threat Hunting process?

  5. How does this change how we detect and alert on malware?

  6. Final thoughts

Other Articles:

-------------------

Cybereason - FILELESS MALWARE 101: UNDERSTANDING NON-MALWARE ATTACKS 

  • https://www.cybereason.com/blog/fileless-malware

McAfee - What Is Fileless Malware?

  • https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html

Getting back to basics, IR 101 - Episode 013

Recorded May 2020

TOPIC: Getting back to basics, IR 101

OUR SPONSORS:

NEWS-WORTHY:

Best EDR Security Services In 2020 for Endpoint Protection

How to Avoid Spam—Using Disposable Contact Information

Shiny new Azure login attracts shiny new phishing attacks

Upgrading from EDR to MDR is Critical but Easier than You Think

The ransomware that attacks you from inside a virtual machine

SITE-WORTHY:

Malware Archaeology - Cheat Sheets

TOOL-WORTHY:

LOG-MD - The Log anD Malicious Discovery tool

MALWARE OF THE MONTH:

Qakbot

  • Typical delivery via an Office doc or URL

  • Created a folder in C:\Users

Key Detection points

  • Enable better logging of AutoRuns - uses a Run key and a Scheduled Task

  • WMIPrvSe launch binary in C:\Users

  • Binary in root of \Username directory C:\Users\<username>\<random long filename>.exe

  • Folder created at C:\Users\<username>\AppData\Roaming\Microsoft\<random_foldername>

  • Syswow64\Explorer.exe used; the parent of Explorer.exe is NEVER a binary in C:\Users

  • Process injection of Syswow64\Explorer.exe

  • Ping 127.0.0.1

  • Scheduled Task created by a binary in C:\Users

  • Syswow64\Explorer.exe opening all the browsers

  • Binary in C:\Users calling out to a foreign country

PREVENTION

  • Block Office macros

  • Don’t allow uncategorized websites

  • EDR Software

  • Whitelisting C:\Users

TOPIC OF THE DAY:

Getting back to basics, IR 101

What is getting back to basics - IR 101

  • This will likely be multiple episodes

  • We will start with Windows

Why is this important?

  1. WHEN you have an incident, the data we, and you, need will be available

  2. This is probably the #1 finding and recommendation we have made to organizations we have been involved with over the years

  3. Security tools fail, so other data you collect can help discover what happened where, when, and how

What is the problem we are wanting our listeners to solve? 

  1. To be better prepared in the event of an incident to speed up investigations

  2. Give your SOC, IT, or Security people the data they need to investigate events

  3. Make log management data better if you are collecting all the things

  4. And of course… help your IR Consultancy do a better job FASTER

Other Articles:

-------------------

CIS Benchmarks

DerbyCon talk on EDR

DerbyCon talk on Winnti

Ep 012 - Laughing at Binaries - LOLBin/LOLBas

Formerly the Brakeing Down Incident Response Podcast

Recorded Oct 2019

TOPIC: Laughing at Binaries - LOLBin/LOLBas

OUR GUEST WILL BE:

  • Oddvar Moe, Sr. Security Consultant TrustedSec - Red Teamer

  • @Oddvarmoe

  • Blog - https://oddvar.moe/

  • lolbas-project.com

  • https://github.com/api0cradle/UltimateAppLockerByPassList

  • https://github.com/api0cradle/PowerAL

OUR SPONSORS:

NEWS-WORTHY:

Cyber Security Awareness Month

  • Share something that can help SMBs, your family or friends 

Flaw with SUDO that lets you get admin priv when denied

  • Patch patch patch...

Microsoft Enables Tamper Protection by Default for all Windows 10 Users to Defend Against Attacks

Most Americans do not know what MFA is????

Hackers bypassing some types of 2FA security FBI warns

SITE-WORTHY:

Guest - LolBin/LolBas - api0cradle - aka Oddvar Moe

TOOL-WORTHY:

Guest:

MALWARE OF THE MONTH:

New Dridex version

  1. Delivered via Office document or Email with URL

  2. wscript/cscript downloads bad binary named Chrome.exe

  3. Calls Scheduled task for persistence

  4. Chrome calls msra.exe for comms

    1. C:\Windows\syswow64\Msra.exe chrome.exe

  5. So another LOLBin? This is what prompted this podcast

TOPIC OF THE DAY:

Laughing at Binaries - LOLBin/LOLBas

What is a LOLBin and LOLBas?

  1. It stands for Living off the Land Binary and Scripts

  2. Libraries too, Dlls

What started all this?

  1. @SubTee Casey Smith's efforts on Application Whitelisting bypasses from 2015-ish, where he found ways to use existing binaries on the system to do bad things, like RegSvr32, RegAsm, RunDll32, and several others

Why are these an issue for us Defenders?

  1. Well Pentesters and Red Teams use them to get around security solutions like AV, EDR and App Whitelisting

Do these normally execute?  If so how noisy are they?

  1. Some are noisy

What do we need to watch out for?

  1. Command line parameters are key

  2. What are the parameters they are executing with these utilities?

Are there any lists people can use?

  1. Malware Archaeology Logging page has a list and link to Oddvar’s page

What about security solutions, do we need to be concerned with these?

  1. Yes, many AV and EDRs will not have alerts for these items

  2. You will need to build some alerts and filter out the good/noise

What about logging them?

  1. Use the list(s) and build a lookup list that you can add to 4688 events or Sysmon 1 and 7 events and monitor them
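One way to do that lookup, as an added example that is not from the podcast, LOG-MD or the LOLBAS project: a constructed subset of a LOLBin lookup list (keyed on image basename, tagged with the ATT&CK technique to map to) is joined against 4688 process-creation message bodies, and a site-specific allowlist of (image, parent, command line) triples filters the known good, so only the odd invocations alert. The 4688 bodies and the allowlist entries are constructed for illustration.

```python
# Added example, not from the podcast or LOG-MD: join a LOLBin lookup list
# against 4688 process-creation events and filter known-good invocations.
# The lookup and allowlist are small constructed subsets, not the full LOLBAS list.
import re

# basename -> ATT&CK technique to tag the event with (illustrative subset)
LOLBIN_LOOKUP = {"rundll32.exe": "T1218.011", "regsvr32.exe": "T1218.010",
                 "regasm.exe": "T1218.009", "msra.exe": "T1218",
                 "wscript.exe": "T1059.005", "cscript.exe": "T1059.005"}

# Noise filter: (image, parent, command-line regex) triples seen in your own
# baseline. These two are constructed examples, not a vetted allowlist.
KNOWN_GOOD = [("rundll32.exe", "explorer.exe", r"shell32\.dll,Control_RunDLL"),
              ("cscript.exe", "svchost.exe", r"\\System32\\slmgr\.vbs")]

_FIELDS = re.compile(r"^\s*(New Process Name|Creator Process Name|"
                     r"Process Command Line):\s*(.*?)\s*$", re.M)

def parse_4688(message):
    """Pull the fields the lookup needs out of a 4688 message body."""
    return dict(_FIELDS.findall(message))

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def enrich(event):
    """Lookup/alert data for a LOLBin launch; None for any other binary."""
    image = _base(event.get("New Process Name", ""))
    if image not in LOLBIN_LOOKUP:
        return None
    parent = _base(event.get("Creator Process Name", ""))
    cmd = event.get("Process Command Line", "")
    noise = any(image == i and parent == p and re.search(rx, cmd, re.I)
                for i, p, rx in KNOWN_GOOD)
    return {"image": image, "parent": parent, "cmdline": cmd,
            "technique": LOLBIN_LOOKUP[image], "alert": not noise}

# Constructed, abbreviated 4688 message bodies (not real log data)
EVENT_SUSPECT = """A new process has been created.
\tNew Process Name:\tC:\\Windows\\System32\\wscript.exe
\tCreator Process Name:\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
\tProcess Command Line:\twscript.exe //B C:\\Users\\bob\\AppData\\Local\\Temp\\inv.vbs"""
EVENT_NOISE = """A new process has been created.
\tNew Process Name:\tC:\\Windows\\System32\\rundll32.exe
\tCreator Process Name:\tC:\\Windows\\explorer.exe
\tProcess Command Line:\t"C:\\Windows\\System32\\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl"""
```

The same join works on Sysmon Event ID 1 by mapping Image, ParentImage and CommandLine onto the three field names the parser emits.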

What about MITRE ATT&CK, do they reference these?

  1. Yes, there are several of these mentioned in MITRE ATT&CK, so map your tools to ATT&CK Techniques

Are there ways to test for these LOLs?

What else do people need to watch out for?

Other Articles:

-------------------

Casey Smith @SubTee - Red Canary

Bypassing Application Whitelisting

SHMOOCon 2015 -

SANS

DerbyCon 2016 - 

DerbyCon 2019 - 

Oddvar Moe talk on LOLBin at DerbyCon 2018

Alternate Data Streams:

Ep 011 - ARTHIR - ATT&CK Remote Threat Hunting Incident Response tool

Formerly the Brakeing Down Incident Response Podcast

Recorded Sept 2019

TOPIC: ARTHIR - ATT&CK Remote Threat Hunting Incident Response tool

OUR GUEST WILL BE:

  • Olaf Hartong, Co-Founder Falcon Force

  • @olafhartong and @FalconForceTeam

  • Blog - https://medium.com/@olafhartong

  • Github - https://github.com/olafhartong/ThreatHunting

  • Website - https://www.falconforce.nl

OUR SPONSORS:

NEWS-WORTHY:

ISO Files via EMAIL???

  • https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/

French Police take down Botnet

Over 10 billion malware attacks detected in 2018

91% Of Cyberattacks Start With A Phishing Email

  • According to a new report from PhishMe that found that 91% of cyberattacks start with a phish, the top reasons people are duped by phishing emails are curiosity (13.7%), fear (13.4%), and urgency (13.2%), followed by reward/recognition, social, entertainment, and opportunity.

GUEST Story - Dutch helped with Stuxnet

  • https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html

SITE-WORTHY:

TOOL-WORTHY:

MALWARE OF THE MONTH:

URSNif

  1. https://www.sentinelone.com/blog/ursnif-polymorphic-delivery-mechanism-explained/

  2. https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/

    1. This analysis lists the MITRE ATT&CK techniques used - very nice

  3. SentinelOne did a good write up about it

  4. Typical Word document delivery

  5. Winword calling PowerShell - Always BAD

  6. Base64 PowerShell executed - Always Bad

  7. VBScript then downloads the payload

  8. Stores it, where else, under the User directory structure

  9. Mutates on download, so you won’t find the same hash if multiple users open the document

Key Detection points

  1. AutoRuns of course, but created on shutdown like Dridex

    1. So File and Registry auditing might help catch it on shutdown and boot up… there is a Cheat Sheet for that ;-)

  2. Winword calling PowerShell

  3. PowerShell Base64 encoding

  4. Random named executable

  5. Injects into the browsers
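The parent/child and command-line detection points called out for Dridex (Ep 014), Qakbot (Ep 013) and URSNif above, written as rules over process-creation events. This is an added example, not code from the podcast or LOG-MD; the events are constructed Sysmon Event ID 1 style records, and the Base64 check decodes PowerShell's -EncodedCommand payload (UTF-16LE) to confirm it really is an encoded command rather than any long argument.

```python
# Added example, not from the podcast or LOG-MD: the Dridex, Qakbot and
# URSNif detection points as parent/child and command-line rules.
import base64
import re

# PowerShell accepts -e, -ec, -enc or -EncodedCommand followed by Base64
_ENC = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def _in_users(path):
    return path.lower().startswith("c:\\users\\")

def decode_encoded_command(cmd):
    """Decode an -EncodedCommand payload (Base64 of UTF-16LE); None if absent/invalid."""
    m = _ENC.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def check_event(ev):
    """Return the detection points a process-creation event matches."""
    name, pname = _name(ev["Image"]), _name(ev["ParentImage"])
    cmd, hits = ev.get("CommandLine", ""), []
    if pname == "rundll32.exe" and name == "rundll32.exe" and "\\syswow64\\" in ev["Image"].lower():
        hits.append("dridex: rundll32 -> SysWow64\\rundll32")   # parent/child chain
    if name == "explorer.exe" and _in_users(ev["ParentImage"]):
        hits.append("qakbot: explorer.exe parent in C:\\Users")  # never legitimate
    if name == "schtasks.exe" and _in_users(ev["ParentImage"]):
        hits.append("qakbot: scheduled task from C:\\Users binary")
    if pname == "winword.exe" and name == "powershell.exe":
        hits.append("ursnif: winword -> powershell")             # always bad
    if name == "powershell.exe" and decode_encoded_command(cmd) is not None:
        hits.append("ursnif: base64 encoded powershell")         # always bad
    return hits

# Constructed sample events (not real telemetry)
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\SysWOW64\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll,Start"},
    {"Image": "C:\\Windows\\SysWOW64\\explorer.exe",
     "ParentImage": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\kqzd\\abc.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe"},  # benign
]
```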

PREVENTION

  1. Scan email attachments

  2. Block Macro execution

  3. Application Whitelist Users directory

  4. Lock down PowerShell

  5. EDR

TOPIC OF THE DAY:

ARTHIR - ATT&CK Remote Threat Hunting Incident Response Tool

What is the problem ARTHIR is trying to solve?

  1. It started as a way to run LOG-MD remotely and get back the reports without using an enterprise type solution.

  2. How do you run one or more of your favorite tools remotely against a system and get back the results?

  3. During Incident Response this is an easy tweak to GPO to get it enabled on all machines, nothing to purchase, you already have it

  4. It’s FREEEEeeeeeeee

What project was this forked from?

What improvements were added to make it ARTHIR?

  1. Notes for MITRE ATT&CK Technique IDs

  2. Scheduled task creation on remote systems running PS v2 thru v6

  3. Push a binary to a folder other than the Kansa default C:\Windows

  4. Cleanup module to delete the stuff you run, leave no trace

  5. Run any binary tool you want and get back the native reports

  6. Of course all the old Kansa capabilities

  7. It is fairly easy to use

Why did you take this on and how did you solve the shortcomings of Kansa?

  1. Shout-out to Olaf Hartong and Josh Ricard for their parts in this

    1. Olaf on the report retrieval

    2. Josh on the Schedule Task portion

  2. Get back reports of utility or tool, in our case LOG-MD

  3. Kansa only pulls back PowerShell console output

  4. ARTHIR can do PS console as Kansa did, or the native reports in the native format of the tool, and Kansa is no longer supported by the creator.

What are the requirements for someone wanting to use ARTHIR in a domain and no domain?

  1. Windows Remote Management or WinRM, aka PowerShell Remoting, which is built into all versions of Windows 7 and later

  2. Uses the power of PowerShell v2 thru v5

  3. Domain creds for Domain

  4. Local creds with Authentication being Negotiate for non-domain

What are some use cases for ARTHIR?

  1. Incident Response obviously

  2. Auditing

  3. Threat Hunting

  4. Configuration validation

  5. Manual tweaks, security improvements

  6. Remediation

  7. A way to schedule one or more tasks of your favorite tools, like LOG-MD

Documentation?

  1. WinRm guide

  2. And how to use info too

  3. With LOG-MD Professional you get a more detailed guide and all the modules for all the features of LOG-MD Professional; Consulting ships with LOG-MD Pro

Where do people get it?

  1. You can find ARTHIR HERE:

  2. Try it

  3. Contribute

  4. And MAP things to MITRE ATT&CK

Other Articles:

-------------------

Original Kansa Project