
In search of unique behaviour

122 views

Published on

Presented by Ioan Iacob and Marius Bucur at DefCamp #9 in Bucharest, Romania, on November 8-9, 2018.

The videos and other presentations can be found on https://def.camp/archive

Published in: Technology

In search of unique behaviour

  1. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. IN SEARCH OF UNIQUE BEHAVIOUR MARIUS BUCUR & IOAN IACOB 2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  2. MARIUS BUCUR ● Threat Hunter at CrowdStrike ● 7y+ in the IT industry ● last 4y in IT security at CrowdStrike and Avira ● Food and travel enthusiast
  3. IOAN IACOB ● Threat Analyst at CrowdStrike ● 5 years in IT security ● CrowdStrike and Avira ● RE & DFIR enthusiast ● CTF player
  4. AGENDA ● What we do ● Odd infection techniques ● Quirky, but legitimate behavior ● Q & A
  5. WHAT WE DO ● Malware hunting ● Reverse engineering ● Write detections
  6. MALWARE HUNTING ● Hunting with YARA rules in MalQuery ● OverWatch patterns in Harrier ● VT queries and other OSINT ● Finding infection vectors ● Kill chain ● Search infections
  7. OVERWATCH PATTERNS ● Very generic patterns: ○ e.g. "net use", wmic and http ... ● Used mostly in hunting for sophisticated attacks ● A red flag is raised once 3 or more patterns are found on one host
  8. REVERSE ENGINEERING ● Focus on events not seen in conventional tools ○ Process injection ○ Call-stack analysis ○ RPC and WMI ○ PrivEsc and credential dumping ○ Exploitation techniques (DEP/ASLR bypass, heap spray, etc.) ● Find similar samples using MalQuery
  9. MALWARE EXAMPLES 1. MalDoc abuses MSIExec that drops signed Delphi malware 2. WMI abused to inject .NET binary in legit process (#Squiblytwo) 3. Excel sheet and steganography
  10. EXAMPLE 1 MalDoc abuses MSIExec that drops signed Delphi malware
  11. EXAMPLE 1 § Word document found ITW § "Industry standard" social engineering message
  12. EXAMPLE 1
  13. EXAMPLE 1
  14. EXAMPLE 1
  15. EXAMPLE 1
  16. EXAMPLE 1
  17. EXAMPLE 2 WMI abused to inject .NET binary in legit process #Squiblytwo "Fileless malware"
  18. EXAMPLE 2
  19. EXAMPLE 3 Excel sheet and steganography
  20. EXAMPLE 3 § Excel sheet seen ITW § Typical infection vector with macro
  21. EXAMPLE 3
  22. EXAMPLE 3
  23. EXAMPLE 3
  24. EXAMPLE 3
  25. EXAMPLE 3
  26. EXAMPLE 3
  27. EXAMPLE 3
  28. EXAMPLE 3
  29. EXAMPLE 3
  30. EXAMPLE 3
  31. WRITE DETECTION RULES ● Call-stack analysis ● Process injection ● RPC ● Process trees ● Script control ● Credential dumping ● PrivEsc ● ...
  32. LAST STEP § Created detections: § IOAs for the 1st and 3rd example § Injection flags for the 2nd example
  33. BUT YOU ALSO SEE THIS § Winlogon in a non-standard location § Crazy PowerShell one-liners § Legit .doc|xls|pdf.exe received in emails JUST BECAUSE YOU CAN, DOESN'T MEAN YOU SHOULD!!!
  34. IS THIS MALICIOUS?
  35. IS THIS MALICIOUS? § Clean document received via email § Runs a PowerShell script from a shared drive
  36. IS THIS MALICIOUS? ● Add more examples
  37. CLOSING REMARKS ● Productivity apps are still used as initial infection vectors ● Quirky infection techniques are seen more often (WMI included) ● We can't just blacklist everything and hope for the best ● Adversaries try to migrate to fileless malware, but still write binaries to disk
  38. Q & A
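Slide 7 describes the OverWatch pattern approach: very generic patterns ("net use", wmic, http) that are individually noisy, with a red flag raised only once three or more of them fire on a single host. As an added example that is not part of the talk or of CrowdStrike's tooling, the Python below applies that per-host correlation rule to constructed process events; the pattern names, regular expressions, hostnames and command lines are all assumptions made up for this demonstration.

```python
import re
from collections import defaultdict

# Generic patterns in the spirit of slide 7. The names and regexes are
# constructed for this example, not CrowdStrike's actual pattern definitions.
PATTERNS = {
    "net use": re.compile(r"\bnet(?:\.exe)?\s+use\b", re.IGNORECASE),
    "wmic":    re.compile(r"\bwmic(?:\.exe)?\b", re.IGNORECASE),
    "http":    re.compile(r"\bhttps?://", re.IGNORECASE),
}


def match_patterns(cmdline):
    """Return the set of pattern names that fire on one process command line."""
    return {name for name, rx in PATTERNS.items() if rx.search(cmdline)}


def flag_hosts(events, threshold=3):
    """Correlate pattern hits per host and return only the hosts to red-flag.

    events: iterable of (host, cmdline) tuples.
    Returns {host: sorted list of distinct pattern names} for hosts where at
    least `threshold` *distinct* patterns fired. Repeated hits of the same
    pattern do not add up, so a host that simply maps drives with 'net use'
    many times is not flagged on its own.
    """
    hits = defaultdict(set)
    for host, cmdline in events:
        hits[host] |= match_patterns(cmdline)
    return {h: sorted(p) for h, p in hits.items() if len(p) >= threshold}


# Constructed sample process events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-01", r"net use Z: \\fs01\share /persistent:no"),
    ("WS-01", "wmic os get caption"),
    ("WS-01", "powershell -c Invoke-WebRequest http://intranet.example/update.txt"),
    ("WS-02", r"net use Y: \\fs01\backup"),
    ("WS-02", r"net use X: \\fs02\archive"),
    ("WS-03", "WMIC.exe product get name"),
    ("WS-03", "curl https://updates.example/manifest.json"),
]

if __name__ == "__main__":
    # Only WS-01 reaches three distinct patterns; WS-02 and WS-03 stay quiet.
    for host, pats in flag_hosts(SAMPLE_EVENTS).items():
        print(f"red flag: {host} matched {len(pats)} patterns: {', '.join(pats)}")
```

Lowering the threshold shows why the talk sets it at three: at two, WS-03's routine inventory query plus an HTTPS download would already be flagged.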
