Email is the #1 way we get pwned, so how do they keep getting by our defenses and what can you do about it?
Michael Gough – Founder
MalwareArchaeology.com
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
• Creator of
– “Windows Logging Cheat Sheet”
– “Windows File Auditing Cheat Sheet”
– “Windows Registry Auditing Cheat Sheet”
– “Windows PowerShell Logging Cheat Sheet”
– “Windows Splunk Logging Cheat Sheet”
– “Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane also my Blog
The Problem or Challenge We all Face
Email is #1
• Phishing IS our worst enemy
Ransomware
What we see in email
• Attachments
– .js, .jse, .wsf, .wsh, .hte, .lnk, PS1, CMD, BAT, .vbs, .vbe, etc.
– PDF, Word, Excel, etc.
• URLs
– Click HERE to see more
– Then downloads the above file formats
– Or sends you to a credential stealer webpage
• Encrypted emails
– Same as above but protected with a password to bypass ALL security controls
So what can we do?
Don’t Panic
Why it Works
Understand WHY it works
• Email gateways do not block enough or anything
• Exchange and Outlook controls are seldom used
• Don’t forget users check personal email (Gmail, Yahoo, etc.)
• Yeah, executables are not allowed (.EXE)
• We do NOT do enough here and we should
• It’s FREE, your email gateway and Exchange server already have the ability
• Even Outlook has rules that can be enabled
Outlook Rules
• You REALLY need to enable these
• https://support.office.com/en-us/article/Blocked-attachments-in-Outlook-3811cddc-17c3-4279-a30c-060ba0207372
• Do it on your gateway !!!
• Drop these PLEEEASE
RansomWare/Malware
• Most malware/ransomware comes in via email attachments
• Some by drive-by surfing
• Most infections are because users double-click the attachment
• Dropping these will result in 90%+ reduction
• Do whatever you can to reduce these at the email gateway or server
If we drop these, What is left?
• Encrypted messages
• Attachments with URLs
• These will get by as ALL security solutions can’t inspect encrypted emails (It’s Haaaarrrrd)
• Attachments with no malicious content also pass, URLs are generally not bad… yet new campaigns
• They use Cloud Storage too
• Users download and Double-Click
What Gets By
What gets by
• Documents that have URLs that have the user download the file that would have been dropped if it were an attachment
• Encrypted Word/Office Docs that have Macros or OLE objects that are scripts
– We see a LOT of these
• If the file type gets by in this way, then we have to address what happens when a user double-clicks
Block Macros !!!
Block Macros !!!
• For corporate users – Office 2013 or 2016 required
Or tweak the registry
Office 2016
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security
– In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1
Office 2013
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\word\security
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\excel\security
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\powerpoint\security
– In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1
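As an added example (not from the deck), PowerShell that applies the six values above and reads each one back so the change can be verified; it assumes it is run as the user whose Office profile you want to harden, since the keys are under HKCU.

```powershell
# Added example, not from the deck: apply "blockcontentexecutionfrominternet"
# for Word, Excel and PowerPoint in Office 2013 (15.0) and 2016 (16.0) under
# HKCU, then read every value back. Run it as the user being hardened.

$officeVersions = @('15.0', '16.0')             # Office 2013, Office 2016
$officeApps     = @('word', 'excel', 'powerpoint')
$valueName      = 'blockcontentexecutionfrominternet'

function Get-OfficeSecurityPolicyKey {
    param([string]$Version, [string]$App)
    "HKCU:\SOFTWARE\Policies\Microsoft\office\$Version\$App\security"
}

function Set-OfficeInternetContentBlock {
    # Creates the policy key when absent (Policies keys only exist once a
    # policy has been written) and sets the DWORD to 1.
    param([string[]]$Versions = $officeVersions, [string[]]$Apps = $officeApps)
    foreach ($ver in $Versions) {
        foreach ($app in $Apps) {
            $key = Get-OfficeSecurityPolicyKey -Version $ver -App $app
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Get-OfficeInternetContentBlock {
    # One row per version/app; Blocked is $true only when the value exists and is 1.
    param([string[]]$Versions = $officeVersions, [string[]]$Apps = $officeApps)
    foreach ($ver in $Versions) {
        foreach ($app in $Apps) {
            $key  = Get-OfficeSecurityPolicyKey -Version $ver -App $app
            $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Version = $ver
                App     = $app
                Key     = $key
                Blocked = ($null -ne $item -and $item.$valueName -eq 1)
            }
        }
    }
}

Set-OfficeInternetContentBlock
Get-OfficeInternetContentBlock | Format-Table Version, App, Blocked -AutoSize
```

The same values can be pushed machine-wide through Group Policy (the Office Administrative Templates carry the setting); the script is for hosts where you want to apply and check it directly.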
#WINNING
• After adding these tweaks you will see this when you try and enable a macro and/or content
• You can unblock if truly needed and trusted
There is More Than Macros
More than Macros
• Macros account for a lot, but malwarians are morphing and evolving
• We blocked more than 6000 emails between June and Dec 2016
• They have moved to encrypted documents
• They have moved to documents with URLs
• They have moved to using Cloud Storage to retrieve documents
Why it Works
Understand WHY it works
• Windows is SOoooooo broken
• The malwarians are taking advantage of the default configuration of Windows
• What happens when you Double-Click is the enemy
• Users have been trained to just double-click
So how does it work?
• Double-Clicking by users
• Yeah, Yeah, Yeah… User awareness training
– It won’t be enough
• How about this…
• Change what happens when users Double-Click a suspect file type
• There’s a thought…
Deny the Double-Click
Deny the Double-Click
• Windows allows by default the execution of a file type by double-clicking and launching the execution program (Booooooo)
• So how about changing the dangerous file types that launch the interpreters to launching a simple editor?
• Yup, NOTEPAD to the rescue !!!!!
• Finally a good use for Notepad
Deny the Double-Click
• This will NOT break the way these file types normally work.
• Cscript ‘Logon.vbs’ will work fine
• Double-Clicking ‘logon.vbs’ will just open Notepad
• You WILL need to convince IT, they are kind of lame due to FUD and lack of experience
• Prove it by showing it work !
Default Programs
File Type
Change to Notepad
• Change ANYTHING that can execute a script to open to Notepad
Windows Based Script Host
• Get rid of it, they use it to execute malware
• Consider .vbe, .vbs, .ps1 and .ps1xml too, but this is used in corporate environments
• This only affects double-clicking the file, not using the file properly (cscript Good_file.vbs)
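An added example, not from the deck, of the "Deny the Double-Click" change done in PowerShell rather than through the Default Programs dialog: it retargets the double-click handler of the script types named above to Notepad and audits the result. The extension-to-ProgID map (JSFile, VBSFile, ...) is the Windows default and the HKLM\SOFTWARE\Classes location is an assumption that holds unless a per-user default has been chosen, which the audit reports.

```powershell
# Added example, not from the deck. Explorer resolves .js -> ProgID (JSFile)
# -> HKCR\JSFile\shell\open\command; HKCR is backed by HKLM\SOFTWARE\Classes,
# so run this elevated. cscript.exe / wscript.exe started on a file by name
# never read this key, which is why logon scripts keep working.
# The map below is the Windows default; confirm with `cmd /c assoc .js`.

$scriptProgIds = [ordered]@{
    '.js'  = 'JSFile'
    '.jse' = 'JSEFile'
    '.vbs' = 'VBSFile'
    '.vbe' = 'VBEFile'
    '.wsf' = 'WSFFile'
    '.wsh' = 'WSHFile'
}
$notepadCommand = '"%SystemRoot%\system32\notepad.exe" "%1"'

function Get-DoubleClickHandler {
    # One row per extension: the command Explorer runs, plus any per-user
    # override (Default Programs writes a UserChoice key that wins over HKCR).
    param([System.Collections.IDictionary]$Map = $scriptProgIds)
    foreach ($ext in $Map.Keys) {
        $progId   = $Map[$ext]
        $cmdKey   = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
        $command  = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        $userKey  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
        $override = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).ProgId
        [pscustomobject]@{
            Extension      = $ext
            ProgId         = $progId
            Command        = $command
            UserOverride   = $override
            OpensInNotepad = ($null -ne $command -and $command -match 'notepad\.exe' -and -not $override)
        }
    }
}

function Set-DoubleClickToNotepad {
    # Replaces the open verb's command for each ProgID with Notepad.
    param([System.Collections.IDictionary]$Map = $scriptProgIds)
    foreach ($ext in $Map.Keys) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$($Map[$ext])\shell\open\command"
        if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
        # REG_EXPAND_SZ so %SystemRoot% is expanded when the shell launches it.
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepadCommand -Type ExpandString
    }
}

Get-DoubleClickHandler | Format-Table -AutoSize    # before
Set-DoubleClickToNotepad
Get-DoubleClickHandler | Format-Table -AutoSize    # after
```

Run the audit function on its own first: a populated UserOverride column means the user's own choice, not HKCR, decides what a double-click launches on that machine.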
So what happens?
• Users will open files that have been blocked, but got by either via an encrypted email or a URL in an email or attachment
• The user then downloads the malicious file type and double-clicks it… If it is one of the types that you have changed the File Association for, the malware script will FAIL !!!
• #WINNING
Now What Can Get By?
What can still get by?
• Binaries (MZ, 4D5A, EXE)
• Yup, documents or emails that have URLs to a website or cloud storage will be allowed
• Browsers are doing a pretty good job of blocking .EXE downloads, or at least warning you
• The malwarians will use ZIP or 7Zip, Doc, or PDF files with or without passwords to get by the browser controls
What can still get by?
• If a user gets an .EXE, then everything we have discussed thus far will not work, you can do:
– Application Whitelisting - Complicated
– Detect it and Respond – Logging and people
– Next Gen Endpoint protection - $$$$
• Maybe User Awareness can help as you can now focus the training since all the other ways they get in have been dealt with
Whitelisting
Software Restriction Policies
• Block all executions from “C:\Users\*”
• Block all USB executions from “E:\*”
Software Restriction Policies
• If you set to block like I do, then when you try to launch, install, or an update runs, it will fail
• Generates an Event ID 866 in the Application Log
• Copy the path that failed and create an exception if good and approved
• Be careful of over trusting generic paths
• Use a * to genericize an entry C:\Users\*
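Added example, not from the deck: PowerShell that collects the Event ID 866 entries described above and ranks the blocked paths, so that exceptions are built from evidence rather than from one user's complaint. The provider name and the message wording the regex relies on are assumptions taken from a stock client; check both against an actual 866 event on your build.

```powershell
# Added example, not from the deck: triage Software Restriction Policy blocks
# (Event ID 866, Application log) and group them by blocked path.
# Assumed: provider 'Microsoft-Windows-SoftwareRestrictionPolicies' and a
# message of the form "Access to <path> has been restricted by your
# Administrator by location with policy rule {guid} placed on path <rule>."

function Get-SrpBlockedPaths {
    param(
        [int]$Days = 7,
        [string]$ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        Id           = 866
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Access to (?<path>.+?) has been restricted') {
                [pscustomobject]@{
                    Time = $_.TimeCreated
                    User = $_.UserId        # SID of the account that tried to run it
                    Path = $Matches.path
                    Rule = if ($_.Message -match 'placed on path (?<rule>.+?)\.?\s*$') { $Matches.rule } else { $null }
                }
            }
        }
}

function Get-SrpExceptionCandidates {
    # Repeated hits on the same path (an updater, an installer IT pushed) are
    # exception candidates; a one-off under a user's %TEMP% is what the rule
    # was there to stop. Use the full path, not a wildcard, for the exception.
    param([int]$Days = 7)
    Get-SrpBlockedPaths -Days $Days |
        Group-Object Path |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Hits     = $_.Count
                Users    = @($_.Group.User | Sort-Object -Unique).Count
                LastSeen = ($_.Group.Time | Sort-Object -Descending | Select-Object -First 1)
                Path     = $_.Name
            }
        }
}

Get-SrpExceptionCandidates -Days 7 | Format-Table -AutoSize
```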
AppLocker
• ONLY works in Windows Enterprise versions
• Screw you Microsoft ;-(
• Has an Audit only mode (IDS) so can detect what would be blocked to allow you to tweak the policy before enforcing
• It does Dlls
• And it does Scripts
User Awareness
User Awareness
Teach them two things, and only 2 things
1. Don’t open emails that have encrypted attachments AND have the password in the body AND contain a few words and not descriptive
2. Don’t launch ANY .EXE files that you download from sources via email and links in emails or documents – EVER!
Watch Incoming Email
Alert on encrypted emails
• You heard me
• Setup an email alert to copy your InfoSec team on encrypted emails with attachments of:
– Word
– Excel
– PDF
• Filter out the known good senders
• You will see campaigns coming in
• Tweak to prepend the subject with “Suspicious Email” once you have made all your adjustments
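As an added example (not from the deck), the alert above expressed as an Exchange transport rule from the Exchange Management Shell; it assumes Exchange 2013 or later, where the AttachmentIsPasswordProtected predicate exists, and the mailbox and sender addresses are placeholders.

```powershell
# Added example, not from the deck: copy InfoSec on inbound mail with a
# password-protected Word/Excel/PDF attachment, skip known-good senders, and
# (once tuned) tag the subject. Assumes Exchange 2013+ and the Exchange
# Management Shell; addresses below are placeholders.

$infoSecMailbox   = 'infosec-alerts@corp.example'                       # placeholder
$knownGoodSenders = @('payroll@corp.example', 'statements@bank.example') # placeholder

function New-EncryptedAttachmentAlertRule {
    param(
        [string]$Name = 'InfoSec - encrypted Office/PDF attachment from outside',
        [string]$CopyTo = $infoSecMailbox,
        [string[]]$ExceptSenders = $knownGoodSenders,
        [switch]$TagSubject       # leave off while tuning, turn on when the noise is gone
    )
    $params = @{
        Name                            = $Name
        FromScope                       = 'NotInOrganization'   # only mail from outside
        AttachmentIsPasswordProtected   = $true
        # Extensions are listed without the dot. Exchange's password detection
        # covers Office formats reliably; confirm PDF coverage on your version
        # by sending yourself a test message before trusting the rule for it.
        AttachmentExtensionMatchesWords = @('doc', 'docx', 'docm', 'xls', 'xlsx', 'xlsm', 'pdf')
        BlindCopyTo                     = $CopyTo
        Mode                            = 'Enforce'
    }
    if ($ExceptSenders) { $params['ExceptIfFrom']   = $ExceptSenders }
    if ($TagSubject)    { $params['PrependSubject'] = 'Suspicious Email: ' }
    New-TransportRule @params
}

# First pass: copy InfoSec only. Re-run with -TagSubject after the allow-list is tuned.
New-EncryptedAttachmentAlertRule
```

Conditions on a transport rule are ANDed, so the rule fires only for external mail whose attachment is both password-protected and one of the listed types.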
Malware/Ransomware Prevented
• If you do these simple things, which are all FREE, you will curb malware/ransomware infections by 90-95% or more
• This does not address malicious binaries .EXE files or .DLL files
• Whitelisting with Software Restriction Policies or AppLocker will be needed for this
What do we do with the attachments we receive?
Evaluate them
• Splunk alerts looking at:
– Same sender, multiple subjects or attachment names
– Different senders same subject or attachment name
– Encrypted Doc and XLS files
• Detonate them in a malware lab
• Obtain the artifacts to see who else might have opened the ones that got through
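Added example, not from the deck: the three alert conditions above implemented in PowerShell over a constructed sample of gateway-log rows, so the logic can be checked offline before it is written as a Splunk search. The column names (sender, subject, attachment, encrypted) and the sample rows are assumptions; map them onto what your gateway actually logs.

```powershell
# Added example, not from the deck: campaign detection over a constructed
# gateway-log sample. Every row below is made up for the demonstration.

$sampleLog = @'
time,sender,subject,attachment,encrypted
2016-11-01T08:01:00,billing@invoices.example,Invoice 1123,inv_1123.doc,true
2016-11-01T08:02:00,billing@invoices.example,Your order,order_88.doc,true
2016-11-01T08:03:00,billing@invoices.example,Payment due,pay_2.xls,true
2016-11-01T08:05:00,a.smith@partner.example,Scan from MFP,scan_0042.js,false
2016-11-01T08:06:00,j.doe@shop.example,Scan from MFP,scan_0077.js,false
2016-11-01T08:07:00,k.lee@school.example,Scan from MFP,scan_0101.js,false
2016-11-01T09:00:00,payroll@corp.example,Benefits enrollment,benefits.xlsx,true
'@
$rows = $sampleLog | ConvertFrom-Csv
$knownGoodSenders = @('payroll@corp.example')   # placeholder allow-list

function Find-SameSenderManySubjects {
    # One sender, several subjects or attachment names: a campaign rotating lures.
    param($Rows, [int]$Threshold = 3)
    $Rows | Group-Object sender | Where-Object {
        @($_.Group.subject    | Sort-Object -Unique).Count -ge $Threshold -or
        @($_.Group.attachment | Sort-Object -Unique).Count -ge $Threshold
    } | ForEach-Object { $_.Name }
}

function Find-ManySendersSameSubject {
    # Several senders, one subject or attachment name: a campaign rotating senders.
    param($Rows, [int]$Threshold = 3)
    $bySubject    = @($Rows | Group-Object subject)
    $byAttachment = @($Rows | Group-Object attachment)
    ($bySubject + $byAttachment) | Where-Object {
        @($_.Group.sender | Sort-Object -Unique).Count -ge $Threshold
    } | ForEach-Object { $_.Name }
}

function Find-EncryptedOfficeAttachments {
    # Password-protected Word/Excel files from anyone not on the allow-list.
    param($Rows, [string[]]$KnownGood = $knownGoodSenders)
    $Rows | Where-Object {
        $_.encrypted -eq 'true' -and
        $_.attachment -match '\.(doc|docx|docm|xls|xlsx|xlsm)$' -and
        $KnownGood -notcontains $_.sender
    }
}

'Senders rotating lures:';   Find-SameSenderManySubjects $rows
'Lures rotating senders:';   Find-ManySendersSameSubject $rows
'Encrypted Office files:';   Find-EncryptedOfficeAttachments $rows | Format-Table time, sender, attachment
```

The thresholds are deliberately parameters: tune them on a week of real gateway data before turning the equivalent Splunk searches into alerts.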
What do we use to quickly evaluate the malware?
• The Log and Malicious Discovery tool
• Audits your system and produces a report
• Also shows failed items on the console
• Helps you configure proper audit logging
• ALL VERSIONS OF WINDOWS (Win 7 & up)
• Helps you enable what is valuable
• Compares to many industry standards
• CIS, USGCB and AU standards and “Windows Logging Cheat Sheet”
Free Edition
• Collect 1-7 days of logs
• Over 20 reports
• Full filesystem Hash Baseline
• Full filesystem compare to Hash Baseline
• Full system Registry Baseline
• Full system compare to Registry Baseline
• Large Registry Key discovery
• Over 25 reports
• Interesting Artifacts report
• WhoIS resolution of IPs
• SRUM (netflow from/to a binary)
• AutoRuns report with whitelist and Master Digest exclusions
• List of Locked files
• More Whitelisting
• Master-Digest to exclude hashes and files
Resources
• Websites
– MalwareArchaeology.com
– Log-MD.com The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
Questions?
• You can find us at:
• @HackerHurricane
• @Boettcherpwned
• Log-MD.com
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• http://www.slideshare.net

Email keeps getting us pwned v1.1

11. Outlook Rules
• You REALLY need to enable these
• https://support.office.com/en-us/article/Blocked-attachments-in-Outlook-3811cddc-17c3-4279-a30c-060ba0207372
• Do it on your gateway !!!
• Drop these PLEEEASE

12. RansomWare/Malware
• Most malware/ransomware comes in via email attachments
• Some by drive-by surfing
• Most infections are because users double-click the attachment
• Dropping these will result in 90%+ reduction
• Do whatever you can to reduce these at the email gateway or server

13. If we drop these, what is left?
• Encrypted messages
• Attachments with URL’s
• These will get by, as ALL security solutions can’t inspect encrypted emails (It’s Haaaarrrrd)
• Attachments with no malicious content also pass, URL’s are generally not bad.. Yet
• New campaigns
– They use Cloud Storage too
• Users download and Double-Click

15. What gets by
• Documents that have URL’s that have the user download the file that would have been dropped if it were an attachment
• Encrypted Word/Office Docs that have Macros or OLE objects that are scripts
– We see a LOT of these
• If the file type gets by in this way, then we have to address what happens when a user double-clicks

17. Block Macros !!!
• For corporate users
– Office 2013 or 2016 required

18. Or tweak the registry
Office 2016
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security
– In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1
Office 2013
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\word\security
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\excel\security
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\powerpoint\security
– In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1

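Added example, not from the deck: a PowerShell logon-script version of the six registry tweaks above, which writes blockcontentexecutionfrominternet = 1 under each key and then reads every value back so the rollout can be audited. It assumes the paths and value name exactly as listed on the slide and runs in the user's context because the keys live under HKCU.

```powershell
# Added example: apply the slide's macro-blocking policy for Office 2013 (15.0)
# and Office 2016 (16.0), then verify it. Runs as the logged-on user because
# the policy keys live under HKCU.
$versions  = '15.0', '16.0'                 # Office 2013, Office 2016
$apps      = 'word', 'excel', 'powerpoint'
$valueName = 'blockcontentexecutionfrominternet'

function Set-MacroBlockPolicy {
    foreach ($v in $versions) {
        foreach ($app in $apps) {
            $key = "HKCU:\SOFTWARE\Policies\Microsoft\office\$v\$app\security"
            # Policy keys do not exist until something writes them, so create the path
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # -Force overwrites an existing value (e.g. one a user reset to 0)
            New-ItemProperty -Path $key -Name $valueName -PropertyType DWord `
                -Value 1 -Force | Out-Null
        }
    }
}

function Test-MacroBlockPolicy {
    # One row per key with the effective value (or 'missing'), so a GPO or
    # logon-script deployment can be checked after the fact.
    foreach ($v in $versions) {
        foreach ($app in $apps) {
            $key     = "HKCU:\SOFTWARE\Policies\Microsoft\office\$v\$app\security"
            $current = (Get-ItemProperty -Path $key -Name $valueName `
                            -ErrorAction SilentlyContinue).$valueName
            $shown   = if ($null -eq $current) { 'missing' } else { $current }
            [pscustomobject]@{
                Key     = $key
                Value   = $shown
                Blocked = ($current -eq 1)   # $true only when the policy is in force
            }
        }
    }
}

Set-MacroBlockPolicy
Test-MacroBlockPolicy | Format-Table -AutoSize
```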
19. #WINNING
• After adding these tweaks you will see this when you try and enable a macro and/or content
• You can unblock if truly needed and trusted

20. There is More Than Macros

21. More than Macros
• Macros account for a lot, but malwarians are morphing and evolving
• We blocked more than 6000 emails between June and Dec 2016
• They have moved to encrypted documents
• They have moved to documents with URL’s
• They have moved to using Cloud Storage to retrieve documents

23. Understand WHY it works
• Windows is SOoooooo broken
• The malwarians are taking advantage of the default configuration of Windows
• What happens when you Double-Click is the enemy
• Users have been trained to just double-click

24. So how does it work?
• Double-Clicking by users
• Yeah, Yeah, Yeah… User awareness training
– It won’t be enough
• How about this…
• Change what happens when users Double-Click a suspect file type
• There’s a thought…

26. Deny the Double-Click
• Windows allows by default the execution of a file type by double-clicking and launching the execution program (Booooooo)
• So how about changing the dangerous file types that launch the interpreters to launching a simple editor?
• Yup, NOTEPAD to the rescue !!!!!
• Finally a good use for Notepad

27. Deny the Double-Click
• This will NOT break the way these file types normally work.
• Cscript ‘Logon.vbs’ will work fine
• Double-Clicking ‘logon.vbs’ will just open Notepad
• You WILL need to convince IT, they are kind of lame due to FUD and lack of experience
• Prove it by showing it working !

30. Change to Notepad
• Change ANYTHING that can execute a script to open to Notepad

31. Windows Based Script Host
• Get rid of it, they use it to execute malware
• Consider .vbe, .vbs, .ps1 and .ps1xml too, but this is used in corporate environments
• This only affects double-clicking the file, not using the file properly (cscript Good_file.vbs)

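Added example, not from the deck: a PowerShell script that repoints the double-click ("Open") verb of the Windows Script Host file types to Notepad, keeps a backup of the original interpreter command so IT can roll it back, and audits what a double-click would launch. It assumes the standard WSH ProgIDs under HKLM\SOFTWARE\Classes (VBSFile, VBEFile, JSFile, JSEFile, WSFFile, WSHFile) and an elevated prompt; the backup value name is one made up here.

```powershell
# Added example: redirect the double-click (Open) verb for WSH script types to
# Notepad. cscript.exe / wscript.exe invoked explicitly never consult this verb,
# so logon scripts keep working. Needs an elevated prompt (writes to HKLM).
$scriptProgIds = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile', 'WSHFile'
$notepadCmd    = 'notepad.exe "%1"'          # notepad is on PATH, no REG_EXPAND_SZ needed
$backupName    = 'OriginalCommand_Backup'    # constructed name for our backup value

function Set-ScriptOpenToNotepad {
    foreach ($progId in $scriptProgIds) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (-not (Test-Path $cmdKey)) { Write-Warning "$progId not registered, skipping"; continue }
        $item    = Get-ItemProperty -Path $cmdKey
        $current = $item.'(default)'         # e.g. WScript.exe "%1" %* (env vars expanded)
        # Save the interpreter command once; never overwrite an existing backup
        if (-not $item.PSObject.Properties[$backupName]) {
            New-ItemProperty -Path $cmdKey -Name $backupName -PropertyType String `
                -Value $current | Out-Null
        }
        Set-ItemProperty -Path $cmdKey -Name '(Default)' -Value $notepadCmd
    }
}

function Restore-ScriptOpenCommand {
    # Rollback: put the saved interpreter command back and drop the backup value
    foreach ($progId in $scriptProgIds) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        $item   = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties[$backupName]) {
            Set-ItemProperty -Path $cmdKey -Name '(Default)' -Value $item.$backupName
            Remove-ItemProperty -Path $cmdKey -Name $backupName
        }
    }
}

function Get-ScriptOpenCommand {
    # Audit: what would a double-click launch right now for each script type?
    foreach ($progId in $scriptProgIds) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        [pscustomobject]@{
            ProgId  = $progId
            Command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        }
    }
}

Set-ScriptOpenToNotepad
Get-ScriptOpenCommand | Format-Table -AutoSize
```

A per-user override in HKCU\Software\Classes or an explicit "Open with" choice can still win over the HKLM ProgID, so run the audit function on a few representative workstations rather than trusting the write alone.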
32. So what happens?
• Users will open files that have been blocked, but got by either via an encrypted email or a URL in an email or attachment
• The user then downloads the malicious file type and double-clicks it… If it is one of the types that you have changed the File Association for, the malware script will FAIL !!!
• #WINNING

33. Now What Can Get By?

34. What can still get by?
• Binaries (MZ, 4D5A, EXE)
• Yup, documents or emails that have URL’s to a website or cloud storage will be allowed
• Browsers are doing a pretty good job of blocking .EXE downloads, or at least warning you
• The malwarians will use ZIP or 7Zip, Doc, or PDF files with or without passwords to get by the browser controls

35. What can still get by?
• If a user gets an .EXE, then everything we have discussed thus far will not work, you can do:
– Application Whitelisting - Complicated
– Detect it and Respond – Logging and people
– Next Gen Endpoint protection - $$$$
• Maybe User Awareness can help as you can now focus the training since all the other ways they get in have been dealt with

37. Software Restriction Policies
• Block all executions from “C:\Users\*”
• Block all USB executions from “E:\*”

38. Software Restriction Policies
• If you set to block like I do, then when you try to launch, install, or an update runs, it will fail
• Generates an Event ID 866 in the Application Log
• Copy the path that failed and create an exception if good and approved
• Be careful of over trusting generic paths
• Use a * to genericize an entry C:\Users\*

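Added example, not from the deck: a PowerShell helper that pulls the Event ID 866 SRP block events from the Application log, extracts the path that was refused, and groups the hits by folder so approved software gets one narrow path-rule exception rather than a wildcard. It assumes the event message opens with "Access to <path> has been restricted", which is the wording of the Microsoft-Windows-SoftwareRestrictionPolicies provider's 866 event.

```powershell
# Added example: collect SRP block events (Event ID 866, Application log) and
# summarise the blocked paths so known-good ones can become path-rule exceptions.
# Assumption: the message text begins "Access to <path> has been restricted".
function Get-SrpBlockedPaths {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 866
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue          # no events in range is not an error
    foreach ($e in $events) {
        if ($e.Message -match 'Access to (?<path>.+?) has been restricted') {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                User   = $e.UserId            # SID of the account that double-clicked
                Path   = $Matches.path
                Folder = Split-Path -Path $Matches.path -Parent
            }
        }
    }
}

function Get-SrpExceptionCandidates {
    # Group by folder: an approved installer shows up as many hits under one
    # vendor directory, while a one-off file staged in a user profile stays
    # visible on its own. Exempt the specific folder, never C:\Users\*.
    Get-SrpBlockedPaths | Group-Object Folder | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Folder = $_.Name
                Hits   = $_.Count
                Files  = ($_.Group.Path | Select-Object -Unique | Split-Path -Leaf) -join ', '
            }
        }
}

Get-SrpExceptionCandidates | Format-Table -AutoSize -Wrap
```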
39. AppLocker
• ONLY works in Windows Enterprise versions
• Screw you Microsoft ;-(
• Has an Audit only mode (IDS) so it can detect what would be blocked, to allow you to tweak the policy before enforcing
• It does Dlls
• And it does Scripts

41. User Awareness
Teach them two things, and only 2 things
1. Don’t open emails that have encrypted attachments AND have the password in the body AND contain a few words and not descriptive
2. Don’t launch ANY .EXE files that you download from sources via email and links in emails or documents – EVER!

43. Alert on encrypted emails
• You heard me
• Setup an email alert to copy your InfoSec team on encrypted emails with attachments of:
– Word
– Excel
– PDF
• Filter out the known good senders
• You will see campaigns coming in
• Tweak to prepend the subject with “Suspicious Email” once you have made all your adjustments

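Added example, not from the deck: one way to build the alert above as an Exchange transport rule, BCC'ing InfoSec on inbound mail that carries a password-protected Word/Excel/PDF attachment, excepting known-good sender domains, and then adding the subject tag as a second step once the exceptions are tuned. It assumes an Exchange Management Shell or Exchange Online session and uses the New-TransportRule / Set-TransportRule cmdlets; the mailbox and domains are placeholders.

```powershell
# Added example: Exchange transport rule for the slide's "alert on encrypted
# attachments" step. Placeholders: the InfoSec mailbox and the allow-listed domains.
$infosecMailbox   = 'infosec-alerts@example.com'                 # placeholder
$knownGoodDomains = 'example-bank.com', 'payroll-vendor.example'  # placeholders
$ruleName         = 'Alert - encrypted Office/PDF attachment'

# Stage 1: copy InfoSec only. Conditions inside one rule are ANDed, so this
# fires when the attachment is password protected AND is a document/PDF.
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -AttachmentIsPasswordProtected $true `
    -AttachmentExtensionMatchesWords 'doc','docm','docx','xls','xlsm','xlsx','pdf' `
    -ExceptIfSenderDomainIs $knownGoodDomains `
    -BlindCopyTo $infosecMailbox `
    -Mode Enforce -Enabled $true

# Stage 2 (the slide's "tweak"): after the allow-list has settled, also tag the
# subject so the user sees the warning before double-clicking anything.
Set-TransportRule -Identity $ruleName -PrependSubject 'Suspicious Email: '

# Confirm what the rule matches and does before widening it further
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Conditions, Exceptions, Actions
```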
44. Malware/Ransomware Prevented
• If you do these simple things, which are all FREE, you will curb malware/ransomware infections by 90-95% or more
• This does not address malicious binaries, .EXE files or .DLL files
• Whitelisting with Software Restriction Policies or AppLocker will be needed for this

45. What do we do with the attachments we receive?

46. Evaluate them
• Splunk alerts looking at:
– Same sender, multiple subjects or attachment names
– Different senders, same subject or attachment name
– Encrypted Doc and XLS files
• Detonate them in a malware lab
• Obtain the artifacts to see who else might have opened the ones that got through

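Added example, not from the deck: the three correlations on the slide written as PowerShell functions and run over a handful of constructed message-trace records, so the logic can be checked on a workstation before it is turned into a Splunk alert. The records, sender addresses and thresholds are all made up here.

```powershell
# Added example: the slide's three Splunk-style correlations over constructed
# message-trace records. Sample data and thresholds are made up; tune the
# thresholds to your mail volume.
$trace = @(
    [pscustomobject]@{ Sender='acct@mailer.example'; Subject='Invoice 4471'; Attachment='inv_4471.docm'; Encrypted=$true  }
    [pscustomobject]@{ Sender='acct@mailer.example'; Subject='Scan 0092';    Attachment='scan0092.docm'; Encrypted=$true  }
    [pscustomobject]@{ Sender='acct@mailer.example'; Subject='Payment due';  Attachment='remit.xls';     Encrypted=$false }
    [pscustomobject]@{ Sender='ap@other.example';    Subject='Invoice 4471'; Attachment='inv_4471.docm'; Encrypted=$true  }
    [pscustomobject]@{ Sender='info@third.example';  Subject='Invoice 4471'; Attachment='inv_4471.docm'; Encrypted=$true  }
    [pscustomobject]@{ Sender='hr@example.com';      Subject='Benefits';     Attachment='benefits.pdf';  Encrypted=$false }
)

# 1. Same sender, many different subjects or attachment names (one actor rotating lures)
function Find-SenderRotatingLures([object[]]$Records, [int]$MinDistinct = 3) {
    $Records | Group-Object Sender | ForEach-Object {
        $subjects    = @($_.Group.Subject    | Select-Object -Unique)
        $attachments = @($_.Group.Attachment | Select-Object -Unique)
        if ($subjects.Count -ge $MinDistinct -or $attachments.Count -ge $MinDistinct) {
            [pscustomobject]@{ Sender=$_.Name; Subjects=$subjects.Count; Attachments=$attachments.Count }
        }
    }
}

# 2. Different senders, same subject or attachment name (one lure sprayed from many sources)
function Find-LureFromManySenders([object[]]$Records, [int]$MinSenders = 3) {
    foreach ($field in 'Subject', 'Attachment') {
        $Records | Group-Object $field | ForEach-Object {
            $senders = @($_.Group.Sender | Select-Object -Unique)
            if ($senders.Count -ge $MinSenders) {
                [pscustomobject]@{ Field=$field; Value=$_.Name; Senders=$senders.Count }
            }
        }
    }
}

# 3. Password-protected Word/Excel attachments: the kind the gateway cannot inspect
function Find-EncryptedOfficeDocs([object[]]$Records) {
    $Records | Where-Object { $_.Encrypted -and $_.Attachment -match '\.(docx?|docm|xlsx?|xlsm)$' }
}

Find-SenderRotatingLures $trace | Format-Table -AutoSize   # acct@mailer.example
Find-LureFromManySenders $trace | Format-Table -AutoSize   # 'Invoice 4471' and inv_4471.docm
Find-EncryptedOfficeDocs $trace | Format-Table -AutoSize   # the four .docm records
```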
47. What do we use to quickly evaluate the malware?

48.
• The Log and Malicious Discovery tool
• Audits your system and produces a report
• Also shows failed items on the console
• Helps you configure proper audit logging
• ALL VERSIONS OF WINDOWS (Win 7 & up)
• Helps you enable what is valuable
• Compares to many industry standards
• CIS, USGCB and AU standards and “Windows Logging Cheat Sheet”

49. Free Edition
• Collect 1-7 days of logs
• Over 20 reports
• Full filesystem Hash Baseline
• Full filesystem compare to Hash Baseline
• Full system Registry Baseline
• Full system compare to Registry Baseline
• Large Registry Key discovery

50.
• Over 25 reports
• Interesting Artifacts report
• WhoIS resolution of IPs
• SRUM (netflow from/to a binary)
• AutoRuns report with whitelist and Master Digest exclusions
• List of Locked files
• More Whitelisting
• Master-Digest to exclude hashes and files

51. Resources
• Websites
– MalwareArchaeology.com
– Log-MD.com The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program

52. Questions?
• You can find us at:
• @HackerHurricane
• @Boettcherpwned
• Log-MD.com
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• http://www.slideshare.net