
BSidesDFW2020 Track 1 / part 1

BSides Dallas/Fort Worth · 2020 · 5:01:05 · Published 2020-11

Transcript [en]

Welcome to BSides DFW 2020, wherever you are. We are finally here. It's been a unique year and hopefully we deliver a unique event for you, so let's dive right in and do this thing. If you're not completely familiar with Security BSides, it was born in Vegas back in 2009 and for the most part has grown each year, at least until now. Many of this year's events were cancelled or postponed due to the ongoing situation. We do hope to see many if not all of those return next year, or as soon as feasibly possible. This is BSides DFW's 11th year and it's our first virtual, so hopefully we get things put together correctly,

or as best we can, and you all have a good time. We do have some rules. A lot of folks like to quote the Golden Rule. That's all well and good, but unless you're one of these two guys, I kind of see the rules a tad bit flawed. Me personally, I prefer something a little more simple, and at the end of the day, just be excellent to each other. If you've already been on the Discord server you've seen the code of conduct and you've agreed to it. If you haven't been to the Discord server yet, you'll be asked to read and agree to the code of conduct before you can enter the main

space. Just to cover all our bases, I'm going to go through that right now. BSides DFW is founded to facilitate the exchange of information and the development of relationships. We welcome and encourage the expression and debate of ideas. We also recognize that we do not have to agree in order to listen to or understand a given point of view. However, there is a language and a behavior that is appropriate and expected in achieving that discourse. Harassment and/or abusive behavior will not be tolerated. Any participant that experiences or witnesses inappropriate behavior, if you're comfortable with it, we encourage you to ask the offending individual to stop. Any participant that experiences and/or witnesses inappropriate behavior

is expected to report said behavior to the event staff, and any participant asked to stop behavior is expected to comply immediately. Event organizers reserve the right to respond to observed and/or reported behavior in any manner deemed appropriate, including but not limited to expulsion or referral to relevant authorities. It is our goal to ensure that the event is welcoming, enjoyable and safe for all participants. So yes, behave yourselves, be excellent to each other, and that's all I have to say on that topic. Obviously, being virtual, we don't have the typical floor plan for you to memorize this year. What you will see is something more like this, at least on the left-hand side. We would like to

take this moment to thank some of our hosts, or the hosts for our 2020 activities. Big thank you to Point3 Security for hosting their intermediate to advanced CTF. The prizes are 12-month, 6-month and 3-month access to their Escalate platform. That's an interactive learning environment, and if you're doing the CTF, that's basically what you'll have access to. We would like to thank prade cyber security for hosting the latest version of their CTF. They've been with us for several years and, you know, we definitely enjoy having them. Thank you to Pentester Academy and pwn school project for hosting the network penetration testing workshop. It's a

slightly different vibe on what we've seen previously, so we look forward to it. And, you know, we can't say it enough, thank you to albeer for putting together a crazy hardware hacking village. If you're local and you are lucky enough to get one of the toolkits, congratulations. If you're not, it should be easily reproducible. The prizes there include a Pi 4 complete starter kit, a digital multimeter and an ST core IoT development kit. With that, we have a great line of speakers for you this year and we hope you enjoy it. Once again, we tried to cover

a good balance between entry level, experienced, high level, deep in the weeds. So, you know, there they are. I'm not going to run through each one of them. See as many of the talks as you can. They're all recorded, so you should be able to hit all of them. Thank you to the speakers that did submit, congratulations to the speakers that were selected, and may all of you enjoy the content we've put together. I would also like to thank some of the key individuals that helped put this thing together this year. Obviously we were just talking about the speakers, so huge shout out to our

Ministry of Literature, AKA the CFP review panel. They did a wonderful job going through all of the submissions. There's also some key people that this wouldn't have happened without. Some of them might be scratching their head because their name's on the list. You did, you helped. Unfortunately some of the content is more geared towards a physical environment and we just couldn't use it this year, but thank you to everybody involved. I know I'm missing folks. Thank you to the moderators that are working today, and, you know, just thanks. Now before we get into our sponsors, I do want to pause here for a minute. When we started working on

this year's event, it was before the pandemic, and right as we were finalizing our sponsorship kit people started talking about a virus, and as things progressed we threw that sponsorship kit out. We already operate on a thin line. Keep in mind we don't give participant information to sponsors. The only data we provide is summarized demographics: X number of folks in this industry, X number of folks with this title. So a good number of potential sponsors immediately stopped talking to us. Without the traditional ability for the sponsor to see you at a booth and talk to you and let you know what their product is, and, you know, the very common

business card in a fishbowl for a raffle, without those traditional physical things, we just didn't feel right asking people for money. You know, what's the corporate ROI? Unfortunately it's a reality. Name placement is limited, we're not doing shirts this year. What can we genuinely offer as we move to a virtual event? As we started adding up the estimated costs, or more accurately the massive lack of costs, we simply felt even worse about going around and asking people for money. So the very short list of sponsors that I'm about to go through, that's based on folks that reached out to us. These

are folks that genuinely want to be here, participate and give back to the community. So with that said, we changed our focus and we focused on the things that had interactive content. So please give the sponsors a visit today, tell them thank you and that you appreciate their support and their involvement in the community, and if they have something that fits your needs, even better. With that rant over, we are super happy to be partnering with Hacking Is Not a Crime this year. If you're not familiar with them, it's pretty simple, it says it right there. It's all about spreading

awareness and changing the misconception of the term hacker. Find these folks online today, give them a hand, you know, help spread the word. I would like to thank Weeoo Inc. We hope you like the presentations today. The digital post-production was provided in part by Weeoo Inc, and thank you to them for the graphic layouts and the editing. This would not have looked nearly as nice without their help. Massive ups once again to albeer for putting together a hardware hacking village. As I already mentioned, if you're local and got one of the kits, they're insane. I hope you all have a great time today, and, you know,

again thank you albeer for doing this. Big shout out to pwn school project. We're super happy to have them back once again. Phillip changed the tack this year and pivoted into network penetration testing, so hopefully that will be some really good content for you all. Again, thank you pwn school project, and they are co-sponsoring with Pentester Academy. The actual workshop is hosted on Pentester Academy's platform, so again thank you Pentester Academy for giving us free access for the day. You know, first time, and welcome to the family. We look forward to possibly working with you in the future. Shout out again to prev

cyber security. Another year with their, at least the feedback I've gotten is always a fun and good, CTF. They've been with us for several years and great set of folks. Thank you prev cyber security. And last but not least, another newcomer to the BSides DFW family, thank you so much Point3 Security. You know, as mentioned before, they brought with them their intermediate to advanced CTF and we're super excited to be working with them, hopefully for many years to come. Again, please visit the sponsors today, see what they have to offer, check them out, let them know you appreciate their effort and

time, and with that, I mean, it's one, two, three, go have fun. That's all I got. Thank you all for coming out. Hopefully you'll stay with us all day and, you know, like I said, enjoy the event, have fun, and we'll see you on the flip side.

Bye.

Hey there BSides DFW. Today we're going to talk about your phone. We're going to talk about why it hates you and some of the things you can do to take care of that. Greetings, my name is Mark. I am a security researcher. I have been a security researcher for 21 years professionally. I've also been, before that, an avid, what you call enthusiast or amateur. In essence I've been a hacker since before a lot of you were probably even born, and with that comes a very healthy dose of paranoia, hence this talk. Now the mobile phone is both wonderful and evil. Over the years I've collected a good number of them. A few of them are pictured here.

I've taken them apart, I've hacked them, I've reverse engineered apps, I perform man-in-the-middle attacks against their traffic, and I have come to the conclusion that while you might care about security and privacy, well, your phone doesn't. It hates you. Okay, maybe it doesn't hate you, but it's indifference and betrayal that it shows. The modern phone, it just makes it border on evil for sure. Anyway, what we're going to do is I'm going to talk about this, and to do that I need to divide things up into different categories. So we're first going to talk about hardware issues and then we're going to cover software issues. Then after that we will get into

some solutions and we'll get into some mitigation, and in areas where there's really not some mitigation we'll kind of cover it with, we'll label that OPSEC for now and see how that works out. The modern phone has five radios. Four of them can transmit and one of them is basically receive only. The four that can transmit, they can potentially betray you. The ability to do so can vary. We're going to cover all five of them though. We're going to start with the one that is receive only, that cannot transmit, and that's the GPS radio. GPS is basically, it's receive only. GPS stands for Global Positioning

System, and that's basically used for doing location services. It helps you locate where you're at. There are 24 satellites required for this to work. These satellites are orbiting at 20,000 km or roughly 125,000 miles above the Earth. They complete their orbits twice per day. 24 is the minimum. I think right now there's like 31 of them, so there's some redundancy there in place. But for this whole GPS thing to actually work you need to do communication with four of these, so you need to acquire the signal from four different satellites. Now on a modern phone this can take up to 15 minutes depending upon certain conditions, which can be kind of bad. So anyway the

idea there is that if you can get the four, great, now you're able to roughly approximate where you are on the planet. Now the problem that occurs with this is that occasionally, because this is such a battery drain, up to 15 minutes to acquire these satellite signals, the operating system sometimes takes it upon itself to kind of help the GPS get going and figure out where it's at, and so it will borrow information from other radios such as your cellular or your Wi-Fi, and that helps speed things up. This is why you sometimes see, when you're using applications, that they say hey, turn on Wi-Fi for better GPS support. That's why it's doing that. It's trying

to not only get those satellites but also maintain them, maintain the position, and use a combination of the two to actually give you fairly accurate GPS. Fine and dandy, but that's basically how these things in particular work. Now the second radio is the cellular one, and this is one where we're starting to get into some areas where we start getting a little bit evil with it. It can transmit and receive. Typically it's got a range of about a mile or two, sometimes up to five miles in an urban setting. You get out into rural areas where towers may be mounted up a little bit higher and have slightly more

power to them, and with line of sight in good conditions you can potentially in these rural areas get up to 20 miles, although that's kind of a bit unusual. But nonetheless in the city they have multiple towers in urban areas, and so what happens is then as you're moving through town it will acquire new cell tower signals, older ones will go away as you're moving through it. That's how you're able to be on the phone while you're driving around town, either on a phone call or, you know, doing something with data. So that's how that

works. Now the thing that's interesting about those, how they end up betraying you, is because these towers gather information about the phone that identifies it as unique. One of the things they gather is the International Mobile Subscriber Identity number, the IMSI, and you may have heard of things like IMSI catchers and things like this. What these are, these IMSI numbers, these are unique numbers that are associated with your phone number. They're put on the SIM that you plug into your phone, and so with this someone could potentially figure out, by tracking your IMSI, where you're physically located or where you've been at one point or another, and

this is like how repressive governments, they'll fly drones around with these IMSI catchers, or, you know, helicopters or airplanes or even those infamous unmarked vans, and with that what'll happen is they will gather data about, like, say, who's there in a crowd that's gathered outside some building where they're protesting or something like that. IMSI catcher, they get everybody's info and they know who everyone was that was there or happened to be walking by at the time, that kind of thing. And even if they're not using an IMSI catcher, they can of course go and get the records from the towers themselves and from the phone

companies, and they can do that with a subpoena, and they can still track your movements that way. Now the thing is though, there's a second number that's called the IMEI, or the International Mobile Equipment Identity. Now this is a value, a number that's burned into a chip on your phone, so it's basically in there as a permanent identifier that's unique. Now with this you can still do the same level of tracking on cell towers. This is how you're able to do something like dial 911 and the call actually goes through even though you don't have a SIM plugged in. It's using the IMEI to at least help establish that you're a unique

device on the cellular network. Okay, so with that you can still be tracked and whatnot, so you have to keep that in mind. If you pull the SIM out you're still going to potentially be tracked by that. The third radio I wanted to talk about was Wi-Fi. With that, the unique number associated with it of course is the MAC address that's associated with the Wi-Fi interface. I really am not going to go into too much detail with Wi-Fi. There have been entire presentations on Wi-Fi and Wi-Fi security. One can do an entire presentation on a single flaw in one company's implementation of Wi-Fi. First off, I just wanted to let you

guys know I am releasing a zero day in this talk, but I want to point out that it's lame. Okay, so I'm not going to go into a huge amount of detail here. Just bear in mind how awful Wi-Fi is. Wi-Fi doesn't have a huge range, but it can reach out from your phone for dozens of meters. Line of sight with good conditions, that could do well over 100 meters, so it's a pretty powerful little radio. The fourth radio is Bluetooth. Now there are three classes of Bluetooth, ranging from 1 m, 10 m to 100 m respectively. Effectively we're concerned with Class 2, which is the one that's 10 m

or 33 ft roughly. It has its own MAC address as well, and while there are things like, I know like on an iPhone, depending upon the applications that are using it, it'll actually randomize the MAC address for that for privacy purposes, do realize that the MAC address of the Bluetooth is one digit off from the MAC address of the Wi-Fi, so if you can get one then you can figure out what the other one is. So that's interesting with that. Now the fifth radio we're going to talk about is Near Field Communications, or NFC. Now this is the background of NFC: this gets back into RFID, and again there's whole

presentations that have been done on RFID and whatnot, but NFC, there's three different types of NFC and there's four technology types that are associated with those three different types that can extend those three, and your phone speaks all of them. Okay, now that may sound a little bit daunting, but it's not as scary as it sounds. I mean there is a MAC address associated with this technology. The IP stack, that is one thing, okay, TCP/IP, that's one thing. The NFC stack is insane. It is all kinds of levels of complexity. But the thing is, it's only activated via an app that has to use the APIs in the lower parts of the

technology stack itself, so there's no like direct access. They have to go through APIs to get down into there, so there is some lower level isolation from the upper ranges of the phone at the app level. And also couple that with the fact that the transmission range of NFC is like roughly 4 cm, something like that, an inch and a half, so it's not very wide range, so this drastically reduces the chance of compromise with that particular radio. Now from a hardware standpoint, with four or five radios capable of transmitting, one can safely state that if the phone has power it is traceable, and it is widely believed that even if the

battery in the phone is still there with power in it but the phone is powered off, it is still traceable even then. To give you an example of that, in 2003 then-President George Bush made a surprise Thanksgiving trip to visit troops in Iraq. This is during the Iraq War, and to maintain all kinds of security and privacy and secrecy around this, reporters were instructed not only to shut off their phones but they were told to remove the batteries, because in 2003 every phone had a removable battery. They gave the reporters fresh phones when they were on the way back from Iraq so that they could actually begin reporting on what was going

on. Now this level of phone spying is probably only going to apply to nation state attackers, but it is a possibility, and considering that was in 2003 I can only imagine where the technology for doing that kind of thing is now. So if you're thinking, oh, I've got to stay away from the nation state actors, they're going to be the ones that are coming after me, well then, there you go, this is something to keep in mind. As far as software goes, there are a few things to keep in mind. Each operating system, either Android or iOS, will perform various queries back and forth to their respective homes. The main reason for these is for updates for the

OS or for the included apps. Other reasons might include telemetry data, and this can be the health of the system, usage statistics, location data, other bits and pieces of information that can be revealing. Some people don't have a problem with it, say for example if they constantly lose their phone and they want to use some type of thing like Find My Phone to be able to retrieve it. Other people want to be able to keep an eye on their children. Obviously if there are malicious use cases, then those are the ones we want to kind of keep in mind. For the truly paranoid, all of this data that's collected, it can be subpoenaed by

the US government. In some cases for foreign nations there may not even be a subpoena process in place, the government just gets access to it, such as China. GPS can be the source of a bit of unwanted tracking. As we stated before, it can take up to 15 minutes to acquire a signal. This is known as TTFF, or time to first fix. That's tricky to remember. To improve upon that, there are several techniques that are put into play here. Wi-Fi: using information about the surrounding available Wi-Fi networks, you know, such as collecting network names, associated MAC addresses, etc., a database can be accessed by the phone

that helps establish location using what it sees versus what's in the database. Google's infamous Street View surveys have been collecting this data during street mapping for years now. Now of course this all depends upon the Wi-Fi radio being on. Cell site, this is kind of tricky to say, cell site multilateralization, which is a fancy term for using data from available cell sites to approximate your location, and obviously that depends on your cellular radio being on. There's also something called AGPS. The A stands for assisted or augmented, mainly it stands for assisted in the stuff I've seen written up on it. It does require access to servers for AGPS to work, and also

this is interesting: depending upon local tariffs in your country, data plan, etc., this does count against your data plan if you're not connected to a Wi-Fi network, for example. AGPS has been known to be invoked even if the cellular radio has not been turned on, which is interesting in itself. Most modern phones will use a combination of all of the above. They'll use just regular GPS, Wi-Fi, cell sites and even AGPS, and use those to actually put together their exact location data. One more protocol to keep in mind is AML. This is Advanced Mobile Location, and what this is for conceptually is roughly the same as AGPS,

but what this is for is when you dial emergency services. Instead of, like AGPS, querying internet-based servers, it will turn on location services long enough to get GPS coordinates from whatever it can and then send them via an SMS message to emergency services. Now the standard is called AML, but if you see a reference to ELS, or Emergency Location Service, that's Google's name for it, so you may see that pop up with Android related stuff, but it is the exact same thing. The thing is, just remember that anytime there is a query to Wi-Fi or cellular there's potential logging and an increase to your overall digital footprint. Apps on the phone, those

however are absolutely the worst, as most protocols used by apps are web protocols. Apps are basically glorified web browsers without the built-in features, plugins and extensions that one normally might use to protect a normal web browser. Now apps are typically written in a language referred to as cut and paste, which is basically a lot of coding choices made by Googling a particular problem or, you know, situation that a coder is encountering and then just using whatever's popular, whether that choice is recent or secure or not, and that pretty much sums it up right there. That is why apps have been such a disaster. All right, for mitigation, something you should do: update your

operating system and apply patches. Security holes get closed, but just as importantly new features are often added that add granular control over some of the security settings and control over what the application can actually do while on your phone. Be sure to delete any unused apps and turn off everything that you can that improves privacy. Then basically you go back and only turn on what you need for those critical apps you just can't live without. If you're not using Wi-Fi or Bluetooth, turn them off. Turn them on when you need to. If you're worried about background apps eating up your data plan while Wi-Fi is off, you could adjust those apps to make sure that they

only try to talk to the internet when Wi-Fi is on and they don't go against your data plan. You simply just turn things on when needed. And I would say also with GPS and NFC radios, I wouldn't worry as much, even though they can't be turned off. The thing is, as long as you're not using an app that invokes their use, you're not going to be activating the radios. For NFC, usually NFC apps themselves have some built-in extra security feature, such as maybe a biometric or something like that, before you can perform some action. There's also things like, I know that with Android 10 they recently introduced a secure NFC, which

means the NFC radio cannot be activated, even though you may have the application active and open, it cannot be activated with the screen lock on. So that's something that you may want to turn on just for a little bit of added safety. Once you've figured out which apps you can't live without, you may want to take a slightly deeper dive into those particular apps that have made it onto your list, and, you know, basically after you've done some tweaking on the privacy controls. I'll cover my testing setup first and then I'll go through the steps, and then I also want to talk about a few business related apps that I've looked

at. For testing I have my GitLab issued, because my employer is GitLab, my GitLab issued Dell Precision 5530. I have it upgraded to run Ubuntu 20.04, mainly because the drivers work really well with pretty much everything that I plug into the laptop. It's wonderful. One of the things I plug in is an Anker USB-C hub, and this has a whole bunch of different things that you can connect up to it, but the thing that I'm using it for in this test environment is it has Ethernet, because the Dell doesn't come with an Ethernet jack, so I mainly use it for this 1 gigabit Ethernet. In this

situation I have three phones that I use for doing my testing. That includes an iPhone 10, a Nexus 5 that is only running Android 8, so that's considered old and is about ready for retirement at this point, and it's going to be replaced with the Motorola Moto G7, which is currently running 9. I need to get it upgraded, and then once that's all upgraded to at least 10, then I'm going to be retiring the Nexus from the pile of phones that are considered active and it'll go into the deactivated pile. Software that I have loaded on the Linux system: I have an

assortment of ADB related tools so I can manipulate the Android phone. Because you can get apps in downloadable form for Android, and they are basically a big zip file that's in a specific format, I use a decompiler for that. The one I use right now is called jadx, J-A-D-X, I think I'm pronouncing that roughly correctly. I also use Wireshark heavily, and I also use man-in-the-middle proxy, which is a really, really fun product to play with. I do have a detailed blog post that covers all of the technical steps for getting network sniffing going, so you can check that

out for specifics, and I'll make sure that there is a link available for that so you can look that up and go through those steps. Here are the rough steps I perform. Number one, set up the Linux sniffing station, and I connect up the phone to a hotspot that I launch on the Linux system. I fire up Wireshark. I get a baseline by sniffing off of the hotspot interface, and I just do that without the app. I just get a baseline so I kind of know what the OS is doing and get familiar with the traffic. Then I launch the app and use it

to get an idea of what the traffic looks like when the thing's in use, and in particular at that point I usually note all the DNS lookups that are occurring, because there will be some that are from the app that have nothing to do, seemingly, with the app, and those you want to kind of explore and say hey, why is it talking to this other website, and things like that. I do those steps with both iOS and Android. Now, like I said, since you can download the APK file of the Android version and go through and decompile the thing, once I get it back into a Java source code state, I can poke around and look at

things. The things that I end up looking for, there's a list of those as well. I look for all the included packages that happen to be there. I want to know what version they are, of those particular packages. Sometimes they'll include a version number. If you look through the source code it'll have a version number in there. However, for some of these packages you really can't tell. If the source code is available for those packages, conceivably, and I've done this before, you look through the readmes and the release notes and stuff like that for a particular package and when feature X was available, and let's

say it became available in a version that came out in 2017, and you look for that code in the package in your decompiled version and it's not there, then that means that the version that you're looking at is at least 2017 or even older. So I go through and do that. While I'm in there I also am looking for stored secrets, including passwords, plain text or otherwise, any stored URLs or IP addresses, any pointers to any type of internet-based resources, included libraries. Occasionally there's like a full-blown executable that is included in there, and I typically go through and try to check that out. With the manifest you can go

through and look to see what kind of permissions are required for the application. You also will note that of course when you install it, it may ask for certain accesses and permissions and whatnot, but this will show you them in kind of a written form. I'll look to see if there's any local accesses that go on, and the combination of looking at the source code, but also I'll poke around with ADB and see particularly what's changed since I added this app on there. Fun things to look for: sometimes there'll be like a small local database or something like that that is installed just for storing information. And then you could, I've done this on

occasion, I don't do it all the time, I'm just getting the right tools that I want to use for this, but run static analysis tools against the source code. So you can kind of look for, I mainly at this point with these steps I'm looking for low hanging fruit. I just get an idea of how well the thing is put together. Now this sets me up for the next phase of testing of the app, where I fire up man-in-the-middle proxy and I use the app going through my sniffing station, and I can now look at decrypted data, assuming that I can get man-in-the-middle proxy to work, and then I examine that data to

see if there's any uh excessive information that's being uploaded or downloaded or whatever and just kind of take a look to see how it's handling data once I've done that I've got a pretty good idea where I stand at that point I may decide on some potential attack scenarios and stuff like that that might that I might launch against these apps and then I'll go ahead and see if I can actually perform those but this at least gives me a fairly decent Baseline to start with as far as okay this is I have a rough idea of how good the app is at least from a security perspective as I mentioned I work at gitlab as a

security researcher and one of the things I look at are mobile apps that access critical data I'm going to go through a few of those talk about you know basically how I applied some of the steps that we just went through and then I'll give you the results for a few of the apps that I've looked at and the first one up is going to be

Zoom. Okay, we're taking a look at the Zoom application. The version I looked at was 5.2; this was after 4.whatever. At the beginning of the pandemic everyone was freaking out, there was a lot of research being done; most of the research that I did was just confirming other people's research. I knew that five was coming out, and so I waited for five and then just gave it a good look and checked out the data stream, made sure that they're using decent encryption, made sure that the certificate pinning was being done correctly, and it was done exceptionally. There were some packages that they were using that were a little outdated, and some of these outdated ones had security issues associated with them. All of this was reported to them and they have taken care of those problems.

The main problem that I did find was as far as local storage of the end-to-end encryption keys and client-side PM; that was inside a SQLite database. I also reported that to Zoom and said, hey, this is just being protected by local permissions on whatever device, and this was for all clients, not just for the phone app but also for the app on Linux as well as on the Mac. So the attack scenario would be that someone would intercept the encrypted Zoom call, and if they could additionally get into a client and get the directories where this data was being stored, then they could actually use that to decrypt the data. So it was kind of an unlikely scenario. And the fact that at GitLab there's a few meetings that we don't record, but for the most part we record all meetings, and since everything's being recorded, that means that the end-to-end encryption is essentially defeated. But all that was reported to them; they are going through, and in the future (I don't think they've done it yet) those keys are going to be stored on secure hardware, on chips on computers and on mobile devices, so they won't be storing it in an insecure way in the future. So that did work out good. So for us, we deem that to be an acceptable thing, and that's why we're still using Zoom, and we'll continue to use it for the near future.

Okay, we're going to be taking a look at the Expensify phone app, and the particular version we looked at at the time was 85102; this is several months ago. Good encryption; their CSP policy was a little sparse. There were some problems with

some of the packages. The main ones that we had problems with: there was this one, a package called Urban Airship, one of these app measurement kinds of things, so it gathers information on app usage. It did gather a couple of questionable things while it was in there doing that. The worst one though was from Branch.io; anyway, Branch. They are a deep link analysis company, which basically means they gather information from a whole variety of sources and then put this data together to identify unique individuals, so that they could actually do fairly sophisticated ad tracking and shoving ads at people. I don't know why it was included with Expensify, and by looking at the encrypted data, by decrypting it and getting in there with a man-in-the-middle proxy, you could see that the setting for "ad tracking enabled" had been marked to true. Again, this is one of these things where if you had a regular browser it wouldn't have been so much of a problem, but since it's an application there's no browser protection in there. So that was probably the worst bit of it right there that was found. Everything else was okay. They were able to go through, they did fix it up reasonably quickly, and we're continuing to use Expensify to this day and everything is working fine.

We're looking at BambooHR, the app for the phone, and this was tested several months ago; the version that I looked at was 3.1.2. With it, decent use of encryption. There were a couple of odd things in the CSP: inline dynamic JavaScript was allowed. The Firebase logging was uploading a lot, and Firebase is one of these statistic-gathering apps; there was a lot of stuff that was being uploaded from that. There were a few packages on there that were pretty old, and the code itself was pretty rough. I was able to successfully perform a man-in-the-middle attack against the application. There were a lot of problems with it, simply because there were so many things out of date and the fact that it was gathering so much data. We had decided, because we were having a terrible time reporting anything to BambooHR, to go ahead and just make it a policy within GitLab that we would stop using BambooHR on the phone. In the web browser it seemed fine; it's just using their app that was less than desirable. So we made the decision to say, okay, we're just not going to use that at all until they at least get

it up to date. Okay, the last one we're looking at here is Slack, and I looked at version 20420. They used good encryption. This was a first for any app I've looked at ever, and that was that the libraries were all up to date or only one version out, and there were no packages with security issues whatsoever; that was wonderful, that they were that much up to date. There was a lot of personal data that was being stored in local database files, and that included various configuration settings; there were some things from private channels and everything. It wasn't great, but it was okay, we could live with it. And it handled all kinds of attacks thrown at it; I didn't find anything really wrong with it and was just like, well, this looks pretty good. So there was nothing to report to the company, nothing to speak of, so we went ahead and just set a big thumbs up for Slack, which made us feel really good. As a remote-only company we live in Zoom and in Slack when it comes to being online, so this was good, this was very good.

OPSEC. This is probably the most entertaining part of the talk, at least for me it's the most entertaining part. Basically what this boils down to has to do with behavior, what you're doing with your phone, remembering that wherever you go with that phone, whenever it has power, you're potentially leaving a footprint somewhere, a digital footprint that shows where you were at a particular time, what you were looking at. That's rather unnerving. So to kind of help reduce that digital footprint, if you've gone through the mitigation steps and you're saying, well, there's still some more things I wish I could do, well, there are, and we're going to cover those real quick.

The first one is, well, you could just leave your phone at home and only use it at one particular place and never carry it with you. That's rather impractical; the whole idea behind a mobile phone is the mobile part, you can take it anywhere, so a lot of people don't do that. You could get a second phone just for travel, or just for travel into risky areas if you wanted to. I may do a video in the future about that whole idea of having that second phone, what we would refer to as probably a hacker burner phone, and I'll probably get to that at some point. There is one other area, and that is where you can actually keep your phone with you but selectively allow it to leave that digital footprint, where you can actually turn it off without having to take your phone apart and pull out the battery. That one is kind of interesting because that one involves a technology known as Faraday bags, and not only do I have some examples of Faraday bags, I've actually gone through the trouble to put them to the test, and I put them to the test out in the real world. So let's take a quick look.

[Music]

[Music] Right now I'm looking for a spot to do some testing of Faraday bags. Now, Faraday bags come in different shapes and sizes; I've just got some sample ones here. I mean, they make some that are big enough to put laptops in; I don't need that, I need something fairly simple just to hold a cell phone. I've got three different versions. This one's from a company called Onever, on ever, I don't know, I'm assuming it's Onever, I have no idea, but anyway this is kind of a cheap one. And then kind of a mid-range price one is this guy; this is from Mission Darkness, and this has got a bunch of extra features on it. And then I have this one; this is from Silent Pocket, and this is the most expensive one, and we're going to see whether it makes any difference whether you spend the extra money or not. On the inside they look exactly the same; they have the same type of material. I believe at least two of them, I think the Silent Pocket and the Mission Darkness ones, what they have is a lining inside them that's supposed to be MIL standard 188-195, and they, particularly Mission Darkness, use that as a selling point, saying we meet government standards. Well, that's one standard, and that's for high-altitude EMP attacks, that your electronics will be safe from that. I'm not concerned about that; I'm concerned about whether it actually blocks phone signals. I did some rudimentary testing early on when I first got the bags and they seemed to work okay, but what I'm going to do now is an actual fairly thorough test of them to make sure they actually work. All right, first up is the Onever Faraday bag, and I'll put my phone in

here and give it a call. Now, this is underneath the big towers. We're ringing; see, I can feel a buzzing in here, so it did not block. That's disappointing. Try the Mission Darkness Faraday bag; it has all kinds of extra goodies and features but essentially looks the same on the inside. Put that in here, and okay, this one is actually blocking. It's not buzzing in here, I can't feel it buzzing, so this one works okay. The last one is the Silent Pocket, and we will, oh, this one's a lot tighter. All right. "Hey, it's me, go ahead and leave a message, thanks." All right, that went straight to voicemail, very good. All right, so that worked. So we know the cheap one is the one that did not perform very well.

Okay, let's go ahead; it's in the Onever. Let's go ahead and try it out here with two bars. All right, it's not buzzing. The Mission Darkness one [Applause]: it's not buzzing, so that's good. Silent Pocket Faraday bag: no, nothing, not buzzing at all. Three good responses when we're away from a tower. The one that seems to do the worst, though, is the Onever, which does not block when you're right under a tower, and that's not surprising considering this is the actual cheapest one. So there we go.

One other interesting thing for OPSEC that I wanted to talk about, and that is understanding how insidious the devices are out there that can record you. Okay, you have such things as Bluetooth beacons that can be in brick-and-mortar locations. These Bluetooth beacons can not only do things such as pop up ads on your phone if you have Bluetooth on, but if you had the phone in your pocket

and had the Bluetooth active on it at the same time, the beacon can pick that up and then phone home with it, and if you're one of those deep link analysis firms that's using this data and gathering it and coupling it with other data, all of a sudden you're at the mall, you walk into a luggage store, you walk back out, you didn't even get your phone out the entire time, you leave the mall, you come home, and the next thing you know you're getting ads on your computer for luggage from that luggage store.

Another one is cell phone towers. Now, this is really weird. It is not unusual, I mean, you've seen them up on the top of other structures; I've seen them on water towers, I've seen them on the sides of buildings designed to look like a part of the architecture, but I've also seen them where they've been actually inserted into church steeples. And not too far from my home there is actually a giant tree that's not a tree; it looks like a tree, sort of, but you look at it closely and it's the only thing around that's even remotely close to that; it's a cell tower. Now, when you look at how small the 5G towers are, right now they're barely noticeable because it's just like a telephone pole without any wires attached to it. They have to have a whole lot more of them in a smaller space because of the fact that they don't have near as strong of a signal, because the frequency is much tighter.

I wanted to thank BSides DFW for having me talk to you all. This has been a lot of fun. Hopefully you really enjoyed this kind of talk where it's not just me and slides; it's actually a little bit more visually interesting, hopefully anyway. Thank you very much.
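The static checks the first speaker walks through at the start of this segment (grep the decompiled sources for hardcoded credentials, URLs and IP addresses, and read the requested permissions out of the manifest instead of waiting for install-time prompts) as an added Python example. This is not code from the talk or from GitLab: the directory layout, the file contents and every key, host and address in it are constructed, and the permission list is a hand-picked subset of Android's runtime permissions, not a complete one.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace Android uses for manifest attributes such as android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Low-hanging fruit to grep decompiled sources for: URLs, IPv4 addresses,
# AWS access key IDs and credential-looking string literals.
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>)]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_literal": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*[\"']([^\"']{4,})[\"']"
    ),
}

# Hand-picked subset of Android's runtime ("dangerous") permissions worth questioning.
DANGEROUS_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

def scan_file(path):
    """Return (kind, matched_text, line_no) for every pattern hit in one text file."""
    hits = []
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((kind, match.group(0), line_no))
    return hits

def scan_tree(root, suffixes=(".java", ".smali", ".xml", ".js", ".properties")):
    """Walk a decompiled app tree (apktool/jadx layout) and collect hits per file."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def manifest_permissions(manifest_path):
    """List every <uses-permission android:name="..."> in AndroidManifest.xml."""
    root = ET.parse(manifest_path).getroot()
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def flag_dangerous(permissions):
    """Return the declared permissions that fall in DANGEROUS_PERMISSIONS, sorted."""
    return sorted(p for p in permissions if p in DANGEROUS_PERMISSIONS)

def review(app_root):
    """Run the secret/URL/IP scan and the manifest permission check over one app tree."""
    perms = manifest_permissions(Path(app_root) / "AndroidManifest.xml")
    return {"findings": scan_tree(app_root), "permissions": perms,
            "dangerous": flag_dangerous(perms)}

def build_sample_app(root):
    """Write a constructed, fake decompiled-app tree; every value in it is made up."""
    root = Path(root)
    (root / "smali" / "com" / "example").mkdir(parents=True)
    (root / "res" / "raw").mkdir(parents=True)
    (root / "AndroidManifest.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">\n'
        '  <uses-permission android:name="android.permission.INTERNET"/>\n'
        '  <uses-permission android:name="android.permission.READ_CONTACTS"/>\n'
        '  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>\n'
        '</manifest>\n'
    )
    (root / "smali" / "com" / "example" / "Config.smali").write_text(
        '.class public Lcom/example/Config;\n'
        'const-string v0, "https://api.example.test/v1/sync"\n'
        'const-string v1, "203.0.113.7"\n'
        'const-string v2, "AKIAIOSFODNN7EXAMPLE"\n'   # the documentation example key from AWS
    )
    (root / "res" / "raw" / "config.properties").write_text(
        'api_key = "constructed-not-a-real-key"\n'
    )

def demo():
    """Build the fake tree in a temp dir, review it and return the review dict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_app(tmp)
        return review(tmp)
```

Point review() at an apktool or jadx output directory. Noise is expected and left in on purpose: the manifest's own xmlns URL shows up as a url hit, and SDK hosts will too, so the findings are a triage list to read through, not a verdict.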

Hello guys, I'm so glad to be here, and today we're going to talk about comparing binaries to analysis, when we're talking about malware analysis, right? My name is Filipe Pires, and this is my contact on Twitter, GitHub and Medium. I use LinkedIn a lot, er, not the profile actually, social media in general. If you have any doubts or any questions, please, this is my contact, and I am available to talk to you, right? So, some information about me: I have been working at Hacker Security as a global research manager, right? This is a Brazilian company; I am a founder. This course is about malware analysis fundamentals. And now, not actually now, I started to work in this company, Zup Innovation; I am responsible for Zup Security Labs. I am a research and security manager as well; I'm responsible for providing a lot of research on antivirus and many different sensors of security products, right? And this is a Brazilian company as well, and this is like a software house, responsible for creating software, apps and applications, and, as you can imagine, the kind of software and apps, right?

So here are some papers, or not papers, in this case articles that I wrote. Yeah, I published them in PenTest Magazine and eForensics Magazine and the Cyber Security Hub as well. This is not, you know, my idea here is not to hack the NSA or FBI or, you know, Microsoft. My idea when I publish this kind of article is to provide some bases, you know, so my idea is to talk about the bases, the fundamentals, which are important when you talk about security products or malware analysis or maybe threat hunting or maybe pentesting. So we need to know about the bases. During our conversation now I will explain more about this, right? So here are other papers that I wrote, right, and you can read them on my social media or in these magazines as well, right?

So, the first step that we need to do when you talk about malware analysis is to identify, right? This step is called identification, right, because we have the artifact; we don't know if the artifact is malicious or not. We need to understand if this artifact actually is malicious software or a malicious document, right? This is the first and very important part, right? After that you can choose what kind of analysis you use, whether you use static analysis or dynamic analysis, right? After that, after you realize or execute it, you can prepare a report, right? Actually this kind of step is very important because you need to

present it to your manager, your tech lead, your coordinator maybe, and you can prepare all this information that you analyzed before, right? After that you can improve your security defense mechanisms, right? This is the main point here, because, for example, if you try to exploit any antivirus in your environment, right, maybe you can try to exploit many, you know, DLL injections, you can try using another, different malware, or maybe using some exploits to try to exploit your antivirus solutions. This is a very interesting point; you can present this to your manager or your tech lead, and when you find any, for example, vulnerability, maybe bugs, maybe, I don't know, failures in your software, in your security software for example, you can improve, you can adjust many settings inside your platform, right? And after that you can prepare the beautiful word, no, like a cyber threat intelligence, or CTI, right? You can build it, you can build this kind of intelligence in your company. I know maybe you don't have a big company, you have a small company, but you can work with, for example, IOCs, indicators of compromise, or maybe you can work with IOA, it's like an indicator of attack, and you can build it, right? This is the main point when we talk about malware analysis, because, you know, when you mention malware analysis, maybe the people that are watching me now are thinking, for example, okay, if I have this kind of knowledge maybe I can work in a SOC or maybe in support, but you can receive this kind of knowledge and you can improve it; you can work, for example, in threat hunting, or as a threat hunter, a person that realizes or executes this kind of work, right? Or you can maybe do this research like me, for example, because I am creating this in my company now, in Hacker Security and Zup Innovation as well, and my idea is to put this kind of professional, this is the malware hunter, at the top of the tower, right? The idea is to put the research guy at the top of the tower. This is my idea, you know, because when you talk, for example, with many companies in the world, this kind of person, or this skill, it's not clear if this guy is working with a SOC, with a CSIRT, or maybe in a support team or maybe in a red team or blue team, you know. It's maybe a confusion in many companies. So this is my idea, to put him at the top of the tower, because this guy has a defensive, you know, essence, but the thinking, the mind, is totally offensive. That is my idea, right? And after that you can create the strengthening, yes, of your cyber resilience, because the threats are changing all the time, right? This is maybe not a life cycle of malware, but it's one suggestion, right? It's one idea, you know; that's my suggestion for you, right?

So the first step is static analysis. It's very simple; usually this is the first step used by malware analysts, yes, because this is usually, it describes the process of the program, maybe the

structure, or maybe which function is called by any DLL, or maybe called by any library, for example if you are analyzing, for example, a Unix platform, right? And usually the program itself doesn't run at this time, right? Because of course it depends on the program that you use in your analysis, but usually it's safer, right, not 100% safe, but usually it's safer because you don't put it in real time, right? The analysis is not in real time. That's a simple point here when you talk about static analysis, right?

The second step is dynamic analysis. Just to explain for everyone that is watching now, right, dynamic analysis is based just on behavior, right? Basically the interactions that the malware has with the files inside the operating system, or maybe what the document, maybe, this file can call. But usually you put the sample inside a virtual machine, one controlled environment, right? You run the sample inside this environment and you can analyze this behavior, right? So usually you can automate many of this kind of analysis, right, because today you have many websites with antivirus engines to try to execute your suspicious files, right? Or you can create, you can use as well, another concept called sandbox. This is basically a controlled environment that you can put your sample inside; this product, for example, you can run and you can look at all the DLLs, and much information is collected. But the big point, the very important thing here is: okay, I put my sample inside this sandbox, but what is the response, what is the answer I'm receiving in the report? I can't understand what DLLs are called, because I understand very well, in the low level, in the kernel level or the user level, you know, I can understand this because, you know, I have the automation tool, but I need to interpret, I need to, like, translate, not translate, but you need to understand what this report is saying, you know. That's a very important thing. Because of this, that's my mission now here: to try to explain some bases for you, right?

So okay, so here I have a demo I will show on my machine. By the way, okay, so I will try to put it here; I will pray to the, you know, the lords of the demo. Let me check here; I have here some samples, right? I have, by the way, here a file, Linux 32; yes, this is a simple executable file, right? So if I check here another one, let me check

here what I have here, a simple file. Okay, let me check here: if I use the file command I can find here, in this case it's a portable executable from Windows, from Microsoft, right? So you have different files here to understand if it's malicious or not. Let me check here; I have another different one here, let me check here, I have a bill, let me check here, bill, bill file, bill: this is a PDF file, right? It's a PDF file, okay. So but here I would like to try to explain the basis, right, because we're going to talk about the file command, right? I don't know if you read something about this, but what does file mean in this case? file determines file type. I know, Filipe, but how does this kind of tool, or this tool in this case, work? That's a simple and very important point, right, because when you put this command inside your machine, this file, or this tool actually, will run in your environment and show some answer, right, on the screen. But how does this tool work? That's important, because if you read here, you can read here: the magic tests are used to check for files with data in particular fixed formats. Maybe you are thinking now, and maybe, I know, Filipe is showing me the man of file, but here you can understand something, because here you can understand that this format is defined in elf.h. So maybe here we have interesting information. If you, let me, for example, if you check here, for example, if I put here, for example, no, no, you know, let me, oh yes, I will open. Okay, so here you can, if you see here this information, right, that I received here in the man of file, you can read here: this file defines standard ELF types, structures, and macros, right? And here below you can read other information about the structure, because here in the beginning you can read here the ELF file header; this appears at the start of every ELF file, right? You have here 16 bytes, the first array, the name e_ident, and you have the magic number and other information. So we have here, for example, the magic number. So what does this mean, in this case, a magic number? Here you have the key, right? These files have a magic number stored in a particular place near the beginning of the file that tells the Unix operating system, right? So what does this mean in this case? It's very simple: the file command has a database responsible for

providing all this information, to find all those magic numbers at the beginning of the file, right? So here, I will show you now, here, for example, I have here, I downloaded this file, this file code, to look inside this, to show this information, right? So here we can read, you can read much information here of this kind of database; for example, if you read the information for JavaScript, in this case here, okay, so JavaScript, let me show you here: JavaScript, we have here much information; at the beginning of the file, in this case, is the magic number of the file. You have many rules here that you could use, that basically this file command uses to identify the file, in this case, if it is executable or not, right?

So let me show you some example now. Here I create this file, the name, our.txt, right? Is it malicious? Is it malicious? Let me write here. Okay, it's a simple question. I will read this information; in this case, they're perfect. Let me use the file command here: it's really a text file, right? Perfect. So, for example, if I manipulate the magic number information here, let me manipulate here; I will put some string here that I know what this information means. I will change here and I use file again on text.txt, and let me check here, and here, look at this incredible information: now we have a Python script. In this case it's an executable file, right? So if it's executable I can call it, I can call maybe python after. You think about it, so I can call on, not python, python text, in this case text, because it's Python, right? If I, let me read again this file. Yes, but we have a problem; maybe you can think about it some. But the extension here is different, right? Just let me, because I have another python here in the other presentations, I will, okay, so I have a key, I have here, yes, okay, so let me change now here: let me move m.txt to m.py, right? So here we're going to .py, so in this case we can run now just py. Maybe you need to have the authorization, the privilege, to execute this kind of file, maybe; let me change here. Okay, so now let's python again, and let's check: it's the same error. Why did this happen? Because it's not a Python script, right? If you, for example, you can manipulate again this information here; it's a very interesting point. Another, again, let me move again, in %PDF, trust maybe slash, oh, dash actually, 1.n, and I will save here, and I will clean

and let me check here: m.py, .py, it's a PDF document. Take a look at this, very interesting, you know; that's a big point here. Maybe you can ask, so, Filipe, now the file command is not, you know, it's not a trustworthy command, I can't use this kind of command? No, you need to use it, right, but you need to understand all those bases, right? This is the very important thing: you never can believe in the extension, because of course it's the same case when you talk about strings, for example. If you see here the strings, the man of strings, for example here, the strings command, right, so let me check here: strings, man strings: print the sequences of printable characters in files, right? So here's the simple key that many people never think about, maybe, because in the beginning of the description it says, for example, for each file given, strings prints the printable character sequences that are at least four characters long. Because of this, when you execute, for example, strings, maybe you, for example, in the beginning of this, you don't find, for example, the ELF information or MZ information or the PE information, right?
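The two points made above, that file(1) decides by comparing bytes at fixed offsets against a rule database (so rewriting the leading bytes changes the verdict without changing the content) and that strings(1) drops runs shorter than four characters (so the three-byte ELF after 0x7f never shows up), as an added Python example. It is not the speaker's demo and not the real file or strings implementation; the rule table, the fake ELF header and the text body are constructed for the example.

```python
# Magic-number rules in the spirit of file(1)'s magic database: (offset, signature, description).
# Constructed for this example; it covers only a handful of formats.
MAGIC_RULES = [
    (0, b"\x7fELF", "ELF executable"),
    (0, b"MZ", "PE/DOS executable (MZ header)"),
    (0, b"%PDF-", "PDF document"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"PK\x03\x04", "Zip archive"),
]

def identify(data):
    """Classify a byte string the way file(1) does: magic bytes first, then a text heuristic."""
    for offset, signature, description in MAGIC_RULES:
        if data[offset:offset + len(signature)] == signature:
            return description
    if data.startswith(b"#!"):
        # Shebang: report the interpreter named on the first line.
        interpreter = data[2:].split(b"\n", 1)[0].strip().decode("ascii", "replace")
        return f"script text executable ({interpreter})"
    if data and all(0x20 <= b < 0x7f or b in (0x09, 0x0a, 0x0d) for b in data):
        return "ASCII text"
    return "data"

def strings(data, min_len=4):
    """Reimplement strings(1): runs of printable ASCII at least min_len bytes long (default 4)."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7f or b == 0x09:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found

# Constructed stand-in for the speaker's Linux 32 sample: a fake ELF e_ident plus the kind of
# printable strings a real binary carries. It is not a runnable executable.
ELF_SAMPLE = (
    b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # e_ident: 32-bit class, little-endian, version 1
    + bytes(40)                                    # rest of the header, zeroed
    + b"/lib/ld-linux.so.2\x00"
    + b"GCC: (GNU) 9.3.0\x00"
)

def spoofed_magic_demo():
    """The same body reports as text, script or PDF purely on the basis of its first bytes."""
    body = b"print('hello')\n"
    return {
        "plain": identify(body),
        "shebang": identify(b"#!/usr/bin/env python3\n" + body),
        "pdf_magic": identify(b"%PDF-1.7\n" + body),
    }

def elf_strings_demo():
    """'ELF' is three printable bytes after 0x7f, so the default minimum of 4 drops it."""
    return {
        "default_min_4": strings(ELF_SAMPLE),
        "min_3": strings(ELF_SAMPLE, min_len=3),
    }
```

identify() and strings() are deliberately small: the real magic database has thousands of rules and file also checks text encodings, but the decision is still a byte comparison at a fixed offset, which is why a manipulated header moves the verdict and why the extension and the magic bytes each need a second check before either is trusted.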

For example, here, if you read here the hexdump of any, let me check here, any 32, the Linux 32 binary, okay, in the beginning you can read here the ELF, right? So but here you have just three, ELF, three characters, not four, in this case, right? So if you try here, for example, let me change here, if you try, for example, to run strings -a on the Linux file, let me put a pipe here, pipe to less here, and you try, oops, maybe I received some error here; of course I need to put the file correctly. Yes, so here, if you look at the beginning, take a look here: you don't find here at the beginning the ELF information, because ELF is just three characters, not four characters. That is the important thing, right? These are all those bases, right, that's very important when you mention this, right?

So we explain more than ELF now. So basically, when you talk about the structure of the ELF or maybe PE, portable executable, you can see in the pictures it's a similar form, not exactly the same but very similar, because we have the same header; you have the sections here, the .text or .data, oh my goodness. You have .text, you have .data, and you have many sections. In the PE, portable executable, we have, for example, two parts first, right, the header and the sections; of course it's divided into other parts, and you have, for example, inside the header you have the DOS header, where you can see the MZ information, the signature MZ, right, which basically refers to the creator of this kind of binary, and you have here the PE header, where you can find the PE signature information, and below you can see the sections here; this is where usually the attacker can put their malicious code, usually inside this section, .text, right. And when you try to analyze any artifacts, for example, you can find UPX compression or maybe a packer tool. This is a technique that maybe many times the attackers can be using, as many different attackers; usually the packer can absorb all the sections inside one of these packer sections, basically, and when you use some tools to try to find any information you will find, for example, the packer information, right? You can't see this information in the section, right? So okay, so we talked about the PE and ELF structure; of course it's very simple, we, I can't, I don't have time actually to explain

all this uh binaries because you know uh if you talk about the for example just a PE portable executable from Microsoft man we have a many many hours to try explain and to try uh goes to inside this all this information right so I will try to explain more then PDF structure because basically it's it's in four main parts the header it's May baby it's basic basically it's the same when you talk about another binaries we have always you have the header right you have the Bor you have the cross reference table and you have the trailer right so here we have the all those structure in the beginning of the file you have the version number it's the

same information collected by file common do you remember when you execute the file command you can read you can read actually the uh magic number of this information you can find this information you have the body and inside this kind of body you know you have many reference inside of this body you have the cross reference table here and you can read here it's locate location of object e the file for a random axis what US what as what this the thing things means in this casee is basically one structure referring another inst structure or another object inside this bar in this case right in the trailer it's the same thing you have here uh location of the certain objects

inside the body; that is, you have many connections between these parts of this structure, right? So here I will show you one of my analyses of a PDF file, right, to try to understand. I will use basically here, I used pdfid; it's a very well-known tool provided by Didier Stevens, right. This is basically, I think it's installed on many Unix platforms, but you can download this from the blog website of Stevens, and you can use this on a Windows machine. Sorry, we have a problem here with my demo, let me try here. Okay, I will pause actually this demo, because here we have all this information: you have the header, you have 15 objects here, and you have the two streams, you have the one trailer, one cross-reference table here, and you have one trailer, right? So below these two we can find this information; this is a slash, right. In this information all those slashes are inside of this object. That's a very interesting point, because if you see in the man page of pdfid you can see this information, that basically this tool is responsible for printing many strings inside of the PDF, right? So here we have another interesting point: we have the encryption of the file, and you have here five JavaScripts inside this PDF,

you know. So you can think about it: what do you think, you have JavaScript inside of the PDF file, maybe it's safe or maybe it's malicious, you know? I don't talk about reverse engineering here, just trying to interpret it or to try to understand this file, right? And here you can see another piece of information: OpenAction, it's one. What does this mean in this case? OpenAction refers basically to when the user receives the file and the user clicks on the file, in this case a PDF file, and after that the file can execute something. In this case we can see here we have five JavaScripts; we just need to understand what this command represents in this case, right? So I will put, let me check here. Okay, so here I will use another platform; in this case it's pdf-parser, right, another tool created by Didier Stevens, pdf-parser, right. Oh my goodness, we have many problems here with, in this case, my finger, you know, because I am clicking the mouse, but now I will try to show here all this information, in this case, right, because I will use the video to explain. As you can see here, in this information, in the beginning we can see the header, right, and here you

can read object one. If you remember when I explained about the body, about the cross-reference table, all these parts of this PDF are connected one to another, right? So here, for example, you have object one referring to object two, three, four, five, six and seven, but you know and I know that we have 15 objects inside this file, right? So let's continue to try to understand. Here we can see, my goodness, here we can see the JavaScript, but here we can't understand what this information means, right? So we need to try to understand more. Here, as you can see, we have the OpenAction, as I explained before to you, right; the OpenAction, when the user clicks on this file, this file will run some JavaScript, but we don't know, right, what this JavaScript maybe calls, or maybe can call, right? So let's continue to understand. We have object one, and here I will put, okay, more above here: object four, we have another reference here, we have a reference to eight and a reference to nine, and we have two more references, right? So you can see here more connectivity among the many objects inside the PDF, right? So here's another interesting thing: we have object 7 connected to, or referenced by, object 10. You know, we are

growing up this PDF file, right? And here object 9, we have the same case, we have the reference to four, because four is connected to nine and eight and 11, right? So we can see many connections of the objects inside this body, right? So here we have object 10 connected to 12, and here we have one first interesting piece of information: object 11, we have "contains stream". In this case, when this object has some stream, maybe you have JavaScript inside this, or maybe you can have some exploit inside this, and you have this information, FlateDecode; it means these streams are enclosed inside this FlateDecode; you need to decode this information, by the way. So here another piece of information is: you have object 12, it's connected to 13, and if you compare here, this stream is much bigger than the others that we saw earlier, right? If you compare this stream, the size is very, very high, right, when you compare here. So maybe the idea is to try to look at all the information inside this object, right? We have here object 14 and here 15, and the file finishes, right? So the next step is to try to look inside object 13, right?

So in this case I will use another tool, pdftk; in this case this tool is not from Didier Stevens, by the way. So I will run the dump of this information, and the key option is "uncompress", because I will uncompress all this information inside this PDF, right, because, you remember, I ran pdf-parser and I could read all that information, and here I can uncompress because I know inside of this stream we have FlateDecode information. So now I am seeing here the JavaScript, obfuscated. In this case the attacker used the first technique, the obfuscation technique, right, because I can see the eval parameters and I can try to find any information inside this obfuscated code, right? So here I will use Nano; you know, I could use vi maybe, or another tool, to edit all this information, and I will just change any information here. You can see a lot of information in JavaScript, so here we can find, or you can try to read, any information, because if you imagine, for example, we're going to talk about JavaScript: JavaScript usually, you know, follows an application, you have an application page maybe. So because of this I will try to deobfuscate this kind of code; so because I have here the parameter, I use in the script HTML, I'm using the

document, right, to try to read any information inside of this code, right? So I generate payload.html and I will try to read if I find, for example, any information inside of this obfuscated JavaScript, right? So basically I will run this code in an HTML page, and take a look at what the interesting information that we find here is: the variable "payload". Do you know what this means? It's basically the packer, not the packer, the package responsible for downloading onto the victim machine, and this package is responsible for responding with this information to the attacker server, right? It's known, the name, it's a C2, or command and control, right? So take a look: in the first step we found the PDF file, and in this PDF file we have five JavaScripts, but one of these is the bigger JavaScript, and this JavaScript received the obfuscation technique, right? And after that I needed to change all this information, I needed to deobfuscate this code, and when I execute the information in an HTML page I can find the payload responsible for loading on the victim machine. So if you remember, in the beginning of this analysis, when the user, maybe the victim in this case, clicks on the file, do you remember the OpenAction? The next action of this file is to execute

this JavaScript; in this case it's, you know, obfuscated. So when the user, or the victim, clicks on this file, this script, the JavaScript, will run on the victim machine and will download this payload that you can see on the screen onto the victim machine, right? So in this case I was thinking, when I was doing this analysis: if I have the payload, maybe I can try to find the C2 of the attacker, right? So I will continue to do my analysis in this case. So I have here some information inside this payload, right? So here I will use again my big friend Nano; maybe many people don't like this friend, but you know, in my case it's simple; oh, I could use again vim or vi, another text editor. So if you see here, we have very many percent signs inside of this information here. When I look at all those percents, all this information, I can note, I can see here the interesting information: in this case here we have a %u, based on Unicode, you know. This information is a little different when you talk about ASCII; ASCII means one byte, when you talk about Unicode

you use then two bytes, right? So here I have the raw data of this Unicode, right? So now I need to translate all this information. So I had the payload package, but when I see it I see another technique, the encoding technique, right? So this payload uses a, sorry, it uses a Unicode encoding, right? I know it's maybe confusing, but take a look at this: I have a payload package, I have information, all this information received an encoding technique, and this encoding technique is based on Unicode, right? So basically, as you can see here, I'm just using the Unix platform, but maybe you can ask, "but I use just Windows"; not a problem, you don't need to have a concern in this case, right? So here I use another platform, Malzilla by bobby; it's a similar platform. I have here the same code. I need to cut, do you remember, I need to cut this percent, because I need to have the raw Unicode information, right, the Unicode, right? So here I have the Unicode information and I can generate here the EXE file binary; this tool is responsible for generating this kind of information. After that I used another

piece of information, another tool created by Didier Stevens, XORSearch, against the executable to try to find any HTTP information, because remember, if I have the payload package, probably this package, after being downloaded onto the victim machine, probably this package will make some request to the command and control of the attacker, right? So that's my idea when I continue to do this investigation. So, as you can see here, I found the IP of the attacker; in this case the IP is based in Estonia, Europe, right. All this information from the C2, the attacker, I don't use reverse engineering basically here, but we found the JavaScript obfuscated, we found the encoding technique based on Unicode, right. We can learn about, for example, the OpenAction inside the PDF files, so we can learn about a lot of information, right? So if you have any questions I am available to you; this is my contact again, and one more time thank you, thank you for this opportunity. If you have any questions please let me know.
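The workflow the first speaker walks through (pdfid keyword counts, pdf-parser object references, inflating a FlateDecode stream, turning %u-escaped Unicode back into payload bytes with Malzilla, and searching the result with XORSearch for an HTTP address) as one added Python example. This is not code from the talk and not Didier Stevens' or Malzilla's code; it reimplements the same steps with the standard library. The sample PDF, its JavaScript and the address 203.0.113.7 (a TEST-NET documentation range) are constructed here for illustration.

```python
"""Added example, standard library only: PDF triage along the lines of the talk.
pdfid-style keyword counts, pdf-parser-style object references, inflating the
FlateDecode stream that holds the script, decoding its %uXXXX escapes into bytes
(as Malzilla does) and searching them for an HTTP address (as XORSearch does)."""
import re, zlib

SUSPICIOUS_KEYWORDS = (b"/OpenAction", b"/AA", b"/JS", b"/JavaScript", b"/Launch", b"/EmbeddedFile", b"/ObjStm")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")
UESC_RE = re.compile(r"%u([0-9a-fA-F]{4})")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_?=&%-]+")

def keyword_counts(pdf: bytes) -> dict:
    """What pdfid prints: object and stream counts plus suspicious name keywords."""
    counts = {"obj": len(re.findall(rb"\b\d+\s+\d+\s+obj\b", pdf)),
              "stream": len(STREAM_RE.findall(pdf))}
    for kw in SUSPICIOUS_KEYWORDS:  # a name ends at a non-alphanumeric, so /JS is not /JSx
        counts[kw.decode()] = len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", pdf))
    return counts

def parse_objects(pdf: bytes) -> dict:
    """Object number -> (dictionary bytes, inflated stream bytes or None); objects are
    found by scanning 'N G obj ... endobj', not the xref table, which malware often breaks."""
    objects = {}
    for num, _gen, body in OBJ_RE.findall(pdf):
        m = STREAM_RE.search(body)
        head, data = (body[: m.start()], m.group(1)) if m else (body, None)
        if data is not None and b"/FlateDecode" in head:  # the 'contains stream' case
            data = zlib.decompress(data)
        objects[int(num)] = (head, data)
    return objects

def references(head: bytes) -> list:
    """Indirect references ('N 0 R') in one object's dictionary, in order."""
    return [int(n) for n in REF_RE.findall(head)]

def open_action_script(objects: dict):
    """Follow /OpenAction -> action object -> /JS -> stream object, as pdf-parser shows."""
    for head, _ in objects.values():
        m = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", head)
        ref = m and re.search(rb"/JS\s+(\d+)\s+\d+\s+R", objects.get(int(m.group(1)), (b"", None))[0])
        if ref:
            return objects[int(ref.group(1))][1].decode("latin-1")
    return None

def decode_unicode_escapes(text: str) -> bytes:
    """%uXXXX -> raw bytes, low byte first: unescape() yields UTF-16 code units, so a
    sprayed '%u4142' sits in memory as 42 41 (what Malzilla's UCS2 decoding does)."""
    out = bytearray()
    for quad in UESC_RE.findall(text):
        unit = int(quad, 16)
        out += bytes((unit & 0xFF, unit >> 8))
    return bytes(out)

def find_urls(data: bytes) -> list:
    """Plain-text http(s) addresses in the decoded payload (the XORSearch step)."""
    return [u.decode() for u in URL_RE.findall(data)]

def triage(pdf: bytes) -> dict:
    objects = parse_objects(pdf)
    script = open_action_script(objects)
    payload = decode_unicode_escapes(script) if script else b""
    return {"keywords": keyword_counts(pdf), "script": script, "payload": payload,
            "graph": {n: references(h) for n, (h, _) in objects.items()}, "urls": find_urls(payload)}

# Constructed sample, not a real specimen; 203.0.113.7 is a TEST-NET documentation address.
C2_URL = b"http://203.0.113.7/gate.php"
PAYLOAD = b"MZ\x90\x00" + b"\x00" * 4 + C2_URL + b"\x00"  # stand-in for a dropped EXE

def to_unicode_escapes(data: bytes) -> str:
    """Inverse of decode_unicode_escapes; only used to build the sample script."""
    data += b"\x00" * (len(data) % 2)
    return "".join("%%u%02x%02x" % (data[i + 1], data[i]) for i in range(0, len(data), 2))

SAMPLE_JS = ('var p = unescape("' + to_unicode_escapes(PAYLOAD) + '");\n'
             "var spray = []; for (var i = 0; i < 64; i++) spray.push(p);\n"
             "eval(\"app.alert('document loaded')\");\n").encode()

def build_sample_pdf() -> bytes:
    """Minimal PDF: catalog /OpenAction -> JavaScript action -> FlateDecode stream."""
    packed = zlib.compress(SAMPLE_JS)
    bodies = [b"<< /Type /Catalog /Pages 4 0 R /OpenAction 2 0 R >>",
              b"<< /S /JavaScript /JS 3 0 R >>",
              b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream",
              b"<< /Type /Pages /Kids [] /Count 0 >>"]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(bodies, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    startxref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(bodies) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(bodies) + 1, startxref)
    return bytes(out)

if __name__ == "__main__":
    r = triage(build_sample_pdf())
    print(r["keywords"], r["graph"], r["urls"], sep="\n")
```

Running it prints the pdfid-style counts (one /OpenAction, one /JS, one /JavaScript), the reference graph (object 1 points at 4 and 2, object 2 at the stream object 3) and the address carved from the decoded payload. Objects are located by scanning for `obj ... endobj` rather than trusting the xref table, because a malicious file's xref is frequently wrong on purpose; the `%u` decoding writes the low byte first, which is the order the bytes take in memory after `unescape()` and the order a carved executable needs.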

Hello everybody, welcome to Threat Hunting: Where Evil Hides. My name is Amberly Reynolds and I'm going to be your panelist for today. If you'd like to get in touch with me after the panel, or if you have any questions or concerns about the content you've seen here today, you can find me on Twitter at @threadology. Let's go ahead and get started. To start off with, briefly, here's just a little bit about me. You can see some of the alphabet soup there behind my name. I have a pretty standard background in IT and cyber security. I was a former SOC analyst; I jokingly say recovering SOC analyst, but I am not in fact recovering. Being a SOC analyst actually gives you a great background as a threat hunter, because you have a chance to see what's coming in on the front lines of your enterprise. You can see all of the incoming malware attachments, you can see all of the incoming phishing attempts, and all of the different things that users see on a daily basis. It gives you a really good idea of not only what to look for but how to look for it. I have a particular interest as a threat hunter in malware analysis and reversing; I'm very passionate about it. You'll notice that I also perform root cause analysis; if you saw my Twitter handle on the first page you may have caught that threadology is

a portmanteau of threat and etymology, finding the root cause of threats. I thought that was rather clever. In my free time I am a semi-professional musician in a symphony, I also spend time riding around on a motorcycle, I do in fact dance with fire, safely I might add, and I do make very terrible jokes, most of which you can see on my Twitter. So here is just a little bit of what I'd like to cover in today's panel. You'll notice there's quite a bit to cover with each of these different categories. I opted not to go into very specific details, simply because it would take a little bit more time than I have today, and also because I'd like you to be able to use this content and the examples to build your own use cases and your own SIEM content for your enterprise, which will be mostly dependent on the circumstances that you have. So let's go ahead and get started. We'll start off with a little bit of threat hunting: what it is and what it is not. I will assume that everybody watching this panel has a fair idea of what threat hunting is, but there are a couple of things that I wanted to emphasize for those who perhaps may not know what threat hunting is, or those who may wish to become threat hunters. So I found this great quote on the SANS site, and if you haven't been to the SANS site I highly recommend that you go and visit them, whether you're a threat hunter, a SOC analyst, a forensic analyst or an incident responder, as they have a lot of free resources that you can use to really enhance your knowledge base.

The reason I put this up here is simply to emphasize that threat hunters are not reactive; they're actually incredibly proactive. We threat hunters are searching for things that security appliances and monitoring don't catch, whether that's because of misconfigurations, or perhaps a lack of signatures, or even signatures that do exist but may not be written to look specifically for the things that you are hunting for. That's what threat hunters do on a daily basis. Here's a panel from CrowdStrike showing where threat hunters will tend to sit in your organization. Now this is showing you the SOC at large in general, rather than SOC analysts as we traditionally think of them. Threat hunters will act alongside your analysts; they'll probably be looking at the same sorts of logs that SOC analysts do, they'll simply be parsing them in a different way and looking for different things. Another thing that I wanted to just mention as an aside is that threat hunters will typically not be the people who triage incidents. They're not generally the people who are hands on a keyboard, face at the monitor, looking for incidents that are already coming in from your security appliances. They'll tend to be creating their own content, creating their own dashboards from those same logs, and looking for patterns that point to specific artifacts or behaviors. Here's a slightly different view of what threat hunters will tend to

be doing on a daily basis. We have here an artifact pyramid, or an IOC pyramid. The things that are on the bottom are still very important, don't get me wrong; threat hunters will certainly use domain names, IP addresses and hash values in their daily hunts, they simply won't focus on looking for the presence of those in your environment. Those sorts of things tend to be better suited for endpoint and network protections or security monitoring appliances. Threat hunters are going to tend to focus on things that humans are better at finding: TTPs, or tactics, techniques and procedures, the tools that are used by threat actors, as well as network and host artifacts that standard security monitoring appliances may or may not be able to find. Now I know that there are things like AI and machine learning that are definitely working towards finding these on a regular basis and making analysts' lives easier, but for now it is still easier for humans to be able to find these in conjunction with their machine counterparts. Here's just a small example of what a threat hunter might be looking at on a daily basis, and this is a generic sort of Splunk search; this isn't particular to any sort of organization. You can see here that this is a sampling of web gateway traffic, and there will be a ton of these logs in your organization. You'll notice here that I've outlined in a red rectangle a source.hpg domain, and the reason I boxed this is because this is something threat hunters will look for, which is a pattern that attempts to look like a URL, spoofing, that happens to have a typo in it. Typosquatting and typographing are very common things for attackers to do

when attempting to, say, phish for somebody's credentials, or host a website that looks pretty close to the original and host malware on it. So these are the sorts of things that threat hunters will look for that machines may or may not be able to catch currently. And last but not least, before we leave this section, I wanted to show you guys this really accurate quote from Malware Jake; you can find him on Twitter at the link you see on the screen. "Every threat hunt is like Schrödinger's network." This is actually incredibly true: you don't really know what's inside your logs until you actually do look inside your logs, and when you do, you may find that it's a little more like Pandora's box than Schrödinger's network. Moving on to threat hunting research and threat modeling. When you first start setting up your threat hunting team, or if you're trying to become a threat hunter, one of the first things that you'll do is a lot of research. It's taking in and ingesting a lot of data and then organizing it in a very specific way, both for you to be able to understand it and for other people to also be able to understand the information that you're presenting to them. So this first slide that I have here is simply how I, as a threat hunter, tend to organize my threat hunts. I create theories and predictions

based on what sort of behaviors or artifacts I think I'm going to find in my environment, and they tend to fall into two different categories. These are threat agents, which are the actual attacks themselves, or threat actors, the people and machines that are actually performing the attacks. So you can look for attacks without worrying about attribution, who's behind it; so I can look for, say, a pattern of different subject names for a phishing campaign. Or I can look for a threat actor: if I have a particular APT, an advanced persistent threat group, that displays certain behaviors repeatedly, then I don't have to worry about simply looking for the attacks, I can look for artifacts that are specific to this one group. Another thing that you'll want to research is what is important to your company, or, in the case of your home network, what is important to your family. These are generally called the crown jewels: the pieces of information that are most valuable to you and would cause the most impact to you were attackers able to get into your network and get a hold of that information. Not everything in your network is going to be considered crown jewels; you won't need to defend or hunt everything equally. Some systems will have more importance to you than others, and it's very important as you threat hunt to identify these systems, not just to be able to threat hunt around them but also to get an idea of what the attackers are going to be after. Attackers generally aren't going to go looking for everything in your network; it simply takes too long. They're going to go for the most valuable things they can find, smash and grab, and then leave your network. So if you know what they're looking for, you know where to look for

it. Once you've gotten a bit of research together on the different sorts of attacks, and maybe the different sorts of threat actors that you want to research and hunt for, you'll want to organize that knowledge; thus we have threat models. It's just a way of making all of the research and information you've put together make sense, both to you and to the people that you're going to report to. There are many different threat models; some companies even have their own proprietary model, Microsoft has one of theirs, but the ones that you see here are fairly common. You'll see the diamond model up in the top; in the lower left corner many of you are probably familiar with the cyber kill chain from Lockheed Martin; in the lower right is the OODA loop, the observe, orient, decide and act from military applications; and in the upper right corner I put simply the text MITRE ATT&CK, and that is because the MITRE ATT&CK framework is so large it won't even fit on its own slide, because they now have multiple spreadsheets that cover the MITRE ATT&CK framework. Incidentally, if you haven't ever been to the MITRE website, I highly recommend that you go and have a look at it; there is a ton of information that's very helpful to you both as a SOC analyst and as a threat hunter, and I'll provide the link for you in a later

slide. In fact, speaking of a later slide, here it is. These are some of the reference resources that I use when I'm gathering intel, both on attacks and threat actors. I've divided it here into two different columns for you: the commercial and licensed set, which you generally have to pay for to get a license, and then the free versions. And I will say here that free does not necessarily mean bad; this isn't quite a case of you get what you pay for, because many of these free resources are actually fantastic as far as providing you information, especially the links here that are about the APT groups; it's valuable information for threat hunters. I also encourage you to look at social media, because there are threat hunters there who network and share all sorts of information freely with the public. You can also look at vendor blog posts, because they also contain information that the vendor is allowing the public to see freely, to help not only increase knowledge but to increase all of our security. And with that, let's go ahead and take a dive into some of the different artifacts that you can find threat hunting in your network traffic. One of the first things that you'll want to do in your enterprise is to baseline normal, and what I mean by this is that you need to know, in your environment, what is considered normal behavior for both your users and your machines, and what is not normal. Of course you can't find evil unless you know what is evil and what is not, and you may need to coordinate with some of the other departments and personnel in your enterprise to be able to know what is normal. It's good to be in touch with

server owners and users of all different departments, and in all different areas of your company, to be able to know what they do on a daily basis, so that you know, as you see here on this graph, that a severe drop in traffic, I'd say, is not a normal thing to see. That may end up being an outage due to maintenance, or it could be because there are attackers in your network who have taken out one of your security appliances; it's definitely good to investigate either way. Now I know that I mentioned earlier that threat hunters don't tend to focus on the presence of IP addresses in your environment, and in a general sense that's very true. What I mean here by known evil IP addresses is that sometimes security appliances do fail, or sometimes they're misconfigured. So if you happen to see quite a few machines in your environment suddenly attempting to reach out to known evil IP addresses, like you see here in this AlienVault threat feed for malware command and control servers, you'll probably want to have a deeper look at it. Even if the traffic is blocked by your security appliances and your monitoring, that still may indicate the presence of an infection on one of your machines, or maybe multiple machines, so it's definitely worth having a look and ruling out something more nefarious. Similar to known evil IP addresses, I've listed a set of known

evil ports for you, and I don't mean to say that all of these ports, if seen, are automatically evil. Some of the software that you see here can be used for both good and evil; in some of these cases, though, especially recently, they've been seen to be used by malware for C2 purposes, and that's why I've got them listed here. If you don't use these pieces of software in your network, I highly recommend that if you see this activity in your environment you take a closer look. Some of these ports, like 1337 or 6969, to the best of my knowledge don't have common software associated with them and thus should always be investigated. Similarly, 4444 is a well-known Metasploit port; generally that won't be used in enterprise environments either, unless you have a red team or pen testing team present. Some of these others may be very commonly used, like 3389 for RDP; however, if you have external traffic coming inbound to your network on RDP and it's not from a known system, I'd highly recommend that you investigate it promptly. I found this really neat article on Splunk's site called "Hunting Your DNS Dragons", and you can actually find it on their site by Googling that phrase. They've provided a fun search here with a dashboard, and let me explain what the graph is showing. You have on the bottom variance in beacon time; this is simply the difference in time between packets. The

count is simply showing you the number of packets that are sent, and that's on the left hand side. So what you ultimately want to look for is a high number of packets, or a high count, with a low variance, or change, in the time between packets. This would represent beaconing behavior. And there are some legitimate sites that will appear to beacon, and these can be things like heartbeats if you're sitting on a news site, or ad sites, especially if they sell slots to different advertisers; when the ads change you may see very consistent traffic that looks like beaconing but actually ends up being legitimate. Note that I did not necessarily say benign, just legitimate, but it's still worth a look to ensure that it's not to a malicious site. Another way that you can look for beaconing is to look for consistent packet size. This is actually a screenshot from Active Countermeasures, and it's showing DNS traffic with an identical packet size all the way across the session. This is highly unusual; you probably won't see such identical packet sizes in a session, and this can also be indicative of tunneling or exfiltration. With consistent packet size you don't necessarily have to worry about time between packets, so malware that attempts to sleep, or attempts to increase and decrease its jitter widely, can still be spotted using this technique. So I think it's worth looking

at. The next type of threat hunting use cases I'd like to look at involve web traffic, so let's go. Similar to looking for unusual ports in network traffic, you can also look for unusual ports in web traffic. Now generally this will be a smaller set of ports, so this can be a little bit easier to look through. Remember that I said at the beginning of the network module that you need to baseline normal; that still applies here and in every other module that I'll be talking about today. I'm not going to repeat that slide for each module, because, let's face it, that's going to get old very quickly. What I wanted to show you here is that there is traffic being shown to a port that's not normally used for HTTP, and as part of the baselining you'll need to know if your enterprise uses any alternate ports for HTTP or HTTPS, such as 8080 or 8443. Once you've eliminated ports that you normally use for HTTP traffic, you'll want to investigate anything that's left, such as the one that is highlighted here. If your web gateway logs happen to keep user agent strings, you can also hunt through these as well to see what sort of traffic is going in and out of your network. Here I've got a bad user agent list, and what this is is simply a list of different user agents that are associated with scanners, sweepers, scrapers and bots of all sorts, generally things that you may not want to be

gathering information about your network, and you can find several of these lists on GitHub and the internet at large; this isn't the only one. You can block these if you have that capability via your web gateway, but it's also good not just to look at the traffic coming inbound to your network but the traffic going outbound from your network, because you can also hide things, including code, in your user agent strings. Now this won't necessarily work 100% of the time, because user agent strings can be spoofed, they can be changed by the attacker, so it's not a catch-all, but it is definitely worth a look through to see if you happen to see any low-hanging fruit. Similar to beaconing with network traffic, you can also look for beaconing in HTTP traffic. This may indicate that exfiltration is taking place in your network, or that there's a malware infection. The same sort of criteria apply: looking for similarly sized packets, looking for packets that are sent consistently with very little variance between them, and/or a high number of packets being sent to the same place. This example that you see here on the screen happens to be a timing example, where the packets are sent exactly 1 second apart, all to the same website, and if you happen to see this it may indicate something is going on, or it may simply indicate a heartbeat, but I

think that it is definitely worth having a look at just to make sure that it's benign. Known evil URIs and URLs: now here I'm not necessarily referring to entire URLs that are known evil, that point to very specific malware downloads or phishing sites; here I'm actually referring more to a pattern. You can see what I've got highlighted here in the CnC section is gate.php. The reason I highlighted that is because ZLoader, this particular piece of malware here, likes to use URLs that end in gate.php. So if you happen to see any URL in your environment that ends in gate.php, and it's not something that you use for your environment, you'll probably want to have your SOC analysts take a look at that person's web gateway traffic to see if perhaps that system is infected, and maybe initiate an AV scan just to be safe. So if you see patterns like this you can use those to pivot and perhaps look for other infections in your environment. Now I promise this is not a Splunk presentation; I just happen to find a lot of really cool stuff on their site, and this is another use case that you can implement in your environment: using entropy to search your URLs. Entropy is simply how random a URL is; what it's telling you is whether it's likely that a human created this particular domain or whether a machine

might have created it. Like many of the artifacts here, it's not 100%; for example, CloudFront, a content service provider, tends to have a lot of what look like machine-created subdomains. That doesn't necessarily make them evil, but it does increase the entropy of those. And here you can see a search implemented in Splunk that shows the domains that are coming out of your web gateway traffic, and the level of entropy, or randomness, as represented by ut_shannon, for each of those different domains. The higher the ut_shannon score, the higher the entropy or randomness; so the higher the score, the more suspicious a domain will look, and the more likely that you should give it a second glance. Known evil top level domains: these tend to be domains where a lot of phishing sites or sites hosting malware have been reported by users. It has nothing to do with the origin country of where they come from; it's simply that these sites have been reported to host bad domains. This particular list is from Spamhaus, that's H-A-U-S, and there are more than 10 on the list; I believe there are actually 25 on the list, and they do keep it updated, so it may be worth having a look. And if your company does not host any websites in any of these domains, and your clients also do not host any websites in any of these domains, you may

wish to block them and monitor in case any of your users attempt to visit them because again even if they're blocked and attempt to reach one of these May indicate infection if you remember earlier in the presentation I mentioned looking for packets that are of identical size in this case I'm showing a set of DNS queries that have much larger than normal packets and this can also indicate exfiltration DNS queries will tend to be fairly consistent in your environment so if you happen to see like this graph shows packets that have very long queries or very long responses not only can It indicate exfiltration but it can also indicate malware C2 commands running back and forth into your

environment which is generally not desirable so anytime that you see excessively large packets especially in protocols like HTTP or DNS I think you should definitely investigate it here's one of the more fun use cases I think I've developed workstation metadata in post strings this one I actually developed while studying trickbot and what trickbot and other malware occasionally do is they will exfiltrate or send out metadata about the machines that they have infected in the actual URL itself that it sends out in this case it is a post request and you can see the area that I've marked with a purple rectangle here the center portion of that URL actually contains a Workstation name it starts with DYI T

and it shows the operating system that's currently running along with the architecture and the host name this is pretty general information to be sending out of your environment to be fair somebody knowing the host name of one of your machines may not necessarily be able to do anything with that information but the reason I list it here is because it can also be an indicator of infection and I think if you see this in your environment you'll probably want to notify your CT

This is a little bit more esoteric of a use case, but if you do happen to get MIME type or content type within your web gateway logs, then you can compare the reported content type to the actual file extension that's being provided. Here in this screenshot you can see that file.php is definitely not a JPEG image file, so that's another way that you can look for potential malware coming into your environment.

Another thing that you can hunt for in your web gateway logs, as referenced here by the ineffable Mr. Troy Hunt: HTTP downgrade attacks. So if you happen to see traffic in your web gateway that starts off as HTTPS and then suddenly changes to HTTP, you may want to have your analysts have a second look at that traffic just to make sure that you haven't suffered a man in the middle. If you have HTTP to HTTPS traffic, that can be legitimate and normal if a website is redirecting to its more secure counterpart; however, HTTPS to HTTP can be unusual.

And now let's move from the network onto the endpoints. Let's start with endpoint files. Now, the processes that you're going to see in this module are going to be Windows focused, because I tend to be a much more comfortable person in Windows rather than Linux environments, but the same concepts apply. That said, if you'll look at the left-hand column, can you guys tell which process is misspelled? That's right, it's svhost.exe; it's missing the C. It's very common for attackers to name their processes similar to existing system processes to make them seem more legitimate. Another thing that they can do is place them into a folder that also seems legitimate, such as System32. Can you tell which of the processes on the right is in the wrong location? That's right, it's explorer.exe, which is normally in the C:\Windows folder, not in System32.

Another use case I've had success with is looking for executables that are running from user-writable locations. In this case I'm referring to a user with standard permissions and not an administrator, who can write to many more folders, but generally users can write to C:\ProgramData, any user folders like C:\Users\<insert username here>\Documents, Downloads and Pictures, and also the AppData folder, and this includes both the Local and Roaming folders. Malware likes to install itself here because all users have access to them, so it's a good place to hunt for malware.

Unusual or uncommon file extensions. Now, this will also require baselining, or knowing what sorts of files are common in your environment. For example, if your administrators tend to run PowerShell scripts for server maintenance, then you'll have PS1 files in your environment, but if you don't allow that in your environment and you suddenly see a PS1 file appear, it can be indicative of the presence of an attacker. Here I've shown an IQY file, which is an internet query file that's normally associated with Microsoft Excel. This sort of file is generally not very common in enterprise environments, and its presence is definitely suspicious in my opinion. At the bottom of this slide I've included a few different file extensions that are typically considered uncommon and so should probably merit a second look, in my opinion, if you see them in your environment.

This one is also a little esoteric: files with unusual department locations. What I mean by that is if you happen to have an invoice file, say invoice.doc, and it's located on a system for a user that doesn't typically handle invoices, that can be highly suspicious. It means generally that the person has probably opened an email that had either an attachment or a link in it. Now, this can be a little bit more difficult to hunt for, so what you'll probably end up doing is stumbling upon it as you're looking through various lists of files while you're doing a different investigation. That doesn't make it any less valid, though, so if you happen upon a file that doesn't appear to relate to the user on whose machine it is currently sitting, then you may want to give it another look.

Bonus fun: if you happen to work for an enterprise that takes in customer service requests from external users like clients, or even just visitors to your website, this can be a fantastic place to hunt for malicious attachments and malicious links, especially if your enterprise doesn't limit the type of files that can be uploaded or the type of text that can be submitted in the description area. I will caution, though, that you should be very careful if clicking on these links or opening these attachments; please always do so in an isolated sandbox wherever possible. Otherwise, have fun hunting, because you can find plenty of stuff submitted from the outside, since bots can also post to these forms.

And from files let's move over into endpoint processes. If you don't happen to recognize this poster, this is the venerable SANS Hunt Evil poster, and you can download it for free from their website along with a bunch of other posters and resources. Now, granted, if you want the poster version, those come with the courses, but you don't have to take a SANS course to download a version of this poster that you can definitely use. What it does is it describes most basic Windows system processes and, more importantly in my book, it describes the parent-child relationship between those different processes. So you'll know that wininit.exe is supposed to spawn an instance of services.exe; if you were to see services.exe spawning smss.exe, you would be able to look at this poster and know that that's not supposed to happen and it may be a spoofed process. So it's important to know the parent-child relationship for these different processes, so that you know what is supposed to spawn in a chain and what is not, and if you see something that is not, say something.

This goes along with what I mentioned earlier about executables running from user-writable folders: oddly named processes, especially in these user-writable locations, definitely tend to stand out if you happen to be looking at a live image of that machine. You can see here that I've highlighted in red an executable that is clearly not human-named. Malware authors don't always necessarily take the time to name their things something legitimate, especially if they're in a hurry, so this can be a very red flag, as it were, to identify that there is something going on on that system that should probably be handed over to your security team. So if you happen to see anything like this, I would consider it very suspicious.

This one many users may recognize as the install location for the Google Update application, and it shows up whenever you install Google Chrome. Google helpfully lists, and you can see it on this slide, the locations where this executable is supposed to reside. Google Update is actually a very popular program for malware authors to spoof; they like to call their program GoogleUpdate.exe, but they will place it in a folder that is not one of the three that you see listed here. So, for example, they might throw it in C:\ProgramData\GoogleUpdate.exe or, worse, if your user is an administrator, they may try and throw it in C:\Windows\GoogleUpdate.exe. If you happen to see an executable like that in a location where you know it doesn't belong, it definitely should be investigated, in my opinion.

This one is actually probably my favorite as a malware analyst: processes that are launching cmd.exe or conhost, the console host executable, as children. This particular example is showing a PDF in Foxit Reader. Generally PDFs are not going to launch command prompt windows or console host windows; if you happen to see a PDF that is doing this, it can be an indicator of infection. And that pretty much goes for any sort of Office document or email; any program that your average user might use that doesn't normally perform this behavior and isn't purposefully running a batch script will show up as having a cmd.exe child, and should ring alarm bells in your environment.

This one is also popular with malware: processes requesting elevation or, worse, self-elevating without asking the user at all, and that would occur if you don't have UAC, User Account Control, turned on. Any time that you see a program requesting elevation like this where the user did not explicitly choose Run as administrator, then this is definitely a red flag in my opinion. Programs generally will not ask to self-elevate unless they have been tampered with or if the user has explicitly asked it to do so.

This one I actually just recently learned about, and I admit it blew my mind that notepad.exe can actually connect to the internet; I did not know that. And so I give you this use case: processes initiating network connections that don't normally do so. Now, this particular example actually has a couple of different things wrong with it, and if you combine the knowledge that we've discussed from this module and previous modules, you can see here that the bottom entry there, notepad.exe, is located in the wrong place: it is not in System32, it is actually in a user-writable location, even though it is called notepad.exe. You may also notice that there on the left the icon with notepad.exe appears to be hand-drawn; I can't really tell what they were going for with the red dot and the semicircle over it, but we'll set that aside for now. The other important thing to see is boxed in on the right in red: you can see that there were two network connections initiated by notepad.exe. Notepad does not regularly do this; you actually have to take a very specific set of steps to make Notepad connect to the internet. Since it does not regularly do this, any time you see it attempting a network connection is suspicious. And this is of course for notepad.exe, the built-in executable, and not Notepad++, which does connect to the internet to check for updates.

And from files and processes we will move over to registry hives. Now, many people who have had a chance to look at malware know that the Run and RunOnce keys tend to be the most common for malware to use whenever they want to establish persistence, so this is one of the best places that you can look for artifacts surrounding malware and persistent programs. They'll tend not to use RunOnce unless they are changing to a different registry key or if they're trying to establish fileless persistence, because it will only, like the name indicates, run once. The Run key indicates that it will run each time your system boots up. Now, there are more than two keys in the registry that can be used to establish persistence; it's not limited just to the Run and RunOnce keys, and here I wanted to introduce you to the magnificent blog by Hexacorn, and the link is here on the slide for you. The blog series is called "Beyond the good old Run key," and I believe there's something like 150 entries now, each one dedicated to a different section of the registry showing where a program can establish persistence beyond the Run and RunOnce keys. It's terrifying to read in a way, because it just shows how many different ways there are to establish persistence that the average user might not even think of, so it's a great read and I highly recommend it.

There are also debugger keys for each different type of process. This can be used in two different ways: it can be used by malware to run malware whenever you're trying to launch a legitimate program, like in this example, taskmgr.exe. If you were to click on taskmgr.exe, per the Debugger key that you see here on the screen, it would not run Task Manager; it would in fact run Process Explorer instead. So malware can use that to launch a different process. Alternatively, it can take a security program's key, such as Windows Defender, and you can tell it, instead of running Windows Defender, to run svchost.exe instead, which means that your security program will no longer function as it normally would. So malware can use it both to run itself and to disable your security applications; both are indicative of suspicious behavior.

A slightly different use case for you here: you can look for excessively long registry keys. This may be a little difficult to look for if you don't keep registry key data in your SIEM, but if you have this capability, looking for registry keys that are excessively long, such as the one shown here in the screenshot, can indicate the presence of code or a script that has been injected into the registry by malware, doubly so if, like the screenshot here, it is Base64 encoded. It's generally not common to have such a long registry key, especially one that doesn't point to, say, a file location or a CLSID; something like this is definitely indicative that something is wrong.

Let's quickly move over to threat hunting through emails. Since email hunting tends to be a lot like web gateway hunting, I'm not really going to go into detail here about it, but I will tell you that as a threat hunter these are the three primary things that I hunt for when I am looking through email logs. Subject lines and attachment names both kind of go together, in that if you see the set of phrases that I've put down here at the bottom of the slide, any time that you see invoice, receipt, payment, document, proposal, inquiry in either the subject line or as an attachment, and generally these will be Office-type documents, so Word documents, Excel files, PowerPoint presentations and occasionally zip files, if you see those keywords and it's not from a client or a prospective client that you were expecting communications from, you probably want to have a second look at that email and also caution users not to open it, as malware authors like to use this quite a bit to either phish the targets or deliver malware to their systems. The other thing that I look for are URLs within the email itself; the links contained within these can be investigated independent of the emails that they are part of, and it works very similarly to web gateway log research. It can be very, very fun.

Threat hunting in terms of timing. Now, when I say timing, I mean the time that the behavior takes place. So, for example, as on this slide, if you have a dip in traffic or a spike in traffic outside of your normal business hours; say that you have an enterprise that is open primarily from 8:00 a.m. until 5:00 p.m. your local time. If I suddenly had a spike in traffic at 2:00 a.m., I'd definitely want to have a second look at it and make sure that there wasn't a user, say, traveling out of state or out of country who was trying to get some work done in a different time zone while they were traveling. Some of these may have legitimate purposes or benign purposes, and the only way to know is to go ahead and ask the user. Similarly, if you see a sudden dip in traffic, it can indicate either a failure or, worse, an attacker in your network that has disabled one of your monitoring appliances. Likewise, if you see traffic outside of your normal business days, it merits investigation. If you're normally only open Monday through Friday and you suddenly see a traffic spike or dip on Saturday or Sunday, and it's outside of normal scheduled maintenance or any sort of user interaction that you previously knew about, say a user gave you a heads up that they were going to be working on a presentation while they were at home on the weekend; any of those can generally discount traffic anomalies, but if you don't have any of that information, then I think you should definitely give it a second look.

And lastly, a sudden spike in a particular user or machine. This also involves, of course, baselining what is normal, so if you see particularly a sudden spike in traffic, it can indicate not only an infection but that somebody is trying to exfiltrate data on a machine. This can also indicate an insider threat; it may be an employee that has malicious intent toward the company and is trying to send out data before they are terminated. On the other hand, it can also be a legitimate use, whether benign or not; perhaps the user is trying to back up some data. It's definitely worth asking the user not only what they were doing but why they were doing it, just to rule out anything nefarious.

All right, and last but not least, threat hunter story time. These are tips and tricks and various pieces of advice that I have learned in my time as a threat hunter. Know your architecture and environment. This is very important to threat hunting because it helps you rule out false positives. It can also help when you trace the traffic flow in your environment; you can tell where changes may need to be made so that you can either detect better or detect at all in some cases.

So many logs. As a threat hunter you're going to look through tons of logs, so many logs from so many different sources, and one of the best things that you can do is determine what is the best way for you to parse that information. For me, it happens to be graphics-based dashboards; it's much easier for me to look at a picture and know what's going on very quickly than it is for me to look at, like this slide, a table full of text. But that may not work for everybody, so figure out what works best for you in terms of your threat hunting style, and then make the logs fit into the format that works.

Actually finding stuff can be terrifying. We have actually found things in our environment here where I work; this particular example is not one of them, this is actually a PowerShell script from the Turla APT, and it can definitely be terrifying if you see something like this in your environment that indicates the presence of an attacker, for who knows how long they've been in there. But something important to remember is that it's not on you personally. You did not cause this APT to be present; as far as I know, you did not invite them in. If you did, then your company may wish to have a chat with you, but don't take it personally when you find things like this in your environment. And also don't take it personally if you don't find them in your environment. I know I've been frustrated quite a few times when I find out after the fact that our penetration testing team has done some testing in our environment and I did not see any trace of them, and it makes me feel like I am personally a failure because I did not catch them and it's my job to catch them. It's a learning experience. Coordinate with your penetration testing team; ask them how did you do this, what sorts of techniques did you use, so that you can write better content and catch them next time. The whole point of this is for everyone to work together and make better security.

Always be reading. This is one of the best pieces of advice that I can give threat hunters, whether new threat hunters just starting on the job or experienced threat hunters: find the sources that appeal to you, whether it's blogs, it's social media, it's vendor posts, whichever works for you, and read constantly. Keep up on who the latest threat actors are, what the latest attacks are, what the latest vulnerabilities are, because that's what attackers are going to go after, and all of the different updates that go on with various products. Knowing when Windows updates are coming means it's time to go and read the Microsoft blog that details all about what those updates entail, so that you know what sorts of attacks might be coming at your environment and you can plan patching around it. Well, not you as the threat hunter will plan the patching, but you'll know to prompt the people who actually take care of that.

And that is my presentation. I hope you guys enjoyed it. Again, if you have questions, I will happily take those now in the Discord chat; alternatively, you can reach out to me, I am @threadology on Twitter. Thank you so much for attending today, and I hope you guys enjoy the rest of BSides DFW.
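An added example, not part of the talk or its slides: a small Python hunt over constructed web-gateway log lines that applies four of the checks from the first talk together (the gate.php URL pattern, a watched top-level-domain list, ut_shannon-style host-name entropy with CloudFront as the known benign high-entropy case, and an HTTPS-to-HTTP downgrade for the same user and host). The entropy threshold, the placeholder TLD set (.example is reserved for documentation; the Spamhaus list is not reproduced) and the log lines are all assumptions.

```python
import math
from collections import Counter
from urllib.parse import urlparse

# Constructed sample web-gateway log lines (not real traffic): "user src_ip url", in time order.
SAMPLE_LOG = """\
alice 10.0.0.5 https://www.example.com/index.html
alice 10.0.0.5 https://d1k2j3h4g5f6e7.cloudfront.net/static/app.js
bob 10.0.0.9 http://203.0.113.7/files/gate.php
carol 10.0.0.12 http://xk9qz2v7b4n8t1.example/path
dave 10.0.0.20 https://mail.example.com/inbox
erin 10.0.0.30 https://portal.example.org/login
erin 10.0.0.30 http://portal.example.org/login
"""

# Tuning knobs: all assumed values, to be baselined against your own environment.
ENTROPY_THRESHOLD = 3.5                    # bits per character of the host name
GATE_PATTERN = "gate.php"                  # URL suffix the talk associates with Zloader C2
WATCHED_TLDS = {"example"}                 # placeholder; load the Spamhaus TLD list here
KNOWN_CDN_SUFFIXES = (".cloudfront.net",)  # CDNs whose machine-like subdomains raise entropy benignly


def shannon_entropy(text):
    """Shannon entropy in bits per character, the quantity ut_shannon reports in Splunk."""
    if not text:
        return 0.0
    length = len(text)
    return -sum((n / length) * math.log2(n / length) for n in Counter(text).values())


def parse_line(line):
    """Split one constructed log line into its three fields and pre-parse the URL."""
    user, src_ip, url = line.split(maxsplit=2)
    parsed = urlparse(url)
    return {
        "user": user,
        "src_ip": src_ip,
        "url": url,
        "scheme": parsed.scheme.lower(),
        "host": (parsed.hostname or "").lower(),
        "path": parsed.path,
    }


def hunt(log_text, entropy_threshold=ENTROPY_THRESHOLD):
    """Return one finding per log line that trips at least one of the hunts.

    Reason tags are appended in the order the checks run:
    gate_php_pattern, watched_tld, high_entropy / high_entropy_known_cdn, https_downgrade.
    """
    findings = []
    last_scheme = {}  # (user, host) -> scheme of that user's previous request to the host
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []

        # Known-evil URL pattern: the path ends in gate.php (a query string does not hide it).
        if rec["path"].lower().endswith(GATE_PATTERN):
            reasons.append("gate_php_pattern")

        # Known-evil top-level domain: only meaningful if you and your clients host nothing there.
        tld = rec["host"].rsplit(".", 1)[-1] if "." in rec["host"] else ""
        if tld in WATCHED_TLDS:
            reasons.append("watched_tld")

        # Entropy: machine-generated host names score high; CDNs are a known benign cause.
        entropy = shannon_entropy(rec["host"])
        if entropy >= entropy_threshold:
            if rec["host"].endswith(KNOWN_CDN_SUFFIXES):
                reasons.append("high_entropy_known_cdn")
            else:
                reasons.append("high_entropy")

        # Downgrade: the same user reaching the same host over HTTPS, then over plain HTTP.
        key = (rec["user"], rec["host"])
        if last_scheme.get(key) == "https" and rec["scheme"] == "http":
            reasons.append("https_downgrade")
        last_scheme[key] = rec["scheme"]

        if reasons:
            findings.append({**rec, "entropy": round(entropy, 2), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['user']:6} {f['entropy']:5.2f} {', '.join(f['reasons']):32} {f['url']}")
```

The CloudFront host scores above the threshold but is tagged separately, which is the caveat the talk makes about entropy: a high score earns a second glance, not a verdict.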

uh hello everyone uh thanks to besides DFW for having me here uh today I will be talking about automating threat hunting on the dark web and the things that surrounds it uh a little about me my name is Aur Singh goam I a security researcher I started into threat Intel 2 years back uh currently I'm doing my masters in cyber security from Georgia Tech uh this summer I did I was a resarch intern atticc UC Berkley doing research in threat intelligence towards dark website uh some of my hobbies include uh gaming hiking uh I started into lockpicking recently and I've been loving it uh I do contribute to security Community I've been a senior ta at CBR

and I also I'm also a TA at station X and I also do contribute to local security meetup groups uh so what we will talk about today uh so we'll start start with what do you mean by dark web uh how do you go on uh accessing dark web what you mean by thread hunting uh how you hunt data from the dark web how you collect data from the dark web uh also what are you gaining when you are researching on dark web what are you losing when you are not researching on the dark web we will discuss few methods of hunting on the dark web we will discuss a tool-based method what kind of tools you can use to

hunt from the dark web and we will uh discuss a human element or how humans can use to monitor dark web then we will discuss uh how you can automate this whole tool based hunting architecture and then we will discuss the overall picture so by overall picture I mean we'll discuss the steps that is taken starting from threat modeling in your organization uh till report generation for the dark web hunting part and then we will discuss a little about operational security and why you should follow obsc while doing dark web hunting uh so starting with the introduction uh I'm sure you must have seen this image a lot of time on the internet so basically there are three

parts to the web uh there's surface web deep web and the dark web uh surface web these are all the sites that are indexed by search engines like Google Bing Yahoo Etc uh these are all the s that you can directly search on any of the search engines and it will come up and you can directly access it uh Deep Web these are all the sides that are behind some kind of login system or payall system so it is basically uh all the sides uh for example uh these are these are all the sides that are behind some kind of of uh login system so you can't directly access those or you can't directly search on the uh search engines so some

of the examples include your college database where you go and search uh get your results by after logging in or your server IP addresses either you have your server hosted on Google uh digital ocean AWS Etc uh coming to the dark web which we will discuss today specifically so dark web is the part of the web that you need a special software to access and uh there are different forums and marketplac on the dark web which host different kinds of stuff that we'll talk about in the coming slides and what kind of stuffs people sell or trade on dark web uh so going a little deep into dark web so there are different organizations that offer their dark web systems some

of them are T ITP zeret freet Etc uh we will discuss specifically T because that's the popular one and majority of people use T so the basic idea of T is it's a decentralized three- layer proxy system so uh basically you your route or your traffic goes through several proxies or relas or nodes that we call in Tor and then reach to the destination so this is why it is difficult to track where the traffic is coming from and where the traffic is going I I not say it is impossible to track because there are many vulnerabilities in Tor uh but it is uh highly difficult to uh track all these things and that is why it is

popular uh and majority people use T to circumvent uh like surveillance and uh similar kind of things so basically I'm sure you must have seen uh many t uh IPS on the web here and there as you can see from the image itself uh so the Tor IPS are basically hexadecimal alpha numeric 16 character or 56 character in case in in case of Tor and in case of other organizations uh systems they are different and uh talking about t is specifically 16 character or 56 character it's based on the cryptography algorithm used behind it so 16 character is V2 address or similarly 6 56 character is V3 address so this is how T Works uh in like in CRA this is how T

Works uh moving on so there are many misconceptions about Tor or the dark web and people so starting with the first misconception is people think this is a really vast or the dark web or the tour is really big but if you compare the websites on the tour and the website on the clear web then the talking about the availability of the or the up time the clear web sites are available 24x7 but uh t t IPS or t onion links they're not available all the time uh only few uh Onan domains are available all the time but majority of them are not available so that's why it is not as vast as it seems uh another uh thing is people when

for someone who doesn't know about dark web Ator when you talk to them about this stuff they think uh the first thing that comes to them to their mind is it is the place only for cyber criminals so yes that is true cyber criminals do uh like go on tour but it is also place for good people like journalist or activists uh all Vera blowers who go on tour and they they can talk about anything without being surveilled on and that is why there are many website popular websites like Facebook NY Times uh who have their T counterpart Oran counterpart on the dark web uh and uh the last thing is people think it's illegal to access dark web but uh that's

not the case it's completely legal to access the dark web uh yes your ISP might have blocked dark web uh nodes or relays but you can circumvent it through some kind of proxy socks proxy or evpn but it is completely legal to access dark web uh and yes it is illegal when you indulge in some kind of illicit activities on the dark web uh so talking on the same uh similar lines uh as a researcher or as a person who are who is researching on the dark web there are different types of forums or different types of websites that you can focus on uh based on your organizations threat model or based on a organization's

requirement so basically uh there there are sites or forums of marketplaces like General forums where you can get all kind of all kinds of things related to your uh research uh then there comes credit card forums or dumb shops where different credit cards are being Dum so for example if you are a bank then you would want to focus on these credit card forums or dump shops where people or users or actors they dump credit cards and they try to and someone tries to buy a it and similar there Insider thread forums and so on uh these are some of the examples of uh forums uh on the dark web that I took from the wiki one of the

wiki Pages uh there are lot more others so just for example uh you can you can search for these anyal links either on Google or on Reddit or on some of the search engines on dark web itself uh so coming to the part why U like why you should care about this stuff why is it necessary to hunt on the dark of why dark web monitoring is important is as you can see there people sell a lot of stuffs on the dark web and it is really easy to get those things like you can get an SSN in $1 or you can get a credit card under a $20 uh similarly Bank details or exploits of

zero days in some amount of money so getting these things if you have money if an actor of if a person even though he doesn't have that kind of technical technical knowledge if he has that kind of money he can buy these things from the darker and I'm sure you must have heard about different uh databases or accounts like some 100,000 Zoom accounts being sold on the dark recently or some 100,000 uh FB user profiles being sold on the dark so these are all things that if you as an organization if you get to know these things before then you can avoid the risks to your organization and you can like basically you get to know

what is going on uh on your organ or how actors are uh exploiting your organization or what they are selling from your organization so that is why hunting on dark web is important and uh these type of so these are examples of how uh listings are made on the RO web so people uh so these are listings from different dark forums and marketplaces and this is how um actors they make listing and some of the other users they buy things so coming to the part of what do you mean by threat hunting uh why you should hunt on the dark web again we will talk a little about why you should care about these things and we will

discuss few examples of it so starting with what do you mean by threat hting so basically it's a practice of proactively looking for threats and by proactively I mean looking for threats or looking for uh attacks that before even happening or before the attack is happened so it's basically you search uh for you search in logs uh ioc's that indicators of compromise including domains emails Etc and uh textual data uh in case of dark web monitoring in case of dark web research uh the majority of the data is textual data because you don't know what you are looking for in those data and uh here is where your analytic uh Concepts like machine learning natural language

processing or deep learning comes into the play because you are dealing with text based data and you don't want everything that you see So based on your organization's requirement or threat model you will uh clear or you will cut down the data that you don't need and as I told you you don't know what you're looking for so that's why majority of the thing here is hypothesis based you take one use case you go for it and then you uh go for another use case and in this way you do it iteratively uh moving on so why you should why why is it important to hunt on the dark web uh again as I told you

before there are different forums Marketplace on the dark web and this is where different actors or criminals they sell their products they sell their exploits they talk about new attacks amongst each other uh they trade their exploits and if if uh you do dark monitoring or you do do dark we threat hunting uh correctly then you can identify these things before so you can identify uh actors or you can identify new attack ttps that tactics techniques and procedures about different types of attacks beforehand and this will help you uh help you to minimize risk to your organization and another thing that I would like to talk about is you can reduce different kinds of impacts if you

know about these things before. So for example, if you are a bank and you see your data being sold on the dark web, and you get to know that beforehand, then you can reduce some of the impacts like reputation loss or revenue loss, and obviously legal penalties. So these types of impacts, which will eventually happen, you can reduce. I'm talking about the dark web here because the dark web is the first place where criminals sell any data set or any type of thing from an organization, and only later it comes to

the clear web. So if you get to know these things on the dark web itself, then you can reduce these impacts. These are some recent examples, from within the last 2 to 3 months, that I will show you, and they show what you are losing if you don't research the dark web. The first example is someone selling an RCE exploit for an Australian bank; this one is from a Pastebin-like site where an actor is talking about a vulnerability in a US-based hospital; and the last example is from a Russian forum where an actor is selling RDP credentials for

a US-based hospital. So for example, if you are a hospital and you have a threat hunting team that is hunting on the dark web, then if you get to know these things before, you can go and verify whether you have some kind of RDP vulnerability in your organization or not. So it can help in that way, and that is why you should care. If you don't do these things, then you are losing out: you don't know about the RDP vulnerability in your organization beforehand, and attackers can utilize it. On a similar line,

if done correctly, you can keep up with the latest trends in attacks, you can get to know about the new TTPs that the actors are talking about, you can identify insider threats also, and new data breaches, and so on. And if you get new TTPs, then you can prepare your SOCs and incident responders so that whenever the attack happens, or if the attack happens, they are already prepared to deal with it, and in turn reduce the risk and damage to your organization. So,

coming to the methods part, like what tools you can use to hunt on the dark web: I will talk about a few tools that you can use to get data from the dark web; obviously there are many other tools out there that you can use to get data from the dark web. Starting with Scrapy: basically Scrapy is a Python web crawling framework that has multi-threading capability. I'm emphasizing multi-threading because while hunting on the dark web you don't want to focus on getting the data, you want to focus on analyzing the data that you have, based on your

organization's threat model. That is why you don't want to waste time designing your tool to get the data, and that is why Scrapy is really important here, because it can get the data in a really fast way. Another is Tor: obviously, if you want to access the dark web, you need Tor installed. Another great tool is OnionScan. With OnionScan you can find similarities between different onion links, or you can find out if an onion link is up or not. Before coming to Privoxy: basically, when you access Tor, you

would want to go through some kind of SOCKS proxy or VPN. The first reason is to have that extra layer of protection, and the second is that your ISP might have blocked Tor nodes, so to circumvent that you need some kind of SOCKS proxy or VPN to get to Tor. There are many tools that you can use to route your traffic through a SOCKS proxy; some of them are Privoxy, torsocks and Polipo. I have been using Privoxy; you can use any other tool, it does the same thing. The next thing is Elastic: basically you need some kind of database to get your data into,

and you can use any database, whether SQL or NoSQL. I use Elastic, and many people use Elastic, because of the Kibana support: you can easily search or analyze the data in Kibana. I mean, you can use any other database and then put the data into Elastic, or you can put it directly into Elastic. Another thing is Redis. Redis is an in-memory database; it acts like a cache database, and we'll talk about why we are using Redis in this case and why it is important to use it when we are using Scrapy. So, moving a little deeper into Scrapy: I mean, I already told you Scrapy is really important in this case,

so why we use Scrapy, or how Scrapy works. I will go step by step through how Scrapy works. So let's think of every major thing that you see here, like spider, pipeline, downloader, scheduler, engine: these are all different Python programs. Starting with the spider: the spider is the place where you will give your first URL or first onion link. Now the spider will send the request to the engine. The engine is the Python program that manages every other Python program in Scrapy. The engine gives it to the scheduler; the scheduler is the part where your multi-threading comes into play, so the scheduler is the program

that will manage the threading, and it will give each onion link to a different thread, and you can tune this, I think from 8 to 32 or 64 threads. Now from the scheduler it goes back to the engine, and the engine sends it to the middleware. The middleware is a really important part of Scrapy, because this is where your proxy code and your login code go. By proxy code I mean your Tor IP and your Privoxy IP go in the middleware, and by login code what I mean is that the majority of the sites on the dark web require registration or login, so you can't access them without registering an account. So before that, I mean, you need to register

an account and get the login credentials or cookies, and then put them into the middleware, where the login function is. Another thing to note is CAPTCHAs: the majority of the sites do use CAPTCHAs, and the majority of these are text-based CAPTCHAs, which are easy to bypass, so you can use OCR tools in Python, or you can use any third-party CAPTCHA-solving site like Anti-Captcha or DeathByCaptcha, and you have that code in this middleware. Now the middleware sends it to the downloader, so the downloader basically gets the HTML page from the forum and sends it back to the spider. Now you have the HTML code,

and now you need only some part of the HTML; you don't need the full HTML code. So basically, if you are on a forum, then you would want only the forum text where some actor has posted something, so you get those HTML elements, and in Scrapy we call them items, like the variable where you are storing your HTML element data. So you make different items based on the different things that you are getting from the HTML, you store them into items, and then it goes to the item pipeline, where you have either your database or you dump into some kind of file format like JSON or JL (JSON Lines), etc. So this is

basically how Scrapy works and how you can utilize Scrapy to get data really fast from the dark web because of that multi-threading capability. Moving on, let's talk about the human element, or how you can use humans to monitor or get something from the dark web. So basically human intelligence, or HUMINT, is the process of gathering intelligence through interpersonal contact rather than any technical or tool-based methods. By interpersonal contact I mean you are going on the dark web and directly engaging with the actor, and engaging with the actors is not an easy task; many people can't do it; it requires specific skill sets to

engage with actors. You can think of this as a high-tech equivalent of an FBI agent going undercover to infiltrate a criminal organization. That task is not easy, and neither is this task, where you go on the dark web forums and talk with the actors. You have to keep many things in mind; we will talk later about what things you keep in mind and how to talk to the actor. So basically, if you're doing human intelligence properly, then you can find out many things about the attacks: you can find out what the intents are behind the actors attacking some particular organization, or you can

also find out what new TTPs they are using, what new attacks they're talking about, which new organization they are trying to attack, and you can get to know these things if you have that kind of relationship with the actors. It takes a lot of time to do these things, but it can help your tool-based hunting, in the sense that you can either get new attack vectors or new attack TTPs through this method, or you can also do post-attack investigation. So suppose, for example, your organization's data has been breached and someone is selling that data on the dark web; then you can activate your human intelligence and they can go on

the dark web, and if they have that kind of relationship with the actor, they can see if the actor is selling fake data or real data, because there are many people on the dark web that sell fake data, so you can find out if the data is real or fake. Moving to the automated part: how you can automate your threat hunting, or how you can automate your tool-based threat hunting. I will talk about one example of how you can do it; there are a lot more ways you can utilize this to make your hunting pipeline or automate your hunting pipeline. So when you start

with this, you need different onion links, different forum links or marketplace links, and SOCKS proxies, so you can write simple scripts that you can automate to get the links and the SOCKS proxies. Now, the Scrapy setup includes all the things that you need to start your Scrapy. There are some manual parts to the Scrapy setup, because many things you cannot automate. So the Scrapy setup includes going to different onion links, going to different forums, and, as we talked about before with Scrapy, you need to get those HTML elements that you want, so you need to get yourself

to see what the HTML structure is for the different forums, and only then can you get those HTML elements that you want. Another thing is that you make accounts for the different forums; obviously you can automate account creation, but you can do it manually also, so you can do either of those two things. You create accounts, you get those cookies, you get those account credentials, and then you put them into Scrapy. You set your multi-threading, whatever threading you have based on your system, and then you start Scrapy. The crawler, parser and analyzer are basically the parts of Scrapy that we talked about before: the crawler gets the HTML page, the parser

parses the HTML page and gets the HTML elements, and the analyzer is where you put the data into the database and then analyze it. In this case, what I usually do is put the data into JSON. Again, as I told you before, based on your organization's threat model you focus on the particular data that is the requirement and that you want. As Scrapy is a multi-threading web crawling framework, it gets data really fast, so you don't want all that data; you trim the data according to your needs, and this is where analytical concepts like NLP or machine learning come into play, because

most of the data is text-based data, so you need some kind of NLP or ML processing to filter the data. So this is where I get the data into JSON format, and then the basic idea is to train a model: first get some part of the data, train a model based on the organization's threat model or requirements, and then put that model into place to trim the data, or to get only the data that you want, and then you basically put it into Elasticsearch. And then this whole process goes on and on. The use of Redis here is, as I told you before, that

Scrapy gets data really fast and it is a multi-threaded thing, so you may get duplicate data. Yes, Scrapy does have a duplicate filter, but if your Scrapy breaks down and you have to start it again, it doesn't work. So that is why you have a cache-like database where Scrapy gets the commands from, of what you want to scrape further: you basically give a unique identifier to the different data that you get, and it is kept in Redis, and then Scrapy automatically gets that thing from Redis and goes on crawling, or goes on getting data from the dark web. So this

is basically one example of it; you can think of many other things in this example, you can place many things here and there, and you can design your own automated hunting architecture. So, moving on, let's talk about the overall picture here. We just talked about hunting and getting the data, but we didn't talk about how you plan all this and what you do after you get the data, so let's talk about the threat intelligence life cycle. It basically includes the steps that you take to start your threat hunting or start gathering data, then analyzing that data, and then getting reports generated.
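
The Scrapy flow described above (items pulled out of the forum HTML, an item pipeline that dumps to JSON Lines, and a Redis-backed identifier store so that a crashed and restarted crawl does not re-emit posts it already processed) as an added Python example; this is not code from the talk, from Scrapy, or from any project the speaker names. It uses only the standard library: the forum page, the post ids and handles, the forum name and the "ExampleCorp" watchlist term are all constructed, and the SeenStore class stands in for the Redis set (same add-if-new contract as SADD) that the speaker uses.

```python
import hashlib
import json
from html.parser import HTMLParser

# Constructed sample forum page standing in for one downloaded onion-forum
# thread. The listings, handles and the "ExampleCorp" name are made up.
SAMPLE_PAGE = """
<html><body>
<div class="post" data-id="101">
  <span class="author">seller_a</span>
  <p class="body">Selling RDP access to ExampleCorp hospital network, PM for price</p>
</div>
<div class="post" data-id="102">
  <span class="author">buyer_b</span>
  <p class="body">How much for the full dump?</p>
</div>
<div class="post" data-id="103">
  <span class="author">seller_a</span>
  <p class="body">Also have fresh combo lists, no affiliation</p>
</div>
</body></html>
"""


class ForumPostParser(HTMLParser):
    """Pull the forum posts out of a page (the Scrapy 'items' step).

    Assumes the constructed markup above: each post is a <div class="post">
    holding an author <span> and a body <p>. Real forums differ, which is the
    manual 'look at the HTML structure' work the talk mentions.
    """

    def __init__(self):
        super().__init__()
        self.posts = []
        self._current = None   # post currently being built
        self._field = None     # "author" or "body" while inside that element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div" and attrs.get("class") == "post":
            self._current = {"post_id": attrs.get("data-id"), "author": "", "body": ""}
        elif self._current is not None and attrs.get("class") in ("author", "body"):
            self._field = attrs["class"]

    def handle_data(self, data):
        if self._current is not None and self._field is not None:
            self._current[self._field] += data

    def handle_endtag(self, tag):
        if self._current is None:
            return
        if self._field is not None and tag in ("span", "p"):
            self._field = None
        elif tag == "div":
            self._current["author"] = self._current["author"].strip()
            self._current["body"] = self._current["body"].strip()
            self.posts.append(self._current)
            self._current = None


class SeenStore:
    """Restart-safe duplicate filter (in-memory stand-in for a Redis set).

    add_if_new follows the Redis SADD contract: True only when the member
    was not already present. In production the set lives in Redis, so a
    crawl that dies and is restarted skips posts processed before the crash.
    """

    def __init__(self):
        self._seen = set()

    def add_if_new(self, fp):
        if fp in self._seen:
            return False
        self._seen.add(fp)
        return True


def fingerprint(forum, post_id):
    """Stable identifier for a post: forum name plus the forum's own post id."""
    return hashlib.sha256(f"{forum}|{post_id}".encode("utf-8")).hexdigest()


def matches_watchlist(post, watchlist):
    """Threat-model trimming: keep posts naming something the organization cares
    about (case-insensitive substring match; an NLP classifier would replace this)."""
    text = post["body"].lower()
    return any(term.lower() in text for term in watchlist)


def run_pipeline(page_html, forum, store, watchlist):
    """Parse -> dedup -> filter; returns the items that would go to Elasticsearch."""
    parser = ForumPostParser()
    parser.feed(page_html)
    kept = []
    for post in parser.posts:
        fp = fingerprint(forum, post["post_id"])
        if not store.add_if_new(fp):
            continue  # already handled in an earlier (possibly crashed) run
        if not matches_watchlist(post, watchlist):
            continue  # noise relative to the organization's threat model
        kept.append({"forum": forum, "fingerprint": fp, **post})
    return kept


def to_jsonl(items):
    """One JSON object per line: the JL dump format the talk mentions."""
    return "\n".join(json.dumps(item, sort_keys=True) for item in items)


if __name__ == "__main__":
    store = SeenStore()
    first = run_pipeline(SAMPLE_PAGE, "constructed-forum", store, ["ExampleCorp"])
    second = run_pipeline(SAMPLE_PAGE, "constructed-forum", store, ["ExampleCorp"])
    print(to_jsonl(first))  # the single post naming ExampleCorp
    print(len(second))      # 0: the re-run after a "restart" emits nothing
```

The dedup check runs before the watchlist filter on purpose: every post seen is recorded, so a restart does not re-parse and re-classify the noise either, which is the cost the speaker is avoiding by keeping identifiers outside the crawler process.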

So in the case of our threat hunting on the dark web, you basically start with identifying dark web forums, or before that you do threat modeling of your organization; you get the threat requirements that you want, and then you identify the dark web forums that you want to focus on, and so on. Then you start your Scrapy and you start collecting those things in the collection phase. In the processing phase you basically process the HTML page and get the elements, and in the analysis phase you analyze using some NLP or ML methods. After that you either create reports or create alerts, and you basically create different kinds of graphs or visualizations, and then you

send them to your managers to look into. So this is basically the crux of how you start and end these kinds of things, this particular thing of threat hunting on the dark web, when you consider the overall picture of it. Going a little deeper into it, starting with threat modeling: basically what threat modeling is, you define the critical assets of your organization, or the assets that the actors can target. This can include anything, starting from products or similar. This is where you spend most of the time, because you need to focus on

things that the actor can target, and similarly you focus on the different dark web forums where these kinds of things happen or are being talked about, and this is where you can prioritize different kinds of risk. So for example you can use the Pyramid of Pain to prioritize risk based on your organization's requirements. For example, if you are an organization that wants to focus on getting domain names or IP addresses from the dark web, then you can focus on those forums that have those kinds of data, and then you can grab that data and analyze it; or if you want to focus on TTPs,

then you can grab that data and analyze it. So this is how you start your threat hunting on the dark web, by defining these things. Moving on, you define the different forums and websites you want to target. Ideally you should collect data from both the clear web and the dark web, because getting all that data from different places gives you more intelligence. So you basically collect data from Pastebin, Twitter, Reddit, and Telegram nowadays, because many actors are talking on Telegram also, and then you collect data from the dark web; obviously

you need to get the different forums and marketplaces where you want to get data from. Coming to the analysis phase: this is where you have the data, and now you need to apply some kind of NLP, ML or DL techniques to analyze that data based on your organization's requirements. So this is where you either do classification of different forums, or you do clustering of different kinds of products on those forums, or clustering of different kinds of exploits, or you do social network analysis of different actors, or you map or compare different actors across different forums. So based on

your organization's requirements you can do any kind of thing. I will talk a little about MITRE ATT&CK. What MITRE ATT&CK basically is, is a knowledge base of TTPs based on real-world observations, so it includes all the TTPs that the actors have used already. If you are getting that rich amount of data from the dark web, then you can map that data, or map those TTPs, to MITRE ATT&CK to understand the TTPs better, and it makes a good report to show to your managers. Moving on, coming to operational security, or what I mean by OPSEC: OPSEC is basically the

practice of hiding yourself online by dissociating or differentiating your online self from your real self. So this is basically the actions you take to hide yourself, your operations, or your organization online while you are doing dark web monitoring. This includes all the things you hide, like your full name, your license, your email, your organization's name, anything that can correlate back to you or your organization. Another thing to note: at the end of the day we are all humans, so we like to seem knowledgeable in front of others, be it an actor, and this is what leads to bragging

and oversharing, and that is why OPSEC is really hard; it's not an easy task. So I will discuss a few steps that you can take to maintain OPSEC in your lifestyle, but there are a lot of steps that you need to follow, and you should always think about OPSEC before doing dark web monitoring or dark web hunting stuff. Starting with the first: as I told you before, you should use Tor over some kind of SOCKS proxy or VPN, preferably a VPN, to get that added layer of encryption. Another thing is that on the system you are doing your dark web hunting on, you should never store any personal information on that

system. Another thing to note is, as I already told you before, this is the high-tech equivalent of an FBI agent going undercover, so he has some kind of persona and a backstory. So you should have a persona for the different forums, for the different users that you are creating on the different forums, and have a different persona and a different backstory for each. If you're doing this for a long period of time, then these personas really get to your mind, so keep extensive notes so that you don't mix your personas, because the last thing you would want is to mix personas and give your identity

up to the actors. Another thing to note is that you should always change time zones. For example, if you are researching a Russian forum from the USA, then try to change time zones so that the actors don't think that you are not a Russian actor, because the majority of the time you would talk in Russian on those Russian actor forums, and that is why you would want to change your time zone. Obviously, yes, there may be Russian people who are in the US talking on the Russian forums, but for that added layer of, what do you

call it, peace of mind, you should always change time zones. Another thing to note, on a similar line: if you are trying to research different forums like a Russian forum or a German forum, then you need to learn those languages or the slang that is being used on those forums. So these are some of the steps that you can take to maintain your OPSEC lifestyle, and there are a lot more steps, but the main thing is that you should always think about maintaining OPSEC before doing dark web monitoring or dark web hunting stuff. So that was it. We talked about what the dark web basically is, how you access the dark web, we

talked about the different forums and marketplaces on the dark web, what you are gaining while you are hunting on the dark web and what you are losing, we talked about Scrapy specifically among the tools and how you can use Scrapy to get data from the dark web, we talked about the human element and HUMINT and how you can use humans to bolster your tool-based threat hunting, we talked about one use case of how you can automate your dark web threat hunting, and then we discussed the overall picture and the threat intelligence life cycle, and then at the end we talked about operational security and how you should

always maintain OPSEC while doing this dark web threat hunting or dark web monitoring. If you take one thing from this talk, then I would suggest you go back and follow these steps: first figure out your assets, what things you want to focus on; create the hunting plan that we talked about; start your Scrapy; start putting data into ELK; and then once you have a good amount of data, try searching your company's name in Kibana, or your company's products in Kibana, and if found, then try to analyze those results, try to see which forum talked about that stuff related to your organization, which

particular actor talked about that stuff, and then try to monitor this regularly, do this basically on a monthly basis, and then report it to your team, and you will see the results out of it. Obviously dark web threat hunting is hard, but it's worth the effort; you don't get the intelligence that you get from the dark web anywhere else. You should always keep operational security in mind, and another thing that I already talked about is to always look at more than one resource; you get more intelligence by looking at more than one resource. And yes, it takes a lot of time and it's a team effort, but if done correctly you

get a lot out of it. I talked a little about MITRE ATT&CK and how you can use MITRE ATT&CK to basically get really good reports if you have the right amount of data, that rich amount of data. These are some of the resources that you can look into if you want to know more about dark web hunting or dark web monitoring stuff. There are many good companies like Recorded Future, IntSights, CrowdStrike and Digital Shadows that release blogs and white papers regularly on this kind of stuff. That was it. I hope you all liked my presentation. If you have any

questions you can hit me up on Twitter or LinkedIn, and I would be happy to talk about this stuff. So, thank you.

Thank you. There are several other presentations in there, but I just wanted to say thank you guys for taking the time to join me. This is Linux manual privilege escalation 101. Who I am: degree in computer systems engineering; I'm a senior security engineer with a little bit over seven years of IT experience; I'm a red team enthusiast; I'm by no means a hacker; I have CCNA, SSCP, eJPT, CISSP, just kind of like a little alphabet soup in here, more complex alphabets; experience in incident detection and response. Honestly, I've always found incident detection really fascinating, because with the information that you

have, you know, you're given little pieces of information and you put a picture together, which is definitely really fascinating, and you kind of get to do a little bit of detective work, which is awesome. My color is pink, and when I was a kid I was terrified of Mr. Clean, creepy and grumpy, but yeah, you know, I guess you grow up and you learn. "You're a blue teamer, why are you teaching me pentesting stuff?" A very common question that I've always gotten. I had co-workers reaching out to me like, why are you putting so much effort into this? And even one of my old bosses: you do realize

we don't pentest in here, right? You're never going to be a pentester, at least not in here. I mean, it makes a lot of sense, but I always thought that if you really want to protect an environment, you have to think as an attacker, right? So you want to know how an attacker would act in order for you to take the right measures and the right actions to protect your environment. Another thing that is very common is that the industry tries to glamorize pentesting, and it's true, red teamers are fascinating, you know, like: I get to be a hacker and I use the hashtag hacking and I'll take selfies

and post them on Twitter with my hoodie, and that's fun, but they really don't talk about the challenges that a blue teamer would face. A red teamer starts there, they go through all the steps, and it's over: I'll go home and watch the Kardashians or do whatever I do. While a blue teamer, if you see it like this, is basically working 24/7, since an attacker or a really, really bad person wouldn't really be bad just from nine to five. So I guess it's just something to keep in consideration: they're playing pretend, and it's the blue teamers that are the unsung heroes of

the whole entire industry; that's just the way I see it. What exactly is privilege escalation? Well, privilege escalation vulnerabilities are security issues that allow users to gain more permissions and a higher level of access to systems or applications than their administrators intended. These types of flaws are valuable for attackers because they're needed for full exploit chains, but can be overlooked by defenders or developers because of their lower severity scores. So what does this even mean? It's just like a whole bunch of text, but if you think about it for a second, whenever you compromise an application, whether it's, you know, through port 80 or some other port,

through SMB or through FTP, you manage to gain a shell. Now that I think about it, I've never really seen FTP in production; I'm pretty sure some people still use it, but it's a very old protocol. And you don't really gain access to the system as the administrator user or the root user if, in an ideal world, a system administrator works under least privilege. What does this mean? You give people the permissions they need to perform their daily tasks; I'm talking, for example, Bethany from accounting, or Pedro from the front desk, or Alice from accounts payable, or Bob from project management. But this should also apply to

service accounts; those types of accounts should really be given the very, very minimum access for them to perform what they're supposed to do. The Bling Ring, 2009: a group of Hollywood teenagers broke into celebrities' homes to steal luxury items. They took as much as they could and they went unnoticed for several months. What does this have to do with privileges? Although this happened some time ago, I heard about it, I think, back in 2014, and if I'm not mistaken they even made a movie about it, but when they interviewed these people I was so surprised about the answers that

they gave. They were like, yeah, so we looked at the most obvious solutions, or the most obvious things to do for us to get access; we created persistence in a way where we could have taken a copy of the key if we wanted to; and yeah, we got so used to it and so comfortable with it that we started taking as much as we could and we wanted. So three things came to mind: they were persistent, they looked for the most obvious or easy solution, and they managed to remain sneaky. So those would be really good things for escalation, or even for compromising a machine for the first time. It's like fantastic, but

backwards. Awesome. The ugly truth, and when I say the ugly truth, again, this industry is really going to try to glamorize pentesting, which is, you know, pretty cool, but one thing to take into consideration is, for example, that it is unlikely you'll find a one-size-fits-all type of exploit. Whenever you're trying to work with an exploit that's going to give you a shell, you have to make some changes; if you're lucky you might only need to change the port number and the IP, but there's a lot more to it. There might be a directory that you need to change, I

don't know, attempt to brute force with just a different username, or maybe you're missing a library, which is a nightmare if you're really not familiar with any type of programming. Privilege escalation: so this kind of reminds me of, who are the people in your

neighborhood? Just because you're not able to gather something useful from your current position, you know, you really want to take a good look at what's in your network and what the purpose of those computers in there is: is it some kind of web server, is it a print server, is it just Linda from IT, anything. So this is kind of like a rinse and repeat process: you're not able to find anything the first time, okay, enumerate again, enumerate better, look at those other machines in the network; if you found credentials, that's awesome, try to test those credentials,

and you just want to, you know, approach the escalation. The actual pentest: there is really no defined architecture for the actual pentest, nothing for you to feel comfortable with in practice; there's really not going to be something defined for privilege escalation itself. Creating sandboxes for customization, research and testing: well, you know what they expect, and you don't want to get in trouble, so if there is an exploit, or if you have a defined privilege escalation methodology, you're not just going to run to the client's machines and try everything like crazy if it's something you're not familiar with. It really doesn't matter if

you're practicing in Hack The Box, or, you know, what's the other one, the try harder one? Oh, the lab, that one. Anyway, it really doesn't matter, because you can just reset the machine and then you're good to go, but in the real world you can really mess up a client's environment and then get in trouble. Awesome. Now, my slide is really not exactly working, okay, there it is, yay. Okay, explain like I'm five. We're really not going to reinvent the wheel in here; we're just going to talk about a little bit of the basics when it comes to, you know, the attack kill chain, for example.

Reconnaissance: identify it, try to gather operating systems, architectures, AV versions, anything that we could potentially find very useful. A lot of people say don't underestimate the power of reconnaissance; "I hacked into this box and I didn't enumerate": this is just common knowledge, everybody knows that if you want to start getting an initial shell it's very important to, you know, enumerate well. Weaponization: this means basically pairing an exploit with a particular vulnerability; having an open port doesn't necessarily mean that we're going to be able to exploit it, perhaps it's patched, or we're not able to find anything functional, so that's something to keep in mind. Another thing that is important

is when we're enumerating well bigger target bigger chances of you to get you know like bigger chances for you to be able to compromise something so we have our exploit how are we going to place said where it's supposed to go right so either if it's something that we need to inject code or we need to place a reverse shell are there any additional ports open that we have access to um that we really want to keep in mind

is exploitation and I used to see okay here's an exploit but why doesn't this give me a shell where is my reverse shell why am I not able to connect to the you know like the end host all exploits work the same some of them might do different things that you could use to your advantage for example this particular case when it a hash that I could use for a web application so I had to crack the hash use you know like the standard you know like default admin name and boom I was in is you know like self-explanatory how do we activate the payload or the exploit that we just delivered how do we trigger it what do we have to

do whether we have to you know like just make a user click on something or make a user open an attachment so there's some from our end or an action for it to work do we want to add or um install additional tools the hands-on keyboard right we're basically able to be able to do anything we want and at this point we kind of have full control actions and objectives so what were we trying to gather out of all of this we're fun because we're bored are we really bad people is this just an engagement you know like from a client so whatever your final objective was basically we just get to

it backwards it's about a group of security operations analysts that work for a TV station and use logs to save an innocent man from going to jail this Mees and I saw this like years

ago this lies bread um the word toxicity but industry when it comes to the use of Metasploit you just go and need you know like food from Whataburger or McDonald's or whatever and most commonly used you're not a real hat well I've heard um that's paint by numbers um you know like everything is pre-made there's really no point to it um try harder that's my favorite um so yeah that's like something very common and honestly I don't see why I'm not really here to bash Rapid7 I think they're a great tool and I find it extremely useful um but it unlikely that in the real world you'll find a client telling you hey you better

not be using Metasploit or you know like don't use this tells you don't use Meterpreter or don't use so Ando tool then you should be good to go uh with them it's basically the challenges that you could potentially deal with is you get what you pay for um I assume like the paid version has more visibility um another thing is visibility so um I want you all to think of something if y'all ever used times have you actually looked at your exploits like open code because I for sure didn't when I got started so I don't remember it very clearly but when I was just get that I use it I think it was for netapi

yeah vulnerability it was for a very old Windows XP machine and it didn't really even give me like a shell itself it gave me a VNC session and it was slow as crazy and I could very barely move the mouse but I felt like I was a hacker anyway um customization requires expertise you really there's two things to this you really have to know what you're doing in order to get the results that you expect and this applies pretty much for everything not just for pentesting so if you really want to be able to write your own code you have to have a good understanding of the vulnerability just get familiar with the vulnerability

itself just learn how it works what are the limitations uh for which operating systems or for which type of services you know like would apply to so um here is pretty much like a little rundown of our Metasploit modules we have auxiliary payloads exploits encoders and nops for auxiliary this is I'm going to have to say this is definitely one of my favorite modules because even though it doesn't really give you a shell or an exploit information that you could gather and what you could potentially use during other steps and even Ed up scans or fuzzing um I've honestly never tried this for Linux and Metasploit but I know that for Windows there is an auxiliary

module where you have the option to impersonate token so you find credentials you can actually impersonate that user I know that manually you can do it with um a Hot Potato but for Metasploit the impersonate token option is right there and it's a lot easier and it really saves you a lot of time basically that one is you know like a self-explanatory so what happens with those um you get to select which payload do you want and for that okay what is a payload payload exploitation or what you with your victim computer do you want to get a reverse shell from it do you want to connect to it directly via you know like TCP bind or

do you just want to be funny and pop in the calculator well that is a potential payload um pretty much all the potential codes that we would want to use um the format of the presentation that we want to give to an equal secure um I honestly believe that there isn't such thing as this is unhackable or this is 100% secure it doesn't exist you might as well be looking for a unicorn just going to add that extra layer of security and you might make it trickier for them to find you uh then there is nop for no operators and uh what is a no operator that doesn't do anything and why would we want an operator that

doesn't do anything well um for example for memory alignment um we're trying to use both for overflows if we want a pointer to point or to be assigned to certain part of the register there are certain programming languages that do not allow NOPs instead to invalidate or avoid an instruction that's when we use a no operator msfvenom msfvenom is a tool that allows users to generate payloads and encode them msfvenom are one single tool standardized and increase speed so what I mean with um one single tool is the fact that before 2015 there was a combination of msfpayload and msfencode and now you can just like it's all bundled up together so

that's awesome and this is what an msf

venom so as I was mentioning earlier reverse TCP the Apple ones in like the with Meterpreter but um it's definitely something that I want to do at some point

done these two are the ones that I most commonly use Linux generic and python would do like an exe so you can create always have to go to Metasploit and kind of look for them why escalate privileges and that's a really good question um knowing your distribution type and that's gather general info so I used to think that Linux distributions were pretty much like ma mic movies you've seen one you've seen them all but that's really not true um really not available for other distributions and other is currently running you want to be able to visualize what you're fighting against right so uh you want to see which applications and services are running so you might be

able to exploit them weak file

permissions to we might be able to exploit that for example um the typical case of um Linda from accounts payable has per because she's always been harassing you know like the IT department and everybody's afraid of her times like I was mentioning before it's not really the fact that you have to be extremely technical you just have to keep your eyes open a lot of the times is the fact that as really do their due diligence and incorrect permissions are assigned which is basically for uh Linux scheduled tasks configuration files so with configuration files the fun part is we might not be able to get a shell out of them but we might be able to see

a version um a default user and a lot of the times lazy admins just reuse their

passwords possible to replace legitimate binaries with our code as a means of executing them at a higher permissions level if a user has permissions to write into the folder where the binary is located then the file can be replaced with custom code um long story short if I can write to it I can write whatever I want including a reverse shell or a way for it to connect back to me on the root privileges and so a lot of you guys are really familiar with all of these commands we're really not going to go super crazy on them because I don't want to put y'all to sleep um so we're looking at our version

of the kernel the computer that we connected to ifconfig we want to see um our current IP arp -e to look at our local addresses see um which ports are open um which you know like services are in there which port numbers we can see um id which current user which user are we passwd for example um that would be like all the current accounts or all the current usernames that are in that computer sudo -l um honestly this is really important when it comes to privilege escalation so sudo kind of um it stands for super user do I'm so sorry okay so here's what happens with me I speak very broken English but in my

defense I've been in the US for like five years so anyway so this is recorded but if y'all ever have any kind of issue understanding what I'm trying to say just ping me and I can totally repeat that so back to sudo um yeah super user do so there are times not have root privileges doesn't necessarily mean that there are not certain commands on the root permissions I like how I'm having a window open something and it doesn't work so screen button here sudo -l what does this mean all the applications and all the potential commands that I could run on the root permissions going to try to do sudo them I like how I cannot type for my

life and

then boom I'm root so basically what I did in here was abuse the Vim option that I have I can see that for Nano I can see that for FTP I can see that for I'm going to go back to my old account a different um command so let's just go ahead and try

example oh okay yeah there is still a way that I can use this if I do an exclamation point boom I'm root so another thing that you want to keep in mind is under the sudo options Google that so it's like okay how do I use um Nano and my option so really helpful um files world writable directories world writable files and checking for mounted file systems why not why on Earth would I want to know or how is this anything useful okay because if you want to be able to copy your post exploitation tools or any tools that would potentially help you you want to find a location where they

work if I can write to it I can write whatever I want just basically see which applications are installed as root uh what files am I able to see under the HTML folder this would be you know especially useful if we're talking about a web server and in here which uh applications are running under SUID bit
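The two sudo findings the speaker walks through above, a `sudo -l` entry that hands out an editor with a shell escape and a sudo-allowed command sitting in a world-writable location, checked from the defender's side. This is an added example, not code from the talk or from Metasploit; the `sudo -l` sample at the bottom is constructed, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the talk): audit "sudo -l" output for two privilege-escalation
# conditions discussed in the talk: (1) rules granting a program with a known shell escape,
# (2) rules whose command file or parent directory is world-writable, so the binary could be
# replaced and then run as root. Real usage: sudo -l | audit_sudo_rules

# Programs the talk names as giving a root shell when run under sudo (extend as needed).
SHELL_ESCAPE_BINS="vim vi nano ftp"

# Print the first command path of a rule line such as "(ALL) NOPASSWD: /usr/bin/vim";
# header lines ("User bob may run ...") print nothing.
rule_command() {
    printf '%s\n' "$1" | sed -n 's/^ *([^)]*) *\(NOPASSWD: *\)*//; s/[ ,].*//; /^\//p'
}

# True when the path exists and its mode grants write permission to "other".
world_writable() {
    [ -e "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# Read sudo -l output on stdin, print one RISK line per finding, exit 1 if any were found.
audit_sudo_rules() {
    found=0
    while IFS= read -r line; do
        cmd=$(rule_command "$line")
        [ -n "$cmd" ] || continue
        base=$(basename "$cmd")
        for b in $SHELL_ESCAPE_BINS; do
            if [ "$base" = "$b" ]; then
                printf 'RISK shell-escape: %s\n' "$line"
                found=1
            fi
        done
        # The file itself or its directory being world-writable lets anyone swap the binary.
        for p in "$cmd" "$(dirname "$cmd")"; do
            if world_writable "$p"; then
                printf 'RISK world-writable %s in rule: %s\n' "$p" "$line"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample standing in for "sudo -l" on a real host.
SAMPLE='User bob may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx'
printf '%s\n' "$SAMPLE" | audit_sudo_rules || echo "findings present (exit $?)"
```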
