Anti-forensics Techniques Used By Threat Actors In The Wild

BSides London, 44:35, 2.8K views, published 2024-02. Category: Technical. Style: Talk.

Transcript [en]

Thanks so much. Hi everyone, thanks for being here. I'm going to ask you to remind me to wiggle my mouse on my screen every minute or so, because apparently there are some AV issues. Yeah, I'm going to trust you. Cool, thank you. No pressure.

So hi everyone, thank you for coming to my talk. In this talk I'm going to talk about anti-forensic techniques that me and my team see threat actors use in the wild all the time, and I'm going to talk about the threat actors that we've seen using these techniques. This talk is a result of working on multiple incident response engagements over and over again where we had to resort to creative ways of figuring out what threat actors have done on systems, not being able to rely on the kind of traditional forensic artifacts that we usually would because of the anti-forensic methods that the threat actors were using.

This talk doesn't cover all anti-forensics techniques, and it doesn't cover all the ways that you might find evidence of those anti-forensics techniques being in use. These are just the techniques that we have seen being used by threat actors somewhat recently (by somewhat recently I mean in the past few years) and ways that I found that you can look for evidence of these anti-forensic techniques being used. Unless mentioned otherwise, most of this is going to relate to Windows; this is just because of the nature of the networks that I work on. I haven't found any examples of anti-forensics on macOS. I even spoke to a guy on the Apple security team just a few minutes ago and asked him if he knows about any example, and he also hadn't heard of any. There's going to be a little bit of Linux as well.

So I started doing cyber security in around 2016 when I went to university to do a cyber security and digital forensics degree. I was always really interested in digital forensics; I thought it was quite fun and interesting. And when I was looking at the different jobs available in the job market, I thought incident response sounded cool because it sounded like when you're doing IR the people you're working with actually need you and actually need you to be there. So that was why I went for IR. I did internships at Coinbase, Meta and Morgan Stanley, and then after graduating I worked at Meta and KPMG before coming to CrowdStrike. It's funny because it disappeared, like the evidence.

So for those that don't know, I'm just going to talk briefly about CrowdStrike and my team and the context in which this information is actually relevant. So CrowdStrike makes a product called Falcon, which is an endpoint detection and response agent. That means it's a little program that runs on endpoints and servers on your network and collects information. This information can be used by security teams to figure out what was happening on these devices, and it also prevents bad stuff from happening. Apart from the actual software, our company also has a Professional Services team, which is what I am part of. Our Professional Services team does a bunch of stuff, which I will talk about in a second, and we also have a brilliant threat intelligence team, some of whom are here today (hi guys, thanks for being around). They provide us as the Professional Services team, as well as our developers and our customers, with information about what threat actors are doing, and they do a bunch of malware analysis, which is super useful because I'm pretty bad at reverse engineering.

In terms of the services team, I'm part of the Professional Services team in general; I mostly work on incident response engagements. This means that we usually come in in a post-breach scenario: the customer has noticed that something has gone wrong on their network, or some evidence of something bad happening, and they call us in, and we either already have visibility thanks to them having Falcon or another EDR, or we deploy Falcon, and then do an investigation, which I'll talk about in a second. Apart from incident response we also do other types of engagements that are listed there. Yeah, I get like a bonus for doing these talks and I have to include this slide.

So let's talk about the incident response life cycle and the context in which this stuff is actually useful. So when we as the CrowdStrike team (and it's not just us, most IR consulting teams will have a similar methodology) come into an incident, the scenario is usually that there's been some kind of detection or somebody has noticed that something bad has happened. We then try and gain visibility. This is usually through deploying an EDR tool such as Falcon; other teams probably use different EDR tools as well. And then we use that tool to do some analysis and investigation. This analysis and investigation is also greatly helped by collecting so-called forensics packages. We have a forensics package collector called Falcon Forensics Collector which we deploy on all systems where it's possible, and we use the forensic data from each device to find evidence of compromise on those devices. So we're usually looking for indicators of compromise, which would be evidence of a compromised account doing some activity, maybe some malware, maybe some logs that show what a threat actor has been doing. We then use that evidence to, well, prevent the malware for example from executing by putting, I don't know, its hash into our prevention mechanism in Falcon, and we use the IOCs to search more broadly across the estate because we are trying to get visibility everywhere.

So in a typical incident response scenario where there is no anti-forensics, what a threat actor might do is they might use a specific, let's say, remote access tool on a system. However, when they are using anti-forensics they might hide that they've been using that remote access tool on a system, and this talk is about how you can actually find evidence of them hiding that remote access tool, for instance, and using that as an indicator of compromise instead of actually using the evidence of that remote access tool being there in the first place.

Seven minutes, ten slides in, damn it, going to have to go fast. Right, so the anti-forensics techniques that I'm going to talk about today are file deletion, log deletion and log tampering, bring your own VM, SIEM and security tool corruption, and cloud anti-forensics.

I'll go with file deletion first. Bear with me, I know that file deletion is pretty simple and easy, but I think it's worth covering because it's quite relevant and we see all types of threat actor do it. You'll see that some of these techniques I have attributed to specific threat actor groups or threat actors. By the way, you haven't given me a single sign to wiggle my mouse. Okay, good, thanks, thanks for watching. I am trusting you.

So file deletion is what we see loads of threat actors do. So they'll, you know, bring some malware onto a system, run it and then delete it. Typically the ways we see them do these kinds of deletions is either just via the Windows GUI if they've got GUI access, like the graphical interface of the systems that they're on; we often see them deleting stuff through PowerShell, which you'll see why is important in a second; and we sometimes see them use file deletion utilities such as SDelete and a bunch of others. Some ways in which I found finding evidence of deleted files, or figuring out how to recover those files, are using the $I30 file, which I'll explain in a moment, file carving, looking at PowerShell logs (hence the PowerShell stuff) and execution artifacts.

So the first thing is the $I30 file. Now if you have ever looked at an image of a system in some forensic software, you'll probably see that... oh no, it's not your fault, sorry guys, I'm going to have to do this again. Yes, okay, cool. So a $I30 file is a record which is in every directory in an NTFS system, and that record will contain a bunch of information about the files that are in that directory. Now the nice thing about $I30 is that it stores that information in a bit of a weird data structure. That data structure means that actually you can find evidence of records of files that have been previously deleted. Bear with me, it's awkward, isn't it. Right, there we go.

So the way you can use this file is you get it off your file system somehow, and there is a bunch of command line tools, such as INDXParse which is listed there, or other ones, which you can use to output a nice CSV file which will have a bunch of lines which include records that say that they have been deleted. Great resource. Most forensics collectors that I've seen around, including open source ones, won't collect this file or the contents of this file, so this is something that you might need to do extra. Also, if you're using a traditional forensics tool and you've got a disk image, in those rare cases that you do, you can also sometimes, depending on the tool, actually just click on the file and it will parse it for you.

So probably most people know this, but maybe you don't. In some types of file systems, when files are deleted, the contents on disk isn't actually overwritten; the contents is still there. There's just a special mark, or a special flag that gets set, that says that the place on the disk where that file was can be used, and the contents is still there until the operating system needs to use that space. So deleting a file might still leave it in the so-called slack space of the operating system. What this means is that you can go through this slack space and you can look for the header and footer of a file, or you can use a tool that will do this for you, preferably, and you can sometimes find evidence of deleted files and actually carve those files: so take all of the data in between the start and end of the file, take it out and then use that as you would any other regular file. And you can use this with all types of files, including files that have forensic data in them, such as Windows event logs for example. Still there? Cool.

So we often see threat actors using PowerShell to do stuff, and this includes deleting files. There's two specific places that we've seen threat actors not deleting, even though they are trying to delete the evidence of what they did on a system. Those places are the ConsoleHost_history file (you can see the path of the file just there), and there's also some Windows event logs called script block logs that log PowerShell execution on a system. And often you'll see threat actors deleting evidence of what they were doing but not deleting one of these files. So if you have that resource then you can just look at it and see at least what the threat actor has been deleting. And in this case, let's say that you see that the threat actor has been deleting a specific registry key on a system, and you see that in ConsoleHost_history. You can then go and look at the ConsoleHost_history on all of your systems within your whole environment and maybe find that in the other ConsoleHost_history files this is happening as well, and then that lets you know that the threat actor has been on the system and you need to investigate what was happening before and after. And you can use that as an IOC, or indicator of compromise, within itself. Cool.

Last one for file deletion is execution artifacts. So I'm not going to go through all of the artifacts that you can use to prove execution on a system. Just there you can definitely not see the contents, but that is part of a poster from a company called SANS, which is a really great resource, and it just lists a bunch of different places that you can look on a Windows system for evidence that something has been executed. Now you can use these execution artifacts to look for file wiping utilities being executed. Ones that we see over and over again are esite, KillDisk, File Shredder, BleachBit and CCleaner, but we see many, many others, and there are some threat actors now that use multiple different types of file wipers within one case. So we'll see one engagement with loads of different file wipers around. The difference between deleting something just kind of normally and with a file wiper is that the data is actually overwritten in this case, so you can't carve those files. And obviously if the data has been deleted with a file wiping utility, I haven't come across a case where we were able to get that back. However, you can use the execution of a file wiping utility as an indicator of compromise and look for that on other systems.

So, Windows event logs. Windows event logs are a log source on Windows systems that provide information about what's going on on your device. They are found in C:\Windows\System32\config, and we heavily rely on them in incident response to find evidence of everything from execution to lateral movement. It depends on your logging configuration, but they are very, very valuable. The problem is that threat actors often delete them, and you can see a bunch of examples of how they are deleted just there. But you can detect them being deleted, at the very least through the event logs themselves, also through PowerShell logging, which I've gone over before, and also through the execution, again which I've gone over before, of the Event Viewer utility sometimes. Obviously that in itself isn't proof, but it can be a good indicator that something weird has been going on if a compromised account is executing Event Viewer. So in terms of the event logs, maybe a bit small, but you can see that there is the 104 event log which shows the system log being cleared, 1102 again evidence of the event log being cleared, and also there's the 1100 event ID which shows that the event log service has been shut down.

But there are issues. So threat actors may delete event logs, but you might be thinking that's fine, I forward them to my SIEM, whatever. But threat actors can also actually interfere with the event logging service. There was a French guy called Benjamin that wanted to learn C a while ago and he ended up writing a tool called mimikatz, which is French slang for cute cat I believe. And now this tool is used by almost every threat actor out there as far as I can tell. This tool is interesting from an anti-forensics perspective because it actually has a module called event. This module can either clear the event log or it can patch the function within the event log service DLL to return before anything happens, so in that case you're not going to get any event logs written if your threat actor is running this. You also have tools such as Invoke-Phantom. This suspends all the... so if you look at the event log service, it runs under svchost, and it will just go into svchost and look at all of the event log service DLLs running under it, and it will kill them and suspend them. No event ID to do with stopping the event log service will be generated, at least in the cases that I've seen. However, the threat actor might do this but again forget to, for example, delete ConsoleHost_history, which shows you Invoke-Phantom being run, in which case you can just look for that.

You can also manually modify the event log file. I haven't actually seen this personally, but I've heard it does happen. Modifying your event log isn't that simple, so if you want to do it you have to stop the event log service, copy the event log file, modify your events and then recalculate the file header and the chunk headers within your event log file. However, apparently it does happen.

On Linux systems we also see threat actors setting the HISTFILE to /dev/null or using the unset HISTFILE command. Sorry, that looks weird, that should not be in that font; these are two separate things, it's not just one long command. Anyway, when this is done, commands don't get logged in bash history.

And there's also some really crazy tools that are used for event log record referencing, such as eventlogedit. I'll quickly explain this one. So eventlogedit is part of a tool that was found in the Shadow Brokers leaks, if anybody remembers that, and this one is quite cool because you can see the record header here. So this is an unchanged event log, this is a changed event log. Basically you set the size here in the event record header to be larger, and just overwrite the next event log, so in this case as a forensic analyst you're just blind to one event log not being there. There are ways to detect this: if you take the EVTX file, there's a company called Fox-IT that made a thing that can detect this, and you just run this script, I think called danderspritz-evtx, over the event log file, and yeah, you can detect it. But in general, yeah, kind of hard to find if you're not looking for it specifically.

Other issues that you may have is that your threat actor has just, yeah, encrypted your SIEM. So we see this actually somewhat often. So there are a few scenarios. One that we've seen is that there's threat actors doing encryption at the virtual disk level. So if you've got some virtualized infrastructure, maybe some systems running on ESXi for example, the threat actor will run some ransomware that will just encrypt every VMDK file that is running. In that case, if your SIEM is one of those VMDK files, yeah, you're screwed. Not great. We've also seen threat actors specifically delete the data partitions on a SIEM system. We actually never found how they did this specifically because there wasn't any evidence. And also we've seen some threat actors actually change logging configurations and security tooling, so for example omitting high severity events, or, yeah, for example if high severity events were sent to a specific email address, just removing that email address or changing it. Yeah, in that case if you've got auditing of that you could look for that, but I don't think I've... yeah, it's rare to see that. And then, yeah, I mean you can detect it because your SIEM doesn't work. Cool.

So the next one is bring your own VM. So this is an anti-forensic technique where threat actors will run a virtual machine or a container on the host that they are currently working on. So in this situation you can see usually some kind of evidence of virtualization programs being executed, so maybe downloading of some VMware tooling, which you could maybe go to your browser history, that kind of thing; you might be able to find that kind of thing, and then also just the execution of those tools. If you are lucky enough to have a disk image and you're able to carve files, I have been in situations where I can see that they've executed some virtualization stuff, and so I carve files and I find a VMDK file in slack space. Then you can take that VMDK file. Now theoretically, if it's still intact, you could take that VMDK file itself and run that in a forensic software, and if you're super lucky it'll work and you'll be able to get artifacts of what was happening within the VM itself. Personally I haven't come across that, but I guess in theory it is possible. However, something that you can do, and something that I was able to do on one case, is use strings searching to look for indicators of compromise within the VMDK file. And while you can't prove that something has happened, like execution for instance, just through strings, you can see for example strings of maybe an exfiltration utility, and you can maybe also see evidence of the threat actor grabbing a bunch of files via SMB from the host system, then creating a zip file, then running some virtualization stuff, and then that VM having, for example, S3 Browser or maybe some other exfiltration utility strings within it. And then you can go to the network logs and maybe confirm that there was some exfiltration from the VM within the machine that you're investigating.

Cloud stuff. So I haven't worked on that many cases that have cloud components in them. However, when we do work on such cases, in terms of forensics it really depends on the logging configurations of your customers, or logging configuration within your network. I think quite a lot of the time, yeah, if there's no logging you're going to be pretty blind. A lot of the time in the cloud the threat actor will spin up some kind of cloud resource. So I'm a bit biased to AWS, presumably because Azure customers go with Microsoft, etc. But for example, a threat actor might spin up an EC2 instance, do a bunch of bad stuff on it and then just delete it. In those cases, as far as I know, the evidence is gone; you're not going to get anything really. You may find evidence of them spinning up the EC2 instance and maybe tearing it down. One other issue that we've come across is threat actors using resources that use autoscaling. This means that when the resources aren't in use they are just torn down. In those cases, again, once stuff is gone it's gone. Honestly I don't know if that was used as an anti-forensics technique or if it was just what they used. Another thing is disabling or deleting logs. In terms of detection, again it depends on logging availability. If they're enabling autoscaling there's like the create auto scaling group and enable auto scaling group type logs that you can look for, or DeleteTrail logs for deleting CloudTrail logs. I guess you might notice that your AWS bill will get smaller if they deleted all your logging. Thank you for laughing. Cool.

So last thing: who actually uses anti-forensics? So all of these techniques that I've been describing, and especially the basic ones such as event log deletion and file deletion, I'm not actually attributing to any specific threat actor, because we see so many different threat actors, as well as unattributed incidents, where we see this happen. However, there are three specific threat actors that I wanted to speak about that we see using anti-forensics a lot. Those are Vice Spider, LightBasin and Scattered Spider.

So the first one is Vice Spider. Vice Spider is an e-crime group; you might also know them as Vice Society. If you've ever looked at their data leak site, it looks like GTA, it's quite cool, it's all pink, hence the logo with the car I guess. So in terms of the anti-forensics techniques that this group uses, number one is deletion via PowerShell through things like Remove-Item or reg delete; also removing ConsoleHost_history.txt or the contents of specific folders such as AppData\Local\Temp; also deleting registry values that would usually have forensic value, such as TypedPaths or RunMRU; as well as the destruction of the SIEM data partition. So in general, when working with this threat actor you'll come across systems where a lot of the registry has been wiped, especially the interesting registry keys; you don't have ConsoleHost_history; you don't have the contents of a lot of folders because they've just been deleted; you don't have a SIEM; and yeah, you don't have basically anything to investigate. So what do you do in that case? Let me introduce you to my favourite forensic artifact, the RDP bitmap cache.

So the RDP bitmap cache is... I'll explain in a second, but you can see here an extract of it. This is from a Vice Spider case, although I have to say that this group of commands (I'm not sure if you can see them at all, but they basically are doing all the things that are explained above, so for example deleting various registry keys, etc.)... sorry, just to finish off on that thought, this seems to be a group of commands that isn't just used by Vice Spider. So just in case anybody is using this talk and this screenshot as a way to attribute something to Vice Spider specifically: don't, because it looks like there are various threat actor groups that are actually using this exact sequence of commands. You can especially tell that it's this exact sequence of commands because there's actually no space in between this pipe and Stop-Process just there, which means it's just being copy-pasted out of somewhere.

Anyway, RDP bitmap cache. There is a bunch of files at that location listed in step one. So these files are generated when you have an RDP session. When you've got an RDP session from host A to host B, they are the cache files, as the name suggests, of the RDP session. I've heard, I don't know if it's true, that these cache files are generated by where the mouse is travelling in the RDP session itself, and apparently as humans, when we type something or we read something, sometimes we use the mouse to follow along. So that means that anything juicy in an RDP session may be visible in the RDP bitmap cache. But the problem with this artifact is that it's just a bunch of little cache tiles that don't show that much of the content of the screen. What you can do is you can parse these files using two tools, one from the French security team, one from the German security team (for some reason they love BMC). You can use one to get the tiles and then the other one to kind of arrange the tiles in a puzzle, like you can see there. As you can imagine, this is a really time consuming forensic artifact to look at. However, if you are working as a consultant or you're working with non-technical people, then it's a really good way to show somebody visually what a threat actor was actually doing on your system, because you can find what is essentially a screenshot of what the threat actor was seeing themselves. I don't think this is that funny, but my friends made me put it in. Yeah, you guys won. Cool.

Right, next one is LightBasin. LightBasin is an activity cluster that's been targeting telcos all around the world for a while, I think since 2016. One of the issues that my team has encountered when investigating LightBasin is that they use a custom tool called log bleach. Now log bleach deletes log entries on Unix systems. The problem with log bleach is that it will only delete the logs that are actually related to the threat actor's activity, which means that you end up with a system where there's been malicious activity but all of the logs from that activity specifically, well, aren't there anymore. Hard to investigate. Cool.

Scattered Spider. You may know them as well as, like, Octo something, or something Octo if you're Microsoft. They are a group that we've been, well, hammered with really recently. It's a group of teenage boys in the US and middle-aged men in Russia. They primarily start their activity with social engineering, which as everybody knows here is probably one of the most difficult things to prevent and protect against. They'll often call up the help desks of the companies that they are trying to target and they will, you know, have some kind of pretext like "oh, I've got an important presentation or something and I really need my username and password". They'll look up open source information on the victims that they're trying to impersonate, which is available online, and use that to convince the help desk people to, you know, reset their MFA number for example, or give them credentials in some other way. Once Scattered Spider is in your systems they move really fast and they do loads and loads of things. They also seem to know their way around lots of corporate SaaS software, so they know Workday way better than I ever will, for example. And when working on these cases you work with a lot of interesting log sources that I haven't worked with before, such as, yeah, SaaS logs. But they use a lot of anti-forensics tools, which is interesting because they don't tend to try and be particularly quiet. In fact you can really tell it's a bunch of teenagers because they will add a folder name called like "you" and it's like, why, why are you doing this? Anyway, but along with that, which I would say is a pretty good IOC and is very obvious as to who's doing things if they're doing that, they also use a lot of anti-forensics. One thing that they use is bring your own VM, extensively; the case I was talking about earlier is to do with Scattered Spider. They also end up using a lot of cloud resources that they either then delete or are in autoscaling groups, so are just deleted for them automatically. They also use BleachBit as well as a bunch of other file wiping utilities, and we've also seen them using two tools called covermyass and moonwalk. I guess from the back you might not be able to see that, so maybe I'll read it out. So covermyass is a tool that finds which log files exist on the system and then lets you choose which ones you want to erase. The files are overwritten with random data, so it's, yeah, hard to recover them. And then moonwalk will save the logs in the pre-exploitation state, and then once you're done doing your stuff you can reset the log to the state before you were doing stuff, leaving zero traces apart from the execution of moonwalk, which is a pretty good IOC.

So in terms of conclusion, there is a principle in classical forensics called Locard's exchange principle, which states that every contact leaves a trace. Even though it might seem a bit hopeless when your threat actors have deleted all of your data, you know, there's still things that you can look for, and you can at least find evidence that a threat actor has been on a system, because you can sometimes find evidence of the threat actor using anti-forensics techniques. Unless they've deleted your SIEM, yeah. I mean, at least you know they deleted your SIEM, right? So that was it, thank you very much. Any questions?
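Added example (mine, not the talk's and not Fox-IT's tool): a Python check for the eventlogedit trick the talk describes, where a record's size field is stretched so that a naive walk of the EVTX chunk steps straight over the record that follows. It assumes the EVTX framing constants noted in the comments (4096-byte file header, 64 KiB chunks with a 512-byte header, records framed as magic/size/record id/FILETIME/body/size copy); the records it builds are constructed filler, not real BinXML, since only the framing matters for the check.

```python
"""Flag EVTX records whose declared size no longer matches their trailing size copy,
and list the record ids hidden inside the stretched span."""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

RECORD_MAGIC = b"\x2a\x2a\x00\x00"
FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
FILE_HEADER_SIZE = 4096     # fixed-size file header
CHUNK_SIZE = 65536          # every chunk is 64 KiB
CHUNK_HEADER_SIZE = 512     # records start here inside a chunk
RECORD_HEADER_SIZE = 24     # magic(4) + size(4) + record id(8) + FILETIME(8)
MIN_RECORD_SIZE = RECORD_HEADER_SIZE + 4  # header plus trailing size copy


@dataclass
class Finding:
    record_id: int          # id of the record whose size field was stretched
    declared_size: int      # size stated in the record header
    trailing_size: int      # size copy found at the declared end of the record
    hidden_record_ids: List[int] = field(default_factory=list)


def build_record(record_id: int, filetime: int, payload: bytes) -> bytes:
    """Frame a payload as an EVTX record (constructed test data, not real BinXML)."""
    size = RECORD_HEADER_SIZE + len(payload) + 4
    return (RECORD_MAGIC + struct.pack("<IQQ", size, record_id, filetime)
            + payload + struct.pack("<I", size))


def scan_record_area(area: bytes) -> Tuple[List[int], List[Finding]]:
    """Walk records the way a naive parser would and flag inconsistent framing.

    Returns (record ids the naive walk sees, findings). A stretched size makes
    the trailing size copy disagree with the header, and the swallowed record's
    own magic is still present inside the declared span, so its id is recovered.
    """
    seen, findings = [], []
    off = 0
    while off + RECORD_HEADER_SIZE <= len(area) and area[off:off + 4] == RECORD_MAGIC:
        size, rec_id, _filetime = struct.unpack_from("<IQQ", area, off + 4)
        if size < MIN_RECORD_SIZE or off + size > len(area):
            break  # truncated or corrupt framing: stop rather than guess
        (trailing,) = struct.unpack_from("<I", area, off + size - 4)
        seen.append(rec_id)
        if trailing != size:
            hidden, end = [], off + size
            pos = area.find(RECORD_MAGIC, off + RECORD_HEADER_SIZE, end)
            while pos != -1 and pos + RECORD_HEADER_SIZE <= end:
                h_size, h_id, _ = struct.unpack_from("<IQQ", area, pos + 4)
                hidden.append(h_id)
                pos = area.find(RECORD_MAGIC, pos + max(h_size, 4), end)
            findings.append(Finding(rec_id, size, trailing, hidden))
        off += size
    return seen, findings


def scan_evtx(data: bytes) -> List[Finding]:
    """Apply the check to every chunk of an .evtx file image."""
    if data[:8] != FILE_MAGIC:
        raise ValueError("not an EVTX file")
    findings: List[Finding] = []
    for start in range(FILE_HEADER_SIZE, len(data) - CHUNK_SIZE + 1, CHUNK_SIZE):
        chunk = data[start:start + CHUNK_SIZE]
        if chunk[:8] != CHUNK_MAGIC:
            continue  # unused or damaged chunk
        findings.extend(scan_record_area(chunk[CHUNK_HEADER_SIZE:])[1])
    return findings


def wrap_as_evtx(area: bytes) -> bytes:
    """Pad a record area into a minimal one-chunk EVTX image (constructed; checksums
    and all header fields other than the magics are left zero)."""
    file_hdr = FILE_MAGIC.ljust(FILE_HEADER_SIZE, b"\x00")
    chunk = (CHUNK_MAGIC.ljust(CHUNK_HEADER_SIZE, b"\x00") + area).ljust(CHUNK_SIZE, b"\x00")
    return file_hdr + chunk


def demo_areas() -> Tuple[bytes, bytes]:
    """Three constructed records: clean, and with record 1 stretched over record 2."""
    ft = 133_000_000_000_000_000  # arbitrary FILETIME-sized value
    r1 = build_record(1, ft, b"A" * 40)       # 68 bytes
    r2 = build_record(2, ft + 1, b"B" * 56)   # 84 bytes
    r3 = build_record(3, ft + 2, b"C" * 32)   # 60 bytes
    clean = r1 + r2 + r3
    tampered = bytearray(clean)
    # eventlogedit-style edit: record 1 now claims to span record 2 as well
    struct.pack_into("<I", tampered, 4, len(r1) + len(r2))
    return clean, bytes(tampered)


if __name__ == "__main__":
    clean_area, tampered_area = demo_areas()
    for label, area in (("clean", clean_area), ("tampered", tampered_area)):
        ids, hits = scan_record_area(area)
        print(f"{label}: naive walk sees record ids {ids}")
        for f in hits:
            print(f"  record {f.record_id}: header size {f.declared_size} but trailing "
                  f"size {f.trailing_size}; hidden record ids {f.hidden_record_ids}")
```

On a real file, run `scan_evtx` over the bytes of an exported .evtx; a Finding with hidden record ids is the artifact to pivot on, since the stretched record itself is still readable.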

Any questions? There's a question over there. Which one do you want first? That one. I'm running. That one, sure. Sorry, no offense.

Hi, yeah, thanks for the talk, great talk. Just a quick question on attributing different APT groups and sort of e-crime groups: do you ever see any sort of groups attempting to mimic other groups, and if so, what are some of the differentiating factors that you use to sort of say, oh hey, this is this APT trying to mimic this APT?

Yeah, good question. In terms of attribution, I don't really do attribution myself. If I'm working a case and it feels like this threat actor or that threat actor because it looks similar to another case, I will talk to my intel team and tell them, and then they will tell me "no, you're wrong", usually. And in terms of how they do their attribution, I think it's based on a lot of different factors, not just the forensics evidence but also information they have from, you know, scanning the dark web, access to threat actor forums, all of these different things. Yeah, I mean attribution and threat intelligence is a whole topic, and to be honest I don't really know how to do it myself. But yeah, good question.

There was one on the other side of the room and then one there as well, just at the back there. Yep, the hand. Cool, perfect. If somebody on that side of the room could pick another question as well.

Hi, thanks for a great talk. I've got two questions, I suppose. The first question is, in terms of the volume of endpoints, what does a typical incident that you guys respond to look like? And the second question then is, when somebody has leveraged a cloud provider, do you find in general that the cloud provider will work with you, or do they tend to view you as competition and kind of not help you so much?

Okay, so first question, what is the volume of endpoints, so it's like how big are the networks that we usually work on. I mean, the smallest around 10K and up; sometimes there are smaller ones, but the upper limit, honestly I'm not sure, we've worked on some pretty big ones, and especially when you end up with hybrid environments where you've got a bunch of cloud resources, yeah, it can be big. And in terms of the... sorry, what was your second question? Oh, the cloud provider, if they work with us. I mean, I haven't come across the situation when a cloud provider has seen us as competition. We've definitely had scenarios where we needed some additional logs for some kind of software, maybe cloud-based software, and we've gone to, or our customer has gone to, their SaaS provider, and then they've gotten more logs. In terms of cloud providers themselves, I haven't come across that, I think. But I mean, in general we wouldn't be the people interfacing with the cloud provider, it would be our customer, and yeah, I mean, if you're a big customer of any company, yeah, you'll probably get good treatment. So it depends. Yeah, sorry, I don't have a better answer for you.

There was one more here, I don't know if we've got time for it. Yeah, sure.

When looking at bring your own VM, what's the kind of goal that an attacker has there? Because obviously a VM is virtual, you don't have access to the host machine, so what do they actually do with that VM?

Well, as far as I know, if you've got an EDR running on your host system it won't be running inside the VM, so there won't be telemetry from there. I think we've seen VMs used for exfil a bunch. Yeah, I mean, I think it's also that they can download a VM that has a specific tool set in it already, and then they just don't have to bother with getting tools from other places, to be honest, there's also that. But yeah, I mean, we have really little visibility into what's going on inside these virtual machines, so yeah, it's hard. I mean, I can guess, but it is just a guess because I haven't found one where we can actually take a look at what happened. Question? Thanks guys.