
We're going to talk about malware persistence. Anybody here do malware analysis or have to deal with ransomware or anything like that? Yeah, so you're probably familiar with the concept of persistence. So for me, that's a big picture. I lead the Brett Thornton cyber security services in Canada, so I've been in the industry for about 25 years. I'm out of Halifax, so I was trying to get as far away from the aftermath of the hurricane as possible. I came out here. No, I was actually here to do some work and figured I'd come out and attend the BSides, and I noticed they were looking for speakers, so I put my name in and they put me on as a speaker. So I do speak at a lot of different events, Black Hat, DEF CON, those kinds of conferences, on various subjects. My expertise is more in the critical infrastructure space, so operational technology and that kind of thing.

So, persistence. If you're familiar with the MITRE ATT&CK framework, it is one of the specific techniques that comes out. I'm not going to read the definition, but essentially, at the end of the day, it's about adversaries making sure that they can maintain a foothold in your environment. Specifically, what we'll talk about today is persistence within malware: once malware gets deployed on a machine or in an environment, what does the malware developer need to do to make sure that that malware stays resident for as long as possible?

So in the Windows world, and I'm going to focus mainly on Windows, I know this exists in other environments and other operating systems, but because we only have 50 minutes I'm going to focus on Windows. Persistence is not a bad thing. Persistence is something that is built into the Windows operating system because there are good uses for it, and those uses are referred to as auto-start extensibility points, or ASEPs. There are a lot of reasons we may have persistence in our Windows environment. Things like, who here runs Slack, for example? You want Slack to kind of be persistent, right? You don't want it to go away and then you miss messages. You might have something like the really annoying Cortana. Who loves Cortana? I don't know, when I'm installing Windows for the first time it's like, "how can I help you?" By turning you off. Or I run tools like Snagit, for example, if you want to do screenshots and that stuff. You don't want it to go away after the first time. So there are legitimate reasons for having ASEPs in your environment.

Now Windows is built around this concept, and of course any time you build something, somebody's going to take advantage of it, and that's why we have persistence with malware. So from the adversary's perspective, there are real reasons they're going to do this. Real-time mechanisms: it takes time to reach their goals, so in a lot of cases where we have malware that gets deployed, this is not something that's going to take five minutes for them to reach the goals that they're trying to reach. It's going to go on for a period of time, so there has to be persistence, right? They have to be able to survive a reboot. So this isn't always the likely case that it's going to happen, it doesn't always work out this way, but that's the premise that we're fighting for. So at the end of the day, I reboot my machine; that malware that got deployed, I don't want it to go away, I want it to come back on the reboot, right? And then obviously things like different tools, different techniques. And then from a post-incident perspective, it's things like re-establishing access or maintaining data collection. So things like backdoors that are built into malware: we want those backdoors to come back and we want them to be there, so that when the attacker needs to get back on that machine to do whatever he's doing, there is some way of doing that at the end of the day.

So how does that work? Well, I'm going to go through the various areas within the
Windows operating system where there are methods that attackers will use when they build malware to persist. The first one, and the most notable one, is the good old registry. So here I'm assuming everybody knows what the registry is. Everybody's been into regedit and whacked away some stuff and totally messed up a computer one time in their life. Well, the registry is essentially a database of all of your settings, options, values. It has basically an asset list of all the software you have installed, so any time that you install something, all of those settings get stored in the registry. And this is a persistent thing across all versions of Windows, so going back to previous versions of Windows, they've all had some form of registry at one point.

So when a program's installed, for example, it's going to install a new subkey in the registry, and that subkey is going to have those settings with regards to the program. So it could be things like where you've installed the program, the version, and it could be all kinds of other settings that are associated with that specific program. So here, for example, you can see installing the Brave browser; you can see the actual location of where the installer is.

Now there are places, and again when you look at this, think of the legitimate reasons why you would have this, but there are also obviously the illegitimate reasons why you would have this. So for example we have the keys Run and RunOnce. Anybody familiar with this? If you've been in this industry as long as I have, you've gone and you've tried to make things work over the years, you're like, hey, maybe I can get it to do this if I go and whack away at that registry key. So the Run and RunOnce keys are there to basically cause programs to run each time a user logs in. Run runs at every login, and RunOnce clears the registry key as soon as the command is run. So you can see here where they sit in the hive already. The attacker
will go and, when he's deploying his malware, he's going to write some registry keys to make sure that that program will run when the user logs in. If you're familiar with WannaCrypt, WannaCrypt used this type of persistence. So essentially, in the Run key, the Run key as part of the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE hives, it basically was starting this "task scheduler", so that this would persist every time the person would log into the machine.

Another area that we see in the registry is the BootExecute key. So part of Windows, there's a component called the Session Manager Subsystem, or smss. This executes during the startup process. It sets a whole bunch of things within Windows: things like your environment variables, it starts your kernel and user modes, it creates that page file, so when your machine has to swap out of your memory that page file is created, it starts the Windows logon manager. So it's that initial system that gets everything in Windows spinning initially. So smss launches before the Windows subsystem loads, and it causes a specific configuration subsystem to load the hive present at that location. It also will launch anything present in the BootExecute key. So what ends up happening is we can go and we can modify that. So if you go into Windows today and you look at that specific key, that BootExecute key in ControlSet001\Control\Session Manager, it should have that value in there, "autocheck autochk *". I can 100 percent say that that's what's going to be in there. So what malware developers like to do is they like to add something onto the end of that. So when Windows is loading up those initial components to be able to get Windows running, creating the page file, getting everything set up, it's also going to go in and launch whatever's in that key. So again, it's a place where you can hide the location and the path and the actual executable that you want to launch, in a very scary place here, because it's so much in the initial start of Windows that, for example, if you have an EDR tool or an antivirus, in a lot of cases it'll miss that, because it starts up before those services actually launch in Windows. So there are some very scary things that they do here to be able to bypass your EDR or your antivirus or whatever your security tools, because they're starting up so early in the boot process, at the kernel loading process stage.
Right. Another one that we see is this concept of the Winlogon helper DLL. So there's a key called the Userinit key. Again, the Windows Winlogon process uses the value specified in the Userinit key to launch logon scripts, and that's at this location, CurrentVersion\Winlogon. So this points to userinit.exe, but if this key is altered, then the exe will also launch during the Winlogon process. So for example you can see here we have that Userinit key. What the attacker could do is basically add something onto this value, again during that Winlogon process, to actually launch their malware as well. So it looks something like this: you can see here I have my typical Userinit, which points to my userinit.exe, but I'm concatenating command.exe on the end of it. So when that logon process happens, not only is userinit run, but it also runs my malware in the background, right? And again, all of these things happen so early in the Windows process that, in a lot of cases, they're really hard to capture by a lot of vendors out there.

We have the Notify key, very similar to the previous one. So this is part of the SAS process, when you do the Ctrl+Alt+Delete. So when you do that Ctrl+Alt+Delete, you can actually add, very similar, you can add an exe on the end of that. So these are used to notify event handlers when the SAS happens and loads a DLL. The DLL that's loaded can be edited to launch whatever you want at that Ctrl+Alt+Delete process, right?

Another interesting one is our good old explorer.exe. So essentially that points to your CurrentVersion\Winlogon\Shell, and that points to your explorer.exe, or your actual Windows subsystem, your Windows interface, right? The only thing that should be in there is explorer.exe. And again, malware developers like to use this key to add on extra bits to it, to be able to launch things as well as explorer.exe. So a good example of that, if you're familiar with Gazer, which is a backdoor piece of malware: essentially what Gazer was doing is that it was establishing persistence by setting the Shell value at explorer.exe with basically its malware path. So you can see in the example there we have our explorer.exe, and then I'm actually injecting that into a user.log 3 file into Explorer when it terminates. So there are a lot of things here, and again, I'm going to show you some ways of doing this, but unless you're actually looking at changes in the registry,
you're never going to know this is happening. There's nothing in Windows that'll actually come back and say, "oh, you made a change to the registry." And what is the biggest issue with the registry? Can anybody tell me? It's centralized, it's huge, but it's not forgiving. Like, if you go into the registry and you change something and you close the registry, there's no "do you really want to do that? Do you really, really want to do that?" And if you remove something from the registry, it's like when you're in Linux and everything's loaded up and you can start to just delete stuff, and you're not going to know that it's bad until you've rebooted the machine. That's the registry. You can smack away stuff in the registry, and then the time comes when you reboot your machine and it just doesn't work. So the registry is a very scary place, and that's why, from the perspective of this, there's lots that can be done.

We have our good old startup keys. These are very typical with the malware developers, being able to start things up on boot. So you can see those startup keys here: we have your Common Programs, your Common Start Menu, your Common Startup, New Templates. All those things can be modified to launch or persist malware as well. So here's a good example of a registry addition. You can see here that by running this registry addition we can actually add things like, here we have a launcher.lnk file, so we can actually point to a link file and basically launch an application that way, and that's on startup through the startup keys.

We have the startup folder itself. So this is kind of old school, and most people don't use this anymore. If you're as old as I am, you would have used it back in the Windows days, when you wanted to load up a program every time, like that really stupid screensaver you downloaded through your modem: you would add it to the startup folder. Well, it's still there and you can still use it. So it's in the AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder. You can copy things in there and they will load up. Now, they load up later in the boot process, so there is a good chance they'll be picked up by your EDR, but it is still there, and it is still a relatively easy thing that you can use to persist malware. The important note is that anything that gets executed will be under the context of the user logging in. So again, it's going to be based on the privileges of the user that's logging into the machine. So you could have stuff that's launching in that startup folder, because it's in that roaming directory, that won't run because it needs to have privileged access. But there is, of course, a system-wide startup folder in the ProgramData directory, and essentially anything that's put in there, when it loads into the system, no matter where they are, it's going to be executed with that privilege level. So there are a bunch of places they can be putting this at any given time. So here's an example: I've got a launcher shortcut here that is sitting in that ProgramData startup directory. Another good place we can actually persist our malware.

Does anybody have any questions so far? Yeah. The first one that you showed that loaded early, when you've got AppLocker, is that loaded before that hits, or is that loaded before the AppLocker service? After. Most app... same thing with, if you're running like Carbon Black, if you're running like a whitelisting solution? Yeah, after that. That key runs after Carbon Black and stuff loads? No, it runs before those tools. Right, yeah, so you're still screwed. Yeah, okay, okay. And what I'm going to show you afterwards is some non-commercial, free ways of actually doing this. There are ways to basically start to log certain things to look for these things, and I'll show you how to do that. I apologize, I've had like 12 cups of coffee, because I'm still on Halifax time and I was up, like, my wife called me at four o'clock this morning. She's like, "oh yeah, you're in Calgary, you were asleep." Like, thank you. Yeah, "do you know where those cans of super like?" No. And it's like, oh, go back to bed then. 4:30 she calls me: "I found them."
ERS so it would turn off echo, so you wouldn't see anything come back, and then it would essentially execute the command. So this was another common way that Gazer was using to establish its persistence.

Services. They all like the services, right? So this is another area. Again, your services are all controlled through the registry. The registry can be written, and it's very easy to write, and it'll allow you to do anything in there, so again attackers are going to go through the registry to get to your services. So for example, in the registry there are two areas where you're going to see your services run, RunServicesOnce and RunServices, as well as the main part of the hive, which is where your actual list of services are. So everything, when you go into your Microsoft Services applet and you see all the services listed, and then it has information like whether it's going to run automatically or manually, all that's stored in the registry. So you can make changes galore to your services without actually going into the Services applet, right? So think in your mind what a malware person can do with this, right?

So here's a really interesting one. Did you guys know this existed? So there is this really cool place that, if a service fails, you can actually tell it what to do if that service fails, and you have a bunch of different options. So for example you have a first failure, a second failure and subsequent failures. So a lot of people don't know this exists, but let's say you have a service running and that service goes to start and it fails. You can tell Windows what to do if it fails. Now in most cases nothing's really going to happen, but in some cases you can have it do things, and if you basically tell it to run a program, you put that program right in that little browser where you can go to find your exe, and you can save it. Now what do you think a malware person is going to do with this?

Okay, so here's a good example. So at the top I have the first way that malware developers use this: a registry key, because this is all stored in the registry, right? So you do a reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and I'm using the Fax service. Everybody uses fax, right? It's still there in Windows, it's still a service, the Fax service. So I have the service, /v FailureCommand, okay, /t REG_SZ, I'm going to add my key, and I'm going to put it to Temp\backdoor, okay. So you can see my little command prompt, I just ran a regular command line reg add, right? Operation completed successfully, and then when I look at my registry you can see right there, there's my FailureCommand, C:\Temp\backdoor.exe. So what you do is you go in, when you're building your malware, you figure out a way to kill the Fax service, and when the Fax service dies my backdoor opens. So all you have to do is look for... and that's when you have to kind of think about these things, in the life cycle of things. When you see those vulnerabilities and they say, oh, a vulnerability in this service, and if you do this it's going to cause the service to die, and you're like, oh well, it's never going to happen to me. Well, the malware guy is going to look at that, he's going to find that vulnerability, he's going to use that vulnerability as the starting process to kill it so that he could get his persistence. So you've got to think of it that way.

The other way you can do this is through a regular service control command, at the command line again. So if I do an sc failure fax and I pass the command, this works very well. You can see on the right-hand side there, my program is now C:\Windows\System32\backdoor.exe, excuse me, and in the corresponding registry setting there's my FailureCommand at backdoor.exe. So again, playing around with services, this is another way that we can actually get persistence. This is actually turning a denial-of-service attack into your remote code execution attack by sitting there, pretty much. So think of it, you're on your machine, like when you're looking at the crazy event logs, because everybody looks at those and you can glean everything from that, right? So you look at the event logs and it's like, service failed for unknown reason, because it doesn't... you're like, oh well, I guess I don't need the Fax service today. Meanwhile something else is running in the background, right?

Your file association keys, so this is an
interesting one as well, basically associating your file types to something else, okay? So that can be done in the registry, right? So here's a good example: I have the file association for .txt files. So a .txt, what would you default that to? Notepad, right? So what I'm going to do is I'm going to actually add a value in there, so when you open that with Notepad, something's going to happen. So here's a good example of that, right? I basically associated it with Notepad; it's still going to be Notepad that's going to open, but I'm also going to open netcat in the background. So essentially you double-click on any .txt file, my Notepad opens, and then my backdoor starts up in the background running netcat. Now I know obviously that's a bad example, because any antivirus tool today should pick that up, but you can see how easy it is to reassociate a file type and actually launch something in the background. And the great thing about it is, now this is very visible, because you actually see the netcat process in the background, but because Notepad starts up, nobody knows that anything bad's happening, right? "Oh, Notepad, okay, yeah, that's what I expected." So if you have the expectation and that works, well, then at the end of the day they don't know
anything's happening in the background. Anybody heard of the term DLL side-loading? This is a really cool one too. So everybody knows what a DLL is, right? Everybody knows that a DLL is very close to an exe file, it's just not executable. So your DLLs are basically your libraries that your exes are going to use, right? So all the things that an exe does: open a window, close the window, make a window look like this, put a pointer here, pointer there, open a network connection. All those things are functions that are stored in the DLL, and we do that so that basically our exes are not like 600 gigs in size, and because a lot of these functions are shared across all these different exes, there's no point in having them all buried into an exe, right?

So what we can do is we can play around with this, because the DLLs are there. We can actually play around and say, well, what if instead of opening the DLL that you're supposed to open, you open the DLL that I put on there, right? So when you go to open a Windows program, Windows actually goes through a list of common places to look for DLLs. So for example, if you're going to open a program and that program is going to look for a specific function, it's going to go through a bunch of places in Windows looking for that DLL. So for example, it's going to look in the directory where the application was launched, okay? So if it's a custom-built application and it has some custom DLLs, they're probably going to be in the directory where the exe is. So the first thing it's going to do, it's going to say, okay, does that DLL with that function exist in this directory? No, it doesn't. So the next place it's going to go is your Windows\System32 directory. It's going to do the same thing; it's going to say, is that DLL here with that function? No. It's going to go to the Windows directory and the current working directory, then the directories you have defined in your PATH variable that you set in Windows. Now, because this order does not change, we can actually go and find out where the best place to inject our DLL would be. So if we know, for example, that we are going to side-load into Microsoft Word, we know the DLLs, because we can use tools to figure this out, we know what DLLs it's going to use and we know where they are. So as long as we put our malicious DLL in the place prior to where the real DLL is, it's going to open ours before it opens the real one, and we can have all kinds of really good stuff in there. We could have the functions it's looking for, so it's legitimate, but we can also have some other good things in there to maintain persistence.

So for example, the really interesting thing that Microsoft came out with is they said, well, hang on, we know security, we're going to go and protect Windows against this. So we're going to create this thing called SafeDllSearchMode, okay? So if this is enabled in Windows, then the OS is going to check whether the DLL is already loaded in memory, or if it's part of the known DLL registry key, located in this KnownDLLs key in the registry. Again, what is the registry? It's a list of stuff that we can change. So we can just go and modify that KnownDLLs key, and we can basically add our malicious DLL to that list prior to doing what we're going to do. So there you go, Microsoft, we've foiled you again.

We have shortcut hijacking, which is another good one. So that's basically going and taking a shortcut to, say, a website. Someone creates a shortcut, we can go and change that. So essentially what happens is when Firefox or Chrome loads, it's actually going to load an evil website that's going to go download something, and it's
going to basically get installed for persistence reasons. So this is another one we can do to install backdoors. Good old APT29, or Cozy Bear, used a bunch of these techniques: things like a weaponized Windows shortcut that came down in a zip archive, through a browser shortcut, that basically launched Cobalt Strike as a backdoor. So a lot of these concepts are being actively used today by nation states and by various nefarious groups out there.

Scheduled tasks. We all schedule tasks. Here's a set of tasks that's going to run in Windows; it's going to launch an executable. Well, again, that is something we can change as well. We can go into our scheduled task list and we can basically modify or add in a scheduled task that's going to run. In this case I've got a PowerShell command, a little bit of encoding, and it looks very hard to understand, and we can get that to run on a regular basis. So with that scheduled task we can maintain persistence.

Another one that we see that's pretty popular is IFEO, or Image File Execution Options. So IFEO, if you're a developer, is a way of basically debugging file execution. So when you're going to launch an exe and something's going on with it, you want to debug it, you can actually go and set a debugger function in the registry for that specific exe. So in this CurrentVersion\Image File Execution Options, I would basically list the name of the executable, and then I would specify the path to the debugger. So when I launch the program, my debugger launches in the background and I can actually figure out why my program is not working. Now can anybody figure out what a malware developer would do with this? Well, does the debugger need to be a debugger? No, it probably doesn't. So you can see here I've got my debugger, and this is specifically for taskmanager.exe. It doesn't have to be like some new program; you can debug anything in Windows. So you all know what the Task Manager is, right? Ctrl+Alt+Delete, look at your tasks. So every time I hit Ctrl+Alt+Delete, it's going to go into the registry, it's going to see Task Manager in the Image File Execution Options registry, and it's going to basically say, I've got to launch the debugger. Well, what's my debugger? Well, it happens to be backdoor.exe. So you can see the persistence. You've got to think in your mind, like when you're developing malware, you think of all the places that a user is going to go to on a regular basis and how you can kind of attach to that. So you understand the psychology of a person when they use Windows: oh well, they click this, or they do this regularly, or they hit Ctrl+Alt+Delete. All those places, you try to find the most likely place that you can persist your malware, right?

So we're all familiar with the SolarWinds Sunburst thing. Anybody have any problems with that? I feel for you if you did. So I did a lot of incident response for this one. So they used the IFEO debugger registry value for the process dllhost.exe. Does anybody know what dllhost.exe is? What's dllhost.exe? Yeah, it's the pre-processor for DLLs. So you run a DLL and this is what connects your exes to your DLLs, right? So what they did is they put in a debugger for dllhost.exe, so literally anything you do in Windows is going to cause the debugger to run, but it's not really a debugger. What was happening, once they had a VBScript that was attached to that debugger, every time you would do anything in Windows it would launch the VBScript, the VBScript would activate Cobalt Strike in a process, and then basically they would have remote access to the machine. Yeah? Does the IFEO, when it launches that debugger, is it launched at the user level or at the system level?

It's at the user level.
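As an added example (not code from the talk or from any tool it mentions), here is a small Python audit of a .reg export for the registry auto-start points covered above: it decodes BootExecute, splits the Userinit list, and flags Shell changes, service FailureCommand values, IFEO Debugger values and encoded PowerShell or Temp-path Run entries. It assumes the input is text as written by `reg export`; SAMPLE_REG is constructed (taskmgr.exe being the real Task Manager binary name), and nothing here touches a live registry.

```python
"""Audit a Windows .reg export for the ASEPs the talk covers: Run/RunOnce,
BootExecute, Winlogon Userinit/Shell, service FailureCommand, IFEO Debugger.
Added example; assumes `reg export` text. SAMPLE_REG below is constructed."""
import re

# The talk: a clean machine carries exactly this in BootExecute.
CLEAN_BOOTEXECUTE = "autocheck autochk *"
# powershell ... -e / -ec / -enc / -encodedcommand <base64>
ENCODED_PS = re.compile(r"powershell.*\s-e(c|nc|ncodedcommand)?\s", re.I)


def _decode_hex7(blob: str) -> list[str]:
    """REG_MULTI_SZ is exported as hex(7):xx,xx,... of UTF-16LE strings."""
    raw = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", blob))
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Parse .reg text into {key_path: {value_name: value}}; REG_SZ is
    unescaped, REG_MULTI_SZ decoded to a list, other types kept raw."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join '\'-continued hex lines
    keys: dict[str, dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif "=" in line and current is not None:
            name, _, val = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if val.startswith("hex(7):"):
                keys[current][name] = _decode_hex7(val[len("hex(7):"):])
            elif val.startswith('"'):
                keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                keys[current][name] = val  # dword:..., hex:..., left as-is
    return keys


def audit(keys: dict[str, dict[str, object]]) -> list[tuple[str, str, str]]:
    """Return (asep, where, value) findings for the ASEPs the talk covers."""
    findings = []
    for path, values in keys.items():
        p, leaf = path.lower(), path.rsplit("\\", 1)[-1]
        if p.endswith("\\control\\session manager"):
            # anything beyond 'autocheck autochk *' runs before EDR services
            for entry in values.get("BootExecute", []):
                if entry.lower() != CLEAN_BOOTEXECUTE:
                    findings.append(("BootExecute", leaf, entry))
        elif p.endswith("\\winlogon"):
            # Userinit is comma-separated; only userinit.exe belongs there
            for entry in str(values.get("Userinit", "")).split(","):
                entry = entry.strip()
                if entry and not entry.lower().endswith("userinit.exe"):
                    findings.append(("Userinit", leaf, entry))
            shell = str(values.get("Shell", "explorer.exe"))
            if shell.lower() != "explorer.exe":
                findings.append(("Shell", leaf, shell))
        elif "\\services\\" in p and "FailureCommand" in values:
            findings.append(("FailureCommand", leaf, str(values["FailureCommand"])))
        elif "\\image file execution options\\" in p and "Debugger" in values:
            findings.append(("IFEO", leaf, str(values["Debugger"])))
        elif p.endswith(("\\run", "\\runonce")):
            for name, cmd in values.items():
                cmd = str(cmd)
                if ENCODED_PS.search(cmd) or "\\temp\\" in cmd.lower():
                    findings.append(("Run", name, cmd))
    return findings


# Constructed export: each key is one the talk names, with one planted value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,00,\
  61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,43,00,3a,00,5c,00,\
  54,00,65,00,6d,00,70,00,5c,00,62,00,64,00,2e,00,65,00,78,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Temp\\bd.exe"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax]
"Start"=dword:00000003
"FailureCommand"="C:\\Temp\\backdoor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Windows\\system32\\backdoor.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Slack"="C:\\Users\\alice\\AppData\\Local\\slack\\slack.exe --autostart"
"Updater"="powershell.exe -w hidden -enc SQBFAFgA"
"""


def report(text: str) -> list[str]:
    """One human-readable line per finding for a .reg export."""
    return [f"{asep:<15} {where:<16} {value}" for asep, where, value in audit(parse_reg(text))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REG)))
```

The Slack entry in the sample is left alone on purpose: a legitimate AppData autostart should not fire, while the five planted values do.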
And another one I wanted to add. This was a pretty interesting one; this is kind of an exotic method. Anybody familiar with LightNeuron, or the Turla APT group? This is a pretty recent one, and I added this recently because I found it very exotic. But this is one of those most recent Exchange vulnerabilities. We've been dealing with all those Exchange vulnerabilities lately. This one, basically, what they would do is they would install what they called the LightNeuron transport agent. If you're familiar with how Exchange works, your transport agents are what moves your email around, right? So they installed this malicious transport agent, and essentially what they would do is, once it was installed, they would email the vulnerable Exchange server. What they would do is they'd have these specially crafted PDF files, and what would happen was that LightNeuron transport agent would basically read that specially crafted PDF file, and they were able to actually execute commands against the system. So it was really interesting. So what would happen is you could do all kinds of different things: they could interact with the email on the server, but they could also execute actual commands, and this was a form of persistence for the Turla group when they were basically launching this campaign. So this is where you can get some very exotic forms of persistence, where you're using a specific vulnerability to take advantage of persistence, essentially.

Now, to get through all this, and I know this is all crazy and you're like, oh, I hate Windows, I'm going to go back to Ubuntu today: there are ways to get through this. Now again, I'm not crapping on EDR tools, they're all great, I know CrowdStrike's here, they're all good and I recommend them absolutely, but there are other ways, so we can add on to make things a little bit more safe. For example, there's a tool from Sysinternals called Autoruns. Anybody ever use Autoruns? Yeah.
So Autoruns is a Sysinternals tool. As you know, Sysinternals is part of Microsoft now, and what Autoruns does is it basically gives us a view of essentially everything on the machine, from your registry entries to your scheduled tasks, a whole bunch of things. It's very light, it doesn't need to be installed, it's a single application, and it gives you really cool things like this. So what it's basically telling you is, it's giving you a list of all your autoruns through all the various parts of the registry where this could exist, and the great thing is you can see the image path right away. So you can export this to Excel, you can do all kinds of really cool things to get a view of everything, because if you have to go through, now I didn't show you everything in the registry, but if you had to go through individually each key and start to look through things, you'd be here forever. So by using something like Autoruns you're able to do that. Now the really cool thing as well is it actually looks up sites like VirusTotal, so it does take some of this information and it basically looks it up on VirusTotal to see if anything comes out as noticeable, and it does score it against the different antivirus tools that it's looking for. So Autoruns, a really good tool, free, you can install it, download it, use it. Like I said, it was good enough that Microsoft bought it.

Regshot is another one. Anybody familiar with Regshot? This is one that, when I teach malware analysis, I show this to a lot of my students and they're like, where did this come from? It's like this little program that nobody knows about. So what Regshot does, we use this typically when we're doing malware analysis or reverse engineering or doing any kind of incident response. So what you do is you run Regshot; it doesn't need to be installed, it's a little program that runs on its own. So you install it on the machine you think has been compromised, and essentially what you do is you take a shot and it scans the machine, and it takes a listing of a whole bunch of things, okay? And then what you do is you then execute your malware on this system, and then you run another shot, and then it compares the two together and it finds... it looks kind of like this. So it creates a lot of stuff. So even if you're not in the malware game and you're just curious what happens when you run a program in Windows, run Regshot, do a shot, run your program, and then run Regshot again. The amount of footprint on Windows is insane, like the amount of times that it goes and it adds keys or it searches your registry, it's insane the amount of stuff it does. So you can see here what it's telling you is the amount of keys that were deleted, the amount of keys that were added, and the ones that were modified. So Regshot's really good at telling you what's being changed on your machine when a particular exe is being loaded. So a very, very good tool to have, and again it is free; you can download this and use it to your heart's content.

And then my favourite in this whole thing is good old Sysmon. So if you're not using Sysmon... I feel like Mark owes me like royalties on this, because I go and I talk, I actually do presentations and workshops on Sysmon itself. This is one of the best security tools I've ever used, and if you cannot install anything on your Windows machine except one tool, Sysmon is it, okay? So how many times have you gone into the registry... does anybody know what event ID 4688 is? Come on, you all know what 4688 is, right? Nobody? New process being created, yeah. So this is the crappy thing about
the registry right it has a lot of really useful information that nobody understands uh and and that's when it's giving you anything of of any value to begin with so what cisbon does is it essentially installs on your Windows machine it's very lightweight um and uh basically uses the process monitoring Foundation which Windows is using today um and you can track file network access anything like the newer versions now when you go to a website it'll actually track the DNS request in your log files it tracks everything and to the point where it does the most basic thing when you launch a new program and you see that 4688 you're like okay great lunch program well when I look at the
subsequent events in in sysmon which is an event one it has its own number in okay it creates its own log file in your event monitor so it doesn't overwrite any of your event logs it actually takes a hash of the program that was actually run when I ran that program so because I have that hash and if I find out that that hash is bad if I'm running system on on all my machines in my Enterprise I can go to something like Splunk and I could search all of my logs for that hash and I know where that malware has been it's like why aren't they doing that with with Microsoft I don't know
uh but we can find some really cool things with this if you look at it there's a couple of events like event 11 which is your file create event event 12 which is your register event or object create and delete in the registry object uh event 13 registry event uh value being set in the registry and registry event key and value renaming those events right there basically it's it's everything that we've been talking about so now I have a way of actually tracking this through the event log that is native to Windows okay so if you look at it for example we have our startup file detection so we've we've created malicious startup files right we can look for events in the
start folder we know where the startup folders are I showed you them we can look for events that are current in that startup folder with event uh the 11 or file creation that will point to a new file be created in that location right and then we could filter that down and then we can basically bring that into our splumps or whatever our Sims are and we can look for things that will be created in known startup folders right uh we have the registered run Keys detection so event event ID 12 points to actions and modifying the registry so we know again I showed you all the places where malware basically will modify the registry to maintain persistence so we
know where it's going to be so now if we can start to monitor those keys for things that are changing we get a bit of an idea if malware is starting to persist on our Network and we've actually used this and we've been able to stop ransomware from spreading in environments because we detect it once twice three times and that's where we sell okay now it's time to stop so we cut off the network and then we've infected we have three machines infected with ransomware as opposed to 600 machines effectively throughout some work right and the cool thing is this is what it looks like so it's a typical Event Event in the event law event ID 13 Source assist mod
and you can see our Target object HD local machine software Microsoft Windows current version run test run we actually could pick this information up um and then basically the really cool thing is if we're looking at the miter attack framework and if we can bring that information into our Sim we can actually start to feed intelligence into this so we can actually start to look for Behavior so you see how this is increasing again we now have Behavior through miter attack that we know that there's specific things are going to happen in specific places if we link the two together the data coming in from our machines and the miter attack threat intelligence and we look at that in our
Sim we can start to put two and two together right we can look for uh startup file creation so things like document files dot ps1s.back files being created in specific startup directories okay and then what uh what sysmon does that the event log doesn't do as well is it allows us to really Pare down what we're going to get so if we start to bring all this stuff into a SIM for example it's going to be a lot of data but what sysmon has done is they actually allow you to do conditions uh you can actually create conditions in the configuration of sysmon so in this case I don't want to look at everything being created I just want to find
anything in the start menu directory the startup directory and it has to end with back or commands unless and if it's something else I don't care about it don't log it but if it has that I want you to log in so you can do all of that and the really cool thing about sysmon is that configuration file you can load it live so what we've done is we've had configuration files that we use for breach response on a USB stick I'll go in and I'll load that right up and then it sets my machine to log breach response type details that I need and you can do that in real time you don't have to reboot don't have to do any of
that so you can see we have a Target file name uh users Amy Walsh app data roaming Microsoft Windows start menu program Startup shell dot command so again because I told that I wanted to see anything with a DOT CMD file in that startup directory it logged it for me right so in closing for right on time uh from a tools perspective uh collect the persistence mechanisms using single commands for specific techniques or tools for collection of a bunch at the same time don't rely on any single tool for answers like I showed you Auto runs I showed you uh um I showed you um you know a bunch of other tools it's always good to use a number of
tools when you're trying to do the analysis to see persistence so that you make sure that one tool is not Mis misreporting information analyze the command file hash file signer and file path information to Rich the information and more information through external Services there's all kinds of really good thread Intel out there miter is a good one that has some really good stuff the whole techniques area of persistence all that miter is is information on Behavior they've pulled off from Real World campaigns so using that stuff is a great way to enrich the information you have if the output doesn't help check the information gets other clients in your infrastructure it's essentially found on other hosts too and look for novelies an
exe is a file startup folder where normally link files should be replaced or look for IP address or web requests and scheduled tasks again looking at the way that Windows works and looking at the outliers of why why would it be doing that why would a scheduled task be going out to a server in North Korea you know why would a exe be in a place where a link file would be so starting to look at anomalies of why things are there in a lot of cases as I showed you the attackers basically turning Windows upside down to doing things that it's not really supposed to do and with that I open it to questions
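The Sysmon filtering the talk describes (log only new files in a Startup folder that end in .bat or .cmd, plus any change to the Run keys, while hashing every process start) written out as a Sysmon configuration. This is an added example, not a configuration from the talk or from Sysinternals; the rule names are made up for illustration and the schema version is an assumption that must match the installed Sysmon build.

```xml
<Sysmon schemaversion="4.90">
  <!-- Added example config, not from the talk. schemaversion must not exceed
       the installed build's schema (print it with: sysmon64 -? config). -->

  <!-- Event ID 1 (ProcessCreate) carries this hash, so a known-bad SHA256
       can be searched across every host's Sysmon log in the SIEM. -->
  <HashAlgorithms>sha256</HashAlgorithms>

  <EventFiltering>
    <!-- An empty exclude list excludes nothing: every process start is logged. -->
    <RuleGroup name="Process creates" groupRelation="or">
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>

    <!-- Event ID 11 (FileCreate): only files created inside a Startup folder
         whose name ends in .cmd or .bat are logged; everything else is dropped
         before it reaches the event log. Conditions are case-insensitive, and
         a Rule with groupRelation="and" requires both filters to match. -->
    <RuleGroup name="Startup folder scripts" groupRelation="or">
      <FileCreate onmatch="include">
        <Rule name="Startup folder .cmd created" groupRelation="and">
          <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
          <TargetFilename condition="end with">.cmd</TargetFilename>
        </Rule>
        <Rule name="Startup folder .bat created" groupRelation="and">
          <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
          <TargetFilename condition="end with">.bat</TargetFilename>
        </Rule>
      </FileCreate>
    </RuleGroup>

    <!-- Event IDs 12/13/14 (RegistryEvent): key create/delete, value set and
         rename. "contains" matches the Run and RunOnce keys under HKLM and
         under every loaded HKU hive, producing events like the talk's
         HKLM\Software\Microsoft\Windows\CurrentVersion\Run\testrun. -->
    <RuleGroup name="Run key persistence" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject name="Run key touched" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply it to a running Sysmon without a reboot with `sysmon64 -c startup-run.xml` (the "load it live" the talk mentions), or install fresh with `sysmon64 -accepteula -i startup-run.xml`.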
Anybody have any questions? You all look fatigued by the PowerPoint. You guys are going to have the slides, right? I think so; we'll validate that. If you don't, email me. Look, I work for a consulting firm, I'm not a sales guy, I'm not going to pitch you. If you guys have questions, come out and ask me questions; you know, that's why I have my personal email there. Don't worry, I always get the second guess, like, "well, we don't want to call him because he's going to try to pitch us." I'm not a salesperson. If you guys have questions, I'm more than happy to answer them, and you don't have to worry about there being any kind of sales pitch. So thank you, and thanks to... [Applause]