
The Monica Bellucci Fanclub - Detection and Defense Lessons Learned from the Trickbot Forum

BSides KC · 43:49 · Published 2022-10
Category: Technical
Style: Talk
About this talk
The Monica Bellucci Fanclub - Detection and Defense Lessons Learned from the Trickbot Forum

Jason Killam

When Ukraine was invaded by Russia, a researcher dumped the entire Conti Forum's chatlogs and the forum's guidebook for penetrating networks. Their forum ended up being a detection and defense goldmine, showing the tactics these ransomware operators used to fully compromise a network: privilege escalation, data exfiltration, reconnaissance techniques and so much more. In my talk I will cover the tactics, techniques and procedures that network defenders should look for, and the overarching advice I can give that can help catch ransomware operators and hopefully block them before the ReadMe.txt notes start popping up on people's desktops.

Jason Killam (Detection Engineer at Red Canary): I'm a detection engineer for Red Canary, former SOC monkey at Jack Henry and Associates, and a Cyber Warfare Operator with the US Air Force, hunting for APTs. I love Lego, long walks on the beach in Illinois/Missouri, playing Halo, and looking at evil processes at my job detectin' evil.

Transcript [en]

all right so I'm Jason Gilliam my talk is about the Monica blue Chief club which is actually the title like this DLC it's weird but it's for learning from like the trip up to Forum dump so uh I find cool detection rules at Ray Canary uh or a company that does like we're an MDR basically and some xdr things but uh we find detection rules and so I've seen ransomware happen a couple times we have different customers some come on in the middle of an engagement so sometimes you see different parts of the life cycle of ransomware and the circle of life uh sometimes into the beginning sometimes the middle sometimes it's at the end and

you see just ransomware being deployed uh I'm also an Air Force cyber operator which sounds really cool but it's pretty I think it's kind of it's kind of it is what it is uh I want me for for those people with no field numbers or whatever uh I went to Italy for an Air Force thing to do a CPT assessment of a network I came back with only four bottles of wine I should have came back with 24 like some other people in my group did with suitcases full of wine uh and then uh like I I like to think of myself as like a moth to a dumpster fire so like I just like

to like get drawn in by it and like look at the nuts the craziness that's happened in some of these places sometimes so I like to play with the data and spawn can kind of understand what's going on there and that kind of gave me some insight into what we're going to talk about too so I'd also like to say I appreciate that these badges go up to 11 because I mean if they went up to 10 that wouldn't be as cool so you know uh so as an overview the tripod Forum uh I highly recommend you I'm going to kind of walk through how I like parse this data and so you can do

it yourself because it's available online all publicly accessible yeah so I'd say I took away stuff that the detection engineer takes away so like I'm looking for things to detect whereas like a system might take away policy things or rent team or it might take away different cool techniques or tactics or whatever um yeah and then Conti's expanded but like really they didn't disappear they're they just spread into other groups so you'll see these kind of techniques used again in other groups and this stuff isn't specific to the ransomware per se it's the stuff that leads up to it so as a situation the situation unfolded in Ukraine in February uh this security researcher I actually had this as I

didn't know who it was and then I like saw his on his own Twitter he posted like the CNN interview with himself um and he said basically like he said he was a cyber security researcher and I.T guy and he just was somehow in this forum and just was like screw these guys or avoid the profanity and uh dumped everything online and I guess the FBI reached out to him and said hey could you stop not do that or whatever but he had dumped already a whole lot of data online so um we're gonna talk about what we can find through that um one of the things I noticed with a lot of when this was dumped was people

talked about the chat logs like creds on security and a whole bunch of stuff about like interpersonal relationships business operations of the whole thing and stuff like that but nobody really talked about that thing you can you can kind of see in in the red circle which is the Forum link leak and it was basically like a Playbook and if somebody if people are like cyber operators in the Air Force we have like a school we go to and it was kind of like that where it was just like here's how you do this thing here's how you do this thing and so this is kind of a collection of those things that I learned from it and more like detection

things that you can look for when you're if you see this in your network it's probably a bit a pretty bad sign so one of the problems with this was it was all Russian and I don't read Russian I'm not I'm not a Russian linguist so uh and it was also split across like like 50 or 60 text files so I just like you oh yeah and then so this guy the parmac posted it on GitHub and it's it's on there Publix accessible that's the link at the bottom you can go to it it's I wouldn't recommend downloading it because I download a government computer and it like a embarrass quarantined it it was kind of mad about that but um

uh this guy whoever ran this through a deep learning AI translating stuff or Google translate and some other stuff that guy's the building VP in this to me but I just I'm going through it and I kind of look found some cool stuff so I'm because I'm a hacker man I just took all the text files and just made one text file so that's all you all I had to do was just pipe it I made a mistake when I was doing this like well I was like oh I'll just send the text file to the same folder and that you know it looked through all the text files and found something on file and

then found another text file and dumped all that to the same file and it like kind of ended up in a loop for a bit until I figured that out but that's fine so who's Monica Bellucci she is an Italian actress and her name is in the top I don't know if people ever been on a website with like the breadcrumbs thing but like the title of the website is like the the first breadcrumb usually so her the name of the website was for some reason the Monica Bellucci fan club so I thought that was pretty funny and I ended up leader name like 100 times as I was going through this I dumped into

like Google Docs so you'll see some screenshots of um the formatted text from what from the working in Google Docs and I deleted and I have a name a bunch of times and it drove me nuts so so in general what tools they use is like a mixture of tools uh people who are in the red team or The Blue Team side of things a lot of it is low bins which is like any tool that's on Windows that's already there might be full uh anal test net Powershell most of the stuff you would expect basically um and then they use a lot of traditional Red Team Tools uh the ones that were in the document were Cobalt

strike rubies seat belts and sharp Chrome and I've seen most of these used in some form or in a like on red teams pen testers and and these guys um and then I also see some stuff I don't think I've seen a lot of written views uh we see some red teams here and there at work because because they're trying to test our detection rules uh but I saw our clone documentation for arkline engrock and AD find and Tor I think I left that one out there but uh and then server mode access tools which are like the examples I have here are any desk attera and like Splashtop but it seems like sometimes when they burn one tool they'll just

rotate to another so you can kind of just find if you can find them all and list them all that would be great but uh those are the one of the first ones that I could think of and any desk is partic is mentioned very specifically in the documentation so for low bins there wasn't much for that for that stuff like I don't think I even saw like cert util or any of those fancy low bins in here it was just mostly net NL test and and then I'll get to the Powershell stuff but like for the net stuff they're just usually looking for a domain admin and they're trying to find I think one

thing there was like net account which like gets you the password policy because they want to know how fast they can how how to not lock you out so like the the password tries and the poster policy and that kind of stuff um and I'll test is they use DC list specifically which gives them again a path to the domain controller they can find and some other stuff what you'll see sometimes is like domain trust all trust all this NL test stuff is not something people look for generally I think if there's not a lot of detection rules but like you can just look for all three of all those in one big list and

it'll probably catch some it's not common for admins to use this stuff so one of the first tools they mentioned and this is one I'm not familiar with so I don't have a lot of information about it and it didn't have a lot of context on how they use it it just had like the script for subdrill which again there's the link for it down at the bottom there uh it's kind of like a basically you give it a domain and it like spits out all the subdomains so if they want to find the exchange server from the outside or the domain controller the edfs stuff internal servers they're what your jump boxes may be are if they're

listed on the internet somehow so it'll go through a whole bunch of resource oh sent resources to find those subdomains and other stuff so it makes sense that they would use it but it wasn't clear exactly how they used it uh and so it's a surprise nobody thinks Cobalt strike uh if anybody's in security at all they're probably not surprised when they use it but a lot of the stuff they have was like how to set up a cool body strike server how to make it stealthy how to what's what operating system requirements are like there they say they use an Ubuntu server with um 16 gigs of data 500 SATA uh all that stuff so

this is pretty much what they use kind of their surf server and it has a whole giant list of like config scripts for that stuff yeah and so some of those things they use to make it more stealthy are something called C2 concealer from 40 North again I think I'll find like a lot of this stuff is like freely available online anybody can play with it so it's kind of cool for everybody out here if you can play with these tools and make your own Conti or simulated uh and personal experience when you're seeing Cobalt strike they don't put this much effort into making us healthy so like some of the defaults for Cobalt strike

we'll see in a second they randomized some of it but generally uh you'll see this is Cobalt strikeball at the top there that's a Twitter account they just post Cobalt strike information like their Spawn Two values which those are command lines so like I don't think you really see run dll 32 making a network connection without a command line it's pretty that's pretty weird so it's a pretty easy alert when things are going bad all of these if you see them without a command line and make the network connections is probably not a good sign um our Red Canary has a whole blog about Cobalt strike and how to and like stuff to look for with it there's tons of

research on that out there online this is another good one I saw was from uh Michael kazara uh but like it's just stuff out there everywhere just kind of finding the defaults because um you can change the defaults but these guys do not change the defaults sometimes like the what's it the the watermark is like just some is the same one every time so you'll start to see a lot of the defaults used and if you could detect all of the defaults and they change some of them you'll still catch them so one of the first things they use and again this is kind of like people think of Tor is like a browser to get to the

internet anonymously but like things are kind of the other way around they'll download they'll use it to basically anonymize their traffic coming in so we'll run the torque client on your Bot on the box they're on they're hopping from into your network and they'll basically redirect SSH RDP to the tour client and so yeah so here's an example this is from our own security platform for customer of some kind uh in this case it says Google updates.exe it is not Google updates it's tour and you can see the command line has NT service which allows it to run as a system service and F with a file with a file after it for the tour

um config which basically tells Tor like how to what what what node what kind of nodes to use and those all this other stuff and like to they can probably configure that to their heart's content or just use a default one again so some detection Logic for tour you can cut this is it's kind of a weird one to do because I had to when I was making this detector a while ago um you could look you have to one of these files related to Tor called the state lock or cached micro whatever that file and in an app data rolling tour folder and if they're running it as an NT service it's gonna not be a very

user like you would think that if people are familiar with Windows the app Deva roaming folder is usually under the user folder there's also one under Windows service profiles so it could be there as well so if you just see those those files popping up that's not a good sign if you just see the tour folder popping up that's probably not good either um and for us we don't we say ignore tour.exe because we're expecting it to be renamed so this is kind of the summary of how like that backdoor tour script gets set up first they download Tor or engrock which is another one we'll get to uh they'll download nssm which is the

not sucking service manager and we're getting toward at systemon.exe they'll oh yeah they run it they put it in windows.temp and again like some of this is like I wouldn't look for windows.tempt the system necessarily that's just one place they put it so don't get hung up on looking for it exactly there it could be anywhere but as long as you find a tour wherever it's at um yeah then they use nssm which is basically a tool to create Services it's a it's like a tool that basically is a chameleon tool to make services on a computer so uh then they install SSH and uh tour yep and start ball services and then they create a firewall to rules

allow SSH inbound so that's kind of how it works and that's like the the net sucking service manager's web page again like it's I think it's nssm.cc but so if you ever want to play with it like as an admin you could even use it because you want to make services or you just want to test some things so engrock is another tool I don't think I've hear much about but it's a it's kind of like torn except at the end Brock instance runs on the box and it connects to tunnel.ngrock.com and you'll see some of like the common um also rats use it like they'll they'll run their server on the other end on a

on and rock and use it to Beacon out but in this case they're using it the other way they're using it as an Ingress point to to get into your network uh within garage so here's this is literally from the angle Rock website like anybody can go here it's a free service so like this is like how to set it up you give it you down you unzip it you you give it an off token which is basically your key to to use that garage uh and then he has a help with a nice help dashboard help page and all sorts of nice documentation so it's very very easy for this for to use this stuff

and then here's an example this script is kind of hard to read so I'm just gonna like I talked through it a moment ago it just basically downloads it runs it from puts it in the renames it puts it in Windows 10 for what somewhere like if you saw Google updates or whatever that was uh and in this case and rock here is running with running from the same folder system not this long uh I've seen it run on some other places and you see it make a connection out to Tunnel done and grow up.com so yep yeah so the remote access tools like I said um third documentation specifically calls out how to download any desk and

run it from like usually the program data folder or something weird you can basically just look for activity related to any of these tools if you see any desk in your environment with net support you just kind of want to you probably just figure out if you use it to use VNC do you use uh what was it teams here or something like that all this stuff just net support especially I think it's used legitimately by like schools but for the most part I don't see it used legitimately so it's it's pretty weird aterra uh and any desk and yeah I think our uh I I helped helped write a blog with Justin schoenefeld at

Red Canary about rats and it's kind of cool it's got a bunch of detection logic in it as well so if you have a chance check that out it's got some other some additional things you can try and then the next tool they use is called sharp Chrome uh it's kind of as it sounds it does stuff with chrome it basically dumps passwords from chrome it takes the whole password database and just dumps it to the screen Loop they seem to use it with when they take when they dump the passwords they dump them into a list and then they dump and they use it for a um another script called invoke SMB Auto boot which we'll get to

in a second but they they seem to like it to escalate things some other powerful stuff they use there's power supply power SQL and Empire view is kind of a red team tool to basically get reconnaissance in the network things that mostly to find a network admin they like they just say give me all the users with an admin account of one or whatever and then they'll look through those and try to find the guy that's like director of I.T or is obviously going to have like domain admin privileges so from there and then they'll and then also they'll use Kurt Rose which if you guys aren't familiar with programs it basically you can run it on against

um the network and you can kind of get hashes back and dump hashes to the screen and then they can again use those to Pivot through the network and stuff or crack them offline and have the actual password with a lot of hashes you don't actually even have to crack the password you just have to have the hash to authenticate so yeah Conti likes to use some of these to basically just pivot into users and they'll just sometimes they'll like I said they'll take that hash and uh crack it with a hash cat offline oh yeah and then they use far sorry uh power up the SQL level is basically a tool that lets you exploit the SQL

servers they didn't really talk how do they use it much but like it makes sense that they're going to want to steal all the data out of a SQL database probably so it it pretty much makes sense but for the Powershell this is kind of the example of the script I'll just kind of like hit the points they're looking through this domain which is actually I think a domain it's a real domain I looked up online construction I'm not sure what happened there I didn't see any like news announcements but like a lot of these are really small companies they're getting targeted which is which really suck for those people because they probably don't have a dedicated security

team to properly secure things uh they basically run in the Auto Group Powershell script with a password list uh like they took the list from sharp Chrome they'll say they use like spring 2020 or whatever year it is because people use that password those kind of passwords what was it fall 2020 Autumn 2021 with exclamation marks and some other stuff thrown in so this is really easy stuff to like crack in the hashcat because it's like people do this um yeah so they have some example passwords they use here password one welcome one a keyboard walk for people that think they're being sneaky with their random password that's a keyboard walk it's not as good as you think it is

um in this case they you know they take the list of passwords they found from the list and then they they combine it with like a rock you or some kind of popular password list like that and then they run it and they see the result which in this case they got two admins uh with the same password and they scramble to make domain Evans so curb roasting uh again if people aren't familiar it basically allows you to get a hash from the network interaction and get that and then they can take that hash they can dump all those hashes to a list and then craft them in hashket yeah so you should just look for that on

the list if you see rubyus.exe or Kerberos and a command line that's probably not a good sign um and again Ray Canary does have a Blog about kerberosting they have a whole documentation on it with the guy who made Kerberos which is kind of cool uh yeah and then here's from the script uh they run it with a list of hashes um with looking for an admin account and crack it and then they have some commandment options in here and they dump it to program data which again like for people that look at like stuff that happens in a box there's not a lot of stuff that gets written to the root of current data so

that's probably another thing you could always look for is just like who's writing text files to program you know that's kind of weird so and another tool they use this is AD find I see this one also with a lot in cubot which is another malware family that is like a bot that would lead into Conti or some other ransomware group they'll usually one of the first things they start running is if somebody has hands on keyboard is uh is 85 which basically is a tool to enumerate the the active directory Network and find all the users they want to find so uh they're they're got their guidance on how to use it and how it parse through

it is pretty extensive they're like look for look for users with an admin or it you keep some keywords and then pivot to that guy and opponent him or whatever yeah and then from 85 this is like some of the stuff they run in 85 there's a whole bunch of command line options they run uh and they get like basically groups uh oh you use a list of computers users subnets and Trust dump enough it's familiar with that one but it's an option in 80 fine that gets like I'm guessing the active directory trusts and stuff and then yep and then they say let's look into 80 fine at home and um they can find the users they want to

find from there so seat belt is a tool uh from Ghost pack and it basically lets them right when you run into a box it gives them possible safety checks or opportunities for privilege escalation and unlike when you do run it it just gives you a whole bunch of reconnaissance bit specific to that host so they'll probably run it on a box to look into Escalade privileges on or find some different pivoting opportunities because they want to get they probably want to run as like a NT service so they can ex they can dump out things that are really sensitive which you need to have like super Adventures that just work so the next tool they use again this

this to me like when I when I hear like people say this to the thing is net gpp password it basically looks for passwords stored and clear text on in your active directory scripts which sounds like that can't it can't be that easy but I guess a lot of older I.T uses like the password in the command line of when running certain things so it's I don't know how often it works but I would hope not often but if it does work they have a password right there for probably what is a domain admin or an account that at least is valid and several places on the network so they can they also use it like in

their documentation they use netgpp.exe so they're compiling some of these Powershell scripts into binaries so you won't necessarily see the PowerSchool script running you'll see like a weird exp with the command lines for net gpp so like one of the detection rules we use sometimes is like if it's a random binary but it has like the command lines specific to like net gpp that's probably a pretty big print flag that somebody's trying to do some stuff another tool they use is sharp view it's basically just Power view but in C sharp so it's again it's compiled which I I guess I'm sensing the theme here and in general they kind of use it to find the

domain user locations so like again they find that admin they got to figure out how to get to his box to get like more passwords and credentials off of them so they'll they'll they'll use it to basically find oh I got the admin um I'm going to find users location and see all the computers he's logged into at the network and then I'll look through that list and find the guy's laptop and then go on there so yeah and then you can get that one that one's on to bore a threat on GitHub and you can just download and use it so I would recommend if you have a lab at your work or at least you have like some

place to play with these tools or like just if you're on the security team just tell everybody you're running these tools and just play with them because they're they're not in themselves malicious they're not gonna just hone your network by themselves they're how they're used that they pull their Network so and then this is a tool that's called zero login they they need zero.exe and it's basically they said it's a tool of their own making which I it's very much doubt but whatever it exploits this is like the only cve that I've I saw in the whole documentation and it basically allows them getting unauthenticated remote code execution on the domain controller which again is like their

keys their their final goal is probably the domain controller because they want to get on there and dump some stuff and tone that pulling that stuff so they'll pivot up through with that to get on the domain explore sometimes if that vulnerability is attached yep and then here's an example of how they use it here's like command line options it takes they take the domain controller name and like possible commands to run or run as a user um and some other stuff so I haven't run this for myself I don't know how to I might have to look around to see how if I can but I don't have a I don't have a lab Network that has a

domain controller right now so I don't play for the end these are some sneaky registry hacks I actually just added these in last night because I was like I was thinking about this as I was finishing up these slides like oh man these are just like some cool things they do and I'm I'm kind of a Windows registry nerd because I did a I did a b size [ __ ] a few years ago at besides Springfield and I talked about what was it uh Eric Zimmerman's registry tools anyways um some registry hacks that they add this there's entries in the registry if you add something to the special accounts list you can make that user

account not appear at the login screen which sounds pretty useful if you're adding a bunch of use to the network or adding an admin on all the boxes for them uh they actually changed the default RDP port on that box which again is pretty is I thought was pretty sneaky I didn't even think about I mean I didn't think you could I mean now that makes sense but like I didn't even think you would do that that's freaking nuts and so then they'll also be an accompanying um firewall rule to allow that Newport that they've added and in their example it was like 13 15. yeah and here's an example of some of this stuff I just mentioned they they're

downloading any desk here and installing it uh to program data and they're running it silently obviously they're not going to have it pop up on the screen um and then they'll set a password for it in that case whatever that is with the J at the top at the middle there uh and then now again they make it they make a new user called Old administrator they're trying to blend in with your network that's that they probably don't know who what they expect hold administrator here and then they add that user to the administrators and they add it to the user list special accounts so this is like an admin account they're added in that local box and they're hiding from

the from that from that computer um so so like some places might be like oh there's a new user on my my login screen that's weird that that would probably obviously trigger some kind of incident response they're kind of smart about it and then the uh they and here they change the new RDP Port they allow and let us uh in this case we're using Powershell and they're just basically allowing the RDP Port impound from for 1350. um and then again they're changing the port for RDP and they're restarting terminal Services which is what controls your RDP stuff so this is some other stuff they do from previously escalation it's some some stuff like they're proof or path to

privilege escalation to me is like a lot simpler than I expected they're gonna basically find that admin uh you sure if you find the workstation like I said uh use pass the hash like specifically mentioned using that with global strike and some other stuff once they get that hash and then they'll look through that computer for all the sensitive stuff on that person's computer that they might be able to use to to escalate the Privileges together because they're they need to basically get all the passwords they need passwords to like uh like your Synology your all your backup stuff they need the passwords for not just that guys can that guy's credentials about all the password

credentials probably for the entire network so you have to imagine there's a lot a lot of a lot of possible credentials they need for a given Network so approval distillation again this is kind of the screenshots for my documentation uh I'll try to make these slides available on GitHub on my on my personal GitHub later after this too by the way oh I forgot how to share that uh so again the one of the things I thought that was funny was they're like now a noob or whatever would just drop a beacon on this guy's box but that's not what we're doing we're gonna be sneaky about it they're like we're gonna remote into this guy's machine using a file

share um I don't know if anybody's ever worked in IR but like um sometimes you get alert on a given person's computer box and you just like type Windows run and that computer names C dollar this is kind of that same thing they're doing it in their way because in the context that they're working from they're working probably from a Linux box that's authenticated to the network and pivoting through that so they have to remote into that machine somehow so the remote and using like filezilla or some other tool and they'll start looking through folders they'll look through OneDrive the downloads folder the desktop and I'd like to schedule does it look like this guy has a bunch

of admin tools yep he's an admin so that looks after the local roaming this is kind of in in Windows context this is kind of like where configurations are stored or databases are stored your password database for Chrome is store here um keypads on the top right there they look for that and then they're also just like it sometimes happens that there's just passwords.txt on the desktop for passwords.x on the in this example or access.xls and again like like the net GPB that sounds really stupid why would anybody do that but it's literally another documentation so I'm pretty sure it works for them at least once or twice so and then they also say to download

the Outlook file. Again, if you've ever logged into Outlook for the first time it takes forever to load, it's because it's caching that entire inbox onto that computer so next time you open Outlook it just pops right open. So for them, they take that whole cached Outlook file, the OST file, and then they take that off network and they'll sift through it and try to find some more passwords. I think they're usually looking for, what's it called, your ransomware recovery policy with an insurer of some kind, so that they can know how much to charge you, because they know how much what

your limit is for that. And then they also look for FileZilla; for people that have used FileZilla before, it stores the credentials, I think in clear text, inside FileZilla on that computer. So it's a lot worse than the Teams vulnerability that people were going on about lately. And then NTDS dumping. I had a game over picture for this, but it's not quite game over if they dump NTDS, because it's like Capture the Flag or red versus blue where he's got the flag and he's like, now what, where do I go with this thing or whatever. But one thing they usually do is they just

run ntdsutil, and sometimes you get kicked off the network for doing this because obviously that's a pretty big red flag to be using that. And so another thing that's sneakier, which again I hadn't heard of, but this is pretty smart: they enable volume shadow copies on that domain controller and then they find the shadow copy path, which if you've used vssadmin it's kind of weird, it gives you a \\HarddiskVolume something-or-other disk thing, so they can get into that and then find the ntds file that's been snapshotted and steal it from there. So then you're not running ntdsutil,

you're only running vssadmin. But running vssadmin on a domain controller, again, is pretty weird, so if you see the volume shadow copies being

turned on in general it's probably weird, because it's probably something you do when the computer is first set up, not something you're going to turn off and on all the time, unless next time the credential rotation comes around. And if so, they're still authenticating with the network, and then if they see that happening they can probably still use their credentials for a little bit longer, enough to recover or whatever they need to do to basically get back in the network before their credential expired. So if you go twice it forces that authentication to happen right then and there instead of later, I don't know,

it might be a day, sometimes it just depends on the network. Oh yeah, so they can come right back with like one ticket, which is what they call that. So this is kind of a screenshot from their documentation, something that I was talking about with the vssadmin stuff. So basically they're running it against the domain controller from another box sometimes, so you'll see wmic with vssadmin and some commands to maybe turn on shadow copies, and then they'll 7-Zip it out of there off that box, or just read it straight from the domain controller file sharing and dump it. So I haven't seen it used

like this, but I actually made a detector for this, and then we saw a different ransomware group just enabling VSS right on the box, they weren't even remoting into it. So that was kind of awesome, to see it immediately pay off for me. So another tool, again, FileZilla is a file sharing tool. I mean, I wouldn't look for FileZilla on your network because it's very common for admins to use it, or just people doing their jobs with files on your network, but maybe if you see Jan in HR using FileZilla that's kind of weird. But they actually use it from the other

side, from that Linux machine that you have no control over. A lot of these ransomware incidents I've noticed come from a VPN-authenticated user, so you kind of have to find that user that's authenticated on the VPN, and they remote through that to mount the file shares on that box they're trying to pwn. Next tool to use is called rclone; again, this is a freely available tool, it's similar to rsync, it basically allows you to sync your files across the network, which if you're thinking about it is not good if you don't have control over who's syncing those files, that's not great. With, I forgot his name,

with the AI talk, I think some of these network connections aren't to the same host, they're like thousands of connections sometimes, because sometimes they're using MEGAsync or some other cloud provider to send these files out. So I don't know how that would look, but it would be a lot of files going out from one box, so you have a common source host but not a common destination, so you could probably tune the rules somehow. Again, we did a really good blog on rclone, we called it Rclone Wars because it came out on May the 4th, so I thought that was kind of awesome. There's a lot of, again, with

rclone you just kind of look for the command lines that are big red flags that it's being used on the network, because you'll find some users syncing files once in a while but generally it's not used that much, so it's a pretty good tool. And they have a lot of documentation, in Conti's documentation, on how to use it, and the documentation for rclone is freely available online at rclone.org. So yeah, Justin Schoenfeld and Aaron Didier did a pretty good blog on rclone, so I recommend it. The next one, the other thing I thought was kind of

notable: they have a bunch of different stuff for different vendors like this, but they decrypt the passwords from Veeam, which for people that haven't used it before allows you to back up your VMs, hence the name. They run a command down at the bottom there that basically uses SQL to dump the contents of the Veeam database, and from there they actually have a .NET script file that they compile and run against this and it gives them all the Veeam passwords. Again, they're trying to get credentials to everything so that they can delete everything or steal everything or whatever they want to do.

So then they stop all the things. They have a ginormous script that was like three or four pages long with different command lines to run to stop various different things, because they're about to encrypt everything. So when they encrypt things like a database they have to have that database stopped; if people try to use files on Windows, if you try to drag a file somewhere else that's in use, it complains or whatever, so they avoid that by stopping everything and encrypting it right after. So if you see this one that's probably not good, and it's probably this close to game over, if it isn't already

starting to encrypt things. So in summary, some things I recommend: read the manual. You can learn a lot from some of these tools just by using them and finding the documentation online, for SharpChrome, for rclone, for all this stuff, you can just kind of use it. I mean, I wouldn't recommend using the remote desktop tools without prior approval for that, but most of these tools don't even leave the network. So play with rclone, I'd say set up a server and exfil a file or two and just see what it looks like, see what your SIEM triggers, if your SIEM triggers on anything, or if it doesn't, figure out how to make a

trigger on something. Conti is disbanded, but again, I've seen all these tools used repeatedly. I've been at Red Canary for like three years, so I've seen these tools from day one, I think I've seen a lot of these tools over and over again. So again, like SANS says, know normal, find evil. So yeah, just kind of learn your network, what's normal. If you run across an alert that's a false positive, that's also an opportunity to learn what that normal process looks like and why it triggered your rule, that sucks or whatever, so look through it and be like, okay, this is normal because of

this, so now I understand what it looks like when it's normal. Next time I have this alert I can know what to look for that's different from what I saw last time or whatever, and then as you do it over the years it gets easier. And then zero days: there's zero zero days in this, really. Most of these exploits are not zero days, it's like Microsoft patches it and, what was it, the SMB one, it was several months after Microsoft patched it that the WannaCry stuff started running around the network. So I mean, if it's an unauthenticated remote

code execution vulnerability you should probably patch as quickly as possible, but also don't get caught up on a zero day that's happening right now, get caught up on the zero days that are like a month old or several months old and you haven't patched yet, a remote code execution. Those are probably more important than the one coming out today, because those aren't going to get exploited today, those are going to get exploited months from now. That's it, Q&A. Okay, what's your GitHub? Oh, it's over here. Sure, I had the Ghost type thing up because I had to read about how it works again. I have a personal one, that was my work

Red Canary one. I think it's killamjr. I'm on Twitter as killamjr, I forgot to even mention that, I'm the suspicious link guy. Yeah, I believe I'm killamjr, I just totally spaced on adding that. I'll post it on my Twitter, that'll work.

Oh yeah, I forgot to pull this up. So again, this is the ContiLeaks Twitter account, he just posts this stuff right on Twitter, all the files, they're all right here. He even talks about something a little bit, oh, there's even some Van Lines in here, this is what gets me excited, files, different stuff, he's just posting stuff, and I guess somebody's like, hey, can you not do that please, because that's bad. Yeah, that's me. I haven't posted in a while because, I don't know, it's hard to share stuff, and that's, yeah, all that stuff. So yeah, I haven't posted in a while, I try to post when I can, but

it hasn't happened as often, but I'll post my slides to the talk there. Yep, killamjr, it's my last name, first two initials. So, thanks.
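The detection ideas from the talk (shadow-copy activity on a domain controller, a snapshot path or ntds.dit in a command line, rclone command lines, and one source host fanning out to many destinations) worked through as an added example. This is constructed code, not the speaker's or Red Canary's detector; the hosts, command lines and flow records are made up, and the 50-destination threshold is an assumption to tune per network.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, host_is_domain_controller, image, command line).
EVENTS = [
    ("DC01", True, "vssadmin.exe", "vssadmin create shadow /for=C:"),
    ("WS-JAN", False, "wmic.exe", "wmic /node:DC01 shadowcopy call create Volume=C:\\"),
    ("DC01", True, "7z.exe", r"7z a C:\temp\out.7z \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit"),
    ("WS-BUILD", False, "vssadmin.exe", "vssadmin list shadows"),
    ("WS-JAN", False, "rclone.exe", r"rclone copy D:\Finance remote:drop --transfers 32"),
    ("WS-BOB", False, "robocopy.exe", r"robocopy D:\Share \\fs01\share /mir"),
]
# Constructed flow records (source, destination): WS-JAN reaches 60 distinct TEST-NET-2 addresses.
FLOWS = [("WS-JAN", f"198.51.100.{i}") for i in range(1, 61)] + [("WS-BOB", "10.0.0.5")] * 20

SHADOW_RE = re.compile(r"\b(create|list)\s+shadow|shadowcopy\s+call\s+create", re.I)
NTDS_RE = re.compile(r"ntds\.dit|\bntdsutil\b|HarddiskVolumeShadowCopy", re.I)
RCLONE_RE = re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)

def classify(host, is_dc, image, cmdline):
    """Return the detection tags one event triggers; an empty list means nothing fired."""
    tags = []
    image = image.lower()
    if image in {"vssadmin.exe", "wmic.exe"} and SHADOW_RE.search(cmdline):
        if is_dc:
            tags.append("shadow_copy_on_dc")      # the ntds.dit snapshot trick from the talk
        elif "/node:" in cmdline.lower():
            tags.append("shadow_copy_remote")     # wmic driven at another box
        else:
            tags.append("shadow_copy_local")      # normal at setup time, worth a look otherwise
    if NTDS_RE.search(cmdline):
        tags.append("ntds_touch")                 # ntds.dit or a snapshot path in the command line
    if image == "rclone.exe" or RCLONE_RE.search(cmdline):
        tags.append("rclone_transfer")            # the command line, not just the binary name
    return tags

def triage(events):
    """Map each host to the tags its events raised, dropping hosts with nothing to show."""
    by_host = defaultdict(list)
    for host, is_dc, image, cmdline in events:
        by_host[host].extend(classify(host, is_dc, image, cmdline))
    return {h: t for h, t in by_host.items() if t}

def fan_out_hosts(flows, min_destinations=50):
    """Common source, no common destination: hosts talking to many distinct peers."""
    dests = defaultdict(set)
    for src, dst in flows:
        dests[src].add(dst)
    return sorted(h for h, d in dests.items() if len(d) >= min_destinations)
```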