
Threat hunting: Using MITRE ATT&CK against Carbanak malware

BSidesSF · 2022 · 50:58 · 740 views · Published 2022-07 · Watch on YouTube ↗
About this talk
This talk demonstrates the MITRE ATT&CK Framework applied to threat hunting using Carbanak, a sophisticated banking trojan. The speaker walks through the malware's attack chain—from phishing emails through command execution, lateral movement, privilege escalation, and persistence—showing threat hunters how to detect and respond to advanced threats that evade automated systems.
Amol Sarwate - Threat hunting: Using MITRE ATT&CK against Carbanak malware This talk demonstrates the MITRE ATT&CK Framework in action for threat hunting with the example of 'Carbanak' backdoor which was designed specifically for banking applications. Sched: https://bsidessf2022.sched.com/event/rjrF/threat-hunting-using-mitre-attck-against-carbanak-malware
Transcript [en]

All right, so anyway, we've got a special guest here today, Amol Sarwate, and he has a tremendous background in cyber security, particularly with, let's see, I believe you work for Fidelis and CloudPassage worldwide threat and security research labs, responsible for network, endpoints and clouds. He's devoted his career to protecting and securing, educating the community from threats. Got a lot of background in vulnerability research, malware, IoT, SCADA security, and been in this for two decades now, right? Okay, so what we're going to talk about today is threat hunting using MITRE ATT&CK against Carbanak malware, very nasty malware out there. So please give a warm welcome to our speaker here.

I'm Amol. [Applause] Thank you.

What, now? Good? Thank you.

How about now? Good, okay, now I'll just speak up a little bit. All right, thank you, thank you for being here. I am actually super excited to come here for a face-to-face conference after about two years, I think. Could be the same with some of you or most of you, so really nice to be here, especially at BSides, where the focus is always on community and collaboration. So let's get started. As it was introduced, this session is about threat hunting using the MITRE ATT&CK framework against Carbanak malware. So the rating for this session, like how you have movie ratings, PG-13, R, is intermediate, or actually beginner to

intermediate, so do not expect me to open up IDA Pro, open up a binary and show you things like that. This is not that type of a session. So what we are going to do, well, actually before that, you already know my name is Amol. I work for Fidelis, and on a day-to-day basis I work with a really great team of security engineers, reverse engineering people, malware researchers and things like that, and get to learn something new almost every day. So this has been a great learning experience working with these folks. So that's about me.

So again, coming back to this session, as I mentioned, what we'll look at is threat hunting: what is threat hunting and how possibly this session can help you a little bit to do more threat hunting. It's about using the MITRE ATT&CK framework, and that's the reason I chose the Carbanak malware, because it's so well known; it has been researched and studied by a lot of people, so it's a lot easier to understand and go over it. By the way, how many of you have heard about Carbanak? A lot of you, good, that's good. So I think that will be good for our session.

So let's get started. Threat hunting. I mean, why do we still do threat hunting? There are so many automated tools, so many ML/AI based systems that I think you might have deployed in your organizations to catch malicious behavior. So why do we still do threat hunting? The reason being that, in addition to automated cyber security (automated cyber security is essential), some of the sophisticated threats can sometimes get past automated detections. A lot of these automated detections used to work based on IOCs, based on, like you must be hearing this on a daily basis on your

job, file hashes, IP addresses, URLs, blah blah blah, which as you know can be tricked very easily. Some of the systems are based on behaviors, which is a little bit better, and now we have a lot of systems based on AI/ML type of things, but still some of the advanced threats require a threat hunter to go there and look at the system and detections and try to find out something which the automated systems cannot. Now again, by no means am I saying automated systems are bad; these are very, very essential, but they can be a good tool in threat hunting,

also because a lot of the attacks can be low and slow, and we'll see what that means as we go forward. So that's the reason we do need threat hunting. So let's give a formal definition. This is sort of my definition: threat hunting is an iterative search. I think there are two really key phrases here. One is iterative, so it never finishes in one go, in half a day, in one day. It's an iterative search going through lots of data: your network data, endpoint data, cloud data, container data, whatever resources or whatever data that you have,

and trying to detect malicious or suspicious or risky activities that evade (now this is the second key phrase, that evade) detections using existing tools. So it's iterative, and trying to find out something that evades existing tool sets and existing detections. So that's something I sort of made up by combining two or three other different definitions. Generally, when people talk about threat hunting, there are three different models. This is the model that has been used for a long time, which is intelligence-based hunting, and what that pertains to is, let's say you are in a SOC, you are a threat

hunter. Generally organizations get a lot of open source or closed source feeds that they buy on intelligence. So what that is, is a feed of bad file hashes, files that are bad, so you can see if your network, your emails, whatnot have those files; bad IP addresses, where malware does the command and control or communicates with; bad domains, URLs, bad HTTP requests and whatnot. So this was sort of the first go-to model for threat hunting, where you get these IOCs in your intelligence feeds, and then a threat hunter, once an alert is triggered, once your system, I mean you have to use

some sort of an automated system to trigger you, to let you know that hey, I got an alert based on this file hash or on this email or whatnot; then what the threat hunter does is, based on these IOCs, he or she can investigate what happened before and what happened after that alert. So what happened, like maybe five minutes, ten minutes before that alert, or maybe even a larger time frame, on that particular box, and what happened afterwards. So this is essentially your go-to intelligence-based threat hunting. The second model is a situational model, where a lot of people begin with, and what happens here, in the situational

model, is there is a hypothesis. So let's say your organization is a healthcare organization, and your security team, or people who you collaborate with or whom you report to, tell you that hey, there is a malware going on which is targeting healthcare organizations, can you try to hunt for it and see if it exists in our networks, in our cloud, in our containers, whatever sort of infrastructure, in our emails, whatever you are threat hunting with. So you get a trigger like that, and then you essentially research that malware, look at possibly the intel IOCs for it, look at the behavior for it, and try to find that

behavior, again in your logs, in your networks, in your emails, whatnot, whatever access you have and whatever domain of threat hunting you are working with. So that's the situational model, and then there is a third one, which is a hypothesis-based model. In this, what usually happens is a threat hunter uses indicators of attack, or IOAs, and TTPs, which are tactics, techniques and procedures, and uses some sort of a framework like the MITRE ATT&CK framework for threat hunting. I think most of you must have, I mean, how many of you have heard of the MITRE ATT&CK framework? I think all of you, yeah, great, that's perfect. So

this is the third model, but again there is no real saying that you use only one of them. You can use all of them, you can interchange them, you can do whatever, because the attackers out there do not stick to a certain set of rules; there are no rules for them. So there is no reason why you or any threat hunter has to stick to one or the other; you can interchange and exchange them. So that's a little bit on some of the threat hunting models. Let's take a quick look at MITRE ATT&CK and their TTPs. I think these few definitions would be

enough for this presentation. So a tactic, the first T in the TTPs, a tactic represents why, like why is an attacker trying to do that. So the attacker's tactical objective could be persistence: they want to remain on that box even if that particular machine is rebooted or whatnot; or they want to move laterally, or they want to execute some files. That could be their tactical objective. So a tactic represents why an attacker is doing that, and a technique represents how the attacker does that. So a tactical objective could be persistence, to remain on that box unnoticed. So maybe being unnoticed is one tactical objective and persistence is another, and how they do that is the

technique, which is, well, if you are using Windows, you go to this registry key, you add yourself there, and even if the machine is restarted or whatnot, your malware would start again. So that's sort of the tactic and the technique, and the procedure is essentially, there is a list of procedures that MITRE has documented that various different threat groups have used to combine tactics and techniques, and we will look at some of the procedures as we go through. So these are really the only three things that we need for this presentation. Let's look at some of the tactics. Now this is a pretty busy slide. MITRE updates their framework

periodically; we are currently on the 11.0 framework, the MITRE ATT&CK framework, and this is how it looks. Oh good, I think it's readable. So I think the first two things were added recently; they were part of the MITRE PRE-ATT&CK framework. So PRE-ATT&CK was essentially the homework that an attacker does before carrying out an attack, so that consists of reconnaissance and resource development, and now, from version 11, they are in the MITRE ATT&CK framework. So reconnaissance is essentially, if you are targeting, let's say, a healthcare organization, an attacker before attacking would try to find out what type of healthcare you provide, where are you located,

what type of systems do you work with, what types of patients you have, and things like that, so he or she can think of how to infiltrate it, what systems to expect, what social engineering things to do to get into the organization. Resource development is, once the attacker has that information, they would try to develop a resource, try to maybe create a web page, an email, an invoice or something like that which closely resembles what your organization's employees are used to seeing, so that when they see that, they would think that oh yeah, this is something for me, I belong to. So that's reconnaissance and resource

development. Initial access is how the attacker gets a foothold into your organization: could be social engineering, could be just leaving USB drives in the parking lot, and MITRE has really done a great job in classifying further what these tactics and techniques are. The next one is execution; that details how the malware would execute: would it be PowerShell, would it be this, that, and we'll get to the details after this. Persistence, we talked about persistence already, how the malware would persist across reboots, or even sometimes, I mean there used to be malware that could even survive an OS reinstall, so firmware-based malware

and things like that. And then privilege elevation: once you have some lower privileges, how do you find accounts or how do you elevate your own privileges on that box. Defense evasion, so that means if there is an antivirus present on the system, how do you evade that; if there is some sort of a network or endpoint detection and response system, how do you evade that system. And the list is, well, I think it's good to go quickly through the list. Credential access, how to access credentials. Discovery is how to find other targets that are of importance; let's say you as an attacker are on one

machine, but that machine is not of much importance to you, so how do you find other machines, and then how do you laterally move to those machines, collect data that you want to collect, and then essentially create a command and control channel to your mothership, to where you are, to infiltrate or exfiltrate data that you want to exfiltrate. So these are the main tactics in the MITRE 11.0 framework. Please go to the open source framework; there is excellent documentation and sub-categorization of these. So this is one of the examples: the tactic here is persistence, and persistence has some categories, some subcategories, and the techniques are listed, like how would you do persistence

if it is a Windows box, why this, why that, and then the procedures are how some of the malware, like I think here you see, oh this is better to read, APT28 or other malware families or threat actors have used this particular tactic and this particular technique. So that's a little bit on the MITRE ATT&CK framework and on threat hunting. So let's take an example to really tie this together, and as I mentioned, I took the example of the Carbanak malware. Now Carbanak is a pretty well understood threat group; it's both a threat group as well as the actual name of the malware

that people refer to, and it was active a few years ago. It targeted financial institutions. So Carbanak essentially stole a billion dollars, and this is a pretty large sum of money, from more than 100 financial institutions in 30 countries, so you can see how devastating this was. From what I know, a lot of people behind the Carbanak malware have been apprehended, and I think that's good news, but when I look at these numbers it's mind-boggling. I mean, a lot of you may have worked at startups or are working in larger companies; if your revenue is a billion dollars, imagine what your valuation is, I

mean, you generally get some x valuation, and if this was a company, these numbers are just mind-boggling. So anyway, we are here to talk about threat hunting and the technicalities of it, so let's see how the malware infiltrates a typical organization, how you can use the MITRE ATT&CK framework, and how as a threat hunter you can use MITRE ATT&CK and some of these tactics and techniques to your advantage against some of this malware. So this is the brief attack working. Let's start with an overview. So from the top left, what you have is, this attack was carried out by phishing. I mean, I know we are in

2022, but still phishing remains the number one cause of initial access or initial breach. Phishing involves a lot of things; it also could involve other social engineering aspects like clicking on links, social media, blah blah blah, but again we are talking about Carbanak. So Carbanak used phishing, sent a phishing email to a bank employee, and we'll see all of this in a little bit more detail in subsequent slides. Sent an email to a bank employee, compromised that system, laterally moved to a lot of other systems trying to find the privileged account. So I think that is what most of these threat actors do, is try to

find the privileged account, because they are not interested in an account or a machine if you don't have any access from there. What they did was they really studied, by means of screen recording and key loggers and whatnot, how many transfers are being done in that particular organization, and then carried out fraudulent transfers, carried out things like controlling ATMs, where they had some mules, some people go to certain ATMs at a certain time, and they would dispense cash in that ATM and these guys would just grab the cash and take their cut and whatnot. So this is sort of an overview of how things work. Let's go into the

details. One important thing to keep in the back of our mind is that this did not happen overnight, even in a single organization. I mentioned there were hundreds of organizations that were targeted, but even in a single organization this did not happen with a single click. This was a low and slow attack, so basically the attacker was in the organization's network for days, weeks and months. It's not like you download something, you click something, boom, something happened. This is where the attacker was inside that organization for weeks at least. So I think that gives us a context of how the attack works and

what really happened. So initial access: this is one of the first things that comes to mind, and again I'm not going to read the things on the slide, but this details various tactics and techniques, and some techniques of how an initial access can happen. So in the case of Carbanak, oh, I don't have my pointer thing, but it was essentially phishing, which is somewhere in the middle there, and this is an example of a phishing email that was sent. So this is from the link below, from our Justice Department, which did a good file on Carbanak; it's based on the Carbanak files, and an email something similar to this was

sent to one or many of the bank employees, with a Word attachment. So that's pretty clear here. As you know, in these types of attacks the employee opens the Word document, and, oh, here I talk a little bit about mitigation, so okay, let's talk about phishing mitigation. It is one of the social engineering types of attacks, so the mitigation for this type of attack or initial access (we are only talking about initial access, not about the entire attack) would be user training, anti-malware, IDS/IPS type of scans, or email security like DMARC and SPF. So you can read up on, you may already know

about all these techniques, and they may have already been there in your organization. But, looks like, do I have the right presentation? Okay. But from an attacker's perspective, or from a threat intel person's perspective, or from a threat hunter's perspective, what you can look at is, how do I catch all these different emails? So this is a graph created by, it's on GitHub, it's created by the Center for Threat, I mean the link is right there on GitHub, and it shows, on the columns what you have are all the tactics, all the MITRE tactics, and it has highlighted what are all the

tactics that Carbanak used. So again, this is not created by me; the link is here, and what we are discussing right now is the first one, which is the initial access part of it. So this is MITRE execution. So what happens when you get an email: these are the various techniques and sub-techniques that MITRE has for execution for various different operating systems, and in execution, what happened was a bank employee opens a Word document. You got a Word document, you open it, it looks familiar. The Word document had an embedded OLE object, Object Linking and Embedding. This is a very old technology

back in the 90s, when Windows was, you know, when you had DOS, the disk operating system, I don't know how many of you remember that, and you go to the command prompt, you type win and then Windows starts. Windows was not an operating system yet; this OLE has existed right from the birth of Windows, even before it was an operating system. But anyway, so a bank employee opens the Word document; there is an embedded OLE object which has an encoded Visual Basic script. Now this Visual Basic script executes, it runs, and it establishes a RAT, a remote access trojan; it establishes a connection from that particular machine of the victim which

opened the email to the attacker's server. So what can we do as threat hunters here? One of the things that we can do is, well, we have a lot of tools at our disposal. The example of the tool here that I've given is oledump.py. What it does is, if you give it a Word or Excel or Office file, it identifies macros in it, and that's an example there; at some places you would see there is an M written there, that means it has identified a macro inside there. Now this could be one of the things where you are browsing through, or where you are threat hunting, you have a

lot of files, you are looking at a lot of email attachments that your organization gets. What you could do is you can deploy some sort of an automation that extracts the attachments and runs this tool to find which attachments or files have macros. Now just because a file has a macro doesn't mean it's malicious, but it at least gives you a good point to start with. What you can do after that is deobfuscate the PowerShell or other code in that macro, and if there are some TTPs there, some domains, some URLs, try to identify them and start your threat hunting that way. So those are some of the things that a

threat hunter could automate, could do on this. So what we saw was initial access: the first arrow was getting an email, a phishing email. The second one was execution: execute the macros in the Word document and execute the shell script from that. The third one, what the malware did was it did some discovery, and these are the techniques that MITRE has for discovery, and the one that Carbanak used was trying to find the host name, trying to find the domain, trying to find as much information about the machine that they are on. Now from an attacker's point of view they are sort of blind; they know their code has executed on some machine, they

don't know whose machine it is, what credentials they have, where they are, so they are in this discovery phase, and that's what MITRE categorizes as discovery, where they try to discover who they are or where they are and things like that. So in the case of Carbanak, the T letters in the parentheses are the MITRE techniques and sub-techniques; every technique and sub-technique has a unique ID, so those are the MITRE unique IDs. I think once you have the presentation, you can possibly click on it or just Google it and get more information. So what the attacker does is, okay, there

is an email, it executed, they are on some machine, they have a C&C, but they don't really know what that machine does, where they are in the network hierarchy; they just know that they are somewhere. And again, keep in mind this is a slow and low attack; that means it happened over the course of weeks, with a lot of times real attackers, real people, not completely automated, sitting on the other side. And what the first RAT does is it executes a WMI script to get all this information. So WMI, everyone knows WMI, right? That's the Windows Management Interface. Another thing that you can look at as a threat hunter is try to find which

machines are doing WMI queries. Again, just because a machine is doing WMI queries doesn't mean that it is compromised, but most probably, in a financial institution, your normal banker or a clerk or HR would not really do WMI queries. So that is something, if you have an endpoint system, as a threat hunter you can immediately look at: okay, this sounds suspicious, why would anyone do WMI queries in my organization? But this is what Carbanak did: using WMI queries, tried to find all this information in the discovery part. Then came command and control, execution and exfiltration. So in command and control, the attacker uploads some PowerShell scripts and starts taking

screenshots of the user's desktop, and it's all an attempt to find out where they are, whose machines they are on and what they are doing, and uploads all these screenshots to the attacker's C&C server. Now this most probably would be automated; there will be no one sitting on the other end, but the malware essentially just takes screenshots and uploads them. I mean, someone there in the attacker's, I would like to call it data center, later looks at these screenshots and sees if there is something of interest. So those are the techniques that are pointed to by the arrows. So another interesting thing in this chart is, although instinctively we go from left

to right, we like to say that okay, there was initial access, then execution, and this and that, it's not necessary, and most of the time it's not like attackers are there to follow MITRE's guidance. They don't, I mean you know, they don't have to, and they don't do it in sequence. A lot of times you would see that they would go from one place to another, come back again, and these things would really jump in these charts from here to there. So although instinctively we would like to think that an attack always happens from left to right, as you can see, the attacker

would jump back and forth between these techniques and tactics. So okay, what happens after that? So there was an email, execution, screenshots, trying to find out who they are; then they deploy a second stage RAT, remote access trojan. What it does is it writes some code into the Windows registry, offset, so that most scanners or AVs would not find it as suspicious, and then runs that shell code, and after execution they essentially receive a callback. And this is where they receive a callback, as in, this is where an attacker, like a real attacker or a physical person, if he is

interested in that machine, would do more things on that machine. So they do this callback on a certain TCP port, and this falls again into execution and command and control. So now the attacker has complete command and control access to that particular box, and again it falls in these categories. The reason I always go to this chart and these categories is because these are the MITRE categories; they are highlighted with the Carbanak ones, and I think as a threat hunter you can really look at them in detail, and I think it will really help you in your effort. So okay, what happens then? The attacker is on the box; he or she has

executed command and control, they can look at screen captures and things like that. So then they try to dump credentials. There have been some UAC bypass vulnerabilities, and that is what the attackers use to dump the current user's credentials. So there is an open source tool called Mimikatz; how many of you have heard of Mimikatz? Okay, good. So Mimikatz, as you know, was written by a developer to show Microsoft the vulnerabilities in their authentication and credential system, and pass-the-hash was the first, most famous Mimikatz function; it has been downloaded and used by a lot of researchers and things like that.

Unfortunately, some of these tools, or many of these tools, are also used by attackers for their advantage. So Carbanak uses a modified version of Mimikatz to dump credentials. Mimikatz again has now evolved; it has a lot. So what Microsoft did was, because of pass-the-hash, they moved to tokens; then Mimikatz upgraded itself to pass-the-token, and then, I mean, I would really recommend you to look at the different features of Mimikatz, what it does and how it has responded to different security mechanisms that are introduced in the OS. I really think open source tools really help in increasing the security overall of the ecosystem, but again it's a very

different talk if you want to debate on that. So anyway, it uses Mimikatz to dump plain text credentials of the current user, because they have screenshots but they need credentials. So that is here in the MITRE framework. After that, the current machine that they are on may not be of interest, so the attacker tries to do lateral movement to different machines and tries to find machines that are really interesting for him or her. So Carbanak used several tools for lateral movement, several second phase RATs. So the first remote access tool is really, they want to be hidden, not noticed, and now

they are sort of upping their game and taking a little bit more risk, because the more tools they try, they download, they send, there is more chance of your behavior-based systems catching them, but they have to do this. So they try these various techniques, and I'm not going to read everything on the screen, but they try these various techniques to move laterally and to gain a shell on the domain controller. So they try to find where the domain controller is for that particular Windows network, and then they try to get, using SMB, on that domain controller.

so carbonac has used ps exec is known to use tinymat has downloaded and utilized ps cap these are all different open source or different various utilities that it uses to get access and it has performed the past the hash function so that's where your lateral movement is so discovery of privileged users so now uh they are trying to find where is your where is the privileged user so they use uh they they try to find these privileged users from the domain controller by running get ad computer get net user power view and various techniques that are again documented and you can sort of google on them and try to find out what what those different techniques

do so trying to find a privileged user and let me just scroll through this once they find the privileged account from the domain controller they try to persist on that privileged account and now what is this privilege account exactly so this privileged account what they are trying to find is an account of someone who does the transaction who opens up the financial who opens up their browser or some other software and does financial transactions transfers money to other vendors transfers payment to other vendors so that is essentially what they are after and again i have 10 minutes i'll breeze through this and basically try to create covert access and profile the profile the victim again create a

reverse shell with that privileged users account uh so now after setting up persistence uh what what what they do is they install now now they know that okay now i'm on the machine of a privileged user that is doing these transactions that is doing these financial transactions or that has some remote access to these atms and whatnot and again i think we have all this in mind this didn't happen in one day this happened where the attacker was in the network looking at screenshots every day or in their data center whatever was being uploaded so um this is so once the attacker know that he or she is on the privileged machine and this is the machine they

want, they really learn how transactions are done in that organization. The attacker may have knowledge of generally how financial transactions are done, but how is it done in your organization? What software do you go to, where do you click, how do you do that? So they really learn what's happening for that privileged user who does these financial transactions. In this phase they install keyloggers to get your credentials, or sometimes get credentials from your browser memory cache, and you can use a reverse shell to obtain all this information. So at this point the attacker, or Carbanak, has enough information to... and again, look up all these T numbers to get more information on each

of it. So at this point the attacker has enough information, from the initial email, to being executed on a machine, finding a privileged user and finding how the privileged user behaves; they have enough information to now carry out an attack. All of this was still just trying to find information, staying low and trying to learn things in the victim's network. Now with all this information, what they do is they essentially impersonate the victim. Now it's really easy after this... things still... now very difficult. Now they could install some remote control program like VNC and essentially use the credentials that they have obtained to control the victim's machine. They already are on the

domain controller, and I think in one of these T rules they have mentioned that they do see on the domain controller machine if a user is logged in or not on that machine. When the user is not logged in, that is when they execute this: they take control of that machine and essentially, from what they have learned so far, just impersonate the machine, do the same thing and do the same banking transactions for their benefit, in their accounts. So that is, yeah, that is pretty much it; essentially this is when the attack is complete, the banking transactions are done and Carbanak has the money from that particular financial institution. Now it almost sounds like a movie, isn't

it? Like, I mean, Mission Impossible or whatever movies where an attacker is moving. But this is, as I said, the reason I chose Carbanak, which is a very well known threat group, very well researched malware, and whatever I've presented here is, I mean, you know, sort of common information now of how Carbanak worked and managed to get a billion dollars from more than 100 financial institutions in 30 different countries. So just a lot of mind-boggling numbers.

So this was our original attack, which started from a phishing email to a bank employee, to moving laterally, finding a privileged account, using screen recording to really learn how money transfers are done, and then carrying out these transactions. So if you augment it, if you add the MITRE sort of framework on top of it, and the guys here have really done... the GitHub link is already in the first slide, of creating this chart, then you can literally see how they jump from one phase to another of the MITRE techniques and carry out the attack. So I think that's all I have for today, we have five minutes,

thank you so much and I'll open it up for questions at this time. [Applause]

Questions here? This is a great talk. Anyone? Okay, well I have one. So there we go, okay.

use some browser-related, as in stealing your credentials from the browser's memory. So when the operator or the privileged user went to their browser and logged into those systems, I mean, whenever you enter anything in your browser it is in the browser's memory, and if you have higher credential access on that machine, that particular process can just read the entire memory and pluck it out of memory. I mean, that's how, on... I mean, we're talking about Windows here, I mean that's how most debuggers work, right? Like if you write a program and you're trying to debug it, a debugger requires higher privilege access but then can attach to other

processes and show you memory and things like that of other processes. So that's what they do: once they are on the box, they try to get those higher privileges on the box, so then they can act as a debugger, attach to any process and dump memory and things like that. So the man-in-the-middle for the browser, I don't think... I'm not sure, I don't think, most probably, it was used in Carbanak's case, but I think they definitely used the credential stealing from the browser. Okay, good. Other people got questions? Oh, great.

man

Anybody catch them in the act while one of their attacks was taking place, or was this all subsequent, like they found that the money was gone?

research or looked into how they were caught, or if they were caught in the act. They were like... all the Interpol and all the sort of cops from all the countries were looking for it; they were found in, I think, Eastern Europe somewhere, and I don't know the details on how they were caught. So yeah, sorry, I don't know how they were caught. So there is, I think, one more question. But I mean, if, say, they infiltrated 100 organizations, they were definitely not caught in the first hundred; maybe it's the 101st where they were caught.

question

Like, you are in this case, you are a financial institution, you know that there is this financial malware going on. I think the trigger that you have is, as a threat hunter, you would immediately start to research what the malware does, how it behaves, try to communicate with a lot of organizations or even connect with authorities to see if you can get a malware sample, or try to find any and every piece of information about that attack or malware. And then if you get some IOCs, then yeah, try to see if those particular IOCs are in your logs, in your network, in your emails. It really depends on your investigation and how much

information is available. You can also look for behavior. So if there are no IOCs available, if there is not much concrete information available, there are no malware samples, but if you even know the behavior, or the common behaviors you have seen in the past, like we saw, like there are some WMI queries being run or PowerShell being run or Sysinternals tools being downloaded, then you can also look for those types of things, because malware writers reuse a lot of code. You know, no one is going to write all these tools from scratch, so they use all these existing tools. So I think one of the best things which could be done is to see

if these tools are running in your organization, and does that particular person really need this tool? So if it's a banking organization, as I said, does the person really need PowerShell or WMI queries to do his or her banking transactions? So yeah, that's what I can suggest.