My InfoSec journey led me to create my own IR tools, how, and why you should too
Hackerhurricane
Sep 27, 2024
About This Presentation
Ever wonder what a seasoned incident responder uses to investigate an incident? Making security tools is harrrrrrrrrrd, I should know I have architected a few. In this talk we will walk through my career journey and what led me to create tools to fill gaps existing tooling did not have and why this applies to you in your career journey. So come take a walk in my shoes so you can walk easier in yours.
What I use to investigate a Windows system (a Linux tip too), why, and what led to creating my own tools, something many in our industry do when something does not exist. I will discuss what led me to create tools for Live Triage or Live IR, where I focus, and traditional forensics as well. You may even walk away with some free tools if you ask or provide some DFIR worthy questions.
With today’s large hard drives and massive memory, how do IR consultants approach and do investigations on Windows systems? There is traditional forensics, there is Live IR or Live Triage where you investigate a target system while it is running, and there are EDR/XDR and Threat Hunting solutions too. So how do I go about doing an investigation of Windows systems as an IR consultant, why do I take the approach I do, what are the pros and cons, and what led me to this approach? When to use which method will be discussed, along with the benefits.
Size: 1.89 MB
Language: en
Added: Sep 27, 2024
Slides: 49 pages
Slide Content
My InfoSec journey led me to
Create my own Incident
Response Tools
what led me here and how or why
Michael Gough
Principal Incident Response
Founder –Malware Archaeology.com
Founder-IMF Security
Cautionary Assurance
The following is a discussion surrounding topics within the incident response and security
industries.
All precautions have been taken to ensure that subject matters presented are handled and
discussed appropriately, however some troubling topics and content may arise due to the
nature of the security industry.
All efforts have been taken to ensure that sensitive subject matters and content will be
safely and freely discussed in this sanctioned forum to ensure the free exchange of
information and ideas.
This opportunity I take very seriously and have taken precautions to ensure that the
following subject matter is presented in a safe, free, and open manner.
I thank you all for your understanding.
Whoami
MalwareArchaeology.com 3
•Blue Team Defender Ninja, Malware Archaeologist, Logoholic and
•Principal Incident Response Threat Hunting Engineer for a new firm
•I love “properly” configured logs – they tell us Who, What, Where, When
and hopefully How
Creator of
“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Windows ATT&CK Logging Cheat Sheet”
“ARTHIR – ATT&CK Remote Threat Hunting Incident Response tool”
Co-Creator of:
“Log-MD” – Log Malicious Discovery Tool and
“File-MD” – File Malicious Discovery Tool
Why this talk?
Learn from what we Incident Responders
use in the real world
How and Why I developed tools
And why YOU should too
My Story Timeline
My Story
•I remember the first script I created was back in 1999
•Before we partied like it was 1999, it was for Y2K
•The script was to look for Trojans
•So I called it “Troy.bat”
•It looked for things like the latest AV signatures
•Known things like the “I love you” virus artifacts and
other things
•Like we all do, we create scripts to solve a problem
•This was only the beginning for me
My Story – 1999 - 2009
•I worked for a Bank that got bought by BIG bank Wells Fargo
•I went to work for HP North American Security Practice
•Consulting, assessments, investigations
•I created a hardening methodology based on the CIS
Benchmarks, included scripts for many OSes (team effort)
•As an HP CIS member I got the HP-UX benchmark to match
the order of the other UX benchmarks, easier scripting
•I made NO progress on CIS Windows improvements, logging
of course… committees… geeze
My Story – 2002 - 2007
•I also wrote legislation for around 30 states
•Got 7 laws passed too
•Also, not security related
•Added video conferencing to divorce law long before it
was on all the cell phones and easy to do
•I would suggest you understand what goes into writing
and getting legislation passed, it’s interesting
•More of a Hallway Con discussion
My Story – 2002 - 2007
•I wrote a couple books, not security related when at HP
•SkypeMe
•Video Conferencing over IP
•Signed the dummy contract – publishers make 90%
of the $$$$
•Don’t do that, self publish instead >>>>>>>>>>>>>
•You are your own best marketing, like this Con talk
•Self publishers will get you on Amazon and others
•I also raced Mountain Bikes in Wisconsin (WORS)
•Won or placed in all my events
•In California I raced road bikes and sucked, won nuttin
My Story – 2009 - 2011
•I left HP in 2009 and went to work for the State of Texas
Comptroller to do my civic duty and get more involved with
the local security community as I knew I would be living in
Austin for awhile
•In 2010 I had to report the largest data leak in Texas history…
so many have happened since… MUCH larger too
•They fired my boss the CISO and made me interim CISO
•What did THAT teach me? Report anything and you are fired!
•I am done with government work
My Story – 2009 - 2016
•Joined ISSA Austin as VP for 1 year
•You might have heard of Security BSides?
•I ran the Austin entity for 7 years
•Formed the BSides Texas LLC
•Which ran 4 BSides events
•Austin
•San Antonio
•Dallas
•Houston
•You should REALLY consider joining/volunteering for a Security Org
•Good for you and your career, make GREAT connections
My Story – 2011 - 2013
•I was in console gaming for a couple years
•The Chinese group Winnti, APT17, Blackfly and other names
attacked us like political ads.. Every month or two
•Winnti did lots of kewl things that were hard to detect
•None of our solutions caught them, they knew what security
solutions we had and how to get around them
•This led us to finding out why our tooling failed…
•We talked to a few companies about the flaws we found
•They were not happy when we called them out in Con talks
•More for Hallway Con
My Story – 2011 - 2013
•The data we provided the FBI was unlike anything they had seen on
Winnti and we asked for it to be shared with other gaming companies
•It was given to the bureau to share with other cases they were
involved with in gaming, we knew a few from our colleagues
•We know because our alerts triggered when other game installers
were run by our folks
•Basically with good logging we now had an EDR type solution with
all the alerts and queries we created, better because we also had
BigFix
•BigFix has queries as well that can look for things across all
systems, anything you can think up basically
•My 2nd favorite security tool… BigFix or equivalent
My Story – 2013 - 2014
•There were not a lot of tools (none really) to easily find their
advanced malware
•EDR was just getting started (original CarbonBlack)
•I used several small utilities as a part of my scripts
•I created a serious batch file calling various utilities to
discover the malware that was hidden within the
Windows directories
•This was the beginning of a NEW TOOL !
My Story – 2014 - 2015
•With the help of a colleague we created “The Sniper
Forensics Toolkit”
•A utility you can run on a local system to look for all
kinds of details
•This morphed into an Azure cloud solution
•Malware Sentinel was an EDR/Threat Hunting tool
developed in Azure
•Did not work as well as I hoped, Azure issues too
My Story - 2015
•The Cheat Sheets were created to capture settings that
everyone should configure to have a chance to catch
threat actor behaviors
•Do logging well and you basically have an EDR and
Threat Hunting data, one of the best actually
•My #1 Security Tool, SIEM that is
•One of the best, if not the best security solutions you
have actually is a SIEM, with the proper data of course
My Story – Cheat Sheets
•Windows Logging Cheat Sheet Current
•Windows Advanced Logging Cheat Sheet Current
•Windows File Auditing Cheat Sheet Current
•Windows Registry Auditing Cheat Sheet Current
•Windows PowerShell Logging Cheat Sheet Current
•Windows Splunk Logging Cheat Sheet Current
•Windows Crowdstrike Logscale Cheat Sheet New
•Windows Sysmon Logging Cheat Sheet Needs Updating
•Windows MITRE ATT&CK Cheat Sheet Needs updating
•Windows LOG-MD ATT&CK Cheat Sheet Needs updating
My Story – 2015…
•Have I said how much I LOVE BigFix
•It’s the BEST security tool you never heard of
•The features of BigFix started the tool making journey
•The features BigFix has are just not in other tools
•How to quickly find APT and of course commodity artifacts
•In enough detail to actually remediate the system
•I would have hated to be the ones to reimage hundreds of game
servers
•Let’s take features of things I used, add more, make it easy to use
so I have less tools to use and “work smarter not harder”
•Also the output needed to be consumable into…
Log Management
My Story – 2015…
•Would it be nice if there was a tool to look for the things
that we manually created queries and alerts in BigFix
and Splunk?
•From that complicated script and failed tool effort
•LOG-MD was born, a standalone locally run tool
•A Windows Incident Response tool
•Standalone tool you run locally and collect the output
•Details EDR could not provide
•Preso on this at IronGeek.com from DerbyCon talk
My Story – 2018 - 2019
•ATT&CK Remote Threat Hunting Incident Response tool
(ARTHIR)
•As a side project I forked KANSA with a little help from
my security friends into ARTHIR for deploying tools and
getting the results back in their native report format
using something already installed on all Windows
systems, PowerShell WinRM, no new agent needed
•It was created to provide a way to push out LOG-MD and
get the reports back in the native format to be consumed
into Log Management or reviewed in Excel
My Story – 2020-2024
•COVID happened
•Slowed things down a bit for all of us
•Promoted Malware Management at Cons
•But we progressed and now have a new tool
•FILE-MD was born 2024
•File Malicious Discovery tool
•Static File Analysis of files
So Why Share?
•So YOU can see what I/we did and craft your own next
generation of kewl toolz. Make it YOUR STORY
•Take the ideas and things I have done and create your own
story!
•Someday I will retire and so it will be YOUR TURN
•Because “Prevention” tools continue to fail us, or prevent
more attacks, and thus “Detection” and “Threat Hunting” are
where it’s at when they do fail us
•When I say “fail” it means bypassed, blocked, disabled or
failed, whatever can be used to get around the defenses
•The way I see things is not necessarily the way you will see
things and we all know, things change… AI is coming
Why Share
•By sharing, hopefully we get the juices flowing to give you an approach
•Give you ideas
•Give you and others another option
•Give you a career path? BLUE TEAM RULEZ !!!!!
•Maybe you want to work with us
•Get an education path for DFIR
•The more you know…
•The better decisions you can make
•The places you will go
•The faster you can work and get answers
So Why
Run A Local tool?
Level Set
•DFIR = Digital Forensics and Incident Response
•Forensics is getting harder and longer to do
•Disk sizes getting huge
•Images must be made and stored, write blockers are slow
•Uploading these images to the cloud for us to process is sloooow
•Or you need a bunch of BIG drives to store these images, copies
are slow
•Memory too is getting larger
•And don’t forget the working copies, so TWO of each
Level Set
•Incident Response (IR) is the set of steps used to prepare for, detect,
contain, and recover from a security or cyber event, and it may lead
to finding that a data breach has occurred.
•Can be anything you do that may, or may not include some
Forensics process, procedures or playbooks
•Maybe you still make a disk and memory image in case you
want/need to do forensics later
• Let’s focus on DETECT or Malicious Discovery as I call it
Types of Analysis
•I focus in this space
Malware Discovery → Basic Analysis → Advanced Analysis → Reverse Engineering → Traditional Forensics
(Easier and Faster on the left, Harder and Slower on the right)
•Focus your skills here, get GREAT at this area first
Triage
•First we need to do Triage
•Prioritize the things to do…
•Where does it hurt?
Malicious Discovery
•There are two primary conditions we need to know
1.Has the system been touched by a threat actor or infected?
2.Is the system untouched by a threat actor?
•So how can we do this quickly on 1, 3, 30, 100, 1000 systems?
•You can deploy an EDR/XDR solution
•But that does not see everything, very process execution centric,
some can see network traffic too
•Generally not very quick to deploy, more costly for our clients
Malicious Discovery
•EDR/XDR is another agent, many do NOT like another agent
•So what if we used a launch script that calls a bunch of tools
that run on the actual systems?
•Then you only have to return the results, which is not that much
data, a fraction of what you need for Forensics
•Terabytes smaller than disk images
•Gigabytes less than memory images
•Unless you take a memory dump as a part of your script
•Scripts only take an hour or two on a typical system to gather
all the data
Ways to Deploy
•You can use KAPE, a modular launcher of tools you want to use
•You can use a Batch or bash script
•You can use a PowerShell script
•Or a combination of them all
•You can use ARTHIR PowerShell remoting tool that launches
modules you create to a list of hosts on your network that has
WinRM enabled, already on all Windows systems, so no new agent
•You can use SCCM.. errr Intune… errr Copilot to deploy them
•You can use the coolest tool BigFix to deploy them
•Or whatever configuration patch management tool you use
•Or manually over RDP or other remote solution
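The push-and-collect pattern described above, as an added example that is not ARTHIR, KAPE or LOG-MD code: a local tool folder is copied to each host over WinRM, a launch script runs there, and only the CSV/TXT results come back. Assumptions (not from the deck): WinRM is enabled on the targets, the account is a local admin there, PowerShell 5.1 is on both ends (Copy-Item -ToSession/-FromSession), hosts.txt holds one hostname per line, and .\tools holds standalone binaries plus a Launch-Triage.cmd of your own that writes its output to an out\ subfolder.

```powershell
# Added example: push a tool folder to hosts over WinRM, run it, pull results back.
# Not ARTHIR/LOG-MD code. hosts.txt, .\tools and Launch-Triage.cmd are assumptions.
param(
    [string[]]$ComputerName = (Get-Content .\hosts.txt),   # one host per line (assumed file)
    [string]$ToolSource     = '.\tools',                    # standalone binaries + Launch-Triage.cmd
    [string]$RemoteDir      = 'C:\Windows\Temp\Triage',     # staging folder on the target
    [string]$ResultRoot     = '.\results'                   # where collected output lands
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($target in $ComputerName) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $target -ErrorAction Stop

        # Stage the tools. Nothing is installed; files are copied to a temp folder only.
        Invoke-Command -Session $session -ScriptBlock {
            param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
        } -ArgumentList $RemoteDir
        Copy-Item -Path "$ToolSource\*" -Destination $RemoteDir -ToSession $session -Recurse -Force

        # Run the launcher on the host. Its CSV/TXT output stays in $RemoteDir\out
        # until we fetch it; stdout/stderr go to a log so a failing tool is visible.
        $fileCount = Invoke-Command -Session $session -ScriptBlock {
            param($dir)
            Set-Location $dir
            & "$dir\Launch-Triage.cmd" 2>&1 | Out-File "$dir\launch.log"
            (Get-ChildItem "$dir\out" -File -ErrorAction SilentlyContinue | Measure-Object).Count
        } -ArgumentList $RemoteDir

        # Pull back only the results: megabytes, not a disk or memory image.
        $dest = Join-Path $ResultRoot "$target-$stamp"
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -Path "$RemoteDir\out\*" -Destination $dest -FromSession $session -Recurse
        Copy-Item -Path "$RemoteDir\launch.log" -Destination $dest -FromSession $session

        # Hash what was collected so the evidence set can be verified later.
        Get-ChildItem $dest -Recurse -File |
            Get-FileHash -Algorithm SHA256 |
            Select-Object Hash, Path |
            Export-Csv (Join-Path $dest 'manifest.csv') -NoTypeInformation

        # Remove the staged tools so they do not linger on the host.
        Invoke-Command -Session $session -ScriptBlock {
            param($dir) Remove-Item $dir -Recurse -Force
        } -ArgumentList $RemoteDir

        Write-Host "[$target] $fileCount result file(s) collected to $dest"
    }
    catch {
        Write-Warning "[$target] failed: $($_.Exception.Message)"
    }
    finally {
        if ($session) { Remove-PSSession $session }
    }
}
```

Two practitioner caveats: WinRM means TCP 5985 (HTTP) or 5986 (HTTPS) must be reachable and the credentials used are admin credentials on every target, so run it from a hardened jump host with an HTTPS listener where you can; and copying tools onto a host the threat actor already controls is visible to them, so treat the remote staging folder as untrusted and rely on the hashed copy you pulled back, not on anything left on the host.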
Why We
Develop Tools
Why We Develop New Tools
•Because we like bright shiny things
•Usually because we are trying to solve a problem or we can’t
find something to do what we want the way we want
•As a creator of a couple different tools, many cheat sheets,
filling a gap to discover what we were looking for is the main
driver, wanting to give back to the community is another
•I wish I had a tool that looked for this…
•Since we are looking for this let’s look for that…. And that…
Oooo this too.. And that … and that…. Ahhhh what about
that
•So on and so forth and a tool is born
Tool Design
•Things I do NOT like about many freely available or low cost
security tools/utilities
•Dependencies, man I hate running into a dependency
requirement not included with the tool, distribution
restrictions or developer just didn’t do it
•.Net dependent tools, Microsoft updates things and breaks
them, so now I have to upgrade all my systems to what the
tool needs before I can use the tool?
•Python, modules and dependencies that worked on the
developer's oddly configured system with whatever versions
were used but are no longer available or the update(s) do not work
with the tool
Tool Design
•Python is NOT on all Windows systems
•PowerShell is, but also has version issues as I found updating
ARTHIR for archiving for example, very PowerShell version specific
•I like to use what is already on the system without the need to
update the system, within reason
•If you SHOULD have it, then that is OK, like PowerShell ver 5 and
the .Net required for it. If you NEED it…. DO/Upgrade it
•Cmdlets in PS v5 are not in PS v4 so you will need to upgrade and
should, it is a recommendation for sure, for logging alone
•NO NEW AGENTS, bugs, too many agents, performance concerns,
etc., a LOT more development required
Tool Requirements
LOG-MD and FILE-MD
•A standalone binary, NO DEPENDENCIES !!!
•OK.. They have some TXT config files, but they are optional
•Created in Visual Studio and Golang so everything we need is there
•Output is in CSV and/or TXT formats
•Multiple Files/Reports to control sizes so they can be opened
•Some tools make too large of files and can’t be opened
•Easily consumable into Log Management
•Utilize tools we already have and use, Excel and NotePad++
•Excel for CTRL-T filtering, sorting and correct the log times
•NotePad++ for comparing TXT files for diff of two files
Tool Requirements
•Can be used to Schedule a Task for repeat runs
•Like running Autoruns daily for example and consume it into Log
Management
•Use within PowerShell for PowerShell remoting
•Thus use ARTHIR or other method like KAPE
•Take into account MITRE ATT&CK
•Use within remote shell of an EDR/XDR solution
•EDR/XDR does not have the detail levels we want or need
•Use for Threat Hunting
•I chose CSV for output so we could use the #1 security tool…
•EXCEL… CTRL-T for the WIN and adjust the log times
•And CSV is easily consumed into Log Management
Evaluating Your Logging
Measure the logging on the system against the Cheat Sheets
LOG-MD -a
•Audit your system against several industry standards
•Know what passes and fails so you can adjust local logging
•LOG-MD -a > Report_Audit_Score.txt
•Provides two reports
•Report_Audit_Score.txt – Gives Pass/Fail on your settings
•Report_Audit_Settings.txt – Gives more details
•We want you to be better at logging… It’s Security 101
Tool Requirements
Malware Management
•Threat actors morph/pivot as their ways are discovered
•So I also practice “Malware Management”
•Look at reports of other published incidents and malware
•Find any new techniques
•Add any new features to the tool, scripts or add another tool
to my launch script, update queries and alerts
•I still work this way today, 10 years later… and teach it in my
Malware Discovery class
•My last Con talk on Malware Management, go take a read
at…
•https://www.malwarearchaeology.com/presentations
Tool Must Have
Allow/Exclude Lists
•Exclude known good or “these are not the droids
you are looking for” to reduce your result volume
•This works in Log Management too
•Lookup lists in Splunk/SIEM used to include in a
query or exclude results
•VERY important feature
Tool Must Have
Configuration Files
•We use them in LOG-MD and FILE-MD
•Use them to refine your tools
•I want to look for this in these ways
•We can choose what PowerShell event IDs to look for and what
obfuscation characters we want to count and how many
• What folders do we want to look for EXE and DLLs in
•What Yara Rules we want to run
Tool Must Have
Wildcards
•Wildcards are crucial
•Some Log Management/SIEM solutions do not have a wildcard
•How to deal with versions in folder names?????
•Things with similar names
•Exclude a large amount of similar data
•Makes excluding MUCH easier
•Tools must have this feature
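The three "must have" features above (exclude lists, a text config file, and wildcards for version-numbered folders) in one added example. This is not LOG-MD or FILE-MD code and does not use their config formats; the CSV rows, the rule syntax and the column names (Host, Path, SHA256, Signer) are constructed for the example.

```powershell
# Added example, not LOG-MD/FILE-MD code: a wildcard exclude list, read from text in
# the shape a config file would take, applied to triage output. Rows, columns and
# patterns below are constructed for the example, not a real tool's schema.

# Constructed triage output. Three releases of one agent live in version-numbered
# folders, which is exactly the case wildcards are for.
$csv = @'
Host,Path,SHA256,Signer
WS01,C:\Program Files\Vendor\Agent\5.4.1\agent.exe,AAAA,Vendor Inc
WS01,C:\Program Files\Vendor\Agent\5.4.2\agent.exe,BBBB,Vendor Inc
WS01,C:\Windows\System32\svchost.exe,CCCC,Microsoft Windows
WS01,C:\Users\bob\AppData\Local\Temp\svchost.exe,DDDD,
WS02,C:\Windows\Temp\update.exe,EEEE,
WS02,C:\Program Files\Vendor\Agent\5.5.0\agent.exe,FFFF,
'@

# Exclude list, one rule per line. Conditions separated by ';' must ALL match, so a
# path alone never excludes a row; the signer has to agree too. Any matching rule
# drops the row. Patterns are PowerShell -like wildcards: * and ? (and [..], so a
# literal '[' in a path must be written '[[]').
$excludeText = @'
# column=pattern;column=pattern
Path=C:\Program Files\Vendor\Agent\*\agent.exe;Signer=Vendor Inc
Path=C:\Windows\System32\*;Signer=Microsoft Windows
'@

function ConvertFrom-RuleList {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }   # blank or comment
        $conds = foreach ($part in ($line -split ';')) {
            $col, $pat = $part -split '=', 2
            if (-not $pat) { throw "Malformed rule (expected column=pattern): $line" }
            [pscustomobject]@{ Column = $col.Trim(); Pattern = $pat.Trim() }
        }
        [pscustomobject]@{ Text = $line; Conditions = @($conds) }
    }
}

function Test-Rule {
    # True only when every condition of the rule matches the row (AND).
    param($Row, $Rule)
    foreach ($c in $Rule.Conditions) {
        $col = $c.Column
        if (-not ($Row.$col -like $c.Pattern)) { return $false }
    }
    return $true
}

function Test-AnyRule {
    # True when any rule matches (OR across rules).
    param($Row, $Rules)
    foreach ($rule in $Rules) { if (Test-Rule $Row $rule) { return $true } }
    return $false
}

function Select-Unexplained {
    # Include rules (an allow list), if given, scope the rows first; exclude rules
    # then remove known good. What is left is what the analyst actually reads.
    param($Rows, $ExcludeRules, $IncludeRules = $null)
    foreach ($row in $Rows) {
        if ($IncludeRules -and -not (Test-AnyRule $row $IncludeRules)) { continue }
        if (Test-AnyRule $row $ExcludeRules) { continue }
        $row
    }
}

$rows     = $csv | ConvertFrom-Csv
$excludes = ConvertFrom-RuleList $excludeText
$hits     = Select-Unexplained -Rows $rows -ExcludeRules $excludes

# Three rows survive: svchost.exe outside System32, an unsigned binary in
# Windows\Temp, and an UNSIGNED agent.exe sitting in the trusted vendor folder,
# which a path-only exclusion would have hidden.
$hits | Format-Table Host, Path, Signer -AutoSize
```

Two things to keep in mind when writing the patterns: `*` in `-like` also matches backslashes, so `Agent\*\agent.exe` matches any depth under Agent, not just one version folder; and an exclusion is only as safe as its narrowest condition, which is why the example refuses to drop a row on path alone and requires the signer (a hash column would be stricter still). The same two-column discipline carries over to a SIEM lookup used to exclude results from a query.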
In Summary
Conclusion
•Now that you know what I do, use and why
•Come up with your own ideas for a tool(s)
•Practice Malware Management !
•Maybe come work with us
•Give back to the community along the way
•Share what you created and why with the community
•So they can learn too
•Everyone thinks and does things differently
•There are 10 ways to do just about anything
•So come up with your own story
•And one day tell it at a Con talk like this one
Resources
•Websites
•LOG-MD Free, Pro and Premium Log-MD.com
•FILE-MD Log-MD.com
•The “Windows Logging Cheat Sheet(s)”
•https://MalwareArchaeology.com/cheat-sheets
•ARTHIR
•https://github.com/MalwareArchaeology/ARTHIR
•MITRE ATT&CK is your friend
•https://attack.mitre.org/techniques/enterprise/
•JPCert Detecting Lateral Movement
•https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
•This presentation and others on SlideShare
•Search for MalwareArchaeology or LOG-MD
Questions?
You can find us at:
•MalwareArchaeology.com
•LOG-MD.com
•LOGMD.com
•TIME FOR HALLWAY CON !!!
Malware Management Sources
Use Feedly or other reader app and add these sources
•Contagio
•Dark Reading
•Hexacorn
•Malware Analysis
•The Hacker News
•This week in 4n6
•Active Directory Security
•SANS Storm Center
•Zscaler Research
•Fortinet Security Blog
•Windows Incident Response
•SOC Prime
•Crowdstrike
•Use “Discover Mode” and look for other Malware reports sources