Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf

Hackerhurricane · 58 slides · Jul 18, 2024

About This Presentation

Every time I read the news, a blog, or security article like “LitterDrifter's means of self-propagation are simple. So why is it spreading so widely?” or “Hackers use new Agent Raccoon malware to backdoor US targets” or “Yellow Liderc ships its scripts and delivers IMAPLoader malware”...


Slide Content

All these so-called
sophisticated attacks…
Can we really detect them?
Michael Gough
Founder MalwareArchaeology.com
& IMF Security.com
MalwareArchaeology.com

Who am I
•Blue Team Defender Ninja, Malware Archaeologist, Logoholic,
Incident Responder and Threat Hunter
•I love “properly” configured logs – they tell us Who, What, Where,
When and hopefully How
Creator of
“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows Crowdstrike Logscale Logging Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Windows ATT&CK Logging Cheat Sheet”
“ARTHIR – ATT&CK Remote Threat Hunting Incident Response tool”
•Co-Creator of “Log-MD” – Log Malicious Discovery Tool
•Co-Creator of “File-MD” – File Malicious Discovery Tool

Why this talk?
Learn from what we
see in the trenches

•We get called when things get
•Management want to know Who, What, Where, When, and
How the pwnage happened
•We all know why…
•So let’s take a look at some so-called “sophisticated attacks”
and how you might detect them
Being an Incident Responder

•Let us first define a few items
•Security 101 – Things you should always do, usually things
you already have and are FREE… well your time is needed
•Security 201 – Things you should have to “reduce” pwnage
and hopefully alert to suspicious activity
•Security 301 – Things you should be doing with your tools,
understand the gaps and address them with additional
tooling, process and/or procedures, MITRE ATT&CK
•Security 501 – Doing things like Threat Hunting and being
proactive at seeking out the malicious behavior
Level Set

•This talk covers more of Security 101, 201 and 301
•These are the things we see many, if not most, organizations
failing at, forgetting, or not continuing to do
•Organizations jump to Security 301 or 501 and forget
to continue Security 101 and 201
This Talk

First, we have to make a few assumptions
•Defense in Depth is an old term that still holds true
•So each technology layer should have its own security “reduction”
solution to reduce the likelihood of an incident
•Also assume that not everything will be detected by these
solutions; threat actors know how to get around or avoid them
•For this talk we will assume you have one or more of the following
security solutions
Assumptions

More assumptions
•If you are not running an EDR/XDR platform then you likely will
be unable to detect more advanced attacks
•If you do not have a Log Management solution, or SIEM then
you likely will be unable to craft any custom alerting and fill the
gaps left by EDR/XDR or other security solutions
•If you do not have a network traffic security solution (NDR)
then you are likely blind to network related data
•If your network is not segmented then you are likely to suffer a
larger impact to more systems
Assumptions

More assumptions
•If you do not have an Email security solution then it is likely
malicious emails will get in at a much higher volume
•If you do not have MFA on ALL possible solutions then it is
likely you will fall victim to account compromise
•If you do not have a Web Proxy solution for your users then it is
likely a user can click on all kinds of websites you would rather they
did not
•If you do not have a Data Loss Prevention solution then you are
more likely to have confidential data leave unnoticed
Assumptions

•If all you have is AV and a Log Management solution or SIEM
then you WILL be able to do a LOT towards detecting more
advanced attacks
•Care to guess what my Top 4 Security Solutions are that should
be implemented?
•#1 Log Management
•#2 a “Good” EDR/XDR solution
•#3 a good configuration asset management solution
•#4 MFA on all internet facing applications
•OK.. #5… LOG-MD and FILE-MD of course to get more details
Assumptions

•What we are about to look at I refer to as:
•Malware Management
•We all do:
•Patch Management
•Vulnerability Management
•Configuration Management
•Asset Management
•So why not practice Malware Management?
Manage Malware?

•You take reports much like we are about to go through and pull
the artifacts (TTPs) and behaviors that we can then add, or
verify are in your security tooling
•MITRE ATT&CK is also your best friend here
•Map your detections to MITRE ATT&CK Techniques and sub-
techniques to build a detection methodology
•MITRE ATT&CK helps to identify your gaps as well
•Which you may be able to cover with other tools you have,
such as Log Management/SIEM
•You will have to interpret the MITRE ATT&CK detection descriptions;
they are not as clear as we would like them to be
Manage Malware?

•With all that said, let’s take a look at the attacks listed in the
overview and see what obvious things could or should be
detectable IF you use the right solution, Configure the right
things, and make sure the Coverage and Completeness of these
items are optimal
•More on the 3 Cs later
•Let’s take a look at some attack write-ups and what I would
expect to see if I were to investigate or craft detections for them
•OK… what I wish I would see during an investigation
Manage Malware?

Attack Artifact
Walk-throughs

USB worm unleashed by Russian state hackers spreads
worldwide
•https://arstechnica.com/security/2023/11/normally-targeting-
ukraine-russian-state-hackers-spread-usb-worm-worldwide/
1st Example - LitterDrifter

•LitterDrifter, the malware is written in the Visual Basic Scripting
language (VBS). LitterDrifter serves two purposes: to promiscuously
spread from USB drive to USB drive and to permanently infect the
devices that connect
•A USB Drive that is executing something?
•Anyone here monitor USB device logs?
•DriverFrameworks-UserMode/Operational ID 2100, 2105, 2106
•System Log Event ID 20003
•Security Log ‘Plug and Play’ Event ID 6416
•Registry Key – ‘HKLM\SOFTWARE\Microsoft\Windows Portable Devices’ ID 4657
•Or executions from the USB drive letters?
1st Example - LitterDrifter


•As we saw in the previous diagram, a Scheduled Task is created for
persistence
•Anyone looking at the disabled-by-default
TaskScheduler/Operational log, Event ID 106 ‘New Task
Registered’?
•Process Created in Security Log Event ID 4688? From a Scheduled
Task?
1st Example - LitterDrifter

•Anyone looking at wscript executions in the Security Log for
Event ID 4688?
•Or better yet…
•Use Group Policy to keep wscript, cscript, jscript and all the other
script engines from executing, by making script files open in Notepad
so they fail when clicked on by a user?
1st Example - LitterDrifter

•The LNK files use wscript.exe **** to execute “trash.dll” with
specified arguments " ""trash.dll"" /webm //e:vbScript //b
/wm /cal
•Anyone looking at .lnk executions in the Security Log in Event
ID 4688?
•The locations, like USB drive letter and names of .lnk files can
be very telling
•Using the user path variable %userprofile%
1st Example - LitterDrifter
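The LitterDrifter artifacts from the slides above turned into detection logic over Security 4688 events, as an added Python example that is not from the talk or from Log-MD. The sample events and the set of removable drive letters are constructed; in practice the letters come from the USB device events listed above.

```python
import re
from dataclasses import dataclass

# Script hosts the talk says to watch in 4688 events.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: which drive letters are removable. In practice derive the set from the
# USB device events listed above (DriverFrameworks-UserMode 2100/2105/2106, System
# 20003, Security 6416) or from the Windows Portable Devices registry key.
REMOVABLE_LETTERS = {"E:", "F:"}
# A quoted path (may contain spaces) or a bare path on the command line.
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\[^\s"]+)', re.I)
USERPROFILE_RE = re.compile(r"[a-z]:\\users\\[^\\]+\\", re.I)
# Host switches from the LitterDrifter command line: //e:vbScript //b
HOST_SWITCH_RE = re.compile(r"//e:vbscript|(?<!\S)//b(?!\S)", re.I)

@dataclass
class Event4688:
    """Subset of Security 4688 fields; CommandLine needs Process Command Line auditing on."""
    new_process_name: str
    command_line: str
    parent_process_name: str
    subject_user_name: str

def reasons_for(ev: Event4688) -> list[str]:
    """List each LitterDrifter-style trait present in one 4688 event."""
    image = ev.new_process_name.rsplit("\\", 1)[-1].lower()
    cmd = ev.command_line
    # The image path first, then every path that appears on the command line.
    paths = [ev.new_process_name] + [a or b for a, b in PATH_RE.findall(cmd)]
    reasons: list[str] = []
    if image in SCRIPT_ENGINES:
        reasons.append(f"script engine {image}")
    if ".lnk" in cmd.lower():
        reasons.append(".lnk on the command line")
    if any(p[:2].upper() in REMOVABLE_LETTERS for p in paths):
        reasons.append("path on a removable drive letter")
    if image in SCRIPT_ENGINES and any(USERPROFILE_RE.match(p) for p in paths[1:]):
        reasons.append("script loaded from a user profile path")
    if HOST_SWITCH_RE.search(cmd):
        reasons.append("wscript host switches (//e:vbScript, //b)")
    return reasons

def detect(events: list[Event4688]) -> list[tuple[int, list[str]]]:
    """Return (event index, reasons) for every event with at least one hit."""
    return [(i, r) for i, ev in enumerate(events) if (r := reasons_for(ev))]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event4688(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "E:\trash.dll" /webm //e:vbScript //b /wm /cal',
              r"C:\Windows\explorer.exe", "alice"),
    Event4688(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p",
              r"C:\Windows\System32\services.exe", "SYSTEM"),
    Event4688(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\update.vbs"',
              r"C:\Windows\explorer.exe", "alice"),
    Event4688(r"C:\Program Files\Vendor\viewer.exe",
              r'"C:\Program Files\Vendor\viewer.exe" E:\docs\report.pdf',
              r"C:\Windows\explorer.exe", "bob"),
]
```

Every hit is reported with its reasons so the analyst can rank them; a lone removable-drive path is a low score, while a script engine plus USB path plus `//e:vbScript` is the pattern from the write-up.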

Example #2

Hackers use new Agent Raccoon malware to backdoor US
targets
•https://www.bleepingcomputer.com/news/security/hackers-
use-new-agent-raccoon-malware-to-backdoor-us-targets/
•Uses .Net malware
•Uses PunyCode-encoded URL subdomains for evasion
2nd Example – Agent Raccoon


The attackers also used a customized version of the Mimikatz credential
dumping utility, named 'Mimilite,' and a DLL credential stealer mimicking
the Windows Network Provider module, named 'Ntospy'. Ntospy registers
as a legitimate Network Provider module named "credman" to hijack the
authentication process and capture user credentials, a well-documented
attack method.
•Anyone Auditing Service Key Adds and Changes? Event ID 4657
•HKLM\System\CurrentControlSet\Control\Services
•Or the HKLM\System\CurrentControlSet\Control\NetworkProvider key for Adds or
Changes?
2nd Example – Agent Raccoon
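Checking 4657 events for the Network Provider and Services key changes the slide asks about, as an added Python example that is not from the talk or from Log-MD. The baseline ProviderOrder value, the list of expected writer processes and the sample events are constructed; the ObjectName normalization (\REGISTRY\MACHINE and ControlSet00N to HKLM\...\CurrentControlSet) is the step most home-grown rules miss.

```python
import re
from dataclasses import dataclass

# Keys the talk says to audit for adds and changes; each needs a SACL for 4657 to fire.
WATCHED_KEYS = (r"HKLM\System\CurrentControlSet\Control\NetworkProvider",
                r"HKLM\System\CurrentControlSet\Services")
# Assumption: processes that legitimately write these keys in this estate.
EXPECTED_WRITERS = {r"c:\windows\system32\services.exe", r"c:\windows\system32\msiexec.exe"}
# Constructed baseline of ...\NetworkProvider\Order\ProviderOrder from a known-good host.
BASELINE_PROVIDER_ORDER = "RDPNP,LanmanWorkstation,webclient"

@dataclass
class Event4657:
    object_name: str        # raw form, e.g. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\Order
    object_value_name: str  # e.g. ProviderOrder
    operation_type: str     # rendered text, e.g. "Existing registry value modified"
    new_value: str
    process_name: str       # image that made the change

def normalize_key(object_name: str) -> str:
    """Map a raw 4657 ObjectName onto the HKLM\\...\\CurrentControlSet form the talk uses."""
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", object_name, flags=re.I)
    return re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", key, flags=re.I)

def analyze(ev: Event4657) -> list[str]:
    """Findings for one 4657 event; an empty list means the key is not one we watch."""
    key = normalize_key(ev.object_name)
    low = key.lower()
    if not any(low.startswith(w.lower()) for w in WATCHED_KEYS):
        return []
    findings = [f"{ev.operation_type}: {key}\\{ev.object_value_name} by {ev.process_name}"]
    if ev.process_name.lower() not in EXPECTED_WRITERS:
        findings.append("writer is not an expected installer or service process")
    value = ev.object_value_name.lower()
    if low.endswith(r"\networkprovider\order") and value == "providerorder":
        added = set(ev.new_value.split(",")) - set(BASELINE_PROVIDER_ORDER.split(","))
        if added:
            findings.append(f"network provider(s) not in baseline: {sorted(added)}")
    # Services\<name>\NetworkProvider\ProviderPath is the DLL Windows loads for a provider.
    if re.search(r"\\services\\[^\\]+\\networkprovider$", low) and value == "providerpath":
        findings.append(f"network provider DLL registered: {ev.new_value}")
    if re.search(r"\\services\\[^\\]+$", low) and value == "imagepath":
        findings.append(f"service binary set: {ev.new_value}")
    return findings

def triage(events: list[Event4657]) -> dict[int, list[str]]:
    """Event index -> findings for every event that touched a watched key."""
    return {i: f for i, ev in enumerate(events) if (f := analyze(ev))}
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event4657(r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\Order", "ProviderOrder",
              "Existing registry value modified", "RDPNP,LanmanWorkstation,webclient,credman",
              r"C:\Windows\System32\reg.exe"),
    Event4657(r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\credman\NetworkProvider", "ProviderPath",
              "New registry value created", r"C:\Windows\Temp\example_provider.dll",
              r"C:\Windows\System32\reg.exe"),
    Event4657(r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VendorAgent", "ImagePath",
              "New registry value created", r'"C:\Program Files\Vendor\agent.exe"',
              r"C:\Windows\System32\msiexec.exe"),
    Event4657(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
              "New registry value created", r"C:\Users\alice\AppData\Local\up.exe",
              r"C:\Windows\explorer.exe"),
]
```

The Run key event is dropped because it is outside the two watched keys; widen WATCHED_KEYS if your SACLs cover more locations.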

•The attackers use PowerShell snap-ins to steal emails from
Microsoft Exchange servers or steal victims' Roaming Profile
folders, compressing the directory with 7-Zip for efficiency
and stealth
•Anyone watching Windows PowerShell/Operational logs for
Event IDs 4103 and 4104 for odd calls, say to email or
archiving?
•Anyone watching for 7Zip executions in Process Started Event
ID 4688 in odd locations?
2nd Example – Agent Raccoon

Example #3

Yellow Liderc ships its scripts and delivers IMAPLoader malware
•https://www.pwc.com/gx/en/issues/cybersecurity/cyber-
threat-intelligence/yellow-liderc-ships-its-scripts-delivers-
imaploader-malware.html
•IMAPLoader is a .NET malware that has the ability to fingerprint victim systems
using native Windows utilities and acts as a downloader for further payloads. It uses
email as a C2 channel and is able to execute payloads extracted from email
attachments and is executed via new service deployments.
3rd Example - Yellow Liderc

•Anyone watching for signs of recon using Windows utilities in
the LOLBin/LOLBaS list?
•https://lolbas-project.github.io/#
•Or the same PowerShell cmdlets that can perform recon in
Event IDs 4103 and 4104?
•These being used in quantity across multiple systems is a
definite tell that recon is occurring
3rd Example - Yellow Liderc

•Additional analysis shows widespread phishing activity that
has been conducted concurrently to the threat actor's
strategic web compromises. This activity is used to deliver a
malicious Excel file that drops a basic Python backdoor.
•The threat actor uses both custom and off-the-shelf malware
including PowerShell backdoors and infostealers in order to
gather information about victim systems
3rd Example - Yellow Liderc

•Anyone watching for execution of Python on endpoints?
•Python is not installed on Windows by default so executions
of .py files could be very telling depending on the location
they are executed
•Map what is normal Python for your organization
•Anyone watching for PowerShell toolkits like PowerSploit,
Cobalt Strike, PowerShell Empire?
•Properly configured PowerShell logs are a MUST to see this
activity, the most malicious activity today
3rd Example - Yellow Liderc

•The threat actor has previously used macro enabled
documents that drop a VBS script, commonly referred to as
LEMPO, which establishes persistence, performs
reconnaissance, and exfiltrates sensitive information.
3rd Example - Yellow Liderc

•The threat actor often favors exfiltration of sensitive
information to an actor-controlled email account via SMTPS or
IMAP, and has been observed using both dedicated mailboxes
and third party services for their email accounts
•Are you watching for odd email behavior?
•Watch Server Hosting companies
•Foreign destinations
•Attachment size
•Times this occurs and of course
•The account(s) being used
3rd Example - Yellow Liderc

•The first stage is distributed as an Excel-DNA XLL plugin, an
open source library that enables .NET integration into
Microsoft Excel files
3rd Example - Yellow Liderc

•Excel file calling .Net or any scripting
•Anyone looking for these executions?
•Scheduled Task created aka “New Task Registered”
•Binaries executed Event ID 4688 location and names are key
•DLLs are heavily used, but you would need something like Sysmon
to monitor for DLL loads that are not signed (Signed=false) with Event ID 7
3rd Example - Yellow Liderc

•As soon as JobTitle.dll is executed, it writes a C# source code
file named source.cs to disk. This is subsequently compiled
into a .NET DLL file called sign.dll, a version of IMAPLoader, by
leveraging the native C# compiler tool csc.exe.
•On-the-fly .NET compilation creates or uses several files:
•xxxxx.cs
•yyyyy.config
•zzzzzz.cmdline
•Compiled with csc.exe and cvtres.exe plus their parameters
•Example: csc /out:My.exe File.cs
3rd Example - Yellow Liderc

•Something like:
•C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY
/MACHINE:IX86 "/OUT:C:\Users\root\AppData\Local\Temp\RES399E.tmp"
•"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths
@"C:\Users\root\AppData\Local\Temp\u_i8wgap.cmdline"
•Are you watching for these types of executions and what the
parent process is of CSC.exe?
•Map what is normal in your environment
3rd Example - Yellow Liderc
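Triage of csc.exe and cvtres.exe executions by parent process, as the two slides above suggest, written as an added Python example that is not from the talk or from the PwC report. The sets of build-tool, Office and script-host parents and the sample events are assumptions; PowerShell's Add-Type also spawns csc.exe, so that parent is flagged for review rather than baselined.

```python
import re
from dataclasses import dataclass

# Compiler images the talk names for on-the-fly .NET builds.
COMPILER_IMAGES = {"csc.exe", "vbc.exe", "cvtres.exe"}
# Assumptions: parents that normally drive the compiler, Office hosts (the Excel-DNA
# XLL chain above), and script hosts (PowerShell's Add-Type also spawns csc.exe).
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe"}
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# The xxxxx.cs / yyyyy.config / zzzzzz.cmdline / RESxxxx.tmp files from the slide, under Temp.
TEMP_ARTIFACT_RE = re.compile(r'\\(?:temp|tmp)\\[^\\\s"]+\.(?:cs|cmdline|config|tmp)\b', re.I)
OUT_RE = re.compile(r"/out:\S+\.(?:dll|exe)", re.I)

@dataclass
class Event4688:
    new_process_name: str
    command_line: str
    parent_process_name: str

def _image(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Event4688) -> tuple[str, list[str]]:
    """Verdict for one 4688 event (ignore, baseline, correlate, investigate) plus reasons."""
    image, parent = _image(ev.new_process_name), _image(ev.parent_process_name)
    if image not in COMPILER_IMAGES:
        return "ignore", []
    reasons = [f"{image} spawned by {parent}"]
    if parent in COMPILER_IMAGES:
        # csc.exe launches cvtres.exe itself; the csc.exe event carries the interesting parent.
        reasons.append("child of the compiler; judge by the compiler's own 4688 event")
        return "correlate", reasons
    if parent in BUILD_PARENTS:
        return "baseline", reasons
    if parent in OFFICE_PARENTS:
        reasons.append("Office application compiling .NET code")
    elif parent in SCRIPT_PARENTS:
        reasons.append("script host compiling .NET code (Add-Type or similar)")
    else:
        reasons.append("parent is not a known build tool")
    if artifacts := TEMP_ARTIFACT_RE.findall(ev.command_line):
        reasons.append(f"temp build artifacts: {artifacts}")
    if OUT_RE.search(ev.command_line):
        reasons.append("compiled binary written with /out:")
    return "investigate", reasons

# Constructed sample events; paths and user are made up, not taken from the report.
FX = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
TMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    Event4688(FX + r"\csc.exe", f'"{FX}\\csc.exe" /noconfig /fullpaths @"{TMP}\\u_i8wgap.cmdline"',
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    Event4688(FX + r"\cvtres.exe", f'{FX}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TMP}\\RES399E.tmp"',
              FX + r"\csc.exe"),
    Event4688(FX + r"\csc.exe", f'"{FX}\\csc.exe" /out:C:\\build\\App.dll C:\\src\\Program.cs',
              r"C:\BuildTools\MSBuild\Current\Bin\MSBuild.exe"),
    Event4688(FX + r"\csc.exe", f'"{FX}\\csc.exe" /out:{TMP}\\sign.dll {TMP}\\source.cs',
              TMP + r"\loader.exe"),
    Event4688(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]
```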

Example #4

New 'HrServ.dll' Web Shell Detected in APT Attack Targeting
Afghan Government
•https://thehackernews.com/2023/11/new-hrservdll-web-
shell-detected-in-apt.html
•The web shell, a dynamic-link library (DLL) named "hrserv.dll,"
exhibits "sophisticated” features such as custom encoding
methods for client communication and in-memory execution
4th Example - HrServ

•The attack chain involves the PAExec remote administration
tool, an alternative to PSExec that's used as a launchpad to
create a scheduled task that masquerades as a Microsoft
update ("MicrosoftsUpdate"), which subsequently is
configured to execute a Windows batch script ("JKNLA.bat")
•Here we go again with a new registered Scheduled Task…
•Are you watching for batch files executing, odd names?
•Or tools like PAExec or PSExec creating a NEW Service Event ID
7045 in the System Log?
4th Example - HrServ

•The web shell is also capable of activating the execution of a
stealthy "multifunctional implant" in memory that's
responsible for erasing the forensic trail by deleting the
"MicrosoftsUpdate" job as well as the initial DLL and batch
files.
•DLLs can only be seen with Sysmon or an EDR/XDR solution
•You can however extract all the modules in memory and
evaluate them for signs of maliciousness
4th Example - HrServ

•For in memory you can check for signs of injection, implants, hooks
etc.
•Use tools like Volatility
•Process them on a Linux system, as newer versions are not
compiled for Windows
•You can use LOG-MD-Pro or Premium to extract and evaluate the
modules using the B9 option or File-MD to evaluate the extracted files
from memory
•Sysmon has Event ID 17 for Named Pipe creation that PAExec uses
•Sysmon also has Event ID 25 for process tampering such as hollowing
4th Example - HrServ

•A study revealed that PowerShell Command & Scripting Interpreter
was the number one attack technique used by threat actors.
•The report provides a strong representation of adversary activity from
authoritative sources. It assembled data from M-Trends, Red Canary’s
Threat Detection Report, CTID ATT&CK Sightings Ecosystem and CISA
alerts ranging from 2020 to 2022.
•28.49% of attacks !!!
•https://www.splunk.com/en_us/blog/security/zoom-enhance-finding-value-in-macro-level-att-ck-reporting.html
PowerShell for the Threat WIN

The Three C’s

Where do we see our clients fail or fall short?
Configuration
•Local audit logging not optimally configured
•Endpoint agents not optimally configured
Coverage
•Endpoints missing one or more agents
•Some or all log data (endpoint, cloud, network, internet facing) not
going to a log management solution
Completeness
•Implement a process and/or procedure to validate and verify that
Configuration and Coverage are “Complete”
The 3 Cs

When you roll out an agent…
Do you...
1. Validate the agent was properly installed?
2. Compare it to a list of known assets?
•Do you even know where or what all your assets are?
3. Verify the data is collecting properly?
4. Have a way to identify new systems as they come live?
5. Have a way to install agents on new systems quickly?
6. Verify the endpoint configuration is showing up in the proper
console(s)… regularly?
Completeness
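A reconciliation of the asset list against agent check-ins and log sources, covering steps 1 to 4 and 6 above, as an added Python example that is not from the talk. The inventories, the hostname formats and the three-day staleness threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 7, 18, 12, 0, tzinfo=timezone.utc)
# Assumption: an agent or log source silent for this long counts as a coverage gap.
STALE_AFTER = timedelta(days=3)

def norm(host: str) -> str:
    """Hosts arrive as WS-001, ws-001.corp.example or WS-001$ depending on the source."""
    return host.split(".")[0].rstrip("$").upper()

def coverage_report(assets, agent_last_seen, log_last_seen, now=NOW, stale_after=STALE_AFTER):
    """Reconcile the asset list against EDR check-ins and SIEM log sources."""
    assets_n = {norm(h) for h in assets}
    agents = {norm(h): t for h, t in agent_last_seen.items()}
    logs = {norm(h): t for h, t in log_last_seen.items()}

    def stale(seen):
        return sorted(h for h, t in seen.items() if h in assets_n and now - t > stale_after)

    return {
        "missing_agent": sorted(assets_n - set(agents)),  # Coverage: no EDR agent at all
        "stale_agent": stale(agents),                      # installed, but not reporting
        "no_logs": sorted(assets_n - set(logs)),          # Coverage: never reached log management
        "stale_logs": stale(logs),                         # forwarding broke or the log filled up
        "unknown_hosts": sorted((set(agents) | set(logs)) - assets_n),  # asset list incomplete
    }

# Constructed inventories; export the real ones from your CMDB/AD, EDR console and SIEM.
ASSETS = ["WS-001", "WS-002", "WS-003", "SRV-DB01", "SRV-WEB01"]
AGENT_LAST_SEEN = {
    "ws-001.corp.example": NOW - timedelta(hours=1),
    "WS-002": NOW - timedelta(days=10),
    "SRV-DB01": NOW - timedelta(hours=2),
    "SRV-FILE02": NOW - timedelta(hours=1),
}
LOG_LAST_SEEN = {
    "WS-001$": NOW - timedelta(minutes=30),
    "WS-002": NOW - timedelta(hours=1),
    "WS-003": NOW - timedelta(days=5),
    "SRV-DB01": NOW - timedelta(hours=1),
}
```

Run it on a schedule and treat a non-empty report as a ticket: "unknown_hosts" is the answer to the question on the slide about knowing where all your assets are.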

•Incident Responders need data to discover what happened, at a
level of detail we can be sure of, and to answer questions
•This is so our clients can improve and close the gap(s) that let
the pwnage happen or go undetected
•Reducing the cost and time of an Incident Response
investigation is a goal: less time = less cost
•Optimal 3-Cs can save you 2x to 4x the cost of paying an
Incident Response firm
•You could be way ahead… IF you Prepare
Why the 3 C’s are important

•You don’t have to spend $$$ to improve processes,
procedures and playbooks
•Or tweak some settings
•People time is a cost, but not an external spend
•So spend some time on Preparation…. it is the P in the
SANS PICERL model
•Many of our clients have incomplete or broken agent installs
and endpoint configuration is not optimal
•This means incomplete coverage and configuration
•Thus missing details and potentially the initial compromise
The 3 C‘s are FREE

We check Windows systems for what logging is enabled as a
part of triage to know what will likely be there…
There is a freely available tool to check your Windows logs
against some well known Cheat Sheets ;-)
Hint…
Windows Audit Logs

Local Log Sizes are NOT Big Enough

•PowerShell is used a lot in all kinds of attacks
•Commodity, Ransomware, APT
•Command Line details missing
•ScriptBlock Logging improperly or not set
PowerShell Logging is inadequate

•We need the data enabled and retained for a week or longer
Audit Settings Fail

CONCLUSION

•Learn from these attacks and many others
•Practice Malware Management and use MITRE ATT&CK to map your
defenses
•Configure your logging and agents OPTIMALLY
•Cover ALL your assets
•Verify the Completeness
•Watch for the items in this talk
•And several other of my talks
Practice Security 101 and 201 even if you are all the way to 501 or beyond
Conclusion

•Enable and log Task Scheduler events, 106, etc.
•Enable Process Command Line for 4688 events
•Watch Parent-Child process executions for odd combinations in 4688 events
•Block scripting engine extensions from coming in via email (.vbs, .js, .jse, .wsh,
.wsf, etc.)
•Watch for any scripting engines being used
•Set AD to open Notepad for scripting extensions when double-clicked by a user
versus launching the script
•Watch for .lnk executions and what launched them in 4688 events
•Watch USB drive letters for any executions in 4688 events
•Consider using File/Folder and Registry auditing for key locations
•Watch registry changes to service keys in 4657 events
•Watch PowerShell VERY closely for 4103 and 4104 events
Things that should/could be detected

Things that should/could be detected
•Watch PowerShell VERY closely for obfuscation and Base64 events
•PowerShell accounts for over 25% of all attacks, 50% if you include
obfuscation which can also be in 4688 process command line events
•Watch for archive tools such as 7-Zip, WinRAR, WinZip and others in 4688
events
•Watch for LOLBaS executables in quantity across multiple systems
•Watch for Python executions in 4688 events and .py files
•Watch for PowerShell exploit kits being used, PowerSploit, Empire, etc.
this will require Red Team, Purple Team or testing to produce it
•Watch email for foreign IPs, Off hours use, size of attachments, server
hosting companies
•Excel calling .NET in any way, or csc.exe, cvtres.exe, etc.
•Watch for a parent calling xxxxx.cs, yyyyy.config or zzzzzz.cmdline files

Things that should/could be detected
•Watch C:\Users based executions VERY closely for anything new
•Watch for DLLs being called in 4688 events
•Might consider using Sysmon Event ID 7 to more closely watch DLL use
•Watch for NEW service creation 7045 events
•Do you have a way to pull modules from memory and evaluate them for
so called “fileless” malware?
•Watch for signs of process hooks and implant type behavior (EDR, LOG-
MD, FILE-MD, Sysmon (25), etc)
•Watch for named pipes ID 17 with Sysmon that are odd
•Create a Process and Procedures for the 3-Cs to know your assets and
all the agents and configurations you think are deployed and any
variances from them

•Websites
•Log-MD.com The tools
•The “Windows Logging Cheat Sheet(s)”
•https://MalwareArchaeology.com/cheat-sheets
•MITRE ATT&CK is your friend
•https://attack.mitre.org/techniques/enterprise/
•JPCert Detecting Lateral Movement
•https://www.jpcert.or.jp/english/pub/sr/20170612ac-
ir_research_en.pdf
•This presentation and others on SlideShare
•Search for MalwareArchaeology or LOG-MD
Resources

You can find us at:
•MalwareArchaeology.com
•LOG-MD.com
•LOGMD.com
•TIME FOR HALLWAY CON !!!
Questions?