Libsyn Feed - http://www.brakeingdownir.libsyn.com/
Join us for Episode-002, our guest will be:
David Longenecker - InfoSec Practitioner
- Twitter: @dnlongen
- Blog: SecurityForRealPeople.com
- GitHub - https://github.com/dnlongen
News-Worthy - City of Atlanta hit with ransomware, services taken offline
“Mayor (Keisha Lance Bottoms) told reporters that cybersecurity is now a top priority for the city.”
“Wi-Fi at Hartsfield-Jackson Atlanta International Airport has been shut down as a precaution”
“SecureWorks and the city's incident response team are working with law enforcement, including the FBI, Homeland Security and the Secret Service, as well as independent forensics experts and educational partners like Georgia Tech, to determine exactly what happened.”
“I am looking forward to us really being a national model of how cities can shore themselves up and be stronger because of it.” the mayor said, regarding digital infrastructure
Malware of the Month
Dridex - Artifacts
1. This came in an email with a URL that auto-downloaded and installed the malware, but it could be delivered as a drive-by as well.
2. Since Dridex uses real signed Microsoft binaries copied to a different directory (not System32), sideloading is easy: the malicious DLL just has to be named after one of the DLLs the binary actually needs and placed in the same folder as the binary. The real DLL is usually, and should be, located in System32.
3. This method has been making the rounds of Con circuit talks, as many tools miss or exclude known good Microsoft-signed binaries as “Good”. A popular tool we all use, Microsoft’s Sysinternals Process Explorer, has an option we have all used to hide the Microsoft-signed files to make it easier to spot an obviously bad process. Dridex exploits this typical analyst behavior to hide among the known good.
It is important to note that we designed LOG-MD to see these cases, since WHERE the file is located can be a BIG clue, even if it is a real and signed MS binary.
4. Morphs on reboot - The DLL changes its hash on each reboot, the .EXE changes as well, and the DLL name changes to whichever DLL that .EXE needs. So chasing hashes is a waste of time: what you have hash-wise is not what the rest of us will have.
5. Uses a valid, trusted MS-signed binary to launch the bad DLL, which is named for a legitimate DLL that the launcher needs (GamePanel.exe, UxTheme.dll, CameraSettingsUIHost.exe, DUI70.dll, etc.)
6. Autoruns are a .lnk file in the user’s Startup folder and a Scheduled Task pointing to another version
7. Files are found in:
8. Uses svchost.exe to phone home and communicate
9. Opens a hole for Explorer in the Windows Firewall
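The Dridex artifacts above all come down to WHERE a file lives, not whether it is signed. Here is an added PowerShell triage script (written for these notes; it is not LOG-MD code and not from the episode) that turns those artifacts into checks: Microsoft-signed executables running from outside the usual install directories, a DLL loaded from the executable's own folder that shares its name with a DLL shipped in System32, and Startup-folder .lnk files or scheduled task actions that point at non-standard paths. The list of "expected" roots and the output field names are my assumptions; it deliberately ignores hashes, since the notes say those change on every reboot. Run it from an elevated 64-bit PowerShell on Windows 8/2012 or later (for Get-ScheduledTask), and treat hits as leads to look at, not verdicts, because some legitimate Microsoft software (updaters under the user profile, for example) will also show up.

```powershell
# Added triage example for the Dridex pattern in the notes (not LOG-MD, not from the show).
# Roots where a Microsoft-signed binary is expected to live. Assumed list; extend for your estate.
$ExpectedRoots = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:SystemRoot\WinSxS\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_.Length -gt 1 }   # drop an empty ProgramFiles(x86) on 32-bit hosts

function Test-ExpectedRoot {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $ExpectedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Test-MicrosoftSigned {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    return [bool]($sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
}

function Find-MisplacedSignedBinaries {
    foreach ($proc in Get-Process | Where-Object { $_.Path }) {
        $exeDir = Split-Path -Parent $proc.Path
        # Check 1: a genuine, validly signed Microsoft EXE running from an unusual folder.
        if ((Test-MicrosoftSigned $proc.Path) -and -not (Test-ExpectedRoot $proc.Path)) {
            [PSCustomObject]@{ Finding = 'MS-signed EXE outside expected dirs'; PID = $proc.Id; Path = $proc.Path; Module = $null }
        }
        # Check 2: a DLL beside that EXE whose name also exists in System32 (the sideload).
        # Module enumeration fails on protected processes; skip those rather than abort.
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            $modDir = Split-Path -Parent $m.FileName
            $shadowsSystem32 = Test-Path (Join-Path "$env:SystemRoot\System32" $m.ModuleName)
            if ($modDir -ieq $exeDir -and -not (Test-ExpectedRoot $modDir) -and $shadowsSystem32) {
                [PSCustomObject]@{ Finding = 'DLL beside EXE shadows a System32 DLL'; PID = $proc.Id; Path = $proc.Path; Module = $m.FileName }
            }
        }
    }
}

function Find-SuspiciousAutoruns {
    $shell = New-Object -ComObject WScript.Shell
    # Per-user and all-users Startup folders: the notes say the autorun is a .lnk here.
    $startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($dir in $startupDirs) {
        foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            if ($target -and -not (Test-ExpectedRoot $target)) {
                [PSCustomObject]@{ Finding = 'Startup .lnk to non-standard path'; Source = $lnk.FullName; Target = $target }
            }
        }
    }
    # Scheduled tasks whose action executes something outside the expected roots.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $exe = [Environment]::ExpandEnvironmentVariables(([string]$action.Execute).Trim('"'))
            # Bare names (cmd.exe) resolve via PATH and carry no directory to judge; skip them.
            if ($exe -match '[\\/]' -and -not (Test-ExpectedRoot $exe)) {
                [PSCustomObject]@{ Finding = 'Scheduled task to non-standard path'; Source = $task.TaskPath + $task.TaskName; Target = $exe }
            }
        }
    }
}

Find-MisplacedSignedBinaries | Format-Table -AutoSize
Find-SuspiciousAutoruns     | Format-Table -AutoSize
```

The two process checks are independent on purpose: a misplaced signed launcher with no shadowing DLL still deserves a look, and a shadowing DLL is worth a look even when the launcher sits somewhere you have whitelisted.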
Guest - David Longenecker
https://attack.mitre.org/wiki/Main_Page - Adversarial Tactics, Techniques & Common Knowledge. A repository of things for which to ask yourself, "would I detect this? Would it set off any alarms?"
https://jpcertcc.github.io/ToolAnalysisResultSheet/ - dozens of tools and exploitation techniques, with detailed artifacts generated by those actions. Again, a great resource for asking "how would I detect this?"
https://blog.didierstevens.com/my-software/ - Didier writes lots of handy tools useful for forensics and IR. I use his pdf tools (https://blog.didierstevens.com/programs/pdf-tools/) a fair bit for inspecting suspicious attachments; rtfdump and oledump seem to do the same for OLE and RTF files.
Topic of the Day
Windows Logging, Who, What, Where, When, Why
Why is logging important?
Incident took place...what happened? I don’t know!
Research / hunting.
Windows Default logging
Some of the improvements since XP
Default is painfully bad, so at minimum set the following
CMD Line Logging
Make checks for
Where does one start to improve logging
Gaps in the industry standards
Why are they inadequate
Centralized / forwarded vs. Local logging
Why some things shouldn’t be forwarded
Log “nice-to-haves” locally (it won’t kill the box - Microsoft article)
What tools can you use to collect local logs?
Filtering logs on the endpoint
3rd party logging utilities
10. Advanced Logging
- NEW - The Windows Advanced Logging Cheat Sheet
11. Log Attacks
- Clear the logs
- Stop the logging service
- Change size to 1k
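The outline above names a minimum to set (process creation with command line logging) and three ways an attacker attacks the logs themselves. As an added example for these notes (not from the episode, the cheat sheet, or Microsoft), this PowerShell script does both halves for a single box: it enables Process Creation auditing with the command line included, then checks the local logs for exactly those three attacks, using the Windows event IDs that record them. The auditpol subcategory, the ProcessCreationIncludeCmdLine_Enabled registry value and the event IDs are the real Windows ones; the size floor and the seven-day window are my assumptions. Run it elevated; the first function changes audit policy on the machine.

```powershell
# Added example for the logging outline (not from the show or any cheat sheet).

function Enable-CommandLineLogging {
    # Security event 4688 (process creation) only carries the command line once this
    # policy value is set; auditpol turns the subcategory itself on.
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
}

function Test-LogSizes {
    # "Change size to 1k": a tiny maximum size makes the log overwrite itself almost at once.
    # 128 MB is an assumed floor for this example, not Microsoft guidance.
    param([long]$MinimumBytes = 128MB)
    foreach ($name in 'Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational') {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if ($log -and ($log.MaximumSizeInBytes -lt $MinimumBytes -or -not $log.IsEnabled)) {
            [PSCustomObject]@{ Finding = 'Log too small or disabled'; Log = $name; MaxBytes = $log.MaximumSizeInBytes; Enabled = $log.IsEnabled }
        }
    }
}

function Find-LogTampering {
    param([int]$Days = 7)   # assumed look-back window
    $since = (Get-Date).AddDays(-$Days)
    # 1102 (Security): the audit log was cleared.
    # 1100 (Security): the event logging service has shut down, written as the service stops.
    # 104  (System, provider Microsoft-Windows-Eventlog): a log file was cleared.
    # 7036 (System, Service Control Manager): a service changed state; filtered below to the Event Log service.
    $filters = @(
        @{ LogName = 'Security'; Id = 1102, 1100; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $since }
    )
    foreach ($f in $filters) {
        foreach ($e in Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue) {
            if ($e.Id -eq 7036 -and $e.Message -notmatch 'Windows Event Log') { continue }
            [PSCustomObject]@{ Time = $e.TimeCreated; Log = $e.LogName; Id = $e.Id; Message = ($e.Message -split "`n")[0] }
        }
    }
    # "Stop the logging service": also check the service state right now.
    $svc = Get-Service -Name EventLog
    if ($svc.Status -ne 'Running') {
        [PSCustomObject]@{ Time = Get-Date; Log = 'n/a'; Id = 0; Message = "EventLog service is $($svc.Status)" }
    }
}

Enable-CommandLineLogging
Test-LogSizes     | Format-Table -AutoSize
Find-LogTampering | Format-Table -AutoSize
```

The point of keeping the tamper checks local is the one the outline makes under centralized versus local logging: 1102, 1100 and 104 are the events you most want to forward, because a box whose log was just cleared is the one place you cannot go back and read them.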