Botconf Author Listing

Tom Ueltschi


Last known affiliation: Swiss Post
Bio: Tom has been working at Swiss Post CERT for over 15 years and has presented at different security conferences since 2012. He’s an active member of many trust groups and communities that share on infosec topics.
Date: 2019-12-05
“DESKTOP-Group” – Tracking a Persistent Threat Group (using Email Headers)
Tom Ueltschi

Abstract

At BotConf 2015, I presented a lightning talk “Creating your own CTI in 3 minutes”. This presentation is building on that capability to do semi-automated malware analysis based on a commercial sandbox solution. I will discuss a malware campaign analysis from a persistent threat actor (or group) over the past 18 months and still ongoing. The attacks are linked by email headers, targeting, and malware C&C infrastructure…

Date: 2018-12-06
Hunting and Detecting APTs using Sysmon and PowerShell Logging
Tom Ueltschi

Abstract

Many security professionals and Blue Team members appreciate a good and detailed written APT report by any renowned security company. This is especially true if they document and explain some new and stealthy technique that was used and is not yet well known to defenders.

One such technique is “WMI event subscription” for persistence, which has been used by APT29.
Another one is the “Logon Script” technique (“UserInitMprLogonScript” reg key) used by APT28.
A third technique that is discussed very often is (ab-)using PowerShell and “living off the land” (LOL).
To even top this one, attackers are using “unmanaged PowerShell” (e.g. using PowerPick) to evade command-line-based detection. But thanks to the PowerShell logging features available since version 5, even this can be detected.

I will discuss and show how to detect all of these techniques by using Sysmon data and PowerShell logging (with Splunk as a SIEM).

Date: 2016-12-01
Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
Tom Ueltschi

Abstract

Enterprises and organizations of all sizes are struggling to prevent and detect all malware attacks and advanced adversary actions inside their networks in a timely manner. Prevention focused technology hasn’t been good enough to prevent breaches for years and detection has been lacking in many ways.
This presentation will give an overview and detailed examples on how to use the free Sysinternals tool SYSMON to greatly improve host-based incident detection and enable threat hunting approaches.
Splunk is just an example of a SIEM to centralize Sysmon log data and be able to search and correlate large amounts of data to create high-quality alerts with low false-positive rates. The same could likely be done using another free or commercial SIEM.
The main goal is to share an approach, a methodology for how to greatly improve host-based detection by using Sysmon and Splunk to create alerts.
One main topic throughout the presentation will be how to find suspicious or malicious behaviors, how to implement search queries and how to reduce or eliminate false-positives. Examples will cover different crimeware malware families as well as tools and TTPs used by Red Teams and advanced adversaries.
For the latter, a commercial tool (Cobalt Strike) was used to test different privilege escalation and lateral movement techniques and develop queries for detection. Sysinternals Process Monitor and Sysmon tools were used to analyze behaviors on the endpoints involved.
Any Blue Team member should be able to take away some ideas and approaches to improve detection and incident response readiness in their organization.

Date: 2013-12-06
My Name is Hunter, Ponmocup Hunter
Tom Ueltschi

Abstract

In early 2011 we discovered some malware infected systems in our network. Starting from one A/V event we found several host- and network-based indicators to identify and confirm several infections within our company. A few weeks later the sinkholing of several known C&C domains showed the botnet was very big (several million bots). Quickly I got obsessed with analyzing and hunting this malware, which could infect fully patched systems protected by firewalls, IPS and multi-layered A/V without using exploits (only social engineering).
The malware got some media attention in June 2012 with titles such as “printer virus”, “printer bomb” or “Trojan.Milicenso: A Paper Salesman’s Dream Come True”. A/V detection names for this malware vary greatly, and there may be as little as one registry key in common as an indicator for all infected hosts. Over time the infection and C&C domains, IPs and URL patterns changed to avoid detection.

In late 2012 an “anti-sinkholing technique” was introduced in the use of C&C domains. Just recently I discovered how this technique can be overcome to allow sinkholing of botnet domains again. Unfortunately the currently used C&C domains are not as well known as they were after the incident and analysis in 2011.
