In search of unique behaviour

•

0 likes•347 views

This document summarizes a presentation by Marius Bucur and Ioan Iacob of CrowdStrike on finding malware through unique behaviors. It discusses how they hunt for malware using YARA rules and Overwatch patterns to find infection vectors. It provides examples of malware found, including a malicious document that drops signed Delphi malware using MSIExec, and WMI being abused to inject a .NET binary into a legitimate process. It also discusses analyzing process injection, callstacks, RPCs and other techniques through reverse engineering to attribute similar samples and develop detection rules. The document cautions that just because something is possible does not mean it is advisable, and provides an example of a potentially suspicious but ultimately legitimate PowerShell script.

Technology

2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
IN SEARCH OF UNIQUE BEHAVIOUR
MARIUS BUCUR & IOAN IACOB
2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
MARIUS BUCUR
● Threat Hunter at Crowdstrike
● 7y+ IT industry
● last 4y IT Security at
CrowdStrike and Avira
● Food and travel enthusiast

2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
IOAN IACOB
● Threat Analyst at Crowdstrike
● 5 years in IT Sec
● CrowdStrike and Avira
● RE & DFIR enthusiast
● CTF player

2018 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
What we do
Odd infection techniques
Quirky, but legitimate behavior
Q & A

WHAT WE DO
● Malware hunting
● Reverse engineering
● Write detections

MALWARE HUNTING
● Hunting with yara rules in MalQuery
● Overwatch patterns in Harrier
● VT queries and other OSINT
● Finding Infection vectors
● Kill chain
● Search infections

OVERWATCH PATTERNS
● Very generic patterns:
○ Eg.: "net use", wmic and http ...
● Used mostly in hunting for sophisticated attacks
● A red flag is raised once 3 or more patterns are found on one host

REVERSE ENGINEERING
● Focus on events not seen in conventional tools
○ Process injection
○ Callstack analysis
○ RPC and WMI
○ PrivEsc and Cred. Dumping
○ Exploitation techniques (DEP/ASLR bypass, HeapSpray, etc)
● Find similar samples using MalQuery

MALWARE EXAMPLES
1. MalDoc abuses MSIExec that drops signed Delphi malware
2. WMI abused to inject .NET binary in legit process (#Squiblytwo)
3. Excel Sheet and Steganography

EXAMPLE 1
MalDoc abuses MSIExec that drops Signed Delphi malware

EXAMPLE 1
§ Word document found ITW
§ “Industry Standard” Social Engineering message

EXAMPLE 2
WMI abused to inject .NET binary in legit process
#Squiblytwo
„Fileless malware”

EXAMPLE 3
§ Excel sheet seen ITW
§ Typical infection vector with Macro

WRITE DETECTION RULES
● Call-Stack analysis
● Process Injection
● RPC
● Process trees
● Script control
● Credential dumping
● PrivEsc
● . . .

LAST STEP
§ Created detections:
§ IOAs for 1st and 3rd example
§ Injection flags for the 2nd example

BUT YOU ALSO SEE THIS
§ Winlogon in non-standard locaion
§ Crazy Powershell oneliners
§ Legit .doc|xls|pdf.exe received on emails
JUST BECAUSE YOU CAN, DOESN’T MEAN YOU SHOULD!!!

IS THIS MALICIOUS?
§ Clean document received via email
§ Runs a PowerShell script from a shared drive

CLOSING REMARKS
● Productivity apps are still used as initial infection vectors
● Quirky infection techniques are seen more often (WMI included)
● We can’t just blacklist all and hope for the best
● Adversaries try to migrate to fileless malware, but still write binaries on
disk

What's hot

Learn how to prevent & detect even the most complex “file-less” ransomware exploits Ransomware continues to evolve as perpetrators develop new exploits with consequences that can be dramatic and immediate. The purveyors of ransomware continue to prosper with adversaries developing new strains such as Zepto and Cerber that are proving to be more challenging than ever. Other exploits can alter programmable logic controller (PLC) parameters and adversely impact mechanical systems. Clearly, new defense approaches are needed because organizations can no longer rely on backups and conventional security solutions to protect them. Join CrowdStrike Senior Security Architect Dan Brown as he offers details on these sophisticated new ransomware threats, and reveals recent innovations designed to offer better protection – including new indicator of attack (IOA) behavioral analysis methodologies that can detect and prevent even the most complex “file-less” ransomware exploits. Attend this CrowdCast where Dan will discuss: --The challenges of defending against dangerous new variants, such as Zepto and Cerber --Real-world examples of ransomware in action and the sophisticated tactics being used by a variety of adversaries --How the CrowdStrike Falcon cloud-delivered platform can defend your organization against new super strains of ransomware that use sophisticated malware-free tactics

CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...

CrowdStrike

The Time Has Come To Replace Your Antivirus Solution After decades of frustration and failure, the security industry is ready to replace legacy antivirus systems with more effective solutions. As breaches continue to make headlines, we are left to wonder if anything can really stop modern threats. The answer is yes, but it requires us to approach the problem in a new way. Instead of continually adding functionality and complexity to legacy security architectures, we need a complete reset. This is exactly what CrowdStrike offers with its cloud-delivered endpoint protection platform. The key to this new approach is going beyond malware to understanding and address cyber threats at every stage of the kill chain. CrowdStrike does this by combining next-gen antivirus, endpoint detection and response (EDR), and a managed threat hunting service – all cloud-delivered with a single lightweight agent. In this CrowdCast, Dan Larson, Sr. Director of Technical Marketing, will discuss: - The typical challenges with legacy antivirus implementations and how we solve them - How CrowdStrike offers a greater level of protection, especially against modern threats - How cloud-delivered endpoint protection reduces operational burden - How to migrate from legacy antivirus to CrowdStrike Falcon Link to on-demand webcast: https://www.crowdstrike.com/resources/crowdcasts/time-come-replace-antivirus-solution/

How to Replace Your Legacy Antivirus Solution with CrowdStrike

Adam Barrera

Falcon OverWatch Experts Hunt 24/7 To Stop Incidents Before They Become Breaches Is your IT security team suffering from alert fatigue? For many organizations, chasing down every security alert can tax an already overburdened IT department, often resulting in a breach that might have been avoided. Adding to this challenge is an increase in sophisticated threats that strike so fast and frequently, traditional methods of investigation and response can’t offer adequate protection. A new webcast from CrowdStrike, “Proactive Threat Hunting: Game-Changing Endpoint Protection Above and Beyond Alerting,” discusses why so many organizations are vulnerable to unseen threats and alert fatigue, and why having an approach that is both reactive and proactive is key. You’ll also learn about Falcon OverWatch™, CrowdStrike’s proactive threat hunting service that investigates and responds to threats immediately, dramatically increasing your ability to react before a damaging breach occurs. Download the webcast slides to learn: --How constantly reacting to alerts prevents you from getting ahead of the potentially damaging threats designed to bypass standard endpoint security --Why an approach that includes proactive threat hunting, sometimes called Managed Detection and Response, is key to increasing protection against new and advanced threats --How CrowdStrike Falcon OverWatch can provide 24/7 managed threat hunting, augmenting your security efforts with a team of cyber intrusion detection analysts and investigators who proactively identify and prioritize incidents before they become damaging breaches

Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting

CrowdStrike

In today’s threat environment, adversaries are constantly profiling and attacking your corporate infrastructure to access and collect your intellectual property, proprietary data, and trade secrets. Now, more than ever, Threat Intelligence is increasingly important for organizations who want to proactively defend against advanced threat actors. While many organizations today are collecting massive amount of threat intelligence, are they able to translate the information into an effective defense strategy? View the slides now to learn about threat intelligence for operational purposes, including real-world demonstrations of how to consume intelligence and integrate it with existing security infrastructure. Learn how to prioritize response by differentiating between commodity and targeted attacks and develop a defense that responds to specific methods used by advanced attackers.

CrowdCast Monthly: Operationalizing Intelligence

CrowdStrike

CrowdCasts Monthly: When Pandas Attack

CrowdStrike

Crowdstrike And Guest Forrester Share Keys To Mastering The Endpoint CrowdStrike VP, Product Management Rod Murchison and guest speaker Chris Sherman, Forrester Research analyst, will discuss how modern approaches must balance prevention with detection capabilities in the context of an overall security strategy. Ultimately, this will give security professionals the ability to better deal with the influx of new device types and data access requirements while reducing the likelihood of compromise. In this CrowdCast, Forrester and CrowdStrike will present: - Forrester’s Targeted-Attack Hierarchy of Needs - The six core requirements to a successful endpoint security strategy - Preparing for and responding to targeted intrusions and attacks - How CrowdStrike lines up with Forrester’s Hierarchy of Needs framework

You Can't Stop The Breach Without Prevention And Detection

CrowdStrike

CrowdCasts Monthly: Going Beyond the Indicator

CrowdStrike

PKI is widely understood and accepted as golden standard for Authentication, Non-repudiation and Integrity. It secures protocols for emails, web, software distributions, replaces ink with electronic signature, infrastructure, financial and other transactions. While obtaining the private key or gaining access to its usage is the first thought when attacking PKI based systems, there are usually easier ways and a multitude of attack vectors.

"Is your browser secure? Breaking cryptography in PKI based systems, opening ...

PROIDEA

Hacking Exposed Live: Mobile Targeted Threats

CrowdStrike

Gain in-depth information on the massive WannaCry ransomware attack On Friday, May 12, the WannaCry ransomware variant swept the globe. In a short period of time, WannaCry (also known as Wanna Decryptor and WannaCryptor) infected over 230,000 systems in 150 countries. It was a particularly effective piece of malware because it not only encrypted data and held it for ransom, but it also spread like wildfire to other systems. Entire organizations found themselves looking at a ransom note on their screens and wondering what to do next. As the situation continues to unfold, please join us as Adam Myers, VP of Threat Intelligence at CrowdStrike, presents an in-depth look at the WannaCry ransomware. Register for this webcast to learn: -A complete technical understanding of the WannaCry threat -What analysts were seeing on the day of the WannaCry outbreak -How to prevent WannaCry infections and protect against ransomware going forward

An Inside Look At The WannaCry Ransomware Outbreak

CrowdStrike

Learn about the history of Russian intelligence influence operations and the cyber actors implementing them today. In June 2016, CrowdStrike exposed unprecedented efforts by Russian intelligence services to interfere in the U.S. election via the hacking and subsequent leaking of information from political organizations and individuals. Election manipulation was not a new activity for the Russians - they have engaged in these influence operations consistently for the better part of the last two decades inside and outside of Russia. In this CrowdCast, CrowdStrike experts Adam Meyers, VP of Intelligence, and Dmitri Alperovitch, Co-Founder & CTO, will provide a detailed overview of the history of Russian intelligence influence operations going back decades and provide a deep dive overview of various BEAR (including FANCY BEAR AND COZY BEAR) intrusion sets and their tactics, techniques and procedures (TTPs). They will also discuss the considerable attribution evidence that CrowdStrike has collected from a variety of investigations into their operations and lay out the case for the Russian government connection to these hacks.

Bear Hunting: History and Attribution of Russian Intelligence Operations

CrowdStrike

Discussions on threat intelligence often get bogged down between machine speed ingestion of atomic indicators and in-depth analysis of activity taking weeks (or months) to produce. Left in the cold in such debates is a very important but seldom considered middle ground: time-sensitive and incomplete but enriched threat intelligence. In various military settings, this is referred to as threat indications and warning (I&W) a step beyond a simple observable refined to ensure accuracy and timely receipt. The goal of I&W is to get actionable, important information to those in need of it most as quickly, efficiently, and accurately as possible, even if as a result some context or other insights are lost. As a result of this activity, consumers are better armed and equipped to deal with and counter threats as they emerge, rather than either reacting to items with no context whatsoever or only reading about their challenges weeks after the fact in a complete intelligence report. This discussion will explore the concept of threat I&W within the context of network security generally and threat intelligence specifically to identify this topic as a shamefully ignored middle ground between extremes. The presentation will explore the conceptual background behind this idea, then transition to real-life examples of I&W drawn from the speakers past activity in threat intelligence, incident response, and military operations. Attendees will walk away with two key lessons: first, do not let perfect (finished, complete intelligence) be the enemy of the good (actionable, if incomplete, information) when it comes to network defense; second, network defense consists of multiple phases of activity, from tactical to strategic, but ignoring the spaces in between results in fractured and incomplete operations. As a result of this discussion, attendees will be better armed and equipped to ask critical questions of their threat intelligence providers and have an enhanced set of expectations for what threat intelligence can do to support defensive operations.

"Meet Me in the Middle: Threat Indications & Warning to enable Operational Th...

PROIDEA

What Happens Before the Kill Chain

OpenDNS

The Art of Evading Anti-Virus There are estimates that security analysts, to include penetration testers, are approximately 5 years behind malicious actors. Anti-virus by itself isn’t enough to stop a malicious individual from gaining access to your servers or computers anymore. In fact many of them have devised ways to evade anti-viruses. We as security professionals should understand how these individuals are doing this, and what tools are available for us to replicate these attacks. Tools such as veil-framework assist us with this. This talk will go over this tool, and how malicious individuals evade anti-viruses with ease. Quentin Rhoads-Herrera is a security analyst for State Farm. In this position he is responsible for risk analysis and application security assessments. He is accountable for ensuring risks are identified and properly mitigated throughout the organization. He previously served as the Information Security Director for Clearview Energy and Solarview. In this position he oversaw all information security activities. These included development of company-wide cyber security standards, development of layered defense approaches and the hardening and defense of all company systems. Mr. Rhoads-Herrera has worked in the Information Security space for a total of seven years serving in roles ranging from Security Consultant to Information Security Director.

NTXISSACSC4 - The Art of Evading Anti-Virus

North Texas Chapter of the ISSA

Where is endpoint security headed? How do your priorities and capabilities compare to those of your peers? As the battle against breaches rages on, many enterprises are focused on revamping their endpoint security strategy – from enhancing efficacy to reducing complexity and agent bloat. A new webcast, “State of the Endpoint: The Buyer Mindset,” discusses the current state of endpoint security and offers insights from an all-star panel of thought leaders, including Internationally recognized cybersecurity leader and CrowdStrike Co-founder Dmitri Alperovitch, VP of Product Marketing Dan Larson, and other experts as they discuss today’s most important security issues. Join them as they explore the findings from a new research report, “Trends in Endpoint Security: A State of Constant Change,” a study conducted by ESG and commissioned by CrowdStrike and other technology vendors. The panel will provide their impressions of the data in the survey and how the viewpoints revealed mesh with current technology trends, offering insights that can help inform your security strategy going forward. Join this webcast to learn: -The current state of Antivirus (AV) including how many organizations are choosing to change vendors and why -Best of breed vs. comprehensive suites – which approach do your peers prefer and what are the advantages and challenges of each? -How solutions are affecting endpoints and your IT Security peers, including the increase in agents installed and the impact of increased complexity

State of Endpoint Security: The Buyers Mindset

CrowdStrike

Red, Amber, Green Status: The Human Dashboard This session will outline the importance of presenting actionable metrics for the Security Awareness program. Oftentimes security programs are presented while omitting the most constant threat to Information Systems: the human. From a security awareness perspective, we will review analytics that include key performance indicators that may already be available to you; they just need to be added to the new human dashboard. Laurianna Callaghan currently serves as a security consultant for Ana Academy, a Dallas based security training company. Previously, Laurianna worked with Dell where she was the creator of security analytics for a major healthcare customer which were presented at the 2016 IASAP conference. In addition, Laurianna has more than 21 years experience in various IT domains. She has served as the Director of Systems Engineering for a telemarketing firm, the UNIX/MVS Manager for a major airline and has IT experience in the healthcare, communications, transportation, education, retail, and other industry sectors. Laurianna holds both the CCNA Security and CISSP designations.

NTXISSACSC4 - Red, Amber, Green Status: The Human Dashboard

North Texas Chapter of the ISSA

You Have an Adversary Problem. Who's Targeting You and Why? Nation-States, Hacktivists, Industrial Spies, and Organized Criminal Groups are attacking your enterprise on a daily basis. Their goals range from espionage for technology advancement and disruption of critical infrastructure to for-profit theft of trade secrets and supporting a political agenda. You no longer have a malware problem, you have an adversary problem, and you must incorporate an intelligence-driven approach to your security strategy. During this CrowdCast, you will learn how to: Incorporate Actionable Intelligence into your existing enterprise security infrastructure Quickly understand the capabilities and artifacts of targeted attacked tradecraft Gain insight into the motivations and intentions of targeted attackers Make informed decisions based off of specific threat intelligence

CrowdCasts Monthly: You Have an Adversary Problem

CrowdStrike

CSF18 - Guarding Against the Unknown - Rafael Narezzi

NCCOMMS

Learn about the first signature-less engine to be integrated into VirusTotal. In this CrowdCast deck, CrowdStrike’s Chief Scientist Dr. Sven Krasser offers an exclusive look “under the hood” of this unique machine learning engine, revealing how it works, how it differs from all other signature-based engines integrated into VirusTotal to date, and how it fits into the larger ecosystem of techniques used by CrowdStrike Falcon to keep endpoints and environments safe. Topics will include: - What CrowdStrike Falcon machine learning is and how it works - How to interpret results of machine learning-based threat detection - How users can benefit from the CrowdStrike Falcon machine learning engine - How this cutting-edge technology fits into the CrowdStrike Falcon breach prevention platform

Battling Unknown Malware with Machine Learning

CrowdStrike

Cyberextortion

Salim Al Talie

What's hot (20)

CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...

How to Replace Your Legacy Antivirus Solution with CrowdStrike

Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting

CrowdCast Monthly: Operationalizing Intelligence

CrowdCasts Monthly: When Pandas Attack

You Can't Stop The Breach Without Prevention And Detection

CrowdCasts Monthly: Going Beyond the Indicator

"Is your browser secure? Breaking cryptography in PKI based systems, opening ...

Hacking Exposed Live: Mobile Targeted Threats

An Inside Look At The WannaCry Ransomware Outbreak

Bear Hunting: History and Attribution of Russian Intelligence Operations

"Meet Me in the Middle: Threat Indications & Warning to enable Operational Th...

What Happens Before the Kill Chain

NTXISSACSC4 - The Art of Evading Anti-Virus

State of Endpoint Security: The Buyers Mindset

NTXISSACSC4 - Red, Amber, Green Status: The Human Dashboard

CrowdCasts Monthly: You Have an Adversary Problem

CSF18 - Guarding Against the Unknown - Rafael Narezzi

Battling Unknown Malware with Machine Learning

Cyberextortion

Similar to In search of unique behaviour

Creating a quality web application is hard. It’s hard to gain customers, it’s hard to build your reputation and it’s hard to keep the costs low. Nevertheless, security is often an afterthought. However… Have you considered the cost of fixing security issues later? What about the reputational damage of a security breach? Are you worried about your customers’ data? We will talk about good security coding practices for web applications and how to apply them early on using some real world examples. We will also help you to think about your website’s vulnerabilities from the view of a hacker.

N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018

Codemotion

Adversary Driven Defense in the Real World

James Wickett

IoT Attack Surfaces -- DEFCON 2015

Daniel Miessler

In this beginner-friendly talk, we'll discuss how AI infrastructure presents novel security challenges, while also requiring many of the time-honored basics. Defense runs the gamut from protecting brand-new AI services to the simple exercise of basic hygiene. Attack employs AI-specific techniques on the one hand, and tried-and-true social engineering (of a sort) on the other. We'll cover both aspects, ultimately arming you with knowledge and tools to adopt AI infrastructure safely and predictably.

2024 Kernelcon Attack and Defense of AI.pdf

Gabriel Schuyler

Ncc hackers session 4

Jemma Davis

All These Sophisticated Attacks, Can We Really Detect Them - PDF

Michael Gough

Ethichack 2012

santhosh kumarRG

Cybercrime is rising at an alarming rate. As a Java developer you know you need to be better informed about security matters but it’s hard to know where to start. This workshop will help you understand how to improve the security of your application through a series of demonstration hacks and related hands on exercises. Serious though the topic is, this practical session will be fun and will leaving you more informed and better prepared. Start building your security memory muscle here

Java application security the hard way - a workshop for the serious developer

Steve Poole

The hardcore stuff i hack, experiences from past VAPT assignments

n|u - The Open Security Community

Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive. Key Takeaways: -Great places in the user journey to inject security tests - Ways to augment existing test approaches to cover security concerns - Typical security tools that are free, cheap, and easy for software testers

Zen and the art of Security Testing

TEST Huddle

Bypassing Windows Security Functions(en)

abend_cve_9999_0001

Disruptionware-TRustedCISO103020v0.7.pptx

Debra Baker, CISSP CSSP

Securing your Cloud Environment v2

ShapeBlue

The life of breached data and the attack lifecycle

Jarrod Overson

SF Bay Area Splunk User Group Meeting October 5, 2022

Becky Burwell

Ten security product categories you've (probably) never heard of

Adrian Sanabria

Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA

NowSecure

OWASP Top 10 - The Ten Most Critical Web Application Security Risks

All Things Open

MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET

MITRE - ATT&CKcon

Vskills certification for Cyber Security Analyst assesses the candidate as per the company’s need for cyber security and forensics. The certification tests the candidates on various areas in cybercrime, IT Act 2000, cyberoffenses, wireless devices cybercrime, phishing, keyloggers, backdoors, SQL injection, DDoS attacks, identity theft, computer and wireless forensics, cyberterrorism, social media marketing, incident handling and privacy.

cyber security analyst certification

Vskills

Similar to In search of unique behaviour (20)

N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018

Adversary Driven Defense in the Real World

IoT Attack Surfaces -- DEFCON 2015

2024 Kernelcon Attack and Defense of AI.pdf

Ncc hackers session 4

All These Sophisticated Attacks, Can We Really Detect Them - PDF

Ethichack 2012

Java application security the hard way - a workshop for the serious developer

The hardcore stuff i hack, experiences from past VAPT assignments

Zen and the art of Security Testing

Bypassing Windows Security Functions(en)

Disruptionware-TRustedCISO103020v0.7.pptx

Securing your Cloud Environment v2

The life of breached data and the attack lifecycle

SF Bay Area Splunk User Group Meeting October 5, 2022

Ten security product categories you've (probably) never heard of

Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA

OWASP Top 10 - The Ten Most Critical Web Application Security Risks

MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET

cyber security analyst certification

Recently uploaded

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

DBX First Quarter 2024 Investor Presentation

Dropbox

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

ICT role in 21st century education and its challenges

rafiqahmad00786416

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Recently uploaded (20)

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

AWS Community Day CPH - Three problems of Terraform

Automating Google Workspace (GWS) & more with Apps Script

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Ransomware_Q4_2023. The report. [EN].pdf

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

DBX First Quarter 2024 Investor Presentation

Powerful Google developer tools for immediate impact! (2023-24 C)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

MS Copilot expands with MS Graph connectors

ICT role in 21st century education and its challenges

Why Teams call analytics are critical to your entire business

A Year of the Servo Reboot: Where Are We Now?

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

presentation ICT roal in 21st century education

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

In search of unique behaviour

5. WHAT WE DO ● Malware hunting ● Reverse engineering ● Write detections

6. MALWARE HUNTING ● Hunting with yara rules in MalQuery ● Overwatch patterns in Harrier ● VT queries and other OSINT ● Finding Infection vectors ● Kill chain ● Search infections

8. OVERWATCH PATTERNS ● Very generic patterns: ○ Eg.: "net use", wmic and http ... ● Used mostly in hunting for sophisticated attacks ● A red flag is raised once 3 or more patterns are found on one host

10.

11. REVERSE ENGINEERING ● Focus on events not seen in conventional tools ○ Process injection ○ Callstack analysis ○ RPC and WMI ○ PrivEsc and Cred. Dumping ○ Exploitation techniques (DEP/ASLR bypass, HeapSpray, etc) ● Find similar samples using MalQuery

12. MALWARE EXAMPLES 1. MalDoc abuses MSIExec that drops signed Delphi malware 2. WMI abused to inject .NET binary in legit process (#Squiblytwo) 3. Excel Sheet and Steganography

13. EXAMPLE 1 MalDoc abuses MSIExec that drops Signed Delphi malware

14. EXAMPLE 1 § Word document found ITW § “Industry Standard” Social Engineering message

15. EXAMPLE 1

16. EXAMPLE 1

17. EXAMPLE 1

18. EXAMPLE 1

19. EXAMPLE 1

20. EXAMPLE 2 WMI abused to inject .NET binary in legit process #Squiblytwo „Fileless malware”

21. EXAMPLE 2

22.

23.

24.

25. EXAMPLE 3 Excel Sheet and Steganography

26. EXAMPLE 3 § Excel sheet seen ITW § Typical infection vector with Macro

27. EXAMPLE 3

28. EXAMPLE 3

29. EXAMPLE 3

30. EXAMPLE 3

31. EXAMPLE 3

32. EXAMPLE 3

33. EXAMPLE 3

34. EXAMPLE 3

35. EXAMPLE 3

36. EXAMPLE 3

37. WRITE DETECTION RULES ● Call-Stack analysis ● Process Injection ● RPC ● Process trees ● Script control ● Credential dumping ● PrivEsc ● . . .

38. LAST STEP § Created detections: § IOAs for 1st and 3rd example § Injection flags for the 2nd example

39. BUT YOU ALSO SEE THIS § Winlogon in non-standard locaion § Crazy Powershell oneliners § Legit .doc|xls|pdf.exe received on emails JUST BECAUSE YOU CAN, DOESN’T MEAN YOU SHOULD!!!

40. IS THIS MALICIOUS?

41. IS THIS MALICIOUS? § Clean document received via email § Runs a PowerShell script from a shared drive

42. IS THIS MALICIOUS? ● Add more examples

43. CLOSING REMARKS ● Productivity apps are still used as initial infection vectors ● Quirky infection techniques are seen more often (WMI included) ● We can’t just blacklist all and hope for the best ● Adversaries try to migrate to fileless malware, but still write binaries on disk

44. Q & A

In search of unique behaviour

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to In search of unique behaviour

Similar to In search of unique behaviour (20)

More from DefCamp

More from DefCamp (20)

Recently uploaded

Recently uploaded (20)

In search of unique behaviour