SlideShare ist ein Scribd-Unternehmen logo

Logging for hackers SAINTCON

Michael Gough
Michael Gough

SAINTCON LOG-MD LOG-MD.com Malware Archaeology MalwareArchaeology What you need to know to catch hackers using proper Windows logging

Technologie
1 von 61
Downloaden Sie, um offline zu lesen
Searching Logs for Hackers, what you need to know to catch them Michael Gough – Founder MalwareArchaeology.com Co-creator of MalwareArchaeology.com
Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of • Malware Management Framework • Several Windows Logging Cheat Sheets • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • @BrakeSec • @HackerHurricane and also my Blog MalwareArchaeology.com
• We discovered this in May 2012 • Met with the Feds ;-) Why you should listen to me? 2014 - We gave an infected VM to one of the Big IR Firms… They came back “Yup.. It’s clean” #Fail MalwareArchaeology.com
And because you want to catch these guys… or worse • Ben Ten (Not PowerShell) • Carlos (MetaSploit) • Dave (SET) • Kevin too (Pen Tester) MalwareArchaeology.com
Malware evolves • So must we • Darwin says so • Evolve or die • Well… Evolve or get breached anyways • Getting breached means an RGE !!! – Resume Generating Event MalwareArchaeology.com
A quick look at STATS MalwareArchaeology.com
DBIR 2016 • Why we are here… 7 Time it takes hackers to compromise you Time it takes hackers to steal your data GOAL To catch them BEFORE data loss occurs MalwareArchaeology.com
DBIR 2016 Hackers time to Compromise is getting faster Than our ability to Discover them MalwareArchaeology.com
Chasing Hashes • Malware hashes are no longer similar • Malware is morphing or created unique by design for each system OR on reboot MalwareArchaeology.com
Symantec says… MalwareArchaeology.com
SANS says… MalwareArchaeology.com
Sophos Says… • 70% of malware is unique to 1 company (APT) • 80% of malware is unique to 10 or less (APT) • That means… • 20% of malware is what the AV industry focuses on, but it is what most of you and everyone in this room sees and gets by: – Attachments in email – URL in email – Surfing the web • Ads • WordPress, Drupal, Joomla… MalwareArchaeology.com
A quick look at Advanced Malware Artifacts MalwareArchaeology.com
Winnti - Malware Infection Malware Launch Hiding malware in the Registry Modify Service MalwareArchaeology.com
Escalate permissions obvious NOT your admin Check the Service used Modify Permissions Push out malware using CMD Shell & CScript MalwareArchaeology.com
Using the Registry for storage Update Registry Change Registry Permissions Change permissions on files MalwareArchaeology.com
Bad behavior becomes obvious Doing Recon Going after Terminal Services Query Users MalwareArchaeology.com
You can even capture their Credentials Caught THEIR Credentials! MalwareArchaeology.com
Persistence • Avoided leaving key files behind like they did before, well one anyways… the persistence piece MalwareArchaeology.com
HKLMSoftwareClients • putfile • file • read 4D5A = MZ in HEX Key Size = 256k MalwareArchaeology.com
Persistence • Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe) • Altered system management binaries – McAfeeFrameworkService – BESClientHelper – Attempted a few others, some failed MalwareArchaeology.com
Persistence • BAM! Got ya – PROCMon on bootup MalwareArchaeology.com
A quick look at Commodity Malware Artifacts MalwareArchaeology.com
Angler delivered Kovter • Unique way to hide the persistence • Inserted a null byte in the name of the Run key so that RegEdit and Reg Query fail to read and display the value • And a LARGE Reg Key (anything over 20k is large) MalwareArchaeology.com
Dridex Artifacts MalwareArchaeology.com
Dridex Persistence • New method towards the end of 2015, nothing in the Registry showing persistence while system was running • In memory only until system shutdown – On shutdown the Run key was created • On startup the malware loads and Run key deleted MalwareArchaeology.com
Dridex is Baaack • 2016 variant MalwareArchaeology.com
How to Detect Malicious Behavior MalwareArchaeology.com
Take Away #1 MalwareArchaeology.com
Where to start • What am I suppose to set? “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Malware Management Framework” • Find them all here: – MalwareArchaeology.com MalwareArchaeology.com
PowerShell • It’s coming… in a BIG way - It’s already here • Ben Ten uses it (Not PowerShell) • Carlos uses it (MetaSploit) • Dave uses it (SET) • Kevin too (Pen Tester) • Dridex uses it • RansomWare uses it • And Windows default logging is TERRIBLE for it! MalwareArchaeology.com
Take Away #2 MalwareArchaeology.com
So what do we do about PowerShell? • The “Windows PowerShell Logging Cheat Sheet” • Designed to catch the folks I just mentioned, and others ;-) • Get it at: – MalwareArchaeology.com MalwareArchaeology.com
Take Away #3 MalwareArchaeology.com
How to catch this stuff Enable Command Line Logging !!!! • At the time of Winnti 2014 ONLY Win 8.1 and Win 2012 R2 had command line logging • Which we had, then we saw this in our alerts of suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib) • SIX Commands • Scripts too MalwareArchaeology.com
And this query - Splunk • index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32net.exe OR reg.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message | stats count > 2 MalwareArchaeology.com
So how do you do this? • Malware Management allowed us to setup alerts on artifacts from other malware analysis – MalwareManagementFramework.org • Of course our own experience too • Malware Discovery allowed us to find odd file hashes, command line details, registry locations • Malware Analysis gave us the details MalwareArchaeology.com
What we all need to look for • Logs of course, properly configured - Events – Command Line details – Admin tools misused – executions – New Services (retail PoS should know this) – Drivers used (.sys) • New Files dropped anywhere on disk – Hashes – Infected management binary (hash changed) • Delete on startup, write on shutdown – File & Reg Auditing • Scripts hidden in the registry – Registry Compare • Payload hidden in the registry – Large Reg Keys • Malware Communication – IP and WhoIS info • Expand PowerShell detection • VirusTotal Lookups MalwareArchaeology.com
So what did we take away from all of this? MalwareArchaeology.com
You basically have 3 options • Do nothing – Eventually leading to an RGE • Log Management / SIEM – Cost $$$ and storage – But IS the best option, better than most security solutions if you want my opinion • What if you don’t have Log Management or a SIEM? MalwareArchaeology.com
It didn’t exist So we created it! So you can do it too! MalwareArchaeology.com
Take Away #4 MalwareArchaeology.com
• Log and Malicious Discovery tool • When you run the tool, it tells you what auditing and settings to configure that it requires. LOG-MD won’t harvest anything until you configure the system! • So answers How to check for the What to set I already told you about MalwareArchaeology.com
Audit first • Audit Report of log settings compared to: – The “Windows Logging Cheat Sheet” – Center for Internet Security (CIS) Benchmarks – Also USGCB and AU ACSC • Plain text report so you can include them in your own report format MalwareArchaeology.com
Audit Settings Report MalwareArchaeology.com
Summary of Reports MalwareArchaeology.com
Purpose MalwareArchaeology.com • Malware Analysis Lab – Why we initially developed it • Investigate a suspect system • Audit the Windows - Advanced Audit Policy settings • Help MOVE or PUSH security forward • Give the IR folks what they need and the Feds too • Take a full system (File and Reg) snapshot to compare to another system and report the differences • Discover tricky malware artifacts (Large Keys, Null Byte, AutoRuns) • SPEED ! • Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc… • Replace several tools we use today with one easy to use utility that does much more • Replace several older tools and GUI tools • To answer the question: Is this system infected or clean? • And do it quickly !
Free Edition MalwareArchaeology.com • Audit your settings – Do you comply? • Harvest security relevant log data • Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations • Perform a full File Baseline of a system • Compare a suspect system to a Baseline or Dir • Perform a full Registry snapshot of a system • Compare a suspect system to a Reg Baseline • Look for Large Registry Keys for hidden payloads • 12 Reports
MalwareArchaeology.com • Everything the Free Edition does and… • 21 reports, breakdown of things to look for • Specify the Output directory • Harvest Sysmon logs • Whitelist Hash compare results • Whitelist Registry compare results • Create a Master-Digest to exclude unique files • Free updates for 1 year, expect a new release every quarter • Manual – How to use LOG-MD Professional
MalwareArchaeology.com Future Versions – In the works! • PowerShell details • WhoIs lookups of IP Addresses called • VirusTotal lookups of discovered files • Find parent-less processes • Assess all processes and create a Whitelist • Assess all services and create a Whitelist • VirusTotal lookups of unknown or new processes and services • Other API calls to security vendors
MalwareArchaeology.com NEW Feature! • WhoIs lookups of IP’s VawTrak
MalwareArchaeology.com Let’s look at some LOG-MD RESULTS
MalwareArchaeology.com Crypto Event » C:UsersBobAppDataRoamingvcwixk.exe » C:UsersBobAppDataRoamingvcwpir.exe » C:WINDOWSsystem32cmd.exe /c del C:UsersBobAppDataRoamingvcwixk.exe >> NUL » C:WindowsSystem32vssadmin.exe delete shadows /all /Quiet
MalwareArchaeology.com Malicious Word Doc DRIDEX
MalwareArchaeology.com Malicious Word Doc con’t More DRIDEX
MalwareArchaeology.com Use the power of Excel • The reports are in .CSV format • Excel has sorting and filters • Filters are AWESOME to thin out your results • You might take filtered results and add them to your whitelist once vetted • Save to .XLS and format, color code and produce your report • For .TXT files use NotePad++
MalwareArchaeology.com So what do we get? • WHAT Processes executed • WHERE it executed from • IP’s to enter into Log Management to see WHO else opened the malware • Details needed to remediate infection • Details to improve your Active Defense! • I did this in… 15 Minutes!
So what do we get? MalwareArchaeology.com • WHAT Processes executed • WHERE it executed from • IP’s to enter into Log Management to see WHO else opened the malware • Details needed to remediate infection • Details to improve your Active Defense! • I did this in… 15 Minutes!
Resources MalwareArchaeology.com • Websites – Log-MD.com The tool • The “Windows Logging Cheat Sheet” – MalwareArchaeology.com • Malware Analysis Report links too – To start your Malware Management program • This presentation is on SlideShare and website – Search for MalwareArchaeology or LOG-MD
Malware Archaeology
Questions? MalwareArchaeology.com You can find us at: • Log-MD.com • @HackerHurricane • @Boettcherpwned • MalwareArchaeology.com • HackerHurricane.com (blog) • MalwareManagementFramework.Org • http://www.slideshare.net – LinkedIn now

Empfohlen

RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackers
Michael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
Michael Gough
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
Michael Gough
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
Michael Gough
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
Michael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
Michael Gough
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
Michael Gough
 

Empfohlen

RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackers
Michael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
Michael Gough
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
Michael Gough
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
Michael Gough
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
Michael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
Michael Gough
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
Michael Gough
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
Michael Gough
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
Michael Gough
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
Michael Gough
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0
Michael Gough
 
Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014
Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
Michael Gough
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0
Michael Gough
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
Michael Gough
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
Michael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
Michael Gough
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thief
Michael Gough
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
Michael Gough
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
Michael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
Michael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
Michael Gough
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
Michael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
Michael Gough
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
Michael Gough
 

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0
 
Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thief
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
 

Andere mochten auch

WHITE PAPER▶ The Evolution of Ransomware
WHITE PAPER▶ The Evolution of RansomwareWHITE PAPER▶ The Evolution of Ransomware
WHITE PAPER▶ The Evolution of Ransomware
Symantec
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
Atif Ghauri
 

Andere mochten auch (12)

Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
 
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
 
Où sont mes données ? | Résowest
Où sont mes données ? | RésowestOù sont mes données ? | Résowest
Où sont mes données ? | Résowest
 
Risque cyber
Risque cyberRisque cyber
Risque cyber
 
Comment se protéger contre les menaces de CTB Locker (ransomware)?
Comment se protéger contre les menaces de CTB Locker (ransomware)?Comment se protéger contre les menaces de CTB Locker (ransomware)?
Comment se protéger contre les menaces de CTB Locker (ransomware)?
 
WHITE PAPER▶ The Evolution of Ransomware
WHITE PAPER▶ The Evolution of RansomwareWHITE PAPER▶ The Evolution of Ransomware
WHITE PAPER▶ The Evolution of Ransomware
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 
Ransomware
Ransomware Ransomware
Ransomware
 
Ransomware
RansomwareRansomware
Ransomware
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?
 

Ähnlich wie Logging for hackers SAINTCON

BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 

Ähnlich wie Logging for hackers SAINTCON (19)

When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Let's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionLet's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and Detection
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
Ch0 1
Ch0 1Ch0 1
Ch0 1
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
 
Ranger BSides-FINAL
Ranger BSides-FINALRanger BSides-FINAL
Ranger BSides-FINAL
 
CONFidence 2017: Hiding in plain sight (Adam Burt)
CONFidence 2017: Hiding in plain sight (Adam Burt)CONFidence 2017: Hiding in plain sight (Adam Burt)
CONFidence 2017: Hiding in plain sight (Adam Burt)
 
DEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionDEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And Attribution
 

Kürzlich hochgeladen

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 

Kürzlich hochgeladen (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Logging for hackers SAINTCON

  • 1. Searching Logs for Hackers, what you need to know to catch them Michael Gough – Founder MalwareArchaeology.com Co-creator of MalwareArchaeology.com
  • 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of • Malware Management Framework • Several Windows Logging Cheat Sheets • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • @BrakeSec • @HackerHurricane and also my Blog MalwareArchaeology.com
  • 3. • We discovered this in May 2012 • Met with the Feds ;-) Why you should listen to me? 2014 - We gave an infected VM to one of the Big IR Firms… They came back “Yup.. It’s clean” #Fail MalwareArchaeology.com
  • 4. And because you want to catch these guys… or worse • Ben Ten (Not PowerShell) • Carlos (MetaSploit) • Dave (SET) • Kevin too (Pen Tester) MalwareArchaeology.com
  • 5. Malware evolves • So must we • Darwin says so • Evolve or die • Well… Evolve or get breached anyways • Getting breached means an RGE !!! – Resume Generating Event MalwareArchaeology.com
  • 6. A quick look at STATS MalwareArchaeology.com
  • 7. DBIR 2016 • Why we are here… 7 Time it takes hackers to compromise you Time it takes hackers to steal your data GOAL To catch them BEFORE data loss occurs MalwareArchaeology.com
  • 8. DBIR 2016 Hackers time to Compromise is getting faster Than our ability to Discover them MalwareArchaeology.com
  • 9. Chasing Hashes • Malware hashes are no longer similar • Malware is morphing or created unique by design for each system OR on reboot MalwareArchaeology.com
  • 12. Sophos Says… • 70% of malware is unique to 1 company (APT) • 80% of malware is unique to 10 or less (APT) • That means… • 20% of malware is what the AV industry focuses on, but it is what most of you and everyone in this room sees and gets by: – Attachments in email – URL in email – Surfing the web • Ads • WordPress, Drupal, Joomla… MalwareArchaeology.com
  • 13. A quick look at Advanced Malware Artifacts MalwareArchaeology.com
  • 14. Winnti - Malware Infection Malware Launch Hiding malware in the Registry Modify Service MalwareArchaeology.com
  • 15. Escalate permissions obvious NOT your admin Check the Service used Modify Permissions Push out malware using CMD Shell & CScript MalwareArchaeology.com
  • 16. Using the Registry for storage Update Registry Change Registry Permissions Change permissions on files MalwareArchaeology.com
  • 17. Bad behavior becomes obvious Doing Recon Going after Terminal Services Query Users MalwareArchaeology.com
  • 18. You can even capture their Credentials Caught THEIR Credentials! MalwareArchaeology.com
  • 19. Persistence • Avoided leaving key files behind like they did before, well one anyways… the persistence piece MalwareArchaeology.com
  • 20. HKLMSoftwareClients • putfile • file • read 4D5A = MZ in HEX Key Size = 256k MalwareArchaeology.com
  • 21. Persistence • Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe) • Altered system management binaries – McAfeeFrameworkService – BESClientHelper – Attempted a few others, some failed MalwareArchaeology.com
  • 22. Persistence • BAM! Got ya – PROCMon on bootup MalwareArchaeology.com
  • 23. A quick look at Commodity Malware Artifacts MalwareArchaeology.com
  • 24. Angler delivered Kovter • Unique way to hide the persistence • Inserted a null byte in the name of the Run key so that RegEdit and Reg Query fail to read and display the value • And a LARGE Reg Key (anything over 20k is large) MalwareArchaeology.com
  • 26. Dridex Persistence • New method towards the end of 2015, nothing in the Registry showing persistence while system was running • In memory only until system shutdown – On shutdown the Run key was created • On startup the malware loads and Run key deleted MalwareArchaeology.com
  • 27. Dridex is Baaack • 2016 variant MalwareArchaeology.com
  • 28. How to Detect Malicious Behavior MalwareArchaeology.com
  • 30. Where to start • What am I suppose to set? “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Malware Management Framework” • Find them all here: – MalwareArchaeology.com MalwareArchaeology.com
  • 31. PowerShell • It’s coming… in a BIG way - It’s already here • Ben Ten uses it (Not PowerShell) • Carlos uses it (MetaSploit) • Dave uses it (SET) • Kevin too (Pen Tester) • Dridex uses it • RansomWare uses it • And Windows default logging is TERRIBLE for it! MalwareArchaeology.com
  • 33. So what do we do about PowerShell? • The “Windows PowerShell Logging Cheat Sheet” • Designed to catch the folks I just mentioned, and others ;-) • Get it at: – MalwareArchaeology.com MalwareArchaeology.com
  • 35. How to catch this stuff Enable Command Line Logging !!!! • At the time of Winnti 2014 ONLY Win 8.1 and Win 2012 R2 had command line logging • Which we had, then we saw this in our alerts of suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib) • SIX Commands • Scripts too MalwareArchaeology.com
  • 36. And this query - Splunk • index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32net.exe OR reg.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message | stats count > 2 MalwareArchaeology.com
  • 37. So how do you do this? • Malware Management allowed us to setup alerts on artifacts from other malware analysis – MalwareManagementFramework.org • Of course our own experience too • Malware Discovery allowed us to find odd file hashes, command line details, registry locations • Malware Analysis gave us the details MalwareArchaeology.com
  • 38. What we all need to look for • Logs of course, properly configured - Events – Command Line details – Admin tools misused – executions – New Services (retail PoS should know this) – Drivers used (.sys) • New Files dropped anywhere on disk – Hashes – Infected management binary (hash changed) • Delete on startup, write on shutdown – File & Reg Auditing • Scripts hidden in the registry – Registry Compare • Payload hidden in the registry – Large Reg Keys • Malware Communication – IP and WhoIS info • Expand PowerShell detection • VirusTotal Lookups MalwareArchaeology.com
  • 39. So what did we take away from all of this? MalwareArchaeology.com
  • 40. You basically have 3 options • Do nothing – Eventually leading to an RGE • Log Management / SIEM – Cost $$$ and storage – But IS the best option, better than most security solutions if you want my opinion • What if you don’t have Log Management or a SIEM? MalwareArchaeology.com
  • 41. It didn’t exist So we created it! So you can do it too! MalwareArchaeology.com
  • 43. • Log and Malicious Discovery tool • When you run the tool, it tells you what auditing and settings to configure that it requires. LOG-MD won’t harvest anything until you configure the system! • So answers How to check for the What to set I already told you about MalwareArchaeology.com
  • 44. Audit first • Audit Report of log settings compared to: – The “Windows Logging Cheat Sheet” – Center for Internet Security (CIS) Benchmarks – Also USGCB and AU ACSC • Plain text report so you can include them in your own report format MalwareArchaeology.com
  • 47. Purpose MalwareArchaeology.com • Malware Analysis Lab – Why we initially developed it • Investigate a suspect system • Audit the Windows - Advanced Audit Policy settings • Help MOVE or PUSH security forward • Give the IR folks what they need and the Feds too • Take a full system (File and Reg) snapshot to compare to another system and report the differences • Discover tricky malware artifacts (Large Keys, Null Byte, AutoRuns) • SPEED ! • Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc… • Replace several tools we use today with one easy to use utility that does much more • Replace several older tools and GUI tools • To answer the question: Is this system infected or clean? • And do it quickly !
  • 48. Free Edition MalwareArchaeology.com • Audit your settings – Do you comply? • Harvest security relevant log data • Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations • Perform a full File Baseline of a system • Compare a suspect system to a Baseline or Dir • Perform a full Registry snapshot of a system • Compare a suspect system to a Reg Baseline • Look for Large Registry Keys for hidden payloads • 12 Reports
  • 49. MalwareArchaeology.com • Everything the Free Edition does and… • 21 reports, breakdown of things to look for • Specify the Output directory • Harvest Sysmon logs • Whitelist Hash compare results • Whitelist Registry compare results • Create a Master-Digest to exclude unique files • Free updates for 1 year, expect a new release every quarter • Manual – How to use LOG-MD Professional
  • 50. MalwareArchaeology.com Future Versions – In the works! • PowerShell details • WhoIs lookups of IP Addresses called • VirusTotal lookups of discovered files • Find parent-less processes • Assess all processes and create a Whitelist • Assess all services and create a Whitelist • VirusTotal lookups of unknown or new processes and services • Other API calls to security vendors
  • 53. MalwareArchaeology.com Crypto Event » C:UsersBobAppDataRoamingvcwixk.exe » C:UsersBobAppDataRoamingvcwpir.exe » C:WINDOWSsystem32cmd.exe /c del C:UsersBobAppDataRoamingvcwixk.exe >> NUL » C:WindowsSystem32vssadmin.exe delete shadows /all /Quiet
  • 56. MalwareArchaeology.com Use the power of Excel • The reports are in .CSV format • Excel has sorting and filters • Filters are AWESOME to thin out your results • You might take filtered results and add them to your whitelist once vetted • Save to .XLS and format, color code and produce your report • For .TXT files use NotePad++
  • 57. MalwareArchaeology.com So what do we get? • WHAT Processes executed • WHERE it executed from • IP’s to enter into Log Management to see WHO else opened the malware • Details needed to remediate infection • Details to improve your Active Defense! • I did this in… 15 Minutes!
  • 58. So what do we get? MalwareArchaeology.com • WHAT Processes executed • WHERE it executed from • IP’s to enter into Log Management to see WHO else opened the malware • Details needed to remediate infection • Details to improve your Active Defense! • I did this in… 15 Minutes!
  • 59. Resources MalwareArchaeology.com • Websites – Log-MD.com The tool • The “Windows Logging Cheat Sheet” – MalwareArchaeology.com • Malware Analysis Report links too – To start your Malware Management program • This presentation is on SlideShare and website – Search for MalwareArchaeology or LOG-MD
  • 61. Questions? MalwareArchaeology.com You can find us at: • Log-MD.com • @HackerHurricane • @Boettcherpwned • MalwareArchaeology.com • HackerHurricane.com (blog) • MalwareManagementFramework.Org • http://www.slideshare.net – LinkedIn now