1. Searching Logs for Hackers, what
you need to know to catch them
Michael Gough – Founder
MalwareArchaeology.com
Co-creator of
MalwareArchaeology.com
2. Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where,
When and hopefully How
Creator of
• Malware Management Framework
• Several Windows Logging Cheat Sheets
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @BrakeSec
• @HackerHurricane and also my Blog
MalwareArchaeology.com
3. • We discovered this in
May 2012
• Met with the Feds ;-)
Why you should listen to me?
2014 - We gave an infected VM to one of the Big
IR Firms… They came back “Yup.. It’s clean” #Fail
MalwareArchaeology.com
4. And because you want to catch
these guys… or worse
• Ben Ten (Not PowerShell)
• Carlos (MetaSploit)
• Dave (SET)
• Kevin too (Pen Tester)
MalwareArchaeology.com
5. Malware evolves
• So must we
• Darwin says so
• Evolve or die
• Well… Evolve or get breached anyways
• Getting breached means an RGE !!!
– Resume Generating Event
MalwareArchaeology.com
7. DBIR 2016
• Why we are here…
7
Time it takes hackers to
compromise you
Time it takes hackers to
steal your data
GOAL To catch them BEFORE data loss occurs
MalwareArchaeology.com
8. DBIR 2016
Hackers time to
Compromise is getting
faster
Than our ability to
Discover them
MalwareArchaeology.com
9. Chasing Hashes
• Malware hashes are no
longer similar
• Malware is morphing or
created unique by design for
each system OR on reboot
MalwareArchaeology.com
12. Sophos Says…
• 70% of malware is unique to 1 company (APT)
• 80% of malware is unique to 10 or less (APT)
• That means…
• 20% of malware is what the AV industry focuses
on, but it is what most of you and everyone in
this room sees and gets by:
– Attachments in email
– URL in email
– Surfing the web
• Ads
• WordPress, Drupal, Joomla…
MalwareArchaeology.com
13. A quick look at
Advanced Malware
Artifacts
MalwareArchaeology.com
14. Winnti - Malware Infection
Malware Launch
Hiding malware
in the Registry
Modify Service
MalwareArchaeology.com
15. Escalate permissions obvious NOT
your admin
Check the Service used
Modify
Permissions
Push out malware using CMD Shell & CScript
MalwareArchaeology.com
16. Using the Registry for storage
Update Registry
Change Registry Permissions
Change permissions on files
MalwareArchaeology.com
17. Bad behavior becomes obvious
Doing Recon
Going after Terminal Services
Query Users
MalwareArchaeology.com
18. You can even capture their
Credentials
Caught THEIR
Credentials!
MalwareArchaeology.com
19. Persistence
• Avoided leaving key files behind like they did
before, well one anyways… the persistence
piece
MalwareArchaeology.com
21. Persistence
• Infector… One for the DLL (infect.exe) and
one for the Driver (InfectSys.exe)
• Altered system management binaries
– McAfeeFrameworkService
– BESClientHelper
– Attempted a few others, some failed
MalwareArchaeology.com
23. A quick look at
Commodity Malware
Artifacts
MalwareArchaeology.com
24. Angler delivered Kovter
• Unique way to hide the persistence
• Inserted a null byte in the name of the Run
key so that RegEdit and Reg Query fail to read
and display the value
• And a LARGE Reg Key (anything over 20k is large)
MalwareArchaeology.com
26. Dridex Persistence
• New method towards the end of 2015, nothing in the Registry
showing persistence while system was running
• In memory only until system shutdown
– On shutdown the Run key was created
• On startup the malware loads and Run key deleted
MalwareArchaeology.com
30. Where to start
• What am I suppose to set?
“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Malware Management Framework”
• Find them all here:
– MalwareArchaeology.com
MalwareArchaeology.com
31. PowerShell
• It’s coming… in a BIG way - It’s already here
• Ben Ten uses it (Not PowerShell)
• Carlos uses it (MetaSploit)
• Dave uses it (SET)
• Kevin too (Pen Tester)
• Dridex uses it
• RansomWare uses it
• And Windows default logging is TERRIBLE for it!
MalwareArchaeology.com
33. So what do we do about
PowerShell?
• The “Windows PowerShell Logging Cheat Sheet”
• Designed to catch the folks I just mentioned, and others ;-)
• Get it at:
– MalwareArchaeology.com
MalwareArchaeology.com
35. How to catch this stuff
Enable Command Line Logging !!!!
• At the time of Winnti 2014 ONLY Win 8.1 and Win
2012 R2 had command line logging
• Which we had, then we saw this in our alerts of
suspicious commands (Cscript & cmd.exe & cacls &
net & takeown & pushd & attrib)
• SIX Commands
• Scripts too
MalwareArchaeology.com
36. And this query - Splunk
• index=windows LogName=Security EventCode=4688 NOT
(Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR
chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR
ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR
netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe
OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR
psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR
rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe
OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR
systeminfo.exe OR system32net.exe OR reg.exe OR tasklist.exe OR
tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe
OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR
wusa.exe) | eval Message=split(Message,".") | eval
Short_Message=mvindex(Message,0) | table _time, host, Account_Name,
Process_Name, Process_ID, Process_Command_Line,
New_Process_Name, New_Process_ID, Creator_Process_ID,
Short_Message | stats count > 2
MalwareArchaeology.com
37. So how do you do this?
• Malware Management allowed us to setup
alerts on artifacts from other malware analysis
– MalwareManagementFramework.org
• Of course our own experience too
• Malware Discovery allowed us to find odd file
hashes, command line details, registry locations
• Malware Analysis gave us the details
MalwareArchaeology.com
38. What we all need to look for
• Logs of course, properly configured - Events
– Command Line details
– Admin tools misused – executions
– New Services (retail PoS should know this)
– Drivers used (.sys)
• New Files dropped anywhere on disk – Hashes
– Infected management binary (hash changed)
• Delete on startup, write on shutdown – File & Reg Auditing
• Scripts hidden in the registry – Registry Compare
• Payload hidden in the registry – Large Reg Keys
• Malware Communication – IP and WhoIS info
• Expand PowerShell detection
• VirusTotal Lookups
MalwareArchaeology.com
39. So what did we
take away
from all of this?
MalwareArchaeology.com
40. You basically have 3 options
• Do nothing – Eventually leading to an RGE
• Log Management / SIEM
– Cost $$$ and storage
– But IS the best option, better than most security
solutions if you want my opinion
• What if you don’t have Log Management or a
SIEM?
MalwareArchaeology.com
41. It didn’t exist
So we created it!
So you can do it too!
MalwareArchaeology.com
43. • Log and Malicious Discovery tool
• When you run the tool, it tells you what
auditing and settings to configure that it
requires. LOG-MD won’t harvest anything
until you configure the system!
• So answers How to check for the What to set I
already told you about
MalwareArchaeology.com
44. Audit first
• Audit Report of log settings compared to:
– The “Windows Logging Cheat Sheet”
– Center for Internet Security (CIS) Benchmarks
– Also USGCB and AU ACSC
• Plain text report so you can include them in
your own report format
MalwareArchaeology.com
47. Purpose
MalwareArchaeology.com
• Malware Analysis Lab – Why we initially developed it
• Investigate a suspect system
• Audit the Windows - Advanced Audit Policy settings
• Help MOVE or PUSH security forward
• Give the IR folks what they need and the Feds too
• Take a full system (File and Reg) snapshot to compare to another
system and report the differences
• Discover tricky malware artifacts (Large Keys, Null Byte, AutoRuns)
• SPEED !
• Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…
• Replace several tools we use today with one easy to use utility that
does much more
• Replace several older tools and GUI tools
• To answer the question: Is this system infected or clean?
• And do it quickly !
48. Free Edition
MalwareArchaeology.com
• Audit your settings – Do you comply?
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process and
File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden payloads
• 12 Reports
49. MalwareArchaeology.com
• Everything the Free Edition does and…
• 21 reports, breakdown of things to look for
• Specify the Output directory
• Harvest Sysmon logs
• Whitelist Hash compare results
• Whitelist Registry compare results
• Create a Master-Digest to exclude unique files
• Free updates for 1 year, expect a new release
every quarter
• Manual – How to use LOG-MD Professional
50. MalwareArchaeology.com
Future Versions – In the works!
• PowerShell details
• WhoIs lookups of IP Addresses called
• VirusTotal lookups of discovered files
• Find parent-less processes
• Assess all processes and create a Whitelist
• Assess all services and create a Whitelist
• VirusTotal lookups of unknown or new processes and
services
• Other API calls to security vendors
56. MalwareArchaeology.com
Use the power of Excel
• The reports are in .CSV format
• Excel has sorting and filters
• Filters are AWESOME to thin out your results
• You might take filtered results and add them
to your whitelist once vetted
• Save to .XLS and format, color code and
produce your report
• For .TXT files use NotePad++
57. MalwareArchaeology.com
So what do we get?
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see
WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in…
15 Minutes!
58. So what do we get?
MalwareArchaeology.com
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see
WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in…
15 Minutes!
59. Resources
MalwareArchaeology.com
• Websites
– Log-MD.com The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
• This presentation is on SlideShare and website
– Search for MalwareArchaeology or LOG-MD