Cybersecurity Researcher at GoSecure...May 19, 2016 · Registry - Modifies the Windows Registry...
Cybersecurity Researcher at GoSecure. Previously:
- Malware Researcher at ESET
- Infosec lecturer at ETS University in Montreal
- Infosec developer, network admin, Linux system admin
- Co-founder of Montrehack (hands-on security workshops)
- VP Training and Hacker Jeopardy at NorthSec

Computer engineering student @PolyMTL. Director @PolyHack. Co-chapter leader (Audio, Recording and Streaming) @OWASP Montreal. Member of Jose Fernandez's SecSI lab @PolyMTL. Vulnerability Research Intern @Wurldtech. Former Intern @ESET.
Why? What? Where? Say whaat!?
@obilodeau @hugospns
Vanilla XP VMs (or more recent versions). No trace of a previous user. Manual customization:
- can lead to cross-infected VMs
- can't build or reuse templates
- also time consuming

Not accessible to newcomers. Easy to mess things up. Teamwork is hard (tools don't encourage it). Building a credible environment is time consuming.
Malware is doing analysis detection. Anti-VM checks like redpill (the sidt/sldt instruction trick):
not reliable on multicore systems or when acceleration is deactivated.
Anti-debugging: debugger plugins.
System fingerprinting: what is really available?
One chance to get noticed as interesting, or else it's too late. Your IP could be banned.
Has to be credible.
Why would the devops people have all the fun?
Core principle: Infrastructure as code. Reproducible. Throw-away. Efficient.
Reusing existing devops tools:
- packer: machine image builder
- vagrant: configure reproducible operating environments
- WinRM: Windows Remote Management
2 years ago this wasn't possible. Borrowed some configs from Mark Andrew Dwyer's packer-malware.
Chocolatey. Hashicorp tools and community.
Tools automatically installed based on profiles: all Sysinternals tools, windbg, putty, fiddler, wireshark.
Malware behaves differently in different contexts. You know the target of the APT you are tracking and you want to fool them, in as little time as possible.
Manual recon lists:
- last opened files
- directories
- what's on the Desktop
- system info (useful for: user, install date, hardware info)
UNC/shared drives fingerprinting. Active Directory fingerprinting.
Left as an exercise to the reader.
git clone https://github.com/GoSecure/malboxes.git
You use malboxes.py to build a profile. Then it builds a vagrant box for you. And you spin a Vagrantfile for each of your analyses.
- Registry - Modifies the Windows Registry (add, modify, delete)
- Document - Add or delete a file
- Directory - Add or delete a directory
- Package - Adds a Chocolatey package to install
- Build - Build the VirtualBox image
- Spin - Create a Vagrantfile for your analysis case
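The build/spin idea above, rendered as infrastructure as code in an added example that is not malboxes' own code: a small profile listing registry, document, directory and package changes is turned into a PowerShell provisioning script and a Vagrantfile that reaches the Windows guest over WinRM, so each analysis case is a reproducible, throw-away box. The profile format, the box name, the file paths and the registry keys are all assumptions made for illustration; the page does not show malboxes' real profile layout.

```python
"""Render an assumed malboxes-style profile into a Vagrantfile plus a
PowerShell provisioning script (illustrative code, not the malboxes project's).
"""
import json

# Per-subcommand actions as listed on the slide: registry add/modify/delete,
# document add/delete, directory add/delete, package add.
ALLOWED = {
    "registry": {"add", "modify", "delete"},
    "document": {"add", "delete"},
    "directory": {"add", "delete"},
    "package": {"add"},
}

# Constructed sample profile in an assumed JSON layout.
SAMPLE_PROFILE = json.dumps({
    "name": "apt-finance-case42",
    "base_box": "win7_64_analyst",            # assumed box name
    "registry": [
        {"action": "add", "key": r"HKCU\Software\Contoso",
         "value": "InstallDate", "type": "REG_SZ", "data": "2014-03-11"},
        {"action": "delete", "key": r"HKCU\Software\ExampleVendor\Trial"},
    ],
    "document": [
        {"action": "add", "path": r"C:\Users\analyst\Desktop\Q3-budget.xlsx",
         "content": "placeholder honeydoc"},
    ],
    "directory": [
        {"action": "add", "path": r"C:\Users\analyst\Documents\Projects"},
    ],
    "package": [
        {"action": "add", "name": "sysinternals"},
        {"action": "add", "name": "wireshark"},
    ],
})


def ps_quote(s):
    """Single-quote a value for PowerShell, doubling embedded quotes."""
    return "'" + s.replace("'", "''") + "'"


def render_step(kind, entry):
    """Translate one profile entry into a PowerShell line; reject bad actions."""
    action = entry.get("action")
    if action not in ALLOWED[kind]:
        raise ValueError(f"{kind}: unsupported action {action!r}")
    if kind == "registry":
        if action == "delete":
            return f"reg delete {ps_quote(entry['key'])} /f"
        # 'add' and 'modify' both become 'reg add ... /f', which overwrites.
        return (f"reg add {ps_quote(entry['key'])} /v {ps_quote(entry['value'])} "
                f"/t {entry['type']} /d {ps_quote(entry['data'])} /f")
    if kind == "document":
        if action == "delete":
            return f"Remove-Item -Force {ps_quote(entry['path'])}"
        return (f"Set-Content -Path {ps_quote(entry['path'])} "
                f"-Value {ps_quote(entry['content'])}")
    if kind == "directory":
        if action == "delete":
            return f"Remove-Item -Recurse -Force {ps_quote(entry['path'])}"
        return (f"New-Item -ItemType Directory -Force "
                f"-Path {ps_quote(entry['path'])} | Out-Null")
    return f"choco install {entry['name']} -y"


def render_provision_script(profile):
    """Packages first (tools), then directories, documents, registry."""
    lines = ["$ErrorActionPreference = 'Stop'"]
    for kind in ("package", "directory", "document", "registry"):
        for entry in profile.get(kind, []):
            lines.append(render_step(kind, entry))
    return "\n".join(lines) + "\n"


def render_vagrantfile(profile, script_name="provision.ps1"):
    """Minimal Vagrantfile: Windows guest driven over WinRM, one provisioner."""
    return (
        'Vagrant.configure("2") do |config|\n'
        f'  config.vm.box = "{profile["base_box"]}"\n'
        "  config.vm.guest = :windows\n"
        '  config.vm.communicator = "winrm"\n'
        f'  config.vm.define "{profile["name"]}"\n'
        f'  config.vm.provision "shell", path: "{script_name}"\n'
        "end\n"
    )


def build(profile_json):
    """Entry point: JSON profile text -> (Vagrantfile text, provision.ps1 text)."""
    profile = json.loads(profile_json)
    return render_vagrantfile(profile), render_provision_script(profile)


if __name__ == "__main__":
    vagrantfile, script = build(SAMPLE_PROFILE)
    print(vagrantfile)
    print(script)
```

Validation happens before anything is written: an entry whose action the corresponding subcommand does not support (for example a package "delete") raises instead of producing a half-rendered script, so a broken profile never reaches the guest.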
Reduce art, augment science. Get new people into malware analysis. Improve the workflow of seasoned analysts/teams.
Future work:
- Implement anti VM-detection tricks
- Higher level constructs to build interesting targets
- Active Directory integration
- Generate random honeydocs based on a theme
- Document a proper team workflow
It's all in TODO.adoc. Join the fun!
Thanks: Joan Calvet for tips and help; Marc-Etienne M. Leveille for suggestions and the link to Olivier; Jurriaan Bremer for help with VMCloak; Jose Fernandez and the lab team for tips and sponsorship; Jessy Campos for pushing me; my family, friends and girlfriend for support.
@obilodeau @hugospns