Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry...

40

Transcript of Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry...

Page 1: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 2: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

CybersecurityResearcheratGoSecurePreviously

MalwareResearcheratESETInfoseclectureratETSUniversityinMontrealInfosecdeveloper,networkadmin,linuxsystemadmin

Co-founderMontrehack(hands-onsecurityworkshops)VPTrainingandHackerJeopardyatNorthSec

Page 3: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

Computerengineeringstudent@PolyMTLDirector@PolyHackCo-chapterleader(Audio,RecordingandStreaming)@OWASPMontrealMemberofJoseFernandez’sSecSIlab@PolyMTLVulnerabilityResearchIntern@WurldtechFormerIntern@ESET

Page 4: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

Why?What?Where?Saywhaat!?

Page 5: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

Ourdemo

https://asciinema.org/a/4qnqka18av0uvikiqrbpf1jbx?speed=4
Page 6: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

@obilodeau@hugospns

Page 7: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 8: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 9: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

VanillaXPVMs(ormorerecentversions)NotraceofaprevioususerManualcustomizationCanleadtocross-infectedVMsCan’tbuildorreusetemplatesAlsotimeconsuming

Page 10: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 11: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

NotaccessibletonewcomersEasytomessthingsupTeamworkishard(toolsdon’tencourageit)Buildingacredibleenvironmentistimeconsuming

Page 12: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 13: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 14: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

MalwareisdoinganalysisdetectionAnti-VMslikeredpill,sldtinstruction

Notreliableonmulticoresystemsorwhenaccelerationisdeactivated.

Page 15: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

Anti-debuggingDebuggerplugins

SystemfingerprintingWhatisreallyavailable?

Page 16: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

OnechancetogetnoticedasinterestingorelseitstoolateYourIPcouldbebanned

Hastobecredible

Page 17: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 18: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

Whywouldthedevopspeoplehaveallthefun?

Page 19: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

Coreprinciple:InfrastructureascodeReproducibleThrow-awayEfficient

Page 20: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 21: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

Reusingexistingdevopstoolspacker:machineimagebuildervagrant:configurereproducibleoperatingenvironmentsWinRM:WindowsRemoteManagement

Page 22: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

2yearsagothiswasn’tpossibleBorrowedsomeconfigsfromMarkAndrewDwyer’s

ChocolateyHashicorptoolsandcommunity

packer-malware

https://github.com/m-dwyer/packer-malware
Page 23: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

Toolsautomaticallyinstalledbasedonprofilesallsysinternaltoolswindbgputtyfiddlerwireshark

Page 24: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 25: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

MalwarebehavesdifferentlyindifferentcontextsYouknowthetargetoftheAPTyouaretrackingandyouwanttofoolthemInaslittletimeaspossible

Page 26: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 27: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

ManualreconLists:

LastopenedfilesDirectoriesWhat’sontheDesktopSysteminfo

Usefulfor:User,installdate,hardwareinfo

Page 28: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

UNC/ShareddrivesfingerprintingActiveDirectoryfingerprinting

Page 29: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

Leftasanexercisetothereader

Page 30: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 31: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

gitclonehttps://github.com/GoSecure/malboxes.git

Page 32: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

Youusemalboxes.pytobuildaprofileThenitbuildsavagrantboxforyouAndyouspinaVagrantfileforeachofyouranalysis

Page 33: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

Registry-ModifiestheWindowsRegistry(add,modify,delete)Document-AddordeleteafileDirectory-AddordeleteadirectoryPackage-AddsaChocolateypackagetoinstallBuild-BuildthevirtualboximageSpin-CreateaVagrantfileforyouranalysiscase

Page 34: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 35: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

Reduceart,augmentscienceGetnewpeopleintomalwareanalysisImproveworkflowofseasonedanalyst/teams

Page 36: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 37: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

ImplementantiVM-detectiontricksHigherlevelconstructstobuildinterestingtargets

ActiveDirectoryintegrationGeneraterandomhoneydocsbasedonatheme

DocumentaproperteamworkflowIt’sallinTODO.adocJointhefun!

Page 38: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete
Page 39: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

JoanCalvetfortipsandhelpMarc-EtienneM.LeveilleforsuggestionsandlinktoOlivierJurriaanBremerforhelpwithVMCloakJoseFernandezandthelabteamfortipsandsponsorshipJessyCamposforpushingmeMyfamily,friendsandgirlfriendforsupport

Page 40: Cybersecurity Researcher at GoSecure...May 19, 2016  · Registry - Modifies the Windows Registry (add, modify, delete) Document - Add or delete a file Directory - Add or delete

@obilodeau@hugospns


Add Rename Delete

Add Rename Delete

Tutorial CT02 EN - ONFrdinnovation.onf.fr/.../2370/Tutorial_CT02_EN_3dview.pdf · - It is possible to add a color: «Add a color» - It is possible to delete a color: "Delete the

Tutorial CT02 EN - ONFrdinnovation.onf.fr/.../2370/Tutorial_CT02_EN_3dview.pdf · - It is possible to add a color: «Add a color» - It is possible to delete a color: "Delete the

Family tree – edit, add or delete (1)

Family tree – edit, add or delete (1)

Building/Contents/Portable - Add/Update/Delete Form€¦ · Building/Contents/Portable - Add/Update/Delete Form PLEASE COMPLETE FOR (EACH) BUILDING, CONTENTS, PORTABLE . Building

Building/Contents/Portable - Add/Update/Delete Form€¦ · Building/Contents/Portable - Add/Update/Delete Form PLEASE COMPLETE FOR (EACH) BUILDING, CONTENTS, PORTABLE . Building

African Top Level Registry...Policy XML PolicyExec.fieldConstraintsValidation()

African Top Level Registry...Policy XML PolicyExec.fieldConstraintsValidation()

Global Add, Delete, & Change Guide · chapter 2 What Is In This Guide? In the Global Add, Delete, & Change Guide, you learn about the global functionality available in The Raiser’s

Global Add, Delete, & Change Guide · chapter 2 What Is In This Guide? In the Global Add, Delete, & Change Guide, you learn about the global functionality available in The Raiser’s

BOKA EDUARD ZORANcan add effects to the objects (Effect), or add a Script to objects you inserted. Also you can add frames, delete frames, insert seconds and delete seconds from the

BOKA EDUARD ZORANcan add effects to the objects (Effect), or add a Script to objects you inserted. Also you can add frames, delete frames, insert seconds and delete seconds from the

DGS Merge Workform · Web viewSave & Exit. to retain the data and exit the Add Item screen. Select . Cancel. to terminate the add process. Delete Document Item. Delete is used to

DGS Merge Workform · Web viewSave & Exit. to retain the data and exit the Add Item screen. Select . Cancel. to terminate the add process. Delete Document Item. Delete is used to

Learning Objectivesc.ymcdn.com/sites/ · Web viewManual edits: Add Line, Delete Line, Swap Edge, Add Point, Delete Point, Modify Point, Move Point. Surface Smoothing This is meant

Learning Objectivesc.ymcdn.com/sites/ · Web viewManual edits: Add Line, Delete Line, Swap Edge, Add Point, Delete Point, Modify Point, Move Point. Surface Smoothing This is meant

Scania CV Specification - Festo · 3.1 01.07.2015 Thorsten Weiß / Festo - delete Södertälje and Luleå - add valves VUVG - add valves VUWG - add valve terminal VTUG - add visual

Scania CV Specification - Festo · 3.1 01.07.2015 Thorsten Weiß / Festo - delete Södertälje and Luleå - add valves VUVG - add valves VUWG - add valve terminal VTUG - add visual

INSERT ISTOCK IMAGE HERE DELETE THIS BOX ADD ALT-TEXT …

INSERT ISTOCK IMAGE HERE DELETE THIS BOX ADD ALT-TEXT …

add drop shadows & delete dotted lines before printing · 2019. 9. 15. · add drop shadows & delete dotted lines before printing *Conditions apply. Promotional offer applies to Allure,

add drop shadows & delete dotted lines before printing · 2019. 9. 15. · add drop shadows & delete dotted lines before printing *Conditions apply. Promotional offer applies to Allure,

INSERT ISTOCK IMAGE HERE DELETE THIS BOX ADD ......INSERT ISTOCK IMAGE HERE –DELETE THIS BOX ADD ALT-TEXT TO IMAGE AND REMOVE FROM CLIENT LOGO RCH The Arts Response Tracking Study

INSERT ISTOCK IMAGE HERE DELETE THIS BOX ADD ......INSERT ISTOCK IMAGE HERE –DELETE THIS BOX ADD ALT-TEXT TO IMAGE AND REMOVE FROM CLIENT LOGO RCH The Arts Response Tracking Study

Instructions to add and delete assistant and intern ... supervisee instructions.pdf · Instructions to add and delete assistant and intern supervisees using the online form Please

Instructions to add and delete assistant and intern ... supervisee instructions.pdf · Instructions to add and delete assistant and intern supervisees using the online form Please

Registry of Motor Vehicles Division ATLAS Go-Live Update · • Add to, update, or delete information in ATLAS, and upload and export information from ATLAS • 24/7 access to ATLAS

Registry of Motor Vehicles Division ATLAS Go-Live Update · • Add to, update, or delete information in ATLAS, and upload and export information from ATLAS • 24/7 access to ATLAS

Booth Representative Add/Delete Form - NAGAP Rep Add-Delete Form.pdf · Booth Representative Add/Delete Form Please use this form after Booth Representative Form has been submitted

Booth Representative Add/Delete Form - NAGAP Rep Add-Delete Form.pdf · Booth Representative Add/Delete Form Please use this form after Booth Representative Form has been submitted

Lecture # 32.1 Lab 10: Server 1. Lab 10 Server 1 Add and delete names.

Lecture # 32.1 Lab 10: Server 1. Lab 10 Server 1 Add and delete names.

RIFANS Add/ Change/ Delete User Formcontroller.admin.ri.gov/documents/Forms/Misc Forms...RIFANS Add/ Change/ Delete User Form . Responsibility: INFORMATION ON RIFANS USER REQUIRING

RIFANS Add/ Change/ Delete User Formcontroller.admin.ri.gov/documents/Forms/Misc Forms...RIFANS Add/ Change/ Delete User Form . Responsibility: INFORMATION ON RIFANS USER REQUIRING

PHP MySQL Image Gallery. The admin section contain the following : Add New Album Album List Edit & Delete Album Add Image Image List Edit & Delete Image.

PHP MySQL Image Gallery. The admin section contain the following : Add New Album Album List Edit & Delete Album Add Image Image List Edit & Delete Image.

Gift Certificates, Gift Registry, and Gift Wrapping Gift Add-On v1

Gift Certificates, Gift Registry, and Gift Wrapping Gift Add-On v1