Look under the hood: bypassing antimalware tactics and ...
Transcript of Look under the hood: bypassing antimalware tactics and ...
![Page 1: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/1.jpg)
Explore adventures in the underland: Forensic techniques against hackers evading the hook
Paula JanuszkiewiczCQURE: CEO, Penetration Tester / Security ExpertCQURE Academy: TrainerMVP: Enterprise Security, MCTContact: [email protected] | http://cqure.us
@paulacqure @CQUREAcademy
BRK3293
![Page 2: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/2.jpg)
![Page 3: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/3.jpg)
![Page 4: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/4.jpg)
There is pretty much always something you can find…
![Page 5: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/5.jpg)
Searching for a Trace: DiskDiskProfile, NTUSERRun dialogMost Recently Used (MRU), Management Console (MMC)Remote Desktop connectionsPrefetch filesRecent documentsAutomatic Destinations (LNK)Security LogRDP Operational LogApplication LogsTemporary Internet FilesDeleted files – recoverable from the diskNTFS StructuresHiberfil.sysMemory dumps
![Page 6: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/6.jpg)
Demo: Data on Disk Analysis
![Page 7: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/7.jpg)
Techniques for Hiding vs. Recovering Data
File Level GamesExtension changeJoining filesAlternative data streamsEmbeddingPlaying with the contentSteganographyDeletion
Disk Level GamesHiding dataEncryption
![Page 8: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/8.jpg)
Demo: Data Recovery
![Page 9: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/9.jpg)
Searching for a Trace: MemoryMemoryHandlesProcessesHidden Processes (ActiveProcessLinks)Files that can be extractedThreadsModules Registry API HooksServicesUserAssistShellbagsShimCacheEvent LogsTimeline
![Page 10: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/10.jpg)
Demo: Extracting Logs from Memory
![Page 11: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/11.jpg)
Demo: Dump Analysis
![Page 12: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/12.jpg)
Agenda
Intro
1
Proactive Monitoring
32
Passive Data Collection
4
Summary
![Page 13: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/13.jpg)
SysmonEntry InformationAllows to build an attack timelineAllows to define an entry point and anomaliesCollects and records system events to the Windows event logIt is free and easy to set up
Good practicesFilter out uninteresting events (image loads etc.)Make sure event log is big enoughCentralize the events in a separate server
You can download Sysmon from Sysinternals.com
![Page 14: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/14.jpg)
Demo: Sysmon in Action
![Page 15: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/15.jpg)
Sysmon: Events and Filtering ExamplesFiltering RulesInclude thread injections into lsass:<CreateRemoteThread onmatch="include">
<TargetImage condition="image">lsass.exe</TargetImage> </CreateRemoteThread >
Exclude all Microsoft-signed image loads:<ImageLoad onmatch="exclude">
<Signature condition="contains">Microsoft</Signature> <Signature condition="contains">Windows</Signature>
</ImageLoad>
Recorded EventsEvent ID 1: Process creationEvent ID 2: A process changed a file creation timeEvent ID 3: Network connectionEvent ID 4: Sysmon service state changedEvent ID 5: Process terminatedEvent ID 6: Driver loadedEvent ID 7: Image loadedEvent ID 8: CreateRemoteThreadEvent ID 9: RawAccessReadEvent ID 10: ProcessAccess
![Page 16: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/16.jpg)
Demo: Sysmon Customized
![Page 17: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/17.jpg)
Demo: Sysmon and Network+ getting info about the IP addresses
![Page 18: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/18.jpg)
Forensics adventures: Summary Make sure all tracing features on the drive and in the system are enabled: USN, Prefech etc. Image first then play Create Incident Response Procedure (most of the Customers we start the adventure with do not have it…)
![Page 19: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/19.jpg)
![Page 20: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/20.jpg)
![Page 21: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/21.jpg)
![Page 22: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/22.jpg)
From your PC or Tablet visit MyIgnite at http://myignite.microsoft.com
From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting https://aka.ms/ignite.mobileapp
Please evaluate this sessionYour feedback is important to us!
![Page 23: Look under the hood: bypassing antimalware tactics and ...](https://reader034.fdocuments.in/reader034/viewer/2022052607/58a1a71c1a28ab5c788bf12f/html5/thumbnails/23.jpg)
© 2016 Microsoft Corporation. All rights reserved.