RMISC logging for hackers

Proper logging would have caught the retail Point of Sale breaches,

here’s how

Michael Gough – Founder

MalwareArchaeology.com

IMFSecurity.comMalwareArchaeology.com

Who am I• Blue Team Defender Ninja, Malware Archaeologist, Logoholic

• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How

Creator of“Windows Logging Cheat Sheet”

“Windows File Auditing Cheat Sheet”

“Windows Registry Auditing Cheat Sheet”

“Windows Splunk Logging Cheat Sheet”

“Malware Management Framework”

• Co-Creator of “Log-MD” – Log Malicious Discovery Tool

– With @Boettcherpwned – Brakeing Down Security PodCast

• @HackerHurricane also my Blog


Malware evolves

• So must we

• Darwin says so

• Evolve or die

• Well… Evolve or get breached anyways

• Which means an RGE !!!– Resume Generating Event


• We discovered this May 2012

• Met with the Feds ;-)

Why you should listen to me?


2014 - We gave an infected VM to one of the Big IR Firms… They came back “Yup.. It’s clean” #Fail

Were the Retail PoS

breaches

Sophisticated?


Retail PoS Malware

• MWZLesson

• BackOff (PoS)

• Chewbacca (PoS)

• Dexter/Project Hook (PoS)

• BlackPoS/Kaptoxa (PoS)

• Many other variants

• They all have one thing in common


Retail PoS Malware

• A service was installed


Retail PoS Malware

• FTP was used (Process Create)

• FTP traffic (IP’s and Process Create)

• External traffic (IP’s – normal?)

• PSExec was used (Process Create)

• Network connections made (Share accessed)

• User activity (Login & Lateral movement)

• Services installed (#1 thing to detect)


Retail PoS Malware

• I say this is and was noisy, lots of things to detect… easily

• NOT sophisticated

• We will look at other attacks and show you what was detected and how


A quick look at

Advanced Malware

Artifacts


WINNTI 2012 Summary

Pretty typical advanced malware• DLL Injection

– \WBEM– \Windows– \System32 – Files stored– \ProgramData – Files stored

• Sysprep Cryptbase.dll exploit• Boot up back door, deletes on load, writes on shutdown

– Killed by pulling the power ;-)

• New Services installed• Multiple infections per machine hoping you miss one


WINNTI 2014

• Summary of improvements for WINNTI 2014– PlugX used as a base, modules added– Dll injection on SQL Server (5 dirs. Deep)

• Allowed for SQL Mgmt utilities to enable XP Command Shell and run .NET commands

– Binary infector – altered existing management binaries to call main payload – and STILL worked!

– Driver infector – Added driver to look like existing management software

– Hid scripts in the Registry– Hid payload in the Registry!

• The Registry is a Huuuuuuuuuuuuuuuuge Database


Initial Infectors

• Perflogs– C.exe – Communication to infected system

• Thanks for the Port and Password• For once WE compromised THEM!

Now who is “sophisticated” ;-)

• PROOF of the power of Command Line Logging!


Persistence• C:\Program Files\Common Files

– WLXSys64.sys – NOT ON DISK ANYWHERE ????

• Modified existing service

– WERCplSupport (Who needs WER Support)

– Changed ServiceDll to:

• Program Files\Common Files\WLXSys64.sys


• So how did it load if it was NOT on disk???

Normal

NOT Normal

Persistence

• Avoided leaving key files behind like they did before, well one anyways… the persistence piece


A quick look at

Commodity Malware

Artifacts


Angler delivered Kovtar

• Unique way to hide the persistence

• Inserted a null byte in the name of the \Run key so that RegEdit and Reg Query fail to read and display the value


Dridex Artifacts


Dridex Persistence• New method towards the end of 2015

• Nothing in the Registry showing persistence while system was running

• In memory only until system shutdown

• Then we caught the bugger, with good auditing of course and


Artifacts• Dll Injection – New Files dropped in Windows

core directories• Command Line details• Admin tools misused• Delete on startup, write on shutdown• New Services (retail PoS should know this)• Drivers used (.sys)• Infected management binary (hash changed)• Scripts hidden in the registry• PAYLOAD hidden in the registry (256k binary)


How to Detect

Malicious Behavior


So what is the #1 logging item?Command Line Logging !!!!

• At the time of Winnti 2014 ONLY Win 8.1 and Win 2012 R2

• Which we had, then we saw this in our alerts of suspicious commands (Cscript & cmd.exe & cacls & net & takeown & pushd & attrib)

• Scripts too


Hidden in the Registry• Command Line execution led us to Registry Keys.

The main payload and scripts to infect were stored in the registry – \Classes and \Client Keys


Hidden in the Registry• HEX in some cases where infection was not complete

or when we recreated it in the lab because we were missing something (the infected persistence binary)

• A Binary when complete, encrypted in some way


Hiding in the Registry

• This was new for WINNTI 2014, other advanced malware uses this method too

• They added three values to the Keys

• HKLM\Software\Clients or \Classes– putfile

– file

– read• This found on only a few systems to hide another backdoor

– HKLM\Software\Wow6432Node\BINARY\Acrobat.dxe


HKLM\Software\Clients• putfile

• file

• read


4D5A = MZ in HEX

Persistence

• Infector… One for the DLL (infect.exe) and one for the Driver (InfectSys.exe)

• Altered system management binaries

– McAfeeFrameworkService

– BESClientHelper

– Attempted a few others, some failed


• We tried the infector on several other system files and it worked

Persistence

• Infected management binary read key, decrypted payload and dropped into:– \Program Files\Common Files

• NOW WERCplSupport ServiceDll exists!

• As soon as it was loaded… it was deleted making it hard for us to find it


But we were better than that ;-)

So what led us there?

• Malware Discovery Baseline

• Compared infected system hashes (Suspect) to a known good system hashes (Master-Digest)

• Showed some single hashes in directories that were odd to us (our own management software)?

• So we looked for these binaries across all systems

• ONLY the infected systems had these odd hashes


Persistence

• BAM! Got ya – PROCMon on bootup


FINALLY !

• Malware Management allowed us to setup alerts on artifacts from other malware analysis– Retailers and all of us really need to learn this

• Of course our own experience too

• Malware Discovery allowed us to find odd file hashes, command line details, registry locations

• Malware Analysis gave us the details


What we need to look for• Logs of course, properly configured - Events

– Command Line details– Admin tools misused – executions– New Services (retail PoS should know this)– Drivers used (.sys)

• New Files dropped anywhere on disk – Hashes• Infected management binary (hash changed)• Delete on startup, write on shutdown - Auditing• Scripts hidden in the registry – Registry Compare• Payload hidden in the registry – Large Reg Keys• Malware Communication – IP and WhoIS info• Expand PowerShell detection• VirusTotal Lookups


So what did we

take away

from all of this?


Log Management

• This is the BEST Security Tool, because it is not your typical security tool

• Not all of us can afford 100% coverage with our Log Management solution

• It is recommended you should have 100% coverage, so get it on the budget radar

• Logging and Auditing provides the details needed to understand and discover the malicious behavior


But I don’t have Log Management

• How many of us have 100% coverage on all endpoints, network devices, email and web gateways, IDS/IPS, applications, etc.

• I usually see 10% raise their hands

• So what is there for the rest of us?

• Critical to enable and configure and collect the logs locally at a minimum

• You will increase your chance to catch things


What to do without Log Management

• Enable and configure logging and auditing on all systems

• Best chance you have

• For Windows systems there wasn’t anything worth while to evaluate the things we needed to collect the malicious activity outside having everything in log management


Since it didn’t exist

We created it!

So you can do it too!


LOG-MD.COM

• Log and Malicious Discovery tool

• When you run the tool, it tells you what auditing and settings to configure that it requires

• LOG-MD won’t harvest anything until you properly configure the system!

Purpose

LOG-MD.COM

• Improve and promote Logging and Auditing• Help MOVE or PUSH security forward• Malware Analysis Lab• Investigate a suspect system• Audit - Advanced Audit Policy settings• Give the IR folks what they need and the Feds too• Take a full system (File and Registry) snapshot to compare to

another system and report the differences• Discover tricky malware artifacts – Retail PoS malware and APT• Deploy with anything you want, SCCM, LanDesk, PSExec, PS, etc…• Replace several tools we use today with one easy to use utility that

does much more

• To answer the question: Is this system infected or clean?• And do it quickly ! SPEED !

Improve your Logging and Auditing

LOG-MD.COM

• Guides you enable and configure Windows logging and auditing

• With or Without Log Management

• Helps makes your log management better!

• Guides you to enable and configure File and Registry auditing to catch the bad stuff when it happens

• When you don’t have a log management solution, gives you something you can use

Free Edition

LOG-MD.COM

• Harvest security relevant log data

• Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations

• Perform a full File Baseline of a system

• Compare a suspect system to a Baseline or Dir

• Perform a full Registry snapshot of a system

• Compare a suspect system to a Reg Baseline

• Look for Large Registry Keys for hidden payloads

LOG-MD.COM

• Everything the Free Edition does and…• More reports, breakdown of things to look for• Specify the Output directory• Harvest Sysmon logs• Harvest WLS Logs• Whitelist Hash compare results• Whitelist Registry compare results• Create a Master-Digest to exclude unique files• Free updates for 1 year, expect a new release

every quarter• Manual – How to use LOG-MD Professional

Professional Version

LOG-MD.COM

Future Versions – In the works!

• WhoIs lookups of IP Addresses called

• VirusTotal lookups of discovered files

• Find parent-less processes

• Assess all processes and create a Whitelist

• Assess all services and create a Whitelist

• VirusTotal lookups of unknown or new processes and services

• PowerShell details

• Other API calls to security vendors

Professional Version

LOG-MD.COM

Malicious

Activity

Caught

Crypto Event

LOG-MD.COM

• C:\Users\Bob\AppData\Roaming\vcwixk.exe

• C:\Users\Bob\AppData\Roaming\vcwpir.exe

• C:\WINDOWS\system32\cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL

• C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet

Malicious Word Doc

LOG-MD.COM

DRIDEX

Malicious Word Doc con’t

LOG-MD.COM

More DRIDEX

So what is the goal of proper logging?

LOG-MD.COM

• WHAT Processes executed

• WHERE it executed from

• IP’s to enter into Log Management to see WHO else opened the malware

• Details needed to remediate infection

• Details to improve your Active Defense!

• I did this in…

15 Minutes!

So what tools worked?


• Log Management is #1, by far• A tool that allows you to ask a system a question

– BigFix (Best Blue Team and IR Tool hands down – My favorite)– Tanium– Google Grr Rapid Response– Mozilla InvestiGator– Facebook OSQuery

• LOG-MD was created to fill the gap where agents did not exist

• Malware Analysis in a Lab – Recreate payloads, execute artifacts

Resources

LOG-MD.COM

• Websites– Log-MD.com The tool

• The “Windows Logging Cheat Sheet”– MalwareArchaeology.com

• Malware Analysis Report links too– To start your Malware Management program

• This presentation and others on SlideShare– Search for MalwareArchaeology or LOG-MD

– Top 10 Windows Event ID’s - SlideShare

Questions?

LOG-MD.COM

You can find us at:

• Log-MD.com

• @HackerHurricane• @Boettcherpwned

• MalwareArchaeology.com• HackerHurricane.com (blog)

• http://www.slideshare.net – LinkedIn now

Technology

RMISC logging for hackers