
Boston BSides - Ryan Nolette - Protect Against CryptoLocker Ransomware

BSides Boston | 45:11 | 651 views | Published 2016-07
About this talk
Recently, attackers employing a CryptoLocker variant have been removing volume shadow copies on systems, disallowing the users from restoring those files and then encrypting the files for ransom. If a user cannot recover from backups, he/she is at the attacker's mercy. In this technical session, we'll discuss the ins and outs of shadow copies, reveal how attackers are using them to encrypt files for ransom and then discuss ways you can quickly, and easily, detect and respond to these kinds of attacks. Ryan Nolette is Senior Threat Researcher at Bit9 + Carbon Black and draws from more than a decade of intense and active Incident Response (IR), Threat Research, and IT experience to add a unique perspective of technical expertise and strategic vision to Bit9 + Carbon Black. Prior to joining Bit9, he was a Technology Risk Analyst for Fidelity Investments, where he was the malware subject matter expert for their Cyber Security Group and focused on signature verification and placement for all IPS across the world, and provided non-signature based malware detection and prevention through manual auditing and automated tools he wrote. Prior to Fidelity Investments, he was an MSS Analyst at SecureWorks. As a Security Response Specialist on the Security Response Team, he aided in the management and monitoring of client intrusion detection devices and log management devices as well as researched the latest security threats and vulnerabilities to perform deep network and packet analysis to identify client security breaches. Prior to SecureWorks, he was a "jack of all trades" for Crossbeam Systems. Primarily working as a Security System Administrator, he focused on IPS, firewall, and AV systems and also worked in the SQA lab as a performance product tester, and in manufacturing where he helped build the hardware.
He was also a System Administrator and Test Engineer for Vardata, where he built and maintained a multi-server network and performance tested all network, security, and telecommunications equipment that Vardata sold. He earned a bachelor's degree in Information Security and Forensics from the Rochester Institute of Technology and is constantly looking to learn new skills and technologies.
Transcript [en]

Let's get into it, guys. So if you guys attended the earlier session at nine this morning about CryptoWall, you're going to be familiar with some of the topics that we're going to cover today. So welcome to the presentation. I'm Ryan Nolette; I currently run security operations for a company called Carbon Black. They're local in Boston; they do endpoint security. As a disclaimer, some of the slides in here do have snippets of our product in them, but it's not marketing, I promise. Marketing, HR and sales have never seen this, as you'll soon find out. Today I'm going to talk about how attackers, particularly around the ransomware variants, are abusing legitimately signed Microsoft binaries

and how to defend your enterprise against this type of attack using free and open source stuff that you can replicate in any of your environments. I'll go over quickly who I am, what I've been doing, and a high level of the topic. I can kind of assume that the majority of you in here know what ransomware is, at least at a conceptual level, so we can just skim through all that. So, Ryan Nolette: for the past 15 years I've been doing incident response, forensics, threat intel and, most recently, more and more security operations focused stuff. Currently I handle basically the day-to-day operations of the SOC: handle our analysts, going through the compliance, doing security oversight, all

that good stuff. I have a very long list of things I'm responsible for, but they can all get summed up pretty quickly. Basically, any of you who work in sec ops know this feeling: we might as well be called waste management, really. So what's ransomware? Well, if you type that question into Google you get a definition: a particular piece of software that's designed to block access to a computer system until a sum of money is paid. I can't really argue with that definition; it's not mine. I don't really think there is much room to argue. But when it comes down to what ransomware can actually do to your system,

it does a ton of things. A short list of them is up here. The most common are encrypting your files and not allowing you to use your system without paying the ransom. There's also the scareware ransomware, which just has a pop-up saying it just downloaded terrible things to your system and it will tell the cops about it if you don't pay. But by far and away the most devious and evil thing I've ever seen ransomware do is make you complete surveys. I would like to find out where that guy lives, because it took me 20 minutes to get through the survey so I could finish executing the ransomware in my lab. You can't automate that. So what's

vshadow? vshadow is a command line tool that Microsoft created to allow you to create and manage volume shadow copies. Shadow Copy is a technology that's included that allows taking backup copies of computer files or entire volumes on the system. These backups can be taken even when files are in use, which adds a whole bunch of use cases for this, because you don't actually have to stop anything in order to start messing around with the shadow copy. It's implemented in Windows as a service called the Volume Shadow Copy Service, or VSS. So throughout the presentation you're going to hear a couple of terms; they all kind of mean the same thing: VSS,

vssadmin, vshadow, volume shadow copy. I'm just going to stick them in a hat, point at it, and you're going to get one of them, but they all relate to the same concept; they're just names of different aspects of the same tool. I can see from some of your expressions that you know why this is a bad thing, right? This is a legitimately signed Microsoft binary that exists on your system already that, when we abuse it, doesn't raise any flags from your normal detection sources. So let's break something, right? So what I'm going to show you guys is actually how to do this attack. I cut out a few

things; there's one or two steps missing in there, and I'm not telling you how to get onto the system, because I'm not liable for the terrible things or pranks you will do with this. There's my caveat, and liability gone. So some variants of the CryptoLocker family; particularly, I'm going to talk about CryptoLocker version 1 and its variants, and by variants I mean minor revisions. There's probably thousands of different variants at this point. There's ransomware in general: Locky, CryptoWall, CryptoLocker, all this stuff. At a conceptual level they're the same idea, right? They lock your [ __ ] down and they don't let you use it until you pay them. We're going

to focus on one, because I only have like 40 minutes to talk about it. So if you guys want to talk about the newer stuff, I'm sure I can find beer somewhere and we'll go through it. So the technique that I'm going to show you is what I've seen most recently with these minor variants, and it's being utilized to avoid detection and for something called anti-forensics or anti-analysis, depending on who you're talking to for terminology. The technique consists of dropping your malware onto the file system via whatever mechanism you choose. The second step is creating a volume shadow copy, then mounting the volume shadow copy, dropping the malware on it, executing the malware, and then

unmounting and deleting the shadow. What's very unique about this technique is that even after unmounting and deleting the shadow, the malware is still running. So what we're really doing is we're taking away all the file system artifacts that exist from the attack and having it still run. That would really piss off your AV vendor. So on Windows XP the vssadmin tool doesn't exist natively; later on Microsoft supplied a patch that would add it there, but basically Windows Vista and up have the vssadmin executable built into the SDK. Once the volume, sorry, the shadow copy tool ends up getting executed on the system, the attacker uses it to create persistent shadows. What

we're going to work with here is persistence as defined by "survives between reboots." So there's different forms of persistence; there's different definitions of it depending on your use case and whatnot. I'm very specifically talking about: you can reboot the system and the malware remains and will run again. So for this we're going to create this persistent shadow by having the -p option, P for persistence, C for cookie, whatever you like to have to remember it. So we're going to point this towards the location on the file system where we want to create the shadow. What we're doing here is we're creating the shadow of the full C drive, the entire volume, and what this is doing is

it's allowing us to drop files into basically a file system that doesn't exist yet; it will mirror your active file system. In the example, what's going to happen when we kick off the initial vshadow executable with these options: it takes a few seconds to run, and what you see is the second output here that I have highlighted in red. The thing I want to pay attention to is the ending name of it, because that's what it's going to be referred to in the further steps. Not that this is something you have to memorize, like "cd .." means go back; it's just the one we're going to use. I probably could have named it

something easier, like Batman, but I didn't take it at the time. So going into the actual attack: we created a shadow, it's persistent, it's there on the system. Well, you have to mount it. So what we're going to do is we're going to use this mklink command to create a symbolic link, which is very commonly done in Linux; you can also do it in Windows. Here the attackers are creating the link in the System32 directory, and what we did is we created another directory under it called msdc. What we're doing is we're pointing the shadow into that directory, so that new virtual file system that we just created a minute ago now exists in System32\msdc\volume

shadow, and everything that's under it, all the child directories, all the child processes, everything like that, now exists in that one folder. The malware itself, after this is mounted, is dropped in \C of the volume shadow, so you drop it in the root of it. Yet when you look at the system, as you can see from the directory listing that we did, that malware isn't in \C; it's in System32\msdc\malware.exe. That's not real malware; that's cmd.exe that I renamed, just to show you that any binary can be used for this. So when you actually do a file listing of this, you're not seeing anything weird or

funky; you're seeing a path that looks pretty legitimate. If you saw a path in System32, a directory named msdc, during your initial analysis of a system, would that make the top of your list, or would that fall towards the bottom as something that could be legitimate, "and I'll come back to look at it if nothing else pops up"? Well, most of the time you're looking for weird things: randomly generated file names, some of this stuff that you'll see in a minute happening. But this adds in a little bit of, not anti-forensics, but forensic deterrence, right? They're making it harder for the investigators to find it by making themselves mimic the native

tools, native directories, native paths. They're trying to hide themselves by living off the land, so to speak. So once the symlink's been created, the contents of the shadow copy are accessible via any normal means. So you can use your command prompt to get to it, you can use File Explorer, any batch script you write, anything really can now interact with this file as if it existed on your actual file system. Well, that's not connected. Once the file system's in place, the malware is started just like any other executable; you know, choose your weapon, so to speak. When the malware's started, you can look at it in a tool like Process Explorer. I used

Task Manager for this, to just basically look at what it's doing, and we can see that the malware isn't running out of the root C directory where we actually dropped it; it's running out of this msdc directory, because it's linked to it, and this is how the file system is actually representing the location of this malware now. So the path doesn't really look that suspicious when you're looking for it in your normal tools; if I didn't have this named malware.exe you probably wouldn't give it a second glance. So once the malware's started, the attacker can unmount and delete the shadow and the malware will continue to run. Up here you can see that I have the structure of

the msdc. I go in and I delete the shadow copy. There's unmount commands and stuff, but you know, I like to break things, so I just didn't bother unmounting properly. My USB would yell at me, but the same kind of idea is here: I just delete the shadow copy, say yes to it, but even after that our malware is still running. So now what we see is it's a hiding mechanism, and there's nothing left for forensics to start from, because now you've removed file system artifacts that didn't really exist to begin with. So how do you find it, detect it? How are you going to end up finding this malware running on a system in your environment if most of your tools

are file-based security tools and file-based, sorry, file system based visibility? There's no registry values for this at the moment, there's no new files, there's not even temp files or metadata associated with it. Everything has been deleted, and unless you're watching everything in real time and actually have this logged out to somewhere else, you won't even see these commands that happened, and your virus scanner won't detect them happening because it only scans at increments. So basically your security tools have missed this completely, and we just did it in three seconds, and you can do it with a script. Surprise! No, I like to end those sad notes with very happy things; normally I dance, but no. So, visibility, right,

though that's the main thing we're talking about for the rest of the presentation. You see basically how the attack was outlined and how it was executed; all this can be done from a script, so there's really nothing fancy or secret about it. But what's more difficult, more interesting, is how are we going to actually find this happening, and then how are we going to stop it from happening. So we're going to do a couple things here. First and foremost, let's talk about the things that we can see. When I do any kind of malware investigation I like to bucket things into two big buckets: visibility and accountability. If you can't see it, you

can't account for it; you can't say who did what and when, right? If you're trying to do a forensic timeline or an IR, it's one of your critical tasks. You have to show timelining: what happened over time, what was the scope of it, all this really boring paperwork. But what's really important about it is it also finds those gaps you have in your security already, and it's really about adding more and more visibility until you slowly but surely kind of tie a fence around the accountability, right? We find those gaps and you start trying to detect things. So what I'm going to do is I'm going to go over this from two

points of view. What's it look like from the host point of view, so using only native tools on the system, what can we find? And then the second one is I have two slides with an IR tool, which is Carbon Black, one because it's free, I don't have to pay for it, and it gives very nice pretty pictures. I'm going to show these two techniques. After that I'm going to go into how to actually block this from happening using only native tools that, if you have a Windows environment, you already own and have fully licensed. So you don't have to memorize this. I know it's a crap ton of info, but I'm going to

quiz you all later. And since we detonated this malware on purpose, right, we have this short list. We don't really have that luxury in the real world, right? You're not going to have a list of IOCs and things like that right off the bat; you'll be lucky if you have a basic alert when this thing tried to beacon home or talk to something. To make this work a little bit more realistic, what I'm going to do is I'm going to create what I call watchlists, which are basic things that I have for monitoring on my local system that happen in real time, so as this event goes off I know about it. Think of it as

like a tripwire or any other kind of automated script you have running that'll tell you a file system's changed, hashing, anything like that; basically, tell me when this behavior or event occurs. So what I'm going to look for is conditions that occur if vssadmin was executed from the command line or from a batch script. So let's do it from the IR tool. So once again, there's pretty pictures. What's interesting about the malware that I executed: so when I did this full attack I ended up using a copy of CryptoLocker that I got from malwr.com, right? I just pulled it down and I executed it and I

wanted to see what happened. The file that I pulled down ended up having some kind of extension obfuscation. What it represented itself as is a PDF file, yet we know, unfortunately cut off the really long hash name of it, that even though it's showing itself as a PDF it's actually an executable. So when you try to read that PDF on your system, it opens up a couple of child processes and starts spawning off things to look at. Based on the alert alone, an executable hiding itself as a PDF is a warning flag and something you should investigate, but the fact that a PDF is spawning off child processes gives me even more reason to look at it. So

let's go up the tree and kind of look at what the originating file was. So the original file has this really long hash name, and that's because I pulled it down off a place that's a malware database, and that's how they store the samples, by hashes. But the icon that it shows itself as is something to give us a warning, but also the hash: when I go look it up it's like a 43 out of 56 score. That's probably something you should look at and check out in your environment. But if we break it down to the things that it actually did on the system: it spawned three new child processes, which then spawned grandchild

processes, great-grandchild processes, all the way down, to do its dirty work throughout the system. It ended up creating four new registry values, and from these registry values we can infer that it is doing extra persistence mechanisms on your system. It's adding registry values to the RunOnce and Run registry keys so that way it can try to execute itself on boot and at login, which is a common persistence mechanism. And then it also created ten new files on the system. You can see them in the different paths, but I'll talk about them a little more in the next section that actually details the full file paths and how, tying in the persistence

mechanisms based on our findings, you can tell pretty easily that you're owned, right, and you basically need to reimage at this point. So how do we go through the manual process of detecting this and then removing these files having only tools that are on, you know, your grandmother's computer? I'm not talking about in the enterprise, where you can pay for a half-million-dollar technology; I'm talking about your grandma calls you up that her system has a weird red pop-up on it, can you help her out? And that's what we're going to go into: hunting native. So what happens from the host point of view? Well, what we can see is we can do some

timestamp mapping. So up here at the top I have a little PowerShell snippet, because batch scripting is weird, and if you try to do this in a batch script you actually have to say show me all files modified in a certain time, then show me all files modified within a different set of time, and then do a diff between the two, and that's what you get left with. That's confusing, that's annoying. So PowerShell is just very straightforward, and what this is doing is basically looking for: tell me all files that were created on the system in the last 24 hours. So how many people here have done some kind of malware reverse engineering or IR

stuff? So you guys know malware changes its timestamps, right? It usually changes its modified timestamp, but it's really rare for it to change its creation timestamp for automated attacks. For very specific campaigns or specific targeted attacks, yeah, it'll change everything it possibly can, but in this case, since it was all automated, we can depend pretty well on the creation time for this detection. And what I've done is I basically ran the script and I got a list of: tell me every single file that was created in this time frame and when it was created. I was then able to just parse through the list and look for what looks like a randomly

generated file name in a location where a new binary shouldn't have been created. So we have a brand new binary that looks pretty randomly generated in your Roaming directory under AppData. For those of you who have worked with Trojans before, Zeus, SpyEye, this is where all of the Trojans drop their executables, or in a child directory of this directory. It's extremely common, to the point where this is one of the first places I look on a system if I'm trying to see if it's owned. There's a couple other directories I'm going to show you that I look at, that are the first places I look. So now that we found this thread, right,

we found one thing that looks kind of weird; let's pull on it a bit and see where it takes us. I keep thinking this is plugged in. Oh well. In the process of researching ways of trying to find these detections, I was thinking about how can I create my own little tool to basically be my VirusTotal check, right? VirusTotal is a database of hashes that are associated with good and bad known files, and basically every AV vendor has an engine up there, or at least all the most prominent ones, so you can actually see if any of them have a signature for the file that you're working with. What's nice is they have an API, so I can use

Python to just toss the file up or check the hash, and it returns a bunch of data for me. In this case what I did is I found out that Windows actually has a native hashing tool that I had no idea existed. I've always used a third-party tool to do it, but this command up here was very useful for me. It's a certutil command, and I threw this in a script and went through all those files that I found with the last PowerShell. So I just put those two things together: for every file that was created in the last 24 hours, hash it, and then drop it into my VirusTotal check. It goes out and

checks the hash, comes back with the score and tells me those things, and prints me out a nice pretty CSV. The return doesn't look like the nice VirusTotal picture, but CSVs are not that pretty to put up. So once again we can see off this check, using just native tools that are already installed on your system, that this has a score of 44 out of 56 on VirusTotal, and it's on your system; we should look at it. But let's look at some other associated things, right? We have the creation timestamp of this file now. Well, if this was done through a script, there should be other created files within a very

short time frame around it, because it's all automated. So let's start looking for those. So next up we find, created at roughly the same time, a file actually by the same name. This isn't always true, with the same name, but in this case it was created at pretty much the exact same time, sitting in your Start Menu\Programs\Startup folder. This is the second place I commonly look, because this has been a persistence location for the past two or three years at least with the CryptoLocker variants that I've been working with. So first place I check is AppData, looking at Local, LocalLow and Roaming, and then I come over to the Startup directory. This is

where applications that start on login are, so things like if you want your Outlook to start at login, it drops basically a redirect link in here; now Outlook starts when you log into your system. So next up, going through the timestamps again, I'm able to find a hidden directory, actually at the root C drive directory, which once again is named the same thing. I'm starting to think this author doesn't have much imagination; they should have made better names. But I'm going off timestamps at this point in time and I find yet another thing. So I end up doing a search for all hidden items in this directory and end up finding this and get

some more information about it. Inside this directory is actually another binary by the same name, which is the exact same hash as the stuff we've been finding. So for those of you who are counting, that's three new binaries that it's dropped in different places: it's in your Roaming directory, which is the primary one it's working off of; it's in your Startup directory, which is a known persistence mechanism; and then, if you found both of those, it created a hidden directory and threw the binary in there as well. All right, and the best part is, after it does this it then deletes the originating binary from where you downloaded it to, so it's trying to hide its tracks. So if we look in this hidden

directory we find once again that binary, that's the exact same thing. The author is very much afraid of this being found, so they're creating backup plans for the backups for the backup plans, and I for one feel that that kind of paranoia is not healthy and they should really talk to someone about it. So, talking about those persistence mechanisms, something that you're not really able to search for with that timestamping, but because we did the original timestamp search first, we're able to know file names and full file paths. So now we can search the registry for those file names and file paths to find more associated artifacts. So if we search through it, we can

actually find some things. These are in the Run and RunOnce, which are the registry keys that are used for when things boot, sorry, when applications launch either at boot or login. I can't remember which one's which; I think Run is for a regular login and RunOnce is for safe mode, or it's the other way around. If anybody knows, shout it out; I don't remember off the top of my head. But what I can infer from these being in existence is that once again the attacker is aiming for more and more persistence mechanisms. They're trying to get more ways on there; they're making it harder for them to be removed from the system. Next up, after this stuff is

run, well, you can start to see a list. So there's a registry value called CryptoLocker. For other malwares this doesn't exist, but in this case this is a list of everything that's encrypted, right in your registry. I refer to this as the pissed list, because the more you read it the angrier you get, and if this ends up on your executive's machine you have a real problem, right? Oh, this is not a happy person to deal with. No, no, just soak it in, really. Originally I had the GIF of Steve Ballmer and Bill Gates doing the dance with the huge shoulder pads, but now this one wins. So how do we detect this

attack? How do we avoid the whining exec that's really upset? So let's talk about it a bit. We're going to stick to different kinds of indicators here, so I broke it into two categories, right? There's IOCs, which I consider static kind of indicators, so things like hashes, file names, registry values, even full paths, and network connections; I consider those static. The IP addresses and domain names are not static, so I group those into the behaviors category, because, for any of you familiar with DGA Trojans, domain generating algorithm: an author will basically register a couple thousand domains based off an algorithm, and the algorithm is put into the actual code, so depending on some kind of

factors and some fancy math it knows which domain name to reach out to, and all these domain names redirect to one single C&C host, right? Sorry, somebody out there's name is Ryan and so is mine, so every time she says it I kind of twitch. So I'm sticking to the indicators that you can use in other tools, right, not just the fancy ones that I have, but pretty much any kind of IR tool. So these hashes, which is not a full list, they constantly update these and the hash changes, but to give you an example, here's the hashes that I pulled off of MSDN for Windows 7, 8 and 8.1, 10, even Vista,

that are 32-bit and 64-bit, and then what I did is I took them and I threw them into whatever IR tool I had at the time. You could do this search manually if you really want; you could do a PowerShell script to do it, but I just threw it into my script. So process md5 is that hash, and then you see an OR statement at the end, because originally I had them all on there but space, and I forgot to delete the OR. So you can grab these indicators and start searching for them in your tools. These hashes are specifically for the SDK versions of vshadow, so these are the

ones that are not natively on your system. So if you can find these and it's not a developer, that's a bad sign, because your marketing guy is not going to install copies of vshadow to look at Salesforce. If he does, I want to talk to him, because that dude's a genius. So let's take a little bit closer look at the vshadow.exe process. One of the attributes that we're looking for is unique characteristics, right? How do you choose between a legitimate execution of vshadow and an illegitimate use of it? Well, here we can see that the parent process would be something like cmd.exe. So if you see cmd.

exe run, you know that either somebody manually typed that in their command prompt or a batch file did it, all right, because it runs under the same parent process. In this case I'm looking for very specific things, such as the VSS_PS.dll, which is loaded only for vshadow, so I can narrow this down: if I look for this DLL being loaded, I know that vshadow was executed, and was executed out of a script. So I ended up writing these queries down here, which basically look for the detection of the loading of the DSL, sorry, not the DSL, the DLL, because that's faster than DSL, and you gotta laugh or you'll cry. So once

this loads up we have to look for a command-line argument of -p for that persistence. So this was the initial step that I showed you guys in the attack; we're now looking for that happening in real time on the system. Below that we're looking for the mklink command. This is the attacker interacting with the shadow copy; it's the second stage of the attack, right? We can look for that as well, or you can look just for vshadow being run with those commands at the end of it. What we're really trying to do is basically narrow down the script and rule out the false positives. I have about 3000 hosts

that I can throw this stuff into, so I can detect a lot of false positives, but your environments may vary depending on your users and what access they have to things. In this case I only had one false positive, and that was for something called WerFault.exe. It's a Windows process; off the top of my head I can't remember what it does, but it apparently interacts with vshadow. I don't know why, but it does. Oh, one caveat that I found is that the mklink command is a function of cmd.exe, so depending on what tool you use, you need to make sure your tool has the ability

to see command-line arguments, not just the commands issued, or else now you have a bunch of gaps and your queries are a lot broader; you're either going to have false positives or you're going to have collateral damage, depending on your command. So once again we go back to this name of this vshadow. So what we're doing is we're looking for a random process that is talking with this, but we can actually cut this down a whole bunch: we can just look for these shadow copies being created, right? If you see these new volumes created on your system, they are most likely not legitimate, because most users don't interact with shadow copies; most of them don't even enable this on

the system so unless this is enabled at the gpo level by your admins this is not a normal event in your environment and this is another unique characteristic that you can look for in order to detect this attack you can also look for processes running out of that path which would tell you that it's something terrible is happening as well um so I know I have couple minutes left so I'm going to bust through the last portion of this which I think try the most important how do you block this right let's who've gone through the attack we've gone through the you know all the legwork we've gone through a couple different ways to detect it there's a

million other ways to do this but in this case let's block this with tools that you guys have in your environment already all right so with any ransom where the two main things come up make sure you have good backups and train your users not to do terrible things one is easier than the other and both of them are backups so this is how I had up restoring previous versions of files there's ways to do it programmatically but what I liked this is that it's accessible on pretty much every window system right when you go on to that system you're going to have this console it might not be populated with anything and the copies might not be the most

recent they may help you and I use may dripping with hope that these could be restored and be used for you but it's not really something that you should depend on so you know the off-site backups and things like that are important that's all the proactive stuff and that doesn't have much to do with the actual blocking that we're about to do but it's good to remember anything you can do proactively is going to save you a lot of time doing this in your environment so um one of the things that i'm going to show you guys is whitelisting and this isn't whitelisting like my company's whitelisting product so don't let marketing hear you we're going to use a

free tool that's available for Microsoft once again don't let my marketing team here you uh-uh and um the reason why we're looking at white listing for this is think of the malware like you know like an arrow or you know how about like a basketball and wait listing is basically you know shot-blocking right and the malware author is this little kid and we want to crush his spirit we don't just want to win we want to make him cry so how are we going to do this the more you wash it better it gets us now I got this on like a little window on my side I can't I can't actually look over to my notes like I can't look away

um so let's uh let's block the stuff in your environment we're going to leverage three pillars of good I teamwork right we're gonna leverage gpo witchcraft and cursing because we're about to deal with the most complex in complex is the most polite word I can use example and that is we're going to start touching GPO so what we're going to use here is Microsoft's tool app Locker of course once again Proactive don't click on suspicious links zelda is upset and for any of you that think that's zelda on the screen I will slap you that is definitely linked um anyways uh what we're going to do here is we're taking some of that info that we found

earlier right oh so we did that initial query show me all the files that were created in 24 hours I went and I hashed him I found on virus total hits for them I know these are bad files and I know these are in these locations right these are all things that we have discovered and we have confirmed through this information so let's use these to build these proactive detections and blocks well which is the more important thing so what we're going to do is we're going to create software restriction policies um you can use oh you can do this on a single computer using the local security policy editor so you can do that at your

house grandma's computer whatever but if you have a domain you're going to end up using group policy editor in order to supply this for your entire enterprise a fun fact that I learned after initially doing all this research and ways to do this is that i found out that app Locker actually has an option excuse me to enforce dll blocking as well i didn't know that um i just found that out and then i tried doing it without reading any of the documentation around it this will destroy all the performance on your end point um basically it's very effective but it monitors every single execution of the dll um so it's going to dramatically decrease performance um and

I don't have to show you the picture of the exact again right that's what's kind of it up happening so what we're going to stick to is just the binaries here so first thing we're doing is we're open up the security policy editor this is kind of what it looks like um and through a couple of clicks you're able to create the policy on your system just like that five clicks you populate it with your path here I use a wild card wild cards are fun and easy ah but to come with collateral damage right when you're when you're going to evaluate what listing tools you might want to look for ones that have extra conditions involved

in them like trust ratings prevalence other useful things because if you're doing just plain white listing um that's like trying to open a pickle jar with a sledgehammer um you're going to get it open but you're gonna break [ __ ] everywhere um and for example here we're where we are going to block one of the initial infection vectors but we're also going to end up blocking spotify firefox chrome and any other application that i would consider poorly coded because they're executing binaries out of app data working fig file should be not binaries so that's my grievance I've aired it but here you're going to create exceptions and on your environment if you're going to do this or look for a

tool that has those extra conditions that you can add to your white listing if so you can get around that ended up not blocking legitimate files lastly you know here's the final product um you've now blocked cryptolocker from installing on your computer but you've also stopped Zeus and SpyEye they don't Ted serve and a whole bunch of other genres that were built off of the Zeus source code that one you know that one open source years ago so a lot of malware reuses the same code so you reuse the same directories once again you will have collateral damage so make sure you create those exceptions um because I love my Spotify and I'll be very upset if you walk it on

me in closing read somewhere is really annoyingly effective right the recent additional features of removing shadow copies make it even more dangerous because when you can no longer restore from backup you are at the attackers mercy right and your options are pretty slim at that point regardless what security products you use on your best defense for any of these attacks is user training and good backups even if you're Duncan hit by rain somewhere you get hit by some other variant rather than having to completely can rebuild the system can restore to a gold image and put your backups restoring backups to it and have all your data working again so anything preventative that you can do proactively

is is really going to help you out in the long run um so thank you for your time today and remember my motto flag it tag it and bag it also known as the double tap for any of the malware that you do questions once again HR has not seen these this used to have a lot more chips in it but when you try and system it like a 50 meg PowerPoint they start asking questions and they don't want to open it the way went to static pictures yeah what do you think hahaha where mothers day there's quite a few so the real purpose of this method of detection is living off the land so the tools that are

natively installed on your microsoft system already and because of that you have the limitations of those tools they were not designed for hunting malware so they don't have a lot of options and also if you're trying to do some kind of forensic investigation these will modify things on your system therefore your forensic timeline will be off and you will end up rained issues when people talk about your gold image and whatnot so if you're going to do this stuff on a known affected machine and you can only use Windows tools make a copy of the system and then run these tools against that copy so you don't mess up the original image and it's still some

what's the middle submissive belen court um there's also i mean if you get to the point where you're making a backup of this you should probably buy good enough tool to be able to do a lot of this automatically and get around a lot of the shortcomings of the tools and have more options and more things you can do anyone else all right thanks for the double tap enjoy
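The detection logic the speaker describes (a non-allowlisted process loading vss_ps.dll, vshadow run with the persistent -p switch, a cmd.exe mklink pointing at a shadow-copy device path, a process executing out of that path, and WerFault.exe as the one known false positive), written out as an added example that is not part of the talk and not the speaker's own Carbon Black queries, which are not shown on the page. It runs over a handful of constructed Sysmon-style process-creation and image-load records; the Event and Alert field names, the rule names, the sample events and the vssadmin "delete shadows" rule (taken from the abstract's description of the attackers removing shadow copies, not from this part of the talk) are all assumptions. strip_cmdlines() reproduces the speaker's caveat: a sensor that records only image names, not command lines, cannot see mklink at all because it is a cmd.exe builtin.

```python
import re
from dataclasses import dataclass, replace as dc_replace
from typing import Iterable, List


@dataclass(frozen=True)
class Event:
    """Constructed, Sysmon-like telemetry record (field names are assumptions)."""
    kind: str                # "process" (process create) or "imageload" (DLL load)
    pid: int
    image: str               # path of the process image
    parent_image: str = ""
    cmdline: str = ""        # empty if the sensor does not record command lines
    loaded_image: str = ""   # DLL path, for imageload events only


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


# Device path a shadow copy is exposed under; this is what mklink links to.
SHADOW_DEVICE = re.compile(r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+", re.I)
# vshadow's persistent-copy switch, matched as a standalone token.
PERSISTENT_FLAG = re.compile(r"(?:^|\s)-p(?=\s|$)", re.I)
# The one false positive the talk reports: WerFault.exe also loads vss_ps.dll.
DEFAULT_ALLOWLIST = frozenset({"werfault.exe"})


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Event], allowlist=DEFAULT_ALLOWLIST) -> List[Alert]:
    """Apply the talk's shadow-copy abuse rules to a stream of events."""
    alerts: List[Alert] = []
    for e in events:
        name = basename(e.image)
        cmd = e.cmdline.lower()
        if e.kind == "imageload":
            # Talk's indicator: vss_ps.dll is loaded for vshadow; allowlist the known FP.
            if basename(e.loaded_image) == "vss_ps.dll" and name not in allowlist:
                alerts.append(Alert("vss_ps_load", e.pid, f"{name} loaded vss_ps.dll"))
            continue
        # Stage 1: persistent shadow copy created (vshadow -p).
        if name == "vshadow.exe" and PERSISTENT_FLAG.search(e.cmdline):
            alerts.append(Alert("persistent_shadow", e.pid, e.cmdline))
        # Stage 2: attacker maps the copy with mklink; only visible in the command line.
        if name == "cmd.exe" and "mklink" in cmd and SHADOW_DEVICE.search(e.cmdline):
            alerts.append(Alert("mklink_shadow", e.pid, e.cmdline))
        # Anything executing out of the shadow-copy path.
        if SHADOW_DEVICE.search(e.image):
            alerts.append(Alert("exec_from_shadow", e.pid, e.image))
        # Assumed extra rule from the abstract: shadow copies being deleted.
        if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            alerts.append(Alert("vssadmin_delete", e.pid, e.cmdline))
    return alerts


def strip_cmdlines(events: Iterable[Event]) -> List[Event]:
    """Simulate a sensor that records image names but not command-line arguments."""
    return [dc_replace(e, cmdline="") for e in events]


CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample telemetry; PIDs and paths are made up for the example.
SAMPLE_EVENTS = [
    Event("process", 1000, CMD, r"C:\Windows\explorer.exe", r"cmd.exe /c run.bat"),
    Event("imageload", 1001, r"C:\Windows\System32\vshadow.exe", loaded_image=r"C:\Windows\System32\vss_ps.dll"),
    Event("process", 1001, r"C:\Windows\System32\vshadow.exe", CMD, r"vshadow.exe -p C:"),
    Event("process", 1002, CMD, CMD,
          r"cmd.exe /c mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1" + "\\"),
    Event("process", 1003, r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\bob\AppData\Roaming\update.exe",
          CMD, r"update.exe"),
    Event("imageload", 2000, r"C:\Windows\System32\WerFault.exe", loaded_image=r"C:\Windows\System32\vss_ps.dll"),
    Event("process", 2001, r"C:\Windows\System32\vssadmin.exe", CMD, r"vssadmin.exe delete shadows /all /quiet"),
    Event("process", 2002, r"C:\Windows\System32\vshadow.exe", CMD, r"vshadow.exe -q"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Running it flags the vss_ps.dll load and -p run by vshadow (pid 1001), the mklink to the shadow-copy device (1002), the binary executing out of that device path (1003) and the vssadmin deletion (2001), while the WerFault.exe load and the non-persistent `vshadow -q` stay quiet. Feed the same events through strip_cmdlines() and the mklink, -p and vssadmin rules all go dark, which is the gap the speaker warns about when a tool only reports the executable name.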