
Welcome. Yes, this is my talk on malicious behaviour detection with WMI. We'll start with a little caveat: I have a question mark over the timings. This could be a 20-minute talk or it could be a lot shorter, but either way I'll get you all out of the room and be happy to get to lunch early.

All right, so who am I? I'm a science and maths graduate; I graduated in July from the University of Manchester. I've been an intern at NCC Group for just over two years now, and on Monday I'm going to start a proper job, you know, become an adult in the big wide world. This photo is me from a week ago when I was jumping off a tower in Australia. I'm hoping the rope didn't snap. It was bungee jumping, and I'll say I was less nervous doing that than I am right now.

All right, so what is this talk going to be about? It's part of the research from my final-year project at university. For that project I created a rudimentary detection system built around WMI, to try to get a better idea of how WMI works but also to try to tackle some issues when it comes to detection, with a focus on living-off-the-land binaries, or LOLBins. If you don't know, these are binaries, executables, which you'll find on Windows operating systems every day; they come with the build, and in normal use they're pretty standard and aren't going to do anything. But people find ways of abusing them, using them in a way that achieves malicious activity.

So what is WMI? This is quite a tough part, because it's not exactly a nice simple concept to work with. The easiest definition I found was: an interface for applications to access data provided by the operating system and hardware components. What does that mean? Well, this basically summarises the paper: every aspect of the operating system, processes, services, startup commands, whatever you can think of, there's probably an object within WMI that represents it, and these objects have properties associated with them. We basically have all this data jumbled together, and then we've got ways of working with it: there's a protocol to transmit the data around, and we have this service that runs, which manages that stuff and handles execution around it.

All right, so the most useful thing I found when framing this detection system was: how do we query the data? To do this WMI has its own query language, called WQL. It's very similar to SQL; it's got a few keywords that are different and it's missing some of the more useful features like joins and unions, that kind of thing, but for all intents and purposes it's pretty useful. We have these two objects here: the event filter object and the event consumer object. What we can do with the event filter is give it a query, and what the service will do is run it: it will query for, it will look for, this event and return the data. Now, what will we actually be querying for? Well, if you have a look at the example on the right, it gives you a query that is looking for the instance creation of a Win32_Process object that is named PowerShell. So it's pretty simple: we look for instances created, modified or deleted, then we can pick one of these objects which represents some part of the operating system, and it will return any data. In this case it will return any process whose name starts with the word PowerShell.

What does the event consumer object do? Well, the event consumer gets linked with the event filter, and this will run on the data returned from the query. So what we can do is run scripts, run command lines, log events, send emails. We tie this whole thing together with the filter-to-consumer binding object, which just links the two, so the service will run, it looks for the event filters, it queries for the data, and any data that's returned gets passed to the event consumer, and the event consumer runs. So in the example on the right, what we're doing is querying for any process object with the name PowerShell, and then we're going to run this VBScript on the returned data. Looking at all this is where I got the idea: we've got a lot of data, we've got a way of querying the data, and we've got a way of acting upon the queried data. So we can query for events and we can act upon them, and that gives us the basis of some form of detection.

So how is this going to run? The bit on the right is what we call a MOF file, a Managed Object Format file. This is how we create objects, or one of the ways to create objects, and add them to the WMI repository, where all the objects are stored. This is just a standard format: you write this as a text file, then you use a utility that comes with Windows called mofcomp, run the file through it, and it will compile the text file and put the objects into the WMI repository, where they themselves can be queried. The WMI service will then go back and look at them, and we can read them, and this is the main way we can use these things.

So the detection system is as follows: we're going to create some MOF files. For each rule, if you like, we're going to create a MOF file. We're going to have an event filter which will pull some suspicious event; this might be process creation, service creation, it might be DLL loading, it could be various things. Anything that returns, we then look at it from our VBScript. The VBScript might perform some additional checks if needed; it might be that we think it's a little bit suspicious and we want to check a little bit more, and we've got a bit more functionality by running the script. Then what we're going to do is compile this MOF file, it's going to go into our repository, the service is then going to poll through it, it finds the event, it runs our script, we log the event, bish-bash-bosh, sorted. So this is a crudely put together diagram, knocked up in MS Word, which kind of describes what I've just said: we're going to have our detection system create the MOF file, it's going to work within the built-in WMI architecture, the service is going to run, it's going to execute our script, and it's going to write to a log.

So what sort of things are we going to be detecting? I kind of split it into some simple rules and then some more complex rules. When we're talking about simple rules, we're just looking at the behaviour of stuff happening at one time. This might be looking at command-line arguments. Like I said, with these LOLBins, their normal use is fine; it's when an attacker is trying to abuse them that we're looking for suspicious events. One of the ways of looking at that is understanding how it's being run, and a good way to understand how it's being run is what command-line arguments it's been given. A great example of this might be PowerShell being run with ExecutionPolicy Bypass. Yeah, that might be normal, or it might be an indicator; on its own that indicator might not be sufficient, but it might also be using encoded commands, again pretty normal, but it could be an indicator. For most of the examples I'm probably going to use PowerShell, just because it works well with a lot of the examples, but with a little bit of thinking you can think of other things that could be happening.

The next one I looked at was parent processes, so we're looking not at what's being run but at what is running it. Again, using the example of PowerShell: if PowerShell runs normally, its parent process is going to be explorer.exe, you know, someone's just clicked the PowerShell icon and opened it up. But it gets suspicious when maybe you get Word or Excel spawning PowerShell; you're probably going to have some kind of malicious macro in there. Then you can look at other examples that check the hierarchy of processes. The way around this would be to just call explorer.exe, and then PowerShell; that would get around the first rule, but then you're looking at explorer.exe being run from, say, cmd, so you know that's suspicious. So you've got to look at the behaviour of how the processes are linked together, what the parent process does.

The final simple rule would be DLL loading, so we're going to look at what DLLs are being loaded into the process. This uses the query right at the bottom, and it uses a slightly different type of query: you'll see the top two are both looking for an instance creation event, the bottom one doesn't use that. Those are looking for the creation of something; this one's own event is the module load trace, which is an event that comes up every time a DLL is loaded into a process. So what this will return is the name of the DLL being loaded and the name of the process it's going into. The System.Management.Automation DLL is the PowerShell DLL: basically, if you're running some kind of PowerShell commands or you're looking into that functionality, you're going to need this DLL. So obviously if PowerShell is loading it, that's fine, that's normal behaviour, but if you see other processes loading it in, yeah, that's not right, something's going on there. I'll give an example of that a little later on.

So those are the simple rules, and then, although I don't have any examples for these, we have some ideas for more complex rules. These are where you're looking at a bit of a wider picture; you're not just looking at what's happening at one moment. The first one is frequency-based rules. This is where you're looking at an event which, if it just happens once, might not be suspicious, but if it's happening a lot of times in a very short period of time then that might be something you're looking at, and you can do all that with these WMI queries. There's a special clause, HAVING, where you do a SELECT with a WITHIN clause; the WITHIN keyword is all about the period of time you're looking at, so a WITHIN of one minute means within the last minute, and if you then add a HAVING, maybe HAVING 100, you're saying this event has happened over a hundred times in the last minute, and maybe that's big enough to be something suspicious.

Finally, linking rules together: again, one process doing one thing might not be suspicious, but multiple processes doing slightly different things might be. So you might have the creation of a file, say something's written to a DLL on disk, and then it's run from that DLL; well, maybe that might be a suspicious event. You're not exactly looking at that happening a lot; it might just be malware dropping its malicious payload and then using one of these LOLBins to run it. So you can create rules like that by linking them, adding some logical operators into your queries; you can get pretty intense with it, they can be as long as you want, you're just limited by the few keywords that you have.

All right, that was pretty short. If you want more, there's a paper on the whole project, so there's a nice long read which goes into a lot more detail than I've been able to today. This will be the one example that I'll give; I've actually got a demo video for this, which hopefully will work. The example the demo video is going to show is the DLL loading one, and this was the most fun part of my project: working out how to do it, because it's not something that you see every day. What I did was create a malicious macro. I created a malicious .NET DLL, which had to be made as an unmanaged DLL so that it could be loaded in by the Word process, and I created a malicious macro. The macro, which was a one-liner, loaded in this DLL and ran a function, and this function executes PowerShell. What that meant is the macro had the full capabilities of your PowerShell commands. You could run your malicious payloads and that kind of thing, but never actually use PowerShell: if you looked at your process tree, PowerShell is never called; it's all coming from winword.exe or excel.exe. So there aren't a lot of indicators for something like that, apart from a macro being run on its own. So what we have there is an example of the DLL being loaded in, and what will happen is that the module load trace event would be fired: System.Management.Automation has been loaded into excel.exe, that's suspicious, and we'd have a hit. It's a lot more interesting in the video, but I thought the video would be good and it hasn't come up. But hey, thanks for coming, I hope you've enjoyed it. Any questions?

[Audience question, inaudible]

Yeah, testing was a lengthy process, especially on the DLL loading rules. That was basically: run a rule, look at my logs. At one point I ran it, I just had it running for about a minute, and my log file had about a thousand entries that I had to go through, working out what each process was doing. One of the big things is there's a kind of background process that pre-compiles a lot of these DLLs, which I didn't know existed. So when you're looking at DLL loading this will load them in; it does a little bit of pre-population before the process needs them. So I had to whitelist that one and then look back through the logs; there was a lot less then, but yeah, an intense process.

[Audience question, inaudible, about prevention rather than detection]

Yeah, so this was only detection, I was just writing to logs. You're kind of restricted by just having VBScript; that was pretty much all I could use, and, as I finally realised, it's old for a reason, no one uses it for a reason. There is a way around it; I never implemented it, but a good way of getting around that would have been to implement a COM object. Sure, the VBScript can then call a COM object, but the COM object could be written in something like C++ or C#, which gives you a bit more functionality, and you could look at more prevention stuff: like, this process is running, we think it's dodgy, all right, let's kill it. Another thing I was looking at, if you're not using the COM object, is Windows notifications: when something suspicious has occurred, you could pop up a notification saying you want to check it. But I never really got round to it; time constraints, I didn't have enough time to do it properly. But it's got to be something that [inaudible].

[Audience question, inaudible, about renaming the binary]

Yeah, the big downside of this is it relies on the process name, so if someone's changing the process name, they're going to get around it. I didn't realise that until a bit too late, but there are other indicators you could look for. You could then, say, create an event filter for the file modification event, so if someone's saying, all right, I want to run PowerShell maliciously, I'll change its name, you could look for a file modification event, someone changing the name of the executable or the DLL, and that would be another suspicious event that you'd pick up, so people changing a system file. Also it would still be using the same DLLs.

[Audience comment, inaudible, about copying PowerShell under a legitimate name]

Yeah, I see, and yeah, it would be good to then have a look at that: it's a legitimate process name but it's run by something else that you don't recognise, and you could get into that by adding some more rules, like the file modification case, and just change things, like someone copying stuff, as I said, or deleting stuff. It's only as strong as the amount of effort that you want to put in to creating rules. I think if you had the rules which detected people doing that, you'd stop people doing it, but if you just have the basic rule then, yeah, you're right, you can get around it. OK, I think we've got about a minute left, but if there are no more questions I'm going to go to lunch. Great stuff.
[Applause]
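The DLL-loading rule and the frequency-based rule described in the talk, written out as one MOF file in the shape the speaker outlines (event filter, consumer, filter-to-consumer binding, compiled with mofcomp from an elevated prompt). This is an added example, not the speaker's own project code; the filter and consumer names, the log path C:\wmi_detect.log and the 100-in-60-seconds threshold are assumptions.

```mof
#pragma namespace("\\\\.\\root\\subscription")
// Added example, not the speaker's code: names, log path and thresholds are assumed.
// Rule 1 (simple): PowerShell's engine DLL loaded by something other than powershell.exe.
instance of __EventFilter as $DllFilter
{
    Name = "DLLLoad_PSAutomation_Filter";
    EventNamespace = "root\\cimv2";
    QueryLanguage = "WQL";
    Query = "SELECT * FROM Win32_ModuleLoadTrace "
            "WHERE FileName LIKE '%System.Management.Automation%'";
};
// The VBScript runs on each returned event, resolves the PID to a process name and logs only
// when the loader is not PowerShell itself; a process that already exited cannot be resolved and is skipped.
instance of ActiveScriptEventConsumer as $DllConsumer
{
    Name = "DLLLoad_PSAutomation_Consumer";
    ScriptingEngine = "VBScript";
    ScriptText =
        "On Error Resume Next\n"
        "Set wmi = GetObject(\"winmgmts:root\\cimv2\")\n"
        "Set proc = wmi.Get(\"Win32_Process.Handle='\" & TargetEvent.ProcessID & \"'\")\n"
        "pname = \"\"\n"
        "If Err.Number = 0 Then pname = LCase(proc.Name)\n"
        "If pname <> \"\" And pname <> \"powershell.exe\" Then\n"
        "  Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"
        "  Set logf = fso.OpenTextFile(\"C:\\wmi_detect.log\", 8, True)\n"
        "  logf.WriteLine Now & \" SUSPICIOUS \" & pname & \" (PID \" & TargetEvent.ProcessID & \") loaded \" & TargetEvent.FileName\n"
        "  logf.Close\n"
        "End If\n";
};
instance of __FilterToConsumerBinding
{ Filter = $DllFilter; Consumer = $DllConsumer; };
// Rule 2 (frequency): more than 100 powershell.exe starts within 60 seconds via GROUP WITHIN / HAVING.
// The consumer receives a single __AggregateEvent; LogFileEventConsumer writes it with a %Property% template.
instance of __EventFilter as $FreqFilter
{
    Name = "PSFreq_Filter";
    EventNamespace = "root\\cimv2";
    QueryLanguage = "WQL";
    Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process' "
            "AND TargetInstance.Name = 'powershell.exe' GROUP WITHIN 60 HAVING NumberOfEvents > 100";
};
instance of LogFileEventConsumer as $FreqConsumer
{
    Name = "PSFreq_Consumer";
    Filename = "C:\\wmi_detect.log";
    Text = "SUSPICIOUS %NumberOfEvents% powershell.exe process creations within 60 seconds";
};
instance of __FilterToConsumerBinding
{ Filter = $FreqFilter; Consumer = $FreqConsumer; };
```

Expect the same false-positive problem the speaker hit in testing: the first rule will also fire for legitimate hosts of the PowerShell engine (powershell_ise.exe, the background pre-population process he mentions), so a whitelist in the VBScript is the first thing to add after a trial run.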