
you. And man, I thought people in Texas talked with an accent. Holy moly. Let me share my screen here, hopefully we'll get this correct. You can see that? Not sharing just yet. Whilst you're doing the sharing thing, just a reminder to folks: if you've got questions, please post them in Slido. The code is NCL2020. It's giving me an error. Oh, of course, first thing in the afternoon. I may have to drop and get back on. Last time this happened to me in Zoom, this is what it did. Yeah, "sharing screen share, please try again later." I'll be right back. Come back on, that's no problem, we can be right back at you, no worries.

Yeah, and for anybody, again, I'm gonna repeat myself. Every time I do I get like 10 DMs from Slackbot telling me people have signed up. If you haven't already, there is a Slack community available; it should be in the description down below in the stream. If you're not willing to join Slack you can just hang out on Twitter: tweet BSides Newcastle, tweet Ben, tweet Sam. Please do say hi, or block me if you want, that's absolutely fine. We do have Slido for Q&A. And we're back, we're cooking with gas. Yeah, a perfect filler, my friend. I've got slides. Yep, we've got slides. You'll need to unmute yourself and we'll be good to go.

Yep, there we go. Grand. All righty, now we're going. Let me get the Slack page up. All right, now you can see my screen. All right, so we're going to talk about needing a process to check your running processes. That's why we have "process" versus "process," and their modules: the bad guys, the red teams, are coming after them. I am Michael Gough. I am a principal for NCC Group, founded there in the UK, and I'm founder of Malware Archaeology. If you're not familiar with the cheat sheets, that'd be me, and also IMF Security, the home of LOG-MD. So I'm a blue team defender, defender ninja, malware archaeologist, logaholic, and principal at NCC. I love properly configured logs because they tell us who, what, where, when, and hopefully how. That's why I created these cheat sheets. They came out of an effort of fighting the Chinese in the gaming industry, and once we caught them with good logging we were like, hey, there should be a cheat sheet for this, and that's how these were born. There's now about seven of them, and if you haven't heard about them, they're free resources, please go check them out. They far exceed some of the CIS benchmarks and other regulatory requirements that are out there. I am also co-creator of LOG-MD, the Log Malicious Discovery tool. I've got a couple of screenshots in here in regards to processes. And I am the co-host of the Incident Response Podcast, so take a listen, available on your favorite consumption platform.

So why this talk? Well, because these things can't tell you enough, right? Here's Tasklist on the left, and on the right you've got Process Explorer from Sysinternals, and there's lots of data in here, but unfortunately it doesn't tell you enough when it comes to running processes. Or if you go to the command line, which most of us should be doing, again, not enough, because of fileless and memory-only malware, right? And this is why we have to talk about this, to address this expanding threat that is becoming more and more common, too common. What used to be an occasional thing and, you know, basically reserved for APT and the Winnti group that attacked gaming, we're now seeing in commodity malware, right? Red team engagements use it with Cobalt Strike and Metasploit, and of course APT uses it quite heavily, and this method can avoid many, many security tools, so I'll mention one of those as we get going.

So let's first rethink or redefine fileless malware: invisible malware, right, wireless malware, marketing scareware. I get it, saying "fileless" is an easy way to sum up a threat for management, sales, products, etc., to sum up and understand a new type of threat, right? We have fileless malware. But, you know, as security practitioners, as blue teamers and incident responders, you know, I'm like, no, there's a file, right? I can get a file on the wire, I can get a file in memory, I can get a file off disk, I can get a file anywhere, in the registry, et cetera. But for those of us having to deal with it from an IR or forensic perspective (notice the proper spelling, "forensic"; I'm speaking at a forensic conference so I thought I'd throw that in here), we need more than just the word "fileless." So let's take a look at another, more detailed way to look at fileless malware that immediately tells us something, and how to go about looking for it.

Fileless malware that can only be found in the memory of a running system: malware plus memory is memware, right? Instead of calling it malware, if I now say "memware," after what I just talked about, you can suddenly picture yourself: ah, I've got to focus in memory for this malware. No files can be found if you scan the disk, that's why it's fileless, while the system is running anyway. Or very short-lived, just long enough to drop it, execute it, and delete it, and this is a great technique to bypass FIM. We saw this with the Chinese APT group Winnti: they would drop, detonate, and delete the malware, and the FIM would go, hey, we're good, I don't see anything. Typical infection vectors are injection, DLL side-loading, hijacking, process hollowing, you know, download the source code, compile on the fly with .NET, JSC, etc. The user can click, the user can even double-click this type of malware, no problem at all. It doesn't really matter how it gets started, but the word fileless, right, the file lives somewhere, so let's do a better job of guiding people where to look for signs of it.

So, other types. Let's now categorize fileless malware in types like these. Regware, right: malware plus the payload in the registry. This is common in Kovter, and Winnti did this as well. So if we have malware hiding in the registry that's called with some ASEP, autorun, we can call that regware. WMI, WMIware, where the malware and the payload live in the WMI database, whether it's a PowerShell script or an actual binary living in the WMI database; let's call that WMIware, because now you can see a pattern. If I tell you, hey, go look for some regware, you can now think, I'm going to need tools to scan the registry to look for malware in the registry. If you say WMIware, I've got to go look at WMI executions and look inside the WMI database for malware. PowerShellware, well, this is just malware plus payload in PowerShell, wherever that may be: pulled down, detonated on the fly with Cobalt Strike, hidden in the WMI database, hidden in the registry, it doesn't really matter, or just commodity malware, however it gets on the box, but at least now I can focus and understand: I'm going to look at PowerShell. Compileware: malware plus payload compiled on the fly, right? The .cs files, .cmdline files are pulled down, csc compiles and executes the .NET code, and now we have a case of compileware, again only running in memory. And then downloadware, all right, this could also be known as LOLBAS-ware, to give a shout-out to our friends that we had on the podcast to talk about the subject, right? But this is malware plus payloads downloaded each time, and some of these infections in memory, right, some of these process-based malwares can be a combination of downloadware, compiled on the fly, PowerShell, WMI, regware, etc.

So autoruns, Run, RunOnce: keep in mind not all malware will have an autorun, an ASEP, right? There's no persistence. The latest TrickBot, for example, that attacks domain controllers through an SMB opening, again infects into memory, runs as a process in memory, hidden or otherwise, and nothing else on disk: no files on disk, no autoruns, no ASEPs, no nothing. So as an IR going in and looking for something, all the typical things we look at as an analyst won't be there, so running processes is the place to focus, you know, especially the red teams, right? They don't like to leave IOCs, so they're going to run Cobalt Strike or Metasploit or one of the other kits, and they're going to inject their code, and they're going to leave it there, and they're going to start hopping around, and they're going to try to get, you know, domain admin, the way the game plays. And of course, you know, I have to deal with our red team all the time at NCC Group, so I kind of see some of their foo and their attempts at foo. Or the autorun is created on shutdown, then deleted on startup, right? We saw this with Winnti, but also Dridex commonly did this in the past, where you typically run an autoruns tool and there's nothing there, and then as you reboot the box, if you were to go into safe mode or you had good file and registry auditing (there's a cheat sheet for that, by the way, if you want to dig into that area), as the system shut down the malware would say, ah, request to terminate, write to disk, write to registry. The system would start up, the autorun would be read, it would run the malware, the malware would say, oh, go delete the registry key, go delete it off of disk. Very common Dridex technique back in the day, still used by common malwares today. So what is in memory may be all that we
can see, right, the running process, so we need a process for this, for sure. So the latest TrickBot, like I mentioned before: here's an article from Palo Alto Networks where they found that TrickBot on the domain controller does not survive a reboot. That means what? The processes that are running and the modules that are attached to them, however they want to inject or load, that's where we need to start focusing our attention, because this is their new MO.

So how do we find this stuff? How do we go about looking for this stuff? First and foremost, everything you do should be mapped to MITRE ATT&CK. Yes, it's a colony-based solution over here at MITRE, so sorry about that, but it's really good work. If you haven't looked at MITRE ATT&CK, especially now that sub-techniques are here, you can join your sub-technique ID numbers (we'll see a couple of those in a minute) to your queries in Splunk or log management or Graylog or whatever. But the things you do and the things you look for should be mapped to MITRE ATT&CK. You know, for example, here's T1500, Compile After Delivery; this is the compileware. T1055, Process Injection; this is where they're injecting a process of, let's say, Explorer. T1196, Control Panel Items; this is a common Cobalt Strike control panel applet exploit, you know, etc., etc. There's lots of MITRE ATT&CK IDs, and the sub-techniques further let us break that down even further, allowing us to get more refined in our process of what we're looking for, right? So T1574, Hijack Execution Flow, now has 11 sub-techniques (not always numbered, by the way, 001 through 011; it has to do with where they sit in their actual higher-end techniques), but in this case T1574.002 is where they DLL side-load, right, just one of them of the 11. This is what Dridex does: they put a good Microsoft binary out of System32 in an odd directory, they put the DLL that's required by that true-signed Microsoft binary in the same directory they're using, that's that load-order-within-Windows flaw, and they're side-loading the DLL and malware into memory, and that's what they're doing here. So they're taking advantage of T1574.002. T1055, Process Injection, 11 sub-techniques again; again, T1055.002 is portable executable code, right, so this is a very portable code. This is another process injection where they just loaded a binary in memory.

So we need a process, and for those who don't know, I'm going to reference one of your colonies, Canada: that's Andrew Hay, that's where "process" came from. If you ever listened to Andrew talk, you know he's Canadian, and he has that twang of Canadians, so he says "process," and that's what kind of gave me the idea here, separating process. We're pros, we need a process to look for processes. So thank you, Andrew, for that one. He now lives here in Austin, so he's becoming a Canadian Texan, if there's such a thing. We need to create this process to start looking for this condition, whether you're using tools, whether you're using scripts, I don't really care how you do it, utilities, but this is something, as we look at our infections and also, again, compromise assessments, or you're looking at threat hunting, we need to start looking at this pretty deeply, because this is a great condition that bypasses a lot of security tools, right, and some are just not preventing this technique. I work in a large house that had one of the big EDR solutions, and the red team consistently got through and bypassed the security tool, one of the big EDRs, because they were taking advantage of this technique and the EDR did not actually monitor for this technique. We need to build this process into our hourly, daily, or weekly, and even monthly routines to detect and alert for this technique. So if you can run something that can dump the running processes and their modules, you potentially could upload those to your SIEM, or create an alert with a manual alert with an EDR, or however else you can come up with this: email solution, however you want to be alerted, Slack, whatever. But we should start looking for this for sure, to alert us on these techniques. We need to build a process into our daily, weekly, monthly, yearly routines to threat hunt for this technique. This is a great example of something to threat hunt with, something used by not only commodity malware but also APT.

Two basic ways, right? We can do this two basic ways. Dump memory and analyze the memory dump using tools like Volatility and all the plug-ins: time-consuming, again, you know, kind of burdensome, kind of hard. But also we can check the running processes and their modules for signs of additional DLLs or injected code. You can use a tool like LOG-MD Premium to scan a live system for modifications to running processes and their modules, right? So we can do it live, which is quicker; we're not altering the system or having to power it down, we're not having to copy these ginormous mem files off the box. But there are two ways to address this, right? And yes, as we are doing things live we're potentially messing with the evidence, but in IR sometimes we have to think outside the forensics box.

Finding memware: traditional forensics has us dumping a memory image and running tools like Volatility against it. Some of these checks, apihooks for example, can take 30, 45, 60 minutes or more to run. Just identifying the image of the box is also very time-consuming; it can sometimes take hours depending on how fast you are processing these images. Logs contain a ton of details that can alert you to this behavior if you collect, then detect or hunt, right? So if you are doing a good job of logging, back to the cheat sheets, remember the cheat sheets I mentioned in the beginning, and you turn this stuff on in the Windows environment. We'll talk about some *nix stuff here; just kind of translate processes into daemons, but for the most part it's the same idea. All right, the process command line, the execution of what's happening after the command's executed, is the key thing to catching these attacks. How did I call the stuff to actually inject it? And sometimes not, right; sometimes it's just a binary that will then inject code into memory. Checking running processes and their modules on a live system is a great option because I can do this at scale. If I've got SCCM or I've got BigFix (boy, if you have BigFix you've got the best security tool on the planet), I can push out a check for this on all my systems daily, weekly, monthly, yearly, whatever, and I can dump all the things that are running and then run through a process that checks all those files against a master database of hashes, or master digest as we call them, and get rid of the known good items, and then focus on the items that are unknown or new, and then you can go through your analysis process of that. And of course, better yet, look for signs of injection, right? The thing that's common here is you will see signs of injection where there's manipulation of memory and the code, where injection will stick out by various techniques to look for them. And you can look for other artifacts like autoruns and ASEPs and registry keys that are large, storing scripts or payloads in the WMI database, you know, the scripts and/or payloads in the WMI database as well as the registry, and of course odd PowerShell, large blocks, obfuscation, etc., right? These are the ways that the stuff might get on the box and then persist later secretly, so we can definitely search and look for those as well.

So, signs of injection. What does this look like? A running process shows signs of additional or replaced code. This condition is detectable by a few tools; obviously Volatility can do it with some of their plugins. And obviously an indicator of bad, not a dead giveaway of bad: you will have to perform some analysis of these extracted files from memory through Volatility, very common, right? I do it: I do a filedump, dlldump, and driverdump out of Volatility. I then have to post-process those files to determine... and at this point the hashes are worthless to us because they're memory dumps, so they don't match the hashes on disk, and so I have to look at static analysis of that sort of stuff to determine whether those files are worth looking at before I maybe upload them to a threat intel solution like VirusTotal or Any.Run or something like that, where they detonate the malware on the fly or put it in a sandbox, et cetera, right? But it is an indicator of bad. And yes, some drivers will show up there too; definitely the bloatware that's installed on servers and PCs and laptops is written a lot like malware is written, it uses the same kind of things, a lot of control calls to hardware and memory and the like.

So here's an example of how we execute LOG-MD to look for this condition: -proc, again, checking running processes and modules; -md, exclude the known good with the master digest, right? So I say, okay, get rid of explorer.exe because that's not what I'm looking for; I'm trying to filter out all the things that I've dumped. List processes with signs of injection, so we look for any signs of injection, hooks, etc., you know, ADS and whatnot. Then once we dump those files, the -x, we can run our B9 module against them and do a static analysis. You know, you can do a sigcheck against these files, you can strings out these files, something else we do with our B9 module; however you go through your normal static analysis of these extracted files or any binary, you're going to go through the same process here with extracted memory, whether it comes from Volatility or whatnot. And of course VT: you can obviously send these file hashes and/or the files up to VirusTotal to see what they know
about it. Often, for commodity malware, it'll be known by the time you upload it, and of course if you don't see anything, if VirusTotal has never seen it before, it better be a custom-written app by you guys or you've definitely found some good bad. So that's just an example. Here's output of our B9 module that gives us the information. So if I did process one of these extracted processes from memory that was injected, you know, in this case I named it bad.exe, you can see at the bottom B9 will tell us it's likely suspicious. That would point the analyst in the direction to say, I need to look into this more. Here's some hashes so you can go do your investigation on VT or other repos, and you can start doing your post-processing of it.

So here's some examples of typical commodity malware we know about. Here's Kovter, right? So Kovter again shows hooking. Hooking is fairly normal, fairly common; a lot of tools do it, Office does it, all your browsers will do it, so it's not really a great indicator of bad, you'll get a lot of noise out of hooking. But implanting, definitely not, right? So Kovter is implanting, and we can see here that it's using the 32-bit service host. Again, some ninja tip here: if it's ever on a 64-bit system calling 32-bit programs, investigate it. It's going to be a very short list of normal; it will most likely be pointing you to the bad. But here's an example of implants using 32-bit service hosts, so yes, we need to investigate this box, and this happens to be Kovter. QakBot: I actually did a malware write-up for NCC Group, we're going to be publishing that, but here's an example of two implants, and again using a 32-bit Explorer, right? So explorer.exe itself is good, but there's now injected code, or implanted code in this case, into Explorer that then can be dumped using Volatility or extracted with LOG-MD or other tools that are out there. And then of course the side-loading Dridex DLL. Here's an example of where I just put it, and you can see the parent shows signs of injection. That's because it is a trusted, known binary from Microsoft, rundll32; it's signed by Microsoft, so we know, you know, if you were to do all the analysis on that file, it's fine. But again, there's a side-loaded DLL involved here, and it would show up as malicious and suspicious, right? It's not in the catalog for Microsoft, it's unsigned, and yes, looking at all these, they're showing it's malicious and suspicious with our B9 module and LOG-MD evaluation, right? So we're trying to guide the analyst to find this stuff easier.

So, dumping and extracting files. If you use a tool to extract or dump files from memory to disk, you can statically evaluate them like I just talked about, right? B9 can point you to the fact that it's bad, but I now have to go and look at the strings and maybe upload them to my favorite sandbox, or just detonate them in a sandbox, however my process is to do these, or full reverse engineer if you so choose. But again, IR, we tend to have to do things quickly, so we need to be pointed to the suspicious as fast as possible to then go look at that in bulk, and again look up hashes in VirusTotal, Any.Run, wherever you want to go look at them. Evaluate the makeup of the file to determine good, suspicious, and malicious indicators, right? Is it packed? Does it have indications of weird metadata? Is there a bunch of unreadable, a lack of readable, strings? Things that, you know, the makeup of the file itself, a lot of things that reverse engineers look at. We do that with the B9 module; Any.Run does that by just literally reversing it as you detonate it; some sandbox solutions will look at this stuff as well. You can extract the strings and of course go down the full reverse if needed.

Once you extract these files... you can use LOG-MD or Volatility to extract these files, these DLLs and drivers. You know, just a reminder, if using the 2.6 version, it only works on the older versions of Win 10; you'll have to go to the next version to get newer versions of Windows 10. But you can do a dump, right, Volatility: files, DLLs, and drivers. And then once you extract those files you're free to then post-process them outside of Volatility, even if you're running malfind or apihooks or whatnot plugins; you can then, once you extract those files, do whatever you want with them. You can loop them through your API key, whatever it is that you have available to you, full reverse on whatever you want. And of course we use LOG-MD Premium to extract these files, that's what we use; Volatility works really well too. And so here's some extracted files from LOG-MD and Volatility: QakBot, Kovter, and Dridex, so I named them to make it easy, but here's where their locations were, right? Here's some suspicious things we do: we look for PDBs, right? project28.pdb, C:\Users, so there's the actual username that wrote the malware, source repos, project28. So sometimes these things are telling, sometimes they're not. So here's Kovter showing you that its original file name is "diffuse gravity" and "diffuse gravity p." You know, generally the internal original file name doesn't match; that's what malware does. It's definitely, in Windows, more closely related to one another, so those tend to point you in the right direction. Here's Dridex, and clearly a suspicious PDB file. So again, helping the analyst focus on this dumped, you know, in-memory malware to say, ah, that's an interesting PDB, I'm gonna go look and investigate that DLL further, right?

So, details of the file: you can look for simple indicators like, is it signed? Is it in the Microsoft trusted repo, right? So this is the big files that Microsoft extracts all the Windows files from, and so it has to come from the catalog if it's Microsoft-provided in a patch or an OS, and then of course it'll be signed. In many cases, though, Microsoft's doing a poorer and poorer job as future versions roll out, not signing all their code, aka like all the .NET stuff is not signed. The metadata, right, the actual file name versus internal file name that I showed you: dead indicator. You can use Sysinternals tools for any of this stuff, you know, LOG-MD, whatever you want to use. Is it packed? That's a big indicator. They pack it to make the code smaller, they pack it to hide the parts that can be detected in antivirus and potentially EDR from a string, memory string, perspective. You can look up, again, hash lookups in an API like VirusTotal. It's a waste of time when you're looking at batches of dumped files in VirusTotal, because the hashes are not the actual hash; you'll have to actually upload the file, by the way, and then the file will be digested through the AV engines, and then they'll find the strings and then tell you that it's Dridex or Kovter or whatnot. But again, determining the makeup of the file, being likely good, suspicious, or malicious, however you go about doing that, is the process I'm speaking of, whatever tools, utilities you want to use, whatever output of Volatility or whatnot. We'll talk more about the tools. Take a drink of my breakfast while you guys are drinking beer with whiskey over there.

So let's talk about some downloadware examples. So the bad guys, or the red team (from my perspective they're also the bad guys; to my NCC colleagues out there, you're bad, good bad, but bad), they can call out to the internet to download the code to compile or fetch the malware, so it does not live on disk, right? So examples are Cobalt Strike and SCYTHE. SCYTHE is a solution you can sign up for, subscribe to, where you can compile your own malware and all kinds of whatever you want it to do; it'll compile a version for you, and then you use it in your red team packages, or test your EDR tools or your defenses with it. We worked with them on a project and created some malware, they sent some over, where we evaluated it for them, say, here's what we saw. So it's a great testing solution, but it lets you test these kinds of conditions, or the red teams will use them against you and test you, not for real, on the fly. LOLBins, LOLBAS: rundll32, regsvr32, regasm, etc. You can go look at Oddvar Moe's project on GitHub, the LOLBAS project; I'll talk about the Linux one in a minute. Compilers: csc, MSBuild, jsc, etc. Watch for those executions, right? They may write to disk on shutdown, delete on startup if they're clever, if they want to persist, if persistence is part of the game or part of the method or need for them; that's a great way to bypass a lot of tools. And so here's an example of csc I'm using, here in Process Explorer. You can see the chain, the process tree, of cmd.exe launching PowerShell, always something to investigate, then launching csc, definitely should trigger EDRs; if it doesn't, get a new EDR. And that's how you know compile-on-the-fly is occurring. Oops, go back to that slide. And on the right you can see the .cs and
command line files of a funky name but that is pretty common within compiled uh malware or compiled programs in general these files generally are randomly named so looking for that uh random name isn't really going to help you if you do have some normal compiling occurring which does occur on a windows box but you'll see the random js as i indicate down the bottom some random command line and then csc no config full paths will be executed as we can see here in the command from the process explorer there on the fourth line down windows.net framework blah blah blah csc slash no config full paths and then the path to where the file actually resides which is the temp folder over
here to the right and you can go look at didier stephen's powershell ad article on csc but this is an example of how compile on the fly malware works and it goes you can just load it right into memory right so we need a process to actually go hunting for that so why running processes why look at running processes versus memory down so speed right it's far faster and more scalable option to scan a system live for running processes and their modules i'm from i'm an ir right so my job is to go find the bad guys or investigate stuff and if i go to a box and i find a case of a bot a piece
of malware apt on a box i now got to say okay i i know that this network's flat and i know that they've got a thousand systems that potentially are accessible from this one infected host i now have to go a one to many all right i have to go now execute my foo against my good foo my hunt foo against all these systems in order to find the bad food that i just found on this system and the best way i can do that is live right live ir and so uh that's why it's speed it's fastball it's more scalable whatever tool you have whether it's using winram with something like uh arthur a konzafork that we worked on to allow
utilities be pushed, reports to be pulled back, something Kansa did not do, then you know that's an option for Windows scenarios, or whether I have to SSH into all the boxes from a Linux perspective, however I might do that at scale, right? And so yeah, you have to come up with a way to do this one-to-many, and that's what I mean by process. You'll have to think about this. If you have SCCM you've got a great tool for Windows only. If you have BigFix you've got a great tool for Mac, Linux and Windows, where you can literally create a script within BigFix's module and push out a check for
these conditions and pull them back, and I'm going to share some of that for the *nix environment with you here in a second. And again, dumping memory takes time; you might cause some issues on the box. There are cases in gaming, for example, when we did this the game developers and game management said hey, what the hell is going on with this, you know, when we were doing a bunch of dumps. Right, so determining the image info takes a long time, like I spoke about earlier. I have run imageinfo for a couple hours in some cases, and these servers are so big now with how much memory they hold, it can be really painful to deal with
those memory images if you're sucking them over, say, from the pond, and I've got to bring them back here over to the colonies. So yeah, this can be a challenge for a lot of us, right? And running all those plugins takes time; apihooks, for example, takes a long time to run. So, speed. So let's talk about these evil control panel applets. So CPL files are all those control panel applets, right? So it's those things on the right; when we open up Control Panel on Windows we see Flash Player, Java, etc. So I definitely worked on one where rundll32, whatever directory location, C:\Windows\Temp, wherever it was. They'll generally,
if the red team is any good, they'll know where CPL files normally live, and then they'll push their file to that location, fake java.cpl, and then they will load it with control or rundll32 and boom, this will get by some well-known EDRs, and they now have persistence and a C2 channel back. And if there's no network-based IDS/IPS they're in, they own it, and the only thing that's running is what's in memory, because they can delete what's on disk at this point. So it launches a bad DLL into memory. LOLBin, because they're using rundll32 or control.exe, known-good signed Microsoft binaries, right? CPL files load all the time with
all these control panel applets, so they are noisy. That means you normally will see them, so you will have to filter them out if you're trying to make an alert for this, so or to the why's in the morning. This will be something that requires some tuning if you go down this path, and I do recommend you go down this path, creating a process to look at CPL loads on your boxes for sure. Third-party applets are not well signed. Great, that thing I told you to look for, was it an indicator? Well yeah, unfortunately control panel applets aren't always signed, so now you've got to deal with that in your static analysis part. And again,
many EDRs don't alert on this method, and the red team loves them. Cobalt Strike has an option to do this built into the product, yay for the red team on that one. So for me this is probably the number one red team attack I see, because it works so well using the LOLBins control and rundll32. It's hard to detect due to normal noise; well, that's why a lot of EDRs don't alert to it. Good luck trying to create some alerts in your EDR. What I really like is the concept of how, not to promote Splunk, but how Splunk has the concept of a lookup list where it can populate the combinations,
either the name of a file or the combinations of a path. And by the way, never do just the binary name; always include the path when you're trying to exclude a file in a lookup list or exclusion list. But the lookup list concept of Splunk is nice, because as I find known goods I can put, well, it must be this location and this path and this file name and even this parent, for example. I can build these lookup lists so that every time I find a false positive I can add it and then exclude it, and a lot of these EDR solutions don't have that kind of logic; you just have to build static "not this
file path". And so there's a challenge with some of these tools of how to do a good job; that's why some of these fail in this area. So how do you catch this highly used and successful method? Well, I'm going to say back to logging. All right, logging executions, 4688 on Windows. This would not be a *nix attack, obviously. Look for CPL files and/or control and/or rundll32. Also look for the parent of those LOLBins: who is executing control.exe and rundll32, and understand who normally executes those. And that's what I mean by the combination, right, parent-child. What's the parent? The Windows logs will tell you what that is.
If you're a Sysmon fan you definitely get that information in there, and that will help you determine whether or not there's something odd going on here, right? Baseline what is normal. Create a process. The paths will be the same as normal if they're any good, because they will drop the files in the same folders that generally CPL files occur: user space, temp folder, C:\Windows\Temp requires admin privs, by the way, so they've already escalated privilege if they're doing that, and then also C:\Temp right off the root, and the temp folder off the root. So they'll utilize those locations, but you can also use ProgramData. I mean, you dump these things anywhere, right,
anywhere the user has rights to is a target for the bad guys or the red teamers, right? So %TEMP%, %APPDATA% and, you know, ProgramData are all writable places to a user with no admin privs, so look out for that. And then of course you can statically analyze these CPL files, or whatever extension they may be. If you see control.exe being used and it's not called .cpl, it doesn't have to be called .cpl; they're just doing that to try to hide under the normal noise and extensions that we expect. But yeah, you can look at these statically and see. So take a look at Oddvar Moe's
project. We had him on the podcast; listen to our old podcast about it and you get some details about LOLBins, LOLBAS. Here's a full list. We also maintain one on Malware Archaeology that points to Oddvar's list, so that you can get a short list of some of the admin utilities and some of these LOLBins to look for. But this is definitely something you need to build into your process: look for these odd executions, or the executions of these LOLBAS LOLBins, because they can lead to bad, and it is becoming more and more common with commodity malware, definitely APT, and the red team. So, next pro tip. See, I'm
talking about Windows-related stuff all the time, but now I'm getting some *nix. It is easy for *nix rootkits to hide, right? We ran into this with the Struts vuln back in, I don't know what it was, 2005, a long time ago. You know, it's easy for this stuff to hide, but there is a /proc directory in *nix, right? And if you look at the /proc directory: /proc/123 ... 10000, 10001 ... 20020, right? So you've got all these directories which correspond to the execution of the thing running, the process that's running. Very easy to
hide. You try to do an ll, I used to work at HP so ll would be my thing with HP-UX, or an ls -l, and you don't see /proc/1001, for example, but it's there, right? So it's really easy for these rootkits in *nix to hide stuff. If we know what is in the file in each /proc and the PID, then we know to look at the command execution line and say, well, how about I just crawl through all these folders and I dump out the execution line that's in that folder's file, and then I dump those out, and then you create a known-good file of the ones you
say yep, that's normal, yep, that's normal, and then you feed that through the loop, and eventually this running process list of odd things will become much shorter, and you can quickly check for hidden processes. Because again, if I do a ps -af or whatever, again, they're going to hide the running process with the built-in Linux tools, and so that's not going to do any good. But you can compare /proc to ps, if you can do that in some way, and be able to see some of these hidden items. So there's a ninja tip for querying the /proc directory and finding what's running on a *nix box. Monitoring for and threat hunting: so we
need to develop a process to monitor and detect for things that we want to threat hunt, right, signs for these techniques that we talked about with MITRE ATT&CK. I would definitely say focus on MITRE ATT&CK in regards to threat hunting; everything you threat hunt for should map to a MITRE ATT&CK item. So you can just print a big poster of the MITRE ATT&CK matrix and start highlighting the ones with, you know, purple and green and whatever colors you want to use, to say that I've looked for that, and start tracking that as your methodology to threat hunting. I would say that is a great ninja tip there. Enable the data: so one of the things
we find often in threat hunting is there's nothing there, not because there's nothing there, but because there's nothing enabled to see that there's nothing there, or that there is something there. So please enable the data. Again, reference the cheat sheets; the cheat sheets definitely are important across the board. This would apply to your Linux environment as well: make sure security.log, firewalld has the accepts, not just the denies, for example; make sure Docker logging is turned on, for example; make sure MySQL logging is turned on, for example; make sure flow logs and abs are turned on, for example. Right, you must enable the data to hunt the data. Right, so if you are in the Windows and Linux
arena, make sure you're collecting the process command line. This is where a lot of bad food will be caught. This is actually how we caught the Winnti group, by the process command lines that they executed. And we see a lot of malware just launches a binary and then does all of its stuff in memory, so there is no process command line, but again, other ways to detect that, as I've discussed already. Step two, create detections for many of these techniques. Process command line is key, of course, and its parameters will be a great way to hunt for this stuff. All right, those two items here. Step three, come up with the process to scan
running processes and their loaded modules. I gave you a technique for *nix; we've been talking about Windows quite a bit in this presentation, so that's definitely something you should come up with. Mac would be pretty similar to Linux as well; you can look at the Objective-See tools, or CrowdStrike's project, their triage project for the Mac, if you're looking for something on the Mac. But detect these in-memory-only infections or persistence items, red team activity, whatnot. This should be used both for regular detection and for threat hunting, right? The threat hunt things you come up with should definitely feed back to your SOC alerts and your IR and all that, right? You guys are a cyclical
entity and you should be all helping one another in your detections and what you hunt for. And then watch for indications of injection; that's the big one, what's going on there. Static eval files for strings: you can evaluate files for known indicators of strings. We do this with Bit9; we have a module and a script that, I just, you know, I dump all the strings, Bit9, and then I have a list of words and I basically look for those words, which I'll list here in a second, and then that'll kind of give me an idea of whether or not there might be some indication of a binary doing memory-related string activity
or any other thing. You use YARA as well; future Bit9 stuff will have YARA capability as well. However you want to do that to look for what's in those strings will work. And so here's an example of a string output, right? Whoops, just, boof, you know, here's all the strings dumped out, hello world, static, readable, whatnot. You can see at the bottom, P.J. Plauger, licensed by Dinkumware, all rights reserved. And so then what you do is you would then create a file, put all these known used-for-bad process-injection-related strings into a file, and then you would basically go through these string outputs and do a find and
look for all these things. Again, lots of false positives; there will definitely be false positives here, but it is just one method and one process option you have, and I wanted to share with you. But that's an example of a short list. Watching for downloading of LOLBins and LOLBAS: right, it's not so much the execution of these trusted binaries but what happens afterwards. Any LOLBAS that does any kind of download or internet communications, investigate it. That's where the process command line will come in handy, you know: rundll32 or regsvr32, space, http, uh oh. That's how I would react, right? Alert on these. Baseline what's normal; there will not be
many, but there will be some, obviously Microsoft, but they have their own way of downloading stuff, so they shouldn't be using LOLBins and LOLBAS for that. And then watch these executions closely for downloading to the internet for sure. Here's a short list, thanks to the Talos team for saying that all the things they evaluated. Here's the short list: mshta, certutil, bitsadmin, that's end of life, regsvr32 and PowerShell are all commonly used to go phone out to the internet, phone home. So if you want to start somewhere, here's your short list. Again, Malware Archaeology maintains a list of the stuff and links to the other solutions, and this
presentation has it as well, right? Process command line is key, so please map this stuff to MITRE ATT&CK and collect your process, or focus on process command line, whatever OS you're using. So here's the next: the *nix LOLBins, or GTFOBins, a list of these. Here's the URL for them, so thanks to somebody actually mapping this out, and the cool thing is it talks about the functions that these commands are used for. So there is also a *nix version of this as well. So again, alert on LOLBins, or in this case GTFOBins, in your SIEM to watch for this kind of nefarious activity from the bad guys. Best options for process tools: log management is your
best friend here. I love log management. LOG-MD, we talked about that very entry that tells you what, where and why. But if not, you will need a process to manually check running processes, their modules and signs of injection. LOG-MD Premium that I talked about, Sysinternals tools, Sysmon if you use that, the ID 8s and 10s, using WinRM with Arthur to be able to go remotely execute against your Windows environment, of course memory dumps and Volatility for all OSes are all possible options here, many of which are free, right? And I guess log management is my best friend. So, conclusion: create a process to look at running processes and their modules, modules being the DLLs, processes being
binaries. Look for signs of injection or replacement code, etc. Log the process command line execution and definitely get that into your SIEM. Watch for LOLBAS or GTFOBins utilities. Monitor for the executions discussed in this presentation. Some tools to consider: LOG-MD has a free version; the Premium version, the stuff I talked about, is not free, unfortunately for you guys, but again it's an option. Volatility is free; again, the hollowfind doesn't work that well, I don't think it's 110 compatible. pe-sieve is an injection checker utility you can use; you can check that out. Loki has it integrated, as well as LOG-MD does. Get-InjectedThread from our
friends over there, Jared and manifestation. PSReflect, don't have a lot of luck with this; I think it needs to be updated with the current version of Windows 10. That's always a problem: the free stuff is chasing the latest version of Windows, of course. You can look at Rekall, which is no longer, I guess, available; it got bought, sucked up by the Google Googs. Invetero and MemHunter, which is an older tool, requires .NET 3.5. I mention these because maybe people can resurrect them into a current version, because they did do the job at the time that they were in use, as Rekall, MemHunter once showed for us. So some resources. Again, homework: Red
Canary presentation, ATT&CK deep dive; look on their website, it was a recent webinar. They're doing several in this space right now as we speak. If you don't know who Devon Kerr is, he's actually brilliant, don't tell him I said that, but I guess this is being recorded, so maybe he'll hear that. He now works with the Elastic team. With the Red Canary, oh sorry, Victoria, wrong group, MITRE ATT&CK people, Katie went over there; Red Canary folks over there are quite bright on this and they're doing a lot on process injection. Articles on MITRE ATT&CK sub-techniques, they're out there, so go read up on them. Deep Instinct, process injection
and manipulation, go read that. Endgame, which is where Devon Kerr is, which is now owned by Elastic; anything he does and his team does is phenomenal, he's brilliant, so take a look at what they're doing. So some researchers' resources to further understand this space and what to look for and maybe where your EDRs leave off. And with that, here's the websites; go find some stuff and, you know, there you go. And we will definitely make these available in the PDF here shortly, and you can find us here. And I am HackerHurricane, and because in Texas we have to protect from hackers and, yes, hurricanes. Fortunately the last one went to the state to our east,
so no harm done here in Texas. But that's where you can find us, and I am done.
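The parent/path/file combination logic the speaker describes for CPL loads and LOLBin downloads, as an added Python example that is not code from the talk or from LOG-MD; it runs over a few constructed 4688 / Sysmon style records, the lookup-list entry and sample paths are assumptions, and the LOLBin short list is the one given in the talk.

```python
"""Added example, not the talk's code: flag control.exe / rundll32.exe loading a
file from a common drop folder, flag listed LOLBins whose command line carries a
URL, and tune out known goods only by full parent + image + loaded-file paths."""
import re
from pathlib import PureWindowsPath

CPL_LOADERS = {"control.exe", "rundll32.exe"}
# LOLBins the talk lists as commonly used to phone out to the internet
DOWNLOAD_LOLBINS = {"mshta.exe", "certutil.exe", "bitsadmin.exe",
                    "regsvr32.exe", "powershell.exe", "rundll32.exe"}
# Folders the talk names as usual drop locations (user temp/appdata, ProgramData, C:\Windows\Temp, C:\Temp)
DROP_FOLDERS = ("\\temp\\", "\\appdata\\", "\\programdata\\")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Known-good lookup list (hypothetical entry): never a bare name, always full paths plus parent
KNOWN_GOOD = {
    (r"c:\windows\explorer.exe", r"c:\windows\system32\control.exe",
     r"c:\windows\system32\inetcpl.cpl"),
}

def loaded_file(cmdline: str) -> str:
    """First argument after the image, lower-cased; rundll32 takes 'file,Entry'."""
    args = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return args[1].split(",")[0].lower() if len(args) > 1 else ""

def evaluate(event: dict) -> list[str]:
    """event: parent, image, cmdline as in 4688 / Sysmon event 1. Returns reasons to alert."""
    parent, image = event["parent"].lower(), event["image"].lower()
    name, cmdline, reasons = PureWindowsPath(image).name, event["cmdline"], []
    if name in CPL_LOADERS:
        target = loaded_file(cmdline)
        if (parent, image, target) in KNOWN_GOOD:
            return []                       # tuned out by the path combination, not by name
        if target:
            ext = PureWindowsPath(target).suffix or "(no extension)"
            where = "drop folder" if any(d in target for d in DROP_FOLDERS) else "path"
            reasons.append(f"{name} loading {ext} from {where}: {target} (parent {parent})")
    if name in DOWNLOAD_LOLBINS and URL_RE.search(cmdline):
        reasons.append(f"{name} with URL in command line (possible download)")
    return reasons

def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index of every event that produced findings, with its reasons."""
    return [(i, r) for i, e in enumerate(events) if (r := evaluate(e))]

# Constructed sample records, not real telemetry
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'control.exe "C:\Windows\System32\inetcpl.cpl"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\Temp\java.cpl,CPlApplet"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin.exe /transfer job http://example.test/f.bin C:\Users\Public\f.bin"},
]
```

Calling hunt(SAMPLE_EVENTS) reports the second and third records; the first is tuned out by the lookup entry, and the same lookup keyed on a bare filename would also have silenced a fake inetcpl.cpl dropped elsewhere.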
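The /proc-versus-ps comparison with a known-good filter that the talk describes for *nix, as an added Python example that is not the speaker's code; the known-good patterns and the sample views are constructed, and it goes one step beyond the talk by probing PIDs directly instead of trusting a directory listing.

```python
"""Added example, not the talk's code: crawl /proc for command lines, compare with
what ps reports, and keep only hidden or not-yet-known-good entries for review.
read_proc()/read_ps() need a Linux host; compare() is pure and runs anywhere."""
import re
import subprocess

# Hypothetical known-good patterns; extend this list as you confirm normal entries
KNOWN_GOOD = [re.compile(p) for p in (r"^/sbin/init\b", r"^sshd: ", r"^\[kworker")]

def read_cmdline(pid: int) -> str:
    """cmdline from /proc, falling back to [comm] for kernel threads; '' if the PID is gone."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            cmd = fh.read().replace(b"\0", b" ").strip().decode(errors="replace")
        if not cmd:
            with open(f"/proc/{pid}/comm") as fh:
                cmd = "[" + fh.read().strip() + "]"
        return cmd
    except OSError:
        return ""

def read_proc() -> dict[int, str]:
    """Probe every PID up to pid_max rather than trusting readdir(), so an entry hidden from
    a listing can still be opened by name (slow on hosts with a large pid_max)."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    procs = {}
    for pid in range(1, pid_max + 1):
        cmd = read_cmdline(pid)
        if cmd:
            procs[pid] = cmd
    return procs

def read_ps() -> set[int]:
    """PIDs as the ps binary reports them. ps reads /proc too, so this catches a tampered
    or LD_PRELOAD-hooked ps, not a kernel module that hides /proc entries from everyone."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def compare(proc_view: dict[int, str], ps_view: set[int], known_good=KNOWN_GOOD) -> dict:
    """hidden: present in /proc but absent from ps. unusual: not matched by any known-good pattern."""
    hidden = sorted(pid for pid in proc_view if pid not in ps_view)
    unusual = {pid: cmd for pid, cmd in proc_view.items()
               if not any(rx.search(cmd) for rx in known_good)}
    return {"hidden": hidden, "unusual": unusual}

# Constructed sample views (not captured from a real host): PID 913 is missing from ps
SAMPLE_PROC = {1: "/sbin/init", 42: "sshd: root@pts/0", 77: "[kworker/0:1]",
               913: "/tmp/.hidden/svc --daemon", 950: "python3 /opt/app/web.py"}
SAMPLE_PS = {1, 42, 77, 950}
```

On a live host, compare(read_proc(), read_ps()) gives the same two lists; each confirmed-normal command line then becomes a new KNOWN_GOOD pattern so the "unusual" set shrinks on every pass.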