Above screenshot shows config from Danabot used by Affiliate ID 5 (zeus like) and Gozi ISFB RM3. Here, we can see that same inject server demo[.]maintrump[.]org is being used. This is clear indication that our adversaries are sharing infrastructure and working together.

Keitaro TDS

Keitaro TDS is a traffic distirbution system which is known to be used this group for web traffic filtering and distribution based on geo-location, user agents, device info etc.

BlackTDS

BlackTDS is a multitenant TDS tool that has been advertising its services on underground markets since the end of December 2017. BlackTDS offers a variety of services to its clients that they collectively refer to as a “Cloud TDS.” The operators claim that their Cloud TDS can handle social engineering and redirection to exploit kits (EKs) while preventing detection by bots — namely researchers and sandoxes. BlackTDS also includes access to fresh domains with clean reputations over HTTPS if required – https://www.proofpoint.com/us/threat-insight/post/drive-service-blacktds

Capabilities and Operations

 

With regards to monetization of stolen information we have seen new methods compared to just fund transfer to mule accounts. Few known methods are buying Bitcoins, buying products and resale once received, buying giftcards, cashapp transfer, transfer to paypal etc.

---

Mule recruitment Sample email

---

Above screenshot is a sample job advertisement to hire mules. Majority of times these mules are not aware that posters are part of such group. The mules are mostly looking for jobs from several days to weeks and are known to be in less fortunate demographics including students and immigrants. My next blog will concentrate on such environment that is responsible to fuel such activities.

Victims based on Configuration

RM3 Loader

Storing Victim Data

Hypothesized Operating model of the Adversary Group

• Overlord – the one who looks after complete operations. Possibility they are part of organised crime. Very few evidence on what they are doing with the money beside living life of luxury. P.S. the name overlord is given by me
• Operations
  • Coders
    • Senior Developers
      • Custom loaders
      • Bot developments
      • Writing banking injects
  • Junior developers
    • QA/review
    • minor updates
  • Botnet managers
    • Hosting providers
    • Traffic distribution system managers
• Researchers
  • Target research and information gathering : Group of people that either had an account with targeted financial institutions or a disgruntled employee who may share information about target
• Spammers
• Phishers : This group is responsible in getting information or login details collected via generic credential phishing who accounts can be use to host initial delivery documents or send out email from
• Recruitment
  • New coders
• Sellers : Either sells data or advertised the service on forums
• Accounts/Finance
  • Mule Operators/recruiters
    • Local
    • fly-in and fly-out
    • fraudsters to create fake business accounts
• Finance managers : Either receives money from mules or responsible to buy other data/tools that can be used in the operations

Final Words

• Understand our adversaries motives and intentions and make it hard for them to achieve their objectives.
• Target what hurts them the most – which is money – if we make it harder for them to get what they want, in long run either they will stop or move else where
• Another one is sharing – we do talk about sharing, creating standards, do lot of presentation, attend conferences and we have been doing this for years – however, do we need more ? Are we sharing information that useful or actionable ?
• More involvement of Local authorities and giving them information to help in their investigation instead acting on the information and close out the doors because you did your job.
• Look at a bigger picture in future – rather than a quick win in present.
• Emerging technologies seems to be assisting cyber criminals more than organisations due to ease of availability and deployment within their infrastructure. Does these technologies vendors have some kind of compliance or standards or as long as they getting the money. Do organisations understand and assest these technologies and have some logic to detect them based on its footprint ?
• As the group targets financial organisations, they do access the information via digital channels. Understand how they are accessing, baseline good traffic and monitor their digital identities/footprint. Keen eye will see difference which can be used a detection of such anomalies.
• Bulletproof hosting providers and their abilities to mask adversarial activities with competitive rates assist further to accomplish objectives which is mostly financial gain.
• Create mindset towards what these actors are doing and what kind of information they have at their disposal. With this we can answer what can happen. In intelligence, we gather information and assess it and based on that we find something to action on.
• Lack of cyber laws within a region and corruption to certain extent also assist these cyber criminals to go on without any repurcusions. Can this change ?
• Organisation concentrate on in-house awareness training and improving security contols and reducing risk by implementing various best practices, however most of the victims are non-employees and unaware of such existent threat. There should be programs to make sure these portential victims are well of an existent threat. Think beyond just a updating a website with known bads.

Readers!

I have been working as a Cyber Threat intelligence area from quite a long time and today I want to talk about a question that I often get asked.

Do we need Cyber Threat Intelligence?

With this article I will try to answer as much as I can based on my personal experience.

Firstly, one must understand Cyber Threat intelligence and how it can help your organisation. But before we venture into Cyber world we must know Intelligence has always been there before Cyber was even a word. Simply, put Intelligence is ability to acquire certain knowledge and skills and apply where applicable or where they fit. However, as we know Intelligence is a very broad and there can be multiple answers to the question, how can we select one single answer?

Article from Martin T. Bimfort evaluates multiple definitions and perceptions of the person who is defining Intelligence in there own context with the knowledge and skills they have gathered in there field.

SANS CTI course generalized the definition as following:

Intelligence is the collecting and processing of information about a competitive entity and its agents, needed by an organisation or group for its security and well-being.

So, meaning of Intelligence for military individual and a chess player can be completely different and they both be right. However, is it possible they can have same goal? Yes. We all want to win!

Who are we are trying to win against? Enemies, nation state attackers, rival organizations or someone sitting next to you. Let’s call them Threats – internal or external. So does this threat existed before Cyber? Of course they did. However, the threats themselves were limited with their knowledge and skills compared to now.

From the beginning of the world, there has been war, where Intelligence helped to prepare against enemies. However, this was mostly HUMINT – Human Intelligence, where one of your trusted individual would go around enemy states and give the information back. We didn’t had emails so Falcon, dove were used to transfer messages. Than came ciphers to hide actual messages, morse code etc. From then to now we have seen tremendous uptick on tools and technologies that aids us in defending against these threats. Main point still remains, our threats have same tools and technologies. As time went by, Cyber Intelligence came into existence and now everybody wants to do it.

Note: Intelligence is a field of expertise and not everybody can do it. Steer away from those who claims, we provide Cyber intelligence or Threat intelligence services and just sharing IP addresses and sending email notification without context.

So coming back to the main point what should organizations consider if and when they require Cyber Threat intelligence services and what it actually is.

For me main reason to have a Cyber Threat intelligence program is that it provides actionable outcome or information that helps any organization to understand their security posture, how to deal with current threats, fills any security gaps and assist in reducing over all risk. For any organization that is planning to get into Cyber Threat Intelligence following are my prerequisites:

1. Have a management agreement|vision|understanding in why they want the Cyber Threat intelligence program.
2. Make sure its not a checkbox that needs to be ticked because of a compliance or insurance or its just cool to have it.
3. Understand current Risk model of your organisation and works towards a strategy that aligns to your risk model.
4. Understand Intelligence have different categories and they all require equal attention. Will discuss more in coming articles.
5. 1. Operational
6. 1. Tactical
7. 1. Strategic
8. Hire expertise – being blunt, companies do tend to transfer or promote internal staff who lacks knowledge and experience in cyber intelligence including adversaries tools and techniques and believe it will yield positive results but actually steers the team to never ending ocean.

Organization may have more or less prerequisites, however I have seen some organization will just implement a program without considering any of the above points.

Consider following DONT’S:

1. Do not believe that Cyber Threat intelligence is achievable by getting a platform or a service. It will help but they are just to supplement an established Threat intelligence program and assist in finding missing pieces.
2. PowerPoint presentation IS NOT EQUAL TO expertise in Cyber Threat Intelligence. There are lot of vendors now jumping in Cyber Threat intelligence that believes a nice platform with indicators going to SIEM is the intelligence. They are just pretenders and one should stay away from them.
3. Peer pressure : Do not think that your peer has Cyber threat intelligence program|vendor|platform, we should have that as well. Many organizations have done that mistake by just following what peers do or are doing, but forget the most important part to understand their own organization requirements, threats etc. This leaves them starting their journey with somebody else’s goal.

Once we understand our prerequisites and what is required we take a step further and understand what and Cyber Intelligence program should do. I have created my own Pyramid of Cyber Threat Intelligence and hope it can help others.

So how I read this. The bottom tip of the pyramid is where Intelligence provides actionable information which can be one or more shown under the line.

Threats are known to the organization via social media, vendor posts and direct notification and/or news articles. Information gathering starts from there and multiple phases that are shown in the pyramid.  Assessing and analyzing available data and identifying actionable information and disseminating the same to the relevant teams within organization to prepare our defenses against the identified threat is an output of Intelligence.

I also use the Pyramid to set my priorities. Closer to the intelligence section higher the priority it is. Organizations can take similar approach but may have different pieces that makes the pyramid. Remember the pieces should align to your organization Risk model and/or managements vision for what Cyber Intelligence team are supposed to do.

So answer to the question do I need Cyber Intelligence program is YES. Following points summaries my ideology that organization may want to follow when you want to start with the program:

1. Gather requirements from your management and understand their vision of the Intelligence program.
2. Understand current Risk model of your organization.
3. Identify key people in your team with expertise|experience in Cyber Threat Intelligence and if not available consider hiring them.
4. Once requirements are set, plan to put the requirements into action. This involves creating processes. Processes should be created keeping your audiences in mind. Audiences are the people who will receive this actionable information.
5. Identify current tools and technologies already in place that aids the team in providing the information.
6. If provided tools are not able to assist Intelligence team in their tasks look for alternatives. Alternatives firstly should be in-house development or an open source tools. However, these alternatives although has no direct cost involved, one must understand there is an indirect cost involved such as maintenance, hiring expertise to build the tool and managing the tool etc.
7. Collect evidence for what is working and what is not. The evidence can help the team to prepare case to the management if there is any chance of asking more finance if/when required.
8. If the team is decided to get external help identify which gaps are you trying to fill. Convert the gaps into use cases and the evidence collected will help us in the stage And if we decide external help is required, following are the few point to identify vendors:
9. 1. Identify vendors
10. 1. Convert the gaps into use cases. Provide the use cases to about 3 vendors.
11. 1. Check with your peers. This helps in to understand why they choose certain vendor.
12. 1. Do a bit of research of known vendors with expertise in your line of business
13. 1. Look up there external presence such as public articles, intelligence reports, known work with law enforcement etc.
14. Once identified give them the use case and see the outcome and verify whether it is actually filling your gaps.
15. If yes take it to the management
16. Cross Fingers 🙂

Before finishing DO NOT consider following vendor types :

1. Vendors with no public presence or any evidence of helping community.
2. Consultancy firms who just talks about in social media and conferences with no actual work in intelligence.
3. Vendors who are not in expert and does multiple things and thinks adding Cyber Intelligence service on the brochure is the way to go.

I would still like to name few vendors that one should check out. This is purely based on my personal experience and their assistance to community.

1. GroupIB : Good with their malware and carding information. Been known of IR in multiple countries.
2. Proofpoint : Good with their malware intelligence.
3. Recorded Future : Good with their public blog articles and presentations.

Also, wanted to thanks Robert M. Lee, instructor in SANS for Cyber Intelligence course.

Final words:

Intelligence should assist in making decision to assist organization in improving its security  posture. Intelligence starts with your logs so make sure you listen to them what they have to say. Intelligence should sit in the middle of all other teams and can assist at every stage within organization so transparency and sharing of information helps.

I hope the article is useful. Thoughts and feedback are welcome.

Part II

Once the target is identified/determined attackers begin their tasks. Now we must understand, to launch an attack or gather information, they will rely on the available tools and capabilities that they have.

As per my previous post targets are also determined based on the tools that they can buy or create based on their intent, motives and capabilities. Most of the time their motive is financial gain. Below are few tools that are available to sophisticated attackers and script kiddies as well:

• Kali Linux comes with plethora of tools starting from gathering information to launch attacks.
• AutoSploit
• MetaSploit
• PowerSploit
• Exploit builders – Available on multiple marketplaces – these are usually for sale/rent.
• XXXXX-as-a-service – Malware, ransomware, crypto and others. These services are either for sale or rent. Customized services are also available based on requests such as banking injects.
• Services like BlackTDS – BlackTDS is a multitenant TDS tool that has been advertising its services on underground markets since the end of December 2017. Proofpoint article.
• Underground forums/marketplaces where the mentioned or other services and/or tools are advertised.
• Cracked vendor tools
• Tools/Project available on Github.

Few underground marketplaces :

• exploit.in
• antichat.ru
• cop.su
• zloy.bz
• hackersoft.ru
• darkweb.ws

Why this is important to know? As a target (any organisation or individual users) one should know about the tools that can be used against that. Monitoring such tools and understanding them can assist to prepare against whats coming.

More about information gathering can be found on my previous blog entry : https://fl0x2208.com/2015/11/28/information-gathering-then-now-and-why/

Consider a scenario of phishing users to get the credentials. Now understand when these credentials are collected they are mostly sold on marketplaces.

1. Motive : Financial Gain
2. Targets : To phish a user they need to contact them. Its mostly done via their email address or phone.
3. Getting Emails/phone numbers : Again, this goes back to marketplaces where people sell dumps containing emails and phone numbers from other site. These hacks are mostly done to get vouches and recognition on the underground marketplaces. Other way to get emails/phone numbers are scanning social media sites and other publicly available.
4. Tools : Bought a phishing kit or created phishing kit. There are document templates and pages available that these actors can use for phishing.
5. Phishing hosting or compromise a site : Tools mentioned about such as blackTDS, VPS service providers etc helps to host the phishing site. If not attackers looks for vulnerable public sites and host their phishing pages. To compromise they use tools available in Kali for example.
6. Actions : Mostly the credentials are stored on a database via POST information to php or they are sent to an email address. These credentials are then either used or sold on underground marketplaces.

The cycle continues with number 1 for same scenario or different.

What can we do to stop this?

This can’t be stopped. However, we can make it harder for the phishers or not fall for the phishing by educating ourselves. Being pro-active and notifying phishing attempt to authorities or the organisation that has been phished can also help to take down the phishing site as early as possible.

Following are some links showing some phishing examples:

• http://www.phishing.org/phishing-examples
• https://smallbiztrends.com/2017/08/phishing-examples-small-business.html
• https://security.berkeley.edu/resources/phishing/phishing-examples-archive

Recently, organizations are being targeted with new ransomware labelled as WanaCry.

Being curious, I downloaded the sample to understand how the malware actually behaved. The tests were performed on VM connected to internet and NOT connected to the internet. In both tests, machine was successfully infected.

Sample analysed : 84c82835a5d21bbcf75a61706d8ab549

As seen in the screenshot the executable is “Wana Decryptor 2.0”.

Following screenshot shows the process tree.

In the screenshot above, the malware creates taskhsvc.exe which contains TOR data and the CnC server addresses :

• 57g7spgrzlojinas.onion
• gx7ekbenv2riucmf.onion

Looked at the dump file for @WanaDecryptor@.exe and identified same domains with additional .onion sites

• xxlvbrloxvriy2c5.onion
• 76jdd2ir2embyv47.onion
• cwwnhwhlz52maqm7.onion

Malware using .onion domains for CnC communications is a technique to stay resilient.

The sample, in my opinion, is a packer/installer that unpacks files shown in below screenshot and also creates @WanaDecrypto@.exe that continuously runs as a process. It is worth noting the folder “msg” and “TaskData” were created when VM was infected connected to internet connection. I will explain each file in the later section.

Executable when connected to internet creates two additional folder
called “msg” and “TaskData”.

Below are MD5 of the files that were in the “TaskData” Folder.

MD5 (./TaskData/Tor/libeay32.dll) = 6ed47014c3bb259874d673fb3eaedc85
MD5 (./TaskData/Tor/libevent-2-0-5.dll) = 90f50a285efa5dd9c7fddce786bdef25
MD5 (./TaskData/Tor/libevent_core-2-0-5.dll) =
e5df3824f2fcad0c75fd601fcf37ee70
MD5 (./TaskData/Tor/libevent_extra-2-0-5.dll) =
6d6602388ab232ca9e8633462e683739
MD5 (./TaskData/Tor/libgcc_s_sjlj-1.dll) = 73d4823075762ee2837950726baa2af9
MD5 (./TaskData/Tor/libssp-0.dll) = 78581e243e2b41b17452da8d0b5b2a48
MD5 (./TaskData/Tor/ssleay32.dll) = a12c2040f6fddd34e7acb42f18dd6bdc
MD5 (./TaskData/Tor/taskhsvc.exe) = fe7eb54691ad6e6af77f8a9a0b6de26d
MD5 (./TaskData/Tor/tor.exe) = fe7eb54691ad6e6af77f8a9a0b6de26d
MD5 (./TaskData/Tor/zlib1.dll) = fb072e9f69afdb57179f59b512f828a4

Folder “msg” contains language packs which also gets encrypted and gets
extension “.wnry”.

Below are the files that were created :

1. @Please_Read_Me@
2. @WanaDecryptor@.exe
3. 00000000.res
4. c.wnry – contains links to .onion sites and tor browser
5. f.wnry – List of random files that are encrypted
6. u.wnry – @WanaDecryptor@.exe decrypter file
7. b.wnry – bitmap file containing decryption details
8. r.wnry – some more information about decryption and instructions for the decryption tool
9. s.wnry – Tor zip file
10. t.wnry – encryption format instructions
11. 00000000.eky – Infected machines private RSA key
12. 00000000.pky – Microsoft public key – RSA 2048
13. 00000000.res — Data for C2 communication
14. taskdl.exe – file deletion tool
15. taskse.exe – enumerates RDP connection and executes malware – TOR process runs underneath
16. msg – language packs. See screenshot below.

    

17. TaskData – TOR browser executable and other files. See screenshot below.

    

When the malware got executed it queried following domains :

– tor.relay.wardsback.org
– tor.ybti.net
– javadl-esd-secure.oracle.com
– belegost.csail.mit.edu
– tor1.mdfnet.se
– zebra620.server4you.de
– maatuska.471.se

System also communicated to 212.47.241.21 which resolves to sa1.sblo.ch. Ran the malware again and this time it went to different domains :

– tor.dizum.com
– tor1e1.digitale-gessellschaft.ch
– lon.anondroid.com

This could likely be due to malware using TOR. Analysed TOR process and saw multiple IP addresses hard-coded. Here you can find all the directory servers used by TOR.

Extensions that are getting encrypted :

Extract from PE Explorer :

Extract from Sysmon can be found sysmon logs.

WannaCry Fact Sheet – Here.

Kill-chain Phases – Here.

Final Words :

1. The malware was not delivered via phishing, but rather via EternalBlue Exploit, taking non-traditional way of infecting systems.
2. No obfuscation was done – meaning when you open the executable you can see the functions.
3. Exploit such as EthernalBlue, suggests that getting access to vulnerable systems with user interaction is available. The only we detected this was attacker actually use EternalBlue exploit for financial gain – WannaCry ransomware – however, others can just gain access to the system and perform other tasks. Motive, based on evidence, is financial gain.
4. Although, patching of systems would have definitely helped, however, we must understand the exploit was only used after dump by Shadow Brokers. Although, the intention of the group would be to expose NSA and its tools, the exploit was used for financial gain. So, may be intention to expose NSA may have been for good, it just did more damage.
5. Number of articles says that creator of malware made mistakes and they just earned 55 K. However, one must understand all those money are paid ransomware and one must also understand the affects/impact of the malware attack. Although, we cannot quantify the time spent to patch the systems, re-image infected systems, people not being in production globally, it is not small. Although, some analysis suggests that attackers were not sophisticated, but it worked.
6. Can host based security controls would have helped? Controls such as Application whitelisting, no admin rights to logged in users, use of AppLocker in Windows may have helped in reducing the impact. However, how feasible is to apply this in a corporate environment ?

Readers!

From last couple of weeks I have been doing some analysing of malware. Mostly, are via phishing attempts. What our adversaries are doing is to first gain easy access to the machine via phishing and creating background processes that calls the compromised domains that downloads the executable, packed with malicious payload. Below is basic timeline of a phishing email with attachment.

The technique is neither new or unique, however if we are to come up with a trend we can see that most of them have similar tools and procedures.One such tool is PowerShell. The blog is not about what PowerShell is, but how our adversaries are using the tool that was just created to automate admin tasks within Windows environment. As automation is was one of the key points PowerShell was given scripting. The scripting allows to automate admin tasks such as configuration management etc. Here I go explaining what PowerShell is.

Microsoft definitely didn’t intended the tool to be security aware, and therefore till this date one can use PowerShell to perform malicious activities. However, certain controls or functionality within PowerShell can assist us in controlling type of scripts that can run on the systems.

There are indeed multiple security controls that we will discuss later in the blog but first let’s see what our adversaries are doing. I will not be going in specific analysis of a malware as I am trying to reach out to the teams which are responsible to detect/prevent these type of attacks by placing feasible and actionable security controls with regards to PowerShell.

Below is a sample PowerShell command seen in most cases :

Frequently used parameters :

1. ExecutionPolicy bypass – Execution policies  in  PowerShell determines whether a script can run and what type of scripts can run and also sets default policy. Microsoft added a Flag called ‘bypass’, which when used bypasses any currently assigned execution policy and runs the script without any warnings. There are 4 types of Execution policies:
   1. Restricted
   2. Unrestricted
   3. AllSigned
   4. RemoteSigned
2. windowstyle hidden – This parameter is used when PowerShell script requires to be run in background without the users knowledge.
3. noprofile – PowerShell profile are set profile or commands (it is actually a PowerShell script), normally for current user and host. Setting -noprofile will just launch any script and will not look for profiles.
4. DownloadFile – For downloading the file via web

Tools, Technique and Procedures:

1. The attachments as shown in the first screenshot, are mostly Word/Excel doc with Macros or zip files with JavaScripts.
2. The Macros or JS are heavily obfuscated and sometimes lightly. For heavily deobfuscated scripts I rely on dynamic analysis(the best way to know what malware is written for). Some scripts, due to practice, I can deobfuscate within minutes.
3. PowerShell command to download the file are mostly on sites with HTTP rather on HTTPS (there are some sophisticated adversaries created/compromised HTTPS websites). Sometimes, also have noticed use of cmd.exe /c being used which will invoke specified command and terminates it.
4. File on the compromised domain are mostly windows executables with ‘.exe’ or sometimes the extension is hidden. This depends on the adversary and the packers that they have used. Sometimes, you can unpack the ‘exe’ via 7zip.
5. Based on the commands the file will be first downloaded and executed. In certain cases I have seen the file gets deleted after execution. Again, it depends on the command.
6. Most malwares that I have analysed were either ransomware or trying to steal information and sometimes combination of both.

Above TTPs are very simple to understand however, implementing security controls, lets say for each steps to detect and prevent, is much harder. We as a team or individual are working towards reducing the impact of the incident. Consider the phases of cyber kill-chain and perform an analysis of incidents within your team, and understand at which phase you are able to catch the adversary and can you do that earlier?

Observables such as IP addresses, domains, URLs and file hashes with context are the IOCs that normally we look for and use it for detection and prevention. Some people call that Threat Intelligence. Darwin would have gone here Seriously?

Security controls such as Endpoint solutions, Proxy, IDPS and FW can help us but they are heavily dependent on what they know and history has shown us that they can be bypassed. However, they are indeed very good controls to either reduce the impact and/or preventing the known attacks or IOCs.

What we need is security controls based on TTPs. So let’s see some of the following controls that can be implemented to either detect and/or prevent such attacks :

1. DO NOT give admin privileges to the local account. If required based on their role give have a Admin pass generator with User Access Control (UAC) enabled, that will prompt to enter password for Administrator every time a system change such as installing a program, running an Admin task etc is created.
2. Group policies to have certain tasks especially script execution and writing to registry and windows directory only allowed by Administrator. Can use Administrative Templates.
3. Group policy to not allow any executables in TEMP directory to be saved/executed.
4. Sign all PowerShell script. If not possible or the team not willing to sign at restriction placed via above mentioned points can assist.
5. Can also set the Execution Policy to Restricted, PowerShell can only be used interactively to run the script. Organisation who are not pushing any policies via PowerShell can choose this option.
6. Application whitelisting – Windows AppLocker. The tools can assist to define what level of access a user can have on the system with regards to executables, scripts and DLLs.
7. Having AppLocker in Allow Mode can assist the team with a rule that only scripts at trusted location can run on the system. A attacker can re-write the rule provided, he/she has access on the system with Admin privileges.
8. PowerShell Language Mode – Admin can setup the language modes to Constrained Language Mode that permits all Windows cmdlets and all Windows PowerShell language elements, but it limits permitted types. It has list of types that are allowed within a PowerShell script. For example, New-Object type cmdlet can only be used with allowed types which does not contain system.net.webclient.
9. Logging of PowerShell is also important. Here, in my opinion Sysmon is a must have. The logs can be forwarded to SIEM for correlation. If Sysmon is not feasible, enabling PowerShell Module logging is highly recommended. Enhanced logging is always recommended and will  write another blog on that.
10. Organisation proxy to be configured properly to detect/prevent web request invoked via PowerShell. Have tested with command Invoke-request that can show WindowsPowerShell within User-Agent. However, no User-Agent string is noted when above mentioned to DownloadFile is used. May be Proxies can be configured to disallow any traffic without User-Agent – still have to verify whether such functionality exists. If not a SIEM rule can be used to alert on web traffic that has no User-Agent string, going to external sites and downloading files.

Please note, that AppLocker and Powershell constrained mode are not security feature but another layer of defense which can help to reduce the impact of the attack and in some cases completely prevent the execution of foreign scripts.

When making a business case to the board or C-Level executives to make any changes in the organisation the presenter should use language they understand. As part of the evidence it highly recommended to show actually incidents where current security controls failed which impacted the productivity of the user, loss of data and hours spent to recover and restore systems. They want to know how any new mentioned or suggested changes will help in reducing impact to the user or business.

If there are other methods that other organisations are using please let me know.

A good read – PowerShell for Blue Team

Readers!

Last year one of the member on SANS DFIR posted a question with regards to identifying whether there was any data leakage occurred in the environment via a USB thumb drive. As for the evidence investigator had USBStor artefacts. Shell bag analysis(TZ Works sbag) showed a large number of files touched (reg-UTC) within a very short time period and a few with the MRU (Most recently used list) flag set with different times.

This blog is a concise article of the tips provided by myself and other members. Provided tips assisted the investigator to support the theory of data leakage.

1. Evaluating USB dates as a group.  If any number of artefacts is detected with the same exact time stamp, investigate it further. Having such artefacts indicates that they were somehow modified. It is also, worth the effort to carve the data for deleted registry files and look for relevant keys there.
2. Normal users will/may access the files again after copying to any removable media to make sure the files were copied correctly and are not corrupted. This operation leaves shell items in the form of shell bags and link (.lnk) files. One can use Windows Time Rule to for evidence of file copy. Using the time rule examine the link files with target data pointing to files on removable media (tz works ‘lp’ is excellent for this). If the modified date of the target file data in the link file precedes the created date of the target file data in the link file, then this is an indication that the file was opened from the removable media, after the file was copied to the removable media. This means that even without access to the removable media, you can state that files were copied to the removable media and then they were opened from the removable media. The created date of the target data in the link file is when the file was copied to the removable media. One can state that the files were copied, but cannot state where the file was copied from, as that is not tracked.
3. Now to determine when the file was opened from the removable media, look at the times of the link file itself. The created date of the link files will be the first time the file was opened and the modified date of the link file will be last time the file was opened. To discover the removable media, locate the volume serial number of the removable media’s file system which will be stored in the link file’s data. Correlate the volume serial number to the data from your USB drive analysis and you will get the manufacturers unique serial number for that removable media. Find that unique serial number across your enterprise and you will discover other machines where that drive was connected to. Correlate the link file target data to the shell bag data and you should be able to get a neat timeline of what happened on the system.
4. Memory analysis of the system can assist. If the files were copied it should have data on the clipboard. Drag and drop will not likely have any artefacts.
5. Registry hives –  one can use FTK registry viewer for ease. Usbstor have last written values – dates when the last device was accessed or connected.
6. Look at the recent files in Windows section. Although if one is not able to open the file it may show which file from which volume – it may not prove that file was copied however if the document name is ‘organisationconfidential‘ than you can argue what was the file doing on USB? The link files should also contain volume serial that one can match/compare with removable media serials.
7. Registry restore points can also be used to check last written dates.
8. Look at the MFT records – they have sourceMFT and destinationMFT.

Tools mentioned : SBE – Shellbag Explorer and MFTparser

Links mentioned :

Click to access PlumbingtheDepthsShellBagsEricZimmerman.pdf