Stereo, presenting indicators of immunization. And with that, I will let Trio take it away. Thank you.

Hi, everyone. Thank you so much for coming here. So, let's jump right in. Really quick, I am not speaking on behalf of any of my employers. Everything I say is basically my opinion and not necessarily that of my employer. So, now that we have that out of the way, I'm going to do a TL;DR on this and basically tell you that this talk is about taking the Windows command line arguments and PowerShell and seeing what the heck we can do with them as a cyber threat intelligence professional to provide to other teams in the organization. That basically sums up my talk in about a sentence. So, if you're interested in playing along, stick with me.

So, Katie Kuzianovic, and I apologize, I probably didn't pronounce that right, I'm sorry. Her DerbyCon 8 presentation. She said that blocked data is the glitter of the TI data world. And ever since DerbyCon 8, that's really stuck with me. And in the spirit of the discovery theme this year for DEF CON, I decided, hey, why not explore this a little bit further and see what I can do with actual blocked data, and see how I can extract intelligence and information to be able to feed to different teams.

So, fast forward about 13 months, and I go to Matt Kelly's BSides Chicago talk in 2019. It was a great presentation on threat emulation, adversary-focused red teams. In it, he gave a really interesting graph and information about some ideas as far as how threat intelligence can help feed red teams and adversary emulation. So, that kind of stuck with me. Then fast forward another five months, and I reached out to Bryson Bort, because over at SCYTHE they have something called a marketplace. And basically it's, you know, I'm going to paraphrase horribly, so please forgive me.
It's like a thing for researchers to research threat actors out there and then help build out some of the adversary emulations that they have, right? So I'm like, oh, that sounds so fascinating, I want to get involved. And so Bryson got me in touch with Adam Mashinchi, and I apologize, I may have pronounced that wrong, please forgive me. And he pointed out that there were a lot of threat intel reports with Linux commands, Linux-related commands, but there wasn't too much with Windows. So I decided, that semester I was doing a malware analysis course, and I'm like, huh, this would be a really interesting project to take on and see just what it's about and where it will lead me, right?

So I'm like, okay, I will just enable Windows command line logging, and that's easy. So, what I did is I got a VM and then I figured out how to turn on the logs and all of that, right? Disable all the security stuff, especially SmartScreen, and God, it was so much disabling of so much security. It was crazy. And I just want to do a shout out to Microsoft Windows. I cannot tell you how hard it was for me, how many things I had to disable and go through in order to execute malware on the VM. It was crazy. I'm like, holy crap, they do a really good job. Yeah, I mean, just try. It's involved.

So, what I did too is I created a baseline. Windows command line logging, if you look over it, you're like, what's that? What is that, right? So, before introducing malware into the environment, I decided to just watch the command line a little bit and get a better understanding, because DFIR isn't my 24/7 life, right? And also, since I did it for a doctoral class, I decided, well, let's get a control too, you know, kind of make it an experiment, so that I can have the control and I can have malware samples in the wild and kind of see what it is that's going on.
So, I was like, how do I create a control? I don't know how to make malware, so I don't know how to do all that stuff. So, there were three options that I found. One was making a quote-unquote test malware, which I'll share with you on the screen there; you can see it on the left. Basically, I took Sektor7's red team operator malware dev course. And of course, he doesn't just have "start calc" in his class, but that gave me the idea to just compile a C++ program and have it start calc. Really benign; the code's right up there. And see if it actually works, right, and it did. Another option was Atomic Red Team. They did such a fabulous job at spelling out how to install it, how to get it done. It was so quick, I just put in a couple commands and it was done, and I could run the different PowerShell things to ensure the PowerShell logging and all that stuff was set up correctly. And then the final option is just to manually enter the commands myself.

So, I did all of that, and then I'm like, where am I going to get all this malware from? So, I tried, and you run it, you know, you change the extension from .bin to .exe, and didn't really get anything. And I'm like, well, is the malware dysfunctional? Like, is it not working? Or is it, you know, anti-VM stuff, like defense evasion? What's going on? Or is it me? Am I just not clicking enough? Or who knows what, right? The security person in me is like, don't click. So, I was like, okay, I don't know what's going on with that. And then I tried Hybrid Analysis and then MalwareBazaar as well, and I didn't have any luck. So, I'm like, what is going on? So, finally, I was just like, screw it. I am just going to URLhaus, taking the most recent posting that people submitted, and going to the actual attacker's domain and pulling down the malware myself so that it's fresh, and so that I know that it's not user error. Who knows what else, right?
And I tried multiple other malware repositories. I was like, why is this not executing? Or what's going on, right? And here's a funny story. Someone told me to go talk to BleepingComputer and ask them. I'm like, yeah, that's probably a bad idea. Anyways, so that was a really fun story. So, I put up here some of the results of the tests when I pulled the malware myself from the actual source. And as you can see, some of them gave me command line arguments beyond the initial execution of the binary. Some of them didn't; most of them didn't. So, I'm like, huh, why? What is it doing?

So, then I'm like, oh, there's static analysis. So, then I download Ghidra and of course IDA and all of that. And I'm like, wait, I don't really know how to use this very well. So, Joe Slowik, he's the meme master, he's awesome. He recently posted something with a guy trying to drink water and he's like, drink water like this, you know? That's how I felt. It was so bad. I'm like, oh my God, the learning curve on that is just a little bit more than I'm willing to invest right now. I will. It's just, I wanted to get through this and make it accessible to as many people as possible. So, I decided to move on with my life and try something else.

So, SANS DFIR Summit 2020, actually July, not too long ago, about five months after the Bryson Bort meeting, I spoke with Michael Gough, Mr. Malware Archaeology. He is super awesome. He did the command line logging cheat sheets. I don't know if you're familiar with those; just a wealth of information. And I told him some of the problems I was having, and I'm like, what's wrong with me? And he suggested to just buy a computer and bypass all of the anti-analysis stuff. And I was like, oh my gosh, I never would have thought of that. Never, like in a gazillion years. So, I bought two computers, but not willingly.
So, the first one I bought was dead on arrival, and I'm like, I don't have time to try to troubleshoot this. It's actually still sitting right next to me. So, then I bought another one that was delivered the next day, and that one actually worked. Thank God. So, some of the results of that, as you can see: I picked one random sample and threw it into a couple of different sandbox solutions to see the difference between the command line arguments that I would get from all these different solutions, right? The one in the upper left-hand corner, VirusTotal, as you can see, oh, okay, so we got the initial binary executing, cool. Okay. So, CAPE up in the right-hand corner, okay. And then Joe Sandbox, holy crap, that's a lot of stuff. But then what I got was 70-something pages of command line arguments and PowerShell commands and all of that from this one particular sample. Here's just some of it. Some of it looks like it could be useful for potential adversary emulation exercises, potentially.

So, the funny thing about this: I decided to do a little bit of research on Raccoon Stealer, and I came across a Cybereason blog on this, and they said, oh yeah, one of the main complaints about it by criminals is that it has a very low success rate of 45%. So, as I was going through on my actual real computer, not a VM, it asked me to install the .NET Framework, and I'm like, that's a lot of work for the average user to install this so that you can read an invoice or whatever. I'm like, no wonder it has a low success rate, at least that's my understanding of it. And I didn't really find that anywhere in a lot of the blogs that I read, so it's definitely a huge advantage that now I know this: in order for this particular variant of Raccoon Stealer to work, I have to install the .NET Framework of that version.
So, if your enterprise computers, whatever, aren't using that and would require the installation of that particular .NET Framework, then this particular variant would be a really low threat to you, so you wouldn't necessarily need to proceed with analysis.

But here's a little fun tidbit. So, as I was going along, I got a little pop-up video and it said, Nyan Cat. Who doesn't love Nyan Cat, right? I'm like, Pop-Tarts? Cats? Rainbow? Sure. So, it said, make this connection available for all users or my use only. And I was like, I don't know what to do. Of course, I did this safely, and on and on. So, I was like, you know what? I'm just going to roll with it and click OK and see what happens. And so, I was really excited. I was hoping, like, you know, CrowdStrike came to mind, I'm actually wearing one of their shirts, where, you know, the activity of actors, how quick they are to jump on connections and stuff like that. And so, I was waiting and waiting, and I'm, like, excited because I'm expecting something to happen, anything to happen. And hours later, still nothing. And I'm like, all right, I have to move on with this. But it was fun and exciting for a little bit, waiting. It was good.

And another thing: because it dropped files in the temp directory, I was like, oh, well, let's just go look there for fun and see what happens. Right. So, one of them was "disable Windows Defender." I'm like, ooh, that looks nasty. So, I threw it up into VirusTotal, and it was nasty. So, you know, yeah. So, that was that particular sample, because I'm assuming a lot of places have Windows 10 without the .NET Framework. I'm like, meh.

So, then last night at 5:15 p.m. Pacific Standard Time, like yesterday, literally yesterday, less than 24 hours before my talk, a friend contacted me and said that his company was willing to let me look at their junk data to go through this as an example. So, I'm like, cool.
Like, yeah, I'll totally do that. But can I do it or can I not do it, you know, prepping in less than 24 hours to analyze this? Well, let's see. It's not unrealistic for enterprise and corporate America for you to get something off the wall, crazy-ass, you know, last second. So, I'm like, why not? Let's do this. You only live once, right? YOLO. So, I got the sample and I tried to make it as realistic as possible, like pretending your boss comes to you and says, I need this yesterday. So, you know, and let's say that, I don't know, whatever. I just did the sandbox stuff, OPSEC, blah, blah, blah. So, do whatever you do with your organization; everyone has different things that they can and can't do.

So, with this sample, I loaded it to Any.Run, and VirusTotal already had an entry, and then I loaded it to MalwareBazaar. And the wonderful thing about MalwareBazaar is that I get extra stuff. So, I load it to MalwareBazaar, I get Joe Sandbox, and I get CAPE. And CAPE took a while, like, I had to wait until the morning, probably around 1 p.m., which would be what, 11, yeah, 11 a.m. Pacific time, to look at the results of those. So, I just went with what I had. And of course, the threat intel in me, knowing that this came from an actual company, I wanted to share additional context with the person that sent it to me. So, I'm like, oh, you know, according to VirusTotal, it does a call-out with the DNS traffic to a Nigerian-based hosting company. And I pivoted off that, and I ended up creating a custom YARA rule for this particular company. And interestingly enough, that particular DNS call-out was only associated with four other files. So, I did a diff on it and then shared the particular YARA rule that was associated with that and passed it off to my contact.

And so, then I go to MITRE ATT&CK, right? And I'm like, oh, MITRE ATT&CK will save the day.
They'll have something on HawkEye; that's what the sample ended up being. And then I go to MITRE ATT&CK and I'm like, no, they don't have it up there yet. Why? So, I'm like, okay, what do I do next? And this is kind of realistic, you know? So, then I'm like, well, let's try to create a repeatable process for this. And I have such a short amount of time to make this doable. And I decided to just use MITRE ATT&CK's framework anyway and analyze it, and use the tactics to guide the research as far as what to look at. And this is from Joe Sandbox, an output of all the different MITRE ATT&CK variants, right? But we want specifics, because if I just say native API or, you know, process injection or WMI to the red teamers, they'll be like, okay, great. And so I decided to do a little bit of digging.

And with this, the initial access was an email with the .exe attachment. And the subject said "invoice attached, invoice attached," right? And another thing with this particular sample: it can propagate via USB. So, I didn't want to get too friendly with it, if you know what I mean. The other good thing, though, is that this particular sender was not a third party of the recipient of the particular email. And I really love how they set up their "attached is the reverse invoice." So, obviously, they might not necessarily have the best English. I went to one of the domains that was in the email, on the upper right-hand corner, the big yellow thing. That was the FPE 2000.IT. Not too exciting. And then at the bottom is the actual domain from the sending organization. So, I'm not going to comment further on that. But malicious .exes are coming from there. And it happens to be from Nigeria, too. So, the sender company from Nigeria, and the DNS call-out to Nigeria that gave me four other samples that were malicious.

So, execution. Obviously, we have user execution of a malicious file, which is T1204.002. So, we have that.
And then we have WMI. So, specifically, what it is about WMI is that it checks if the AV, antivirus, firewall program is installed. As you can see here, it has "select from AntiVirusProduct," "select from FirewallProduct." So, with this, I used it as an experiment. And here's the process that I came up with that I repeated for each and every single tactic: basically, I look at Joe Sandbox and the MITRE ATT&CK section. And then I look at the specific entry in Joe Sandbox, as far as the detailed information you can see there in that picture. And then I go to Atomic Red Team to see if they have the particular technique available, and I look at the YAML contents of that particular file. And then I Google what isn't there.

So, here's an example of that. Atomic Red Team has, when I looked for T1047 for WMI, I didn't find specifically what I was looking for. But later, a lot later in the process, I found what I needed in T1518.001, and put that right up there at the bottom. And prior to that, I did a little bit of Stack Overflow searching and also found a similar command. I don't know if it works or not; I would have to do testing on that. But I have that information available to provide to the red team to cut down their research time.

So, next we have the native API. And specifically, this is related to .NET source code references. And I was like, what the heck do they mean by that? So, I looked that up at the bottom. And as you can see, it comes from particular .exes. And I'm like, okay, so I searched through the whole analysis report and it was still not helpful. So then I went to Atomic Red Team, and as you can see here, I put the big arrow. They have the .NET Framework version, you know, 4.0, whatever. And I searched that. And then I found a command line argument, but no qualifiers or information behind that.
So, there is an Atomic Red Team test for it, but it doesn't necessarily state how to engage the different APIs and leverage those, but they're there. So, I'm like, okay, I'll include that for context.

Persistence is next. So, one of the ways that this particular sample gets persistence is through trying to load missing DLLs. And I searched in the sandbox report and found that it was WerFault. I don't know if I'm saying that right, sorry. And I was like, oh, this is interesting. I'm like, I wonder if that particular .exe is actually legitimate, or what's going on with it. So, there was a hash for this particular sample and I threw it into VirusTotal, and it came back clean. So, I'm like, okay, well, that's interesting. Okay. So, I'll put that down. There is an atomic test, but it's based on PowerShell.

So, next is privesc. And it does include the previous DLL side-loading technique that I had up there. Plus, it also had process injection. So, there was a lot of process injection with this one. And there's an atomic test for it too. And below here, there was a command line argument down at the bottom related to process injection. So, I provided that as context for the red teamers.

Defense evasion: a ton of defense evasion, everything from invalid code signing, software packing, sandbox evasion, lots. And I pulled out the ones that might be helpful to emulation exercises. One was masquerading. So, this one creates files inside the user directory. So, when I looked up Atomic Red Team, they didn't have information specific to that. There were a bunch of other tests, but that is the specific user directory, so I'm assuming they could take care of that. The next one, modify registry: stores large binary data to the registry and then it modifies the registry key. And hidden files and directories: there's a key that's created or modified. And obfuscated files.
So, this one, I assumed that they were talking about the process environment block, since that's pretty standard with exploit dev, trying to walk that in order to find the address of kernel32.dll. So, I assume that that's what the shellcode was about. Especially here it says "contains functionality to read the PEB." So, that was just my educated guess regarding the shellcode.

Credential access: there was a ton of that, since it's a stealer. Credential dumping, all of that; takes credentials from web browsers. There is an atomic test for that as well. And then discovery, there's a couple of different things. So, process discovery: there's an atomic test available. Remote system discovery: atomic test available, atomic test for this as well. And I put it at the bottom, machine GUID. Lateral movement: I just put it has the replicate via USB. Obviously, yeah, I don't know if they're using it to pivot or whatever. It just seems like it's a standard stealer for credentials to use later.

Collection. So, key logging, and then data from local system is another one, T1005. And then archive collected data. So, with this, I'm assuming they meant that they would either compress or encrypt the data prior to exfil. So, that's good info for the red teamers to use in their exercises. Of course, also, they take the clipboard data, local email collection, and there's an actual atomic test for this as well, and all of the specific folders that were accessed in order to get the contents. And I provide that.

So, C2: encrypted channel. So, I know that Jorge Orchilles has the C2 Matrix along with Bryson Bort. And so, they have a lot of different fun things that you can pick through to be like, okay, I need an encrypted channel. So, that'll be really easy for you to go through. And there is an atomic test available for these as well. Exfiltration: I assume that they exfil the encrypted or compressed data.
So, there is that; that's what I put as exfiltration. Impact: there doesn't necessarily seem to be an impact other than stealing creds and private information. So, you know, no ransomware-type anything.

And I wanted to add additional context as well. So, I decided to look at the YARA rules that fired on this particular sample. And as you can see, there's consistent hits with this particular rule from MalwareBazaar. And then I decided to go digging a little bit. And I'm like, huh, what is this rule about? So, I found a link to it on GitHub. Same author, same all of that. And it looks like it was made in 2015. And it looks like they're using the same string, the holdermail.txt, which was also a command line argument, as you can see down here at the bottom, since at least 2015. So, I'm like, oh, that would probably be good to include in the emulation exercise, since that hasn't changed in, what, five years. The other thing is that the HTTP traffic doesn't have a header. I have different examples here of files written, and then the process tree, if they want to try to emulate that as well for security tools and all of that for detection purposes. It dropped 11 files, and I included the different folders that they got dropped to and other characteristics. So, I thought that this was interesting: they use port zero. And so I just included stuff that I'm like, huh, this looks really interesting. They used DNS over HTTPS and things like that, so that the red team can kind of pick and choose what they want and don't want.

And so basically, this was literally junk data, like no one cared about, blocked, like who cares, right? But the org was being targeted with it. So just a little bit, you know, what, less than 24 hours that I spent with this particular sample.
We got all of this information out of it, was able to map it back to Atomic Red Team or Google and, you know, Stack Overflow and all of that, and get some commands and behaviors, TTPs associated with this, that they can test within their own environment. And here's just some of the stuff that they can get from this data that's essentially junk. I mean, that's pretty good. They got a YARA rule out of it, custom made by me, from threat actors that they're actively being targeted with. They got basically kind of a purple team exercise where, you know, if you know it's using this or it's doing that, you can look at your defenses prior to that. Do you have, you know, WMI, all of that. So, building out a purple team exercise around this and working with adversary emulation teams, whether that's a dedicated person or a team or blue teamers filling in for the red team, who knows, right; organizations have so many different things going on.

So, in summary, I'm going to leave it to you guys to decide if you think that junk data, essentially blocked data, can provide value to your organization. And whether or not you can use that blocked data, or even delivered data; you see what I do with blocked data, imagine delivered, right? So, you know, whether or not you can kind of tailor and use this information that's specific to your organization that's being targeted, you know, having the MITRE ATT&CK heat map and knowing where your coverage is in your environment that people talk about, right? Cyb3rWard0g talks about that, Olaf, like a ton of people. And so, knowing that, you can know where your weaknesses are, where your strengths are, where you have visibility, where you don't have visibility, and you can take this information. And as a threat intel analyst, you can see that you don't have to buy two computers to get some of this information. I really loved the CAPE sandbox and also Joe Sandbox and MalwareBazaar; absolutely love, love them, just combining all of it.
And then also, the different sandboxes, I got different data from different ones, even though it was the same sample. So, I just kind of compiled it all. And then some of the analysis I did on my own; I added additional TTPs that weren't on the actual heat map that I showed you at the beginning. So, there's a lot that you can do with this based upon your organization. You can also create a threat library or threat actor dossiers, kind of, even though it's malware, but you can kind of start to paint a picture over time. So, you see the Nigerian infrastructure and a Nigerian company sending you maliciousness. I'm not pointing fingers. So, you can start to get a more holistic view of your threat landscape and what they could potentially be interested in. Obviously, if they wanted to disrupt your services, I mean, yeah, so I could talk a really long time about that. But I will leave that up to your conclusion and what you find valuable to your organization. And I just want to thank you so much for attending my talk. And that's it. Thank you. Enjoy DEF CON. And thank you.

Thank you very much, Terrio, for that wonderful presentation and talk. And as always, we recommend that you go to Track Talk 1 to direct your questions for the presenter on our Blue Team Village Discord. And if you have any questions, I'm sure she will be able to answer them. And I'm just going to look through real quick. I don't see any at the moment. So, thank you very much. Thank you.