... and circumstances. Or rather, the story of how the mix of circumstances also affects us. So, just a small introduction about me. I'm a threat hunter and responder at Counterstep, a cyber-security company. So, we're a consulting firm. I'm in the threat hunting and response team, so my job is hunting and response. For the hunting part, I look at ... telemetry, and alongside that I look at what's going on at my clients. When I see something that doesn't add up, I investigate it and notify them. The main things needed for hunting are ... the MFT. So you can think of it more like ... I also do a bit of ... as well. So, as a threat hunter, I always have to keep my knowledge current, and that's why I do some research on .... And if it's interesting and substantial, I write it up. So you can actually find my posts on the Counterstep website. I'm a bit of a code geek too. I like to write code. I like to write scripts to automate some of my work, and it helps me a lot with my work too, since I need to process a lot of data at times. And finally, I'm a Netflix addict. I like to stay at home, sit down and watch TV. So yes, those are four things about me. And let's move on to the agenda, which is why we're here today. First, I'll discuss the importance of .NET detection. Why do we actually need to do it? And how do we actually do that detection? So I'll talk about why .NET detection is important.
So, since I've talked about my work: I've done a fair bit of hunting and incident response, and I've seen the outcomes. And what you typically see is something used as the weapon of choice, where they usually start with tooling that's readily available on a Windows system, like PowerShell, where I've seen PowerShell being used to pull down a payload with a C2 channel, to run Mimikatz, VBScript, ..., or even macros, where you see people being tricked into enabling them .... And so, PowerShell has been the weapon of choice for a long time, I believe. Probably because it's very powerful; you can do a lot of activities with PowerShell, like ... through the .NET API, which is what PowerShell is built on, and calling the Windows native API. And if you want, it's quite easy to actually try something with PowerShell: just pop up a console and type in some code. And if you want to do offensive work with PowerShell, you can get a lot of tooling from GitHub that gives PowerShell long-standing capabilities. But, as defenders, we've also gotten better. As I believe, it's not that hard to detect PowerShell anymore. With EDR, we can collect process telemetry, and this gives us visibility into PowerShell usage. Here, we see Microsoft Word or ... spawning PowerShell. And that's very suspicious, because you wouldn't expect Word to spawn PowerShell. I mean, you're typing up your document and so on.
Although I have seen ... But it's very interesting. So you'd expect something like this to be flagged and investigated. We can also see the command-line arguments that were used to create the new process, like here. We can see what command line was used. Actually, what was run was .... So there's nothing malicious there. But from here, I hope you can actually understand that with this telemetry, as defenders, we can check what PowerShell code was actually run. And there are other telemetry sources too, like AMSI, which lets the antivirus scan the code that gets run. So, if I take the example I have here, when I type "AmsiUtils" into the console, the antivirus actually stops it and flags it. So this happens because AMSI acts as an interface. When code enters the PowerShell console, AMSI acts as the interface that passes the code to the antivirus to scan. If malicious code has been run, the antivirus will flag the code that was run. There are other sources too, like PowerShell Script Block Logging, for PowerShell version 5 and above, where basically every piece of code run in the PowerShell console is logged to an event log. And this covers the code that was actually executed. So, as defenders, with all this telemetry, we have more opportunities to detect malicious PowerShell code. And the attackers, the good ones, they know.
They know that PowerShell isn't as easy to get away with as it was in the past, and some of them have moved to alternatives like .NET, where you run code without invoking something like PowerShell, for example. And why .NET? If you think about it, it's very similar to PowerShell. You have powerful capabilities, you're able to control things on a Windows machine, but with one difference: there's now a lack of visibility around .NET. So I'm going to do a demo here, with a PowerShell payload and a .NET payload. They'll both do the same things: first, they'll create a message box through the .NET runtime. Then, they'll create a registry key through the .NET API. And then they'll call the Windows native API, which is where we actually reach into Windows directly. Let's run the PowerShell process first. So I'll click the button to run my PowerShell code. And as you can see, I've got a message box from user32, and I've actually received it. So let's look at the telemetry for this now. Let's look at the process tree. From here, we can see the PowerShell process that was created, and it was created from a parent process which is mshta.exe. So this is very suspicious by itself. And then, we can see its command line here. So we have the PowerShell code that was run, which I'll show in front of you now. From here, we can see the PowerShell code that was executed. So as a defender, now I know why it was created from this process, and I know what was run from this process.
So let's clear all my process telemetry now, and we'll run the HTA file. I'll show the process telemetry we get for the HTA now, and why it's harder to detect than PowerShell. So, same as before, I'll run the HTA code directly. And now I get the message box, and I've received the process telemetry. And if you look at my process telemetry now, there's just one mshta process that ran the HTA file. And with that, we don't have much process telemetry to pick up what was run, which is much harder to detect. So just a summary of what I've actually done. First, for the PowerShell code, I used mshta to launch PowerShell code, which then created a message box and created a registry key. For the .NET code, I did the same thing. I used the mshta process to run .NET code that did the same things. And this is the question: how did I actually achieve this? Because the mshta process can't run .NET code on its own. So I did this through a chain, which is something like this flowchart: firstly, on the victim's machine, I compile C# code into a .NET assembly. I then serialize it and embed it within a delivery mechanism. In my case, I use an HTA delivery mechanism, but technically you could use any delivery mechanism. With that, I deliver my payload to the attacker's machine and load it into the victim's machine's memory. And once it's in the victim's machine's memory, I deserialize it back into a .NET assembly, and once it's deserialized, I use reflection to actually reference this assembly and create an instance out of it. So this entire flowchart, basically what it's trying to replicate, is something like this.
For those of you who are familiar with C# object-oriented programming, you'll realise that this entire flowchart is attempting to replicate this behaviour, whereby you reference an assembly, and with the referenced assembly, you invoke the class constructor to create an object, and with that object, you can call its methods. And what can this loaded object do? Basically, anything that PowerShell can do, it can do. So just to give a midpoint check, a summary of what we've discussed: we've loaded a C# object through the use of in-memory assembly loading. This object is capable of doing anything that PowerShell can do, with one key difference: there's currently a lack of telemetry to detect it. And here's our challenge today. Can we actually detect this? And this is where I'm going to talk about the actual detection portion of .NET attacks. So first, I'm going to do some form of initial triage, an initial investigation with Process Hacker. Process Hacker is a tool which allows you to analyse process behaviour. You can look at the process's threads, the modules it loads, the strings it has. And I'm going to use it to analyse the mshta process which was responsible for running the .NET code. So right here, we see something interesting. For the mshta process, we actually see some interesting module loads, which are module loads related to the .NET runtime engine DLL. And this is quite interesting, because mshta actually requires this engine to execute the .NET assembly code. But it's also very dodgy if you think about it, very suspicious. Why would mshta require such a .NET runtime engine DLL, when typically it only runs HTML or JavaScript code? So this reasoning can hold true for other binaries as well. You would not expect Microsoft Word or Microsoft PowerPoint to execute .NET code. So such runtime engine DLLs should not actually be within these processes.
So with this, we can actually think of an interesting hypothesis to hunt on, whereby, for example, we can hunt for processes that typically do not execute .NET code, and check whether these binaries have a runtime engine DLL loaded. But unfortunately, this hypothesis is not perfect. What if a binary that is related to .NET was used, such as msbuild.exe, which is an application used to build .NET applications? Or perhaps a third-party application such as SQL Server, which allows a user to run C# code on it? So if you think about applications like this, it's not uncommon for them to actually have a .NET runtime DLL loaded into them. So we're going to need something better than this, and fortunately for us, the answer actually lies deep within Process Hacker. Deep within Process Hacker, there's a section that only appears when it detects events related to assembly loads, and these have to be .NET assembly loads. And what's interesting about this section is that you can actually see every event related to a .NET assembly load. And if you look closely at the assembly loads, one of them is without a path, as compared to the other three. So the lack of a path potentially indicates some form of in-memory assembly loading, which is what I was trying to do in my previous flowchart, whereby I was trying to load an assembly from memory. And one question is: how did Process Hacker actually achieve this? We realised that deep within the Process Hacker code, they actually leverage a set of ETW providers, and right here in front of us, there is a great wealth of information that we can potentially leverage. And with this information, we at Counterstep rolled up a Python proof-of-concept to consume these .NET ETW events, with the help of FireEye's ETW tracing library. So with this information, let's try to detect the attack that I did in my demonstration earlier.
Let's try to find indicators related to in-memory assembly loads, which we saw or covered earlier with Process Hacker. Let's try to find indicators related to registry creation through the use of the .NET API. And finally, let's try to find indicators related to the invoking of native APIs. So let's continue our discussion on in-memory assembly loads. Previously, with Process Hacker, we were actually able to use events related to the loading of .NET assemblies to flag such events. There's another event we can use, and this is something known as the JIT compiler, just-in-time compilation. So before I dive deep into just-in-time compilation, we need to first understand the .NET code compilation architecture. .NET code is essentially managed code, whereby it runs within a virtualised environment, which is something known as the Common Language Runtime. So .NET code doesn't compile directly to native code. What happens is, when .NET code compiles, it compiles to something known as the Common Intermediate Language within the CLR, and when it's going to be executed, basically when you double-click it, it will go through something known as JIT compilation, which will compile this to Windows native code. Once the code has been compiled to native code, it will be cached, and the JIT compiler will not be used again. And this is interesting to us, because when the JIT compiler is used, an event will be generated, which means that an event will be generated whenever a .NET method is first utilised. Subsequently, it will not be generated, because the code will have been cached. So with this, we actually have two events that we can use to detect in-memory assembly load indicators. Firstly, the event related to the loading of a .NET assembly, as well as the event related to JIT compilation. So what I have here is an output snippet from my Python POC code.
So firstly, we can detect the loading of my assembly without a path, and that is through the assembly load events. And secondly, we can actually attempt to trace what the assembly was doing. In this case, we see that the assembly was trying to call the class constructor. And if you look back at what I was trying to achieve previously with my flowchart, I was actually trying to reference an assembly and create an instance out of it. So to sum it up, we are actually able to detect indicators related to in-memory assembly loads. So now, let's look at another indicator. We're going to look at indicators for the .NET API related to registry creation. So JIT compilation was quite useful for us previously. So can we use this? Unfortunately, we can't, because JIT compilation doesn't occur for native .NET assemblies. And what do I mean by native .NET assemblies? I mean libraries like System.Text, whereby, as a C# programmer, you'll reference System.Text to allow you to call the Console.WriteLine function to output statements to the console. And this happens because when the .NET Framework is installed, the native .NET assemblies are installed as well. And once they are installed, these libraries are compiled to native code and cached by something known as the Native Image Generator engine. So essentially it compiles the .NET assemblies to native images, and it caches them. And because of this, because they are cached, JIT compilation will not occur. And because of that, we are not really able to detect indicators related to the use of native .NET APIs for registry creation. So let's move on to our final indicator: indicators related to the invoking of native APIs. So we can use an ETW event known as the interop event to help us with this. These are essentially events generated whenever a .NET assembly makes a call towards the Windows native API. And this is an example of native code, as you have seen earlier with the message box.
It was actually a native function imported from the user32 DLL library. And with that, we're actually able to detect an event for it, whereby you're able to see my assembly invoking the message box. So native APIs are very useful; you can do a lot of interesting activities, such as using a native API to send an outbound network connection. But attackers can also abuse this. Attackers can use it to do keylogging. They can use it to extract credentials from memory, and any other malicious activities you can think of. So us having visibility of this is really useful as well. So to sum it up, we're actually able to detect two out of three. So pretty good, I would say. Now let's use what we've learned on an actual demonstration. We're going to demonstrate our indicators on a real example, Silent Trinity. So Silent Trinity is a post-exploitation framework which is coded in IronPython. IronPython is essentially Python that is tightly coupled to the .NET library. And with that, we're going to do two things. We're going to launch a .NET assembly which will be responsible for launching all the other Silent Trinity assemblies. And we're going to launch SafetyKatz. We're going to do something malicious now. We're going to launch SafetyKatz, a credential extraction tool. So on my right, right here, is a console which basically holds my stager. My Silent Trinity stager is an MSBuild stager; it's an XML file which will be built by msbuild.exe. And on the left here is my Python POC script, which is mainly used for the event tracing. So I'm going to execute the Python script first, before executing the Silent Trinity stager. So I've executed the Python script, and now I'm going to execute the Silent Trinity stager. As you can see, there's a whole bunch of output coming out now, because these are ETW events. They carry a whole lot of information.
So we're going to ignore all this information for now, and we're going to move to my attacker's machine, which is right here. And I'm going to run SafetyKatz. I'm going to extract user credentials from my victim's machine. As you can see here, I've grabbed a bunch of user credentials, and now let's move back to our victim's machine. And as you can see, we're still getting so much output here, and frankly, most of it probably isn't going to be very useful. So I'm going to ignore this, and I'm going to minimise it. So I've actually filtered out the necessary information for us to look at, and that is what you'd expect to do in the real world. In the real world, your base Windows telemetry is a whole bunch of data, and as defenders ourselves, we have to know how to filter out the necessary data for us to look at. So firstly, what I have right here is a bunch of assembly loads of IronPython assemblies, and as you can see here, there is no path tagged to them, which is quite suspicious. IronPython by itself is not malicious, but it loading without a path is very anomalous, and most organisations typically will not execute IronPython on their estate. So having visibility of this will definitely give some indication of anomalous activity. So, other than the IronPython assembly loads, we're going to see what it was actually doing. So as you can see below here, several interesting native API calls were actually made, such as LoadLibrary, VirtualAlloc, GetProcAddress. So probably legitimate stuff, but they are actually activities that can be used to do code injection as well. And there's one more native API that is quite interesting, which will be more specific to what we're actually looking at, and it's something known as MiniDumpWriteDump, which I will show you now. So for extracting credentials from memory, typically you will target a process such as lsass and dump its contents out.
MiniDumpWriteDump allows a user to grab a handle to a process and dump its contents to a file, and that is essentially... So having all this visibility actually helps us in trying to determine whether bad .NET code was being run. So just to sum up all the telemetry that I have discussed. Firstly, .NET runtime DLLs: basically, we can hunt for binaries that do not execute .NET code, and if we see that a binary contains a .NET runtime DLL, there is something suspicious that we can potentially leverage. We can also look at .NET ETW events, and with ETW events there's a wealth of information for us to loop through to actually determine what the .NET code was attempting to run. And we have other telemetry as well. If we base this on the cyber kill chain, you'd expect .NET code to occur at the execution phase, and typically you can argue that .NET code could be executed at the persistence phase or the command-and-control phase, but all these leave different indicators. At the persistence phase, you can hunt for registry locations and scheduled tasks. At the command-and-control phase, an attacker can use .NET code to communicate with the C2 channel, but that will leave network indicators; you could find, within a day, how many outbound connections went towards a particular IP address. And how about before the .NET code was even executed: how was it even delivered, what were the delivery mechanisms used to actually deliver it? We can hunt for such behaviour. And with all these indicators put together, we actually paint a whole, complete picture of how to detect bad .NET code, which allows us to determine what actually happened. So having a robust detection strategy like this helps us in trying to actually detect bad attackers.

So I guess, to wrap up what I've discussed: PowerShell is still, to this day, a very good weapon of choice for attackers, but defenders have gotten better at detecting them. There are more opportunities to detect bad PowerShell code, so as compared to what it was in the past, it's not as hard as it was before. And attackers being attackers, they're always moving to different techniques and tooling, and one of them is .NET attacks. But as I've shown here, .NET attacks aren't that invincible themselves; we can actually detect them. And lastly, more importantly, try all this yourself. All the things that I've demonstrated here are open source. The Python POC code that I was demonstrating earlier, you can actually find on the Counterstep GitHub. Silent Trinity you can also find on GitHub. Process Hacker is also an open-source tool. So I guess this marks the end of my presentation. So, any questions? Alright then, thank you. Alright, is there a question? Alright.
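The detection logic the talk describes (a .NET runtime DLL in a host that should not run .NET, an assembly load without a path tied to the methods the JIT compiled for it, and interop stubs for dangerous native APIs), as an added Python example that is not part of the talk and is not the Counterstep POC. It runs over a constructed, simplified event trace embedded inline. The flat record shape and the field names are an assumption made to keep it self-contained, as are the list of expected CLR hosts and the list of native APIs to flag; when consuming real Microsoft-Windows-DotNETRuntime events (Loader, JIT and Interop keywords) you would map the provider's own payload fields onto these.

```python
"""
Added example: triage of .NET runtime ETW-style events for the three indicators
from the talk. Event records are CONSTRUCTED sample data; the dict shape and
field names are an assumption, not the real provider's payload layout.
"""
from collections import defaultdict

# Processes in which loading the CLR is expected (assumption for this example).
EXPECTED_CLR_HOSTS = {"powershell.exe", "msbuild.exe", "sqlservr.exe", "devenv.exe", "w3wp.exe"}
CLR_IMAGES = {"clr.dll", "coreclr.dll", "mscorwks.dll"}

# Native APIs whose P/Invoke from an in-memory assembly deserves attention (assumption).
SUSPICIOUS_NATIVE_APIS = {
    "MiniDumpWriteDump": "process memory dump (credential theft from lsass)",
    "VirtualAlloc": "memory allocation used by code injection",
    "WriteProcessMemory": "writing into another process (code injection)",
    "CreateRemoteThread": "remote thread creation (code injection)",
    "OpenProcess": "handle to another process (prerequisite for dumping or injection)",
}

# Constructed sample trace: mshta.exe hosts the CLR, loads a pathless assembly,
# JITs its constructor and Run method, and gets a P/Invoke stub for
# MiniDumpWriteDump. powershell.exe shows the benign shape for comparison.
SAMPLE_EVENTS = [
    {"event": "ImageLoad", "pid": 4120, "process": "mshta.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"event": "AssemblyLoad", "pid": 4120, "process": "mshta.exe",
     "assembly": "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
     "path": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll"},
    {"event": "AssemblyLoad", "pid": 4120, "process": "mshta.exe",
     "assembly": "Payload, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",
     "path": ""},
    {"event": "MethodJittingStarted", "pid": 4120, "process": "mshta.exe",
     "namespace": "Payload.Runner", "method": ".ctor"},
    {"event": "MethodJittingStarted", "pid": 4120, "process": "mshta.exe",
     "namespace": "Payload.Runner", "method": "Run"},
    # A Registry.CurrentUser.CreateSubKey() call inside Run produces no JIT event:
    # mscorlib is NGEN-precompiled, which is the gap the talk describes.
    {"event": "ILStubGenerated", "pid": 4120, "process": "mshta.exe",
     "namespace": "Payload.Runner", "method": "MiniDumpWriteDump"},
    {"event": "ImageLoad", "pid": 5208, "process": "powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"event": "AssemblyLoad", "pid": 5208, "process": "powershell.exe",
     "assembly": "System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
     "path": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
]


def unexpected_clr_hosts(events):
    """Indicator 1: processes that loaded a CLR image but are not expected .NET hosts."""
    hosts = set()
    for ev in events:
        if ev["event"] != "ImageLoad":
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in CLR_IMAGES and ev["process"].lower() not in EXPECTED_CLR_HOSTS:
            hosts.add((ev["pid"], ev["process"]))
    return hosts


def pathless_assembly_loads(events):
    """Indicator 2a: AssemblyLoad events with no backing file, i.e. loaded from memory."""
    return [(ev["pid"], ev["process"], ev["assembly"].split(",", 1)[0])
            for ev in events
            if ev["event"] == "AssemblyLoad" and not ev.get("path")]


def jitted_methods(events, pid):
    """Indicator 2b: methods the JIT compiled in this process, in order.
    Only the first use of a method is seen; NGEN'd framework code never appears."""
    return [f'{ev["namespace"]}.{ev["method"]}'
            for ev in events
            if ev["event"] == "MethodJittingStarted" and ev["pid"] == pid]


def suspicious_interop(events):
    """Indicator 3: P/Invoke stubs generated for native APIs of interest."""
    return [(ev["pid"], ev["process"], ev["method"], SUSPICIOUS_NATIVE_APIS[ev["method"]])
            for ev in events
            if ev["event"] == "ILStubGenerated" and ev["method"] in SUSPICIOUS_NATIVE_APIS]


def triage(events):
    """Combine the three indicators into a per-process finding list."""
    findings = defaultdict(list)
    for pid, proc in unexpected_clr_hosts(events):
        findings[pid].append(f"{proc} loaded the CLR but is not an expected .NET host")
    for pid, proc, name in pathless_assembly_loads(events):
        methods = ", ".join(jitted_methods(events, pid)) or "none"
        findings[pid].append(f"{proc} loaded assembly '{name}' from memory; JIT-compiled: {methods}")
    for pid, proc, api, why in suspicious_interop(events):
        findings[pid].append(f"{proc} P/Invoked {api}: {why}")
    return dict(findings)


if __name__ == "__main__":
    for pid, lines in triage(SAMPLE_EVENTS).items():
        print(f"PID {pid}")
        for line in lines:
            print("  -", line)
```

Running it reports only PID 4120: the CLR in mshta.exe, the pathless "Payload" assembly with its JIT-compiled constructor and Run method, and the MiniDumpWriteDump stub. The registry call leaves no trace, matching the two-out-of-three result in the talk, so in practice you would pair this with registry and process telemetry rather than rely on the runtime events alone.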