wscript/cscript downloads a bad binary named Chrome.exe
Calls a scheduled task for persistence
Chrome.exe calls msra.exe for comms
C:\Windows\syswow64\Msra.exe chrome.exe
So another LOLBin? This is what prompted this podcast
TOPIC OF THE DAY: Laughing at Binaries - LOLBin/LOLBas
What is a LOLBin and LOLBas?
It stands for Living off the Land Binaries and Scripts
Libraries too (DLLs)
What started all this?
@SubTee Casey Smith's efforts on application whitelisting bypasses from around 2015, where he found ways to use existing binaries on the system to do bad things, like RegSvr32, RegAsm, RunDll32 and several others
Why are these an issue for us Defenders?
Well, pentesters and red teams use them to get around security solutions like AV, EDR and application whitelisting
Do these normally execute? If so, how noisy are they?
Some are noisy
What do we need to watch out for?
Command line parameters are key
What are the parameters these utilities are being executed with?
Are there any lists people can use?
The Malware Archaeology Logging page has a list and a link to Oddvar's page
What about security solutions, do we need to be concerned with these?
Yes, many AV and EDR products will not have alerts for these items
You will need to build some alerts and filter out the good/noise
What about logging them?
Use the list(s) and build a lookup list that you can add to 4688 events or Sysmon event ID 1 and 7 events, and monitor them
What about MITRE ATT&CK, do they reference these?
Yes, several of these are mentioned in MITRE ATT&CK, so map your tools to ATT&CK techniques
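The lookup-list approach above, worked through as an added example (this is editor-written code, not from the podcast or from LOG-MD): a small checker that takes process-creation records with the fields Sysmon event ID 1 and Windows 4688 both provide (image, parent image, command line), matches them against a lookup list of the binaries the episode names, keys the decision on the command-line parameters, filters known-good shapes out as noise, and tags each finding with an ATT&CK technique. The sample events are constructed to mirror the wscript -> Chrome.exe -> msra.exe chain at the top of the notes; schtasks.exe is added to the list by the editor for the scheduled-task step, and the msra.exe mapping to the parent technique T1218 is an assumption since ATT&CK has no sub-technique for it.

```python
"""Added example (not from the podcast notes): lookup-list detection for
LOLBin executions over constructed Sysmon Event ID 1 style records."""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Lookup list keyed by binary name. Binary names are the ones the episode calls
# out (plus schtasks.exe, added here for the persistence step). The sub-technique
# IDs are real ATT&CK IDs; the msra.exe entry is an assumption (parent technique).
LOLBIN_LOOKUP = {
    "regsvr32.exe": "T1218.010",
    "regasm.exe": "T1218.009",
    "rundll32.exe": "T1218.011",
    "wscript.exe": "T1059.005",
    "cscript.exe": "T1059.005",
    "msra.exe": "T1218",        # assumption: signed-binary proxy execution
    "schtasks.exe": "T1053.005",
}

USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.I)

# Argument features that make a LOLBin execution worth a look. Tune these and
# KNOWN_GOOD to filter out your own environment's noise.
SUSPICIOUS_ARGS = [
    ("url on command line", re.compile(r"https?://", re.I)),
    ("user-writable path", USER_WRITABLE),
    ("references another executable/script", re.compile(r"\.(exe|dll|js|vbs|sct)\b", re.I)),
]

# Known-good argument shapes per binary (constructed): rundll32 legitimately
# loads system DLLs, and msra.exe launched with no arguments is the normal GUI.
KNOWN_GOOD = {
    "rundll32.exe": [re.compile(r'^"?(?:[a-z]:\\windows\\system32\\)?\w+\.dll,', re.I)],
    "msra.exe": [re.compile(r"^$")],
}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def split_cmdline(cmdline: str):
    """Split a command line into (image basename, argument string)."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)$', cmdline, re.S)
    if not m:
        return "", ""
    return basename(m.group(1) or m.group(2)), m.group(3).strip()


def evaluate(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None when the
    event is not in the lookup list or matches a known-good pattern."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    _, args = split_cmdline(event["CommandLine"])
    reasons = []
    if image in LOLBIN_LOOKUP:
        if any(p.search(args) for p in KNOWN_GOOD.get(image, ())):
            return None  # tuned-out noise
        reasons += [label for label, pat in SUSPICIOUS_ARGS if pat.search(args)]
    if parent in LOLBIN_LOOKUP and image not in LOLBIN_LOOKUP:
        # A script host or proxy binary spawning something off the list.
        reasons.append(f"child of {parent}")
        if USER_WRITABLE.search(event["Image"]):
            reasons.append("child image in user-writable path")
    if not reasons:
        return None
    technique = LOLBIN_LOOKUP.get(image) or LOLBIN_LOOKUP.get(parent)
    return {"image": image, "parent": parent, "technique": technique, "reasons": reasons}


def run(events) -> list:
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events mirroring the chain from the show notes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Users\bob\Downloads\invoice.vbs"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\Chrome.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\Chrome.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"schtasks.exe /Create /SC MINUTE /TN Updater /TR C:\Users\bob\AppData\Local\Temp\Chrome.exe"},
    {"Image": r"C:\Windows\syswow64\Msra.exe", "ParentImage": r"C:\Users\bob\AppData\Local\Temp\Chrome.exe",
     "CommandLine": r"C:\Windows\syswow64\Msra.exe chrome.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL'},
    {"Image": r"C:\Windows\System32\msra.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\msra.exe"'},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(f"{finding['technique']:10} {finding['image']:14} <- {finding['parent']:14} {finding['reasons']}")
```

The two benign records (rundll32 loading a system DLL, msra.exe with no arguments) are dropped by KNOWN_GOOD, which is the "filter out the good/noise" step; everything else on the list is judged on its arguments and its parent, so the msra.exe line from the case at the top is flagged only because it was handed another executable on the command line.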
Ep 011 - ARTHIR - ATT&CK Remote Threat Hunting Incident Response tool
May 17, 2020
www.LOG-MD.com/podcasts
BDIR Podcast Episode-010
Feb 26, 2019
Newsworthy Items:
• INSURANCE COMPANY REFUSES TO PAY NOTPETYA BILL, SAYS IT WAS AN ACT OF WAR, COMPANY SUES FOR $100M
• 2-FACTOR AUTH BYPASSED ???
• 773 MILLLLLION PASSWORDS CIRCULATING THE INTERNET FROM PAST BREACHES
• BYPASS BLACKLISTED WORDS FILTER (OR FIREWALLS) VIA WILDCARDS
Malware of the month - First Sednit UEFI Rootkit Unveiled
Site-worthy - websites of the trade to share
Tool-worthy - some tools of the trade to share
BDIR Podcast Episode-009 - MITRE ATT&CK Part 2
Dec 27, 2018
Newsworthy Items:
Over 1 BILLION Pwned
Dell Breach
Marriott/Starwood Breach
Malware of the month - LOKIBot
Site-worthy - websites of the trade to share
Tool-worthy - some tools of the trade to share
BDIR Podcast Episode-008
Oct 14, 2018
Newsworthy Items:
1. NSS Labs fires off anti-malware-testing lawsuit at infosec toolmakers
2. Gartner says EDR will be a 1.5 BILLION, with a B, business by 2020
3. Forrester report on whether EDR is overblown
BDIR Podcast Episode-007
Sep 16, 2018
Newsworthy Items:
After Sept 21st Credit Freezes are FREEEEEE - Article by Krebs
Do you use a Tumi bag? Registered it with Tumi's Tracer service?
British Airways website hacked, 380K users affected
How Hackers Slipped by British Airways' Defenses - Wired
Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob - WIRED
Exploit vendor drops Tor Browser zero-day on Twitter - ZDNet
Bad Actors Sizing Up Systems Via Lightweight Recon Malware
Site-worthy - websites of the trade to share
Tool-worthy - some tools of the trade to share
Malware of the month - EMOTET
BDIR Podcast Episode-006
Aug 26, 2018
Newsworthy Items:
The most expensive Cyber attack EVER !!! (Wired)
City of Atlanta 17 million ransom attack
APT32 proves what we say about logging - Monitor Scheduled Tasks
Malware of the month - None, so send us something interesting...
Site-worthy - websites of the trade to share
Tool-worthy - some tools of the trade to share
BDIR Podcast Episode-005
Jul 10, 2018
Newsworthy Items:
New Sysmon and Autoruns versions released
Be careful of VirusTotal uploads
Malware of the month - None, so send us something interesting...
Site-worthy - websites of the trade to share
Tool-worthy - some tools of the trade to share
BDIR Podcast Episode-004
Jun 03, 2018
Newsworthy Items:
The FBI asks us to reboot our routers
Malware of the month - None, so send us something interesting...
Site-worthy - websites of the trade to share
Tool-worthy - some tools of the trade to share
BDIR Podcast Episode-003
Apr 27, 2018
News-Worthy
Site-Worthy
Tool-Worthy
BDIR Podcast Episode-002
Apr 01, 2018
News-Worthy
Site-Worthy
Tool-Worthy
BDIR Podcast Episode-001
Mar 01, 2018
News-Worthy
Site-Worthy
Tool-Worthy
BDIR Podcast Episode-000
Jan 18, 2018
"Incident Response, Malware Discovery, and Basic Malware Analysis, Detection and Response, Active Defense, Threat Hunting, and where does it fit within DFIR"
ANNOUNCING The Incident Response Podcast
Jan 12, 2018
Brian and I are embarking on an expansion of The Incident Response Podcast.
This will be a once-a-month podcast with a few extra casts here and there. The focus will be in the area of Detection and Incident Response, Malware Discovery, Basic Malware Analysis, Threat Hunting and improvements to your overall security posture.