You can’t detect what you can’t see.
Red Canary, Carbon Black, and MITRE ATT&CK shine a light on defense-evading malware. This webinar compares defense evasion across operating systems, with examples drawn from Windows, macOS, and Linux environments.
You will learn:
- Real-world insights into what security teams are facing in their environments
- Examples of prominent, defense-evading malware
- Common adversary techniques like scripting, masquerading, code obfuscation, and disabling security tools
- Actionable advice on how to hunt for and build detection strategies around defense evasion
00:34 Presenter Introduction
02:22 Webinar Agenda
03:35 MITRE and Red Canary’s Top Technique By Tactic
04:50 “Three of those techniques in our top 20 were Disabling Security Tools, Obfuscated Files or Information, and Masquerading.” -Katie
06:54 A Supporting Tactic
08:59 “As adversaries are doing these other goals, they are trying to evade defense and that gives us another opportunity to try to detect them.” -Katie
09:17 Brief History of Defense Evasion
09:30 “Even though the tactic itself is very old, there have been a lot of evolutions and morphing of that capability over the years.” -Phil
12:09 Sample #1: TrickBot
12:43 TrickBot Defense Evasion Techniques
13:19 “I talked about those supporting tactics that defense evasion is. It’s PowerShell for the execution, and the defense evasion side is disabling security tools.” -Katie
14:53 “In the last 30 days, 86% of the times we saw this, it was TrickBot, it was malicious. It is something that becomes a very high-fidelity, powerful alert for us.” -Tony
19:00 Recognizing the Technique
19:20 “That’s what it all comes down to at the end of the day. Understanding where your assets are, where your most critical data is, and building out from there.” -Greg
21:22 Sample #2: Shlayer
22:00 “It’s an interesting sort of software that floats somewhere between adware and malware.” -Tony
25:45 “We reversed the malware and started looking at what it actually does once it has infected the system.” -Greg
25:55 Defense Evasion Techniques
26:09 “When we looked across our datasets here just looking at xxd, base64, and openssl in this order progressively, every sample we found came back to a known Shlayer infection.” -Greg
27:11 Unique Use of curl
27:56 “The way this malware worked was every time we saw these requests going out, there were multiple hops, like a minimum of four per request.” -Greg
29:18 “Marrying up your EDR data, maybe your SIEM data, and your IDS data, using all of that together to correlate this activity, then you can start to build some high-fidelity detections.” -Greg
33:27 Recognizing the Technique
34:22 “On the Windows side in terms of deobfuscation, a common technique we are starting to see is certutil.” -Katie
37:42 “Having some of these other layers of characterization to plaster on top of that takes you from a ‘maybe’ to a ‘definitely’ very quickly.” -Phil
39:00 Sample #3: Rocke
39:53 “Rocke is an adversary that gets into cryptojacking. The idea behind cryptojacking is an adversary compromises a web server or compromises some sort of publicly available service on the internet. They subvert the system it is running on for their own crypto-mining processes.” -Tony
42:09 “If you went to do a search ‘what is kworker on my file system,’ you’re going to encounter a bunch of forums and documentation saying kworker is a kernel thread—don’t mess with it. They bank on you having that fear, uncertainty and doubt of what is running on your system.” -Tony
45:17 Further Masquerading in Windows
45:23 “Basically the same concept, but now we are shifting what we learned on a Linux side onto a Windows environment.” -Phil
47:06 Recognizing the Technique
47:07 “Recognizing that becomes something that requires a whole lot of memorization, maybe some tooling that will allow you to frame out what is expected and what’s normal with certain file names, and then go beyond that looking for things in unusual directory locations.” -Phil
54:30 Key Takeaways
54:34 “Adversaries aren’t going to stop trying to evade the defensive measures that we put into place.” -Phil
55:00 “If we can build an approach to detecting this tactic, then it’s going to pay off a lot better than if we are looking at individual command lines.” -Phil
58:00 Questions and Answers
01:00:35 Question 1: What’s the value of network recording?
01:01:48 “It becomes a very good end-of-the-road type of investigative medium.” -Phil
01:02:47 Question 2: Do you have a best top level entry to ATT&CK?
01:03:00 “We recently added a Getting Started page for ATT&CK.MITRE.org site.” -Katie
You can also learn more about getting started with ATT&CK here.
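Two of the patterns discussed in the webinar lend themselves directly to detection logic over process telemetry: the xxd, base64, openssl sequence Greg describes at 26:09 for Shlayer, and the kworker masquerading Tony describes at 42:09 for Rocke. The block below is an added example written for this page, not code from Red Canary, Carbon Black, MITRE, or the webinar. The event schema, the assumption that the three decoding tools run as sibling children of one shell parent (as in a pipeline), the assumption that a real kworker has no on-disk executable and is parented by kthreadd (pid 2), and all sample events are constructed for illustration.

```python
# Added example (not from the webinar): two detection rules over constructed
# process-start events, modelled loosely on what an EDR sensor records.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """One process-start record. The field set is an assumption, not any
    vendor's schema."""
    ts: int                 # ordering key; a real sensor supplies a timestamp
    host_os: str            # "macos" or "linux"
    pid: int
    ppid: int
    comm: str               # process name as reported by the sensor
    exe: Optional[str]      # on-disk executable path; None for kernel threads
    cmdline: str


# The tool sequence called out for Shlayer, in the order it was observed.
SHLAYER_CHAIN = ("xxd", "base64", "openssl")


def detect_xxd_base64_openssl(events: List[ProcEvent]) -> List[Dict]:
    """Flag a macOS parent under which xxd, base64 and openssl start in that
    order. Assumes the three are siblings of one shell parent (e.g. a
    pipeline), so children are grouped by ppid and scanned in time order for
    the ordered subsequence; a lone base64 or openssl does not match."""
    by_parent: Dict[int, List[ProcEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.host_os == "macos":
            by_parent.setdefault(ev.ppid, []).append(ev)
    hits = []
    for ppid, children in by_parent.items():
        want, matched = 0, []
        for ev in children:
            if want < len(SHLAYER_CHAIN) and ev.comm == SHLAYER_CHAIN[want]:
                matched.append(ev.pid)
                want += 1
        if want == len(SHLAYER_CHAIN):
            hits.append({"rule": "macos_xxd_base64_openssl",
                         "parent_pid": ppid, "pids": matched})
    return hits


def detect_kworker_masquerade(events: List[ProcEvent]) -> List[Dict]:
    """Flag a Linux process named like a kernel worker thread that is not
    one. Assumption: genuine kworker/* entries are kernel threads with no
    on-disk binary and kthreadd (pid 2) as parent; a kworker-named process
    with an executable path, or a different parent, is user-space code
    borrowing the name."""
    hits = []
    for ev in events:
        if ev.host_os != "linux":
            continue
        name = ev.comm.strip("[]")
        if name.startswith("kworker") and (ev.exe is not None or ev.ppid != 2):
            hits.append({"rule": "linux_kworker_masquerade",
                         "pid": ev.pid, "exe": ev.exe, "ppid": ev.ppid})
    return hits


def run_detections(events: List[ProcEvent]) -> List[Dict]:
    """Run every rule and return the combined list of hits."""
    return detect_xxd_base64_openssl(events) + detect_kworker_masquerade(events)


# Constructed sample telemetry; not data from the webinar.
SAMPLE_EVENTS = [
    # macOS: a shell spawns xxd, base64, openssl in order (Shlayer-like chain)
    ProcEvent(1, "macos", 501, 500, "bash", "/bin/bash", "bash /tmp/installer.sh"),
    ProcEvent(2, "macos", 502, 501, "xxd", "/usr/bin/xxd", "xxd -r -p"),
    ProcEvent(3, "macos", 503, 501, "base64", "/usr/bin/base64", "base64 -D"),
    ProcEvent(4, "macos", 504, 501, "openssl", "/usr/bin/openssl",
              "openssl enc -aes-256-cbc -d -pass pass:s3cret"),
    # macOS: base64 on its own under a different parent (benign, no chain)
    ProcEvent(5, "macos", 601, 600, "base64", "/usr/bin/base64", "base64 -D"),
    # Linux: a genuine kernel worker thread (no exe, parent kthreadd)
    ProcEvent(6, "linux", 120, 2, "kworker/0:1", None, ""),
    # Linux: a user-space binary named kworker living in /tmp (masquerade)
    ProcEvent(7, "linux", 4242, 1, "kworker", "/tmp/.x/kworker", "/tmp/.x/kworker"),
]


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

The first rule deliberately keys on order rather than on the presence of any one tool, which is what keeps a developer's stray base64 call from alerting; the second rule keys on properties a real kernel thread cannot have rather than on the name alone, which is the point Tony makes about not trusting the name. Both are starting points to be correlated with the EDR, SIEM and IDS data the speakers recommend, not finished detections.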