8:45 am - 9:00 am CT 1:45 pm - 2:00 pm UTC | Track 1 & Plenary Welcome & Opening Remarks |
9:00 am - 9:45 am CT 2:00 pm - 2:45 pm UTC | Track 1 & Plenary Keynote: DFIR Evidence Collection and Preservation for the Cloud
The assumption that a change in where or how data is stored always seems to lead to the false belief that forensics is dead. With the cloud, digital forensics gains new capabilities and depth that do not exist in the on-premises world. However, this is only useful if you know how to correctly configure and set up evidence preservation for your cloud environments. One of the most significant challenges with cloud environments today is that evidence retention works on a continuous sliding time window. This could mean your evidence is slowly aging out of existence if you don't know where to collect it immediately, or that your evidence may never have been generated if you have not already configured your cloud platform correctly. This presentation will take attendees through a quickfire set-up of how best to configure their Azure, Amazon Web Services, Google Cloud Platform, Microsoft 365, or Google Workspace platforms to ensure they have the best possible chance of maintaining evidence for digital forensics and incident response investigations. The techniques shown during this session are derived from the SANS FOR509: Enterprise Cloud Forensics and Incident Response course.
9:45 am - 10:00 am CT 2:45 pm - 3:00 pm UTC | Track 1 & Plenary Break |
10:00 am - 10:40 am CT 3:00 pm - 3:40 pm UTC | Track 1 & Plenary Text Editor Tricks for Blue Teamers Threat Hunting
Got a few thousand lines of logs to parse? How about a needle buried in a couple-million-line CSV haystack? What about sorting every single endpoint in your org into buckets by custodial group?
Believe it or not, the easiest, fastest tool for these jobs is probably your text editor.
Let's turn tasks like these from impossibly dull, frustrating hours of mouse jockeying into a few enjoyable minutes with some text manipulation strategies. The best part? Once you learn these strategies, it's simple to scale them via your SIEM and scripts.
In this presentation, you'll learn to:
- identify ways to hook into data structures;
- employ multiple visual analysis techniques;
- automate repetitive search and replace operations;
- zero in on specific kinds of data;
- easily find differences in two or more lists of data;
- recognize cases when a different approach might be better.
We'll use three real-world examples to illustrate these techniques:
- Parsing a multi-million line CSV file of malware observables and indicators;
- Using deduplication to track a third-party service's effectiveness;
- Building the supersedence chain for a Microsoft patch.
But wait; there's more!
To help you operationalize these techniques when you're back in your bat cave, you'll get:
- Cheat sheets for the techniques above;
- Copy-pasta regex sweetness;
- Your own fresh copies of the example files, so you can learn by doing.
10:00 am - 10:40 am CT 3:00 pm - 3:40 pm UTC | Track 2 Hunting Powershell Obfuscation With Support Vector Classifiers Threat Hunting
If you’re serious about defending your enterprise from evil, you should be familiar with finding PowerShell used for evil purposes. PowerShell is commonly seen in adversary tooling due to its ubiquity and effectiveness. However, it is also ubiquitous for benign purposes. This means that it can be very hard to distinguish the small amount of bad from the potentially huge amount of normal. Luckily, the evil has a tell. Most evil PowerShell has been in some way obfuscated to hide its true intentions from investigators. While there is no way to detect every feasible obfuscation mechanism, there are effective ways of finding PowerShell commands that were obfuscated by ANY mechanism. These are the items that are most likely to be malicious, and these will be of most interest to investigators. This talk will demonstrate a simple supervised machine learning technique known as a Support Vector Classifier that can be used to classify voluminous PowerShell logs as either “obfuscated” or “non-obfuscated”. This implementation uses Python’s sklearn module to rapidly build and train a model that you can then use in your own environment to find unknown obfuscated PowerShell commands. And it’s quick and easy to set up! A working implementation will be shared, so attendees can use this right away and adapt it to their needs. If you’re looking for a simple and effective ML project that can directly improve your defensive posture, come check this out!
10:45 am - 11:25 am CT 3:45 pm - 4:25 pm UTC | Track 1 & Plenary Missing Pieces - Tips and Tricks on how to ensure your acquisitions aren’t missing critical data
What could you be missing from your acquisitions? Sometimes we don’t know what we don’t know, and we unknowingly leave data on the ground. Join Jessica Hyde and Cesar Quezada as they share examples of uncommon acquisition pitfalls that could lead to incomplete acquisitions that appear complete. We will explore acquisitions from hard drives, iOS, and Android devices. We will provide tips on how to avoid these pitfalls as well as techniques for determining if your acquisition is missing critical data.
10:45 am - 11:25 am CT 3:45 pm - 4:25 pm UTC | Track 2 Threat hunting in Microsoft 365 Environment Anurag Khanna, Manager - Incident Response & Consulting Services, Crowdstrike Services Threat Hunting
Over the last few years, threat actors have augmented their efforts in developing novel and sophisticated attack techniques to target enterprise cloud environments. Microsoft 365 is a cloud-based software-as-a-service offering from Microsoft that includes services such as Exchange Online, Flows, SharePoint Online, and Teams. Attackers consistently target M365 services in order to gain initial access, maintain persistence, and perform data exfiltration. Several investigations have revealed that threat actors have not only been able to successfully compromise cloud environments but also persist and move laterally. Organizations have found it increasingly difficult to protect cloud services and detect threat actor activities. We will talk through ways blue teams can hunt for some of the techniques that threat actors use to target M365. Some of the areas that we will cover include:
- Automated Email Forwarding
- Delegation
- Mailbox folder Permissions
- OAuth Grants
- Flows to automate Data Extraction
- MFA Bypass Scenarios
- Privileged roles
- Suspicious Sign-in
- Message Trace & eDiscovery
- Hunting from Unified Audit Logs
11:30 am - 12:10 pm CT 4:30 pm - 5:10 pm UTC | Track 1 & Plenary A little bit of this, a little bit of dat
With personal computers and corporate networks becoming more integrated with cloud solutions, cloud forensics has become an important part of the investigative process. When investigating OneDrive, there are multiple artifacts that need to be checked to ensure all files and folders are collected. The process becomes complicated quickly on multi-user systems. This can lead to data loss if these artifacts are not checked or known about, and it makes automation harder. Developed through personal research and available on GitHub, OneDriveExplorer solves these issues. OneDriveExplorer rebuilds the folder structure and parses more data, while avoiding the storage space and scope-of-authority issues that come along with collecting files via reparse points. This presentation aims to walk through important OneDrive artifacts, how to use OneDriveExplorer, and what value OneDriveExplorer adds compared to conventionally used tools.
11:30 am - 12:10 pm CT 4:30 pm - 5:10 pm UTC | Track 2 Hunting Windows U-boats with Cyber Depth Charges Threat Hunting
As defenders, a lot of our time is focused on the most common ATT&CK techniques seen daily and weekly. Underneath common privilege escalation and defense evasion lies a deeper dark art - Windows rootkits. Rootkits are hard to identify as they can reside in the user or kernel level, or lower. The most advanced adversaries will persist and hijack systems using rootkits. As a defender, how do we hunt, where do we hunt and what do we hunt? The attendee will leave with an understanding of Windows driver rootkits, how to identify suspicious drivers, and what to do about rootkits today.
12:15 pm - 1:15 pm CT 5:15 pm - 6:15 pm UTC | Track 1 & Plenary Lunch |
1:15 pm - 1:55 pm CT 6:15 pm - 6:55 pm UTC | Track 1 & Plenary Stepping Out of the Android Malware Sandbox - Running & Analyzing Malware on a Physical Honeyphone
While there was an overall decrease in the number of mobile malware infections in 2021, there was a noticeable increase in mobile malware complexity. Authors have continued to add features to mobile malware to the point that it has feature parity with desktop malware variants. Because Android has more devices globally, it is a lucrative target for malware operators. Mobile device examiners, now more than ever, need to be on the lookout for malware on the Android platform, especially since more users are part of remote workforces and utilize Android-based devices. This presentation will be from a mobile examiner’s point of view and will involve the use of a “honeyphone,” the mobile equivalent of a honeypot. Mobile device examiners will get a glimpse at a phone that has been infected with mobile malware and, hopefully, walk away with ideas to detect it during their examinations. The presentation will discuss artifacts left behind after having run mobile malware on the honeyphone for an extended period of time, including Android system artifacts related to battery, device usage, and application permissions, in addition to those that may be unique to the malware variant.
1:15 pm - 1:55 pm CT 6:15 pm - 6:55 pm UTC | Track 2 Hunting for Active Directory persistence Thomas Diot, Senior Consultant | Incident response, Wavestone
For a few years now, Active Directory has been the preferred target of ransomware operators, and some APTs, to elevate privileges, maintain persistence, and execute malware at scale. Attackers had, for instance, obtained privileged Active Directory access in 95%+ of the IR engagements on large perimeters handled by the CERT-W in 2021. As DFIR analysts, we are often asked to help reduce the risk of re-infection during Active Directory forest recovery. Uncovering and addressing Active Directory persistence is not an easy task, as numerous techniques can be leveraged by attackers to maintain persistence once a forest is compromised. In this talk, we will give a brief overview of a forest recovery procedure and focus on unveiling different means of persistence, some well-known, others less so. Following the presentation, a (markdown) checklist and an associated PowerShell toolkit that complement existing tooling will be publicly released. The following Active Directory persistence techniques will be presented:
- Special privileges groups (Operators, Dns Admins, etc.)
- ACL based persistence on AdminSDHolder and other objects not protected by the SDProp mechanism
- DCSync and DCShadow minimal access rights persistence
- SID history persistence
- primaryGroupId persistence
- Golden and silver tickets persistence
- Kerberos (unconstrained, constrained, and resource-based constrained) delegations persistence
- Group Policy persistence (on GPO object and GPO files)
- ADCS and PKI related persistence (certificates, shadow credentials, User-Principal-Name / Alt-Security-Identities)
2:00 pm - 2:40 pm CT 7:00 pm - 7:40 pm UTC | Track 1 & Plenary The Truth About USB Device Serial Numbers – (and the lies your tools tell)
Attendees will learn about the inaccuracies of USB tracking and identification, and how to understand and avoid the pitfalls associated with them in detection, investigation, and response. This session will include live demos, and all the code will be made available after the session.
2:00 pm - 2:40 pm CT 7:00 pm - 7:40 pm UTC | Track 2 Fast Unix-like Incident Response triage using UAC tool
Do you know how to locate, identify and collect relevant artifacts from Unix-like systems such as AIX, BSDs, ESXi, Linux, macOS, and Solaris? Reserve your seat and join me in this presentation, where I will show you how to perform a quick artifact collection on different Unix-like operating systems using the UAC (Unix-like Artifacts Collector) tool. UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of artifacts from Unix-like systems.
2:45 pm - 3:00 pm CT 7:45 pm - 8:00 pm UTC | Track 1 & Plenary Break |
3:00 pm - 3:40 pm CT 8:00 pm - 8:40 pm UTC | Track 1 & Plenary Establishing Connections: Illuminating Remote Access Artifacts in Windows
All too often during an investigation, it comes to light that adversaries are leveraging existing remote access tools for initial access and lateral movement. This trend is continuously on the rise and tends to go unnoticed due to the lack of available logging or a lack of understanding of what the available logs provide. This talk will not only address the above, but I will also be sharing custom tools that have proved beneficial in analysis against some of the most sophisticated actors. Attendees will walk away able to use these capabilities in their own environment and better postured to identify malicious activity.
3:00 pm - 3:40 pm CT 8:00 pm - 8:40 pm UTC | Track 2 Exploiting Advanced Volatile Memory Analysis Challenges for Fun and Profit
Malware continues to advance in sophistication and prevalence. Well-engineered malware can obfuscate itself from the user, network, and even the operating system running host-based security applications. But one place malware cannot easily hide itself is within volatile computer memory (RAM). Many problems and inefficiencies exist with our current approach to conducting memory analysis: it takes too much time, is very labor intensive, and artifact extraction comes with a deluge of raw data that is not practical to analyze on real-world computer systems compromised with malware. These inefficiencies ultimately result in greater time and resource expenditure to conduct the analysis while impairing the accuracy of results, since it is too easy to miss a key artifact in the overload of data during the analysis. I have seen many people struggle with capture-the-flag memory challenges as well due to these same issues. I have solved this problem by engineering a new construct for memory analysis along with a new tool release to provide an automated process for advanced memory analysis, correlation, and user interaction that increases investigation accuracy, reduces analysis workload, and better detects obfuscated malware. This talk is especially perfect if you have conducted memory analysis before and understand the pain and difficulty of completing this type of investigation. During this session, I will present many new features that optimize memory analysis, including a new, revolutionary interactive construct that provides a visual representation of artifacts and indicators extracted from memory.
We will also cover a new data cross-reference (data xref) ability I built into the open-source tool (Xavier Memory Analysis Framework) that creates a new index and memory context feature to view how your keyword data is coupled with processes, modules, and events captured in memory. This data xref feature also allows you to immediately pivot to create specific process-memory dumps and file extraction directly from each keyword entered by the user. Finally, a new concept called a System Manifest is delivered by this research. The System Manifest is a single file detailing significant artifacts (and their relationships) distilled from a memory image. This manifest allows Xavier to immediately reload the full memory image context in seconds versus hours without this tool. The most beneficial feature of the manifest file creation is the new ability to create and analyze memory snapshots. This uniquely provides a new lightweight yet very powerful and precise memory analysis capability to automatically detect system changes captured in memory from malware execution, especially useful for exploit development, malware analysis, and software reverse engineering! This talk is full of live demos, as we will take a real-world capture-the-flag memory analysis engagement and demonstrate how the Xavier Construct optimizes memory analysis.
3:45 pm - 4:25 pm CT 8:45 pm - 9:25 pm UTC | Track 1 & Plenary Cracking the Beacon: Automating the extraction of implant configurations Threat Hunting
Threat actors and red team members routinely use turnkey offensive security tools such as Cobalt Strike and other commodity malware to carry out intrusion campaigns and emulate adversary behavior. Many of these tools are designed to validate security detection capabilities, but in the wrong hands, can be configured to operate in an abusive way. These generic offensive platforms carry a wealth of information about the campaign configuration. As a defender, knowing this information can significantly equip you to dismantle malicious campaigns and proactively defend your network. This talk will focus on collecting memory segments from several malware families, extracting and parsing configurations, writing the data back into an open-source data analytic platform, and use cases on how defenders can use this data to impose costs on adversary activities and campaigns. The collection, extraction, parsing, and analysis will be accomplished by using open-source tools we have released to the community.
3:45 pm - 4:25 pm CT 8:45 pm - 9:25 pm UTC | Track 2 Living with Ransomware - The new normal in Cyber Security
Not unlike the coronavirus and its variants, the infosec community needs to accept the fact that ransomware is not going away anytime soon. This talk focuses on how businesses can move away from the elimination approach towards a managed prevention approach. This is a presentation that covers everything you need to know to get started on transforming your organisation to be ransomware resilient. Ransomware has been around for quite some time now, and the good thing about that is that we have learnt a lot about this threat in that time. We dig deep into our past experiences from responding to security incidents involving ransomware and share our learnings with the audience. We discuss what to focus on while analysing ransomware and how to create effective detections for ransomware based on core components of the malware and its behaviour. We share our ideas on how to create an environment within organisations that is ransomware aware and ready for response when an attack involving ransomware eventuates. From our experiences across industries spanning healthcare, technology, finance, manufacturing and commerce, we share knowledge that can be used to build a ransomware-resilient infrastructure. We cover topics such as what to look for when taking out a cyber insurance policy, along with strategies on how to handle communications during and after the incident. Let’s face it, ransomware is a threat that is here to stay; we need to adapt to living with it and prepare organisations as best we can to manage it when it strikes.
Proposal Details / Session Outline
Ransomware is one of the biggest and most common security threats to organisations globally today, and attacks involving ransomware are on the rise, as are ransom payments across all major industries. And yet, most organisations today do not have a ransomware-readiness plan or, basically, do not know what the basic steps of ransomware response are. In this presentation, we describe the current ransomware threat landscape based on the real-world security incidents that our team at Ankura’s DFIR practice responds to, combined with research and intelligence gathering activities that we undertake as part of our efforts in enhancing our defensive capabilities. We present several techniques that we have successfully deployed in defending against this threat, covering both preventive and mitigation-focused approaches. Specifically, we share the following with the audience:
- Introduction: What does the current ransomware threat landscape look like, and why do we need organisations to be ransomware aware and ransomware resilient?
- How are ransomware groups operating, and what are the main motivations behind these attacks as we see in real-world incidents?
- How do we respond to these incidents in a way that is simple to implement and easy to manage? We take a look at some real-world cases and how we responded to them successfully, and share the learnings with the audience.
- We share with the audience how to build and implement systems that help create an environment that supports detection and response in the event of a ransomware incident, including how to develop a ransomware-readiness task force.
- We talk about what to look for when it comes to cyber insurance policies for your organisation.
- We present how to build a communication strategy that works out of the box during an incident involving ransomware.
- We share resources and further reading for the audience.
- Q&A.
4:30 pm - 5:10 pm CT 9:30 pm - 10:10 pm UTC | Track 1 & Plenary Stay ahead of the game: automate your threat hunting workflows Threat Hunting
This session is about finding, confirming and mitigating fresh Indicators of Compromise (IoC) with true automation. It is very important nowadays to stay up to date with all of the cyber threats posed all over the world. It is widely known that there are not enough resources to be found to fill up every security operations center (SOC). Therefore, many organizations struggle to cope with massive amounts of new types of attacks and alerts generated by their tooling. During this session, you will learn how to hunt (and automate your hunt) for active cyber threats in your environment and contain them using integrated connections to network, endpoint, and cloud products. The key component here to battle false positives is correlation of sightings into a single incident. This session is targeted at SOC management, cyber security engineers, threat hunters, and analysts. It will touch on threat
5:15 pm - 5:30 pm CT 10:15 pm - 10:30 pm UTC | Track 1 & Plenary Day 1 Wrap-Up |