The assumption that a change in where or how data is stored always seems to lead to the false belief that forensics is dead. With the cloud, digital forensics is given new capabilities and depth that do not exist in the on-premise world. However, this is only useful if you know how to correctly configure and set up evidence preservation for your cloud environments. One of the most significant challenges with cloud environments today is that evidence retention works on a continuous sliding time window. This could mean your evidence is slowly aging out of existence, if you don't know where to collect it immediately, or that your evidence may never have been generated if you have not already configured your cloud platform correctly. This presentation will take attendees through a quickfire set-up of how best to configure their; Azure, Amazon Web Services, Google Cloud Platform, Microsoft 365, or Google Workspace platforms, to ensure they have the best possible chance of maintaining evidence for digital forensics and incident response investigations. The techniques shown during this session are derived from the SANS FOR509: Enterprise Cloud Forensics and Incident Response course.

Threat Hunting

Got a few thousand lines of logs to parse? How about a needle buried in a couple-million-line CSV haystack? What about sorting every single endpoint in your org into buckets by custodial group?

Believe it or not, the easiest, fastest tool for these jobs is probably your text editor.

Let's turn tasks like these from impossibly dull, frustrating hours of mouse jockeying into to a few enjoyable minutes with some text manipulation strategies. The best part? Once you learn these strategies, it's simple to scale them via your SIEM and scripts.

In this presentation, you'll learn to:

•  identify ways to hook into data structures;
• employ multiple visual analysis techniques;
• automate repetitive search and replace operations;
• zero in on specific kinds of data;
• easily find differences in two or more lists of data;
• recognize cases when a different approach might be better.

We'll use three real-world examples to illustrate these techniques:

• Parsing a multi-million line CSV file of malware observables and indicators;
• Using depuplication to track a third-party service's effectiveness;
• Building the supersedence chain for a Microsoft patch.

But wait; there's more!

To help you operationalize these techniques when you're back in your bat cave, you'll get:

• Cheat sheets for the techniques above;
• Copy-pasta regex sweetness;
• Your own fresh copies of the example files, so you can learn by doing

Threat Hunting

If you’re serious about defending your enterprise from evil, you should be familiar with finding Powershell used for evil purposes. Powershell is commonly seen in adversary tooling due to its ubiquity and effectiveness. However, it is also ubiquitous for benign purposes. This means that it can be very hard to distinguish the small amounts of bad from the potentially huge amounts of normal. Luckily, the evil has a tell. Most evil Powershell has been in some way obfuscated, to hide its true intentions from investigators. While there is no way to detect every feasible obfuscation mechanism, there are effective ways of finding Powershell commands that were obfuscated by ANY mechanism. These are the items that are most likely to be malicious, and these will be of most interest to investigators. This talk will demonstrate a simple supervised machine learning technique known as a Support Vector Classifier, that can be used to classify voluminous Powershell logs as either “obfuscated” or “non-obfuscated”. This implementation uses Python’s sklearn module to rapidly build and train a model that you can then use in your own environment to find unknown obfuscated Powershell commands. And it’s quick and easy to set up! A working implementation will be shared, so attendees can use this right away and adapt it to their needs. If you’re looking for a simple and effective ML project that can directly improve your defensive posture, come check this out!

What could you be missing from your acquisitions? Sometimes we don’t know what we don’t know and we unknowingly leave data on the ground. Join Jessica Hyde and Cesar Quezada as they share examples of uncommon acquisition pitfalls that could lead to incomplete acquisitions that appear complete. We will explore acquisitions from hard drives, iOS, and Android devices. We will provide tips on how to avoid these pitfalls as well as techniques for determining if your acquisition is missing critical data.

Threat Hunting

Over the last few years, Threat Actors have augmented their efforts in developing novel and sophisticated attack techniques to target Enterprise Cloud environments. Microsoft 365 is a cloud based software as a service provided by Microsoft and includes services like Exchange online, Flows, SharePoint online, Teams. Attackers consistently target M365 services in order to gain initial access, maintain persistence and perform data exfiltration. Several investigations have revealed that threat actors have not only been able to successfully compromise Cloud environments but also persist and move laterally. Organizations have found it increasingly difficult to protect Cloud services and detect threat actor activities. We will talk through ways of how blue teams can hunt for some of the techniques that threat actors use to target M365. Some of the areas that we will cover include,

1. Automated Email Forwarding
2. Delegation
3. Mailbox folder Permissions
4. OAuth Grants
5. Flows to automate Data Extraction
6. MFA Bypass Scenarios
7. Privileged roles
8. Suspicious Sign-in
9. Message Trace & eDiscovery
10. Hunting from Unified Audit Logs

With personal computers and corporate networks becoming more integrated with cloud solutions, cloud forensics has become an important part of the investigative process. When investigating OneDrive, there are multiple artifacts that need to be checked to ensure all files/folders are collected. The process becomes complicated quickly on multi-user systems. This can lead to data loss if these artifacts are not checked or known about, making automation harder. Developed through personal research and available on GitHub, OneDriveExplorer solves these issues. OneDriveExplorer rebuilds the folder structure and parses more data, while preventing storage space and scope of authority issues that come along with collecting files via reparse points. This presentation aims to walk through important OneDrive artifacts, how to use OneDriveExplorer, and what value can be added from using OneDriveExplorer compared to conventionally used tools

Threat Hunting

As defenders, a lot of our time is focused on the most common ATT&CK techniques seen daily and weekly. Underneath common privilege escalation and defense evasion lies a deeper dark art - Windows rootkits. Rootkits are hard to identify as they can reside in the user or kernel level, or lower. The most advanced adversaries will persist and hijack systems using rootkits. As a defender, how do we hunt, where do we hunt and what do we hunt? The attendee will leave with an understanding of Windows driver rootkits, how to identify suspicious drivers, and what to do about rootkits today.

While there was an overall decrease in the number of mobile malware infections in 2021, there was a noticeable increase in mobile malware complexity. Authors have continued to add to features to mobile malware to the point that they have feature parity with desktop malware variants. Because Android has more devices, globally, it makes it a lucrative target for malware operators. Mobile device examiners, now more than ever, need to be on the lookout for malware on the Android platform, especially since more users are part of remote workforces and utilize Android-based devices. This presentation will be from a mobile examiner’s point of view, and will involve the use of a “honeyphone,” the mobile equivalent of a honeypot. Mobile device examiners will get a glimpse at a phone that has been infected with mobile malware, and, hopefully, walk away with ideas to detect it during their examinations. The presentation will discuss artifacts left behind after having run mobile malware on the honeyphone for an extended period of time, including Android system artifacts related to battery, device usage, and application permissions in addition to those that may be unique to the malware variant.

For a few years now, Active Directory has been the preferred target of ransomware operators, and some APTs, to elevate privileges, maintain persistence, and execute malware at scale. Attackers had for instance obtained privileged Active Directory access in 95%+ of the IR on large perimeters handled by the CERT-W in 2021. As DFIR analysts, we are often asked to help reduce the risk of re-infection during Active Directory forest recovery. Uncovering and addressing Active Directory persistence is not an easy task, as numerous techniques can be leveraged by attackers to maintain persistence once a forest is compromised. In this talk, we will give a brief overview of a forest recovery procedure, and focus on unveiling different means of persistence, some well-known, other less so. Following the presentation, a (markdown) checklist and an associated PowerShell toolkit, that complement existing tooling, will be publicly released. The following Active Directory persistence techniques will be presented:

• Special privileges groups (Operators, Dns Admins, etc.)
• ACL based persistence on AdminSDHolder and other objects not protected by the SDProp mechanism
• DCSYnc and DCShadow minimal access rights persistence
• SID history persistence
• primaryGroupId persistence
• Golden and silver tickets persistence
• Kerberos (unconstrained, constrained, and resource-based constrained) delegations persistence
• Group Policy persistence (on GPO object and GPO files)
• ADCS and PKI related persistence (certificates, shadow credentials, User-Principal-Name / Alt-Security-Identities)

Attendees will learn about the inaccuracies of USB tracking and identification, and how to understand and avoid the pitfalls associated with themdetection, investigation, and response. This session will include live demos, and all the code will be made available after the session.

Do you know how to locate, identify and collect relevant artifacts from Unix-like systems such as AIX, BSDs, ESXi, Linux, macOS, and Solaris? Reserve your seat and join me in this presentation where I will show you how to perform a quick artifact collection on different Unix-like operating systems using UAC (Unix-like Artifacts Collector) tool. UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of Unix-like systems artifacts.

All too often during an investigation, it comes to light that adversaries are leveraging existing remote access tools for initial access and lateral movement. This trend is continuously on the rise and tends to go unnoticed due to the lack of available logging or not understanding what the available logs provide. This talk will not only address the aforementioned but I also will be sharing custom tools that have proved to be beneficial in analysis against some of the most sophisticated actors. Walking away, attendees will be able to use these capabilities in their own environment and be better postured to identify maliciousness.

Malware continues to advance in sophistication and prevalence. Well-engineered malware can obfuscate itself from the user, network, and even the operating system running host-based security applications. But one place malware cannot easily hide itself is within volatile computer memory (RAM). Many problems and inefficiencies exist with our current approach of conducting memory analysis: it takes too much time, is very labor intensive, and artifact extraction comes with a deluge of raw data that is not practical to analyze on real-world computer systems compromised with malware. These inefficiencies ultimately result in greater time and resource expenditure to conduct the analysis while impairing accuracy of results since it is too easy to miss a key artifact from the overload of data during the analysis. I have seen many people struggle with capture the flag memory challenges as well due to these same issues. I have solved this problem by engineering a new construct for memory analysis along with a new tool release to provide an automated process for advanced memory analysis, correlation, and user-interaction that increases investigation accuracy, reduces analysis workload, and better detects obfuscated malware. This talk is especially perfect if you have conducted memory analysis before and understand the pain and difficulty with completing this type of investigation. During this session, I will provide many new features that optimize memory analysis to include a new, revolutionary interactive construct that provides a visual representation of artifacts and indicators extracted from memory. We will also cover a new data cross-reference (data xref) ability I built into the open-source tool (Xavier Memory Analysis Framework) that creates a new index and memory context feature to view how your keyword data is coupled with processes, modules, and events captured in memory. This data xref feature also allows you immediately pivot to create specific process-memory dumps and file extraction directly from each keyword entered by the user. Finally, a new concept called a System Manifest is delivered by this research. The System Manifest is a single file detailing significant artifacts (and their relationships) distilled from a memory image. This manifest allows Xavier to immediately reload the full memory image context in seconds versus hours to without this tool. The most beneficial feature about the manifest file creation is the new ability to create and analyze memory snapshots. This uniquely provides a new light-weight yet very powerful and precise memory analysis capability to automatically detect system changes captured in memory from malware execution especially useful for exploit dev and malware analysis and software reverse engineering! This talk is full of live-demos as we will take a real-world capture the flag memory analysis engagement, and demonstrate how the Xavier Construct optimizes memory analysis.

Threat Hunting

Threat actors and red team members routinely use turnkey offensive security tools such as Cobalt Strike and other commodity malware to carry out intrusion campaigns and emulate adversary behavior. Many of these tools are designed to validate security detection capabilities, but in the wrong hands, can be configured to operate in an abusive way. These generic offensive platforms carry a wealth of information about the campaign configuration. As a defender, knowing this information can significantly equip you to dismantle malicious campaigns and proactively defend your network. This talk will focus on collecting memory segments from several malware families, extracting and parsing configurations, writing the data back into an open-source data analytic platform, and use cases on how defenders can use this data to impose costs on adversary activities and campaigns. The collection, extraction, parsing, and analysis will be accomplished by using open-source tools we have released to the community.

Not unlike the Corona Virus and its variants, the infosec community need to accept the fact that Ransomware is not going away anytime soon. This talk focuses on how busines can move away from the elimination approach towards a managed prevention approach. This is a presentation that covers everything you need to know to get started towards transforming your organisation to be ransomware resilient. Ransomware has been around for quite some time now and the good thing about that is that we have learnt a lot about this threat in that time. We dig deep into our past experiences from responding to security incidents involving ransomware and share our learnings with the audience. We discuss what to focus on while analysing ransomware and how to create effective detections for ransomware, based on core components of the malware and it’s behaviour. We share our ideas on how to create an environment within organisations that is ransomware aware and ready for response when an attack involving ransomware eventuates. From our experiences across industries spanning healthcare, technology, finance, manufacturing and commerce, we share knowledge that can be used to build a ransomware-resilient infrastructure. We cover topics such as what to look for when taking out a cyber insurance policy, along with strategies on how to handle communications during and after the incident. Let’s face it, ransomware is a threat that is here to stay, we need to adapt to living with it and best preparing organisations to manage it when it strikes. Proposal Details / Session Outline Ransomware is one of the biggest and most common security threats to organisations globally today and attacks involving ransomware are on the rise, as are ransom payments across all major industries. And yet, most organisations today do not have a ransomware-readiness plan or basically, do not know what the basic steps of ransomware response are. In this presentation, we describe the current ransomware threat landscape based on the real-world security incidents that our team at Ankura’s DFIR practice responds to, combined with research and intelligence gathering activities that we undertake as part of our efforts in enhancing our defensive capabilities. We present several techniques that we have successfully deployed in defending against this threat, covering both preventive and mitigation-focused approaches. Specifically, we share the following with the audience: Introduction: What does the current ransomware threat landscape look like and why we need organisations to be ransomware aware and ransomware resilient. How are ransomware groups operating and what are the main motivations behind these attacks as we see in real-world incidents. How do we respond to these incidents in a way that is simple to implement and easy to manage. We take a look at some real-world cases and how we responded to them successfully and share the learnings with the audience. We share with the audience how to build and implement systems that help create an environment that supports detection and response in the event of a ransomware incident, including how to develop a ransomware-readiness task-force. We talk about what to look for when it comes to cyber insurance policies for your organisation We present on how to build a communication strategy that works out of the box during an incident involving ransomware We share resources and further reading for the audience Q&A.

Threat Hunting

This session is about finding, confirming and mitigating fresh Indicators of Compromise (IoC) with true automation. It is very important nowadays to stay up to date with all of the cyber threats posed all over the world. It is widely known that there are not enough resources to be found to fill up every security operation center (SOC). Therefore, many organizations struggle with coping with massive amounts of new types of attacks and generated alerts from their tooling. During this session, you will learn how to hunt (and automate your hunt) for active cyber threats in your environment and contain them using integrated connections to network, endpoint, and cloud products. The key component here to battle false positives, is correlation of sightings into a single incident.. This session is targeted at SOC management, cyber security engineers, threat hunters, and analysts. It will touch on threat

Session details to come.

This talk focuses on the researchers work with one of the largest medical device companies Medtronic. As a patient herself with an implanted medical device she has skin in the game. Medical devices have become more interconnected. It is estimated that there are 3-6 networked medical devices next to a patient's bed at any given time. There are nontraditional devices in that they are implanted in a patient, it often connects to an application that has valuable logs. These are often not ingested or centralised. This talk focusses on the Project Observability which builds in Incident Response capabilities in the design phase of medical device manufacturing, measuring the logs and finally ingesting and visualising the data. This talk also focusses on nontraditional approaches to logging on low energy embedded devices. Traditional DFIR deals with data that already exists, however the line in the sand is being drawn in that building better logs for better observability allows for the understanding of threats, or attempts made to breach the medical device. From having bad or no logs to have logs that allow for early detection and threat analytics. Understanding baseline behavior of the medical device eco-system allows for earlier detection. The industry is moving away from prevention as the standards towards detecting fast and responding faster. This talk will present the good the bad the ugly and now the observable.

Little attention is given to tracking the perpetrators of cyber-attacks in the world of forensics. DFIR teams can usually attempt to answer the question of what an attacker did, how they did it and when, but rarely who has done something. Fortunately, there are some methods of answering this question using open-source intelligence – methods which have been used successfully to trace the location and identity of threat actors in recent years. Attendees will learn how to get OSINT leading to the identification of a threat actor, based on real life examples, techniques and demos of new free tools including:

• Revealing deleted parts of screenshots and PDF files
  
• Discerning fake social media accounts
  
• Finding IP addresses belonging to VPN services likely to be used by cyber criminals
  
• Results of original research of thousands of leaked accounts, into identifying gender, age and predicted passwords in use, from the chosen usernames and passwords.
  
• Uncovering identities from pseudonyms
  
• Using account leaks, search engine analytics, maps, social media, images and more, to hunt threat actors.
  

This talk will show how focusing more on finding the source of cyber breaches will reduce attacks in the long run and how OSINT can be harnessed legally to discover the identity of cyber criminals. Key takeaways:

Techniques and tools to find the identity of a threat actor based on real life examples, how focusing more on finding the source of cyber breaches will reduce these attacks in the long run and the types of OSINT and how it can be harnessed legally to discover the identity of threat actors.

vSphere is VMWare's virtualization platform composed of hypervisors (ESXi) and a management console (VCenter). According to VMWare more than 80 percent of virtualized workloads are running on VMware technology. As a consequence, it is a prime target for attackers. In this presentation I will show how to use the DFIR4vSphere PowerShell module to collect logs and forensics artefacts on both ESXi hosts and the VCenter console. With the combined analysis of both data sources, the forensic analyst is able to characterize malicious activity on the virtualization platform. This presentation will show how ransomware groups target the vSphere infrastructure for maximal damage. I will also present how espionage groups use this platform to maintain access and perform lateral movement and exfiltration on a Windows infrastructure without using a single Windows malware. By using the DFIR4vSphere collection tool the forensics analyst will be able to spot the TTPs used by attackers to bypass defenses and stay under the radar. After this presentation the attendee will know what is important to investigate on a vSphere infrastructure and will be given a few leads on how to secure it.

Network and data breaches are becoming more prevalent every day. The Zero Trust framework has become the accepted framework for approaching this problem, combined with the recent security mandate from the President of the United States internal security is only going to get tighter. These security measures also impact our ability to conduct forensic investigations within our organizations. This presentation will cover some of those challenges, and present some solutions for forensic collection and review within a Zero Trust network.

What’s your worse case incident response scenario? And if that horrible thing happens, what would your organization need to help understand the how, what, when and maybe who? There are a lot of recommendations out there for what logs should be kept and for how long, what evidence to preserve, and what objectives you should have for an investigation. The problem with all of that is, it may not jibe with what you really need based on your industry, any regulatory or legal obligations your organization has, or your commitments to your customers, partners or vendors. This talk will provide you with some starting points for determining what’s important to your organization and what you should be thinking about when building out evidence and logs preservation.

Properly analyzing an incident is paramount in gaining situational awareness to properly contain a threat. Further, a comprehensive analysis may also tell you how an attacker was able to gain access to the environment. The challenge is matching the right analysis methods to the goals an analyst needs to achieve. What is needed is an understanding of the various incident analysis levels and what they can tell us. During the course of the presentation, the attendees will be given the five levels of analysis and the corresponding tools, techniques and processes to achieve the goals of each of these levels. This will allow them to align their own analysis processes to match what they are trying to achieve. This talk will cover five analysis levels: Detection Analysis, Preliminary Analysis, Root Cause Analysis, Intrusion Analysis, Attribution Analysis.

Durante la investigación de incidentes de Business Email Compromise (BEC) el correcto manejo y la evaluación de características específicas en los componentes de evidencia, pueden dar luces para determinar elementos clave tanto del compromiso como de los disparadores que permitieron la intrusión del adversario en las comunicaciones. Esta charla pretende presentar algunas recomendaciones iniciales para evaluar puntos críticos en las líneas de tiempo, así como estrategias para determinar posibles involucrados (en complicidad o sin ella) en las actividades objeto de investigación.

Durante esta charla presentare:

• Recolección de evidencia y correlación.
• Identificación y análisis de técnicas y tácticas generales de suplantación y acceso.
• Identificación de infraestructura configurada por los adversarios.
• Configuración de líneas de tiempo.
• Identificación de comunicaciones clave y análisis de contenido (Mensaje y adjuntos).
• Automatización del proceso.
• Actividades adicionales de investigación (Análisis de involucrados, Tendencias, OSINT).

Have you ever wondered what goes on behind the scenes when you "love" an iMessage chat or when you delete a message for everyone in a WhatsApp chat? What happens when you add people to groups or use stickers? How many times does your device store attachments? This presentation will provide an overview of two of iOS's most popular communication platforms - iMessage and WhatsApp. We will dive into the nitty-gritty on what you can uncover based on how a user interacts with their device and whether the forensics matches the user's story.

Exposición de cómo, una herramienta como Google Colab, puede ayudarnos a detectar anomalías, y potenciales amenazas basándonos en registros de BD, Logs a través del enriquecimiento de datos mediante la utilización de servicios de threat-intel y geolocalización.

Subtitle: Automated digital forensic analysis on Google Workspace using MITRE ATT&CK Cloud Matrix Framework.

Abstract: The recent adoption of cloud-based office solutions has lead to an increased effort on the part of threat actors to compromise these environments. As a result, digital forensic analysis of such environments has become a topic of research in and of itself. Despite its rapid growth and more than 5 million businesses as clients, research into forensic analysis approaches to Google is lacking.

In this talk I will showcase and release a brand new open-source tool that is able to acquire Google Workspace audit logs and maps individual events to MITRE ATT&CK techniques. On top of that the tool can automatically identify kill chains based on the audit logs. The presentation contains examples of threat actor techniques to demonstrate this. Finally, I'll share a sample dataset of Google Workspace audit logs containing evidence related to attacks used by threat actors to the public to allow for further research into this topic.

Las amenazas internas son un método eficaz y a veces sencillo que pueden causar mucho daño a una compañía.

A pesar de existir por mucho tiempo, en tiempos recientes la delincuencia cibernética ha adoptado esta metodología con gran eficacia. En esta charla hablaremos de los tipos de amenazas internas y sus motivaciones. Describiremos las fases de este tipo de ataque (Insider Kill Chain) y demostraremos cómo identificar mediante Threat Hunting algunas de las técnicas y procedimientos usados por estas amenazas internas.

Finalmente cubriremos algunas detenciones eficaces que ayudarán a los participantes a identificar amenazas internas durante las diferentes fases del ataque.

Con la ayuda de ingeniería social podemos lograr que uno o varios individuos hagan una serie de acciones determinadas por medio de engaños, chantaje o sentido de pertenencia a un grupo. Una vez que la víctima realiza las acciones el ciberatacante toma control y puede extraer, alterar, eliminar e incluso subir información creando casos de infecciones persistentes. El atacante puede realizar una copia forense y analizar con mayor precisión la información obtenida y usarla para su beneficio. Se plantea resaltar que una de las formas más comunes de ataques exitosos son por medio del uso de ingeniería social y cómo prevenirla.