BDIR Podcast Episode-007

TOPIC: A little known guide of hacking tactics - ATT&CK - PART 1 (TORA TORA TORA)

OUR GUEST WILL BE:

  • Katie Nickels, ATT&CK Threat Intelligence Lead, MITRE

  • @likethecoins and @MITREattack

SPONSORS OF OUR PODCAST

Humio.com

Humio.com

LOG-MD.com

LOG-MD.com

NEWS-WORTHY:

Credit Freezes after Sept 21st, 2018 are FREEEEEE

Brian Krebs article

Track your luggage or Tracking YOU ?

"Do you use a Tumi bag? Registered it with Tumi's Tracer service? Your bag might not be the only thing being tracked. A reliable source we know told us that one way or another, Tumi may have lost track of the details of users who registered their bags with the service, and that whoever got a hold of it could use it for sophisticated phishing campaigns."

British airways website hacked 380K users affected

Tesla Model S and X cars can be REMOTELY opened

TOR Browser 0-Day

Bad Actors Sizing Up Systems Via Lightweight Recon Malware

SITE-WORTHY

1.  BDIR - Olaf Hartong Sysmon Modular

2. BDIR - Roberto Rodriguez @Cyb3rWard0 - Threat Hunter Playbook

Guest - Katie Nickels

  1. MITRE ATT&CK website

TOOL-WORTHY

  1. BDIR - Sysmon View and Sysmon Shell

Guest - Katie Nickels

  1. MITRE ATT&CK Navigator

MALWARE OF THE MONTH

EMOTET - 2 Samples

Sample 1 - Word Doc

  • PowerShell BASE64 blob to hide download

  • Use of DOS Cmd line obfuscation

  • Extracted to AppData\Local\Microsoft\Windows\slskey.exe (root of folder)

  • Another long random.exe renamed same hash

  • Also \Users\Public 203.exe - root of folder (never good)

  • Lots of .tmp files in users tempt made by slskey.exe

  • Typical Run Key persistence

  • Changed Firewall Policy for Remote Assistance (Different Log !!!)

  • WerFault, so something crashed, watch those logs too

Sample 2 - EXE

  • Deleted loader/installer upon execution

  • Typical Run key persistence

  • AppData\Local\Microsoft\Windows\random_chars.exe

  • 2nd copy, different hash in ProgramData root (Duh)

  • 3rd copy in ProgramData\GUID folder different hash

  • Created a scheduled task name of a GUID

  • Folder and Task name GUID’s did not match

Lesson Learned

  • Because we are so quick at LOG-MD evals, the malware could wait to do more

  • In one sample it created a task 5 mins or more after running LMD. The Run Key was caught, but another version stored in ProgramData made a Scheduled Task

  • Remember what we said on the last podcast… ENABLE Scheduled Task logging !!!

  • Launch Chrome BEFORE malware eval.. Damn Google Update schedule tasks

  • You might Audit C:\Windows\System32\Tasks folder for Adds

TOPIC OF THE DAY

A little known guide of hacking tactics - ATT&CK - PART 1 (TORA TORA TORA)

INTERVIEW WITH:  Katie Nickels of MITRE ATT&CK

So what is ATT&CK all about?

  1. What is ATT&CK?

  2. What is the goal of the project?

  3. Why should people care about this project?

  4. What are the components of ATT&CK

  5. What are you working on that is coming up?

ARTICLES:

MITRE ATT&CK 101

The Design and philosophy of ATT&CK

Cyber Analytics Repository:

CAR Exploration Tool (CARET):


Katie’s blogs on applying ATT&CK to threat intelligence: Part 1 and Part 2

Katie and her colleague John Wunder’s BSidesLV slides (YouTube video coming soon!)

Upcoming events for Katie and the team:

  • Katie is briefing at the FireEye Cyber Defense Summit on October 3-4

  • Catch a few team members attending Derbycon

  • ATT&CKcon is on October 23-24 (it will be live streamed if you can’t make it in person)

  • Follow us on Twitter @MITREattack for updates

Contribute !!!
Please contribute to ATT&CK! Email us at attack@mitre.org.

-----------------------------------------------------------------------------------------------

PART 2 - A little known guide of hacking tactics - ATT&CK - PART 2

We will discuss some new Cheat Sheets and what to do with them and why we created them, and some other info you can use