BDIR Podcast Episode-010

TOPIC: To Agent, or not to Agent, that is the question

SPONSORS OF OUR PODCAST

www.Humio.com

TRAINING:

Mitre ATT&CK: What is it, how to use, and apply it to your organization

When - April 9th - 1 Day

Where - HouSecCon - Houston Texas

——————————————————————————————————————

Malware Discovery and Basic Analysis - Michael Gough

When - April 10th-11th - 2 Days

Where - BSidesOK - Tulsa Oklahoma

——————————————————————————————————————

NEWS-WORTHY:

Insurance company refuses to pay NotPetya bill, says it was an act of war; company sues for $100m

2-Factor Auth bypassed ???

773 Million passwords circulating on the Internet from past breaches

Bypass blacklisted words filter (or firewalls) via wildcards

  • https://twitter.com/omespino/status/1082361280248336384?s=19

  • C:\>powershell C:\??*?\*3?\c?lc.?x?   (launches calc)

  • C:\>powershell C:\*\*2\n??e*d.*   (launches notepad)

  • C:\>powershell C:\*\*2\t?s*r.*   (launches taskmgr)
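The wildcard launches above only work because the path is expanded by the program that receives it, so a defender's best vantage point is process command-line logging. The following is an added example (not from the podcast or the tweet it cites) that scans command-line fields of the kind found in Windows 4688 or Sysmon Event ID 1 records and flags any path token containing ? or *, rating it "high" when the token is what powershell was asked to run. The sample lines are constructed; the assumption that pwsh expands wildcards like powershell.exe is the author of this example's, not the page's.

```python
import re

# Constructed sample command lines (not real telemetry) in the shape of a
# Windows 4688 "Process Command Line" or Sysmon Event ID 1 CommandLine field.
# The first three mirror the wildcard-obfuscated launches listed above.
SAMPLE_COMMAND_LINES = [
    r"powershell C:\??*?\*3?\c?lc.?x?",
    r"powershell C:\*\*2\n??e*d.*",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\*\*2\t?s*r.*",
    r"powershell -File C:\Scripts\inventory.ps1",
    r"cmd /c dir C:\Users\*.txt",
    r"C:\Windows\System32\notepad.exe",
]

# A token that looks like an absolute Windows path (drive letter, colon, backslash).
WINDOWS_PATH = re.compile(r"[A-Za-z]:\\\S*")

# Hosts that expand ? and * in the path they are asked to run. The page shows
# powershell doing this; pwsh (PowerShell Core) is ASSUMED to behave the same.
WILDCARD_EXPANDING_HOSTS = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}


def basename(token):
    """Return the last path component of a token, lower-cased."""
    return token.rsplit("\\", 1)[-1].lower()


def find_wildcard_paths(command_lines):
    """Return one finding per path token that contains a wildcard metacharacter.

    ? and * are not legal characters in NTFS file names, so a path token that
    contains them is either a glob argument (dir C:\\Users\\*.txt, usually
    benign) or an obfuscated program reference. A wildcard token that directly
    follows powershell is the program powershell will expand and run, so it is
    rated "high"; any other wildcard path is rated "review".
    """
    findings = []
    for line in command_lines:
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if not WINDOWS_PATH.fullmatch(tok) or not any(c in tok for c in "?*"):
                continue
            previous = basename(tokens[i - 1]) if i > 0 else ""
            severity = "high" if previous in WILDCARD_EXPANDING_HOSTS else "review"
            findings.append({"line": line, "token": tok, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_wildcard_paths(SAMPLE_COMMAND_LINES):
        print(f"{f['severity']:6} {f['token']:32} {f['line']}")
```

This only helps if command-line auditing is actually on (Windows 4688 needs the "Include command line in process creation events" policy, or Sysmon), which is exactly the kind of setting the Windows Logging Cheat Sheets listed further down cover. Wildcards in arguments to dir, copy or del are common and benign, so the "review" tier exists to keep them out of the high-severity queue rather than to ignore them.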

SITE-WORTHY

1. Malware Archaeology - Home of the ‘Windows Logging Cheat Sheet(s)’

  • Windows and Windows Advanced Logging Cheat Sheets updated

TOOL-WORTHY

  1. BDIR - HaveIBeenPwned.com

  2. BDIR - LastPass or equivalent

MALWARE OF THE MONTH

  1. First Sednit UEFI Rootkit Unveiled

  • https://mirror.netcologne.de/CCC/congress/2018/slides-pdf/35c3-9561-first_sednit_uefi_rootkit_unveiled.pdf

  • Drops rpcnetp.exe into \system32 - installs as a service

  • Injects a DLL into svchost and then Internet Explorer

  • Replaces Autochk.exe - it checks your disks at boot, so DISK ACCESS !!!

  • Drops autoche.exe, which stands in for autochk.exe

  • Found another binary named info_efi.exe on some systems with LoJack

  • Found RWEverything Kernel driver tool

  • Found ReWriter_read.exe to dump SPI Flash memory

  • Found ReWriter_binary.exe... you guessed it, writes the rootkit into the firmware

  • Modifies the registry hive %WINDIR%\System32\config\SYSTEM

    1. Key: HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\BootExecute

    2. Changes “autocheck autochk*” to “autocheck autoche*”

    PREVENTION

    • Enable Secure Boot

    • Firmware Security Assessments using CHIPSEC

      1. https://github.com/chipsec/chipsec

    • TZWorks suite of bootdisk tools

      1. https://tzworks.net/index.html
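The BootExecute change is the one indicator in the list above that is cheap to check on every host, because the stock value is a single known line. Below is an added example (not from the podcast, the 35C3 talk, or any vendor tool) that audits a BootExecute value list and a System32 directory listing against the indicators the page gives. The registry values and directory listing are constructed; on a real system the key name is "Session Manager" with a space, and the default value is "autocheck autochk *", which this example treats as equivalent to the page's spelling "autocheck autochk*".

```python
import re

# Constructed sample REG_MULTI_SZ values for
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute.
# Windows' stock value is "autocheck autochk *"; the page shows the modified
# form "autocheck autoche*". The third sample is a constructed extra entry.
CLEAN_BOOT_EXECUTE = ["autocheck autochk *"]
MODIFIED_BOOT_EXECUTE = ["autocheck autoche*"]
EXTRA_ENTRY_BOOT_EXECUTE = ["autocheck autochk *", r"C:\Windows\System32\updater.exe /silent"]

# "autocheck <program> [*]", with or without the space before the asterisk.
AUTOCHECK_ENTRY = re.compile(r"autocheck\s+([^\s*]+)\s*\*?", re.IGNORECASE)

# File names the page lists as dropped or used by the rootkit installer.
# rpcnetp.exe is also the name of the legitimate LoJack/Computrace agent, so
# its presence is a prompt to investigate, not proof of compromise.
DROPPED_FILE_NAMES = {
    "autoche.exe",
    "rpcnetp.exe",
    "info_efi.exe",
    "rewriter_read.exe",
    "rewriter_binary.exe",
}


def audit_boot_execute(values):
    """Return (entry, reason) for every BootExecute entry that is not the stock autochk line.

    Every entry in BootExecute is run by smss.exe before the rest of the system
    is up, so anything other than the default deserves a look, not only the
    autochk -> autoche swap the page describes.
    """
    findings = []
    for entry in values:
        m = AUTOCHECK_ENTRY.fullmatch(entry.strip())
        if m is None:
            findings.append((entry, "not an autocheck entry; runs at boot before logon"))
            continue
        program = m.group(1).lower()
        if program.endswith(".exe"):
            program = program[:-4]
        if program != "autochk":
            findings.append((entry, f"autocheck runs '{program}' instead of autochk"))
    return findings


def audit_system32_listing(file_names):
    """Return the page's dropped-file names that appear in a System32 listing (case-insensitive)."""
    present = {name.lower() for name in file_names}
    return sorted(DROPPED_FILE_NAMES & present)


if __name__ == "__main__":
    # Constructed listing standing in for os.listdir(r"C:\Windows\System32").
    sample_listing = ["ntoskrnl.exe", "autochk.exe", "AutoChe.exe", "rpcnetp.exe"]
    for label, values in [("clean", CLEAN_BOOT_EXECUTE),
                          ("modified", MODIFIED_BOOT_EXECUTE),
                          ("extra", EXTRA_ENTRY_BOOT_EXECUTE)]:
        print(label, audit_boot_execute(values))
    print("dropped files present:", audit_system32_listing(sample_listing))
```

To run it against a live host, feed audit_boot_execute the list returned by winreg.QueryValueEx on the Session Manager key (winreg is in the Python standard library on Windows) and audit_system32_listing the result of os.listdir on System32. Secure Boot, as the page notes, is the prevention; this check is the detection for hosts where the firmware write has already happened or where Secure Boot is off.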

TOPIC OF THE DAY

To Agent, or NOT to agent, that is the question

So you were copied on a Twitter conversation by Frank McGovern…

  1. It started out from Florian Roth talking about CrowdStrike dividing endpoint solutions into 3 categories

  2. But it morphed into something else. Anton Chuvakin replied to your copy, then Richard Bejtlich (BateLick) chimed in about the quantity of agents, and it went from there, also pulling in Thomas Fischer and Greg Barnes.

  3. So describe how the conversation started and where it went

  4. MG describes

  5. So it took a turn into how many agents are acceptable or wanted on any individual system

  6. Discussion…

  7. Who decides what agents get used and installed?

  8. Would a pilot and testing help here?

  9. And why I asked about scheduled tasks running occasional checks

  10. So whatever endpoint solution(s) you choose, make them easy and simple, ideally set and forget

  11. We have to seriously look at an approach to securing our endpoints; maybe an agent for everything is not desirable, so what other options do we have?

  12. Your AV/EDR choices should get you 80% there

  13. What do we do about the last 20%?

  14. Focus on Detection and Threat Hunting using the tools, maybe agentless solutions to avoid agent bloat

ARTICLES:

None this month, look up the Twitter conversation

-----------------------------------------------------------------------------------------------