Steve @stvemillertime, 15 tweets
One #DFIR / #INFOSEC thing that is useful to me that I wished I had learned sooner: the art of PDB path pivoting for #threatintel and mal analysis. This is pretty easy, but can be a crazy strong pivot for anyone studying large, tenured threat groups such as many espionage actors.
PDB Path Pivoting Primer

This is a tweet thing about malware PDB paths and their role in the disco, DFIR and/or #threatintel processes, using #KeyBoy as an example.

3/4) What are PDBs?
5) Where/why will I see PDB paths?
6/7) How can I use PDBs paths?
8-n) PDB paths and #KeyBoy
What are PDBs?

Program Data Base (PDB) files are used to store debugging info about a program when it is compiled. The PDB stores symbols, addresses, names of resources etc. Malware devs often have to debug their code and end up creating PDBs as a part of their dev process.
Inside another sample PDB we see links to the original C# code files in the development folder. This malware must be super l33t because the dev's username is DarkSkeleton.
Where will I see PDB paths?

If a malware dev has "debugging enabled", the PDB path is often embedded in the debug portion of a PE upon compilation. The PDB path gives insight into the dev computer and can leave clues that help analysts discover additional malware.
How can I use PDB paths?

Analysts use PDB paths to: infer things about the malware development environment; cluster/relate malware families; discover new malware and tools made in the same dev environment. Here we see a PDB path under IMAGE_DEBUG_TYPE_CODEVIEW.
You'll want to tokenize the PDB path and search for the most unique values, especially for user and PDB file names, which often do a great job at contextualizing the program's development, purpose, and history.
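As an added example (not from the thread, and not anyone's production tooling): the CodeView record that an IMAGE_DEBUG_TYPE_CODEVIEW debug-directory entry points at has a fixed layout ("RSDS" signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path), so it is easy to pull the path out and tokenize it. The GUID, the path and the noise list below are constructed for illustration; DarkSkeleton is borrowed from the thread, everything else about the path is made up.

```python
import re
import struct
import uuid

# Constructed CodeView "RSDS" record, i.e. the blob that an IMAGE_DEBUG_TYPE_CODEVIEW
# debug-directory entry points at: 'RSDS' signature, 16-byte GUID, 4-byte age,
# NUL-terminated PDB path. The GUID and path here are made up for this example.
SAMPLE_PDB_PATH = (r"C:\Users\DarkSkeleton\Documents\Visual Studio 2010"
                   r"\Projects\loader\Release\loader.pdb")
SAMPLE_RSDS = (
    b"RSDS"
    + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    + struct.pack("<I", 3)                 # age
    + SAMPLE_PDB_PATH.encode("ascii") + b"\x00"
)

# Path segments that almost every Visual Studio build shares; useless as pivots.
# This list is an assumption for the example, extend it from your own corpus.
NOISE = {
    "users", "documents and settings", "my documents", "documents", "desktop",
    "source", "src", "repos", "projects", "work", "vs",
    "release", "debug", "x64", "x86", "bin", "obj",
}
NOISE_RE = re.compile(r"^(visual studio( \d{4})?|vs\d{2,4}|vc\d+)$")


def parse_codeview_rsds(blob: bytes) -> dict:
    """Parse an RSDS CodeView record into its GUID, age and embedded PDB path."""
    if len(blob) < 24 or blob[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=blob[4:20])      # stored little-endian on disk
    (age,) = struct.unpack_from("<I", blob, 20)
    end = blob.find(b"\x00", 24)
    if end == -1:
        end = len(blob)                        # tolerate a missing terminator
    path = blob[24:end].decode("utf-8", "replace")
    return {"guid": str(guid), "age": age, "pdb_path": path}


def _is_noise(segment: str) -> bool:
    s = segment.lower()
    return s in NOISE or NOISE_RE.match(s) is not None


def tokenize_pdb_path(path: str) -> dict:
    """Split a PDB path into user name, project directory, PDB file name and the
    remaining non-generic segments that are worth searching on."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]                      # drop the drive letter
    lowered = [p.lower() for p in parts]
    user = None
    for anchor in ("users", "documents and settings"):
        if anchor in lowered and lowered.index(anchor) + 1 < len(parts):
            user = parts[lowered.index(anchor) + 1]
            break
    pdb_file = parts[-1] if parts else None
    dirs = [p for p in parts[:-1] if not _is_noise(p) and p != user]
    project = dirs[-1] if dirs else None       # innermost non-generic directory
    pivots = [p for p in parts if not _is_noise(p)]
    return {"user": user, "project": project, "pdb_file": pdb_file, "pivots": pivots}


def yara_rule_for(pivots: list, name: str = "pdb_path_pivot") -> str:
    """Turn pivot tokens into a YARA rule that flags any file carrying one of them."""
    strings = "\n".join(
        f'        $s{i} = "{tok}" ascii wide nocase' for i, tok in enumerate(pivots))
    return (f"rule {name}\n{{\n    strings:\n{strings}\n"
            f"    condition:\n        any of them\n}}\n")


if __name__ == "__main__":
    rec = parse_codeview_rsds(SAMPLE_RSDS)
    tok = tokenize_pdb_path(rec["pdb_path"])
    print(rec, tok, sep="\n")
    print(yara_rule_for(tok["pivots"]))
```

The generated rule uses `ascii wide` because the same path string may be embedded as a narrow string in one build and UTF-16 in another; `nocase` covers developers who switch drive or folder casing between builds. Feed it to your scanner of choice against the retrohunt corpus rather than the live fleet, the tokens are pivots, not detections.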
PDB paths and #KeyBoy

I used the unique values in the PDB to start searching for related malware and ended up with a cluster of ~300 samples, ~250 PEs, ~80 of which had embedded PDB paths in the main file or a subfile.
With a simple chart of samples by timestamp and export DLL name, we see a concerted development effort for several related malware families, each with increasing sophistication, over a span of 10+ years (actually 2005 - 2018, but alas, I can only show so much...).
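To show the clustering and timeline step as code, here is an added example that is not part of the thread and not the author's tooling. It links samples that share any non-generic PDB path token (union-find) and then lays each cluster out by PE compile timestamp and export DLL name, which is the chart described above. Every record in it is constructed: the hashes are placeholders, the paths, export names and dates are invented, and none of them are real #KeyBoy indicators.

```python
import datetime as dt
import re
from collections import defaultdict

# Segments too generic to link samples on (drive letters are stripped separately).
# Assumed noise list for the example; tune it against your own corpus.
NOISE = {"users", "documents and settings", "my documents", "documents", "projects",
         "work", "source", "repos", "release", "debug", "x64", "x86", "bin", "obj"}


def _ts(y, m, d):
    """UTC date -> epoch seconds, the form of the PE TimeDateStamp field."""
    return int(dt.datetime(y, m, d, tzinfo=dt.timezone.utc).timestamp())


# Constructed sample records: hashes are placeholders; paths, export names and
# timestamps are made up to illustrate the method.
SAMPLES = [
    {"sha256": "<constructed-hash-1>", "ts": _ts(2006, 3, 1), "export": "httpdl.dll",
     "pdb": r"C:\Documents and Settings\DarkSkeleton\My Documents\httpdl\Release\httpdl.pdb"},
    {"sha256": "<constructed-hash-2>", "ts": _ts(2011, 6, 15), "export": "loader.dll",
     "pdb": r"C:\Users\DarkSkeleton\loader\Release\loader.pdb"},
    {"sha256": "<constructed-hash-3>", "ts": _ts(2015, 9, 2), "export": "ldr64.dll",
     "pdb": r"D:\work\loader\x64\Release\ldr64.pdb"},
    {"sha256": "<constructed-hash-4>", "ts": _ts(2018, 1, 20), "export": "bitsjob.dll",
     "pdb": r"D:\work\loader\bits\Release\bitsjob.pdb"},
    {"sha256": "<constructed-hash-5>", "ts": _ts(2016, 4, 4), "export": "a.dll",
     "pdb": r"C:\Users\build\proj\Release\a.pdb"},   # unrelated dev environment
]


def pivot_tokens(pdb_path: str) -> set:
    """Lower-cased path segments minus the drive letter and build-environment noise."""
    parts = [p.lower() for p in re.split(r"[\\/]+", pdb_path) if p]
    return {p for p in parts if not re.fullmatch(r"[a-z]:", p) and p not in NOISE}


def cluster_samples(samples: list) -> list:
    """Union-find over samples: two samples join a cluster if they share any pivot
    token. Returns clusters as sorted index lists, largest cluster first."""
    parent = list(range(len(samples)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]      # path halving
            i = parent[i]
        return i

    first_seen = {}                            # token -> first sample carrying it
    for idx, s in enumerate(samples):
        for tok in pivot_tokens(s["pdb"]):
            if tok in first_seen:
                parent[find(idx)] = find(first_seen[tok])
            else:
                first_seen[tok] = idx
    groups = defaultdict(list)
    for idx in range(len(samples)):
        groups[find(idx)].append(idx)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def shared_tokens(samples: list, cluster: list) -> list:
    """Tokens present in more than one member, i.e. what actually glued the cluster."""
    counts = defaultdict(int)
    for idx in cluster:
        for tok in pivot_tokens(samples[idx]["pdb"]):
            counts[tok] += 1
    return sorted(t for t, n in counts.items() if n > 1)


def timeline(samples: list, cluster: list) -> list:
    """Rows of (date, export DLL name, pdb path) in compile-time order."""
    rows = sorted((samples[i]["ts"], samples[i]["export"], samples[i]["pdb"]) for i in cluster)
    return [(dt.datetime.fromtimestamp(ts, dt.timezone.utc).strftime("%Y-%m-%d"), exp, pdb)
            for ts, exp, pdb in rows]


if __name__ == "__main__":
    for c in cluster_samples(SAMPLES):
        print("cluster", c, "glued by", shared_tokens(SAMPLES, c))
        for row in timeline(SAMPLES, c):
            print("   ", *row)
```

Two caveats worth keeping in mind when you do this for real: a single over-generic token (a project called "project", a user called "admin") will merge unrelated clusters, so check `shared_tokens` before trusting a merge, and compile timestamps are attacker-controlled, so a timeline built from them is a hypothesis to test against first-seen dates, not ground truth.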
Naturally, the devs evolved their malware over time. Launching backdoors went from HTTP downloading to search-order hijacking to bitsadmin jobs. Persistence moved from services to registry to memory-only (none). C2 moved from HTTP to binary to binary-over-built-in @wolfSSL.
PDB paths are an important pivot for any analyst studying malware, mal developers, or mal operators. I started with one random file PDB (d:\work\project\vs\) and built my cluster from 2018 backwards in time using string pivots (Yara scans and a lot of Googling and reading).
A decade ago, the code was sloppy, the malware was noisy, and the error comments were childish. The current malware shows code and capabilities that are modern and professional.
There are no smoking guns here. These dev environments may have supported multiple devs and multiple threat actors over the years. We will never know. Still, it is worthwhile to note that nearly *every* single sample of #KeyBoy malware uses pieces of a common older code base.
Hope that was a fun and maybe informative (?) read. I leaned heavily on public #KeyBoy lit from @rapid7, @TrendMicro, @citizenlab, @PwC_UK, @alienvault and VSEC. Thanks y’all.
Pro tip: don't forget to turn off debugging before you build your implants. #adversarymethods