Maybe North Korea does not _care_ about attribution. They don't care about being named for an attack, because the attribution does not seem to hinder ops or increase any friction whatsoever, and what's more is that by sacrificing attrib, it affords them iterative speed. States are rarely monolithic, so when we see cyber stuff that appears to emanate or relate to a region or country, analysts try to assess the nature of it so that they can plot the alignment with the state. With China, Russia, U.S., that can be tough. Yet with DPRK, it's ~easy.

The "detection evasion paradox" is where attackers attempt to circumvent detection but in doing so they actually _generate_ new things that can be detected. It takes a well trained eye to spot these things, but the paradox benefits orgs w/ mature defense capabilities... One example, an adversary may attempt to hide C2 channel communications by using Cloudflare workers.dev, but the decision to use that creates a new signal. They don't know that this is unusual, exceptionally rare, any I can look for binaries that comm out like that.

Thread? I'm researcher and I do lots of malware analysis through network and endpoint data, but more so than technical artifacts, I study humans. I study the decisions they make, the designs, the things that they include and exclude when they develop malware and conduct attacks. Behind every C2, every persistence mechanism, every third party library included, every encoding or code language used, every feature, command and plugin, there are are deliberate and accidental fingerprints left because of human decisions that went into the development.

FLARE #AdvancedPractices has a rep of being a rowdy, hell raising analyst squad (in a nice, fun way). Our culture is to challenge our company norms, demand excellence, take risks, make mistakes, fail & succeed repeatedly. It's who we are.

A #FF of some teammates & team friends: @ItsReallyNick and @danielhbohannon taught me to $DoTheNeedful, whether I was asked to or not, Ship It and See What Happens

@reesespcres taught me to take chances and make bold moves in our production infrastructure, to get innovate despite seemingly-immobile technology

We track a few dozen code languages as they relate to malware and other binary blobs, but I am particularly interested in: Lua, Go, D, NIM, F#, Rust, Python (and various packagers/bundlers/installers/futzers for all of those) (inspired by both @TheEnergyStory and @k_sec) One way malware developers get extra mileage out of their work is once it has been burned/detected in one code language, they simply rewrite it in another! Many antivirus engines and ML models do not have sufficient sample data for new code language features.

Everyone has diff vernacular for their models and ideas, but I define detection on a spectrum, where logic for the purpose of finding evil is measured by output fidelity, result set size, time/expertise requirements for review, and most importantly, “threat density.” #detectrum The #detectrum is just a mental model for me, a way to explain the different intents and purposes for all sorts of logic and technologies and haystacks that help us find and attribute intrusion activity.

#ConventionEngine: Part Cinq - OLE Edition

ConventionEngine is *mostly* about PDBs, directory paths that reflect something about the original code project and development environment. The paths are the signal. Where else will they show up? Why, in OLE objects! Let's explore... We had a revelation that seeing an RTF with an OLE is not that crazy, but when that inside OLE has, for whatever reason, a full directory path, the whole object becomes so much more interesting. For example, RTF with OLE with C:\Users\ in it. Let's use Yara to take a measurement.

How do @Mandiant UNC clusters get formed, merged, and graduate to APT groups or even personas? Look at serial crimes and sprees in meatspace. Multiple crimes on multiple victim systems, multiple places. It takes forensic evidence to tie the cases together. It's the same process. Foot impression from the crime scene. Is it unique? What shoe is it, where was it sold? How many made in that size? You have to know if the evidence is unique. All the casings, latents, entry toolmarks. Technical evidence is how we group crimes together and move towards an actor.

Students of #infosec: @Mandiant and @FireEye folks have put out tons of blogs over the years. Careful reading of these can help you build familiarity with threat actors, intrusion TTPs, and threat data. And sometimes they're just fun. Here's a thread with some of my favorites: FIN7 related

LNKs
fireeye.com/blog/threat-re…

SDB persistence
fireeye.com/blog/threat-re…

RDFsniffer
fireeye.com/blog/threat-re…

CARBANAK
fireeye.com/blog/threat-re…

ExportEngine: Find Evil by PE Export DLL Names

(a #dailyyara thread)

PE files w/ exported functions often contain an image directory entry that we usually call something like "PE DLL name" or "export DLL name"

This string is "analytically rich" and is surfaced in many tools Here in a sample of EVILTOSS (APT29) we see lots of valuable metadata in the IMAGE_EXPORT_DIRECTORY but it also contains the plain-as-day export DLL name "install_com_x32_as_dll.exe"

You may not think attribution matters, but I think attribution is also on the detection spectrum, or #DETECTRUM. I'm trying to think about it as layers of additive traps that enable us to hedge our bets for visibility, resilience in detection, sometimes to figure out who dun it. I think the #DETECTRUM can be used to model both inputs and outputs of the detection engineering process - whether you're plotting "logic designed to find evil," alerts, the tech, or the or the data itself. The graphs might look a bit different, but same ideology might be useful

The basis for #SwearEngine is that malware developers are developers too. The catharses in their malware code manifest in a multitude of coarse expressions. Thus we can use the presence of swear words as a "weak signal" to surface interesting files. #threathunting You may balk at #SwearEngine for being #basic but consider that this rule, looking for PEs with one single "fuck", detects malware samples used by APT5, APT10, APT18, APT22, APT26, Turla, FIN groups, dozens of UNC espionage clusters. Too many to list.

Hopefully the 2019 @CrowdStrike “heat map” and global prevalence of @MITREattack will set a precedent for how vendors publicly discuss TTPs, allowing defenders to prioritize detection efforts based on evidence rather than cool factor: crowdstrike.lookbookhq.com/web-global-thr…

https://twitter.com/stvemillertime/status/1061999557205143552

The @CrowdStrike report does not discuss the biases nor provide real hard numbers on the TTPs, which I know from experience are hard to deduplicate on intrusions (some are over represented and some are under represented). Maybe @_devonkerr_ or someone can shed some light here.

Mal devs themselves introduce some of the funniest & hi-fi (although short lived) detection opportunities. Amongst several applicable HTTP methodologies, we see "Content-Type:application/octect-stream." Don't manually type out your HPTP headers for your C2 protocolols. #dailypcap This network traffic comes from newish backdoor ExileRAT (compiled 2019-01-30T07:05:47Z) 606e943b93a2a450c971291e394745a6 that was hanging (with a multitude of other evil) on recently #opendir "http://27.126.188[.]212" There are ties to a humongous cluster of probs CN espionage.

Another quick .NET triage/analysis of a related #PUBNUBRAT dropper/launcher (?) 1d155032232cd40c1788271546af36ec (U4.conf). This one we start immediately with extracting the 'app' resource using dnSpy to get 5bbe762b83e051776f1b5ea30ffc0050 (application/x-lzip). 5bbe762b83e051776f1b5ea30ffc0050 decompressed to the goliath ~8MB ca19c3c3c2ef656b33d7173a49186f5a (application/x-dosexec) which is also a .NET binary. Back in dnSpy, which nearly chokes on the size, we finally get to a main decryption routine.

This is malware analysis 101 for most folks, but I thought I'd share a quick thread on easy .NET analysis using a recent wave of a malicious xlsx downloading PUBNUBRAT. cc @issuemakerslab @blackorbird and @navSi16 who all tweeted about this in Jan. #threathunting #dfir

https://twitter.com/issuemakerslab/status/1088027746649792512

88017e9f2c277fa05ee07ecc99a0a2dc (홍삼6품단가 .xlsx) is a doc that has multiple follow-on payloads including 05683b9a13910d768b7982d013c31cb9 (U3.conf)... see also 홀리데이 와이퍼(Operation Holiday Wiper)로 귀환한 로켓맨 APT 캠페인 by @alac blog.alyac.co.kr/2089

My @FireEye friends @DavidPany and @deeemdee4 put out a badass blog on tunneled RDP. What is it? How is it used? What can you do to find it? Read more here: fireeye.com/blog/threat-re… Tunneled RDP typically refers to an interactive RDP session that occurs over the same "channel" as another comms session. This is done in a variety of ways, but primarily established through either a backdoor implant or a utility with some sort of port forwarding setup.

Today at #S4x19, @electricfork and I debated different sides of "if OT tools and talent are needed to detect attacks on ICS." Some thoughts on ICS attacks and #TRITON in a tweep thread. For the debate, I'm not convinced either way because there are few *public* intrusion data sets for either side of the argument. I think peeps are over it now, maybe no point to sharing this, but to get the convo started let's dump/share some rando #TRITON #TRISIS TTPs.

One #DFIR / #INFOSEC thing that is useful to me that I wished I had learned sooner: the art of PDB path pivoting for #threatintel and mal analysis. This is pretty easy, but can be a crazy strong pivot for anyone studying large, tenured threat groups such as many espionage actors. PDB Path Pivoting Primer

This is a tweet thing about malware PDB paths and their role in the disco, DFIR and/or #threatintel processes, using #KeyBoy as an example.

3/4) What are PDBs?
5) Where/why will I see PDB paths?
6/7) How can I use PDBs paths?
8-n) PDB paths and #KeyBoy