SwiftOnSecurity
@SwiftOnSecurity
Fri Jan 20 22:30:39 +0000 2017

Still working on my fully commented, production-quality Sysmon config. Lots of little things to tweak and refine. Will be ready for RSA2017. https://t.co/qpqJbeipBM

Here's Sysmon logging the uninstallation of a Winlogin notifier, which are DLLs loaded by the system at loginscreen https://t.co/zPxNlz4YGR https://t.co/nOgFfPU2W8

My deep understanding of the Windows desktop ecosystem is what makes this work possible. Your skillset is valuable, no matter what you think

You cannot secure something without understanding how it works.
Helpdesk? You have a front-row seat that security teams literally dream of.

For years, on every ticket I had, if there was any waiting, I would pull up Sysinternals Autoruns and HijackThis and just see the configs.

Security could do that, but you're in the prime spot to just dig into anything you want, and see how these configs work, for and against.

Hottest shit in InfoSec right now is "Threat Hunting."
If you're in helpdesk, waiting on an install on a user PC, guess what? Get hunting.

Let me tell you a story. I'd been in helpdesk for a year. I ran autoruns, I looked at logs, just to spend time and learn stuff. Then...

I notice something weird. Domain Admin is logging into the PCs pretty regularly. Wasn't sure. I asked network team, they brushed me off.

These logins come from random domain controllers. Is this a status check? Is something running? Nobody can tell me what it is. Nobody cares.

Setup a bait PC in a cube, start Process Monitor, exclude the normal stuff, and leave it for a few days. Cross-reference logins to the log.

Something called 2.exe was being dropped on the system, run, (other stuff I don't remember) and immediately exited. How do I get that file?

So made a batch file that forever looped copying c:\windows\2.exe to c:\temp, to try to grab it. I leave the PC for a day or so. I come back

I have it! I have 2.exe. Nothing detects it as a virus. What the heck is it?
I get our support contract info from my boss, contact Symantec.

A few days later, a weird IE bug we'd been having goes away. And we get tons of antivirus notification of "Trojan.Clampi.D" (or something).

I followed up on the case with Symantec over the phone, and the tech let slip they had seen like 10k or 100k detections of what I submitted.

Moral of the story is: Be curious. Learn how it works. Learn what's normal. More importantly, learn what's not normal and figure it out.

tl;dr all the domain controllers were infected and I told them there was a problem and they didn't believe me. They don't work here anymore.

This is why I emphasize the basics. That security isn't magic. Malware authors win with shitty code and old tricks because nobody's looking.

Fri Jan 20 23:19:36 +0000 2017