Silicon Shecky

Infosec Practitioner

Connect

New Year, New Post, from the start

By 1 Comment

So much has gone on since my last post back in 2023, but too much to go over honestly. I am rebooting this blog as of this post and hopefully can be more consistent in posting about stuff.  So as we enter 2025 I want to take a look at upcoming stuff.

First off I am going to be speaking at Cyphercon this year in Milwaukee. The talk is going to cover some basics on where we can improve and through those areas lessen some of the burnout we run into. Yeah, I’m tackling one of the 500 ton elephants in the room. We also have a date for Bsides312 this year of June 1, 2025. Watch the website and socials for more information as it becomes available.

For those that don’t know I’m a regular contributor/host on the Talking About Information Security News podcast from Black Hills. It’s available on most podcast systems (Apple, Google, Spotify, YouTube). I’ve also discovered the Simply Cyber podcast which gives some great insight and fun banter on a daily basis.

Finally I want to remind everyone that bad things happen, and nothing is ever perfect. Make sure to take care of yourself physically, mentally and emotionally. It takes all of us to make things secure as possible, so help each other.

 

-Shecky

First Defcon – The results

By Leave a Comment

This year marked the first time I made it out to Defcon. I have known about this conference since the 90’s, just had not figured out a way to get out there and experience it. For those that want a TL;DR, it is a supersized conference. There are also plenty of smaller conferences that I enjoy as much or more than Defcon. That is how I perceived it. Now lets get into the nitty gritty of it all.

In the Beginning…

Before I got to Vegas for Defcon, I had been told about things like linecon, the merchandise lines and the like. There are still people and especially news outlets that give advice based on what Defcon used to be in a different era. This covered what to and not to bring, use and be prepared for, and much of it has changed over the years. When I arrived and went to linecon, the fact that where I work pre-paid for my entry, meant that linecon itself was a much shorter and less involved situation. I did observe the old fashioned, cash only linecon going on though, and how everyone went about their business. It also, while many times longer than what I stood in, seemed to move pretty well. The Goons kept people in the right areas, and were quite helpful. Like with anyone, you be nice to them, they will be nice to you. Merchandise was another long wait, and the fear of things selling out is real. I get it, you can only afford to have so much on site. It makes people wonder if the item(s) they want will be in stock when they get up front or at least in their size. Having 30,000 plus of each item is not realistic, and of course people will be disappointed in the end, unless you get there early enough. The organization of it was well done though. The line again moved smoothly, and I did not see any incidents. After going through both lines I walked into a War talk, which that first day was held int he main track area. Considering they were the only talks going on Thursday that I saw in Hacker Tracker(an awesome piece of software by the way), I was surprised there was standing room and people allowed into the track.

The Main Event

Moving forward to Friday, Saturday and Sunday daytime, overall things were decent. There was a lot of walking. My knees hated me, and I do Ninja Warrior workouts multiple times a week. How spread out areas were from the main building is the problem. It also causes a problem of getting to talks, or even back to your room to watch talks on the closed circuit TV, or even twitch. WiFi in the hotels tends to be limited to guests unless you wish to pay for it, and mobile data in areas seem to be spotty, or flipping around between networks. I get that it is Defcon, and you “shouldn’t be trusting anything” but how else do you use things like Hacker Tracker to keep up on what is going on where? The closed circuit T.V. did not always have all the tracks in the hotels. Mine only carried track 1,2, 3. Some carried track 4. Both Twitch stream and the CCTV had network glitching and freezing making the talks tough to watch as you would miss things.

One of the more interesting things I had heard before going to Defcon was, “do not think you will get into the main talks, but watch them on T.V.” Also it was mentioned to focus on the villages. I personally had no problem getting into any of the main talks. Where problems came up were a number of village talks. Red Team Village, the Misinformation Village, and the A.I. Village all were at capacity most of the time, and in the case of Red Team Village, I did not even try to go in just to look at non-talk stuff due to how long the line was. Also most of the villages I did make it into were talk based. By that I mean, unless you were the to do the village CTF or see a talk there was nothing in the village of note. The 2 exceptions to this that I came across were the RF Village and the Ham Village. Both of those were easy to get into also. Blue Team Village, which I was excited about, I had heard was moved at the last minute so their layout had to be adjusted, and that could be the cause of it not having some things that I thought it should, at least from a non-talk perspective. I did love that there was a lot of focus in ti on training, and the organizers did their best with what they had.

The Nightlife

So much goes on in the evenings. There are tons of private, invite only room parties. Some people go out and just hang with friends. Then there are the main Defcon parties. I got a taste of all of the above. The Defcon parties are nice, with the exception of drink pricing, but there is not much Defcon can do about that. With no open bars at any of the main events, it seemed to keep trouble down to a minimum, except for one thing which I will get into in a moment. One of the things I was looking forward to was Hacker Karaoke. I love to sing, and had heard about how fun it was. MY issues had little to do with how long the wait was, and more about the feel. Having run karaoke in my past I know the line was going to be long. The only thing on that which could have been better is making sure first time singers got up first. Not always easy to keep track of, but it is possible. Instead, the big issues I had are, the sound system was awful. You couldn’t really hear the music, especially when on stage singing. The mix needed to be better. Next was the screen itself, which was projected on the wall. Makes it tough to make eye contact with the audience to bring them into the song. Finally, back to sound, it was very tough to hear the KJ. between ambient noise, echo on the mic, and the low quality sound system it became tough especially when the main KJ stepped away and their associate would take over, who was more soft spoken.

The second night, i was just moving around from room to room. I wasn’t able to get into Hacker Jeopardy, but did go into the Arcade Party, which was pretty cool, especially the physical pong machine and the huge Foosball table. The people I caught up with there, we started walking to check out some of the other rooms when we slipped into the Chill Out Space cause of things going on in the hallway. This wound up being the start of the lockdown and evacuation due to the suspicious package. The Goons, and security were amazing during this whole situation. Their calmness helps keep the rest of us calm and everything went smooth getting people out of the building.

The Highs/Lows/Conclusion

I got to see a few cool talks. I missed out on other village talks due to lines. I saw some of the things I expected, such as unique outfits, furries, and people just being themselves mixed in with parents and their kids. If there is still a counterculture/deviant aspect to Defcon, it was not out in the open. The truth is Defcon felt to me like a conference that has matured over the years into a more normal conference with some small aspects of its former self. Would I go back, yes. Most of what would stop me is cost. Talks will be online, or at other smaller conferences. There is only so much on person can go and see. That said, it was definitely worth going.

Defender, KQL and Lockbit

By Leave a Comment

Recently, SentinelOne had a blog post about how Lockbit Ransomware was using Windows Defender to side load Cobalt Strike. Considering that this technique I sat down to write up a query(that is available at my Github here) for a custom detection of this procedure based off the information in the SentinelOne Blog post. Here I am going to go through the query and break it down.

The full query looks like this:

DeviceFileEvents
| join DeviceFileCertificateInfo on DeviceName //This is for checking if it is a signed version of the dll joined on Device Name for distinct usage
| where Timestamp > ago(7d) // look back over the past week
| where InitiatingProcessFileName == "MpCmdRun.exe" and IsSigned // checks to make sure that mpclient is being run
| where FileName contains "mpclient"// checks for the misused dlls.
| where FolderPath !contains "\\programdata\\microsoft\\windows defender\\platform" // do not check the normal location for the dll being run
| distinct   DeviceName, Timestamp, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath

So when I started writing the query I started simple. Look for the dll name which is mpclient not running from its normal location. this mean I would be starting in the DeviceFileEvents table. It simply came about to look like this:

DeviceFileEvents
| where FileName contains "mpclient"
| where FolderPath !contains "\\programdata\\microsoft\\windows defender\\platform"

This query returned the maximum number of results. First thing I noticed was the duplicate DeviceNames(computer names) in the list, so I added a line using the distinct command to get rid of that.

DeviceFileEvents
| where FileName contains "mpclient"
| where FolderPath !contains "\\programdata\\microsoft\\windows defender\\platform"
| distinct DeviceName, Timestamp, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath

While better, this query still was noisy. Updaters and some normal network services tended to call upon that dll in some other locations. So the question became how could I reduce the noise without blinding myself to extra paths? I went back into the original blog post and saw that the intel said the dll was being run using the MpCmdRun.exe command and that the command was legit and signed. Unfortunately the DeviceFileEvents table does not have a way of checking for signatures. While I could have done this:

DeviceFileEvents
| where InitiatingProcessFileName == "MpCmdRun.exe"
| where FileName contains "mpclient"
| where FolderPath !contains "\\programdata\\microsoft\\windows defender\\platform" 
| distinct DeviceName, Timestamp, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath

I felt that making sure the Initiating Process was signed would also help quell the noise a little. Checking for that required joining a table called DeviceFileCertificateInfo.  To bring in another table one must use the join command. The join command requires you to join the table with a common point. I originally thought the SHA1 of the process would be perfect, but came to realize that created a problem with my distinct output, so joining them on the DeviceName was the better option. When doing a join it never hurts to double check what field you can join the tables together on, as there are usually a number of options and it does make a difference.

| join DeviceFileCertificateInfo on DeviceName

Once joined I could use the IsSigned field to make sure there was a signature for the file/process. The question is where to put it. In the initial query I put it after checking for mpclient, but came to realize that doing it that way was also checking for a valid signature on the mpclient.dll file that was malicious. Since there would be no guarantee this would be the case I moved the join to immediately after the table call and added the IsSigned as a must have condition only for the InitiatingProcessFileName check.

At this point we have the full query as shown at the start. using  a couple of backslashes you can comment out any of the lines in the query for testing different parts of it.

When writing a query like this tables and field are listed on the left hand side of the Advanced Hunting screen. The value of having that right at your fingertips is huge. The hardest part is finding detailed information on fields or commands themselves. Even Microsoft’s own documentation on the web is pretty poor overall, so patience with trial and error is key. Kusto Query Language I have found is a powerful query language, and something people will need to know more going forward.