Leveraging Threat Intelligence with Active Defense White ... - HBGary

LEVERAGING THREAT
INTELLIGENCE
IN THE ENTERPRISE
USING HBGARY’S ACTIVE DEFENSE
Cyber-espionage and digital crime became a dominant issue during the first decade of this century. As we step
into the next ten years we are going to discover that most of what we have known about computer security is
wrong. The perimeter-based view of the network is too narrow. Checksums and signatures are non-scalable. DNS
blackholes do not address advanced multi-protocol command and control. Software security efforts have not
delivered safe code. Networks are more at risk today than they were at the turn of the century. This is an emerging
threat landscape that is changing everything we know about risk. The bad guys are in. This paper illustrates how
HBGary is solving the problem.

2 THREAT INTELLIGENCE WITH HBGARY’S ACTIVE DEFENSE
SUMMARY OF ADVANCED CYBER THREATS
Traditional security solutions, many of which were designed over 10-20 years ago, are struggling to keep up with the
amount of malware being released daily. Signatures, blacklists, and other security solutions that require prior knowledge
of a threat are losing against adaptive attackers. The efficacy of traditional solutions dwindles as the sheer volume of
malware increases. There needs to be a change in thinking about security. Focus needs to be on understanding how
malware succeeds and why. Today, malware is a tool for persistent adversaries. These adversaries could be financially
or politically motivated. The attackers are using whatever tools they have to their advantage. This includes the ability
to create malware with toolkits that have the ability to evade detection at the perimeter. The war is being fought on
the desktop with exploitation methods such as PDF’s, Flash, spearfishing email, and other targeted approaches. While
existing tools may be cumbersome to manage, newer technological advances have made it possible to get a better
handle on the malware coming into an organization. This paper describes that approach and how it can be used to
leverage an Enterprises’s existing security investment.
ACTIVE DEFENSE
Active Defense is designed to combat advanced malicious
intrusions and cyber threats in the Enterprise. Active Defense
gives an unprecedented view of the host-level threat and
can succeed where traditional antivirus has failed. Active
Defense can detect unknown threats without prior knowledge
or signatures by leveraging HBGary’s patent-pending Digital
DNA system. Once a potential threat is detected, Active
Defense can follow-up with enterprise-wide, scalable hostlevel
scans for indicators of compromise. Active Defense
is designed for rapid threat detection and near-realtime
response. Critical intelligence about an intrusion can be
gained in just minutes, including discovery of additional
infections and information about communication protocols
that can be used to create IDS signatures and block
communication at network egress points.
DETECTING INTRUSIONS WITH DIGITAL DNA
Digital DNA is exceptional at detecting hidden backdoors
within the Enterprise. Digital DNA detects malicious backdoor
programs by evaluating program behaviors. Behaviors can
include how a program survives reboot, how it communicates
on the network, or detected capabilities such as file downloads
or remote command shells. No single behavior makes a
program suspicious. Digital DNA sums all the program
behaviors together to determine if the program is suspicious.
The sum of these behaviors is what creates the Digital DNA
sequence for the binary and also the resulting weight. If the
weight is over a certain value (30.0) the program is considered
suspicious.
Figure 1, Active Defense monitors physical memory, raw disk, and live
operating system across the Enterprise. This is an unprecedented view
of host-level threats.
Figure 2, Digital DNA detects unknown and emerging threats with no
prior knowledge or signatures. Software behaviors are revealed and no
reverse-engineering is required.

3
THE NATURE OF ADVANCED THREAT
Intruders will often leave backdoors installed so they
can have persistent ongoing access to the network. These
backdoor programs have the ability to connect outbound to
an external server on the Internet (called a ‘command and
control server’). This external sever is used by the intruders
to deliver command messages to the backdoor program.
This means the attacker has remote access to the internal
network.
External control servers are often unsuspecting victims,
such as a hacked webserver. Many times, the connections are
HTTPS and it can be difficult to block this traffic with firewall
policy or inspect it with IDS equipment. Many backdoor
programs are configured with multiple different control
server addresses. The attackers keep these DNS addresses
pointed to 127.0.0.1 until they are ready to attack. They use
multiple DNS addresses so they can rapidly switch over and
defeat filtering if they are detected at the network perimeter.
This means DNS black-holes are not enough to address the
threat.
Web traffic is not the only means for command and control.
Attackers will often install multiple backdoors with multiple
different control protocols (for example, using instant
messaging instead of HTTPS). These secondary backdoors
are used as backup in case the primary backdoor program is
blocked or detected. If the primary backdoor is detected,
the attacker uses the secondary system to re-infect the
network with a new version of the primary tool. Removing
infections on a host-by-host basis without an enterprise
view of the problem is doomed to failure.
Many backdoor programs can be upgraded in the field and
allow the attacker to upload and download files. Attackers
can request, via the command server, that the backdoor
program download and execute any program. Furthermore,
most of these backdoors can connect out and offer a live
system shell to an attacker. This offers almost limitless
capabilities to the attacker.
Advanced attackers will typically leave multiple backdoor
programs within a single enterprise environment. Some
backdoors will be designed to hide for an extended period
of time without detection. They may sleep for weeks before
attempting to connect out to a command server. They may
have innocuous sounding names so they appear to be part
of the normal operating environment (such as a registered
service). Regardless of the name, the code-level behaviors
of the backdoor program will remain suspicious in physical
memory. Very often, the variant remote access tools are all
compiled from a common source base that can be detected
in physical memory. This is why it’s absolutely critical to
have a host-level view of the enterprise.
Figure 3, Active Defense supports triage of systems in large groups.
CONTINUOUS CYCLE OF PROTECTION
The optimum use of Active Defense is continuous scanning
of the network for early detection of intrusion. Detection
can be made in two ways. First, the Digital DNA system is
integrated into Active Defense. The Digital DNA system
is maintained by HBGary as a subscription and is updated
frequently. Digital DNA will detect suspicious programs
that will need a closer analysis. Second, the user can
add their own search patterns to Active Defense custom
to their environment. This allows the user to extend the
detection capability of Digital DNA with known indicators of
compromise.
To support ‘continuous cycle’ protection, HBGary
recommends a triage process in conjunction with Active
Defense. Within Active Defense, machines can be organized
into groups and subgroups (Figure 3, A.). For example,
physical locations and offices can be separated into groups.
Figure 4, Continuous cycle of protection - the goal is to get all machines
into the ‘CLEAN’ group and continuously verify they stay clean.

4 THREAT INTELLIGENCE WITH HBGARY’S ACTIVE DEFENSE
For each primary location, HBGary recommends that the
following subgroups be created:
- Clean
- Look at closer (LAC)
- Infected
The clean group is for all machines that don’t appear to
have host-level threats. This can be determined using Digital
DNA and verified using scans for indicators of compromise.
Machines that have suspicious binaries or behaviors can
be put into the ‘Look at closer (LAC)’ group. Finally, if the
machine is suspected as containing malware, remote access
tools, or other evidence of intrusion, they are placed into the
‘Infected’ group. Ultimately, the goal is to get all machines
into the ‘Clean‘ group (Figure 3, B.). On a periodic schedule,
a full scan for indicators of compromise (see next section)
should be applied against the set of ‘Clean’ machines, and any
machines that have suspicious behaviors are pulled back into
the ‘Look at closer’ or ‘Infected’ groups. This is a continuous
process.
INDICATORS OF COMPROMISE
Cyber threats are ever-present. In almost all cases, it is
not possible to fully eliminate the human attacker behind the
cyber threat. Even if an attacker is cut off from a network,
they are very likely to re-infect over time (i.e., eventually
someone will click on the infected PDF file).
Because of the constant nature
of threats, enterprises need to
focus on early detection and loss
prevention. The good news is that
because these attacks are digital,
there is almost always an artifact
that can be detected. Attackers
Because these
attacks are
digital, there is
almost always an
artifact that can
be detected.
not only use exploits, they also use tools to steal credentials,
move laterally about the network, and compress and exfiltrate
data. All of these activities leave behind forensic toolmarks
that can be detected with Active Defense. Once a threat is
detected, indicators can be developed to detect the attacker’s
tools, techniques, and methods.
Some example indicators are:
- Code-specific data within malware and remote access
tools, even those that are packed, obfuscated, or have
polymorphic MD5 checksums
- Compiler signatures specific to the attacker - detecting
any tool that may have been compiled by the attacker
- Last access times of command-line tools known to be
used by the attacker, such as ‘net.exe’, ‘at.exe’, and ‘ping.
exe’, detecting lateral movement
- Existence of deleted files, such as tools that were
downloaded to the system by the attacker, used, and then
deleted
- Artifacts of tool usage in memory, such as pass-the-hash
attack kits and network scanners
- Protocol-specific strings used by the attacker’s
command-and-control channel
Active Defense excels at detecting these indicators
of compromise and can detect re-infection when applied
continuously over time. Inevitably, new attacks will be
discovered and new indicators of compromise will be added
to the Active Defense scan policies. This creates a constant
opposing force that works against the attacker.
HOST LEVEL THREAT INTELLIGENCE
Active Defense has three primary information sources for
host threat intelligence:
1. Physical Memory and Digital DNA
2. Raw physical disk volumes
3. Live operating system data
Physical memory contains decrypted data buffers,
fragments and artifacts of activity, and all code that is
executing on system - even if that code is hiding from the
operating system (see Figure 5). Even packed or obfuscated
binaries are visible and present in physical memory. Physical
memory is superior in every way for the detection of malicious
code. Physical memory is the primary means by which Digital
DNA is calculated.
Figure 5, Digital DNA detects an injected memory module, even
though it has been unlinked from the list of loaded DLL’s. This
screenshot is from Responder PRO, HBGary’s stand-alone product
for physical memory analysis. Responder PRO integrates with
Active Defense for detailed memory analysis of compromised
systems.
Raw physical disk volumes are also a powerful source
of host-level information. Because the scan is against a
physical volume, files can be scanned even if they are inuse,
slackspace can be examined, and deleted files can be
scanned. Critical files can obtained in a forensically sound
manner, including the system registry, event logs, copies
of files that are locked or in-use, prefetch queue, user.DAT,
Figure 6, Active Defense is used to scan for last access times on
the ‘net.exe’ and ‘at.exe’ command line tools during the window of
compromise. This reveals machines the attacker has used.

5
and last access times (Figure 6, A). This information can be
used to reconstruct a timeline of host-level events. Raw
volume scanning performance is very fast, in excess of 4GB
per minute. The scans are distributed and parallel, no data
is transferred over the network unless a hit is found. With
Active Defense, wordlist and pattern scans are now scalable
across the Enterprise. Results are easily exported into .XLS
spreadsheet form (Figure 6, B).
Active Defense can also query the live operating system.
Although the live operating system is not used with Digital
DNA , it still provides highly valuable information that can
be used during an incident response. The advantage to a live
operating system scan is the speed. Live operating system
scans have been known to complete in seconds. Incident
responders can scan thousands of machines in the Enterprise
for processes, DLL’s, strings, events, and registry keys. These
types of scans are often used to detect additional machine
infections.
ACTIVE DEFENSE QUERIES
Active Defenses supports a
simple-to-use query language that
will let you scan for host-based
Indicators of Compromise (IOC’s)
across the enterprise. This allows
systems with abnormal or specific
behaviors to be isolated as a subset
of the entire population of systems.
Anyone who is
skilled enough
to use Google
‘advanced query’
is skilled enough
to use the Active
Defense query
builder.
A query has several parts
(Figure 8). Queries can be executed against archived data,
or deployed live across the Enterprise. Queries allow the
user to build custom search criteria for their environment,
specific to the intrusions and threats that are known in that
environment. Over time, the set of queries will grow as more
intelligence is gained about the attacker’s and their methods.
Queries can be made against any data source that Active
Defense supports (Figure 7). These include:
- Physmem, a physical memory snapshot and analysis data
- LiveOS, a query against the live running operating system
- RawVolume, a query against a raw physical disk volume
Figure 8, The Active Defense query builder. Queries are very easy
to build. Anyone who is skilled enough to use Google ‘advanced
search’ can use the Active Defense query builder.
A query can be thought of as a statement like “match A in
B” where A is your search term, and B is a fully qualified path
to an object type. An example object type would be:
RawVolume.File.FileName
The above object type would target the raw physical
disk volume. Then, every filename on that volume would be
matched against your search term. For example, consider
Figure 9 - this simple query is made against filenames,
irrespective of path. The scan is forensically sound and will
not alter access times on files.
Figure 9, A simple query to detect the presence of ‘rar.exe’ on disk
The query builder interface (Figure 8) allows you to specify
multiple AND and OR relationships between search terms,
and has convenient drop-down lists to help you select search
criteria. A full description of all available searches can be
found in the Active Defense user documentation. Throughout
the rest of this whitepaper you will find example queries that
are useful for incident response.
Figure 8, A: the name of the query. Queries are saves and can be
re-used in multiple scan policies or report templates.
Figure 8, B: drop down listing available objects that can be
queried (also shown in Figure 7, A).
Figure 8, D: The subtype. This allows object meta-data to be
queried, such as path or timestamps, or internal data such as the
raw binary contents of the object, to be queried.
Figure 8, E: This is where you specify your match criteria. You
can specify a substring, timestamp, or a binary pattern with
wildcards.
Figure 8, F: OR boolean logic. You can specify multiple patterns
to be OR’d together.
Figure 8, G: AND boolean logic. You can specify multiple
patterns to be AND’d together. AND and OR can be combined.
Figure 8, H: Click here to save your query.
Figure 7, The various data sources that can be queried with Active
Defense.
QUERY BUILDER

6 THREAT INTELLIGENCE WITH HBGARY’S ACTIVE DEFENSE
The query builder lets you define one or more statements
into a single query. First, a query is given a descriptive name
(Figure 8, A.) All statements in a query must draw from the
same source. For example, if the query targets physical
memory, then all statements in the query are considered
rooted in the Physmem.* namespace. The source for a query is
set using a drop-down (Figure 8, B.).
After selecting the source, you must choose the full path of
the target you want to match against (Figure 8, D.). Here are
some examples:
Physmem.Process.CommandLine
LiveOS.Module.BinaryData
RawVolume.File.LastAccessedTime
The next step is to choose an operator. The list of available
operators may change depending on the object type that is
being queried. Example operators include:
“Contains”
“Matches Exactly”
“>=”
“=”
“Ends With”
Finally, once you have chosen the operator, you enter the
pattern or word that you want to match against (Figure 8, E.).
In addition to single-word queries, Active Defense supports
wordlists and pattern files.
Multiple queries can be combined together into an OR
relationship (Figure 8, F.). This would allow you to create a
query such as:
What follows is a description of a typical cyber-intrusion.
The attacker is a human being who is operating malware
and hacker tools from remote in order to steal information
from the Enterprise. This is sometimes called an ‘Advanced
Persistent Threat’ or APT attack. Because the attack is digital
in nature, malware is involved and forensic artifacts are left
behind. Detecting the malware and the forensic artifacts are
crucial to reconstructing the attack. In the following sections
we will use Active Defense to collect evidence and scan for
indicators of compromise across a large Enterprise deployment
covering tens of thousands of nodes.
INITIAL EXPLOITATION
In order to gain initial access to the network, the attacker
will typically use spearfishing, booby-trapped documents, and
web-browser exploits. Open source directories and domain
research can be used to recover hundreds of potential emails
to use for spearfishing attacks. Social networking sites that
cater to professional industry segments are also an avenue for
attack.
INITIAL DETECTION OF COMPROMISE
Initial detection of an intrusion can take many forms.
RawVolume.File.FileName = “mssrv.sys”
OR
RawVolume.File.FileName = “acxts.sys”
You can also combine AND and OR together (Figure 8, G.).
This would allow you to create a query like:
AND
RawVolume.File.FileName = “mssrv.sys”
OR
RawVolume.File.FileName = “acxts.sys”
RawVolume.File.Deleted = TRUE
The above query would match if a deleted file with the
name “mssrv.sys” or “acxts.sys” was detected. By using a
combination of multiple statements, very specific queries can
be crafted. Once a query has been defined, simply click SAVE
(Figure 8, G.).
ANATOMY OF AN ATTACK
Figure 10, Boobytrapped documents often contain javascript to call
out to exploitation servers. The actual exploit target is delivered
from the server and exploits the browser.
Digital DNA may reveal a strange program that appears to
be malware. SEIM products may produce alerts, or employees
may notice spearfishing emails or strange computer
behavior. This may alert you to an initial attack. In the case
of spearfishing, message archives can then be used to reveal
who has been targeted and which subnetworks may have been
attacked.
Machines that suffer from initial attacks may execute
boobytrapped documents, such as PDF documents, that
contain embedded shellcodes. These shellcodes must be
small by design, so these types of attack payloads will connect
out onto the Internet to download an additional executable.
Advanced server-backends exist to supply downloads and
exploit payloads to victim machines (Figure 10). After
execution, these malicious shellcodes will leave forensic
artifacts in physical memory, including the addresses and
URL’s of the external servers used for subsequent executable

7
downloads (Figure 11).
Downloaded executables will typically be camouflaged to
look like a non-executable file. This is specifically to evade
Figure 11, The physical memory of a compromised host reveals
the path used on the command and control server. Stripped of
the domain name, this becomes a generic IDS signature to detect
additional infections regardless of server address.
IDS systems. These files may be camouflaged as JPG images or
other binaries to evade IDS systems.
If such a file is detected as downloaded to a host, this
means the shellcode executed properly and thus the host
machine was successfully compromised. Machines that are
detected in this manner should be immediately scanned
with Digital DNA using Active Defense. If the URL’s of the
download path are known, the physical memory of the victim
host should be scanned for the URL path (Figure 11). This
may reveal the malware executable and reveal other potential
network IDS patterns.
INITIAL INFECTION
Only a small percentage of initial attacks may succeed, but
any single success becomes an avenue for network infiltration.
These initial systems are exploited and provide a beachhead
for deeper attacks into the network. Some of these initial
infections can be configured as sleeper agents. The systems
will wait anywhere from a few days to a few weeks before
making connections back to the command & control server.
These initial beachhead infections may also involve multiple
different malware and multiple different command and control
server addresses. For example, the attacker may have several
dynamic DNS domains registered for command and control and
several different protocols for communication. Any single
network indicator is not enough, there will be multiple
methods of communication.
Once established, these initial infections are used by a
live attacker to probe deeper into the network. Of the initial
infections, only a few will be used and the rest will be used as
backup in case the initial nodes are detected. This means that
network level indicators are not enough to detect the scope of
the attack. Host level data is absolutely required to evaluate
the extent of an attack.
When an attack agent wakes up, it may report back to a
command and control server. It will usually report system
information about the infected host, the network, and user
accounts.
Once an agent has reported in, it can then be controlled
from remote. The attackers will now take remote-control of
these beachhead machines. Not all of the beachhead machines
will be used at once. Some of them will be reserved as backups
in case of detection. A common next-step is for the attacker
to upload command-line tools to the infected host. A remote
shell will be established using the malware, or commands will
be executed one-at-a-time from remote. The attacker’s goal at
this point is to probe the internal network, steal credentials,
and spread laterally through the enterprise. He will then
locate data and intellectual property worth stealing and
exfiltrate it.
COMMAND AND CONTROL
Once agents have reported in, they will register as a
controllable node with a central server. The attacker will
typically spread laterally through the network, installing
additional malicious agents as needed. Potentially hundreds
of these malicious agents are monitored from a central
location. The attack system will usually have a central
management console that resembles an enterprise console
(Figure 12). There are many different attack systems available,
some custom built and some available for purchase in the
criminal underground. Remember that a human attacker is
behind the malware, and even malware systems thought to be
common to only petty theft, such as Zeus, are in fact capable
of full access to the network and represent a clear and present
threat to intellectual property.
In order to evade IDS systems, the attack system will
typically use compliant protocols such as HTTPS. Using Active
Figure 12, the Zeus management console is better than most products
shown on the RSA ® Conference vendor floor.
Defense, the malicious binary can be extracted and analyzed
for protocol strings that are unique to the attack system. For
example, if the malware is using a specific User-Agent string,
this would make a very good IOC for scanning. Even if the
malware program is registered in different ways, as long as
the attacker is re-using the same protocol string then Active
Defense would catch it. In Figure 13, we see an IOC scan for

8 THREAT INTELLIGENCE WITH HBGARY’S ACTIVE DEFENSE
a query on last access times for net.exe.
dumpacls: this tool is a swiss-army-knife for making
queries about machines in a windows domain. A RawVolume.
File.BinaryData scan will detect if dumpacls has ever been
downloaded to a machine.
Figure 13, Scanning the entire physical memory of the enterprise for
known command-and-control strings.
two Mozilla User-Agent strings, one of which has a peculiar
combination of upper and lower case. This effectively detects
any system which has had recent command-and-control
protocol activity and has a near-zero false positive rate.
COMMAND ACTIVITY
Most remote access tools will have the ability to control
the infected computer, including the ability to spawn a
command shell or allow remote desktop control. Remote
controls can be quite complex and feature-rich. Figure
14 shows GhostNet, a Chinese remote access tool that was
suspected to be used for Chinese state-sponsored attacks on
political dissidents. The GhostNet tool has extensive features
for monitoring the desktop, browsing activity, keylogging,
and has full access to the network and filesystem.
Some remote access tools are full-featured, but the
attackers will typically download tools and use the command
Figure 14, The Gh0st remote access tool
line to probe the network, as opposed to using built-in
features of the malware. While the latter is possible, in
general this has not been seen in the wild. There are many
commands and tools that are commonly used for Windows
network exploitation. These include:
password hash dumping: using tools that dump password
hashes - these can later be cracked. There are many versions
of this tool, including PTH toolkit, Gsecdump, and pwdump.
snmputil: this tool ships with the Windows Resource Kit
and can be used to gather account names from remote hosts,
even when RPC connections are disabled. A RawVolume.
File.BinaryData scan will detect if snmputil has ever been
downloaded to a machine.
at: this command is already present on windows and is
used to schedule services on remote machines. This is often
used with drive shares to infect remote nodes with additional
copies of the malware backdoor program. Figure 6 shows a
query for last access times for at.exe.
psexec: another method for running a program on a
remote node, can be used to infect a node with a copy of the
malware backdoor. A LiveOS.Registry.Path query can be used
to detect the psexec service.
event log utilities: there are many variations and they can
be used to locate recent account logons on remote nodes, in
order to gather usernames, and can also be used to clean-up
event logs to remove evidence of attack. Again, RawVolume.
File.BinaryData is the most powerful way to detect if files
have ever been downloaded to the machine.
LATERAL MOVEMENT
Once the attacker has access, the goal is to steal user
credentials and spread throughout the network. Attackers
will often scan the network for vulnerable hosts and probe
systems before launching a full scale attack. Machines will be
infected with additional sleeper agents, and files will copied
and zipped up for subsequent transfer out of the network. All
of these activities leave traces on the machine that Active
Defense can detect in physical memory and on the raw disk
volume.
For example, assume the attacker manages to crack a
password hash for a domain-level account that is not typically
used for interactive logon. For example, this could be the
case if the attacker were to steal the admin account used with
a security or patching framework. If the attacker uses that
account to perform interactive logon sessions, a directory
net: the net command ships with windows and is commonly
used to query information about the network. Figure 6 shows
Figure 15, Searching for machines that have had an interactive logon for
the epo_admin account.

9
will be created under ‘Documents and Settings’ that would
not normally be present on a system. To detect all the
systems where the attacker has interactively logged on, you
could run a query similar to the one shown in Figure 15.
stealth since the scan is against physical memory.
Figure 18 shows an IOC scan for variants of the PsKey400
keylogger. The scans are against strings found in the base
DOMAIN CONTROLLER ENUMERATION
The attacker may use a variety of utilities to enumerate
the domain controllers in the forest. Most of these utilities
will use a common set of API functions. Figure 16 shows
the physical memory artifacts left behind after a domain
enumeration tool was executed. Scanning the physical
memory of the enterprise for these strings will reveal which
machines have had domain enumeration tools loaded.
STEALING PASSWORD HASHES
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00018630 6F 73 4E 61 6D 65 57 57 00 00 00 00 FF FF FF FF osNameWW....ÿÿÿÿ
00018640 16 00 EE 94 44 43 4C 69 73 74 45 6E 74 72 79 44 ..î”DCListEntryD
00018650 6E 73 48 6F 73 74 4E 61 6D 65 57 57 00 00 00 00 nsHostNameWW....
00018660 70 0E 00 00 13 00 D5 4A 44 43 4C 69 73 74 45 6E p.....ÕJDCListEn
00018670 74 72 79 53 69 74 65 4E 61 6D 65 57 00 00 00 00 trySiteNameW....
00018680 9C 1A 00 00 19 00 F3 20 44 43 4C 69 73 74 45 6E œ.....ó DCListEn
00018690 74 72 79 43 6F 6D 70 75 74 65 72 4F 62 6A 65 63 tryComputerObjec
000186A0 74 57 57 57 00 00 00 00 8C 13 00 00 17 00 51 73 tWWW....Œ.....Qs
Figure 16, Artifacts of domain controller enumeration tools
Attackers will commonly dump password hashes to gain
access to additional user accounts, with the goal of reaching
the domain admin account. Figure 17 shows a simple scan
across the enterprise for pass-the-hash toolkit. Any toolkit
imaginable could be scanned for in a similar manner. The
key lies in selecting unique strings from the toolkit binaries
that are certainly going to exist on-disk if the tool was ever
downloaded to a system.
DETECTING INSTALLED PASSWORD SNIFFER
Figure 18, Scanning the entire enterprise for an injected keylogger.
source code and thus detects variants, regardless of MD5
checksum.
Some password sniffing tools will install a packet sniffer
Figure 19, Scanning the entire enterprise for machines that have a
packet sniffer.
such as winpcap. In this case, a scan is quite simple. Figure
19 shows a scan to detect machines that have a packet sniffer
installed.
Figure 20 shows a scan for a password sniffer that injects
into LSASS.EXE. This sniffer is of Chinese origin and is
Figure 17, Scanning the entire enterprise for components of pass-thehash
toolkit.
Attackers may also install password sniffers and
keyloggers. These are almost always injected into memory
somehow. Scanning physical memory for strings that are
known to be in the keylogger will reveal systems that have
one installed. This approach will usually defeat packing and
Figure 20, Scanning the entire enterprise for machines that have a
password sniffer injected into LSASS.
injected into heap memory, there is no associated DLL or
module.
DATA EXFILTRATION
Attackers may collect multiple files together and compress

10 THREAT INTELLIGENCE WITH HBGARY’S ACTIVE DEFENSE
them into a single archive before uploading it to a remote
server. The attacker will commonly use ZIP, RAR, or CAB files
for this purpose. The following figures show a variety of
scans.
Figure 21, Searching for ZIP archives
Figure 22, Searching for RAR archives
CONCLUSION
There is no silver bullet. Cyber threats are here to stay.
Enterprise security needs to focus on early detection and
loss prevention. By detecting intrusions early, damage and
loss can be prevented. Because it takes time and money to
build software, even malicious software, the adversaries
won’t be able to change their malware every single day. The
attackers will re-use their software again and again. They
will infect multiple hosts with the same remote access tool,
or compile all their variants from the same source code base.
By focusing on code idioms and root behavioral patterns,
Active Defense can detect all of these variant threats with
a small number of patterns and over a much longer period
of time. Furthermore, with such extensive host-level detail
available, there simply is no better approach for detecting
malicious code in the Enterprise. The HBGary methodology
is sound and applies constant pressure against the adversary,
detecting all variants of a remote access tool within hours of
initial detection. Even when the attacker uses command-line
tools and features that are built-in to Windows, the forensic
toolmarks can be detected with Active Defense. Active
Defense will put you ahead of the threat curve.
Figure 23, Searching for split RAR archives
IDS SIGNATURE CREATION
In figure 11 is shown malicious URL artifacts from an
infected machine. Based on the URL we can build an IDS
signature. The domain name itself is stripped but the URL
path is preserved. In this way, even if the attacker moves the
command and control server to a new domain, the path will
still be detected. Based on the physical memory artifacts,
the resulting IDS signatures were created:
alert tcp any any $MyNetwork (content:”kaka/getcfg.
php”;msg:”C&C to rootkit infection”;)
alert tcp any any $MyNetwork (content:”/1/getcfg.
php”;msg:”C&C to rootkit infection”;)
IDS rules such as the above will trigger when the malware
attempts to communicate with it’s command server.
Additional infected machines can be detected at the gateway.
Furthermore, these connections can be blocked at the egress
point and the malware can be cut off from the mothership.
Potential data exfiltration can also be blocked. It should be
noted that blocking connections without first knowing the
extent of the infection may tip off the attacker that he has
been detected.

MORE INFORMATION
11
ABOUT HBGARY, INC
HBGary, Inc. was founded in 2003 to develop products to
counter APT and other unknown cyberthreats. HBGary has
in-depth expertise in advanced malware, rootkits, zero-day
exploits, and targeted threats. Customers include Fortune
500 corporations, DOD and other U.S. government agencies.
HBGary, Inc. is headquartered in Sacramento, Calif. with
offices in the Washington D.C. area. For information, please
visit http://www.hbgary.com.
Contact:
sales@hbgary.com
support@hbgary.com
Web:
www.hbgary.com
Corporate Address:
3604 Fair Oaks Blvd Suite 250
Sacramento, CA 95762
Phone: 916-459-4727
Fax 916-481-1460
Sales@hbgary.com

CORPORATE OFFICE
3604 Fair Oaks Blvd. Ste. 250
Sacramento, CA 95864
916.459.4727 Phone
CONTACT INFORMATION
info@hbgary.com
support@hbgary.com
www.hbgary.com