The OST map: mapping malware usage of open-source offensive security tools

Thursday 1 October 10:00 - 10:30, Green room

Paul Litvak (Intezer)



The development and publication of offensive security tools (OSTs) has become one of the more controversial talking points in the information security community. Some argue that releasing such tools to the Internet is irresponsible, as it allows adversaries to outsource the development of tools and techniques to the InfoSec community. Others believe the publication of these tools serves as a cornerstone of the education of new researchers, allowing defenders to mitigate newly discovered techniques and probe their own defences. However, little research has been presented to support either argument.

This research was conducted in order to show the extent of the influence of offensive security tools on adversary operations, specifically the use of open-source OSTs. We gathered the relevant leading open-source projects (such as Mimikatz, UACMe and many more) and compiled them with various configurations and flags in order to generate all possible binary code patterns. Using the code patterns we generated, we searched for similar code reuse patterns across a database of millions of malware samples and were able to create a map of open-source OST adoption by malware families.

In this talk we present a comprehensive map of the relationship between various open-source OST projects (implementations of code injection, privilege escalation and lateral movement techniques, among others) and threat actors. We will also cover each of the steps undertaken to build the map. Finally, we will explain how familiarity with these projects allows defenders to build YARA signatures based on code patterns, and we will present real, previously undetected malware campaigns that were discovered with this technique, together with the relevant YARA signatures.
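To illustrate the two steps the abstract describes (deriving a build-independent code pattern from several compiled variants of an OST, then using it both as a YARA signature and to map which malware families reuse the code), here is an added, self-contained Python example. It is not Intezer's pipeline or code; the project names (`ost_alpha`, `ost_beta`), family names and all byte sequences are constructed toy data, and variants are assumed to be equal-length so a position-wise comparison is enough.

```python
import re
from typing import Dict, List, Optional

# Constructed toy build variants: the same function from one OST project,
# compiled with different flags, so only immediates and stack sizes differ.
VARIANTS = {
    "ost_alpha": [bytes.fromhex(h) for h in (
        "55 8B EC 83 EC 10 68 11 22 33 44 E8",
        "55 8B EC 83 EC 20 68 55 66 77 88 E8",
        "55 8B EC 83 EC 10 68 AA BB CC DD E8")],
    "ost_beta": [bytes.fromhex(h) for h in (
        "31 C0 8D 4D F0 B9 05 00 00 00",
        "31 C0 8D 4D E0 B9 08 00 00 00")],
}
# Constructed "malware corpus": family name -> sample bytes.
SAMPLES = {
    "family_x": b"\x90\x90" + bytes.fromhex("55 8B EC 83 EC 30 68 01 02 03 04 E8") + b"\xCC",
    "family_y": bytes.fromhex("31 C0 8D 4D C0 B9 02 00 00 00") + b"\x00" * 4
                + bytes.fromhex("55 8B EC 83 EC 40 68 00 00 00 00 E8"),
    "family_z": b"\x00" * 24,
}

Mask = List[Optional[int]]

def common_mask(variants: List[bytes]) -> Mask:
    """Keep a byte where every variant agrees; None (wildcard) where builds differ."""
    n = min(len(v) for v in variants)
    return [variants[0][i] if all(v[i] == variants[0][i] for v in variants) else None
            for i in range(n)]

def yara_rule(name: str, mask: Mask, min_fixed: int = 6) -> str:
    """Render the mask as a YARA hex string; refuse masks too wildcarded to be useful."""
    if sum(b is not None for b in mask) < min_fixed:
        raise ValueError(f"{name}: fewer than {min_fixed} fixed bytes, pattern too loose")
    hexstr = " ".join("??" if b is None else f"{b:02X}" for b in mask)
    return (f"rule {name} {{\n    strings:\n        $code = {{ {hexstr} }}\n"
            f"    condition:\n        $code\n}}")

def mask_regex(mask: Mask) -> re.Pattern:
    """Same mask as a bytes regex, so samples can be scanned without a YARA engine."""
    return re.compile(b"".join(b"." if b is None else re.escape(bytes([b])) for b in mask), re.DOTALL)

def build_ost_map(variants=VARIANTS, samples=SAMPLES) -> Dict[str, List[str]]:
    """Map each malware family to the OST projects whose code pattern it contains."""
    regexes = {name: mask_regex(common_mask(v)) for name, v in variants.items()}
    return {fam: sorted(n for n, rx in regexes.items() if rx.search(data))
            for fam, data in samples.items()}

if __name__ == "__main__":
    for name, v in VARIANTS.items():
        print(yara_rule(f"reuse_{name}", common_mask(v)))
    print(build_ost_map())
```

The `min_fixed` threshold is the practical caveat: a mask with too few fixed bytes will match unrelated code, so a derived pattern should be checked against a clean corpus before being shipped as a signature.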


Paul Litvak

Paul is a security researcher and reverse engineer at Intezer. Paul previously served in the Israeli Defense Force (IDF) intelligence corps as a developer and later as a technical researcher specializing in OSINT automation. In his free time, Paul tinkers with various technologies and solves CTF challenges.

@polarply


