Building a Canarytoken to Monitor Windows Process Execution

Presented at CactusCon 11 (2023), Jan. 28, 2023, 5 p.m. (60 minutes).

Have you ever wanted a simple alert if an unexpected Windows process runs on a host? The open source Canarytokens project allows teams to build simple tripwires to alert on attacker actions. From opening documents to fake QR codes, the platform is simple and easy to use. We've recently built a new free Canarytoken type that allows you to set up a quick alert when you want to know any time a specific Windows file is executed. In nearly every ransomware report, we can see attackers running a series of commands on endpoints. What if you wanted to monitor critical systems and endpoints for sensitive commands? For example, suppose you wanted to see an alert if someone runs nltest.exe, qwinsta.exe or bitsadmin.exe on a device? With this new token, we can create Canarytoken alerts for some of these commands as an early warning tripwire that something is wrong, or that someone is running a command they should not be. Coupled with other telemetry, these Canarytokens may be just the rapid tipoff you need. This talk will explore our research and creation of the new Canarytoken. From Windows internals to encoding alerts over a DNS channel, we think these classical offensive techniques can strengthen your defense.

Presenters:

  • Casey Smith - Senior Security Researcher at Thinkst Applied Research
    Casey Smith is a Senior Security Researcher at Thinkst Applied Research. He enjoys continually working to understand and evaluate the limits of defensive systems. He led the development of Atomic Red Team, an open-source testing platform that security teams can use to assess detection coverage. His background includes security analysis, threat research, penetration testing, and incident response. Casey has spoken at several security conferences, including DerbyCon, Shmoocon, BlackHat USA, BlueHat, BlueHat IL, and Troopers.
  • Jacob Torrey - Thinkster
    Jacob is the Head of Labs at Thinkst Applied Research. Prior to that he managed the HW/FW/VMM security team at AWS, and was a Program Manager at DARPA's Information Innovation Office (I2O). At DARPA he managed a cyber security R&D portfolio including the Configuration Security, Transparent Computing, and Cyber Fault-tolerant Attack Recovery programs. Starting his career at Assured Information Security, he led the Computer Architectures group performing bespoke research into low-level systems security and programming languages. Jacob has been a speaker and keynote speaker at conferences around the world, from BlackHat USA, to SysCan, to TROOPERS and many more. When not in front of the computer, he enjoys trail running, volunteering as a firefighter/EMT, and hiking with his family.
