Hiding in Plain Sight
In this video, John Hammond and Ahmet discuss malware and its evasion techniques. They walk through how malware can hide in plain sight and evade antivirus detection through layered obfuscation and multi-stage payloads, and the session highlights the importance of human analysis in cybersecurity to uncover hidden threats and protect networks effectively.
- The webinar covered a presentation titled 'Hiding in Plain Sight,' which focused on a piece of malware using advanced techniques to evade detection and antivirus software.
- The presentation highlighted the importance of human analysis in cybersecurity to effectively detect and respond to complex threats that automated systems might miss.
- The session discussed a Capture the Flag (CTF) event where participants acted as incident responders to trace and mitigate a real-world botnet attack, demonstrating practical cybersecurity skills.
Video Transcript
All right. We are a minute early, but we wanted to get things going. I was so excited for this. I'm like, John, Ahmet, let's get going. Let's get out here. We had a few things we wanted to share with everybody before we started, but we can see the numbers ticking up here, and I'm sure they'll continue to. John, really looking forward to your presentation today, Hiding in Plain Sight. Maybe just give a quick vignette, if you will, of what we're covering today.
Yeah. In this session. No, absolutely. Thank you. Hiding in Plain Sight is a talk and presentation showcasing a snippet of malware that we found and uncovered that used some really, really interesting techniques to kind of hide under the radar and evade antivirus, and it had different layers and levels of complexity. It would use one stager to pull down another payload, and then another, and another. It's the gift that keeps on giving.
So it's a really cool story and I hope you guys enjoy it. Well, John, it's been a real treat to get to know you over the last few weeks. You're one of the newer hires at Huntress. Can you tell us just a touch about yourself? I like to brag right away about your YouTube channel. I love going there, 105,000 plus followers. I think you have a little bit of a background in red teaming and CTF, capture the flag, events.
Just give us maybe a quick overview, and then what we'll do is we're gonna briefly talk about who this capture the flag winner was for day one, and that's why Ahmet's here, and then we'll turn it right back to you. But John, a little bit about yourself would be awesome. Sure. Yeah. So, hello, my name is John Hammond, like you mentioned, and thank you for the small plug. I have a cheesy, silly YouTube channel where I showcase cybersecurity videos.
But I guess my background, I kind of got started in the Coast Guard and found my way through some DoD, kind of government, military side of the house. I worked with the Department of Defense Cyber Training Academy as an instructor and a teacher there, and then worked a bit with the Defense Threat Reduction Agency to be really on keyboard as a red team cyber operator. So a lot of fun stuff, but it's a passion, it's a hobby.
It's kind of just what I love between cybersecurity and computers. Yeah, you can see it. Jim, you're asking a question in chat. If you could just clarify for me and I'll take care of this either way: are you asking about recordings, John's recordings, or are you asking about the recordings that have happened thus far in the Cyber Trifecta? If you could just clarify for me, I can answer your question. As John's presentation goes today, I'm gonna minimize my window. Thanks, Jim.
I'll tell you in a second, I'm gonna minimize my window. I'll keep an eye on chat in case there's questions for John, and I can queue those up for him. There's also, you know, what's easiest for me to keep an eye on: there's an Ask a Question section, you'll see it down toward the bottom, versus chat. If you guys could use that, that would be awesome. David Patterson, yes, that's exactly the YouTube handle. Thank you for that, Jim.
Your question about where the recordings for the sessions thus far are: if you look right at your computer screen in the upper left, you'll see Schedule, and we should be on session five. There's an echo. Are you guys getting an echo from me? No, no, no. Maybe you have two windows open. Look for this. I don't think so. Do you guys hear an echo? Yeah, Tim doesn't hear an echo. I don't personally know. Okay. Alright. Yeah, Becky, I'm not sure.
I'm not sure. Yeah. Sound, everyone's saying it's good.
So, by the way, Jim, you'll see it in the upper left. That's how Crowdcast works, no matter what Crowdcast you're using: if it's a multi-session event, you just go into the upper left and it'll say Session X of Y. Right now we're in session five of seven, and if you click literally on that, it'll pull down everything for you and you can click to the prior sessions. For example, Wes Spencer, CISO of Perch, who I see out there right now, Jim, their session yesterday was phenomenal.
I highly encourage you guys to see that. Okay. So without further ado, like I said, just pop your stuff into Ask a Question. Ideally I'll try to keep an eye on both, but that would be easier for me to queue up for John if you have questions as this goes on. Okay. So, CTF, Capture the Flag, event going on right now. Day two is going on as we speak.
And a huge thanks to Ahmet and the team from Cyber Phish for, I mean, I think there's over $2,000 of cash you guys are giving out, and it was really nice of you guys. So, you know, we have day one winners, day two, day three, and it increases in terms of the cash value. And then we have an overall winner. So, Ahmet, I'll have you announce the winners in just a second, but John, very high level, what was day one about?
Yes, day one was really cool because it put you in the position of an incident responder, right? You had logs, you had that Perch Security instance of Kibana, and you were looking through to try and trace back the footsteps of an intrusion, of a real attack, and uncovered this Perl botnet that was in place. So that was a little bit of playing blue team, playing defense, playing, okay, just hunt and look for what is out there and what is necessary.
What are those next steps? So, super cool day one. Yeah, yeah, yeah. And the comments were, it was not easy. And so Ahmet, who were our winners, plural? And the reason I'm saying winners is because, because of John's following, which is totally cool, we had a lot of non-MSPs join the competition. So Ahmet was kind enough to say, hey, look, if you win and you're not an MSP, we'll give you a prize anyway.
But the main prizes are gonna go to the MSP, slash MSPs, that are competing. So Ahmet, who do we have as our winners? Yeah. And I'm pretty excited about this. Yeah. So the greatest situation ever, right? Two number one winners. So the first one, the non-MSP, is Jacob Denlinger, right? $150. There you go, Jason. Yeah. And the second one, Jason Slagel, right? Yep. From CNR MSP, right? Yep. $350. Yeah. Yeah. Jason, nice work. Yeah. And, yeah, go ahead.
Sorry. Yeah, I'm just saying, speaking about the other prizes, shortly you have another opportunity to win down there: the $500 from Cyber Phish themselves. At the end of the event, we're going to announce one of the MSPs who deploy or schedule a demo for another $500. So you have another opportunity today and tomorrow to do so. Yeah, exactly. You took, you know, you stole my thunder.
What I was saying lastly, right, is there's a call to action, a little green thing at the bottom here. For those of you that are interested in or wondering what Cyber Phish is about, you can click on that, and there's also a competition issue. Absolutely you can compete. Anybody can compete in the CTF. In fact, the actual winner was a non-MSP and that's who won $150. So absolutely you can compete.
But because this is an MSP/MSSP event, the rules were perfect. Glad you got it. Alright, so Ahmet, again, thank you. We'll see you back here tomorrow. Thank you. You're welcome. Thank you guys. Yeah. And I'll move you over to the audience. We'll see you tomorrow. And then John, I will let you take it away. I will mute myself and put my camera away. And then again, like I said, I'll keep my eye on questions for everybody and let you roll. Go ahead. Awesome. Thanks so much.
Okay, let me spin up my screen share here. A lot of responsibility, you guys, keeping me alone here, trying to entertain everybody. Alrighty. I'm sharing a black screen now because before I jump into the slides, I do want to say thank you. First of all, I know this is a virtual event, right? I know we're kind of in the middle of the work week for some folks, so thank you, thank you, thank you. I can't say it enough. Really appreciate you guys tuning in.
Hope you guys can see the screen and everything. Please just shout at me in the chat if there's anything that goes wrong. But let's dive into Hiding in Plain Sight. Okay? Classic obligatory introduction, you know, to a formal piece of work. We've got an abstract, right? I wanna lay the foundation, I wanna set the scene. We're talking about cybersecurity in the hacker universe, in the hacker-verse, right?
There's no end to the amount of innovation and creativity that we're seeing coming up in the latest, modern, real-world, current and today threats, the adversary that's out there. As defenders, as the good guys, right, we don't always have to like what's happening out there, because sometimes it can be really complex and really hard to deal with. But we've gotta take this stance and have this perspective where we can appreciate and understand how that nefarious bad stuff, malware, is working.
How's that all put together? We wanna look under the hood, 'cause if we understand that, then we're bettering our own defense, right? We're training our minds to know how that hacker might think, to really get behind there and see their perspective. So what are they gonna look for? What are they gonna use, and what are they gonna do to take advantage of our network and our cybersecurity setup?
So in this session, what we're gonna be talking about is Hiding in Plain Sight. I am really, really excited about this 'cause I think this is super duper cool and I hope you do too. We're gonna do a deep dive. We're gonna take a look at one fascinating piece of malware that's using really unusual and creative tricks and techniques and idiosyncrasies to try and obfuscate itself and hide under the radar and evade antivirus. Do all those stealthy hacker things, right?
And I kind of wanna top it off. I wanna make the moral of this talk and this presentation, I wanted to highlight, just how necessary having a threat operations team is, or having real people that go through and take a look at this malware and look at this code and reverse engineer what it's doing and why. I wanna emphasize that and foot-stomp it so, so much because this is where you're gonna see, man, this is where the real gems are. This is where the real treasure is. So that's the pitch, right?
Here we go. This is Hiding in Plain Sight. Hello, I'm John Hammond, I'm over here at Huntress, but let's dive in. Okay, what do you guys see here? What is this? Take a look at this file. What does this look like? Would you be able to identify this if you saw this on your computer? It kinda looks like a log file, right? Looks like there are a lot of lines, kind of similar entries in there.
Over on the left we have a timestamp, what it looks like, as we read along through it. Maybe there's an operating system or an OS version, maybe some kind of log messages. It looks kinda weird though, right? Do you notice anything odd or anything peculiar and strange with what is really in this log file? There's some oddity there. There's something weird there. You might already be able to pick up on it. You might see it already.
But if you don't, I want you to keep this in mind. I want you to keep this in the back of your mind as we discuss and start to talk about this malware. Maybe that weird spot is sticking out like a sore thumb to you. But keep this in your mind. This is a text file, a log file, that we found on a computer system, on a host. This is another thing that we found on that host or that computer system. This is something that we discovered as a scheduled task.
This is something that would just kick off or run repeatedly on that computer, probably running Windows, right? Obviously, for a scheduled task. And it's really interesting. This is the same location, the same computer, where we found that strange log file. But it looks really peculiar too. So this is a tiny little implant. It's a small little persistence hook, but it looks innocent enough, right?
I mean, if you look at some of those program names, okay, maybe that's something that might naturally be running on that computer. Who knows? How do we know? Well, we could look more and more into these command line arguments and we could kind of reverse engineer and deep dive on that. And we'll do that in just a second. But I wanna tell you that this is a real thing. Like, this is common. We found this on a real computer, right? This is out there in the world. How it got on that computer?
Oh, it could be the usual, right? Maybe an email attachment, maybe some malware that came as a spam email, a download attachment that you opened, some Word, maybe, I dunno, PowerPoint, Excel, Microsoft Office document with some macros enabled. However it got there, we don't need to be extremely concerned with that for this talk, but it's there, right? And we need to kind of uncover it and unwrap it. You guys see anything interesting right off the bat? I'm really excited.
I wanna see some stuff thrown out in the chat as to what looks really weird here. Let's zoom in on it though. Let's take a look at this code. Let's take a look at the syntax. It looks like we're running a path, C:\Windows\System32, and then a program name, bfeonservice.exe. And then it has command line arguments or parameters that are passed to it. And you can see a syntax here: VBScript, CreateObject, WScript.Shell. Oh, it looks like it's gonna run something.
Okay, it's gonna kick off and start another program. And it's starting cmd.exe, or the Windows command prompt. Okay, that's fishy, right? First of all, that's weird. That's suspicious. Why is something starting cmd.exe? But we see a little forward slash capital C there. So that's an argument or a parameter to now that command prompt, to run another standalone command. And that invokes C:\Windows\System32\engine.exe. That's funky.
I don't know, have you guys ever heard of an engine.exe on your Windows computer? And they're using, again, another hyphen C, a dash C there, to pass along a command, and it's got this weird gibberish or technical jargon in there: IEX and a bunch of dollar signs, GC, and then C:\Windows\a.chk, and there's more random nonsense in there. char, split, a bunch of stuff. Okay, now let's kind of drop the facade, right?
If you guys aren't familiar with some of this stuff, maybe we could check in with some of your other threat ops personnel or some of your folks. Hey, we could zoom in on this, and we could actually determine, just knowing based off of the arguments that are being passed to this, that's not a bfeonservice program, that's not an engine.exe command or program that's being run. It's funky. You'll recognize some of that syntax, those things that are passed as arguments.
bfeonservice.exe is actually a renamed copy, or just a clone, of an actual Windows program, a legitimate, built-in program native to almost all Windows operating systems, right? And that's mshta.exe. Some of you might be familiar with that one. But mshta is a legitimate Windows binary that's going to interpret kind of old-school, old Microsoft HTML Applications.
So typically those are like a .hta file, but that's native, like, that's something that Windows will just naturally do. mshta could also work with Visual Basic Script or JScript or somebody that might be able to reach back to that. But you can see that syntax here: we're using VBScript to create an object, WScript.Shell. Okay? So we're kind of pulling back to get some of the deeper internals of this operating system and we're just going to run cmd.exe.
But cmd.exe will then open engine.exe, okay? But looking at those command line arguments, taking a look at that text, we know that's another dummy as well. Maybe that's kind of masquerading and hiding and just changing its name, or it's gonna be another renamed or cloned copy of PowerShell, powershell.exe. Again, okay, native and on the host, built into Windows operating systems. How could you tell? What's the giveaway here? Well, take a look at those
command line arguments, these strings or those quotes that we're gonna keep going back to. It's running IEX. What the heck is that? So in PowerShell, which is kind of meant to be Windows' new, upgraded command line as opposed to old-school cmd.exe, or that black box command prompt, PowerShell has a bunch of cmdlets that will be able to run and get information out of more Windows internals, right? The .NET Framework, the stuff that Windows is built on top of. And it has long, verbose cmdlets. Sometimes it takes a lot of time to write out, okay, get network address or whatever the case may be. It's very, very English-friendly in that you're using verbs and nouns. But that's not what we're concerned about, right?
We're wondering, what is that IEX? That is an alias, or a nickname, or a shorthand convenience function, to call Invoke-Expression, which is essentially going to allow PowerShell to run commands as if they were a string, or just kind of on the fly in memory as needed. Invoke-Expression, and run some code. That's why that IEX looks kind of odd, because IEX and Invoke-Expression could be used for malicious things. It could be kind of nefarious, but we're passing along more information to that.
We're using some dollar signs there, and that GC. GC is weird. It looks like that's another PowerShell alias that's gonna end up running Get-Content, to read the contents of a file. You just pass that along as an argument. So what's that file that we're going to get the content out of? That's C:\Windows\a.chk, or a check. I'm just gonna call it a check. That's a weird file. Has that ever been on any of your Windows systems? I don't know. I don't think so. I sure hope not, right?
Because all this PowerShell syntax looks like gobbledygook. It looks kind of like nonsense to a regular human eye. They're just random letters and symbols going on. But what is really happening? Well, we've worked through some layers of obfuscation. We've renamed these common Windows utilities, mshta and powershell.exe, to hide behind the veil, right? That way maybe we're not going to trigger or alert or alarm any of that kind of easy, off-the-shelf antivirus software.
I'm sure whatever endpoint detection and response, or EDR, service and software might automatically trigger or flag if, for some reason, mshta and PowerShell are all in the same line. That's weird. That's not normally a good thing. But we've hidden that, and we're gonna do some interesting things with apparently this a.chk file. What are we doing with that? So here we're gonna kind of deep dive more into that PowerShell syntax.
You can see we've run that GC, or Get-Content, command to retrieve all the data that's in that file. And now we're going to pipe that along with our vertical bar. And what we're gonna do, or what the malware is doing in this case, is it's going to loop through every single line and every single entry in that text file, or that log file. You can tell that because of the percent sign.
That's another symbol and alias, convenience function, nickname in PowerShell, to do like a for loop, or to loop through all of these entries. For every line, we're going to do interesting things with that entry, with that data. When we're looking at this programmatically, when we're looking at the source code, we tend to work with the innermost function that's happening, or innermost parentheses, 'cause that's what's going to naturally run first.
So kind of believe me here, trust me for a little bit. Let me kind of handhold you and walk you through this. Press the I-believe button if you have to. But that dollar sign underscore, that's going to be the entry, that's going to be the variable for that specific line in the loop as it iterates and works through every line in that file. We do weird things with it. That dollar sign underscore is split on an X character.
You can see that as a little kind of argument to that split function. So we're splitting on an X character, like chopping it up into different data pieces. And if you don't know that, or you're just not familiar with that, you can think back to a CSV file, right? Or a comma-separated value file, where there are different entries, there are different columns, that are separated by a comma. The comma is the delimiter. That's what's splitting up those different sections.
In this case, we're specifying a custom delimiter with that letter X, and then we index it. We're grabbing a specific, an individual, piece of that line. That's those square braces and that negative one. It's an interesting thing because they're using a negative one index. So using a negative index actually means that we're going to work backwards, or from the end.
So we're getting the very, very last section or element in that long list or line after an X character, using X as our delimiter, and then, working out of that, we interpret that as an integer. You can see that cast to an int there. And then once again, we cast it to a character, or a char, c-h-a-r. That char is weird. What is that doing? Why is that happening? Then we join those all together, all those maybe characters or letters that have been created with that little loop and code there.
And that's what's being passed to that IEX or Invoke-Expression command. So PowerShell is gonna run that, but we're going through like three layers of abstraction. We have mshta calling command prompt calling PowerShell to invoke odd code that came from somewhere else. That's that a.chk file. So what does that a.chk file look like? That's that guy. This log file is a.chk. So it looks innocent enough, right?
You could be fooled, and this is just a regular log file, maybe created by some third-party program you have on your computer, but there's a weirdness here. And looking back at that code, now we know, okay, that very, very last entry after an X character is being interpreted and used somehow, in some way. So take a look over here on that far right column.
We're gonna go through that loop and split on X, grab that last entry, interpret it as an integer, take it as a character, and then join it all together. Some of you might have noticed that, over on the far right side, that 0x syntax that makes it look like hexadecimal. That 0x prefix is typically for hex, hex being, okay, base 16, meaning the symbols that we use are zero through nine and then A through F.
So if you were looking at a byte, or a raw byte, in a computer, or some data, typically you'll see a 0x, maybe, I don't know, 0x0A, and that's a newline, and those all have different representations and meanings because of the ASCII character table. But looking at this, this is really weird, because we don't see any of those letters A through F. We're only seeing decimal numbers, zero through nine.
So that might be an inclination, that might nudge you as a researcher toward: that's not real hex, that's decimal data and numbers. So this code is going to actually take that number and take the character representation of it. What that means is it's gonna do a lookup on that ASCII table and formulate the proper letter or character that associates with it. So over on the right-hand side of the slide here you can see, okay, let's reverse what that malware sample or that code was really doing.
Let's take a look at what that really looks like once we've joined together all those numbers, taken out of their non-hexadecimal, decimal form and brought into ASCII. This is all that's being passed into Invoke-Expression through PowerShell. You can see the top line there: dollar sign LogEngineLifecycle is set to false, LogEngineHealth, LogProvider, LogProviderHealth, et cetera, all of that is set to false.
Hmm, is it turning off logging? Again, malware's trying to hide, stay under the radar, not be caught by anything, or at least not leave any traces. Don't leave any fingerprints on what it's working with. It'll turn off logging. Very cool, very neat. And then later on we see more junk, more nonsense and gibberish, that this code is going to end up running. It's executing. You'll see more split lines.
You can see that kind of there at the bottom, or char and convert, and it has this weird form and shape to it, right? 'Cause it's using like random uppercase or random lowercase letters. That's another interesting tidbit, right? Because PowerShell, this executable, this Windows interpreter that's running this code, PowerShell is actually case-insensitive. It doesn't care whether you leave Caps Lock on or not.
Whether your commands are in all caps or they're just all lowercase, you got lazy, it'll run the code for you. So kind of a clever technique that a lot of malware authors or hackers are going to use is that when they're obfuscating their PowerShell, they'll use random uppercase and lowercase letters, because maybe that'll evade some silly antivirus that only checks for, okay, the static string Invoke-Expression.
If we're gonna have those random uppercase and lowercase letters, maybe we can just slide right under that radar once more. Kind of a cool technique. All right, so we zoomed in on that right-hand column. We figured out that it's going to be interpreted, read out, invoked and executed through PowerShell, all the while through cmd and mshta, regular living-off-the-land native Windows binaries, and now it's executing PowerShell code. It's doing even more interesting things.
You see we have some odd function names, and you don't have to know code to kind of look through this. You don't have to be an elite hacker or cool, crazy programmer to kind of understand what's happening here under the hood. I don't want you to be intimidated by that. But I do wanna keep you following me along with this, because this is gonna do some crazy stuff. Now we're breaking out of PowerShell and we're gonna invoke C#.
We're gonna invoke another lower-level language that Windows will be using and trusting inherently, 'cause it's kind of what the .NET Framework and those Windows internals are built off of. And that's gonna do even more interesting and peculiar things. You can see the random-letter function names, but you can see we're defining some variables to run C#, or a specific C# version.
Then we'll do crazy cool stuff like, okay, allocate memory or determine some procedure addresses, and we'll invoke new things. We'll call different functions that could do interesting, nefarious stuff. This one I actually wanna draw attention to before we move on and show you that next stage of the payload, because this technique that it uses is really interesting. Down in the bottom, in red, I've highlighted and showcased some syntax to run more PowerShell code.
You can tell it's PowerShell with that syntax, ForEach-Object in the random uppercase and lowercase letters. But it's working off of one variable, $env:ComSpec, and it's indexing some numbers there, so specific elements in that string, or in that list or that iterable, and it's joining them together. Once again, what is it really doing there? It's trying to hide the use of that IEX string, or that cmdlet or primitive, right? Because that will run Invoke-Expression for us.
But we don't want to literally use IEX because, again, we're trying to hide it on the radar. We're being as stealthy as we can be. So let me show you that real quick. Let me fire up a PowerShell, just so you believe me. I wanna make sure you trust me on this. If I'm looking at that env variable ComSpec, it returns C:\Windows\System32\cmd.exe.
But if I took that string and I indexed it at different parts, I could build out and I could put together the puzzle pieces that make me the super, super simple call Invoke-Expression, or that IEX alias, that shorthand function. You might not know it because that tiny little thing doesn't look like IEX. It doesn't look like something that might be nefarious, but upon a closer look you can figure that out and you can track that down. Okay, cool. I hope you guys like that trick and technique.
I thought that one was kind of clever. We'll have to use that. Who knows. Let's get back to the C# code. Let's get back to what this payload is doing. This is gonna do some peculiar stuff 'cause now it's got a foothold, now it's got its claws and its fingers in the computer system. So what's it gonna do? Well, it's gonna like turn off all the alarms. It's going to silence itself, so make sure no one can tell that that malware is sneaking around doing things that it shouldn't do.
That payload again: mshta to cmd to PowerShell to now C#. Getting to that lower language, we can do interesting things like disable AMSI. And AMSI is kind of a Microsoft, like, trusted technology and software that will attempt to or try to offer real-time protection against malware. It's the Antimalware Scan Interface. So if Windows sees anything wonky, it sees anything bad happening, it can try to stop that. But this malware is one step ahead.
It's gonna turn that off. Okay, now there's nothing holding him back, right? So he'll do other interesting things. He'll do some system diagnostics, or kind of enumerate what other information might be on that computer. What is the specific operating system version that I'm running? What's the processor look like? Can I look around me? Are there any other computers that are networked with me? Is there a printer available? What about network shares? What else can I reach my claws into?
All just enumerating, doing system diagnostics, trying to learn a little bit more about this target and victim environment, and it's all flying under the radar. But this does another crazy cool thing. This is just like the gift that keeps on giving right now. We're gonna grab another payload. What this malware sample does is that it reaches out to an external location, an external endpoint, and it's going to grab a payload through DNS, or the Domain Name System.
And that's kind of common, right? That's kind of usual. So, okay, maybe you could do whatever exfiltration or communication through DNS, 'cause that just has to be allowed. You have to have DNS running to make sure your environment, your computer networking system, actually functions.
But it doesn't do it in the traditional, classic DNS realm, because DNS is obviously pretty heavily monitored. It has to be in place, but it's often an easy trick or an easy thing that an attacker might use or reach for to do more nefarious things. What this malware does is that it grabs another payload through DNS over HTTP, over a web connection, the same thing you use when you're using your internet browser or you're just walking around on the internet.
This is the thing: it reaches out to this address, https://dns.google.com. It's gonna resolve a regular domain name query, or make a request for some resource records. It's reaching out and asking for, okay, what can you tell me about dac.jqueryupdatejs.com? You might kind of be scratching your head at that domain name too, right? jqueryupdatejs.com. That doesn't really sound all that official if you know some of the background behind it.
Okay, jQuery, the library to use within JS or JavaScript. Sure, maybe it's believable, but it's another trick and technique to look like something innocent when it's absolutely not. So we're reaching out, we're asking this DNS name server, we're requesting some information with DNS over HTTPS, asking about dac.jqueryupdatejs.com, and we're asking for a TXT record. This is pretty common, right? You see this a lot.
Okay, TXT records, any information could kind of be spat up there in a domain name server. Maybe they're using that to leverage some more payloads or command and control. So we would investigate, we would go take a look at what is really over there, if we were to make this request not acting as the malware but just acting as our own researchers, our own threat ops division and department. What is actually going to be returned when someone requests that page?
Just making a simple HTTP web request, a simple GET request. We're passing it in, just a simple GET argument there, the type being a TXT record. But I think that's cool. I think that's kind of crazy, using DNS over HTTPS. If DNS is gonna be heavily monitored and you don't wanna set off any alarms for reaching out to a weird, unnecessary and outlandish, alien DNS or domain name server, you could funnel it through HTTPS, kind of hide it behind another protocol. Very cool.
So here's the result. When we queried that DNS TXT record, here's what came back to us. This is kind of interesting. So you're looking at this code here, this is JSON, or JavaScript Object Notation. There's a little boilerplate stuff up at the top, you don't really need to care about it, but we'll zoom in on the really, really cool thing here. Take a look at that data block. That's the response that comes back from that TXT record, what that domain name server responded to us.
But it's funny, it looks like a DKIM signature. That's DomainKeys Identified Mail. That's kind of a technology that's typically used to validate responses for associating a domain name with an email message, and that would help tell whatever recipient, okay, this is from a valid and legitimate source. This is not the case. We're doing some nefarious and malicious stuff with this now, right? Because this is all bundled in, weaved into the cool orchestration of this malware.
So take a look at what we've got. This looks almost like Base64, doesn't it? Maybe you aren't familiar with Base64, and that's totally okay, right? We're all here to learn. So let me give you a quick crash course in Base64 before I dive into this. I mentioned earlier base 16, and that was hexadecimal, right? Zero through nine and A through F. Obviously we have base 10, the number and counting system that we as humans use, zero through nine, going up to ten, restarting.
There's of course base 2, binary, how computers use zeros and ones. There's also really any base you might want. But Base64 is super duper common because it takes all of the character set that we could use, bytes in data and information, and it transforms it or encodes it into one representation that is safe. And it's weird for me to say that, it's weird to say safe, right?
But I say it's safe 'cause it can transfer across the wire, it can be used in packets, it can be used in internet routing, it can be used in URLs, because it's just transformed into letters and numbers, with the occasional forward slash and plus sign.
There's actually a derivative of Base64, the Base64 URL-safe, where sure, you have 64 characters as your limit between, okay, uppercase and lowercase letters, numbers, and then adding in some extras to reach that 64 number: a plus sign and a forward slash. URL-safe Base64 actually changes that plus sign and forward slash to use a hyphen and an underscore. Kind of neat. I know that's kind of deep diving into the nerd lingo that maybe you don't care about.
But I hope that kind of showcases and indicates what we're really looking at here, 'cause this gibberish, random letters, uppercase and lowercase, these numbers that come out of nowhere, you might be able to identify that as Base64. You can see the forward slashes here, but they're kind of interesting. Normally, Base64-encoded data always has to have a length that is a multiple of four.
That's kind of an interesting idiosyncrasy, because if you see a Base64 string and it's not a multiple of four in length, what it'll do is it'll add on equal signs as padding at the very, very end. And that's a good little telltale to identify, hey, that nonsense, that gibberish that looks like Base64. They're doing a weird thing here, because we don't see any of those equal signs and there are a lot of forward slashes.
The forward slashes are typically an encoding that will say, okay, you encoded a null byte or some raw data that's not normally English text or what you might expect to see in a written message.
So there might be something peculiar here, but I want to tell you, when we looked through that malware code, when we were reversing that PowerShell and C# information, they were doing a peculiar thing where they would actually use the slashes as a delimiter, the same way we saw, okay, we'll split on X earlier. Now we're going to split on these forward slashes.
So that's an indicator that every single element here, every single entry, is its own individual Base64 string. It ends at a forward slash. It's not one giant, long, okay, three-line, multiple-line Base64 string. It actually has multiples embedded in here. So what are all of these Base64 strings, and why don't they have equal signs? Are they supposed to? Do they have to?
Interesting questions that, again, we want to uncover, we want to manually take a look at as our own research and threat ops department. Take a look at this. This is cool. Each of those Base64 strings, those little segments or snippets, they don't have those equal signs that we mentioned. Interestingly enough, the code, the malware, will try and add those equal signs, the padding, back in so it can properly decode and work with that data.
But it's nested Base64, as in you could take, okay, one layer, one level of the abstraction with the Base64 encoding and you can decode it, but then you're gonna have the result be even more Base64 text. So you'll have to decode that. Okay, they could have done this as many times as they wanted to, but I think even just that extra layer, again, another level of complexity, another piece of abstraction, another thing to veil and hide and masquerade itself.
That'll slip right under antivirus or EDR. There are a lot of peculiar idiosyncrasies here, and let me show you another one. This is like the coolest thing. This Base64 decodes, and Base64 decodes again, and we're left with the raw data, the real text. The original plaintext is not the right word, 'cause it's not cryptography, but the original message, the non-encoded form, the decoded data. And what does it look like? It just looks like a number, right? Huh? What is that number?
How is that number useful whatsoever? Is that number useful whatsoever? It just looks like random decimal, base 10, numbers. Check this out. That's an IP address. And I don't know if I'll blow your mind or not. It blew my mind the first time. I was like, what? You can actually have a computer network's, like, Internet Protocol address,
so an IPv4 address to reach out to whatever it is out there on the internet or in your local network, represented just as decimal, not the regular, you know, dotted octet notation where you have 192.168.1.1. You could totally just represent that internet address as a number. Super cool. All right, let me prove this to you again, 'cause I don't want you to not believe me, and I'm going to simply copy this and I'll fire PowerShell back up again so you can see it.
I'm just gonna simply ping that IP address. And I failed to copy it. Cool. A weird syntax, right? This doesn't look like how you're normally going to interact with a web page or an IP address or whatever the case may be, but we're actually getting data back that responds because it is actually 88.119.175.81. You wouldn't know it looking at that, right? Kind of funky. A really cool trick. More layers of abstraction. Check it out.
You could see those IP addresses that are used for a final payload. Okay, let me discuss this a little bit more, because there's an interesting tidbit in how it's using those IP addresses, the IP addresses that it's calling out to. It might grab one of those. Obviously there are a ton of these Base64 strings here. So each of those is going to be, again, a double-encoded or nested Base64 string that will represent a different IP address.
All of these might be endpoints that the hacker or whatever malware author is in control of. So when they call out to that IP address, hidden and obfuscated and masked, they will again send a final payload, and of course that payload, okay, that's gonna be command and control, that's gonna be actual remote access: typing in commands, moving in files, deleting files, dropping ransomware, doing whatever they want to do.
'Cause now they have control, and they hit it through layers and layers of these techniques. Multi-stage, multi-payload attack that will slip right under the radar. Neat. Okay, here's a little recap, right? Starting at the top, we found some weird programs, some weird Windows EXE files that were renamed or just copies of regular native built-in Windows utilities that live off the land, right?
Those are known and always going to be on every Windows computer, that will MSHTA to cmd.exe to PowerShell to C# to do things like disable that Anti-Malware Scan Interface and download yet another payload, all through DNS over HTTPS. That might slip under the radar as well. We could reach out to a TXT record, but that TXT record is actually looking like a DKIM signature. That sure looks kind of valid.
But going under the hood, doing that deep dive, we know it is absolutely not a real DKIM signature. That will pull down more IP addresses, and it could choose any of those at random. It could just decide, okay, if this IP address, if this external point got hosed, let me just use another one, because there are plenty more, and they can adjust that, they can control that. They can modify that external resource without ever having to modify the individual victim,
the actual target itself. Kind of neat. They've got control and they have other places, they have redundancies and backups in place to make sure their malware takes effect. Those standard file names won't be detected by antivirus signatures, bypass DNS filtering with DNS over HTTPS, and you could potentially reuse this malware over and over and over again. Very cool.
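Pulling that whole chain apart offline, as an added example written for this page (it is not the malware's own code and not Huntress tooling): the Google-style DoH JSON layout, the `v=DKIM1; k=rsa; p=` wrapper, the `/`-delimited segment list and the three sample addresses are constructed assumptions for illustration; the decode order, split on the slash, restore the `=` padding, Base64-decode twice, read the digits as one 32-bit IPv4 value, is what the talk describes. It is in Python rather than PowerShell because this is the analyst's side of the problem, not the implant's.

```python
"""Decode a DKIM-look-alike TXT record that smuggles nested-Base64 decimal IPs.

Added example for this page; not the malware's code or Huntress tooling.
The DoH JSON shape, the DKIM-style wrapper, the '/' delimiter and the sample
addresses are constructed here; only the decode chain comes from the talk.
A live lookup would be: GET https://dns.google/resolve?name=<domain>&type=TXT
(Google's JSON resolver). Everything below runs offline.
"""
import base64
import binascii
import ipaddress
import json
from typing import List


def repad(s: str) -> str:
    """Restore the '=' padding the sample strips (length must be a multiple of 4)."""
    return s + "=" * (-len(s) % 4)


def decimal_to_ip(n: int) -> str:
    """1484238673 -> '88.119.175.81': an IPv4 address written as one integer."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"{n} is not a 32-bit IPv4 value")
    return str(ipaddress.IPv4Address(n))


def ip_to_decimal(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def decode_segment(seg: str) -> str:
    """One '/'-delimited entry: Base64 -> Base64 -> decimal digits -> dotted quad."""
    inner = base64.b64decode(repad(seg), validate=True).decode("ascii")
    digits = base64.b64decode(repad(inner), validate=True).decode("ascii")
    if not digits.isdigit():
        raise ValueError(f"decoded payload is not a decimal number: {digits!r}")
    return decimal_to_ip(int(digits))


def encode_segment(ip: str) -> str:
    """Inverse of decode_segment; used here only to build the constructed sample."""
    inner = base64.b64encode(str(ip_to_decimal(ip)).encode("ascii"))
    outer = base64.b64encode(inner).decode("ascii").rstrip("=")
    # '/' is both a Base64 symbol and the list delimiter, so a segment that
    # happens to contain one would split wrongly. Refuse rather than emit it.
    if "/" in outer:
        raise ValueError(f"segment for {ip} collides with the '/' delimiter")
    return outer


def txt_strings_from_doh(doh_json: str) -> List[str]:
    """Pull TXT rdata (type 16) out of a Google-format DoH JSON answer."""
    doc = json.loads(doh_json)
    if doc.get("Status") != 0:
        raise ValueError(f"DNS rcode {doc.get('Status')}")
    # Google wraps each TXT string in literal double quotes; drop them.
    return [rr["data"].strip('"') for rr in doc.get("Answer", []) if rr.get("type") == 16]


def extract_c2_ips(txt: str) -> List[str]:
    """Peel the DKIM-style 'tag=value;' wrapper, then decode every '/' segment of p=."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key] = value
    return [decode_segment(seg) for seg in tags.get("p", "").split("/") if seg]


def looks_like_rsa_spki(p: str) -> bool:
    """Triage heuristic: a genuine DKIM p= is one Base64 blob of DER that starts
    with an ASN.1 SEQUENCE byte (0x30). The smuggled address list does not."""
    try:
        der = base64.b64decode(repad(p), validate=True)
    except (binascii.Error, ValueError):
        return False
    return der[:1] == b"\x30"


def analyse(doh_json: str) -> List[str]:
    """Every IP hidden in every TXT string of the response, in record order."""
    ips: List[str] = []
    for txt in txt_strings_from_doh(doh_json):
        ips.extend(extract_c2_ips(txt))
    return ips


# Constructed sample (not captured traffic): three addresses packed the way the
# talk describes, then wrapped to resemble a DKIM record.
SAMPLE_IPS = ["88.119.175.81", "192.168.1.1", "10.0.0.2"]
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + "/".join(encode_segment(ip) for ip in SAMPLE_IPS)
SAMPLE_DOH_RESPONSE = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "example.invalid.", "type": 16}],
    "Answer": [{"name": "example.invalid.", "type": 16, "TTL": 300,
                "data": '"' + SAMPLE_TXT + '"'}],
})
# Standard DER header of an RSA-2048 SubjectPublicKeyInfo, how a real p= begins.
REAL_DKIM_PREFIX = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"

if __name__ == "__main__":
    print("TXT:", SAMPLE_TXT)
    print("real key?", looks_like_rsa_spki(SAMPLE_TXT.split("p=", 1)[1]))
    print("C2 addresses:", analyse(SAMPLE_DOH_RESPONSE))
```

Two practical notes. The delimiter choice is a weakness in the scheme itself: `/` is a legal Base64 symbol, so a segment that happens to contain one would be split in the wrong place, which is why `encode_segment` refuses such an address and why the decoder reports a `ValueError` instead of silently returning a wrong host. And `looks_like_rsa_spki` is a triage heuristic rather than a signature: it catches this sample because the decoded bytes do not start with an ASN.1 SEQUENCE, but a future variant could prepend a plausible DER header, so treat it as a reason to look, not a verdict.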
I did want to note that, because we've actually found this more than once, and it's really interesting because you'll see the same exact scheduled task, but just slightly different, where it's going to end up changing those pertinent names or what is actually being used by this malware. Our old BFE on service EXE is now suddenly changed, maybe on a different host, to something like task update. Sure, whatever, we could press the I-believe button on that, and it's gonna call processor exe.
Obviously these are those decoys of MSHTA and PowerShell, and now it's going to get content from P Lve or whatever random single-letter file name and three-letter file extension. That's interesting, because we were able to kind of determine there are some similarities: that innocent-looking log file that we know now is not so innocent always had the semantics of a single-letter file name, maybe just a random letter, and then a three-letter file extension. Maybe that's peculiar.
Also, interestingly enough, that first executable that they run, our old BFE on service or this task update exe, is always named after an active, running, installed service on the target system. So there is a real service name. That's okay, task update, or a real service name, BFE on service.
And it's trying to blend in, trying to camouflage, trying to look like something that could really be real and used as part of that program, while it's doing some pretty nefarious, evil stuff. Okay. Wow. Wow. We walked through a lot. I hope that wasn't like drinking from a fire hose or anything, but goodness.
It's really cool because at every single level, at every single new layer of abstraction or complexity that we were able to unfold, they had an interesting technique: that decimal-encoded IP address, the nested Base64, the DNS over HTTPS, or invoking Invoke-Expression by building out the string with other, again, regular, native, always-available command variables and environment stuff you could use. So let me ask you, would this slip through your antivirus?
Like, would you be able to detect this? Would your automated program, whatever you use for defense or EDR, would that track this down? Would it find those IP addresses? Would it know that an adversary is now using command and control with a persistent implant? I don't know. I do wanna drive home, though, this is why it is so important to have humans, like real people, you and I, all these researchers, defenders with the hacker mindset, to be able to look through this and analyze it themselves.
Because that's where you're really going to determine it, based on context. Does this look normal? Should a program be running cmd.exe? Probably not.
If a parent process to that is not something that it should be, okay, we've got some weird stuff going on, it's a little fishy. Sure, your EDR might be able to determine that, but when they use these other tricks like renaming or modifying or reaching out or encoding or double encoding, all of those small things add up to make this crazy cool sample of malware that's multi-stage, multi-payload. So I hope you get that takeaway. I hope you see the value in human analysis. Sure.
Automation is incredible. Automation is divine, right? We have computers, we should use computers for what they're useful for, automation, but manual testing, manual analysis, that is a must. Cool. Okay. That's a wrap. That's everything we've got. Thank you so much for tuning in. If you like this presentation, if you wanna kind of see more of us at Huntress, where we'll be next, we're gonna be over at Kaseya Connect IT, that's August 24th to the 27th.
We'll be at Build It September 1st through 2nd, and Glue X, another event, September 27th through the 29th. If you have any questions at all, if you wanna keep up this conversation, we're here for you. If you're interested in this stuff, drop us an email, marketing at Huntress. We really appreciate it. But thank you again and again. I hope you enjoyed this. Thanks so much. Hey, that was awesome, John. Thank you so much. Based on the chat that was going on over here,
wow, it was nonstop. So, fantastic job. There was one question about 20 or 25 minutes ago, and I don't know if it'll mean anything at this point, but the question, it was from Joe: is C# interpreted? I don't know. Does that mean anything based on where you were in the presentation? C# is typically compiled, and I might need a spot check on that, 'cause Windows can do some whatever weird idiosyncratic stuff with it.
You can invoke it through PowerShell. Whatever DLL loading is, is kind of neat. I would need to go a little bit more deep in the weeds on that, but they were able to pull through and call some of those C# functions, .NET stuff, so. Very cool. Yeah. Questions from you guys and gals out there, things you'd like to ask John. We don't have a session right behind this, so we do have a little bit of time.
We can even have you guys come up, now that Crowdcast has six windows. I don't even know if, is Wes Spencer out there? I saw Wes, who loves this stuff, John. I'd love to pull him up if he is out there. He'll chat me up if he's still with us. But, and we can bring anyone, you know, raise your hand if you'd like to come up and ask John some questions, and we can kind of have a little town hall style. Thanks. So, did you find the guy? Yo, I'm on.
All right. So Cher's asking, did you find the guy or a group where this comes from? It's funny. I don't like to say, oh, we're still doing research, because that's kind of a silly answer, but I mean, obviously there's a lot to unravel here. And we've seen this more than once. When we were kind of preparing the presentation, we went back through to go take a look at, okay, the host and the files and what was in question, and then it looked like we saw a different payload.
Like, it looked like it either reached a different IP address and it grabbed something different, and it was like, oh man, there's just even more. So I don't think we have, I can't definitively point one way or the other, did we find someone, but we've got a lot of traction and it's just really cool to see it unravel more and more. John, there's a question here from Richard: what's the difference slash similarities between Java and JavaScript? Sure.
Java is kind of the hybrid language that can be used with the Java runtime environment, and that whatever JVM or virtual machines that end up running it wherever, that Java's everywhere. And that is typically, I think that boils down to bytecode.
I think, don't hold me to that, but typically that's more for larger applications, bigger programs, and you can do a lot with Java, standalone Java, end of word. JavaScript is ECMAScript, or kind of the language that is used most often for web application stuff.
You could do some desktop and server-side stuff with that if you were using Node and Express, other things for JavaScript, but the real pertinent stuff of JavaScript in the context of this talk is the JavaScript Object Notation, or that JSON. That was the response we saw back from the DNS over HTTPS request. And that's just going to be like a schema or layout language that can define the architecture of the object and the data that's returned. Got it.
I hope that answered the question. I know I went all over the place on that. Fair enough, I think. And Richard, maybe just let us know in chat if that got you the answer you needed. Let's see what else, questions you might have. Wes, while we're looking for questions here, any comments? I saw you really active out there. I know you're really passionate about this stuff.
I know it's really cool, you dig into this kind of stuff with the Perch SOC, which I don't think is too common for a CISO to be doing. So it's really cool that you geek out on this, but what were some of your takeaways and thoughts? Well, first of all, John, fantastic job. That was awesome. I'll just echo what everyone else said. You hit it really, really well.
You know, I think one of the things, so sometimes the SOC lets me in on these things, but not always, Andrew. They're like, get that guy outta here. Sometimes I stir up more trouble than I'm worth. But John, one thing you pointed out I want you to elaborate a little bit more on is the human element, right? So like, I come out of enterprise, where the enterprise has, I always call it like leave no vendor, leave no budget left behind, right?
They have armies of these people doing these things, and for most partners, especially those that are on this call, they're bereft of that, right? They're sitting here, you know, they're handling what security tools they can, but diving into an EDR and seeing what's happening at that endpoint level and really truly diving into what's going on, it's just not possible for them, right?
And so you're really hitting on one of the things that I think has always been missing for the longest time in the channel, is not just capable tools, but capable human analysts that come alongside, right? Absolutely. Yeah. I know obviously there's an incredible learning curve, right? Not anyone, not someone can just roll out of bed and say, I am going to reverse engineer this zero-day today.
Obviously there's a lot to learn and obviously there's a huge piece of education that comes with it, but the prowess and the caliber and the quality that you just kind of get, deep diving, doing the research with your own eyes, is, I dunno, it's so rewarding, and you'll find so much more that you're not gonna be reliant on whatever quick, simple scan something else might, a tool might run. So hopefully we can just keep emphasizing and showcasing education.
We're all here to learn, and we all want to kind of be better so we can all, okay, find the good stuff, stop the bad guys. Absolutely. Okay. Did we get, yeah. One here, one second. Hey, I've got another question if you want me to burn some more time for you, Andrew. John, here's another one I'll throw at you. So you see a lot of stuff here in the comments about like red team, blue team, and now, you know, this iteration of purple teaming and like DevSecOps and all that.
You wanna kind of distill that really quickly for folks here that want to know the differences between the two or three? Sure. Yeah. Okay. Oh man, it's a tough one, because I feel like there are communities that might define that in a different way, at least on edge cases, right? So you hear the term red team and you think adversarial, you think penetration testing, you think emulating a threat.
You could boil down that conversation into, okay, are you red teaming if you are performing a one-week penetration test? Or are you red teaming if you act as an APT, an advanced persistent threat? Or you might have a six-month-long engagement, you have a lot more time. I can't definitively put you and kind of compartmentalize those; that really depends on the world of the industry that you're working in. Blue team, sure.
Just the color, hey, you feel a little bit more defensive. You're protecting, you are fortifying, you are hardening, you're making sure that your system is secure and safe. Obviously you could bleed into more incident response type stuff with that. You could be on the hunt. You could be actively searching for adversaries and intrusions. And again, that might take another definition or kind of segment of that understanding.
When you talk about the purple team, that one's kind of fuzzy, 'cause I know that people like to throw that around, but it's hard to. Yeah. Is that an established thing? Who knows? A lot of times I think that is red team and blue team working together, culminating communication, compiling everything that we're finding so that they can better prepare their security posture.
Sure, we found this foothold, we found this vulnerability, we fired off this exploit. Blue team now knows, okay, let's fortify that. Let's lock that down. Good defense. Yeah. Yeah. Those are good explanations. And you're kind of right. That's what we see too, is sort of this, they're almost like marketing terms, right? It's like when someone tells me, like, again, I know a lot of folks from enterprise, 'cause that's where I come out of, right?
And they're like, oh yeah, I'm on our purple team now. I'm like, cool, what does that mean? Because, yeah, it means a lot of different things for a lot of people. So yeah. Andrew, back to you. Yeah. Last good question. So there was a question in the queue, John. Is there a way to discover the original script that was imported by the social engineering exploit? How do you suspect the initial exploit was actually delivered?
Oh, getting the scheduled task on the box. I think they're, yeah, they're referring to, yeah. So the question of is it possible to determine that? Maybe. Yes, probably. Definitely. I can't come to you and tell you what the exact thing was that got it on there. Oftentimes, obviously, the easiest foothold is, okay, sure, user error, someone downloading something they shouldn't, someone opening up an attachment that had whatever macros, enable and you just click run, and yes.
Our time's over again. It could be, yeah, we could do more investigation to kind of dial that out and figure out how that came to be. Right now, as I'm standing in front of you, I couldn't give you the exact answer. Okay. Excellent. Let's see. I think we got another. Hi, John. Okay. Hi John, this is Richard B from Discord. My question is, what cybersecurity job do you think will be both lucrative and fun? Oh boy. Oh boy. That's a tough one to answer.
What cybersecurity job will be lucrative and fun. Obviously. So, I'm gonna give you a bad answer. So, cybersecurity is a ginormous, absolutely humongous field. We're trying to do the good stuff to stop hackers, to prevent the bad ransomware, to eliminate, okay, all this malware and adversary that's out there. So we do a lot of education and stuff about that.
And we're kind of more about persistence and lateral movement and privilege escalation, all those things that are part of that bad actor procedure and work. If you want something that is lucrative, okay, I don't know, whatever. You be a bad guy. Hmm. Be a bad guy. Yeah. I don't know. And if you want something in Europe, if you want something that is fun, unfortunately I can't give you the direction sign for that. It's whatever you have the most interest in.
Are you interested in blue team? Are you interested in red team? Do you wanna get into cryptography, web, forensics or binary exploitation? There's just so, so much out there, but go for what you love, do what you're passionate about, and be the good guys. Wes, do you have anything to chime in on that too? Yeah, so John's right, it really depends on what you're bent towards in the world of security.
Like, I know so many people that have pivoted from one thing to another, from one industry to another, from different role types. I'm in a couple of different private trust sharing groups, and in one of 'em, a lot of times they'll announce that they have like a change in their job or what they're doing. And I see it all the time, and usually it's like, hey, I've moved into IR, I've been really excited about learning IR and what this thing is all about.
Big companies in particular have that ability and opportunity for you to move into different role orgs inside of the entire security program. And that's great, right? Anything from security architecture to, you know, like John mentioned, red and blue team kinds of things. Handling tools and controls, doing testing, even audit if you like that kind of stuff.
I mean, it's an enormous field, and there's nothing wrong with picking something and seeing if you like it and going that direction and pursuing it, or being one of those people that I know are also successful and they switch from one thing to another. And I can just tell you, like from my career trajectory, I started very technical. I still have a bent towards it. I love it. I'll always love it. But, you know, moving into like senior security leadership is a different story for me, right?
It's really more about strategy, communication, execution, those kinds of things. And I've just found, as I've grown, that's really where I enjoy and that's what, you know, I love, but I have a lot of friends that are not that way, and they'll always be technical. And that's what they love. It's what gets 'em up and going every day. And so I always say, when it comes to security, do what you love.
And it is okay if what you love changes. Now, on the lucrative side of the house, you know, hey, security typically does pay quite well, but not always. And sometimes you gotta get your feet wet and get some experience going, that sort of thing as well. So, you know, I'll just leave it there. I can talk to people offline more if they wanna know more, but that's what I'd say.
But you both said something, Wes, if I could summarize it, and this is just my 2 cents on it, somebody with, you know, 20-plus years in the channel. I've had a lot of different roles, and you might find yourself, because you've had a lot of different roles, like you said, you started technical and then got into leadership, and now you are in a soft flip from practitioner into vendor.
You might find yourself one day, you know, as a consultant talking to private equity, or on a private equity team, or a VC. I mean, it's really, so I'm just kind of packaging up what you're both saying and saying, sometimes the lucrative part doesn't come for a little while, you know, in terms of real lucrative stuff. Maybe it's a journey, right? And everything's a journey in life. The more experience you have, you know that. Anyway, does that make sense to you guys at all?
It does make sense, and I'll just end it with this.
Um, if you had told me 10 years ago when I'm sitting, uh, as a Linux admin in a like complete open source environment, that my career trajectory would go from that to like a network administrator university to teaching InfoSec, uh, InfoSec classes for a few years to going to a CIO at a bank and then going from the corner office, you know, CIO executive job to a startup that at the time had one month of funding, uh, to where we're at today at Perch. Never would I have believed you with that.
Never. Uh, but I'll tell you one thing about me is I love, uh, challenges. I really love them. And when I get to a point in my career, I'm like, I'm not being challenged anymore. It's time for something new. Uh, and that to me is what gets me going. And I think that's what has led to the different changes in my career, is just one challenge after another. John, I don't know about you. Yeah, absolutely.
I always tell people like, it, you'll find your passion if this is the stuff that you're interested in, but it, it's, it's cool because there's always going to be a certain kind of person, or at least you see some personality trait where they're absolutely inquisitive. They, they are so curious and they wanna understand how everything works. They wanna know how, how does it work and how can I make it not work? How can I take it apart and dissect it and how can I make it do different things?
And that's all part of the challenge. It's all part of always learning and always growing. So. Absolutely. I I echo your sentiments a thousand percent. So there's a last question here, um, that I'm seeing in the queue. And I'll, I'll turn this one to you and then to you Wes. 'cause I think, I think it's probably partial, you know, it's kind of objective or objective or subjective. Subjective, best technical security focus certificate you recommend like C-S-S-C-S-C-P-C-S-A plus.
So John, you, you first. Oh boy. Okay. I might be biased. I naturally lean a little bit more towards the technical side. Um, so I, I'm looking at other certifications. I see CI ISSP out there and other, uh, other things along that caliber and, and League of Certifications. Uh, I like to be on keyboard. I like to be an operator. I like to be doing the stuff that's real close to the tech and close to the wire.
Um, so if there's an application-based exam or if it's really testing what I know and, and how to do it, I love certifications and the, the proof of that, I think that merit is really, really cool to show. Um, so the best certification that, that's totally up to the employer.
Uh, my, my favorite certification that I, I I think I really like a lot of eLearnSecurity stuff 'cause they have some hands-on practical things and they have eCPPT, which is a long acronym, but it's a certified professional penetration tester. Okay. Excellent. Wes, how about you?
Um, I get asked that question a lot, and this also goes back to probably the career stuff as well as, and John was saying the same thing is, I think it depends on where you want to go, but I'll throw some things out there. I mean, obviously if you, if you like red team stuff and you like what John is diving into, you know, I had a friend that did this. He walked, he was in IT audit at a hospital, like literally like a box checker, right?
And I don't mean to demean the world, but he was like, I want to do something more technical. I'm tired of just box checking it out. You know what he did? He texted me one day, he's like, Wes, you ever heard of OSCP? I'm like, yeah, I've heard of it. He's like, I'm gonna get it. I'm like, sure you are Nate, I believe you, you know. Well, two years later, I mean, he studied his rear end off and he got that thing and now he works for Coalfire. He's a pen tester for Coalfire power two.
In fact, I'd like to bring him on cyber call at some point, but just mad respect for it. Right? And I'll just throw that one out there because it's not easy to get. I know several people that have it. Uh, John, I know you do as well. It's not easy to get. It is super technical, but that's if you wanna go in that red team world, right? Or if you just wanna learn that piece. Um, the other that I'd throw out there, just to give you some frames of reference is like, look at what, um, SANS is doing.
You know, I I think their GIAC stuff is really good. You just go to uh, giac.org and they've got things that really align to different job positions, right? So just in their classic cyber defense section, uh, the incident response and handler stuff, um, they, they've got really good course material as well. And yes, someone I'm sure is gonna slip in the whole, uh, what happened with SANS recently, but hey, look, it can happen to all of us, right? Um, so I would throw those out there for sure.
And then on the leadership side, you know, the CISSP is of course classic. Um, but you know, I always say certifications don't really mean a lot to me. Uh, I see a lot of people with certifications that are fantastic. I see a lot of people without them, they're also fantastic. And the opposite is true as well. And so, um, you know, I I think they, they set at least a minimum standard of things that objectively you can say that person should know.
Um, but uh, the ones that are very, very technical and have a technical component and not just a question bank that you answer those I have a lot of respect for, for sure. Um, you know, like an OSCP for example, we're actually hunting flags, right? That's a lot different than answering an A, B, C multiple choice. Well, speaking of which, uh, we did get one last question. Uh, Richard says, Hey, I don't know if what job this entitles, but I enjoy finding hidden flags in a server.
Basically like a CTF. Yeah. Yeah. CTF job. Uh, so I don't know if there's, you know, let me say this real quick. So we're in, in an era today that is awesome for people like that because in this age of bug bounties, like you can literally just start going for these people. I know people online that like I'll connect with on LinkedIn, uh, that have just done bug bounty after bug bounty, and there's like no barrier to entry for that other than you being good at it and finding stuff, right?
And so, like in the early days of security that did not exist, you go and find some kind of vulnerability or bug, you're gonna be slapped with an NDA and lawsuits and all this kind of stuff. And we remember those days. Today's day and age, not only are you welcome to find these things, but you're going to be rewarded for it. And there are professional bug bounty people that, that's literally all they do. Wow. And then those that are hobbyists, um, that's awesome. Really cool stuff. Well, good.
Well we can wrap it up there. Before we all just jump off, I put, um, you know, John put some stuff in there, there's some Mihir, thank you so much for putting stuff in. I put in the Cyber Nation, um, as, as a URL. Um, we have a bunch of people we just launched. Um, think of this as your place, your community to continue to collaborate together, right? You know, the, the, the problem I had back when we did our first event back in April was called Be Cybercom.
We had 1600 people on it and everybody was loved all the content. It was a huntress and perch event, and then it was like done, you know, nothing happened. You know, it was like, so we built the cyber call. We almost have, we're just, I mean, Wes, there's people joining today. We're so close to 2000.
Um, uh, the cyber call, if you ever want to join us, it's, um, and, and I'll put it out there, uh, the URL as well, but every Monday at one o'clock, um, it's Wes, Kyle slo and the CEO of Huntress, Gary Pika. So we have the business side, the technical side, uh, Wes who has the practitioner, the governance side, as well as the technical side. And then we bring on different, um, disciplines every single week this coming week.
Um, we are thrilled we're gonna have the Center for Internet Security with us. They are utterly thrilled to, um, come on and talk. They are literally enamored this year with MSP and MSPs. We've been on calls with them week after week. They really, really wanna work with us. So anyway, each week there's more stuff on there. Um, I'll wrap things up with this. First off, again, John, fabulous job today, man, you know, just fabulous, fabulous. We're very, very fortunate and grateful.
We're working with you. Wes, same thing, man. Yesterday, you guys knocked it out of the park in terms of, um, you know, business enablement and, you know, we continue to hear where do I start? Which framework do I use? Um, how do I go to market? How do I package and price? How do I talk to my customers? I mean, it is managed services 14, 15 years ago. And trust me, I was there that era also when people were trying to figure out that whole thing. And we'll get it here too.
It's gonna take some time. Um, but, um, anyway, just want to thank everybody collectively, those that are in the audience, those that are competing, man, this is just a phenomenal community we are building and we couldn't do it without you. So look forward to seeing you guys tomorrow. Um, morning. If you're competing, if you're competing right now, can you know best of success to you? Um, I, I'm not wearing a white shirt today, Jason.
I think I've spilled something on all of them, so I'm keeping them away right now. Um, but best of success to you. We'll be back at it tomorrow morning at 11:30 Eastern with today's winner. Again, cyber fish. Thanks a million. Um, it's 350 I think for today, or 400 and then it goes 450, 500 for overall. So, um, that's it. And then we'll final, our final thing will be Kevin Lancaster from ID Agent tomorrow. Same time, one o'clock for his session. Wes, closing comments or thoughts? Okay.
Uh, nothing other than John. Fantastic job. Thanks for joining us. Uh, this is what makes the community great, all of us together. So thanks guys. Yeah, John, thanks a million. Thank you. Take care guys. Take care.