
Page 1: Expanding Response: Deeper Analysis for Incident Handlers

SANS Technology Institute - Candidate for Master of Science Degree

Expanding Response: Deeper Analysis for Incident Handlers

Russ McRee, November 2011

GIAC GCIH Gold, GCFA, GCIA, GPEN, GWAPT, GSEC Gold

Page 2

Objective

• Expand incident response tactics beyond common horizons

• Sample Overview – SpyEye

• Demonstrate tools for expanded toolkit
  – Volatility 2.0
  – Xplico
  – Maltego
  – Confessor

• Summary

Page 3

Broaden IR perspective

• Opportunities to enhance IR tactics via:
  – Memory analysis (Volatility)
  – Network Forensic Analysis Tooling (Xplico)
  – Derive disparate entity relationships (Maltego)
  – Analysis of systems at scale with uniform results (Confessor, MOLE)

• Review sample’s attributes with all tools

Page 4

Sample Overview

• Trojan.SpyEye – MD5: 00b77d6087f00620508303acd3fd846a

• Modifies registry
  – [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  – cleansweep.exe = "C:\cleansweep.exe\cleansweep.exe"

• Creates directory C:\cleansweep.exe
  – Populates with .exe and config file

Page 5

Volatility 2.0

• For the extraction of digital artifacts from volatile memory image

• “A Python version of the Windows Internals book, since you can really learn a lot about Windows by just looking at how Volatility enumerates evidence.” - Michael Hale Ligh

Page 6

Volatility 2.0

• Gather image info:
  – vol.py imageinfo -f HIOMALVM02.raw

• Network connections:
  – vol.py --profile=WinXPSP3x86 connscan -f HIOMALVM02.raw

• Active processes:
  – vol.py --profile=WinXPSP3x86 pslist -P -f HIOMALVM02.raw

Page 7

Volatility 2.0

• Process tree:
  – vol.py --profile=WinXPSP3x86 pstree -f HIOMALVM02.raw

• Discover malware attributes:
  – vol.py --profile=WinXPSP3x86 -f HIOMALVM02.raw malfind -p 1512 -D output/

• Demonstration
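The step the slides leave to the demo is joining connscan output to pslist output, so that each connection is attributed to a process name rather than a bare PID. The script below is an added example, not code from the deck or from the Volatility project: it parses constructed sample output shaped like Volatility 2.0's plain-text tables (the offsets, PIDs and addresses are illustrative, not taken from HIOMALVM02.raw) and flags any PID that connscan reports but pslist does not list, which happens because connscan carves _TCPT_OBJECT structures out of physical memory and can surface sockets of exited or hidden processes.

```python
"""Correlate Volatility 2.0 connscan output with pslist output.

Added example, not part of the original deck or the Volatility project.
The sample output below is constructed to mimic Volatility 2.0's column
layout; PIDs, offsets and addresses are illustrative.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `vol.py --profile=WinXPSP3x86 pslist -f HIOMALVM02.raw`
PSLIST_OUTPUT = """\
 Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x823c8830 System                    4      0     56    256 1970-01-01 00:00:00
0x82192da0 explorer.exe           1464   1428     13    332 2011-11-01 14:02:10
0x81f0b020 cleansweep.exe         1512   1464      5     88 2011-11-01 14:03:41
0x81e7a8f0 svchost.exe             900    664     18    241 2011-11-01 14:01:57
"""

# Constructed sample in the shape of `vol.py --profile=WinXPSP3x86 connscan -f HIOMALVM02.raw`
CONNSCAN_OUTPUT = """\
 Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01a2b3c8 192.168.56.101:1034       203.0.113.10:80           1512
0x01b4d210 192.168.56.101:1041       198.51.100.7:443          1512
0x01c5e0f0 192.168.56.101:1050       192.0.2.25:80             2044
"""


def parse_pslist(text):
    """Return {pid: process name}; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        # data rows start with a hex offset: 0x........ name pid ppid ...
        if len(parts) >= 3 and parts[0].startswith("0x"):
            procs[int(parts[2])] = parts[1]
    return procs


CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")


def parse_connscan(text):
    """Return a list of (local_ip, local_port, remote_ip, remote_port, pid)."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            lip, lport, rip, rport, pid = m.groups()
            conns.append((lip, int(lport), rip, int(rport), int(pid)))
    return conns


def correlate(pslist_text, connscan_text):
    """Map (pid, process name) -> list of remote endpoints. A PID that connscan
    reports but pslist lacks is labelled explicitly rather than dropped: connscan
    carves _TCPT_OBJECT structures from physical memory, so it can surface
    sockets owned by processes that have exited or are hidden from the list."""
    procs = parse_pslist(pslist_text)
    by_proc = defaultdict(list)
    for lip, lport, rip, rport, pid in parse_connscan(connscan_text):
        name = procs.get(pid, "<pid not in pslist>")
        by_proc[(pid, name)].append(f"{rip}:{rport}")
    return dict(by_proc)


if __name__ == "__main__":
    for (pid, name), remotes in sorted(correlate(PSLIST_OUTPUT, CONNSCAN_OUTPUT).items()):
        print(f"{pid:>6} {name:<24} -> {', '.join(remotes)}")
```

To use it on a real image, capture the two commands' stdout into files and pass their contents in place of the constructed strings; the parsers key on the hex offset at the start of each data row, not on column widths, so minor spacing differences between Volatility builds do not matter.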

Page 8

Xplico

• Xplico decodes packet captures (PCAP), extracting the likes of:
  – email content (POP, IMAP, and SMTP protocols)
  – HTTP content
  – VoIP calls (SIP)
  – IM chats
  – FTP
  – TFTP
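What "decodes packet captures" means in practice is walking the pcap container, the Ethernet, IP and TCP headers, and then the application protocol. The script below is an added example, not code from the deck or the Xplico project, and does a deliberately small version of Xplico's HTTP decoder: it builds a two-packet capture in code (constructed, so the example runs offline), then pulls the request line and Host header out of every TCP segment that carries an HTTP request. It handles only the classic pcap format, Ethernet/IPv4/TCP, and requests that fit in one segment; stream reassembly and the other protocols on the slide are exactly what a real tool adds.

```python
"""Extract HTTP request lines and Host headers from a PCAP, in miniature.

Added example, not from the deck or the Xplico project. Scope: classic
little-endian pcap (magic 0xa1b2c3d4), Ethernet/IPv4/TCP, one request per
segment. The capture is constructed in code; addresses are documentation
ranges and the hostname uses the reserved .invalid TLD.
"""
import struct

ETH_LEN = 14
ETH_HDR = b"\x00\x50\x56\xe4\x9f\x01" + b"\x00\x0c\x29\x3a\x1b\x2c" + b"\x08\x00"


def _ipv4(src, dst, proto, l4):
    """Minimal IPv4 header (no options, checksum left zero) in front of an L4 payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 128, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4


def build_sample_pcap():
    """Constructed two-packet capture: an HTTP GET over TCP and a DNS query over UDP."""
    http = b"GET /cfg/config.bin HTTP/1.1\r\nHost: cfg.example.invalid\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 1034, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
    dns = b"\x30\x39\x01\x00" + b"\x00" * 8
    udp = struct.pack("!HHHH", 1025, 53, 8 + len(dns), 0) + dns
    frames = [
        ETH_HDR + _ipv4("192.168.56.101", "203.0.113.10", 6, tcp),
        ETH_HDR + _ipv4("192.168.56.101", "192.168.56.2", 17, udp),
    ]
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1320156222 + i, 0, len(f), len(f)) + f
    return out


def packets(pcap):
    """Yield raw link-layer frames from a classic pcap buffer."""
    if struct.unpack("<I", pcap[:4])[0] != 0xa1b2c3d4:
        raise ValueError("only classic little-endian pcap is handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        _ts, _us, incl, _orig = struct.unpack("<IIII", pcap[pos:pos + 16])
        pos += 16
        yield pcap[pos:pos + incl]
        pos += incl


def http_requests(pcap):
    """Return (src_ip, dst_ip, dst_port, method, path, host) per HTTP request segment."""
    found = []
    for frame in packets(pcap):
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[ETH_LEN:]
        if ip[9] != 6:                           # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        _sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        head = payload.partition(b"\r\n\r\n")[0]
        lines = head.split(b"\r\n")
        req = lines[0].split(b" ")
        if len(req) != 3 or not req[2].startswith(b"HTTP/"):
            continue                             # pure ACK, response, or non-HTTP data
        host = next((l.split(b":", 1)[1].strip().decode() for l in lines[1:]
                     if l.lower().startswith(b"host:")), "")
        found.append((src, dst, dport, req[0].decode(), req[1].decode(), host))
    return found


if __name__ == "__main__":
    for rec in http_requests(build_sample_pcap()):
        print("%s -> %s:%d  %s %s  Host=%s" % rec)
```

Feed a real file with http_requests(open("SpyEye.pcap", "rb").read()) to see what the single-segment assumption misses: any request split across segments, or arriving in a pcapng file, will be skipped, which is the gap Xplico's reassembly closes.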

Page 9

Xplico

• Demo: SpyEye PCAP analysis

Page 10

Maltego

• Maltego: open source intelligence & forensics application offering extraordinary data mining and intelligence gathering capabilities

• Results are well represented in a variety of easy-to-understand views

• In concert with its graphing libraries, Maltego identifies key relationships between data sets and identifies previously unknown relationships between them

Page 11

Maltego

• PCAPs can be converted to CSV, then directly imported by Maltego

• tcpdump -vttttnnelr SpyEye.pcap | /usr/local/bin/tcpdump2csv.pl "sip dip dport" > SpyEye.csv produces a CSV that Maltego can consume easily
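The tcpdump2csv.pl pipeline above reduces each packet to a source, destination and destination port so Maltego can draw the relationships. The script below is an added example, not code from the deck and not the tcpdump2csv.pl script itself; it reimplements that narrow piece in Python over constructed tcpdump text (addresses from documentation ranges), and goes one step further by collapsing repeated packets into one row per flow with a packet count, so the resulting graph shows distinct relationships rather than one edge per packet. Because the exact layout of `tcpdump -vttttnnelr` output varies by tcpdump version, the parser keys only on the `src.port > dst.port` token pair, never on column positions.

```python
"""Convert tcpdump text output into a 'sip,dip,dport' CSV for Maltego import.

Added example, not from the deck; it stands in for the narrow part of
tcpdump2csv.pl the slide uses. The tcpdump lines are constructed in the
shape of `tcpdump -vttttnnelr` output.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample lines (link-layer line, then the indented IP/TCP line)
TCPDUMP_TEXT = """\
2011-11-01 14:03:42.118344 00:0c:29:3a:1b:2c > 00:50:56:e4:9f:01, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 301, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.56.101.1034 > 203.0.113.10.80: Flags [S], seq 101, win 65535, length 0
2011-11-01 14:03:42.207911 00:50:56:e4:9f:01 > 00:0c:29:3a:1b:2c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.10.80 > 192.168.56.101.1034: Flags [S.], seq 7, ack 102, win 5840, length 0
2011-11-01 14:03:43.000120 00:0c:29:3a:1b:2c > 00:50:56:e4:9f:01, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 302, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.56.101.1034 > 203.0.113.10.80: Flags [P.], seq 102:480, ack 8, win 65535, length 378
2011-11-01 14:03:50.555001 00:0c:29:3a:1b:2c > 00:50:56:e4:9f:01, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 303, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.56.101.1041 > 198.51.100.7.443: Flags [S], seq 555, win 65535, length 0
2011-11-01 14:03:51.010000 00:0c:29:3a:1b:2c > 00:50:56:e4:9f:01, ethertype IPv4 (0x0800), length 85: (tos 0x0, ttl 128, id 304, offset 0, flags [none], proto UDP (17), length 71)
    192.168.56.101.1025 > 192.168.56.2.53: 12345+ A? update.example.invalid. (43)
"""

# dotted quad plus port on both sides of ' > '; MAC lines have colons and never match
FLOW_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5}) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5}):"
)


def extract_flows(text):
    """Return (sip, dip, dport) tuples in packet order; lines without an IP pair are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            sip, _sport, dip, dport = m.groups()
            flows.append((sip, dip, int(dport)))
    return flows


def flows_to_csv(text, unique=True):
    """Render CSV. With unique=True each distinct flow is one row carrying a
    packet count; unique=False mirrors the one-row-per-packet output of the
    slide's pipeline."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    if unique:
        w.writerow(["sip", "dip", "dport", "packets"])
        for (sip, dip, dport), n in Counter(extract_flows(text)).items():
            w.writerow([sip, dip, dport, n])
    else:
        w.writerow(["sip", "dip", "dport"])
        w.writerows(extract_flows(text))
    return buf.getvalue()


if __name__ == "__main__":
    print(flows_to_csv(TCPDUMP_TEXT), end="")
```

Run `tcpdump -vttttnnelr SpyEye.pcap` and pipe its output into this script in place of the constructed text; in Maltego, map sip and dip to IPv4 address entities and dport to a port entity, and the packets column becomes link weight.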

Page 12

Maltego

• Demo: IP address relationships

Page 13

Confessor

• Confessor collects from hundreds or thousands of systems simultaneously via Sysinternals:
  – System logs
  – Volatile data
  – User and account information
  – MAC times
  – Can run SecCheck on 32-bit systems

• Search for reg keys and existence of specific files

Page 14

Confessor

• Confessor configuration optimized for specific registry keys and file checks
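Turning the Sample Overview indicators (Run value, directory, MD5) into "specific registry keys and file checks" that give uniform results across hundreds of hosts is the part a collector leaves to the handler. The script below is an added example, not code from the deck and not Confessor's own; it assumes some collector has already produced one record per host with the Run key contents and file hashes, and then scores each record the same way: full match, partial match (the same persistence entry but a different binary hash, which is what a repacked build looks like), or nothing. The host records are constructed, and every hash other than the slide's MD5 is a made-up placeholder.

```python
"""Evaluate collected host data against the SpyEye indicators on the deck.

Added example, not from the deck and not Confessor's own code. It assumes a
collector has already produced one record per host; the records below are
constructed. The indicators (Run value, directory, MD5) are the ones listed
on the Sample Overview slide.
"""

# Indicators from the Sample Overview slide
SPYEYE_MD5 = "00b77d6087f00620508303acd3fd846a"
SPYEYE_RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SPYEYE_RUN_VALUE = ("cleansweep.exe", r"C:\cleansweep.exe\cleansweep.exe")
SPYEYE_DIR = r"C:\cleansweep.exe"

# Constructed collector output, one record per host; hashes other than
# SPYEYE_MD5 are placeholders, not real file hashes
HOSTS = [
    {"host": "WS-0417",  # full match
     "run_values": {SPYEYE_RUN_KEY: {"cleansweep.exe": r"C:\cleansweep.exe\cleansweep.exe",
                                     "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}},
     "files": {r"C:\cleansweep.exe\cleansweep.exe": SPYEYE_MD5,
               r"C:\cleansweep.exe\config.bin": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}},
    {"host": "WS-0981",  # same persistence, different binary
     "run_values": {SPYEYE_RUN_KEY: {"CleanSweep.exe": r"c:\CLEANSWEEP.EXE\cleansweep.exe"}},
     "files": {r"C:\cleansweep.exe\cleansweep.exe": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}},
    {"host": "WS-1203",  # nothing of interest
     "run_values": {SPYEYE_RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}},
     "files": {}},
]


def norm(p):
    """Windows value names and paths are case-insensitive; compare them that way,
    and drop the quotes a Run value's data string often carries."""
    return p.strip().strip('"').lower()


def check_host(rec):
    """Return {indicator name: bool} for one host record."""
    run = {norm(k): norm(v) for k, v in rec["run_values"].get(SPYEYE_RUN_KEY, {}).items()}
    files = {norm(k): v.lower() for k, v in rec["files"].items()}
    vname, vdata = SPYEYE_RUN_VALUE
    return {
        "run_value": run.get(norm(vname)) == norm(vdata),
        "dir_present": any(f.startswith(norm(SPYEYE_DIR) + "\\") for f in files),
        "exe_md5_match": files.get(norm(vdata)) == SPYEYE_MD5,
    }


def triage(records):
    """One uniform verdict per host: 'infected' needs the Run value plus the
    known binary; 'suspect' is any partial hit; otherwise 'clean'."""
    out = []
    for rec in records:
        hits = check_host(rec)
        if hits["run_value"] and hits["exe_md5_match"]:
            verdict = "infected"
        elif any(hits.values()):
            verdict = "suspect"
        else:
            verdict = "clean"
        out.append((rec["host"], verdict, hits))
    return out


if __name__ == "__main__":
    for host, verdict, hits in triage(HOSTS):
        flags = ",".join(k for k, v in hits.items() if v) or "-"
        print(f"{host:<8} {verdict:<9} {flags}")
```

The case-insensitive comparison is the detail that matters at scale: WS-0981 writes the same persistence value with different letter case, and a literal string match would report it clean. The partial-hit bucket is also where a changed MD5 lands, which is the usual signal that the sample on that host is a different build and needs its own look.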

Page 15

Summary

• Tools offered to enhance the incident handler toolkit and address challenges

• Takeaways:
  – Tool to scale
  – Seek unique opportunities to correlate
  – Build what you can’t buy or borrow

• Q&A: russ at holisticinfosec dot org