Tilbury ISSA 2013


  • 8/11/2019 Tilbury ISSA 2013

    Slide 1/36

    Slide 2/36

    CHAD TILBURY
    • Former: Special Agent with US Air Force Office of Special Investigations
    • Current: Incident Response and Computer Forensics Consultant
    • Over 12 years in the trenches
    • SANS Forensics and Incident Response Instructor & [email protected]
    ForensicMethods.com
    @chadtilbury

    Slide 3/36

    The Ugly

    "I'm with the government and I'm here to help.

    I can't tell you how, but we have evidence of malicious activity originating from several of your internal systems."

    Slide 4/36

    Organizations Simply Fail to Detect Intrusions

    Slide 5/36

    6 Step IR Process and Forensics

    1. Preparation
    2. Identification and Scoping
    3. Containment / Intelligence Gathering
    4. Eradication / Remediation
    5. Recovery
    6. Follow Up / Lessons Learned

    No Identification = No Containment

    Forensic disciplines shown in the figure: Memory Forensics & Triage, Deep Dive Forensics, Network Forensics, Malware Analysis, Intrusion Analysis

    Slide 6/36

    Why Memory Forensics?

    Everything in the OS traverses RAM
    • Network sockets, URLs
    • Windows Registry keys
    • Hardware configuration
    • Passwords, caches, clipboards
    • User generated content
    • Malicious Code

    "If you have a problem, if no one else can help..."

    Slide 7/36

    One Slide Primer: Windows Memory Analysis

    1. Identify Context
       Find the Kernel Processor Control Region (KPCR) or Kernel Debugger Data Block (KDBG)

    2. Parse Memory Structures
       Executive Process (EPROCESS) blocks
       Process Environment Blocks (PEB): DLLs loaded
       Virtual Address Descriptor (VAD) tree: list of memory sections belonging to the process
       Kernel modules / drivers

    3. Scan for Outliers
       Unlinked processes, DLLs, sockets and threads
       Unmapped memory pages with execute privileges
       Hook detection
       Known heuristics and signatures

    4. Analysis: Search for anomalies

    Slide 8/36

    Memory Forensics Triage

    1. Identify rogue processes
    2. Analyze process DLLs and handles
    3. Review network artifacts
    4. Look for evidence of code injection
    5. Check for signs of a rootkit
    6. Dump suspicious processes and drivers

    Slide 9/36

    Suspicious Processes

    Slide 10/36

    Step 1: Analyzing Processes

    Image Name
    • Legitimate process?
    • Spelled correctly?
    • Matches system context?

    Full Path
    • Appropriate path for system executable?
    • Running from a user or temp directory?

    Parent Process
    • Is the parent process what you would expect?

    Command Line
    • Executable matches image name?
    • Do arguments make sense?

    Start Time
    • Was the process started at boot (with other system processes)?
    • Processes started near time of known attack.

    Slide 11/36

    Introducing: Redline

    Free GUI tool for guided memory analysis
    • Processes
    • Handles
    • Network Connections
    • Memory sections
    • Hooks and drivers

    x86 and x64 support for: Win2000 | WinXP | Win2003 | Vista | Win2008 | Win7 | 2008R2 | Win8 | Win2012

    Heuristics for suspicious processes and code

    Live memory analysis and IR capability
    • Indicator of Compromise (IOC) matching
    • File whitelisting
    • Comprehensive timelining

    http://www.mandiant.com/resources/download/redline/

    Slide 12/36

    Identify Rogue Processes: MRI - Malware Risk Index

    1. Process Anomalies
    • Code injection detection
    • Process Image Path Verification: svchost outside system32 = Bad
    • Process User Verification (SIDs): dllhost running as admin = Bad
    • Process Handle Inspection: iexplore.exe opening cmd.exe = Bad
    • )!voqa.i4 = known Poison Ivy mutant

    2. Verify Digital Signatures
    • Only available during live analysis
    • Executable, DLL, and driver sig checks
    • Not signed?
    • Is it found in >75% of all processes?
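    The checklist on slide 10 (image name, full path, parent, command line, start time) and the MRI anomaly examples on slide 12 (svchost outside System32, a system binary running as a user, iexplore.exe holding a handle to cmd.exe, the Poison Ivy mutant) reduce to a handful of rules that can be run over a process listing. The script below is an added example, not Redline's code: the process table imitates pslist/pstree/handles output and is constructed by hand, and the System32, parent, account and user-application baselines are Vista/Win7 assumptions, not values taken from the slides.

```python
"""Process triage checks: name, path, parent, command line, user, start time, handles.
Added example (not Redline). Baselines are assumptions for a Vista/Win7 host."""
import shlex
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from difflib import SequenceMatcher

SYSTEM32 = "c:\\windows\\system32\\"
# Core binaries that must live in System32 and run under a service/system account (assumption).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                   "nt authority\\network service"}
# Expected parent image on Vista+ (assumption; XP differs, e.g. services.exe under winlogon.exe).
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}, "services.exe": {"wininit.exe"},
                   "lsass.exe": {"wininit.exe"}}
USER_APPS = {"iexplore.exe", "firefox.exe", "chrome.exe", "winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
KNOWN_BAD_MUTANTS = {")!voqa.i4"}   # Poison Ivy mutant named on the slide (compared case-insensitively)


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    cmdline: str
    user: str
    start: datetime
    handles: list = field(default_factory=list)   # (handle type, object name)


def lookalike(name):
    """Return the core binary a name imitates (scvhost.exe -> svchost.exe), else None."""
    best = max(SYSTEM_BINARIES, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best if name != best and SequenceMatcher(None, name, best).ratio() > 0.85 else None


def cmdline_image(cmdline):
    """Basename of the executable in a Windows command line (non-POSIX shlex keeps quotes)."""
    parts = shlex.split(cmdline, posix=False)
    return parts[0].strip('"').rsplit("\\", 1)[-1].lower() if parts else ""


def triage(procs, boot_time):
    """Map pid -> list of findings for every process that trips at least one check."""
    by_pid = {p.pid: p for p in procs}
    report = {}
    for p in procs:
        name, path, user = p.name.lower(), p.path.lower(), p.user.lower()
        hits = []
        if name not in SYSTEM_BINARIES and (mimic := lookalike(name)):
            hits.append(f"image name resembles {mimic}")
        if name in SYSTEM_BINARIES and not path.startswith(SYSTEM32):
            hits.append(f"system binary outside System32: {p.path}")
        if any(part in path for part in ("\\temp\\", "\\users\\", "\\documents and settings\\")):
            hits.append("running from a user or temp directory")
        parent = by_pid.get(p.ppid)
        if name in EXPECTED_PARENT and (parent is None or parent.name.lower() not in EXPECTED_PARENT[name]):
            hits.append(f"unexpected parent: {parent.name if parent else f'pid {p.ppid} (not in list)'}")
        if cmdline_image(p.cmdline) != name:
            hits.append(f"command line executable does not match image name: {p.cmdline}")
        if name in SYSTEM_BINARIES and user not in SYSTEM_ACCOUNTS:
            hits.append(f"system binary running as {p.user}")
        if name in SYSTEM_BINARIES and p.start - boot_time > timedelta(minutes=5):
            hits.append("system binary started long after boot")
        for htype, hname in p.handles:
            if htype == "Process" and hname.lower() in SHELLS and name in USER_APPS:
                hits.append(f"{p.name} holds a process handle to {hname}")
            if htype == "Mutant" and hname.lower() in KNOWN_BAD_MUTANTS:
                hits.append(f"known malware mutant {hname}")
        if hits:
            report[p.pid] = hits
    return report


# Constructed process listing: three clean system processes, explorer, and three rogue entries.
BOOT = datetime(2013, 6, 1, 8, 0, 0)
SYS = "NT AUTHORITY\\SYSTEM"
SAMPLE_PROCS = [
    Proc(400, 300, "wininit.exe", "C:\\Windows\\System32\\wininit.exe", "wininit.exe", SYS, BOOT + timedelta(seconds=5)),
    Proc(500, 400, "services.exe", "C:\\Windows\\System32\\services.exe", "C:\\Windows\\system32\\services.exe", SYS, BOOT + timedelta(seconds=6)),
    Proc(800, 500, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\system32\\svchost.exe -k netsvcs", SYS, BOOT + timedelta(seconds=10)),
    Proc(2100, 2000, "explorer.exe", "C:\\Windows\\explorer.exe", "C:\\Windows\\Explorer.EXE", "WIN7\\bob", BOOT + timedelta(seconds=40)),
    Proc(2600, 2100, "iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe",
         '"C:\\Program Files\\Internet Explorer\\iexplore.exe"', "WIN7\\bob", BOOT + timedelta(hours=3),
         handles=[("Process", "cmd.exe")]),
    Proc(1500, 2100, "svchost.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe",
         "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe", "WIN7\\bob", BOOT + timedelta(hours=3, minutes=1),
         handles=[("Mutant", ")!VoqA.I4")]),
    Proc(3100, 2600, "scvhost.exe", "C:\\Windows\\System32\\scvhost.exe", "svchost.exe -k netsvcs", "WIN7\\bob", BOOT + timedelta(hours=3, minutes=2)),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_PROCS, BOOT).items():
        print(pid, *hits, sep="\n    ")
```

    Each rule is weak on its own (a legitimate svchost.exe can start late when a service is triggered), which is why the output is a list of hits per process rather than a verdict: the svchost.exe in Temp collects six, the misspelled scvhost.exe two, and the clean system processes none.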

    Slide 13/36

    Conficker Worm

    Slide 14/36

    APT Hiding in Plain Sight

    Slide 15/36

    Step 2: Analyzing Process Objects (Least Frequency of Occurrence)

    • Malware and its associated artifacts should be among the rarest objects in a memory image
    • Redline keeps a count of each time a process object is referenced
    • Sort by the Occurrences column to identify outliers

    ** A process object occurring only once is not de facto malicious, but should be trusted less than one that appears in 50 instances
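    The occurrence count itself is a short piece of bookkeeping over a per-process module walk. The following is an added example, not Redline's implementation: the process/module table is constructed to look like a dlllist-style walk of each PEB, and the count is per process (a process that loads the same DLL twice is still one witness), which is the count that makes an outlier sort meaningful.

```python
"""Least Frequency of Occurrence over loaded modules: how many processes reference each DLL.
Added example (not Redline). The module table below is constructed."""
from collections import defaultdict

S32 = "C:\\Windows\\System32\\"
# (pid, image name, loaded module paths) for a small constructed host.
SAMPLE_MODULES = [
    (500, "services.exe", [S32 + "ntdll.dll", S32 + "kernel32.dll", S32 + "advapi32.dll"]),
    (800, "svchost.exe", [S32 + "ntdll.dll", S32 + "kernel32.dll", S32 + "advapi32.dll", S32 + "rpcrt4.dll"]),
    (900, "svchost.exe", [S32 + "ntdll.dll", S32 + "kernel32.dll", S32 + "advapi32.dll", S32 + "rpcrt4.dll"]),
    (2100, "explorer.exe", [S32 + "ntdll.dll", S32 + "kernel32.dll", S32 + "shell32.dll"]),
    (2600, "iexplore.exe", [S32 + "ntdll.dll", S32 + "kernel32.dll", S32 + "wininet.dll", S32 + "shell32.dll"]),
    # Rogue svchost.exe: loads a module from the user's Temp directory that nothing else loads.
    (1500, "svchost.exe", [S32 + "ntdll.dll", S32 + "kernel32.dll",
                           "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.dll", S32 + "wininet.dll"]),
]


def occurrences(procs):
    """Return [(count, module path, [pids])] sorted rarest first, then by path for stable output."""
    witnesses = defaultdict(set)
    for pid, _name, modules in procs:
        for module in modules:
            witnesses[module.lower()].add(pid)   # a set: one process counts once per module
    return sorted(((len(pids), module, sorted(pids)) for module, pids in witnesses.items()),
                  key=lambda row: (row[0], row[1]))


def rare(procs, max_count=1):
    """Modules referenced by at most max_count processes: the rows to look at first, not a verdict."""
    return [(module, pids) for count, module, pids in occurrences(procs) if count <= max_count]


if __name__ == "__main__":
    for count, module, pids in occurrences(SAMPLE_MODULES):
        print(f"{count:3d}  {module}  {pids}")
```

    The same count works for handles, mutants and named sections; the key is to normalise the name (case, and for files the full path, so a same-named DLL in Temp does not hide behind its System32 twin) before counting.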

    Slide 16/36

    Least Frequency of Occurrence

    Slide 17/36

    Network Artifacts

    Slide 18/36

    Step 3: Network Artifacts

    Suspicious Ports
    • Communication via abnormal ports?
    • Indications of listening ports / backdoors?

    Suspicious Connections
    • External connections
    • Connections to known bad IPs
    • TCP / UDP connections
    • Socket creation times

    Suspicious Processes
    • Why does this process have network capability (open sockets)?
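    The three questions on this slide map onto three checks against a socket listing: is the remote end outside the organisation, is the port one the process should be using (or listening on), and should this process own a socket at all. The script below is an added example, not Redline or Volatility code: the socket records are constructed to resemble a netscan listing and the port and process baselines are assumptions for a domain-joined Win7 workstation. The internal-network test is written out explicitly rather than using Python's `is_private`, because `is_private` also treats the RFC 5737 documentation ranges used here as private.

```python
"""Socket triage: external peers, abnormal ports, unexpected listeners, processes with no business
owning a socket. Added example (not Redline/Volatility). Records and baselines are constructed."""
import ipaddress
from dataclasses import dataclass

COMMON_REMOTE_PORTS = {25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 993, 995}
BASELINE_LISTENERS = {135: "svchost.exe", 139: "System", 445: "System", 3389: "svchost.exe"}
NETWORK_PROCESSES = {"system", "svchost.exe", "lsass.exe", "spoolsv.exe",
                     "iexplore.exe", "firefox.exe", "chrome.exe", "outlook.exe"}
# RFC 1918 plus loopback, link-local, multicast and "this network"; IPv4 only (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8")]


@dataclass(frozen=True)
class Socket:
    pid: int
    owner: str      # image name of the owning process
    proto: str      # TCPv4 / UDPv4
    laddr: str
    lport: int
    raddr: str      # "*" for a listener
    rport: int
    state: str      # LISTENING / ESTABLISHED / ...


def is_external(ip):
    """True for a routable peer; '*' (listener) and internal ranges return False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def triage_sockets(sockets):
    """Map each flagged socket to its list of reasons; clean sockets are omitted."""
    report = {}
    for s in sockets:
        owner = s.owner.lower()
        hits = []
        if owner not in NETWORK_PROCESSES:
            hits.append(f"{s.owner} is not expected to own sockets")
        if s.state == "LISTENING":
            expected = BASELINE_LISTENERS.get(s.lport)
            if expected is None:
                hits.append(f"listener on non-baseline port {s.lport} (backdoor?)")
            elif expected.lower() != owner:
                hits.append(f"port {s.lport} owned by {s.owner}, baseline owner is {expected}")
        else:
            if is_external(s.raddr):
                hits.append(f"external connection to {s.raddr}")
            if s.rport not in COMMON_REMOTE_PORTS:
                hits.append(f"unusual remote port {s.rport}")
        if hits:
            report[s] = hits
    return report


# Constructed listing: two baseline listeners, Kerberos to the DC, a browser, and two rogue sockets.
SAMPLE_SOCKETS = [
    Socket(4, "System", "TCPv4", "0.0.0.0", 445, "*", 0, "LISTENING"),
    Socket(880, "svchost.exe", "TCPv4", "0.0.0.0", 135, "*", 0, "LISTENING"),
    Socket(700, "lsass.exe", "TCPv4", "10.1.1.20", 49150, "10.1.1.5", 88, "ESTABLISHED"),
    Socket(2600, "iexplore.exe", "TCPv4", "10.1.1.20", 49213, "203.0.113.10", 443, "ESTABLISHED"),
    Socket(3100, "scvhost.exe", "TCPv4", "10.1.1.20", 49301, "198.51.100.7", 8080, "ESTABLISHED"),
    Socket(1500, "svchost.exe", "TCPv4", "0.0.0.0", 4444, "*", 0, "LISTENING"),
]

if __name__ == "__main__":
    for sock, hits in triage_sockets(SAMPLE_SOCKETS).items():
        print(sock.pid, sock.owner, f"{sock.laddr}:{sock.lport} -> {sock.raddr}:{sock.rport}", hits)
```

    The browser's HTTPS session to an external address is reported once, as information; the misspelled scvhost.exe talking to an external host on 8080 collects all three reasons, and the listener on 4444 is flagged purely because nothing in the baseline listens there. Socket creation times from the slide's last bullet are the natural next column to add when the listing carries them.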

    Slide 19/36

    TDL3/TDSS

    Slide 20/36

    Finding Beacons: Zeus

    Slide 21/36

    Code Injection

    Slide 22/36

    Step 4: Detecting Injection

    • DLL injection is very common with modern malware
      • VirtualAllocEx( ) & CreateRemoteThread( )
      • SetWindowsHookEx( ), etc.
    • Process hollowing is another form
      • Malware starts a new instance of a legitimate process
      • Original process code is de-allocated and replaced
      • Retains DLLs, handles, data, etc. from the original process
    • Code injection is relatively easy to detect
      • Review memory sections marked as executable and having no memory-mapped file present
      • Scan for DLLs (PE files) and shellcode
      • Process image base not backed with a file on disk
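    The two detection bullets above are what a malfind-style scan does: walk a process's memory regions, keep the executable ones that have no file object behind them, and look at their first bytes; then check separately whether the region holding the image base recorded in the PEB is still backed by the process's own image file. The script below is an added example, not Volatility's malfind: the region records are constructed to mimic what a VAD walk returns, the shellcode hints are a crude heuristic, and the dump file naming is an assumption.

```python
"""Malfind-style injection and process-hollowing check over a process's memory regions.
Added example (not Volatility). Region data is constructed; heuristics are assumptions."""
import os
from dataclasses import dataclass
from typing import Optional

EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class Region:
    start: int
    end: int
    protection: str
    mapped_file: Optional[str]   # FILE_OBJECT name behind the VAD, None for private memory
    data: bytes                  # first bytes of the region (constructed)


@dataclass
class Process:
    pid: int
    name: str
    image_path: str   # EPROCESS image path
    image_base: int   # PEB.ImageBaseAddress
    regions: list


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def looks_like_code(data):
    """PE header, or a common x86 prologue (assumption: heuristic only, not a disassembler)."""
    if data[:2] == b"MZ":
        return "PE header"
    # push ebp / mov ebp,esp; cld (typical shellcode stub start); call or jmp rel32
    if data[:3] == b"\x55\x8b\xec" or data[:1] in (b"\xfc", b"\xe8", b"\xe9"):
        return "x86 code prologue"
    return None


def scan(proc):
    """Return [(address, reason)] for injected regions and for a hollowed image base."""
    findings = []
    for r in proc.regions:
        if r.protection in EXECUTABLE and r.mapped_file is None:
            kind = looks_like_code(r.data) or "no recognizable header"
            findings.append((r.start, f"executable private region, {kind}"))
    base = next((r for r in proc.regions if r.start <= proc.image_base < r.end), None)
    if base is None or base.mapped_file is None:
        findings.append((proc.image_base, "image base not backed by a file: possible process hollowing"))
    elif basename(base.mapped_file) != basename(proc.image_path):
        findings.append((proc.image_base, f"image base backed by {base.mapped_file}, not the process image"))
    return findings


def dump(proc, findings, out_dir):
    """Write each flagged region to out_dir (naming is this example's, not malfind's)."""
    written = []
    for start, _reason in findings:
        region = next(r for r in proc.regions if r.start <= start < r.end)
        path = os.path.join(out_dir, f"process.{proc.pid}.{start:#x}.dmp")
        with open(path, "wb") as fh:
            fh.write(region.data)
        written.append(path)
    return written


NTDLL = Region(0x77d00000, 0x77e40000, "PAGE_EXECUTE_WRITECOPY",
               "\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll", b"MZ\x90\x00")
# Constructed processes: a clean lsass.exe, a hollowed lsass.exe, and explorer.exe with injected shellcode.
LEGIT = Process(680, "lsass.exe", "C:\\Windows\\System32\\lsass.exe", 0x4a0000, [
    Region(0x4a0000, 0x4a8000, "PAGE_EXECUTE_WRITECOPY", "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe", b"MZ\x90\x00"),
    NTDLL,
    Region(0x120000, 0x130000, "PAGE_READWRITE", None, b"\x00" * 16),     # heap: writable, not executable
])
HOLLOWED = Process(1240, "lsass.exe", "C:\\Windows\\System32\\lsass.exe", 0x400000, [
    Region(0x400000, 0x410000, "PAGE_EXECUTE_READWRITE", None, b"MZ\x90\x00\x03\x00\x00\x00"),  # unmapped PE at the image base
    NTDLL,
])
INJECTED = Process(2100, "explorer.exe", "C:\\Windows\\explorer.exe", 0x1000000, [
    Region(0x1000000, 0x1300000, "PAGE_EXECUTE_WRITECOPY", "\\Device\\HarddiskVolume1\\Windows\\explorer.exe", b"MZ\x90\x00"),
    Region(0x1f0000, 0x1f6000, "PAGE_EXECUTE_READWRITE", None, b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5"),
    Region(0x2a0000, 0x2b0000, "PAGE_READWRITE", None, b"\x00" * 8),
])

if __name__ == "__main__":
    for proc in (LEGIT, HOLLOWED, INJECTED):
        print(proc.pid, proc.name, [(hex(a), why) for a, why in scan(proc)])
```

    Expect false positives from JIT engines and packers that legitimately create executable private memory; the point of the "no recognizable header" wording is that the region is still worth a look, and the dump is what you hand to the strings/sandbox/reverse-engineering step later in the deck.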

    Slide 23/36

    Detecting Code Injection: Stuxnet Process Hollowing (1)

    Slide 24/36

    Detecting Code Injection: Stuxnet Process Hollowing (2)

    Process Hollowing!

    Slide 25/36

    Introducing: Volatility

    Python-based memory analysis framework: http://code.google.com/p/volatility/

    Tremendous versatility via plug-in architecture
    Opens the door for very advanced analysis

    Supports x86 and x64 versions of: WinXP | Win2003 | Vista | Win2008R2 | Win7 | Linux | Mac OSX and more!

    Pre-installed on SANS SIFT Workstation: http://computer-forensics.sans.org/community/downloads

    Slide 26/36

    Volatility Malfind (Stuxnet)

    vol.py -f stuxnet.img malfind --dump-dir output_dir

    Volatility 2 falls back to the WinXPSP2x86 profile when none is given; for any other image add --profile=<name> (see imageinfo) or malfind will parse the wrong structures.

    Slide 27/36

    Putting it All Together

    1. Identify rogue processes: name, path, parent, command line, start time, SID, MRI score
    2. Analyze process DLLs and handles: digital signatures and Least Frequency of Occurrence helpful
    3. Review network artifacts: suspicious ports, connections, and processes
    4. Look for evidence of code injection: injected memory sections and process hollowing
    5. Check for signs of a rootkit: SSDT, IDT, IRP, and inline hooks
    6. Dump suspicious processes and drivers: review strings, sandbox, reverse-engineer

    Slide 28/36

    Intelligence Sharing

    Slide 29/36

    Indicator of Compromise (Courtesy of Mandiant)

    IOC logic tree (figure; the terms are joined with Or / And operators):
    • File MD5 checksum is 88195c3b0b349c4edbe2aa725d3cf6ff
    • File name is ripsvc32.dll
    • File path contains \system32\mtxes.dll
    • File PE header compile time is 2008-04-04T18:14:25
    • Registry key text contains ripsvc32.dll
    • Registry path contains \SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDLL
    • Service DLL is ripsvc32.dll
    • Process has a handle named RipSvc32.dll
    • File path contains \system32\msasn.dll
    • File path contains \system32\msxml15.dll
    • File size is between 500000 and 900000
    • File name is SPBBCSvc.exe
    • File name is hinv32.exe
    • File name is vprosvc.exe
    • File name is wuser32.exe
    • Service name is IPRip
    • Service DLL is not iprip.dll
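    An IOC like this is a boolean tree of terms, and the part that bites in practice is the And groups: "Service name is IPRip And Service DLL is not iprip.dll" only means something if both terms are checked against the same service record. Evaluated term by term against the whole host, the "is not" leg is satisfied by every other service on the box and the indicator fires everywhere. The evaluator below is an added example, not Mandiant's or Redline's code: its leaf terms are taken from the slide, but the grouping into any/all nodes and the two host inventories are constructed here, and the full tree on the slide is not reproduced.

```python
"""Evaluate an OpenIOC-style indicator tree against host artifacts.
Added example (not Mandiant/Redline). Tree grouping and hosts are constructed."""

# Leaf term: (artifact type, field, condition, value). Group: ("any" | "all", [children]).
IOC = ("any", [
    ("file", "md5", "is", "88195c3b0b349c4edbe2aa725d3cf6ff"),
    ("file", "name", "is", "ripsvc32.dll"),
    ("file", "path", "contains", "\\system32\\mtxes.dll"),
    ("all", [("registry", "path", "contains", "\\SYSTEM\\CurrentControlSet\\Services\\Iprip\\Parameters\\ServiceDLL"),
             ("registry", "text", "contains", "ripsvc32.dll")]),
    ("all", [("service", "name", "is", "IPRip"),
             ("service", "dll", "is not", "iprip.dll")]),
    ("all", [("file", "name", "is", "SPBBCSvc.exe"),
             ("file", "size", "between", (500000, 900000))]),
])

# Constructed host inventories: one with the IPRip service pointed at ripsvc32.dll, one stock.
INFECTED_HOST = [
    {"type": "file", "name": "ripsvc32.dll", "path": "C:\\Windows\\system32\\ripsvc32.dll",
     "md5": "88195c3b0b349c4edbe2aa725d3cf6ff", "size": 612352},
    {"type": "service", "name": "IPRip", "dll": "ripsvc32.dll"},
    {"type": "registry", "path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Iprip\\Parameters\\ServiceDLL",
     "text": "%SystemRoot%\\system32\\ripsvc32.dll"},
]
CLEAN_HOST = [
    {"type": "file", "name": "iprip.dll", "path": "C:\\Windows\\system32\\iprip.dll",
     "md5": "0" * 32, "size": 81920},            # placeholder hash, not a real file hash
    {"type": "service", "name": "IPRip", "dll": "iprip.dll"},
    {"type": "service", "name": "Spooler", "dll": "spoolsv.exe"},   # the unrelated service that trips naive matching
    {"type": "registry", "path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Iprip\\Parameters\\ServiceDLL",
     "text": "%SystemRoot%\\system32\\iprip.dll"},
]


def is_group(node):
    return len(node) == 2 and isinstance(node[1], list)


def match_term(term, artifact):
    """One leaf term against one artifact; string comparisons are case-insensitive."""
    atype, field, cond, value = term
    if artifact.get("type") != atype or field not in artifact:
        return False
    actual = artifact[field]
    if cond == "between":
        return value[0] <= actual <= value[1]
    actual, value = str(actual).lower(), str(value).lower()
    return {"is": actual == value, "is not": actual != value, "contains": value in actual}[cond]


def evaluate(node, artifacts, per_object=True):
    """per_object=True: an 'all' group of leaves on one artifact type must be satisfied by a
    single artifact. per_object=False checks each term against the whole host independently,
    which is how 'is not' terms produce false positives."""
    if not is_group(node):
        return any(match_term(node, a) for a in artifacts)
    op, children = node
    if op == "any":
        return any(evaluate(c, artifacts, per_object) for c in children)
    same_type_leaves = all(not is_group(c) for c in children) and len({c[0] for c in children}) == 1
    if per_object and same_type_leaves:
        return any(all(match_term(c, a) for c in children) for a in artifacts)
    return all(evaluate(c, artifacts, per_object) for c in children)


if __name__ == "__main__":
    for label, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        print(label, "per-object:", evaluate(IOC, host), "naive:", evaluate(IOC, host, per_object=False))
```

    With per-object evaluation the clean host does not match; with naive evaluation it does, because "Service name is IPRip" is true of the stock IPRip service and "Service DLL is not iprip.dll" is true of the Spooler. That is the check to run on any hand-written IOC before it goes into a fleet-wide Redline scan.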

    Slide 30/36

    IOC Editor
    • IOC Editor (free)
    • Allows users to create, edit and compare Indicators of Compromise in XML format
    • http://www.mandiant.com/resources/download/ioc-editor/

    Slide 31/36

    Automating IOC Analysis
    • IOCs allow a wide range of alert triggers to be set for known malware
      • Processes, hooks, drivers, handles, strings
    • IOCs can be used with any live / dead memory analysis in Redline
      • Scan for a single IOC or hundreds

    Slide 32/36

    Redline IOC Analysis (Zeus)

    Zeus Indicator of Compromise (IOC Editor)

    Redline IOC Report

    Slide 33/36

    6 Step IR Process and Forensics

    1. Preparation
    2. Identification and Scoping
    3. Containment / Intelligence Gathering
    4. Eradication / Remediation
    5. Recovery
    6. Follow Up / Lessons Learned

    No Identification = No Containment

    Forensic disciplines shown in the figure: Memory Forensics & Triage, Deep Dive Forensics, Network Forensics, Malware Analysis, Intrusion Analysis

    Slide 34/36

    Links
    • Getting started with Redline
      • https://www.mandiant.com/resources/download/redline
      • http://holisticinfosec.org/toolsmith/docs/february2009.html
      • http://forensicmethods.com/windows-8-server-2012-memory-forensics
    • Volatility references and sample memory images
      • http://code.google.com/p/volatility/w/list
    • Detailed Analysis using Volatility
      • http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html
      • http://malwarereversing.wordpress.com/2011/09/23/zeus-analysis-in-volatility-2-0/
      • http://computer-forensics.sans.org/blog/2013/07/08/getting-started-linux-memory-forensics
