Tilbury ISSA 2013
TRANSCRIPT
-
8/11/2019 Tilbury ISSA 2013
1/36
-
CHAD TILBURY
- Former: Special Agent with US Air Force Office of Special Investigations
- Current: Incident Response and Computer Forensics Consultant
- Over 12 years in the trenches
- SANS Forensics and Incident Response Instructor & [email protected]
ForensicMethods.com
@chadtilbury
-
The Ugly
I'm with the government and I'm here to help.
I can't tell you how, but we have evidence of malicious activity originating from several of your internal systems.
-
Organizations Simply Fail to Detect Intrusions
-
6 Step IR Process and Forensics
1. Preparation
2. Identification and Scoping
3. Containment / Intelligence Gathering
4. Eradication / Remediation
5. Recovery
6. Follow Up / Lessons Learned
No Identification = No Containment
Forensic disciplines supporting the process: Memory Forensics & Triage, Deep Dive Forensics, Network Forensics, Malware Analysis, Intrusion Analysis
-
Why Memory Forensics?
Everything in the OS traverses RAM:
- Network sockets, URLs
- Windows Registry keys
- Hardware configuration
- Passwords, caches, clipboards
- User generated content
- Malicious Code
If you have a problem, if no one else can help...
-
One Slide Primer: Windows Memory Analysis
1. Identify Context: find the Kernel Processor Control Region (KPCR) or Kernel Debugger Data Block (KDBG)
2. Parse Memory Structures:
  - Executive Process (EPROCESS) blocks
  - Process Environment Block (PEB): DLLs loaded
  - Virtual Address Descriptor (VAD) tree: list of memory sections belonging to the process
  - Kernel modules / drivers
3. Scan for Outliers:
  - Unlinked processes, DLLs, sockets and threads
  - Unmapped memory pages with execute privileges
  - Hook detection
  - Known heuristics and signatures
4. Analysis: search for anomalies
-
Memory Forensics Triage
1. Identify rogue processes
2. Analyze process DLLs and handles
3. Review network artifacts
4. Look for evidence of code injection
5. Check for signs of a rootkit
6. Dump suspicious processes and drivers
-
Suspicious Processes
-
Step 1: Analyzing Processes
Image Name
- Legitimate process?
- Spelled correctly?
- Matches system context?
Full Path
- Appropriate path for system executable?
- Running from a user or temp directory?
Parent Process
- Is the parent process what you would expect?
Command Line
- Executable matches image name?
- Do arguments make sense?
Start Time
- Was the process started at boot (with other system processes)?
- Processes started near time of known attack.
-
Introducing: Redline
Free GUI tool for guided memory analysis:
- Processes
- Handles
- Network Connections
- Memory sections
- Hooks and drivers
x86 and x64 support for: Win2000 | WinXP | Win2003 | Vista | Win2008 | Win7 | 2008R2 | Win8 | Win2012
Heuristics for suspicious processes and code
Live memory analysis and IR capability
Indicator of Compromise (IOC) matching
File whitelisting
Comprehensive timelining
http://www.mandiant.com/resources/download/redline/
-
Identify Rogue Processes: MRI - Malware Risk Index
1. Process Anomalies
- Code injection detection
- Process Image Path Verification (svchost outside system32 = Bad)
- Process User Verification (SIDs) (dllhost running as admin = Bad)
- Process Handle Inspection (iexplore.exe opening cmd.exe = Bad; ")!voqa.i4" = known Poison Ivy mutant)
2. Verify Digital Signatures
- Only available during live analysis
- Executable, DLL, and driver signature checks
- Not signed? Is it found in >75% of all processes?
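The Step 1 questions (image name, full path, parent, command line) and the MRI image-path check above can be turned into a scripted first pass over a process listing. This is an added illustration written for this transcript, not Redline's MRI logic; the EXPECTED table of "right folder, right parent" is a small assumed sample, not a complete model of Windows process genealogy, and the process records are constructed.

```python
import ntpath
from difflib import SequenceMatcher

# ASSUMPTION (not from the slides): illustrative table of expected image folder
# and parent for a few core Windows processes, not a version-accurate model.
EXPECTED = {
    "svchost.exe":  (r"c:\windows\system32", "services.exe"),
    "services.exe": (r"c:\windows\system32", "wininit.exe"),
}
USER_OR_TEMP = ("\\users\\", "\\documents and settings\\", "\\temp\\", "\\appdata\\")

def check_process(proc, by_pid):
    """Apply the image name / path / parent / command line questions to one
    process record and return the findings (empty list = nothing odd)."""
    findings = []
    name, path = proc["name"].lower(), proc["path"].lower()
    parent = by_pid.get(proc["ppid"], {}).get("name", "<none>").lower()
    # Image name: spelled correctly? Near-misses of known names are classic.
    if name not in EXPECTED:
        for known in EXPECTED:
            if SequenceMatcher(None, name, known).ratio() > 0.85:
                findings.append(f"name '{name}' resembles '{known}'")
    # Full path: right folder for a system binary? user or temp directory?
    if name in EXPECTED and ntpath.dirname(path) != EXPECTED[name][0]:
        findings.append(f"{name} running outside {EXPECTED[name][0]}")
    if any(marker in path for marker in USER_OR_TEMP):
        findings.append(f"{name} running from a user or temp directory")
    # Parent process: is it what you would expect?
    if name in EXPECTED and parent != EXPECTED[name][1]:
        findings.append(f"{name} parent is {parent}, expected {EXPECTED[name][1]}")
    # Command line: does the executable match the image name?
    first = proc["cmdline"].split()[0].strip('"') if proc["cmdline"] else name
    if ntpath.basename(first).lower() != name:
        findings.append(f"command line runs '{first}' but image is '{name}'")
    return findings

def triage(processes):
    """Map pid -> findings for every process with at least one finding."""
    by_pid = {p["pid"]: p for p in processes}
    return {p["pid"]: hits for p in processes if (hits := check_process(p, by_pid))}

# Constructed sample process list, not taken from a real memory image.
SAMPLE = [
    {"pid": 500, "ppid": 4, "name": "wininit.exe", "path": r"C:\Windows\System32\wininit.exe", "cmdline": "wininit.exe"},
    {"pid": 600, "ppid": 500, "name": "services.exe", "path": r"C:\Windows\System32\services.exe", "cmdline": r"C:\Windows\system32\services.exe"},
    {"pid": 800, "ppid": 600, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"pid": 1337, "ppid": 2000, "name": "svchost.exe", "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "cmdline": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"},
    {"pid": 1400, "ppid": 600, "name": "scvhost.exe", "path": r"C:\Windows\System32\scvhost.exe", "cmdline": "scvhost.exe"},
]
```

Running `triage(SAMPLE)` flags only the svchost.exe under a temp directory with an unknown parent and the misspelled scvhost.exe; the genuine system processes produce no findings.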
-
Conficker Worm
-
APT Hiding in Plain Sight
-
Step 2: Analyzing Process Objects (Least Frequency of Occurrence)
- Malware and its associated artifacts should be among the rarest objects in a memory image
- Redline keeps a count of each time a process object is referenced
- Sort by the Occurrences column to identify outliers
** A process object occurring only once is not de facto malicious, but should be trusted less than one that appears in 50 instances
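The Occurrences count is easy to reproduce from any per-process DLL listing. The code below is an added example for this transcript, not Redline's implementation: it counts in how many processes each DLL path appears and lists the rarest first, with the process list constructed for illustration.

```python
from collections import Counter, defaultdict

def occurrence_counts(processes):
    """Count in how many processes each DLL path is loaded (case-insensitive),
    the same idea as Redline's Occurrences column."""
    counts = Counter()
    for proc in processes:
        # One process loading the same DLL twice still counts once.
        counts.update({d.lower() for d in proc["dlls"]})
    return counts

def least_frequent(processes, threshold=1):
    """Return (dll, occurrences, [pids]) for DLLs present in at most `threshold`
    processes, rarest first. Rare is not de facto malicious; it is where to look first."""
    counts = occurrence_counts(processes)
    where = defaultdict(list)
    for proc in processes:
        for dll in {d.lower() for d in proc["dlls"]}:
            where[dll].append(proc["pid"])
    rare = [(dll, n, sorted(where[dll])) for dll, n in counts.items() if n <= threshold]
    return sorted(rare, key=lambda item: (item[1], item[0]))

# Constructed sample (not from a real image): the system DLLs appear in every
# process, wininet.dll in two, and one DLL under a user profile in a single process.
SAMPLE = [
    {"pid": 600, "dlls": [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll"]},
    {"pid": 800, "dlls": [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll"]},
    {"pid": 900, "dlls": [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll",
                          r"C:\Windows\System32\wininet.dll"]},
    {"pid": 1337, "dlls": [r"C:\Windows\System32\NTDLL.DLL", r"C:\Windows\System32\kernel32.dll",
                           r"C:\Windows\System32\wininet.dll", r"C:\Users\bob\AppData\Roaming\upd.dll"]},
]
```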
-
Least Frequency of Occurrence
-
Network Artifacts
-
Step 3: Network Artifacts
Suspicious Ports
- Communication via abnormal ports?
- Indications of listening ports / backdoors?
Suspicious Connections
- External connections
- Connections to known bad IPs
- TCP / UDP connections
- Socket creation times
Suspicious Processes
- Why does this process have network capability (open sockets)?
-
TDL3/TDSS
-
Finding Beacons: Zeus
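The socket creation times from Step 3 are what make a beacon like the Zeus example stand out: repeated connections from one process to one remote endpoint at a near-constant interval. The following is an added example for this transcript, not a Volatility or Redline feature; the connection records are constructed, the addresses are documentation ranges, and the minimum sample count and jitter threshold are assumptions to tune per case.

```python
from collections import defaultdict
from statistics import mean, pstdev

def find_beacons(connections, min_count=4, max_jitter=0.15):
    """Group connection records by (pid, process, remote endpoint) and flag groups
    whose socket creation intervals are nearly constant: coefficient of variation
    (stdev / mean of the gaps) at or below max_jitter. Thresholds are assumptions."""
    groups = defaultdict(list)
    for conn in connections:
        groups[(conn["pid"], conn["process"], conn["remote"])].append(conn["created"])
    beacons = []
    for (pid, process, remote), times in groups.items():
        if len(times) < min_count:
            continue                      # too few samples to call it periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append({"pid": pid, "process": process, "remote": remote,
                            "count": len(times), "interval_s": avg})
    return beacons

# Constructed connection records (not from a real image). 'created' is the
# socket creation time in seconds since epoch; addresses are documentation ranges.
SAMPLE = [
    {"pid": 1337, "process": "svchost.exe", "remote": "203.0.113.7:8080", "created": 1700000000},
    {"pid": 1337, "process": "svchost.exe", "remote": "203.0.113.7:8080", "created": 1700000060},
    {"pid": 1337, "process": "svchost.exe", "remote": "203.0.113.7:8080", "created": 1700000121},
    {"pid": 1337, "process": "svchost.exe", "remote": "203.0.113.7:8080", "created": 1700000180},
    {"pid": 1337, "process": "svchost.exe", "remote": "203.0.113.7:8080", "created": 1700000241},
    {"pid": 2200, "process": "iexplore.exe", "remote": "198.51.100.9:443", "created": 1700000005},
    {"pid": 2200, "process": "iexplore.exe", "remote": "198.51.100.9:443", "created": 1700000010},
    {"pid": 2200, "process": "iexplore.exe", "remote": "198.51.100.9:443", "created": 1700000052},
    {"pid": 2200, "process": "iexplore.exe", "remote": "198.51.100.9:443", "created": 1700000305},
]
```

The browser's irregular bursts are not flagged; the svchost.exe instance calling out roughly every 60 seconds is, and it also fails the "why does this process have network capability" question.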
-
Code Injection
-
Step 4: Detecting Injection
- DLL injection is very common with modern malware
  - VirtualAllocEx( ) & CreateRemoteThread( )
  - SetWindowsHookEx( ), etc.
- Process hollowing is another form
  - Malware starts a new instance of a legitimate process
  - Original process code de-allocated and replaced
  - Retains DLLs, handles, data, etc. from original process
- Code injection is relatively easy to detect
  - Review memory sections marked as executable and having no memory-mapped file present
  - Scan for DLLs (PE files) and shellcode
  - Process image base not backed with file on disk
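The three detection rules above (executable section with no mapped file, PE header or shellcode inside it, image base not file-backed) are what a malfind-style pass does per process. This is an added example for this transcript, not the Volatility plugin's code: it walks a constructed VAD list using the real Win32 page-protection values and applies each rule, including the hollowing check on the PEB image base.

```python
# Windows page-protection constants that allow execution (values from the Win32 API).
EXECUTABLE = {0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

def suspicious_regions(proc):
    """malfind-style triage over one process (constructed dict with a VAD list).
    Flags executable regions with no memory-mapped file, labels them by whether
    they begin with a PE header, and checks the PEB image base for hollowing."""
    # Hollowing check: the VAD containing the PEB image base should be backed by
    # the executable on disk. No backing file means the original image was replaced.
    base = next((v for v in proc["vads"] if v["start"] <= proc["image_base"] < v["end"]), None)
    hits = []
    if base is None or base["file"] is None:
        hits.append({"start": proc["image_base"], "protect": None if base is None else EXECUTABLE.get(base["protect"]),
                     "kind": "image base not file-backed (process hollowing?)"})
    for vad in proc["vads"]:
        if vad is base:
            continue                      # already judged above
        if vad["protect"] in EXECUTABLE and vad["file"] is None:
            # Private executable memory: an injected DLL starts with 'MZ', raw
            # shellcode usually does not. JIT engines also allocate such pages; verify.
            kind = "injected PE" if vad["data"].startswith(b"MZ") else "shellcode or unknown"
            hits.append({"start": vad["start"], "protect": EXECUTABLE[vad["protect"]], "kind": kind})
    return hits

# Constructed samples, not from a real image. 'data' is the first bytes of the region.
CLEAN = {"pid": 600, "image_base": 0x400000, "vads": [
    {"start": 0x400000, "end": 0x410000, "protect": 0x80, "file": r"\Windows\System32\lsass.exe", "data": b"MZ\x90\x00"},
    {"start": 0x7ff00000, "end": 0x7ff10000, "protect": 0x04, "file": None, "data": b"\x00\x00\x00\x00"},
]}
INJECTED = {"pid": 800, "image_base": 0x400000, "vads": [
    {"start": 0x400000, "end": 0x410000, "protect": 0x80, "file": r"\Windows\System32\svchost.exe", "data": b"MZ\x90\x00"},
    {"start": 0xa90000, "end": 0xa95000, "protect": 0x40, "file": None, "data": b"MZ\x90\x00"},
    {"start": 0xb00000, "end": 0xb01000, "protect": 0x40, "file": None, "data": b"\x90\x90\x90\xe8"},
]}
HOLLOWED = {"pid": 1337, "image_base": 0x400000, "vads": [
    {"start": 0x400000, "end": 0x410000, "protect": 0x40, "file": None, "data": b"MZ\x90\x00"},
]}
```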
-
Detecting Code Injection: Stuxnet Process Hollowing (1)
-
Detecting Code Injection: Stuxnet Process Hollowing (2)
Process Hollowing!
-
Introducing: Volatility
Python-based memory analysis framework: http://code.google.com/p/volatility/
- Tremendous versatility via plug-in architecture
- Opens the door for very advanced analysis
- Supports x86 & x64 versions of: WinXP | Win2003 | Vista | Win2008R2 | Win7 | Linux | Mac OSX and more!
- Pre-installed on SANS SIFT Workstation: http://computer-forensics.sans.org/community/downloads
-
Volatility Malfind (Stuxnet)
vol.py -f stuxnet.img malfind --dump-dir output_dir
-
Putting it All Together
1. Identify rogue processes: name, path, parent, command line, start time, SID, MRI score
2. Analyze process DLLs and handles: digital signatures and Least Frequency of Occurrence helpful
3. Review network artifacts: suspicious ports, connections, and processes
4. Look for evidence of code injection: injected memory sections and process hollowing
5. Check for signs of a rootkit: SSDT, IDT, IRP, and inline hooks
6. Dump suspicious processes and drivers: review strings, sandbox, reverse-engineer
-
Intelligence Sharing
-
Indicator of Compromise (Courtesy of Mandiant)
Terms, combined in the IOC tree with Or / And operators:
- File MD5 checksum is 88195c3b0b349c4edbe2aa725d3cf6ff
- File name is ripsvc32.dll
- File path contains \system32\mtxes.dll
- File PE header compile time is 2008-04-04T18:14:25
- Registry key text contains ripsvc32.dll
- Registry path contains \SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDLL
- Service DLL is ripsvc32.dll
- Process has a handle named RipSvc32.dll
- File path contains \system32\msasn.dll
- File path contains \system32\msxml15.dll
- File size is between 500000 and 900000
- File name is SPBBCSvc.exe
- File name is hinv32.exe
- File name is vprosvc.exe
- File name is wuser32.exe
- Service name is IPRip
- Service DLL is not iprip.dll
Operators shown in the diagram: Or, And, Or, And, And
-
IOC Editor
- IOC Editor (free)
- Allows users to create, edit and compare Indicators of Compromise in XML format
- http://www.mandiant.com/resources/download/ioc-editor/
-
Automating IOC Analysis
- IOCs allow a wide range of alert triggers to be set for known malware
  - Processes, hooks, drivers, handles, strings
- IOCs can be used with any live / dead memory analysis in Redline
  - Scan for a single IOC or hundreds
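What makes the Mandiant-style indicator shown earlier useful for automated scanning is that its terms sit under And / Or operators, so "Service name is IPRip" and "Service DLL is not iprip.dll" can describe the same service object. The evaluator below is an added example for this transcript, not IOC Editor's XML format or Redline's matcher: it uses a subset of the slide's terms, the nesting is assumed for illustration (the slide does not show which terms belong together), and the host evidence is constructed.

```python
def object_matches(conditions, obj):
    """Every (field, op, value) condition must hold on the same artifact object,
    so 'Service name is IPRip' and 'Service DLL is not iprip.dll' describe one service."""
    for field, op, value in conditions:
        seen = obj.get(field)
        if seen is None:
            return False
        if op == "is":
            ok = str(seen).lower() == str(value).lower()
        elif op == "is not":
            ok = str(seen).lower() != str(value).lower()
        elif op == "contains":
            ok = str(value).lower() in str(seen).lower()
        elif op == "between":
            ok = value[0] <= seen <= value[1]
        else:
            raise ValueError(f"unknown operator {op!r}")
        if not ok:
            return False
    return True

def evaluate(node, evidence):
    """Recursively evaluate an And/Or tree. A node is either ('and'|'or', [children])
    or an artifact term (artifact_type, [conditions]) matched against evidence[artifact_type]."""
    kind, body = node
    if kind in ("and", "or"):
        results = [evaluate(child, evidence) for child in body]
        return all(results) if kind == "and" else any(results)
    return any(object_matches(body, obj) for obj in evidence.get(kind, []))

# Subset of the slide's indicator terms. The And/Or nesting is an ASSUMPTION
# for illustration; the slide does not show which terms sit together.
INDICATOR = ("or", [
    ("file", [("md5", "is", "88195c3b0b349c4edbe2aa725d3cf6ff")]),
    ("and", [
        ("file", [("name", "is", "ripsvc32.dll"), ("size", "between", (500000, 900000))]),
        ("registry", [("path", "contains", r"\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDLL"),
                      ("text", "contains", "ripsvc32.dll")]),
    ]),
    ("service", [("name", "is", "IPRip"), ("dll", "is not", "iprip.dll")]),
])

# Constructed host evidence (not real collection output).
CLEAN = {"file": [{"name": "iprip.dll", "size": 24576, "md5": "0" * 32}],
         "service": [{"name": "IPRip", "dll": "iprip.dll"}],
         "registry": [{"path": r"HKLM\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDLL", "text": "iprip.dll"}]}
INFECTED = {"file": [{"name": "ripsvc32.dll", "size": 612000, "md5": "ffff" * 8}],
            "service": [{"name": "IPRip", "dll": "ripsvc32.dll"}],
            "registry": [{"path": r"HKLM\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDLL", "text": "ripsvc32.dll"}]}
```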
-
Redline IOC Analysis (Zeus)
Zeus Indicator of Compromise (IOC Editor)
Redline IOC Report
-
6 Step IR Process and Forensics
1. Preparation
2. Identification and Scoping
3. Containment / Intelligence Gathering
4. Eradication / Remediation
5. Recovery
6. Follow Up / Lessons Learned
No Identification = No Containment
Forensic disciplines supporting the process: Memory Forensics & Triage, Deep Dive Forensics, Network Forensics, Malware Analysis, Intrusion Analysis
-
Links
- Getting started with Redline
  - https://www.mandiant.com/resources/download/redline
  - http://holisticinfosec.org/toolsmith/docs/february2009.html
  - http://forensicmethods.com/windows-8-server-2012-memory-forensics
- Volatility references and sample memory images
  - http://code.google.com/p/volatility/w/list
- Detailed Analysis using Volatility
  - http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html
  - http://malwarereversing.wordpress.com/2011/09/23/zeus-analysis-in-volatility-2-0/
  - http://computer-forensics.sans.org/blog/2013/07/08/getting-started-linux-memory-forensics