Open Source Malware Hunting Lab

Transcript

1. Open Source Malware Hunting Lab Daisuke Arai

2. Who am I? NAME: DAISUKE ARAI Job: Security Engineer/Weekend Researcher

   X Account: @momomopas Recent joy: Obtaining the Certified CyberDefender certification.

3. Intro ・The reason I wanted to create this LAB is

   that I suddenly thought I would like to analyze it like THE DFIR Report.

4. This Time's Goal Create an environment that allows for analysis

   similar to THE DFIR Report.

5. How are they analyzing? • Analysis tools such as Defender

   for Endpoint and Splunk are being used, as can be inferred from the report. • The fact that they are conducting lateral movement analysis suggests that the environment is close to that of an enterprise.

6. Open Source Malware Hunting Lab CAPEv2 Sandbox Fog Security Onion

   Velociraptor Elastic Defend

7. Points for Consideration • Consideration of Analysis Environment ◦ Virtual

   Environment vs. Physical Environment ◦ Virtual Environment ◦ Physical Environment • Consideration of Detection Environment ◦ SIEM, EDR, Sandbox

8. Consideration of the Analysis Environment

9. Virtual vs. Physical

10. Virtual vs. Physical merit demerit Virtual Environment ・Conservation of Resources

    ・Snapshot and Restore ・Isolation ・Virtual Environment Detection ・Performance Overhead Physical Environment ・Realistic Operating Environment ・Avoidance of Virtual Environment Detection ・Cost ・Difficulties in Environment Setup and Restoration

11. Virtual Environment

12. Which product should you use: Virtual Environment Edition • Install

    Windows on each virtual software, use tools designed to detect virtual environments and malware analysis environments to compare the detection results of each tool, and verify which virtual software is most suitable. • This time, Pafish and al-khaser will be used.

13. Verification environment ▪VM Detection Tools • Pafish：Version 0.6 • al-khaser：Version

    0.81 ▪VM Spec • CPU：4vCPU • Memory：8192MG • DISK：128GB ▪OS • Windows10 Enterprise Evalution • Version：22H2 • Build ：19045.2006 ▪Software • VMware、VirtualBox、KVM/Qemu

14. Number of Detections by Pafish VMware VirtualBox KVM/Qemu Detection Results

    10 18 9

15. Number of Detections by al-khaser VMware VirtualBox KVM/Qemu Detection Results

    31 45 27

16. Summary VMware VirtualBox KVM/Qemu Pafish 10 18 9 al-khaser 31

    45 27

17. Conclusion • Based on the detection results, KVM/QEMU is the

    best option when using a virtual environment. • If using VMware or VirtualBox, the detection of the virtual environment must be taken into account. ＞ ＞

18. Cho-Physical

19. Which product should you use: Physical Environment Edition • While

    the difficulty of restoration has been mentioned as a disadvantage of the physical environment, there are tools available that solve this drawback. Fog Project Clonezilla

20. Which product should you use: Physical Environment Edition merit demerit

    Fog Project ・Efficient Deployment ・Remote Management ・Open Source Software (OSS) ・Complexity of Setup Clonezilla ・Number of Supported File Systems ・Open Source Software (OSS) ・Booting from Bootable Media ・User Interface

21. Physical Fog Project Clonezilla ◦ OSS ▲ ☓ OSS ▲

    Sandbox Licensing Setup

22. Conclusion • FOG, which allows for cloning HDDs and deploying

    HDDs from a WebUI, is optimal.

23. FOG Project It operates on a Linux-based server and uses

    PXE (Preboot eXecution Environment) to allow client machines to boot over the network and perform tasks such as image deployment and other tasks.

24. Consideration of the Detection Environment

25. SIEM Tools Description Splunk It is a big data analytics

    tool that can collect, index, search, analyze, and visualize machine data in real time. Elastic Stack It consists of Elasticsearch, Logstash, and Kibana, and is an integrated platform for searching, analyzing, and visualizing data. Qradar It is IBM's security information and event management (SIEM) solution that assists with threat detection and incident response.

26. SIEM Tools Description Alienvault ossim It is an open-source security

    information and event management (SIEM) tool that provides threat detection and compliance management. Security Onion A free, open-source platform that provides network security monitoring and logging, supporting threat hunting and incident response. Graylog An open-source log management solution that aggregates, searches, and analyzes logging data to support threat detection and analysis. Opensearch A free and open-source distributed search engine that enables data searching and analysis, forked from Elasticsearch.

27. Consideration of SIEM Splunk Elastic Stack Qradar Alienvault ossim SecurityOnion

    Graylog Opensearch ◦ Commercial / Free ◦ ◦ ◦ Commercial / Free ◦ ◦ ◦ Commercial / Free ◦ ◦ ▲ Free ▲ ▲ ◦ OSS ◦ ◦ ▲ Free ▲ ▲ ▲ OSS ▲ ▲ Coverage of Data Sources Licensing Setup Analytical Capabilities

28. EDR Tools Description Elastic Defend It provides an integrated security

    solution to enhance endpoint security and threat hunting as part of the Elastic Stack. OpenEDR An open-source Endpoint Detection and Response (EDR) platform that offers capabilities for collecting, analyzing, and responding to threats on endpoints. Wazuh An open-source platform that provides Security Information and Event Management (SIEM), threat detection, and endpoint security, offering an integrated solution for monitoring and analysis.

29. Consideration of EDR Elastic Defend OpenEDR Wazuh ◦ Commercial /

    Free ◦ ◦ ▲ OSS ☓ ▲ ▲ OSS ◦ ◦ Coverage of Data Sources Licensing Setup Analytical Capabilities

30. SandBox Tools Description Cuckoo Sandbox It is an automated malware

    analysis system capable of analyzing malicious files for Windows, macOS, Linux, and Android. It monitors malware behavior, records malware activity, and reports in a secure environment. CAPEv2 Sandbox Derived from Cuckoo, it is designed to automate the process of malware analysis. It extracts payloads and configurations from malware, detects malware based on payload signatures, and automates the objectives of malware reverse engineering and threat intelligence. DRAKVUF Sandbox An automated black-box malware analysis system utilizing the DRAKVUF engine. It does not require an agent on the guest OS and provides a user-friendly web interface for uploading and analyzing suspicious files. It allows for easy setup and customization and is suitable for experienced users.

31. Consideration of Sandbox Cuckoo Sandbox CAPEv2 Sandbox DRAKVUF Sandbox ▲

    OSS ▲ ◦ ◦ OSS ◦ ◦ ◦ OSS ▲ ◦ Frequency of Development Licensing Setup Analytical Capabilities

32. Forensics Tools Tools Description Velociraptor It is an open-source tool

    for exploring endpoints and collecting artifacts, assisting with tasks in digital forensics and incident response. KAPE (Kroll Artifact Parser and Extractor) A forensic tool aimed at accelerating the collection and analysis of digital artifacts. It is command-line based and extracts and analyzes data from target directories or registries. GRR (Google Rapid Response) An open-source framework for conducting remote forensic operations on live endpoints, supporting data collection and analysis on endpoints, and assisting with incident response.

33. Consideration of Forensics Tools Velociraptor KAPE GRR ◦ OSS ◦

    ◦ ◦ Commercial / Free ◦ ◦ ◦ OSS ▲ ◦ Coverage Licensing Setup Can it be acquired remotely

34. Conclusion • Detection Environment ◦ Security Onion + Elastic Defend

    ◦ Velociraptor ◦ CAPEv2 Sandbox

35. SecurityOnion Security Onion is an open-source Linux distribution for network

    security and incident response. This platform aims to combine a variety of security tools to provide a comprehensive solution. Security Onion is used for network monitoring and log management, as well as for analysis and response when security incidents occur.

36. SecurityOnion Network Endpoint Data Sources Tools Analysis

37. Velociraptor Velociraptor is an advanced open-source tool for digital forensics

    and incident response (DFIR). This tool is designed for rapid investigations and data collection across a network. Velociraptor is capable of extracting detailed information from endpoints using a complex query language.

38. Velociraptor Collect Data System

39. CAPEv2 Sandbox CAPE is an open-source automated malware analysis system.　It’s

    used to automatically run and analyze files and collect comprehensive analysis results that outline what the malware does while running inside an isolated Windows operating system.

40. CAPEv2 Sandbox • Traces of win32 API calls that were

    performed by all processes spawned by the malware. • Files that were created, deleted, and downloaded by the malware during its execution. • Memory dumps of the malware processes. • Network traffic trace in PCAP format. • Screenshots of Windows desktop taken during the execution of the malware. • Full memory dumps of the machines.

41. Network Configuration

42. Reference：Money Laptop1：Lenovo ThinkPad E480(About 70,000-80,000 yen at that time) Laptop2：Lenovo

    ThinkPad x240(Used 20,000~30,000) Mini PC：From an unfamiliar manufacturer(27,980 yen) Switche：TP-Link SG108E(3,544 yen)

43. Flow of Analysis

44. Flow of Analysis No. Action Description 1 Submit Sample Submit

    the sample to CAPE. Make sure to set a timeout. 2 Wait Wait 3 Collection Before timing out, acquire forensic artifacts with Velociraptor. 4 Restoration Once the timeout period is reached, FOG will execute automatically. 5 Analysis Analyze with Security Onion and Velociraptor.
45. None
46. None
47. None
48. None
49. None
50. None
51. None
52. None
53. None
54. None

55. Summary • It is possible to analyze malware even in

    a physical environment. • By utilizing OSS tools, an environment can be created that allows for analysis similar to THE DFIR Report. • In the future, additions such as AD environments and honey files will be made.

56. Thank you.