Mo' Memory No' Problem

Copyright © 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL
May 17, 2014 Glenn P. Edwards Jr. Senior IR Consultant BsidesNola ‘14 Mo’ Memory No’ Problem Ian Ahl Senior IR Consultant

$ whoami $ more Glenn – @hiddenillusion – hiddenillusion.blogspot.com 2014 $ more Ian – 1aN0rmus – I’m around… • @TekDefense • TekDefense.com

Agenda • Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through 2014

2014 Why aren’t others utilizing it? • Harder on large scale engagements, especially geographically dispersed networks • Not applicable to engagement • No tool/process • Limited knowledge in this area • Privacy concerns • No easy button

2014 Why do we use it? One artifact to rule them all! – Network – Processes – Registry – Event Logs – Files – Timelines – Information not stored on disk – Harder to hide …bang for buck

2014 So what do we do? • Treat it like having a live system in front of you • Answer questions that otherwise couldn’t be answered without memory • Targeted approach (pivot vs. automated) • Looking for anomalies • Timelining • Ability to answer specific questions based solely on this one artifact • Feed that intelligence gained back into the cycle

2014 What kind of questions? – Infection Vector – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs

2014 <Primer /> Plugin/Tool Explanation connections Displays TCP connections that were active at the time of the memory acquisition. connscan Pool scans for _TCPT_OBJECT structures to find both active and terminated connections. sockets Displays sockets that were active at the time of the memory acquisition. sockscan Pool scans for _ADDRESS_OBJECT structures to find both active and terminated sockets. netscan Pool scans for TcpE, TcpL and UdpA structures (Vista+) to find both active and terminated connections/sockets. pslist Walks the doubly-linked list pointed to by PsActiveProcessHead and displays processes that were active at the time of the memory acquisition. psscan Pool scans for _EPROCESS structures to find both active and terminated processes. psxview Displays a cross-view table indicating whether or not a particular process was found in a certain table/list/pool scan.

2014 What do those names mean? With regards to Volatility plugins, a general rule is any *scan plugin: • Might find terminated data (e.g. network connections) in addition to data that was active during the acquisition • Relies on pool tag scanning instead of walking lists so may find something hidden/unlinked

2014 ...but how? – Infection Vector (propagation too) – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs Sequence of events? mftparser, shimcache, timeliner, usn_parser Attack script used? yarascan, mftparser, vaddump/memdump, strings, bulk_extractor Any C2? connections, connscan, netscan, sockets, sockscan Who/Where? evtlogs, filescan/dumpfiles/EVTXtract, getsids, pslist, psscan, psxview

2014 <Primer /> Plugin/Tool Explanation consoles Searches the memory of csrss.exe/conhost.exe for the CONSOLE_INFORMATION structure and displays the entire screen buffer (Input & Output). cmdscan Searches the memory of csrss.exe/conhost.exe for the COMMAND_HISTORY structure but only displays the Input contents. It can also find commands from both active and closed consoles.

2014 ...man, they tunnel fast... – Infection Vector – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs What’d they type? consoles, cmdscan Any C2? connections, connscan, netscan, sockets, sockscan Tasks used? Logins/Accounts compromised? evtlogs, filescan/dumpfiles/EVTXtract Any shares accessed? handles, symlinkscan

2014 ...do we need to call the lawyers? – Infection Vector – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs Data transferred? consoles, cmdscan, ethscan, connections, connscan, netscan, sockets, sockscan Files executed? mftparser, evtlogs/filescan/dumpfiles/EVTXtract, ShimCache, UserAssist, printkey

2014 ...do we need to make a public disclosure? – Infection Vector – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs Where is it? yarascan, mftparser, filescan, handles What was accessed? iehistory, notepad, clipboard How is it stored? yarascan, strings, procdump, dlldump Can I recover it? filescan/dumpfiles

2014 ...how is it still generating alerts? – Infection Vector – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs Where is it? printkey/hivedump, mftparser, mbrparser, svcscan, hashdump

2014 ...what can we sweep our environment for? – Propagation – Infection Vector – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs • Registry keys • File names/locations • C2 IPs/domains • Malware’s commands/capabilities/uniqueness (exports etc.) • Persistence mechanism(s) • Mutexes

2014 • The system is a critical server • There’s no way you can get everything you need by solely analyzing a memory dump • It takes too long to acquire memory • Over the network acquisitions are difficult …haters gon’ hate

2014 Memory can be manipulated with tools like ADD. – Yes, but it is very apparent when these types of tools are used. – Multiple ways to view similar data to find inconsistencies – e.g. - pslist vs. psscan – @JACKCR: http://blog.handlerdiaries.com/?p=363 Keep hat1n

2014 • VM’s • Corrupt dumps? • Possibly missing data from artifacts (paged?) • That thing called Unicode (U+1F4A9) • The person creating the dump • Your toolkit hm, that's odd… what went wrong?

2014 • DarkComet • PIVY • XtremeRAT • Find the Malz • Unknown variants • POS scrapers • “Advanced Attackers” …we’ve been through some stuff

2014 Scenario: Customer said their host had ‘malware’ so uploaded a memory dump and some triage. Goal was to confirm infection and look for evidence of “Advanced” activity. Steps: 1. Reviewed processes 2. Dumped suspicious processes and stringed through them 3. Found DC config 4. Viewed open file handles and found keylogs 5. Reviewed keylogs to find what data was captured 6. Timeline to figure out date of infection and potential vectors 7. Watering hole attack 8. No further attacker activity DarkComet

2014 DarkComet

2014 Scenario: Customer had a ‘Backdoor.APT.Xtremerat’ alert trigger on their appliance so they uploaded a memory dump and some triage data of the responsible host for analysis. Steps: 1. Searched for C2 that was provided from the alert 2. Dumped the process found associated with the C2 3. Found a suspicious mutex 4. Suspicious filenames in $MFT found 5. Dumped suspicious files (that we could) 6. Dynamic analysis of files confirmed suspicions & provided other IOCs 7. Visually determined one to be XOR’ed, decrypting resulted in keylogged data & were able to use that knowledge to decrypt logfiles on other endpoints. XtremeRAT

2014 Scenario: User sees traffic going to the “wrong IP” when attempting to go to an internal resource and thinks malware is redirecting traffic. Sent a memory dump for analysis. Steps: 1. Spent hours looking for signs of malware via the normal methods 2. Found no malware 3. What else could have caused such a thing 4. Let’s check the hosts file … 5. Wait where is that in memory? 6. For this host, sitting in LSASS.exe 7. Stringed it out, admin found a host entry redirecting the traffic 8. Not malicious … Admin did it for “testing”. Find the Malz

2014 Hosts file here I come $ python vol.py yarascan -Y “rhino.acme.com” *Thank you @JACKCR for the recommendation!

2014 • Automate2.0.sh • YARA rules • dllfind • filepath • autoruns • …in the queue Plugins / scripting

2014 Yara DarkComet Config Artifact from Yarascan!

2014 Yara

2014 Custom Plugins FTW • filepath • dllfind • autoruns

2014 Triage with Splunk

2014 Process Frequency

2014 Parsed Proccesses

2014 Mutex Frequency

2014 We hacked the Gibson, find us.

2014 Finding C2 Traffic connections

2014 Finding C2 Traffic – How else? iehistory shellbags

2014 Mapping Network Connections to Processes Spot the questionable activity psscan

2014 Any Event Log Details? evtlogs Ruh Roh

2014 Any Code Injection? malfind

2014 What’s the $MFT say about this? mftparser

2014 Can I dump any of these files? filescan

2014 How else can we possibly grab the data? yarascan

2014 Dump it like it’s hot… vaddump/memdump Hm… password dumping?

2014 Any persistence? hashdump • No registry persistence • No search order hijacking • No BHO’s • No trojanized/replaced binaries • No services created • New account added (recall previous slide)

2014 Attackers Script • Exploit – exploit/windows/browser/ms10_046_shortcut_icon_dllloader • Escalate – getsystem -1 • Pillage – hashdump • Persist – post/windows/manage/enable_rdp – execute -f cmd.exe -i -H – net user Tony /add – run persistence -A -S -i 3600 – execute -f cmd.exe -i -H – sc start <service name> – migrate <LSASS PID> • Clear up – clearev – timestomp c:\\ -r

$ ./preso -h To ask a question, raise your hand as such: 2014

Mo' Memory No' Problem

Mo' Memory No' Problem

More Decks by hiddenillusion

Featured

Transcript