Mo' Memory No' Problem

hiddenillusion
May 17, 2014

BsidesNOLA '14

Transcript

  1. Copyright © 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL

    Mo’ Memory No’ Problem
    BsidesNola ‘14, May 17, 2014
    Glenn P. Edwards Jr., Senior IR Consultant
    Ian Ahl, Senior IR Consultant
  2. $ whoami

    $ more Glenn
    – @hiddenillusion
    – hiddenillusion.blogspot.com
    $ more Ian
    – 1aN0rmus
    – I’m around…
      • @TekDefense
      • TekDefense.com
  3. Agenda

    • Why/How we use it
    • Haters
    • Issues/Limitations/Odd use cases
    • War stories
    • Ninja foo
    • Splunking
    • Triage walk through
  4. Agenda • Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through
  5. Why aren’t others utilizing it?

    • Harder on large scale engagements, especially geographically dispersed networks
    • Not applicable to engagement
    • No tool/process
    • Limited knowledge in this area
    • Privacy concerns
    • No easy button
  6. Why do we use it? One artifact to rule them all!

    – Network
    – Processes
    – Registry
    – Event Logs
    – Files
    – Timelines
    – Information not stored on disk
    – Harder to hide
    …bang for buck
  7. So what do we do?

    • Treat it like having a live system in front of you
    • Answer questions that otherwise couldn’t be answered without memory
    • Targeted approach (pivot vs. automated)
    • Looking for anomalies
    • Timelining
    • Ability to answer specific questions based solely on this one artifact
    • Feed that intelligence gained back into the cycle
  8. What kind of questions?

    – Infection Vector
    – Lateral Movement
    – Data Exfiltration
    – Keylogging Data
    – Persistence Mechanism
    – IOCs
  9. <Primer />

    Plugin/Tool – Explanation
    connections – Displays TCP connections that were active at the time of the memory acquisition.
    connscan – Pool scans for _TCPT_OBJECT structures to find both active and terminated connections.
    sockets – Displays sockets that were active at the time of the memory acquisition.
    sockscan – Pool scans for _ADDRESS_OBJECT structures to find both active and terminated sockets.
    netscan – Pool scans for TcpE, TcpL and UdpA structures (Vista+) to find both active and terminated connections/sockets.
    pslist – Walks the doubly-linked list pointed to by PsActiveProcessHead and displays processes that were active at the time of the memory acquisition.
    psscan – Pool scans for _EPROCESS structures to find both active and terminated processes.
    psxview – Displays a cross-view table indicating whether or not a particular process was found in a certain table/list/pool scan.
  10. What do those names mean?

    With regards to Volatility plugins, a general rule is any *scan plugin:
    • Might find terminated data (e.g. network connections) in addition to data that was active during the acquisition
    • Relies on pool tag scanning instead of walking lists, so may find something hidden/unlinked
  11. ...but how?

    Infection Vector (propagation too) – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs
    Sequence of events? mftparser, shimcache, timeliner, usn_parser
    Attack script used? yarascan, mftparser, vaddump/memdump, strings, bulk_extractor
    Any C2? connections, connscan, netscan, sockets, sockscan
    Who/Where? evtlogs, filescan/dumpfiles/EVTXtract, getsids, pslist, psscan, psxview
  12. <Primer />

    Plugin/Tool – Explanation
    consoles – Searches the memory of csrss.exe/conhost.exe for the CONSOLE_INFORMATION structure and displays the entire screen buffer (Input & Output).
    cmdscan – Searches the memory of csrss.exe/conhost.exe for the COMMAND_HISTORY structure but only displays the Input contents. It can also find commands from both active and closed consoles.
  13. ...man, they tunnel fast...

    Infection Vector – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs
    What’d they type? consoles, cmdscan
    Any C2? connections, connscan, netscan, sockets, sockscan
    Tasks used? Logins/Accounts compromised? evtlogs, filescan/dumpfiles/EVTXtract
    Any shares accessed? handles, symlinkscan
  14. ...do we need to call the lawyers?

    Infection Vector – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs
    Data transferred? consoles, cmdscan, ethscan, connections, connscan, netscan, sockets, sockscan
    Files executed? mftparser, evtlogs/filescan/dumpfiles/EVTXtract, ShimCache, UserAssist, printkey
  15. ...do we need to make a public disclosure?

    Infection Vector – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs
    Where is it? yarascan, mftparser, filescan, handles
    What was accessed? iehistory, notepad, clipboard
    How is it stored? yarascan, strings, procdump, dlldump
    Can I recover it? filescan/dumpfiles
  16. ...how is it still generating alerts?

    Infection Vector – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs
    Where is it? printkey/hivedump, mftparser, mbrparser, svcscan, hashdump
  17. ...what can we sweep our environment for?

    Propagation – Infection Vector – Lateral Movement – Data Exfiltration – Keylogging Data – Persistence Mechanism – IOCs
    • Registry keys
    • File names/locations
    • C2 IPs/domains
    • Malware’s commands/capabilities/uniqueness (exports etc.)
    • Persistence mechanism(s)
    • Mutexes
  18. Agenda • Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through
  19. …haters gon’ hate

    • The system is a critical server
    • There’s no way you can get everything you need by solely analyzing a memory dump
    • It takes too long to acquire memory
    • Over the network acquisitions are difficult
  20. Keep hatin’

    Memory can be manipulated with tools like ADD.
    – Yes, but it is very apparent when these types of tools are used.
    – Multiple ways to view similar data to find inconsistencies
    – e.g. pslist vs. psscan
    – @JACKCR: http://blog.handlerdiaries.com/?p=363
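The pslist-vs-psscan inconsistency check from this slide and the *scan rule of thumb from slide 10, as an added Python example that is not from the talk or from Volatility: it parses Volatility 2.x-style pslist and psscan text output (the rows, PIDs and timestamps below are a constructed sample) and classifies each PID the way psxview's columns are read.

```python
# Added example (not from the talk or from Volatility): psxview-style cross-view of
# pslist (list walk) against psscan (pool scan). The plugin output below is a
# constructed sample in Volatility 2.x text layout; real output is read the same way.
import re

PSLIST_OUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0x822f1020 smss.exe                368      4      3       19 ------      0 2014-05-01 10:08:53 UTC+0000
0x81e5d1e8 explorer.exe           1724   1680     17      415      0      0 2014-05-01 10:09:03 UTC+0000
"""
PSSCAN_OUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
0x00000000020a3da0 smss.exe            368      4 0x0a40020c 2014-05-01 10:08:53 UTC+0000
0x0000000002159020 explorer.exe       1724   1680 0x0a400340 2014-05-01 10:09:03 UTC+0000
0x00000000021c1da0 notepad.exe        2244   1724 0x0a4003a0 2014-05-01 10:15:41 UTC+0000   2014-05-01 10:16:02 UTC+0000
0x0000000002201868 svchost.exe        3012    640 0x0a4003c0 2014-05-01 10:20:17 UTC+0000
"""
ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_rows(text):
    """Return {pid: (name, exited)} from a plugin's data rows; header lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            # Two timestamps on one row means the plugin printed an exit time.
            exited = len(TIMESTAMP.findall(line)) == 2
            rows[int(m.group(2))] = (m.group(1), exited)
    return rows


def cross_view(pslist_text, psscan_text):
    """Classify every PID seen by either plugin, the way psxview's columns are read."""
    listed, scanned = parse_rows(pslist_text), parse_rows(psscan_text)
    verdicts = {}
    for pid in sorted(set(listed) | set(scanned)):
        name = (listed.get(pid) or scanned[pid])[0]
        if pid in listed and pid in scanned:
            verdict = "ok"            # both views agree
        elif pid in scanned and scanned[pid][1]:
            verdict = "terminated"    # expected: only pool scanning still sees it
        elif pid in scanned:
            verdict = "HIDDEN?"       # unlinked from the active list, yet no exit time
        else:
            verdict = "LIST-ONLY?"    # linked but no pool tag hit: also worth a look
        verdicts[pid] = (name, verdict)
    return verdicts
```

A real run feeds the captured text of `vol.py pslist` and `vol.py psscan` to `cross_view`; the "terminated" bucket is the normal noise a *scan plugin adds, and only the other two mismatches need a closer look.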
  21. Agenda • Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through
  22. hm, that's odd… what went wrong?

    • VMs
    • Corrupt dumps?
    • Possibly missing data from artifacts (paged?)
    • That thing called Unicode (U+1F4A9)
    • The person creating the dump
    • Your toolkit
  23. Agenda • Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through
  24. …we’ve been through some stuff

    • DarkComet
    • PIVY
    • XtremeRAT
    • Find the Malz
    • Unknown variants
    • POS scrapers
    • “Advanced Attackers”
  25. DarkComet

    Scenario: Customer said their host had ‘malware’ so uploaded a memory dump and some triage. Goal was to confirm infection and look for evidence of “Advanced” activity.
    Steps:
    1. Reviewed processes
    2. Dumped suspicious processes and stringed through them
    3. Found DC config
    4. Viewed open file handles and found keylogs
    5. Reviewed keylogs to find what data was captured
    6. Timeline to figure out date of infection and potential vectors
    7. Watering hole attack
    8. No further attacker activity
  26. DarkComet
  27. XtremeRAT

    Scenario: Customer had a ‘Backdoor.APT.Xtremerat’ alert trigger on their appliance so they uploaded a memory dump and some triage data of the responsible host for analysis.
    Steps:
    1. Searched for C2 that was provided from the alert
    2. Dumped the process found associated with the C2
    3. Found a suspicious mutex
    4. Suspicious filenames in $MFT found
    5. Dumped suspicious files (that we could)
    6. Dynamic analysis of files confirmed suspicions & provided other IOCs
    7. Visually determined one to be XOR’ed; decrypting resulted in keylogged data & we were able to use that knowledge to decrypt logfiles on other endpoints.
  28. Find the Malz

    Scenario: User sees traffic going to the “wrong IP” when attempting to go to an internal resource and thinks malware is redirecting traffic. Sent a memory dump for analysis.
    Steps:
    1. Spent hours looking for signs of malware via the normal methods
    2. Found no malware
    3. What else could have caused such a thing?
    4. Let’s check the hosts file …
    5. Wait, where is that in memory?
    6. For this host, sitting in LSASS.exe
    7. Stringed it out; found a host entry redirecting the traffic
    8. Not malicious … Admin did it for “testing”.
  29. Hosts file here I come

    $ python vol.py yarascan -Y "rhino.acme.com"
    *Thank you @JACKCR for the recommendation!
  30. Agenda • Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through
  31. Plugins / scripting

    • Automate2.0.sh
    • YARA rules
    • dllfind
    • filepath
    • autoruns
    • …in the queue
  32. Yara – DarkComet config artifact from yarascan!
  33. Yara
  34. Custom Plugins FTW

    • filepath
    • dllfind
    • autoruns
  35. Agenda • Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through
  36. Triage with Splunk
  37. Triage with Splunk
  38. Process Frequency
  39. Parsed Processes
  40. Mutex Frequency
  41. Mutex Frequency
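The process and mutex frequency triage the Splunk slides show, as an added Python example that is not from the talk: least-frequency-of-occurrence stacking of plugin output across hosts, generalized to any name-per-host plugin; the host names, process names and mutex names are constructed sample data.

```python
# Added example (not from the talk): stack process names and mutex names across
# hosts and surface the rare ones, the "Process Frequency" / "Mutex Frequency"
# triage done in Splunk on the slides. All rows below are constructed samples.
from collections import defaultdict

# (host, plugin, name) rows as if parsed from each host's pslist and mutantscan
# output before loading into Splunk. "svch0st.exe" and "DC_MUTEX-EXAMPLE" are
# deliberately planted on one host only.
ROWS = [
    ("ws01", "pslist", "explorer.exe"), ("ws01", "pslist", "svchost.exe"),
    ("ws01", "pslist", "lsass.exe"),    ("ws01", "mutantscan", "ShimCacheMutex"),
    ("ws02", "pslist", "Explorer.EXE"), ("ws02", "pslist", "svchost.exe"),
    ("ws02", "pslist", "lsass.exe"),    ("ws02", "mutantscan", "ShimCacheMutex"),
    ("ws03", "pslist", "explorer.exe"), ("ws03", "pslist", "svch0st.exe"),
    ("ws03", "pslist", "lsass.exe"),    ("ws03", "mutantscan", "ShimCacheMutex"),
    ("ws03", "mutantscan", "DC_MUTEX-EXAMPLE"),
]


def stack(rows):
    """Group rows into {plugin: {normalized name: set of hosts it was seen on}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for host, plugin, name in rows:
        # Fold case so Explorer.EXE and explorer.exe count as one name, not two rare ones.
        seen[plugin][name.casefold()].add(host)
    return seen


def rare(rows, plugin, max_hosts=1):
    """Names from one plugin seen on at most max_hosts hosts, rarest first."""
    counts = stack(rows)[plugin]
    hits = [(n, sorted(h)) for n, h in counts.items() if len(h) <= max_hosts]
    return sorted(hits, key=lambda nh: (len(nh[1]), nh[0]))


def frequency_table(rows, plugin):
    """(name, host count) for every name, most common first: the frequency view."""
    counts = stack(rows)[plugin]
    return sorted(((n, len(h)) for n, h in counts.items()), key=lambda nc: (-nc[1], nc[0]))
```

Raising `max_hosts` widens the net on large fleets, where a RAT dropped on a handful of hosts still sits at the bottom of the table.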
  42. Agenda • Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through
  43. We hacked the Gibson, find us.
  44. Finding C2 Traffic – connections
  45. Finding C2 Traffic – How else? iehistory, shellbags
  46. Mapping Network Connections to Processes – Spot the questionable activity – psscan
  47. Any Event Log Details? evtlogs – Ruh Roh
  48. Any Code Injection? malfind
  49. What’s the $MFT say about this? mftparser
  50. Can I dump any of these files? filescan
  51. How else can we possibly grab the data? yarascan
  52. Dump it like it’s hot… vaddump/memdump – Hm… password dumping?
  53. Any persistence? hashdump

    • No registry persistence
    • No search order hijacking
    • No BHO’s
    • No trojanized/replaced binaries
    • No services created
    • New account added (recall previous slide)
  54. Attackers Script

    • Exploit
      – exploit/windows/browser/ms10_046_shortcut_icon_dllloader
    • Escalate
      – getsystem -1
    • Pillage
      – hashdump
    • Persist
      – post/windows/manage/enable_rdp
      – execute -f cmd.exe -i -H
      – net user Tony /add
      – run persistence -A -S -i 3600
      – execute -f cmd.exe -i -H
      – sc start <service name>
      – migrate <LSASS PID>
    • Clear up
      – clearev
      – timestomp c:\\ -r
  55. $ ./preso -h

    To ask a question, raise your hand as such: