Slide 1

Slide 1 text

Copyright © 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL
Mo’ Memory No’ Problem
BsidesNola ‘14, May 17, 2014
Glenn P. Edwards Jr., Senior IR Consultant
Ian Ahl, Senior IR Consultant

Slide 2

Slide 2 text

$ whoami

$ more Glenn
  @hiddenillusion
  hiddenillusion.blogspot.com

$ more Ian
  1aN0rmus
  I’m around…
  @TekDefense
  TekDefense.com

Slide 3

Slide 3 text

Agenda
• Why/How we use it
• Haters
• Issues/Limitations/Odd use cases
• War stories
• Ninja foo
• Splunking
• Triage walk through

Slide 4

Slide 4 text

Agenda (repeated as section divider): Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through

Slide 5

Slide 5 text

Why aren’t others utilizing it?
• Harder on large scale engagements, especially geographically dispersed networks
• Not applicable to engagement
• No tool/process
• Limited knowledge in this area
• Privacy concerns
• No easy button

Slide 6

Slide 6 text

Why do we use it?
One artifact to rule them all!
– Network
– Processes
– Registry
– Event Logs
– Files
– Timelines
– Information not stored on disk
– Harder to hide
…bang for buck

Slide 7

Slide 7 text

So what do we do?
• Treat it like having a live system in front of you
• Answer questions that otherwise couldn’t be answered without memory
• Targeted approach (pivot vs. automated)
• Looking for anomalies
• Timelining
• Ability to answer specific questions based solely on this one artifact
• Feed that intelligence gained back into the cycle

Slide 8

Slide 8 text

What kind of questions?
– Infection Vector
– Lateral Movement
– Data Exfiltration
– Keylogging Data
– Persistence Mechanism
– IOCs

Slide 9

Slide 9 text

Plugin / Tool: Explanation
connections: Displays TCP connections that were active at the time of the memory acquisition (XP/2003 profiles only).
connscan: Pool scans for _TCPT_OBJECT structures to find both active and terminated connections (XP/2003 profiles only).
sockets: Displays sockets that were active at the time of the memory acquisition (XP/2003 profiles only).
sockscan: Pool scans for _ADDRESS_OBJECT structures to find both active and terminated sockets (XP/2003 profiles only).
netscan: Pool scans for TcpE, TcpL and UdpA structures (Vista+) to find both active and terminated connections/sockets.
pslist: Walks the doubly-linked list pointed to by PsActiveProcessHead and displays processes that were active at the time of the memory acquisition.
psscan: Pool scans for _EPROCESS structures to find both active and terminated processes.
psxview: Displays a cross-view table indicating whether or not a particular process was found in a certain table/list/pool scan.

Slide 10

Slide 10 text

What do those names mean?
With regards to Volatility plugins, a general rule is any *scan plugin:
• Might find terminated data (e.g. network connections) in addition to data that was active during the acquisition
• Relies on pool tag scanning instead of walking lists, so may find something hidden/unlinked
• Can also return stale or partially overwritten objects from freed pool memory, so a *scan-only hit is a lead to confirm (e.g. with psxview, threads, handles), not proof that something was hidden

Slide 11

Slide 11 text

...but how?
Question categories: Infection Vector (propagation too), Lateral Movement, Data Exfiltration, Keylogging Data, Persistence Mechanism, IOCs
Sequence of events? mftparser, shimcache, timeliner, usn_parser
Attack script used? yarascan, mftparser, vaddump/memdump, strings, bulk_extractor
Any C2? connections, connscan, netscan, sockets, sockscan
Who/Where? evtlogs, filescan/dumpfiles/EVTXtract, getsids, pslist, psscan, psxview
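The "Sequence of events?" row above names mftparser, shimcache and timeliner; each of them can emit mactime bodyfile rows (`--output=body`), which is how the separate outputs become one timeline. The following is an added example, not the speakers' code: it merges bodyfile rows from several plugins, collapses the four timestamp columns into MACB flags the way mactime does, and pivots around one anchor time (here the create time of a suspicious cmd.exe) to show what happened in the minutes around it. The rows, hostnames, paths and PIDs are constructed for the example and are not from the deck.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Bodyfile (mactime 3.x) columns: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# Volatility's timeliner, mftparser and shimcache emit this layout with --output=body.
BODY_FIELDS = 11


def parse_bodyfile(text):
    """Collapse bodyfile rows into (utc datetime, MACB flags, name) events, one per distinct timestamp."""
    flags = defaultdict(set)
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != BODY_FIELDS:
            continue  # blank line, comment, or a row from some other format
        name = fields[1]
        for kind, raw in zip("AMCB", fields[7:11]):
            ts = int(raw)
            if ts > 0:  # 0 means the timestamp is unknown/unset
                flags[(ts, name)].add(kind)
    events = []
    for (ts, name), kinds in flags.items():
        macb = "".join(k if k in kinds else "." for k in "MACB")
        events.append((datetime.fromtimestamp(ts, tz=timezone.utc), macb, name))
    events.sort(key=lambda e: (e[0], e[2]))
    return events


def merged_timeline(*bodyfiles):
    """Merge several plugins' bodyfile output into one sorted event list."""
    return parse_bodyfile("\n".join(bodyfiles))


def pivot(events, anchor, minutes=10):
    """Events within +/- minutes of the anchor time, e.g. the create time of the suspicious process."""
    lo, hi = anchor - timedelta(minutes=minutes), anchor + timedelta(minutes=minutes)
    return [e for e in events if lo <= e[0] <= hi]


# Constructed rows standing in for timeliner, mftparser and shimcache output (not from the deck).
TIMELINER = """\
0|[PROCESS] notepad.exe PID: 900/PPID: 1480|0|---------------|0|0|0|1400326200|1400326200|1400326200|1400326200
0|[PROCESS] explorer.exe PID: 1480/PPID: 1436|0|---------------|0|0|0|1400328070|1400328070|1400328070|1400328070
0|[PROCESS] cmd.exe PID: 2044/PPID: 1480|0|---------------|0|0|0|1400328344|1400328344|1400328344|1400328344
"""
MFT = """\
0|[MFT FILE_NAME] Users\\tony\\Downloads\\invoice.pdf.exe (Offset: 0x1e2c000)|0|---------------|0|0|0|1400328238|1400328238|1400328238|1400328238
0|[MFT FILE_NAME] Windows\\Temp\\k.log (Offset: 0x1e30000)|0|---------------|0|0|0|1400328270|1400328270|1400328270|1400328270
"""
SHIMCACHE = """\
0|[SHIMCACHE] \\??\\C:\\Users\\tony\\Downloads\\invoice.pdf.exe|0|---------------|0|0|0|0|1400328238|0|0
"""

if __name__ == "__main__":
    events = merged_timeline(TIMELINER, MFT, SHIMCACHE)
    anchor = next(e[0] for e in events if "cmd.exe" in e[2])  # pivot on the suspicious process
    for when, macb, name in pivot(events, anchor):
        print(when.strftime("%Y-%m-%d %H:%M:%S"), macb, name)
```

Run it and the dropper in Downloads, its ShimCache entry and the log file in Temp line up a few minutes before cmd.exe, while the unrelated notepad.exe half an hour earlier falls outside the window. Widen `minutes` once the first pivot gives you the infection date, then pivot again on the dropper's create time to look for the vector.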

Slide 12

Slide 12 text

Plugin / Tool: Explanation
consoles: Searches the memory of csrss.exe/conhost.exe for the CONSOLE_INFORMATION structure and displays the entire screen buffer (Input & Output).
cmdscan: Searches the memory of csrss.exe/conhost.exe for the COMMAND_HISTORY structure but only displays the Input contents. It can also find commands from both active and closed consoles.

Slide 13

Slide 13 text

...man, they tunnel fast...
Question categories: Infection Vector, Lateral Movement, Data Exfiltration, Keylogging Data, Persistence Mechanism, IOCs
What’d they type? consoles, cmdscan
Any C2? connections, connscan, netscan, sockets, sockscan
Tasks used? Logins/Accounts compromised? evtlogs, filescan/dumpfiles/EVTXtract
Any shares accessed? handles, symlinkscan

Slide 14

Slide 14 text

...do we need to call the lawyers?
Question categories: Infection Vector, Lateral Movement, Data Exfiltration, Keylogging Data, Persistence Mechanism, IOCs
Data transferred? consoles, cmdscan, ethscan, connections, connscan, netscan, sockets, sockscan
Files executed? mftparser, evtlogs/filescan/dumpfiles/EVTXtract, ShimCache, UserAssist, printkey

Slide 15

Slide 15 text

...do we need to make a public disclosure?
Question categories: Infection Vector, Lateral Movement, Data Exfiltration, Keylogging Data, Persistence Mechanism, IOCs
Where is it? yarascan, mftparser, filescan, handles
What was accessed? iehistory, notepad, clipboard
How is it stored? yarascan, strings, procdump, dlldump
Can I recover it? filescan/dumpfiles

Slide 16

Slide 16 text

...how is it still generating alerts?
Question categories: Infection Vector, Lateral Movement, Data Exfiltration, Keylogging Data, Persistence Mechanism, IOCs
Where is it? printkey/hivedump, mftparser, mbrparser, svcscan, hashdump

Slide 17

Slide 17 text

...what can we sweep our environment for?
Question categories: Propagation, Infection Vector, Lateral Movement, Data Exfiltration, Keylogging Data, Persistence Mechanism, IOCs
• Registry keys
• File names/locations
• C2 IPs/domains
• Malware’s commands/capabilities/uniqueness (exports etc.)
• Persistence mechanism(s)
• Mutexes

Slide 18

Slide 18 text

Agenda (repeated as section divider): Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through

Slide 19

Slide 19 text

…haters gon’ hate
• The system is a critical server
• There’s no way you can get everything you need by solely analyzing a memory dump
• It takes too long to acquire memory
• Over the network acquisitions are difficult

Slide 20

Slide 20 text

Keep hat1n
Memory can be manipulated with tools like ADD.
– Yes, but it is very apparent when these types of tools are used.
– Multiple ways to view similar data to find inconsistencies
– e.g. pslist vs. psscan
– @JACKCR: http://blog.handlerdiaries.com/?p=363
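The pslist-versus-psscan comparison that the *scan rule (slide 10) and the ADD slide above both rest on, as an added example that is not the speakers' code: it parses Volatility 2 pslist and psscan text output and sorts the processes psscan alone returns into terminated (an exit time is present) and still-running (no exit time), the latter being the candidates for an unlinked _EPROCESS. psxview does this cross-view natively against more sources; the point here is the logic. The sample output, PIDs and offsets are constructed for the example and are not from the deck. A psscan-only running process can also be a stale pool object from memory that has since been freed, so treat it as a lead to confirm rather than a verdict.

```python
import re
from dataclasses import dataclass

# A Volatility 2 timestamp column, e.g. "2014-05-17 12:05:44 UTC+0000"
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")
# Leading columns shared by pslist and psscan rows: offset, name, PID, PPID
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\b")


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    exited: bool  # True when both a create and an exit timestamp are on the row


def parse_process_table(text):
    """Parse pslist or psscan text output into {pid: Proc}; header/separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        exited = len(TS_RE.findall(line)) == 2
        procs[int(m.group(2))] = Proc(m.group(1), int(m.group(2)), int(m.group(3)), exited)
    return procs


def cross_view(pslist_text, psscan_text):
    """Return (terminated, hidden_candidates, list_only) as lists of Proc.

    terminated: in psscan only, with an exit time  -> expected for dead processes
    hidden:     in psscan only, still running      -> unlinked from PsActiveProcessHead, or stale pool
    list_only:  in pslist only                     -> pool tag overwritten, or an odd/smeared acquisition
    """
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    terminated, hidden, list_only = [], [], []
    for pid, p in sorted(scanned.items()):
        if pid in listed:
            continue
        (terminated if p.exited else hidden).append(p)
    for pid, p in sorted(listed.items()):
        if pid not in scanned:
            list_only.append(p)
    return terminated, hidden, list_only


# Constructed sample output (not from the deck); column layout follows Volatility 2.x.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     58      379 ------      0
0x81f2a020 smss.exe                544      4      3       19 ------      0 2014-05-17 12:00:01 UTC+0000
0x81f17020 csrss.exe               608    544     10      421      0      0 2014-05-17 12:00:03 UTC+0000
0x81e2b3e8 explorer.exe           1480   1436     14      456      0      0 2014-05-17 12:01:10 UTC+0000
"""

PSSCAN = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x023c89c8 System                4      0 0x00039000
0x01f2a020 smss.exe            544      4 0x08040020 2014-05-17 12:00:01 UTC+0000
0x01f17020 csrss.exe           608    544 0x08080020 2014-05-17 12:00:03 UTC+0000
0x01e2b3e8 explorer.exe       1480   1436 0x08200020 2014-05-17 12:01:10 UTC+0000
0x01d4a7e0 cmd.exe            2044   1480 0x08300020 2014-05-17 12:05:44 UTC+0000   2014-05-17 12:06:02 UTC+0000
0x01c12da0 svchost.exe        1337    608 0x08400020 2014-05-17 12:07:15 UTC+0000
"""

if __name__ == "__main__":
    dead, hidden, odd = cross_view(PSLIST, PSSCAN)
    for label, procs in (("terminated", dead), ("psscan only, still running", hidden), ("pslist only", odd)):
        for p in procs:
            print(f"{label:28} {p.name:16} pid={p.pid} ppid={p.ppid}")
```

On the sample, cmd.exe is simply dead, while svchost.exe PID 1337 is running but absent from the active process list and parented by csrss.exe rather than services.exe: two inconsistencies from two views, which is the kind of thing anti-forensics tools leave behind.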

Slide 21

Slide 21 text

Agenda (repeated as section divider): Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through

Slide 22

Slide 22 text

hm, that's odd… what went wrong?
• VM’s
• Corrupt dumps?
• Possibly missing data from artifacts (paged?)
• That thing called Unicode (U+1F4A9)
• The person creating the dump
• Your toolkit

Slide 23

Slide 23 text

Agenda (repeated as section divider): Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through

Slide 24

Slide 24 text

…we’ve been through some stuff
• DarkComet
• PIVY
• XtremeRAT
• Find the Malz
• Unknown variants
• POS scrapers
• “Advanced Attackers”

Slide 25

Slide 25 text

DarkComet
Scenario: Customer said their host had ‘malware’, so they uploaded a memory dump and some triage. Goal was to confirm infection and look for evidence of “Advanced” activity.
Steps:
1. Reviewed processes
2. Dumped suspicious processes and stringed through them
3. Found DC config
4. Viewed open file handles and found keylogs
5. Reviewed keylogs to find what data was captured
6. Timeline to figure out date of infection and potential vectors
7. Watering hole attack
8. No further attacker activity

Slide 26

Slide 26 text

DarkComet

Slide 27

Slide 27 text

XtremeRAT
Scenario: Customer had a ‘Backdoor.APT.Xtremerat’ alert trigger on their appliance so they uploaded a memory dump and some triage data of the responsible host for analysis.
Steps:
1. Searched for C2 that was provided from the alert
2. Dumped the process found associated with the C2
3. Found a suspicious mutex
4. Suspicious filenames in $MFT found
5. Dumped suspicious files (that we could)
6. Dynamic analysis of files confirmed suspicions & provided other IOCs
7. Visually determined one to be XOR’ed; decrypting resulted in keylogged data & we were able to use that knowledge to decrypt logfiles on other endpoints.

Slide 28

Slide 28 text

Find the Malz
Scenario: User sees traffic going to the “wrong IP” when attempting to go to an internal resource and thinks malware is redirecting traffic. Sent a memory dump for analysis.
Steps:
1. Spent hours looking for signs of malware via the normal methods
2. Found no malware
3. What else could have caused such a thing?
4. Let’s check the hosts file…
5. Wait, where is that in memory?
6. For this host, sitting in LSASS.exe
7. Stringed it out; admin found a host entry redirecting the traffic
8. Not malicious… Admin did it for “testing”.

Slide 29

Slide 29 text

Hosts file here I come
$ python vol.py yarascan -Y "rhino.acme.com"
(rhino.acme.com is the example entry in the comment block of the default Windows hosts file, so a hit lands inside a copy of the file wherever it sits in memory, whichever process is holding it.)
*Thank you @JACKCR for the recommendation!
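What you do with the yarascan hit, as an added example that is not the speakers' code: given a raw memory buffer, find every copy of the hosts file by the same anchor string, carve the surrounding printable run, parse it the way the resolver would (comments and the sample entries ignored) and report any name mapped to something other than loopback. The "memory" bytes, the 10.9.8.7 address and the intranet.corp.example name are constructed for the example; the comment block is the stock Windows hosts template.

```python
import re

# Sample entry from the comment block of the default Windows hosts file; the same
# string the slide feeds to "yarascan -Y", so a hit lands inside a copy of the file.
ANCHOR = b"rhino.acme.com"
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
LOOPBACK = {"127.0.0.1", "::1"}


def carve_text_region(buf, hit, max_len=8192):
    """Expand from a hit offset to the surrounding run of printable bytes (the carved file body)."""
    start = hit
    while start > 0 and buf[start - 1] in PRINTABLE and hit - start < max_len:
        start -= 1
    end = hit
    while end < len(buf) and buf[end] in PRINTABLE and end - hit < max_len:
        end += 1
    return buf[start:end].decode("ascii")  # region is printable ASCII by construction


def parse_hosts(text):
    """Active (ip, hostname) pairs; comments, blank lines and the commented sample entries are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.extend((parts[0], host.lower()) for host in parts[1:])
    return entries


def redirecting_entries(buf):
    """Every non-loopback mapping found in any hosts-file copy in buf -> number of copies it appears in."""
    found = {}
    for m in re.finditer(re.escape(ANCHOR), buf):
        for ip, host in parse_hosts(carve_text_region(buf, m.start())):
            if ip not in LOOPBACK:
                found[(ip, host)] = found.get((ip, host), 0) + 1
    return found


# Constructed hosts file and surrounding "memory" (not from the deck); the admin's test entry is the last line.
HOSTS = (
    b"# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    b"#\r\n"
    b"# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n"
    b"# For example:\r\n"
    b"#\r\n"
    b"#      102.54.94.97     rhino.acme.com          # source server\r\n"
    b"#       38.25.63.10     x.acme.com              # x client host\r\n"
    b"\r\n"
    b"127.0.0.1       localhost\r\n"
    b"10.9.8.7        intranet.corp.example   # testing\r\n"
)
MEMORY = b"\x00" * 64 + b"\x8b\xec\x55\x90" + HOSTS + b"\x00\xff" + b"A" * 16 + b"\x00" + HOSTS + b"\x00" * 8

if __name__ == "__main__":
    for (ip, host), copies in sorted(redirecting_entries(MEMORY).items()):
        print(f"{host} -> {ip}  (seen in {copies} copies)")
```

Two copies of the file in the buffer collapse to one finding with a count of two, which is what you see in practice when a stale page and the live copy are both resident. Feed it a memdump of the process yarascan pointed at rather than the whole image to keep the carve short.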

Slide 30

Slide 30 text

Agenda (repeated as section divider): Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through

Slide 31

Slide 31 text

Plugins / scripting
• Automate2.0.sh
• YARA rules
• dllfind
• filepath
• autoruns
• …in the queue

Slide 32

Slide 32 text

Yara
DarkComet Config Artifact from Yarascan!

Slide 33

Slide 33 text

Yara

Slide 34

Slide 34 text

Custom Plugins FTW
• filepath
• dllfind
• autoruns

Slide 35

Slide 35 text

Agenda (repeated as section divider): Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through

Slide 36

Slide 36 text

Triage with Splunk

Slide 37

Slide 37 text

Triage with Splunk

Slide 38

Slide 38 text

Process Frequency

Slide 39

Slide 39 text

Parsed Processes

Slide 40

Slide 40 text

Mutex Frequency

Slide 41

Slide 41 text

Mutex Frequency
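The frequency triage behind the Process Frequency and Mutex Frequency slides (38 to 41) is stacking: index the same plugin output from every host, count on how many distinct hosts each value appears, and read the list from the rarest end. In Splunk that is a search of the shape `... | stats dc(host) as hosts by name | sort hosts`; the following is an added example, not the speakers' Splunk app or code, doing the same thing offline in Python. It parses named mutants out of `handles -t Mutant` rows, stacks process names and mutex names across hosts and returns the values seen on only one host. The four hosts, the process lists, the handle rows and the `svch0st.exe` / `k3yl0g_mtx` names are constructed for the example.

```python
import re
from collections import defaultdict

# One row of Volatility 2 "handles -t Mutant": Offset(V) Pid Handle Access Type Details
MUTANT_RE = re.compile(r"^0x[0-9a-fA-F]+\s+\d+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+Mutant\s+(\S.*)$")


def mutexes_from_handles(text):
    """Named mutants in one host's handles output (unnamed ones have an empty Details column and are skipped)."""
    names = set()
    for line in text.splitlines():
        m = MUTANT_RE.match(line.strip())
        if m:
            names.add(m.group(1).strip())
    return names


def stack(per_host_values):
    """{host: values} -> {value: sorted hosts it was seen on}; case-folded so Svchost.exe and svchost.exe stack together."""
    seen = defaultdict(set)
    for host, values in per_host_values.items():
        for v in values:
            seen[v.lower()].add(host)
    return {v: sorted(h) for v, h in seen.items()}


def rare(stacked, max_hosts=1):
    """Values present on at most max_hosts hosts, rarest first: the short list worth a manual look."""
    hits = [(v, h) for v, h in stacked.items() if len(h) <= max_hosts]
    return sorted(hits, key=lambda vh: (len(vh[1]), vh[0]))


# Constructed per-host data (not from the deck): pslist names and "handles -t Mutant" rows for four hosts.
BASELINE = ["System", "smss.exe", "csrss.exe", "lsass.exe", "explorer.exe", "svchost.exe"]
PROCESSES = {
    "WS-01": BASELINE,
    "WS-02": BASELINE + ["outlook.exe"],
    "WS-03": BASELINE + ["outlook.exe"],
    "WS-07": BASELINE + ["svch0st.exe"],  # look-alike name, present on one host only
}
COMMON_ROW = "0x8a1b2c30   1480      0x1a8   0x1f0001 Mutant           ShimCacheMutex"
HANDLES = {
    "WS-01": COMMON_ROW + "\n",
    "WS-02": COMMON_ROW + "\n",
    "WS-03": COMMON_ROW + "\n0x8a1b2d40   1480      0x1b0   0x1f0001 Mutant\n",  # unnamed mutant
    "WS-07": COMMON_ROW + "\n0x8a2c3e50   1337      0x2c4   0x1f0001 Mutant           k3yl0g_mtx\n",
}


def rare_processes(max_hosts=1):
    return rare(stack(PROCESSES), max_hosts)


def rare_mutexes(max_hosts=1):
    return rare(stack({h: mutexes_from_handles(t) for h, t in HANDLES.items()}), max_hosts)


if __name__ == "__main__":
    print("rare processes:", rare_processes())
    print("rare mutexes:  ", rare_mutexes())
```

Raise `max_hosts` as the fleet grows (one host in four is a different signal from one in four hundred), and stack on the full path or the parent name as well as the image name once the plain-name list is clean; a look-alike process name and a mutex nobody else holds are exactly the two outliers the slides are sorting for.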

Slide 42

Slide 42 text

Agenda (repeated as section divider): Why/How we use it • Haters • Issues/Limitations/Odd use cases • War stories • Ninja foo • Splunking • Triage walk through

Slide 43

Slide 43 text

We hacked the Gibson, find us.

Slide 44

Slide 44 text

Finding C2 Traffic
connections

Slide 45

Slide 45 text

Finding C2 Traffic – How else?
iehistory
shellbags

Slide 46

Slide 46 text

Mapping Network Connections to Processes
Spot the questionable activity
psscan

Slide 47

Slide 47 text

Any Event Log Details?
evtlogs
Ruh Roh

Slide 48

Slide 48 text

Any Code Injection?
malfind

Slide 49

Slide 49 text

What’s the $MFT say about this?
mftparser

Slide 50

Slide 50 text

Can I dump any of these files?
filescan

Slide 51

Slide 51 text

How else can we possibly grab the data?
yarascan

Slide 52

Slide 52 text

Dump it like it’s hot…
vaddump/memdump
Hm… password dumping?

Slide 53

Slide 53 text

Any persistence?
hashdump
• No registry persistence
• No search order hijacking
• No BHO’s
• No trojanized/replaced binaries
• No services created
• New account added (recall previous slide)

Slide 54

Slide 54 text

Attackers Script
• Exploit
  – exploit/windows/browser/ms10_046_shortcut_icon_dllloader
• Escalate
  – getsystem -1
• Pillage
  – hashdump
• Persist
  – post/windows/manage/enable_rdp
  – execute -f cmd.exe -i -H
  – net user Tony /add
  – run persistence -A -S -i 3600
  – execute -f cmd.exe -i -H
  – sc start
  – migrate
• Clear up
  – clearev
  – timestomp c:\\ -r

Slide 55

Slide 55 text

$ ./preso -h
To ask a question, raise your hand as such: