Slide 1

Slide 1 text

Open Source Malware Hunting Lab Daisuke Arai

Slide 2

Slide 2 text

Who am I?
  NAME: DAISUKE ARAI
  Job: Security Engineer/Weekend Researcher
  X Account: @momomopas
  Recent joy: Obtaining the Certified CyberDefender certification.

Slide 3

Slide 3 text

Intro
・The reason I wanted to create this LAB is that I suddenly thought I would like to analyze it like THE DFIR Report.

Slide 4

Slide 4 text

This Time's Goal Create an environment that allows for analysis similar to THE DFIR Report.

Slide 5

Slide 5 text

How are they analyzing?
● Analysis tools such as Defender for Endpoint and Splunk are being used, as can be inferred from the report.
● The fact that they are conducting lateral movement analysis suggests that the environment is close to that of an enterprise.

Slide 6

Slide 6 text

Open Source Malware Hunting Lab
  CAPEv2 Sandbox
  Fog
  Security Onion
  Velociraptor
  Elastic Defend

Slide 7

Slide 7 text

Points for Consideration
● Consideration of Analysis Environment
  ○ Virtual Environment vs. Physical Environment
  ○ Virtual Environment
  ○ Physical Environment
● Consideration of Detection Environment
  ○ SIEM, EDR, Sandbox

Slide 8

Slide 8 text

Consideration of the Analysis Environment

Slide 9

Slide 9 text

Virtual vs. Physical

Slide 10

Slide 10 text

Virtual vs. Physical
  Virtual Environment
    Merit:   ・Conservation of Resources ・Snapshot and Restore ・Isolation
    Demerit: ・Virtual Environment Detection ・Performance Overhead
  Physical Environment
    Merit:   ・Realistic Operating Environment ・Avoidance of Virtual Environment Detection
    Demerit: ・Cost ・Difficulties in Environment Setup and Restoration

Slide 11

Slide 11 text

Virtual Environment

Slide 12

Slide 12 text

Which product should you use: Virtual Environment Edition
● Install Windows on each virtualization software, use tools designed to detect virtual environments and malware analysis environments to compare the detection results of each tool, and verify which virtualization software is most suitable.
● This time, Pafish and al-khaser will be used.

Slide 13

Slide 13 text

Verification environment
■ VM Detection Tools
  ● Pafish: Version 0.6
  ● al-khaser: Version 0.81
■ VM Spec
  ● CPU: 4 vCPU
  ● Memory: 8192 MB
  ● DISK: 128 GB
■ OS
  ● Windows 10 Enterprise Evaluation
  ● Version: 22H2
  ● Build: 19045.2006
■ Software
  ● VMware, VirtualBox, KVM/QEMU

Slide 14

Slide 14 text

Number of Detections by Pafish
  VMware     | 10
  VirtualBox | 18
  KVM/Qemu   | 9

Slide 15

Slide 15 text

Number of Detections by al-khaser
  VMware     | 31
  VirtualBox | 45
  KVM/Qemu   | 27

Slide 16

Slide 16 text

Summary
             | VMware | VirtualBox | KVM/Qemu
  Pafish     | 10     | 18         | 9
  al-khaser  | 31     | 45         | 27

Slide 17

Slide 17 text

Conclusion
● Based on the detection results, KVM/QEMU is the best option when using a virtual environment.
● If using VMware or VirtualBox, the detection of the virtual environment must be taken into account.

Slide 18

Slide 18 text

Cho-Physical

Slide 19

Slide 19 text

Which product should you use: Physical Environment Edition
● While the difficulty of restoration has been mentioned as a disadvantage of the physical environment, there are tools available that solve this drawback.
  ○ Fog Project
  ○ Clonezilla

Slide 20

Slide 20 text

Which product should you use: Physical Environment Edition
  Fog Project
    Merit:   ・Efficient Deployment ・Remote Management ・Open Source Software (OSS)
    Demerit: ・Complexity of Setup
  Clonezilla
    Merit:   ・Number of Supported File Systems ・Open Source Software (OSS)
    Demerit: ・Booting from Bootable Media ・User Interface

Slide 21

Slide 21 text

Physical
              | Sandbox | Licensing | Setup
  Fog Project | ○       | OSS       | ▲
  Clonezilla  | ☓       | OSS       | ▲

Slide 22

Slide 22 text

Conclusion
● FOG, which allows for cloning HDDs and deploying HDDs from a WebUI, is optimal.

Slide 23

Slide 23 text

FOG Project
It operates on a Linux-based server and uses PXE (Preboot eXecution Environment) to let client machines boot over the network and perform tasks such as image capture and image deployment.

Slide 24

Slide 24 text

Consideration of the Detection Environment

Slide 25

Slide 25 text

SIEM
  Tool          | Description
  Splunk        | A big data analytics tool that can collect, index, search, analyze, and visualize machine data in real time.
  Elastic Stack | Consists of Elasticsearch, Logstash, and Kibana, and is an integrated platform for searching, analyzing, and visualizing data.
  Qradar        | IBM's security information and event management (SIEM) solution that assists with threat detection and incident response.

Slide 26

Slide 26 text

SIEM
  Tool            | Description
  Alienvault ossim | An open-source security information and event management (SIEM) tool that provides threat detection and compliance management.
  Security Onion   | A free, open-source platform that provides network security monitoring and logging, supporting threat hunting and incident response.
  Graylog          | An open-source log management solution that aggregates, searches, and analyzes logging data to support threat detection and analysis.
  Opensearch       | A free and open-source distributed search engine that enables data searching and analysis, forked from Elasticsearch.

Slide 27

Slide 27 text

Consideration of SIEM
                   | Coverage of Data Sources | Licensing         | Setup | Analytical Capabilities
  Splunk           | ○                        | Commercial / Free | ○     | ○
  Elastic Stack    | ○                        | Commercial / Free | ○     | ○
  Qradar           | ○                        | Commercial / Free | ○     | ○
  Alienvault ossim | ▲                        | Free              | ▲     | ▲
  SecurityOnion    | ○                        | OSS               | ○     | ○
  Graylog          | ▲                        | Free              | ▲     | ▲
  Opensearch       | ▲                        | OSS               | ▲     | ▲

Slide 28

Slide 28 text

EDR
  Tool           | Description
  Elastic Defend | Provides an integrated security solution to enhance endpoint security and threat hunting as part of the Elastic Stack.
  OpenEDR        | An open-source Endpoint Detection and Response (EDR) platform that offers capabilities for collecting, analyzing, and responding to threats on endpoints.
  Wazuh          | An open-source platform that provides Security Information and Event Management (SIEM), threat detection, and endpoint security, offering an integrated solution for monitoring and analysis.

Slide 29

Slide 29 text

Consideration of EDR
                 | Coverage of Data Sources | Licensing         | Setup | Analytical Capabilities
  Elastic Defend | ○                        | Commercial / Free | ○     | ○
  OpenEDR        | ▲                        | OSS               | ☓     | ▲
  Wazuh          | ▲                        | OSS               | ○     | ○

Slide 30

Slide 30 text

SandBox
  Tool            | Description
  Cuckoo Sandbox  | An automated malware analysis system capable of analyzing malicious files for Windows, macOS, Linux, and Android. It monitors malware behavior, records malware activity, and reports in a secure environment.
  CAPEv2 Sandbox  | Derived from Cuckoo, it is designed to automate the process of malware analysis. It extracts payloads and configurations from malware, detects malware based on payload signatures, and automates the objectives of malware reverse engineering and threat intelligence.
  DRAKVUF Sandbox | An automated black-box malware analysis system utilizing the DRAKVUF engine. It does not require an agent on the guest OS and provides a user-friendly web interface for uploading and analyzing suspicious files. It allows for easy setup and customization and is suitable for experienced users.

Slide 31

Slide 31 text

Consideration of Sandbox
                  | Frequency of Development | Licensing | Setup | Analytical Capabilities
  Cuckoo Sandbox  | ▲                        | OSS       | ▲     | ○
  CAPEv2 Sandbox  | ○                        | OSS       | ○     | ○
  DRAKVUF Sandbox | ○                        | OSS       | ▲     | ○

Slide 32

Slide 32 text

Forensics Tools
  Tool                                        | Description
  Velociraptor                                | An open-source tool for exploring endpoints and collecting artifacts, assisting with tasks in digital forensics and incident response.
  KAPE (Kroll Artifact Parser and Extractor)  | A forensic tool aimed at accelerating the collection and analysis of digital artifacts. It is command-line based and extracts and analyzes data from target directories or registries.
  GRR (Google Rapid Response)                 | An open-source framework for conducting remote forensic operations on live endpoints, supporting data collection and analysis on endpoints, and assisting with incident response.

Slide 33

Slide 33 text

Consideration of Forensics Tools
               | Coverage | Licensing         | Setup | Can it be acquired remotely
  Velociraptor | ○        | OSS               | ○     | ○
  KAPE         | ○        | Commercial / Free | ○     | ○
  GRR          | ○        | OSS               | ▲     | ○

Slide 34

Slide 34 text

Conclusion
● Detection Environment
  ○ Security Onion + Elastic Defend
  ○ Velociraptor
  ○ CAPEv2 Sandbox

Slide 35

Slide 35 text

SecurityOnion Security Onion is an open-source Linux distribution for network security and incident response. This platform aims to combine a variety of security tools to provide a comprehensive solution. Security Onion is used for network monitoring and log management, as well as for analysis and response when security incidents occur.

Slide 36

Slide 36 text

SecurityOnion (diagram: Data Sources (Network, Endpoint) -> Tools -> Analysis)

Slide 37

Slide 37 text

Velociraptor Velociraptor is an advanced open-source tool for digital forensics and incident response (DFIR). This tool is designed for rapid investigations and data collection across a network. Velociraptor is capable of extracting detailed information from endpoints using a complex query language.

Slide 38

Slide 38 text

Velociraptor (diagram: Collect Data -> System)

Slide 39

Slide 39 text

CAPEv2 Sandbox CAPE is an open-source automated malware analysis system. It’s used to automatically run and analyze files and collect comprehensive analysis results that outline what the malware does while running inside an isolated Windows operating system.

Slide 40

Slide 40 text

CAPEv2 Sandbox
● Traces of win32 API calls that were performed by all processes spawned by the malware.
● Files that were created, deleted, and downloaded by the malware during its execution.
● Memory dumps of the malware processes.
● Network traffic trace in PCAP format.
● Screenshots of Windows desktop taken during the execution of the malware.
● Full memory dumps of the machines.

Slide 41

Slide 41 text

Network Configuration

Slide 42

Slide 42 text

Reference: Cost
  Laptop 1: Lenovo ThinkPad E480 (about 70,000-80,000 yen at that time)
  Laptop 2: Lenovo ThinkPad X240 (used, 20,000-30,000 yen)
  Mini PC: from an unfamiliar manufacturer (27,980 yen)
  Switch: TP-Link SG108E (3,544 yen)

Slide 43

Slide 43 text

Flow of Analysis

Slide 44

Slide 44 text

Flow of Analysis
  No. | Action        | Description
  1   | Submit Sample | Submit the sample to CAPE. Make sure to set a timeout.
  2   | Wait          | Wait
  3   | Collection    | Before timing out, acquire forensic artifacts with Velociraptor.
  4   | Restoration   | Once the timeout period is reached, FOG will execute automatically.
  5   | Analysis      | Analyze with Security Onion and Velociraptor.
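The steps above as one small orchestrator, added here as an example (not part of the original deck or of CAPE/Velociraptor): it submits the sample to CAPE with an explicit timeout, fires the Velociraptor collection a margin before that timeout, and then stops so FOG can re-image the host. CAPE_URL, VR_SERVER_CONFIG, the client id and the artifact name are placeholders for your own lab; the CAPE response shape (data.task_ids) is assumed from the CAPEv2 REST API.

```python
"""Orchestrate: submit to CAPE (step 1), wait (2), collect with Velociraptor
before the timeout (3), then return so FOG restores the host (4). Step 5 is
manual. Added example; CAPE_URL / VR_SERVER_CONFIG are placeholders."""
import json
import subprocess
import time

CAPE_URL = "http://CAPE_SERVER:8000"             # placeholder CAPEv2 web host
VR_SERVER_CONFIG = "/path/to/server.config.yaml"  # placeholder, run on the VR server


def submit_to_cape(sample, timeout_s, run=subprocess.run):
    """Step 1: upload the sample with an explicit analysis timeout; return task id."""
    cmd = ["curl", "-sf", "-F", f"file=@{sample}", "-F", f"timeout={timeout_s}",
           f"{CAPE_URL}/apiv2/tasks/create/file/"]
    out = run(cmd, capture_output=True, text=True, check=True)
    reply = json.loads(out.stdout)          # assumed shape: {"error": false, "data": {"task_ids": [...]}}
    if reply.get("error"):
        raise RuntimeError(f"CAPE rejected the sample: {reply}")
    return reply["data"]["task_ids"][0]


def collect_with_velociraptor(client_id, artifact, run=subprocess.run):
    """Step 3: schedule an artifact collection on the sandbox guest via VQL."""
    vql = (f"SELECT collect_client(client_id='{client_id}', "
           f"artifacts=['{artifact}']) FROM scope()")
    run(["velociraptor", "--config", VR_SERVER_CONFIG, "query", vql], check=True)


def run_flow(sample, timeout_s, margin_s, client_id, artifact,
             run=subprocess.run, clock=time.monotonic, sleep=time.sleep):
    """Steps 1-4. Collect margin_s before the CAPE timeout so the artifacts are
    acquired while the guest is still alive; FOG re-images the host afterwards.
    run/clock/sleep are injectable so the flow can be exercised without a lab."""
    if not 0 < margin_s < timeout_s:
        raise ValueError("collection margin must be shorter than the CAPE timeout")
    task_id = submit_to_cape(sample, timeout_s, run)
    started, collected_at = clock(), None
    while True:
        elapsed = clock() - started
        if collected_at is None and elapsed >= timeout_s - margin_s:
            collect_with_velociraptor(client_id, artifact, run)
            collected_at = elapsed
        if elapsed >= timeout_s:          # step 4: FOG takes over from here
            return {"task_id": task_id, "collected_at": collected_at}
        sleep(min(5, timeout_s - elapsed))  # step 2: wait in short polls
```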

Slide 55

Slide 55 text

Summary
● It is possible to analyze malware even in a physical environment.
● By utilizing OSS tools, an environment can be created that allows for analysis similar to THE DFIR Report.
● In the future, additions such as AD environments and honey files will be made.

Slide 56

Slide 56 text

Thank you.