We are going to provide a new training course named “Practical Incident Response With Digital Forensics & Malware Analysis” at Black Hat USA 2018 this August. The course outline is available at the above link. In this blog post, we focus on several highlights of our course and also provide several sample course slides.
Comprehensive and Practical DFIR (Digital Forensics and Incident Response)
In incident response for targeted attacks, we have to perform many tasks, such as identifying malware and other attack tools, identifying their functions, analyzing the root cause, and examining lateral movement. These tasks are necessary for identifying data leakage, understanding the attacker's overall behavior, identifying the damage to your network and data, and preventing recurrence.
Our exercises are well prepared and include a large number of hands-on activities. For time-consuming processes (e.g. file carving, keyword search), we prepare the command outputs in advance, so attendees get results as soon as they enter the commands.
If you are interested, please check the following sample slides for file system timeline analysis.
Effective Malware Analysis
Malware analysis is indispensable because malware and attack tools are closely involved in targeted attacks. However, DFIR and malware analysis are usually taught separately in other training courses.
The main purposes of this task in incident response are:
- to discover effective IoCs of the malware and find the same malware on other hosts.
- to identify where evidence is left by the malware.
To achieve this, we cover both dynamic analysis and reverse engineering in this course.
Dynamic analysis is an effective way to quickly obtain information about some of the malware’s features and its configuration, such as the host names / IP addresses of C2 servers, user agent, mutex and so on, before beginning reverse engineering. Of course, there are already many sandbox systems such as Cuckoo and commercial sandboxes, but because of sandbox evasion techniques you will need to combine reverse engineering with manual dynamic analysis. In our course, we provide information on how to discover various indicators of compromise in a short time using Process Monitor, Process Explorer, Process Hacker, Noriben, FakeNet-NG, x64dbg, ScyllaHide and so on while avoiding anti-analysis techniques. We also do hands-on exercises in unpacking malware to reveal its original code with x64dbg, OllyDumpEx and Process Hacker before moving on to reverse engineering tasks.
We provide a training slide sample for dynamic analysis and for how to deal with the Reflective PE Injection technique with debuggers. The malware samples in the slides are not from cyber espionage cases, but the same techniques are used in targeted attacks as well.
In many cases, performing only dynamic analysis is not sufficient. For example, a certain RAT has a function for uploading files to an infected host. When a file is uploaded, the malware creates a temporary file named after the original file with a “.tmp” extension. Once you have determined this by malware analysis, you will be able to discover the file the attackers sent by analyzing the NTFS journal file. But this cannot be found by dynamic analysis, since the file upload operation will not be executed unless the RAT receives a file upload command from the attackers. This is why we believe reverse engineering is required in incident response.
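As an added illustration (not code from the course), the following Python walks raw $UsnJrnl:$J records for the pattern described above: a file created under a “.tmp” name. It assumes, as is common for this kind of upload routine but not stated above, that the RAT renames the temporary file to its final name once the transfer completes, and pairs each such creation with the later rename of the same file record. The journal bytes are constructed inline; the USN_RECORD_V2 layout and reason flags are the documented Windows ones.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 header (60 bytes, little-endian) followed by the UTF-16LE file name.
USN_HDR = struct.Struct("<IHHQQqqIIIIHH")
REASON_FILE_CREATE, REASON_RENAME_OLD, REASON_RENAME_NEW = 0x100, 0x1000, 0x2000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def iter_usn_records(buf):
    # Walk a $UsnJrnl:$J buffer, yielding (usn, timestamp, frn, reason, name) per record.
    off = 0
    while off + USN_HDR.size <= len(buf):
        (length, major, _minor, frn, _parent, usn, ftime, reason, _src, _sid, _attr,
         name_len, name_off) = USN_HDR.unpack_from(buf, off)
        if length == 0 or major != 2:  # zero-filled gap or unsupported version: stop
            break
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        when = FILETIME_EPOCH + timedelta(microseconds=ftime // 10)
        yield usn, when, frn, reason, name
        off += length

def find_tmp_uploads(buf):
    # Pair every FILE_CREATE of a "*.tmp" with the RENAME_NEW_NAME that later gives the
    # same file record (FRN) its final name. Returns [(tmp_name, final_name, when)].
    pending, hits = {}, []
    for _usn, when, frn, reason, name in iter_usn_records(buf):
        if reason & REASON_FILE_CREATE and name.lower().endswith(".tmp"):
            pending[frn] = (name, when)
        elif reason & REASON_RENAME_NEW and frn in pending:
            tmp_name, when = pending.pop(frn)
            hits.append((tmp_name, name, when))
    return hits

def make_record(usn, when, frn, reason, name):
    # Constructed USN_RECORD_V2 bytes (test data, not from a real volume), 8-byte aligned.
    fname = name.encode("utf-16-le")
    length = (USN_HDR.size + len(fname) + 7) & ~7
    ftime = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10  # 100 ns units
    hdr = USN_HDR.pack(length, 2, 0, frn, 0x1000, usn, ftime, reason, 0, 0, 0x20,
                       len(fname), USN_HDR.size)
    return (hdr + fname).ljust(length, b"\0")

T0 = datetime(2018, 6, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_JOURNAL = b"".join([  # constructed: a RAT writes plan.docx.tmp, then renames it
    make_record(1, T0, 0x11, REASON_FILE_CREATE, "plan.docx.tmp"),
    make_record(2, T0 + timedelta(seconds=2), 0x11, REASON_RENAME_OLD, "plan.docx.tmp"),
    make_record(3, T0 + timedelta(seconds=2), 0x11, REASON_RENAME_NEW, "plan.docx"),
    make_record(4, T0 + timedelta(seconds=5), 0x12, REASON_FILE_CREATE, "notes.txt"),
])
```

`find_tmp_uploads(SAMPLE_JOURNAL)` reports the one temporary file and the name it ended up with; on a real image the buffer would be the extracted $J stream.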
In reverse engineering tasks, we analyze the malware’s capabilities and functions that could not be obtained by dynamic analysis. For example, these tasks include discovering the dispatch routines that handle C2 commands, enumerating the capabilities of RATs by investigating the routines beneath the dispatch routines, identifying string decode routines and rapidly decoding important obfuscated strings. To investigate these efficiently, we provide IDC and IDAPython scripts for IDA Pro, and we also teach attendees how to create such scripts. Since we provide all the scripts, students can freely modify and improve them and learn how to use the APIs.
Please look at the slide sample below on how to identify string decode routines.
Scenario and Artifacts
Our training course provides HDD/memory images for investigation, reproduced from a Windows enterprise network comprised of the latest Windows versions (Windows 7/8.1/10 and Server 2012 R2/2016).
We also reproduce attack scenarios obtained from actual incidents. For example, the attackers use exploits and abuse PowerShell and WMI. They gain domain administrator privileges and execute Mimikatz to generate a “Golden Ticket” for lateral movement. Finally, they steal the victim’s confidential documents.
In addition, participants can learn about other attack methods not included in our scenario, since we also provide additional artifacts and HDD/memory images with those attacks recreated.
Windows Event Log
The Windows event log is one of the most important artifacts for incident response. We teach how to analyze event logs and how to discover attacks in them, with explanations of each relevant event ID. We provide scripts based on python-evtx, and we also offer detection logic and filters for finding attacks with Event Log Explorer.
The following samples introduce parts of our event log analysis methods.
- Task Scheduler / AT
We have been accumulating methods for detecting attack tools used in the post-exploitation phase of targeted attacks, and we created the following report in collaboration with JPCERT/CC, the national CSIRT of Japan. Please see the note “Research supported by Internet Initiative Japan Inc.” at this link.
In addition to these research results, through further investigation we have newly discovered detection methods for major attack tools such as Mimikatz. We cover the following topics in this section.
- Remote Logon Events
- Task Scheduler / AT
- PowerShell Remoting
- Pass-the-Hash Detection
- Pass-the-Ticket Detection
- Golden Tickets Detection
- Silver Tickets Detection
- Mimikatz Related Events
- Mimikatz DCSync Detection
- Mimikatz DCShadow Detection
- Mimikatz Skeleton Key Detection
- Mimikatz Detection With Sysmon
- In-Memory Mimikatz Detection
- Kerberoasting Attack Detection
- WCE Detection
- DNS Timeout Events
- File Sharing Related Events
- Event Log Cleared Events
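As an added example (not the course's own python-evtx scripts), a small Python filter over event log records in the XML form that python-evtx's `record.xml()` returns, covering two of the items listed above: remote logons (4624 with logon type 3 or 10, machine accounts skipped) and a cleared Security log (1102, whose fields sit under UserData rather than EventData). The records are constructed inline; with python-evtx they would come from `Evtx(path).records()`.

```python
import xml.etree.ElementTree as ET
# Namespace of every record that python-evtx's record.xml() returns.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
REMOTE_LOGON_TYPES = {"3", "10"}  # 3 = Network, 10 = RemoteInteractive

def parse_record(xml_text):
    # Flatten one record: System fields plus EventData <Data Name=...> and UserData children.
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    rec = {"EventID": sysnode.findtext("e:EventID", default="", namespaces=NS),
           "Time": sysnode.find("e:TimeCreated", NS).get("SystemTime", "")}
    for data in root.iterfind("e:EventData/e:Data", NS):  # e.g. 4624 logon events
        rec[data.get("Name", "")] = data.text or ""
    for node in root.iterfind("e:UserData/*/*", NS):  # e.g. 1102 <LogFileCleared> fields
        rec[node.tag.rsplit("}", 1)[-1]] = node.text or ""
    return rec

def classify(rec):
    # Return a short finding for one flattened record, or None when it is not of interest.
    if rec["EventID"] == "1102":
        return "Security log cleared by " + rec.get("SubjectUserName", "?")
    if rec["EventID"] == "4624" and rec.get("LogonType") in REMOTE_LOGON_TYPES:
        user = rec.get("TargetUserName", "")
        if not user.endswith("$"):  # drop machine-account logons to reduce noise
            return "remote logon (type %s) as %s from %s" % (
                rec["LogonType"], user, rec.get("IpAddress", "?"))
    return None

def scan(xml_records):
    # Returns [(time, finding), ...] for every record that classify() flags.
    recs = [parse_record(x) for x in xml_records]
    return [(r["Time"], classify(r)) for r in recs if classify(r)]

def sample_record(eid, time, container, fields):
    # Constructed Security-channel record in python-evtx's XML shape (test data, not real output).
    if container == "EventData":
        body = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    else:  # 1102 nests its fields under <UserData><LogFileCleared>
        body = "<LogFileCleared>%s</LogFileCleared>" % "".join("<%s>%s</%s>" % (k, v, k) for k, v in fields.items())
    return ('<Event xmlns="%s"><System><EventID>%s</EventID><Channel>Security</Channel>'
            '<TimeCreated SystemTime="%s"/></System><%s>%s</%s></Event>'
            % (NS["e"], eid, time, container, body, container))

SAMPLE_RECORDS = [  # constructed sample log, not from the course images
    sample_record("4624", "2018-06-01T09:00:00Z", "EventData",
                  {"TargetUserName": "WS01$", "LogonType": "3", "IpAddress": "10.0.0.5"}),
    sample_record("4624", "2018-06-01T09:01:00Z", "EventData",
                  {"TargetUserName": "admin", "LogonType": "10", "IpAddress": "10.0.0.9"}),
    sample_record("1102", "2018-06-01T09:30:00Z", "UserData", {"SubjectUserName": "admin"}),
]
```

`scan(SAMPLE_RECORDS)` returns the two flagged records with their timestamps; the machine-account network logon is dropped.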
Because of their importance, event logs are often deleted by attackers. It is also common in actual incident response to find that event logs have not been retained for long because administrators did not configure retention correctly. Therefore, in addition to restoring lost event logs from VSS, we carve event log records from the unallocated space of disk images and analyze the restored event logs as hands-on exercises.
VSS is a well-known feature of recent Windows versions. It is a commonplace artifact and is discussed in many other training courses.
Of course we cover this too, and we also cover the latest topic of recovering deleted VSS snapshots. VSS manages “store” files that hold the differential data. Store files are deleted when the disk space used by VSS snapshots reaches a specific limit, and attackers and malware can also delete snapshots. However, if we can carve a deleted store, we can recover the backed-up files that were managed by the deleted VSS snapshot. We can cover such new topics because we have developed and maintain vss_carver.