This document provides an overview of memory forensics and incident response techniques. It discusses analyzing processes, network artifacts, and detecting code injection in memory to identify malicious activity. Tools mentioned include Redline, Volatility, and Mandiant's IOC Editor for developing indicators of compromise to automate forensic analysis. The document emphasizes the importance of memory forensics for incident response since so much runtime system state is stored in RAM.
- Air Force Office of Special Investigations
- Current: Incident Response and Computer Forensics Consultant
- Over 12 years in the trenches
- SANS Forensics and Incident Response Instructor & Author
chad@forensicmethods.com | ForensicMethods.com | @chadtilbury

The Ugly
"I'm with the government and I'm here to help."
"I can't tell you how, but we have evidence of malicious activity originating from several of your internal systems."
Organizations Simply Fail to Detect Intrusions

6 Step IR Process and Forensics
1. Preparation
2. Identification and Scoping
3. Containment / Intelligence Gathering
4. Eradication / Remediation
5. Recovery
6. Follow Up / Lessons Learned
No Identification = No Containment
Memory Forensics & Triage | Deep Dive Forensics | Network Forensics | Malware Analysis | Intrusion Analysis

Why Memory Forensics?
Everything in the OS traverses RAM:
- Network sockets, URLs
- Windows Registry keys
- Hardware configuration
- Passwords, caches, clipboards
- User generated content
- Malicious code ("If you have a problem, if no one else can help...")

One Slide Primer: Windows Memory Analysis
1. Identify Context: find the Kernel Processor Control Region (KPCR) or Kernel Debugger Data Block (KDBG)
2. Parse Memory Structures: Executive Process (EPROCESS) blocks; Process Environment Blocks (PEB); DLLs loaded; Virtual Address Descriptor (VAD) tree, the list of memory sections belonging to the process; kernel modules / drivers
3. Scan for Outliers: unlinked processes, DLLs, sockets and threads; unmapped memory pages with execute privileges; hook detection; known heuristics and signatures
4. Analysis: search for anomalies

Memory Forensics Triage
1. Identify rogue processes
2. Analyze process DLLs and handles
3. Review network artifacts
4. Look for evidence of code injection
5. Check for signs of a rootkit
6. Dump suspicious processes and drivers

Suspicious Processes
Step 1: Analyzing Processes
Image Name: Legitimate process? Spelled correctly? Matches system context?
Full Path: Appropriate path for a system executable? Running from a user or temp directory?
Parent Process: Is the parent process what you would expect?
Command Line: Does the executable match the image name? Do the arguments make sense?
Start Time: Was the process started at boot (with the other system processes)? Was it started near the time of a known attack?

Introducing: Redline
Free GUI tool for guided memory analysis
- Processes, handles, network connections, memory sections, hooks and drivers
- x86 and x64 support for: Win2000 | WinXP | Win2003 | Vista | Win2008 | Win7 | 2008R2 | Win8 | Win2012
- Heuristics for suspicious processes and code
- Live memory analysis and IR capability
- Indicator of Compromise (IOC) matching
- File whitelisting
- Comprehensive timelining
http://www.mandiant.com/resources/download/redline/

Identify Rogue Processes: MRI - Malware Risk Index
1. Process Anomalies
- Code injection detection
- Process Image Path Verification (svchost outside system32 = Bad)
- Process User Verification (SIDs) (dllhost running as admin = Bad)
- Process Handle Inspection (iexplore.exe opening cmd.exe = Bad; )!voqa.i4 = known Poison Ivy mutant)
2. Verify Digital Signatures
- Only available during live analysis
- Executable, DLL, and driver signature checks
- Not signed? Is it found in >75% of all processes?
Conficker Worm
APT Hiding in Plain Sight

Step 2: Analyzing Process Objects (Least Frequency of Occurrence)
- Malware and its associated artifacts should be among the rarest objects in a memory image
- Redline keeps a count of each time a process object is referenced
- Sort by the Occurrences column to identify outliers
** A process object occurring only once is not de facto malicious, but it should be trusted less than one that appears in 50 instances.

Least Frequency of Occurrence

Network Artifacts
Step 3: Network Artifacts
Suspicious Ports: Communication via abnormal ports? Indications of listening ports / backdoors?
Suspicious Connections: External connections; connections to known bad IPs; TCP / UDP connections; socket creation times
Suspicious Processes: Why does this process have network capability (open sockets)?
TDL3/TDSS
Finding Beacons: Zeus

Code Injection
Step 4: Detecting Injection
- DLL injection is very common with modern malware
  - VirtualAllocEx( ) & CreateRemoteThread( )
  - SetWindowsHookEx( ), etc.
- Process hollowing is another form
  - Malware starts a new instance of a legitimate process
  - The original process code is de-allocated and replaced
  - Retains DLLs, handles, data, etc. from the original process
- Code injection is relatively easy to detect
  - Review memory sections marked as executable and having no memory-mapped file present
  - Scan for DLLs (PE files) and shellcode
  - Process image base not backed by a file on disk
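The Step 1 checklist and the Step 2 Least Frequency of Occurrence idea, as an added example in Python (not code from the slides, Redline or Volatility). It runs the checks over a constructed process listing; the Proc fields, the EXPECTED parent/path table, the SID prefixes and the look-alike-name test are this example's own assumptions.

```python
"""Added example (not code from the slides, Redline or Volatility): the
Step 1 process checks and the Step 2 Least Frequency of Occurrence idea,
applied to a constructed process listing. The Proc fields, the EXPECTED
table and the look-alike test are this example's own assumptions."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Tuple

# Expected parent and image path for a few core Windows processes
# (constructed table; adjust for the OS build being analysed).
EXPECTED = {
    "services.exe": {"parent": "wininit.exe", "path": r"c:\windows\system32\services.exe"},
    "lsass.exe": {"parent": "wininit.exe", "path": r"c:\windows\system32\lsass.exe"},
    "svchost.exe": {"parent": "services.exe", "path": r"c:\windows\system32\svchost.exe"},
    "explorer.exe": {"parent": "userinit.exe", "path": r"c:\windows\explorer.exe"},
}
CORE_SERVICES = ("services.exe", "lsass.exe", "svchost.exe")
USER_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\documents and settings\\")
SYSTEM_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    parent: str
    cmdline: str
    sid: str
    dlls: List[str] = field(default_factory=list)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike names (svch0st, lsas)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_process(p: Proc) -> List[str]:
    """Step 1 checklist: image name, full path, parent, command line, SID.
    Returns the list of findings; an empty list means nothing looked odd."""
    findings = []
    name, path = p.name.lower(), p.path.lower()
    expect = EXPECTED.get(name)
    if expect:
        if p.parent.lower() != expect["parent"]:
            findings.append(f"unexpected parent {p.parent} (expected {expect['parent']})")
        if path != expect["path"]:
            findings.append(f"system image running from {p.path}")
    for known in EXPECTED:
        if name != known and _edit_distance(name, known) == 1:
            findings.append(f"name resembles {known}")
    if any(d in path for d in USER_DIRS):
        findings.append("executable in a user or temp directory")
    if name in CORE_SERVICES and not p.sid.startswith(SYSTEM_SIDS):
        findings.append(f"core service running under non-system SID {p.sid}")
    if p.cmdline and name not in p.cmdline.lower():
        findings.append("command line does not reference the image name")
    return findings


def rare_dlls(procs: List[Proc], max_occurrences: int = 1) -> List[Tuple[str, int]]:
    """Step 2 (Least Frequency of Occurrence): count in how many processes each
    DLL appears and return the ones seen in at most max_occurrences of them."""
    counts = Counter(d.lower() for p in procs for d in set(p.dlls))
    return sorted((d, n) for d, n in counts.items() if n <= max_occurrences)


# Constructed sample listing: two legitimate processes, one svchost.exe
# launched from a temp directory by explorer.exe, and one look-alike name.
SAMPLE = [
    Proc(500, "services.exe", r"C:\Windows\System32\services.exe", "wininit.exe",
         r"C:\Windows\system32\services.exe", "S-1-5-18", ["ntdll.dll", "kernel32.dll"]),
    Proc(880, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe",
         r"C:\Windows\system32\svchost.exe -k netsvcs", "S-1-5-18",
         ["ntdll.dll", "kernel32.dll", "rpcrt4.dll"]),
    Proc(1340, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "explorer.exe",
         "svchost.exe", "S-1-5-21-1000-2000-3000-1001",
         ["ntdll.dll", "kernel32.dll", "wininet.dll"]),
    Proc(1500, "lsas.exe", r"C:\Windows\System32\lsas.exe", "services.exe",
         "lsas.exe", "S-1-5-18", ["ntdll.dll", "kernel32.dll", "rpcrt4.dll"]),
]

if __name__ == "__main__":
    for p in SAMPLE:
        for finding in triage_process(p):
            print(f"pid {p.pid} {p.name}: {finding}")
    print("rare DLLs:", rare_dlls(SAMPLE))
```

The rogue svchost.exe collects four findings (wrong parent, wrong path, user directory, non-system SID) while the legitimate one collects none, and wininet.dll surfaces as the only DLL loaded by a single process; as the slide's footnote says, a single occurrence is a reason to look closer, not a verdict.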
Detecting Code Injection: Stuxnet Process Hollowing (1)
Detecting Code Injection: Stuxnet Process Hollowing (2)
Process Hollowing!

Introducing: Volatility
Python-based memory analysis framework: http://code.google.com/p/volatility/
- Tremendous versatility via plug-in architecture
- Opens the door for very advanced analysis
- Supports x86 & x64 versions of: WinXP | Win2003 | Vista | Win2008R2 | Win7 | Linux | Mac OSX and more!
- Pre-installed on SANS SIFT Workstation: http://computer-forensics.sans.org/community/downloads

Volatility Malfind (Stuxnet)
vol.py -f stuxnet.img malfind --dump-dir output_dir

Putting it All Together
1. Identify rogue processes: name, path, parent, command line, start time, SID, MRI score
2. Analyze process DLLs and handles: digital signatures and Least Frequency of Occurrence are helpful
3. Review network artifacts: suspicious ports, connections, and processes
4. Look for evidence of code injection: injected memory sections and process hollowing
5. Check for signs of a rootkit: SSDT, IDT, IRP, and inline hooks
6. Dump suspicious processes and drivers: review strings, sandbox, reverse-engineer

Intelligence Sharing
Indicator of Compromise (courtesy of Mandiant; terms are combined with Or / And / Or / And / And operators)
- File MD5 checksum is 88195c3b0b349c4edbe2aa725d3cf6ff
- File name is ripsvc32.dll
- File path contains \system32\mtxes.dll
- File PE header compile time is 2008-04-04T18:14:25
- Registry key text contains ripsvc32.dll
- Registry path contains \SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDLL
- Service DLL is ripsvc32.dll
- Process has a handle named RipSvc32.dll
- File path contains \system32\msasn.dll
- File path contains \system32\msxml15.dll
- File size is between 500000 and 900000
- File name is SPBBCSvc.exe
- File name is hinv32.exe
- File name is vprosvc.exe
- File name is wuser32.exe
- Service name is IPRip
- Service DLL is not iprip.dll

IOC Editor
- IOC Editor (free)
- Allows users to create, edit and compare Indicators of Compromise in XML format
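The Step 4 heuristic that malfind automates, executable memory with no backing file, plus the process-hollowing check on the image base, as an added example in Python (not code from Volatility's malfind or from the slides). The Region records are constructed to resemble what a VAD walk yields; the field names, the labels and the sample regions are this example's own assumptions.

```python
"""Added example (not code from Volatility's malfind or from the slides):
the Step 4 heuristic, executable memory with no backing file, plus the
process-hollowing check on the image base. Region records are constructed
to resemble what a VAD walk yields; field names are this example's own."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class Region:
    start: int
    size: int
    protection: str             # VAD protection, e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: Optional[str]  # backing file, or None for private memory
    head: bytes                 # first bytes of the region read from the image


def classify(r: Region) -> Optional[str]:
    """Label a region the way an analyst triages a malfind hit, or None."""
    if r.protection not in EXECUTABLE:
        return None                       # data, heap, stack: not interesting here
    if r.mapped_file:
        return None                       # file-backed image/DLL section: normal
    if r.head[:2] == b"MZ":
        return "unmapped PE image"        # injected DLL or a hollowed image
    if any(r.head):
        return "executable private region with code"   # shellcode candidate
    return "executable private region, zero-filled"    # allocated, not yet used


def find_injected(regions: List[Region]) -> List[Tuple[str, str]]:
    """Return (start address, label) for every region that classify() flags."""
    return [(hex(r.start), label) for r in regions
            if (label := classify(r)) is not None]


def is_hollowed(image_base: int, regions: List[Region]) -> bool:
    """Process hollowing leaves the PEB image base pointing at private memory:
    true when the region holding the image base is not file-backed."""
    for r in regions:
        if r.start <= image_base < r.start + r.size:
            return not r.mapped_file
    return True   # an image base that is not mapped at all is just as suspicious


# Constructed sample: a normal svchost.exe image, ntdll, a heap, one injected
# PE, one small executable private region holding a function prologue, and
# one RWX allocation that is still empty.
SAMPLE = [
    Region(0x00400000, 0x2000, "PAGE_EXECUTE_WRITECOPY",
           r"\Windows\System32\svchost.exe", b"MZ\x90\x00\x03\x00"),
    Region(0x77000000, 0x10000, "PAGE_EXECUTE_READ",
           r"\Windows\System32\ntdll.dll", b"MZ\x90\x00\x03\x00"),
    Region(0x001e0000, 0x10000, "PAGE_READWRITE", None, b"\x00" * 8),
    Region(0x002a0000, 0x6000, "PAGE_EXECUTE_READWRITE", None, b"MZ\x90\x00\x03\x00"),
    Region(0x003b0000, 0x1000, "PAGE_EXECUTE_READWRITE", None, b"\x55\x8b\xec"),
    Region(0x004c0000, 0x1000, "PAGE_EXECUTE_READWRITE", None, b"\x00" * 8),
]
# The same process after hollowing: the image base is now private memory.
HOLLOWED = [Region(0x00400000, 0x2000, "PAGE_EXECUTE_READWRITE", None, b"MZ\x90\x00")] + SAMPLE[1:]

if __name__ == "__main__":
    for addr, label in find_injected(SAMPLE):
        print(addr, label)
    print("hollowed:", is_hollowed(0x00400000, SAMPLE), is_hollowed(0x00400000, HOLLOWED))
```

Three regions are flagged in the sample: the unmapped PE at 0x2a0000 is the classic injected-DLL hit, the small region at 0x3b0000 is what a shellcode stub looks like, and the zero-filled RWX page is worth noting but is lowest priority. The hollowing check fires only when the image base itself has lost its file mapping, which is why the Stuxnet case above is caught even though the process name and DLL list look normal.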
http://www.mandiant.com/resources/download/ioc-editor/
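How an Or/And indicator tree like the one above is matched against host artifacts, as an added example in Python (not code from IOC Editor or Redline, and not the OpenIOC XML schema). It uses the terms from the slide, but the way they are grouped into Or/And blocks, the term names, the host-artifact layout and the two constructed hosts are this example's own assumptions; the hashes and sizes in the sample hosts are placeholders.

```python
"""Added example (not code from IOC Editor or Redline): a small evaluator for
an OpenIOC-style indicator tree, using the terms from the slide above. The
grouping of terms into Or/And blocks is this example's own assumption, as
are the term names, the host-artifact layout and the constructed hosts."""
from typing import Any, Dict, List, Tuple

# Leaf: (category.attribute, operator, value). Branch: ("or"|"and", [children]).
# Leaves of one category under an "and" must match the SAME object, which is
# what makes "service.name is IPRip AND service.dll is not iprip.dll" meaningful.
IOC = ("or", [
    ("file.md5", "is", "88195c3b0b349c4edbe2aa725d3cf6ff"),
    ("and", [("service.name", "is", "IPRip"),
             ("service.dll", "isnot", "iprip.dll")]),
    ("and", [("registry.path", "contains",
              r"\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDLL"),
             ("registry.text", "contains", "ripsvc32.dll")]),
    ("process.handle", "is", "RipSvc32.dll"),
    ("or", [("file.name", "is", n) for n in
            ("ripsvc32.dll", "SPBBCSvc.exe", "hinv32.exe", "vprosvc.exe", "wuser32.exe")]),
    ("and", [("file.path", "contains", r"\system32\msasn.dll"),
             ("file.size", "between", (500000, 900000))]),
])


def _match(op: str, actual: Any, expected: Any) -> bool:
    if op == "between":
        lo, hi = expected
        return lo <= actual <= hi
    a, e = str(actual).lower(), str(expected).lower()   # case-insensitive, like Windows
    return {"is": a == e, "isnot": a != e, "contains": e in a}[op]


def _leaf_matches(leaf: Tuple, obj: Dict[str, Any]) -> bool:
    term, op, expected = leaf
    attr = term.split(".", 1)[1]
    return attr in obj and _match(op, obj[attr], expected)


def evaluate(node: Tuple, host: Dict[str, List[Dict[str, Any]]]) -> bool:
    """host maps a category ("file", "service", ...) to the objects collected
    from the system; returns True when the indicator tree matches."""
    kind = node[0]
    if kind == "or":
        return any(evaluate(c, host) for c in node[1])
    if kind == "and":
        leaves: Dict[str, List[Tuple]] = {}
        branches = []
        for c in node[1]:
            if c[0] in ("and", "or"):
                branches.append(c)
            else:
                leaves.setdefault(c[0].split(".")[0], []).append(c)
        same_object = all(
            any(all(_leaf_matches(leaf, o) for leaf in ls) for o in host.get(cat, []))
            for cat, ls in leaves.items())
        return same_object and all(evaluate(b, host) for b in branches)
    return any(_leaf_matches(node, o) for o in host.get(kind.split(".")[0], []))


def matched_branches(ioc: Tuple, host: Dict[str, List[Dict[str, Any]]]) -> List[int]:
    """Indices of the top-level branches that fired, for the analyst's report."""
    return [i for i, c in enumerate(ioc[1]) if evaluate(c, host)]


# Constructed hosts: a clean one and one where the IPRip service has been
# repointed at ripsvc32.dll (hashes and sizes are placeholders).
CLEAN = {
    "file": [{"name": "iprip.dll", "path": r"C:\Windows\system32\iprip.dll",
              "md5": "0" * 32, "size": 120000}],
    "service": [{"name": "IPRip", "dll": "iprip.dll"}],
    "registry": [{"path": r"HKLM\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDLL",
                  "text": r"%SystemRoot%\system32\iprip.dll"}],
    "process": [{"handle": "ntdll.dll"}],
}
INFECTED = {
    "file": CLEAN["file"] + [{"name": "ripsvc32.dll", "path": r"C:\Windows\system32\ripsvc32.dll",
                              "md5": "f" * 32, "size": 650000}],
    "service": [{"name": "IPRip", "dll": "ripsvc32.dll"}],
    "registry": [{"path": r"HKLM\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDLL",
                  "text": r"%SystemRoot%\system32\ripsvc32.dll"}],
    "process": [{"handle": "RipSvc32.dll"}],
}

if __name__ == "__main__":
    print("clean:", evaluate(IOC, CLEAN), matched_branches(IOC, CLEAN))
    print("infected:", evaluate(IOC, INFECTED), matched_branches(IOC, INFECTED))
```

The clean host matches nothing even though it has an IPRip service and the expected registry path, because the And block requires the same service object to carry a non-standard DLL; the infected host fires four of the six branches, which is the kind of breakdown an IOC report shows the analyst. Matching the MD5 alone is the brittlest term in the set, so the structural terms (service name plus unexpected DLL, registry ServiceDLL value, process handle name) are what carry an indicator like this across variants.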
Automating IOC Analysis
- IOCs allow a wide range of alert triggers to be set for known malware: processes, hooks, drivers, handles, strings
- IOCs can be used with any live / dead memory analysis in Redline
- Scan for a single IOC or hundreds
Redline IOC Analysis (Zeus)
Zeus Indicator of Compromise (IOC Editor)
Redline IOC Report

6 Step IR Process and Forensics
1. Preparation
2. Identification and Scoping
3. Containment / Intelligence Gathering
4. Eradication / Remediation
5. Recovery
6. Follow Up / Lessons Learned
No Identification = No Containment
Memory Forensics & Triage | Deep Dive Forensics | Network Forensics | Malware Analysis | Intrusion Analysis

Links
- Getting started with Redline
  - https://www.mandiant.com/resources/download/redline
  - http://holisticinfosec.org/toolsmith/docs/february2009.html
  - http://forensicmethods.com/windows-8-server-2012-memory-forensics
- Volatility references and sample memory images
  - http://code.google.com/p/volatility/w/list