6. Behavior Analysis (OBJ 3.1)
Behavioral analysis. Now, in the last lesson, we talked about shellcode. And shellcode is really easy to hide and obfuscate because you can do a lot of things with it to evade signature-based antivirus detection if you’re an attacker. Because of this, threat hunting and security monitoring must use behavioral-based techniques to really identify infections. Now, to do this, we’re going to use a lot of different tools. And one of the most common ones we’re going to use is a tool suite called Sysinternals. Sysinternals is a suite of tools designed to assist in troubleshooting issues with Windows.
It was originally made for system administrators, but a lot of these tools are well suited to investigating security issues as well. These tools are all available for free on Microsoft’s website and are part of their tool suite. Now, the great thing about these tools is that they allow us to start building up a baseline to identify what normal is. One of the first areas we want to do this in is what’s called “process analysis,” where we want to start figuring out what processes are running on a Windows system. Now we can use a tool called Process Explorer to do this. And this is part of the Sysinternal tool site. Process Explorer can filter out legitimate activity—what we know to be good. And in this way, we can quickly identify what is abnormal behavior. The way this works is essentially that we can run the system and see what normal looks like, and we can save inside a Process Explorer all those running processes.
Then we can run some malware in a sandbox, and we can run that process tool again. And now we can compare what we had as our baseline with what is running now. and that can help us identify what the malware is doing. That’s how you can do it inside a sandbox to identify malware patterns. But if you already have a good baseline for a system that’s a production system, like your workstation on your desk, and then we think you’re infected, we can run this tool again and compare it to that known good baseline to see if there are any changes. And if there are, that could be a suspicious area that we want to investigate further. This is extremely useful for threat hunting and incident response. When we’re doing this, the main idea is to first understand what legitimate processes are so that you can identify anything else that is suspicious.
So to help you with that, let’s go through and talk about a couple of processes on an atypical window system and what is considered legitimate. Anything outside of these would be something you should label as suspicious and look into further. The first two I want to talk about are system idle, which is PID zero, and system, which is PID four. Now, these two are always going to have a PIDS, which is the process identification number. These are kernel-level binaries that are used as the parent of the first user mode process, which is called Session Manager Subsystem, or SMS Exe. If you open Process Explorer or look at the Processes tab in Windows, you’ll notice that these two processes are always present. Next, we have the client server runtime subsystem, which is CSRSS Execute. This manages low-level Windows functions, and it’s normal to see several of these running. These are now legal as long as they are run from the system root system 32 and have no parent. If you start seeing them and they have some kind of parent, it means it may be malware that’s trying to masquerade as this process. The following one is Win in International.
Now Win in IE is going to manage drivers and services and should only have a single instance running as a process. When you look at Process Explorer, if you see more than that, again, it could be masquerading as malware. The next one we have is Services.exe, and this is what I see a lot of malware trying to masquerade as. So this is what you want to look closely at. Service Exe is going to host non-boot drivers and background services for you, and this process should only have one instance of Service Exe running, and it should be a child of Win and End. Now, there are other service processes that you should see. Those are the offspring of Services dot Exe or Service host Exe. If it’s a child anywhere else, it probably is something that is malicious, and you should look into it further. Another thing to remember about services is that they should always be started by the system’s local or network service accounts. If it was started by somebody who has an unusual name, that is usually a malicious process. So you should flag it and look into it further. The local security authority subsystem, or LSAs exe, comes next. This is going to handle authentication and authorization services for the system, and it should have a single instance running as a child of Winin Exe.If you see it elsewhere, that might be suspicious. Next, we have Winlogon, which is Winlogin exe.
This is going to manage access to the user’s desktop, and it should only have one instance of each user session with the desktop window manager, the DWM Exe, as its child process in most of the modern versions of Windows. Another one that’s very common to see is User Init.User-initiated Exe sets up the shell, typically your Explorer Exe file, and then it quits. So you should only see this briefly during your log-on process. If the computer has been logged on for 30 or 40 minutes and you go to look and see Username Exe, that should raise a red flag. And finally, we have Explorer. Explorer. Exe.
This is the typical user shell, and it’s launched with the user’s account privileges rather than the system’s. And it’s likely going to be the parent for all of the processes that are started by the logged-on user. So when I go into Windows and I launch the computer, I’m starting up Explorer.exe, and that’s my desktop. Then if I open up Microsoft Word, Word should be a child of Explorer.exe because I’m the logged-on user and I launched Word; anything other than that would be suspicious, and you should flag it and look at it. Now, I’ve mentioned a couple of times that you should flag something and say, “This is suspicious,” and you should look into it further. What else might make a process look suspicious to you? Well, for me, any process name that I don’t recognise is something that would be suspicious, and when I say something is suspicious, it means I should look into it further. That’s all. It doesn’t mean it’s necessarily bad, but it’s just something I don’t know, and so I need to learn a little bit more about it.
So if I see an unrecognised name, what I should do is start looking online to see if it’s a known process, and usually I’m going to use Microsoft’s website to do that since they are the official source. Second, any process name that’s similar to a legitimate system process—if I see something like SCV host, that’s very similar to SVC host, and so that looks like something that somebody is trying to trick me with.
So I’m going to look into that further. If I see something that has a scrambled name or something that looks like it was randomly generated, that would also be something that would be suspicious to me. Another thing I’d be looking at is any process that appears without an icon, version number, information, a description, or a company name. All of these are things that are just suspicious to me, which either means it’s poor coding or it might be malicious. After that, I might look at any processes that are unsigned, especially if they’re from a well-known company like Microsoft. Microsoft signs all of their stuff.
So if you find something that says “Microsoft Corporation” and it’s unsigned, it’s most likely malicious or at least suspicious. The fifth thing I like to look at is any process whose digital signature doesn’t match the identified publisher. Now, what this means is that sometimes somebody might have stolen somebody’s digital key, and if they stole the developer’s private key, they could then issue their own stuff and pretend to be that company. But if the company field and the digital signature aren’t matching, that is usually an indication that this is a piece of malware or at least something very suspicious. The 6th thing I want to look at is any process that doesn’t have a parent-child relationship with a principal Windows process. Now, when I talk about a principle Windows process, what is that? Well, that’s something like explorer exe.
Remember, I said Explorer.exe should be launching pretty much all the processes for a logged-in user. And so if I’m not seeing that and I see those processes somewhere else that might be something that’s suspicious, I’d look into them further. The second thing I like to look at, and this is obviously much further down my list, is any process hosted by Windows utilities like Explorer. Explorer should have some things underneath it, but I like to look at them all and make sure I know what they are and trust them. But I also want to look at things like Notepad and Task Manager because a lot of times malware will embed itself under those and try to have those things launch it as malware.
And so if I see something like Notepad calling some other executable, that’s usually a little funny because Notepad doesn’t usually run other executables; it runs text files, right? And so that would be something that would be suspicious, and we’d look into it further. The 8th thing is any process that is packed or compressed because, again, as I talked about earlier, yes, there are legitimate uses for packed files, but in general, that is something that is heavily used by malware. So it doesn’t necessarily mean right away that it is malicious, but it is something I want to look further into. If you’re using Process Explorer, anything that’s highlighted purple is considered a packed or compressed file, and that should draw your attention to it pretty quickly and analyse that as potential malware. Now, what do you do when you find one of these suspicious processes? I just gave you eight different ways to identify things that may be suspicious. What do you do with them now? Well, the first thing you are going to do is identify how the process interacts with the registry and the file system now that this file or process has been launched.
What is it doing? Is it making modifications to your registry? Is it putting additional files on the system? And if so, are those things allowed? This is something that malware likes to do. When you run malware, it tries to embed itself further, and it does that by going into the registry or the file system. The second thing is you have to ask yourself, “How is this process being launched?” Who started this process? Did the user do it? Was it done by a service? Did some kind of scheduled task do it? And once you figure that out, that will help you eliminate it if it’s something malicious and you need to turn it off. The third thing is, is that image file located in the system folder or a temporary folder? A lot of times, when you get malware, it’s coming from and being launched from a temp folder, not from the system folder.
So if a process is being launched from a system folder, It’s probably more trustworthy than if it came from a temporary folder. So it’s another area I look at. And then, four, what files are being manipulated by the process? Again, when you launch this file, what is it touching? Is it reading files? Is it changing files? All that stuff is information you want to gather about this process so you can determine what it’s doing and if it’s malicious or not. The fifth thing you want to do is figure out if the process restores itself after a reboot if you deleted it. If I went in and deleted this process and then rebooted my computer and it came right back, that’s an indication that there’s something malicious or suspicious going on. And the 6th thing I want to look at is: is a system privilege or service getting blocked if I delete the process? Now, sometimes if you have shimmed something into it or injected that code into some kind of system DLL, that can cause problems if you delete it. And again, malicious people want to make sure their software stays intact. And so if you take something out and delete that process, does that break your system?
Does it cause privilege issues? If so, that’s another thing that adds to your toolkit as you start looking at and investigating this piece of software. And then the 7th and final one is: is the process interacting with the network? This is a big one because we want to see if there’s any communication going in and out because, again, malware likes to communicate with its owner. It goes out into a C2 network. We need to figure out what the domain is or what the IP is. So then we can potentially block that. Now, in this lesson, I focused a lot on manual analysis, but a lot of these UEFA products that we talked about earlier can automate this process for you and make it much easier. Now, a lot of these UEFA programmes are relying on the capabilities of artificial intelligence and machine learning to help you orchestrate and automate a lot of this work for you. But it is still important for you, as well as anyone else, to know how to do this manually so you can identify these things on your own and know what you’re looking at. We don’t always want to be relying on the machines, even though the machines are there to help.
7. Malware Analysis (OBJ 3.1)
Malware analysis. In this lesson, I’m going to do a little bit of static and dynamic malware analysis, and then we’re going to go through and look at how we can look through a debugger and decompile to analyses some of the code. Now again, stick with me here. You don’t have to actually be able to do all the things I’m going to show you here. This is just an introduction to some of the tools and techniques that reverse engineers use. Let’s go ahead and get started.
Now the first thing we’re going to do before trying dynamic analysis is go and look at it statically. And so we’re going to open up a command prompt. So click on your Windows icon and type in the word “command.” And from the command prompt, we want to change directories to the desktop. And if you notice here, we do have Trickster on the desktop. Now we need to extract Trickster. So we’re going to right-click it, go to 7-Zip, and go to extract here. It’s going to ask us for the password, and the password is malware. One, two, three. We’ve password-protected this to make sure you don’t accidentally unzip it on a system you don’t want to. So in this case, we’re going to go ahead and hit OK. Trickster will now appear on your desktop. If we hit Dir again, you’ll see—there it is. So what we want to do is pull out any ASCII strings inside that binary by going through a programme called Floss. And it’s floss, and then the name of the file you want it to search through, which will be trickster exe. And we’re going to pipe that into a text file called Trickster Rings. TXT that’s going to go through that entire file, find anything that looks like an ASCII character text that we can read, and put it into a file for us to review.
So to look at that, we’re just going to use type, then tricksterstrings TXT, and then the command more to see it a page at a time. Now notice here that it says there’s a comment: “This programmer cannot be run in DOS.” That’s fine. And then it’s going to start outputting any ASCII characters it finds. And then you can see that it discovered two W, three, this garbage, text, our data, and then a bunch of stuff that appears to be encrypted. And if I go a few more pages here, you’ll see that there’s a lot of content that I simply cannot read. It doesn’t make any sense. What is all this data about? Well, what I’m really looking for is IP addresses. I’m looking for host names, email addresses, programme file names, or anything like that.
But in the case of Trickster, all I’m finding is a garbled mess that indicates that this malware has been protected using encryption to keep people like us trying to do malware analysis from detecting its true source. And that means that static analysis here isn’t going to work really well because it’s all encrypted. Okay, so Trickster was encrypted, and we couldn’t do static analysis. But here’s where it gets fun. We’re going to look at this thing dynamically. We’re going to start running the programme and try to identify its purpose and what the file does. We’re going to try to figure out what the malware does to the system. What changes does it make? Does it call out to a remote website? Does it download files? Does it mess up your registry? What is it going to do? Well, we’re going to figure that out here. So the first thing we want to do here is create a known-good baseline for our system.
What I want to figure out is what the registry looks like, what the task manager looks like, what the scheduled task looks like—all of those types of details. And to do that, we can use a programmer from system internals called “auto runs.” A-U-T-O-R-U-N-S. Auto runs. Just go ahead and enter it from your command prompt and hit enter, and the programmer will launch for you. I’m going to go ahead and maximize it here, and I’m going to go ahead and go to File, where there’s a setting called “run.” As an administrator, I want to do that so that system internals and auto runs can see the entire system regardless of who the user is. And so we’re going to let it run here for a second. It’ll take about 30 seconds, and when it’s done, it’s going to stay ready in the bottom left corner, as it just did. This is the baseline. This is a system that is not infected with malware. Nothing bad has happened yet. So what we want to do is go to File and save this, and I’m going to save this to the desktop and call it baseline. Go ahead and save, and you’ll see that it does show up here on my desktop right there. Baseline auto-run file Now what do we want to do next? Well, we want to run Trickster, and we want to run it as an administrator.
So we’re going to right-click it and say “run as administrator.” And infect this machine, go ahead and press yes; give it a second here, and Trickster will run and begin doing whatever it does to our machine, which we don’t know yet, but we can figure it out. So what we’re going to do is maximize our auto runs again. Go over here to the refresh button and hit refresh. It’s going to scan your system again and figure out what an infected system looks like. So, now that it’s finished and ready, we’ll go to File and compare it to our known-good baseline, that ARN file. And all this is going to do is take what the current system found and then take away anything that was in the old baseline system, and whatever’s left is what Trickster did. So if we go ahead and hit open, we have one thing. All Trickster did when it ran was add a task scheduler. And it has one called “Services Update.” This user’s ieuserappdata. Roaming winuppusjdltufs exe is the file it’s telling it to run. Now as I talk about this file, when we go through our analysis, I’m going to refer to it as “U Exe,” because I don’t want to have to keep saying “USJ dlt UFS,” because that’s just a really long and weird name. So anyway, we see here that this was a change to the task scheduler.
With the exception of putting this one file here in this path, it didn’t touch the registry or the file system. and it’s being run through the task scheduler. So to look further into it, we’re going to go into our task scheduler. So let’s go ahead and open up our task scheduler by clicking on the Windows icon and typing in “Task Scheduler.” And there it is. Go ahead and open it. We’ll maximise this here, and you can see that task name. Services Update is showing up here, and it’s set to run in about three minutes from now. And it has multiple triggers to find. So let’s go ahead and look at these triggers and figure out what this file does. So if I double-click on it, it will open up, and you’ll see that the name was Services Update. The description reads “Look for Services Monitor,” which doesn’t make much sense in English. So that tells me that this may also not be a legitimate program. Now let’s go ahead and look at triggers.
Under triggers, there are two triggers. Anytime somebody logs on to the system, this task is going to be run, and then it’s going to happen daily at 5:00 p.m. Every day, which was also when we ran Trickster Exe, And after it’s triggered, it’s going to happen every three minutes for one day. So every three minutes for the next 24 hours, it’s going to keep doing this program. And what is it going to do? Well, it’s going to start this programme, this UXE program. Now we don’t know what UExe does yet, but we do know that Trickster wants it to run every three minutes. So if you had to venture a guess as to what the function of this programme is, what do you think it would be? I think it’s probably a beacon. It’s probably calling out to a command and control server and saying, “Hey, I’ve infected this machine.”
I’m here and I’m ready for orders. That’s what I think this is doing. but we’ll look into that as we go. through and try to prove our thoughts on this. Next, we can look at the conditions, and you can see that it will start all the time. It will only stop if the computer ceases to idle, and we can look at our settings here. It’s going to be a task that’s run on demand. It’s going to run it as soon as possible, and we can see the history. Has it happened yet? Well, not really, because history was disabled here and there is no logging. On a good system in an enterprise network, however, you might have this enabled and be able to see all of the times it ran. But since we don’t, we’re going to go ahead and look at the system and see if we can figure it out. And so we can see that the next time this is going to run is in just about a minute. Now if we sit here for a minute, we’re not going to see anything because this programme is running in the background.
This programme is run as a beacon, and that’s just going to run where we can’t even see it. And so we’re going to have to look at something like a process explorer or be able to see the network traffic and see that call occur. We’ll use a programme to verify that the callout occurred and determine whether or not this is a beacon. Now, if you remember, we had a file called UExe that was being run on our machine. It is located under the C drive and then under the user drive, under our user account for IE users, under app data under roaming, and then under Windows apps. And there you have it. Now there are three other things here. one folder and two files. Let’s see if there’s anything inside this modules folder. There isn’t one yet. The reason for this is stage one malware. This US exe file has been making its callout, but we stopped it before it ever had a chance to download any modules or malware. And really, the reason why is because the IP addresses it’s calling to are benign. They are not malicious.
But if this was a real piece of malware that was dangerous, it could be calling out and downloading that stuff into these modules and running that stage-two malware to make it part of a botnet, steal your files, conduct ransomware, or whatever its decided method would be. Next, it has two text fields: client ID and group tag. I’m going to open up the client ID first, and we’re going to go ahead and open this with Notepad. Now the client ID is here; this is my host name, Ms. Edgewin Ten. What is all of this behind it?Well, this becomes a unique identifier or a serial number, and that’s what this malware is doing. It is going to connect to all of these machines and try to do something with that information. It needs to know what machines are if it’s going to put them in a botnet; if it’s going to do ransomware, it needs to know who you are. So when you pay them, they can release your machine or not, depending on how the attacker is going to do their job. But again, they need a way to identify you. And that’s what this client ID is.
It’s just a simple serial number. Next we have this group tag, and if we open up the group tag in Notepad, we can see it just says “TT 2,” which is just an alphanumeric code for this group that your machine is being put into. And again, if you’re going to be part of a botnet, maybe I want to be able to sell off 100 machines, or 10 machines, or 100 machines at a time to conduct a DDoS attack. Well, I need a way to group those together. And this group tag is simply that. So those are those two files and the module, and that’s what it did to our hard drive. But it really hasn’t done anything malicious yet because this is just the first dropper. Now you can see how we might go all the way through and dig really, really deep into this. Now we’re going to figure out exactly what it’s doing and how it’s doing it.
And you can keep following these breadcrumbs all the way down, but at this point, we already have three different indicators of compromise. The first would be the file hash for Trickster Exe. The second would be the fact that it goes and creates this process, this executable, and this U exe file and places it in the roaming Winamp directory. Another one is the fact that it creates this client ID, this group tag, and this modules folder. So we already have three right there. But if we want to dig deeper, we can actually start digging into this further and further and further.
So now that we’ve done the dynamic analysis and figured out that this is a stage one dropper, that it’s beaconing out every three minutes, that it’s calling out to this particular IP address, and that it’s creating this client ID and this group tag, Let’s go and look at it statically and dig just a little bit deeper to figure out what else we can determine about of trickster.So now that we’ve kind of exhausted what we can do dynamically, we’re going to dig back into static analysis just a little bit. So the way we’re going to do this is by opening up the U.exe file in a programme called IDA. Now IDA is a decompiler, and we can find it here inside of Flare and then in disassemblers. Now that we have this D compiler, we’re going to open up AsIDA Free, which is the freeware version of IDA Pro. It’s going to allow us to do quite a bit, and we’re only going to use a very little bit of it. So what we’re going to do is disassemble a new file, and all we have to do here is drag it on here to disassemble it.
So I’m going to bring back up that file, Uexe, and drag and drop it onto IDA. So we’re going to load it up, and we have to choose: is it an executable from DOS, a portable executable, or a binary file? In our case, I believe it to be portable because it’s running inside of Windows and not inside of DOS, as we saw from the comment we pulled out using the Floss tool. So we’re just going to go ahead and hit OK and Up. It’s going to pop. Now, if you notice here in Itawa on the left side, it’s going through and giving us the assembly code for this programme the best it can based on decompiling it and making its best guesses. Now, what we really care about here in Idaho is what we import and export using this thing using.So I’m going to go ahead and hit exports, and we really don’t see anything. If I go ahead and hit imports, you can see all of the different processes and functions that are called from the kernel and from the APIs in Windows.
And so here we have our imports, and we can see the different types of functions that this programme calls. For instance, it opens and closes registry keys and queries them. And we notice that in Process Monitor, a lot of things were done with the registry. We can see that it can create files or get the current directory. It can get command-line arguments and run commands; it can load strings; it can register classes; it can do all sorts of different things. And as we scroll through this, we can learn a little bit about the programme and what it’s capable of doing just by looking through the different processes that it may be able to run. Now, that gives us some information, but it doesn’t give us a whole lot to go on.
So unless you’re able to actually read these assembly-language programmes and be able to go through them step by step, this is not really going to help us with an introductory level of malware analysis. Now, if you want to go through and reverse engineer this entire thing, well, you’re going to have to take a different class because that is way, way more in depth than this class is going to be looking at. Now let’s go ahead and close out of IDA, and we’ll go ahead and just say, OK, and what we’re going to look at here is that we are going to take this program, U. exe, and run it through a debugger. Now, a debugger allows us to run a programme step by step, one instruction at a time as it goes through, so we’re going to go ahead and say yes here and yes there. Now what I want to do is open up our file inside of Ali Debug, and to do that, I’m just going to go in here to the C drive, go down to users, IE user app, data roaming, and then down to the bottom for WinAPP. And there is U Exe.
Once we open that up here, you can see just like before, we have all of our assembly language here, which this can decompile and run step by step. Now, a lot of malware is going to protect itself from being run step by step. Let’s see if Trickster and U Dotexe are among those malicious programs. So what we are going to do is go ahead and play it, and if you see the little play icon right here, it’s going to go through; just say yes; it goes through and attempts to play this programme step by step. Now when we do it, it runs very quickly, and then it just terminates. Nothing really happened for us, right? Well, that means that this piece of malware is most likely detecting the fact that it’s in a debugger and going step by step. And so we’re going to have to use a little bit more complex method to be able to pull out that code and then analyse it. In our static analysis, we saw that it was encrypted when we tried to run Floss earlier on, and now when we try to run it through a debugger, we are actually getting it where it stops immediately. So it’s detecting the fact that it’s being stepped through the program. So instead, what we’re going to have to do is run the process, capture it in memory while it’s being unpacked, and then be able to analyse it.
Now, to do that, we have to start with a clean VM again. And so what I’m going to do here is pause this and bring ourselves back up to a clean VM with our antivirus turned off, our firewall turned off, and Trickster expanded onto the desktop. So we are back, and we now have our Flare VM. We should have turned off our antivirus software, disabled our firewall, and unzipped the Trickster file. But before we move any further, we need to download a piece of software called Process Dump. So we’re going to go ahead and open up our Edge browser, and from our Edge browser, we want to go to Split Code Process Dump HTML, which is splitcode.com Process Dump HTML. And when we get there, you’ll be able to download the Process Dump file, which is currently Version 2, in either 32 or 64 bit format. And since we’re operating on a 64-bit operating system, that will work fine for us. We’re going to go ahead and hit open, and it’s going to open it here on our desktop. We’re going to take PD 64 and drop it onto our desktop, so it’s ready for us to use, and we can go ahead and close our Edge browser.
So now that we have PD 64 on the desktop, we want to go ahead and open up a command prompt. But this time, I’d like to right-click on it and run it as administrator. So go ahead and say yes. So now that we have our command prompt open as administrators, we want to get into the directory that is our desktop, which is going to be under C users’ Ieuser desktop. And if we hit Dir, you can see Trickster and PD 64 sitting there on the desktop. So now I want to go ahead and run PD 64 and create a hash database of all of the processes that are currently running before I put any malware in there. So I’m going to do that by doing PD64 exe DB for database generation or GE for generate, and then go ahead and hit Enter. Now this is going to go through and find all of the processes that are sitting there on this system, and it’s going to capture them and create a hash value for all of those processes.
Now this is going to take somewhere around five to ten minutes, depending on how fast your system is. And so I’m going to go ahead and pause the video here and come back. Once that hash database has been created, we’re going to be able to go and run Trickster and capture that malicious process, dump it, and then look at it inside of IDA. Now that the programme is done, you’re going to get this finished. The clean hash database has now been created, and you’ll notice here on your desktop that you have the clean hash file that is going to serve as that database. The next step to capture Trickster is to type in the command PD 64 exe p and then the name of the file that’s going to be running, which is Trickster exe. But don’t hit Enter just yet. We have to go and create Trickster first, because if I try to hit Enter right now, it’s not going to find anything because Trickster doesn’t exist. So I’m going to get it ready to go.
Right-click on Trickster and tell it to run as an administrator. Then, as soon as I hit yes, I’m going to click on the command prompt and hit Enter to capture that process. So yes, click Enter, and you’ll see here that it is dumping that exe file to the file trickster exe PID edtrickster exe, which is this big, long file name right here, and as you can see, that file is now on the desktop, which is that piece of malware unpacked and straight from memory. So the next step is to open this up in IDA again. So we’re going to go ahead and go to our Windows icon, type in IDA, and IDA should show up. We’ll open that up, tell it we don’t need the information displayed, agree to the terms and conditions, and tell it “new,” and we’ll go ahead and hit cancel.
Then we need to go ahead and get the file from the desktop—that trickster Exe file, that new one that we just dumped—and drop it into IDA. Go ahead and hit OK and OK.And now we have that file we just captured from memory that we dumped from that process. and we can start looking at it to see if there’s anything of interest to us. This should be a little bit more fruitful than the first time we looked at it in IDA. So let’s go ahead and look at our imports one more time. Now, we have a couple of new ones here that we didn’t have last time, namely the sleep and the tick count. Now, what do these do? Tick count, on the other hand, counts the processes. It’s basically a clock. And then there’s the sleep function. Now, what is that doing? Well, let’s go ahead and double-click on sleep. We can see that this sleep will last for a few milliseconds. And if I go ahead and look at this, I can see here that it says “push 1388 H,” which is the amount of milliseconds that it’s going to wait as it’s sleeping.
Now, what does that equate to? Well, that equates to 5 seconds. Now, why might it be waiting 5 seconds? Well, if we start walking through this program, you’re going to see that the reason it is sleeping for 5 seconds and using that tick count to figure out what time it is is so that it has time to launch the program. And then create the file and folder, copy them in UExe to the hard drive, and then run U Exe.That’s what these calls are there for. So it starts; it waits; it creates the folder; it waits; it runs the program; it waits. That’s the idea here. So those are two new functions. Now, why does it do that? The reason why is because it is doing this to detect if things are ready for the next step. So you can see if you can read assembly code while going through all of the things that this specific piece of malware does. Now, again, we’re not going to go through and dig into every single line of this code. It’s just too much and too in-depth for this course. This is not a class in assembly language or malware reverse engineering. But I just wanted to give you an idea of the type of information that you can find by processing this dump and loading it up into IDA and doing a very cursory search.
So again, this class is not designed to have you dig through this static analysis and learn every single piece about this programme and how to reverse engineer it. Instead, I just wanted to give you a couple of quick tidbits so that you can kind of whet your appetite if you want to go down this malware reverse engineering route and really start digging into assembly code and how these things work. This is just to give you a little exposure to it, not to make you an expert. Wow. I know. That was a long video, and that was a lot of information that was in-depth. Now, the good news is that, for the exam, you do not need to know how to do everything I just walked through in this video. Instead, I was doing it just to give you an introduction so you could see how this stuff works and start putting some of these pieces together early in the course. Now, as we go through the rest of this course, we’re going to dive deeper into a lot of these different concepts as we talk about indicators of compromise on the network, as we talk about indicators of compromise from the file system, as we talk about persistence, like we saw with the scheduled tasks and things like that. So this just gives you a good overview, and then we’re going to dig deeper into each of those areas, and you’ll really be answering multiple-choice questions on the exam about these concepts as opposed to having to actually do the physical work of analysing every single piece of this malware like I was doing.
8. EDR Configuration (OBJ 3.2)
Endpoint detection and response configuration Now, like any other automated intrusion detection, endpoint detection response requires tuning to reduce false positives because these rules can actually start generating a lot of false positives for us, and if they do, that starts to stretch the direction of our analysts and bury the relevant information so they can identify what’s real.
So one of the ways we can do this is by taking something that we think is malware and sharing it with other people in the community. By working together with different community and industry portals, we can share that information and that threat intelligence, and we can all learn from each other. This will help us develop better signatures and, therefore, reduce our false positives. One such tool is called Virus total. Now Virus Total is going to inspect your items with over 70 different antivirus scanners and URL and domain blacklisting services, in addition to a myriad of other tools they have to extract signals from the study content. This allows Virus Total to get more information about more malware, and they share that with all the different antivirus companies so we can develop better signatures and get them out to you faster. Now, one note about Virus Total: before you upload a file there, you need to make sure your organisation is okay with it.
The reason I say this is because if you have been infected with malware and you take that and submit it to virus totals to let the rest of the community know, the attackers also monitor virus totals, so they would know that their malware is now known and they might then change their techniques again. So this is something you have to think about. It’s more a case of risk versus reward. But in general, Virus Total is a great thing to use, and it is free to be a part of their community and be able to submit things and get results back. And this will help you figure out if you have a piece of malware on your hands or if it’s just a file that looks a little suspicious. Another thing you can do with your malware samples is actually submit them to your antivirus company or your cyber threat intelligence vendor. If you have a subscription with a cyberthreat intelligence vendor like FireEye, Semantic, Microsoft, or somebody like that, they would actually like you to send them your samples so they can use them to build better rules and protect you and their other customers better.
Now your organisation may also need to create its own custom malware signatures or detection rules. Now, this is only done in very certain circumstances, and depending on the type of organisation you work for, most organisations don’t have to get too in-depth with making custom signatures. But depending on your use case, you may be asked to do this. If you are, you need to be able to make your signatures work with other programs, though. And to do this, you can make sure that you’re using a certain scheme. One of the most common ones out there is Malware Attribute Enumeration and Characterization. Scheme, or Mike as it is spelled, Now, Mike is a standardised language for sharing structured information about malware, and it is complementary to sticks and taxi to improve the automated sharing of threat intelligence between people. So, if your organisation wants to share something with someone else, putting it in this format will be a great idea because both of you will be able to communicate in the same format because it is using sticks and taxi.
Now, another thing we can use is what’s called Yara. Now Yara is a multiplatform programme that runs on Windows, Linux, and macOS and allows you to identify, classify, and describe malware samples. Yara now creates what are known as Yara rules. And the Yara rule is a test for matching certain string combinations within a given data source. And that data source can be a binary file, an analogue file, a packet capture, or even an email. Now, what you do is create this rule that looks something like this. Here is a Yar rule set that was created by somebody back in 2015. and you can see the format here. The rule is called backdoor, and then it has some metadata, a description of what it is. In this case, an autogenerated rule called Filebackdoor.exe It tells you who the author was. In this case, it was an automatically generated rule by the software. The reference was not set. That reference could be something like a mitre attack number, and then we have the data that was created and the hash value for this rule that gives it the integrity to know nothing has been changed. And then you see all the different strings; these are different strings that it’s looking for based on these strings. These are the things that it found, and it’s going to use those to detect other copies of this malware as it goes across the network and as it goes through that data set.
This is how you generate a rule. Now, again, for the exam, you don’t have to write your own Yarrow rules. I’m just showing this to you because this is something you will use in the real world when you do your threat hunting. I have a lot of friends who work in the world of instant response and threat hunting, and they use Yarn all the time to create their own rules and start scanning their networks and their data sets for these. files to see if anything matches it as it’s going across their sensors, particularly using PCAP data and packet capture to be able to identify everything going over the network and make sure none of that particular malware they’re looking for matches one of their rules. I have a lot of friends who still work in the incident response and threat hunting world, and they use Yara a lot. They’re able to find the needle in the haystack of what they’re looking for by creating these rules. Most often, they’ll set these up against packet capture because they’ll have a network sniffer setup like Security Onion. They’ll be grabbing all that data off the network and running it through Yara to see if they’re going to get any hits on what they’re looking for. particularly a piece of malware to verify an infection has occurred.
9. Blacklisting and Whitelisting (OBJ 3.2)
Blacklisting and whitelisting. In this lesson, we’re going to talk about two important concepts: blacklisting and whitelisting. First, blacklisting. Blacklisting is the process of blocking known applications, services, traffic, or other transmissions to and from your systems. But the idea with blacklisting is that this is a security configuration where access is permitted unless the entry appears on a blacklist. Let me give you an analogy. Let’s say you and I decide to go to a nightclub tonight. We show up at the front door. The bouncer looks at his list. He doesn’t see our name on the list, which means we’ve never caused trouble before, and he lets us in the building.
That’s the idea behind a blacklist. Since our name wasn’t on the list, we’re allowed in. If our name was on the list, he wouldn’t have let us in. Now, that’s the whole idea behind a blacklist. You know what’s bad, and you’re looking for those bad things to block them. Now, blacklists are useful in incident response because of their ability to block the source of malware if you know something’s bad and you know what you’re looking for. For instance, we know that it goes to this particular IP address as part of its c2 network. We can put in all those IP addresses and block them. On the screen, you can see I have a total of 3903 IP addresses in my list. These are all the things I know are bad and don’t want to be able to go toward them. Now that’s great, except for the fact that there are millions and millions of other IPS that aren’t on my list and could potentially be bad.
As a result, blacklisting may cause you to overlook something. So what are some limitations that we have when we use blacklists? First, we have the risk of false positives that could block legitimate traffic. Let’s say we had a false positive that showed up and said, “This IP address is bad,” and so we went ahead and blocked it. Well, that IP address may not have been bad, and if it wasn’t, we put it on our block list. Now we have denied legitimate users access to it. This actually happened to my company when we first launched our website. When we first launched our website, we were issued an IP address from our service provider. Well, that IP address apparently used to be used by a spammer, and so it was put on a lot of block lists. And so when people tried to get to our site, they were getting blocked by their providers, who said, “Don’t go to the site; it’s bad.” And so we had to go and get a new iPad address so we could get off of that block list, even though we weren’t the ones who had the problem. And so our legitimate traffic was being blocked because of that false positive.
Now, the second thing you have is that you don’t always know everything that should be blocked. Now this is a big problem because, when you’re dealing with blacklisting, you have to know what you want to block. And if you don’t know what you want to block because the bad guy keeps moving to different IP addresses, then your blacklist isn’t going to do you any good. And so this is one of the big issues you have with blacklisting. So on the other side of the coin, we have this thing called whitelisting. Now, whitelisting is the process of allowing only known applications, services, traffic, and other transmissions to and from your systems. Essentially, you get a list. And this security configuration list is where access is always going to be denied to everybody unless they’re on the white list. So let’s go back to our nightclub example. We go up to the front of the door, we go to the bouncer, and we say, “Hi, my name is Jason.” He looks at his list, he sees my name, and he lets me in because I’m on the white list.
You go up next to him, and you say, “Oh, my name is Susan.” And they look, and they say, “No, Susan is on the list; go away.” That’s how this whitelisting works. If your name is not on the list, you’re not getting in. We got a blacklisting. If your name was on the list, we pushed you away. That’s the concept here. Now whitelisting can be really effective as a fallback posture, especially when you’re doing an instant response. Let’s say you’re going through this and your network has come under attack. You want to get back online as quickly as possible and cut off all bad communication. What can you do? Well, you can move to a whitelist. You might have a preset whitelist that says, “Hey, here are the ten websites that I trust.” I trust Gmail, I trust Facebook, and I trust DEON training, whatever it is. And anything that’s not on that list, you’re going to block.
That could be a useful whitelist. And you can have that fallback posture. So you might have your banking on there, your email on there, and some basic functions like that, but you can cut off a lot of things you don’t need. That’s the idea of using this as a fallback posture. Now, a word of caution about whitelists: they are extremely restrictive and can prevent users and systems from transmitting data to new or different recipients. So let’s say you had me on the whitelist as deiontraining.com, but now I changed my site to become www.deontaining.com. Well, if I do that and you don’t have www.deontraining.com listed, I’m not on the white list. You’re not going to be able to get to me anymore because of that minor change. So you need to make sure you’re constantly fine-tuning these whitelists to avoid interference with business operations.
Now, in a lot of the organizations I’ve worked with In the past, we have kept a whitelist as a backup, but in general, we use the blacklist method. Now, if we get attacked or we need to go to a more restrictive method, we can switch over to whitelisting at any time because we have this list ready to go. But again, whitelists are very hard because there are always new challenges. For instance, you just started working with a new supplier, and they need you to go to another site to pay your bill. Well, if it’s not on the white list, you’re not going to get to that site, and that becomes an issue. Now, this isn’t to say that whitelists are all bad or all good. There’s a place for them, and one of the best places I’ve found to use them is actually inside of application whitelisting. Now, this brings us to the concept of execution control. Now, execution control is the process of determining what additional software may be installed on a client or server beyond its baseline.
So let’s say I gave you a workstation in your office, and it has some basic programmes on it. I’ve got Microsoft Office on there, maybe Adobe Acrobat, but you don’t have anything else, and you’re like, “Hey, I want to install Google Earth.” You try to download it and install it, but it won’t install. Why? Well, that might be because of my execution control and the way I’ve set this up. Now, execution control in Windows is handled by a couple of different things. Well, the first thing we have are software restriction policies, or SRP. Now, this is available for most versions of Windows, and it can be configured as a group policy object. This creates a whitelist file for different system locations where executables and scripts can launch from. For instance, you might say you cannot run any executables out of the temp directory, but you can run them out of the system directory and the programme files directory. This allows you to do that. Another way you can do this is by setting up rules configured by hash files on those programs. So if I install Microsoft Word, I take a hash of that, add it to my approved list, and that will then allow me to start running things.
Alternatively, if you wanted to, you could use software restriction policies to block things based on a blacklist instead of a whitelist. Personally, I prefer to whitelist applications; that way, I can control exactly what’s on my baseline. The second thing you can use is an app blocker. Now, the app blocker improves the configuration options and defaults of the SRP. Basically, app blocker policies can be applied to user or group accounts instead of just a computer. As a result, you have a little more granularity. You can only use this, though, inside the Enterprise and Ultimate editions of Windows. And the third thing we have is what’s known as Windows Defender Application Control, or WDAC.
This allows you to create a code integrity policy, which can be used on its own or in conjunction with Appblocker. Now these policies can allow the computer and the users to be affected, and they can be based on version awareness and digital signatures for a particular application using their image hash or file path. So they’re really good, and they allow you to prevent administrator accounts from disabling execution options and force them into having these controls as well. Now that’s great, but what about Linux? Well, we have execution control in Linux, and we have two methods: we have mandatory access control, or Mac, and we have Linux Security Modules, or LSM.
Now in Linux, we have Se Linux and App Armory, two of the most well-known Linux security modules, and they are used pretty heavily in the marketplace. The final point to make when discussing whitelisting and blacklisting is how to manage all of the configuration changes. You do that through configuration management. This will allow you to have a process in place for how you’re going to update your blacklist and your whitelist. This must be done in response to user requests, business operations, and immediate responses. Now that you’re doing all of these things, different changes will have to occur. Now, if you’re going to have a large change, you need to make sure it’s preceded by a risk assessment and a business impact analysis. Now we’re going to talk more about riskassessment, change control and business impact analysis lateron in this course as we move intothose sections and those domains.
