Malware Discovery Detection tools
Sigcheck
yara
maldump
capa
Sigcheck
Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains.
It is mainly used for anomaly detection.
yara
YARA is an open-source tool that helps identify and classify malicious software, or malware:
What it does
YARA uses pattern matching to scan files and data streams for patterns and strings associated with malware. It can also create custom signatures to identify specific types of malware.
- signature-based detection
- can run on Linux, Mac, and Windows
- YARA rules can be compiled through the yarac64.exe tool
maldump
Maldump is a tool that can extract quarantined files from multiple antivirus programs from a live system or mounted disk image.
A memory dump is a collection of a system's RAM (random access memory) at a specific point in time. Memory dumps are often created when a program crashes or the system fails, but can also be created manually for memory forensics.
- this tool tests an image for the existence of quarantined files from multiple vendors like Avast, Forti, Malwarebytes, MS Defender
- this tool can provide metadata like time of quarantine, file size, file hash, and an extracted copy of the file
- maldump provides two sets of info: metadata and file dumps
capa
capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, shellcode file, or a sandbox report and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
- made by the FireEye FLARE team; it is open source and crowd-contributed, and it contains hundreds of patterns to look for. This is a hivemind tool
- capa is meant to be aimed at a file of interest, and it can parse shellcode
Data Hiding Techniques
- deleting indicators of entry to a system after compromise (log files, file modifications/access, dates, system processes)
- obfuscating running malware by changing its name or exe profile
- storing data on disk in a "packed" format; this is usually encrypted or encapsulated
- custom data encryption/routines
sigcheck notes
- the purpose of sigcheck is checking the code signing characteristics of executable files in a directory.
- the vast majority of malware in the wild is not signed
- sometimes malware is signed by fraudulent companies
- signing code can help it blend in, but once it is found, anything else signed by that certificate is highly visible
- sigcheck has the capability to dump certificate stores to identify any root certificates not explicitly trusted by Microsoft
Entropy
"Entropy" refers to a measure of randomness or unpredictability within a system. In cryptography it is typically used to generate secure random numbers by collecting random events from hardware sources like keyboard presses, mouse movements, or disk activity. Essentially, it is the degree of uncertainty in data: higher entropy means greater randomness and better security.
- this can help identify files containing large amounts of compressed or encrypted data
- normal exe values tend to vary between 4.5 and 6. Cobalt Strike shellcode is valued around 7.2 to 7.4
Timeline Benefits
examine system activity around the time of the incident
detect C2 channels
hard to defeat with anti-forensics due to so many time entries
adversaries leave footprints everywhere
- data is sourced from the operating system files and not the network level
- nearly impossible for an attacker to delete all footprints due to the thousands they generate
Windows Forensic Trinity
1. File system metadata
2. Windows artifacts
3. registry keys
- these are the key parts of being able to analyze a super timeline effectively
conversational forensics
conversational forensics means you are familiar with most terms, although you may not have all of them memorized
Detecting Compromised Endpoints without active malware: program execution
prefetch
shimcache
amcache
userassist
srum
Detecting Compromised Endpoints without active malware: file opening
shortcut files
jumplists
shellbags
prefetch
opensaveMRU
Detecting Compromised Endpoints without active malware: file knowledge
wordwheelquery
last visited MRU
shortcut files
recycle bin
typed paths
Detecting Compromised Endpoints without active malware: event logs
user logons
RDP usage
runas events
process tracking
PowerShell logs
Detecting Compromised Endpoints without active malware: browser usage
history
cookies
cache
session restore
typed urls
opensaveMRU
OpenSaveMRU is a Windows registry key that tracks files a user has opened or saved using the "Open" or "Save As" dialog box. MRU stands for "Most Recently Used".
OpenSaveMRU is important for digital forensics because it can reveal information about downloaded files and the user's most recent activity. The key contains the full path of the file and auto-complete terms for the dialog box. The key's location depends on the version of Windows.
shellbags
Shellbags are a set of registry keys in Windows that store information about a user's folder preferences and activities.
What they contain
Shellbags store details about folders, such as their size, position, thumbnail, and timestamps. They also contain information about a user's view preferences, such as the icon size, view mode, and window size.
wordwheelquery
WordWheelQuery is a registry key in Windows that stores recently searched terms.
Location
The WordWheelQuery key is located in the Windows registry at NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
last visited MRU
"Last Visited MRU" refers to a Windows registry key that tracks the applications used to open or save files. It records the last directory accessed by a specific application when using the "Open" or "Save As" dialog box, which provides crucial information for digital forensic investigations by revealing recently accessed files and their associated applications. MRU stands for "Most Recently Used".
Pivot Point start to end list
1. timeline of incident (SIEM, AV alert)
2. network activity (malicious URLs accessed, DNS requests)
3. process activity (related running processes, DLL injections)
4. name of a file (file name, file type like exe, rar, py)
5. user account (user account with suspicious activity)
6. activity (lateral movement, file copy, anti-forensics tools)
Sleuth Kit FLS or MFTECmd
- file system metadata ONLY (like name, path, timestamps and size)
- allows file types from Solaris (UFS), Apple (HFS), Linux (EXT), Windows (FAT/NTFS)
- wider OS support
- very efficient at extracting data from the $MFT (master file table)
PLASO (supertimeline: log2timeline)
- obtains everything (a much wider data gathering set: metadata, artifacts, logs, browser activity, etc.)
- filesystem metadata
- artifact timestamps
- registry timestamps
- only for Windows, Linux and Mac
- an all-inclusive parse takes 12-24 hours
- a targeted collection takes 5-30 mins
Timeline Analysis process
1. determine timeline scope
2. narrow pivot points (time or artifact based)
3. determine the best process for timeline creation (filesystem timeline with FLS/MFTECmd or supertimeline with log2timeline)
4. filter timeline
5. analyze timeline (focus on evidence)
FileSystem Timeline
The FileSystem Timeline collects data from all the files and directories in a volume. This will include both allocated and unallocated metadata.
- the most common timestamps record data modification (M), data access (A), metadata change time (C), and file creation (B for birth)
- this combo can tell us when a file was created and copied to a location or deleted
NTFS file system times
M - last modification time
A - last access time
C - last MFT record change
B - file creation time (birth)
MACB Notes
- some timestamps can take up to 1 hour to update the last access time
- NTFS stores times in UTC, and they are not affected by daylight saving time
- FAT stores time values based on the local time of the computer
- file timestamps on NTFS are in hundreds of nanoseconds
- when using the CLI to move a file, it will have a modified time predating the creation time, which should not be possible
- timestamps update differently for files moved using copy/cut/paste and may not have a change in times
Time rule change Exceptions
applications (office products, winzip)
antiforensics (timestomp, touch, privacy cleaners)
archives (zip, rar, tgz retain the original timestamps, usually affecting MODIFIED TIME ONLY)
scanning (depends on how well the antivirus is written)
Lateral Movement timestamps
1. bad file is transferred through net use or via scheduled task or PsExec.
2. the file modified time will be inherited from the original, but the created time will be when the file was copied over, which is usually after the modified time
SleuthKit (TSK) FLS notes
- fls is designed to extract filename and metadata information for files
- collects 3 types of data: allocated, deleted, and orphan files
- the difference between fls and MFTECmd is that fls is designed to extract metadata from an image filesystem volume, while MFTECmd just uses the $MFT file for the C drive
- MFTECmd only supports NTFS
MACtime tool (TSK Sleuth kit tool)
mactime tool takes a bodyfile as input and parses the file to present it into a format that can be easily analyzed by an investigator.
mactime will attempt to convert your timestamps to the local time zone of your forensic workstation by default
PLASO: log2timeline
plaso is a Python-backed engine used for creation of super timelines. The terms plaso and log2timeline are used interchangeably.
log2timeline can be used to extract events from a group of files, a mount point, or a forensic image and save the results in a plaso storage file for future processing (typically psort)
log2timeline was built to scan and extract logs and time-related artifacts from Windows operating systems. This info can be registry, browser history, shell items, prefetch, etc.
PLASO: log2timeline - pinfo
The plaso storage file contains a variety of info about how the collection took place. This info can include things like the tools used in the preprocessing stages (like log2timeline).
pinfo is designed to simply PRINT OUT this info from the storage database file
PLASO: log2timeline - psort
psort is the PROCESSING tool that is used to filter, sort, and process the plaso file that was made by log2timeline. This is the tool used for all POST PROCESSING, sorting, and tagging.
PLASO: Winreg Parser (windows registry)
plaso excels at pulling info from Windows registry hive files like NTUSER.DAT: shellbags, RecentDocs, Open/Save MRU, etc. Others include BAM, USB, TypedURLs, WinRAR, Amcache, AppCompatCache, MountPoints2, networks, Task Scheduler
PLASO: Webhistory parser
plaso has many web history parsers: IE6-9 index.dat, IE10/11 ESEDB files, SQLite, Chrome, Firefox, Safari, Java IDX
Log2timeline usage
log2timeline requires a specified storage file and a specified source of data to parse. The storage file holds the normalized parsed data resulting from the log2timeline analysis of artifacts.
- the source of data to parse can be a directory of files, a mount point, or an image file containing artifact files.
- when running against a collection of files, the time zone should be included, as it is best practice to not take any chances.
Log2timeline parser preset list
win_gen
winxp
win7
webhist
linux
macosx
- each one of these options has a set list of data sets and locations it goes to parse information from
Log2timeline Filter Files
- filter files allow log2timeline to skip the majority of irrelevant files and folders present in a file system. This speeds up processing.
Log2timeline Filter Files - TEXT BASED
text-based formats contain a single line for each file path, separated by forward slashes:
/(Users|Documents and Settings)/.+/ntuser.dat
.+ is usually the sign for "anything"
{ } is a path expansion variable
expressions in the file are case-sensitive
if a file or path is NOT defined in the filter file, then it will be ignored by log2timeline
Log2timeline YAML filters
YAML-based filters support exclusion rules. These rules can be created to define not only what to include, but also what not to include
- these filters have been able to reduce processing time on a full disk image by 90%
(full disk images are the golden standard because it gives the greatest number of analysis options and datasets)
log2timeline: triage image timelining
- another way to speed up timelining is to point log2timeline at a collection of triage files
- a combination of KAPE (triage collection tool) and log2timeline to timeline these events is very powerful
Plaso Log2timeline filtering super timeline
- pinfo.py displays the contents of the plaso database
The following is information stored in the out.plaso (plaso.dmp) storage container:
- information on when and how the tool was run
- list of all plugins/parsers used
- filter file information
- information gathered during the preprocessing stage
- a count of each artifact parsed
- errors and storage metadata
The command to dump this info is: pinfo.py out.plaso
Plaso Log2timeline filtering - psort.py
psort is a command-line tool to post-process the plaso storage database. It provides filtering, sorting, and deduplication of the contents in the plaso database.
The log2timeline output is a SQLite database containing serialized events, metadata, tags, and reports. psort allows post-process filtering, and it also removes duplicate entries from the output.
psort is essentially a tool that creates a timeline from a set of extracted data.
- psort uses UTC as the default time zone, but one can be specified
- psort also has a time slice function that can extract all events in a window of 5 min before and 5 min after a specified time.
Timeline Explorer notes
Timeline Explorer is tailor-made to process timelines.
- it can open nearly any CSV, and the data is read-only
- tagging allows for selecting a subset of data
- double-clicking an item in a plaso timeline brings up the details window
- the search menu lets you search using a filter or just a plain search
- layouts contain settings for file types, which can change what columns and conditional formatting settings are present
ELK
ELK is an acronym for Elasticsearch, Logstash, and Kibana. This is a tool used to load multiple timeline files into a database, like Splunk. plaso ships with an output format for ELK called "elastic"
Timesketch
A timeline tool that allows multiple investigators to collaborate across many timelines in real time, all while tagging, annotating and enriching data.