2. Incident Triage
How well an incident is triaged largely decides the success of the response. Current attacker tools and
techniques are increasingly stealthy and operate in multiple stages, which leaves traditional AV
largely blind to them.
How effectively you identify the key indicators and locate the supporting artifacts decides how
well the triage goes.
Some key questions triage should answer:
Which binaries or scripts on the host are the malware?
What was the mode of infection?
How did the attacker move laterally?
Which privilege escalation and persistence mechanisms were used?
What was the attacker trying to accomplish?
4. General Hunting Scenarios
- Hunting with intelligence
◦ Consume threat intelligence
◦ YARA scans for known malware, web shells and other indicators.
◦ Search on the intel you hold: IOCs (OpenIOC, STIX), hashes, TTPs, file names, etc.
◦ Network- and host-based indicators.
- Hunting with zero intelligence
◦ Collect the same specific data set from all your hosts.
◦ Look for anomalies and outliers (what is rare across the fleet is worth a look).
◦ Network and host forensics.
5. Windows Task Scheduler
Schedules commands and programs to run periodically or at a specific time.
Tasks can be created with ‘schtasks.exe’, the Task Scheduler UI or ‘at.exe’.
A persistence mechanism that can also serve privilege escalation (tasks commonly run as SYSTEM) and lateral movement (schtasks /S <host> and at \\<host> create tasks on a remote machine).
◦ Location:
◦ C:\Windows\Tasks (XP - Windows Job format, *.job)
◦ C:\Windows\System32\Tasks (Win7+ - XML)
◦ C:\Windows\SysWOW64\Tasks (Win7+ - XML)
◦ C:\> schtasks /query /fo LIST /v
◦ Files for triage -
◦ C:\Windows\Tasks\SchedLgU.txt
◦ C:\Windows\Tasks\At*.job
◦ C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler*
Example: the legitimate Windows binary rundll32.exe scheduled as a job to load a malicious DLL and call its export function “Afght”.
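The rundll32 case above is the kind of thing a task-file triage should surface automatically. The following is an added example (not code from the original deck) that parses a Task Scheduler 2.0 XML file the way you would over files copied out of C:\Windows\System32\Tasks, and reports why the task deserves attention: execution proxied through rundll32/regsvr32/mshta and friends, a rundll32 DLL that lives outside System32, a command outside the trusted directories, and a SYSTEM principal. The task XML, the DLL path C:\ProgramData\update\core.dll and the proxy-binary list are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler 2.0 XML file under C:\Windows\System32\Tasks
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Signed Windows binaries attackers schedule to proxy execution of their own payload
# (assumed watch-list for this example)
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "powershell.exe", "cmd.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")

# Constructed sample task modelled on the rundll32/"Afght" case; the DLL path is made up.
# Real task files start with an encoding="UTF-16" declaration: read them as bytes
# (ET.parse(path)) and the parser honours it.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\ProgramData\update\core.dll,Afght</Arguments>
    </Exec>
  </Actions>
</Task>"""


def _normalise(path):
    """Lower-case, expand %SystemRoot%/%windir% and drop surrounding quotes."""
    p = path.strip().strip('"').lower()
    return p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def triage_task(xml_text):
    """Summarise one task file and list the reasons it deserves a closer look."""
    root = ET.fromstring(xml_text)
    user = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    actions, findings = [], []
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        cmd = _normalise(exec_node.findtext("t:Command", default="", namespaces=NS))
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
        exe = cmd.rsplit("\\", 1)[-1]
        if exe in PROXY_BINARIES:
            findings.append(f"execution proxied through {exe}")
        elif cmd and not cmd.startswith(TRUSTED_DIRS):
            findings.append(f"command outside trusted directories: {cmd}")
        if exe == "rundll32.exe" and "," in args:
            # rundll32 syntax is <dll>,<export> [args]; the DLL and export are what matter
            dll, rest = args.split(",", 1)
            dll = _normalise(dll)
            export = rest.split()[0] if rest.split() else ""
            if not dll.startswith(TRUSTED_DIRS):
                findings.append(f"rundll32 loads DLL outside System32: {dll} (export {export})")
    if user == "S-1-5-18":
        findings.append(f"runs as SYSTEM (RunLevel {level or 'default'})")
    return {"user": user, "run_level": level, "actions": actions, "findings": findings}
```

Run it over every file under the Tasks directories of an image and sort by number of findings; the XP-era *.job binary format is not XML and needs a separate parser.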
6. ShimCache
Parser -
https://github.com/mandiant/ShimCacheParser/blob/master/ShimCacheParser.py
o Windows Application Compatibility Database - used by the operating system to identify
application compatibility issues for executables it has seen.
o Good source when investigating lateral movement: it records binaries that were present on (and usually executed from) a host, including ones since deleted. The cache is flushed to the registry only at shutdown or reboot, so a live hive lags behind what is in memory.
Records -
File full path, file size, $STANDARD_INFORMATION ($SI) last modified time, ShimCache last updated time,
process execution flag (not every field exists on every Windows version).
Location:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache (Vista and later)
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache (XP)
7. Cont..
Indicators to start with >
Keep an eye on -
◦ Directories like System32, %TEMP%, %WINDIR%, the Recycle Bin, %APPDATA%
◦ Web root directories - Inetpub, wwwroot, etc.
◦ Reserved file names and their locations.
◦ Binaries smaller than 1000 bytes.
◦ Single-, double- and triple-character file names.
◦ Files with suspicious extensions (rar, tmp, tar, dat, etc.).
◦ Hidden files, batch files, scripts, *.job, At*.job, etc.
◦ Search based on a specific date and time window (the suspected time of compromise).
◦ Search based on look-alike file names (svch0st.exe, scvhost.exe, expl0ree.exe, etc.)
Etc..
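Most of the indicators above can be applied mechanically to a file listing exported from an image or collected from a fleet. The block below is an added example (not from the original deck) that encodes them as checks: look-alike names are caught by swapping the usual digit-for-letter substitutions back (0/o, 1/l, 3/e, 5/s), by edit distance 1 and by transposition (scvhost), known system binary names are flagged outside their home directory, and the short-name, tiny-binary, suspicious-extension, *.job and hidden-attribute rules follow the slide. The inventory rows, the watched directories and the system binary list are constructed assumptions; feed it a real listing as (path, size, hidden) tuples.

```python
import ntpath

# Legitimate names that malware imitates, and the only directories they belong in (lower-case)
KNOWN_BINARIES = ("svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                  "services.exe", "smss.exe", "spoolsv.exe", "rundll32.exe")
TRUSTED_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
# Digits attackers swap in for letters: 0->o 1->l 3->e 4->a 5->s 7->t
HOMOGLYPHS = str.maketrans("013457", "oleast")
SUSPICIOUS_EXT = {".rar", ".tmp", ".tar", ".dat", ".bat", ".cmd", ".vbs", ".ps1", ".js"}


def _edit_distance(a, b):
    """Plain Levenshtein distance; inputs are file names, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the legitimate binary a name imitates (svch0st, scvhost, expl0ree), else None."""
    name = name.lower()
    if name in KNOWN_BINARIES:
        return None
    normalised = name.translate(HOMOGLYPHS)
    for known in KNOWN_BINARIES:
        if (normalised == known or _edit_distance(normalised, known) <= 1
                or sorted(normalised) == sorted(known)):
            return known
    return None


def _in_watched_dir(path):
    return (path.startswith(("c:\\windows\\", "c:\\programdata\\", "c:\\inetpub\\", "c:\\$recycle.bin\\"))
            or "\\temp\\" in path or "\\appdata\\" in path or "\\wwwroot\\" in path)


def triage_file(path, size=None, hidden=False):
    """Return the reasons a file deserves a look; an empty list means nothing odd."""
    p = path.lower()
    name = ntpath.basename(p)
    stem, ext = ntpath.splitext(name)
    reasons = []
    imitated = lookalike_of(name)
    if imitated:
        reasons.append(f"name imitates {imitated}")
    if name in KNOWN_BINARIES and ntpath.dirname(p) not in TRUSTED_DIRS:
        reasons.append("system binary name outside its expected directory")
    if len(stem) <= 3:
        reasons.append("one-to-three character file name")
    if ext in (".exe", ".dll", ".sys") and size is not None and size < 1000:
        reasons.append(f"binary smaller than 1000 bytes ({size} B)")
    if ext in SUSPICIOUS_EXT and _in_watched_dir(p):
        reasons.append(f"{ext} file in a watched directory")
    if ext == ".job":
        reasons.append("at.exe job file" if name.startswith("at") else "scheduled task job file")
    if hidden:
        reasons.append("hidden attribute set")
    return reasons


def hunt(inventory):
    """inventory: iterable of (path, size, hidden). Returns {path: reasons} for flagged files."""
    hits = {}
    for path, size, hidden in inventory:
        reasons = triage_file(path, size, hidden)
        if reasons:
            hits[path] = reasons
    return hits


# Constructed file listing, shaped like a disk or inventory export (not from a real host)
SAMPLE_INVENTORY = [
    ("C:\\Windows\\System32\\svchost.exe", 27136, False),
    ("C:\\Windows\\Temp\\svch0st.exe", 512, True),
    ("C:\\Users\\Public\\scvhost.exe", 48000, False),
    ("C:\\ProgramData\\a.exe", 40960, False),
    ("C:\\Windows\\Tasks\\At1.job", 400, False),
    ("C:\\Windows\\Temp\\explorer.exe", 4200000, False),
    ("C:\\Users\\bob\\AppData\\Roaming\\update.dat", 2048, False),
    ("C:\\Program Files\\7-Zip\\7zFM.exe", 470000, False),
]
```

These are starting points, not verdicts: a short-named installer in Program Files is noise, while the same name in %TEMP% with the hidden bit set is not. Rank by the number of reasons and by how many hosts share the same path.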
8. AmCache & RecentFileCache
AmCache
Helpful in identifying recently executed applications (Windows 8 and later; Windows 7 with later updates). Records the full path, SHA-1 of the file, file size and PE link time among other fields.
• C:\Windows\AppCompat\Programs\Amcache.hve
RecentFileCache (Windows 7)
Useful in identifying evidence of suspicious process creation: it lists recently run executables that were new to the system.
C:\Windows\AppCompat\Programs\RecentFileCache.bcf
9. Rogue Services
• A service is a program that Windows NT/XP/2000/2003 starts automatically at boot or
on demand, generally used for programs that run in the background.
• A service can be loaded at start-up either -
◦ Directly by Windows - the file that implements the service is named in the ImagePath value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<servicename>
◦ Through svchost.exe - the service is a DLL named in Parameters\ServiceDll under the same key, and its host group is listed under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
10. Demo..
• A simple .bat script to install a backdoor as a service using svshost.exe.
Tools -
Sysinternals Suite (PsService.exe, Autoruns, etc.)
http://www.bleepingcomputer.com/download/getservices/
11. Common Indicators to detect Rogue Services >
Look for suspicious service registry entries (e.g. a “registry access denied” message
from HIPS on the ImagePath or ServiceDll value).
ErrorControl = 0 (start failures are ignored, so the user never sees a service-failed error at boot).
Services running from ProgramData, Temp or user profile directories.
Auto-start service whose ServiceDll is unsigned.
Auto-start (Start = 2) services with suspicious or look-alike names.
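Those indicators map directly onto the values under each Services\<name> key, so they can be checked offline against a registry export. The block below is an added example (not the deck's demo script) that scores a set of service definitions: ErrorControl = 0, ImagePath or ServiceDll under a user-writable directory, an svchost-hosted service (Type 0x20) with no ServiceDll, and an auto-start (Start = 2) service whose code is unsigned. The service records and the signature results are constructed; the signing information is assumed to come from an Authenticode check such as Sysinternals sigcheck, it is not computed here.

```python
# Values that matter when triaging HKLM\SYSTEM\CurrentControlSet\Services\<name>
START_AUTO = 2              # Start: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
TYPE_SHARE_PROCESS = 0x20   # svchost-hosted service; its code lives in Parameters\ServiceDll
# Locations a low-privileged user (or a dropper) can write to; assumed list for the example
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\", "c:\\temp\\")


def _expand(path):
    """Resolve %SystemRoot%, strip quotes and arguments so paths can be compared."""
    p = path.replace("%SystemRoot%", "C:\\Windows").replace("%windir%", "C:\\Windows").strip()
    p = p.strip('"')
    if p.lower().startswith("c:\\"):
        # cut arguments such as "-k netsvcs" or "/service"
        p = p.split(" -", 1)[0].split(" /", 1)[0]
    return p.strip('"').lower()


def triage_service(values, signed):
    """values: registry values of one service (ImagePath, Start, Type, ErrorControl,
    ServiceDll). signed: {lower-case path: bool} from an external Authenticode check."""
    findings = []
    image = _expand(values.get("ImagePath", ""))
    dll = _expand(values["ServiceDll"]) if values.get("ServiceDll") else ""
    auto = values.get("Start") == START_AUTO
    if values.get("ErrorControl", 1) == 0:
        findings.append("ErrorControl=0: start failures are silently ignored")
    for label, path in (("ImagePath", image), ("ServiceDll", dll)):
        if path and path.startswith(USER_WRITABLE):
            findings.append(f"{label} in user-writable location: {path}")
    if values.get("Type") == TYPE_SHARE_PROCESS and not dll:
        findings.append("svchost-hosted service without a ServiceDll")
    code = dll or image          # the file that actually runs as the service
    if auto and code and signed.get(code) is False:
        findings.append(f"auto-start service running unsigned code: {code}")
    return findings


def triage_services(services, signed):
    """services: {name: values}. Returns only the services that have findings."""
    hits = {}
    for name, values in services.items():
        findings = triage_service(values, signed)
        if findings:
            hits[name] = findings
    return hits


# Constructed export of four service keys (what a reg export or registry parser would give)
SAMPLE_SERVICES = {
    "Spooler": {"Type": 0x10, "Start": 2, "ErrorControl": 1,
                "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
    "Dnscache": {"Type": 0x20, "Start": 2, "ErrorControl": 1,
                 "ImagePath": "%SystemRoot%\\System32\\svchost.exe -k NetworkService",
                 "ServiceDll": "%SystemRoot%\\System32\\dnsrslvr.dll"},
    "WinUpdateSvc": {"Type": 0x10, "Start": 2, "ErrorControl": 0,
                     "ImagePath": "C:\\ProgramData\\svshost.exe"},
    "netsvc2": {"Type": 0x20, "Start": 2, "ErrorControl": 0,
                "ImagePath": "%SystemRoot%\\System32\\svchost.exe -k netsvcs",
                "ServiceDll": "C:\\Users\\Public\\Libraries\\net.dll"},
}
# Constructed signature results keyed by lower-case path (assumed sigcheck output)
SAMPLE_SIGNED = {
    "c:\\windows\\system32\\spoolsv.exe": True,
    "c:\\windows\\system32\\dnsrslvr.dll": True,
    "c:\\programdata\\svshost.exe": False,
    "c:\\users\\public\\libraries\\net.dll": False,
}
```

The "registry access denied" HIPS indicator from the slide is a live-system signal and has no offline equivalent, so it is not modelled here.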
12. Timeline Analysis using MFT
MFT analysis helps identify whether additional tools were dropped on the system, and the
other artefacts left behind by execution of the malware.
NTFS keeps 8 timestamps per file:
Standard Information Attribute ($SI) - the four the Win32 API exposes and SetFileTime can change.
Filename Information Attribute ($FN) - not exposed to user mode, so user-mode timestomping tools normally leave them untouched.
Both $SI and $FN hold 4 timestamps (crtime, mtime, atime and MFT entry modified).
Worth checking: a $SI creation time earlier than the $FN creation time, or $SI values with no sub-second part, point to a time-stomped file.
TimeStomp module in msf
https://www.offensive-security.com/metasploit-unleashed/timestomp/
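The $SI/$FN comparison described above is easy to run over parsed MFT records. The block below is an added example (not from the deck) that takes the eight timestamps of one record and returns the timestomp indicators: $SI creation earlier than $FN creation (backdating), $SI values equal to the zeroed FILETIME epoch of 1601 (what timestomp's blank option produces) and $SI values with no sub-second part while $FN has one (what setting a time from a whole-second string produces). The records are constructed; real values come from an MFT parser, which is assumed to have converted the 100 ns FILETIMEs to datetimes.

```python
from datetime import datetime

NTFS_EPOCH = datetime(1601, 1, 1)   # a zeroed FILETIME decodes to this
# Python datetimes carry microseconds; NTFS stores 100 ns ticks. An MFT parser is assumed
# to have converted them before they reach this check.


def timestomp_indicators(si, fn):
    """si, fn: dicts with keys crtime, mtime, atime, ctime (MFT entry modified) holding
    datetimes from the $STANDARD_INFORMATION and $FILE_NAME attributes of one record."""
    findings = []
    if si["crtime"] < fn["crtime"]:
        # $FN creation is written by the kernel when the file is created or moved and is not
        # reachable through SetFileTime, so $SI claiming an earlier birth means backdating
        findings.append("$SI creation earlier than $FN creation (backdated)")
    for key in ("crtime", "mtime", "atime", "ctime"):
        if si[key] == NTFS_EPOCH:
            findings.append(f"$SI {key} is zero (blanked)")
        elif si[key].microsecond == 0 and fn[key].microsecond != 0:
            # tools that set times from a string produce whole seconds; normal NTFS writes do not
            findings.append(f"$SI {key} has no sub-second part while $FN does")
    return findings


def _times(cr, m=None, a=None, c=None):
    """Build a four-timestamp dict; unspecified values default to the creation time."""
    return {"crtime": cr, "mtime": m or cr, "atime": a or cr, "ctime": c or cr}


# Constructed records (not from a real image)
T_CREATED = datetime(2016, 2, 1, 14, 3, 22, 556677)
T_MODIFIED = datetime(2016, 2, 1, 14, 3, 25, 101010)

# Untouched file: $FN fixed at creation, $SI modified/entry-modified moved on by a later write
CLEAN = {"si": _times(T_CREATED, T_MODIFIED, T_CREATED, T_MODIFIED),
         "fn": _times(T_CREATED)}

# timestomp -z "07/14/2009 03:20:15": all four $SI values set to a whole-second time that
# blends in with Windows 7 RTM files, $FN still shows the real 2016 creation
STOMPED = {"si": _times(datetime(2009, 7, 14, 3, 20, 15)),
           "fn": _times(T_CREATED)}

# timestomp -b: every $SI value zeroed
BLANKED = {"si": _times(NTFS_EPOCH), "fn": _times(T_CREATED)}
```

A $FN timestamp is refreshed when a file is renamed or moved within the volume, so a file that was legitimately moved after creation will show $SI creation earlier than $FN creation; check the sub-second rule and the surrounding timeline before calling it stomped.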
13. DLL Side Loading
A popular attack method that takes advantage of how Microsoft Windows applications
locate the DLLs they import.
When an executable starts, the Windows loader parses its import table and, for each DLL, first checks the
following registry key (the list of KnownDLLs, which are always mapped from System32) -
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
◦ If an imported DLL is not on the KnownDLLs list, the loader searches the directory of the
executable first, before System32 and the rest of the search path.
Attackers take advantage of this by placing a malicious DLL with the expected name next to a genuine (often signed) executable.
Possible Indicators –
Unsigned DLL loaded in a signed process, autoruns or services running from a suspicious location, a system DLL name that resolves outside System32.
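To make the search-order point concrete, here is an added example (not from the deck) that resolves an executable's imports the way the loader does with SafeDllSearchMode enabled: KnownDLLs always come from System32, everything else is searched in the application directory, System32, the 16-bit System directory, the Windows directory, the current directory and then PATH. A DLL that resolves from the application directory while a copy of the same name exists in System32 is the side-loading signal. The executable path, the import list, the KnownDLLs subset and the on-disk file set are constructed for the example.

```python
SYSTEM32 = "c:\\windows\\system32"


def search_order(app_dir, cwd, path_dirs):
    """Directories the loader tries, in order, for a non-KnownDLL given by bare name."""
    return [app_dir, SYSTEM32, "c:\\windows\\system", "c:\\windows", cwd] + list(path_dirs)


def resolve_imports(exe_path, imports, known_dlls, files_on_disk, cwd="c:\\", path_dirs=()):
    """Walk the import list like the loader and flag DLLs resolved ahead of the system copy.
    files_on_disk: set of lower-case full paths that exist (from a file listing)."""
    app_dir = exe_path.lower().rsplit("\\", 1)[0]
    resolved, findings = {}, []
    for dll in (d.lower() for d in imports):
        if dll in known_dlls:
            # KnownDLLs are mapped from the pre-loaded System32 section, never from disk search
            resolved[dll] = SYSTEM32 + "\\" + dll
            continue
        for directory in search_order(app_dir, cwd.lower(), path_dirs):
            candidate = directory.rstrip("\\") + "\\" + dll
            if candidate in files_on_disk:
                resolved[dll] = candidate
                break
        else:
            resolved[dll] = None
            findings.append(f"{dll}: not found anywhere on the search path")
            continue
        system_copy = SYSTEM32 + "\\" + dll
        if resolved[dll] != system_copy and system_copy in files_on_disk:
            findings.append(f"{dll}: loaded from {resolved[dll]} ahead of the system copy (side-load)")
    return resolved, findings


# Constructed scenario: a signed tool in a user profile with a planted version.dll beside it
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "gdi32.dll"}  # subset of the key
APP = "C:\\Users\\bob\\AppData\\Local\\Tool\\app.exe"
IMPORTS = ["KERNEL32.dll", "VERSION.dll", "MSVCR100.dll", "tool.dll", "missing.dll"]
DISK = {
    "c:\\users\\bob\\appdata\\local\\tool\\app.exe",
    "c:\\users\\bob\\appdata\\local\\tool\\version.dll",   # planted next to the executable
    "c:\\users\\bob\\appdata\\local\\tool\\tool.dll",      # the application's own DLL
    "c:\\windows\\system32\\version.dll",
    "c:\\windows\\system32\\kernel32.dll",
    "c:\\windows\\system32\\msvcr100.dll",
}
```

On a live host the same comparison is made from the loaded-module list (Process Explorer, Sysmon event 7) rather than from a predicted resolution; the offline version is useful when only a disk image and the import tables are available.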
14. DLL injection – User Mode Rootkits
[Demo]
• Identifying the DLLs loaded by a process at runtime is valuable information, as DLL injection is a
common technique used by user-mode rootkits.
• Indicator: an unsigned module creating a remote thread (CreateRemoteThread) in another process.
15. Autorun
Where are the autoruns?
• Registry Run keys
• Services
• Drivers
• Browser add-ons
… (Sysinternals Autoruns enumerates all of these locations)
16. Wdigest downgrade
• One common attack vector that has been around for several years is to use a tool called
Mimikatz to steal clear-text credentials from the memory of compromised Windows systems.
• Newer versions such as Windows 8.1 / 10 and Windows Server 2012 R2 / 2016 ship with a registry
setting that disables storage of clear-text credentials by the WDigest provider by default.
If UseLogonCredential is set to “1”, WDigest keeps credentials in clear text in LSASS memory; finding it set to 1 on a host where it should not be is an indicator of an attempted password dump.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
• KB2871997 “back-ports” the registry setting to Windows 7, 8, Server 2008 R2 and 2012; on those systems the value must be explicitly set to 0, the update alone does not turn clear-text caching off.