Tips for an Information Security Analyst/Pentester career - Ep. 57: Forensic challenge (pt. 1)

I was watching a John Strand video on live memory analysis some days ago.

I love his tutorials because they're really inspirational but, in this case, John came out with a series of labs intended for his forensic students at SANS.

I thought to myself, "Yes, I got this, I can do it". You know, I graduated in Cyber Security & Forensics, so I thought I should've been able to follow through.

Here's my tutorial about it.


In this first part I'll analyze a clean Windows configuration, so that we have a baseline, and in the second part I'll perform the same steps against a system compromised with a Meterpreter shell.


Simulation

I create a backdoor by running netcat on TCP port 2222 (in the upcoming second part of this tutorial, I'll create an actual Meterpreter backdoor).

If we run netstat -nao and add an interval parameter of 5 to the command (netstat -nao 5), we get a list of active network connections that is redisplayed every 5 seconds.

You'll notice a connection to TCP port 2222 in LISTENING state, which means the port is open.


Intelligence on running processes

To have information on running processes, we can run three different commands, which return a different amount of intelligence about the system.

a) Task Manager (taskmgr.exe): That's a well-known tool. Not everyone knows, though, that Task Manager can display the processes of all users and not only those of the user currently logged on.



b) Tasklist (tasklist.exe): It's the command-line version of Task Manager and it comes in very handy if you want to create a file listing all running processes (you can simply redirect the command's output to a file).


tasklist /svc maps each running service to the process that hosts it.


c) wmic process list full: It returns a huge amount of information on each individual running process.

Also, don't overlook services.msc to get an overview of the status of each individual installed service and of its dependencies.

A very handy way to view all auto-starting entries on your system, including some I haven't mentioned here, is to install Autoruns for Windows.
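The baseline idea behind this first part can be scripted: the following PowerShell snippet is an added example (not the post's own code) that takes the LISTENING ports from netstat -nao, maps each owning PID to its image and hosted services with tasklist /svc, saves the result, and diffs it against the previous snapshot. The directory C:\baseline is an assumption.

```powershell
# Added example, not from the original post: snapshot the LISTENING TCP ports
# reported by netstat -nao, map each owning PID to its image and hosted
# services via tasklist /svc, and diff the result against the previous
# snapshot. The directory C:\baseline is an assumption; change it as needed.
$snapDir = 'C:\baseline'
New-Item -ItemType Directory -Path $snapDir -Force | Out-Null

function Get-ListeningPort {
    # netstat -nao prints lines like "  TCP    0.0.0.0:2222    0.0.0.0:0    LISTENING    1234"
    foreach ($line in (netstat -nao)) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            [pscustomobject]@{ Port = [int]$Matches[1]; ProcessId = [int]$Matches[2] }
        }
    }
}

function Get-ListenerSnapshot {
    # tasklist /svc /fo csv yields "Image Name","PID","Services" for every process
    $byPid = @{}
    foreach ($p in (tasklist /svc /fo csv | ConvertFrom-Csv)) { $byPid[[int]$p.PID] = $p }
    foreach ($l in Get-ListeningPort) {
        $p = $byPid[$l.ProcessId]
        $image = if ($p) { $p.'Image Name' } else { '<unknown>' }
        $svc   = if ($p) { $p.Services } else { '' }
        [pscustomobject]@{ Port = $l.Port; ProcessId = $l.ProcessId; Image = $image; Services = $svc }
    }
}

$current = Get-ListenerSnapshot | Sort-Object Port
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$current | Export-Csv -NoTypeInformation -Path (Join-Path $snapDir "listeners-$stamp.csv")
$current | Format-Table -AutoSize

# Compare with the newest earlier snapshot. PIDs change between boots, so the
# diff is on port and image: '=>' marks a listener that is new since the
# baseline (e.g. TCP/2222 held by netcat in the simulation above), '<=' one
# that has disappeared.
$previous = Get-ChildItem $snapDir -Filter 'listeners-*.csv' |
    Sort-Object Name -Descending | Select-Object -Skip 1 -First 1
if ($previous) {
    $baseline = Import-Csv $previous.FullName | ForEach-Object { $_.Port = [int]$_.Port; $_ }
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Port, Image |
        Format-Table -AutoSize
}
```

Run it once on the clean system and again after the compromise; the second run prints only the listeners that changed.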

Retrieve large files

Both from command line and from Windows Explorer, we can search for files larger than a certain size.

This can allow us to retrieve malicious files the attacker might have uploaded to, or created on, the analyzed system.

In the example below, I searched for all files larger than 10 MB.


Registry analysis

Malware can try to gain persistence on a system by creating auto-starting registry keys, which Windows runs automatically at boot time.

Analyzing these keys can sometimes reveal interesting surprises.

In more detail, the following keys should always be checked for malware analysis/troubleshooting purposes:
  1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  5. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  6. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  7. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  8. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

If a suspicious entry is found in one of these locations, you can export it and then delete it.

If all such entries are removed, we eliminate one of the most important ways malware can obtain persistence on a system.
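The "export, then delete" step above can be made routine. This PowerShell snippet is an added example (not the post's own code): it enumerates every value under the eight keys listed, and a removal helper exports the key with reg.exe before deleting the value, refusing to delete if the export fails. The backup directory and the value name in the commented call are placeholders.

```powershell
# Added example, not from the original post: enumerate every value under the
# eight auto-start keys listed above and, for a value the analyst decides to
# remove, export its key with reg.exe first so the evidence survives the
# clean-up. The backup directory is an assumption.
$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
    }
}

function Get-AutoStartEntry {
    foreach ($key in $runKeys) {
        # RunServices/RunServicesOnce may not exist on the analyzed Windows version
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

function Remove-AutoStartEntry {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name,
        [string]$BackupDir = 'C:\forensics\reg-backup'   # assumption
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
    $regPath = $Key -replace '^(HKLM|HKCU):\\', '$1\'
    $file = Join-Path $BackupDir (($Key -replace '[:\\]', '_') + "-$Name.reg")
    reg export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of $regPath failed; value '$Name' left in place" }
    Remove-ItemProperty -Path $Key -Name $Name
    Write-Host "Removed $Name from $Key (backup: $file)"
}

# Review the entries: every Command should be explainable by an installed product.
Get-AutoStartEntry | Format-Table -AutoSize -Wrap
# Removal of a value named 'example-value' (placeholder) from the user Run key:
# Remove-AutoStartEntry -Key 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'example-value'
```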


Network shares and use

We can see what sessions the local machine has opened with other systems.

As I'm analyzing a VMware VM not part of a domain, we only obtain the VMware shared folder as an output.


Firewall rules

We can view the current Windows firewall settings through the netsh advfirewall show currentprofile command.


Analyzing local users and groups

We can load the Local Users and Groups manager through the lusrmgr.msc command.

We notice there's an Administrators group and two users belong to it.

Here nothing malicious pops up, but, in other cases, we might find an unknown user account listed in this group that no sysadmin remembers creating. Guess what that might mean.



Auditing logons

Security policies are another place to look when analyzing a system.

We want to start the tool (secpol.msc) and, in Local Policies/Auditing Policies/Audit Logon Events, enable logging for failure events, as shown below.

This way, when a user fails to log in, we'll have an entry for it in the Security log.

At that point, I purposely tried to log in with the wrong password, and a Security log event was correctly generated on the system.


We can also retrieve specific event IDs by using a PowerShell script (more details in the video).
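One way to pull those events, as an added example that is not the script from the video: read Security event ID 4625 (an account failed to log on) with Get-WinEvent, decode the fields an analyst needs from the event XML, and flag accounts with repeated failures. The 5-failure threshold is an arbitrary choice for this lab.

```powershell
# Added example, not from the original post: after failure auditing is enabled,
# read Security event ID 4625 (an account failed to log on) with Get-WinEvent,
# decode the interesting fields and flag accounts with repeated failures.
# Needs an elevated prompt to read the Security log.
$subStatusText = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'user name does not exist'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
}

function Get-FailedLogon {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent errors when nothing matches; treat that as an empty result
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is exposed as XML: <Data Name="TargetUserName">...</Data>
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $sub = "$($data['SubStatus'])".ToLower()
        $reason = if ($subStatusText.ContainsKey($sub)) { $subStatusText[$sub] } else { $data['SubStatus'] }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']        # 2 = interactive, 3 = network, 10 = RDP
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
            Reason      = $reason
        }
    }
}

$failures = Get-FailedLogon -Hours 24
$failures | Format-Table Time, Account, LogonType, Source, Reason -AutoSize

# Many failures against one account in a short window is the classic
# password-guessing signature; 5 is an arbitrary threshold for this lab.
$failures | Group-Object Account | Where-Object Count -ge 5 |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
```

The deliberate wrong-password attempt from the previous step shows up as a single row with Reason "wrong password" and LogonType 2.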


Wrap-up

The whole point of this challenge is to stress how important it is to be able to use native system tools for live memory analysis.

Yes, there are proprietary tools and they're often very good, but (as John points out), what if they don't work in your specific configuration, or if some of them are discontinued?

System tools are always there and work with any Windows configuration.

Though they don't cost thousands of dollars, these tools are able to deliver outstanding results if correctly used.
