triaging suspicious artifacts
play

Triaging Suspicious Artifacts Securit y Risk Advisors, Inc. - PowerPoint PPT Presentation

Oct 17, 2023 •452 likes •723 views

Triaging Suspicious Artifacts Securit y Risk Advisors, Inc. Proprietary and Client Confidential About Us Jonas, GREM Security Risk Advisors (sra.io) Service lines: DFIR, CTA, A&E Clay (ttheveii0x), GREM Security Risk Advisors (sra.io)

  1. Triaging Suspicious Artifacts Securit y Risk Advisors, Inc. Proprietary and Client Confidential

  2. About Us Jonas, GREM Security Risk Advisors (sra.io) Service lines: DFIR, CTA, A&E Clay (ttheveii0x), GREM Security Risk Advisors (sra.io) Service/Project Lead: CTI, CTA, SOC Training Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  3. Topics • Overview o Why Do This o General Approach o Actionable Outputs • File Formats • Tools • Demos • Resources Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  4. Overview Securit y Risk Advisors, Inc. Proprietary and Client Confidential

  5. Overview • Why Do This o Enable SOC analysts o Assessment o Is the artifact malicious? o What’s the threat? o IOCs o Identify techniques of the attack o Improve defense/alert capabilities o Gain intelligence into current threats Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  6. Overview • Does this scale? o Focus on a few artifacts, not all artifacts o Opportunity to maintain/sharpen existing skills o Training opportunity Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  7. Overview • General Approach o OPSEC! Don’t tip off the attackers o Examine the artifact for anomalies o Locate embedded code o Extract/document suspicious code or objects Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  8. Overview • Actionable Outputs o Indicators Of Compromise • Email headers • Domain(s)/URLs • File hashes • Threat hunts (tactics and techniques) o LSASS (non system accounts) o WMI (new event consumer) o DLL injection (CreateRemoteThread) Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  9. File Formats Securit y Risk Advisors, Inc. Proprietary and Client Confidential

  10. File Formats – OLE2 Object Linking & Embedding • Structured storage • Compound File Binary (file-system like structure) • File extensions .doc, .xls • Still used today Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  11. File Formats - OOXML Open Office XML • Multiple files • Macros stored in OLE2 file included in the ZIP • File extensions .docm, .xlsm Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  12. File Formats - PDF PDF • Collection of elements o Header o Object o Stream o Object o Object o Stream o Xref o Trailer Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  13. Tools Securit y Risk Advisors, Inc. Proprietary and Client Confidential

  14. Tools – oledump & olevba Oledump.py • Analyze OLE streams, detect macros, plugin-in support • Only supports Office 97-2003 file formats (doc,xls,ppt,..etc) olevba • Part of oletools package • Detect VBA macros in OLE and OpenXML structures, extract source code. • Detects security related patterns, extract IOCs, detects common obfuscation techniques Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  15. Tools – mraptor • Detect malicious macros using generic heuristics • Can work in bulk mode against multiple files • Detects keywords based on the following criteria: • A: Auto-execution trigger • W: Write to the file system or memory • X: Execute a file or any payload outside the VBA context Suspicious = A + (W OR X) Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  16. Tools – vipermonkey • VBA Emulation engine written in python, relies on oletools Go from • Emulates vba, dll calls, activeX this -> objects, file writes • Great for analyzing highly complex or obfuscated VBA payloads speed/automation tips: To this! -> • Run using PyPy instead of default Python interpreter. • Run using – s to strip out useless statements; if it fails, rerun without. Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  17. Tools – peepdf, pdf-parser, pdfid peepdf • Pdf analysis toolbox • View elements, metadata, use filters • analyze javascript and shellcode via PyV8 and Pylibemu pdf-parser.py • Identify PDF elements • search, filter, and display objects Pdfid.py • Quickly triage a pdf and view occurrences and obfuscation of important pdf references Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  18. Tools – CyberChef • All around great webapp for analysis • Can be used to further decode obfuscated payloads, extract IOCs • can create “recipes” for repeat decoding that can be shared with other analysts! • Runs client-side in your browser or can be downloaded and used offline as well. Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  19. Demos Securit y Risk Advisors, Inc. Proprietary and Client Confidential

  20. Demo - olevba Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  21. Demo - peepdf Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  22. Demo - vipermonkey Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  23. Resources File Formats https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oleds/71120485-e1b9-4a46-ae5d-f7851e8fbaff https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/53989ce4-7b05-4f8d-829b-d08d6148375b https://support.microsoft.com/en-us/office/open-xml-formats-and-file-name-extensions-5200d93c-3449-4380-8e11- 31ef14555b18 Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  24. Resources Tools https://remnux.org/ http://www.decalage.info/en/python/oletools https://blog.didierstevens.com/programs/pdf-tools/ https://gitlab.com/kalilinux/packages/peepdf Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  25. Thank you! Securit y Risk Advisors, Inc. Proprietary and Client Confidential

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Actionable Objective Optimization for Suspicious Behavior Detection on Large Bipartite Graphs

Actionable Objective Optimization for Suspicious Behavior Detection on Large Bipartite Graphs

Actionable Objective Optimization for Suspicious Behavior Detection on Large Bipartite Graphs Tong Zhao, Matthew Malir, Meng Jiang DM2 Laboratory Computer Science and Engineering University of Notre Dame Suspicious Behavior on Bipartite Graph

584 views • 40 slides
Artifacts of the 20 th century Essential Questions to Consider: 1.) How does examining the

Artifacts of the 20 th century Essential Questions to Consider: 1.) How does examining the

Artifacts of the 20 th century Essential Questions to Consider: 1.) How does examining the evidence and artifacts of earlier times help us to reconstruct the past? 2.) What are the consequences of technology? Can you guess the purpose of

587 views • 17 slides
Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies

Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies

Ninth International Workshop on Managing Technical Debt (MTD 2017) Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies Thorsten Haendler, Stefan Sobernig, and Mark Strembeck Vienna University of Economics

286 views • 13 slides
An Analysis of An Analysis of Network Configuration Artifacts Network Configuration Artifacts

An Analysis of An Analysis of Network Configuration Artifacts Network Configuration Artifacts

An Analysis of An Analysis of Network Configuration Artifacts Network Configuration Artifacts LISA '09, November 5, 2009 David Plonka & Andres Jaan Tack {plonka,tack}@cs.wisc.edu Motivation and Goals Like software quality, network

406 views • 36 slides
WarningBird: Detecting Suspicious URLs in Twitter Stream NDSS 2012 Sangho Lee and Jong Kim

WarningBird: Detecting Suspicious URLs in Twitter Stream NDSS 2012 Sangho Lee and Jong Kim

WarningBird: Detecting Suspicious URLs in Twitter Stream NDSS 2012 Sangho Lee and Jong Kim POSTECH, Korea February 8, 2012 Suspicious URLs in Twitter Twitter suffers from malicious tweets. Containing URLs for spam, phishing,

332 views • 21 slides
DASD Career Readiness Education #DowningtownReady Another Mandate... Career Portfolio 2

DASD Career Readiness Education #DowningtownReady Another Mandate... Career Portfolio 2

DASD Career Readiness Education #DowningtownReady Another Mandate... Career Portfolio 2 Artifacts Per Year Starting in 3rd Grade 5th: 6 Artifacts 8th: +6 Artifacts (Including ICP) 11th: +8 Artifacts The 4 Career 1. Career Awareness

366 views • 17 slides
Draft Refining AI Analysis with CP Techniques or How to identifying suspicious values in

Draft Refining AI Analysis with CP Techniques or How to identifying suspicious values in

Draft Refining AI Analysis with CP Techniques or How to identifying suspicious values in programs with floating-point numbers Michel RUEHER University of Nice Sophia-Antipolis / I3S CNRS, France (joined work with Olivier Ponsini, Claude

529 views • 26 slides
Trust Forum Nassau, Bahamas Process of Analyzing Suspicious Transactions Reports Presented By:

Trust Forum Nassau, Bahamas Process of Analyzing Suspicious Transactions Reports Presented By:

Association of International Banks and Trust Forum Nassau, Bahamas Process of Analyzing Suspicious Transactions Reports Presented By: Mrs. Joann Fritz-Creary Legal Counsel and Training Officer (FIU) 13 th April 2016 Property of the

937 views • 11 slides
Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy

Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy

Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy Webb, Adriana Gregory, Mostafa Fatemi, Azra Alizad GTC 2018, San Jose, USA SIGNIFICANCE Breast cancer is most common and leading cause of death in

303 views • 13 slides
AUSTRAC the value of suspicious matter reporting Markus Erikson, Director Intelligence, AUSTRAC

AUSTRAC the value of suspicious matter reporting Markus Erikson, Director Intelligence, AUSTRAC

AUSTRAC the value of suspicious matter reporting Markus Erikson, Director Intelligence, AUSTRAC July 2020 About AUSTRAC Serious crime is motivated by profit, and no matter the size, most criminal acts leave a financial trail. AUSTRAC is the

274 views • 9 slides
Knowledge Artifacts Evolution: A Human-centered, Community-driven, Data-based Approach Kazuaki

Knowledge Artifacts Evolution: A Human-centered, Community-driven, Data-based Approach Kazuaki

Knowledge Artifacts Evolution: A Human-centered, Community-driven, Data-based Approach Kazuaki Yamada and Yasuhiro Yamamoto KID Lab, RCAST, Univ of Tokyo, Japan 1 1 knowledge artifacts designed and created by human being not only:

313 views • 8 slides
Critical Infrastructure Protection and Suspicious Activity Reporting Texas Department of Public

Critical Infrastructure Protection and Suspicious Activity Reporting Texas Department of Public

Critical Infrastructure Protection and Suspicious Activity Reporting Texas Department of Public Safety Intelligence & Counterterrorism Division GOAL: Prevent terrorist attacks in Texas and prevent criminal enterprises from operating

421 views • 27 slides
DISCOVERY & FINDINGS SUSPICIOUS MOLLUSKS WERE FOUND ON PATROL BOAT #1 DECEMBER 18, 2013

DISCOVERY & FINDINGS SUSPICIOUS MOLLUSKS WERE FOUND ON PATROL BOAT #1 DECEMBER 18, 2013

DISCOVERY & FINDINGS SUSPICIOUS MOLLUSKS WERE FOUND ON PATROL BOAT #1 DECEMBER 18, 2013 AND SUBSEQUENTLY ON 2 SUBSTRATE SETTLING DEVICES SAMPLES WERE COLLECTED BY BOTH STAFF & DFW STAFF AND SENT TO LAB FOR DNA TESTING

377 views • 14 slides
MRO Security Advisory Council (SAC) Webinar Suspicious Packages and Bomb Threat

MRO Security Advisory Council (SAC) Webinar Suspicious Packages and Bomb Threat

MRO Security Advisory Council (SAC) Webinar Suspicious Packages and Bomb Threat Considerations John Breckenridge, Director Corporate Security Business Continuity, KCP&L and Westar, Evergy Companies May 30, 2019 John Breckenridge is

413 views • 25 slides
Identifying Suspicious Activities in Grid Network Traffic Fyodor Yarochkin, Vladimir Kropotov

Identifying Suspicious Activities in Grid Network Traffic Fyodor Yarochkin, Vladimir Kropotov

Identifying Suspicious Activities in Grid Network Traffic Fyodor Yarochkin, Vladimir Kropotov TWGRID/EGI What can be wrong in a cloud?! Agenda Methods Case Studies Lessons Learnt The DATA Raw Data (network packet captures)

408 views • 30 slides
Intercepting Suspicious Chrome Extension Actions Michael Cypher Department of Computing

Intercepting Suspicious Chrome Extension Actions Michael Cypher Department of Computing

Intercepting Suspicious Chrome Extension Actions Michael Cypher Department of Computing Imperial College London June 26, 2017 Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 1 / 31

561 views • 54 slides
Challenges in multi-modal transport planning Jochen Mundinger, Founder & Chairman, routeRANK

Challenges in multi-modal transport planning Jochen Mundinger, Founder & Chairman, routeRANK

Challenges in multi-modal transport planning Jochen Mundinger, Founder & Chairman, routeRANK routeRANK Ltd / Parc Scientifique EPFL / CH-1015 Lausanne Public Web: www.routerank.com / Email: info@routerank.com Introduction and context

914 views • 13 slides
SMT-based model checking techniques for formal software verification of synchronous dataflow

SMT-based model checking techniques for formal software verification of synchronous dataflow

An insight into SMT-based model checking techniques for formal software verification of synchronous dataflow programs Jonathan Laurent Ecole Normale Sup erieure, National Institute of Aerospace, NASA Langley Research Center August 11 th ,

1.01k views • 67 slides
x HE xdt5 L tz x Cti t t l I titsititz titts t's Ez t.tt more generally simply laced x Lt

x HE xdt5 L tz x Cti t t l I titsititz titts t's Ez t.tt more generally simply laced x Lt

Fibers of Meps to Non negative Totally Spaces Patricia Hersh North Carolina State University 1903.01420 joint work arXiv See with James Davis Ezra Miller A Key Calculation tittz titz Lt X xzLtz Coo f x 3 t z Il tits x HE xdt5 L tz x

444 views • 17 slides
Spatial Mixing of Coloring Random Graphs Yitong Yin Nanjing University Colorings undirected

Spatial Mixing of Coloring Random Graphs Yitong Yin Nanjing University Colorings undirected

Spatial Mixing of Coloring Random Graphs Yitong Yin Nanjing University Colorings undirected G(V,E) q colors: max-degree: d temporal mixing of Glauber dynamics approximately counting : 2 11/6 or sampling almost uniform proper q

687 views • 21 slides
Integrating Defenders & Attackers into Cyber Security Risk Models Varun Agarwal Diane

Integrating Defenders & Attackers into Cyber Security Risk Models Varun Agarwal Diane

Integrating Defenders & Attackers into Cyber Security Risk Models Varun Agarwal Diane Henshel, Alexander Alexeev, Mariana Cains SRA Annual Meeting, Arlington VA, 10-14 December 2017 Outline Motivation & Research Goals Technical

537 views • 32 slides
Typing for a Minimal Aspect Language Peter Hui, James Riely DePaul CTI {phui,j riely}@

Typing for a Minimal Aspect Language Peter Hui, James Riely DePaul CTI {phui,j riely}@

Typing for a Minimal Aspect Language Peter Hui, James Riely DePaul CTI {phui,j riely}@ cs.depaul.edu ABC Minimal Aspect Calculus - First presented: Bruns, Jagadeesan, et. al (CONCUR 04) - First version of ABC - source/ target/

786 views • 43 slides
Research questions for Tor Part one: research questions, current and soon. Part two:

Research questions for Tor Part one: research questions, current and soon. Part two:

Research questions for Tor Part one: research questions, current and soon. Part two: research questions we need help on. Decentralizing the directory Server descriptors are self-signed, so get them anywhere. Each dirserver

529 views • 20 slides
INVARIANT Priese/Wimmel 2008 ANALYSIS Lautenbachs miracle - EXAMPLES

INVARIANT Priese/Wimmel 2008 ANALYSIS Lautenbachs miracle - EXAMPLES

dependability engineering & Petri nets November 2013 dependability engineering & Petri nets November 2013 I NDEX Starke 90, p.121 exponential number of invariants Starke 90, p. 111 CPI & CTI, but not live INVARIANT

605 views • 14 slides

More recommend