Assignment 1 & 2

Assignment 2


Directions:  Follow the download step and then fully answer each of the questions.

First:  Download the enclosed image. Using a search tool, locate the enclosed list of words in the image.

After doing the above, answer/do the following questions/prompts:

· Record the offset or screenshot of each word's location and place them in a document.


1. Identify and discuss three examples of how searching for a string or part of a string can be valuable in an investigation.

2. Describe a strategy for searching a device with only part of a person’s name. In describing the strategy, address what you would look for and why and how you would search if the partial name was found on a deleted document. Also discuss two pros and two cons of this strategy.

3. Discuss the particularity requirement of the Fourth Amendment and its application to computer searches. Specifically, assuming that a person who is subject to the search and seizure of their computer has a reasonable expectation of privacy in the contents of the computer (therefore requiring a warrant), how should the particularity requirement be applied to computer searches?

4. Describe why establishing a baseline in memory forensics is important; and equally, describe how rogue processes are identified and why it is important to understand them.
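The baseline-versus-rogue-process comparison that question 4 asks about, as an added worked example (not part of the assignment): both process lists are constructed pslist-style records, and the parent/path expectations in `BASELINE` are assumptions standing in for a real known-good baseline of the same build.

```python
"""Compare a live process list from a memory image against a known-good baseline.

Added example. Records mirror what Volatility's pslist/pstree output gives an
analyst: PID, PPID, process name, and the image path taken from the PEB.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Constructed baseline for this host build: name -> (expected parent, expected path).
# A None parent means "do not check" (e.g. explorer's parent, userinit, normally exits).
BASELINE = {
    "system":       (None,           ""),
    "smss.exe":     ("system",       r"\systemroot\system32\smss.exe"),
    "csrss.exe":    ("smss.exe",     r"c:\windows\system32\csrss.exe"),
    "wininit.exe":  ("smss.exe",     r"c:\windows\system32\wininit.exe"),
    "services.exe": ("wininit.exe",  r"c:\windows\system32\services.exe"),
    "lsass.exe":    ("wininit.exe",  r"c:\windows\system32\lsass.exe"),
    "svchost.exe":  ("services.exe", r"c:\windows\system32\svchost.exe"),
    "explorer.exe": (None,           r"c:\windows\explorer.exe"),
    "iexplore.exe": ("explorer.exe", r"c:\program files\internet explorer\iexplore.exe"),
}

# Processes that should exist exactly once on a healthy system.
SINGLETONS = {"smss.exe", "wininit.exe", "services.exe", "lsass.exe"}

# Constructed "live" list from the image under review, with three planted anomalies.
LIVE = [
    Proc(4,    0,    "System",       ""),
    Proc(368,  4,    "smss.exe",     r"\SystemRoot\System32\smss.exe"),
    Proc(584,  368,  "csrss.exe",    r"C:\Windows\system32\csrss.exe"),
    Proc(640,  368,  "wininit.exe",  r"C:\Windows\system32\wininit.exe"),
    Proc(716,  640,  "services.exe", r"C:\Windows\system32\services.exe"),
    Proc(724,  640,  "lsass.exe",    r"C:\Windows\system32\lsass.exe"),
    Proc(900,  716,  "svchost.exe",  r"C:\Windows\system32\svchost.exe"),
    Proc(1532, 1504, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(1880, 1532, "svchost.exe",  r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),  # wrong parent and path
    Proc(2044, 1532, "lsass.exe",    r"C:\Windows\system32\lsass.exe"),                 # second lsass, wrong parent
    Proc(2212, 1532, "updater.exe",  r"C:\Users\bob\AppData\Roaming\updater.exe"),     # not in baseline at all
]


def find_rogue(live, baseline):
    """Return {pid: [reasons]} for every process that departs from the baseline."""
    by_pid = {p.pid: p for p in live}
    seen = {}       # singleton name -> first pid observed
    findings = {}
    for p in live:
        name = p.name.lower()
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        else:
            exp_parent, exp_path = baseline[name]
            parent = by_pid.get(p.ppid)
            if exp_parent and (parent is None or parent.name.lower() != exp_parent):
                reasons.append(f"unexpected parent {parent.name if parent else p.ppid}")
            if exp_path and p.path.lower() != exp_path:
                reasons.append(f"unexpected path {p.path}")
            if name in SINGLETONS:
                if name in seen:
                    reasons.append(f"second instance (first was pid {seen[name]})")
                else:
                    seen[name] = p.pid
        if reasons:
            findings[p.pid] = reasons
    return findings


if __name__ == "__main__":
    rogue = find_rogue(LIVE, BASELINE)
    names = {p.pid: p.name for p in LIVE}
    for pid in sorted(rogue):
        print(f"pid {pid:<5} {names[pid]:<13} {'; '.join(rogue[pid])}")
```

Each reason is a pointer to what to examine next in the image (the parent's command line, the on-disk file at the unexpected path, the handles and network artifacts of the extra instance), which is why understanding the baseline matters more than the match itself.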

ASSIGNMENT 3

Directions:  Follow the download step and then fully answer each of the questions.

First: Download a free imaging tool and install it on your computer. Image a hard drive, USB drive, or other media, including the hash value. Provide a screenshot of your image or of the log file created once the image is completed.

After doing the above, answer/do the following questions/prompts:

Create a report of the media imaged that includes the screenshot, and specifically discusses the following:

1. Integrity of the evidence including a discussion regarding how you verified the integrity of the image created.

2. How did you verify that the imaging tool created the image? How would you test the tool prior to imaging the media or device? Why would you use this technique to test the tool?

3. Discuss the search technique used for finding documents. Describe a search strategy for the image you created that would find documents with the date “2020” on the device. Use this search strategy: how many total documents are there?

4. Discuss comparison methods used to examine the media image. What comparisons would you make in the image created to eliminate files without “2020” in them?
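As an added example (not course-supplied code), the search that Assignment 2's directions and Assignment 3's question 3 describe: locate a list of keywords in a raw image, in both ASCII and two-byte UTF-16LE form, record the byte offset of every hit, and count hits per keyword. The image is a constructed byte string, not a real acquisition; the keywords and file contents are invented.

```python
"""Keyword search with offsets over a raw disk or memory image (added example)."""
import re

# Constructed stand-in for an image: a few "files" separated by zero-filled slack,
# one deleted document whose bytes survive, and one record stored as UTF-16LE
# (two bytes per character, as Windows stores many strings).
IMAGE = (
    b"\x00" * 64
    + b"Invoice dated 2020-03-14 for client Johnson Ltd.\n"
    + b"\x00" * 32
    + b"Memo 2019: nothing to see here.\n"
    + b"\x00" * 16
    + "Contract 2020 signed by R. JOHNSONE".encode("utf-16-le")
    + b"\x00" * 48
    + b"[deleted] draft_2020.docx owner: johnsonr\n"
)

ENCODINGS = ("ascii", "utf-16-le")


def search_image(image: bytes, keywords, encodings=ENCODINGS):
    """Return a sorted list of (offset, keyword, encoding, matched_text) for every hit.

    Matching is case-insensitive, so a partial name such as "johnson" also hits
    "JOHNSONE" and "johnsonr"; that over-matching is intended when only part of a
    name is known, because the analyst reviews each hit's context afterwards.
    """
    hits = []
    for kw in keywords:
        for enc in encodings:
            pattern = re.escape(kw.encode(enc))
            for m in re.finditer(pattern, image, flags=re.IGNORECASE):
                hits.append((m.start(), kw, enc, m.group(0).decode(enc)))
    return sorted(hits)


def count_by_keyword(hits):
    """Total hits per keyword across both encodings (the 'how many' of question 3)."""
    counts = {}
    for _, kw, _, _ in hits:
        counts[kw] = counts.get(kw, 0) + 1
    return counts


def context(image: bytes, offset: int, width: int = 24) -> str:
    """Printable bytes around a hit, for the offset/screenshot record the directions ask for."""
    window = image[max(0, offset - width): offset + width]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in window)


if __name__ == "__main__":
    results = search_image(IMAGE, ["2020", "johnson"])
    for off, kw, enc, text in results:
        print(f"0x{off:08x}  {kw:<8} {enc:<9} {text:<8} |{context(IMAGE, off)}|")
    print(count_by_keyword(results))
```

A hit inside the UTF-16LE region shows up as dotted text in the context column; an ASCII-only search would have missed it entirely, which is the reason to search both encodings before counting.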

Format Requirements:

· Paper must be double spaced, 11 or 12 pt font and 1” margins all around.

· All APA 7th edition format requirements must be followed (cover page, in text citations, reference page). Refer to APA/UMGC – learning resources found in the content page of this course.

· You must have resources to support your thoughts/opinions/information. These must be cited both in text and at the end of the document. Your paper should not contain direct quotes; sourced material must be paraphrased.

DIGITAL EVIDENCE FORENSIC REPORT

Your Logo Here

Your address here

CASE INFORMATION:

Agency Case #:

     

Originating Agency Case #:

     

[removed] #:

     

[removed] #:

     

Remedy#:

     

Distribution:

|_| [removed] |_| [removed] |_| [removed] |_| IT |_| [removed] |_| Internal Audit |_| Emp. Relations |_| CI

|_| Other:      

Date/Time Report Completed:

     

Date/Time Incident Occurred:

     

Type of Report:

INVOLVED:

|_| Involved

|_| Witness

|_| Complainant

|_| Mentioned

Name:

Last:

     

First:

     

Title:

     

Mailstop:

     

Email:

     

Cell Phone:

     

Work Phone:

     

Employee #:

     

|_| Involved

|_| Witness

|_| Complainant

|_| Mentioned

Name:

Last:

     

First:

     

Title:

     

Mailstop:

     

Email:

     

Cell Phone:

     

Work Phone:

     

Employee #:

     

|_| Involved

|_| Witness

|_| Complainant

|_| Mentioned

Name:

Last:

     

First:

     

Title:

     

Mailstop:

     

Email:

     

Cell Phone:

     

Work Phone:

     

Employee #:

     

OFFICIAL USE ONLY

[Agency] Case #:

[insert scanned signature here]
Insert Name
Insert Title

CLASSIFICATION LEVEL HERE

May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552) exemption number and category: 7, Law Enforcement

Department of Name of Agency review required before public release

Name/Org: Your name/org Date:

Guidance (if applicable):

SUMMARY:

EVIDENCE SUBMITTED:

Item #

SOFTWARE UTILIZED

All software utilized in this examination is fully licensed and registered to [Agency Name] or its agents. All software and forensic hardware have been validated pursuant to [Agency Name] policies and procedures.

FORENSIC EXAMINATION OF EVIDENCE

ITEM #1

Item #1 – Can be described as

[insert photo here]

[insert photo here]

[insert photo here]

[insert photo here]

HASH OF ORIGINAL EVIDENCE

The original media was connected to a forensic hardware write blocker (asset tag #) and the write blocker connected to a forensic computer (asset tag #). Prior to doing anything with the original media, the media was hashed to obtain a baseline hash value. This allows the hash value of the original media to later be compared to the hash value of the forensic image created of the original media. By comparing the hash values of the original media and that of the forensic image, the forensic image can be authenticated as an exact duplicate copy of the original evidence.

The hash values obtained from the original evidence were as follows:

|_| MD5:      

|_| SHA1:      

|_| Other:      

FORENSIC IMAGING

After obtaining the hash value(s) of the original media, a forensic image was created. The forensic image was placed on a:

|_| Government owned, forensically wiped hard drive

|_| Government owned, forensically wiped Storage Area Network (SAN)

The forensic imaging software utilized in this process creates an imaging report, detailing the hash value(s) of the newly created forensic image. The hash value(s) of the forensic image was compared to the original hash value obtained prior to imaging the device. The hash value(s) of the forensic image:

|_| Matched exactly the hash value(s) of the original media.

|_| Did not match the original hash value(s) of the media. If checked, provide explanation below.
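An added example, not part of the report template or of any imaging tool, of the acquire-then-verify sequence the two sections above describe: hash the original first, image it while hashing, independently re-hash the finished image, and compare. The media is a constructed byte string; the `source` and `dest` streams stand in for the write-blocked device and the wiped evidence drive.

```python
"""Image a source and verify the image by hash comparison (added example)."""
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads; on real media use a multiple of the device's block size
ALGOS = ("md5", "sha1")  # the two boxes on the report form; add "sha256" if policy requires it


def _new_hashers(algos):
    return {a: hashlib.new(a) for a in algos}


def hash_stream(stream, algos=ALGOS):
    """Hash a readable stream end to end; returns {algo: hexdigest}."""
    hashers = _new_hashers(algos)
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hashes_of(media: bytes, algos=ALGOS):
    """Hash an in-memory byte string as if it were a device."""
    return hash_stream(io.BytesIO(media), algos)


def image_and_hash(source, dest, algos=ALGOS):
    """Copy source to dest, hashing each block as it is read, so the media is read only once."""
    hashers = _new_hashers(algos)
    for block in iter(lambda: source.read(CHUNK), b""):
        dest.write(block)
        for h in hashers.values():
            h.update(block)
    dest.flush()
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_image(source_hashes, image_hashes):
    """True only when every algorithm agrees; a single mismatch means the image is not authenticated."""
    return all(image_hashes.get(a) == d for a, d in source_hashes.items())


def acquire(media: bytes):
    """The report's sequence on constructed media.

    Returns (baseline_hashes, hashes_during_imaging, hashes_of_finished_image, authenticated).
    """
    baseline = hashes_of(media)                        # 1. hash the original before anything else
    image = io.BytesIO()                               # stands in for the wiped evidence drive
    during = image_and_hash(io.BytesIO(media), image)  # 2. image while hashing on the fly
    image.seek(0)
    after = hash_stream(image)                         # 3. re-hash the finished image independently
    ok = verify_image(baseline, during) and verify_image(baseline, after)
    return baseline, during, after, ok


if __name__ == "__main__":
    # Constructed ~2 MiB "drive": a recognisable header followed by a repeating payload.
    MEDIA = b"EVIDENCE-DRIVE-HEADER" + bytes(range(256)) * 8192
    base, _, aft, ok = acquire(MEDIA)
    for a in ALGOS:
        print(f"{a:>5} original={base[a]} image={aft[a]}")
    print("image authenticated:", ok)
```

Step 3 is the one that catches a write error on the destination: the on-the-fly hash in step 2 only proves what was read, not what landed on the evidence drive.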

VIRUS AND MALWARE

The original media was scanned for malware. Prior to the scan, all malware definitions were updated. The results were:

|_| No malware detected.

|_| Malware detected. If checked, identify and report on malware located below.

DRIVE GEOMETRY

BIOS EXAMINATION

Once the hard drive was removed, the computer was turned on and the BIOS (Basic Input/Output System) checked. The following was found:

|_| The date and time were accurate.

|_| The date was accurate, but the time was inaccurate. List time offset from correct time:      

|_| The time was accurate, but the date was inaccurate. List date offset from correct date:     

|_| Forensic computer was adjusted to compensate for any time differences.

What was used as a time reference:

|_| Cellular phone set by network.

|_| Other:      

FORENSIC EXAMINATION OF FILES

DISPOSITION

EVIDENCE DISPOSITION

FORENSIC EXAMINER’S CONCLUSION

DISPOSITION

ATTACHMENTS

APPROVALS

Report Author Digital Signature: Report Approver Digital Signature:

SANS Institute
Information Security Reading Room

Indicators of Compromise in Memory Forensics

Chad Robertson

Copyright SANS Institute 2020. Author Retains Full Rights.

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express
written permission.

http://www.sans.org/info/36909

http://www.sans.org/info/36914

[1.0 February 2013]

Indicators of compromise in memory forensics

GIAC (GCFA) Gold Certification

Author:

Chad Robertson, chad@rocacon.com

Advisor: Tim Proffitt

Accepted: TBA

Abstract

Utilizing memory forensics during incident response provides valuable cyber threat intelligence. By both providing mechanisms to verify current compromise using known indicators and to discover additional indicators, memory forensics can be leveraged to identify, track, isolate and remediate more efficiently.

Indicators of compromise in memory forensics 2

Chad Robertson, chad@rocacon.com

1.0 Introduction

There has been a recent increase in the availability of intelligence related to malware. New IP addresses, hostnames, MD5 hashes, mutex values, and other attacker artifacts are shared often. Historically, there exist many host-based and network-based standard methods to utilize these artifacts, such as intrusion detection/prevention systems, firewalls, anti-virus, and file whitelisting. While these solutions provide various benefits, they can fall short of confirming an infection.

Consider antivirus for example. In an article published June 11th, 2012, MIT Technology Review boldly proclaimed “The Antivirus Era Is Over”. Mikko Hypponen, Chief Research Officer of F-Secure, wrote that it was “a spectacular failure of our company, and for the antivirus industry in general” (Hypponen, 2012) that they had possessed samples of Flame, one of the most complex pieces of malware ever discovered, for at least two years without examining it closely and developing detection mechanisms. (Hypponen, 2012) Later, in the same article, Mr. Hypponen states, “The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers, and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition.” (Hypponen, 2012)

SC Magazine’s Tom Cross states, “Although basic controls like anti-virus will always have a place in the security arsenal, they are not up to the task of defending networks against sophisticated, targeted attacks.” (Cross, 2012) “It is going to take human analysts to recognize the subtle and often unpredictable patterns of evidence that sophisticated attacks leave behind. Therefore, the best strategies are going to focus on arming incident responders with the tools that they need to monitor their environments and actively hunt for active attack activity.” (Cross, 2012)

“So what’s the next-generation solution? The future of security lies in shifting toward behavior-oriented scanning, says Dennis Pollutro, president and founder of cloud security vendor Taasera. While “there will always be a place for signatures,” security products have to begin identifying malware by what it’s doing, rather than what it looks like, he says.” (Rashid, 2012)

“Several things have to happen before the malware infection results in damage or data theft on the compromised computer, which gives defenders a “couple hundred processes” to monitor for, Pollutro adds. Threat intelligence allows administrators to recognize patterns of behavior, such as creating directories on a file system or communicating with an IP address that had previously been flagged as suspicious.” (Rashid, 2012)

Malware can be identified by seeking out common TTP’s (tools, techniques, and procedures) used during development and infection. These relationships help analysts gain a better understanding of the adversary and develop attacker profiles. From the profiles we can draw inferences to better adapt and respond to attacks.

Categorization techniques vary among researchers. David French, Senior Malware Researcher at CERT, suggests a malware-centric approach. “To express such relationships between files, we use the concept of a “malware family”, which is loosely defined as “a set of files related by objective criteria derived from the files themselves.” Using this definition, we can apply different criteria to different sets of files to form a family.” (French, 2012)

Michael Cloppert, a senior member of Lockheed Martin’s Computer Incident Response Team, suggests taking a more adversary-centric approach. “The best way to behaviorally describe an adversary is by how he or she does his job…that “job” is compromising data, and therefore we describe our attacker in terms of the anatomy of their attacks.” (Cloppert, 2009). “We as analysts seek the most static of all indicators [those closest to the adversary] but often must settle for indicators further from the adversary until those key elements reveal themselves.” (Cloppert, 2009)

According to Greg Hoglund, Founder of HBGary, “It makes no sense to separate the human from the malware and TTP’s. They are two ends of the same spectrum. This is not a black and white science; it works because humans aren’t perfect. It works because humans are creatures of habit and tend to use what they know. They use the same tools every day and don’t rewrite their malware every morning. They don’t have perfect OPSEC. They put their digital footprints out on the Internet long ago – and it’s usually just a few clicks away from discovery. There is a reflection of the threat actor behind every intrusion. To discount this is to discount forensic science.” (Hoglund, 2011)

According to The MITRE Corporation, “to be proactive, cyber defenders need to fundamentally change the nature of the game by stopping the adversary’s advance, preferably before the exploit stage of the attack [which] requires defenders to evolve from a defensive strategy based primarily on after-the-fact incident investigation and response to one driven by cyber threat intelligence.” (The MITRE Corporation, 2012)

Identification of singular characteristics of malware helps to automate future identification tasks. Often malware from the same family shares these characteristics, which helps analysts identify related files. These characteristics can be used by analysts to organize malware within repositories, root out additional infections present on the network, or identify new variants of malware.

Memory forensics allows analysts to “reconstruct the state of the original system, including what applications were running, what files those applications were accessing, which network connections were active, and many other artifacts” (Michael Ligh, 2010). Many free tools are available to analysts for local memory imaging as well as several enterprise solutions for remote imaging. While memory forensics shouldn’t be considered a replacement for any other security technology, it is most certainly a valuable tool and should be considered, as is stated in the Malware Analyst’s Cookbook, “extremely important to incident response” (Michael Ligh, 2010). This paper discusses analyzing malware. It does not describe designing a safe and effective malware analysis environment. If you are new to malware analysis and wish to perform any of the examples within this paper, please spend some time researching how to do so safely.


2.0 Scope and Assumptions

The research discussed herein focuses on the creation of signatures to help speed up memory analysis during incident response. Because they are not meant to be used as host-based indicators deployed uniformly, there is a greater tolerance for false positives. If, instead, the task was to develop signatures to deploy to all client machines, then there would be a much greater need to tune each rule since, in that case, any false positive could have an immediate impact on the client experience. For this research, the resulting signatures will be run by the analyst, for the analyst, to expedite the identification, containment, and eradication of threats.

We will touch on many topics related to malware analysis and memory forensics. To limit the scope of this research, specific malware analysis techniques will not be discussed. We will rely on various publicly available materials from which to understand our topic. If malware analysis is of interest to the reader, they are encouraged to see the reference section for the articles cited and the appendix for a list of additional resources.

There are many tools mentioned throughout this paper. Detailing each tool is out of scope, but links to the tools mentioned will be included within the appendix for reference.

3.0 Finding Indicators

Indicators can come from a variety of sources. There are numerous blogs dedicated to malware reversing and analysis: “Malwaremustdie”, “Joe Security LLC”, and “Hooked on Mnemonics worked for me”, to name a few (see Appendix 1). There are also many security companies that publish some of their own internal findings publicly. Organizations such as Mandiant, Fireeye, and Dell Secureworks are great sources of detailed reports that include indicators.

Another option is to acquire malware samples for analysis. Enterprising and ambitious analysts could mine the internet for malware themselves. There are a variety of sites (See Appendix 1) that note active malware sources that can be downloaded manually or scraped via script (such as maltrieve – See Appendix 1) to automate collection. Alternatively, one could set up a honeypot (such as Dionea – See Appendix 1) to glean current samples from the internet by allowing attackers access to seemingly vulnerable services.

Another approach is to turn to the numerous websites that provide users access to malware. Sites such as virusshare.com, malwr.com, malware.lu, offensivecomputing.net, and contagiodump offer access to millions of samples (See Appendix 1).

3.1 YARA

To help aid in scanning memory samples for indicators of compromise, we will use a tool called YARA. “YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families. Each description consists of a set of strings and a Boolean expression which determines its logic.” (YARA in a nutshell, 2013)

YARA provides a mechanism to match indicators such as text strings and hexadecimal byte patterns within memory samples.

3.2 Indicators Defined

Michael Cloppert wrote a phenomenal blog post in 2009 on the SANS computer forensics blog called Security Intelligence: Attacking the Kill Chain. In it he describes classifying indicators into one of three categories: atomic, computed, and behavioral. Michael’s description of each is shown here:

“Atomic indicators are pieces of data that are indicators of adversary activity on their own. Examples include IP addresses, email addresses, a static string in a Covert Command-and-control (C2) channel, or fully-qualified domain names (FQDN’s). Atomic indicators can be problematic, as they may or may not exclusively represent activity by an adversary.” (Cloppert, 2009)

“Computed indicators are those which are, well, computed. The most common amongst these indicators are hashes of malicious files, but can also include specific data in decoded custom C2 protocols, etc. Your more complicated IDS signatures may fall into this category.” (Cloppert, 2009)

“Behavioral indicators are those which combine other indicators — including other behaviors – to form a profile.” (Cloppert, 2009)

As an example of a complex behavioral indicator, consider the following. An adversary is identified that tends to rely on “spear phished” email attachments. The emails tend to come from a specific range of IP space. When the attachment is executed, the dropper malware gains persistence by writing to specific registry keys and then installs a PoisonIvy variant. From there the attacker uses Windows Credential Editor to move laterally within the network. Once interesting data has been identified, Winrar is used to zip up the files and exfiltrate them to a set of IPs. These indicators could have been identified during separate incident response engagements, and may have little significance alone, but when viewed together they build behavioral indicators that can be assigned to specific attacker profiles. We will discuss identifying atomic and computed indicators in depth here, and will leave the creation of behavioral indicators to the reader.

Indeed, the identification of atomic and computed artifacts is the easiest step in malware analysis. Sources of unique strings, IP addresses, registry keys, file locations, etc. related to malware are numerous. The task of determining the relevance of each accumulated artifact and its contribution to the attacker profile falls upon the analyst team.

3.2.1 Avoiding poor indicators

As we have been discussing, not all indicators are equal. Some artifacts are easily changed by the attacker. For example, consider GhostRat – a popular RAT (remote access tool) used in many recently documented attacks. According to Norton, “the most stable indicator of GhostRat is its network communication. It is well documented and quite distinctive, as it always begins with a “magic word” which in its default configuration is “Gh0st”” (Norman, 2012). However, because the source code for Gh0stRAT is freely available, modifying this “magic word” is simple.


Figure 1

Several known values of Gh0stRAT’s “Magic word” — Source: http://download01.norman.no/documents/ThemanyfacesofGh0stRat

4.0 Writing indicator-based YARA rules

Consider the differences between host-based signatures, such as those used by anti-virus, and incident response rules used for YARA. Because many anti-virus platforms have real-time functionality, they must constantly monitor the file system and memory for both static and heuristic based signatures. Thus, system performance is impacted by the simple addition of anti-virus, regardless of the quality of its signatures. If the signatures written for the anti-virus platform are vague, the resulting additional overhead on the system impacts the user experience at best by simply slowing down processing and, at worst, by incorrectly identifying files as malicious, quarantining them, and denying the user access until a patch can be deployed.

YARA signatures, specifically those focused on memory forensics, involve only a snapshot of memory, frozen in time and independent of the host machine, thus there is no real-time performance impact to consider. Also, because incident response engagements typically involve a small number of systems, performing matches for less precise characteristics is tolerated and, in some cases, preferred.

To that end, as we create YARA signatures we will test them against a corpus of malware to assess the false positive rate. We will ask ourselves if, in some cases, defining signatures based upon characteristics that might be considered poor form for anti-virus platforms is more tolerated for memory analysis.


4.2 Python and IDA

To help speed up the process of creating YARA rules based on disassembled malware, we turn to IDA Pro and Python. Within idc.py, the Python plugin for IDA, the o_* constants allow for the identification of variable memory addresses within malware. These addresses require the use of wildcards within YARA. A very useful script to automate the substitution of the variable memory addresses with ‘??’ was written by Case Barnes of Accuvant (Barnes, 2012). His script relies on the following operand types, o_mem, o_phrase, o_displ, o_far, and o_near, which are defined within idc.py:

Figure 2

Operands within idc.py – Source: Author created
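An added example that is not Case Barnes's script and does not need IDA: a constructed, hand-decoded x86 block whose operand descriptions (type, byte offset, byte length) stand in for what the IDA script reads through idc, turned into a YARA hex string with `??` in place of the address-dependent bytes, plus a small matcher to check that the rule still hits a relocated copy of the same code. The instruction bytes, labels and rule name are constructed; the o_* values mirror idc.py's constants.

```python
"""Build a wildcarded YARA hex string from disassembled instructions (added example)."""
import re

# Operand type constants as defined in idc.py.
O_REG, O_MEM, O_PHRASE, O_DISPL, O_IMM, O_FAR, O_NEAR = 1, 2, 3, 4, 5, 6, 7

# Operand types whose encoded bytes depend on load/link addresses and so must be
# wildcarded; the same set the paper lists for Barnes's script.
VARIABLE_TYPES = {O_MEM, O_PHRASE, O_DISPL, O_FAR, O_NEAR}

# Constructed block: (disassembly, encoded bytes, [(op_type, byte offset, byte length)]).
# Offset/length locate the operand's bytes inside the instruction encoding.
INSTRUCTIONS = [
    ("push ebp",              bytes.fromhex("55"),         []),
    ("mov ebp, esp",          bytes.fromhex("8BEC"),       []),
    ("mov eax, dword_403000", bytes.fromhex("A100304000"), [(O_MEM, 1, 4)]),
    ("mov ecx, [ebp+8]",      bytes.fromhex("8B4D08"),     [(O_DISPL, 2, 1)]),
    ("push ecx",              bytes.fromhex("51"),         []),
    ("call sub_401F00",       bytes.fromhex("E8F50E0000"), [(O_NEAR, 1, 4)]),
    ("test eax, eax",         bytes.fromhex("85C0"),       []),
    ("jz short loc_40103A",   bytes.fromhex("7410"),       [(O_NEAR, 1, 1)]),
    ("pop ebp",               bytes.fromhex("5D"),         []),
    ("retn",                  bytes.fromhex("C3"),         []),
]


def wildcard_tokens(code: bytes, operands) -> list:
    """Hex tokens for one instruction, with address-dependent bytes replaced by '??'."""
    tokens = [f"{b:02X}" for b in code]
    for op_type, off, length in operands:
        if op_type in VARIABLE_TYPES:
            for i in range(off, off + length):
                tokens[i] = "??"
    return tokens


def hex_pattern(instructions) -> str:
    """Whole block as one YARA hex-string body, e.g. '55 8B EC A1 ?? ?? ?? ?? ...'."""
    return " ".join(t for _, code, ops in instructions for t in wildcard_tokens(code, ops))


def yara_rule(name: str, instructions, description: str) -> str:
    """Render a complete YARA rule whose single string is the wildcarded code block."""
    return (
        f"rule {name}\n"
        "{\n"
        "    meta:\n"
        f"        description = \"{description}\"\n"
        "    strings:\n"
        f"        $code = {{ {hex_pattern(instructions)} }}\n"
        "    condition:\n"
        "        $code\n"
        "}\n"
    )


def pattern_matches(pattern: str, data: bytes) -> bool:
    """Minimal stand-in for YARA hex-string matching: '??' is a one-byte wildcard."""
    regex = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                     for t in pattern.split())
    return re.search(regex, data, flags=re.DOTALL) is not None


def relocated_copy() -> bytes:
    """The same block as another build would lay it out: addresses differ, opcodes do not."""
    return bytes.fromhex("55 8BEC A1C0104100 8B4D0C 51 E832210000 85C0 7422 5D C3")


if __name__ == "__main__":
    print(yara_rule("constructed_reinject_block", INSTRUCTIONS, "constructed example block"))
```

Leaving the `[ebp+8]` displacement wildcarded is the conservative choice the paper's operand list implies; tightening it to the literal byte would trade some resilience for fewer false positives, which is exactly the memory-analysis trade-off section 4.0 discusses.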

5.0 Demonstrations

To test our ability to identify indicators in one piece of malware, and then use them to create signatures to identify the same or similar malware across multiple memory dumps, we will turn to three pieces of malware: Stabuniq, X0rb0t, and a sample from APT1. Each sample will be assessed for indicators, and then YARA will be used to scan across several memory images to verify the effectiveness of the rule.

5.1 Stabuniq

Stabuniq is not considered APT, but due to its availability and interesting characteristics it is an excellent example for our purpose.

I will refer to indicators identified within two public analysis posts:

1. http://quequero.org/2013/01/stabuniq-financial-infostealer-trojan-analysis/

2. http://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers

According to Symantec, Stabuniq was first spotted in 2011 on servers belonging to financial institutions, banking firms, and credit unions. (Gutierrez, 2012) Symantec published an analysis in December 2012. During that same month, Mila Parkor of Contagio Malware Dump posted links to samples of the malware (see Appendix 1).

The initial executable contains a second executable that is decoded and dropped at runtime. Because our approach cares only about what eventually ends up in memory, the initial binary is of little interest. Therefore, to identify pertinent indicators, we must review the final executable dropped on the system.

After the malware has been run and the subsequent memory image acquired, artifacts similar to those noted within the online analysis can be seen using Volatility. To follow along, we must identify the injected process PID:

Figure 3

Injected processes — Source: Author created


The malware uses StabililtyMutexString as its mutex. We can confirm that by using the Volatility mutantscan plugin.

Figure 4

Output from Volatility’s mutantscan plugin — Source: author created

To create a YARA rule to identify this sample by this mutex, we must consider how the data looks within memory. One way to see is to use volshell to display the contents of memory:

Figure 5

The mutex as stored in process memory — Source: author created

As you can see above, the string is encoded with two bytes per character. The ‘wide’ YARA modifier must be used:


Figure 6

YARA rule to match Stabuniq’s mutex – Source: author created

The signature is checked and verified to match:

Figure 7

Results show a match – Source: author created

Because the mutex name is likely easy to change, we return to the quequero.org analysis for a preferred indicator. The analysis also mentions the segment of code used to re-inject into Internet Explorer. Perhaps this function would be more difficult for the malware author to change and thus make a better signature.

Figure 8

Interesting code block from Stabuniq – Source: http://quequero.org/2013/01/stabuniq-financial-infostealer-trojan-analysis/


Using the Python script mentioned above, we use this bit of code to create a YARA rule:

Figure 9

Using Python to create YARA rule – Source: Author created

While this process could certainly be done manually, the script automatically inserts wildcards where needed to adjust for memory addressing.


To validate the rule, I will use various publicly available memory images, including all those linked to from the Volatility website. I will also include various known-infected memory images acquired during research. These memory images are shown below:

Figure 10

Sample memory images – Source: author created

The results are shown here:

Figure 11

Stabuniq YARA signature matched – Source: author created

As you can see, the rule matched the two Stabuniq-infected memory dumps, but none of the other dumps in the folder. To further test the resilience of the rule, we can extract the malware from memory by using Volatility’s malfind command:


Figure 12

IEXPLORE.EXE injected process #1 – Source: author created

Figure 13

IEXPLORE.EXE injected process #2 – Source: author created


If we now run the same scan against the dumped binaries we see the same results:

Figure 14

Stabuniq YARA rule matched – Source: author created

As a final verification, we can use Virus Share’s malware corpus. Scanning 131073 samples returns zero results.

5.2 X0rb0t

Next, we take a look at one of the public analyses posted by Malware.lu, called X0rb0t. The analysis can be found here:

1. http://code.google.com/p/malware-lu/wiki/en_x0rb0t_analysis

This malware sample uses XOR for encoding. Let’s focus on that function to create a YARA rule to test. The function is shown below:

Figure 15

Related xor function – Source: author created


and the resulting YARA rule:

Figure 16

Output of Python script in IDA – Source: author created

When tested against the same set of memory dumps as was used for Stabuniq, with the addition of a memory dump from an x0rb0t infection, the YARA rule matches only the known x0rb0t-infected dump:

Figure 17

X0rbot YARA rule matched – Source: author created

When run against a corpus of 131073 files, the rule matches 8 times. Taking a closer look at one of the matches (503783a11080777a35b6349099fb3c3d) reveals that the same function is utilized within both samples.


Below, on the right is the segment from x0rb0t, and on the left the same code segment from 503783a11080777a35b6349099fb3c3d:

Figure 18

Output of Python script in IDA – Source: author created

As expected, the same instructions are present in both binaries.

5.3 APT1

Soon after Mandiant released their report on APT1 (See Appendix 1), Alienvault released several YARA signatures to identify malware seemingly associated with that group. Both the YARA signatures and the malware samples are easily found online (See Appendix 1). To test the effectiveness of utilizing the YARA rules to identify APT1 activity within memory, a sample from the set is selected (8934aeed5d213fe29e858eee616a6ec7), executed, and the memory from the compromised host dumped to disk.

To start, we test the Alienvault YARA rule against the malicious binary to verify the rule works:

Figure 19

The known malicious binary matches the rule – Source: Author created


The Alienvault rule matches the malware as expected. Now, the malicious binary is executed on a test system, and the memory from the test system acquired. The same YARA rule is then used to scan the memory dump:

Figure 20

The Alienvault YARA rule matches the memory dump – Source: Author created

With very little effort we were able to take publicly available indicators contained within YARA rules and make them actionable against the test machine. The same techniques can be utilized to identify compromised systems across production environments during incident response.
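The workflow in the x0rb0t and APT1 walk-throughs above (prove the rule fires on the known sample, scan a memory image for the same code, then check how often the rule fires across a large corpus and inspect the hits) can be rehearsed offline with a small scanner. The block below is an added example, not code from the paper, from AlienVault, or from the YARA project: it implements the subset of YARA hex-string syntax a code-segment rule needs (literal bytes, `??` wildcards, and `[n]` / `[n-m]` jumps) in pure Python, then runs two constructed rules over constructed x86 byte sequences, a constructed memory image and a constructed corpus. None of the bytes, hashes or rules are x0rb0t, APT1 or AlienVault data; with real data the same three steps are `yara.compile(...)` and `.match(data=...)` in yara-python, or Volatility's yarascan plugin against the memory dump.

```python
"""Added example: a minimal YARA-style hex-pattern scanner, with constructed data.

Not the paper's code. Samples, rules, the 'memory image' and the 'corpus' are all
synthetic stand-ins built below so the block runs offline.
"""
import random
import re


def hex_pattern_to_regex(hex_string):
    """Translate a YARA-style hex string into a compiled bytes regex.

    Supports the three constructs a code-segment rule needs:
      "55 8B"            literal bytes
      "??"               any single byte (wildcard an immediate, a register encoding)
      "[4]" or "[2-8]"   a jump of n, or n..m, arbitrary bytes (skip a rel32 call target)
    """
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, rules):
    """Return {rule_name: [offsets]} for every rule whose pattern occurs in data."""
    hits = {}
    for name, pattern in rules.items():
        offsets = [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def corpus_hit_count(rules, corpus):
    """Per rule, the number of corpus entries it fires on: the precision check the
    paper performs by running a rule over 131,073 files and inspecting the hits."""
    counts = {name: 0 for name in rules}
    for blob in corpus:
        for name in scan(blob, rules):
            counts[name] += 1
    return counts


# Constructed x86 byte sequences (not real malware):
#   push ebp; mov ebp,esp; sub esp,imm8; call rel32; xor eax,eax; leave; ret
KNOWN_SAMPLE = bytes.fromhex("55 8B EC 83 EC 10 E8 11 22 33 44 33 C0 C9 C3")
VARIANT      = bytes.fromhex("55 8B EC 83 EC 20 E8 AA BB CC DD 33 C0 C9 C3")  # same function, other build
#   push ebp; mov ebp,esp; sub esp,8; call rel32; mov eax,[ebp+8]; pop ebp; ret
BENIGN_FUNC  = bytes.fromhex("55 8B EC 83 EC 08 E8 DE AD BE EF 8B 45 08 5D C3")

RULES = {
    # Opcodes kept, the stack-frame immediate and the call target wildcarded:
    # this survives a recompile, which is why the paper's rule matched a second sample.
    "tight": "55 8B EC 83 EC ?? E8 [4] 33 C0 C9 C3",
    # A bare prologue: almost every compiled function has one, so expect noise.
    "loose": "55 8B EC 83 EC ??",
}


def build_memory_image(sample, size=0x10000, offset=0x3000, seed=1):
    """Stand-in for a memory dump: pseudo-random filler with the sample mapped at offset."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(size))
    return filler[:offset] + sample + filler[offset + len(sample):]


def build_corpus(n_benign=1000, seed=2):
    """Stand-in for a file corpus: many benign functions plus one relative of the sample."""
    rng = random.Random(seed)
    corpus = []
    for _ in range(n_benign):
        pad = bytes(rng.getrandbits(8) for _ in range(64))
        corpus.append(pad + BENIGN_FUNC + pad)
    corpus.append(VARIANT)
    return corpus


if __name__ == "__main__":
    # Step 1: does the rule fire on the known sample?
    print("known sample:", scan(KNOWN_SAMPLE, RULES))
    # Step 2: does it find the same code inside a memory image, and where?
    image_hits = scan(build_memory_image(KNOWN_SAMPLE), RULES)
    print("memory image:", {k: [hex(o) for o in v] for k, v in image_hits.items()})
    # Step 3: how noisy is each rule across a corpus?
    print("corpus hits :", corpus_hit_count(RULES, build_corpus()))
```

The contrast between the two rules is the point of the corpus check: the loose prologue rule fires on every benign function, while the tight rule, which keeps the opcodes and wildcards only the immediate and the call target, fires on the known sample and on the rebuilt variant and on nothing else. The offset the memory scan reports (0x3000 in this constructed image) is what feeds back into the investigation: with Volatility it is the process and address that yarascan reports, and the next step is to dump that region and confirm in IDA that the instructions really match, as the paper does in Figure 18.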

Conclusion

Incident response is evolving. Malware authors are constantly coming up with new ways to compromise systems. They have the ability to adapt quickly and often circumvent our slower-moving, often signature-based, archaic security solutions. As such, we must begin to consider how we can achieve similar agility in the way we respond. Perhaps the best way to meet today's threats is to stop relying solely on these legacy tools and begin to focus more on the analyst, our human capital, to piece together malware artifacts.

The research conducted during the writing of this paper set out to identify how memory forensics can be leveraged to aid incident response. We began by discussing the limitations of standard security platforms. Next, we discussed how behavioral indicators can be created based on the tools, techniques, and procedures utilized by attackers. Then, we discussed how we might find data to be used as indicators, how YARA can be used to aid us, and how we might label and group our identified artifacts. Finally, we took a quick look at two pieces of malware and how we can use readily available analysis data to identify them using YARA.

With the techniques discussed here, an analyst can begin to accumulate and utilize indicators from both publicly disclosed sources and private research. These indicators can then be grouped together to form behavioral indicators to move our overall intelligence closer to the adversary. Volatility provides analysts an unprecedented capability to analyze memory images and acquire intelligence. Finally, YARA can be leveraged to identify those indicators across binary data and memory images, allowing for rapid response capabilities.


References

Barnes, C. (2012). Retrieved from Accuvant: http://blog.accuvantlabs.com/blog/case-b/making-ida-1-part-one-%E2%80%93-yara-signature-creation-1

Cloppert, M. (2009). Security Intelligence: Attacking the Kill Chain. Retrieved from SANS.org: http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/

Cross, T. (2012, November 20). Is the era of anti-virus over? Retrieved from SC Magazine: http://www.scmagazine.com/is-the-era-of-anti-virus-over/article/269210/

French, D. (2012). Writing Effective YARA Signatures to Identify Malware. Retrieved from Software Engineering Institute, Carnegie Mellon: http://blog.sei.cmu.edu/post.cfm/writing-effective-yara-signatures-to-identify-malware

Gutierrez, F. (2012, December). Trojan.Stabuniq Found on Financial Institution Servers. Retrieved from Symantec: http://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers

Hoglund, G. (2011). Is APT really about the person and not the malware? Retrieved from Fast Horizon: http://fasthorizon.blogspot.com/2011/04/is-apt-really-about-person-and-not.html

Hypponen, M. (2012, June 2). Why antivirus companies like mine failed to catch Flame and Stuxnet. Retrieved from Ars Technica: http://arstechnica.com/security/2012/06/why-antivirus-companies-like-mine-failed-to-catch-flame-and-stuxnet/

Ligh, M., Adair, S., Hartstein, B., & Richard, M. (2010). Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code. Wiley.

Norman. (2012, August). The many faces of Gh0st Rat. Retrieved from norman.com: download01.norman.no/documents/ThemanyfacesofGh0stRat

Rashid, F. Y. (2012, November). How To Detect Zero-Day Malware And Limit Its Impact. Retrieved from Dark Reading: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240062798/how-to-detect-zero-day-malware-and-limit-its-impact.html

Sikorski, M., & Honig, A. (2012). Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press.

The MITRE Corporation. (2012). Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX™).

YARA in a nutshell. (2013). Retrieved from yara-project: http://code.google.com/p/yara-project/


Appendix A

Blogs, companies, and tools mentioned within this paper:

http://malwaremustdie.blogspot.jp/ – Malware Must Die!

http://joe4security.blogspot.ch – Joe Security LLC

http://hooked-on-mnemonics.blogspot.com – Hooked on Mnemonics Worked for Me

http://www.mandiant.com/ – Mandiant

http://www.fireeye.com/ – FireEye

http://www.secureworks.com/cyber-threat-intelligence/blog – Dell SecureWorks

https://github.com/technoskald/maltrieve – Maltrieve

http://dionaea.carnivore.it – Dionaea malware honeypot

http://virusshare.com/ – VirusShare

http://malwr.com/ – Malwr

http://offensivecomputing.net/ – Offensive Computing / Open Malware

http://contagiodump.blogspot.com/ – Contagio Malware Dump

http://code.google.com/p/yara-project/ – YARA Project

https://www.mandiant.com/blog/mandiant-exposes-apt1-chinas-cyber-espionage-units-releases-3000-indicators/ – Mandiant's APT1 Report

http://www.threatexpert.com/ – ThreatExpert automated threat analysis

Last Updated: November 23rd, 2020
