triaging suspicious artifacts
play

Triaging Suspicious Artifacts Securit y Risk Advisors, Inc. - PowerPoint PPT Presentation

Oct 17, 2023 •452 likes •723 views

Triaging Suspicious Artifacts Securit y Risk Advisors, Inc. Proprietary and Client Confidential About Us Jonas, GREM Security Risk Advisors (sra.io) Service lines: DFIR, CTA, A&E Clay (ttheveii0x), GREM Security Risk Advisors (sra.io)

  1. Triaging Suspicious Artifacts Securit y Risk Advisors, Inc. Proprietary and Client Confidential

  2. About Us Jonas, GREM Security Risk Advisors (sra.io) Service lines: DFIR, CTA, A&E Clay (ttheveii0x), GREM Security Risk Advisors (sra.io) Service/Project Lead: CTI, CTA, SOC Training Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  3. Topics • Overview o Why Do This o General Approach o Actionable Outputs • File Formats • Tools • Demos • Resources Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  4. Overview Securit y Risk Advisors, Inc. Proprietary and Client Confidential

  5. Overview • Why Do This o Enable SOC analysts o Assessment o Is the artifact malicious? o What’s the threat? o IOCs o Identify techniques of the attack o Improve defense/alert capabilities o Gain intelligence into current threats Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  6. Overview • Does this scale? o Focus on a few artifacts, not all artifacts o Opportunity to maintain/sharpen existing skills o Training opportunity Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  7. Overview • General Approach o OPSEC! Don’t tip off the attackers o Examine the artifact for anomalies o Locate embedded code o Extract/document suspicious code or objects Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  8. Overview • Actionable Outputs o Indicators Of Compromise • Email headers • Domain(s)/URLs • File hashes • Threat hunts (tactics and techniques) o LSASS (non system accounts) o WMI (new event consumer) o DLL injection (CreateRemoteThread) Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  9. File Formats Securit y Risk Advisors, Inc. Proprietary and Client Confidential

  10. File Formats – OLE2 Object Linking & Embedding • Structured storage • Compound File Binary (file-system like structure) • File extensions .doc, .xls • Still used today Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  11. File Formats - OOXML Open Office XML • Multiple files • Macros stored in OLE2 file included in the ZIP • File extensions .docm, .xlsm Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  12. File Formats - PDF PDF • Collection of elements o Header o Object o Stream o Object o Object o Stream o Xref o Trailer Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  13. Tools Securit y Risk Advisors, Inc. Proprietary and Client Confidential

  14. Tools – oledump & olevba Oledump.py • Analyze OLE streams, detect macros, plugin-in support • Only supports Office 97-2003 file formats (doc,xls,ppt,..etc) olevba • Part of oletools package • Detect VBA macros in OLE and OpenXML structures, extract source code. • Detects security related patterns, extract IOCs, detects common obfuscation techniques Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  15. Tools – mraptor • Detect malicious macros using generic heuristics • Can work in bulk mode against multiple files • Detects keywords based on the following criteria: • A: Auto-execution trigger • W: Write to the file system or memory • X: Execute a file or any payload outside the VBA context Suspicious = A + (W OR X) Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  16. Tools – vipermonkey • VBA Emulation engine written in python, relies on oletools Go from • Emulates vba, dll calls, activeX this -> objects, file writes • Great for analyzing highly complex or obfuscated VBA payloads speed/automation tips: To this! -> • Run using PyPy instead of default Python interpreter. • Run using – s to strip out useless statements; if it fails, rerun without. Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  17. Tools – peepdf, pdf-parser, pdfid peepdf • Pdf analysis toolbox • View elements, metadata, use filters • analyze javascript and shellcode via PyV8 and Pylibemu pdf-parser.py • Identify PDF elements • search, filter, and display objects Pdfid.py • Quickly triage a pdf and view occurrences and obfuscation of important pdf references Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  18. Tools – CyberChef • All around great webapp for analysis • Can be used to further decode obfuscated payloads, extract IOCs • can create “recipes” for repeat decoding that can be shared with other analysts! • Runs client-side in your browser or can be downloaded and used offline as well. Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  19. Demos Securit y Risk Advisors, Inc. Proprietary and Client Confidential

  20. Demo - olevba Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  21. Demo - peepdf Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  22. Demo - vipermonkey Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  23. Resources File Formats https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oleds/71120485-e1b9-4a46-ae5d-f7851e8fbaff https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/53989ce4-7b05-4f8d-829b-d08d6148375b https://support.microsoft.com/en-us/office/open-xml-formats-and-file-name-extensions-5200d93c-3449-4380-8e11- 31ef14555b18 Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  24. Resources Tools https://remnux.org/ http://www.decalage.info/en/python/oletools https://blog.didierstevens.com/programs/pdf-tools/ https://gitlab.com/kalilinux/packages/peepdf Securit y Risk Advisors Intl, LLC. Propriet ary and Client Confidenti al

  25. Thank you! Securit y Risk Advisors, Inc. Proprietary and Client Confidential

Recommend

Actionable Objective Optimization for Suspicious Behavior Detection on Large Bipartite Graphs

Actionable Objective Optimization for Suspicious Behavior Detection on Large Bipartite Graphs

Actionable Objective Optimization for Suspicious Behavior Detection on Large Bipartite Graphs Tong Zhao, Matthew Malir, Meng Jiang DM2 Laboratory Computer Science and Engineering University of Notre Dame Suspicious Behavior on Bipartite Graph

584 views • 40 slides
Artifacts of the 20 th century Essential Questions to Consider: 1.) How does examining the

Artifacts of the 20 th century Essential Questions to Consider: 1.) How does examining the

Artifacts of the 20 th century Essential Questions to Consider: 1.) How does examining the evidence and artifacts of earlier times help us to reconstruct the past? 2.) What are the consequences of technology? Can you guess the purpose of

587 views • 17 slides
Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies

Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies

Ninth International Workshop on Managing Technical Debt (MTD 2017) Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies Thorsten Haendler, Stefan Sobernig, and Mark Strembeck Vienna University of Economics

286 views • 13 slides
An Analysis of An Analysis of Network Configuration Artifacts Network Configuration Artifacts

An Analysis of An Analysis of Network Configuration Artifacts Network Configuration Artifacts

An Analysis of An Analysis of Network Configuration Artifacts Network Configuration Artifacts LISA '09, November 5, 2009 David Plonka & Andres Jaan Tack {plonka,tack}@cs.wisc.edu Motivation and Goals Like software quality, network

406 views • 36 slides
WarningBird: Detecting Suspicious URLs in Twitter Stream NDSS 2012 Sangho Lee and Jong Kim

WarningBird: Detecting Suspicious URLs in Twitter Stream NDSS 2012 Sangho Lee and Jong Kim

WarningBird: Detecting Suspicious URLs in Twitter Stream NDSS 2012 Sangho Lee and Jong Kim POSTECH, Korea February 8, 2012 Suspicious URLs in Twitter Twitter suffers from malicious tweets. Containing URLs for spam, phishing,

332 views • 21 slides
DASD Career Readiness Education #DowningtownReady Another Mandate... Career Portfolio 2

DASD Career Readiness Education #DowningtownReady Another Mandate... Career Portfolio 2

DASD Career Readiness Education #DowningtownReady Another Mandate... Career Portfolio 2 Artifacts Per Year Starting in 3rd Grade 5th: 6 Artifacts 8th: +6 Artifacts (Including ICP) 11th: +8 Artifacts The 4 Career 1. Career Awareness

366 views • 17 slides
Draft Refining AI Analysis with CP Techniques or How to identifying suspicious values in

Draft Refining AI Analysis with CP Techniques or How to identifying suspicious values in

Draft Refining AI Analysis with CP Techniques or How to identifying suspicious values in programs with floating-point numbers Michel RUEHER University of Nice Sophia-Antipolis / I3S CNRS, France (joined work with Olivier Ponsini, Claude

529 views • 26 slides
Trust Forum Nassau, Bahamas Process of Analyzing Suspicious Transactions Reports Presented By:

Trust Forum Nassau, Bahamas Process of Analyzing Suspicious Transactions Reports Presented By:

Association of International Banks and Trust Forum Nassau, Bahamas Process of Analyzing Suspicious Transactions Reports Presented By: Mrs. Joann Fritz-Creary Legal Counsel and Training Officer (FIU) 13 th April 2016 Property of the

937 views • 11 slides
Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy

Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy

Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy Webb, Adriana Gregory, Mostafa Fatemi, Azra Alizad GTC 2018, San Jose, USA SIGNIFICANCE Breast cancer is most common and leading cause of death in

303 views • 13 slides
AUSTRAC the value of suspicious matter reporting Markus Erikson, Director Intelligence, AUSTRAC

AUSTRAC the value of suspicious matter reporting Markus Erikson, Director Intelligence, AUSTRAC

AUSTRAC the value of suspicious matter reporting Markus Erikson, Director Intelligence, AUSTRAC July 2020 About AUSTRAC Serious crime is motivated by profit, and no matter the size, most criminal acts leave a financial trail. AUSTRAC is the

274 views • 9 slides
Knowledge Artifacts Evolution: A Human-centered, Community-driven, Data-based Approach Kazuaki

Knowledge Artifacts Evolution: A Human-centered, Community-driven, Data-based Approach Kazuaki

Knowledge Artifacts Evolution: A Human-centered, Community-driven, Data-based Approach Kazuaki Yamada and Yasuhiro Yamamoto KID Lab, RCAST, Univ of Tokyo, Japan 1 1 knowledge artifacts designed and created by human being not only:

313 views • 8 slides
Critical Infrastructure Protection and Suspicious Activity Reporting Texas Department of Public

Critical Infrastructure Protection and Suspicious Activity Reporting Texas Department of Public

Critical Infrastructure Protection and Suspicious Activity Reporting Texas Department of Public Safety Intelligence & Counterterrorism Division GOAL: Prevent terrorist attacks in Texas and prevent criminal enterprises from operating

421 views • 27 slides
DISCOVERY & FINDINGS SUSPICIOUS MOLLUSKS WERE FOUND ON PATROL BOAT #1 DECEMBER 18, 2013

DISCOVERY & FINDINGS SUSPICIOUS MOLLUSKS WERE FOUND ON PATROL BOAT #1 DECEMBER 18, 2013

DISCOVERY & FINDINGS SUSPICIOUS MOLLUSKS WERE FOUND ON PATROL BOAT #1 DECEMBER 18, 2013 AND SUBSEQUENTLY ON 2 SUBSTRATE SETTLING DEVICES SAMPLES WERE COLLECTED BY BOTH STAFF & DFW STAFF AND SENT TO LAB FOR DNA TESTING

377 views • 14 slides
MRO Security Advisory Council (SAC) Webinar Suspicious Packages and Bomb Threat

MRO Security Advisory Council (SAC) Webinar Suspicious Packages and Bomb Threat

MRO Security Advisory Council (SAC) Webinar Suspicious Packages and Bomb Threat Considerations John Breckenridge, Director Corporate Security Business Continuity, KCP&L and Westar, Evergy Companies May 30, 2019 John Breckenridge is

413 views • 25 slides
Identifying Suspicious Activities in Grid Network Traffic Fyodor Yarochkin, Vladimir Kropotov

Identifying Suspicious Activities in Grid Network Traffic Fyodor Yarochkin, Vladimir Kropotov

Identifying Suspicious Activities in Grid Network Traffic Fyodor Yarochkin, Vladimir Kropotov TWGRID/EGI What can be wrong in a cloud?! Agenda Methods Case Studies Lessons Learnt The DATA Raw Data (network packet captures)

408 views • 30 slides
Intercepting Suspicious Chrome Extension Actions Michael Cypher Department of Computing

Intercepting Suspicious Chrome Extension Actions Michael Cypher Department of Computing

Intercepting Suspicious Chrome Extension Actions Michael Cypher Department of Computing Imperial College London June 26, 2017 Michael Cypher (Imperial College London) Intercepting Suspicious Chrome Extension Actions June 26, 2017 1 / 31

561 views • 54 slides
Managing the co-evolution of software artifacts ir. J.M.A.M. Gabriels dr. ir. D.H.R. Holten ir.

Managing the co-evolution of software artifacts ir. J.M.A.M. Gabriels dr. ir. D.H.R. Holten ir.

Managing the co-evolution of software artifacts ir. J.M.A.M. Gabriels dr. ir. D.H.R. Holten ir. M.D. Klabbers ir. W.J.P. van Ravensteijn dr. A. Serebrenik LaQuSo, SynerScope Laboratory for Quality Software Part of TU/e department of

443 views • 15 slides
When is a Table not a Table? Toward the Identification of References to Communicative Artifacts

When is a Table not a Table? Toward the Identification of References to Communicative Artifacts

When is a Table not a Table? Toward the Identification of References to Communicative Artifacts in Text Shomir Wilson Carnegie Mellon University Timeline 2 2011: PhD, Computer Science, University of Maryland Metacognition in AI, dialogue

665 views • 31 slides
Validate Configuration against Build Artifacts: An Essential Step for your Build Process by

Validate Configuration against Build Artifacts: An Essential Step for your Build Process by

Validate Configuration against Build Artifacts: An Essential Step for your Build Process by Harold Fortuin, Ph.D. Principal Software Engineer Fortuitous Consulting Services, Inc. JavaEE projects rely on (XML) config files which reference

609 views • 28 slides
Novel View Synthesis for Stereoscopic Cinema: Detecting and Removing Artifacts ACM 3DVP2010,

Novel View Synthesis for Stereoscopic Cinema: Detecting and Removing Artifacts ACM 3DVP2010,

1 Novel View Synthesis for Stereoscopic Cinema: Detecting and Removing Artifacts ACM 3DVP2010, Firenze, October 29, 2010 Frdric Devernay and Adrian Ramos-Peon with lots of help from Sylvain Duchne INRIA Grenoble - Rhne-Alpes,

302 views • 27 slides
Automated Synthesis of Software Artifacts for Middleware-layer Protocol Interoperability in the

Automated Synthesis of Software Artifacts for Middleware-layer Protocol Interoperability in the

Automated Synthesis of Software Artifacts for Middleware-layer Protocol Interoperability in the IoT Georgios Bouloukakis Donald Bren School of Information & Computer Sciences DSM Group, UC Irvine, June 2018 Enabling Emergent mobile systems

277 views • 13 slides
DO THE ARTIFACTS Discuss with your DETAIL AN AREA OF group and explain your PEACE OR

DO THE ARTIFACTS Discuss with your DETAIL AN AREA OF group and explain your PEACE OR

DO THE ARTIFACTS Discuss with your DETAIL AN AREA OF group and explain your PEACE OR CONFLICT? response. Life in Western THE DEERFIELD RAID Massachusetts in the Early 18 th Century WHERE IS DEERFIELD? HOW PEOPLE SETTLED THE

338 views • 9 slides
Design science Design and investigation of artifacts Empirical validation research

Design science Design and investigation of artifacts Empirical validation research

17 5 2012 Design science Design and investigation of artifacts Empirical validation research Questions: methods What artefact(s) are you developing? How will you investigate its properties? Roel Wieringa University of Twente

570 views • 9 slides
Ownership of Archaeological Artifacts in Ontario Presentation to Red Hill Creek Joint

Ownership of Archaeological Artifacts in Ontario Presentation to Red Hill Creek Joint

Ownership of Archaeological Artifacts in Ontario Presentation to Red Hill Creek Joint Stewardship Board Ohsweken, December 19, 2013 (Rev. A.E. Jones 1908 Old Huronia , Fifth Report of the Bureau of Archives for the Province of Ontario,

501 views • 28 slides

More recommend