CompTIA CYSA+ CS0-002 – Analyzing Host-related IOCs Part 1
In this section of the course, we’re going to discuss how we can detect and analyze host related indicators of compromise. In this section, we’re going to continue to focus on domain four, with a focus on Objective 4. 3. Now, Objective 4. 3 states that given an incident, you must analyze potential indicators of compromise. In this section of the course, we’re going to focus on those host related IOCs, like I said. Now, as we move through this section section, we’re going to start looking at exactly what a host related IOC is and how they’re used to detect malicious activity within our workstations and our servers. Then we’re going to move into some commonIOC types and how to identify them.
This includes malicious processes, conducting memory forensics, analyzing processor consumption, analyzing disk or file system consumption, identifying unauthorized privileges and use, scanning for unauthorized software software, detecting unauthorized changes or hardware additions, and the concept of persistence. Finally, I’m going to perform a demonstration where we’re going to analyze some host related IOCs together inside my lab so you can better understand what these various attacks look like when you’re working as a cybersecurity analyst. All right, let’s start analyzing our workstations and servers to see if we can find any host related IOCs on them.
Host related IOCs or indicators of compromise. Now, there are many contexts for analyzing indicators of compromise or IOCs including instant response forensic investigations and proactive threat hunting as we’ve discussed before. Now, in the last section, we focused on network related IOCs but in this section we’re going to focus on host related indicators of compromise. Now, what exactly do we consider a host? Well, for the purposes of this section we’re really going to focus on the world’s most popular hosts windows based computers, laptops and tablets. Now, while it’s true that things like smartphones, tablets and other devices can be considered hosts we really are going to be focused more on Windows and to some extent Linux in this section due to their popularity as workstations and servers in the business environment.
In a later section, we’re going to cover mobile IOC separately because those are going to rely on different operating systems and different tools to analyze them. So in the rest of this section, we are going to focus on the different ways of identifying bad behavior on a given host. Essentially, we need to find an indicator, a compromise which we define as a sign that an asset has been attacked or is currently under attack. Now, once we find an indicator of compromise we can then use that IOC to create defenses against these attacks and we can use them in our threat hunting. These indicators of compromise can help us identify the presence of malware on a host whether unauthorized accounts and permissions have been created and if the files have been accessed or exfiltrated. So let’s start identifying these IOCs by examining system memory, the file system and the operating system logs on a given host.
Malicious processes. So the real question we have to ask ourselves when we start dealing with malicious process indicators of compromise is how do you tell if something is malicious? Well, one of the ways you do this is by first creating a baseline. You need to know what normal looks like on a system. So when you have a system and you know it’s clean because maybe it hasn’t been connected to the network yet, you can run some baselines on it. You can identify what are the normal processes that this thing is going to be using. And then as new processes are launched, you could see if there are ones you know about or they’re ones that are now suspicious that we would look into. When we talk about a suspicious process, we then need to determine is it just suspicious or is it really malicious? If it’s a malicious process, this means it’s a process that was executed without proper authorization from the system owner for the purpose of damaging or compromising the system.
Now, when you deal with a malicious process, this usually comes as a result of malicious code because malicious code will often be injected into a host process by making it load the malware code as part of a dynamic link library or DLL, within Windows. Now, in Linux we use a different file called an So file, but we’ll talk about that a little bit later. For now, I want you remember that malware can actually be shimmed or injected into a process inside of Windows, especially by using dynamic link libraries. Now, when this happens, this can cause abnormal process behavior to occur. Abnormal process behavior is an indicator that a legitimate process has been corrupted with malicious code for the purposes of damaging or compromising the system.
Now, when we talk about abnormal behavior, we’re talking about things like a process that’s making changes to a registry file without permission, accessing data files in temporary locations on the file system, or using the network for malicious activity, such as beaconing or command and control signals connecting to unknown DNS resolvers, or even trying to use a covert channel. All of these things would be abnormal process behavior because that isn’t approved and isn’t what we’ve designed the system to do. Now, to be able to determine if a process is doing something abnormally, you need to use tools to track and report on the processes. This way you can see what processes are or have been in the past running, and we compare that against our baseline image. Again, if we know what normal looks like and we compare it to what’s running now, we can quickly identify anything suspicious.
So let’s dive into Windows for a little bit and talk about a couple of tools that we can use to identify malicious processes. Now, like I said earlier, malicious processes could be inserted into some regular process or like a DLL file. Now, if you suspect something is wrong on your Windows system, you might want to run the System File Checker. This program written out as FFC for System File Checker will allow you to scan all the files on the system that are made by the system. It’ll check all those protected files and make sure that they’re all running the correct versions and they haven’t been modified. It does this by using a digital signature on each of those files and checking that it hasn’t been changed. In addition to this, we can analyze the processes themselves.
We can do this using tools like Process Monitor and Process Explorer. Both of these tools come as part of the Sysinternals tool suite and they can be used for live analysis and logging of the processes that are being run on the system. In addition to those, we can use Task List which is a command line version of the Task Manager and we can use that to display things like memory usage, the state of running threads or process trees and individual operations for each process. Another tool we might use is PE Explorer. Now PE Explorer is a proprietary software but it has a lot of different features including the ability to browse the structure of an executable Windows file.This is a very useful program to dig into certain processes and see what they’re calling. For instance, which DLLs are they calling up and using.
That way you can identify what processes are calling which possibly suspicious DLLs. Now, in addition to Windows, there’s a lot of people who are using Linux systems, especially Linux servers. And so we have to look at some Linux tools too. On Linux we have tools like pstree and PS. Now both of these will allow you to look at processes but in a very different way. Before we dig into these two tools though, we need to talk about some basic terms within Linux because it’s important to understand these before we can look at processes within Linux because they do run a little bit differently than Windows. First, we have the term daemon. Now a daemon is a background service in the Linux operating system and it runs as a process with the letter D after it.
For instance, if you’re running an Http server it would be known as Httpd which is the Http Damon. We also have the secure shell damon or the file transfer protocol daemon. All of these are basically background services that can run inside the system. Now, there is a specific daemon that we need to talk about before we jump into processes and this is the first daemon that’s launched on a system. It’s known as System D.The init daemon in Linux is the first executed by the kernel during your boot up process and it’s always going to have a ProcessID or PID of one. Now that brings up the term PID which is a ProcessID. Now a Process ID or Process Identification Number is a PID and this is a unique identification number of a process launched by a Linux system.
We use this PID to identify the process and if needed, kill that process. Now, in addition to a PID every PID has a parent PID and a parent PID is a unique identification number of the parent process for every process launched by a Linux system. So now with all of that background behind us we can now go into our tools and the first one is pstree. Now PS Tree is a Linux command that provides a parent child relationship of all the processes on a given system. So if I run PS Tree I’m going to see something like this. Now notice the first process we see System D with a process ID of one. This is the first process that is launched when you start the system. All the other processes you see on this screen are going to be children of System D.
Now the first process on my screen here is Modem Manager which shows up as Process ID 936. This is the child of System D and it is a child of parent Process ID one. Now underneath Modem Manager we have additional processes that have been launched. You can see here GD bus. Now notice next to GD Bus we have the same process ID of 936 that’s because it’s saying 936 launched me which in this case was the Modem Manager. So GD Bus is a sub process or child process of the Modem Manager. Now if I jump down to the next one you can see Network Manager and under that we also have GD Bus. But this version of GD Bus this process was launched under 928 which is the Network Manager.
So you can have processes that are launched multiple times from multiple different other processes and the child process will always link back to the parent ID using that parentheses after its name. Now the other process analysis tool we have in Linux is PS and PS is a command that lists the attributes of all the current processes. So if I use the PS command by default it’s only going to show processes started by the current user when you launch it. So if I go to my command prompt and type in PS Enter all I’m going to get is the one process that was launched by me. In this case I’ve only launched one process on my system the Bash command which was the shell that I’m typing into.
Now, if I want to take this further and be able to see a full list of all the running processes for all the users, I’m going to use the command PSA or PS e. Both of these are equivalent to show me a full list of all the running processes for all the users. And it will look something like this. Notice here I use PSA and you can see PID One. It was the first one launched and it was launched as SBIN launchd, which again launches the system daemon. And then I have other process IDs going down. For instance, 43 shows me that I launched the syslog daemon, 44 shows me that I launched the user event Agent.
All of these are different daemons and different processes that have been launched on my system, but they weren’t launched by me. A lot of these were launched by other users or the operating system itself. In this case, it was launched by the operating system when I booted up my computer. Now, as you can see here on the screen, there is a lot of information inside the PS command. I get the PID, which tells me what process it is, I get the TTY if we’re connected remotely, I get the time which tells me how long has this been up and running and then I have the command that launched it. So when you’re looking at all this data, it actually goes on for several pages.
I only showed you a small chunk of my operating system here if you wanted to find certain commands, for instance, I want to search and find the Cron command, I can do that by using PSC for command, and then the command I’m looking for Cron. This command will display the process for the Cron command, essentially just the one line I need. Now if I want to sort all that display, I can do that by using PSA and then piping that over to the Sort command. We talked about the Sort command previously. When we’re dealing with the sort command with K three, what does that mean? Well, it means I’m going to sort the third column, which was execution time, and that I’m going to display to the screen.
So now I can see what has been executed the longest, or what has been executed the shortest. This way I can sort things by execution time, and if I know something happened five minutes ago in my system, I can go back and look what happened five minutes ago that may be malicious and identify that process. Now, as I mentioned earlier, when you’re dealing with Windows, malware will try to inject itself into DLLs. Well, in Linux, Malware is often going to use injection into Linux shared libraries. These are also known as shared objects or So files. If you’re responsible for conducting threat hunting on Linux systems, it is recommended that you start learning about these shared objects or these So files because they are often the target of malicious code being injected into them.
Memory forensics. Nowadays, a lot of malware is using fileless techniques. This way they store most of their code or all of their code inside of memory. Now, fileless malware will execute from memory without saving anything to the file system. And if it does save anything to the file system, it’s very careful to delete that as quickly as possible. This makes it harder to detect and harder for you to do your threat hunting. Now, file list detection techniques are techniques that require the analysis of the contents of system memory and of the process behavior rather than relying on scanning of the file system. Because file list malware doesn’t leave a lot of traces on the hard drive or the file system, you have to use special techniques to find it.
In this lesson, that’s what we’re going to focus on. Now, a memory analysis technique is going to allow you to reverse engineer the code used by the process. It will allow you to discover how the process interacts with the file system, also known as the handles, and how it reinteracts with the registry. Also, it’ll help you to examine network connections, retrieve cryptographic keys, and extract strings from within the memory. This can all be done once you have a memory dump. And we’ve talked about how to collect memory dumps all the way back in our forensic lessons. Now, what kind of strings could you extract from one of these memory dumps? Well, let’s say I was making a communications call over Skype.
As I place that call, Skype is going to write a specific string to memory for every message sent or every call that goes out. So I could use that to be able to search that string inside of memory to identify where in that memory they have been storing those messages. So if I was a bad actor, for instance, and I was communicating with somebody else over Skype and you’ve collected an image of my computer, you could go into that and figure out exactly what I was saying and to who I was saying it to, because that string would act as a pointer to the rest of the message. Now, if you think back to our forensic lessons, we talked about FTK and Nk’s.
Both of these are commercial and proprietary software that are dedicated forensic suites for collecting information. Now, one of the functions they have is a memory analysis module. It allows you to collect the memory and then analyze it for all of these different types of artifacts. In addition to using FTK or NK, you can also use several different open source and freeware options that are out there. For instance, we have one known as the Volatility Framework. This is an open source memory forensics tool that has many different modules for analyzing specific elements of memory, such as web browser module that looks at your history, command prompt, history, modules that will look at your command prompt, history, and many others.
When you load up the Volatility Framework, it looks something like this. This is a text based command line interface tool. It allows you to take a memory dump of a system and then go through it for particular information. In this example, I have a dump that was taken from a Windows Seven virtual machine, and I’m going into it using the Volatility Framework and searching that dump for any processes that were running at the time this memory dump was conducted. Now, notice here on the screen I’m using PS List, which is that module, to do that at the end of the first line. This then loads up, searches the memory, shows me the offset location, the name of the processes that were running, the PID, the parent PID, the threads, the handles, the sessions, and then the information of when it was started.
If you see here, I’ve highlighted one called salter exe. As I’ve looked through this list, that is the one process that looks suspicious to me. So I would look at that process, I would find out the information on that process, and then I would start doing some research to figure out what is suspicious about it and whether or not it’s actually malicious in nature. The reason I highlighted that process is because that process is one that I don’t recognize as a legitimate process. All of the other ones I see, there are things that I recognize as legitimate processes as part of my baseline. So now that I’ve identified that process, I can take it one step further. Notice the PID here, 18, eight, and I have 134 handles, which means different files or parts of files that are being touched by that process.
So as I dig a little deeper, I’m going to want to identify what types of files were being touched by Salter Exe. Now, as I do that, I’m going to use Volatility Framework again, going into that memory dump, and I’m going to look at a specific PID and look at the handles for it and the different object types, which in this case are files. So as I do that, I’m seeing again all the ones for PID, 18, eight. Now, I’ve highlighted one that looks interesting to me, and I’ve actually blown that up here on the screen for you. Notice that it has the name nine seven, 8164-274-1292, PDF. Now, why does that look interesting? Well, as I look at the screen here, everything else there looks pretty mundane. But this file has a really weird name.
How many people actually name their files with a random string of digits like this? Most people don’t, but the people who do tend to have malicious intent, and so they’re trying to send this information out, and they send out lots of different random files. And this number, if there was malware embedded in it, might be the unique ID that beacons back and says, hey, this machine is now known by that serial number, because that serial number will identify this part of my botnet. So let’s take it one step further. We’ve identified a process we thought was suspicious. We’ve identified a handle to a file that we think is suspicious. So what else might we look at? Well, as we run Volatility again against this memory dump, the next thing I’m going to look at is network activity.
So I’ll use the netscan module here. You’ll see, I’ve highlighted one all the way at the bottom of the screen. Again, this is the same process, 18 eight being run by the Salter exe file. You’ll see, we have a connection between two IP addresses. And so now we can look at those two IP addresses. We have the first IP, which is our local address. Ten 10 101, coming from port 10 95. This is connecting to the foreign address. The foreign address in this case is 192, 168, 2192, and it’s going on port 80. And so this is essentially either a call out or a beacon or a connection to download, maybe a second stage malware. We don’t know exactly what it is yet, but we do know that this machine, the 101, has made a connection to this remote host over port 80.
And so we can look at that further and then dig in deeper and keep doing our threat hunting as we dive in. So, as you can see here, in this brief example of using the Volatility Framework, there is a lot of information you can get, and it’s just a matter of slicing and dicing that memory dump in different ways using different modules. First, we use the PS list to look at the processes. Second, we looked at the files, and third, we looked at Netscan. Now, in addition to the Volatility Framework, there is another open source tool out there known as Memorize. It works a lot like the Volatility Framework, but it does have a little bit of a cleaner interface. Memorize is a free memory forensic software tool by FireEye that helps incident responders find evil inside live memory.
Now, for the exam. Do you need to know how to use Volatility Framework or Memorize? Well, no, you should know what they do, but you’re not expected to actually perform the analysis like I did in this lesson. If you become an incident responder in the real world, you will be doing threat hunting, and these tools will become invaluable to you.
Popular posts
Recent Posts