ECIH Tools


Performing Strings Search Tools

▪ Strings communicate information from the program to its user.
▪ Analyze the embedded strings of readable text within the program's executable file, e.g., status update strings and error strings.
▪ Use tools such as BinText to extract embedded strings from executable files.
▪ BinText
Source: https://www.aldeid.com
BinText is a text extractor that can extract text from any kind of file. It can find plain ASCII text, Unicode text, and Resource strings, providing useful information for each item.
Some of the additional string searching tools include:
▪ FLOSS (https://www.fireeye.com)
▪ Strings (https://docs.microsoft.com)
▪ Free EXE DLL Resource Extract (http://www.resourceextract.com)
▪ Hex Workshop (http://www.hexworkshop.com)

Report Writing Tools

▪ Report writing tools help incident handlers generate effective reports on incidents detected during the incident handling and response process.
▪ MagicTree
Source: https://www.gremwell.com
MagicTree stores data in a tree structure. This is a natural way of representing the information gathered during a network test: a host has ports, which have services, applications, vulnerabilities, and so on. The tree structure is also flexible for adding new information without disturbing the existing data: if at some point you decide that you need the MAC address of a host, you just add another child node to the host node. While a tree structure is natural for representing the information, it is not very convenient for actually using the data. To feed data to programs, we generally want lists or tables of items. MagicTree allows extracting the data and presenting it in table (or list) form. The query interface uses XPath expressions to extract data.
▪ KeepNote
Source: http://keepnote.org
KeepNote is a note-taking application that works on Windows, Linux, and Mac OS X. With KeepNote, you can store your class notes, TODO lists, research notes, journal entries, paper outlines, and so on in a simple notebook hierarchy with rich-text formatting, images, and more. Using full-text search, you can retrieve any note for later reference. KeepNote is designed to be cross-platform (implemented in Python and PyGTK) and stores your notes in simple, easy-to-manipulate file formats (HTML and XML). Archiving and transferring your notes is as easy as zipping or copying a folder.

Files and Folder Monitoring Tools

- Malware normally modifies the system's files and folders after infecting a computer.
- Use file and folder integrity checkers like Tripwire and Netwrix Auditor to detect changes in system files and folders.
- You can also use Windows utility tools like SIGVERIF.
File and Folder Integrity Checkers/Tools
▪ SIGVERIF
Source: https://support.microsoft.com
SIGVERIF is a built-in Windows tool, included in Windows 10/8/7, that searches for unsigned drivers on a system. When you find an unsigned driver, you can move it to a new folder, restart the system, and test the program and its functionality for errors. Below are the steps for identifying unsigned drivers using SIGVERIF:
o Click Start → Run, type SIGVERIF, and then click OK.
o Click the Advanced button, then click "Look for other files that are not digitally signed".
o Navigate to the Windows\System32\drivers folder, and then click OK.
o After Sigverif has finished its check, it displays a list of all unsigned drivers installed on the computer. The list of all signed and unsigned drivers found by Sigverif is written to the Sigverif.txt file in the %Windir% folder, typically the Windows folder.
Some of the additional file integrity checking tools include:
▪ Tripwire File Integrity Manager (https://www.tripwire.com)
▪ Netwrix Auditor (https://www.netwrix.com)
▪ Verisys (https://www.ionx.co.uk)
▪ PA File Sight (https://www.poweradmin.com)
▪ CSP File Integrity Checker (https://www.cspsecurity.com)
▪ NNT Change Tracker (https://www.newnettechnologies.com)
▪ AFICK (Another File Integrity Checker) (http://afick.sourceforge.net)
▪ Fsum Frontend (http://fsumfe.sourceforge.net)
▪ OSSEC (https://www.ossec.net)
▪ IgorWare Hasher (https://www.igorware.com)

Windows Services Monitoring Tools

- Malware spawns Windows services that give attackers remote control of the victim machine and let them pass malicious instructions.
- Malware renames its processes to look like genuine Windows services in order to avoid detection.
- Malware may also employ rootkit techniques to manipulate the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services registry keys to hide its processes.
Use Windows services monitoring tools such as Windows Service Manager (SrvMan) to trace malicious services initiated by the malware.
▪ Windows Service Manager (SrvMan)
Source: http://tools.sysprogs.org
SrvMan has both GUI and command-line modes. It can also be used to run arbitrary Win32 applications as services (when such a service is stopped, the main application window is closed automatically). You can use SrvMan's command-line interface to perform the following tasks:
o Create services:
srvman.exe add <file.exe/file.sys> [service name] [display name] [/type:<service type>] [/start:<start mode>] [/interactive:no] [/overwrite:yes]
o Delete services:
srvman.exe delete <service name>
o Start/stop/restart services:
srvman.exe start <service name> [/nowait] [/delay:<delay in msec>]
srvman.exe stop <service name> [/nowait] [/delay:<delay in msec>]
srvman.exe restart <service name> [/delay:<delay in msec>]
o Install and start a legacy driver with a single call:
srvman.exe run <driver.sys> [service name] [/copy:yes] [/overwrite:no] [/stopafter:<msec>]
Some of the additional Windows service monitoring tools include:
▪ Advanced Windows Service Manager (https://securityxploded.com)
▪ Netwrix Service Monitor (https://www.netwrix.com)
▪ AnVir Task Manager (https://www.anvir.com)
▪ Service+ (https://www.activeplus.com)
▪ Easy Windows Service Manager (https://archive.codeplex.com)
▪ Nagios XI (https://www.nagios.com)
▪ Windows Service Monitor (https://www.manageengine.com)
▪ PC Services Optimizer (https://www.smartpcutilities.com)
▪ SMART Utility (https://www.volitans-software.com)

Installation Monitoring Tools

- When the system or users install or uninstall any software application, there is a chance that it leaves traces of the application data on the system.
- Installation monitoring will help in detecting the hidden and background installations that malware performs.
- Use an installation monitoring tool such as Mirekusoft Install Monitor to monitor the installation of malicious executables.
Installation Monitoring Tools
▪ Mirekusoft Install Monitor
Source: https://www.mirekusoft.com
Mirekusoft Install Monitor automatically monitors what gets placed on your system and allows you to uninstall it completely. Install Monitor works by monitoring which resources, such as files and registry entries, are created when a program is installed. It provides detailed information about the software installed. You can find out how much disk, CPU, and memory your programs are using. It also provides information about how often you use different programs. The program tree is a useful tool that can show you which programs were installed together.
Some of the additional installation monitoring tools include:
▪ SysAnalyzer (https://www.aldeid.com)
▪ Advanced Uninstaller PRO (https://www.advanceduninstaller.com)
▪ Revo Uninstaller Pro (https://www.revouninstaller.com)
▪ Comodo Programs Manager (https://www.comodo.com)

Checking the Email Validity Tools

A valid email address is one to which emails can be sent and from which they can be received. There are particular standards and guidelines for validating email addresses. In the process of detecting and containing malicious emails, as an incident handler, it is your responsibility to check the validity of the received emails. Some of the tools that the IH&R team can use to check the validity of emails are Email Dossier and Email Address Verifier.
▪ Email Dossier
Source: https://centralops.net
Email Dossier is part of the CentralOps.net suite of online network utilities. It is a scanning tool that the incident handler can use to check the validity of an email address. It provides information about the email address, including the mail exchange (MX) records. This tool initiates SMTP sessions to check address acceptance, but it never actually sends email.
Some of the other tools to check email validity are as follows:
▪ Email Address Verifier (https://tools.verifyemailaddress.io)
▪ emailvalidator (http://www.emailvalidator.co)
▪ Email Checker (https://email-checker.net)
▪ G-Lock Software Email Verifier (https://www.glocksoft.com)

Anti-Forensics Techniques: Artifact Wiping/Tools

Anti-Forensics Techniques: Artifact Wiping
Artifact wiping refers to the process of permanently deleting or destroying evidence files using various tools and techniques, such as disk-cleaning utilities, file-wiping utilities, and disk degaussing/destruction techniques.
Anti-Forensics Techniques: Artifact Wiping Tools
▪ Disk-cleaning utilities: Attackers use tools that can overwrite the data on disks through various methods. However, these tools are not completely effective, as they leave footprints. Some of the commonly used disk-cleaning utilities include CCleaner, BCWipe Total WipeOut, Active@ KillDisk, CyberScrub's cyberCide, DriveScrubber, ShredIt, and Secure Erase.
▪ File-wiping utilities: These utilities delete individual files from an OS in a short span of time and leave a much smaller signature than disk-cleaning utilities. However, some experts believe that many of these tools are not effective, as they do not accurately or completely wipe the data and require user involvement. The commonly used file-wiping utilities are BCWipe, R-Wipe & Clean, Eraser, and CyberScrub's PrivacySuite.

Anti-Forensics Techniques: Anti-Forensic Tools

Anti-forensic tools (AFTs) have the capability to change their behavior on detecting the use of computer forensic tools (CFTs). Ex: A worm may not propagate if it discovers that the network is under surveillance.
▪ Trail Obfuscation
Trail obfuscation is one of the anti-forensic techniques that attackers use to mislead, divert, complicate, disorient, sidetrack, and/or distract the forensic examination process. The process involves different techniques and tools, such as:
o Log cleaners
o Spoofing
o Misinformation
o Backbone hopping
o Zombie accounts
o Trojan commands
▪ Timestomp, which is part of the Metasploit Framework, is one of the trail obfuscation tools that attackers use to modify, edit, and delete the date and time metadata of files, making it useless for incident responders.
▪ Transmogrify is another tool used to perform trail obfuscation.

Detecting Malware by Its Covert Communication Techniques

As an incident responder, you can use network monitoring tools like CapLoader and Wireshark to detect any regular outbound malicious beaconing traffic.
o CapLoader
Source: https://www.netresec.com
CapLoader is a Windows tool designed to handle large amounts of captured network traffic. CapLoader indexes PCAP/PcapNG files and visualizes their contents as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. This tool can be useful in analyzing network traffic activity and finding out whether a single host makes multiple DNS requests to 8.8.8.8; such flows are merged together as one row in the Services tab of the CapLoader interface.
You can use network monitoring tools like PRTG Network Monitor and GFI LanGuard to identify any unwanted traffic to malicious and unknown external entities.
o PRTG Network Monitor
Source: https://www.paessler.com
PRTG Network Monitor is a network monitoring tool used to monitor an entire network infrastructure. PRTG supports most technologies, including SNMP (all versions), flow technologies (i.e., NetFlow, jFlow, sFlow), SSH, WMI, Ping, and SQL. A powerful API (Python, EXE, DLL, PowerShell, VB, batch scripting, REST) is used to integrate everything else. It is a tool that is available for every platform.

Analyzing Email Headers Tools

Discussed below are some of the important email header analysis tools that help incident handlers detect spam/malicious emails:
▪ MxToolbox
Source: https://mxtoolbox.com
This tool makes email headers human-readable by parsing them according to RFC 822. Email headers are present on every email you receive via the internet and can provide valuable diagnostic information like hop delays, antispam results, and so on. Incident handlers can use this tool to analyze email headers and detect spam emails.
Listed below are some of the additional tools for analyzing email headers:
▪ E-Mail Header Analyzer (https://www.gaijin.at)
▪ Message Header Analyzer (https://testconnectivity.microsoft.com)
▪ ipTRACKERonline.com (https://www.iptrackeronline.com)
▪ G Suite Toolbox (https://toolbox.googleapps.com)
▪ Email Header Analyzer (https://www.whatismyip.com)

Email Tracking Tools

Email tracking tools help incident handlers track an email and extract information such as sender identity, mail server, sender's IP address, location, and so on. These tools send notifications automatically when the recipients open the mail and give status information about whether the email was successfully delivered or not. Discussed below are some of the important email tracking tools:
▪ eMailTrackerPro
Source: http://www.emailtrackerpro.com
eMailTrackerPro analyzes email headers and reveals information such as the sender's geographical location, IP address, and so on. It saves past traces so that they can be reviewed later.
The following are a few of the most widely used email tracking tools:
▪ PoliteMail (https://politemail.com)
▪ Yesware (https://www.yesware.com)
▪ ContactMonkey (https://contactmonkey.com)
▪ Zendio (http://www.zendio.com)
▪ ReadNotify (https://www.readnotify.com)
▪ DidTheyReadIt (https://www.didtheyreadit.com)
▪ Trace Email (https://whatismyipaddress.com)
▪ Email Lookup - Free Email Tracker (http://www.ipaddresslocation.org)
▪ Pointofmail (https://www.pointofmail.com)
▪ WhoReadMe (http://whoreadme.com)
▪ GetNotify (https://www.getnotify.com)
▪ G-Lock Analytics (https://glockanalytics.com)

Forensic Analysis Tools

▪ Forensic Explorer: Recovers and analyzes hidden system files, deleted files, slack space, and unallocated clusters.
▪ Forensic Toolkit (FTK): A computer forensic investigation tool that delivers cutting-edge analysis, decryption, and password cracking.
▪ Event Log Explorer: A software solution for viewing, monitoring, and analyzing events recorded in the security, system, application, and other logs of Microsoft Windows operating systems.
▪ OSForensics: Helps discover relevant forensic data faster with high-performance file searches and indexing, and restores deleted files.
▪ Helix3: An easy-to-use cyber security solution integrated into your network, giving you visibility across your entire infrastructure and revealing malicious activities such as Internet abuse, data sharing, and harassment.
▪ Autopsy: Helps incident handlers view the file system, retrieve deleted data, and perform timeline analysis during an incident response.
▪ EnCase Forensic: A multi-purpose forensic platform that includes many useful tools to support several areas of the digital forensic process.
▪ Foremost: A console program to recover files based on their headers, footers, and internal data structures.
Some of the additional forensic analysis tools are given below:
▪ Belkasoft Evidence Center (https://belkasoft.com)
▪ RegScanner (https://www.nirsoft.net)
▪ MultiMon (https://www.resplendence.com)
▪ Process Explorer (https://docs.microsoft.com)
▪ Security Task Manager (https://www.neuber.com)
▪ Memory Viewer (http://www.rjlsoftware.com)
▪ Metadata Assistant (https://new.thepaynegroup.com)
▪ HstEx (https://www.digital-detective.net)
▪ XpoLog Log Management (https://xpolog.com)

Detecting Phishing/Spam Mails Tools

Incident handlers can use various automated tools for detecting phishing and spam emails. Discussed below are some of the important tools for detecting phishing emails:
▪ Netcraft
Source: https://toolbar.netcraft.com
The Netcraft Toolbar provides up-to-date information about the sites users visit regularly and blocks dangerous sites. The toolbar provides you with a wealth of information about the sites you visit. This information will help you make an informed choice about the integrity of those sites.
Features:
o Protects your savings from phishing attacks
o Shows the hosting location and risk rating of every website visited (as well as other information)
o Helps in defending the internet community from fraudsters
o Checks if a website supports perfect forward secrecy (PFS)
o Checks if a website is affected by the aftermath of the Heartbleed vulnerability
▪ PhishTank
Source: http://phishtank.com
PhishTank is a collaborative clearinghouse for data and information about phishing on the internet. It provides an open API for developers and researchers to integrate anti-phishing data into their applications.

Email Security Tools

Incident handlers can use various email security tools to prevent evolving email threats. Discussed below are some of the important email security tools:
▪ Gpg4win
Source: https://www.gpg4win.org
Gpg4win enables users to securely transport emails and files with the help of encryption and digital signatures. Encryption protects the contents against an unwanted party reading them. Digital signatures make sure that the mails were not modified and come from a specific sender. Gpg4win supports both relevant cryptography standards, OpenPGP and S/MIME (X.509), and it is the official GnuPG distribution for Windows.
Listed below are some of the additional tools for securing email communication:
▪ Advanced Threat Protection (https://www.hornetsecurity.com)
▪ SpamTitan (https://www.spamtitan.com)
▪ Symantec Email Security.cloud (https://www.symantec.com)
▪ Barracuda Email Security Gateway (https://www.barracuda.com)
▪ Mimecast Email Security (https://www.mimecast.com)
▪ Comodo Dome Anti-spam (https://www.comodo.com)
▪ Spambrella (https://www.spambrella.com)
▪ The Email Laundry (https://www.theemaillaundry.com)
▪ GFI MailEssentials (https://www.gfi.com)
▪ Cisco Email Security (https://www.cisco.com)

DLLs or Shared Libraries Tools

These tools help determine possible rogue or modified DLLs and shared libraries. Tools that help identify currently loaded DLLs or shared libraries include:
▪ ListDLLs
ListDLLs is a utility that reports the DLLs loaded into processes. You can use it to list all DLLs loaded into all processes, into a specific process, or to list the processes that have a particular DLL loaded. ListDLLs can also display full version information for DLLs, including their digital signature, and can scan processes for unsigned DLLs.
Syntax:
listdlls [-r] [-v | -u] [processname|pid]
listdlls [-r] [-v] [-d dllname]
Parameters:
o processname: Dump DLLs loaded by the process (partial name accepted)
o pid: Dump DLLs associated with the specified process ID
o dllname: Show only processes that have loaded the specified DLL
o -r: Flag DLLs that relocated because they are not loaded at their base address
o -u: List unsigned DLLs
o -v: Show DLL version information
The tool displays the full path of the loaded module as well as the version of the loaded DLL. Using this information, responders can find the actual code. Spyware, Trojans, and even rootkits use a technique called DLL injection to load themselves into the memory space of a running process.

Hash Value Tools

Listed below are some of the tools used to calculate hash values:
▪ HashCalc
Source: https://www.slavasoft.com
HashCalc is a free calculator used to compute multiple hashes, checksums, and HMACs for files, text, and hex strings. It allows you to calculate hash (message digest), checksum, and HMAC values based on the most popular algorithms: MD2, MD4, MD5, SHA1, SHA2 (SHA256, SHA384, SHA512), RIPEMD160, PANAMA, TIGER, CRC32, ADLER32, and the hash used in eDonkey (eDonkey2000, ed2k) and eMule tools.
▪ MD5 Calculator
Source: http://www.bullzip.com
MD5 Calculator helps in calculating the MD5 hash value of a selected file. Right-click the file and choose "MD5 Calculator," and the program will calculate the MD5 hash. The MD5 Digest field contains the calculated value. To compare this MD5 digest to another, paste the other value into the Compare To field. An equal sign ("=") appears between the two values if they are equal; otherwise, a less-than ("<") or greater-than (">") sign tells you that the values are different.
▪ HashMyFiles
Source: https://www.nirsoft.net
HashMyFiles is a small utility that calculates the MD5 and SHA1 hashes of one or more files on the system. It allows you to copy the MD5/SHA1 hash list to the clipboard or save it to a text/HTML/XML file. You can launch HashMyFiles from the context menu of Windows Explorer to display the MD5/SHA1 hashes of the selected file or folder.

Event Log Monitoring and Analysis Tools

Log analysis is the process of analyzing computer-generated records of activity to identify malicious or suspicious events. Use log analysis tools like Loggly to identify suspicious logs or events with malicious intent.
Log Analysis Tools:
▪ Loggly
Source: https://www.loggly.com
Loggly automatically recognizes common log formats and gives a structured summary of all your parsed logs. It provides real-time log monitoring and shows system behavior and unusual activity. It brings logs from the depths of an organization's infrastructure to track activity and analyze trends. It shows how components interact and identifies correlations. Logs can be captured in real time over either syslog or HTTP.
Features:
o Tracks SLA compliance and identifies anomalies and suspicious events
o Secures log data transmission
o Generates a real-time, bird's-eye view of logs
o Monitors proactively
▪ SolarWinds Log & Event Manager (https://www.solarwinds.com)
▪ Netwrix Event Log Manager (https://www.netwrix.com)
▪ LogFusion (https://www.logfusion.ca)
▪ Alert Logic Log Manager (https://www.alertlogic.com)
▪ EventTracker Log Manager (https://www.eventtracker.com)

Startup Programs Monitoring Tools

Malware can alter the system settings and add itself to the startup menu to perform malicious activities whenever the system starts. Manually check, or use startup monitoring tools like Autoruns for Windows and WinPatrol, to detect suspicious startup programs and processes.
Steps to manually detect hidden malware:
o Check startup program entries in the registry editor
o Check device drivers automatically loaded
➢ C:\Windows\System32\drivers
o Check boot.ini or bcd (bootmgr) entries
o Check Windows services automatically started
➢ Go to Run → type services.msc → sort by Startup Type
o Check the startup folder
➢ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Startup Program Monitoring Tool:
▪ Autoruns for Windows
Source: https://docs.microsoft.com
This utility, which has the most comprehensive knowledge of autostart locations of any startup monitor, displays what programs are configured to run during system bootup or login and shows the entries in the order Windows processes them. Besides programs in the startup folder, Run, RunOnce, and other Registry keys, users can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, and autostart services. Autoruns' Hide Signed Microsoft Entries option helps the user zoom in on third-party autostarting images that have been added to the system, and it supports looking at the autostarting images configured for other accounts on the system.
Some of the additional startup program monitoring tools include:
▪ WinPatrol (https://www.winpatrol.com)
▪ Autorun Organizer (https://www.chemtable.com)
▪ Quick Startup (https://www.glarysoft.com)
▪ StartEd Pro (https://www.outertech.com)
▪ Chameleon Startup Manager (http://www.chameleon-managers.com)
▪ BootRacer (http://www.greatis.com)
▪ WinTools.net: Startup Manager (http://www.wintools.net)
▪ EF StartUp Manager (http://www.efsoftware.com)
▪ PC Startup Master (https://www.smartpcutilities.com)
▪ CCleaner (https://www.piriform.com)
▪ Startup Delayer (https://www.r2.com.au)

Preparation of Network Security Incident Handling Toolkit: Linux-based Tools to Analyze Incidents

Network Analysis Tools
▪ Nmap (https://nmap.org)
▪ Netstat (https://docs.microsoft.com)
▪ Wireshark (https://www.wireshark.org)
▪ Tcpdump (http://www.tcpdump.org)
▪ MD5sums (http://www.pc-tools.net)
▪ md5deep (https://github.com)
Command Line Tools
▪ traceroute
▪ ARP
▪ ifconfig
▪ File system
▪ lsof
▪ dd
▪ df
▪ fdisk
▪ strings
▪ grep
Malware Analysis Tools
▪ VirusTotal (https://www.virustotal.com)
▪ IDA Pro (https://www.hex-rays.com)
▪ Cuckoo Sandbox (https://cuckoosandbox.org)
Command Line Tools
▪ Processes
▪ htop
▪ top
▪ ps
Volatile Memory Analysis Tools
▪ Rekall (https://github.com)
▪ Memfetch (http://lcamtuf.coredump.cx)
▪ LiME (https://github.com)
▪ Volatilitux (https://code.google.com)
Session Management Tools
▪ w/who
▪ rwho
▪ lastlog

Malware Analysis Tools (Additional)

Other Supporting Tools for Malware Analysis
Following are some of the supporting tools required to perform malware analysis:
Virtual Machine Tools
▪ Hyper-V (https://docs.microsoft.com)
▪ Parallels Desktop 14 (https://www.parallels.com)
▪ Boot Camp (https://www.apple.com)
Screen Capture and Recording Tools
▪ SnagIt (https://www.techsmith.com)
▪ Jing (https://www.techsmith.com)
▪ Camtasia (https://www.techsmith.com)
▪ Ezvid (https://www.ezvid.com)
Network and Internet Simulation Tools
▪ ns-3 (https://www.nsnam.org)
▪ Riverbed Modeler (https://www.riverbed.com)
▪ QualNet (https://web.scalable-networks.com)
OS Backup and Imaging Tools
▪ Genie Backup Manager Pro (https://www.genie9.com)
▪ Macrium Reflect Server (https://www.macrium.com)
▪ R-Drive Image (https://www.drive-image.com)
▪ O&O DiskImage 10 (https://www.oo-software.com)

Risk Analysis and Management Tools

The PILAR Risk Analysis and Management tool helps incident handlers assess risks against the critical assets of the organization in several dimensions, such as confidentiality, integrity, availability, authenticity, and accountability. It performs both qualitative and quantitative risk analysis. To eradicate the identified risks, you can implement various countermeasures and security policies. Using PILAR, you can generate risk assessment reports in RTF or HTML format.
Risk Management Tools (additional):
▪ A1 Tracker (http://www.a1tracker.com)
▪ Risk Management Studio (https://www.riskmanagementstudio.com)
▪ IsoMetrix (https://www.isometrix.com)
▪ Sword Active Risk (https://www.sword-activerisk.com)
▪ iTrak (https://www.iviewsystems.com)
▪ Certainty Software (https://www.certaintysoftware.com)
▪ Resolver's ERM software (https://www.resolver.com)
▪ Isolocity (https://www.isolocity.com)
▪ Enablon (https://enablon.com)

Process Monitoring Tools

Process monitoring will help in understanding the processes malware initiates and takes over after execution. Incident handlers should also observe the child processes, associated handles, loaded libraries, and functions to define the entire nature of a file or program, gather information about the processes running before execution of the malware, and compare them to the processes running after execution. This method will reduce the time taken to analyze the processes, injected code, and modified functions, and help in easily identifying all the processes that the malware starts, along with the common process injection techniques used by malware. Use process-monitoring tools such as Process Monitor to detect suspicious running processes, malicious parent/child processes, malicious DLLs, and sockets.
▪ Process Monitor
Source: https://docs.microsoft.com
Process Monitor is a monitoring tool for Windows that shows real-time file system, registry, and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements, including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and so on. The unique features of Process Monitor make it a core utility in the system troubleshooting and malware hunting toolkit.
Features:
o More data captured for operation input and output parameters.
o Non-destructive filters allow you to set filters without losing data.
o Capture of thread stacks for each operation makes it possible in many cases to identify the cause of an operation.
o Reliable capture of process details, including image path, command line, user, and session ID.
o Configurable and movable columns for any event property.
o Filters can be set for any data field, including fields not configured as columns.
o Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data.
o Process tree tool shows the relationship of all processes referenced in a trace.
o Native log format preserves all data for loading in a different Process Monitor instance.
Some of the additional process monitoring tools include:
▪ Process Explorer (https://docs.microsoft.com)
▪ M/Monit (https://mmonit.com)
▪ ESET SysInspector (https://www.eset.com)
▪ System Explorer (http://systemexplorer.net)
▪ Security Task Manager (https://www.neuber.com)
▪ HiJackThis (https://sourceforge.net)
▪ Yet Another (remote) Process Monitor (http://yaprocmon.sourceforge.net)
▪ Process Network Monitor (https://securityxploded.com)
▪ OpManager (https://www.manageengine.com)

Preparation of Network Security Incident Handling Toolkit: Windows-based Tools to Analyze Incidents

Registry Analysis Tools
▪ jv16 Power Tools 2017 (https://www.macecraft.com)
▪ regshot (https://sourceforge.net)
▪ Reg Organizer (https://www.chemtable.com)
▪ Registry Viewer (http://accessdata.com)
▪ RegScanner (http://www.nirsoft.net)
Network Analysis Tools
▪ Nmap (https://nmap.org)
▪ Wireshark (https://www.wireshark.org)
▪ TCPView (https://docs.microsoft.com)
▪ Netstat (https://docs.microsoft.com)
▪ Nbtstat (https://docs.microsoft.com)
▪ Tracert (https://support.microsoft.com)
▪ Packet Capture (https://www.netscantools.com)
▪ Real-Time NetFlow Analyzer (https://www.solarwinds.com)
▪ ManageEngine NetFlow Analyzer (https://www.manageengine.com)
File System Analysis Tools
▪ PE Explorer (http://www.heaventools.com)
▪ Pescan (https://tzworks.net)
▪ PEView (https://www.aldeid.com)
▪ Resource Hacker (http://www.angusj.com)
▪ WinDirStat (https://windirstat.net)
▪ DiskSavvy (https://www.disksavvy.com)
▪ MD5sums (http://www.pc-tools.net)
▪ md5deep (https://github.com)
▪ Hashtab (http://implbits.com)
Malware Analysis Tools
▪ VirusTotal (https://www.virustotal.com)
▪ IDA Pro (https://www.hex-rays.com)
▪ Ollydbg (http://www.ollydbg.de)
▪ Windbg (https://docs.microsoft.com)
▪ Cuckoo Sandbox (https://cuckoosandbox.org)
▪ Blueliv Sandbox (https://www.blueliv.com)
Process Analysis Tools
▪ Process Monitor (https://docs.microsoft.com)
▪ Process Explorer (https://docs.microsoft.com)
▪ Tasklist (https://docs.microsoft.com)
▪ Monit (https://mmonit.com)
▪ ESET SysInspector (https://www.eset.com)
▪ System Explorer (http://systemexplorer.net)
Services Analysis Tools
▪ Services.msc (https://docs.microsoft.com)
▪ MSConfig (https://docs.microsoft.com)
▪ SrvMan (http://tools.sysprogs.org)
▪ Net start (https://docs.microsoft.com)
▪ Task Scheduler (https://docs.microsoft.com)
Volatile Memory Analysis Tools
▪ Rekall (https://github.com)
▪ Memdump (https://support.microsoft.com)
▪ MemGator (http://e5hforensics.com)
▪ Memoryze (https://www.fireeye.com)
▪ KnTTools (http://www.gmgsystemsinc.com)
Active Directory Tools
▪ SolarWinds Server & Application Monitor (https://www.solarwinds.com)
▪ Adaxes (https://www.adaxes.com)
▪ ADManager Plus (https://www.manageengine.com)
▪ Anturis Active Directory Monitor (https://anturis.com)

Malware Analysis Tools-Software

Software tools required for detection and analysis of malware include:
▪ Virtualization software such as VirtualBox, VMware vSphere Hypervisor, and Microsoft Virtual Server
▪ Forensic image extraction tools such as FTK Imager for data acquisition
▪ PE analysis tools such as PEView, PeStudio, PEiD, and PEBrowse
▪ Tools for taking snapshots of the hosts such as Regshot, RegMon, FileMon, and Total Commander
▪ Memory dumping tools such as Scylla and OllyDumpEx
▪ Network sniffing tools such as Wireshark
▪ Network simulation software such as iNetSim
▪ Process exploring and monitoring tools such as Process Monitor and Process Explorer
▪ Hex viewing tools such as HexEditor, 010 Editor, and Hexinator
▪ Debugging tools such as OllyDbg and IDA Pro
▪ Tools for searching malicious strings such as ResourcesExtract, BinText, and Hex Workshop
▪ Tools such as Dependency Walker for finding program dependencies

Malware Analysis Tools- Hardware

The IH&R team must build a malware toolkit with the following hardware tools:
▪ A ready-to-use jump kit with different types of connectors to acquire data from the compromised system and create its backup
▪ Storage media to store the acquired and backup data
▪ A write-protect device to prevent the modification of data during acquisition and backup
▪ A system with a virtualization client installed to run a sandbox

Analyzing Email Logs Tools

The responders can use tools such as EventLog Analyzer to analyze email logs at the server level and detect the emails that attackers used for phishing or spamming.
▪ EventLog Analyzer
Source: https://www.manageengine.com
EventLog Analyzer provides log management with agent and agentless methods of log collection, custom log parsing, and complete log analysis with reports and alerts. It allows you to audit all your critical application servers. Along with predefined reports for supported applications, the solution also allows you to monitor custom applications. Its custom log parser enables you to easily parse and validate custom log formats.

Registry Monitoring Tools

The Windows registry stores OS and program configuration details, such as settings and options. If the malware runs as a program, the registry stores its configuration too. Malware uses the registry to perform harmful activity continuously by storing entries in the registry that ensure the malicious program runs automatically whenever the computer or device boots. Use registry monitoring tools like jv16 Power Tools 2017 and RegScanner to scan registry values for any suspicious entries that may indicate a malware infection.
▪ jv16 Power Tools 2017
Source: https://www.macecraft.com
jv16 Power Tools is a PC system utility that works by cleaning out unneeded files and data, cleaning the Windows registry, automatically fixing system errors, and applying optimizations to your system. It allows you to scan and monitor the registry, which helps in detecting registry entries created by malware. The "Clean And Speedup My Computer" feature of Registry Cleaner in jv16 Power Tools 2017 is a solution for fixing registry errors and system errors, cleaning registry leftovers, and removing unneeded files such as old log files and temporary files.
Some of the additional registry monitoring tools include:
▪ Regshot (https://sourceforge.net)
▪ Reg Organizer (https://www.chemtable.com)
▪ Registry Viewer (https://accessdata.com)
▪ RegScanner (http://www.nirsoft.net)
▪ Registrar Registry Manager (https://www.resplendence.com)
▪ Active Registry Monitor (https://www.devicelock.com)
▪ MJ Registry Watcher (https://www.jacobsm.com)
▪ Buster Sandbox Analyzer (https://bsa.isoftware.nl)

Monitoring tools

Incident monitoring is performed using tools such as IDS/IPS, SIEM, and firewalls.

Antivirus Tools

▪ ClamWin
Source: http://www.clamwin.com
ClamWin is a free, open-source antivirus program for Windows systems. It comes with a super-fast installer and an easy-to-use interface, which makes it convenient to detect and clean infections from a computer system. It provides high detection rates for viruses and spyware and a scanning scheduler.
Listed below are some of the additional tools for eradicating malware:
▪ Bitdefender Antivirus Plus 2019 (https://www.bitdefender.com)
▪ Kaspersky Anti-Virus (https://www.kaspersky.com)
▪ McAfee Total Protection (https://home.mcafee.com)
▪ Norton AntiVirus (https://in.norton.com)
▪ Avast Premier Antivirus (https://www.avast.com)
▪ ESET Smart Security (https://www.eset.com)
▪ AVG Antivirus FREE (https://www.avg.com)
▪ Avira Antivirus Pro (https://www.avira.com)

Collecting Volatile Evidence Tools

▪ Cyber Triage
Source: https://www.cybertriage.com
Cyber Triage is incident response software that helps incident responders and forensic investigators determine if a host is compromised through simplified collection and analysis of endpoint data. It can perform a comprehensive analysis on a system image, a memory image, or over a network on a live system. This enables incident response teams to gather data about a system remotely without having to install an agent on the remote system.
▪ Process Explorer
Source: https://docs.microsoft.com
Process Explorer shows information about the handles and DLLs that processes have opened or loaded. The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in. If it is in handle mode, you will see the handles opened by the process selected in the top window; if Process Explorer is in DLL mode, you will see the DLLs and memory-mapped files that the process has loaded.
Some of the additional tools for collecting volatile information are listed below:
▪ PMDump (http://www.ntsecurity.nu)
▪ ProcDump (https://docs.microsoft.com)
▪ Process Dumper (PD) (https://www.trapkit.de)
▪ PsList (https://docs.microsoft.com)
▪ Tasklist (https://docs.microsoft.com)

Data Imaging Tools

▪ FTK Imager
FTK Imager is a data preview and imaging tool that enables analysis of files and folders on local hard drives, CDs/DVDs, and network drives, and examination of the contents of forensic images or memory dumps. FTK Imager can also create MD5 or SHA1 hashes of files, review and recover files deleted from the Recycle Bin, export files and folders from forensic images to disk, and mount a forensic image to view its contents in Windows Explorer.
▪ R-Drive Image
R-Drive Image is a potent utility that creates disk image files for backup or duplication purposes. R-Drive Image restores the images on the original disks, on any other partitions, or even on a hard drive's free space. Using R-Drive Image, one can restore the system after heavy data loss caused by an operating system crash, virus attack, or hardware failure.
Features:
o A simple wizard interface
o Image file compression
o Removable media support
o Image file splitting
o Image protection
Some of the additional data imaging tools are listed below:
▪ EnCase Forensic (https://www.guidancesoftware.com)
▪ Data Acquisition Toolbox (https://in.mathworks.com)
▪ RAID Recovery for Windows (https://www.runtime.org)
▪ R-Tools R-Studio (https://www.r-studio.com)
▪ F-Response Imager (https://www.f-response.com)

DNS Monitoring/Resolution Tools

▪ Malicious software called DNSChanger is capable of changing the system's DNS server settings and provides the attackers with control of the DNS server used on the victim's system
▪ Use DNS monitoring tools such as DNSQuerySniffer to verify the DNS servers that the malware tries to connect to and identify the type of connection
▪ DNSQuerySniffer
Source: https://www.nirsoft.net
DNSQuerySniffer is a network sniffer utility that shows the DNS queries sent on your system. For every DNS query, the following information is displayed: Host Name, Port Number, Query ID, Request Type (A, AAAA, NS, MX, and so on), Request Time, Response Time, Duration, Response Code, Number of records, and the content of the returned DNS records. You can easily export the DNS query information to a CSV/tab-delimited/XML/HTML file, or copy the DNS queries to the clipboard and then paste them into Excel or another spreadsheet application.
Some of the additional DNS monitoring/resolution tools include:
▪ DNSstuff (https://www.dnsstuff.com)
▪ DNS Lookup Tool (https://www.ultratools.com)
▪ Sonar (https://constellix.com)

Network Traffic Monitoring Tools

▪ Malware connects back to its handlers and sends confidential information to attackers
▪ Use network scanners and packet sniffers to monitor network traffic going to malicious remote addresses
▪ Use network scanning tools such as Capsa to monitor network traffic and look for suspicious malware activities
▪ Capsa Network Analyzer
Source: https://www.colasoft.com
Capsa is a portable network analyzer application for both LANs and WLANs, which performs real-time packet capturing, 24/7 network monitoring, advanced protocol analysis, in-depth packet decoding, and automatic expert diagnosis. Capsa is an intuitive network analyzer, which provides detailed information to help in checking if there are any Trojan activities on a network. It helps incident responders to pinpoint and resolve application problems.
Features:
o Real-time packet capture, as well as the ability to save data transmitted over local networks, including wired networks and wireless networks like 802.11a/b/g/n
o Identifies and analyzes network protocols, as well as network applications based on the protocol analysis
o Identifies "Top Talkers" by monitoring network bandwidth and usage, capturing data packets transmitted over the network, and providing a summary and decoding information about these packets
o Monitors and saves internet email and instant messaging traffic, helping identify security and confidential data handling violations
o Diagnoses and pinpoints network problems by detecting and locating suspicious hosts
o Maps the traffic, IP address, and MAC address of each host on the network, allowing identification of each host and the traffic that passes through it
Some of the additional network activity monitoring tools include:
▪ Wireshark (https://www.wireshark.org)
▪ Nessus (https://www.tenable.com)
▪ NetResident (https://www.tamos.com)
▪ PRTG Network Monitor (https://kb.paessler.com)
▪ GFI LanGuard (https://www.gfi.com)
▪ NetFort LANGuardian (https://www.netfort.com)
▪ CapMon (https://www.capmon.dk)
▪ Nagios XI (https://www.nagios.com)
▪ Total Network Monitor (https://www.softinventive.com)

Tools for Detecting Missing Security Patches

▪ Microsoft Baseline Security Analyzer (MBSA)
Source: https://www.microsoft.com
Microsoft Baseline Security Analyzer (MBSA) is a tool designed for IT professionals that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations. It lets incident handlers scan local and remote systems for missing security updates as well as common security misconfigurations. MBSA includes a graphical and a command line interface that can perform local or remote scans of Microsoft Windows systems. When assessing missing security updates, MBSA scans only for missing security updates, update rollups, and service packs available from Microsoft Update.
Some of the additional tools for detecting missing security patches are listed below:
▪ GFI LanGuard (https://www.gfi.com)
▪ Symantec Client Management Suite (https://www.symantec.com)
▪ MaaS360 Patch Analyzer (https://www.ibm.com)
▪ Solarwinds Patch Manager (https://www.solarwinds.com)
▪ Kaseya Security Patch Management (https://www.kaseya.com)
▪ Software Vulnerability Manager (https://www.flexera.com)
▪ Ivanti Endpoint Security (https://www.ivanti.com)
▪ Patch Connect Plus (https://www.manageengine.com)
▪ Automox (https://www.automox.com)
▪ Prism Suite (https://www.newboundary.com)

Logged-on Users Tools and Commands

▪ PsLoggedOn Tool
PsLoggedOn is an applet that displays both the locally logged-on users and the users logged on via resources, for either the local computer or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on.
Syntax: psloggedon [-] [-l] [-x] [\\computername | username]
[-] Shows the options and the measurement units for output values
[-l] Displays only local logons
[-x] Does not display logon times
[\\computername] System name for which logon information should be shown
[username] Searches the network for those systems to which that user is logged on
▪ net session Command
The net session command helps to manage server connections. Used without parameters, it displays information about all sessions with the local computer. By using this command, one can view the computer names and user names on a server. It can also show whether users have any open files and how long each user's session has been idle.
Syntax: net session [\\ComputerName] [/delete]
[\\ComputerName] Identifies the computer for which you want to list or disconnect sessions
[/delete] Ends the computer's session with ComputerName and closes all open files on the computer for the session
net help command: Displays help for the specified net command
▪ LogonSessions Tool
LogonSessions lists the currently active logged-on sessions and, if you specify the -p option, the processes running in each session.
Syntax: logonsessions [-c[t]] [-p]
[-c] Prints output as CSV
[-ct] Prints output as tab-delimited values
[-p] Lists processes running in logged-on sessions

Local and Online Malware Scanning Tools

▪ Scan the binary code locally using well-known and up-to-date antivirus software
▪ If the code under analysis is a component of well-known malware, it may already have been discovered and documented by many antivirus vendors
▪ You can also upload the code to online websites such as VirusTotal to get it scanned by a wide variety of different scan engines
▪ VirusTotal
Source: https://www.virustotal.com
VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the detection of viruses, worms, Trojans, and so on. It generates a report that provides the total number of engines that marked the file as malicious, the malware name, and, if available, additional information about the malware. It also offers important details of the online file analysis such as target machine, compilation timestamp, type of file, compatible processors, entry point, PE sections, dynamic link libraries (DLLs), PE resources used, different hash values, IP addresses accessed or contained in the file, program code, and types of connections established.
Some of the additional local and online malware scanning tools include:
▪ Jotti (https://virusscan.jotti.org)
▪ Metadefender (https://metadefender.opswat.com)
▪ Online Scanner (https://www.fortiguard.com)
▪ IObit Cloud (https://cloud.iobit.com)
▪ ThreatExpert (https://www.symantec.com)
▪ Malwr (https://malwr.com)
▪ Valkyrie (https://valkyrie.comodo.com)
▪ Dr.Web Online Scanners (https://vms.drweb.com)
▪ UploadMalware.com (http://www.uploadmalware.com)
▪ ThreatAnalyzer (https://www.threattrack.com)
▪ Payload Security (https://www.payload-security.com)
▪ Anubis (https://sourceforge.net)
▪ Windows Defender Security Intelligence (WDSI) (https://www.microsoft.com)
▪ Bitdefender Quickscan (https://www.bitdefender.com)

Scheduled Task Monitoring Tools

▪ Malware can enable time- or action-based triggers as scheduled tasks
▪ Incident responders need to check the scheduled tasks in a system
▪ Use commands like schtasks or tools like Windows Task Scheduler to detect scheduled tasks
Some of the additional tools used to monitor Windows scheduled tasks are as follows:
▪ Monitoring Task Scheduler Tool (MoTaSh) (https://github.com)
▪ ADAudit Plus (https://www.manageengine.com)
▪ CronitorCLI (https://cronitor.io)
▪ Solarwinds Windows Scheduled Task Monitor (https://www.solarwinds.com)

Collecting System Information Tools

▪ Tools and commands to collect the information:
o Systeminfo.exe (Windows)
o PsInfo (Windows)
o cat (Linux)
o uname (Linux)

API Calls Monitoring Tools

▪ Application programming interfaces (APIs) are parts of the Windows OS that allow external applications to access OS information such as file systems, threads, errors, the registry, and the kernel
▪ Malware programs make use of these APIs to access operating system information and cause damage to the system
▪ Analyzing the API calls may reveal the suspected program's interaction with the OS
▪ Use API call monitoring tools such as API Monitor to monitor API calls made by applications
▪ API Monitor
Source: https://www.apimonitor.com
API Monitor is software that allows you to monitor and display Win32 API calls made by applications. It can trace any exported API and display a wide range of information, including function name, call sequence, input and output parameters, function return value, and more. It is a useful developer tool for seeing how Win32 applications work and learning their tricks.
Some of the additional API monitoring tools include:
▪ APImetrics (https://apimetrics.io)
▪ Runscope (https://www.runscope.com)
▪ AlertSite (https://smartbear.com)

Identifying Packing/ Obfuscation Methods- Tools

▪ Attackers often use packers to compress, encrypt, or modify a malware executable file to avoid detection
▪ This complicates the task of reverse engineers in finding out the actual program logic and other metadata via static analysis
▪ Use tools such as PEiD, which detects most common packers, cryptors, and compilers for PE files
▪ PEiD
Source: https://www.aldeid.com
PEiD is a free tool that provides details about Windows executable files. It can identify signatures associated with over 600 different packers and compilers. This tool also displays the type of packer used in packing the program. Additional details it displays include the entry point, file offset, EP section, and subsystem used for packing.
Some of the additional packing/obfuscation tools include:
▪ UPX (https://upx.github.io)
▪ Exeinfo PE (http://exeinfo.atwebpages.com)
▪ ASPack (http://www.aspack.com)

Malware Disassembly and Debugging Tools

▪ Disassemble the binary code and analyze the assembly code instructions
▪ Use tools such as IDA that can reverse machine code to assembly language
▪ Based on the reconstructed assembly code, you can inspect the program logic and recognize its threat potential. This process is carried out by using debugging tools such as OllyDbg (http://www.ollydbg.de)
▪ IDA Pro
Source: https://www.hex-rays.com
IDA Pro is a multiplatform disassembler and debugger that explores binary programs, for which source code is not always available, to create maps of their execution. It shows the instructions in the same way as a processor executes them, in a symbolic representation called assembly language. Thus, it is easy for you to find the harmful or malicious processes.
Features:
o Disassembler: As a disassembler, IDA Pro explores binary programs for which source code is not always available to create maps of their execution.
o Debugger: The debugger in IDA Pro is an interactive tool that complements the disassembler to perform the task of static analysis in one step. It bypasses the obfuscation process, which helps the analyst to process the hostile code in depth.
Some of the additional debugging tools include:
▪ OllyDbg (http://www.ollydbg.de)
▪ WinDbg (http://www.windbg.org)
▪ objdump (https://sourceware.org)
▪ ProcDump (https://docs.microsoft.com)
▪ KD (https://docs.microsoft.com)
▪ CDB (https://docs.microsoft.com)
▪ NTSD (https://docs.microsoft.com)

File Fingerprinting Tools

▪ File fingerprinting is the process of computing the hash value for a given binary code
▪ You can use the computed hash value to uniquely identify the malware or to periodically verify whether any changes are made to the binary code during analysis
▪ Use tools like HashMyFiles to calculate various hash values of the malware file
▪ HashMyFiles
Source: https://www.nirsoft.net
HashMyFiles produces a hash value of a file using the MD5, SHA1, CRC32, SHA-256, SHA-512, and SHA-384 algorithms. The program also provides information about the file such as its full path, date of creation, date of modification, file size, file attributes, file version, and extension. This data helps in searching for and comparing similar files.
Some of the additional file fingerprinting tools include:
▪ Hashtab (http://implbits.com)
▪ HashCalc (http://www.slavasoft.com)
▪ md5deep (http://md5deep.sourceforge.net)
▪ MD5sums (http://www.pc-tools.net)
▪ tools4noobs Online hash calculator (https://www.tools4noobs.com)
▪ Cryptomathic (http://extranet.cryptomathic.com)

Collecting Volatile Information: Current System Uptime Tools

▪ It indicates how long the system has been running since the last reboot
▪ Assists in determining if volatile information collection is worth performing and whether the security incident occurred during the uptime period
▪ Tools to collect uptime information include:
o PsUptime (Windows)
o Net Statistics (Windows)
o Uptime and W (Linux)

Device Drivers Monitoring Tools

▪ Malware may be installed along with device drivers downloaded from untrusted sources and use these drivers as a shield to avoid detection
▪ Use device driver monitoring tools such as DriverView to scan for suspicious device drivers and to verify that the device drivers are genuine and downloaded from the publisher's original site
▪ Go to Run → type msinfo32 → Software Environment → System Drivers to manually check the installed drivers
▪ DriverView
Source: https://www.nirsoft.net
The DriverView utility displays the list of all device drivers currently loaded on the system. For each driver in the list, additional information is displayed, such as the load address of the driver, description, version, product name, and the company that created the driver.
Features:
o Displays the list of all loaded drivers on your system
o Standalone executable
Some of the additional device driver monitoring tools include:
▪ Driver Booster (https://www.iobit.com)
▪ Driver Reviver (https://www.reviversoft.com)
▪ Driver Easy (https://www.drivereasy.com)
▪ Driver Fusion (https://treexy.com)
▪ Driver Genius (http://www.driver-soft.com)
▪ Unknown Device Identifier (http://www.zhangduo.com)
▪ Driver Magician (http://www.drivermagician.com)
▪ DriverHive (http://www.driverhive.com)
▪ InstalledDriversList (https://www.nirsoft.net)
▪ My Drivers (http://www.zhangduo.com)
▪ Driver Agent Plus (https://scan.driverguide.com)
▪ DriverPack (https://drp.su)

Browser Activity Monitoring Tools

▪ Malware uses browsers to connect to its C&C servers and download malicious files
▪ You should monitor the browsing and download history of all browsers installed on the network systems
▪ Use network monitoring tools such as Wireshark and Colasoft Network Analyzer to monitor the browsing activities of users
▪ Wireshark
Source: https://www.wireshark.org
Wireshark is a widely used network protocol analyzer. It captures and intelligently browses the traffic passing through a network. The components of Wireshark are mentioned below:
o Menu Bar: Hosts the features of Wireshark
o Tool Bar: Hosts the more frequently used tools and icons
o Filter Tool Bar: Filters the traffic based on filter options
o Packet List Panel: Displays the captured packets
o Packet Details Panel: Displays detailed information about the captured packets at a granular level
o Packet Bytes Panel: Displays the captured packet's bytes in hex dump format
Features:
o Deep inspection of hundreds of protocols
o Live capture and offline analysis
o Standard three-pane packet browser
o Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
o Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
Some of the additional tools that can be used to monitor network traffic are:
▪ Colasoft Network Analyzer (https://www.colasoft.com)
▪ OmniPeek (https://www.savvius.com)
▪ Observer Analyzer (https://www.viavisolutions.com)
▪ PRTG Network Monitor (https://www.paessler.com)
▪ NetFlow Analyzer (https://www.manageengine.com)

Memory Dump/ Static Analysis Tools

▪ Memory dump/static analysis is the process of analyzing a suspicious file or application to find its functionality, makeup, metadata, and other details
▪ It is also known as code analysis, since it involves going through the executable binary code without actually executing it
▪ It employs different tools and techniques to quickly determine whether a file is malicious or not
▪ Analyzing the binary code provides information about the malware functionality, its network signatures, exploit packaging technique, dependencies involved, and so on
Some of the static malware analysis techniques are:
▪ File fingerprinting
▪ Local and online malware scanning
▪ Performing strings search
▪ Identifying packing/obfuscation methods
▪ Finding the portable executables (PE) information
▪ Identifying file dependencies
▪ Malware disassembly

Finding the Portable Executables (PE) Information Tools

▪ PE format is the executable file format used on Windows operating systems
▪ Analyze the metadata of PE files to get information such as time and date of compilation, functions imported and exported by the program, linked libraries, icons, menus, version info, and strings that are embedded in resources
▪ Use tools such as PE Explorer to extract the above-mentioned information
▪ PE Explorer
Source: http://www.heaventools.com
PE Explorer lets you open, view, and edit a variety of different 32-bit Windows executable file types (also called PE files), ranging from the common, such as EXE, DLL, and ActiveX Controls, to the less familiar types, such as SCR (Screensavers), CPL (Control Panel Applets), SYS, MSSTYLES, BPL, DPL, and more (including executable files that run on the MS Windows Mobile platform).
Some of the additional PE extraction tools include:
▪ Portable Executable Scanner (pescan) (https://tzworks.net)
▪ Resource Hacker (http://www.angusj.com)
▪ PEView (https://www.aldeid.com)

Identifying File Dependencies Tools

▪ Programs need to work with internal system files to function properly
▪ Programs store their import and export functions in the kernel32.dll file
▪ Check the list of dynamically linked libraries in the malware executable file
▪ Finding out all the library functions may allow you to guess what the malware program can do
▪ Use tools such as Dependency Walker to identify the dependencies within the executable file
▪ Dependency Walker
Source: http://www.dependencywalker.com
Dependency Walker lists all the dependent modules of an executable file and builds hierarchical tree diagrams. It also records all the functions that each module exports and calls. It also detects many common application problems such as missing and invalid modules, import/export mismatches, circular dependency errors, mismatched machine modules, and module initialization failures.
Some of the additional dependency extraction tools include:
▪ Snyk (https://snyk.io)
▪ Hakiri (https://hakiri.io)
▪ Retire.js (https://retirejs.github.io)

Vulnerability Analysis Tools to Analyze Incidents

▪ Qualys (https://www.qualys.com)
▪ Nessus (https://www.tenable.com)
▪ OpenVAS (http://www.openvas.org)
▪ AlienVault OSSIM (https://www.alienvault.com)
▪ Nikto (https://cirt.net)
▪ Burp Suite (https://portswigger.net)

Tracing the Email Origin Tools

▪ Tracing the origin of an email begins with looking at the message header
▪ All email header information can be faked, except the "Received" portion referencing the victim's computer (the last "Received" line)
▪ Once it is confirmed that the header information is correct, the investigator can use the originating email server as the primary source
▪ Once it is established that a crime has been committed, the incident handler can use the IP address of the originating source to track down the owner of the email address
The incident handlers may use the following registry sites to determine the email origin:
▪ www.arin.net: It employs the American Registry for Internet Numbers (ARIN) to match the domain name for an IP address. It also provides the point of contact for the domain name.
▪ www.internic.com: It provides the identical information given by www.arin.net.
▪ www.freeality.com: This site provides various options for searching, such as by email address, phone number, and name. One can do a reverse email search, which could reveal the subject's real name. This site can do other searches such as reverse phone number searches and address searches.
