C842 tools
mail storming
It is the flurry of junk mail sent by accident
Live System Analysis: Network Traffic Monitoring
Malware connects back to its handlers and sends confidential information to attackers
Use network scanners and packet sniffers to monitor network traffic going to malicious remote addresses
Use network scanning tools such as Capsa to monitor network traffic and look for suspicious malware activities
Capsa Network Analyzer - Capsa is an intuitive network analyzer, which provides detailed information to help check if there are any malware activities on a network
Windows-based Tools to Analyze Incidents - process analysis tools
Process Monitor (https://docs.microsoft.com) Process Explorer (https://docs.microsoft.com) Tasklist (https://docs.microsoft.com)
Live System Analysis: Process Monitoring tools
Process Monitor - shows real-time file system, registry, and process/thread activity
other tools:
▪ Process Explorer (https://docs.microsoft.com)
▪ M/Monit (https://mmonit.com)
▪ ESET SysInspector (https://www.eset.com)
▪ System Explorer (http://systemexplorer.net)
▪ Security Task Manager (https://www.neuber.com)
Collecting Volatile Information: System Information
Tools and commands to collect the information:
▪ systeminfo.exe (Windows)
▪ PsInfo (Windows)
▪ cat (Linux)
▪ uname (Linux)
Live System Analysis: API Calls Monitoring
Use API call monitoring tools such as API Monitor to monitor API calls made by applications
API Monitor - allows you to monitor and display Win32 API calls made by applications
other tools:
▪ APImetrics (https://apimetrics.io)
▪ Runscope (https://www.runscope.com)
▪ AlertSite (https://smartbear.com)
Checking the Email Validity
Use the Email Dossier scanning tool to check the validity of an email address
other tools:
▪ Email Address Verifier (https://tools.verifyemailaddress.io)
▪ emailvalidator (http://www.emailvalidator.co)
▪ Email Checker (https://email-checker.net)
▪ G-Lock Software Email Verifier (https://www.glocksoft.com)
incident handling response steps
1. Preparation
2. Incident Recording
3. Incident Triage
4. Notification
5. Containment
6. Evidence Gathering and Forensic Analysis
7. Eradication
8. Recovery
9. Post-Incident Activities
➢ Incident Documentation
➢ Incident Impact Assessment
➢ Review and Revise Policies
➢ Close the Investigation
➢ Incident Disclosure
detecting forensic tool activities
Anti-forensics tools (AFTs) have the capability to change their behavior on detecting the use of computer forensic tools (CFTs)
Anti-Forensics Techniques
Golden Ticket - an attacker with access to an Active Directory domain manipulates the Kerberos ticket to impersonate any user in the domain
Data/File Deletion
Password Protection
Steganography - a technique of hiding a secret message within an ordinary message, and extracting it at the destination to maintain the confidentiality of the data
Program Packer - a packer is a program used to compress or encrypt executable programs. Intruders use packers to hide attack tools from being detected by reverse engineering or scanning. Some of the widely used packers: PECompact, BurnEye, Exe Stealth Packer, Smart Packer Pro
Virtual Machine - attackers often use isolated environments such as virtual machines and sandboxes to perform attacks
Artifact Wiping - involves various methods aimed at the permanent deletion of particular files or entire file systems. Methods used include disk cleaning utilities, file wiping, and disk degaussing. Some tools include BCWipe Total WipeOut, Active@ KillDisk, CyberScrub's cyberCide, DriveScrubber, ShredIt, and Secure Erase
Memory Residents - programs that always remain in internal memory; the operating system has no permission to swap them out to external storage. Methods include:
➢ Syscall proxying - a technique to play with memory, whereby the attacker uploads a system call proxy, which receives remote procedure calls from the attacker's machine, executes them on the victim's machine, and sends the results back to the attacker
➢ Userland Execve technique - allows a Unix process to load and execute an ELF binary image from a memory buffer. Without using the Unix execve() kernel call, it loads and runs programs on the victim's machine, thus defeating kernel-based security solutions
Alternate Data Stream - a feature of the Windows New Technology File System (NTFS) that contains metadata for locating a particular file by author or title
Memory Dump/Static Analysis: Identifying Packing/ Obfuscation Methods
Attackers often use packers to compress, encrypt, or modify a malware executable file to avoid detection
This complicates the task for reverse engineers in finding out the actual program logic and other metadata via static analysis
Use tools such as PEiD, which detects most common packers, cryptors, and compilers for PE files
PEiD provides details about Windows executable files. It can identify signatures associated with over 600 different packers and compilers
other tools:
▪ UPX (https://upx.github.io)
▪ Exeinfo PE (http://exeinfo.atwebpages.com)
▪ ASPack (http://www.aspack.com)
Hardware tools for malware analysis
▪ A ready-to-use jump kit with different types of connectors to acquire data from the compromised system and create its backup
▪ Storage media to store the acquired and backup data
▪ A write-protect device to prevent modification of data during acquisition and backup
▪ A system installed with a virtual client to run a sandbox
Intrusion Analysis: Detecting Malware by Its Covert Communication Techniques
After intrusion, malware connects back to the attackers and operates on the basis of the instructions received from them
Following are some of the covert communication techniques employed by malware:
Covert Malware Beaconing - use network monitoring tools like CapLoader and Wireshark to detect any regular outbound malicious beaconing traffic
Covert C&C Communication - use network monitoring tools like PRTG Network Monitor and GFI LanGuard to identify any unwanted traffic to malicious and unknown external entities
Antivirus Tools
ClamWin - It comes with a super-fast installer and an easy-to-use interface, which makes it convenient to detect and clean infections from a computer system
other tools:
▪ Bitdefender Antivirus Plus 2019 (https://www.bitdefender.com)
▪ Kaspersky Anti-Virus (https://www.kaspersky.com)
▪ McAfee Total Protection (https://home.mcafee.com)
▪ Norton AntiVirus (https://in.norton.com)
▪ Avast Premier Antivirus (https://www.avast.com)
▪ ESET Smart Security (https://www.eset.com)
▪ AVG Antivirus FREE (https://www.avg.com)
▪ Avira Antivirus Pro (https://www.avira.com)
Tools for Collecting Volatile Evidence
CyberTriage - It helps incident responders determine if a host is compromised through simplified collection and analysis of endpoint data
Process Explorer - It shows information about the handles and DLLs that processes have opened or loaded
other tools:
▪ PMDump (http://www.ntsecurity.nu)
▪ ProcDump (https://docs.microsoft.com)
▪ Process Dumper (PD) (https://www.trapkit.de)
▪ PsList (https://docs.microsoft.com)
▪ Tasklist (https://docs.microsoft.com)
Memory Dump/Static Analysis: Malware Disassembly
Disassemble the binary code and analyze the assembly code instructions
Use tools such as IDA that can reverse machine code to assembly language
Based on the reconstructed assembly code, you can inspect the program logic and recognize its threat potential. This process is carried out by using debugging tools such as OllyDbg (http://www.ollydbg.de)
IDA is a Windows, Linux, or Mac OS X hosted multi-processor disassembler and debugger that can debug through instruction tracing, function tracing, and read/write/execute tracing features
other tools:
▪ WinDbg (http://www.windbg.org)
▪ objdump (https://sourceware.org)
▪ ProcDump (https://docs.microsoft.com)
▪ KD (https://docs.microsoft.com)
▪ CDB (https://docs.microsoft.com)
data imaging tools
FTK Imager - It is a data preview and imaging tool that enables analysis of files and folders on local hard drives, CDs/DVDs, and network drives
R-Drive Image
buck-security - allows incident handlers to identify the security status of a system. It gives an overview of the security status of the system within a couple of minutes
other tools:
▪ EnCase Forensic (https://www.guidancesoftware.com)
▪ Data Acquisition Toolbox (https://in.mathworks.com)
▪ RAID Recovery for Windows (https://www.runtime.org)
▪ R-Tools R-Studio (https://www.r-studio.com)
▪ F-Response Imager (https://www.f-response.com)
Memory Dump/Static Analysis: File Fingerprinting
File fingerprinting is a process of computing the hash value for a given binary code
You can use the computed hash value to uniquely identify the malware or to periodically verify whether any changes are made to the binary code during analysis
Use tools like HashMyFiles to calculate various hash values of the malware file
HashMyFiles produces the hash value of a file using the MD5, SHA1, CRC32, SHA-256, SHA-512, and SHA-384 algorithms
other tools:
▪ Hashtab (http://implbits.com)
▪ HashCalc (http://www.slavasoft.com)
▪ md5deep (http://md5deep.sourceforge.net)
▪ MD5sums (http://www.pc-tools.net)
Forensic Analysis Tools
Forensic Explorer - It recovers and analyzes hidden system files, deleted files, slack space, and unallocated clusters
Forensic Toolkit (FTK) - It is a computer forensic investigation tool that delivers cutting-edge analysis, decryption, and password cracking
Event Log Explorer - It is a software solution for viewing, monitoring, and analyzing events recorded in the security, system, application, and other logs of Microsoft Windows operating systems
OSForensics - It helps discover relevant forensic data faster with high-performance file searches and indexing, and also restores deleted files
Helix3 - It is an easy-to-use cyber security solution integrated into your network, giving you visibility across your entire infrastructure and revealing malicious activities such as Internet abuse, data sharing, and harassment
Autopsy - It helps incident handlers view the file system, retrieve deleted data, and perform timeline analysis during an incident response
EnCase Forensic - It is a multi-purpose forensic platform that includes many useful tools to support several areas of the digital forensic process
Foremost - It is a console program to recover files based on their headers, footers, and internal data structures
other tools:
▪ Belkasoft Evidence Center (https://belkasoft.com)
▪ RegScanner (https://www.nirsoft.net)
▪ MultiMon (https://www.resplendence.com)
▪ Process Explorer (https://docs.microsoft.com)
▪ Security Task Manager (https://www.neuber.com)
▪ Memory Viewer (http://www.rjlsoftware.com)
▪ Metadata Assistant (https://new.thepaynegroup.com)
▪ HstEx (https://www.digital-detective.net)
▪ XpoLog Log Management (https://xpolog.com)
Antiphishing tool
Gophish is an open-source phishing toolkit meant to help incident responders and businesses conduct real-world phishing simulations
Gophish is a phishing framework that makes the simulation of real-world phishing attacks simple
It makes it easy to test your organization's exposure to phishing
Email Security Tools
Gpg4win - It enables users to securely transport emails and files with the help of encryption and digital signatures
other tools:
▪ Advanced Threat Protection (https://www.hornetsecurity.com)
▪ SpamTitan (https://www.spamtitan.com)
▪ Symantec Email Security.cloud (https://www.symantec.com)
▪ Barracuda Email Security Gateway (https://www.barracuda.com)
▪ Mimecast Email Security (https://www.mimecast.com)
▪ Comodo Dome Anti-spam (https://www.comodo.com)
▪ Spambrella (https://www.spambrella.com)
▪ The Email Laundry (https://www.theemaillaundry.com)
▪ GFI MailEssentials (https://www.gfi.com)
▪ Cisco Email Security (https://www.cisco.com)
Detect stealth scan and full connect scan attempts using Wireshark
Half Open/Stealth Scan Attempts
Attackers use the TCP Half Open/Stealth port scan technique to find open TCP ports on the target system
An attacker sends a SYN packet and receives a SYN+ACK response if the port is open and a RST response if the port is closed
A stealth scan attempt is recognized if there is a large number of RST or ICMP type 3 packets
Go to Statistics → Conversations and click on the TCP tab to view and analyze multiple TCP sessions
If a TCP session consists of fewer than 4 packets, it is a sign of a TCP port scan on the network
Full Connect Scan Attempts
In a TCP full connect scan, the attacker performs a complete three-way handshake to find open ports on the target system
A TCP full connect scan is recognized using the same methods used for detecting a stealth scan attempt
To detect a full connect scan using Wireshark, check for SYN, SYN+ACK, and RST+ACK packets or ICMP type 3 packets
tools for calculating hash value
HashCalc MD5 Calculator HashMyFiles
Detect null scan attempts using Wireshark
In a Null port scan, an attacker sends a TCP packet without setting any flag on it
If they receive a RST packet in response, then the port is closed. If there is no response, then the port is open or filtered
Use the following filter to view the packets moving without a flag set: tcp.flags==0x000
Detect xmas scan attempts using Wireshark
In a TCP Xmas scan, an attacker sends packets with the FIN, PSH, and URG TCP flags set and waits for the response
If they receive a RST packet in response, then the port is closed. If there is no response, then the port is either open or filtered
For detecting Xmas scan attempts, use the following filter to view the packets with the FIN, PSH, and URG TCP flags set: tcp.flags==0x029
Detecting Sniffing and Spoofing Attacks: ARP Poisoning Attempts
In an ARP poisoning attack, the attacker's MAC address is associated with the IP address of the target host or a number of hosts in the target network
Check for 'Duplicate IP address configured' messages in the Warnings tab in Wireshark
To locate duplicate IP address traffic, use the filter: arp.duplicate-address-detected
Use the XArp tool to detect ARP-based attacks in the network
other tools:
▪ Capsa Network Analyzer (http://www.colasoft.com)
▪ ArpON (http://arpon.sourceforge.net)
▪ ARP AntiSpoofer (https://sourceforge.net)
▪ ARPStraw (https://github.com)
▪ shARP (https://github.com)
analyzing SMTP logs
In organizations using Microsoft Exchange Servers for emails, responders can analyze the SMTP logs directly
IDS evasion techniques
▪ Insertion Attack
▪ Evasion
▪ Denial-of-Service Attack
▪ Obfuscating
▪ False Positive Generation
▪ Session Splicing
▪ Unicode Evasion
▪ Fragmentation Attack
▪ Overlapping Fragments
▪ Time-To-Live Attacks
▪ Invalid RST Packets
▪ Urgency Flag
Collecting Volatile Information: DLLs or Shared Libraries
It helps to determine possible rogue or modified DLLs and shared libraries
Tools that help to identify currently loaded DLLs or shared libraries include:
▪ ListDLLs (Windows) - displays all loaded DLLs with their version numbers
▪ ldd (Linux) - lists the shared object files to which an executing binary links
▪ ls (Linux) - displays the shared libraries to which each executing binary links
Malware Detection Techniques: Live System Malware Analysis Techniques
It is also called behavioral analysis, since it detects the presence of malware based on the malicious behavior or functioning of the malware
▪ Port monitoring
▪ Process monitoring
▪ Registry monitoring
▪ Windows services monitoring
▪ Startup programs monitoring
▪ Event logs monitoring
▪ Installation monitoring
▪ Files and folder monitoring
▪ Device drivers monitoring
▪ Network traffic monitoring
▪ DNS monitoring/resolution
▪ API calls monitoring
▪ Scheduled task monitoring
▪ Browser activity monitoring
report writing tools
MagicTree - stores data in a tree structure. This is a natural way of representing the information that is gathered during a network test: a host has ports, which have services, applications, vulnerabilities, etc.
KeepNote - is used to store class notes, TODO lists, research notes, journal entries, paper outlines, etc. in a simple notebook hierarchy with rich-text formatting, images, and more
Tools for Analyzing Email Headers
MxToolbox - This tool will make email headers human readable by parsing them according to RFC 822
other tools:
▪ E-Mail Header Analyzer (https://www.gaijin.at)
▪ Message Header Analyzer (https://testconnectivity.microsoft.com)
▪ ipTRACKERonline.com (https://www.iptrackeronline.com)
▪ G Suite Toolbox (https://toolbox.googleapps.com)
▪ Email Header Analyzer (https://www.whatismyip.com)
Live System Analysis: DNS Monitoring/Resolution
Malicious software called DNSChanger is capable of changing the system's DNS server settings and provides the attackers with control of the DNS server used on the victim's system
Use DNS monitoring tools such as DNSQuerySniffer to verify the DNS servers that the malware tries to connect to and identify the type of connection
DNSQuerySniffer is a network sniffer utility that shows the DNS queries sent on your system
other tools:
▪ DNSstuff (https://www.dnsstuff.com)
▪ DNS Lookup Tool (https://www.ultratools.com)
▪ Sonar (https://constellix.com)
Live System Analysis: Device Drivers Monitoring
Malware is installed along with device drivers downloaded from untrusted sources, and it uses these drivers as a shield to avoid detection
Use device driver monitoring tools such as DriverView to scan for suspicious device drivers and to verify that the device drivers are genuine and downloaded from the publisher's original site
Go to Run → type msinfo32 → Software Environment → System Drivers to manually check for installed drivers
DriverView - The DriverView utility displays a list of all device drivers currently loaded on the system along with information such as the load address of the driver, description, version, and product name
other tools:
▪ Driver Booster (http://www.iobit.com)
▪ Driver Reviver (https://www.reviversoft.com)
▪ Driver Easy (https://www.drivereasy.com)
▪ Driver Fusion (https://treexy.com)
▪ Driver Genius (http://www.driver-soft.com)
Live System Analysis: Files and Folder Monitoring
Malware normally modifies the system's files and folders after infecting a computer
Use file and folder integrity checkers like Tripwire and Netwrix Auditor to detect changes in system files and folders
You can also use Windows utility tools like SIGVERIF
SIGVERIF is a Windows built-in utility used for checking the integrity of files and tracking changes to them
other tools:
▪ Tripwire File Integrity Manager (https://www.tripwire.com)
▪ Netwrix Auditor (https://www.netwrix.com)
▪ Verisys (https://www.ionx.co.uk)
▪ PA File Sight (https://www.poweradmin.com)
▪ CSP File Integrity Checker (https://www.cspsecurity.com)
▪ NNT Change Tracker (https://www.newnettechnologies.com)
Live System Analysis: Browser Activity Monitoring
Malware uses browsers to connect with its C&C servers and download malicious files
You should monitor the browsing and download history of all browsers that are installed on the network systems
Use network monitoring tools such as Wireshark and Colasoft Network Analyzer to monitor the browsing activities of users
other tools:
▪ Colasoft Network Analyzer (https://www.colasoft.com)
▪ OmniPeek (https://www.savvius.com)
▪ Observer Analyzer (https://www.viavisolutions.com)
▪ PRTG Network Monitor (https://www.paessler.com)
▪ NetFlow Analyzer (https://www.manageengine.com)
Intrusion Analysis: Detecting Malware by Its Covert Storage/Hiding Techniques
Malware uses various covert storage techniques to hide itself from detection after a successful intrusion
Following are some of the techniques employed by malware to hide itself from detection:
SSDT Patching - use analysis tools like SSDT View and ReKall to identify SSDT patching operations performed by rootkits
Kernel Filter Drivers - use antimalware tools like RogueKiller to identify and detect kernel-mode rootkits that affect filter drivers
Live System Analysis: Startup Programs Monitoring
Manually check or use startup monitoring tools like Autoruns for Windows and WinPatrol to detect suspicious startup programs and processes
Steps to manually detect hidden malware:
▪ Check startup program entries in the registry editor
▪ Check device drivers automatically loaded
➢ C:\Windows\System32\drivers
▪ Check boot.ini or bcd (bootmgr) entries
▪ Check Windows services automatically started
➢ Go to Run → type services.msc → Sort by Startup Type
▪ Check the startup folder
➢ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
other tools:
▪ WinPatrol (https://www.winpatrol.com)
▪ Autorun Organizer (https://www.chemtable.com)
▪ Quick Startup (https://www.glarysoft.com)
▪ StartEd Pro (https://www.outertech.com)
▪ Chameleon Startup Manager (http://www.chameleon-managers.com)
▪ BootRacer (http://www.greatis.com)
▪ WinTools.net: Startup Manager (http://www.wintools.net)
▪ EF StartUp Manager (http://www.efsoftware.com)
▪ PC Startup Master (https://www.smartpcutilities.com)
▪ CCleaner (https://www.piriform.com)
▪ Startup Delayer (https://www.r2.com.au)
Tools for Detecting Missing Security Patches
Microsoft Baseline Security Analyzer - MBSA lets incident handlers scan local and remote systems for missing security updates as well as common security misconfigurations
other tools:
▪ GFI LanGuard (https://www.gfi.com)
▪ Symantec Client Management Suite (https://www.symantec.com)
▪ MaaS360 Patch Analyzer (https://www.ibm.com)
▪ Solarwinds Patch Manager (https://www.solarwinds.com)
▪ Kaseya Security Patch Management (https://www.kaseya.com)
▪ Software Vulnerability Manager (https://www.flexera.com)
▪ Ivanti Endpoint Security (https://www.ivanti.com)
▪ Patch Connect Plus (https://www.manageengine.com)
▪ Automox (https://www.automox.com)
▪ Prism Suite (https://www.newboundary.co)
analyzing email logs - Examining Microsoft Exchange Email Server Logs
Microsoft Exchange uses the Microsoft Extensible Storage Engine (ESE)
It uses the Messaging Application Programming Interface (MAPI), which allows collaboration of various email applications in an organization
While investigating a Microsoft Exchange server for email crimes, an incident handler should primarily focus on the following files:
▪ .edb database files (responsible for MAPI information)
▪ .stm database files (responsible for non-MAPI information)
▪ checkpoint files
▪ temporary files
Suspicious Network Incident Detection Techniques
▪ Monitoring Network Traffic
▪ Sniffing Network Traffic
▪ Performing Packet Analysis
▪ Performing Log Analysis
▪ Performing Host Analysis
Tools for Detecting Phishing/Spam Mails
Netcraft - The Netcraft antiphishing community is a giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks
PhishTank - PhishTank is a collaborative clearing house for data and information about phishing on the Internet. It provides an open API for developers and researchers to integrate antiphishing data into their applications
Collecting Volatile Information: Network Connections
Netstat with the -ano switch displays details of the TCP and UDP network connections, including listening ports and the process identifiers (PIDs) that own them
Netstat with the -r switch displays details of the routing table and the routes enabled on the system
Linux-based Tools to Analyze Incidents - network analysis tools
Nmap (https://nmap.org) Netstat (https://docs.microsoft.com) Wireshark (https://www.wireshark.org)
Windows-based Tools to Analyze Incidents - network analysis tools
Nmap (https://nmap.org) Wireshark (https://www.wireshark.org) TCPView (https://docs.microsoft.com)
Windows-based Tools to Analyze Incidents - file system analysis tools
PE Explorer (http://www.heaventools.com) Pescan (https://tzworks.net) PEView (https://www.aldeid.com)
Memory Dump/Static Analysis: Finding the Portable Executables (PE) Information
The PE format is the executable file format used on Windows operating systems
Analyze the metadata of PE files to get information such as the time and date of compilation, functions imported and exported by the program, linked libraries, icons, menus, version info, and strings that are embedded in resources
Use tools such as PE Explorer to extract the above-mentioned information
PE Explorer lets you open, view, and edit a variety of different 32-bit Windows executable file types (also called PE files), ranging from the common, such as EXE, DLL, and ActiveX controls
other tools:
▪ Portable Executable Scanner (pescan) (https://tzworks.net)
▪ Resource Hacker (http://www.angusj.com)
▪ PEView (https://www.aldeid.com)
Risk Assessment Management tools
PILAR - It helps incident handlers assess risks against critical assets of the organization in several dimensions, such as confidentiality, integrity, availability, authenticity, and accountability
other tools:
▪ A1 Tracker
▪ Risk Management Studio
Tools and commands used to determine logged-on users
PsLoggedOn
Net Sessions
LogonSessions
firewall evasion techniques
▪ Packet Fragmentation
▪ Source Routing
▪ IP Address Decoy
▪ IP Address Spoofing
▪ Proxy Server
▪ Port Scanning
▪ Firewalking
▪ Banner Grabbing
▪ ICMP Tunneling
▪ ACK Tunneling
▪ HTTP Tunneling
▪ SSH Tunneling
detecting packet sniffing attempts
Packet sniffing is a process of monitoring and capturing all data packets passing through a given network using a software application or hardware device
It allows an attacker to gather sensitive information such as Telnet passwords, email traffic, syslog traffic, web traffic, DNS traffic, and FTP passwords
Passive sniffing is used to sniff a hub-based network, while active sniffing is used to sniff a switch-based network
An attacker uses MAC flooding and ARP poisoning to sniff the network traffic and perform attacks like Man-in-the-Middle
Incident responders can identify sniffing attempts by detecting the signs of a MAC flood and/or an ARP poisoning using Wireshark
Sniffers turn the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment
Common Techniques Attackers Use to Perform Identity Theft
▪ Physical theft (theft of wallets, computers, laptops, etc.)
▪ Internet searches
▪ Phishing
▪ Skimming
▪ Social engineering
▪ Dumpster diving and shoulder surfing
▪ Pretexting
▪ Pharming
▪ Hacking (compromising the user's system)
▪ Malware
▪ Wardriving
▪ Insider theft
Memory Dump/Static Analysis: Identifying File Dependencies
Programs need to work with internal system files to function properly
Programs store the import and export functions in the kernel32.dll file
Check the list of dynamically linked libraries in the malware executable file
Finding out all the library functions may allow you to guess what the malware program can do
Use tools such as Dependency Walker to identify the dependencies within the executable file
Dependency Walker lists all the dependent modules of an executable file and builds hierarchical tree diagrams. It also records all the functions each module exports and calls
other tools:
▪ Snyk (https://snyk.io)
▪ Hakiri (https://hakiri.io)
▪ RetireJS (https://retirejs.github.io)
Detecting Sniffing and Spoofing Attacks: Other Sniffing Detection Techniques - Using Promiscuous Detection Tools
PromqryUI - a security tool from Microsoft that can be used to detect network interfaces that are running in promiscuous mode
Nmap - Nmap's NSE script allows you to check if a target on a local Ethernet has its network card in promiscuous mode
Vulnerability Analysis Tools to Analyze Incidents
▪ Qualys
▪ Nessus
▪ OpenVAS
▪ AlienVault OSSIM
Email Recovery Tool: Recover My Email
Recover My Email is mail recovery software that can recover deleted email messages from either Microsoft Outlook PST files or Microsoft Outlook Express DBX files
Windows-based Tools to Analyze Incidents - volatile memory analysis tools
Rekall (https://github.com) Memdump (https://support.microsoft.com) MemGator (http://e5hforensics.com)
Linux-based Tools to Analyze Incidents - volatile memory analysis tools
Rekall (https://github.com) Memfetch (http://lcamtuf.coredump.cx) LiME (https://github.com)
Antispamming tool
SPAMfighter is a spam filter that works instantly by automatically removing the spam and phishing emails from your inbox
Sender Policy Framework (SPF) and DKIM
SPF is an email validation protocol used by domain owners for preventing spoofing of emails
Incident responders can analyze the authenticity of the sender using the SPF results
DKIM is an email authentication standard designed to detect spoofing
Using this standard, the domain owner can encrypt the domain's outgoing mail headers and add a digital signature to the outgoing emails for better authentication
Incident responders can analyze the integrity of the email by analyzing its DKIM results
Memory Dump/Static Analysis: Local and Online Malware Scanning
Scan the binary code locally using well-known and up-to-date antivirus software
If the code under analysis is a component of a well-known malware, it may have already been discovered and documented by many antivirus vendors
You can also upload the code to online websites such as VirusTotal to get it scanned by a wide variety of different scan engines
VirusTotal - a free service that analyzes suspicious files and URLs, and facilitates the detection of viruses, worms, Trojans, and so on
other tools:
▪ Jotti (https://virusscan.jotti.org)
▪ Metadefender (https://www.metadefender.com)
▪ Online Scanner (https://www.fortiguard.com)
▪ IObit Cloud (https://cloud.iobit.com)
▪ ThreatExpert (https://www.symantec.com)
analyzing email logs - Examining Linux Email Server Logs
Sendmail is the command used to send emails via a Linux or UNIX system
Windows-based Tools to Analyze Incidents - service analysis tools
Services.msc (https://docs.microsoft.com) MSConfig (https://docs.microsoft.com) SrvMan (http://tools.sysprogs.org)
Detecting Firewall and IDS Evasion Attempts: Intrusion Detection Using Snort
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks
It can perform protocol analysis and content searching/matching, and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, and OS fingerprinting attempts
It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture
Intrusion detection systems like Snort detect any anomaly in the network and trigger alerts
Windows-based Tools to Analyze Incidents - active directory tools
SolarWinds Server & Application Monitor (https://www.solarwinds.com) Adaxes (https://www.adaxes.com) ADManager Plus (https://www.manageengine.com)
Memory Dump/Static Analysis: Performing Strings Search
Strings communicate information from the program to its user
Analyze embedded strings of readable text within the program's executable file, e.g. status update strings and error strings
Use tools such as BinText to extract embedded strings from executable files
BinText is a text extractor that can extract text from any kind of file; it includes the ability to find plain ASCII text, Unicode text, and resource strings, providing useful information for each item
other tools:
▪ FLOSS (https://www.fireeye.com)
▪ Strings (https://docs.microsoft.com)
▪ Free EXE DLL Resource Extract (http://www.resourceextract.com)
▪ Hex Workshop (http://www.hexworkshop.com)
Tools for Detection and Validation of Suspicious Network Events
Suricata - The Suricata engine is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing
ntopng - ntopng is a web-based network traffic monitoring application released under GPLv3
Wireshark - a network protocol analyzer which captures and intelligently browses the traffic passing through a network
Features:
▪ Deep inspection of hundreds of protocols
▪ Live capture and offline analysis
▪ Standard three-pane packet browser
▪ Runs on Windows, Linux, OS X, Solaris, and many others
▪ Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
other tools:
▪ Colasoft Network Analyzer (https://www.colasoft.com)
▪ OmniPeek (https://www.savvius.com)
▪ Observer Analyzer (https://www.viavisolutions.com)
▪ PRTG Network Monitor (https://www.paessler.com)
▪ NetFlow Analyzer (https://www.manageengine.com)
Collecting Volatile Information: Network Information
The Windows built-in command line utility nbtstat can be used to view the NetBIOS name table cache. The nbtstat -c option shows the contents of the NetBIOS name cache, which contains NetBIOS name-to-IP address mappings.
Collecting Volatile Information: Current System Date and Time/Command History
The incident responder should use the doskey /history command, which shows the history of the commands typed into that prompt.
Live System Analysis: Scheduled Task Monitoring
Malware can set time- or action-based triggers as scheduled tasks, so incident responders need to check the scheduled tasks on a system. Use commands like schtasks or tools like Windows Task Scheduler to detect scheduled tasks. Other tools: Monitoring Task Scheduler Tool (MoTaSh) (https://github.com), ADAudit Plus (https://www.manageengine.com), CronitorCLI (https://cronitor.io), Solarwinds Windows Scheduled Task Monitor (https://www.solarwinds.com)
detect social engineering attempts
There is no specific security mechanism that can protect against the social engineering techniques used by attackers. Only educating employees on how to recognize and respond to social engineering attacks can minimize an attacker's chances of success.
Collect the information about the files opened by the intruder using remote login
Tools and commands that show files opened remotely on a system include the net file command, psfile.exe, and openfiles.exe.
Collecting Volatile Information: Current System Uptime
Tools to collect uptime information include: PsUptime (Windows), Net Statistics (Windows), Uptime and W (Linux)
tracing the email origin
Tracing the origin of an email begins with looking at the message header. All email header information can be faked, except the "Received" portion referencing the victim's computer (the last Received header). Once it is confirmed that the header information is correct, the investigator can use the originating email server as the primary source. Once it is established that a crime has been committed, the incident handler can use the IP address of the originating source to track down the owner of the email address. The following are some acceptable sites that an incident handler can use to find the person owning a domain name: www.arin.net, www.internic.net, www.freeality.com
Live System Analysis: Installation Monitoring
Use an installation monitoring tool such as Mirekusoft Install Monitor to monitor the installation of malicious executables. It automatically monitors what gets placed on your system and allows you to uninstall it completely. Other tools: SysAnalyzer (https://www.aldeid.com), Advanced Uninstaller PRO (http://www.advanceduninstaller.com), Revo Uninstaller Pro (https://www.revouninstaller.com), Comodo Programs Manager (https://www.comodo.com)
Live System Analysis: Event Logs Monitoring
Use log analysis tools like Loggly to identify suspicious logs or events with malicious intent. Loggly automatically recognizes common log formats and gives you a structured summary of all parsed logs. Other tools: SolarWinds Log & Event Manager (https://www.solarwinds.com), Netwrix Event Log Manager (https://www.netwrix.com), LogFusion (https://www.logfusion.ca), Alert Logic Log Manager (https://www.alertlogic.com), EventTracker Log Manager (https://www.eventtracker.com)
Collecting Volatile Information: Running Processes - Windows Operating System
Use the netstat -ab output to determine the executable files for all running processes. Use ListDLLs to determine the DLLs loaded into processes. Use Pslist.exe to display basic information about the running processes, including the amount of time each process has been running. Create a process memory dump using the pmdump.exe utility and then perform string searches on the file to learn about a suspected rogue process.
Live System Analysis: Port Monitoring tools
Use port monitoring tools such as netstat and TCPView to scan for suspicious ports and look for any connection established to unknown or suspicious IP addresses. Other tools: CurrPorts (https://www.nirsoft.net), dotcom-monitor (https://www.dotcom-monitor.com), PortExpert (http://www.kcsoftwares.com), PRTG Network Monitor (https://www.paessler.com), Nagios Port Monitor (https://exchange.nagios.org)
Detecting PING Sweep Attempts using Wireshark Tool
Use the filter icmp.type==8 or icmp.type==0 to detect an ICMP ping sweep attempt. Use the filter tcp.dstport==7 to detect a TCP ping sweep attempt. Use the filter udp.dstport==7 to detect a UDP ping sweep attempt.
tools for analyzing email logs
Use tools such as EventLog Analyzer to analyze email logs at server level and detect the emails that attackers used for phishing or spamming
Collecting Volatile Information: Running Processes - linux operation system
Use the top command to display system summary information as well as a list of the processes or threads the Linux kernel is currently managing. Use the w command to display the current processes for each shell of each user. Use the ps command to display information about root's currently running processes. Use the pstree command to display the processes on a system in the form of a tree.
other supporting tools for malware analysis
Virtual machine tools - Hyper-V (https://docs.microsoft.com), Parallels Desktop 14 (https://www.parallels.com), Boot Camp (https://www.apple.com); screen capture/recording tools - SnagIt (https://www.techsmith.com), Jing (https://www.techsmith.com), Camtasia (https://www.techsmith.com), Ezvid (https://www.ezvid.com); network and internet simulation tools - ns-3 (https://www.nsnam.org), Riverbed Modeler (https://www.riverbed.com), QualNet (https://web.scalable-networks.co; OS backup and imaging tools - Genie Backup Manager Pro (https://www.genie9.com), Macrium Reflect Server (https://www.macrium.com), R-Drive Image (https://www.drive-image.com), O&O DiskImage 10 (https://www.oo-software.co
Software Tools Required for Malware Analysis
Virtualization software such as VirtualBox, VMware vSphere Hypervisor, and Microsoft Virtual Server. Forensic image extraction tools such as FTK Imager for data acquisition. PE analysis tools such as PEView, PeStudio, PEiD, and PEBrowse. Tools for taking snapshots of the hosts such as Regshot, RegMon, FileMon, and Total Commander. Memory dumping tools such as Scylla and OllyDumpEx. Network sniffing tools such as Wireshark. Network simulation software such as iNetSim. Process exploring and monitoring tools such as Process Monitor and Process Explorer. Hex viewing tools such as HexEditor, 010 Editor, and Hexinator. Debugging tools such as OllyDbg and IDA Pro. Tools for searching malicious strings include ResourcesExtract, BinText, and Hex Workshop. Tools such as Dependency Walker for finding program dependencies.
Windows-based Tools to Analyze Incidents - malware analysis tools
VirusTotal (https://www.virustotal.com), IDA Pro (https://www.hex-rays.com), OllyDbg (http://www.ollydbg.d
Linux-based Tools to Analyze Incidents - malware analysis tools
VirusTotal (https://www.virustotal.com), IDA Pro (https://www.hex-rays.com), Cuckoo Sandbox (https://cuckoosandbox.org)
Memory Dump/Static Analysis Using Volatility Framework
Volatility is a Python-based memory analysis tool that is capable of performing various forensic operations. It can be used by the incident handler to analyze the digital artifacts from memory dumps in order to identify any anomaly.
Live System Analysis: Windows Services Monitoring tools
Windows Service Manager (SrvMan): used to trace malicious services initiated by malware. Other tools: Advanced Windows Service Manager (https://securityxploded.com), Netwrix Service Monitor (https://www.netwrix.com), AnVir Task Manager (https://www.anvir.com), Service+ (https://www.activeplus.com), Easy Windows Service Manager (https://archive.codeplex.co
Detecting Sniffing and Spoofing Attacks: Mac Flooding Attempts
Wireshark detects MAC-flooded packets using the Expert Information window; Wireshark considers these malformed packets. To view these malformed packets, go to the Analyze menu and select Expert Information. The signs of MAC flooding are detected by analyzing the source IP, destination IP, and TTL values: check if traffic is originating from various IP addresses going to the same destination IP address with the same TTL values. This is an indication of a MAC flooding attempt on the network.
Common Techniques Attackers Use to Distribute Malware on the Web
Black hat SEO - ranking malware pages highly in search results; social engineered click-jacking - tricking users into clicking on innocent-looking webpages; spear-phishing sites - mimicking legitimate institutions in an attempt to steal login credentials; malvertising - embedding malware in ad networks that display across hundreds of legitimate, high-traffic sites; compromised legitimate websites - hosting embedded malware that spreads to unsuspecting visitors; drive-by downloads - exploiting flaws in browser software to install malware just by visiting a web page; spam emails - attaching the malware to emails and tricking victims into clicking the attachment
Tools for Incident Analysis and Validation
buck-security - allows incident handlers to identify the security status of a system; it gives an overview of the security status of the system within a couple of minutes. Kiwi Syslog Server - allows you to centrally manage syslog messages, generate real-time alerts based on syslog messages, and perform advanced message filtering and message buffering. Splunk Light - a tool for collecting, monitoring, and analyzing log files from servers, applications, or other sources. Other tools: Loggly (https://www.loggly.com), InsightOps (https://www.rapid7.com), Logz.io (https://www.logz.io), Logmatic.io (https://www.logmatic.io), Graylog (https://www.graylog.org)
Other anti-forensic techniques
Data hiding in file system structures - intruders use tools and techniques that hide data in various locations of a computer system (slack space, memory, hidden directories, hidden partitions, bad blocks, ADSs, etc.), which are often overlooked by modern forensic tools. Trail obfuscation - the purpose of trail obfuscation is to confuse, disorient, and distract the forensic investigation process; attackers mislead incident responders via log tampering, false e-mail header generation, timestamp modification, and modification of various file headers. Overwriting data/metadata - intruders use various programs to overwrite data on a storage device, making it difficult or impossible to recover; these programs can overwrite data, metadata, or both. Encryption - data encryption is one of the commonly used techniques to defeat the forensic investigation process. Encrypted network protocols - intruders deploy cryptographic encapsulation protocols such as SSL/TLS and SSH for anti-forensic purposes. Rootkits - the use of rootkits can be considered another data hiding technique that intruders often use to mask their tracks and the presence of malicious applications or processes running on the system. Buffer overflow against forensic tools - in a buffer overflow exploit, an intruder injects and executes code in the address space of a running program, thereby altering the victim program's behavior.
email tracking tools
eMailTrackerPro - analyzes email headers and reveals information such as the sender's geographical location and IP address. Other tools: PoliteMail (https://politemail.com), Yesware (https://www.yesware.com), ContactMonkey (https://contactmonkey.com), Zendio (http://www.zendio.com), ReadNotify (https://www.readnotify.com), DidTheyReadIt (https://www.didtheyreadit.com), Trace Email (https://whatismyipaddress.com), Email Lookup - Free Email Tracker (http://www.ipaddresslocation.org), Pointofmail (https://www.pointofmail.com), WhoReadMe (http://whoreadme.com), GetNotify (https://www.getnotify.com), G-Lock Analytics (https://glockanalytics.co
Malware Detection Techniques: Memory Dump/ Static Analysis
It is the process of analyzing a suspicious file or application to find its functionality, making, metadata, and other details. It is also known as code analysis, since it involves going through the executable binary code without actually executing it. Memory dump/static malware analysis techniques: file fingerprinting, local and online malware scanning, performing string search, identifying packing/obfuscation methods, finding the Portable Executable (PE) information, identifying file dependencies, malware disassembly.
Windows-based Tools to Analyze Incidents - registry analysis tools
jv16 Power Tools 2017 (https://www.macecraft.com), Regshot (https://sourceforge.net), Reg Organizer (https://www.chemtable.com)
Live System Analysis: Registry Monitoring tools
jv16 Power Tools 2017 - a registry cleaner used to find registry errors and unneeded registry junk; it helps in detecting registry entries created by malware. Other tools: Regshot (https://sourceforge.net), Reg Organizer (https://www.chemtable.com), Registry Viewer (https://accessdata.com), RegScanner (http://www.nirsoft.net), Registrar Registry Manager (https://www.resplendence.com)
Malware Detection Techniques
Live system/dynamic analysis - involves analyzing live, operational systems for the presence of malware; memory dump/static analysis - involves analyzing memory dumps or binary code for traces of malware; intrusion analysis - involves analyzing the logs and alerts of intrusion detection systems, SIEMs, and firewalls for the detection of malware
Reconnaissance Techniques
Ping sweeping - scanning an IP range to detect live hosts; port scanning - scanning a target for open ports; DNS footprinting - extracting DNS information from publicly available sources; social engineering - tricking people into revealing sensitive information
mail bombing
The process of repeatedly sending an email message to a particular address at a specific victim's site.
Detecting Sniffing and Spoofing Attacks: Other Sniffing Detection Techniques
Promiscuous mode - you will need to check which machines are running in promiscuous mode; promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. IDS - run an IDS and notice if the MAC address of certain machines has changed (example: the router's MAC address); an IDS can alert the administrator about suspicious activities. Network tools - run network tools such as Capsa Network Analyzer to monitor the network for strange packets; this enables you to collect, consolidate, centralize, and analyze traffic data across different network resources and technologies. Ping method - sends a ping request to the suspect machine with its IP address and an incorrect MAC address; the Ethernet adapter rejects it, as the MAC address does not match, whereas a suspect machine running a sniffer responds to it, as it does not reject packets with a different MAC address. DNS method - most sniffers perform reverse DNS lookups to identify the machine from the IP address; a machine generating reverse DNS lookup traffic will most likely be running a sniffer. ARP method - only a machine in promiscuous mode (machine C) caches the ARP information (IP and MAC address mapping); a machine in promiscuous mode responds to the ping message, as it has correct information about the host sending the ping request in its cache, while the rest of the machines will send an ARP probe to identify the source of the ping request.
Linux-based Tools to Analyze Incidents - session management tools
w/who, rwho, lastlog