Aug 10, 2022
At first glance, the collection of tools I chose for this article might seem all over the place. The idea, however, is to cover some of the most important and well-known tools in the infosec space.
So I talk about Volatility (a DFIR tool) and Metasploit (exploitation and exploit development), as well as Yara (malware research and analysis), MITRE ATT&CK (a threat intelligence knowledge base) and Sysmon (an advanced logging tool that we can also use to hunt for threats).
Volatility is a memory forensics framework maintained by the Volatility Foundation. It is a standard tool in virtually every incident responder's/blue teamer's toolkit, it is easily extended through the many plugins available, and, most importantly, it is completely free and open source.
There are many ways to acquire a memory capture from a system, and we won't go into them here. We'll just mention that the tooling differs depending on the system's state (running or powered off). For an offline Windows system, for example, we can fall back on hiberfil.sys, which lives in the root of %SystemDrive%, provided the disk is not encrypted.
This file holds a compressed copy of physical memory written when the system last hibernated, so it has to be converted to a raw image first (Volatility 2's imagecopy plugin or a dedicated converter such as hibr2bin does this), but that doesn't mean we can't do some forensics on it!
Notice I am using the standalone Windows build of Volatility (because I am running Windows/CMD in the screenshot); on Linux the command would just be volatility.
imageinfo is the command that suggests the profile (OS version and service pack) we should work with; Volatility 2 needs the right one for every other plugin to make sense of the image, so if several are suggested, confirm the choice with kdbgscan. (Volatility 3 drops profiles in favour of symbol tables and detects the OS on its own.)
Further, we can look for hidden processes with psxview, which compares several independent ways of enumerating processes (the linked process list, pool scanning, thread lists, csrss handles and so on) so that a process a rootkit has unlinked from the active list still shows up in the other columns. ldrmodules does the same for DLLs: it cross-references the three PEB module lists (InLoad, InInit, InMem) against the mapped files found through the VAD. A module that is False in all three lists, or that is mapped without any backing file on disk, is a strong indicator that it was injected or unlinked; note that a process's own executable is legitimately False in InInit, so that one column alone is not a finding. Injected code is obviously very bad, and we can look for it with malfind, which hunts for private memory regions that are both writable and executable, and even dump those regions to a file for further analysis.
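The cross-view reasoning behind psxview and ldrmodules, as an added example (not Volatility's own code and not part of the original article). The process lists, PIDs and module lists are constructed sample data standing in for what the real plugins extract from an image; the decision rules follow the text above, including the exceptions for exited processes and for the main executable:

```python
"""Cross-view detection in the spirit of Volatility's psxview and ldrmodules.

Added example, not Volatility code: the process and module lists below are
constructed sample data standing in for what the real plugins extract from a
memory image, and the decision logic mirrors the reasoning in the text rather
than any particular plugin's implementation.
"""
from dataclasses import dataclass

# Independent ways of enumerating processes. A rootkit that unlinks its
# EPROCESS from the active-process list (DKOM) vanishes from pslist but is
# still found by pool scanning and still owns threads and csrss handles.
PROCESS_SOURCES = ("pslist", "psscan", "thrdproc", "csrss")

# Constructed data: {source: {pid: image name}}
SAMPLE_PROCESS_VIEWS = {
    "pslist":   {4: "System", 600: "csrss.exe", 1204: "explorer.exe"},
    "psscan":   {4: "System", 600: "csrss.exe", 1204: "explorer.exe",
                 2816: "svchost.exe", 3400: "notepad.exe"},
    "thrdproc": {4: "System", 600: "csrss.exe", 1204: "explorer.exe",
                 2816: "svchost.exe"},
    "csrss":    {1204: "explorer.exe", 2816: "svchost.exe"},
}


def psxview(views):
    """Build the cross-view table: one row per pid with a True/False per source."""
    all_pids = set()
    for v in views.values():
        all_pids |= set(v)
    rows = []
    for pid in sorted(all_pids):
        name = next(v[pid] for v in views.values() if pid in v)
        presence = {src: pid in views.get(src, {}) for src in PROCESS_SOURCES}
        rows.append((pid, name, presence))
    return rows


def hidden_processes(rows):
    """Flag rows that pslist misses but a pool scan AND a live view still see.

    A process present only in psscan has usually just exited (its EPROCESS is
    still lying around in pool memory but it has no threads or handles), so it
    is deliberately not flagged.
    """
    return [
        (pid, name) for pid, name, p in rows
        if not p["pslist"] and p["psscan"] and (p["thrdproc"] or p["csrss"])
    ]


@dataclass
class MappedModule:
    base: int
    path: str        # file backing the mapping (from the VAD); "" if none
    in_load: bool    # present in the PEB InLoadOrderModuleList
    in_init: bool    # present in the PEB InInitializationOrderModuleList
    in_mem: bool     # present in the PEB InMemoryOrderModuleList


# Constructed data for explorer.exe (pid 1204); 0x400000 is its own image base.
SAMPLE_MODULES = [
    MappedModule(0x00400000, r"C:\Windows\explorer.exe", True, False, True),
    MappedModule(0x77000000, r"C:\Windows\System32\ntdll.dll", True, True, True),
    MappedModule(0x76800000, r"C:\Windows\System32\kernel32.dll", True, True, True),
    MappedModule(0x10000000, r"C:\Users\Public\evil.dll", False, False, False),
    MappedModule(0x20000000, "", False, False, False),
]


def suspicious_modules(modules, main_exe_base):
    """Return (base, path, reason) for modules that look injected or unlinked."""
    findings = []
    for m in modules:
        in_any = m.in_load or m.in_init or m.in_mem
        if m.base == main_exe_base:
            # The main executable is never in the init-order list; only its
            # absence from the other two lists would be abnormal.
            if not (m.in_load and m.in_mem):
                findings.append((hex(m.base), m.path, "main image unlinked from PEB lists"))
        elif not in_any:
            reason = ("mapped image with no file on disk" if not m.path
                      else "unlinked from all three PEB lists")
            findings.append((hex(m.base), m.path or "<no backing file>", reason))
    return findings


if __name__ == "__main__":
    rows = psxview(SAMPLE_PROCESS_VIEWS)
    for pid, name, p in rows:
        flags = " ".join(f"{src}={str(p[src]):<5}" for src in PROCESS_SOURCES)
        print(f"{pid:>6} {name:<14} {flags}")
    print("hidden:", hidden_processes(rows))
    for finding in suspicious_modules(SAMPLE_MODULES, 0x00400000):
        print("ldrmodules:", finding)
```

On the constructed data only svchost.exe (pid 2816) is reported as hidden: notepad.exe is seen by the pool scan alone, which is what an exited process looks like. On the module side evil.dll and the unnamed mapping at 0x20000000 are flagged, while explorer.exe's own image is not, despite its False in InInit.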
Also, some of the usual hypervisor memory file formats are:
.vmem – Vmware
.mem – Parallels
.sav – VirtualBox
Generally, the most common format is .raw: a raw file is an unaltered, unprocessed copy of physical memory with no header at all (a VMware .vmem is raw in exactly this sense).
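A quick header check before loading a capture into Volatility, as an added example (not from the article or from Volatility). It recognises the ELF magic (core-dump style captures), the LiME header that Linux dumps carry, and the hibernation file signature, which also tells you whether a hiberfil.sys is still a valid image or was invalidated when the machine resumed; anything without a recognised header is treated as raw. The sample headers in the test are constructed:

```python
"""Header triage for a memory capture.

Added example, not part of the original article or of Volatility. Only the
first bytes of the file are inspected. Magic values: ELF files start with
0x7f 'ELF'; LiME dumps start with the header magic 0x4C694D45, which is
written little-endian and therefore reads 'EMiL' on disk; a Windows
hibernation file starts with 'hibr' (case differs between Windows versions)
and Windows rewrites that signature to 'wake' when the system resumes.
Anything else is treated as raw physical memory.
"""


def identify_capture(head: bytes) -> str:
    """Classify a capture from its first bytes and say how to treat it."""
    if head.startswith(b"\x7fELF"):
        return ("elf: core-dump style capture (e.g. VBoxManage debugvm dumpvmcore); "
                "Volatility reads the memory segments from the ELF headers")
    if head.startswith(b"EMiL"):
        return "lime: LiME Linux capture; memory ranges described by LiME segment headers"
    sig = head[:4].lower()
    if sig == b"hibr":
        return ("hiberfil: valid hibernation image; convert to raw "
                "(Volatility 2 imagecopy or hibr2bin) before analysis")
    if sig == b"wake":
        return ("hiberfil (resumed): the system resumed after this file was written, "
                "so the signature was invalidated and the image may be incomplete")
    return "raw: no recognised header, treat as raw physical memory (.raw, .vmem, .mem)"


def identify_file(path: str) -> str:
    """Convenience wrapper that reads only the first 16 bytes of a capture."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(16))


if __name__ == "__main__":
    import sys
    for capture in sys.argv[1:]:
        print(capture, "->", identify_file(capture))
```

Run it as `python triage.py memory.raw hiberfil.sys vm.vmem` (assumed file names) to get one line per capture; a raw result for a .vmem or .raw file is the expected, good case.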
Further, we might want to check what the community says about these processes and upload the dumps to VirusTotal. Look up the hash first, though: uploading a dump shares whatever the process held in memory (credentials, internal documents) with VirusTotal's subscribers, and it can tip off an adversary who is watching for their tooling to appear there.
MITRE ATT&CK is a globally accessible knowledge base that documents adversary TTPs (Tactics, Techniques, and Procedures) based on real-world observations. MITRE's stated mission is to enable better cybersecurity by connecting communities together. The framework, which is used for threat modelling, adversary emulation and mapping detection coverage, is free, open, and available to anyone. If your role has anything to do with cybersecurity, from SOC analyst to red team operator or pentester, you should know your MITRE ATT&CK.
ATT&CK Navigator is a great place to start: it lets you view and annotate the different matrices, from Enterprise to Mobile and ICS. Each matrix describes the goals adversaries pursue (the tactics, such as Defense Evasion) and the specific techniques they use to reach them. For example, they might deploy a rootkit if the goal is to evade your defences and hide their malicious activity.
A quote from VirusTotal is truly revealing of what kind of importance Yara holds in the Cybersecurity community today:
"The pattern matching swiss knife for malware researchers (and everyone else)."
Yara works by identifying patterns in files: text strings (including UTF-16 "wide" strings), sequences of bytes, optionally with wildcards, and regular expressions.
To detect those patterns, Yara uses rules, which you can think of as labels we write to decide whether a file is malicious: a rule names a set of strings and a boolean condition over them, and a file matches when the condition holds. The strings an application embeds are often what gives it away; a ransomware sample, for example, typically carries the Bitcoin address it wants its victims to pay as a plain string.
Yara rules are easy to read and understand, and their syntax was made to resemble C. We are not going into details on how to write your own Yara rules; instead, check out the article by the infosec researcher fr0gger_, where you can find out more from his Anatomy of a Yara rule infographic.
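To make the strings/condition model concrete, here is a small Yara-style matcher as an added example (this is not Yara and not code from the article; real rules belong in yara or yara-python). It emulates the rule shown in the comment: a wide text string, a regular expression for a Bitcoin-format address, and a hex pattern with a ?? wildcard, combined with a "2 of them" condition. The sample buffers, including the address, are constructed:

```python
"""A minimal Yara-style matcher, to show what a rule's strings and condition do.

Added example, not Yara itself and not code from the article. It supports
three string kinds (text, optionally 'wide' UTF-16LE; hex byte patterns with
?? wildcards and [n-m] jumps; raw byte regexes) and an 'N of them' condition.
The sample buffers are constructed, including a made-up Bitcoin-format address.
"""
import re

# The rule this script emulates, in Yara syntax:
#
#   rule Ransomware_Note_BTC
#   {
#       strings:
#           $note  = "Your files have been encrypted" wide
#           $btc   = /\b(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}\b/
#           $alloc = { 6A 40 68 00 30 00 00 6A ?? 8D }  // push 40h; push 3000h; push ?; lea
#       condition:
#           2 of them
#   }


def text_string(text, wide=False):
    """Literal text; 'wide' matches the UTF-16LE encoding Windows binaries use."""
    raw = text.encode("utf-16-le") if wide else text.encode("ascii")
    return re.compile(re.escape(raw), re.DOTALL)


def hex_string(spec):
    """Translate '{ 6A 40 ?? 8D [2-4] 91 }' into a byte regex."""
    parts = []
    for tok in spec.strip().strip("{}").split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        elif re.fullmatch(r"\[\d+-\d+\]", tok):
            lo, hi = tok[1:-1].split("-")            # jump of lo..hi bytes
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so '.' matches 0x0A too


def regex_string(pattern):
    """A byte regex used as-is (Yara's /.../ strings)."""
    return re.compile(pattern, re.DOTALL)


class Rule:
    def __init__(self, name, strings, required):
        self.name = name              # rule identifier
        self.strings = strings        # {"$ident": compiled pattern}
        self.required = required      # condition: at least this many strings must hit

    def scan(self, data):
        """Return (matched, {ident: [offsets]}) for one buffer."""
        hits = {ident: [m.start() for m in rx.finditer(data)]
                for ident, rx in self.strings.items()}
        matched = sum(1 for offs in hits.values() if offs) >= self.required
        return matched, hits


RANSOM_RULE = Rule(
    "Ransomware_Note_BTC",
    {
        "$note": text_string("Your files have been encrypted", wide=True),
        "$btc": regex_string(rb"\b(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}\b"),
        "$alloc": hex_string("{ 6A 40 68 00 30 00 00 6A ?? 8D }"),
    },
    required=2,
)

# Constructed sample "binaries": a PE-looking blob carrying a ransom note, a
# made-up address and a VirtualAlloc-style push sequence, and a harmless one.
SAMPLE_RANSOMWARE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + "Your files have been encrypted".encode("utf-16-le")
    + b"\x00\x00send 0.5 BTC to 1AbCdEfGhJkMnPqRsTuVwXyZ2345678 within 72h\x00"
    + b"\x6a\x40\x68\x00\x30\x00\x00\x6a\x14\x8d\x91"
)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"hello world, nothing to see here. " * 4

if __name__ == "__main__":
    for label, blob in (("ransomware", SAMPLE_RANSOMWARE), ("benign", SAMPLE_BENIGN)):
        matched, hits = RANSOM_RULE.scan(blob)
        print(label, "->", "MATCH" if matched else "no match",
              {k: v for k, v in hits.items() if v})
```

All three strings hit on the constructed sample (the wide note at offset 16, the address at 94, the byte pattern at 137), so the "2 of them" condition is satisfied; the benign buffer matches nothing. The wildcard handling is the part worth noticing: the byte 0x14 pushed before the lea is left open, which is exactly why hex patterns with ?? survive minor recompilation where a plain string would not.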
Also, if you find this tool awesome (as we do!) and decide to follow down that path, be sure not to miss
Valhalla, an online Yara rule feed made by Nextron Systems.
Metasploit is the biggest and best-known exploitation framework, maintained by Rapid7. There are two versions: Metasploit Pro, the paid one with a web GUI, and the free, open-source Metasploit Framework, which is CLI-based.
The Metasploit Framework is basically a bundle of tools that can do scanning, exploitation, post-exploitation, exploit development, and more. Even though it's mainly geared towards pentesters, it is invaluable for exploit developers.
The main components of Metasploit are modules, msfconsole, and the standalone tools. msfconsole is your CLI interface; modules (exploits, payloads, auxiliary and post modules, encoders, nops and evasion modules) supply the actual capabilities; and the standalone tools, msfvenom for payload generation being the most used, help with exploit development as well as with pentesting.
Sysinternals is not a single tool but a collection of 70+ tools, created by Mark Russinovich back in the 90s together with Bryce Cogswell, alongside their software company Winternals, of which Russinovich was a co-founder. In 2006 Microsoft acquired Winternals and the Sysinternals tools, and Mark Russinovich joined Microsoft; he is currently the CTO of Microsoft Azure.
The Sysinternals Suite is used literally by everyone: seasoned IT veterans like sysadmins, red teamers, and even adversaries. This is no surprise, since the 70-odd tools in the Sysinternals Suite cover many, many fronts: system information, security utilities, process utilities, networking utilities, and more.
These tools are the real deal, and you should learn to use them if you work in IT; it shouldn't matter whether you're a support engineer or a security engineer, Sysinternals is a must. (We will briefly look into one of them below: Sysmon.)
Sysmon (System Monitor) is a Windows system service and device driver from the Sysinternals Suite (which is now also available from the Microsoft Store; Sysmon was originally written by Mark Russinovich). It stays resident across reboots and writes detailed, security-relevant events to its own channel in the Windows Event Log (Microsoft-Windows-Sysmon/Operational): process creation with command lines and hashes, network connections, driver and image loads, process access, file creation, registry changes and more. You can think of it as the Windows Event Log on steroids: the kind of detail Process Explorer shows you interactively, recorded persistently for every process.
Sysmon collects detailed logs and traces events, which helps with pinpointing abnormalities in your environment. Ideally, you would use Sysmon in conjunction with a SIEM (Security Information and Event Management tool, Splunk being the best-known example), which can parse and correlate the logs and provide even more insight into your systems and potentially abnormal behaviour.
Sysmon requires a configuration file to be useful, so you either create one or download a community one (SwiftOnSecurity's sysmon-config and Olaf Hartong's sysmon-modular are the usual starting points). With it you fine-tune what you would like to log; the config is installed with sysmon -accepteula -i config.xml and updated later with sysmon -c config.xml.
With Sysmon you can filter the events in order to reduce clutter and hunt for threats, malware, persistence, and even evasion techniques. You can also detect Mimikatz, one of the most used Windows post-exploitation tools, which dumps credentials from memory; and Metasploit, which needs no introduction, too.
Mimikatz's signature is well known and an antivirus will pick the stock binary up, but your adversary can recompile or obfuscate it, rendering the AV useless. Its behaviour is much harder to hide: to read credentials it has to open a handle to lsass.exe with memory-read access, and Sysmon records exactly that as Event ID 10 (ProcessAccess). The idea is therefore to use a config that focuses on hunting the behaviour rather than the file. Mimikatz and the technique it implements (OS Credential Dumping from LSASS memory) are documented in MITRE ATT&CK, and community hunting guides cover Metasploit (and PsExec, netstat, net, etc.) with Sysmon in the same way.
These are some extremely powerful features to have, and it goes to show we don't need to break the bank to protect our systems: there's a plethora of tools out there that have much to offer, just like Sysmon.
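The LSASS-access hunt described above, run over Sysmon ProcessAccess events, as an added example (not from the article, not part of Sysmon, and not a vendor's detection rule). It parses the XML that Event Viewer or a log forwarder produces for Sysmon events, checks who opened lsass.exe, with which access mask, and whether the call stack runs through memory that is not backed by a file on disk, and tags each finding with the ATT&CK technique for LSASS memory dumping. The events, host name, process IDs and the allowlist of legitimate LSASS readers are constructed and must be tuned to your environment; the config fragment in the comment is what makes Sysmon emit these events in the first place:

```python
"""Hunting Mimikatz-style LSASS access in Sysmon Event ID 10 (ProcessAccess).

Added example, not from the article, Sysmon or any SIEM. The event XML below
is constructed in the shape Sysmon writes to Microsoft-Windows-Sysmon/Operational;
host names, PIDs, timestamps and the allowlist are made up.
"""
import xml.etree.ElementTree as ET

# Sysmon config fragment that produces these events (schemaversion must match
# your Sysmon build; `sysmon -s` prints the schema it expects):
#
#   <Sysmon schemaversion="4.82">
#     <EventFiltering>
#       <RuleGroup name="" groupRelation="or">
#         <ProcessAccess onmatch="include">
#           <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
#         </ProcessAccess>
#       </RuleGroup>
#     </EventFiltering>
#   </Sysmon>

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# PROCESS_* access rights (Win32 SDK) that allow touching another process's memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_ACCESS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
# Masks community Sysmon configs document for Mimikatz's sekurlsa modules:
# 0x1010 = QUERY_LIMITED_INFORMATION | VM_READ, 0x1410 adds QUERY_INFORMATION.
MIMIKATZ_MASKS = {0x1010, 0x1410}
# Constructed allowlist of processes that legitimately read LSASS memory.
ALLOWED_SOURCE_IMAGES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}
ATTACK_TECHNIQUE = "T1003.001 OS Credential Dumping: LSASS Memory"


def parse_sysmon_event(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f"{NS}System/{NS}EventID").text)
    fields = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    fields["Computer"] = root.find(f"{NS}System/{NS}Computer").text
    return event_id, fields


def check_lsass_access(xml_text):
    """Return a finding dict for suspicious LSASS access, or None."""
    event_id, f = parse_sysmon_event(xml_text)
    if event_id != 10 or not f.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = f.get("SourceImage", "")
    if source.lower() in ALLOWED_SOURCE_IMAGES:
        return None
    access = int(f["GrantedAccess"], 16)          # Sysmon logs it as hex text, e.g. 0x1010
    reasons = []
    if access in MIMIKATZ_MASKS:
        reasons.append(f"GrantedAccess {access:#06x} is a known Mimikatz mask")
    elif access & MEMORY_ACCESS:
        reasons.append(f"GrantedAccess {access:#06x} includes memory read/write rights")
    if "UNKNOWN" in f.get("CallTrace", ""):
        # Sysmon prints UNKNOWN for stack frames in memory not backed by a file:
        # shellcode, reflectively loaded DLLs, Metasploit/Cobalt Strike style injection.
        reasons.append("CallTrace contains UNKNOWN frames (unbacked executable memory)")
    if not reasons:
        return None
    return {"host": f["Computer"], "time": f.get("UtcTime", ""), "source": source,
            "source_pid": f.get("SourceProcessId", ""), "granted_access": f"{access:#x}",
            "reasons": reasons, "technique": ATTACK_TECHNIQUE}


def hunt(events):
    """Run the check over a batch of events and keep the findings."""
    return [r for r in (check_lsass_access(e) for e in events) if r is not None]


def _event(source, target, access, calltrace, event_id=10, host="WS01.corp.example"):
    """Build a constructed Sysmon event in Event Viewer's XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>
  <Computer>{host}</Computer></System>
  <EventData>
    <Data Name="UtcTime">2022-08-10 09:15:02.117</Data>
    <Data Name="SourceProcessId">4120</Data>
    <Data Name="SourceImage">{source}</Data>
    <Data Name="TargetProcessId">652</Data>
    <Data Name="TargetImage">{target}</Data>
    <Data Name="GrantedAccess">{access}</Data>
    <Data Name="CallTrace">{calltrace}</Data>
  </EventData>
</Event>"""


LSASS = r"C:\Windows\system32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d234"
SAMPLE_EVENTS = [
    _event(r"C:\Users\bob\Downloads\mimikatz.exe", LSASS, "0x1010",
           NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+2bd3e|C:\Users\bob\Downloads\mimikatz.exe+7f15a"),
    _event(r"C:\Program Files\Windows Defender\MsMpEng.exe", LSASS, "0x1fffff",
           NTDLL + r"|C:\Program Files\Windows Defender\mpengine.dll+1c2e40"),
    _event(r"C:\Windows\System32\rundll32.exe", LSASS, "0x1438",
           NTDLL + "|UNKNOWN(000001F4A3C20419)|UNKNOWN(000001F4A3C2B0DE)"),
    _event(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\svchost.exe", "0x1010", NTDLL),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the constructed batch, the stock Mimikatz run is caught by its 0x1010 mask, the Defender engine is allowlisted despite its full-access handle, the rundll32 event is reported twice over (memory rights plus UNKNOWN stack frames, the pattern an injected Metasploit or Cobalt Strike payload leaves), and the notepad event is ignored because it never touched LSASS. Feed the same logic your SIEM's Sysmon events and tune the allowlist from what legitimately shows up.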
My ideal audience for this article are people newer to the Infosec field, who are naturally curious and hungry for knowledge.
However, I hope there are some interesting bits and pieces of info even for the more experienced cybersecurity practitioners; there might also be a link or two above that you find interesting.
Stay tuned for Part 2!
#MITRE #yara #volatility #sysinternals #tooling