Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

Open Source Malware Hunting Lab

DiscoNinja
November 11, 2023

Open Source Malware Hunting Lab

DiscoNinja

November 11, 2023
Tweet

More Decks by DiscoNinja

Other Decks in Programming

Transcript

  1. Who am I? NAME: DAISUKE ARAI Job: Security Engineer/Weekend Researcher

    X Account: @momomopas Recent joy: Obtaining the Certified CyberDefender certification.
  2. Intro ・The reason I wanted to create this LAB is

    that I suddenly thought I would like to analyze it like THE DFIR Report.
  3. How are they analyzing? • Analysis tools such as Defender

    for Endpoint and Splunk are being used, as can be inferred from the report. • The fact that they are conducting lateral movement analysis suggests that the environment is close to that of an enterprise.
  4. Points for Consideration • Consideration of Analysis Environment ◦ Virtual

    Environment vs. Physical Environment ◦ Virtual Environment ◦ Physical Environment • Consideration of Detection Environment ◦ SIEM, EDR, Sandbox
  5. Virtual vs. Physical merit demerit Virtual Environment ・Conservation of Resources

    ・Snapshot and Restore ・Isolation ・Virtual Environment Detection ・Performance Overhead Physical Environment ・Realistic Operating Environment ・Avoidance of Virtual Environment Detection ・Cost ・Difficulties in Environment Setup and Restoration
  6. Which product should you use: Virtual Environment Edition • Install

    Windows on each virtual software, use tools designed to detect virtual environments and malware analysis environments to compare the detection results of each tool, and verify which virtual software is most suitable. • This time, Pafish and al-khaser will be used.
  7. Verification environment ▪VM Detection Tools • Pafish:Version 0.6 • al-khaser:Version

    0.81 ▪VM Spec • CPU:4vCPU • Memory:8192MG • DISK:128GB ▪OS • Windows10 Enterprise Evalution • Version:22H2 • Build :19045.2006 ▪Software • VMware、VirtualBox、KVM/Qemu
  8. Conclusion • Based on the detection results, KVM/QEMU is the

    best option when using a virtual environment. • If using VMware or VirtualBox, the detection of the virtual environment must be taken into account. > >
  9. Which product should you use: Physical Environment Edition • While

    the difficulty of restoration has been mentioned as a disadvantage of the physical environment, there are tools available that solve this drawback. Fog Project Clonezilla
  10. Which product should you use: Physical Environment Edition merit demerit

    Fog Project ・Efficient Deployment ・Remote Management ・Open Source Software (OSS) ・Complexity of Setup Clonezilla ・Number of Supported File Systems ・Open Source Software (OSS) ・Booting from Bootable Media ・User Interface
  11. FOG Project It operates on a Linux-based server and uses

    PXE (Preboot eXecution Environment) to allow client machines to boot over the network and perform tasks such as image deployment and other tasks.
  12. SIEM Tools Description Splunk It is a big data analytics

    tool that can collect, index, search, analyze, and visualize machine data in real time. Elastic Stack It consists of Elasticsearch, Logstash, and Kibana, and is an integrated platform for searching, analyzing, and visualizing data. Qradar It is IBM's security information and event management (SIEM) solution that assists with threat detection and incident response.
  13. SIEM Tools Description Alienvault ossim It is an open-source security

    information and event management (SIEM) tool that provides threat detection and compliance management. Security Onion A free, open-source platform that provides network security monitoring and logging, supporting threat hunting and incident response. Graylog An open-source log management solution that aggregates, searches, and analyzes logging data to support threat detection and analysis. Opensearch A free and open-source distributed search engine that enables data searching and analysis, forked from Elasticsearch.
  14. Consideration of SIEM Splunk Elastic Stack Qradar Alienvault ossim SecurityOnion

    Graylog Opensearch ◦ Commercial / Free ◦ ◦ ◦ Commercial / Free ◦ ◦ ◦ Commercial / Free ◦ ◦ ▲ Free ▲ ▲ ◦ OSS ◦ ◦ ▲ Free ▲ ▲ ▲ OSS ▲ ▲ Coverage of Data Sources Licensing Setup Analytical Capabilities
  15. EDR Tools Description Elastic Defend It provides an integrated security

    solution to enhance endpoint security and threat hunting as part of the Elastic Stack. OpenEDR An open-source Endpoint Detection and Response (EDR) platform that offers capabilities for collecting, analyzing, and responding to threats on endpoints. Wazuh An open-source platform that provides Security Information and Event Management (SIEM), threat detection, and endpoint security, offering an integrated solution for monitoring and analysis.
  16. Consideration of EDR Elastic Defend OpenEDR Wazuh ◦ Commercial /

    Free ◦ ◦ ▲ OSS ☓ ▲ ▲ OSS ◦ ◦ Coverage of Data Sources Licensing Setup Analytical Capabilities
  17. SandBox Tools Description Cuckoo Sandbox It is an automated malware

    analysis system capable of analyzing malicious files for Windows, macOS, Linux, and Android. It monitors malware behavior, records malware activity, and reports in a secure environment. CAPEv2 Sandbox Derived from Cuckoo, it is designed to automate the process of malware analysis. It extracts payloads and configurations from malware, detects malware based on payload signatures, and automates the objectives of malware reverse engineering and threat intelligence. DRAKVUF Sandbox An automated black-box malware analysis system utilizing the DRAKVUF engine. It does not require an agent on the guest OS and provides a user-friendly web interface for uploading and analyzing suspicious files. It allows for easy setup and customization and is suitable for experienced users.
  18. Consideration of Sandbox Cuckoo Sandbox CAPEv2 Sandbox DRAKVUF Sandbox ▲

    OSS ▲ ◦ ◦ OSS ◦ ◦ ◦ OSS ▲ ◦ Frequency of Development Licensing Setup Analytical Capabilities
  19. Forensics Tools Tools Description Velociraptor It is an open-source tool

    for exploring endpoints and collecting artifacts, assisting with tasks in digital forensics and incident response. KAPE (Kroll Artifact Parser and Extractor) A forensic tool aimed at accelerating the collection and analysis of digital artifacts. It is command-line based and extracts and analyzes data from target directories or registries. GRR (Google Rapid Response) An open-source framework for conducting remote forensic operations on live endpoints, supporting data collection and analysis on endpoints, and assisting with incident response.
  20. Consideration of Forensics Tools Velociraptor KAPE GRR ◦ OSS ◦

    ◦ ◦ Commercial / Free ◦ ◦ ◦ OSS ▲ ◦ Coverage Licensing Setup Can it be acquired remotely
  21. SecurityOnion Security Onion is an open-source Linux distribution for network

    security and incident response. This platform aims to combine a variety of security tools to provide a comprehensive solution. Security Onion is used for network monitoring and log management, as well as for analysis and response when security incidents occur.
  22. Velociraptor Velociraptor is an advanced open-source tool for digital forensics

    and incident response (DFIR). This tool is designed for rapid investigations and data collection across a network. Velociraptor is capable of extracting detailed information from endpoints using a complex query language.
  23. CAPEv2 Sandbox CAPE is an open-source automated malware analysis system. It’s

    used to automatically run and analyze files and collect comprehensive analysis results that outline what the malware does while running inside an isolated Windows operating system.
  24. CAPEv2 Sandbox • Traces of win32 API calls that were

    performed by all processes spawned by the malware. • Files that were created, deleted, and downloaded by the malware during its execution. • Memory dumps of the malware processes. • Network traffic trace in PCAP format. • Screenshots of Windows desktop taken during the execution of the malware. • Full memory dumps of the machines.
  25. Reference:Money Laptop1:Lenovo ThinkPad E480(About 70,000-80,000 yen at that time) Laptop2:Lenovo

    ThinkPad x240(Used 20,000~30,000) Mini PC:From an unfamiliar manufacturer(27,980 yen) Switche:TP-Link SG108E(3,544 yen)
  26. Flow of Analysis No. Action Description 1 Submit Sample Submit

    the sample to CAPE. Make sure to set a timeout. 2 Wait Wait 3 Collection Before timing out, acquire forensic artifacts with Velociraptor. 4 Restoration Once the timeout period is reached, FOG will execute automatically. 5 Analysis Analyze with Security Onion and Velociraptor.
  27. Summary • It is possible to analyze malware even in

    a physical environment. • By utilizing OSS tools, an environment can be created that allows for analysis similar to THE DFIR Report. • In the future, additions such as AD environments and honey files will be made.