Open Source Malware Hunting Lab

DiscoNinja
November 11, 2023

Transcript

  1. Open Source Malware Hunting Lab
    Daisuke Arai

  2. Who am I?
    NAME: DAISUKE ARAI
    Job: Security Engineer/Weekend Researcher
    X Account: @momomopas
    Recent joy: Obtaining the Certified CyberDefender certification.

  3. Intro
    ・The reason I wanted to create this lab is that I suddenly thought I would like to analyze it like THE DFIR Report.

  4. This Time's Goal
    Create an environment that allows for analysis similar to THE DFIR Report.

  5. How are they analyzing?
    ● Analysis tools such as Defender for Endpoint and Splunk are being used, as can be inferred from the report.
    ● The fact that they are conducting lateral movement analysis suggests that the environment is close to that of an enterprise.

  6. Open Source Malware Hunting Lab
    ● CAPEv2 Sandbox
    ● Fog
    ● Security Onion
    ● Velociraptor
    ● Elastic Defend

  7. Points for Consideration
    ● Consideration of Analysis Environment
    ○ Virtual Environment vs. Physical Environment
    ○ Virtual Environment
    ○ Physical Environment
    ● Consideration of Detection Environment
    ○ SIEM, EDR, Sandbox

  8. Consideration of the Analysis Environment

  9. Virtual vs. Physical

  10. Virtual vs. Physical
    Virtual Environment
      Merit: ・Conservation of Resources ・Snapshot and Restore ・Isolation
      Demerit: ・Virtual Environment Detection ・Performance Overhead
    Physical Environment
      Merit: ・Realistic Operating Environment ・Avoidance of Virtual Environment Detection
      Demerit: ・Cost ・Difficulties in Environment Setup and Restoration

  11. Virtual Environment

  12. Which product should you use: Virtual Environment Edition
    ● Install Windows on each virtualization product, run tools designed to detect virtual environments and malware analysis environments, compare the detection results of each tool, and verify which virtualization product is most suitable.
    ● This time, Pafish and al-khaser will be used.

  13. Verification environment
    ■VM Detection Tools
    ● Pafish: Version 0.6
    ● al-khaser: Version 0.81
    ■VM Spec
    ● CPU: 4 vCPU
    ● Memory: 8192 MB
    ● Disk: 128 GB
    ■OS
    ● Windows 10 Enterprise Evaluation
    ● Version: 22H2
    ● Build: 19045.2006
    ■Software
    ● VMware, VirtualBox, KVM/Qemu

  14. Number of Detections by Pafish
                       VMware  VirtualBox  KVM/Qemu
    Detection Results  10      18          9

  15. Number of Detections by al-khaser
                       VMware  VirtualBox  KVM/Qemu
    Detection Results  31      45          27

  16. Summary
               VMware  VirtualBox  KVM/Qemu
    Pafish     10      18          9
    al-khaser  31      45          27

  17. Conclusion
    ● Based on the detection results, KVM/QEMU is the best option when using a virtual environment.
    ● If using VMware or VirtualBox, the detection of the virtual environment must be taken into account.

  18. Cho-Physical

  19. Which product should you use: Physical Environment Edition
    ● While the difficulty of restoration has been mentioned as a disadvantage of the physical environment, there are tools available that solve this drawback.
    Candidates compared: Fog Project, Clonezilla

  20. Which product should you use: Physical Environment Edition
    Fog Project
      Merit: ・Efficient Deployment ・Remote Management ・Open Source Software (OSS)
      Demerit: ・Complexity of Setup
    Clonezilla
      Merit: ・Number of Supported File Systems ・Open Source Software (OSS)
      Demerit: ・Booting from Bootable Media ・User Interface

  21. Physical
                 Sandbox  Licensing  Setup
    Fog Project  ○        OSS        ▲
    Clonezilla   ☓        OSS        ▲

  22. Conclusion
    ● FOG, which allows for cloning HDDs and deploying HDDs from a WebUI, is optimal.

  23. FOG Project
    It operates on a Linux-based server and uses PXE (Preboot eXecution Environment) so that client machines can boot over the network and perform tasks such as image deployment.

  24. Consideration of the Detection Environment

  25. SIEM
    Tool: Description
    Splunk: A big data analytics tool that can collect, index, search, analyze, and visualize machine data in real time.
    Elastic Stack: Consists of Elasticsearch, Logstash, and Kibana, and is an integrated platform for searching, analyzing, and visualizing data.
    Qradar: IBM's security information and event management (SIEM) solution that assists with threat detection and incident response.

  26. SIEM
    Tool: Description
    Alienvault ossim: An open-source security information and event management (SIEM) tool that provides threat detection and compliance management.
    Security Onion: A free, open-source platform that provides network security monitoring and logging, supporting threat hunting and incident response.
    Graylog: An open-source log management solution that aggregates, searches, and analyzes logging data to support threat detection and analysis.
    Opensearch: A free and open-source distributed search engine, forked from Elasticsearch, that enables data searching and analysis.

  27. Consideration of SIEM
                      Coverage of Data Sources  Licensing          Setup  Analytical Capabilities
    Splunk            ○                         Commercial / Free  ○      ○
    Elastic Stack     ○                         Commercial / Free  ○      ○
    Qradar            ○                         Commercial / Free  ○      ○
    Alienvault ossim  ▲                         Free               ▲      ▲
    SecurityOnion     ○                         OSS                ○      ○
    Graylog           ▲                         Free               ▲      ▲
    Opensearch        ▲                         OSS                ▲      ▲

  28. EDR
    Tool: Description
    Elastic Defend: Provides an integrated security solution to enhance endpoint security and threat hunting as part of the Elastic Stack.
    OpenEDR: An open-source Endpoint Detection and Response (EDR) platform that offers capabilities for collecting, analyzing, and responding to threats on endpoints.
    Wazuh: An open-source platform that provides Security Information and Event Management (SIEM), threat detection, and endpoint security, offering an integrated solution for monitoring and analysis.

  29. Consideration of EDR
                    Coverage of Data Sources  Licensing          Setup  Analytical Capabilities
    Elastic Defend  ○                         Commercial / Free  ○      ○
    OpenEDR         ▲                         OSS                ☓      ▲
    Wazuh           ▲                         OSS                ○      ○

  30. SandBox
    Tool: Description
    Cuckoo Sandbox: An automated malware analysis system capable of analyzing malicious files for Windows, macOS, Linux, and Android. It monitors malware behavior, records malware activity, and reports in a secure environment.
    CAPEv2 Sandbox: Derived from Cuckoo, it is designed to automate the process of malware analysis. It extracts payloads and configurations from malware, detects malware based on payload signatures, and automates the objectives of malware reverse engineering and threat intelligence.
    DRAKVUF Sandbox: An automated black-box malware analysis system utilizing the DRAKVUF engine. It does not require an agent on the guest OS and provides a user-friendly web interface for uploading and analyzing suspicious files. It allows for easy setup and customization and is suitable for experienced users.

  31. Consideration of Sandbox
                     Frequency of Development  Licensing  Setup  Analytical Capabilities
    Cuckoo Sandbox   ▲                         OSS        ▲      ○
    CAPEv2 Sandbox   ○                         OSS        ○      ○
    DRAKVUF Sandbox  ○                         OSS        ▲      ○

  32. Forensics Tools
    Tool: Description
    Velociraptor: An open-source tool for exploring endpoints and collecting artifacts, assisting with tasks in digital forensics and incident response.
    KAPE (Kroll Artifact Parser and Extractor): A forensic tool aimed at accelerating the collection and analysis of digital artifacts. It is command-line based and extracts and analyzes data from target directories or registries.
    GRR (Google Rapid Response): An open-source framework for conducting remote forensic operations on live endpoints, supporting data collection and analysis on endpoints, and assisting with incident response.

  33. Consideration of Forensics Tools
                  Coverage  Licensing          Setup  Can it be acquired remotely
    Velociraptor  ○         OSS                ○      ○
    KAPE          ○         Commercial / Free  ○      ○
    GRR           ○         OSS                ▲      ○

  34. Conclusion
    ● Detection Environment
    ○ Security Onion + Elastic Defend
    ○ Velociraptor
    ○ CAPEv2 Sandbox

  35. SecurityOnion
    Security Onion is an open-source Linux distribution for network security and incident response. This platform aims to combine a variety of security tools to provide a comprehensive solution. Security Onion is used for network monitoring and log management, as well as for analysis and response when security incidents occur.

  36. SecurityOnion
    [Diagram: Security Onion data sources (Network, Endpoint) feeding Tools and Analysis]

  37. Velociraptor
    Velociraptor is an advanced open-source tool for digital forensics and incident response (DFIR). This tool is designed for rapid investigations and data collection across a network. Velociraptor is capable of extracting detailed information from endpoints using a complex query language.

  38. Velociraptor
    [Diagram labels: Collect Data, System]

  39. CAPEv2 Sandbox
    CAPE is an open-source automated malware analysis system. It's used to automatically run and analyze files and collect comprehensive analysis results that outline what the malware does while running inside an isolated Windows operating system.

  40. CAPEv2 Sandbox
    ● Traces of win32 API calls that were performed by all processes spawned by the malware.
    ● Files that were created, deleted, and downloaded by the malware during its execution.
    ● Memory dumps of the malware processes.
    ● Network traffic trace in PCAP format.
    ● Screenshots of the Windows desktop taken during the execution of the malware.
    ● Full memory dumps of the machines.
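
    To show what the API-call traces, dropped files and network data listed above look like once CAPE has written them to report.json, here is an added Python example (not code from the deck or from the CAPE project). It assumes CAPE's Cuckoo-derived report layout (behavior.processes[].calls[], dropped[], network.hosts[]); the report content and the WATCHLIST of APIs are constructed for the demo.

```python
"""Triage a CAPEv2 report.json (added example; assumes CAPE's Cuckoo-derived layout:
behavior.processes[].calls[], dropped[], network.hosts[])."""
import json
from collections import Counter

# Constructed sample report in that layout; every value below is made up.
SAMPLE_REPORT = json.dumps({
    "target": {"file": {"name": "invoice.exe", "sha256": "0" * 64}},
    "behavior": {"processes": [
        {"pid": 4012, "process_name": "invoice.exe", "calls": [
            {"api": "CreateProcessInternalW", "category": "process",
             "arguments": [{"name": "CommandLine", "value": "cmd.exe /c whoami"}]},
            {"api": "InternetOpenUrlA", "category": "network",
             "arguments": [{"name": "URL", "value": "http://203.0.113.5/stage2.bin"}]},
            {"api": "NtWriteFile", "category": "file", "arguments": []},
            {"api": "NtWriteFile", "category": "file", "arguments": []},
        ]},
        {"pid": 4100, "process_name": "cmd.exe", "calls": [
            {"api": "RegSetValueExW", "category": "registry", "arguments": [{
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"}]},
        ]},
    ]},
    "dropped": [{"name": "stage2.bin", "sha256": "1" * 64, "size": 4096}],
    "network": {"hosts": ["203.0.113.5"]},
})

# Hypothetical watchlist: process creation, Run-key persistence, network egress.
WATCHLIST = {"CreateProcessInternalW", "RegSetValueExW", "InternetOpenUrlA"}


def triage(report_json: str) -> dict:
    """Summarise one report: API-call counts per process, notable calls, drops, hosts."""
    report = json.loads(report_json)
    api_counts, notable = {}, []
    for proc in report.get("behavior", {}).get("processes", []):
        calls = proc.get("calls", [])
        api_counts[(proc["pid"], proc["process_name"])] = dict(Counter(c["api"] for c in calls))
        for call in calls:
            if call["api"] in WATCHLIST:  # keep the arguments, they carry the indicators
                args = {a["name"]: a["value"] for a in call.get("arguments", [])}
                notable.append((proc["process_name"], call["api"], args))
    return {
        "sample": report["target"]["file"]["name"],
        "api_counts": api_counts,
        "notable_calls": notable,
        "dropped": [(d["name"], d["sha256"]) for d in report.get("dropped", [])],
        "hosts": sorted(report.get("network", {}).get("hosts", [])),
    }
```

The returned hosts and dropped-file hashes are the values to pivot on in Security Onion and Velociraptor in the analysis step.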

  41. Network Configuration

  42. Reference: Money
    Laptop1: Lenovo ThinkPad E480 (about 70,000-80,000 yen at that time)
    Laptop2: Lenovo ThinkPad X240 (used, 20,000~30,000 yen)
    Mini PC: From an unfamiliar manufacturer (27,980 yen)
    Switch: TP-Link SG108E (3,544 yen)

  43. Flow of Analysis

  44. Flow of Analysis
    No. | Action        | Description
    1   | Submit Sample | Submit the sample to CAPE. Make sure to set a timeout.
    2   | Wait          | Wait.
    3   | Collection    | Before timing out, acquire forensic artifacts with Velociraptor.
    4   | Restoration   | Once the timeout period is reached, FOG will execute automatically.
    5   | Analysis      | Analyze with Security Onion and Velociraptor.

  45. Summary
    ● It is possible to analyze malware even in a physical environment.
    ● By utilizing OSS tools, an environment can be created that allows for analysis similar to THE DFIR Report.
    ● In the future, additions such as AD environments and honey files will be made.
