Topic
- [ ] Pre-analysis action items and questions
  - [ ] Why was the evidence collected?
    - [ ] Not always necessary to know, but it can be a time saver
  - [ ] What purpose does the machine serve?
    - [ ] Web server
    - [ ] Database server
    - [ ] Domain controller or internal file server
    - [ ] Employee desktop or workstation
  - [ ] Any initial indicators?
    - [ ] IP addresses or hostnames involved
    - [ ] Keywords
    - [ ] File names or registry keys used
    - [ ] Time frames
  - [ ] What actions were taken by the person capturing RAM?
    - [ ] Acquisition tool used and output format
    - [ ] Tools run on the live machine before or during the capture
  - [ ] Details on the suspect system
    - [ ] Host OS
    - [ ] Memory architecture (x86, x64, ARM)
    - [ ] Amount of RAM installed
  - [ ] Goals of your analysis should include:
    - [ ] What can be used as indicators of compromise on other machines?
    - [ ] What is the persistence mechanism?
    - [ ] When was the system infected?
    - [ ] Summary of activity performed on the system
- [ ] Examine processes
  - [ ] Check for suspicious or look-alike process names (e.g. AAAAA.exe, or smsss.exe masquerading as smss.exe)
    - [ ] There should only be one System process
    - [ ] There should only be one smss.exe, lsass.exe, and services.exe (all in %SystemRoot%\System32)
    - [ ] There can be multiple svchost.exe, but their parent should always be services.exe
    - [ ] There can be multiple csrss.exe, but only one per session
    - [ ] Applications like IE, Adobe Reader, and Word should not have child cmd.exe processes
    - [ ] On Vista+, the parent of lsass.exe and services.exe should be wininit.exe (all in %SystemRoot%\System32)
    - [ ] Pre-Vista, the parent of lsass.exe and services.exe should be winlogon.exe (all in %SystemRoot%\System32)
    - [ ] Pre-Vista, the parent of csrss.exe and winlogon.exe should be smss.exe (all in %SystemRoot%\System32). On Vista+ they are started by a second, short-lived smss.exe instance that exits immediately, so a missing (already exited) parent for csrss.exe, wininit.exe, and winlogon.exe is normal there
  - [ ] Are process priorities normal?
    - [ ] csrss.exe, winlogon.exe, wininit.exe, smss.exe, and services.exe should all be above normal (base priority > 8)
  - [ ] Use the process creation times to draw temporal correlations with other artifacts
    - [ ] Or just use the timeliner plugin (it already includes process timestamps)
  - [ ] Are there any web browsers, IM clients, or email applications running?
    - [ ] If it was a drive-by download or client-side exploit, the link was likely accessed by one of these apps
    - [ ] Any email fragments?
    - [ ] Any URL or chat history available?
  - [ ] If any rundll32.exe processes are running, view the command-line args so you can identify the DLL
  - [ ] Which processes belong to RDP sessions?
  - [ ] Investigating command shells (cmd.exe)
    - [ ] Are any standard handles being redirected to named pipes or network sockets?
    - [ ] Does cmd.exe exist in the proper path? (see "Check the exe full path" below)
    - [ ] Check the shell's current working directory
    - [ ] Can you recover the console's input/output buffer or the attacker's commands?
  - [ ] Check the exe full path
    - [ ] Two sources: VAD and PEB. The VAD is more reliable because it lives in kernel memory, while the PEB is in user mode and can be rewritten by the process itself. Use ldrmodules --verbose to compare the two
    - [ ] Anything running out of temp directories?
    - [ ] Misleading directories (e.g. c:\windows\system33)
    - [ ] Launched from \\.\globalroot?
  - [ ] Are there any suspicious command-line parameters?
    - [ ] The group name given to svchost.exe -k should appear as a value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    - [ ] URL passed to IE at startup time?
    - [ ] Clampi passed ASCII-armored shellcode to IE as an argument
  - [ ] Are processes running at the right privilege level?
    - [ ] Debug privilege, load driver privilege, etc.
    - [ ] Is anything running as domain admin or enterprise admin?
    - [ ] Is there any evidence of DKOM / tampering with the _TOKEN objects?
      - [ ] Use the privs plugin to diff the Enabled and Present bits
  - [ ] Detecting hidden processes
    - [ ] List walking vs scanning (pslist vs psscan)
    - [ ] Check the process exit time: if it has terminated, finding it via psscan and not pslist is normal
    - [ ] Alternate process listings (psxview)
      - [ ] Only processes started after csrss.exe are in the csrss handle list
      - [ ] Only processes started after smss.exe are in the desktop threads and session lists
  - [ ] Extract main executables, DLLs, and VAD segments and scan them with VirusTotal
  - [ ] Examine imported APIs (not an exhaustive list)
    - [ ] Networking
      - [ ] URLDownloadToFile
      - [ ] send, recv, listen, connect, accept, bind
      - [ ] HttpSendRequest, HttpOpenRequest, InternetReadFile
    - [ ] Protection / Crypto
      - [ ] CryptDecrypt
      - [ ] CertOpenStore
      - [ ] SamIConnect, SamIGetPrivateData
    - [ ] Process creation
      - [ ] CreateProcess
      - [ ] WinExec
      - [ ] ShellExecute
    - [ ] System info
      - [ ] GetAdaptersInfo
      - [ ] LsaEnumerateLogonSessions
      - [ ] NetShareEnum
    - [ ] Persistence / Hiding
      - [ ] CreateService
      - [ ] StartService
      - [ ] CreateRemoteThread
      - [ ] VirtualAllocEx
      - [ ] WriteProcessMemory
      - [ ] NetScheduleJobAdd
      - [ ] SetFileTime
      - [ ] SetWindowsHookEx
      - [ ] SetWinEventHook
    - [ ] Security
      - [ ] AdjustTokenPrivileges
      - [ ] IsNTAdmin
  - [ ] Scan process memory with Yara signatures
    - [ ] IPs, URLs, domains, credit card numbers, phone numbers, SSNs
    - [ ] Antivirus and APT signatures
    - [ ] Malware Cookbook: https://code.google.com/p/malwarecookbook/source/browse/trunk/3/5/capabilities.yara
    - [ ] Convert from ClamAV rules
    - [ ] AlienVault Labs: https://github.com/jaimeblasco/AlienvaultLabs
    - [ ] Yara Exchange Group: http://www.deependresearch.org/2013/02/yara-resources.html
    - [ ] Packer signatures from PEiD: https://code.google.com/p/malwarecookbook/source/browse/trunk/3/4/packer.yara
  - [ ] Process handles
    - [ ] Any auto-run registry keys open?
    - [ ] Any suspicious file handles? (e.g. c:\keylogger.txt)
    - [ ] Or files opened from remote shares? (e.g. \\192.168.1.20\files\test.txt)
      - [ ] The handle prefix may be \Device\Mup or \Device\LanManRedirector
    - [ ] Any mutexes?
    - [ ] Named pipes from psexec (\Device\NamedPipe\psexecsvc-*)
    - [ ] Remember that \Device\Tcp and \Device\Afd\Endpoint indicate network sockets/connections
  - [ ] Process threads
    - [ ] Orphan threads: floating code in the kernel
    - [ ] Hiding from debuggers
    - [ ] Hardware breakpoints
  - [ ] DLLs
    - [ ] Does the context make sense?
      - [ ] ws2_32.dll or urlmon.dll in processes that don't need networking
      - [ ] pstorec.dll in processes other than IE and explorer
      - [ ] sfc_os.dll in processes that don't need to back up or restore system files
    - [ ] Which DLLs could potentially be loaded by shellcode?
    - [ ] Are any DLLs unlinked? (check with ldrmodules)
      - [ ] Remember the exceptions (fonts aren't in the lists, the exe is not in the initialization order list)
    - [ ] VADs can be unlinked too: check for "holes" in the page tables
  - [ ] Environment variables
    - [ ] Any PATH or PATHEXT modifications? (e.g. load order hijacking)
    - [ ] Mask the persistent ones; is anything left?
  - [ ] Code injection
    - [ ] Cross-reference DLLs with VADs (see DLLs / ldrmodules)
    - [ ] Check for process hollowing (ImageBase VAD characteristics don't check out)
    - [ ] Distinguish malfind false positives with disassembly and hex dumps
      - [ ] An MZ header or a function prologue at the base is almost always malicious
      - [ ] Look for PUSH, POP, MOV, JMP, CALL at the top of the disassembly
      - [ ] Typically all pages in an injected region are committed at once (commit charge)
  - [ ] Memory checks
    - [ ] Any handles to suspiciously named shared memory? (e.g. Global\MySharedMem)
    - [ ] Anything in KUSER_SHARED_DATA callpad pointers? (TDL3)
  - [ ] API hooks
    - [ ] Know the commonly hooked APIs; look up unknown ones on MSDN
    - [ ] Standard IAT/EAT/inline
    - [ ] Winsock hooks
    - [ ] SYSENTER hooks
    - [ ] Do they lead to trusted or untrusted modules/code?
    - [ ] Extract data around the hook function and examine it with strings and/or IDA
  - [ ] Look for artifacts of encryption or compression
    - [ ] Find base64 strings heuristically (see the Malware Cookbook recipe)
    - [ ] "OpenSSL" strings are commonly found in malware statically linked with OpenSSL
    - [ ] Check entropy for encoded/encrypted/compressed data
    - [ ] Scan for known crypto and hash constants
  - [ ] PE files
    - [ ] Extract binaries individually or in bulk
    - [ ] Know the difference between procexedump and procmemdump (no slack vs slack)
    - [ ] To extract DLLs use dlldump with --base=ADDR (works with normal and injected DLLs)
    - [ ] Extract kernel modules or PE files in kernel space with moddump
    - [ ] If dumping fails, the reason is usually corrupt or paged-out PE headers
    - [ ] Dump VADs if you're in process mode
    - [ ] volshell can also read arbitrary regions of memory and dump them to a file
    - [ ] Analyze PE version info
- [ ] Networking
  - [ ] Any unexpected connections to internal systems? (DCs, LDAP servers, DBs, file servers, etc.)
  - [ ] Any active connections to external systems on non-standard ports? (e.g. 6667)
  - [ ] Any connections to external systems in suspicious countries or net blocks?
  - [ ] Any open listening ports?
    - [ ] Especially if there have been recent changes to the firewall policies of the local machine
  - [ ] Can you find fragments of internet browsing history?
    - [ ] Use the iehistory plugin or scan for URL regular expressions
  - [ ] Any raw sockets? (promiscuous NICs)
  - [ ] Scan for abnormal User-Agents
    - [ ] Exclude well-known agents: http://www.user-agents.org/allagents.xml
- [ ] Examine services
  - [ ] Check the registry's last write time for services to see which (if any) were recently added
  - [ ] The linked list shown by svcscan gives relative temporal order (the last entries in the list were the last to load)
  - [ ] Check the ServiceDll registry value for any SERVICE_WIN32_SHARED_PROCESS
  - [ ] Any hidden/unlinked services?
  - [ ] Are any important services stopped that should be running?
    - [ ] wscsvc (Security Center)
    - [ ] firewall
    - [ ] antivirus
    - [ ] eventlog service
- [ ] Strings
  - [ ] Step 1: extract strings; Step 2: translate the offsets with Volatility
    - [ ] GNU flags: -a (all), -el (also get Unicode), -td (decimal offsets)
    - [ ] Sysinternals flags: -t -o
    - [ ] Strings in deallocated/free storage won't have owners
- [ ] Command histories
  - [ ] Are there any active command shells?
  - [ ] Did the attacker leave input/output buffers in memory?
- [ ] Kernel modules
  - [ ] Do any SSDT hooks point to the module?
  - [ ] Do any registered timers or callbacks point to the module?
  - [ ] Do another driver's IRP handlers point to the module (and do any of this module's IRP handlers point to another driver)?
  - [ ] Check the path on disk
  - [ ] Any unlinked modules? (modules vs modscan)
  - [ ] Anything suspicious recently unloaded?
  - [ ] Are TrueCrypt drivers loaded?
- [ ] Kernel hooks
  - [ ] IOCTL hooks in tcpip.sys (especially IRP_MJ_DEVICE_CONTROL)
  - [ ] Layered drivers for keyboard (Kbdclass), NTFS, FAT, SMB, VMware, USB, CD-ROM
  - [ ] Which drivers have monitors installed?
    - [ ] Process creation, thread creation, image load
    - [ ] File system changes
    - [ ] Registry changes
    - [ ] Bug checks (anti-crash dump)
  - [ ] x86 only: are there any call gates installed in the GDT?
  - [ ] x86 only: are there any IDT hooks? (mainly vector 0x2E, the legacy INT 2E system call entry used before SYSENTER)
  - [ ] There should be 4 SSDT slots, 2 of them used
    - [ ] First (native) table: all functions point to nt
    - [ ] Second (GUI) table: all functions point to win32k.sys
    - [ ] There can be additional ones if IIS is installed
    - [ ] UNKNOWN means the owning driver can't be identified; sometimes it's antivirus (esp. Symantec) hooking in ways similar to malware
  - [ ] Inline hooks of SSDT functions (ssdt --verbose)
  - [ ] Breakpoints in the CPU context debug registers?
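The two-step strings procedure above (extract with GNU `strings -a -td`, then translate each offset to its owner) looks like this when written out. This is an added example, not the checklist's or Volatility's own code: the page-mapping table and the `strings` output are constructed by hand (Volatility builds the real table from every process's page tables), and the owner labels and addresses are invented. It shows the two cases the checklist calls out: a physical page mapped into several processes (a shared DLL page) is reported with every owner, and an offset that falls in no mapped page is reported as free, i.e. without an owner.

```python
"""Translate GNU `strings -a -td` offsets into (owner, virtual address).

Added example, not Volatility's own code. MAPPINGS and STRINGS_OUTPUT are
constructed; in a real case the mapping comes from each process's page
tables and the kernel's, and the strings file from `strings -a -td image`.
"""
import re
from typing import Dict, List, Tuple

PAGE = 0x1000  # 4 KiB pages

# (owner, virtual page start, physical page start). Constructed values.
MAPPINGS = [
    ("kernel",            0x80400000, 0x00400000),
    ("explorer.exe:1200", 0x00401000, 0x01A3C000),
    ("svchost.exe:1700",  0x00010000, 0x02B10000),
    ("explorer.exe:1200", 0x7C800000, 0x03000000),  # shared DLL page ...
    ("svchost.exe:1700",  0x7C800000, 0x03000000),  # ... mapped in both
]

# Constructed `strings -a -td` output: decimal file offset, then the string.
STRINGS_OUTPUT = """\
4194316 ntoskrnl.exe
27508740 Mozilla/4.0 (compatible; MSIE 6.0)
45154320 http://203.0.113.10:6667/gate.php
50331652 GetProcAddress
99999999 free-page-string
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_strings(text: str) -> List[Tuple[int, str]]:
    """Parse `offset string` lines; anything else is ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2)))
    return rows


def owners_of(phys: int) -> List[Tuple[str, int]]:
    """All (owner, virtual address) pairs whose page contains `phys`."""
    page = phys & ~(PAGE - 1)
    return [(owner, vstart + (phys - pstart))
            for owner, vstart, pstart in MAPPINGS if pstart == page]


def translate(text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each extracted string to its owners; [] means free/unowned."""
    return {s: owners_of(off) for off, s in parse_strings(text)}


if __name__ == "__main__":
    for s, owners in translate(STRINGS_OUTPUT).items():
        where = ", ".join(f"{o} {hex(v)}" for o, v in owners) or "FREE"
        print(f"{where:<52} {s}")
```

The output for the constructed data attributes the C2 URL on port 6667 to the svchost.exe process and shows `GetProcAddress` under both processes, which is what you expect for a page of a shared system DLL; the last string has no owner, matching the checklist's note that strings in freed storage cannot be attributed.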
- [ ] Registry
  - [ ] UserAssist: recently executed programs (with full paths and timestamps)
  - [ ] ShimCache (AppCompatCache): executables the system has seen or run, with their paths and last-modified times
  - [ ] Shellbags: folder browsing activity, including past mounted volumes and directories that have since been deleted
  - [ ] Any auto-run locations? (extract the hives with dumpfiles and load them in Registry Decoder)
  - [ ] Were any new users added recently? (check the LastWriteTime on the users' profile keys)
- [ ] File systems
  - [ ] Scan for MFT records and build a timeline
  - [ ] Were any private documents accessed?
  - [ ] Which files executed recently? (prefetch)
  - [ ] Any new NTFS alternate data streams (ADS)?
  - [ ] Scan for MBRs and look for infections
  - [ ] Cached files: what was being accessed, and by which process(es)?
- [ ] Event logs
  - [ ] Did someone log in recently? Any failed logins? (e.g. brute force)
  - [ ] Are there any tasks scheduled?
  - [ ] Did any applications crash? (indication of heap spray, attempted exploit, etc.)
  - [ ] Were the logs cleared recently?
- [ ] GUI space
  - [ ] Are any processes monitoring the clipboard?
  - [ ] Are there any suspiciously named desktops or windows? (ransomware, fake AV)
  - [ ] Any global message hooks? (particularly those monitoring keystrokes, mouse movements, and general messages)
  - [ ] Is there any data in the clipboard?
- [ ] Examine AV status
  - [ ] Were there any HIPS or AV installed on the system?