Dr. Ali Hadi recently posted another challenge image, this one (#7) being a lot closer to a real-world challenge than some of the CTFs I've seen over the years. What I mean by that is that in the 22+ years I've done DFIR work, I've never had a customer pose more than 3 to 5 questions that they wanted answered, certainly not 51. And I've never had a customer ask me for the volume serial number of the image. Never. So, getting a challenge with a pretty simple and straightforward "ask" (i.e., something bad may have happened; what was it, and when?) was pretty close to real-world.
I'll say that there have been a number of times where, following the answers to those questions, customers would ask more questions...but again, not 37 questions, not 51 questions (like we see in some CTFs). And for the most part, the questions were the same regardless of the customer: once whatever it was had been identified, questions of risk and reporting would come up, was any data taken, and if so, what data?
I worked the case from my perspective and, as promised, posted my findings, along with my case notes and timeline excerpts. I also added a timeline overlay, as well as MITRE ATT&CK mappings (with observables) for the "case".
Jiri Vinopal posted his findings in this tweet thread; I saw the first tweet with the spoiler warning, and purposely didn't pursue the rest of the thread until I'd completed my analysis and posted my findings. Once I posted my findings and went back to the thread, I saw this comment:
"...but it could be Windows server etc..so prefetching could be disabled..."
True, the image could be of a Windows server, but that is pretty trivial to check, as illustrated in figure 1.
Fig 1: RRPro winver.pl plugin output
Checking to see if Prefetching is enabled is pretty simple as well, as illustrated in figure 2.
Fig 2: Prefetcher settings via the System hive
If prefetching were disabled, one would expect that the *.pf files would simply never have been created, rather than several of them being deleted following the installation of the malicious Windows service. The Windows Registry is a hierarchical database that holds, in part, configuration information for the Windows OS and applications, replacing the myriad configuration and .ini files from earlier versions of the OS. A lot of what's in the Registry controls various aspects of the Windows ecosystem, including Prefetching.
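For readers who can't see the two figures, here is the same pair of checks (Windows edition from the SOFTWARE hive, EnablePrefetcher from the SYSTEM hive) as an added script. It is not the RegRipper plugins shown above, and the case data is not included; it assumes the SYSTEM and SOFTWARE hives have been exported from the image and that the third-party python-registry package (import name `Registry`) is installed. The registry paths and the EnablePrefetcher values are the documented ones; everything else (function names, the command-line usage) is this example's own.

```python
"""Check Windows edition and Prefetcher settings from offline SYSTEM/SOFTWARE hives.

Added example, not the RegRipper plugins shown in the post. Hive parsing uses the
third-party python-registry package (pip install python-registry); the decode
logic is plain Python so it can be exercised without a hive on hand.
"""
from typing import Optional

# Real registry locations the winver.pl and prefetch checks rely on.
WINVER_KEY = "Microsoft\\Windows NT\\CurrentVersion"            # SOFTWARE hive
PREFETCH_SUBKEY = ("Control\\Session Manager\\Memory Management\\"
                   "PrefetchParameters")                         # SYSTEM hive, under ControlSetNNN

# Documented EnablePrefetcher values.
PREFETCH_MODES = {
    0: "disabled",
    1: "application launch prefetching only",
    2: "boot prefetching only",
    3: "application launch and boot prefetching",
}


def current_control_set(select_current: int) -> str:
    """Map the SYSTEM\\Select\\Current value to its ControlSetNNN key name."""
    return "ControlSet%03d" % select_current


def describe_prefetch(enable_prefetcher: Optional[int], installation_type: str) -> str:
    """Interpret EnablePrefetcher together with the edition type (Client/Server).

    An absent value is not proof that prefetching is off: the OS default then
    applies, and that default differs between client and server SKUs, so the
    summary says so and points at the Prefetch directory instead of guessing.
    """
    if enable_prefetcher is None:
        return ("EnablePrefetcher value absent; %s SKU default applies, confirm by "
                "looking for *.pf files under \\Windows\\Prefetch" % installation_type)
    mode = PREFETCH_MODES.get(enable_prefetcher, "unknown value %r" % enable_prefetcher)
    return "EnablePrefetcher=%r: %s (%s SKU)" % (enable_prefetcher, mode, installation_type)


def _read_value(reg, key_path: str, name: str):
    """Return one value from an opened hive, or None if the key or value is absent."""
    from Registry import Registry  # third-party; imported lazily so the helpers above stay importable
    try:
        return reg.open(key_path).value(name).value()
    except (Registry.RegistryKeyNotFoundException,
            Registry.RegistryValueNotFoundException):
        return None


def check_hives(system_hive_path: str, software_hive_path: str) -> dict:
    """Read edition and Prefetcher settings from exported hive files."""
    from Registry import Registry  # third-party; imported lazily
    software = Registry.Registry(software_hive_path)
    system = Registry.Registry(system_hive_path)

    product = _read_value(software, WINVER_KEY, "ProductName")
    install_type = _read_value(software, WINVER_KEY, "InstallationType") or "unknown"
    build = _read_value(software, WINVER_KEY, "CurrentBuild")

    # Resolve CurrentControlSet the way the OS does: SYSTEM\Select\Current.
    ccs = current_control_set(_read_value(system, "Select", "Current") or 1)
    enable = _read_value(system, ccs + "\\" + PREFETCH_SUBKEY, "EnablePrefetcher")

    return {
        "product": product,
        "build": build,
        "installation_type": install_type,
        "control_set": ccs,
        "enable_prefetcher": enable,
        "summary": describe_prefetch(enable, install_type),
    }


if __name__ == "__main__":
    import sys
    # usage: python check_prefetch.py <SYSTEM hive> <SOFTWARE hive>
    report = check_hives(sys.argv[1], sys.argv[2])
    for key, val in report.items():
        print("%-18s %s" % (key, val))
```

The point of reading `Select\Current` first is that an image can carry more than one ControlSet; checking ControlSet001 blindly can report the wrong configuration.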
In addition to Jiri's write-up/tweet thread of analysis, Ali Alwashali posted a write-up of his analysis as well. If you've given the challenge a shot, or think you might be interested in pursuing a career in DFIR work, be sure to take a look at the different approaches, give them some thought, and make comments or ask questions.
Remediations and Detections
Jiri shared some remediation steps, as well as some IOCs, which I thought were a great addition to the write-up. These are always good to share from a case; I included the SysInternals.exe hash extracted from the AmCache.hve file, along with a link to the VT page, in my case notes.
What are some detections or threat hunting pivot points we can create from these findings? For many orgs, looking for new Windows service installations via detections or hunting will simply be too noisy, but monitoring for modifications to the hosts file (%SystemRoot%\System32\drivers\etc\hosts on Windows) might be something useful, not just as a detection, but for hunting and for DFIR work.
Has anyone considered writing Yara rules for the malware found during their investigation of this case? Are there any other detections you can think of, for either EDR or a SIEM?
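As an added example of the hosts-file pivot (not code from the post, and not built from the challenge's own IOCs), the script below triages a hosts file collected from a host or an image. A stock Windows hosts file contains only comment lines, so every active mapping is a deviation worth explaining; the two classes it flags are names pinned to loopback or 0.0.0.0 (sinkholing, used to block updates or security vendors) and names pinned to any other address (redirection). The sample file, host names and addresses are constructed for the example.

```python
"""Triage active entries in a Windows hosts file.

Added example, not code from the post. Input is the text of
%SystemRoot%\\System32\\drivers\\etc\\hosts (or /etc/hosts on other platforms);
the sample below is constructed and uses documentation/example addresses.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: the first five lines mimic the stock Microsoft file,
# the remaining four are the kind of additions an intruder might make.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#    127.0.0.1       localhost
#    ::1             localhost
::1          localhost
127.0.0.1    update.example.com            # constructed: blocks an update host
0.0.0.0      www.securityvendor.example    # constructed: blocks a vendor site
203.0.113.7  login.example.com             # constructed: TEST-NET-3 address
"""

# Names for which a loopback mapping is normal rather than suspicious.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def classify(addr: str, names: List[str]) -> Optional[str]:
    """Return a verdict for one active hosts entry, or None if it is benign."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"          # not a valid address at all; still worth a look
    if ip.is_loopback or ip.is_unspecified:
        # Loopback/0.0.0.0 for localhost-style names is expected; for any other
        # name it silently prevents that name from resolving.
        return None if all(n.lower() in LOCAL_NAMES for n in names) else "sinkholed"
    return "redirected"               # name hard-wired to some other address


def hunt_hosts(text: str) -> List[Dict]:
    """Return findings (line number, address, names, verdict) for active entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        active = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not active:
            continue
        fields = active.split()
        addr, names = fields[0], fields[1:]
        verdict = classify(addr, names)
        if verdict:
            findings.append({"line": lineno, "address": addr,
                             "names": names, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in hunt_hosts(SAMPLE_HOSTS):
        print("line %(line)d: %(verdict)s %(address)s -> %(names)s" % f)
```

For live detection the same idea applies at the file level: a write to that path is rare enough on most fleets that file-integrity or EDR file-modification telemetry on it is low-noise, and the triage above tells you whether the change matters.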
Lessons Learned
One of the things I really liked about this particular challenge is that, while the incident occurred within a "compressed" timeframe, it did provide several data sources that allowed us to illustrate where various artifacts fit within a "program execution" constellation. If you look at the various artifacts...UserAssist, the BAM key, and even ShimCache and AmCache artifacts...they're all separated in time, but come together to build out an overall picture of what happened on the system. By looking at the artifacts together, in a constellation or in a timeline, we can see the development and progression of the incident, and then by adding in malware RE, the additional context and detail will build out an even more complete picture.
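To make the "constellation" concrete, here is an added example (not the author's tools, and not the challenge's data) that takes one record from each of the artifacts named above plus a Prefetch last-run time, normalises their timestamps, and emits them as a five-field TLN timeline (time|source|host|user|description). The records, the host name, the user name and the executable path are constructed; the FILETIME values were generated for the example. The UserAssist value name is ROT13-encoded as it is in the Registry, and the ShimCache line is labelled for what its timestamp actually is.

```python
"""Build a TLN-style timeline from program-execution artifacts.

Added example, not the author's tools or case data. The artifact records are
constructed; the executable name and host/user names are hypothetical.
"""
import codecs
from datetime import datetime, timedelta, timezone
from typing import Dict, List

EPOCH_DIFF = 11644473600   # seconds between 1601-01-01 and 1970-01-01
HOST = "WORKSTATION01"      # constructed


def filetime_to_epoch(ft: int) -> int:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> Unix epoch seconds."""
    return ft // 10_000_000 - EPOCH_DIFF


def epoch_to_iso(ts: int) -> str:
    """Unix epoch seconds -> readable UTC string, for the analyst's eyes only."""
    return (datetime(1970, 1, 1, tzinfo=timezone.utc)
            + timedelta(seconds=ts)).strftime("%Y-%m-%d %H:%M:%SZ")


def userassist_name(value_name: str) -> str:
    """UserAssist value names are stored ROT13-encoded."""
    return codecs.decode(value_name, "rot_13")


# Constructed records, one per artifact, for the hypothetical C:\Temp\tool.exe.
ARTIFACTS: List[Dict] = [
    # ShimCache: the timestamp is the file's last-modified time, not execution.
    {"source": "ShimCache", "user": "-", "filetime": 133182609000000000,
     "desc": "C:\\Temp\\tool.exe (file mtime; presence only)"},
    # AmCache: first-seen time; the hash lives in the same entry.
    {"source": "AmCache", "user": "-", "filetime": 133182611100000000,
     "desc": "C:\\Temp\\tool.exe first seen (SHA1 recorded in AmCache.hve)"},
    # BAM: last-execution time keyed by user SID; user resolved from the SID.
    {"source": "BAM", "user": "user1", "filetime": 133182612000000000,
     "desc": "C:\\Temp\\tool.exe last run"},
    # UserAssist: value name is ROT13; run count and last-run time in the data.
    {"source": "UserAssist", "user": "user1", "filetime": 133182612020000000,
     "rot13_name": "P:\\Grzc\\gbby.rkr", "run_count": 1},
    # Prefetch: last-run time from the *.pf file (name hash omitted here).
    {"source": "Prefetch", "user": "-", "filetime": 133182612030000000,
     "desc": "TOOL.EXE-*.pf last run"},
]


def describe(rec: Dict) -> str:
    """Render one artifact record's description field."""
    if rec["source"] == "UserAssist":
        return "%s run count %d" % (userassist_name(rec["rot13_name"]), rec["run_count"])
    return rec["desc"]


def build_timeline(records: List[Dict]) -> List[str]:
    """Return TLN lines (time|source|host|user|description) sorted by time."""
    events = []
    for rec in records:
        ts = filetime_to_epoch(rec["filetime"])
        events.append((ts, rec["source"], "%d|%s|%s|%s|%s"
                       % (ts, rec["source"], HOST, rec["user"], describe(rec))))
    return [line for _, _, line in sorted(events)]


if __name__ == "__main__":
    for line in build_timeline(ARTIFACTS):
        print(epoch_to_iso(int(line.split("|", 1)[0])), line)
```

Laid out this way the sequence reads as the post describes it: the file exists (ShimCache mtime), it is inventoried (AmCache), then a user runs it (BAM, UserAssist) and the Prefetch file records the launch. Each source alone is ambiguous; together, in one sorted list, they are not.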
Conclusions
A couple of thoughts...
DFIR work is a team effort. Unfortunately, over the years, the "culture" of DFIR has developed into a bit of a "lone wolf" mentality. We all have different skill sets, to different degrees, as well as different perspectives, and bringing those to bear is the key to truly successful work. The best (and I mean, THE BEST) DFIR work I've done during my time in the industry has been when I've worked as part of a team that's come together, leveraging specific skill sets to truly deliver high-quality analysis.
Thanks
Thanks to Dr. Hadi for providing this challenge, and thanks to Jiri for stepping up and sharing his analysis!