Threat Hunting
Professional
Hunting Malware
Section 03 | Module 03
© Caendra Inc. 2020
All Rights Reserved
Table of Contents
MODULE 03 | HUNTING MALWARE
3.1 Introduction
3.2 Detection Tools
3.3 Detection Techniques
3.4 Memory Analysis
3.5 Malware Analysis
THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.2
Learning Objectives
By the end of this module, you should have a better
understanding of:
✓ Malware detection tools
✓ Malware detection techniques
✓ Memory hunting and analysis
✓ The importance of malware analysis
3.1 Introduction
Malware is not going anywhere anytime soon. Malware
authors use various tools and techniques to remain
undetected for as long as possible.
We also need various tools and techniques to hunt for
them.
3.1 Introduction
We are hunting for malware in various locations:
• Hiding in plain sight
• Injected into other processes
• In files (macros, for example)
• In email attachments
• In memory (known as Fileless malware)
• Etc.
3.1 Introduction
The tools presented in this module are by no means an
exhaustive list, but remember, you’re being trained to hunt
and to take a proactive approach.
This module will reveal that there are tools available to aid
you in your hunts.
3.2 Detection Tools
In this section, we will look at various tools that will aid us
in hunting for malware in our networks.
Whether it’s a Meterpreter session or a DLL injection, we
should have a plethora of tools at our disposal when we’re
hunting for specific attack signatures.
3.2.1 Detection Tools – PE Capture
NoVirusThanks’ PE Capture tool captures PE files
(executables, DLLs, and drivers) loaded into the operating
system. Any loaded executable (PE, EXE, etc.) is displayed
within the GUI, and a copy is saved in the Intercepted folder
for further analysis.
The copied file is named as the hash value of the file.
Additionally, the tool will log execution events to help you
easily find a specific PE file that was previously captured.
You can download the tool here.
http://www.novirusthanks.org/products/pe-capture/
3.2.1 Detection Tools – PE Capture
PE Capture is also available in a service-only version.
• This will allow you to install it on multiple PCs.
• It does not have a GUI.
• The program is free for personal use only. You can
read more about the tool, and/or download the tool
here.
http://www.novirusthanks.org/products/pe-capture-service/
3.2.1 Detection Tools – PE Capture
Viewing the screenshot on the right, we can see the suspicious DLL loaded in memory. The GUI shows us the path of the DLL as well as the hash.
We can now look into the Intercepted folder, or the Logs folder, to see what information is saved for us.
3.2.1 Detection Tools – PE Capture
In the File menu, we can either choose Open “Intercepted” Folder
or Open “Logs” Folder.
You can now analyze the exported file to see if it is benign or
malicious.
3.2.1 Detection Tools – PE Capture
Based on the indicators shown below, we can already
confirm that this is malicious.
3.2.1 Detection Tools – PE Capture
Reviewing the logs is useful to determine what was loaded onto the system earlier that day. You might catch something that you didn’t know was loaded, since the GUI is displaying information in real time.
3.2.2 Detection Tools – ProcScan.rb
ProcScan, which is written in Ruby, can be used to scan
process memory looking for code injection. Unfortunately, it
only works for 32-bit systems and applications and does not
support 64-bit systems or applications. You can download the
tool here.
To run the tool, type the following command: ruby ProcScan.rb
https://github.com/abhisek/RandomCode/tree/master/Malware/Process
3.2.2 Detection Tools – ProcScan.rb
Here is the output of the command if it finds code injection:
3.2.2 Detection Tools – ProcScan.rb
The tool is alerting us that there is possible code injection
within thread id 2516 of the rundll32 process.
Unfortunately, the tool doesn’t give us the PID within the
same output, but this can easily be obtained using
PowerShell.
3.2.2 Detection Tools – ProcScan.rb
Simply type get-process or ps (alias) to retrieve a list of the
processes running on the system.
3.2.2 Detection Tools – ProcScan.rb
You can also confirm the thread id of the process using
PowerShell.
You can use the following command, which prints each process name followed by its thread IDs, one per indented line:
ps | % { $_.Name; $_.Threads | % { "`t{0}" -f $_.Id } }
3.2.3 Detection Tools – Meterpreter Payload
Detection
The next tool is called Meterpreter Payload Detection. As
the name of the tool implies, it will scan all the running
processes on the system to detect Meterpreter.
You can download the tool here.
https://github.com/DamonMohammadbagher/Meterpreter_Payload_Detection
3.2.3 Detection Tools – Meterpreter Payload
Detection
You run the tool by simply executing the binary from an
elevated command prompt.
3.2.3 Detection Tools – Meterpreter Payload
Detection
Similar to PE Capture, it’s a live capture, so the tool will
continually run and alert you of a Meterpreter session in
memory, as long as that Meterpreter session is active.
3.2.3 Detection Tools – Meterpreter Payload
Detection
Here is the output from the tool if it detects a running
Meterpreter session in memory.
3.2.3 Detection Tools – Meterpreter Payload
Detection
NOTE: Don’t be confused by the Thread ID displayed in the
output. This process is not the same as the one shown in
the PE Capture snapshots.
3.2.4 Detection Tools – Reflective Injection Detection
This tool was created to detect reflective DLL injections
running in memory by looking for a PE header. The program
also dumps what it finds concerning the injected process,
as well as other unlinked executable pages to the root
folder.
You can download the tool here.
https://github.com/papadp/reflective-injection-detection
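Looking for a PE header in process memory, as the tool above does, comes down to finding an ‘MZ’ DOS header whose e_lfanew field points at a valid ‘PE\0\0’ signature. The Python below is an added example (not the tool’s code, and not Find-ProcessPEs); it scans a constructed byte buffer that stands in for memory read out of a process, and the e_lfanew upper bound is a heuristic assumed here.

```python
import struct

MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def find_pe_headers(region: bytes, base: int = 0) -> list:
    """Return one dict per validated PE header found in `region`.

    A bare 'MZ' with no consistent PE signature behind it (a string, random
    bytes) is skipped, which keeps the candidate list small enough to dump
    and inspect by hand, as the detection tools on this page do."""
    hits = []
    pos = region.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(region):
            e_lfanew = struct.unpack_from("<I", region, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Sanity bounds (assumed heuristic): the PE signature must lie after
            # the DOS header, reasonably close to it, inside the region, and
            # leave room for the 20-byte file header plus the optional Magic.
            if (0x40 <= e_lfanew < 0x1000 and pe + 26 <= len(region)
                    and region[pe:pe + 4] == b"PE\0\0"):
                machine, nsections, _ts, _sym, _nsym, _optsz, chars = \
                    struct.unpack_from("<HHIIIHH", region, pe + 4)
                magic = struct.unpack_from("<H", region, pe + 24)[0]
                hits.append({
                    "address": base + pos,
                    "machine": MACHINES.get(machine, hex(machine)),
                    "sections": nsections,
                    "is_dll": bool(chars & IMAGE_FILE_DLL),
                    "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
                })
        pos = region.find(b"MZ", pos + 1)
    return hits


def build_fake_pe_header(machine: int, nsections: int, is_dll: bool) -> bytes:
    """Constructed DOS header + PE file header + optional-header Magic only.

    Enough for the scanner to validate; it is not a loadable image."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    chars = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)
    magic = 0x20B if machine == 0x8664 else 0x10B
    file_hdr = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0xF0, chars)
    return dos + b"PE\0\0" + file_hdr + struct.pack("<H", magic)


def sample_region() -> bytes:
    """Constructed 'memory region': filler bytes, a stray 'MZ' inside a text
    string (no PE behind it), then a fake 64-bit DLL header at offset 630."""
    filler = bytes(range(256)) * 2           # 512 bytes, contains no 'MZ' pair
    decoy = b"MZ appears in text too" + b"\0" * 0x60   # 118 bytes
    header = build_fake_pe_header(0x8664, 3, True)
    return filler + decoy + header + b"\0" * 32


if __name__ == "__main__":
    for hit in find_pe_headers(sample_region(), base=0x7FF600000000):
        print(hit)
```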
3.2.4 Detection Tools – Reflective Injection Detection
You run the tool by simply running the binary from an
elevated command prompt.
3.2.4 Detection Tools – Reflective Injection Detection
You may recall from the output from Meterpreter Payload
Detection that the process with a running Meterpreter
session is PID 3808.
The Reflective Injection Detection tool successfully alerts
us about this rundll32 process.
3.2.4 Detection Tools – Reflective Injection Detection
If we navigate to the root folder of the tool, we will find everything the tool dumped for us, so we can further analyze the artifacts.
Each of the files is named after the PID. This will allow us to easily correlate the file with its process.
You may also notice how the files dumped from process 3808 indicate that ‘MZ’ was found by listing that information within the name of the dump.
3.2.5 Detection Tools – PowerShell Arsenal
“PowerShellArsenal is a PowerShell module used to aid a
reverse engineer. The module can be used to disassemble
managed and unmanaged code, perform .NET malware
analysis, analyze/scrape memory, parse file formats and
memory structures, obtain internal system information, etc.”
https://github.com/mattifestation/PowerShellArsenal
3.2.5 Detection Tools – PowerShell Arsenal
Remember that with the previous tool, Reflective Injection
Detection, the output gives us the base address and the
PID.
To link the output from that tool and the output from
PowerShell Arsenal, we will run Reflective Injection
Detection again and capture the output. Afterward, we will
run the cmdlet Find-ProcessPEs from PowerShell Arsenal.
3.2.5 Detection Tools – PowerShell Arsenal
Output from Reflective Injection Detection
The suspicious process is PID 3624 and we see 4 base
addresses displayed in the output. Now, let's run
Find-ProcessPEs and compare the output.
3.2.5 Detection Tools – PowerShell Arsenal
In this case, the syntax is: Find-ProcessPEs -ProcessID 3624
3.2.5 Detection Tools – PowerShell Arsenal
We see that Find-ProcessPEs also gives us the same information as far as the base address, but this cmdlet also gives us a bit more.
3.2.5 Detection Tools – PowerShell Arsenal
Here we can see detailed output for the next detected PE.
3.2.6 Detection Tools – Get-InjectedThread.ps1
This PowerShell tool can aid you on the hunt to detect code
injection. It scans the active threads on the system,
retrieves each thread's start address (using functions such
as NtQueryInformationThread), and flags the thread as
injected if that start address lies in executable memory
that is not backed by an image file on disk.
You can download the script here.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684283(v=vs.85).aspx
https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
3.2.6 Detection Tools – Get-InjectedThread.ps1
We will run this tool against the same suspicious process, rundll32 (PID 3624).
We recommend you conduct independent research to fully understand the output from this tool.
3.3 Detection Techniques
In this section, we will discuss various techniques to hunt
for malware within your network.
Malware authors will try various techniques to ensure that
their malware remains undetected. Most of the time,
however, the malware in the wild is reused from other
malware. This reused malware might be recompiled using a
different compiler or modified to remove/add different
functionality. In either case, there are techniques to aid us
in this hunt.
3.3 Detection Techniques
We will also look at:
• Fuzzy hashing and import hashing detection techniques
to hunt for malware that is reused and is part of an
already defined malware family.
• How to detect malware that was already executed on a
machine and to correlate various actions that took place
on the machine near the time of execution.
3.3.1 Detection Techniques – Fuzzy Hashing
Fuzzy Hashing is a technique where a program, such as
SSDeep, computes context triggered piecewise hashes
(CTPH). This technique:
• Can match inputs that have sequences of identical bytes
in the same order, although bytes in between the
sequences may be different in both content and length.
• Will divide the file into smaller pieces and examine those
smaller pieces rather than the file as a whole.
https://ssdeep-project.github.io/ssdeep/index.html
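To make the two bullets concrete, here is a simplified CTPH in Python, added here and not ssdeep’s own code. Block-size selection, the rolling-hash trigger that ends a piece, the per-piece hash and the edit-distance score follow ssdeep’s scheme; the rolling hash itself, the use of a single block size and the exact score formula are simplifications assumed by this example, and the inputs are constructed.

```python
import random

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MIN_BLOCKSIZE = 3       # smallest block size, as in ssdeep
SPAMSUM_LENGTH = 64     # maximum signature length, as in ssdeep
WINDOW = 7              # bytes of context that decide where a piece ends
FNV_INIT, FNV_PRIME = 0x811C9DC5, 0x01000193


def _rolling(window: bytes) -> int:
    """Hash of the last WINDOW bytes only (simplified rolling hash), so a
    piece boundary depends on local context and re-synchronises a few
    bytes after any modification instead of shifting every later piece."""
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h


def _block_size(length: int) -> int:
    """Smallest block size that fits the input into SPAMSUM_LENGTH pieces."""
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < length:
        bs *= 2
    return bs


def fuzzy_hash(data: bytes) -> str:
    """Return 'blocksize:signature'. A piece ends whenever the rolling hash
    hits the trigger value; each piece is FNV-1a hashed and its low 6 bits
    become one base64 character of the signature."""
    bs = _block_size(len(data))
    sig, h = [], FNV_INIT
    for i, byte in enumerate(data):
        h = ((h ^ byte) * FNV_PRIME) & 0xFFFFFFFF
        if _rolling(data[max(0, i - WINDOW + 1):i + 1]) % bs == bs - 1:
            if len(sig) < SPAMSUM_LENGTH - 1:
                sig.append(B64[h & 63])
            h = FNV_INIT
    if h != FNV_INIT:                       # the final, untriggered piece
        sig.append(B64[h & 63])
    return f"{bs}:{''.join(sig)}"


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _has_common_substring(a: str, b: str, n: int = 7) -> bool:
    """ssdeep scores two signatures only if they share a run of n identical
    characters; this is what keeps unrelated inputs at 0 rather than at a
    random low score."""
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))


def compare(h1: str, h2: str) -> int:
    """Similarity 0..100 between two fuzzy hashes. Simplification: ssdeep
    also compares across the doubled block size; here they must match."""
    bs1, s1 = h1.split(":", 1)
    bs2, s2 = h2.split(":", 1)
    if bs1 != bs2:
        return 0
    if s1 == s2:
        return 100
    if not _has_common_substring(s1, s2):
        return 0
    return max(0, 100 - (100 * _levenshtein(s1, s2)) // (len(s1) + len(s2)))


def sample_inputs():
    """Constructed inputs: a 4000-byte 'binary', the same binary with 200
    bytes patched in the middle, and an unrelated file of the same size."""
    rng = random.Random(1)
    original = bytes(rng.getrandbits(8) for _ in range(4000))
    patch = bytes(rng.getrandbits(8) for _ in range(200))
    patched = original[:1900] + patch + original[2100:]
    unrelated = bytes(rng.getrandbits(8) for _ in range(4000))
    return original, patched, unrelated


if __name__ == "__main__":
    original, patched, unrelated = sample_inputs()
    h = fuzzy_hash(original)
    print(h)
    print("patched  :", compare(h, fuzzy_hash(patched)))    # expected: well above 50
    print("unrelated:", compare(h, fuzzy_hash(unrelated)))  # expected: 0
```

Only the pieces overlapping the patched 200 bytes change their character, so the patched variant still scores high while the unrelated file shares no 7-character run and scores 0.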
3.3.1 Detection Techniques – Fuzzy Hashing
Virus Total uses SSDeep, which performs fuzzy hashing, against files that are
uploaded to the platform. The output from SSDeep is displayed when the
analysis of the uploaded file has completed.
3.3.1 Detection Techniques – Fuzzy Hashing
You can read more about this technique in a paper released
by the Digital Forensic Research Workshop here. You can
also read about an example usage of SSDeep here.
SSDeep is available on GitHub, here.
http://dfrws.org/sites/default/files/session-files/paper-identifying_almost_identical_files_using_context_triggered_piecewise_hashing.pdf
https://dfir.science/2017/07/How-To-Fuzzy-Hashing-with-SSDEEP-(similarity-matching).html
https://github.com/ssdeep-project/ssdeep
3.3.2 Detection Techniques – Import Hashing
The “imphash” technique was coined by Mandiant, and it is yet another
technique implemented by Virus Total. It’s part of the output report displayed
when a sample has been analyzed, similar to SSDeep.
3.3.2 Detection Techniques – Import Hashing
“One unique way that Mandiant tracks specific threat groups'
backdoors is to track portable executable (PE) imports.
Imports are the functions that a piece of software (in this
case, the backdoor) calls from other files (typically various
DLLs that provide functionality to the Windows operating
system). To track these imports, Mandiant creates a hash
based on library/API names and their specific order within
the executable. We refer to this convention as an "imphash"
(for "import hash").”
http://blog.virustotal.com/2014/02/virustotal-imphash.html
3.3.2 Detection Techniques – Import Hashing
“Because of the way a PE's import table is generated (and
therefore how its imphash is calculated), we can use the
imphash value to identify related malware samples. We can
also use it to search for new, similar samples that the same
threat group may have created and used.”
You can read more about this technique here and an open
source tool to generate PE Import Hashes here.
https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
https://github.com/Neo23x0/ImpHash-Generator
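As an added example (not Mandiant’s or VirusTotal’s code, and not the ImpHash-Generator linked above), the imphash computation below is applied to constructed import tables. In practice the import list comes from a PE parser such as pefile, whose pe.get_imphash() implements the same algorithm; the ordinal table here is a small subset of the one such parsers ship, and the three sample tables are constructed.

```python
import hashlib
from collections import defaultdict

# Imports by ordinal carry no name, so the algorithm maps well-known ordinals
# back to names. Constructed subset of the ws2_32/wsock32 table pefile ships;
# anything not listed becomes "ordN", as pefile does.
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
               16: "recv", 19: "send", 23: "socket", 115: "WSAStartup"},
}
ORDINAL_NAMES["wsock32"] = ORDINAL_NAMES["ws2_32"]


def _library_name(dll: str) -> str:
    """Lowercase the DLL name and drop a .dll/.ocx/.sys extension."""
    name = dll.lower()
    base, _, ext = name.rpartition(".")
    return base if base and ext in ("dll", "ocx", "sys") else name


def normalize_imports(imports) -> str:
    """Build the comma-joined 'library.function' list that gets hashed.

    `imports` is [(dll_name, [function_name_or_ordinal, ...]), ...] in the
    order the entries appear in the PE import directory; order matters."""
    parts = []
    for dll, functions in imports:
        lib = _library_name(dll)
        for func in functions:
            if isinstance(func, int):
                func = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
            parts.append(f"{lib}.{func}".lower())
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import list: the imphash."""
    return hashlib.md5(normalize_imports(imports).encode("utf-8")).hexdigest()


def cluster_by_imphash(samples: dict) -> dict:
    """Group sample names by imphash; samples sharing a hash share an import
    table layout and are candidates for the same family or build chain."""
    groups = defaultdict(list)
    for name, imports in samples.items():
        groups[imphash(imports)].append(name)
    return dict(groups)


# Constructed import tables standing in for three analysed samples.
SAMPLE_A = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA", "VirtualAlloc"]),
    ("WS2_32.dll", [23, 4, "WSAStartup"]),   # socket and connect by ordinal
    ("USER32.dll", [2000]),                   # ordinal not in the table
]
# Same imports in the same order, only the DLL-name casing differs (a rebuild
# with another toolchain): the imphash must be identical.
SAMPLE_B = [
    ("kernel32.DLL", ["GetProcAddress", "LoadLibraryA", "VirtualAlloc"]),
    ("ws2_32.DLL", [23, 4, "WSAStartup"]),
    ("user32.DLL", [2000]),
]
# Same functions in a different order: a different import table, so a
# different hash, even though the functionality is the same.
SAMPLE_C = [
    ("WS2_32.dll", [23, 4, "WSAStartup"]),
    ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]),
    ("USER32.dll", [2000]),
]

if __name__ == "__main__":
    print(normalize_imports(SAMPLE_A))
    clusters = cluster_by_imphash({"a": SAMPLE_A, "b": SAMPLE_B, "c": SAMPLE_C})
    for digest, names in clusters.items():
        print(digest, names)
```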
3.3.3 Detection Techniques – Execution Tracing
If you’re familiar with forensics, then you know about the
ShimCache. The Windows ShimCache was created to track
compatibility issues with executed programs and stores
various file metadata. You can read more about the
ShimCache here.
Five years ago, Mandiant released a tool called
ShimCacheParser to gather this metadata within Windows
machines to aid them in their investigations. The tool can
be downloaded here.
https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html
https://github.com/mandiant/ShimCacheParser
3.3.3 Detection Techniques – Execution Tracing
This year, they released an updated tool called AppCompatProcessor, and it
contains some analytics to look at the execution trace artifacts obtained from
AppCompat / AmCache metadata.
3.3.3 Detection Techniques – Execution Tracing
You can read more about how this tool can be used to
detect Temporal Execution Correlation, Time Stacking, etc.,
here.
You can also download the tool from GitHub here.
https://www.fireeye.com/blog/threat-research/2017/04/appcompatprocessor.html
https://github.com/mbevilacqua/appcompatprocessor
3.4 Memory Analysis
Traditional file-system detection techniques are highly
unreliable when dealing with memory-resident malware, and
therefore it is necessary to perform Memory analysis to
detect malware, and also to understand what the purpose
and capabilities of the malware are.
3.4 Memory Analysis
Memory forensics can provide unprecedented visibility into
the run-time state of a system. It is possible to extract
which processes were running, open network connections,
and recently executed commands in a manner that is
independent of the system. This will reduce the chance of
sophisticated malware (rootkits for example) interfering
with the results by, for example, modifying them. Moreover,
it is likely that critical data exists in memory, such as
encryption keys and memory-resident injected code
fragments.
3.4 Memory Analysis
Malware often performs injection or system manipulation
directly in memory to avoid detection. Some of the
techniques often employed, which we'll discuss later are:
• Shellcode injection
• DLL and Reflective DLL injection
• Process hollowing
• API hooking
• Gargoyle
3.4 Memory Analysis
However, before an analyst can analyze the memory, it
needs to be acquired (also referred to as dumped, meaning
a 1:1 mapping of physical memory to a file, called a
memory image) first.
There are two approaches for acquiring memory from a
physical device:
• Hardware acquisition
• Software acquisition
3.4 Memory Analysis
Hardware acquisition has the advantage of being more
resilient against rootkit modification. It communicates
directly with the memory controller, without going through
the OS, which you may not be able to trust in the case of a
compromised system. Hardware acquisition requires a PCI
card to be installed to perform the acquisition.
3.4 Memory Analysis
Software acquisition is used to acquire the object at
\Device\PhysicalMemory (essentially the Windows
memory manager’s view of the system). A software tool
maps that object and reads its content, which requires
kernel mode access. Among the requirements for a stable
tool are: OS support, memory footprint, the ability to
capture reserved sections without crashing the system,
and output file support.
3.4 Memory Analysis
A drawback of using a software solution is that it will
always require process and kernel memory (for itself), as it
needs to execute and will therefore overwrite possible
evidence. Another drawback is that software solutions are
vulnerable to the previously mentioned rootkit modification
attacks.
3.4 Memory Analysis
Some of the non-commercial tools available are FTK
Imager, DumpIt, and MAGNET RAM Capture.
https://accessdata.com/product-download/ftk-imager-version-4-2-0
https://my.comae.com/
https://www.magnetforensics.com/resources/magnet-ram-capture/
3.4 Memory Analysis
Memory can always be acquired from virtual machines.
Some of the VM vendors provide the physical memory file
directly if the guest OS has been suspended, or in a
snapshot (such as VMware in a .vmem file). Sometimes,
additional user interaction is required to generate a memory
image, often performed in debugging mode (VirtualBox).
Furthermore, memory dumps can be created from a system
crash file, hibernation file, and more.
3.4 Memory Analysis
Before jumping into analysis mode, we need to outline what
it is that we flag as suspicious on a generic level.
3.4 Memory Analysis
When identifying anomalies in processes, we are interested in:
• Image name - Legitimate process? Spelled correctly?
• Full Path - Appropriate path for system executable? Running
from a user or a temp directory?
• Parent process - Is the parent process what you would
expect?
• Command line - Do the arguments make sense?
• Start time - Was the process started at boot?
• Security identifier - Do the security identifiers make sense?
Why would a system process use a user account SID?
3.4 Memory Analysis
When identifying anomalies in network activity, we are
interested in:
• Any process communicating over port 80, 443, or 8080
that is not a web browser
• Any browser not communicating over port 80, 443, or
8080
• Connections to unexplained internal or external IP
addresses
3.4 Memory Analysis
When identifying anomalies in network activity, we are
interested in (CONTINUED):
• Web requests directly to an IP addresses rather than a
domain name
• RDP connections (port 3389), especially if originating
from odd IP addresses (e.g. a static IP address assigned
to a printer)
• Why does this process have network capability?
• DNS requests for unusual domain names
3.4 Memory Analysis
Moreover, other anomalies are:
• Unlinked processes
• Loaded suspicious DLLs
• Unlinked network connections
• Unmapped memory pages with execute privileges (code
injection)
• Hooked API functions
• Known bad heuristics and signatures (e.g. YARA
signatures).
3.4 Memory Analysis
Memory analysis is performed through the use of tools
specifically designed for that purpose. Within this section,
we’ll look at these tools that will aid us in it:
• Mandiant’s (FireEye) Redline
• Volatility
• Get-InjectedThread.ps1
• Memdump
https://www.fireeye.com/services/freeware/redline.html
https://github.com/volatilityfoundation/volatility
https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
https://github.com/marcosd4h/memhunter
3.4.1 Memory Analysis - Redline
Redline is FireEye's free endpoint security tool that provides
host investigative capabilities to find signs of malicious
activity through memory and file analysis.
You can download Redline here.
https://www.fireeye.com/services/freeware/redline.html
3.4.1 Memory Analysis - Redline
With Redline, you can:
• Thoroughly audit and collect all running processes and
drivers from memory, file-system metadata, registry data,
event logs, network information, services, tasks and web
history.
• Perform Indicators of Compromise (IOC) analysis.
Supplied with a set of IOCs, the Redline Portable Agent is
automatically configured to gather the data required to
perform the IOC analysis and an IOC hit results review.
3.4.1 Memory Analysis - Redline
Redline is a GUI-based tool. We can create portable agents that can gather a live memory capture of a computer system or many systems. We can also perform an IOC scan against the memory file.
We can also load a memory image and load saved Redline sessions (MANs files).
3.4.1 Memory Analysis - Redline
This tool automates the anomaly detection process and
gives a quick overview of a particular machine’s memory to
detect rogue processes, injections, rootkits, etc. using the
MRI Score Index. Although not always accurate, Redline can
still point you in the right direction with your analysis.
The next screenshot will show you the Redline interface
along with an explanation as to what MRI Scores are.
3.4.1 Memory Analysis - Redline
Redline interface screenshots: Processes View; Hierarchical Processes View; Processes > Handles; Processes > Memory Sections; Processes > Strings; Processes > Ports.
3.4.1 Memory Analysis - Redline
Again, Redline is good to get a quick look at a machine’s
memory. This process is known as triaging. When you
triage, you’re getting a 30,000 foot view of what is going on.
If something is detected as malicious by Redline, then you
can take a closer examination with a more advanced tool,
such as Volatility.
3.4.1.1 Redline Video #1
Check out the video on Redline – Create Standard Collector!
To ACCESS your video, go to the course in your members area and click the resources drop-down in the appropriate module line.
Note that all videos are only available in Full or Elite Editions of the course.
To upgrade, click LINK.
3.4.1.2 Redline Video #2
Check out the video on Redline – Basic Usage!
3.4.1.3 Redline Video #3
Check out the video on Redline – Create Analysis File!
3.4.1.4 Redline Video #4
Check out the video on Redline – Detecting Code Injection!
3.4.2 Memory Analysis - Volatility
“The Volatility Framework is a completely open collection of
tools, implemented in Python under the GNU General Public
License, for the extraction of digital artifacts from volatile
memory (RAM) samples. The extraction techniques are
performed completely independent of the system being
investigated but offer visibility into the runtime state
of the system.” – Volatility on GitHub
https://github.com/volatilityfoundation/volatility
3.4.2 Memory Analysis - Volatility
Volatility is not as user friendly as Redline, but is definitely
an excellent tool that is worth learning and getting
comfortable with. Volatility will be able to detect malicious
activity that Redline might miss.
3.4.2 Memory Analysis - Volatility
Volatility is available for Windows, Linux, and Mac OS and is
written purely in Python. In order to perform an analysis in
Volatility, we need to specify three parameters:
• Memory dump file
• OS Profile
• Plugin (also called Module)
3.4.2 Memory Analysis - Volatility
An Operating System profile is required because each
version of an Operating System has different definition and
implementation of memory objects, so this tells Volatility
how to treat the memory image in order to find data
structures in it.
By default, Volatility comes with all existing Windows
profiles from Windows XP to Windows 10.
3.4.2 Memory Analysis - Volatility
The plugin is the payload of the command. It tells Volatility
what we are looking for in the memory image.
Currently, Volatility supports over 200 plugins by default,
and the analyst has the opportunity to extend Volatility’s
capabilities by developing custom plugins. Some of the
plugins are shown on the next slide.
3.4.2 Memory Analysis - Volatility
As mentioned, before starting the analysis, Volatility
requires the OS version to be specified as a command line
argument.
Oftentimes, as an analyst, you would know that, but in the
cases you don't, a helpful plugin is "imageinfo", which
identifies (to the best of its capabilities) the OS version
from the memory dump itself, as shown on the next slide.
3.4.2 Memory Analysis - Volatility
When the plugin finishes executing, Volatility presents us
back with a list of potential OS profiles, sorted by the most
likely one.
In this example, the profile is "Win10x64_17134". Armed
with the profile, we can continue and begin the analysis.
3.4.2 Memory Analysis - Volatility
One of the basic functions of Volatility is to list the
processes running on the system with the plugin "pslist". In
order to locate processes with "pslist", Volatility walks the
doubly-linked list that keeps track of the processes in
memory and displays them back to the user. This is the
equivalent of the process list in Task Manager on a
running Windows system.
3.4.2 Memory Analysis - Volatility
Note that the output may include information on processes
that have already terminated, which includes their exit time.
This can be particularly useful in cases where a process,
such as cmd.exe, is used to start a malicious executable
and exits afterwards.
An example of this plugin is shown on the next slide.
3.4.2 Memory Analysis - Volatility
Malware, specifically rootkits, often tries to hide its existence by
unlinking itself from this list (amongst other techniques), in
which case the process will not be shown in the output by pslist.
Fortunately, in memory, we can locate processes by other means,
such as searching through the memory dump and finding data
structures that match that of an "_EPROCESS", the representative
structure of a process in memory. By doing so, we can identify
even hidden processes. For this purpose, we have at our disposal
the plugin "psscan".
3.4.2 Memory Analysis - Volatility
"Psscan" scans the entire memory dump and reports on any
identified objects that have the structure of an _EPROCESS.
In some cases, this plugin may return false positives, and
also processes that have finished execution some time ago
(in some occasions, even from a previous reboot).
3.4.2 Memory Analysis - Volatility
Yet another, and even more powerful plugin that we may
utilize to identify hidden processes, is "psxview", which uses
multiple techniques for finding processes in memory. It
then reports the output in a single view by displaying
whether or not a certain process exists for each of the
detection techniques.
The next slide shows the output of "psxview".
Note that "THP.exe" was hidden from "pslist", among others.
In the hunt for malicious processes, we often attempt to identify anomalies, such as whether a process has been started by the expected parent process. For this purpose, we can use "pstree" in Volatility, whose output is a dot-aligned listing, as shown on the next slide. With this view, we can identify obvious anomalies, such as the parent process of svchost.exe not being services.exe. Another example would be notepad.exe starting PowerShell.
Note that this plugin will not include hidden processes in its output!
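The following Python script is an added example (not Volatility's code and not from this course) that reproduces, over a constructed set of process records, the two checks the last slides describe: a psxview-style cross-view that flags any PID a pool scan found but the linked-list walk did not, and the parent/child sanity check one makes by eye on pstree output, including a dot-aligned rendering. The PIDs, names and the expected-parent table are assumptions made up for the illustration; the hidden THP.exe entry mirrors the earlier psxview slide.

```python
"""Cross-view and parent/child checks over constructed process records.

Added example, not Volatility's own code. The records below are made up for
this illustration; in practice they would come from pslist/psscan output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Constructed sample: what a pslist-style walk of the EPROCESS linked list saw.
PSLIST = [
    Proc(4, 0, "System"),
    Proc(500, 4, "smss.exe"),
    Proc(600, 500, "wininit.exe"),
    Proc(700, 600, "services.exe"),
    Proc(800, 700, "svchost.exe"),
    Proc(1200, 900, "explorer.exe"),
    Proc(1500, 1200, "notepad.exe"),
    Proc(1600, 1500, "powershell.exe"),
    Proc(1700, 1200, "svchost.exe"),
]

# Constructed sample: what a psscan-style pool scan saw. It also finds THP.exe,
# which was unlinked from the list and therefore is missing above.
PSSCAN = PSLIST + [Proc(2000, 1200, "THP.exe")]

SOURCES = {"pslist": PSLIST, "psscan": PSSCAN}


def cross_view(sources):
    """psxview-style table: {pid: {"name": ..., "seen": {source: bool}}}."""
    table = {}
    for procs in sources.values():
        for p in procs:
            table.setdefault(p.pid, {"name": p.name, "seen": {}})
    for pid, row in table.items():
        for src, procs in sources.items():
            row["seen"][src] = any(p.pid == pid for p in procs)
    return table


def hidden_processes(sources):
    """PIDs that a scanning source found but the linked-list walk did not."""
    return sorted(pid for pid, row in cross_view(sources).items()
                  if not row["seen"]["pslist"])


# Expected parents, taken from the slide's example (svchost.exe should be
# started by services.exe) and the normal boot chain for services.exe.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
}
# Parents that have no business starting a shell; notepad.exe is the slide's example.
ODD_SHELL_PARENTS = {"notepad.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def parent_anomalies(procs):
    """Return (pid, name, parent_name, reason) for each parent/child mismatch."""
    names = {p.pid: p.name for p in procs}
    findings = []
    for p in procs:
        parent = names.get(p.ppid, "<unknown>")
        expected = EXPECTED_PARENT.get(p.name)
        if expected and parent not in expected:
            findings.append((p.pid, p.name, parent,
                             "expected parent " + "/".join(sorted(expected))))
        if p.name in SHELLS and parent in ODD_SHELL_PARENTS:
            findings.append((p.pid, p.name, parent, "shell started by unexpected parent"))
    return findings


def render_tree(procs):
    """Dot-aligned listing like pstree: one leading dot per level of depth."""
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    known = {p.pid for p in procs}
    lines = []

    def walk(p, depth):
        lines.append(f"{'.' * depth}{p.name} (pid {p.pid}, ppid {p.ppid})")
        for child in sorted(children.get(p.pid, []), key=lambda c: c.pid):
            walk(child, depth + 1)

    for root in sorted((p for p in procs if p.ppid not in known), key=lambda r: r.pid):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    for line in render_tree(PSSCAN):
        print(line)
    print("hidden from pslist:", hidden_processes(SOURCES))
    for finding in parent_anomalies(PSSCAN):
        print("anomaly:", finding)
```

In practice the two input lists would be the parsed output of pslist and psscan against the same image. Because the tree here is rebuilt from the scan results, an unlinked process still gets a place in it, which pstree alone would not give you.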
Output of “pstree”:
Volatility's "netscan" plugin traverses memory and identifies
all memory structures that represent a network connection.
Similar to "psscan", you may find false positives in its
output. However, it may also display connections which are
no longer active that are still preserved in memory.
The next thing that we'll look at is code injection. At this
point, we assume that the reader is familiar with the basic
structure of a Portable Executable (PE) file. If not, you can
refer to this link and read more about it.
https://resources.infosecinstitute.com/2-malware-researchers-handbook-demystifying-pe-file/#gref
In general, executable code resides in the ".text" section of a PE file, both when it is located on disk and when it is loaded into memory. With a few exceptions, this is where executable code should reside.
Injected code will not show up in the .text section; it is placed in private memory (the "heap") of a process. Let's look at the concept of DLL injection.
DLL injection is the process of inserting code into a running process. The inserted code takes the form of a Dynamic Link Library (DLL), mainly because DLLs are meant to be loaded as needed at run time. This does not mean that injecting other kinds of code is impossible, such as executables or simply handwritten shellcode.
Injecting into a SYSTEM process, or into a process from another security context (e.g. a process of another user), requires certain privileges (more specifically, SeDebugPrivilege, which is required to debug and adjust the memory of another process).
This is usually achieved through administrative rights on the machine.
Although there are multiple varieties of code injection techniques, the most generic one is a 4-step process in which the Win32 API provides the necessary functionality. The steps are:
1. Attach to the victim process
2. Allocate memory within the victim process
3. Copy the DLL or the DLL path into the allocated memory
4. Instruct the process to execute the DLL
Each of these steps is associated with one or more Win32 API function calls.
During step 3, the malware author has the option to either inject the path of a DLL on disk and have the process load and execute it, or inject the DLL itself, if the memory allocated in the victim process is large enough.
A drawback of these steps for malware authors is that the DLL being injected may need to be located on disk, where it could potentially be caught by antivirus software. Through static analysis, it may be possible to identify injection capability just by observing the import headers of a PE file (if it is not obfuscated in some way). Unlike simple DLL injection, the power of reflective DLL injection is that it is able to inject into, and execute directly from, memory.
Reflective injection is a special technique of code injection, where code is injected and loaded from memory, directly in the process itself. This type of injection is often used to further expand the capabilities of a functionality-limited stager, by delivering additional modules only when needed.
The library loading itself is not registered in any way with the host system, and as a result it is largely undetectable at both the system and the process level.
Techniques for detecting code injection have been around for a while.
One of the best known is scanning through the private memory regions (the heap of a process) and identifying those that have the executable bit set (RWE, i.e. read/write/execute, or RX) and/or have no memory-mapped file present on disk (an unmapped binary).
An unmapped process binary is an indication of process
hollowing.
A detailed explanation and research on process hollowing
is available here.
https://cysinfo.com/detecting-deceptive-hollowing-techniques/
The detection techniques mentioned so far are employed by Volatility's malfind plugin for detecting code injection.
Among other details, in malfind's output we can see:
• Process name and PID where the injection was detected
• Offset address where the injection was detected
• Hex, ASCII, and disassembly view of the injected area
Injected areas that begin with the "MZ" file header are especially interesting to us, as they denote a Windows executable file (which is the case in the picture on the next slide). Of course, the injected area may instead contain shellcode, which lacks the "MZ" header and requires the analyst to investigate further to understand its behavior and purpose.
Note: malfind's output may contain false positives.
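As an added example (not malfind itself, and not from this course), the Python below applies the heuristic just described to a constructed list of memory regions: it keeps only regions that are private, carry the execute bit and have no backing file, then labels each hit from its first bytes as a PE image (MZ header), a zero-filled region (the usual false positive) or a possible shellcode candidate, and formats a hex/ASCII line the way malfind's output does. The Region record, the protection strings and the sample regions are assumptions made for the illustration.

```python
"""Malfind-style triage of memory regions over constructed sample data.

Added example, not Volatility's malfind. A Region describes one virtual memory
region the way a VAD walk (or a live VirtualQuery-style enumeration) reports it;
the SAMPLE list is made up for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Windows page protections that carry the execute bit.
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class Region:
    pid: int
    process: str
    start: int
    size: int
    protection: str              # e.g. "PAGE_EXECUTE_READWRITE"
    private: bool                # True for private (heap/anonymous) memory
    mapped_file: Optional[str]   # backing file on disk, None if unmapped
    head: bytes                  # first bytes of the region


def is_suspicious(r: Region) -> bool:
    """Private + executable + no backing file: the classic injection signature."""
    return r.private and r.protection in EXECUTABLE and r.mapped_file is None


def classify(head: bytes) -> str:
    """Label a flagged region from its first bytes, as an analyst would from
    malfind's hex view."""
    if head[:2] == b"MZ":
        return "PE image (MZ header)"
    if not head.strip(b"\x00"):
        return "zero-filled (likely false positive)"
    return "no MZ header: possible shellcode, needs disassembly"


def hex_ascii(data: bytes) -> str:
    """One hex + ASCII line in the style of malfind's output."""
    hexpart = " ".join(f"{b:02x}" for b in data)
    asc = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
    return f"{hexpart}  {asc}"


def malfind(regions):
    """(pid, process, start, protection, label) for every suspicious region."""
    return [(r.pid, r.process, r.start, r.protection, classify(r.head))
            for r in regions if is_suspicious(r)]


# Constructed sample regions (not taken from a real dump).
SAMPLE = [
    # The image itself: executable but file-backed, so not flagged.
    Region(1200, "explorer.exe", 0x7FF6A0000000, 0x1000, "PAGE_EXECUTE_READ",
           False, r"C:\Windows\explorer.exe", b"MZ\x90\x00"),
    # Ordinary heap: private but not executable.
    Region(1200, "explorer.exe", 0x02A40000, 0x10000, "PAGE_READWRITE",
           True, None, b"\x00" * 4),
    # Private RWX region starting with a PE header: an injected image.
    Region(1200, "explorer.exe", 0x03B10000, 0x20000, "PAGE_EXECUTE_READWRITE",
           True, None, b"MZ\x90\x00\x03\x00"),
    # Private RWX region with no MZ header: shellcode candidate (opaque bytes).
    Region(800, "svchost.exe", 0x01F00000, 0x1000, "PAGE_EXECUTE_READWRITE",
           True, None, b"\x55\x48\x89\xe5"),
    # Private RWX but all zeroes: the kind of hit malfind reports as noise.
    Region(800, "svchost.exe", 0x02000000, 0x1000, "PAGE_EXECUTE_READWRITE",
           True, None, b"\x00" * 16),
]


if __name__ == "__main__":
    for pid, proc, start, prot, label in malfind(SAMPLE):
        print(f"{proc} pid {pid} @ {start:#x} {prot}: {label}")
    print(hex_ascii(SAMPLE[2].head))
```

The zero-filled case is why the slide warns about false positives: a freshly allocated RWX page that nothing has written to yet satisfies the heuristic but carries no code, so the classification step is what turns a raw hit into something worth an analyst's time.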
Partial output of “malfind” – “MZ” header detected.
The following resource contains additional descriptions of
other injection techniques and their respective detection.
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Volatility has a plugin "yarascan" which allows you to
search for strings, patterns, and also compound rules. As
stated on its wiki page, this plugin can help you locate any
sequence of bytes (like assembly instructions with wild
cards), regular expressions, ANSI strings, or Unicode strings
in user mode or kernel memory.
You can also use a YARA rules file as an argument instead
of specifying the rule(s) on the command line.
https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#yarascan
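The Python below is an added example (it is not yarascan and not part of this course) of what such a search does under the hood, without needing the yara module: a YARA-style hex string with byte and nibble wildcards is turned into a bytes regex, and the ANSI and UTF-16LE (YARA's "wide") forms of a string are searched for in a constructed memory buffer. The buffer contents, the string and the rule names are made up for the illustration. With Volatility 2 itself, the same rules would be passed to yarascan inline (-Y) or through a rules file (-y).

```python
"""Byte-pattern and string scanning in the spirit of yarascan.

Added example, not Volatility's code, and it does not need the yara module: it
translates a YARA-style hex string with wildcards into a bytes regex and scans a
constructed buffer. The MEMORY buffer and the strings in it are made up.
"""
import re

HEX_DIGITS = "0123456789abcdef"


def hex_pattern_to_regex(pattern: str):
    """Turn e.g. '4D 5A ?? 00' into a compiled bytes regex.
    '??' matches any byte; a nibble wildcard such as '4?' matches 0x40-0x4f."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif "?" in tok:
            hi, lo = tok[0], tok[1]
            values = [int(hi + h, 16) if lo == "?" else int(h + lo, 16) for h in HEX_DIGITS]
            parts.append(b"[" + b"".join(b"\\x%02x" % v for v in values) + b"]")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def ansi(s: str):
    """An ASCII string, like YARA's default (ascii) string modifier."""
    return re.compile(re.escape(s.encode("ascii")))


def wide(s: str):
    """YARA's 'wide' modifier: UTF-16LE, how most strings sit in Windows memory."""
    return re.compile(re.escape(s.encode("utf-16-le")))


def scan(buf: bytes, rules: dict) -> list:
    """(rule_name, offset, matched_bytes) for every hit, ordered by offset."""
    hits = [(name, m.start(), m.group(0))
            for name, rx in rules.items() for m in rx.finditer(buf)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed 'memory': zero padding, a DOS/PE header fragment, an ANSI string,
# then the same string encoded as UTF-16LE.
SUSPECT = "http://example.invalid/beacon"
MEMORY = (b"\x00" * 16
          + b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
          + SUSPECT.encode("ascii") + b"\x00" * 8
          + SUSPECT.encode("utf-16-le") + b"\x00" * 8)

RULES = {
    "mz_header": hex_pattern_to_regex("4D 5A ?? 00 03 00"),
    "beacon_ansi": ansi("example.invalid/beacon"),
    "beacon_wide": wide("example.invalid/beacon"),
}

if __name__ == "__main__":
    for name, offset, matched in scan(MEMORY, RULES):
        print(f"{name:12} @ {offset:#06x}: {matched!r}")
```

The wide form matters in memory hunting because a string typed in a rule as plain ASCII will miss the UTF-16 copy Windows keeps for most of its own strings; scanning for both is the equivalent of YARA's "ascii wide" modifiers.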
In some instances, you may be hunting for very
sophisticated pieces of malware (rootkits) where you have
to dig into system objects such as drivers, mutexes, and
hooked functions.
The following plugins are extremely helpful in this area:
• idt
• ssdt
• apihooks
• modules
• modscan
• driverirp
• driverscan
An example and walkthrough of rootkit detection is
available here.
https://eforensicsmag.com/finding-advanced-malware-using-volatility/
If any of the hunting activities identified a threat, Volatility provides a wide range of plugins that will help you extract, or rather carve out of the memory dump, all of the malicious object(s) (process, driver, ...) for further analysis.
Further details on how to use Volatility are available on its
Wiki page, here.
Lastly, if you want to play with some memory samples and
perfect your Volatility knowledge, you can download them
from here.
https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
3.4.2.1 Hera Lab
Put what you've learned to practice with the Hunting in Memory lab!
To ACCESS your lab, go to the course in your members area and click the labs drop-down in the appropriate module line, then click the manual icon.
All labs are only available in Full or Elite Editions of the course.
*NOTE: some courses contain several labs and manuals; please make sure to click the file icon, as it may be a zip that contains multiple lab manuals.
3.4.3 Live System Memory Hunting
Unfortunately, obtaining a memory dump (from all of your systems) and performing analysis on it is rather impractical. It is too time consuming, and therefore such hunts are performed on a subset of hosts only.
Another obstacle is memory size: on average 16 GB on workstations and commonly 64 GB (or more) on servers.
Recently, some tools have emerged that attempt to scale
memory hunting, primarily focusing on detecting injected
code on the live machine without the need of obtaining
memory dumps. The tools we’ll look into are:
• GetInjectedThread.ps1
• Memhunter
• Captain
https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
https://github.com/marcosd4h/memhunter
https://github.com/y3n11/Captain
3.4.3.1 Live System Memory Hunting - Get-InjectedThread
Get-InjectedThread is defined by the author as a tool that
can detect:
• Classic Injection
• Reflective DLL Injection
• Memory Module (similar technique to RDI)
The original presentation of the tool is available here.
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492714038.pdf
Running the script on a compromised host returns confirmation of the injection and additional information about the process and thread detected.
3.4.3.2 Live System Memory Hunting - Memhunter
Memhunter is a standalone binary that, upon execution,
deploys itself as a Windows service.
Once installed, it feeds data to memory inspection scanners
that use detection heuristics to locate potential attacks.
A working PoC video of the tool is available here.
https://www.youtube.com/watch?v=t_fR1sCENkc
3.4.3.3 Live System Memory Hunting - Captain
Captain is an endpoint monitoring tool that is designed to spot malicious events through API hooking.
Captain, among others, is capable of detecting:
• Code injection
• Memory dump creation (e.g. a dump of LSASS)
• Fileless malware
• Execution of Office macros
Captain requires its 4 components to operate:
• Monitor.ps1 – Monitors for process creations and
injects Captain.dll in new processes
• Injector.exe – Used for the injection of Captain.dll
• Captain.dll – Hooks Windows API functions and outputs
events
• Behan.py – analyzes the events captured by Captain.dll
(based on provided signatures for alerting)
3.4.4 Hera Lab
Put what you've learned to practice with the Hunting for Process Injection & Proactive API Monitoring lab!
To ACCESS your lab, go to the course in your members area and click the labs drop-down in the appropriate module line, then click the manual icon.
All labs are only available in Full or Elite Editions of the course.
*NOTE: some courses contain several labs and manuals; please make sure to click the file icon, as it may be a zip that contains multiple lab manuals.
3.4.5 Hera Lab
Put what you've learned to practice with the Advanced Endpoint Hunting lab!
To ACCESS your lab, go to the course in your members area and click the labs drop-down in the appropriate module line, then click the manual icon.
All labs are only available in Full or Elite Editions of the course.
*NOTE: some courses contain several labs and manuals; please make sure to click the file icon, as it may be a zip that contains multiple lab manuals.
3.5
Malware Analysis
3.5 Malware Analysis
Even though malware analysis is beyond the scope of this course, it is still worth a mention.
Malware analysis is needed when a binary needs to be analyzed further. We know that malware, whether it is packed, encrypted, etc. on disk, is in clear text in memory once it runs, but in order to further understand the malware, analysis is needed.
If your security team does not have a dedicated malware analyst, then as a threat hunter this is a skill to have. Even basic malware analysis skills will be helpful.
A threat hunter is similar to a spec ops operator: no matter what they encounter, they are trained and have the skills to complete the task. Whether it is inspecting network traffic, hunting for malicious files in various operating systems, performing incident response, memory analysis, etc., they are ready.
3.5.1 Hera Lab
Put what you've learned to practice with the Hunting Malware Part 1 lab!
To ACCESS your lab, go to the course in your members area and click the labs drop-down in the appropriate module line, then click the manual icon.
All labs are only available in Full or Elite Editions of the course.
*NOTE: some courses contain several labs and manuals; please make sure to click the file icon, as it may be a zip that contains multiple lab manuals.
3.5.2 Hera Lab
Put what you've learned to practice with the Hunting Malware Part 2 lab!
To ACCESS your lab, go to the course in your members area and click the labs drop-down in the appropriate module line, then click the manual icon.
All labs are only available in Full or Elite Editions of the course.
*NOTE: some courses contain several labs and manuals; please make sure to click the file icon, as it may be a zip that contains multiple lab manuals.
3.5.3 Hera Lab
Put what you've learned to practice with the Hunting Empire lab!
To ACCESS your lab, go to the course in your members area and click the labs drop-down in the appropriate module line, then click the manual icon.
All labs are only available in Full or Elite Editions of the course.
*NOTE: some courses contain several labs and manuals; please make sure to click the file icon, as it may be a zip that contains multiple lab manuals.
Conclusion
This concludes this module on Hunting Malware.
We have covered:
✓ Various detection tools
✓ Various detection techniques
✓ Memory analysis tools
✓ The importance of malware analysis
References
PE Capture v1.2
http://www.novirusthanks.org/products/pe-capture/
PE Capture Service v1.2
http://www.novirusthanks.org/products/pe-capture-service/
RandomCode
https://github.com/abhisek/RandomCode/tree/master/Malware/Process
Meterpreter_Payload_Detection
https://github.com/DamonMohammadbagher/Meterpreter_Payload_Detection
reflective-injection-detection
https://github.com/papadp/reflective-injection-detection
PowerShellArsenal
https://github.com/mattifestation/PowerShellArsenal
NtQueryInformationThread function
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684283(v=vs.85).aspx
Get-InjectedThread.ps1
https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
ssdeep - Fuzzy hashing program
https://ssdeep-project.github.io/ssdeep/index.html
Identifying Almost Identical Files Using Context Triggered Piecewise Hashing
http://dfrws.org/sites/default/files/session-files/paper-identifying_almost_identical_files_using_context_triggered_piecewise_hashing.pdf
[How To] Fuzzy Hashing with SSDEEP (similarity matching)
https://dfir.science/2017/07/How-To-Fuzzy-Hashing-with-SSDEEP-(similarity-matching).html
ssdeep
https://github.com/ssdeep-project/ssdeep
VirusTotal += imphash
http://blog.virustotal.com/2014/02/virustotal-imphash.html
Tracking Malware with Import Hashing
https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
ImpHash-Generator
https://github.com/Neo23x0/ImpHash-Generator
Caching Out: The Value of Shimcache for Investigators
https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html
ShimCacheParser
https://github.com/mandiant/ShimCacheParser
Evolving Analytics for Execution Trace Data
https://www.fireeye.com/blog/threat-research/2017/04/appcompatprocessor.html
appcompatprocessor
https://github.com/mbevilacqua/appcompatprocessor
Reflective DLL Injection Detection through Memhunter
https://www.youtube.com/watch?v=t_fR1sCENkc
Hunting In Memory
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492714038.pdf
FTK Imager
https://accessdata.com/product-download/ftk-imager-version-4-2-0
Comae Stardust
https://my.comae.com/
MAGNET RAM Capture
https://www.magnetforensics.com/resources/magnet-ram-capture/
Redline
https://www.fireeye.com/services/freeware/redline.html
volatility
https://github.com/volatilityfoundation/volatility
Captain
https://github.com/y3n11/Captain
memhunter
https://github.com/marcosd4h/memhunter
Volatility – Memory Samples
https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
Volatility Usage
https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
Malware Researcher’s Handbook (Demystifying PE File)
https://resources.infosecinstitute.com/2-malware-researchers-handbook-demystifying-pe-file/#gref
Detecting Deceptive Process Hollowing Techniques Using HollowFind Volatility Plugin
https://cysinfo.com/detecting-deceptive-hollowing-techniques/
Ten process injection techniques: A technical survey of common and trending process injection techniques
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
yarascan
https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#yarascan
Finding Advanced Malware Using Volatility
https://eforensicsmag.com/finding-advanced-malware-using-volatility/
Videos
Here's a list of all videos in this module. To ACCESS your video, go to the course in your members area and click the resources drop-down in the appropriate module line.
Note that all videos are only available in Full or Elite Editions of the course.
Redline – Created Standard Collector
Redline – Basic Usage
Redline – Create Analysis File
Redline – Detecting Code Injection
Labs
Hunting in Memory
Lab 7.1: The organization you work for is asking you to perform memory threat hunting on a
randomly selected machine. As a hunting exercise to keep you sharp, the IT Security manager
tasked you specifically with looking for anomalous connections and memory injections.
Lab 7.2: The organization you work for is also asking you to perform memory threat hunting
on a Linux machine. As a hunting exercise to keep you sharp, the IT Security manager tasked
you specifically with looking for the existence of Linux rootkits.
Hunting for Process Injection & Proactive API Monitoring
Attackers love hiding/injecting malicious code into processes. In this lab, you will learn how
to hunt for various process injection techniques and how to leverage userland API monitoring
for more effective hunts.
*Labs are only available in Full or Elite Editions of the course. To ACCESS your labs, go to the course in your members area and click the labs drop-down in the appropriate module line.
Labs
Advanced Endpoint Hunting
Inside THP you will find two (2) distinct labs on advanced hacking techniques hunting at the
endpoint level. Specifically, you will learn how to hunt for process doppelganging, AMSI
bypasses, parent PID spoofing, reflective DLL injection, module stomping etc.
Hunting Malware Part 1
Your manager, Tony, wants you to keep an eye on the machine for the administrative
assistant to the CFO. Email logs show that there has been a spike in spam emails attempting
to reach her email address. Even though she has completed the security awareness class,
Tony doesn’t want to take any chances. Tony hands you a Mandiant Analysis File to load into
Redline and see if there is anything suspicious that is running, or was running, on her
machine. After analysis, Tony requires you to get a recent Mandiant Analysis File to analyze.
Labs
Hunting Malware Part 2
Your manager, Tony, received 2 memory files from another facility within the ISAC. These 2 memory files were from actual incidents that took place within their facility a few years ago. Tony wants you to analyze them for any signs of code injection and/or a rootkit, to prepare you to detect APT attacks.
Hunting Empire
Your manager, Tony, wants to make sure that you can detect the widely used attacking tool,
Empire. A hunting exercise has been scheduled, where you are tasked with detecting
Empire’s presence on an endpoint.