Posted in Security

Threat Intelligence Researcher Notes

1. Phase Overview 
    * Hunting 
        - virustotal.com 
        - Underground hacking forums 
        - DeepWeb hidden sites (via TOR)
        - Incident response 
        - Honeypots 
    * Feature extraction (static)
        - Timestamp: date when the binary was created 
        - Digital certificate signing the malware 
            Either self-signed, legitimate but expired, or stolen (Stuxnet)
        - Exif metadata (Author, Language, MIME type)
        - Import table hash (imphash)
        - Sequence of identical bytes in the same order (ssdeep)
        - Strings: C2 IP, mutex, PDB path, custom messages 
    * Behavior extraction (dynamic)
        - Normally detected by running the sample in a sandbox 
        - Or by dumping the sample from memory 
        - Capturing malicious events 
            - Creating a file in a suspicious location (AppData)
            - Injecting into other processes 
            - Download/execute from the internet 
            - Keystroke interception 
            - Anti-VM, anti-debugging checks 
            - Delay techniques: sleep calls, junk loops 
            - Persistence: registry, service, scheduled task 
        - Malicious events 
            - Desktop locked (ransomware)
            - Multiple files overwritten (file infector)
            - Dumping hashes from memory (hacktool)
        - Passive DNS (DNSDB)
    * Clustering and correlation & threat actor attribution 
        - Clustering: nodes 
            Timestamp, imphash, ssdeep, digital certs 
    * Tracking 
        - Passive DNS 
        - Internet port scan: finding new C2s proactively 
        - Lookups: Yara & Snort scans 
        - OSINT: email addresses 
2. Hunting 
    * VirusTotal Intelligence 
        - https://www.virustotal.com/?signin=true&next=/intelligence/
    * Underground forums: Darkode 
    * Deep web / invisible web / hidden web 
        - Hidden wiki 
    
    * Honeypot 
    * OSINT 
        - Information gathered from publicly available sources 
        - Search for documents in specific domains 
        - Samples based on email addresses, usernames, IPs from the internet 
        - OSINT framework: metagoofil (Kali) 
    * Open source intelligence (OSINT) tools: 
        + Maltego 
        + shodan 
        + metagoofil 
        + https://www.exploit-db.com/google-hacking-database/
        + FOCA
        + EXIF data viewers
        + Social Engineer Toolkit
        + http://www.peekyou.com/
        + http://www.lullar.com/
        + http://archive.org/web/web.php
        + http://www.sec.gov/edgar.shtml
        + http://www.yougetsignal.com/
        + Passive Recon 2016
        + http://www.toolswatch.org/    
        + theHarvester 
3. Features Extraction 
    * Hash / file integrity 
        - cannot revert the hash to get original content 
    * Imphash 
        - Import table: DLLs being used by the windows binary 
        - Mandiant creates a hash based on API names and their specific order 
        - Defines the behavior of the malware 
        - Not applicable to packed files 
        - Can be used to find (hunt) similar malware 
    * Strings 
        - Low-cost simple check 
        - Can help to easily hunt for similar files 
        - Consider unicode strings 
        - No technical knowledge required 
        - PDB, API names, Mutex, custom error messages can help 
        - Yara can help to hunt based on strings! 
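The two static features above, imphash and strings, as an added worked example (not code from the original notes). The import table and the binary fragment are constructed and labelled as such; the imphash normalisation follows the Mandiant/pefile convention (lowercase `dll.func` pairs, extension stripped, MD5 over the comma-joined list in import order), and the string extractor handles both ASCII and UTF-16LE runs, since the page warns to consider Unicode strings:

```python
import hashlib
import re

# Constructed import table in the shape a PE parser (e.g. pefile) returns:
# (DLL name, imported function). Hypothetical sample, not a real binary.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegSetValueExA"),
    ("WS2_32.dll", "connect"),
]

# Constructed binary fragment: a C2 URL as an ASCII string, a mutex name stored
# as UTF-16LE (the "consider unicode strings" case), a PDB path, and a run that
# is too short to count. 203.0.113.0/24 is a documentation range, not a real C2.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"http://203.0.113.7:8080/gate.php\x00"
    + b"\x01\x02\x03"
    + "Global\\Groove:PathMutex".encode("utf-16le") + b"\x00\x00"
    + b"\xff" * 5
    + b"C:\\dev\\loader\\Release\\loader.pdb\x00"
    + b"ab\x00cd"
)


def import_string(imports):
    """Normalise the import table the way imphash does: lowercase, drop the
    .dll/.ocx/.sys extension, keep the original import order."""
    parts = []
    for dll, func in imports:
        name = dll.lower()
        base, dot, ext = name.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            name = base
        parts.append("%s.%s" % (name, func.lower()))
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string. Because order is part of the
    input, the same DLLs imported in a different order hash differently.
    (Imports by ordinal need an ordinal-to-name table first; omitted here.)"""
    return hashlib.md5(import_string(imports).encode()).hexdigest()


def extract_strings(blob, min_len=6):
    """ASCII and UTF-16LE printable runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(blob)]
    return found


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
PDB_RE = re.compile(r"[A-Za-z]:\\\S*\.pdb", re.IGNORECASE)


def classify_indicators(strings):
    """Sort extracted strings into the pivot categories the notes list
    (C2 address, PDB path, mutex name)."""
    hits = {"c2": [], "pdb": [], "mutex": []}
    for s in strings:
        if IPV4_RE.search(s):
            hits["c2"].append(s)
        if PDB_RE.search(s):
            hits["pdb"].append(s)
        if "mutex" in s.lower():
            hits["mutex"].append(s)
    return hits


if __name__ == "__main__":
    print("imphash:", imphash(SAMPLE_IMPORTS))
    for kind, values in classify_indicators(extract_strings(SAMPLE_BLOB)).items():
        print(kind, values)
```

The mutex name only shows up because of the UTF-16LE pass; a plain ASCII `strings` run over the same bytes misses it, which is exactly the kind of pivot that then cannot be hunted on.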
    * Lab: extracting VBA macros with Didier Stevens' tools 
        #ls 353462625626
        #vi 353462625626                                    (MIME-version: 5.0 / email version 5)
        #emldump.py 353462625626                            (list the MIME parts)
        #emldump.py -s 3 -d 353462625626 > ActiveMime       (dump part 3, the ActiveMime attachment)
        #vi ActiveMime
        #hexdump -C ActiveMime | less 
        #emldump.py -s 3 -d 353462625626 | oledump.py                           (list the OLE streams)
        #emldump.py -s 3 -d 353462625626 | oledump.py -s 20 -v > yfdjvsadf      (stream 20, VBA decompressed)
        #vi yfdjvsadf 
        #emldump.py -s 3 -d 353462625626 | oledump.py -s a -v > all_macros      (all streams, VBA decompressed)
        #vi all_macros
    * Lab 2: C2 IP pivoting 
        #emldump.py -s 3 -d 353462625626 | oledump.py -s a -d > all_content     (all streams, raw dump)
        #vi all_content 
4. Behavior Extraction 
    Based on sandbox scans (Cuckoo sandbox)
    * Unique mutex: Groove:PathMutex 
    * GetCursorPos API: sandbox evasion technique 
        - Detects suspiciously fast mouse movement 
        - Done by comparing two coordinates taken a short time apart 
        - Really fast movement could be a sign of code running in a sandbox 
    * Anti-sandbox: NtDelayExecution 
        - Sandbox will time out and stop analyzing the malware 
    * Behaviour detected: malicious mutex, anti-sandbox 
    * Process Infector, Keylogger & Passive DNS 
        * Process infector 
            - WriteProcessMemory API: inject code into processes 
            - NtSetContextThread: points to the entry point 
            - NtResumeThread: resume execution remotely 
        * Keylogger
            - Common behaviour in ransomware 
            - Hook identifier 2: keyboard 
            - Hook identifier 2: mouse 
        * Passive DNS 
            DNSDB is a must-have resource for threat intelligence 
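The behaviours listed in this section, turned into detection logic over a sandbox API trace, as an added example (not from the original notes or from Cuckoo). The trace is constructed in a Cuckoo-like shape; the argument names (`MutexName`, `Milliseconds`, `ProcessId`, `HookIdentifier`, `FileName`) are assumptions, not Cuckoo's exact schema. The hook identifiers come from winuser.h (WH_KEYBOARD = 2, WH_MOUSE = 7, and the low-level variants 13 and 14):

```python
from collections import defaultdict

# Hook identifiers from winuser.h: 2 is WH_KEYBOARD (the "hook identifier 2" in
# the notes), 7 is WH_MOUSE, 13 and 14 are the low-level keyboard/mouse hooks.
INPUT_HOOKS = {2: "keyboard", 7: "mouse", 13: "low-level keyboard", 14: "low-level mouse"}
KNOWN_BAD_MUTEXES = {"Groove:PathMutex"}          # from the notes above
LONG_SLEEP_MS = 60 * 1000                         # a sleep this long outlasts most sandbox runs
INJECTION_CHAIN = ("WriteProcessMemory", "NtSetContextThread", "NtResumeThread")

# Constructed API trace (seconds since start, API name, selected arguments).
SAMPLE_TRACE = [
    {"ts": 0.00, "api": "CreateMutexW", "args": {"MutexName": "Groove:PathMutex"}},
    {"ts": 0.01, "api": "GetCursorPos", "args": {"x": 10, "y": 10}},
    {"ts": 0.02, "api": "GetCursorPos", "args": {"x": 900, "y": 700}},
    {"ts": 0.03, "api": "NtDelayExecution", "args": {"Milliseconds": 600000}},
    {"ts": 0.04, "api": "OpenProcess", "args": {"ProcessId": 4242}},
    {"ts": 0.05, "api": "WriteProcessMemory", "args": {"ProcessId": 4242}},
    {"ts": 0.06, "api": "NtSetContextThread", "args": {"ProcessId": 4242}},
    {"ts": 0.07, "api": "NtResumeThread", "args": {"ProcessId": 4242}},
    {"ts": 0.08, "api": "SetWindowsHookExW", "args": {"HookIdentifier": 2}},
    {"ts": 0.09, "api": "CreateFileW", "args": {"FileName": "C:\\Users\\u\\AppData\\Roaming\\svc.exe"}},
]

# Constructed benign trace: a single cursor read, a short sleep, and a
# NtResumeThread with no preceding write/context steps (not an injection).
BENIGN_TRACE = [
    {"ts": 0.00, "api": "GetCursorPos", "args": {"x": 10, "y": 10}},
    {"ts": 0.01, "api": "NtDelayExecution", "args": {"Milliseconds": 100}},
    {"ts": 0.02, "api": "NtResumeThread", "args": {"ProcessId": 99}},
]


def analyse_trace(trace, cursor_window=0.5):
    """Return (category, detail) findings for the behaviours in section 4."""
    findings = []
    last_cursor_ts = None
    progress = defaultdict(int)   # target pid -> steps of INJECTION_CHAIN seen, in order
    for ev in trace:
        api, args = ev["api"], ev["args"]
        if api == "CreateMutexW" and args.get("MutexName") in KNOWN_BAD_MUTEXES:
            findings.append(("malicious-mutex", args["MutexName"]))
        elif api == "GetCursorPos":
            # Two reads a moment apart is the mouse-speed sandbox check
            if last_cursor_ts is not None and ev["ts"] - last_cursor_ts <= cursor_window:
                findings.append(("anti-sandbox",
                                 "GetCursorPos polled twice within %.2fs" % (ev["ts"] - last_cursor_ts)))
            last_cursor_ts = ev["ts"]
        elif api == "NtDelayExecution" and args.get("Milliseconds", 0) >= LONG_SLEEP_MS:
            findings.append(("anti-sandbox", "NtDelayExecution for %ds" % (args["Milliseconds"] // 1000)))
        elif api in INJECTION_CHAIN:
            pid = args.get("ProcessId")
            if INJECTION_CHAIN[progress[pid]] == api:      # only advance on the next expected step
                progress[pid] += 1
                if progress[pid] == len(INJECTION_CHAIN):
                    findings.append(("process-injection", "pid %s" % pid))
                    progress[pid] = 0
        elif api.startswith("SetWindowsHookEx") and args.get("HookIdentifier") in INPUT_HOOKS:
            findings.append(("keylogger", INPUT_HOOKS[args["HookIdentifier"]] + " hook installed"))
        elif api == "CreateFileW" and "\\appdata\\" in args.get("FileName", "").lower():
            findings.append(("suspicious-path", args["FileName"]))
    return findings


def verdict(trace):
    """Distinct behaviour tags for the report, e.g. ['anti-sandbox', 'keylogger', ...]."""
    return sorted({category for category, _ in analyse_trace(trace)})


if __name__ == "__main__":
    for category, detail in analyse_trace(SAMPLE_TRACE):
        print("%-18s %s" % (category, detail))
    print("verdict:", verdict(SAMPLE_TRACE))
```

The injection check requires the three calls in order against the same target process; a lone NtResumeThread, which plenty of legitimate software issues, does not fire. The long-sleep rule is the defender's side of the NtDelayExecution trick: the sandbox should either patch the delay or flag it rather than simply time out.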
5. Clustering and Correlation
    * Clustering: Nodes 
        - Timestamp, imphash, ssdeep, digital certs 
        - Properties: part of group properties 
        - Correlation: Graph DB : 
            NoSql database, Collection of nodes and edges 
    * Graph DB     
        - Designed to store edges and properties for those edges 
        - Edges = Binaries / malicious program 
        - Properties: Features & Behaviors 
        - GraphDB solution to exploit the information 
        - Maltego 
        - Apache TinkerPop 
        - Neo4J 
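The clustering step described above, as an added example (not from the original notes, and not using Neo4j, TinkerPop or Maltego): samples are nodes, a shared feature value is an edge labelled with that feature, and clusters are the connected components. The feature table is constructed with placeholder values; `min_shared` is an added knob so that a single shared compile timestamp, which is a weak signal, does not glue unrelated families together:

```python
from collections import defaultdict

# Constructed feature table: one row per sample, with the node features the
# notes list (timestamp, imphash, ssdeep, digital cert). Placeholder values only.
SAMPLES = {
    "s1": {"timestamp": "2016-03-01 09:12", "imphash": "IMP-A", "ssdeep": "SS-1", "cert": None},
    "s2": {"timestamp": "2016-03-01 09:12", "imphash": "IMP-A", "ssdeep": "SS-2", "cert": "CERT-X"},
    "s3": {"timestamp": "2016-05-10 14:02", "imphash": "IMP-B", "ssdeep": "SS-2", "cert": "CERT-X"},
    "s4": {"timestamp": "2016-03-01 09:12", "imphash": "IMP-C", "ssdeep": "SS-3", "cert": None},
    "s5": {"timestamp": "2017-01-01 00:00", "imphash": "IMP-D", "ssdeep": "SS-4", "cert": None},
}
FEATURES = ("timestamp", "imphash", "ssdeep", "cert")


def shared_features(samples, features=FEATURES):
    """Edges of the graph: (a, b) -> sorted list of features the pair shares.
    None/empty values never link samples, so 'unsigned' is not a shared trait."""
    by_value = defaultdict(list)
    for sid, props in samples.items():
        for feat in features:
            if props.get(feat):
                by_value[(feat, props[feat])].append(sid)
    edges = defaultdict(set)
    for (feat, _), members in by_value.items():
        members = sorted(members)
        for i, a in enumerate(members):
            for b in members[i + 1:]:
                edges[(a, b)].add(feat)
    return {pair: sorted(feats) for pair, feats in edges.items()}


def cluster(samples, min_shared=1, features=FEATURES):
    """Connected components over edges with at least min_shared common features
    (union-find). Returns the clusters as sorted lists of sample ids."""
    parent = {sid: sid for sid in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for (a, b), feats in shared_features(samples, features).items():
        if len(feats) >= min_shared:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for sid in samples:
        groups[find(sid)].append(sid)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for pair, feats in sorted(shared_features(SAMPLES).items()):
        print(pair, "share", feats)
    print("min_shared=1:", cluster(SAMPLES, min_shared=1))
    print("min_shared=2:", cluster(SAMPLES, min_shared=2))
```

With `min_shared=1`, s4 joins the first family purely through its timestamp; with `min_shared=2` it drops out, while s1-s2 (imphash + timestamp) and s2-s3 (ssdeep + certificate) stay linked. In a real graph database the same edge labels are what the analyst walks when pivoting from one sample to the next.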
6. Tracking 
    * Passive DNS & Internet Port Scan 
        - DNSDB Tracking 
        - Port 2007: DarkComet RAT 
        - Port 8025: Reverse Shell Loader 
        - Port 3098: Keylogger repository 
    * OSINT (open source intelligence)
7. Taking Down 
    - Sinkhole: technique to redirect a malicious C2 to the researcher's analysis server 
    - Sinkhole Approaches : 
        - Take over C2 Domain 
            Change DNS configuration, Doable, MITM 
8. Attribution 
    TTPs: Tactics, Techniques and Procedures 
        - Spear phishing, water hole attacks 
        - Zero days: Stuxnet, Duqu 
        - APT X5

Author:

A good friend is a friend who pushes you to keep growing...
