Hunting Fileless Malware
[ SysInternals tools & Digital Forensics techniques ]
>whoami
Olha Pasko,
[ Chief Security Analyst, RMRF ]
[ Co-founder, mentor & speaker, community WIA in Kyiv ]
>agenda
1. Fileless malware definition
2. Hunting fileless malware with SysInternals tools
3. Hunting fileless malware with Digital Forensics techniques
Fileless Malware Definition
Fileless Malware
● Fileless malware is a new type of malicious code that infects a host
computer’s dynamic memory (RAM) rather than its disk.
● As a rule, fileless malware is combined with the abuse of built-in system
tools such as PowerShell, WMI, the Windows SDK, etc.
Fileless Malware Example
Fileless Malware. Example
1. Endpoint
2. C2C
Fileless Malware Hunting
[ SysInternals Tools ]
OS Windows
● Processes
● Threads
● Handles
● Resources
OS Windows [ 10 ]
● Boot chain
Boot Chain. Anomaly Detection
● System
Anomalies in process’s behavior:
● System has no parent (the origin process runs in kernel mode)
● PID of System isn’t 4
● more than one System process exists
Boot Chain. Anomaly Detection
● SMSS
Anomalies in process’s behavior:
● parent process isn’t System
● process directory isn’t %systemroot%\system32
● procexp64.exe/procexp.exe shows a parent process for winlogon,
wininit or csrss (normally their smss.exe parent has already exited)
Boot Chain. Anomaly Detection
● CSRSS
Anomalies in process’s behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %systemroot%\system32
Normal process behavior:
● one separate instance per session
● first instance for System: Session 0
● second instance for the user: Session 1
Boot Chain. Anomaly Detection
● Wininit
Anomalies in process’s behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %systemroot%\system32
● SMSS isn’t the parent of wininit
Normal process behavior:
● process is running as NT AUTHORITY\SYSTEM
● process directory is %systemroot%\system32
● creates Winsta0 and 2 desktops (Winlogon and
Default) for Session 0
● creates services.exe, lsass.exe, lsm.exe
● SMSS is the parent process
● creates %windir%\temp
● process is started under Session 0
Boot Chain. Anomaly Detection
● Winlogon
Anomalies in process’s behavior:
● the Shell and Userinit values differ from those shown in the image above
● process directory isn’t %systemroot%\system32
● procexp64.exe/procexp.exe shows a parent process for winlogon
● process isn’t running as NT AUTHORITY\SYSTEM
Boot Chain. Anomaly Detection
● Explorer
Anomalies in process’s behavior:
● process has TCP/IP connections
● process directory isn’t the Windows directory
Boot Chain. Anomaly Detection
● Services
Anomalies in process’s behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %systemroot%\system32
● parent process isn’t wininit.exe
Boot Chain. Anomaly Detection
● Svchost
Anomalies in process’s behavior:
● process is running as a user other than SYSTEM, Local Service or Network Service
● process directory isn’t %systemroot%\system32
● parent process isn’t services.exe
● command line doesn’t carry the -k [name] switch
Boot Chain. Anomaly Detection
● LSASS
Anomalies in process behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %systemroot%\system32
● parent process isn’t wininit.exe
● processes with a similar but slightly different name: lasss, lssaa, lsas
Normal process behavior:
● process is running as NT AUTHORITY\SYSTEM
● image path is %systemroot%\system32\lsass.exe
● parent process is wininit.exe
● only one process named lsass.exe
● lsass.exe has no child processes
● lsass.exe is started under Session 0
Boot Chain. Anomaly Detection
● LSM
Normal process behavior:
● process is running as NT AUTHORITY\SYSTEM
● directory is %systemroot%\system32
● parent process is wininit.exe
● lsm is the terminal state manager on the local host
● lsm.exe has no child processes
● lsm.exe is started under Session 0
Anomalies in process behavior:
● process is running as a non-SYSTEM user
● process directory isn’t %systemroot%\system32
● parent process isn’t wininit.exe
● lsm has a child process
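The boot-chain rules above, applied as a checker over a process listing (the kind of table you read from Process Explorer or a RAM-dump process list). This is an added example, not code from the slides; the process table, PIDs, user names and paths are constructed, and the osa_distance helper is my own addition for the lsass look-alike rule.

```python
# Boot-chain anomaly checks over a process listing, with constructed sample data.
# Each Proc carries what a hunter reads from Process Explorer or a RAM-dump process list.
from collections import namedtuple
from typing import List, Tuple

SYS32 = r"c:\windows\system32"          # paths and users are compared lower-case
SYSTEM_USER = r"nt authority\system"
SERVICE_USERS = {SYSTEM_USER, r"nt authority\local service", r"nt authority\network service"}
Proc = namedtuple("Proc", "pid ppid name path user cmdline session", defaults=("", 0))


def osa_distance(a: str, b: str) -> int:
    """Edit distance where an adjacent swap costs 1: lasss, lssaa and lsas are all within 2 of lsass."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]


def check_boot_chain(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Apply the boot-chain rules from the slides; return (pid, reason) findings."""
    out: List[Tuple[int, str]] = []
    by_pid = {p.pid: p for p in procs}
    names = [p.name.lower() for p in procs]

    def flag(p, why):
        out.append((p.pid, f"{p.name}: {why}"))
    def parent(p):
        return by_pid.get(p.ppid)                    # None once the parent has exited
    def want_parent(p, wanted):
        if parent(p) is None or parent(p).name.lower() != wanted:
            flag(p, f"parent is not {wanted}")
    def want_sys32(p):
        if p.path.lower() != f"{SYS32}\\{p.name.lower()}":
            flag(p, f"image not in system32 ({p.path})")
    def want_user(p, allowed):
        if p.user.lower() not in allowed:
            flag(p, f"running as {p.user}")

    for p in procs:
        n = p.name.lower()
        if n == "system":
            if p.pid != 4:
                flag(p, "PID is not 4")
            if names.count("system") > 1:
                flag(p, "more than one System process")
        elif n == "smss.exe":
            want_parent(p, "system"); want_sys32(p)
        elif n in ("csrss.exe", "wininit.exe", "winlogon.exe"):
            want_user(p, {SYSTEM_USER}); want_sys32(p)
            if parent(p) is not None:                # their smss.exe parent should have exited
                flag(p, f"live parent visible ({parent(p).name})")
        elif n == "services.exe":
            want_user(p, {SYSTEM_USER}); want_sys32(p); want_parent(p, "wininit.exe")
        elif n == "svchost.exe":
            want_user(p, SERVICE_USERS); want_sys32(p); want_parent(p, "services.exe")
            if "-k " not in p.cmdline.lower():
                flag(p, "no -k <group> on the command line")
        elif n in ("lsass.exe", "lsm.exe"):
            want_user(p, {SYSTEM_USER}); want_sys32(p); want_parent(p, "wininit.exe")
            if any(c.ppid == p.pid for c in procs):
                flag(p, "has child processes")
            if p.session != 0:
                flag(p, "not started in Session 0")
            if n == "lsass.exe" and names.count(n) > 1:
                flag(p, "more than one lsass.exe")
        elif osa_distance(n, "lsass.exe") <= 2:
            flag(p, "name is a look-alike of lsass.exe")
    return out


# Constructed sample: a clean Windows 10 boot chain plus two planted anomalies
# (a svchost.exe run from a user's Temp folder and an lsass.exe look-alike).
S = r"NT AUTHORITY\SYSTEM"
SAMPLE = [
    Proc(4, 0, "System", "", S),
    Proc(300, 4, "smss.exe", r"C:\Windows\System32\smss.exe", S),
    Proc(400, 388, "csrss.exe", r"C:\Windows\System32\csrss.exe", S),      # PID 388 (smss) exited
    Proc(480, 388, "wininit.exe", r"C:\Windows\System32\wininit.exe", S),
    Proc(560, 480, "services.exe", r"C:\Windows\System32\services.exe", S),
    Proc(580, 480, "lsass.exe", r"C:\Windows\System32\lsass.exe", S),
    Proc(700, 560, "svchost.exe", r"C:\Windows\System32\svchost.exe",
         r"NT AUTHORITY\NETWORK SERVICE", r"C:\Windows\System32\svchost.exe -k NetworkService"),
    Proc(1500, 560, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
         r"LAB\bob", "svchost.exe", 1),
    Proc(1600, 1500, "lsas.exe", r"C:\Users\bob\AppData\Local\Temp\lsas.exe", r"LAB\bob", "", 1),
]

if __name__ == "__main__":
    for pid, why in check_boot_chain(SAMPLE):
        print(f"PID {pid:>5}  {why}")
```

A parent that cannot be resolved is treated as "already exited", which is the normal state for csrss, wininit and winlogon on a live system; a live parent for those three is what the slides call out as the anomaly.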
Threat Hunting
> Don’t block a detected threat right away: first you need to learn it
Threat Hunting. SysInternals
1. obtain the Boot Chain
[ with tools such as SysInternals or
Digital Forensics RAM dump
analysis techniques ]
● check the Boot Chain for anomalies
in process behavior
● get the suspicious processes
2. gather more detailed information
about the suspicious processes
○ start directory
○ command line
○ parent process
○ which user it was started as
○ network activities
[ tools: ]
○ procexp/procexp64
○ listdlls/listdlls64
○ pipelist/pipelist64
○ strings/strings64
○ netstat -anb / TCPview
Threat Hunting. SysInternals
3. check the gathered suspicious markers
for malicious activity
[ you can use public sandboxes
that present a detailed dynamic
analysis, for example: reverse.it ]
● obtain Indicators of Compromise and
the malware’s behavior
● Example:
Reverse.it vs VirusTotal
Fileless Malware Hunting
[ Digital Forensics Techniques ]
Hunting with DF
1. RAM dump acquisition ( tool: DumpIt.exe )
2. RAM dump hash check ( tool: certutil )
3. RAM dump analysis & anomaly detection
4. obtain IOCs and confirm them with file-system artifacts
5. Reporting
Threat Hunting. DF techniques. IOCs example
RECOMMENDATIONS
