
Software analysis tools for threat hunting

If you are not interested in Wireshark, procmon, and Windows Sysinternals, you are probably in the wrong place.

Malware analysis lets analysts see what actions a sample took, and lets us use those actions to build a profile for detecting and blocking further infections and finding related ones. We run malware in the lab to determine how it behaves, we give it different inputs to observe changes in behavior, we run it through a debugger to disable its security measures and examine the capabilities it may have, and with adversarial analysis we might even use a disassembler to get a more complete picture of the paths the malware could take. Using these tools and techniques, malware analysts build a list of indicators that can be used to detect and block the malware under examination, build information about who might be targeting their network, and even learn what the malware might be collecting. I will focus on behavioral analysis and give some examples of threat hunting and what this technique can do.

1. Behavioral Analysis of Malware

Behavioral analysis is the step of running malware under controlled conditions where you can observe the actions it takes. By running the malware in a completely isolated environment, we can see what it does when it cannot communicate. With behavioral analysis you work step by step. When it is fully isolated, does it try to scan the network? If so, give it one and see what happens. Does it start looking for something after that? Give it to it. The main goal of this type of analysis is to see what the malware does as a step-by-step process, letting you map its different actions and get a better overall view before you start inspecting it in a debugger or through disassembly. I would say this is one of the more interesting parts of the analysis.

2. Basic laboratory environment for malware analysis

Your basic laboratory environment should include:

VMware/VirtualBox configuration of the following machines:

Windows with Wireshark, Process Monitor and ProcDOT installed.

REMnux (comes with everything you need pre-installed)

Make sure your virtual machines are set up on a host-only network, and set a static IP address on the Windows machine so that the REMnux box acts as its default gateway. This ensures that the first hop will be REMnux and allows the traffic control we want.

3. Malware Analysis Tools

There are several tools you will want to use to collect the most information:

Wireshark: This tool is used to collect network traffic on a given interface. Its options let you view pages and traffic, and it will even allow you to recreate and save files transmitted while the packet capture was running.

Process Monitor (procmon): This Windows Sysinternals tool records the file system, registry, process and network activity of every process on the machine, and its results can be saved as a CSV for ProcDOT.

ProcDOT: This tool takes a CSV exported from Process Monitor and can show you the work done by a specific process as a flowchart. This makes it easier to explain what happened, and in what order.

FakeDNS: This tool is a script included in REMnux that responds to all DNS requests with its own information and outputs the requested domain to the terminal. This is useful for determining what domain is being requested by each computer connected to it.

accept-all-ips: This tool is also a script included in REMnux. It redirects all IP traffic to the REMnux host. Very dangerous if enabled in a live environment, but useful for forcing traffic to the analysis machine.

INetSim: This is a software suite that simulates many common Internet services/protocols. It can even serve harmless executable files to malware samples if needed.

4. Running malware through behavioral analysis

When you run malware, make sure to start procmon and Wireshark on the Windows host before you start the malware. This ensures you catch all of the malware's activity. Once you are done with the malware, save the procmon results and open them in ProcDOT. This will give you a good idea of what the malware is doing. Make sure to check Wireshark for any unknown traffic. Once you can see it is doing nothing further, reset your Windows machine and start over. Yes, the reset is repeated with every run, but you always want to start from a clean environment. Once you've determined what the malware is looking for, set up your REMnux system or clean environment to give it what it wants. You really want to repeat this until you can't figure out what it needs, or it stops asking for new things.

At this point you should have a good list of IP addresses, domain names, files, etc. that the malware is looking for or has contacted.
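As an added example (not code from the original article), this script pulls candidate indicators out of a Process Monitor CSV export, the same data ProcDOT consumes: files the sample wrote, registry values it set, and remote endpoints it contacted. It assumes Procmon's default export columns and uses a constructed capture for a hypothetical sample.exe.

```python
"""Pull candidate indicators out of a Process Monitor CSV export.

Added example, not from the original article. Assumes Procmon's default
export columns (Time of Day, Process Name, PID, Operation, Path, Result,
Detail); the capture below is constructed for a hypothetical sample.exe.
"""
import csv
import io
from collections import defaultdict

# Constructed Procmon export (not a real capture); paths and hosts are made up.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\upd.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","sample.exe","1234","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\upd.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.3","sample.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ"
"10:01:02.4","sample.exe","1234","TCP Connect","lab-win:49712 -> 10.0.0.2:8080","SUCCESS","Length: 0"
"10:01:02.5","sample.exe","1234","UDP Send","lab-win:53210 -> 10.0.0.2:53","SUCCESS","Length: 41"
"10:01:02.6","sample.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory"
"10:01:02.7","explorer.exe","900","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0, Length: 512"
"""

# Procmon operations whose Path column reads "src:port -> dst:port".
NETWORK_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def extract_indicators(csv_text, process_name):
    """Return {category: sorted values} for one process: what it wrote,
    what it persisted in the registry, and which remote endpoints it hit."""
    found = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # only the sample's own activity, not background noise
        op, path = row["Operation"], row["Path"]
        if op == "WriteFile":
            found["files_written"].add(path)
        elif op == "RegSetValue":
            found["registry_values_set"].add(path)
        elif op in NETWORK_OPS:
            # Keep only the remote side; the local port is lab noise.
            found["remote_endpoints"].add(path.split(" -> ", 1)[-1])
    return {category: sorted(values) for category, values in found.items()}


if __name__ == "__main__":
    for category, values in extract_indicators(SAMPLE_CSV, "sample.exe").items():
        print(category, values)
```

The same function works on a real export once the sample's process name is known; reads of system DLLs are deliberately ignored because they are not indicators.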

Make sure your systems are tuned to alert on the indicators you discovered. You don't want to end up with a similar infection because you forgot to look for the information you just found. There are other types of analysis for the malware samples you have, but for now let’s focus on the next step and see where our list of indicators can help us.

5. Let’s use malware analysis to find threats

Once you determine what the malware is looking for, you have a good place to start looking for other threats. Look for other places on your network that might have a similar build (even if that happens to be all your workstations) and search them. Similar activity can also be used to uncover threats, either by querying logs directly or by examining system logs through a SIEM. If you notice that the malware uses a non-standard user agent when establishing a network connection, looking through your proxy logs for that agent and similar agents can be a good way to find related threats. The same goes for ports and domain names. Most of the time, if a tool works, users stick with it, and the same goes for malicious actors who deploy malware. Take WordPress as an example (not that it is the most secure platform): when a site is compromised there is usually a file added to an include folder, and the malware may point directly at that file. It is then a good idea to check for similar paths in the domains for which the firewall and proxy are showing traffic. This can often reveal different threats in your environment. Be thorough in this type of search. Just because you've blocked the indicators and activity and set up alerts now doesn't mean another system wasn't affected before those checks and blocks were in place.
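As an added example (not from the original article), this script runs the hunt described above over constructed proxy log lines: it flags clients that used the malware's user agent, contacted its domain, or requested a similar include-folder path. The log format, the indicator values and the hosts are all made up for illustration.

```python
"""Hunt proxy logs for indicators recovered from behavioral analysis.

Added example, not from the original article. The log format, the
indicator values and the hosts are constructed for illustration; real
proxy formats and indicators will differ.
"""
import re
import shlex
from collections import defaultdict
from urllib.parse import urlparse

# Indicators assumed to come from the lab run (constructed, hypothetical).
INDICATORS = {
    "user_agents": {"Mozilla/4.0 (compatible; Updater 1.0)"},
    "domains": {"cdn-example.test"},
    # "Similar paths": any .php dropped under a WordPress include/upload folder.
    "path_patterns": [re.compile(r"/wp-(?:includes|content/uploads)/.*\.php$")],
}

# Constructed proxy log: time client method url status "user-agent".
PROXY_LOG = """\
2024-05-01T10:02:11Z 10.1.1.20 GET http://cdn-example.test/wp-content/uploads/inc/upd.php 200 "Mozilla/4.0 (compatible; Updater 1.0)"
2024-05-01T10:02:40Z 10.1.1.31 GET http://other-site.test/wp-includes/js/sync.php 200 "Mozilla/4.0 (compatible; Updater 1.0)"
2024-05-01T10:03:02Z 10.1.1.45 GET http://news.example.test/index.html 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
2024-05-01T10:03:19Z 10.1.1.52 POST http://blog.example.test/wp-includes/css/load.php 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
"""


def hunt(log_text, indicators):
    """Return {client_ip: sorted reasons} for every client matching an indicator."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = shlex.split(line)  # honours the quoted user-agent field
        if len(fields) != 6:
            continue  # skip malformed lines rather than abort the hunt
        client, url, agent = fields[1], fields[3], fields[5]
        parsed = urlparse(url)
        if agent in indicators["user_agents"]:
            hits[client].add("known user-agent")
        if parsed.hostname in indicators["domains"]:
            hits[client].add("known domain")
        if any(p.search(parsed.path) for p in indicators["path_patterns"]):
            hits[client].add("suspicious include path")
    return {ip: sorted(reasons) for ip, reasons in hits.items()}


if __name__ == "__main__":
    for ip, reasons in hunt(PROXY_LOG, INDICATORS).items():
        print(ip, ", ".join(reasons))
```

Note that 10.1.1.31 and 10.1.1.52 never touched the known domain; they surface only through the user-agent and path checks, which is the point of hunting on behavior rather than on a single indicator.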

Make sure you have access to the logs of the computer where the malware was found; information about its network traffic would be even better. Using these and what you know about the malware after reverse engineering it, you should be able to determine whether the malware allowed other malicious activity into the network. If so, the logs and network flows should give you some clues as to what else was let in, and whether your computer was used for any lateral movement.

Malware analysis and threat hunting are two concepts and techniques used to keep our networks secure. When we tie them together, we can more effectively determine the scope of a threat. Behavioral analysis is just one step in the malware analysis process, and other types of malware analysis and reverse engineering can help further, providing information not available through behavioral analysis that you can use to search for more threats.