Memory Forensics with Vshot and Remnux (process objects, network artifacts and attacker activity, 3)

This is the third post on memory analysis, and I will quickly go through the following plugins from the Vshot script:

  • dlllist
  • getsids
  • svcscan
  • consoles
  • shimcache
  • userassist
  • cmdscan
  • connections
  • connscan
  • netscan

If at this point you have found a suspicious process you can dig deeper into it by analyzing its objects. It is recommended that by now you have a list of potentially suspicious processes that you can analyze in more detail. You can also simply skim through all the processes in memory and analyze their objects one by one to spot anomalies, but this will be a time-consuming process.

The plugin that lists all the DLLs in a process is dlllist; it also provides the path and command line used to start the process. Let's have a quick look at its output.

[Image: dlllist output]

This sample is taken from a system infected with Stuxnet; the process services.exe was injected with a suspicious DLL. In many cases the plugin output is not that straightforward, and analyzing the name and functionality of the DLLs loaded by the process can uncover inconsistencies and malicious behaviour.

Another example of dlllist output:

[Image: dlllist output, second example]

In this example we can clearly see that one entry in the process's DLL list has no path, which is a sign of an unlinked DLL, i.e. process injection.
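As an added example (not code from the post or from the Vshot script), here is a small triage script for dlllist text output: it parses the per-process sections and flags rows whose Path column is empty, the unlinked-DLL sign described above, or whose path lies outside the directories in EXPECTED_DIRS. The sample output, the process names and the directory whitelist are constructed assumptions.

```python
import re

# Constructed sample of Volatility 2 dlllist output (not from the post).
DLLLIST_SAMPLE = r"""
************************************************************************
services.exe pid:    668
Command line : C:\WINDOWS\system32\services.exe
Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x01000000            0x1d000             0xffff C:\WINDOWS\system32\services.exe
0x7c900000            0xb2000             0xffff C:\WINDOWS\system32\ntdll.dll
0x00a20000             0x2000                0x1
0x10000000            0x4c000                0x1 C:\Documents and Settings\Jgarcia\Local Settings\Temp\xlib.dll
************************************************************************
lsass.exe pid:    680
Command line : C:\WINDOWS\system32\lsass.exe
Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x01000000             0x6000             0xffff C:\WINDOWS\system32\lsass.exe
"""

HEADER_RE = re.compile(r"^(?P<proc>\S+) pid:\s+(?P<pid>\d+)$")
ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s*(.*)$", re.I)
# Directories a module in a core Windows process is expected to load from (assumption; tune per environment).
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_dlllist(text):
    """Return {(process, pid): [(base, path), ...]} from dlllist text output."""
    modules, current = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line.rstrip())
        if h:                                   # start of a new per-process section
            current = (h["proc"], int(h["pid"]))
            modules[current] = []
            continue
        r = ROW_RE.match(line.rstrip())
        if r and current is not None:           # one loaded-module row; path may be empty
            modules[current].append((int(r[1], 16), r[4].strip()))
    return modules

def suspicious_modules(text):
    """Flag rows with no path (unlinked/injected module) or a path outside EXPECTED_DIRS."""
    findings = []
    for (proc, pid), mods in parse_dlllist(text).items():
        for base, path in mods:
            if not path:
                findings.append((proc, pid, hex(base), "no path"))
            elif not path.lower().startswith(EXPECTED_DIRS):
                findings.append((proc, pid, hex(base), "unexpected location: " + path))
    return findings
```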

The next output is for the plugin getsids. This plugin shows the security identifiers (SIDs) of each process, allowing us to investigate the user permissions. Most system processes use well-known system accounts and SIDs to perform their tasks. A system process running with a user SID should automatically be flagged, even if you have not yet pinpointed a suspicious process. This plugin also allows you to identify potentially compromised accounts involved in lateral movement in cases where the intrusion extends beyond the machine being investigated.


Let's see some examples:

[Image: getsids output]

A system process such as svchost.exe running under a user SID is suspicious, and here it indicates that the compromised account is Jgarcia.
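One way to automate the check described above, as an added example that is not part of the post or of Vshot: parse getsids text output and flag core Windows processes whose token user SID is not SYSTEM, Local Service or Network Service. The sample output, the list of core processes and the account names are constructed; the assumption that getsids prints the token's user SID first is marked in the code.

```python
import re
from collections import OrderedDict

# Constructed sample of Volatility 2 getsids output (not from the post).
GETSIDS_SAMPLE = """\
System (4): S-1-5-18 (Local System)
System (4): S-1-5-32-544 (Administrators)
System (4): S-1-1-0 (Everyone)
svchost.exe (876): S-1-5-20 (NT Authority)
svchost.exe (876): S-1-5-32-545 (Users)
svchost.exe (1032): S-1-5-21-1111111111-2222222222-3333333333-1108 (Jgarcia)
svchost.exe (1032): S-1-5-21-1111111111-2222222222-3333333333-513 (Domain Users)
svchost.exe (1032): S-1-1-0 (Everyone)
lsass.exe (680): S-1-5-18 (Local System)
explorer.exe (1500): S-1-5-21-1111111111-2222222222-3333333333-1108 (Jgarcia)
"""

LINE_RE = re.compile(r"^(?P<proc>.+?) \((?P<pid>\d+)\): (?P<sid>S-[\d-]+)(?: \((?P<name>.*)\))?$")

# Core Windows processes that should only run as SYSTEM, Local Service or Network Service (assumed list).
SYSTEM_PROCESSES = {"system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                    "services.exe", "lsass.exe", "svchost.exe", "lsm.exe"}
SERVICE_ACCOUNT_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}   # SYSTEM, Local Service, Network Service

def parse_getsids(text):
    """Return {(process, pid): [(sid, name), ...]} in the order getsids printed them."""
    procs = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            procs.setdefault((m["proc"], int(m["pid"])), []).append((m["sid"], m["name"] or ""))
    return procs

def flag_system_processes_with_user_sids(text):
    """Flag core processes whose token user SID is not a service account.
    Assumption: the first SID getsids prints for a process is the token's user SID;
    the remaining lines are its group SIDs."""
    flagged = []
    for (proc, pid), sids in parse_getsids(text).items():
        user_sid, user_name = sids[0]
        if proc.lower() in SYSTEM_PROCESSES and user_sid not in SERVICE_ACCOUNT_SIDS:
            flagged.append((proc, pid, user_sid, user_name))
    return flagged
```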

The next plugin is svcscan. This plugin is aimed at detecting rogue services on the machine; attackers often create or hijack existing services to gain persistence across a reboot.

Odd services, binary paths and start methods should be scrutinized to detect persistence. This plugin also lets you understand which services are running on the machine and what actions the attacker took, so its output needs to be carefully analyzed.

[Image: svcscan output]

Consoles and Cmdscan are two very useful plugins that provide context to the investigation. These two plugins carve command line history out of csrss.exe (Windows XP) and conhost.exe (Windows 7).

[Image: consoles output]

We can clearly see the command history and the execution of the ipconfig command. In a real-world scenario this lets us understand the actions the attacker carried out on the machine, the commands and additional tools he deployed, and what he is after in the network.

The plugins connections and connscan are aimed at detecting network artifacts; connscan brute-forces the dump looking for these artifacts in memory, as psscan does for processes. From Windows Vista onwards the plugin to use is netscan, which is also included in the scan. Later Windows versions changed the structure of these artifacts in memory, so a new plugin was developed.

Below you can see the output of connscan:

[Image: connscan output]

Sometimes rogue process identification is easier if we start by analyzing network artifacts. The output shows the remote IP address and the PID, pointing at a potentially rogue process.

In many cases we have to understand what is normal and what is not in the environment. Internal IPs can show evidence of the attacker's way into the systems and their footprint in the network; external IPs can clearly provide evidence of non-legitimate connections to external systems.

Below is an example of the netscan plugin; from Windows Vista onwards this plugin covers connections, connscan, sockets and sockscan.

[Image: netscan output]
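The internal-versus-external triage described above, as an added example that is not code from the post or from Vshot: it parses connscan rows (Offset, Local, Remote, Pid) and netscan rows (which lack a State column for UDP), groups remote endpoints by PID and owner, and keeps only those outside RFC 1918, loopback and link-local ranges. The sample rows are constructed and use documentation-range addresses as stand-ins for external hosts.

```python
import ipaddress

# Constructed sample rows of Volatility 2 connscan and netscan output (not from the post).
CONNSCAN_ROW = "0x01b5d6e0 172.16.237.150:1079       203.0.113.25:443          1032"
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d6c9008         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        712      svchost.exe
0x7d7f0ae8         TCPv4    10.0.2.15:49162                198.51.100.7:4444    ESTABLISHED      2880     cmd.exe        2017-02-12 10:21:03 UTC+0000
0x7d81c560         UDPv4    0.0.0.0:5355                   *:*                                   1120     svchost.exe    2017-02-12 09:58:11 UTC+0000
0x7d8a1190         TCPv6    ::1:49500                      ::1:135              ESTABLISHED      712      svchost.exe    2017-02-12 09:58:20 UTC+0000
"""

# RFC 1918, loopback and link-local ranges count as internal; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
PROTOS = {"TCPv4", "TCPv6", "UDPv4", "UDPv6"}

def classify(host):
    """Return 'none' (no peer), 'internal' or 'external' for a remote host string."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                       # '*' or empty: unconnected socket
        return "none"
    if ip.is_unspecified:                    # 0.0.0.0 / :: on listening sockets
        return "none"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def parse_line(line):
    """Parse a connscan or netscan row into (pid, owner, remote_host, remote_port), else None."""
    t = line.split()
    if len(t) < 4 or not t[0].startswith("0x"):
        return None
    if t[1] in PROTOS:                       # netscan row; UDP rows have no State column,
        idx = next((i for i in range(4, len(t)) if t[i].isdigit()), None)   # so locate the PID
        if idx is None:
            return None
        host, _, port = t[3].rpartition(":")  # rpartition keeps IPv6 hosts such as ::1 intact
        return int(t[idx]), (t[idx + 1] if idx + 1 < len(t) else ""), host, port
    if len(t) == 4 and t[3].isdigit():       # connscan row: Offset, Local, Remote, Pid
        host, _, port = t[2].rpartition(":")
        return int(t[3]), "", host, port
    return None

def external_connections(text):
    """Group remote endpoints by (pid, owner), keeping only those that reach external hosts."""
    hits = {}
    for row in filter(None, map(parse_line, text.splitlines())):
        if classify(row[2]) == "external":
            hits.setdefault(row[:2], []).append(row[2] + ":" + row[3])
    return hits
```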

The next two plugins provide insight into the user activity on the machine:

  • Shimcache
  • Userassist

These plugins can be very helpful to determine the exact actions the attacker took on the machine as well as his objectives. Let's have a quick look at their output and how to interpret it.

[Image: shimcache output]

The Shimcache plugin parses memory looking for the shimcache registry keys, which are part of the application compatibility database. I am not getting into the nitty-gritty of this artifact; there is an excellent article written here:

https://t.co/V91h91s7fb

When you are analyzing the output of this plugin, do not rely too much on the timestamps, as they can easily be time-stomped. Instead look at the programs that were executed, their names and their location on disk. Many times this will indicate where on disk that suspicious executable is, why it was executed and for what purpose.

The Userassist plugin also provides insight into the programs that were run by the user. You can find more detailed information in the link below:

https://forensicartifacts.com/2010/07/userassist/

[Image: userassist output]

In the example above we can see that cmd.exe was executed 9 times and the last time was 5/5/2009 at 15:56:24. As you can see, this is a very valuable artifact to understand what happened on the machine you are analyzing.

At this point you should have a pretty clear picture of what you are dealing with on the machine you are investigating. All the plugins used by Vshot are very well chosen and offer a good view to quickly investigate a threat.

In the next and last post I will reference some other plugins used by the script to detect more targeted attacks using code injection and rootkits.
