Phishing IR Approach

Phishing Incident Detection and Response:
Identifying Email and Document Existence using Memory Forensics

Lab Goal

    • Identify Email Subject
    • Identify Document Name
    • Identify Timestamps
    • Identify Sender Name
    • Identify Launched Programs
    • List Available Detection Methods

Employees are the most vulnerable targets in an organization, giving attackers the ability to compromise their targets by preying on human weaknesses such as emotions. For this reason, adversaries plan their assaults intelligently by using phishing attacks.

In this demo, we will cover different approaches to detecting and responding to a phishing incident using a memory forensics tool.

Scenario: What if, out of fear of being sanctioned by the organization, an employee trashed a possible phishing email after he/she clicked and downloaded the potentially suspicious attachment?

Now, as the analyst, we are tasked to perform Incident Response and Digital Forensics on the machine and find useful evidence of the email's existence.

LinuxBrowserHistory

How to Extract Browser History in Linux Systems

Linux tools used in this demo:

    • cat
    • netcat
    • ls

Lab Requirements


In this demo, we will be extracting Firefox browser history.

Scenario: You are tasked to perform live forensics on a Linux-based system to gather its browser history.

Firefox browser history can be found at: ~/.mozilla/firefox/<dir>/places.sqlite

In this step, we run the “cat” command and redirect its output with the “>” operator to save it to disk.

Command: cat ~/.mozilla/firefox/*/places.sqlite > browser_history.txt

In this case, we use “*” so that every profile directory is searched for “places.sqlite” rather than searching each directory manually.

Since we will be using a Windows box to analyze our file, we will use “netcat” on both the Linux and Windows systems to perform the transfer.

To do this, we run the netcat command from our Linux box.

Command: netcat -w 2 <listener_windowsIP> <port> < browser_history.txt

This puts our Linux box into an idle mode, waiting for the netcat listener.

Next, we set up our netcat listener on our Windows machine.

Command: ncat -l 4444 > browser_history.txt

After successful execution, we can confirm our file by opening it in a text editor such as “notepad”.

In this step, we will use bstrings.exe from EZ Tools to do the work for us.

To do this, open a command prompt with Run As Administrator and run the following commands:

    • bstrings.exe -f browser_history.txt -p
    • bstrings.exe -f browser_history.txt --lr url3986 > browser_history_after.txt

Learn and Download bstrings here: https://www.eyehatemalwares.com/incident-response/eztools/bstrings/

Why bstrings? Examining the raw data from our dumped “places.sqlite” file takes a lot of work if we do it manually.

In this step, we can finally compare the raw browser_history.txt with browser_history_after.txt.

In this case, we can see that the strings that do not match the URL regex pattern from bstrings.exe are removed, leaving only strings in URL format.

Browser history can reveal artifacts that help the analyst during an investigation, such as C2 (command-and-control) server addresses. This approach is not limited to the Firefox browser; as analysts, we can leverage the same approach to investigate other browsers’ history.
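As an added example (not part of the original lab and not EZ Tools code), the Python script below recovers the same evidence from places.sqlite in two ways: a structured query that joins moz_historyvisits to moz_places and converts Firefox's PRTime timestamps to UTC, and a raw-bytes URL carve comparable to the bstrings url3986 step for when the database will not open. The sample database, its URLs and visit times are constructed for the demo; the table and column names and the PRTime unit are Firefox's real schema.

```python
import os, re, shutil, sqlite3, tempfile
from datetime import datetime, timezone

# Constructed sample visits (not a real profile): (url, title, PRTime); PRTime = microseconds since Unix epoch, UTC.
SAMPLE_VISITS = [
    ("https://intranet.example.test/login", "Intranet", 1629360000000000),
    ("http://185.244.41.29/ooiwy.pdf", None, 1629360120000000),
]
# URL shape comparable to bstrings' url3986 pattern (RFC 3986 characters), matched on raw bytes.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

def prtime_to_iso(prtime):
    """PRTime microseconds -> ISO 8601 UTC, e.g. 1629360000000000 -> 2021-08-19T08:00:00+00:00."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc).isoformat()

def build_sample_db(path):
    """Create a minimal places.sqlite holding only the columns this script reads (constructed data)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    con.execute("CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER)")
    for pid, (url, title, when) in enumerate(SAMPLE_VISITS, start=1):
        con.execute("INSERT INTO moz_places VALUES (?, ?, ?)", (pid, url, title))
        con.execute("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", (pid, pid, when))
    con.commit()
    con.close()

def query_history(db_path):
    """Return [(utc_iso, url, title)] in visit order. A running Firefox locks places.sqlite, so the
    live file is copied first (copy2 preserves its timestamps) and only the copy is opened."""
    work = db_path + ".copy"
    shutil.copy2(db_path, work)
    con = sqlite3.connect(work)
    rows = con.execute("SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v "
                       "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date").fetchall()
    con.close()
    return [(prtime_to_iso(ts), url, title) for ts, url, title in rows]

def carve_urls(raw):
    """Fallback for a damaged DB: carve URL-shaped strings from raw bytes, as bstrings does. SQLite packs
    record fields back to back, so a URL can run into the title stored after it: treat carves as leads."""
    return sorted({m.group().decode("ascii", "replace") for m in URL_RE.finditer(raw)})

def demo():
    """Build the constructed sample, query it structurally, then carve the same file's raw bytes."""
    db = os.path.join(tempfile.mkdtemp(), "places.sqlite")
    build_sample_db(db)
    with open(db, "rb") as f:
        raw = f.read()
    return query_history(db), carve_urls(raw)
```

Run demo() and compare the two outputs: the structured query yields exact URLs with UTC visit times, while the carve yields URL-shaped fragments that may have adjacent field bytes glued on.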

Persistence AppINIT

Malware Persistence: DLL injection via AppInit_DLLs Registry

Tools Used


Lab Requirements

    • Windows System (x86 or x64)
    • Tools
    • malware.dll (renamed legitimate .dll file)

One of the goals of malware is to achieve persistence inside the compromised system, and one of the techniques implemented by malware authors is to manipulate registry values.

In this demo, we will discuss how malware can persist on the system using the AppInit_DLLs registry key.

Scenario: Your security solution detected that one of your organization’s endpoints is reaching a non-whitelisted domain/IP. The initial investigation revealed that the user had failed to report that she clicked and downloaded an email attachment a few days earlier.

CLI Packet Analysis

How to Perform CLI-Based Packet Analysis

Linux commands used in this demo:


Lab Requirements



In this demo, we will cover how to analyze a packet sample using tshark.

Scenario: You are tasked to examine the network log of an endpoint that may have fallen victim to a phishing attack.

To do this, run the tshark command below.

tshark -t ad -r 2021-08-19-traffic-analysis-exercise.pcap -Y 'http.user_agent contains "curl" and http.request.method == "GET"'

In this case, our command returns all GET requests from our .pcap file, and we now have interesting output, such as this network communication: 10.8.19.101 -> 185.244.41.29 HTTP 140 GET /ooiwy.pdf HTTP/1.1

#tip: filtering on “curl” is useful for identifying XSS

See Image #1 below for reference.