SOC Analyst Skills - 4 "Must Have" Tools for Triaging and Analyzing Malware

Video Statistics and Information

Reddit Comments

These are really tools to quickly assess an issue, IOCs, visibility. I don't cover SIEM because they are all involved, difficult to simulate in a lab-type format for tutorial, and not as fast as these tools.

In the spirit of reddit and wanting to share, not force click through, the tools that I demonstrate and give pros/cons for are:

  1. any.run
  2. virustotal
  3. oledump
  4. pdf-parser

Have a great week. Hope you are well.

๐Ÿ‘๏ธŽ︎ 2 ๐Ÿ‘ค๏ธŽ︎ u/HeyGuyGuyGuy ๐Ÿ“…๏ธŽ︎ Jun 15 2020 ๐Ÿ—ซ︎ replies

That's a nice introduction to basic analysis work. My only advice is that relying completely on automated tools won't benefit you much as an analyst/researcher.

When we hire people for advanced hunting or blue/red team services, we don't look for a candidate that knows anyrun; we want a candidate that understands and thinks about malware, operating systems, software, networking, that really understands the techniques and concepts adversaries use.

Having some PT experience can be very valuable as well.

๐Ÿ‘๏ธŽ︎ 1 ๐Ÿ‘ค๏ธŽ︎ u/Cyber-Ray ๐Ÿ“…๏ธŽ︎ Jun 15 2020 ๐Ÿ—ซ︎ replies
Captions
In this week's episode I'm going to show you some quick and super effective tips on how you can do basic triage analysis to determine if something is turning into a malicious incident, or some type of malicious incident, specifically around phishing emails and malicious attachments and executables that you might find on your network. Coming up.

Hey everybody, welcome to the show. Now, it's not uncommon for end users to forward you phishing emails and say, "I don't know if this is legit or not," and you've got to do the analysis. Sometimes it's quite obvious that it's a phish, but sometimes it's not. Sometimes there's an attachment and you have to analyze it, or a dropper drops a file on a system, and maybe you don't have advanced endpoint detection and response tools that can do the analysis for you, and you have to do some quick triage to understand if this is malicious or not, and if it is, what kind of malicious. Maybe you could pull out some indicators of compromise and begin quickly responding. Now, there are some tools and techniques that are super common within the industry, and if you just don't know about them, that's why I want to tell you about them, because everybody uses them and you really should know about them.

Now, really quick, I do want to take a minute here and thank you for returning if you're a regular subscriber to the channel. I've really enjoyed this journey with you. If you're new here, just allow me to introduce myself: my name is Gerald Auger and this is Simply Cyber, a YouTube channel designed for helping cyber security professionals take their career further, faster. If you like what you're hearing, hit the subscribe button, bell for notifications, drop a comment, maybe a like. You know the deal on YouTube. Anyways, I'm going to hop behind the computer and we're going to kind of walk through use cases of using these tools, how to properly use the tools and gather information out of them, and I guarantee you, when you're done watching this video, you're going to start using these tools, if you're not already, as soon as you get to work. All right, let's go.

So the very first tool that I want to share with you is awesome, and I feel like it's relatively new, but it's called any.run. You can see it's a website, any.run, but it is basically an interactive malware detonation web-based solution. Effectively it builds up a VM and you can either access a URL, you can double-click on an executable, you can run macros, whatever you want. You can basically destroy the VM that they build you and infect it three ways from Sunday, and there's no risk to you. You don't have to run malware on your own system or in your own little VM farm or whatever. It's awesome, so I want you to be aware of this.

Now, I will tell you that it's completely free, which is awesome, but what that costs is that anything that you analyze in any.run becomes public space. So if you have a sensitive document, or you have anything that's internal or sensitive or intellectual property or anything like that for your company or for a client, you cannot, or you can, but I would advise strongly against, running it on the free version of this, because it's going to get out. So just be aware of that. But I want to show you how awesome this solution is.

So let's hunt that, you click right through it. I do have a free account I've already established; I've probably logged in, which doesn't matter really, because you're still going to see how it works. They've got little change logs, things; they have APIs if you want to hook into that. These are the most recent ones, as I just mentioned, this is like free, people who are using the free version, but you can see that they've got kind of categories, so based on who's using it, what the kind of heat map is of things that any.run is seeing.

So I do want to show you basically how it looks, how it works. You just hit New Task, you pick the VM you want: Windows 7, 8, Windows 10, whatever, 32 or 62 bit. We'll use a Windows 7. But you can either put in a URL of a site that might be suspicious or you're unsure of, right? So an end user gets a phishing email, there's a link in it, maybe they clicked on it, whatever, however suspicious URLs come in. Or you get a file: there's a dropper you find, or a thumb drive or something, or someone sends an email with an attachment and people aren't sure if they should run it because they don't recognize the sender. Whatever your situation is, this is where you drop it.

So just for the sake of discussion, we're going to pick a URL. I'm going to go to URLhaus just to get one; this is a great little resource. OK, so I want an executable. Here we go. These are all offline right now, see, so that's not really a good example. OK, online. OK, here we go, so online, and it installs a remote access trojan. So let's copy that, go back to our any.run. So a user got this in an email, or you saw it in your SIEM, or whatever, right? So let's see what it does. Now you can sit back, it builds your VM, it looks completely legit to the malware, and wait. Do you see how powerful this is? This is so cool, and such an unbelievably free resource.

So here we go, here's our VM. Let me make my little screen smaller. You can see it shows you the process tree of it executing and as it spawns new processes. You can also see, this is great, network connections it makes or DNS requests it makes. Look at this: so this malware launched a Windows service, it's got some awareness that njRAT was detected. It gives you this great data and information. It shows you the connections that went to this IP address, so now you could throw this IP into your SIEM, or I guess if your firewall was pushing logs to your SIEM you could look there too, but the point is you could see if other people in your organization had accessed this IP and pulled stuff down, if you had an infection or an incident going on, just to kind of manage the exposure of the instance.

So it takes one minute: we've run it, we've confirmed that it's malware, we know exactly what to look for, we've got the indicators of compromise here, including hashes that we can look for. We got the MD5, obviously, the IP connection as I mentioned; you can easily put it to your clipboard. Now check this out, this is awesome. So let's just say that you had this malware on your network, an end user got compromised, whatever, and you've got to report it. any.run runs this awesome report that shows you all the key information that you would want: a little bit of detail on what njRAT is, when you ran it, the behavior of the malware itself and what happened, file details. There are probably screenshots; yeah, there we go, look at it. It's got the process of what happened, so tj.exe then ran windowsservices.exe. This is so great. Look at the registry keys that were involved. So good. So this is just a great resource. That was probably like two or three minutes and I've got a full report and analysis on what this malware did. You can't beat that for free.

OK, so that's the first one, and probably easily the best one, but you don't always have the time to do this, or you're just looking for a quick little lookup. The next one I want to share with you is VirusTotal. Now VirusTotal is a classic, seminal tool of any SecOps analyst, really of any cyber security professional in general. Very unassuming website: you can either drag and drop a file right up in here, or choose it, whatever, or you can put in a URL. So again, it's just like any.run, where you have a random file that you want to analyze, or you have a URL that you're not sure about. Again, I want to point out that this will become public record, so you can't really put sensitive information up there. But again, let's just use that URLhaus tj.exe one we used, and we'll throw it into VirusTotal and see. So this takes all of a second and it gives you a sense of: is this malicious or is this not malicious, quickly, because in reality you're triaging and you're just trying to understand what the situation is and what's the level of severity that you need to think about. So VirusTotal quickly, you know, not all engines detected it as malicious, but some did, and that would be an indicator that there's an issue. It gives you a little bit of an issue that downloaded a Windows executable, PE file format; it gives you the URL. Well, I guess that IP address actually was in the submission itself, but you get the point. VirusTotal is super fast, super easy. It's pretty much like a go-to first stop if you're just trying to weigh how much this thing is, like, is this a big deal or is this a small deal.

I also want to point out they've done a lot of great stuff. I haven't played too much with whatever Intelligence and Hunting is, but VirusTotal has an API that you can hook into, so if you want to build some tools yourself, Python tools if you're into Python, the API key is free. You can't hammer the system, and I think that they do that to manage, not to be DoS'd, but really so you can't abuse it from like a commercial perspective. But anyways, great tool, look into it. I feel like you could start off with just the beginning, the files and the URLs, and then if you really wanted to get fancy and spruce it up or whatever, you could use the APIs and stuff.

OK, so the next tool I want to show you. Those two tools are excellent and great, but it kind of makes whatever you're analyzing public knowledge, so sometimes you need to do kind of in-house static analysis. So one really great tool, if you're dealing with an Office attachment, Microsoft Office attachment, usually Excel or Word, where they're going to embed macros to do malicious stuff: oledump is just an excellent, excellent tool for doing that. It's Didier Stevens', and I'll include the link in the show notes below, but oledump is super effective and super awesome.

So I went to my buddy Josh Stroschein's GitHub page, where he actually hosts a ton of malware. It's all hashed, and it's not really protected with a password or anything like that, but just if you do go here, be cautious obviously. As a disclaimer, whenever you're messing with malware, if you aren't careful you can totally compromise yourself, which would be really, really bad, or you can blow up your VM, which is cool because that's kind of what it's designed for. But just if you're doing dynamic analysis on malware, please be careful, obviously.

So we're going to look at this Agent Tesla Excel document that Josh has captured and done some analysis on. He's provided some information here; you can see these are actually screenshots from, I'm pretty sure, any.run, as we already saw, so it looks like Josh uses that too, which is cool. Anyways, I've got my little Kali box with oledump on it. This is the Kali box that we built in a previous episode up in AWS. I've been loving using this Kali box. It's kind of funny because it's an attack platform and I use it for forensics and defensive measures and stuff like that. But anyways, let's use oledump here so you can see how it works.

OK, so we're running oledump on the Agent Tesla, what's the file name, zero two f. OK, so it's really not uncommon, actually that doesn't correspond with what I was thinking, so yeah, it's really not uncommon to use the hash for the file name of malware, although I find it confusing because the hash of this and the hash of this are the same, so I'm not sure what Josh was using for the hash, either this executable or this Excel file, probably the executable because he uses .bin. But anyways, it doesn't matter.

So we're going to run oledump, and what oledump does is it looks at the structure of the Excel file, in this case, and it pulls out all the different elements of it. Now you can see these capital Ms indicate macro, so there are our two macros. Now, not to say macros are not OK to have, but you already thought it might be malware. So you can use -s, which is stream, and then these are the stream indexes, so stream 4, and -v, which decompresses it, makes it something useful to read. OK, so stream 4: there's this Workbook_Open, which is basically a function call, so when they open the Excel document, run this function, which is this obfuscated garbage right here, which likely points to the other macro, knowing that this is malware. So let's look at stream 5, see what's in there. OK, so right off the top, we're not going to analyze this as part of this video, but obfuscation is classic malware author behavior, so they don't want you to really know what they're doing. From a SOC analyst triage perspective, I don't know what this does, but I know it's malware. So if the end user hadn't clicked on it or anything like that, and we were just analyzing it: definitely malware, definitely, definitely, definitely. Now you can go ahead, if they did run it or whatever, and you could do analysis on this in order to better understand what exactly happened. What I would do, since this is malware at this point, I would just probably feed this up into any.run. It makes the malware analysis window of time so short, rather than having to screw around with de-obfuscating this and fussing around. It's definitely cool, it's definitely malware, and it's a good tool, but at this point we know that this isn't sensitive information, we know that this isn't intellectual property, we know that this is malware, so let's see what it does, right? So that's oledump, and a great tool.

Now the final tool that I want to share with you. Again, attachments are kind of not the most prevalent vehicle for delivering malware nowadays, but certainly still up there as a popular method, so it's either Office docs or it's PDFs. I wanted to share one other tool with you called pdf-parser. Let's see. Yeah, so I downloaded a malicious PDF from, well, it's actually a zip one here, but from MalwareBazaar. So again, the tricky thing with doing malware analysis and practicing and stuff is that there's no like EICAR vulnerability malware, like defanged malware. In order to really work with malware, you have to work with malware, which means you expose yourself to some risk, right? But if you take the precautions and you're careful about it, you're not just reckless, you should be fine, right? So MalwareBazaar is an awesome resource for going and getting malware, so if you actually wanted to study a particular type of malware or whatever, that's what you can do. I've gone ahead and already filtered on Agent Tesla, because I knew we were going to be looking at it, and I pulled down one that I think, I looked for PDF, right, yeah, so PDF. I think this is the one I picked, fd73, right, fd73, yeah, so this is the one I picked. But you get the point. The point is I downloaded a malicious PDF.

So the tool that I wanted to show you is pdf-parser, and this is, I also think, a Didier Stevens tool, which is pretty cool. You basically just run it and it runs across the different kind of objects or streams within the PDF, and there's some interesting, I'll link to this Lenny Zeltser site, the Analyzing Malicious Documents cheat sheet, and there's a whole PDF version of this document so you can print it out and/or save it. But it's kind of cool, right: risky PDF formats, OpenAction, AA, whatever. So these are the tools; I bet your pdf-parser's in here somewhere, oh, there it is, right there. So anyways, you get the point. So you can look for these things, and knowing that this is malware I'm just going to go ahead and find where it is. But by running pdf-parser you can quickly look inside from a static perspective and really limit the amount of risk that you're taking on.

OK, so here's an indicator right here, right? So there's a uniform resource identifier, anyways, where it's a tumblr.com resource basically that redirects to some prankworkpk.com and passes it whatever, an argument across the URL request, including this, which is probably designating some malware or something like that.

All right, hopefully maybe some of those tools you already knew, some of those tools you didn't know and now you do, some of them you did and you didn't know the functionality fully. So I hope you got some value out of this. Let me know in the comments below if there are go-to tools that you're using all the time for doing similar types of triage analysis and indicator of compromise identification. Put it in the comments, because maybe there are tools that I don't know about that you do that I would like to add to my r. So, in addition to doing YouTube videos, I am a fully corporate cyber security professional who's doing this daily, so if there are tools out there, I want to know about them just as much as you do. So until next week, thank you and stay secure.
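The pdf-parser step above comes down to looking inside each PDF object for the risky keywords on the cheat sheet (OpenAction, AA, URI and friends). As an added example, not code from the video or from Didier Stevens' tool, here is that static keyword triage in Python over a constructed sample PDF: it resolves hex-escaped names, inflates a FlateDecode stream whose /Length is given directly, and reports which objects carry a risky keyword or a URI action. The sample file, its placeholder URL and the keyword subset are all constructed for this example.

```python
import re
import zlib

# Subset of the keywords the Analyzing Malicious Documents cheat sheet flags as risky
RISKY_KEYWORDS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
                  b"/URI", b"/EmbeddedFile", b"/ObjStm", b"/RichMedia"]

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names (/Open#41ction -> /OpenAction), a common
    trick for hiding keywords from grep-style triage."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_stream(body: bytes) -> bytes:
    """Append the inflated content of a FlateDecode stream (direct /Length only;
    indirect lengths are not resolved) so keywords inside compressed streams show."""
    m = re.search(rb"/Length\s+(\d+).*?stream\r?\n", body, re.S)
    if not m:
        return body
    raw = body[m.end():m.end() + int(m.group(1))]
    try:
        return body + b"\n" + zlib.decompress(raw)
    except zlib.error:
        return body  # not zlib data, or corrupted: leave it for deeper analysis

def split_objects(data: bytes):
    """Yield (object number, body) for every 'N G obj ... endobj' in the file."""
    for m in re.finditer(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", data, re.S):
        yield int(m.group(1)), m.group(3)

def triage_pdf(data: bytes) -> dict:
    """Map object number -> {"keywords": [...], "uris": [...]} for each object
    carrying a risky keyword or URI action; an empty dict means nothing flagged."""
    findings = {}
    for num, body in split_objects(data):
        body = normalize_names(inflate_stream(body))
        hits = [k.decode() for k in RISKY_KEYWORDS
                if re.search(re.escape(k) + rb"(?![A-Za-z])", body)]
        uris = [u.decode(errors="replace")
                for u in re.findall(rb"/URI\s*\((.*?)\)", body)]
        if hits or uris:
            findings[num] = {"keywords": hits, "uris": uris}
    return findings

def build_sample_pdf() -> bytes:
    """Constructed sample, not the file from the video: a hex-escaped OpenAction
    pointing at a URI action, a page with /AA, and a compressed JavaScript action."""
    hidden = zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
    parts = [
        b"%PDF-1.4",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >>\nendobj",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >>\nendobj",
        b"4 0 obj\n<< /S /URI /URI (http://example.invalid/r?id=PLACEHOLDER) >>\nendobj",
        b"5 0 obj\n<< /Length " + str(len(hidden)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + hidden + b"\nendstream\nendobj",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF",
    ]
    return b"\n".join(parts)
```

Calling `triage_pdf(build_sample_pdf())` flags objects 1, 3, 4 and 5 and leaves the harmless Pages object alone; on a real file, read its bytes and pass them in the same way.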
Info
Channel: Gerald Auger - Simply Cyber
Views: 11,973
Rating: 4.9803281 out of 5
Keywords: cybersecurity, cyber security, ciso, cyber for beginners, blue team, security operations, entry level cybersecurity, simplycyber, simply cyber, cybersecurity careers, careers in cybersecurity, malware, malware research, soc training, virustotal, any.run, oledump, tutorial, how-to, SOC Analyst, soc analyst training, cybersecurity tools, malware analysis, cybersecurity for beginners, security analyst, cyber security training for beginners, soc analyst career, soc analyst basics
Id: x0mGxucyZmk
Length: 20min 27sec (1227 seconds)
Published: Mon Jun 15 2020