Comments on c-APT-ure: Using Redline for Live Response - Part 1

Anonymous, 2014-08-05 02:36 (-07:00):

Please do a follow-up on this article on how to run the Redline collector remotely. I have tried and had issues with running it from a mapped network drive, so it would be very interesting to see how you go about it. Best regards, Jan.

TomU, 2014-08-06 13:32 (-07:00):

Hi Jan, thanks for the feedback, glad to hear there is some interest in this. I'll try to work on the follow-up post(s) as soon as I find some time. Maybe I'll publish some drafts while writing it and solicit some feedback.
Cheers, Tom

H. Carvey, 2014-08-25 06:01 (-07:00):

I'm not familiar with RedLine, but it would seem from your post that it's RedLine that "knows about" different artifacts.

I think that an example of this is the fact that while this post shows an infection via an exploit kit, there's nothing that seems to point out the value of the Java deployment cache index (*.idx) files, and their contents. It would seem that this isn't something programmed into RedLine, and therefore seems to be missed.

TomU, 2014-08-25 08:14 (-07:00):

Harlan,
thanks for your comments.

"I'm not familiar with RedLine..." --> that's why I'm writing some blog posts about Redline to show its usefulness to DFIR practitioners. Besides traditional memory forensics, it's also very useful for doing Live Response / triage and incident detection.

Redline is featured on the SANS DFIR Fall 2012 poster ("Finding Unknown Malware") and in the SANS FOR508 course for memory analysis (as an alternative to Volatility). How to use it for Live Response is not covered (or has it changed since last year?).

To investigate IDX files I would write an IOC:
- list files with path "C:\Users\***\AppData\LocalLow\Sun\Java\Deployment\cache\" of type (extension) IDX
- search these files for the strings "http" or "." (or anything else you want to see)

I need to test / check whether this returns all strings within the IDX files or not. To acquire the full file you would need to use another tool (e.g. Mandiant's commercial MIR tool allows this, and some cheaper or free tools likely do too, e.g. FGET et al.).

Doing a collection of the filesystem with strings of files can take a long time and create huge XML files (well, still small compared to a disk image). Restricting the files with strings to a narrow path should help keep the performance better.

I will try to incorporate this into one of my next blog posts.

Cheers,
Tom

H. Carvey, 2014-08-25 09:45 (-07:00):

Tom,

Thanks for the reply.

> To investigate IDX files I would write an IOC:

Can you write an IOC to parse binary data?

My admittedly extremely limited experience with IOCs, through the forensicartifacts.com web site, as well as other experiences, has shown the use of the schema to be somewhat limited. I remember asking an IOC author once why they hadn't included the malware persistence mechanism in the IOC, and the response was that the value name was randomly generated. However, the value _data_ was consistent, in that the path started with "C:\ProgramData", or something similar.

Again, I'm not suggesting that the IOC schema is limited, because I don't know. I'm saying that the way I've seen the schema used, for writing IOCs in real world environments, has been somewhat limited.

TomU, 2014-08-25 15:37 (-07:00):

Harlan,

thanks for the challenge :-) (see my tweets: https://twitter.com/c_APT_ure/status/504030994085978113 )

I only need to "tell" the IOC which ones of about 600 different artifacts I'm looking for. The parsing of those ~600 artifacts is implemented in the Redline Collector package (mAgent -- similar to the commercial MIR agent).

The IOC schema certainly has some limitations, but you can still search for strings in files, registry keys and memory. Searching for binary patterns is a bit harder (I think not possible). But hey, that's what YARA was made for.

I prepared lots of screenshots tonight to update my blog post(s) again soon.

Btw, I created several IOCs to detect different persistence methods; those are my favorites.

Cheers,
Tom
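Added example (editor's illustration, not code from the post or from any commenter): one way to express, in OpenIOC 1.0 XML (the format Redline's IOC Editor reads and writes), the two ideas raised in this thread: the IDX check Tom sketches in his 2014-08-25 08:14 comment (files under the Java deployment cache with extension idx whose extracted strings contain "http"), and the registry case Harlan describes, a Run-key value whose name is random but whose data points into C:\ProgramData. The GUID ids, author and description text are placeholders; the term names (FileItem/FullPath, FileItem/FileExtension, FileItem/StringList/string, RegistryItem/Path, RegistryItem/Text) are taken from the OpenIOC 1.0 term list as the editor understands it and should be confirmed in the IOC Editor's term picker before use. The sample is constructed, not taken from a real case.

```xml
<?xml version="1.0" encoding="us-ascii"?>
<!-- Added example only; the id GUIDs, author and description are placeholders. -->
<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-0000-0000-000000000001"
     last-modified="2014-08-26T00:00:00">
  <short_description>Java cache IDX with URL / Run-key value data under C:\ProgramData (example)</short_description>
  <description>Example only: two independent indicators joined by OR.</description>
  <authored_by>editor</authored_by>
  <authored_date>2014-08-26T00:00:00</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="00000000-0000-0000-0000-000000000010">

      <!-- Indicator 1: an .idx file in the Java deployment cache whose extracted
           strings contain "http". "contains" on FullPath avoids needing a wildcard
           for the user name. The StringList term only sees printable strings the
           collector extracted, so "Acquire strings" must be enabled for files in
           this path, and it does not parse the IDX binary layout (Tom's point). -->
      <Indicator operator="AND" id="00000000-0000-0000-0000-000000000011">
        <IndicatorItem id="00000000-0000-0000-0000-000000000012" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir" />
          <Content type="string">\AppData\LocalLow\Sun\Java\Deployment\cache\</Content>
        </IndicatorItem>
        <IndicatorItem id="00000000-0000-0000-0000-000000000013" condition="is">
          <Context document="FileItem" search="FileItem/FileExtension" type="mir" />
          <Content type="string">idx</Content>
        </IndicatorItem>
        <IndicatorItem id="00000000-0000-0000-0000-000000000014" condition="contains">
          <Context document="FileItem" search="FileItem/StringList/string" type="mir" />
          <Content type="string">http</Content>
        </IndicatorItem>
      </Indicator>

      <!-- Indicator 2: a Run-key value whose data points into C:\ProgramData,
           matched on the value data (RegistryItem/Text) so a randomly generated
           value name does not matter. -->
      <Indicator operator="AND" id="00000000-0000-0000-0000-000000000021">
        <IndicatorItem id="00000000-0000-0000-0000-000000000022" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir" />
          <Content type="string">\Microsoft\Windows\CurrentVersion\Run</Content>
        </IndicatorItem>
        <IndicatorItem id="00000000-0000-0000-0000-000000000023" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Text" type="mir" />
          <Content type="string">C:\ProgramData\</Content>
        </IndicatorItem>
      </Indicator>

    </Indicator>
  </definition>
</ioc>
```

Two caveats a practitioner would want: the file indicator can only fire on paths the collector actually enumerated with string acquisition turned on, so the collector script has to include that path (Tom's remark about keeping the path narrow applies here, since string extraction across a whole volume is slow and produces a very large XML audit); and a match on RegistryItem/Text is a substring match on the value data, so an attacker who places the binary elsewhere or quotes the path differently will not be caught by this term alone.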