Adversarial Analysis — Pt1
And some personal thoughts 😎

This post is part one of a two-part series:
- Adversarial Analysis; and
- Gap analysis, Attack Patterns, Mitigations and Courses of Action.
Let’s go…
At the heart of adversarial actions are network artefacts: the flows that bring information into your network or systems and/or exfiltrate information out of them (well, kinda, any TCP session is doing both 🤪).
I started my career in packets and I will probably retire in packets, but that’s beside the point! In this post, I will explain how we understand malicious traffic flows, extract the techniques leveraged, and then use these artefacts to implement courses of action (COA) that degrade attacks, deny attacks, deceive the adversary and defend our systems.
Caveat: this is an analysis of a known threat (post-incident analysis). Unknown threats require more analysis and reverse engineering before you can write rules, analysis functions, or deny/detect actions for them. That will be a later post 🕵
This post also shows off various tools that you may or may not have seen!
Setup
I downloaded a random PCAP from a sandbox site, with no information about the potential malicious behaviour, because that is what happens in real-world cases. I wanted to find out how and why, and then defend against any malicious behaviour identified within the network flow.
Configuration
I used the Wireshark display filter below to remove the noise and get down to the malicious stuff! TL;DR: we will use Tshark, Bro (Zeek), EKFiddle, CapTipper and Suricata in the latter parts of this investigation 🕵.
!ssdp && !browser && !stp && !nbns && !llmnr && !dhcpv6 && !arp && !(ssl.record.version == 0x0301) && !igmp && !mdns && !icmpv6 && !(dns.qry.name == "teredo.ipv6.microsoft.com")
Note that the ssl.record.version clause hides every frame carrying a TLS record with version 0x0301, which includes the ClientHello of most TLS sessions (and all of a TLS 1.0 session), so drop that clause if you suspect the interesting traffic is encrypted.
And the following colouring rules to quickly pick out potentially 👹 stuff (rule name and colour, then the filter):
404, dark purple: frame matches "404 Not Found"
POST, orange: http.request.method == "POST"
GET, orange: http.request.method == "GET"
Investigation
After we have enabled the above filters we can visualise the traffic quite clearly (details in the image below). Initially, the traffic doesn’t look malicious, but a deeper look starts to reveal some interesting artefacts!
The interesting session: DNS highlandfamily.com > GET > 301 > DNS www.highlandfamily.com > DNS stemcellenhancementresearch.com > GET > 404.
Still nothing that exciting, except that the 301 from highlandfamily.com/kjd makes the application (in this case malware) request the subdomain www.highlandfamily.com and then a second, unrelated root domain, stemcellenhancementresearch.com, which is unusually interesting.

The analysis above (see image) leads me to believe that the malware has a list of C2 domains it is trying to contact (because of the tight time frame of the DNS requests, the domains contacted, the GET requests and other information); if the first isn’t reachable, or returns a 301/404 etc., it tries the next, and so on.
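As an added example (not code from the original post), here is a small triage heuristic in Python for the behaviour hypothesised above: one client walking a list of domains in quick succession, where none of the requests ends in a 2xx. The sample requests are constructed; the domains follow the session described above, while the client IPs, timestamps, benign traffic and status codes are invented for illustration.

```python
# Added example (not from the original post): a triage heuristic for the
# "list of C2 domains, try the next one on failure" behaviour hypothesised
# above. Input is a constructed, Zeek/Wireshark-like list of HTTP requests.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HttpRequest:
    ts: float              # seconds since the start of the capture
    src: str               # client IP
    host: str              # Host header / domain the GET went to
    status: Optional[int]  # HTTP status of the reply, None if no reply was seen


def is_success(status: Optional[int]) -> bool:
    """Only a 2xx means the client got what it came for; 3xx/4xx/5xx and
    silence are all treated as 'move on to the next domain in the list'."""
    return status is not None and 200 <= status < 300


def _distinct_hosts(run: List[HttpRequest]) -> List[str]:
    """Hosts in first-seen order, so retries against one host count once."""
    hosts: List[str] = []
    for r in run:
        if r.host not in hosts:
            hosts.append(r.host)
    return hosts


def fallback_runs(requests, window: float = 10.0,
                  min_hosts: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (client, [hosts tried in order]) for every run of consecutive
    failed requests from one client that (a) spans at most `window` seconds
    from its first request and (b) touches at least `min_hosts` distinct
    hosts. A 2xx reply, or a gap longer than `window`, closes the run."""
    by_src = {}
    for r in sorted(requests, key=lambda r: (r.src, r.ts)):
        by_src.setdefault(r.src, []).append(r)

    findings = []
    for src, reqs in by_src.items():
        run: List[HttpRequest] = []
        for r in reqs + [None]:          # None is a sentinel that flushes the last run
            closes_run = (r is None or is_success(r.status)
                          or (run and r.ts - run[0].ts > window))
            if closes_run:
                hosts = _distinct_hosts(run)
                if len(hosts) >= min_hosts:
                    findings.append((src, hosts))
                run = []
            if r is not None and not is_success(r.status):
                run.append(r)
    return findings


# Constructed sample: the 10.0.0.5 chain mirrors the session described above
# (301 from the first domain, then the www host and a second root domain,
# ending in a 404); 10.0.0.9 is ordinary browsing with one missing favicon.
SAMPLE_REQUESTS = [
    HttpRequest(0.0, "10.0.0.5", "highlandfamily.com", 301),
    HttpRequest(0.3, "10.0.0.5", "www.highlandfamily.com", 404),
    HttpRequest(0.9, "10.0.0.5", "stemcellenhancementresearch.com", 404),
    HttpRequest(120.0, "10.0.0.5", "update.example.com", 200),
    HttpRequest(50.0, "10.0.0.9", "www.example.com", 200),
    HttpRequest(50.2, "10.0.0.9", "cdn.example.net", 200),
    HttpRequest(50.4, "10.0.0.9", "static.example.org", 404),
]

if __name__ == "__main__":
    for client, hosts in fallback_runs(SAMPLE_REQUESTS):
        print(f"{client} walked a fallback list: {' -> '.join(hosts)}")
```

A 301 to the www host is routine web behaviour on its own, which is why the heuristic only flags a chain that never reaches a 2xx; tune `window` and `min_hosts` to your environment and treat a hit as something to pivot on, not as a signature.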
EKFiddle
The next step! Let’s either confirm or deny our hypothesis with EKFiddle and write a regex to detect this stuff in future!

The above image depicts the PCAP imported into EKFiddle, with a single 301 and a single 404 response. After investigating all the information, I have determined that the traffic is malicious, but the unique details are unknown variables (the GET and the redirects don’t contain any malicious method indicators). At this point, I would suggest that the URI formatting is our best bet for a definition (to identify past/current/future malicious actions).
I was hoping there was a loader or stager downloaded that we could analyse, but to my disappointment there was not!
We won’t be searching for IOCs; we are just analysing the techniques.
Docker
Let’s quickly check if anyone has written a rule for this malware before I spin up my trusty Docker image and crack out Suricata and Bro (Zeek)!
docker run --rm -ti -v /root/tmp:/tmp/ followthewhiterabbit/pcap
FYI — This docker image will auto-update ET rules on every launch!
Suricata
We run the following command to check the PCAP against the Emerging Threats (ET) rules!
suricata -c /etc/suricata/rules/suricata-1.3-open.yaml -r "$1" && clear && cat /var/log/suricata/fast.log


As we can see, we have an indication that this malicious traffic is related to Nemucod! But we don’t know yet what the rule is matching on. 😤
bro -r "$1" /etc/bro/site/file-extraction/scripts/plugins/extract-all-files.bro

If there were any files that could be of use we would use Bro to extract them (detailed above), but... bummer, no interesting files! 😭
Back to EKFiddle!
So I have a shortcut that goes something like 🤑
site:doc.emergingthreats.net “Nemucod JS”
That landed me on https://doc.emergingthreats.net/bin/view/Main/2024508
A very nice regex is contained within it: [A-Za-z0-9]{5,9}\?+[A-Za-z0-9]{6,12}=[A-Za-z0-9]{6,12}$
I tested it at https://regex101.com/ to be sure 😨; it worked a treat, as we can see below, and I appended it to customRegexes.txt.
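To show what that regex does and does not catch, here is an added Python example (not code from the original post or from the ET rule itself). It runs the pattern over constructed request URIs, not URIs from the PCAP, and then wraps it in an illustrative local Suricata rule; the sid, msg and classtype are assumptions, so check the real rule at the ET page above and load the text with `suricata -T` before trusting it.

```python
# Added example (not from the original post): exercise the ET URI regex
# quoted above against constructed URIs, then emit an illustrative Suricata
# rule that carries the same regex. Sample URIs, sid and msg are made up.
import re

NEMUCOD_URI_RE = re.compile(
    r"[A-Za-z0-9]{5,9}\?+[A-Za-z0-9]{6,12}=[A-Za-z0-9]{6,12}$")


def matches_nemucod_uri(uri: str) -> bool:
    """True if the request URI (path + query, as in http.uri) fits the pattern.
    re.search is used deliberately: like Suricata's pcre, the pattern is only
    anchored at the end ($), so the 5-9 alnum run may sit anywhere inside a
    longer path segment, and a trailing '&param=value' defeats the match."""
    return NEMUCOD_URI_RE.search(uri) is not None


# Constructed URIs (not from the PCAP) with the expected verdict.
SAMPLE_URIS = {
    "/abcdef?xyzabc=qwerty12": True,
    "/images/logo01234?abcdefg=hijklmn": True,   # looks benign yet matches: expect FPs
    "/kjd?abcdef=abcdef": False,                 # alnum run before '?' is shorter than 5
    "/abcdef?xyzabc=qwerty12&foo=bar": False,    # extra parameter breaks the $ anchor
    "/index.php?id=123456": False,               # '.php' before '?' and a 2-char key
    "/abcdef": False,                            # no query string at all
}


def check_samples() -> dict:
    """Map each sample URI to whether the verdict matched the expectation."""
    return {uri: matches_nemucod_uri(uri) == want for uri, want in SAMPLE_URIS.items()}


def suricata_rule(sid: int, msg: str = "LOCAL Nemucod-style URI (added example)") -> str:
    """Illustrative Suricata rule text using the legacy http_method/http_uri
    modifiers and the /U (normalised URI) pcre flag. sid 1000000+ is the
    range reserved for local rules; classtype is an assumption."""
    return (
        f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"{msg}"; '
        'flow:established,to_server; content:"GET"; http_method; '
        f'content:"="; http_uri; pcre:"/{NEMUCOD_URI_RE.pattern}/U"; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    for uri, ok in check_samples().items():
        print(f"{'OK ' if ok else 'BAD'} {uri} -> {matches_nemucod_uri(uri)}")
    print(suricata_rule(1000001))
```

The second sample is the important one: any site serving `/somename?key=value` with those lengths will fire too, so a URI-shape rule like this is a pivot, not a conviction, and belongs in a rule set that also carries the fast.log context Suricata gave us above.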

A random point: they have an RSS feed (below), so consume it!
For the lovely readers, I have created a simple Docker image that you can run with one line and make your own Snort/ET rules!
docker run --rm -ti -p 80:80 followthewhiterabbit/flowrulegen
Go to http://localhost
#profit 😜
Tshark
The command-line Swiss army knife for ripping out the good stuff.
tshark -nr "$1" -Y "dns.resp.type == 1" -T fields -e ip.src -e dns.qry.name -e dns.a -E occurrence=a -E aggregator=, | sort -u | grep -Po "\b((?=[a-z0-9-]{1,63}\.)(xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,63}\b|(?:(?:\d|[01]?\d\d|2[0-4]\d|25[0-5])\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d|\d)(?:/\d{1,2})?" | xclip -selection c
We use the above command to pull every DNS A-record answer, with the frame’s source IP, the queried name and the answer IP(s), sort it, grep out only the domains and IPs, then copy the output to our clipboard 😜. Two caveats: the regex uses lookahead and non-capturing groups, so it needs grep’s PCRE mode (-P), not -E; and because dns.resp.type == 1 selects response frames, ip.src here is the resolver, so swap in ip.dst if you want the client that asked.
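If you would rather not depend on grep -P and the clipboard, here is an added Python example (not code from the original post) that parses the tab-separated tshark output above (ip.src, dns.qry.name, dns.a with comma-aggregated answers), validates each field with the same domain and IPv4 regexes as whole-field matches, and pivots from answer IP back to the domains that resolved to it, which is the "how interconnected are they" question asked later in the post. The sample lines are constructed: the domains follow the session described above, the IPs are RFC 5737 documentation addresses.

```python
# Added example (not from the original post): parse `tshark -T fields`
# output for DNS A answers and pivot domain -> IP -> domain.
import re

# The post's regexes, used here as whole-field validators (fullmatch).
DOMAIN_RE = re.compile(
    r"((?=[a-z0-9-]{1,63}\.)(xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,63}",
    re.IGNORECASE)
IPV4_RE = re.compile(
    r"(?:(?:\d|[01]?\d\d|2[0-4]\d|25[0-5])\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d|\d)")

# Constructed tshark output: ip.src <TAB> dns.qry.name <TAB> dns.a (comma-joined).
# The last two lines are deliberately junk: an empty answer and a bad octet.
SAMPLE_TSHARK_OUTPUT = """\
10.0.0.5\thighlandfamily.com\t192.0.2.10
10.0.0.5\twww.highlandfamily.com\t192.0.2.10,192.0.2.11
10.0.0.5\tstemcellenhancementresearch.com\t198.51.100.7
10.0.0.5\tteredo.ipv6.microsoft.com\t
10.0.0.5\tnot a domain\t999.1.1.1
"""


def parse_tshark_dns(text: str) -> dict:
    """Map each queried domain to the set of A-record answers seen for it.
    Fields that do not validate (empty answer, bad octet, spaces in the
    name) are skipped rather than silently polluting the IOC list."""
    resolved = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3:
            continue
        _src, names, answers = fields
        for name in names.split(","):        # -E aggregator=, joins repeated fields
            if not DOMAIN_RE.fullmatch(name):
                continue
            for ip in answers.split(","):
                if IPV4_RE.fullmatch(ip):
                    resolved.setdefault(name.lower(), set()).add(ip)
    return resolved


def pivot_by_ip(resolved: dict) -> dict:
    """Invert domain -> IPs into IP -> domains. An IP shared by several
    domains is exactly the edge you would look at in VT Graph or Maltego."""
    by_ip = {}
    for name, ips in resolved.items():
        for ip in ips:
            by_ip.setdefault(ip, set()).add(name)
    return by_ip


if __name__ == "__main__":
    resolved = parse_tshark_dns(SAMPLE_TSHARK_OUTPUT)
    for ip, names in sorted(pivot_by_ip(resolved).items()):
        print(f"{ip:15} <- {', '.join(sorted(names))}")
```

Feed it real output with `tshark ... | python3 parse_dns.py` by reading `sys.stdin` instead of the constructed sample; the validation step is what keeps stray `-T fields` artefacts (empty answers, CNAME-only responses) out of the list you paste into a graph tool.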

If you want, we can also paste the output of the above command into CyberChef and clean it up a bit! The recipe is below.
It is just a regex extraction for domains, IPs and URLs, followed by unique and sort.
https://gchq.github.io/CyberChef/#recipe=Regular_expression('User%20defined','(%5C%5Cb((?%3D%5Ba-z0-9-%5D%7B1,63%7D%5C%5C.)(xn--)?%5Ba-z0-9%5D%2B(-%5Ba-z0-9%5D%2B)*%5C%5C.)%2B%5Ba-z%5D%7B2,63%7D%5C%5Cb%20%7C%20(?:(?:%5C%5Cd%7C%5B01%5D?%5C%5Cd%5C%5Cd%7C2%5B0-4%5D%5C%5Cd%7C25%5B0-5%5D)%5C%5C.)%7B3%7D(?:25%5B0-5%5D%7C2%5B0-4%5D%5C%5Cd%7C%5B01%5D?%5C%5Cd%5C%5Cd%7C%5C%5Cd)(?:%5C%5C/%5C%5Cd%7B1,2%7D)?%20%7C%20(ftp%7Chttp%7Chttps):%5C%5C/%5C%5C/(%5C%5Cw%2B:%7B0,1%7D%5C%5Cw*@)?(%5C%5CS%2B)(:%5B0-9%5D%2B)?(%5C%5C/%7C%5C%5C/(%5B%5C%5Cw%23!:.?%2B%3D%26%25@!%5C%5C-%5C%5C/%5D))?)',false,false,false,false,false,false,'List%20matches')Unique('Line%20feed')Sort('Line%20feed',false,'Alphabetical%20(case%20sensitive)')
CapTipper
If we wanted to go a little further and hash the requests or files, we could use CapTipper to do that. I use this tool all the time; it’s great! The images below are self-explanatory; this is just another way to look at the PCAP 😊.
https://github.com/omriher/CapTipper


So at this point we have found the techniques and created multiple rules to detect them; now let’s look at how interconnected the malicious domains/IPs are. For demonstration purposes, I have just pasted the xclip’d data into VT Graph (it’s pretty good) so we can quickly see how interconnected they are.
Usually I use Maltego (or IBM i2 for anti-drug-trafficking work) for advanced investigations, but in this case it’s not needed.
https://www.virustotal.com/graph/

The graph above clearly contains malicious data, but for the purposes of this post it’s way too much to explain, so just agree with me 🤗 haha.
So after all that, “so what?”
We need to make this intelligence actionable and applicable and, most importantly, use it to degrade attacks, deny attacks, deceive the adversary and defend our systems and networks. That content will be in the second part of this series (linked below), where I explain how to turn this intelligence into actionable steps.
Gap analysis, Attack Patterns, Mitigations and Courses of Action Pt2.
Tools used in this post!
- CapTipper https://github.com/omriher/CapTipper
- Wireshark https://www.wireshark.org/
- Fiddler https://www.telerik.com/fiddler
- EKFiddle https://github.com/malwareinfosec/EKFiddle
- Suricata https://suricata.io/
- CyberChef https://gchq.github.io/CyberChef/
- Bro https://www.zeek.org/ (now called Zeek); and
- Tshark.
“Always start at the end before you begin.” Robert Kiyosaki