Time
1 hour 21 minutes
Difficulty
Intermediate
CEU/CPE
2

Video Transcription

00:00
Hello. My name's David. Welcome to Analyzing Attacks. What process does Redline cover for us, do you remember that?
00:11
Yes. Live memory analysis.
00:16
We ran. Well, what's let them set that? We created a on it file right on and then loaded it into a home. She and ran it against a piece of malware that we downloaded from our analysis dot net,
00:33
and we talked about some cautions
00:36
loading that malware on. And now we have loaded our analysis session,
00:41
which we pulled from here. Remember, we went through some troubleshooting steps purposely getting it out of our Burton receding back. Now, granted, you'll probably be using an external hard drive to pull these off and put them here. But if you're gonna be doing lab work, things like that, then you need to understand that
01:00
there is a troubleshooting process you'll work through and different methods that you use in order to solve these problems in the real world. You're gonna have to do that.
01:10
So as we loaded our analysis session up, you can see Redline loaded for us and created some interesting little entries over here for us and also some files here.
01:23
So let's say down here at the bottom I want to search my data with a set of indicators of compromise. So if we have those, we could load them up here and then search through this memory capture because it didn't do a 1,000,000 capture. Remember of that file system? Um, actually came across.
01:45
Here's our .dat file, which is the memory acquisition. So let's split up there.
01:53
You can see looking for persistence See a lot of the issued a mover looking for But right here is my memory capture, actually.
02:01
So
02:04
it did pull out the memory for us,
02:07
which would just be what we would search for indicators of compromise. We could review when history data if we were interested in that,
02:14
if we had some other kind of information. And yes, we're something along those lines that we could do a timeline type search. Knowing when it was infected could lead us to finding other indicators of the evil badness that we wouldn't want you looking for.
02:32
FireEye Mandiant. FireEye has an endpoint protection platform. So
02:38
if you were utilizing it in conjunction, combine the two together. And here at the very top we have my system information; it was running Windows 7.
02:47
Um, machine gives us the primary IP address right here. Now come here and click Investigate. It breaks it down further. So it tells us what my time zone is, uh, MAC address with community.
03:05
How big was my memory? He gigabytes
03:08
What was available? 6.9. Let's see what drives were available. How long has it been up? Um, tells us some operating system information down here,
03:20
um, user information, my name, who was logged in
03:24
and even some BIOS information. So we can take this information, actually, and put it into our forensic report or incident report as well. So if we click over here, you can see it breaks it down for us so we can look at are now looking actors.
03:40
A lot of information there we can review processes in a variety of different ways. Let's check strings. Strings is usually kind of important.
03:51
We don't have any strings. Problem of force,
03:53
which we should have had. Let's go here
03:58
and check out our reports so we could do listening ports
04:01
and
04:03
sorry, it's not loading very fast.
04:08
There we go. There are our listening ports. Plus, as you can see, it tells us which ports are open and listening.
04:14
I guess listening, not necessarily open. And what process is attached to the particular port? The anit. You remember e l E c or Illich was the name of the malware.
04:30
Way back, we had Process Explorer, but we ran the malware and this was the process that started.
04:35
So you can already now begin to pull out some indicators you can give, the port numbers that were set to listen by these particular pieces of malware.
04:48
Now you can copy this out. Hagit s. So let's say this is important for me.
04:55
That one included a report saying here
04:58
so you can see you could start building out your report here as well.
05:04
Let's see, let's jump back to the strings. Distant case. Yes. Strings finally loaded, which is good for us. Strings are kind of old school, but they are still used. And you can actually do, ah, a quick review
05:21
of different strings that would have been running on that system.
05:26
And as you can see, remember the Locard principle.
05:31
Every
05:33
contact leaves a trace, basically. So you can see I'm running my lab, ran Redline out. This would have been from a USB drive. This file path will be different, of course. But, hey, it's there in memory because it is running.
05:46
Then you can see a lot of different things over here that are tagged down throughout. So if we wanted to do a string search, we could very easily do that as we get through this process. So we're gonna do a little jumping down here now. As you can see, it begins to do the search indexer.
06:04
Now we're getting into the actual pools on the system itself.
06:08
So there's my VM pools, knowing that I'm running a VM machine.
06:13
You can see those tools well,
06:15
well, out here we did check the registry file so we can see we pulled out some registry keys that were resident in memory as well.
06:25
A lot of different things in here that could be of interest to us.
06:30
The shell32.dll, which to me would be extremely interesting.
06:41
C a ll that good information. Now we're just taking a broader review of this. If you were doing an actual analysis of this malware, you're gonna go through this
06:51
methodically and search through to see what all that you can find. Let's check persistence,
06:58
if we get anything. Lending and persistence. Well, there we go. There are a lot of persistent
07:06
keys and files registered here. Especially you could go across the competency: what persistence type this is, registry, its path, the file path rather, trend street file, when it was modified. And see, a lot of these are more older.
07:24
If I wanted to search these, I would change up here and click the top to sort by when it was modified. And you can see walking down through this, all these items would have been modified. And
07:39
ah, a lot of these are back on seven. Teeing up. 2009
07:44
Coming up now, Here we are in our day and age. So
07:48
we're at 7:20 with a TrustedInstaller. Just kind of curious, because I didn't install anything today, so that would be something that I would want to explore. See, some of the tools that I have running on that system as well. Stop, which is interesting.
08:05
Uh, let's see. Browser URL history.
08:09
So as you can see, even looking at this, I don't have anything real invasion because I wasn't family and think today. But you can see all these different tools that I downloaded over the past, which actually pulls from the hard drive exam that we did. Now looking
08:28
at a memory catcher
08:30
that could come in handy because it's something that you may want now. So let's jump back up here to our hierarchical processes, that gives you the process name and then what it spawned. So, as you can see, you can work your way down through this.
08:46
They're searching nectar CRS as C and D.
08:50
There's always something to be checking. Now that's Redline. So you know that you ran Redline on the system and here we go with E. I always want to spell that out, because could you like RDX? See, this is what we ran as part of our infection system
09:09
again. If I wanted to copy this, or why it was process based, mark it for future reference, I could easily do that. Now, here's another one,
09:18
which is very, very interesting. If we check it,
09:22
you see where it came from. Her dotty XY is actually the name of the file I executed conceives from the drive. That's mount where Artifacts Todd Step. But it spawned this, which was running on my system at the same time. Very, very interesting stuff, and a ton of stuff have work. Anything here
09:43
is that if you do have indicators of compromise, you drop them in here and Redline will actually mark the bad ones. 40 on. That makes it much easier to search through. It actually points you in the right direction. And with that file, if we downloaded, it does actually come with a Word document. Tech stocks
10:03
with the indicators in it.
10:05
So my counsel to you from here on out is play around with Redline and start utilizing these indicators, compromised enhancers or jobs. I hope you learned a little bit about Redline, how to use it, how to operate it. Experiment with it
10:20
again. If you have any questions, I'm on Cybrary. Everybody would be having talked to you.
10:26
Have a great day

Analyzing Attacks for Incident Handlers

In Analyzing Attacks for Incident Handlers, David Biser explains memory analysis and how to use it to uncover information about a computer. He demonstrates this process of analyzing an attack using labs such as a Redline lab and a VM and Malware lab to conduct an analysis on a computer.

Instructed By

David Biser
Incident Response Engineer at Iron Mountain
Instructor