Investigate and fight cyberattacks with SIFT Workstation

Digital forensics and incident response (DFIR) has hit a tipping point. No longer just for law enforcement solving cybercrimes, DFIR tools and practices are a necessary component of any organization’s cybersecurity. After all, attacks are increasing daily and getting more sophisticated – exposing millions of people’s personal data, hijacking systems around the world and shutting down numerous sites.

SANS has a smorgasbord of DFIR training, and we also offer a free Linux distribution for DFIR work. Our SANS Investigative Forensic Toolkit (SIFT) Workstation is a powerful collection of tools for examining forensic artifacts related to file system, registry, memory, and network investigations. It is also available bundled as a virtual machine (VM), and includes everything one needs to conduct an in-depth forensic or incident response investigation.

The SIFT Workstation was developed by an international team of forensics experts, including entrepreneur, consultant and SANS Fellow Rob Lee, and is available to the digital forensics and incident response community as a public service. Just because it’s freely available and originally designed for training, though, doesn’t mean it can’t stand up to field investigations. The SIFT Workstation incorporates powerful, cutting-edge open-source tools that are frequently updated, vetted by the open source community and able to match any modern DFIR tool suite. Don’t just take our word for it. Thousands of individuals download SIFT yearly, and it’s used by tens of thousands of people all over the world, including those at multiple Fortune 500 companies. And recently, HackRead named SIFT Workstation in a list of the top 7 cyber forensic tools preferred by specialists and investigators around the world.

SIFT got its start in 2007, during the time SANS instructors were developing virtual machines (VMs) for use in the classroom. In its earliest iterations, it was available online as a download, but was hard-coded and static so whenever there were updates, users had to download a new version. By 2014, SIFT Workstation could be downloaded as an application series and was later updated to a very robust package based on Ubuntu. It can also be installed on Windows, if there is an Ubuntu subsystem running on the system.

In November 2017, SANS unveiled a new version of SIFT Workstation that allows for much more functionality, is much more stable, and comprises specific tools such as the Package Manager. This time the package supports rolling updates, and uses Salt, a Python-based configuration management platform, rather than a bootstrap executable and configuration tool.

The new version can work with more than 200 tools and plug-ins from third-parties, and newly added memory analysis functionality enables the SIFT Workstation to leverage data from other sources. New automation and configuration functions mean the user only has to type one command to download and configure SIFT. Because SIFT is scriptable, users can string together commands and create automated analysis, customizing the system to the needs of their investigation.

Download SIFT Workstation today, and get started on your own DFIR initiatives. And look into our FOR508: Advanced Incident Response and Threat Hunting course for hands-on learning with SIFT, and how to detect breaches, identify compromised and affected systems, determine damage, contain incidents, and more.

Gamble? Not with your future

By Lee Whitfield

Honestly, I’ve never been big into gambling. The closest I’ve come is buying a lottery ticket when I was 18. While I understand the excitement, the science, and compulsion, it has just never been a huge draw for me personally.

There are many things that fall into the category of gambling. You can choose to back your favorite sports team by putting your money where your mouth is. You may not have a lot of faith in your team and bet against them (and still call yourself a fan?). You may attend a regular gathering of friends and play cards together.

Gambling presents an inherent risk, hence the excitement. You run the odds in your head and determine if there’s a chance you’ll win. If the right combination of probability and odds come up, you pony up and hope for the best. However, there’s always a chance that something goes wrong and you walk away with a loss instead of a win.

You may not be familiar with Steve Richards. Why would you? He’s a roofer from the UK. Richards had a penchant for sports betting and accurately predicted the correct scores for twelve different rugby games. He bet £10 at some crazy odds and walked away with £38,970. Now, roofers in the UK probably don’t make that much in a year, so this was an extraordinary win for him, but instead of taking that money and doing something useful, he “reinvested” by placing a £30,000 bet on another rugby game one week later. He lost. A year’s wages gone in an instant.

So why am I talking about gambling? Well, it is the start of a new year. New opportunities, new goals, new budgets. The likelihood is that you have some amount of money allocated to you for training purposes in 2019, and you have to ask yourself a question. How do you spend that money wisely and not gamble it away on less-than-stellar instruction?

As you may know, I recently started teaching for SANS. I’ve had the pleasure of teaching in Boston, London and Denver. My next class is in Reno, Nevada – the gambling state. It starts on February 25. Here I will be teaching the FOR500: Windows Forensic Analysis class. In six days you’ll learn the skills needed to conduct investigations into a variety of cases and, to top it off, you’ll put the skills to the test with the forensic challenge that I helped to create. The FOR500 class is updated throughout the year so you’ll be learning about the latest and greatest artifacts to help you become a lethal forensicator, take down the bad guys, impress your bosses, and get that raise that you deserve.

As an added bonus, I’ll also be giving a brand new @Night talk entitled “Ready, Fire, Aim.” You won’t want to miss it.

So don’t gamble away your future, make the safe bet and come join me in Reno in February. Come to the class, hang out with me, learn some stuff, and play some slots. Who knows, you might walk away with more than the best training money can buy.

More information about the SANS Reno event
Register for the class

Go Big with Bootcamp for Advanced Memory Forensics and Threat Detection

Many experienced security analysts end up repeating the same investigative playbook for similar types of cases day after day. They become technical experts but siloed into a single type of investigative scenario, whether it be intellectual property theft, malware or intrusion investigations. With the rapid evolution of fileless malware and sophisticated anti-forensics mechanisms, security analysts need access to the current system state that can be derived solely from memory analysis. Learning bleeding-edge analysis skills such as memory interrogation can be a tough challenge requiring determined and extraordinary work. The relaunched bootcamp SANS FOR526 Advanced Memory Forensics and Threat Detection is the class that will get you and your team to this next level – it’s time for bootcamp!

Malware is more sophisticated, and its ability to evade detection is growing. Cryptojacking – software programs and malware that hijack another’s computer without their knowledge to mine cryptocurrency – is one such example. Recently, researchers discovered a new cryptocurrency mining malware that employs multiple evasion techniques, including one that poses as an installer file for the Windows operating system so it seems less suspicious. And illicit cryptocurrency mining operations have increased dramatically over the past year, according to a recent Cyber Threat Alliance report, rising by as much as 459 percent in 2018.

The more complex, advanced malware and anti-analysis and evasion techniques pose great challenges to today’s security practitioners, as the endpoint detection methods and technologies we rely upon to protect our enterprise fail. For this reason, we at SANS have decided to go big with a revised FOR526 course – with an additional boot camp – that teaches you how to isolate malicious activity using memory analysis to counter these evasions and allows you to determine the capability and intent of the intrusion for successful scoping and containment.

To move to proactive hunting, teams must have the skills to identify the activity for which there is no signature. The FOR526 course delivers this expertise with an intensive hands-on focus, allowing security practitioners to build on the knowledge advanced security professionals already have.

The two creators of FOR526, Alissa Torres and Jake Williams, understand the unique challenges of memory forensics and the complex types of cases examiners are up against today. Both forensics practitioners themselves, they know examiners need deeper technical expertise beyond just running a tool so they can perform memory analysis to understand the evidence, and that means offering students labs inspired by real-world investigations in which memory forensics saved the day. As Williams notes, “memory offers a very dense and target-rich search space for evidence of value. Memory-only malware? Malicious insiders using private browsing to eliminate disk evidence? Anti-forensics techniques? They all get stuck in memory.”

Williams and Torres have added a boot camp consisting of additional content and memory forensics challenges to make the course even more relevant for present-day memory forensics investigations and threat detection. The NEW FOR526: Advanced Memory Forensics and Threat Detection BootCamp brings you extended mid-week SANS NetWars challenges, more in-depth technical content and advanced threat detection scenarios to take senior incident responder professionals to the next level.

At this month’s Cyber Threat Intelligence Summit in Arlington, Virginia, Torres will run FOR526: Advanced Memory Forensics & Threat Detection January 23 – 28. The summit is a week-long conference and educational event with in-depth talks and interactive discussions, as well as community-building events, networking opportunities and hands-on, immersive courses designed to give you world-class training.

Learn more about the course’s new format and content by attending Alissa Torres’ webcast on January 14th at 1:00 pm EST.

Register for the webcast: http://www.sans.org/u/Mi2

Next FOR526 course runs: http://www.sans.org/u/MhX

DFIR Summit 2019 Call for Presentations (CFP) Now Open

The 2019 DFIR Summit CFP is now open through 5 pm CST on Monday, March 4th.

The 12th annual SANS Digital Forensics & Incident Response (DFIR) Summit is the most comprehensive DFIR event of the year, bringing together an influential group of experts, immersion-style training, and industry networking opportunities in one place.

Summit talks will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response. All talks should be technical and specific and provide actionable takeaways.

The DFIR Summit offers speakers the opportunity to present their latest tools, findings, and methodologies to their DFIR industry peers. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

We are looking for proposed presentations on topics including, but not limited to:

  • Case studies in Digital Forensics, Incident Response, or Media Exploitation that solve a unique problem
  • New forensic or analysis tools and techniques
  • Discussions of new artifacts related to Cloud, Smartphones, Windows, and Mac platforms, malware reverse engineering, or network communications
  • Improving the status quo of the DFIR industry by sharing novel approaches
  • Challenges to existing assumptions and methodologies that might change the industry
  • New analytic techniques that can extract and analyze data more rapidly and/or at a larger scale

Benefits of Speaking

  • Promotion of your speaking session and company recognition via the DFIR Summit website and all printed material
  • Visibility via the DFIR post-Summit on the SANS DFIR Website
  • Full conference badge to attend all Summit sessions
  • Speakers can bring 1 additional attendee for free to attend the summit
  • Private speakers-only networking lunches
  • Speakers-only networking reception on the evening before Summit
  • Continued presence and thought leadership in the community via the SANS DFIR YouTube channel

Who Should Submit

Diversity of thought is critical to any organization’s success, and SANS Summits encourage participation by everyone regardless of age, culture, ethnicity, sexual orientation, or gender identification. Whatever your background, whoever you are, we encourage you to respond to a CFP. We welcome people who are newer to the field or who have not yet done any public speaking, and we can provide mentoring and guidance to help you develop an impactful presentation.

Most talks will be 35 minutes of content + 5 minutes of Q&A. However, we are always interested in exploring new formats, especially for interactive learning.

Deadline:
Monday, March 4, 2019 | 5 pm CST

CFP Submissions must be made via our online form.

SANS FOR585 Q&A: Smartphone Forensics – Questions answered

Learning doesn’t stop when you leave the SANS classroom. Instructors Domenica “Lee” Crognale, Heather Mahalik and Terrance Maguire answer some of the most common questions from FOR585 Smartphone Forensics course students in these short videos:

1) Using Hashcat to Crack an Encrypted iTunes Backup: Acquiring a locked iOS device can be difficult, so an iTunes backup may be the best evidence to examine. The iTunes backup files might be encrypted, so this mini webcast outlines how to use Hashcat to crack the encrypted iTunes backup files.

2) An Overview of Third Party App Examination: There are millions of applications (Apps) that can be used on a smartphone. This mini webcast outlines an approach to examining these applications.

3) Why Every Examiner Needs a Test Device?: In a perfect world, we would always be examining rooted Androids and jailbroken iOS devices, but unfortunately, full access to the file system is becoming a thing of the past. This mini webcast highlights the importance of populating test devices with user data so you can better speak to the artifacts that you ARE able to access on your next examination.

4) What if Nothing Supports Android Pie (v9)? The latest versions of Android are not commonly supported for acquisition by our tools. What can you do? Use ADB and interact with the live device. This mini webcast will teach you how to use ADB to extract information from Android devices and will discuss the traces some tools leave behind and why that trace is required if you want to obtain data.

5) iOS Malware – Where to Begin: It’s notably more difficult to pinpoint malware on your non-jailbroken iOS device without access to the application packages. This mini webcast outlines some of the best practices in analyzing the files you can access to provide indications of suspicious activity and the applications and services that are likely responsible.

6) Two Major Plists: This mini webcast will discuss how to determine if iMessage is disabled on an iPhone and how to determine if an iCloud restore occurred. Simple questions like this can make a difference in your investigation. We will discuss the file locations, which acquisition methods provide access to the files of interest and most importantly, how to parse the data.

About SANS FOR585: Smartphone Forensics Course

This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 27 hands-on labs, a forensic challenge, and a bonus take-home case that allow students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools. More information: http://sans.org/FOR585 | Next course runs: sans.org/u/Mht

More Resources:

FOR585 Mobile Forensics Poster: Use this poster as a cheat-sheet to help you remember how to handle smartphones, where to obtain actionable intelligence, and how to recover and analyze data on the latest smartphones and tablets. This poster was created by FOR585 Advanced Smartphone Forensics course authors & Certified Instructors Heather Mahalik, Cindy Murphy and Domenica “Lee” Crognale with support from the SANS DFIR Faculty. Download it here

Heather Mahalik’s blog: https://smarterforensics.com/blog/

The new version of SOF-ELK is here. Download, turn on, and get going on forensics analysis.

We are excited to announce the release of an all-new version of the free SOF-ELK®, or Security Operation and Forensics ELK virtual machine. Now based on the new version of the Elastic Stack, SOF-ELK is a complete rebuild that is faster and easier to use than its predecessors, making forensic and security data analysis easier than ever.

Since its introduction about five years ago, there have been more than 10,000 downloads of SOF-ELK around the world by computer forensic investigators and information security operations personnel in the government, law enforcement and commercial sectors. The SOF-ELK platform is a customized build of the open source ELK stack, consisting of the Elasticsearch storage and search engine, Logstash ingestion and enrichment component, and the Kibana dashboard frontend.

SOF-ELK was always designed to help minimize the typically long and involved setup process the ELK stack requires by delivering a pre-built virtual appliance that can be downloaded in a ready-to-use state. It can consume various source data types (numerous log types as well as NetFlow), parses out the most critical data fields, and presents them on several stock dashboards. Users can also build custom data visualizations that suit their own investigative or operational requirements (and because of the fully open source nature of the project, can choose to contribute those custom builds back to the primary code repository). Learn more about the SOF-ELK distribution.

 

The new version of SOF-ELK has been rebuilt from the ground up to take advantage of the new version of the Elastic Stack software and uses all of the Elastic Stack’s components. This required a total rebuild of all dashboards and supporting scripts. Simply download this distribution, turn it on, feed it some data and begin analysis. It’s that easy.

The SANS team has performed extensive testing of this distribution of the SOF-ELK platform. The new version’s most immediate benefits are its speed and refreshed browser interface. This is faster and easier to use and can visualize massive amounts of data through the dashboards. We also expect faster development cycles. Here are some more changes in the new SOF-ELK:

  • Supports the latest updates to the kernel and all CentOS packages.
  • Includes new parsers from upstream and community contributions.
  • Rebuilt and revalidated all Logstash parsers against the latest syntax.
  • Better handles dynamic (boot-time) memory allocation for Elasticsearch.
  • Rebuilt all Kibana dashboards to handle updated index mappings and field names.
  • IPv6 addresses can now be handled as IPs instead of strings.
  • Features many under-the-hood changes that will make our roadmap much smoother in the future.

The SOF-ELK platform was initially developed for SANS FOR572, Advanced Network Forensics and Analysis, and is now used in SANS SEC555, SIEM with Tactical Analysis. Additional course integrations are being actively worked on at this time and considered for future versions. However, SOF-ELK was always designed as a free resource for the digital forensic and broader information security communities at large – a ready-to-use appliance that teams can use without having to invest the many hours into deploying, configuring, and maintaining an Elastic Stack instance. We hope you check out the latest version of the SOF-ELK distribution.

____________________________________________________________________________________

JOIN THIS WEBCAST TO FIND OUT MORE: 
SOF-ELK®: A Free, Scalable Analysis Platform for Forensic, Incident Response, and Security Operations

  • When: Tuesday, March 5th, 2019 at 1:00 PM EST 
  • Conducted by Phil Hagen
  • Register now

Overview

There is no shortage of digital evidence, with many DFIR and Security Operations teams handling terabytes of log and network data per week. This amount of data presents unique challenges, and many tools are simply inadequate at such a large scale. Commercial platforms that are up to the task are often far out of budgetary reach for small- and medium-sized organizations.

The Elastic Stack, a big data storage and analysis platform, has become increasingly popular due to its scalability and open-source components. Countless investigative and security teams have incorporated Elastic into their toolkits, often realizing the significant level of effort required to customize and manage such a powerful tool. To overcome some of these hurdles, the SOF-ELK platform was created. SOF-ELK aims to be an appliance-like virtual machine that is preconfigured to ingest and parse several hundred different types of log entries, as well as NetFlow data. The intent is to provide analysts and investigators with a tool that leverages the power of the Elastic Stack with minimal setup time and effort. Originally a part of the SANS FOR572, Advanced Network Forensics & Threat Hunting course, SOF-ELK has been incorporated into additional SANS courses and is released as a free and open-source platform for the overall security community.

In this webcast, we will explore SOF-ELK’s use cases, the types of log data currently supported, as well as how to load data from live or archived sources. We will also show the various dashboards supplied with the VM and show how new features can be activated through the project’s GitHub repository.

Shortcuts for Understanding Malicious Scripts

You are being exposed to malicious scripts in one form or another every day, whether it be in email, malicious documents, or malicious websites. Many malicious scripts at first glance appear to be impossible to understand. However, with a few tips and some simple utility scripts, you can deobfuscate them in just a few minutes.

SANS Instructor Evan Dygert conducted a webcast on October 3rd, 2018. This webcast teaches you how to cut through the obfuscation techniques the script authors use and not spend a lot of time doing it. Evan also demonstrates how to quickly deobfuscate a variety of malicious scripts.

The samples of the scripts he provided during the webcast can be downloaded here: https://dfir.to/MaliciousScripts. Please note the password for the samples.zip folder is: “infected”

We hope that the techniques presented in this webcast help you to begin deobfuscating potentially malicious JavaScript. This topic is explored in depth in the SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course. This class offers an excellent opportunity to understand the unique and insightful perspective that malware analysis can bring to your investigations.

New CheatSheets you might be interested in:

Tips for Reverse-Engineering Malicious Code – This cheat sheet outlines tips for reversing malicious Windows executables via static and dynamic code analysis with the help of a debugger and a disassembler. Download Here

REMnux Usage Tips for Malware Analysis on Linux – This cheat sheet outlines the tools and commands for analyzing malicious software on the REMnux Linux distribution. Download Here

Cheat Sheet for Analyzing Malicious Documents – This cheat sheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF and Adobe Acrobat (PDF) files. Download Here

Malware Analysis and Reverse-Engineering Cheat Sheet – This cheat sheet presents tips for analyzing and reverse-engineering malware. It outlines the steps for performing behavioral and code-level analysis of malicious software. Download Here

—————————————————————————————————————————–

For opportunities to take the FOR610 course, consider upcoming runs and modalities:

US & International live training: Live events offered throughout the US, EMEA & APAC regions.

DFIR Summits: Two days of industry expert talks plus DFIR training events.

Simulcast: Live events from anywhere in the world.

OnDemand: Learn at your own pace, anytime, anywhere.

DFIR Resources: Digital Forensic Blog | Twitter | Facebook | Google+ | Community Listservice | DFIR Newsletter

How to build an Android application testing toolbox

Mobile devices hold a trove of data that could be crucial to criminal cases, and they also can play a key role in accident reconstructions, IP theft investigations and more. It’s not just investigators who care about examining a mobile device – so do those interested in application research and data, and enterprises who rely on smartphones and tablets to perform work tasks, engage with customers and deliver new services.

Effectively accessing and testing smartphones requires an optimal application toolbox, and the chops to use it. Listen to this webinar that details how to build your Android application testing toolbox to ensure you’re set up to successfully access and examine the information you need from Android mobile phones.

SANS instructor Domenica Crognale, who is one of the course co-authors of SANS FOR585: Advanced Smart Phone Forensics, and who teaches the course as well, details why testing of mobile phone applications is critical – especially given the fact that Android apps change weekly and even daily. It is becoming more common for application developers to restrict very important user artifacts from being accessed from these Android devices. This most often includes the SQLite databases, which likely contain the information that examiners are after. It’s not just commercially available applications you have to consider. Often, custom-built apps aren’t parsed by commercial tools, so you’ll need to know how to access and parse any data stored on the device.

During the webinar, Domenica talks about the importance of rooting Android devices as well as ways to access and parse the data. She explains how to do this using utilities that exist on the SIFT workstation or that can be downloaded for free from the SANS website.

This webcast explores topics such as:

  • Choosing the best test device
    During a forensics acquisition, many tools will apply a soft root onto the phone that is then removed once the data is obtained. But a full physical acquisition is not always necessary for application testing. Ideally, we want a test phone that is always rooted, whether or not the device loses power, because the root basically unlocks access to the core of the device’s operating system so you can access, add, remove or tweak anything inside the phone.
  • Rooting your Android
    During the webinar, Domenica walks through a demo of a root, shows how to locate the root, and shares information on free and publicly available root tools.
  • Utilizing File Browsers for quick file/folder access
    Sometimes a file browser is all you really need to get to the data you’re after. Domenica shares her favorite third-party applications for accessing the file system.
  • Examining application directories of interest
    Once you have access to the files you need, utilize tools available on the SIFT workstation to view the contents of SQLite databases.

Listen to the recording of the “Building your Android application testing toolbox” webcast now. And check out our FOR585: Advanced Smartphone Forensics, a week-long course that teaches you how to find key evidence on a smartphone, how to recover deleted mobile device data that forensic tools miss, advanced acquisition terminology and free techniques to gain access to data on smartphones, how to handle locked or encrypted devices, applications, and containers, and much more.

Domenica will be teaching FOR585: Advanced Smartphone Forensics at SANS Cyber Defense Initiative Dec 11-18. Register to attend live here: sans.org/u/JGl or to try it from home via Simulcast register here: sans.org/u/JGq

For additional course runs log in here

Inhibiting Malicious Macros by Blocking Risky API Calls

Microsoft Office Macros have been the bane of security analysts’ lives since the late 1990s. Their flexibility and functionality make them ideal for malware authors to use as a primary stage payload delivery mechanism, and to date the challenge they pose remains unsolved. Many organisations refrain from blocking them completely due to the impact it would cause to their users, and instead rely on a combination of detection and mitigation technology to compensate for the risk they pose.

I have long thought that it would be ideal if Microsoft were able to implement granular controls via group policy over which activities macros were permitted to perform, for example allowing the blocking of process execution or network activity. In the interim, I have been experimenting with alternative methods to limit which functions a macro can call, either by redefining or patching the high risk API calls to prevent their intended outcome.

Below we can see a very basic example of what a malicious macro might look like. The fact that the subroutine is named “AutoOpen” means that it will be run as soon as the document is opened (and, if required, macros are enabled). The command “Shell” at the beginning of the line instructs Word to execute the process specified in the parameter, so in this case the macro will launch the Windows calculator.

[Screenshot: the one-line AutoOpen test macro]

Option 1 – Using global templates to override built-in functions

Shell is the function built into VBA which is used to launch new processes, and as such, can often be found in malicious macros. Malware authors leveraging macros as a primary stage payload typically want to either download or drop a file, and then execute it. Alternatively, they could decide to execute an existing process on the system, such as powershell, with parameters which will take actions against their intended target. Common to both of these methods is the requirement for something to be run, and this is where Shell comes in. If we were able to somehow disable the Shell function, then we might be able to prevent the malicious macro from succeeding in its goal.

The first experiment involved redefining the Shell function, with the hope that the newly defined function would override the built-in one. We can achieve this by placing the code in the global template, which is named normal.dotm, or within an add-in (which is effectively a template that is loaded every time Word is opened); either way, our code will become part of the malicious macro’s execution.

Below we can see the redefined function used in this experiment. It was saved within Normal.dotm (the global template), with the intention that when Shell was called, our redefined function would run instead of the built-in one that launches the process, resulting in a popup warning the user that the activity had been blocked.

[Screenshot: the redefined Shell function saved in Normal.dotm]

Then, using the one-line test macro that attempts to execute 'cmd.exe /c calc.exe', we can see that the redefined function worked well and blocked the execution of the process. Unfortunately, it only seemed to work when the malicious code was placed within the document and not when it was within a separate module. The reason for this is unknown and warrants further research; if solved, this would be the easiest way to achieve our goal.

[Screenshot: the warning dialog shown when the test macro's Shell call is blocked]
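The following is an added example, written for this edit and not the author's code (which survives here only as screenshots). It spells out the Option 1 override in VBA together with a constructed one-line AutoOpen test macro of the kind described above. A procedure named Shell in a loaded project can shadow the VBA library's Shell for unqualified calls; the author found this took effect when the calling code sat in the document rather than in a separate module, and the example does not change that. The log file path under %TEMP%, the message text and the LogBlockedCall and CallerDocumentName helpers are my own choices.

```vba
Option Explicit

' --- Part 1: standard module inside the global template (Normal.dotm) ---
'
' Mirrors the built-in signature, Shell(PathName, [WindowStyle]) returning a Double
' task ID, so that an unqualified call in a macro compiles unchanged but lands here.
Public Function Shell(ByVal PathName As String, _
                      Optional ByVal WindowStyle As VbAppWinStyle = vbMinimizedFocus) As Double
    Dim source As String
    source = CallerDocumentName()
    LogBlockedCall source, PathName
    MsgBox "A macro in " & source & " tried to launch:" & vbCrLf & vbCrLf & _
           PathName & vbCrLf & vbCrLf & "The request was blocked.", _
           vbCritical, "Macro process execution blocked"
    Shell = 0   ' no task ID: the caller gets nothing it can use to find a process
End Function

' Name of the document whose macro is running, for the log entry and the warning.
Private Function CallerDocumentName() As String
    On Error Resume Next
    CallerDocumentName = ActiveDocument.FullName
    If Len(CallerDocumentName) = 0 Then CallerDocumentName = "(unknown document)"
End Function

' Append one tab-separated line per blocked call to a log file in %TEMP% (assumed
' location) so the attempted command line is preserved for later analysis.
Private Sub LogBlockedCall(ByVal source As String, ByVal cmd As String)
    On Error Resume Next   ' logging must never prevent the block itself
    Dim f As Integer
    f = FreeFile
    Open Environ$("TEMP") & "\blocked_macro_shell.log" For Append As #f
    Print #f, Format$(Now, "yyyy-mm-dd hh:nn:ss"); vbTab; source; vbTab; cmd
    Close #f
End Sub

' --- Part 2: constructed test macro, placed in the document itself ---
'
' Runs automatically when the document is opened (if macros are enabled) and tries
' to start calc.exe through cmd.exe. With the override in Part 1 loaded, the
' unqualified Shell here resolves to that function rather than to VBA's own Shell.
Sub AutoOpen()
    Shell "cmd.exe /c calc.exe", vbNormalFocus
End Sub
```

Two limits are worth keeping in mind. The override only intercepts an unqualified Shell: a macro that writes VBA.Shell or Interaction.Shell resolves straight to the library, and one that launches through CreateObject("WScript.Shell").Run, a Declare'd CreateProcess, or another COM object never calls Shell at all. Normal.dotm is also writable by the user, and therefore by any macro running as that user, so this is a speed bump rather than a security boundary.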

Option 2 – Patching associated API in VBE7.dll to alter behaviour

For a more surgical approach we can look at hooking the API in the DLL that is used when macro code is executed. Looking through the DLLs loaded into Word at runtime, we can observe that VBE7.dll exports a large number of functions that appear related to the execution of macro code. Below we can see a snapshot from the list of exports with one in particular highlighted, rtcShell, which warranted further investigation.

[Screenshot: excerpt of the VBE7.dll export list with rtcShell highlighted]

Digging into this function, we can see that it is nothing more than a small wrapper around the CreateProcess Windows API call. The particular code block that executes the process is shown below. Looking at the parameters being passed to the API, we can see that the EBX register holds a pointer to the name of the process to be executed. (The 32-bit register names show that this analysis was done against 32-bit Office; the 64-bit build of VBE7.dll passes its parameters in 64-bit registers under the x64 calling convention, so neither the disassembly nor the patch below carries over to it unchanged.)

[Screenshot: IDA disassembly of the CreateProcess call inside rtcShell, before patching]

At this point, if we want to alter the way the process is launched we can patch the instructions that set up the process creation flags, which are one of the parameters (dwCreationFlags) passed to the CreateProcess API. Alternatively, we could patch out the API call altogether to prevent the execution from occurring.

In this case we are going to leverage the CREATE_SUSPENDED process creation flag. The process is still created, but its primary thread starts in a suspended state and executes nothing until something calls ResumeThread on it, so the payload never runs.

[Screenshot: MSDN documentation for the CREATE_SUSPENDED process creation flag]

The patch sets the ECX register to 4, the numeric value of CREATE_SUSPENDED (0x00000004), and pushes it as the creation flags parameter of the CreateProcess call, replacing whatever flags rtcShell originally passed. Every process started through Shell is therefore created in a suspended state.

[Screenshot: IDA disassembly of the patched instructions]

Following this patch, a test macro designed to launch PowerShell was executed, and as we can see from the Process Explorer window, the process was placed into a suspended state. This mitigates its impact and gives endpoint protection sensors an opportunity to scan it and identify any threatening behaviour. Two caveats apply: nothing here terminates the suspended process, which remains until something kills or resumes it, and only the child is frozen; the macro itself continues to run inside Word, so anything it does without spawning a process (writing files, editing Normal.dotm, calling out through other COM objects) is untouched by this patch.

[Screenshot: Process Explorer showing the launched PowerShell process in a suspended state]
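To observe the effect of the patched creation flags without modifying VBE7.dll, here is an added VBA example (written for this edit, not the author's code and not part of the original post). It calls CreateProcessW directly with dwCreationFlags = CREATE_SUSPENDED, leaves the child frozen long enough to be inspected in Process Explorer, and then terminates it without ever resuming it. The declarations assume VBA7 (Office 2010 or later, either bitness); the PowerShell command line and the 15-second pause are arbitrary choices. It also illustrates the limit of Option 2: a macro that declares CreateProcess itself never passes through rtcShell, so the patch does not see it.

```vba
Option Explicit

' Windows structures used by CreateProcessW. VBA aligns UDT members on their
' natural boundaries, so these match the native layout on 32- and 64-bit Office.
Private Type STARTUPINFO
    cb As Long
    lpReserved As LongPtr
    lpDesktop As LongPtr
    lpTitle As LongPtr
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As LongPtr
    hStdInput As LongPtr
    hStdOutput As LongPtr
    hStdError As LongPtr
End Type

Private Type PROCESS_INFORMATION
    hProcess As LongPtr
    hThread As LongPtr
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Declare PtrSafe Function CreateProcessW Lib "kernel32" ( _
    ByVal lpApplicationName As LongPtr, ByVal lpCommandLine As LongPtr, _
    ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, _
    ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, _
    ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As LongPtr, _
    ByRef lpStartupInfo As STARTUPINFO, _
    ByRef lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare PtrSafe Function TerminateProcess Lib "kernel32" _
    (ByVal hProcess As LongPtr, ByVal uExitCode As Long) As Long
Private Declare PtrSafe Function CloseHandle Lib "kernel32" (ByVal hObject As LongPtr) As Long
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

' The flag the patch hard-codes into ECX: the primary thread is created suspended
' and runs nothing until something calls ResumeThread on it.
Private Const CREATE_SUSPENDED As Long = &H4

' Start cmdLine with CREATE_SUSPENDED; returns the new PID, or 0 on failure.
' CreateProcessW may write into the command line, hence the local String copy.
Private Function LaunchSuspended(ByVal cmdLine As String, ByRef pi As PROCESS_INFORMATION) As Long
    Dim si As STARTUPINFO
    Dim buf As String
    buf = cmdLine & vbNullChar
    si.cb = LenB(si)
    If CreateProcessW(0, StrPtr(buf), 0, 0, 0, CREATE_SUSPENDED, 0, 0, si, pi) <> 0 Then
        LaunchSuspended = pi.dwProcessId
    End If
End Function

' Demonstration: start PowerShell frozen, pause so it can be seen as "Suspended"
' in Process Explorer, then kill it before its first instruction ever runs.
Public Sub DemoSuspendedLaunch()
    Dim pi As PROCESS_INFORMATION
    Dim pid As Long
    pid = LaunchSuspended("powershell.exe -NoProfile -Command ""Write-Host hello""", pi)
    If pid = 0 Then
        MsgBox "CreateProcessW failed", vbCritical
        Exit Sub
    End If
    Debug.Print "Suspended child created, PID " & pid & " (inspect it now)"
    Sleep 15000
    TerminateProcess pi.hProcess, 1
    CloseHandle pi.hThread
    CloseHandle pi.hProcess
    Debug.Print "PID " & pid & " terminated without ever being resumed"
End Sub
```

Run DemoSuspendedLaunch from the VBA editor with Process Explorer open: the PowerShell process appears with a Suspended status and disappears after the pause. Because the handles are closed here without a ResumeThread, the child is discarded exactly as the patched rtcShell leaves it, except that in the patched case nobody cleans it up.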

These are just proof of concepts, and would require more research and work before they were used in a production environment. I still believe that the ideal state would be for Microsoft to implement more granular security controls against macros, allowing organisations to continue using them, but at the same time empowering them with the ability to limit their capabilities depending on individual risk appetites.

Any comments or feedback would be very welcome!

-Adam (Twitter: @CyberKramer)

Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!


To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1.     Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

·       Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

·       Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2.     Check out our jam-packed DFIR Summit agenda!

·       The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

·       The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

·       All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective of how the industry is evolving to fight against even the toughest of adversaries. But don’t take our word for it, have a sneak peek, check out some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

·       FOR500 – Advanced Windows Forensics

·       FOR585 – Advanced Smartphone Forensics

·       FOR610 – Reverse-Engineering Malware

·       FOR508 – Digital Forensics, Incident Response & Threat Hunting

·       FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

·       FOR578 – Cyber Threat Intelligence

·       FOR526 – Memory Forensics In-Depth

·       FOR518 – Mac and iOS Forensic Analysis and Incident Response

·       MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3.    All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future article post.

4.     Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5.     Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6.     Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7.     Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!

8.     Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT Workstation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9.     The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted). Voting will close at the end of the day on May 25, 2018.

10.  Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11.  Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!