# Hands on Threat Hunting Workshop

.footnote[By [Manindar Mohan](https://rejahrehim.com) and [Nash N Sultan](https://manieendar.me/)]

---
name: About us
class: middle, center

# [Manindar](https://rejahrehim.com)
## Sr Cyber Security Engineer at [Beagle Security](https://beaglesecurity.com)

# [Nash](https://manieendar.me)
## Sr Cyber Security Engineer at [Beagle Security](https://beaglesecurity.com)
---
name: Title
class: middle

## What is threat hunting?

Cyber threat hunting is an active information security strategy used by security analysts. It consists of searching iteratively through networks to detect indicators of compromise (IoCs); attacker tactics, techniques, and procedures (TTPs); and threats such as Advanced Persistent Threats (APTs) that are evading your existing security controls.

---
name: Title
class: middle

## Threat hunting activities include:

- *Hunting for insider threats or outside attackers*: Cyber threat hunters can detect threats posed by insiders, like an employee, or outsiders, like a criminal organization.
- *Proactively hunting for known adversaries*: A known attacker is one who is listed in threat intelligence services, or whose code pattern is on the denylist of known malicious programs.
- *Searching for hidden threats to prevent the attack from happening*: Threat hunters analyze the computing environment using constant monitoring. Using behavioral analysis, they can detect anomalies which could indicate a threat.
- *Executing the incident response plan*: When they detect a threat, hunters gather as much information as possible before executing the incident response plan to neutralize it. What they learn is used to update the response plan and prevent similar attacks.

---
name: malwaredef
class: middle, center

# What is malware?

--

A program that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

---
name: malwarehistory
class: middle, center

# From pranks to nuclear sabotage
### A brief history of major malware outbreaks

--

- Creeper (1971)
  - Creeper was an experimental computer program written by Bob Thomas at BBN in 1971; it is considered the first computer virus!

--

- Morris Worm (1988)
  - The first computer worm to spread extensively in the wild.

--

- ILOVEYOU (2000)
  - It arrived via email and sent itself to all of the victim's contacts. It also overwrote Office, image, and audio files. It infected over 50 million computers in less than 10 days!

--

- Zeus (2007)
  - A Trojan horse malware package with many capabilities, such as stealing banking information by man-in-the-browser keystroke logging and form grabbing.

--

- Stuxnet (2010)
  - It targets SCADA systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran.

--

- WannaCry (2017)
  - EternalBlue, NSA, The Shadow Brokers, Lazarus Group, Ransomware, Boom!

---
name: malwaretypes
class: middle, center

# Different Types of Malware

--

## Virus
Malware that is capable of copying itself and spreading to other computers.

--

## Trojan
Malware that disguises itself as a normal file or program to trick users into downloading and installing it.

--

## Ransomware
Ransomware is a form of malware that essentially holds a computer system captive while demanding a ransom.

--

## Worm
Worms spread over computer networks by exploiting operating system vulnerabilities.

---
name: malwaretypes
class: middle, center

# Different Types of Malware

## Rootkit
Malicious software designed to remotely access or control a computer without being detected by users or security programs.

--

## Spyware
Spyware is a type of malware that functions by spying on user activity without their knowledge.

--

## Keyloggers
Malicious software developed to monitor and record the keystrokes that the user enters through the keyboard.

---
name: malwarelifecycle
class: middle, center

# The Malware Life Cycle

--

## Infection
Infection almost always has a social aspect, such as getting users to click on a bad link in a phishing e-mail, luring them to a social networking site, or sending them to a web page with an infected image, for example.

--

## Persistence
Once a target machine is infected, the attacker needs to ensure persistence (the resilience or survivability of the bot).

---
class: middle, center

## Communication
Communication is fundamental to a successful attack. Malware must be able to communicate with other infected systems or controllers to enable command and control, and to extract stolen data from a target system or network.

--

## Command and control
Command and control rides on top of the communication platform that is established, but is really about making sure that the malware or attack is controllable, manageable, and updateable.
---
name: infectionmethods
class: middle, center

# Common Infection Methods used by Adversaries

--

## Social Engineering
The most common method attackers use to spread malware is social engineering. Attackers use carefully crafted lures to trick a victim into opening an attachment or clicking on a link that leads to a malicious file. Methods include:

--

- Email attachments

--

- Malicious URLs

--

- Malvertising

---
class: middle, center

## Network Protocols

--

An increasingly popular mechanism by which attackers infect victims is through exposed network protocols. Examples are RDP, SMB, etc.

--

## Drive-by Downloads

--

Another entry path that attackers use to deliver ransomware is what is known as a drive-by download. These are malicious downloads that happen without a user's knowledge when they visit a compromised website. When you visit the infected website, the malicious content probes your device for specific vulnerabilities and automatically executes the malicious code in the background.

---
class: middle, center

## USB drives and portable media

--

USB drives and portable computers are a common delivery vehicle for malware. Connecting an infected device can lead to infecting the local machine and potentially spreading across the network.

--

In 2016, Australian police issued a warning to citizens about USB drives containing malicious software appearing in mailboxes. The USB drives masqueraded as a promotional Netflix application, then once opened deployed ransomware onto the unsuspecting user's computer.

---
name: malwareanalysis
class: middle, center

# What is malware analysis?

--

Malware analysis is the study or process of determining the functionality, origin and potential impact of a piece of malware.

---
name: analysistechniques
class: middle, center

# Malware analysis techniques

--

There are two fundamental approaches to malware analysis:

--

## Static Analysis

--

## Dynamic Analysis

---
class: middle, center

## Preparing the Lab

--

Before you can run malware to perform dynamic analysis, you must set up a safe environment.

--

Why do you need a safe environment?

--

So how do we do it?
---
name: staticanalysis
class: middle, center

## Creating the virtual machines

- Windows
- Linux
- REMnux

---
name: staticanalysis
class: middle, center

## Setup of the analysis machine: INetSim, Burp

```
sudo su
echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
apt update
apt install inetsim
```

```
bash ~/Downloads/burpsuite_free_linux_v1_7_23.sh
```

---
name: staticanalysis
class: middle, center

## Setting up an isolated virtual network

- We want to set up an isolated network containing our VMs.
- This network will not be able to access the Internet.
- We want the analysis machine to act as the network gateway.

---
name: staticanalysis
class: middle, center

## VirtualBox Internal Network

For those familiar with VirtualBox, an internal network differs from a host-only network in that an internal network cannot access the host machine at all.

---
name: staticanalysis
class: middle, center

## Analysis machine

Open the file `/etc/network/interfaces` as `root`, and add the following at the end:

```
auto eth0
iface eth0 inet static
    address 10.0.0.1
    netmask 255.255.255.0
```

This will assign the machine the static IP 10.0.0.1 on our virtual network. We need to bring the interface up using: `sudo ifup eth0`

---
name: staticanalysis
class: middle, center

## Windows 7 victim machine

Right-click on the network icon in the taskbar (or go to `Start Menu` > `Control Panel` > `Network and Internet` > `Network and Sharing Center`), click on `Local Area Connection 2` > `Properties`, select `Internet Protocol Version 4`, and click on the `Properties` button. Assign the static IP `10.0.0.3`.

---
name: staticanalysis
class: middle, center

### Check the Connection

`ping 10.0.0.1`

---
name: staticanalysis
class: middle, center

## Creating and restoring snapshots

Just select `Machine` > `Take Snapshot`. You can name the snapshot "Clean state". It doesn't hurt to do it for your analysis machine as well.
---
name: staticanalysis
class: middle, center

## Fully-Automated Analysis

The easiest way to assess the nature of a suspicious file is to scan it using fully-automated tools. This helps when handling a large number of files.

- https://www.hybrid-analysis.com/
- https://sandbox.pikker.ee/

## Static Properties Analysis

An analyst interested in taking a closer look at the suspicious file might proceed by examining its static properties. Looking at static properties can sometimes be sufficient for defining basic indicators of compromise.

---
name: Title
class: middle, center

# Static Analysis

---
name: Title
class: middle

## Static Analysis

- Static analysis is the process of analyzing malware/binary without executing it.
- The objective is to extract useful information from the malware; this will help us get an idea of the type of malware and what the malware can do. This information is useful for future analysis as it allows us to analyze the sample efficiently going forward.

---
name: Title
class: middle

## Static analysis - approach

- Identifying the file type
  - Target OS, architecture and format (dll, exe)
- Identifying the malware
  - Generating a hash of the malware gives it a unique identifier. Use the hash to see if anyone else has analyzed the malware.
- Strings
  - Strings give us an idea/glimpse of what the malware can do.
- Packing & Obfuscation
  - Obfuscation & packing are techniques used to prevent detection. Unpacking or deobfuscating can reveal additional information.
- PE headers
  - The PE header reveals a lot of information on the malware functionality.

---
name: Title
class: middle

## Identifying the file type

- Identifying the file type is extremely important as it helps us identify the target OS and the corresponding architecture.
- An example of a Windows executable file is the PE (Portable Executable).
- A PE could be in the form of .exe, .dll etc.
- To accurately identify a file type we need to analyze the file signature. This is to avoid false positives caused by the use of double extensions.
- The file signature exists in the file header.
- The file signature for PE files is represented by the hexadecimal values 4D 5A, or `MZ`, in the first 2 bytes (0-1).
- PE programs also have the notice "This program cannot be run in DOS mode".
- The PE header itself begins with the bytes 50 45 (`PE`).

---
name: Title
class: middle

## Malware hashing

- Malware hashing is the process of generating cryptographic hashes for the file content of the target malware. We are hashing the malware file.
- The hashing algorithms used in malware identification are:
  - MD5
  - SHA-1
  - SHA-256
- The hashing process gives us a unique digest known as a fingerprint.
- This means we can create unique fingerprints for malware samples.

---
name: Title
class: middle

## Why should you hash?

- For accurate identification of malware samples, rather than relying on file names. Hashes are unique.
- Hashes are used to identify malware on malware analysis sites (VirusTotal).
- Hashes can be used to search for any previous detections or to check online whether the sample has been analyzed by other researchers.

---
name: Title
class: middle

## Strings analysis

- This is the process of extracting readable characters and words from the malware.
- Strings can give us valuable information about the malware functionality.
- Malware will usually contain useful strings and other random strings, also known as garbage strings.
- Strings are in ASCII and Unicode format.
- The types of strings we are looking for are:
  - File names
  - URLs
  - IP Addresses
  - Registry Keys

---
name: Title
class: middle

## Packers

- A packer is a tool that is used to compress the content of the malware.
- Attackers will use packers to obfuscate the content of the malware; this makes it difficult to analyze strings.
- Packers compress an executable; when the packed executable runs, it decompresses itself. Unpacking it lets us analyze the original unpacked executable.

---
name: Title
class: middle

## PE header

### Why is the PE header important?

- It contains all of the important and necessary information required by the OS to execute the executable.
- It contains information that specifies where the executable needs to be loaded into memory.
- It contains the libraries (DLLs) that the executable requires to be loaded.
- It contains information that specifies where execution begins.

---
name: Title
class: middle

## PE Header Structure
---
name: Title
class: middle

## PE Header Structure

---
name: Title
class: middle

## PE Sections
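As an added worked example (not part of the workshop material), the following parser walks the header structure and section table from these slides using nothing but `struct`: it checks the `MZ` and `PE` signatures, then reads the compile stamp, subsystem, entry point and section permissions that the next slide asks about. The PE it parses is constructed in code, and the packer heuristics (`W+X`, `raw=0`) are this example's own.

```python
"""Added example (not from the workshop): walk a PE file as the slides describe - check the
MZ signature, follow e_lfanew to 'PE\\0\\0', then read the COFF header, optional header and
section table, flagging layouts typical of packed samples."""
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINES = {0x14C: "x86", 0x8664: "x64"}
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}

def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":                                    # bytes 0-1: 4D 5A
        raise ValueError("no MZ signature: not a PE/DOS executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":             # 50 45 00 00
        raise ValueError("MZ stub without a PE header")
    coff = e_lfanew + 4                                       # 20-byte COFF file header
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                           # optional header
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B PE32, 0x20B PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint (RVA)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):                                     # 40-byte section headers
        off = opt + opt_size + 40 * i
        name, vsize, _, rawsize, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        flags = []
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append("W+X")        # writable code: unpacking stub or self-modifying code
        if rawsize == 0 and vsize > 0:
            flags.append("raw=0")      # nothing on disk, filled at run time (UPX-style layout)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rawsize": rawsize, "flags": flags})
    return {"arch": MACHINES.get(machine, hex(machine)), "pe32plus": magic == 0x20B,
            "compiled": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "entry_point": entry, "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "sections": sections}

def build_sample_pe(stamp: int = 1500000000) -> bytes:
    """Constructed header-only sample for the demo; it is not a real or runnable binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)       # e_lfanew = 0x80
    dos += b"This program cannot be run in DOS mode.\r\n$"
    dos += b"\0" * (0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, 2, stamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)                  # entry point
    struct.pack_into("<H", opt, 68, 2)                       # WINDOWS_GUI
    def sec(name, vsize, rawsize, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, 0, rawsize, 0, 0, 0, 0, 0, chars)
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + sec(b"UPX0", 0x8000, 0, 0xE0000080)           # uninitialised, R/W/X, raw size 0
            + sec(b".rsrc", 0x200, 0x200, 0x40000040))      # initialised data, read-only
```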
---
name: Title
class: middle

## Analyzing The PE Header

- The PE header contains the information the OS requires to run the executable.
- In static analysis, we are looking for information about the executable that can give us a glimpse of its functionality and origin.

### What information are we interested in?

- Compiler Stamp
  - When and where the malware was compiled.
- Subsystem
  - What subsystem is being used?
- Sections
  - Is the executable packed, and are there any inconsistent permissions?
- Libraries & Imports
  - What libraries and imports are being used, and what information do they give us about the functionality of the malware?

---
name: Title
class: middle

## Examining The Resources Section (.rsrc)

- The resources section contains all the necessary files and information that are used/required by the executable, for example icons and dialogs.

### Why is it important?

- Attackers can utilize the resources section to store more malicious files and data like payloads, droppers, configuration info etc.
- The resource section is also useful as it may contain information about the origin of the malware.

---
name: dynamicanalysis
class: middle, center

# Dynamic Malware Analysis

--

The basic dynamic analysis techniques involve running the malware and observing its behavior on the system in order to remove the infection, produce effective signatures, or both.

--

Advanced dynamic analysis uses a debugger to examine the internal state of a running malicious executable.

---
class: middle, center

# Let's begin
---
class: middle, center

## Diffing

--

Take a snapshot of a clean system state and a snapshot of a compromised system state.

--

By diffing the two, the artifacts can be observed easily, although we can miss evidence that is created during malware activity and purposely erased by the malware.

--

Tools: regshot, autoruns

---
class: middle, center

## System Monitoring

--

Starting from a clean system state, record every individual change to the system and every network flow that appears after the suspicious file is executed.

--

Tools: procmon, TCPView, Process Explorer, WinObj, strace, systrace, netstat

---
class: middle, center

## Network Monitoring

--

Malware often beacons out and eventually communicates with a command-and-control server.

--

### Packet Sniffing
Tools: wireshark

--

### Faking a Network
Tools: ApateDNS, INetSim, netcat

---
name: networkhandson
class: middle, center

# Hands-on

## Setting up INetSim and Burp

First, create your own copy of the INetSim .conf file and data directory:

```
mkdir malware-analysis
cp /etc/inetsim/inetsim.conf malware-analysis
sudo cp -r /var/lib/inetsim malware-analysis/data
cd malware-analysis
sudo chmod -R 777 data
```

---
class: middle, center

Change the following line in the file `inetsim.conf`

```
#service_bind_address 10.0.0.1
```

to

```
service_bind_address 0.0.0.0
```

---
class: middle, center

We have to disable systemd-resolved, a local DNS server shipped by default with Ubuntu, because it conflicts with INetSim's DNS server.

```
sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop
```

--

By default, INetSim's DNS server resolves all domain names to 127.0.0.1. We want any domain name to resolve to 10.0.0.1 (the analysis machine IP) instead, so uncomment the following line:

```
#dns_default_ip 10.0.0.1
```

---
class: middle, center

Set up the HTTPS bind port so that Burp can take port 443. Replace the following line

```
#https_bind_port 443
```

by

```
https_bind_port 8443
```

---
class: middle, center

Let's run INetSim!

```
sudo inetsim --data data --conf inetsim.conf
```

---
class: middle, center

## Setting up BurpSuite for SSL interception

To be able to analyze the SSL traffic, we also need to run Burp. We'll run it as a transparent proxy in front of INetSim. When a victim machine initiates an SSL connection, it first reaches Burp, which then proxies it to INetSim. Make sure that you run Burp as root.

---
class: middle, center

Create a project -> Proxy -> Options -> Edit Default Interface

```
Binding tab
  Bind to port: 443
  Bind to address: all interfaces
Request handling tab:
  Redirect to host: localhost
  Redirect to port: 8443
  Check Support invisible proxying
```

---
class: middle, center

## Installing Burp Certificates

In Burp, add a new proxy listener on port 8080, listening on all interfaces (tab Proxy > Options > button Add). Then, from the victim machine, browse to http://10.0.0.1:8080. Click on CA Certificate in the top-right corner to download Burp's CA certificate.

---
class: middle, center

On the Windows 7 victim machine: open the file, click Install certificate > Next > Place all certificates in the following store: Trusted Root Certification Authorities > Next

---
class: middle, center

Run

```
sudo update-ca-certificates
```

Firefox by default doesn't use the system's certificate store. If you want the SSL connection to work properly in Firefox as well, go to the Firefox settings, Advanced > Certificates > Import. Choose burp.crt and check "Trust this CA to identify websites".

---
class: middle, center

## Demonstration

Network Analysis of Malware

---
name: thanks
class: middle, center

# Thanks