Let's do one last thing to triple check our findings. Well nicely done! Still though, proof is in the pudding I guess. The svchost processes are both spawned from our very own WinHost.exe. Well I wasn't going to do it but just for completeness, (Thanks Eric) lets do our Pslist anyway and grep for our Winhost.exe pid 2268.Īnd there you have it. Still though, not quite satisfied and I've only just dipped my toes in the water. So at this point, I feel fairly confident that I have what I am looking for given the MZ header, the Vad Tag, and once again everything I already know and love about PoSeidon. Also of note is the shared VAD at 0x400000. I can see the obvious WinHost.exe with the 2268 Pid and two separate svchost.exe processes, Pids 18. In this example, I am using Rekall to quickly run malfind and then piping that to a grep command looking for MZ headers. Let's first have some fun with Malfind, chock full of false positives and VAD tags. Why doesn't this guy start with a Pslist and grep for WinHost? You're right, I could totally do that but that is not a PoSeidon Adventure and this would be a very short blog post. In this case I will forego the aforementioned steps and instead shoot to kill. I will typically start with these first and spit them out to a file to grep through later, however I have a very specific piece of malware that I am after and I already read Eric's blog. Psxview – Another plugin that can help detect hidden processes.Malfind – Uses VAD (Virtual Address Descriptor) tags and page permissions to detect injected code.Pstree – Another list of running processes but in a tree view.Pslist – This will get a list of running processes.As I said, I have a memory image and nothing else, so the list in my head before I dig deeper is: Every IR person has their own set of ways in which they start out, but the first few steps after acquisition are generally some form of triage. Last but not least I have a memory image that was acquired using WinPmem v 2.0.1.įirst thing's first! On any new case there is a little bit of triage that has to happen. In the following examples I'm giving, I will be using a SIFT box with the following: Trustwave would likely make me put a disclaimer on future posts if that were to happen. I want to make sure that if you're trying this at home you don't hurt yourself or someone else in frustration. Nothing is worse than a blogger that doesn't list out the tool versions they are using in the examples they give. So now that you have read up on it, you did didn't you?.We are ready to go! Should be easy enough, given all that we know about PoSeidon and if you find you need a refresher, there is a great article that our own Eric Merritt has written up on the topic here: In this particular case I have been handed a memory dump and tasked with determining if PoSeidon was running on the system. Exfiltration can vary from dump files on disk encrypted or not or the malware will send it out over port 80 or 443. These malware families come in all shapes, sizes and names but they are always running in memory and are waiting for Track data to flow through whereby it captures it and exfiltrates it. To be more specific, I deal with a lot of Track 2 memory scrapers. This checks for (just) an IP address, not many checks though, an Incident Responder I get the unique opportunity to see a lot of malware and in most cases that I investigate, the malware is of the card number stealing type. In Matching IPv4 Addresses - Regular Expressions Cookbook by O'Reilly you have some examples. When you use grep -P as suggested in another answer, you change the parsing engine. Keep in mind that regular expressions have many flavors and results may vary, depending on the engine being used. Your expression \d \.\d \.\d \.\d would match any four groups of digits separated by a dot, if \d matched a digit on its own. You can try to do it, to a certain level of accuracy: Note that regular expressions are not really meant for parsing things like IPv4 addresses.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |