When you are doing an IR, it is crucial that you find answers fast. You often have the client asking for daily updates as well as legal counsel asking you to find the answers ASAP. In this series of blog posts, we will look at some of the artifacts that indicate a system is compromised and show how to use free tools to find evil.
Part 1: Running Processes and Network Activity
One of the first things I do when responding to a breach is collect volatile data, beginning with the processes that are running and the current network activity. For this blog series we will be examining a machine that was targeted with a malicious payload disguised as an XLSX document. The victim found a USB drive in the parking lot, plugged it into their machine and opened the document, hoping to view sensitive corporate financials.
To start, we can examine the running processes on the machine and see if anything stands out. To gather this data, we ran the Windows tasklist -v command (documented as tasklist /v) from an administrator command prompt. One caveat: the last column of tasklist /v output is the window title, not the full command line, so if you need the arguments a process was started with, capture them separately with wmic process get ProcessId,ParentProcessId,CommandLine or, in PowerShell, Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,CommandLine. Having the parent PID as well lets you rebuild the process tree later.
A few odd processes stand out from that list: Confidential-Corp_Financials_2019.xslx.exe, rubyw.exe and cscript.exe. The first is the classic double-extension lure, a file named to look like a spreadsheet that is actually an executable. The command lines for the other two show that Ruby and Cscript are both executing very suspicious commands.
rubyw.exe is running a .rb file loaded from the user's AppData\Local\Temp directory and cscript.exe is running a .vbs script from the same place. Interpreters and script hosts launching scripts out of a user-writable temp directory are a very common initial-execution pattern, so those two things are very strong indicators that malware is running on the system.
Let's document these in our notes, then look at the current network connections to see which processes have them.
Next, we can correlate the suspicious process PIDs with the ones that show up in our network connections and see if we have any easy wins. To do this, I am using the output of the Tcpvcon tool from Sysinternals. Running it as tcpvcon -a -c -n lists all endpoints as CSV with unresolved addresses, which is the easiest form to correlate by PID; the built-in netstat -ano shows the same owning PID if you cannot bring tools onto the host.
We can see the suspect rubyw.exe process calling out to 144.202.116.190 as well as a new, randomly named process, QazKsgobqDJtl.exe, connecting to the same IP over non-standard ports. Two seemingly unrelated processes sharing one external destination is itself worth noting: it ties the random-named binary to the Ruby script before we know which one dropped the other. Any time we see activity like this, we have a very strong indicator that the machine is compromised.
As you can see, by collecting and examining just two pieces of data, running processes and network connections, we have two very good indicators that something evil is happening on this host.
But what if we didn't identify any suspect processes? One of the things I like to do is take the IP addresses listed in the network output and do a bulk search against VirusTotal, as well as a quick geolocation lookup, to see if anything stands out. Strip private, loopback and link-local addresses first so the list is only the external destinations. If an IP is flagged in VirusTotal, that is a quick indicator that something is not right. When doing a GeoIP lookup, I frequently check for connections to Europe (Russia) or Asia (China) to see if anything stands out, weighed against where the organization legitimately does business. I also look for connections to cloud and hosting providers like AWS, Vultr or Bluehost. Often, adversaries will stand up temporary infrastructure on these services to stage their attacks from, although a hosting-provider IP is only a lead, since plenty of legitimate SaaS runs there too. I have chased several Iranian crews that used Choopa LLC (Vultr) servers for their attacks.
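The Python below is an added worked example, not code from the original post, that carries out the two steps above offline: it flags the process indicators the post keys on (a document-looking name ending in .exe, a script host such as rubyw.exe or cscript.exe running a script from AppData\Local\Temp, an executable living in that Temp directory), joins each PID to the remote endpoints it holds, and then aggregates the public remote IPs by image and port into the list you would bulk-search in VirusTotal and geolocate. It generalizes the script-host check to other interpreters (wscript, mshta, PowerShell, Python). The process CSV is assumed to come from Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,CommandLine | Export-Csv -NoTypeInformation, since tasklist /v does not include command lines, and the Tcpvcon rows are assumed to follow the proto,image,pid,state,local,remote layout of tcpvcon -a -c -n. Both samples are constructed: the PIDs, the user name jdoe, the script names, the ports and the benign 8.8.8.8 destination are invented for illustration, while the image names and 144.202.116.190 are the ones the post reports.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample (PIDs, user name and script names invented; image names from the post),
# assumed to be written by: Get-CimInstance Win32_Process |
#   Select-Object ProcessId,ParentProcessId,CommandLine | Export-Csv -NoTypeInformation
PROCS_CSV = '''"ProcessId","ParentProcessId","CommandLine"
"5212","4412","""E:\\Confidential-Corp_Financials_2019.xslx.exe"""
"5420","5212","""C:\\Ruby26\\bin\\rubyw.exe"" C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage1.rb"
"5508","5212","cscript.exe //nologo C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage2.vbs"
"5760","5420","C:\\Users\\jdoe\\AppData\\Local\\Temp\\QazKsgobqDJtl.exe"
"1180","900","""C:\\Program Files\\Mozilla Firefox\\firefox.exe"""
'''
# Constructed sample in the assumed `tcpvcon -a -c -n` layout proto,image,pid,state,local,remote
# (check the column order against your own capture). Ports and 8.8.8.8 are invented;
# 144.202.116.190 is the address reported in the post.
TCPVCON_CSV = '''TCP,rubyw.exe,5420,ESTABLISHED,10.0.0.15:49812,144.202.116.190:8443
TCP,QazKsgobqDJtl.exe,5760,ESTABLISHED,10.0.0.15:49820,144.202.116.190:4444
TCP,firefox.exe,1180,ESTABLISHED,10.0.0.15:49700,8.8.8.8:443
TCP,svchost.exe,1080,LISTENING,0.0.0.0:135,0.0.0.0:0
'''

TEMP_MARKER = "\\appdata\\local\\temp\\"
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe", "powershell.exe",
                "rubyw.exe", "ruby.exe", "pythonw.exe", "python.exe"}
LURE_EXTS = (".xlsx", ".xslx", ".xls", ".docx", ".doc", ".pdf")
EXPECTED_PORTS = {80, 443}  # anything else is treated as non-standard here


def split_cmdline(cmdline):
    # Win32_Process quotes an exe path that contains spaces; split it off from the arguments.
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    exe, _, rest = cmdline.partition(" ")
    return exe, rest


def process_flags(cmdline):
    # The indicators the post keys on; an empty list means nothing odd.
    exe, args = split_cmdline(cmdline)
    name = exe.rsplit("\\", 1)[-1].lower()
    flags = []
    if TEMP_MARKER in exe.lower():
        flags.append("executable in AppData\\Local\\Temp")
    if any(name.endswith(ext + ".exe") for ext in LURE_EXTS):
        flags.append("document-looking name with .exe extension")
    if name in SCRIPT_HOSTS and TEMP_MARKER in args.lower():
        flags.append(name + " running a script from AppData\\Local\\Temp")
    return flags


def parse_tcpvcon(csv_text):
    # Yield (image, pid, remote_ip, remote_port) for rows that have a real remote end.
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 6:
            continue
        _proto, image, pid, state, _local, remote = row[:6]
        host, _, port = remote.rpartition(":")  # also handles '[ipv6]:port'
        ip = ipaddress.ip_address(host.strip("[]"))
        if state.upper() == "LISTENING" or ip.is_unspecified:
            continue
        yield image, int(pid), ip, int(port)


def triage(procs_csv, tcpvcon_csv):
    # Per PID: image, parent PID, process flags and the remote endpoints it holds.
    remotes = defaultdict(list)
    for _image, pid, ip, port in parse_tcpvcon(tcpvcon_csv):
        remotes[pid].append((str(ip), port))
    report = {}
    for row in csv.DictReader(io.StringIO(procs_csv)):
        pid = int(row["ProcessId"])
        exe, _ = split_cmdline(row["CommandLine"])
        report[pid] = {"image": exe.rsplit("\\", 1)[-1], "ppid": int(row["ParentProcessId"]),
                       "flags": process_flags(row["CommandLine"]), "remotes": remotes.get(pid, [])}
    return report


def external_ips(tcpvcon_csv):
    # Public remote IPs only (private, loopback, link-local dropped) with the images and
    # ports behind each: this is the list to bulk-search in VirusTotal and geolocate.
    by_ip = defaultdict(lambda: {"images": set(), "ports": set()})
    for image, _pid, ip, port in parse_tcpvcon(tcpvcon_csv):
        if ip.is_global:
            by_ip[str(ip)]["images"].add(image)
            by_ip[str(ip)]["ports"].add(port)
    return {ip: {"images": sorted(v["images"]), "ports": sorted(v["ports"]),
                 "non_standard_port": not v["ports"] <= EXPECTED_PORTS,
                 "multiple_images": len(v["images"]) > 1}
            for ip, v in by_ip.items()}


if __name__ == "__main__":
    for pid, p in triage(PROCS_CSV, TCPVCON_CSV).items():
        print(pid, p["ppid"], p["image"], p["flags"], p["remotes"])
    for ip, info in external_ips(TCPVCON_CSV).items():
        print(ip, info)
```

Run it as a script to print the per-process and per-IP views, or import it and call triage() and external_ips() on your own captures. The positional Tcpvcon parsing is the fragile part: confirm the column order on a row from your own output before trusting the PID join, and extend EXPECTED_PORTS to whatever the host is legitimately expected to talk to.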
In part 2 of this series, we will look at doing "dead box" forensics on the same machine and see if we can find answers fast there too.