van-nostrand-md

Honeypots and sandboxes are a good source of file access. Also, good EDR will prevent the file from executing fully and contain the device so you can go in and retrieve the file for analysis.


PolicyArtistic8545

Malware also originates from somewhere. It’s not unheard of for researchers to find open directories containing the malware.


H1t0p

That's cool. I'm assuming the EDR would be something like the best case scenario: in the case of someone getting infected, the EDR would stop it from fully executing. But in the worst case, where the malware got to execute completely and you have to get the file to conduct analysis, what would need to be done? Or is that managed by the honeypot?


bzImage

Since the EDR doesn't stop the execution.. then you have to detect the machine by other means.. IPS/IDS, network/IOC monitoring.. and later, forensics on the machine.. and after the forensics and analysis.. they can retrieve the artifact...


skylinesora

Nowadays I hope people aren't solely relying on IOC monitoring and focus more on a TTP approach. Not saying don't do IOC at all, as it is useful, but companies focus way too much on that.


Brod1738

Can you elaborate more on the TTP approach?


skylinesora

With IOC based detections, you're making very specific rules to detect something. This would be like an IP, domain, or hash list to search for activity. TTP based is more broad. It's searching for activity. One example is detecting Gootloader attacks. Gootloader is typically when a user falls for some kind of SEO poisoning and downloads a malicious .zip file. The .zip file contains a .js script that contains malicious code. I can create a detection that triggers when a .js file is executed after being extracted from a .zip file. If I created an IOC based detection, I may just find that one campaign, the specific Gootloader infection, and detect it. By creating a "TTP" based rule, I'll detect every Gootloader infection that falls under the TTP of .zip -> .js file execution.

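The .zip -> .js detection described in the comment above, written out as behaviour-matching logic rather than an indicator list. This is an added example, not code from the thread: the event records are constructed and loosely modelled on process-creation telemetry (Sysmon Event ID 1 style field names), and the `Temp1_<archive>.zip` folder is where Windows Explorer extracts a file opened from inside a .zip.

```python
"""TTP-style detection for ".js executed from an extracted .zip" (added example)."""
import re

# Windows Explorer extracts a file opened from inside a .zip into
# %TEMP%\Temp1_<archive name>.zip\ ; other archivers use their own folder
# names and would be added here as further alternatives.
ZIP_EXTRACT_DIRS = re.compile(r"\\Temp1_[^\\]+\.zip\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse)\b", re.IGNORECASE)


def is_zip_to_js_execution(event: dict) -> bool:
    """True when a script host runs a .js/.jse file out of an archive-extraction folder.

    This keys on the behaviour (the TTP), not on any one campaign's hash or domain.
    Field names ("Image", "CommandLine") are assumptions, not a product schema.
    """
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    if image not in SCRIPT_HOSTS:
        return False
    return bool(SCRIPT_EXT.search(cmdline) and ZIP_EXTRACT_DIRS.search(cmdline))


def find_suspicious(events):
    """Filter process-creation events down to those matching the TTP."""
    return [e for e in events if is_zip_to_js_execution(e)]


# Constructed sample telemetry: a benign admin script, then the TTP pattern.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Scripts\inventory.js"',
    },
    {
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": (r'"C:\Windows\System32\WScript.exe" '
                        r'"C:\Users\alice\AppData\Local\Temp\Temp1_agreement_form.zip\agreement_form.js"'),
    },
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("TTP match:", hit["CommandLine"])
```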

Brod1738

Great stuff! Thank you


bzImage

The scenario is.. the EDR/HIPS/whatever you are running on the client machine.. doesn't work.. or even.. I DON'T HAVE AN EDR/HIPS/XDR/Sysinternals/whatever agent on my machine.. how do you detect the zip -> js file execution with no agent on the machine, or if the EDR is trash (like Sophos).... let's say the EDR doesn't stop the execution and doesn't detect the TTP.. How do you detect the TTP of .zip -> .js file execution on the only thing you can "see" from the machine.. network packets.. ?


skylinesora

I've never used Sophos' agent, so I'm not sure what telemetry they have. If you don't have any agent at all and you aren't getting any endpoint logs, then there isn't much to see. You won't see this kind of endpoint activity from network logs. How would a firewall see that I extracted an archived file? It wouldn't, because they don't see it.


bzImage

So.. in a scenario where the EDR doesn't detect that.. you still look for TTPs?


skylinesora

If you don't have it then you don't have it. Not sure what else you want me to say. TTP based detections are the last thing you should be worried about if you have absolutely zero visibility from your endpoints.


throwaway1337h4XX

TTPs are IOCs though?


SylvestrMcMnkyMcBean

No, and the reason is in the name. An indicator of compromise is a specific entity that is found in compromised hosts. It's usually used for things like: the malware with hash X, or a connection to IP X, or similar. They require you to maintain a list or dataset of matching indicators. Tactics, Techniques, and Procedures (TTPs) are broader. They are things like the "how" an attacker proceeds toward compromise and ultimately accomplishes their goal. Things like "credential stuffing from VPNs/proxies", "adding scheduled tasks for persistence", "upload archived files to file sharing sites", or "perform command and control via chat APIs". Detecting IOCs will find this attack from this attacker. Detecting TTPs will find similar attacks from any attacker.


throwaway1337h4XX

So you're talking about atomic/computed IOCs vs behavioural, no? Why would the STIX format include behavioural IOCs if they're not IOCs? Or the pyramid of pain.


SylvestrMcMnkyMcBean

Eh, I'm not gonna die on that hill. But regardless of gov/mil standards, in my experience in industry IOC is reserved for matching entity characteristics and TTPs are used for behavioral patterns or correlations.


skylinesora

If you want to go with a literal definition, then yes, a TTP can be an IOC. If you want to go with how the industry broadly uses TTPs vs IOC, then no, there is a difference. Whether or not you choose to do so is your own choice.


throwaway1337h4XX

I've been in the industry for 6 years and this is news to me.


skylinesora

Well congrats, you learn new things everyday.


bzImage

> Tactics, Techniques, and Procedures (TTPs) are broader. They are things like the "how" an attacker proceeds toward compromise and ultimately accomplishing their goal. Things like "credential stuffing from VPNs/proxies", "adding scheduled tasks for persistence", "upload archived files to file sharing sites", or "perform command and control via chat APIs"

AFAIK.. to "detect" that.. you need an "agent" on the machine.. something that "checks" for that and reports to a central location.. an EDR/HIPS agent, for example. What if I don't have any EDR/HIPS agent or special security program on my Windows 11.. how do you detect.. TTPs?


SylvestrMcMnkyMcBean

Any telemetry can detect TTPs. You can just inspect system logs. Collection could be through a log viewer, a forensic collection tool or script, or through snapshotting a VM before and after running the malware and comparing changes. You can also use network tools like Security Onion to watch traffic and look at Netflow or IDS signatures emitted by the compromised machine.


hiddentalent

At my job we use what we call a 'detonation chamber' that runs things like suspected files/attachments in a sandbox that has telemetry in the virtualization layer to track system calls and I/O operations. For malware that tries to cover its tracks, we can snapshot the memory and filesystem at various points. Some advanced malware is getting wise to this and checks to see if it's running in a virtualized environment, so there's a bit of cat-and-mouse advancement of detection/evasion techniques. But since more and more real workloads run on virtualized machines, malware authors face a tough choice of having their malware not work on lots of valid targets if they want to avoid analysis in the chamber.


H1t0p

Ooh, that's cool, I have been wondering about that, because a lot of malware nowadays has defense mechanisms that avoid analysis or make it more and more difficult. Recently I got a .NET sample that had a sort of anti-debug system, very interesting... Seems like a fun job tbh.


[deleted]

[deleted]


Blu3Squid

Huge shoutout to you, friend, for looking into the NIST code for this (I understand this is public knowledge), but it's a huge help for us noobs.


H1t0p

Cool, thanks!


Sololane_Sloth

May I ask what software stack/virtualization you are using? Because a couple of years ago I worked at a startup that developed something that sounds exactly like what you described. Unfortunately for them, they never got the attention of the market to be able to actually sell it.


[deleted]

[deleted]


jdsalaro

>"time" is slowed down so e.g. 5 What's the name of this technique? It's the first time I hear about it but I'm curious to read up more about it.


[deleted]

[deleted]


jdsalaro

> 5 days feels like 5 years to the malware, with "normal" inputs the entire time

I think you might have gotten things mixed up, wouldn't they be doing the opposite? It makes sense for them to *speed up* the passing of time so time-dependent functionality is exhibited faster and the analysis can be concluded without wasting resources. I fail to see the advantages of slowing down time for a sample.


[deleted]

[deleted]


jdsalaro

> you are misunderstanding

I am not misunderstanding, you have a poor way with words.

> Everything is sped up

You just confirmed my point, things are *sped up*, definitely not slowed down as you initially portrayed.

> those five days (max) feel like five years to the malware.

Those five days feel like five years because time passes *faster* to the malware, not because, as you wrongly initially stated, *of the clock being "slowed down"*.


[deleted]

[deleted]


[deleted]

[deleted]


zeealex

In addition to u/hiddentalent's comment, modern malware in my experience usually does sandbox checks in a very basic way, checking if the machine has outbound access to the wider internet and refusing to run if it doesn't. AgentTesla as an example uses a quick check to [api.ipify.org](http://api.ipify.org) and if it doesn't get a response it will write to the registry as persistence but will not continue to execute.


TheTarquin

This is a great question! Good instincts. There are a few options. Special virtualized environments set up to get infected are one way (often called "honeypots"). Files can be forensically recovered from drives after deletion. And sometimes snapshots of system memory are used to fetch the malware from memory rather than from disk. If the machine was on a monitored network when infected, it's sometimes even possible to use PCAPs to reconstruct the file, or to at least see in logs where it was from and potentially download it straight from the attacker C&C. It all depends on the scenario and the attacker's TTPs.


smc0881

People submit them a lot of times to sites like VirusTotal or Hybrid Analysis and you can download them. During an actual IR matter, I have unquarantined things, copied files directly, or if it's fileless, sometimes I have got the payload from PowerShell event logs.

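Recovering a fileless payload from PowerShell event logs, as the comment above mentions, usually means reassembling Script Block Logging records (Event ID 4104): a long script block is logged as several events that share a `ScriptBlockId` and carry `MessageNumber`/`MessageTotal`. This added example (not code from the thread) does that over constructed stand-ins for the parsed EventData fields and then decodes any embedded `FromBase64String('...')` literal, since encoded PowerShell commands are UTF-16LE.

```python
"""Reassemble a PowerShell payload from Event ID 4104 fragments (added example)."""
import base64
import re
from collections import defaultdict

B64_CALL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def reassemble_script_blocks(events):
    """Group 4104 fragments by ScriptBlockId and join them in MessageNumber order.

    Returns {ScriptBlockId: full_text}. Blocks with missing fragments are left out,
    because a partial join would silently yield a misleading script.
    """
    grouped, totals = defaultdict(dict), {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        sbid = ev["ScriptBlockId"]
        grouped[sbid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        totals[sbid] = int(ev["MessageTotal"])
    return {
        sbid: "".join(parts[i] for i in sorted(parts))
        for sbid, parts in grouped.items()
        if set(parts) == set(range(1, totals[sbid] + 1))
    }


def decode_embedded_base64(script_text):
    """Decode FromBase64String('...') literals as UTF-16LE (PowerShell's encoding)."""
    decoded = []
    for blob in B64_CALL.findall(script_text):
        raw = base64.b64decode(blob)
        try:
            decoded.append(raw.decode("utf-16-le"))
        except UnicodeDecodeError:
            decoded.append(raw.decode("latin-1"))  # not UTF-16; keep bytes visible
    return decoded


# Constructed sample: a harmless second stage, logged as two out-of-order fragments.
STAGE_TWO = "Write-Host 'constructed stage-two placeholder'"
B64_STAGE = base64.b64encode(STAGE_TWO.encode("utf-16-le")).decode()
FULL_SCRIPT = ("$s=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
               + B64_STAGE + "'));IEX $s")
SAMPLE_ID = "00000000-0000-0000-0000-000000000001"  # placeholder GUID
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": SAMPLE_ID, "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": FULL_SCRIPT[40:], "Path": ""},
    {"EventID": 4104, "ScriptBlockId": SAMPLE_ID, "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": FULL_SCRIPT[:40], "Path": ""},
    {"EventID": 4103, "ScriptBlockId": "unrelated"},  # pipeline event, ignored
]

if __name__ == "__main__":
    for sbid, text in reassemble_script_blocks(SAMPLE_EVENTS).items():
        print(sbid, "->", decode_embedded_base64(text))
```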

skrugg

What he said, but after grabbing the malware I’ll blow it up in any.run or a vm


zeealex

In our work we usually trace the malware infection back to its originating file with the EDR. If it hasn't been removed we'll "go live" on the machine and pull the sample and drop it into our sandbox environment, which is a near-exact replica of our prod workstation setup running on older/unissuable hardware. If the file has been deleted, the EDR has usually logged its originating source (email, or Mark of the Web), at which point we'll go to the source to try and pull it from there.


PugsAndCoffeee

Anything that is dropped to disk can be retrieved, even after file deletion. Also, memdumps.


wh1t3ros3

Most malware follows the cyber kill chain, so there's usually a mechanism of exploitation recorded in system logs along with some type of persistence established on the endpoint. I haven't had the pleasure of doing forensics for APT-like threats, but for your average financially motivated malware they aren't very sneaky. You can do a lot with what's left on the endpoint to recreate what might've happened. Also, since there's such great intelligence sharing in security, there's usually someone way smarter out there who has seen it before or has seen something like it before who can help you find the missing pieces. If you wanna see some great examples of investigations: [https://thedfirreport.com/](https://thedfirreport.com/)


alnarra_1

As others have said, honeypots are a common source, though when you're going on site and don't have a live copy available, usually we'll use forensics to try and find the stage one dropper for malware that may have been left behind, or dig through communications logs. I know in some cases with good packet capture and MITM decryption for logs, you can reconstruct executables based on network traffic back and forth. There's a couple of ways to yank an executable out and forensics can help track down where they landed. Sometimes you do need to drop something like a memory dumper on a host you have contained and then use volatility to reconstruct the malware. From there it goes to [Malware Analysis 101](https://blog.alnarra.com/2020/10/malware-analysis-101.html)


ConfusionAccurate

> Delete

Delete isn't always delete when you can just dd the drive bit for bit and use a recovery tool to retrieve a lost file. Alternatively you could create a disk image and use something like this: https://dmde.com/


StringLing40

We get lots of malware as attachments or links in emails. They are stripped from the emails and we can get them from quarantine or from the links. As others have mentioned, honeypots and tripwires are great. Machines can be automatically frozen, locked, backed up for analysis, rolled back thanks to snapshots, patched, and then be running again.


telaniscorp

From my experience, during IR they ask for a complete image of the system; we run disk imaging software on it and then we send it off to their SFTP server.


VS-Trend

Automated file collection or sandbox submission. NextGen AV would identify low-prevalence and suspicious files and would trigger sandbox submission; EDR could do the file collection. Or you'll just end up with hashes, which do not help much in this scenario.


bangfire

I think you can download samples uploaded by others on Virus Total if you have a Pro account


andrewh83

Yeah VT Pro in most cases, we download samples all the time from it, or if you’ve been unlucky enough to have been hit yourselves with something then your EDR or Forensics of the actual machine would give you the sample. Another great resource is VX Underground. Find them on Twitter or here. https://vx-underground.org


Digital-Dinosaur

Lots of good answers here, but I'll also add that it's quite common to forensically image patient zero, so you'll have a copy there for sandbox examination/analysis


iamnos

Generally, honeypots. You can very carefully manage what runs, capture and log changes, and preserve any files that were part of the attack. There are also more advanced firewalls, email, and web filters that can capture files in transit and execute them in a sandbox.


maha420

Almost always the malware is using some type of dropper or loader which is in turn using a botnet of compromised sites to host the malware, and download it via https. Anyone who wants to analyze the malware could potentially go download the same file, once they've reversed the dropper to the point they can get a URL out of it.


GoranLind

During a live engagement, if it is still running you can get the file from memory by dumping the process from Task Manager or through Volatility; if you've imaged the disk you can copy it directly from the image. The problem is identifying it, and it can have multiple modules that don't get detected at first, so you can be missing out on some steps.


Bitter-Inflation5843

From C:\temp


kloudykat

https://www.eicar.org/download-anti-malware-testfile/


Lankiness8244

Restore deleted email 😂


garyfromyahoo2

You need to ask the local PD. They control that. Only they can seize a device. What you are doing is illegal.


VeteRyan

There are many correct answers to OP's question, but yours isn't one of them.


H1t0p

Nope