Triage Practical – Malware Event – Prefetch $MFT IDS
Sunday, November 22, 2015
Another Monday morning as you stroll into work. Every Monday morning you have a set routine and this morning was no different. You were hoping to sit down into your chair, drink some coffee, and work your way through the emails that came in over the weekend. This morning things were different. As soon as you entered the office, your ISO had a mandatory meeting going on and they were waiting for you to arrive. As you entered the meeting the ISO announces “each week it seems like another company is breached. The latest headline about Company XYZ should be our wake up call. The breach could had been prevented but it wasn’t since their security people were not monitoring their security products and they never saw the alerts telling them they had a problem.” At this point you started to see where this was going; no one at your company pays any attention to all those alerts from the various security products deployed in your environment. Right on cue the ISO continued “what happened at Company XYZ can easily happen here. We don't have people looking at the alerts being generated by our security products and even if we had the bodies to do this we have no processes in place outlining how this can be accomplished.” As you sipped your coffee you came close to spitting it out after you heard what came next. The ISO continued “I directed junior security guy to look at the IDS alerts that came in over the weekend. He said something very suspicious occurred early Saturday morning on August 15, 2015.” Then the ISO looked directly at you “I need you to look into whatever this activity is and report back what you find.” “Also, make sure you document the process you use since we are going to use it as a playbook for these types of security incidents going forward.”
The above scenario outlines the activity leading up to the current malware security event. Below are some of the initial questions you need to answer and report back to the ISO.
* Is this a confirmed malware security event or was the junior analyst mistaken?
* What type of malware is involved?
* What potential risk does the malware pose to your organization?
* Based on the available information, what do you think occurred on the system to cause the malware event in the first place?
In an organization’s network you have a wealth of information available to you for you to use while triaging a security incident. Despite this, to successfully triage an incident only a subset of the data is needed. In this instance, you are provided with the following artifacts below for you to use during your triage. Please keep in mind, you may not even need all of these.
* IDS alerts for the timeframe in question (you need to replay the provide pcap to generate the IDS alerts. pcap is not provided for you to use during triage and was only made available to enable you to generate the IDS alerts in question)
* Prefetch files from the system in question (inside the Prefetch.ad1 file)
* File system metadata from the system in question (the Master File Table is provided for this practical)
The below items have also been provided to assist you working through the triage process.
* The jIIr-Practical-Tips.pdf document shows how to replay the packet capture in Security Onion and how to mount the ad1 file with FTK Imager.
* The file hash list from the system in question. This is being provided since you do not access to the system nor a forensic image. This can help you confirm the security event and any suspicious files you may find.
The 2015-11-22_Malware-Event Prefetch MFT IDS practical files can be downloaded from here
The 2015-11-22_Malware-Event Prefetch MFT IDS triage write-up is outlined in the post Triage Practical Solution – Malware Event – Prefetch $MFT IDS
For background information about the jIIr practicals please refer to the Adding an Event Triage Drop to the Community Bucket article
Triage Scenario
The above scenario outlines the activity leading up to the current malware security event. Below are some of the initial questions you need to answer and report back to the ISO.
* Is this a confirmed malware security event or was the junior analyst mistaken?
* What type of malware is involved?
* What potential risk does the malware pose to your organization?
* Based on the available information, what do you think occurred on the system to cause the malware event in the first place?
Information Available
In an organization’s network you have a wealth of information available to you for you to use while triaging a security incident. Despite this, to successfully triage an incident only a subset of the data is needed. In this instance, you are provided with the following artifacts below for you to use during your triage. Please keep in mind, you may not even need all of these.
* IDS alerts for the timeframe in question (you need to replay the provide pcap to generate the IDS alerts. pcap is not provided for you to use during triage and was only made available to enable you to generate the IDS alerts in question)
* Prefetch files from the system in question (inside the Prefetch.ad1 file)
* File system metadata from the system in question (the Master File Table is provided for this practical)
Supporting References
The below items have also been provided to assist you working through the triage process.
* The jIIr-Practical-Tips.pdf document shows how to replay the packet capture in Security Onion and how to mount the ad1 file with FTK Imager.
* The file hash list from the system in question. This is being provided since you do not access to the system nor a forensic image. This can help you confirm the security event and any suspicious files you may find.
The 2015-11-22_Malware-Event Prefetch MFT IDS practical files can be downloaded from here
The 2015-11-22_Malware-Event Prefetch MFT IDS triage write-up is outlined in the post Triage Practical Solution – Malware Event – Prefetch $MFT IDS
For background information about the jIIr practicals please refer to the Adding an Event Triage Drop to the Community Bucket article
Hi Corey,
Looks like a fun challenge. Did you intend to include the MFT in the zip file download? I only see the file hash list, tips PDF, PCAP, and prefetch file.
@Matt,
The $MFT is in there. On your system make sure you uncheck the default setting "Hide Protected Operating System Files) in the folder options. If this option is left then you won't see the $MFT when you unzip the archive
@Corey,
As I'm writing up my analysis for this practical, I had a suggestion for further practicals.
Would it be possible to include a hash listing of the provided evidence files?
Maintaining and verifying the integrity of evidence should be included in any investigative process. This would also allow us to verify that the evidence is exactly as you saw it so we get the same results.
Hi Mr.Harrell, I really enjoyed doing this challenge. Hope you continue posting more as it would be very beneficial to beginners like me. I have posted my writeup here. http://anirudhrata.blogspot.in/2015/12/jiir-triage-practical-event-prefetch-writeup.html
Nice job Corey, when can we expect the next addition?
@Nick,
In future practicals I'll include the hashes for the files to make it easier to confirm the files downloaded correctly.
@anon,
It takes time to do the write-ups for the approach I take to triage the malware event. There will be a time of two to three weeks before I post the solution. With this said, the solution was posted this evening.