Triage Practical – Malware Event – Proxy Logs Prefetch $MFT IDS

Wednesday, January 6, 2016 Posted by Corey Harrell 0 comments
The ISO was thrilled and excited about the possibilities after you successfully triaged the previous suspicious network activity. They got a glimpse of the visibility one attains through security monitoring and the information one can get leveraging incident response. As you sit at your desk drinking a Mountain Dew you don’t have time to reflect on the days when your security team was like an ostrich with its head buried in the sand. You are slowly working on improving and formalizing your organization’s security monitoring and detection capabilities as you detect and respond to security events. In the background you hear the junior security guy say “we got another one.” You already know he is referring to a malware infection so you say to him “Grab a screenshot of the alerts and send it to me in an email.” As you wait for the email to arrive you start to wonder is it wrong to get excited and look forward to an alert that means your organization may have a problem. You brushed the thought aside as the email arrives and you see the screenshot below (dates and times have been censored). You put down the Mountain Dew and put your hands to the keyword as you start putting your malware triage process to the test.




Triage Scenario


The above scenario outlines the activity leading up to the current malware security event. Below are some of the initial questions you need to answer and report back to the ISO.

        - Is this a confirmed malware security event or was the junior analyst mistaken?
        - What do you think occurred on the system to cause the malware event in the first place?
        - What type of malware is involved and what capabilities does it have?
        - What potential risk does the malware pose to your organization?
        - What recommendation(s) do you make to the security team to strengthen its security program to reduce similar incidents occurring in the future?


Information Available


In an organization’s network you have a wealth of information available to you for you to use while triaging a security incident. Despite this, to successfully triage an incident only a subset of the data is needed. In this instance, you are provided with the following artifacts below for you to use during your triage. Please keep in mind, you may not even need all of these.

        - IDS alerts for the timeframe in question (you need to replay the provide pcap to generate the IDS alerts. pcap is not provided for you to use during triage and was only made available to enable you to generate the IDS alerts in question)
        - Parsed index.dat files to simulate proxy web logs (the parsed index.dat information was modified to remove items not typically found in a web server’s proxy logs)
        - Prefetch files from the system in question (inside the Prefetch.ad1 file)
        - Filesystem metadata from the system in question (the Master File Table is provided for this practical)


Supporting References


The below items have also been provided to assist you working through the triage process.

        - The jIIr-Practical-Tips.pdf document shows how to: update the IDS signatures in Security Onion, replay the packet capture in Security Onion, and mount the ad1 file with FTK Imager.

        - The file hash list from the system in question. This is being provided since you do not access to the system nor a forensic image. This can help you confirm the security event and any suspicious files you may find.

        - The file hashes of the practical files for verification purposes



The 2016-01-06_Malware-Event Web Logs Prefetch MFT IDS practical files can be downloaded here

The 2016-01-06_Malware-Event Web Logs Prefetch MFT IDS triage write-up is outlined in the post Triage Practical Solution – Malware Event – Proxy Logs Prefetch $MFT IDS 


For background information about the jIIr practical’s please refer to Adding an Event Triage Drop to the Community Bucket article
Labels: , , ,