We have an incident with a local company computer. It has all the antimalware protections, Host IPS and Windows GPO that prevent people from executing nasty things, but still we notice something suspicious on the network and it seems to be used to exfiltrate information. What should we do to get clues about what is happening?
Memory forensics can help us here. We need to get a memory image first. This will be done using the ManTech MDD tool (http://www.mantech.com/msma/mdd.asp):
Once we have the image, we need a tool that can extract the artifacts inside it so we get evidence for our case. We will use the Volatility framework (https://www.volatilesystems.com/default/volatility). It's an open source tool written in Python that can dig into Windows XP memory images and gather information such as the sockets created, the process list, the DLLs loaded by each process, the active connections of each process, the memory addresses used by a process, the files opened by each process, and the registry keys active for each process. Let's see its usage by typing "python volatility":
Let's look at the process list and try to find something odd. We need to type "python volatility pslist -f memory.dmp":
Now we have something: PID 2316 seems to be netcat. Let's see whether it is currently performing any transfer by checking the active connections on the host with "python volatility connections -f memory.dmp":
No transfer is currently being made. Could netcat be listening? Let's check for any created sockets by typing "python volatility sockscan -f memory.dmp":
Now we have something! Netcat seems to be listening on TCP (protocol 6) port 1234. You can check protocol numbers in the IANA protocol numbers list. Where is it writing? Let's check for opened files by typing "python volatility files -f memory.dmp":
It seems to be waiting with an Excel file ready to be taken out. I'll show more cases in future posts.
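The triage above can be automated by joining the three Volatility outputs on PID and flagging any process that both listens on TCP and holds a document handle. This is an added example, not code from the diary or the Volatility project; the three tables are constructed samples in a simplified whitespace-separated layout, which is an assumption rather than Volatility's exact output format.

```python
# Correlate pslist / sockscan / files output by PID to find a process that
# listens on a TCP socket while holding a document open (the netcat pattern
# from the diary). Input tables below are CONSTRUCTED samples; the layout
# (header row, whitespace-separated columns) is assumed, not Volatility's own.
import re

PSLIST = """\
PID  PPID Name
4    0    System
2316 1892 nc.exe
"""
SOCKSCAN = """\
PID  Port Proto
2316 1234 6
4    445  6
"""
FILES = """\
PID  File
2316 \\Device\\HarddiskVolume1\\Docs\\payroll.xls
4    \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SAM
"""

# File extensions that suggest a document staged for exfiltration.
DOC_EXT = re.compile(r"\.(xls|xlsx|doc|docx|pdf|csv)$", re.IGNORECASE)

def parse_table(text):
    """Turn a header + rows table into a list of dicts keyed by header names.
    The last column may contain spaces (process names, paths)."""
    lines = text.strip().splitlines()
    cols = lines[0].split()
    return [dict(zip(cols, line.split(None, len(cols) - 1))) for line in lines[1:]]

def correlate(pslist, sockscan, files):
    """Return {pid: {'name', 'listening', 'docs'}} for every listed process."""
    info = {}
    for p in parse_table(pslist):
        info[int(p["PID"])] = {"name": p["Name"], "listening": [], "docs": []}
    for s in parse_table(sockscan):
        pid = int(s["PID"])
        if pid in info and s["Proto"] == "6":   # IANA protocol 6 = TCP
            info[pid]["listening"].append(int(s["Port"]))
    for f in parse_table(files):
        pid = int(f["PID"])
        if pid in info and DOC_EXT.search(f["File"]):
            info[pid]["docs"].append(f["File"])
    return info

def flag_exfil_candidates(pslist=PSLIST, sockscan=SOCKSCAN, files=FILES):
    """PIDs that both listen on TCP and hold a document: review these first."""
    info = correlate(pslist, sockscan, files)
    return sorted(pid for pid, d in info.items() if d["listening"] and d["docs"])
```

On the sample data the only PID returned is 2316, the netcat listener with the spreadsheet open.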
Manuel Humberto Santander Peláez is the Chief Information Security Officer of Empresas Públicas de Medellín E.S.P. He currently holds the GCFA, GCIA, GNET, GCFW, GCIH and GSEC certifications.