Earlier this year, SANS created the most in-depth incident response training scenario that spans multiple systems in FOR508: Advanced Forensic Analysis and Incident Response. We discussed the entire scenario in a blog post titled "Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results".
One of the biggest complaints in the DFIR community is the lack of realistic data to learn from. Starting a year ago, I set out to change that by creating a realistic scenario based on the experiences of the entire cadre of SANS instructors, with additional experts reviewing and advising on the attack "script". The result is an incredibly rich and realistic attack scenario across multiple Windows-based systems in an enterprise environment, built for the new FOR508: Advanced Forensics and Incident Response course. Our main goal was to place the student in the middle of a real attack that they have to respond to.
The purpose is to give attendees of the new FOR508 real filesystem and memory images that they examine in class to detect, identify, and forensicate APT-based activity across these systems. Our goal was to create "real world" attack data for our SANS courses, so our students get a direct feel for what it is like to investigate advanced adversaries.
As a part of that exercise, the main spearphishing attack delivered its payload through a Java applet attack. It can be clearly seen in this super timeline created as a part of the course. We find the exact pivot point in the timeline using memory analysis, with both Redline from MANDIANT and Volatility in the SIFT Workstation.
Over the past few weeks, several tools have been released to parse the Java cache IDX files, which record the download of the Java-based malware seen in this attack: the URL the JAR or applet was fetched from, the server's HTTP response headers, and the associated timestamps.
IDX Format Links:
- ForensicsWiki Java by Joachim Metz (thanks to Corey Harrell for pointing this out)
- Java IDX Format by Mark Woan
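The following parser is an added example for this post; it is not the SANS course material or any of the IDX tools linked above. It walks the cache-version 605 layout described in those write-ups (a fixed 128-byte header followed by section 2 with the download URL and HTTP headers), builds a constructed sample entry for a hypothetical applet JAR so it runs offline, and emits rows that can be dropped straight into a super timeline. The URL, timestamps and header values in the sample are made up for illustration; cache version 602 uses a different header layout and is rejected rather than guessed at.

```python
"""Parse a Java cache .idx entry (cache version 603-605 layout).

Added example; not the SANS course material or any of the linked IDX tools.
Offsets follow the public IDX format write-ups: section 1 is a fixed 128-byte
header, section 2 holds the Java version string, the download URL, the
namespace and the HTTP response headers the server sent for the file.
"""
import struct
from datetime import datetime, timezone

HEADER_SIZE = 128                       # section 2 starts here in 603-605 files
SUPPORTED_VERSIONS = (603, 604, 605)    # assumption: identical section-1/2 layout


def _read_utf(buf, off):
    """Java DataOutputStream.writeUTF: 2-byte big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("string runs past end of file at offset %d" % off)
    return buf[off:off + n].decode("utf-8", errors="replace"), off + n


def _java_time(ms):
    """Java stores times as milliseconds since the Unix epoch; 0 means unset."""
    if ms <= 0:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def parse_idx(buf):
    """Return the fields an investigator wants from one .idx file as a dict."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("file shorter than the 128-byte header")
    busy, incomplete, cache_ver = struct.unpack_from(">BBi", buf, 0)
    if cache_ver not in SUPPORTED_VERSIONS:
        raise ValueError("unsupported cache version %d" % cache_ver)
    (shortcut, content_len, modified, expires, validated,
     signed, sec2_len, sec3_len, sec4_len) = struct.unpack_from(">BiqqqBiii", buf, 6)

    sec2_end = HEADER_SIZE + sec2_len
    if sec2_len < 0 or sec2_end > len(buf):
        raise ValueError("section 2 length %d exceeds file size" % sec2_len)
    off = HEADER_SIZE
    version, off = _read_utf(buf, off)
    url, off = _read_utf(buf, off)
    namespace, off = _read_utf(buf, off)
    (count,) = struct.unpack_from(">i", buf, off)
    off += 4
    headers = {}
    for _ in range(max(count, 0)):
        if off >= sec2_end:
            raise ValueError("header list runs past section 2")
        key, off = _read_utf(buf, off)   # the status line is stored under "<null>"
        val, off = _read_utf(buf, off)
        headers[key] = val
    return {
        "cache_version": cache_ver, "busy": busy, "incomplete": incomplete,
        "content_length": content_len, "known_to_be_signed": bool(signed),
        "last_modified": _java_time(modified), "expiration": _java_time(expires),
        "validation": _java_time(validated), "java_version": version,
        "url": url, "namespace": namespace, "headers": headers,
    }


def timeline_rows(rec, source="JAVA IDX"):
    """Rows of (utc_iso, source, description) ready to merge into a super timeline."""
    rows = []
    for field in ("last_modified", "validation", "expiration"):
        if rec[field]:
            desc = "%s %s (%d bytes)" % (field, rec["url"], rec["content_length"])
            rows.append((rec[field], source, desc))
    return sorted(rows)


def _write_utf(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_sample_idx():
    """Constructed 605-format entry for a hypothetical applet JAR (not a real capture)."""
    headers = [
        ("<null>", "HTTP/1.1 200 OK"),
        ("content-type", "application/java-archive"),
        ("content-length", "4096"),
        ("last-modified", "Fri, 04 Jan 2013 16:19:20 GMT"),
    ]
    sec2 = (_write_utf("1.0")
            + _write_utf("http://applet.example.test/Update.jar")   # hypothetical URL
            + _write_utf("")
            + struct.pack(">i", len(headers))
            + b"".join(_write_utf(k) + _write_utf(v) for k, v in headers))
    sec1 = struct.pack(">BBi", 0, 0, 605)
    sec1 += struct.pack(">BiqqqBiii", 0, 4096,
                        1357316360000,   # last modified: 2013-01-04T16:19:20Z
                        0,               # no expiration set
                        1357318000000,   # validated:     2013-01-04T16:46:40Z
                        0, len(sec2), 0, 0)
    return sec1.ljust(HEADER_SIZE, b"\x00") + sec2


if __name__ == "__main__":
    for row in timeline_rows(parse_idx(build_sample_idx())):
        print("\t".join(map(str, row)))
```

Run against real files with `parse_idx(open(path, "rb").read())`. The length checks matter in practice: an entry written while the download was still in flight (busy/incomplete flags set) or a partially overwritten file will have a section 2 length that does not match the bytes on disk, and a parser that trusts the header blindly will read garbage URLs and headers rather than fail loudly.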