SANS Digital Forensics and Incident Response Blog: Tag - Incident Response

Examining Shellcode in a Debugger through Control of the Instruction Pointer

During the examination of malicious files, you might encounter shellcode that will be critical to your understanding of the adversary's intentions or capabilities. One way to examine this malicious code is to execute it using a debugger after setting up the runtime environment to allow the shellcode to achieve its full potential. In such circumstances, it's helpful to take control of the instruction pointer to direct the debugger towards the code you wish to examine.

The modern computer has been designed to make life easy for the standard user. It is actually quite difficult to say to the computer "Hey, I've found some shellcode embedded in a file, could you run it for me?", and for good reason! If you don't get it exactly right, the chances are you're going to end up crashing something.

Scenario walkthrough - Analysing embedded shellcode

I have devised a simplified scenario which will allow us to consider how to analyse shellcode embedded ...

Analyzing Shellcode Extracted from Malicious RTF Documents

During the analysis of malicious documents designed to exploit vulnerabilities in the programs which load them (thereby allowing the running of arbitrary code), it is often desirable to review any identified shellcode in a debugger. This allows an increased level of control and flexibility during the discovery of its capabilities and how it implements the payload of the attack.

MalHost-Setup, part of the OfficeMalScanner suite, allows the analyst to generate an executable which runs the shellcode embedded in malicious documents. To use this tool, we first need to determine the offset within the infected document, or extracted OLE file, at which the shellcode begins; we then specify this offset as a parameter to MalHost-Setup when generating the executable. This executable can then be loaded into a debugger,

Running Malware Analysis Apps as Docker Containers

A new REMnux project initiative provides Docker images of Linux applications useful for malware analysis to offer investigators easier access to malware forensics tools. Docker is a platform for packaging, running and managing applications as "containers," as a lightweight alternative to full virtualization. Several application images are available as of this writing, and you can contribute your own as a way of experimenting with Docker and sharing with the community.

DFIR Monterey 2015 Network Forensics Challenge Released

DFIR Monterey 2015

Join us at DFIR Monterey 2015 - a Reverse Engineering Digital Forensics and Incident Response Education (REDFIRE) Event.

This unique Digital Forensics and Incident Response (DFIR) event brings our most popular forensics courses, instructors, and bonus seminars together in one place to offer one of SANS' most comprehensive DFIR training experiences. This is a must-attend event for you and your team as our leading experts focus on building the DFIR skills that will take you to that next level.

Network Forensic Challenge

The objective of the ...

Kerberos in the Crosshairs: Golden Tickets, Silver Tickets, MITM, and More

It's been a rough year for Microsoft's Kerberos implementation. The culmination was last week when Microsoft announced critical vulnerability MS14-068. In short, this vulnerability allows any authenticated user to elevate their privileges to domain admin rights. The issues discussed in this article are not directly related to this bug. Instead, we'll focus on design and implementation weaknesses that can be exploited under certain conditions. MS14-068 is an outright bug which should be patched immediately. If you haven't patched it yet, I suggest you skip this article for now and work that issue right away. Then come back later for some more Kerberos fun!

Our red-team friends have been quite busy recently dissecting Kerberos and have uncovered some pretty concerning issues along the way. Issues, or attacks, such as the "Golden