Source: AlienVault Blog
Identifier: 793596
Publication date: 2018-09-05 13:00:00 (seen: 2018-09-05 15:09:38)
Title: Malware Analysis for Threat Hunting
Text:

If you're not into Wireshark, procmon and Windows Sysinternals you might be in the wrong place :)

Malware analysis lets the analyst see what actions a sample takes, and use those actions to build a profile that can detect and block further infections and find related ones. We run the malware in a lab to determine how it acts, give it different inputs to see how its behavior changes, run it through debuggers to disable the safeties and checks it may have against analysis, and may even use a disassembler to more fully understand the paths the malware can take. Using these techniques, the malware analyst builds a list of indicators that can be used to detect and block the malware being examined, learns something about who may be targeting the network, and even what the malware may be gathering. I'm going to narrow my focus to behavioral analysis and give some examples of what can be done with threat hunting and this technique.

Behavioral Analysis for Malware

Behavioral analysis is the step of running the malware under controlled conditions where you can observe the actions it takes. By running the malware in a completely isolated environment we can tell what it would do if it were unable to communicate. With behavioral analysis, you take everything one step at a time. When it is completely isolated, does it try to scan for a network? If yes, go ahead, give it one, and see what happens. What does it look for after that? Give it that as well. The main goal of this type of analysis is to see what the malware does step by step, so you can map its different actions and have a better overall picture of the sample before you start examining it in a debugger or through disassembly. I would say this is one of the more fun parts of the analysis process.

Basic Lab Environment for Malware Analysis

Your basic lab environment should contain VMware or VirtualBox with the following machines: a Windows VM with Wireshark, Process Monitor and ProcDOT installed, and a REMnux VM, which has everything else you will need preinstalled. Make sure both VMs are set to host-only networking, and give the Windows machine a static IP address with the REMnux box as its default gateway. This ensures that the first hop for all of the sample's traffic is REMnux, which gives the traffic control we want: every packet can be captured, blocked, or answered by a fake service there, and nothing reaches the real internet. Snapshot both VMs before detonation so that each run starts from a clean state.

Tools for Malware Behavioral Analysis

There are several tools you will want to use to gather as much information as you can:

Wireshark: This tool is used to capture network traffic on a given interface. The Follow (TCP/UDP stream) option lets you view pages and traffic, and it can even reconstruct and save files that were transferred while the packet capture was running. https://www.wireshark.org/

Process Monitor (procmon): This tool records the full file system, registry, process and network activity of a computer for the time it is monitoring. This is extremely useful for detailing actions taken
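The indicator-building step the article describes, turning the file, registry, process and network actions observed during a behavioral run into a list that can be used for detection, as an added example that is not code from the article or from AlienVault. The script reads a Process Monitor CSV export (File > Save..., CSV format, which carries the seven default columns used below), follows the sample's process tree so that a dropped second stage is attributed to the sample rather than treated as noise, and collects the indicators a hunter would pivot on. The rows in SAMPLE_CSV are constructed for this example; the process names, paths, PIDs and the 203.0.113.45 address (documentation address space) are invented.

```python
"""Build a first set of behavioral indicators from a Process Monitor CSV export.

Added example for this page, not code from the article.  SAMPLE_CSV is
constructed to look like procmon's CSV export with its seven default columns;
the process names, paths, PIDs and the 203.0.113.45 address are invented.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample of a procmon CSV export (not from a real detonation).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","dropper.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2345678","dropper.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe","SUCCESS","Offset: 0, Length: 204,800"
"10:01:02.3456789","dropper.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 96, Data: C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe"
"10:01:02.4567890","dropper.exe","4120","Process Create","C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe","SUCCESS","PID: 4388, Command line: ""C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe"" /silent"
"10:01:03.0000000","svchost32.exe","4388","TCP Connect","LAB-WIN:49711 -> 203.0.113.45:8080","SUCCESS","Length: 0, mss: 1460"
"10:01:03.1000000","svchost32.exe","4388","CreateFile","C:\\Users\\lab\\Documents\\passwords.txt","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:04.0000000","explorer.exe","1588","WriteFile","C:\\Users\\lab\\AppData\\Local\\IconCache.db","SUCCESS","Offset: 0, Length: 4096"
"""

# Registry autostart locations that indicate persistence.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# procmon network paths look like "host:port -> host:port"; keep the remote end.
ENDPOINT = re.compile(r"->\s*(\S+)$")


def parse_procmon_csv(text):
    """Parse a procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def track_process_tree(rows, root_names):
    """Return the PIDs of the detonated sample and every process it creates,
    transitively, so the second stage's activity is attributed to the sample."""
    roots = {n.lower() for n in root_names}
    pids = {r["PID"] for r in rows if r["Process Name"].lower() in roots}
    changed = True
    while changed:  # iterate until no new child PIDs are discovered
        changed = False
        for r in rows:
            if r["Operation"] == "Process Create" and r["PID"] in pids:
                m = re.search(r"PID:\s*(\d+)", r["Detail"])
                if m and m.group(1) not in pids:
                    pids.add(m.group(1))
                    changed = True
    return pids


def extract_indicators(rows, root_names=("dropper.exe",)):
    """Collect detection-relevant actions taken by the sample's process tree."""
    pids = track_process_tree(rows, root_names)
    ind = defaultdict(set)
    for r in rows:
        if r["PID"] not in pids:
            continue  # activity of unrelated processes is noise for our purpose
        op, path, ok = r["Operation"], r["Path"], r["Result"] == "SUCCESS"
        if op == "WriteFile" and ok:
            ind["files_written"].add(path)
        elif op == "CreateFile" and not ok:
            ind["files_probed"].add(path)  # what it looked for but did not find
        elif op == "RegSetValue" and ok:
            ind["registry_set"].add(path)
            if RUN_KEY.search(path):
                ind["persistence"].add(path)
        elif op == "Process Create" and ok:
            ind["processes_created"].add(path)
        elif op in ("TCP Connect", "UDP Send") and ok:
            m = ENDPOINT.search(path)
            if m:
                ind["network"].add(m.group(1))
    return {k: sorted(v) for k, v in ind.items()}


if __name__ == "__main__":
    for kind, values in extract_indicators(parse_procmon_csv(SAMPLE_CSV)).items():
        print(kind)
        for v in values:
            print("   ", v)
```

Two choices matter for hunting. Failed operations are kept as their own class: a CreateFile that returns NAME NOT FOUND on a file the sample never wrote tells you what it is looking for, which is exactly the input the article says to feed it in the next step. And the process tree, not the process name, decides what is attributed to the sample, because a dropper that exits after spawning its payload leaves most of the interesting activity under a different name and PID.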
Tags: Malware, Threat