Memory attacks are a new buzzword in #InfoSec. The question is: “How can we best detect and respond to them?”
Volatility, a free, open-source memory analysis tool, allows you to investigate memory dumps from your machines to determine whether or not you are the victim of a memory attack. Combined with Carbon Black, the leading Next-Generation Endpoint Detection and Response product, Volatility is now part of an amazing power couple.
We want to set you up for success in detecting an in-memory attack. In this memory space attacks whitepaper, we’ve developed two watchlists for you to utilize within your environment.
A starting point to build a watchlist with a high number of “Open Process / Thread events” could be to look for all processes that aren’t signed by Microsoft and have more than 20 crossproc events. You could run this query, tune it to your environment until it returns zero legitimate processes and then turn it into a watchlist to alert you in the future:
crossproc_count:[20 TO *] -digsig_publisher:"Microsoft Corporation"
Remote thread events (i.e., process injection) generally have far fewer legitimate uses. Even a single instance of this occurring in a process that wouldn’t normally exhibit the behavior can often be a high-confidence indicator of suspicious activity.
On a typical Windows system you may see legitimate injection events from processes such as svchost.exe and csrss.exe, but once we filter these out, anything that’s left warrants further investigation.
The following could be a good starting point for a watchlist you could tune to your environment to alert on unexpected process injection:
crossproc_type:"remotethread" -process_name:svchost.exe -process_name:csrss.exe
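To make the two watchlist queries above concrete, here is an added example (not from the original post or from Carbon Black) that evaluates the same two rules in Python over a small, constructed set of process records. The field names (process_name, digsig_publisher, crossproc_count, crossproc_type) mirror the search fields quoted in the queries; the record layout, the sample data and the tuning parameters are assumptions made for this script, not the product's export format. It follows the query's `[20 TO *]` range, which is inclusive, and shows how a legitimate hit (a signed backup agent) is tuned out by an excluded-publisher list rather than by raising the threshold.

```python
"""
Added example: evaluate the two Carbon Black-style watchlists from the text
over constructed process records. Not the product's code or data format.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass
class ProcessRecord:
    process_name: str
    digsig_publisher: str                      # "" when the binary is unsigned
    crossproc_count: int                       # open process / open thread events
    crossproc_types: List[str] = field(default_factory=list)   # e.g. "remotethread"


# Watchlist 1:  crossproc_count:[20 TO *] -digsig_publisher:"Microsoft Corporation"
def matches_high_crossproc(rec: ProcessRecord, threshold: int = 20,
                           excluded_publishers: Iterable[str] = ("Microsoft Corporation",)) -> bool:
    """True when the process has at least `threshold` cross-process events and
    its signer is not on the excluded list ([20 TO *] is an inclusive range)."""
    return rec.crossproc_count >= threshold and rec.digsig_publisher not in set(excluded_publishers)


# Watchlist 2:  crossproc_type:"remotethread" -process_name:svchost.exe -process_name:csrss.exe
def matches_remote_thread(rec: ProcessRecord,
                          allowlist: Tuple[str, ...] = ("svchost.exe", "csrss.exe")) -> bool:
    """True when the process created a remote thread and is not one of the
    processes the text says normally do so on a Windows system."""
    return "remotethread" in rec.crossproc_types and rec.process_name.lower() not in allowlist


def evaluate(records: Iterable[ProcessRecord], **tuning) -> Dict[str, List[str]]:
    """Run both watchlists and return the process names each one would alert on.
    `tuning` may carry excluded_publishers / threshold for watchlist 1."""
    hits: Dict[str, List[str]] = {"high_crossproc": [], "remote_thread": []}
    for rec in records:
        if matches_high_crossproc(rec, **tuning):
            hits["high_crossproc"].append(rec.process_name)
        if matches_remote_thread(rec):
            hits["remote_thread"].append(rec.process_name)
    return hits


# Constructed sample records (names, publishers and counts are made up).
SAMPLE = [
    ProcessRecord("svchost.exe", "Microsoft Corporation", 140, ["open_process", "remotethread"]),
    ProcessRecord("csrss.exe", "Microsoft Corporation", 35, ["remotethread"]),
    ProcessRecord("backup-agent.exe", "Example Backup Vendor", 27, ["open_process"]),
    ProcessRecord("notepad.exe", "Microsoft Corporation", 1, []),
    ProcessRecord("updater.exe", "", 3, ["remotethread"]),
]

if __name__ == "__main__":
    print("untuned:", evaluate(SAMPLE))
    # Tuning step from the text: exclude the known-good publisher until the
    # watchlist returns zero legitimate processes, then turn it into an alert.
    print("tuned:  ", evaluate(SAMPLE, excluded_publishers=("Microsoft Corporation",
                                                           "Example Backup Vendor")))
```

Untuned, the first watchlist flags the backup agent and the second flags the unsigned updater. After the vendor is added to the exclusions the first list goes quiet, which is the point at which the query is ready to become an alerting watchlist.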
Now that we have our watchlists in place, we wait. (I hope this experience for you is like seeing a lunar eclipse—pretty rare.) The great thing is that you do not have to watch a pot boil. Set up an email alert or output any alert that Carbon Black sees around these watchlists to your log aggregating solution.
Ok, so you’ve received the alert. Now what?
Pull the Memory Dump
With Carbon Black, you have the capability to remote into your systems live, and pull a memory dump to a location on your local machine.
Load the dump into Volatility and run the imageinfo command against it to identify the profile to use for the later commands.
(Note: rename your memdump file to a .dmp extension first.)
Lastly, run pslist against the memory dump to see exactly what is running on the machine. You can also check out any network connections, in either Volatility or Carbon Black, for any process. With Carbon Black’s recent Damballa integration, we can even geo-locate the IP address that could be attacking you right now in case you are in a Ray Donovan kind of mood.
Now that I have my pslist, it’s time to do some investigating.
First thing, check out processes such as lsass and ensure they are not the parent process (PPID) to anything on this list. If you see that happen, use Carbon Black to search for that parent/child process.
Next, check out the thread counts (no, not your sheets). Which process did Carbon Black show opening a large number of threads? If you see that process here, look at its children and make sure they are legitimate.
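The two pslist checks just described (is lsass the parent of anything, and what are the children of the process Carbon Black flagged for thread activity) are easy to script. The following is an added example, not code from the original post or from the Volatility project: it parses the text output of Volatility's pslist command and runs both checks. The sample output is constructed for this script and modelled on the column layout of Volatility 2 pslist (Offset, Name, PID, PPID, Thds, Hnds, Sess, Wow64, Start, Exit); it is not from a real dump, the process names and PIDs are made up, and the thread threshold and the profile placeholder in the comment are assumptions.

```python
"""
Added example: triage a Volatility pslist listing for the checks in the text.
Sample output is constructed; the profile name in the comment is a placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Produced by something like:  vol.py -f memdump.dmp --profile=<PROFILE> pslist
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0b30 System                    4      0     84      516 ------      0 2016-03-01 08:15:32 UTC+0000
0xfffffa8001b2e060 smss.exe                256      4      2       29 ------      0 2016-03-01 08:15:32 UTC+0000
0xfffffa8001c4a5a0 csrss.exe               336    328      9      421      0      0 2016-03-01 08:15:35 UTC+0000
0xfffffa8001d0c060 wininit.exe             384    328      3       75      0      0 2016-03-01 08:15:35 UTC+0000
0xfffffa8001d3b910 lsass.exe               496    384      7      632      0      0 2016-03-01 08:15:36 UTC+0000
0xfffffa8001f80b30 svchost.exe             612    512     12      351      0      0 2016-03-01 08:15:37 UTC+0000
0xfffffa8002a11060 cmd.exe                2140    496      1       22      1      0 2016-03-01 09:42:10 UTC+0000
0xfffffa8002b70b30 updater.exe            2208   1844     61      440      1      0 2016-03-01 09:44:02 UTC+0000
0xfffffa8002c02060 powershell.exe         2316   2208      4      210      1      0 2016-03-01 09:44:05 UTC+0000
"""


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    threads: int


def parse_pslist(text: str) -> List[Proc]:
    """Parse pslist text output. Data rows start with a hex offset, which is
    how the header and separator lines are skipped; only the first five
    whitespace-separated columns are needed for these checks."""
    procs: List[Proc] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith("0x"):
            continue
        procs.append(Proc(parts[1], int(parts[2]), int(parts[3]), int(parts[4])))
    return procs


def children_of(procs: List[Proc], parent_name: str) -> List[Tuple[str, int]]:
    """(name, pid) of every process whose PPID is a process called parent_name."""
    parent_pids = {p.pid for p in procs if p.name.lower() == parent_name.lower()}
    return [(c.name, c.pid) for c in procs if c.ppid in parent_pids]


def high_thread_count(procs: List[Proc], threshold: int = 50,
                      ignore: Tuple[str, ...] = ("System",)) -> List[Tuple[str, int, int]]:
    """(name, pid, threads) for processes at or above the threshold. The kernel
    'System' process always carries many threads, so it is ignored by default;
    the threshold is an assumption and should be set from your own baseline."""
    return [(p.name, p.pid, p.threads) for p in procs
            if p.threads >= threshold and p.name not in ignore]


def triage(text: str, sensitive: Tuple[str, ...] = ("lsass.exe",),
           flagged_process: str = "", thread_threshold: int = 50) -> Dict[str, list]:
    """Run the checks from the text: children of sensitive processes (lsass
    should not be anyone's parent), unusually high thread counts, and the
    children of the process Carbon Black flagged (if given)."""
    procs = parse_pslist(text)
    findings: Dict[str, list] = {}
    for name in sensitive:
        kids = children_of(procs, name)
        if kids:
            findings[f"children_of_{name}"] = kids
    findings["high_thread_count"] = high_thread_count(procs, thread_threshold)
    if flagged_process:
        findings[f"children_of_{flagged_process}"] = children_of(procs, flagged_process)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PSLIST, flagged_process="updater.exe").items():
        print(f"{key}: {value}")
```

In the constructed listing, cmd.exe has lsass.exe (PID 496) as its parent, which is exactly the condition the text says to search for in Carbon Black, and updater.exe carries both the high thread count and a powershell.exe child worth checking.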
This investigation takes about 10 minutes. By working with Carbon Black and free open-source tools such as Volatility, you have the capability to respond quickly and use the two solutions as a sounding board for one another for threats that may be lurking in your environment.
So how can you take Volatility a step further? And, for some, how do I even begin to use it? For starters, check out this memory forensics cheat sheet to get your memory hunt on.