This short and sweet blog post will cover some recent additions to my Malware Hunting repo.
A good part of my (spare) time over the past few months has been devoted to constantly building upon my BSides Wellington talk, which – because I like to practice what I preach (and only preach what I truly believe in) – has also involved rolling out a good deal of the content of the talk to my workplace network… the defensive measures that is, not the malware. All I can say is Bro + Critical Stack Intel Client + ELK = badass!
New to the repo are two items:
- Volatility auto-deploy script. One of the final challenges of the CHCon CTF was a forensics challenge, and a portion of my BSides talk also delves into using the YaraScan function of Volatility to illustrate the versatility of Yara. I found that only a small portion of Volatility functions in version 2.4 actually worked in analysing the dump of a fully updated Windows 10 box, which version 2.6 looked to address. Because I have a habit of regularly stripping down and rebuilding my boxes on different hosts, I like to be able to automate otherwise time consuming installs. Enter this script, which automates the install of Volatility 2.6.
- Hardened VM build notes. More than anything this is just a record of what I need to do to rebuild my analysis VM’s. Up until recently my VM’s were hand crafted, using PowerShell to automate a small portion of the setup process. Setting them up took the best part of an evening once in a while, so in a bid to improve on this I went about combining VMCloak and FLARE VM – and the result was magical. Super painless, and for the most part wound up leaving me with the same toolset as I was already using – with the exception of IDA Free instead of IDA Pro, but that’s a very small amount of work to replace. VMCloak takes a wee bit to get your head around exactly how it works, particularly if you wish to retain the ability to modify your templates at a later date. Hopefully my documentation clears that up.
Following my BSides talk I’ll be extending the VM build documentation to include details on the wider analysis environment, including Security Onion, Graylog and Sysmon.