All right, so let's jump right into the next part here, which is going to be a continuation of the investigation, moving into containment a little bit. Again, I'm purposely producing this in a way that the lines are blurred, because that's really how it actually plays out: you don't get to a point in the investigation and say, all right, we're done investigating, now we're going to just do containment. You could still be doing some investigation while containment is going on. Let's look and see where we move from here. We found that there's definitely something going on. Something's hiding processes, hiding sockets from Windows itself; we can't see it. We've established that, so we know that something's there. We're past detection. Let's go ahead and move into investigation, or more into investigation, and start digging into containment a little bit.

All right, so right here is where we left off. We'd established a few things, but we still don't know what these things are yet. We don't know what hxdef is. We don't know what nc.exe is. We don't know what rcmd.exe is. If we go over and look on the network, on the device, only one of those things are we able to see, which is essentially rcmd.exe, because if we look on the machine itself at running processes, which is what the bottom is here, we can see rcmd, but we can't see hxdef, nor can we see nc. Let's see if we can figure out any connections here. I'm going to go back to the infected machine and go to the same directory that it appears to be in. I want to see if I can run that rcmd.exe. As a matter of fact, I'm going to just open another, completely separate prompt here. I'm going to go to the desktop. Then from that desktop view I'm going to do a side-by-side with this rcmd that we see to be running out of the Win32 directory. Now, from that rcmd.exe, which I suspect is just a copy of cmd.exe, I'm going to browse to the same directory, which is Documents and Settings\Administrator.
All right, so we're starting there because that's where our tools and stuff are at. Let's just do a few basic things. First of all, I'm going to do a DIR, since we noted this infection tends to be hiding stuff. If I look over here, I see some things, and if I look over here, wait a minute, I see some things that I don't see on this side. Namely, there is a folder named hxdef, and we can't see that on this side. It seems as if our rcmd may be a way to see this stuff, and maybe the attacker's currently running that to actually look at things. Now I'm going to go ahead and go into that folder and see what's there. Since it's hidden, there must be something there. We look in there, and we can see some text files and some other stuff. I'll go ahead and look at this INI file, and that's where I can see what the rcmd is. I can see where it's calling the nc.exe thing that we found running there. I can also see there's the port 300 stuff. A lot of these things I can see in this configuration file, and it also looks like down here the service name is HXD Service 100. I suspect if that's the service name we could probably stop it, if we have the right permissions, by doing a net stop on the service. We might be able to stop that service and figure out some more things there.

Let's go ahead and continue to look and see what else we can find out. We'll go back over to our investigator machine. We know that nc.exe is probably what's got that socket open, based on the fact that we see it. We also still have this hxdef thing that we don't know what it is. Let's go ahead and run through a few more Volatility plugins. All right, we can just full-screen this now. Let's look at netscan. Actually, that profile doesn't support that. So if we look at cmdscan, we can see there's really nothing major going on there. Let's go ahead and look at shellbags, see if anything is in there. This is stuff we learned about a little bit earlier, and we just have to let it build.
Definitely some. We can take our time and go through that, and you'll see some of that hxdef stuff in there, because we don't really know what that hxdef thing is. We're not really sure exactly what's going on with it, but we will be. If you look through this, you'll definitely find some references in there. Let's look at consoles, so we can try to see if there are any other commands that may have been entered. We see a few. Nothing that's going to really help us a lot, other than the fact that we can definitely see that rcmd.exe there. If you look at its history, look at its original title, what is it? The original title is cmd.exe. So it really is, or it appears to be, just a copy of cmd.exe. That's pretty much all we can see on the command side there.

Now, some other things that we can look at are the event logs. So let's see what happens; let's see if we can dump the event logs. We're going to output them, and we'll put them in a directory that we have here. Let's actually make one; I thought I had an output directory here. So it's parsing event logs from memory and writing them into a file for us, so we can then look at the event logs and see if anything shows up there. If we go look in that directory, which is output, we can see those events there. Let's look at the Security one, and we can see the entire log there. Some things we might be looking for are, like, the use of NT AUTHORITY\SYSTEM. We can see that that definitely happened, where that system account was being used to do stuff, so that might be of some concern to us as well. You might even give somebody the task of doing nothing but parsing these event logs for the next two days, for everything that you could possibly imagine, parsing them to see if there's anything in there that is significant or of interest to what it is you're looking for here. Some other things we might look at: we might try sockscan or sockets,
because now we want to see what's actually open as well, not just connections. We can definitely see some here, some listening sockets and some other stuff going on there. We might also look at connections. There's still that port 300 one there that we got, and we're still letting that go. Now, one of the things I showed you when we were first getting introduced to Volatility is that there is a strings command, and this is just Linux strings. I could technically run strings against the raw file, and it just looks like that. But now that we know some things, like we know about hxdef100, I could actually grep for that, and we can definitely see a lot of references to it there, which may be a problem. We can also look at nc.exe, and now we see where the port 300 came in. We're breaking this thing down. We're learning everything about it, and eventually we do learn it, like we said. When we look on the infected machine, we look at this and we see that that is the service name that's actually used to stop that one piece of malware. If we stop that, I bet you we can now see nc, and we'd also be able to see the port that's hidden and all that good stuff, because this is really taking the shape of what's probably a rootkit. We're starting to get to that point, to that word; that's what it looks like we're getting to.

The last thing I'm going to do here is go back and borrow from some of the other stuff that we did. I'm going to go ahead and dump those two processes that we're not sure about, which are nc and hxdef100, so let's go back to our pstree. That's going to be PID 1632 and PID 1848, so let's go ahead and dump those. We'll put them in that same output directory. I want to get the PID. We want the exe; we want hxdef first, as the parent. That's 1632, got it, and now we want to carve out the nc.exe, which is PID 1848. We got both of those, and at that point we can simply take those things, like we showed you earlier.
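An added example from the editor, not part of the lesson transcript: the strings-and-grep step above, re-done in Python over a raw memory image so that UTF-16LE strings are searched as well as ASCII ones. Windows keeps service names, registry keys and paths in UTF-16LE in memory, and plain Linux strings (without -el) only reports the ASCII runs, so grepping its output for hxdef100 can miss references. The image bytes and the nc.exe command line below are constructed for the demo; the indicator spellings (hxdef100, rcmd.exe, nc.exe, HXD Service 100) are taken from the investigation in the text, and everything else is assumed.

```python
"""Search a raw memory image for ASCII and UTF-16LE rootkit indicators.

Added example, not the lesson's own tooling. Mirrors `strings image | grep`
but also pulls UTF-16LE strings, which `strings` skips by default.
"""
import re
from typing import Dict, List, Tuple

# Indicators established earlier in the investigation (spellings assumed).
INDICATORS = ["hxdef100", "rcmd.exe", "nc.exe", "HXD Service 100"]


def extract_strings(image: bytes, min_len: int = 6) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of >= min_len chars.

    ASCII: run of printable bytes, like `strings -n min_len`.
    UTF-16LE: run of printable byte followed by NUL, like `strings -el`.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: List[Tuple[int, str, str]] = []
    for m in ascii_re.finditer(image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)  # offsets never collide between the two encodings


def grep_indicators(image: bytes, indicators=INDICATORS, min_len: int = 6
                    ) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map each indicator to the strings (with offset and encoding) containing it.

    The comparison is case-insensitive because hxdef's names show up in
    mixed case across paths, service names and registry keys.
    """
    hits: Dict[str, List[Tuple[int, str, str]]] = {ioc: [] for ioc in indicators}
    for off, enc, text in extract_strings(image, min_len):
        low = text.lower()
        for ioc in indicators:
            if ioc.lower() in low:
                hits[ioc].append((off, enc, text))
    return hits


# Constructed image fragment (not a real dump): junk bytes around an ASCII
# netcat command line, a UTF-16LE service display name and a UTF-16LE path.
# The command-line flags are an assumption about how nc was started.
SAMPLE_IMAGE = (
    b"\x00\x00\xffMZ\x90" * 4
    + b"nc.exe -L -p 300 -e rcmd.exe\x00"
    + b"\x01\x02\x03"
    + "HXD Service 100".encode("utf-16le") + b"\x00\x00"
    + b"\x7f\x80"
    + "C:\\Documents and Settings\\Administrator\\hxdef100\\hxdef100.ini".encode("utf-16le")
    + b"\x00\x00\x00"
)


if __name__ == "__main__":
    for ioc, matches in grep_indicators(SAMPLE_IMAGE).items():
        print(f"== {ioc}: {len(matches)} hit(s)")
        for off, enc, text in matches:
            print(f"  0x{off:08x} [{enc}] {text}")
```

With a real image, replace SAMPLE_IMAGE with the file contents (read in chunks for large dumps) and feed the offsets to Volatility's strings plugin to learn which process each hit belongs to; the point of the example is that the hxdef100 path only appears in the UTF-16LE pass.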
We could put them in a sandbox and see what they are, and just let them run and keep reversing it. But we can also just go ahead and get some immediate proof, verification that it's bad. If we took these extracted files and ran them against any AV product, like if we went and downloaded ClamAV or McAfee or Symantec or any of the popular ones, they would all tell you that it's bad, now that we've extracted it out of memory. I'm just going to simulate that by going to VirusTotal, because I don't feel like downloading and installing anything. Again, just a reminder: if you're working on a real case, a real incident, don't put malware that you pull off customers' devices up on VirusTotal, because that malware could have collected proprietary, confidential information from that network, and you may have inadvertently posted it on VirusTotal. Don't make yourself be that person that does that. We're going to go into our directory here. We're in the lab breach case, and we're in output. That's not the one. Let's do 1632 first, which is the hxdef, and sure enough, everybody's like: bad, rootkit, Hacker Defender rootkit. Of course there's a few that always miss it, but the verification is there: it's bad. This is information you can give to the customer. Again, you're scanning this offline; I'm just doing it online here for ease and convenience. Then we go to 1848 there. Of course everything's going to say it's bad as well, saying it's a backdoor application, Win32 Netcat hacking tool, all that good stuff. They all say it's bad, and we generally agree with it. I don't know what it just did there, but it said it's bad. Now we've got our verification that it's bad; it shouldn't be there. We've got a whole other set of proof, and not only that, we know exactly what it looks like. We have a nice idea of its behavior, what signs it shows, and all that good stuff. Now we have a way to go to containment.
We go into containment: we're scanning, we're looking at other places on the network, we're looking for that port, or we're looking for other behaviors, where if we connect to that port we get command shells and stuff like that. Because here's the thing: if we try to connect to that port, what we're saying is, because we know that it's got that port 300 open, we can actually validate to the customer, like, look, not only is it there, if we telnet to port 300 we do get a command shell. Not only that, the permission we end up with is SYSTEM. We can validate that this is a real thing that's going on there. We know now that if there's any device on the network, because here's what you get when you scan that port with nmap with the version probe: it comes back and tells you that it's a backdoor. Anywhere in the network you scan, for any port, if the version probe comes back and tells you cmd.exe backdoor, you can start assuming that that's probably that malware. Hopefully, you don't have legitimate services on your network that listen and give a command shell without any authentication or anything. We could use this as one of our containment strategies right here. We know what the behaviors are, we know what the scan result's going to look like if it's on the machine. We're just going to do a scan. We're going to do this all day; we're going to scan the whole enterprise. I'm pretending this is a domain, wholedangnet.net, port whatever, for ports 1-65535, let's just scan all of them. We can do that like this, or we can just do -p-, that's the same thing. It's got to scan every port on every device, and then we're going to do -sV, and we're looking in that output; we'll output it to a file called owned or something like that. What's going to happen is when that scan is done, which might take a long time, like a week or so if it's a big network.
If you want to just scan based on port 300, if you think that all of them are going to be listening on that port, we can just do this, and it might take a couple of hours. You could do that as well. Then any device that comes back with a positive backdoor command shell banner with nmap, you know that those devices are compromised as well. Then we can start moving to eradication. Now we're at containment: we know what it looks like, we know everything about it, we know how it behaves. Now we can contain it, because we can go and find where else it is and then isolate those devices or those segments. That puts us cleanly all the way into containment, where we've got that done. Now, in the next skill session we're going to be jumping into eradication and validation and that type of thing. Thanks for watching. Hope you got something out of this. Looking forward to seeing you in the next one in this series.
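An added example from the editor, not part of the lesson transcript: the triage step that follows the enterprise nmap sweep described above. It parses nmap's grepable output (-oG) and splits hosts into two lists, those where the version probe identified a backdoor shell (treat as compromised) and those where the known port 300 is open but nothing identified it (check by hand, since a closed-mouth listener can still be the same netcat). The scan lines are constructed, the hostnames and wholedangnet.net come from the text, and the exact service/version wording nmap prints for the cmd.exe backdoor is an assumption, so the match is a case-insensitive pattern you can adjust to the real banner.

```python
"""Build a containment list from an nmap -sV sweep (grepable output).

Added example, not the lesson's own tooling. The sweep it consumes would be
run roughly as the lesson describes:
    nmap -sV -p- -oG owned wholedangnet.net      # every port, slow
    nmap -sV -p 300 -oG owned wholedangnet.net   # only the known port
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PortHit:
    port: int
    state: str
    proto: str
    service: str
    version: str


@dataclass
class HostReport:
    ip: str
    hostname: str
    ports: List[PortHit] = field(default_factory=list)


_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# Port entries are comma separated; split only where the next "<port>/" starts
# so a comma inside a version string does not break the parse.
_ENTRY_SPLIT = re.compile(r",\s+(?=\d+/)")


def parse_grepable(text: str) -> Dict[str, HostReport]:
    """Parse nmap -oG text into {ip: HostReport}; '#' comment lines are skipped."""
    reports: Dict[str, HostReport] = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        rep = reports.setdefault(ip, HostReport(ip, name))
        for chunk in line.split("\t"):           # -oG separates fields with tabs
            key, _, value = chunk.partition(":")
            if key.strip() != "Ports":
                continue
            for entry in _ENTRY_SPLIT.split(value.strip()):
                # Field layout: port/state/proto/owner/service/rpcinfo/version/
                f = entry.split("/")
                if len(f) < 7:
                    continue
                version = "/".join(f[6:]).rstrip("/")
                rep.ports.append(PortHit(int(f[0]), f[1], f[2], f[4], version))
    return reports


def _matches(p: PortHit, rx: "re.Pattern[str]") -> bool:
    return p.state == "open" and bool(rx.search(p.service) or rx.search(p.version))


def backdoor_hosts(reports: Dict[str, HostReport], pattern: str = r"backdoor") -> List[str]:
    """IPs with an open port whose detected service or version matches `pattern`."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(ip for ip, rep in reports.items() if any(_matches(p, rx) for p in rep.ports))


def unconfirmed_hosts(reports: Dict[str, HostReport], port: int = 300,
                      pattern: str = r"backdoor") -> List[str]:
    """IPs where the known backdoor port is open but no banner confirmed it."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(
        ip for ip, rep in reports.items()
        if any(p.port == port and p.state == "open" and not _matches(p, rx) for p in rep.ports)
    )


# Constructed -oG output (not a real scan). The "Windows cmd.exe backdoor"
# version text is an assumed rendering of what the version probe reports.
SAMPLE_OUTPUT = """\
# Nmap scan initiated as: nmap -sV -p- -oG owned wholedangnet.net
Host: 10.0.0.12 (ws12.wholedangnet.net)\tStatus: Up
Host: 10.0.0.12 (ws12.wholedangnet.net)\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 300/open/tcp//shell//Windows cmd.exe backdoor/, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/\tIgnored State: closed (65532)
Host: 10.0.0.13 (ws13.wholedangnet.net)\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/\tIgnored State: closed (65533)
Host: 10.0.0.14 (ws14.wholedangnet.net)\tPorts: 300/open/tcp//unknown///, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/\tIgnored State: closed (65533)
# Nmap done
"""


if __name__ == "__main__":
    reps = parse_grepable(SAMPLE_OUTPUT)
    print("isolate now (backdoor banner):", backdoor_hosts(reps))
    print("port 300 open, no banner, check by hand:", unconfirmed_hosts(reps))
```

The two lists map directly onto the containment decision the speaker describes: hosts in the first list get isolated or their segment cut off, hosts in the second get a manual connect to the port before they are cleared.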