You're reading from Effective Threat Investigation for SOC Analysts

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781837634781
Edition: 1st Edition
Author: Mostafa Yahia

Mostafa Yahia is a skilled and motivated threat investigator and hunter with a wealth of experience investigating and hunting down various cyber threats. He is a proven leader in building and leading cybersecurity-managed services such as SOC and threat-hunting services. Mostafa holds a bachelor's degree in computer science, which he earned in 2016, and has furthered his education by earning multiple industry-recognized certifications, including GCFA, GCIH, CCNA, and IBM QRadar. In addition to his professional work, Mostafa also shares his knowledge through free courses and lessons on his YouTube channel. Currently, he serves as the senior lead for cyber defence services in an MSSP company, overseeing SOC, TH, DFIR, and CA services.

Malware Sandboxing – Building a Malware Sandbox

Because malware increasingly spreads through channels such as USB drives, phishing emails, and other attacks that target both individuals and enterprise environments, SOC analysts need an on-premises sandbox in which suspicious files can be analyzed safely. In this chapter, you will learn about the static and dynamic malware analysis tools and techniques used to identify and analyze malicious files.

The objective of this chapter is to guide you in building an on-premises sandbox, so that you can perform static analysis on files with tools such as YARA, pestudio, and Exeinfo, and dynamic malware analysis with tools such as FakeNet, Process Monitor, Regshot, and Autoruns.

In this chapter, we’re going to cover the following main topics:

  • Introducing the sandbox technology
  • Required tools for analysis
  • Preparing the guest Virtual Machine (VM)
  • Analysis tools in action
  • Hands-on demo...

Introducing the sandbox technology

In cybersecurity, a sandbox is an isolated test environment that mimics an end-user operating system, in which suspicious files can be executed safely and their behavior analyzed. A sandbox is also useful when dealing with zero-day malware, since behavior can be observed even when no signature exists yet.

Sandbox types

SOC analysts usually use two types of sandboxes for malware analysis:

  • Cloud sandboxes: These are virtual environments hosted in the cloud that allow analysts to test and analyze malware and suspicious file behavior. Examples of cloud sandboxes are the ANY.RUN sandbox (https://app.any.run/) and the Hybrid Analysis sandbox (https://www.hybrid-analysis.com/).
  • On-premises sandboxes: Also known as in-house sandboxes, these are installed and run locally within an organization’s own infrastructure. Such a sandbox is not reachable from outside the organization’s network, which provides an additional layer of security...

Required tools for analysis

After acquiring and preparing the hardware and software needed to build your private sandbox, let us introduce the tools required to analyze suspected files inside it. The tools fall into two types:

  • Static analysis tools
  • Dynamic analysis tools

Static analysis tools

Static analysis tools collect and analyze information about a suspected file without executing it. The static analysis tools that we will install on our private sandbox are as follows:

  • YARA: YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. We will use YARA to scan suspected files for known malware characteristics (strings and byte patterns) and, when a rule matches, to identify the malware category and family. Examples of malware categories are ransomware, Trojans, and InfoStealer; examples of malware families are Redline, Ryuk, and Zeus. To download the YARA tool, follow this link...

Preparing the guest VM

Are you ready to get started with preparing your sandbox guest for secure analysis of suspicious files? In this section, we’ll cover everything you need to know to get started, including the following key topics:

  • Guest VM preparation steps
  • Tips for preventing malware from detecting the sandbox

Important note

Please be advised that the malware samples you will be handling are extremely dangerous, and it is crucial that you always exercise caution. To ensure your safety and the safety of your organization, please apply the following instructions carefully.

Guest preparation steps

To prepare the sandbox guest VM, follow these steps:

  1. Create a new Windows VM using either VMware or VirtualBox.
  2. Download all the tools mentioned in the Required tools for analysis section.
  3. Set up a host-only network and isolate the guest VM by disabling drag-and-drop and copy-and-paste between the guest and the host...

Analysis tools in action

By the time you’ve reached this section, you should have downloaded the required tools and prepared your guest sandbox environment, so now you’re ready to start analyzing your first malware sample. The analysis process will be divided into two phases:

  • The static analysis phase
  • The dynamic analysis phase

Static analysis phase

In this phase, we scan the suspected file and determine the malware type with YARA, and extract useful information with straightforward tools such as Exeinfo and pestudio. So, let’s deep-dive into the steps of this phase of the analysis.

Run the Compute Hash tool on the suspicious file to collect its hashes, then check the hash reputation on threat intelligence platforms such as VirusTotal and IBM X-Force.

Run YARA rules against the suspected malware file to scan it and identify its malware category and family, if applicable...
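The hash lookup and the header, strings and packer information that Exeinfo and pestudio display can be reproduced with the Python standard library. The script below is an added example, not code from the book: it hashes a file, reads the PE COFF header and section table, extracts printable strings, and flags high-entropy or UPX-named sections as a packing hint. Its input is a constructed minimal PE32 image produced by build_sample() (the URL and names inside it are placeholders), so it runs without a real sample; point triage() at the bytes of a file from the sandbox share to use it on real input.

```python
"""Static triage of a suspected PE file: hashes, header fields, strings, section entropy.

Added example, not code from the book: it reproduces with the Python standard
library the first things the chapter reads off with Compute Hash, Exeinfo and
pestudio. The sample bytes are a constructed, minimal PE32 image, not a real
malware file; the URL and names inside it are placeholders.
"""
import hashlib
import math
import re
import struct
from collections import Counter


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256, the values you look up on VirusTotal or IBM X-Force."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted data sits close to 8.0, plain code lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII runs of at least min_len characters, as a strings/pestudio view shows."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe(data: bytes) -> dict:
    """Read the COFF header and section table; raise ValueError for a non-PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, n_sections, timestamp, _, _, opt_size, flags = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                  # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    sections = []
    for i in range(n_sections):                      # section headers are 40 bytes each
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": round(shannon_entropy(body), 2)})
    return {"machine": hex(machine), "pe32plus": magic == 0x20B, "timestamp": timestamp,
            "is_dll": bool(flags & 0x2000), "sections": sections}


def triage(data: bytes) -> dict:
    """Combine the checks; a section above 7.0 bits or named UPX* is a packing hint."""
    pe = parse_pe(data)
    packed = [s["name"] for s in pe["sections"]
              if s["entropy"] > 7.0 or s["name"].upper().startswith("UPX")]
    return {"hashes": file_hashes(data), "pe": pe, "packed_sections": packed,
            "strings": printable_strings(data)}


def build_sample() -> bytes:
    """Constructed three-section PE32 image used only to drive this demo."""
    e_lfanew, opt_size = 0x40, 0xE0                      # standard PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x64F00000, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    text = b"\x55\x8b\xec" * 40                          # repetitive bytes: low entropy
    rdata = b"http://example.invalid/update\0UpdaterService\0"  # placeholder indicators
    upx1 = bytes(range(256))                             # every byte value once: entropy 8.0
    parts = [(b".text", text, 0x200), (b".rdata", rdata, 0x400), (b"UPX1", upx1, 0x600)]
    table = b"".join(struct.pack("<8sIIII", n, len(b), 0x1000 * (i + 1), len(b), off) + b"\0" * 16
                     for i, (n, b, off) in enumerate(parts))
    img = bytearray(dos + b"PE\0\0" + coff + optional + table)
    for _, body, off in parts:
        img += b"\0" * (off - len(img)) + body           # place each section at its raw offset
    return bytes(img)


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

High section entropy is a hint rather than proof of packing, since compressed resources give the same signal, and the junk string recovered from the UPX1 section shows why strings pulled from packed data are only useful once the sample has been unpacked.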

Hands-on demo lab

In this section, we will conduct a hands-on demo lab to show how to analyze real malware with the tools installed in our in-house sandbox. The malicious file analyzed in this section is named Kenora.exe. To investigate this suspicious file, we will do the following:

  1. Scan the file using YARA.
  2. Conduct static analysis.
  3. Conduct dynamic analysis.

Scanning the file using YARA

The first step in investigating the suspicious file is to run the YARA rules against it with the YARA tool. To do this, we use the command prompt (CMD) to execute the YARA binary, located at D:\YARA\yara64.exe, with the downloaded YARA rules repository, located at D:\YARA\rules-YARA, against the suspected file Kenora.exe, located at D:\Malware\Kenora.exe. The final command is as follows:

d:\YARA\yara64.exe -w d:\YARA\rules-YARA\index.yar  d:\Malware\Kenora...
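The dynamic phase of the demo relies on the output of Process Monitor, Regshot and Autoruns. The script below is an added example, not the book's code: it reads a Process Monitor CSV export, follows the sample's process tree through the PIDs that Process Create events report, and groups successful writes to Run/RunOnce keys, file drops under Temp/Startup/ProgramData, child processes and outbound connections. The CSV lines are constructed for the demo (the hostname sandbox-vm, the documentation address 203.0.113.10 and the file names are placeholders); the column layout follows Procmon's default CSV export.

```python
"""Triage of a Process Monitor CSV export from a sandbox run.

Added example, not from the book: the chapter runs Process Monitor, Regshot
and Autoruns in the guest VM; this script shows the filtering an analyst does
afterwards on an exported Procmon CSV. The log lines are constructed for the
demo and use placeholder names and a documentation-range IP address.
"""
import csv
import io
import re
from collections import defaultdict

# Registry locations that Autoruns would later list as startup entries.
PERSISTENCE_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories where a dropper commonly writes its second stage.
DROP_DIRS = re.compile(r"\\(Temp|Startup|ProgramData)\\", re.IGNORECASE)

# Constructed Procmon-style export (not a real capture); columns follow
# Procmon's default CSV export, paths use a hypothetical analyst profile.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","Kenora.exe","4120","CreateFile","C:\Users\analyst\AppData\Local\Temp\svch0st.exe","SUCCESS","Desired Access: Generic Write"
"10:02:11.4","Kenora.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","NAME NOT FOUND","Length: 144"
"10:02:11.9","Kenora.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\analyst\AppData\Local\Temp\svch0st.exe"
"10:02:12.3","explorer.exe","1604","CreateFile","C:\Users\analyst\Desktop\notes.txt","SUCCESS","Desired Access: Read Attributes"
"10:02:12.8","Kenora.exe","4120","Process Create","C:\Users\analyst\AppData\Local\Temp\svch0st.exe","SUCCESS","PID: 4188"
"10:02:13.2","svch0st.exe","4188","TCP Connect","sandbox-vm:49712 -> 203.0.113.10:443","SUCCESS","Length: 0"
'''


def triage(csv_text: str, sample_name: str) -> dict:
    """Group the sample's (and its descendants') notable successful operations by category."""
    tracked = set()                 # PIDs of the sample and every process it spawned
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = row["PID"]
        if row["Process Name"].lower() == sample_name.lower():
            tracked.add(pid)
        if pid not in tracked or row["Result"] != "SUCCESS":
            continue                # ignore other processes and failed operations
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "Process Create":
            child = re.search(r"PID:\s*(\d+)", detail)
            if child:
                tracked.add(child.group(1))   # follow the process tree
            findings["child_process"].append(path)
        elif op == "RegSetValue" and PERSISTENCE_KEYS.search(path):
            findings["persistence"].append(path)
        elif op == "CreateFile" and DROP_DIRS.search(path) and "Write" in detail:
            findings["file_drop"].append(path)
        elif op in ("TCP Connect", "UDP Send"):
            findings["network"].append(path)
    return dict(findings)


if __name__ == "__main__":
    for category, paths in triage(SAMPLE_CSV, "Kenora.exe").items():
        print(category)
        for p in paths:
            print("   ", p)
```

The persistence finding is what Autoruns shows after the run, and the network finding is the connection that FakeNet answers in an isolated guest. Regshot's before/after comparison catches registry and file changes that a filter like this one does not look for, so the two views complement each other.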

Summary

By the end of this chapter, you should be able to build an on-premises sandbox and have learned how to perform static analysis on files with tools such as YARA, pestudio, and Exeinfo, as well as dynamic malware analysis using tools such as FakeNet, ProcMon, Regshot, and Autoruns.

Now, the journey has reached its end. Throughout this journey, we have gained valuable insights into the techniques employed by modern threat actors and acquired the skills to detect and investigate them effectively by leveraging logs from various sources such as email security, Windows, proxies, firewalls, WAFs, and other security controls. I highly recommend using this book as a comprehensive guideline to aid you in investigating cyber threats. I hope you found this book useful for investigating cyber threats and fighting cyber criminals. Thank you for your time, and see you on another journey.
