PSDecode

Endpoint Incident Response using PSDecode

PSDecode is a PowerShell script module for decoding obfuscated PowerShell scripts. The tool removes layered obfuscation techniques such as string concatenation and string replacement.

From a malware analysis perspective, adversaries frequently employ encoding and obfuscation techniques to camouflage their downloader scripts, aiming to evade detection and hinder analysis by security professionals. Encoding and obfuscation make it difficult for security solutions to identify and analyze the malicious intent embedded within the code.

Adversaries encode and obfuscate their downloader scripts to enhance their chances of successful infiltration, impede analysis, and protect their techniques. As defenders, it is crucial to know advanced techniques and tools capable of overcoming these obfuscation methods to effectively detect, analyze, and mitigate emerging threats.

To use PSDecode, create a directory named “PSDecode” under “WindowsPowerShell/v1.0”.

See Image for reference.

Phishing IR Approach

Phishing Incident Detection and Response:
Identifying Email and Document Existence using Memory Forensics

Lab Goal

    • Identify Email Subject
    • Identify Document Name
    • Identify Timestamps
    • Identify Sender Name
    • Identify Launched Programs
    • List Available Detection Methods

Employees are the most vulnerable targets in an organization, which gives attackers the ability to compromise their targets by preying on human weaknesses such as emotions. For this reason, adversaries plan their assaults intelligently by using phishing attacks.

In this demo, we will cover different approaches to detecting and responding to a phishing incident using a memory forensics tool.

Scenario: Out of fear of being sanctioned by the organization, an employee trashed a possible phishing email after clicking and downloading the potentially suspicious attachment.

Now, as the analyst, we are tasked with performing incident response and digital forensics on the machine and finding useful evidence of the email's existence.

LinuxBrowserHistory

How to Extract Browser History in Linux Systems

Linux tools used in this demo.

    • cat
    • netcat
    • ls

Lab Requirements

In this demo, we will be extracting Firefox browser history.

Scenario: You are tasked to perform live forensics on a Linux-based system to gather its browser history.

Firefox browser history can be found at: ~/.mozilla/firefox/<dir>/places.sqlite

In this step, we run the “cat” command and redirect its output with the “>” operator to save it to disk.

Command: cat ~/.mozilla/firefox/*/places.sqlite > browser_history.txt

In this case, we use “*” so that the shell searches every available directory for “places.sqlite” rather than us manually searching each directory.

Since we will be using a Windows box to analyze our file, we will be using “netcat” on both the Linux and Windows systems to perform the transfer.

To do this, we can run the netcat command from our Linux box.

Command: netcat -w 2 <listener_windowsIP> <port> < browser_history.txt

This puts our Linux box into an idle mode, waiting for the netcat listener.

Next, we set up our netcat listener on our Windows machine.

Command: ncat -l 4444 > browser_history.txt

After successful execution, we can confirm our file by opening it in our text editor tool, “notepad”.

In this step, we will be using bstrings.exe from EZ tools to do the work for us.

To do this, open a cmd prompt with Run As Admin and run the following commands:

    • bstrings.exe -f browser_history.txt -p
    • bstrings.exe -f browser_history.txt --lr url3986 > browser_history_after.txt

Learn and Download bstrings here: https://eyehatemalwares.com/incident-response/eztools/bstrings/

Why bstrings? Examining raw data from our dumped file “places.sqlite” takes a lot of work if we do it manually.

In this step, we can finally compare the raw browser_history.txt with browser_history_after.txt.

In this case, we can see that the strings that do not match the URL regex pattern from bstrings.exe have been removed, leaving only the URLs.
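
The bstrings pass above recovers URLs only. As an added example (not from the original page or from EZ tools), the sketch below goes one step beyond string carving and queries the file as the SQLite database it is, returning each visit with its timestamp. It assumes the standard Firefox tables moz_places and moz_historyvisits, with visit_date stored in microseconds since the Unix epoch, and runs against a small constructed database rather than real evidence; the function names are hypothetical.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def build_sample_places(path):
    """Create a CONSTRUCTED stand-in for places.sqlite holding only the
    tables and columns queried below (real files have many more)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "https://intranet.example/login", "Login"),   # constructed rows
        (2, "http://files.example/invoice.zip", None),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", [
        (1, 1, 1700000000000000),
        (2, 2, 1700000060500000),
        (3, 1, 1700000120000000),
    ])
    con.commit()
    con.close()


def read_history(path):
    """Return (utc_timestamp, url, title) for every visit, oldest first.
    The database is opened read-only so the evidence copy is not modified."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("""
            SELECT v.visit_date, p.url, p.title
            FROM moz_historyvisits AS v
            JOIN moz_places AS p ON p.id = v.place_id
            ORDER BY v.visit_date
        """).fetchall()
    finally:
        con.close()
    history = []
    for usec, url, title in rows:
        # visit_date is microseconds since the epoch; keep whole seconds.
        ts = datetime.fromtimestamp(usec // 1_000_000, tz=timezone.utc)
        history.append((ts.strftime("%Y-%m-%dT%H:%M:%SZ"), url, title or ""))
    return history


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        sample = os.path.join(workdir, "places.sqlite")
        build_sample_places(sample)
        for ts, url, title in read_history(sample):
            print(ts, url, title)
```

Run read_history against a working copy of the collected file, never the original evidence.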