Memory forensics demo: SolarWinds breach and Sunburst malware
The SolarWinds hack is one of the biggest cybersecurity incidents in recent years. By gaining access to SolarWinds’ network, attackers were able to access the company’s development environment and implant malicious code within updates to SolarWinds’ Orion network monitoring solution. With these malicious updates, the attackers inserted backdoors into the networks of thousands of SolarWinds’ customers, setting the stage for follow-on attacks.
The investigation of the SolarWinds hack was a case study in incident response and teamwork. FireEyes initially discovered and disclosed the incident, and multiple other companies built on their discovery, identifying additional malware variants and infection vectors used alongside the original malware. The reports published by these organizations have created a treasure trove of data for those organizations wishing to learn if they are affected by the hack, and, if so, the scope and impact of the compromise.
Learn Digital Forensics
Malware detection through memory analysis
Infosec’s principal security researcher Keatron Evans provided a walkthrough on breach detection for companies potentially impacted by the SolarWinds breach on the Cyber Work podcast. He demonstrated a process for identifying indicators of compromise (IoCs) in the memory of a potentially compromised machine.
Step 1: Grab a memory dump
When performing a forensic investigation, it is always best to work from a copy of the memory from the target computer. When a machine is online, the state of its memory is constantly changing. This means that IoCs within the computer’s memory could be removed by the malware or naturally overwritten. A memory dump provides a static snapshot of the computer’s memory to analyze for suspicious artifacts.
In his demo, Keatron used RAM capture from magnet forensics to perform his memory dump. This grabs a copy of the volatile memory on the system and saves it to a file on disk for analysis.
Step 2: Extract readable strings
Malware and any executable is a mix of program code and data. In some cases, the data contained within these programs are human-readable strings. These strings can be unique to a particular malware variant, making them a useful and easy-to-find IoC.
Linux offers a built-in command called strings that extracts any printable strings from a file. Running this against the memory dump file from the previous step will likely produce a massive list of results because it looks for anything printable in the computer’s memory.
To make these results manageable, it’s possible to use grep to filter the list for certain strings. FireEye has published a list of Snort rules that can be used to detect the Sunburst malware used in the SolarWinds hack.
These rules can also be used to filter string results. For example, searching for the word deft using the command strings <memory_dump_filename> | grep deft will match results for the domain deftsecurity.com from FireEyes’ list. If there are any hits from the list of detection rules provided by FireEyes, then the system in question may have been infected by the Sunburst malware.
Step 3: Examine processes
Going deeper than looking at printable strings within the memory dump requires tools designed for forensic memory analysis. One of the best available tools for this is Volatility, which is an open-source tool.
With Volatility, it is possible to run several different terminal commands against a memory sample. A good starting place when looking for malware IoCs is to take a look at the processes running on the infected machine. This can be accomplished with the command volatility -f <memory_dump_file> --profile=<profile_type> pslist.
The result of this is identical to the result of running pslist on a live Windows machine. Looking at the list, it may be possible to identify anomalous processes that could point to a malware infection. For example, Keatron highlighted a couple of suspicious processes in his demo that could be linked to a Sunburst infection.
After identifying an anomalous process, it’s time to dig deeper. A couple of options for the next steps include:
- Looking for child processes: using the pstree command in Volatility, it is possible to see which processes are the parent and children of a particular process. This can help with identifying the infection vector and the effects of the infection.
- Dumping processes: using a process id (pid) from pslist or pstree, it is possible to dump a process from Volatility with the procdump command. This creates a fully functional binary that could be run in a sandbox or reverse engineered using a disassembler.
Step 4: Look at connection data
In addition to looking at processes, it can also be helpful to look at the connections that an infected computer has open. The current connection state of a system is also included in the snapshot of a memory dump.
The netscan command in Volatility produces a list of network connections similar to using netstat on a live system. Any suspicious connections can also lead to the identification of malware infections on the system. In the case of the SolarWinds hack, many victims were infected with multiple types of malware in a variety of different ways, so being thorough during a forensic investigation is important to ensure you’ve discovered the full scope of a potential infection.
Learn Digital Forensics
Detecting SolarWinds infections with memory analysis
The Sunburst malware spread in the SolarWinds hack is a subtle and prolific malware sample. In a Cyber Work Podcast episode, Keatron shows how to identify Sunburst infections with memory analysis.
Sources:
Memory forensics demo: SolarWinds breach and Sunburst malware, Infosec Cyber Work Podcast
Sunburst Countermeasures, FireEye
Release Downloads, Volatility Foundation
In this Series
- Memory forensics demo: SolarWinds breach and Sunburst malware
- Digital forensics and cybersecurity: Setting up a home lab
- Top 7 tools for intelligence-gathering purposes
- iOS forensics
- Kali Linux: Top 5 tools for digital forensics
- Snort demo: Finding SolarWinds Sunburst indicators of compromise
- Digital forensics careers: Public vs private sector?
- Email forensics: desktop-based clients
- What is a Honey Pot? [updated 2021]
- Email forensics: Web-based clients
- Email analysis
- Investigating wireless attacks
- Wireless networking fundamentals for forensics
- Protocol analysis using Wireshark
- Wireless analysis
- Log analysis
- Network security tools (and their role in forensic investigations)
- Sources of network forensic evidence
- Network Security Technologies
- Network Forensics Tools
- The need for Network Forensics
- Network Forensics Concepts
- Networking Fundamentals for Forensic Analysts
- Popular computer forensics top 19 tools [updated 2021]
- 7 best computer forensics tools [updated 2021]
- Spoofing and Anonymization (Hiding Network Activity)
- Browser Forensics: Safari
- Browser Forensics: IE 11
- Browser Forensics: Firefox
- Browser forensics: Google chrome
- Webinar summary: Digital forensics and incident response — Is it the career for you?
- Web Traffic Analysis
- Network forensics overview
- Eyesight to the Blind – SSL Decryption for Network Monitoring [Updated 2019]
- Gentoo Hardening: Part 4: PaX, RBAC and ClamAV [Updated 2019]
- Computer forensics: FTK forensic toolkit overview [updated 2019]
- The mobile forensics process: steps and types
- Free & open source computer forensics tools
- An Introduction to Computer Forensics
- Common mobile forensics tools and techniques
- Computer forensics: Chain of custody [updated 2019]
- Computer forensics: Network forensics analysis and examination steps [updated 2019]
- Computer Forensics: Overview of Malware Forensics [Updated 2019]
- Incident Response and Computer Forensics
- Computer Forensics: Memory Forensics
- Comparison of popular computer forensics tools [updated 2019]
- Computer Forensics: Forensic Analysis and Examination Planning
- Computer forensics: Operating system forensics [updated 2019]
- Computer Forensics: Mobile Forensics [Updated 2019]
- Computer Forensics: Digital Evidence [Updated 2019]
- Computer Forensics: Mobile Device Hardware and Operating System Forensics
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Digital forensics
Digital forensics
Digital forensics
Digital forensics