Using Live Discover and Live Response for an Active Incident
During an active malware incident, our tool of choice remains Live Discover (information gathering) and Live Response (taking action). You can refer to our Community Page for a wealth of useful queries that can be modified according to your needs.
A few select queries that incident responders generally use are the following:
- If for example there is malware detection on 17 July at 10:55 AM, and you wish to know all system activities such as file read or write at that time, you can use Live Discover Query: ALL system activity for N seconds from a date/time. You can also use Process that created a file under Files to understand which process created the file in question.
- If you suspect a device to have been compromised remotely, the remote authentication attempts under User activity and Authentication gives you a neat report.
- Malware generally registers itself as a service hence the Services installed on the device under Devices will give you this information.
- Malware often creates a scheduled task to main persistence across reboots. You can use Scheduled Tasks to attain this information from suspected machines.
We also have the following collection of Sophos created tools and documentation:
|Source of Infection Tool (SOI)
Used to identify where persistent malware originates. This can be either a network location or a local process.
|Sophos Bootable Anti-Virus (SBAV)
Used to detect and disinfect fully compromised computers using an independent operating system
|Sophos Virus Removal Tool (SVRT)
Used to clean up malware in standalone situations, often used when other anti-virus vendor products are installed
|Sophos Diagnostic Utility (SDU)
Collects system information and log files for all Sophos products that are installed.
In addition to the above, we have curated a small list of essential tools that often assist us in hunting for threats on an allegedly compromised machine.
|Malware can hide, but it has to RUN and preferably survive multiple reboots. That's where this tool comes in handy. It helps us quickly identify those key areas in the Windows Operating System from where a piece of malware can automatically execute when a machine is rebooted or a user logs on.
|Windows Event IDs
|Lists the Event IDs generated by Windows which are helpful during investigations around RDP Attacks or common malware investigations.
|Simply put, it's a Task Manager on steroids. ProcExp shows us detailed information about running processes including their command-line arguments. The area where it specializes in is the information about which handles and DLLs processes have opened or loaded.
|This tool helps us answer, "Which XYZ process spawned the ABC process?" or "Which XYZ process was responsible for a malicious outbound TCP connection?". Simply put, Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity.
|GitHub [Open Source]
|RegRipper is an open-source forensic software application that helps in extracting, parsing, and analyzing the Windows Registry Hive. It is NOT meant to be looking-around the Registry, instead, it's meant for forensic analysis only. It inputs the Registry Hive and churns out a Timeline of Registry Modification which is easier for an examiner to look and understand.
|GitHub [Open Source]
|Kansa is a set of PowerShell scripts that enables you to gather some specific data from remote machines. It's a PowerShell based Incident-Response Framework. For example, you can use this framework to gather Autoruns Log from several machines automatically using a single command!
|GitHub [Open Source]
|WMI has been abused by malware authors in more than one instance. Stuxnet was a nice example. Recently, we saw WMI based CryptoJacking worms which solely lived off the WMI database. WMI Explorer helps us to browse and view WMI namespaces, classes, instances, and properly from a single window.
|Wireshark is a free and open-source packet analyzer. It helps us capture network packets in real-time on a host machine which can be later used to investigate certain communication leading us to the infected machines spreading malware across a network.
|An application to detect and remove Root-Kits.
|Sysmon performs system activity deep monitoring, and log high-confidence indicators of advanced attacks. Sysmon is using a device driver and a service that is running in the background and loads very early in the boot process."
Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.
Set the links to open in a new tab
[edited by: NOAH at 10:39 AM (GMT -7) on 1 Oct 2020]