How Did THAT Get There???
Didier posted recently regarding a VBA macro in Excel that allowed him to launch a command shell. This got me to thinking about something I'd read about in the Mandiant M-Trends report...specifically:
For starters, the attackers conduct reconnaissance to identify workers to target in spear-phishing attack...
From an analysis perspective, this can be something of a concern for a responder. One of the biggest analysis issues I've seen has been determining the original infection or compromise vector for an incident. Very often, the analyst can easily locate malware or new user accounts created on a compromised system, but these are often secondary or tertiary artifacts of the original compromise. While these artifacts do provide significant information (i.e., add context and provide a timeframe for the compromise), many times, the initial means of compromise will not be determined...at least, not in a manner that is supported by data.
One of the first steps to determine the initial infection vector may be to identify the malware (secondary artifacts) and determine how it propagates. If there are indications of web browser or email client use on the system...most often for workstations/laptops, but not unheard of on servers...then the initial attack vector may have been via a document-borne mechanism. In this case, the analyst would want to look for indications of documents in email attachments, the browser cache, or temp directories. The analyst may be looking for PDF or MSWord documents, or Excel spreadsheets.
So once you locate the files in question, what tools are out there to parse them?
PDF
Didier's PDF Tools are pretty much the de facto standard
Word
cat_open_xml.pl
Excel
Strings. Seriously. Look for stuff you wouldn't see in a spreadsheet. In the case of Didier's cmd.dll...it's a DLL, so look for strings that would appear in a PE import table, such as "CreateThread".
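As an added example (not from the post, and not one of Didier's tools) of the triage described above: a strings pass over a suspect document that flags DLL tell-tales (the DOS stub message, import names such as CreateThread), plus a check for a VBA project part inside an Office Open XML container. The watch-list and the constructed sample inputs are assumptions for illustration.

```python
import io
import re
import sys
import zipfile

# Constructed watch-list for this example (extend it from your own cases):
# strings that belong in a Win32 DLL, not in spreadsheet or document data.
PE_MARKERS = [b"This program cannot be run in DOS mode", b".text", b"KERNEL32.dll"]
API_NAMES = [b"CreateThread", b"WinExec", b"ShellExecute", b"URLDownloadToFile"]

def extract_strings(data, min_len=6):
    """Poor man's strings(1): runs of printable ASCII at least min_len long."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def find_pe_indicators(data):
    """Return the PE markers and Win32 import names present anywhere in the blob."""
    return [marker for marker in PE_MARKERS + API_NAMES if marker in data]

def list_macro_parts(data):
    """For an Office Open XML file (a zip container), list parts carrying VBA."""
    if data[:2] != b"PK":          # not a zip, so not docx/xlsx/pptx
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]

def triage(data):
    """One verdict dict per file: anything that should not be in a document is listed."""
    return {"pe_indicators": find_pe_indicators(data),
            "vba_parts": list_macro_parts(data),
            "suspicious": bool(find_pe_indicators(data) or list_macro_parts(data))}

def build_samples():
    """Constructed inputs: an xlsx-like zip with a VBA part, and a blob that
    carries DLL tell-tales (not a real PE, just the strings a strings pass sees)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
    blob = (b"MZ\x90\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode\r\n"
            + b"\x00" * 16 + b"KERNEL32.dll\x00CreateThread\x00WinExec\x00")
    return buf.getvalue(), blob

if __name__ == "__main__":
    # Usage: triage.py FILE... ; with no arguments, run over the constructed samples.
    inputs = [open(p, "rb").read() for p in sys.argv[1:]] or list(build_samples())
    for data in inputs:
        print(triage(data))
```

A hit here is a lead to pull the file apart with the proper tools, not a verdict on its own; a legitimate workbook with macros will show a vbaProject.bin too, which is exactly why the RecentDocs/MRU check below matters.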
Also, the analyst may want to look for indications of the user actually opening files, via RecentDocs key or application MRU keys.
So the point is that yes, something happened on the system, but how did it get there? More importantly, how do we prove it and not just speculate? Something like this may refute or support the "Trojan Defense" claim...after all, if you find no indications of a document-borne attack (spear phishing), might that not be one way to refute the claim?