PenTest: Threat Hunting and Malware Analysis Case Studies

Download
File
PT07:21_Threat_Hunting_Malware_Analysis_OPEN.pdf

This magazine is free to download, just register as a free user and enjoy your reading!


Dear PenTest Readers,

On the occasion of our latest “Malware Attack Types with Kill Chain Methodology” online course, we have a really special treat for you all! We’ve selected some super interesting case studies presented by the course instructor - Filipi Pires - in previous editions of PenTest, Hakin9, and eForensics magazines, and gathered them in one OPEN ACCESS EDITION! Yes, you read it right! :) Great real-life case studies are available to you for free from now on. Use the gift and make yourself a better Threat Hunter and Malware Analyst!

If you find them interesting - and we bet you will - don’t miss out and get your seat on the course by Filipi while there are still seats available! 

See the course here >>

Table of Contents


Secure Development Using an Open Source Tool

Following the OWASP Top 10 as its reference, Horusec applies the Security by Design approach: it scans your code easily and delivers relevant information, such as the vulnerable lines of code, the file they are in and the severity level, and then suggests the best way to fix them. This helps ensure multi-layered security to protect your organization from breaches and attacks. Horusec is here to help you in the best way and with the utmost ease!


Zusy Malware using MSI

Regarding the test performed, the first objective was to simulate targeted attacks using known malware in order to obtain a panoramic view of the resilience of the solution, with regard to the efficiency of its detection by signatures, NGAV and Machine Learning; the artifacts were downloaded manually onto the victim's machine from the daily batches provided by MalwareBazaar. The second objective consisted of analyzing the detection of those same malware samples (or those not yet detected) when their directories were changed; the idea here is to work with manipulation of samples (without execution).


Infection with Malware by Script Python NOT Detected by AV

Regarding the test performed, the first objective was to simulate targeted attacks using a Python script in order to obtain a panoramic view of the resilience of the solution, with regard to the efficiency of its detection by signatures, NGAV and Machine Learning. The idea of running this script is to download the artifacts directly onto the victim's machine. The second objective consisted of running a second Python script that fetches the daily malware batch provided by MalwareBazaar on request through its API access. On the day of this test, we downloaded more than 200 real malware samples (206 samples, exactly).


Hunting the Hunters - Detection and Efficiency Testing of Endpoint Security Sensors

The purpose of this document was to execute several efficiency and detection tests against our endpoint solution, provided by Sophos. This document presents the result of a defensive security analysis with an offensive mindset, performed by executing 27 folders of malware downloaded from theZoo repository in our environment.


Exploitation with Shell Reverse and Infection with PowerShell using VBS file

The first objective is to simulate targeted attacks using a Python script in order to obtain a panoramic view of the resilience of the solution, with regard to the efficiency of its detection by signatures, NGAV and Machine Learning. The idea of running this script is to use the reverse shell technique to gain access to the victim's machine. After executing this attack, the second objective consists of running a PowerShell script that downloads a malicious VBS file onto the victim's machine and executes it, the malware being obtained from MalwareBazaar through an API request.


Make Test in Your Security Solution

The purpose of this document is to execute several efficiency and detection tests against our endpoint solution, provided by Cybereason. This document presents the result of a defensive security analysis with an offensive mindset, performed by executing techniques such as DLL injection and shell injection using a payload created by msfvenom from the Metasploit platform in our test environment.


Bulk Extractor – Looking within it

Digital forensics investigations have grown more difficult as the capacity and diversity of devices containing digital evidence increase. Over the past few years, different technologies have been developed to provide cybersecurity; however, when you look at incident indicators from different sources, you see that the number of incidents within information technology grows every year. There are therefore several tools to assist in the analysis of the files, records and data contained in a system, with the aim of detecting and analyzing the information that makes up these "structures". One of the options currently on the market is Bulk Extractor.


Fail in Detection flow of AV, based “Malware Bazaar!”

Regarding the test performed, the first objective was to simulate targeted attacks using known malware in order to obtain a panoramic view of the resilience of the solution, with regard to the efficiency of its detection by signatures, NGAV and Machine Learning, downloading these artifacts directly onto the victim's machine. The second objective consisted of analyzing the detection of those same 185 malware samples (or those not yet detected) when they were moved to different directories; the idea here is to work with manipulation of samples (without execution).


How to Treat False Positive with Threat Hunting

This report was based on one of the pillars of IOA (Indicator of Attack) research: multiple alarm events from many different hosts for a single domain. To validate whether the domain was really malicious, and to verify whether an APT could be underway in our environment, we carried out extensive research and analysis of the relevant behaviors. With the final product, the team responsible for the product will have an instrument capable of guiding a process of mitigation and/or correction, as well as optimized improvement, based on the criticality of the risks.



September 27, 2021