Copyright John “Four” Flynn This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Modern Incident Response Tools and Techniques John “Four” Flynn - GWU

Obligatory Overview Slide Rootkits What they are How they work Discovery techniques Detecting Rootkits FRISK/IR Best tool ever made No upwardly sloping charts

Rootkits Definition Post exploitation Hide actions on the host Why is this a threat? Difficult to detect Difficult to remove

A Little History Binary modification Tripwire Rootkit techniques

Rootkits Privilege Levels – Ring 0,3 Intel supports 4 levels, why not use them? Kernel Mode vs. User Mode Kernel mode means full write access to ALL of memory

User Mode Rootkits Win32 API vs. Native API PE file format Import Table Hooking

Obtaining Ring 0 Exploiting the Kernel Symantec FW DNS mishandling vuln Old and patched but illustrative Device Drivers Other Kernel Overflows/Exploits

Kernel Mode Techniques System Dispatch Table Hooking Process Unlinking Remove pointer to EPROCESS structure Process still gets CPU time! DKOM – (FU) Hoglund’s 2 bit patch Sky is truly the limit

Detecting Rootkits Execution Path Analysis See where the PE Import Pointers go Walk the dispatch table and follow pointers API Diff Compare Results from Win32 vs. Native API Kernel Data Structure Analysis Process Table Kernel Dispatcher Thread Table

I Lied: Upward Sloping Chart

A losing battle? Intrinsic Problem: Full Memory Write Access = Infinite possiblities Live response vs offline analysis Offline Analysis will catch all of these threats Offline analysis is expensive So is doing incident response worth it?

Incident Response in Higher-Ed Small number of security staff Relatively high number of incidents due to “open network” policies Distributed support network Massive number of endpoints Sound Familiar?

The Solution: FRISK/IR Flexible HTML template-driven output system Secure uploading of results to a central location Robust plugin architecture Forensically Sound and Automated Open Source, Perl Based, Clean Design Perform Response on Critical Systems Quickly

FRISK: Secure Uploads HARD problem Assume credentials can be stolen Authenticated SSL Upload communication with a CGI script View data with a different set of credentials

FRISK - Plugins Perl Based OS Aware Can call 3 rd party binary or perform operations directly in perl Hope to start a nessus-style update system

FRISK/IR Forensically Sound Never touches disk on local system Can be run from read-only media (CD-ROM) Plugin System Easy to write and add new plugins Full Perl! Automatic Update… (soon)

Rootkit detection VICE: Execution Path Analysis RootkitRevealer: Win32 API vs Raw Reads(reg/fs) Klister – Lists Threads used by Kernel Dispatcher Blacklight Rkdetector Strider Ghostbuster - offline vs. online diff FHS – Find Hidden Service Unhackme Others…

Conclusions While live response is imperfect, it is often our first and most important line of defense Thanks for your attention! Please help me make FRISK even better!

References/Links “Step into the Ring 0” Barnaby Jack – Eeye Greg Hoglund – Exploiting Software James Butler – Misc Papers Holy Father – Papers on hxdef etc