
Another Monday, some more learning must be done!
Today we move on to the FlareVM: Arsenal of Tools room of THM!
In this room we will cover the following topics –
Arsenal of Tools; Commonly Used Tools for Investigation: Overview; Analyzing Malicious Files (this last one, as you may have guessed, is the practical section of the room).
Arsenal of Tools covered in the room –
Reverse Engineering & Debugging:
- Ghidra – NSA-developed open-source reverse engineering suite.
- x64dbg – Open-source debugger for 64-bit and 32-bit Windows binaries.
- OllyDbg – Debugger for reverse engineering at the assembly level.
- Radare2 – A sophisticated open-source platform for reverse engineering.
- Binary Ninja – A tool for disassembling and decompiling binaries.
- PEiD – Packer, cryptor, and compiler detection tool.
Disassemblers & Decompilers:
- CFF Explorer – A PE editor designed to analyze and edit Portable Executable (PE) files.
- Hopper Disassembler – A debugger, disassembler, and decompiler.
- RetDec – Open-source decompiler for machine code.
Static & Dynamic Analysis:
- Process Hacker – Sophisticated memory editor and process watcher.
- PEview – A portable executable (PE) file viewer for analysis.
- Dependency Walker – A tool for displaying an executable’s DLL dependencies.
- DIE (Detect It Easy) – A packer, compiler, and cryptor detection tool.
Forensics & Incident Response:
- Volatility – RAM dump analysis framework for memory forensics.
- Rekall – Framework for memory forensics in incident response.
- FTK Imager – Disk image acquisition and analysis tool for forensic use.
File Analysis:
- FileInsight – A program for looking through and editing binary files.
- Hex Fiend – Hex editor that is light and quick.
- HxD – Binary file viewing and editing with a hex editor.
Commonly Used Tools for Investigation: Overview:
| Tool | Investigative Value |
|---|---|
| Procmon | Records file, registry, process and network activity in real time; useful for malware research, troubleshooting, and forensic investigations. |
| Process Explorer | Shows the parent-child relationship between processes, the DLLs each one has loaded, and the path of its image. |
| HxD | Malicious files can be examined or altered byte by byte via hex editing. |
| Wireshark | Capturing and inspecting network traffic to look for unusual activity (for example, callbacks to unknown hosts). |
| CFF Explorer | Shows PE headers, sections and imports, and generates file hashes (MD5, SHA-1, SHA-256) for integrity checks and for looking the file up in threat intelligence sources. |
| PEStudio | Static analysis: studying an executable's properties (hashes, imports, strings, version info) and flagging blacklisted indicators without running the file. |
| FLOSS | Extracts static strings and automatically de-obfuscates stack, tight and decoded strings from malware using static analysis techniques. |
The task then asks a series of questions to check the information that has been relayed within this section, such as – By using the Process Explorer (procexp) tool, under what process can we find smss.exe?

Using the tool PEStudio to open the file cryptominer.bin in the Desktop\Sample folder, what is the sha256 value of the file?

Using the tool CFF Explorer to open the file possible_medusa.txt in the Desktop\Sample folder, what is the MD5 of the file?

Analyzing Malicious Files!
A suspicious windows.exe file was downloaded by a user on 09/24/2024 at 3:43 AM. This download was flagged as a potential threat. The monitoring team has sent you an email requesting to perform an analysis of it. They have sent you the file, which is now in the C:\Users\Administrator\Desktop\Sample folder.

We can see from the below image that the file is from Russia and that regedit.exe has been masked to seem legitimate, which I don’t think it is!

We check the functions section and find that set_UseShellExecute has been flagged as blacklisted and is shown to have malicious intent.


We use FLOSS to get an overview of the strings within .\windows.exe (the text file output was massive, so I have left that out)!

Next, we look at ‘cobaltstrike.exe’.

We see that it’s calling back to an obscure IP address.


Overall, a good room with good questions that gives the user good exposure to these tools (most of which I have never used)!
The last section shown above is the process of how someone would utilise these tools to check files for the key indicators of malware!


Next, we move on to the Security Principles module!
There is a lot of reading in this module and a lot of topics are covered (hopefully many I already know!)
I will list these and give an overview at the end of the module as there is no standard ‘practical’ sections within this room.

The objective of this room is to:
- Explain the security functions: Confidentiality, Integrity and Availability (CIA).
- Present the opposite of the security triad, CIA: Disclosure, Alteration, and Destruction/Denial (DAD).
- Introduce the fundamental concepts of security models, such as the Bell-LaPadula model.
- Explain security principles such as Defence-in-Depth, Zero Trust, and Trust but Verify.
- Introduce ISO/IEC 19249.
- Explain the difference between Vulnerability, Threat, and Risk.

Overall, a simple room but effective when relating to these key principles, which everyone in cyber security should know!

Now we have reached the final room of Cyber Security 101 – Training Impact on Teams!
Very quick room; it goes over training costs for a team, ROI, and various other things regarding team building!





Until next time & don’t sleepwalk through life!

Saw bolıñız (stay well)
