Saturday, March 15, 2014

Update from this week - McAfee and memory analysis a bad mix

This week has been busy, so I haven't made as much progress as hoped, but I have found that the honeypot approach so far may not get me what I was after. My intent was to find a way to gather more intel on ongoing attacks and exploits, but also to collect new samples. To that end I'm working on setting up Cuckoo Sandbox: I want to get it working and find ways to feed it as many samples as I can find in an automated way.

I did spend part of my week doing some additional testing of McAfee Antivirus together with a coworker. During an investigation involving memory analysis I was seeing strings in memory related to bitcoin mining, exploit source code, known malicious domains, and all sorts of other bad stuff I wouldn't expect to see on a normal system.
To test this, we dumped the memory of a clean Windows 7 VM with no AV installed, then installed McAfee's Enterprise AV 8.8 with the current DAT files and dumped the memory again; we saw the same artifacts.

After checking with a few peers, some had heard of certain AV vendors loading this type of content into memory. I didn't find much else documented on the internet about this, and of course McAfee was not willing to share any information on it, but would only mention off the record that other customers had complained of similar findings. So even though this is off-topic for honeypots, I wanted to mention it for other DFIR folks in the hope of saving them time, panic, and concern: when doing memory analysis on a host with possibly any anti-virus, and certainly McAfee's, you can expect to find some suspicious artifacts if you do a strings-type search of the memory.
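The clean-VM-then-install-AV comparison above is easy to turn into a repeatable triage step. The script below is an added example, not code from the original post: it does a `strings`-style extraction over two memory dumps, searches the results against a keyword watchlist, and reports which suspicious hits appear only after the AV product was installed. The two "dumps" are constructed byte strings standing in for real dump files, and the watchlist terms and `.invalid` domains are made up for the example; in practice you would point `triage` at the bytes of a baseline dump and a dump taken after installing the AV product on an otherwise identical image.

```python
import re

# Constructed sample "memory dumps": printable text embedded in binary filler.
# These stand in for real dump files and are not data from the post.
FILLER = b"\x00\x01\x02\xff"
CLEAN_DUMP = (
    FILLER + b"explorer.exe"
    + FILLER + b"C:\\Windows\\System32\\ntdll.dll"
    + FILLER + b"svchost.exe" + FILLER
)
# Same image after an AV install: the AV process name plus strings that look
# like mining-pool, miner and exploit-kit artifacts (all constructed).
AV_DUMP = (
    CLEAN_DUMP + b"McShield.exe"
    + FILLER + b"stratum+tcp://pool.example.invalid:3333"
    + FILLER + b"cgminer"
    + FILLER + b"http://malware.example.invalid/exploit.php" + FILLER
)

MIN_LEN = 4  # same default minimum run length as the `strings` tool

# Keyword watchlist an analyst might grep a dump for (constructed for the example).
WATCHLIST = ("stratum", "miner", "exploit", ".invalid")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> set:
    """Return the set of printable-ASCII runs of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(data)}


def suspicious_hits(strings: set, watchlist=WATCHLIST) -> set:
    """Keep only strings containing at least one watchlist term (case-insensitive)."""
    return {s for s in strings if any(k in s.lower() for k in watchlist)}


def triage(clean: bytes, with_av: bytes) -> dict:
    """Diff suspicious string hits between a baseline dump and a post-AV-install dump.

    Hits under "new_after_av" were introduced by the AV install on a clean image,
    so the same strings on a production host are candidate false positives rather
    than evidence of compromise on their own.
    """
    base = suspicious_hits(extract_strings(clean))
    after = suspicious_hits(extract_strings(with_av))
    return {
        "baseline_hits": sorted(base),
        "new_after_av": sorted(after - base),
        "present_in_both": sorted(after & base),
    }


if __name__ == "__main__":
    result = triage(CLEAN_DUMP, AV_DUMP)
    for key, hits in result.items():
        print(f"{key}:")
        for hit in hits:
            print(f"  {hit}")
```

A string in the "new_after_av" bucket is not proof the AV product is the source on a real host, only that the same indicator shows up on a known-clean image with the product installed. The confirming step is to map the hit's offset back to the process that owns that memory region with a memory-forensics framework such as Volatility; a hit owned by the AV engine's own process is an artifact of its signature data, while the same string inside an unrelated process still needs a look.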

I plan on working on the Cuckoo Sandbox this weekend and will post some updates on how it goes.
