- #Alienvault threat exchange install#
- #Alienvault threat exchange download#
- #Alienvault threat exchange windows#
Running the above IPs though these checks, we observe that a seemingly legitimate MS Windows box is actually communicating with an IP in Russia:
OTX performs several checks, and the results indicate that the IP addresses we discovered in the above investigation have, indeed, been associated with malware:įurther searches in OTX also provide basic information about the IP addresses, such as country, BGP AS number, as so on. Using OTX data, we can check the IPs that the programs above are communicating with. This is a common problem encountered when an investigator is not familiar with the environment.Īt this point in our investigation, OTX comes in for the win. The process is definitely acting in a strange manner however, there is still a possibility that these IPs are legitimate. We can now match the connections being made to the program with their PID (those are the red lines drawn on the figure above) enabling us to identify that "winlogin.exe" and “regsvr32.exe” are anomalous.Īt this stage, the question as to whether the process is malicious has still not been completely determined. To investigate further, we next run netstat -nao to find other anomalous established connections: We immediately notice something odd about the top connection.why would the login process be making a remote connection to an HTTPS server that isn’t in our domain?Ĥ. We opened “Process explorer” in Sysinternals and checked out the TCP/IP connections that the “Winlogon.exe” program is making.
#Alienvault threat exchange install#
Tip: Install Wireshark on the PC under investigation and filter for DNS to know exactly when a request was made.ģ. In this case, "Winlogon.exe" popped up as soon as the random DNS request was made. This is done by adding a new filter with the following parameters:Īdding the filter above will restrict the program to displaying only DNS requests.
#Alienvault threat exchange download#
Next, we download “Process monitor” (procmon.exe) from Windows Sysinternals and monitor all DNS connections. So we first disable the "DNSClient" windows service so that all DNS lookups will be performed directly by the requesting program allowing us to trace them.Ģ. This interferes with the investigation since all DNS requests will appear to come from this service (typically “svchost.exe”) rather than the actual program. This service basically caches the DNS requests where possible otherwise it will make DNS requests on behalf of other programs. Windows by default comes with a “DNSClient” service. This was a real scenario)īelow we follow the steps that the analyst took to determine this:ġ.
An analyst is tasked with determining if the client is infected and is risky enough to be shut down and wiped. Scenario: DNS logs show some anomalous and apparently random requests being made by a particular client - requests which never resolve to an IP. In this article, we explore how malware can be detected on an old Windows XP client (believe it or not… they still exist on legacy networks) and how OTX data clinches the case in determining if the anomalous behaviour is malicious or not. For example, AlienVault’s Open Threat Exchange (OTX) is a fantastic tool to help you determine if some observed behaviour is malicious or not. Oftentimes, we overlook the value that crowd-sourced threat intelligence brings to a security team’s arsenal.
0 kommentar(er)
