Explore practical incident response techniques for heterogeneous environments in this BSides Detroit 2018 conference talk. Delve into the challenges of mass-triage in modern cybersecurity and learn about innovative tools like RIFT (Retrieve Interesting Files Tool) and FRAC (Forensic Response Acquisition). Discover the process of building Advanced Indicators of Compromise (AIOCs) through malware analysis, using Trojan.Bisonal as an example. Gain insights into YARA rules and their application in creating AIOCs. Examine the capabilities of ClamAV for malware detection, including custom rule creation, remote scanning, and forensic applications. Understand how to generate ClamAV signatures using IDA with CASC and explore the future direction of incident response methodologies.
Overview
Syllabus
Intro
The mass-triage problem in 2018
Traditional IOCs application
RIFT (Retrieve Interesting Files Tool)
FRAC (Forensic Response Acquisition): The Output
Malware analysis process to build AIOCs
Example: Poisonivy
AIOCs formalization process
Trojan.Bisonal resulting AIOC description
Trojan.Bisonal traffic
Bisonal Behavior
YARA RULES toward AIOCs
Clam AV: Intro
YARA Rules, AICs and ClamAV
Using ClamAV to Scan for Badness
Using ClamAV: Results Custom Rules - ClamAV
Using ClamAV: Results Custom Rules - Yara
Sigtool: ClamAV command line
Sigtool: Command explained
Generating ClamAV Signatures with IDA with CASC
Remote ClamAV scan with Psexec
Remote ClamAV scan with FRAC
ClamAV Bisonal - logic signature
ClamAV and Forensics
Where are we heading
