CoRIIN

The CECyF (Centre Expert de lutte contre la Cybercriminalité Français, the French centre of expertise against cybercrime) organised the first CoRIIN (Conférence sur la Réponse aux Incidents et l'Investigation Numérique, the conference on incident response and digital investigation) on 19 January 2015. It was held in Lille, at EuraTechnologies, the day before the FIC (Forum International de la Cybersécurité), and drew around one hundred participants for the day.

Eric Freyssinet opened the day with a welcome address outlining CECyF's objectives, in particular building bridges between the various professions involved in the fight against cybercrime: law enforcement, academics, forensic experts, private-sector actors and so on. He stressed his wish to see training programmes developed in incident response, invited anyone wishing to contribute to conferences on the topic to contact CECyF, and then gave the floor to the speakers.

Presentation of the PRIS requirements framework

Yann Tourdot and Arnaud Pilon, ANSSI

The talk opened with ANSSI's roadmap for trusted service providers (prestataires de confiance). The agency intends to define a framework covering four areas of IT security incident handling: prevention (audits), detection, response and remediation.

The roadmap calls for a requirements framework (référentiel) in each area. Prevention already has one, PASSI (Prestataires d'Audit de la Sécurité des Systèmes d'Information), which at the time counted four certified providers, Intrinsec among them. PRIS (Prestataires de Réponse aux Incidents de Sécurité) and PDIS (Prestataires de Détection des Incidents de Sécurité), covering response and detection respectively, were to enter their pilot phase in 2015; the remediation requirements had not yet been defined.

The rest of the talk focused on PRIS, first drafted from ANSSI's own experience of large-scale incidents and then opened to a call for comments.

The framework breaks the activity down along the profiles found on the market: reverse engineering of binaries, analysis of compromised systems, network analysis, and management of this type of engagement. Since every analyst has their own way of working, it concentrates on the best practices to follow rather than on a list of tools to use.

It also defines the notion of initial posture (whether the attacker is still active in the system), the environment to set up so that the investigation data stays confidential, and the iterative approach to follow, from understanding the incident to defining remediation measures.

The speakers closed by reminding service providers that they can contact ANSSI at any time, whether to take part in drafting the requirements or to draw on its expertise, and pointed to the agency's buying guide for security products and services.

CERTitude: or how to simplify IOC search campaigns

Vincent Nguyen and Jean Marsault, Solucom

The speakers presented CERTitude, a tool developed in-house at Solucom to search for Indicators of Compromise (IOCs) and measure how far a compromise has spread across a perimeter.

The initial requirements were: compatibility with as many systems as possible (Windows only for now), low impact on the information system, a minimal footprint on the analysed workstations, the ability to scale, modularity, good ergonomics, and confidentiality of the information processed.

The tool consists of a management console and sets of collection scripts that connect to the hosts in scope. Matching can be done either directly on the host or centrally, on the console, once the collected data has been retrieved; the second mode keeps the IOCs themselves confidential, since they are never sent to a machine that may be under the attacker's control. The artifacts covered include registry entries, files, processes, services, Prefetch data, network connections and other network information.

The speakers then gave a live demonstration. The console's web interface lets the user define the scope to evaluate and the indicators to use (in OpenIOC format), and displays the results as a graph. Opening a node shows the indicators identified on that host and lets the analyst assign a confidence level to the result.

The tool was still under development, with version 1.0 planned for summer 2015. It is open source and available on its GitHub repository.
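To make the OpenIOC matching step concrete, here is an added example (not CERTitude's code, nor Solucom's) that parses a small OpenIOC 1.0 indicator and evaluates its AND/OR tree against artifacts collected from several hosts, the way a console would when marking a node as matched. The indicator, the host names and their artifacts are all constructed; only the `is` and `contains` conditions are implemented, and the artifact dictionary keyed by OpenIOC search term is an assumed collection format.

```python
"""Minimal OpenIOC 1.0 evaluator (added example, not CERTitude's code)."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed indicator: a dropper file name OR (an autorun registry path AND a process).
SAMPLE_IOC = """<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <short_description>Hypothetical dropper</short_description>
  <definition>
    <Indicator operator="OR" id="root">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">svchosst.exe</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="combo">
        <IndicatorItem condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">CurrentVersion\\Run\\Updater</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">updater.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed collection output: per host, observed values keyed by OpenIOC search term.
SAMPLE_HOSTS = {
    "WS-017": {
        "FileItem/FileName": ["svchost.exe", "updater.exe"],
        "RegistryItem/Path": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"],
        "ProcessItem/name": ["explorer.exe", "updater.exe"],
    },
    "WS-042": {
        "FileItem/FileName": ["svchost.exe"],
        "RegistryItem/Path": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"],
        "ProcessItem/name": ["explorer.exe"],
    },
    "SRV-03": {
        "FileItem/FileName": ["SVCHOSST.EXE"],   # same dropper, different case
        "RegistryItem/Path": [],
        "ProcessItem/name": [],
    },
}


def _item_matches(item, host):
    """Evaluate one IndicatorItem against the host's artifacts (case-insensitive)."""
    term = item.find("ioc:Context", NS).get("search")        # e.g. FileItem/FileName
    wanted = (item.find("ioc:Content", NS).text or "").lower()
    condition = item.get("condition", "is")
    if condition not in ("is", "contains"):
        raise ValueError(f"unsupported OpenIOC condition: {condition}")
    for observed in host.get(term, []):
        observed = observed.lower()
        if condition == "is" and observed == wanted:
            return True
        if condition == "contains" and wanted in observed:
            return True
    return False


def _indicator_matches(node, host):
    """Recursively evaluate an Indicator node with its AND/OR operator."""
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]          # strip the namespace
        if tag == "IndicatorItem":
            results.append(_item_matches(child, host))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, host))
    if not results:
        return False
    return any(results) if node.get("operator", "AND").upper() == "OR" else all(results)


def evaluate_ioc(ioc_xml, host):
    """True if the host's artifacts satisfy the indicator's logic tree."""
    root = ET.fromstring(ioc_xml)
    return _indicator_matches(root.find("ioc:definition/ioc:Indicator", NS), host)


def sweep(ioc_xml, hosts):
    """Evaluate one indicator across every host in scope."""
    return {name: evaluate_ioc(ioc_xml, artifacts) for name, artifacts in hosts.items()}


if __name__ == "__main__":
    for host, hit in sweep(SAMPLE_IOC, SAMPLE_HOSTS).items():
        print(f"{host}: {'MATCH' if hit else 'clean'}")
```

Evaluating centrally, as here, is what makes the "confidential IOCs" mode possible: the hosts only ever see a generic collector, and the indicator content stays on the console.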

Description & Detection of malware with exotic Command & Control elements

Paul Rascagnères (G Data) and Eric Leblond (Stamus Networks)

The speakers presented how an Intrusion Detection System, Suricata in this case, can detect workstations infected with malware that talks to a Command and Control (C&C) server. The principle is simple: by definition, a communication protocol carries information in a fixed format. Once the patterns of that format have been identified (by analysing a sample, for instance), they can be turned into IDS rules.

The talk used concrete examples of malware analysed by the speakers, with C&C channels over HTTP, HTTPS, DNS and even Windows named pipes, the last being used for communication between infected machines inside the network.

Translating the identified patterns into detection rules ranges from the trivial, for protocols the IDS parses natively, to the more involved, matching binary data extracted directly from the streams. Third-party components are sometimes needed as well, such as a proxy that terminates HTTPS so that the IDS sees cleartext. The last points to consider are the placement of the probes and the volume of traffic analysed: enough points of the information system must be covered for the analysis to be meaningful, and the rules must be optimised well enough not to disrupt the information system's normal operation.
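As an added illustration of the two extremes described above (not the speakers' code and not part of Suricata), the following Python turns two hypothetical C&C patterns into Suricata rules: an HTTP beacon identified by a User-Agent fragment and a URI marker, which the IDS's own HTTP buffers handle, and a raw TCP protocol whose first message starts with a 4-byte magic value, written as a hex content match anchored at offset 0. The malware families, the SID range and the sample flows are all constructed; the same matching logic is applied to those flows so the reader can see what each rule would fire on.

```python
"""Turning C&C patterns into Suricata rules (added example; hypothetical malware)."""
from dataclasses import dataclass

SID_BASE = 9000000   # assumption: a local SID range reserved for the CERT's own rules


@dataclass
class HttpPattern:
    name: str
    user_agent: str   # fragment of the User-Agent header that identifies the family
    uri_marker: str   # fragment of the request URI (a fixed gate path, say)


@dataclass
class BinaryPattern:
    name: str
    magic: bytes      # fixed bytes at the start of the client's first message
    dport: int


SPECIAL = set(';\\"|')


def content_literal(text):
    """Render text for Suricata's content keyword: ; \\ " | and non-printables go to |xx|."""
    out = []
    for b in text.encode("utf-8"):
        ch = chr(b)
        out.append(f"|{b:02x}|" if ch in SPECIAL or not 32 <= b < 127 else ch)
    return "".join(out)


def hex_content(data):
    """Render raw bytes in Suricata's |xx xx| notation."""
    return "|" + " ".join(f"{b:02x}" for b in data) + "|"


def http_rule(p, sid):
    # Classic modifier syntax: the content is matched inside the normalised HTTP
    # buffers, so the IDS does the protocol parsing for us (the "trivial" case).
    return (
        f'alert http $HOME_NET any -> $EXTERNAL_NET any ('
        f'msg:"C2 {p.name} beacon"; flow:established,to_server; '
        f'content:"{content_literal(p.user_agent)}"; http_user_agent; '
        f'content:"{content_literal(p.uri_marker)}"; http_uri; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def binary_rule(p, sid):
    # No application parser here: match the raw bytes at the start of the payload.
    return (
        f'alert tcp $HOME_NET any -> $EXTERNAL_NET {p.dport} ('
        f'msg:"C2 {p.name} handshake"; flow:established,to_server; '
        f'content:"{hex_content(p.magic)}"; offset:0; depth:{len(p.magic)}; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


HTTP_C2 = HttpPattern("fakeie", "MSIE 6.0; Win32)", "/gate/")
BIN_C2 = BinaryPattern("magic7f", bytes.fromhex("7f3a001c"), 443)


def rules():
    return [http_rule(HTTP_C2, SID_BASE), binary_rule(BIN_C2, SID_BASE + 1)]


# Constructed flows: (kind, headers-or-destination-port, uri-or-payload)
SAMPLE_FLOWS = [
    ("http", {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"}, "/gate/check.php?id=7"),
    ("http", {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0"}, "/index.html"),
    ("tcp", 443, bytes.fromhex("7f3a001c") + b"\x00" * 28),
    ("tcp", 443, bytes.fromhex("160301")),   # start of a genuine TLS ClientHello
]


def classify(flow):
    """Apply the same logic as the rules to one flow; return the pattern name or None."""
    kind, meta, body = flow
    if kind == "http":
        if HTTP_C2.user_agent in meta.get("User-Agent", "") and HTTP_C2.uri_marker in body:
            return HTTP_C2.name
    elif kind == "tcp" and meta == BIN_C2.dport and body[:len(BIN_C2.magic)] == BIN_C2.magic:
        return BIN_C2.name
    return None


def triage(flows):
    return [classify(f) for f in flows]


if __name__ == "__main__":
    for r in rules():
        print(r)
    print(triage(SAMPLE_FLOWS))
```

Two practical details the example carries: the semicolon in the User-Agent fragment has to be escaped (here as `|3b|`) or the rule will not load, and the binary rule would see nothing on the HTTPS flows mentioned above unless a proxy terminates TLS in front of the probe.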

In conclusion, attackers are skilled but not yet working miracles: it is possible to react quickly and deploy detection rules as part of incident response, provided the organisation is already proactive about attack detection.

Mimikatz and Windows memory

Benjamin Delpy

The author of the tool beloved of penetration testers and loathed by CISOs (his words) presented mimikatz's ability to interact with memory. His argument: Windows keeps a great deal of information in memory, much of which can be extracted given the right privileges, and the behaviour of an Active Directory environment can be altered by manipulating the right data.

Extraction does not require working on the live system. Process images (minidumps) can be produced with a Sysinternals tool (ProcDump), through the Windows API (MiniDumpWriteDump) or from PowerShell scripts. And why stop there, when a full dump of the workstation's entire memory can be taken, again with Microsoft tools or with MoonSols' DumpIt, or obtained by roundabout means: hibernation files, VM snapshots, and so on.

Once the memory is accessible, the following can be retrieved:

  • LM and NTLM hashes
  • plaintext passwords (well, reversibly encrypted ones)
  • Kerberos keys and tickets: the TGT (which represents the user) and TGSs (each granting access to one resource)

There is no need to revisit Pass-the-Hash with LM/NTLM hashes. Kerberos keys allow a TGT to be requested from the KDC, which is then used to obtain TGSs. A stolen TGT can likewise be used directly to obtain TGSs, and a stolen TGS used directly for the specific access it grants.

The talk then turned to mimikatz's more recent features:

  • addsid alters the sIDHistory attribute to add a SID to an account, which grants it the privileges tied to that SID while staying discreet: the manipulated account does not appear as a member of the groups that carry those privileges.
  • skeleton replicates the behaviour of the Skeleton Key malware by patching the authentication code of a domain controller in memory so that an additional password is accepted for any user account, alongside the real one.
  • The mimilib DLL can be registered as a password filter (an LSA notification package called on every password change) and writes the passwords users set to an output file.

In conclusion, given the sheer volume of information held in memory on systems in an Active Directory environment, an attacker who obtains elevated privileges on a handful of machines has a high probability of escalating further through a chain reaction, eventually compromising the whole domain. Hence the importance of being able to answer the question "who has elevated privileges, and on which elements of the information system?", and of keeping that number to a minimum.
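The addsid trick above is invisible in group membership, but not in the directory itself. As an added example (not mimikatz's code and not any vendor's), the following Python walks a directory export and flags accounts whose sIDHistory carries a SID of the current domain, which a legitimate migration never produces, or a well-known privileged RID, which may be meaningless if the old domain is gone but still deserves review. The domain SIDs, account names and the dictionary-per-account export format are all constructed assumptions.

```python
"""Finding sIDHistory abuse in a directory export (added example)."""

# RIDs that confer domain-wide privileges (well-known values, identical in every domain)
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
# Well-known non-domain SIDs that are privileged on every member
PRIVILEGED_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-512' into ('S-1-5-21-a-b-c', 512)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def check_account(account, current_domain_sid):
    """Return findings (strings) for one account; an empty list means nothing suspicious."""
    findings = []
    sam = account["sAMAccountName"]
    for sid in account.get("sIDHistory", []):
        if sid in PRIVILEGED_SIDS:
            findings.append(f"{sam}: sIDHistory grants {PRIVILEGED_SIDS[sid]}")
            continue
        domain, rid = split_sid(sid)
        if domain == current_domain_sid:
            # A migration copies SIDs from the *source* domain; the account's own
            # domain never appears there unless someone wrote it in by hand.
            findings.append(f"{sam}: sIDHistory holds a SID of the current domain ({sid})")
        if rid in PRIVILEGED_RIDS:
            findings.append(f"{sam}: sIDHistory holds RID {rid} ({PRIVILEGED_RIDS[rid]})")
    return findings


def audit(accounts, current_domain_sid):
    """Map sAMAccountName -> findings for every account that has at least one."""
    report = {}
    for account in accounts:
        findings = check_account(account, current_domain_sid)
        if findings:
            report[account["sAMAccountName"]] = findings
    return report


# Constructed export: the current domain and a legacy domain absorbed by a past migration
CURRENT_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
LEGACY_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"

SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "j.dupont", "sIDHistory": [LEGACY_DOMAIN + "-1105"]},    # ordinary migrated user
    {"sAMAccountName": "svc_backup", "sIDHistory": [CURRENT_DOMAIN + "-512"]},  # addsid: Domain Admins of this domain
    {"sAMAccountName": "m.martin", "sIDHistory": [LEGACY_DOMAIN + "-519"]},     # Enterprise Admins of the old domain
    {"sAMAccountName": "helpdesk7", "sIDHistory": ["S-1-5-32-544"]},
    {"sAMAccountName": "a.bernard", "sIDHistory": []},
]


if __name__ == "__main__":
    for findings in audit(SAMPLE_ACCOUNTS, CURRENT_DOMAIN).values():
        for line in findings:
            print(line)
```

In a real domain the input would come from an LDAP dump or from `Get-ADUser -Filter * -Properties sIDHistory`; on the domain controllers, security event 4765 (SID History added to an account) gives the same signal at the moment it happens.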

DNS investigation: pitfalls and solutions

Stéphane Bortzmeyer, AFNIC

The talk briefly presented how the DNS is organised, so that a digital investigation report cites the right elements.

In short:

  • Domain names have several components (e.g. foo.bar.tld). Each TLD (top-level domain) is the responsibility of an organisation, but the management of subdomains may be delegated to third parties. The delegation boundary cannot be read off the name itself: there is no simple way to tell who is responsible for a given component.
  • Three parties are generally involved in managing a domain name: the registrant, the registrar and the registry. The authoritative DNS servers may be run by the registrant, the registrar or a third-party hosting provider.
  • A registry can be thin or thick. A thick registry stores the registrants' contact data in its own database, while a thin registry leaves that data with the registrars.

With so many actors involved, a report must be precise about which data source was consulted. And because the data can change quickly, every piece of information presented must be systematically timestamped.

Some private actors also maintain passive DNS databases that can be queried during an investigation. The principle is simple: record the DNS answers observed for any domain name and track how the records change over time.
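To show what such a database holds and why the timestamps matter, here is an added example (not AFNIC's code and not any provider's) of a minimal passive DNS store: each (name, type, data) triple keeps its first-seen and last-seen times, so an investigator can ask what a name resolved to on a given date or which other names have pointed at an address. The domain names, addresses and observation times below are constructed.

```python
"""A minimal passive DNS store (added example)."""
from datetime import datetime, timezone


class PassiveDNS:
    def __init__(self):
        # key: (rrname, rrtype, rdata) -> {"first_seen", "last_seen", "count"}
        self._records = {}

    def observe(self, rrname, rrtype, rdata, seen_at):
        """Record one answer seen on the wire; names are normalised before keying."""
        key = (rrname.rstrip(".").lower(), rrtype.upper(), rdata)
        rec = self._records.get(key)
        if rec is None:
            self._records[key] = {"first_seen": seen_at, "last_seen": seen_at, "count": 1}
        else:
            rec["first_seen"] = min(rec["first_seen"], seen_at)
            rec["last_seen"] = max(rec["last_seen"], seen_at)
            rec["count"] += 1

    def history(self, rrname, rrtype=None):
        """Every answer ever seen for a name, oldest first, with its observation window."""
        name = rrname.rstrip(".").lower()
        rows = [
            {"rrtype": k[1], "rdata": k[2], **v}
            for k, v in self._records.items()
            if k[0] == name and (rrtype is None or k[1] == rrtype.upper())
        ]
        return sorted(rows, key=lambda r: r["first_seen"])

    def resolve_at(self, rrname, rrtype, when):
        """Answers whose observation window covers the instant asked about."""
        return [r["rdata"] for r in self.history(rrname, rrtype)
                if r["first_seen"] <= when <= r["last_seen"]]

    def reverse(self, rdata):
        """Names that have ever pointed at this rdata (an IP, a name server, ...)."""
        return sorted({k[0] for k in self._records if k[2] == rdata})


def ts(text):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed sensor observations: (rrname, rrtype, rdata, seen_at)
SAMPLE_OBSERVATIONS = [
    ("cdn-update.example.", "A", "203.0.113.10", "2015-01-05T08:00:00"),
    ("cdn-update.example.", "A", "203.0.113.10", "2015-01-12T09:30:00"),
    ("cdn-update.example.", "A", "198.51.100.7", "2015-01-13T11:00:00"),
    ("cdn-update.example.", "NS", "ns1.hoster.example", "2015-01-05T08:00:00"),
    ("files.corp-mail.example.", "A", "198.51.100.7", "2015-01-14T10:00:00"),
    ("CDN-UPDATE.example", "A", "198.51.100.7", "2015-01-20T15:00:00"),   # same name, odd casing
]


def build_sample():
    db = PassiveDNS()
    for name, rtype, data, when in SAMPLE_OBSERVATIONS:
        db.observe(name, rtype, data, ts(when))
    return db


if __name__ == "__main__":
    db = build_sample()
    for row in db.history("cdn-update.example", "A"):
        print(row["rdata"], row["first_seen"].date(), "->", row["last_seen"].date(), row["count"])
    print(db.reverse("198.51.100.7"))
```

Note the caveat a report must state: `resolve_at` answers nothing for an instant between two observations, because a passive sensor only knows what it saw, and absence of a record is not evidence that the name did not resolve.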

Internet Explorer 10 and 11: a new data format for new challenges

Jean Philippe Noat and Bruno Valentin, Uriel Expert

The talk covered collecting and processing the data stored by the latest versions of Internet Explorer.

Knowing how to process the information matters, but so does knowing where to find it. Up to Internet Explorer 9, data was stored in the index.dat files and the Content.IE5 folder. With the integrity levels introduced alongside User Account Control in Vista, browser instances run as low-integrity processes and store some of their data in dedicated low-integrity locations on disk and in the registry. The speakers also stressed that, from Windows 8 on, each application has its own package, so several sets of traces must be followed.

Versions 10 and 11 keep the data in WebCacheV*.dat, an ESE (Extensible Storage Engine) database, the same format as .edb files. Note that the .dat file is not written continuously: pending changes sit in separate transaction log files. To get all the information, the esentutl tool built into Windows can be used in recovery mode (esentutl /r) to replay the logs into the database; BrowsingHistoryView (NirSoft) can then extract the entries.

FastResponder: an open-source tool for detecting and understanding large-scale breaches

Sébastien Larinier, Sekoia

The speaker presented FastResponder, a tool developed in-house at Sekoia. Since the "traditional" investigation (power off, image and analyse the compromised machine) does not fit every context, the tool was designed with one objective: acquire and analyse data quickly.

This fast-forensics approach concentrates on IOCs. The tool collects all the artifacts listed in the SANS FOR408 course, extracts the MBR and the MFT, computes MD5/SHA-1 hashes of system files and scans with YARA signatures.
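As an added example of one of those collection steps (not FastResponder's code and not Sekoia's), here is a Python parser for the MBR that a triage tool pulls from the first sector of a disk: it checks the 0x55AA signature, hashes the 446 bytes of boot code with MD5 and SHA-1 so they can be compared against a known-good baseline (a bootkit lives in that region), and decodes the four partition table entries so the analyst can see where the volumes start. The sample sector and the "known good" boot code are constructed, not a real bootloader.

```python
"""Pulling a 512-byte MBR apart during fast triage (added example)."""
import hashlib
import struct

PART_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x83: "Linux", 0xEE: "GPT protective"}

# Constructed baseline: a few real-looking opcodes padded with NOPs. A real tool would
# keep the hash of the vendor's genuine boot code instead.
KNOWN_GOOD_BOOT = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439
BASELINE_SHA1 = hashlib.sha1(KNOWN_GOOD_BOOT).hexdigest()


def parse_mbr(sector):
    """Return boot-code hashes and the non-empty partition entries of one MBR sector."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = sector[:PART_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FORMAT, entry)
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mib": sectors * 512 // (1024 * 1024),
        })
    return {
        "boot_code_md5": hashlib.md5(boot_code).hexdigest(),
        "boot_code_sha1": hashlib.sha1(boot_code).hexdigest(),
        "partitions": partitions,
    }


def triage_mbr(sector, baseline_sha1=BASELINE_SHA1):
    """parse_mbr plus a verdict on whether the boot code matches the baseline."""
    info = parse_mbr(sector)
    info["boot_code_modified"] = info["boot_code_sha1"] != baseline_sha1
    return info


def build_sample_mbr(boot_code):
    """Construct a sector: the given boot code, two NTFS partitions, the signature."""
    sector = bytearray(512)
    sector[:len(boot_code)] = boot_code
    # slot 0: bootable NTFS at LBA 2048, 204800 sectors (100 MiB system partition)
    sector[446:462] = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    # slot 1: NTFS at LBA 206848, 41738240 sectors
    sector[462:478] = struct.pack(ENTRY_FORMAT, 0x00, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 206848, 41738240)
    sector[510:512] = SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    clean = triage_mbr(build_sample_mbr(KNOWN_GOOD_BOOT))
    print("modified:", clean["boot_code_modified"])
    for p in clean["partitions"]:
        print(p)
    # Two patched bytes at the start of the boot code are enough to change the verdict.
    tampered = triage_mbr(build_sample_mbr(b"\xeb\x1e" + KNOWN_GOOD_BOOT[2:]))
    print("modified:", tampered["boot_code_modified"])
```

On a live Windows host the sector itself would be read from the raw device (e.g. \\.\PhysicalDrive0), which is exactly the kind of low-level read, bypassing the higher-level API, that the project's roadmap below aims for.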

It is written in Python with a modular architecture so that new artifact definitions are easy to add. The distributed version is compiled into a single Windows executable for ease of use. The artifacts to collect are chosen through collection profiles, specified on the command line or in a configuration file. Output is flat CSV files for analysis.

The project was still under development. Planned additions included RAM, the DNS cache and browser history. Another goal is to depend as little as possible on the Windows API, so as to get around malware concealment techniques that place hooks on functions of the Windows libraries: a collector that reads the raw structures itself does not go through the hooked code paths.

The sources are freely accessible on the project's GitHub repository.

Closing

After the talks, Eric Freyssinet returned to the stage to thank the speakers, the participants and EuraTechnologies, the event's host. He announced that there would certainly be a second edition of CoRIIN, possibly over two days, scheduled for Lille in 2016. Unlike Botconf, there are no plans yet to change venue for each edition.

The slides for some of the talks are available on the CECyF website.