LEVEL UP
SOC LEVEL 2
Incident Responder & Deep Analyst: in-depth investigation, digital forensics, malware analysis, and threat intelligence.
L2 Deep Analysis
CHAPTER 6: DEEP ANALYSIS & FORENSICS
Role & Mindset of the SOC L2 Analyst
L1 vs L2: What Changes
| Aspect | L1 Triage Analyst | L2 Incident Responder |
|---|---|---|
| Focus | Monitoring, triage, alert classification | In-depth investigation, root cause analysis |
| Core skills | Log reading, alert triage, SOP/playbook execution | Forensics, malware analysis, threat intel, containment |
| Actions | Validate & escalate | Contain, eradicate, recover, hunt |
| Additional tools | SIEM, EDR (read-only), TI lookups | Volatility, FTK/Autopsy, IDA/Ghidra, YARA, sandbox |
| Output | Ticket with initial findings | Full incident report, IOC feeds, rule improvements |
| Decisions | TP/FP, escalate or close | Scope of compromise, containment strategy, remediation plan |
The L2 Mindset
- Think like an attacker: understand the TTPs in play so you can predict the next step
- Evidence first: every claim must be backed by a log entry or an artifact
- Timeline reconstruction: always build a chronological timeline of the incident
- Scope assessment: how wide is the compromise? Never stop at one host; check for lateral movement
- Communication: an L2 must be able to explain technical findings to non-technical stakeholders
Malware Analysis
Three Levels of Malware Analysis
| Level | Name | Technique | Tools |
|---|---|---|---|
| 1 | Static analysis (basic) | Analysis without executing the sample: hashes, strings, file metadata, PE headers, imports | PEStudio, PEiD, strings, file, YARA, ssdeep |
| 2 | Dynamic analysis (behavioral) | Run the sample in a sandbox and observe file, registry, network and process activity | Any.run, Hybrid Analysis, Cuckoo, Process Monitor, Wireshark |
| 3 | Advanced static (code analysis) | Disassembly/decompilation: analysis of the assembly, program logic and C2 protocol | IDA Pro, Ghidra, x64dbg, dnSpy, Binary Ninja |
For L2: you are expected to be proficient at Levels 1 and 2. Level 3 (in-depth reverse engineering) is usually done by L3 or a dedicated malware analyst, but understanding the basics helps a great deal.
Static Analysis: Basic Steps
```bash
# 1. Compute hashes for identification (and for TI / VirusTotal lookups)
sha256sum suspicious.exe
md5sum suspicious.exe

# 2. Check the real file type (the extension may be spoofed)
file suspicious.exe
# Output: PE32 executable (GUI) Intel 80386, for MS Windows

# 3. Extract strings and look for URLs, IPs, domains, registry keys, commands
strings suspicious.exe | grep -iE "http|https|\.com|\.exe|cmd|powershell|reg|HKLM"

# 4. Fuzzy hash (ssdeep) to find similar malware variants
ssdeep -b suspicious.exe

# 5. Inspect the PE header: imports, sections, entropy (PEStudio or similar)
# High entropy (>7) in a section -> probably packed/encrypted
# Imports VirtualAlloc, WriteProcessMemory -> process injection
# Imports InternetOpenUrl, URLDownloadToFile -> C2 communication
```
Note that `strings` only prints ASCII by default, while Windows binaries often keep their interesting strings in UTF-16LE; repeat step 3 with the `-e l` encoding option so those are not missed.
Suspicious Windows API Imports
| API | Indication |
|---|---|
| VirtualAlloc / VirtualProtect | Memory allocation for code injection or unpacking |
| WriteProcessMemory / CreateRemoteThread | Process injection |
| CreateService / RegSetValueEx | Persistence (service/registry) |
| InternetOpenUrl / HttpSendRequest | C2 communication |
| CryptEncrypt / CryptDecrypt | Encryption (ransomware or data hiding) |
| IsDebuggerPresent / CheckRemoteDebuggerPresent | Anti-analysis / anti-debugging |
| GetTickCount / Sleep | Sandbox evasion (timing checks) |
| FindFirstFile / FindNextFile | File enumeration (ransomware, data collection) |
Every one of these APIs also appears in legitimate software. What makes a sample suspicious is the combination (for example VirtualAlloc + WriteProcessMemory + CreateRemoteThread together) and the context, not a single import.
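The five static steps above and the API table, combined into one triage pass, as an added example that is not part of the original chapter. It parses the PE section table by hand (no `pefile` dependency), computes per-section entropy against the 7.0 rule of thumb, pulls `strings`-style output and matches it against the API groups and IOC-like patterns. The sample "binary" is constructed inline and is not real malware: a minimal PE skeleton with a plain code section and a deterministic high-entropy section standing in for a packed one.

```python
import hashlib
import math
import re
import struct

# APIs from the table above, grouped by what their presence usually indicates.
SUSPICIOUS_APIS = {
    "injection": ("VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread"),
    "persistence": ("CreateService", "RegSetValueEx"),
    "c2": ("InternetOpenUrl", "HttpSendRequest", "URLDownloadToFile"),
    "crypto": ("CryptEncrypt", "CryptDecrypt"),
    "anti_analysis": ("IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetTickCount", "Sleep"),
    "enumeration": ("FindFirstFile", "FindNextFile"),
}
# Printable-only character classes so a NUL terminator ends the match (same idea as the grep in step 3).
IOC_RE = re.compile(rb"https?://[\x21-\x7e]+|\b(?:\d{1,3}\.){3}\d{1,3}\b|HK(?:LM|CU)\\[\x21-\x7e]+")
ENTROPY_THRESHOLD = 7.0  # step 5: above this a section is probably packed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, close to 8.0 for compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """What `strings` does by default: runs of at least min_len printable ASCII bytes."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def pe_sections(data: bytes) -> list:
    """Walk the PE section table by hand; returns [] when the input is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                   # COFF file header, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    sections = []
    for i in range(num_sections):                         # each IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        entropy = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "entropy": round(entropy, 2),
                         "packed": entropy > ENTROPY_THRESHOLD})
    return sections


def triage(data: bytes) -> dict:
    """Steps 1-5 of the basic static analysis in a single pass over the raw bytes."""
    strings = extract_strings(data)
    api_hits = {cat: [a for a in apis if any(a in s for s in strings)] for cat, apis in SUSPICIOUS_APIS.items()}
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "is_pe": bool(pe_sections(data)),
        "sections": pe_sections(data),
        "api_hits": {cat: hits for cat, hits in api_hits.items() if hits},
        "iocs": sorted({m.group().decode(errors="replace") for m in IOC_RE.finditer(data)}),
    }


def build_sample_pe() -> bytes:
    """Constructed test input, not real malware: a minimal PE with a code section and a 'packed' one."""
    text = b"\x90" * 200 + b"\0VirtualAlloc\0WriteProcessMemory\0http://example.invalid/update.exe\0"
    packed, seed = b"", b"seed"
    while len(packed) < 4096:                             # deterministic high-entropy filler
        seed = hashlib.sha256(seed).digest()
        packed += seed
    sections = [(b".text", text), (b"UPX1", packed)]
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # i386, no optional header
    raw_ptr = len(dos_header) + 4 + len(coff_header) + 40 * len(sections)
    table, body = b"", b""
    for name, content in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content), 0x1000,
                             len(content), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += content
        raw_ptr += len(content)
    return dos_header + b"PE\0\0" + coff_header + table + body


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

Run it as a script to see the report for the constructed sample; for a real file pass `open(path, "rb").read()` to `triage()`. The entropy check is per section on purpose: a packed sample often keeps a tiny low-entropy stub section next to one large near-8.0 section, and a whole-file average hides that.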
Dynamic Analysis: What to Observe in the Sandbox
What to watch while the sample runs:
Process activity:
- Child processes spawned (cmd.exe, powershell.exe, rundll32.exe)
- Process injection into legitimate processes (svchost, explorer)
File system:
- Files created/modified (dropped payloads, ransom notes)
- Locations: %Temp%, %AppData%, C:\ProgramData (common drop locations)
Registry:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run -> persistence
- HKLM\SYSTEM\CurrentControlSet\Services -> service persistence
Network:
- DNS queries to the C2 domain
- HTTP/HTTPS POST to the C2 (beacon/check-in)
- Data exfiltration traffic
Anti-analysis:
- VM checks (VMware Tools, VirtualBox Guest Additions)
- Debugger checks
- Sleep/delay before the payload activates
If the sample sleeps or detects the VM, a default sandbox run may show almost nothing; a quiet run is not a clean verdict. Re-run with a longer timeout or anti-evasion options and compare against what the static analysis found.
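The observation checklist above turned into detection logic over a sandbox trace, as an added example that is not part of the original chapter. It reads rows in the shape of a Process Monitor CSV export (the column names `Time of Day`, `Process Name`, `PID`, `Operation`, `Path`, `Result`, `Detail` are those of Procmon's export; the rows themselves are constructed, not a real capture) and flags payload drops in %Temp%/%AppData%, Run-key and service persistence, LOLBin child processes, and, as the connecting step, a dropped binary that later opens a network connection.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the shape of a Process Monitor CSV export (not a real capture).
# A dropper writes a binary to %Temp%, registers it in the Run key, spawns an encoded PowerShell,
# and the dropped binary then calls out; the last line is ordinary user activity.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.1003","invoice.exe","4120","CreateFile","C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:00:01.1200","invoice.exe","4120","WriteFile","C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe","SUCCESS","Offset: 0, Length: 204,800"
"10:00:01.3001","invoice.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 92, Data: C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"
"10:00:01.5000","invoice.exe","4120","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 4388, Command line: cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"
"10:00:02.0007","svchost.exe","4412","TCP Connect","DESKTOP-01:49712 -> 203.0.113.10:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1, seqnum: 0, connid: 0"
"10:00:02.1000","explorer.exe","1532","CreateFile","C:\\Users\\bob\\Desktop\\notes.txt","SUCCESS","Desired Access: Read Attributes"
"""

# Registry locations from the checklist (Run/RunOnce and the Services tree).
PERSIST_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\|\\CurrentControlSet\\Services\\", re.I)
# Common drop locations from the checklist.
DROP_DIR_RE = re.compile(r"\\AppData\\|\\Temp\\|^C:\\ProgramData\\", re.I)
EXEC_EXT_RE = re.compile(r"\.(exe|dll|scr|ps1|vbs|js|bat)$", re.I)
# Living-off-the-land binaries a dropper typically spawns.
LOLBIN_RE = re.compile(r"\b(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)\.exe\b", re.I)


def analyze_procmon(csv_text: str) -> dict:
    """Walk the trace in order, correlating a dropped file name with later network activity."""
    findings, dropped = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, proc, detail = row["Operation"], row["Path"], row["Process Name"], row["Detail"]
        base = {"time": row["Time of Day"], "process": proc}
        if op == "WriteFile" and DROP_DIR_RE.search(path) and EXEC_EXT_RE.search(path):
            dropped.add(path.rsplit("\\", 1)[-1].lower())   # remember the dropped binary's name
            findings.append({**base, "category": "payload_drop", "note": path})
        elif op == "RegSetValue" and PERSIST_KEY_RE.search(path):
            findings.append({**base, "category": "persistence", "note": f"{path} -> {detail}"})
        elif op == "Process Create" and LOLBIN_RE.search(path + " " + detail):
            findings.append({**base, "category": "suspicious_child", "note": detail})
        elif op in ("TCP Connect", "UDP Send"):
            findings.append({**base, "category": "network", "note": path})
            if proc.lower() in dropped:                      # the payload itself is now talking out
                findings.append({**base, "category": "dropped_binary_network",
                                 "note": f"{proc} was dropped earlier and now connects to {path}"})
    counts = Counter(f["category"] for f in findings)
    verdict = "malicious" if len(counts) >= 3 else "suspicious" if counts else "clean"
    return {"findings": findings, "counts": dict(counts), "verdict": verdict}


if __name__ == "__main__":
    for f in analyze_procmon(PROCMON_CSV)["findings"]:
        print(f"{f['time']} {f['process']:<12} {f['category']:<24} {f['note']}")
```

The verdict threshold (three distinct behaviour categories) is a deliberately simple stand-in for a sandbox score; the value of the script is the ordered findings list, which reads as the first draft of the incident timeline.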
Memory Forensics
Memory forensics analyzes a RAM dump to find evidence that never touches disk: hidden processes, injected code, network connections, encryption keys, and fileless malware. Main tool: Volatility 3.
Key Volatility 3 Plugins
```bash
# `vol3` below is the Volatility 3 entry point; depending on the install it is `vol` or `vol.py`

# 1. Identify the OS/kernel from the memory dump
vol3 -f memdump.raw windows.info

# 2. List processes
vol3 -f memdump.raw windows.pslist   # active processes (walks the kernel's linked process list)
vol3 -f memdump.raw windows.psscan   # scans memory for process objects, including terminated and unlinked (hidden) ones
vol3 -f memdump.raw windows.pstree   # parent-child relationships

# 3. Network connections
vol3 -f memdump.raw windows.netscan  # scans for connection/listener objects, including closed ones
vol3 -f memdump.raw windows.netstat  # current connections and listeners from the live network tables

# 4. DLLs and injected code
vol3 -f memdump.raw windows.dlllist --pid 1234   # DLLs loaded by the process
vol3 -f memdump.raw windows.malfind              # injected code: private executable (e.g. RWX) memory not backed by a file

# 5. Registry & persistence
vol3 -f memdump.raw windows.registry.hivelist    # list registry hives
vol3 -f memdump.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

# 6. Command lines & handles
vol3 -f memdump.raw windows.cmdline             # command-line arguments of each process
vol3 -f memdump.raw windows.handles --pid 1234  # file/registry/mutex handles of the process

# 7. Dump a suspicious process for further analysis
vol3 -f memdump.raw windows.dumpfiles --pid 1234      # file objects referenced by the process
vol3 -f memdump.raw windows.memmap --pid 1234 --dump  # the process's memory pages
```
malfind is noisy: JIT compilers, .NET and browsers legitimately allocate executable private memory. Treat a hit as confirmed injection only after checking the dumped region for an MZ header or recognisable shellcode in the hexdump and disassembly it prints.
Red Flags in Memory Analysis
| Finding | Meaning |
|---|---|
| svchost.exe whose parent is not services.exe | Malware masquerading as svchost |
| malfind reports RWX (read-write-execute) memory | Injected code: a legitimate process contains foreign code |
| Process whose image path is outside System32/SysWOW64 | Masquerading process (e.g. svchost.exe on the Desktop) |
| Hidden process (present in psscan but not in pslist) | Rootkit hiding: the process was deliberately unlinked |
| Network connection from a process that should not use the network | e.g. notepad.exe making an outbound connection -> compromised |
psscan also returns processes that simply exited (their ExitTime is set), so a psscan-only entry is a hidden-process candidate only when it has no exit time.
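The red-flag table applied automatically to plugin output, as an added example that is not part of the original chapter. It assumes the pslist, psscan, cmdline and netscan results were exported with Volatility 3's JSON renderer (`-r json`) and loaded into lists of dicts; the column names used (`PID`, `PPID`, `ImageFileName`, `ExitTime`, `Args`, `Owner`, `State`, ...) follow the plugins' printed headers and are an assumption, and every row below is constructed. The expected-parent and expected-directory maps are the analyst's baseline, not something Volatility provides.

```python
import re

# Baseline for core Windows processes: who should spawn them and where their image should live.
EXPECTED_PARENT = {"svchost.exe": "services.exe", "services.exe": "wininit.exe", "lsass.exe": "wininit.exe"}
EXPECTED_DIR = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"}, "services.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"}, "explorer.exe": {r"c:\windows"},
}
# Programs that have no business holding an established outbound connection.
NO_NETWORK = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}

# Constructed rows in the shape of `vol3 -r json` output (column names assumed, values made up).
PSLIST = [
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "ExitTime": None},
    {"PID": 560,  "PPID": 480,  "ImageFileName": "wininit.exe",  "ExitTime": None},
    {"PID": 652,  "PPID": 560,  "ImageFileName": "services.exe", "ExitTime": None},
    {"PID": 680,  "PPID": 560,  "ImageFileName": "lsass.exe",    "ExitTime": None},
    {"PID": 900,  "PPID": 652,  "ImageFileName": "svchost.exe",  "ExitTime": None},
    {"PID": 2200, "PPID": 2100, "ImageFileName": "explorer.exe", "ExitTime": None},
    {"PID": 3100, "PPID": 2200, "ImageFileName": "svchost.exe",  "ExitTime": None},  # spawned by explorer
    {"PID": 4480, "PPID": 2200, "ImageFileName": "notepad.exe",  "ExitTime": None},
]
PSSCAN = PSLIST + [
    {"PID": 5016, "PPID": 3100, "ImageFileName": "wupdate.exe", "ExitTime": None},                   # unlinked
    {"PID": 7000, "PPID": 2200, "ImageFileName": "chrome.exe",  "ExitTime": "2024-05-02 09:58:11"},  # just exited
]
CMDLINE = [
    {"PID": 900,  "Process": "svchost.exe",  "Args": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"PID": 2200, "Process": "explorer.exe", "Args": "C:\\Windows\\Explorer.EXE"},
    {"PID": 3100, "Process": "svchost.exe",  "Args": "C:\\Users\\bob\\Desktop\\svchost.exe"},
    {"PID": 4480, "Process": "notepad.exe",  "Args": "\"C:\\Windows\\System32\\notepad.exe\""},
]
NETSCAN = [
    {"Proto": "TCPv4", "LocalAddr": "0.0.0.0",  "LocalPort": 135,   "ForeignAddr": "0.0.0.0",      "ForeignPort": 0,    "State": "LISTENING",   "PID": 900,  "Owner": "svchost.exe"},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49811, "ForeignAddr": "203.0.113.10", "ForeignPort": 443,  "State": "ESTABLISHED", "PID": 4480, "Owner": "notepad.exe"},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49812, "ForeignAddr": "203.0.113.10", "ForeignPort": 8443, "State": "ESTABLISHED", "PID": 3100, "Owner": "svchost.exe"},
]


def image_path(args: str) -> str:
    """Pull the executable path out of a command line, with or without surrounding quotes."""
    m = re.match(r'\s*"?(.*?\.exe)', args, re.I)
    return m.group(1) if m else args


def memory_red_flags(pslist, psscan, cmdline, netscan) -> list:
    by_pid = {p["PID"]: p for p in pslist}
    paths = {c["PID"]: image_path(c["Args"]) for c in cmdline}
    findings = []

    def flag(pid, name, kind, detail):
        findings.append({"pid": pid, "process": name, "flag": kind, "detail": detail})

    for p in pslist:
        name = p["ImageFileName"].lower()
        want = EXPECTED_PARENT.get(name)
        parent = by_pid.get(p["PPID"])
        if want and (parent is None or parent["ImageFileName"].lower() != want):
            flag(p["PID"], name, "masquerade_parent",
                 f"parent is {parent['ImageFileName'] if parent else 'missing'}, expected {want}")
        if name in EXPECTED_DIR and p["PID"] in paths:
            directory = paths[p["PID"]].rsplit("\\", 1)[0].lower()
            if directory not in EXPECTED_DIR[name]:
                flag(p["PID"], name, "masquerade_path", paths[p["PID"]])
    for p in psscan:  # psscan-only AND still running: unlinked, not merely exited
        if p["PID"] not in by_pid and p.get("ExitTime") in (None, "", "N/A"):
            flag(p["PID"], p["ImageFileName"].lower(), "hidden_process", "in psscan but not pslist, no exit time")
    for c in netscan:
        if c["Owner"].lower() in NO_NETWORK and c["State"] == "ESTABLISHED":
            flag(c["PID"], c["Owner"].lower(), "unexpected_network", f"{c['ForeignAddr']}:{c['ForeignPort']}")
    return findings


if __name__ == "__main__":
    for f in memory_red_flags(PSLIST, PSSCAN, CMDLINE, NETSCAN):
        print(f"PID {f['pid']:<5} {f['process']:<14} {f['flag']:<20} {f['detail']}")
```

The rogue svchost.exe (PID 3100) trips two independent checks, which is the usual pattern: one red flag is a lead, two or more pointing at the same PID is what you escalate.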
Disk Forensics
Principles of Digital Forensics
- Preservation: never alter the evidence; make a forensic image/copy first and work on that
- Chain of custody: document who handled what, and when
- Hash verification: the hash of the image before and after acquisition and analysis must match
- Write blocker: use a write blocker whenever the original disk is accessed
Important Windows Artifacts
| Artifact | Location | Information |
|---|---|---|
| Prefetch | C:\Windows\Prefetch\ | Programs that were executed, with run count and timestamps (last 8 run times on Windows 8 and later) |
| Amcache | C:\Windows\AppCompat\Programs\Amcache.hve | Execution/installation history with the SHA-1 of the executable |
| ShimCache | Registry: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache | Executables seen by the application-compatibility subsystem; on Windows 10 and later an entry proves the file existed, not that it ran |
| USN Journal | $Extend\$UsnJrnl ($J data stream) | Record of every file change (create, modify, delete, rename) |
| $MFT | Root of the NTFS volume | Master File Table: metadata of every file, including deleted ones |
| Jump Lists | %AppData%\Microsoft\Windows\Recent\AutomaticDestinations | Recently accessed files per application |
| Browser History | Varies per browser | URLs visited, downloads, search queries, cookies |
| Event Logs | C:\Windows\System32\winevt\Logs\ | Security, System, Application, PowerShell logs |
| LNK Files | %AppData%\Microsoft\Windows\Recent\ | Shortcut files containing the original path, MAC timestamps and volume serial |
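A parser for the USN Journal row of the table, as an added example that is not part of the original chapter. It decodes `USN_RECORD_V2` structures from raw `$UsnJrnl:$J` bytes (the layout and the `USN_REASON_*` values are those documented in the Windows SDK), skips the sparse zero runs at the front of the stream, and then flags executables that are created, deleted, or renamed into existence, the classic `.tmp` then rename to `.exe` pattern. The journal fragment it runs on is constructed inline with the same encoder, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flags (Windows SDK), the subset that matters most in an investigation.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
# USN_RECORD_V2 fixed part (60 bytes): RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset; the UTF-16LE file name follows.
V2 = struct.Struct("<IHHQQQQIIIIHH")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EXEC_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".vbs", ".js")


def filetime_to_dt(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)   # FILETIME counts 100 ns since 1601


def dt_to_filetime(when: datetime) -> int:
    d = when - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def reasons(mask: int) -> list:
    return [name for bit, name in sorted(USN_REASONS.items()) if mask & bit]


def parse_usn(data: bytes) -> list:
    """Parse $UsnJrnl:$J bytes into records, skipping the sparse zero runs."""
    records, off = [], 0
    while off + V2.size <= len(data):
        if struct.unpack_from("<I", data, off)[0] == 0:      # zero padding: the front of $J is sparse
            off += 8
            continue
        length, major, _minor, frn, parent, usn, ts, reason, _src, _sid, attrs, name_len, name_off = V2.unpack_from(data, off)
        if major != 2 or length < V2.size or off + length > len(data):
            break                                             # corrupt or unsupported record: stop, do not guess
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le", errors="replace")
        records.append({"usn": usn, "time": filetime_to_dt(ts), "frn": frn, "parent_frn": parent,
                        "name": name, "reasons": reasons(reason), "attrs": attrs})
        off += length                                         # RecordLength already includes 8-byte alignment padding
    return records


def suspicious_file_events(records: list) -> list:
    """Flag executables created, renamed into existence (e.g. .tmp -> .exe) or deleted."""
    hits, last_old_name = [], {}
    for r in sorted(records, key=lambda rec: rec["usn"]):
        name, rs = r["name"].lower(), r["reasons"]
        is_exec = name.endswith(EXEC_EXT)
        if "RENAME_OLD_NAME" in rs:                           # remember the old name per file reference
            last_old_name[r["frn"]] = r["name"]
        if "FILE_CREATE" in rs and is_exec:
            hits.append({**r, "flag": "executable_created"})
        if "RENAME_NEW_NAME" in rs and is_exec:
            old = last_old_name.get(r["frn"], "")
            if not old.lower().endswith(EXEC_EXT):
                hits.append({**r, "flag": "renamed_to_executable", "old_name": old})
        if "FILE_DELETE" in rs and is_exec:
            hits.append({**r, "flag": "executable_deleted"})
    return hits


def build_record(usn, frn, parent, when, reason, name, attrs=0x20) -> bytes:
    """Encode one V2 record; used here only to construct the sample journal."""
    name_b = name.encode("utf-16-le")
    length = (V2.size + len(name_b) + 7) & ~7                 # records are 8-byte aligned
    hdr = V2.pack(length, 2, 0, frn, parent, usn, dt_to_filetime(when), reason, 0, 0, attrs, len(name_b), V2.size)
    return (hdr + name_b).ljust(length, b"\0")


def build_sample_journal() -> bytes:
    """Constructed $J fragment (not from a real system): a temp file renamed to svchost.exe."""
    t0 = datetime(2024, 5, 2, 9, 55, tzinfo=timezone.utc)
    events = [  # (file reference, reason mask, name, seconds after t0)
        (0x10000000000A1, 0x100 | 0x80000000, "invoice.pdf", 0),
        (0x20000000004F3, 0x100, "~tmp4A7.tmp", 60),
        (0x20000000004F3, 0x2 | 0x80000000, "~tmp4A7.tmp", 61),
        (0x20000000004F3, 0x1000, "~tmp4A7.tmp", 62),
        (0x20000000004F3, 0x2000 | 0x80000000, "svchost.exe", 62),
        (0x10000000000A1, 0x200 | 0x80000000, "invoice.pdf", 90),
    ]
    journal = b"\0" * 64                                      # sparse prefix as seen in an extracted $J
    for frn, reason, name, secs in events:
        journal += build_record(len(journal), frn, 0x5000000000005, t0 + timedelta(seconds=secs), reason, name)
    return journal


if __name__ == "__main__":
    for h in suspicious_file_events(parse_usn(build_sample_journal())):
        print(h["time"].isoformat(), h["flag"], h.get("old_name", ""), "->", h["name"])
```

The journal stores only the file name and the parent's file reference number; to turn `svchost.exe` into a full path you join `parent_frn` against the $MFT, which is why the two artifacts are parsed together in practice.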
Forensic Tools
| Tool | Type | Function |
|---|---|---|
| Autopsy | Open source | Full disk forensics suite: timeline, keyword search, file carving |
| FTK Imager | Free | Forensic imaging, mounting evidence, preview |
| KAPE | Free | Rapid artifact collection & parsing |
| Eric Zimmerman Tools | Free | Parsers: MFTECmd ($MFT/$J), PECmd (Prefetch), RECmd (Registry), and others |
| Velociraptor | Open source | Remote forensics & hunting: collects artifacts from live endpoints |
Network Forensics
Network forensics analyzes traffic captures (PCAP) in depth to reconstruct attacker activity, extract transferred files, and identify C2 communication patterns.
In-depth PCAP Analysis
```
# Wireshark display filters
# HTTP responses that carry a binary body (possible executable download):
http.response && http.content_type contains "application"
# DNS queries for long random-looking labels (possible DGA):
dns.qry.name matches "[a-z0-9]{15,}\."
# Export transferred files: File -> Export Objects -> HTTP
# This extracts every file transferred over (unencrypted) HTTP

# tshark CLI: list unique DNS query names (queries only, not responses)
tshark -r capture.pcap -T fields -e dns.qry.name -Y "dns.flags.response==0" | sort -u

# Zeek (formerly Bro): generate structured logs from a PCAP
zeek -r capture.pcap
# Output: conn.log, dns.log, http.log, files.log, ssl.log, ...
# Zeek logs are far easier to analyze (and to script against) than raw PCAP
```
The content-type filter also matches application/json and similar, so verify an exported object by its magic bytes (an executable starts with `MZ`) rather than trusting the Content-Type header. Neither filter sees inside TLS; for HTTPS traffic you are limited to the handshake metadata (SNI, certificate, JA3) unless the sandbox or endpoint logged the session keys.
C2 Beacon Detection Patterns
| Pattern | Indicator | Detection tool |
|---|---|---|
| Regular-interval beaconing | Connections to the same IP/domain every N seconds/minutes, with little jitter | RITA, Zeek conn.log + frequency analysis |
| JA3/JA3S fingerprint | TLS client/server fingerprint matching a known C2 framework | Zeek ssl.log (ja3/ja3s fields added by the ja3 package), JA3er |
| Long connections | A single connection that stays open for a very long time | Zeek conn.log (duration field) |
| Data size anomaly | Large volume sent to a single destination | Zeek conn.log (orig_bytes vs resp_bytes) |
| Certificate anomaly | Self-signed certificate, generic subject/issuer | Zeek ssl.log, x509.log |
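The conn.log rows of the table (regular-interval beaconing, long connections, data size anomaly) implemented over Zeek output, as an added example that is not part of the original chapter and covers the Zeek step of the PCAP procedure above as well. It parses the TSV format Zeek writes (the `#fields` header line names the columns; `-` marks an unset value), groups connections by source, destination and destination port, and scores each group on inter-connection interval jitter, longest duration and the orig_bytes/resp_bytes ratio. The conn.log it analyzes is constructed inline with a trimmed field list, not a real capture, and the thresholds are starting points to tune, not RITA's.

```python
import statistics
from collections import defaultdict


def parse_conn_log(text: str) -> list:
    """Parse Zeek's TSV conn.log: '#fields' names the columns, other '#' lines are metadata."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def num(value: str, cast=float):
    """Zeek writes '-' for unset fields; treat those as zero."""
    return cast(value) if value not in ("-", "(empty)", "") else cast(0)


def analyze_conn(rows, min_conns=6, max_jitter=0.2, long_conn=3600, exfil_bytes=10_000_000) -> list:
    """Per (src, dst, dst port): interval regularity, long sessions, and upload-heavy volume."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r)
    findings = []
    for (src, dst, port), conns in groups.items():
        ts = sorted(float(r["ts"]) for r in conns)
        gaps = [b - a for a, b in zip(ts, ts[1:])]           # seconds between successive connections
        orig = sum(num(r["orig_bytes"], int) for r in conns)
        resp = sum(num(r["resp_bytes"], int) for r in conns)
        longest = max(num(r["duration"]) for r in conns)
        result = {"src": src, "dst": dst, "port": port, "conns": len(conns), "flags": []}
        if len(conns) >= min_conns:
            mean, sd = statistics.mean(gaps), statistics.pstdev(gaps)
            result["interval"] = round(mean, 1)
            result["jitter"] = round(sd / mean, 3) if mean else None   # coefficient of variation
            if mean and sd / mean < max_jitter:
                result["flags"].append(f"beacon: {len(conns)} connections every ~{mean:.0f}s, jitter {sd / mean:.2f}")
        if longest >= long_conn:
            result["flags"].append(f"long connection: {longest:.0f}s")
        if orig >= exfil_bytes and orig > 10 * max(resp, 1):
            result["flags"].append(f"upload-heavy: {orig} bytes out vs {resp} in")
        if result["flags"]:
            findings.append(result)
    return findings


def build_sample_conn_log() -> str:
    """Constructed conn.log (trimmed field list): a 60 s beacon, normal browsing, one long upload."""
    fields = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service",
              "duration", "orig_bytes", "resp_bytes", "conn_state"]
    base, rows = 1714644000.0, []
    jitter = [0, 1.2, -0.8, 0.5, -1.1, 0.9, -0.3, 1.5, -0.6, 0.2]   # seconds of hand-picked sleep jitter
    for i, j in enumerate(jitter):                                     # beacon: every ~60 s, small fixed payload
        rows.append((base + 60 * i + j, "10.0.0.5", 49000 + i, "203.0.113.10", 443, "tcp", "ssl", 0.8, 512, 1100, "SF"))
    for i, off in enumerate([3, 40, 41, 300, 1800, 1801, 1950]):     # browsing: irregular, download-heavy
        rows.append((base + off, "10.0.0.5", 51000 + i, "198.51.100.20", 443, "tcp", "ssl", 2.5, 3000, 120000, "SF"))
    rows.append((base + 120, "10.0.0.5", 52000, "198.51.100.77", 8443, "tcp", "-", 7200.0, 48_000_000, 20_000, "S1"))
    lines = ["#separator \\x09", "#fields\t" + "\t".join(fields)]
    for r in rows:
        lines.append("\t".join([f"{r[0]:.6f}", f"C{len(lines)}", r[1], str(r[2]), r[3], str(r[4]), r[5], r[6],
                                f"{r[7]:.6f}", str(r[8]), str(r[9]), r[10]]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in analyze_conn(parse_conn_log(build_sample_conn_log())):
        print(f"{f['src']} -> {f['dst']}:{f['port']} ({f['conns']} conns): " + "; ".join(f["flags"]))
```

Pass `open("conn.log").read()` to `parse_conn_log()` for a real capture. On a busy network the beacon check is the one to tune first: raise `min_conns` and lower `max_jitter` until software updaters and telemetry drop out, and treat anything that survives with a non-standard port or an unset `service` as the first thing to pivot on.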