Conducting Investigations
A brief guide to day-to-day decision making for teams in charge of app reviews, app research, and adding app trust to computer systems.
Initial Information Gathering About an Event
Let's say that you are a Security Administrator tasked with adding and removing apps from your organization's Trust List. One day, you see that one of your users is trying to use a program to check their email messages.
Clicking the selected app shows more information, such as whether the program is signed by a code-signing certificate, along with many other details.
To learn more about this program, click the "i" button to expand the app menu.
Next, you are presented with information about the code signing certificate of the program, the name of the signing organization, and who issued this certificate, in this case, "Microsoft Marketplace CA G 024."
App's Policy History
Now, we are presented with three buttons: "Show Policy History," "Show CERT History," and "Show Policy History for CERT."
The "Show Policy History" button will take you to another page.
In this case, no information is available. This feature tells you whether a policy for this program has already been added to your Trust List.
The "Show CERT History" button shows whether an app or program has historically been signed, and whether an app that was once signed is now seen unsigned, which can be suspicious.
We are presented with only one result, which means the program in question has always been seen as signed. If you see the same program with the "CERT ID," "CERT Name," and "CERT Issuer" columns empty, the program seen in one of your subgroups is no longer signed.
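The two patterns the CERT History view is meant to surface (an app seen signed in one subgroup but unsigned in another, and an app signed by more than one certificate) can be checked programmatically over exported rows. The following is an added example, not part of this guide or its product; the rows, group names and certificate IDs are constructed sample data, and it also flags a certificate whose subject equals its issuer, i.e. self-signed.

```python
from collections import defaultdict

# Constructed rows in the shape of the "Show CERT History" view: one row per
# signing state in which an app has been seen (hypothetical sample data).
CERT_HISTORY = [
    {"app": "HXTSR.exe", "group": "Finance", "cert_id": "AAAA1111",
     "cert_name": "Microsoft Corporation",
     "cert_issuer": "Microsoft Marketplace CA G 024"},
    # Same filename seen unsigned in another subgroup: empty CERT columns.
    {"app": "HXTSR.exe", "group": "Sales", "cert_id": "",
     "cert_name": "", "cert_issuer": ""},
    {"app": "updater.exe", "group": "Finance", "cert_id": "BBBB2222",
     "cert_name": "Example Vendor Ltd", "cert_issuer": "Example Public CA"},
    # Same vendor name but a different certificate that it issued to itself.
    {"app": "updater.exe", "group": "Sales", "cert_id": "CCCC3333",
     "cert_name": "Example Vendor Ltd", "cert_issuer": "Example Vendor Ltd"},
    # Only one result: the app has always been seen signed.
    {"app": "notepad.exe", "group": "Finance", "cert_id": "DDDD4444",
     "cert_name": "Microsoft Corporation",
     "cert_issuer": "Microsoft Marketplace CA G 024"},
]

def is_signed(row):
    """A row with any of the three CERT columns empty counts as unsigned."""
    return all(row[k] for k in ("cert_id", "cert_name", "cert_issuer"))

def review_cert_history(rows):
    """Return {app: [findings]} for apps whose history deserves a closer look."""
    by_app = defaultdict(list)
    for row in rows:
        by_app[row["app"]].append(row)
    findings = {}
    for app, seen in by_app.items():
        notes = []
        signed = [r for r in seen if is_signed(r)]
        unsigned = [r for r in seen if not is_signed(r)]
        if signed and unsigned:
            groups = ", ".join(sorted(r["group"] for r in unsigned))
            notes.append(f"seen signed before but now unsigned in: {groups}")
        if len({r["cert_id"] for r in signed}) > 1:
            notes.append("signed by more than one certificate")
        # A subject that is also its own issuer is a self-signed certificate.
        for r in signed:
            if r["cert_name"] == r["cert_issuer"]:
                notes.append(f"self-signed certificate {r['cert_id']} in {r['group']}")
        if notes:
            findings[app] = notes
    return findings
```

An app with a single, consistently signed row (notepad.exe here) produces no finding, matching the "only one result" case above.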
The "Show Policy History for CERT" button will help you know what policies related to this program have been added throughout your organization or organizations, depending on your access level.
In this case, no information is available. This feature will show you, for example, whether John, one of your administrators, added a block policy for this specific app, or whether Mary, another of your administrators, added trust for one of your departments. Note that you can also search for the CERT Thumbprints of other apps by entering them in the first textbox.
App History for an Event
This section, "Show this App's History for," can help you gather more information about its history on its current computer, within the entire subgroup, or across all the groups you manage.
We have only one instance of HXTSR.exe on this computer.
Click "This Group" to find out if someone else in the group is running the same program.
In this case, we see that only this computer in the group is running this app. If more than one computer is running this program, you will be able to see the different computers and the users using this program.
Click the app to see several options.
After you click the app, you will be presented with a variety of options to choose from, including archiving the app without taking any action, stopping the app on its current computer, or stopping it on all systems within the subgroup (this is known as a "Soft Block," and it won't stop the program forever; after a certain amount of time, the program will work as normal).
If you want a program to not run at all, you can also add a "Hard Block," found in each app menu shown with the red lock.
By clicking "All Groups I Manage," you will be presented with all the instances of this program according to your access level.
Using Google Search Menu
Now, let's see if we can find information about this app using its fingerprints! Click the Google icon, and you will see search options such as SHA-1, SHA256, Filename, CERT, CERT Name, and Issuer. (Note: If the program is not signed, the CERT, CERT Name, and Issuer options will not be shown.)
Click "SHA-1"
There are websites that study malware indicators of compromise (IOC) and publish reports including SHA-1 and SHA-256 fingerprints, so other people can compare a file hash found in their network with the hashes published on the web.
This kind of information complements everything you already have and helps you make a decision.
We see that nobody on the internet has published results for this SHA-1 fingerprint.
Click "SHA-256"
We see that we have results. This means that one website has studied this program based on its SHA-256 fingerprint. We can gather more information about the file we are investigating, what it does in an isolated environment, and also see if there are any indicators of compromise (IOC) detected.
Click "Filename"
After clicking "Filename," we will perform a search to see if the name of the file is found anywhere. If there are people who have used the app or experienced any issues with it, you might be able to see it.
Click "CERT" to see if the CERT thumbprint has been posted anywhere.
We did not find the thumbprint posted anywhere.
Looking for a CERT thumbprint can be very useful because sometimes certificates get stolen and can be used to sign malicious software to evade detection.
Thanks to the research done and published by other security professionals and researchers, Certificate Authorities can find and revoke those certificates. They may disclose the thumbprints so security vendors can implement a global block to prevent a certain certificate from being used.
Click "CERT Name" if you want to know more about the company that signed this program.
The company that signed this program is called "Microsoft Corporation," which is a well-known enterprise. You can discover a lot of things based on the CERT name.
Click "Issuer" if you want to see more information about who the issuer of this code-signing certificate is.
We see that the issuer of this certificate is the Microsoft Marketplace. This is important because you want to ensure that a well-known Certification Authority is issuing the certificate. It is not good practice for a company to issue its own self-signed certificates unless they are used for testing purposes only and never in production environments. A third party has to certify the process.
Coming back to the dashboard, you can check where the program is located using the scroll navigation. You can see the Username, the File Name, the Group where it is located, and the Parent app, which is the program that initiated the program you are reviewing. In this case, HXTSR.exe was initiated by svchost.exe.
Using VirusTotal for Our Research
Now, let's check what VirusTotal has to say about this app. Click this button to be transported to a different page.
We are now in VirusTotal, and we see that out of 74 security vendors, none detected suspicious behavior in this app.
Now, let's check the "Details" tab. After you click, scroll down to see more.
The "History" section will tell you when the program or file in question was created, when it was first submitted to VirusTotal, when the last submission was made, and when the last analysis was done.
The "Names" section serves as a resource to know the different names this program has had in the past throughout submissions from other members of the security community.
This section, "Signature Info," will give you details about its code-signing certificate, if there is one. If you see an app with an expired certificate, it is still acceptable if it expired recently, like two or three years ago. However, if the certificate is older than five years, you should consider updating to a newer version of the software being used. Remember that stolen certificates can be used to evade detection in certain scenarios.
Click on the "Relations" tab to see which files are related to the file being studied.
The "Relations" tab lists the files bundled in the program or file being studied.
The Graph Summary is a brief representation of the program's relations and communications with other files and domain names. To see more information, you can click the "More" button and "Explore in Threat Graph" at the top menu near the "Reanalyze" button. (Note: You might need a VirusTotal account to access the Graph.)
Click the "Behavior" tab to see how the program being studied behaves inside a sandbox.
Click on "Community" to see if other people have posted anything about this specific program.
This is how an app looks when it has not yet been checked in VirusTotal through our menu. You can see the question mark "?" in the image below.
If you hover over the question mark, the VirusTotal logo appears. You can analyze the apps on your blocked list or monitor-mode list individually, one by one, or scan all of them at once with the VirusTotal button at the top of the menu (more on how to do that in the next step).
This is the VirusTotal button that will allow you to launch a scan of your entire list.
After you click the VirusTotal button at the top of the menu, your apps on the list will be checked. If any apps have an issue, you will see a number such as the one in the image below. This number represents the number of security vendors that flagged this specific file.
If you hover over the number one, you will see a brief description of when it was last checked, including the date and time.
Note: Sometimes you will encounter false positives from security vendors when the number is one or sometimes two. However, do not ignore a program with a "1" or a "2"; it may very well be malware that has not yet been detected by other vendors. The solution, or at least what I like to do, is to check if the sandbox study shows unusual actions, if it is related to a lot of known malware, or if it is making unusual communications to IP addresses in other countries or domains.
To deal with false positives, back up the results with information on how the program behaves. Is the program doing something it should not? Is it accessing places that a normal program would not? It all depends on the context of what the program is used for.
When you see that this number increases drastically, say from 2 to 9 in a matter of hours, or from 2 to 20 in a matter of days, this usually means that something bad is happening, and you should investigate further.
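The triage rules above (one or two vendors means verify with behaviour rather than ignore; a jump like 2 to 9 in hours or 2 to 20 in days means investigate) can be applied automatically to a file's recheck history. This is an added example, not code from this guide or its product; the check-in histories are constructed, and the numeric thresholds are assumptions that encode the two jumps quoted in the text.

```python
from datetime import datetime, timedelta

# Constructed recheck histories for one file: (time of check, number of
# security vendors flagging it). Hypothetical values chosen to mirror the text.
HISTORY_RISING = [
    (datetime(2024, 1, 1, 8, 0), 2),
    (datetime(2024, 1, 1, 14, 0), 4),
    (datetime(2024, 1, 1, 20, 0), 9),    # 2 -> 9 within twelve hours
]
HISTORY_STABLE = [
    (datetime(2024, 1, 1, 8, 0), 1),
    (datetime(2024, 1, 3, 8, 0), 1),
    (datetime(2024, 1, 8, 8, 0), 2),     # one or two vendors, barely moving
]

# Assumed thresholds encoding the two examples in the text:
# (look-back window, minimum increase in flagging vendors within that window).
RISE_RULES = [
    (timedelta(hours=24), 7),   # e.g. 2 -> 9 in a matter of hours
    (timedelta(days=7), 18),    # e.g. 2 -> 20 in a matter of days
]

def assess_detection_trend(history):
    """Classify a file from its recheck history.

    Returns (verdict, reason). Verdicts: 'clean', 'verify-behaviour' (one or
    two vendors: possible false positive, confirm with sandbox behaviour) or
    'investigate' (several vendors, or the count is rising fast).
    """
    points = sorted(history)
    if not points:
        return "clean", "never checked"
    latest_time, latest = points[-1]
    # Compare the latest count with every earlier check-in inside each window.
    for window, jump in RISE_RULES:
        for when, count in points[:-1]:
            if latest_time - when <= window and latest - count >= jump:
                return "investigate", (f"rose from {count} to {latest} "
                                       f"within {latest_time - when}")
    if latest == 0:
        return "clean", "no vendor flags it"
    if latest <= 2:
        return "verify-behaviour", f"{latest} vendor(s) flag it; check sandbox behaviour"
    return "investigate", f"{latest} vendors flag it"
```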
Right-click the red number button to access the VirusTotal Options menu, which will allow you to check this file again.
Click "Recheck on VirusTotal"
Using JoeSandbox for Our Research
Let's check the JoeSandbox website to see if this app has any record of sandbox activity and indicators of compromise.
We do not have results available, which means that the app has not been studied in a sandbox. If the app is submitted for analysis, you and the entire security community will be able to see and read a report about it.
This is how it looks when the file you want to study on JoeSandbox exists and was submitted in the past by members of the security community. Click on "Full Report" to see the complete analysis.
This graph records the file's activity during analysis. In this case, we are looking at ransomware being analyzed. If the arrows stay in the green area, it usually means that there is no suspicious activity. However, when the arrows pass through the orange circle (Suspicious Activity) and reach the red circle (Malicious Activity), you should consider taking a closer look and investigating further.
This shows the detection meter and indicates if the malware or ransomware sample is identified. In this case, it was identified as "Wannacry."
General information about the file.
The "Signatures" section tells you which rules were triggered during analysis. In this case, we see Snort rules, HTTP communication, and Yara detections.
In this section, "Process Tree," we can see the processes that were created by the program that started execution, in this case: loaddll32.exe.
In this section, thanks to the MITRE ATT&CK Matrix, we can see more about what a file does at the time of execution based on the Matrix. For example, we can see if the program is trying to use encrypted channels or attempting to scan for antivirus software installed in the system.
In this section, we are provided with a map revealing the communication being done by this malicious file.
Using Hybrid Analysis (Falcon Sandbox) for Our Research
Let's check Hybrid Analysis to see if there are any records of sandbox activity.
We are transported to a different page and presented with no results. If the program had been uploaded in the past, you would be able to see in-depth details about its activity.
This is how Hybrid Analysis looks when you find results of a file being studied. In this situation, we are faced with Wannacry Ransomware.
We are given more information about the tags and a threat score. Additionally, you have the option to refresh the analysis and re-run it to see if anything has changed by clicking the "Click to Refresh" button.
We see antivirus results from the sandbox study that identified the file as "Malicious."
If you want to see more about the behavior of the sample, you can click the little red square with a number. It represents the number of malicious patterns that were registered during analysis.
You will be transported to a different page where you can take a more in-depth look at the patterns of malicious activity that were observed.
Malicious indicators are being detected.
Suspicious indicators are being detected.
Dealing with Legitimate Remote Control Programs
Communication is key. As people work from home, you often cannot compare the security in their homes to the security mechanisms they have at their office. Remote control programs are widely used and might be in your network too. As the security administrator managing trusted apps and CERTs, if you suddenly see a remote control program, it is a good idea to verify if the person connecting is who they say they are. For example, you can send an email asking if they were using that remote software. If they were not, you can block it. If they confirm that they need that software for their support team, you can add it to their Trust List. If you see suspicious activity, let them know.
Final Conclusion
After being provided with all of this information, you now have more data to make an informed decision. You can add trust, apply a block, or archive a program based on the information available.