Friday, November 15, 2019

Results from the 2019 Volatility Contests are in!

We would like to begin by thanking the participants in this year’s contests! This was one of the hardest years for our panel of judges since it had so many outstanding submissions. In the Plugin Contest, there were 11 submissions, which included over 30 new plugins across 3 operating systems. It was also great to see repeat contestants in both the Plugin Contest and the Analysis Contest, and submissions from community members around the globe. Despite the contest going into its 8th year, it’s inspiring to see all the exciting innovation still happening in the field of memory forensics. 

Independent open source projects and communities only remain viable because of contributors who are willing to sacrifice their time and resources. Please show your appreciation for the contestants’ contributions by following them on Twitter/GitHub/LinkedIn, providing feedback on their ideas, and helping to improve their code with testing, documentation, or contributing patches. Looking forward, we are excited to announce that next year’s contest will focus on Volatility 3!


We would also like to thank Volexity for being a sustaining sponsor of the Volatility Foundation and, in particular, for sponsoring this year’s contests.


Placements and Prizes for the 2019 Volatility Plugin Contest:
1st place and $1500 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:

Antoine Brodin for FreeBSD Support

2nd place and $750 USD cash goes to:

Blaine Stancill for Windows 10 Memory Compression

3rd place and $250 USD cash goes to:

Shusei Tomonaga for MalConfScan

4th place and Volatility swag goes to:

Shachaf Atun for Winobj and Tokenimp

5th place and Volatility swag goes to:

Fabio Pagani for Linux kallsyms

Placements and Prizes for the 2019 Volatility Analysis Contest:
1st place and $1500 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:

TEAM. HSLFL (South Korea) for “Memory Analysis in Data Leakage Cases”


Here is a detailed summary of the submissions. If you have feedback for the participants, we're sure they'd love to hear your thoughts!

Analysis Contest

1st: Memory Analysis in Data Leakage Cases by TEAM. HSLFL (South Korea)

This analysis report, written by TEAM. HSLFL (Hope Seyoung Lee Find Love) from South Korea, focuses on exploring how memory analysis with Volatility can be used during data breach investigations. In particular, they present three scenarios involving a remote administration tool (QuasarRAT), FTP, and cloud storage (Google Drive). The simulated scenarios involved two systems, an attacker machine, and a victim machine. The report authors leveraged memory analysis to find suspicious commands, processes, and network activity. They also used memory analysis techniques to extract memory-resident strings and executables. Finally, they demonstrated how numerous types of memory-resident files, including prefetch, hosts, FTP logs, and browser history, could be extracted and post-processed to reveal valuable insights about the attackers’ activities. The submission includes the analysis report and memory samples from each of the three targeted Windows 7 systems.

Related References:
https://github.com/volatilityfoundation/community/tree/master/Team_HSLFL
https://drive.google.com/open?id=1zibtCsFDQg1esf-dgQH40o0O4BUL8B-Y

Plugin Contest

1st: Antoine Brodin: FreeBSD Support

This submission provides a very complete toolkit for performing memory analysis on modern FreeBSD systems. In addition to adding support to Volatility 2.6.1 for a new operating system and writing 13 new plugins, the author has also written a memory acquisition tool for FreeBSD and integrated full profile support. One of the factors that judges consider is the “analysis curve” or the difference in analytical capabilities with and without the author’s work. Prior to this submission, investigations would either not be able to capture RAM or they’d be limited to strings and grep. They now can leverage the full power of Volatility! Amazing and useful!

Related References:
https://people.freebsd.org/~antoine/2019-vpc/volatility.diff
https://github.com/volatilityfoundation/volatility/tree/freebsd_support
http://distcache.FreeBSD.org/local-distfiles/antoine/2019-vpc/FreeBSD-12.1-PRERELEASE-GENERIC-amd64.lime https://people.freebsd.org/~antoine/2019-vpc/FreeBSD-12.1-PRERELEASE-GENERIC-amd64.zip

2nd: Blaine Stancill (FireEye): Windows 10 Memory Compression

This submission enabled the automatic incorporation of the compressed stores created by Windows 10 to implement in-memory paging. By incorporating analysis of these stores in a new Volatility address space, compressed pages are transparently decompressed as plugins access them. The clever use of inheritance and caching by the authors minimizes the performance impact of the decompression routines and makes the benefits far outweigh the impact. Aleksander Østerud pioneered some of these capabilities in last year’s plugin contest, and it is exciting to see Blaine and the FireEye team dive deeper into what we consider one of the most drastic changes to memory analysis that any OS vendor has made in the past couple years.

Related References:
https://github.com/fireeye/win10_volatility 
https://www.fireeye.com/blog/threat-research/2019/07/finding-evil-in-windows-ten-compressed-memory-part-one.html
https://www.fireeye.com/blog/threat-research/2019/08/finding-evil-in-windows-ten-compressed-memory-part-two.html
https://www.fireeye.com/blog/threat-research/2019/08/finding-evil-in-windows-ten-compressed-memory-part-three.html
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/finding-evil-in-windows-10-compressed-memory-wp.pdf
https://twitter.com/MalwareMechanic

3rd: Shusei Tomonaga (JPCERT): MalConfScan

This suite of plugins dumps configuration data, decoded strings or DGA domains from over 25 common malware families and red team tool kits. The plugins can be launched individually or in batch mode by the main entry point, malconfscan. Most configurations are identified with yara signatures (which, too, can be leveraged outside of the framework, if desired) and then parsed out of process memory, using freely available decompression libraries (i.e., aPLib), custom decoding functions, or encryption algorithms – using keys hard-coded within the malware or dynamically referenced from elsewhere in the memory sample. The authors also provide a Cuckoo Sandbox integration, which can save analysts a significant amount of time. We'd love to see the broader community submit merge requests to this project and help upkeep the (already extensive) library of decoders.

The authors also thought one step ahead and developed a generic malware string extractor (malstrscan plugin) that works independently of specific malware families. By default, the string extractor searches for injected code regions (similar to how malfind works), disassembles the code, and follows pointers/references to strings. In "full" mode, it extracts strings from bordering memory regions that were possibly allocated contiguously, but that might not appears as injected on their own (for example, if they're RW and not RWX).

Related References:
https://github.com/JPCERTCC/MalConfScan
https://blogs.jpcert.or.jp/en/2019/08/malconfscan.html
https://twitter.com/shu_tom
https://github.com/JPCERTCC/MalConfScan-with-Cuckoo

4th: Shachaf Atun (KSL Group): Winobj and Tokenimp

The winobj and tokenimp plugins introduce some powerful new capabilities. As always, plugins built to satisfy a particular deficiency (amongst existing plugins) during investigations are pretty much guaranteed to be valuable. In this case, the authors wanted to determine which processes elevated via UAC or UAC bypasses, and to hunt instances of token impersonation. Tools such as Mimikatz, Tokenvator, and Invoke-TokenManipulation were used for testing, and pointers were provided in the documentation to threat groups and malware variants that leverage the same techniques. We were impressed by this plugin because it also required analyzing a fair amount of undocumented data structures and flags. The winobj plugin allows extracting artifacts from the object directories. One of the documented use cases is detecting attacks against KnownDlls, which has been exploited heavily in the past. It also provides a valuable alternate method for finding drivers, devices, file systems, mutexes, symbolic links, and various other artifacts relevant to forensics. Allowing interactive browsing of object name spaces was also a nice touch.

Related References:
https://github.com/kslgroup/WinObj
https://github.com/kslgroup/TokenImp-Token_Impersonation_Detection
https://github.com/kslgroup/WinObj/blob/master/WinObj%20documentation.pdf
https://github.com/kslgroup/TokenImp-Token_Impersonation_Detection/blob/master/TokenImp%20documentation.pdf

5th: Fabio Pagani: Linux Kallsyms

This submission provided several new capabilities to Volatility. First, new algorithms for enumerating processes in kernel memory were discussed and implemented as Volatility plugins. What is particularly interesting about these new methods is that they were derived from an automated system that can determine where and how data structures are accessed during runtime and then translate these accesses to memory forensic capabilities. The second part of the submission involved automatically finding and reconstructing the full set of kernel symbols from a memory sample. This also had an interesting twist in that it used the Unicorn emulation engine to perform the decompression of the symbol sets instead of code implemented in Volatility. The use of emulation allowed for the exact algorithm from the kernel to be used.

Related References:
http://s3.eurecom.fr/~pagabuc/
https://twitter.com/pagabuc
https://github.com/volatilityfoundation/community/tree/master/FabioPagani


The following submissions appear in the order they were received. As previously mentioned, these developers deserve huge props. We look forward to seeing future work by these authors!


Cesare Pizzi (Sorint.Lab): Powershell

Powershell has become increasingly common as a malicious payload in real malware samples. The goal of this plugin is to assist analysts in finding Powershell processes and narrowing down the amount of related data to focus on for subsequent analysis. The submitted plugin accomplishes this by first using a yara rule, rather than relying on a filename, for finding Powershell processes in memory. Additionally, the plugin provides an advanced scanning option that filters the VADs of found Powershell processes, looking for ones that may contain Powershell-related commands or scripts.

Related References:
https://twitter.com/red5heep
https://github.com/volatilityfoundation/community/tree/master/CesarePizzi

Or Chechik and Inon Weber: Ropfind

The ropfind and linux_ropfind plugins find evidence of return oriented programming, or ROP, and stack pivoting in a memory sample. The plugins scan thread stacks for evidence of ROP gadgets and small memory allocations for evidence of stack pivoting. There are a number of checks performed to reduce the number of false positives reported. The plugins additionally provide a means for whitelisting gadgets based on opcodes and make them more specific by whitelisting based on specific symbols.

Related References:
https://github.com/orchechik/ropfind
https://twitter.com/orchechik
https://twitter.com/InonWeber

Rolf Govers and Max de Bruijn (Fox IT): Windows Toast Notifications

The ToastPlugin is the first Volatility plugin to extract Windows notification artifacts. In particular, the plugin focuses on a particular type of notification called toast notifications. Toast notifications allow an application to relate relevant information and timely events to users that may require actions. A toast notification can contain text, images, and custom actions. For example, this could include information about connected devices, calendar events, friend requests, or email/messaging notifications. As a result, they can provide investigators with valuable insights into historical user activity and context about how the system was being used. The ToastPlugin searches though memory samples for the toast XML structures. It also lays the groundwork for a lot of future work related to Windows notifications.

Related References:
https://blogs.msdn.microsoft.com/tiles_and_toasts/2015/07/08/toast-notification-and-action-center-overview-for-windows-10/
https://twitter.com/Rolf_Govers
https://twitter.com/Maxdebruijn
https://github.com/volatilityfoundation/community/tree/master/WindowsToastNotifications

Elmar Nabigaev: VMware Tools

Virtualization platforms have become exceedingly common and typically provide capabilities to perform various actions on a guest operating system from the host. VMware's vmtools is one example and this plugin can help analysts by finding recently executed commands run on a guest through vmtools. These include operations such as copying files to and from the guest, listing files, running processes, etc. This plugin can also capture credentials an attacker may have used on the guest OS when executing a command.

Related References:
https://twitter.com/tlp_red
https://github.com/volatilityfoundation/community/tree/master/ElmarNabigaev

Angelo Mirabella: Linux Coredump

linux_coredump is a new Volatility 2.6.1 plugin that extracts detailed information about individual processes and generates a core dump file for the process. The resulting core file can be loaded into GDB or other debuggers that support the core file format. This plugin is particularly useful for situations where an analyst wants to dig into the details of a particular process found in a Linux memory dump and needs to leverage capabilities provided by debuggers but not memory analysis tools.

Related References:
https://github.com/Angelomirabella/linux_coredump

Ryan D. Maggio, Raphaela Mettig, Sweta Ghimire (LSU): Shemu

shemu (shell + emulator) allows for the emulation of in-memory code directly inside volshell. With current Volatility capabilities, analysts who wish to perform reverse engineering inside of volshell must instead use the dis() function, which simply provides static disassembly listing. Automated emulation of code provides for much deeper, accurate, and efficient analysis of memory resident code and will be a great feature for users of the framework.

Related References:
https://twitter.com/4kb0mb https://twitter.com/rmettig_
https://twitter.com/ryandmaggio
https://github.com/volatilityfoundation/community/tree/master/Shemulator


Here are a few additional resources regarding previous contests and community-driven plugins.


Volatility Foundation Contest Home Page: http://www.volatilityfoundation.org/contest

Volatility 2018 Plugin Contest Results: https://www.volatilityfoundation.org/2018
Volatility 2017 Plugin Contest Results: http://www.volatilityfoundation.org/2017
Volatility 2016 Plugin Contest Results: http://www.volatilityfoundation.org/2016
Volatility 2015 Plugin Contest Results: http://www.volatilityfoundation.org/2015
Volatility 2014 Plugin Contest Results: http://www.volatilityfoundation.org/2014-cjpn
Volatility 2013 Plugin Contest Results: http://www.volatilityfoundation.org/2013-c19yz

Volatility Community GitHub Repository: https://github.com/volatilityfoundation/community

No comments:

Post a Comment