Perseus Demo Walkthrough

Thank you for installing Perseus!

 

Already familiar with Perseus but want to see the new features? Skip to a ransomware investigation conducted using the new Recollection dashboard.

 

This document is designed to quickly familiarize you with the capabilities of Perseus. You’ll learn how Perseus can help you save time investigating incidents in your own environment. Suggested actions to explore Perseus are provided in bold. They’re accompanied by explanations of these actions and how they fit into a typical incident response workflow. Please don’t hesitate to reach out to us at support@PerseusSec.com if you have any questions or comments. Once you’re ready to use Perseus to help you investigate incidents in your own environment, you can download the free production version of Perseus here: https://PerseusSec.com/download-wizard

 

Please Note: The data included in the Perseus Demo comes from a real case study. It doesn’t contain the full Perseus data from every host but a small subset that highlights some key capabilities of Perseus. To protect the privacy of the organization participating in the case study, some data and functionality is not available in the Perseus Demo.

 


Identify Persistent Malware In Seconds

Perseus allows you to determine in seconds whether persistent threats are present on a host you are investigating. Take a common situation during incident response: a network perimeter security tool generates an alert indicating that suspicious traffic originated from a host. Let’s investigate two of these alerts using Perseus to quickly determine which incident involved persistent malware.

 

REDACTED-31315

We receive an alert from our network perimeter security tool that there’s suspicious traffic on REDACTED-31315 on July 15th. We can use Perseus to quickly determine if any persistent malware was associated with this incident. Go to the “Hosts Overview” dashboard, and search for host REDACTED-31315.

 

 

Click on the “Host” field to see the activity on host REDACTED-31315.

 

The Red Arrow indicates a negative reputation for the Url Search Hook entry at the bottom of the list. A URL Search Hook is a COM object, registered by CLSID under the Internet Explorer UrlSearchHooks key, that Explorer loads whenever a user types an unqualified string into the address bar, which makes it an uncommon but effective persistence point. Hover over the “Rep” field for the Url Search Hook for a summary of the VirusTotal report for the binary launched by the entry.

 

You can see that half of the engines detect it as malicious, which indicates it’s very likely malware. If you would like to see the full VirusTotal report, click on the Red Arrow. You can also click on the “Entry Name” or “Entry Launches” fields to launch a Google search for that data. For instance, even a quick glance at the Google search results from clicking on “{3c35ad63-af1d-4e21-b484-b6651a8efcf9}” further supports that the entry is malicious. Perseus allows you to quickly identify persistent malware, even malware using uncommon persistence methods.
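The same check can be scripted against a registry export. The following Python is an added example for this walkthrough, not Perseus code and not the Perseus data model: it parses a constructed .reg export of the UrlSearchHooks key and the CLSID registrations it points to, resolves each hook CLSID to the DLL that implements it, flags anything other than the stock Microsoft hook, and summarises a VirusTotal v3 `last_analysis_stats` object as a detection ratio. The hook CLSID `{11111111-2222-3333-4444-555555555555}`, the DLL path under `C:\Users\Public`, and the VirusTotal counts are all invented for illustration; on a live host you would export the same keys with `reg export`.

```python
"""Enumerate URL Search Hook persistence from a .reg export and rate the hits.

Added example for this walkthrough; not Perseus code. Works offline on a
constructed registry export so it can be run anywhere.
"""
import re
from typing import Dict, List

# CLSID of the stock Microsoft URL Search Hook that ships with Internet Explorer.
# Any other CLSID registered under UrlSearchHooks deserves a look.
DEFAULT_HOOK_CLSIDS = {"{CFBFAE00-17A6-11D0-99CB-00C4FC64497E}"}

HOOK_KEY = r"Software\Microsoft\Internet Explorer\UrlSearchHooks"

# Constructed sample export: the stock hook plus an invented hook whose
# InprocServer32 points at a DLL in a user-writable directory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlSearchHooks]
"{cfbfae00-17a6-11d0-99cb-00c4fc64497e}"=""
"{11111111-2222-3333-4444-555555555555}"=""

[HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C4FC64497E}\InprocServer32]
@="C:\\Windows\\System32\\ieframe.dll"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\Public\\Libraries\\qzxv.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: data}} (string values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and line[0] in '"@':
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes with a leading backslash.
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def url_search_hooks(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, object]]:
    """Resolve every registered URL Search Hook CLSID to the DLL that implements it."""
    index = {k.lower(): v for k, v in keys.items()}  # registry paths are case-insensitive
    findings: List[Dict[str, object]] = []
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        for clsid in index.get(f"{hive}\\{HOOK_KEY}".lower(), {}):
            if not clsid.startswith("{"):
                continue
            dll = "<unresolved>"
            # Machine-wide COM classes live under HKCR, per-user ones under HKCU\Software\Classes.
            for classes in ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER\\Software\\Classes"):
                server = index.get(f"{classes}\\CLSID\\{clsid}\\InprocServer32".lower())
                if server and "(Default)" in server:
                    dll = server["(Default)"]
                    break
            findings.append({"hive": hive, "clsid": clsid.upper(), "dll": dll,
                             "default": clsid.upper() in DEFAULT_HOOK_CLSIDS})
    return findings


def detection_ratio(stats: Dict[str, int]) -> tuple:
    """Summarise VirusTotal v3 `last_analysis_stats` as (engines flagging it, engines with a verdict)."""
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    return flagged, total


if __name__ == "__main__":
    for hook in url_search_hooks(parse_reg(SAMPLE_REG)):
        tag = "ok " if hook["default"] else "SUSPECT"
        print(f"{tag} {hook['hive']} {hook['clsid']} -> {hook['dll']}")
    # Constructed VirusTotal stats object for the suspect DLL's hash.
    print("detection ratio: %d/%d" % detection_ratio(
        {"malicious": 34, "suspicious": 1, "undetected": 35, "harmless": 0, "type-unsupported": 3}))
```

In practice you would hash the resolved DLL and query VirusTotal for that hash; the example stops at the ratio calculation so it runs without network access.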

 

REDACTED-29429

We receive an alert from our network perimeter security tool that there’s suspicious traffic on REDACTED-29429 on July 21st. We can use Perseus to quickly determine if any persistent malware was associated with this incident. Go to the “Hosts Overview” dashboard, and search for host REDACTED-29429.

 

 

Click on the “Host” field to see the activity on host REDACTED-29429.

 

Perseus indicates there are no unauthorized modifications present on the host. This lets you determine immediately that no persistent malware is present, so you don’t waste time searching for indicators of persistence that don’t exist. This is particularly useful when alerts are false positives or when alerts are associated with a broken multi-stage attack attempt. Keep in mind that this rules out the persistence mechanisms Perseus tracks, not a memory-only implant that never wrote anything to disk, so use it to prioritize rather than to close the alert outright. You can incorporate this information into your decisions about which incidents deserve immediate attention; prioritizing incidents with persistent threats often makes sense, as those attacks are still active.

 


Conduct Efficient and Thorough Investigations

Open the Recollection dashboard.

Here we see a server that suffered a ransomware infection on Christmas Eve. While restoring data is a priority, this real-life incident highlights why it’s crucial to conduct thorough investigations. The Recollection dashboard gives you a new way to conduct timeline-based investigations.

 

The malware used in the incident employed anti-forensic techniques on disk, wiping the Windows event logs and securely deleting its own files so that neither could be recovered. Making matters worse, there were no security products present that could provide forensic data around the time of the incident. Without an agent and without relying on any third-party security tools, Perseus was still able to process the registry data and build a timeline of what took place.

 

Using the slider, we can select what time interval we want to view events from.

 

As you move the slider, you’ll notice the Registry, File System, and Forensic data are updated in the treeview (Please Note: For the demo, the Registry and File System data is limited for privacy purposes). This gives you an immediate visual way to see how much forensically-relevant activity took place during a given time interval.

At the top of the page, you see buttons for every type of forensic data collected by Perseus which includes persistence data, evidence of execution, file and folder access artifacts, USB and network connections, user activity, and various other useful registry and file system modifications.

When there’s a magnifying glass icon inside a button, it indicates that there’s at least one event of that type in the time interval you’ve selected. For instance when you open the Recollection dashboard, you’ll notice that there are Connection events.

Drag the slider past July 16th, 2019. You’ll notice the magnifying glass disappears indicating no USB devices were inserted or new network connections were made on the server after July 16th. These visual indicators allow you to quickly determine whether any forensically-relevant events of a given type took place during your selected time interval.

Because we know the incident took place on December 24th, let’s narrow our search to within a month of that by moving the left handle of the slider to November 24th. If you want more fine-grained control over the slider within that month, you can zoom in on it using the Zoom In button.

You’ll notice a very large number of ShimCache events. It can be useful to look only at binaries that executed for the first time during this time interval so we can see what’s new. We can do this by clicking the button to the right of the slider. Keep in mind that a ShimCache entry proves a binary was present on the system and, on older Windows versions, that it ran; Windows 10 no longer records the execution flag, so corroborate with UserAssist, Prefetch, or Amcache evidence where you can.

In addition to the suspiciously-named files executed on the system, a few other things may stand out to you. For instance if you’re familiar with Shellbags, you might notice an unusually low number of new Shellbags were created for User1 within the one-month interval you’ve selected (Please Note: Forensic data for only a single user is shown in this demo. Data from other users was omitted for privacy reasons). Similarly, there was very little Recent Docs activity in this timeframe. Alt+Click on the File Access button to see only the file access events during this time interval.

You can see that all of the events took place on December 24th. The lack of activity before the 24th would seem to indicate the user account is infrequently used on the system. Click on the Activity button to also see user login activity, scroll down in the table to find the “User Login” event, and hover over that field to see the total logins recorded in the SAM registry hive.

The fact that there were only 3 total logins for User1 confirms the suspicion that this account was infrequently used. When asked, the owner indicated that this was an account used only during initial setup of the server and that it should not have been logged into on the 24th. The fact that it was logged into on December 24th suggests the account’s credentials were compromised. The failed login only a second before the successful one is consistent with automated password guessing. The owner confirmed this account had a weak password that would be vulnerable to a brute force attack, and a review of network logs shows RDP traffic around that time.

 

To continue the investigation, we can Shift+Alt+Click on the File Access button to re-enable all event types. If you review the events that took place near December 24th in the table, you’ll find a number of suspicious entries. Some have polymorphic names, but others are recognizable. Note the User Assist entry on 12/24/19 00:48:22 that indicates mimikatz.exe was run.

 

If you aren’t familiar with mimikatz already, click on the “D:\x64\mimikatz.exe” field in the table to launch a Google search. Mimikatz is used by attackers to steal credentials from a system. And you’ll notice shortly after it was executed, a “mimikatz.log” was opened on the system indicating an attacker actively looked at the results of the tool.

 

If you scroll down a bit further in the table, you’ll find “C:\Users\User1\Desktop\pscan24.exe” was executed on the system. For those unfamiliar with it, clicking on the field launches a Google search that reveals it’s a port scanner.

 

Piecing this all together, we can determine from our investigation that it’s not enough to simply restore data to this server. Even though no persistence was established, the server would remain vulnerable to further attack if the compromised user account is not disabled or its password changed to a strong one. The use of a port scanner paired with additional credentials obtained through the use of mimikatz strongly indicates the possibility of lateral movement in the network. To fully recover from this incident, it was necessary to conduct investigations on the other systems this server was connected to in order to ensure they were not compromised as well.

 

The Recollection dashboard gives you a new way to conduct timeline-based investigations so you can make these types of determinations quickly and accurately.
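The steps above (narrow the window, list first-seen executions, decode the UserAssist entry, pair the failed and successful logins, check the SAM login count) can be reproduced as a small timeline script. The following Python is an added example for this walkthrough, not Perseus code: it runs over a constructed event list in which only the mimikatz UserAssist timestamp (12/24/19 00:48:22) is taken from the demo; every other event, timestamp, login record, and the SAM login counts are invented for illustration. UserAssist value names are stored ROT13-encoded, so the sample stores the encoded form and decodes it the way a parser would.

```python
"""Timeline triage over registry-derived forensic events.

Added example for this walkthrough; not Perseus code. The event list is
constructed: only the mimikatz UserAssist timestamp matches the demo.
"""
import codecs
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[str, datetime, object]  # (artifact source, timestamp, detail)

# Sources that are evidence of execution. ShimCache proves presence (and, before
# Windows 10, execution); UserAssist and Prefetch are stronger execution evidence.
EXEC_SOURCES = {"ShimCache", "UserAssist", "Prefetch", "Amcache"}


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def decode_userassist(name: str) -> str:
    """UserAssist value names are ROT13-encoded paths; digits and punctuation pass through."""
    return codecs.decode(name, "rot_13")


# Constructed timeline. Login details carry the account and whether the logon succeeded.
EVENTS: List[Event] = [
    ("ShimCache",  ts("2019-06-01 09:12:00"), r"C:\Windows\System32\notepad.exe"),
    ("Login",      ts("2019-03-10 14:02:11"), {"user": "User1", "ok": True}),
    ("ShimCache",  ts("2019-12-20 17:40:05"), r"C:\Windows\System32\notepad.exe"),
    ("Login",      ts("2019-12-24 00:31:14"), {"user": "User1", "ok": False}),
    ("Login",      ts("2019-12-24 00:31:15"), {"user": "User1", "ok": True}),
    ("UserAssist", ts("2019-12-24 00:48:22"), r"Q:\k64\zvzvxngm.rkr"),  # ROT13 of D:\x64\mimikatz.exe
    ("FileAccess", ts("2019-12-24 00:49:10"), r"D:\x64\mimikatz.log"),
    ("ShimCache",  ts("2019-12-24 01:03:41"), r"C:\Users\User1\Desktop\pscan24.exe"),
]

# Constructed logon counts as a SAM hive parser would report them (F value per user).
SAM_LOGIN_COUNTS: Dict[str, int] = {"User1": 3, "Administrator": 412}


def in_window(events: List[Event], start: datetime, end: datetime) -> List[Event]:
    """The slider: keep only events inside [start, end]."""
    return [e for e in events if start <= e[1] <= end]


def new_binaries(events: List[Event], start: datetime, end: datetime) -> List[str]:
    """Paths with execution evidence whose earliest record falls inside the window."""
    first: Dict[str, Tuple[datetime, str]] = {}
    for source, when, detail in events:
        if source not in EXEC_SOURCES:
            continue
        path = decode_userassist(detail) if source == "UserAssist" else str(detail)
        key = path.lower()
        if key not in first or when < first[key][0]:
            first[key] = (when, path)
    return sorted(path for when, path in first.values() if start <= when <= end)


def credential_guessing(events: List[Event], max_gap: timedelta = timedelta(seconds=5)):
    """A failed logon immediately followed by a successful one for the same account."""
    logins = sorted(((when, detail) for src, when, detail in events if src == "Login"),
                    key=lambda item: item[0])
    hits = []
    for (t1, d1), (t2, d2) in zip(logins, logins[1:]):
        if d1["user"] == d2["user"] and not d1["ok"] and d2["ok"] and t2 - t1 <= max_gap:
            hits.append((d1["user"], t1, t2))
    return hits


def rarely_used(counts: Dict[str, int], max_logins: int = 5) -> List[str]:
    """Accounts whose lifetime logon count in the SAM is suspiciously low."""
    return sorted(user for user, n in counts.items() if n <= max_logins)


if __name__ == "__main__":
    start, end = ts("2019-11-24 00:00:00"), ts("2019-12-25 00:00:00")
    print("new binaries in window:", new_binaries(EVENTS, start, end))
    print("file access in window:", [e[2] for e in in_window(EVENTS, start, end) if e[0] == "FileAccess"])
    print("failed-then-success logons:", credential_guessing(EVENTS))
    print("rarely used accounts:", rarely_used(SAM_LOGIN_COUNTS))
```

The first-seen test keys on the earliest record per path, so a binary that already has older execution evidence (notepad.exe in the sample) drops out of the window even though it also ran during it, which is exactly the noise reduction the demo's button provides.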

 


See Organization-Specific Context

Sometimes legitimate software is used maliciously to carry out an attack. It’s important that an analyst be able to identify malicious use of legitimate software. Perseus can provide valuable organization-specific context to help you make this determination. Let’s explore an example of this. Go to the “Unauthorized Modifications” dashboard, and filter by Reputation “Good”.

You’ll see two entries associated with legitimate remote access products: Zoho Assist and Bomgar.

 

 

Hover over the “UReg” Icon for the Bomgar entry. This will show you that Bomgar is common in the organization participating in our case study. Please Note: These organization-approved products are typically whitelisted using the “Allow” button. Once whitelisted, they won’t appear on the dashboard so that it’s easier for an analyst to identify malicious activity. This Bomgar entry was intentionally omitted from the whitelist for the demo.

 

 

Hover over the “UReg” Icon for the Zoho entry. This will show you that Zoho is uncommon in the organization participating in our case study.

 

Perseus makes it easy and fast for you, even without any organization-specific knowledge, to identify what is common and what is anomalous in an organization. You’re able to quickly determine that the Zoho activity may require a closer look. Click on the “Time” field of the Zoho entry to see additional context associated with that entry.

 

 

As you can see, there were a few other modifications around the time of the Zoho entry. All of them have files that VirusTotal has no reports for. All of these factors combined are suspicious enough to warrant additional investigation of the host. Perseus allows you to quickly identify which incidents actually deserve your focus.

 


Detect Threats Missed By Other Security Technologies

Malware is often designed to bypass the most common security technologies deployed by an organization. Organizations are especially vulnerable when new threats are released that aren’t detected by antivirus definitions or existing IOCs. But because unknown malware almost always relies on known persistence mechanisms, Perseus can help identify persistent infections in your environment that are missed by other security products. Let’s take a look at activity in our environment that there’s no existing reputation data for. Go to the “Unauthorized Modifications” dashboard, and filter by Reputation “Unknown”.

You’ll see a number of entries that VirusTotal has no reports or reputation data for. Click on the “Host” field for host REDACTED-30417 to see only the events on host REDACTED-30417.

You’re able to quickly determine that there are a number of polymorphic entries present on this computer that are highly suspicious and very likely malicious in nature. Even though there were no antivirus or network perimeter security tool alerts associated with this malware at the time of infection, Perseus allowed analysts to detect this threat so they could address it before it became a more serious incident.
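The two signals used in this section and the previous one (how common an entry is across the organisation, and whether an entry with no reputation data has a random-looking name) can be combined into a simple triage pass. The following Python is an added example for this walkthrough, not Perseus code and not its “UReg” implementation: it computes per-entry prevalence over a constructed inventory of ten hosts, scores file names for randomness with three heuristics, and reports entries that are rare, unknown to VirusTotal, or random-looking. The host names, the product paths for the Bomgar and Zoho Assist entries, the random-looking file names, and the reputation labels are all invented for illustration.

```python
"""Triage unauthorized modifications by organisational prevalence and name randomness.

Added example for this walkthrough; not Perseus code. The inventory, paths,
host names and reputation labels are constructed.
"""
import math
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed inventory: host -> persistence entries (launch paths) found on it.
INVENTORY: Dict[str, Set[str]] = {}
for i in range(1, 11):
    host = f"host-{i:02d}"
    INVENTORY[host] = {r"C:\Windows\System32\svchost.exe"}
    if i <= 8:  # the organisation's approved remote support tool, widely deployed
        INVENTORY[host].add(r"C:\Program Files\Bomgar\support-client.exe")
INVENTORY["host-09"].add(r"C:\Program Files\Zoho Assist\assist-agent.exe")
INVENTORY["host-10"].add(r"C:\Users\Public\xkqvz9d2plf.exe")
INVENTORY["host-10"].add(r"C:\ProgramData\a7f9c3e1b5d2\a7f9c3e1b5d2.exe")

# Constructed reputation labels, mirroring the dashboard's Good / Unknown filter.
REPUTATION: Dict[str, str] = {
    r"C:\Windows\System32\svchost.exe": "Good",
    r"C:\Program Files\Bomgar\support-client.exe": "Good",
    r"C:\Program Files\Zoho Assist\assist-agent.exe": "Good",
    r"C:\Users\Public\xkqvz9d2plf.exe": "Unknown",
    r"C:\ProgramData\a7f9c3e1b5d2\a7f9c3e1b5d2.exe": "Unknown",
}


def prevalence(inventory: Dict[str, Set[str]]) -> Dict[str, float]:
    """Fraction of hosts on which each entry appears."""
    counts = Counter(entry for entries in inventory.values() for entry in entries)
    return {entry: n / len(inventory) for entry, n in counts.items()}


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(path: str) -> bool:
    """Heuristic: two of three signals (no vowels, letters mixed with digits, high entropy)."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    letters = [ch for ch in stem if ch.isalpha()]
    signals = 0
    if len(letters) >= 6 and not any(ch in "aeiouy" for ch in letters):
        signals += 1
    if len(re.findall(r"[a-z]\d|\d[a-z]", stem)) >= 2:
        signals += 1
    if len(stem) >= 8 and shannon_entropy(stem) >= 3.3:
        signals += 1
    return signals >= 2


def triage(inventory: Dict[str, Set[str]], reputation: Dict[str, str],
           rare_below: float = 0.2) -> List[Tuple[str, List[str]]]:
    """Entries worth a closer look, with the reasons, sorted by path."""
    findings = []
    for path, fraction in sorted(prevalence(inventory).items()):
        reasons = []
        if reputation.get(path, "Unknown") != "Good":
            reasons.append("no VirusTotal reputation")
        if fraction < rare_below:
            reasons.append(f"seen on {fraction:.0%} of hosts")
        if looks_random(path):
            reasons.append("random-looking name")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(INVENTORY, REPUTATION):
        print(f"{path}: {', '.join(reasons)}")
```

The name heuristic is deliberately conservative (it needs two independent signals) so that short system binaries such as svchost.exe or hex-looking but legitimate names do not trip it on their own; prevalence and reputation carry the rest of the decision, as they do on the dashboard.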

 


Hunt for Threats, Whitelist Approved Software, And More

 

Explore the unique “Universal Registry” dashboard to actively hunt for anomalies. Use the “Allow” button to see how Perseus can further reduce noise by whitelisting software that’s approved in your environment. Use the “Clean” button to see how Perseus can allow an analyst to initiate automated remediation of malicious modifications. And once you’re ready to use Perseus to help you investigate incidents in your own environment, you can download the free production version of Perseus here: https://PerseusSec.com/download-wizard