{"id":1888,"date":"2021-10-07T06:59:00","date_gmt":"2021-10-07T06:59:00","guid":{"rendered":"\/cybersecurity-blog\/?p=1888"},"modified":"2023-08-17T07:36:19","modified_gmt":"2023-08-17T07:36:19","slug":"using-sandbox-for-incident-response","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/","title":{"rendered":"Using a Sandbox for Incident Response: Containment Strategy"},"content":{"rendered":"\n<p>Once a breach appears, your first thought may be to remove all suspicious files and forget about the problem. But that can actually make the situation worse, as all valuable evidence will be gone. And you will definitely need it: to identify where the attack happened and to work out a strategy to stop future breaches.<br><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Do the research and retrieve data<\/h1>\n\n\n\n<p>When on shift in your <a href=\"https:\/\/any.run\/cybersecurity-blog\/incident-response-and-digital-forensics\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Incident Response<\/a> role, you could be notified by the SOC analyst team that a connection to a known C2 server has been detected from a couple of endpoints, and that the IP address points to the<a href=\"https:\/\/any.run\/malware-trends\/agenttesla\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\"> Agent Tesla trojan<\/a>.<br><\/p>\n\n\n\n<p>One of the first things you can do to give more context to the alert escalated by the SOC team is to search for the matched IOC in the Threat Intelligence sources you rely on, and one of them is certainly the <a href=\"https:\/\/app.any.run\/submissions\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">public tasks<\/a> on ANY.RUN.<br><\/p>\n\n\n\n<p>From the <em>recent tasks<\/em> submission list, you can click on the filter symbol near the search textbox in the upper-right corner of the
page:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2021\/10\/incident-response-1.jpeg\" alt=\"\" class=\"wp-image-1901\"\/><\/figure>\n\n\n\n<p>Then type the IP address from the alert into the <em>Context -&gt; IP address<\/em> text box.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/yHXJU6VSG5zVdPzEcOeYVJOFB5W3Zc6Siuj62nCw8iVezfLC7_7Dk5oHq6KvThJmcEvsLQyNRT1oOWpiYNyfvHIM8BU6mAko6XLCCHrOQecRbY3ZQlYQvJwICiI9Ad_C_DSUB7aV=s0\" alt=\"\"\/><\/figure>\n\n\n\n<p>All the samples that were analyzed with public access rights, and for which that IP address was detected in the network communications, will then be listed, and you can explore them one by one.<br><\/p>\n\n\n\n<p>While inspecting samples related to the IOC you are dealing with, you can leverage one of the best features of <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_post&amp;utm_content=containment_strategy\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">ANY.RUN<\/a> \u2013&nbsp;the <em>Process Graph<\/em> (you can find it in the upper right corner of the general pane), where you can see that the first action this malware family takes is to gain persistence through a scheduled task, described in the <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">ATT&amp;CK MATRIX<\/a> as <strong>TA0003 Persistence<\/strong> &#8211; <strong>T1053 Scheduled Task\/Job<\/strong> &#8211; <strong>T1053.005 Scheduled Task<\/strong>.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\"
src=\"https:\/\/lh3.googleusercontent.com\/pcFRz8LbnLsodr5TU7V_MhZvGxzeaHvpM1abMdF0En3SSg2fMN9yLx88ro-96P4Rwoe39jMJGOnc-zQYH3CEb-N0mrXlSrHc3e1mzKQM8LL8jiRiGY9mMuTc_90ydJADhissvBRI=s0\" alt=\"\"\/><\/figure>\n\n\n\n<p>In this example we see that the malware adds a Scheduled Task named \u201cUpdates\\VXEYaEBemoZ\u201d using the following command, with a dropped XML file as the task definition:<br><\/p>\n\n\n\n<p>&#8220;C:\\Windows\\System32\\schtasks.exe&#8221; \/Create \/TN &#8220;Updates\\VXEYaEBemoZ&#8221; \/XML &#8220;C:\\Users\\admin\\AppData\\Local\\Temp\\tmpF7CF.tmp&#8221;<br><\/p>\n\n\n\n<p>What we can do now is read the contents of the XML file used as the task definition and retrieve, for example, the triggers and the command to be executed. To do so, we can again leverage ANY.RUN\u2019s features, in this case file modification tracing. We get there by clicking on the file icon in the pane under the video history section, where the analysis can be played back (note that the default focus is on HTTP requests):<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/8btLiYB6DR14GL36VuOnXtcbNHevSBUjuJfddktqy-hzcFSoGjQKEdwu5qw5ioCM-JSXZ5DEsnq0sTSe7OlMHKFvOEZIpZzYIcw-c0mGcbDTsbfPTu0UzexMUqPa7pS8J5MPrFfn=s0\" alt=\"\"\/><\/figure>\n\n\n\n<p>Switching to the files view, we can see the list of all files created during the sample execution (usually by a dropper or a downloader), including our scheduled task definition XML.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/WLr-E_sVRnmXVHSci2IyZs-9wncX6A18BsAaxWCi2Bhk_hPP1M909yZ1Rxvn96ZeBrhu4bkDpxmQlB1TJtEGOSeWHwNVrqgRmVkV3rNvDXZPIBwO2u8KvO9MP05im7ng64HqMJ0v=s0\" alt=\"\"\/><\/figure>\n\n\n\n<p>We can now click on the <em>Content<\/em> column (the rightmost) for the selected row, and a new window opens showing the content of the file,
along with plenty of information about the artifact itself and some shortcuts for looking it up in <em>VirusTotal<\/em> or submitting the file to a standalone, dedicated analysis session.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/UzrjAf_X3QtqS8Cu5S4Hv2RgoiUBiHjkyYwIahMk-9lNpPwuaygRI1rJtj6u19G-kUUPAuP5XRcn3V608-012xKq06joeJ0hSISc4GZTEHMm572cRqAOdUnvlScWc88h_cyV8h-k=s0\" alt=\"\"\/><\/figure>\n\n\n\n<p>We also get an ASCII preview of the file, from which we can retrieve the information about the scheduled task.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2021\/10\/Untitled-5.png\" alt=\"\" class=\"wp-image-1903\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2021\/10\/Untitled-6.png\" alt=\"\" class=\"wp-image-1904\"\/><\/figure>\n\n\n\n<p>Since the task is triggered at logon, we won\u2019t see it executed in the sandbox until the next user logon, which is not actually possible. Luckily, with the interactive capabilities of ANY.RUN, we can rerun the analysis, open the Scheduled Task management console and run the task on demand.<br><\/p>\n\n\n\n<p>Note: it is not possible to do a logoff-logon cycle, since this operation breaks the communication between the guest and the sandbox controller.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Interact with the task safely<\/h1>\n\n\n\n<p>So, let\u2019s run the analysis again and interact with the Scheduled Task.
From the details of the schtasks.exe process, we can see that the task is registered about 37 seconds after the analysis starts.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/TKmgv74NZfppl30XG3rKcW2kOGa5rF6pUe-cWnPM_ZXV1NXDm5smhjCk8LhZPoDFMlrJahL8rLTaalyT727PoS3Hm12XMYeTPUQ8XyKLeWXxyfeprk2N3e33MFTYzKEZSOlHEmPF=s0\" alt=\"\"\/><\/figure>\n\n\n\n<p>So the rerun should allow enough time for the task to be created and for us to open the console and run it; a timeout of 120 seconds could be enough for the purpose, and this is an option we can choose in the submission form.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/c3VJATvIzv8-09H4GagcKSpzg8RIDGpbS8MF_EuIVjY9A6-pVxZo5tPNyzDegajEDRXIc3myG1LazVnxDcoMPTPltH3YncUZDbDVVkBaaoxLpwWRhYL2XW8BOOrZjhB5IStNXSRV=s0\" alt=\"\"\/><\/figure>\n\n\n\n<p>Once the analysis begins, the process monitoring section on the right of the window shows processes as soon as they are created.
Once we see schtasks.exe appear, the Scheduled Task has been created, and we can open the console and run it manually.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2021\/10\/Untitled-2-1024x350.png\" alt=\"\" class=\"wp-image-1902\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/4wYijSMXgLo1DgB3B9j8k2YZmeTg3gQPisGxnIyN6l9mMq3v8lr1MZuVIPIpPgA3v7VTMjD-MBAU5qv55bqbA2p01E0KP13dfKyXOjoNOhTHCnyOc6XjV2x-5mab6AMUoVa0Orup=s0\" alt=\"\"\/><\/figure>\n\n\n\n<p>After the manual execution, we can see that the persisted process runs the very same sample and shows the same behavior as the infecting parent.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/MpACk56tpN6krm9Ylp5fHzxlnljqHS-GsuzBIyoCPs0MkfRYTNsRjjlosqHYLqlg5y9NeAygGnPVMKf0Jxih5136rN2JpC9U0Xqyuqd57hQTSn2RbPaq8nHzU6_gKBSwrQQPtyXa=s0\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/NpuT-1E9RoUtk4sb9MvTmCc-OPu8vHlVGDrPHuW-CTp8wmlvHPtT0UTy62qhJ49tSyXvVilfts19-nDzRLayWJx8D8maZxMdw8PajSoIgrk3sB5MnH-MBucyB-fb_0ZNHqyBklqZ=s0\" alt=\"\"\/><\/figure>\n\n\n\n<p>At this point, we have a broad picture of what to search for in order to identify the spread of this specific malware family across the network under our control, and we can hunt for other clients that have been infected but where, for some reason, detection was bypassed; this can be done by running remote triage sessions on our assets, for example with PowerShell:<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/a1ZrBmlgTZzBEBu2Y3I5ycTZs7MvXUQL3KuXA8_mPolDGs0jX8o37UJX4XvK-9HqxtCaIfundjrbXPFNYEjmmndTuMN7Ys-656JqO6WCqYOFgJD6cm-5tpH1rCwW7eADypBp0jMU=s0\" alt=\"\"\/><\/figure>\n\n\n\n<p>In conclusion, the
features of the ANY.RUN online sandbox and the wide range of intelligence gathered over time from public submissions could help Incident Response teams triage and contain incidents faster, while allowing them to work with dangerous pieces of code in a controlled and traced environment.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Personal Notes:<\/h2>\n\n\n\n<p>Hash: 850c25e23cc582bad58318fb70772023c21b36fcb50966a36b659e7199f4cc70<\/p>\n\n\n\n<p>Sample: <a href=\"https:\/\/app.any.run\/tasks\/1c6adef6-0ac5-456c-b2e3-e8a559562cd3\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">https:\/\/app.any.run\/tasks\/1c6adef6-0ac5-456c-b2e3-e8a559562cd3\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Once a breach appears, your next thought can be to remove all suspicious files and forget about the problem. But it can actually make the situation worse as all valuable information will be gone. And you will definitely need it: to identify where the attack happened and work out a strategy to stop future breaches.
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3750,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,8],"tags":[21,34],"class_list":["post-1888","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","category-malware-analysis","tag-incident-response","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Using a Sandbox for Incident Response - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"The containment strategy of incident response helps to identify where the attack happened and work out a plan to stop future breaches.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Paolo Luise\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/\"},\"author\":{\"name\":\"Paolo Luise\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Using a Sandbox for Incident Response: Containment Strategy\",\"datePublished\":\"2021-10-07T06:59:00+00:00\",\"dateModified\":\"2023-08-17T07:36:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/\"},\"wordCount\":955,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"Incident Response\",\"malware analysis\"],\"articleSection\":[\"Cybersecurity Lifehacks\",\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/\",\"name\":\"Using a Sandbox for Incident Response - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2021-10-07T06:59:00+00:00\",\"dateModified\":\"2023-08-17T07:36:19+00:00\",\"description\":\"The containment strategy of incident response helps to identify where the attack happened and work out a plan to stop future 
breaches.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Using a Sandbox for Incident Response: Containment Strategy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Paolo Luise\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/paolo-luise.png\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/paolo-luise.png\",\"caption\":\"Paolo Luise\"},\"description\":\"My name is Paolo Luise, I live and work in Italy where I'm a proud father and employed as a Cyber Security Engineer. I'm focused on DFIR disciplines and experienced in Incident Response and Cyber Threat Intelligence analysis. I love to learn and join the challenges our job offers us on a daily basis.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/paolo-luise-38760b21\/\"],\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Using a Sandbox for Incident Response - ANY.RUN&#039;s Cybersecurity Blog","description":"The containment strategy of incident response helps to identify where the attack happened and work out a plan to stop future breaches.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/","twitter_misc":{"Written by":"Paolo Luise","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/"},"author":{"name":"Paolo Luise","@id":"https:\/\/any.run\/"},"headline":"Using a Sandbox for Incident Response: Containment Strategy","datePublished":"2021-10-07T06:59:00+00:00","dateModified":"2023-08-17T07:36:19+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/"},"wordCount":955,"commentCount":1,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["Incident Response","malware analysis"],"articleSection":["Cybersecurity Lifehacks","Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/","url":"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/","name":"Using a Sandbox for Incident Response - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2021-10-07T06:59:00+00:00","dateModified":"2023-08-17T07:36:19+00:00","description":"The containment strategy of 
incident response helps to identify where the attack happened and work out a plan to stop future breaches.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/using-sandbox-for-incident-response\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Using a Sandbox for Incident Response: Containment Strategy"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Paolo Luise","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/paolo-luise.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/paolo-luise.png","caption":"Paolo Luise"},"description":"My name is Paolo Luise, I live and work in Italy where I'm a proud father and employed as a Cyber Security Engineer. I'm focused on DFIR disciplines and experienced in Incident Response and Cyber Threat Intelligence analysis. 
I love to learn and join the challenges our job offers us on a daily basis.","sameAs":["https:\/\/www.linkedin.com\/in\/paolo-luise-38760b21\/"],"url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/1888"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=1888"}],"version-history":[{"count":2,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/1888\/revisions"}],"predecessor-version":[{"id":5609,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/1888\/revisions\/5609"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/3750"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=1888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=1888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=1888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}