Grey Box Testing: How I Passed the GIAC GREM Exam Without Taking the Course

Elias Augusto
Cross posted from my Medium under @eaugusto

I want to preface this article by saying that if you’re like me, new to malware analysis and on a budget, studying without access to course materials may not be the best option for you. The best way to pursue the SANS GREM certification without a source of funding for the course is to apply for the SANS Work Study program for the FOR610 course. In exchange for assisting the course instructor, you will be allowed to evaluate the course and attempt the certification exam. You will also be provided copies of the books and course materials, which cannot be acquired any other way due to SANS policy on sharing of course materials. The total cost of this program is actually lower than what I paid out of pocket for just the exam.

https://www.sans.org/work-study/

To participate in the Work Study program, however, your application must be accepted, and you must be able to attend a SANS conference for 6 days. I did not pursue this option because the SANS conferences in my area conflicted with other important items on my schedule. I also did not think it appropriate to ask my employer to cover the cost of the course, as it was not directly related to my project role. For these reasons, SANS training was out of the question.

Now that I’ve established why I did what I did, let’s get into the “how”.

What I Needed to learn

Straight from the SANS website, for the GREM I needed:

  • Windows assembly concepts for reverse engineering — What you do in IDA Pro, why you need assembly and C knowledge
  • Common characteristics of Windows Malware — API functions, threads, structures
  • In-depth analysis of malicious and protected executables — What you do in IDA Pro after some practice
  • Malicious document analysis — Attackers put scripts in files
  • Malicious web browser script analysis —Attackers put scripts on the internet, command and control traffic flows over the wire
  • Memory forensics — Volatility

The Importance of Assembly Language and C

Before I get into the different resources I used to prepare to the exam, I want to note that it’s vital to have at least a shaky grasp on x86 assembly. You really can’t reverse engineer a portable executable or shellcode without it. This really isn’t as bad as it seems, assembly at it’s core is just arithmetic that makes computers do things. All you need to know to begin learning binary reverse engineering is the x86 registers, variable types (word, dword, int, char, etc.), stack basics, and some program flow instructions. Here’s a resource I found helpful for learning the basics:

https://www.tutorialspoint.com/assembly_programming/

A working knowledge of C is important, but you’ll know most of what you need if you know how to program in a C like language such as Java. The only new concepts you’ll need for malware reverse engineering are pointers, memory allocation, and the heap. I learned what I needed through these two resources:

https://www.tutorialspoint.com/cprogramming/index.htm

Reverse Engineering “Reverse Engineering”

I decided to title this article “Grey Box Testing” because looking back, I realized that that was basically what I did to study for this exam. As someone who was new to malware analysis, I knew little of what to expect. Throughout my preparation for the exam, I referred to these sources of information:

I’ll break these items down into sections to show what I learned from each source.

Book Recommendations

Picking useful books is very important to GREM success, as you’re allowed to take an armful of them into GIAC exams as references. Most GREM certification holders will gladly share a list of the (non-SANS) books that they used to prepare with people wondering where to start studying for the exam. My first step was looking at the recommended reading lists of as many GREM alumni I could find. The books I found most consistently recommended were:

  • “Practical Malware Analysis”— A fantastic guide to behavioral analysis, reverse engineering, and defeating anti-analysis. This book is non-negotiable, you won’t find a source that doesn’t recommend it. In addition to the information, it comes with very helpful labs to reinforce your knowledge.
  • “The Malware Analyst’s Cookbook” — A guide to a large variety of malware analysis tools. The labs and scripts are very outdated, but the tool overviews were very useful. I used the sections on memory forensics, browser script malware, and malicious document analysis to prepare for my exam.
  • “The Art of Memory Forensics” — It’s helpful to have this not necessarily as a primary resource, but as a supplementary resource to the “Malware Analyt’s Cookbook” section on memory forensics. Many of the Volatility plugins you’ll need aren’t covered in much detail, and information from the MAC should be cross-referenced with information from this book. This book also covers a lot of windows internals that are useful for the exam.
  • “Windows Internals 6 or 7” — I personally think that these books are overkill. If you’re familiar with Windows from a security standpoint, the prior books are all you need to understand Windows Internals. I would never recommend taking these books with you into the exam or even indexing it. All relevant information is already in the “Art of Memory Forensics” or on the MSDN website.
  • “The IDA Pro Book” — I don’t think anybody will tell you to take this book into the exam, but whether or not you utilize it at all is really a question of how you learn tools. I learned IDA Pro using PMA and some fiddling in my free time, so I didn’t end up needing it. If you learn tools best by reading long books with few images or illustrations, this is the perfect book for you.

The SANS FOR610 Syllabus

This one is pretty simple. The SANS GREM exam is the exam associated with the SANS FOR610 course, so it’s safe to assume that what you learn in the course is what you will apply on the exam. While I didn’t have access to the course, I did have access to the syllabus on the SANS website, an overview of both the topics and tools that the course covered. The FOR610 syllabus was more useful for tools than topics, though this is not true of all SANS DFIR courses. Some seem to list few tools but have a breakdown of every topic. I think it depends on how technical vs. theory based a course is.

The list of tools on the syllabus may not be comprehensive, but it’s the only list you’ll get. Familiarize yourself with every tool on the list, what they look like, how they work, and what they do. I usually start at a tool’s github page and go from there. “The Malware Analyst’s Cookbook” and Lenny Zeltser’s website both have great tool references.

Want to narrow down what you need to know for the exam? If a topic seems a bit broad or a tool too important for the syllabus not to mention, it’s probably not in the course or on the exam.

Lenny Zeltser’s Infosec Cheat Sheets

Lenny Zeltser, one of the SANS FOR610 instructors who helped write both the course and the exam, publishes cheat sheets for topics like reverse engineering malicious code and analyzing malicious documents. These just happen to be some of the same topics referenced in both the FOR610 syllabus and on the GREM webpage. It may be a good idea to study and take notes on the contents of these cheat sheets.

A cheat sheet that may really help you with the “Practical Malware Analysis” labs and x86 assembly calling conventions:

Next Steps: Labs, Special Topics, and Proper Indexing

I recommend following along with the labs in “Practical Malware Analysis” and the memory forensics section of “The Malware Analyst’s Cookbook” as you read through these books. Do a lab a night, a lab every two nights, whatever works best for you. Practice time is flexible, but practice is not optional. Practice is the best way to reinforce understanding of the material, especially when you’re dealing with a lot of tools. The best way to learn tools is to use them. For malicious document forensics, it may be useful to take some Didier Stevens online workshops, as he wrote many of the tools mentioned in the FOR610 syllabus under this section.

http://didierstevenslabs.com/products.html

Between doing all of the labs and indexing, I needed to take a brain break. I decided to pursue a topic that would help me with the exam, but would also take me away from exhausting exam preparation: basic exploit and shellcode writing. I came back refreshed and more motivated than ever after three weeks on this preparation vacation. I recommend finding a fun topic that touches assembly and reverse engineering to learn if you’re feeling exhausted or demotivated.

After you’ve gone over all of the books you’ll be using, done some labs, and taken a brain break, it’s time to prepare for your first practice exam. A lot of people recommend not using an index for your practice exam, but I think that creating an index before attempting a practice exam is essential. Partially because practice exams can be used to tell you where the holes in your index lie, partially because indexing is the best way to review all of the information you learned over what may have been months of studying.

What is an Index?

Along with your reference books, you’re allowed to take notes into the practice exam. Traditionally, most people take an index of all of the books they’ve read into the exam. Indexes are usually created as spreadsheets with filtered columns. I recommend color coding your index. An index should include all important topics, page numbers for each topic, and notes for each topic. My index also included the FOR610 domain I assumed every topic belonged to. In my notes, I highlighted important things such as Windows API functions, structures, and Volatility plugins. Page numbers should also be tabbed in the books you’ll be bringing into the exam. I color coded my tabs to match the index, which was a big help when I needed to look something up fast.

An example index entry. Note that this topic is not necessarily exam related, and was picked at random from “Practical Malware Analysis” for demonstration purposes.

With this exam there will be a lot of topics covered in online resources but none of your books. I like to add notes on these topics to the index with a blank page number. It’s tidier than creating a separate notes sheets for each topic not located in a book.

Note that your index will probably be very different than mine, as you will find a style that suits you best. Never use another person’s index, as this is both a violation of the SANS guidelines and useless as a study aid because it was not made by you. For this same reason, it is usually recommended that those who took the course and have SANS books that include premade indexes create their own instead of using these indexes. Never copy any information into the index directly from a website or word for word from a book. You can do this in a separate notes sheet if you want, but not in your index. This is not a rules violation, just a good rule of thumb. Everything in your index should be in your own words, by your own hand. The act of creating the index is vital to exam preparation.

Any index you create before the first practice exam is going to have holes, especially if you didn’t take the course. Don’t be afraid of going into your first practice exam with a 20 or 30 page index. I came in with a 25 page index, but my index the night before the real exam was over 40 pages long.

Practice Exams

Before I start: ONLY purchase OFFICIAL practice exam attempts from the GIAC website, http://www.giac.org. NEVER use any other source for practice exams. This is prohibited under the GIAC exam guidelines and considered cheating. These unofficial practice exams use stolen, outdated exam questions and are not to be considered a study resource. Purchase official practice exam attempts here:

https://www.giac.org/exams/preparation#practice

Now that that’s out of the way, I recommend that you take a practice exam before purchasing the test. The test comes with two practice exams, but by the time you’re there you’ve spent $2,000 and have no idea whether you’re ready for the exam. Your first practice exam is a great way to find out how far away you are from being able to purchase the exam. If you pass it, I recommend purchasing the exam as soon as possible. If not, it will tell you the areas that you are weak in so that you can focus on these before purchasing the exam.

The first and subsequent practice tests are also a great way to fill in holes in your index. As I mentioned earlier, the FOR610 syllabus is not comprehensive, and practice exams are the only way to find tools and topics that you need to study more. Avoid just writing what you remember about the answers into your index. This is a great way to pass future practice tests, as they all share a question bank. It is also a great way to fail the real exam. This is also why I do not recommend taking more than three practice exams, diminishing returns will give you a false sense of security. Instead, use what you got wrong as a jumping off point for further research. Practice tests are also a great way to figure out how well you need to know each topic.

Practice exams will also get you familiar with how the GIAC exams work. I was new to GIAC and familiar with CompTIA, so I was not prepared for the idea that many questions would have many correct answers and one “good” answer. I also had to learn when to “skip” questions. You have a limited number of questions that you can skip and come back to later, and if you answer a question and submit it you will not be able to return to it. Reading the questions very carefully seems like a cliche, but it was a legitimate skill that I had to develop to prepare for the exam. I really do appreciate that with GIAC, there’s no substitute at any stage for study, practice, and applied effort.

Before scheduling the real exam, know that the practice exam is easier than the real exam, so you should be getting a score of 5–10 points higher than you need to. This actually varies between the different GIAC exams. I’ve seen many who took other SANS DFIR exams say that their practice exams were harder than their exam.

The GIAC Exam “Application”

When you’re purchasing your GREM exam, you will have to fill out an application and wait two days for approval before you can schedule or access your free practice exams. I don’t think anyone’s really gone into what to put on this, but I wouldn’t stress about it. I doubt they put too much weight into what your qualifications are, but they probably care about how you studied and what you’re bringing into the exam. When you’re filling out the application, be honest. Don’t be afraid to mention non-SANS certifications you already have, courses you’ve taken with them or others, your current position, the books you used to prepare for the exam, and what your index is based off of. You’ll probably be approved within a day or so.

Exam Regrets

My biggest regret is probably putting everything related to network-related behavioral analysis and script based malware till the last second. I was unprepared for this section, and though I passed the exam with an 81.3%, my score in these sections would have been much higher if I had done more practice instead of just reading related to this topic. I put too much emphasis on executable analysis even after figuring out that this was my weakest area. My recommendation is to focus on the weakest areas that you see in your practice tests before anything else.

My Next Steps

Memory forensics, network-related behavioral analysis, and kernel mode debugging are three things that I would like to learn more about. I decided to hit all of these in one go by analyzing rootkits. I’ll be posting an article soon on how to set up a lab to analyze Win32 rootkits, and another one where I analyze a kernel mode rootkit sample (probably Cutwail, subject to change) using behavioral analysis tools, network tools like INetSim, the kernel mode debugger WinDBG, and Volatility plugins for rootkit memory forensics.

I should also probably analyze some more document based javascript and VB macro samples to ensure that my understanding of the techniques used to analyze these types of malware is solid.

32 Bit Windows Kernel Mode Rootkit Lab Setup with INetSim

Elias Augusto
Cross posted from Medium under @eaugusto

Preface

I decided to make this article after struggling to set up simulated networking on my own malware analysis lab due to outdated guides. I realized that an updated guide may help some people. This guide is also related to an upcoming series where I demonstrate static analysis, dynamic analysis, and memory analysis of kernel mode rootkits.

This guide requires:

  • VirtualBox on a Windows host (7, 8.1, 10, the host is not relevant to this guide)
  • A REMnux Virtual Machine (found here)
  • A Windows 7 Professional 32 bit iso image, pre-Service Pack 1 (you need to acquire this yourself)

This guide covers the following topics:

  • Creating a Windows 7 x86 VM and installing Flare VM
  • Preparing a Windows 7 VM for kernel mode debugging, skip if not interested in rootkit analysis
  • Configuring INetSim and Burp Suite on a REMnux virtual machine
  • Configuring the Windows victim to redirect traffic to INetSim and Burp Suite

This guide does not cover the memory dumping, anti-anti-debugging, or import reconstruction software that I will be using in future tutorials. I will not be covering importing the REMnux virtual machine into VirtualBox, as I trust you can figure that out. This guide assumes you already have WinDBG installed. If you need to set up WinDBG on a Windows 10 host, please see my previous guide. Please note that I set up the pipe on the Virtual Machine instead of in WinDBG for reasons I outline in the linked guide. Some of what is covered there is covered here in terms of guest setup.

I will not be covering the installation of the VirtualBox Guest CD on the victim because it is not recommended. I do it anyway because I’m willing to put up with a lot of patching to avoid that tiny screen.

Windows 7 Victim Setup

As I mentioned previously, it is very important that your Windows 7 ISO is both pre-SP1 and 32 bit. 32 bit malware runs differently on 64 bit systems.

When creating a Windows virtual machine, there are a few considerations.

First of all, you need to give it enough ram to run properly. I like to give mine around 3GB.

You’ll want to create a virtual hard disk with 45–50GB of RAM, as you will be installing Flare VM, a large malware analysis toolset.

After this, you can select your Windows 7 ISO and install your VM. Note that it must have access to the internet for the first part of this guide.

Once you have this installed, there are a few things you’ll want to do to prepare your system for Flare VM.

Flare VM needs to reboot the VM periodically during installation, so you need to turn off login procedures. Type “netplwiz” into run to bring up the user menu.

Deselect the box that says, “Users must enter a user name and password to use this computer,” ensuring that you type in the correct password. Windows will give you no indication that it is wrong, you’ll just get an error at the next login.

Now it’s time to put Windows in a vulnerable state. You must disable Windows Defender.

Disable the firewall.

And disable checking for updates.

Now it’s time to install Flare VM. To download the install script, you must first activate https support Internet Explorer. This is done under “Internet Options > Advanced > Security”. Just enable SSL and TLS setting.

Downloading from github is difficult with older versions of internet explorer, but copying raw files to the system is still viable. Flare VM will install Google Chrome, but for now you must access the raw ps1 file through this link:

https://raw.githubusercontent.com/fireeye/flare-vm/master/install.ps1

Copy the entire script to Notepad and save it as “install.ps1” in your Documents folder.

After this, you must open Powershell as an administrator and move to the Documents folder. To disable the restrictions on Powershell scripts, type “Set-ExecutionPolicy Unrestricted”.

You can then install Flare VM with “.\install.ps1”. This will take several hours, and requires a restart after completion.

Preparing Windows for Kernel Debugging

There are three things you need to do to prepare Windows 7 for kernel debugging and kernel mode rootkits: Dropping driver protections, enabling debug mode, and creating a pipe for your host to connect to with WinDBG.

Windows 7 protects against unsigned drivers, which is no good unless you’re looking at advanced kernel mode rootkits that can bypass this protection. Fortunately, you can turn off this feature by running the command “bcdedit /set nointegritychecks on” in an admin command prompt.

You can enable debug mode with the following commands:

bcdedit /debug on

bcdedit /dbgsettings serial debugport:1 baudrate:115200

After this, you must shut down your virtual machine.

Note: I do not cover disabling trusted installer here, because if you’re dealing with old school kernel mode rootkits that attempt to overwrite protected drivers, your best bet is probably analyzing the user-mode portion to determine what drivers it will attempt to overwrite and removing trusted installer protections from those specific drivers ahead of time. I’ll have to do this when I analyze Cutwail in a later tutorial

Before you turn it back on, go into settings, into “Serial Ports”, and create a custom “Host Pipe” on COM1, make sure it isn’t connecting to an existing socket, and put in your own socket, “\\.\pipe\MalDBG”.

Now you have a pipe that you can access from the host for debugging purposes. Restart your Windows VM, shut it down again, and take a snapshot. It is time to configure networking on the REMnux VM.

Configuring REMnux for Traffic Analysis

Before you even start up the VM, you need to switch the network interface over to “Internal Network” and come up with a name for your internal network. You’ll be using the same one later in the victim network setup.

The reason you’re using INetSim is because all required software is pre-installed and there is no need for network access. This is also true of Kali Linux circa 2019 if you want to use a Kali VirtualBox image.

Start up the virtual machine and type “sudo nano /etc/network/interfaces” to configure the internal network to use a static IP. Copy what I have here into the config file.

Note: The interface name changes every few years with new VirtualBox versions, it used to be “ens0cap” or something. Either way, it’s eth0 now, but just go with whatever primary interface you see. After you do this, save the file and type “sudo ifdown eth0 and sudo ifup eth0”.

Run an “ifconfig” and ensure your IP and netmask match the ones on the screen.

If they match, open up the INetSim config with “sudo nano /etc/inetsim/inetsim.conf”. I actually do it with gedit because searching is easier, but if you want to use nano that’s fine.

In the “start service” section, uncomment dns, http, and https.

Now set the service bind address to “0.0.0.0”.

Set the dns default IP to the one from before.

Set the https bind port to “8443” instead of the https port 443, because you’ll need to intercept the traffic using Burp Suite and redirect it back to INetSim.

And set the http bind port to 880 for the same reason.

Save, exit, and restart INetSim with “sudo /etc/init.d/inetsim restart”.

Now that you’ve set up INetSim, it’s time to set up Burp Suite. You can launch it with the “burpsuite” command.

Once you’re in burpsuite, you’ll need to configure the proxy to view traffic on two new ports. This can be done by going to the “Proxy > Options” tab.

You should see one pre-existing listener on port 8080. Don’t mess with that, you’ll need it to download the SSL certificate for the victim machine.

To add the https port to the listener, click the “Add” button, bind to port 443, and select “All interfaces”.

Next, go to request handling, redirect to localhost:8443 (your INetSim https interface), and select “Support invisible proxying”.

Repeat this process for http on port 80, redirect to localhost:880.

Now you’ll need to export your certificate for transfer to the victim. Go to “localhost:8080” in the browser and click “CA Certificate” to download the certificate.

Note: Sometimes the Windows 7 VM is finicky about the type of USB drives it accepts. You may have to import the certificate file as an ISO.

You are now finished setting up your REMnux VM. Take a live snapshot and leave the VM open for the victim networking setup.

Networking the Windows 7 Victim

Your Windows 7 VM should be shut down. Before you power it up again, you’ll need to set it to use the same internal network as the REMnux VM.

When you power on the Windows 7 VM, navigate to the “Network and Sharing Center”, right click on “Local Area Connection”, and select “Properties”. In the dialogue box that pops up, disable IPv6. Then select “Internet Protocol Version 4” and click “Properties”.

Then set the IP, netmask, and DNS server to the following settings.

Select “Validate settings upon exit” before exiting. This will check if your Windows VM connects to INetSim. Then apply the changes and exit network setup. Ensure that the troubleshooter indicates you are networked to the REMnux VM before continuing.

Note: If your network connection succeeds but the troubleshooter indicates a DNS connection error, run a netstat in your REMnux system and ensure that DNS is up and listening on the correct port. This is a common cause of error, as DNS is off by default in the INetSim settings.

You can now check and make sure that http is working by putting any “http://” URL into Internet Explorer. You should see the INetSim notice.

Before you can check https, you’ll need to import the Burp root certificate into the “Trusted Root Certificate Authorities” folder by double clicking on downloaded certificate on the Windows 7 VM and walking through the certificate installer.

At this point, you should be able to run the same test you ran on https to check if the certificate has been correctly installed. Ensure that you do not get a certificate error when you attempt to access your test site.

Note: Certificate errors usually mean that you didn’t install the burp certificate in the correct store. Run the installer again and check if your certificate is trusted.

If you’ve done everything right, you should have a rootkit analysis lab with internal networking. Take snapshots of every virtual machine and shut them down, restoring to the snapshots. Good luck!