Automating Security Investigations – Torrent Investigation

Across the company, you will find several users using BitTorrent, uTorrent or other P2P clients and downloading copyright materials which is a huge risk to the company. Other than this it also brings a lot of other risks like downloading trojans, bots, malware which could cause data leaks. Although, in several organizations this is categorized as policy violation, users ignore such policies and continue to download them. In a previous Security Investigation Series – Episode 1, the details about investigating such incidents have been clearly documented. I have decided to take this to the next level. During my routine investigations I have identified several tasks done by an Operator that beg to be automated. This is where I decided to build a custom script to do this. If the routine tasks are automated, the Operations Analyst can concentrate on other Complex Analysis and Tasks. Before beginning on a script for automation, we need to ensure that all the details required are collected. For Torrent Investigation related cases, let us see what is required:

  • An Alert in the SIEM tool indicating the presence of Torrent Traffic in Network
  • Verify if the Alert is genuine or False positive. Verification typically involves checking the user machine.
  • Once verified, required artifacts need to be collected for further analysis. Further analysis is required to validate whether the machine is compromised because of Torrent use. This is vital because several attackers use Torrent Software to serve as Entry points into the Victim machine and from there on plan their subsequent attacks.
  • If the machine is compromised, trigger a forensic process
  • If the machine is not compromised, trigger a remediation process
  • The process trigger can either be a Ticket Created Automatically or an Email/Report/Alert.
  • Any other custom actions as per the Enterprise specificity

Now that we have the tasks to be automated, let us start on working what the Script/Tool input and output will be.

Input for the Script/Tool:

  • The IP Address of the machine suspected for torrent behavior. This can actually be a list of IP addresses so that it saves time. Gather of IP addresses can be done in SIEM using Active Lists (ArcSight), Lookup Tables (Symantec SSIM), Query Tables (SIEM Solutions) etc that track only the IP address of the Client Machine doing Torrent.
  • Additional Port, Protocol Information, Destination IP etc will also help to gather detailed information.
  • Credentials to Connect to the machine. Typically, Security Teams have administrator level access or some privileged level of access to perform security investigations in the Enterprise

Output for the Script/Tool: This tool can be made to collect different types of artifacts to ascertain that the IP in question is violating policy. These artifacts can be any or more of the following:

  • NETSTAT information to the pertaining destination ip and port numbers. Based on this information it is easy to identify the service, the PID etc for the connection itself.
  • Task list information based on the PID to find out the service name. This data along with NETSTAT will exactly point out the Torrent program being used by the Client machine.
  • The tool also can perform inventory of the entire hard drive to retrieve a list of saved torrents filenames along with the attributes.
  • The tool can then zip all the data collected and place it in a shared folder or server location.
  • Additionally, the tool can also be made to take an “ACTION” once the investigation is complete. The ACTION can be any one of these
    1. Just a user email sent to warn the user of the policy violation and remediation steps.
    2. Create a Support Ticket in a Ticketing system so that the respective Security Operations team can take appropriate action on the case
    3. Trigger a remediation on the machine automatically. I know this is the most intrusive but “Hey, it’s an option too right??”
  • Some intelligence can also be added into the tool. For example, the tool can store the IP it processed in its own small DB to make sure, it dosent contact that IP again for a limited period (say like 3 days, depending on how strict you want the remediation process to kick in). This way the noise generated due to repeated IPs will not be there.

How the Tool is constructed? – The tool can be constructed in any Programming language. Typically, based on the in-house skill set, the language can be chosen so that the support and update of the codes become easier. As mentioned earlier, based on the requirements our function definitions would be formed. Below, I would like to show samples of how this tool can be written in C#. I will be using some Remote Command Execution tools like PSTools, XCMD etc to be the backend jobs.

  • The most important part of the Tool is the “Data Collection” part. In my code, I call this the “Worker Function”. This worker function is the one that collects all the artifacts from the remote IP address. Threading is enabled so that multiple IP addresses can be tackled in a single go. Multiple IP input can be through a Static IP list or a Dynamic IP List populated natively by a SIEM or custom population using scripts of Web API.
  • The below screen shot shows the variable declarations required for the Worker Function.
  • Before running the worker function, we need to check if we already processed the given IP address. As mentioned earlier, this is important to reduce the noise:
  • If the IP is not available, we will go ahead and Retrieve the remote host-name, logged-in username and the logged-in domain name.
  • With the above details, We can now cross-verify to make sure that not just the given IP address was already processed, but also the user logged into that IP is also not processed. Since your environment might be with dynamic address, it is possible that a user could be in different IP addresses at different times. So cross-verification is always best to make sure, we don’t dig the same hole.
  • Once we know the given IP is new, start to collect the required artifacts. Here we are collecting:
    1. Tasklist – to get the torrent name & path along with PID. In C# I execute the function:
    2. Netstat – get all the active connections/ports open/communication protocol used. This will be done by Executing a local shell command like the following:
      xcmd \\{IP} “netstat -anob”
    3. Registry Entries – firewall registry entries/winlogon & Run registry entries, etc can also be collected by Executing a local shell command like the following:
      reg query “\\{ip}\HKLM\System\\ControlSet001\\Services\\SharedAccess\ Parameters\
    4. Torrent files – Collect all the torrent files names in the hard drive (forensic purposes)
    5. Define Actions – Once done, we can make the tool do a lot of ACTIONS as discussed earlier in the post.

Hope this post helps the SOC analysts, Operators and Managers in automating SOC tasks and processes that are routine and time consuming. I have seen over the years that Automation can greatly help in a high volume Security Investigations environment so that more valuable time can be spent on Qualitative Threat Detection.

Save as PDF

One thought on “Automating Security Investigations – Torrent Investigation”

  1. Glad to see that people are starting to automate the mundane portions of IR collection and triage. What is described above is precisely why we built Carbon Black ( Carbon Black is a host-based sensor that records 5 things *as they’re occurring* versus after the fact so you can be certain that you didn’t miss a network connection, registry write, file modification, dropper malware, etc. The five things (all of which are referenced above) are: a record of file modifications (1), registry modifications (2), network connections (3), and execution (4) as well as a copy the binary that backs the execution (5). We also retain the relationship among all events. Thus, with a single record, you can get to all related events and not have to scour through the entire hard drive and guess which files are related to your current investigation.

    We also have an API for the incoming and historical data so you can trigger on events as they come in, just as the author (and so many IR professionals) desires.

    What a great article. Here’s to hoping we all get better at automating IR!

Leave a Reply to Michael Viscuso Cancel reply