Antivirus trigger scenario for incident response

Hi,

I am working on validating the incident response (IR) process. And to trigger the process via Antivirus alert (Critical/High), I am looking for an "open source" script (i.e. potentially non-malicious or the one that act as malicious without harming a system by performing various activities since this should be demonstrated on the end-user production system). I have taken sometime to research on the possible ways to trigger the IR process. However, none of the available "open source" solution looks suitable to trigger Antivirus alert (Critical/High).

Specs:
Symantec Endpoint Protection (SEP)
Windows 7 Enterprise Edition

Following can be a good example of what I am looking for. But again it should trigger AV alert (Critical/High) without getting blocked immediately (i.e. instead of known malicious event, it should be something that can be detected but quarantine with Critical/High alert). Potentially, stage of non-malicious activities but it looks malicious to the Antivirus program.
http://blog.didierstevens.com/2015/08/28/test-file-pdf-with-embedded-doc-dropping-eicar/
http://blog.didierstevens.com/2015/09/21/pdf-doc-vbas-videos/ (Can be good?)

Already looked at other resources:
http://www.eicar.org/86-0-Intended-use.html
http://www.wicar.org/test-malware.html
http://www.testmypcsecurity.com/securitytests/all_tests.html
https://www.raymond.cc/blog/test-the-effectiveness-of-your-antivirus-firewall-and-hips-software/
http://www.ikarussecurity.com/support/virus-info/test-viruses/
http://www.surfright.nl/en/downloads/
https://www.sophos.com/en-us/support/knowledgebase/10027.aspx
https://www.zemana.com/Antilogger/LeakTest/KeyLogger
http://www.matousec.com/projects/proactive-security-challenge-64/
http://www.matousec.com/info/articles/introduction-firewall-leak-testing.php
http://www.matousec.com/downloads/windows-personal-firewall-analysis/

Hope to get some positive responses.

Thanks.
rivaltimesAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
malware and exploit pcaps - they are old ones and known signature is available so SEP should alert.
http://contagiodump.blogspot.de/2013/04/collection-of-pcap-files-from-malware.html
Will need to replay the pcap against target machine though so you want to check "pcapteller"
https://www.encripto.no/nb/2015/08/pcapteller-customizing-and-replaying-network-traffic/
I also suggest using of USB drive (autorun type) where you purposedly allow autorun. Probably the best is to use metasploit instead https://samsclass.info/124/proj14/p8-av.htm
asavenerCommented:
Use the EICAR test string using a batch file.

I've attached a couple of sample batch files.
eicar_creator.zip
rivaltimesAuthor Commented:
@btan: Thanks for your suggestions but I am looking for the "non-malicious" script that may look suspicious to AV and trigger an alert (Critical/High) in order to initiate the IR process. If the malicious file signatures (i.e. for malware or exploit PCAPs) are already present within AV engine then it may get blocked immediately at the time of detection and thus no IR process would be initiated.


@asavener: Thanks for the suggestion. Have you tested if the SEP alert is Critical/High? I have tried several known variations with EICAR string as mentioned in my initial post.
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

btanExec ConsultantCommented:
Thinking aloud and hands-on - Maybe can use notepad.exe as the base sample and edit it using resource hacker e.g.
We have found three different types of criteria are most suitable for YARA signature development: strings, resources, and function bytes.

The simplest usage of YARA is to encode strings that appear in malicious files. The usefulness of matching strings, however, is highly dependent on which strings are chosen. For example, selecting strings that represent unique configuration items, or commands for a remote access tool, are likely to be indicative of, and specific to, a particular malware family. Conversely, strings in a malicious file that result from the way the file was created (such as version information stored by the Microsoft MSVC++ compiler) are generally poor candidates for YARA signatures.
https://insights.sei.cmu.edu/sei_blog/2012/11/writing-effective-yara-signatures-to-identify-malware.html

Then if that editing is workable and can still run the exe, the severity level,we can based on SEP criteria which is risk based type driven. Need to identify existing sample that is already under those mentioned level and see if the IoC can be incorporated into the sample, may not be trivial though...
http://www.symantec.com/security_response/severityassessment.jsp
http://www.symantec.com/connect/forums/risk-types
asavenerCommented:
You're wanting to test heuristic and/or behavior-based detection instead of signature-based detection?
Rich RumbleSecurity SamuraiCommented:
Take the teeth out of the viri by renaming them to something you machine won't execute, esp files with NO extension. Go to Malwr.com and download samples from there, VirusTotal too allows you to DL samples from there. Search for "tag:ransomeware" and you'll find something to work with. It's really hard to find HIGH/Extreme alert items on symantec's site at all.
-rich
rivaltimesAuthor Commented:
@btan: Thanks will look into it. Hopefully, something should work out along those lines.

@asavener: Yes, something along that line. So that the alert should be triggered as "High" based on the suspicion.

@richrumble: I can't take risk of using the real-world malware samples. Technically, if you remove the extension from a malware file which doesn't have signatures defined within SEP or any other AV, it will fail the detection in the first place. Assuming that AV should analyze it heuristically instead, it should be able to execute as any other normal executable file. Unless the entry point has been initiated for the execution, AV will never be able to pick it up as "suspicious" file. Additionally, I am looking for the "open source" solution to back the evidence of non-malicious file.
Rich RumbleSecurity SamuraiCommented:
We use SEP with some clients, I dl samples all the time, it picks them up executed or not when it has a definition. Running them doesn't make the virus show up any different, but it does take different actions, like cleaning up registry keys and files/folders, other than that the alert is the same.
If AV didn't trigger based on having the wrong extension or no extension don't you think virus writers would have an even easier time than they do already? :)
SEP won't trigger HIGH on on heuristics or unknown reputation, contact support at Symantec and they will tell you the same. The closest SEP has to "behavior" is it's heuristics and reputation detection. I was using a new GREP (called sift.exe) program and SEP alerted based on not knowing where the file came from, not because it made some system calls that were questionable, that was reputation. If you want SEP to trigger on a non-malicious file heuristically, use one that wipes the temp files, but it has to be a file it's never seen before.

You can do this, use the code snippet here: http://stackoverflow.com/questions/400140/how-do-i-automatically-delete-tempfiles-in-c copy and past that source code here
http://www.tutorialspoint.com/compile_csharp_online.php
(click compile, then click the arrow's that point up/down next to "new project", highlight the main.exe, click File ->download file) and SEP will trigger on that file (when executed) and it's harmless. Or find other code that does the same thing, compile it and SEP will trigger on that.
Yet, you can compile code that copies the LSASS.exe process from memory and SEP let's it right on by, go figure. There are ton's of tools will trigger on that aren't malicious if YOU are using them, you can download most tools from : http://ntsecurity.nu/toolbox/ and trigger SEP.

You can work a mock incident using Eicar, have the SOC pretend it's high, we do this all the time in our table tops. Our organization treats P2P software as high when it's not rated at all by SEP 99% of the time.
If you want a "quick and dirty" solution, use SandBoxIE, execute that main.exe program (you compiled) there and it doesn't actually touch the system files at all, main.exe thinks it did, but it doesn't and SEP will still trigger on it. Use SandBoxIE for any of this to add a layer of security. You can also download reaaaaaalllly old virus's from the old vx-heavens viri, these are too old to work because the holes do not exist in the OS anymore: http://vxheaven.org/.
-rich

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
I also chanced on SANS this sharing of sample which may set another challenge for AV effectiveness as the supposed "clean" file is embedded with exe....this also brings about other means of having legit exe being binded or embedded within the actual obfuscated malice . fyi https://isc.sans.edu/forums/diary/Ransomware+Entropy+Your+Turn/20321/
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.