Transcription
Slide 8: Taken from SANS.

Slide 9: FTK Imager, LiveKD, etc. (memory capture); FTK Imager, EnCase, X-Ways, dd, etc. (disk imaging).

Slide 10: MoonSols. Malware Hash Registry by Team Cymru (http://www.team-cymru.org/Services/MHR/): a DNS query interface for looking up MD5 or SHA-1 hashes of suspected malware. VirusTotal (http://www.virustotal.com/buscaHash.html): online hash lookup; at the time of this talk it had no API or automation like Team Cymru's, but it frequently has hashes for current, newly seen malware. Pay particular attention to .exe and .dll files.

Slide 11: FTK Imager, Mount Image Pro, P2 Explorer, etc. (mounting images).

Slide 12: Mandiant IOC Finder, IOC Editor, Red Curtain, etc.; the YARA project. Some IOC characteristics: the file is packed, the file is located in \windows\system32\, the registry key is "Run" or "RunOnce", etc.

Slide 13: Mandiant Redline; Volatility with the malfind plugin. Rules of thumb: unsigned code found in a high percentage of processes: not good. A file outside its normal directory (system32): bad. A process like dllhost running as admin: bad. A process like iexplore.exe opening cmd.exe: bad.

Slide 14: Malware likes to be persistent; it typically wants to survive a reboot. Investigate scheduled tasks, Windows services and the registry. Tools: FTK, EnCase, Registry Viewer, Registry Decoder, RegRipper, etc.

Slide 16: Packing is one way malware slips past AV. Tools: Mandiant Red Curtain, DensityScout, Sysinternals Sigcheck, PEiD, etc.

Slide 17: "MZ" is for Mark Zbikowski. .dll files have the MZ header; so do other PE files (.exe, .sys, etc.).

Slide 18: Section names UPX0 and UPX1 indicate that UPX was used. They are UPX's default names and can be renamed, so treat them as a strong hint rather than proof; high section entropy is the more robust tell.
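The file checks from slides 10 and 16 to 18 put together as a worked example (added here; not code from the talk or from any of the tools it names): hash a suspect .exe/.dll, build the DNS name a Team Cymru MHR lookup would resolve and parse its TXT answer, then walk the PE header to list the sections with their entropy and flag the UPX0/UPX1 names. The MHR zone name and answer format are assumptions taken from Team Cymru's public documentation, not from the slides; the sample PE is constructed inside the script, so it runs offline and never queries anything.

```python
"""Triage of a suspect .exe/.dll: hashes for a Malware Hash Registry lookup,
plus the PE section table and per-section entropy as packing indicators."""
import hashlib
import math
import struct

# Team Cymru MHR is queried as a TXT record under this zone (assumption: taken
# from Team Cymru's public documentation, not from the slides).
MHR_ZONE = "malware.hash.cymru.com"


def file_hashes(data):
    """MD5 and SHA-1, the two digests the registry accepts."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def mhr_query_name(hexdigest):
    """DNS name to resolve (TXT) for one hash, e.g. with dig or a resolver library."""
    return "%s.%s" % (hexdigest.lower(), MHR_ZONE)


def parse_mhr_txt(txt):
    """Answer format (per the Team Cymru docs): '"<last-seen unix time> <detection
    percent>"'; an unknown hash gets NXDOMAIN instead of an answer."""
    last_seen, pct = txt.strip().strip('"').split()
    return {"last_seen": int(last_seen), "detection_pct": int(pct)}


def entropy(buf):
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data):
    """MZ header -> e_lfanew -> PE signature -> COFF header -> section table.
    Returns [(name, raw_size, entropy)] in file order."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name, raw_size, round(entropy(body), 2)))
    return sections


def packing_indicators(sections, threshold=7.0):
    hints = []
    if any(name.startswith("UPX") for name, _, _ in sections):
        hints.append("UPX0/UPX1 section names (UPX default; can be renamed)")
    for name, size, ent in sections:
        if size and ent > threshold:
            hints.append("entropy %.2f in section %s" % (ent, name))
    return hints


def triage(data):
    sections = pe_sections(data)
    h = file_hashes(data)
    return {"hashes": h, "mhr_query": mhr_query_name(h["md5"]),
            "sections": sections, "packing": packing_indicators(sections)}


def build_sample_pe(names, payloads):
    """Constructed minimal PE image (headers plus raw sections, no code) for the demo."""
    nsect = len(names)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, 0, 0x0102)
    first_raw = e_lfanew + 4 + 20 + 40 * nsect
    table, body = b"", b""
    for name, payload in zip(names, payloads):
        raw_ptr = first_raw + len(body)
        table += (name.encode().ljust(8, b"\0")
                  + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr)
                  + b"\0" * 16)
        body += payload
    return dos + b"PE\0\0" + coff + table + body


# Pseudo-random bytes stand in for a compressed UPX1 section (constructed input).
HIGH_ENTROPY = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                        for i in range(128))
SAMPLE_PE = build_sample_pe(["UPX0", "UPX1", ".rsrc"], [b"", HIGH_ENTROPY, b"A" * 64])

if __name__ == "__main__":
    print(triage(SAMPLE_PE))
```

To look up a real file, resolve the printed mhr_query name as a TXT record (for example dig +short -t txt <name>) and hand the answer to parse_mhr_txt; the lookup discloses the hash to a third party, so check what you are allowed to send before automating it over a whole image.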
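Slides 13 and 14 as detection logic, added here as example code (not Redline, Volatility or RegRipper output): the process-list rules from slide 13 run over a constructed process listing, and the Run/RunOnce keys from a constructed .reg export are checked for executables outside Windows and Program Files or inside a Temp directory. The set of binaries expected only in System32, the browser and shell names, the "administrator" match and the trusted directory prefixes are assumptions, not from the slides.

```python
"""Host triage heuristics from the slides, run over a process listing and a
.reg export of the Run/RunOnce keys. Example code, not Redline/Volatility/RegRipper."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name path user signed")

# Binaries that should only ever run from System32 (assumed list, not from the slides).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe", "dllhost.exe"}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample process listing (not captured from a real host).
SAMPLE_PROCS = [
    Proc(4, 0, "System", "", "SYSTEM", True),
    Proc(500, 4, "smss.exe", r"C:\Windows\System32\smss.exe", "SYSTEM", True),
    Proc(600, 500, "csrss.exe", r"C:\Windows\System32\csrss.exe", "SYSTEM", True),
    Proc(700, 500, "winlogon.exe", r"C:\Windows\System32\winlogon.exe", "SYSTEM", True),
    Proc(800, 700, "explorer.exe", r"C:\Windows\explorer.exe", r"CORP\alice", True),
    Proc(900, 800, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", r"CORP\alice", True),
    Proc(950, 900, "cmd.exe", r"C:\Windows\System32\cmd.exe", r"CORP\alice", True),
    Proc(1000, 800, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", r"CORP\alice", False),
    Proc(1100, 600, "dllhost.exe", r"C:\Windows\System32\dllhost.exe", r"CORP\Administrator", True),
]


def process_findings(procs, unsigned_threshold=0.5):
    """Slide 13 rules: unsigned ratio, system binary from an odd path,
    browser spawning a shell, dllhost as admin, each unsigned image."""
    by_pid = {p.pid: p for p in procs}
    images = [p for p in procs if p.path]
    unsigned = [p for p in images if not p.signed]
    out = []
    if images and len(unsigned) / len(images) > unsigned_threshold:
        out.append(("unsigned-ratio", "%d of %d images unsigned" % (len(unsigned), len(images))))
    for p in procs:
        name = p.name.lower()
        if name in SYSTEM32_ONLY and not p.path.lower().startswith("c:\\windows\\system32\\"):
            out.append(("odd-path", "%s pid %d from %s" % (p.name, p.pid, p.path)))
        parent = by_pid.get(p.ppid)
        if parent and parent.name.lower() in BROWSERS and name in SHELLS:
            out.append(("browser-spawned-shell",
                        "%s pid %d -> %s pid %d" % (parent.name, parent.pid, p.name, p.pid)))
        if name == "dllhost.exe" and p.user.split("\\")[-1].lower() == "administrator":
            out.append(("dllhost-as-admin", "dllhost.exe pid %d as %s" % (p.pid, p.user)))
        if p.path and not p.signed:
            out.append(("unsigned", "%s pid %d unsigned" % (p.name, p.pid)))
    return out


# Constructed .reg export of the Run/RunOnce keys (values invented for the demo).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe\" -silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\Temp\\a.vbs"
'''


def reg_unescape(s):
    """.reg files double backslashes and escape quotes; undo both."""
    return re.sub(r"\\(.)", r"\1", s)


def run_key_entries(reg_text):
    """(key, value name, command) for every value under a Run or RunOnce key."""
    key, out = None, []
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and key and key.lower().endswith(("\\run", "\\runonce")):
            out.append((key, m.group(1), reg_unescape(m.group(2))))
    return out


def command_image(cmd):
    """Executable path out of a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def persistence_findings(reg_text):
    """(value name, image, key) for autoruns outside trusted dirs or in a Temp dir."""
    out = []
    for key, name, cmd in run_key_entries(reg_text):
        image = command_image(cmd).lower()
        if not image.startswith(TRUSTED_DIRS) or "\\temp\\" in image:
            out.append((name, image, key))
    return out


if __name__ == "__main__":
    for f in process_findings(SAMPLE_PROCS) + persistence_findings(SAMPLE_REG):
        print(f)
```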
Slide 20: Mandiant Red Curtain.

Slide 21: PEiD.

Slide 22: Scheduled tasks: c:\windows\tasks\SchedLgU.txt. Logon events: 529 failed logon, 528 successful logon, etc. Account events: 680/4776 successful or failed account authentication; 675/4771 Kerberos pre-authentication failed (a failed logon). Where two IDs are given, the first is the Windows XP/2003 event ID and the second its Vista/2008-and-later equivalent.

Slide 23: Rogue account activity: 680/4776 account successfully authenticated, with a 540/4624 successful network logon immediately following. Suspicious service events: 7034 service terminated unexpectedly, 7035 service sent a start/stop control, 7036 service started or stopped, 7040 service start type changed (boot/on request/disabled). Log clearing: 517 audit log cleared (1102 on Vista and later). Tools: Log Parser, Event Log Explorer, Log Parser Lizard.

Slides 24 to 27: log2timeline.
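The event IDs from slides 22 and 23 turned into triage queries, as an added example (not Log Parser or Event Log Explorer): a constructed Log Parser-style CSV export is scanned for failed-logon bursts (529/4625), the "rogue" pair of a 680/4776 success followed within seconds by a 540/4624 network logon, the 7034/7035/7036/7040 service events and 517/1102 log clearing. The thresholds (five failures in two minutes, a five-second pairing window) and the CSV column names are assumptions to tune per environment.

```python
"""Event-log triage for the IDs on the slides (XP/2003 ID and Vista+ equivalent):
failed logons 529/4625, account authentication 680/4776, network logon 540/4624,
service events 7034/7035/7036/7040 and audit-log clearing 517/1102.
Example code, not Log Parser or Event Log Explorer."""
import csv
import io
from datetime import datetime, timedelta

FAILED = {529, 4625}
AUTH = {680, 4776}
NET_LOGON = {540, 4624}
LOG_CLEARED = {517, 1102}
SERVICE = {7034: "service terminated unexpectedly",
           7035: "service sent a start/stop control",
           7036: "service started or stopped",
           7040: "service start type changed"}

# Constructed Log Parser-style export; every row is invented for the demo.
SAMPLE_CSV = """TimeGenerated,EventID,Account,LogonType,Status,Source
2011-05-01 02:00:00,4625,bob,3,0xC000006A,10.0.0.7
2011-05-01 02:00:03,4625,bob,3,0xC000006A,10.0.0.7
2011-05-01 02:00:06,4625,bob,3,0xC000006A,10.0.0.7
2011-05-01 02:00:09,4625,bob,3,0xC000006A,10.0.0.7
2011-05-01 02:00:12,4625,bob,3,0xC000006A,10.0.0.7
2011-05-01 02:00:20,4776,bob,,0x0,10.0.0.7
2011-05-01 02:00:21,4624,bob,3,,10.0.0.7
2011-05-01 02:01:00,7036,,,,
2011-05-01 02:01:05,7040,,,,
2011-05-01 02:30:00,1102,bob,,,10.0.0.7
2011-05-01 08:00:00,4776,alice,,0x0,10.0.0.22
2011-05-01 08:00:09,4624,alice,3,,10.0.0.22
"""


def parse_events(text):
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["TimeGenerated"], "%Y-%m-%d %H:%M:%S"),
            "id": int(row["EventID"]),
            "account": row["Account"],
            "type": int(row["LogonType"]) if row["LogonType"] else None,
            "status": row["Status"],
            "src": row["Source"],
        })
    return sorted(events, key=lambda e: e["time"])


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """(account, source, count) when >= threshold failures fall inside one window."""
    times = {}
    for e in events:
        if e["id"] in FAILED:
            times.setdefault((e["account"], e["src"]), []).append(e["time"])
    out = []
    for (account, src), ts in times.items():
        j = 0
        for i, t in enumerate(ts):              # sliding window over sorted times
            while j < len(ts) and ts[j] - t <= window:
                j += 1
            if j - i >= threshold:
                out.append((account, src, j - i))
                break
    return out


def auth_then_network_logon(events, window=timedelta(seconds=5)):
    """Slide 23's pair: 680/4776 success followed right away by 540/4624 (type 3)."""
    pairs = []
    for i, e in enumerate(events):
        if e["id"] not in AUTH or e["status"] not in ("", "0x0"):
            continue
        for f in events[i + 1:]:
            if f["time"] - e["time"] > window:
                break
            if f["id"] in NET_LOGON and f["account"] == e["account"] and f["type"] in (3, None):
                pairs.append((e["account"], e["src"], e["time"], f["time"]))
                break
    return pairs


def service_and_clear_events(events):
    out = []
    for e in events:
        if e["id"] in SERVICE:
            out.append((e["time"], e["id"], SERVICE[e["id"]]))
        elif e["id"] in LOG_CLEARED:
            out.append((e["time"], e["id"], "audit log cleared"))
    return out


def rogue_accounts(events):
    """Accounts with a failed-logon burst and then the success/network-logon pair;
    the pair on its own is what every normal network logon looks like."""
    burst = {a for a, _, _ in failed_logon_bursts(events)}
    paired = {a for a, _, _, _ in auth_then_network_logon(events)}
    return burst & paired


EVENTS = parse_events(SAMPLE_CSV)

if __name__ == "__main__":
    print(failed_logon_bursts(EVENTS), auth_then_network_logon(EVENTS))
    print(service_and_clear_events(EVENTS), rogue_accounts(EVENTS))
```

The 4776/4624 pair alone matches every normal network logon, which is why rogue_accounts only reports accounts that also had a failed-logon burst first; on a real case the CSV would be Log Parser output from the .evt/.evtx files, and the windows and thresholds need adjusting to the environment's normal noise.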