Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DFIR with Sysinternals
Search
dvirus
August 16, 2017
Technology
0
380
DFIR with Sysinternals
Basic malware analysis with sysinternals suite
dvirus
August 16, 2017
Tweet
Share
More Decks by dvirus
See All by dvirus
Taller Análisis Básico de Malware
dvirus
0
170
Captura y Análisis de paquetes de Red
dvirus
0
1.9k
Guía TCPDump
dvirus
0
100
Netcat
dvirus
0
76
Introducción al Análisis Forense Digital
dvirus
1
610
Taller Suricata IDS | Habemus Hacking
dvirus
0
490
SecZone 2012 - Introducing VUSF - VoIP & Unified Communications Security Framework
dvirus
1
86
Iniciativas y Comunidades para la educación en Internet
dvirus
0
52
VoIP Malware
dvirus
0
120
Other Decks in Technology
See All in Technology
First-Principles-of-Scrum
hiranabe
3
1.4k
「リリースファースト」の実感を届けるには 〜停滞するチームに変化を起こすアプローチ〜 #RSGT2026
kintotechdev
0
600
製造業から学んだ「本質を守り現場に合わせるアジャイル実践」
kamitokusari
0
350
自己管理型チームと個人のセルフマネジメント 〜モチベーション編〜
kakehashi
PRO
5
2k
Everything As Code
yosuke_ai
0
490
Oracle Cloud Infrastructure:2025年12月度サービス・アップデート
oracle4engineer
PRO
0
190
1万人を変え日本を変える!!多層構造型ふりかえりの大規模組織変革 / 20260108 Kazuki Mori
shift_evolve
PRO
5
820
#22 CA × atmaCup 3rd 1st Place Solution
yumizu
1
130
I tried making a solo advent calendar!
zzzzico
0
130
re:Invent2025 セッションレポ ~Spec-driven development with Kiro~
nrinetcom
PRO
2
170
Redshift認可、アップデートでどう変わった?
handy
1
130
チームで安全にClaude Codeを利用するためのプラクティス / team-claude-code-practices
tomoki10
6
2.6k
Featured
See All Featured
Imperfection Machines: The Place of Print at Facebook
scottboms
269
13k
Product Roadmaps are Hard
iamctodd
PRO
55
12k
AI Search: Where Are We & What Can We Do About It?
aleyda
0
6.8k
Fashionably flexible responsive web design (full day workshop)
malarkey
408
66k
Documentation Writing (for coders)
carmenintech
77
5.2k
The Hidden Cost of Media on the Web [PixelPalooza 2025]
tammyeverts
2
130
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
0
110
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
141
34k
How To Stay Up To Date on Web Technology
chriscoyier
791
250k
Design in an AI World
tapps
0
110
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
cargoodrich
2
78
The World Runs on Bad Software
bkeepers
PRO
72
12k
Transcript
Incident Response with Sysinternals WannaCry Edition @ShieldNow
About Me @dvirus Daniel Rodríguez Chief Information Security Officer -
O4IT
Agenda • Incident Response • Malware Analysis • Setting Up
the Virtual Lab • Basic Static Analysis • Basic Dynamic Analysis • WannaCry Demo
Incident Response
Malware Analysis
Setting Up Your Virtual Lab https://dvirus.training/lessons/configuracion-de-laboratorio/
OS: Windows 7 Service Pack 1 Architecture: Intel 32bit Network:
Internal networking RAM: 2 GB + Tools: • OllyDbg • 7zip • Putty • WinDbg • IDA Free • PEiD • PEview • Wireshark • RawCap • Wget • Notepad++ • UPX • Sysinternals Suite • API Monitor • Unxutils Setting Up Your Virtual Lab
Basic Static Analysis Examines malware without actually running it.
Get Basic information Sigcheck sigcheck -h c:\samples\bad.exe Verified: Unsigned Link
date: 11:46 AM 10/18/2011 Publisher: n/a Company: n/a Description: n/a Product: n/a Prod version: n/a File version: n/a MachineType: 32-bit MD5: B94AF4A4D4AF6EAC81FC135ABDA1C40C SHA1: D6356B2C6F8D29F8626062B5AEFB13B7FC744D54 PESHA1: F7D5B7F203BA3D4696EAC5030A8F51EB480C6DF1 PE256: EFFB2D5EC241003C529105DEA9959C3A98DBAE189B96B0A5A6CEF316294B59ED SHA256: 6AC06DFA543DCA43327D55A61D0AAED25F3C90CCE791E0555E3E306D47107859 IMP: 4DC1143E47A9A737805F66B3B75560BE sigcheck -e -u *
Collect Strings Strings strings.exe c:\samples\bad.exe strings.exe c:\samples\bad.exe | more strings.exe
c:\samples\bad.exe | findstr /i TextToSearchFor
Basic Dynamic Analysis Running the malware and observing its behavior
on the system
Process Examination Process Explorer Shows you information about which handles
and DLLs processes have opened or loaded
Process Examination Process Monitor Shows real-time file system, Registry and
process/thread activity.
Activity Examination Sysmon System Monitor (Sysmon) is a Windows system
service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
Hands On Sysinternals - WannaCry
WannaCry
Recursos • Malware Hunting with the Sysinternals Tools - Mark
Russinovich RSA Conference 2015 • Sysmon - DFIR https://github.com/MHaggis/sysmon-dfir • WannaCry – Lecciones aprendidas https://shieldnow.co/2017/05/13/wannacry-lecciones-aprendidas/ • https://dvirus.training/courses/analisis-de-malware-101/ • https://dvirus.training/windows-sysinternals/
Incident Response with Sysinternals WannaCry Edition @ShieldNow - @dvirus
dvirus
hiranabe
kintotechdev
kamitokusari
kakehashi
yosuke_ai
oracle4engineer
shift_evolve
yumizu
zzzzico
nrinetcom
handy
tomoki10
scottboms
iamctodd
aleyda
malarkey
carmenintech
tammyeverts
baasie
eileencodes
chriscoyier
tapps
cargoodrich
bkeepers
