
DFIR with Sysinternals

dvirus
August 16, 2017

Basic malware analysis with the Sysinternals Suite


Transcript

  1. Agenda
     • Incident Response
     • Malware Analysis
     • Setting Up the Virtual Lab
     • Basic Static Analysis
     • Basic Dynamic Analysis
     • WannaCry Demo

  2. Setting Up Your Virtual Lab
     OS: Windows 7 Service Pack 1
     Architecture: Intel 32-bit
     Network: Internal networking
     RAM: 2 GB+
     Tools:
     • OllyDbg
     • 7zip
     • Putty
     • WinDbg
     • IDA Free
     • PEiD
     • PEview
     • Wireshark
     • RawCap
     • Wget
     • Notepad++
     • UPX
     • Sysinternals Suite
     • API Monitor
     • Unxutils

  3. Get basic information: Sigcheck

     sigcheck -h c:\samples\bad.exe

         Verified:      Unsigned
         Link date:     11:46 AM 10/18/2011
         Publisher:     n/a
         Company:       n/a
         Description:   n/a
         Product:       n/a
         Prod version:  n/a
         File version:  n/a
         MachineType:   32-bit
         MD5:           B94AF4A4D4AF6EAC81FC135ABDA1C40C
         SHA1:          D6356B2C6F8D29F8626062B5AEFB13B7FC744D54
         PESHA1:        F7D5B7F203BA3D4696EAC5030A8F51EB480C6DF1
         PE256:         EFFB2D5EC241003C529105DEA9959C3A98DBAE189B96B0A5A6CEF316294B59ED
         SHA256:        6AC06DFA543DCA43327D55A61D0AAED25F3C90CCE791E0555E3E306D47107859
         IMP:           4DC1143E47A9A737805F66B3B75560BE

     sigcheck -e -u *

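The slide shows one sigcheck record by hand; in a lab with a whole samples directory the output is usually redirected to a file and worked through programmatically. The following is an added example (not code from the deck or from Sysinternals) that parses sigcheck's verbose output into records, lists the files that were not verified as signed and are not on an allow-list, and checks sigcheck's whole-file hashes against a fresh digest. It assumes sigcheck's text layout is a path line ending in ":" followed by tab-indented "Field:<tab>value" lines, which is how the slide's record is laid out; the sample output below is constructed (the bad.exe values are the ones on the slide, the good.exe record is made up).

```python
import hashlib

# Constructed sample of "sigcheck -h" output: the bad.exe record carries the values shown
# on the slide, the good.exe record is made up. Layout assumed: a path line ending in ":"
# followed by tab-indented "Field:<tab>value" lines.
SAMPLE_SIGCHECK_OUTPUT = """\
c:\\samples\\bad.exe:
\tVerified:\tUnsigned
\tLink date:\t11:46 AM 10/18/2011
\tPublisher:\tn/a
\tCompany:\tn/a
\tDescription:\tn/a
\tProduct:\tn/a
\tProd version:\tn/a
\tFile version:\tn/a
\tMachineType:\t32-bit
\tMD5:\tB94AF4A4D4AF6EAC81FC135ABDA1C40C
\tSHA1:\tD6356B2C6F8D29F8626062B5AEFB13B7FC744D54
\tPESHA1:\tF7D5B7F203BA3D4696EAC5030A8F51EB480C6DF1
\tPE256:\tEFFB2D5EC241003C529105DEA9959C3A98DBAE189B96B0A5A6CEF316294B59ED
\tSHA256:\t6AC06DFA543DCA43327D55A61D0AAED25F3C90CCE791E0555E3E306D47107859
\tIMP:\t4DC1143E47A9A737805F66B3B75560BE
c:\\samples\\good.exe:
\tVerified:\tSigned
\tSigning date:\t9:00 AM 1/2/2017
\tPublisher:\tExample Corp (constructed)
\tMD5:\t00000000000000000000000000000000
\tSHA256:\t1111111111111111111111111111111111111111111111111111111111111111
"""


def parse_sigcheck(text):
    """Turn sigcheck's verbose output into {path: {field: value}}."""
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]              # a new file record starts
            records[current] = {}
            continue
        if current is None:
            continue                         # banner text before the first record
        field, sep, value = line.strip().partition(":")
        if sep:
            records[current][field.strip()] = value.strip()
    return records


def hash_bytes(data):
    """Whole-file digests in the upper-case hex form sigcheck prints."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA256": hashlib.sha256(data).hexdigest().upper(),
    }


def matches_sigcheck(data, info):
    """Which of sigcheck's MD5/SHA1/SHA256 fields agree with a fresh digest of `data`.

    PESHA1/PE256 are Authenticode hashes (PE image minus its signature block) and IMP
    is the import hash, so those three are not comparable to whole-file digests.
    """
    return {name: digest == info.get(name, "").upper()
            for name, digest in hash_bytes(data).items()}


def triage(records, known_good_sha256=frozenset()):
    """Paths worth a closer look: not verified as signed and not on the allow-list."""
    allow = {h.upper() for h in known_good_sha256}
    flagged = []
    for path, info in records.items():
        if info.get("Verified") == "Signed":
            continue
        if info.get("SHA256", "").upper() in allow:
            continue
        flagged.append(path)
    return flagged


if __name__ == "__main__":
    parsed = parse_sigcheck(SAMPLE_SIGCHECK_OUTPUT)
    for path in triage(parsed):
        print(path, parsed[path]["SHA256"])
```

In the lab, `sigcheck -h -e -u -s c:\samples > sigcheck.txt` (executables only, unsigned only, recursive) produces the input; sigcheck's `-c` switch emits CSV instead, which is simpler to load but drops the per-field layout shown on the slide. "Verified: Signed" only means the signature chains to a root the lab machine trusts, so the allow-list in `triage` is the place to record hashes you have actually vetted rather than trusting the signature alone.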
  4. Activity examination: Sysmon
     System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.

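Sysmon writes its records to the Microsoft-Windows-Sysmon/Operational channel, so examining activity means pulling those events and tying them back to the sample identified in the static step. The following is an added example (not code from the deck or from Sysinternals) that flattens Sysmon events exported as XML, splits the Hashes field, finds the ProcessCreate event whose SHA256 matches what sigcheck reported, and builds a per-process timeline across event types. The sample records are constructed (the hashes are the slide's, while host name, PID, user and destination address are made up) and follow the XML shape wevtutil exports; event IDs 1 (ProcessCreate), 3 (NetworkConnect), 7 (ImageLoad), 11 (FileCreate) and 13 (RegistryValueSet) are real Sysmon event IDs.

```python
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# A subset of the event IDs Sysmon logs.
EVENT_NAMES = {1: "ProcessCreate", 3: "NetworkConnect", 7: "ImageLoad",
               11: "FileCreate", 13: "RegistryValueSet"}

# Constructed sample: two Sysmon records in the XML shape exported by
# "wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml", wrapped in one root element.
# Hashes are the ones on the sigcheck slide; host, PID, user and address are made up.
SAMPLE_SYSMON_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2017-08-16T14:00:01.000000000Z"/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>LAB-WIN7</Computer>
  </System>
  <EventData>
    <Data Name="ProcessId">1234</Data>
    <Data Name="Image">C:\\samples\\bad.exe</Data>
    <Data Name="CommandLine">"C:\\samples\\bad.exe"</Data>
    <Data Name="User">LAB-WIN7\\analyst</Data>
    <Data Name="Hashes">MD5=B94AF4A4D4AF6EAC81FC135ABDA1C40C,SHA256=6AC06DFA543DCA43327D55A61D0AAED25F3C90CCE791E0555E3E306D47107859</Data>
    <Data Name="ParentProcessId">800</Data>
    <Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>3</EventID>
    <TimeCreated SystemTime="2017-08-16T14:00:02.000000000Z"/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>LAB-WIN7</Computer>
  </System>
  <EventData>
    <Data Name="ProcessId">1234</Data>
    <Data Name="Image">C:\\samples\\bad.exe</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="DestinationIp">10.0.0.5</Data>
    <Data Name="DestinationPort">445</Data>
  </EventData>
</Event>
</Events>
"""


def parse_sysmon_events(xml_text):
    """Flatten each <Event> into {event_id, type, time, computer, data}, oldest first."""
    events = []
    for ev in ET.fromstring(xml_text).iter(EVENT_NS + "Event"):
        system = ev.find(EVENT_NS + "System")
        event_id = int(system.findtext(EVENT_NS + "EventID"))
        events.append({
            "event_id": event_id,
            "type": EVENT_NAMES.get(event_id, "EventID%d" % event_id),
            "time": system.find(EVENT_NS + "TimeCreated").get("SystemTime"),
            "computer": system.findtext(EVENT_NS + "Computer"),
            # EventData is a list of <Data Name="..."> children; empty text becomes "".
            "data": {d.get("Name"): (d.text or "") for d in ev.iter(EVENT_NS + "Data")},
        })
    return sorted(events, key=lambda e: e["time"])


def split_hashes(hashes_field):
    """Sysmon writes hashes as 'ALG=HEX,ALG=HEX'; return {ALG: HEX} in upper case."""
    pairs = (item.partition("=") for item in hashes_field.split(",") if "=" in item)
    return {alg.strip().upper(): hexval.strip().upper() for alg, _, hexval in pairs}


def events_for_hash(events, sha256):
    """Events whose Hashes field carries the SHA256 that sigcheck -h reported."""
    wanted = sha256.upper()
    return [e for e in events
            if split_hashes(e["data"].get("Hashes", "")).get("SHA256") == wanted]


def activity_for_process(events, process_id):
    """Chronological (time, type, summary) rows for one ProcessId across event types."""
    rows = []
    for e in events:
        d = e["data"]
        if d.get("ProcessId") != str(process_id):
            continue
        if e["event_id"] == 3:
            summary = "%s -> %s:%s" % (d.get("Protocol"), d.get("DestinationIp"),
                                       d.get("DestinationPort"))
        else:
            summary = d.get("CommandLine") or d.get("Image", "")
        rows.append((e["time"], e["type"], summary))
    return rows


if __name__ == "__main__":
    evs = parse_sysmon_events(SAMPLE_SYSMON_XML)
    for hit in events_for_hash(evs, "6AC06DFA543DCA43327D55A61D0AAED25F3C90CCE791E0555E3E306D47107859"):
        for row in activity_for_process(evs, hit["data"]["ProcessId"]):
            print(*row)
```

Matching on the hash rather than on the image path is deliberate: the same sample copied or renamed still produces the same Hashes value, while the path changes. Which hashes Sysmon records (and whether network events are logged at all) depends on the Sysmon configuration loaded on the lab VM, so check the config before treating an absent event as proof that nothing happened.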
  5. Resources
     • Malware Hunting with the Sysinternals Tools - Mark Russinovich, RSA Conference 2015
     • Sysmon - DFIR: https://github.com/MHaggis/sysmon-dfir
     • WannaCry – Lecciones aprendidas (Spanish: lessons learned): https://shieldnow.co/2017/05/13/wannacry-lecciones-aprendidas/
     • https://dvirus.training/courses/analisis-de-malware-101/
     • https://dvirus.training/windows-sysinternals/