Speaker Deck
DFIR with Sysinternals
Basic malware analysis with the Sysinternals suite
dvirus
August 16, 2017
Transcript
Incident Response with Sysinternals: WannaCry Edition @ShieldNow
About Me: @dvirus, Daniel Rodríguez, Chief Information Security Officer, O4IT
Agenda
• Incident Response
• Malware Analysis
• Setting Up the Virtual Lab
• Basic Static Analysis
• Basic Dynamic Analysis
• WannaCry Demo
Incident Response
Malware Analysis
Setting Up Your Virtual Lab https://dvirus.training/lessons/configuracion-de-laboratorio/
OS: Windows 7 Service Pack 1
Architecture: Intel 32-bit
Network: Internal networking
RAM: 2 GB+
Tools:
• OllyDbg
• 7zip
• Putty
• WinDbg
• IDA Free
• PEiD
• PEview
• Wireshark
• RawCap
• Wget
• Notepad++
• UPX
• Sysinternals Suite
• API Monitor
• Unxutils
Basic Static Analysis: examines malware without actually running it.
Get Basic Information: Sigcheck
sigcheck -h c:\samples\bad.exe
Verified: Unsigned
Link date: 11:46 AM 10/18/2011
Publisher: n/a
Company: n/a
Description: n/a
Product: n/a
Prod version: n/a
File version: n/a
MachineType: 32-bit
MD5: B94AF4A4D4AF6EAC81FC135ABDA1C40C
SHA1: D6356B2C6F8D29F8626062B5AEFB13B7FC744D54
PESHA1: F7D5B7F203BA3D4696EAC5030A8F51EB480C6DF1
PE256: EFFB2D5EC241003C529105DEA9959C3A98DBAE189B96B0A5A6CEF316294B59ED
SHA256: 6AC06DFA543DCA43327D55A61D0AAED25F3C90CCE791E0555E3E306D47107859
IMP: 4DC1143E47A9A737805F66B3B75560BE
sigcheck -e -u *
Collect Strings: Strings
strings.exe c:\samples\bad.exe
strings.exe c:\samples\bad.exe | more
strings.exe c:\samples\bad.exe | findstr /i TextToSearchFor
Basic Dynamic Analysis: running the malware and observing its behavior on the system
Process Examination: Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
Process Examination: Process Monitor shows real-time file system, Registry and process/thread activity.
Activity Examination: Sysmon. System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
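Sysmon writes each observation as an event in the Microsoft-Windows-Sysmon/Operational log (Event ID 1 for process creation, Event ID 3 for network connections, among others), so the analysis step after a detonation is reading those events back and joining them. The following is an added example, not code from the deck or from the sysmon-dfir repository it links: it parses an XML export of Sysmon events, rebuilds process lineage through ProcessGuid/ParentProcessGuid, attaches each network connection to the chain of processes that produced it, and flags shells whose parent is neither the desktop nor another shell. The three events in SAMPLE_XML are constructed (placeholder GUIDs, a TEST-NET destination address) but use the real field names; an export made with wevtutil qe ... /f:xml has no root element, so the sample wraps the events in one, as you would before parsing a real export.

```python
"""Added example (not from the deck): parse Sysmon events exported from the Windows
event log and reconstruct what each process did and which process started it."""
import xml.etree.ElementTree as ET

# Namespace of Windows event XML; every Sysmon <Event> element lives in it.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample, not real telemetry: two Event ID 1 (process create) records and one
# Event ID 3 (network connect), wrapped in a root element so they parse as one document.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
 <EventData><Data Name="ProcessGuid">{PG-0002}</Data>
  <Data Name="Image">C:\\Program Files\\Reader\\reader.exe</Data>
  <Data Name="ParentProcessGuid">{PG-0001}</Data>
  <Data Name="ParentImage">C:\\Windows\\explorer.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
 <EventData><Data Name="ProcessGuid">{PG-0003}</Data>
  <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
  <Data Name="ParentProcessGuid">{PG-0002}</Data>
  <Data Name="ParentImage">C:\\Program Files\\Reader\\reader.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
 <EventData><Data Name="ProcessGuid">{PG-0003}</Data>
  <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
  <Data Name="Protocol">tcp</Data>
  <Data Name="DestinationIp">203.0.113.10</Data>
  <Data Name="DestinationPort">445</Data></EventData>
</Event>
</Events>"""

SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Image paths are Windows paths; os.path.basename would not split them on Linux."""
    return path.rsplit("\\", 1)[-1]


def parse_events(xml_text: str) -> list:
    """Flatten each <Event> into a dict: EventID plus every <Data Name=...> field."""
    events = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        rec = {"EventID": int(ev.find(NS + "System/" + NS + "EventID").text)}
        for d in ev.iter(NS + "Data"):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def index_processes(events: list) -> dict:
    """ProcessGuid -> (image, parent guid, parent image) from Event ID 1 records."""
    return {e["ProcessGuid"]: (e["Image"], e["ParentProcessGuid"], e["ParentImage"])
            for e in events if e["EventID"] == 1}


def lineage(procs: dict, guid: str) -> list:
    """Image names from the oldest known ancestor down to `guid`. A parent with no
    Event ID 1 of its own (started before Sysmon, or before the export window)
    is named from the child's ParentImage field."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        image, parent_guid, parent_image = procs[guid]
        chain.append(basename(image))
        if parent_guid not in procs:
            chain.append(basename(parent_image))
        guid = parent_guid
    return chain[::-1]


def network_connections(events: list, procs: dict) -> list:
    """Event ID 3 records joined to the lineage of the connecting process."""
    result = []
    for e in events:
        if e["EventID"] != 3:
            continue
        chain = lineage(procs, e["ProcessGuid"]) or [basename(e["Image"])]
        result.append((" > ".join(chain), e["DestinationIp"], int(e["DestinationPort"])))
    return result


def shells_not_started_by_user(procs: dict) -> list:
    """Lineages where a shell's parent is neither explorer.exe nor another shell;
    a document reader spawning cmd.exe is the first thing to look at."""
    benign_parents = SHELLS | {"explorer.exe"}
    return [" > ".join(lineage(procs, guid))
            for guid, (image, _pg, parent_image) in procs.items()
            if basename(image).lower() in SHELLS
            and basename(parent_image).lower() not in benign_parents]


if __name__ == "__main__":
    events = parse_events(SAMPLE_XML)
    procs = index_processes(events)
    for chain in shells_not_started_by_user(procs):
        print("shell from non-interactive parent:", chain)
    for chain, ip, port in network_connections(events, procs):
        print("network:", chain, "->", ip, port)
```

The lineage join is the part worth keeping: a connection to port 445 means little on its own, but the same connection coming from a shell that a document reader launched is a finding. On a real export, replace SAMPLE_XML with the wrapped wevtutil output and the same three functions apply unchanged.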
Hands On Sysinternals - WannaCry
WannaCry
Resources
• Malware Hunting with the Sysinternals Tools - Mark Russinovich, RSA Conference 2015
• Sysmon - DFIR https://github.com/MHaggis/sysmon-dfir
• WannaCry – Lecciones aprendidas (lessons learned) https://shieldnow.co/2017/05/13/wannacry-lecciones-aprendidas/
• https://dvirus.training/courses/analisis-de-malware-101/
• https://dvirus.training/windows-sysinternals/
Incident Response with Sysinternals WannaCry Edition @ShieldNow - @dvirus