Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DFIR with Sysinternals
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
dvirus
August 16, 2017
Technology
0
380
DFIR with Sysinternals
Basic malware analysis with sysinternals suite
dvirus
August 16, 2017
Tweet
Share
More Decks by dvirus
See All by dvirus
Taller Análisis Básico de Malware
dvirus
0
170
Captura y Análisis de paquetes de Red
dvirus
0
1.9k
Guía TCPDump
dvirus
0
110
Netcat
dvirus
0
76
Introducción al Análisis Forense Digital
dvirus
1
620
Taller Suricata IDS | Habemus Hacking
dvirus
0
490
SecZone 2012 - Introducing VUSF - VoIP & Unified Communications Security Framework
dvirus
1
89
Iniciativas y Comunidades para la educación en Internet
dvirus
0
53
VoIP Malware
dvirus
0
120
Other Decks in Technology
See All in Technology
Introduction to Bill One Development Engineer
sansan33
PRO
0
360
レガシー共有バッチ基盤への挑戦 - SREドリブンなリアーキテクチャリングの取り組み
tatsukoni
0
210
Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した.pdf
riku_423
2
540
学生・新卒・ジュニアから目指すSRE
hiroyaonoe
2
590
こんなところでも(地味に)活躍するImage Modeさんを知ってるかい?- Image Mode for OpenShift -
tsukaman
0
120
Webhook best practices for rock solid and resilient deployments
glaforge
1
280
Embedded SREの終わりを設計する 「なんとなく」から計画的な自立支援へ
sansantech
PRO
3
2.3k
Introduction to Sansan for Engineers / エンジニア向け会社紹介
sansan33
PRO
6
68k
データ民主化のための LLM 活用状況と課題紹介(IVRy の場合)
wxyzzz
2
700
Codex 5.3 と Opus 4.6 にコーポレートサイトを作らせてみた / Codex 5.3 vs Opus 4.6
ama_ch
0
130
Kiro IDEのドキュメントを全部読んだので地味だけどちょっと嬉しい機能を紹介する
khmoryz
0
180
セキュリティについて学ぶ会 / 2026 01 25 Takamatsu WordPress Meetup
rocketmartue
1
300
Featured
See All Featured
BBQ
matthewcrist
89
10k
Public Speaking Without Barfing On Your Shoes - THAT 2023
reverentgeek
1
300
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
231
22k
Applied NLP in the Age of Generative AI
inesmontani
PRO
4
2k
The AI Search Optimization Roadmap by Aleyda Solis
aleyda
1
5.2k
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
200
How To Speak Unicorn (iThemes Webinar)
marktimemedia
1
380
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
3.1k
Visual Storytelling: How to be a Superhuman Communicator
reverentgeek
2
430
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
220
How to audit for AI Accessibility on your Front & Back End
davetheseo
0
180
Building Adaptive Systems
keathley
44
2.9k
Transcript
Incident Response with Sysinternals WannaCry Edition @ShieldNow
About Me @dvirus Daniel Rodríguez Chief Information Security Officer -
O4IT
Agenda • Incident Response • Malware Analysis • Setting Up
the Virtual Lab • Basic Static Analysis • Basic Dynamic Analysis • WannaCry Demo
Incident Response
Malware Analysis
Setting Up Your Virtual Lab https://dvirus.training/lessons/configuracion-de-laboratorio/
OS: Windows 7 Service Pack 1 Architecture: Intel 32bit Network:
Internal networking RAM: 2 GB + Tools: • OllyDbg • 7zip • Putty • WinDbg • IDA Free • PEiD • PEview • Wireshark • RawCap • Wget • Notepad++ • UPX • Sysinternals Suite • API Monitor • Unxutils Setting Up Your Virtual Lab
Basic Static Analysis Examines malware without actually running it.
Get Basic information Sigcheck sigcheck -h c:\samples\bad.exe Verified: Unsigned Link
date: 11:46 AM 10/18/2011 Publisher: n/a Company: n/a Description: n/a Product: n/a Prod version: n/a File version: n/a MachineType: 32-bit MD5: B94AF4A4D4AF6EAC81FC135ABDA1C40C SHA1: D6356B2C6F8D29F8626062B5AEFB13B7FC744D54 PESHA1: F7D5B7F203BA3D4696EAC5030A8F51EB480C6DF1 PE256: EFFB2D5EC241003C529105DEA9959C3A98DBAE189B96B0A5A6CEF316294B59ED SHA256: 6AC06DFA543DCA43327D55A61D0AAED25F3C90CCE791E0555E3E306D47107859 IMP: 4DC1143E47A9A737805F66B3B75560BE sigcheck -e -u *
Collect Strings Strings strings.exe c:\samples\bad.exe strings.exe c:\samples\bad.exe | more strings.exe
c:\samples\bad.exe | findstr /i TextToSearchFor
Basic Dynamic Analysis Running the malware and observing its behavior
on the system
Process Examination Process Explorer Shows you information about which handles
and DLLs processes have opened or loaded
Process Examination Process Monitor Shows real-time file system, Registry and
process/thread activity.
Activity Examination Sysmon System Monitor (Sysmon) is a Windows system
service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
Hands On Sysinternals - WannaCry
WannaCry
Recursos • Malware Hunting with the Sysinternals Tools - Mark
Russinovich RSA Conference 2015 • Sysmon - DFIR https://github.com/MHaggis/sysmon-dfir • WannaCry – Lecciones aprendidas https://shieldnow.co/2017/05/13/wannacry-lecciones-aprendidas/ • https://dvirus.training/courses/analisis-de-malware-101/ • https://dvirus.training/windows-sysinternals/
Incident Response with Sysinternals WannaCry Edition @ShieldNow - @dvirus
dvirus
sansan33
tatsukoni
riku_423
hiroyaonoe
tsukaman
glaforge
sansantech
wxyzzz
ama_ch
khmoryz
rocketmartue
matthewcrist
reverentgeek
danielanewman
inesmontani
aleyda
tamaranovitovic
marktimemedia
baasie
davetheseo
keathley
