DFIR with Sysinternals

Transcript

1. Incident Response with Sysinternals WannaCry Edition @ShieldNow

2. About Me @dvirus Daniel Rodríguez Chief Information Security Officer -

   O4IT

3. Agenda • Incident Response • Malware Analysis • Setting Up

   the Virtual Lab • Basic Static Analysis • Basic Dynamic Analysis • WannaCry Demo

4. Incident Response

5. Malware Analysis

6. Setting Up Your Virtual Lab https://dvirus.training/lessons/configuracion-de-laboratorio/

7. OS: Windows 7 Service Pack 1 Architecture: Intel 32bit Network:

   Internal networking RAM: 2 GB + Tools: • OllyDbg • 7zip • Putty • WinDbg • IDA Free • PEiD • PEview • Wireshark • RawCap • Wget • Notepad++ • UPX • Sysinternals Suite • API Monitor • Unxutils Setting Up Your Virtual Lab

8. Basic Static Analysis Examines malware without actually running it.

9. Get Basic information Sigcheck sigcheck -h c:\samples\bad.exe Verified: Unsigned Link

   date: 11:46 AM 10/18/2011 Publisher: n/a Company: n/a Description: n/a Product: n/a Prod version: n/a File version: n/a MachineType: 32-bit MD5: B94AF4A4D4AF6EAC81FC135ABDA1C40C SHA1: D6356B2C6F8D29F8626062B5AEFB13B7FC744D54 PESHA1: F7D5B7F203BA3D4696EAC5030A8F51EB480C6DF1 PE256: EFFB2D5EC241003C529105DEA9959C3A98DBAE189B96B0A5A6CEF316294B59ED SHA256: 6AC06DFA543DCA43327D55A61D0AAED25F3C90CCE791E0555E3E306D47107859 IMP: 4DC1143E47A9A737805F66B3B75560BE sigcheck -e -u *

10. Collect Strings Strings strings.exe c:\samples\bad.exe strings.exe c:\samples\bad.exe | more strings.exe

    c:\samples\bad.exe | findstr /i TextToSearchFor

11. Basic Dynamic Analysis Running the malware and observing its behavior

    on the system

12. Process Examination Process Explorer Shows you information about which handles

    and DLLs processes have opened or loaded

13. Process Examination Process Monitor Shows real-time file system, Registry and

    process/thread activity.

14. Activity Examination Sysmon System Monitor (Sysmon) is a Windows system

    service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.

15. Hands On Sysinternals - WannaCry

16. WannaCry

17. Recursos • Malware Hunting with the Sysinternals Tools - Mark

    Russinovich RSA Conference 2015 • Sysmon - DFIR https://github.com/MHaggis/sysmon-dfir • WannaCry – Lecciones aprendidas https://shieldnow.co/2017/05/13/wannacry-lecciones-aprendidas/ • https://dvirus.training/courses/analisis-de-malware-101/ • https://dvirus.training/windows-sysinternals/

18. Incident Response with Sysinternals WannaCry Edition @ShieldNow - @dvirus