DFIR with Sysinternals
dvirus
August 16, 2017
Technology
Basic malware analysis with sysinternals suite
Transcript
Incident Response with Sysinternals WannaCry Edition @ShieldNow
About Me: @dvirus, Daniel Rodríguez, Chief Information Security Officer, O4IT
Agenda
• Incident Response
• Malware Analysis
• Setting Up the Virtual Lab
• Basic Static Analysis
• Basic Dynamic Analysis
• WannaCry Demo
Incident Response
Malware Analysis
Setting Up Your Virtual Lab
https://dvirus.training/lessons/configuracion-de-laboratorio/
OS: Windows 7 Service Pack 1
Architecture: Intel 32-bit
Network: Internal networking
RAM: 2 GB+
Tools:
• OllyDbg
• 7zip
• Putty
• WinDbg
• IDA Free
• PEiD
• PEview
• Wireshark
• RawCap
• Wget
• Notepad++
• UPX
• Sysinternals Suite
• API Monitor
• Unxutils
Basic Static Analysis
Examines malware without actually running it.
Get Basic Information: Sigcheck
sigcheck -h c:\samples\bad.exe
Verified: Unsigned
Link date: 11:46 AM 10/18/2011
Publisher: n/a
Company: n/a
Description: n/a
Product: n/a
Prod version: n/a
File version: n/a
MachineType: 32-bit
MD5: B94AF4A4D4AF6EAC81FC135ABDA1C40C
SHA1: D6356B2C6F8D29F8626062B5AEFB13B7FC744D54
PESHA1: F7D5B7F203BA3D4696EAC5030A8F51EB480C6DF1
PE256: EFFB2D5EC241003C529105DEA9959C3A98DBAE189B96B0A5A6CEF316294B59ED
SHA256: 6AC06DFA543DCA43327D55A61D0AAED25F3C90CCE791E0555E3E306D47107859
IMP: 4DC1143E47A9A737805F66B3B75560BE
sigcheck -e -u *
Collect Strings: Strings
strings.exe c:\samples\bad.exe
strings.exe c:\samples\bad.exe | more
strings.exe c:\samples\bad.exe | findstr /i TextToSearchFor
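As an added example (not part of the deck), the sigcheck -h and strings | findstr /i steps above reproduced in Python over a constructed byte string that stands in for c:\samples\bad.exe: file hashes, ASCII and UTF-16LE string extraction (the latter is what the plain ASCII scan misses), and a case-insensitive filter. The sample bytes and the minimum string length are assumptions.

```python
import hashlib
import re

# Constructed stand-in for c:\samples\bad.exe: an MZ stub, a few ASCII strings
# and one UTF-16LE string, padded with non-printable bytes. Not a real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n\x01\x02"
    + b"kernel32.dll\x00CreateFileA\x00"
    + b"C:\\Windows\\Temp\\dropped.tmp\x00\x00"
    + "http://example.invalid/beacon".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"
)

def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of the file, upper-case as sigcheck -h prints them."""
    return {algo: hashlib.new(algo, data).hexdigest().upper()
            for algo in ("md5", "sha1", "sha256")}

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes (strings.exe defaults to 3)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def utf16_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable UTF-16LE characters, which an ASCII-only scan skips."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.decode("utf-16-le") for m in re.findall(pattern, data)]

def grep_strings(data: bytes, term: str) -> list:
    """Case-insensitive filter over both string sets, like `| findstr /i term`."""
    term = term.lower()
    return [s for s in ascii_strings(data) + utf16_strings(data) if term in s.lower()]

def triage(data: bytes) -> dict:
    """One-shot static summary: MZ magic present, hashes, and both string sets."""
    return {
        "mz_header": data[:2] == b"MZ",
        "hashes": file_hashes(data),
        "ascii": ascii_strings(data),
        "unicode": utf16_strings(data),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
    print("findstr /i temp ->", grep_strings(SAMPLE, "temp"))
```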
Basic Dynamic Analysis
Running the malware and observing its behavior on the system.
Process Examination: Process Explorer
Shows you information about which handles and DLLs processes have opened or loaded.
Process Examination: Process Monitor
Shows real-time file system, Registry and process/thread activity.
Activity Examination: Sysmon
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
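Added example, not from the deck: once Sysmon is logging, its Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate) records can be correlated by ProcessGuid to rebuild, after the fact, the parent/child tree Process Explorer showed live and to attribute every file written to the branch that wrote it. The records and GUIDs below are constructed; only the field names follow Sysmon's EventData.

```python
# Constructed Sysmon records (not a real capture); keys follow the EventData field
# names Sysmon uses for Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate).
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{E}", "ParentProcessGuid": "{X}", "Image": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{E}", "Image": "C:\\samples\\bad.exe"},
    {"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{B}", "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 11, "ProcessGuid": "{B}", "TargetFilename": "C:\\Windows\\Temp\\dropped.tmp"},
    {"EventID": 11, "ProcessGuid": "{C}", "TargetFilename": "C:\\Users\\lab\\Desktop\\note.txt"},
]

def image_name(path: str) -> str:
    """Last component of a Windows path (os.path.basename does not split '\\' on Linux)."""
    return path.rsplit("\\", 1)[-1]

def build_tree(events):
    """Index ProcessCreate events by ProcessGuid and map each parent GUID to its children."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    children = {}
    for e in procs.values():
        children.setdefault(e["ParentProcessGuid"], []).append(e["ProcessGuid"])
    return procs, children

def ancestry(procs, guid):
    """Image names from the oldest logged ancestor down to guid, as in Process Explorer's tree."""
    chain = []
    while guid in procs:
        chain.append(image_name(procs[guid]["Image"]))
        guid = procs[guid]["ParentProcessGuid"]
    return chain[::-1]

def descendants(children, guid):
    """Every process spawned, directly or indirectly, by guid (depth-first)."""
    found, stack = [], list(children.get(guid, []))
    while stack:
        g = stack.pop()
        found.append(g)
        stack.extend(children.get(g, []))
    return found

def files_created_by(events, children, guid):
    """FileCreate targets attributed to guid and its whole subtree, sorted."""
    scope = {guid, *descendants(children, guid)}
    return sorted(e["TargetFilename"] for e in events
                  if e["EventID"] == 11 and e["ProcessGuid"] in scope)

if __name__ == "__main__":
    procs, children = build_tree(EVENTS)
    print(" -> ".join(ancestry(procs, "{C}")))
    print(files_created_by(EVENTS, children, "{B}"))
```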
Hands On Sysinternals - WannaCry
WannaCry
Resources
• Malware Hunting with the Sysinternals Tools, Mark Russinovich, RSA Conference 2015
• Sysmon - DFIR: https://github.com/MHaggis/sysmon-dfir
• WannaCry – Lecciones aprendidas (WannaCry: lessons learned): https://shieldnow.co/2017/05/13/wannacry-lecciones-aprendidas/
• https://dvirus.training/courses/analisis-de-malware-101/
• https://dvirus.training/windows-sysinternals/
Incident Response with Sysinternals WannaCry Edition @ShieldNow - @dvirus