Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DFIR with Sysinternals
Search
dvirus
August 16, 2017
Technology
380
0
Share
DFIR with Sysinternals
Basic malware analysis with sysinternals suite
dvirus
August 16, 2017
More Decks by dvirus
See All by dvirus
Taller Análisis Básico de Malware
dvirus
0
170
Captura y Análisis de paquetes de Red
dvirus
0
1.9k
Guía TCPDump
dvirus
0
120
Netcat
dvirus
0
77
Introducción al Análisis Forense Digital
dvirus
1
660
Taller Suricata IDS | Habemus Hacking
dvirus
0
500
SecZone 2012 - Introducing VUSF - VoIP & Unified Communications Security Framework
dvirus
1
94
Iniciativas y Comunidades para la educación en Internet
dvirus
0
57
VoIP Malware
dvirus
0
120
Other Decks in Technology
See All in Technology
管理アカウント単一運用からAWS Organizationsに移行するの大変で滅
hiramax
0
260
Typiaで配信JSONの安全性を構造的に担保する(TSKaigi2026)
righttouch
PRO
1
180
サプライチェーン攻撃への備えについて考えている #湘なんか
stefafafan
3
2.4k
AI駆動開発でなんでもハンズオン環境をつくってみた
yoshimi0227
0
160
LLM時代のリファクタリング戦略_AIエージェントによる段階的・安全なTS移行方法
play_inc
0
210
Python開発環境にハーネス適用を検討する
yuuka51
1
540
CloudFront VPCオリジンとVPC Latticeサービスの内部ALBをマルチアカウントで一元利用しよう
duelist2020jp
5
240
AIAgentと取り組むKaggle
508shuto
2
610
ビジュアルプログラミングIoTLT vol.23
1ftseabass
PRO
0
140
Java正規表現エンジン(NFA)の仕組みと パフォーマンスを維持するための最適化手法
takeuchi_132917
0
120
自作エディターをOSSにして分かった、一人に刺さる開発が世界を動かす理由
shinyasaita
1
440
ポスター発表&デモと総括 / Poster Presentations & Demonstrations and Summary
ks91
PRO
0
140
Featured
See All Featured
Public Speaking Without Barfing On Your Shoes - THAT 2023
reverentgeek
1
400
SERP Conf. Vienna - Web Accessibility: Optimizing for Inclusivity and SEO
sarafernandez
2
1.5k
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
apolaine
1
330
The Limits of Empathy - UXLibs8
cassininazir
1
340
End of SEO as We Know It (SMX Advanced Version)
ipullrank
3
4.2k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
55
3.3k
How to Align SEO within the Product Triangle To Get Buy-In & Support - #RIMC
aleyda
2
1.5k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.7k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
370
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
3.2k
The Curse of the Amulet
leimatthew05
1
12k
Stop Working from a Prison Cell
hatefulcrawdad
274
21k
Transcript
Incident Response with Sysinternals WannaCry Edition @ShieldNow
About Me @dvirus Daniel Rodríguez Chief Information Security Officer -
O4IT
Agenda • Incident Response • Malware Analysis • Setting Up
the Virtual Lab • Basic Static Analysis • Basic Dynamic Analysis • WannaCry Demo
Incident Response
Malware Analysis
Setting Up Your Virtual Lab https://dvirus.training/lessons/configuracion-de-laboratorio/
OS: Windows 7 Service Pack 1 Architecture: Intel 32bit Network:
Internal networking RAM: 2 GB + Tools: • OllyDbg • 7zip • Putty • WinDbg • IDA Free • PEiD • PEview • Wireshark • RawCap • Wget • Notepad++ • UPX • Sysinternals Suite • API Monitor • Unxutils Setting Up Your Virtual Lab
Basic Static Analysis Examines malware without actually running it.
Get Basic information Sigcheck sigcheck -h c:\samples\bad.exe Verified: Unsigned Link
date: 11:46 AM 10/18/2011 Publisher: n/a Company: n/a Description: n/a Product: n/a Prod version: n/a File version: n/a MachineType: 32-bit MD5: B94AF4A4D4AF6EAC81FC135ABDA1C40C SHA1: D6356B2C6F8D29F8626062B5AEFB13B7FC744D54 PESHA1: F7D5B7F203BA3D4696EAC5030A8F51EB480C6DF1 PE256: EFFB2D5EC241003C529105DEA9959C3A98DBAE189B96B0A5A6CEF316294B59ED SHA256: 6AC06DFA543DCA43327D55A61D0AAED25F3C90CCE791E0555E3E306D47107859 IMP: 4DC1143E47A9A737805F66B3B75560BE sigcheck -e -u *
Collect Strings Strings strings.exe c:\samples\bad.exe strings.exe c:\samples\bad.exe | more strings.exe
c:\samples\bad.exe | findstr /i TextToSearchFor
Basic Dynamic Analysis Running the malware and observing its behavior
on the system
Process Examination Process Explorer Shows you information about which handles
and DLLs processes have opened or loaded
Process Examination Process Monitor Shows real-time file system, Registry and
process/thread activity.
Activity Examination Sysmon System Monitor (Sysmon) is a Windows system
service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
Hands On Sysinternals - WannaCry
WannaCry
Recursos • Malware Hunting with the Sysinternals Tools - Mark
Russinovich RSA Conference 2015 • Sysmon - DFIR https://github.com/MHaggis/sysmon-dfir • WannaCry – Lecciones aprendidas https://shieldnow.co/2017/05/13/wannacry-lecciones-aprendidas/ • https://dvirus.training/courses/analisis-de-malware-101/ • https://dvirus.training/windows-sysinternals/
Incident Response with Sysinternals WannaCry Edition @ShieldNow - @dvirus
dvirus
hiramax
righttouch
stefafafan
yoshimi0227
play_inc
yuuka51
duelist2020jp
508shuto
1ftseabass
takeuchi_132917
shinyasaita
ks91
reverentgeek
sarafernandez
apolaine
cassininazir
ipullrank
tammyeverts
aleyda
thoeni
baasie
danielanewman
leimatthew05
hatefulcrawdad
