Windows IR made easier and faster
Find the head of the snake using Logs,
AutoRuns, Large Registry Keys, Locked
Files, IP/WhoIs and Netflow
Michael Gough – Founder
MalwareArchaeology.com
IMFSecurity.com
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where,
When and hopefully How
Creator of
“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane also my Blog
The Challenge
• Why can’t we be the ones to discover that a
system is compromised?
• Before we receive a call from a 3rd party?
• How do we take a system like that one
– <insert one of your laptops here>
• And determine if it is clean or compromised?
How all this started
• I worked for a gaming company that got pwned BAD by the Winnti
group
• We knew systems were infected, but how do you find what they
placed and modified on the system?
• In 2012 logging was not as good as it is now
• In 2014 logging was MUCH better – Yay CMD Line Logging 8.1/2012
• So we had to find it the old fashioned way
– Hash the files on a clean system (we built it) and compare them to a
suspect system; we had lots of suspects…
– RegShot GUI
– Painful long analysis, almost forensics
• Once we found the bad we had good tools to find it everywhere
– Splunk and BigFix are AWESOME !!!!!
The Pretty Blue Blinky Lights
• We can’t all afford fancy $100k EDR endpoint
solutions
• Or fancy IR solutions
– I LOVE BigFix for IR, or equivalent
• We can’t all afford to call an IR Firm once an
incident occurs
– $350-$450/hr times X people
So what are our options?
• Anti-Virus
• Next Gen Endpoint at $100k+
• Full Blown Forensics
• IR Firm at $350-$450/hr
• Detect and Respond yourself
• Proactive Hunting yourself
• Learning to do it ourselves should be our goal
I think or know that one is infected
• So how do we go about investigating it?
• What kinds of things can we do to check a
system?
• We know certain things about systems
– The malwarians behave a certain way
– Many things are normal
• So let’s use what’s normal to find their bad
behavior
Typical Malwarian Behavior
• They generally compromise user space first
– C:\Users
• And anywhere a standard user has rights
– Whatever level a user is logged into, they have rights
to add/modify/delete stuff
• Then they go to Admin creds and space
– They own the system now
• And now east/west lateral movement is easy
• And all that APT stuff the reports talk about
So how do we catch them?
• We need to focus more on Detection and Hunting
• Automate it too!
• Log management is the best option IMHO, but it can
also be costly
– There are cheaper solutions – Graylog, ELK, etc.
– But free is not (human resource) free
• Most of us have configuration management, we have
to automate patching
• Maybe we can use this?
Command Line Rocks!
• We all use it
• So do many/most IR and Forensics tools
• GUIs are bad because we cannot automate a GUI
• So command line rocks
• We can automate command line
• Which is why I recommend and use command
line solutions and tools
– If you don’t have the $$$$ solutions
Command Line
• We can use logon scripts, PowerShell, PSExec,
etc.
• Configuration Management like BigFix,
Tanium, SCCM
• Pick one, something, whatever you have
• This allows you to automate command line
tools
Artifacts
So what do we look for?
• New files added to user space - C:\Users
• Files added in Admin space – Everywhere else
• Persistence – Autorun locations
• Registry Keys added or changed
• Large Registry Keys – They hide stuff here
• Logs of course, LOTS of good stuff here
• Odd artifacts that Breach and Malware
Analysis reports show that are ‘good to detect’
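"Large Registry Keys – They hide stuff here" is listed above as an artifact to look for. The PowerShell below is an added example written for this page, not LOG-MD's own code: it walks the main hives and reports every value whose data is larger than a threshold, so the result can be sorted and compared with the same report from a clean build. The 20 KB cut-off, the hives scanned and the report file name are assumptions.

```powershell
# Added example, not LOG-MD's code: report registry values whose data is
# unusually large. The 20 KB threshold and the hives scanned are assumptions.

function Get-ValueDataSize {
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Name)
    # Size in bytes of one value's data, by value kind
    $kind = $Key.GetValueKind($Name)
    $data = $Key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
    switch ($kind) {
        'Binary'       { return @($data).Length }
        'String'       { return [System.Text.Encoding]::Unicode.GetByteCount([string]$data) }
        'ExpandString' { return [System.Text.Encoding]::Unicode.GetByteCount([string]$data) }
        'MultiString'  { return [System.Text.Encoding]::Unicode.GetByteCount(($data -join "`0")) }
        default        { return 0 }   # DWORD/QWORD/None: nothing worth hiding fits here
    }
}

function Find-LargeRegistryValues {
    param(
        [string[]]$Hives = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\SOFTWARE'),
        [int]$MinBytes = 20KB
    )
    foreach ($hive in $Hives) {
        # The hive root itself plus every subkey; keys we cannot open are skipped
        $keys = @(Get-Item -Path $hive -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $size = Get-ValueDataSize -Key $key -Name $name
                if ($size -lt $MinBytes) { continue }
                $display = if ($name) { $name } else { '(Default)' }
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $display
                    Kind  = $key.GetValueKind($name)
                    Bytes = $size
                }
            }
        }
    }
}

# Usage: largest first on the console, and a CSV to diff against a clean build
Find-LargeRegistryValues |
    Sort-Object -Property Bytes -Descending |
    Tee-Object -Variable report |
    Format-Table -AutoSize
$report | Export-Csv -Path '.\Large_Registry_Keys.csv' -NoTypeInformation
```

Run it elevated so HKLM keys with restricted ACLs are included, and expect a handful of legitimately large values (driver and font caches, for instance); the point is the diff between a clean build and the suspect, not the absolute list.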
So what can we do quickly?
• Lots of python scripts, projects, tools and options
– Not really my thing, too many things to compile and tweak;
I should not have to hack together my detection and
hunting tool(s) suite
• I wanted something that allowed me to focus on what I
saw that worked
– Well configured logs
– Targeted reports by category
– Large Registry Keys
– Changes to Registry keys
– Files added to places that seem odd
– Other Interesting Artifacts
Something New
I came here to show you a new tool
• It did not exist, so we created it
– Turned a collection of my scripts into a tool
• Built on everything I saw and experienced with
Winnti over 3 years, which was a LOT
• And Breach and Malware Analysis reports
• Tips from colleagues at this very conference
• And years of experience of course
• And because we may not be able to afford $$$$
The Log and Malicious Discovery tool
Logging:
• ALL VERSIONS OF WINDOWS (Win 7 & up)
• Audits your system log settings and produces a report,
every time it runs
• Also shows failed items on the console
• Guides you to configure proper audit logging
• Guides you to enable what is valuable
• Compares auditing to many industry standards
– CIS, USGCB and AU standards and “Windows Logging Cheat
Sheet”
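The slide above describes auditing a system's log settings, writing a report and echoing failed items to the console. The script below is an added example of that idea, not LOG-MD's code and not its rule set: it checks two registry-backed logging settings and the Security log's maximum size, writes a CSV, and warns on each failure. The expected values (command-line logging on, script block logging on, a 1 GB Security log) and the report path are assumptions chosen for illustration.

```powershell
# Added example, not LOG-MD's code: a small audit-settings check that reports
# pass/fail per item. Expected values are assumptions for illustration, not
# any standard's exact wording. Run from an elevated PowerShell.

$registryChecks = @(
    @{ Name  = 'Command line captured in 4688 Process Creation events'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Value = 'ProcessCreationIncludeCmdLine_Enabled'
       Want  = 1 },
    @{ Name  = 'PowerShell Script Block Logging enabled'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockLogging'
       Want  = 1 }
)

function Test-RegistryCheck {
    param([hashtable]$Check)
    $actual = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.($Check.Value) }
    $shown = if ($null -eq $actual) { '(not set)' } else { $actual }
    [pscustomobject]@{ Check = $Check.Name; Want = $Check.Want; Actual = $shown; Pass = ($actual -eq $Check.Want) }
}

function Test-SecurityLogSize {
    param([long]$MinBytes = 1GB)   # the deck: about 7 days of events fits in a 1 GB Security log
    $actual = $null
    try { $actual = (Get-WinEvent -ListLog Security -ErrorAction Stop).MaximumSizeInBytes } catch {}
    $shown = if ($null -eq $actual) { '(unreadable)' } else { $actual }
    [pscustomobject]@{ Check  = 'Security log maximum size'; Want = $MinBytes; Actual = $shown
                       Pass   = ($null -ne $actual -and $actual -ge $MinBytes) }
}

function Invoke-AuditSettingsCheck {
    param([string]$ReportPath = '.\Audit_Settings_Report.csv')   # assumed report name
    $results = @($registryChecks | ForEach-Object { Test-RegistryCheck -Check $_ })
    $results += Test-SecurityLogSize
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    # Failed items also go to the console
    $results | Where-Object { -not $_.Pass } | ForEach-Object {
        Write-Warning ("FAIL: {0} (want {1}, actual {2})" -f $_.Check, $_.Want, $_.Actual)
    }
    $results
}

Invoke-AuditSettingsCheck | Format-Table -AutoSize
```

Extending it is a matter of adding hashtables to `$registryChecks`; advanced audit policy subcategories (the `auditpol` side of the cheat sheet) need a separate parser because `auditpol /get` output is localized.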
There are three versions
• Free Edition
• Professional Edition
• Consulting Edition
– Just a license difference to Pro
All Versions
• Collect 1-7 days of logs (7 days is about a 1GB Security Log)
LOG-MD does more than just harvest logs
• Full filesystem Hash Baseline
• Full filesystem compare to a Hash Baseline
• Full system Registry Baseline
• Full system compare to Registry Baseline
• Large Registry Key discovery
• List of Autoruns (coming next release)
• List of Locked files (coming next release)
• 3 Whitelist files to reduce normal noise and events
Free Edition
• Over 15 reports
• Quick Start Guide
• All reports are TXT or CSV for easy scripting and
post processing with your favorite flavor of
scripting
• Scripts I created are what became LOG-MD Pro
• Over 25 reports
• Full User Manual
• Collects Sysinternals Sysmon events
• WhoIS resolution of IPs from Win FW/Sysmon
– Owner, Network, Country, CIDR
• Master-Digest to exclude hashes and files
• 3 more Whitelisting files
– File, Registry and AutoRuns
• Interesting Artifacts report
– Null byte in registry value, Sticky Keys, etc.
– Adding more all the time
• SRUM (netflow from/to a binary)
– Win 8.1 and 10 only
• AutoRuns compare feature to show only those
Autoruns whose hashes are not in the Master
Digest or Whitelisted parameters
What is a
Master-Digest?
Master-Digest
• A Hash Baseline (Hash_Baseline.txt) is a list of every
file and hash on the C: drive
• A Master Digest only lists the unique files and hashes,
and they are sorted
• Results in 33%+ fewer files to do compares against, so
much faster
• Speed for any disk reads is a good thing
Master-Digest
• You can append files and hashes to the Master
Digest as you validate them as good
• You can feed the Master Digest any set of
SHA256 Hashes like:
– Hashsets.com (Whitehat Forensics)
– NSRL, etc.
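The two Master-Digest slides describe a workflow: hash every file on a clean build, collapse that baseline to a sorted list of unique hashes, append hashes you validate as good (or an external SHA256 set), and compare a suspect system against it. The PowerShell below is an added example of that workflow, written for this page and not LOG-MD's own code; file names (`Hash_Baseline.txt`, `Master_Digest.txt`, `Compare_Results.csv`) and the CSV layout of the baseline are assumptions.

```powershell
# Added example, not LOG-MD's code: hash baseline -> Master-Digest -> compare.
# File names and the baseline's CSV layout are assumptions.

function New-HashBaseline {
    param([string]$Root, [string]$OutFile)
    # Every file under $Root with its SHA256 (the deck's Hash_Baseline.txt)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) { [pscustomobject]@{ Hash = $h.Hash; Path = $_.FullName } }
        } | Export-Csv -Path $OutFile -NoTypeInformation
}

function ConvertTo-MasterDigest {
    param([string]$BaselineFile, [string]$DigestFile)
    # Unique hashes only, sorted: a compare then needs one set lookup per file
    Import-Csv -Path $BaselineFile |
        Select-Object -ExpandProperty Hash |
        Sort-Object -Unique |
        Set-Content -Path $DigestFile
}

function Add-ToMasterDigest {
    param([string]$DigestFile, [string[]]$Hashes)
    # Append validated-good hashes (or an external SHA256 set) and re-deduplicate
    $all = @(Get-Content -Path $DigestFile) + $Hashes |
        ForEach-Object { $_.Trim().ToUpper() } |
        Where-Object { $_ } |
        Sort-Object -Unique
    Set-Content -Path $DigestFile -Value $all
}

function Compare-ToMasterDigest {
    param([string]$Root, [string]$DigestFile)
    $known = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]@(Get-Content -Path $DigestFile), [System.StringComparer]::OrdinalIgnoreCase)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if (-not $h) {
                # Locked or unreadable: it cannot be hashed, so the digest cannot clear it
                [pscustomobject]@{ Status = 'UNHASHABLE'; Hash = ''; Path = $_.FullName }
            } elseif (-not $known.Contains($h.Hash)) {
                [pscustomobject]@{ Status = 'UNKNOWN'; Hash = $h.Hash; Path = $_.FullName }
            }
        }
}

# Usage (assumed paths): baseline the clean build once, then compare suspects
New-HashBaseline -Root 'C:\' -OutFile '.\Hash_Baseline.txt'
ConvertTo-MasterDigest -BaselineFile '.\Hash_Baseline.txt' -DigestFile '.\Master_Digest.txt'
Compare-ToMasterDigest -Root 'C:\Users' -DigestFile '.\Master_Digest.txt' |
    Export-Csv -Path '.\Compare_Results.csv' -NoTypeInformation
```

Files reported as UNHASHABLE are the locked-file case the deck returns to later; they deserve a look precisely because the digest could not vouch for them.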
SRUM
SRUM for IR and Malware Analysis
• SRUM holds 60 days of data !!!
• Updates (flushes cache to the database) in
one hour intervals or on shutdown
• How many bytes were written and read from
the system by Application/Process
• LOG-MD-Pro can harvest SRUM data LIVE or
offline like traditional forensic tools
• Great for answering the questions
– Did we lose any data?
– When were we first infected?
AutoRuns
Autoruns
• We need to find the persistence
• There are typically over 1000 autoruns
• We need a way to filter down the known good
• Master-Digest to the rescue !!!
• Whitelist out binaries with parameters
• The parameters are often where the bad stuff
hides so whitelisting is the best option
• So we let you whitelist out your known good
Autoruns
• 1257 autoruns
• Subtract hashes in the Master-Digest
• 171 autoruns with parameters remain
• Subtract the whitelist
• 2 remain and Splunk to show a normal entry
• Easy to spot the malicious persistence
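The two Autoruns slides describe a filter chain: start from every autorun, drop entries the Master-Digest vouches for, then drop entries whose binary plus parameters are whitelisted, and what remains is small enough to read. The PowerShell below is an added example of that chain on a constructed sample, not LOG-MD's code. The input columns, the whitelist format (`imagepath|launchstring` with `-like` wildcards), the four rows and their hashes are all made up for illustration; the reading that a digest hit clears an entry only when it carries no parameters is my interpretation of the "AutoRuns compare" bullet above.

```powershell
# Added example, not LOG-MD's code: Master-Digest then whitelist on a
# constructed autoruns sample. Columns, rows, hashes and whitelist format are assumptions.

$autorunsCsv = @'
"Entry Location","Entry","Image Path","Launch String","SHA-256"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","c:\windows\system32\securityhealthsystray.exe","%windir%\system32\SecurityHealthSystray.exe","AAAA1111"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OneDrive","c:\users\bob\appdata\local\microsoft\onedrive\onedrive.exe","""C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background","BBBB2222"
"Task Scheduler","\Updater","c:\windows\system32\cmd.exe","cmd.exe /c start /min c:\users\bob\appdata\roaming\svc.dat","CCCC3333"
"Task Scheduler","\Backup","c:\program files\backup\backup.exe","""C:\Program Files\Backup\backup.exe"" -nightly","DDDD4444"
'@
$entries = $autorunsCsv | ConvertFrom-Csv

# Master-Digest of the clean build: the tray app and cmd.exe are known-good binaries
$masterDigest = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@('AAAA1111', 'CCCC3333'), [System.StringComparer]::OrdinalIgnoreCase)

# Whitelist: one "imagepath|launchstring" pattern per line (-like wildcards)
$whitelist = @'
c:\users\*\appdata\local\microsoft\onedrive\onedrive.exe|*\onedrive.exe" /background
c:\program files\backup\backup.exe|*\backup.exe" -nightly
'@ -split "`r?`n" | Where-Object { $_.Trim() }

function Test-HasParameters {
    param([string]$LaunchString)
    # Remove the executable token (quoted, or up to the first space); anything left is a parameter
    $s = $LaunchString.Trim()
    if ($s.StartsWith('"')) { $rest = $s.Substring($s.IndexOf('"', 1) + 1) }
    else { $rest = ($s -split '\s+', 2)[1] }
    return [bool]($rest -and $rest.Trim())
}

function Select-SuspiciousAutoruns {
    param($Entries, $Digest, [string[]]$Whitelist)
    # Step 1: a digest hit clears an entry only if the binary runs with no parameters;
    # a known-good cmd.exe launching something from AppData must survive this step
    $step1 = $Entries | Where-Object {
        -not ($Digest.Contains($_.'SHA-256') -and -not (Test-HasParameters $_.'Launch String'))
    }
    Write-Host ("{0} autoruns, {1} remain after the Master-Digest" -f @($Entries).Count, @($step1).Count)
    # Step 2: drop entries whose image and parameters match a whitelist pattern
    $step2 = $step1 | Where-Object {
        $key = ('{0}|{1}' -f $_.'Image Path', $_.'Launch String').ToLower()
        -not ($Whitelist | Where-Object { $key -like $_.ToLower() })
    }
    Write-Host ("{0} remain after the whitelist" -f @($step2).Count)
    $step2
}

# On the sample: 4 autoruns -> 3 after the digest -> 1 after the whitelist (the \Updater task)
Select-SuspiciousAutoruns -Entries $entries -Digest $masterDigest -Whitelist $whitelist |
    Format-Table 'Entry Location', Entry, 'Launch String' -AutoSize
```

Whitelisting the full launch string rather than the binary is what lets a trusted `cmd.exe` entry stay visible when its arguments are not trusted, which is the deck's point about parameters being where the bad stuff hides.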
Locked Files
Locked Files
• If a file is locked…
• You can’t hash it
• You can’t run Sigcheck or Strings or pick your
favorite tool, you need to break the handle
first
• It sure would be nice to see a list of locked
files
• That are DIFFERENT from the norm
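The slide above wants a list of locked files, filtered down to those that differ from the norm. The PowerShell below is an added example written for this page, not LOG-MD's code: it attempts the same shared-read open a hashing tool would, records each sharing violation as a locked file, and diffs that list against a baseline captured on a clean build. The roots scanned and the baseline file name are assumptions.

```powershell
# Added example, not LOG-MD's code: list files that fail a shared-read open
# (the sharing violation that stops hashing) and diff against a clean baseline.
# Roots and file names are assumptions.

function Get-LockedFiles {
    param([string[]]$Roots = @('C:\Users', 'C:\ProgramData', 'C:\Windows\Temp'))
    foreach ($root in $Roots) {
        $files = Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            try {
                # Same mode a hashing tool uses: read access, sharing reads only
                $fs = [System.IO.File]::Open($file.FullName, 'Open', 'Read', 'Read')
                $fs.Dispose()
            } catch [System.IO.FileNotFoundException] {
                # Deleted between enumeration and open: not a lock
            } catch [System.IO.IOException] {
                # Sharing violation: another process holds the file, so it cannot be hashed
                [pscustomobject]@{ Path = $file.FullName; Bytes = $file.Length; LastWrite = $file.LastWriteTime }
            } catch [System.UnauthorizedAccessException] {
                # Permission denied is not a lock; run elevated if these need covering
            }
        }
    }
}

function Compare-LockedFiles {
    param([string]$BaselineFile,
          [string[]]$Roots = @('C:\Users', 'C:\ProgramData', 'C:\Windows\Temp'))
    $baseline = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]@(Get-Content -Path $BaselineFile), [System.StringComparer]::OrdinalIgnoreCase)
    # Only files locked now but NOT locked on the clean build are interesting
    Get-LockedFiles -Roots $Roots | Where-Object { -not $baseline.Contains($_.Path) }
}

# Usage (assumed paths). On the clean build, once:
#   Get-LockedFiles | Select-Object -ExpandProperty Path | Set-Content '.\Locked_Baseline.txt'
# On a suspect system:
Compare-LockedFiles -BaselineFile '.\Locked_Baseline.txt' | Format-Table -AutoSize
```

Per-user profile paths differ between machines, so either keep one baseline per build image and user, or normalize the `C:\Users\<name>` prefix before comparing; a locked file under a profile's AppData that no clean build has ever shown is exactly the entry this report exists to surface.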
Locked Files
Resources
LOG-MD.COM
• Websites
– Log-MD.com – The tool
• The “Windows Logging Cheat Sheet(s)”
– MalwareArchaeology.com
• This presentation and others on SlideShare
– Search for MalwareArchaeology or LOG-MD
Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)

More Related Content

What's hot

EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackersMichael Gough
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Michael Gough
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0 Michael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themMichael Gough
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beMichael Gough
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolMichael Gough
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Michael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSMichael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Michael Gough
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware ArchaeologistMichael Gough
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomwareMichael Gough
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Michael Gough
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Michael Gough
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Michael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 

What's hot (20)

EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackers
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 

Similar to Windows IR made easier and faster v1.0

When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSMichael Gough
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
BSides Vancouver 2018 - Live IR on a Budget
BSides Vancouver 2018 - Live IR on a BudgetBSides Vancouver 2018 - Live IR on a Budget
BSides Vancouver 2018 - Live IR on a Budgetdsplice
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment isc2-hellenic
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
SpiceWorks Webinar: Whose logs, what logs, why logs
SpiceWorks Webinar: Whose logs, what logs, why logs  SpiceWorks Webinar: Whose logs, what logs, why logs
SpiceWorks Webinar: Whose logs, what logs, why logs AlienVault
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Michael Gough
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPrasad Pawar
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Michael Gough
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Michael Gough
 

Similar to Windows IR made easier and faster v1.0 (18)

When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
BSides Vancouver 2018 - Live IR on a Budget
BSides Vancouver 2018 - Live IR on a BudgetBSides Vancouver 2018 - Live IR on a Budget
BSides Vancouver 2018 - Live IR on a Budget
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
SpiceWorks Webinar: Whose logs, what logs, why logs
SpiceWorks Webinar: Whose logs, what logs, why logs  SpiceWorks Webinar: Whose logs, what logs, why logs
SpiceWorks Webinar: Whose logs, what logs, why logs
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass Protocol
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
Ch0 1
Ch0 1Ch0 1
Ch0 1
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
 

Recently uploaded

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets

Windows IR made easier and faster v1.0

6. So what are our options?
• Anti-Virus
• Next Gen Endpoint at $100k+
• Full Blown Forensics
• IR Firm at $350-$450/hr
• Detect and Respond yourself
• Proactive Hunting yourself
• Learning to do it ourselves should be our goal

7. I think or know that one is infected
• So how do we go about investigating it?
• What kinds of things can we do to check a system?
• We know certain things about systems
– The malwarians behave a certain way
– Many things are normal
• So let’s use what’s normal to find their bad behavior

8. Typical Malwarian Behavior
• They generally compromise user space first
– C:\Users
• And anywhere a standard user has rights
– Whatever level a user is logged in at, they have rights to add/modify/delete stuff
• Then they go after Admin creds and Admin space
– They own the system now
• And now east/west lateral movement is easy
• And all that APT stuff the reports talk about

9. So how do we catch them?
• We need to focus more on Detection and Hunting
• Automate it too!
• Log management is the best option IMHO, but it can also be costly
– There are cheaper solutions – Graylog, ELK, etc.
– But free is not (human resource) free
• Most of us have configuration management, we have to automate patching
• Maybe we can use this?

10. Command Line Rocks!
• We all use it
• So do many/most IR and Forensics tools
• GUIs are bad because we cannot automate a GUI
• So command line rocks
• We can automate command line
• Which is why I recommend and use command line solutions and tools
– If you don’t have the $$$$ solutions

11. Command Line
• We can use logon scripts, PowerShell, PSExec, etc.
• Configuration Management like BigFix, Tanium, SCCM
• Pick one, something, whatever you have
• This allows you to automate command line tools
13. So what do we look for?
• New files added to user space – C:\Users
• Files added in Admin space – everywhere else
• Persistence – Autorun locations
• Registry Keys added or changed
• Large Registry Keys – they hide stuff here
• Logs of course, LOTS of good stuff here
• Odd artifacts that Breach and Malware Analysis reports show are ‘good to detect’

14. So what can we do quickly?
• Lots of python scripts, projects, tools and options
– Not really my thing, too many things to compile and tweak, I should not have to hack together my detection and hunting tool(s) suite
• I wanted something that allowed me to focus on what I saw that worked
– Well configured logs
– Targeted reports by category
– Large Registry Keys
– Changes to Registry keys
– Files added to places that seem odd
– Other Interesting Artifacts

16. I came here to show you a new tool
• It did not exist, so we created it
– Turned a collection of my scripts into a tool
• Built on everything I saw and experienced with Winnti over 3 years, which was a LOT
• And Breach and Malware Analysis reports
• Tips from colleagues at this very conference
• And years of experience of course
• And because we may not be able to afford $$$$

17. The Log and Malicious Discovery tool
Logging:
• ALL VERSIONS OF WINDOWS (Win 7 & up)
• Audits your system log settings and produces a report, every time it runs
• Also shows failed items on the console
• Guides you to configure proper audit logging
• Guides you to enable what is valuable
• Compares auditing to many industry standards
– CIS, USGCB and AU standards and the “Windows Logging Cheat Sheet”

18. There are three versions
• Free Edition
• Professional Edition
• Consulting Edition
– Just a license difference from Pro

19. All Versions
• Collect 1-7 days of logs
– 7 days is about a 1GB Security Log
LOG-MD does more than just harvest logs:
• Full filesystem Hash Baseline
• Full filesystem compare to a Hash Baseline
• Full system Registry Baseline
• Full system compare to Registry Baseline
• Large Registry Key discovery
• List of Autoruns (coming next release)
• List of Locked files (coming next release)
• 3 Whitelist files to reduce normal noise and events
20. Free Edition
• Over 15 reports
• Quick Start Guide
• All reports are TXT or CSV for easy scripting and post processing with your favorite flavor of scripting
• Scripts I created are what became LOG-MD Pro

21.
• Over 25 reports
• Full User Manual
• Collects Sysinternals Sysmon events
• WhoIs resolution of IPs from Win FW/Sysmon
– Owner, Network, Country, CIDR
• Master-Digest to exclude hashes and files
• 3 more Whitelisting files
– File, Registry and AutoRuns

22.
• Interesting Artifacts report
– Null byte in registry value, Sticky Keys, etc.
– Adding more all the time
• SRUM (netflow from/to a binary)
– Win 8.1 and 10 only
• AutoRuns compare feature to show only those Autoruns whose hashes are not in the Master Digest or whose parameters are not Whitelisted

24. Master-Digest
• A Hash Baseline (Hash_Baseline.txt) is a list of every file and hash on the C: drive
• A Master Digest only lists the unique files and hashes, and they are sorted
• Results in 33%+ fewer files to do compares against, so much faster
• Speed for any disk reads is a good thing

25. Master-Digest
• You can append files and hashes to the Master Digest as you validate them as good
• You can feed the Master Digest any set of SHA256 Hashes like:
– Hashsets.com (Whitehat Forensics)
– NSRL, etc.
27. SRUM for IR and Malware Analysis
• SRUM holds 60 days of data !!!
• Updates (flushes cache to the database) in one hour intervals or on shutdown
• How many bytes were written and read from the system by Application/Process

28.
• LOG-MD-Pro can harvest SRUM data LIVE or offline like traditional forensic tools
• Great for answering the questions
– Did we lose any data?
– When were we first infected?

30. Autoruns
• We need to find the persistence
• There are typically over 1000 autoruns
• We need a way to filter down the known good
• Master-Digest to the rescue !!!
• Whitelist out binaries with parameters
• The parameters are often where the bad stuff hides so whitelisting is the best option
• So we let you whitelist out your known good

31. Autoruns
• 1257 autoruns
• Subtract hashes in the Master-Digest
• 171 autoruns with parameters remain
• Subtract the whitelist
• 2 remain, and Splunk to show a normal entry
• Easy to spot the malicious persistence
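Added example (not LOG-MD's own code): a post-processing script over the kind of TXT/CSV reports the deck describes, showing the Master-Digest build from slides 24-25 and the two subtraction steps of the autoruns triage from slides 30-31. The slides do not spell out LOG-MD's exact rule, so the "known-good binary survives if it carries un-whitelisted parameters" logic is my reading of them; all paths, hashes and autorun entries are constructed.

```python
import csv
import io

# Constructed Hash_Baseline-style report (path,sha256); hashes are short dummies.
HASH_BASELINE = """\
path,sha256
C:\\Windows\\System32\\svchost.exe,aaaa1111
C:\\Windows\\SysWOW64\\svchost.exe,aaaa1111
C:\\Windows\\System32\\rundll32.exe,bbbb2222
C:\\Program Files\\Vendor\\agent.exe,cccc3333
"""

# Constructed autoruns report (location,image_path,parameters,sha256).
AUTORUNS = """\
location,image_path,parameters,sha256
HKLM Run,C:\\Windows\\System32\\svchost.exe,-k netsvcs,aaaa1111
HKLM Run,C:\\Windows\\System32\\rundll32.exe,shell32.dll Control_RunDLL,bbbb2222
HKLM Run,C:\\Program Files\\Vendor\\agent.exe,,cccc3333
HKCU Run,C:\\Users\\bob\\AppData\\Roaming\\updater.exe,/background,dddd4444
Task,C:\\Windows\\System32\\rundll32.exe,C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll#Start,bbbb2222
"""

# (image_path, parameters) pairs the analyst has already validated as normal.
WHITELIST = {
    ("C:\\Windows\\System32\\svchost.exe", "-k netsvcs"),
    ("C:\\Windows\\System32\\rundll32.exe", "shell32.dll Control_RunDLL"),
}

def build_master_digest(baseline_csv):
    """Reduce a hash baseline to the sorted list of unique hashes (the Master-Digest)."""
    return sorted({r["sha256"] for r in csv.DictReader(io.StringIO(baseline_csv))})

def triage_autoruns(autoruns_csv, master_digest, whitelist):
    """Subtract Master-Digest hashes, then the whitelist, and return what is left.
    A known-good binary keeps its entry when it carries parameters that are not
    whitelisted, because the parameters are where the bad stuff hides."""
    remaining = []
    for row in csv.DictReader(io.StringIO(autoruns_csv)):
        known_binary = row["sha256"] in master_digest
        if known_binary and not row["parameters"]:
            continue  # known-good binary with no parameters to hide anything in
        if known_binary and (row["image_path"], row["parameters"]) in whitelist:
            continue  # validated normal entry; a modified binary is never whitelisted
        remaining.append(row)
    return remaining

def in_user_space(entry):
    """True if the image or its parameters reference C:\\Users, where malwarians start."""
    return "c:\\users\\" in (entry["image_path"] + " " + entry["parameters"]).lower()
```

On the constructed data, five autoruns shrink to the two that deserve a human look, and both of them point into user space.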
33. Locked Files
• If a file is locked…
• You can’t hash it
• You can’t run Sigcheck or Strings or pick your favorite tool, you need to break the handle first
• It sure would be nice to see a list of locked files
• That are DIFFERENT from the norm
35. Resources
LOG-MD.COM
• Websites
– Log-MD.com – The tool
• The “Windows Logging Cheat Sheet(s)”
– MalwareArchaeology.com
• This presentation and others on SlideShare
– Search for MalwareArchaeology or LOG-MD

36. Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)