© Fidelis Cybersecurity. All rights reserved.
Deductive Reasoning:
File Analysis Techniques
BsidesDC October 2015
Product Demo
Get comfortable: Over the next 2 hours we will take a step
by step walk in great detail through the entire Fidelis
Cybersecurity product line.
You can expect:
1. Graphs on the current APT threatscape
2. Diagrams of best deployment practices
3. Kill Chain optimization of your current infrastructure for
synergy
4. Pricing and Availability.
Product Demo
Introduction
John Laycock:
• B.S. Mechanical Engineering from Northern Illinois
University
• Cognitech/Ocean Systems Forensic Video Analyst
• Government Contractor
DC3 – DCFL Forensic Examiner/DCISE/NCIJTF
• General Dynamics/Fidelis Commercial Forensics Team
• Fidelis Threat Research Team
John Laycock
Systems, Threat Research
Email: john.laycock@fidelissecurity.com
Introduction
Chris Rogers
• Army Intel Sigint / Humint
• Government Contractor
• Department of State
• NIPC
• US CERT
• DC3 Forensic Examiner / Intrusions
• Bank of America
Chris Rogers
Senior Analyst, Threat Research
Email: Chris.Rogers@fidelissecurity.com
Deductive Reasoning
“There is a strong family resemblance about misdeeds,
and if you have all the details of a thousand at your finger
ends, it is odd if you can't unravel the thousand and first.”
-Sir Arthur Conan Doyle
The Sign of Four
Deductive Reasoning
“There is a strong family resemblance about malicious
files, and if you have all the details of a thousand at your
finger ends, it is odd if you can't infer the thousand and
first.”
-Sir Arthur Conan Doyle
The Sign of Four
Disclaimer
This is an introductory level talk for folks who do not
necessarily do malware analysis on a daily basis.
Many of the things you are about to see are not what
would be considered forensically sound. These are quick,
down and dirty tools to help you evaluate if a file is
malicious. Many of the concepts we will be showing you
are from a high level view. You can refer to some of the
references in the appendix to drill down into these
concepts in more detail.
TL;DR: This is an intro to a deep topic. We’re showing
some basic concepts that may or may not be forensically
sound.
What is Malware?
Variety of evil logic.
• Crimeware
• BOTNET
• Ransomware
• Hijackers
• Keyloggers
• Adware
• Spyware
• Scumware
• Rootkits
• Trojans
• Worms
• Viruses
• Backdoors
What isn’t Malware?
It is not magic.
The specific what…
Computers are just tools that translate binary instructions
into cool stuff like cat pictures and movies to the latest
Zombie FPS.
Bad guys and shady marketers take full advantage of the user
friendly nature to deploy their collection of bits to your
computer.
What’s the vector victor?
• Downloader
• Exploit Kit
• E-mail
• Web
• Portable Media
How is this still a thing?
• User Friendlyitus
• Compatabilibuddy
• Legacy Code
Pwned!
End results are generally the same. System is pwned and attacker
profits in some way.
Application in Security & IR
If it looks like malware and smells like
malware… it’s probably not the dancing
cat screen saver that was advertised.
Application in Security & IR
MAC Times
- General Rules of thumb
- How to debunk “Timestomping” or The secret
hidden times
Application in Security & IR
NTFS
Master File Table (MFT) - Information about every file on
an NTFS volume is stored in the Master File Table.
Information such as Modified, Access, Created (MAC) times
for the file are stored here.
Application in Security & IR
NTFS MAC Times
On the surface, all appears well. Let’s take a closer
look…
Application in Security & IR
The MFT is found under the root directory of the volume
and can be hidden as a system file. You can use a tool like
FTK Imager Lite to copy this file out for analysis.
NTFS MAC Times
Application in Security & IR
NTFS MAC Times
Using MFTDump, you can export a CSV of the $MFT
and use Excel to sort through the MAC times looking
for anomalies. In this case the Standard Info create
time field does not match the File Name create time
field; that mismatch is evidence of time stomping.
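The same comparison done in code, as an added example (not the talk's tooling): it reads an MFTDump-style CSV export and reports records whose $STANDARD_INFORMATION create time disagrees with the $FILE_NAME create time. The column names and the UTC timestamps are assumptions, and the three rows are constructed.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed rows in the shape of an MFTDump-style CSV export. The column
# names are an assumption (rename them to match your tool's header); the
# point is that each record carries both $STANDARD_INFORMATION (SI) and
# $FILE_NAME (FN) timestamps.
SAMPLE_CSV = """\
Filename,SI_Created,SI_Modified,FN_Created,FN_Modified
\\Windows\\System32\\kernel32.dll,2009-07-14 01:15:22,2009-07-14 01:15:22,2009-07-14 01:15:22,2009-07-14 01:15:22
\\Windows\\System32\\irevil.exe,2009-07-14 01:15:22,2009-07-14 01:15:22,2015-10-03 14:12:07,2015-10-03 14:12:07
\\Users\\victim\\AppData\\Local\\Temp\\drop.tmp,2015-10-03 14:11:58,2015-10-03 14:11:58,2015-10-03 14:11:58,2015-10-03 14:11:58
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_ts(cell):
    """Timestamps in the export are taken to be UTC (assumption)."""
    return datetime.strptime(cell.strip(), TS_FMT).replace(tzinfo=timezone.utc)


def timestomp_candidates(csv_text, slack_seconds=2):
    """Return records whose SI create time disagrees with the FN create time.

    Tools that stomp timestamps normally go through the Win32 API, which only
    rewrites $STANDARD_INFORMATION; $FILE_NAME keeps the original values, so
    SI older than FN is the classic backdating tell. A move or rename can also
    leave FN newer than SI, so confirm a hit against prefetch, $LogFile or the
    USN journal before calling it.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        si = parse_ts(row["SI_Created"])
        fn = parse_ts(row["FN_Created"])
        delta = (fn - si).total_seconds()
        if abs(delta) <= slack_seconds:
            continue  # SI and FN agree: nothing to see here
        findings.append({
            "file": row["Filename"],
            "si_created": si.isoformat(),
            "fn_created": fn.isoformat(),
            "delta_seconds": delta,
            "note": "SI backdated before FN" if delta > 0 else "SI later than FN",
        })
    return findings


if __name__ == "__main__":
    for hit in timestomp_candidates(SAMPLE_CSV):
        print(hit)
```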
Application in Security & IR
File System Locations
Malicious files can be found anywhere on your
system. Sometimes they are visible and sometimes
they like to hide. However, there are a number of
commonly used directories that you can look through
for anything that appears out of the ordinary.
Application in Security & IR
File System Locations
In this case the two irevil files are located under
C:\Windows\system32.
Application in Security & IR
File system locations
Some common locations:
C:\
C:\Windows
C:\Windows\System32
C:\Program Files\<directory>\*
C:\Program Files (x86)\<directory>\*
C:\Documents and Settings\{username}\Local Settings\Temp (XP)
C:\Users\{Username}\AppData\Local\Temp
Application in Security & IR
Registry
Getting malware onto a system is
only the first step. The bad guys
need to be able to restart their files
if the system is rebooted.
Persistence is the key to surviving
a reboot. This can be
accomplished by making entries in
the registry.
Application in Security & IR
Registry
To review the registry on your system you can use
Regedit.
This shows irevil.exe is set to run on startup.
Application in Security & IR
Finding Registry time stamps
Use regedit to export the registry.
Application in Security & IR
Finding Registry time stamps
Save as a text file.
Application in Security & IR
Finding Registry time stamps
Open in notepad.
Alternatively you can use FTK Imager to export the
registry hive and use a tool like RegRipper.
Application in Security & IR
Common Registry Keys
Try using regedit to look through some of these registry locations:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
Windows 7 64-bit
[HKLM\software\wow6432node\microsoft\windows\currentversion\run]
Consider using a tool like Autorunsc.exe from Microsoft
Sysinternals.
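Reading the exported registry text for the Run keys above without Notepad, as an added example (not the authors' tooling): it pulls each value under the autostart keys together with the key's Last Write Time, and flags entries that point into user-writable temp directories or whose key was last written inside the incident window. The export layout, the temp-directory list and the sample entries are assumptions, and the export text is constructed.

```python
import re
from datetime import datetime

# Constructed sample, not a real export. The layout mimics regedit's
# "Save as type: Text Files" output (Key Name / Last Write Time / Value N
# blocks); treat the exact field labels as an assumption and check them
# against a real export before relying on this parser.
SAMPLE_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Class Name:        <NO CLASS>
Last Write Time:   10/3/2015 - 2:15 PM
Value 0
  Name:            Agent
  Type:            REG_SZ
  Data:            "C:\Program Files\Vendor\Agent.exe" /tray

Value 1
  Name:            irevil
  Type:            REG_SZ
  Data:            C:\Windows\system32\irevil.exe

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Class Name:        <NO CLASS>
Last Write Time:   9/1/2015 - 9:02 AM
Value 0
  Name:            Sync
  Type:            REG_SZ
  Data:            C:\Users\victim\AppData\Local\Sync\sync.exe --background

Value 1
  Name:            updater
  Type:            REG_SZ
  Data:            C:\Users\victim\AppData\Local\Temp\svc.exe
"""

# Autostart keys from the talk, matched case-insensitively on the key suffix
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\runonceex",
    r"\software\wow6432node\microsoft\windows\currentversion\run",
)
# A few directories any user can write to (assumed list); a startup entry
# living there deserves a closer look
USER_WRITABLE = ("\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
TS_FMT = "%m/%d/%Y - %I:%M %p"
# Constructed incident timeframe used by the example below
INCIDENT_WINDOW = (datetime(2015, 10, 3, 14, 0), datetime(2015, 10, 3, 14, 30))


def image_path(data):
    """Pull the executable path out of a Run value (quoted or not)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1))(?:\s|$)", data, re.I)
    return m.group(1) if m else data


def is_autorun_key(key_name):
    k = key_name.lower()
    return any(k.endswith(s) for s in AUTORUN_SUFFIXES)


def autorun_entries(export_text, window=None):
    """One dict per value under an autostart key, carrying the key's Last
    Write Time and a list of flags. window = (start, end) datetimes marks
    keys written inside the incident timeframe; the key, not the value,
    carries the timestamp, so every value under such a key gets the flag."""
    entries, key, last_write, name = [], None, None, None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            key = line.split(":", 1)[1].strip()
            last_write = None
        elif line.startswith("Last Write Time:"):
            last_write = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Data:") and key and is_autorun_key(key):
            path = image_path(line.split(":", 1)[1])
            flags = []
            if any(w in path.lower() for w in USER_WRITABLE):
                flags.append("user-writable path")
            if window and last_write:
                written = datetime.strptime(last_write, TS_FMT)
                if window[0] <= written <= window[1]:
                    flags.append("key last written in window")
            entries.append({"key": key, "last_write": last_write,
                            "name": name, "image": path, "flags": flags})
    return entries


if __name__ == "__main__":
    for e in autorun_entries(SAMPLE_EXPORT, INCIDENT_WINDOW):
        print(e["last_write"], e["name"], e["image"], e["flags"])
```

The key timestamp is the one to line up against the MAC times from the $MFT; it tells you when the key changed, not which value changed.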
Application in Security & IR
Prefetch
The prefetch folder contains a list of commonly run programs
on your system to help speed up loading times. These files
are stored as .pf files in C:\Windows\Prefetch.
- Date/Time file first executed
- Last time of execution
- Number of times run
Application in Security & IR
Task Scheduler
This can be used to help persist malware on a system and to schedule
it to run at various intervals.
Look for SchedLgU.txt, commonly found in
C:\Windows
C:\Windows\Tasks
You can also look for
HKLM\SOFTWARE\Microsoft\SchedulingAgent
Application in Security & IR
Task Scheduler
The ScheduLgU.txt file is essentially a log file showing lists of jobs
scheduled and if they’ve run properly.
Application in Security & IR
Task Scheduler
This is the irevil.job file found under C:\Windows\Tasks.
Heuristics and Tools
• DR Fat Toolkit
Tools:
1. The Internet
2. Hex Editor
3. Entropy Analyzer
4. Hashing Tool
5. Analyzer/PE Information Tool
The Internet
Hex Editor
Entropy Analyzer
Shannon Formula:
Entropy comparison: “Patterns and Stuff” = 4.18, “What The Freq??” = 7.99
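The Shannon entropy behind the two numbers above, as an added example (not the talk's tool): whole-file entropy in bits per byte, plus a windowed profile that locates the high-entropy region inside a file instead of giving one number for the whole thing. The samples are constructed; the 1024-byte window and the 7.0 threshold are assumptions.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: H = -sum(p(x) * log2(p(x))).
    0.0 for one repeated byte value, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 1024, step: int = 1024):
    """Entropy of each window: shows where in a file the high-entropy
    region sits (a packed section, an encrypted payload, an embedded
    archive) rather than one number for the whole file."""
    last_start = max(len(data) - window, 0)
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, last_start + 1, step)]


def packed_regions(data: bytes, threshold: float = 7.0, window: int = 1024):
    """Offsets of windows scoring at or above the threshold.
    Small windows bias entropy downward (1024 random bytes score about 7.8,
    256 random bytes only about 7.2), so choose threshold and window together."""
    return [off for off, h in entropy_profile(data, window, window) if h >= threshold]


def _pseudo_random(n: int, seed: bytes = b"dr-fat") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chaining) so the sample is
    reproducible; stands in for an encrypted or compressed blob."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples, not the talk's files
PATTERNED = b"abcd" * 512              # four equally likely symbols: exactly 2.0 bits
HIGH = _pseudo_random(2048)            # close to 8.0 bits
MIXED = PATTERNED + HIGH + PATTERNED   # a "file" with a blob at offsets 2048..4095

if __name__ == "__main__":
    print("patterned:", round(shannon_entropy(PATTERNED), 2))
    print("high     :", round(shannon_entropy(HIGH), 2))
    print("mixed    :", round(shannon_entropy(MIXED), 2), "blob at", packed_regions(MIXED))
```

The whole-file number for MIXED is pulled down by the patterned bytes around the blob; the windowed profile is what makes the blob visible.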
Hashing Tool
CRC32: 968A8A16
MD5: 31e6002b21c489fbbdb0f88ddc02603e
SHA1: 524584aa63b9cb95b72ab5ae64522a0d48d857b2
SHA256: a326d9b72e6905304de30fa02fd3a087506c99486f5094e8a5c7cc7a5f84e059
ssdeep: 24576:v2UnOxz4461D69+Twrijj9Ig6sIw7ag38YaXag:v2cIZbuHqsd7agvaV
Authentihash: 53e70adbf1277fe98a4bc7830a173327398b6196dfb9231b53275544e2980f30
Imphash: 884310b1928934402ea6fec1dbd3cf5e
Analyzers
PE Information tool
Heuristics and Tools
Filenames
• Svvvtxys.exe
• Scvhost.exe
• Explorerer.exe
• БадФиле.exe
• 邪恶的计划.exe
Hash
Google
VirusTotal
TotalHash
MD5: 31e6002b21c489fbbdb0f88ddc02603e
Type
Size
PDFs < 50k
Word docs > 2MB with only one page of text
PPT > 2MB with only two slides
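The Filenames, Type and Size heuristics from the slides above, applied together in an added example (not the authors' tooling): lookalike system names, non-ASCII names, double extensions, extension/magic mismatch, and the size thresholds the slides give. The magic-byte table, the system-name list and the edit-distance cutoff of 2 are assumptions; page counts have to come from elsewhere and are passed in.

```python
import os

# Magic bytes for the formats the heuristics talk about (well-known values)
MAGIC = [
    (b"MZ", "pe"),                                    # Windows executable / DLL
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),     # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                           # also .docx/.xlsx/.pptx
    (b"\x7fELF", "elf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
# What the extension claims the content should be
EXPECTED = {".exe": "pe", ".dll": "pe", ".scr": "pe", ".pdf": "pdf",
            ".doc": "ole", ".xls": "ole", ".ppt": "ole",
            ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".png": "png"}
# Names malware likes to imitate (assumed list; extend it for your estate)
SYSTEM_NAMES = sorted({"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                       "services.exe", "winlogon.exe", "rundll32.exe"})
DOC_EXTS = (".pdf", ".doc", ".docx", ".txt", ".jpg", ".png")


def sniff(data: bytes) -> str:
    """Identify the content by its leading bytes, ignoring the extension."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; fine for short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def filename_flags(name: str) -> list:
    low = name.lower()
    flags = []
    if not low.isascii():
        flags.append("non-ascii filename")
    if low not in SYSTEM_NAMES:
        for sysname in SYSTEM_NAMES:
            if edit_distance(low, sysname) <= 2:        # scvhost.exe, explorerer.exe
                flags.append(f"lookalike of {sysname}")
    stem, ext = os.path.splitext(low)
    if ext in EXPECTED and stem.endswith(DOC_EXTS):      # invoice.pdf.exe
        flags.append("double extension")
    return flags


def size_flags(kind: str, size: int, page_count=None) -> list:
    """The size rules of thumb from the slides."""
    flags = []
    if kind == "pdf" and size < 50_000:
        flags.append("pdf under 50k")
    if kind in ("ole", "zip") and size > 2 * 1024 * 1024:
        pages = f" with only {page_count} page(s)" if page_count is not None else ""
        flags.append("office doc over 2MB" + pages)
    return flags


def triage(name: str, data: bytes, page_count=None) -> dict:
    """Combine the three heuristics into one record for the file."""
    kind = sniff(data)
    ext = os.path.splitext(name.lower())[1]
    flags = filename_flags(name)
    if ext in EXPECTED and EXPECTED[ext] != kind:
        flags.append(f"extension {ext} but content looks like {kind}")
    flags += size_flags(kind, len(data), page_count)
    return {"name": name, "kind": kind, "size": len(data), "flags": flags}


if __name__ == "__main__":
    # Constructed inputs, not real samples
    for fname, blob in [("scvhost.exe", b"MZ" + b"\0" * 64),
                        ("report.pdf", b"MZ" + b"\0" * 64),
                        ("tiny.pdf", b"%PDF-1.4\n%%EOF\n")]:
        print(triage(fname, blob))
```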
Breakdown
Time
Meta
Entropy
Heuristics and Tools
Filenames
Hash
Type
Size
Breakdown
Time
Meta
Entropy
Why dynamics sometimes aren’t
1. Virtual Detection
2. Sandbox Detection
3. Debugger Checking
4. Weird Dependencies
5. Time Checks
6. Missing Components
7. Unusual URL Response during execution
He Laterally just said that
“Laterals work goodly, they is not for every play though.”
-Unnamed ex-Giants receiver
Tales from the field
• Not your average melting point.
• A PNG in the butt.
The world beyond Windows
1. ELF hunting
2. Other stuff
In Conclusion
Static indicators that we talked about are clues.
• Some clues are key indicators
• Some clues are circumstantial
A final fitting Doyle/Holmes quote:
“The more bizarre a thing the less mysterious it
proves to be. It is your commonplace,
featureless crimes which are really puzzling.”
Appendix
The following are a series of links to references and tools we have found
useful. Many are beyond the scope of a short talk but we have included
them for future reference.
1. SANS Memory Forensics Poster http://digital-forensics.sans.org/media/Poster-2015-Memory-Forensics2.pdf
2. SANS Windows Forensic Analysis Poster http://digital-forensics.sans.org/media/poster-windows-forensics-2015.pdf
3. Fidelis Threat Advisories http://www.fidelissecurity.com/resources/threat-advisory
4. MFTDump v1.3.0 http://malware-hunters.net/wp-content/downloads/MFTDump_V.1.3.0.zip
5. NTFS Documentation http://dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf
7. Sysinternals - Autorunsc http://technet.microsoft.com/en-us/sysinternals/bb963902
8. Many ways of malware persistence (that you were always afraid to ask) http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html
9. Common Autostart Locations http://gladiator-antivirus.com/forum/index.php?showtopic=24610
10. FTK Imager Lite http://accessdata.com/product-download/digital-forensics/ftk-imager-lite-version-3.1.1
11. Suspicious File Locations http://www.malicious-streams.com/resources/articles/DGMW1_Suspicious_FS_Geography.html
12. Windows Scheduler http://what-when-how.com/windows-forensic-analysis/file-analysis-windows-forensic-analysis-part-4/
13. Windows Prefetch http://forensicswiki.org/wiki/Prefetch
14. Notes on Linux/Xor.DDoS http://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html
15. Time Stomping is for Suckers http://thedigitalstandard.blogspot.com/2011/02/time-stomping-is-for-suckers.html
On Starlink, presented by Geoff Huston at NZNOG 2024
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
SEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization SpecialistSEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization Specialist
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 

DR FAT

  • 1. © Fidelis Cybersecurity. All rights reserved. Deductive Reasoning: File Analysis Techniques BsidesDC October 2015
  • 2. Product Demo Get comfortable: Over the next 2 hours we will take a step by step walk in great detail through the entire Fidelis Cybersecurity product line. You can expect: 1. Graphs on the current APT threatscape 2. Diagrams of best deployment practices 3. Kill Chain optimization of your current infrastructure for synergy 4. Pricing and Availability.
  • 4. Introduction John Laycock: • B.S. Mechanical Engineering from Northern Illinois University • Cognitech/Ocean Systems Forensic Video Analyst • Government Contractor DC3 – DCFL Forensic Examiner/DCISE/NCIJTF • General Dynamics/Fidelis Commercial Forensics Team • Fidelis Threat Research Team John Laycock Systems, Threat Research Email: john.laycock@fidelissecurity.com
  • 5. Introduction Chris Rogers • Army Intel Sigint / Humint • Government Contractor • Department of State • NIPC • US CERT • DC3 Forensic Examiner / Intrusions • Bank of America Chris Rogers Senior Analyst, Threat Research Email: Chris.Rogers@fidelissecurity.com
  • 6. Deductive Reasoning “There is a strong family resemblance about misdeeds, and if you have all the details of a thousand at your finger ends, it is odd if you can't unravel the thousand and first.” -Sir Arthur Conan Doyle The Sign of Four
  • 7. Deductive Reasoning “There is a strong family resemblance about malicious files, and if you have all the details of a thousand at your finger ends, it is odd if you can't infer the thousand and first.” -Sir Arthur Conan Doyle The Sign of Four
  • 8. Disclaimer This is an introductory level talk to folks that do not necessarily do malware analysis on a daily basis. Many of the things you are about to see are not what would be considered forensically sound. These are quick, down and dirty tools to help you evaluate if a file is malicious. Many of the concepts we will be showing you are from a high level view. You can refer to some of the references in the appendix to drill down into these concepts in more detail. TL:DR This is an intro to a deep topic. We’re showing some basic concepts that may or may not be forensically sound.
  • 9. What is Malware? Variety of evil logic: • Crimeware • BOTNET • Ransomware • Hijackers • Keyloggers • Adware • Spyware • Scumware • Rootkits • Trojans • Worms • Viri • Backdoors
  • 10. What isn’t Malware? It is not magic.
  • 11. The specific what… Computers are just tools that translate binary instructions into cool stuff like cat pictures and movies to the latest Zombie FPS. Bad guys and shady marketers take full advantage of the user friendly nature to deploy their collection of bits to your computer.
  • 12. What’s the vector victor? • Downloader • Exploit Kit • E-mail • Web • Portable Media
  • 13. How is this still a thing? • User Friendlyitus • Compatabilibuddy • Legacy Code
  • 14. Pwned! End results are generally the same. System is pwned and attacker profits in some way.
  • 15. Application in Security & IR If it looks like malware and smells like malware… it’s probably not the dancing cat screen saver that was advertised.
  • 16. Application in Security & IR MAC Times - General Rules of thumb - How to debunk “Timestomping” or The secret hidden times
  • 17. Application in Security & IR NTFS Master File Table (MFT) - Information about every file on an NTFS volume is stored in the Master File Table. Information such as Modified, Access, Created (MAC) times for the file are stored here.
  • 18. Application in Security & IR NTFS MAC Times On the surface, all appears well. Let’s take a closer look…
  • 19. Application in Security & IR The MFT is found under the root directory of the volume and can be hidden as a system file. You can use a tool like FTK Imager Lite to copy this file out for analysis. NTFS MAC Times
  • 20. Application in Security & IR NTFS MAC Times Using MFTDump, you can export a csv of the $MFT and use Excel to sort through the MAC times looking for anomalies. In this case the Standard Info create time field does not match the File Name create time field this is evidence of time stomping.
  • 21. Application in Security & IR File System Locations Malicious files can be found anywhere on your system. Sometimes they are visible and sometimes they like to hide. However, there are a number of commonly used directories that you can look through for anything that appears out of the ordinary.
  • 22. Application in Security & IR File System Locations In this case the two irevil files are located under C:\Windows\System32.
  • 23. Application in Security & IR File system locations Some common locations: C:\ C:\Windows C:\Windows\System32 C:\Program Files\<directory>\* C:\Program Files (x86)\<directory>\* C:\Documents and Settings\{username}\Local Settings\Temp (XP) C:\Users\{Username}\AppData\Local\Temp
  • 24. Application in Security & IR Registry Getting malware onto a system is only the first step. The bad guys need to be able to restart their files if the system is rebooted. Persistence is the key to surviving a reboot. This can be accomplished by making entries in the registry.
  • 25. Application in Security & IR Registry To review the registry on your system you can use Regedit. This shows irevil.exe is set to run on startup.
  • 26. Application in Security & IR Finding Registry time stamps Use regedit to export the registry.
  • 27. Application in Security & IR Finding Registry time stamps Save as a text file.
  • 28. Application in Security & IR Finding Registry time stamps Open in notepad. Alternatively you can use FTK Imager to export the registry hive and use a tool like RegRipper.
  • 29. Application in Security & IR Common Registry Keys
  • 30. Application in Security & IR Common Registry Keys [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx] [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce] [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] Try using regedit to look through some of these registry locations:
  • 31. Application in Security & IR Common Registry Keys [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce] Windows 7 64-bit: [HKLM\software\wow6432node\microsoft\windows\currentversion\run] Consider using a tool like Autorunsc.exe from Microsoft Sysinternals.
  • 32. Application in Security & IR Prefetch The prefetch folder contains a list of commonly run programs on your system to help speed up loading times. These files are stored as .pf files in C:\Windows\Prefetch. - Date/Time file first executed - Last time of execution - Number of times run
  • 33. Application in Security & IR Task Scheduler This can be used to help persist malware on a system and to schedule it to run at various intervals. Look for schedlgu.txt, commonly found in C:\Windows and C:\Windows\Tasks. You can also look for HKLM\SOFTWARE\Microsoft\SchedulingAgent
  • 34. Application in Security & IR Task Scheduler The ScheduLgU.txt file is essentially a log file showing lists of jobs scheduled and if they’ve run properly.
  • 35. Application in Security & IR Task Scheduler This is the irevil.job file found under C:\Windows\Tasks.
  • 36. Heuristics and Tools • DR Fat Toolkit Heuristics and Tools
  • 37. Tools • DR Fat 1. The Internet 2. Hex Editor 3. Entropy Analyzer 4. Hashing Tool 5. Analyzer/PE Information Tool Heuristics and Tools
  • 38. Tools • DR Fat The Internet Heuristics and Tools
  • 39. Tools • DR Fat Heuristics and Tools 1. The Internet 2. Hex Editor 3. Entropy Analyzer 4. Hashing Tool 5. Analyzer/PE Information Tool
  • 40. Tools • DR Fat Hex Editor Heuristics and Tools
  • 41. Tools • DR Fat Heuristics and Tools 1. The Internet 2. Hex Editor 3. Entropy Analyzer 4. Hashing Tool 5. Analyzer/PE Information Tool
  • 42. Tools • DR Fat Entropy Analyzer Heuristics and Tools
  • 43. Tools • DR Fat Shannon Formula: Patterns and Stuff What The Freq?? 4.18 7.99 Heuristics and Tools
  • 44. Tools • DR Fat Heuristics and Tools 1. The Internet 2. Hex Editor 3. Entropy Analyzer 4. Hashing Tool 5. Analyzer/PE Information Tool
  • 45. Tools • DR Fat Hashing Tool CRC32: 968A8A16 MD5: 31e6002b21c489fbbdb0f88ddc02603e SHA1: 524584aa63b9cb95b72ab5ae64522a0d48d857b2 SHA256: a326d9b72e6905304de30fa02fd3a087506c99486f5094e8a5c7cc7a5f84e059 Ssdeep: 24576:v2UnOxz4461D69+Twrijj9Ig6sIw7ag38YaXag:v2cIZbuHqsd7agvaV Authentihash: 53e70adbf1277fe98a4bc7830a173327398b6196dfb9231b53275544e2980f30 Imphash: 884310b1928934402ea6fec1dbd3cf5e Heuristics and Tools
  • 46. Tools • DR Fat Heuristics and Tools 1. The Internet 2. Hex Editor 3. Entropy Analyzer 4. Hashing Tool 5. Analyzer/PE Information Tool
  • 48. Tools • DR Fat PE Information tool Heuristics and Tools
  • 50. Heuristics and Tools Filenames • Svvvtxys.exe • Scvhost.exe • Explorerer.exe • БадФиле.exe • 邪恶的计划.exe
  • 56. Heuristics and Tools Size PDFs <50k Word Docs > 2MB and only one page of text PPT >2MB and only two slides
  • 65. Stuff • DR Fat Heuristics and Tools Entropy
  • 66. Stuff • DR Fat Heuristics and Tools Entropy
  • 67. Stuff • DR Fat Heuristics and Tools Entropy
  • 68. Stuff • DR Fat Heuristics and Tools Entropy
  • 69. Stuff • DR Fat Heuristics and Tools Entropy
  • 70. Stuff • DR Fat Heuristics and Tools Entropy
  • 72. Why dynamics sometimes aren’t 1. Virtual Detection 2. Sandbox Detection 3. Debugger Checking 4. Weird Dependencies 5. Time Checks 6. Missing Components 7. Unusual URL Response during execution
  • 73. He Laterally just said that “Laterals work goodly, they is not for every play though.” -Unnamed ex-Giants receiver
  • 74. Tales from the field • Not your average melting point. • A PNG in the butt.
  • 75. The world beyond Windows 1. ELF hunting 2. Other stuff
  • 76. In Conclusion Static indicators that we talked about are clues. • Some clues are key indicators • Some clues are circumstantial A final fitting Doyle/Holmes quote: “The more bizarre a thing the less mysterious it proves to be. It is your commonplace, featureless crimes which are really puzzling.”
  • 77. Appendix The following are a series of links to references and tools we have found useful. Many are beyond the scope of a short talk but we have included them for future reference. 1. Sans Memory Forensics Poster http://digital-forensics.sans.org/media/Poster-2015-Memory-Forensics2.pdf 2. Sans Windows Forensic Analysis Poster http://digital-forensics.sans.org/media/poster-windows-forensics-2015.pdf 3. Fidelis Threat Advisories http://www.fidelissecurity.com/resources/threat-advisory 4. MFTDUMP v1.3.0 http://malware-hunters.net/wp-content/downloads/MFTDump_V.1.3.0.zip 5. NTFS Documentation http://dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf
  • 78. Appendix 7. Sysinternals - Autorunsc http://technet.microsoft.com/en-us/sysinternals/bb963902 8. Many ways of malware persistence (that you were always afraid to ask) http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html 9. Common Autostart Locations - http://gladiator-antivirus.com/forum/index.php?showtopic=24610 10. FTK Imager Lite - http://accessdata.com/product-download/digital-forensics/ftk-imager-lite-version-3.1.1 11. Suspicious File Locations - http://www.malicious-streams.com/resources/articles/DGMW1_Suspicious_FS_Geography.html 12. Windows Scheduler - http://what-when-how.com/windows-forensic-analysis/file-analysis-windows-forensic-analysis-part-4/ 13. Windows Prefetch - http://forensicswiki.org/wiki/Prefetch
  • 79. Appendix 14. Notes on Linux/Xor.DDoS. http://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html 15. Time Stomping is for Suckers. http://thedigitalstandard.blogspot.com/2011/02/time-stomping-is-for-suckers.html

Editor's Notes

  1. So it’s a difficult problem, with no easy answer. There’s no “silver bullet”. And throwing a pile of boxes and a ton of money at the problem is not going to make it go away.
  2. ----- Meeting Notes (10/16/15 16:21) ----- Sir Arthur Conan Doyle through his character Sherlock Holmes stated that if you have seen 1,000 crime scenes the 1001st should not surprise you.
  3. Many organizations have fallen victim to these advanced threats, including some very large organizations with sophisticated security teams and technologies who you would expect should be able to defend themselves against any kind of security threat. The list of organizations that have suffered massive data breaches is a testament to the fact that the nature of the threats that companies are facing today has fundamentally changed. You’re no longer defending yourself against loosely organized groups of opportunistic hackers using recycled attacks to exploit known vulnerabilities. Today you’re up against highly skilled adversaries who have the ability to create customized or even “zero day” attacks that target your organization, exploit your vulnerabilities, and steal your data.
  4. This is where you enter the picture. From the “My computer is acting funny” to Microsoft calling you up because your computer is pinging their server.
  5. Keeping with our theme of malware standing out, keep in mind that on the surface things aren’t always what they appear. You need to dig down beneath the surface to see what is really happening.
  6. We’ll start with MAC times. Many of you may be familiar with this term; for those of you that are not, MAC stands for Modified, Accessed, Created and refers to time attributes for a given file. A great indication of malicious intent is if a file has had its MAC times deliberately changed to an earlier or later date. This can be done to mislead folks looking for signs of an intrusion around a specific time frame. For example, if a network log shows that a system was accessed on November 2, it would make sense to look for files created or modified around that time frame on the system. However, with various time stomping tools out there, malware writers can change the time stamps to a different date.
  7. How does a user go about this? Well when you’re talking about NTFS, it uses a file table called the Master File Table (MFT). The MFT contains various information about the files on the system. Such as the MAC times, file location on the disk etc. In the case of the MAC times, there’s actually two sets of time stamps. The SI (Standard Information) and FN (File Name) times.
  8. The times we see from the operating system are the SI times. In this case, for this file, irevil.dll, we see that the file was created on November 12, 2005 and was last accessed on November 2, 2014. On the surface all seems legitimate. Let’s dig a little deeper.
  9. We can use a tool from Access Data called FTK Imager to help us browse the files on the system. We can also use FTK Imager to actually create an image of the system if we need to later on. (Note: you will find several links to the tools and concepts we will be talking about in an appendix at the back of this presentation.) For now, we are interested in taking a closer look at the MFT, so we will export that file out. You’ll also find a backup of the MFT in the same location called the MFTMirr. For now, let’s just concentrate on the MFT file.
  10. There are lots of ways we can do this; one quick down and dirty way is to use a tool called MFTDump. We can export out the contents of the MFT into a csv file for analysis using Excel. If you dabble in Excel a lot you know that you can create filters very easily. In this case I created one to show me where the SI times and the FN times don’t match up. On this system there are two files where we see that has happened, and we now have two files that we may want to take a closer look at; Chris will highlight some of those techniques in a little bit.
  11. Malware authors like to run their files from pretty specific locations. It used to be pretty simple to look through 2-3 directories for any weird looking files. Now it can be in dozens of different locations. Things to look for are files with strange sounding names, maybe foreign Chinese/Cyrillic characters. Let’s take a look at some examples.
  12. In this case irevil should obviously stick out like a sore thumb. In reality it may not be quite so obvious. You can see that these files are located in the C:\Windows\System32 directory.
  13. These are some common locations, I’ve put some links in at the end of the slides that can give you many more directories to look in.
  14. In addition to file time stamps and file system locations, malware authors will commonly use the registry to help them. It’s one thing to get their file onto a system, but it’s another to make sure it keeps running, especially after a reboot. An easy way to go about that is to make an entry in the registry to start the file on system startup.
  15. Prefetch is another area you can check to see if a file has been executed on your system. It’s commonly used by Windows to help speed up loading times. It can also be reviewed to look for evidence of a file being executed on the system. It will create a .pf file in C:\Windows\Prefetch. There are prefetch parsers that you can find online that will allow you to parse the pf file and find out additional information like the date/time that it was first executed, the last time it was executed and the number of times that it was run.
  16. It is important to be able to gather all information at your disposal. Your sleuth kit should include but not be limited to the following items as each one can provide different clues to the nature of the file in question.
  17. We live in the information age and, believe it or not, the internet is a tool for good as well as evil. Just don’t rely on it as the only determining source of information. Svchost.exe is not always bad… and be sure you are querying information from a clean system. Use your phone or something. Also, uploading files means loss of control. Anubis/Virus Total are great services, but if you upload a weird file that was a crashed version of nana’s secret baked bean recipe it now belongs to the internets. Also, don’t quote me but… internet law dictates that for every cutesy cat video or picture uploaded there must exist a malware related post. Some pages have great content and some are stuffed with fluff. http://blog.didierstevens.com/programs/virustotal-tools/
  18. Ever wonder what those binary instructions look like… well, hex editors are useful to see the hexadecimal translation. This system is useful because it represents every byte (8 bits) as two consecutive hexadecimal digits. It is much easier for humans to read hex than binary. 4D 5A = MZ
  19. Shannon entropy was introduced by Claude E. Shannon in his 1948 paper "A Mathematical Theory of Communication“ and further in his “Communication Theory of Secrecy Systems” https://www.cryptool.org/en/
  20. Great formula but the bottom line is that Data compressors and encryptors tend to produce very high entropy results. Or high entropy could mean someone's trying to hide something https://www.cryptool.org/en/
  21. http://implbits.com/products/hashtab/# http://portableapps.com/apps/utilities/winmd5sum_portable CRC32: 8 Char and pretty weak computationally MD5: 32 Char (Standard Hash) Sha1: 40 Char Sha256: 64 Sha384: 96 Sha512: 128 SSDeep: aka Captain Fuzzy: can be used to compare files; format is block size:hash:hash Authentihash: Windows Authenticode, used for integrity Imphash: used to find compiler/builder commonalities Each one of these algorithmic hashes has a place and purpose; although some get picked on by serious math nerds and the Monday morning quarter-geeks, they all still have value, and the rule of thumb is the more digits the more accurate/secure.
  22. PEStudio: https://www.winitor.com/ Yara
  23. PEStudio: https://www.winitor.com/ Yara
36. In general: is the file too old (more than two years), too new (the last three days), or even date-stamped in the future? This example shows an old date/time, so in theory we should be able to find the actual object and compare. If it shows up on the file system in 2015 and Doc Brown isn't involved, there probably is a story there.
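As an added example (not from the talk's slides), here is a Python triage check that reads the COFF TimeDateStamp from a PE header and applies the thresholds above: more than two years old, less than three days old, or in the future, and compares it with the time the file appeared on disk. The threshold values, the function names and the minimal PE stub used as sample input are assumptions for illustration; the compile timestamp is trivially forged by the author, so treat a clean result as one signal, not a verdict.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

# Thresholds from the slide notes (assumed values): older than two years or newer
# than three days is worth a second look; a compile time in the future never happens
# legitimately.
TOO_OLD = timedelta(days=2 * 365)
TOO_NEW = timedelta(days=3)


def pe_compile_time(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime,
    or None if the buffer is not a PE file (or is truncated before the header)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be present.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def triage_timestamps(compile_time, fs_created, now):
    """Return a list of findings; an empty list means nothing odd.
    compile_time: from pe_compile_time(); fs_created: when the file appeared on the
    file system (or None); now: analysis time, passed in so results are reproducible."""
    if compile_time is None:
        return ["not a PE file or header truncated"]
    findings = []
    if compile_time > now:
        findings.append("compile time is in the future")
    elif now - compile_time > TOO_OLD:
        findings.append("compile time older than two years")
    elif now - compile_time < TOO_NEW:
        findings.append("compiled within the last three days")
    if fs_created is not None and fs_created < compile_time:
        # A file cannot land on disk before it was built: timestomping or a lying clock.
        findings.append("file appeared on disk before its compile time")
    return findings


def scan_file(path, now=None):
    """Run the checks against a real file. st_ctime is the creation time on Windows
    but inode-change time on Linux, so the on-disk time is only meaningful on Windows."""
    now = now or datetime.now(tz=timezone.utc)
    with open(path, "rb") as fh:
        data = fh.read()
    fs_created = datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)
    return triage_timestamps(pe_compile_time(data), fs_created, now)


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed, non-executable PE stub: DOS header, PE signature and COFF header
    only. Enough for the parser; it is not a real sample and will not run."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def demo():
    """Run two constructed samples against a fixed 'now' (the talk's date) and a file
    that supposedly appeared on disk two days earlier; returns findings per sample."""
    now = datetime(2015, 10, 17, tzinfo=timezone.utc)
    on_disk = datetime(2015, 10, 15, tzinfo=timezone.utc)
    old = build_sample_pe(int(datetime(2003, 5, 1, tzinfo=timezone.utc).timestamp()))
    future = build_sample_pe(int(datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp()))
    return {
        "2003 build": triage_timestamps(pe_compile_time(old), on_disk, now),
        "2020 build": triage_timestamps(pe_compile_time(future), on_disk, now),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings)
```

The 2003 sample triggers only the "older than two years" check; the 2020 sample is both in the future and older than its own arrival on disk, which is the "Doc Brown" case. Against a real file, `scan_file(path)` does the same with the live clock.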
37. Another Holmes quote: "the more bizarre a thing is, the less mysterious it proves to be. It is your commonplace, featureless crimes which are really puzzling."
41. #1 Responding to an alert once: name was messed up, high entropy, known suspect location, creation time matched. No one classified it laterally, sandbox failed. Took in-depth RE to discover that during entrenchment the malware used the system name as a key field during melt; upon every run it queried the system name and went down a different fork if it differed. #2 Another time we discovered some sporadic beacon traffic. Finding the binary on the system was easy, but the entrenchment wasn't. We finally discovered that it was tied to the user's roaming profile under the PNG rendering in Internet Explorer. So only when the user a) used IE and b) went to a site with a PNG on it did the beacon take place.
42. Ex: VT has the hash, but it registers 0/56 with no real data. That does not mean it's a good file; it means nobody has looked at it.
45. Another Holmes quote: "the more bizarre a thing is, the less mysterious it proves to be. It is your commonplace, featureless crimes which are really puzzling." Key indicators: known mutexes, muticies, mutex patterns... Kxgryzz.exe found in a user's AppData directory. Circumstantial: just because the glove does not fit exactly doesn't necessarily mean
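Two of the "quick and dirty" indicators in these notes are the high entropy in the alert from #1 above and the random-looking Kxgryzz.exe sitting in a user's AppData directory. The following Python is an added example, not code from the talk: it computes Shannon entropy over the whole file and over fixed windows (packed or encrypted payloads cluster near 8 bits/byte), and flags a consonant-soup file name under a user's AppData tree. The window size, the 7.0 threshold and the name heuristic are assumptions, and the name check in particular has false positives (sppsvc.exe trips it), which is exactly the "glove does not fit" point: these are circumstantial, to be weighed together, not a verdict.

```python
import math
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for a uniform byte
    distribution. Code and text usually land around 4 to 6; packed or encrypted
    payloads sit near 7 to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 256, threshold: float = 7.0):
    """Return (offset, entropy) for each fixed-size window at or above the
    threshold. Window size and threshold are assumed values; tune per file type."""
    regions = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            regions.append((off, round(e, 2)))
    return regions


def looks_random(filename: str) -> bool:
    """Weak signal (our heuristic, not from the talk): a name stem of six or more
    letters with no vowels, or a run of six or more consonants, as in Kxgryzz.exe.
    Expect false positives on abbreviations such as sppsvc.exe; never use alone."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = re.sub(r"[^a-z]", "", stem)
    if len(letters) < 6:
        return False
    if not re.search(r"[aeiou]", letters):
        return True
    return re.search(r"[^aeiou]{6,}", letters) is not None


# Matches any path under a user's AppData tree (Roaming, Local, LocalLow).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def suspicious_path(path: str) -> bool:
    """True when a random-looking executable name sits under a user's AppData
    tree, where per-user entrenchment (like the roaming-profile case above) lives."""
    norm = path.replace("/", "\\")
    name = norm.rsplit("\\", 1)[-1]
    return bool(USER_WRITABLE.search(norm)) and looks_random(name)


def build_sample() -> bytes:
    """Constructed input, not a real sample: a 256-byte text-like block followed by
    a 256-byte block holding every byte value once, standing in for a packed payload."""
    header = b"This program cannot be run in DOS mode.\r\n".ljust(256, b"\0")
    return header + bytes(range(256))


if __name__ == "__main__":
    blob = build_sample()
    print("whole-file entropy:", round(shannon_entropy(blob), 2))
    print("high-entropy windows:", high_entropy_regions(blob))
    for p in (r"C:\Users\bob\AppData\Roaming\Kxgryzz.exe",
              r"C:\Windows\System32\svchost.exe"):
        print(p, "->", suspicious_path(p))
```

The windowed scan matters more than the whole-file number: a small encrypted blob appended to an otherwise ordinary binary barely moves the file-level entropy but shows up as a single hot window, which is also where to start carving.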