This document discusses tools from the Sysinternals suite that can be used for malware hunting and cleaning infected systems. It describes Process Explorer for investigating processes, Autoruns for identifying malware autostarts, and Process Monitor for tracing malware activity. The tools provide detailed system information that can help identify malicious processes, files, and registry entries associated with an infection. The document provides an overview of the key features of each tool and how they can be used together to analyze a compromised system and remove malware.
Sysinternals utilities : a brief introduction to Akshay koshti
A brief intro to all the tools available in the Sysinternals utilities and how to perform various tasks in the forensic domain from the same utilities.
This document provides an overview of privilege escalation techniques. It begins with an introduction to the speaker and defines vertical privilege escalation as moving from a lower privilege user to a higher privilege user. It then covers common privilege escalation vectors for both Linux and Windows systems, such as exploiting kernel vulnerabilities, weak passwords, sudo misconfigurations, vulnerable services, and file permission issues. Specific techniques discussed include dirty cow, password cracking, escaping restricted shells, abusing cron jobs and SUID files. The document emphasizes that credentials are often found in insecure configurations, backup files, logs and other unprotected locations.
Splunk Tutorial for Beginners - What is Splunk | EdurekaEdureka!
The document discusses Splunk, a software platform used for searching, analyzing, and visualizing machine-generated data. It provides an example use case of Domino's Pizza using Splunk to gain insights from data from various systems like mobile orders, website orders, and offline orders. This helped Domino's track the impact of various promotions, compare performance metrics, and analyze factors like payment methods. The document also outlines Splunk's components like forwarders, indexers, and search heads and how they allow users to index, store, search and visualize data.
Internet technology and software are inherently vulnerable due to flaws, weaknesses, and gaps in their design, implementation, and security protocols. Thousands of vulnerabilities exist in both software and hardware that can be exploited by hackers if not properly addressed. Common sources of vulnerabilities include design flaws, poor security management, incorrect implementation, vulnerabilities in operating systems, applications, protocols, and ports. Ensuring systems are properly configured, passwords are strong, and users are educated can help reduce vulnerabilities, but due to the complexity of software it is impossible to have fully secure systems.
This document discusses computer memory forensics. It explains that memory forensics involves acquiring volatile memory contents from RAM and preserving them for later forensic analysis. The document outlines the different types of forensic analysis that can be performed on memory contents, including storage, file system, application, and network analysis. It also discusses the challenges of memory forensics, such as anti-forensic techniques used by malware to hide processes, drivers, and other artifacts in memory.
Threat Hunting with Windows Event Forwarding & MITRE ATT&CK Framework
In this talk, you will gain an overview of using Windows Event Forwarding (WEF) for incident detection, with configuration and management workflows guidance. The talk will also provide an introduction to the MITRE ATT&CK Framework.
NIST 800-92 Log Management Guide in the Real WorldAnton Chuvakin
This presentation will introduce the first ever standard on log management - NIST 800 - 92 guide. It will then offer a guide walk through to highlight the critical areas of standardization. The majority of the remaining time will be spent on explaining how to use the guide in the real world if you are a security manager or a security pro.
This document provides an overview of various security analyst tools and services for tasks like malware analysis, threat hunting, and incident response. It lists tools for extracting strings from files, analyzing URLs, searching virus total, exploring malware samples, and monitoring resources like pastebin for indicators. The goal is to help analysts by providing starting points, examples, and screenshots for different analysis techniques.
Sysinternals utilities : a brief introduction to Akshay koshti
A brief intro to all the tools available in the Sysinternals utilities and how to perform various tasks in the forensic domain from the same utilities.
This document provides an overview of privilege escalation techniques. It begins with an introduction to the speaker and defines vertical privilege escalation as moving from a lower privilege user to a higher privilege user. It then covers common privilege escalation vectors for both Linux and Windows systems, such as exploiting kernel vulnerabilities, weak passwords, sudo misconfigurations, vulnerable services, and file permission issues. Specific techniques discussed include dirty cow, password cracking, escaping restricted shells, abusing cron jobs and SUID files. The document emphasizes that credentials are often found in insecure configurations, backup files, logs and other unprotected locations.
Splunk Tutorial for Beginners - What is Splunk | EdurekaEdureka!
The document discusses Splunk, a software platform used for searching, analyzing, and visualizing machine-generated data. It provides an example use case of Domino's Pizza using Splunk to gain insights from data from various systems like mobile orders, website orders, and offline orders. This helped Domino's track the impact of various promotions, compare performance metrics, and analyze factors like payment methods. The document also outlines Splunk's components like forwarders, indexers, and search heads and how they allow users to index, store, search and visualize data.
Internet technology and software are inherently vulnerable due to flaws, weaknesses, and gaps in their design, implementation, and security protocols. Thousands of vulnerabilities exist in both software and hardware that can be exploited by hackers if not properly addressed. Common sources of vulnerabilities include design flaws, poor security management, incorrect implementation, vulnerabilities in operating systems, applications, protocols, and ports. Ensuring systems are properly configured, passwords are strong, and users are educated can help reduce vulnerabilities, but due to the complexity of software it is impossible to have fully secure systems.
This document discusses computer memory forensics. It explains that memory forensics involves acquiring volatile memory contents from RAM and preserving them for later forensic analysis. The document outlines the different types of forensic analysis that can be performed on memory contents, including storage, file system, application, and network analysis. It also discusses the challenges of memory forensics, such as anti-forensic techniques used by malware to hide processes, drivers, and other artifacts in memory.
Threat Hunting with Windows Event Forwarding & MITRE ATT&CK Framework
In this talk, you will gain an overview of using Windows Event Forwarding (WEF) for incident detection, with configuration and management workflows guidance. The talk will also provide an introduction to the MITRE ATT&CK Framework.
NIST 800-92 Log Management Guide in the Real WorldAnton Chuvakin
This presentation will introduce the first ever standard on log management - NIST 800 - 92 guide. It will then offer a guide walk through to highlight the critical areas of standardization. The majority of the remaining time will be spent on explaining how to use the guide in the real world if you are a security manager or a security pro.
This document provides an overview of various security analyst tools and services for tasks like malware analysis, threat hunting, and incident response. It lists tools for extracting strings from files, analyzing URLs, searching virus total, exploring malware samples, and monitoring resources like pastebin for indicators. The goal is to help analysts by providing starting points, examples, and screenshots for different analysis techniques.
Best Practices for Configuring Your OSSIM InstallationAlienVault
Because every network environment is different, OSSIM offers flexibile configuration options to adapt to the needs of different environments. Whether you are just getting started with OSSIM, or have been using it for years, thinking through the configuration options availble will help you get the most out of your installation.
Join us for this customer training webcast where our OSSIM experts will walk through:
How to deploy & configure OSSEC agents
Best practices for configuring syslog and enabling plugins
Scanning your network for assets and vulnerabilities
This document introduces tools and techniques for preliminary malware analysis. It discusses examining malware behavior through static analysis, behavioral tracing, and sandboxing. Specific tools are presented for observing malware snapshots, tracing its behavior, and containing it in a sandbox. Process-based and stealthy malware are discussed, along with vulnerabilities of rootkits and tools for rootkit detection. The goal is to present a model for beginning reverse engineering of malware through observation and experimentation in a contained environment.
This webinar series is designed to help internal auditors looking to equip themselves with competencies and confidence to handle audit of IT controls and information security, and learn about the emerging technologies and their underlying risks
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 7 of 10
This Webinar focuses on SEIM Log Analysis
• Logging Sources & Servers
• What is a SIEM?
• Advantages of a SIEM?
• Using SIEM
• Detection of outbound sensitive information
• Data Collection
• Aggrefation, Normalization and Enrichment
• Reporting and Forensics
• Challenges in log management
The document discusses the Windows registry, which is a central database that contains settings for Windows, programs, hardware, and users. It contains keys like HKCR, HKCU, HKLM, and HKU that store information about file associations, the current user profile, system-wide settings, and user profiles. Important forensic information can be extracted from the registry, including the system configuration, devices, user names, web browsing activity, and recent files. This is demonstrated through reports generated using the RegRipper tool on registry hives like SYSTEM, SAM, and NTUSER.DAT.
Lecture 9 and 10 comp forensics 09 10-18 file systemAlchemist095
This document discusses various topics related to computer forensics, including data acquisition, digital evidence storage formats, acquisition methods, using acquisition tools, validating data acquisition, RAID acquisition methods, remote network acquisition tools, processing crime scenes, and analyzing evidence. It provides details on different types of data acquisition, such as static and live acquisition. It also describes best practices for securing evidence, gathering evidence, and analyzing evidence as part of a computer forensics investigation.
Virtualizing SAP implementations can significantly reduce hardware costs, increase server utilization rates, and ease the burden of system upgrades and platform migrations. Virtualization allows organizations to streamline testing environments, accelerate upgrade planning, and meet availability and performance SLAs. It enables dynamic, on-demand provisioning of resources to build a more flexible and cost-effective IT infrastructure.
This document provides an overview and agenda for a Splunk lunch and learn session. It discusses what Splunk is, its key capabilities including searching, alerting, and reporting on machine data, and its universal indexing approach. The document also outlines deployment options and includes a demonstration. It explains how Splunk eliminates finger pointing across IT silos by enabling users to search and investigate issues more quickly. It also discusses how Splunk supports proactive monitoring, operational visibility, and real-time business insights.
The document discusses various topics relating to ethics and information technology including definitions of ethics, computer ethics, and issues like privacy, property, and access. It also covers computer viruses, types of computer crimes, hacking, software piracy, and ethical dilemmas. Computer viruses are defined as programs designed to spread and interfere with computers. Types of computer crimes include those targeting information, medium of attack, tools used, and motives like economic or psychological gain. Hacking and software piracy are also defined and their advantages and disadvantages discussed. Ethical dilemmas concern areas like privacy, information accuracy, access, and intellectual property rights.
The document defines and provides an overview of different roles involved in detection and response, including threat intelligence analysts, threat researchers, detection engineers, investigators, and incident handlers. It describes the key activities and responsibilities of each role, as well as the typical inputs and outputs. It also provides examples of how these roles may be organized and staffed in a financial company's security operations center.
This presentation was discussed in a Webinar with MetricStream in September 2016. It is applicable for small, medium and large businesses when considering information and cyber security risk.
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURENurul Haszeli Ahmad
Software vulnerabilities are regard as the most critical vulnerabilities due to its impact and availability as compared to hardware and network vulnerabilities. Throughout the years from the first appearance of software vulnerabilities in late 80s until today, there are many identified and classified software vulnerabilities such as the well-known buffer overflow, scripting and SQL command. We studied on those known software vulnerabilities, compared the criticality, impact and significant of the vulnerabilities, and further predicted the trend of the vulnerabilities and proposed the focus area based on the comparative studies. The result shows that C overflow vulnerabilities will continue to persist despite losing its dominance in terms of numbers of availability and exploitation. However, the impact of exploiting the C overflow vulnerabilities is still regard as the most critical as compare to others. Therefore, C overflow vulnerabilities will prevail again and continues its domination as it did for the past two decades.
Linux is well-suited for forensic investigations due to its free and open-source tools, flexible environment, and ability to access low-level interfaces. However, its tools are more complicated to use than commercial packages and typically lack technical support. Linux distributions use a directory tree with essential directories like /bin, /etc, /home, and /var. Important commands provide information on processes, network connections, and disk usage. The Linux boot process involves the BIOS, boot loader, kernel initialization, and starting of processes at designated run levels.
VAPT defines a wide range of security testing services to ascertain and address cyber security exposures. It includes vulnerability testing through perimeter scans for missing patches or custom exploits to bypass perimeters, as well as penetration testing by simulating real-world attacks to provide a point-in-time assessment of vulnerabilities and threats to a network infrastructure. Customers can inquire more about these security testing and analysis services by contacting the company.
Présentation de la suite ELK dans un contexte SIEM et zoom sur Wazuh (OSSEC) , IDS open source
Venez découvrir comment être proactif face aux problèmes de cyber sécurité en analysant les données fournies par vos équipements et applications critiques.
The Presentation is about the Basic Introduction to Cybersecurity that talks about introduction and what is security means. Also the presentation talks about CIA Triad i.e confidentiality, integrity and availability
More often than not, company executives ask the wrong questions about software security. This session will discuss techniques for changing the conversation about software security in order to encourage executives to ask the right questions – and provide answers that show progress towards meaningful objectives. Caroline will discuss a progression of software security capabilities and the metrics that correspond to different levels of maturity. She’ll discuss an approach for developing key metrics for your unique software security program and walk through a detailed example.
Penetration testing reporting and methodologyRashad Aliyev
This paper covering information about Penetration testing methodology, standards reporting formats and comparing reports. Explained problem of Cyber Security experts when they making penetration tests. How they doing current presentations.
We will focus our work in penetration testing methodology reporting form and detailed information how to compare result and related work information.
Keyloggers and spyware are programs that can monitor users' computer activity without their consent. Keyloggers record keyboard input like passwords, while spyware tracks web browsing and transmits the collected information. There are hardware and software versions of keyloggers, with hardware versions like devices plugged into keyboards and replacement keyboards containing the monitoring programs. Spyware comes in various forms like tracking cookies, browser hijacking, and keyloggers that observe online habits for advertising or other purposes. Both keyloggers and spyware can invade users' privacy and security without their knowledge.
SOC presentation- Building a Security Operations CenterMichael Nickle
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
POTASSIUM is a penetration testing as a service (PTaaS) that uses live migration techniques to clone virtual machines from a production system, capturing their full disk, memory, and network state. This cloned system is isolated to allow thorough testing without risk of damage. POTASSIUM aims to provide valid, safe, and scalable penetration testing through automated and isolated testing modes while minimizing performance impacts on the production system. An evaluation showed POTASSIUM could detect vulnerabilities with up to 100 VMs and had minimal performance overhead during consistent checkpointing compared to non-consistent checkpointing.
This document discusses various tools and techniques for performing basic dynamic malware analysis, including sandboxes, Process Monitor, Process Explorer, and Regshot. It explains how sandboxes like GFI Sandbox can provide initial analysis of malware but have limitations. Process Monitor and Process Explorer allow monitoring processes, registry changes, and other activity in real-time. Regshot facilitates comparing registry snapshots before and after malware is run.
This document provides an introduction to malware analysis through a presentation. It discusses key concepts like Zeus malware, behavioral analysis through tools like NetworkMiner and Wireshark, reverse engineering malware using tools like OllyDbg, and submitting samples to VirusTotal for analysis. The presentation emphasizes setting up an analysis workstation, analyzing malware behavior on networks and systems, reverse engineering code to understand malware functionality, and using virtual environments and tools safely to explore malware without risking real systems. It provides examples of real malware like Zeus to illustrate analysis concepts and techniques.
Best Practices for Configuring Your OSSIM InstallationAlienVault
Because every network environment is different, OSSIM offers flexibile configuration options to adapt to the needs of different environments. Whether you are just getting started with OSSIM, or have been using it for years, thinking through the configuration options availble will help you get the most out of your installation.
Join us for this customer training webcast where our OSSIM experts will walk through:
How to deploy & configure OSSEC agents
Best practices for configuring syslog and enabling plugins
Scanning your network for assets and vulnerabilities
This document introduces tools and techniques for preliminary malware analysis. It discusses examining malware behavior through static analysis, behavioral tracing, and sandboxing. Specific tools are presented for observing malware snapshots, tracing its behavior, and containing it in a sandbox. Process-based and stealthy malware are discussed, along with vulnerabilities of rootkits and tools for rootkit detection. The goal is to present a model for beginning reverse engineering of malware through observation and experimentation in a contained environment.
This webinar series is designed to help internal auditors looking to equip themselves with competencies and confidence to handle audit of IT controls and information security, and learn about the emerging technologies and their underlying risks
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 7 of 10
This Webinar focuses on SEIM Log Analysis
• Logging Sources & Servers
• What is a SIEM?
• Advantages of a SIEM?
• Using SIEM
• Detection of outbound sensitive information
• Data Collection
• Aggrefation, Normalization and Enrichment
• Reporting and Forensics
• Challenges in log management
The document discusses the Windows registry, which is a central database that contains settings for Windows, programs, hardware, and users. It contains keys like HKCR, HKCU, HKLM, and HKU that store information about file associations, the current user profile, system-wide settings, and user profiles. Important forensic information can be extracted from the registry, including the system configuration, devices, user names, web browsing activity, and recent files. This is demonstrated through reports generated using the RegRipper tool on registry hives like SYSTEM, SAM, and NTUSER.DAT.
Lecture 9 and 10 comp forensics 09 10-18 file systemAlchemist095
This document discusses various topics related to computer forensics, including data acquisition, digital evidence storage formats, acquisition methods, using acquisition tools, validating data acquisition, RAID acquisition methods, remote network acquisition tools, processing crime scenes, and analyzing evidence. It provides details on different types of data acquisition, such as static and live acquisition. It also describes best practices for securing evidence, gathering evidence, and analyzing evidence as part of a computer forensics investigation.
Virtualizing SAP implementations can significantly reduce hardware costs, increase server utilization rates, and ease the burden of system upgrades and platform migrations. Virtualization allows organizations to streamline testing environments, accelerate upgrade planning, and meet availability and performance SLAs. It enables dynamic, on-demand provisioning of resources to build a more flexible and cost-effective IT infrastructure.
This document provides an overview and agenda for a Splunk lunch and learn session. It discusses what Splunk is, its key capabilities including searching, alerting, and reporting on machine data, and its universal indexing approach. The document also outlines deployment options and includes a demonstration. It explains how Splunk eliminates finger pointing across IT silos by enabling users to search and investigate issues more quickly. It also discusses how Splunk supports proactive monitoring, operational visibility, and real-time business insights.
The document discusses various topics relating to ethics and information technology including definitions of ethics, computer ethics, and issues like privacy, property, and access. It also covers computer viruses, types of computer crimes, hacking, software piracy, and ethical dilemmas. Computer viruses are defined as programs designed to spread and interfere with computers. Types of computer crimes include those targeting information, medium of attack, tools used, and motives like economic or psychological gain. Hacking and software piracy are also defined and their advantages and disadvantages discussed. Ethical dilemmas concern areas like privacy, information accuracy, access, and intellectual property rights.
The document defines and provides an overview of different roles involved in detection and response, including threat intelligence analysts, threat researchers, detection engineers, investigators, and incident handlers. It describes the key activities and responsibilities of each role, as well as the typical inputs and outputs. It also provides examples of how these roles may be organized and staffed in a financial company's security operations center.
This presentation was discussed in a Webinar with MetricStream in September 2016. It is applicable for small, medium and large businesses when considering information and cyber security risk.
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURENurul Haszeli Ahmad
Software vulnerabilities are regard as the most critical vulnerabilities due to its impact and availability as compared to hardware and network vulnerabilities. Throughout the years from the first appearance of software vulnerabilities in late 80s until today, there are many identified and classified software vulnerabilities such as the well-known buffer overflow, scripting and SQL command. We studied on those known software vulnerabilities, compared the criticality, impact and significant of the vulnerabilities, and further predicted the trend of the vulnerabilities and proposed the focus area based on the comparative studies. The result shows that C overflow vulnerabilities will continue to persist despite losing its dominance in terms of numbers of availability and exploitation. However, the impact of exploiting the C overflow vulnerabilities is still regard as the most critical as compare to others. Therefore, C overflow vulnerabilities will prevail again and continues its domination as it did for the past two decades.
Linux is well-suited for forensic investigations due to its free and open-source tools, flexible environment, and ability to access low-level interfaces. However, its tools are more complicated to use than commercial packages and typically lack technical support. Linux distributions use a directory tree with essential directories like /bin, /etc, /home, and /var. Important commands provide information on processes, network connections, and disk usage. The Linux boot process involves the BIOS, boot loader, kernel initialization, and starting of processes at designated run levels.
VAPT defines a wide range of security testing services to ascertain and address cyber security exposures. It includes vulnerability testing through perimeter scans for missing patches or custom exploits to bypass perimeters, as well as penetration testing by simulating real-world attacks to provide a point-in-time assessment of vulnerabilities and threats to a network infrastructure. Customers can inquire more about these security testing and analysis services by contacting the company.
Présentation de la suite ELK dans un contexte SIEM et zoom sur Wazuh (OSSEC) , IDS open source
Venez découvrir comment être proactif face aux problèmes de cyber sécurité en analysant les données fournies par vos équipements et applications critiques.
The Presentation is about the Basic Introduction to Cybersecurity that talks about introduction and what is security means. Also the presentation talks about CIA Triad i.e confidentiality, integrity and availability
More often than not, company executives ask the wrong questions about software security. This session will discuss techniques for changing the conversation about software security in order to encourage executives to ask the right questions – and provide answers that show progress towards meaningful objectives. Caroline will discuss a progression of software security capabilities and the metrics that correspond to different levels of maturity. She’ll discuss an approach for developing key metrics for your unique software security program and walk through a detailed example.
Penetration testing reporting and methodologyRashad Aliyev
This paper covering information about Penetration testing methodology, standards reporting formats and comparing reports. Explained problem of Cyber Security experts when they making penetration tests. How they doing current presentations.
We will focus our work in penetration testing methodology reporting form and detailed information how to compare result and related work information.
Keyloggers and spyware are programs that can monitor users' computer activity without their consent. Keyloggers record keyboard input like passwords, while spyware tracks web browsing and transmits the collected information. There are hardware and software versions of keyloggers, with hardware versions like devices plugged into keyboards and replacement keyboards containing the monitoring programs. Spyware comes in various forms like tracking cookies, browser hijacking, and keyloggers that observe online habits for advertising or other purposes. Both keyloggers and spyware can invade users' privacy and security without their knowledge.
SOC presentation- Building a Security Operations CenterMichael Nickle
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
POTASSIUM is a penetration testing as a service (PTaaS) that uses live migration techniques to clone virtual machines from a production system, capturing their full disk, memory, and network state. This cloned system is isolated to allow thorough testing without risk of damage. POTASSIUM aims to provide valid, safe, and scalable penetration testing through automated and isolated testing modes while minimizing performance impacts on the production system. An evaluation showed POTASSIUM could detect vulnerabilities with up to 100 VMs and had minimal performance overhead during consistent checkpointing compared to non-consistent checkpointing.
This document discusses various tools and techniques for performing basic dynamic malware analysis, including sandboxes, Process Monitor, Process Explorer, and Regshot. It explains how sandboxes like GFI Sandbox can provide initial analysis of malware but have limitations. Process Monitor and Process Explorer allow monitoring processes, registry changes, and other activity in real-time. Regshot facilitates comparing registry snapshots before and after malware is run.
This document provides an introduction to malware analysis through a presentation. It discusses key concepts like Zeus malware, behavioral analysis through tools like NetworkMiner and Wireshark, reverse engineering malware using tools like OllyDbg, and submitting samples to VirusTotal for analysis. The presentation emphasizes setting up an analysis workstation, analyzing malware behavior on networks and systems, reverse engineering code to understand malware functionality, and using virtual environments and tools safely to explore malware without risking real systems. It provides examples of real malware like Zeus to illustrate analysis concepts and techniques.
The document describes a procedure for using batch scripting and common tools to identify intrusions on a Microsoft Windows system. The script generates trending data by checking for unusual processes, services, accounts, files and connections. It analyzes the operating system version, registry entries, scheduled tasks, event logs and more. The final summary is a sample batch script that automates running various commands to collect security-related data and output it to log files for administrator review.
This document discusses techniques for threat hunting on Windows systems. It covers key areas to focus on during incident triage like processes, network connections, filesystem artifacts and logs. It also describes general hunting scenarios using threat intelligence or without intelligence. Specific techniques and artifacts discussed include the Windows Task Scheduler, ShimCache, AmCache, RecentFileCache, rogue services, timeline analysis using MFT, DLL side loading, DLL injection rootkits, autoruns, and the Wdigest credential storage downgrade attack. The document provides details on what to look for and analyze to effectively hunt for threats on Windows.
The document discusses Monnappa, a security investigator at Cisco who focuses on threat intelligence and malware analysis. It provides an overview of static analysis, dynamic analysis, and memory analysis techniques for analyzing malware. It includes steps for each technique and screenshots demonstrating running analysis on a Zeus bot sample, including using tools like PEiD, Dependency Walker, Volatility, and VirusTotal. The analysis uncovered the malware creating registry runs keys for persistence and injecting itself into the explorer.exe process.
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2securityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
This document provides an overview of reversing and malware analysis training. It discusses the purpose of malware analysis, different analysis techniques including static analysis, dynamic analysis and memory analysis. It provides examples of tools used for each technique like strings, PEview, and Volatility. The document demonstrates these concepts on a Zeus bot sample, showing its network activity, process and registry behavior through monitoring tools. Memory analysis with Volatility reveals hidden processes and network connections. The training aims to understand a malware's behavior and interaction with the system.
The document discusses malware analysis techniques including static analysis, dynamic analysis, and memory analysis. Static analysis involves examining a file without executing it to determine things like file type and cryptographic hash. Dynamic analysis involves executing malware in a controlled environment to observe its behavior, such as file system, process, registry, and network activity. Memory analysis examines a computer's RAM to find artifacts and reveal hidden processes, network connections, and registry modifications. The document provides examples of analyzing a Zeus bot sample using these techniques.
Atrium Discovery software operates by using credential slaves to log into hosts on a Windows network using supplied credentials and delegate discovery. It stores directly discovered data in a datastore and uses a reasoning platform to apply patterns to the data to infer additional information like the presence of hosts, applications, and business applications. Patterns can be updated monthly and customized by the user. All information is indexed and searchable through interactive dashboards, reports, and search tools.
The document provides information about an advanced malware analysis training program. It begins with disclaimers about the content being provided "as is" and acknowledges those who supported the training. Biographical information is given about the trainer, Monnappa K A. An overview of memory forensics and the volatility framework is provided, along with examples of commands and plugins. The document outlines two malware analysis case studies demonstrating how volatility could be used to investigate memory dumps and detect malicious activity and rootkits.
Advanced Threats in the Enterprise: Finding an Evil in the HaystackEMC
This white paper describes the current advanced threat landscape, shortcomings of anti-virus, and how RSA ECAT fills the gap and helps organizations detect advanced malware.
Reversing & malware analysis training part 9 advanced malware analysisAbdulrahman Bassam
The document discusses a training program on reverse engineering and malware analysis. It provides an overview of static analysis, dynamic analysis and memory analysis techniques. It also includes a demonstration of analyzing a Zeus bot sample using these techniques. The demonstration shows taking the cryptographic hash, determining imports, submitting to VirusTotal, monitoring process, registry and network activity while executing in a sandbox, analyzing the memory dump with Volatility and more.
This document provides guidance on analyzing malicious software through a multi-stage process including automated analysis, behavioral analysis, and static and dynamic code analysis. It outlines tips and tools for each stage, with the goal of understanding a malware sample's capabilities and origins to strengthen an organization's security. Key stages involve examining static properties, behavioral interactions, and reversing code using tools like Ghidra and x64dbg.
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
This presentation is part of our Reverse Engineering & Malware Analysis Training program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
This document describes Monnappa K A, a member of Cysinfo who works as an information security investigator at Cisco. It then provides information on malware analysis sandboxes and describes how Monnappa uses an automated analysis system written in Python to safely execute malware in a virtual machine, monitor its behavior, and generate reports including memory dumps and artifacts for further analysis. The system aims to determine a malware's purpose, interactions, and identifiable patterns through static, dynamic, and memory forensics techniques.
Applied machine learning defeating modern malicious documentsPriyanka Aash
A common tactic adopted by attackers for initial exploitation is the use of malicious code embedded in Microsoft Office documents. This attack vector is not new, but attackers are still having success. This session will dive into the details of these techniques, introduce some machine learning approaches to analyze and detect these attempts, and explore the output in Elasticsearch and Kibana.
(Source : RSA Conference USA 2017)
[CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst PROIDEA
This document summarizes a presentation about security operations centers (SOCs) and incident response. It discusses what a SOC is and its functions like log correlation and indicator of compromise (IOC) analysis. It provides examples of how the security information and event management (SIEM) tool Splunk can be used to detect threats and incidents. Specific incident examples related to systems, networks, operating systems, databases and applications are outlined. Additional resources on topics like incident handling, forensics, log analysis and useful online tools are also listed. The document concludes with information about the (ISC)2 certification body and its Poland chapter.
A Presentation on Registry forensics from one of my lectures. Thanks to Harlan Carvy and Jolanta Thomassen for wonderful researches in the field. The work is based on their researches
Hacking involves exploiting vulnerabilities in computer systems or networks to gain unauthorized access. There are different types of hackers, including white hat hackers who perform ethical hacking to test security, black hat hackers who perform hacking with malicious intent, and grey hat hackers who may sometimes hack ethically and sometimes not. Ethical hacking involves testing one's own systems for vulnerabilities without causing harm. Vulnerability assessments and penetration tests are common ethical hacking techniques that involve scanning for vulnerabilities and attempting to exploit them in a controlled way. Popular tools used for ethical hacking include Kali Linux, Nmap, Metasploit, and John the Ripper.
Similar to Malware hunting with the sysinternals tools (20)
This document provides descriptions of different facial expressions and the emotions they convey. It presents photos of faces showing various expressions, such as happiness, sadness, fear, anger, surprise, disgust, contempt, pride, amusement, interest, desire, compassion, shame, embarrassment, pain, flirtatiousness, politeness, and asks the reader to identify the emotion being expressed. For each photo, it then explains the facial features and muscle movements involved in displaying that particular emotion. The purpose is to help people learn to recognize emotions from facial cues alone.
7. WAPDA Medical Attendance Rule 1979.DOCAli Asad Sahu
This document outlines the Pakistan WAPDA Employees Medical Attendance Rules from 1979. Some key points:
- It provides medical facilities to WAPDA employees, government servants on deputation to WAPDA, and their families at WAPDA hospitals and dispensaries.
- Employees in grades 1-15 can opt for cash medical allowance or free medical facilities. Those who take the allowance can still access some services like outdoor treatment in emergencies.
- It defines terms like authorized medical attendant, family, hospital, medical attendance, patient, and treatment. Family includes spouse, children up to age 25, parents, and unmarried daughters.
- Employees must carry identity cards for medical access
8. WAPDA Provision of Article Limbs to Disable person 1978.DOCAli Asad Sahu
This document outlines the rules for providing artificial limbs and other assistive devices to disabled Pakistan WAPDA employees. Some key points:
- A medical board determines the percentage of disability and required assistive devices. Approved institutions like AFIRM Rawalpindi then provide the artificial limbs.
- Transportation costs are covered to bring disabled employees to evaluation centers in Rawalpindi or Lahore based on their employment grade. An attendant may also travel with them.
- The Director of Welfare maintains records of disabled employees. Annual checkups of devices can be arranged. Replacements or repairs are also provided through the same process.
The document outlines the Pakistan WAPDA Rules regulating the grant of advances for the construction or purchase of houses or plots. Some key points:
- The rules apply to regular WAPDA employees with 5+ years of service, government servants on deputation to WAPDA, and electricity department employees transferred to WAPDA.
- Advances can be used to construct or purchase a house or plot for personal occupation in Pakistan. Advances are issued in installments and documentation is required to prove funds were used as intended.
- The amount of advance cannot exceed 36 months of pay or the estimated cost of construction/purchase. Houses must be mortgaged to WAPDA as security. Outstanding balances
This document outlines the Pakistan WAPDA Travelling Allowance Rules from 1982. Some key points:
- It defines various terms related to travel allowances such as controlling officer, family, pay, etc.
- It specifies the different types of travel allowances - daily allowance, mileage allowance, conveyance allowance, and actual cost of travel.
- Daily allowance rates are provided for different grades of employees, with special rates for certain localities. Hotel room reimbursement is allowed up to a certain percentage of the daily allowance amount.
- Mileage allowance rates by road are given for personal vehicles, motorcycles, bicycles, and public transport. Conditions for use of different modes of transport are
This document summarizes rules and notifications related to the delegation of disciplinary powers to WAPDA for employees transferred from provincial electricity and irrigation departments.
Key points:
1. Notifications were issued by Punjab and Sindh governments delegating powers under provincial civil servants rules to specified authorities in WAPDA to discipline transferred employees.
2. Schedules list the positions and authorities for imposing penalties and hearing appeals as specified in provincial civil servants rules.
3. The rules and notifications delegate disciplinary powers to WAPDA for employees who were transferred en bloc from provincial departments to ensure proper authority and process for any disciplinary actions.
9. WAPDA Treatment of Chonically Sick Person Rules 1967.DOCAli Asad Sahu
This document outlines rules for the treatment of chronically ill employees of the Pakistan Water and Power Development Authority (WAPDA). It establishes that WAPDA will provide treatment for employees suffering from long-term illnesses, including tuberculosis, in government hospitals. A medical board will examine employees suspected of having conditions that prevent them from working and recommend treatment plans. Employees with tuberculosis may be granted leave to receive treatment, and can resume work if their condition is arrested, with ongoing monitoring.
10. WAPDA Rules Advances of M Car, Cycles , Scotr, Cycles 1962.DOCAli Asad Sahu
This document outlines the rules regulating the grant of advances for employees of the Pakistan Water and Power Development Authority (WAPDA) to purchase motor vehicles. Some key points:
- Advances can be provided to employees who need motor vehicles like cars, motorcycles, or bicycles to perform their official duties that require much travel or transport.
- The maximum advance amounts are Rs. 10,000 for bicycles, Rs. 100,000 for motorcycles/scooters, and Rs. 1,000,000 for cars.
- Employees must take out insurance on the vehicle and sign documents mortgaging the vehicle to WAPDA until the advance is repaid through monthly payroll deductions.
The document outlines rules established by the Pakistan Water and Power Development Authority (WAPDA) regarding employees' dates of birth. Key points:
- Rule 5 establishes that an employee's date of birth recorded at hiring is final, and can only be altered for clerical errors with approval. Disputes are decided by various WAPDA executives depending on the employee's position.
- Rule 4 describes how an assumed date of birth is determined if an employee only knows their year or approximate age at hiring.
- The rules apply to all WAPDA employees and determine valid documents for confirming dates of birth. Amendments over time expanded which WAPDA officials can make final decisions on birth date disputes.
This document outlines the Pakistan WAPDA Leave Rules for WAPDA Employees from 1982. Some key points:
- It establishes the rules for earning, accumulating, and granting different types of leave for regular WAPDA employees, including leave on full pay, half pay, leave not due, special leave, and maternity leave.
- Authorities competent to grant leave are outlined in Appendix I. Maximum periods for different types of leave that can be granted at one time are specified, such as 120 days without a medical certificate or 180 days with a medical certificate.
- Leave is earned at the rate of 4 days for every calendar month of duty rendered. There is no maximum limit on accumulated leave. Te
This document outlines the Pakistan WAPDA Employees (Efficiency and Discipline) Rules of 1978 which establish procedures for ensuring employee efficiency and discipline within the Pakistan Water and Power Development Authority (WAPDA). Some key points:
- The rules define misconduct, penalties (minor like censure, major like dismissal), and grounds for imposing penalties for issues like inefficiency, corruption, or subversive activities.
- The process for disciplinary action is described, including options to proceed with an inquiry officer or committee or explanation letter. Employees can respond and request a hearing.
- Suspension procedures during an inquiry are covered, requiring approval every 3 months. Inquiries require framing charges and allowing employee defense
5. WAPDA Guide Line for enforcing the responsibility for losses 1982.DOCAli Asad Sahu
This document provides guidelines for enforcing responsibility for losses sustained by the Pakistan Water and Power Development Authority (WAPDA) through fraud or negligence of individuals. It outlines general principles for holding employees responsible for losses caused by their actions or inactions. It also provides instructions for cases requiring criminal prosecution in courts as well as for conducting internal departmental inquiries into cases of fraud, embezzlement, or other offenses involving employees. Departmental inquiries are to be initiated promptly regardless of any parallel police or judicial investigations. The goal is to maintain integrity in the civil service, not pursue criminal punishment.
This document outlines the Pakistan WAPDA Employees (Restriction on Marriages with Foreign Nationals) Rules from 1965. It defines key terms and establishes that WAPDA employees are prohibited from marrying foreign nationals unless they obtain prior permission from the authority. The rules were later amended in 2011 to allow employees to marry foreign nationals of any country recognized by the federal government with permission. It shares communications sent to remind employees to comply with these marriage rules and restrictions.
This document contains the Pakistan WAPDA Employees (Conduct) Rules from 1978 with amendments up to 2019. It outlines 20 rules that govern the conduct of WAPDA employees, including rules around gifts, foreign awards, public demonstrations, private trade or employment, insolvency, communicating official information, approaching elected officials, managing publications, radio/TV appearances, and more. The rules are intended to ensure employees act properly and do not engage in acts that could compromise their position or duties.
This document outlines the Pakistan WAPDA Employees (Retirement) Rules of 1979 and subsequent amendments. The rules define key terms, state that employees will retire after 20 years of service or at age 60, and allow for compulsory retirement in the public interest after 25 years or at age 55. It also establishes procedures for reviewing employee cases and obtaining necessary approvals from reviewing, approving and final authorities prior to retirement. Appeals processes are provided and certain categories of retired employees are waived from providing satisfactory service certificates.
Dpe from ad (com) to dd(com) bps 17 to 18 for pepco officers rules past papersAli Asad Sahu
Pakistan can play a role in diffusing tensions between Iran and USA by acting as a mediator and using its influence with both countries to encourage dialogue and diplomacy over escalation. Regarding Kashmir, the UN can help resolve the issue by facilitating a plebiscite in Kashmir to allow Kashmiris to determine their own future, as mandated in several UN resolutions. WAPDA rules allow various types of leave for employees in different situations to balance work responsibilities with personal needs as per established procedures.
Circular debt in Pakistan's energy sector has reached approximately 1.4 trillion PKR. It refers to the cash shortfall faced by the Central Power Purchasing Agency to pay power supply companies. This causes issues throughout the energy supply chain from generators to fuel suppliers. The primary causes are poor governance among entities, delays in tariff determination, and incomplete payments from the government. Secondary causes include high transmission losses, an unfavorable generation mix, and court decisions delaying payments. All stakeholders including private consumers, regulators, the government and DISCOs share some blame.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Tatiana Kojar
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻
The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
2. #RSAC
“When combining the results from all four AV engines, less
than 40% of the binaries were detected.”
Source:
CAMP: Content-Agnostic Malware Protection
Proceedings of 20th Annual Network & Distributed
System Security Symposium
https://www.cs.jhu.edu/~moheeb/aburajab-ndss-13.pdf
5. #RSAC
About this Talk
Learn about Sysinternals tools and techniques for analyzing and cleaning
malware
Professional antimalware analysis requires years of deep training
But even for professionals, Sysinternals tools can prove useful
Analyzing:
Understanding the impact of malware
Can be used to understand malware operation
Generates road map for cleaning infestations
Cleaning:
Removing an infestation of a compromised system
Attempting a clean can also reveal more information about malware’s operation
6. #RSAC
Malware Cleaning Steps
Disconnect from network
Identify malicious processes and drivers
Terminate identified processes
Identify and delete malware autostarts
Delete malware files
Reboot and repeat
8. #RSAC
What Are You Looking For?
Investigate processes that…
…have no icon
…have no description or company name
…unsigned Microsoft images
…live in Windows directory or user profile
…are packed
…include strange URLs in their strings
…have open TCP/IP endpoints
…host suspicious DLLs or services
9. #RSAC
What About Task Manager?
Task Manager provides little information about images that are
running
10. #RSAC
Process Explorer
Process Explorer is “Super Task Manager”
Has lots of general troubleshooting capabilities:
DLL versioning problems
Handle leaks and locked files
Performance troubleshooting
Hung processes
We’re going to focus on its malware cleaning capabilities
11. #RSAC
The Process View
The process tree shows parent-child relationships
Icon, description, and company name are pulled from
image version information
Most malware doesn’t have version information
What about malware pretending to be from Microsoft?
We’ll deal with that shortly…
Use the Window Finder (in the toolbar) to associate a
window with its owning process
Use the Search Online menu entry to lookup unknown
processes
But malware often uses totally random or pseudo-random names
12. #RSAC
Refresh Highlighting
Refresh highlighting highlights changes
Red: process exited
Green: new process
Change duration (default 1 second) in Options
Press space bar to pause and F5 to refresh
Cause display to scroll to make new processes visible with Show New
Processes option
We’ll see how to spot short-lived processes later…
13. #RSAC
Process-type Highlights
Blue processes are running in the same security context as Process
Explorer
Pink processes host Windows services
Purple highlighting indicates an image is “packed”
Packed can mean compressed or encrypted
Malware commonly uses packing (e.g. UPX) to make antivirus signature
matching more difficult
Packing and encryption also hide strings from view
There are a few other colors, but they’re not important for malware
hunting
14. #RSAC
Tooltips
Process tooltips show the full path to the process image
Malware more often hides behind Svchost, Rundll32, Dllhost and
WMIPrsve
Tooltip for Rundll32 processes shows hosted DLL
Dllhost tooltip shows hosted COM server
WMI provider tooltip shows WMI servers
Tooltip for service processes shows hosted services
15. #RSAC
Detailed Process Information
Double-click on a process to see
more information
Pages relevant to malware
analysis:
Image: signing status, start time,
version, autostart location
TCP/IP: open endpoints
Strings: printable strings in main
executable
16. #RSAC
Image Verification
All (well, most) Microsoft code is digitally signed
Hash of file is signed with Microsoft’s private key
Signature is checked by decrypting signed hash with the public key
You can selectively check for signatures with the Verify button on the
process image tab
Select the Verify Image Signatures option to check all
Add the Verified Signer column to see all
Note that verification will connect to the Internet to check Certificate
Revocation List (CRL) servers
17. #RSAC
VirusTotal Integration
VirusTotal.com is Antivirus-as-a-
Service (AaaS)
You can have Process Explorer
check file hashes
Check all displayed files with Options->Check VirusTotal
Results reported in VirusTotal column as well as DLL and
process properties
Uploads hashes
Reports results as positive detection rate or “Unknown”
You can submit unknown files for
scanning
Options->Submit Unknown Executables submits all portable
executable (PE) images < 32 MB in size
Can submit on-demand with context menu or properties dialog
18. #RSAC
Sigcheck
Scan the system for suspicious executable images
Use –v to check VirusTotal:
-v to submit hashes (-vs to submit files for scanning)
-vr to open the VirusTotal report
Look for same characteristics as suspicious processes
Be especially wary of items in the Windows directory and the Users<username>Appdata
directories
Investigate all unsigned images
Examine images with high entropy (> 7)
sigcheck -e –vs -vr -u -s c:
19. #RSAC
The DLL View
Malware can hide as a DLL inside a legitimate process
We’ve already seen this with Rundll32 and Svchost
Typically loads via an autostart
Can load through “dll injection”
Packing highlight shows in DLL view as well
Open the DLL view by clicking on the DLL icon in the
toolbar
Shows more than just loaded DLLs
Includes .EXE and any “memory mapped files”
Can search for a DLL with the Find dialog
DLL strings are also viewable on the DLL properties
20. #RSAC
Terminating Malicious Processes
Don’t kill the processes
Malware processes are often restarted by watchdogs
Instead, suspend them
Note that this might cause a system hang for Svchost processes
Record the full path to each malicious EXE and DLL
After they are all asleep then kill them
Watch for restarts with new names…
23. #RSAC
Autoruns
Shows every place in the system that can be configured to run
something at boot & logon
Standard Run keys and Startup folders
Shell, userinit
Services and drivers
Tasks
Winlogon notifications
Explorer and IE addins (toolbars, Browser Helper Objects, …)
More and ever growing…
Each startup category has its own tab and all items display on the
Everything tab
Startup name, image description, company and path
24. #RSAC
Identifying Malware Autostarts
Zoom-in on add-ons (including malware) by selecting these filter
options:
Verify Code Signatures
Hide Microsoft Entries
Select an item to see more in the lower window
Online search unknown images
Double-click on an item to look at where its configured in the Registry or
file system
Has other features:
Can also show empty locations (informational only)
Includes compare functionality
Includes equivalent command-line version, Autorunsc.exe
25. #RSAC
Alternate Profiles and Offline Scanning
If a specific account is infected, you can use Autoruns from another:
If the system can’t be cleaned online, Autoruns can be used offline:
26. #RSAC
New: Autoruns v13
Dynamic filtering
More detailed progress updates
Full scan save-to-file
File compare deleted/new
VirusTotal Integration
You can have Autoruns check
VirusTotal for hashes
Option to submit files
for scanning
27. #RSAC
Deleting Autostarts
Delete suspicious autostarts
You can disable them if you’re not sure
After you’re done do a full refresh
If they come back, run Process Monitor to see who’s putting them
back
You might have misidentified a malware process
It might be a hidden, system, or legitimate process
29. #RSAC
Tracing Malware
Tracing activity can reveal the system impact of malware
Tracing shows initial infection, before cloaking is applied
Can reveal the internals of “buddy system” and other infection-protection
mechanisms
Process Monitor makes tracing easy
A simple filter can identify all system modifications
Investigating stacks can distinguish legitimate activity from malicious
activity
It will often show you the cause for error messages
It many times tells you what is causing sluggish performance
When in doubt, run Process Monitor!
30. #RSAC
Event Classes
File system (Filemon)
Includes I/O command input and output details
Registry (Regmon)
Includes all data
Process
Process create and exit
Thread create and exit
Image loads, including drivers
Network
ETW network tracing
Profiling
Thread stack snapshots
31. #RSAC
Event Properties
Event details
Duration, process, thread,
details, etc.
Process information
Command line
User
Session and logon session
Image information
Start time
Thread stack at time of event
32. #RSAC
Filtering
To filter on a value, right-click on the line and select the attribute
from the Include, Exclude or Highlight submenus
When you set a highlight
filter you can move
through highlighted event
properties
33. #RSAC
Advanced Filters
Multiple-filter behavior:
Values from different attributes are AND’d
Values for the same attribute are OR’d
Use Edit Filter context menu for quick configuration
More complex filtering is available in the Filter dialog
Outlook-style rule definition
You can save and restore
filters
Filter for watching malware
impact:
“Category is Write”
34. #RSAC
The Process Tree
Tools->Process Tree
Shows all processes that have been
seen in the trace (including parents)
Can toggle on and off terminated
processes
The process tree provides an easy
way to see process relationships
Short-lived processes
Command lines
User names
36. #RSAC
System Monitor (Sysmon)
Background system monitoring utility
Record system events to the Windows event log
Can be used for system anomaly detection
Forensics can trace intruder activity across the network
Written for use in Microsoft corporate network
To understand attacker behavior and tools
Significant contributions by Thomas Garnier
Public version has reduced functionality
Installs as service/driver
No reboot required
Captures events from early in
the boot process
37. #RSAC
Sysmon Events
Process create (new: process terminate process):
Image file and image file hash
Command line
Parent image and command line
GUID for process ID-independent tracking
Driver load and unload:
Image file and image file hash
Network connections:
Process name
IP addresses and ports
Host and port names
File create timestamp change
Process responsible
Original and new timestamp
New: CreateRemoteThread
Source process
Target process
38. #RSAC
Sysmon Configuration
Supports filters on the command-line
Processes to include or exclude
Process network activity
Hash types to collect
Configuration file offers full filtering
Include/exclude on any event type
Conditionals on any event field
Default:
Process create and terminate, file timestamp change
40. #RSAC
The Case of the Unwanted Software
Mom complained about two symptoms:
Her IE home page was hijacked
She got toast from a backup program
41. #RSAC
The Case of the Unwanted Software (Cont)
I went after the backup toast first
Launched Process Explorer and used window finder to identify
offending process:
42. #RSAC
The Case of the Unwanted Software (Cont)
Launched Autoruns and disabled related processes:
43. #RSAC
The Case of the Unwanted Software (Cont)
To find home page hijack, first looked at home page setting
Saw that it was Bing:
But IE launched a different page, so captured an IE startup trace with
Procmon…
44. #RSAC
The Case of the Unwanted Software: Solved
Looked at IE command line and saw parameter:
Opened IE shortcut link and deleted command line: problem solved
50. #RSAC
The Future of Malware
We’ve seen the trends:
Malware that pretends to be from Microsoft or other legitimate companies
Malware protected by sophisticated rootkits
Malware that has stolen certificates
Cleaning is going to get much, much harder
Targeted and polymorphic malware won’t get AV/AS signatures
Malware can directly manipulate Windows structures to cause misdirection
All standard tools will be directly attacked by malware
There will be more un-cleanable malware
You can’t know you’re infected unless you find a symptom
51. #RSAC
The Sysinternals Administrator’s
Reference
The official guide to the Sysinternals tools
Covers every tool, every feature, with tips
Written by Mark Russinovich and
Aaron Margosis
Full chapters on the major tools:
Process Explorer
Process Monitor
Autoruns
Other chapters by tool group
Security, process, AD, desktop, …
52. #RSAC
My Cyberthrillers:
Zero Day: cyberterrorism
Trojan Horse: state-sponsored cyberwarfare
Rogue Code: financial cybercrime and insider
threats
www.russinovich.com