Demystifying Windows Malware Investigations w/ Patterson Cake

preview_player
Показать описание

🛝 🔗 Webcast Slides –

From multiplate layers of obfuscation to conditional behavior to sandbox avoidance, malware can indeed be complicated.

But ultimately, when a Windows malware event occurs, the most important questions are “if” and “how” it impacted your environment!

In this free one-hour Black Hills Information Security (BHIS) webcast, Patterson Cake - Incident Responder, will discuss a simplified approach and tactical tips for answering those questions when investigating malware events on your Windows endpoints.

///Chapters
0:00 Introduction
3:55 Agenda and schedule
5:12 Win-Mal Investigations
7:32 Malware analysis
11:20 Malware commonalities
12:40 Most common threats (recent)
18:13 Technical possibilities
20:24 Windows malware investigation - artifacts
22:19 Network communications (C2)*
25:01 Disk (“Writable”)*
26:59 Running process (memory)
27:35 Services
28:25 Scheduled tasks
29:05 Running processes [DIFF]
32:34 Windows malware investigation collection
36:04 Win-Mal Investigation - WORKFLOW
46:30 Sandbox Analysis [FINDINGS]
48:08 Win-Mal Investigations [FINDINGS]
49:33 WinMal Technical Possibilities…
53:32 Q&A
  1. Black Hills Information Security
Рекомендации по теме
Demystifying Windows Malware 1:19:12

Demystifying Windows Malware Investigations w/ Patterson Cake

QBOT Malware Investigation 0:40:23

QBOT Malware Investigation

Demystifying Modern Windows 0:31:23

Demystifying Modern Windows Rootkits

Windows Defender - 0:38:35

Windows Defender - Demystifying and Bypassing ASR by Understanding the AV's Signatures

DEF CON 31 0:39:04

DEF CON 31 - Defender Pretender When Windows Defender Updates Become a Security Risk -Bar, Attias

Malware-detection using Hardware 0:06:56

Malware-detection using Hardware Performance Counters

Breaking Dridex Malware 0:19:17

Breaking Dridex Malware

Webinar | Demystifying 1:12:45

Webinar | Demystifying EDR

Demystifying Azure Defender 0:56:46

Demystifying Azure Defender Once and for All | Azure Security Center webinar

Demystifying Cybersecurity Webinar: 0:32:10

Demystifying Cybersecurity Webinar: With Matthew Schmider

Dissecting Sakula Malware 0:53:26

Dissecting Sakula Malware

Windows Event and 0:36:38

Windows Event and Logging Demystified: IT Admin Edition

Emotet Malware (Network 0:41:03

Emotet Malware (Network Forensic with Brim Security)

Dark-Web Forensic Analysis 0:00:44

Dark-Web Forensic Analysis for law Enforcement Agencies #darkweb #investigation #forensics

Process Injection Explained: 0:22:28

Process Injection Explained: Windows OS Fundamentals for Cybersecurity | Part 1

AD Forensics with 0:45:46

AD Forensics with PowerShell McGlone

Infrastructure Chaining Using 0:07:56

Infrastructure Chaining Using Microsoft Defender Threat Intelligence

Veni, No Vidi, 0:42:01

Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors

Windows Kernel Vulnerability 0:56:09

Windows Kernel Vulnerability Research and Exploitation - Gilad Bakas

1st 3 Windows 0:05:48

1st 3 Windows IR Commands - BHIS Nuggets | John Strand

Decoding NOBELIUM: The 0:13:00

Decoding NOBELIUM: The hunt for a global threat (Episode 2)

VPN (Virtual Private 0:07:11

VPN (Virtual Private Network) Explained

Hybrid Identity Threat 0:02:00

Hybrid Identity Threat Investigation Experience

Wk 02 - 0:39:00

Wk 02 - Introduction to Security

Комментарии
Автор

Patterson's presentations are always top notch!

davidperez
Автор

Thanks for sharing I have never thought about using a comparison like this between a good machine and infected machine!

levireuss
Автор

I used to be astonished that Patterson cared so little about knowing, or perhaps his own not knowing, assembler or perhaps even raw machine code. Coming to terms with this error of mine taught me a bit about one of my weaknesses.
What Patterson's position represents, very sensibly and profitably, is that not many bad guys actually operate in assembler or close to the metal. A very great deal of stupidity, harm, and even conscious criminality, is carried out in unsophisticated ways. It could be the drunk just picking up something that's not nailed down on the way home after the bars close. It could be the guy (usually) operating at the level of the kid who gets passed up to the next grade with scores of 40 because the teacher says What the hell else are we to do with the poor dope? There are so many of these unsophisticates, causing so much total harm in all their dopey ways, that even the unsophisticated good guy can catch a lot of them, or prevent a lot of harm by taking precautions, or scare a lot of these mopes straight, that simple honesty is worthwhile even without brilliant tools in its hands.
My not having understood this is one of the errors of perfectionism, to be charitable, or of absolutism to not be. This is not to say that there is no good role for _some_ perfectionism, or even absolutism, in a good society operating well. We don't mind is a jeweller or a graphic artist is a perfectionist. There must be other examples -- but life is short and the Sun wiould die out before I finished typing.
For most of us it is best not to be that perfect jeweller. We'd starve. And the world would be a better place if no young boy spent more than a few months infatuated with Ayn Rand. Damn, but that's something to try to bring about. Most ex-Ayn-Randers are doing a reasonable job on this problem. One of the reasons we survive...
Last quick note: I admire you folks a good deal, respect you a whole lot, and Oh, my goodness, but I am grateful for what you do!

TheDavidlloydjones
Автор

On the topic of aggrandizing your adversary, the reality is that we don't strictly *know* our adversaries' capabilities, so assuming the worst case scenario and then working within your business constraints is a solid approach.

EasyMac