Responder Reporting PAW v1x 258.32 KiB

Primary Intelligence Categories
Goal: Give a macro view of the malware and system compromise related data to an analyst. These categories should be auto-populated where appropriate. Categories with hits should be highlighted using red font. We want the areas of interest to be readily apparent.
Expanded Tree
Propagation
Goal: Identify modules with the ability to self-propagate.
Impersonation –
Network shares – Does it use SMB?
Exploitation – Shellcode present in strings?
Autorun Strings – Autorun.inf?
Custom String Search Results
Goal: Identify associated processes and modules for strings that a user provides in a text file prior to memory import.
Disable Security Software
Goal: Identify any modules that disable security software.
Firewall Killer – Strings or API calls associated with this activity.
AV Killer – Strings or API calls associated with this activity.
Reboot Survival
Goal: Identify any modules that make filesystem or registry modifications.
Registry Modification – RegCreateKey, RegSetValue. A list of predefined registry keys that are commonly edited could be provided by the user, like baserules.txt???
File Creation – Identify file creations via strings and/or API calls.
Network Communications
Goal: Identify system-wide suspicious network communications.
SMTP/FTP/P2P/IRC Related Strings –
IP Address Based HTTP Connections – IP address based HTTP communications.
Listening Ephemeral Ports – Established TCP connections on ports > 1024.
Established External Connections – Network connections to non-RFC1918 addresses.
Perform open source intelligence?
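As an added worked example (not part of this planning document or of the Responder product), the script below runs the four Network Communications categories over a constructed netstat-style connection table and a constructed set of per-process string hits, and prints each category with hits in red the way the report is meant to highlight them. The RFC1918 ranges are spelled out so the rule matches the page's definition; the protocol tokens, the reading of "Listening Ephemeral Ports" as a TCP socket in LISTENING state on a port above 1024, and all PIDs, addresses and strings are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 ranges, spelled out so the rule matches the page's definition
# rather than Python's broader ip_address(...).is_private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Protocol-specific tokens for the "SMTP/FTP/P2P/IRC Related Strings" category
# (illustrative set chosen for the example, not a complete signature list).
PROTOCOL_TOKENS = {
    "SMTP": ("EHLO ", "MAIL FROM:", "RCPT TO:"),
    "FTP": ("RETR ", "STOR ", "PASV"),
    "P2P": ("BitTorrent protocol",),
    "IRC": ("NICK ", "JOIN #", "PRIVMSG"),
}

# HTTP traffic addressed to a bare IPv4 literal instead of a hostname.
IP_LITERAL_HTTP = re.compile(r"(?:^Host:\s*|https?://)\d{1,3}(?:\.\d{1,3}){3}")

# Constructed records in a netstat-like shape (invented for the example):
# (pid, proto, local_addr, local_port, remote_addr, remote_port, state)
SAMPLE_CONNECTIONS = [
    (412,  "TCP", "192.168.1.20", 49732, "192.168.1.5",   445, "ESTABLISHED"),
    (880,  "TCP", "0.0.0.0",        135, "0.0.0.0",         0, "LISTENING"),
    (1337, "TCP", "192.168.1.20", 49801, "203.0.113.77", 8080, "ESTABLISHED"),
    (1337, "TCP", "0.0.0.0",      31337, "0.0.0.0",         0, "LISTENING"),
    (2210, "TCP", "192.168.1.20", 49900, "10.0.0.8",     6667, "ESTABLISHED"),
]

# Constructed string hits per PID, as a strings pass over process memory would yield them.
SAMPLE_STRINGS = {
    412:  ["\\\\fileserver\\share", "kernel32.dll"],
    1337: ["GET /gate.php HTTP/1.1", "Host: 203.0.113.77", "User-Agent: Mozilla/4.0"],
    2210: ["NICK bot4711", "JOIN #c2", "PRIVMSG"],
}


def is_rfc1918(addr):
    """True when addr falls inside one of the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(connections, strings):
    """Return {pid: {category: [evidence, ...]}} for the four network categories."""
    hits = defaultdict(lambda: defaultdict(list))

    for pid, proto, laddr, lport, raddr, rport, state in connections:
        if proto != "TCP":
            continue
        if state == "LISTENING" and lport > 1024:
            hits[pid]["Listening Ephemeral Ports"].append(f"{laddr}:{lport}")
        if state == "ESTABLISHED" and not is_rfc1918(raddr):
            hits[pid]["Established External Connections"].append(f"{raddr}:{rport}")

    for pid, found in strings.items():
        for s in found:
            for name, tokens in PROTOCOL_TOKENS.items():
                if any(tok in s for tok in tokens):
                    hits[pid]["SMTP/FTP/P2P/IRC Related Strings"].append(f"{name}: {s!r}")
            if IP_LITERAL_HTTP.search(s):
                hits[pid]["IP Address Based HTTP Connections"].append(repr(s))

    return {pid: dict(cats) for pid, cats in hits.items()}


RED, RESET = "\x1b[31m", "\x1b[0m"


def render(hits):
    """One red line per PID/category with hits (terminal stand-in for the report's red font)."""
    lines = []
    for pid in sorted(hits):
        for cat, evidence in sorted(hits[pid].items()):
            lines.append(f"{RED}{pid} {cat}: {', '.join(evidence)}{RESET}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(classify(SAMPLE_CONNECTIONS, SAMPLE_STRINGS))))
```

PID 412 (SMB to an internal host) and PID 880 (listening on 135) produce no hits and so stay unhighlighted; PID 1337 lights up three categories and PID 2210 one. The "Established External Connections" rule is deliberately only a non-RFC1918 test, so on a real host it will also flag legitimate Internet traffic; it is a triage highlight, not a verdict.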
Rootkit Techniques
Goal: Identify rootkit-like activity.
Get Greg’s input…
Suspicious Processes
Goal: Identify any process with suspicious characteristics as detailed below.
Orphaned Processes – Does the process have a PPID that is still active? (add this: Did cmd.exe spawn lsass.exe?)
Suspicious Paths – Is a process started from temp/tmp/desktop?
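As an added worked example (again not code from this document or from Responder), the script below runs the Suspicious Processes checks over a constructed process table: the orphaned-PPID test, the "did cmd.exe spawn lsass.exe?" question generalised to a small expected-parent table, and the temp/tmp/desktop path test. It also handles the PID-reuse case that a plain PPID lookup misses: a parent that was created after its supposed child is a reused PID, so the child is really an orphan. The process list, timestamps and the expected-parent table (which reflects Vista and later; on XP lsass.exe and services.exe hang off winlogon.exe) are assumptions made for the example.

```python
from collections import defaultdict

# Expected parents for a few core Windows processes (Vista and later; on XP
# lsass.exe and services.exe hang off winlogon.exe instead). Illustrative table.
EXPECTED_PARENT = {
    "lsass.exe": {"wininit.exe"},
    "services.exe": {"wininit.exe"},
}

# Path fragments the page names (temp/tmp/desktop), matched case-insensitively
# against the backslash-normalised image path.
SUSPICIOUS_PATH_PARTS = ("\\temp\\", "\\tmp\\", "\\desktop\\")

# Constructed process table (invented for the example):
# (pid, ppid, name, image_path, create_time in seconds since boot)
SAMPLE_PROCESSES = [
    (4,    0,    "System",       "",                                               0),
    (400,  4,    "smss.exe",     "\\SystemRoot\\System32\\smss.exe",               1),
    (520,  400,  "wininit.exe",  "C:\\Windows\\System32\\wininit.exe",             2),
    (608,  520,  "lsass.exe",    "C:\\Windows\\System32\\lsass.exe",               3),
    (1020, 9999, "explorer.exe", "C:\\Windows\\explorer.exe",                     10),
    (2444, 1020, "cmd.exe",      "C:\\Windows\\System32\\cmd.exe",                20),
    (2460, 2444, "lsass.exe",    "C:\\Users\\bob\\AppData\\Local\\Temp\\lsass.exe", 21),
    (3100, 3000, "svchost.exe",  "C:\\Windows\\System32\\svchost.exe",            30),
    (3000, 1020, "notepad.exe",  "C:\\Windows\\System32\\notepad.exe",            40),
]


def analyze(processes):
    """Return {pid: [(category, detail), ...]} for the Suspicious Processes checks."""
    by_pid = {p[0]: p for p in processes}
    findings = defaultdict(list)

    for pid, ppid, name, path, created in processes:
        if pid == 4 and ppid == 0:
            continue  # the kernel root has no parent by design

        parent = by_pid.get(ppid)
        if parent is None:
            findings[pid].append(("Orphaned Processes", f"parent PID {ppid} is no longer running"))
        elif parent[4] > created:
            # The PPID points at a process created after this one: the real parent
            # exited and Windows reused its PID, so this is an orphan too.
            findings[pid].append(("Orphaned Processes", f"PID {ppid} was reused; actual parent has exited"))
        else:
            pname = parent[2]
            expected = EXPECTED_PARENT.get(name.lower())
            if expected is not None and pname.lower() not in expected:
                # The page files the cmd.exe -> lsass.exe question under Orphaned
                # Processes; it is reported here under its own label.
                findings[pid].append(("Unexpected Parent",
                                      f"{name} spawned by {pname} (expected {'/'.join(sorted(expected))})"))

        norm = path.replace("/", "\\").lower()
        if any(part in norm for part in SUSPICIOUS_PATH_PARTS):
            findings[pid].append(("Suspicious Paths", path))

    return dict(findings)


if __name__ == "__main__":
    for pid, items in sorted(analyze(SAMPLE_PROCESSES).items()):
        for category, detail in items:
            print(f"{pid:>6} {category}: {detail}")
```

Note that explorer.exe (PID 1020) is reported as orphaned even though that is normal: userinit.exe exits after launching it. Orphaned status is a prompt for the analyst to look, which is why the second lsass.exe (PID 2460, spawned by cmd.exe from a Temp directory) stands out by carrying two findings rather than one.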