TOPIC: WHAT IS THIS NEW PODCAST ALL ABOUT, WHAT WILL IT COVER?
OUR GUEST WILL BE:
Dave Cowan - Forensic Lunch Podcast and G-C Partners
Tyler Hudak - Trainer in Malware Analysis and Reverse Engineering
Brian and I will kick off this new podcast, and the topic of the day will be:
"What is this new podcast all about, what will it cover?
Incident Response, Malware Discovery, and Basic Malware Analysis, Detection and Response, Active Defense, Threat Hunting, and where does it fit within DFIR"
Show Notes:
Introductions
Introduce our Guests
Tyler Hudak
Dave Cowan
News-worthy:
401k fraud - loans taken out using breach data
NC School - Emotet - Emotet malware compromised Rockingham County Schools servers after employees opened phishing emails - isn’t this why we are doing this Podcast? Because people need to know they can clean this stuff up
Rockingham County School Board Vice Chair Bob Wyatt confirmed the cost of $314,000 for the repairs. The money, he said, will come out of the unrestricted fund
2-month, $314,000 service contract
The contract will staff 10 Level 3 and 4 engineers a total of 1,200 total onsite man hours. The company will also provide virus mitigation services, including a plan of attack and onsite imaging for approximately 12 servers and 3,000 client systems
Approximately 20 physical and virtual servers will need to be rebuilt by hand
The cleanup is expected to take less than 30 days
Despite the approval of the contract, some questions did arise from board members who were curious as to why the board did not offer to take outside bids for the $314,000 project
Emotet details and artifacts
Artifacts:
Delivered via an Office Document
Please disable your macros !!!! Allow by exception
Uses PowerShell to fetch payload - Word calls PS = BAD
Checks to see if it is being evaluated in a Sandbox
Directories created for checks
C:\a
C:\123
Creates a service for persistence
Some create a Scheduled Task too (Services Update)
Startup folder
Files dropped in
C:\Windows\
C:\windows\system32\
C:\Windows\Syswow64\
C:\Users\<user name>\AppData\Local\Temp\
C:\Users\<user name>\AppData\Local\Random\
C:\Users\<user name>\AppData\Roaming\Microsoft\Windows
IPs - detect from your firewall
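As an added example (not from the podcast, its hosts, or any tool they mention), here is a defender-side hunt script that checks a Windows host for the Emotet artifacts listed above: the sandbox-check directories, recently created executables in the drop locations, service/scheduled-task/Startup-folder persistence, and Word launching PowerShell. It assumes Sysmon is installed for the last check and that user profiles live under C:\Users; neither is stated on the page. The "Random" AppData\Local folder name in the notes is a placeholder, so the script sweeps every subfolder of AppData\Local one level deep instead.

```powershell
# Added example, not the podcast's own code. Run from an elevated PowerShell session.
# Assumptions (not on the page): Sysmon is installed for the Word->PowerShell check,
# and user profiles are rooted at C:\Users.

# 1. Sandbox-check directories named in the show notes
$sandboxDirs = @('C:\a', 'C:\123')
function Test-SandboxDirs {
    foreach ($d in $sandboxDirs) {
        if (Test-Path -LiteralPath $d -PathType Container) {
            [pscustomobject]@{ Check = 'SandboxDir'; Item = $d; Detail = '' }
        }
    }
}

# 2. Recently created .exe/.dll files in the drop locations from the notes
function Get-RecentDrops {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $roots = @('C:\Windows', 'C:\Windows\System32', 'C:\Windows\SysWOW64')
    foreach ($p in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $roots += Join-Path $p.FullName 'AppData\Local\Temp'
        $roots += Join-Path $p.FullName 'AppData\Local'               # covers the "Random" subfolder
        $roots += Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows'
    }
    foreach ($r in $roots) {
        Get-ChildItem -LiteralPath $r -File -Recurse -Depth 1 -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $since } |
            ForEach-Object { [pscustomobject]@{ Check = 'RecentDrop'; Item = $_.FullName; Detail = $_.CreationTime } }
    }
}

# 3. Persistence: services or tasks whose binary lives in a user-writable path,
#    the "Services Update" task name from the notes, and per-user Startup folders
function Get-SuspiciousPersistence {
    $userPattern = '\\Users\\|\\AppData\\|\\Temp\\'
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match $userPattern } |
        ForEach-Object { [pscustomobject]@{ Check = 'Service'; Item = $_.Name; Detail = $_.PathName } }
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like '*Services Update*' -or (($_.Actions.Execute -join ' ') -match $userPattern) } |
        ForEach-Object { [pscustomobject]@{ Check = 'ScheduledTask'; Item = $_.TaskName; Detail = ($_.Actions.Execute -join ' ') } }
    foreach ($p in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $startup = Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
        Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Check = 'StartupFolder'; Item = $_.FullName; Detail = $_.CreationTime } }
    }
}

# 4. Word spawning PowerShell ("Word calls PS = BAD"), via Sysmon Event ID 1.
#    Fields are read by name from the event XML so Sysmon schema changes do not shift them.
function Get-OfficeSpawnedPowerShell {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ParentImage'] -match '\\WINWORD\.EXE$' -and $d['Image'] -match '\\powershell\.exe$') {
            [pscustomobject]@{ Check = 'WordToPowerShell'; Item = $d['CommandLine']; Detail = $d['ParentCommandLine'] }
        }
    }
}

# Collect everything and print one table; an empty table means none of the listed artifacts were seen.
$findings = @(Test-SandboxDirs) + @(Get-RecentDrops) + @(Get-SuspiciousPersistence) + @(Get-OfficeSpawnedPowerShell)
$findings | Format-Table -AutoSize
```

The service and task checks key on "binary in a user-writable path" rather than on any fixed name, since the notes only give one example task name; review each hit against your software inventory, because some legitimate installers also register services from AppData. The firewall-side IP check the notes mention has to be done against your own firewall logs and is not covered here.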
Site-worthy:
BDIR Pick
Tyler’s Pick
Brad Duncan’s Malware Traffic Analysis
Dave’s Pick
Phill’s - This week in Forensics as well
Tools-worthy:
BDIR Pick - Shameful self promotion - LOG-MD…
Dave’s Picks - Tri-Force, of course.. It is his tool
File system events parser - MAC OS
Tyler’s Pick - Lazy Office Analyzer
Topic of the DAY
What is this new podcast all about? Incident Response, Detection and Response, Active Defense, Threat Hunting, Malware Discovery, Basic Malware Analysis
Define IR
The process by which you respond to an incident (legal sense)?
Do we agree on the diagram above?
Define Discovery
Define Analysis
Define Forensics
Does IR include preparation for an attack?
What is Active Defense?
Your definition will vary
Threat Hunting - where do Hunters fit into all of this?
JP.Cert paper
BDIR Podcast Sponsor:
LOG-MD.Com
This Podcast Sponsored by: