TOPIC: WHAT IS THIS NEW PODCAST ALL ABOUT, WHAT WILL IT COVER?

OUR GUEST WILL BE:

Dave Cowan - Forensic Lunch Podcast and G-C Partners
Tyler Hudak - Trainer in Malware Analysis and Reverse Engineering

Brian and I will kick off this new podcast, and the topic of the day will be:

"What is this new podcast all about, what will it cover?

Incident Response, Malware Discovery, and Basic Malware Analysis, Detection and Response, Active Defense, Threat Hunting, and where does it fit within DFIR"

Show Notes:

Introductions
Introduce our Guests
- Tyler Hudak
- Dave Cowan

News-worthy:

401k fraud - loans taken out using breach data
NC School - Emotet - Emotet malware compromised Rockingham County Schools servers after employees opened phishing emails - isn’t this why are doing this Podcast? Because people need to know they can clean this stuff up
- http://www.greensboro.com/rockingham_now/news/email-virus-shuts-down-rockingham-county-schools-computer-servers/article_7513dbba-ec0b-11e7-8d14-bff0d0ddfcf5.html
- Rockingham County School Board Vice Chair Bob Wyatt confirmed the cost of $314,000 for the repairs. The money, he said, will come out of the unrestricted fund
- 2-month, $314,000 service contract
- The contract will staff 10 Level 3 and 4 engineers a total of 1,200 total onsite man hours. The company will also provide virus mitigation services, including a plan of attack and onsite imaging for approximately 12 servers and 3,000 client systems
- Approximately 20 physical and virtual servers will be need to be rebuilt by hand
- The cleanup is expected to take less than 30 days
- Despite the approval of the contract, some questions did arise from board members who were curious as to why the board did not offer to take outside bids for the $314,000 project
Emotet details and artifacts
Artifacts:
- Delivered via an Office Document
  - Please disable your macros !!!! Allow by exception
  - Uses PowerShell to fetch payload - Word calls PS = BAD
- Checks to see if it is being evaluated in a Sandbox
- Directories created for checks
  - C:\a
  - C:\123
- Creates a service for persistence
- Some create a Scheduled Task too (Services Update)
- Startup folder
- Files dropped in
  - C:\Windows\
  - C:\windows\system32\
  - C:\Windows\Syswow64\
  - C:\Users\<user name>\AppData\Local\Temp\
  - C:\Users\<user name>\AppData\Local\Random\
  - C:\usersd\<user name>\AppData\Roaming\Microsoft\Windows
- IP’s - detect from your firewall

Site-worthy:

BDIR Pick

https://thisweekin4n6.com

Tyler’s Pick

Brad Duncan’s Malware Traffic Analysys
- http://malware-traffic-analysis.net/

Dave’s Pick

Phill’s - This week in Forensics as well
https://www.dfir.training/
http://aboutdfir.com/

Tools-worthy:

BDIR Pick - Shameful self promotion - LOG-MD…
Dave’s Picks - Tri-Force, of course.. It is his tool
- https://www.gettriforce.com
- File system events parser - MAC OS
  - https://github.com/dlcowen/FSEventsParser
Tyler’s Pickl - Lazy Office Analyzer
- https://github.com/tehsyntx/loffice

Topic of the DAY

What is this new podcast all about? Incident Response, Detection and Response, Active Defense, Threat Hunting, Malware Discovery, Basic Malware Analysis

Define IR
1. The process by which you respond to an incident (legal sense)?
2. Do we agree on the diagram above?
  1. Define Discovery
  2. Define Analysis
  3. Define Forensics
3. Does IR include preparation for an attack?
What is Active Defense?
1. Your definition will vary
Threat Hunting - where do Hunters fit into all of this?
1. JP.Cert paper