Malware Incident Response


1 Malware Incident Response
Erdal Ozkaya, CISO, Emt Holding
Raymond Comvalius, Infrastructure Architect, NEXTXPERT

2 Module Agenda
First response at a malware attack
Recognizing malware
Identifying malware processes
Locating malware files
Removing persistence
Tracing malware
More on tooling

3 Don't rely on antivirus
Antivirus was once effective, and it still recognizes the usual suspects, but it is easy to bypass. Expect to find malware that your scanner did not flag.
"Symantec's senior vice president for information security estimates antivirus now catches just 45% of cyberattacks." The Wall Street Journal, May 4, 2014

4 Incident response: Malware
Disconnect from the network
Identify malicious processes and drivers
Terminate the identified processes
Identify and delete malware autostarts
Delete the malware files
Reboot and repeat

5 What to look for
Processes that:
Have no icon
Have no description or company name
Are unsigned "Microsoft" images
Live in the Windows directory or the user profile
Include strange URLs in their strings
Have open TCP/IP endpoints
Host suspicious DLLs or services

6 Process Explorer
Process view
Highlights
VirusTotal integration
DLL view
Strings

7 Identifying malicious processes
All (well, most) Microsoft software is digitally signed, so verify all signatures and treat an unsigned image that claims to be Microsoft as suspect.
Verification connects to the Internet to check Certificate Revocation Lists (CRLs). If you have already pulled the host off the network, revocation checks cannot complete and a legitimate image may show as "unable to verify" rather than "unsigned"; judge it by the other criteria until you can verify it elsewhere.
Submit the hash (or the file) to VirusTotal.
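The triage criteria from slides 5 and 7 can be applied across every running process in one pass. The script below is an added example written for this page, not code from the presentation or from Sysinternals. It assumes Windows 8/Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell session so that process paths are readable; the path heuristics are deliberately narrow (user profile, or loose in the Windows root rather than System32) to keep the list short.

```powershell
# Added example: first-pass triage of running processes using the slide heuristics.
# Assumes Windows 8+/Server 2012+ (NetTCPIP module) and an elevated session.
$profileRoot = $env:USERPROFILE
$windir      = $env:WINDIR

# Open TCP endpoints grouped by owning PID (slide 5: "have open TCP/IP endpoints")
$tcpByPid = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Group-Object -Property OwningProcess -AsHashTable -AsString

$findings = foreach ($p in Get-Process) {
    if (-not $p.Path) { continue }   # protected/system processes expose no path; skip them
    $reasons = New-Object System.Collections.Generic.List[string]

    # Signature check. This walks the chain and may contact CRL servers; on an isolated
    # host a legitimate image can come back as something other than Valid.
    $sig = Get-AuthenticodeSignature -FilePath $p.Path
    if ($sig.Status -ne 'Valid') { $reasons.Add("signature:$($sig.Status)") }

    # Claims to be Microsoft in its version info but the signer is not Microsoft
    if ($p.Company -like '*Microsoft*' -and $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
        $reasons.Add('claims-microsoft-not-microsoft-signed')
    }

    # No description and no company name in the version resource
    if ([string]::IsNullOrWhiteSpace($p.Description) -and [string]::IsNullOrWhiteSpace($p.Company)) {
        $reasons.Add('no-description-or-company')
    }

    # Runs from the user profile (this includes %APPDATA%) or directly from %WINDIR%
    if ($p.Path -like "$profileRoot\*")               { $reasons.Add('in-user-profile') }
    if ((Split-Path $p.Path -Parent) -ieq $windir)    { $reasons.Add('in-windir-root') }

    # Established TCP connections owned by this process
    if ($tcpByPid -and $tcpByPid.ContainsKey("$($p.Id)")) {
        $remote = ($tcpByPid["$($p.Id)"] |
                   Where-Object { $_.State -eq 'Established' } |
                   ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ','
        if ($remote) { $reasons.Add("tcp:$remote") }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            PID     = $p.Id
            Name    = $p.ProcessName
            Path    = $p.Path
            SHA256  = (Get-FileHash -Path $p.Path -Algorithm SHA256).Hash
            Reasons = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Name | Format-Table -AutoSize -Wrap
```

Everything listed is a hint, not a verdict: explorer.exe lives in the Windows root and a vendor updater may legitimately sit in the profile. The SHA256 column lets you search VirusTotal by hash first, which reveals nothing about the host, before deciding whether a file is worth uploading.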

8 Scan for malicious executables
Tool: sigcheck
sigcheck -e -vrs -u -s c:\
-e scan executable images regardless of their extension
-v query VirusTotal by file hash; 'r' opens the report for anything with detections, 's' uploads files VirusTotal has never seen (mind what you upload)
-u with VirusTotal enabled, show only files that are unknown to VirusTotal or have detections; without it, show only unsigned images
-s recurse into subdirectories
The first time you use the VirusTotal options you must also pass -vt to accept the VirusTotal terms of service.
Popular locations are %appdata% and %windir%

9 Terminating Processes
Don't just kill the process: a watchdog process often restarts it.
Instead, suspend the process first. Suspending svchost processes may hang the system, so leave service hosts alone.
Record the full path to each exe and each loaded DLL while the process still exists.
Then kill the processes, and watch for new appearances.
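The suspend, record, kill, watch sequence from slide 9 as an added example (this is not code from the presentation). It assumes the Sysinternals PsTools are on PATH so pssuspend.exe is available, an elevated session, and that the PIDs in $Suspects are ones you have already judged malicious in Process Explorer; the PIDs and the C:\IR evidence path are placeholders.

```powershell
# Added example: contain suspect processes without tipping off a watchdog.
# Assumes Sysinternals pssuspend.exe on PATH and an elevated session.
$Suspects = @(4242, 4243)               # placeholder PIDs, replace with the real ones
$evidence = 'C:\IR\malware-paths.txt'   # placeholder evidence file
New-Item -ItemType Directory -Path (Split-Path $evidence -Parent) -Force | Out-Null

# 1. Suspend first: a suspended process never exits, so a watchdog sees nothing to restart.
#    Never suspend svchost.exe; a frozen service host can hang the whole system.
foreach ($id in $Suspects) {
    $p = Get-Process -Id $id -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    if ($p.ProcessName -ieq 'svchost') { Write-Warning "PID $id is svchost, not suspending"; continue }
    & pssuspend.exe $id | Out-Null
}

# 2. Record the full image path and every loaded DLL while the process still exists.
foreach ($id in $Suspects) {
    $p = Get-Process -Id $id -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    "$($p.Id)`t$($p.Path)" | Add-Content -Path $evidence
    try {
        foreach ($m in $p.Modules) { "$($p.Id)`t  $($m.FileName)" | Add-Content -Path $evidence }
    } catch {
        "$($p.Id)`t  <modules unreadable: $($_.Exception.Message)>" | Add-Content -Path $evidence
    }
}
$baseline = @(Get-Process | Select-Object -ExpandProperty Id)

# 3. Kill.
Stop-Process -Id $Suspects -Force -ErrorAction SilentlyContinue

# 4. Watch for new appearances. A new process running from a recorded path is a respawn;
#    a new process from the user profile is the next thing to look at.
$known = Get-Content -Path $evidence |
         ForEach-Object { ($_ -split "`t")[1].Trim() } |
         Where-Object { $_ -and -not $_.StartsWith('<') } |
         Sort-Object -Unique
$deadline = (Get-Date).AddSeconds(60)
while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 2
    foreach ($n in (Get-Process | Where-Object { $_.Id -notin $baseline -and $_.Path })) {
        $flag = if ($known -contains $n.Path)                    { 'RESPAWN' }
                elseif ($n.Path -like "$env:USERPROFILE\*")      { 'NEW-IN-PROFILE' }
                else                                             { 'new' }
        '{0,-14} PID {1,-6} {2}' -f $flag, $n.Id, $n.Path
        $baseline += $n.Id
    }
}
```

Any RESPAWN line means a watchdog you have not found yet: add its PID to $Suspects and run the sequence again. The evidence file is also what you will need on slide 10, because the recorded paths are exactly the files the autostart entries point at.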

10 Remove Persistence
MSConfig is not the best tool, and Task Manager is also not your best option: both show only a fraction of the autostart locations.
Use Autoruns from Sysinternals.

11 Using Autoruns
Filter the list: hide entries from Microsoft (and verify signatures, or the filter hides anything that merely claims to be Microsoft)
Check VirusTotal
Be careful when submitting files to VirusTotal: an uploaded sample is no longer private
Do not delete the malicious entry; disable it, so the evidence stays and the change can be undone if you were wrong

12 Tracing Malware
Tool: Process Monitor
Event classes:
File System
Registry
Process
Network
Profiling

13 System Monitor (Sysmon)
Background system monitoring
Records to the Windows event log
Enables tracing of historic activity
Installs as a service and driver
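What "tracing of historic activity" looks like in practice, as an added example that is not part of the presentation: install Sysmon with a small rule set, then later pull the process-creation events that Process Monitor could not show you because it was not running at the time. It assumes Sysmon64.exe in the current directory and an elevated session; the rule set is illustrative only (the schemaversion must not exceed what the installed binary supports, which `Sysmon64.exe -? config` prints) and is not a recommended production configuration.

```powershell
# Added example: minimal Sysmon deployment plus a historic query of Event ID 1.
# Assumes Sysmon64.exe in the current directory and an elevated session.
$config = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: record every process creation, minus one noisy Microsoft binary -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3: record network connections made by anything running under \Users\ -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="contains">\Users\</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path .\sysmon.xml -Value $config -Encoding UTF8
& .\Sysmon64.exe -accepteula -i .\sysmon.xml

# Later, during response: everything that started from a user's AppData in the last 24 hours,
# with parent, command line and hash, even though nobody was watching at the time.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $d.Image
            Parent      = $d.ParentImage
            CommandLine = $d.CommandLine
            Hashes      = $d.Hashes
        }
    } |
    Where-Object { $_.Image -like '*\AppData\*' } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

The parent image is the part worth reading first: an executable in AppData spawned by winword.exe or by a browser tells a very different story from one spawned by an installer you recognise. The same query with Id = 3 returns the network connections that the second rule group recorded.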

14 Demo
Tech Ready 15. © 2012 Microsoft Corporation. All rights reserved.

15 Other Sysinternals Forensic Tools
Disk2vhd
TcpView

16 Other Forensic Tools
Sysinternals
PowerShell
NirSoft: MyLastSearch, WebBrowserPassView, IECookiesView

17 Summary
Be prepared for a malware attack
Make sure you know the tools and the strategy
Implement Sysmon
Learn PowerShell!

18 TechNet Virtual Labs
Technet.microsoft.com/evalcenter
Technet.microsoft.com/virtuallabs
microsoftvirtualacademy.com

