This week I’m covering malware fast triage. It occurred to me that I should revisit this issue for a couple of different reasons. I remember covering this many years ago and I believe that’s why I haven’t thought about doing anything on it lately. However, it does go hand-in-hand with the Windows fast triage series that I am doing. Part of that strategy is to look for “common malware patterns.” In an effort to maximize what the listeners get from the episodes I figured this topic definitely needs to be revisited so that when I use that term, you are at least clear on what I mean by it and the method it represents.
This week is a continuation of the Windows fast triage miniseries. While other aspects of the triage miniseries had fairly contained artifacts to examine, new process triage presents a large and complex landscape to the analyst. I have already broken down a number of effective analysis methods to make this more manageable. This week I focus on key applications to look for during a review. These applications tend to be associated more with malicious activity, at least according to threat intelligence research, so being aware of them and recognizing the potential is important. I also spend some time talking about the nuances of CMD.
A while back I did an episode on “learning from the red team” which focused on methods blue team members can utilize to better understand attacks and the artifacts affected by those attacks. One of the advantages of this method that I did not mention in that episode was how to use open source vulnerability scanners for the same purpose. This week, will be part two and I will go over freely available resources and the method to help you gain better insight into forensic artifacts.