# Using sysinternals

https://www.youtube.com/watch?v=A_TPZxuTzBU

![image](https://hackmd.io/_uploads/By7MQVJMA.png =x200)
![image](https://hackmd.io/_uploads/r1Holr1GA.png =x200)

Recursively (`-s`) check executable images (`-e`) and list only the unsigned ones (`-u`):

```
sigcheck -s -e -u *
```

![image](https://hackmd.io/_uploads/HyYec8JfC.png =x200)
![image](https://hackmd.io/_uploads/BJ3RQPJfR.png)
![image](https://hackmd.io/_uploads/ByV7UDkG0.png)

If Autoruns does not detect the malware, check Procmon: the malware may put itself on a RunOnce key.

![image](https://hackmd.io/_uploads/ryCzFwkG0.png)

To detect this kind of malware, capture at startup and at shutdown, then compare the two captures to see what the malware does at startup and at shutdown. To clean it, reboot the machine before it shuts down.

![image](https://hackmd.io/_uploads/SJQtkd1G0.png)

If the malware blocks the tool or blocks the screen, press Win+Ctrl+D to open a new desktop.

Overview: https://medium.com/@jcm3/sysinternals-tryhackme-walkthrough-4f1e99374c75

## Malware in service

https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/
https://darkdefender.medium.com/can-you-check-if-my-computers-been-hacked-f18e8f971aed

* Internet history
  https://www.inversecos.com/2022/10/recovering-cleared-browser-history.html
  https://odintheprotector.github.io/2024/01/28/tetctf2024-writeup.html
* Registry
  https://www.sans.org/tools/registry-explorer/
* Services, recently opened files
  https://labs.jumpsec.com/no-logs-no-problem-incident-response-without-windows-event-logs/
  https://sec.vnpt.vn/2022/06/windows-forensic-malware-persistence/

# Lab

Sysmon: https://medium.com/@huseyin.eksi/important-sysmon-events-to-follow-a59464081dd0
How to get started with Microsoft Sysinternals' Sysmon advanced event logging: https://www.youtube.com/watch?v=B7Lf-IWVa5I

Regshot: take a snapshot of your registry and then compare it.
https://github.com/winsiderss/systeminformer
https://github.com/marcosd4h/memhunter
https://github.com/marcosd4h/sysmonx
https://drive.google.com/drive/folders/1F4toqiJoc0OerAqmaKWMBLp2zHGI1Toz

Finding Malware with Sysinternals Process Explorer: https://www.youtube.com/watch?v=y2bNLCWHFNs
Tool: pr0c3xp64.exe: https://www.pconlife.com/download/otherfile/449839/2f37765933e6cdb8fa1bbba97f23c3ce/
Press Ctrl+D to show the DLL view.

Everything: https://everything.softonic.vn/
Autoruns: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
LastActivityView: https://taimienphi.vn/download-lastactivityview-9700/taive
https://www.bleepingcomputer.com/download/getservices/
https://www.pconlife.com/viewfileinfo/checkinjectx64-exe/
PEiD can be used to identify whether a file is packed: https://medium.com/ce-malware-analysis/practical-malware-analysis-lab-solutions-static-analysis-4f892cbae9d
PC Hunter
Scheduled tasks: https://juggernaut-sec.com/scheduled-tasks/
accesschk: enumerate the permissions on the folder and file of interest. With accesschk we could start by searching whether we have write permissions on any files or folders in C:.

Lab 1

![image](https://hackmd.io/_uploads/SJaARo9ZA.png)

Lab 2: injected DLL

![image](https://hackmd.io/_uploads/Byci0ocb0.png)

Lab 3: scheduled tasks

![image](https://hackmd.io/_uploads/rky02scZ0.png)

Lab 4: command in scheduled tasks

![image](https://hackmd.io/_uploads/r1kmRnkzA.png)

Jump to the entry and check the command.

![image](https://hackmd.io/_uploads/BJMV0hkGR.png)
![image](https://hackmd.io/_uploads/B1UBR3JGR.png)
![image](https://hackmd.io/_uploads/HJK8A3Jz0.png)

Lab 5

![image](https://hackmd.io/_uploads/ByMHNpeM0.png)

UserInitMprLogonScript is a registry value used to specify scripts or programs that are executed when a user logs on to the system.

If you have run mimikatz many times you will recognise the string "sekurlsa:logonpasswd".

Lab 10: in the tmp folder

![image](https://hackmd.io/_uploads/rJLJRufGC.png)

After it runs, the folder changes:

![image](https://hackmd.io/_uploads/By7l0dfMC.png)

Similar write-up: https://medium.com/ce-malware-analysis/battery-powered-trojan-part-1-3788e03f106f

## Malware analysis

1. Upload the file to VirusTotal and view the reports.
2. Examine the PE header.
3. Scan the file for any strings.
4. Is there any indication that the file is malicious?

https://medium.com/ce-malware-analysis/battery-powered-trojan-part-1-3788e03f106f
https://medium.com/ce-malware-analysis/battery-powered-trojan-part-2-f256d4fe60a

PE Studio categorizes and classifies libraries, imports, exports, and strings. Here, it tells us what the imported functions do and whether or not they are likely malicious.

https://medium.com/ce-malware-analysis/battery-powered-trojan-part-3-abda2cb83256 (IDA walkthrough and the msf connect trojan)

Use Procmon to observe a specific process.

https://medium.com/ce-malware-analysis/lab-3-basic-dynamic-analysis-46303171da9a

ApateDNS: check DNS requests.
iNetSim log: get logs from all actions.

# App monitor

Detect Hackers & Malware on your Computer (literally for free): https://www.youtube.com/watch?v=R3fFzYXKn3c&t=242s
Clean ANY malware or virus off ANY Windows computer with one FREE and SIMPLE program: https://www.youtube.com/watch?v=9hWwY8Lo4ag
How to Remove ANY Virus from Windows in ONE STEP: https://www.youtube.com/watch?v=Rf1Y5o9FogA
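The notes above describe the same detection idea several times: take a snapshot of the autostart locations (Regshot for the registry, Autoruns for Run/RunOnce keys, the logon-script value UserInitMprLogonScript, services and scheduled tasks), let the machine reboot or the sample run, and compare. The script below is an added example written for this note; it is not Regshot, Autoruns or any tool linked here. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (needed for `Get-ScheduledTask` and `Get-CimInstance`), and the snapshot file path under `$env:TEMP` is a placeholder you can change.

```powershell
# Added example: snapshot common Windows autostart locations and diff two snapshots.
# Assumes an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Environment'   # UserInitMprLogonScript is a value under this key
)

function Get-AutostartSnapshot {
    # Returns one line per persistence entry:
    #   REG|key|valuename|data   SVC|name|startmode|imagepath   TASK|taskpath|commandline
    $entries = New-Object System.Collections.Generic.List[string]

    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not registry values
            # Under HKCU:\Environment only the logon-script value is an autostart vector
            if ($key -eq 'HKCU:\Environment' -and $p.Name -ne 'UserInitMprLogonScript') { continue }
            $entries.Add("REG|$key|$($p.Name)|$($p.Value)")
        }
    }

    # Services: malware hiding as a service appears as a new name or a changed image path
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $entries.Add("SVC|$($svc.Name)|$($svc.StartMode)|$($svc.PathName)")
    }

    # Scheduled tasks: record the command line of every exec action
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                $entries.Add("TASK|$($task.TaskPath)$($task.TaskName)|$($action.Execute) $($action.Arguments)")
            }
        }
    }

    $entries | Sort-Object -Unique
}

function Compare-AutostartSnapshot {
    param(
        [Parameter(Mandatory)][string[]]$Before,
        [Parameter(Mandatory)][string[]]$After
    )
    # Compare-Object marks entries only in $After with '=>' (new persistence) and
    # entries only in $Before with '<=' (removed); unchanged entries are not emitted.
    Compare-Object -ReferenceObject $Before -DifferenceObject $After |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            [pscustomobject]@{ Change = $change; Entry = $_.InputObject }
        }
}

# Usage, in two runs (the placeholder file path is an assumption of this example):
#   1. Baseline:
#        Get-AutostartSnapshot | Set-Content -Path "$env:TEMP\autostart-before.txt"
#   2. Reboot the machine (or run the sample), then:
#        Compare-AutostartSnapshot -Before (Get-Content -Path "$env:TEMP\autostart-before.txt") `
#                                  -After (Get-AutostartSnapshot) | Format-Table -AutoSize
```

Because the baseline is written to a file, the comparison survives the reboot that the Procmon startup/shutdown capture in the notes relies on, so a RunOnce value or service that is re-created only during shutdown shows up as `ADDED` on the next run.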