What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.

2013-02-23

Notes for Behavioral Analysis Process

Description:
  • Below are core steps in the behavioral analysis steps.

Steps:
  1. Activate monitoring tools
  2. Run malware in the virtual machine for a while
  3. Terminate the malicious tools
  4. Pause monitoring tools
  5. Observe logs for suspicious entries

Tools or Tactics:
  1. VMWare virtual machine, Sysinternals tool
  2. Process Monitor
    • Filtering Process Monitor Logs: Native Filter
    • Filtering Process Monitor Logs: Export to CSV and Filter in Excel
  3. Process Explorer
  4. Monitoring the Lab Network (network sniffer from linux)
    • Wireshark
    • tcpdump
    • When Windows failed to resolve the hostname using DNS, malware attempted to query the hostname using the NetBIOS (NBNS) protocol.
  5. Redirecting Network Traffic
    • Do not let the malware connect to the Internet
    • Redirect traffic to a lab machine
    • If malware uses a domain name:
      • Modify local hosts file
        -Windows: C:\WINDOWS\system32\drivers\etc\hosts
        - Linux: /etc/hosts
      • Bring up a lab DNS server
  6. Give the malware what it wants (IRC server or HTTP server)
  7. "Follow TCP Stream" in Wireshark to for IRC/HTTP session Details
  8. Analyze the behavior!

No comments:

Post a Comment