Flashcards

Cards: 15
Learners: 0
Language: English
Level: University
Created / Updated: 19.06.2019 / 19.06.2019
Licence: not specified
0 exact answers, 15 text answers, 0 multiple-choice answers

Why does most malware have persistence mechanisms?

Persistence mechanisms allow malware to survive a reboot.

The goal of persistence is to launch malware during boot, logon, etc...


Describe the two persistence mechanisms based on patching.

Binary patching used to be called a "virus".

Trojanized system binaries: add malicious code to executables or DLLs that are part of the OS, and which thus get loaded on system startup.

MBR patching: allows malware to start very early in the boot process, before any security mechanisms get loaded (the master boot record is modified to load the malware). [Newer Secure Boot mechanisms allow the BIOS/firmware to verify the signature of the boot loader.]

How can you detect binary patching?

  • Check hashes of files on the system against a DB of known-good binaries
  • Check signature of files

Sigcheck from Sysinternals is a tool that performs signature checks; it can also be used to perform a VirusTotal lookup for unknown files.

Name 3 different mechanisms that can be abused in an OS in order to autostart malware.

These can be modified.

  • Logon items for users (e.g. Dropbox, Skype...)
  • Services
  • Scheduled tasks

What does the volatility command hivelist do?

hivelist: locates the virtual addresses of registry hives in memory and the full paths to the corresponding hive on disk.


What interesting information in regards to malware can be extracted from the registry?

  • Autostart / malware persistence
  • Data stored by malware in registry
  • Partial information on programs executed and the files accessed
  • Encrypted / obfuscated malware payloads

Additional information

  • user related information
  • Hardware configs
  • Credentials / passwords

What tool can be used for inspecting autostart mechanisms on a live system?

Autoruns: this is a tool for inspecting autostart mechanisms on a live system

  • Autoruns is a kind of reference of Windows autostart mechanisms
  • Unfortunately, Autoruns does not work on memory images

What volatility command allows you to inspect subkeys?

printkey -K "key"

Displays the subkeys, values, data and data types contained within a specified registry key.