Flashcards: Bangeter 03-persistence_techniques_v40.pdf
Why does most malware have persistence mechanisms?
Persistence mechanisms allow malware to survive a reboot.
The goal of persistence is to launch malware during boot, logon, etc...
Describe the two persistence mechanisms based on patching.
Binary patching used to be called a "virus".
Trojanized system binaries: add malicious code to executables or DLLs that are part of the OS, and which thus get loaded on system startup.
MBR patching: allows malware to start very early in the boot process, before any security mechanisms get loaded (the master boot record is modified to load the malware). [New Secure Boot mechanisms allow the BIOS to verify the signature of the boot loader.]
How can you detect binary patching?
Check hashes of files on the system against a DB of known good binaries.
Check the signatures of files.
Sigcheck from Sysinternals is a tool to perform signature checks; it can also be used to perform a VirusTotal lookup for unknown files.
Name 3 different mechanisms that can be abused in an OS in order to autostart malware.
These can be modified.
Logon items for users (e.g. Dropbox, Skype...)
What does the volatility command hivelist do?
hivelist: locates the virtual addresses of registry hives in memory and the full paths to the corresponding hive on disk.
What interesting information in regards to malware can be extracted from the registry?
Autostart / malware persistence
Data stored by malware in registry
Partial information on programs executed and the files accessed
Encrypted / obfuscated malware payloads
User-related information
Credentials / passwords
What tool can be used for inspecting autostart mechanisms on a live system?
Autoruns: this is a tool for inspecting autostart mechanisms on a live system
Autoruns is a kind of reference of Windows autostart mechanisms.
Unfortunately, autoruns does not work on memory images
What volatility command allows you to inspect subkeys?
printkey -K "key"
Displays the subkeys, values, data and data types contained within a specified registry key.