SHOW:
|
|
- or go back to the newest paste.
| 1 | ############# | |
| 2 | - | # CySA 2021 # |
| 2 | + | # ECIH 2021 # |
| 3 | ############# | |
| 4 | ||
| 5 | ||
| 6 | ||
| 7 | ||
| 8 | - | ################################################ |
| 8 | + | ######################################### |
| 9 | - | ############################## # Day 1: Linux Fundamentals & Mawlare Analysis # ############################## |
| 9 | + | ############################## # Day 1: Incident Response Fundamentals # ############################## |
| 10 | - | ################################################ |
| 10 | + | ######################################### |
| 11 | ||
| 12 | ||
| 13 | - | Task 1: Linux Basics |
| 13 | + | Task 1: Slides we will cover |
| 14 | - | -------------------- |
| 14 | + | ---------------------------- |
| 15 | - | - Here is a good tutorial that you should complete before doing the labs below: |
| 15 | + | - Here is a good set of slides for getting started with Incident Response: |
| 16 | - | http://linuxsurvival.com/linux-tutorial-introduction/ |
| 16 | + | https://www.slideshare.net/BhupeshkumarNanhe/incident-response-process-129018068 |
| 17 | ||
| 18 | ||
| 19 | Task 2: Get a feel for the difficulty level of the questions: | |
| 20 | - | Slides we will cover |
| 20 | + | ------------------------------------------------------------- |
| 21 | - | -------------------- |
| 21 | + | Let's get a look at some of the questions for this exam: |
| 22 | - | - Here is a good set of slides for getting started with Linux: |
| 22 | + | https://www.examtopics.com/exams/eccouncil/212-89/ |
| 23 | - | http://www.slideshare.net/olafusimichael/linux-training-24086319 |
| 23 | + | |
| 24 | ||
| 25 | Task 3: Get familiar with Linux | |
| 26 | ------------------------------- | |
| 27 | https://linuxsurvival.com/ | |
| 28 | - | Task 2: More Linux Basics |
| 28 | + | |
| 29 | - | ------------------------- |
| 29 | + | Task 4: Do some malware analysis on the lab server |
| 30 | --------------------------------------------------- | |
| 31 | site: https://app.shellngn.com/ | |
| 32 | user: joseph.mccray@gmail.com | |
| 33 | pass: P@ssw0rd123!@#123 | |
| 34 | ||
| 35 | ||
| 36 | NOTE: Ask me for the correct password | |
| 37 | ||
| 38 | ||
| 39 | ########################### | |
| 40 | ############################## # Day 1: Malware Analysis # ############################## | |
| 41 | ########################### | |
| 42 | ||
| 43 | ||
| 44 | ||
| 45 | ################ | |
| 46 | # The Scenario # | |
| 47 | ################ | |
| 48 | You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts). The fastest thing you can do is perform static analysis. | |
| 49 | ||
| 50 | ||
| 51 | ||
| 52 | #################### | |
| 53 | # Malware Analysis # | |
| 54 | #################### | |
| 55 | ||
| 56 | ||
| 57 | ||
| 58 | - After logging please open a terminal window and type the following commands: | |
| 59 | ---------------------------Type This----------------------------------- | |
| 60 | ||
| 61 | cd ~/students/ | |
| 62 | ||
| 63 | mkdir yourname | |
| 64 | ||
| 65 | cd yourname | |
| 66 | ||
| 67 | mkdir malware_analysis | |
| 68 | ||
| 69 | cd malware_analysis | |
| 70 | ----------------------------------------------------------------------- | |
| 71 | ||
| 72 | - This is actual Malware (remember to run it in a VM - the password to extract it is 'infected': | |
| 73 | ||
| 74 | ---------------------------Type This----------------------------------- | |
| 75 | cd ~/students/yourname/malware_analysis | |
| 76 | ||
| 77 | cp ~/static_analysis/wannacry.exe . | |
| 78 | ||
| 79 | file wannacry.exe | |
| 80 | ||
| 81 | cp wannacry.exe malware.pdf | |
| 82 | ||
| 83 | file malware.pdf | |
| 84 | ||
| 85 | cp malware.pdf malware.exe | |
| 86 | ||
| 87 | hexdump -n 2 -C malware.exe | |
| 88 | ----------------------------------------------------------------------- | |
| 89 | ||
| 90 | ||
| 91 | ***What is '4d 5a' or 'MZ'*** | |
| 92 | Open up a web browser and go to this reference link below. See if you can figure out what '4d 5a' or 'MZ' | |
| 93 | ||
| 94 | Reference: | |
| 95 | http://www.garykessler.net/library/file_sigs.html | |
| 96 | ||
| 97 | ||
| 98 | ||
| 99 | ||
| 100 | ---------------------------Type This----------------------------------- | |
| 101 | cd ~/students/yourname/malware_analysis | |
| 102 | ||
| 103 | objdump -x wannacry.exe | less | |
| 104 | q | |
| 105 | ||
| 106 | strings wannacry.exe | |
| 107 | ||
| 108 | ||
| 109 | strings wannacry.exe | grep -i dll | |
| 110 | ||
| 111 | strings wannacry.exe | grep -i library | |
| 112 | ||
| 113 | strings wannacry.exe | grep -i reg | |
| 114 | ||
| 115 | strings wannacry.exe | grep -i hkey | |
| 116 | ||
| 117 | strings wannacry.exe | grep -i hku | |
| 118 | ||
| 119 | strings wannacry.exe | grep -i crypto | |
| 120 | --------------------------------------------------- | |
| 121 | ||
| 122 | ||
| 123 | ||
| 124 | ################################ | |
| 125 | # Good references for WannaCry # | |
| 126 | ################################ | |
| 127 | ||
| 128 | References: | |
| 129 | ||
| 130 | https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 | |
| 131 | https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/ | |
| 132 | https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html | |
| 133 | ||
| 134 | ||
| 135 | ||
| 136 | ||
| 137 |
