joemccray

ECIH 2021

Jun 1st, 2021 (edited)
#############
# ECIH 2021 #
#############



#########################################
# Day 1: Incident Response Fundamentals #
#########################################


Task 1: Slides we will cover
----------------------------
- Here is a good set of slides for getting started with Incident Response:
https://www.slideshare.net/BhupeshkumarNanhe/incident-response-process-129018068


Task 2: Get a feel for the difficulty level of the questions:
-------------------------------------------------------------
Let's take a look at some of the questions for this exam:
https://www.examtopics.com/exams/eccouncil/212-89/


Task 3: Get familiar with Linux
-------------------------------
https://linuxsurvival.com/

Task 4: Do some malware analysis on the lab server
---------------------------------------------------
site: https://app.shellngn.com/
user: joseph.mccray@gmail.com
pass: P@ssw0rd123!@#123


NOTE: Ask me for the correct password

###########################
# Day 1: Malware Analysis #
###########################



################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV quarantine, HIPS, spam filter, web proxy, or digital forensics scripts). The fastest thing you can do is perform static analysis.



####################
# Malware Analysis #
####################



- After logging in, please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------

cd ~/students/

mkdir yourname

cd yourname

mkdir malware_analysis

cd malware_analysis
-----------------------------------------------------------------------

- This is actual malware (remember to run it in a VM); the password to extract it is 'infected':

---------------------------Type This-----------------------------------
cd ~/students/yourname/malware_analysis

cp ~/static_analysis/wannacry.exe .

file wannacry.exe

cp wannacry.exe malware.pdf

file malware.pdf

cp malware.pdf malware.exe

hexdump -n 2 -C malware.exe
-----------------------------------------------------------------------


***What is '4d 5a' or 'MZ'?***
Open up a web browser and go to the reference link below. See if you can figure out what '4d 5a' or 'MZ' means.

Reference:
http://www.garykessler.net/library/file_sigs.html



---------------------------Type This-----------------------------------
cd ~/students/yourname/malware_analysis

objdump -x wannacry.exe | less
q

strings wannacry.exe


strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i hkey

strings wannacry.exe | grep -i hku

strings wannacry.exe | grep -i crypto
---------------------------------------------------
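As an added worked example (not part of the original course notes), here is a short Python script that does what the `file`, `hexdump` and `strings | grep` steps above do by hand: it identifies a PE file from its bytes alone, ignoring the extension, by checking the 'MZ' stub and the PE signature at e_lfanew, then buckets printable strings by the same keywords the grep commands use. The sample bytes are a constructed minimal PE skeleton, not wannacry.exe.

```python
import re
import struct

# The keywords the course greps for with `strings ... | grep -i`.
KEYWORDS = ("dll", "library", "reg", "hkey", "hku", "crypto")

def is_pe(data: bytes) -> bool:
    """True when the bytes carry a Windows PE layout: 'MZ' (4d 5a) at offset 0 and
    the PE signature at the offset stored in e_lfanew (DOS header offset 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable ASCII bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def triage(data: bytes) -> dict:
    """Bucket extracted strings by keyword (case-insensitive), mirroring the
    `strings wannacry.exe | grep -i <keyword>` commands."""
    hits = {k: [] for k in KEYWORDS}
    for s in extract_strings(data):
        low = s.lower()
        for k in KEYWORDS:
            if k in low:
                hits[k].append(s)
    return hits

def build_sample() -> bytes:
    """Constructed minimal MZ/PE skeleton with a few realistic import and
    registry strings. It is not malware and cannot execute."""
    header = bytearray(0x80)
    header[:2] = b"MZ"                             # DOS stub magic, '4d 5a'
    struct.pack_into("<I", header, 0x3C, 0x80)     # e_lfanew -> PE header
    body = b"PE\x00\x00" + b"\x00" * 20            # PE signature + COFF stub
    body += b"\x00".join([b"KERNEL32.dll", b"LoadLibraryA", b"RegSetValueExA",
                          b"HKEY_LOCAL_MACHINE\\Software",
                          b"Microsoft Enhanced Cryptographic Provider v1.0"])
    return bytes(header) + body + b"\x00"

if __name__ == "__main__":
    sample = build_sample()
    print("PE file:", is_pe(sample), "first bytes:", sample[:2].hex(" "))
    for keyword, strings in triage(sample).items():
        print(f"{keyword:8} {strings}")
```

Because the check reads only the bytes, `is_pe` gives the same answer for the file whether it is named malware.pdf or malware.exe, which is the point the `file` and `hexdump` steps above make.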



################################
# Good references for WannaCry #
################################

References:

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
