SANS Digital Forensics and Incident Response Blog: Category - Malware Analysis

15 Apr 2018

Inhibiting Malicious Macros by Blocking Risky API Calls

0 comments Posted by Adam Kramer
Filed under Advanced Persistent Threat, Cyber Kill Chain, Malicious Scripts, Malware Analysis

Microsoft Office Macros have been the bane of security analysts' lives since the late 1990s. Their flexibility and functionality make them ideal for malware authors to use as a primary stage payload delivery mechanism, and to datethe challenge they pose remains unsolved. Many organisations refrain from blocking them completely due to the impact it … Continue reading Inhibiting Malicious Macros by Blocking Risky API Calls

13 Apr 2018

Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

0 comments Posted by sansdfir
Filed under Advanced Persistent Threat, Computer Forensics, Computer Forensics and IR Summit, Cyber Threat Intelligence, DFIR Scholarship, DFIR Summit, Drive Encryption, Forensic4Cast Awards, Incident Response, iOS, Lethal Forensicator Coins, Malware Analysis, Memory Analysis, Mobile Device Forensics, Network Forensics, Network Forensics, Registry Analysis, REMnux, Reverse Engineering, SIFT Workstation, smartphone, Specials, Threat Hunting, Threat Hunting & Incident Response Summit, Timeline Analysis, Training, USB Device Analysis, Windows Memory Forensics

The SANSDFIR Summit and Training 2018is turning 11!The 2018 event marks 11 years since SANS started what is todaythedigital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS … Continue reading Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year


Tags: Coin Slayer, Computer Forensic Training, DFIR course coins, DFIR Management, dfir netwars, DFIRSummit 2018, Incident Response, mac forensics, Memory Forensics, mobile forensics, Network Forensics, Reverse engineering Malware, Threat Hunting, Windows Forensics Analysis
16 Dec 2017

Automated Hunting of Software Update Supply Chain Attacks

0 comments Posted by Adam Kramer
Filed under Advanced Persistent Threat, Malware Analysis, Network Forensics, Threat Hunting

Software that automatically updates itself presents an attack surface, which can be leveraged en masse through the compromise of the vendor's infrastructure. This has been seen multiple times during 2017, with high profile examples includingNotPetya and CCleaner. Most large organisations have built robust perimeter defences for incoming and outgoing traffic, but this threat vector … Continue reading Automated Hunting of Software Update Supply Chain Attacks

27 Nov 2017

Acquiring a Memory Dump from Fleeting Malware

2 comments Posted by Adam Kramer
Filed under Computer Forensics, Evidence Acquisition, Incident Response, Malware Analysis, Memory Analysis, Threat Hunting

Introduction The acquisition of process memory during behavioural analysis of malware can provide quick and detailed insight. Examples of where it can be really useful include packed malware, which may be in a more accessible state while running, and malware, which receives live configuration updates from the internet and stores them in memory. Unfortunately the … Continue reading Acquiring a Memory Dump from Fleeting Malware

24 Oct 2017

Uncovering Targeted Web-Based Malware Through Shapeshifting

0 comments Posted by Adam Kramer
Filed under Advanced Persistent Threat, Computer Forensics, Evidence Acquisition, Malware Analysis, Network Forensics

Targeted Web-Based Malware? Malware authors are frequently observed leveraging server side scripting on their infrastructure to evade detection and better target their attacks. This includes both exploit kits and servers hosting secondary stage payloads, all of which can easily be set up to alter their responses based on the footprint of the visitor. This could … Continue reading Uncovering Targeted Web-Based Malware Through Shapeshifting

Categories
Recent Posts
Archives
Links
Latest Blog Posts

Inhibiting Malicious Macros by Blocking Risky API Calls
April 15, 2018 - 4:21 PM

Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training th [...]
April 13, 2018 - 4:51 PM

SANS Threat Hunting and Incident Response Summit 2018 Call for Speakers - D [...]
January 29, 2018 - 4:02 PM

Latest Tweets @sansforensics

Webcast Rewind: Getting Started with #SIFT Workstation with [...]
August 15, 2018 - 1:20 AM

Strengthen your resume on your own time by registering for # [...]
August 14, 2018 - 11:25 PM

Get two days on in depth summit presentations PLUS advanced [...]
August 14, 2018 - 10:45 PM

Latest Papers

Evidence of Data Exfiltration via Containerised Applications on Virtual Private Servers
By Seth Enoka

Using Image Excerpts to Jumpstart Windows Forensic Analysis
By John Brown

Windows 10 as a Forensic Platform
By Ferenc Kovacs

"This course is filling in the blanks in my knowledge of how some things work. It is nice to know what the tools are doing."
- Douglas Couch, Purdue University

"Rob Lee is a master of the subject matter. The material is presented in a way that is understandable. Rob is also charismatic enough to make the course enjoyable."
- Erik Ketlet, JP Morgan Chase

"A great course on timeline, registry, and restore point forensics. SANS is continuing to be the leader on teaching new techniques happening with forensics."
- Brad Garnett, Gibson County Sherrif's Dept.