SANS Digital Forensics and Incident Response Blog: Category - Windows IR

New Advanced Persistent Threat Based - FOR508 Released in On-Demand

It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don't ask us how we know, but you should probably check out several of your systems. You are compromised by the APT. Most organizations are left speechless as 90% of all intrusions are … Continue reading New Advanced Persistent Threat Based - FOR508 Released in On-Demand


Four Focus Areas of Malware Analysis

Malware analysis and the forensic artifacts involved are made up of four areas of focus. The four areas of focus are behavior, code, memory, and intelligence analysis. Each has its own techniques which will be covered briefly. An analyst is in the middle of a case and finds an executable artifact. In searching the hash … Continue reading Four Focus Areas of Malware Analysis


Looking at Mutex Objects for Malware Discovery and Indicators of Compromise

Mutex (a.k.a. mutant) objects, which are frequently used by legitimate software, can also help defenders discover the presence of malicious programs on the system. Incident responders can examine the infected host or reverse-engineer malware to identify mutex names used by the specimen, which will allow them to define the signs of the infection (a.k.a. indicators of compromise). Let's take a look at how mutex objects are used and what tools are available to identify them on a system. Continue reading Looking at Mutex Objects for Malware Discovery and Indicators of Compromise


The APT is already in your network. Time to go hunting — Learn how in new training course SANS FOR508

The Advanced Persistent Threat is already in your network. Time to go hunting. It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don't ask us how we know, but you should probably check out several of your systems including 10.3.58.7. You are … Continue reading The APT is already in your network. Time to go hunting — Learn how in new training course SANS FOR508


How to Extract Flash Objects From Malicious MS Office Documents

Authors of malicious Microsoft Office document can execute code on the victim's system using several techniques, including VB macros and exploits. Another approach, which has been growing in popularity, involves embedded Flash programs in the Office document. These Flash programs can download or directly incorporate additional malicious code without the victim's knowledge. This note demonstrates several steps for extracting malicious Flash objects from Microsoft Office document files, so you can analyze them. We take a brief look at using strings, Pyew, hachoir-subfile, xxxswf.py and extract_swf.py tools for this purpose. Continue reading How to Extract Flash Objects From Malicious MS Office Documents