Anti Incident Response - SANS Computer Forensics

More documents

Recommendations

Info

30 Anti-Incident Response Practices • Chose busy servers as internal hop-points – Event logs cycle within minutes to hours – Network activity not out of place • Chose enormous file servers as a data staging areas © 2012 CrowdStrike, Inc. All rights reserved.
31 Anti-Incident Response Practices • Obscure the source of malware transmission • Example: – Login via RDP – Paste .eml file text into notepad and save – Open .eml on victim host (outlook express) – Save attachment • Example: – Lines of an input file for DOS debug inserted into a database – Dumped and executed with commandline tools already on the host © 2012 CrowdStrike, Inc. All rights reserved.
Page 1 and 2: ANTI-INCIDENT RESPONSE Nick Harbour
Page 3 and 4: 3 © 2012 CrowdStrike, Inc. All rig
Page 5 and 6: 5 Anti-Live Response • Avoiding d
Page 7 and 8: 7 Process Injection • Make good p
Page 9 and 10: 9 Windows Process Injection • Inj
Page 11 and 12: 11 Unix Process Injection Mechanism
Page 13 and 14: 13 Getting Around the Syscall Probl
Page 15 and 16: 15 Anti-Forensics • Avoiding Dete
Page 17 and 18: 17 Service Replacement • Replace
Page 19 and 20: 19 DLL Search Order (Safe Search mo
Page 21 and 22: 21 Special Case Vulnerable DLLs •
Page 23 and 24: 23 Fxsst.dll • An optional DLL wh
Page 25 and 26: 25 Fxsst.dll © 2012 CrowdStrike, I
Page 27 and 28: 27 Anti-Incident Response Practices
Page 29: 29 Anti-Incident Response Practices
Page 33 and 34: 33 Anti-Incident Response Practices
Page 35 and 36: 35 Packers • The more extreme the
Page 37 and 38: 37 Packer Detection Woes • Who sa
Page 39 and 40: 39 Hiding in Plain Sight • Use st
Page 41: © 2012 CrowdStrike, Inc. All right

Anti Incident Response - SANS Computer Forensics

Create successful ePaper yourself

Delete template?

Save as template?