Taking Registry Analysis to the Next Level - SANS Computer ...

More documents

Recommendations

Info

Testing VM GRR RegistryDecoder RegRipper Found 2 RunOnce keys: 1 in LocalService and 1 in NetworkService Found 1 Run keys: 1 in Local Service, 1 in NetworkService, and 2 in System RunOnce keys are listed under the Run key plugin Found 4 Run keys: 2 in Default and 2 for System No plugin detects RunOnce keys Found 3 Run keys: 1 in Default and 2 in System 2 BHO 3 BHO, but 2 were repeated NSTR in Services NSTR in Services NSTR in WinLogon NSTR in WinLogon
Jean NPS GRR RegistryDecoder RegRipper N/A 2 Run Keys for user Jean, 2 Run Keys for the system 2 Run Keys for user Jean, 2 Run Keys for the system NSTR in Services NSTR in Services NSTR in WinLogon NSTR in WinLogon 1 BHO 1 BHO
Page 1 and 2: Taking Registry Analysis to the Nex
Page 3 and 4: Malware Related Keys Run, RunOnce
Page 5 and 6: Malware Related Keys, cont. Applica
Page 7 and 8: Then how do you know they're useful
Page 9 and 10: Trawling the Symantec Site
Page 11 and 12: Trawling the Symantec Site - HKCU N
Page 13 and 14: Trawling the Symantec Site - HKLM
Page 15 and 16: Keys to Keep Keep Downgrade Add •
Page 17 and 18: RegRipper • PERL program with EXE
Page 19 and 20: Registry Decoder - Plugins
Page 21 and 22: GRR - Look at a Registry Entry
Page 23: How do They Rate? Compare and contr
Page 27 and 28: Tool Recap GRR Registry Decoder Reg
Page 29 and 30: Analysis at Scale
Page 31 and 32: Acknowledgments NPS and Simson Garf

Taking Registry Analysis to the Next Level - SANS Computer ...

Create successful ePaper yourself

Delete template?

Save as template?