
Digital logbook iguard app download
FastIR Collector on advanced threats
How SEKOIA's open source collector can help you detect advanced threats
V 1.4
Author: Paul Rascagnères
TLP: WHITE
Copyright 2015 SEKOIA

TABLE OF CONTENTS

1. CONTEXT
2. FASTIR COLLECTOR
3. CASE STUDIES
   - UROBUROS/TURLA/SNAKE
     - MALWARE DESCRIPTION
     - FASTIR COLLECTOR USE AND ANALYSIS: DRIVER IDENTIFICATION; PERSISTENCE IDENTIFICATION; NAMED PIPES IDENTIFICATION; VIRTUAL FILE SYSTEMS
   - COMRAT
     - MALWARE DESCRIPTION
     - FASTIR COLLECTOR USE AND ANALYSIS: MALWARE IDENTIFICATION; PERSISTENCE IDENTIFICATION; LIBRARY INJECTION; YARA RULES: FROM AGENT.BTZ TO COMRAT
   - BABAR
     - MALWARE DESCRIPTION
     - FASTIR COLLECTOR USE AND ANALYSIS: MALWARE IDENTIFICATION; PERSISTENCE IDENTIFICATION; PROCESS & INJECTION IDENTIFICATION
   - CASPER
     - MALWARE DESCRIPTION
     - FASTIR COLLECTOR USE AND ANALYSIS: MALWARE IDENTIFICATION
   - POWELIKS
     - MALWARE DESCRIPTION
     - FASTIR COLLECTOR USE AND ANALYSIS: MALWARE IDENTIFICATION
   - HDROOT
     - MALWARE DESCRIPTION
     - FASTIR COLLECTOR USE AND ANALYSIS
4. CONCLUSION

TABLE OF IMAGES

Figure 1: FastIR Collector screenshot.
Figure 2: FastIR Collector configuration file.
Figure 3: Filecatcher content for Uroburos.
Figure 4: Filecatcher CSV content for Uroburos.
Figure 5: Persistence mechanism of Uroburos.
Figure 6: Uroburos persistence mechanism viewed by the Microsoft registry editor.
Figure 7: Uroburos persistence mechanism viewed by Autoruns.
Figure 8: Named pipes used by Uroburos.
Figure 9: Filecatcher content for ComRAT.
Figure 10: Library injection by ComRAT.
Figure 11: Agent.BTZ yara rules.
Figure 12: Enable yara support for FastIR Collector.
Figure 13: Filecatcher CSV content for ComRAT with yara.
Figure 14: Persistence mechanism for Babar.
Figure 15: Babar process.
Figure 16: Process injection for Babar.
Figure 17: Persistence mechanism for Casper.
Figure 18: Poweliks in registry.
Figure 19: regedit use with Poweliks registry key.
Figure 20: Clean MBR extracted by FastIR Collector.
Figure 21: Compromised MBR extracted by FastIR Collector.

1. CONTEXT

For years, the CERT SEKOIA has helped many customers handle cybersecurity incidents. During these interventions, the incident response team needs to identify compromised systems by performing forensic investigations. To help in this task, the team developed an open-source tool called FastIR Collector.

On the 29th of October 2015, during the Hackito Ergo Sum conference, Paul Rascagnères and Sébastien Larinier from the CERT SEKOIA gave a talk called "Complex malware & forensics investigation". During this talk, they took several well-known malware cases (such as Uroburos or Babar) to explain:
- the malware's behavior
- how FastIR Collector could be used to detect them.

This document explains what FastIR Collector is and details all the case studies mentioned during the talk. The purpose of this document is not to fully describe the threats or actors of the case studies mentioned. The purpose is to show the synergy between the different profiles of an incident response team (forensic analyst, reverser, threat intelligence analyst) and the importance of efficient tools and quality Indicators Of Compromise (IOC).

Vessels and fleets today offer little in the way of differentiation, leading to competition on price and pressure on margins. But a clear view of data enables you to win defensively, by being competitive on price, and offensively, by offering a differentiated solution. In terms of reduced costs, data from the Digital Logbook can help you objectively identify where you are losing revenue unnecessarily, including which tasks are a burden on your operations, where collaboration needs to be improved, and where utilization of your assets can be better. In terms of a differentiated - or even premium - offering, this ladders up to better staffing, contract negotiations, and improved efficiency across the board. It opens channels for data-based performance ranking, continual learning from best practices, and accurate benchmarking.
