Anomalies Detection: Windows OS - Part 1 describes in detail about determining malicious processes/anomalies running in Windows OS systems. PPT focuses on how to differentiate Rogue processes from legitimate ones, Identifying unknown services, Code injection and Rootkits detection and mitigation, Unusual OS artifacts that would arise suspicion, Anomalies detection using Network activity and in determining evidence of persistence.
Part 2 of this series explains about malware detection checklist to ease investigators in identifying malwares.
Contents:
To view the presentation slides please click here.
Part 2 of this series explains about malware detection checklist to ease investigators in identifying malwares.
Contents:
•
Rogue Processes identification
•
Common methods to identify malwares hidden in
plain sight:
•
Common methods to identify Code Injection/
Rootkits
•
Windows Sysinternals: Process Explorer
•
Windows Sysinternals: Sigcheck
•
AnalyzePESig
•
Mandiant Redline
•
Unknown Services
•
Background about Services hosted in Windows OS
•
Steps for investigating unknown services
•
SC Command
•
Common Services & Normal Behavior
•
Code Injection and Rootkit Behavior
•
Rootkits and Anomalies
•
Kaspersky TDSSKiller
•
GMER Rootkit
•
RootkitRevealer
•
Unusual OS artifacts
•
Prefetch files
•
Shimcache files
•
UserAssist Utility
•
Schtasks.exe
•
PSExec
•
PsLoggedOn
•
ProcDump
•
Wmic
•
MountPoints2 Forensics
•
Suspicious Network activity
•
Evidence of Persistence
•
Autoruns
•
References
