![]() I search query the hash on VirusTotal, to see if this file has been checked before. I want to know the hash value of this file, so I use the sha256sum command in the terminal to look up its SHA256 hash. I close out the details window and click File > Export Objects > HTTP…, locate the file, and save it to my computer (I use a Kali Linux VM). I also need to gather as much information as possible about the file. This is considered an artifact and an indicator of compromise (IOC), and I include this in the incident report. doc, that appears harmless to the target end-user. However, a lot of malware infections happen through phishing or malspam, through which malware executables are obfuscated by a benign file, such as a. In this case, the file is explicitly YAS20.exe. Threat actors may not necessarily show the executable in plain sight. ![]() So far, this is the potential initial infection. In this case, the “MZ…This program cannot run in DOS mode” indicates that the file is a Windows executable (the MZ is the first couple bytes of the file, also known as the file signature). Since I’m already aware of the IP address range in the client’s network, I quickly determine the (potentially) infected host IP address, and switch over to WireShark for further investigation. Next, I examine the IDS alerts for the possible initial infection, and take note of the two IP addresses in this communication. The more information I have to begin with, the better. The first thing I do is take note of the LAN segment range (which is usually provided), so I’m aware of the known-good endpoints/IP addresses in the client’s network. I customized WireShark based on his suggestions, and find it extremely helpful in gathering relevant information. I’m working through the PCAP challenges provided by Brad at, which focuses on analyzing Windows-based malware-infected network traffic. And even though the incident may have happened weeks, months, or even years ago, I still treat the incident as though it happened today. Even though I’m not yet employed as a professional, I still tackle it with seriousness and urgency, as though it happened to my client’s network. Identification is the second step of the incident response process. ![]() It’s another day, and I am excited investigate another PCAP file on WireShark.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |