Monday, May 12, 2008

Spot the fake

When I've instructed people on IR, I have run them through a live response scenario where the scenario is fairly obvious (I provide a friendly popup). My favorite thing to do to folks is transposition of letters in commonly associated programs and services. Apparently attackers still like doing this. Can you spot the fake? What are the inconsistencies between the two? Which one is real?
Finally, why does this work? Read this paper if you're interested.


Service Name: Event Log

Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

Path to Executable:
C:\windows\system32\services.exe

Logon:
LocalSystem

Service Name: Events Log

Description: Enables event logs messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

Path to Executable:
C:\WINDOWS\system32\drivers\csrss.exe -k NetworkService

Logon as:
.\Administrator
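As an added example (not part of the original post), here is a small Python checker that applies the same tests a responder would run by eye on the two entries above: near-miss service names (a transposed or extra letter), a binary or logon account that does not match the known-good entry, svchost's `-k` switch on something that is not svchost.exe, an .exe under system32\drivers, and a local user account where a built-in account is expected. The one-entry baseline and the heuristics are assumptions for this example, not a Microsoft reference.

```python
from dataclasses import dataclass

# Constructed baseline: canonical binary and logon account of a known-good service.
BASELINE = {"Event Log": ("c:\\windows\\system32\\services.exe", "LocalSystem")}

@dataclass
class Service:
    name: str
    path: str   # full command line as shown in the service properties
    logon: str

def osa_distance(a: str, b: str) -> int:
    """Edit distance where a transposition of adjacent letters costs 1."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def inspect(svc: Service) -> list[str]:
    """List the inconsistencies in one service entry; empty means it matches the baseline."""
    findings = []
    path = svc.path.lower()
    exe = path.split()[0]
    for known, (known_path, known_logon) in BASELINE.items():
        dist = osa_distance(svc.name, known)
        if dist > 2:
            continue          # not a look-alike of this known service
        if dist > 0:
            findings.append(f"name '{svc.name}' is {dist} edit(s) from '{known}'")
        if exe != known_path.split()[0]:
            findings.append(f"binary {exe} is not the expected {known_path.split()[0]}")
        if svc.logon != known_logon:
            findings.append(f"logon '{svc.logon}' is not the expected '{known_logon}'")
    if " -k " in path and not exe.endswith("\\svchost.exe"):
        findings.append("'-k' service-group switch on a binary that is not svchost.exe")
    if "\\system32\\drivers\\" in exe and exe.endswith(".exe"):
        findings.append("executable placed under system32\\drivers")
    if svc.logon.startswith(".\\"):
        findings.append(f"system service runs as local user account {svc.logon}")
    return findings
```

Running `inspect` over the two entries from the post returns nothing for the first and six findings for the second.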
