When I've instructed people on IR I have run them through a live response scenario where the scenario is fairly obvious (I provide a friendly popup). My favorite thing to do to folks is transposition of letters in commonly associated programs and services. Apparently attackers still like doing this. Can you spot the fake? What are the inconsistencies between the two? Which one is real?
Finally..why does this work? Read this paper if you're interested.
Service Name: Event Log
Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Path to Executable:
C:\windows\system32\services.exe
Logon:
LocalSystem
Service Name: Events Log
Description: Enables event logs messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Path to Executable:
C:\WINDOWS\system32\drivers\csrss.exe -k NetworkService
Logon as:
.\Administrator
skip to main |
skip to sidebar
This blog was created to support some of the work I'm doing and to contribute to the forensic community. I'll be blogging about the science of forensics, incident response, methodologies, relating real world investigations to digital ones and some other tidbits.
Skydrive
Access my skydrive for memory dumps.
HERE
Email Address
hogfly at gmail dot com
Most visited sites
- A day in the life of an Information Security Investigator
- Attack Research
- Binary Intelligence
- CFED
- Computer Forensics, Malware Analysis & Digital Investigations
- CyberSpeak Podcast
- Dancho Danchev
- Dark Visitor
- E-Evidence
- Evil Bytes
- ExForensis
- F-response
- FireEye Malware Intelligence Lab
- Forensic Focus
- NIST SP-800 series
- Offensive Computing
- TaoSecurity
- TED - Ideas Worth Spreading
- Volatility
- Windows Incident Response
Currently reading - recommend a book by email
- Cyber War
- Decoding the Virtual Dragon
- Mind of War
- On War
Visitor map
0 comments:
Post a Comment