![]() This is where various data sources such as proxy, dns, firewall, process auditing (e.g. If you don’t get lucky, however, you might need to investigate to figure out where the malware came from and how it got delivered. ![]() ![]() Maybe it was an executable dropped by a malicious word document phish with the subject line xxx from e-mail address yyy, or it was a payload from a remote execution campaign, or it was an implant dropped from a backdoor or webshell. Occasionally, you might get lucky and get information on how the sample was obtained. We’ll go ahead and walk through how to answer each of these questions. Most of the time, getting these answers won’t require executing the malware, but you may use a variety of tools, scripts, or third party resources. Linux ELF, shared object (SO), windows PE executable (exe), shared library (.dll), etc.), what functionality does it import? Is it cryptographically signed? Does it define a PDB path? What are the file hashes for this file?. ![]()
0 Comments
Leave a Reply. |