Incident Response and Malware investigations via SecCheck
Before pausing from reading email for a few hours, I'd like to take a moment to redirect your attention to a little advertised and even more infrequently used Incident Response and investigative feature hosted here on the ISC SANS portal. That feature is SecCheck, developed by MyNetWatchman, and offered to the Storm Center to assist in investigating suspicious and potentially malicious activity on hosts running the Windows family of operating systems.
The Storm Center deployment of SecCheck is hosted at http://isc.sans.org/seccheck/ and requires Internet Explorer: it is delivered as an ActiveX DLL that runs inside the browser and analyzes the currently running workstation session, producing an incident-response report at run time. The report is displayed on your workstation and is also posted back to the Storm Center host for our review, which lets the handlers assist you more directly. Because the control runs in the browser's context, the report reflects what that user session can see, and a copy of it leaves the machine; keep both in mind when deciding where and as whom to run it.
The run-time details reported include:
- running process list (why am I running something called caseyvideo.exe?)
- running service enumeration (hmm, that service executing from c:\winnt\lssass.exe looks interesting; note the doubled "s" in a name meant to pass for lsass.exe)
- network connection snapshot (listening services and established connections, each mapped to the owning process)
- autostart registry dump (malware has to survive a reboot somehow; this shows where it hooks in)
- installed BHO listing (spyware and browser hijackers often jump right out here)
- module dump (the libraries loaded into each process, where DLL injection shows up)
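As an added example that is not part of the original diary and is not SecCheck's own code, the following PowerShell script gathers the same six categories of run-time detail from a Windows host and writes them to a JSON file, so the questions above (why is caseyvideo.exe running, which process owns that connection, what DLL did the BHO load) can be asked on a host without the ActiveX control. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt for full visibility into other users' processes; the $OutFile parameter and the list of autostart keys are choices made for this example, and the key list is deliberately a small subset of the locations malware uses.

```powershell
# Added example (not SecCheck's code): a minimal live-response snapshot covering
# processes, services, network connections mapped to processes, autostart
# registry locations, Browser Helper Objects and loaded modules.
# Assumptions: Windows 8 / Server 2012 or later (Get-NetTCPConnection) and an
# elevated prompt. $OutFile is a parameter name chosen for this example.
param([string]$OutFile = "$env:COMPUTERNAME-snapshot.json")

$snapshot = [ordered]@{}

# 1. Running processes. ExecutablePath is $null for processes the current token
#    cannot open, which is itself worth noting during triage.
$snapshot.Processes = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine

# 2. Services. The binary path is what exposes a lookalike such as lssass.exe.
$snapshot.Services = Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, ProcessId, PathName

# 3. Network connections, each resolved to the owning process name.
$procByPid = @{}
foreach ($p in $snapshot.Processes) { $procByPid[[int]$p.ProcessId] = $p.Name }
$snapshot.Connections = Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
        OwningProcess, @{ n = 'ProcessName'; e = { $procByPid[[int]$_.OwningProcess] } }

# 4. Autostart registry locations (a small subset of the common ones).
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$snapshot.Autostart = foreach ($key in $autostartKeys) {
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key
        foreach ($name in ($item.PSObject.Properties.Name | Where-Object { $_ -notin $psProps })) {
            [pscustomobject]@{ Key = $key; Name = $name; Value = $item.$name }
        }
    }
}

# 5. Browser Helper Objects: registered CLSIDs resolved to the DLL they load.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$snapshot.BHOs = if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        [pscustomobject]@{
            CLSID = $clsid
            Dll   = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        }
    }
}

# 6. Loaded modules per process. DLLs living outside System32 / Program Files
#    are the usual starting point for spotting an injected library.
$snapshot.Modules = Get-Process | ForEach-Object {
    $proc = $_
    try {
        $proc.Modules | ForEach-Object {
            [pscustomobject]@{ ProcessId = $proc.Id; Process = $proc.Name; Module = $_.FileName }
        }
    } catch { }   # access denied on protected or cross-bitness processes
}

$snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile
Write-Host "Snapshot written to $OutFile"
```

Save the script as a .ps1 and run it from an elevated PowerShell prompt on the suspect host; the JSON is then easy to diff against a snapshot from a known-clean build of the same image, which is usually faster than reading the raw lists. Unlike the ISC deployment, nothing here leaves the machine unless you copy the file off yourself.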
Additional developments, including standalone SecCheck binaries with further features, are available at http://www.mynetwatchman.com.
William Salusky
Handler on Duty!