Windows IR Made Easier and Faster: Find the Head of the Snake Using AutoRuns, Large Registry Keys, Logs, IP/WhoIs and Netflow (presented at BSidesDenver 2017)

by Michael Gough

Summary: Windows systems are still king of the desktop and server operating systems, and thus the number one target of hackers, malware, ransomware, and phishing attacks. Hunting for malicious activity is something we all must get better at, or the hackers will win; hell, the hackers are already winning. Learning what to look for is hard enough given all the ways Windows can get infected and hide malicious payloads. Worse, there are few tools that help us hunt effectively, short of buying expensive enterprise solutions that many, if not most, organizations find hard to afford. Doing it quickly is also difficult, and we need to get faster at it.

So how do we find the head of the snake slithering inside our Windows systems, fast? Traditional forensic methods are too slow to keep up with active attacks and are generally a collection of scripts authored by many different individuals. Which artifacts do we look for and focus on to find the infection, or to determine whether a system is clean? In dealing with everything from commodity to advanced malware, we came up with an approach that speeds up Windows incident response and improves our security program in the process. How does someone sift through over 1000 persistence locations, hidden payloads and other malicious artifacts, look up IP/WhoIs information, and get netflow data from inside Windows, all in minutes? This talk will show you how.

Once you have discovered a compromised system and documented the malicious artifacts, the next obvious question is, "Did I lose any data, and if so, how much?" A capability built into Windows 8.1 and 10, and unknown to most of us, can answer that question. This talk will show you how to discover whether data has been lost, how much data was lost, and when the system was first compromised within the last two months.
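The "large registry keys" hunt named in the title is one of the quickest wins the abstract alludes to: fileless and "living off the land" malware frequently stores an encoded script or a whole PE image as an oversized REG_SZ or REG_BINARY value so that a small autorun stub can load it later. The PowerShell below is an added example written for this page, not the speaker's tooling; it walks a set of hives and reports every value whose data exceeds a size threshold, with a short preview so you can eyeball Base64 or MZ headers. The hive list and the 20 KB threshold are assumptions to tune for your environment, and the script should run from an elevated prompt to see all of HKLM.

```powershell
# Added example (not from the talk): triage-list registry values with unusually large data.
# Assumptions: $ThresholdBytes and $Hives are illustrative starting points, not the speaker's settings.
$ThresholdBytes = 20KB
$Hives = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet')

function Measure-RegistryValue {
    # Returns the on-disk-ish size in bytes and a printable preview for one registry value.
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Name)

    $kind = $Key.GetValueKind($Name)
    # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ data as stored, so sizes are comparable.
    $data = $Key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')

    switch ($kind) {
        { $_ -in 'String', 'ExpandString' } {
            $text = [string]$data
            $size = [Text.Encoding]::Unicode.GetByteCount($text)   # registry strings are UTF-16
            $preview = $text.Substring(0, [Math]::Min(60, $text.Length))
        }
        'MultiString' {
            $text = ($data -join '|')
            $size = [Text.Encoding]::Unicode.GetByteCount($text)
            $preview = $text.Substring(0, [Math]::Min(60, $text.Length))
        }
        'Binary' {
            $bytes = [byte[]]$data
            $size = $bytes.Length
            # First 16 bytes as hex: "4d5a..." at offset 0 is an MZ header, i.e. a stored executable.
            $preview = ($bytes[0..([Math]::Min(15, $bytes.Length - 1))] |
                ForEach-Object { $_.ToString('x2') }) -join ''
        }
        default {
            $size = 8          # DWORD/QWORD can never be "large"; keep them out of the list
            $preview = ''
        }
    }
    [pscustomobject]@{ Kind = $kind; SizeBytes = $size; Preview = $preview }
}

function Find-LargeRegistryValues {
    param([string[]]$Paths, [int]$Threshold)

    foreach ($path in $Paths) {
        # -ErrorAction SilentlyContinue skips keys the current token cannot open (SAM, SECURITY, etc.)
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $m = Measure-RegistryValue -Key $key -Name $name
                if ($m.SizeBytes -ge $Threshold) {
                    [pscustomobject]@{
                        Key       = $key.Name
                        Value     = if ($name) { $name } else { '(Default)' }
                        Kind      = $m.Kind
                        SizeBytes = $m.SizeBytes
                        Preview   = $m.Preview
                    }
                }
            }
        }
    }
}

Find-LargeRegistryValues -Paths $Hives -Threshold $ThresholdBytes |
    Sort-Object SizeBytes -Descending |
    Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: Windows itself keeps large legitimate binary values (device enumeration data, certificate blobs, component-servicing state), so the interesting hits are oversized values whose preview looks like Base64, a script fragment, or an MZ header, especially when they sit under a key that something in the AutoRuns output references. Export any suspect value with `reg export` before remediation so the payload survives for analysis.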