Windows IR made easier and faster presented at BSidesNola 2017

by Michael Gough

Summary: Windows systems are still king of the desktop and server operating systems, and thus the #1 target of hackers, malware, ransomware, and phishing attacks. Hunting for malicious activity is something we all must get better at or the hackers will win; hell, the hackers are already winning. Learning what to look for is hard enough given all the ways Windows can get infected and hide malicious payloads. Worse, there are few tools to help us hunt effectively, short of buying expensive enterprise solutions that many, if not most, organizations find hard to afford. Doing it quickly is also difficult, and we need to get faster at it.
So how do we find the head of the snake slithering inside our Windows systems fast? Traditional forensics methods are too slow to keep up with active attacks, and the tooling is generally a collection of scripts authored by many different individuals. What artifacts do we look for and focus on to find the infection, or to determine whether or not a system is clean? In dealing with malware ranging from commodity to advanced, we came up with an approach that speeds up Windows Incident Response and improves our security program in the process. How does someone sift through over 1000 persistence locations, hidden payloads, and other malicious artifacts, pull IP/WhoIs information, and get netflow-style connection data from inside Windows, all in minutes? This talk will show you how.
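To make the kind of data the abstract refers to concrete, here is an added triage script; it is illustrative example code written for this page, not the speaker's tool or method, and it covers only a handful of the 1000+ persistence locations he mentions. It assumes an elevated PowerShell 5.1 session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-ScheduledTask); the registry keys, path heuristics and private-address regex are my own choices, not anything the talk prescribes. It collects autostart registry values, scheduled tasks and services launched from unusual paths, and established outbound TCP connections tied back to the owning process image, then writes everything to one JSON file for offline review.

```powershell
# Added example for this page (not the speaker's code): quick persistence and
# network triage of a single Windows host. Run elevated; PowerShell 5.1+.

# A few common autostart keys (assumption: far from exhaustive).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Autostart registry values, skipping the PS* metadata properties.
$autoruns = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# 2. Scheduled tasks whose action executes from a user-writable directory.
$suspectTasks = Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -match '(?i)\\(Users|ProgramData|Temp)\\') {
            [pscustomobject]@{ Task = $_.TaskName; Path = $_.TaskPath
                                Execute = $a.Execute; Arguments = $a.Arguments }
        }
    }
}

# 3. Services whose binary lives outside Windows\ or Program Files.
$suspectServices = Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and $_.PathName -notmatch '(?i)^"?[A-Z]:\\(Windows|Program Files)'
} | Select-Object Name, State, StartMode, PathName

# 4. Established TCP connections to non-private addresses, with owning process.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }
$connections = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' } |
    ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            PID       = $_.OwningProcess
            Process   = $p.Name
            Image     = $p.ExecutablePath   # null for protected/system processes
        }
    }

# 5. One JSON artifact per host so results can be diffed against a known-good build.
$report = [pscustomobject]@{
    Host = $env:COMPUTERNAME; Collected = (Get-Date).ToString('o')
    Autoruns = $autoruns; SuspectTasks = $suspectTasks
    SuspectServices = $suspectServices; Connections = $connections
}
$out = Join-Path $env:TEMP "triage-$($env:COMPUTERNAME).json"
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $out -Encoding UTF8
Write-Host "Wrote $out"
$autoruns    | Format-Table -AutoSize
$connections | Format-Table -AutoSize
```

The remote addresses in the Connections list are the natural input for the IP/WhoIs lookups the abstract mentions; do that enrichment from an analysis workstation rather than from the suspect host, and treat a single run as a snapshot, since a connection or RunOnce entry present now may be gone on the next pass.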