Symptom:
1 of 68 1/25/20, 3:45 PM
D-Virus | DFIR – Incident Response | Network Fo... https://dvirus.training/
Diagnosis:
Solution
bb0954e8352373b76c730e8dc7a772a7021204af
qwingraph.exe
dfb44ee088a469e9446aa767ef5408c00d6dfe0b
qwingraph.zip
Preparation:
Tools
Mounting:
ewfinfo ForensicImage.E01
mkdir Files_Decrypted
We mount the volume
rm -rf Files_Decrypted/
rm -rf decrypted_volume/
raw (RAW) format; in that case the first steps do not need to be run, and you start from identifying the offset.
References:
Scenario:
Folio-854500047700.zip <https://dvirus.training/wp-content/uploads/2020/01/Folio-854500047700.zip> The file is compressed; to decompress it, use the password "infected".
Analysis
On Linux we have a tool that performs this magic-number analysis: the file utility.
file Folio-854500047700.bin
Introduction to pev
Installation:
pehash
pehash Folio-854500047700.bin
ssdeep
ssdeep -pb *
Import Hash
values.
strings Folio-854500047700.bin
Packer Identification
https://dvirus.training/wp-content/uploads/2020/01/userdb.txt
In another post, we will discuss packers and unpacking methods in more detail.
Other Properties.
pescan -v Folio-854500047700.bin
Protection mechanisms
pesec Folio-854500047700.bin
peframe
Installation
VirusTotal.
peframe Folio-854500047700.bin
peframe Folio-854500047700.bin -i
Conclusions:
The presence of packers
Cryptographic functions used by the binary
Imported DLLs and APIs
Entropy values
The binary's creation date
Identification of protection mechanisms.
-o: the offset
-f: the file system type
-d: the folder in which the results will be stored (if it does not exist, it must be created)
-sha1: generates a SHA-1 hash of each file
File Recovery
References:
man sorter
Introduction
Preparation
file Case01.raw
sha1sum Case01.raw
Analysis
mmls Case01.raw
-b: input (body) file
access, creation)
mactime -b lista_inodos
File Recovery
file /home/dvirus/DFIR/calc_219264.exe
References:
Preparation:
Oledump
wget http://didierstevens.com/files/software/oledump_V0_0_43.zip
Detection
Analysis
file email.msg
msgconvert email.msg
ls -l email.*
https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx
https://www.iptrackeronline.com/email-header-analysis.php
base64 -d encoded.text
Attachment Analysis
oledump.py email.msg
/plugin_vba_dco.py
sha256sum *.vba
Containment
IP addresses
Domain names
Email accounts
Hash of the Word file
Hashes of the VBA files
Actions to carry out:
risky domains.
On firewalls and proxies, block malicious URLs to prevent access to or download of files.
References
https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html