Join our #Slack Channel! Email us at firstname.lastname@example.org or DM us on Twitter @brakesec
- Libsyn Feed - http://www.brakeingdownir.libsyn.com/
Join us for our inaugural podcast, our guests will be:
- Dave Cowan - Forensic Lunch Podcast and G-C Partners
- Tyler Hudak - Trainer in Malware Analysis and Reverse Engineering
Brian and I will kick off this new podcast, and the topic of the day will be:
"What is this new podcast all about, what will it cover?
Incident Response, Malware Discovery, and Basic Malware Analysis, Detection and Response, Active Defense, Threat Hunting, and where does it fit within DFIR"
- Introduce our Guests
- Tyler Hudak
- Dave Cowan
401k fraud - loans taken out using breach data
NC School - Emotet - Emotet malware compromised Rockingham County Schools servers after employees opened phishing emails - isn't this why we are doing this Podcast? Because people need to know they can clean this stuff up
Rockingham County School Board Vice Chair Bob Wyatt confirmed the cost of $314,000 for the repairs. The money, he said, will come out of the unrestricted fund
2-month, $314,000 service contract
The contract will staff 10 Level 3 and 4 engineers for a total of 1,200 onsite man-hours. The company will also provide virus mitigation services, including a plan of attack and onsite imaging for approximately 12 servers and 3,000 client systems
Approximately 20 physical and virtual servers will need to be rebuilt by hand
The cleanup is expected to take less than 30 days
Despite the approval of the contract, some questions did arise from board members who were curious as to why the board did not offer to take outside bids for the $314,000 project
Emotet details and artifacts
- Delivered via an Office document
- Please disable your macros!!!! Allow by exception
- Uses PowerShell to fetch payload - Word calls PS = BAD
- Checks to see if it is being evaluated in a sandbox
- Directories created for checks
- Creates a service for persistence
- Some create a Scheduled Task too (Services Update)
- Files dropped in
- IP's - detect from your firewall
- Brad Duncan's Malware Traffic Analysis
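As an added example (not from the episode, its guests, or any of the tools they mention), here is a small Python hunt that turns the artifact list above into checks over endpoint telemetry: an Office application as the parent of a script host ("Word calls PS = BAD"), a newly installed service whose binary lives in a user-writable directory, and a scheduled task matching the "Services Update" name from the notes or running from a user-writable path. The sample events are constructed for this example; their field names mimic Sysmon event 1 and Windows events 7045/4698, but none of the values are real telemetry, and the user-writable path list is an assumption to extend for your own environment.

```python
import json
import re

# Parent/child pairing from the show notes: an Office application launching a
# script host is the Emotet delivery tell ("Word calls PS = BAD").
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Scheduled-task name mentioned in the notes ("Services Update").
KNOWN_TASK_NAMES = {"services update"}
# Directories a phished user can write to; a service or task binary living
# here deserves a look.  Assumed list for this example, not exhaustive.
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users|programdata|windows\\temp)\\", re.I)

# Constructed sample telemetry, one JSON event per line.  Field names mimic
# Sysmon event 1 and Windows events 7045/4698; hosts, paths and names are invented.
SAMPLE_LOG = r'''
{"EventID": 1, "Computer": "WS-0042", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -enc SQBFAFgA"}
{"EventID": 1, "Computer": "WS-0042", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"EventID": 1, "Computer": "ADMIN-01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"EventID": 7045, "Computer": "WS-0042", "ServiceName": "WinUpdateSvc", "ImagePath": "\"C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe\" -k netsvcs"}
{"EventID": 7045, "Computer": "ADMIN-01", "ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe"}
{"EventID": 4698, "Computer": "WS-0042", "TaskName": "\\Services Update", "Command": "C:\\Users\\alice\\AppData\\Roaming\\update.exe"}
{"EventID": 4698, "Computer": "ADMIN-01", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "Command": "%windir%\\system32\\defrag.exe"}
'''


def parse_events(log_text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased last component of a Windows path (also works for task names)."""
    return path.rsplit("\\", 1)[-1].lower()


def first_token(command):
    """Executable path from a command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def office_to_script_host(events):
    """Sysmon event 1 where an Office app is the parent of a script host."""
    return [(e["Computer"], basename(e["ParentImage"]), e["CommandLine"])
            for e in events
            if e.get("EventID") == 1
            and basename(e.get("ParentImage", "")) in OFFICE_PARENTS
            and basename(e.get("Image", "")) in SCRIPT_HOSTS]


def services_from_user_paths(events):
    """Event 7045 (service installed) whose binary sits in a user-writable directory."""
    return [(e["Computer"], e["ServiceName"], first_token(e["ImagePath"]))
            for e in events
            if e.get("EventID") == 7045
            and USER_WRITABLE.match(first_token(e.get("ImagePath", "")))]


def suspicious_scheduled_tasks(events):
    """Event 4698 (task created) flagged by known name or user-writable action path."""
    hits = []
    for e in events:
        if e.get("EventID") != 4698:
            continue
        name = e.get("TaskName", "")
        by_name = basename(name) in KNOWN_TASK_NAMES
        by_path = bool(USER_WRITABLE.match(first_token(e.get("Command", ""))))
        if by_name or by_path:
            hits.append((e["Computer"], name, "name" if by_name else "path"))
    return hits


def hunt(log_text):
    """Run all three checks over a log and group the hits by category."""
    events = parse_events(log_text)
    return {
        "office_to_script": office_to_script_host(events),
        "services": services_from_user_paths(events),
        "tasks": suspicious_scheduled_tasks(events),
    }


if __name__ == "__main__":
    for category, hits in hunt(SAMPLE_LOG).items():
        print(category)
        for hit in hits:
            print("  ", hit)
```

Run as-is it reports one hit per category: the Word-spawned PowerShell on WS-0042, the service installed from a Temp directory, and the "Services Update" task; the printer helper spawned by Word, the admin's interactive PowerShell, the Sysmon service and the built-in defrag task are left alone. The checks are deliberately on parent/child and install location rather than on specific hashes or IPs, so they keep working when the next campaign rotates its infrastructure.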
BDIR Pick - Shameful self promotion - LOG-MD…
Dave’s Picks - Tri-Force, of course.. It is his tool
Tyler's Pick - Lazy Office Analyzer
Topic of the DAY
What is this new podcast all about? Incident Response, Detection and Response, Active Defense, Threat Hunting, Malware Discovery, Basic Malware Analysis
- The process by which you respond to an incident (legal sense)?
- Do we agree on the diagram above?
- Does IR include preparation for an attack?
- What is Active Defense? Your definition will vary
- Threat Hunting - where do Hunters fit into all of this?