Automating Anti-Virus Scanning With MantaRay – 2016
Doug Koster
What is MantaRay?
- Set of Python modules that automate a number of open source forensic tools
- Written and designed by forensic analysts (KISS)
- Allows examiner to select multiple tools, set options for each, click go and walk away
- Designed to work with SIFT 3.0
- Code is on Github:
  - https://github.com/mantarayforensics
Triage Steps Automated by MantaRay
1. Creating a Super Timeline
2. Running Bulk_Extractor
3. Extracting Registry Hives & running RegRipper
4. Extracting EXIF Data
5. Carving Unallocated space
6. Scanning for high entropy files
7. Review RAM using Volatility
8. Extract GPS data from JPEGs and create .KML file
9. Extract Jumplist data
10. Extract NTFS system files
11. Process user selected .plist files
12. Perform Static Malware Analysis (SIFT + REMnux)
13. Anti-Virus Scanning (NEW)
Updates since 2013
- Batch processing option
  - Hard drive images only
  - Will recurse through a directory and process all disk images
- Code updated to run RegRipper 2.8
- Code updated to run Volatility 2.4
- Code updated to run Plaso 1.4
  - Still have ability to use v. 0.65 of Log2Timeline
- Google Analytics parsing (thanks to Mari DeGrazia)
- Static Malware Analysis module (if SIFT is merged with REMnux)
  - https://digital-forensics.sans.org/blog/2015/06/13/how-to-install-sift-workstation-and-remnux-on-the-same-forensics-system
New Anti-Virus Plug-in
- The Problem → we have evidence we need to scan for malware (often lots of evidence) but our forensic machines are on stand-alone networks
- Possible Solutions
  - Make a copy of evidence and connect it to an Internet-facing system
  - Use the AV scanning software installed on your local system
  - Buy a stand-alone copy of a commercial solution
  - KISS method – use MantaRay
Benefits of KISS Solution
- Low Cost
  - Code is free, just pay for the AV licenses
  - I used home use licenses for the demo... for non-home use you would need to buy licenses
- Easily Extensible
  - AV Scanner information is held in a configuration file
  - If you add a new AV scanner to your SIFT VM just update the configuration file
- Modular
  - Code can easily be modified
  - New modules can be written to perform post-processing of AV Scanner output
Basic Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
#####ENTER SCANNER INFO HERE#########################
Clamscan, clamscan -r -i, NONE
########################################################
Sample run against a directory
- Select Directory as Evidence Type
- Select Output Directory
- Select AV Scanner to Run
- Select Directory to Process
- Select Debug Mode
- Select Configuration File
Output with Clam AV Results
/home/sansforensics/Documents/malware_samples/level2_zipped.zip: Win.Trojan.Zbot-26018 FOUND
/home/sansforensics/Documents/malware_samples/level2/suco.exe_level2_dir.evil: Win.Trojan.Zbot-26018 FOUND
/home/sansforensics/Documents/malware_samples/suco.exe.evil: Win.Trojan.Zbot-26018 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4421317
Engine version: 0.98.7
Scanned directories: 2
Scanned files: 15
Infected files: 3
Data scanned: 0.75 MB
Data read: 0.93 MB (ratio 0.81:1)
Time: 7.186 sec (0 m 7 s)
- Clamscan recursed through the entire folder structure and found the malware in the root of the folder, in a subfolder, and inside a zip file in a sub-folder.
Adding Another Scanner - Avast
- Download (home edition is for home use only) from: http://avast-linux-home-edition.en.uptodown.com/ubuntu/download
- run sudo dpkg -i against the .deb file downloaded
- get license code from http://www.avast.com/i_kat_207.php?lang=ENG
- paste in license code during install when prompted
- Update virus signatures → sudo avast-update
- Enter the following line: sysctl -w kernel.shmmax=128000000 at the bottom of /etc/sysctl.conf
- Update → sudo avast-update
Update Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, NONE
#######################################################
Results from Avast
/home/sansforensics/Documents/malware_samples/Lab01-01.dll.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab06-01.exe.evil [OK]
Archived /home/sansforensics/Documents/malware_samples/level2_zipped.zip/level2/suco.exe_level2_dir.evil [infected by: Win32:MalOb-IJ [Cryp]]
/home/sansforensics/Documents/malware_samples/level2_zipped.zip [OK]
/home/sansforensics/Documents/malware_samples/not_infected.txt [OK]
/home/sansforensics/Documents/malware_samples/Lab07_01.exe.evil [infected by: Win32:Trojan-gen]
/home/sansforensics/Documents/malware_samples/Lab07-03.dll.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab01 01.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/level2/suco.exe_level2_dir.evil [infected by: Win32:MalOb-IJ [Cryp]]
/home/sansforensics/Documents/malware_samples/Lab09-03.exe.evil [OK]
/home/sansforensics/Documents/malware_samples/Lab07-02.exe.evil [OK]
/home/sansforensics/Documents/malware_samples/Lab03-04.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab07-03.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/suco.exe.evil [infected by: Win32:MalOb-IJ [Cryp]]
/home/sansforensics/Documents/malware_samples/Lab09-02.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab09-01.exe.evil [infected by: Win32:Malware-gen]
Tweaking output
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
#######################################################
Cleaner Output
/home/sansforensics/Documents/malware_samples/Lab01-01.dll.evil [infected by: Win32:Malware-gen]
Archived /home/sansforensics/Documents/malware_samples/level2_zipped.zip/level2/suco.exe_level2_dir.evil [infected by: Win32:MalOb-IJ [Cryp]]
/home/sansforensics/Documents/malware_samples/Lab07_01.exe.evil [infected by: Win32:Trojan-gen]
/home/sansforensics/Documents/malware_samples/Lab07-03.dll.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab01 01.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/level2/suco.exe_level2_dir.evil [infected by: Win32:MalOb-IJ [Cryp]]
/home/sansforensics/Documents/malware_samples/Lab03-04.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab07-03.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/suco.exe.evil [infected by: Win32:MalOb-IJ [Cryp]]
/home/sansforensics/Documents/malware_samples/Lab09-02.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab09-01.exe.evil [infected by: Win32:Malware-gen]
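The configuration format above (name, recursive scan command, post-processing or NONE) and the post-processing pipe that produced the cleaner output, as an added example that is not MantaRay's own av_scanner_mr.py: how the real script joins the fields is assumed here, namely the evidence folder is appended to the scanner command, the post-processing field follows it, and stdout goes to a per-scanner file under the output directory.

```python
"""Read an av_scanner_mr.py style configuration file and build the command
line each scanner is run with.

Added example, not MantaRay's own code.  The file format is the one the deck
documents: '#' comment lines and one scanner per line with three comma-
separated fields (name, command run recursively against a folder,
post-processing or NONE).  How the real av_scanner_mr.py joins the fields is
assumed: the evidence folder is appended to the command, the post-processing
field (a shell pipe such as '| grep "infected by"' on the slides) follows
it, and stdout is redirected to <output_dir>/<name>.txt.
"""
import shlex
import subprocess
from pathlib import Path


def parse_av_config(text):
    """Return [(name, command, post_processing)]; post_processing is '' for NONE.

    Only the first two commas split a line, so a post-processing command may
    itself contain commas.  A malformed line is an error rather than a
    silently skipped scanner.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3 or not parts[0] or not parts[1]:
            raise ValueError(
                f"line {lineno}: expected 'name, command, post-processing', got {raw!r}")
        name, command, post = parts
        entries.append((name, command, "" if post.upper() == "NONE" else post))
    return entries


def build_command(entry, target_dir, output_dir):
    """Shell command for one scanner.  The evidence path and output path are
    quoted; the scanner command and post-processing come from the operator's
    configuration file and are passed to the shell as written."""
    name, command, post = entry
    out_file = Path(output_dir) / f"{name}.txt"
    cmd = f"{command} {shlex.quote(str(target_dir))}"
    if post:
        cmd += f" {post}"
    return f"{cmd} > {shlex.quote(str(out_file))}"


def run_scanners(config_text, target_dir, output_dir, runner=subprocess.run):
    """Run every configured scanner in turn and return {name: exit status}.

    shell=True is unavoidable because post-processing is a shell pipe, so
    the configuration file has to be treated as trusted operator input.
    `runner` is injectable so command construction can be checked without
    the scanners installed.
    """
    Path(output_dir).mkdir(parents=True, exist_ok=True)
    status = {}
    for entry in parse_av_config(config_text):
        cmd = build_command(entry, target_dir, output_dir)
        status[entry[0]] = runner(cmd, shell=True).returncode
    return status


# Constructed from the configuration file shown in the deck.
SAMPLE_CONFIG = """\
#av_scanner_mr.py configuration file
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
"""

if __name__ == "__main__":
    for entry in parse_av_config(SAMPLE_CONFIG):
        print(build_command(entry, "/home/sansforensics/Documents/malware_samples", "/cases/av"))
```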
Adding F-Protect
- Download (home edition is for home use only) from: http://www.f-prot.com/download/home_user/download_fplinux.html
- Unzip .gzip file to /opt/
- run the 'install-f-prot.pl' perl script
Update Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
F-Protect, fpscan -v 1 -r, | grep "[Found"
#######################################################
Cleaned Up Results from F-Protect
F-PROT Antivirus CLS version 6.7.10.6267, 32bit (built: 2012-03-27T12-34-14)
FRISK Software International (C) Copyright 1989-2011
Engine version: 4.6.5.141
Arguments: -v 1 -r /home/sansforensics/Documents/malware_samples
Virus signatures: 201606111333
(/opt/f-prot/antivir.def)
[Found trojan] <W32/Trojan2.MIDQ (exact, not disinfectable)> /home/sansforensics/Documents/malware_samples/level2_zipped.zip->level2/suco.exe_level2_dir.evil
[Contains infected objects] /home/sansforensics/Documents/malware_samples/level2_zipped.zip
[Found trojan] <W32/Trojan2.MIDQ (exact)> /home/sansforensics/Documents/malware_samples/level2/suco.exe_level2_dir.evil
[Found trojan] <W32/Trojan2.MIDQ (exact)> /home/sansforensics/Documents/malware_samples/suco.exe.evil
Results:
Files: 15
Skipped files: 0
MBR/boot sectors checked: 0
Objects scanned: 16
Infected objects: 3
Infected files: 3
Files with errors: 0
Disinfected: 0
Running time: 00:00
Adding Bit-Defender
- Download bitdefender -> http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Current/EN_FR_BR_RO/Linux/
- Select -> BitDefender-Antivirus-Scanner-7.7-1-linux-amd64.deb.run
- Install .run file
- Get license file -> http://www.bitdefender.com/site/Products/ScannerLicense/
- Run Bit-Defender GUI and enter your key
- To update → sudo bdscan --update
Update Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
F-Protect, fpscan -v 1 -r, | grep "[Found"
BitDefender, bdscan --no-warnings --no-list --action-ignore, NONE
#######################################################
Adding AVG
- wget http://download.avgfree.com/filedir/inst/avg2013flx-r3118-a6926.i386.deb
- sudo dpkg -i avg2013flx-r3118-a6926.i386.deb
- sudo avgupdate
- To update → sudo avgupdate
Update Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
F-Protect, fpscan -v 1 -r, | grep "[Found"
BitDefender, bdscan --no-warnings --no-list --action-ignore, NONE
AVG, avgscan -w -P -H --ignerrors, | grep "Trojan horse"
#######################################################
Root Cause Analysis Demo
- Download MantaRay to your SIFT VM from Github
- Unzip MantaRay inside VM (I used /usr/share as the root folder)
- Command line to run MantaRay → /usr/share/mantaray/Tools/Python/python3 Manta_Ray_Master_GUI.py
- Enter Case Information
- Select Evidence Type
- Select Batch mode (for bit-stream images only)
- Select Output Folder
- Select Modules
- Select Evidence Item to Process
- Set Debug-Mode
- Select Configuration file
- Processing Starts
Step 1: Review AV Scan Results
- All 5 scanners alerted on the following file
  - Users/CEIC-Hacker/AppData/Roaming/Naym/suco.exe
Step 2: Static Malware Analysis
- Extract suco.exe from evidence
  - Use MantaRay FileName Search module
  - Autopsy v4.0
  - Other tool of choice
- Run MantaRay Static Malware Analysis plugin against folder containing suco.exe (needs REMnux)
- Provides output from the following:
  - Mastiff
  - PE Scanner
  - PE Dump
  - PE Frame
  - PESTR
  - READPE
  - SIGNSRCH
Step 2: Static Malware Analysis
- Output from PESCANNER:
Meta-data
====================================================================
Size : 127562 bytes
Type : PE32 executable (GUI) Intel 80386, for MS Windows
Architecture : 32 Bits binary
MD5 : 7b95049f8963abf70e2d98857e7178c5
SHA1 : 0b608dccc301df197f9968c383e9b0a6e8bf60d4
ssdeep : 3072:l6PYV6NtBFXqBNKUFv3+oaSqr4NZ5YNpbNy2KChiCWaTQTe:lFsTBdqGUh3+jSUhy3aIe
imphash : 994868cc529d722b89689c6b1dd44cb9
Date : 0x48B27E26 [Mon Aug 25 09:40:54 2008 UTC]
Language : RUSSIAN
CRC: (Claimed) : 0x2be25, (Actual): 0x2dcc2 [SUSPICIOUS]
Entry Point : 0x4010f7 .data 0/4 [SUSPICIOUS]
Step 2: Static Malware Analysis
- Output from VirusTotal for Hash → 7b95049f8963abf70e2d98857e7178c5:
SHA256: 25ecf8b98eb0cfcf83a02c2b55382c8a62110589d6bf9c00916118d46d439366
File name: suco.exe
Detection ratio: 43 / 47
Analysis date: 2013-05-20 19:22:18 UTC ( 3 years, 1 month ago )
HOUSTON WE HAVE A PROBLEM!!!!
Step 3: TimeLine Analysis
- So we now know we have a malicious file on our evidence
- Timeline analysis will give us more information

Step 3: TimeLine Analysis
www.mantarayforensics.com

Date | Type | L2T_Function | File Name | Notes
5/4/2013 07:11.19 | macb | UserAssist Key | Aol.exe | Shows user execution. File is deleted / overwritten. Probable dropper
5/4/2013 07:11.19 | macb | | Suco.exe | Malicious file from AV scans
5/4/2013 07:11.20 | macb | NTUSER Key | HKEY_USER/Software/Microsoft/Windows/CurrentVersion/Run | Suco added as RunKey
5/4/2013 07:11.20 | macb | [Microsoft-Windows-Windows Firewall With Advanced Security/Firewall] | Security.evtx | Windows Firewall modified
Step 4: Confirm Run Key Mod
From MantaRay RegRipper Results:
Last Modified Time: 2013-05-04 11:22:53.560560
Filename: 377-128-1_Partition_1048576_OVERT_CEIC-Hacker_NTUSER.DAT
MD5 SUM: bb462d742bfd0fd9d2793010c3681c27
user_run v.20140115
(NTUSER.DAT) [Autostart] Get autostart key contents from NTUSER.DAT hive
Software\Microsoft\Windows\CurrentVersion\Run
LastWrite Time Sat May 4 11:11:20 2013 (UTC)
uTorrent: "C:\Users\CEIC-Hacker\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED
{5ECAABF9-0619-7EAC-19E2-4A73BEBEFF9A}: C:\Users\CEIC-Hacker\AppData\Roaming\Naym\suco.exe
SearchProtect: C:\Users\CEIC-Hacker\AppData\Roaming\SearchProtect\bin\cltmng.exe
Step 5: Determine how file got on system
- Timeline analysis shows no Internet activity around the time that suco.exe first appeared on the drive
- Other likely means of infection... USB drive?
- Check RegRipper results for USB devices → SYSTEM/usb.txt
VID_0E0F&PID_0002 [Fri May 3 23:14:17 2013]
S/N: 6&b25d31b&0&2 [Sat May 4 11:22:21 2013]
Device Parameters LastWrite: [Fri May 3 23:16:39 2013]
LogConf LastWrite : [Fri May 3 23:14:17 2013]
Properties LastWrite : [Fri May 3 23:16:08 2013]
InstallDate : Fri May 3 23:16:09 2013 UTC
FirstInstallDate: Fri May 3 23:16:09 2013 UTC
Step 6: Next Steps
- Search your environment for other instances of suco.exe by hash value
- Look for data exfiltration from this system
- Send suco.exe to your RE experts to determine exactly what it does
- Re-image this system to remove the malware

On the to do list:
- Remove human interaction completely
  - Have MantaRay watching a folder for evidence to be dropped in and then start processing using default options
- Add analytics into AV-Scanner script
  - Get count of how many scanners hit on each file
  - Grab filename from scanner output files
  - Extract filename from image
    - Using fls
  - Scan extracted files using MantaRay Static Malware Analysis plugin
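The "count of how many scanners hit on each file" item above, which is also what Step 1's "all 5 scanners alerted" summary does by hand, as an added example that is not MantaRay code: it parses the ClamAV, Avast and F-PROT detection lines in the formats shown on the earlier slides, unifies the two spellings of an archive member path, and tallies scanners per file. The regexes assume those three line formats, and the sample output is constructed from the deck's listings.

```python
"""Aggregate per-file detections across several AV scanners' output.

Added example, not part of MantaRay: the to-do slide asks for a count of how
many scanners hit on each file and for the file names pulled out of the
scanner output files.  The three line formats below are taken from the
ClamAV, Avast and F-PROT output shown in the deck; the sample text is
constructed from those slides.
"""
import re
from collections import defaultdict

# One detection-line pattern per scanner, keyed by the scanner name used in
# the av_scanner_mr.py configuration file.
LINE_PATTERNS = {
    # clamscan -r -i:  <path>: <signature> FOUND
    "Clamscan": re.compile(r"^(?P<path>.+?): (?P<sig>.+?) FOUND$"),
    # avast -n -c:     [Archived ]<path> [infected by: <signature>]
    "Avast": re.compile(r"^(?:Archived )?(?P<path>.+?) \[infected by: (?P<sig>.+)\]$"),
    # fpscan -v 1 -r:  [Found <kind>] <<signature>> <path>
    "F-Protect": re.compile(r"^\[Found [^\]]+\] <(?P<sig>[^>]+)> (?P<path>\S+)$"),
}


def normalize_path(path):
    """Use one spelling for archive members: F-PROT writes zip->member,
    Avast writes zip/member.  ClamAV only names the archive itself."""
    return path.replace("->", "/")


def parse_scanner_output(scanner, text):
    """Yield (path, signature) for every detection line of one scanner."""
    try:
        pattern = LINE_PATTERNS[scanner]
    except KeyError:
        raise ValueError(f"no output parser for scanner {scanner!r}")
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            yield normalize_path(m.group("path")), m.group("sig")


def hits_per_file(outputs):
    """outputs: {scanner name: raw output text}.
    Returns {path: {scanner: signature}}, so both the number of scanners
    that alerted and what each one called the file are available."""
    hits = defaultdict(dict)
    for scanner, text in outputs.items():
        for path, sig in parse_scanner_output(scanner, text):
            hits[path][scanner] = sig
    return dict(hits)


def ranked(hits):
    """Paths ordered by how many scanners alerted, most first."""
    return sorted(hits, key=lambda p: (-len(hits[p]), p))


# --- constructed sample input, taken from the slides' output listings ---
BASE = "/home/sansforensics/Documents/malware_samples"
SAMPLE_OUTPUTS = {
    "Clamscan": f"""\
{BASE}/level2_zipped.zip: Win.Trojan.Zbot-26018 FOUND
{BASE}/level2/suco.exe_level2_dir.evil: Win.Trojan.Zbot-26018 FOUND
{BASE}/suco.exe.evil: Win.Trojan.Zbot-26018 FOUND
----------- SCAN SUMMARY -----------
Infected files: 3
""",
    "Avast": f"""\
{BASE}/Lab01-01.dll.evil [infected by: Win32:Malware-gen]
{BASE}/Lab06-01.exe.evil [OK]
Archived {BASE}/level2_zipped.zip/level2/suco.exe_level2_dir.evil [infected by: Win32:MalOb-IJ [Cryp]]
{BASE}/level2_zipped.zip [OK]
{BASE}/level2/suco.exe_level2_dir.evil [infected by: Win32:MalOb-IJ [Cryp]]
{BASE}/suco.exe.evil [infected by: Win32:MalOb-IJ [Cryp]]
""",
    "F-Protect": f"""\
[Found trojan] <W32/Trojan2.MIDQ (exact, not disinfectable)> {BASE}/level2_zipped.zip->level2/suco.exe_level2_dir.evil
[Contains infected objects] {BASE}/level2_zipped.zip
[Found trojan] <W32/Trojan2.MIDQ (exact)> {BASE}/level2/suco.exe_level2_dir.evil
[Found trojan] <W32/Trojan2.MIDQ (exact)> {BASE}/suco.exe.evil
Infected files: 3
""",
}

if __name__ == "__main__":
    hits = hits_per_file(SAMPLE_OUTPUTS)
    for path in ranked(hits):
        names = ", ".join(f"{s}: {sig}" for s, sig in sorted(hits[path].items()))
        print(f"{len(hits[path])}/{len(SAMPLE_OUTPUTS)}  {path}  ({names})")
```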
Questions / Contact Info
- My contact info:
  - dougkoster@hotmail.com
  - https://www.linkedin.com/pub/doug-koster/7/65a/8aa

Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts ServiceCall Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
 
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceBDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptx
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptx
 
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
 
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
Invezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signals
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptx
 
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
 
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptxBPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
 
VidaXL dropshipping via API with DroFx.pptx
VidaXL dropshipping via API with DroFx.pptxVidaXL dropshipping via API with DroFx.pptx
VidaXL dropshipping via API with DroFx.pptx
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptx
 
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
 
BabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptxBabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptx
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFx
 

Automating Anti-Virus Scanning With MantaRay

  • 1. Automating Anti-Virus Scanning With MantaRay – 2016 Doug Koster 1
  • 2.  MantaRay –  Set of Python modules that automate a number of open source forensic tools  Written and designed by forensic analysts (KISS)  Allows examiner to select multiple tools, set options for each, click go and walk away  Designed to work with SIFT 3.0  Code is on Github:  → https://github.com/mantarayforensics What is MantaRay? 2
  • 3. 1.Creating a Super Timeline 2.Running Bulk_Extractor 3.Extracting Registry Hives & running RegRipper 4.Extracting EXIF Data 5.Carving Unallocated space 6.Scanning for high entropy files 7.Review RAM using Volatility 8.Extract GPS data from JPEGs and create .KML file 9.Extract Jumplist data 10.Extract NTFS system files 11.Process user selected .plist files 12.Perform Static Malware Analysis (SIFT + REMnux) 13.Anti-Virus Scanning (NEW) Triage Steps Automated by MantaRay 3
  • 4.  Batch processing option  Hard drive images only  Will recurse through a directory and process all disk images  Code updated to run Regripper 2.8  Code updated to run volatility 2.4  Code updated to run Plaso 1.4  Still have ability to use v. 0.65 of Log2Timeline  Google Analytics parsing (thanks to Mari DeGrazia)  Static Malware Analysis module (if SIFT is merged with REMNUX)  → https://digital-forensics.sans.org/blog/2015/06/13/how-to- install-sift-workstation-and-remnux-on-the-same-forensics- system Updates since 2013 4
  • 5.  The Problem → we have evidence we need to scan for malware (often times lots of evidence) but our forensic machines are on stand alone networks  Possible Solutions  Make a copy of evidence and connect it an Internet facing system  Use the AV Scanning software installed on your local system  Buy a stand alone copy of commercial solution  KISS method – use mantaray New Anti-Virus Plug-in 5
• 6. Benefits of KISS Solution
 Low Cost
 Code is free, just pay for the AV licenses
 I used home use licenses for demo....for non-home use you would need to buy licenses
 Easily Extensible
 AV Scanner information is held in configuration file
 If you add a new AV scanner to your SIFT VM just update the configuration file
 Modular
 Code can easily be modified
 New modules can be written to perform post-processing of AV Scanner output

• 7. Basic Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
#####ENTER SCANNER INFO HERE#########################
Clamscan, clamscan -r -i, NONE
########################################################

• 8. Sample run against a directory

• 9. Select Directory as Evidence Type

• 11. Select AV Scanner to Run

• 12. Select Directory to Process

• 15. Output with Clam AV Results
/home/sansforensics/Documents/malware_samples/level2_zipped.zip: Win.Trojan.Zbot-26018 FOUND
/home/sansforensics/Documents/malware_samples/level2/suco.exe_level2_dir.evil: Win.Trojan.Zbot-26018 FOUND
/home/sansforensics/Documents/malware_samples/suco.exe.evil: Win.Trojan.Zbot-26018 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4421317
Engine version: 0.98.7
Scanned directories: 2
Scanned files: 15
Infected files: 3
Data scanned: 0.75 MB
Data read: 0.93 MB (ratio 0.81:1)
Time: 7.186 sec (0 m 7 s)
 Clamscan recursed through the entire folder structure and found the malware in the root of the folder, in a subfolder, and inside a zip file in a sub-folder.
• 16. Adding Another Scanner - Avast
 Download (home edition is for home use only) from: http://avast-linux-home-edition.en.uptodown.com/ubuntu/download
 run sudo dpkg -i against .deb file downloaded
 get license code from http://www.avast.com/i_kat_207.php?lang=ENG
 paste in license code during install when prompted
 Update virus signatures → sudo avast-update
 Enter the following line: sysctl -w kernel.shmmax=128000000 at the bottom of /etc/sysctl.conf
 Update → sudo avast -update
• 17. Update Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, NONE
#######################################################

• 18. Results from Avast
/home/sansforensics/Documents/malware_samples/Lab01-01.dll.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab06-01.exe.evil [OK]
Archived /home/sansforensics/Documents/malware_samples/level2_zipped.zip/level2/suco.exe_level2_dir.evil [infected by: Win32:MalOb-IJ [Cryp]]
/home/sansforensics/Documents/malware_samples/level2_zipped.zip [OK]
/home/sansforensics/Documents/malware_samples/not_infected.txt [OK]
/home/sansforensics/Documents/malware_samples/Lab07_01.exe.evil [infected by: Win32:Trojan-gen]
/home/sansforensics/Documents/malware_samples/Lab07-03.dll.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab01 01.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/level2/suco.exe_level2_dir.evil [infected by: Win32:MalOb-IJ [Cryp]]
/home/sansforensics/Documents/malware_samples/Lab09-03.exe.evil [OK]
/home/sansforensics/Documents/malware_samples/Lab07-02.exe.evil [OK]
/home/sansforensics/Documents/malware_samples/Lab03-04.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab07-03.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/suco.exe.evil [infected by: Win32:MalOb-IJ [Cryp]]
/home/sansforensics/Documents/malware_samples/Lab09-02.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab09-01.exe.evil [infected by: Win32:Malware-gen]

• 19. Tweaking output
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
#######################################################

• 20. Cleaner Output
/home/sansforensics/Documents/malware_samples/Lab01-01.dll.evil [infected by: Win32:Malware-gen]
Archived /home/sansforensics/Documents/malware_samples/level2_zipped.zip/level2/suco.exe_level2_dir.evil [infected by: Win32:MalOb-IJ [Cryp]]
/home/sansforensics/Documents/malware_samples/Lab07_01.exe.evil [infected by: Win32:Trojan-gen]
/home/sansforensics/Documents/malware_samples/Lab07-03.dll.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab01 01.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/level2/suco.exe_level2_dir.evil [infected by: Win32:MalOb-IJ [Cryp]]
/home/sansforensics/Documents/malware_samples/Lab03-04.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab07-03.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/suco.exe.evil [infected by: Win32:MalOb-IJ [Cryp]]
/home/sansforensics/Documents/malware_samples/Lab09-02.exe.evil [infected by: Win32:Malware-gen]
/home/sansforensics/Documents/malware_samples/Lab09-01.exe.evil [infected by: Win32:Malware-gen]

• 21. Adding F-Protect
 Adding F-Protect:
 Download (home edition is for home use only) from: http://www.f-prot.com/download/home_user/download_fplinux.html
 Unzip .gzip file to /opt/
 run the 'install-f-prot.pl' perl script
• 22. Update Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
F-Protect, fpscan -v 1 -r, | grep -F "[Found"
#######################################################

• 23. Cleaned Up Results from F-Protect
F-PROT Antivirus CLS version 6.7.10.6267, 32bit (built: 2012-03-27T12-34-14)
FRISK Software International (C) Copyright 1989-2011
Engine version: 4.6.5.141
Arguments: -v 1 -r /home/sansforensics/Documents/malware_samples
Virus signatures: 201606111333 (/opt/f-prot/antivir.def)
[Found trojan] <W32/Trojan2.MIDQ (exact, not disinfectable)> /home/sansforensics/Documents/malware_samples/level2_zipped.zip->level2/suco.exe_level2_dir.evil
[Contains infected objects] /home/sansforensics/Documents/malware_samples/level2_zipped.zip
[Found trojan] <W32/Trojan2.MIDQ (exact)> /home/sansforensics/Documents/malware_samples/level2/suco.exe_level2_dir.evil
[Found trojan] <W32/Trojan2.MIDQ (exact)> /home/sansforensics/Documents/malware_samples/suco.exe.evil
Results:
Files: 15
Skipped files: 0
MBR/boot sectors checked: 0
Objects scanned: 16
Infected objects: 3
Infected files: 3
Files with errors: 0
Disinfected: 0
Running time: 00:00

• 24. Adding Bit-Defender
 Download bitdefender -> http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Current/EN_FR_BR_RO/Linux/
 Select -> BitDefender-Antivirus-Scanner-7.7-1-linux-amd64.deb.run
 Install .run file
 Get license File -> http://www.bitdefender.com/site/Products/ScannerLicense/
 Run Bit-Defender GUI and enter your key
 To update → sudo bdscan --update

• 25. Update Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
F-Protect, fpscan -v 1 -r, | grep -F "[Found"
BitDefender, bdscan --no-warnings --no-list --action-ignore, NONE
#######################################################

• 26. Adding AVG
 wget http://download.avgfree.com/filedir/inst/avg2013flx-r3118-a6926.i386.deb
 sudo dpkg -i avg2013flx-r3118-a6926.i386.deb
 sudo avgupdate
 To update → sudo avgupdate

• 27. Update Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
F-Protect, fpscan -v 1 -r, | grep -F "[Found"
BitDefender, bdscan --no-warnings --no-list --action-ignore, NONE
AVG, avgscan -w -P -H --ignerrors, | grep "Trojan horse"
#######################################################
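The configuration file above is what drives the plug-in, so here is an added example, written for this page rather than taken from MantaRay's av_scanner_mr.py (whose internals the slides do not show), of how a parser and runner for that three-field format can be built defensively. The sample config text, the /evidence target path, the Avast-style output lines and the function names parse_config, build_command, apply_filter and run_scanner are all assumptions of the example. It tokenises the scanner command with shlex instead of handing the line to a shell, and it accepts only NONE or a '| grep "..."' post-processing field, applying that filter as a fixed-substring match so a bracket pattern such as "[Found" is taken literally:

```python
"""Config-driven AV scanner runner: an added example, not MantaRay's own
av_scanner_mr.py (whose internals the slides do not show).

Each non-comment line of the config has three comma-separated fields:
    <scanner name>, <command that scans a folder recursively>, <post-processing or NONE>
The only post-processing the slides use is '| grep "<text>"', so that is the
only form accepted here; it is applied as a fixed-substring filter in Python
instead of through a shell.
"""
import shlex
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the final state of the config file shown on the slides.
SAMPLE_CONFIG = """\
#av_scanner_mr.py configuration file
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
F-Protect, fpscan -v 1 -r, | grep -F "[Found"
BitDefender, bdscan --no-warnings --no-list --action-ignore, NONE
AVG, avgscan -w -P -H --ignerrors, | grep "Trojan horse"
#######################################################
"""


@dataclass
class ScannerSpec:
    name: str
    argv: List[str]              # scanner command, tokenised once at parse time
    grep_text: Optional[str]     # literal from '| grep "..."', or None for NONE


def _parse_post_processing(post: str) -> Optional[str]:
    """Accept NONE or '| grep [-F] "<literal>"'; reject anything else so the
    config file cannot become a place to smuggle in arbitrary shell."""
    if post.strip().upper() == "NONE":
        return None
    tokens = shlex.split(post.lstrip("|"))
    if len(tokens) >= 2 and tokens[0] == "grep" and all(t == "-F" for t in tokens[1:-1]):
        return tokens[-1]
    raise ValueError(f"unsupported post-processing: {post!r}")


def parse_config(text: str) -> List[ScannerSpec]:
    """Turn the config text into ScannerSpecs; '#' lines and blanks are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",", 2)]   # post-processing may itself contain commas
        if len(fields) != 3:
            raise ValueError(f"expected 3 comma-separated fields: {raw!r}")
        name, command, post = fields
        specs.append(ScannerSpec(name, shlex.split(command), _parse_post_processing(post)))
    return specs


def build_command(spec: ScannerSpec, target_dir: str) -> List[str]:
    """argv for scanning target_dir: the evidence folder is appended as one
    argument, so spaces or metacharacters in its name are never interpreted."""
    return spec.argv + [target_dir]


def apply_filter(spec: ScannerSpec, output: str) -> List[str]:
    """Emulate the '| grep "<literal>"' post-processing as a fixed-substring
    match (grep -F semantics), so brackets in patterns like "[Found" are literal."""
    lines = output.splitlines()
    if spec.grep_text is None:
        return lines
    return [ln for ln in lines if spec.grep_text in ln]


def run_scanner(spec: ScannerSpec, target_dir: str) -> List[str]:
    """Run one scanner and return its filtered stdout lines.  Needs the scanner
    installed, so the offline checks never call it.  Exit status is not
    checked: most AV scanners exit non-zero precisely when they find something."""
    proc = subprocess.run(build_command(spec, target_dir),
                          capture_output=True, text=True, check=False)
    return apply_filter(spec, proc.stdout)


# Constructed lines in the format Avast prints (modelled on the slide output).
SAMPLE_AVAST_OUTPUT = """\
/evidence/Lab01-01.dll.evil [infected by: Win32:Malware-gen]
/evidence/Lab06-01.exe.evil [OK]
/evidence/not_infected.txt [OK]
/evidence/suco.exe.evil [infected by: Win32:MalOb-IJ [Cryp]]
"""

if __name__ == "__main__":
    specs = parse_config(SAMPLE_CONFIG)
    for spec in specs:
        print(f"{spec.name:12s} {' '.join(build_command(spec, '/evidence'))}")
    avast = next(s for s in specs if s.name == "Avast")
    for hit in apply_filter(avast, SAMPLE_AVAST_OUTPUT):
        print("  ", hit)
```

run_scanner is the only function that touches the system and needs the scanner installed; everything else can be checked offline. Because several examiners may edit the same configuration file on a shared SIFT VM, validating the post-processing field this way keeps the config from turning into a place where arbitrary commands run with the examiner's privileges, and appending the evidence folder as a single argv element means a directory name with spaces or shell metacharacters is passed through unchanged.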
• 28. Root Cause Analysis Demo
 Download MantaRay to your SIFT VM from Github
 Unzip MantaRay inside VM (I used /usr/share as the root folder)
 Command line to run Mantaray → /usr/share/mantaray/Tools/Python/python3 Manta_Ray_Master_GUI.py

• 31. Select Batch mode (for bit-stream images only)

• 34. Select Evidence Item to Process

• 38. Step 1: Review AV Scan Results
 All 5 Scanners alerted on the following file
 Users/CEIC-Hacker/AppData/Roaming/Naym/suco.exe

• 39. Step 2: Static Malware Analysis
 Extract suco.exe from evidence
 Use MantaRay FileName Search module
 Autopsy v4.0
 Other tool of choice
 Run MantaRay Static Malware Analysis plugin against folder containing suco.exe (need remnux)
 Provides output from the following:
 Mastiff
 PE Scanner
 PE Dump
 PE Frame
 PESTR
 READPE
 SIGNSRCH

• 40. Step 2: Static Malware Analysis
 Output from PESCANNER:
Meta-data
====================================================================
Size : 127562 bytes
Type : PE32 executable (GUI) Intel 80386, for MS Windows
Architecture : 32 Bits binary
MD5 : 7b95049f8963abf70e2d98857e7178c5
SHA1 : 0b608dccc301df197f9968c383e9b0a6e8bf60d4
ssdeep : 3072:l6PYV6NtBFXqBNKUFv3+oaSqr4NZ5YNpbNy2KChiCWaTQTe:lFsTBdqGUh3+jSUhy3aIe
imphash : 994868cc529d722b89689c6b1dd44cb9
Date : 0x48B27E26 [Mon Aug 25 09:40:54 2008 UTC]
Language : RUSSIAN
CRC: (Claimed) : 0x2be25, (Actual): 0x2dcc2 [SUSPICIOUS]
Entry Point : 0x4010f7 .data 0/4 [SUSPICIOUS]

• 41. Step 2: Static Malware Analysis
 Output from VirusTotal for Hash → 7b95049f8963abf70e2d98857e7178c5:
SHA256: 25ecf8b98eb0cfcf83a02c2b55382c8a62110589d6bf9c00916118d46d439366
File name: suco.exe
Detection ratio: 43 / 47
Analysis date: 2013-05-20 19:22:18 UTC ( 3 years, 1 month ago )
HOUSTON WE HAVE A PROBLEM!!!!

• 42. Step 3: TimeLine Analysis
 So we now know we have a malicious file on our evidence
 Timeline analysis will give us more information

• 43. Step 3: TimeLine Analysis
www.mantarayforensics.com
Date | Type | L2T_Function | File Name | Notes
5/4/2013 07:11.19 | macb | UserAssist Key | Aol.exe | Shows user execution. File is deleted / overwritten. Probable dropper
5/4/2013 07:11.19 | macb | | Suco.exe | Malicious file from AV scans
5/4/2013 07:11.20 | macb | NTUSER Key | HKEY_USER/Software/Microsoft/Windows/CurrentVersion/Run | Suco added as RunKey
5/4/2013 07:11.20 | macb | [Microsoft-Windows-Windows Firewall With Advanced Security/Firewall] | Security.evtx | Windows Firewall modified

• 44. Step 4: Confirm Run Key Mod
From MantaRay RegRipper Results:
Last Modified Time: 2013-05-04 11:22:53.560560
Filename: 377-128-1_Partition_1048576_OVERT_CEIC-Hacker_NTUSER.DAT
MD5 SUM: bb462d742bfd0fd9d2793010c3681c27
user_run v.20140115
(NTUSER.DAT) [Autostart] Get autostart key contents from NTUSER.DAT hive
Software\Microsoft\Windows\CurrentVersion\Run
LastWrite Time Sat May 4 11:11:20 2013 (UTC)
uTorrent: "C:\Users\CEIC-Hacker\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED
{5ECAABF9-0619-7EAC-19E2-4A73BEBEFF9A}: C:\Users\CEIC-Hacker\AppData\Roaming\Naym\suco.exe
SearchProtect: C:\Users\CEIC-Hacker\AppData\Roaming\SearchProtect\bin\cltmng.exe

• 45. Step 5: Determine how file got on system
 Timeline analysis shows no Internet Activity around the time that suco.exe first appeared on drive
 Other likely means of infection…...USB drive?
 Check RegRipper results for USB devices → SYSTEM/usb.txt
VID_0E0F&PID_0002 [Fri May 3 23:14:17 2013]
S/N: 6&b25d31b&0&2 [Sat May 4 11:22:21 2013]
Device Parameters LastWrite: [Fri May 3 23:16:39 2013]
LogConf LastWrite : [Fri May 3 23:14:17 2013]
Properties LastWrite : [Fri May 3 23:16:08 2013]
InstallDate : Fri May 3 23:16:09 2013 UTC
FirstInstallDate: Fri May 3 23:16:09 2013 UTC

• 46. Step 6: Next Steps
 Search your environment for other instances of suco.exe by hash value
 Look for data exfiltration from this system
 Send suco.exe to your RE experts to determine exactly what it does
 Re-Image this system to remove malware

• 47. On the to do list:
 Remove human interaction completely
 Have MantaRay watching a folder for evidence to be dropped in and then start processing using default options
 Add analytics into AV-Scanner script
 Get count of how many scanners hit on each file
 Grab filename from scanner output files
 Extract filename from image
 Using fls
 Scan extracted files using MantaRay Static Malware Analysis plugin
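The outputs shown earlier for ClamAV, Avast and F-PROT each report a detection in a different shape, and the to-do item "Get count of how many scanners hit on each file" needs those shapes reconciled. As an added example, not MantaRay's code, the following parses the three formats, folds archive-member notation back onto the on-disk container, and counts how many scanners flagged each file. The /evidence sample lines are constructed from the detection lines on slides 15, 18 and 23 with shortened paths, and the function names correlate, hit_counts and normalize_path are the example's own:

```python
"""Correlate detections across scanner outputs: an added example, not MantaRay's
own code.  It parses the three output formats shown on the slides (ClamAV,
Avast, F-PROT) and counts how many scanners flagged each on-disk file, which is
the "count of how many scanners hit on each file" item from the to-do list.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

Hit = Tuple[str, str]          # (reported path, detection name)

# One regex per scanner, matching only lines that report a detection.
CLAM_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
AVAST_RE = re.compile(r"^(?P<path>.+?) \[infected by: (?P<sig>.+)\]$")
FPROT_RE = re.compile(r"^\[Found [^\]]+\]\s+<(?P<sig>[^>]+)>\s+(?P<path>.+)$")
# Archive members: Avast writes 'x.zip/member', F-PROT writes 'x.zip->member'.
ARCHIVE_MEMBER_RE = re.compile(r"^(?P<container>.+?\.zip)(?:/|->).+$")


def _matcher(regex) -> Callable[[str], Optional[Hit]]:
    def parse(line: str) -> Optional[Hit]:
        m = regex.match(line.strip())
        return (m["path"], m["sig"]) if m else None
    return parse


PARSERS: Dict[str, Callable[[str], Optional[Hit]]] = {
    "Clamscan": _matcher(CLAM_RE),
    "Avast": _matcher(AVAST_RE),
    "F-Protect": _matcher(FPROT_RE),
}


def normalize_path(path: str) -> str:
    """Map a reported path to the file on disk: drop Avast's 'Archived ' prefix
    and reduce an archive member to its container, which is what ClamAV reports,
    so all three scanners agree on one key for an infected zip."""
    if path.startswith("Archived "):
        path = path[len("Archived "):]
    m = ARCHIVE_MEMBER_RE.match(path)
    return m["container"] if m else path


def correlate(outputs: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """outputs: scanner name -> raw scanner output.  Returns
    on-disk path -> {scanner name: detection name} for every flagged file."""
    hits: Dict[str, Dict[str, str]] = defaultdict(dict)
    for scanner, text in outputs.items():
        parse = PARSERS[scanner]
        for line in text.splitlines():
            parsed = parse(line)
            if parsed:
                path, sig = parsed
                hits[normalize_path(path)][scanner] = sig
    return dict(hits)


def hit_counts(hits: Dict[str, Dict[str, str]]) -> List[Tuple[str, int]]:
    """(path, number of scanners that flagged it), most-flagged first."""
    return sorted(((p, len(s)) for p, s in hits.items()), key=lambda t: (-t[1], t[0]))


# Constructed sample outputs modelled on slides 15, 18 and 23 (paths shortened).
SAMPLE_OUTPUTS = {
    "Clamscan": """\
/evidence/level2_zipped.zip: Win.Trojan.Zbot-26018 FOUND
/evidence/level2/suco.exe_level2_dir.evil: Win.Trojan.Zbot-26018 FOUND
/evidence/suco.exe.evil: Win.Trojan.Zbot-26018 FOUND
----------- SCAN SUMMARY -----------
Infected files: 3
""",
    "Avast": """\
/evidence/Lab01-01.dll.evil [infected by: Win32:Malware-gen]
/evidence/Lab06-01.exe.evil [OK]
Archived /evidence/level2_zipped.zip/level2/suco.exe_level2_dir.evil [infected by: Win32:MalOb-IJ [Cryp]]
/evidence/level2_zipped.zip [OK]
/evidence/level2/suco.exe_level2_dir.evil [infected by: Win32:MalOb-IJ [Cryp]]
/evidence/suco.exe.evil [infected by: Win32:MalOb-IJ [Cryp]]
""",
    "F-Protect": """\
[Found trojan] <W32/Trojan2.MIDQ (exact, not disinfectable)> /evidence/level2_zipped.zip->level2/suco.exe_level2_dir.evil
[Contains infected objects] /evidence/level2_zipped.zip
[Found trojan] <W32/Trojan2.MIDQ (exact)> /evidence/level2/suco.exe_level2_dir.evil
[Found trojan] <W32/Trojan2.MIDQ (exact)> /evidence/suco.exe.evil
""",
}

if __name__ == "__main__":
    hits = correlate(SAMPLE_OUTPUTS)
    for path, count in hit_counts(hits):
        print(f"{count}/{len(PARSERS)}  {path}  {hits[path]}")
```

A file flagged by only one of the installed scanners (Lab01-01.dll.evil above, seen only by Avast in this constructed sample) deserves a second look rather than dismissal: generic names such as Win32:Malware-gen say little on their own, which is why the deck goes on to static analysis and a VirusTotal lookup for suco.exe. BitDefender and AVG can be added by registering one more regex each in PARSERS.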
• 48. Questions / Contact Info
 My contact info:
 dougkoster@hotmail.com
 https://www.linkedin.com/pub/doug-koster/7/65a/8aa