Security Incidents mailing list archives
RE: Simple Windows incident response methodology
From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 11 Jun 2004 07:30:47 -0700 (PDT)
> 1) I'd also like to hear from people who have more extensive experience with NT rootkits - will the methodology I gave find most of them? What are exceptions? What tools *should* be used in that instance?
I did some testing with AFX Rootkit 2003 for my book, and I'm planning more extensive tests on other available rootkits in the near future. From my experience, no, your methodology will not detect the presence of rootkits. What you should have is multiple disparate tools to collect information (pslist AND tlist AND handle AND listdlls AND openports, etc.) from a system, and then do some sort of anomaly-based detection (i.e., w/ AFX, the PID for the 'hidden' process was visible in one tool, and not another). I think the biggest thing is that while your methodology is very good for most things, it's all about data collection...nothing is really mentioned with regards to analysis.
> 2) I'd also like to hear from people on expanding out the "analysis" phase - for example, comparing results from fport to netstat,
That's easy. Perl. Parse the output files, dumping the contents into data structures. When comparing the process lists retrieved by pslist and WMI, I dump everything into hashes of hashes, w/ the PIDs as the primary keys.
> how do you examine listdll output and know if there are kernel hooks that shouldn't be there, etc. I know how to do it informally but haven't written it down.
Well, the first step is to write it down. This one is kind of fun, too, b/c it's easy. Create a flat file containing "known good" entries from "clean" systems. Use these as the exceptions. Write a script that pulls the module information from the Explorer.exe process (for example), and parse out the exceptions while suppressing the known goods.
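Harlan describes doing this in Perl; the following is an added Python example (my code, not his, and not part of the original post) that carries out both pieces of the analysis he sketches: the per-tool process lists are parsed into a hash of hashes keyed by PID so that a PID one enumerator reports and another does not stands out, and the listdlls output for explorer.exe is filtered against a "known good" module list so only the exceptions remain. The tool output embedded below is constructed and only approximates the real pslist, tlist, fport and listdlls layouts; the KNOWN_GOOD entries, the PID 1900 "updater.exe" process that pslist misses, and newmod.dll are hypothetical stand-ins for the example.

```python
import re
from collections import defaultdict

# Constructed sample captures for this example (not real output; the layouts only
# approximate pslist, tlist, fport and listdlls as they looked in 2004). PID 1900
# stands in for a process that one enumerator misses, as the post describes for AFX.
PSLIST_OUT = r"""
Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                4   8  53  255      0    0:00:00.000     0:00:00.000
smss                364  11   3   21    164    0:00:00.000     0:00:00.000
explorer           1524   8  14  392   9876    0:00:01.093     0:10:22.000
"""
TLIST_OUT = r"""
   4 System
 364 smss.exe
1524 explorer.exe
1900 updater.exe
"""
FPORT_OUT = r"""
Pid   Process            Port  Proto Path
1900  updater        ->  4444  TCP   C:\WINDOWS\system32\updater.exe
"""
LISTDLLS_OUT = r"""
explorer.exe pid: 1524
Command line: C:\WINDOWS\Explorer.EXE

  Base        Size      Version         Path
  0x01000000  0xff000   6.00.2900.2180  C:\WINDOWS\Explorer.EXE
  0x7c900000  0xb0000   5.01.2600.2180  C:\WINDOWS\system32\ntdll.dll
  0x10000000  0x6000                    C:\WINDOWS\system32\newmod.dll
"""
# Hypothetical "known good" list for explorer.exe; build the real one from clean systems.
KNOWN_GOOD = {r"c:\windows\explorer.exe", r"c:\windows\system32\ntdll.dll"}
FULL_ENUMERATORS = ("pslist", "tlist")  # tools expected to list every process; fport is not

def parse_pslist(text):
    """pslist: skip the banner up to the 'Name ... Pid' header, then read name and PID."""
    procs, in_table = {}, False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("Name") and "Pid" in line
            continue
        m = re.match(r"^(\S+)\s+(\d+)\s+\d+", line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs

def parse_tlist(text):
    """tlist: '<pid> <name>' per line; the name may contain spaces."""
    rows = (re.match(r"^\s*(\d+)\s+(\S.*?)\s*$", ln) for ln in text.splitlines())
    return {int(m.group(1)): m.group(2) for m in rows if m}

def parse_fport(text):
    """fport: only processes holding a port appear, so absence here means nothing."""
    rows = (re.match(r"^\s*(\d+)\s+(\S+)\s+->\s+\d+\s+(?:TCP|UDP)\s+", ln) for ln in text.splitlines())
    return {int(m.group(1)): m.group(2) for m in rows if m}

def parse_listdlls(text):
    """listdlls: {(process, pid): [module paths]} from each '<proc> pid: N' section."""
    modules, current = {}, None
    for line in text.splitlines():
        hdr = re.match(r"^(\S+) pid: (\d+)\s*$", line)
        if hdr:
            current = (hdr.group(1).lower(), int(hdr.group(2)))
            modules[current] = []
            continue
        # Base, Size, optional Version, then the path (which may contain spaces)
        row = re.match(r"^\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(?:[\d.]+\s+)?(\S.*?)\s*$", line)
        if row and current is not None:
            modules[current].append(row.group(1))
    return modules

def merge_by_pid(results):
    """{tool: {pid: name}} -> {pid: {tool: name}}: the hash-of-hashes keyed by PID."""
    merged = defaultdict(dict)
    for tool, procs in results.items():
        for pid, name in procs.items():
            merged[pid][tool] = name
    return dict(merged)

def find_hidden_pids(merged, full=FULL_ENUMERATORS):
    """PIDs that some tool reported but a full enumerator did not (the AFX-style tell)."""
    return {pid: [t for t in full if t not in seen]
            for pid, seen in merged.items() if any(t not in seen for t in full)}

def unknown_modules(paths, known_good=KNOWN_GOOD):
    """Suppress the baseline; whatever remains is the exception list to examine."""
    return [p for p in paths if p.lower() not in known_good]

def run_report():
    results = {"pslist": parse_pslist(PSLIST_OUT), "tlist": parse_tlist(TLIST_OUT),
               "fport": parse_fport(FPORT_OUT)}
    merged = merge_by_pid(results)
    hidden = find_hidden_pids(merged)
    unknown = {k: unknown_modules(v) for k, v in parse_listdlls(LISTDLLS_OUT).items()}
    for pid, missing in hidden.items():
        print(f"PID {pid} seen by {sorted(merged[pid])} but missing from {missing}: {merged[pid]}")
    for (proc, pid), mods in unknown.items():
        for mod in mods:
            print(f"{proc} ({pid}): module not in known-good list: {mod}")
    return hidden, unknown

if __name__ == "__main__":
    run_report()
```

The point of keeping fport out of FULL_ENUMERATORS is that a process with no open port is legitimately absent from fport, so only the tools that claim to enumerate every process are used as the reference; a PID that fport or handle reports but pslist does not is exactly the kind of disagreement worth chasing. On a real case, feed the saved output files to the parsers instead of the constructed strings, and expect to tune the regexes to the versions of the tools you actually ran.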