Kaspersky Academy

Monitoring APIs — Process Monitor
- Procmon lets you trace some of the called APIs, created files, registry access and network activity.
- Support for filters: by PID, process name, function name, pathnames, time and many others.
- Export to XML and CSV.

Monitoring APIs — Process Monitor
- It's very straightforward to create filters in Procmon: Filter > Filter... (Ctrl+L).
- The filter below intercepts all the CreateFile() operations done by SC4DB7EE.exe.
- Remember, the CreateFile() function can be used for any file operation (create, read, write), not only for creating new files.
[Screenshot: Procmon filter dialog with the Process Name / Operation filter described above]

Monitoring APIs — Process Monitor
- Our intercepted API calls are marked in red.
- Procmon also displays very important information about the parameters passed to the functions in a human-readable way.
- It also shows the success status of a function call.
- Multiple filters can be specified together; for example, we can see the created processes, modified files and registry keys.
[Screenshot: Procmon event list with the filtered CreateFile calls highlighted]

Monitoring APIs — Process Monitor
- Process Tree can be very useful. It shows applications that finished executing in gray.
[Screenshot: Procmon Process Tree window]

Monitoring APIs — Process Monitor
- The Tools menu offers: Process Tree..., Process Activity Summary..., File Summary..., Registry Summary..., Stack Summary..., Network Summary..., Cross Reference Summary..., Count Occurrences...
- The File, Registry and Network summaries can be used in fast dynamic analysis.
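The Procmon filter shown on the slides (process name plus operation) applied to a CSV export, as an added example that is not part of the Kaspersky Academy material. The export rows are constructed to mimic Procmon's default column layout; only the process name SC4DB7EE.exe comes from the slides.

```python
"""Apply a Procmon-style filter (Process Name is X and Operation is CreateFile)
to a Procmon CSV export and summarise the results the way the GUI does."""
import csv
import io
from collections import Counter

# Constructed sample of a Procmon CSV export with the default columns
# (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1234567","SC4DB7EE.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:02:11.1239999","SC4DB7EE.exe","1234","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:02:11.2000000","SC4DB7EE.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:02:11.3000000","SC4DB7EE.exe","1234","CreateFile","C:\\nonexistent.dll","NAME NOT FOUND","Desired Access: Read Data/List Directory"
"10:02:11.4000000","explorer.exe","800","CreateFile","C:\\Users\\lab\\Desktop","SUCCESS","Desired Access: Read Data/List Directory"
"10:02:11.5000000","SC4DB7EE.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svc.exe"
"""


def filter_events(csv_text, process_name, operation="CreateFile"):
    """Rows matching the Procmon filter 'Process Name is <X>' and 'Operation is <Y>'."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows
            if r["Process Name"].lower() == process_name.lower()
            and r["Operation"] == operation]


def written_files(csv_text, process_name):
    """Paths the process opened for writing or creation.

    CreateFile is also used for reads and attribute queries, so the Detail
    column (Desired Access / Disposition) must be inspected, not just the
    operation name."""
    return sorted({r["Path"] for r in filter_events(csv_text, process_name)
                   if r["Result"] == "SUCCESS"
                   and ("Generic Write" in r["Detail"] or "Disposition: Create" in r["Detail"])})


def result_summary(csv_text, process_name):
    """Count the Result column of the filtered CreateFile calls (SUCCESS, NAME NOT FOUND, ...)."""
    return Counter(r["Result"] for r in filter_events(csv_text, process_name))
```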
Monitoring APIs — Regshot
- Creates two "shots" at different points in time and compares them.
- Shows any registry keys and files added, modified or removed.
- Cannot capture deleted files.
- Alternative solution to CaptureBAT.
- Captures all the changes; doesn't apply any filtering.
  - Con: noise (Windows events).
  - Pro: doesn't miss any modifications to the file system or registry.
- Run as Administrator for complete results.
[Screenshot: Regshot main window]

FakeDNS
- Responds to DNS queries with a custom address.
- Before using, configure the DNS settings of your network adapter to point to the server FakeDNS is listening on.
- Configure the address that FakeDNS will return.
- Alternatives with similar functionality: ApateDNS, fakedns.py (short, easily modifiable).
- Some malware may use hardcoded IP addresses (or hardcoded DNS servers!).

Monitoring Network - netcat
- Swiss army knife of networking.
- Can be used to observe communication over unknown protocols.
- Other functions: port scanning, file transfer, chat server, remote access shell.
[Screenshot: netcat listener receiving a request of the form "GET /index.php?id=S4hN43bdmnds34fdsUS HTTP/1.1" and reporting bytes sent/received]

Monitoring Network - IRC
- A lot of malware samples attempt to turn the victim computer into a legitimate "bot". IRC (Internet Relay Chat) is still one of their main communication protocols.
- Infected machines join an IRC channel, often password protected. A "bot herder" can command all the bots via IRC private messages.
- To analyze an IRC bot we need an IRC server in our virtual network:
  - bircd ~ easy to use and configure, no install needed, light-weight;
  - ircd.conf ~ configure listening ports.
- An IRC client would allow us to observe the IRC channel activity and possibly observe commands issued by the herder(s).
  - KVIrc ~ free portable IRC client.

Monitoring Network
- Redirects traffic to localhost (including traffic destined for a hard-coded IP address) and emulates a lot of services, including HTTP(S), SMTP, DNS, ICMP.
- Dumps packets in the form of a Wireshark-supported packet capture.
- Can "capture" packets on localhost (not usually possible on Windows with Wireshark).
  - A capture is actually reconstructed from send/recv calls.
- Support for creating extensions (Python scripts) to imitate unknown protocols.
- Similar alternative if the analysis machine is running Linux: inetsim.

Monitoring Network - Wireshark
- Wireshark is the best application for passive tapping of network traffic on an Ethernet network.
- It can capture traffic from the network interface.
- It can process previously captured traffic (pcap files).
- It has many filters and a user-friendly GUI.
- Supports capture filters and display filters.

Monitoring Network - Wireshark
- It can display the content of various protocols of the OSI model, and also IP addresses and packet sizes.
- It has support for creating dissectors for custom protocols, on top of already existent ones.
[Screenshot: Wireshark packet list, packet details ("Frame 172: 60 bytes on wire (480 bits), 60 bytes captured", "TCP segment of a reassembled PDU") and hex dump pane]
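What a FakeDNS-style responder (described on the FakeDNS slide above) does on the wire, as an added example that is not the FakeDNS tool's own code: parse one DNS query and answer every A/IN question with the configured address. The query bytes are constructed in build_query, and the answer address 10.0.0.1 is an assumed lab value.

```python
"""FakeDNS-style responder logic: answer any A query with one fixed address."""
import struct


def parse_query(pkt):
    """Return (txid, qname, qtype, qclass, question_bytes) of a single-question DNS query."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:          # QR bit set or not exactly one question
        raise ValueError("not a single-question DNS query")
    labels, pos = [], 12                          # question section starts after the 12-byte header
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, pkt[12:pos + 4]


def build_response(pkt, answer_ip, ttl=60):
    """Build the response a FakeDNS server would send: A/IN questions get answer_ip,
    every other question type gets a NOERROR response with no answer records."""
    txid, qname, qtype, qclass, question = parse_query(pkt)
    is_a = qtype == 1 and qclass == 1
    # Flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0; ANCOUNT 1 only for A/IN.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if is_a else 0, 0, 0)
    answer = b""
    if is_a:
        # Name = compression pointer to offset 12 (the question), TYPE A, CLASS IN, TTL, RDLENGTH 4.
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answer


def build_query(txid, name, qtype=1):
    """Construct the query a resolver would send (used here to feed the responder offline)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    # Flags 0x0100: standard query with RD set; QDCOUNT 1.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
```

A real responder binds a UDP socket on port 53 and passes each received datagram through build_response; note that, as the slide warns, a sample that contacts a hard-coded IP address never sends the query in the first place.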
