Malware is nothing but a counterfeit process. Imagine trying to find counterfeit bills with only a cursory knowledge of what money looks like. Sure it’s green and has numbers on it, but that doesn’t make you a currency expert. Sadly, that’s the equivalent knowledge level of many infosec professionals when examining Windows systems during live response.
In order to find evil, you must first know what good looks like. In this session, we’ll spend some time getting to know what behavior is expected on Windows 10 systems so you can pull the signal out of the noise (and oh is there ever noise). The time you invest today will pay huge dividends during your next investigation.
This session is appropriate for both defenders and attackers (penetration testers). Incident responders will find great value in understanding baseline Windows 10 operation. What processes are expected? Are there normal scheduled tasks? What weird behavior should I expect on Windows 10 that wasn’t there in previous operating systems. Penetration testers frequently exploit the same weaknesses in their tests that have been used by attackers. Look carefully and you may find you’re not the only one on that box you just popped.
Jake Williams (@MalwareJake) is a co-founder of Rendition Infosec, TS//NF (Tactical Security//Network Forensics), and E-Guardian Global Services where he focuses on incident response, computer forensics, penetration testing, malware reverse engineering, and exploit development. Jake is a certified SANS Instructor and course author and trains thousands annually in information security topics. Prior to founding Rendition Infosec, Jake worked in various roles with the US DoD performing offensive and defensive cyber operations in classified environments. Jake regularly briefs Fortune 500 executives on information security topics and has a knack for translating complex technical topics into verbiage that anyone can understand.