
so hi my name is Kayla I'm here to give a talk on potential incident response in relation to malware breaches specifically we'll be talking about single injection or Anna punched out today this is more or less people truth here so people are my age started to help me by my name is Kayla some people in some circles coming tale tend to be not late at night and help me to like it a little awhile let me see your memory this media trust needed trust and might have nothing to do one another operator to separate been to the spectrum they thought that verification has to sell verification things like that I analyzed it matter one of the only not remember people at
my work so I am the father of the Carolina cops you know you come in Carolina and you Lisa guns came here may local shoot guns so saw I get there Friday before Kerala you shoot like four hours and we never get her back east region you're stuck with guns up all the Penguins interested and I mean very might not just where everyone I gonna be very like that started out as a black where's my weed great I don't call it a great guy there's only hipsters very medicine I'm gonna [ __ ] missed you so I'm also your huckleberry anyone's ever worked at the startup before Kennedy's was our promoter would call idolator's lots help me I was your huckleberry but
if you show up unless you know it's kind of Halle Berry so yeah please indulge in both those huckleberries so into the great we're going to get into the great area which is posed in veterans parks this is basically from your getting infection level to the animals level which spacing between the nodebots power i'll people get breached notices that make is just inform at a NHE to go so we're going to get into a little bit number breach response methodologies good back hopefully most of you have to practice in my grade doble old lady now I am told so my gorgeous some tools that are used for me and methods pine beetles which is something about the good thing about
even at 80 companies definitely into their entered into their life they then just run sister knows gonna be straight there's a lot other tools out there he's much better Danish system console screen foot heating boom a little past that movie you've actually so such a great area today one I've competed on this is robust so I'm going to say because you're balancing recovering and get back to operations versus preserving evidence or other security like things that you would want to Austin injury and yeah that's definitely one major point a lot of people just maybe go away just as possible call Navy Tony might have some removals or something but you're actually giving them their state of your samples from
your own deferences Oh but yeah the good recovery is on major backer you want to get you know stephenie's are back to work he's the hired one so we're going to be able to else but but the major thing is over land and Mars it's may be published an utter fool years ago seeing a con artists today it's not a I'm there been a lot of work in artists it's not gonna stop those buyers nowadays the antivirus doesn't work for it any word what it is is a breach detection mechanism Porter network or even out of reach it's not going to stop it no you know this is incoming you know you better do
something it's good like it up very screwed potentially generically when you're screwed and by Daenerys on the infections a QC generic in the deflection you so are they going to respond to that or gonna respond to very generically sending is not persistence techniques you're not going to know there's an infection if you don't know there's an infection it is not up to you to scream how are they going to argue with us they have no idea why their Google results getting redirected every time they do people search they came up with a neat little trick basically data copied URL paste it in the bathroom and just go like that but you know the Mars is actually inside the browser okay
to it redirecting anything or is we're gonna rip it up will just redirect never crap systems techniques trip the lottery three Mountain persistence that it's going to persist there's nothing you can do about it try to crack it with mister installed it came out with a screw-up in code and what happened but that's not good it's no not only very amazing word works with me so CryptoLocker treason in your face persistence technique whereas it's hard to attack maybe on your network for months and it doesn't want you to notice there you probably won't notice the point where most organizations balls word human some thoughts unfortunately soul Adams goes you're in training I mean people in this room
actually dealt with an executable networks people literally had someone say that this is persepolis just do something with it yeah sometimes less sometimes there's more but it's hard just know what to do when they executable if boss continue so what the hell happened you'll find out what are you gonna do employee the fire so no don't do that are those beautiful tool but I'll get into that a little bit here but if you have what your organs Oh security confidence inside optical or you know you have someone it we're just having teachers working what's that do for that and say hey you know we don't and just bubbling in their eyes well no Dave likes opera or not and stoke that
fire another part and that's get on the first part of b-sides Haskell but it doesn't require college education matters very dynamic changes from day to day so there's no book we can read on the latex matter email is all on the internet so take advantage of it you know Google to your heart's content about our just don't hit my googly avoid people in just three sort of our responses they're just screwed together blade I figured I've really dropped food money today
and then response so if you maybe firstly use the second one we did walked outside some positive like group is already knowledgeable about not where breach response keep in mind there's incident response either socks measure someone on their notice malware if you'd be some types of situations I've come across are there later scratching their heads versus because the results haven't ever even smell it like a small department to just test is good so the first response I'm going to get over to do behavior it's probably the most familiar a everyone's familiar with really you didn't into machine or machine images and then Steven HR backward dream I was a quick recovery but if you basically yourself about that
I laminated evidence for the person that put it battler on Eugene or highly leveraged machine with over important whatever for the first this resides on kind of discreet you know cable that connects betrayed property as it is good recovery if you're going to do this office I call it lazy and become boot when you come across another kind of network you can actually happen ated fully organic infections that computer was the birds back in history browse for whatever is infected you have that work in infection if you played with him out looking for you know out there you can't just run police malware like it checks for a lot of things so you can't just run it
expected to do the same thing it's doing my finger TX play it properly they could be being where hopefully your own business machines or something that's displayed it's it's really good that happen anyway to top that infected machine even if your BOTS great it does require that you have that images play with them again image into an old Dell and play me to see what you can find out about it see wherever his eyes if you've analyzed all the file locations start honoring their network look for those locations across the network because if you run Network one thing or something like that more likely there's nothing window did that so ii men throw all of you ladies
talk bottle do not scream about is a WDM and you can dig up enough to just and provided it kind of stands for wives sometimes stands for college boom because you're so taken back by a good amount it's been an effective punts and you don't care it is you know how many one as a resource your company that's going to buy this up or you're literally driving the making the window the point of your screens or be made about it with a fake web document or something and you're still getting work i'm skin is so many times this the range that maybe do this hawk basically is I've seen this on the Laurie networks seen this one
hospital network seen this on a small medical office ever he's insane but they don't care and I'm not sure they are very cuz they don't know but not numbers like in the news they should here to be still a problem so what am I saying my name someone has asked me to get our number back get on my 5x pupils with x games are violent old like what how does this been going on what is wrong with you deeply just not area um trim the blogger asking people literally descent that computer side and boom I'm into doing and just working and I'm cute yeah eighty what about the lockers oh you don't still next to our step we
just don't running for I I guess that's a good way to keep devil code actual training battle bit that's not so yeah why I tell me these people at some point response is brilliant removal an analysis and when I say analysis I don't mean reverse engineering first thing is finding it's highly interesting but if you just we're gonna are many your time our job to start reversing things your boss five you reversing things it's gonna ask how you're doing for time is you're not actually giving good that back any proper having a proper toilet happily briefs happen you're sitting there mutters playing and having fun but it's not the same thing as actual behavior analysis find out what happened network
well I know they're artifacts and see you find other effective so first thing you should do is in the end member know so I understand with memory now ladies a lot of lots of something deep games so if you have an office in Seattle and your extra carpet the majority gusta seven or something is in Florida this a memory note unless you have a really fast next which other than when I if you're probably going to start complaining transferring behaves one word together the facts especially over like some point or join you something like that VPN with a happy sight STP that's even gonna be slow I mean even take kids how many part movies that they owe to if
you are and remote switch ways you different ways to approach so if you open up Process Explorer will get into and you see or using to make memory that's suspicious maybe you should felt that processes memory individually it's better than nothing maybe that may not be actually not an analyst if you're the pata - he'll be buying you a bottle of wine afterwards because you've got that organic memory know at least the process level so get on you can easily second thing is something a lot of people take a new account and this is particularly harmful if you're worried about someone exfiltrating data so the first thing I knew basically other than um memory is
part of our hourly machine on the same subnet you're going to get a lot of traffic I mean it's a full memory you can filter marketer that doesn't lessen the size of pcap bought it did you get that pcap give it really 30-60 minutes look through that pcap for that IP for that ineffective no see how much traffic see where it's going you see what it's going another and basically it bent actually uh high school trading bottles you can run something like foremost against it or off-road and actually car models I'll go pcap so you can actually see that up close in terms of you know running marks are against machine don't network how do
you gauge whether or not to allow a bit but basically they cost benefit of allowing that machine to run live from extra thirty or sixty minutes versus putting it in a VM and running it that way in a sandbox where it's not actually being able to reach out to anything determine whether or not you know okay this is the time we're going to let it run live for a little while longer at the risk of maybe infecting other regimes for it put it into BM in sandbox of where we might not get all the same information about the instructions being set back to it or something like that well so there's a lot of Namibian work
maybe giving off this may increase encryption if it detects the risk for doing this my name is very little that has been infected it's been infected for at least an hour already if you're on a corporate network more badly you have the bathroom you'd a potential trade price to be paid for past Internet let me run for 30-60 minutes isn't going to do really anything for you except get a treat so you can analyze a lot of forensic investigators when they show up on scene the first thing they actually do digital forensic investigators don't unplug the machine don't unplug the network people there's a lot of net worth it actually has cops of those are liars
I've encountered executables dated if you actually tried to like remove a DLL from birth buddy to do disable the network part irritating completely out of system devices in this case if you happen targeted attack and they are expert rating data and you pull the plug right middle of that x85 they're gonna stay between them on and the way they're saying to the executable we're running on there but this isn't gonna hurt it's just good to have especially if they are taken down by not a lot of it I can see where you say it isn't Little Miss people either populated forensic investigators specifically will tell you do you know what the never especially because my racket is going to be
listening to see hey Liza network connection doubt was power love that's suspicious activity I mean extreme lack what happened may ask what about coming TCP will recover a little bit of a bleep so if you're running in with your packet capture machine with your your T splitter on the Ethernet cables so I'm just unplugging and plugging it back in is the mount work and I detect that cool if it's in the mid file and it's brutal yet I'm gonna be taking over to get here hopefully do the CEO and I'm just ignoring office which means it's not good for the organization has to get at mine it's actually suited for your own self awareness of malware so more your
posted stuff this gets into marks over trade more with malware more you look for more places you find it in the more places you on the next malware that Elizabeth like laces on system they look like the recycle bin directories windows directories stuff like that alternative down there especially so people folders especially so it's nothing beneficial to your organization to get this because you actually to yourself there you go you encounter new piece of malware that just came out this morning and it's doing different things in every other piece of malware you've ever seen you throw something on this piece I made 10 bucks in my reward you know maybe one alpha subunit on automated sandbox and
Martin is not in the replacement angles I'm not gonna say that this sandbox can have it I mean heap using the service and boxing filling a kid with a Mac sitting next to own sandbox basically so obviously what was the value you have a good you set off that maybe it's worth you know mimics for the tank top right it uses some work whatever you have all these images state are real images on the funding give all software installed basically the same patch levels and hopefully you only have at least one of her adopted home if you have more money if you needed it I'm sorry but you don't eat more than one version so it's a
boxing watch a Bible you want to find out soon that you leave their own pockets a box of hundred objects gives you back a the report or some sort of the end basically you can render out looking out but it's going to tell you where that see this on the system it's going to help you what allows drop with the allows us talking to who's going to show you all windows API calls it's making it's going to give you a lot even we can do something missing boxes they're going to give you a peek at movies welcome so you're gonna have a whole system itself you're gonna have a pcap you're not going to organic pcap and
then you kept up the Sam Boston Market and it can I flee or late find out what the difference is in the traffic based on those two pieces back to your question so while it is improving it initial packet capture if you have it's a box environment you got that set up that sandbox Department review some of this don't a lot sometimes he launching um I just I was reading something earlier it's a timing thing commanders indicators it's a timing thing those indicators that it's working the VM yeah yeah so in Cuckoo box of courses the premiere unfortunately VMware virtualization I understand a lot working government you've got to have something differently license been there done that
ha be more some super mountain offices because everyone looks for innovation channel just very nice attack doesn't matter talking about you state your being worthwhile you're gonna go virtualization hit like VirtualBox my opinion or something other didn't be on we're gonna be happy to be a worker you're still gonna get analysis play its p.m. we're see they're gonna let me stay dissolve or not making mal one really it's give them etiquette expert realization of a key in that market principles like it when web secretary is okay so it pops the baby window up you know tricks cancer information will be spilled out of us is gonna bother something like that if you run that on a
physical machine and you make it look like a colorpoint which make it look like a cream on statistic seems highly prone to get your body just be able to run very well on that physical machine you can take the same exact that let's save everything just almost down to the hardware running the me animal and the window will pop up or it connected they would not be so can I do verified you said it pwe yes it set up to through the wall because you're trying to be analyzed the sample I think the forget actually not detected or asking about just growing everything under p.m. and you're actually less likely to get infection effectors oh
this is honey p.m. this is a VM yeah I mean whoa that's a great idea but I don't know anyone that's going to do that we're talking about right 30 workers do so becoming a big big leagues I heard from that stop maybe start radar but look for a shin jail yeah but may have Hoynes response teams and mental country's daily there well this is about people so yeah it would be nice to run them just it against tax think you've ever wondered about marketing piece for you're gonna work every day about if you did about the users in the fact that they can even grieve great passwords they're calling you about talking something yesterday
you picked up about my pians like woman calls about burning food and you got to stay about with you we're gonna be dealing with in relation to the prototype stage one city maybe some more causes tremendous day by virtualizing I mean if you can do it do it another day you have to run on your network and improve motor with this and all views on you've ever heard of communities begin to decrease watch you restart your system it's not talking in you can actually make area to serve positive change on someone's Bachmann's or something another time you reboot this machine and you can temporarily it literally goes back original state it was in now there's not rather than
specifically pockets I've seen also model really doctor Megan's I've actually seen executed state like eliminating the password so that would lend the malware due to our mother was proponents the same way it looks params so and like you make that there's a lot of to grow know it's one of the digital machine to be map analysis do you make one it just able to the machine partition rather than run or onyx but a lot of school districts run box because easy for him to get a virus actually reboot it's still error they commit you but it's at least kept it from getting too much checking your people were solving if you don't have a sock we're
going to respond speed it was basically you may have a contract with injury response company but does anyone know method work environments when you're designing up this Mondragon you have eight one not specific specific and they deal with Mallory's make sure to ask these questions in to give a feeling on interest on track because you may be surprised who ends up on the other end are responding instance so there are four response inclusion is a problem never reproduce human briefs as well as positives never bridges obviously the point of this is your organization doesn't have one sentence in place the same time our occurs a couple of Starbucks top here something like and you think one sends a lot of
organizations back on the second statement policy is not about policy I mean send an email out look Mountain response I think Dartmouth is what we're going to do in a stage one we've done punishing stage two and our party cannot be captured good about this stuff and I've even gone as far as building just as a mini response just so they could respond so they wouldn't bother us but they do [ __ ] out of us stay one preaches network regions if it's never reached find out how to get infected single node this whole it's not hard to tell what in convective maybe his positives are given the partner Bank her doctor's office and this was a targeted attack to dig into
the organization like no one knew these visits so your total this for $30 dang analyze and your copy me maybe in a PF or that we're talking and that's something specifically your company maybe that you're stupid some of it is the biggest search engine on planted what you can't do though is a
really good example of this is Mets employee better be smells good built a framework check out no one's ever heard of a couple red painters got sick of their payloads plate literally it was getting picked up by their you know well that basically uses all his pipe on rapper and every single executable or generates in the spirit of every single executable with generates that is unknown barcode and open the small checker is abilities that doesn't so you get people to target attack give them the hash get good luck you will have that here somewhere else for something else but you know about Luke didn't have too much work but it check out work as well really a team I used about me or
pseudo red ink events I used it actually to test appliances that had ABS decays in them where they wanted to test the machine learning and stop at the other end but they didn't how many samples or goodbye he came all the sudden I scripted like five thousand just SMTP them out basically there's earth their little baby Pacific that's exactly what you want to see how it would be baby is play with gum river will be so methods run maybe defenses appliances of your pruner the filter and baby no filters is common-sense stuff and there's no way I'm going to get an infection how to get her out something like my dream or supplement you never clients it's going
to filter all this stuff well business people on walk through the front door organization paint your receptionist any black truck stains kebab kebab he works for CEO John this is for maybe every month and the CD or something out yet this is for Josh to see TMO I gotta run to lunch I have another vision you know you make sure you get this with any luck so plug it in or just like from the parking lot and is as good as brute forcing those different passwords to bring these duties so the Pens methods plate how common sense about to you know even if you have all this stuff you're still crisp we're going to get an outreach somewhere
someday don't plan on not being breached don't plan on ball and it's a good plan to give a reached 39 celibacy also by your endeavor like I was saying how many versions of jobs appear under network that I understand people run legacy about vegetables people pendant on top like we shouldn't have eight versions of it you shouldn't have done embargo five install up your machine on any machine it's running like it's a software that you need to talk to you see of it because you need to upgrade what anybody's for that software everyone so this latest game yeah there's nothing like a grape on top of it how many of you actually need Flash installed on
your network I mean he absolutely needed work from marketing you crazy stuff I didn't think so he's going to go out if you remove flash from your number because Jason again what you can while he's coming or something there is a female by but you seem otherwise get a little critical see you soon bad things about it buddy / it's not a good thing it's hot lingers do not know oh you can eat flash moderator if you want involved it just [ __ ] blast it's it seems penis plated when it's number one another good like here next word maybe hit a use Friday you need to actually want that specifically not just level machine if
you think bottling QuickBooks most other software you running either doesn't mean honoree things that have got to be vectors specifically you guys someone needs all those legacy merchants a job you know absolutely go to network setup or network god muttering so specifically for those nodes there's beautiful ways you can do it stand there all day I have to talk about that a little bit two holes of the trade and basically this is these are some tools that I use when I found it oh this situation so these aren't going to be tools that are going to remove the malware there's no a lot of mold these are mountain dirty pools these are girl the machine would be next how
they're gonna find this was it hooked into so the first point like hot bodies Process Explorer Sysinternals this is should be like ten years now it's not it will never be Windows is about cease to exist thank goodness but as you can see here I'm basically creating more process felt or this individual possible and this was another effective machine I just picked to be box get service of process you can do memory go this mother speaking about earlier it's easy to do o memory dollars tons and tons he tilts out there but in video prosecutor don't do how especially with the animals that handi-vac that's going to stuff another thing about possible where is
you get emergency laws in handles so baby remember ZeroAccess when first came out it was embedding itself into a lot of schools painting Bob structure reports ZeroAccess was like couple holders with schema letters and that symbol and then there couple partner back soon we started searching and you can't just search the whole system for any you're going to come back when you make your club learning a computer so if you guys are looking for the axonal and you see I go to three installed on whatever problems for that is firebox on the reason I'm using the @ symbol in this example because the xm-10 access was the key Tomas marking up deeply it
was hooked into the system so we did a search for this and bottom surfaces thought exe here's what's an SMS how do you see everything if you shut down here's no like it was gonna blow extremely specifically because when they your bliss screens it dumps memory out so when you reboot there's no chance you get it what was it the memory at that point out that's that's the term our technique I was speaking about and who the services of the excuse running every service honey box so you at least know to pin it you can find this at any file so if you find a pop name in a number of your retreated come do a search on it you'll be surprised
ones have been to be these products would not this is giving the properties for each process so when you feature about this is not news brief assistant general surgery version came out see recently you know this is demonic little box down here you can submit another ash differential it checks the hash for you so it's not sending explorer.exe some separate elements to Google basically it's checking the episode Microsoft and all their wisdom I'm not sure if they're responsible that feature probably odd but it's a really neat feature this is basically process properties on steroids you can look at the straightest you look at expiry the performance this piece it atomic rings about one thing I find
really interesting on this is these strings so strings and malware from strings gets an extra for whatever suits gonna print out all the agree to black Springs in that bottle right again executable it's gonna be much cheaper dishes to an extended experience will actually show you mostly hydrolysis colonies windows drinks watch their routers that keen need their signatures he asked us traitors low-level it's probably a big thing any words used to be way to cannot retain one inning but nowadays would find weird things in there like I read streams on thanks of people would have reside the picture it was quoting both pitching it was or equal anybody like it just over an hour and I like cetera it's
a whole bunch of it over again I wanna play there was a were clicking off a little arm and it was called that because it's good wrote this love this bollywood actress in India and all through this Martin is just like I love you need you here don't think she got the word bro but yeah so that reduces no we can find a direct reading that if used to create an hour will be fully honest dated I'll actually boggling and so these directors gonna compete like you lastly a logic to their directory structures sometimes but I found malware worms like it winks or you're all about releases level trainees nothing as important as it used to be
but it's still high you're gonna start trying to reverse it it's in first out it's really good so second focal bead is nothing there's a ton of memory down facilities out there I like this one all done that's it his common dirty it'll dumpy good luck turns green so there's like pop this is a lot of our mainstay not even the process word where any internal tools in my team so when I first got about response team Thursday simples and they're like here this is what Hughes and I started by making these tools egg there's just not not there twenty work I'd like to get really beat the system I like really see what's going on like find out how to stop
something it literally had a piece of malware upon machine go keep restarting himself getting funded shutting down one problem we were having was there was matter that was aware of some of the pools Process Explorer and TDSSKiller Timur there's like a quarter bottle they're tools they were specifically listed in the work and we were to shut them down and remove execute applies this is Windows you look on it again it's like sorry you know how great excuse anymore who's like all things these bowls specifically what begins as helped me to be able to think there's parish so we started providing tools they you know really deep in its system we start being basically where they were listening and
with this small about to show you exactly know what I read their kernel-level college basically listening on and you can delete it and then you could record comes again I said the permissions again but there wasn't told up we were using it was only x86 and it was blue screen excuse me more boxes forget the name is the reason I thought it was everyone
some people were debating whether it was eating the last Republican his point but he was starting to build up its pursuit before bit boxes the boxes and all these filters blue screen and [ __ ] these extra boxes so please correct me h 0 it's probably never recover recently so this total it's completely manger this tiny loops baton man in China this is really skeptical when it's a really great another little sketchy so this will specifically runs there's a very busy person which is why bother the directory is not only just an index there's no nominal gauge is just an index listing and third zone approvers and apparently and pervades I just wanted to make some money or the pro
version a free version and there's an SDK txt and one of the versions actually has fire on your easily where if you will set whatever bottom toolbar which this being coddled England China know like it's got a body once because it's kind of it and if this was a beer introducing and I ain't break it's kind of going it's the green a little bit maybe he's just so you get Mallard where she so nice we're looking at come bottles and as you can see my house you can literally look in the room 0 you look pregnant or in green look really pretty on this is on this whole leg isn't anything on the system this let go
but really you can kill anything that this the option is perfect this is sort of each rich application that I'm surprised no one else a lot of you right all right now me too we started using this a lot as you can see the process is book reading they have permissions for and obviously this is PC Hunter because like interesting one that says it's just a really cool it in a pinch if you do need to get to stomp out examination importance is one of the best beaches and the hotter it's not your products free this is a rebirth but we got 94 the pro version is part of reversing or maybe Madrid this is
literally go through every single to this house can give you a whole examination reporter of every day so your pinch you need format she need about yelling at you whatever is going on just to get data from this and it will print out every single thing in all these tabs and this pouch I can actually open this up but it's really really really beautiful now it diskette you told by to the sketchy means you go find these tools you need to treat every single word of the piece powder Puma get yo literally everything have to pop the bot do that with pay these 25 I mean uppity system terminals you don't worry about it so
if Microsoft my baby baby baby that was if you're worried about that are you working at school hopefully deviating from remaining I trust Chinese software little boarded removing everybody one thing about the school is I remain water targeted and calls calls up title truth the broker who calls up like revived under Chinese IVs woman to die the three-person popped up like one or two look it's just get to fold but it works great how can you can that day there's easy place tonight I mean what I did really was for us to use this on like customer networks and stuff you cannot that it's going to set off three years filters for something so what you do is you can just not all
those IDs out in those bottle you should be looking in the most about anyways because dinner copper tricks you know they ordered things through the hose bottle in some cases I've seen like forty different major websites or didn't feel like a website he just threw the host spot so you're looking there anyways I just made a little bad Wow I'll just echo whose all these IDs and null phenomenal that backwards you know okay and removing them or not it doesn't matter those IDs a block on that person's here at all actually so you our entries you actually better human by it you know nobody knew this I caught one of my team members using this
before we were done testing it first thing I did was throw through my sandbox from our second thing I do is run and look at it myself so other great points bonus piece of software that is it's all box case so if you can see it up upper left corner every time anybody in office speeds its name basically to avoid her artwork it's going to be shut down because all really good tools eventually get blacklisted by mother office so it's all off its case it drops to drop it when you run it well if you change the configuration it actually drops can be false you said thing again with your other places well really quickly if I can do
this sorry
hey I'm not with the networks or not they worried but as you can see it's not so one thing I'd like to point is there are so many pieces of malware that hide themselves in really weird places on the system they you can't get you with peanut bumper explored on a TV like you just think it's them they're like maybe these shortcuts stuff like that stuff like this that's what music support on the ATV it looks at those shortcuts like all the shortcut state when did someone have to make to be compatible with Windows XP scrap get lots of those shortcuts a directories so you can actually known with them and because we're very popular having faces from
allergies but this doesn't give a this goes right any mom oh no he doesn't go right in pardon me it's not the screen so if you might attributes and on top of that this is the particle moves so there's there's various things you can do it has delete or replace so delete and lock the top of the drink into your bathroom out system basically and every time you believe this executable copy papi he's coming back what are you gonna do put a directory knick-knacks cute in latex beginner like that it's a little trick but this is the same thing but I feel and I pretty sure sorry about that usually is in front
didn't stop reading and everyone's abuse so the PCPD you it is basically will not that's that you should use it it's good way to tell it boxes and infected to be believed first thing you should do fire you guess we're gonna buy a good part of the botnet I call it the Christmas back because you need connections coming in or grief or maybe disconnect already if there's a there's a word on here it's gonna look like Christmas if there's a pure botnet if your pure body no you're gonna see from the money this list is gonna be grow long and they're gonna be connecting disconnecting changing your great so initially I mean there's a bunch of
little tools that you learned it I'm going to run this purchase when see what's going on doesn't look like you're but it doesn't look like work and change my code completely so little things like this really really really yeah anyways other tools you should look into and some things will recognize from just security in general but they can be use for malware analysis volatility hockey's deep memory presence and the best memory forensics great word unpainted you know how great is Kali to play powerball shuffle you know we're running generator on the payloads find out why they're not effective I started talking into that the county can also speak be necessary to install so it is built for never introduction a
performing it against Mallory school system generals team are actually really good utility if anyone noticed when TSS hilary's bought that ellaby from fever fevers of grief nobody has it to Bob dollars immediately looks for rootkits and it lets you payment system moving services it's not as feature-rich as PC but it's not my website itself it just the name that's the dude Africa system cuckoo look what this setup once you have it set up stand watching you market black clerk if anything just installed is my kinds of sharks response and response disco in Reverse Malorie that all totally belly once you tell these you need a really neat person's energy mom play with Billy helix is a forensic
response distribution little digital forensic responders use lot and tools under for a mundane stuff like that even generating these models that I was using helix I was trying to get any top each of s applause did Felix didn't I'm not gonna installing on my harddrive and remove it every time soon I thought about that is another new forensic this Revit house so the progress it's a lot what we traditionally do it's because it's a lot of people just got sick of the forensic history of scanner and build this plus it has a negative you know first time that we've seen very important actually there's a lot of gay stuff on here parts of you see very
important not I'm going to remember pretty to check it out it may be more likable it's not sketchy though certain difference so the reason it is more money legal and not sketch is because it has a mini burger and when I see Minnie its XP stripped out is like it literally run top of W model then you can actually track them with a lot it also has a nice distribution part of Linux that you can do to for imaging and stuff like that it has a second later format on the first boot screen basically that you can just do that the Automator we're minute I've never actually thought I would know it works but it's neat to
have three smattering of hearts and I see is one of the best on here is because it's only house much bigger because finds everything becomes like opera like network consult from it Wireless a large it comes to the burden is your cell phone it comes with just I think there's a part of version amount of legs on there but don't move to disk and run now twice if you're running need from your bootable this drove please scan right here right now it's good that was still me that nobody but her PCP I so it is 519 days we even counter develop my laptop and we were having to basically have there was the first day
to so brain smart and people didn't know what to do there was only the one where it exerted screaming didn't hear about people didn't know how to get around that it's coming up and safer so with a remote office how are you gonna get to that I was able to whittle this ISO down 219 bags I fully customized it to where I opened the wim file and maybe so as soon as you go to it and it was XP not Linux is there's dishonorables from XP version I open it and I made a the body initiate Network Sousa food and background was literally instructions on how to on TV and TV roles on the desktop and just a
bunch of different like little response instructions on what to do business and you know fire we were able to send this under ninety make like so to Allah rather than transfer to bother make so anything it's a good kind of get more response by this job so you can just manually it becomes with like and something is your version of ghost is if you look at the website it lists everything is on that York and everything is on there is incentive for Mac you can strip it out who swear I did so triggers font CD everyone should know about heart Excel Microsoft not sure how they feel about XP but yeah any questions on it as well well oh good I'm
gonna keep talking so yeah here's an example so here's an example of engagement Wow really you can't see I just rub it on yo it's not gonna work anyways no dude really
anyway it's all so if you have any questions or anything come out we're eating people that don't have any SCADA networks worth putting the best packets isn't policies and please hit me up in the room you have Balter words for me on twitter our responder words as well all your friends but I hope everyone got something out I caught today I hope you all can stop resisting the face de demain this stuff and thank you very much