Malware Detection Checklist

The following is a sample checklist that you can use as part of your malware detection process. All of the tasks listed in this checklist are taken from chapter 6, "Malware Detection", of Windows Forensic Analysis 3/e. Please feel free to use this checklist, or modify it to suit your needs.

Task | Findings/Notes
--- | ---
Check for installed AV | 
Review available logs (MRT, Defender, McAfee, Application Event Logs, etc.) | 
Scan mounted image with AV | 
Scan for packed files | 
Digital signatures (Sigcheck.exe) | 
WFP check (wfpchck.pl) | 
ADS check (lads.exe) | 
PE file "compile time check" | 
MBR check (mbr.pl) | 
Registry analysis – autostart & artifact locations, modifications to firewall settings, etc. (RegRipper) | 
Registry analysis – System hive, Enum\Root\Legacy_* subkeys (RegRipper) | 
Check for web activity/history in LocalService/Default User profiles | 
Check System Event Log; Event ID 7035 with user SID | 
Check Scheduled Tasks, Scheduled Task log (SchedLgU.txt) | 
User %Temp% dir: PE files with .exe or .tmp extensions; Java .jar files/JavaFX key, updates to jusched.log, etc. | 
MFT checks (mft.pl) | 
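As an added example for the "PE file compile time check" row (not code from the book or this post), a small Python script that reads the COFF TimeDateStamp from a PE header and applies a few assumed heuristics an analyst would note in the Findings column; the minimal PE image it parses is constructed inline, and the thresholds are assumptions.

```python
import struct
from datetime import datetime, timezone

COFF_TIMESTAMP_OFFSET = 4  # TimeDateStamp sits 4 bytes into the COFF file header


def pe_compile_time(data: bytes) -> int:
    """Return the COFF TimeDateStamp (Unix epoch seconds) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, e_lfanew + 4 + COFF_TIMESTAMP_OFFSET)[0]


def assess_compile_time(stamp: int, fs_mtime: int, now: int, slack: int = 86400) -> list:
    """Heuristic findings (assumed thresholds) for one file's compile time.

    Caveat: the stamp is attacker-controlled, and reproducible builds
    (e.g. MSVC /Brepro) store a hash here, so treat hits as leads, not proof."""
    findings = []
    if stamp == 0:
        findings.append("zero timestamp (stripped or packed)")
    if stamp > now + slack:
        findings.append("compile time in the future")
    if stamp < 631152000:  # 1990-01-01 UTC: older than any plausible Windows build
        findings.append("implausibly old compile time")
    if stamp > fs_mtime + slack:
        findings.append("compiled after the file's last-modified time")
    return findings


def build_minimal_pe(stamp: int) -> bytes:
    """Constructed sample: a bare MZ + PE header, just enough to carry a TimeDateStamp."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptHdr, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0x22)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    fs_mtime = now - 86400  # assumed last-modified time of the file on the mounted image
    for label, stamp in [("normal", now - 30 * 86400), ("future", now + 10 * 86400), ("zero", 0)]:
        ts = pe_compile_time(build_minimal_pe(stamp))
        print(label, datetime.fromtimestamp(ts, timezone.utc), assess_compile_time(ts, fs_mtime, now))
```

On a real image, feed the script the first few hundred bytes of each PE found in the %Temp% and system directories and record any non-empty findings list in the table.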
