Joe Sandbox Cloud Basic


ID: 34930
Sample Name: sample1.doc
Cookbook: defaultwindowsofficecookbook.jbs
Time: 21:46:35
Date: 23/10/2017
Version: 20.0.0

Table of Contents

  Table of Contents ... 2
  Analysis Report ... 4
    Overview ... 4
      General Information ... 4
      Detection ... 4
      Confidence ... 5
      Classification ... 5
      Analysis Advice ... 6
    Signature Overview ... 6
      AV Detection ... 7
      Key, Mouse, Clipboard, Microphone and Screen Capturing ... 7
      Software Vulnerabilities ... 7
      Networking ... 7
      Persistence and Installation Behavior ... 7
      Data Obfuscation ... 7
      Spreading ... 7
      System Summary ... 7
      HIPS / PFW / Operating System Protection Evasion ... 8
      Anti Debugging ... 8
      Malware Analysis System Evasion ... 8
      Hooking and other Techniques for Hiding and Protection ... 8
      Language, Device and Operating System Detection ... 8
    Behavior Graph ... 9
    Simulations ... 9
      Behavior and APIs ... 9
    Antivirus Detection ... 9
      Initial Sample ... 9
      Dropped Files ... 9
      Domains ... 10
    Yara Overview ... 10
      Initial Sample ... 10
      PCAP (Network Traffic) ... 10
      Dropped Files ... 10
      Memory Dumps ... 10
      Unpacked PEs ... 10
    Joe Sandbox View / Context ... 10
      IPs ... 10
      Domains ... 10
      ASN ... 10
      Dropped Files ... 10
    Screenshot ... 10
    Startup ... 11
    Created / dropped Files ... 11
    Contacted Domains/Contacted IPs ... 13
      Contacted Domains ... 13
      Contacted IPs ... 13
    Static File Info ... 13
      General ... 13
      File Icon ... 14
      Static OLE Info ... 14
        General ... 14
        OLE File "sample1.doc" ... 14
          Indicators ... 14
          Summary ... 14
          Document Summary ... 14
          Streams with VBA ... 15
            VBA File Name: Module1.bas, Stream Size: 3467 ... 15
              General ... 15
              VBA Code Keywords ... 15
              VBA Code ... 16
            VBA File Name: ThisDocument.cls, Stream Size: 12841 ... 16
              General ... 16
              VBA Code Keywords ... 16
              VBA Code ... 20
          Streams ... 20
            Stream Path: \x1CompObj, File Type: data, Stream Size: 114 ... 20
              General ... 20
            Stream Path: \x5DocumentSummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096 ... 20
              General ... 20
            Stream Path: \x5SummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096 ... 20
              General ... 20
            Stream Path: 1Table, File Type: data, Stream Size: 6579 ... 20
              General ... 20
            Stream Path: Data, File Type: data, Stream Size: 108224 ... 21
              General ... 21
            Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 409 ... 21
              General ... 21
            Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 65 ... 21
              General ... 21
            Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5497 ... 21
              General ... 21
            Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 569 ... 22
              General ... 22
            Stream Path: WordDocument, File Type: data, Stream Size: 4096 ... 22
              General ... 22
    Network Behavior ... 22
      TCP Packets ... 22
      HTTP Request Dependency Graph ... 22
      HTTP Packets ... 22
    Code Manipulations ... 23
    Statistics ... 23
      Behavior ... 23
    System Behavior ... 23
      Analysis Process: WINWORD.EXE PID: 3100 Parent PID: 2840 ... 23
        General ... 23
        File Activities ... 24
          File Created ... 24
        Registry Activities ... 24
          Key Created ... 24
      Analysis Process: cmd.exe PID: 3168 Parent PID: 3100 ... 24
        General ... 24
      Analysis Process: powershell.exe PID: 3204 Parent PID: 3168 ... 24
        General ... 25
        File Activities ... 25
          File Created ... 25
          File Deleted ... 25
        Registry Activities ... 25
      Analysis Process: reg.exe PID: 3276 Parent PID: 3168 ... 25
        General ... 25
      Analysis Process: eventvwr.exe PID: 3284 Parent PID: 3168 ... 25
        General ... 25
        File Activities ... 26
      Analysis Process: mmc.exe PID: 3304 Parent PID: 3284 ... 26
        General ... 26
        File Activities ... 26
          File Created ... 26
          File Written ... 27
        Registry Activities ... 27
      Analysis Process: PING.EXE PID: 3384 Parent PID: 3168 ... 27
        General ... 27
        File Activities ... 28
    Disassembly ... 28
      Code Analysis ... 28

Copyright Joe Security LLC 2017

Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 34930
Start time: 21:46:35
Start date: 23.10.2017
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 26s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: sample1.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Run name: without instrumentation
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: MAL
Classification: mal92.evad.expl.troj.winDOC@13/10@0/1
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  Found application associated with file extension: .doc
  Found Word or Excel or PowerPoint document
  Simulate clicks
  Number of clicks 13
  Close Viewer
Warnings:
  Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  Report size getting too big, too many NtAllocateVirtualMemory calls found.
  Report size getting too big, too many NtCreateFile calls found.
  Report size getting too big, too many NtEnumerateValueKey calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtQueryAttributesFile calls found.
  Report size getting too big, too many NtQueryValueKey calls found.
  Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, mmc.exe

Detection

Strategy    Score   Range     Reporting         Detection
Threshold   92      0 - 100   Report FP / FN

Confidence

Strategy    Score   Range   Further Analysis Required?
Threshold   5       0 - 5   false

Classification

[Classification chart; categories: Ransomware, Evader, Spreading, Exploiter, Phishing, Spyware, Banker, Adware, Trojan / Bot; legend: malicious, suspicious, clean]

Analysis Advice

• Sample HTTP requests are all non-existing, likely the sample is no longer working
• Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Signature Overview

• AV Detection
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• Software Vulnerabilities
• Networking
• Persistence and Installation Behavior
• Data Obfuscation
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Language, Device and Operating System Detection

AV Detection:
• Antivirus detection for submitted file

Key, Mouse, Clipboard, Microphone and Screen Capturing:
• Creates a window with clipboard capturing capabilities

Software Vulnerabilities:
• Potential document exploit detected (performs HTTP gets)
• Potential document exploit detected (unknown TCP traffic)
• Document exploit detected (process start blacklist hit)

Networking:
• Downloads files
• Downloads files from webservers via HTTP
• Tries to download non-existing http data (HTTP/1.1 404 Not Found)
• Urls found in memory or binary data
• HTTP GET or POST without a user agent
• Uses ping.exe to check the status of other devices and networks

Persistence and Installation Behavior:
• Tries to download and execute files (via powershell)

Data Obfuscation:
• Powershell starts a process from the temp directory
• Suspicious powershell command line found

Spreading:
• Enumerates the file system

System Summary:
• Checks whether correct version of .NET is installed
• Executable creates window controls seldom found in malware
• Found graphical window changes (likely an installer)
• Uses Microsoft Silverlight
• Checks if Microsoft Office is installed
• Uses new MSVCR Dlls
• Binary contains paths to debug symbols
• Binary contains paths to development resources
• Classification label
• Creates files inside the user directory
• Creates temporary files
• Document contains an OLE Word Document stream indicating a Microsoft Word file
• Document contains summary information with irregular field values
• Found command line output
• Parts of this application are using the .NET runtime (Probably coded in C#)
• Reads ini files
• Reads software policies
• Sample is known by Antivirus (Virustotal or Metascan)
• Spawns processes
• Uses an in-process (OLE) Automation server
• Creates mutexes
• Document contains embedded VBA macros
• Enables security privileges
• Uses reg.exe to modify the Windows registry
• Document contains an embedded VBA macro which executes code when the document is opened / closed
• Document contains an embedded VBA macro which may execute processes
• Document contains an embedded VBA macro with suspicious strings

HIPS / PFW / Operating System Protection Evasion:
• Very long cmdline option found, this is very uncommon (may be encrypted or packed)
• Bypasses PowerShell execution policy

Anti Debugging:
• Creates guard pages, often used to prevent reverse engineering and debugging
• Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
• Enables debug privileges

Malware Analysis System Evasion:
• Queries a list of all running processes
• Contains long sleeps (>= 3 min)
• Enumerates the file system
• May sleep (evasive loops) to hinder dynamic analysis
• Uses ping.exe to sleep

Hooking and other Techniques for Hiding and Protection:
• Disables application error messages (SetErrorMode)
• Document contains OLE streams with high entropy indicating encrypted embedded content
• System process connects to network (likely due to code injection or exploit)

Language, Device and Operating System Detection:
• Queries the cryptographic machine GUID
• Queries the installation date