Monday, 2 November 2015

Malware Analysis Script - Based on "Know your processes or die trying"

I am trying to build a script that automates the checks from the excellent "Know your processes or die trying" work on the sysforensics.org blog, together with the expected parent/child and session relationships from the "know good find evil" SANS poster.

The script is run against a remote machine on which the account running it has local admin rights; it uses WMI (wmic.exe over DCOM/RPC, so the target must be reachable on those ports). Save it as a .bat file and pass the target computer name as the first argument. The checks compare against the defaults of a stock Windows install (system drive C:, images under System32), so hits are leads to investigate, not verdicts.

@echo off
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 COMPUTERNAME
    exit /b 1
)
set TARGET=%~1

echo ********SUSPICIOUS SMSS*******
:: The master smss.exe is started by System (PID 4). It spawns a short-lived child
:: smss.exe per session, so a hit whose parent is another smss.exe may just be that
:: transient child - re-run to confirm before treating it as evil.
wmic /node:%TARGET% process where 'name="smss.exe" and parentprocessid!="4"' get executablepath,processid,parentprocessid 2>nul

echo ********SUSPICIOUS WININIT*******
:: wininit.exe runs only in session 0 - there should be no hits.
wmic /node:%TARGET% process where 'name="wininit.exe" and sessionid!="0"' get executablepath,processid,parentprocessid 2>nul

echo ********SUSPICIOUS SERVICES.EXE*******
:: services.exe runs only in session 0, and there is exactly one instance.
wmic /node:%TARGET% process where 'name="services.exe" and sessionid!="0"' get executablepath,processid,parentprocessid 2>nul
echo ********ALL SERVICES.EXE INSTANCES (expect exactly one)*******
wmic /node:%TARGET% process where 'name="services.exe"' get executablepath,processid,parentprocessid 2>nul

echo ********SUSPICIOUS SVCHOST.EXE*******
:: List svchost.exe images outside the System32 directory. On 64-bit Windows the
:: SysWOW64 copy is legitimate (32-bit services), so review those hits rather than
:: treating them as malicious.
wmic /node:%TARGET% process where 'name="svchost.exe"' get executablepath,processid,parentprocessid 2>nul | findstr /i /v /c:"\System32\svchost.exe"

echo ********svchost.exe whose parent is not services.exe*******
:: Take the PID of services.exe from tasklist (if there are several, the last one
:: wins - the listing above already shows that case), then report svchost.exe
:: instances with any other parent. Stop if no numeric PID came back; otherwise
:: the WQL filter is malformed and wmic just prints nothing.
set PPID=
for /F "tokens=2" %%i in ('tasklist /S %TARGET% /NH /FI "imagename eq services.exe"') do set PPID=%%i
echo %PPID%| findstr /r "^[0-9][0-9]*$" >nul || (
    echo Could not determine the PID of services.exe on %TARGET%
    exit /b 1
)
wmic /node:%TARGET% process where "ExecutablePath like '%%svchost%%' and parentprocessid!=%PPID%" get executablepath,processid,parentprocessid 2>nul
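
The same checks as a PowerShell rule set, added here as an example and not part of the original script or of the sysforensics.org / SANS material: it reads Win32_Process through CIM (so it also works where wmic.exe has since been deprecated), resolves each parent by PID instead of hard-coding one, and expresses the whole chain in one pass. It generalises the post slightly: lsass.exe is checked the same way as services.exe (both are children of wininit.exe on the SANS poster), a SysWOW64 svchost.exe is accepted as legitimate, and the svchost session check is deliberately omitted because per-user services run svchost in the user's session on current Windows. The function names Get-CoreProcessFindings and Get-LiveCoreProcessFindings are mine, and the process snapshot at the bottom is constructed, not captured from a real host.

```powershell
# Added example: "know good, find evil" parent/session/path rules over Win32_Process.
# Assumes local admin on the target and CIM (WinRM) reachable for the live run.

function Get-CoreProcessFindings {
    param(
        # Objects carrying Name, ProcessId, ParentProcessId, SessionId, ExecutablePath
        [Parameter(Mandatory)] [object[]] $Process,
        [string] $SystemRoot = 'C:\Windows'
    )
    $system32 = Join-Path $SystemRoot 'System32'
    $sysWow64 = Join-Path $SystemRoot 'SysWOW64'
    $byPid = @{}
    foreach ($p in $Process) { $byPid[[int]$p.ProcessId] = $p }

    $findings = New-Object System.Collections.Generic.List[object]
    $report = {
        param($proc, $why)
        $findings.Add([pscustomobject]@{
            Name = $proc.Name; ProcessId = $proc.ProcessId
            ParentProcessId = $proc.ParentProcessId; SessionId = $proc.SessionId
            ExecutablePath = $proc.ExecutablePath; Reason = $why })
    }

    $core = 'smss.exe', 'wininit.exe', 'services.exe', 'lsass.exe', 'svchost.exe'
    foreach ($p in $Process) {
        $name = $p.Name.ToLower()
        if ($core -notcontains $name) { continue }
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name.ToLower() } else { '<exited>' }

        # Image path: System32 for all of them; svchost.exe is also legitimately
        # run from SysWOW64 for 32-bit services on 64-bit Windows.
        $okPaths = @((Join-Path $system32 $name))
        if ($name -eq 'svchost.exe') { $okPaths += Join-Path $sysWow64 $name }
        if (-not $p.ExecutablePath) {
            & $report $p 'ExecutablePath not readable (run elevated)'
        } elseif ($okPaths -notcontains $p.ExecutablePath) {
            & $report $p "image path $($p.ExecutablePath) is outside System32"
        }

        # Session: the boot-time chain lives in session 0. svchost is excluded
        # because per-user services run svchost in the user's session.
        if ($name -ne 'svchost.exe' -and [int]$p.SessionId -ne 0) {
            & $report $p "running in session $($p.SessionId), expected 0"
        }

        # Parent linkage. wininit.exe is started by a short-lived smss.exe that has
        # exited, so a live, non-smss parent there is the anomaly (or PID reuse).
        switch ($name) {
            'smss.exe'     { if ([int]$p.ParentProcessId -ne 4 -and $parentName -ne 'smss.exe') {
                                 & $report $p "parent is $parentName, expected System (PID 4)" } }
            'wininit.exe'  { if ($parent -and $parentName -ne 'smss.exe') {
                                 & $report $p "parent $parentName is alive, expected an exited smss.exe" } }
            'services.exe' { if ($parentName -ne 'wininit.exe') { & $report $p "parent is $parentName, expected wininit.exe" } }
            'lsass.exe'    { if ($parentName -ne 'wininit.exe') { & $report $p "parent is $parentName, expected wininit.exe" } }
            'svchost.exe'  { if ($parentName -ne 'services.exe') { & $report $p "parent is $parentName, expected services.exe" } }
        }
    }

    # Instance counts: exactly one wininit, services and lsass. smss is left out
    # because its per-session child may still be alive at snapshot time.
    foreach ($single in 'wininit.exe', 'services.exe', 'lsass.exe') {
        $copies = @($Process | Where-Object { $_.Name -ieq $single })
        if ($copies.Count -gt 1) {
            foreach ($c in $copies) { & $report $c "$($copies.Count) copies of $single, expected 1" }
        }
    }
    return $findings
}

function Get-LiveCoreProcessFindings {
    # Empty ComputerName means local, which avoids requiring WinRM on the local host.
    param([string] $ComputerName = '')
    $target = @{}
    if ($ComputerName) { $target.ComputerName = $ComputerName }
    $procs = Get-CimInstance -ClassName Win32_Process @target |
        Select-Object Name, ProcessId, ParentProcessId, SessionId, ExecutablePath
    $root = (Get-CimInstance -ClassName Win32_OperatingSystem @target).WindowsDirectory
    Get-CoreProcessFindings -Process $procs -SystemRoot $root
}

# Constructed snapshot (not real telemetry): a clean boot chain plus one planted
# svchost.exe launched by explorer.exe from a user-writable directory.
$sample = @(
    [pscustomobject]@{ Name='System';       ProcessId=4;    ParentProcessId=0;    SessionId=0; ExecutablePath=$null }
    [pscustomobject]@{ Name='smss.exe';     ProcessId=300;  ParentProcessId=4;    SessionId=0; ExecutablePath='C:\Windows\System32\smss.exe' }
    [pscustomobject]@{ Name='wininit.exe';  ProcessId=420;  ParentProcessId=388;  SessionId=0; ExecutablePath='C:\Windows\System32\wininit.exe' }
    [pscustomobject]@{ Name='services.exe'; ProcessId=512;  ParentProcessId=420;  SessionId=0; ExecutablePath='C:\Windows\System32\services.exe' }
    [pscustomobject]@{ Name='lsass.exe';    ProcessId=520;  ParentProcessId=420;  SessionId=0; ExecutablePath='C:\Windows\System32\lsass.exe' }
    [pscustomobject]@{ Name='svchost.exe';  ProcessId=700;  ParentProcessId=512;  SessionId=0; ExecutablePath='C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ Name='svchost.exe';  ProcessId=704;  ParentProcessId=512;  SessionId=0; ExecutablePath='C:\Windows\SysWOW64\svchost.exe' }
    [pscustomobject]@{ Name='explorer.exe'; ProcessId=2200; ParentProcessId=0;    SessionId=1; ExecutablePath='C:\Windows\explorer.exe' }
    [pscustomobject]@{ Name='svchost.exe';  ProcessId=3100; ParentProcessId=2200; SessionId=1; ExecutablePath='C:\Users\Public\svchost.exe' }
)
Get-CoreProcessFindings -Process $sample | Format-Table ProcessId, Name, Reason -AutoSize
```

Run against the constructed snapshot this reports only PID 3100, twice: once for the image path outside System32 and once because its parent is explorer.exe rather than services.exe; the SysWOW64 svchost.exe and wininit.exe's already-exited parent produce no noise. Against a live host, `Get-LiveCoreProcessFindings -ComputerName <host>` does the collection over CIM; the PID-reuse caveat on the wininit rule still applies, so check the parent's start time before acting on that one.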


I will update this as I find time to test and build upon this.

Security Awareness

I think security awareness programs can be made effective if the following options are included and the security team has the bandwidth (time and money) to execute them:

Visual Awareness

The simplest, and still very effective, option is to cover a single security topic each month via newsletters, posters and short articles of no more than 3-4 lines. An example would be a "Did you know?" paragraph in departmental newsletters or reports.


Interactive Awareness Sessions

To make the awareness sessions interactive and engage employees, the Security Team can use the following two approaches:
Team Meeting Presentation: Attend team meetings (1-2 per year for each team) for roughly 8-10 minutes to present a security topic and hold an interactive session to raise awareness. This can be tailored to the topics each team is interested in.
Phishing Campaigns: Run phishing campaigns across different teams to measure the effectiveness of the training imparted.


Computer Based Targeted Training

SANS has excellent CBTs for targeted training of different user groups. The following descriptions are from the SANS website and each targets a different user group:

Engineers - SANS "STH.Engineer" focuses on security behaviours for individuals who interact with, operate, or support Industrial Control Systems. This computer-based training solution provides an introduction to ICS, details types of ICS attacks, covers basic system and network defence approaches, and reviews ICS governance and policy best practices.

Developers - SANS "STH.Developer" educates everyone involved in the software development process, including developers, architects, managers, testers, business owners and partners. This reduces the chance that the organisation will become a victim of today's data security threats and ensures the team can build defensible applications from the start.

All IT staff - SANS "End.User" training covers different aspects of security using the SANS 20 Critical Controls. Awareness of these controls will help all teams, and especially the infrastructure teams, make security-conscious decisions.

But the most effective approach is to engage the teams in their day-to-day processes and while resolving pentest or audit findings. Instead of just asking them to fix the issues highlighted, working with the teams, explaining the impact of each issue and showing them how to verify that it is fixed will raise more awareness and also build ties between the security team and the other IT teams.