Questions I’ve Been Asked

Sometimes I’ll get questions via different routes…webinars or podcasts, via social media, DM, or even email. Getting questions is good, because it keeps me aware that I’m in somewhat of a bubble, given the work I do and the environment in which I do it. Given the nature of “social” media (hint: it’s rarely “social”), it’s tough to draw a bead on where you are at any given moment, so questions can be invaluable.

Here’s an interesting question I got from Brian Carrier during a webinar he invited me to…

If you have the entire Registry and limited time, what do you do?

The Cyber Triage LinkedIn post has 9 pages, and as you can see from the first one, my answer to the above question is:

I cheat.

For me, it’s pretty simple. Beginning with the second slide from that LinkedIn post, I explain what I mean by “I cheat”. I have my parsing tools (which I’ve shared), and I enrich or “decorate” the output based on what I’ve seen on previous engagements, or gathered from write-ups and information shared online.

For example, this recent blog post references a write-up that describes how Valley RAT stores configuration information and plugins with a specific Registry path. Rather than parsing the entire Registry and looking through that massive amount of information, hoping that I’ll remember the Registry path mentioned, I write a plugin that searches for it specifically, and alerts me if it’s found. That way, not only do I not have to remember a ton of paths, keys and values, I now have a documented plugin with a publish (and update) date, links/URLs pointing to online references, etc. As many who use RegRipper are aware, I’ve included Analysis Notes in plugins, describing what to look for, and how the output of the plugin can be used.
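To make the “documented plugin” idea concrete, here is an added example of what such a RegRipper-style plugin looks like. It is not code from the original post or from the RegRipper project; it follows the plugin structure RegRipper uses (a `%config` hash, `getConfig`/`getShortDescr`/`getHive` accessors, and a `pluginmain` that receives a hive file path), built on the `Parse::Win32Registry` module that RegRipper relies on. The plugin name `example_config_path`, the version date, and the key path are assumptions; the post does not give the actual Valley RAT Registry path, so the path below is an obvious placeholder to be replaced with the one from the referenced write-up.

```perl
#-----------------------------------------------------------
# example_config_path.pl
# Added example of a "decorated" RegRipper-style plugin: checks one
# specific Registry path documented in a public write-up, reports the
# key's LastWrite time and values if present, and carries its own
# references and Analysis Tip so the analyst doesn't have to remember them.
#
# Change history:
#   20240101 - created (assumed date for this example)
#
# References:
#   PLACEHOLDER_URL_TO_WRITEUP  (replace with the write-up's actual URL)
#-----------------------------------------------------------
package example_config_path;
use strict;
use Parse::Win32Registry qw(:REG_);

my %config = (hive          => "Software",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 1,
              osmask        => 22,
              category      => "malware",
              output        => "report",
              version       => 20240101);

sub getConfig     { return %config; }
sub getShortDescr { return "Checks for a malware-specific configuration key (placeholder path)"; }
sub getDescr      { }
sub getRefs       { return ("PLACEHOLDER_URL_TO_WRITEUP"); }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# The path below is a placeholder; the post does not give the real one.
# Paths are relative to the hive root (no "HKLM\Software\" prefix).
my $key_path = "PLACEHOLDER_Vendor\\PLACEHOLDER_Config";

sub pluginmain {
  my $class = shift;
  my $hive  = shift;                       # path to the Software hive file
  ::logMsg("Launching example_config_path v.".$VERSION);
  ::rptMsg("example_config_path v.".$VERSION);
  ::rptMsg("(".getHive().") ".getShortDescr()."\n");

  my $reg      = Parse::Win32Registry->new($hive);
  my $root_key = $reg->get_root_key;

  my $key;
  if ($key = $root_key->get_subkey($key_path)) {
    # Key exists: that alone is the alert, so say so loudly and report detail.
    ::rptMsg("*** ALERT: ".$key_path." found ***");
    ::rptMsg("LastWrite Time ".scalar(gmtime($key->get_timestamp()))." (UTC)");

    my @vals = $key->get_list_of_values();
    if (scalar(@vals) > 0) {
      foreach my $v (@vals) {
        # get_data_as_string renders REG_SZ, REG_DWORD, REG_BINARY, etc. readably
        ::rptMsg(sprintf "  %-20s %s", $v->get_name(), $v->get_data_as_string());
      }
    }
    else {
      ::rptMsg("  (key has no values)");
    }

    # Subkeys are where plugin/component data is often kept; list them too.
    my @subkeys = $key->get_list_of_subkeys();
    foreach my $sk (@subkeys) {
      ::rptMsg("  Subkey: ".$sk->get_name()." LastWrite "
               .scalar(gmtime($sk->get_timestamp()))." (UTC)");
    }
    ::rptMsg("");
    ::rptMsg("Analysis Tip: This key is not created by a default Windows install.");
    ::rptMsg("If found, treat the LastWrite time as an anchor for the timeline and");
    ::rptMsg("pivot to file system, Prefetch and event log artifacts around it.");
  }
  else {
    ::rptMsg($key_path." not found.");
  }
}
1;
```

Dropped into the RegRipper plugins directory, it is run like any other plugin (`rip.pl -r Software -p example_config_path`); `::rptMsg` and `::logMsg` are supplied by the RegRipper harness, which is why the plugin has no `main` of its own.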

In addition, almost 2 1/2 yrs ago, I got Yara running via RegRipper, as well, significantly expanding the capabilities of both tool sets. So, in a way, I’m “cheating” by leveraging a unique capability.

This article has been indexed from Windows Incident Response
