License to Kill: Malware Hunting with the Sysinternals Tools

0:02:00 About this Talk 0:02:46 Sysinternals Antivirus - Don't use it!!!! 0:03:25 Malware Cleaning Steps 0:07:20 What are you looking for? 0:08:53 What About Task Manager? 0:09:14 Process Explorer 0:09:59 sysinternals tools 0:10:45 Process Explorer - Process View 0:13:23 Process Explorer - Refresh Highlighting 0:14:21 Process Explorer - Tooltips 0:15:13 Process Explorer - New Features 0:15:43 Process Explorer - Detailed Process Information 0:17:14 Image Verification 0:19:07 Sigcheck and ListDlls 0:20:27 Process Explorer - Strings 0:21:17 Process Explorer - The DLL View 0:21:45 listdlls 0:22:05 Terminating Malicious Processes 0:23:44 Cleaning Autostarts 0:24:03 msconfig in Windows 8 0:24:31 Autoruns 0:27:09 Autroruns - Alternate Profiles and Offline Scanning 0:27:46 Autroruns - New Features 0:28:08 Autrorunsc 0:28:38 Deleting Autostarts 0:28:55 Tracing Malware Activity - Process Monitor 0:30:20 Process Monitor - Filtering 0:31:07 Process Monitor - category is write 0:31:43 Process Monitor - The Process Tree 0:32:19 Real World Analysis and Cleaning 0:32:35 Cleaning Winwebsec Scareware 0:41:13 The Case of the Fake Antivirus 0:42:55 scarewarez 0:42:55 Analyzing and Lockscreen.CT 0:44:45 lockscreen.ct 0:46:45 SAFE MODE with no Shell!!!! 0:48:01 The Case of the Runaway GPU 0:50:51 bitcoin miner malware - Vicenor 0:53:54 The Case of the Unexplained FTP Connections 1:04:58 Conclusion - Analyzing and Cleaning Flame 1:06:13 Stuxnet 1:09:47 Flame 1:13:50 Summary - The Future of Malware 1:15:20 Trojan Horse - A Novel

agvulpine nailed it and I quote because this would be a major tedium-avoider! : "Want to help us terminate malware processes? Allow us to select multiple processes in Process Explorer, and terminate all of them with one single Delete key press. Currently we have to manually terminate dozens of processes one-by-one, and often times they're multiple processes working in tandem."

I like your tools and love this talk. I have re-watched it a few times. I know the talk is very old. I still would like to point out that the study conducted by Google did not permit internet access for the AV scanners used in the test, which of course plummets the detection rate a lot, not only from the missing cloud features but also because lots of malware relies on Internet to show malicious behaviour. Extracting from that the general statement that AVs detect only 40% of malware is quite a stretch.

Want to help us terminate malware processes? Allow us to select multiple processes in Process Explorer, and terminate all of them with one single Delete key press. Currently we have to manually terminate dozens of processes one-by-one, and often times they're multiple processes working in tandem.

10:10 as a person with autism I can say this is one of the most satisfying things I have ever seen on YouTube. Definitely the kind of things I usually do but I have never seen anyone else do until now.

I'm a big fan of your work Mark. Now even more I saw you also like DaftPunk.

This was made when Windows 7 was a thing... It would be nice to have an update, with newer tools...

Mr Mark , Is there any book or site give more practical to use the tools.

Great great talk! loved it!

Can you make a webshell hunting tool forensic compromise seeking tool.

Thank you very much. Really helpfull upload.

Who's here from the TryHackMe Sysinternals room? Awesome conference by the way!

Woooooow! Just 2 minutes in and I already like the guy.. where have you been all my life😂

wow this guys good

Is not this exact recorded lecture about 5-7 years old now?

Oh my old friend bitcoin if i knew what I know now.

How to cloning Aplikasi in explorer..?? pleasee...

Great presentation

Yeah no I are the man aren't you...u just know it all ...well done brother...u carry on sitting there ending processes

What do you think about McAfee? I have LOTS of things to say about it, but nothing nice, since IT'S malware TOO~