
Antivirus Event Analysis - Cheat Sheet (Version 1.1, 26.04.2017)

Each attribute of an antivirus event is rated by how strongly it points to a real compromise rather than to routine noise:

| Attribute | Less Relevant | Relevant | Highly Relevant |
|---|---|---|---|
| Virus Type | JS, HTML, Iframe, Keygen, Joke, Adware, Clickjacking | Trojan, Backdoor, Agent, Malware | HackTool (HTool), HKTL, PWCrack, Scan, SecurityTool, Clearlogs, PHP/BackDoor, ASP/BackDoor, JSP/BackDoor, Webshell, NetTool |
| Location | Temporary Internet Files; Removable Drive (E:, F:, ...); User Temp (e.g. %UserProfile%\AppData\Local\Temp) | AppData; $Recycle.bin; C:\Temp; C:\Windows\Temp; \\Client\[A-Z]$ (client drive mounted into a remote session) | %SystemRoot% (e.g. C:\Windows) and subfolders; C:\ (non-recursive); C:\PerfLogs; other directories writable only by the Administrators group |
| User Context | Standard User | Service Account | Administrator |
| System | File Server; Email Server | Workstation; Other Server Type | Domain Controller; Print Server; DMZ Server; Jump Server |
| Form | Common Archive (ZIP) | Uncommon Archive (RAR, 7z, encrypted archive) | Not Archived / Extracted |
| Time | Regular Work Hours | Outside Regular Work Hours | |
| VirusTotal Check (requires hash / sample) | "Probably harmless" note; "Microsoft software catalogue" note | Comments > Negative user comments; Additional Information > Tags > CVE-*; FileVersionInfo properties > empty or non-existent; Additional Information > File names: *.virus; Additional Information > File names: hash value as file name; Packers identified > Uncommon packers like PECompact, VMProtect, Telock, Petite, WinUnpack, ASProtect | File Detail > Revoked certificate; Additional Information > Many different file names; Packers identified > Rare packers like Themida, Enigma, ApLib, Tasm, ExeCryptor |
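The table is meant to be applied row by row to every AV alert. The script below is an added example written for this page, not part of the cheat sheet or its author's tooling: it rates constructed AV events and a constructed VirusTotal report against each row and sums the result. The weights 0/1/3 for the three classes, the Monday-to-Friday 08:00-18:00 work-hour window, the assumption that drive letters E: and above are removable, the threshold of ten names for "many different file names", the account sets, the sample events and the flat `report` dictionary (which is not the shape the VirusTotal API returns) are all assumptions of the example.

```python
import re
from datetime import datetime

# Weights for the sheet's three classes. The numbers are an assumption of this
# example; the sheet only names the classes.
LESS, RELEVANT, HIGH = 0, 1, 3

# "Virus Type" row: keywords looked up in the AV signature name.
TYPE_RULES = [
    (HIGH, r"hacktool|htool|hktl|pwcrack|securitytool|clearlogs|"
           r"(?:php|asp|jsp)/backdoor|webshell|nettool|scan"),
    (RELEVANT, r"trojan|backdoor|agent|malware"),
    (LESS, r"\bjs\b|html|iframe|keygen|joke|adware|clickjacking"),
]

# "Location" row. Order matters: C:\Windows\Temp and the user temp folder must
# be tried before the broader %SystemRoot% and AppData patterns.
PATH_RULES = [
    (LESS, r"\\temporary internet files\\|\\appdata\\local\\temp\\"),
    (RELEVANT, r"^c:\\windows\\temp\\|^c:\\temp\\|\\\$recycle\.bin\\|"
               r"\\appdata\\|^\\\\client\\[a-z]\$\\"),
    (HIGH, r"^c:\\windows\\|^c:\\perflogs\\|^c:\\[^\\]+$"),
    (LESS, r"^[e-z]:\\"),  # assumption: E: and higher are removable drives
]

# "System" row, keyed by the host role recorded with the event.
SYSTEM_ROLES = {
    "file server": LESS, "email server": LESS,
    "workstation": RELEVANT, "other server": RELEVANT,
    "domain controller": HIGH, "print server": HIGH,
    "dmz server": HIGH, "jump server": HIGH,
}

# "Form" row: a hit inside an archive is reported with the archive name in the
# path; no archive extension means the file was extracted onto disk.
FORM_RULES = [(LESS, r"\.zip(?=$|[\\>])"), (RELEVANT, r"\.(?:rar|7z)(?=$|[\\>])")]

# "VirusTotal Check" row: packer families and simple yes/no report notes.
RARE_PACKERS = {"themida", "enigma", "aplib", "tasm", "execryptor"}
UNCOMMON_PACKERS = {"pecompact", "vmprotect", "telock", "petite", "winunpack", "asprotect"}
VT_FLAGS = [("probably_harmless", LESS, "probably harmless note"),
            ("microsoft_catalogue", LESS, "Microsoft software catalogue note"),
            ("certificate_revoked", HIGH, "revoked certificate")]

def first_match(rules, text, default):
    """Weight of the first regex in `rules` that matches `text` (case-insensitive)."""
    for weight, pattern in rules:
        if re.search(pattern, text, re.IGNORECASE):
            return weight
    return default

def score_user(user, admins, service_accounts):
    """'User Context' row; `admins` and `service_accounts` are sets of account names."""
    if user in admins:
        return HIGH
    return RELEVANT if user in service_accounts else LESS

def score_time(ts):
    """'Time' row: Mon-Fri 08:00-18:00 is taken as regular work hours (assumed)."""
    return LESS if ts.weekday() < 5 and 8 <= ts.hour < 18 else RELEVANT

def score_event(ev, admins, service_accounts):
    """Rate one AV event dict on every row of the sheet; returns (parts, total)."""
    parts = {
        "type": first_match(TYPE_RULES, ev["signature"], RELEVANT),
        "location": first_match(PATH_RULES, ev["path"], RELEVANT),
        "user": score_user(ev["user"], admins, service_accounts),
        "system": SYSTEM_ROLES.get(ev["role"].lower(), RELEVANT),
        "form": first_match(FORM_RULES, ev["path"], HIGH),  # default: not archived
        "time": score_time(ev["time"]),
    }
    return parts, sum(parts.values())

def vt_findings(report):
    """Apply the 'VirusTotal Check' row to a report. `report` is a flat dict
    defined for this example, not the structure the VirusTotal API returns."""
    found = [(w, msg) for key, w, msg in VT_FLAGS if report.get(key)]
    if report.get("negative_comments", 0) > 0:
        found.append((RELEVANT, "negative user comments"))
    if any(t.upper().startswith("CVE-") for t in report.get("tags", [])):
        found.append((RELEVANT, "CVE tag"))
    if not report.get("file_version_info"):
        found.append((RELEVANT, "empty FileVersionInfo"))
    names = report.get("file_names", [])
    if any(n.lower().endswith(".virus") for n in names):
        found.append((RELEVANT, "*.virus file name"))
    if any(re.fullmatch(r"(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})", n.rsplit(".", 1)[0], re.I)
           for n in names):
        found.append((RELEVANT, "hash as file name"))
    if len(set(names)) >= 10:  # threshold for "many" is assumed
        found.append((HIGH, "many different file names"))
    packers = {p.lower() for p in report.get("packers", [])}
    if packers & RARE_PACKERS:
        found.append((HIGH, "rare packer"))
    elif packers & UNCOMMON_PACKERS:
        found.append((RELEVANT, "uncommon packer"))
    return found

# Constructed sample data, not real telemetry.
ADMINS, SERVICE_ACCOUNTS = {"CORP\\da-mueller"}, {"CORP\\svc-sql"}
SAMPLE_EVENTS = [
    {"signature": "HackTool.Win32.Mimikatz", "path": r"C:\Windows\System32\mimi.exe",
     "user": "CORP\\da-mueller", "role": "Domain Controller",
     "time": datetime(2017, 4, 22, 2, 15)},  # Saturday, 02:15 -> scores 16
    {"signature": "JS/Adware.Generic", "user": "CORP\\bob", "role": "Workstation",
     "path": r"C:\Users\bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\ad.js",
     "time": datetime(2017, 4, 24, 10, 30)},  # Monday, 10:30 -> scores 4
]
SAMPLE_REPORT = {"tags": ["peexe", "cve-2017-0199"], "packers": ["Themida"],
                 "file_names": ["update.exe", "d41d8cd98f00b204e9800998ecf8427e.exe"],
                 "file_version_info": {"CompanyName": "Example"}, "certificate_revoked": True}
```

The per-attribute parts matter more than the sum: a hacktool detected under %SystemRoot% on a domain controller is worth a look whatever the remaining rows say, and the default of "not archived" for any path without an archive extension means even a harmless-looking extracted file starts at a non-zero score, which is exactly the sheet's point about the Form row.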
