Mastering Threat Hunting with Windows Sysinternals - Effective Tools for Malware Analysis


Threat hunting can draw on many tools, and one of them is Windows Sysinternals, which is easy to use and can even submit findings to VirusTotal over the internet. Ease of use does not remove the need for careful analysis, though: a central part of hunting with these tools is deciding whether a finding is a false positive or a real malware infection.

If you want to check whether your computer or laptop is infected with malware, you can try the Windows Sysinternals tools. The Sysinternals Suite bundles 70 tools in a single download, so one file gives you everything you need, but here I focus on three tools that are used most often:

Process Explorer

Process Explorer colour-codes each process according to its type, which helps when analysing what is running.

Source: https://nasbench.medium.com/hunting-malware-with-windows-sysinternals-process-explorer-2baec974bec9

In the legend above, focus on "Services" and "Packed Images" when looking for anomalies: a running process that shows no description and no company name for the application it belongs to should be treated as suspicious.

Autoruns

With Autoruns we can check which applications are configured to start automatically. Some viruses and malware register an autorun entry to persist, so these autostart entries also need to be checked.



Autoruns also has a menu option to check each entry against VirusTotal, and its main advantage is that it collects in one place every application that can run on its own without user interaction.
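As an added example (not code from the original post), the following Python script applies the triage rule from the Process Explorer and Autoruns sections above to an Autoruns CSV export: entries with no description, no company name, an unverified signer, or an image in a user-writable directory get a flag, and a threshold of two flags keeps single-attribute false positives out of the list. The column layout of `autorunsc.exe -c` output and the "(Verified)"/"(Not verified)" signer prefixes are assumptions, and the sample rows are constructed.

```python
"""Triage an Autoruns CSV export for autostart entries with missing publisher data.

Added example, not code from the original post. Assumptions: the column layout
produced by `autorunsc.exe -c` (Time, Entry Location, Entry, Enabled, Category,
Profile, Description, Signer, Company, Image Path, Version, Launch String) and
Signer values prefixed "(Verified)" or "(Not verified)". Real exports are
typically UTF-16; use open(path, encoding="utf-16") when reading from disk.
"""
import csv
import io
from typing import Dict, List

# Constructed sample export (not real data). The last two rows mimic the kind
# of entry the post says to suspect: no description and no company name.
SAMPLE_AUTORUNS_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
"1/2/2024 9:00 AM","HKLM\System\CurrentControlSet\Services","Dhcp","enabled","Services","System-wide","DHCP Client","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\dhcpcore.dll","10.0.19041.1","svchost.exe -k LocalServiceNetworkRestricted -p"
"1/2/2024 9:00 AM","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","OneDrive","enabled","Logon","DESKTOP\user","Microsoft OneDrive","(Verified) Microsoft Corporation","Microsoft Corporation","c:\users\user\appdata\local\microsoft\onedrive\onedrive.exe","23.1.0.1","OneDrive.exe /background"
"1/2/2024 9:00 AM","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","updater","enabled","Logon","DESKTOP\user","","(Not verified)","","c:\users\user\appdata\roaming\updater.exe","","updater.exe"
"1/2/2024 9:00 AM","HKLM\System\CurrentControlSet\Services","svchelper","enabled","Services","System-wide","","(Not verified)","","c:\programdata\svchelper.exe","","svchelper.exe"
"""

# Directories any user can write to. Legitimate autostarts live here too
# (OneDrive is one), so this is a flag, not a verdict.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def triage_entry(row: Dict[str, str]) -> List[str]:
    """Return the red flags for one autostart entry (empty list means nothing noted)."""
    reasons = []
    if not row.get("Description", "").strip():
        reasons.append("no description")
    if not row.get("Company", "").strip():
        reasons.append("no company name")
    if not row.get("Signer", "").startswith("(Verified)"):
        reasons.append("signature not verified")
    image = row.get("Image Path", "").lower()
    if any(marker in image for marker in USER_WRITABLE_MARKERS):
        reasons.append("image in a user-writable directory")
    return reasons


def triage_autoruns_csv(text: str, min_reasons: int = 2) -> List[Dict[str, object]]:
    """Parse an Autoruns CSV export and return entries with at least `min_reasons` flags.

    Requiring two independent flags keeps one-off gaps (a legitimate tool that simply
    ships without a description string) from swamping the list with false positives.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = triage_entry(row)
        if len(reasons) >= min_reasons:
            findings.append({
                "entry": row["Entry"],
                "location": row["Entry Location"],
                "image": row["Image Path"],
                "reasons": reasons,
            })
    # Most flags first; the sort is stable, so csv order breaks ties deterministically.
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


if __name__ == "__main__":
    for finding in triage_autoruns_csv(SAMPLE_AUTORUNS_CSV):
        print(f"{finding['entry']:<12} {finding['image']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Each flagged entry is still a lead to verify by hand (or against VirusTotal from inside Autoruns), not a conviction: with the sample data the OneDrive entry carries one flag for running from AppData but is kept off the list by the two-flag threshold, while the two unsigned, undescribed entries are reported.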

Process Monitor



Process Monitor is not very different from Process Explorer, but it has additional advantages, such as showing the lifetime of the applications running on our device in its process tree, so if malware is infecting our device we can see how long it has been running.
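As an added example (not code from the original post), this Python script reconstructs the lifetime view described above from a Process Monitor CSV export: it pairs each "Process Start" event with the matching "Process Exit" for the same PID, measures how long each process ran (or has been running, for processes with no exit in the capture), and renders the parent/child relationships as an indented tree. The default Procmon export columns, the operation names and the "Parent PID: n" token in the Detail column are assumptions; the sample events are constructed.

```python
"""Compute process lifetimes and a process tree from a Process Monitor CSV export.

Added example, not code from the original post. Assumptions: Procmon's default
exported columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail),
the "Process Start" / "Process Exit" operation names, and a "Parent PID: n" token
in the Detail column of Process Start events. The capture is assumed not to cross
midnight, since the Time of Day column carries no date. Sample rows are constructed.
"""
import csv
import io
import re
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_PROCMON_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
"9:00:01.0000000 AM","explorer.exe","1234","Process Start","","SUCCESS","Parent PID: 1000"
"9:00:02.5000000 AM","updater.exe","4321","Process Start","","SUCCESS","Parent PID: 1234, Command line: C:\Users\user\AppData\Roaming\updater.exe"
"9:00:02.6000000 AM","updater.exe","4321","CreateFile","C:\Users\user\AppData\Roaming\cfg.dat","SUCCESS","Desired Access: Generic Read"
"9:00:03.0000000 AM","notepad.exe","5555","Process Start","","SUCCESS","Parent PID: 1234"
"9:00:08.0000000 AM","notepad.exe","5555","Process Exit","","SUCCESS","Exit Status: 0"
"9:01:02.5000000 AM","updater.exe","4321","Process Exit","","SUCCESS","Exit Status: 0"
"""


def parse_time_of_day(value: str) -> datetime:
    """Parse Procmon's 'h:mm:ss.fffffff AM' timestamp.

    Procmon writes seven fractional digits but strptime's %f accepts at most six,
    so the fraction is truncated. The date part is a placeholder (1900-01-01).
    """
    clock, meridiem = value.rsplit(" ", 1)
    hms, _, frac = clock.partition(".")
    return datetime.strptime(f"{hms}.{frac[:6] or '0'} {meridiem}", "%I:%M:%S.%f %p")


def parse_parent_pid(detail: str) -> Optional[int]:
    """Pull the parent PID out of a Process Start event's Detail column."""
    match = re.search(r"Parent PID:\s*(\d+)", detail)
    return int(match.group(1)) if match else None


def process_lifetimes(text: str) -> Dict[int, Dict[str, object]]:
    """Pair each Process Start with its Process Exit and compute how long it ran.

    A process with no exit event in the capture is reported as still running and
    its lifetime is measured up to the last event seen.
    """
    procs: Dict[int, Dict[str, object]] = {}
    last_seen: Optional[datetime] = None
    for row in csv.DictReader(io.StringIO(text)):
        when = parse_time_of_day(row["Time of Day"])
        last_seen = when if last_seen is None else max(last_seen, when)
        pid = int(row["PID"])
        if row["Operation"] == "Process Start":
            procs[pid] = {
                "name": row["Process Name"],
                "start": when,
                "end": None,
                "parent": parse_parent_pid(row["Detail"]),
            }
        elif row["Operation"] == "Process Exit" and pid in procs:
            procs[pid]["end"] = when
    for info in procs.values():
        info["still_running"] = info["end"] is None
        info["lifetime"] = (info["end"] or last_seen) - info["start"]
    return procs


def format_tree(procs: Dict[int, Dict[str, object]]) -> List[str]:
    """Render the captured processes as an indented tree, like Procmon's Process Tree."""
    children: Dict[Optional[int], List[int]] = {}
    for pid, info in procs.items():
        # A parent that never appears in the capture makes this process a root.
        parent = info["parent"] if info["parent"] in procs else None
        children.setdefault(parent, []).append(pid)

    lines: List[str] = []

    def walk(parent: Optional[int], depth: int) -> None:
        for pid in sorted(children.get(parent, []), key=lambda p: procs[p]["start"]):
            info = procs[pid]
            state = "still running" if info["still_running"] else "exited"
            lines.append(f"{'    ' * depth}{info['name']} (PID {pid}) {state}, "
                         f"lifetime {info['lifetime'].total_seconds():.1f}s")
            walk(pid, depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(format_tree(process_lifetimes(SAMPLE_PROCMON_CSV))))
```

Reading the output the way the post suggests: a process with a long lifetime and a parent you would not expect (here the constructed updater.exe spawned from explorer.exe out of a user profile directory) is the kind of entry to pivot on in the other two tools.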
