"Global Cybersecurity Camp 2018" Application Form

Name:
Name (furigana):
Sex: □Male □Female (change the applicable □ to ■)
Date of birth: (Gregorian calendar)     year   month   day    Age:    
School:
Faculty / department and year:
Postal code: 〒   -
Address:
Phone number (a number you can be reached at during the day):
E-mail address (required):

How did you find out that Global Cybersecurity Camp 2018 was being held? (change the applicable □ to ■)
□Official website  □Flyer  □twitter  □Facebook  □Referral from a teacher  □Referral from a friend
□Cybozu Live (Security Camp alumni only)  □Other (          )

If you attended Security Camp (Security & Programming Camp), give the year you attended and, unless it was 2015-2018, the class you attended.
Year attended:
Class attended (not needed for 2015-2018 attendees):

◎Questions
※Write your answers in the【Answer/回答】field that follows the questions.
========================================================================
0. Pre-Conditions

- Set up a Windows 10 VM.
- If you don't have a Windows license, Microsoft offers an evaluation edition of Windows:
  https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
- Use VirtualBox or VMware Workstation Pro/Fusion for virtualization. If you don't have a VMware license, VMware offers evaluation editions:
  https://www.vmware.com/jp/products/workstation-pro/workstation-pro-evaluation.html
  https://www.vmware.com/jp/products/fusion/fusion-evaluation.html
  https://www.virtualbox.org/wiki/Downloads
- Download the pseudo-malware from the page that is only for Security Campers (Security Camp alumni) and extract it inside the VM. See "Global Cybersecurity Camp 2018" in the CybozuLive group for Security Campers.
- IMPORTANT!!! Don't submit the samples to external services such as VirusTotal or Hybrid Analysis.
- It is not real malware.
- The password of the zip file is "infected".

1. Questions

1.1. Basics

Answer the following questions in English.

Q1-1. The Windows registry has the root keys HKCU and HKLM. What is HKCU? What is HKLM? What is the difference between the two?

Q1-2. The three WMI system classes below are important:
- __FilterToConsumerBinding
- __EventFilter
- __EventConsumer
What is the purpose of each of these classes?

Q1-3. Using python-cim, enumerate the names of the "__EventConsumer" instances that are registered by default in the Windows 10 VM.
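As an added illustration of how the three classes in Q1-2 fit together (example code written for this page; it is not part of the assignment and does not use python-cim), the script below takes __EventFilter, consumer and __FilterToConsumerBinding instances as plain dictionaries, resolves each binding's reference paths to the filter and consumer it joins, and flags consumers that execute a command or script. The key names are the real WMI property names, but SAMPLE_RECORDS is constructed by hand, and filling such records from dump_class_instance.py output or from Get-CimInstance is left to the reader.

```python
"""Correlate WMI permanent event subscriptions in root\\subscription.

Added example, not part of the assignment and not python-cim code.
An __EventFilter holds the WQL trigger, an __EventConsumer subclass
(CommandLineEventConsumer, ActiveScriptEventConsumer,
NTEventLogEventConsumer, ...) holds the action, and a
__FilterToConsumerBinding links one filter to one consumer by
reference path. SAMPLE_RECORDS below is constructed by hand.
"""
import re

# Consumer classes that run attacker-supplied commands or scripts.
EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Reference paths stored in __FilterToConsumerBinding.Filter / .Consumer,
# e.g. __EventFilter.Name="SCM Event Log Filter"
_REF_RE = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]*)"$')


def parse_ref(ref):
    """Split a reference path into (class name, instance Name)."""
    m = _REF_RE.match(ref.strip())
    if m is None:
        raise ValueError("unrecognised reference path: %r" % ref)
    return m.group("cls"), m.group("name")


def consumer_action(con):
    """Return the command or script a consumer instance would execute, if any."""
    cls = con["__CLASS"]
    if cls == "CommandLineEventConsumer":
        return con.get("CommandLineTemplate") or con.get("ExecutablePath")
    if cls == "ActiveScriptEventConsumer":
        return con.get("ScriptFileName") or con.get("ScriptText")
    return None


def resolve_bindings(records):
    """Turn raw instances into filter -> consumer chains with triage flags."""
    by_key = {(r["__CLASS"], r["Name"]): r
              for r in records if r["__CLASS"] != "__FilterToConsumerBinding"}
    chains = []
    for r in records:
        if r["__CLASS"] != "__FilterToConsumerBinding":
            continue
        fcls, fname = parse_ref(r["Filter"])
        ccls, cname = parse_ref(r["Consumer"])
        flt = by_key.get((fcls, fname))
        con = by_key.get((ccls, cname))
        chains.append({
            "filter": fname,
            "query": flt["Query"] if flt is not None else None,
            "consumer_class": ccls,
            "consumer": cname,
            "action": consumer_action(con) if con is not None else None,
            # A binding whose filter or consumer no longer exists is worth a
            # look as well: it may be the remains of a half-removed subscription.
            "dangling": flt is None or con is None,
            "suspicious": ccls in EXEC_CONSUMERS,
        })
    return chains


# Constructed sample: one log-forwarding subscription of the kind that is
# benign, and one hypothetical subscription that launches a binary from
# ProgramData once the machine has been up for four minutes.
SAMPLE_RECORDS = [
    {"__CLASS": "__EventFilter", "Name": "LogForwarder", "QueryLanguage": "WQL",
     "EventNamespace": "root\\cimv2", "Query": "SELECT * FROM MSFT_SCMEventLogEvent"},
    {"__CLASS": "NTEventLogEventConsumer", "Name": "LogForwarder",
     "SourceName": "Service Control Manager"},
    {"__CLASS": "__FilterToConsumerBinding",
     "Filter": '__EventFilter.Name="LogForwarder"',
     "Consumer": 'NTEventLogEventConsumer.Name="LogForwarder"'},
    {"__CLASS": "__EventFilter", "Name": "Updater", "QueryLanguage": "WQL",
     "EventNamespace": "root\\cimv2",
     "Query": ("SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
               "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
               "AND TargetInstance.SystemUpTime >= 240")},
    {"__CLASS": "CommandLineEventConsumer", "Name": "Updater",
     "CommandLineTemplate": "C:\\ProgramData\\updater.exe /silent"},
    {"__CLASS": "__FilterToConsumerBinding",
     "Filter": '__EventFilter.Name="Updater"',
     "Consumer": 'CommandLineEventConsumer.Name="Updater"'},
]


def report(chains):
    """Render chains as text lines, suspicious ones first in the tag."""
    lines = []
    for c in chains:
        tag = "SUSPICIOUS" if c["suspicious"] else "ok"
        if c["dangling"]:
            tag += ",dangling"
        lines.append("[%s] %s -> %s(%s)" % (tag, c["filter"], c["consumer_class"], c["consumer"]))
        lines.append("    trigger: %s" % c["query"])
        if c["action"]:
            lines.append("    action : %s" % c["action"])
    return lines


if __name__ == "__main__":
    print("\n".join(report(resolve_bindings(SAMPLE_RECORDS))))
```

The point of walking bindings rather than consumers alone is that a consumer is inert until a __FilterToConsumerBinding ties it to a filter; reading the query and the command side by side tells you both when and what the subscription runs.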
1.2. Pseudo-malware 1

Pre-instructions
(1) Take a snapshot of your VM.
(2) Create an empty file at "C:\ProgramData\gcc_taro.txt" on the VM.
(3) Execute "pseudo_malware1.exe".

Then answer the following questions in English.

Q2-1. Where in the registry does the malware register itself for persistence? Persistence means an auto-start mechanism. Write the answer as a full key path starting with HKLM or HKCU, for example "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".

Q2-2. Where is the malware located on the file system? For example, it should look like "C:\Windows\temp\xxxx.exe".

Q2-3. How did you find the answers above? Describe your approach in detail.

After answering the questions, revert the VM to the snapshot you took before.

1.3. Pseudo-malware 2

Pre-instructions
(1) Create an empty file at "C:\ProgramData\gcc_taro.txt" on the VM.
(2) Execute "pseudo_malware2.exe" by right-clicking it and choosing "Run as administrator".

Then answer the following questions in English.

Q3-1. What mechanisms does the malware use for persistence?

Q3-2. Where is the malware located on the file system? For example, it should look like "C:\Windows\temp\xxxx.exe".

Q3-3. This malware creates WMI instances. What is their purpose?

Q3-4. How did you find the answers above? Describe your approach in detail.

After answering the questions, revert the VM to the snapshot you took before.

2. Advice for Auto-start location analysis

In a real incident response case you need to find the malware on a PC. Autoruns shows the applications registered in many auto-start locations at once. You can get Autoruns by downloading the Sysinternals Suite from the URL below.
https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
It can analyze both online (live) and offline systems. Offline analysis with Autoruns does not cover Scheduled Tasks or WMI, and even online analysis sometimes overlooks some entries.
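Scheduled tasks are one of the locations that Autoruns' offline mode does not cover, so they have to be read by hand. Windows keeps one XML file per task (no extension, UTF-16) under C:\Windows\System32\Tasks. The script below is an added example, not part of the assignment, that walks such a folder (or a copy taken from the VM) and lists each task's triggers, action, principal and hidden flag. The SAMPLE_TASK file embedded in it is constructed, and the rule that commands outside the Windows and Program Files directories are worth a closer look is an assumption for triage, not a verdict.

```python
"""List what each Windows scheduled task runs, from the task XML files.

Added example, not part of the assignment. Windows stores one XML file
per task (no extension, UTF-16) under C:\\Windows\\System32\\Tasks, so a
copy of that folder from the VM can be parsed offline. SAMPLE_TASK is a
constructed task file; its author, command and path are made up.
"""
import os
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DEFAULT_TASKS_DIR = r"C:\Windows\System32\Tasks"
# Assumption used for triage: commands under these directories are usually
# legitimate; ProgramData, user profiles and Temp deserve a closer look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def parse_task_xml(xml_bytes, task_name="<inline>"):
    """Extract triggers, actions, principal and hidden flag from one task file."""
    root = ET.fromstring(xml_bytes)  # expat honours the UTF-16 BOM / declaration
    trig = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig is None else [_local(t.tag) for t in trig]
    actions = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd + " " + args).strip())
    for ch in root.findall("t:Actions/t:ComHandler/t:ClassId", TASK_NS):
        # A COM handler hides the real binary behind a CLSID; resolve it in the registry.
        actions.append("COM " + (ch.text or "").strip())
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    hidden = hidden.strip().lower() == "true"
    untrusted = [a for a in actions
                 if not a.lower().lstrip('"').startswith(TRUSTED_PREFIXES)]
    return {
        "task": task_name,
        "triggers": triggers,
        "actions": actions,
        "user": root.findtext("t:Principals/t:Principal/t:UserId", default=None, namespaces=TASK_NS),
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", default=None, namespaces=TASK_NS),
        "hidden": hidden,
        "suspicious": bool(untrusted) or hidden,
    }


def walk_tasks(tasks_dir=DEFAULT_TASKS_DIR):
    """Yield parsed tasks for every file under the Tasks folder (or a copy of it)."""
    for dirpath, _dirs, files in os.walk(tasks_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                yield parse_task_xml(data, os.path.relpath(path, tasks_dir))
            except ET.ParseError:
                continue  # not a task definition


# Constructed sample task: hidden, runs as SYSTEM at boot and logon, and
# starts a binary from ProgramData. Everything in it is made up.
SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Example Author</Author></RegistrationInfo>
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\ProgramData\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")


if __name__ == "__main__":
    import sys
    tasks = walk_tasks(sys.argv[1]) if len(sys.argv) > 1 else [parse_task_xml(SAMPLE_TASK, "Updater")]
    for t in tasks:
        flag = "SUSPICIOUS" if t["suspicious"] else "ok"
        print("[%s] %s triggers=%s user=%s runlevel=%s hidden=%s" % (
            flag, t["task"], ",".join(t["triggers"]), t["user"], t["run_level"], t["hidden"]))
        for a in t["actions"]:
            print("    " + a)
```

Run it with the path of a copied Tasks folder as the only argument; without arguments it parses the embedded sample. Reading the XML directly also shows tasks whose files were dropped into the folder without a matching registration in the registry, which a live API query can miss.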
In that case you should check those locations manually, for example with the techniques below.

For scheduled tasks, look at the task folders directly (C:\Windows\System32\Tasks; each task is stored as an XML file).

Use python-cim to check WMI entries.
https://github.com/fireeye/flare-wmi/tree/master/python-cim
To use python-cim, use Python 3 and install it with pip. You don't need Qt5 or PyQt for this; installing with pip is enough.
After the installation, download the sample script below and use it for WMI persistence analysis.
https://raw.githubusercontent.com/fireeye/flare-wmi/master/python-cim/samples/dump_class_instance.py
You need to fix a bug in this script on line 68:
- print(dump_instance(instance, encoding='ascii', encoding_errors='ignore'))
+ print(dump_instance(instance))
Then you can use it like this. The first argument is the repository format ("win7" is the format used by Windows 7 and later, including Windows 10), the second is the path of the WMI repository to analyze, and the last two are the namespace and the class whose instances you want to dump.
dump_class_instance.py win7 C:\Windows\System32\wbem\Repository "root\subscription" "__EventFilter"
dump_class_instance.py win7 C:\Windows\System32\wbem\Repository "root\subscription" "CommandLineEventConsumer"
dump_class_instance.py win7 C:\Windows\System32\wbem\Repository "root\subscription" "ActiveScriptEventConsumer"
dump_class_instance.py win7 C:\Windows\System32\wbem\Repository "root\subscription" "__FilterToConsumerBinding"
========================================================================
【Answer/回答】
※Answers may be written in English or Japanese.
※Apply only if you agree to the "Handling of Personal Information" stated in this document.
※If you apply by e-mail, you may write the required items in the body of the e-mail instead.

■Handling of Personal Information
The Security Camp Council (一般社団法人セキュリティ・キャンプ協議会, hereinafter "the Council") recognizes the importance of protecting personal information in the application process for "Global Cybersecurity Camp 2018", handles the personal information you provide with care, and strives to protect your privacy. The Council uses applicants' personal information for the following purposes only and for no other purpose, and does not disclose it to any third party other than the Council and IPA.
(1) To receive applicants' event applications and to run the event
(2) To provide information about events related to the Council
Whether or not to provide personal information to the Council is the applicant's decision. Please note that if you do not provide personal information, we cannot accept your application to participate in the event.
Person responsible for personal information management for this notice: 西本 逸郎 (Itsuro Nishimoto), Chairman, Security Camp Council (一般社団法人セキュリティ・キャンプ協議会)   E-Mail: info@security-camp.or.jp