Hello, welcome to the Tuesday, November 1st, 2016 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

Yesterday I talked about volatility bot and how it can be used to automate the first phase of your malware analysis.

Now today we got Russ's approach to automating the initial instant response on Windows system.

One script that Russ introduces here is Snapshot.PS1.

It was actually written by Jason Fawson, who is the instructor for our Windows

class, and it comes as part of his class. It's really an extendable script that you can use

to add your own little tools and so to it. But what it does and what it intends to do is

sort of collect the most commonly requested artifacts from potentially compromised systems.

Of course, not everything that you want and need to do with incident response is in this one simple PowerShell script.

But as a first step, just to secure some evidence quickly, do some

initial triage. Scripts like this are certainly quite helpful. Domain name reputation lists

are certainly a hot topic and something that you can procure from various threat intelligent feats but the problem

with these feeds typically is that they operate in hindsight they first have to observe

these domains and then figure out that they're being used maliciously and then they

essentially blacklist those domains or assign them a certain risk score.

A new paper that was now presented at the ACM meeting does outline a technique where they actually

try to figure out if a domain will be used maliciously at the time at which it's registered. What they're doing is they're

essentially looking at a bunch of different data that's collected when the domain is registered,

for example, what name server will be used with it, with information, but also things that

kind of surprised me, like for example, the time of day.

Turns out that a lot of malicious domains are registered at a certain time of day, which I guess

...