Can be hard (no consistency). Are the settings different by accident or from malicious intent? Baseline reference (what the settings should be). Configs have only one place to set things. Attacker motivation:
- Get access
- Avoid detection
- Make the response harder
- Make malware work
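A baseline comparison of the kind described above, as an added example that is not code from these notes or from any of the sources they cite. It diffs a captured configuration snapshot against a baseline reference and tags each deviation with the attacker motivation it most plausibly serves; every key, value and the key-to-motivation mapping is constructed for illustration and would come from the host's own registry, config file or plist exports in practice.

```python
"""Diff a configuration snapshot against a baseline and classify each
deviation by attacker motivation (get access, avoid detection, make the
response harder, assist malware). Added example; all keys/values are
constructed stand-ins for settings exported from a real host."""
from dataclasses import dataclass
from typing import Any

# Constructed baseline: what the settings should look like on a clean host.
BASELINE = {
    "remote_desktop_enabled": False,
    "file_sharing_enabled": False,
    "firewall_enabled": True,
    "antivirus_realtime": True,
    "edr_agent_running": True,
    "audit_logon_events": "success_and_failure",
    "security_log_max_mb": 1024,
    "volume_shadow_copies": True,
    "backup_service_enabled": True,
    "updater_service_exe_path": r"C:\Program Files\Updater\updater.exe",
    "hosts_file_sha256": "BASELINE_HOSTS_HASH_PLACEHOLDER",
}

# Constructed snapshot from the host under investigation.
SNAPSHOT = {
    "remote_desktop_enabled": True,
    "file_sharing_enabled": False,
    "firewall_enabled": True,
    "antivirus_realtime": False,
    "audit_logon_events": "none",
    "edr_agent_running": True,
    "security_log_max_mb": 16,
    "volume_shadow_copies": False,
    "backup_service_enabled": True,
    "updater_service_exe_path": r"C:\Users\Public\updater.exe",
    "hosts_file_sha256": "SNAPSHOT_HOSTS_HASH_PLACEHOLDER",
    "extra_local_admin": "svc_backup",  # key not present in the baseline at all
}

# Assumed mapping from setting to the motivation a change would serve.
MOTIVATION = {
    "remote_desktop_enabled": "get_access",
    "file_sharing_enabled": "get_access",
    "firewall_enabled": "avoid_detection",
    "antivirus_realtime": "avoid_detection",
    "edr_agent_running": "make_response_harder",
    "audit_logon_events": "make_response_harder",
    "security_log_max_mb": "make_response_harder",
    "volume_shadow_copies": "make_response_harder",
    "backup_service_enabled": "make_response_harder",
    "updater_service_exe_path": "malware_assist",
    "hosts_file_sha256": "malware_assist",
}

ABSENT = "<absent>"


@dataclass(frozen=True)
class Deviation:
    key: str
    expected: Any
    actual: Any
    motivation: str


def diff_against_baseline(baseline, snapshot):
    """Return every setting whose value differs from the baseline. A key that
    exists on only one side is reported too: an added or removed setting is
    itself a change worth questioning."""
    deviations = []
    for key in sorted(set(baseline) | set(snapshot)):
        expected = baseline.get(key, ABSENT)
        actual = snapshot.get(key, ABSENT)
        if expected != actual:
            deviations.append(
                Deviation(key, expected, actual, MOTIVATION.get(key, "unclassified"))
            )
    return deviations


def summarize(deviations):
    """Count deviations per motivation so the pattern is visible: several
    make_response_harder hits together say more than any single value."""
    counts = {}
    for d in deviations:
        counts[d.motivation] = counts.get(d.motivation, 0) + 1
    return counts


if __name__ == "__main__":
    found = diff_against_baseline(BASELINE, SNAPSHOT)
    for d in found:
        print(f"{d.motivation:22} {d.key}: {d.expected!r} -> {d.actual!r}")
    print(summarize(found))
```

The unclassified bucket is deliberate: a setting that is absent from both the baseline and the mapping is exactly the kind of thing the baseline was supposed to prevent, so it is surfaced rather than silently ignored.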
Getting Access
- Has remote access been enabled?
- File sharing enabled?
- Config changed to launch different programs?
Avoiding detection
Common anti-forensic techniques.
Prevent detection (disable firewalls, anti-virus). Rootkits are covered in the malware section.
- Have any prevention tools been disabled?
- Malicious certificates installed to trick prevention tools?
- Have any detection tools been disabled?
Read more about the above techniques: Wipe the drive! Stealthy Malware Persistence - Part 1 and Wipe the drive! Stealthy Malware Persistence - Part 2.
Response
Make the response harder: disable endpoint visibility, disable accounts (or reduce privileges), reduce or disable logs, backups, volume shadow copies.
- Were any accounts disabled?
- Visibility tools disabled?
- Settings changed to record less data?
- Audit settings changed?
- Logs cleared?
- Backups disabled?
Malware Assist
Changes needed by malware? Changed exe path, library path, hosts file.
- On a Windows machine: registry, config files (app-specific or OS).
- On a macOS machine: plists.
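Two of the malware-assist checks above (hosts file tampering, and the executable path a macOS plist launches) as an added example; this is not code from these notes or from the cited sources. The hosts file content, the plists, the expected hosts entries and the allowed path prefixes are all constructed for illustration. Label, ProgramArguments, Program and RunAtLoad are standard launchd plist keys.

```python
"""Audit a hosts file and a launchd-style plist for the config changes
malware commonly needs. Added example; all inputs are constructed."""
import ipaddress
import plistlib

# Constructed hosts file. The first two lines belong on a clean host; the
# rest imitate entries an analyst should question.
HOSTS_TEXT = """# constructed sample hosts file
127.0.0.1 localhost
::1       localhost
127.0.0.1 updates.example-av.invalid      # sinkholed: updates never arrive
0.0.0.0   telemetry.example-edr.invalid   # sinkholed: alerts never leave
203.0.113.7 login.example-bank.invalid    # pinned to an unexpected address
"""

# (address, name) pairs expected on a clean host (constructed).
EXPECTED_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (address, [names]) per non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def audit_hosts(text, expected=EXPECTED_HOSTS):
    """Flag every mapping not in the expected set, with a reason."""
    findings = []
    for address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append({"name": address, "address": address,
                             "reason": "unparseable address"})
            continue
        for name in names:
            if (address, name) in expected:
                continue
            if addr.is_loopback or addr.is_unspecified:
                reason = "name sinkholed to a local/unspecified address"
            else:
                reason = "name pinned to a non-local address"
            findings.append({"name": name, "address": address, "reason": reason})
    return findings


# Constructed plists: one launching from an unexpected location, one clean.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/Shared/.cache/updater", "--quiet"],
    "RunAtLoad": True,
})
CLEAN_PLIST = plistlib.dumps({
    "Label": "com.example.clean",
    "Program": "/usr/local/bin/tool",
})

# Prefixes an analyst accepts for launched programs on this host (assumed).
ALLOWED_PROGRAM_PREFIXES = ("/Applications/", "/usr/", "/System/",
                            "/Library/Application Support/")


def program_path(plist_bytes):
    """Executable the plist starts: ProgramArguments[0], else Program."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments")
    if args:
        return args[0]
    return data.get("Program")


def audit_plist(plist_bytes, allowed=ALLOWED_PROGRAM_PREFIXES):
    """Report label, launched path and whether it sits under an allowed prefix."""
    data = plistlib.loads(plist_bytes)
    path = program_path(plist_bytes)
    ok = path is not None and path.startswith(allowed)
    return {"label": data.get("Label"), "path": path, "ok": ok}


if __name__ == "__main__":
    for f in audit_hosts(HOSTS_TEXT):
        print(f"hosts: {f['name']} -> {f['address']}: {f['reason']}")
    print("plist:", audit_plist(SAMPLE_PLIST))
    print("plist:", audit_plist(CLEAN_PLIST))
```

The two sinkhole cases are separated from the redirection case on purpose: loopback or 0.0.0.0 mappings for a security vendor name point at avoiding detection, while a name pinned to an outside address points at getting access or credential capture, and the analyst will follow each up differently.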
Escalation