Disk Flashcards

Question 1

Q

How should you run Kape?

Answer

A

from a USB drive, it’s self contained

Question 2

Q

provides the ability to forensically extract files from a mounted drive, including hidden or locked system files. (Free)

Question 3

Q

Average breakout time in 2017

Question 4

Q

Primary purpose of IR

Answer

A

Cyber threat intelligence. What is happening? Otherwise, they will come back. Qualifying what the adversary wants and does will stop future attacks.

Primary output of the exercise.

Question 5

Q

What is the containment phase of IR?

Answer

A

Preventing additional adversary actions while monitoring activity. Active defense.

Not pulling the plug while creating cyber threat intelligence.

Question 6

Q

Manual and automated scanning looking for evil

Question 7

Q

Why is baselining important to hunting?

Answer

A

Have to be able to establish what “normal” looks like before you can see what abnormal is.

Question 8

Q

How does threat intelligence get to the SOC?

Answer

A

Generated by HFS/NFS/CFS as part of Hunt/Incident detection, signatures created are put into intelligence as a product, fed back to the SOC.

Question 9

Q

Proper threat intelligence team will arm a hunt team with:

Answer

A

Where to look, based on APT type activity
What to look for: signatures. Reg keys, malware footprints, IP/domains, hashes, utilities used, TTPs…
Likelihood of attack

Question 10

Q

Hunt teams should have, at a minimum

Answer

A

Trusted visibility into endpoints and networks across the org. (Ability to use powershell or an EDR tool to sweep the entire enterprise)

Question 11

Q

Remediation should, at minimum:

Answer

A

Deny adversary access to the environment
Eliminate the ability for the adversary to impact remediation efforts
Remove presence of adversary from the environment
Degrade the future ability of adversary to return

Question 12

Q

Atomic Indicators

Answer

A

Pieces of data that are indicators of adversary activity all on their own, such as emails, IPs, strings from C2 channnels, FQDN, etc.

Question 13

Q

Computed Indicators

Answer

A

Hashes of malicious files, data included decoded C2 protocols, some IDS signatures

Question 14

Q

Behavior indicators

Answer

A

A profile of behaviors. Bad guy likes to tunnel traffic through think tanks, use macros for word documents, targets these types of targets, and uses these types of specific computed and atomic indicators. Like a CrowdStrike profile.

Question 15

Q

How many stages is the MITRE tactic categories, and where was it derived from?

Answer

A

10 stages, derived from the 7 stage Kill Chain.

Control, Maintain, and Execute are broken out from the latter stages of the Kill Chain.

Question 16

Q

What is STIX?

Answer

A

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX is open source and free allowing those interested to contribute and ask questions freely.

Question 17

Q

The equivalent of narrowing down a human suspect through identifying characteristics, but for adversaries

Question 18

Q

Open sourced community driven standard format for IoC’s

Question 19

Q

Tool aimed at (but not limited to) helping Malware researchers identify and classify malware samples. Create descriptions of malware families based on textual or binary patterns>

Question 20

Q

What is a YARA rule?

Answer

A

A description of strings/boolean values that help determine a Malware variant.

Question 21

Q

Tools for making IoC rules

Answer

A

YARA, STIX, OpenIOC

Question 22

Q

Mandiant tool for standardizing IOC’s

Question 23

Q

an antivirus signature that you can control, basically

Question 24

Q

Free tool that provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.

Answer

A

FE Redline

Question 25

Q

Finding fileless malware should start with

Answer

A

….looking for the evidence of its execution when it RUNS.

Question 26

Q

Malware that is not active but is dormant is harder to find because

Answer

A

We can’t detect the malware in memory

Question 27

Q

How should you structure finding evil, from broad too specific?

Answer

A

Automated enterprise wide sweeps that can be signature based should start early, and then using targeted EDR data and triage data should be spent only on narrowed hosts that are suspicious, as they are time consuming. More manual processes should be used sparingly.

Question 28

Q

Mechanisms for detecting compromise of systems w/o malware on them

Answer

A

Program execution, File opening, File knowledge, event logs, browser usage

Question 29

Q

where malware hides, and names

Answer

A

Like to name it svchost, explorer.exe, win.,exe; app data folders (where outlook and explorer drop stuff)

Likes to hide in temp folders, windows folders, and internet files, system volume files….

They’ll often pack it, run it through python or after converting it to text, etc….obfuscating it

Question 30

Q

Best way to combat processes masquerading as legit

Answer

A

whitelisting

Question 31

Q

Malware uses services such as ______ to hide in plain sight

Answer

A

frequent compilation, packing, and armoring. It will mimic known good services and normal windows services.

Question 32

Q

Most frequent hallmarks of malware evasion

Answer

A

Probably create a new service (scheduler @ cmd)
replace an existing service, like the wireless zero config service
register as an outrun process in memory
process injection

Question 33

Q

To obtain a commercial software certification (to conduct code signing) you usually need ____ at a minimum, but often ______

Answer

A

Passport/phone bill (something to prove identity)

a Dun and Broadstreet rating (Level of financial standing/stability); shows that your org is a stable business.

Question 34

Q

Examples of code-signing certs being manipulated

Answer

A

Stuxnet
opera browser manipulation that allowed access to private keys
adobe key signing cert stolen

Question 35

Q

When did MSFT start doing code signing, and on what code?

Answer

A

Server 2008, Drivers

Question 36

Q

Drivers give you access to what level of the O/S?

Question 37

Q

When did MSFT start enforcing code signing for executables?

Answer

A

On servers: Server 2016
Workstations: windows 10

You have to turn on executable signing!

Question 38

Q

difference between corporate and business code signing cert

Answer

A

For corporate, you need to have a Dun financial rating (Dun and Broadstreet) Shows you have a stable business.

Question 39

Q

% of malware that’s signed

Answer

A

around 3.5%; higher % for nation state attacks

Question 40

Q

Downside to signed malware

Answer

A

If you revoke the signing cert (add it to the CRL) it would put a beacon on any version of that code in the wild. Makes rapid re-development/redeployment of code hard

Question 41

Q

How to downselect code that’s signed for investigations

Answer

A

You can usually ignore code signed by well known sources such as MSFT, google, apple, etc.

Question 42

Q

Finding evil in process starts with

Answer

A

Identifying normal processes and their locations. (Lsass.exe, taskhostw.exe, winlogon) Cross check that it lives in the correct directory/location. (such as %SystemRoot%\System32\smss.exe)

Question 43

Q

What is sigcheck?

Answer

A

Checks for signed code, upload to VT

Question 44

Q

What is density scout?

Answer

A

Checks for possible obfuscation and packing of a file. File will receive a score; this score can be used to identify whether a set of files is worth investigation.

Question 45

Q

What is pescan?

Answer

A

command line tool to scan portable executable (PE) files to identify how they were constructed. Various metadata is displayed, identifying items such as:

Compile timestamp
MACB timestamp
File size and type of executable
Target OS and whether binary is 32 or 64 bit
Linker version used
Entry point address and desired image base address
Whether an X509 certificate was used and who the author is
Whether there is a checksum present and does it match the binary
Optional analysis of the PE internals to generate an abormality score which compares the internal construction to the standard operating system files. Higher scores equate to larger differences.
Optional MD5 and/or SHA1 hashes of the file can be generated as part of the scan.

Question 46

Q

Built in windows command to query service configurations

Question 47

Q

Places to look for evidence of program execution

Answer

A

Prefetch, Shimcache, userassist registry keys, and jump lists.

Question 48

Q

Places to look for evidence of program execution

Answer

A

Prefetch, Shimcache, userassist registry keys, and jump lists.

Question 49

Q

Indications of odd behavior from seemingly normal OS artifacts could include

Answer

A

cmd.exe exeuction
Sysinternals tools usage (psexec, procdump, psloggedon)
at.exe or schtasks.exe execution (Persistence)
wmic.exe, Powershell.exe, or winrm.vbs execution
net.exe use, used for mapping drives or lateral movement
reg.exe or sc.exe (addition of run keys or services)
mount points2 registry key: records shares such as C$, Temp$, etc
.job files in C:\Windows\Tasks: odd application tasks executed

Question 50

Q

Where would you see an adversary adding new run keys or services?

Answer

A

Use of reg.exe or sc.exe

Question 51

Q

Where are some MSFT native tools an adversary might use for persistence or lateral movement?

Answer

A

Sysinternals tools (psexec, procdump, psloggedon) or net.exe (network)

Question 52

Q

When looking for malicious processes, some anomalous characteristics might include?

Answer

A

starting with wrong parent process
image executable in wrong path
misspelled processes
incorrect sid (starting from wrong account)
Processes with unusual boot times
Unusual command line parameters
packed executables

Question 53

Q

How does density scout work?

Answer

A

tries to compress a file; parts of the file that are obfuscated or encrypted won’t compress. Finds parts of files that have high frequency letters (usually encrypted) content or high entropy. (randomly generated)

You can usually compress standard EXEs very well (50%+) anything less than 10% compression represents concern.

Question 54

Q

What Is temporal analysis?

Answer

A

fancy term for “time lining”

Question 55

Q

How to use google post density scout to further check executables with low compression rates?

Answer

A

Look to see how common they are. Google/VT; put the full path into google. (If there’s zero hits, or even a recommendation, it will have a hit)

Question 56

Q

Technique that obfuscates or encrypts data or software and encapsulates it into a file along with a program to perform decryption/deobfuscation

Answer

A

packing. a “packed executable” is a piece of software with an unpacking program.

Question 57

Q

PEscan looks for what?

Answer

A

Code anomalies. Will present why it thinks the executable is weird, in the notes, and providing a rating. Compile data can be interesting….as is the CPU type. (32-bit code is unusual)

Question 58

Q

Where does 32 bit programs run from?

Answer

A

Syswow64, if they’re standard windows processes

Question 59

Q

Where do 64 bit programs run from?

Answer

A

System32==

Question 60

Q

Verifies that images are digitally signed, provided the root certificate store is updated.

Question 61

Q

Checks VT detections while verifying code signing

Question 62

Q

Two hives that autoruns most often usually live in, and when are they usually executed?

Answer

A

NTUSER and Software; executed when a user logs on

Question 63

Q

How does an adversary manipulate the userinit registry key?

Answer

A

This key (in the Software hive) is used by Winlogon to execute explorer.exe and userinit.exe, at startup.

Question 64

Q

Greatest hits for places to stick persistence mechanisms (WADSSS)

Answer

A

W-MI Event Consumers
A-utostart locations
A: GPO, MS-Office add-ins, BIOS.
D-LL's (DLL hijacking)
S-ervice creation/replacement
S-ervice failure/recovery
S-cheduled taskss

Answer 53

A

AEPs. Autostart Execution Points. Things that start with the O/S. Frequently abused.

Answer 54

A

%AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Answer 55

A

RegRipper

Answer 56

A

%AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup; shortcuts in here will link and execute to representative binaries

Answer 57

A

They replace unused services with malware, or modify an auto-start to include a new binary, or manipulate service recovery features (like dr. Watson)

Answer 58

A

They replace unused services with malware, or modify an auto-start to include a new binary, or manipulate service recovery features (like dr. Watson)

Answer 59

A

Putting a DLL with the same name in the directory of a core DLL, so it launches ahead of the existing DLL.

Traditionally, search-order hijacking attacks
utilize an executable file’s DLL search path to load
spoofed DLLs through the known DLLs record.

Answer 60

A

Inserting a DLL into a place where it would normally exist, but doesn’t. List of “known” DLLs for all the windows variants kept at KnownDLLs, and will include DLLS not found in that version. IE, for Windows 2016 R2 server, inserting a DLL that would normally be there but isn’t turned on/used for that build; when windows sees that DLL exists at startup, it will launch it.

Great example is replacing the FaxDLL (fxsst.dll) in the system32 folder.

Answer 61

A

Getting a new version of a legit-DLL loaded into the system. Part of the dynamic update features of Windows, just like a Web 2.0 AJAX style query.

DLL side-loading, in contrast to search order hijacking, utilizes the WinSxSn assembly to load the malicious DLL from the SxS listing, which is located in the following registry key:

%TEMP%\RarSFX%\%ALLUSERS PROFILE%\SXS\ or
%TEMP%\RarSFX%\%ALLUSERS PROFILE%\WinSxS\

Answer 62

A

Easy means to collect and analyze services on a system. Similar to SC. Will also collect currently scheduled jobs.

Answer 63

A

both at.exe and schtasks.exe

Answer 64

A

Create an event filter, that “triggers” based on an event occuring (for example, run every 20 seconds)
Once triggered, an event consumer is added to the system with a script and/or executable to run (run this PS script to beacon to a backdoor)
Finally, tie the event and consumer together as a “binding” and enter it in the WMI repository

Answer 65

A

MOF file (managed object format)

Answer 66

A

Stuxnet

A zero day (print spooler service) was exploited to deliver an EXE and an MOF file. The MOF file was auto-compiled by the system, creating a WMI event and consumer that immediately executed the malicious executable.

Answer 67

A

Powershell:

Get-wmi-object

Answer 68

A

autorunsc.exe; goes through and analyzes, like sigcheck,. (doesn’t do dll hijacking or service failure)

Answer 69

A

Something to be concerned about. IEX is the “Invoke Expression” cmdlet, which takes the argument of a script and executes it. Often used to download the malicious script, which then gets passed in to PS. Evades many A/V tools.

Answer 70

A

Something to be concerned about. IEX is the “Invoke Expression” cmdlet, the underlying .net command is
“Net-Object.System.Net.WebClient) which takes the argument of a script and executes it. Often used to download the malicious script, which then gets passed in to PS. Evades many A/V tools.

Answer 71

A

A download cradle is a single line command for download and code execution. … A download cradle can also be part of a persistence mechanism, tooling or execution at other attack stages when an attacker attempts to download capability or run fileless

Answer 72

A

WMI + WMIC

Answer 73

A

Non-interactively. (Network logons)

Answer 74

A

Doesn’t do historical well; mostly live, in place. (The LR functionality is FE using Redline for the historical)

Answer 75

A

If you do, you’re likely using something less secure. (PSEXEC) It’s no more dangerous than RDP/RPC. Powershell remoting is MUCH more secure.

Answer 76

A

.NET framework objects, which mean the objects carry multiple aspects or properties of the command. (Cmdlets)

Answer 77

A

By encapsulating it in objects, which can be passed to other cmdlets for additional processing. One cmdlet might make an array of objects for computers, files, network objects, the next might groom out the files, next might perform actions on those files.

Answer 78

A

how Powershell abstracts collections of items into containers. For example, “Get-ChildItem HKLM:Software” would abstract all the registry keys in that hive to an object.

Answer 79

A

PSSession: ps for secure remoting

Answer 80

A

Invoke-Command (E I X)

Sends commands without an interactive session being established.

Answer 81

A

It doesn’t cache credentials; only vulnerability is to things like ticket attacks

Answer 82

A

invoke-command, then use a -scriptblock parameter, or -filpath to have it run from a local file.

Doesn’t need to set an array to loop through data.

Answer 83

A

The former uses the resources of the target to execute the commands, the latter relies on the processes/power of the invoker.

Answer 84

A

It caches the credentials so that it can pass them to a 3rd party/system that requires it; similar to SSO.

Creds aren’t cached otherwise, so Mimikatz/Incognito can’t steal them.

Answer 85

A

Organized collection of scripts andl modules and scripts into a framework for IR purposes. Much of it PS, but can execute anything. Uses PS for remoting.

Answer 86

A

your account must have admin privs on the remote host
windows remoting (WinRM) enabled.

Answer 87

A

./Modules folder

Answer 88

A

./Analysis

All of the ways that it will crunch that data produced by the Modules in Kansa are listed in individual Analysis scripts. You can enable and disable ones you want it to run at the end of a pull, or run them ad-hoc.

Answer 89

A

If it’s been around a long time, it’s less likely to be used as C2 unless the adversary is just holding it for a long time. (Infoblox will block recently registered domains tho, so smart bad guys will hold them past that time)

Answer 90

A

It’s the stackable feature of Kansa. If you see 30 hosts that have a specific run key, it will provide a “counter” for that occurrence across the environment.

Frequency analysis scripts.

Answer 91

A

Put the binaries you want to run in the .\Modules\bin and when executing, push with -pushbin. Remove them after with -rmbin

Must add the tool as a BINARY DEPENDENCY #BINDEP in the collector script. Even commented, it will run

Answer 92

A

Get-RekalPsList.ps1

Answer 93

A

Windows Management Instrumentation. Deeply invasive control of the underlying Windows architecture, meant for administrative tasks in a large environment

Answer 94

A

It exists for uses in every stage of the kill chain
It’s largely only in memory
Windows native, minimal logging of actively
evades whitelists
scripts can be obfuscated when run through it
encrypted
runs over standard PScom/WinRM pipes

Answer 95

A

List user accounts, groups, netuse lists, list of fixes and patches installed, etc

Answer 96

A

Powershell has history and logging. WMI is often the underlying commands being run, and usually silently.

There’s no automatic logging for WMIC commands by default

Answer 97

A

Powershell Empire has multiple WMI tools for finding services running in the wrong directories or with elevated privs, that could be manipulated. Also looks for services that have a space and aren’t quoted, where you could inject other services.

Answer 98

A

WMI Process Call Create: used by NotPetya and BadRabbit uses to execute code remotely

Answer 99

A

It’s the valid app that calls DLLs; if you want to run a malicious DLL, you could invoke this manually to call another DLL, thus skipping some whitelist controls.

Answer 100

A

Creation of Event Consumer Backdoors. (Embedded in WMI database) is there an event/trigger condition (MOF file) that doesn’t belong?

Answer 101

A

Use PowerShell or mofcomp.exe

Answer 102

A

Direct RCE for systems accessible via WMI Process Call Create.

Also uses Remote shares accessible via NetEnum/Netadd to spread its payload

Answer 103

A

Enable Event logs (will fill up your logs QUICK)
Sysmon has its OWN event log (better)
Use PowerShell to discover suspicious events
Commercial EDR tools (Carbon Block, Tanium, HX) (best)

Answer 104

A

Looking at:

event filters (Trigger)
EventConsumer (Script or executable to run)
FilterToConsumerBinding (binding, storage, persistence)

Answer 105

A

WMI explorer tool (wmie2)
Mandiant WMI-Flare tool (Offline parsing)
Mandiant PyWMIPersistenceFinder
WMI forensics scripts

Answer 106

A

ActiveScriptEventConsumer - execute a predefined script
CommandLineEventConsumer - Launch an arbitrary process (more common: launch a download cradle)

Focus on consumers!

Answer 107

A

Think of it as text file representing the WMI definitions and instances.

Used for rebuilding and recovering the WMI database. Found in WMI repository.

Answer 108

A

Can use it to create WMI objects from anywhere; doesn’t NEED to reside in the WMI repo or even on the same computer. (-N to add remote machine names)

Can use it to rebuild WMI from another machine with arbitrary events/consumers. In this scenario, the residue isn’t even on disk, but in memory.

Answer 109

A

You can send a MOF file to the Print Spooler, which will compile it and import it into the WMI repo. (Was just a windows service, not an exploit)

Anything you wrote in there was written in as an admin account to the backend.

Answer 110

A

mofcomp -N \machinename\root\subscription test.mof

have to delete the #PRAGMA from the first line of the file

Answer 111

A

No. Can write directly into it using .NET code (like PS)

Answer 112

A

HKLM registry, WBEM auto recover key

Answer 113

A

Consumer portion
look for wmipvrse (especially on non-servers)
Look for wmipvrse’s parent process. (Should be svchost!)
Look for wmipvrse spawning things like cmd/ps

Active script portion
Look for scrcons.exe
RARELY SEEN!

Answer 114

A

Looking for WMIC call create
/node: 
invoke-wmimethod or invoke-CimMethod (PS)
wmiprvse with unusual parent
wmipvrse with unusual children (like PS)
scrcons.exe running
PS with encoded commands

Answer 115

A

4624 (Logons)
4720 (Account Creation)
4776 (Local account authentication)
4672 (Privileged account usage)

Answer 116

A

Windows 8: Protected processes can only load signed code and can only be attached to other protected processes.

Answer 117

A

It’s not on by default, and Mimikatz gets around it via a signed driver.

Answer 118

A

Update to restricted admin: protects any account (not just admin) during RDP sessions.

Answer 119

A

Credential protections, via KB2871997. (Backport to Windows 7)

Answer 120

A

It’s hardware heavy; works with virtualized sandboxes. Has a lot of work to do for exceptions.

Answer 121

A

Kerberos
and
NTLM (for using local accounts, network logon w/SMB vs domain creds

Answer 122

A

an identity and an authenticator (secret)

Answer 123

A

cached creds for users (ie, Joe on computer a has logged in via NTLM on another box, and his creds are cached there)

Helpdesk account (pushed to every box for local admin work)

Administrator account (if it hasn’t been randomized as part of build, with sysprep)

Answer 124

A

They’re encrypted and salted, so have to be offline cracked, unless you’re passing the hash. If you do crack them, you have the password, so you don’t need to pass the hash.

Answer 125

A

Stored cached credential
NTLM Hash
Token
Ticket

Answer 126

A

The threat actor has access to a box, find a LOGGED IN system user, accesses the stored credential in the form of the NTLM hash, and then accesses another machine that has that account cached; when it asks the first box for the cred, the hash is passed over. Requires a logged on user, another machine that has that same user cached, and access to the hash.

Answer 127

A

Starting at 8,1, any priv account is not allowed to do a network logon over NTLM, with the exception of the default administrator account.

(Why you dont clone computers)

Answer 128

A

It must be for a user that is LOGGED ON, or the process is still running

Answer 129

A

Monitor admin accounts/boxes
Stop remote interactive sessions w/Admin accounts
Properly terminate RDP
Windows 10 (cred guard, tspkg, domain protected users group)

Answer 130

A

…from LSASS to a hypervisor controlled isolated process.

Answer 131

A

SeImpersonate or Delegate. (or admin privileges necessary to add those permissions)

Answer 132

A

Delegate tokens

Can be used w/PSExec to map remote admin shares

Answer 133

A

Impersonate tokens. (SeImpersonate)

Answer 134

A

Extract the token
Reuse it to manage group membership or add users
Escalate local privileges

Answer 135

A

Console logons, RDP, using “Run As” on the machine.

Answer 136

A

“restricted admin” prevents tokens from being available on the machine during remote admin sessions (which should be avoided, anyway)

Remove delegation of high value accounts in AD

Use group policy to set time values for sessions, after which it disconnects (to prevent improperly terminated RDP sessions

Answer 137

A

SECURITY\Cache reg key

Answer 138

A

caches the last 10 logon hashes. (25 for 2008+)

Answer 139

A

indefinitely, even after a reboot.

Answer 140

A

extract hashes off-line, to be cracked

Answer 141

A

Creates a standard admin, same RID, which can be used in credential theft/lateral movement very easily

Answer 142

A

Minimize amount of cached accounts

Use Protected Users group

Answer 143

A

0-1 (NSA)

<4 (DoD)

Answer 144

A

through Get-Lsasecret.ps1, can dump and decrypt the LSA secrets. These secrets, if they’re privileged incorrectly, can let a service account be used to exploit escalation of privilege. (looking for overprivileged service accounts)

Can be combined with ticket requests (kerberoasting); offline the ticket, crack it, and use it with the service account.

Answer 145

A

Nishang Powershell framework (pulling encrypted service account details from LSA)

Kerberoasting to marry that account with a ticket for its use

Answer 146

A

dont employ services or schedule tasks requiring domain administrative trusts
reduce number of services that require domain accounts
Group managed services, through “Group Managed ServiceAccounts”

Answer 147

A

Stolen from memory

kerberos ticket w/o an expiration date, and has domain admin.

Answer 148

A

request tickets for service accounts: they send you the ticket for a service account, you roast it(crack it) and then reuse it

Answer 149

A

Expires when the krbtgt is rotated. Changing other credentials is meaningless

Answer 150

A

Server 2008R2

Introduces frequent password changes and long passwords

Answer 151

A

If you dump a privileged ticket, you can export it from the system, dump it into Mimikatz (or other utilities) and then import it into another system, where it will be cached and available

Answer 152

A

ANY user can request a ticket from a DC for ANY service

The ticket returned for the service has a non-salted hash for the account that runs the service.

This password can be easily cracked offline

Answer 153

A

If an attacker loses access, ANY user-level access to a domain joined system will provide a mechanism to re-use the golden ticket to get priv access again using Pass the Ticket.
Works even if a full password reset is conducted for all enterprise accounts
Attack can be constructed with access to either the NTDS.dit or memory. (attacker must have Admin access on a DC to get this)

Answer 154

A

“Silver ticket”

Answer 155

A

they’re excellent backdoors: auth occurs without requiring comms with the DC. Attacks a computer account password.

Answer 156

A

After gaining access to a DC, a tool like Mimikatz can “patch” LSASS to enable a backdoor password for any valid domain user.

It’s a SECONDARY password for the account; even if they change the primary, the secondary remains available.Easy and persistent backdoor for access.

Answer 157

A

Credential guard/Remote credential guard
Long and complex passwords on service accounts
Audit service accounts
Regularly change the KRBTGT password (no more than yearly

Answer 158

A

Gains access to all the user and computer account hashes, which are encrypted. (though the encryption is easy to break)

Easiest way to get to a users personal access/drives/phones/computers,

Answer 159

A

use Volume Shadow Copy service.

Answer 160

A

\Windows\NTDS

Can be ripped by:
ntdsutil
NTDSXtract
ntdsdump
VSSAdmin
PS
Metasploit

Answer 161

A

Often, using admin credentials are noisy: if you have the NTDS.dit, you can natively log in as a user and see what they see, have access to their browser, OneDrive, phone, etc. Less noisy.

Answer 162

A

The total number of times an application has been executed, the original path of the execution, and the last time of execution. (up to the last 8 times)

telemetry for execution

Answer 163

A

It provides an extra bonus 9th “evidence of execution” for the application in question.

Answer 164

A

_.pf

ON WORKSTATIONS, in Stored in \Windows\Prefetch (not a server service)

Up to 128 files on

Answer 165

A

Meant to give a process an extra bit of juice when it executes, next time will launch quicker/more efficiently. (On old hard drives, it would co-locate executables in close digital space so the hard drive didn’t have to scan to it)

Answer 166

A

IN windows 7, they started disabling prefetch for SSDs, but realized it was still providing efficiencies.

Answer 167

A

the prefetch file for sdelete has the target of what was deleted. Doesn’t include registry keys, but file/filehandles.

Answer 168

A

If there’s a huge recent amount of “living off the land” type tools, like netstat/net-use from command line, that might indicate that someone is in your space.

Answer 169

A

the .pf file.

Answer 170

A

Overwritten with the most recent runs of the file, or erased if the application hasn’t been used in a long time. (After which it gets re-created for a new run, with a new timestamp)

Answer 171

A

that an application ATTEMPTED to execute, not that it did so successfully.

Answer 172

A

It changes the hash value, because it’s been executed from a new location. (useful info!)

Answer 173

A

Pulls information on a directory or a single application for prefetch, including volume information, files and directories referenced, and all execution time info.

Answer 174

A

-f is for a single application, -d is a directory of applications

Answer 175

A

the directory path that the executable is in, and the command line options of the programs

Answer 176

A

it will launch a 32 bit version of the calc app. A 32 bit process can’t have a 64 bit child process.

Answer 177

A

Because bad guys write a lot of malware in 32 bit, and a lot of child processes are launched in 32 bit as well, which is unusual for system activity

Answer 178

A

Trigger

Action

Host it runs on

Answer 179

A

Sdelete has a -z option, to zero-ize unallocated spac.e

Answer 180

A

Volume shadow copy (provided they didn’t turn VS off/on again or memory (volatility can pull prefetch)

pecmd can use a -vss option to also look in volume shadow copy at run

Answer 181

A

Designed to detect program compatability challenges. (Apps should be able to run in any version of Windows, but that’s hard)

Answer 182

A

All the application files, AS they’re run, that have been checked for compatibility/shimmed

Answer 183

A

the last modification time of the executable
the full path of the exe

(not when it was shimmed, when it was executed)

Also, when explorer browses the folder with the executable, and it’s shown in the gui (weird) You hav etc see it with your eyeballs

Answer 184

A

a new version of psexsvc is pushed to that machine. The NEW version gets shimmed every single time, even though it’s overwriting the same file. (good to know)

Answer 185

A

an entry in the shimcache, because it’s shimmed again

Answer 186

A

shimcache

Answer 187

A

On shutdown. Prior to that, shimcache entries exist only in memoruy

Answer 188

A

a Flag in the registry flag that means that confirms the application was executed; if the flag is empty, it likely wasn’t.

Answer 189

A

the temporal order. What executables ran in what order, starting most recently to most distant, historically.

Answer 190

A

Programs installed, programs executed

Answer 191

A

amcache.hve (registry) at C:\Windows\appcompat\programs\amcache.hve

and

Within that hive, a Root\File{Volume GUID} which tells you where the executable was run from, volume wise.

Answer 192

A

Each key represents a numerical value, which each represents another executable. Key # is a combo of the MFT entry and a sequence number. (written in hex) Parsers can break that out.

Answer 193

A

a SHA-1 hash for it.

Answer 194

A

indicates client is receiving a remote WMI command

Answer 195

A

Shellbags (using shellbags explorer) and opening the userclass.dat file (found in the user’s home directory)

E\C\users\AppData\Local\Microsoft\Windows\userclasss.dat

Answer 196

A

%systemroot%\System32\config (older)

%systemroot%\System32\winevt/logs (modern)

Answer 197

A

The System Event log

Answer 198

A

Forwarded events log

Answer 199

A

150+ Application, Security, System are only 3.

Answer 200

A

Defender
Firewall
Task Scheduler

Answer 201

A

Only system (LSASS); third party apps don’t log to this log facility

Answer 202

A

Auth attenmpts
User behavior/actions
File/folder/share
Security Settings modifications
LSASS process
Processes (manually?)

Answer 203

A

Logon event: user logon (where the logons are tracked at): You going through TSA and showing ticket/ID
Account logon event: Authentication event (board the plane) Security checkpoints! (Where did you authenticate)

Answer 204

A

an account logon event, or “authentication event”

Answer 205

A

4624 and 4625, successful vs. failed logon

Answer 206

A

4648 (logon using explicit creds)

Answer 207

A

4672 (VIP in the room!)

Answer 208

A

You’ll need the pairing of a Successful logon (4624) and 4672 (superuser/priv account logon)

Answer 209

A

They aren’t reliably recorded (as 4634, logoffs) so look for 4647.

Answer 210

A

malicious activity is used to access a system. Backdoor, exploited service, or similar.

Answer 211

A

HOW the user logs into the system (IE, 7 is RDP, VNC/Console is 2, cached ares to logon is 11, etc)

Answer 212

A

3; network logon

Answer 213

A

MSFT tries to reduce the traffic to the DC and sometimes defaults to cached creds, even when the DC is online.

Answer 214

A

Use the Logon ID value; creates “parenthesis” on the front and back end of a session

Answer 215

A

interactive

Answer 216

A

$: Account is used when communicating with AD and accessing network resources

Answer 217

A

Assigned to processes or services that need network access

Answer 218

A

Enumerate the privileges coming with you.

Answer 219

A

Not just a member of an admin group, but the additional privileges assignment (as part of event id 4672) that indicates that after the logon, special creds were assigned that COULD BE IMPERSONATED IN TOKEN ATTACKS

Answer 220

A

4672, where things like SeTakeOwnership, SeDebug, and SeImpersonate are admin-equivalent.

Answer 221

A

they indicate account creation happened, which can be an easy true positive.

Answer 222

A

In auxiliary logs Remote Desktop-Services-RDPCoreTSZ and TerminalServices-RdpClint

Answer 223

A

The RDP client/server connection will document the source IP, so if you don’t want it to show your actual IP, you have to chain RDP; jump from host to host.

Answer 224

A

Windows-TerminalServices-RDPClient\Operational

one of the only places that you get discrete source logging (where did the RDP session connect to)

Answer 225

A

When a user is logged on locally, NTLM style, ro a workstation or group

Answer 226

A

The third party authorization of creds provided during that logon session. (Authentication vs logon)

Checks for user credential against the DC would be an account logon type.

Answer 227

A

4776: Root account authenticated from workstation (account logon)
4624 Successful account logon
In that logon, the type of logon is network

Answer 228

A

4788/4799, groups were enumerated

Answer 229

A

Look for the enumeration of group membership (not turned on by default)

Answer 230

A

Tolerant of log corruption
filtering
free

Answer 231

A

Network share event logs

5140/5145. Have to be turned on!

Answer 232

A

they are often recorded on the originating system, versus the target system. (A logon attempt was made using explicit creds….or, RunAs)

Occasionally recorded on both, such as when RDP connections use different crds..

Answer 233

A

Task Scheduler, Security, and Tasks folder (Windows\System32\Tasks
Locally, remotely and in the “tasks” folder, where the registration/creation of tasks is put.

Answer 234

A

sc.exe /remote system name, etc

service control

Answer 235

A

new service installed (4697) goes in the security log

Answer 236

A

Mimikatz and Dandersprintz, post eternalblue

Answer 237

A

Event log forwarding
Logging “heartbeats”
log gap analysis

Answer 238

A

They still exist in memory
Gaps in the records
You need admin rights

Answer 239

A

Map network share (net use)

RDP

Answer 240

A

Jumplists (AppData\Roaming\MSFT\Windows\Recent\Automatic\Destinations) –> mstc-appid shows all the Remote Desktop times/destinations

Prefetch files (on disk, not memory)

Bitmap cache (RDP puzzles!) cache##.bmc, cache###.bin in user directory, terminal server client/cache

Answer 241

A

Event logs, Registry, and file system

Looking for mstc.exe (MSFT terminal server client) execution

Answer 242

A

Default.rdp

Answer 243

A

Regripper “rdphint”

RDP key found in
NTUSER\Software\MSFT\Terminal Server Client\Servers

Answer 244

A

4624, Logon Type 10

Will also produce a 4778/4779 event, with the ip source, system name, logon user name

Answer 245

A

rdpclip. exe

tstheme. exe

Answer 246

A

any interactive login is conducted

Answer 247

A

net. exe
net1. exe

Can be found in
event logs (Security, smbclient)
registry (mount points, shell bags, shimcche, bam/dam, amcache)
FileSystem (prefetch, user profile artifacts)

Answer 248

A

NTuser\Software\MSFT\Windows\CurrentVersion\Explorer\

MountPoints2

Answer 249

A

Because you need the privilege to be able to connect to an admin share, thus, 4672, privileged user breakdown

Answer 250

A

PsExec
Windows Remote management tools
PowerShell/WMIC
Exploiting a vuln
Application deployment software

Answer 251

A

Windows admin shares

Answer 252

A

The Sysinternals\PsExec\EulaAccepted key (NTUser.dat)

Answer 253

A

Any increase in the amount of Eula’s accepted, which should always remain relatively static. (Same amount of users)

Answer 254

A

Being on the receiving end (destination) of a psexec connection.

Answer 255

A

wmiprvse.exe

scrcons. exe
mofcomp. exe

Answer 256

A

System32\wbem\repository

Answer 257

A

wsmprovhost.exe

Answer 258

A

PS 5 and beyond

Answer 259

A

GPO, SCCM, Cloud control panels.

Answer 260

A

A running diatribe of processes that were executed, and who the parent process was - includes full command line processes (both cmd and Powershell.exe)

Answer 261

A

HUGE amount of data, same as what’s in prefetch

Answer 262

A

Windows event logs: adds process information section

Answer 263

A

turn on process tracking, with CLI auditing. Will include the full script that was executed

Answer 264

A

Have the malicious script call script blocks, and have the necessary evil in a file in temp or wherever

Answer 265

A

Powershell script block logging, Powershell remoting logging

Answer 266

A

downgrade Powershell to pre-PS5, where it was introduced. Downgrade attacks are very popular!

Answer 267

A

WinRM connections, which is the primary protocol for Powershell Remoting

Answer 268

A

the transcript log. Records to the users documents folder by default. Only records input/output to the PS terminal

Answer 269

A

Invoke-Obfuscation tool and Revoke-Obfuscation tool

Answer 270

A

PS saves it’s history in PSReadline ConsoleHost_history.txt

Stored at
%AppData%\Roaming\MSFT\Windows\PowerShell\PSReadline

Records last 4096 commands typed in PS console

Answer 271

A

Set it to disabled in PS, or just remove the PsReadline Module

Do it by Set-PSReadlineOption -HistorySaveStyleSavenothing

Remove-Module-Name PsReadine

Answer 272

A

WMI-Activity log; look for EID 5861, new permanent customers.

You must be able to “whitelist” typical WMI activity in the environment

Answer 273

A

It doesn’t track processes or command lines, without that being turned on, and then it is tracked in security logs

Answer 274

A

Anti-Malware Scanning Engine; something that antivirus vendors can hook into for visibility. Windows 10+

Answer 275

A

Zimmerman’s event log extraction tool
evt log explorer (command line version)
evtwalk/evtxtract carving tool

with Powershell, grab it remotely or locally: Get-WinEvent

Answer 276

A

Sysmon! Easy configuration, filtering

requires a LOT of tuning.

Answer 277

A

Can be used to create a WMI event for persistence (Creates WMI filters)

Answer 278

A

Ultimate Windows Security

EventID a good second option.

Answer 279

A

Invoke-Obfuscation and Revoke-Obfuscation

Answer 280

A

The “magic” option, which will try to do a first few passes on scripts to see what they’re supposed to be used for/attempting to accomplish.

Answer 281

A

The transcript logs are trivial to manipulate on a box (unencrypted in the users documents folder)

Powershell remoting limits the sharing of the logs over the network due to problems w/network authentication “double hopping”

Best to have it set as an automated forwarding (UF, filebeat, etc)

Answer 282

A

PSReadline Console Host history. Stored in each user’s profile

No process tracking or script output

Answer 283

A

Look for New WMI Event Consumer Creation

Answer 284

A

Look for evil DLL extending WMI capabilities

Look for uncommon words, software terms (Eval, activexobject, .vbs or .ps1 scripts, etc)

Answer 285

A

Exporting tools will often partially corrupt log files

stored in binary form, so they need to be converted

Answer 286

A

Creates a new log output dir, Windows-Sysmon/Operational

Answer 287

A

F-Response

Answer 288

A

Triage program: Collects files, and processes the files across its program set. Fasty, flexible, collects locked system files/shadow copies.

Answer 289

A

the list of files for it to collect

Answer 290

A

CLI artifacts
Network Activity
Process tracking/tracing
DLL injection
Rootkit insertion

Answer 291

A

Because much of the modern attack ecology is memory resident

Answer 292

A

You can hide executables on disk, obfuscated, but you can’t hide them from the processor. They have to be uncloaked to

Answer 293

A

Dump all the executables, drivers, dll’s from memory analysis, and run antivirus/clamav at it.

Cant hide the raw in memory!

Answer 294

A

Memory samples; stuff injected into processes, or obfuscated, will be easier to find in memory. (Harder on live host)

Answer 295

A

It’s tied to specific profiles and variations of operating systems.

Answer 296

A

F-response (and SIFT)
Winpmem (Velociraptor)
Dumpit (CLI from USB)
Belkasoft 
Magnetforensics

Answer 297

A

Hibernate file (hiberfi.sys)
Swapfile.sys
Pagefile.sys
Windows Memory Dump (%WINDIR%\Memory.dmp)

Answer 298

A

On VMWare, you can just grab the .vmem file
On Hyper-V, you have to attach a process (like Winpmem or F-response) and pull memory like you would any other running system

Answer 299

A

A fully compressed copy of memory (RAM) at the moment of hibernation.

Some tools can uncompress it. (Volatility) Some can just process it natively.

Answer 300

A

Hibernating isn’t a normal thing:

only occurs from loss of power/power about to drain out of device
or for shutdown/fastboot.
When installing new files/programs (recovery functions)

Answer 301

A

Every new major update changes it’s memory profile, for tools, making them less effective.

Things like artifact formats (prefetch, shim cache) change!

Also, hibernation file formats and use changes. (It’s not used as frequently any more)

Answer 302

A

Windows 10 feature. It protects the kernel and user mode components, which often block the insertion of the driver necessary to do the memory acquisition

Answer 303

A

Data is zeroed after return from hibernation

Hibernate files only keep smaller (and less interesting) files for Hibernate, HybridSleep. (40% of total memory space) BUT they’re kept more often! Stored in case of power loss.

Fast Startup mode only holds for reboots, about 20% of memory.

Answer 304

A

Trick question! Nowhere. It’s not backed up in VSS.

Answer 305

A

Kernel Processor Control Region (KPCR)
Kernel Debugger Data Block (KDBG)
Directory Table Base (DTB)

Answer 306

A

Things like image location, with a file path, or a specific O/S profile (Win10, update 6, etc)

Answer 307

A

Volatility plugin -imageinfo

Answer 308

A

telling it what O/S and build number/service pack the memory sample is from

Answer 309

A

kdbgscan plugin

Answer 310

A

Pslists, pecan, filescan, and hiveliest don’t return sane results or gibberish

Answer 311

A

imagecopy plugin

Answer 312

A

EPROCESS blocks, which show the file links (forward and backward) to parent and child processes

Answer 313

A

Name - Spelled correctly, legit process
Path - Running from correct dir
Parent process - what you’d expect
command line - arguments and switches make sense
Start time: was it started at boot, near attack?
SID - do the SIDs make sense? Are system/user account SIDs launching correct processes?

Answer 314

A

malprocfind - automatically identify suspicious system processes

processbl - compare processes and loaded DLLs with a baseline (a known good image for comparison)

Answer 315

A

processbl ; run against a baseline image

Answer 316

A

Use the psscan plugin

Rootkit detection
may have crashed or not cleanly exited

Answer 317

A

Use PStree: see commands being sent by the parent web process.

Answer 318

A

It only looks at common system processes: items like cars, wnnlogon, services, lass, etc.

Answer 319

A

processbl
servicebl
driverbl

Can be run to tell you what the “diff” between the image is, or, what matches. (The latter can be useful for showing the same driver, but with different paths, etc)

Answer 320

A

Windows Process Objects

Answer 321

A

Pointers to a resource
Directories and Registry keys access by a process
Mutex/Semaphores (access to objects)
Events

Answer 322

A

memory sections of a process object (volatility)

Answer 323

A

handles (Prints the list of open handles)

Answer 324

A

in volatility, use dullest to display the loaded dlls and command lines

Answer 325

A

use dlllist to identify a specific DLL (and its base offset) and then use dlldump to extract it.

Answer 326

A

Give us the running user of the process, and the relative authority given to the overall process.

use getsids plugin to see token info, which shows you the account Sid AND the group info

Answer 327

A

S-1-5-32-544

Answer 328

A

S-1-5-32-545

Guests:
S-1-5-32-546

Answer 329

A

Nouns.

Files, Objects, Keys, etc.

Answer 330

A

there’s hundreds or thousands per process

-t (gripping the file) can limit it to File or Registry Keys for quick wins

Answer 331

A

Type of process structure: it’s a governor.

Processes will use it often as a flag so that if you run a second copy of the process, it won’t launch. (Wont need to instantiate another version of it) Malware uses it to prevent multiple infections/dos’ing yourself.

Make great IoC!

Answer 332

A

use a mutex flag

Carbon Black and Falcon, etc will look for these. When intel produces it as an IoC for malware, can load it as a yara signature

Answer 333

A

Make a yara signature and sweep for that flag, as it’s usually a solid IoC that the malware was installed on the host

Answer 334

A

Scan for service records, with associated info on processes and drivers.

Can look for windows services that are used as a persistence mechanism: Auto starts, etc. Can also find services that malware stopped. (Like antivirus services being stopped)

the verbose option will identify the DLLs used by services.

Answer 335

A

Things that aren’t web browsers that are connecting on 80,443,8080

Eliminate product updates.

Focus especially on anything RDP or DNS to unusual names

Answer 336

A

Using network sockets for a process that are opened. use iexplore/edge opening sockets to a weird port

Answer 337

A

Look for 4444 or 5555, or straights (4567) because those tend to mean something/suspicious

Answer 338

A

workstations don’t fully establish RPC connections to communicate natively in AD environments!

Answer 339

A

Evidence of port redirection. (Netcat shoveling, etc)

Answer 340

A

both active and terminated connections - pay attention to the process.

Answer 341

A

Something, on the system, that is causing the code injection. (Aircraft carrier during pearl harbor analogy; for planes to get there, they had to have been carried somewhere. Must be an aircraft carrier somewhere)

spearfish code; initial access.

Answer 342

A

Camoflagues code
Access memory/permissions of target system
Process migration
Evade A/V and Allowlisting
Facilitates complex attacks (Rootkit)

Answer 343

A

Simple code injection: easy for A/V, EDR; hard for manual

Complex code injection: harder for A/V/EDR find, much easier to find manually

Answer 344

A

Simple code injection: Writing into existing DLLs or code

Reflective DLL injection: Loading code independent of host processes. (For example, meterpreter uses it’s own loader) Powershell can do this, too.

Process hollowing: starts a suspended service, carves out a section for new code, and then starts service. Much of the code (like DLLs, handles, etc are from original process, making it harder to see)

Answer 345

A

Process Hollowing

Answer 346

A

Simple Code injection (DLL injection)

They create space in the DLL, on disk, and write in new code.

Answer 347

A

When it gets loaded from the volume it lives on into memory, and is checked.

Answer 348

A

Its easy to see DLLs that aren’t loaded from file, or loaded from a standard location. DLLs loaded in unusually way are glaring beacons of weirdness.

For example, DLLs loaded down from memory dont have a source file on disk!

Answer 349

A

ldrmodules

Malfind

Answer 350

A

Detect unlinked DLLs and non-memory mapped files

Checks the “DLL manifest” of the PEB (Process Execution Block) and finds DLLs that were removed from the manifest, or unlinked.

Look for DLLs with no “MappedPath” info

Answer 351

A

Finds hidden and injected code, and will dump affected memory sections

Answer 352

A

That it was not loaded using the Windows API, or loaded in some unusual way. (Often indicative of a DLL injection attack)

Answer 353

A

They will flag as “false” for InInit, because they’re executable.

Answer 354

A

Process injection

Can find duplicate examples of dlls that should only have 1 version of it, which is glaring

In memory, the lack of a mapped path from where the DLL was loaded combined with it not being on the PEB (manifest) is a red alarm light

Answer 355

A

the memory section it’s present in. (Will be mapped to the Process Execution Block, PEB, for legit DLLs)

Answer 356

A

When you can get arbitrary code execution (injection into a process) without using the Windows LoadLibrary code.

Manage to get code into a process/DLL w/out using Windows process.

Metasploit, Cobalt Strike, Pulsar, etc

Answer 357

A

Manual memory analysis! Because most security tools are looking at manipulation of the Windows loader API, these techniques when successful are harder to see, but glaring in manual memory review. (malfind)

Answer 358

A

Memory, every process, and looking in “mapped Path, page execution read/write” which is a section that and looks for anything that’s marked as being executable

Then, looks for a section on disk mapped to that executable.

Answer 359

A

reflective types of code injection techniques

Answer 360

A

The VAD tree MappedPath section that Malfind looks at

Answer 361

A

Malfind: –dump-dir=

Answer 362

A

the “MZ” Header is usually indicative of code.

MZ is indeed the characteristic signature of a .exe file:

The DOS MZ executable format is the executable file format used for .EXE files in DOS.

The file can be identified by the ASCII string “MZ” (hexadecimal: 4D 5A) at the beginning of the file (the “magic number”). “MZ” are the initials of Mark Zbikowski, one of leading developers of MS-DOS.

Answer 363

A

Malfind only shows a preview of the first 64 bytes; can start with nonsense, then have a jump/redirect later to the code.

By manipulating the file with memory reads, so that the first two bits aren’t the standard MZ header, but that it jumps to it under conditions. Advanced stuff.

Answer 364

A

Take a piece of bread
PB on bread
Jelly on PB
Take a piece of bread and put it on the jelly

Code in assembly often has the same instruction as the one below, can see a discernible sequence.

Answer 365

A

USe –dump-dir options that outputs the entire contents, vs. just the 64 byte header.

Can also just scan the files, or set up yara scans.

Answer 366

A

Hollowfind and threadmap

Answer 367

A

modscan: finds modules via pool tag scanning
apihooks: Finds DLL function hooks
psxview: finds hidden processes via cross-view tech
ssd: displays system service descriptor table entries

Answer 368

A

Has to be signed code, so it can get into ring 0 process

Answer 369

A

ssdt module of volatility

Answer 370

A

grep out entries with ntoskrnl and wn32k, which are normal mods.

Answer 371

A

Hide Rootkits by removing them from the EPROCESS double linked list. (Forward link, backward link)

Answer 372

A

psxview; checks the splits and psscan output against what’s running a thread.

Answer 373

A

modscan/modules plugin of volatility

Answer 374

A

driverbl plugin to volatility; like servicbl, lets you compare it against a known good baseline image

Answer 375

A

the Windows API, which can be “hooked”

Find these hooks with the apihooks module of volatility

Answer 376

A

unlinking and identifying api hooking

Answer 377

A

dlldump
moddump
procdump
memdump
cmdscan
dumpfiles
filescan

Answer 378

A

dumpfiles

Answer 379

A

memdump, or vaddump. (Will dump memory sections owned by a process to a file or group of files)

Answer 380

A

can do strings/unicode extraction; can pull useful commands out of the sample (using grep on the extracted filename)

Answer 381

A

Use cmdscan and consoles plugins, and run strings/greps against that output. (Better resideue of command_history and console_information)

Answer 382

A

Recall and GRR/Velociraptor (Free EDR tools)

Answer 383

A

bstrings - handles regex, too

Answer 384

A

FileSystem data
Windows Artifact Data
Registry keys

Answer 385

A

An event, malicious or otherwise, in which you can see a group of threat actor activity just by “temporal” analysis

Answer 386

A

Fls or MFTEcmd

Answer 387

A

Plaso (log2timeline)

Contains filesystem artifacts, artifact timestamps, registry timestamps, and works on all O/S variants

Answer 388

A

m - Data content change time (modified)
a - Data last access time (accessed)
c - metadata change time (MFT changed)
b - metadata creation time (Created)

Answer 389

A

The specific timestamp that was modified:

Modified
Accessed
Changed
Birthed (created)

Answer 390

A

a master timeline with relevant data from all the individual images

Answer 391

A

Allocated files (Normal files)
Deleted files (Files deleted normally, but still have structures; file path name, permissions, timestamps)
Unallocated inodes (Orphan files, with no structure.

Answer 392

A

Mactime tool (perl script)

Answer 393

A

Manually set the Standard Information attributes
Copy the file to another folder
Manually set the Standard Information attributes (some will change during the move)

Answer 394

A

Manually setting timestamps (using file copy operations) to change the times, cover up when it was actually done

Answer 395

A

The log2timeline binary, which extracts timelines
pinfolds: displays storage metadata
sort - sorts and processes output

Answer 396

A

Uses Log2Timeline, but pulls relevant forensic data from ALL the places

LNK
Jumplists
All Browsers webhistory
Registry )shellbags, mountpoints. services, autoruns; terminal server. task scheduler, etc etc)
Prefetch
Shimcache
Winfirewall
and many more

Answer 397

A

everything. Cache, cookies, history, etc, from all browsers

Answer 398

A

mactime parser

Answer 399

A

Mount point
Image
Kape output directory
partition
etc

Answer 400

A

When it detects, it will ask if it wants to extract them in the timeline.

Have to be careful, it slows down analysis a lot.

Answer 401

A

Can use a filter file, or just use specific parsers (just MFT, or just specific registry key, or trigger if it finds certain things)

Answer 402

A

Use pipe for OR, also the .+ will recurse something in the directory. Lets you set wildcards and conditions for directories.

EX: /(Users|Docs and Settings)/.+/NTUSER{.}.DAT

Answer 403

A

Uses 99% of the standard use cases for extractions. Conditions found in cape. Looks for see idic things in memory, registry, LNK, Jump lists, prefetch, specific Event Logs, MFT entries, ec.

Answer 404

A

in the –parsers command line switch, do a -

log timeline.py –parsers parsers “win7, -winevt”

Answer 405

A

pinfo.py and psort.py

Answer 406

A

Takes a plaso dump and tells you what’s in it, and how big it is.

Shows you what parsers have been run and what’s inside each file, how many events

Answer 407

A

Shortcut files.

Answer 408

A

Sorted the data output from Plaso. Can use it to “date bound” the results. Can also change the output type. (CSV vs. xlsx.

Can also sort it into a specific timezone, ie EST/PST

Answer 409

A

Mount the remote system drive
Extract with log2timeline.py (with parsers we care about)
Filter the timeline w/psort to the range of time you’re interested in.

Answer 410

A

Mount the remote disk w/f-response
create timeline w/ standard windows filters, with log2timeline
gather the filesystem data, with MFTECmd.exe and create a body file
parse the body file with the maytime parsers (log2timeline)
sort the data for the date range you’re interested in

Answer 411

A

Red for evidence of execution
Gray for event logs of interest
Yellow: web history
Blue: USB usage
Black for deleted items
Light green: file opening
dark green: folder opening

Answer 412

A

Modified, accessed, (MFT record) changed, birthed.

Answer 413

A

Timestomping
File Deletion (Delete)
FreeSpace Wiping
Data Encryption (.rar)
Fileless malware

Answer 414

A

Registry anti-forensics techniques

Answer 415

A

SSDs and Disks will cleanup via optimization or drive “trimming” which wipes out unallocated storage areas, which zeroize deleted files. Around weekly, or less depending on how long it’s been.

Expect 72 hrs.

Answer 416

A

outside of 72 hrs, residue will likely exist in the volume shadow if at all

Answer 417

A

Registry key, as a download cradle type abbreviated script

Answer 418

A

It’s a database. It acts like a mini-file system; when the key is deleted, it will exist as unallocated space forever. It leaves permanent forensic residue, indefinitely.

Anything that is a filesystem works this way, without defragging/disk cleanup.

Answer 419

A

When it’s COMPACTED. Compaction removes deleted files, which would cover forensic residue, but create it’s own record of being compacted.

Answer 420

A

Ineffectual. They will clean out your files, but not delete them forensically; in fact they point out specifically what was deleted

Answer 421

A

Use registry explorer (or regcmd, the Zimmerman tool) and search for anything that has Base64 in values above a specific length, like 400 characters; scripts are unusually large for a key.

Answer 422

A

Use the –vss option; looks at all 3 versions, dedups, and catalogs them.

Answer 423

A

the Volume Shadow copies. Usually have overlap with each other.

Answer 424

A

about 3-5% of the hard drive.

Answer 425

A

For servers, daily

For workstations, 3-6 that cover about a week; triggered on installation of software, reboots, events

Answer 426

A

Convert to VHD for analysis
use iSCSI and mount it to SIFT
vshadowinfo, vshadowmount

Answer 427

A

SIFT; it does a better job of ignoring permissions, seeing everything. (Windows APIs respect windows permissions)

Answer 428

A

ewfmount to see the mount points/ vshadowmount to mount them

Answer 429

A

Attach the remote system drie
vshadowmount /dev/sdc2 /mnt/vss
Make a for loop, mount every individual VSS “drive” to a Linux file point

Answer 430

A

The O/S hides them. (Truly hidden) if you mount a disk imagine on Linux, it will ignore those MSFT rules and expose them.

Answer 431

A

You have to look at it on a non-windows (Linux) machine, mount the drive for analysis, and it’s there, BUT NOT EXPOSED BY LS command?!

Answer 432

A

A backup copy of the MFT. Only contains the first 4 records.

Answer 433

A

Transactional logging file

Answer 434

A

Contains the volume name, NTFS version number, and a “dirty flag”

Answer 435

A

Contains the attribute definitons

Answer 436

A

Tracks allocations (in-use versus free) of each cluster in the volume

Answer 437

A

Something that tracks bad/defective clusters so NTFS won’t use them

Answer 438

A

Tracks all the security information for files on the volume (Security manifest)

Answer 439

A

A directory containing $UsnJrnl, ObjId, $Quota, $Reparse

Answer 440

A

Metadata catalog; think of it as a Dewey Decimal Card Catalog. (where is book stored, when was it last checked out, etc)

contains data that describes files. Pointers to data layer for files, MACB times, permissions. Everything has a numeric address.

Answer 441

A

Shows where stuff lives on the disk; what cluster. It’s an index number. If the drive is fragmented, what fragment does the data/file live on. What’s the starting number for the volume, what’s the end number.

Answer 442

A

1024 bytes. Databases.

Answer 443

A

For NTFS volumes, those records get a bit flipped that it’s “allocated space” and now is “unallocated space”

Those entries remain until they’re overwritten by new entries.

Answer 444

A

Files are recorded in the MFT by inode in alphabetical order, typically. Items that were added to directories like System32 (core Windows files) will show up as far outliers. (Or be grouped with the non-native programs)

Answer 445

A

Sequentially. Since the MFT records them contiguously into the catalog, it can be used to find values that are close to each other, representing related files or malware in two separate places.

Answer 446

A

creates a hash dump of a files contents, so you can view magic numbers and such

“When you’re trying to make sense of a binary file format, a good hex viewer or hex editor is an invaluable tool. As shown in “Ultima 1 Reverse Engineering: Decoding Savegame Files“, a typical workflow involves viewing a hex dump of the binary data, making some small change, taking a second hex dump, and comparing the differences. If you’re lucky, you might even be able to observe patterns in the data directly.”

Answer 447

A

the “FILE” signature: 46 49 4c 45, where the entry starts. (can see FILE0 in the readout)

Can see the sequence number, node entry number.

Answer 448

A

$STANDARD_INFORMATION
$FILE_NAME (long and/or short)
$DATA

Answer 449

A

What type of file it is
MACB times

ARCANE RULES OF NTFS timestamps

Answer 450

A

Unicode name of the file, what folder is it found in.

Answer 451

A

Using MFTcmd and running the timestamp anomaly engine. Will find lack of sub second precision, differences in timestamps.
Can run a scatterplot of times things were created, inode creation time.

Answer 452

A

It should show you a sequence of all the binaries/dll installed at the same time (install!) and then the outliers.

Answer 453

A

the Data run: starting location, and length, of a data section on a cluster.

Is Resident will tell you whether the data lives in a space on cluster, or (isResident) is stored on the MFT itself.

Answer 454

A

It’s a flag marked in the MT, in the MFT, as an evidence of download. It’s marked as data that was downloaded from the internet.

Answer 455

A

itstat

Shows the SID of the file, nanosecond-accuracy MACB metadata inode number, etc.

Answer 456

A

Does wipe as much as you think: it overwrites the content of the file, and scramble the MFT entry. It does NOT, however, get the second language of the MFT info, which is the directory. (just the file, which shows as zzzzzzzz in the metadata, but the directory folder has the file name/MACB timestamp)

Answer 457

A

i30

Directory folder; shows the file data and the deleted file information. FTK imager shows this! The slack space of a directory file will contain the file name and file metadata.

File system metadata is another place to look.

Answer 458

A

….the file name and file metadata for files in it.

Answer 459

A

Stored in an index called $I30

Answer 460

A

$I30
INDEX_ROOT: directly in the MFT
INDEX_ALLOCATION: Stored as separate index chunks for large directory listings, like System32

Answer 461

A

It’s all stored as per-record list of files, with the MACB time stamp.

Answer 462

A

WISP windows Slack Parser

Directory file extraction timeline, with MACB values of the files.

Answer 463

A

the Journal; can be used to identify the prior state of files. Like VSS, it’s a time machine.

Answer 464

A

USN System journal; can be combined with the MFT and $Logfile transactions to find files and what happened when

Answer 465

A

changes to the volume.
$Max - pointers that tell the system where to start reading the disk
$J - enteries for each file that has changed since log was started

Answer 466

A

MFTECmd (Zimemrman tool)
ANJP (Advanced NTFS Journal Parser)
jp (Journal parser)

Answer 467

A

ANJP (Advanced NTFS Journal Parser)

Answer 468

A

It automatically flags things like open outlook attachments, Skype downloads, disk wiper artifacts, etc. (The email attachment is hard to see anywhere else)

Answer 469

A

Volume Shadow or disk, MFTs, using ANJP to see the access to the file/action.

Answer 470

A

$Bitmap is scanned for a cluster to write to
$MFT record created
$Bitmap updated to show where clusters are allocated.
$I30 of parent directory is updated.
$USNJrnl updated
$logfile updated with this transaction.

Answer 471

A

Data clusters marked as unallocated in $Bitmap, but data is intact until the cluster is reused

Slack space
MFT record flags, $LogFile/UsnJrnl still have a record
$FILE_NAME attribute is preserved until overwritten
$I30 index entry

Brainscape's Knowledge GenomeTM

Disk Flashcards

Brainscape's Knowledge Genome^TM