Section 1.5: Hunting Across the Enterprise Flashcards
Name the three types of scripting Incident Responders have used.
Batch scripting (not recommended), WMI, and PowerShell.
What is the name of the PowerShell project Incident Responders can benefit from, which runs a collection of WMI commands for Incident Response?
The PoSh-R2 project on GitHub.
What transfer protocol does PowerShell use when working remotely, and why is it effective?
PowerShell remoting uses the WS-Management (WSMAN) protocol, which carries SOAP/XML over HTTP listeners, so it passes through packet inspection devices. Even though it runs over HTTP, the transferred data is encrypted and credentials are authenticated via Kerberos.
Are credentials cached on the remote system when using the Enter-PSSession command?
No.
Name some security features PowerShell enables by default when remoting.
Tokens are non-delegated by default, and the session is non-interactive on the remote system, which means it does not cache credentials.
Name a method analysts should never use with PowerShell.
Dual-hop authentication (jumping from one remote system to another), as it can store credentials via CredSSP. Do not enable CredSSP in PowerShell.
What happens if I don’t supply a list of remote systems (targets) to Kansa?
It will query Domain Controllers and build the list automatically.
What is inside the Kansa modules.config file?
The configuration of which modules to run and in what order. Prioritize by order of volatility when deciding the sequence.
Kansa's analysis folder has scripts for conducting basic analysis and stacking of the collected data. What is needed for the scripts to function fully?
The logparser.exe binary is needed, so place it in this folder. Use -analysis when running Kansa to get analysis output.
What issue do rootkits cause when retrieving live response collections?
They can subvert the system's API functions to return incomplete data, and many live response tools depend on those API functions. To combat this, memory and disk forensics are necessary.
Where can I store third party tools inside Kansa?
Place them inside .\Modules\bin.
Use -pushbin to push them to targets and -rmbin to remove them. Make sure to add the special comment (#BINDEP) on the second line of the collector script.
Name the Kansa modules that depend on third party tools.
Autorunsc, CertStore, FlsBodyfile, Handle, ProcDump, and RekalPslist scripts.
What do the Kansa “Meta” scripts look for?
“Meta” searches for file size indicators or output size deviations.