SANS 508
analyzeMFT.py
- Compares $file_Name to $standard_Information times on NTFS.
WISP
- INDX parser for NTFS against index attributes.
$EXTEND\$OBJID
- Index of all object IDs in use. Allows a file to be tracked even if it is moved, renamed, or deleted.
$SECURE
- index used to track security information for the files on the system. Who owns the file and can open it.
Threadmap
- Reviews threads to identify process hollowing and the counter-measures used to hide it.
NTDS.DIT
AD database with all user and computer hashes (LM/NT). Located in \windows\ntds on domain controllers. Often accessed via volume shadow copy. Extracted with NTDSXtract.
4720
Account created
4722
Account enabled
Silver Ticket
All-access pass for a single service or computer account. Forged using a dumped computer account hash and can impersonate any user for that system.
ShimCache
App compat tool. Tracks last modified date, file path, and whether executed. XP shows last execution time; Server shows an executed flag. Located in the registry: XP = CCS\Control\Session Manager\AppCompatibility\AppCompatCache (96 entries), Server = CCS\Control\Session Manager\AppCompatCache\AppCompatCache (1024 entries). From Vista on, presence in the AppCompatCache reg key doesn't prove execution, but it is likely.
1102
Audit log cleared - Security log
Timestomping
Backdates a file to a date and time chosen by the attacker. Detected by comparing $STDINFO and $FILENAME timestamps. Might also be detected via the nanoseconds field being .000.
Logon Type 4
Batch
Logon Type 12
Cached Remote interactive, similar to 10
Logon Type 11
Cached creds, offline from DC
Logon Type 13
Cached unlock - similar to 7
Plaso Windows Parsers
Chrome, IE, McAfee logs, Registry, EVT, IIS, Job files, Prefetch, JumpLists, LNK, etc.
Event Log Deleting & Tampering
Clearing logs; detection relies on missing event log data or gaps in the record.
PF
Command line tool that parses .PF files. Outputs app name and path, times executed, last run, prefetch MAC timestamps in CSV.
Defending Credentials (Kerb Tickets)
Credential Guard, Domain Protected Users group, Remote Credential Guard, Restricted Admin, long and complex passwords on service accounts (Kerberoasting), Group Managed Service Accounts, change the krbtgt password yearly.
Unallocated Cluster
Data cluster not currently used by a file. Data may or may not exist in the cluster; it may contain deleted or unused data. TOOLS: Scalpel, Foremost and bulk_extractor can carve unallocated space.
$MFT Details
Database-like, 1024-byte records. Every object gets an entry, saved in the MFT zone (first 12.5% of the drive is reserved for the MFT). If a file is small enough to fit, it will reside in the MFT (resident data). Signature for an MFT record = 0x46 0x49 0x4c 0x45 (FILE); error signature = BAAD. Sequence number at offset 0x10 is a counter tracking the number of times an MFT record has been reused. Flags at offset 0x16 show file and directory status: not in use, file in use, directory in use, etc.
DTB
Directory Table Base
GetSids
Display SIDs for each process. Identifying a process under a user SID is a clue.
DllList
Display loaded DLLs and command line. Specific info on a process with -p. Load time can be used to detect anomalies like DLL injection. File path is helpful.
Ldrmodules
DLLs are tracked in 3 linked lists in the PEB for each process. Malware can unlink loaded DLLs. Ldrmodules queries each list and displays the results for comparison.
FAT TimeStamps - Timestamps based on local device time
Does not have an accessed timestamp, only an accessed date.
Data Encryption
Attacker encrypts the files they are stealing. Volume shadow copies could be used for detection.
Admin Share Dest Artifacts
Event Logs (Security.evtx) - 4624 logon type 3 with source IP; 4672 logon of user with admin rights; 4776 NTLM auth for local account; 4768 TGT granted (on DC); 4769 service ticket granted if authenticating to DC; 5140 share access; 5145 audit of shared files. File System - malware/new files created on destination system.
Schedule remote tasks dest Artifacts
Event Logs - 4624 logon type 3, 4697 security service install (Security.evtx); 7034, 7035, 7036, 7040, 7045 service installed etc. (System.evtx). Registry - SYSTEM\CurrentControlSet\Services, ShimCache, Amcache.hve for evil.exe. File System - file creation, Prefetch of evil.exe.
Remote Services Destination Artifacts
Event Logs - 4624 logon type 3, 4697 (Security.evtx); 7034, 7035, 7036 (service started), 7040 (service start type), 7045 (service installed) (System.evtx). Registry - SYSTEM\CCS\Services new service created; ShimCache evil.exe; Amcache.hve evil.exe. File System - evil.exe in Prefetch.
Windows remote management tool - Sch Task Source
Event Logs - 4648 alternate creds (Security.evtx). Registry - ShimCache, Amcache.hve for at.exe, schtasks.exe. File System - Prefetch c:\windows\prefetch for at.exe and schtasks.exe.
PsExec Source Artifacts
Event Logs - 4648 logon with alternate creds (Security.evtx). Registry - NTUSER.DAT Sysinternals EULA accepted; psexec.exe in ShimCache and Amcache.hve with execute time. File System - Prefetch psexec.pf.
Admin Share Source Artifacts
Event Logs - 4648 logon with alternate creds (Security.evtx); 31001 failed logon to destination (SMB client Security.evtx). Registry - MountPoints2 at NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2; ShellBags (UsrClass.dat); ShimCache net.exe, net1.exe; Amcache.hve net.exe, net1.exe. File System - Prefetch net.exe, net1.exe.
Schedule remote tasks source Artifacts
Event Logs - 4648 logon with alternate creds (Security.evtx). Registry - ShimCache, Amcache.hve for at.exe, schtasks.exe. File System - c:\windows\prefetch for at.exe, schtasks.exe.
WMI - Destination System Artifacts
Event logs - 4624 logon type 3 with source IP; 4672 user with admin rights; 5857 wmiprvse time of install and info on malicious file; 5860, 5861 registration of event consumers (Windows-WMI-Activity-Operational). Registry - ShimCache (SYSTEM) wmiprvse, evil, mofcomp; Amcache.hve wmiprvse, evil, mofcomp. File System - file create evil.exe; Prefetch c:\windows\prefetch mofcomp, wmiprvse.
Windows remote management tool - Sch Task Destination
Event logs - 4624 logon type 3; 4672 user name with admin rights; 4698 scheduled task created; 4702 scheduled task updated; 4699 scheduled task deleted; 4700/4701 scheduled task edited (Security.evtx). 106, 140, 141, 200/201 scheduled task created, updated, deleted, task completed (Windows Task Scheduler Maintenance.evtx). Registry - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks, Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree; ShimCache evil.exe. File System - file create evil.exe; .job files in c:\windows\tasks; XML tasks in windows\system32\tasks; Prefetch evil.exe.
PowerShell remoting - Destination System Artifacts
Event logs - 4624 logon type 3 with source; 4672 logon user name with admin rights (Security.evtx). 4103, 4104 script block logging; 53504 auth records (Microsoft Windows PowerShell Operational). 400/403 ServerRemoteHost start/end of session; 800 partial script code (Windows PowerShell.evtx). 91, 168 session created, auth records (Windows-RM-Operational.evtx). Registry - ShimCache (SYSTEM) wsmprovhost.exe, evil.exe; SOFTWARE Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy; Amcache.hve wsmprovhost.exe, evil.exe. File System - Prefetch evil.exe, wsmprovhost.exe.
RDP Destination Artifacts
Event logs - 4624 type 10 logon; 4778/4779 IP of source system and logon user name (Security.evtx). 131 connection source IP and user; 98 successful connections (Remote Desktop Services RdpCore Operational). 1149 source IP/logon user (blank user = Sticky Keys) (TS Remote Connection Manager Operational). 21, 22, 25 source IP and user; 41 logon user (TS Local Session Manager Operational). Registry - ShimCache rdpclip.exe, tstheme.exe; Amcache.hve mstsc.exe, tstheme.exe. File System - Prefetch entries for rdpclip.exe and tstheme.exe in c:\windows\prefetch.
RDP Source Artifacts
Event logs - 4648 (Security.evtx); 1024 (destination host name), 1102 (destination IP address). Registry - mstsc.exe in Amcache.hve, ShimCache, UserAssist, RecentApps; NTUSER\Software\Microsoft\Terminal Server Client\Servers. File System - JumpLists, Prefetch, Bitmap Cache (bmc-tools.py).
PowerShell remoting - Source System Artifacts
Event logs - 4648 logon with alternate creds, destination host, process (Security.evtx). 6 WSMan session created; 8, 15, 16, 33 WSMan session deinitialization (WindowsRM-Operational.evtx). 5860, 5861 (Windows-PowerShell-Operational). 40691, 40692 local initiation of powershell.exe; 8193, 8194 session created; 8197 session closed. Registry - ShimCache (SYSTEM) powershell.exe; Amcache.hve powershell. File System - Prefetch; command history at c:\users\<username>\appdata\roaming\microsoft\windows\powershell\psreadline\consolehost_history.txt.
WMI - Source System Artifacts
Event logs - 4648 logon with alternate creds, destination host, process. Registry - ShimCache (SYSTEM) WMIC.EXE; Amcache.hve wmic.exe. File System - c:\windows\prefetch\wmic.pf. Example - wmic /node:DEST_PC /user: process call create
EPROCESS
Executive Process Blocks
Log2timeline
Extracts or collects events from a file, mount point, or image file and saves them in Plaso storage format. "Front end" to Plaso. log2timeline.py STORAGE_FILE SOURCE (STORAGE_FILE = Plaso output, SOURCE = source image); --partition (physical disk partition), -o (offset), -p (preprocessing), -z (timezone; only needed if parsing a specific artifact).
4625
Failed logon
FLS
File system metadata only; works on HFS, UFS, EXT, FAT/NTFS, CD-ROM. Interacts with forensic images for timelining.
$MFT
First record, number 0 describes the MFT. Provides info to find all other clusters. Volume Boot Record contains pointer to the cluster.
$VOLUME
Friendly name of the volume for display in My Computer; NTFS version and mount flags.
IRP
IO Request Packets
IAT
Import Address Table
Sequential MFT Entries
Inode and MFT entry address allocations generally are sequential in nature. As new files are created, the following inode or MFT entry is used if available. If you suspect deleted malware, check surrounding Inode and MFT entries.
Golden Ticket
Kerberos TGT for any account with no expiration; survives a full password reset. Requires domain admin on DCs or the NTDS.DIT. Ticket can be created offline.
KDBG
Kernel Debugger Data Block - key to tools understanding a memory image. Once found, leads to the EPROCESS blocks by identifying the PsActiveProcessHead pointer (currently running processes).
KPCR
Kernel Processor Control Region - has pointer to KDBG
Logon Type 2
Local logon
4672
Logon w/ admin rights
4648
Logon with explicit creds (RUNAS) - often on the originating system
Inode
MFT entry for NTFS; overall top container for the items beneath it. Like clusters, inodes can be allocated or unallocated. Allocated = file in use by the file system; points to a named structure detailing how to find the file. Unallocated = never written to, or might contain the inode data of a recently deleted file. When a file is deleted, its inode data is rarely wiped or overwritten.
Contiguous Space
Most file systems attempt to write data in contiguous clusters. Only when a file is too large will the file system fragment it. This is good: related files, such as attacker tools, will generally be close together.
Win Event log locations
NT, 2000, XP, 2003 Server - \windows\system32\config - SecEvent, AppEvent, SysEvent. Vista, Win7, Win8, 2008, 2012, Win10, 2016 - \windows\system32\winevt\logs - Security.evtx, Application.evtx, System.evtx
Logon Type 3
Network logon
5140
Network share accessed
4688
New process created/process exited
AmcacheParser
Parses out of Amcache.hve: SHA1, full path, MFT entry, file size, compile time.
Prefetchparser
Part of volatility framework. Will search memory for prefetch and parse. Good for finding PF data deleted or removed by attackers.
Skeleton Key
Patch LSASS on DC with Mimikatz or other to add a backdoor password that works for any domain account.
4771
Pre-Auth fail - Kerberos
PEB
Process Environment Blocks - each process has its own to host data structures for the process - points to VAD
Logon Type 10
RDP
Remote Services Source Artifacts
Registry - sc.exe in ShimCache, Amcache.hve. File System - sc.exe in prefetch
RecentFileCache.bcf
Related to App Compat Cache; contains references to programs recently copied or downloaded and executed. RecentFileCache is the short-term storage of recent file adds. c:\Windows\AppCompat\Programs\RecentFileCache.bcf. Small file managed by the ProgramDataUpdater task (12:30 AM nightly).
Kerberoasting
Requesting a service ticket for a high-privilege service account and cracking the NT hash. Cracked offline, so no failed logon attempts are generated.
NTFS
Robust file system, built-in security, 4KB clusters by default = less slack. Multiple versions - 1.0, 1.1, 1.2, 3.0, 3.1
4769
Service Ticket granted - (access to server resource) - Kerberos
4778
Session connected/reconnected
4779
Session disconnected
5145
Shared object accessed (file audit)
PREFETCH
Shows what ran, when it ran, and how many times. Used for performance increases. Win10 has compressed .PF files. Example: C:\Windows\Prefetch\7ZG.EXE-D9AA3A0B.pf; the hash is derived from the path of the EXE and its command line. 128 files on Win7; Win8+ can have 1024. Prefetch files can be carved from unallocated space using blkls and foremost. Prefetch can be disabled via the registry. Date created = first executed; date modified = last executed.
PECmd
Similar to PF - prefetch parser tool. Can do an entire directory with the -d option. Output in JSON, CSV, HTML.
Pass The Ticket
Steal a Kerberos ticket from memory and pass or import it on other systems. Requires admin permissions.
Metadata Layer
Structure information - Ext2/3/4, FAT, NTFS. Each entry is addressable and contains data that describes a file: MAC times, permissions, and pointers into the data layer for the file content. Each is given an address.
4635/4647
Successful logoff
4624
Successful logon
SSDT
System Service Descriptor Table
4768
TGT granted - success logon - Kerberos
IDT
Table of addresses to functions handling interrupts and exceptions
Tickets
Tickets issued to authenticated users that can be reused without additional authentication. Tickets are cached in memory, valid for 10 hours. TOOLS: Mimikatz, WCE, Kerberoast. ATTACKS: Pass the Ticket, Pass the Hash, Kerberoasting, Golden Ticket, Silver Ticket, Skeleton Key
$LOGFILE
Transactional logging to maintain integrity of File System. Journaling. At offset 0x8
Overpass the Hash
Use an NT hash to request a service ticket for the same account. Uses Kerberos for auth and is often used when NTLM hash mitigations are in place, such as limits on NTLM auth over the network.
Token Stealing
A user with the SeImpersonate privilege can extract tokens and reuse them. Heavily abused on RDP servers to elevate to Domain Admin. Incognito, Metasploit, PowerShell, mimikatz (token::elevate /domainadmin). Mitigate with the Domain Protected Users security group, which prevents delegated tokens; the "Account is sensitive and cannot be delegated" option in AD; Restricted Admin and other RDP controls.
VAD
Virtual Address Descriptor tree - tracks every memory section (memory pages) assigned to a process. Used to double-check and compare against what the lists say is present. Lists memory belonging to the process, including kernel modules/drivers.
ShimCachemem
Volatility plugin that extracts the AppCompatCache from memory images, even items not yet written to disk. vol.py -f memory.img shimcachemem | less
Volume Shadow Copies
Windows backup of the OS, or virtual snapshots: event logs, registry files, deleted files. Created at application install, unsigned driver install, system updates, System Restore, system boot (Win7, 8, 10). Stored in the System Volume Information folder.
4738
account was changed
4756
added to universal group
PSLIST
all running processes by following the EPROCESS linked list; cannot find processes unlinked by rootkits
$BOOT
allows the VBR to be accessed via normal IO operations
Data Layer - Clusters
are made up of 1 or more sectors. A cluster is the smallest usable data block in a partition.
Sectors
are the smallest addressable data block on a device. Typically 512 or 4096 bytes. Can be allocated or unallocated.
4724
attempt to reset an account's password
104
audit log cleared - System log
AUTORUNS
autostart extensibility points; maps persistence. -v show everything; -t TYPE of search = autorun, services, appinit, winlogon, tasks, activesetup
Kdbgscan
can identify build string from Win10 updates. Use if other plug-ins give garbage data
Cmdscan and consoles
carves out full command line histories and text output from memory. cmdscan - provides info from the command history buffer; consoles - prints commands (inputs) + screen buffer (outputs). Covers active and closed sessions!
$EXTEND\$USNJRNL
change journal; index listing all of the files that have changed on the system and why.
Detecting Anti-Forensic Time Stomping Anomalies
check to see if the $FILE_NAME time is after the $STANDARD_INFORMATION time, or if $STANDARD_INFORMATION lacks any sub-second precision, such as 18:29:52.00000 instead of 18:29:52.123464.
PeScan
command-line tool to scan PE files for info on how they are constructed: compile and MACB times, 32 vs 64 bit, X.509 cert, abnormality score (high score = bad), MD5, SHA1
Baseline
compare objects found in a suspect image to a known good image using processbl, servicebl, driverbl.
Credential Availability
console logon, RunAs, RDP, PsExec with alternate creds, remote scheduled task, Run As Service - these actions can leave credentials and password hashes exposed on the system
$index_root & $index_allocation
contains a structured index that lists the contents of the directory. Just like files, directories can be resident or non-resident. Named $I30; type 0x30.
Imagecopy
convert crash dumps and hibernation files to raw memory images. Uncompresses hiberfiles, converts crash dumps to raw; VMware and VirtualBox support. -O output
Mactime
converts standard "body" file output from mactime into Plaso format - log2timeline.py --parsers mactime plaso.dump timeliner.body
LSA Secrets
creds stored in the registry (SECURITY\Policy\Secrets) to allow services and tasks to run with user privileges: service accounts, VPN passwords, auto-logon creds. Stored in an encrypted reg key which admins can decrypt, yielding plaintext passwords. TOOLS - Cain, Metasploit, mimikatz, gsecdump, acehash, creddump, PowerShell. Mitigate with Group Managed Service Accounts; don't place DA services on low-trust systems.
PSXVIEW
cross-view analysis using 7 different process listing plugins to visually identify hidden processes. -R limits false positives with known-good rules. Example anomalies: SMSS and CSRSS run early in the boot process and will show in the CSRSS column; a terminated process may show only in the PSSCAN column; if False in the PSLIST column and not CSRSS, probably malware.
Dumpfiles
by default will attempt to extract ALL files currently mapped in memory. More effective than other methods. -D or --dump-dir option; -Q = use physical offset; -r = regular expression; -n = original file name. Complement to filescan - might be able to recover documents, logs, EXEs, etc.
$ATTRDEF
defines NTFS attributes for the version of NTFS used on the drive.
File Delete/Wiping
deleting and/or overwriting malware and other artifacts, usually by a third-party tool such as sdelete. What wipes the wiper?
Densityscout
detects obfuscation and run-time packing. Calculates the density (entropy) of each file. densityscout -s cpl,exe,dll,ocx,sys,scr -p 0.1 -o results.txt c:\windows\system32
Logon Type 9
different creds specified - runas
Istat
displays stats about a given file metadata structure: allocated data, local time zone, permissions, size, allocation status, all attributes for NTFS files. -z = specify timezone; -s = system time skew.
HASHDUMP
dump SAM db hashes for all users on the system. -y offset of SYSTEM reg hive; -s offset of SAM. Sister plugin LSADUMP extracts LSA secrets.
Memdump
dump data from every memory section owned by a process in a single file
Procdump
dumps a process to an EXE memory sample
Get-LsaSecrets.ps1(Nishang Powershell PenTest framework)
dumps and decrypts LSA secrets
Audit Logon Events
each instance of a user logging on to or off a computer. Tracks logon to a specific server.
Dlldump
extracts DLL files belonging to a specific process or group of processes
Filename Layer
filenames are stored in 2 places. File system metadata - MFT entry, FAT directory entry; UNIX does NOT store the filename in metadata. Directory file - contains the list of files in that directory. Filenames point to a metadata address.
REKALL
fork of the original Volatility code. Focus on speed and performance, auto detection of kernel, faster OS support. Live analysis capability with the --live option. rekall -f memory.img psscan. Linux and Mac support. Yarascan with a .yara file.
DeviceTree
gives a visual view about the chaining or layering of drivers
$EXTEND\$QUOTA
how much allocated space a user is allowed to use.
Hollowfind
identify evidence of known process hollowing techniques. Compares info in the PEB with the VAD, which should match.
$EXTEND\$REPARSE
index of all reparse points - items like symbolic links and mounts to other volumes.
Imageinfo
info about the captured memory image - when the image was captured; can take time; interrogates the KDBG. Gives you the profile to use on other Volatility searches (--profile) and the offset to the KDBG structure.
Pinfo
info about how and when the collection took place. Shows what is stored in the storage container. -v shows a dump of Windows services, info on metadata and parsers used. pinfo.py -v plaso.dump | less
Audit Account Logon Events
instance of a user logging on or off from another computer, where this computer is used to validate the account. Tracks which domain controller authenticated a domain logon.
Vshadowinfo
list all shadow snapshots in a disk image - similar to VSSADMIN list shadows. -o switch to point to the NTFS partition offset in the disk.
Sockets
list of active, available sockets[xp/2003]
Handles
list of handles opened by a process. -p PID; -s suppress unnamed; -t type (process, thread, directory, file, mutex (mutants), etc.). Page 80 for more info. Mutex used to catch CozyDuke.
Connections
lists active, open TCP connections[xp/2003]
4735
local group was changed
$BITMAP
long string of binary data with one bit for each cluster in the volume. The bit is set to 1 or 0 depending on whether the cluster is allocated to a file. Tracks which clusters are in use.
PSSCAN
looks at EPROCESS pool allocations. Scans all of memory for process blocks, not just items in the EPROCESS linked list. Can find hidden processes and potentially locate processes that are no longer running.
4728
member added to global group
4732
member added to local group
Logon Type 8
network with cleartext creds
Malfind
save extracted files with --dump-dir; -p for process, -o offset. Shows assembly code - makes it easy to find the MZ header (MZ = 4d 5a 90 00). Look for PAGE_EXECUTE_READWRITE. PUSH EBP; MOV EBP, ESP in the assembly denotes a working function. Garbage assembly could be a false positive - e.g. ADD [EAX], AL over and over.
VOLUTILITY
web GUI for Volatility; unified front end for plugins. Web and MongoDB. String and YARA tool.
SSDT Plugin
| egrep -v '(ntoskrnl\.exe | win32k\.sys)' - hooked entries will show as owned by a malware module, not Windows core modules. Typical hooked functions - NtEnumerateKey, NtEnumerateValueKey, NtQueryDirectoryFile. If found, next step is MODDUMP.
Fileless Malware
often PowerShell running from memory only.
RFC.PL
parses .BCF and outputs path and exe name.
ShimCacheParser.py
parses App Compat Shim cache.
Psort
post-processing to filter, sort, and process plaso storage file
Alternate Data Streams(ADS)
presence of a second $data attribute.
PSTREE
prints the process tree. Use the -v verbose switch to get image path and command line. Relies on the EPROCESS linked list, so may miss unlinked processes. Good for finding malware via an unusual parent process.
4689
process exited
Modules
provides the contents of the linked list identifying currently loaded drivers. Used in tools such as driverbl - the image baseline tool.
$EXTEND
record number 11 to hold the new system files.
File System Journal
records file system metadata changes; purpose is to return the file system to a working state if needed. Can be used to see the prior state of files, though info may be limited depending on system activity. NTFS, EXT3/4, HFS - recorded in $LOGFILE with a max size of 64 MB. GitHub tool LogFileParser.
Amcache.hve
replaces RecentFileCache.bcf in Win8/10. Program first run = last modification time of the key. Includes SHA1 and other program info like product name and description. C:\Windows\AppCompat\Programs\Amcache.hve. Registry path - Amcache.hve\Root\File\<Vol GUID>\##### where the key name is the MFT entry.
Connscan
scan for tcp connections, including closed or unlinked[xp/2003]
PSTOTAL
scan memory for EPROCESS pool allocations and produces a "Hidden" column to show processes found in psscan only. Quick compare of psscan & pslist. Can produce data graph .dot files.
SVCSCAN
scan the memory image for Windows service records - info on associated processes and drivers. -v shows service DLLs and image path. Don't forget servicebl helps find malicious services by baseline comparison.
Sockscan
scans for sockets open, closed, or unlinked [xp/2003]
Malprocfind
scans for system anomalies. Use -x to get exited processes. Only checks common system processes such as svchost, services, etc. Checks: process hollowing (phollow), strange path (spath), session 0 (session).
Printkey
search memory-mapped reg hives for the presence of a key and display all subkeys. -K key to print; -o search hive at offset. Stable or Volatile flags (volatile = only in memory).
Filescan
searches for the FILE_OBJECT signature in memory. Returns the physical offset where the FILE_OBJECT exists. Identifies files in memory even when there are no handles. Can get the MFT. Use -Q with dumpfiles to recover.
$MFTMIRROR
second record; contains a backup of the primary $MFT.
4799
security group local group membership enumerated
Plaso Windows Registry Parsers
ShellBags, AppCompatCache, MountPoints, Run, TypedURLs, UserAssist, Task Scheduler, etc.
$Data
signature 0x80 (128 in decimal). After the 24-byte header it will contain the file content, or the info needed to find the clusters containing the data. Data runs consist of a series of entries that show the starting point and length of each segment of the file.
Zone.Identifier ADS evidence
since XP SP2, files downloaded from the internet via a browser to NTFS contain an alternate data stream called Zone.Identifier. NoZone=-1, MyComputer=0, Intranet=1, Trusted=2, Internet=3, Untrusted=4.
Netscan
sockets, connections for vista and above OS
Cached Credentials
stored domain creds to allow logon without a DC; limit of 10 logon hashes by default. Must be cracked; they are salted and can't be used for PTH. Stored in the SECURITY\Cache reg key in mscash2 format. Crack with John the Ripper or hashcat. Domain Protected Users don't cache creds.
4776
success/fail NTLM account Auth
vshadowmount
tool to mount all VSS images in the SIFT workstation. ewfmount PathTo.E01 /mnt/ewf_mount/ -> vshadowmount /mnt/ewf_mount/ewf1 /mnt/vss/
Change Journal $USNJRNL -
tracks changes to the volume and the reason; two named $DATA attributes. $MAX - pointer to tell the system where $J is located; $J - entries for each file changed since the log was enabled. The USN is the offset into $J. Tool: Windows Journal Parser (JP).
Logon Type 7
unlocked screen
$UPCASE
upper/lowercase Unicode letters
Moddump
used to extract kernel drivers from memory
4798
users Local group membership enumerated
Timeliner
Volatility plugin to grab timeline info from memory - processes, threads, PE files, network sockets, registry, event logs. vol.py -f memory.img --profile=Win7SP1x86 timeliner
MODSCAN
walks the linked list to identify loaded kernel drivers; looks for loaded, unloaded, and unlinked kernel modules. Lists loaded drivers, size, and location. May need to combine info with hooks and baseline plugin data.
Logon Type 5
windows service logon
Network Config
wmic /node:10.1.1.1 nicconfig get
Remote process list
wmic /node:10.1.1.1 process get
Get auto-start processes
wmic /node:10.1.1.1 startup list full
Prebuilt WMIC scripts
wmic_lr_remote.cmd
NTFS TimeStamps - stored in UTC form in $filename attribute
• M - Data content change time • A - Data last access time • C - Metadata Change Time • B - Metadata Creation Time - Created in volume/directory B = Birth
Credential Theft Bullets
• Managed Service Accounts, introduced in 2008 R2, provide frequent password changes. The newer version is called Group Managed Service Accounts. • Win8 removed CredSSP, TsPkg and WDigest from memory by default, which stopped plaintext password recovery. • Win8 put local account restrictions in place for network and remote interactive logons. • Win8 introduced the protected LSASS process (off by default). • Win8 RDP /Restricted Admin. • Win10 Credential Guard isolates hashes and tickets, enforced by hardware. Remote Credential Guard is an updated Restricted Admin and protects any account during RDP. Device Guard is application whitelisting.