SANS 508


analyzeMFT.py

- Compares $FILE_NAME to $STANDARD_INFORMATION times on NTFS.

WISP

- INDX parser for NTFS against index attributes.

$EXTEND\$OBjID

- Index of all object IDs in use. Allows a file to be tracked even if it gets moved, renamed, or deleted.

$SECURE

- Index used to track security information for the files on the system: who owns the file and who can open it.

Threadmap

- Review threads to identify process hollowing and its countermeasures.

NTDS.DIT

AD database with all user and computer hashes (LM/NT). Located in \windows\ntds on domain controllers. Often accessed via volume shadow copy. Extracted w/ NTDSXtract.

4720

Account created

4722

Account enabled

Silver Ticket

All-access pass for a single service or computer account. Forged using a dumped computer account hash and can impersonate any user for that system.

ShimCache

App compat tool. Tracks last modified date, file path, and whether executed. XP shows last execution time; Server shows an executed flag. Located in the registry: XP = CCS\Control\Session Manager\AppCompatibility\AppCompatCache (96 entries), Server = CCS\Control\Session Manager\AppCompatCache\AppCompatCache (1024 entries). From Vista on, presence in the AppCompatCache reg key doesn't prove execution, but it is likely.

1102

Audit log cleared - Security log

Timestomping

Backdates a file to a time/date chosen by the attacker. Detected by comparing $STDINFO and $FILENAME timestamps. Might also be detected via the nanoseconds field being .000

Logon Type 4

Batch

Logon Type 12

Cached remote interactive, similar to 10

Logon Type 11

Cached creds, offline from DC

Logon Type 13

Cached unlock - similar to 7

Plaso Windows Parsers

Chrome, IE, McAfee logs, Registry, EVT, IIS, Job Files, Prefetch, JumpLists, Lnk ETC

Event Log Deleting & Tampering

Clearing logs; detection relies on missing event log data and gaps

PF

Command-line tool that parses .PF files. Outputs app name and path, times executed, last run, and prefetch MAC timestamps in CSV.

Defending Credentials (Kerb Tickets)

Credential Guard, Domain Protected Users group, Remote Credential Guard, Restricted Admin, long and complex passwords on service accounts (Kerberoasting), group managed service accounts, change the krbtgt password yearly

Unallocated Cluster

Data cluster not being used by a file. Data may or may not exist in the cluster; it may contain deleted or unused data. TOOLS: Scalpel, Foremost and bulk_extractor can carve unallocated space

$MFT Details

Database-like, 1024-byte records. Every object gets an entry, saved in the MFT zone (first 12.5% of the drive is reserved as the MFT home). If a file is small enough to fit, it resides in the MFT (resident data). Signature for an MFT record = 0x46 0x49 0x4C 0x45 ("FILE"); error signature = "BAAD". Sequence number at offset 0x10 is a counter tracking the number of times an MFT record has been reused. Flags at offset 0x16 show file and directory status: not in use, file in use, directory in use, etc.

DTB

Directory Table Base

GetSids

Displays SIDs for each process. Identifying a process running under an unexpected user SID is a clue.

DllList

Displays loaded DLLs and command line. Specific info on a process w/ -p. Load time can be used to detect anomalies like DLL injection. File path is helpful.

Ldrmodules

DLLs are tracked in 3 linked lists in the PEB for each process. Malware can unlink loaded DLLs. Ldrmodules queries each list and displays the results for comparison.

FAT TimeStamps - Timestamps based on local device time

Does not have an accessed timestamp, only an accessed date

Data Encryption

Encrypting the files they are stealing. Volume shadow copies could be used for detection

Admin Share Dest Artifacts

- Event Logs (Security.evtx): 4624 - logon type 3, source IP; 4672 - logon user with admin rights; 4776 - NTLM auth for local account; 4768 - TGT granted (on DC); 4769 - service ticket granted if auth to DC; 5140 - share access; 5145 - audit of shared files.
- File System: malware/new files created on the destination system.

Schedule remote tasks dest Artifacts

- Event Logs: 4624 - logon type 3, 4697 - security service install (Security.evtx); 7034, 7035, 7036, 7040, 7045 - service installed etc. (System.evtx).
- Registry: system\currentcontrolset\services, ShimCache, Amcache.hve for evil.exe.
- File System: file creation, prefetch of evil.exe.

Remote Services Destination Artifacts

- Event Logs: 4624 - logon type 3, 4697 (Security.evtx); 7034, 7035, 7036 (service started), 7040 (service start type), 7045 (service installed) (System.evtx).
- Registry: system\ccs\services - new service created; ShimCache - evil.exe; Amcache.hve - evil.exe.
- File System: evil.exe in prefetch.

Windows remote management tool - Sch Task Source

- Event Logs: 4648 - alt creds (Security.evtx).
- Registry: ShimCache, AmCache.hve entries for at.exe, schtasks.exe.
- File System: Prefetch - c:\windows\prefetch for at.exe & schtasks.exe.

PsExec Source Artifacts

- Event Logs: 4648 - logon with alt creds (Security.evtx).
- Registry: NTUSER.DAT - Sysinternals EULA accepted; psexec.exe in ShimCache and Amcache.hve, psexec execute time.
- File System: Prefetch - psexec.pf.

Admin Share Source Artifacts

- Event Logs: 4648 - logon with alt creds (Security.evtx); 31001 - failed logon to destination (SMB client log).
- Registry: MountPoints2 - NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2; ShellBags - UsrClass.dat; ShimCache - net.exe, net1.exe; Amcache.hve - net.exe, net1.exe.
- File System: Prefetch - net.exe, net1.exe.

Schedule remote tasks source Artifacts

- Event Logs: 4648 - logon w/ alt creds (Security.evtx).
- Registry: ShimCache, Amcache.hve for at.exe, schtasks.exe.
- File System: c:\windows\prefetch - at.exe, schtasks.exe.

WMI - Destination System Artifacts

- Event Logs: 4624 - logon type 3, source IP; 4672 - user w/ admin rights; 5857 - WmiPrvSE time of install and info on the malicious file; 5860, 5861 - registration of event consumers (Microsoft-Windows-WMI-Activity/Operational).
- Registry: ShimCache (SYSTEM) - wmiprvse, evil, mofcomp; Amcache.hve - wmiprvse, evil, mofcomp.
- File System: file create - evil.exe; Prefetch (c:\windows\prefetch) - mofcomp, wmiprvse.

Windows remote management tool - Sch Task Destination

- Event Logs: 4624 - logon type 3; 4672 - user name, admin rights; 4698 - scheduled task created; 4702 - scheduled task updated; 4699 - scheduled task deleted; 4700/4701 - scheduled task enabled/disabled (Security.evtx). 106, 140, 141, 200/201 - task created, updated, deleted, task started/completed (Microsoft-Windows-TaskScheduler/Maintenance.evtx).
- Registry: Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks, Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree; ShimCache - evil.exe.
- File System: file create evil.exe; .job files in c:\windows\tasks; XML tasks in windows\system32\tasks; prefetch evil.exe.

PowerShell remoting - Source System Artifacts

- Event Logs: 4624 - logon type 3, source; 4672 - logon user name w/ admin rights (Security.evtx). 4103, 4104 - script block logging; 53504 - auth records (Microsoft-Windows-PowerShell/Operational). 400/403 - ServerRemoteHost start/end of session; 800 - partial script code (Windows PowerShell.evtx). 91, 168 - session created, auth records (Microsoft-Windows-WinRM/Operational.evtx).
- Registry: ShimCache (SYSTEM) - wsmprovhost.exe, evil.exe; SOFTWARE - Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy; Amcache.hve - wsmprovhost.exe, evil.exe.
- File System: Prefetch - evil.exe, wsmprovhost.exe.

RDP Destination Artifacts

- Event Logs: 4624 - type 10 logon; 4778/4779 - source system IP and logon user name (Security.evtx). 131 - connection, source IP, user; 98 - successful connections (Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational). 1149 - source IP/logon user (blank user = Sticky Keys) (TerminalServices-RemoteConnectionManager/Operational). 21, 22, 25 - source IP, user; 41 - logon user (TerminalServices-LocalSessionManager/Operational).
- Registry: ShimCache - rdpclip.exe, tstheme.exe; AmCache.hve - mstsc.exe, tstheme.exe.
- File System: Prefetch - c:\windows\prefetch\rdpclip.exe-*.pf, tstheme.exe-*.pf.

RDP Source Artifacts

- Event Logs: 4648 (Security.evtx); 1024 (destination host name), 1102 (destination IP address).
- Registry: mstsc.exe in Amcache.hve, ShimCache, UserAssist, RecentApps; ntuser\software\microsoft\terminal server client\servers.
- File System: Jumplists, Prefetch, bitmap cache (bmc-tools.py).

PowerShell remoting - Source System Artifacts

- Event Logs: 4648 - logon w/ alt creds, destination host, process (Security.evtx). 6 - WSMan session created; 8, 15, 16, 33 - WSMan session deinitialization (Microsoft-Windows-WinRM/Operational.evtx). 5860, 5861 (Microsoft-Windows-PowerShell/Operational); 40691, 40692 - local initiation of powershell.exe; 8193, 8194 - session created; 8197 - session closed.
- Registry: ShimCache (SYSTEM) - powershell.exe; Amcache.hve - powershell.
- File System: Prefetch; command history - c:\users\<username>\appdata\roaming\microsoft\windows\powershell\psreadline\consolehost_history.txt.

WMI - Source System Artifacts

- Event Logs: 4648 - logon w/ alt creds, destination host, process.
- Registry: ShimCache (SYSTEM) - WMIC.EXE; AmCache.hve - wmic.exe.
- File System: c:\windows\prefetch\wmic.pf.
- Example: wmic /node:DEST_PC /user: process call create

EPROCESS

Executive Process Blocks

Log2timeline

Extracts or collects events from a file, mount point, or image file and saves them in Plaso storage format. "Front end" to Plaso. log2timeline.py STORAGE_FILE (plaso output) SOURCE (source image); --partition (physical disk partition), -o (offset), -p (preprocessing), -z (timezone; only needed if parsing a specific artifact).

4625

Failed logon

FLS

Filesystem metadata layer only; works on HFS, UFS, EXT, FAT/NTFS, CD-ROM. Interacts with forensic images for timelining.

$MFT

First record, number 0, describes the MFT itself. Provides the info needed to find all other clusters. The Volume Boot Record contains a pointer to its cluster.

$VOLUME

Friendly name of the volume for display in My Computer. Also holds the NTFS version and mount flags.

IRP

IO Request Packets

IAT

Import Address Table

Sequential MFT Entries

Inode and MFT entry address allocations are generally sequential in nature. As new files are created, the following inode or MFT entry is used if available. If you suspect deleted malware, check the surrounding inode and MFT entries.

Golden Ticket

Kerberos TGT for any account w/ no expiration; survives a full password reset. Requires domain admin on DCs (access to NTDS.DIT). Ticket can be created offline.

KDBG

Kernel Debugger Data Block - key to tools understanding a memory image. Once found, it leads to the EPROCESS blocks by identifying the PsActiveProcessHead pointer (currently running processes).

KPCR

Kernel Processor Control Region - has a pointer to the KDBG

Logon Type 2

Local logon

4672

Logon w/ admin rights

4648

Logon w/ explicit creds (RunAs) - often on the originating system

Inode

MFT for NTFS; overall top container for the items beneath it. Like clusters, inodes can be allocated or unallocated. Allocated = file in use by the filesystem; points to a named structure detailing how to find the file. Unallocated = never written to, or might contain the inode data of a recently deleted file. When a file is deleted, its inode data is rarely wiped or overwritten.

Contiguous Space

Most file systems attempt to write data in contiguous clusters. Only when a file is too large will the filesystem fragment it. This is GOOD: it means related files, attacker tools, etc. will generally be close together.

Win Event log locations

NT, 2000, XP, 2003 Server - \windows\system32\config - SecEvent, AppEvent, SysEvent. Vista, Win7, Win8, 2008, 2012, Win10, 2016 - \windows\system32\winevt\logs - security.evtx, application.evtx, system.evtx

Logon Type 3

Network logon

5140

Network share accessed

4688

New process created/process exited

AmcacheParser

Parses amcache.hve: SHA1, full path, MFT entry, file size, compile time

Prefetchparser

Part of the Volatility framework. Will search memory for prefetch files and parse them. Good for finding PF data deleted or removed by attackers.

Skeleton Key

Patches LSASS on a DC with Mimikatz or similar to add a backdoor password that works for any domain account.

4771

Pre-Auth fail - Kerberos

PEB

Process Environment Block - each process has its own to host data structures for the process; points to the VAD

Logon Type 10

RDP

Remote Services Source Artifacts

- Registry: sc.exe in ShimCache, Amcache.hve.
- File System: sc.exe in prefetch.

RecentFileCache.bcf

Related to the App Compat Cache; contains references to programs recently copied or downloaded and executed. RecentFileCache is the short-term storage of recent file adds. c:\Windows\AppCompat\Programs\RecentFileCache.bcf. Small file managed by the ProgramDataUpdater task (12:30 AM nightly).

Kerberoasting

Requesting a service ticket for a high-privilege service and cracking the NT hash. Cracked offline, so no failed logon attempts.

NTFS

Robust filesystem, built-in security, 4KB clusters by default = less slack. Multiple versions: 1, 1.1, 1.2, 3.0, 3.1

4769

Service Ticket granted - (access to server resource) - Kerberos

4778

Session connected/reconnected

4779

Session disconnected

5145

Shared object accessed (file audit)

PREFETCH

Shows what ran, when it ran, and how many times. Used for performance increases. Win10 has compressed .PF files. Example: C:\Windows\Prefetch\7ZG.EXE-D9AA3A0B.pf; the hash is derived from the path of the EXE and its command line. 128 files on Win7; Win8+ can have 1024. Prefetch files can be carved from unallocated space using blkls and foremost. Prefetch can be disabled via the registry. Date created = first executed, date modified = last executed.

PECmd

Similar to PF - a prefetch parser tool. Can do an entire directory w/ the -d option. Output in JSON, CSV, HTML

Pass The Ticket

Steal a Kerberos ticket from memory and pass or import it to other systems. Requires admin permissions.

Metadata Layer

Structure information - Ext2/3/4, FAT, NTFS - each entry is addressable. Contains the data that describes files: MAC times, permissions, and pointers into the data layer for file content. Each is given an address.

4635/4647

Successful logoff

4624

Successful logon

SSDT

System Service Descriptor Table

4768

TGT granted - success logon - Kerberos

IDT

Table of addresses to functions handling interrupts and exceptions

Tickets

Tickets issued to authenticated users that can be reused without additional authentication. Tickets are cached in memory, valid for 10 hours. TOOLS: Mimikatz, WCE, Kerberoast. ATTACKS: Pass the Ticket, Pass the Hash, Kerberoasting, Golden Ticket, Silver Ticket, Skeleton Key

$LOGFILE

Transactional logging (journaling) to maintain the integrity of the file system. Record offset 0x8.

Overpass the Hash

Use the NT hash to request a Kerberos ticket for the same account. Uses Kerberos for auth and is often used when NTLM hash mitigations are in place, such as limits on NTLM auth over the network.

Token Stealing

A user with the SeImpersonate privilege can extract tokens and reuse them. Heavily abused on RDP servers to elevate to Domain Admin. Tools: Incognito, Metasploit, PowerShell, Mimikatz (token::elevate /domainadmin). Mitigate with the Domain Protected Users security group, which prevents delegated tokens; the "Account is sensitive and cannot be delegated" option in AD; Restricted Admin and other RDP controls

VAD

Virtual Address Descriptor tree - tracks every memory section (memory pages) assigned to a process. Used to double-check and compare against what the lists say is present. List of memory belonging to the process, kernel modules/drivers

ShimCachemem

Volatility plugin that extracts the AppCompatCache from memory images, even items not yet written to disk. vol.py -f memory shimcachemem | less

Volume Shadow Copies

Windows backup of the OS, or virtual snapshots. Contains event logs, registry files, deleted files. Created at application install, unsigned driver install, system updates, System Restore, system boot (Win7, 8, 10). Stored in the System Volume Information folder.

4738

account was changed

4756

added to universal group

PSLIST

All running processes, found by following the EPROCESS linked list; cannot find malicious processes unlinked by rootkits

$BOOT

Allows the VBR to be accessed via normal I/O operations

Data Layer - Clusters

Made up of 1 or more sectors. A cluster is the smallest usable data block in a partition.

Sectors

The smallest addressable data block on a device. Typically 512 or 4096 bytes. Can be allocated or unallocated.

4724

Attempt to reset an account's password

104

Audit log cleared - System log

AUTORUNS

Autostart extensibility points and persistence mapping.
- -v show everything
- -t TYPE of search = autorun, services, appinit, winlogon, tasks, activesetup

Kdbgscan

Can identify the build string from Win10 updates. Use if other plugins give garbage data

Cmdscan and consoles

Carves out full command-line histories and text output from memory.
- Cmdscan - provides info from the command history buffer
- Consoles - prints commands (inputs) + screen buffer (outputs)
- Active and closed sessions!

$EXTEND\$USNJRNL

Change journal: index listing all of the files that have changed on the system and why.

Detecting Anti-Forensic Time Stomping Anomalies

Check to see if the $FILE_NAME time is after the $STANDARD_INFORMATION time, or if $STANDARD_INFORMATION lacks any sub-second precision, such as 18:29:52.000000 instead of 18:29:52.123464

PeScan

Command-line tool to scan PE files for info on how they are constructed: compile and MACB time, 32 vs 64 bit, X.509 cert, abnormality score (high score = bad), MD5, SHA1

Baseline

Compare objects found in the suspect image to a known-good image using processbl, servicebl, driverbl.

Credential Availability

Console logon, RunAs, RDP, PsExec w/ alt creds, remote scheduled task, Run As Service - these actions can result in exposure of the credential and password hash

$index_root & $index_allocation

Contain a structured index that lists the contents of the directory. Just like files, directories can be resident or non-resident. Named $I30; $INDEX_ROOT has attribute type 0x90.

Imagecopy

Converts crash dumps and hibernation files to raw memory images. Uncompresses hiber files, converts crash dumps to raw; VMware and VirtualBox support. -O output file

Mactime

Converts standard "body" file output (mactime format) into Plaso format: log2timeline.py --parsers "mactime" plaso.dump timeliner.body

LSA Secrets

Creds stored in the registry (SECURITY\Policy\Secrets) to allow services and tasks to run w/ user privileges: service accounts, VPN passwords, auto-logon creds. Stored in an encrypted reg key which admins can decrypt, yielding plaintext passwords. TOOLS - Cain, Metasploit, Mimikatz, gsecdump, acehash, creddump, PowerShell. Mitigate with Group Managed Service Accounts; don't place DA services on low-trust systems.

PSXVIEW

Cross-view analysis using 7 different process listing plugins to visually identify hidden processes.
- -R - limit false positives w/ known-good rules
- Example anomalies - SMSS, CSRSS run early in the boot process and will show False in the CSRSS column
- Terminated processes may show only in the PSSCAN column
- If False in the PSLIST column and not CSRSS, probably malware

Dumpfiles

By default will attempt to extract ALL files currently mapped in memory. More effective than other methods.
- -D or --dump-dir option
- -Q = use physical offset
- -r = regular expression
- -n = original file name
- Complement to filescan - might be able to recover documents, logs, EXEs etc.

$ATTRDEF

Defines the NTFS attributes for the version of NTFS used on the drive.

File Delete/Wiping

Deleting and/or overwriting malware and other artifacts. Usually done by a 3rd-party tool such as sdelete. What wipes the wiper?

Densityscout

Detects obfuscation and run-time packing. Calculates the density (entropy) of each file. densityscout -s cpl,exe,dll,ocx,sys,scr -p 0.1 -o results.txt c:\windows\system32

Logon Type 9

Different creds specified - RunAs

Istat

Displays stats about a given file metadata structure: allocated data, local time zone, permissions, size, allocation status, all attributes for NTFS files. -z = specify time zone, -s = system time skew.

HASHDUMP

Dump SAM db hashes for all users on the system.
- Offset of SYSTEM reg hive: -y
- Offset of SAM: -s
- Sister plugin LSADUMP extracts LSA secrets

Memdump

Dumps data from every memory section owned by a process into a single file

Procdump

Dumps a process to an EXE memory sample

Get-LsaSecrets.ps1(Nishang Powershell PenTest framework)

Dumps and decrypts LSA secrets

Audit Logon Events

Each instance of a user logging on or off a computer. Tracks logon to a specific server.

Dlldump

Extracts DLL files belonging to a specific process or group of processes

Filename Layer

Filenames are stored in 2 places. File system metadata - MFT entry, FAT directory entry; UNIX does NOT store the filename in metadata. Directory file - contains the list of files in that directory. Filenames point to metadata addresses.

REKALL

Fork of the original Volatility code.
- Focus on speed and performance, auto-detection of kernel, faster OS support
- Live analysis capability with the --live option
- rekal -f memory-img psscan
- Mac, Linux support
- Yarascan with a .yara file

DeviceTree

Gives a visual view of the chaining or layering of drivers

$EXTEND\$QUOTA

How much allocated space a user is allowed to use.

Hollowfind

Identifies evidence of known process hollowing techniques. Compares info in the PEB, which should match the VAD.

$EXTEND\$REPARSE

Index of all reparse points - items like symbolic links and mounts to other volumes.

Imageinfo

Info about the captured memory image - when the image was captured; can take time; interrogates the KDBG. Gives you the profile to use on other Volatility searches (--profile). Gives the offset to the KDBG structure.

Pinfo

Info about how and when the collection took place. Shows what is stored in the storage container. -v shows a dump of Windows services. Info on metadata and parsers used. pinfo.py -v plaso.dump | less

Audit Account Logon Events

Instance of a user logging on or off from another computer in which this computer is used to validate the account. Tracks which domain controller authenticated a domain logon.

Vshadowinfo

Lists all shadow snapshots in a disk image - similar to "vssadmin list shadows". -o switch to point to the NTFS partition offset in the disk image

Sockets

List of active, available sockets [XP/2003]

Handles

List of handles opened by a process: -p PID, -s suppress unnamed, -t type (process, thread, directory, file, mutex (mutants) etc.). Page 80 for more info. Mutex to catch CozyDuke.

Connections

Lists active, open TCP connections [XP/2003]

4735

Local group was changed

$BITMAP

Long string of binary data with one bit for each cluster in the volume. The corresponding bit is set to 1 or 0 depending on whether the cluster is allocated to a file. Tracks which clusters are in use.

PSSCAN

Looks at EPROCESS pool allocations. Scans all of memory for process blocks, not just items in the EPROCESS linked list. Can find hidden processes and potentially locate processes that are no longer running.

4728

Member added to global group

4732

Member added to local group

Logon Type 8

Network w/ cleartext creds

Malfind

- Save extracted files with --dump-dir
- -p for process, -o offset
- Shows assembly code - makes it easy to find the MZ header - MZ = 4d 5a 90 00
- Looking for PAGE_EXECUTE_READWRITE
- PUSH EBP, MOV EBP, ESP - assembly denoting a working function prologue
- Garbage assembly could be a false positive - e.g. ADD [EAX], AL over and over

VOLUTILITY

- Web GUI for Volatility, unified front end for plugins
- Web and MongoDB
- String and YARA tool

SSDT Plugin

- | egrep -v '(ntoskrnl\.exe|win32k\.sys)'
- Hooked entries will show as owned by a malware driver, not Windows core modules
- Typical hooked functions - NtEnumerateKey, NtEnumerateValueKey, NtQueryDirectoryFile
- If found, next step is MODDUMP

Fileless Malware

Often PowerShell running from memory only.

RFC.PL

Parses .BCF and outputs the path and EXE name.

ShimCacheParser.py

Parses the App Compat Shim cache.

Psort

Post-processing to filter, sort, and process a Plaso storage file

Alternate Data Streams(ADS)

Presence of a second $DATA attribute.

PSTREE

Prints a process tree list. Use the -v verbose switch to get image path and command line. Relies on the EPROCESS linked list, so may miss unlinked processes. Good for finding malware via an unusual parent process

4689

Process exited

Modules

Provides the contents of the linked list identifying currently loaded drivers. Used in tools such as driverbl, the image baseline tool.

$EXTEND

Record number 11, a directory holding the newer system files.

File System Journal

Records file system metadata changes; its purpose is to return the file system to a working state if needed, and it can be used to see the prior state of files. Info can be limited depending on system activity. NTFS, EXT3/4, HFS. On NTFS, recorded in $LogFile with a max size of 64 MB. GitHub tool: LogFileParser

Amcache.hve

Replaces RecentFileCache.bcf in Win8/10. Program first run and last modification time of the key. Includes SHA1 and other program info like product name and description. C:\Windows\AppCompat\Programs\Amcache.hve. Registry path: Amcache.hve\Root\File\<Volume GUID>\##### = key name is the MFT entry number.

Connscan

Scans for TCP connections, including closed or unlinked [XP/2003]

PSTOTAL

Scans memory for EPROCESS pool allocations and produces a "Hidden" column to show processes found by psscan only. Quick comparison of psscan & pslist. Can produce .dot graph files.

SVCSCAN

Scans the memory image for Windows service records - info on associated processes and drivers.
- -v shows service DLLs and image path
- Don't forget servicebl helps find malicious services by baseline comparison

Sockscan

Scans for sockets: open, closed, or unlinked [XP/2003]

Malprocfind

Scans for system anomalies. Use -x to include exited processes. Only checks common system processes such as svchost, services etc. Checks: process hollowing (phollow), spath (strange path), session (session 0)

Printkey

Searches memory-mapped registry hives for the presence of a key and displays all subkeys.
- -K key to print
- -o search hive at offset
- Stable or Volatile flags (volatile = only in memory)

Filescan

Searches for the FILE_OBJECT signature in memory.
- Returns the physical offset where the FILE_OBJECT exists
- Identifies files in memory even when no handles exist
- Can get MFT
- Pass the offset to dumpfiles -Q to recover

$MFTMIRROR

Second record; contains a backup of the primary $MFT.

4799

Security-enabled local group membership enumerated

Plaso Windows Registry Parsers

ShellBags, AppCompatCache, MountPoints, Run, TypedURLs, UserAssist, Task Scheduler, etc.

$Data

Signature 0x80 (128 in decimal). After the 24-byte header it will contain the file content or the info needed to find the clusters containing the data. Data runs consist of a series of entries giving the starting point and length of each segment of the file.

Zone.Identifier ADS evidence

Since XP SP2, files downloaded from the internet via a browser to NTFS contain an alternate data stream called Zone.Identifier. NoZone=-1, MyComputer=0, Intranet=1, Trusted=2, Internet=3, Untrusted=4.

Netscan

Sockets and connections for Vista and above

Cached Credentials

Stored domain creds to allow logon w/out a DC; limit of 10 logon hashes by default. Must be cracked; they are salted and can't be used for PTH. Stored in the SECURITY\Cache reg key in MSCache2 format. Crack w/ John the Ripper, hashcat. Domain Protected Users don't cache creds

4776

Success/fail NTLM account auth

vshadowmount

Tool to mount all VSS images in the SIFT workstation. ewfmount PathTo.E01 /mnt/ewf_mount/ -> vshadowmount /mnt/ewf_mount/ewf1 /mnt/vss/

Change Journal $USNJRNL -

Tracks changes to the volume and the reason; two named $DATA attributes. $Max - pointer to tell the system where $J is located; $J - entries for each file changed since the log was enabled. The USN is the offset into $J. Tool: Windows Journal Parser (jp).

Logon Type 7

Unlocked screen

$UPCASE

Upper/lowercase Unicode letter mapping

Moddump

Used to extract kernel drivers from memory

4798

User's local group membership enumerated

Timeliner

Volatility plugin to grab timeline info from memory - processes, threads, PE files, network sockets, registry, event logs. vol32.py -f memory.img timeliner --profile=Win7SP1x86

MODSCAN

Walks the linked list to identify loaded kernel drivers; modscan scans for loaded, unloaded, and unlinked kernel modules.
- List of loaded drivers, size, and location
- May need to combine info w/ hooks and baseline plugin data

Logon Type 5

Windows service logon

Network Config

wmic /node:10.1.1.1 nicconfig get

Remote process list

wmic /node:10.1.1.1 process get

Get auto-start processes

wmic /node:10.1.1.1 startup list full

Prebuilt WMIC scripts

wmic_lr_remote.cmd

NTFS TimeStamps - stored in UTC form in $filename attribute

• M - Data content change time
• A - Data last access time
• C - Metadata change time
• B - Metadata creation time - created in volume/directory; B = Birth

Credential Theft Bullets

• Managed Service Accounts in 2008 R2 provide frequent password changes. The newer version is called Group Managed Service Accounts.
• Win8 removed CredSSP, TsPkg and WDigest plaintext credentials from memory by default, which stopped plaintext password recovery.
• Win8 local account restrictions in place for network and remote interactive logons.
• Win8 introduced the protected LSASS process (off by default).
• Win8 RDP /RestrictedAdmin.
• Win10 Credential Guard isolates hashes and tickets, enforced by hardware. Remote Credential Guard is the updated Restricted Admin and protects any account during RDP. Device Guard is application whitelisting.
