DFIR Blog

Windows Forensics

Evidence of Execution - Shimcache

6/23/2019

 
Shimcache/Amcache is also known as AppCompatCache. Certain applications are built to work on earlier versions of the OS. When an application may need 'shimming', Windows looks at the AppCompatCache registry key to figure out whether it needs a shim or not.

When a program is shimmed, a registry key is updated to notify the system.
Use tools like RegRipper to parse it.
Forensic value:
If you are dealing with an anti-forensics situation, the adversary might have deleted the prefetch files and the executable itself. The Amcache entries will still show that the application existed on the system.

Key things to remember:
  • Recent entries are at the top.
  • Entries are written on shutdown.

Shimcache/Amcache and Prefetch are a very powerful combination for identifying execution.

Things to keep in mind during Shimcache analysis:
1) Each time an exe is modified or renamed, a new Shimcache entry is created.
2) The last time of execution cannot be determined from Shimcache.
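As an added example (not code from the original post), here is a small Python parser for the Windows 10 layout of the AppCompatCache value, run against a constructed blob rather than a live registry hive. It illustrates the points above: entries come out in insertion order (newest first), a renamed copy of the same binary gets its own entry, and the only timestamp stored is the file's last-modified time, so nothing in the value says when the program ran. The entry layout (`10ts` signature, size, UTF-16LE path, FILETIME, data blob) and the build-dependent header size (0x30 or 0x34 bytes) follow the publicly documented Windows 10 format, but treat them as assumptions and check the output against RegRipper on a real hive. The sample paths and timestamps are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIGNATURE = b"10ts"  # marks each entry in the Windows 10 AppCompatCache layout
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100-nanosecond ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_appcompatcache_win10(blob):
    """Parse the raw AppCompatCache value (Windows 10 layout, an assumption to verify
    against RegRipper output on a real hive). Each entry is laid out as:
        '10ts' | 4 unknown bytes | DWORD entry size | WORD path length | UTF-16LE path
        | FILETIME last modified | DWORD data size | data
    Entries are returned in on-disk order, i.e. most recently inserted first."""
    entries = []
    pos = blob.find(ENTRY_SIGNATURE)  # skips the header, whose size varies by build (0x30/0x34)
    while pos != -1 and pos + 12 <= len(blob) and blob[pos:pos + 4] == ENTRY_SIGNATURE:
        entry_size = struct.unpack_from("<I", blob, pos + 8)[0]
        body = blob[pos + 12:pos + 12 + entry_size]
        if len(body) < entry_size:
            break  # truncated value: stop rather than misparse the tail
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        off = 2 + path_len
        last_modified_ft, data_len = struct.unpack_from("<QI", body, off)
        entries.append({
            "position": len(entries),  # 0 = most recent insertion
            "path": path,
            # This is the file's $STANDARD_INFORMATION modification time, NOT an execution time.
            "last_modified": filetime_to_datetime(last_modified_ft),
            "data": body[off + 12:off + 12 + data_len],
        })
        pos += 12 + entry_size
    return entries


def build_entry(path, last_modified, data=b""):
    """Serialise one entry in the layout above (constructed sample data only)."""
    p = path.encode("utf-16-le")
    body = (struct.pack("<H", len(p)) + p
            + struct.pack("<QI", datetime_to_filetime(last_modified), len(data)) + data)
    return ENTRY_SIGNATURE + b"\x00" * 4 + struct.pack("<I", len(body)) + body


def build_sample_cache():
    """Constructed AppCompatCache value: a 0x34-byte header carrying only its size field,
    followed by three entries. The first two are the same binary before and after a rename,
    so they share a modification time but each received its own entry."""
    header = struct.pack("<I", 0x34) + b"\x00" * 0x30
    utc = timezone.utc
    sample = [
        ("C:\\Users\\analyst\\Downloads\\tool_renamed.exe", datetime(2019, 6, 21, 9, 15, tzinfo=utc)),
        ("C:\\Users\\analyst\\Downloads\\tool.exe", datetime(2019, 6, 21, 9, 15, tzinfo=utc)),
        ("C:\\Windows\\System32\\cmd.exe", datetime(2019, 3, 19, 4, 46, tzinfo=utc)),
    ]
    return header + b"".join(build_entry(p, t) for p, t in sample)


def parse_sample():
    return parse_appcompatcache_win10(build_sample_cache())


if __name__ == "__main__":
    for e in parse_sample():
        print("%d  %s  %s" % (e["position"], e["last_modified"].isoformat(), e["path"]))
```

Locating the first entry by its signature rather than by a fixed header size is what lets the same parser cope with both header variants; a real value exported from the hive with RegRipper or reg.exe can be passed to `parse_appcompatcache_win10` directly.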

Kerberos Primer and Cyber Attacks

6/5/2019

 
Kerberos is a network authentication protocol named after Cerberus, the three-headed dog of Greek mythology. A couple of key points to remember about the protocol:
  • Uses tickets for authentication
  • Avoids sending the password over the network
  • Uses symmetric key encryption

Picture: Kerberos authentication flow diagram. Source: https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication

Kerberos Attacks

#Pass the ticket:
  • Pass the ticket is used to perform "lateral movement" by leveraging the Kerberos authentication system.
  • The attacker extracts the Kerberos TGT (Ticket Granting Ticket) from LSASS memory.
  • The obtained ticket is used to request Kerberos service tickets to gain access to the network.
  • A Kerberos TGT expires in 10 hours by default.
  • Tools like Mimikatz and Rubeus are used to perform this kind of attack.
    • Phase 1 is to monitor via tools looking for 4624 logon events.
    • Once any user logs in, the tools go and grab the ticket.

Ways to investigate a Pass the Ticket attack
  • Get access to the host and analyze the logon sessions.
  • Use the klist command to inspect the Kerberos tickets associated with each session.
  • Look for Kerberos tickets that do not match the user associated with the session.
Basically, you list all the current user logon sessions and review the tickets associated with each one. Any anomaly you notice is indicative of suspicious activity on the host.
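The check described above, as an added example that is not part of the original post: a Python script that parses the ticket list `klist` prints for one logon session and flags two things, a ticket whose Client principal is not the user who owns the session, and a TGT issued with RC4 rather than AES (which is what feeding an NTLM hash into the Kerberos provider, as in overpass-the-hash further down, produces). The session owner is passed in as you would read it from `klist sessions`; on a real host you would run `klist -li <LogonId>` per session and hand each output to `review_session_tickets`. The klist text below is a constructed sample modelled on the real layout, with made-up user and domain names.

```python
import re

# Constructed sample modelled on the layout of `klist` output for one logon session
# (user and domain names are made up). Ticket #1 is the kind of entry a pass-the-ticket
# or overpass-the-hash injection leaves behind: another user's TGT, issued with RC4.
SAMPLE_KLIST = """\
Current LogonId is 0:0x1c3a2

Cached Tickets: (2)

#0>     Client: alice @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 6/5/2019 8:00:12 (local)
        End Time:   6/5/2019 18:00:12 (local)
        Renew Time: 6/12/2019 8:00:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: bob @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 6/5/2019 9:41:03 (local)
        End Time:   6/5/2019 19:41:03 (local)
        Renew Time: 6/12/2019 9:41:03 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""

TICKET_HEADER = re.compile(r"^#(\d+)>\s*(.*)$")
FIELD = re.compile(
    r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Renew Time):\s*(.+?)\s*$")


def parse_klist(text):
    """Turn klist ticket output into a list of dicts keyed by the field labels above."""
    tickets = []
    current = None
    for line in text.splitlines():
        m = TICKET_HEADER.match(line)
        if m:
            current = {"index": int(m.group(1))}
            tickets.append(current)
            line = m.group(2)  # the header line also carries the first field (Client: ...)
        if current is None:
            continue  # preamble lines before the first ticket
        f = FIELD.match(line)
        if f:
            current[f.group(1)] = f.group(2)
    return tickets


def review_session_tickets(session_user, klist_text):
    """Return (ticket index, reason) findings for tickets that do not belong to the
    session owner, and for TGTs issued with RC4 where AES would be expected."""
    findings = []
    for t in parse_klist(klist_text):
        client = t.get("Client", "")
        client_user = client.split("@")[0].strip().lower()
        server = t.get("Server", "")
        etype = t.get("KerbTicket Encryption Type", "")
        if client_user != session_user.lower():
            findings.append((t["index"],
                             "client '%s' does not match session user '%s'" % (client, session_user)))
        if server.lower().startswith("krbtgt/") and "RC4" in etype.upper():
            findings.append((t["index"],
                             "TGT encryption type is %s; an AES-enabled domain should issue AES TGTs" % etype))
    return findings


if __name__ == "__main__":
    for index, reason in review_session_tickets("alice", SAMPLE_KLIST):
        print("ticket #%d: %s" % (index, reason))
```

The RC4 check is only meaningful where the domain and the account support AES; a domain still configured for RC4 will issue RC4 TGTs legitimately, so treat that finding as a lead to correlate with the session owner mismatch rather than a verdict on its own.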
Countermeasures:
  • Credential Guard is hypervisor-based isolation that restricts access to the hashes and the tickets. Watch this video: https://www.youtube.com/watch?v=urqXgBbVyWY
  • Multi-factor authentication (MFA) is one of the good ways of handling Pass the Ticket attacks, along with standard cybersecurity practices.
#Overpass the hash:
In overpass-the-hash, the attacker tries to capture the NTLM hash of the account it wishes to compromise, using tools like Mimikatz.
Using this command in Mimikatz:
Sekurlsa::pth /user:[USER] /domain:[DOMAIN] /ntlm:[NTLM HASH]
The NTLM hash is passed into the Kerberos authentication provider using RC4 encryption.

#Kerberoasting:
The focus of this attack is to compromise a service account. It requests a ticket for a highly privileged service account, captures the hash from it and cracks it offline.

#Golden Ticket:
A Ticket Granting Ticket is generated for any account, with any expiration.

The majority of Active Directory based attacks can be detected by implementing Microsoft Advanced Threat Analytics:
https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata

Windows Forensics Basics

3/3/2018

 
Windows Forensics:
Cache Memory and History Analysis:
IE:
  • Content.IE5 files – temporary internet files
  • AppData folders – contain cookies
  • History folder
IECookiesView tool – for analysis
Firefox:
MD5 Hash:
  • 32 hex digits – 128-bit message digest
  • Not collision resistant
  • Checks the integrity of the tool
Recycle Bin:
  • File is deleted – a subdirectory is created
  • Recycler
  • Remember the convention for Recycler: <Drive Name – Hash>
  • INFO2 contains the records related to the data.
Restore Points:
  • RP.log filename
Change.log.x files:
  • Format: Axxxxx.ext
  • x is the sequence number and ext is the extension of the file.
Prefetch:
  • Prefetch files leave traces, and data can be collected from them.
Shortcut Files:
  • Use .lnk files
File Signature Analysis:
  • Collect information from the first 20 bytes of a file
  • MAC timestamps: Modification, Access and Change time, managed by the OS in UTC format
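An added example (not from the original notes) of file signature analysis in Python: it reads the first 20 bytes of each file, compares them with a small constructed table of well-known magic numbers, and reports when the extension disagrees with the content, alongside MD5 and SHA-256 digests for integrity records (MD5 is included because the notes mention it; it is not collision resistant, so keep SHA-256 beside it). The sample "files" are constructed byte strings rather than files on disk; `analyze_path` does the same for a real file.

```python
import hashlib

# Constructed table of well-known magic numbers: extension -> list of (offset, bytes).
SIGNATURES = {
    "exe": [(0, b"MZ")],
    "dll": [(0, b"MZ")],
    "pdf": [(0, b"%PDF-")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    "jpg": [(0, b"\xff\xd8\xff")],
    "zip": [(0, b"PK\x03\x04")],
    "docx": [(0, b"PK\x03\x04")],
}

HEADER_BYTES = 20  # signature analysis looks at the first 20 bytes, as in the notes above


def identify(header):
    """Return the sorted list of extensions whose magic number matches the header bytes."""
    matches = set()
    for ext, sigs in SIGNATURES.items():
        for offset, magic in sigs:
            if header[offset:offset + len(magic)] == magic:
                matches.add(ext)
    return sorted(matches)


def analyze(name, data):
    """Compare a file's claimed extension with its content signature and record digests."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    types = identify(data[:HEADER_BYTES])
    if not types:
        status = "unknown signature"
    elif ext in types:
        status = "ok"
    else:
        status = "mismatch: extension .%s but content looks like %s" % (ext, "/".join(types))
    return {
        "name": name,
        "extension": ext,
        "signature_types": types,
        "status": status,
        "md5": hashlib.md5(data).hexdigest(),  # 32 hex digits; integrity bookkeeping only
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def analyze_path(path):
    """Same check for a file on disk (whole file is read so the digests cover all of it)."""
    with open(path, "rb") as fh:
        return analyze(path.replace("\\", "/").rsplit("/", 1)[-1], fh.read())


# Constructed sample "files": a PE renamed to look like a PDF is the classic case to catch.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48,
    "notes.txt": b"Meeting notes, nothing binary here.\n",
}


def analyze_samples():
    return [analyze(n, d) for n, d in SAMPLE_FILES.items()]


if __name__ == "__main__":
    for r in analyze_samples():
        print("%-12s %-34s %s" % (r["name"], r["md5"], r["status"]))
```

A plain-text file with no magic number (notes.txt) comes back as "unknown signature" rather than as a mismatch, which is the right distinction for triage: the table only proves what a file is when it matches, not what it is not.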
Static Analysis:
  • You will not execute the file; just open it in some application and review the data.
Dynamic Analysis:
  • You will execute the file in order to analyze it.
  • Create a test environment and a process for testing malware.
Metadata Investigation:
  • Data about data
  • Descriptive metadata
  • Structural metadata
Windows Events:
  • Logs day-to-day events
  • The event log maintains this data.
  • Command – wevtutil
  • Event files are databases related to System, Security and Application
  • Storage location: SysEvent.evt
Popular event ID:
  • Event ID 4902 – Modification of audit policy
IIS Log:
  • exyymmdd.log
  • ex refers to extended format
DHCP Server Logs:
  • Format
Firewall Logs:
  • Pfirewall.log
Windows Passwords:
Active Directory – NTDS.DIT
For a single system it is the SAM (System Account Manager) file – System32\config, with an additional copy in the repair folder.
  • Password is stored in hash format
LANMAN (LM) – it's outdated
NTLMv2 is the latest version used by Windows.
Sigverif: shows unsigned drivers
  • CurrPorts – similar to netstat -a

 
 
​
