Tuesday, January 22, 2019

Daily Blog #605: CTI Summit 2019

Hello Reader,
             Between calls and work I got to watch some of the CTI Summit this week in DC prior to my class that starts tomorrow. I will admit that I look at CTI mainly from the outside trying to understand how it really works and what is real vs marketing. Prior to the CTI Summit I had read Scott Roberts and Rebekah Brown's book Intelligence Driven Incident Response:
 https://www.amazon.com/Intelligence-Driven-Incident-Response-Outwitting-Adversary/dp/1491934948 and I've talked to the CTI instructors about what they do in FOR578.

All of that though was just a foundation to understand the edges of the world of threat intelligence. Here were the words I heard repeated today:

  • Bias 
  • Cognitive Bias
  • ATT&CK
  • Pyramid of Pain
  • Peer Review
  • Threat actor
Each time I heard these major terms it came with a different perspective, one that would turn how the idea of 'product' for the 'consumer' was to be judged. 

As someone who focuses on the solid remnants of an incident the idea of this large grey area was outside of my comfort zone. I'm very comfortable when I can test and recreate an action to determine a prior action, but the idea of assembling possibilities and 'dossiers' based on events, actors and threats makes me very glad that there are other people who have found their passion in this.

So I salute you CTI professionals, I think we are both glad to be looking at each other over the fence between us in the widening world that is DFIR. 

Monday, January 21, 2019

Daily Blog #604: New Amcache Research Paper you really should read

Hello Reader,
      If you've been following the blog and the test kitchens you would have seen that both myself and Maxim Suhanov have been testing and talking a lot about the Amcache, which led to our findings about the Syscache hive. Well, it looks like we are not alone in our quest to truly understand this artifact since Blanche Lagny of the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), aka the French National Cybersecurity Agency, has released today at least a year's worth of research into not only the Amcache structure but also:

  • What processes populate the Amcache
  • What determines the format of the Amcache data (DLL versions, not Windows versions)
  • What determines the behavior of the Amcache storage (again, it's DLL versions)
  • and much more

If you are at all interested in the Amcache and want to understand it at a deeper level I would highly recommend you read this:
http://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf

Please note that, as with any other paper, Lagny has both timing and scope limitations, so this paper doesn't include every possible facet of the Amcache, such as what it does not log or how the latest version of Windows 10 populates it. It's not that she is not aware of the other data points; it's that they are hopefully going to be covered by future papers. 

Sunday, January 20, 2019

Daily Blog #603: Sunday Funday 1/20/19

Hello Reader,
            Last week's challenge brought out some great research and new tools. I hope that this streak of great responses continues through 2019! Let's switch focus back to the Syscache hive for this week's challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 1/25/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
On a Server 2008 R2 system make 4 copies of mimikatz (your choice of versions), 64-bit and 32-bit versions. Run them from 4 locations (of your choice) and determine what criteria determine when and if the executable gets logged in the Syscache hive and what dates are associated with the registry keys. 

Saturday, January 19, 2019

Daily Blog #602: Solution Saturday 1/19/19

Hello Reader,
        This week's challenge has an interesting twist: I have two answers but neither was submitted before the deadline. So I thought I would post the two answers for everyone's benefit so they're not lost to the Twitter timeline.

The Challenge:
In Windows 10, what behavior appears to determine if a program will show up in the UserAssist entries with a 0 run count versus actually tracking a run count and last execution date?

The Answers:
Matt Seyer: 

Matt worked up and tested three hypotheses for conditions where the UserAssist value did not get set or updated. Matt also released a really neat tool that will allow you to monitor UserAssist values in real time which will make testing much easier.

Maxim Suhanov:

Maxim tested a different method; he noticed that if GUI apps were executed from the command line (which should include exec scenarios within other programs) the same behavior occurs. 

The common thread that I can find between all of these tests is that UserAssist is tracking executions outside of the direct user context now. This means ... you guessed it ... more testing! I think this helped leap forward quite a bit but I look forward to really pushing this out over the next week. 
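As an added illustration, not part of the original post or of either contestant's tool, the following Python decodes the Windows 7+/10 UserAssist value layout (ROT13 value name, run count at offset 4, focus count and focus time after it, last-execution FILETIME at offset 60) so you can see how a "0 run count" entry differs from a tracked one. All value names and bytes are constructed samples, not data from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

VALUE_SIZE = 72  # size of the Windows 7+ UserAssist value data structure
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601) to UTC; zero means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def decode_userassist(value_name, data):
    """Decode one UserAssist value: de-ROT13 the name and pull the counters/timestamp."""
    if len(data) < VALUE_SIZE:
        raise ValueError("expected at least %d bytes, got %d" % (VALUE_SIZE, len(data)))
    run_count, focus_count, focus_time_ms = struct.unpack_from("<III", data, 4)
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "program": codecs.decode(value_name, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        "last_run": filetime_to_datetime(last_run_ft),
    }


def build_value(run_count, focus_count, focus_time_ms, last_run_ft):
    """Constructed sample data (not from a real hive): lay out the 72-byte structure."""
    buf = bytearray(VALUE_SIZE)
    struct.pack_into("<III", buf, 4, run_count, focus_count, focus_time_ms)
    struct.pack_into("<Q", buf, 60, last_run_ft)
    return bytes(buf)


# Constructed samples: one program with a tracked run count and last-run time,
# one that appears with a 0 run count and a zero (never-run) timestamp.
SAMPLE_LAST_RUN = datetime(2019, 1, 19, 12, 30, tzinfo=timezone.utc)
SAMPLES = {
    "P:\\Jvaqbjf\\flfgrz32\\zzp.rkr": build_value(3, 2, 1500, datetime_to_filetime(SAMPLE_LAST_RUN)),
    "P:\\Hfref\\grfg\\gbby.rkr": build_value(0, 0, 0, 0),
}


def decode_samples():
    """Decode every constructed sample in order, as a list of dicts."""
    return [decode_userassist(name, data) for name, data in SAMPLES.items()]
```

Run `decode_samples()` to see the tracked entry report a run count of 3 and a last-run time, while the untracked entry reports 0 and no timestamp.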

Friday, January 18, 2019

Daily Blog #601: Live registry triage and testing

Hello Reader,
          Well, I attempted to do a test kitchen tonight but VMware Workstation didn't want to cooperate. What I wanted to show is summarized in the blog post below from Eric Zimmerman:

https://binaryforay.blogspot.com/2019/01/locked-file-support-added-to.html

Eric has added the ability for his registry tools and the MFT explorer to be able to access the locked live files running on the live system. This means you can now access shellbag data with dates, view and search registries, parse amcache hives, run registry plugins and parse MFTs all without imaging or extracting files from the live system.

This is a pretty big step and it will require running the programs as the administrator in order to access the raw disk. I hope you take a moment to give them a spin as I will when I get a VM to boot!

Thursday, January 17, 2019

Daily Blog #600: Windows 10 Search Artifacts are going to change again

Hello Reader,
            I saw this article over on the verge:
https://www.theverge.com/2019/1/16/18185490/microsoft-cortana-windows-10-search-changes

In this article they describe how Cortana is going to be separated from the search function. Currently we find the Windows 10 search artifacts in the NTUSER registry under \Software\Microsoft\Windows\CurrentVersion\Search. So keep an eye out for this change, as we expect changes in how this data is stored and possibly new entries for Cortana.

This is interesting since Cortana has been rapidly changing artifact wise and a return to more locally stored Cortana artifacts would be welcome. 

Wednesday, January 16, 2019

Daily Blog #599: Forensic Lunch Test Kitchen 1/16/19 Syscache Server 2008 R2 Mimikatz

Hello Reader,
   Tonight we just had a short testing session (8 minutes of actual testing) where we checked in on last night's test. Here is what we learned:

  • The time delay did not affect our results
  • A shutdown/power on did not add any new entries
  • The registry explorer and hasher entries still had no hash
  • We still saw no entries for the other mimikatz executables
On the next broadcast we will be testing the same behavior in Windows 7 and parsing the whole MFT and Syscache rather than individual records to make sure we aren't missing anything.

You can watch the video here: