Monday, February 11, 2019

Daily Blog #624: Microsoft Defender ATA Golden Ticket False Positive

Hello Reader,
             I'm writing this post to serve as a bookmark for the future for anyone out there searching for this. If it's late at night and you have Microsoft Defender ATA in your network monitoring your systems and suddenly, you get a High Alert that a golden ticket was in use ... take a deep breath and examine the facts.

First, this alert is generated because the Kerberos ticket it reported had a time to live longer than group policy allows for that ticket type. That is not proof that a forged ticket is in use right now, so take a step away from the "fire the missiles" button and examine the facts.

Second, check the account being used. If it is a machine account (the computer name with a $ at the end) and not a user, then this could be a 'silver ticket' attack or just a system whose clock is out of sync.

Third, check which hosts this ticket is accessing and what the actual time to live is. When I make golden tickets in an attack simulation I give them very long lives (months to years) so I can keep using them going forward. If the ticket is only a couple of hours longer than the policy (the alert should tell you the policy time), take two steps away from the button.

Fourth, check (especially if this is between domain controllers) whether the machine account being used belongs to a DC being brought online and syncing for the first time, in which case this is probably a false positive.

Now if none of these things match your reported scenario, go find out what accounts were affected, where the accesses came from and how long that ticket has to live, and start triaging! You might have a real intrusion going on!
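The four checks above, written out as a triage routine. This is an added example, not code from the post or from Microsoft Defender ATA: the alert fields, the list of newly promoted DCs and the hour thresholds (how much excess counts as "a couple hours" of clock skew, and how long a lifetime counts as "months to years") are all assumptions made for the example, and the sample alerts at the bottom are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Thresholds are assumptions for this example, not values from Defender ATA.
CLOCK_SKEW_TOLERANCE_HOURS = 24.0     # "only a couple hours" over policy
LONG_LIVED_TICKET_HOURS = 30 * 24.0   # months-to-years lifetimes typical of golden tickets


@dataclass
class AtaTicketAlert:
    """Fields assumed to be available from the ATA alert (constructed for the example)."""
    account: str                  # principal on the ticket, e.g. "jsmith" or "DC02$"
    ticket_lifetime_hours: float  # time to live ATA reported for the ticket
    policy_max_hours: float       # group policy maximum the alert reports
    source_host: str
    target_hosts: List[str] = field(default_factory=list)


def is_machine_account(principal: str) -> bool:
    """Machine accounts are the computer name with a trailing $."""
    return principal.endswith("$")


def triage(alert: AtaTicketAlert, newly_promoted_dcs: List[str]) -> Tuple[str, List[str]]:
    """Return (verdict, reasons) following the post's four checks in order."""
    reasons: List[str] = []

    # Check 1: the alert only means the lifetime exceeded policy; measure by how much.
    excess = alert.ticket_lifetime_hours - alert.policy_max_hours
    if excess <= 0:
        return "not_applicable", ["ticket lifetime is within policy; alert condition not met"]
    reasons.append(f"lifetime exceeds policy by {excess:.1f}h "
                   f"(targets: {', '.join(alert.target_hosts) or 'none listed'})")

    # Check 2: machine account vs. user account.
    if is_machine_account(alert.account):
        reasons.append("principal is a machine account, not a user")
        host = alert.account.rstrip("$").upper()

        # Check 4: a DC being brought online and syncing for the first time.
        if host in {dc.upper() for dc in newly_promoted_dcs}:
            reasons.append("account belongs to a DC doing its initial sync")
            return "likely_false_positive", reasons

        # Check 3: a small excess on a machine account points at clock skew.
        if excess <= CLOCK_SKEW_TOLERANCE_HOURS:
            reasons.append("small excess: clock skew is the likely cause")
            return "verify_clock_and_policy", reasons

        reasons.append("long lifetime on a machine account: possible silver ticket")
        return "investigate", reasons

    # Check 3 for user accounts: months-long lifetimes are what forged tickets look like.
    if excess >= LONG_LIVED_TICKET_HOURS:
        reasons.append("months-long lifetime on a user account: consistent with a golden ticket")
        return "escalate", reasons
    if excess <= CLOCK_SKEW_TOLERANCE_HOURS:
        reasons.append("small excess on a user account: confirm policy and clocks first")
        return "verify_clock_and_policy", reasons
    reasons.append("moderate excess on a user account: pull ticket source and targets")
    return "investigate", reasons


if __name__ == "__main__":
    # Constructed sample alerts, not real ATA output.
    samples = [
        AtaTicketAlert("DC02$", 20, 10, "DC02", ["DC01"]),
        AtaTicketAlert("FILE01$", 13, 10, "FILE01", ["DC01"]),
        AtaTicketAlert("jsmith", 24 * 365, 10, "WS17", ["DC01", "FS01"]),
    ]
    for sample in samples:
        verdict, why = triage(sample, newly_promoted_dcs=["DC02"])
        print(sample.account, verdict, "|", "; ".join(why))
```

The verdict strings are deliberately coarse: the routine is a first pass that tells the on-call analyst which of the post's checks explains the alert, not a replacement for pulling the ticket's source and target hosts when it returns `investigate` or `escalate`.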

Sunday, February 10, 2019

Daily Blog #623: Sunday Funday 2/10/19

Hello Reader
             Keeping up with all of the materials that the community makes based on the work you, the reader, do in Sunday Funday challenges really makes it all worth it. Let's keep this amazing streak going with this week's DeepFreeze challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 2/15/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
When using the latest version of DeepFreeze on Windows 10, what determines newly written data's ability to be recovered after reboot?

Saturday, February 9, 2019

Daily Blog #622: Solution Saturday 2/9/19

Hello Reader,
             This week Oleg Skulkin has come in with another win! Oleg found some interesting results. In Oleg's testing all of his executions were caught by the Amcache, except those programs executed from external storage volumes. Very interesting! I think we will have to go back to Syscache and Amcache again in the near future to find more about what Oleg was seeing!

The Challenge:
What are all the methods of execution you can find that are not recorded in the Amcache hive?

The Winning Answer:
Oleg Skulkin

Daily Blog #621: ADFS accounts in SAM hives

Hello Reader,
            I wanted to make a quick post about ADFS (Active Directory Federation Services) and Azure AD. If the Windows system you are examining has a user that is authenticating against Azure AD in any configuration (cloud, hybrid, Office 365), then you should be looking for an additional key value that has been around since the original 'Microsoft Account' in Windows 8.

The key value 'InternetUserName' stores the full account name, with domain, that the user authenticated with. A true local account will not have this value; only accounts that are authenticated against cloud-hosted domains should contain it. In combination with a logon count of 0, this can be used to determine not only that the user was not a local account but also the full account name associated with it.
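The check described above, applied to already-extracted SAM user values. This is an added example, not code from the post: it assumes the per-user values have been read out of the hive (under the user's RID key) into a dictionary, that 'InternetUserName' decodes as a UTF-16LE string, and that the logon count is the 16-bit little-endian field at offset 0x42 of the binary F value as documented for SAM parsers; the F values and account names below are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Offset of the 2-byte logon count inside a SAM user's binary "F" value
# (assumed from the commonly documented F-value layout used by SAM parsers).
LOGON_COUNT_OFFSET = 0x42
F_VALUE_MIN_LEN = 0x50


def logon_count(f_value: bytes) -> int:
    """Return the little-endian 16-bit logon count from a SAM F value."""
    if len(f_value) < LOGON_COUNT_OFFSET + 2:
        raise ValueError("F value too short to contain a logon count")
    return struct.unpack_from("<H", f_value, LOGON_COUNT_OFFSET)[0]


def decode_utf16_value(raw: bytes) -> str:
    """Decode a string value as stored in the hive: UTF-16LE, NUL terminated."""
    return raw.decode("utf-16-le").rstrip("\x00")


@dataclass
class SamUser:
    rid: int
    username: str
    f_value: bytes
    internet_user_name: Optional[str]  # decoded 'InternetUserName', if present

    @classmethod
    def from_registry_values(cls, rid: int, username: str, values: Dict[str, bytes]) -> "SamUser":
        """Build from the raw values found under the user's RID key."""
        iun = values.get("InternetUserName")
        return cls(rid, username, values["F"], decode_utf16_value(iun) if iun is not None else None)


def classify(user: SamUser) -> dict:
    """Apply the post's rule: 'InternetUserName' marks a cloud-backed account, and when
    the logon count is 0 as well, the cloud identity is the name to attribute activity to."""
    count = logon_count(user.f_value)
    cloud_backed = user.internet_user_name is not None
    return {
        "username": user.username,
        "rid": user.rid,
        "account_type": "cloud-backed" if cloud_backed else "local",
        "cloud_identity": user.internet_user_name,
        "logon_count": count,
        # True only for the combination the post describes.
        "attribute_to_cloud_identity": cloud_backed and count == 0,
    }


def make_f_value(count: int) -> bytes:
    """Constructed F value for testing: zero-filled except for the logon count field."""
    buf = bytearray(F_VALUE_MIN_LEN)
    struct.pack_into("<H", buf, LOGON_COUNT_OFFSET, count)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample entries, not data from a real hive.
    local = SamUser.from_registry_values(1001, "dave", {"F": make_f_value(12)})
    cloud = SamUser.from_registry_values(
        1002, "dave",
        {"F": make_f_value(0),
         "InternetUserName": "dave@contoso.example".encode("utf-16-le") + b"\x00\x00"},
    )
    for user in (local, cloud):
        print(classify(user))
```

On a live hive the `values` dictionary would be filled by whatever registry library you already use; the classification logic does not depend on which one.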

Thursday, February 7, 2019

Daily Blog #620: Magnet User Summit 2018 CTFd site is closing

Hello Reader,
              With the 2019 Magnet User Summit coming up and with it the DFIR CTF we are working on for it I think it's time that I close down the 2018 site. You can access it for the month of February here:

Why shut it down?
Well, CTFd charges me $100 a month for the hosting, user registrations have stopped coming in, and we have new/better challenges coming, so I'd rather use that money for this year's CTF!

So if you haven't tried last year's Magnet CTF, this is your chance; I will be ending it 3/1/19.

Wednesday, February 6, 2019

Daily Blog #619: SANS DFIR Summit 2019 CFP is open!

Hello Reader,
             A quick reminder that the 2019 SANS DFIR Summit call for presentations is open!

Happening in Austin, Texas on July 25-26, 2019, the SANS DFIR Summit has some of the best presentations of the year. We look forward to this event every year, as usually there is some new tool or research shown here that we can use immediately in our lab.

Also, if selected, not only do you get a free ticket to go to the summit... you also get a free ticket for a friend!

Tuesday, February 5, 2019

Daily Blog #618: Magnet User Summit 2019 CTF is Full

Hello Reader,
          I registered today for the Magnet User Summit (  and noticed that the CTF that Matt and I are hosting with Magnet and specifically in cahoots with Jessica Hyde is now full!

If you made the cut before it was full, get ready for some stiff competition and some great prizes. If you didn't make it, I'm going to reach out to Magnet to see what we can do to allow people onsite to play virtually on their own systems.

Matt, Jessica and I are working on something special and fun that is meant to be almost fully solvable in the 3 hour period allotted, and I can't wait for you guys to see what we have in store for you!