Friday, February 22, 2019

Daily Blog #629: Coreanalytics Update

Hello Reader,
         Back in July of 2018 CrowdStrike wrote a very interesting post all about Core Analytics, a service that runs by default on OSX and tracks aggregate daily data about the executables run on the system for a month. You can read their original work here: https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/

I've noticed that most of the writeups I've seen about OSX artifacts don't list Core Analytics, which seems strange to me. Outside of KnowledgeC there aren't many other execution artifacts on OSX that I'm aware of. So after checking Mojave on a couple of systems I can report that Core Analytics is still alive and kicking, in one of two directories.

If the user opted to send data to Apple when setting up their Mac, the month's worth of data will be found under:
/Library/Logs/DiagnosticReports/Retired

If the user opted out of sending data to Apple, the data will be found under:
/Library/Logs/DiagnosticReports/

Otherwise all the data is in place and CrowdStrike's script still works.
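As an added example (not CrowdStrike's script and not code from this blog), the following Python walks both directories named above, picks up the `*.core_analytics` files, and aggregates launches and activations per process. The record layout it expects (one JSON object per line, usage records tagged `"name": "comappleosanalyticsAppUsage"` with a `message` object carrying `processName`, `appDescription`, `launches`, `activations`, `uptime` and `activeTime`) comes from the CrowdStrike write-up linked above rather than from this post, so treat those field names as an assumption; lines that do not match are skipped rather than crashing the parser. The sample lines at the bottom are constructed for the example, not captured from a real system.

```python
"""Collect Core Analytics execution records on macOS Mojave.

Added example, not CrowdStrike's script or the blog author's code.
Field names and the record format are assumptions taken from the
CrowdStrike post; anything that does not parse is skipped.
"""
import glob
import json
import os
from typing import Dict, Iterable, List

# The two locations named in the post. Retired/ is populated when the user
# opted in to sending data to Apple; otherwise the files sit in the parent.
CORE_ANALYTICS_DIRS = [
    "/Library/Logs/DiagnosticReports/Retired",
    "/Library/Logs/DiagnosticReports",
]
USAGE_RECORD_NAME = "comappleosanalyticsAppUsage"  # assumed record tag


def find_core_analytics_files(dirs: Iterable[str] = CORE_ANALYTICS_DIRS) -> List[str]:
    """Return every *.core_analytics file found in the candidate directories."""
    found: List[str] = []
    for d in dirs:
        if os.path.isdir(d):
            found.extend(sorted(glob.glob(os.path.join(d, "*.core_analytics"))))
    return found


def parse_usage_records(lines: Iterable[str]) -> List[Dict]:
    """Extract per-process usage records from the lines of one file."""
    records: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # not a JSON object line
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # marker lines, partial writes, or an unexpected format
        if obj.get("name") != USAGE_RECORD_NAME:
            continue
        msg = obj.get("message", {})
        if "processName" not in msg:
            continue
        records.append({
            "process": msg["processName"],
            "app": msg.get("appDescription"),
            "launches": msg.get("launches", 0),
            "activations": msg.get("activations", 0),
            "uptime_s": msg.get("uptime", 0),
            "active_s": msg.get("activeTime", 0),
        })
    return records


def summarize_executions(files: Iterable[str]) -> Dict[str, Dict]:
    """Aggregate launches/activations per process across the daily files."""
    summary: Dict[str, Dict] = {}
    for path in files:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for rec in parse_usage_records(fh):
                entry = summary.setdefault(
                    rec["process"], {"launches": 0, "activations": 0, "days_seen": 0})
                entry["launches"] += rec["launches"]
                entry["activations"] += rec["activations"]
                entry["days_seen"] += 1
    return summary


# Constructed sample of what one file's lines might look like (not real data).
SAMPLE_LINES = [
    '{"_marker":"<begin-section-1>"}',
    'not json at all',
    '{"message":{"processName":"Terminal","appDescription":"com.apple.Terminal ||| 2.9",'
    '"launches":2,"activations":5,"uptime":3600,"activeTime":120,"foreground":true},'
    '"name":"comappleosanalyticsAppUsage","uuid":"constructed-1"}',
    '{"message":{"processName":"osascript","launches":1,"activations":0,"uptime":4,'
    '"activeTime":0,"foreground":false},"name":"comappleosanalyticsAppUsage","uuid":"constructed-2"}',
    '{"message":{"other":"ignored"},"name":"somethingElse"}',
]

if __name__ == "__main__":
    files = find_core_analytics_files()
    if files:
        for proc, stats in sorted(summarize_executions(files).items()):
            print(f"{proc:40s} launches={stats['launches']} "
                  f"activations={stats['activations']} days={stats['days_seen']}")
    else:
        print("no core_analytics files found; parsing the constructed sample instead")
        for rec in parse_usage_records(SAMPLE_LINES):
            print(rec)
```

Run it with `sudo` on the system under examination (the directories are root-readable) or point `find_core_analytics_files` at a mounted image's copy of `/Library/Logs/DiagnosticReports`; a process with `launches` greater than zero on a given day is the execution evidence the post is after.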

Tuesday, February 19, 2019

Daily Blog #628: DFIR in 120 Seconds

Hello Reader,
           I know many of you are looking to get a better understanding of the fundamentals of DFIR. In most of my daily writing I focus on new things that I'm researching or find interesting, but I don't typically take the time to cover the basics. Luckily Mathias Fuchs has started a video series called DFIR in 120 Seconds to create consumable chunks of DFIR knowledge with good illustrations and explanations. While the videos will sometimes creep over 120 seconds, they are always concise and explain key concepts in quick order.

Go check it out here: https://www.cyberfox.blog/dfir-in-120-seconds/

Daily Blog #627: Deep Freeze and DFIR

Hello Reader,
            While I didn't have any winners for last week's Sunday Funday, I did want to draw your attention to the answers that were already out there, from 8 years ago. Lance Mueller, who wrote/writes the ForensicKB blog, did his own Deep Freeze testing 8 years ago. Jessica Hyde reminded me of this while I was doing my own testing, and it appears that Lance went even farther than I did in my first couple of tests.

So if you were looking for the answers to how Deep Freeze writes data and discards it between reboots, I would suggest brushing up on Lance's research below:

http://www.forensickb.com/2010/10/forensic-analysis-of-frozen-hard-drive.html

Sunday, February 17, 2019

Daily Blog #626: Sunday Funday 2/17/19

Hello Reader,
         Let's reevaluate challenges again. Last week I either asked for too much or went too niche, so let's open it up again. The point of these challenges is to get you, the larger DFIR community, involved in your own research and testing so you can surprise yourself and help others in their work. So with that, here is this week's challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 2/22/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
On an OSX Mojave system, what are the different places that record that a program has executed?

Saturday, February 16, 2019

Daily Blog #625: Solution Saturday 2/16/19

Hello Reader,
             I was wondering 6 months ago what would make me miss a day of blogging; it turns out the answer is moving! So now that things are settling down I should be back on schedule. Speaking of things that were missed, this week's contest had no qualifying submissions that I saw. So tune in for this week's Sunday Funday and your chance to take a $100 Amazon giftcard for some DFIR research.

The Challenge:
When using the latest version of DeepFreeze on Windows 10, what determines newly written data's ability to be recovered after reboot?

The Winning Answer:
No one!

Monday, February 11, 2019

Daily Blog #624: Microsoft Defender ATA Golden Ticket False Positive

Hello Reader,
             I'm writing this post to serve as a bookmark for the future for anyone out there searching for this. If it's late at night and you have Microsoft Defender ATA in your network monitoring your systems and suddenly you get a High alert that a golden ticket is in use ... take a deep breath and examine the facts.

First, this alert is generated because the Kerberos ticket it reported had a lifetime longer than the maximum allowed by Group Policy. That is not proof that a golden ticket is being used right now, so take a step away from the "fire the missiles" button and examine the facts.

Second, check the account being used. If it is a machine account (the computer name with a $ at the end) and not a user, then this could be a 'silver ticket' attack or just a system whose clock is out of sync.

Third, check which hosts this ticket is accessing and what its actual lifetime is. When I make golden tickets in an attack simulation I give them very long lifetimes (months to years) so I can keep using them going forward. If the ticket's lifetime is only a couple of hours longer than the policy allows (the alert should show you the policy value), take two steps away from the button.

Fourth, check (especially if this is between domain controllers) whether the machine account being used belongs to a DC that is being brought online and syncing for the first time. In that case this is probably a false positive.

Now if none of these things match your reported scenario, go find out which accounts were affected, where the accesses came from, and how long that ticket has to live, and start triaging! You might have a real intrusion going on!
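To make the four checks above repeatable at 2 a.m., here is an added example (my own code, not Microsoft's alert logic and not from this blog) that encodes them as an ordered triage decision and records the reasons for the verdict. The alert fields (`account`, `ticket_lifetime_hours`, `policy_max_lifetime_hours`, `target_hosts`), the list of domain controllers known to be mid-promotion, and the "marginally over policy" threshold of 6 hours are all assumptions chosen for the example; ATA's real alert schema is not on the page, so map its fields into `TicketAlert` yourself.

```python
"""Triage helper for a Microsoft Defender ATA "golden ticket" alert.

Added example, not Microsoft's logic or the blog author's code. Alert
field names, the new-DC list and the MARGINAL_EXCESS_HOURS threshold
are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set


@dataclass
class TicketAlert:
    account: str                      # e.g. "jdoe" or "WS01$" (machine account)
    ticket_lifetime_hours: float      # lifetime ATA observed on the ticket
    policy_max_lifetime_hours: float  # maximum ticket lifetime from Group Policy
    target_hosts: List[str] = field(default_factory=list)


@dataclass
class TriageResult:
    verdict: str          # "probable_false_positive", "investigate" or "escalate"
    reasons: List[str]


# Assumed threshold for "only a couple of hours greater than the policy".
MARGINAL_EXCESS_HOURS = 6.0


def is_machine_account(account: str) -> bool:
    """Machine accounts carry a trailing '$' in their sAMAccountName."""
    return account.strip().endswith("$")


def triage_golden_ticket_alert(alert: TicketAlert,
                               new_dc_accounts: Iterable[str] = ()) -> TriageResult:
    """Apply the post's four checks in order and return a verdict with reasons."""
    reasons: List[str] = []
    excess = alert.ticket_lifetime_hours - alert.policy_max_lifetime_hours
    # First check: the alert only says the lifetime exceeds policy, nothing more.
    reasons.append(f"ticket lifetime exceeds policy by {excess:.1f}h")

    new_dcs: Set[str] = {a.strip().upper() for a in new_dc_accounts}
    machine = is_machine_account(alert.account)

    # Fourth check: machine account of a DC being brought online and syncing
    # for the first time is the classic false positive.
    if machine and alert.account.strip().upper() in new_dcs:
        reasons.append("account is a domain controller being promoted/syncing for the first time")
        return TriageResult("probable_false_positive", reasons)

    # Second check: a machine account rather than a user points at a silver
    # ticket or a clock that is simply out of sync.
    if machine:
        reasons.append("machine account, not a user: consider silver ticket or clock skew")
        # Third check: a lifetime only marginally over policy favours clock skew.
        if excess <= MARGINAL_EXCESS_HOURS:
            reasons.append("lifetime only marginally over policy: likely clock out of sync")
            return TriageResult("investigate", reasons)
        return TriageResult("escalate", reasons)

    # Third check for user accounts: months-to-years lifetimes are the
    # golden ticket pattern; a couple of hours over is not.
    if excess > MARGINAL_EXCESS_HOURS:
        reasons.append(
            f"user account with long-lived ticket accessing {len(alert.target_hosts)} host(s)")
        return TriageResult("escalate", reasons)

    reasons.append("user account, lifetime only marginally over policy")
    return TriageResult("investigate", reasons)


# Constructed alerts for demonstration (not real ATA output).
SAMPLE_ALERTS = [
    TicketAlert("DC02$", 2010, 10, ["DC01"]),              # new DC syncing
    TicketAlert("WS07$", 12, 10, ["FS01"]),                # workstation, 2h over
    TicketAlert("jdoe", 24 * 30 * 6, 10, ["FS01", "DC01"]),  # six-month ticket
    TicketAlert("jdoe", 11, 10, ["FS01"]),                 # user, 1h over
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        r = triage_golden_ticket_alert(a, new_dc_accounts={"DC02$"})
        print(f"{a.account:8s} -> {r.verdict:24s} {'; '.join(r.reasons)}")
```

The verdict is deliberately never "ignore": a `probable_false_positive` still gets written down with its reasons, and anything that falls through to `escalate` is the case the last paragraph describes, where the affected accounts, source of the accesses and remaining ticket lifetime go straight into the investigation.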

Sunday, February 10, 2019

Daily Blog #623: Sunday Funday 2/10/19

Hello Reader,
             Keeping up with all of the materials that the community makes based on the work you, the reader, do in Sunday Funday challenges really makes it all worth it. Let's keep this amazing streak going with this week's DeepFreeze challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 2/15/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
When using the latest version of DeepFreeze on Windows 10, what determines newly written data's ability to be recovered after reboot?