Monday, February 11, 2019

Daily Blog #624: Microsoft Defender ATA Golden Ticket False Positive

Hello Reader,
             I'm writing this post to serve as a bookmark for the future for anyone out there searching for this. If it's late at night and you have Microsoft Defender ATA in your network monitoring your systems and suddenly you get a High alert that a golden ticket was in use ... take a deep breath and examine the facts.

First, this alert is generated because the Kerberos ticket it reported had a time to live longer than group policy allows. This is not proof that a forged ticket is being used right now, so take a step away from the 'fire the missiles' button and examine the facts.

Second, check the account being used. If it is the machine account (the computer name with a $ at the end) and not a user, then this could be a 'silver ticket' attack or just a system whose clock is out of sync.

Third, check which hosts this ticket is accessing and what its actual time to live is. When I make golden tickets in an attack simulation I give them very long lives (months to years) so I can keep using them going forward. If the ticket is only a couple of hours over the policy (the alert should tell you the policy time), take two steps away from the button.

Fourth, check (especially if this is between domain controllers) whether the machine account being used belongs to a DC being brought online and syncing for the first time, in which case this is probably a false positive.

Now, if none of these match your reported scenario, go find out what accounts were affected, where the accesses came from, and how long that ticket has to live, and start triaging! You might have a real intrusion going on!
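The four checks above can be encoded as a small triage playbook so the on-call analyst sees the same questions every time. The following is an added example, not ATA's code and not an ATA API: the alert field names (ticket start/end, policy lifetime, source and target hosts, the list of known and newly promoted DCs) are assumptions about what you would pull from the alert and your asset inventory, and the "couple of hours" and "months to years" cutoffs are assumed values you should tune to your own environment.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed cutoffs for this example (not ATA settings): a couple of hours over
# policy is treated as noise, while months-to-years lifetimes look like forged tickets.
SMALL_EXCESS = timedelta(hours=3)
LONG_LIVED = timedelta(days=30)
MAX_CLOCK_SKEW = timedelta(minutes=5)   # Kerberos default tolerated clock skew


@dataclass
class TicketAlert:
    """Constructed stand-in for the fields an ATA-style alert exposes (field names assumed)."""
    account: str                      # account name as reported by the alert
    ticket_start: datetime            # ticket start time (UTC)
    ticket_end: datetime              # ticket end time (UTC)
    policy_max_lifetime: timedelta    # max ticket lifetime configured in Group Policy
    observed_at: datetime             # when the sensor saw the ticket in use (UTC)
    source_host: str                  # host presenting the ticket
    target_hosts: list                # hosts the ticket was used against
    domain_controllers: set = field(default_factory=set)   # known DC hostnames
    newly_promoted_dcs: set = field(default_factory=set)   # DCs currently being brought online


def is_machine_account(name: str) -> bool:
    """Machine accounts end in '$' (COMPUTERNAME$)."""
    return name.endswith("$")


def triage(alert: TicketAlert):
    """Return (verdict, reasons) by walking the four checks from the post."""
    reasons = []
    lifetime = alert.ticket_end - alert.ticket_start
    excess = lifetime - alert.policy_max_lifetime
    dcs = {d.upper() for d in alert.domain_controllers}
    new_dcs = {d.upper() for d in alert.newly_promoted_dcs}

    # First: the alert only means the lifetime exceeded policy; record by how much.
    reasons.append(f"ticket lifetime {lifetime} exceeds policy {alert.policy_max_lifetime} by {excess}")

    # Second: a machine account points at a silver ticket or a clock that is out of sync.
    machine = is_machine_account(alert.account)
    if machine:
        reasons.append("machine account: consider silver ticket or clock skew before golden ticket")
        # Assumed heuristic: a ticket that starts after the sensor saw it implies a skewed clock.
        if alert.ticket_start - alert.observed_at > MAX_CLOCK_SKEW:
            reasons.append("ticket start is ahead of the sensor clock: host clock may be out of sync")

    # Fourth: a new DC replicating for the first time is a known false-positive pattern.
    host_of_account = alert.account.rstrip("$").upper()
    all_targets_dcs = all(h.upper() in dcs for h in alert.target_hosts)
    if machine and host_of_account in new_dcs and all_targets_dcs:
        reasons.append("machine account belongs to a DC being brought online and only talks to DCs")
        return "LIKELY_FALSE_POSITIVE", reasons

    # Third: how far over policy the ticket is, and where it was used.
    reasons.append(f"used from {alert.source_host} against {', '.join(alert.target_hosts)}")
    if excess <= SMALL_EXCESS:
        reasons.append("only a couple of hours over policy: verify the policy value and clocks first")
        return "LOW", reasons
    if excess >= LONG_LIVED and not machine:
        reasons.append("months-to-years lifetime on a user account: triage affected accounts and sources")
        return "HIGH", reasons
    return "MEDIUM", reasons


def sample_alerts():
    """Constructed sample alerts (not real data) that exercise each branch."""
    now = datetime(2019, 2, 11, 2, 0, tzinfo=timezone.utc)
    policy = timedelta(hours=10)
    dcs = {"DC01", "DC02"}

    def make(account, lifetime, source, targets, new_dcs=frozenset(), start=None):
        start = start or now - timedelta(hours=1)
        return TicketAlert(account, start, start + lifetime, policy, now, source, targets, dcs, set(new_dcs))

    return {
        "user_one_hour_over": make("jdoe", policy + timedelta(hours=1), "WS01", ["FS01"]),
        "user_one_year": make("jdoe", timedelta(days=365), "WS01", ["DC01", "FS01"]),
        "new_dc_sync": make("DC02$", timedelta(days=3), "DC02", ["DC01"], new_dcs={"DC02"}),
        "workstation_skewed": make("WS01$", timedelta(days=5), "WS01", ["FS01"],
                                   start=now + timedelta(minutes=30)),
    }


if __name__ == "__main__":
    for name, alert in sample_alerts().items():
        verdict, why = triage(alert)
        print(f"{name}: {verdict}")
        for line in why:
            print(f"  - {line}")
```

The verdict is only a starting point: "HIGH" means go and enumerate the affected accounts, the source host and the remaining ticket lifetime, exactly as the post says, while "LIKELY_FALSE_POSITIVE" still deserves a note in the ticket so the next analyst does not repeat the work.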

Sunday, February 10, 2019

Daily Blog #623: Sunday Funday 2/10/19

Hello Reader
             Keeping up with all of the materials that the community makes based on the work you, the reader, do in Sunday Funday challenges really makes it all worth it. Let's keep this amazing streak going with this week's DeepFreeze challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 2/15/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
When using the latest version of DeepFreeze on Windows 10, what determines newly written data's ability to be recovered after reboot?

Saturday, February 9, 2019

Daily Blog #622: Solution Saturday 2/9/19

Hello Reader,
             This week Oleg Skulkin has come in with another win! Oleg found some interesting results. In Oleg's testing all of his executions were caught by the Amcache, except those programs executed from external storage volumes. Very interesting! I think we will have to go back to Syscache and Amcache again in the near future to find more about what Oleg was seeing!




The Challenge:
What are all the methods of execution you can find that are not recorded in the Amcache hive?

The Winning Answer:
Oleg Skulkin
https://cyberforensicator.com/2019/02/06/amcache-forensics-populated-or-not/


Daily Blog #621: ADFS accounts in SAM hives

Hello Reader,
            I wanted to make a quick post about ADFS (Active Directory Federation Services) and Azure AD. If the Windows system you are examining has a user that is authenticating against Azure AD in any configuration (cloud, hybrid, Office 365), then you should be looking for an additional key value that has been around since the original 'Microsoft Account' in Windows 8.

The key value 'InternetUserName' stores the full account name, including domain, that the user authenticated with. A true local account will not have this value; only accounts authenticated against cloud-hosted domains should contain it. In combination with a 0 logon count, this can be used to determine not only that the user was not a local account but also the full account name associated with it.
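To turn that artifact into a repeatable check, the following added example (my code, not anything from Microsoft or from a forensic tool) classifies each SAM user key as local or cloud-backed from the presence of 'InternetUserName' plus the logon count. It assumes the InternetUserName data is UTF-16LE text (handled as either bytes or an already decoded string), takes the 2-byte logon count at offset 0x42 of the 'F' value as common SAM parsers do, and, for the optional hive walk, assumes the third-party python-registry module is installed; the sample keys are constructed, not pulled from a real hive.

```python
import struct

# Offset of the 2-byte little-endian logon count inside a user's 'F' value
# (assumed here; matches the layout used by common SAM parsers).
LOGON_COUNT_OFFSET = 0x42


def logon_count(f_value: bytes) -> int:
    """Extract the logon count from the raw 'F' value of a Users\\<RID> key."""
    if len(f_value) < LOGON_COUNT_OFFSET + 2:
        raise ValueError("F value too short to contain a logon count")
    return struct.unpack_from("<H", f_value, LOGON_COUNT_OFFSET)[0]


def decode_internet_user_name(raw) -> str:
    """InternetUserName is assumed to hold UTF-16LE text; accept bytes or str."""
    if isinstance(raw, (bytes, bytearray)):
        return bytes(raw).decode("utf-16-le", errors="replace").rstrip("\x00")
    return str(raw)


def classify_user(values: dict) -> dict:
    """values maps value name -> raw data for one Users\\<RID> key (constructed or from a hive).

    Rule from the post: no InternetUserName -> local account; InternetUserName present
    -> cloud-backed account, and a 0 logon count confirms it never counted as a local logon.
    """
    raw_name = values.get("InternetUserName")
    count = logon_count(values["F"]) if "F" in values else None
    if raw_name is None:
        kind = "local"
    elif count == 0:
        kind = "cloud-backed"
    else:
        kind = "cloud-backed (non-zero local logon count, verify)"
    return {
        "kind": kind,
        "internet_user_name": None if raw_name is None else decode_internet_user_name(raw_name),
        "logon_count": count,
    }


def classify_hive(sam_path: str) -> dict:
    """Walk a SAM hive with python-registry (third-party, assumed installed) and classify each RID."""
    from Registry import Registry  # imported lazily so the rest of the module runs without it
    reg = Registry.Registry(sam_path)
    users = reg.open("SAM\\Domains\\Account\\Users")
    results = {}
    for key in users.subkeys():
        if key.name() == "Names":          # the Names subkey holds name->RID links, not user data
            continue
        values = {v.name(): v.value() for v in key.values()}
        results[key.name()] = classify_user(values)
    return results


def sample_user_keys() -> dict:
    """Constructed stand-ins for two Users\\<RID> keys (not real hive data)."""
    cloud_f = bytearray(80)                          # zero logon count at 0x42
    local_f = bytearray(80)
    struct.pack_into("<H", local_f, LOGON_COUNT_OFFSET, 7)
    return {
        "cloud": {
            "F": bytes(cloud_f),
            "InternetUserName": "user@contoso.example".encode("utf-16-le") + b"\x00\x00",
        },
        "local": {"F": bytes(local_f)},
    }


if __name__ == "__main__":
    for label, values in sample_user_keys().items():
        print(label, classify_user(values))
```

Run classify_hive against an exported SAM hive when you have one; the rest of the module, including the constructed samples, needs nothing beyond the standard library.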

Thursday, February 7, 2019

Daily Blog #620: Magnet User Summit 2018 CTFd site is closing

Hello Reader,
              With the 2019 Magnet User Summit coming up and with it the DFIR CTF we are working on for it I think it's time that I close down the 2018 site. You can access it for the month of February here:

https://magnetctf.ctfd.io/

Why shut it down?
Well, CTFd charges me $100 a month for the hosting, user registrations have stopped, and we have new/better challenges coming, so I'd rather use that money for this year's CTF!

So if you haven't tried last year's Magnet CTF this is your chance, I will be ending it 3/1/19.

Wednesday, February 6, 2019

Daily Blog #619: SANS DFIR Summit 2019 CFP is open!

Hello Reader,
             A quick reminder that the 2019 SANS DFIR Summit call for presentations is open!

https://www.sans.org/event/digital-forensics-summit-2019/call-for-presentations

Happening in Austin, Texas on July 25-26, 2019, the SANS DFIR Summit has some of the best presentations of the year. We look forward to this event every year as usually there is some new tool or research shown here that we can use immediately in our lab.

Also, if selected, not only do you get a free ticket to go to the summit... you also get a free ticket for a friend!

Tuesday, February 5, 2019

Daily Blog #618: Magnet User Summit 2019 CTF is Full

Hello Reader,
          I registered today for the Magnet User Summit (https://magnetusersummit.com/schedule) and noticed that the CTF that Matt and I are hosting with Magnet, and specifically in cahoots with Jessica Hyde, is now full!

If you made the cut before it was full, get ready for some stiff competition and some great prizes. If you didn't make it, I'm going to reach out to Magnet to see what we can do to allow people onsite to play virtually on their own systems.

Matt, Jessica and I are working on something special and fun that is meant to be almost fully solved in the 3 hour period allotted and I can't wait for you guys to see what we have in store for you!

Sunday, February 3, 2019

Daily Blog #617: Sunday Funday 2/3/19

Hello Reader,
           2019 is becoming a pretty great year for responses to these challenges. It's always tough to weigh different answers to find the one that is 'most complete' and I appreciate all the hard work all of you put into it. Even if you don't submit an answer and just work on the challenge, I think everyone who is playing is winning. Let's continue this streak by building on Blanche Lagny's Amcache research!



The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 2/8/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
What are all the methods of execution you can find that are not recorded in the Amcache hive?

Daily Blog #616: Solution Saturday 2/2/19

Hello Reader,
        I had some great submissions this week as people really got into shellbags research. This week Kevin Pagano managed to edge out a win with the extra work he did in showing the differences in how the data was recorded with different preferences in sorting and other features. The biggest thing that I took away from this is that we can tell the difference between a directory a user didn't have access to and one that they did have access to and interacted with.

Next we need to determine the difference between just clicking on a directory versus opening it.

The Challenge:
Within a single shellbags entry answer the following:
1. What within the shellbags entry would tell you how the user had set their directory viewing preferences (sort order, thumbnail view, standard view)
2. What is the default view if they don't change anything?
3. If a user attempts to access the system volume information directory and a shellbag entry gets created (it should deny them access) what directory viewing settings are left behind

The Winning Answer:
Kevin Pagano
https://www.stark4n6.com/2019/02/shellbags-folder-views-and-windows.html

Friday, February 1, 2019

Daily Blog #615: Forensic Lunch 2/1/19 Blanche Lagny Amcache DFIR Review

Hello Reader,
          We had another Forensic Lunch! This was a great episode and here are the details.

This week we have:
  • Blanche Lagny talking about her paper on Amcache
  • The DFIR Review crew talking about .. DFIR Review!
    • The DFIR Review crew entails:
      • Jessica Hyde
      • Vico Marziale
      • Brett Shavers
      • Tony Knutson
You can watch it here: