
Showing posts with label syscache. Show all posts

Daily Blog #603: Sunday Funday 1/20/19 - Server 2008 R2 System Challenge

Server 2008 R2 System Challenge by David Cowen - Hacking Exposed Blog



Hello Reader,
            Last week's challenge brought out some great research and new tools. I hope that this streak of great responses continues through 2019! Let's switch focus back to the Syscache hive for this week's challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 1/25/19 7PM CST (GMT -6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
On a Server 2008 R2 system, make 4 copies of mimikatz (your choice of versions), using both the 64-bit and 32-bit builds. Run them from 4 locations of your choice and determine what criteria decide when, and if, an executable gets logged in the Syscache hive, and what dates are associated with the resulting registry keys.


Also Read: Daily Blog #602

Daily Blog #599: Forensic Lunch Test Kitchen 1/16/19 Syscache Server 2008 R2 Mimikatz

Forensic Lunch Test Kitchen 1/16/19 Syscache Server 2008 R2 Mimikatz hosted by David Cowen.


Hello Reader,
   Tonight we just had a short testing session (8 minutes of actual testing) where we checked in on last night's test. Here is what we learned:

  • The time delay did not affect our results
  • A shutdown/power on did not add any new entries
  • The Registry Explorer and hasher entries still had no hash
  • We still saw no entries for the other mimikatz executables
On the next broadcast we will be testing the same behavior in Windows 7 and parsing the whole MFT and Syscache rather than individual records to make sure we aren't missing anything.

You can watch the video here:


Also Read: Daily Blog #598

Daily Blog #598: Forensic Lunch Test Kitchen 1/15/19 Syscache Mimikatz Server 2008 R2

Forensic Lunch Test Kitchen 1/15/19 Syscache Mimikatz Server 2008 R2 Hosted by David Cowen


Hello Reader,
       Tonight we returned to the test kitchen to try to solve the mystery of the multiple mimikatz executables not showing up in the Syscache hive.

Tonight we learned:

  • Syscache does not appear to duplicate entries by hash
  • We got some entries to appear without a hash
  • We are giving the VM enough time to run its background processes to get the Syscache hive fully written to, with a new test tomorrow night
  • The last write time does not appear to be updated when the program is executed again
  • 64-bit and 32-bit executables are being recorded
You can watch the video here:



Also Read: Daily Blog #597 

Daily Blog #594: Forensic Lunch Test Kitchen 1/11/19 Server 2008 R2 Syscache Mimikatz




Hello Reader,
  Tonight on request from a viewer we are looking to see what Mimikatz leaves behind in the Syscache hive on Windows Server 2008 R2.

Here is what we learned:

  • The Syscache hive did not appear to log the 64-bit mimikatz executable from the first execution
  • It did log the 32-bit mimikatz executable on first execution
  • It did log the 64-bit mimikatz executable on the desktop
  • It did not appear to log the 64-bit mimikatz executable in the Documents directory
  • The SHA-1 (base16) hashes were correctly searched on VirusTotal, identifying mimikatz

We are going to leave the VM running over the weekend to see if the other 64-bit executables show up; see you next week. In the meantime, come back tomorrow to see this week's Sunday Funday winner, with the new contest posted this Sunday.

You can watch the video here:

  

Also Read: Syscache and SHA 16bit hashes

Daily Blog #592: Syscache and SHA 16bit hashes

Syscache and SHA 16bit hashes Explained by David Cowen - Hacking Exposed Blog

Hello Reader,
          Tonight I'm applying my Syscache research in some casework, and while testing things out I realized something that I don't think was properly documented before. The Syscache SHA-1 hashes appear to be stored as base16 (hex) hashes, not base32 hashes. So before you begin looking for that malicious executable, make sure you've generated the hash in the correct encoding!
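As an added illustration (this is not code from the post), the Python below renders the same SHA-1 digest in both encodings so the two can be told apart, and normalizes a hash string in either form to lowercase hex for comparison against a hash computed from a file or searched on VirusTotal. It assumes the Syscache value is a plain SHA-1 of the file's contents rendered as text; the sample bytes are constructed for the example.

```python
import base64
import hashlib

# Constructed sample input standing in for the bytes of an executable on disk.
SAMPLE_FILE = b"MZ\x90\x00" + b"constructed sample executable bytes" * 4

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha1_base16(data: bytes) -> str:
    """SHA-1 as 40 hex characters (base16): the form the post found in Syscache
    and the form VirusTotal hash searches accept."""
    return hashlib.sha1(data).hexdigest()


def sha1_base32(data: bytes) -> str:
    """SHA-1 as base32 text. A 20-byte digest is a multiple of 5 bytes, so this
    is exactly 32 characters with no '=' padding. Searching for this string
    against a hex-keyed source finds nothing, which is the mistake the post warns about."""
    return base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")


def normalize_sha1(value: str) -> str:
    """Accept a SHA-1 in either base16 or base32 text form and return lowercase hex.

    Length is the discriminator: 40 hex characters is base16, 32 characters that
    decode to 20 bytes is base32. Anything else is rejected rather than guessed.
    """
    v = value.strip()
    if len(v) == 40 and all(c in HEX_DIGITS for c in v):
        return v.lower()
    if len(v) == 32:
        try:
            raw = base64.b32decode(v.upper())
        except (ValueError, base64.binascii.Error):
            raise ValueError(f"not a base32 SHA-1: {value!r}") from None
        if len(raw) == 20:
            return raw.hex()
    raise ValueError(f"not a recognizable SHA-1 encoding: {value!r}")


def hashes_match(recorded: str, computed: str) -> bool:
    """True when two SHA-1 strings denote the same digest regardless of encoding or case."""
    return normalize_sha1(recorded) == normalize_sha1(computed)


if __name__ == "__main__":
    # The same digest in both encodings, as an analyst would see them side by side.
    print("base16:", sha1_base16(SAMPLE_FILE))
    print("base32:", sha1_base32(SAMPLE_FILE))
    print("match :", hashes_match(sha1_base32(SAMPLE_FILE), sha1_base16(SAMPLE_FILE)))
```

The practical use is the last function: normalize whatever a hive parser or hashing tool emitted before comparing, so a base32 string from one tool and a hex string from another are not mistaken for two different files.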

Daily Blog #588: Solution Saturday 1/5/19 - Syscache.hve Challenge Winner Announcement



Syscache.hve Challenge Winner Announcement by David Cowen




Hello Reader,
       Sometimes you have a winning entry that exceeds all of your expectations. This week is that week for me. Maxim Suhanov has come through with some pretty thorough testing to show what processes write to the Syscache hive and what DLLs reference it. This is great work, and I look forward to trying out the application registry monitoring method he found.

The Challenge:
What processes update the Syscache.hve file on Windows Server 2008 R2?

The Winning Answer:



Also Read: Daily Blog #587

Daily Blog #583: Sunday Funday 12/30/18 - Syscache.hve File Challenge

Syscache.hve File Challenge by David Cowen - Hacking Exposed Computer Forensics Blog


Hello Reader,
      This will be the first Sunday Funday for 2019 since when the submissions are received and judged the winner will be announced in 2019. Let's see what your system monitoring/debugging skills are like.

The Prize:

$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 1/4/19 7PM CST (GMT -6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:

What processes update the Syscache.hve file on Windows Server 2008 R2?

Also Read: Daily Blog #582

Daily Blog #581: Forensic Lunch Test Kitchen 12/28/18 Syscache Applocker and Server 2012

Forensic Lunch Test Kitchen 12/28/18 Syscache Applocker and Server 2012 by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
         Tonight we booted up a Server 2012 VM, which is in line with Windows 8.1, looking to see if we could find a Syscache hive with and without AppLocker configured. So far no such luck, but we will keep trying.

If you want to watch the video you can do so here:


Also Read: Applocker and Windows 10