Just in time for the holidays, we have a new update to the SANS Memory Forensics Cheatsheet! Plugins for the Volatility memory analysis project are organized into relevant analysis steps, helping the analyst walk through a typical memory investigation. We added new plugins like hollowfind and dumpregistry, updated plugin syntax, and now include help for those using the excellent winpmem and DumpIt acquisition tools. The cheatsheet includes nearly everything you need to spend a relaxing evening at home analyzing memory dumps. Enjoy!
UPDATE: I am excited to announce that SANS FOR408 is now FOR500. Over the last few years, we have continued to add more technical content to the class while ageing out some of the more basic material. While the class still provides an excellent framework for conducting Windows forensic analysis, the course difficulty level has shifted to the SANS “5” level. It gives us the freedom to teach some of the more complex forensic artifacts and techniques while still staying true to keeping it a “foundational” forensics course. See for yourself: FOR500.pdf
Rob Lee put together a webcast discussing some of the class updates and changes: https://www.sans.org/webcasts/103377
With the major expansion of forensic curriculum at the SANS Institute, I frequently get questions about what class(es) to take. If you are trying to decide between FOR408 (Windows Forensics) and FOR508 (Advanced Forensics and Incident Response), this is the best comparison I have seen online.
I found the following quote particularly insightful: “508 is not a more advanced version of the 408, it’s a completely different course with completely different objectives.”
— Chad Tilbury (@chadtilbury) May 23, 2013
The team at FIRST (Forum of Incident Response and Security Teams) reached out to talk about my upcoming presentation on Windows credential attacks at their annual conference. We spoke about why enterprise credential protection is so important and some of the recent Microsoft updates to help minimize the attack surface. The entire Windows credential infrastructure has been under unceasing attack over the last couple of years, and amazingly things are about to get far worse. New tools like Bloodhound and Death Star are using graph databases to effortlessly map account permissions and sessions, greatly magnifying poor credential hygiene. At the moment, it is hard to imagine a larger threat to the enterprise. Podcast:
Note: This article originally appeared on the CrowdStrike blog. Look here for additional context.
Detecting reconnaissance activity is something that few blue teams spend time on. Networks are barraged with a near continuous stream of scanning, and determining targeted activity versus Internet noise can be exceedingly difficult. However, there are a few things you can do to counter activity in this early stage of an attack.
Self-Recon is the Best Recon
Knowing that reconnaissance is ubiquitous, your best defense is to get ahead of the game and scan your own networks. Schedule regular asset identification and vulnerability scans, and prioritize vulnerability patching. If someone on your team is regularly testing for SQL injection vulnerabilities in your critical web applications, you won’t have to spend your weekends remediating sqlmap pwnage. The same preparatory actions can help mitigate both active and passive reconnaissance activity. Our team regularly helps clients conduct open-source data collection to identify unnecessary information leakage by company or employee assets. This is exactly what a red team should be doing – helping the organization anticipate attacks and limit their attack surface.
PowerShell is becoming ubiquitous in the Microsoft ecosystem, and, while it simplifies administration, it opens up a nearly unprecedented suite of capabilities for attackers. Nearly every malicious activity imaginable is possible with PowerShell: privilege escalation, credential theft, lateral movement, data destruction, persistence, data exfiltration, and much more. Malicious PowerShell is being used in the wild, and CrowdStrike has seen an uptick in the number of advanced adversaries employing it during breaches. Dmitri Alperovitch wrote about one of these actors, Deep Panda, in his article “Deep in Thought: Chinese Targeting of National Security Think Tanks.” Attackers are leaning more on PowerShell because it is readily available and gets the job done with an added bonus of leaving behind almost no useful forensic artifacts. Jaron Bradley and I previously tackled the subject of command-line auditing in the CrowdCast, “What Malware? Hunting Command Line Activity”. I am pleased to report that there have been some significant upgrades to command line logging since that webcast.
Process Creation Events
Starting with Server 2012R2, Microsoft released a new group policy setting to enable the recording of full command lines in Process Tracking audit events.
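Once that policy is on, every Security log event 4688 carries the full command line, and the interesting work becomes triaging those lines at scale. The following Python is an added example, not code from the post or from CrowdStrike: it parses a 4688 event in the standard Windows event XML shape, decodes a PowerShell -EncodedCommand argument (base64 of UTF-16LE) so the real command can be read, and flags the usual evasion switches. The sample event is constructed here; the ParentProcessName field is assumed to be present, which is only true on newer Windows builds.

```python
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Loose match for -EncodedCommand and the abbreviations PowerShell accepts
# (-e, -ec, -enc, ...) followed by a base64 blob. A heuristic, not a parser.
ENC_RE = re.compile(r"(?i)(?<!\S)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")

# Substrings that commonly mark script-driven or evasive PowerShell use.
SUSPICIOUS = ("-nop", "-w hidden", "-windowstyle hidden", "bypass",
              "downloadstring", "iex", "invoke-expression", "frombase64string")


def encode_command(script):
    """UTF-16LE base64, the form PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_4688(user, new_process, command_line, parent):
    """Constructed 4688 event in Windows event XML (EventData names follow
    the Security log schema; ParentProcessName assumed available)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4688</EventID><Channel>Security</Channel></System>"
        "<EventData>"
        f'<Data Name="SubjectUserName">{escape(user)}</Data>'
        f'<Data Name="NewProcessName">{escape(new_process)}</Data>'
        f'<Data Name="CommandLine">{escape(command_line)}</Data>'
        f'<Data Name="ParentProcessName">{escape(parent)}</Data>'
        "</EventData></Event>"
    )


def parse_4688(xml_text):
    """Return the EventData fields of a 4688 event as a dict, or None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    return {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}


def decode_encoded_command(command_line):
    """Decode a -EncodedCommand payload if one is present, else None."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(fields):
    """Score one parsed 4688 event: decoded command plus matched indicators."""
    cmd = fields.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = (cmd + " " + (decoded or "")).lower()
    hits = [k for k in SUSPICIOUS if k in text]
    if decoded is not None:
        hits.append("encodedcommand")
    return {"user": fields.get("SubjectUserName"),
            "process": fields.get("NewProcessName"),
            "parent": fields.get("ParentProcessName"),
            "decoded": decoded, "hits": hits}


# Constructed sample events: one encoded, hidden-window launch and one benign.
SAMPLE_SCRIPT = "Get-ChildItem C:\\Users -Recurse"
SAMPLE_EVENTS = [
    build_4688("jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "powershell.exe -NoP -W Hidden -Enc " + encode_command(SAMPLE_SCRIPT),
               r"C:\Windows\System32\cmd.exe"),
    build_4688("svc", r"C:\Windows\System32\notepad.exe",
               "notepad.exe readme.txt", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(triage(parse_4688(evt)))
```

On a live system the same functions apply to the XML returned by Get-WinEvent's ToXml() or to an exported .evtx converted to XML; the parent process and user fields are what turn a single odd command line into a story.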
It wasn’t that long ago that every report I read containing Windows prefetch artifacts included only the basics: executable name, first and last time executed (now eight timestamps in Win8), and number of executions. There is much more information stored in prefetch files, but until recently there were few tools to easily parse and provide it to the examiner. Mark McKinnon wrote one of the first prefetch parsers to include full path names for additional files accessed within the first ten seconds of application launch. TZWorks’ pf tool now also provides this information. Depending on case type, this information could be overkill, but imagine a prefetch file tracking execution of a malicious binary while also identifying a related malicious DLL loaded, or the location of keylog output. A lot of files are accessed within the first ten seconds of execution, so you may find evidence of specific documents opened in the prefetch file for the Microsoft WinWord application or in the case of Figure 1, files accessed within zip archives via a 7zip prefetch file.
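To see where those extra fields live, here is an added Python example (not the post's own code, nor TZWorks' or Mark McKinnon's parser) that reads the prefetch header, the last-run timestamp(s) and run counter from the file information block, and the filename strings array that lists the files touched during startup. Offsets follow the documented XP (17), Vista/7 (23) and Windows 8 (26) formats; Windows 10 files are compressed and use a different layout, so they are rejected. The sample prefetch image is constructed in the block, and the list of "unusual" directories used to flag paths is an assumption chosen for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# (offset of last-run FILETIME(s), offset of run count, number of timestamps)
# in the whole file, keyed by prefetch format version.
LAYOUT = {17: (120, 144, 1), 23: (128, 152, 1), 26: (128, 208, 8)}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Directories where a DLL or output file loaded at startup deserves a second
# look (assumed list for illustration; prefetch stores paths upper-cased).
UNUSUAL_DIRS = ("\\TEMP\\", "\\APPDATA\\", "\\PUBLIC\\", "\\PROGRAMDATA\\")


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Parse an uncompressed version 17/23/26 prefetch file."""
    version, signature, _, _ = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file")
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    # Executable name: 60 bytes of UTF-16LE at offset 16, NUL terminated.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]
    # Filename strings offset/size sit at the same place in every version.
    strings_off, strings_size = struct.unpack_from("<II", data, 100)
    times_off, count_off, n_times = LAYOUT[version]
    raw_times = struct.unpack_from("<%dQ" % n_times, data, times_off)
    run_count = struct.unpack_from("<I", data, count_off)[0]
    raw = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    return {
        "version": version,
        "executable": exe_name,
        "hash": "%08X" % path_hash,
        "run_count": run_count,
        "last_runs": [filetime_to_datetime(t) for t in raw_times if t],
        "accessed_files": [s for s in raw.split("\x00") if s],
    }


def flag_unusual(accessed_files):
    """Return the accessed paths that fall under an unusual directory."""
    return [p for p in accessed_files
            if any(d in p.upper() for d in UNUSUAL_DIRS)]


def build_sample_prefetch(exe_name, accessed, run_count, last_run_filetime):
    """Constructed version-23 image: 84-byte header, 156-byte file
    information block, then the filename strings array."""
    buf = bytearray(84 + 156)
    strings = "".join(p + "\x00" for p in accessed).encode("utf-16-le")
    struct.pack_into("<I4sII", buf, 0, 23, b"SCCA", 0x11, len(buf) + len(strings))
    name = exe_name.encode("utf-16-le")
    buf[16:16 + len(name)] = name          # rest of the 60 bytes stays zero
    struct.pack_into("<I", buf, 76, 0x1234ABCD)
    struct.pack_into("<II", buf, 100, len(buf), len(strings))
    struct.pack_into("<Q", buf, 128, last_run_filetime)
    struct.pack_into("<I", buf, 152, run_count)
    return bytes(buf) + strings


# Constructed sample: a dropper that loads a DLL from AppData and writes a log.
SAMPLE_ACCESSED = [
    r"\VOLUME{01d2e3f4-5a6b7c8d}\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\VOLUME{01d2e3f4-5a6b7c8d}\WINDOWS\SYSTEM32\KERNEL32.DLL",
    r"\VOLUME{01d2e3f4-5a6b7c8d}\USERS\JDOE\APPDATA\ROAMING\UPDATER\HELPER.DLL",
    r"\VOLUME{01d2e3f4-5a6b7c8d}\USERS\JDOE\APPDATA\ROAMING\UPDATER\KEYLOG.TXT",
]
SAMPLE_FILETIME = 131444736000000000        # 2017-07-14 02:40:00 UTC
SAMPLE_PREFETCH = build_sample_prefetch("UPDATER.EXE", SAMPLE_ACCESSED, 7, SAMPLE_FILETIME)

if __name__ == "__main__":
    info = parse_prefetch(SAMPLE_PREFETCH)
    print(info["executable"], info["run_count"], info["last_runs"])
    for path in flag_unusual(info["accessed_files"]):
        print("review:", path)
```

The same walk over a real UPDATER.EXE-XXXXXXXX.pf would surface the loaded DLL and the output file the post describes; on Windows 8 the eight timestamps come back as a list rather than one value.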
With the release of Internet Explorer 10, Microsoft made a radical departure from the way previous browser artifacts were stored. The perennial Index.dat records were replaced with a centralized meta-data store for the browser using the proven “JET Blue” Extensible Storage Engine (ESE) database format. While many forensic examiners have remained blissfully unaware of the ESE format, it has been increasingly used throughout Microsoft products for Exchange, NTDS.DIT, the Windows search database, Windows Live Messenger contacts, and Internet Explorer (IE). With the introduction of an enterprise-grade database hosting network artifacts, it is now time for every Windows investigator to understand how the database works and what data they may be missing. Remember that even if a user never opens Internet Explorer, there may still be valuable records in their IE database including files opened on the local system, network shares, and removable devices. It may also hold evidence of malicious activity including HTTP connections initiated on behalf of malware or suspicious sites visited via links clicked in email clients. Internet Explorer and its supporting libraries are deeply tied to the Windows operating system and WinINet API functions often interact with IE databases. Thus IE history, and the WebCache database in particular, continues to be a rich data source during many forensic examinations.
One of the great pleasures of performing Windows forensics is that there is no shortage of application execution artifacts. Application execution tells us what has run on a system and is often the pivot point that reveals important activity on the system. Why was FTP run on this workstation? Is it normal to see execution of Winsvchost.exe? Why was a privacy cleaning tool used for the first time during the system owner’s last week of work? While these artifacts are undoubtedly useful, our adversaries are more forensic-aware than ever and often take steps to eliminate application execution artifacts. At CrowdStrike we routinely encounter nation-state groups that attempt to delete Prefetch. Even the popular CCleaner anti-forensics tool defaults to clearing Prefetch and UserAssist data. Hence, having additional sources of data can often mean the difference between an easy examination and a long, painful one.
The third release of the free CrowdResponse incident response collection tool is now available! This time around we are including plugins facilitating collection of Windows registry data. Our inspiration for this release was one of those vulnerabilities that just won’t die, Windows Sticky Keys, and we’ll show how to identify this attack while demonstrating the new additions.
RegDump recursively extracts Windows registry key and value data.

    -d          Nested output format
    -s          Recursive dump
    <reg key>   Registry key to start dump from

Valid registry hive names are: HKLM, HKCU, HKCR, HKU, and HKAU (pseudo key representing all users)
RegFile searches for registry string values (REG_SZ and REG_EXPAND_SZ) and identifies file path data. If the file exists on disk, file information, hash, and digital signature details are recorded.
My recent webcast with Jaron Bradley was recorded and a link is available below. If you have been looking for an excuse to get more familiar with Windows PowerShell, have a look.
What Malware? Hunting Command Line Activity
There is a reason hackers use the command line, and it isn’t to impress you with their prowess. Throughout the history of Windows, the command line has left far fewer forensic artifacts than equivalent operations via the GUI. To make matters worse, the transition to Windows 7 and 8 has spread PowerShell throughout the enterprise. While it makes our lives easier as defenders, it does the same for our adversaries. Every time you marvel at the capabilities of PowerShell, you should fear how your adversaries may use that power against you.
In this CrowdCast we have collected tips and tricks from our incident responders describing how they are countering the command line threat. Learn to identify when it is in play, extract commands from memory and network packets, and see what is new on the horizon from Microsoft to make tracking command line activity easier.