Sans book 2 Flashcards

(125 cards)

1
Q

Keyword

A

Description

2
Q

Malware execution (WER Report)

A

Windows Error Reporting (WER) logs are stored as files named Report.wer and are written in plain text or XML format. Of note, they can include the SHA1 hash of a file, although there is a file size limitation, so the Report.wer won’t capture very large files.

They can be present in multiple different “WER” folders including:
> C:\ProgramData\Microsoft\Windows\WER
> %User Profile%\AppData\Local\Microsoft\Windows\WER (also check Default, Public, and ALL Users profiles)

3
Q

ShimCache: Application Compatibility Cache

A

Designed to detect and remediate program compatibility challenges when a program launches. Different compatibility modes are called “shims”.

4
Q

ShimCache: Location Windows 7+

A

Memory: SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache

5
Q

ShimCache: Location Windows XP

A

Memory: SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatibility\AppCompatCache

6
Q

AppCompatCacheParser.exe

A

Used to parse an offline SYSTEM hive or to collect data on a live system (Windows 7 and above).

7
Q

Amcache

A

Amcache tracks installed applications, programs executed, and drivers loaded, among other things. It provides full path info, file size, publisher metadata, loaded drivers, SHA1 hash, and timestamps. Important keys are InventoryApplication, InventoryApplicationFile and InventoryDriverBinaries.

8
Q

Amcache: Evidence of Execution

A

Does not confirm execution, as AmCache also tracks .exe and .dll that were copied as part of application execution and .exe present in one of the directories scanned by the Microsoft Compatibility Appraiser scheduled task.

9
Q

InventoryApplicationFile

A

Amcache registry hive containing list of applications

10
Q

InventoryApplication

A

Amcache registry hive containing a list of “installed” applications, so contains a subset of InventoryApplicationFile

11
Q

InventoryDriverBinaries

A

Amcache: Contains information relating to loaded drivers

12
Q

AmcacheParser.exe

A

Tool to parse Amcache data.

13
Q

Amcache_ProgramEntries

A

Contains data from the InventoryApplication key. Contains metadata on installed applications.

14
Q

Amcache_UnassociatedFileEntries

A

File in InventoryApplicationFile key detailing information on executables present on the system that have not been installed as part of an installation package.

15
Q

Amcache_DriverBinaries

A

Output from AmcacheParser containing information from the InventoryDriverBinaries key

16
Q

appcompatprocessor.py

A

Toolset designed to perform hunting of ShimCache and Amcache artifacts, placing the results in a SQLite database.

17
Q

Event Logs: Location (Vista and before)

A

%systemroot%\System32\config

18
Q

Event Logs: Location (post-Vista)

A

%systemroot%\System32\winevt\logs

19
Q

Event Logs: Custom Location (Registry)

A

> HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application
> HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System
> HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security

20
Q

Event Logs: Max Capacity/Log Rolling

A

When the max size of a log is reached, you can:
> Overwrite events as needed (Default)
> Archive the log when full; do not overwrite events (“Archive-Security-<Date>”)
> Do not overwrite events (error messages are generated to indicate a full event log); requires manual clearing.

21
Q

Event Logs: Three primary types

A

> Security: Records events based on auditing criteria included in local or group policies.
> System: Records events logged by the OS or its components.
> Application: Records events logged by applications.

22
Q

Security Logs Overview

A

> Only the Local Security Authority Subsystem Service (LSASS) can interact with the Security log
> Only admins can review, export, or clear the log
> There is currently no known method to manipulate the log effectively.

23
Q

Security Logs Objects

A

> Account Logon
> Account Mgmt
> Directory Service
> Logon Events
> Object Access
> Policy Change
> Privilege Use
> Process Tracking
> System Events

24
Q

Prefetch: Definition

A

OS loads data/code into memory (prefetch directory) before needed.

25
Prefetch: directory
Contains 128 .pf files on Windows 7 and before. 1024 files on Windows 8 and above.
26
Prefetch: .pf file
Prefetch file. Captures 8 execution times = 9 run times when added to file system creation time.
27
Prefetch: cache manager
Prefetch: Records files and directories for .pf prefetch files.
28
Prefetch: file name / hash
Combination of .exe file name, a dash, and a hexadecimal representation of a hash of the file's path.
29
Prefetch: registry key 1
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management EnablePrefetcher
30
Prefetch: registry key 2
SYSTEM\CurrentControlSet\Services\SysMain Start
31
SuperFetch
Prefetch: stored in files named Ag*.db (e.g. AgAppLaunch.db)
32
Prefetch: First Execution
Creation date of .pf file (~-10 seconds)
33
Prefetch: Last Executed
Last modification date of .pf file (~-10 seconds) + also in the .pf file as last time entry
34
PECmd.exe
Tool to parse and audit Prefetch files
35
Per-User Service
Beginning with Windows 10, Windows starts and stops unique instances of services for each user logon. These services are named by adding a Locally Unique Identifier (LUID) to the end of the service name. This makes the Security log much more voluminous. As such, it is important to rely more on the System log for malicious services.
36
Log Clearing
> Local administrators, domain administrators, and the local SYSTEM account all have the privileges to clear event logs (admin privs required).
> This will generate an ID 1102 event in the Security log. ID 104 will be generated when any other log is cleared. Clearing from both the command line and the GUI is captured.
> Only writable by LSASS (see Local Security Authority Subsystem Service). Log clearing is all or nothing.
37
Event Log Clearing (See log clearing)
38
Local Security Authority Subsystem Service (LSASS)
39
EvtxECmd
> Tool used to analyse Windows Event Logs.
> Its true value is the ability to filter, normalise, and merge logs at scale from many different systems.
> It can be run on a live system or against a collection of logs, and uses XPath map files to standardise output from many event types. XPath allows us to identify specific parts of the XML output. The map file contains the values of the event type to extract, using XPath filter notation.
> It can also analyse Volume Shadow Copies (VSS) when run on live systems.
40
Map files (see EvtxECmd)
The standardised fields that are available for use in maps include:
> UserName
> RemoteHost
> ExecutableInfo: Used for things like process command line, scheduled task, and info from service installs.
> PayloadData1-6
41
TerminalServices-RDPClient/Operational log
> Used to track RDP use on the source system, which is rare in Windows OS.
> You can also view the NTUSER\Software\Microsoft\Terminal Server Client\Servers registry key for info from a source system. The RegRipper plugin "rdphint" parses this data.
42
Microsoft-Windows-TerminalServices-RDPClient/Operational log (see TerminalServices-RDPClient)
> TerminalServices-RDPClient/Operational log
> NTUSER\Software\Microsoft\Terminal Server Client\Servers registry key
> Jump List: mstsc.exe = RDP client
> Default.rdp in User Profile
> RDP Bitmap Cache (bmc-tools.py to parse)
> Application logs for VNC tools or RMM tools like AnyDesk (C:\ProgramFiles\*)
43
RDP: Source System Logs
44
mstsc.exe (see RDP: Source System logs)
RDP Client in Jump List
45
Default.rdp (See RDP: Source System Logs)
User profile file indicating RDP use
46
RDP: Disable
> The Active Directory setting "Deny log on through Remote Desktop Services" can easily be set on high-value accounts.
> At the host level, the RDP service can be disabled and the Windows firewall can be set to deny inbound RDP connections in parts of the network where RDP isn't required.
47
Admin Shares
> Default shared resources designed to allow administrative programs access to the entire file system. The most commonly abused are the drive volume shares (like C$), the Admin$ share giving access to the Windows folder, and the IPC$ share commonly used by named pipes.
> Note that Domain Admin privileges are now required for access to admin shares.
48
Lateral movement: Admin shares
See Admin shares
49
Admin Shares: Source System Artifacts
> Command line auditing and the use of commands like "net use".
> Registry: NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (shows a list of systems connected to by the user)
50
MountPoints2
Registry key for admin shares (see Admin Shares)
51
Admin Shares: Destination System Artifacts
> 4624 Type 3 logons and 5140 share access events. Rebuild SMB sessions using network monitoring.
52
PsExec: Source System Artifacts
> Look for PSEXEC.EXE on the source system in Prefetch, ShimCache, BAM/DAM, and Amcache.
> Registry key (first run time): NTUSER\Software\SysInternals\PsExec\EulaAccepted
> Explicit creds used: EID 4648 "runas" event created.
> Command line auditing
> PSEXEC.EXE (or a renamed binary) in running processes or memory.
53
PsExec: Destination System Artifacts
> Steps: the user authenticates to the destination system, named pipes are set up, the ADMIN$ share is mounted, and PSEXESVC.exe is copied and run.
> Event logs: 4624 Type 3 (and Type 2 if alternate creds used = user profile created), 4672, 5140 (admin$ share used), 7045 (service installation).
> Registry: (new service) SYSTEM\CurrentControlSet\Services\PSEXESVC, (ShimCache) psexesvc.exe, (Amcache.hve) psexesvc.exe.
> File system: (Prefetch) C:\Windows\Prefetch\psexesvc.exe; psexesvc.exe is placed in ADMIN$ by default, as well as any other .exe pushed by the service; (user profile) a profile is created, unless the -e flag is used.
> Named pipes: used by IPC$ to establish system-to-system communication.
54
Windows commands (see Remote Services)
Numerous Windows commands have remote execution functionality.
> Create and start a remote service: sc \\host create [service], sc \\host start [service]
> Remote scheduled task: at \\host 13:00 ".exe", schtasks /CREATE /TN [task]
> Remote registries: the Remote Registry service (reg.exe) can be run
> WinRM: if enabled, Windows Remote Management can be used to run a Windows Remote Shell (winrs) session on a remote host.
55
Living off the land binaries (windows commands)
> Use of legitimate Windows binaries to carry out malicious activity
> LOLBAS (Living Off the Land Binaries and Scripts): project collecting LOL techniques.
> Common examples: bitsadmin.exe and certutil.exe (file download), rundll32.exe (execute code in DLLs)
> To determine use of these tools, we need the full command line, for example to capture the DLLs run by rundll32.
56
Windows Remote Management
> If enabled on a system, WinRM can be used like PsExec to run remote commands. It can also be turned on by attackers to move laterally. Uses winrs, which starts winrshost.exe.
> The Microsoft-Windows-WinRM/Operational log tracks WinRM connections; WinRM is the primary protocol for PowerShell remoting. This log is available on both source and destination systems and records the destination hostname, IP, and current logged-on user (Event ID 6), the source session creation (EID 91), and the authenticating user account (EID 168).
57
Windows Remote Shell (winrs)
See Windows Remote Management
58
Remote Services (see Windows Commands)
> Evidence of sc.exe on the source system can be seen via application execution artifacts (ShimCache, BAM/DAM, AmCache, Prefetch).
> Evidence on the destination system exists in event logs: 4624 Type 3, 4697 service installation, and related System service logs like 7034.
> Registry: CurrentControlSet\Services\ for the new service; ShimCache and AmCache hive for malicious exes.
> File system: malicious service executable or service DLL in file creation, or Prefetch file of the malicious executable.
59
Scheduled Tasks: Source and Remote System Artifacts
See page 126 for evidence in Event Logs, Registry, and File System.
60
Windows Management Instrumentation: Lateral Movement
> WMI is a flexible remote and local management infrastructure that leverages PowerShell to execute commands. The most common is "process call create", which gives adversaries similar function to PsExec while leaving fewer artifacts. WMI commands are typically not encrypted unless used over WinRM (using PowerShell, for example).
> On the source system wmic.exe is the only useful artifact (see ShimCache, AmCache, and Prefetch), but command line auditing is required to understand what was run.
> On the destination system, you are primarily looking for auth events tied to wmiprvse.exe, which is the core process used for remote wmic actions. But your key resource is the Microsoft-Windows-WMI-Activity/Operational log, which can help identify WMI event consumers. Evidence of mofcomp.exe or .mof files is also strong, as they are used to implement event consumers.
61
PowerShell: Lateral Movement and Remote Execution
> Remote PowerShell uses the WinRM protocol to scale tasks. However, note that remote PowerShell needs to be enabled.
> The most common commands are Invoke-Command and Enter-PSSession. The latter provides an encrypted interactive shell to the remote system, similar to SSH.
> On the source system, look for powershell.exe in common application execution artifacts. You can also look at the Microsoft-Windows-PowerShell/Operational and Microsoft-WinRM/Operational logs. You can also look at ConsoleHost_history.txt on anything later than PowerShell version 5, as it records the last 4096 commands typed. Lastly, look for the Windows Remote Management (WS-Management) service enabled in environments that don't use it.
> On the destination system, look for wsmprovhost.exe following a Type 3 network logon. When enabled, Microsoft-Windows-PowerShell/Operational logs capture PowerShell script contents.
62
Application Deployment Software: Controls
> Limit and monitor accounts that have access to patch management or deployment tools
> Create unique accounts for this purpose
> Control patch management cycle times closely to facilitate malicious activity
> Creation and monitoring of test systems to collect and log package deployment.
> Note that there may be multiple deployment software products across network segments, so it is important to make these changes for each one.
63
Vulnerabilities: Lateral Movement
Vulnerabilities in Windows can be used for lateral movement, but these vulnerabilities are rare. Much more common are vulnerabilities in custom applications, which are difficult to patch. SANS groups remote access tools like Meterpreter and Cobalt Strike Beacon into these categories, as they circumvent the standard authentication process.
64
Vulnerabilities: Malware based lateral movement
> Detecting malware-based lateral movement can be a challenge.
> Pay attention to system crashes recorded in event logs
> Use threat intelligence to track signatures
> Use signatures built into EDR solutions.
> Analyse running processes and system memory.
65
Malware lateral movement (See vulnerabilities)
66
Malware execution (evidence)
> Because Process Execution tracking is left disabled in most environments, we rely heavily on the System and Application logs.
> In particular, you are looking for Critical, Error, and Warning events. The best ones are the security tooling alerts that get logged, or evidence of system crashes or reboots.
> EID 1000 and 1002 report application errors and hangs in Windows Error Reporting (WER) logs.
67
Microsoft Protection Log (see Microsoft Defender Logs)
> MPLog files are primarily used for diagnostic and troubleshooting purposes. They are in text form and can be opened and viewed using a text editor. There can be multiple log files, named according to their creation time, but it is rare to see data going back further than a month.
> They should be used as a supplement to the primary Windows Defender log. For example, you can sometimes pull SHA1 hashes from this data. They can also be used to uncover renamed files, as the "Original filename" is sometimes written.
> The "tainted" flag is used to track files that have been injected.
> You can also use the MPLog to track running processes at a point in time, as this is one of the only places this information is audited.
> Again, the data can be overwhelming, so it is to be used as a supplement when IOCs are preferably already known. "detection", "tainted" or "SDN Query" are common bad terms.
68
Microsoft Defender Logs
> Microsoft-Windows-Windows Defender%4Operational.evtx is the primary log for Defender alerts. It can often provide 6 months of alerting. Use Event IDs 1116-1119 to capture malware detection events, actions taken on those events, and any failures while taking actions.
> The Microsoft Protection Log (MPLog), found at C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory, can also fill in alerting gaps as a supplement to the primary logs.
> Don't forget to check the quarantine folder, which may still contain the malicious files (maldump to extract). This can be found at C:\ProgramData\Microsoft\Windows Defender\Quarantine
69
Process Tracking Events
> EID 4688 (start) and 4689 (stop) in Security logs.
70
PowerShell Tracking
> With Server 2012R2, Microsoft released a new group policy setting to enable recording of full command lines in process reporting: Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation.
> This audit requires process creation auditing to be enabled. While this can be voluminous, it can be helpful on critical systems.
> Note that EID 4688 now includes the Process name, in addition to the Process ID, which was legacy.
71
Command Line Tracking (see PowerShell tracking / PsExec)
72
Windows Management Instrumentation (WMI): Overview
> WMI is Microsoft's implementation of the WBEM standard and is used to help the administration of large enterprise environments.
> WMIC.exe is the traditional portal for executing WMI commands, but this has largely been deprecated in favor of PowerShell, which has native WMI support. As such, much of your findings will be found in command line auditing or PowerShell logging.
> It is largely memory only, uses trusted signed binaries, and on the network side it uses all standard DCOM/PSRemoting traffic, which is sometimes encrypted.
73
Windows Management Instrumentation (WMI): Reconnaissance
74
Windows Management Instrumentation (WMI): PrivEsc
> The most common tool for WMI PrivEsc is "PowerUp.ps1". This leverages WMI to query 20 common misconfigurations that can be used to elevate privs.
> These queries hunt for all service paths that have a space, highly privileged processes, and unquoted service paths set to auto-start with the service binary not present under a Windows folder.
75
Windows Management Instrumentation (WMI): Lateral Movement
> wmic process call create: this command can be used to execute code on a remote system. It is essentially a stealthy version of PsExec.
> NetEnum/NetAdd commands can also be used to duplicate tokens of logged-in users.
76
Windows Management Instrumentation (WMI): Logging/Auditing
> Command line auditing in Security or Sysmon logging makes discovering WMI usage trivial. However, without it, investigating WMI use is very difficult.
> You would see wmic.exe running on a system.
> You may be able to rely on command line auditing from an EDR tool.
> You may see evidence in WMI auditing: WMI-Activity/Operational. However, this won't include the command line.
77
Windows Management Instrumentation: Persistence
> To set up WMI persistence you need three discrete steps:
> 1. An event filter must be created describing a trigger to detect
> 2. An event consumer is added with a script and/or executable to run (typically CommandLine or ActiveScript consumers, PowerShell commands, or scripts/exes). Scrcons is the ActiveScript consumer and wbemcons.dll is the command line event consumer.
> 3. The event and consumer are tied together via a binding and the persistence tool is loaded into the WMI repository.
> To review this activity, you would rely on the WMI-Activity/Operational log: EID 5861 for new consumers (exes, PowerShell, or VBScript), EID 5857 to track loaded DLLs, EID 5858 for WMI query errors. You can of course also rely on command line auditing.
> You can also run searches for PowerShell, eval, .vbs, .ps1, and ActiveXObject.
78
Active Script event consumer for WMI persistence
scrcons
79
Scrcons
Active Script event consumer for WMI persistence
80
Command Line Event Consumer for WMI
wbemcons.dll
81
wbemcons.dll
Command line event consumer for WMI persistence
82
Script block logs (see PowerShell logs)
> Audits are recorded as event log entries in Microsoft-Windows-PowerShell/Operational
> This happens regardless of whether PowerShell was executed from a command shell, the Integrated Scripting Environment, or via custom hosting of PowerShell components.
> Script block logs record the code blocks executed, including dynamically generated script contents, but typically no output. Windows will label events as EID 4104 Warning events in PowerShell/Operational logging.
83
Module Logs (see PowerShell: Module logs)
84
Powershell Version 5 (and 6 and 7)
PowerShell "Core" versions 6 and 7 are rewrites of PowerShell using .NET Core, allowing the tool to be used across all operating systems. However, these versions are intended to coexist with PowerShell version 5 and not be replacements. They are installed in separate locations, have separate group policy parameters, and have separate logs. Note that you need to turn on script block logging for all versions independently, but the logs will all go to Microsoft-Windows-PowerShellCore/Operational
85
PowerShell Logs
> Script block logs can capture the full command or contents of a script, who executed it, and when it occurred. These are recorded in Microsoft-Windows-PowerShell/Operational. EID 4104 records the script block contents, but only the first time it was executed.
> Although script block logging is not enabled by default, suspicious scripts will still get logged in Microsoft-Windows-PowerShell/Operational.
> You can also review EID 400 and 800 in the Windows PowerShell.evtx log.
> Lastly, you should review WinRM logs in Microsoft-Windows-WinRM/Operational for EID 6, 91, 168. WinRM is the primary protocol for PowerShell remoting.
> A strong PowerShell audit policy should include Module Logging, PowerShell Script Block Logging, and PowerShell Transcription.
86
PowerShell logs: Script block logs
See Script block logs
87
PowerShell: Module logs (see PowerShell logs)
> Module logging focuses on PowerShell pipeline execution. Almost every command uses several modules or cmdlets and EID 4103 events can include variables, commands, interim output, and even some deobfuscation.
88
PowerShell version 2 downgrade attack
This is done to circumvent logging. V2 has much less logging enabled. Look for EID 400 in Windows PowerShell.evtx. Also look for the "powershell -Version 2" command in command-line auditing. It is recommended to remove V2 from your environment.
89
PowerShell: Stealth Syntax
90
PowerShell: Commonly abused keywords
91
cradle
Fileless, memory-less malicious scripts downloaded from the internet.
92
AMSI
See Antimalware scanning interface
93
Anti-Malware Scanning Interface
Can audit code at the point of execution in order to defeat obfuscated PowerShell code.
94
Revoke-Obfuscation
Uses feature extraction and character frequency analysis to identify strange-looking scripts in PowerShell logs. You can run this against PowerShell/Operational logs.
95
CyberChef
Two features are most important: this tool is capable of running a local instance of the web app. You can also use the "Magic" decoder, which attempts to intuit the correct recipe for decoding input.
96
Transcription logs (PowerShell)
Display the contents of the Powershell terminal including inputs and outputs. This is unlike script block logging, which would only capture the script run.
97
PSReadline
Default module designed to log the last 4096 commands typed in the PowerShell console. Output is stored in ConsoleHost_history.txt. Only commands that are typed are logged. No timestamps are available. Only recorded during interactive sessions explicitly using the PowerShell console.
98
ConsoleHost_history.txt
Output of PSReadline PowerShell logging.
99
Logon Codes
> 2: Logon via console (keyboard, server KVM, or virtual client)
> 3: Network logon (SMB and some RDP connections such as those using Network Level Authentication)
> 4: Batch Logon - often used by Scheduled Tasks
> 5: Windows Service Logon
> 7: Credentials used to lock or unlock screen; RDP session reconnect
> 8: Network logon sending credentials in cleartext
> 9: Different credentials used than logged-on user - RunAs /netonly
> 10: Remote interactive logon (Remote Desktop Protocol)
> 11: Cached credentials used to log on
> 12: Cached Remote Interactive (similar to Type 10)
> 13: Cached unlock (similar to Type 7)
100
Logon ID
> Each account session is assigned a unique Logon ID at the time of logon. These can be used to determine session time, process tracking, object access events, and more granular views of user activity, like screen locking and unlocking.
101
Session Time
> Logon IDs can be used to correlate session time, but note that some session types, like SMB, will not work this way.
102
Linked Logon IDs
> Ties the session to the Logon ID of any other authentication events. For example, they can link a non-admin session to a high-privilege session when both are related.
103
Brute force attacks
> Typically indicated by failure codes C0000064 for unknown users and C000006A for bad passwords
104
Built-In Accounts
> System: This used to be the primary non-user-related account prior to Windows 2003. The accounts below were added to provide additional layers of security.
> Local Service: Used for services that do not require network access. Cannot authenticate with network resources.
> Network Service: Similar to Local Service but with slightly higher privileges, which allow it to impersonate standard computer accounts and authenticate over the network. Assigned for processes or services that require network access.
> $: The computer account provides the means for the computer to be authenticated when communicating with Active Directory and accessing network and domain resources. The account is named according to the system name.
> DWM / UMFD: Related to the Desktop Window Manager (DWM) and driver activity (UMFD), but little used.
> Anonymous Logon:
105
Account creation
Local admins can create local accounts and domain admins can create domain-wide accounts. EID 4720 logs date, time, computer, account used to create.
106
RDP Use in EID
EID 4624 (Logon Types 3,7,10) are the best indicators of RDP usage. You should also cross reference the RDPCoreTS and TerminalServices-RdpClient logs. EID 131 in RDPCoreTS and EID 1024/1102 in the TerminalServices-RdpClient log record outbound RDP connections and include destination hostname and IP.
107
RDP logs (Security + Custom)
> Source: TerminalServices-RDPClient: EID 1024, 1102
> Source: Security logs: EID 4648 (if NLA enabled and alternate creds used)
> Destination: Security 4624 Type 3, 7, 10 & 4778/4779
> Destination: Remote Desktop Services-RDPCoreTS: EID 98, 131
> Destination: TerminalServices-RemoteConnectionManager: EID 1149
> Destination: TerminalServices-LocalSessionManager: EID 21, 22, 25, 41
108
Logon Events (as oposed to account logon events)
Login/Logoff activity happening on the actual system being logged into. Stored locally. Note that for local accounts, where the auth is happening via the local SAM database, you will see both account logon and logon events. This can indicate rogue accounts, as it is rare in an enterprise environment.
109
Account Logon Events (as opposed to logon events)
Third-party authentication of credentials provided during that logon session. For example, users that need to authenticate via a Domain Controller. Note that before a user can authenticate, their credentials need to be validated by the domain controller using either NTLM or Kerberos. These events are stored on the domain controller. The one exception is local account auth, where an account logon is generated for a local only account (see Logon Events).
110
Logon error codes
111
Kerberos
> Kerberos works by a user supplying credentials to the authentication server (often the domain controller). If correct, a Ticket Granting Ticket (TGT) is issued to the user for a period of time. This is like a passport. To access resources on another system, such as a server, a "Service Ticket" is requested.
> If the auth fails, an EID 4771 will be written to the authentication server's logs. This will include date/time, hostname, client IP address, username, and Error Code (see Logon error codes).
112
Ticket Granting Ticket
Part of the Kerberos authentication process. A user granted a TGT when authenticated correctly to an auth server like a domain controller.
113
Service Ticket
Part of the Kerberos authentication process. A user granted a Service Ticket when authenticated correctly to a networked resource.
114
NTLM Auth
Although less common than Kerberos, NTLM logons do still occur. For example, local accounts will record logons as NTLM. Pass-the-hash attacks also rely on NTLM (which will record EID 4776).
115
Pass-the-hash attack
> Rely on NTLM logons
> Often appear as EID 4624 Type 3 network logon events.
> Allows TAs to perform SMB-based actions like mapping shares and executing code with PsExec (this relies on SMB).
> Although most modern environments are set up to block this, attackers can modify the LocalAccountTokenFilterPolicy with a one-liner to re-enable the capability.
116
Account enumeration
> TAs commonly deploy tools belonging to attack frameworks like Empire and PowerSploit to enumerate sensitive accounts and groups in an enterprise. Windows has introduced a new series of EIDs to track this activity.
> This is enabled at the GPO level using the "Audit Security Group Management" and "Audit User Account Management" audits.
> Although these events can be noisy, you should look out for PowerShell, WMI, or "net use" via cmd.exe, as these are not common in an enterprise environment. Services like mmc.exe, services.exe, taskhostw.exe, explorer.exe and VSSSVC.exe are common.
117
Enumeration (see account enumeration)
118
Event log explorer
See Tools tab
119
Admin$
Network share containing network administration tools such as software patches (this is a legacy way to patch systems).
120
IPC$
Inter-Process Communication connection: This share must be authenticated to facilitate communication between two devices on a network. Includes account name, SID, domain, and Logon ID, as well as source IP and port. IPC$ shares cannot be used to move files, it is simply an auth mechanism.
121
Explicit Credentials
> Logged as EID 4624 Logon Type 9 and EID 4648 "Explicit Credentials" events: use of credentials not logged in memory (new creds) to impersonate another user to access a resource or service on a network.
> These events (runas) are typically recorded on the originating system instead of the target. This allows us to determine where a user was heading.
> You can determine whether a 4648 event was logged on the originating system or a target system by looking at the "Target Server" information: if localhost, it is inbound; if it includes an IP address, it is outbound.
> Can also capture outbound RDP sessions on the source system if Network Level Authentication is enabled. This will include: current logged-on user name, alternate user name, destination host name/IP, and process name.
122
make_token
Part of Cobalt Strike and used to create a new logon session using a stolen auth token.
123
pth
Part of Cobalt Strike and used to create a new logon session using pass the hash.
124
Scheduled Task
> Logged in the Microsoft-Windows-TaskScheduler/Operational log. Not tracked by default; can be enabled via group policy, the wevtutil command-line tool, or the GUI Task Scheduler application.
> Scheduled task logging in the Security log requires Object Access auditing to be enabled.
> Tasks can be scheduled remotely, but the logs do not differentiate. To find remote tasks you must look for a Type 3 (network) logon occurring near task creation.
> Logged in the Security log and the Microsoft-Windows-TaskScheduler/Operational log. The Security log will provide more detailed info like trigger info, account name, and full path.
> When a task is created, a config (or .job) file is deposited into %SystemRoot%\System32\Tasks, or %SystemRoot%\SysWOW64 for 32-bit code (which is rare). You can use these to identify the account and system name used to schedule the task. Note: on XP/Win2003, the .job file is written in binary.
125
PsExec
> New PsExec service installations are run each time PsExec is used.
> When started as a service, malicious use is obvious, as you will see it being run by a user account rather than the SYSTEM or LOCAL SERVICE accounts.
> Service name is PSEXESVC on the remote system.
> Malicious PsExec usage is also typically encoded, such as when deployed via Metasploit. You can also look for strange service names.
> Also see Per-User Service (2.100)