This document provides an overview of Registry Forensics and the Registry Decoder tool. It discusses how the Windows registry can be used to find evidence of data exfiltration, malware infections, and anti-forensics activities. It demonstrates how Registry Decoder allows automated acquisition, analysis and reporting of registry contents. Examples are given of specific registry keys and values that may indicate these types of activities.
44CON London 2015: NTFS Analysis with PowerForensics - Jared Atkinson
This workshop was given by Jared Atkinson on September 11th 2015 at 44CON London. The purpose of this workshop was to introduce participants to NTFS internals and PowerForensics, an open source PowerShell digital forensics platform.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017 - Leszek Miś
Slides from the workshop delivered at the Brucon 2017 conference in Gent, Belgium.
Data exfiltration is the process of transmitting data from pwned or infected networks back to the attacker while trying to minimize detection.
During this workshop (2 hours) we will go through different network exfiltration methods and techniques (DNS, ICMP, TCP, UDP, HTTP, RDP, cloud-app based and others). I will explain how they work, how to run them and what the differences between them are. It is a highly interactive workshop (I have a dozen short labs already prepared) where you will be guided through the use of a set of open source tools, backed by short, fast theory.
Joseph Salowey, Tableau Software
Transport Layer Security (TLS) 1.3 is almost here. The protocol that protects most of the Internet's secure connections is getting its biggest ever revamp, and is losing a round-trip. We will explore the differences between TLS 1.3 and previous versions in detail, focusing on the performance and security improvements of the new protocol as well as some of the challenges we face around securely implementing new features such as 0-RTT resumption.
The slides list some of the most common tools used to statically analyze Portable Executable (PE) files.
Contents:
REMnux:
Introduction to REMnux
Entropy:
Use of Entropy for malware detection
Un-packing:
UPX
ByteHist
Density Scout
Anomaly Detection:
PEScanner
EXEScan
PEFrame
PEV
Investigation:
Pyew
Bokken
Disassemblers vs Debuggers vs Decompilers:
Commonly used tools
References:
Pisa is a decentralized block storage distribution and replication framework with the specific goal of simplifying the development of storage back-end services in a distributed environment. The main characteristics of the project are message security, a self-organizing cluster and simple setup. Pisa is a subproject of the RestFS project, and the talk will explain the experience we acquired while developing this subcomponent and the decisions taken in the design of the framework.
REMnux tutorial-2: Extraction and decoding of Artifacts - Rhydham Joshi
This PowerPoint presentation describes the tools and techniques used for extracting and decoding artifacts from malicious files, forensic discipline in handling infected disk drives, and recovering files from infected images.
Carlos García - Pentesting Active Directory [rooted2018] - RootedCON
An introduction to intrusion testing in Microsoft Active Directory environments, delivered as a practical talk for auditors or anyone interested in pentesting corporate environments. A brief introduction will be given to the Active Directory directory service and its most critical components from a security point of view. Afterwards, the main differences from a classic infrastructure pentest will be explained, along with the most common techniques and attacks used to carry out the exercise and fully compromise the corporate domain. Requirements: attendees are recommended to have basic knowledge of Active Directory and basic/intermediate knowledge of pentesting or ethical hacking, preferably in infrastructure and/or operating systems.
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documents - Rhydham Joshi
This tutorial covers a variety of tools and techniques to investigate malicious PDF and Doc documents, detecting and extracting JavaScript and shellcode from them, and analyzing what is found.
Do rsyslog and the journal cooperate? If so, how? This is the presentation from the LinuxTag 2013 conference. It details the rsyslog team's current position on the journal, how it affected rsyslog, what is being done for integration and some notes about how to configure rsyslog to do things that the journal announcement claimed to be impossible.
Anomalies Detection: Windows OS - Part 1 - Rhydham Joshi
Anomalies Detection: Windows OS - Part 1 describes malware investigation steps in detail. It focuses on identifying process anomalies, rootkit detection,
Fantastic Red Team Attacks and How to Find Them - Ross Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Ultimately, in a forensic examination, we are investigating the action of a Person
Almost every event or action on a system is the result of a user either doing something
Many events change the state of the Operating System (OS)
OS Forensics helps understand how system changes correlate to events resulting from the action of somebody in the real world
I will be going over a list of definitions, tools that fit each category, and open source variants that fit each (if available). I will be also going over the good, bad, and ugly of new/emerging technology.
I recommend watching the talk. Many notes and context are only verbal not in the slides.
Link to the talk:
http://www.irongeek.com/i.php?page=videos/bsidestampa2018/track-206-blue-teams-tool-dump-stop-using-them-term-next-gen-this-isnt-xxcall-of-dutyxx-alex-kot
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?" - Lane Huff
I'm Cuckoo for Malware provides an introductory overview of Cuckoo Sandbox and malware analysis. This talk walks through the different types of malware and what they do, then explains how Cuckoo Sandbox works and how to get the best results from it. The talk covers how to harden your sandbox against malware authors' attempts to avoid analysis and gives ideas for listeners wanting to set up custom environments of their own. The goal of the talk is to give listeners enough information that they can begin analyzing malware in their own Cuckoo-based sandbox environment.
Andrew Brandt, Symantec
Back in 2014 and 2015, the Dyre (sometimes called Dyreza) Trojan was a distinctive crimeware tool for the simple reason that it appeared to employ, and experiment with, a whole range of sophisticated tactics, techniques and procedures: It was the first Trojan which exclusively employed HTTPS for its C2 traffic; It operated on a modular basis with a small cadre of other malware families, such as the Upatre downloader, which seemed to support it exclusively, as well as email address scraping tools and spam mail relayers; and it was at least as interested in profiling the environment it had infected as it was in exfiltrating any data it could find on the victim's machine. Then it disappeared suddenly, but re-emerged this year in the form of a Trojan now called Trickbot (aka Trickybot), completely rewritten but with many of the same features. In the lab, we permit Trickbot samples to persist on infected machines for days to weeks in order to perform man-in-the-middle SSL decryption on their C2 traffic. In this session, attendees will get a detailed forensic analysis of the content of some of this C2 traffic and the endpoint behavior of various machines (virtual and bare-metal) when left infected for an extended period of time. Finally, we will share what we know about the botnet's C2 infrastructure and its historical reputation. By understanding how Trickbot functions, and to where it communicates, we hope we can help identify infections more rapidly and, maybe, interpret the motives of whoever is operating this shadowy botnet to predict its next course of action.
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery - Uptycs
These are the slides from Guillaume Ross's Uptycs webinar: Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
The on-demand webinar provides much more context:
https://www.uptycs.com/webinar-registration-attck-osquery
Presentation by Deepen Chapagain, CEO, NepWays, on "Power of Logs: Practices for network security" at "Braindigit 9th National ICT Conference 2013" organized by Information Technology Society, Nepal at Alpha House, Kathmandu, Nepal on 26th January, 2013
For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
Logs for Information Assurance and Forensics @ USMA - Anton Chuvakin
This is my presentation on "Logs for Information Assurance and Forensics", which was given to 2 of the USMA @ West Point, NY classes in April 2006. It sure was fun! Now I know where all the smart college students are :-)
On information security threats relevant to developers of information protection tools - SelectedPresentations
Alexey Igorevich Kachalin, expert, Interregional Public Organization "AZI"
IV AZI Forum
"Current Issues of Information Security in Russia"
Moscow, MTUCI Congress Center, 14 April 2015
2. Agenda
► Brief overview of registry background
► Use RD to find evidence of
  ► Data exfiltration
  ► Malware infection
  ► Anti-forensics tool use
3. Why is the registry interesting?
► Forensics and incident response goldmine
► Logs a wealth of user and system activity
► Timestamps
► Using Windows backup features (System Restore & VSS), we can recover historical data going back months or longer (how?)
  ► Cool: more evidence
  ► PITA: how do we process/manage it
► How do you currently use these?
4.
► Removable device activity
  ► Including serial number and model name
  ► See Stuxnet
► Typed Internet Explorer URLs
► Recently accessed files (per file type)
► Networking information
  ► Per device, used network shares, and more
► Entered search terms (Windows 7)
5.
► Autoruns
► Timezone info
► Application launch counts
► Mounted devices
► Services
► System install info
► Folder listings
► Routing info
► Firewall rules
6. Registry Decoder
► Open source Python project
► Initially funded by the National Institute of Justice (NIJ)
► Its goal is to automate the acquisition, analysis, and reporting of registry contents
► Contains two components:
  ► A live registry hive acquisition tool
    ► Pulls hives from live machines
    ► Both current and backups
    ► Standalone (no installation) executable
  ► An offline analysis tool
    ► Discussed next
7. Registry Decoder
► Performs offline analysis of registry files
► Facilitates comprehensive registry analysis of any number of files within one graphical interface
  ► Most features are usable on the command line as well (for scripting, testing, etc.; all will be in the next release)
► Supports multiple input types
► Uses a pre-processing phase to make analysis afterwards much faster
8. Analysis Features
► Case management
► Hive browsing
► Advanced search
► Plugin system
► Path-based analysis
► Differencing
► Timelining
► Reporting
9. Case Management
► Simple, but useful
  ► Case name, number
  ► Investigator
  ► Comments
  ► Case directory
► Provides persistence
  ► Data is only pre-processed once
  ► Close and re-open case at will
11. Hive Browsing
► Similar to other browsing tools (AccessData, regedit, etc.)
► Displays key / value pairs and last write time of the chosen key
► Hex view of value data
► Tabbed view allows multiple browse windows open simultaneously
► Can type a path and immediately jump there
13. Advanced Search
► Good tools for intelligent searching across registry hives?
► RD allows users to quickly search for a single term or a collection of terms (from a file) across any selected hives in a case
► Multiple types of search parameters:
  ► Exact or partial matching
  ► Wildcard matching (*, ?)
  ► Key name or value name or data
  ► Start and end date using last write time of keys
15. Plugins
► The plugin system allows for targeted analysis of specific data within the registry
  ► Mostly robbed from regripper
► Useful for fixed analysis that must be done repeatedly
  ► Listing MRU documents
► All plugins are in Python, and have access to all Python built-ins
► We provide an API designed to make plugin development as painless as possible
► Many plugins are less than 10 lines of Python and require very little programming ability
17. Timelining
► Hives can be timelined based on the last write time of keys
► Included keys can be filtered by starting and / or ending time
► Output can be tab-separated (importable in Excel) or in Sleuth Kit mactime format
► Multiple input registry files can be processed into the same output timeline
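The date-bounded search of slide 13 and the timeline export of slide 17 share one idea: every registry key carries a single last-write timestamp, so keys from many hives can be filtered, matched and merged on that one field. The following is an added example, not Registry Decoder's own code, that implements that idea over a constructed list of (hive, key path, last write time) records rather than parsed hive files; the record layout and the exact/wildcard matching on the key's own name are assumptions made for the example.

```python
"""Registry key search and timelining over last-write timestamps.

Added example, not Registry Decoder's own code: it mimics date-bounded
search (substring or * ? wildcard) and timeline export (tab-separated or
Sleuth Kit mactime body) over constructed records instead of hive files.
"""
import fnmatch
from datetime import datetime, timezone

# Constructed sample records: hive, key path, last write time in UTC.
SAMPLE_KEYS = [
    ("SYSTEM", r"ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler",
     datetime(2011, 5, 3, 14, 2, 11, tzinfo=timezone.utc)),
    ("NTUSER", r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs",
     datetime(2011, 5, 3, 14, 5, 40, tzinfo=timezone.utc)),
    ("SOFTWARE", r"Microsoft\Windows\CurrentVersion\Run",
     datetime(2011, 4, 28, 9, 17, 0, tzinfo=timezone.utc)),
    ("NTUSER", r"Software\Microsoft\Internet Explorer\TypedURLs",
     datetime(2011, 5, 4, 8, 30, 5, tzinfo=timezone.utc)),
]


def filter_keys(keys, start=None, end=None):
    """Keys whose last write time lies in [start, end], oldest first; either bound may be None."""
    kept = [k for k in keys
            if (start is None or k[2] >= start) and (end is None or k[2] <= end)]
    return sorted(kept, key=lambda k: k[2])


def search(keys, term, wildcard=False, start=None, end=None):
    """Keys whose own name matches term: case-insensitive substring, or a
    * and ? pattern when wildcard=True, optionally restricted to a date window."""
    hits = []
    for hive, path, _ in filter_keys(keys, start, end):
        name = path.rsplit("\\", 1)[-1].lower()
        matched = (fnmatch.fnmatchcase(name, term.lower()) if wildcard
                   else term.lower() in name)
        if matched:
            hits.append((hive, path))
    return hits


def to_tsv(keys, start=None, end=None):
    """Tab-separated timeline, importable into a spreadsheet."""
    rows = ["lastwrite\thive\tkey"]
    for hive, path, lastwrite in filter_keys(keys, start, end):
        rows.append(f"{lastwrite.isoformat()}\t{hive}\t{path}")
    return "\n".join(rows)


def to_mactime_body(keys, start=None, end=None):
    """Sleuth Kit 3.x body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.

    A key carries one timestamp, so it goes in the mtime column (epoch seconds)
    and the other time columns stay 0; mactime then lists the key as a
    modification event, which lets several hives merge into one timeline.
    """
    lines = []
    for hive, path, lastwrite in filter_keys(keys, start, end):
        lines.append(f"0|[{hive}] {path}|0|0|0|0|0|0|{int(lastwrite.timestamp())}|0|0")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_tsv(SAMPLE_KEYS))
    print(to_mactime_body(SAMPLE_KEYS, start=datetime(2011, 5, 3, tzinfo=timezone.utc)))
```

Feeding the body lines to `mactime -b` (or the TSV to a spreadsheet) gives the merged, date-sorted view the slide describes.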
19. Data Exfiltration
► Is there any evidence of USB devices being used?
► Is there any evidence of attempts to bypass network web filtering?
► Is there any evidence of file upload services in use?
22. Malware Analysis / Detection
► There are several places malware likes to hide in the registry, some old, some new.
  ► Yes, the very old techniques are still in use because they still work
► There is no comprehensive list, and I am far from the foremost expert on such things, but following are a few I find interesting
► RD plugins exist for some; the interested can view the plugin source for registry locations
► Those so inclined are also invited to write some new plugins (more info later)
23. Where is the malware?
► Run* lists (of which there are many)
  ► HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  ► HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  ► HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  ► HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  ► HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  ► HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  ► HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  ► HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  ► HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
24. Where is the malware?
► Browser Helper Objects
  ► HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
► Manipulation of persistent routes
  ► HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
► Running as services
  ► HKLM\SYSTEM\CurrentControlSet\Services
► ServiceDLL mechanism
  ► HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters\ServiceDLL
25. Where is the malware?
► Infected file sharing applications
  ► Limewire
► Infected antivirus solutions
► Application Initialization DLLs
  ► Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
► MUICache, UserAssist
► Browser toolbars
► Firewall rules
► Etc.
26. So, How Do
► Discover what types of malware are installed?
  ► Browser-based?
  ► Rootkits?
  ► Rogue services?
  ► Malware in plain sight?
► Are there things in the registry which indicate malware, even though you may not be able to link it to a specific executable?
► So, I infected this XP box (story)
33. Scenario 3: Anti-Forensics
► Some people do not like to get caught and so take measures to hide things
► This sometimes just gives the investigator more crumbs to collect
► Crypto
  ► TrueCrypt, BitLocker
► Timestamp mucking
  ► Timestomp
► Web proxy services
35. How Do We
► Evidence of encrypted storage?
► Evidence of attempts to bypass network web filtering?
► File upload services in use?
► Common anti-forensics software installed/in use?
► Other anti-forensics techniques?
► Assume that the system has been timestomped and so filesystem timelines are made useless. What information on recent activity can be had from registry timelines?
41. Conclusion
► Registry forensics is a powerful tool
  ► Particularly good for triage in some cases
  ► Stores a wide range of interesting information
► Registry Decoder provides a unified, open source system for registry analysis and research
  ► Saves considerable time and effort
  ► Extensible via plugin system
► Useful for things you might not have thought to use it for before
  ► Data exfiltration
  ► Malware detection / analysis
  ► Anti-anti-forensics