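<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="ie=edge">
  <!-- Descriptive title instead of the generator's generic "Markmap"; the root node of the
       embedded map is "Windows Forensics 1/2" and the file is the FOR508 mind map. -->
  <title>Windows Forensics 1/2 (FOR508 mind map)</title>
  <style>
    * {
      margin: 0;
      padding: 0;
    }
    /* The map fills the viewport; the toolbar is positioned absolutely over it by script. */
    #mindmap {
      display: block;
      width: 100vw;
      height: 100vh;
    }
  </style>
  <!-- Third-party stylesheet pinned to an exact version but fetched without Subresource Integrity.
       This is a static page, so the CDN sits inside its trust boundary; when regenerating, add
       integrity="<sha384 of the exact published artifact>" crossorigin="anonymous" (compute the
       hash from the real file, never guess it). -->
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/markmap-toolbar@0.17.2/dist/style.css">
</head>
<body>
  <!-- Render target for markmap-view. The inline node data further down contains raw HTML
       (links, tables) in its "content" fields, which the viewer appears to inject as markup;
       regenerate this file only from markdown you control. -->
  <svg id="mindmap"></svg>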
<!-- Runtime libraries come from a third-party CDN at pinned versions but without an integrity
     attribute, so an altered CDN artifact would execute with full access to this page. When
     regenerating, add integrity="<sha384 of each exact artifact>" crossorigin="anonymous" to
     every script. The inline scripts that follow rely on these loading synchronously in this
     order (window.markmap must exist first), so do not add defer or async here. -->
<script src="https://cdn.jsdelivr.net/npm/d3@7.8.5/dist/d3.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/markmap-view@0.17.2/dist/browser/index.js"></script>
<script src="https://cdn.jsdelivr.net/npm/markmap-toolbar@0.17.2/dist/index.js"></script>
<script>
  // Toolbar wiring. The work is pushed to a zero-delay timer so that it is intended to run
  // only after the following script has assigned window.mm (the Markmap instance).
  ((runLater) => {
    setTimeout(runLater);
  })(() => {
    const { markmap, mm } = window;
    // Toolbar.create returns an object whose `el` is the DOM node to mount.
    const toolbar = markmap.Toolbar.create(mm);
    const toolbarEl = toolbar.el;
    // Pin the toolbar to the bottom-right corner, above the full-viewport SVG.
    toolbarEl.setAttribute('style', 'position:absolute;bottom:20px;right:20px');
    document.body.append(toolbarEl);
  });
</script>
<script>((getMarkmap, getOptions, root2, jsonOptions) => {
const markmap = getMarkmap();
window.mm = markmap.Markmap.create(
"svg#mindmap",
(getOptions || markmap.deriveOptions)(jsonOptions),
root2
);
})(() => window.markmap,null,{"content":"Windows Forensics 1/2","children":[{"content":"Malware Persistence","children":[{"content":"AutoStart locations","children":[{"content":"NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","children":[],"payload":{"lines":"2,3"}},{"content":"NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce","children":[],"payload":{"lines":"3,4"}},{"content":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run","children":[],"payload":{"lines":"4,5"}},{"content":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce","children":[],"payload":{"lines":"5,6"}},{"content":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","children":[],"payload":{"lines":"6,7"}},{"content":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit","children":[],"payload":{"lines":"7,8"}},{"content":"%AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup","children":[],"payload":{"lines":"8,9"}},{"content":"SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run","children":[],"payload":{"lines":"9,10"}},{"content":"SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce","children":[],"payload":{"lines":"10,11"}},{"content":"SYSTEM\\<CurrentControlSet>\\Services - (if Start == 0x02 -> start at boot)","children":[],"payload":{"lines":"11,12"}}],"payload":{"lines":"1,2"}},{"content":"Service Creation/Replacement","children":[{"content":"HKML\\SYSTEM\\CurrentControlSet\\Services","children":[{"content":"Start with 0x02 : Automatic","children":[],"payload":{"lines":"14,15"}},{"content":"Start with 0x00 : Boot start of a device driver","children":[],"payload":{"lines":"15,16"}}],"payload":{"lines":"13,14"}},{"content":"Links","children":[{"content":"<a href=\"https://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html\">Mandiant APT1</a>","children":[],"payload":{"lines":"17,18"}},{"content":"<a 
href=\"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.23.PEERING_INTO_GLASSRAT/GlassRAT-final.pdf\">Peering into GlassRAT</a>","children":[],"payload":{"lines":"18,19"}},{"content":"<a href=\"https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+-+Part+2/15406\">Stealthy Malware Persistence</a>","children":[],"payload":{"lines":"19,20"}}],"payload":{"lines":"16,17"}}],"payload":{"lines":"12,13"}},{"content":"Scheduled Tasks","children":[{"content":"C:\\Windows\\Tasks","children":[],"payload":{"lines":"21,22"}},{"content":"C:\\Windows\\System32\\Tasks","children":[],"payload":{"lines":"22,23"}},{"content":"C:\\Windows\\Schedlgu.txt - XP only","children":[],"payload":{"lines":"23,24"}},{"content":"If TaskScheduler & a process have the same PPID => process has been launched by the taskscheduler","children":[],"payload":{"lines":"24,25"}}],"payload":{"lines":"20,21"}},{"content":"DLL Hijacking","children":[{"content":"Links","children":[{"content":"<a href=\"https://cloud.google.com/blog/topics/threat-intelligence/malware-persistence-windows-registry/\">Malware Persistence without the Windows Registry</a>","children":[],"payload":{"lines":"27,28"}},{"content":"<a href=\"https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order\">DLL Search order</a>","children":[],"payload":{"lines":"28,29"}},{"content":"<a href=\"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/\">Phantom DLL</a>","children":[],"payload":{"lines":"29,30"}},{"content":"<a href=\"https://web.archive.org/web/20211008221934/https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html\">What The Fxsst</a>","children":[],"payload":{"lines":"30,31"}},{"content":"<a href=\"https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests\">NetTraveler</a>","children":[],"payload":{"lines":"31,32"}},{"content":"<a 
href=\"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/dll-rules-in-applocker\">DLL rules in AppLocker</a>","children":[],"payload":{"lines":"32,33"}}],"payload":{"lines":"26,27"}},{"content":"Hunting","children":[{"content":"File System analyse: search .dll/.exe in unusual path","children":[],"payload":{"lines":"34,35"}},{"content":"Memory analyse: search DLL loaded from wrong location","children":[],"payload":{"lines":"35,36"}},{"content":"<a href=\"https://docs.velociraptor.app/blog/2021/2021-02-02-detecting-dll-hijacking-with-vql-e9a735354257/\">Hunting with Velociraptor</a>","children":[],"payload":{"lines":"36,37"}}],"payload":{"lines":"33,34"}}],"payload":{"lines":"25,26"}},{"content":"WMI Event Consumers","children":[{"content":"Info","children":[{"content":"Event Filter + Event Consumer + Binding => WMI","children":[],"payload":{"lines":"39,40"}},{"content":"PowerShell/mofcomp.exe to setup","children":[],"payload":{"lines":"40,41"}}],"payload":{"lines":"38,39"}},{"content":"Hunting","children":[{"content":"SysInternal Autorun","children":[],"payload":{"lines":"42,43"}},{"content":"Kansa PowerShell framework","children":[],"payload":{"lines":"43,44"}},{"content":"PowerShell cmdlet Get-WmiObject","children":[{"content":"Get-WMIObject -Namespace rootSubscription -Class __EventFilter","children":[],"payload":{"lines":"45,46"}},{"content":"Get-WMIObject -Namespace rootSubscription -Class __EventConsumer","children":[],"payload":{"lines":"46,47"}},{"content":"Get-WMIObject -Namespace rootSubscription -Class __FilterToConsumerBinding","children":[],"payload":{"lines":"47,48"}}],"payload":{"lines":"44,45"}}],"payload":{"lines":"41,42"}},{"content":"Links","children":[{"content":"<a href=\"https://learn.microsoft.com/fr-fr/windows/win32/wmisdk/monitoring-events?redirectedfrom=MSDN\">Monitoring Events</a>","children":[],"payload":{"lines":"49,50"}},{"content":"<a 
href=\"https://www.youtube.com/watch?app=desktop&v=JCJl2uV8u1c\">There's nothing About WMI</a>","children":[],"payload":{"lines":"50,51"}},{"content":"<a href=\"https://trustedsignal.blogspot.com/2014/05/kansa-collecting-wmi-event-consumer.html\">Kansa & WMI Event Consumer</a>","children":[],"payload":{"lines":"51,52"}}],"payload":{"lines":"48,49"}}],"payload":{"lines":"37,38"}},{"content":"More Advanced","children":[{"content":"Local GPO","children":[],"payload":{"lines":"53,54"}},{"content":"MS Office Add-In","children":[],"payload":{"lines":"54,55"}},{"content":"BIOS flashing","children":[],"payload":{"lines":"55,57"}}],"payload":{"lines":"52,53"}}],"payload":{"lines":"0,1"}},{"content":"Credential theft","children":[{"content":"Compromission tools","children":[{"content":"Incognito","children":[],"payload":{"lines":"59,60"}},{"content":"MetaSploit","children":[],"payload":{"lines":"60,61"}},{"content":"Powershell","children":[],"payload":{"lines":"61,62"}},{"content":"Mimikatz","children":[],"payload":{"lines":"62,63"}},{"content":"fgdump","children":[],"payload":{"lines":"63,64"}},{"content":"gsecdump","children":[],"payload":{"lines":"64,65"}},{"content":"AceHash","children":[],"payload":{"lines":"65,66"}},{"content":"PWDumpX","children":[],"payload":{"lines":"66,67"}},{"content":"creddump","children":[],"payload":{"lines":"67,68"}},{"content":"WCE","children":[],"payload":{"lines":"68,69"}},{"content":"Cachedump","children":[],"payload":{"lines":"69,70"}},{"content":"Cain","children":[],"payload":{"lines":"70,71"}},{"content":"Kerberoasting","children":[],"payload":{"lines":"71,72"}},{"content":"ntdsutil","children":[],"payload":{"lines":"72,73"}},{"content":"VSSAdmin","children":[],"payload":{"lines":"73,74"}},{"content":"NTDSXtract","children":[],"payload":{"lines":"74,75"}},{"content":"secretsdump.py","children":[],"payload":{"lines":"75,76"}},{"content":"Bloodhound + Empire with Death 
Star","children":[],"payload":{"lines":"76,77"}},{"content":"GoFetch","children":[],"payload":{"lines":"77,78"}}],"payload":{"lines":"58,59"}},{"content":"Hunting","children":[{"content":"EventLog 4624","children":[{"content":"<table data-lines=\"80,92\">\n<thead data-lines=\"80,81\">\n<tr data-lines=\"80,81\">\n<th>Admin action</th>\n<th>Logon Type</th>\n<th>Creds on target?</th>\n<th>Notes</th>\n</tr>\n</thead>\n<tbody data-lines=\"82,92\">\n<tr data-lines=\"82,83\">\n<td>Console logon</td>\n<td>2</td>\n<td>Yes*</td>\n<td>* Except when Credential Guard is enabled</td>\n</tr>\n<tr data-lines=\"83,84\">\n<td>Run as</td>\n<td>2</td>\n<td>Yes*</td>\n<td>* Except when Credential Guard is enabled</td>\n</tr>\n<tr data-lines=\"84,85\">\n<td>Remote desktop</td>\n<td>10</td>\n<td>Yes*</td>\n<td>* Except when Credential Guard is enabled</td>\n</tr>\n<tr data-lines=\"85,86\">\n<td>Net Use</td>\n<td>3</td>\n<td>No</td>\n<td>Including /u: parameter</td>\n</tr>\n<tr data-lines=\"86,87\">\n<td>Powershell Remoting</td>\n<td>3</td>\n<td>No</td>\n<td>Invoke-Command or Enter-PSSession</td>\n</tr>\n<tr data-lines=\"87,88\">\n<td>PsExec alternate creds</td>\n<td>3 + 2</td>\n<td>Yes</td>\n<td>-u <username> -p <password></password></username></td>\n</tr>\n<tr data-lines=\"88,89\">\n<td>PsExec w/o explicit creds</td>\n<td>3</td>\n<td>No</td>\n<td></td>\n</tr>\n<tr data-lines=\"89,90\">\n<td>Remote Scheduled Task</td>\n<td>4</td>\n<td>Yes</td>\n<td>Password saved as LSA Secret</td>\n</tr>\n<tr data-lines=\"90,91\">\n<td>Runas service</td>\n<td>5</td>\n<td>Yes</td>\n<td>(w/user account) - Password saved as LSA Secret</td>\n</tr>\n<tr data-lines=\"91,92\">\n<td>Remote registry</td>\n<td>3</td>\n<td>No</td>\n<td></td>\n</tr>\n</tbody>\n</table>","children":[],"payload":{"lines":"80,92"}}],"payload":{"lines":"79,80"}},{"content":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest with \"UseLogonCredential\" set to 
1","children":[],"payload":{"lines":"92,93"}}],"payload":{"lines":"78,79"}},{"content":"Info","children":[{"content":"Hashes","children":[{"content":"Defending","children":[{"content":"Stop remote interactive session with highly priviledged accounts","children":[],"payload":{"lines":"96,97"}},{"content":"Ensure local admin account passwords are unique & not shared","children":[],"payload":{"lines":"97,98"}},{"content":"Proper termination of RDP sessions","children":[{"content":"Win8+: force use of Restricted Admin","children":[],"payload":{"lines":"99,100"}},{"content":"Win10+: deploy Remote Credential Guard","children":[],"payload":{"lines":"100,101"}}],"payload":{"lines":"98,99"}},{"content":"Upgrade to Win10+","children":[{"content":"Credential Guard","children":[],"payload":{"lines":"102,103"}},{"content":"WDigest & TsPkg creds no longer stored by default","children":[],"payload":{"lines":"103,104"}},{"content":"Domain protected users (mitiagte Pass The Hash attacks)","children":[],"payload":{"lines":"104,105"}}],"payload":{"lines":"101,102"}}],"payload":{"lines":"95,96"}},{"content":"Links","children":[{"content":"<a href=\"https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649\">Microsoft Security Advisory Update to Improve credentials Protection</a>","children":[],"payload":{"lines":"106,107"}},{"content":"<a href=\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408190(v=ws.11)?redirectedfrom=MSDN\">Technet credentials protection & Mgmt</a>","children":[],"payload":{"lines":"107,108"}},{"content":"<a href=\"https://learn.microsoft.com/fr-fr/archive/blogs/secguide/blocking-remote-use-of-local-accounts\">Blocking remote use of local accounts</a>","children":[],"payload":{"lines":"108,109"}},{"content":"<a 
href=\"https://learn.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)?redirectedfrom=MSDN\">Local Administrator Password solution</a>","children":[],"payload":{"lines":"109,110"}}],"payload":{"lines":"105,106"}}],"payload":{"lines":"94,95"}},{"content":"Token","children":[{"content":"Hunting / Defending","children":[{"content":"Investigate users with SeImpersonate privilege","children":[],"payload":{"lines":"112,113"}},{"content":"Apply same defending actions as hashes password","children":[],"payload":{"lines":"113,114"}},{"content":"Use \"Restricted Admin","children":[],"payload":{"lines":"114,115"}},{"content":"Use \"Protected Users\" security group","children":[],"payload":{"lines":"115,116"}}],"payload":{"lines":"111,112"}},{"content":"Links","children":[{"content":"<a href=\"https://www.sans.org/blog/protecting-privileged-domain-accounts-safeguarding-access-tokens/\">Safeguarding Access Tokens</a>","children":[],"payload":{"lines":"117,118"}},{"content":"<a href=\"https://dl.packetstormsecurity.net/papers/presentations/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf\">Security implications of Windows Acess Token</a>","children":[],"payload":{"lines":"118,119"}},{"content":"<a href=\"https://www.sans.org/blog/monitoring-for-delegation-token-theft/\">Monitoring delegation Token</a>","children":[],"payload":{"lines":"119,120"}},{"content":"<a href=\"https://www.sans.org/blog/protecting-privileged-domain-accounts-safeguarding-access-tokens/\">Safeguarding Access Tokens</a>","children":[],"payload":{"lines":"120,121"}},{"content":"<a href=\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408190(v=ws.11)?redirectedfrom=MSDN\">Technet credentials protection & mgmt</a>","children":[],"payload":{"lines":"121,122"}},{"content":"<a 
href=\"https://learn.microsoft.com/fr-fr/archive/blogs/poshchap/security-focus-analysing-account-is-sensitive-and-cannot-be-delegated-for-privileged-accounts\">\"Account is sensitive & cannot be delegated\"</a>","children":[],"payload":{"lines":"122,123"}},{"content":"<a href=\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)?redirectedfrom=MSDN\">Technet Protected Users Security Group</a>","children":[],"payload":{"lines":"123,124"}}],"payload":{"lines":"116,117"}}],"payload":{"lines":"110,111"}},{"content":"Cached credentials","children":[{"content":"Info","children":[{"content":"Cannot be used for Pass-The-Hash attack","children":[],"payload":{"lines":"126,127"}},{"content":"Cached credentials much be cracked","children":[],"payload":{"lines":"127,128"}},{"content":"Hashes are case-sensitive & salted","children":[],"payload":{"lines":"128,129"}},{"content":"Service accounts & computer accounts are also cached","children":[],"payload":{"lines":"129,130"}}],"payload":{"lines":"125,126"}},{"content":"Hunting/Defending","children":[{"content":"SECURITY\\Cache key","children":[],"payload":{"lines":"131,132"}},{"content":"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon CachedLogonsCount set to 4 (10 => 25 by default)","children":[],"payload":{"lines":"132,133"}},{"content":"Use of Protected Users security groups","children":[],"payload":{"lines":"133,134"}},{"content":"Enforce password length","children":[],"payload":{"lines":"134,135"}}],"payload":{"lines":"130,131"}},{"content":"Links","children":[{"content":"<a href=\"https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information\">Cached logons & CachedLogonsCount</a>","children":[],"payload":{"lines":"136,137"}},{"content":"<a href=\"https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/\">Domain Controller Security Technical Implementation 
Guide</a>","children":[],"payload":{"lines":"137,138"}}],"payload":{"lines":"135,136"}}],"payload":{"lines":"124,125"}},{"content":"LSA secrets","children":[{"content":"Info","children":[{"content":"Stored in the registry to allow services or tasks to be run with user privileges","children":[],"payload":{"lines":"140,141"}},{"content":"Can store application password like VPN or auto-logon creds","children":[],"payload":{"lines":"141,142"}},{"content":"The password is stored (not a hash)","children":[],"payload":{"lines":"142,143"}}],"payload":{"lines":"139,140"}},{"content":"Hunting/Defending","children":[{"content":"SECURITY\\Policy\\Secrets","children":[],"payload":{"lines":"144,145"}},{"content":"SECURITY\\Policy","children":[],"payload":{"lines":"145,146"}},{"content":"Do not employ services/schedule tasks requiring privileged accounts","children":[],"payload":{"lines":"146,147"}},{"content":"Reduce number of services requiring domain accounts","children":[],"payload":{"lines":"147,148"}},{"content":"Use (Group) Managed Service Accounts","children":[],"payload":{"lines":"148,149"}}],"payload":{"lines":"143,144"}},{"content":"Links","children":[{"content":"<a href=\"https://blog.stangroome.com/2013/07/28/avoid-password-management-with-group-managed-service-accounts/\">Avoid password mgmt with group managed services accounts</a>","children":[],"payload":{"lines":"150,151"}}],"payload":{"lines":"149,150"}}],"payload":{"lines":"138,139"}},{"content":"Tickets","children":[{"content":"Info","children":[{"content":"Tickets are generated by Kerberos","children":[],"payload":{"lines":"153,154"}},{"content":"Tickets are chached in memory and are valid for 10 hours","children":[],"payload":{"lines":"154,155"}},{"content":"Can be used as Pass the Ticket","children":[],"payload":{"lines":"155,156"}},{"content":"DCs can provide ticket with no expiration (Golden ticket)","children":[],"payload":{"lines":"156,157"}}],"payload":{"lines":"152,153"}},{"content":"Kerberos Attacks 
detail / mitigation","children":[{"content":"<table data-lines=\"158,167\">\n<thead data-lines=\"158,159\">\n<tr data-lines=\"158,159\">\n<th>Attack Name</th>\n<th>Detail</th>\n<th>Mitigation</th>\n</tr>\n</thead>\n<tbody data-lines=\"160,167\">\n<tr data-lines=\"160,161\">\n<td>Pass the ticket</td>\n<td>Steal ticket from memory and pass or import on other systems</td>\n<td>Credential Guard; Remote Credential Guard</td>\n</tr>\n<tr data-lines=\"161,162\">\n<td>Overpass the Hash</td>\n<td>Use NT hash to request a service ticket for the same account</td>\n<td>Credential Guard; Protected Users Group; Disable RC4 authentication</td>\n</tr>\n<tr data-lines=\"162,163\">\n<td>Kerberoasting</td>\n<td>Request service ticket for highly privileged service & crack NT hash</td>\n<td>Long & complex service account passwords; Managed service account</td>\n</tr>\n<tr data-lines=\"163,164\">\n<td>Golden Ticket</td>\n<td>Kerberos TGT for any account with no expiration. Survives full password reset</td>\n<td>Protect domain admin accounts; change KRBTGT password regularly</td>\n</tr>\n<tr data-lines=\"164,165\">\n<td>Silver Ticket</td>\n<td>All-access pass for a single service or computer</td>\n<td>Regular computer account password update</td>\n</tr>\n<tr data-lines=\"165,166\">\n<td>Skeleton Key</td>\n<td>Patch LSASS on domain controller to add backdoor password that works for any domain account</td>\n<td>Protect domain admin accounts; smart card usage for privileged account</td>\n</tr>\n<tr data-lines=\"166,167\">\n<td>DCSync</td>\n<td>Use fake Domain Controller replication to retrieve hashes (and hash history) for any account without login to the DC</td>\n<td>Protect domain admin; audit/limit accounts with replication rights</td>\n</tr>\n</tbody>\n</table>","children":[],"payload":{"lines":"158,167"}}],"payload":{"lines":"157,158"}},{"content":"Defending","children":[{"content":"Change KRBTGT password regularly","children":[],"payload":{"lines":"168,169"}},{"content":"Audit service 
accounts for unusual activity","children":[],"payload":{"lines":"169,170"}},{"content":"Credential Guard","children":[],"payload":{"lines":"170,171"}},{"content":"Remote Credential Guard","children":[],"payload":{"lines":"171,172"}},{"content":"Long & complex passwords on service accounts","children":[],"payload":{"lines":"172,173"}}],"payload":{"lines":"167,168"}},{"content":"Links","children":[{"content":"<a href=\"https://dfirblog.wordpress.com/2015/12/13/protecting-windows-networks-kerberos-attacks/\">Protecting Windows Networkds - Kerberos Attacks</a>","children":[],"payload":{"lines":"174,175"}},{"content":"<a href=\"https://media.cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf\">Protection from Kerberos Golden ticket</a>","children":[],"payload":{"lines":"175,176"}},{"content":"<a href=\"https://www.cyberark.com/resources/blog/no-more-pass-the-hash-exploring-the-limitations-of-remote-credential-guard\">Exploring the limitations of Remote Credential Guard</a>","children":[],"payload":{"lines":"176,177"}},{"content":"<a href=\"https://github.com/nidem/kerberoast\">Github Kerberoast</a>","children":[],"payload":{"lines":"177,178"}},{"content":"<a href=\"https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/\">Kerberos in the Crosshairs: Golden tickets, Silver iickets, MITM and more</a>","children":[],"payload":{"lines":"178,179"}}],"payload":{"lines":"173,174"}}],"payload":{"lines":"151,152"}},{"content":"NTDS.DIT","children":[{"content":"Info","children":[{"content":"Stored in %SystemRoot%\\NTDS","children":[],"payload":{"lines":"181,182"}},{"content":"Location can be modified in HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters","children":[],"payload":{"lines":"182,183"}}],"payload":{"lines":"180,181"}},{"content":"Links","children":[{"content":"<a href=\"https://github.com/BloodHoundAD/BloodHound\">GitHub - 
Bloodhound</a>","children":[],"payload":{"lines":"184,185"}},{"content":"<a href=\"https://byt3bl33d3r.github.io/automating-the-empire-with-the-death-star-getting-domain-admin-with-a-push-of-a-button.html\">Automating the Empire with Death Star</a><br>\n-<a href=\"https://github.com/GoFetchAD/GoFetch\">GitHub - GoFetch</a>","children":[],"payload":{"lines":"185,188"}}],"payload":{"lines":"183,184"}}],"payload":{"lines":"179,180"}}],"payload":{"lines":"93,94"}}],"payload":{"lines":"57,58"}},{"content":"Program Execution","children":[{"content":"Prefetch","children":[{"content":"Info","children":[{"content":"The original purpose is to improve system performence","children":[],"payload":{"lines":"191,192"}},{"content":"FileName like : <appname>-<PATH_HASH>.pf</appname>","children":[],"payload":{"lines":"192,193"}},{"content":"Created after first execution of the app","children":[],"payload":{"lines":"193,194"}},{"content":"Logs all files and directories referenced by app","children":[],"payload":{"lines":"194,195"}},{"content":"Logs original path of execution","children":[],"payload":{"lines":"195,196"}},{"content":"Logs the total #of time app has been launched","children":[],"payload":{"lines":"196,197"}},{"content":"Logs the last time of execution","children":[],"payload":{"lines":"197,198"}},{"content":"From 128 files (win7 & before) to 1024 files (Win10 - Win11)","children":[],"payload":{"lines":"198,199"}},{"content":"Logs dates with ~10 seconds of delay","children":[],"payload":{"lines":"199,201"}}],"payload":{"lines":"190,191"}},{"content":"Hunting","children":[{"content":"Files in c:\\Windows\\Prefetch","children":[],"payload":{"lines":"202,203"}},{"content":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\PrefetchParameters - EnablePrefetcher key","children":[],"payload":{"lines":"203,204"}},{"content":"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SysMain - Start 
key","children":[],"payload":{"lines":"204,205"}}],"payload":{"lines":"201,202"}},{"content":"Tool","children":[{"content":"Zimmerman's tool: PECmd.exe","children":[],"payload":{"lines":"206,207"}}],"payload":{"lines":"205,206"}},{"content":"Links","children":[{"content":"<a href=\"http://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/\">Prefetch Hash Calculator</a>","children":[],"payload":{"lines":"208,209"}},{"content":"<a href=\"https://learn.microsoft.com/en-us/previous-versions/windows/embedded/ms940847(v=winembedded.5)?redirectedfrom=MSDN\">Disabling Prefetch</a>","children":[],"payload":{"lines":"209,210"}},{"content":"<a href=\"https://www.sans.org/blog/what-is-new-in-windows-application-execution/\">Wht's new in Windows Application Execution</a>","children":[],"payload":{"lines":"210,211"}}],"payload":{"lines":"207,208"}}],"payload":{"lines":"189,190"}},{"content":"ShimCache","children":[{"content":"Info","children":[{"content":"Original purpose: identify if an app needs to be shimmed for retro-compatibility","children":[],"payload":{"lines":"213,214"}},{"content":"Tracks Last modification date & file path of the executable file","children":[],"payload":{"lines":"214,215"}},{"content":"Good for proving application was moved, renamed or timestamped","children":[],"payload":{"lines":"215,216"}},{"content":"Most recent events are on top (last OS versions do not record execute time)","children":[],"payload":{"lines":"216,217"}},{"content":"New entries are only written on shutdown (or reboot)","children":[],"payload":{"lines":"217,218"}},{"content":"/ ! 
\\ Since Vista, the InsertFlag does not guarantee the application was executed","children":[],"payload":{"lines":"218,219"}},{"content":"May be helpful to provide clue of existence of the tool if an attacker removed it & the prefetch file","children":[],"payload":{"lines":"219,220"}}],"payload":{"lines":"212,213"}},{"content":"Hunting","children":[{"content":"SYSTEM\\CurrentControlSet\\Control\\SessionManager\\AppCompatCache\\AppCompatCache (Win7+) - 1024 entries, InsertFlag gives some indication of execution but it is not definitive","children":[],"payload":{"lines":"221,222"}},{"content":"SYSTEM\\CurrentControlSet\\Control\\SessionManager\\AppCompatibility\\AppCompatCache (WinXP-) - 96 entries, (2003 - up to 512)","children":[],"payload":{"lines":"222,223"}}],"payload":{"lines":"220,221"}},{"content":"Links","children":[{"content":"<a href=\"https://web.archive.org/web/20191115211402/http://www.alex-ionescu.com/?p=39\">Secrets of the Aplication Compatibility Database</a>","children":[],"payload":{"lines":"224,225"}},{"content":"<a href=\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-7/dd837644(v=ws.10)?redirectedfrom=MSDN\">Understanding Shims</a>","children":[],"payload":{"lines":"225,226"}},{"content":"<a href=\"https://web.archive.org/web/20190209113245/https://www.fireeye.com/content/dam/fireeye-www/services/freeware/shimcache-whitepaper.pdf\">Leveraging the application compatibility Cache in forensic investigation</a>","children":[],"payload":{"lines":"226,227"}}],"payload":{"lines":"223,224"}},{"content":"Tools","children":[{"content":"<a href=\"https://github.com/EricZimmerman/AppCompatCacheParser\">Zimmerman's AppCompatCacheParser</a>","children":[],"payload":{"lines":"228,229"}},{"content":"<a href=\"https://github.com/mandiant/ShimCacheParser\">Mandiant's 
ShimCacheParser</a>","children":[],"payload":{"lines":"229,230"}}],"payload":{"lines":"227,228"}}],"payload":{"lines":"211,212"}},{"content":"AmCache","children":[{"content":"Info","children":[{"content":"Win7+ only","children":[],"payload":{"lines":"232,233"}},{"content":"Tracks installed applications, programs executed, drivers loaded & more","children":[],"payload":{"lines":"233,234"}},{"content":"Provides full path, file size, SHA1 hash, publisher metada & some timestamps of app & driver","children":[],"payload":{"lines":"234,235"}},{"content":"Hash available for app <= 31.4Mo (due to performance), but quite enougth for investigation purpose","children":[],"payload":{"lines":"235,236"}},{"content":"Entries can be due to automated file discovery or program installation.<br>\n=> does not always indicate a program execution","children":[],"payload":{"lines":"236,238"}}],"payload":{"lines":"231,232"}},{"content":"Hunting","children":[{"content":"C:\\Windows\\AppCompat\\Programs\\Amcache.hve","children":[],"payload":{"lines":"239,240"}},{"content":"Can be used as an indication of executable & driver presence on the system","children":[],"payload":{"lines":"240,241"}},{"content":"\"InventoryApplicationFile\" provides some information on the application<br>\nWe then can use the \"ProgramId\" to pivot to \"InventoryApplication\" to get more info","children":[],"payload":{"lines":"241,243"}},{"content":"\"InventoryDriverBinary\" provides info in drivers on the system<br>\nwe can look for anomalies hashes, signature, metadata or modification time (matching suspicious activity timeframe)","children":[],"payload":{"lines":"243,245"}}],"payload":{"lines":"238,239"}},{"content":"Tools","children":[{"content":"<a href=\"https://github.com/EricZimmerman/AmcacheParser\">Zimmerman's AmcacheParser</a>","children":[],"payload":{"lines":"246,247"}},{"content":"<a 
href=\"https://github.com/mbevilacqua/appcompatprocessor\">appcompatprocessor.py</a>","children":[],"payload":{"lines":"247,248"}},{"content":"<a href=\"https://www.youtube.com/watch?v=-0bYcD3_bBs\">ShimCache & Amcache enterprise-wide hunting</a>","children":[],"payload":{"lines":"248,249"}}],"payload":{"lines":"245,246"}},{"content":"Links","children":[],"payload":{"lines":"249,250"}}],"payload":{"lines":"230,231"}}],"payload":{"lines":"188,189"}},{"content":"Lateral Movement","children":[{"content":"RDP - VNC - TeamViewer","children":[{"content":"Source Artifacts","children":[{"content":"EventLogs","children":[{"content":"Security.evtx: 4648","children":[],"payload":{"lines":"255,256"}},{"content":"Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx: 1024 & 1102","children":[],"payload":{"lines":"256,257"}}],"payload":{"lines":"254,255"}},{"content":"Registry","children":[{"content":"NTUSER\\Siftware\\Microsoft\\Terminal Server Client\\Server - Remote Desktop destinations are tracked per user","children":[],"payload":{"lines":"258,259"}},{"content":"ShimCache SYSTEM - mstsc.exe => Remote Desktop Client","children":[],"payload":{"lines":"259,260"}},{"content":"BAM/DAM SYSTEM - Last time executed","children":[],"payload":{"lines":"260,261"}},{"content":"BAM/DAM - mstsc.exe","children":[],"payload":{"lines":"261,262"}},{"content":"AmCache.hve - mstsc.exe => First Time executed","children":[],"payload":{"lines":"262,263"}},{"content":"UserAssist NTUSER.DAT - mstsc.exe => Last Time & #ofTime executed","children":[],"payload":{"lines":"263,264"}},{"content":"RecentApps NTUSER.DAT - mstsc.exe => Last Time & #ofTime executed","children":[],"payload":{"lines":"264,265"}},{"content":"RecentApps NTUSER.DAT - mstsc.exe => RecentItems => connection destinations & times","children":[],"payload":{"lines":"265,266"}}],"payload":{"lines":"257,258"}},{"content":"File System","children":[{"content":"JumpLists 
C:\\User<USERNAME>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations{MSTCS-APPID}-automaticDestinations-ms => Destination & times","children":[],"payload":{"lines":"267,268"}},{"content":"Prefetch C:\\Windows\\Prefetch => mstsc.exe-<hash>.pf</hash>","children":[],"payload":{"lines":"268,269"}},{"content":"Bitmap Cache C:\\Users<USERNAME>\\AppData\\Local\\Microsoft\\Terminal Server Client\\Cache - bcache##.bmc","children":[],"payload":{"lines":"269,270"}},{"content":"Bitmap Cache C:\\Users<USERNAME>\\AppData\\Local\\Microsoft\\Terminal Server Client\\Cache - cache####.bmc","children":[],"payload":{"lines":"270,271"}}],"payload":{"lines":"266,267"}}],"payload":{"lines":"253,254"}},{"content":"Destination Artifacts","children":[{"content":"EventLogs","children":[{"content":"security.evtx - EventID 4624 logon type 10 => SourceIP & UserName","children":[],"payload":{"lines":"273,274"}},{"content":"security.evtx - EventID 4778/4779 => SourceIP & UserName","children":[],"payload":{"lines":"274,275"}},{"content":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational.evtx - EventID 131 => Connection attempts (SourceIP)","children":[],"payload":{"lines":"275,276"}},{"content":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.evtx - EventID 98 => Successful connection","children":[],"payload":{"lines":"276,277"}},{"content":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.evtx - EventID 1149 => SourceIP & UserName (blank if using sticky key)","children":[],"payload":{"lines":"277,278"}},{"content":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.evtx - EventID 21,22,25 => SourceIP & UserName","children":[],"payload":{"lines":"278,279"}},{"content":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.evtx - EventID 41 => UserName","children":[],"payload":{"lines":"279,280"}}],"payload":{"lines":"272,273"}},{"content":"Registry","children":[{"content":"ShimCache SYSTEM => 
rdpclip.exe & tstheme.exe","children":[],"payload":{"lines":"281,282"}},{"content":"Amcache.hve - rdpclip.exe & tstheme.exe => First Time executed","children":[],"payload":{"lines":"282,283"}}],"payload":{"lines":"280,281"}},{"content":"File System","children":[{"content":"Prefetch C:\\windows\\Prefetch - rdpclip.exe-<hash>.pf & tstheme.exe-<hash>.pf</hash></hash>","children":[],"payload":{"lines":"284,285"}}],"payload":{"lines":"283,284"}}],"payload":{"lines":"271,272"}}],"payload":{"lines":"252,253"}},{"content":"Windows Admin Sharing","children":[{"content":"Source Artifacts","children":[{"content":"EventLogs","children":[{"content":"security.evtx - EventID 4648 => DestinationIP & DestinationUserName, app","children":[],"payload":{"lines":"288,289"}},{"content":"Microsoft-Windows-SMBClient/Security.evtx EventID 31001 (Failed logon to destination) => Destination, UserName, reason why","children":[],"payload":{"lines":"289,290"}}],"payload":{"lines":"287,288"}},{"content":"Registry","children":[{"content":"NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2 - Remotely mapped shares","children":[],"payload":{"lines":"291,292"}},{"content":"Shellbags USRCLASS.DAT - Remote folder accessed inside an interactive session via explorer","children":[],"payload":{"lines":"292,293"}},{"content":"ShimCache SYSTEM - net.exe & net1.exe","children":[],"payload":{"lines":"293,294"}},{"content":"BAM/DAM NTUSER.DAT - net.exe & net1.exe => Last execution time","children":[],"payload":{"lines":"294,295"}},{"content":"AmCache.hve - net.exe & net1.exe => First execution time","children":[],"payload":{"lines":"295,296"}}],"payload":{"lines":"290,291"}},{"content":"File System","children":[{"content":"Prefetch C:\\windows\\Prefetch - net.exe-<hash>.pf & net1.exe-<hash>.pf</hash></hash>","children":[],"payload":{"lines":"297,298"}}],"payload":{"lines":"296,297"}}],"payload":{"lines":"286,287"}},{"content":"Destination 
Artifacts","children":[{"content":"EventLogs","children":[{"content":"security.evtx - EventID 4624 logon type 3 => SourceIP & UserName","children":[],"payload":{"lines":"300,301"}},{"content":"security.evtx - EventID 4772/4776 => SourceIP & UserName","children":[],"payload":{"lines":"301,302"}},{"content":"security.evtx - EventID 4768/4679 TGT Granted/Service Ticket Granted => SourceIP & UserName","children":[],"payload":{"lines":"302,303"}},{"content":"security.evtx - EventID 5140/5145 => Share Access/Auditing of shared files (noisy)","children":[],"payload":{"lines":"303,304"}}],"payload":{"lines":"299,300"}},{"content":"Registry","children":[{"content":"None","children":[],"payload":{"lines":"305,306"}}],"payload":{"lines":"304,305"}},{"content":"File System","children":[{"content":"File creation - Look for Modified Time before Creation Time","children":[],"payload":{"lines":"307,308"}},{"content":"File creation - Creation Time == Copy Time","children":[],"payload":{"lines":"308,310"}}],"payload":{"lines":"306,307"}}],"payload":{"lines":"298,299"}}],"payload":{"lines":"285,286"}},{"content":"PsExec","children":[{"content":"Source Artifacts","children":[{"content":"EventLogs","children":[{"content":"Security.evtx EventID 4648 => Current logged-on UserName, Alternate UserName, DestinationIP, ProcessName","children":[],"payload":{"lines":"313,314"}}],"payload":{"lines":"312,313"}},{"content":"Registry","children":[{"content":"NTUSER\\Software\\SysInternals\\PsExec\\EulaAccepted","children":[],"payload":{"lines":"315,316"}},{"content":"ShimCache SYSTEM - psexec.exe","children":[],"payload":{"lines":"316,317"}},{"content":"BAM/DAM NTUSER.DAT - psexec.exe => Last execution time","children":[],"payload":{"lines":"317,318"}},{"content":"AmCache.hve - psexec.exe => First execution time","children":[],"payload":{"lines":"318,319"}}],"payload":{"lines":"314,315"}},{"content":"File System","children":[{"content":"Prefetch C:\\windows\\Prefetch - 
psexec.exe-<hash>.pf</hash>","children":[],"payload":{"lines":"320,321"}},{"content":"File Creation psexec.exe => file downloaded & created on local host","children":[],"payload":{"lines":"321,322"}}],"payload":{"lines":"319,320"}},{"content":"Info - TIPS","children":[{"content":"Log activity is more important in destination UNLESS the attacker uses the \"runas\" option (eventID 4648).<br>\nIn that specific case, the source logs more stuff.","children":[],"payload":{"lines":"323,325"}}],"payload":{"lines":"322,323"}}],"payload":{"lines":"311,312"}},{"content":"Destination Artifacts","children":[{"content":"EventLogs","children":[{"content":"Security.evtx EventID 4624/4672 (logon type 3 (&2 if alternative user account used))=> -on UserName, SourceIP","children":[],"payload":{"lines":"327,328"}},{"content":"Security.evtx EventID 5140 => ADMIN$ share used by PsExec","children":[],"payload":{"lines":"328,329"}},{"content":"System.evtx EventID 7045 => Service installation","children":[],"payload":{"lines":"329,330"}}],"payload":{"lines":"326,327"}},{"content":"Registry","children":[{"content":"SYSTEM\\CurrentControlSet\\Services\\PSEXESVC - ('-r' option allows attacker to change service name)","children":[],"payload":{"lines":"331,332"}},{"content":"ShimCache SYSTEM - psexec.exe","children":[],"payload":{"lines":"332,333"}},{"content":"AmCache.hve - psexec.exe => First execution time","children":[],"payload":{"lines":"333,334"}}],"payload":{"lines":"330,331"}},{"content":"File System","children":[{"content":"Prefetch C:\\windows\\Prefetch - psexesvc.exe-<hash>.pf & evil.exe-<hash>.pf</hash></hash>","children":[],"payload":{"lines":"335,336"}},{"content":"File Creation psexesvc.exe => in ADMIN$ by default as well as evil.exe","children":[],"payload":{"lines":"336,337"}},{"content":"User profile structure created unless '-e' option used","children":[],"payload":{"lines":"337,338"}}],"payload":{"lines":"334,335"}},{"content":"Info - TIPS","children":[{"content":"Multiple 
steps to remotely execute commands:<br>\na. Authenticate to the destination<br>\nb. Named pipe set up between source & destination<br>\nc. ADMIN$ share mount on destination<br>\nd. PsExesvc & binaries copied to destination<br>\ne. Windows service started & copied files executed","children":[],"payload":{"lines":"339,345"}},{"content":"If script/binary created very close to the execution of PSEXESVC.exe, the two are very likely related","children":[],"payload":{"lines":"345,346"}},{"content":"The Metasploit version of PsExec uses a random service name instead of Psexesvc, making<br>\nit easy to identify as evil. PsExec will create a user profile on the destination system by default.<br>\nThis presumes a profile doesn't already exist & that the attacker did not include the '-e' option.<br>\nThe creation time of this profile & its corresponding NTUSER.DAT registry data can be another indicator of the PsExec activity","children":[],"payload":{"lines":"346,350"}},{"content":"RAM analysis can allow us to find named pipes. 
It may look like this:<br>\n\\<localip>\\pipe\\PSEXESVC-<sourcehostname>-<pid>-stdin<br>\n\\<localip>\\pipe\\PSEXESVC-<sourcehostname>-<pid>-stdout<br>\n\\<localip>\\pipe\\PSEXESVC-<sourcehostname>-<pid>-stderr</pid></sourcehostname></localip></pid></sourcehostname></localip></pid></sourcehostname></localip>","children":[],"payload":{"lines":"350,354"}},{"content":"If attacker can use '-r' option to change the name of PSEXESVC.<br>\nAll artifacts still good but anyway","children":[],"payload":{"lines":"354,356"}}],"payload":{"lines":"338,339"}}],"payload":{"lines":"325,326"}}],"payload":{"lines":"310,311"}},{"content":"Windows Remote Service","children":[{"content":"Source Artifacts","children":[{"content":"EventLogs","children":[{"content":"None","children":[],"payload":{"lines":"359,360"}}],"payload":{"lines":"358,359"}},{"content":"Registry","children":[{"content":"ShimCache SYSTEM - sc.exe","children":[],"payload":{"lines":"361,362"}},{"content":"AmCache.hve - sc.exe => First execution time","children":[],"payload":{"lines":"362,363"}},{"content":"BAM/DAM SYSTEM - sc.exe => Last execution time","children":[],"payload":{"lines":"363,364"}}],"payload":{"lines":"360,361"}},{"content":"File System","children":[{"content":"Prefetch C:\\windows\\Prefetch - sc.exe-<hash>.pf & evil.exe-<hash>.pf</hash></hash>","children":[],"payload":{"lines":"365,366"}}],"payload":{"lines":"364,365"}}],"payload":{"lines":"357,358"}},{"content":"Destination Artifacts","children":[{"content":"EventLogs","children":[{"content":"security.evtx - EventID 4624 logon type 3 => SourceIP & UserName","children":[],"payload":{"lines":"368,369"}},{"content":"security.evtx - EventID 4697 => Service install, if enabled","children":[],"payload":{"lines":"369,370"}},{"content":"system.evtx - EventID 7034 => Service crashed unexpectedly","children":[],"payload":{"lines":"370,371"}},{"content":"system.evtx - EventID 7035 => Service sent a Start/Stop 
control","children":[],"payload":{"lines":"371,372"}},{"content":"system.evtx - EventID 7036 => Service Started/Stoped","children":[],"payload":{"lines":"372,373"}},{"content":"system.evtx - EventID 7040 => Service Start type changed (Boot, On Request, Disabled)","children":[],"payload":{"lines":"373,374"}},{"content":"system.evtx - EventID 7045 => Service was installed on the system","children":[],"payload":{"lines":"374,375"}}],"payload":{"lines":"367,368"}},{"content":"Registry","children":[{"content":"SYSTEM\\CurrentControlSet\\Services => New service creation","children":[],"payload":{"lines":"376,377"}},{"content":"ShimCache SYSTEM - evil.exe => Records the existence of service executable unless implemented as a service DLL","children":[],"payload":{"lines":"377,378"}},{"content":"Amcache.hv - evil.exe => First execution time","children":[],"payload":{"lines":"378,379"}}],"payload":{"lines":"375,376"}},{"content":"File System","children":[{"content":"File Creation - evil.exe or evil.dll creation on disk","children":[],"payload":{"lines":"380,381"}},{"content":"Prefetch C:\\windows\\Prefetch - evil.exe-<hash>.pf</hash>","children":[],"payload":{"lines":"381,382"}}],"payload":{"lines":"379,380"}}],"payload":{"lines":"366,367"}}],"payload":{"lines":"356,357"}},{"content":"Windows Remote ScheduledTask","children":[{"content":"Source Artifacts","children":[{"content":"EventLogs","children":[{"content":"security.evtx EventID 4648 => DestinationIP, ProcessName & UserNames","children":[],"payload":{"lines":"385,386"}}],"payload":{"lines":"384,385"}},{"content":"Registry","children":[{"content":"ShimCache SYSTEM - at.exe & schtasks.exe","children":[],"payload":{"lines":"387,388"}},{"content":"AmCache.hve - at.exe & schtasks.exe => First execution time","children":[],"payload":{"lines":"388,389"}},{"content":"BAM/DAM SYSTEM - at.exe & schtasks.exe => Last execution time","children":[],"payload":{"lines":"389,390"}}],"payload":{"lines":"386,387"}},{"content":"File 
System","children":[{"content":"Prefetch C:\\windows\\Prefetch - schtasks.exe-<hash>.pf & at.exe-<hash>.pf</hash></hash>","children":[],"payload":{"lines":"391,392"}}],"payload":{"lines":"390,391"}}],"payload":{"lines":"383,384"}},{"content":"Destination Artifacts","children":[{"content":"EventLogs","children":[{"content":"security.evtx - EventID 4624 logon type 3 => SourceIP & UserName","children":[],"payload":{"lines":"394,395"}},{"content":"security.evtx - EventID 4672 => UserName, adminRights?, Requirement for default shares such as C$ or ADMIN$","children":[],"payload":{"lines":"395,396"}},{"content":"security.evtx - EventID 4698 => Scheduled Task created","children":[],"payload":{"lines":"396,397"}},{"content":"security.evtx - EventID 4702 => Scheduled Task updated","children":[],"payload":{"lines":"397,398"}},{"content":"security.evtx - EventID 4699 => Scheduled Task deleted","children":[],"payload":{"lines":"398,399"}},{"content":"security.evtx - EventID 4700/4701 => Scheduled Task Enabled/Disabled","children":[],"payload":{"lines":"399,400"}},{"content":"Microsoft-Windows-TaskScheduler/Operational.evtx EventID 106 => Scheduled Task created","children":[],"payload":{"lines":"400,401"}},{"content":"Microsoft-Windows-TaskScheduler/Operational.evtx EventID 140 => Scheduled Task updated","children":[],"payload":{"lines":"401,402"}},{"content":"Microsoft-Windows-TaskScheduler/Operational.evtx EventID 141 => Scheduled Task deleted","children":[],"payload":{"lines":"402,403"}},{"content":"Microsoft-Windows-TaskScheduler/Operational.evtx EventID 200/201 => Scheduled Task Executed/Completed","children":[],"payload":{"lines":"403,404"}}],"payload":{"lines":"393,394"}},{"content":"Registry","children":[{"content":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks","children":[],"payload":{"lines":"405,406"}},{"content":"SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\Tree","children":[],"payload":{"lines":"406,407"}},{"content":"ShimCache SYSTEM - evil.exe","children":[],"payload":{"lines":"407,408"}},{"content":"Amcache.hv - evil.exe => First execution time","children":[],"payload":{"lines":"408,409"}}],"payload":{"lines":"404,405"}},{"content":"File System","children":[{"content":"File Creation - evil.exe creation on disk","children":[],"payload":{"lines":"410,411"}},{"content":"Job Files Creation in C:\\Windows\\Tasks","children":[],"payload":{"lines":"411,412"}},{"content":"XML Task Files Creation in C:\\Windows\\System32\\Tasks","children":[],"payload":{"lines":"412,413"}},{"content":"Prefetch C:\\windows\\Prefetch - evil.exe-<hash>.pf</hash>","children":[],"payload":{"lines":"413,414"}}],"payload":{"lines":"409,410"}}],"payload":{"lines":"392,393"}}],"payload":{"lines":"382,383"}},{"content":"Windows Remote WMI","children":[{"content":"Source Artifacts","children":[{"content":"EventLogs","children":[{"content":"security.evtx EventID 4648 => DestinationIP, ProcessName & UserNames","children":[],"payload":{"lines":"417,418"}}],"payload":{"lines":"416,417"}},{"content":"Registry","children":[{"content":"ShimCache SYSTEM - wmic.exe","children":[],"payload":{"lines":"419,420"}},{"content":"AmCache.hve - wmic.exe => First execution time","children":[],"payload":{"lines":"420,421"}},{"content":"BAM/DAM SYSTEM - wmic.exe => Last execution time","children":[],"payload":{"lines":"421,422"}}],"payload":{"lines":"418,419"}},{"content":"File System","children":[{"content":"Prefetch C:\\windows\\Prefetch - wmic.exe-<hash>.pf</hash>","children":[],"payload":{"lines":"423,424"}}],"payload":{"lines":"422,423"}}],"payload":{"lines":"415,416"}},{"content":"Destination Artifacts","children":[{"content":"EventLogs","children":[{"content":"security.evtx - EventID 4624 logon type 3 => SourceIP & UserName","children":[],"payload":{"lines":"426,427"}},{"content":"security.evtx - EventID 4672 => 
UserName, adminRights?","children":[],"payload":{"lines":"427,428"}},{"content":"Microsoft-Windows-WMI-Activity/Operational.evtx EventID 5857 => Time of wmiprvse execution & path to provider DLL","children":[],"payload":{"lines":"428,429"}},{"content":"Microsoft-Windows-WMI-Activity/Operational.evtx EventID 5860/5861 => Registration of temporary/permanent event consumer","children":[],"payload":{"lines":"429,430"}}],"payload":{"lines":"425,426"}},{"content":"Registry","children":[{"content":"ShimCache SYSTEM - scrcons.exe, mofcomp.exe, wmiprvse.exe, evil.exe","children":[],"payload":{"lines":"431,432"}},{"content":"Amcache.hve - scrcons.exe, mofcomp.exe, wmiprvse.exe, evil.exe => First execution time","children":[],"payload":{"lines":"432,433"}}],"payload":{"lines":"430,431"}},{"content":"File System","children":[{"content":"File Creation - evil.exe & evil.mof creation on disk","children":[],"payload":{"lines":"434,435"}},{"content":"Prefetch C:\\windows\\Prefetch - evil.exe-<hash>.pf, scrcons.exe-<hash>.pf, mofcomp.exe-<hash>.pf, wmiprvse.exe-<hash>.pf</hash></hash></hash></hash>","children":[],"payload":{"lines":"435,436"}},{"content":"Unauthorized changes to C:\\windows\\System32\\wbem\\Repository","children":[],"payload":{"lines":"436,437"}}],"payload":{"lines":"433,434"}}],"payload":{"lines":"424,425"}}],"payload":{"lines":"414,415"}},{"content":"Windows Remote PowerShell","children":[{"content":"Source Artifacts","children":[{"content":"EventLogs","children":[{"content":"security.evtx EventID 4648 => DestinationIP, ProcessName & UserNames","children":[],"payload":{"lines":"440,441"}},{"content":"Microsoft-Windows-WMI/Operational.evtx EventID 6 => Session created, DestinationIP, UserName","children":[],"payload":{"lines":"441,442"}},{"content":"Microsoft-Windows-WMI/Operational.evtx EventID 8,15,16,33 => Session closed, DestinationIP, UserName","children":[],"payload":{"lines":"442,443"}},{"content":"Microsoft-Windows-PowerShell/Operational.evtx EventID 
40691/40692 => Local initiation of powershell & associated account","children":[],"payload":{"lines":"443,444"}},{"content":"Microsoft-Windows-PowerShell/Operational.evtx EventID 8193/8194 => Session created","children":[],"payload":{"lines":"444,445"}},{"content":"Microsoft-Windows-PowerShell/Operational.evtx EventID 8197 Connect => Session closed","children":[],"payload":{"lines":"445,446"}}],"payload":{"lines":"439,440"}},{"content":"Registry","children":[{"content":"ShimCache SYSTEM - powershell.exe","children":[],"payload":{"lines":"447,448"}},{"content":"AmCache.hve - powershell.exe => First execution time","children":[],"payload":{"lines":"448,449"}},{"content":"BAM/DAM SYSTEM - powershell.exe => Last execution time","children":[],"payload":{"lines":"449,450"}}],"payload":{"lines":"446,447"}},{"content":"File System","children":[{"content":"Prefetch C:\\windows\\Prefetch - powershell.exe-<hash>.pf => ps1 file will be tracked</hash>","children":[],"payload":{"lines":"451,452"}},{"content":"C:\\Users<USERNAME>\\AppData\\Roaming\\Microsoft\\Windows\\Powershell\\PSReadline\\ConsoleHost_history.txt => last 4096 commands launched by user","children":[],"payload":{"lines":"452,453"}}],"payload":{"lines":"450,451"}}],"payload":{"lines":"438,439"}},{"content":"Destination Artifacts","children":[{"content":"EventLogs","children":[{"content":"security.evtx - EventID 4624 logon type 3 => SourceIP & UserName","children":[],"payload":{"lines":"455,456"}},{"content":"security.evtx - EventID 4672 => UserName, adminRights?","children":[],"payload":{"lines":"456,457"}},{"content":"Microsoft-Windows-WinRM/Operational.evtx EventID 91 => Session created","children":[],"payload":{"lines":"457,458"}},{"content":"Microsoft-Windows-WinRM/Operational.evtx EventID 168 => Recodes the authenticating user","children":[],"payload":{"lines":"458,459"}},{"content":"Microsoft-Windows-PowerShell/Operational.evtx EventID 400/403 => Indicate start/end of remoting 
session","children":[],"payload":{"lines":"459,460"}},{"content":"Microsoft-Windows-PowerShell/Operational.evtx EventID 800 => Include partial script code","children":[],"payload":{"lines":"460,461"}}],"payload":{"lines":"454,455"}},{"content":"Registry","children":[{"content":"ShimCache SYSTEM - wsmprovhost.exe, evil.exe","children":[],"payload":{"lines":"462,463"}},{"content":"Amcache.hve - wsmprovhost.exe, evil.exe => First execution time","children":[],"payload":{"lines":"463,464"}},{"content":"SOFTWARE\\Microsoft\\PowerShell\\1\\shellIds\\Microsoft.PowerShell\\ExecutionPolicy => May be changed by an attacker to reduce restrictions","children":[],"payload":{"lines":"464,465"}}],"payload":{"lines":"461,462"}},{"content":"File System","children":[{"content":"File Creation - evil.exe creation on disk","children":[],"payload":{"lines":"466,467"}},{"content":"File Creation - User profile directory (if 'Enter-PSSession' is used)","children":[],"payload":{"lines":"467,468"}},{"content":"Prefetch C:\\windows\\Prefetch - evil.exe-<hash>.pf, wsmprovhost.exe-<hash>.pf</hash></hash>","children":[],"payload":{"lines":"468,469"}}],"payload":{"lines":"465,466"}}],"payload":{"lines":"453,454"}}],"payload":{"lines":"437,438"}},{"content":"Other","children":[{"content":"Application Deployment Software","children":[{"content":"Patch/application deployment tools are legitimate tools.<br>\nThis implies that accounts & systems used in the patch deployment process must be heavily monitored","children":[],"payload":{"lines":"471,473"}}],"payload":{"lines":"470,471"}},{"content":"Vulnerability Exploitation","children":[{"content":"Patch it !!!","children":[],"payload":{"lines":"474,475"}}],"payload":{"lines":"473,474"}}],"payload":{"lines":"469,470"}},{"content":"Links","children":[{"content":"<a href=\"https://github.com/ANSSI-FR/bmc-tools\">RDP Bitmap Cache 
parser</a>","children":[],"payload":{"lines":"476,478"}}],"payload":{"lines":"475,476"}}],"payload":{"lines":"251,252"}},{"content":"(Native) EventLogs","children":[{"content":"<table data-lines=\"479,493\">\n<thead data-lines=\"479,480\">\n<tr data-lines=\"479,480\">\n<th>What</th>\n<th>EvtxName</th>\n<th>EventID</th>\n</tr>\n</thead>\n<tbody data-lines=\"481,493\">\n<tr data-lines=\"481,482\">\n<td>Logons</td>\n<td>Security</td>\n<td>4624, 4625, 4634, 4647<br>4648, 4672, 4720, 4726</td>\n</tr>\n<tr data-lines=\"482,483\">\n<td>Account Logon</td>\n<td>Security</td>\n<td>4768, 4769, 4771, 4776</td>\n</tr>\n<tr data-lines=\"483,484\">\n<td>RDP</td>\n<td>Security<br>RDPClient<br>RDPCoreTS<br>RemoteConnectionManager</td>\n<td>4624, 4625, 4778, 4779<br>1024, 1102<br>98, 131<br>1149</td>\n</tr>\n<tr data-lines=\"484,485\">\n<td>Network Shares</td>\n<td>Security</td>\n<td>5140-5145</td>\n</tr>\n<tr data-lines=\"485,486\">\n<td>Scheduled Tasks</td>\n<td>Security<br>Task Scheduler</td>\n<td>4698<br>106, 140-141, 200-201</td>\n</tr>\n<tr data-lines=\"486,487\">\n<td>Installation</td>\n<td>Application</td>\n<td>1033, 1034, 11707, 11708, 11724</td>\n</tr>\n<tr data-lines=\"487,488\">\n<td>Services</td>\n<td>System<br>Security</td>\n<td>7034-7036, 7040, 7045<br>4697</td>\n</tr>\n<tr data-lines=\"488,489\">\n<td>Log Clearing</td>\n<td>Security<br>System</td>\n<td>1102<br>104</td>\n</tr>\n<tr data-lines=\"489,490\">\n<td>Malware Execution</td>\n<td>Security<br>System<br>Application</td>\n<td>4688<br>1001<br>1000-1002</td>\n</tr>\n<tr data-lines=\"490,491\">\n<td>Anti-Malware Log</td>\n<td>Windows-Defender/Operational</td>\n<td>1116-1119</td>\n</tr>\n<tr data-lines=\"491,492\">\n<td>Command Lines</td>\n<td>Security<br>PowerShell/Operational</td>\n<td>4688<br>4103-4104</td>\n</tr>\n<tr 
data-lines=\"492,493\">\n<td>WMI</td>\n<td>WMI-Activity/Operational</td>\n<td>5857-5861</td>\n</tr>\n</tbody>\n</table>","children":[],"payload":{"lines":"479,493"}}],"payload":{"lines":"478,479"}},{"content":"Memory analysis","children":[{"content":"Acquisition","children":[{"content":"Live System","children":[{"content":"<a href=\"https://github.com/Velocidex/c-aff4/releases\">WinPMEM</a>","children":[],"payload":{"lines":"497,498"}},{"content":"<a href=\"https://magnetforensics.com/free-tool-magnet-ram-capture\">MagnetForensics RAM Capture</a>","children":[],"payload":{"lines":"498,499"}},{"content":"<a href=\"https://forensic.belkasoft.com/en/ram-capturer\">Belkasoft Live RAM Capturer</a>","children":[],"payload":{"lines":"499,500"}},{"content":"<a href=\"https://www.f-response.com\">F-Response</a>","children":[],"payload":{"lines":"500,501"}}],"payload":{"lines":"496,497"}},{"content":"Dead System","children":[{"content":"Hibernation files - %SystemDrive%\\hiberfil.sys - Contains a compressed RAM Image","children":[],"payload":{"lines":"502,503"}},{"content":"Pages & Swap files - %SystemDrive%{pagefile.sys, swapfile.sys} - swapfile.sys => Win8+/2012+","children":[],"payload":{"lines":"503,504"}},{"content":"Kernel-Mode dump files - %SystemRoot%\\MEMORY.DMP","children":[],"payload":{"lines":"504,505"}},{"content":"SYSTEM\\CurrentControlSet\\Control\\CrashControl","children":[],"payload":{"lines":"505,506"}},{"content":"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management","children":[],"payload":{"lines":"506,507"}}],"payload":{"lines":"501,502"}},{"content":"Links/Info","children":[{"content":"MemProcFS can analyse these page files<br>\n-<a href=\"https://github.com/Velocidex/c-aff4\">PMEM Memory acquisition suite</a><br>\n-<a href=\"https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files\">Varieties of Kernel-Mode Dump files</a><br>\n-<a 
href=\"https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options\">Overview of memory dump file options for Windows</a><br>\n-<a href=\"https://learn.microsoft.com/en-us/archive/blogs/supportingwindows/windows-8-windows-server-2012-the-new-swap-file\">Win8/2012: the new swap file</a>","children":[],"payload":{"lines":"508,513"}}],"payload":{"lines":"507,508"}}],"payload":{"lines":"495,496"}},{"content":"Hibernation file tools","children":[{"content":"Decompress to raw","children":[{"content":"Volatility v2's imagecopy plugin","children":[],"payload":{"lines":"515,516"}},{"content":"Volatility v3's layerwriter plugin","children":[],"payload":{"lines":"516,517"}},{"content":"hibr2bin.exe (not updated, so far, can't use on win10+)","children":[],"payload":{"lines":"517,518"}},{"content":"Arsenal's Hibernation Recon tool","children":[],"payload":{"lines":"518,519"}}],"payload":{"lines":"514,515"}},{"content":"Analyse natively","children":[{"content":"BulkExtractor","children":[],"payload":{"lines":"520,521"}},{"content":"Magnet AXIOM","children":[],"payload":{"lines":"521,522"}},{"content":"Volatility","children":[],"payload":{"lines":"522,523"}},{"content":"Passware","children":[],"payload":{"lines":"523,524"}}],"payload":{"lines":"519,520"}}],"payload":{"lines":"513,514"}},{"content":"Performing Memory Analysis","children":[{"content":"Identify Rogue Processes","children":[{"content":"Artifacts","children":[{"content":"Image name: legitimate process, spelled correctly, matches system context","children":[],"payload":{"lines":"527,528"}},{"content":"Full path: appropriate path for tsystem executable, running from user/temp directory","children":[],"payload":{"lines":"528,529"}},{"content":"Parent process: is it the parent process expected, Orphan process","children":[],"payload":{"lines":"529,530"}},{"content":"Command line: executable matches image name, do arguments make 
sense","children":[],"payload":{"lines":"530,531"}},{"content":"Start time: was the process started at boot, processes started near time of known attack","children":[],"payload":{"lines":"531,532"}},{"content":"security ID: do the security identifiers make sense, why would a system process use a user account SID","children":[],"payload":{"lines":"532,533"}}],"payload":{"lines":"526,527"}},{"content":"Volatility commands","children":[{"content":"windows.pslist: print all running processes within the EPROCESS doubly linked list","children":[],"payload":{"lines":"534,535"}},{"content":"windows.psscan: scan physical memory for EPROCESS pool allocation (can identify ended processes)","children":[],"payload":{"lines":"535,536"}},{"content":"windows.pstree: printprocess list as a tree showing parent relationships (using EPROCESS doubly linked list)","children":[],"payload":{"lines":"536,537"}},{"content":"Memory Baseliner: compare processes & loaded DLLs with a baseline image","children":[],"payload":{"lines":"537,538"}}],"payload":{"lines":"533,534"}}],"payload":{"lines":"525,526"}},{"content":"Analyze process objects","children":[{"content":"Artifacts","children":[{"content":"DLLs: Dynamic Linked Libraries (shared code)","children":[],"payload":{"lines":"540,541"}},{"content":"Handles - files: open files or I/O devices","children":[],"payload":{"lines":"541,542"}},{"content":"Handles - directories: lists of names used for access to kernel objects","children":[],"payload":{"lines":"542,543"}},{"content":"Handles - registry: access to a key within the windows registry","children":[],"payload":{"lines":"543,544"}},{"content":"Handles - mutexes/semaphore: control/limit access to an object","children":[],"payload":{"lines":"544,545"}},{"content":"Handles - events: notifications that help threads communicate and organize","children":[],"payload":{"lines":"545,546"}},{"content":"Threads: smallest unit of execution; the workhorse of a 
process","children":[],"payload":{"lines":"546,547"}},{"content":"Memory section: shared memory areas used by a process","children":[],"payload":{"lines":"547,548"}},{"content":"Sockets: network port and connection information within a process","children":[],"payload":{"lines":"548,549"}},{"content":"SIDs: system processes should not be run with user's SID because they shouldn't start under user context","children":[],"payload":{"lines":"549,550"}},{"content":"Mutants: (or Mutexes) they control or limit access to a resource. Attackers sometimes use them to mark territory or avoid reinfection","children":[],"payload":{"lines":"550,551"}}],"payload":{"lines":"539,540"}},{"content":"Volatility commands","children":[{"content":"windows.dlllist: print list of DLLs for each process","children":[],"payload":{"lines":"552,553"}},{"content":"windows.cmdline: display commandline args for each process","children":[],"payload":{"lines":"553,554"}},{"content":"windows.getsids: extract the ownership SIDs for each process","children":[],"payload":{"lines":"554,555"}},{"content":"windows.handles: print list of open handles for each process","children":[],"payload":{"lines":"555,556"}}],"payload":{"lines":"551,552"}}],"payload":{"lines":"538,539"}},{"content":"Review network artifacts","children":[{"content":"Artifacts","children":[{"content":"Process communicating over port 80, 443 or 8080 that is not a browser","children":[],"payload":{"lines":"558,559"}},{"content":"Browser communicating over a port other than 80, 443 or 8080","children":[],"payload":{"lines":"559,560"}},{"content":"Connection to unexplained internal/external IP addresses","children":[],"payload":{"lines":"560,561"}},{"content":"Web requests directly to an IP address rather than domain name","children":[],"payload":{"lines":"561,562"}},{"content":"RDP connections (port 3389), particularly if originating from odd/external IP","children":[],"payload":{"lines":"562,563"}},{"content":"DNS requests for unusual domain 
name","children":[],"payload":{"lines":"563,564"}},{"content":"Workstation to workstation connections","children":[],"payload":{"lines":"564,565"}}],"payload":{"lines":"557,558"}},{"content":"Volatility commands","children":[{"content":"windows.netstat","children":[],"payload":{"lines":"566,567"}},{"content":"windows.netscan","children":[],"payload":{"lines":"567,568"}}],"payload":{"lines":"565,566"}}],"payload":{"lines":"556,557"}},{"content":"Look for evidence of code injection","children":[{"content":"Artifacts","children":[{"content":"DLL introduced using the Windows loader (API)","children":[],"payload":{"lines":"570,571"}},{"content":"Identify unusual executable memory locations","children":[],"payload":{"lines":"571,572"}},{"content":"Uncover kernel and userland process inconsistencies","children":[],"payload":{"lines":"572,573"}},{"content":"VAD => (MappedPath, Base address)","children":[],"payload":{"lines":"573,574"}},{"content":"PEB => (Inload, InInit & InMem)","children":[],"payload":{"lines":"574,575"}}],"payload":{"lines":"569,570"}},{"content":"Volatility/MemProcFS/Live Analysis commands","children":[{"content":"windows.ldrmodules","children":[],"payload":{"lines":"576,577"}},{"content":"windows.malfind","children":[],"payload":{"lines":"577,578"}},{"content":"windows.hollowfind (vol2)","children":[],"payload":{"lines":"578,579"}},{"content":"windows.ptemalfind (vol3)","children":[],"payload":{"lines":"579,580"}},{"content":"findevil (MemProcFS)","children":[],"payload":{"lines":"580,581"}},{"content":"Moneta (Live Analysis)","children":[],"payload":{"lines":"581,582"}},{"content":"Hollow hunter (Live Analysis)","children":[],"payload":{"lines":"582,583"}}],"payload":{"lines":"575,576"}}],"payload":{"lines":"568,569"}},{"content":"Audit drivers and rootkit detection","children":[],"payload":{"lines":"583,584"}},{"content":"Dump suspicious processes & 
drivers","children":[],"payload":{"lines":"584,585"}}],"payload":{"lines":"524,525"}},{"content":"Links/Info","children":[{"content":"<a href=\"https://moyix.blogspot.com/2008/04/finding-kernel-global-variables-in.html\">Finding Kernel Global Variables</a>","children":[],"payload":{"lines":"586,587"}},{"content":"<a href=\"https://blog.onfvp.com/post/volatility-cheatsheet/\">Volatility CheatSheet</a>","children":[],"payload":{"lines":"587,588"}},{"content":"<a href=\"https://github.com/csababarta/volatility_plugins/blob/master/baseline.py\">Memory baseliner</a>","children":[],"payload":{"lines":"588,589"}},{"content":"<a href=\"http://www.tekdefense.com/news/2013/12/23/analyzing-darkcomet-in-memory.html\">DarkComet in memory</a>","children":[],"payload":{"lines":"589,590"}},{"content":"<a href=\"https://learn.microsoft.com/fr-fr/windows-server/identity/ad-ds/manage/understand-security-identifiers\">Well known Security Identifier</a>","children":[],"payload":{"lines":"590,591"}},{"content":"<a href=\"https://learn.microsoft.com/fr-fr/windows/win32/secauthz/access-tokens?redirectedfrom=MSDN\">Access Token</a>","children":[],"payload":{"lines":"591,592"}},{"content":"<a href=\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783557(v=ws.10)?redirectedfrom=MSDN\">How Access Tokens work</a>","children":[],"payload":{"lines":"592,593"}},{"content":"CobaltStrike often uses the same NamedPipe names: MSSE-####-server","children":[],"payload":{"lines":"593,594"}},{"content":"CobaltStrike often uses the same NamedPipe names: msagent_##","children":[],"payload":{"lines":"594,595"}},{"content":"CobaltStrike often uses the same NamedPipe names: status_##","children":[],"payload":{"lines":"595,596"}},{"content":"CobaltStrike often uses the same NamedPipe names: postex_ssh_####","children":[],"payload":{"lines":"596,597"}},{"content":"CobaltStrike often uses the same NamedPipe names: \\.\\pipe####### (from 7 to 10 
#)","children":[],"payload":{"lines":"597,598"}},{"content":"CobaltStrike often uses the same NamedPipe names: postex_####","children":[],"payload":{"lines":"598,599"}},{"content":"<a href=\"https://github.com/ufrisk/MemProcFS\">MemProcFS tool</a>","children":[],"payload":{"lines":"599,600"}},{"content":"<a href=\"https://www.dc414.org/wp-content/uploads/2011/01/242.pdf\">Harmony security Reflective DLL injection</a>","children":[],"payload":{"lines":"600,601"}},{"content":"<a href=\"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-malware-hollow-processes/\">Analyzing Malware Hollow process</a>","children":[],"payload":{"lines":"601,602"}},{"content":"<a href=\"https://cysinfo.com/detecting-deceptive-hollowing-techniques/\">Detecting deceptive hollowing techniques</a>","children":[],"payload":{"lines":"602,603"}},{"content":"<a href=\"https://github.com/kslgroup/threadmap/blob/master/threadmap%20documentation.pdf\">Threadmap</a>","children":[],"payload":{"lines":"603,604"}},{"content":"<a href=\"https://insinuator.net/2021/12/release-of-pte-analysis-plugins-for-volatility-3/\">PTEMalfind</a>","children":[],"payload":{"lines":"604,605"}},{"content":"<a href=\"https://github.com/JLospinoso/gargoyle\">Gargoyle memory scanning evasion technique</a>","children":[],"payload":{"lines":"605,606"}},{"content":"<a href=\"http://github.com/forrest-orr/moneta\">Moneta Github</a>","children":[],"payload":{"lines":"606,607"}},{"content":"<a href=\"https://github.com/hasherezade/hollows_hunter\">Hollow Hunter</a>","children":[],"payload":{"lines":"607,608"}},{"content":"<a href=\"https://www.dc414.org/wp-content/uploads/2011/01/242.pdf\">Harmony security Reflective DLL injection</a>","children":[],"payload":{"lines":"608,609"}}],"payload":{"lines":"585,586"}}],"payload":{"lines":"494,495"}}]},{"colorFreezeLevel":2,"initialExpandLevel":2})</script>
</body>
</html>