Six-Step Incident Response Process
1. Preparation
2. Identification and Scoping
3. Containment/Intelligence Development
4. Eradication/Remediation
5. Recovery
6. Lessons Learned/ Threat Intel Consumption
Preparation
Preparation ensures that the right people from the right teams are involved, understand their roles, and know what to do when an incident occurs.
Identification
An alert from a security appliance, an escalated event, or something discovered during threat hunting.
Containment
The responder must identify the initial vulnerability or exploit, how the attackers are maintaining persistence and moving laterally in the network, and how C2 is operating.
Eradication
Aims to remove the threat and restore business operations to a normal state. A full scope of the intrusion must be understood before this can take place.
Recovery
Recovery leads the enterprise back to day-to-day business operations. It is often divided into near-, mid-, and long-term changes and should result in concrete recovery changes.
Follow-up/ Lessons learned
Used to verify the incident has been mitigated and the adversary was removed. This combines additional monitoring, network sweeps, looking for new breaches, and auditing the network.
Eradication change examples
- Block malicious IP addresses
- Blackhole malicious domains
- Rebuild compromised systems
- Coordinate with cloud and service providers
- Enterprise password changes
- Implement validation
Recovery change examples
- Improve enterprise authentication model
- Enhanced network visibility
- Establish comprehensive patch management program
- Enforce change management program
- Centralized logging (SIEM)
- Enhance password portal
- Establish security awareness training program
- Network redesign
A remediation event should...
1. deny access to the environment
2. eliminate the ability for the adversary to react to the remediation
3. remove the persistence of the adversary from the environment
4. degrade the ability for the adversary to return
Remediation consists of 3 steps
1. posture for remediation (scoping the entire issue)
2. execute remediation (execute and follow removal plan)
3. implement and apply additional security controls
Critical remediation controls
1. Disconnect from the internet
2. Implement strict network segmentation (don't allow subnets to communicate with each other)
3. Block IP addresses and domains used for C2
4. Remove all infected systems
5. Restrict access to compromised accounts
6. Restrict access to compromised domain admin accounts
7. Validate that all these steps are done properly
What is digital forensics?
Digital forensics is the process used to analyze systems (host and network data) to identify compromised systems and provide guidance on necessary remediation steps.
Attack Progression/ Kill Chain steps
1. Recon - browsing sites, scans, learning internal structure
2. Deliver - SQL injection, malicious email, payload delivery
3. Exploitation - exploiting a vulnerability, social engineering, malware execution
4. Persistence - setting up backup entry points, C2 communications, reinfection via scheduled tasks, etc.
YARA rules
YARA rules are written to match patterns. These can be string based, such as looking for a word, or they can be regular expressions with wildcards and conditions.
Threat hunting detection types
1. systems with active malware
2. systems with dormant malware (not active or cleaned)
3. systems without tools or malware (living off the land)
Threat hunt type: Antivirus and signatures
detect type 1 and 2
Threat hunt type: IOCs
type 1, 2, 3
Threat hunt type: automated process anomalies
type 1
Threat hunt type: malware behavior anomalies
type 1 and 2
Threat hunt type: malware persistence
type 1 and 2
Threat hunt type: triage/ EDR artifacts and logs
type 1, 2, 3
Threat hunt type: timeline analysis
type 1, 2, 3
Threat hunt type: memory analysis
type 1
Threat hunt type: MFT and file system anomalies
type 1 and 2
Threat hunt type: anti-forensic residue
type 1 and 2
Detecting Compromised endpoints without active malware: Program execution
Look in Prefetch, ShimCache, Amcache, UserAssist, SRUM
Detecting Compromised endpoints without active malware: file opening
Look in shortcut files, jump lists, ShellBags, Prefetch, OpenSaveMRU
Detecting Compromised endpoints without active malware: file knowledge
Look in WordWheelQuery, LastVisitedMRU, shortcut files, Recycle Bin, TypedPaths
Detecting Compromised endpoints without active malware: event logs
Look in user logons, RDP usage, RunAs events, process tracking, PowerShell logs
Detecting Compromised endpoints without active malware: browser usage
Look in history, cookies, cache, session restore, typed URLs
Common Malware names
svchost.exe
iexplore.exe
explorer.exe
lsass.exe
win.exe
winlogon.exe
common malware locations
\temp folders
\appdata
\$recycle.bin
\programdata
\windows
\windows\system32
\winsxs
\system volume information
\program files and \programfiles(x86)
LOLBin
LOLBin stands for living-off-the-land binary. Attackers commonly use items like at.exe, atbroker.exe, bash.exe, bitsadmin.exe and certutil.exe.
at.exe
At.exe is a command line utility in Microsoft Windows that schedules programs and commands to run AT a specific time and date.
Deprecated but still present in XP and Win7+.
Logs are recorded in the SchedLgU.txt file.
atbroker.exe
Atbroker.exe is a native living off the land binary (LOLBAS) in the Windows operating system that executes code for a new Assistive Technology (AT).
Atbroker.exe executes code defined in the registry for a new AT. To register or modify an existing AT service entry, you must make modifications to the system registry.
bash.exe
bash.exe is a shell executable. Its main goal is to process/interpret the commands provided by the user.
bitsadmin.exe
Bitsadmin.exe, also known as BITSAdmin, is a command-line tool in Microsoft Windows that allows users to create, monitor, and manage file transfer jobs.
Create jobs: Use the bitsadmin tool to create download or upload jobs
Monitor progress: Use the bitsadmin tool to monitor the progress of jobs
List jobs: Use the command bitsadmin /list /verbose to list all BITS jobs
Transfer files: Use the bitsadmin transfer command to transfer multiple files
An attacker could use BITSAdmin to download a harmful file and create a session from the target machine to the attacker machine.
certutil.exe
Certutil.exe is a command-line program that's part of Windows Certificate Services. It can be used to:
Display certification authority (CA) configuration information
Configure Certificate Services
Back up and restore CA components
Verify certificates, key pairs, and certificate chains
CertUtil can replace PowerShell for specific tasks such as downloading a file from a remote URL and encoding and decoding a Base64 obfuscated payload.
Common Persistence Methods
autostart locations
service creation/ replacement
service failure recovery
scheduled tasks
dll hijacking
wmi eventconsumers
changes to local group policies, MS Office add-ins, or BIOS flashing
ASEP
Autostart extension points
These are autorun locations in Windows.
The most common autostart extension point locations are:
1. ntuser.dat\software\microsoft\windows\currentversion\run
2. ntuser.dat\software\microsoft\windows\currentversion\runonce
3. software\microsoft\windows\currentversion\runonce
4. software\microsoft\windows\currentversion\policies\explorer\run
5. software\microsoft\windows\currentversion\run
6. appdata\roaming\microsoft\windows\start menu\programs\startup
Windows services start values
0x02 - start automatically
0x00 - boot start of a device driver
IPRIP
RIP Listener service
"RIP IP" refers to the Routing Information Protocol (RIP), a protocol used by routers to exchange information about network routes, essentially determining the best path to reach a specific network based on the number of hops it takes to get there.
Kansa script: get-svcFail.ps1
get-svcFail.ps1 - collects failure recovery information from default ASEP modules. Looking at unusual service crashes and event logs might provide clues to an investigation.
Schtasks.exe
Schtasks.exe is a Windows tool that allows users to schedule, run, and manage tasks on a local or remote computer:
Create, delete, and change tasks: Users with administrator rights can create, delete, query, change, run, and end scheduled tasks
Schedule commands and programs: Users can schedule commands and programs to run at a specific time or periodically
Start and stop tasks: Users can start and stop tasks on demand
Display and change scheduled tasks: Users can display and change scheduled tasks
-- Activity is logged in the Task Scheduler and Security logs
DLL search order hijacking
Place a malicious file ahead of the legitimate one in the DLL search order.
An example is explorer.exe loading a malicious ntshrui.dll.
ntshrui.dll
Ntshrui.dll is a file in the Windows operating system that contains shell extensions for sharing. It's located in the System32 folder by default, but can be used as a target for malware persistence techniques:
DLL search order hijacking: An attacker can place a malicious DLL with the same name as ntshrui.dll in the C:\Windows directory. When the operating system loads DLLs for a process, it searches the current working directory first. If the malicious DLL is found, it will be loaded instead of the legitimate one.
Malware persistence: Malware can use ntshrui.dll to persist without using the Windows Registry.
phantom DLL hijacking
Find DLLs that applications attempt to load but that either don't exist or can be replaced.
An example is fxsst.dll (fax service). It exists but can be easily replaced without causing stability issues.
DLL sideloading
The WinSxS mechanism provides a new version of a legitimate DLL.
Malware examples abusing this are PlugX, NetTraveler, Sakula, and PoisonIvy.
WinSxS
WinSxS, or Windows Side-by-Side, is a system folder in Windows that stores multiple versions of system files. It's a crucial part of the Windows operating system and is located on the system partition.
WinSxS is important for system maintenance and recovery because it:
Ensures compatibility: Allows different applications to use the version of a file that they're compatible with, which helps avoid conflicts and ensures smooth operation
Stores system updates: Downloads system updates onto your system and stores them in the WinSxS folder
Saves different versions of system files: Stores different versions of system files so you can recover your system
Relative path DLL hijacking
Copy a susceptible .exe and the corresponding malicious .dll to a location of choice.
WMI
A WMI event consumer is an application or script that receives notifications from Windows Management Instrumentation (WMI) when specific events occur on a system and performs actions based on those events. It essentially acts as a listener for system changes: a program that is alerted when a certain event happens within the operating system and can then execute a predefined task in response.
WMI abuse steps:
1. Create an event filter describing a specific trigger to detect (an example is to trigger every 20 seconds).
2. An event consumer is added to the system with a script or exe to run (an example is a PS script that talks to a C2 server).
3. Filter and consumer are tied together via a binding, and the persistence mechanism is stored in the WMI repository.
Set-WmiInstance or CreateInstance
Set-WmiInstance is a Windows PowerShell cmdlet that creates or updates an instance of a Windows Management Instrumentation (WMI) class. The updated or created instance is then written to the WMI repository
Types of event consumers
ActiveScriptEventConsumer
CommandLineEventConsumer
LogfileEventConsumer
NTEventLogEventConsumer
SMTPEventConsumer
Custom
Event Consumer: ActiveScriptEventConsumer
Execute a predefined VBScript or JScript
Event Consumer: CommandLineEventConsumer
Launch an arbitrary process
In computing, an "arbitrary process" refers to a process that can be executed without any specific rules or restrictions, essentially allowing a user or system to run any code or command they choose. This often signifies a potential security vulnerability where malicious code can be injected and executed on a system, also known as "arbitrary code execution" (ACE).
Event Consumer: LogfileEventConsumer
write to a text log file
Event Consumer: NTEventLogEventConsumer
log a message to Event Log
Event Consumer: SMTPEventConsumer
Email a message via SMTP
Event Consumer: Custom
Requires a COM object
A COM object, which stands for "Component Object Model" object, is a software component within the Microsoft Windows platform that allows different applications and programs to interact with each other by exposing its functionality through well-defined interfaces.
Autorunsc.exe
Autoruns is a free Microsoft tool that identifies and lists programs that automatically start when a Windows device boots up or a user logs in:
What it shows:
Autoruns lists programs and drivers that are configured to run automatically, including those in the startup folder, Run, RunOnce, and other Registry keys. It also reports on Explorer shell extensions, toolbars, browser helper objects, and Winlogon notifications.
Different PowerShell remoting methods
1. WinRM Service Required (enabled by default on server 2012+)
2. Enter-PSSession
3. Invoke-Command ( allows one to many Executions)
WinRM Service
The WinRM service, which stands for "Windows Remote Management", is required to enable remote administration of a Windows computer. It allows users to run scripts and manage settings on a machine from another device over the network, essentially providing a way to remotely control a Windows system through tools like PowerShell.
Enter-PSSession
Enter-PSSession cmdlet allows you to establish a persistent interactive PowerShell session with a remote computer.
A type 3 (network) logon does not cache credentials.
Invoke-Command
The Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors.
Examples are IEX (New-Object Net.WebClient).DownloadString, Invoke-Mimikatz, etc.
Kansa tools modules list
get-autorunsc.ps1
get-certstore.ps1
get-FLSbodyfile.ps1
get-handle.ps1
get-procdump.ps1
get-RekalPslist.ps1
Kansa tools: get-autorunsc.ps1
Get-Autorunsc.ps1 is a PowerShell script that runs the Sysinternals Autorunsc.exe utility to gather information about Auto-Start Extension Points (ASEPs) across all user profiles
Kansa tools: get-certstore.ps1
Get-CertificateStore.ps1 is a PowerShell function that retrieves the local computer's Personal certificate store or the current user's Trusted Root Certification Authorities certificate store
Kansa tools: get-FLSbodyfile.ps1
fls lists the file and directory names in a file system.
Kansa tools: get-handle.ps1
Get-Handle.ps1 is a PowerShell cmdlet that can: Get open system handles, Filter by process and handle name, and Return open file handles found on the system.
Here are some examples of using the Get-Handle cmdlet:
Get open system handles: Get-Process Notepad | Get-Handle
Close open system handles: Get-Process Notepad | Get-Handle | Close-Handle
Kansa tools: get-RekalPslist.ps1
Memory tool to gather information from memory.
Kansa tools: get-procdump.ps1
WinPmem
A module of Rekall forensics.
WinPmem is an open-source tool that acquires a machine's volatile memory, creating a snapshot of the system's state
ProcDump
ProcDump is a command-line tool that monitors applications for CPU spikes and generates crash dumps when they occur.
This dump covers program or process crashes, application CPU spikes, and unhandled exceptions.
-- This is NOT a process list dump; it is a dump of information about a process issue and notifications --
KAPE collection options
tsource - drive letter to search in
target - the target configuration to run
tlist - list of available targets
tdest - directory where files should be copied to; this directory will be created if one doesn't exist
tVSS - find, mount, and search volume shadow copies
vhdx & vhd - create a VHDX or VHD virtual hard drive from the tdest
Credential harvesting notes
Attackers prioritize the collection of credentials almost immediately post-exploitation. They rarely have the level of access they need to move freely throughout a network.
Credential harvesting detection notes
Event logs: look for 4624 logons, 4720 account creations, 4776 local account authentication, and 4672 privileged account usage
Audit new accounts
Look for anomalous logons like workstation to workstation and connections to sensitive networks
Look for after-hours logins
Credential guard
Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials.
Credential Guard uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like pass the hash and pass the ticket.
Remote Credential Guard
Remote Credential Guard helps protect credentials over a Remote Desktop (RDP) connection by redirecting Kerberos requests back to the device that's requesting the connection. If the target device is compromised, the credentials aren't exposed because both credentials and credential derivatives are never passed over the network to the target device. Remote Credential Guard also provides single sign-on experiences for Remote Desktop sessions.
Device Guard
Device Guard is a security feature for Windows 10 and Windows 11 that protects devices from malicious code and malware
Device Guard uses virtualization-based security (VBS) and code integrity policies to restrict a device to only running trusted applications. IT can create code integrity policies to allowlist applications and extensions that can run on the device
Hashes: tools to extract clear-text passwords
tspkg, wdigest, and livessp
Actions that store creds on a target
1. PsExec with alternate creds (-username -pass)
2. Remote scheduled task (password saved as LSA secret)
3. Run as a service (with user account; password saved as LSA secret)
4. Console logon -- except when Credential Guard is enabled
5. RunAs -- except when Credential Guard is enabled
6. Remote Desktop -- except when REMOTE Credential Guard is enabled
Actions that DO NOT store creds on a target
1. net use
2. PowerShell remoting without explicit creds
3. Remote registry
Best practice defending against cred harvesting
The best way to protect hashes is not to interactively log into systems with high-privilege accounts. Hashes are only present during interactive logon sessions.
Update and use Credential Guard
Domain protected groups (e.g., Protected Users)
SeImpersonate privilege
This privilege allows tokens to be copied from processes. These tokens can then be used to authenticate as another user. To do this, the target user or service must be logged on or have running processes.
Cached Domain Credentials
Cached domain credentials are stored in the SECURITY registry hive in the Security\Cache key. Administrator or System privileges are required to access these saved hashes, which are in MSCash2 format. These hashes are encrypted.
LSA Secrets
LSA stands for Local Security Authority, and it is a component of the Windows operating system that handles security-related tasks. The LSA secrets are a set of encrypted keys that are stored in the registry, which is essentially a database that holds important settings for your computer.
These are encrypted and stored in the SECURITY hive under the registry key SECURITY\Policy\Secrets.
Nishang
A red team tool that has commands to perform certain actions. It has a whole suite of scripts and payloads to attack and gather information.
Nishang: get-LSAsecret.ps1
This command requires administrator PowerShell access. It will attempt to dump the LSA secrets. This works by setting the current process thread token to the same token currently in use by the LSASS process.
Kerberos Attacks list
pass the ticket
overpass-the-hash
Kerberoasting
golden ticket
silver ticket
skeleton key
DCsync
Kerberos Attack: pass the ticket
Pass the Ticket is a credential theft technique that enables adversaries to use stolen Kerberos tickets to authenticate to resources
Kerberos Attack: overpass-the-hash
The Overpass-the-Hash attack is a post-exploitation technique in which an attacker uses a captured NTLM hash to authenticate to a service or server.
Kerberos Attack: Kerberoasting
Kerberoasting is a post-exploitation attack technique that attempts to obtain a password hash of an Active Directory account that has a Service Principal Name ("SPN").
In such an attack, an authenticated domain user requests a Kerberos ticket for an SPN. The retrieved Kerberos ticket is encrypted with the hash of the service account password affiliated with the SPN. (An SPN is an attribute that ties a service to a user account within AD.) The adversary then works offline to crack the password hash, often using brute-force techniques.
Once the plaintext credentials of the service account are obtained, the adversary can impersonate the account owner and inherit access to any systems, assets or networks granted to the compromised account
Kerberos Attack: golden ticket
Golden Ticket attacks use a forged Kerberos Ticket Granting Ticket (TGT) to gain unrestricted access to services or resources within an Active Directory domain.
Kerberos Attack: silver ticket
A Silver Ticket Attack exploits weaknesses in Kerberos identity authentication protocol to forge ticket-granting service (TGS) tickets to a specific user.
Kerberos Attack: skeleton key
Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password
Kerberos Attack: DCsync
DCSync is a technique that uses the Windows Domain Controller's API to simulate the replication process from a remote domain controller. It uses a fake domain controller to retrieve hashes for any account logged into the DC.
Kerberos Attacks Defense list
Pass the ticket - Credential Guard / Remote Credential Guard
Overpass-the-hash - Credential Guard / Remote Credential Guard, Protected Users group
Kerberoasting - long passwords
Golden ticket - rotate tickets, protect domain accounts
Silver ticket - regular computer account password updates
Skeleton key - protect domain accounts
DCSync - protect domain accounts, limit replication rights