Posts

LSASS.DMP... Attacker or Admin?

When analysing a system for evidence of attacker activity, the presence of a file named LSASS.DMP should pique your interest as an investigator, as it can be an indication of credential theft and possible privilege escalation. However, if there is no other evidence of compromise on the system, or the creation timestamp of LSASS.DMP is outside of your intrusion timeline, you may be left questioning whether the dump relates to this breach, a historical breach, a red team or no breach at all. In this blog I will share an analysis technique which recently helped me ascertain with high confidence that an LSASS.DMP file was generated by an administrator and was not related to the intrusion we were investigating. What is LSASS.DMP? The Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system, such as verifying users during user logons and password changes. LSASS.DMP is a dump fi

Windows PowerShell Remoting: Host Based Investigation and Containment Techniques

In this blog post I will detail how to perform various incident response techniques using native Windows PowerShell functionality. Each method I explain can be executed remotely to allow for efficient investigation and containment of an individual host. For PowerShell response en masse, I recommend familiarising yourself with the Kansa framework. If you follow my GitHub, you may also notice that many of the techniques listed below are built into my remote PowerShell triage tool, B2Response, which allows you to perform these actions with ease. Please give it a go and provide feedback! The techniques which I will cover include: 1) Issuing a remote command/shell 2) Retrieving/downloading files 3) Checking for running processes 4) Querying registry keys 5) PCAP collection 6) Blocking a domain 7) Blocking an IP 8) Quarantining a host Prerequisites All of the techniques listed below utilise PowerShell to remotely manage computers within your IT environment. In order

Free Incident Response Management and Documentation Workbook

"Oh no! I've got a potential incident unfolding now and I'm struggling to keep track of everything. What do you use for incident documentation?" A friend posed this question to me a few days ago and my first thought was "I use TheHive". This response would have been about as useful as a wet fish to my friend, as at that point in time the last thing he had time to do was learn, deploy and configure a new incident management platform. He needed something now. He needed something without a learning curve and something which would free him up to spend valuable time actually investigating a potential incident. To help him out, I turned to the global backbone of information management... Microsoft Excel. Prior to deploying TheHive, I built and improved upon an Excel incident management and documentation workbook for a number of years. It doesn't have machine learning, AI or even security automation, so it probably isn't much good. Disregarding these shortfalls,

Implementing Security Compliance as Code in Terraform

Infrastructure as Code (IaC) tools like Terraform have enabled efficient, accountable and rapid infrastructure development and deployment in the cloud. Without the overhead of delivering, installing and maintaining hardware, the speed at which teams can build and release IT solutions brings measurable value to their organisation. Working in the security industry, we need to keep up with this rapid deployment methodology, and insert ourselves into the development pipeline to ensure architects/developers are releasing infrastructure that meets our best practices. This blog post details one way that we as security practitioners can automate compliance with technical security policy as code in Terraform. This method utilises a PowerShell script I wrote called TFCheck. If you would like to learn more about Terraform, please check out their website. How does it work? TFcheck writes the output of the Terraform show command to config.out for parsing. When TFcheck parses co

Using Forensic Artefacts for Penetration Testing

In my last post, OSCP as a Digital Forensics/Incident Response Analyst, I made the comment that DFIR and Penetration Testing skill sets are complementary. The purpose of this post is for me to investigate how digital forensic knowledge can be practically applied to a penetration test or red team activity to identify valuable data and assist in remaining undetected. Many of the artefacts discussed are not 'secret' or 'advanced' forensic artefacts. In fact, some of the artefacts discussed are incredibly common, such as Windows event logs. These artefacts, whilst common, are a record of user and system activity and can be used to reconstruct events on the system. Knowledge of these artefacts and the data they store can be valuable during forensic investigations. All techniques detailed in this article are executed through native Windows PowerShell, and do not rely on any third party forensic tools. It is worth noting that this post is about applying digital forens

OSCP as a Digital Forensic/Incident Response Analyst

As a DFIR analyst, I have predominantly worked on the responsive side of cyber security. I have been lucky enough to work for employers that support good quality training and certification - however, training for me has usually been geared towards forensics and incident response in line with my role. With the desire of expanding my offensive knowledge and experience, I decided to take the Penetration Testing with Kali course - a lab based penetration testing course. I initially purchased 2 months of access. Whilst I had read that it is a difficult course (depending on experience), I did not comprehend the learning curve, fun and frustration of what I had signed up for... Part of this ignorance was derived from the fact that I could not find a write-up of someone with similar experience attempting the OSCP. So here we are. Experience/Education I completed an undergraduate degree in Cyber Forensics and Networking (double major), following which I have worked in cyber security/DFIR for

Touch Screen Lexicon Forensics (TextHarvester/WaitList.dat)

By Barnaby Skeggs Preamble Since the release of Windows 8, and the ‘Metro’ interface, touch screen input has been implemented in a rapidly rising number of Windows devices including Microsoft Surface Pro/Book, 2-in-1s, convertible laptops and tablets. Microsoft has catered for this trend, implementing conversion between touch/pen handwriting to computer text in software such as OneNote. In this paper I will detail my research into the forensic artefact ‘Waitlist.dat’, which I believe to be associated with this functionality. I identified the ‘WaitList.dat’ artefact while investigating a Windows 8.1 PC for the presence of a known email. I was provided with a copy of this email, and part of the investigation involved identifying whether or not this email ever existed on the custodian’s computer. After processing the .PST and .OST mailbox archives on the PC, I did not identify the existence of the email. I then processed shadow copies, carved and processed for various mailbox stores