Sunday, 28 May 2017

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting - My training experience

I got the chance to attend the SANS FOR508 training last week. A big thanks to the company I work for for letting me attend: it is an expensive course and I definitely would not have been able to pay for it on my own.

I thoroughly enjoyed the training. I had some familiarity with the tools that were discussed and with some of the forensic and incident response techniques, which I had picked up from reading books and blogs and from incidents I have responded to at work. However, I was totally blown away by what I learned in the 6 days of the training.

For me the things that stood out and made me write about it are -

  1. The trainers Nick Klein and Josh Lemon were amazing. They brought so much experience and were able to talk about how different tools and the artifacts that we look at helped them in real cases. Real world examples make a big difference (at least for me) as they help me remember the tool or the artifact. 
  2. There is a lot of emphasis on the process and methodology rather than the tool. The training discusses the different tools available to extract and examine a particular artifact, but keeps coming back to a select set of core tools that are used to their full effect throughout the course. 
  3. The challenge on the last day was really tough. For me it highlighted areas that I was strong in and areas that I need to practice more. I was good at timeline analysis and analysing the memory forensics tool output. But when it came to extracting contents, dumping files, volume shadow copies, etc., I fell short. All these were things I had read about, but I had never used the techniques until the course.
  4. The other students at the course came from different backgrounds and they all had different ways of approaching the incident. It was good to see and hear how others are approaching incidents and the different tools and techniques that they are applying.
At the end of each day of the training my head hurt from all the things covered during the day. At the end of the course, after completing the challenge (the first I have ever attempted), I am confident that I have the skills to apply a good process that will definitely help the organisation I work for currently and any other organisation I work for in the future.

Thursday, 11 May 2017

Audit Weak Passwords

To enable SSO, many organisations expose their ADFS proxy servers to the internet. These ADFS proxies can be used to brute force domain accounts. Depending on your lockout policies, this will lock out users. But what if someone tries only a few attempts per day, so that the accounts are never locked out? 

Users will choose passwords that conform with your password policy but which are easy to remember. In a recent password audit using the DSInternals PowerShell module, I found that some of the most common passwords that meet the password policy can be easily guessed. 

The standard password policy is pretty common: a minimum of 8 characters, containing at least three of the following four character classes - 
  • uppercase 
  • lowercase
  • number
  • special character
Passwords such as Winter17, Summer17, Monday01, Monday02 conform to the above policy. They are also very easy to guess. The ones I found most common are Monday##. This could be because most users start their employment on a Monday and it's easy to increment the last number whenever you next need to change the password. The other common passwords are variations of the initial password that the service desk may set. Unless the service desk uses a random password and you have a mechanism to stop such easy passwords, expect users to use them. 

Your awareness sessions may talk about passphrases or similar options to create longer passwords which are easy to remember and difficult to guess. It may help a handful of users who read the newsletter and like the idea. For the others, auditing the accounts regularly and letting users know that they are using poor passwords is the only option. 

Some things that you should do before you go down the path of password cracking - 
  • Make sure you have permission to do this activity
  • Figure out what you intend to do once you discover weak passwords - do you have a standard email template to use? 
  • Raise awareness, or ensure you have first sent out information on how to create strong passwords or turn on MFA if that is an option. It's easier to point users to this information later.
  • If you can use tools like DSInternals to crack passwords on the network then others can as well (if they have the right permissions). Can you detect when someone uses tools like these? See what events are generated on your DC when you run these tools and then make sure you have alerts whenever these events occur.
There was a specific need for the initial password audit, but seeing how common weak passwords are, I think it's prudent to do this activity regularly.
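As an added example (my code, not the post's; the word list and sample passwords are constructed), the following PowerShell shows how passwords like Monday01 or Winter17 satisfy a three-of-four complexity rule while matching a handful of predictable patterns, which is exactly what such an audit ends up finding:

```powershell
# Added example (not from the post): flag passwords that satisfy a
# "3 of 4 classes, 8+ characters" policy yet follow the predictable
# patterns described above (Season/Day/Month + digits). The word list
# and the sample passwords are constructed for illustration.
function Test-PasswordPolicy {
    param([Parameter(Mandatory)][string]$Password)
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }   # uppercase
    if ($Password -cmatch '[a-z]')        { $classes++ }   # lowercase
    if ($Password -match  '\d')           { $classes++ }   # number
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }   # special character
    return ($Password.Length -ge 8 -and $classes -ge 3)
}

function Test-PredictablePassword {
    param([Parameter(Mandatory)][string]$Password)
    # Words users reach for when forced to rotate (constructed list).
    $words = 'Spring','Summer','Autumn','Winter',
             'Monday','Tuesday','Wednesday','Thursday','Friday',
             'January','February','March','April','May','June','July',
             'August','September','October','November','December',
             'Password','Welcome'
    # word + 1-4 digits + optional trailing special character, e.g. Monday01, Winter17!
    $pattern = '^(' + ($words -join '|') + ')\d{1,4}[^A-Za-z0-9]?$'
    return [bool]($Password -imatch $pattern)
}

# Constructed samples: policy-compliant but guessable, plus a passphrase
# that the 3-of-4 rule rejects even though it is the stronger choice.
$samples = 'Winter17','Summer17','Monday01','Monday02!','Welcome1',
           'correct horse battery staple','xK9#pLm2qR'
$report = foreach ($p in $samples) {
    [pscustomobject]@{
        Password    = $p
        MeetsPolicy = Test-PasswordPolicy -Password $p
        Predictable = Test-PredictablePassword -Password $p
    }
}
$report | Format-Table -AutoSize

# The same list can feed a domain-wide DSInternals audit (cmdlet and parameter
# names as I recall them from the module's documentation; DC01 is a placeholder):
#   Get-ADReplAccount -All -Server DC01 | Test-PasswordQuality -WeakPasswords $samples
```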

Friday, 22 July 2016

Patch Management

Some learnings from a recent patching exercise:
.NET - If WSUS and SCCM do not show any patches for a .NET version that your vulnerability scanner reports as missing patches, it's probably because that .NET version is EOL.
Java - make sure you remove old versions of Java before deploying the latest version. The vulnerability scanner will keep reporting on the older versions.
Also check whether SCCM or any other patch deployment tool has both the 32-bit and the 64-bit version, in case you have a mix of these in your environment.

It is faster to use PowerShell to check the file versions that your vulnerability scanner uses to classify a machine as vulnerable. Running scans can be time consuming.
....need to upload sample powershell check for file versions...
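As an added example, and not the author's pending sample, here is a PowerShell function that reads a file's version on one or more machines via the admin share and compares it with the minimum your scanner expects, covering both Program Files locations; the relative paths and the minimum version are assumed values:

```powershell
# Added example (not the post's own script): compare a file's version on one
# or more machines with the minimum your scanner expects, looking in both the
# 64-bit and 32-bit Program Files locations. Relative paths and the minimum
# version below are assumptions; use the file and version your scanner reports.
function Get-FileVersionStatus {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$RelativePath,    # path below Program Files
        [Parameter(Mandatory)][version]$MinimumVersion
    )
    foreach ($computer in $ComputerName) {
        foreach ($rel in $RelativePath) {
            # The same product may be installed 64-bit, 32-bit, or both (admin share needs admin rights).
            $candidates = "\\$computer\c$\Program Files\$rel",
                          "\\$computer\c$\Program Files (x86)\$rel"
            foreach ($path in $candidates) {
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $raw = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
                # FileVersion may carry text after the numbers; keep only the dotted numeric prefix.
                $ver = $null
                $parsed = [version]::TryParse(($raw -replace '^\s*([\d\.]+).*$', '$1'), [ref]$ver)
                $status = if ($parsed) { $ver -lt $MinimumVersion } else { 'unknown' }
                [pscustomobject]@{
                    Computer   = $computer
                    Path       = $path
                    Version    = if ($parsed) { $ver } else { $raw }
                    Vulnerable = $status
                }
            }
        }
    }
}

# Example run with assumed values: two Java install paths, minimum version the scanner wants.
Get-FileVersionStatus -ComputerName 'localhost' `
    -RelativePath 'Java\jre1.8.0_131\bin\java.exe', 'Java\jre1.8.0_91\bin\java.exe' `
    -MinimumVersion '8.0.1310.11' | Format-Table -AutoSize
```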

Monday, 2 November 2015

Malware Analysis Script - Based on "Know your processes or die trying"

I am trying to build a script to automate the excellent work done on the sysforensics.org blog, also drawing on the "know good find evil" SANS poster.

The script can be run against a remote machine on which the user has admin privileges. I have used WMI. Save the script as a .bat file and pass it the computer name to run it against.

@echo off
:: Usage: checkprocs.bat COMPUTERNAME   (the caller needs admin rights on the target; uses WMI)
if "%~1"=="" (
    echo Usage: %~nx0 COMPUTERNAME
    exit /b 1
)
setlocal

echo ********SUSPICIOUS SMSS*******
:: smss.exe should be a child of the System process (PID 4) - anything else is suspicious
wmic /node:%1 process where 'name="smss.exe" and parentprocessid!="4"' get executablepath,processid,parentprocessid 2>nul

echo ********SUSPICIOUS WININIT*******
:: Check for wininit running with a non-zero sessionid - there should not be any!
wmic /node:%1 process where 'name="wininit.exe" and sessionid!="0"' get executablepath,processid,parentprocessid 2>nul

echo ********SUSPICIOUS SERVICES.EXE*******
:: Check for services.exe running with a non-zero sessionid - there should not be any!
wmic /node:%1 process where 'name="services.exe" and sessionid!="0"' get executablepath,processid,parentprocessid 2>nul
::wmic process where 'name="services.exe" and sessionid="0"' get executablepath,processid,parentprocessid

echo ********SUSPICIOUS SVCHOST.EXE*******
:: Check for svchost.exe not running from C:\WINDOWS\system32\svchost.exe - there should not be any!
:: (on 64-bit hosts a legitimate 32-bit copy may also appear under C:\WINDOWS\SysWOW64)
wmic /node:%1 process list full 2>nul | findstr "ExecutablePath" | findstr /i "svchost" | findstr /i /v ExecutablePath=C:\WINDOWS\system32\svchost

echo ********Is ParentProcessID of svchost same as the processid of Services.exe*******
:: The PID of services.exe is the second column of tasklist output; every svchost.exe should have it as parent
set ppid=
for /F "tokens=2" %%i in ('tasklist /S %1 /NH /FI "imagename eq services.exe"') do set ppid=%%i
if not defined ppid (
    echo Could not get the services.exe PID from %1
) else (
    wmic /node:%1 process where "ExecutablePath like '%%svchost%%' and parentprocessid!=%ppid%" get executablepath,processid,parentprocessid 2>nul
)
endlocal


I will update this as I find time to test and build upon this.

Security Awareness

I think security awareness programs can be made effective if the following options are included and the security team has the bandwidth (time and money) to execute them -

Visual Awareness

The simplest and yet very effective awareness option is to cover a single security topic each month via newsletters, posters and small articles of no more than 3-4 lines. An example would be a "Do you know" paragraph in departmental newsletters or reports.

Interactive Awareness Sessions

To make the awareness sessions interactive and engage the employees, the Security Team can utilise the following two approaches – 
Team Meeting Presentation: Attend team meetings (1-2 per year for each team) for roughly 8-10 minutes to present a security topic and hold an interactive session to raise awareness. This can be tailored to topics that teams are interested in.
Phishing Campaigns: Run phishing campaigns across different teams to see the effectiveness of the training imparted.


Computer Based Targeted Training

SANS has excellent CBTs for targeted training for different user groups. The following are from the SANS website and target different user groups -

Engineers – SANS “STH.Engineer” focuses on security behaviours for individuals who interact with, operate, or support Industrial Control Systems. This computer-based training solution provides an introduction to ICS, details types of ICS attacks, covers basic system and network defence approaches, and reviews ICS governance and policy best practices.

Developers – SANS “STH.Developer” educates everyone involved in the software development process including developers, architects, managers, testers, business owners, and partners. This reduces the chance that our organization will become a victim of today's data security threats and ensures our team can properly build defensible applications from the start.

All IT staff – SANS “End.User” training covers different aspects of security using the SANS 20 critical controls. Awareness of these controls will help all the teams, and especially the Infrastructure teams, to make security-conscious decisions.

But the most effective approach is to engage the teams in the day-to-day processes and also while resolving pentest or audit items. Instead of just asking them to fix the issues highlighted, working with the teams, explaining the impact of the issue and showing them how to check whether the issue is fixed will raise more awareness and also build ties between the security team and the other IT teams.

Thursday, 29 October 2015

Useful NMAP tips

Useful options

--open will only show results for open ports.

-iL serverIP.txt will take the IPs to scan from a file.

To check the SSL ciphers supported by a website:
nmap -sT -PN -p 443 www.domain.com --script ssl-enum-ciphers.nse
nmap --script ssl-cert,ssl-enum-ciphers -p 443 www.domain.com

Windows Malware Analysis hints

These are some of the more common directories in which malware will install itself on Microsoft Windows (multiple versions):
 %ApplicationData%\Microsoft\
 %System%\[FileName].dll
 %Program Files%\Internet Explorer\[FileName].dll
 %Program Files%\Movie Maker\[FileName].dll
 %All Users Application Data%\[FileName].dll
 %Temp%\[FileName].dll
 %System%\[FileName].tmp
 %Temp%\[FileName].tmp

Malware will attempt to hook system and user processes in order to operate behind the scenes and also to prevent the victim from quickly identifying its activity. These are the system and user processes typically affected by the malware found:
 explorer.exe
 services.exe
 svchost.exe


Here are some of the most common Registry locations where malware will install itself on a victim's computer in order to execute and propagate:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\
 HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\

BOOT PROCESS
Power – When the system is switched on, power reaches the motherboard through the SMPS.
BIOS – The BIOS present on the motherboard is activated; it does the POST check, then checks for connected devices and passes control to the relevant device (boot device) for the next stage of booting.
MBR – The MBR of the boot device gets activated and checks for any boot loaders or active partitions. If a boot loader is present, control is passed to it. Else control is passed to the active partition specified.
Active Partition BR – The boot loader of the active partition is activated when it gets control.
MS WINDOWS
NTLDR (NT Boot Loader) in the system volume is loaded and passed control.
[SYSPART:\ntldr]

NTLDR reads the ‘boot.ini’ in the C drive. If more than one OS is present, a choice is requested. Else it continues booting from the boot partition as found in the boot.ini file. [SYSPART:\boot.ini]

Then NTDETECT from the system partition is loaded, which is the device detection program.
[SYSPART:\NTDETECT.COM]

It then loads NTOSKRNL (Kernel) and HAL (Hardware Abstraction Layer) from the boot partition.
[%systemroot%\system32\ntoskrnl.exe and %systemroot%\system32\hal.dll]

Then the SYSTEM hive is loaded and all boot drivers are loaded.
[%systemroot%\system32\config\system]

After that the boot loader (NTLDR) passes control to the Kernel (NTOSKRNL).
The Kernel then loads the logo screen and initializes the sub-systems.

It then loads SMSS (Session Manager Subsystem Service) with priority 11 and passes control to it.
[%systemroot%\system32\smss.exe]

SMSS initializes the pagefile and the other registry hives.

Starts the 32-bit Windows kernel (WIN32K.SYS).
[%systemroot%\system32\win32k.sys]

Starts CSRSS (Client Server Runtime Sub System) with priority 13.
[%systemroot%\system32\csrss.exe]

Then it starts WINLOGON with priority 13 and passes control to it.
[%systemroot%\system32\winlogon.exe]

WINLOGON then starts LSASS [Local Security Authority Subsystem Service] with priority 9.
[%systemroot%\system32\lsass.exe]

WINLOGON then loads MSGINA (Graphical user Identification aNd Authentication), which presents the login screen to the user.
[%systemroot%\system32\msgina.dll]

It then loads SERVICES (Services Controller) with priority 9.
[%systemroot%\system32\services.exe]

Once the user logs in, SERVICES takes control and loads all the necessary ‘automatic’ services for that user.

https://social.technet.microsoft.com/search/en-US/feed?query=windows%20server&rn=Microsoft%20Security%20Guidance&rq=site:blogs.technet.com/b/secguide/&format=RSS

Sysinternals
Process Explorer
Pink - services
Blue - same security context as Process Explorer
Purple - image is packed (malware commonly uses packing/compression)

Process Explorer can also check for hits on VirusTotal.

Malware hides in common processes - rundll32.exe and svchost.exe.
It does this via an autostart or DLL injection.

Sigcheck - image verification: is it digitally signed?
sigcheck -e -u -s c:\
-e scan executable images only (regardless of extension)
-s recurse into subdirectories
-u only show unsigned executables

Sigcheck can also check VirusTotal for hits:
sigcheck -v -s -c c:\
-v : check the hash on VirusTotal (but does not upload the file if the hash is not present)
-c : CSV output
-vs : together submit the sample to VirusTotal
-----
If you don't have direct access to the internet, you'll need to specify a proxy. Unfortunately, it won't take IE's proxy setting; you'll need to set it via netsh:

Back up your settings:
netsh winhttp show proxy

Set the proxy:
netsh winhttp set proxy <proxyserver>:<port>

Don't forget to reset your proxy settings when you are done:
netsh winhttp reset proxy (or the appropriate command from your backup)
-----
Check all unsigned images, especially in \Windows and \Users\<user>\AppData.

Listdlls - scan running processes for unsigned DLLs
listdlls -u
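Putting the registry locations from the malware hints above together with the sigcheck idea, an added example (my code, not from the post): enumerate the Run/RunOnce autostart values under the CurrentVersion keys, resolve each command line to its image and check the Authenticode signature; the specific subkeys are my selection.

```powershell
# Added example (not from the post): enumerate the Run/RunOnce autostart
# values under the CurrentVersion keys listed in the malware hints above,
# resolve each command line to its image, and report anything that is not
# validly signed, the question sigcheck -u answers for a directory tree.
# Run locally with admin rights; the key list is my selection, not the post's.
function Resolve-ImagePath {
    # Quoted path -> take the quoted part; otherwise grow the token prefix until it names a file.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $expanded -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-AutostartSignatures {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -in $meta) { continue }          # provider bookkeeping, not a registry value
            $image = Resolve-ImagePath -CommandLine ([string]$props.$name)
            if (-not $image -or -not (Test-Path -LiteralPath $image)) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $image
            [pscustomobject]@{
                Key    = $key
                Value  = $name
                Image  = $image
                Status = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = $sig.SignerCertificate.Subject
            }
        }
    }
}

# Anything other than Valid deserves a look, especially under \Windows and \Users\<user>\AppData.
Get-AutostartSignatures | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```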




Well-Known Domain-Relative RIDs
RID  Description
500  Administrator
501  Guest
502  Krbtgt
512  Domain Admins
513  Domain Users
514  Domain Guests
515  Domain Computers
516  Domain Controllers
544  Built-In Administrators
545  Built-In Users
546  Built-In Guests

One possible use case is using the Domain Admins RID (512) to detect Domain Admins activity in a SIEM.
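An added example (my code, not from the post) of that use case: extract the RID from a SID and match it against the table above, then apply it to constructed group-change log lines the way a SIEM rule would.

```powershell
# Added example (not from the post): pull the RID off a SID, map it to the
# well-known names above, and use it to pick out privileged-group changes from
# constructed sample log lines (the kind of match a SIEM rule would make).
$WellKnownRids = @{
    500 = 'Administrator'; 501 = 'Guest'; 502 = 'Krbtgt'
    512 = 'Domain Admins'; 513 = 'Domain Users'; 514 = 'Domain Guests'
    515 = 'Domain Computers'; 516 = 'Domain Controllers'
    544 = 'Built-In Administrators'; 545 = 'Built-In Users'; 546 = 'Built-In Guests'
}

function Get-RidFromSid {
    param([Parameter(Mandatory)][string]$Sid)
    # A SID is S-1-<authority>-<subauthorities...>; the RID is the last sub-authority.
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $Sid" }
    return [int](($Sid -split '-')[-1])
}

function Resolve-WellKnownRid {
    param([Parameter(Mandatory)][string]$Sid)
    $rid = Get-RidFromSid -Sid $Sid
    if ($WellKnownRids.ContainsKey($rid)) { return $WellKnownRids[$rid] }
    return "RID $rid (not well-known)"
}

# Constructed sample lines, loosely shaped like events 4728/4732 (member added to a
# security-enabled group). Domain SID and account RIDs are made up.
$sampleEvents = @(
    'EventID=4728 Subject=CORP\jdoe   Member=S-1-5-21-1004336348-1177238915-682003330-1108 Group=S-1-5-21-1004336348-1177238915-682003330-512',
    'EventID=4728 Subject=CORP\svc_hr Member=S-1-5-21-1004336348-1177238915-682003330-2231 Group=S-1-5-21-1004336348-1177238915-682003330-513',
    'EventID=4732 Subject=CORP\jdoe   Member=S-1-5-21-1004336348-1177238915-682003330-1108 Group=S-1-5-32-544'
)

function Find-PrivilegedGroupChanges {
    # In a multi-domain forest also pin the domain SID prefix, otherwise every domain's -512 matches.
    param([string[]]$Lines, [int[]]$WatchRids = @(512, 544))
    foreach ($line in $Lines) {
        if ($line -match 'Group=(S-1-[\d-]+)') {
            $rid = Get-RidFromSid -Sid $Matches[1]
            if ($rid -in $WatchRids) {
                [pscustomobject]@{ Group = Resolve-WellKnownRid -Sid $Matches[1]; Line = $line }
            }
        }
    }
}

Find-PrivilegedGroupChanges -Lines $sampleEvents | Format-Table -AutoSize
```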