From a44b5cfc3e6faee9183c3158d980793a398cbcd8 Mon Sep 17 00:00:00 2001 From: pe3zx Date: Fri, 25 May 2018 19:01:53 +0700 Subject: [PATCH] Remove cache files --- ...-your-metadata-and-protecting-pdf-files.sh | 26 --- files/dfir/beyond-good-ol-run-key.md | 1 - files/dfir/detecting-apt28.md | 6 - files/dfir/detecting-dde.md | 9 - .../windows-privileged-access-reference.md | 185 ------------------ 5 files changed, 227 deletions(-) delete mode 100644 files/anti-forensics/removing-your-metadata-and-protecting-pdf-files.sh delete mode 100644 files/dfir/beyond-good-ol-run-key.md delete mode 100644 files/dfir/detecting-apt28.md delete mode 100644 files/dfir/detecting-dde.md delete mode 100644 files/dfir/windows-privileged-access-reference.md diff --git a/files/anti-forensics/removing-your-metadata-and-protecting-pdf-files.sh b/files/anti-forensics/removing-your-metadata-and-protecting-pdf-files.sh deleted file mode 100644 index b1c592e..0000000 --- a/files/anti-forensics/removing-your-metadata-and-protecting-pdf-files.sh +++ /dev/null @@ -1,26 +0,0 @@ -strip_pdf() { - echo "Original Metadata for $1" - exiftool $1 - - echo "Removing Metadata...." - echo "" - qpdf --linearize $1 striped1-$1 - exiftool -all:all= striped1-$1 - qpdf --linearize striped1-$1 striped2-$1 - rm striped1-$1 - rm striped1-$1_original - - echo "New Metadata for striped2-$1" - exiftool striped2-$1 - echo "" - - echo "Securing striped2-$1...." - password=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 40 | head -n 1) - echo "Password will be: $password" - echo "" - qpdf --linearize --encrypt "" $password 128 --print=full --modify=none --extract=n --use-aes=y -- striped2-$1 striped-$1 - rm striped2-$1 - - echo "Final status of striped-$1" - pdfinfo striped-$1 -} \ No newline at end of file diff --git a/files/dfir/beyond-good-ol-run-key.md b/files/dfir/beyond-good-ol-run-key.md deleted file mode 100644 index a95b985..0000000 --- a/files/dfir/beyond-good-ol-run-key.md +++ /dev/null 
@@ -1 +0,0 @@ -# Beyond Good ol' Run key diff --git a/files/dfir/detecting-apt28.md b/files/dfir/detecting-apt28.md deleted file mode 100644 index 8e8a8ee..0000000 --- a/files/dfir/detecting-apt28.md +++ /dev/null @@ -1,6 +0,0 @@ -# Detecting APT 28 - -- Using Event ID 4688 with Command Line logging enabled can trigger on Word calling cscript, wscript, and PowerShell as this is NOT normal. -- A DLL is used to infect the system using a batch file to load it which runs `RunDll32`. Alerts on `RunDll32` using 4688 with Command Line logging could trigger on this behavior. -- If using Windows Firewall logging, which does NOT require using the Windows Firewall, Detecting the IPs used to communicate to the C2 server with 5156 events. -- Monitoring changes to well known AutoRun registry locations could detect this behavior using a 4657 event. An Autoruns scanner like LOG-MD can also discover these malicious changes. This payload used the following key: `HKCU\Environment\UserInitMprLogonScrip` diff --git a/files/dfir/detecting-dde.md b/files/dfir/detecting-dde.md deleted file mode 100644 index 5d870ab..0000000 --- a/files/dfir/detecting-dde.md +++ /dev/null @@ -1,9 +0,0 @@ -# Detecting DDE - -Can be done by looking for Windows Event Logs on Microsoft Office category in event 300 which should be contain alerts display that an Office application launched something. By the way, if there is no pop-up displayed during the attack, there will be no alert in logs. In this case, incident responder can catach this attack by looking for new process event which must be configure by the following command. When process auditing turned on, suspicious event can be seen in Microsoft Windows Security auditing, event 4688. - -``` -reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /f /t REG_SZ /v ProcessCreationIncludeCmdLine_Enabled=1 - -auditpol /set /Category:"Detailed Tracking" /subcategory:"Process Creation" /success:enable /failure:enable -``` 
diff --git a/files/dfir/windows-privileged-access-reference.md b/files/dfir/windows-privileged-access-reference.md deleted file mode 100644 index 463c5bc..0000000 --- a/files/dfir/windows-privileged-access-reference.md +++ /dev/null @@ -1,185 +0,0 @@ -# Windows Privileged Access Reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ConnectionmethodLogon typeReusable credentials on destinationComments
Log on at consoleInteractivevIncludes hardware remote access / lights-out cards and network KVMs.
RUNASInteractivev
RUNAS /NETWORKNewCredentialsvClones current LSA session for local access, but uses new credentials when connecting to network resources.
Remote Desktop (success)RemoteInteractivevIf the remote desktop client is configured to share local devices and resources, those may be compromised as well.
Remote Desktop (failure - logon type was denied)RemoteInteractive-By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised.
Net use * \\SERVERNetwork-
Net use * \\SERVER /u:userNetwork-
MMC snap-ins to remote computerNetwork-Example: Computer Management, Event Viewer, Device Manager, Services
PowerShell WinRMNetwork-Example: Enter-PSSession server
PowerShell WinRM with CredSSPNetworkClearTextvNew-PSSession server-Authentication Credssp-Credential cred
PsExec without explicit credsNetwork-Example: PsExec \\server cmd
PsExec with explicit credsNetwork + InteractivevPsExec \\server -u user -p pwd cmdCreates multiple logon sessions.
Remote RegistryNetwork-
Remote Desktop GatewayNetwork-Authenticating to Remote Desktop Gateway.
Scheduled taskBatchvPassword will also be saved as LSA secret on disk.
Run tools as a serviceServicevPassword will also be saved as LSA secret on disk.
Vulnerability scannersNetwork-Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk.
IIS "Basic Authentication"NetworkCleartext(IIS 6.0+)Interactive(prior to IIS 6.0)v
IIS "Integrated Windows Authentication"Network-NTLM and Kerberos Providers.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Logon type#Authenticators acceptedReusable credentials in LSA sessionExamples
Interactive (a.k.a., Logon locally)2Password, Smartcard,otherYesConsole logon;RUNAS;Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server)IIS Basic Auth (before IIS 6.0)
Network3Password,NT Hash,Kerberos ticketNo (except if delegation is enabled, then Kerberos tickets present)NET USE;RPC calls;Remote registry;IIS integrated Windows auth;SQL Windows auth;
Batch4Password (usually stored as LSA secret)YesScheduled tasks
Service5Password (usually stored as LSA secret)YesWindows services
NetworkCleartext8PasswordYesIIS Basic Auth (IIS 6.0 and newer);Windows PowerShell with CredSSP
NewCredentials9PasswordYesRUNAS /NETWORK
RemoteInteractive10Password, Smartcard,otherYesRemote Desktop (formerly known as "Terminal Services")
- -
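Review bot: in the `removing-your-metadata-and-protecting-pdf-files.sh` hunk, `strip_pdf` passes `$1` unquoted everywhere and builds its temp names by prefixing it (`striped1-$1`), so a filename with spaces breaks the `qpdf`/`rm` calls and a path with a directory component (`notes/x.pdf`) becomes `striped1-notes/x.pdf`, a directory that does not exist; use `"$1"` and derive the working names from `basename "$1"`. The function also never checks an exit status, so if the first `qpdf --linearize` fails the following `exiftool`, `qpdf` and `rm` lines run against missing files; an `|| return 1` after each tool call (or `set -e` in the caller) would stop that. `rm striped1-$1_original` exists only to clean up the backup that `exiftool` writes by default; `exiftool -overwrite_original -all:all=` avoids creating it. Two points deserve a comment in the script: the second `qpdf --linearize` is not redundant, since `exiftool` edits a PDF with an incremental update that leaves the old metadata objects recoverable until the file is rewritten; and `--encrypt "" $password 128` sets an empty user password, so anyone can open the output and `--print=full --modify=none --extract=n` are advisory flags that a viewer may ignore, while the 40-character owner password is only echoed to the terminal and never stored. If the goal is confidentiality rather than metadata stripping, a non-empty user password (and `256` with `--use-aes=y`) is needed.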
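Review bot: the `beyond-good-ol-run-key.md` hunk removes a file that contained nothing but its heading, so no content is lost there, but the commit message "Remove cache files" does not describe this patch: the other four deletions are hand-written notes and tooling, not cache artifacts. Please either say in the message that these notes are being dropped or moved, and where, or split the stub cleanup from the removal of the DFIR notes.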
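Review bot: in the `detecting-apt28.md` hunk the registry value `HKCU\Environment\UserInitMprLogonScrip` looks truncated (the value name ends in `Script`); if these notes are moved elsewhere rather than dropped, fix the name, since an analyst searching for the truncated string will not find the key. The 4657 bullet should also state its precondition: `4657` is only generated for keys that carry a SACL auditing Set Value with the Audit Registry subcategory enabled, so "monitoring changes to well known AutoRun registry locations" needs that SACL configured on each of those keys first.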
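Review bot: in the `detecting-dde.md` hunk the `reg add` command is wrong as written: `/v ProcessCreationIncludeCmdLine_Enabled=1` creates a value literally named `ProcessCreationIncludeCmdLine_Enabled=1` with empty `REG_SZ` data, which Windows ignores, so command-line logging in 4688 never turns on. The working form is `reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f` (name via `/v`, data via `/d`, type `REG_DWORD`). Worth correcting if this note survives in another location, because the `auditpol` line that follows it is correct and the pair is otherwise a usable detection recipe.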
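Review bot: the `windows-privileged-access-reference.md` hunk deletes two reference tables (connection method vs. logon type vs. whether reusable credentials land on the destination, and logon types 2/3/4/5/8/9/10 with the authenticators each accepts), and this rendering has lost their markup, so the deletion cannot be reviewed cell by cell here. The content is a curated credential-exposure reference, not a cache file; if it is being relocated, keep a single copy with the table structure intact and note its source, otherwise say in the message why the reference is being removed.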