
I would like to welcome to the BSides Tel Aviv stage an actual rock star, Yossi Sassi. Yossi brought Nir Sias, so you'll see: the rock star Nir got his pilot license at age 23 and now he has a skydiving license, so he can take the plane up in the air and then jump and bail out if it doesn't go his way. So Yossi's been with us at BSides Tel Aviv a few years. Cheers, Yossi. Cheers, Nir. I really want you to enjoy this session, everybody; this is a treat, it's a yummy yummy presentation, it's things that make you go hmm. Let's go, give it up for them!

Yeah, cheers Karen, thank you. Hello everybody, good afternoon BSides Tel Aviv. So good to be here for the third time, and my fourth talk at BSides Tel Aviv, in my opinion the best cyber community event in Israel. Along with me, Nir, and today we're gonna talk to you about some forensic artifacts that make you go hmm, wow. So, a bit about forensic artifacts: well, they're quite different than the ones you would expect Goldilocks to leave for the three bears, right? I mean, she did a fairly good job; she didn't evade and bypass too much, she left a lot of clues on the way. But what we're gonna talk to you about today, and especially share insights and code (with emphasis on code and free tools) today with you, which will be released to GitHub straight after, is some unique artifacts. You might know some of them, but essentially we took the time, from our experience in the field, and bound them up together so you can get things that you don't find today in the toolsets that are currently available online.

A few words about myself. Yeah, you'll see I've been with the keyboards for a while, with code and everything in between. Around two decades ago I worked for Microsoft and coded tools in Windows Server, but since then I've been doing mainly independent work. I was also fortunate enough to be part of Javelin Networks, with ex-Israeli Air Force people and a guy from 9900, which we sold to Symantec in 2018, doing deception around Active Directory, and we're doing a lot of assessments; essentially just enjoying myself with computers for a while. And I'll hand over to Nir.

So, hello everybody. I have the honor to share a stage with Yossi; usually I'm on the other side of the crowd. So who am I, in a short description: security researcher, the head of offensive professional services at 10root, with Yossi. Like I was introduced, I'm a licensed pilot, so I can fly a plane, but I can also jump from a plane, not particularly in that order and not particularly together. I'm a former officer in the IDF and a GCFA forensic analyst from SANS; it's one of my certificates that is most relevant for today's talk.

So let's dive in. First of all, I want to put the building-block terms for you, to understand DFIR and threat hunting. DF, digital forensics: so let's paint a picture. We are at a bank robbery. If the robber has already left the bank, okay, we are the police, we got to the scene, so we are talking DF, right, digital forensics. We need to understand what happened; it's already finished and we need to understand what happened at the scene. If we are getting to the robbery while the robber is still inside, we have hostages, we have everything happening, the activity is still taking place: this is incident response. We are giving a response to a live event. Now, in the digital world it's a little bit harder to say when it's digital forensics and when it's incident response; that's why we usually combine them together. When we're talking about threat hunting, we're talking about a proactive forensics approach, where we're trying to find evidence of a breach before anything even happens, okay? It's something that every organization needs to do: to search actively in its network to try and find some evidence of a breach.

Now, in digital forensics we have two basic approaches: the live approach and the dead approach. The live approach is basically everything that is live while the computer is still on; the dead approach, everything that lies in the NTFS. So the dead approach is NTFS, the live approach equals RAM. Here we're going to just show a little tool, KAPE, Kroll Artifact Parser and Extractor. This tool takes both of the approaches together, and it has the modules which are responsible for the live approach; you will see ARP cache, autoruns, DNS cache, everything that, if we turn off the computer, will be lost. And the dead approach basically lets us take a terabyte of disk down to only the two gigs that matter.
The two gigs with forensic value. In the end, a super timeline can be produced from the NTFS drive, colored and everything. Here you can see a tool from Eric Zimmerman, Timeline Explorer, which basically takes everything from web history, the registry hives, event logs, everything you can find. Now, this picture, our picture, is from a real incident where we were able to reconstruct the screen of an attacker after he left the station, a week back, okay? So we were able to reconstruct what he actually did in an RDP session: you can see he approaches SQL Pro backups, you can see the user he was using. Now, how did we do that? Bitmap caching. So I don't know if you noticed, but when you are initiating an RDP session, the General tab has all the where-you-want-to-connect, who you're going to connect with, but the Experience tab has this little check, persistent bitmap caching. You can see that when it's checked, and by default it's checked, you get a lot of cache files: a cache file for each RDP session that logs your screen into small bitmap pictures, 64 by 64. Now, this is cool evidence, but it's very hard to go, in an event where you have thousands of computers, and understand what happened, and you'll see how hard it is to construct these 64s and try to attach them into a screen. It takes some time. Yeah, you'll need a function or two, but still.

So for that reason we thought about what would happen if we made something that makes this process a little bit automated. So we made a tool that, first of all, collects the RDP caches from the entire network, all the domain computers, "just give us the RDP cache". After that we take it and parse it: we extract the bitmap, 64 by 64, images out of it, we format it and scan it with an OCR mechanism, just extracting the text out of all the pictures. Then we take this text and cross it with IOCs, indicators of compromise. So let's say we have some station (so you can see the logs collected from other computers), let's say we have a station where mimikatz was run, okay, a mimikatz executable was clicked. Maybe they passed all the antivirus, all the EDR, XDR solutions, but this text from the screen is still in the logs, okay? So we made a little tool. You can see me right now playing the attacker side, connecting with bitmap caching checked by default, connecting to a remote station using the user annette. While I started the connection, you can see the cache file is created. I'm going to take a malicious tool, a malicious tool that we all agree upon, mimikatz, and I'm going to run this mimikatz with elevated privileges; it doesn't really matter, I can run it however I want. Now, while everything is on the screen, all this text is going to be recorded into the BMC files, okay? So I'm going to make it as short as I can, just open mimikatz and close it, but you will see that even a short period of time where the executable was live... okay, so now I'm running mimikatz, so you can see the mimikatz strings on the screen. So even for a short period of time, while this screen was recorded to the cache, we'll be able to construct evidence. So I finished my malicious intentions, closed everything, and you can see 24 megabytes of cache files created on one of the stations in the domain.

Now let's move to our tool. Our tool, first of all, collects, then parses the BMC, the bin file, then searches for the IOCs. The IOCs are defined in this text file, okay: the IOC, what the IOC is equivalent to, and the clients that we are going to run upon. So imagine we put all the clients in the domain, put our indicators of compromise and let it run. While it runs, basically, like we said, it collects all the evidence from all the computers; the BMC and bin files become small, tiny BMP pictures; for these tiny pictures, then, you can see the text extracted from all the pictures; you can also see some of the collages. Yeah, we try to construct it into a screen. It's very hard to see it when you are actually examining thousands of computers, but when using this tool it's simply easy. So client01 was found with IOCs: for the user annette, "mimikatz" and "gentilkiwi" were found, so we have traces of mimikatz. Client02 was found to be clean. And that's about it.

That's pretty cool integration, right? It's the collection, parsing of the files, making the collage so the OCR tool can work properly on them, OCRing them according to IOCs that you can determine; you can feed it with any type of strings that you want.
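The IOC-matching step of the bitmap-cache hunter just described, as an added example (this is not the speakers' tool and is not taken from their repository). OCR of 64x64 screen fragments is noisy, so instead of an exact substring search the matcher folds common OCR confusions (0/o, 1/l/i, 2/z) on both the text and the IOC and then allows a small edit distance. The client names, OCR text and IOC list are constructed sample data; all function names are mine.

```python
"""IOC matching over OCR text recovered from RDP bitmap-cache tiles.

OCR of 64x64 screen fragments is noisy ("m1mikatz", "gentiIkiwi"), so an
exact substring search misses hits. This matcher normalizes common OCR
confusions on both sides and then tolerates a small edit distance.
"""
import re

# Constructed sample OCR output per client (not real data): what the hunter
# would produce after collaging the tiles and running OCR on them.
SAMPLE_OCR_TEXT = {
    "client01": (
        "Administrator: Command Prompt\n"
        "C:\\Users\\annette\\Desktop> mimikat2.exe\n"
        "  .#####.   m1mikatz 2.2.0 (x64)\n"
        "Benjamin DELPY 'gentiIkiwi' ( benjamin@gentilkiwi.com )\n"
    ),
    "client02": "Windows PowerShell\nPS C:\\Users\\bob> Get-Process\n",
}

# IOC string -> what a hit means (same idea as the hunter's IOC text file).
SAMPLE_IOCS = {
    "mimikatz": "credential theft tool on screen",
    "gentilkiwi": "mimikatz banner / author string",
    "sekurlsa": "mimikatz module invoked",
}

# Glyphs OCR routinely confuses; each class is folded to one representative.
OCR_CONFUSIONS = str.maketrans({"0": "o", "1": "l", "i": "l", "2": "z", "5": "s", "8": "b"})


def normalize(text):
    """Lower-case, keep only letters/digits, then fold OCR confusions."""
    return re.sub(r"[^a-z0-9]", "", text.lower()).translate(OCR_CONFUSIONS)


def approx_substring_distance(pattern, text):
    """Smallest edit distance between `pattern` and any substring of `text`
    (Sellers' algorithm: Levenshtein where the match may start and end
    anywhere in `text`). Returns len(pattern) when nothing resembles it."""
    m = len(pattern)
    prev = list(range(m + 1))      # cost column against the empty text prefix
    best = prev[m]
    for ch in text:
        cur = [0] * (m + 1)        # row 0 is free: a match may begin at this position
        for i in range(1, m + 1):
            cost = 0 if pattern[i - 1] == ch else 1
            cur[i] = min(prev[i - 1] + cost,   # substitute / match
                         prev[i] + 1,          # skip a text character
                         cur[i - 1] + 1)       # skip a pattern character
        best = min(best, cur[m])
        prev = cur
    return best


def allowed_edits(ioc):
    """Tolerance grows with IOC length so short strings stay exact-match."""
    return len(normalize(ioc)) // 6


def scan_clients(ocr_text, iocs):
    """Return {client: {ioc: (meaning, distance)}} for every IOC found within
    its allowed edit distance in that client's OCR text."""
    findings = {}
    for client, text in ocr_text.items():
        norm_text = normalize(text)
        hits = {}
        for ioc, meaning in iocs.items():
            d = approx_substring_distance(normalize(ioc), norm_text)
            if d <= allowed_edits(ioc):
                hits[ioc] = (meaning, d)
        findings[client] = hits
    return findings


def report(findings):
    """One line per client, in the style of the hunter's summary output."""
    lines = []
    for client, hits in sorted(findings.items()):
        if hits:
            detail = ", ".join(f"{ioc} (edits={d})" for ioc, (_, d) in hits.items())
            lines.append(f"{client}: found with IOCs {detail}")
        else:
            lines.append(f"{client}: clean")
    return lines


if __name__ == "__main__":
    for line in report(scan_clients(SAMPLE_OCR_TEXT, SAMPLE_IOCS)):
        print(line)
```

The tolerance is deliberately tied to IOC length: a six-character IOC stays an exact match, while "gentilkiwi" may differ by one glyph, which keeps short strings from matching random screen text.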
And actually understanding those forensics. Many thanks to Autumn Lipovic and Doramit, who were also part of this research with us. Thank you. Yeah, so a special thanks to them is also in our Git repository. You will get the Git, everything on Git. Everything on it, yeah.

Okay, so the second artifact I want to examine with you is the prefetch. Prefetch is really the 101 of every forensic artifact, right? That's how we get what was executed on our station. So, Windows prefetch, first introduced in Windows XP, okay; since Windows XP it has had some evolution, but it's basically like every artifact in Windows: it's not meant to track your moves on the operating system, but just to speed up and make things more efficient. So the prefetch tries to make a portable executable that loads to memory more efficient. The prefetch can give us the eight last times of execution; so if you execute some executable a couple of times, we'll get the eight last execution times, we'll get the first execution, the last execution, the path from where this file was executed; if it's a keylogger, for say, let's take it to the malicious part, we'll even get maybe the file where the keylogger logs your typing, your keyboard typing. So this is prefetch.

Prefetch has had a little bit of evolution, like I said. From Windows XP to Windows 8.1 it was, let's say, uncompressed, or just in its natural form: SCCA was the header, hex 53 43 43 41. In Windows 10, Xpress Huffman gets into the scene: we compress all the prefetch files, so we make it a little bit harder; they are no longer in clear text in memory, whether it's the RAM or the NTFS, and now the header is MAM, 4D 41 4D 04. So every time you click on an executable a prefetch is made. The second time you click on the same executable, the first prefetch goes to unallocated space on the NTFS and the second prefetch takes its place, with all the data it had and everything, and you keep going and every prefetch just goes and is left in memory. So if an executable runs at least twice, a .pf file will float in the NTFS unallocated data.

We take these assumptions and we want to demonstrate it. So first of all, run mimikatz once, run mimikatz twice, that's all. Now we're going to use SDelete, SDelete from Sysinternals, to run over the memory; it's not just deleting the link to the file, but actually running over it. We ran over the memory 10 times in this scenario, to extremely emphasize the fact that it's no longer in memory. Now we take a tool called FTK Imager to load our NTFS, to see all the hidden files and all the files that exist. So, opening, and you can see the unallocated data space. Now, just traveling and clicking on one random one, you can see the MAM header. So this is a compressed prefetch in memory, in unallocated space, something we already removed when we executed another file. Now we will just take them and export them to the file system.

We are concentrating here on the small ones, because they are more likely to be prefetches; also, they are the ones that are less... So we're just taking them; we don't know which one of them is going to be our prefetch, our destined prefetch, the mimikatz prefetch, but one of them, if I didn't lie to you earlier, should be. The size is a good enough indication, anyway. So yeah, the size is a good enough indication, and this is a PoC; we will talk a little bit about what we saw. So here I'm just trying some PowerShell to make the extension of the files I extracted .pf, because it's necessary to run PECmd, again a tool by Eric Zimmerman, that lets us just check a directory and it will parse it for us. So if it's not a prefetch it will not parse it; if it's a prefetch, it will decompress it and parse it and give us the answers. And you can see that we had 73 files, and voilà: the first one was mimikatz. You see the run count is one, okay? It makes sense, right? The first run was the same in the Windows prefetch; the second one was moved to the unallocated space and took its place. Okay, and that's a little bit about it.

That's very cool, and that's something. Thank you very much. And keep in mind that, while in Volatility, for example, and in other cool frameworks, you can get it from memory, from RAM, you don't have an option to do it on disk, right? And in this way we managed, by matching the right hex addresses, to just fetch that quite easily, living off the land, most importantly. Thanks so much, Nir.
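The carving step described above (find the MAM or SCCA header in exported unallocated space, export the hit, rename it to .pf so PECmd can parse it), written out as an added example; this is not the speakers' PoC. It relies on the header layout the talk mentions: a Windows 10 compressed prefetch begins with `MAM\x04` followed by a little-endian 32-bit decompressed size, and an uncompressed prefetch carries its format version at offset 0, `SCCA` at offset 4, its file size at offset 12 and the executable name at offset 16. The 4 MiB size bound is my own sanity check, not a format rule, and the sample blob is constructed; decompression is left to PECmd.

```python
"""Carve Windows prefetch headers out of raw bytes, e.g. unallocated clusters
exported with FTK Imager, so each hit can be saved as a .pf file for PECmd.

Header facts relied on: a Windows 10 compressed prefetch starts with
MAM\x04 (4D 41 4D 04) followed by a little-endian uint32 decompressed size;
an uncompressed prefetch (XP through 8.1, or Win10 after decompression) has
its format version at offset 0, "SCCA" (53 43 43 41) at offset 4, the file
size at offset 12 and a 60-byte UTF-16 executable name at offset 16.
"""
import os
import struct

MAM_MAGIC = b"MAM\x04"
SCCA_MAGIC = b"SCCA"
MAX_PF_SIZE = 4 * 1024 * 1024   # sanity bound for size fields (my assumption, not a format rule)
VERSIONS = {17: "Windows XP", 23: "Windows Vista/7", 26: "Windows 8.1", 30: "Windows 10"}


def carve_prefetch_candidates(blob, max_size=MAX_PF_SIZE):
    """Return candidate records (dicts with offset, kind, size, data, ...)
    for every plausible prefetch header found in `blob`."""
    found = []
    pos = 0
    while True:
        i_mam = blob.find(MAM_MAGIC, pos)
        i_scca = blob.find(SCCA_MAGIC, pos + 4)   # signature sits at record start + 4
        hits = [i for i in (i_mam, i_scca) if i != -1]
        if not hits:
            return found
        idx = min(hits)
        pos = idx + 1                              # resume after this signature either way
        if idx == i_mam:
            start = idx
            if start + 8 > len(blob):
                continue
            size = struct.unpack_from("<I", blob, start + 4)[0]   # decompressed size
            rec = {"offset": start, "kind": "compressed", "size": size}
            # The header carries no compressed length; Xpress output is never
            # larger than its input, so 8 + decompressed size bounds the carve.
            end = start + 8 + size
        else:
            start = idx - 4
            if start + 76 > len(blob):
                continue
            version = struct.unpack_from("<I", blob, start)[0]
            size = struct.unpack_from("<I", blob, start + 12)[0]
            name = blob[start + 16:start + 76].decode("utf-16-le", "replace").split("\x00")[0]
            rec = {"offset": start, "kind": "uncompressed", "size": size,
                   "version": version, "os": VERSIONS.get(version, "unknown"), "name": name}
            end = start + size
        if not 0 < size <= max_size:               # decoy or corrupted header: skip it
            continue
        rec["data"] = blob[start:end]
        rec["truncated"] = end > len(blob)
        found.append(rec)


def write_candidates(found, outdir):
    """Save each candidate as carved_<offset>.pf so PECmd can parse the whole
    directory; PECmd itself rejects anything that is not really a prefetch."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for rec in found:
        path = os.path.join(outdir, f"carved_{rec['offset']:010x}.pf")
        with open(path, "wb") as fh:
            fh.write(rec["data"])
        paths.append(path)
    return paths


def build_sample_blob():
    """Constructed test data (no real disk image): filler, one compressed-style
    header, one decoy with an absurd size field, one uncompressed header."""
    filler = bytes(range(256)) * 8                 # contains neither magic sequence
    compressed = MAM_MAGIC + struct.pack("<I", 96) + b"\x11" * 90
    decoy = MAM_MAGIC + struct.pack("<I", 0xFFFFFFFF) + b"\x22" * 16
    uncompressed = (struct.pack("<I", 26) + SCCA_MAGIC + struct.pack("<I", 0x11)
                    + struct.pack("<I", 128)
                    + "MIMIKATZ.EXE".encode("utf-16-le").ljust(60, b"\x00")
                    + b"\x00" * 52)                # pad to the declared 128 bytes
    return filler + compressed + filler + decoy + filler + uncompressed + filler


if __name__ == "__main__":
    for rec in carve_prefetch_candidates(build_sample_blob()):
        print(rec["offset"], rec["kind"], rec["size"], rec.get("name", ""))
```

On a real export, point `carve_prefetch_candidates` at the bytes of the unallocated-space file and hand `write_candidates`' output directory to PECmd; the compressed carves will include some trailing slack because the header does not say where the Xpress stream ends, which PECmd tolerates.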
So, moving on to other interesting forensic artifacts, let's speak about Active Directory. Really something I've spent two and a half decades with, this technology, and it still keeps amazing me, and everyone, all of us around here, from Zerologon on through PrintNightmare, etc. And Active Directory is something very hard to put your hands around and fully grasp. It's a huge attack surface, it's exposed by design, and really there's a lack of knowledge and deep understanding of the multiple technologies related there, right: LDAP, DNS, Kerberos, WMI, RPC, DCOM, SAMR, ADSI, all the AD interfaces, ADWS; I'm not even warming up. So Active Directory forensics can be quite tricky. First of all, it's popular in Microsoft Windows networks like TCP is in the world of networking. It's a perfect target: central authentication, access control management, all the authorization of the network, and it is exposed by design, in a '90s kind of design, especially before cloud, before virtualization, before a lot of vectors were abused and exploited as they are: a lot of misconfigurations, excessive permissions, tools like BloodHound and the like that know how to exploit those vectors and those graphs. And essentially, when we come to an event, we want to try to understand who did what and when: to build the timeline around the entities, meaning identities, user accounts and computer accounts, and to understand reconnaissance, lateral movement and all types of credential theft, and to see if there are backdoors left in the AD infrastructure.

So one source of knowledge can be, of course, logs, especially all types of, not only files, but ETW, Event Tracing for Windows, all kinds of event logs. But many of those events are not turned on by default, and even if they are, in events like ransomware and others, they can be wiped; we see a lot of these event logs being wiped. You can also take the approach of a sensor, right, to essentially get a pickup, to sniff the packets on the domain controllers, and some commercial companies actually do that. But it is still very, very challenging to understand what happened in the environment once it's compromised. We tend to go for a built-in artifact called the replication metadata and linked values. So this property, the replication property metadata, exists on each and every object in Active Directory, right, and this actually saves the replication information that was exchanged between domain controllers, and it saves it on the objects, so it sits directly in the NTDS.dit, the AD database file, the physical file, in the snapshot or system state backup, and it has nothing to do with the logs. Also, anything that happens, communication-wise, will be saved to this DIT. So wouldn't it be nice if we had a tool that can actually look back in time even if we have no domain controller online, all our domain controllers got their security logs wiped, or they got ransomed and we just have a backup, let's say, like in the Maersk incident, where they just got a backup from one DC in Africa, and from that we have to reconstruct the network, but we still want the forensic evidence? That would be nice, right? But there was no such tool until today.

So what we're going to do in this scenario: I'm not going to show you code, I'm just going to go through the scenarios, but we are going to share the code with you afterwards on GitHub. So we're going to search for interesting strings in your Active Directory, which I suggest you do right after this talk; you might be surprised. Then we're going to find some renamed accounts, suspiciously named sAMAccountNames. Then we're going to discover all the logs were wiped and we don't really have a SIEM, or we lack the right artifacts in the right logs, or the SIEM is not collecting them, and then we have the AD replication metadata to the rescue, with an automated script that is shared online.

So we're going to begin to hunt for that user annette, which we saw in the bitmap cache hunter, the BMC cache hunter, and we're just going to query it from AD. But oops, we don't have a username annette. That's weird, because we have other tacit forensic evidence from the computer, from the RDP cache, that we had that user. So first of all, I encourage you, if you didn't do so already, to enable the AD Recycle Bin. I don't know if all of you are aware of it, but for a while now, around a decade, we've had a feature that can keep deleted objects and reanimate them when we want. The first script that we'll share with you is a script that, essentially, very simply searches for any string you want in the entire Active Directory object tree. So this looks for a match everywhere, in all the properties of all the objects in the entire tree, recursively. So for example this, you know, "...9210" string ("90210" from Beverly Hills): this is a FILETIME, a password-last-set attribute. If we look, for example, for the word "password" (try to do it at home on your network), you'll see some benign results like password replication policy, or perhaps maybe a LAPS-enabled computer, from the Local Administrator Password Solution, etc. But on the way we find something interesting about a password reset by username annette, and that happened in June; that's not too long ago, right? So something is fishy here. If we want to just separate this specific finding, using the same script, we're just gonna search for annette and show the match details. So there you go; that's some evidence that maybe something was renamed, annette, there.

So we're going to look for renamed users. What this script does is it looks for specific events where the sAMAccountName was renamed. This is quite an unusual step, right? If you know a bit, and you're managing networks, you know renaming the user logon name is essentially not something that happens every day, only when you change the prefix, etc. And we see the user annette: the previous sAMAccountName was annette, but now it's called jnd, essentially Jane Doe. And so we're gonna look, and for example in this case we find also in the logs, we can see the user annette got renamed to jnd. So now we know we have to hunt for the current entity named jnd inside the Active Directory replication metadata. So this simple script, again, living off the land: no dependencies, no special permissions, you can run it from any machine, it doesn't require any specific special module, we run it directly with the native APIs. You can see all the changes that happened to this user since it was created, since its birth, essentially. So you can see it was created back in 2016, you can see the password was reset, you can see the assignment of the different sAMAccountType, you can see it got populated with some attributes. Essentially we see it was an automated script, because you see the timestamp: everything happened at the same timestamp; essentially a human cannot change the company name, department, etc. But more interestingly, the last evidence we see, sorted by last originating change time: it was a privileged user. adminCount 1 means that this user was in the past, or still is, a member of a privileged user group in Active Directory, Account Operators. And we also see it has a sIDHistory populated, usually... but you see the RID, the relative ID, is 500. It has a sIDHistory, perhaps for migration, maybe legitimate, but that's something that should have been cleaned after the AD migration took place, and 500 is always suspicious.

So now we're going to run a different tool, and this tool, Get-ADGroupChanges, essentially yet another open source PowerShell tool, we're going to query the group membership changes for this user jnd. And when we query the changes, we're gonna see exactly when this action occurred in time, and pay attention: this happens regardless of your logs, you don't need to collect anything, right, this is directly from the raw NTDS.dit file in Active Directory. So we can see it was a member of Backup Operators for two hours, which is suspicious enough: it was added and removed, the last action was "removed", and we can see exactly on what date it happened, and this can help us tie down the timeline of the attack. Now we're gonna output to a grid all the membership changes, additions, removals, of Domain Admins, right? So in this group, quite an interesting and known group, we see there is a user named terry. Now, this user, the last action, last change that happened to him in this group: it was removed. But we can see that the member's adminCount attribute was reset. Now that's peculiar, because... and the last change happened 145 days ago. So if a sysadmin did that as a maintenance thing, whatever, that's okay; but if nobody in the IT department knows about that, and it was removed, that means you don't have evidence about that in the log: the user was a member of a privileged group, it was removed, and the attribute that indicates it was a privileged user was maliciously removed just before getting it out of the machine. So we're going to query terry again, and we see exactly this evidence also directly from the tool, from the command line.

So in this case, until now, we created live data; we're just querying an online DC, a domain controller that answers our requests, and we get all this metadata back from the replication metadata. But what we're going to do now is, essentially, we're going to move to a Windows 10 machine; we're going to work offline. So until now we worked with the live domain, right, you see the distinguished name of the domain we've worked at, and we have a local logon server, blah blah blah. We go out of the VM, we work on a Windows 10 machine, right, this is an offline machine, there you go. And what we're going to do is use the same tool, Get-ADGroupChanges, to query an offline database file. So either you take it from a system state backup or a snapshot in ntdsutil; all we need is the NTDS.dit, right, the .dit file, the NTDS Directory Information Tree, and now we're gonna query this file offline. This is very useful because you can use this offline backup either when you need to query the information for forensic evidence outside of the customer premises, or maybe the network is down, maybe you cannot access those domain controllers, that's another scenario, or maybe all the domain controllers got wiped, and while the other team is focusing on DR, on recovery, you can do forensics. And as you can see, we're specifying the parameters: the switch for using an offline AD backup, giving it the location. From our standalone workstation we can query that. You can see what the tool does: it essentially loads the database in memory as an LDAP server, looking for an available port, and now we're querying, essentially, a running instance, a live instance of your AD server, in an offline environment, and querying all this forensic data directly from this offline environment.

We're gonna dive a bit more and look; in this case, for example, we're gonna use the existing offline DB instance for performance, and we're going to take out a report of all group membership data. Essentially what we're going to get is all the changes, removals, privileged users or not, that were done in this domain since its creation. So everything that happened in this domain. Whether you have some tools that do that, or do that partially, etc., now you have this free tool that does all this for you, so you can run it just to monitor changes in your environment, or, God forbid, if you have to do it during an incident response or an investigation. Open source PowerShell, no dependencies, you don't have to install any module, we worked quite hard on that; no special permissions, right, you just query it in LDAP and this data is available read-only; or if you're offline, we made sure that the instance, by default, is created for admins only; we removed the token so you can query it from a normal user. And this grid, living off the land, so you can just filter it and you get any results you want by any name you know, any username, any machine, whatsoever. And that's just up on GitHub as we speak. Thank you. Always fun.
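The membership timeline that Get-ADGroupChanges builds from linked-value replication metadata, reconstructed in Python as an added example; this is not the speakers' script. It assumes you have already retrieved the constructed attribute msDS-ReplValueMetaData of the groups of interest over LDAP (from a live DC or from an offline NTDS.dit mounted as an LDAP instance); each value is one XML document per link, with ftimeCreated, ftimeDeleted (FILETIME zero, 1601-01-01, meaning never removed) and dwVersion. The group and user DNs, timestamps and USNs below are constructed to resemble what a DC returns, and the function names are mine.

```python
"""Rebuild a group-membership timeline from Active Directory linked-value
replication metadata: the constructed attribute msDS-ReplValueMetaData that
a DC exposes over LDAP for a group's "member" attribute. No event logs are
involved; the evidence comes from the directory (or an offline NTDS.dit).
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NEVER_TEXT = "1601-01-01T00:00:00Z"                  # FILETIME zero: link never deleted
NEVER = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _sample_value(member_dn, created, deleted, version, usn):
    """Build one constructed msDS-ReplValueMetaData document (sample data
    shaped like a DC's answer; DNs, times and USNs are invented)."""
    last_change = created if deleted == NEVER_TEXT else deleted
    return (
        "<DS_REPL_VALUE_META_DATA>"
        "<pszAttributeName>member</pszAttributeName>"
        f"<pszObjectDn>{member_dn}</pszObjectDn>"
        "<cbData>0</cbData><pbData></pbData>"
        f"<ftimeDeleted>{deleted}</ftimeDeleted>"
        f"<ftimeCreated>{created}</ftimeCreated>"
        f"<dwVersion>{version}</dwVersion>"
        f"<ftimeLastOriginatingChange>{last_change}</ftimeLastOriginatingChange>"
        "<uuidLastOriginatingDsaInvocationID>0c2f5b1e-0000-4000-8000-000000000001"
        "</uuidLastOriginatingDsaInvocationID>"
        f"<usnOriginatingChange>{usn}</usnOriginatingChange>"
        f"<usnLocalChange>{usn}</usnLocalChange>"
        "<pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC01,CN=Servers,"
        "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
        "</pszLastOriginatingDsaDN>"
        "</DS_REPL_VALUE_META_DATA>"
    )


# Constructed: the values an LDAP search for msDS-ReplValueMetaData returns
# for two groups (Backup Operators and Domain Admins).
SAMPLE_GROUPS = {
    "CN=Backup Operators,CN=Builtin,DC=corp,DC=example": [
        _sample_value("CN=jnd,OU=Staff,DC=corp,DC=example",
                      "2021-06-14T10:02:17Z", "2021-06-14T12:05:40Z", 2, 4101),
    ],
    "CN=Domain Admins,CN=Users,DC=corp,DC=example": [
        _sample_value("CN=terry,OU=IT,DC=corp,DC=example",
                      "2020-09-01T08:00:00Z", "2021-01-20T09:30:00Z", 2, 3877),
        _sample_value("CN=Administrator,CN=Users,DC=corp,DC=example",
                      "2016-03-10T09:00:00Z", NEVER_TEXT, 1, 12),
    ],
}


def _ftime(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_value_metadata(group_dn, xml_values):
    """Turn the XML values for one group into link records for "member"."""
    records = []
    for xml_text in xml_values:
        root = ET.fromstring(xml_text)
        if root.findtext("pszAttributeName") != "member":
            continue
        deleted = _ftime(root.findtext("ftimeDeleted"))
        records.append({
            "group": group_dn,
            "member": root.findtext("pszObjectDn"),
            "added": _ftime(root.findtext("ftimeCreated")),
            "removed": None if deleted == NEVER else deleted,
            "version": int(root.findtext("dwVersion")),   # link-state transitions so far
            "usn": int(root.findtext("usnOriginatingChange")),
            "origin_dsa": root.findtext("pszLastOriginatingDsaDN"),
        })
    return records


def load_groups(groups):
    records = []
    for group_dn, values in groups.items():
        records.extend(parse_value_metadata(group_dn, values))
    return records


def membership_timeline(records):
    """Chronological (time, action, group, member) events, from the link data alone."""
    events = []
    for r in records:
        events.append((r["added"], "added", r["group"], r["member"]))
        if r["removed"]:
            events.append((r["removed"], "removed", r["group"], r["member"]))
    return sorted(events)


def short_lived_memberships(records, max_hours=24):
    """Links removed within max_hours of creation: the 'two hours in Backup
    Operators' pattern that no wiped event log can hide."""
    return [r for r in records
            if r["removed"] and (r["removed"] - r["added"]).total_seconds() <= max_hours * 3600]


def changes_for(records, member_dn):
    """All link records, current or removed, for one account."""
    return [r for r in records if r["member"] == member_dn]


if __name__ == "__main__":
    recs = load_groups(SAMPLE_GROUPS)
    for when, action, group, member in membership_timeline(recs):
        print(when.isoformat(), action, member, "->", group)
    for r in short_lived_memberships(recs):
        hours = (r["removed"] - r["added"]).total_seconds() / 3600
        print(f"SHORT-LIVED: {r['member']} in {r['group']} for {hours:.1f}h")
```

Because a removed link keeps its record (with ftimeDeleted set) until the tombstone lifetime expires, both the addition and the removal of terry from Domain Admins remain visible here even though no security event for either survived; pszLastOriginatingDsaDN additionally tells you on which DC the change originated.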
So, to sum up: a very cool world, this world of forensic artifacts, but some of those artifacts are really far from getting them out of the box; not all of them are turned on by default, and attackers can essentially wipe your logs or try to do really sophisticated stuff. Yet with some knowledge, and essentially insight and integration of sources, you can really come up with useful tools for yourself. We encourage you in this cat-and-mouse chase. I come especially, more heavily, from the offensive side, and over the years I try to help the blue team as much as I can, playing this in and out, because it's an unfair battlefield, and trying to give a fair chance to the defenders.

So try to practice a before, during and after approach, meaning: don't wait for the incident to have the tools and knowledge and mindset. Just read about it, take those tools, the ones we mentioned also in this talk; there are a bunch more that are very useful and free, driven by the community. During the event, know what to do about that, and after the event make sure, in the post-IR, that you don't leave any stones unturned, you know, any backdoors or persistence mechanisms, whether it's at the host level or at the network level. And check out our Git with the tools that we just uploaded; you won't get disappointed. You won't be seeing... cheers, thank you.