Wednesday, December 02, 2015


NTFS Tools
A while back, David and his cohorts released NTFS TriForce, a great tool that allowed you to correlate several NTFS data sources...the MFT, $LogFile, and the USN change journal, using various data elements as "pivot points" to join tables within the database.  The folks over at StrozFriedberg came out with their own version of a similar tool called NTFS-Linker.
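To make the "pivot point" idea concrete, here is an added illustration (my own example, not code or schema from NTFS TriForce or NTFS-Linker): a handful of constructed MFT and USN change journal records are joined on the NTFS file reference, i.e. the (MFT entry, sequence number) pair, and each USN event gets its full path rebuilt by walking parent references through the MFT. The sequence number matters: a USN record whose sequence no longer matches the MFT entry refers to an earlier file that occupied that entry, which is how deleted and reused entries show up in the correlation.

```python
from collections import namedtuple

# Constructed, simplified records; these are not TriForce's or NTFS-Linker's schemas.
# An NTFS file reference is the MFT entry number plus a sequence number that is
# incremented each time the entry is reused, so (entry, seq) is the natural pivot point.
MftRecord = namedtuple("MftRecord", "entry seq parent_entry parent_seq name in_use")
UsnRecord = namedtuple("UsnRecord", "usn entry seq parent_entry parent_seq name reason")

ROOT = 5  # MFT entry 5 is the volume root directory; its parent is itself

MFT = [
    MftRecord(5, 5, 5, 5, ".", True),
    MftRecord(40, 1, 5, 5, "Users", True),
    MftRecord(41, 1, 40, 1, "bob", True),
    MftRecord(42, 1, 41, 1, "Downloads", True),
    MftRecord(100, 2, 42, 1, "invoice.pdf.exe", True),  # entry 100 reused: now seq 2
    MftRecord(101, 1, 42, 1, "notes.txt", False),        # deleted; record not yet overwritten
]

USN = [
    UsnRecord(1000, 100, 1, 42, 1, "setup_tmp.bin", "FILE_CREATE"),
    UsnRecord(1010, 100, 1, 42, 1, "setup_tmp.bin", "FILE_DELETE|CLOSE"),
    UsnRecord(1020, 100, 2, 42, 1, "invoice.pdf.exe", "FILE_CREATE"),
    UsnRecord(1030, 101, 1, 42, 1, "notes.txt", "FILE_DELETE|CLOSE"),
    UsnRecord(1040, 200, 1, 99, 3, "orphan.dll", "FILE_CREATE"),  # parent unknown to the MFT
]


def build_mft_index(mft):
    """Index MFT records by the pivot key (entry, seq)."""
    return {(r.entry, r.seq): r for r in mft}


def resolve_dir(index, entry, seq):
    """Resolve a directory's full path by walking parent references up to the root.
    Returns None when a parent reference matches no MFT record (an unmatched sequence
    number means the entry was reused and the original parent is gone)."""
    parts = []
    cur = (entry, seq)
    seen = set()
    while cur != (ROOT, ROOT):
        if cur in seen:          # corrupt or looping parent chain
            return None
        seen.add(cur)
        rec = index.get(cur)
        if rec is None:
            return None
        parts.append(rec.name)
        cur = (rec.parent_entry, rec.parent_seq)
    return "\\" + "\\".join(reversed(parts))


def correlate(mft, usn):
    """Join each USN event to the MFT on (entry, seq) and classify the result."""
    index = build_mft_index(mft)
    out = []
    for u in usn:
        mft_rec = index.get((u.entry, u.seq))
        parent = resolve_dir(index, u.parent_entry, u.parent_seq)
        if mft_rec is None:
            status = "no MFT record (entry reused or never recovered)"
        elif not mft_rec.in_use:
            status = "MFT record deleted"
        elif mft_rec.name != u.name:
            status = f"renamed since (MFT name: {mft_rec.name})"
        else:
            status = "live"
        full = f"{parent}\\{u.name}" if parent else None
        out.append({"usn": u.usn, "path": full, "reason": u.reason, "status": status})
    return out


if __name__ == "__main__":
    for row in correlate(MFT, USN):
        print(f"{row['usn']:>6}  {row['reason']:<20} {str(row['path']):<45} {row['status']}")
```

Real tooling pulls the same three fields out of the $MFT, $LogFile and $UsnJrnl:$J parsers and stores them in tables; the join key and the parent walk are the same as above, only at a much larger scale.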

Program Execution
Not 'new' (this one is from earlier this year), but Chad recommended that if you're looking for artifacts of program execution, you should consider taking a look at SuperFetch artifacts.  This is another artifact to add to the category, given information such as can be found here.

The folks over at CodeReversing have an interesting post on "Stealth Techniques: Hiding Files in the Registry".  This is not new...about 15 years ago, I developed a proof of concept tool that downloaded an executable file that had been renamed as a *.gif file, and parsed up the file into discrete sections, putting those sections in the Registry.  The second half of the PoC re-assembled the file in the Recycle Bin and launched the executable.
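From the responder's side, the question is how you would spot a payload parked in the Registry. The following is an added example of my own (not code from the CodeReversing post or from the PoC described above) that scans a list of extracted registry values for three signs: a value whose data carries a PE header, an unusually large binary value (with a Shannon entropy check, since packed or encrypted data runs close to 8 bits per byte), and numbered sibling values in one key that only form a PE image once concatenated in order. The values, the key paths, the thresholds and the fake PE image are all constructed for the demonstration.

```python
import math
import random
import re
from collections import defaultdict

LARGE_VALUE_BYTES = 4096   # constructed threshold; ordinary configuration data is far smaller
HIGH_ENTROPY = 7.0         # bits per byte; packed/encrypted data approaches 8.0
CHUNK_NAME = re.compile(r"^(?P<stem>.*?)(?P<idx>\d+)$")   # e.g. part0, part1, ...


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty/uniform data)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_pe(data):
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_registry_values(values):
    """values: iterable of (key_path, value_name, data bytes). Returns (key, name, finding) tuples."""
    findings = []
    by_key = defaultdict(list)
    for key, name, data in values:
        by_key[key].append((name, data))
        if looks_like_pe(data):
            findings.append((key, name, "PE header in value data"))
        elif len(data) >= LARGE_VALUE_BYTES:
            what = "large binary value"
            if shannon_entropy(data) >= HIGH_ENTROPY:
                what += ", high entropy"
            findings.append((key, name, what))
    # Reassemble numbered sibling values in index order and re-check the result, which
    # catches an image split into chunks that individually fail both tests above.
    for key, items in by_key.items():
        groups = defaultdict(list)
        for name, data in items:
            m = CHUNK_NAME.match(name)
            if m:
                groups[m.group("stem")].append((int(m.group("idx")), data))
        for stem, chunks in groups.items():
            if len(chunks) < 2:
                continue
            joined = b"".join(d for _, d in sorted(chunks))
            if looks_like_pe(joined):
                findings.append((key, f"{stem}<N> x{len(chunks)}",
                                 "PE header after reassembling chunks"))
    return findings


def _fake_pe(total=0x200):
    """Constructed stand-in for a PE image: MZ header, e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)            # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    body = bytearray(total - 0x40)
    body[0x80 - 0x40:0x80 - 0x40 + 4] = b"PE\x00\x00"
    return bytes(hdr + body)


SAMPLE_PE = _fake_pe()
_rng = random.Random(7)
SAMPLE_VALUES = [  # constructed; key paths and names are illustrative only
    (r"HKLM\SOFTWARE\Vendor\App", "InstallDir", b"C:\\Program Files\\App\x00"),
    (r"HKLM\SOFTWARE\Vendor\App", "Blob", SAMPLE_PE),
    (r"HKLM\SOFTWARE\Vendor\App", "Config", bytes(_rng.getrandbits(8) for _ in range(8192))),
    (r"HKCU\SOFTWARE\Example\Cache", "part0", SAMPLE_PE[:0x30]),
    (r"HKCU\SOFTWARE\Example\Cache", "part1", SAMPLE_PE[0x30:0x100]),
    (r"HKCU\SOFTWARE\Example\Cache", "part2", SAMPLE_PE[0x100:]),
    (r"HKCU\SOFTWARE\Example\Cache", "Version", b"1.0\x00"),
]

if __name__ == "__main__":
    for key, name, what in scan_registry_values(SAMPLE_VALUES):
        print(f"{key}\\{name}: {what}")
```

Feeding it real data means walking hive files with a registry parser (RegRipper's Perl plugins do exactly that) and yielding the binary values; the entropy and size thresholds are starting points to tune against a known-clean baseline, since some legitimate software does store sizeable binary blobs.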

Don't get me wrong...just because something isn't new doesn't mean that it's not relevant.  I see that in pretty much every targeted threat response engagement that I'm involved in, either directly or peripherally...the adversary or intruder uses some technique that is really very simple, so much so that it's overlooked; the Sleeper Agent blog post is a great example of that.

Reminder: The OFFICIAL (re: only) location of RegRipper is GitHub.  Do not send me emails about the Google Code site, or about the Wordpress page.

I caught something in the archives for one of the mailing lists I access...someone had reached out to the list about the plugin, saying that it wasn't working for them.  Well, I hadn't touched that plugin since I wrote it, and it was intended for Windows XP and 2003 systems, due to the fact that those were the only systems on which I had documentation.

Well, someone responded with a link to a PDF document that illustrates how to parse the audit configuration for Vista+ systems.  I renamed the current plugin to, and updated the plugin to work for Windows 7 and 10 systems ONLY, because I don't have data from other systems available for testing.

Again, the new plugin has only been tested against Windows 7 and Windows 10 systems, and only one Security hive from each platform.  What it does is allow you to see the effective audit policy on the system, or the equivalent of running:

auditpol /get /category:*
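The plugin reads the Security hive offline; on a live system the equivalent data comes from the auditpol command above. As an added example (my own code, not the RegRipper plugin), here is a parser for that command's output, together with a check of the effective policy against a small, constructed baseline of subcategories a responder usually wants enabled. The output text is constructed to match the layout auditpol prints (a title line, a column header, unindented category names, two-space-indented subcategories, and a setting of "No Auditing", "Success", "Failure" or "Success and Failure"); the baseline is illustrative, not a recommendation for any particular environment.

```python
import re

# Constructed sample modelled on the layout of `auditpol /get /category:*`.
SAMPLE_AUDITPOL_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Special Logon                           No Auditing
Object Access
  File System                             No Auditing
  Registry                                Failure
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
"""

# Setting text -> (audit success, audit failure)
SETTINGS = {
    "No Auditing": (False, False),
    "Success": (True, False),
    "Failure": (False, True),
    "Success and Failure": (True, True),
}


def parse_auditpol(text):
    """Return {category: {subcategory: (success, failure)}} from auditpol's text output."""
    policy = {}
    category = None
    for raw in text.splitlines():
        if (not raw.strip() or raw.startswith("System audit policy")
                or raw.startswith("Category/Subcategory")):
            continue
        if not raw.startswith("  "):            # unindented line: a category name
            category = raw.strip()
            policy[category] = {}
            continue
        # Subcategory line: name and setting separated by a run of two or more spaces
        name, setting = re.split(r"\s{2,}", raw.strip(), maxsplit=1)
        if setting not in SETTINGS:
            raise ValueError(f"unexpected setting {setting!r} for {name!r}")
        if category is None:
            raise ValueError(f"subcategory {name!r} appears before any category")
        policy[category][name] = SETTINGS[setting]
    return policy


# Constructed baseline: the minimum (success, failure) each listed subcategory should have.
BASELINE = {
    ("Logon/Logoff", "Logon"): (True, True),
    ("Logon/Logoff", "Special Logon"): (True, False),
    ("Detailed Tracking", "Process Creation"): (True, False),
    ("System", "Security System Extension"): (True, False),
}


def audit_gaps(policy, baseline=BASELINE):
    """List (category, subcategory, missing) for baseline entries the policy does not meet;
    a subcategory absent from the output counts as No Auditing."""
    gaps = []
    for (cat, sub), (need_s, need_f) in baseline.items():
        have_s, have_f = policy.get(cat, {}).get(sub, (False, False))
        missing = [w for w, need, have in (("success", need_s, have_s),
                                           ("failure", need_f, have_f)) if need and not have]
        if missing:
            gaps.append((cat, sub, "+".join(missing)))
    return gaps


if __name__ == "__main__":
    for cat, sub, missing in audit_gaps(parse_auditpol(SAMPLE_AUDITPOL_OUTPUT)):
        print(f"{cat} / {sub}: {missing} auditing not enabled")
```

Pointing the parser at the saved output of a triage script gives you the same "effective policy" view the plugin produces from the hive, which is handy for confirming whether the event log you are about to rely on could ever have recorded the activity you are looking for.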

Both plugins are in the GitHub repository; however, again, I do not maintain the RegRipper profiles, so as plugins are added to the repository, I am not updating the profiles to remain current based on the available plugins.

On Sharing
I'm a huge proponent for sharing; sharing information or intel, even just engaging and asking questions.  I recently came across this article on sharing that just sort of reinforced my thoughts on the subject.
