*This article centres around the crowned queen of the Windows kingdom: LSA (lsass.exe
), a darling among attackers for the sheer power it wields.
Shadow Copies are exactly those pieces of data that get saved on disk when the system restore option is enabled. Once triggered, these files restore the system to the previous state. It’s very useful when you are not an expert in PC and something weird is happening. However, not only ordinary people find this feature useful. Some bad guys might try to cover their tracks which can sometimes be undone with this feature.
*These are created when a user switches a folder to thumbnail mode or views pictures via a slide show. *
This is about … .
Admins would get mad very quickly if they had to physically access every machine they needed to configure or patch. Admin shares are hidden folders to be accessed remotely, typically over SMB.
To carry out nearly any action on a system, one requires an account, which is typically safeguarded by passwords or other credentials. Hence, it is crucial to understand why attackers exhibit such a strong interest in acquiring them.
This is about … .
This is about … .
This article is about credentials, the keys to the realm.
This is about … .
CMD Batch script. Highly limited in functionality and caching all sorts of crap, including credentials.
This is about … .
There are several ways to retrieve this information manually. ipconfig /displaydns Win32_DnsCache from WMI repo (use Kansa to collect and stack this data) 📘 BTFM Stacking, purely manually (no grouping):
Event Logs in Windows provide valuable insights for defenders. They can be forwarded to a central machine to monitor organisational-level activities and detect malicious behaviour effectively.
Every day, the computer loads some programs and a lot of additional crap that comes with it. Every day the same routine over and over again. Being a diligent and responsible guy, it wondered how to improve this process. So, it decides to save the most recently loaded programs and whatever dlls and stuff these programs need so that everything is ready the next time the program is run. Where is this data stored? In Prefetch.
*Memory is the best evidence, although the hardest to preserve. If you recall Frozen II, “Water has memory” - same story. Even if you delete all the evidence, memory silently remembers all that. But it’s so fragile…
Moving accounts and auth policies to the server side. Azure Active Directory is when instead of having a physical server, you have a server in the cloud ⛅️.
In days of yore, there existed a humble batch, whence emerged the WMI, and it didst hold dominion o’er the realm of Windows contraptions for a considerable span until it was entwined with the might of PowerShell.
There are two broad categories of Windows core processes. Processes that initialize system environment and those that initialize the user environment. Whatever is the category, you need to know them well in order to detect abnormal things.