Category: Windows

Don’t Forget about Domain Trusts

I recently was talking to an organization about their security posture and mostly everything I recommended to them, they had already implemented and plus some. The audits I conducted for them seconded what they were saying. I must say, I was thoroughly impressed. There was, however, one gray area that stood out to me and that was Domain Trusts. In their eyes, they didn’t have any but the Domain Controller displayed otherwise.

I’m sure everyone knows how to check via the GUI but did you also know it can be done through PowerShell? If not, let’s proceed.

From within a Domain Controller of a system with Remote System Administration Tools (RSAT) installed, we can utilize the Active Directory module which contains the Get-AdTrust cmdlet. For us to view Trusts, we can do the following:

From the above, we see the trust is with the Multiverse domain. We can also see that the direction is bi-directional, meaning it is a Two-Way Trust. It is also non-transitive, noted by the numerical one listed in the Trust Attributes property.

We can also get this same information using WMI, which we will use on the same server. To do so, we can do the following:

A simple script for this can be found at HERE.

From the above, we see the Trust Attributes property again along with a Trusted Domain property, which depicts the name of the domain we have a trust with. In addition, we see the Trust Direction property with a value of three, which depicts two-way.

For future reference, the meanings for each available value in Trusted Attributes and Trusted Direction are below.

Getting hashes with Microsoft’s File Checksum Integrity Verifier (FCIV)

Are you responding to an incident? Are you trying to hash particular portions of the disk for comparison with a known good hashes? Are you questioning whether or not to trust the binaries on the possibly compromised system disk in order to get said hashes? Well have no fear, Microsoft has a portable program called File Checksum Integrity Verifier (FCIV) that can help and it can be downloaded here. Since it comes from Microsoft, it will by signed by them as well.

The portable program can be executed from a CD\DVD, flash drive, or network share. With it, we can get MD5 and\or SHA1 hashes files on a system by either printing them to screen or outputting them to another file or database. With this in mind, we can feel better about our capture source and method and easily save the day! We can accomplish this using the below.

Recursively capturing hashes from a specified directory.


Mass Import of McAfee Firewall Domains to block

As of late, I’ve been experimenting more and more with the McAfee HIPS Firewall with the McAfee ePO. So far, I think it is decent. It is at least stateful, so that’s a plus. The firewall has a feature to block domains and using the GUI, you can only add them one at a time. There is an option to import them but that would require us to have it in a readable format the McAfee could understand. Thinking outside the box, I decided to put an entry in the firewall and export that policy in order to get a feel for the structure. Once I did that, I was able to take a list of domains from, change some formatting in their file, and fit it into the McAfee format. The result is a perfectly formatted firewall policy ready to import. The workhorse of it all, PowerShell!

In my testing from testing with, I imported over 14000 entries and while McAfee HIPS took it, I don’t think it can handle that much as the server became incredibly slow. Nonetheless, you could now take my script, make some minor adjustments and use it with your malware domain listing of choice. Since we are on the subject, below are a few other sites that are good sources as well.

The code, by the way, is on my github at

Sinkhole Domains Using DNS with the help of PowerShell

Thanks to Jason Fossen, there was no need to create a PowerShell script to input domains to sink. He had already created one called Sinkhole-DNS.ps1 (located here). One of the options in the script is to read in a file with domains listed. I like to frequent for my listing of bad domains and wanted to use that to feed it into the PowerShell script so I fired up ISE and begin knocking out some code. In the end, I developed a script located here that will download from, uncompress it and take only the domain names out, and output them to a file. The file can then be used with the Sinkhole-DNS.ps1 script to import the domains into DNS. The syntax for this is shown below.

Blocking DNS Tunneling at the Host

There was a time where there was an alarming rate at which malware would use some unique port that wasn’t used by other services. The port was usually some ephemeral port. These days though, it is being seen more and more of malware using ports commonly open outbound on a system such as 22, 25, 53, 80, and 443. The one that we will focus on is 53, which is registered for DNS, and blocking it from an attack commonly known as DNS tunneling.

It is best to think through what systems are needed to be contacted for DNS services. Once you have that in mind, we can begin blocking any other DNS traffic that might be malicious. We will do this with the Windows Firewall.

Configuring the way to block port 53 traffic to a specific IP address and to every IP address except for one can be found HERE.

Understand the DNS traffic can be routed through another port. Unfortunately, the Windows Firewall won’t be able to help with that detection.

Analyzing Various Memory Capture Formats

In a world where there are so many choices for capturing memory and analyzing it, I felt there would be some benefit in compiling a list for quick reference.

FTK Imager
– Outputs to .mem
– Can be analyzed in Volatility –f –profile=

VMWare (.vmem)
– .vmem and .vmsm are created when a VM is suspended
– Can be analyzed with Volatility (.vmem and .vmsm have to be in the same directory) –f –profile=

– Outputs to .raw
– Can be analyzed in Volatility –f –profile=

Hibernation file (hiberfile.sys)
– The File is created when a system is put into hibernation mode
– Located at the root of the C:\
– The file needs to be converted before using. It can be converted to .img using Volatility imagecopy –f hiberfile.sys –O –profile=
– After conversion to .img, it can be analyzed in Redline or Volatility –profile=

Mandiant Memoryze
– Outputs to .img
– Can be analyzed in Redline or Volatility –profile=

Crash Dumps
– Extension will be .dmp
– Will be written to C:\Windows\Minidump or C:\Windows by default
– Dumps can be forced to happen by adding the value called namedCrashOnCtrlScroll with a REG_DWORD value of 0x01 at HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\kbdhid\Parameters. After rebooting the machine, hold down the rightmost CTRL key and press the SCROLL LOCK key twice
– Can be analyzed with Volatility –profile= – Can be analyzed in Redline but must be converted to .img first imagecopy –f –O –profile=

Application Whitelisting with Applocker

If you are a part of defending an infrastructure, then you know defense-in-depth is the name of the game. The more detection systems that can be employed to detect anomalies or malicious actions, the better chance you stand to have a safe network. One of many ways to aid in this endeavor is application whitelisting. While there are many different types of application whitelisting, I’d like to focus on the Windows Applocker.

Applocker does have some cons. For starters, the feature is available in Win7 and Server 2008R2 and up. Applocker is limited to Windows 7 Enterprise and Ultimate along with Server 2008R2 clients. For XP and Vista, you can use Software Restriction Policy to provide some defense but not as much as what Applocker would provide.

To configure it, you need to go to Administrative Tools and open up Group Policy Management console on your Domain Controller. Once you are there, right click on the Default Domain Policy and click Edit to open Group Policy Management Editor. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. You should see the below screen. Take note to the options available on the right pane after click on Applocker and those shown below in the left pane.


The first thing we want to do is setup the rule enforcements by clicking on “Configure Rule Enforcement” in the middle of the right pane. From there we have the option of audit only (logging) or enforcing when a rule of that category is triggered.

The next thing we need to do is add the rules, which are the options under Applocker in the left pane. Below is a quick breakdown of those categories.

Executable Rules: This will contain the rules which apply to executable files.
Windows Installer Rules : This will contain the rules which apply for the windows installer packages with .msi and .msp extensions.
Script Rules : This will contain rules which apply to scripts files with .ps1, .cmd, .vbs, .bat, .js extensions.

Now that we have Applocker configured, we need to turn on the Application Identity service across the domain, in order to do that we will create a GPO. The path to said GPO is Computer Configuration > Windows Settings > Security Settings > System Services> Application Identity.

Extracting Data with Bulk Extractor

When it comes to forensics, styles and methodologies may vary from person to person (or organization). Some methods take longer than others and results may vary. One tool/ technique that I lean to time and time again is using Bulk Extractor. Bulk Extractor is a program that enables you to extract key information from digital media. Its usage is valuable no matter the type of case you may be working. A list of the type of information it can extract is depicted on their webpage at

There is a Windows and Linux variant of the program both capable of running from the command line or GUI. It is 4-8 times faster than other tools like EnCase or FTK due to its multi-threading. The program is capable of handling image files, raw devices, or directories. After it completes, it outputs its findings to an .xml file, which can be read back into Bulk Extractor for analysis. The output will look similar to below.


The scanners that you selected to run against your image file have will out to a report in the reports column. Not all scanners generate their own report as they may bucket the information that they find with another report. The chart above can help you determine where a scanner will output. Also, when a selected scanner doesn’t return any suitable data, you will not see a report for it. When you do select a report, it will output its findings to the middle column. From there you can type in strings to search for our just scroll down to view the data. If you want to go further into it data, just click on one of the findings in the middle column and more output will appear in the image column all the way to the right. The image column by default will display the text and the location of the data in the image file. There is an option though to change the image output from text to hex.


Analyzing Memory in the Wonderful World of Redline

Redline is one of a few memory capture/analyzer programs that I keep in my toolkit. How it works is that the software needs to only be installed on the system that you will be analyzing the data on and from there, you would configure the options you want to include grabbing a copy of live memory and save the custom script from Redline. With said script in hand, you would then run it on the system from which memory will be captured. The output will be saved to the location from where the script ran from. With the output data in hand, you would then take it back to you analyst system and import the data into Redline.

Upon importing the data, you will be presented with a few options to aid you in your investigation and after that, you will be presented with a gui of said data. Redline will also provide an MRI (Malware Risk Index) score based on a multiple factors and if it considers it to be bad or very suspicious, it will have a red circle next to it as seen below.


Redline has the ability to analyze memory captures for Memoryze and other captures in the format of .img. I have tried other memory capture formats with 50/50 results.

Another Layer of Defense… Microsoft Baseline Security Analyzer (MBSA)

Once installed, you can use the program via the GUI or command line. If utilizing the GUI, it is very straightforward as there are only three options available (scan a computer, scan multiple computers, and view existing security reports).

At the conclusion of a scan, a report will be produced at which time you will be presented with an overall assessment and a breakdown of each category analyzed. The score is broken down into four categories, which are depicted below.

• Green checkmark — check passed
• Yellow exclamation — check failed – (non-critical)
• Red “X” — check failed (critical)
• Blue “I” — additional information

An additional benefit is that the program depicts what was scanned, the result details, and how to fix the program. While MBSA shouldn’t be the only defense a user has on their system, it should definitely be in their arsenal.

When a scan is performed, the program reaches out to the Internet to get the latest information, in order to accurately depict the state of the system. There may be cases where an Internet connection is not feasible and in that case, you can use MBSA offline. The offline assessment would then only be able to provide the information it knows about as of the last time it scanned and had Internet access. The use MBSA offline yet still have updated information, you can air-gap a few files over to the system doing the scanning. The files needed to do an offline assessment are

• Security update catalog (, available from the Microsoft website:
• Windows Update Redistribution Catalog (wu at
• Authorization catalog ( for Windows Update site access, available from the Microsoft website or by examining the contents of the file at
• Windows Update Agent standalone installers (if not already installed). The latest versions are available by examining the contents of the file at


Search Exchange 2010 Mailboxes

NOTE: The user you run the script with must have the “Discovery Management” RBAC Role.

This script will search all mailboxes for email with attachments named “document1” and “document2” regardless of the file extension. The script will then copy the email message to the “admin.mailbox” mailbox in a folder called “Search_07102014”. Once the script is complete open “admin.mailbox” in Outlook and you’ll see the “Search_11242015” folder under the Inbox containing all the results.

This modification will search for all “.doc” and “.pdf” files and copy them to the same mailbox and folder.

To search for keywords use this modification.

Under the Wire v2

I just posted v2 of Under to Wire which contains an additional 5 levels to Century. V2 can be found at the link on the right-hand side of the screen or here.

This release will be the last one containing Century and the next variation that the team and I will be working on will be called Cyborg. It will still have the same feel as Century but will be focused primarily on Active Directory, DNS, DHCP and few other random areas that will total somewhere around 20 to 25 levels (like Century).

I hope you enjoy the additional 5 levels of Century and stay tuned for the release of Cyborg within Under the Wire.

Traffic Generators

These tools will generate traffic and transmit it, retransmit traffic from a capture file, perhaps with changes, or permit you to edit traffic in a capture file and retransmit it.

• Bit-Twist includes bittwist, to retransmit traffic from a capture file, and bittwiste, to edit a capture file and write the result to another file (GPL, BSD/Linux/OSX/Windows)

• Cat Karat is an easy packet generation tool that allows to build custom packets for firewall or target testing and has integrated scripting ability for automated testing. (Windows)

• D-ITG (Distributed Internet Traffic Generator) is a platform capable to produce traffic at packet level accurately replicating appropriate stochastic processes for both IDT (Inter Departure Time) and PS (Packet Size) random variables (exponential, uniform, cauchy, normal, pareto, …).

• epb (ethernet package bombardier) is a simple CLI tool for generating/converting ethernet packets from plain text/pcap/netmon/snoop files. (BSD like, Linux/Unix)

• Mausezahn is a free fast traffic generator written in C which allows you to send nearly every possible and impossible packet.


PowerShell Web Server for Raw Text Transmission

This script will create a temporary web server on the local system and will listen on the host IP and specified port. You will then be able to post some raw data that will be accessible on the network. When running the script you will be asked what port to listen on and what raw data to post. This script does not supporting the posting of files or folders.

The raw data can be accessed one of three ways.

Option 1: PowerShell — Using the below syntax to view it on the screen. It will be in
the raw content section.
Invoke-WebRequest http://<IP_Address>:<port>/default

Option 2: PowerShell — Using the below syntax to save the data to a local file
Invoke-WebRequest http://:/default -OutFile downloaded_data.txt

Option 2: Internet browser — Using the below syntax to view it in the browser

This PowerShell script can be found in my script repo on the right-hand side of the screen.

PowerShell Web Server for File Transmission

This script will deploy a temporary web server on the local system and will listen on the port of your choice. Once it is listening, you will be able to transfer .txt and .html files from the directory in which the script is ran from (not located). The web server will continue to run as long as the script is running.

To execute, run the script and when prompted, input a port to listen on. To access the system and the data in the directory that the script ran from, use the below syntax from another system.

Invoke-WebRequest http:/:/file_in_dir.txt -OutFile downloaded_data.txt

Example: “Invoke-WebRequest http:/ -OutFile passwords.txt”

This PowerShell script can be found in my script repo on the right-hand side of the screen.

PowerShell Network Connection Monitor Script

This script displays the current TCP/IP connections for a local or remote system to include the PID, process name, port, and its current running state (listening, established, etc..). If the port is not yet established, the port number is shown as an asterisk (*). It will also take the initial output and save it to old_state.txt and then sleep for a period of time of your choosing before running again and outputting to new_state.txt. It will then compare the two files and print the output to the screen. Both files will be saved to the directory in which the script was ran from (not located). It will continue to do this process until the script is stopped.

This PowerShell script can be found in my script repo on the right-hand side of the screen.

Disconnect… Making the Internet Safer and More Private One Connection at a Time

Have you ever been browsing the web for a good or service and notice that a totally unrelated site suggests the very same or similar items you were previously searching for? What about browsing the web and it taking forever to load a page? Did you know that some websites not only see what you are doing, but also where your physical location is? What about that some ads contain malware? If you are like most people, you may have answered no to all or some of those questions but now that you know, now what? Well the open-source Disconnect plug-in available in Google Chrome and Mozilla Firefox could help you tremendously in stopping the aforementioned from occurring. Disconnect prides itself on making the Internet safe and private while increasing browsing speeds.

So how does it work? Well, after installation, a Disconnect icon will be visible in your toolbar. Clicking on it will bring up the menu as shown below.



Detecting Alternate Data Streams with PowerShell and DOS

Alternate Data Streams (ADS) are nothing new and there are a few ways to detect them within a NTFS filesystem. My tools of choice for detecting an ADS is LADS (List Alternate Data Streams) by Frank Heyne or SysInternals’ Streams… both of which work rather well. My issue though is that I, much like the customer, normally wants to limit and lessen the amount of external tools that are added to any of their systems. Resident to Microsoft Windows, we have a way to do some detection using one of two ways but one provides a little more capability than the other. Let’s check them both out.

The DOS way depicted below will recursively search a directory (/s), search for ADS (/s), and then look at the string “:DATA”.

The PowerShell way is depicted below. Be advised that the cmdlet used below goes back as far as version 2. The –Stream option was not available until version 4.

If you just executed these commands, you probably noticed how a number of the files might have popped up matching the (more…)

Under the Wire… Windows Shell War Gaming

My boss and I had a conversation a few months ago regarding Over the Wire, a Linux war gaming server. The conversation revolved around how it was a great tool for those trying to build strength in Linux. From that conversation, we had a thought of why there wasn’t a variant on Windows focusing on the command line and from that thought came Under the Wire.

Under the Wire is a Windows Server 2008R2 Core system. The war game focuses on the Windows command line and the hope is that it helps people hone their skills or gain a better understanding for some of the things that can be done with a Windows shell.

It’s not expected for anyone to know everything they will encounter in this game, so please don’t panic, as the purpose of the game is to learn.

The object of the game is to use the hints for each level to find the password for the following level. For example, the password for level 2 is somewhere in level 1 and the password for level 3 is somewhere in level 2. That is the case for all levels, with level 20 being the last one. Once you have successfully logged into level 20, you have successfully completed the game.

The VM, instructions, and change log can be found here -> Under the Wire

General Notes:
• All passwords are lowercase regardless of how they may appear on the screen.

• The username for logging in will be century plus the corresponding level number. For example, the username for level 1 is century1 and for level 2, it would be century2 and so forth.

• The default shell is Powershell but you can switch to command line if you want. You can easily switch back and forth by typing cmd or powershell in the shell. If you wish to have multiple shells open, you can achieve that by doing the below.
1.Type taskmgr in the shell
2. Hit file > New Task (run…)
3. Type powershell or cmd

• You may find that while trying to accomplish a level using one shell it may render an access denied error. If that is the case, please just use the other shell. During testing, at least one of the shells worked for every level.

• You may be warned that this isn’t a genuine copy of windows. That alert is due to not having a product key and the trial period expiring. It does not hinder the game in any way other than the warning popping up. If it appears, simply exit out of it and continue on.

• Some things that may help you in the game are below.
– The Internet
– Get-help
– /?
– The Tab key will help with finishing out commands

Bare Monkey (Volatility)

I’ve been working on Bare Monkey for a few months now. Bare Monkey inputs a Windows memory capture and runs it against all Volatility plugins and outputs them to a text file. Afterwards, it deletes the generated files that are empty and then compresses the files left. It also creates a tarball and a MD5 hash. The README and code can be found on my github at

You will have to change the extension to .sh and chmod 755.

Some of the benefits of the program are that Volatility will no longer be needed after the program runs, you can analyze the output with a text editor, and grep through the data rather quickly.

Splunk vs. ELK Stack

When conversing about log collection and correlation on an Enterprise level, Splunk usually always comes up in the conversation. While I am an avid Splunk fan, outside of the free version, it can be a little expensive. ELK (Elasticsearch, Logstash, and Kibana) is very comparable to Splunk, in my opinion. Through my research and hands-on experience with the two, I’ve formulated the below thoughts and comparison.


Cost (Monetarily):

Splunk: Free up to 500MB a day. The paid version has unlimited indexing per day.

ELK: Free. There is a newer paid version that comes with support.


Cost (Time):

Splunk: One could have it up and running rather quickly. The amount of time already spent on (more…)

Converting a DD image into a VM – pt. 2

This is part 2 of the tutorial to convert a DD image into a VM. The below instruction picks up from the position that one already got a DD image and has it unzipped and uncompressed. To finish the task, please read on.

1. Copy the target_image from your linux forensics system to your Windows forensics system

2. To convert the raw file into a virtual machine using Live View, change the extension of the targetimage raw file to .dd

3. Create a folder on the desktop of your Windows forensics system for which we will put the VM after conversion.

4. Open Live View 0.8 short cut on desktop

5. When the program opens, make the following changes. Once complete, your screen should look like the below.

– Ram size: 1024 (default is 512)

– Operating system: Linux


Memory Capture with FTK Imager

I previously wrote about using DumpIt for Windows memory captures. If all you need from a system is to capture memory, it fits the bill rather well. There have been some times where it’s given me some issue grabbing memory over 8GB. Nonetheless, what if you need to do more? Let’s say you need to get a binary image also, DumpIt can’t help you there. FTK Imager will do both and more. Today I’ll speak on the memory capture piece and will visit the binary image capture at a later time. To get a capture, follow the below very simple directions.

1. Download FTK Imager from their official site at

2. Once downloaded and installed, open the program.

3. Click ‘File’ and select ‘Capture Memory’ as depicted in the below picture.



Parse and Extract PST and OST Mailboxes

Libpff is a powerful mail examination tool. The tool will allow you to examine and extract data without having to attach the PST to Outlook and has the ability to view emails that are encrypted. In my example below, I will be using the tool via the SANS SIFT workstation as it is already installed. If you want to the program on a different distribution, the source code can be found at While I have an example below of parsing the information, I encourage you to check out the man pages as it is pretty short and straightforward.

Note: the PST I am using is called target_pst.pst

1) Export the PST.

2) Verify that a target.pst.export, target.pst.orphans, and target.pst.recovered directory are now present.

Parsing Metadata with ExifTool

Its one thing to have a piece of data but its another thing to be able to get the metadata about said data. ExifTool ( is a tool that will allow just that. Its command line based but there is a GUI version as well called pyExifTool ( The tool not only allows you to read the metadata but also change it, if necessary. A person could also add his or her own custom tags as well. Below is an example of using the program.

Note: My JPG file name is called pic11.jpg

1) Examine the file using ExifTool


Windows Memory Capture using DumpIt

One of the simplest tools for capturing memory from a Windows system is DumpIt. The program is very portable and saves the capture to wherever the program is ran from. Most people will run it from a flash drive but depending on your company’s security policy that may not be an option so one can run it from a network share as well. It is advised not to save the program to the system you want to capture from and run it from I was going to document the steps but there is no need, it is just that simple. Below is the link for the software and if need be, there is a video depicting the steps.

Memory Capture via Hibernation File

If you are having a hard time getting a memory capture using commercial tools, have no fear, Microsoft to the rescue! Starting with Win2K, each version of Windows has supported OS hibernation. When you put a system into hibernation, it creates a hiberfil.sys file on the root of the filesystem (in most cases, C:\). That in itself is a capture of memory. The only problem is that you can’t just right-click and copy the file as it is locked. You could possibly copy by booting into safe mode (I haven’t tried it), slave the hard drive to another system and copy that way, or use some third-party program. The one that I recommend is X-ways WinHex. There is a free version of the software but due to the size of the hibernation file, you will need the licensed version, which costs $222.

Assuming you have the licensed version, below are the steps to copy the hibernation file.

1) Verify there is a hiberfil.sys file on the root of your filesystem (most likely c:\). If the file is not there, ensure hibernation is enabled and then put your system into hibernation. Once powered off, turn it back on and check again.


Display Credentials For All Previous Wireless Networks Connected To

I was at a friend’s house and needed to connect my laptop to his network. My friend was reluctant to give me password to his network and decided to type it in himself. In his mind, he was just doing his part to provide some security to his home network, so I don’t blame him but it did spark my curiosity as to was there a way to pull the password. So I fired up PowerShell and began pegging away. The below code will return SSID and passwords for all systems the computer it is read from his connected to.

Determining what profile to use when analyzing Windows memory in Volatility

No need to guess or experiment with different profiles, let Volatility figure that out for you. In testing, this worked with all formats that Volatility supports. If you were the one to do the memory dump or if the file was labeled OS information, this wouldn’t be a concern or a needed step. To let the magic happen, follow the below.

This analyzes the memory capture metadata and displays which profile is suggested to be used.

The output will be something similiar to this: