Hello Reader,
Today I decided to do a live demonstration of how the AWS CloudTrail Downloader v2 from our FOR509 class works! So I fired it up and showed off all the new features like AWS profile support and most importantly resume functionality! I hope you like it!
Hello Reader,
It's always great when new people start blogging, and Evan Anderson has started a new blog! His blog Offensive Context is all about offensive security techniques and applied leanings. Evan and I have known each other for a long time and have done National CCDC redteaming together for over 15 years. So if you are looking to learn more about how threat actors actually work Evan's blog is a great place to learn!
https://www.offensivecontext.com/abusing-dns-part-1-how-does-dns-do-what-it-do/
Hello Reader,
I’m often surprised by how many effective open source DFIR tools are overlooked. One of my favorites is page_brute. This tool tackles a tricky problem: parsing logical data chunks from the page file without accidentally merging memory segments from different programs.
Page_brute accomplishes this elegantly by carving the page file into segments equal to a single memory page. It then applies YARA rules to categorize each chunk. I mainly use it to recover AJAX fragments and other temporary web objects that never make it to disk. Since the content I’m after is usually small enough to fit within one memory page, this approach works exceptionally well for webmail investigations.
If you’re looking for a reliable method to recover and categorize page file contents, I highly recommend giving page_brute a try: GitHub - matonis/page_brute.
Hello, Reader,
The bonus question in this challenge asked where Windows stores the biometric data used for facial recognition or fingerprint authentication. It turns out that this information is kept in a database located at:
\Windows\System32\WinBioDatabase
Inside this folder, you’ll find files named with GUIDs and a .DAT extension, for example:
DC576DA6-D676-4A15-906D-C0CEAF949543.DAT
These files contain an encrypted and hashed version of a user’s identity that Windows uses for system authentication. This process is part of the Windows Biometric Framework. For more details, check out the Biometric Framework Overview on Microsoft Learn.
The encryption key being used remains unclear, and it’s possible that these keys are stored in a TPM chip. I’ll take a closer look at this file in my next post to see if the Data Protection API is also being utilized.
Stay tuned!
Hello Readers,
Believe it or not, I recently purchased a Windows Hello-compatible fingerprint reader purely to test its capabilities and examine the logs it generates. I’m pleased to report that the investment paid off—there’s now an event log entry in Microsoft-Windows-Biometrics that confirms a successful fingerprint-based authentication.
Here’s the log entry it's event id 1004:
The Windows Biometric Service successfully identified
<hostname>\<username>(S-1-5-21-3400467401-1001) using sensor: VeriMark DT Fingerprint Key (USB\VID_047D&PID_00F2&MI_01\7&163AA6B8&0&0001).
Much like facial recognition, this distinct log entry clearly indicates that a person (or someone who managed to spoof the sensor) was present at the keyboard.
Hello Reader,
It's Sunday! This week's challenge is all about whats left behind when someone is able to get a temporary access key from an IAM role in AWS. Let's see who is able to build out the best detection set!
AWS IAM Roles are often targeted by threat actors after they get access to a running virtual machine. While AWS IMDS v2 may prevent some attacks the functionality is still there and is being actively exploited to get credentials and act as a service or role. In this challenge I want you to try the following and document what logs are left that could be used to detect or determine these actions occurred.
1. Retrieve a temporary AWS access key credential from IMDS v1
2. Retrieve a temporary AWS access key credential from IMDS v2
3. Use the temporary access key within an AWS vm
4. Use the temporary access key from outside of AWS
From all four scenarios determine what logs are created.
bonus: Try and document other scenarios of theft and use and additional sources of evidence.
Hello Reader,
It's always a surprise to me what gets lots of entries and what just gets a few dedicated researchers. This week we have another winning answer from Ilya Kobzar. Ilya took the time to research Windows 11 shell bags and we can test this in an upcoming test kitchen!
The Challenge:
Test what causes a shell bag to be created or updated based on the following actions:
1. A directory created in the command line
2. A file being copy and pasted
3. A folder being copy and pasted
4. A file being cut and pasted
5. a folder being cut and pasted
6. A directory being opened from file explorer
7. A directory being opened from the desktop
8. A directory being clicked on from file explorer
9. A directory being clicked on from the desktop
The Winning Answer:
Hello Reader,
It's Valentines Day! Make sure to take a moment to let the ones you love know you care. Here is a little card from Chat GPT 4o and me.
