
Dear Blue Team: Proactive Steps to Supercharge your IR

BSides KC · 2018 · 50:25 · 116 views · Published 2018-06
Category: Technical · Team: Blue · Style: Talk
About this talk
In an age where data breaches and malware infections are quickly becoming the norm, we must prepare for Digital Forensics and Incident Response (DFIR). In doing so, there are many things that System Administrators, Enterprise Defenders, and Security Operations Centers can do proactively to not only enhance the security of an organization, but also assist the DFIR personnel in performing their duties in a more expeditious manner. The content provided in this presentation goes beyond the age-old advice of verbose logging and asset inventories. It will promote a cooperative relationship between DFIR and the rest of the “Blue Team.” We will kick this presentation off with a discussion about Threat Hunting versus Forensics. During this presentation, blue teamers and management will be armed with actionable advice as to how to pre-emptively capture artifacts as baselines BEFORE anything ever happens and the actions to take WHEN something happens.
Transcript [en]

All right guys, listen, we're gonna kick off track [inaudible]. Super excited. I want to fly in tomorrow, say Joe says, well, coming in hot to another con right after the exhausting, painful experience of an RSA for real security practitioners. As a thing, I appreciate Joe doing this. For the guys who don't know, Joe was a winner of the CTF in 2017 at DerbyCon, the social engineering one. Incident response and blue team, super fabulous talent, and I think one of the things that you guys get to take away from today, everything's going to be put into practice for you right away. So without further ado, Joe, let you take the mic. Can everyone hear me okay? Back in conjunction with speaking to this road

in California and seasonal allergies here, and they affect my rate. Tennessee for seasonal allergies, it's the water. So thanks for coming out. This is Dear Blue Team. It's basically advice from the forensics team for non-forensic people to implement to make forensics easier, so basically that's the gist behind this. Before I get started, the thoughts I express are not those of my employer. So why I say this: I research, I'm a security architect, an IR guy, 2017 DerbyCon social engineering capture the flag winner. I read a lot of blogs, I have my podcast, Advanced Persistent Security, I tap out a lot in Brazilian Jiu-Jitsu, and supposedly either way you've learned, so I learned a lot. This is what I've

heard. Aside from that, I used to navigate submarines in the Navy, and of everything in my time. So why this topic and this talk? So I took SANS Forensics 508, which is basically advanced forensics, incident response and threat hunting. I'm sitting there reflecting on this tough five-day course being a little bit too academic for my tastes, but that's okay, and I'm like, you know, some of the things in this course, why are we not doing them early on in the process? Why are we waiting until things hit the fan, management's hair's on fire, they're breathing down our throat, why are we not doing this? So this basically is a result of those thoughts. So I mean why are we

so start with a little baseline knowledge just to level the playing field a little bit. So basically we want to talk about what it is, DFIR. So it's Digital Forensics and Incident Response, digital forensics being the science of figuring out what happened and incident response being the holistic approach of the business in terms of how we get back to where we were. So then we have to think about the difference between incident response and incident handling, incident handling being a subset of incident response. Again, the response is the macro, the handling is a micro segment of the response. So basically the handling deals with things like chain of custody, and it's the logistics, the coordination, the

planning. The response, there's your technical needs, right. And here I've got the phases of the incident response process, it's commonly referred to as PICERL: preparation, identification, containment, eradication, recovery and lessons learned. This talk focuses on taking things from other phases such as eradication and recovery and shifting them to the left to the preparation phase, so that whenever you do end up in an incident response scenario and you are in identification or another phase you are able to have something to work off of and have a better baseline in terms of what is normal, and that's important. But again, you know, this process, it's very linear, but at the same time in an

incident response process you may come across something, you'll identify something, you'll classify it, then you'll move to contain it, you'll start to move it to the eradication phase, and then something else is going to pop up and you're going to find out you didn't properly contain it, so then you have to roll back. So understand that this process, while it is linear, it's also acceptable to roll back, and too often we're too focused on just keeping the process progressing forward, and that typically makes things worse for everyone, slows down the process, it angers management, probably shuts down the IR budget. So to bring threat intelligence into the equation, if we're going to hit some buzzwords today, sometimes it's cyber threat

intelligence, I'll just call it CTI, but basically, where does this fit in, how do we use it, right? Is it a consumable of forensics and incident response, or is it a deliverable of forensics and incident response? Anyone? It's both, correct. So basically with that, CTI basically enables you to have some concepts to use and some context to look for within your forensic endeavors, and even more importantly, when you're talking about things like threat hunting, because oftentimes when we think threat intelligence we think IDS signatures, maybe YARA, maybe STIX/TAXII, whatever, but it goes so much further than that. So let's talk about the types of forensics. Very basically we've got the file system

or disk forensics, and I've listed some tools that go alongside this, such as Sleuth Kit, Autopsy, which is the GUI for Sleuth Kit, scalpel and foremost, and then of course to some degree Volatility, even though it's more focused on memory. FTK of course, EnCase, there's all the vendor stuff. I tried to stick with things that were free, free is my favorite price. On the network side you've got like NetworkMiner, Wireshark, there's a few other tools I'm not really playing too much with but I researched to find out that they existed, like Bullock, and then tcpo of course. And then last night I was having a conversation about trying to predict another company's [inaudible]

because it was affecting an adjacent company that was a customer, and basically they're like, hey, why didn't you tell us they're under the terms of the Terms of Service, and he was like, whoa, to what level could we monitor this organization to determine when they're about to do this? I was like, well, in a non-intrusive way you could use NetFlow, right, because it's all metadata, and the courts already ruled that, I mean for NSA the VP postponed it, as long as it's metadata you don't know what they were talking about, you just know who was talking to who, for how long and when. I mean it's the same, right. But then what we talked about,

memory forensics, and that's really what this presentation is focused on. We have Volatility, which is probably the first and foremost whenever you're talking memory forensics. Rekall, which originally was a fork of Volatility, it's now maintained by Google and integrated into Google Rapid Response, which is their agent-based response system. And then you have Redline, which is a GUI which we'll look at a little bit later. FTK Imager doesn't really do forensics, in the Imager Lite at least, but it helps you, because without an image you can't really do forensics, right. We're gonna talk about operating systems, and I'm a big fan of SIFT, SANS Investigative Forensic Toolkit. You can

download it from the SANS website for the steep price of 399 for 350. You can also download REMnux from SANS. Coincidentally you can actually install them on top of each other, so you can download SANS SIFT and install REMnux on top of it so that you have the ability to reverse-engineer the malware that you come across in your incident response efforts. You can also install it on top of REMnux if you'd like. If you're really lazy and you don't change the default passwords, I find that the word malware is a lot easier to type than forensics, so I would install SIFT on top of REMnux, because there's your default password. If you don't want to go with

the SANS ecosystem, which some people don't, that's okay, there's a distro called CAINE, that's Computer Aided INvestigative Environment. To some degree Kali has the capability, it has the whole forensics thing, I've not tried it out, it may work, but basically I like to kind of keep those things separated, you know, you don't want to get into attacking whenever you're trying to figure out the problem. There used to be an operating system called Mercenary Linux, I'm not sure if it truly exists anymore or not, I reached out to the author, I've not heard back, so if I don't hear back in a couple of weeks I'm just going to cut that bullet. But anyway, so to take you down our

rabbit hole of buzzwords, we hear about threat hunting, and when we heard proactive digital forensics efforts that may have been what came to mind, and you're not wrong, but that's not where I'm going with this. So basically the tools, the techniques, it's almost identical to forensics. The only difference is in forensics you have some context in terms of what has happened, what am I looking for, there was a trigger such as an event. In threat hunting it's like nothing has happened, I'm looking for things that can potentially have been layered, so you're relying more heavily on specific indicators of compromise coming from the CTI that you may consume. So that's the important piece with that. In terms of benefits

it's going to absolutely supercharge incident response efforts because you're in a proactive state versus a reactive state. It might hurt your budget a little bit, but that's okay. And in terms of the maturity, it's not for everybody. If you have not met at least the first five Center for Internet Security Critical Security Controls, really known as the SANS Top 20, I mean realistically you shouldn't be doing too much of anything but meeting those first. But if you don't have an incident response plan and a mature incident response program, you have no reason to be threat hunting, because you're gonna go about it, we're gonna find all this stuff, but you have no process to implement. What are you

going to do with the stuff you find? So the maturity there is definitely very important. And there are automated solutions to some degree, a lot of the EDR stuff like Carbon Black and Cylance, they have that capability to some degree, and there's a product that does that as well. I can't really play with them so I can't speak to the efficiency of any one of them. So that basically, this is a side-by-side comparison of what I was talking about. So basically you have very few prerequisites for DFIR. Basically your prerequisite for true digital forensics in a reactive sense is an incident, that's your prerequisite. You have an information system, you have an incident, something happened,

somebody did something stupid, all right, let's find out. It's reactive. You may find out via monitoring, the feds might kick down your door and say, oh, by the way, I don't think, look at this, do you mind if we take over the investigation? That's completely [inaudible]. But basically from the business sense you're trying to get things up and running quickly, right, because downtime means money, businesses don't like to lose money. So again with threat hunting you have the prerequisites dealing with the maturity, the size of the capabilities, it is proactive, and again it does focus on consuming the threat intelligence that you've received. But the thing is, this is why I have a few objections to

consulting firms offering threat hunting as a service: it's based around what is normal. When I was a consultant and I did incident response I walked in and I had no clue what was normal, because I hadn't been in their system before. So in terms of threat hunting it's one of those things, they probably need an internal team to do it. So if you need to justify this, basically my thought would be you have an incident response team, while they're not actively responding they're hunting. If they don't want to hunt and they're not responding they could research, but hunting is going to protect the organization a little bit better, and honestly they don't keep

their reactions to a minimum. But nevertheless, at the same time, you don't want to let the time objective, but you don't want to spend four years threat hunting for a single piece of intelligence. I mean in theory I'm going to say we shouldn't be hunting for things like MS17-010 or MS08-067, but I mean time and time again it's proven that those things are still around. So before we go into the actual fun part of Dear Blue Team, let's go ahead and get the standard talk out of the way. So, logging: do it, for the most part, do it, with increasing storage being the main limiting factor. When you're

talking about log sources you want to ship it somewhere else. If you put logs on the same host and you don't ship it somewhere else, whether it be to another host within your organization or into the cloud, what's going to happen is the attacker just goes in and hits it with, I mean, it's something like srm, with a tool called srm, which before it deletes it it's going to overwrite it several times. If you ship it somewhere else I don't care if you overwrite it, overwrite it all day, I'll see those events, great, thanks. But at the same time logging will not make you unbreakable. The number of times I've walked on to clients

in response, I said, hey, we see a lot of what, that kind of thing. And what a bit, this specific client that I have in mind had just paid $32,000 in Bitcoin because they had an RDP server hanging out on the public internet with a four-character administrator password. Someone walked in with SamSam and they called that file, those rats, man. Mm-hmm, yep, Darwinism exists in IT too. But you need an inventory of everything, right. If you look at the CIS Critical Security Controls, number one and number two, identify authorized and unauthorized hardware, that's number one, software, that's number two. Okay, how do we do this? Okay, we have all these tools that do all this

cool stuff. Vulnerability scanning will pick up on a lot of that. I mean if you're in a Windows environment there's a PowerShell script called consulate ks8 that will actually go and interrogate all your Windows hosts and extract this information for you, it's beautiful. But you have to update this frequently. Because if you do an annual inventory and say, yeah, we got an inventory, what happens when Steve the executive who's an early adopter, I mean he had different glasses, one, let's go with this, brings his new IoT thing into work, and because he's an executive, IT, when you tell them nobody can be on the network, next thing you know somebody's [inaudible] and they find it dancing with the CP

piece, now all your base are belong to us. Have some sort of network time. If you're in a single office you can maybe get away without having NTP or something like that, but you need something, you need uniform time to make sure that when you're looking at log data, you're looking at time, or you're looking at artifacts, you're not having to do the math in your head and saying, okay, well this is the Kansas City office, this happened in the New York City office, and then something else happened at the person in the Australia office, what's the time zone difference? Yeah, sync it to one time, whether it be GMT, whether it be one time zone or another, headquarters time, it doesn't

matter, do pick whatever time zone, no one's going to punish you if you pick the less than ideal time zone, but pick something. So, you know, it's just something to look at, baseline. I'm going to get into that in exhaustive detail very shortly, but it's just something that we always hear, have a baseline, have a baseline. Okay, well what does baseline consist of? Have a baseline. It's like, so are you for the Cardinals or the Royals? That's the equivalent. So here's some softer skills you need to think of. We deal with incident response and this should definitely go into your incident response plan, and with this I'm going to get on a very

small high horse, I'll call it a high pony because it's not a true high horse, I'm just planning for a very short period of time. But basically when you're defining incident response type stuff you need to let people know who to notify, don't just say notify IT, okay, because we're gonna call the help desk and they're going to try turning it off and back on again. It's red, okay, again, try turning it off and back on again. No really, it's ransomware. How do they go to find them? I'll give you a hint: someone clicks a phish. You probably don't want to report any of them, in fact email is probably not the preferred method, period. I like the idea of text, in

person, via phone, carrier pigeon, smoke signals, Morse code, Campbell Soup cans on a rope, whatever you want. I would say stay out of email for the fact that you run the risk of an attacker having access to email, seeing what your next moves are and then bypassing everything every time. It's basically playing a game of cat and mouse, and we've all seen Tom and Jerry, Tom never wins. So what actions do we want someone to take when something fishy's happening on their computers? Do we want them to turn it off, unplug it from the wall, unplug it from the network, log off, restart, do nothing? What? I can't tell you the right answer. From the perspective of a forensic posture there,

there are ramifications that deal with each of those actions, and in that sense that's something that you in the organization have to define, so that you can tell people what to properly do. Because the vast majority of our organizations and our security people, unless you work for a security company, and even then, you're dealing with non-security people. As an industry, this is the high pony, but especially on Twitter, we go on this whole rampage of blaming the user, the users are stupid, and I hear that all the time and it just absolutely burns me up. For executives, okay, as a social engineer you're saying that your client's employees are stupid, the same employees

that signed the contract for you to come in and phish them, so does that mean they're stupid for hiring you? There are stupid people in the world, I don't disagree with that, but the thing is, as an industry we need to take the burden off the user, we need to enable the user to do what they need to do in a secure manner, and we need to have that relationship with them so they can report things to us, because that's what we need. If someone reports that they clicked on the phish and they get beat over the head with a book, suspended or fired, what's going to happen to the next person to disclose information? They're not going to

report it, you're going to find out when you're having a [inaudible], it's just the reality of things. So we just need to enable them to do their job and we need to have a clear understanding of how to report things. Something I really like: so when I was in the military we had these papers, we had them next to every single phone that I ever talked on in the military, except for the secure ones, and basically there's a bomb threat worksheet. Someone calls in a bomb threat, here are the questions you ask, here are the things you try to find out. Why do we not do that for incident response? Why do we not have a worksheet

next to every single computer saying, you think you have an incident, what time was it, what's your hostname, and so forth and so on? So when they call to report something, when they shake the Campbell Soup can and you put it up to your ear, they tell you everything that you want to know, within reason. Another thing: I love all the colors of Cat5e or Cat6 cable, I love them. Here's the thing, you need to use one single color in your organization, and I don't recommend black, because you could very easily say, if you want people to disconnect from the network when something happens, say, unplug the yellow cable in the back of your computer.

My mom is tech illiterate, totally gonna unplug that yellow cable, she can unplug that. If you say, oh, unplug the network cable, there's a good chance the power cable's going, because it's gonna be the easiest to unplug. You don't want them to take certain actions, just like that client that had the SamSam with the four-character admin password: they deleted the VM. So when I came in to do IR I'm like, let me see the host. It's gone. Which, I mean, in hindsight we could have went through it and actually done file system forensics to recover it through data carving, but they didn't have that many billable hours. So that's just the

reality of it, you can only get your policies and procedures, it all depends on what you want to do. Like an action not to take, maybe don't inform law enforcement, because there are pros and cons to informing law enforcement. You might get a lot of high-end help, you might get a lot of insight you wouldn't otherwise have, but they may also take over your investigation throughout the process, as opposed to getting you back up and running like you want, so keep that in mind. Don't change the password for a compromised account, because that would guarantee, if you try to think that's where it's going to have a hard time. Respect the chain of

custody, it's going to be paramount, because that's one of the main overlapping things between security professionals and lawyers, we both understand the chain of custody. So, getting to the middle, so memory forensics. So we have several tools like FTK Imager, Rekall or dd, so forth and so on. Again we have Rekall and Volatility to do the assessment from the command line, and then you have a FireEye product called Redline that does it from the 30,000 foot view, it's a GUI. I will caution you, you do not want to use anything above version 1.20, they took away this really cool feature called the MRI, the Malware Risk Index, so I use version 1.14, it's the last one

before, it's beautiful, and you'll see why shortly. So basically what we're trying to do is we're trying to see what's running on a live system. This might not be in the logs yet, this may not be in the file system, and if they do some process hollowing and do some side channel stuff to a DLL, you'll see tracks of that that otherwise you can find using memory forensics in some cases. So basically, you know, when you say, oh, I do forensics, oh yeah, how about memory? I just deal with logs, that's kind of forensics I guess, but you might see more content outside of that. What if I told you

Volatility could replace the Sysinternals suite? Almost everything that it does ultimately has a plugin for it. There are a few examples there, like procdump, you can use those instead. If you have some network information you could run something like netscan and confirm the data out of memory, you can confirm that with file system forensics too. You can even create a timeline via a bodyfile, which basically, it's the output of something like Sleuth Kit, the output of something like Volatility, and you're going to use a tool like log2timeline, Python, to execute it, create a timeline in CSV format for you to go

down the line. You can create it for all of those, and what I like to do is I like to look at each of them individually, but I like to append them all together on a host basis, and on a massive scale just go down the line and you can see where somebody pivots, how it happened. Excuse me. So basically you can assess the processes. So we hear all this talk of nation-states and how invasive they can be and how stealthy they are. What I'm about to say might not be applicable then, but for most other persistent adversaries, boom, you can actually find when a registry key was installed, and that is truth.

You can modify what the registry key says, you might be able to tamper with logs, you can do timestomping, but within Volatility you can find the registry key creation date, and that is truth. You can also, there are several plugins that actually deal with analysis, [inaudible], you can find this stuff right off the bat. It's going to look at things like file headers and then the consistency of how the processes, drivers, handles and strings are associated. So when we look at this, here are a few capabilities of Volatility modules, and I've got the modules in parentheses. So for example you can use mimikatz in Volatility to dump every password, if you want the hashes you can

do that too. Find rogue processes, there's the process stuff. PS tunnel is amazing, it actually creates a dot file you convert to an image and it'll actually color code things that you should probably look at because they don't add up, it's beautiful. Look at the network, so netscan if you're dealing with anything after XP, before that you've got like connscan, connections and sockets, all that fun stuff. You get to your level, you can even carve processes. Carve the process, let's go to VirusTotal, carve the process, get the hash, drop it in ThreatMiner, Crowd[inaudible], OTX, IBM X-Force, threat exchange, whatever. Find out when things really

happened, that's that registry key creation that I was telling you about, the timeline, the malware, there's those processes as well. So basically this right here, if there's nothing else you want to take from this, this is what you want to do. So you need a golden image, you need a golden image for your organization, you need one for each role in your organization. HR uses different software than IT, and then accounting, then help desk, then

the warehouse, I'll use that example. So basically we have that, we have the version. So when you create this standard image, you execute the image and you capture the memory. Remember that baseline thing I mentioned? There it is. You have baseline memory, which is more important than file names, file versions, hashes, it's more important than any of that. Those things play a role, don't get me wrong, but this is more important. Another example, prefetch. Within this you can use a prefetch parser. Basically it came about in XP, and the prefetch files tell you what was executed. You can also use that to determine when something was downloaded, it's beautiful. When there's no prefetch, it

means one of two things: it wasn't configured or it went bye-bye. If it went bye-bye then you're going to want to go try to recover that using file system forensics. Something to look at, the shim cache, also known as the application compatibility cache. Basically, because systems don't like to play nice with each other, this checks for compatibility every time something executes, so you can find out subsequent executions of applications. You can find things like standard information, or just beautiful, full file path, the file size, the process execution flags, last update time, it's always beautiful. So, processes. Okay, so I like this one. So there are some things that are trojaned out there under common

file names like svchost.exe does. So if you see svchost and it's executing somewhere besides Windows\System32 and it does not have the -k switch, try the [inaudible]. So actually, in this equation, I recommend that you script with, say, a for statement to go and get an MD5 of every file in the directories you consider important, maybe your C:\Windows or C:\Windows\System32, basically all the fun stuff. So get an MD5, have it recorded in a file, store that file for that system somewhere. I mean you can zip it up and put it with the memory image. And take it a step further, there's a thing called fuzzy hashing, which is

byte by byte hashing, you're going to use a tool called ssdeep. So when you see something, you check the MD5, the MD5 doesn't match, if you can check the ssdeep it would say this is where it changed, what changed. Is this based on a Windows update or did somebody come in and alter something? Registry keys, take it back into that, hash that as well. If you're not updating software, for the most part, a few exceptions exist, the vast majority of the registry won't be changing too often. You can even script these things with regular expressions, whether it be version numbers, registry keys, whatever. Take the time to do it because these are all things that are going to

make your life easier when something hits the fan. And the thing is, you don't want to think of if it hits the fan, it's when it hits the fan, because it happens. So with the baselines we have that memory image, what do we do with the current image? Well, Volatility has plugins that you can actually do process, driver and service baselines, you can compare those two images and it will basically do the equivalent of a diff and tell you the difference. Okay, these are something you want to look at. Okay, so they ran Windows Update on this and we just didn't get the image on it, okay, checks out. Hello, here's svchost again, wait, what's this executing in here? That

process isn't supposed to be there. So basically you can do it of every single host, you do it of every single image. For the sake of being realistic I say every single master image, when you talk about every single host you're talking some massive file sizes. Your system has 12 gigs of RAM, well you take a memory image, that's a 12 gig file. Your VM has 12 gigs of RAM, if it's VMware it's 12 gigs, right, if it's VirtualBox that's never happening, whatever the size is that's actually currently being used. So something to keep in mind, but you can script it and pass it off to a cloud instance or an internal server, whatever you'd like.
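The hash-baseline advice above (a for loop that hashes everything under C:\Windows, stores the result beside the golden image, and later diffs it against a fresh capture) as an added, self-contained example; this is not the speaker's script, the paths and file layout are assumptions, and it records SHA-256 alongside MD5 so the baseline is usable with tools that no longer accept MD5.

```python
"""Capture a per-file hash baseline from a golden image and diff a later capture.

Added example for the talk's "script a for statement, MD5 every file,
store it with the memory image" advice. Any directory works; C:\\Windows
or /usr/bin are only the kind of tree you would normally point it at.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

Baseline = Dict[str, Dict[str, object]]  # relative path -> {"md5", "sha256", "size"}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the file once and return both MD5 (what the talk uses) and SHA-256."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def build_baseline(root: Path) -> Baseline:
    """Walk root and hash every regular file; symlinks and unreadable files are skipped."""
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # a symlink to /dev or a pipe would hang or mislead the hash
            try:
                digests = hash_file(path)
                size = path.stat().st_size
            except OSError:
                continue  # locked system file, permission denied: record nothing, not a bogus hash
            baseline[path.relative_to(root).as_posix()] = {**digests, "size": size}
    return baseline


def save_baseline(baseline: Baseline, out_file: Path) -> None:
    """Store the baseline as JSON so it can be zipped up next to the memory image."""
    out_file.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(in_file: Path) -> Baseline:
    return json.loads(in_file.read_text())


def diff_baselines(golden: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """The 'equivalent of a diff': files that appeared, vanished, or changed content."""
    golden_keys, current_keys = set(golden), set(current)
    changed = sorted(
        k for k in golden_keys & current_keys
        if golden[k]["sha256"] != current[k]["sha256"]
    )
    return {
        "added": sorted(current_keys - golden_keys),
        "removed": sorted(golden_keys - current_keys),
        "changed": changed,
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a golden tree, then one file altered, one added, one removed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "System32"
        root.mkdir()
        (root / "svchost.exe").write_bytes(b"GOLDEN SVCHOST")  # constructed sample content
        (root / "ntdll.dll").write_bytes(b"GOLDEN NTDLL")
        (root / "drivers").mkdir()
        (root / "drivers" / "tcpip.sys").write_bytes(b"GOLDEN TCPIP")
        store = Path(tmp) / "golden.json"
        save_baseline(build_baseline(root), store)  # what you keep with the golden image

        # Later capture: something altered svchost, dropped a new binary, removed a driver.
        (root / "svchost.exe").write_bytes(b"ALTERED SVCHOST")
        (root / "updater.exe").write_bytes(b"NEW FILE")
        (root / "drivers" / "tcpip.sys").unlink()
        return diff_baselines(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it as `python baseline.py` for the constructed scenario, or call `build_baseline(Path(r"C:\Windows\System32"))` and `save_baseline` on the golden image, then `diff_baselines` against a later run.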

There you could script it. It could, the storage would be the problem, because storage, bringing it back to that, it's kind of a pain. Storage, whether you're paying for it in the cloud through an S3 bucket, hoping your bucket's not leaking, but you know you're paying for that, you're paying for the hardware within your organization to store something. At the end of the day storage is money. So let's take a quick look. I'm going to skip the demo for a moment and I'm just going to hit one more slide and we'll get to the demo piece. I'm going to get deep into memory forensics, but this is a single slide that could probably be here too. So, take pcaps. SIEMs,

most SIEMs will allow you to script this, so something suspicious happens, you're grabbing a pcap. I like that idea, I don't like that idea. I don't like that idea because the SIEM has to know something's going wrong, that means you're probably going to miss the head of the fire, that's the unfortunate part. It's also a storage nightmare. Integrate with yourself, look at things like NetFlow, have your logs, do your pcaps, send your vulnerability data, because for the most part vulnerability data is indicative of some things that happened. I'm not going to say that a vulnerability caused everything, but oftentimes it does. With your pcaps you can use like NetworkMiner, Wireshark,

to carve files out, say, hey, this is what's going on here. Cool. So that makes, we're going to shift the screen, do a little bit of demo. So just shift into duplicate. I forgot to open FTK, I think it's in this directory.

So I'll execute that and it's doing its thing. I'm gonna go ahead and open a previous analysis from students. So just opening this analysis, this is a .mans file, which is what Redline saves the file as, and it's basically had a memory image that's been imported into it. So right here we're seeing the processes, right here's the MRI, so that whole red dot that goes away after version 1.20 or later, but we could do those sorts of things. So we can even look at the hierarchical processes so we can see what triggered what. So let's go back, look at 6404,

That should show... oh, right here it is. Oh, there's PsExec. What's going on here? There's [inaudible] .exe as well, something else to look at. So we could go a little bit further: under the processes we can even look at what ports are being used. And again, this isn't the 30,000-foot view; when I have a memory image I like to start here and then work my way into Volatility and get deep in the weeds. So here we see what's running and where. We don't have the MRI on this one, but basically we can see the remote addresses, what port, the status and everything else. That is something important, because if you

have something malicious getting out to something, you're going to get a little context around it, which is definitely important as well. So you can go a little bit further: you can look at a timeline, you can look at the acquisition history, strings, even memory sections if you like. But let's take a look at this.

It's a resource hog, I think. So I tried to give this talk in Orlando earlier this month, and three slides in I had a blue screen of death; that's why I [inaudible] this talk. I think it's because I had too many processes, right? So I cut my VM size down from four gigs to two gigs and did it that way. So if you want to take a memory image with FTK Imager Lite, this is free, by the way. You just go here and say Capture Memory. The thing is, you don't have to install this on the system either, so you can have it on a thumb drive. I use two thumb drives, and they

run it from one thumb drive and get the memory onto the other. If it's a server, you might use an external hard drive instead of a thumb drive, because any time you're dealing with memory forensics you want to have 110 percent or more of the capacity: so if you have a 10 gig system, you need at least 11 gigs. But anyway, you give it a destination, you give it a filename, you can collect the page file and so on, and then you just say Capture and it's off to the races. Once it's done, you have it; you can go off and do your analysis, put it into Redline, get it

imported into Volatility, whatever you like, because it's a standard image; it's definitely an option as well. So that's that. So then, within this: this is SIFT. Right here I've run imageinfo on the system, so I now know what it is. We have the KDBG over here, we know how many processors, all of that stuff, you know it's [inaudible]. So right here the suggested profiles are Windows 7 Service Pack 0 or Service Pack 1. Here you'll see I've exported the profile as Service Pack 1, so that's just going to make my command line a little bit easier. So we'll give it the file. I should have... you can

set this up as an export as well. And let's just do netscan, so we'll see the network connections; that's a good place to start. It takes a minute to do it, and while it's doing that, over here in NetworkMiner I'm going to import a pcap. Let's have some fun.

I have a lot of pcaps, seriously, so we'll just look at something. Okay, well, that's important: we're seeing some data here. Notice at the bottom that I do not have PuTTY running; it's going to be important in a moment. PuTTY is there, but it is not running. Okay, well, that's something to look at on the network side. So basically we see within this capture we have two nodes, we have one session, some parameters here, nothing too big. Within these nodes we can expand it, and I apologize, I can't blow this up any more; it doesn't zoom in or out. And again, this is a free tool; if you want the paid

version, it's like 1,300 bucks and you get a little bit more capability. And I mean, I like things that are free, whether it be for the attack side, the forensic side, social engineering or OSINT stuff; I don't like to pay for things when there are tools out there. But anyway, we have some data here: how many packets were sent, the file size received, the sessions, all that fun stuff. So let's look at this. There's a file; look what it is, it's [inaudible]. So with this we can calculate the hashes, so like with malware we could take these hashes, put them in our indicators of compromise, we can put them in firewalls [inaudible]

[inaudible], whatever we want. Since we have that, we can also open the folder, which is basically going to show us the file right here. You can upload that straight to VirusTotal as well. Don't click it, though, if it's malware; if you double-click here, it's going to run. But anyway, you have that file. PuTTY wasn't running; it is now. So I just pulled the executable straight out of it. So we'll take a look at another one.

I would say we really didn't want to grab that one; I'll be honest, [inaudible], there's just not a lot of interesting stuff. Let's look at a new one. We see there's a lot more files here, but let's look at the hosts. So here we see all these domains. Okay, my first reaction is I'm going to go and see if these are in threat intelligence feeds. Then I'm going to write some sort of regular expression for a URL to go see where else, what other systems in my environment, are connecting with these hosts, at both the hostname and the IP level. So other things that we can find out here: again, there's

an IP, there's the MAC, the vendor, the hostname; and go a little bit further, host details right here. As we see, it's a web server with nginx, so there's some information for you as well, definitely important. We have a lot of parameters here that we could look at, all kinds of stuff: user agent, path. If you have the time to sit through this you get a lot of stuff out of it; again, though, it takes time. Here are the sessions. There's a credential that's passed, so then we can even copy that username and password. So anyone here that's on the attack side, you could probably use this for malice too if you like. But here

we have five files. I always like to sort by file size. Whoa, there's a Shockwave file, hmm. So you can look at the hash, even compare it. I'll give you a hint: [inaudible]. I uploaded the file; it's there. I didn't execute the file, but you could use this as an example to see, like, when you see a two gig HTML file, that's probably indicative of a little bit more than meets the eye there. But when you look at things like file size, file destinations, where it was going, where it came from, these are all things that are important. So that's pretty much the end of NetworkMiner. Now let's go back to

Volatility. Here are all the network connections of that host. So we can even go further, and it's going to take longer, but if we need to we can pipe this to grep commands: we can say egrep -v and exclude things, or we can grep for only established connections, or only closed connections, or only connections on port 80. So you can go so far with it. I saw on Twitter today that there was a statement that things would get hacked today, so I'm contributing to my red team effort right here by running mimikatz; just going to contribute to the cause. Oh, there are the passwords: "black widow bank dumb bang hail Hydra"; this is an actual passphrase. And then

there's a lot there on that WKS user account. So you know, you can see patterns here: maybe, wait a minute, we don't have that user in Active Directory, let's take a closer look. There are a lot of other things you can do with it; unfortunately, with Volatility it takes a lot of your time to spit out, so we're just going to leave it at these two for the time being for the presentation.
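The two checks the demo does by hand (grep the Volatility netscan output down to established connections or a single port, and take the hosts NetworkMiner showed and look for other systems in the environment that talked to them) as one added Python example. This is the editor's code, not the speaker's or the tools' own; the netscan text, the proxy log lines and the "threat intel" set are constructed samples, and the proxy log layout (timestamp, client IP, method, URL, status) is an assumption.

```python
"""Triage helpers for two steps the talk walks through by hand:
filtering Volatility netscan output instead of eyeballing it, and taking the
hosts NetworkMiner showed and hunting for other systems that talked to them.
Added example, not the speaker's code. All sample data below is constructed."""
import re
from collections import namedtuple

# Constructed sample, shaped like Volatility 2 `netscan` output for a Win7 image.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e2a0b10         TCPv4    192.168.1.20:49203             203.0.113.7:443      ESTABLISHED      1492     putty.exe
0x3e2d1c30         TCPv4    192.168.1.20:49210             198.51.100.5:80      CLOSE_WAIT       2104     iexplore.exe
0x3e2e4f80         TCPv4    192.168.1.20:49215             198.51.100.5:80      ESTABLISHED      2104     iexplore.exe
0x3e3f0a00         UDPv4    0.0.0.0:5355                   *:*                                   884      svchost.exe    2018-06-01 10:21:03 UTC+0000
0x3e40a2a0         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
"""

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid owner")

# One netscan row: offset, proto, local, foreign, optional state (UDP rows have
# none, which is why a naive whitespace split misaligns the columns), pid, owner.
_LINE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<proto>\S+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<state>[A-Z_]+)?\s*(?P<pid>\d+)\s+(?P<owner>\S+)"
)


def _split_addr(addr):
    host, _, port = addr.rpartition(":")   # handles "*:*" and "0.0.0.0:0" too
    return host, port


def parse_netscan(text):
    conns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:                          # header line or anything unparseable
            continue
        lip, lport = _split_addr(m["local"])
        rip, rport = _split_addr(m["foreign"])
        conns.append(Conn(m["proto"], lip, lport, rip, rport,
                          m["state"] or "", int(m["pid"]), m["owner"]))
    return conns


def established(conns):
    return [c for c in conns if c.state == "ESTABLISHED"]


def on_port(conns, port):
    return [c for c in conns if c.remote_port == str(port)]


def remote_ips(conns):
    """Real remote peers only: drop wildcard and unbound listener addresses."""
    return {c.remote_ip for c in conns if c.remote_ip not in ("*", "0.0.0.0", "")}


def hits_against_intel(conns, intel):
    """Connections whose remote IP is on a (here constructed) threat-intel list."""
    return [c for c in conns if c.remote_ip in intel]


def triage(netscan_text=SAMPLE_NETSCAN, intel=frozenset({"203.0.113.7"})):
    est = established(parse_netscan(netscan_text))
    return {"established": len(est),
            "intel_hits": [(c.remote_ip, c.pid, c.owner) for c in hits_against_intel(est, intel)]}


def host_pattern(hosts):
    """Regex matching any hostname/IP seen in NetworkMiner as a whole token, so
    203.0.113.7 does not also match 203.0.113.70."""
    alts = "|".join(re.escape(h) for h in sorted(hosts, key=len, reverse=True))
    return re.compile(r"(?<![\w.-])(?:%s)(?![\w-])" % alts, re.IGNORECASE)


# Constructed proxy-log sample (assumed layout): timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2018-06-01T10:22:14Z 192.168.1.20 GET http://evil-update.example/putty.exe 200
2018-06-01T10:25:09Z 192.168.1.44 GET http://evil-update.example/cfg.bin 200
2018-06-01T10:26:31Z 192.168.1.51 GET http://www.example.org/index.html 200
2018-06-01T10:27:02Z 192.168.1.63 CONNECT 203.0.113.7:443 200
2018-06-01T10:28:40Z 192.168.1.70 CONNECT 203.0.113.70:443 200
"""


def systems_talking_to(log_text, hosts):
    """Client IPs in the proxy log whose URL hit any of the suspect hosts."""
    pat = host_pattern(hosts)
    seen = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and pat.search(fields[3]):
            seen.add(fields[1])
    return seen


if __name__ == "__main__":
    print(triage())
    print(sorted(systems_talking_to(SAMPLE_PROXY_LOG, ["evil-update.example", "203.0.113.7"])))
```

On a real case, feed `parse_netscan` the saved output of `vol.py --profile=... netscan` and `systems_talking_to` your proxy or DNS logs with the Hosts list exported from NetworkMiner; the whole-token regex matters because a bare substring match on an IP will also flag neighbouring addresses.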

That's okay; that's the demo piece. So, paying homage to the original founder, or one of the founders, of my local DEF CON chapter, DC865, [inaudible], you may know him. The context behind this is he was at [inaudible], and he had his picture made with [inaudible]; his hand is doing his impression of [inaudible]. We like to mock each other; we like to rib each other. So this is the official... not the meme, but that picture is the official logo of DC865 now. So if you want to contact them, there's

my contact information; I'll have it on a later slide as well. But in the last few minutes of the presentation I'm going to talk about a mentorship program that I've put together in coordination with [inaudible]. It's called the Hacking Class. Basically, we know we have academia, we know we have certifications, and we know that neither of them fills everything. Basically what I'm trying to do is get qualified mentors and ambitious mentees together to learn and do things in between those two, academia and certification. So basically it's a five by five: five roles, five levels of difficulty. It's more than a CTF, because the mentor will do things like assign reading and writing assignments, because

writing is a core part of what we do, whether you like it or not. I don't care if you're a pen tester, a researcher, on the help desk: you write reports, even if you're in the SOC. But then you do labs, and then you can put it to the range. The range is a linear process. It starts out: we'll have someone come in and harden the system and then pass it off. After that phase is over, someone's going to be monitoring as someone is attacking. After that phase is done, someone will come in and do incident response on it, and then all that stuff will be passed to someone else to create threat intelligence. It's not

going to get published to the public, because people who are not doing malicious things, we don't want their public IP being included in [inaudible], or something to that effect. As a mentee you get a report card, a report card to show a potential employer, which will have the feedback from your mentor and from the team from the range. The levels of difficulty: single system; two to five systems; small office/home office; homogeneous enterprise; heterogeneous enterprise. We're working with vendors to get NFR licenses, not-for-resale licenses, so you can actually use enterprise stuff. And then the other side of the coin, because I have a

certain love-hate relationship with salespeople: we're not going to be allowing salespeople to solicit mentors or mentees. If a mentor or mentee gives them their information, that's on them, and you totally can if you want to learn more about the product. The only thing vendors are allowed to give you is technical documentation and technical training: no sales documentation, no sales pitches, no pre-sales training, only technical stuff, period. We'll probably miss out on a few dinners for that, but I think that's more important than getting people harassed. I mean, it's just the way it is. There's the contact information for it. Here are my upcoming speaking engagements; I am a glutton for punishment, if you

haven't noticed already. [inaudible] at Social Engineering [inaudible]; I've got an eight-hour social engineering workshop, which is what this shirt is actually for. The link is there; I don't get any money off the shirt, but it's 45 bucks. And with [inaudible] the course is through EC-Council, and [inaudible] class; it's pretty fun, I just finished writing it. But that's everything coming up. And before your questions: anyone who wants a free ticket to Hacker Halted, there are coupon codes, I think 25 percent off training; there's a coupon code for that.

And, any questions?

[Audience question:] Is the memory capture affected by things like latency, because different things are going on and memory is changing while you're doing the capture? [Answer:] It's a possibility; [inaudible]. The capture is just going to be a point in time, just like anything else; that's the nature of the beast that comes with it. In terms of latency, that's why I'm advocating thumb drives or something, maybe not doing it over the network. Yes?

It's just our presence; it's like saying [inaudible]. Any other questions?

That's that, apparently. I don't really have a lot of experience with it personally, but I mean, one image, I don't want to say, was much bigger than the other. And the thing is, with Volatility you can actually do the image copy and change the format as well; you do the same thing with a hibernation file. Okay, other questions? Thank you for your time, and here's the information if people want to talk or anything else. [Applause] [Music]