SANS Digital Forensics and Incident Response Blog

DFIR Monterey 2015 Network Forensics Challenge Released

DFIR Monterey 2015


Join us at DFIR Monterey 2015 - a Reverse Engineering Digital Forensics and Incident Response Education (REDFIRE) Event.

This unique Digital Forensics and Incident Response (DFIR) event brings our most popular forensics courses, instructors, and bonus seminars together in one place to offer one of SANS' most comprehensive DFIR training experiences. This is a must-attend event for you and your team as our leading experts focus on building the DFIR skills that will take you to that next level.

Network Forensic Challenge


The objective of the ...

How to Track Your Malware Analysis Findings

Introduction


The field of incident response, forensics, and malware analysis is full of thrilling hunts and exciting investigations where you have an opportunity to aggressively pursue the activities of adversaries. While technical acumen certainly supports these efforts, a truly successful execution requires both a well-crafted process and detailed documentation of the journey through that process. Meticulous documentation allows you to easily retrace your analysis flow (particularly important if the work supports any litigation), and it facilitates information sharing so others can benefit from your analysis approach and results. More importantly, if a malware analysis effort continues for any substantial period of time, tracking what you've done and what is yet to be done is difficult without comprehensive notes. Generating documentation is clearly one of the less glamorous parts of malware analysis, but it's absolutely necessary to be an effective analyst.
...

Kerberos in the Crosshairs: Golden Tickets, Silver Tickets, MITM, and More

It's been a rough year for Microsoft's Kerberos implementation. The culmination was last week when Microsoft announced critical vulnerability MS14-068. In short, this vulnerability allows any authenticated user to elevate their privileges to domain admin rights. The issues discussed in this article are not directly related to this bug. Instead we'll focus on design and implementation weaknesses that can be exploited under certain conditions. MS14-068 is an outright bug which should be patched immediately. If you haven't patched it yet, I suggest you skip this article for now and work that issue right away. Then come back later for some more Kerberos fun!

Our red-team friends have been quite busy recently dissecting Kerberos and have uncovered some pretty concerning issues along the way. Issues, or attacks, such as the "Golden

...

Protecting Privileged Domain Accounts: Restricted Admin and Protected Users

It's been a while since I've written about this topic, and in that time, there have been some useful security updates provided by Microsoft, as well as some troubling developments with Microsoft's Kerberos implementation. In order to fully cover these topics, I'm going to split the discussion into two articles. This article will cover specific updates Microsoft has provided to help protect user credentials. I'll follow up next week to discuss the Kerberos issues in depth.

As a quick reminder, the major takeaway from my previous articles on this subject is that we can successfully protect our privileged domain accounts by taking these 3 steps:


  1. Avoid interactive logons to untrusted hosts

  2. Disable ...

SANS DFIR Summit 2015 - Call For Papers

Dates:


  • Summit Dates: July 7-8, 2015

  • Post-Summit Training Course Dates: July 9-14, 2015


Summit Venue:

  • Hilton Austin

  • 500 East 4th Street

  • Austin, TX 78701

  • Phone: 512-482-8000