1 00:00:02,639 --> 00:00:08,590 thank you good morning everybody you 2 00:00:06,370 --> 00:00:11,019 guys all doing well a lot of you 3 00:00:08,590 --> 00:00:12,730 hangover from last night or not because 4 00:00:11,019 --> 00:00:17,110 I'm nearly there 5 00:00:12,730 --> 00:00:18,310 so I don't know how these slides are 6 00:00:17,110 --> 00:00:21,698 going to look up because this this 7 00:00:18,310 --> 00:00:22,270 project is actually quite bright faint 8 00:00:21,699 --> 00:00:24,699 yeah 9 00:00:22,270 --> 00:00:26,800 so my name is Thomas I'm this is I think 10 00:00:24,699 --> 00:00:29,320 the third time I'm speaking at security 11 00:00:26,800 --> 00:00:32,920 the third year so I'm really happy to be 12 00:00:29,320 --> 00:00:35,110 back I have a number of I've been in the 13 00:00:32,920 --> 00:00:36,370 industry for a long time and one of the 14 00:00:35,110 --> 00:00:37,450 things that I do is security 15 00:00:36,370 --> 00:00:39,699 architecture but I also do a lot of 16 00:00:37,450 --> 00:00:41,440 Incident Response and as part of that 17 00:00:39,700 --> 00:00:43,120 incident response process you do a lot 18 00:00:41,440 --> 00:00:47,230 of forensics and investigations and 19 00:00:43,120 --> 00:00:48,910 things like that so you come in on you 20 00:00:47,230 --> 00:00:50,828 go to a customer or you go you're in a 21 00:00:48,910 --> 00:00:52,959 company you're doing your forensics you 22 00:00:50,829 --> 00:00:55,899 come to a site there's no tooling on the 23 00:00:52,960 --> 00:00:58,690 on there on the machines you know like 24 00:00:55,899 --> 00:01:00,910 oh crap what am I going to do it's like 25 00:00:58,690 --> 00:01:01,960 I don't want to install tools because if 26 00:01:00,910 --> 00:01:04,119 I install tools I'm going to ruin 27 00:01:01,960 --> 00:01:06,369 whatever I'm looking for so how do I do 28 00:01:04,119 --> 00:01:07,530 this and then you just end up banging 29 00:01:06,369 --> 00:01:09,700 your head against the wall because 
30 00:01:07,530 --> 00:01:12,630 you're thinking oh what am I gonna 31 00:01:09,700 --> 00:01:14,619 do what am I going to do I so I 32 00:01:12,630 --> 00:01:16,509 apologize in advance there might be some 33 00:01:14,619 --> 00:01:18,700 harsh language in my talks because I 34 00:01:16,510 --> 00:01:20,710 usually get really really passionate 35 00:01:18,700 --> 00:01:25,270 about what I'm saying and things just 36 00:01:20,710 --> 00:01:27,520 come out so I said to myself what am I 37 00:01:25,270 --> 00:01:29,590 going to do well simple I'm gonna look 38 00:01:27,520 --> 00:01:30,640 for build a set of requirements all 39 00:01:29,590 --> 00:01:32,560 right you know part of my job is 40 00:01:30,640 --> 00:01:34,720 architecture so I usually build a set of 41 00:01:32,560 --> 00:01:36,490 requirements my requirements was that it 42 00:01:34,720 --> 00:01:38,560 had to be non intrusive I don't want to 43 00:01:36,490 --> 00:01:40,360 mess up anything on the desk or anything 44 00:01:38,560 --> 00:01:42,970 in memory so I don't really want to 45 00:01:40,360 --> 00:01:44,680 change anything I need to be able to 46 00:01:42,970 --> 00:01:46,780 quickly deploy it because if I'm going 47 00:01:44,680 --> 00:01:49,149 on a site and I want to go get ready to 48 00:01:46,780 --> 00:01:53,020 business you know start get ready and 49 00:01:49,149 --> 00:01:55,090 just dump out information and it has to 50 00:01:53,020 --> 00:01:56,289 be in a minimal cost because if you look 51 00:01:55,090 --> 00:01:58,570 at some of the toolkits that you 52 00:01:56,290 --> 00:01:59,890 traditionally use like encase and stuff 53 00:01:58,570 --> 00:02:01,508 like that it's quite becomes quite 54 00:01:59,890 --> 00:02:07,149 expensive so I wanted something easy and 55 00:02:01,509 --> 00:02:09,759 to deploy and easier to use so I also 56 00:02:07,149 --> 00:02:11,830 want something that I can use not only 57 00:02:09,758 --> 00:02:14,369 to do forensics but that I could use to 58 
00:02:11,830 --> 00:02:14,370 actually 59 00:02:14,379 --> 00:02:19,010 investigations as well a la fret hunting 60 00:02:17,060 --> 00:02:20,480 so I'm big into fret hunting and I 61 00:02:19,010 --> 00:02:22,730 wanted something that I could use even 62 00:02:20,480 --> 00:02:26,179 for just investigations before I go down 63 00:02:22,730 --> 00:02:29,510 into the deep dark hole of forensics so 64 00:02:26,180 --> 00:02:32,120 I came out with this PowerShell it's 65 00:02:29,510 --> 00:02:33,679 like in a minute it's on Windows 7 it's 66 00:02:32,120 --> 00:02:36,049 on most corporate installations it's on 67 00:02:33,680 --> 00:02:38,299 all Windows servers nowadays it's just 68 00:02:36,049 --> 00:02:39,920 there it's like a really powerful tool 69 00:02:38,299 --> 00:02:41,629 and why is it a really powerful tool 70 00:02:39,920 --> 00:02:44,208 you'd be surprised 71 00:02:41,629 --> 00:02:46,160 it supports reg X so I can do really 72 00:02:44,209 --> 00:02:48,950 complex searches across the desk across 73 00:02:46,160 --> 00:02:51,349 the registry for example because you 74 00:02:48,950 --> 00:02:53,119 have built-in functionality that allows 75 00:02:51,349 --> 00:02:55,940 you to basic to query the registry 76 00:02:53,120 --> 00:02:59,299 directly so you can do like a duck dear 77 00:02:55,940 --> 00:03:04,190 hklm and you get the output of the local 78 00:02:59,299 --> 00:03:07,280 local key machine and then you can also 79 00:03:04,190 --> 00:03:08,870 add stuff to it so you can build objects 80 00:03:07,280 --> 00:03:12,019 you can create data stores you can 81 00:03:08,870 --> 00:03:14,030 create and you can add things like dll's 82 00:03:12,019 --> 00:03:17,810 and modules and so you can extend it 83 00:03:14,030 --> 00:03:20,329 quite efficiently but then I was like ah 84 00:03:17,810 --> 00:03:21,680 crap if I do that I'm gonna have to 85 00:03:20,329 --> 00:03:24,079 write a script I'm gonna have to install 86 00:03:21,680 --> 00:03:25,579 the 
script and it breaks my initial 87 00:03:24,079 --> 00:03:28,519 principles I don't want to change the 88 00:03:25,579 --> 00:03:29,660 disk I'm like okay there's got to be a 89 00:03:28,519 --> 00:03:32,989 way to get around this this is 90 00:03:29,660 --> 00:03:36,769 ridiculous and thank you our friends an 91 00:03:32,989 --> 00:03:39,680 elite XOR this is a common technique for 92 00:03:36,769 --> 00:03:41,599 malware attacks right where you're 93 00:03:39,680 --> 00:03:43,760 basically downloading a script in 94 00:03:41,599 --> 00:03:44,810 directly into PowerShell memory and 95 00:03:43,760 --> 00:03:47,660 you're running it out of PowerShell 96 00:03:44,810 --> 00:03:51,590 memory so I'm not installing anything on 97 00:03:47,660 --> 00:03:53,959 the disk like yes cool I can do this now 98 00:03:51,590 --> 00:03:56,239 so now I have a tool where I can 99 00:03:53,959 --> 00:03:58,190 actually build pull down things run in 100 00:03:56,239 --> 00:04:02,599 the memory and I can start querying the 101 00:03:58,190 --> 00:04:05,780 system which is really great so awesome 102 00:04:02,599 --> 00:04:07,459 start so I've got a registry access I 103 00:04:05,780 --> 00:04:09,620 can even access the event log with 104 00:04:07,459 --> 00:04:11,629 PowerShell directly I got file system 105 00:04:09,620 --> 00:04:13,609 access I can pump ACLs I can dump a 106 00:04:11,629 --> 00:04:16,190 alternate data streams with PowerShell 107 00:04:13,609 --> 00:04:18,289 it runs in memories and most distain jiz 108 00:04:16,190 --> 00:04:20,358 it's generally available in Windows 7 109 00:04:18,289 --> 00:04:24,530 and lots of cool useful scripts out 110 00:04:20,358 --> 00:04:26,570 there so I started looking around and I 111 00:04:24,530 --> 00:04:28,580 found power forensics 112 00:04:26,570 --> 00:04:29,630 so I've been playing with this for a 113 00:04:28,580 --> 00:04:31,099 quite a number of years now it's been 114 00:04:29,630 --> 00:04:33,500 around I think for about 
three or four 115 00:04:31,100 --> 00:04:35,240 years essentially what it does is it 116 00:04:33,500 --> 00:04:38,990 gives you a full API to do your typical 117 00:04:35,240 --> 00:04:40,850 disk forensics so you can dump the 118 00:04:38,990 --> 00:04:43,850 prefetch files you can dump things like 119 00:04:40,850 --> 00:04:46,520 ad airstreams event logs the cache is 120 00:04:43,850 --> 00:04:49,820 you can dump the load lock to Timeline 121 00:04:46,520 --> 00:04:54,460 with it so this is really cool ah crap 122 00:04:49,820 --> 00:04:58,159 it needs a DLL to be installed oh my 123 00:04:54,460 --> 00:05:00,770 that breaks my one principles I don't 124 00:04:58,160 --> 00:05:03,710 want to store everything but you know 125 00:05:00,770 --> 00:05:05,180 that's not gonna stop me so really there 126 00:05:03,710 --> 00:05:08,330 is actually a technique in PowerShell 127 00:05:05,180 --> 00:05:11,000 where you can basically dump your file 128 00:05:08,330 --> 00:05:13,310 into as binary put it into a variable or 129 00:05:11,000 --> 00:05:15,200 download the DLL directly into memory 130 00:05:13,310 --> 00:05:17,960 like I did with the script and you can 131 00:05:15,200 --> 00:05:20,060 run it directly from memory so again I 132 00:05:17,960 --> 00:05:21,320 win I'm not installing anything on the 133 00:05:20,060 --> 00:05:23,240 disk yay 134 00:05:21,320 --> 00:05:27,500 see when you drink you've come up with 135 00:05:23,240 --> 00:05:28,340 ideas not necessarily alcohol so I have 136 00:05:27,500 --> 00:05:31,490 my foundations 137 00:05:28,340 --> 00:05:33,020 I've got PowerShell it's good I can 138 00:05:31,490 --> 00:05:35,150 bring in scripts I've got built-in 139 00:05:33,020 --> 00:05:37,370 access to things like registry is Event 140 00:05:35,150 --> 00:05:39,109 log and I can build objects and I can do 141 00:05:37,370 --> 00:05:41,710 things so I can use it for forensics and 142 00:05:39,110 --> 00:05:44,840 I could potentially use it for hunting 143 
00:05:41,710 --> 00:05:47,180 so I'm sitting here going ah crap what 144 00:05:44,840 --> 00:05:49,760 am I gonna do now let's go hunting for 145 00:05:47,180 --> 00:05:51,110 some ideas so what else can I do with 146 00:05:49,760 --> 00:05:52,789 this right because now I've got just 147 00:05:51,110 --> 00:05:54,460 basically scripted access and I want to 148 00:05:52,790 --> 00:05:59,540 do something more 149 00:05:54,460 --> 00:06:02,810 so I discover from so what is shrunk 150 00:05:59,540 --> 00:06:04,730 from is Windows system resources usage 151 00:06:02,810 --> 00:06:09,710 manager wanted to kind of remember when 152 00:06:04,730 --> 00:06:13,040 um to a manager essentially it's- was 153 00:06:09,710 --> 00:06:14,570 installed in Windows 8 it started 154 00:06:13,040 --> 00:06:17,060 appearing in Windows 8 and what it does 155 00:06:14,570 --> 00:06:19,700 is it monitors everything that process 156 00:06:17,060 --> 00:06:22,700 and network related that accesses the UI 157 00:06:19,700 --> 00:06:24,590 or runs in the UI so it's continuously 158 00:06:22,700 --> 00:06:26,360 tracking what's going on in the system 159 00:06:24,590 --> 00:06:29,508 right 160 00:06:26,360 --> 00:06:31,669 it's part of the diagnostic policy 161 00:06:29,509 --> 00:06:32,750 service I am going to be able to talk 162 00:06:31,669 --> 00:06:37,969 this morning thank you 163 00:06:32,750 --> 00:06:40,340 and it first appeared in forensics 164 00:06:37,969 --> 00:06:43,520 discussions from a published paper 165 00:06:40,340 --> 00:06:45,859 published by Yogesh Qatari so in March 166 00:06:43,520 --> 00:06:47,419 2015 he wrote a paper in data science 167 00:06:45,860 --> 00:06:50,030 presentation where he talks about using 168 00:06:47,419 --> 00:06:51,409 shrum for forensics purposes which was 169 00:06:50,030 --> 00:06:57,349 wit and it's really interesting it's a 170 00:06:51,409 --> 00:06:59,629 really interesting discussion so back to 171 00:06:57,349 --> 00:07:02,210 the some of 
the details so it's Windows 172 00:06:59,629 --> 00:07:04,789 8 or above alright so that's pretty 173 00:07:02,210 --> 00:07:06,169 recent that rules out Windows 7 there's 174 00:07:04,789 --> 00:07:08,479 still a lot of companies with Windows 7 175 00:07:06,169 --> 00:07:10,758 running so that's that's a shame it 176 00:07:08,479 --> 00:07:12,740 monitors desktop and windows 177 00:07:10,759 --> 00:07:15,050 applications services network 178 00:07:12,740 --> 00:07:18,919 connections and historical data and it 179 00:07:15,050 --> 00:07:21,080 carries a historical database so I'm 180 00:07:18,919 --> 00:07:22,849 going this is really great I can really 181 00:07:21,080 --> 00:07:23,750 use this this could be really useful so 182 00:07:22,849 --> 00:07:28,039 what can we do with it 183 00:07:23,750 --> 00:07:31,789 so it's always on by default as well and 184 00:07:28,039 --> 00:07:33,979 I'm like oh wow this is cool I'm like 185 00:07:31,789 --> 00:07:35,509 this is really gonna happy helpful in 186 00:07:33,979 --> 00:07:38,750 terms of doing forensics work right 187 00:07:35,509 --> 00:07:40,279 because if you're always on and it's on 188 00:07:38,750 --> 00:07:42,949 by default you're definitely gonna have 189 00:07:40,279 --> 00:07:45,110 some data in there right window 190 00:07:42,949 --> 00:07:46,460 Microsoft had to make some changes a few 191 00:07:45,110 --> 00:07:49,879 years ago where you can actually turn 192 00:07:46,460 --> 00:07:55,000 this thing off because it does collect a 193 00:07:49,879 --> 00:07:58,490 lot of data and a lot of things like 194 00:07:55,000 --> 00:08:01,009 what programs are using and it's got a 195 00:07:58,490 --> 00:08:02,750 lot of personal information like which 196 00:08:01,009 --> 00:08:06,529 networks you log on and things like that 197 00:08:02,750 --> 00:08:09,500 so you don't really so sometimes you 198 00:08:06,529 --> 00:08:10,909 want to turn this off but it does kind 199 00:08:09,500 --> 00:08:12,680 of slow down 
well it doesn't slow down 200 00:08:10,909 --> 00:08:14,690 but it messes up some of the windows 201 00:08:12,680 --> 00:08:15,979 reporting aspects so if there's 202 00:08:14,690 --> 00:08:18,919 something if you have a bug you don't 203 00:08:15,979 --> 00:08:21,199 get as much information out of it so 204 00:08:18,919 --> 00:08:23,750 essentially SRAM provides us with 205 00:08:21,199 --> 00:08:26,389 application resource usage windows push 206 00:08:23,750 --> 00:08:30,259 notifications energy usage network 207 00:08:26,389 --> 00:08:32,089 connectivity and network data usage so 208 00:08:30,259 --> 00:08:33,649 all of these elements will provide us 209 00:08:32,089 --> 00:08:34,849 information about what's going on on the 210 00:08:33,649 --> 00:08:36,729 system or what's happened 211 00:08:34,849 --> 00:08:39,620 the system because it's historical right 212 00:08:36,729 --> 00:08:41,959 so how does it so what do we get from 213 00:08:39,620 --> 00:08:44,209 the network well from the network we get 214 00:08:41,958 --> 00:08:46,729 an interface type and an ID so we can 215 00:08:44,208 --> 00:08:49,719 pull it back to like a Wi-Fi connection 216 00:08:46,730 --> 00:08:52,699 or a LAN connection or a VPN connection 217 00:08:49,720 --> 00:08:54,079 you have a network profile ID that will 218 00:08:52,699 --> 00:08:56,508 give you things like when you connect to 219 00:08:54,079 --> 00:08:58,969 Wi-Fi and if you collective say Abbott a 220 00:08:56,509 --> 00:09:00,410 university you can pull that out so 221 00:08:58,970 --> 00:09:03,290 you'll know all the Wi-Fi network so 222 00:09:00,410 --> 00:09:05,990 that the machines been on it carries 223 00:09:03,290 --> 00:09:08,660 bytes uploaded and downloaded it carries 224 00:09:05,990 --> 00:09:12,470 the process consuming data including the 225 00:09:08,660 --> 00:09:14,689 users CID right think about that if I 226 00:09:12,470 --> 00:09:16,759 can see which process is doing the most 227 00:09:14,690 --> 
00:09:19,670 network activity and I know if it's 228 00:09:16,759 --> 00:09:22,910 associated to user X Y Z I can start 229 00:09:19,670 --> 00:09:25,670 profiling what the users doing or I can 230 00:09:22,910 --> 00:09:27,769 look for non-standard accounts doing 231 00:09:25,670 --> 00:09:29,089 network activity so what's one of the 232 00:09:27,769 --> 00:09:30,470 key things that you're doing with 233 00:09:29,089 --> 00:09:32,630 lateral movement when your X field 234 00:09:30,470 --> 00:09:34,519 training s filtrate as an attacker you 235 00:09:32,630 --> 00:09:36,319 basically try to create an admin user on 236 00:09:34,519 --> 00:09:38,569 your machine you run a bunch of 237 00:09:36,319 --> 00:09:40,910 processes and you start to export rate 238 00:09:38,569 --> 00:09:42,110 data over the network so if I can now go 239 00:09:40,910 --> 00:09:44,750 back and associate that with a 240 00:09:42,110 --> 00:09:46,459 historical data and sieve it that 241 00:09:44,750 --> 00:09:48,410 recently created admin user or a 242 00:09:46,459 --> 00:09:50,768 non-standard admin user for my from way 243 00:09:48,410 --> 00:09:54,769 in my environment starts uploading data 244 00:09:50,769 --> 00:09:57,230 it becomes really interesting it doesn't 245 00:09:54,769 --> 00:09:59,000 provide however endpoint IP addresses it 246 00:09:57,230 --> 00:10:01,220 doesn't provide ports and it doesn't 247 00:09:59,000 --> 00:10:04,759 really specific network activity so you 248 00:10:01,220 --> 00:10:12,259 won't see things like I'm going to wwq 249 00:10:04,759 --> 00:10:13,519 cool calm or I'm going to www-where what 250 00:10:12,259 --> 00:10:14,779 does the application provide the 251 00:10:13,519 --> 00:10:16,009 application provides essentially 252 00:10:14,779 --> 00:10:18,740 everything that you need to know about 253 00:10:16,009 --> 00:10:21,220 an application so CPU cycles context 254 00:10:18,740 --> 00:10:23,269 switches IO reads and reads and writes 255 00:10:21,220 --> 
00:10:24,829 number of read operations number of 256 00:10:23,269 --> 00:10:27,860 write operations number of flushes and 257 00:10:24,829 --> 00:10:30,529 it also provides user information so 258 00:10:27,860 --> 00:10:32,839 again if we can associate an application 259 00:10:30,529 --> 00:10:37,279 being run by a user we can see who ran 260 00:10:32,839 --> 00:10:38,120 the application how many I mean I where 261 00:10:37,279 --> 00:10:39,459 you know when you're working in 262 00:10:38,120 --> 00:10:42,680 corporate environment I know some of you 263 00:10:39,459 --> 00:10:44,569 probably run into this is you sitting 264 00:10:42,680 --> 00:10:46,819 there you thought you know some 265 00:10:44,569 --> 00:10:48,290 somebody's run something you're sure 266 00:10:46,819 --> 00:10:49,910 somebody's run something 267 00:10:48,290 --> 00:10:51,349 like now I didn't run this no I didn't 268 00:10:49,910 --> 00:10:54,230 run this with this I can actually 269 00:10:51,350 --> 00:10:56,360 demonstrate me but the use of ran the 270 00:10:54,230 --> 00:10:58,850 program because I can reassociate the 271 00:10:56,360 --> 00:11:01,250 launch of of the malicious program to a 272 00:10:58,850 --> 00:11:03,050 user ID and that becomes really 273 00:11:01,250 --> 00:11:05,209 interesting because you can actually 274 00:11:03,050 --> 00:11:06,229 tell the user wha you did actually run 275 00:11:05,209 --> 00:11:12,170 this so where did you find that 276 00:11:06,230 --> 00:11:14,089 application it doesn't provide memory 277 00:11:12,170 --> 00:11:16,009 type information though so you won't be 278 00:11:14,089 --> 00:11:18,860 able to get anything out of them that's 279 00:11:16,009 --> 00:11:21,199 associated to the memory to number 280 00:11:18,860 --> 00:11:23,540 Fred's number of handles so anything 281 00:11:21,199 --> 00:11:26,810 like DLL injections or reflection 282 00:11:23,540 --> 00:11:28,040 attacks you won't be able to see but I 283 00:11:26,810 --> 00:11:29,479 don't 
really care about that I just want 284 00:11:28,040 --> 00:11:30,800 to see what the processes have been 285 00:11:29,480 --> 00:11:35,329 running and what processes have happened 286 00:11:30,800 --> 00:11:37,279 they have been used by which user so 287 00:11:35,329 --> 00:11:38,989 there's another aspect to which was the 288 00:11:37,279 --> 00:11:40,639 application history so when you're on 289 00:11:38,990 --> 00:11:42,800 Windows 10 you can actually see this if 290 00:11:40,639 --> 00:11:45,470 you go into the task manager there's a 291 00:11:42,800 --> 00:11:46,819 tab called application history and it 292 00:11:45,470 --> 00:11:48,949 shows you all the applications sort of 293 00:11:46,819 --> 00:11:51,199 run on that system and the interesting 294 00:11:48,949 --> 00:11:54,620 thing is is you have a show history for 295 00:11:51,199 --> 00:11:56,680 all processes and what happens when you 296 00:11:54,620 --> 00:12:00,019 do that is you actually see processes 297 00:11:56,680 --> 00:12:01,729 that have run over time and you can 298 00:12:00,019 --> 00:12:03,829 start to see processes that have been 299 00:12:01,730 --> 00:12:05,420 uninstalled or applications that have 300 00:12:03,829 --> 00:12:08,029 been uninstalled because those are still 301 00:12:05,420 --> 00:12:09,920 those are still in the database but it's 302 00:12:08,029 --> 00:12:12,220 creating so you can see when an 303 00:12:09,920 --> 00:12:15,589 application was installed say like a 304 00:12:12,220 --> 00:12:18,170 dropper gets installed runs and gets 305 00:12:15,589 --> 00:12:21,860 removed so you're going to see that that 306 00:12:18,170 --> 00:12:24,469 process in in in this application 307 00:12:21,860 --> 00:12:26,630 history which is interesting again 308 00:12:24,470 --> 00:12:27,860 because how many times if you do 309 00:12:26,630 --> 00:12:29,300 forensics you like looking for that 310 00:12:27,860 --> 00:12:31,490 freaking application that actually 311 00:12:29,300 --> 
00:12:37,130 installed the malware or how they're now 312 00:12:31,490 --> 00:12:41,540 I got onto the box so how does this work 313 00:12:37,130 --> 00:12:42,529 well essentially the Polti Service has a 314 00:12:41,540 --> 00:12:44,660 bunch of dll's 315 00:12:42,529 --> 00:12:46,459 it's like five or six of them so they 316 00:12:44,660 --> 00:12:50,380 all monitor things like data usage 317 00:12:46,459 --> 00:12:54,069 application usage energy usage and 318 00:12:50,380 --> 00:12:57,649 Windows environment information that 319 00:12:54,069 --> 00:12:59,510 pushes stuff into the registry so those 320 00:12:57,649 --> 00:13:01,700 dll's will type the data push it into 321 00:12:59,510 --> 00:13:03,500 registry and then after 322 00:13:01,700 --> 00:13:06,680 amount of time one hour to be precise 323 00:13:03,500 --> 00:13:11,480 it'll be done to to the that file okay 324 00:13:06,680 --> 00:13:14,209 so the first step in this is you have a 325 00:13:11,480 --> 00:13:16,430 registry extension called Windows NT 326 00:13:14,210 --> 00:13:19,570 current versions from extensions so you 327 00:13:16,430 --> 00:13:23,239 actually see you can see that all the 328 00:13:19,570 --> 00:13:25,280 dll's they're all based by greed and 329 00:13:23,240 --> 00:13:29,390 under that you'll also have the 330 00:13:25,280 --> 00:13:30,890 temporary data that's get stored so this 331 00:13:29,390 --> 00:13:32,810 is one part you need to access and I'm 332 00:13:30,890 --> 00:13:34,850 like okay this is good because I can 333 00:13:32,810 --> 00:13:37,400 access this I mean power I can directly 334 00:13:34,850 --> 00:13:40,790 access that the registry so I'm good I'm 335 00:13:37,400 --> 00:13:44,870 still good and it gets written to disk 336 00:13:40,790 --> 00:13:46,730 every 60 minutes 60 minutes the second 337 00:13:44,870 --> 00:13:48,830 part of this is a database so the 338 00:13:46,730 --> 00:13:53,410 database which is thought in windows 339 00:13:48,830 --> 00:13:56,210 
system32 s I use SIU DB that is an ESS 340 00:13:53,410 --> 00:13:57,920 extensible storage engine the accessible 341 00:13:56,210 --> 00:14:01,730 storage engine is essentially a database 342 00:13:57,920 --> 00:14:03,620 for Windows started using - with Active 343 00:14:01,730 --> 00:14:04,850 Directory Windows updates it stores all 344 00:14:03,620 --> 00:14:07,520 the information that it needs to 345 00:14:04,850 --> 00:14:09,410 basically run the operating system you 346 00:14:07,520 --> 00:14:12,199 also find it with IE if you if you're 347 00:14:09,410 --> 00:14:15,860 doing IE cache work most of it is stored 348 00:14:12,200 --> 00:14:17,450 in this ESS database format in that ESS 349 00:14:15,860 --> 00:14:20,210 database format you actually have a 350 00:14:17,450 --> 00:14:21,860 bunch of tables one for network 351 00:14:20,210 --> 00:14:24,020 connectivity data one for application 352 00:14:21,860 --> 00:14:26,480 resource usage one for network usage 353 00:14:24,020 --> 00:14:30,829 data windows push notification data and 354 00:14:26,480 --> 00:14:35,300 energy usage so energy usage actually 355 00:14:30,830 --> 00:14:36,920 covers things like how much CPU cycles 356 00:14:35,300 --> 00:14:41,540 and how much power is being drawn 357 00:14:36,920 --> 00:14:44,060 battery life and things like that the 358 00:14:41,540 --> 00:14:47,230 one problem with these data format is 359 00:14:44,060 --> 00:14:51,949 that you actually do have a lot of 360 00:14:47,230 --> 00:14:54,620 fields that have weird formatting so you 361 00:14:51,950 --> 00:14:56,630 have two types of time stamps which is a 362 00:14:54,620 --> 00:14:57,980 pain because you have to mess around 363 00:14:56,630 --> 00:15:00,560 with two times at the types of time 364 00:14:57,980 --> 00:15:01,970 stamps but they're in UTC format which 365 00:15:00,560 --> 00:15:03,530 is nice because usually when you're 366 00:15:01,970 --> 00:15:05,810 doing forensics you want UTC format 367 00:15:03,530 
--> 00:15:10,400 anyway you've got a bunch of goo eats 368 00:15:05,810 --> 00:15:12,550 and you've got for the network you 369 00:15:10,400 --> 00:15:14,569 actually have to go back and calculate 370 00:15:12,550 --> 00:15:18,949 you get a 371 00:15:14,570 --> 00:15:20,270 structured data so you need to pull out 372 00:15:18,950 --> 00:15:22,040 the information from that structure data 373 00:15:20,270 --> 00:15:23,270 then we associate it to the registry to 374 00:15:22,040 --> 00:15:25,640 actually find out which network 375 00:15:23,270 --> 00:15:28,970 interface was being used that's a little 376 00:15:25,640 --> 00:15:34,040 bit more complex so what's the forensics 377 00:15:28,970 --> 00:15:35,120 angle to this well in forensics one of 378 00:15:34,040 --> 00:15:36,709 the things you want to do is you 379 00:15:35,120 --> 00:15:38,120 understand what the process activity was 380 00:15:36,710 --> 00:15:39,950 you want to build a process map a 381 00:15:38,120 --> 00:15:41,900 process map over time see which 382 00:15:39,950 --> 00:15:43,940 processes where and when what are the 383 00:15:41,900 --> 00:15:46,670 dependencies how much time was how much 384 00:15:43,940 --> 00:15:48,860 time a process was used you also might 385 00:15:46,670 --> 00:15:50,900 want to see where which network usage 386 00:15:48,860 --> 00:15:52,990 was being used what was being done so 387 00:15:50,900 --> 00:15:56,000 how many times for example Explorer 388 00:15:52,990 --> 00:16:00,290 connected and how much data it uploaded 389 00:15:56,000 --> 00:16:02,660 or downloaded you want to see which apps 390 00:16:00,290 --> 00:16:04,189 have been added or deleted you want to 391 00:16:02,660 --> 00:16:07,550 see which processes run over top over 392 00:16:04,190 --> 00:16:13,130 time how many times have they run for 393 00:16:07,550 --> 00:16:14,689 how long things like that and I was 394 00:16:13,130 --> 00:16:19,060 thinking about this so wait a minute if 395 00:16:14,690 --> 
00:16:22,190 I can associate the process with 396 00:16:19,060 --> 00:16:24,859 resource usage specifically power and 397 00:16:22,190 --> 00:16:27,950 CPU cycles I could start looking for 398 00:16:24,860 --> 00:16:29,510 miners you know all these script miners 399 00:16:27,950 --> 00:16:31,130 that you've accidentally get when you go 400 00:16:29,510 --> 00:16:34,520 to certain websites and they start 401 00:16:31,130 --> 00:16:36,020 eating up your CPU cycles well maybe I 402 00:16:34,520 --> 00:16:40,300 could use this to actually see if there 403 00:16:36,020 --> 00:16:43,040 was that kind of incident on a machine 404 00:16:40,300 --> 00:16:45,250 so probably something I need to do I 405 00:16:43,040 --> 00:16:48,560 think about not really a focus because 406 00:16:45,250 --> 00:16:50,990 most of the times yeah unless they 407 00:16:48,560 --> 00:16:53,329 actually drop something like a motet I'm 408 00:16:50,990 --> 00:16:57,020 not too concerned about it but it's 409 00:16:53,330 --> 00:16:59,720 something in the background so typically 410 00:16:57,020 --> 00:17:01,400 when you see attackers one of the things 411 00:16:59,720 --> 00:17:02,840 that I'll do is I'll try to hide when 412 00:17:01,400 --> 00:17:04,190 they've launched an application and the 413 00:17:02,840 --> 00:17:06,260 way they do that is they mess around the 414 00:17:04,190 --> 00:17:08,330 prefetch files essentially what the 415 00:17:06,260 --> 00:17:11,540 prefetch file does is it allows you to 416 00:17:08,329 --> 00:17:14,720 see when an application has been run so 417 00:17:11,540 --> 00:17:16,369 when applications are run from it you 418 00:17:14,720 --> 00:17:17,540 create it but it creates a prefetch file 419 00:17:16,369 --> 00:17:20,510 so you can actually track when that 420 00:17:17,540 --> 00:17:23,839 application was launched by the user but 421 00:17:20,510 --> 00:17:26,930 it only shows the start time now with 422 00:17:23,839 --> 00:17:28,119 Schrom you actually start to 
see the 423 00:17:26,930 --> 00:17:30,190 visibility because you've got 424 00:17:28,119 --> 00:17:31,929 points of usage you can actually see how 425 00:17:30,190 --> 00:17:33,309 long were windward has actually been 426 00:17:31,930 --> 00:17:35,890 running for example in this chart 427 00:17:33,309 --> 00:17:38,830 example so prefetch will only give you 428 00:17:35,890 --> 00:17:40,300 the last eight start times but SRAM will 429 00:17:38,830 --> 00:17:42,280 actually give you how long that process 430 00:17:40,300 --> 00:17:44,020 has been running which is a lot more 431 00:17:42,280 --> 00:17:47,320 interesting because even if you see it 432 00:17:44,020 --> 00:17:48,670 if you see a malicious app start let's 433 00:17:47,320 --> 00:17:50,590 say the attackers are really bad when he 434 00:17:48,670 --> 00:17:51,940 doesn't delete his prefetch file if you 435 00:17:50,590 --> 00:17:54,129 see it started you also want to know how 436 00:17:51,940 --> 00:17:56,050 long it's been running because it might 437 00:17:54,130 --> 00:17:57,790 start and then just die right because it 438 00:17:56,050 --> 00:18:00,040 doesn't connect to anywhere or it might 439 00:17:57,790 --> 00:18:01,990 it starts and might hide itself and just 440 00:18:00,040 --> 00:18:05,139 continue running until it actually wakes 441 00:18:01,990 --> 00:18:06,520 up and download something else so having 442 00:18:05,140 --> 00:18:09,370 the ability to actually build these 443 00:18:06,520 --> 00:18:10,929 timelines in a more detail well as for 444 00:18:09,370 --> 00:18:12,939 the type nodes for time for that process 445 00:18:10,929 --> 00:18:16,540 has actually been running is a lot more 446 00:18:12,940 --> 00:18:20,110 interesting other things that we can 447 00:18:16,540 --> 00:18:22,330 track is we can map as I said earlier a 448 00:18:20,110 --> 00:18:23,709 process for the user so you can actually 449 00:18:22,330 --> 00:18:27,280 see which users are running which 450 00:18:23,710 --> 
00:18:29,650 processes this is helpful again because 451 00:18:27,280 --> 00:18:31,660 one of the tactics is to create a 452 00:18:29,650 --> 00:18:33,100 special you know an admin user so you 453 00:18:31,660 --> 00:18:35,679 can see which admin users of Warnick 454 00:18:33,100 --> 00:18:38,860 running which processes you can map 455 00:18:35,679 --> 00:18:42,179 process the network activity so you can 456 00:18:38,860 --> 00:18:44,290 actually start to look at exfiltration 457 00:18:42,179 --> 00:18:46,210 windings you know one example would be 458 00:18:44,290 --> 00:18:48,540 explorer upload you 459 00:18:46,210 --> 00:18:50,830 copying files or uploading files 460 00:18:48,540 --> 00:18:52,480 creating love network traffic at two 461 00:18:50,830 --> 00:18:53,980 o'clock in the morning most users won't 462 00:18:52,480 --> 00:18:56,920 do that right especially in a corporate 463 00:18:53,980 --> 00:18:58,780 environment and you could use it to do 464 00:18:56,920 --> 00:19:01,030 general program it usage investigation 465 00:18:58,780 --> 00:19:03,010 so you know one of the things i've rent 466 00:19:01,030 --> 00:19:05,620 i ran into my history and my history in 467 00:19:03,010 --> 00:19:07,809 in the corporate environment is that we 468 00:19:05,620 --> 00:19:10,178 weren't really blocking a white listing 469 00:19:07,809 --> 00:19:11,410 applications but the policy said you 470 00:19:10,179 --> 00:19:12,940 weren't allowed to use things like you 471 00:19:11,410 --> 00:19:14,950 taught me you know torrent torrent 472 00:19:12,940 --> 00:19:16,690 downloaders and things like that with 473 00:19:14,950 --> 00:19:19,140 this you can actually track when it uses 474 00:19:16,690 --> 00:19:22,330 being using torrent download azure 475 00:19:19,140 --> 00:19:25,809 non-authorized software which is useful 476 00:19:22,330 --> 00:19:28,409 for many large corporations especially 477 00:19:25,809 --> 00:19:30,149 for especially when you have 478 00:19:28,410 --> 
00:19:33,440 users that have admin access to their 479 00:19:30,150 --> 00:19:38,549 machines and they can install anything 480 00:19:33,440 --> 00:19:40,410 so how do we access this data well the 481 00:19:38,549 --> 00:19:42,780 initial thought is you need to access 482 00:19:40,410 --> 00:19:44,490 the SRUM DB most of the research 483 00:19:42,780 --> 00:19:48,000 has been done and most of the work has 484 00:19:44,490 --> 00:19:50,419 been done initially and there is 485 00:19:48,000 --> 00:19:53,400 one tool that came from Mark Baggett 486 00:19:50,419 --> 00:19:57,750 basically they require you to get a copy 487 00:19:53,400 --> 00:19:59,970 of the SRUDB and then download it 488 00:19:57,750 --> 00:20:03,200 dump it into CSV and then process a 489 00:19:59,970 --> 00:20:05,400 bunch of scripts to create it into an Excel 490 00:20:03,200 --> 00:20:07,289 Mark Baggett's tool actually does the 491 00:20:05,400 --> 00:20:10,260 extraction and generates the Excels 492 00:20:07,289 --> 00:20:14,039 automatically there's one problem with 493 00:20:10,260 --> 00:20:15,929 that and that's that I don't want to 494 00:20:14,039 --> 00:20:18,390 copy the DB I don't want to have to 495 00:20:15,929 --> 00:20:20,010 process the disk right I want to do this 496 00:20:18,390 --> 00:20:24,750 dynamically I want to be able to do this 497 00:20:20,010 --> 00:20:26,309 fast and rapidly and quickly online if 498 00:20:24,750 --> 00:20:27,990 you need to make a copy of the DB 499 00:20:26,309 --> 00:20:30,658 because it's admin locked and because of 500 00:20:27,990 --> 00:20:32,039 continuous usage by the system you 501 00:20:30,659 --> 00:20:34,650 either have to shut down the machine or 502 00:20:32,039 --> 00:20:35,929 you have to do a disk image or you have 503 00:20:34,650 --> 00:20:40,110 to use 504 00:20:35,929 --> 00:20:41,549 VSS to do a shadow copy so basically 505 00:20:40,110 --> 00:20:42,750 once you start doing that you're 506 00:20:41,549 -->
00:20:44,429 changing the environment and you're 507 00:20:42,750 --> 00:20:45,750 changing things and you're probably 508 00:20:44,429 --> 00:20:48,840 potentially losing any forensics 509 00:20:45,750 --> 00:20:54,510 evidence which you might want to keep so 510 00:20:48,840 --> 00:21:00,449 I'm like ah God another roadblock so how 511 00:20:54,510 --> 00:21:04,289 am I gonna solve this well hold on a 512 00:21:00,450 --> 00:21:05,460 second my initial thought was I'm gonna 513 00:21:04,289 --> 00:21:10,679 use PowerShell to do all this stuff 514 00:21:05,460 --> 00:21:14,070 right yeah so I'd potentially have a 515 00:21:10,679 --> 00:21:14,460 solution under my hand so how am I gonna 516 00:21:14,070 --> 00:21:19,730 do this 517 00:21:14,460 --> 00:21:22,500 well PowerShell actually supports .NET 518 00:21:19,730 --> 00:21:24,539 right so you can actually use 519 00:21:22,500 --> 00:21:27,510 .NET APIs and .NET modules 520 00:21:24,539 --> 00:21:29,580 directly in PowerShell you can load C 521 00:21:27,510 --> 00:21:32,830 libraries you could actually even 522 00:21:29,580 --> 00:21:36,250 include C code in some versions 523 00:21:32,830 --> 00:21:39,040 of PowerShell and you can load DLLs 524 00:21:36,250 --> 00:21:41,530 directly so all you need to do basically 525 00:21:39,040 --> 00:21:45,159 to add a module or to load a DLL is you 526 00:21:41,530 --> 00:21:47,470 type Add-Type -Path to 527 00:21:45,160 --> 00:21:54,310 the DLL and that loads it as a module 528 00:21:47,470 --> 00:21:56,950 and you have access to your APIs is there 529 00:21:54,310 --> 00:22:00,909 an API for ESE well from here yes of 530 00:21:56,950 --> 00:22:03,880 course there is right so the good thing 531 00:22:00,910 --> 00:22:08,710 is the DLL is part of .NET Framework 532 00:22:03,880 --> 00:22:10,750 4.0 and as far as I know probably 95% of 533 00:22:08,710 --> 00:22:13,650 all systems actually have got that 534 00:22:10,750 -->
00:22:16,390 4.0 the .NET 4.0 installed 535 00:22:13,650 --> 00:22:19,000 mostly because one of the core MFC 536 00:22:16,390 --> 00:22:21,160 classes it has but has to be an 537 00:22:19,000 --> 00:22:22,600 application in Windows well one of the 538 00:22:21,160 --> 00:22:27,430 baseline applications in Windows will 539 00:22:22,600 --> 00:22:30,610 have that requirement so the exact DLL 540 00:22:27,430 --> 00:22:32,890 is in a really horrible path Windows 541 00:22:30,610 --> 00:22:35,649 Microsoft.NET assembly GAC_MSIL 542 00:22:32,890 --> 00:22:38,650 Microsoft.Isam.Esent.Interop 543 00:22:35,650 --> 00:22:40,600 the 4.0 and and then after the 544 00:22:38,650 --> 00:22:42,010 underscore 10 is actually I think it's 545 00:22:40,600 --> 00:22:44,740 related to the operating system you're 546 00:22:42,010 --> 00:22:47,400 using and the file is called 547 00:22:44,740 --> 00:22:50,200 Microsoft.Isam.Esent.Interop.dll 548 00:22:47,400 --> 00:22:54,700 ok so I have an API to access this 549 00:22:50,200 --> 00:22:59,470 database right yes I'm back to my 550 00:22:54,700 --> 00:23:04,480 success factor right I'm cool no no we 551 00:22:59,470 --> 00:23:07,950 won't get into that um so this is gonna 552 00:23:04,480 --> 00:23:10,570 be hard and let me see if I can actually 553 00:23:07,950 --> 00:23:14,040 let me do something maybe I'll be able 554 00:23:10,570 --> 00:23:14,040 to actually zoom in a bit on this 555 00:23:46,210 --> 00:24:00,440 let's see if this works okay so no no I 556 00:23:49,940 --> 00:24:03,770 can't zoom in now crap that's gonna be I 557 00:24:00,440 --> 00:24:18,170 know what I'll do I'll walk you through 558 00:24:03,770 --> 00:24:20,389 the okay that's a little bit better 559 00:24:18,170 --> 00:24:26,860 right can you guys see that up there is 560 00:24:20,390 --> 00:24:30,770 it better so the first line I basically 561 00:24:26,860 --> 00:24:33,139 I'm going to put the path to my DLL into 562
00:24:30,770 --> 00:24:34,100 a variable so for 563 00:24:33,140 --> 00:24:36,650 those of you if you haven't done 564 00:24:34,100 --> 00:24:38,928 PowerShell there's some interesting 565 00:24:36,650 --> 00:24:40,220 things right for those of you who've done 566 00:24:38,929 --> 00:24:43,250 Python you'll probably recognize some of 567 00:24:40,220 --> 00:24:46,460 this or if you've done bash programming you'll 568 00:24:43,250 --> 00:24:50,780 probably recognize some of this $env 569 00:24:46,460 --> 00:24:52,429 is a shortcut an alias to the 570 00:24:50,780 --> 00:24:53,660 environment variables so you can 571 00:24:52,429 --> 00:24:55,100 actually reference the environment 572 00:24:53,660 --> 00:24:58,160 variables so here I'm referencing 573 00:24:55,100 --> 00:25:01,340 SystemRoot which on systems is usually 574 00:24:58,160 --> 00:25:04,220 C:\Windows and then you have the path 575 00:25:01,340 --> 00:25:06,620 to your DLL so all that will be expanded 576 00:25:04,220 --> 00:25:11,390 inside the variable next I put the path 577 00:25:06,620 --> 00:25:14,870 of my SRUDB and now I can start 578 00:25:11,390 --> 00:25:17,390 accessing the database so essentially 579 00:25:14,870 --> 00:25:20,300 the database is a JET it's you know it's 580 00:25:17,390 --> 00:25:24,020 you access it with the JET DB 581 00:25:20,300 --> 00:25:27,050 APIs so what I'm doing here is I'm 582 00:25:24,020 --> 00:25:29,780 setting up some variables file type and 583 00:25:27,050 --> 00:25:33,820 page size -1 -1 and the -1 just 584 00:25:29,780 --> 00:25:36,020 says default just ignore this value 585 00:25:33,820 --> 00:25:39,649 you'll pick it up when you read the 586 00:25:36,020 --> 00:25:42,560 database so I have Add-Type -Path I'm 587 00:25:39,650 --> 00:25:48,070 loading my module right 588 00:25:42,560 --> 00:25:55,540 I then can start to access the database 589 00:25:48,070 --> 00:26:00,560 and so what these hooks right here are is 590
00:25:55,540 --> 00:26:03,500 essentially how you access .NET 591 00:26:00,560 --> 00:26:06,379 classes in PowerShell right so you 592 00:26:03,500 --> 00:26:09,140 basically describe the .NET class that 593 00:26:06,380 --> 00:26:10,490 you want the function and then for 594 00:26:09,140 --> 00:26:16,700 this particular thing I'm pulling out 595 00:26:10,490 --> 00:26:19,250 the variable so the first command is to 596 00:26:16,700 --> 00:26:21,140 get the database file info so we know 597 00:26:19,250 --> 00:26:23,680 what database we have a proper database 598 00:26:21,140 --> 00:26:27,860 and then we actually query the database 599 00:26:23,680 --> 00:26:31,160 itself that will dump a DB 600 00:26:27,860 --> 00:26:33,439 type if you've got the right file it's a 601 00:26:31,160 --> 00:26:36,290 database the page size the actual page 602 00:26:33,440 --> 00:26:39,800 size which normally is about 4096 and 603 00:26:36,290 --> 00:26:41,570 the file type as well so then the next 604 00:26:39,800 --> 00:26:43,040 step is like in any database you have to 605 00:26:41,570 --> 00:26:48,320 basically open a session and connect to 606 00:26:43,040 --> 00:26:49,970 it so here New-Object basically as a 607 00:26:48,320 --> 00:26:52,550 command in PowerShell allows you to 608 00:26:49,970 --> 00:26:54,350 create a new variable that has an object 609 00:26:52,550 --> 00:26:56,720 structure a variable of an object 610 00:26:54,350 --> 00:26:59,300 structure is essentially 611 00:26:56,720 --> 00:27:01,100 like JSON if you want if you 612 00:26:59,300 --> 00:27:02,990 know JSON you know you have 613 00:27:01,100 --> 00:27:05,419 a variable name and the 614 00:27:02,990 --> 00:27:07,550 value and it's in a block so 615 00:27:05,420 --> 00:27:10,750 you've got that blob with all this data 616 00:27:07,550 --> 00:27:14,810 inside so I'm opening an instance 617 00:27:10,750 --> 00:27:16,160
I'm opening a session ID and then I can 618 00:27:14,810 --> 00:27:20,570 start to pull out some of the system 619 00:27:16,160 --> 00:27:22,130 parameters of that database you know so 620 00:27:20,570 --> 00:27:24,139 I'm putting it into a temp file because 621 00:27:22,130 --> 00:27:25,790 it gives out a value if you ever need to 622 00:27:24,140 --> 00:27:29,120 process the value for errors and 623 00:27:25,790 --> 00:27:31,399 things like that that's what you do you 624 00:27:29,120 --> 00:27:32,810 can use a temp file so then you have to 625 00:27:31,400 --> 00:27:34,820 create an instance so this is a 626 00:27:32,810 --> 00:27:36,770 particular reality of JET databases is 627 00:27:34,820 --> 00:27:38,540 you're actually creating an instance of 628 00:27:36,770 --> 00:27:40,160 a connection and then you're 629 00:27:38,540 --> 00:27:42,620 initializing that connection and then 630 00:27:40,160 --> 00:27:45,320 you begin your session this is well 631 00:27:42,620 --> 00:27:48,800 documented in Microsoft's documentation 632 00:27:45,320 --> 00:27:51,189 on the JET API once you've done that you 633 00:27:48,800 --> 00:27:53,889 can actually open the database 634 00:27:51,190 --> 00:27:58,270 so I'm opening the database with this 635 00:27:53,890 --> 00:28:00,400 command which gives me a database ID so 636 00:27:58,270 --> 00:28:03,820 from now I can use that database ID to 637 00:28:00,400 --> 00:28:05,830 reference the data I can then attach the 638 00:28:03,820 --> 00:28:08,320 database there's a lot of attaching and 639 00:28:05,830 --> 00:28:10,929 connections in this thing then you can 640 00:28:08,320 --> 00:28:12,760 open the database so now I have a 641 00:28:10,930 --> 00:28:16,750 database ID a session and a connect 642 00:28:12,760 --> 00:28:22,360 value and I can actually write that out 643 00:28:16,750 --> 00:28:25,780 so basically this PSCustomObject is 644 00:28:22,360 --> 00:28:28,780 another way of initiating an 645
00:28:25,780 --> 00:28:30,760 object the @ symbol also references an 646 00:28:28,780 --> 00:28:32,889 object and then the hooks are actually 647 00:28:30,760 --> 00:28:34,120 the object data structure so you see 648 00:28:32,890 --> 00:28:35,590 I've got instance is equal to dollar 649 00:28:34,120 --> 00:28:37,149 instance session is equal to dollar 650 00:28:35,590 --> 00:28:40,840 session database ID equals dollar DB 651 00:28:37,150 --> 00:28:44,040 ID and then the path to the database I'll 652 00:28:40,840 --> 00:28:48,129 show you some of this output in a bit so 653 00:28:44,040 --> 00:28:50,260 then I can get the tables all right so 654 00:28:48,130 --> 00:28:55,780 get table names now we're back into 655 00:28:50,260 --> 00:28:57,400 more you know standard types of database 656 00:28:55,780 --> 00:28:59,200 manipulation right so we're gonna get 657 00:28:57,400 --> 00:29:00,520 the database tables I can get the 658 00:28:59,200 --> 00:29:04,540 database columns and I can get the 659 00:29:00,520 --> 00:29:08,590 database rows in theory we'll get into 660 00:29:04,540 --> 00:29:10,899 that a little bit so interestingly 661 00:29:08,590 --> 00:29:12,970 enough you know when I first when I 662 00:29:10,900 --> 00:29:14,710 talked when I mentioned the 663 00:29:12,970 --> 00:29:17,050 DLLs at the beginning and the tables at 664 00:29:14,710 --> 00:29:19,300 the beginning I had like six tables 665 00:29:17,050 --> 00:29:22,590 right when you're on Windows 10 you 666 00:29:19,300 --> 00:29:24,520 actually have a few other tables so 667 00:29:22,590 --> 00:29:26,199 interesting I wonder what data is in 668 00:29:24,520 --> 00:29:27,940 there that's probably one of the things 669 00:29:26,200 --> 00:29:30,100 that's one of the things that somebody 670 00:29:27,940 --> 00:29:32,980 has to do to understand what those extra 671 00:29:30,100 --> 00:29:36,490 tables are so how do I access these 672 00:29:32,980 --> 00:29:39,100 tables well I can put the table
name 673 00:29:36,490 --> 00:29:42,580 which is the GUID into a variable and 674 00:29:39,100 --> 00:29:43,510 then I just connect to the table in the 675 00:29:42,580 --> 00:29:45,790 same way that I connected to the 676 00:29:43,510 --> 00:29:48,790 database all right so I pass my 677 00:29:45,790 --> 00:29:51,820 session ID the database ID and I add the 678 00:29:48,790 --> 00:29:54,520 table name so now I have a reference 679 00:29:51,820 --> 00:29:56,760 pointer to my table and of course I can 680 00:29:54,520 --> 00:30:02,090 connect to multiple tables at once 681 00:29:56,760 --> 00:30:05,760 all right now comes the complicated part 682 00:30:02,090 --> 00:30:08,270 so unlike SQL where you can do select 683 00:30:05,760 --> 00:30:12,360 star from table to get all the data 684 00:30:08,270 --> 00:30:17,879 with this API you actually have to parse 685 00:30:12,360 --> 00:30:22,110 each row manually crap and the way you 686 00:30:17,880 --> 00:30:25,070 do that is by column so you have to dump 687 00:30:22,110 --> 00:30:35,580 one column at a time one row at a time 688 00:30:25,070 --> 00:30:37,918 fun who the hell wrote this so here 689 00:30:35,580 --> 00:30:40,620 we go I mean might as well do it we're 690 00:30:37,919 --> 00:30:45,240 here now all right so you pull out the 691 00:30:40,620 --> 00:30:49,168 columns get table columns and because 692 00:30:45,240 --> 00:30:52,309 I'm in PowerShell I can do some really 693 00:30:49,169 --> 00:30:55,950 interesting things so TryMoveFirst 694 00:30:52,309 --> 00:30:57,660 tells the JET API to move to the head of 695 00:30:55,950 --> 00:31:01,230 the database to go to the first 696 00:30:57,660 --> 00:31:07,580 row so now I'm gonna do a while 697 00:31:01,230 --> 00:31:10,890 loop so I initiate a temporary row 698 00:31:07,580 --> 00:31:13,918 struct a database row data structure so I 699 00:31:10,890 --> 00:31:16,620 can capture that row and now for each of 700 00:31:13,919 -->
00:31:18,929 the columns in columns so columns is 701 00:31:16,620 --> 00:31:21,719 the output from the database from 702 00:31:18,929 --> 00:31:23,520 the get columns so dollar column I'm 703 00:31:21,720 --> 00:31:26,400 just basically grabbing one column at a 704 00:31:23,520 --> 00:31:32,280 time I then need to look at the column 705 00:31:26,400 --> 00:31:33,840 type which is really annoying it's okay 706 00:31:32,280 --> 00:31:35,668 because you've got all of these column 707 00:31:33,840 --> 00:31:37,500 types and depending on the column type 708 00:31:35,669 --> 00:31:42,270 you might have to manipulate the data 709 00:31:37,500 --> 00:31:45,059 like down here where basically 710 00:31:42,270 --> 00:31:47,790 I've got text unfortunately the text has 711 00:31:45,059 --> 00:31:50,309 a closing zero so you have to remove 712 00:31:47,790 --> 00:31:52,080 that and okay any more characters you've 713 00:31:50,309 --> 00:31:54,389 got currency same thing you have to 714 00:31:52,080 --> 00:31:56,460 remove more characters 715 00:31:54,390 --> 00:31:59,910 then you've got some weird ones where 716 00:31:56,460 --> 00:32:03,690 you basically need to convert a 64-bit 717 00:31:59,910 --> 00:32:07,190 int into a date/time because that's 718 00:32:03,690 --> 00:32:09,440 what the column does or is referencing 719 00:32:07,190 --> 00:32:15,600 and then sometimes you have columns that 720 00:32:09,440 --> 00:32:17,750 don't have a reference type which is nice 721 00:32:15,600 --> 00:32:22,139 thank God 722 00:32:17,750 --> 00:32:25,740 so once I have the information from that 723 00:32:22,140 --> 00:32:30,030 row for all the columns I can add my 724 00:32:25,740 --> 00:32:31,920 data back into my new table so I'm 725 00:32:30,030 --> 00:32:33,930 basically what I'm doing is I'm 726 00:32:31,920 --> 00:32:37,110 essentially copying JET database data 727 00:32:33,930 --> 00:32:38,760 into a variable in PowerShell and then 728 00:32:37,110 -->
00:32:41,520 you can close that then you can close 729 00:32:38,760 --> 00:32:49,860 the database so that's how you connect 730 00:32:41,520 --> 00:32:51,810 to it I will try to do a demo but I've 731 00:32:49,860 --> 00:32:54,270 been having problems accessing it so what I 732 00:32:51,810 --> 00:32:56,310 do have is some screenshots so what are the 733 00:32:54,270 --> 00:32:58,560 problems the first problem I ran into so 734 00:32:56,310 --> 00:33:02,010 I created my I connected to my database 735 00:32:58,560 --> 00:33:04,679 I got the page size I got the JET I 736 00:33:02,010 --> 00:33:07,410 tried to do the I got the session ID I 737 00:33:04,680 --> 00:33:12,410 got everything done then I did an attach 738 00:33:07,410 --> 00:33:14,970 database and Windows just told me that 739 00:33:12,410 --> 00:33:18,360 it actually says cannot access 740 00:33:14,970 --> 00:33:20,310 file the file is locked so luckily in 741 00:33:18,360 --> 00:33:22,290 PowerShell the window actually tells you 742 00:33:20,310 --> 00:33:24,060 what account you're using or what 743 00:33:22,290 --> 00:33:27,870 mode you're in I was in my standard user 744 00:33:24,060 --> 00:33:36,139 account so oh no ok let's try it as admin 745 00:33:27,870 --> 00:33:41,280 try admin worked so once you do that I 746 00:33:36,140 --> 00:33:46,200 basically now have an instance ID so JET 747 00:33:41,280 --> 00:33:47,790 instance ID session ID a DB ID so DB ID 748 00:33:46,200 --> 00:33:50,760 is one there's only one database in 749 00:33:47,790 --> 00:33:53,670 here as far as I know and then the 750 00:33:50,760 --> 00:33:55,030 file path so those are my references to 751 00:33:53,670 --> 00:33:56,910 actually access the database 752 00:33:55,030 --> 00:33:59,670 [Music] 753 00:33:56,910 --> 00:34:02,310 then I can dump columns so this is one 754 00:33:59,670 --> 00:34:05,610 of the new data 755 00:34:02,310 --> 00:34:10,799 tables inside which come with Windows 10 756
00:34:05,610 --> 00:34:14,159 and if you look at the field names the 757 00:34:10,800 --> 00:34:18,540 column names so you've got AppId you've 758 00:34:14,159 --> 00:34:22,020 got AudioIn AudioInTimeline AudioOut 759 00:34:18,540 --> 00:34:26,870 AudioOutTimeline then you got 760 00:34:22,020 --> 00:34:30,330 AutoIncId mmm CompDirty 761 00:34:26,870 --> 00:34:33,149 CompDirtyTimeline so there's a lot of 762 00:34:30,330 --> 00:34:37,580 information in here right and in this 763 00:34:33,149 --> 00:34:41,370 table this table has like 25 columns 764 00:34:37,580 --> 00:34:44,159 this is the network usage one this is a 765 00:34:41,370 --> 00:34:46,918 lot easier so I've got an AppId I've 766 00:34:44,159 --> 00:34:49,220 got an AutoIncId and I've got the 767 00:34:46,918 --> 00:34:52,859 bytes received bytes sent the interface 768 00:34:49,219 --> 00:34:54,870 the L2 profile the connection 769 00:34:52,860 --> 00:34:57,780 profile ID the timestamp and the user 770 00:34:54,870 --> 00:35:00,089 ID and this is what's interesting right 771 00:34:57,780 --> 00:35:02,640 so I can now say an app a user a 772 00:35:00,090 --> 00:35:07,740 timestamp and the amount of data that 773 00:35:02,640 --> 00:35:10,609 the computer that I'm pulling in and out so 774 00:35:07,740 --> 00:35:14,009 this is the application usage table 775 00:35:10,610 --> 00:35:16,740 so once you've run that horrible 776 00:35:14,010 --> 00:35:18,870 while loop you basically get this data 777 00:35:16,740 --> 00:35:21,870 right so I've got the name of the column 778 00:35:18,870 --> 00:35:23,700 and a value and because there's 64-bit 779 00:35:21,870 --> 00:35:25,650 values in the background cycles time 780 00:35:23,700 --> 00:35:28,919 so that's like so you need to kind of 781 00:35:25,650 --> 00:35:33,660 figure that one out so a lot of 782 00:35:28,920 --> 00:35:38,310 information that you can process so how does 783 00:35:33,660 --> 00:35:40,020 this fit
into hunting well if I have 784 00:35:38,310 --> 00:35:41,759 applications and I know which ones are being 785 00:35:40,020 --> 00:35:44,550 used and I know which ones are running 786 00:35:41,760 --> 00:35:47,640 and I know who's running them I can kind 787 00:35:44,550 --> 00:35:51,570 of do application profiling on the fly 788 00:35:47,640 --> 00:35:53,520 if I know network usage I can start to 789 00:35:51,570 --> 00:35:56,610 look for weird network patterns 790 00:35:53,520 --> 00:35:58,560 right if I baseline my environment and I 791 00:35:56,610 --> 00:36:00,540 know that I'm in the corporate 792 00:35:58,560 --> 00:36:02,100 environment and most machines don't do 793 00:36:00,540 --> 00:36:03,960 any network activity during the 794 00:36:02,100 --> 00:36:05,339 night and I pick up a 795 00:36:03,960 --> 00:36:07,170 machine and it's doing network activity 796 00:36:05,340 --> 00:36:08,060 during the night it becomes 797 00:36:07,170 --> 00:36:12,570 interesting 798 00:36:08,060 --> 00:36:15,420 so essentially what I've come up with what 799 00:36:12,570 --> 00:36:18,150 I'm getting to is like a mini EDR tool 800 00:36:15,420 --> 00:36:21,060 or a mini or like a PowerShell version 801 00:36:18,150 --> 00:36:23,400 of osquery to a certain extent which is 802 00:36:21,060 --> 00:36:25,140 fun I mean you know I don't need to 803 00:36:23,400 --> 00:36:26,970 install anything I can just 804 00:36:25,140 --> 00:36:31,170 use these commands and just start 805 00:36:26,970 --> 00:36:36,600 dumping data off a Windows box fun the 806 00:36:31,170 --> 00:36:38,670 good and the bad and the ugly so this is 807 00:36:36,600 --> 00:36:40,410 still that I haven't had as much time as 808 00:36:38,670 --> 00:36:41,430 I wanted to really work on this so I'm 809 00:36:40,410 --> 00:36:42,629 gonna have to automate the data 810 00:36:41,430 --> 00:36:46,919 processing right now I'm doing it 811 00:36:42,630 --> 00:36:48,600 manually
to a large extent I want 812 00:36:46,920 --> 00:36:51,420 to create you see how I can do this 813 00:36:48,600 --> 00:36:54,480 remotely right you can actually connect 814 00:36:51,420 --> 00:36:55,830 PowerShell remotely using WinRM but 815 00:36:54,480 --> 00:36:57,390 that means that you have to 816 00:36:55,830 --> 00:37:00,600 have WinRM enabled in your 817 00:36:57,390 --> 00:37:02,580 environment and I want to build a module 818 00:37:00,600 --> 00:37:04,680 which I can automatically just pull and 819 00:37:02,580 --> 00:37:07,380 download and install which I haven't 820 00:37:04,680 --> 00:37:10,890 been able to get to module building 821 00:37:07,380 --> 00:37:13,320 is almost like building a you know an 822 00:37:10,890 --> 00:37:14,400 API library form so you have to give it its 823 00:37:13,320 --> 00:37:17,310 own structure you have to give it 824 00:37:14,400 --> 00:37:19,020 certain commands and once you've done 825 00:37:17,310 --> 00:37:20,610 that you reinsert it as a module and you 826 00:37:19,020 --> 00:37:24,980 have in your you're essentially adding 827 00:37:20,610 --> 00:37:24,980 commands to PowerShell 828 00:37:25,309 --> 00:37:29,490 there are implications on PowerShell 829 00:37:27,569 --> 00:37:30,750 versions so most of the commands I'm 830 00:37:29,490 --> 00:37:36,078 using won't work if you have a 831 00:37:30,750 --> 00:37:38,849 PowerShell below 3.0 the Windows service 832 00:37:36,079 --> 00:37:42,059 that runs it is Diagnostic Policy Service 833 00:37:38,849 --> 00:37:45,900 but I have yet to figure out where the 834 00:37:42,059 --> 00:37:47,250 SRUM DB is there's a specific switch you 835 00:37:45,900 --> 00:37:49,890 need to turn on in Windows so as to 836 00:37:47,250 --> 00:37:51,990 actually get this SRUM DB to work and 837 00:37:49,890 --> 00:37:53,368 I'm still working on that one and that's 838 00:37:51,990 --> 00:37:55,200 probably I'm probably gonna run into a 839 00:37:53,369 -->
00:38:01,859 whole bunch of other issues over time 840 00:37:55,200 --> 00:38:03,390 right so I will publish this code at 841 00:38:01,859 --> 00:38:06,000 some time right now it's a private repo 842 00:38:03,390 --> 00:38:07,799 because it's really ugly and there's a 843 00:38:06,000 --> 00:38:09,930 lot of mistakes in it so I'm not gonna 844 00:38:07,800 --> 00:38:13,260 if you want access to it you can come 845 00:38:09,930 --> 00:38:16,078 and see me I can provide you access but 846 00:38:13,260 --> 00:38:18,119 that's the URL that's how you can get in 847 00:38:16,079 --> 00:38:20,040 touch with me now I want to see if I can 848 00:38:18,119 --> 00:38:26,940 do a demo which is going to be 849 00:38:20,040 --> 00:38:29,058 interesting you have to bear with me for 850 00:38:26,940 --> 00:38:29,059 a bit 851 00:39:06,120 --> 00:39:09,210 [Music] 852 00:41:19,300 --> 00:41:25,450 okay so I don't think this is gonna work 853 00:41:22,640 --> 00:41:25,450 but we'll try anyway 854 00:41:37,090 --> 00:41:50,870 so first I've loaded the DLL into 855 00:41:46,850 --> 00:42:06,620 cancel it okay I thought it was big 856 00:41:50,870 --> 00:42:10,330 enough but I'll make it bigger so 857 00:42:06,620 --> 00:42:24,759 first I basically loaded the 858 00:42:10,330 --> 00:42:24,759 DLL into a variable so now I'm going to 859 00:42:25,120 --> 00:42:29,680 put the database into a path as well 860 00:42:32,440 --> 00:42:50,660 okay I'm gonna set my variables and pull 861 00:42:44,420 --> 00:42:58,100 them up and load the DLL into 862 00:42:50,660 --> 00:42:59,390 memory so now I can connect to the 863 00:42:58,100 --> 00:43:01,960 database or I can get the database 864 00:42:59,390 --> 00:43:01,960 file info 865 00:43:02,040 --> 00:43:05,139 [Music] 866 00:43:10,440 --> 00:43:18,069 what am I missing 867 00:43:12,010 --> 00:43:34,780 ah it's a problem when you're doing this 868 00:43:18,069 --> 00:43:39,420 remotely okay so now the
database that 869 00:43:34,780 --> 00:43:39,420 the DLL and the API loaded into memory 870 00:43:42,690 --> 00:43:48,099 so now what I've done right 871 00:43:45,670 --> 00:43:50,740 now is I'm querying the database file to 872 00:43:48,099 --> 00:44:00,700 see what the page size is so I can 873 00:43:50,740 --> 00:44:02,410 actually get the page size so just 874 00:44:00,700 --> 00:44:05,049 by typing the variable name I can get 875 00:44:02,410 --> 00:44:09,578 the output so I know the page size is 876 00:44:05,049 --> 00:44:11,559 4096 it's not really pertinent to what 877 00:44:09,579 --> 00:44:13,200 we need to do but it's useful to have it 878 00:44:11,559 --> 00:44:15,819 means you can connect to the database and 879 00:44:13,200 --> 00:44:16,990 you also need the information later when 880 00:44:15,819 --> 00:44:22,200 you want to actually connect to the 881 00:44:16,990 --> 00:44:22,200 database itself and get the file type 882 00:44:24,100 --> 00:44:27,250 [Music] 883 00:44:27,720 --> 00:45:05,000 I'll start all over again sorry 884 00:44:47,360 --> 00:45:11,840 okay so we got page size 4096 885 00:45:05,000 --> 00:45:29,120 file type of one and now I can open my 886 00:45:11,840 --> 00:45:31,580 JET my database session okay so I do 887 00:45:29,120 --> 00:45:40,240 have I have a session open now so if I 888 00:45:31,580 --> 00:45:43,009 do a dollar session so actually I don't 889 00:45:40,240 --> 00:45:46,430 so basically the dollar session when you 890 00:45:43,010 --> 00:45:48,560 look at it gives you a value of true or 891 00:45:46,430 --> 00:45:49,640 false is it invalid so when it's 892 00:45:48,560 --> 00:45:50,870 when it's true 893 00:45:49,640 --> 00:45:52,009 it means you're not connected 894 00:45:50,870 --> 00:45:54,799 to the database so you can't connect to 895 00:45:52,010 --> 00:45:56,530 the database for some reason so we're 896 00:45:54,800 --> 00:46:05,840 not going to go very far 897
00:45:56,530 --> 00:46:14,750 unfortunately if I can connect let me 898 00:46:05,840 --> 00:46:21,540 see on this one so any questions while 899 00:46:14,750 --> 00:46:31,050 this tries to connect was it too 900 00:46:21,540 --> 00:46:32,099 early in the morning I've been 901 00:46:31,050 --> 00:46:34,230 working with it 902 00:46:32,099 --> 00:46:35,640 but I haven't found anything yeah 903 00:46:34,230 --> 00:46:37,500 because most of the images that I've 904 00:46:35,640 --> 00:46:41,310 been looking at were essentially clean 905 00:46:37,500 --> 00:46:42,150 so I need to improve the demo on this so 906 00:46:41,310 --> 00:46:44,369 probably what I'll do is I'll actually 907 00:46:42,150 --> 00:46:46,470 infect a few machines and then pull out 908 00:46:44,369 --> 00:46:47,820 the data and do it that way one of the 909 00:46:46,470 --> 00:46:50,040 biggest problems I'm having right now is 910 00:46:47,820 --> 00:46:52,650 actually processing the data because as 911 00:46:50,040 --> 00:46:55,560 you saw on that screenshot earlier it's 912 00:46:52,650 --> 00:46:57,630 a lot of data and it's historical data 913 00:46:55,560 --> 00:47:00,299 if the thing's been running 914 00:46:57,630 --> 00:47:02,910 properly you've basically got data all 915 00:47:00,300 --> 00:47:05,760 the way from the start of the 916 00:47:02,910 --> 00:47:08,819 installation of that Windows 10 box for 917 00:47:05,760 --> 00:47:12,630 example so you can have a massive amount 918 00:47:08,820 --> 00:47:15,240 of data so processing it becomes more 919 00:47:12,630 --> 00:47:17,760 complex plus you have to kind of I'm 920 00:47:15,240 --> 00:47:19,828 still working on pulling out the right 921 00:47:17,760 --> 00:47:21,570 information to then associate it back to 922 00:47:19,829 --> 00:47:23,849 the registry keys because for example 923 00:47:21,570 --> 00:47:26,040 like the user ID you have to associate 924 00:47:23,849 --> 00:47:27,630 it back to the user which is an index 925
00:47:26,040 --> 00:47:29,040 inside the registry key so you have to 926 00:47:27,630 --> 00:47:31,710 go into the registry key pull out the 927 00:47:29,040 --> 00:47:33,569 user yeah you have to index it into the 928 00:47:31,710 --> 00:47:36,839 registry key in the user under the user 929 00:47:33,569 --> 00:47:38,790 profiles to get the actual user ID so 930 00:47:36,839 --> 00:47:40,828 there's a lot of mini relations that you 931 00:47:38,790 --> 00:47:42,029 have to do in the background and that's 932 00:47:40,829 --> 00:47:44,460 where some of my scripts are failing 933 00:47:42,030 --> 00:47:46,170 because I'm either pointing to the wrong 934 00:47:44,460 --> 00:47:48,630 place or I'm just not referencing it 935 00:47:46,170 --> 00:47:51,270 properly and it's taking me time to 936 00:47:48,630 --> 00:47:52,770 actually I basically want to have to do 937 00:47:51,270 --> 00:47:56,280 one day is just draw it out right draw the 938 00:47:52,770 --> 00:48:00,119 links and draw the lines together map it 939 00:47:56,280 --> 00:48:13,660 out but time constraints have basically 940 00:48:00,119 --> 00:48:17,360 let me down yeah 941 00:48:13,660 --> 00:48:17,359 [Music] 942 00:48:24,490 --> 00:48:40,089 yeah so the question is can I 943 00:48:38,329 --> 00:48:43,400 pull all the information together to 944 00:48:40,089 --> 00:48:45,440 kind of say baseline your environment to 945 00:48:43,400 --> 00:48:49,010 look for indicators or to pull out 946 00:48:45,440 --> 00:48:53,480 indicators that is a really interesting 947 00:48:49,010 --> 00:48:55,490 question and probably very hard to do 948 00:48:53,480 --> 00:48:58,099 and I'll explain why because you're 949 00:48:55,490 --> 00:49:00,109 actually tracking application usage like 950 00:48:58,099 --> 00:49:02,720 you might use Word and PowerPoint and 951 00:49:00,109 --> 00:49:05,598 Excel one way and the person to your 952 00:49:02,720 --> 00:49:08,118 right may not right may use it in a 953 00:49:05,599 -->
00:49:09,710 different way or may never use Excel so 954 00:49:08,119 --> 00:49:11,930 how do you baseline that across an 955 00:49:09,710 --> 00:49:13,490 organization or across a pool of the 956 00:49:11,930 --> 00:49:14,569 computers you can't really because 957 00:49:13,490 --> 00:49:19,759 you're never going to have the same 958 00:49:14,570 --> 00:49:21,380 usage patterns so what the idea I had in 959 00:49:19,760 --> 00:49:22,640 the back of my mind once I figured out 960 00:49:21,380 --> 00:49:24,980 all the data problems and all the 961 00:49:22,640 --> 00:49:26,390 associations and how to actually pull 962 00:49:24,980 --> 00:49:27,970 this dynamic because I'm having problems 963 00:49:26,390 --> 00:49:30,529 with the database connectivity as well 964 00:49:27,970 --> 00:49:32,118 it likely can timeout especially when 965 00:49:30,530 --> 00:49:33,349 I'm trying to pull out the data I was 966 00:49:32,119 --> 00:49:35,960 running it yesterday on one of my 967 00:49:33,349 --> 00:49:37,130 machines and it been running for like an 968 00:49:35,960 --> 00:49:40,040 hour and it was still processing the 969 00:49:37,130 --> 00:49:41,329 rows okay so it's not very efficient so 970 00:49:40,040 --> 00:49:44,150 I need to find a way to make it more 971 00:49:41,329 --> 00:49:47,030 efficient but long term the idea would 972 00:49:44,150 --> 00:49:49,420 be to maybe do something like you know 973 00:49:47,030 --> 00:49:52,640 like yarrow and have a set of set of 974 00:49:49,420 --> 00:49:54,380 prefix data so I can point it to point 975 00:49:52,640 --> 00:49:56,299 to the script and the script will 976 00:49:54,380 --> 00:49:58,099 actually go looking for those those 977 00:49:56,300 --> 00:50:00,490 types of indicators right but you 978 00:49:58,099 --> 00:50:00,490 wouldn't have 979 00:50:01,240 --> 00:50:05,890 you could essentially build it because 980 00:50:04,119 --> 00:50:08,050 you can you can use PowerShell to pull 981 00:50:05,890 --> 00:50:10,020 out 
hashes so you could actually look 982 00:50:08,050 --> 00:50:13,750 for a process with a certain hash and 983 00:50:10,020 --> 00:50:15,490 then go and dive into this database and 984 00:50:13,750 --> 00:50:17,140 see how many times it's run or see when 985 00:50:15,490 --> 00:50:19,569 it's run how long it's run and what the 986 00:50:17,140 --> 00:50:20,890 network activity was on it but it's a 987 00:50:19,570 --> 00:50:23,980 very it's again it's a very complex 988 00:50:20,890 --> 00:50:39,460 process and to a certain extent would 989 00:50:23,980 --> 00:50:46,000 require crapload of development and but 990 00:50:39,460 --> 00:50:47,380 the point is to search you missed the 991 00:50:46,000 --> 00:50:50,860 point you can't build a baseline on 992 00:50:47,380 --> 00:50:52,600 application usage on user application 993 00:50:50,860 --> 00:50:54,070 users this user application usage you 994 00:50:52,600 --> 00:50:55,990 can't build a baseline because no use it 995 00:50:54,070 --> 00:50:57,790 unless you're wrote in this we're 996 00:50:55,990 --> 00:51:03,700 talking about a bunch of robots you're 997 00:50:57,790 --> 00:51:10,390 never going to get the same usage are we 998 00:51:03,700 --> 00:51:12,970 still so essentially that's my there's 999 00:51:10,390 --> 00:51:14,730 many directions this could go in but I 1000 00:51:12,970 --> 00:51:17,049 need to optimize the initial code first 1001 00:51:14,730 --> 00:51:18,430 until I optimize that initial code and 1002 00:51:17,050 --> 00:51:20,230 actually have a module that I can just 1003 00:51:18,430 --> 00:51:22,540 pull in when I need it to actually do 1004 00:51:20,230 --> 00:51:25,030 that that's search to do that query I'm 1005 00:51:22,540 --> 00:51:27,040 what I I'm not even thinking about the 1006 00:51:25,030 --> 00:51:29,770 possibilities to be honest but I'll note 1007 00:51:27,040 --> 00:51:41,140 it down and all right and I'll keep it 1008 00:51:29,770 --> 00:51:43,930 in mind you could so the 
question is why 1009 00:51:41,140 --> 00:51:45,640 why search in PowerShell why not drop it 1010 00:51:43,930 --> 00:51:47,560 to something like Spock ourselves or 1011 00:51:45,640 --> 00:51:50,290 upload it to your sim and things like 1012 00:51:47,560 --> 00:51:52,990 that you can actually so in the same way 1013 00:51:50,290 --> 00:51:54,250 that I can pull stuff often laughs that 1014 00:51:52,990 --> 00:51:57,399 often there I can actually create a 1015 00:51:54,250 --> 00:52:00,790 connection and do you know query an API 1016 00:51:57,400 --> 00:52:04,090 or post things to an API the idea was I 1017 00:52:00,790 --> 00:52:06,160 wanted something I mean let's be honest 1018 00:52:04,090 --> 00:52:08,440 Allah Oh is query right where basically 1019 00:52:06,160 --> 00:52:10,270 you have the ability to run some kind of 1020 00:52:08,440 --> 00:52:12,190 script or some kind of shell and you 1021 00:52:10,270 --> 00:52:14,890 could just querying dynamically on live 1022 00:52:12,190 --> 00:52:17,829 on that system because I'm I 1023 00:52:14,890 --> 00:52:20,019 it was more about finding things rather 1024 00:52:17,829 --> 00:52:21,489 than keeping a constant baseline or 1025 00:52:20,019 --> 00:52:24,578 keeping a constant inventory of what was 1026 00:52:21,489 --> 00:52:26,169 running on the machine because then you 1027 00:52:24,579 --> 00:52:31,499 mean in Europe you get into certain 1028 00:52:26,169 --> 00:52:35,650 shady areas on on privacy issues right 1029 00:52:31,499 --> 00:52:38,319 but you can detect things like browsers 1030 00:52:35,650 --> 00:52:41,140 running right talk connections you can 1031 00:52:38,319 --> 00:52:43,989 find the VPN connection will show up as 1032 00:52:41,140 --> 00:52:45,640 an interface in a network profile so if 1033 00:52:43,989 --> 00:52:49,779 anybody creates a VPN you can actually 1034 00:52:45,640 --> 00:53:02,739 see it I think we have time for maybe 1035 00:52:49,779 --> 00:53:04,689 one more two more questions 
top I've 1036 00:53:02,739 --> 00:53:06,279 probably just got I'm going to write 1037 00:53:04,689 --> 00:53:10,239 them I'm going to eventually write a 1038 00:53:06,279 --> 00:53:12,519 module but that so let me back up the 1039 00:53:10,239 --> 00:53:16,029 question was will I publish this module 1040 00:53:12,519 --> 00:53:17,109 on power on power shot gallery I'm going 1041 00:53:16,029 --> 00:53:18,429 to rather powers from module I'm 1042 00:53:17,109 --> 00:53:20,679 probably gonna leave it in github 1043 00:53:18,429 --> 00:53:22,299 because I don't I I want it to be 1044 00:53:20,679 --> 00:53:23,979 maintaining that way and if you look at 1045 00:53:22,299 --> 00:53:25,209 a lot of the stuff Microsoft is actually 1046 00:53:23,979 --> 00:53:27,729 doing around PowerShell it's all in 1047 00:53:25,209 --> 00:53:33,069 github now as well even you can I 1048 00:53:27,729 --> 00:53:36,189 actually so so for those of you who 1049 00:53:33,069 --> 00:53:43,169 can't you haven't seen maybe before I 1050 00:53:36,189 --> 00:53:43,169 actually work on a pixel book this weird 1051 00:53:43,589 --> 00:53:49,479 crappy so on the pixel book now you have 1052 00:53:46,659 --> 00:53:52,829 you have like an Ubuntu VM I actually 1053 00:53:49,479 --> 00:53:54,879 have PowerShell install on this because 1054 00:53:52,829 --> 00:54:11,340 Microsoft has open source powershell 1055 00:53:54,880 --> 00:54:13,320 version 6 and so if I go so I've got 1056 00:54:11,340 --> 00:54:16,530 how shall sex on this machine and it's a 1057 00:54:13,320 --> 00:54:20,880 pixel book right so they've done a lot 1058 00:54:16,530 --> 00:54:22,110 of that work is now in get hub and I'm 1059 00:54:20,880 --> 00:54:24,990 just gonna leave it there to be honest 1060 00:54:22,110 --> 00:54:29,010 so then people can use it the way they 1061 00:54:24,990 --> 00:54:31,439 want to use it cut well thanks everybody 1062 00:54:29,010 --> 00:54:34,310 for coming I hope you didn't get too 1063 00:54:31,440 
--> 00:54:37,420 scared of you like the top 1064 00:54:34,310 --> 00:54:37,420 [Applause]