Slide deck from my session at Microsoft Ignite 2017: “The hacker playbook: How to think and act like a cybercriminal to reduce risk”
Tools from the session
Here you can find the most important tools I used during the session!
>> Get the tools from this session <<
Session Summary
Thank you for attending the Microsoft Ignite precon delivered by Paula Januszkiewicz. Couple of words of summary regarding what Paula has been talking about
Precon was devided into 4 parts:
- Forensics and evidence hiding and finding
- Code execution techniques and prevention techniques
- Advanced monitoring techniques
- Automation and network attacks
During the precon we have focused on the importance of each of the subjects and techniques as during penetration tests we see that they are the ones that pretty much always work!
Here is a bit of a sneak peak of what was shown regarding the Windows Indexing Service during the precon.
- How to create shadowcopy on the client?
$s1 = (gwmi -List Win32_ShadowCopy).Create(“C:\”, “ClientAccessible”)
$s2 = gwmi Win32_ShadowCopy | ? { $_.ID -eq $s1.ShadowID }
$d = $s2.DeviceObject + “\”
cmd /c mklink /d C:\shadowcopy “$d”
- Windows Indexing Service is in C:\ProgramData\Microsoft\Search\Data\Applications\Windows, in our case we need to go to the same folder but from c:\shadowcopy created earlier:C:\shadowcopy\ProgramData\Microsoft\Search\Data\Applications\Windows
- Now we need to copy Windows.edb and open it inESEDataBaseView, you can download it from http://www.nirsoft.net/utils/ese_database_view.html
- From the listbox, chooseSystemIndex_Gthrand review the results! If you had some exe in the indexed locations, use Ctrl+F in the Gthr table.
If you have any questions, please post them in the section below.