and CORRECT Answers
PREFETCH - CORRECT ANSWER - Shows what ran, when it ran, how many times.
Used for perf increases. Win10 has compressed .PF files.
C:\Windows\Prefetch\7ZG.EXE-D9AA3A0B.pf
Hash is path of EXE and command line
128 files on Win7; Win8+ can hold 1024.
Prefetch files can be carved from unallocated space using blkls and foremost.
Prefetch can be disabled via the registry.
Date created is the first execution; date modified is the last execution.
PF - CORRECT ANSWER - Command line tool that parses .PF files. Outputs app name
and path, times executed, last run, prefetch MAC timestamps in CSV.
PECmd - CORRECT ANSWER - Similar to PF - prefetch parser tool. Can process an entire directory with the -d option. Output in JSON, CSV, HTML.
Prefetchparser - CORRECT ANSWER - Part of volatility framework. Will search memory
for prefetch and parse. Good for finding PF data deleted or removed by attackers.
ShimCache - CORRECT ANSWER - App compat tool. Tracks last modified date, file path, and whether executed. XP shows last execution time; Server shows an executed FLAG. Located in the registry. XP = CCS\Control\SessionManager\AppCompatibility\AppCompatCache (96 entries), Server = CCS\Control\SessionManager\AppCompatCache\AppCompatCache (1024 entries).
Vista onward, the AppCompatCache reg key doesn't prove execution, but it is likely.
ShimCacheParser.py - CORRECT ANSWER - parses App Compat Shim cache.
ShimCacheMem - CORRECT ANSWER - Volatility plugin that extracts AppCompatCache from memory images, even items not yet written to disk. vol.py -f memory shimcachemem | less
RecentFileCache.bcf - CORRECT ANSWER - Related to App Compat Cache and contains
references to programs recently copied or downloaded and executed. RecentFileCache is the
short term storage of recent file adds. c:\Windows\AppCompat\Programs\RecentFileCache.bcf.
Small file managed by the ProgramDataUpdater task (12:30 AM nightly).
RFC.PL - CORRECT ANSWER - parses .BCF and outputs path and exe name.
Amcache.hve - CORRECT ANSWER - Replaces RecentFileCache.bcf in Win8/10. Records program first run and last modification time of the key. Includes SHA1 and other program info like product name and description. C:\Windows\AppCompat\Programs\Amcache.hve. Registry path: amcache.hve\root\file\<Vol GUID>\#####, where the key name is derived from the MFT entry.
AmcacheParser - CORRECT ANSWER - Parses out of amcache.hve: SHA1, full path, MFT entry, file size, compile time.
Volume Shadow Copies - CORRECT ANSWER - Windows backup of the OS, or virtual snapshots. Contain event logs, reg files, deleted files. Created at application install, unsigned driver install, system updates, System Restore, system boot (Win7, 8, 10). Stored in the System Volume Information folder.
vshadowinfo - CORRECT ANSWER - Lists all shadow snapshots in a disk image - similar to vssadmin list shadows. The -o switch points to the NTFS partition offset within the disk.
vshadowmount - CORRECT ANSWER - Tool to mount all VSS images on the SIFT workstation. ewfmount PathTo.E01 /mnt/vss/ -> vshadowmount /mnt/ewf_mount/ewf1 /mnt/vss/
Credential Theft Bullets - CORRECT ANSWER - • Managed Service Accounts (2008 R2) provide frequent password changes. The newer version is called Group Managed Service Accounts.
• Win8 removed CredSSP, TsPkg and WDigest from memory by default, which stopped plaintext password recovery.
• Win8 local account restrictions in place for network and remote interactive logons.
• Win8 introduced the protected LSASS process (off by default).
• Win8 RDP /RestrictedAdmin.
• Win10 Credential Guard isolates hashes and tickets, enforced by hardware. Remote Credential Guard is the updated Restricted Admin and protects any account during RDP. Device Guard is application whitelisting.
Credential Availability - CORRECT ANSWER - Console logon, RunAs, RDP, PsExec w/ alt creds, remote scheduled task, Run As Service - these actions can result in loss of credentials and password hashes.
Token Stealing - CORRECT ANSWER - A user with the SeImpersonate privilege can extract tokens and reuse them. Often abused on RDP servers to elevate to Domain Admin. Tools: Incognito, Metasploit, PowerShell, mimikatz (token::elevate /domainadmin). Mitigate with the domain Protected Users security group, which prevents delegated tokens; the "Account is sensitive and cannot be delegated" option in AD; Restricted Admin and other RDP controls.
Cached Credentials - CORRECT ANSWER - Stored domain creds to allow logon without a DC; limited to 10 logon hashes by default. Must be cracked; they are salted and can't be used for PTH. Stored in the SECURITY\Cache reg key in mscash2 format. Crack with John the Ripper or hashcat. Domain Protected Users don't cache creds.
- CORRECT ANSWER - Extracts cached creds, which are domain creds.
Pwdump.py - CORRECT ANSWER -
LSA Secrets - CORRECT ANSWER - Creds stored in the registry (security/policy/secrets) to allow services and tasks to run with user privs: service accounts, VPN passwords, auto-logon creds. Stored in an encrypted reg key which admins can decrypt, resulting in plaintext passwords. Tools: Cain, Metasploit, mimikatz, gsecdump, acehash, creddump, PowerShell. Mitigate with Group Managed Service Accounts; don't place DA services on low-trust systems.