GCFA flash cards Questions and Answers graded A+
how do you defend against cached credentials? - answer limit the number of cached logons: the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (default 10; set it to 0 or 1 on systems that never need to log on without a DC)
enforce password length and complexity, because cached credentials (DCC2 / MSCache2 hashes) still have to be cracked offline
put privileged accounts in the Protected Users security group, whose members are never cached
what is LSA secrets - answer credentials stored in the registry (HKLM\SECURITY\Policy\Secrets) for things like service account passwords, VPN passwords and AutoLogon credentials. They are encrypted on disk with a key held in the SYSTEM hive, so anyone with SYSTEM access (or both hives offline) recovers the passwords in plaintext.
how to guard against LSA secrets attacks - answer
do not run services or scheduled tasks under privileged accounts on low-trust systems
reduce the number of services that require domain accounts to execute
use group Managed Service Accounts (gMSA)
Kerberos tickets are normally valid for how many hours - answer 10 (the default TGT lifetime; a TGT can be renewed for up to 7 days)
what is a pass the ticket attack - answer steal a Kerberos ticket (TGT or service ticket) from LSASS memory and pass or import it on another system to authenticate as that user, with no password or hash needed
what is an overpass the hash attack - answer use the account's NT hash as its Kerberos RC4 key to request a TGT for that account, then use the TGT to get service tickets; it turns a stolen NTLM hash into full Kerberos access
what is a Kerberoasting attack - answer request a service ticket for an SPN-bearing service account (ideally a highly privileged one) and crack it offline: the ticket is encrypted with the service account's key (for RC4 tickets, its NT hash), so cracking recovers the plaintext password. This pairs with the LSA secrets attack: a service password pulled from LSA secrets on a host that runs the service gives the same key without cracking.
what is a golden ticket attack - answer a forged Kerberos TGT, built with the krbtgt account's hash, for any account (even one that does not exist) with whatever lifetime the attacker chooses. It survives a full reset of user passwords because only the krbtgt key is needed to validate it.
what is a silver ticket attack - answer a forged service ticket, built with the service or computer account's hash, that is an all-access pass for that single service or computer and never touches the DC
what is a skeleton key - answer patch LSASS on a domain controller (in memory, so it does not survive a reboot) so that a backdoor password works for any domain account alongside the real password
how do you defeat ticket attacks - answer
Credential Guard (Windows 10 Enterprise / Server 2016 and later) to isolate ticket and hash material from LSASS
Protected Users security group (Windows Server 2012 R2 domain functional level, Windows 8.1 and later clients) for privileged accounts
Remote Credential Guard (Windows 10 1607 and later) or Restricted Admin mode RDP (Windows 8.1 / Server 2012 R2, backported to Windows 7) so admin credentials are not exposed on the remote host
long and complex passwords (or gMSA) for service accounts to prevent Kerberoasting
change the krbtgt password regularly (twice in a row, since the previous key stays valid)
how do you mitigate pass the ticket - answer credential guard
how do you mitigate overpass the hash (using the NT hash as a Kerberos key to request a TGT for the same account) - answer Credential Guard, Protected Users group (members cannot use RC4), and disable RC4 Kerberos encryption so the NT hash is no longer a usable key (AES keys are derived from the password and a salt, not the NT hash)
how do you mitigate Kerberoasting - answer long and complex service account passwords (25+ characters) or gMSA, and AES-only tickets for SPN accounts so cracking is far slower
how do you mitigate golden ticket attacks - answer protect domain admin accounts and DC access (the krbtgt hash comes from the DC) and change the krbtgt password regularly, twice in a row so the old key is invalidated
how do you mitigate silver ticket attacks - answer let computer account passwords rotate regularly (30-day default; do not disable the rotation) and protect service account passwords
how do you mitigate skeleton key attacks - answer protect domain admin accounts,
smart card usage for privilege accounts
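The Kerberoasting and RC4 mitigations above can be checked against the directory. The following is an added example (not from the flash cards) that audits SPN-bearing accounts: ACCOUNTS is a constructed set of AD objects using the LDAP attribute names (sAMAccountName, servicePrincipalName, pwdLastSet, msDS-SupportedEncryptionTypes, objectClass, memberOf); real input would be an LDAP search for (servicePrincipalName=*). The 365-day threshold and the privileged-group list are assumptions for the example; the msDS-SupportedEncryptionTypes bit values are the documented ones, and an unset attribute on a user account means the DC issues RC4 service tickets.

```python
"""Audit SPN-bearing accounts for Kerberoasting and RC4 exposure (added example)."""
from datetime import datetime, timedelta, timezone

RC4_HMAC, AES128, AES256 = 0x4, 0x8, 0x10          # msDS-SupportedEncryptionTypes bits
MAX_PASSWORD_AGE = timedelta(days=365)             # policy threshold: an assumption
PRIVILEGED_GROUPS = ("CN=Domain Admins,",)         # assumption: group DN prefixes to flag
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01), integer math only."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def filetime_to_datetime(ft):
    """Windows FILETIME -> UTC datetime (pwdLastSet is stored in this form)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample accounts (not real directory data).
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
     "pwdLastSet": datetime_to_filetime(utc_day(2019, 1, 15)),
     # msDS-SupportedEncryptionTypes deliberately unset: DC falls back to RC4 tickets
     "objectClass": USER_CLASSES,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local"]},
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "pwdLastSet": datetime_to_filetime(utc_day(2024, 3, 1)),
     "msDS-SupportedEncryptionTypes": AES128 | AES256,
     "objectClass": USER_CLASSES, "memberOf": []},
    {"sAMAccountName": "svc_legacy", "servicePrincipalName": ["CIFS/fs01.corp.local"],
     "pwdLastSet": datetime_to_filetime(utc_day(2023, 12, 1)),
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES256,   # RC4 still negotiable
     "objectClass": USER_CLASSES, "memberOf": []},
    {"sAMAccountName": "gmsa_backup$", "servicePrincipalName": ["HOST/backup01.corp.local"],
     "pwdLastSet": datetime_to_filetime(utc_day(2024, 5, 20)),
     "msDS-SupportedEncryptionTypes": AES256,
     "objectClass": USER_CLASSES + ["computer", "msDS-GroupManagedServiceAccount"],
     "memberOf": []},
    {"sAMAccountName": "alice", "servicePrincipalName": [],    # no SPN: not roastable
     "pwdLastSet": datetime_to_filetime(utc_day(2018, 6, 1)),
     "objectClass": USER_CLASSES,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local"]},
]


def audit(accounts, now):
    """Return {sAMAccountName: [issue tags]} for SPN accounts worth an attacker's ticket request."""
    findings = {}
    for a in accounts:
        if not a.get("servicePrincipalName"):
            continue                    # no SPN, so no service ticket can be requested
        if "msDS-GroupManagedServiceAccount" in a["objectClass"]:
            continue                    # gMSA: long random password rotated by AD
        issues = []
        enc = a.get("msDS-SupportedEncryptionTypes", 0)
        if enc == 0 or enc & RC4_HMAC:
            # RC4 ticket is keyed by the NT hash: cheap to crack, and the same
            # hash doubles as an overpass-the-hash key
            issues.append("rc4_allowed")
        if now - filetime_to_datetime(a["pwdLastSet"]) > MAX_PASSWORD_AGE:
            issues.append("password_older_than_365d")
        if any(g.startswith(PRIVILEGED_GROUPS) for g in a.get("memberOf", [])):
            issues.append("privileged_group")
        if issues:
            findings[a["sAMAccountName"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, utc_day(2024, 6, 1)).items():
        print(f"{name}: {', '.join(issues)}")
```

Fixing a flagged account means setting msDS-SupportedEncryptionTypes to AES only and rotating the password to a long random value (or migrating the service to a gMSA); the privileged_group tag marks the accounts to fix first, since a cracked ticket there is a domain compromise.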
where is ntds.dit located (it holds the AD domain service database, including every LM/NT hash in the domain; the hashes are encrypted with a key derived from the SYSTEM hive's boot key, so with both files they are easy to recover) - answer \Windows\NTDS on a domain controller. The file is locked while AD runs, so extraction needs admin rights plus Volume Shadow Copy (or ntdsutil) to copy it together with the SYSTEM hive.
what is the prefetch - answer files under \Windows\Prefetch (*.pf) that the prefetcher uses to preload an application's pages for performance; they are compressed since Windows 10. Each one shows what ran, when it ran (last run times) and how many times. Earlier versions of a .pf file are also commonly recoverable from unallocated space.
what is a prefetch hash based off of - answer the executable's full path; for a few hosting binaries (svchost.exe, dllhost.exe, rundll32.exe, mmc.exe, backgroundtaskhost.exe) the command line arguments are included too, so each invocation with different arguments gets its own .pf file
how many of last executions are stored in the prefetch for windows 8 and 10 - answer
last 8 times executed with times
what does PECmd look like - answer PECmd.exe -f E:\C\Windows\Prefetch\<file>.pf for one file (path as mounted from the image), or PECmd.exe -d E:\C\Windows\Prefetch --csv C:\cases\out to parse a whole directory to CSV
how does the prefetch work - answer the .pf file's creation time is not changed on later runs (it marks the first run). On each run Windows reads the existing entry, updates it and writes the file to a new cluster location, so the previous version (run 1 when run 2 is written, run 2 when run 3 is written) is left behind in unallocated space.
how can an adversary kill a prefetch - answer use SDelete or another file wiper. The catch: the wiper itself runs and creates its own prefetch entry (which it cannot wipe while it is in use), so it leaves residue, and it only wipes the current .pf file, not the earlier versions sitting in unallocated space.
where are 32 bit system binaries located - answer C:\Windows\SysWOW64
where are 64 bit system binaries located - answer C:\Windows\System32
what is a rule for a 32 bit child process - answer a 32-bit parent that launches a system binary gets the SysWOW64 (32-bit) copy through file system redirection, so its child is normally 32-bit too; a bitness mismatch between parent and child, or a "System32" binary actually running from SysWOW64, is worth investigating
What does AppCompatCache (ShimCache) track? - answer a file's path and its last modification time ($STANDARD_INFORMATION), plus on Windows 7/8 a flag for whether it executed; Windows 10 no longer records whether the file actually ran. Files are re-shimmed (get a new entry) if the application is moved, renamed or time stomped.
what is the location of the ShimCache (up to 1024 entries) - answer SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache, value AppCompatCache
when are files shimmed - answer when an executable is run, and when a directory containing executables is browsed in Explorer (including on a USB device or network share), so an entry alone does not prove execution
what are some confusing parts of the ShimCache - answer the entry shows the file's modification time, not the time it was shimmed; entries are ordered by insertion (most recent first), so the order, not the timestamp, gives the sequence; and the cache lives in memory and is only written to the registry at shutdown or reboot
What is the Amcache location? - answer C:\windows\appcompat\programs\
amcache.hve
What does the Amcache contain? - answer for executed programs: the full path, the file's $STANDARD_INFORMATION last modification time, the volume the executable ran from (the key's last write time approximates the first run), and a SHA-1 hash of the executable. The SHA-1 covers only the first 31,457,280 bytes (30 MiB) of the file, so for larger binaries it will not match a hash of the whole file.
what is wsmprovhost.exe an indicator of? - answer WinRM / PowerShell Remoting (it hosts the remote session on the target; it is not RDP)
what is wmiprvse.exe an indicator of - answer the WMI provider host; remote WMI commands execute through it
what are net.exe and net1.exe - answer the net command (net use, net view, net user, net group); used to map network shares and enumerate users and groups
what can sorting the ShimCache by modification time show us (after a reboot, once the cache has been written to the registry) - answer entries with the same modification timestamp under different paths are probably the same file renamed or moved. Caveat: OS binaries from one build legitimately share timestamps, so concentrate on paths outside the system directories.
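The rename check above in code, as an added example that is not part of the flash cards. The CSV is constructed in the column layout AppCompatCacheParser writes (the header names are an assumption here); real input would be that tool's output for the SYSTEM hive. Cache position 0 is the most recently inserted entry, and the timestamp is the binary's modification time, which is why the System32 entries sharing a timestamp are not flagged.

```python
"""Find ShimCache entries that look like one binary under several names (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample in AppCompatCacheParser's CSV shape (column names assumed).
SAMPLE_CSV = """\
ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate
1,0,C:\\Windows\\System32\\cmd.exe,2023-05-10 08:12:03,,False
1,1,C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe,2021-01-04 17:55:21,,False
1,2,C:\\Windows\\System32\\svchost.exe,2023-05-10 08:12:03,,False
1,3,C:\\Users\\bob\\Downloads\\invoice.exe,2021-01-04 17:55:21,,False
1,4,C:\\ProgramData\\update\\invoice.exe,2021-01-04 17:55:21,,False
1,5,C:\\Windows\\System32\\notepad.exe,2023-05-10 08:12:03,,False
"""

# Assumption: binaries under these prefixes share timestamps per OS build, not per rename.
SYSTEM_DIRS = ("c:\\windows\\",)


def parse_shimcache(csv_text):
    """Return entries as dicts, ordered by cache position (most recent insertion first)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({"position": int(row["CacheEntryPosition"]),
                     "path": row["Path"],
                     "mtime": row["LastModifiedTimeUTC"]})
    rows.sort(key=lambda r: r["position"])
    return rows


def group_by_mtime(rows):
    """Timestamp -> paths, keeping only timestamps shared by more than one entry."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["mtime"]].append(r["path"])
    return {t: paths for t, paths in groups.items() if len(paths) > 1}


def probable_renames(rows, system_prefixes=SYSTEM_DIRS):
    """Shared timestamps where at least two paths lie outside the system directories."""
    flagged = {}
    for mtime, paths in group_by_mtime(rows).items():
        outside = [p for p in paths if not p.lower().startswith(system_prefixes)]
        if len(outside) > 1:
            flagged[mtime] = sorted(outside)
    return flagged


if __name__ == "__main__":
    rows = parse_shimcache(SAMPLE_CSV)
    print("most recent entry:", rows[0]["path"])
    for mtime, paths in probable_renames(rows).items():
        print(f"{mtime}: probably one file under {len(paths)} names")
        for p in paths:
            print("   ", p)
```

The three 2021 entries are reported as one binary (the same dropper copied to Temp, Downloads and ProgramData); the three 2023 System32 entries are ignored even though they also share a timestamp.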
Where is the SYSTEM registry hive file located in a Windows environment - answer \Windows\System32\config (alongside SAM, SECURITY and SOFTWARE)
where is NTUSER.DAT - answer C:\Users\<username>\NTUSER.DAT (one per user profile)
where are the event logs on a Windows 10 system - answer \Windows\System32\winevt\Logs (.evtx files, since Vista)
on earlier systems (XP, Server 2003) they are .evt files in \Windows\System32\config
What does the security event log record - answer user authentication and logon
user behavior and actions
file/folder/share access
security settings modifications
what process updates the security log - answer only LSASS (third party applications
cannot insert events)
what are recorded categories in security event log - answer
What is 4624 - answer successful logon (4625 is the failed logon)
What is logon type 2 - answer Interactive: logon at the console (keyboard, KVM, etc.)
what is logon type 3 - answer Network: SMB shares, remote administration, WinRM
what is logon type 4 - answer Batch: used by scheduled tasks
what is logon type 5 - answer Service: a Windows service starting under an account
what is logon type 7 - answer Unlock: credentials used to unlock the screen; also seen on RDP session reconnect
what is logon type 8 - answer NetworkCleartext: network logon with credentials sent in cleartext (e.g. IIS basic authentication)
what is logon type 9 - answer NewCredentials: different credentials than the logged-on user, used only for outbound network connections, e.g. runas /netonly
what is logon type 10 - answer RemoteInteractive: Terminal Services / RDP
what is logon type 11 - answer CachedInteractive: cached domain credentials used because no DC was reachable
what is logon type 12 - answer CachedRemoteInteractive: the cached-credential form of type 10
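Putting the logon types to work over a batch of 4624 events, as an added example that is not part of the flash cards. EVENTS is a constructed list of records carrying the EventData field names the event uses (LogonType, TargetUserName, IpAddress, WorkstationName, AuthenticationPackageName); real input would come from an EVTX parser or a SIEM export. ADMIN_JUMP_HOSTS is an assumed list of the only hosts that should be RDP sources.

```python
"""Triage Security log 4624 events by logon type (added example)."""
from collections import Counter, defaultdict

LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock / RDP reconnect",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP)",
    11: "CachedInteractive",
    12: "CachedRemoteInteractive",
}
ADMIN_JUMP_HOSTS = {"10.0.0.5"}      # assumption: the only sanctioned RDP sources


def ev(eid, lt, user, ip, ws, pkg):
    return {"EventID": eid, "LogonType": lt, "TargetUserName": user,
            "IpAddress": ip, "WorkstationName": ws, "AuthenticationPackageName": pkg}


# Constructed sample events in log order (IpAddress is "-" for local logons).
EVENTS = [
    ev(4624, 2, "alice", "-", "WS01", "Kerberos"),
    ev(4624, 3, "alice", "10.0.1.20", "WS01", "Kerberos"),
    ev(4624, 10, "admin-bob", "10.0.0.5", "JUMP01", "Kerberos"),
    ev(4624, 10, "admin-bob", "10.0.1.77", "WS03", "NTLM"),
    ev(4624, 9, "carol", "-", "WS02", "Negotiate"),
    ev(4624, 11, "dave", "-", "LAPTOP7", "Negotiate"),
    ev(4624, 4, "svc_backup", "-", "FS01", "Negotiate"),
    ev(4625, 3, "admin-bob", "10.0.1.77", "WS03", "NTLM"),   # failure: not a 4624
    ev(4624, 8, "iisuser", "10.0.2.9", "WEB01", "NTLM"),
]


def describe(event):
    lt = event["LogonType"]
    return (f"4624 type {lt} ({LOGON_TYPES.get(lt, 'unknown')}) "
            f"{event['TargetUserName']} from {event['IpAddress']}")


def triage(events, jump_hosts=ADMIN_JUMP_HOSTS):
    """Count successful logons per type and flag the ones to look at first."""
    counts = Counter()
    findings = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        lt = e["LogonType"]
        counts[lt] += 1
        if lt == 10 and e["IpAddress"] not in jump_hosts:
            findings.append(("RDP from a non-jump host", e))
        elif lt == 9:
            findings.append(("alternate credentials (runas /netonly)", e))
        elif lt in (11, 12):
            findings.append(("cached credentials used: no DC reachable", e))
        elif lt == 8:
            findings.append(("credentials sent in cleartext", e))
    return counts, findings


def sources_per_user(events, logon_types=(3, 10)):
    """Source addresses each account reached this host from over the network or RDP."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] in logon_types and e["IpAddress"] != "-":
            seen[e["TargetUserName"]].add(e["IpAddress"])
    return dict(seen)


if __name__ == "__main__":
    counts, findings = triage(EVENTS)
    for lt, n in sorted(counts.items()):
        print(f"type {lt:2d} {LOGON_TYPES[lt]:32s} {n}")
    for reason, e in findings:
        print(f"FLAG {reason}: {describe(e)}")
    for user, ips in sources_per_user(EVENTS).items():
        print(f"{user}: {sorted(ips)}")
```

The per-user source map is what exposes lateral movement: admin-bob arriving by RDP from both the jump host and a workstation is the pattern to chase, while the type 11 entry for dave is expected on a laptop that was off the network.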