Slide deck from my session at : “The hacker : How to think and like a cybercriminal to reduce

Tools from the session

Here you can find the most important tools I used during the session!

>> Get the tools from this session <<

Session Summary

Thank you for attending the Microsoft Ignite precon delivered by Paula Januszkiewicz. A few words of summary about what Paula talked about:

The precon was divided into 4 parts:

  1. Forensics and evidence hiding and finding
  2. Code execution techniques and prevention techniques
  3. Advanced monitoring techniques
  4. Automation and network attacks

During the precon we focused on the importance of each of these subjects and techniques, because during penetration tests we see that they are the ones that pretty much always work!

Here is a bit of a sneak peek of what was shown regarding the Windows Indexing Service during the precon.

  • How to create a shadow copy on the client?

```powershell
# Create a client-accessible shadow copy of C: (run from an elevated PowerShell)
$s1 = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
# Look up the shadow copy object that was just created
$s2 = gwmi Win32_ShadowCopy | ? { $_.ID -eq $s1.ShadowID }
# The device path needs a trailing backslash for mklink to accept it
$d  = $s2.DeviceObject + "\"
# Expose the snapshot as a directory symbolic link
cmd /c mklink /d C:\shadowcopy "$d"
```

  • The Windows Indexing Service data lives in C:\ProgramData\Microsoft\Search\Data\Applications\Windows; in our case we need to go to the same folder, but under the C:\shadowcopy link created earlier: C:\shadowcopy\ProgramData\Microsoft\Search\Data\Applications\Windows
  • Now we need to copy Windows.edb and open it in ESEDatabaseView; you can download it from
  • From the listbox, choose SystemIndex_Gthr and review the results! If you had some exe in the indexed locations, use Ctrl+F in the Gthr table.
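The steps above put together as a forensic acquisition script; this is an added example, not code from the session or its slides. It assumes an elevated PowerShell session, and C:\Evidence is a hypothetical destination folder.

```powershell
# Added example: acquire Windows.edb from a fresh client-side shadow copy so the
# locked live file can be examined offline (e.g. in ESEDatabaseView).
# Assumes an elevated PowerShell session; $Destination is a hypothetical evidence folder.
param(
    [string]$Volume      = "C:",
    [string]$LinkPath    = "C:\shadowcopy",
    [string]$Destination = "C:\Evidence"
)
$edbRelative = "ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"

# 1. Create a client-accessible shadow copy of the volume.
$result = (Get-WmiObject -List Win32_ShadowCopy).Create("$Volume\", "ClientAccessible")
if ($result.ReturnValue -ne 0) {
    throw "Shadow copy creation failed, return code $($result.ReturnValue)"
}
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }

try {
    # 2. Expose the snapshot through a directory symbolic link (trailing backslash required).
    $device = $shadow.DeviceObject + "\"
    cmd /c mklink /d $LinkPath "$device" | Out-Null

    # 3. Copy the index database out of the snapshot; the live file is held open by the indexer.
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $source = Join-Path $LinkPath $edbRelative
    $target = Join-Path $Destination ("Windows_{0:yyyyMMdd_HHmmss}.edb" -f (Get-Date))
    Copy-Item -Path $source -Destination $target

    # 4. Record a SHA-256 hash so the acquired copy can be verified later.
    $hash = Get-FileHash -Path $target -Algorithm SHA256
    "{0}  {1}" -f $hash.Hash, $target | Add-Content -Path (Join-Path $Destination "Windows.edb.sha256")
    Write-Output "Acquired $target (SHA256 $($hash.Hash))"
}
finally {
    # 5. Clean up: rmdir removes only the link (reparse point), then drop the shadow copy.
    if (Test-Path $LinkPath) { cmd /c rmdir $LinkPath | Out-Null }
    Remove-WmiObject -InputObject $shadow
}
```

Open the acquired copy in ESEDatabaseView and select the SystemIndex_Gthr table as described above.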

If you have any questions, please post them in the section below.

