Anthony R. Byrne
Check out my research into this MITER ATTACK persistence technique where I
identify vulnerable pre-installed Windows applications. Creating a PoC exploit for this vulnerability
to inject and execute a Cobalt Strike Beacon in the victim machine's memory. The victim machine was
running Symmantec Endpoint Protection and all traffic was going through Paulo Alto Network's Next
Generation Firewall.
Windows collects a lot of detailed telemetry about the applications you open,
when you open them, how long you spend on them, and the times and names of when you switched from
you work app to YouTube. It also records where and when you copy and pasted. All of this data is
very useful for digital forensics investigators in a corporate setting, or for an attacker to
bypass behavioural analysis when exfiltrating data.
My script will parse your local windows timeline database and generate some CSV files and PDFs to
show you the kinds of data stored here.
