Free MS Virtual Machine Images
- slmgr /ato – will give you 90 day trial
McKinsey's structural people who work at the Firm I referred to as consultants, regardless of their actual title in the Firm, since this is a book on leadership transition. However, I have used many internal job titles to facilitate the discussion and give perspective on the success principles. Yet if you are new to this world the different titles can become confusing, so I have created this simple hierarchical structure to answer the question: what exactly is each level responsible for?

Basic hierarchical structure:
- Business analyst (BA): day to day on a client project, holding a single workstream.
- Associate (ASC): day to day on a client project, holding multiple workstreams.
- Engagement manager (EM): leads project teams, interacts with multiple client heads, facilitates McKinsey principal and director involvement. (Leadership transition.)
- Associate principal (AP): attends multiple existing project discussions, develops new clients and works as executive apprentice to principals and directors. (Ownership transition.)
- Principal: controls a number of new and existing client projects, collaborates with directors, gives direction to teams, holds shares of the Firm.
- Director: develops new functional and industry-specific platforms, sets Firm direction together with the other directors.

An organisation model that assures success: for the Firm, consulting means selling complex services. McKinsey sells the most premium services; a project that takes a few months can cost a fortune.

Complex services take more time to sell and require highly sophisticated salespeople. This is true especially for the business-to-business (B2B) franchise: for it to be successful, multiple forces must work together, including high brand value, a high-performing culture, top-notch talent, proprietary knowledge resources, a distinctive organisation structure and others. Entrepreneurs say there is always a reason why your business succeeds, and it shows in its business model, in how people are able to effectively carry out their given roles. For McKinsey and the other consulting companies that followed, I believe this success has been the result of a lean structure along with its unique problem-solving method, which has been emulated by both other consulting firms and corporations.

For complex services, the salespeople sit at the very top instead of at the bottom. It is awkward at first when you realise this dynamic, especially when you become the engagement manager and have all the people look to you for specific project ownership and leadership. Suddenly you must step up more than just a few steps: as an engagement manager you are nearly forced into the state of "you handle everything" and handed the conductor's baton. As you learn more about the Firm and the top management consulting industry, you realise that this is quite a lean and effective business model. It makes sense that highly sophisticated conversations are conducted by the most senior, experienced and trained communication specialists, the directors and senior principals; a two-million-dollar engagement is a huge opportunity and must be directed by the best. Thus consultants never really find out about the sales function until the very end of their career, and they do so only in its most complex form, which is not the traditional push sales form but one of giving clients a reason to say "sounds interesting, would you send a proposal about the framework or approach you just mentioned?" Consultants become very good at giving tip-of-the-iceberg answers without giving away the entire glacier, inviting the clients to ask for more. It is a definite skill necessary for complex services. The Firm trains fundamental communication skills for many years, and this is so important that even a person who was a high-level senior executive at another company with 15 years of experience, should he or she choose to join the Firm, will need to go through the entire McKinsey learning process from the associate level, though in an accelerated way.

In the mind of every consultant, and in the training of the less experienced, lies a deep understanding of how leadership development works: first by building up your fundamental skills and capabilities, in this case problem solving; next by honing your listening and communication over many years; and finally by perfecting your mindset and character in the long run, the hardest things to change. Only then will you have the necessary ability to stand in the circle of leaders.

Although this book is about leadership transition, it is important for you to understand how your organisation is structured and how it should work. Typically, learning about what you sell is a great starting point. Unless you are an entrepreneur, which by definition as founder and CEO entitles you to a leadership position and an understanding of your own business model, you will, like most people, need to climb your way up, so you need to figure out what forces are at work and how you can be successful in the given position. For example, some McKinsey people leave the Firm upon reaching associate principal because they cannot master or get accustomed to the newly charged sales role, and would rather look for a prominent mid- to back-office COO-type leadership role.

For an organisation structure to work, the people working need to be efficiently utilised. Some organisations do a poor job and create massive management overhead problems because the structure does not fit the nature of their business. For example, if your organisation is based on a door-to-door sales model selling kitchen supplies, you don't need many managers for your people; instead you need better training and tools to empower each salesperson, and a system that weeds out salespeople who are unfit for the job. McKinsey's organisation model is bound to work given the nature of what it sells. This model also explains why consultants work around the clock: a consultant, regardless of tenure, is tasked with different roles that can be unbounded. Senior leaders need to keep pushing potential client engagements into the pipeline, sowing all the time rather than only harvesting. Engagement managers and below need to help clients justify their cost. The only difference is that senior leaders can control their work time as long as they are pulling in their sales quota, whereas consultants need to rely on client expectations that are outside their control.

This is John Haigh from McGraw-Hill Professional. Thank you for listening.
Furthermore, David Cowen in his recent Sunday Funday Challenge over at HECFBlog had posed a similar question regarding evidence of execution. With that as my motivation, I set about to document different artifacts which can be used to evidence program execution (both user attributable and otherwise) as available in various different versions of Windows.
I should highlight up front that some really fantastic blog posts from Harlan Carvey, Andrea Fortuna, Corey Harrell and Mary Singh gave me a significant leg up. This isn't my first time reading any of those posts and I'm sure it won't be my last. A myriad of other posts assisted in confirming details of specific artifacts and I have referenced those below. The main focus of this post, and particularly the associated table of artifacts, is to serve as a reference and reminder of what evidence sources may be available on a particular system during analysis.
On to the main event. The table below details some of the artifacts which evidence program execution and whether they are available for different versions of the Windows Operating System.
Cells in Green are where the artifact is available by default, note some artifacts may not be available despite a Green cell (e.g. instances where prefetch is disabled due to an SSD)
Cells in yellow indicate that the artifact is associated with a feature that is disabled by default but that may be enabled by an administrator (e.g. Prefetch on a Windows Server OS) or added through the application of a patch or update (e.g. The introduction of BAM to Windows 10 in 1709+ or back-porting of Amcache to Windows 7 in the optional update KB2952664+)
Cells in Red indicate that the artifact is not available in that version of the OS.
Cells in Grey (containing “TBC”) indicate that I’m not 100% sure at the time of writing whether the artifact is present in a particular OS version, that I have more work to do, and that it would be great if you could let me know if you already know the answer!
It is my hope that this table will be helpful to others. It will be updated and certainly at this stage it may be subject to errors as I am reliant upon research and memory of artifacts without having the opportunity to double check each entry through testing. Feedback, both in the form of suggested additions and any required corrections is very much appreciated and encouraged.
Prefetch has historically been the go-to indication of process execution. If enabled, it can provide a wealth of useful data in an investigation or incident response. However, since Windows 7, systems with an SSD installed as the OS volume have had prefetch disabled by default during installation. With that said, I have seen plenty of systems with SSDs which have still had prefetch enabled (particularly in businesses which push a standard image), so it is always worth checking for. Windows Server installations also have Prefetch disabled by default, but the same applies.
The following registry key can be used to determine if it is enabled:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher
0 = Disabled
1 = Only Application launch prefetching enabled
2 = Only Boot prefetching enabled
3 = Both Application launch and Boot prefetching enabled
It should be noted that the presence of an entry for an executable within the ShimCache doesn't always mean it was executed, as merely navigating to it can cause it to be listed. Additionally, the Windows XP ShimCache is limited to 96 entries; all versions since then retain up to 1024 entries.
ShimCache has one further notable drawback. The information is retained in memory and is only written to the registry when the system is shutdown. Data can be retrieved from a memory image if available.
Programs executed via Explorer result in MUICache entries being created within the NTUSER.DAT of the user responsible.
Amcache.hve within Windows 8+ and RecentFileCache.bcf within Windows 7 are two distinct artifacts which are used by the same mechanism in Windows to track application compatibility issues with different executables. As such they can be used to determine when executables were first run.
The Microsoft-Windows-TaskScheduler log file (specifically events 200 and 201) can evidence the starting and stopping of an executable which is being run as a scheduled task.
Applicable to Windows XP/Server 2003 only, this artifact is located in the System registry hive; these keys can evidence the running of executables which are installed as a service.
Both of these system logs are related to the Application Experience and Compatibility features implemented in modern versions of Windows.
At the time of testing I find none of my desktop systems have the Inventory log populated, while the Telemetry log seems to contain useful information. I have however seen various discussion online indicating that the Inventory log is populated in Windows 10. It is likely that my disabling of all tracking and reporting functions on my personal systems and VMs may be the cause… more testing required.
The Background Activity Monitor (BAM) and Desktop Activity Moderator (DAM) registry keys are located within the SYSTEM registry hive; however, as they record entries under the SID of the associated user, the artifact is user attributable. The keys detail the path of executable files that have been executed and the last execution date/time.
It was introduced to Windows 10 in 1709 (Fall Creators update).
Introduced in Windows 8, this Windows feature maintains a record of all sorts of interesting information concerning applications and can be used to determine when applications were running.
In the Windows 10 1803 (April 2018) Update, Microsoft introduced the Timeline feature, and all forensicators did rejoice. This artifact is a goldmine for user activity analysis and the associated data is stored within an ActivitiesCache.db located within each user's profile.
Event IDs 592 (Windows XP/2003) and 4688 (everything since) are recorded within the Security log on process creation, but only if Audit Process Creation is enabled.
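As an added example (not part of the original post), the following Python builds an execution timeline from exported process-creation records. It assumes the Security log has been exported to a simple key=value text form; the field names follow the 4688 event's data names (SubjectUserName, NewProcessName, ParentProcessName), but the export format and the sample lines are constructed for this example.

```python
"""Build a process-execution timeline from exported Security log records.

Added example, not code from the original post. The pipe-delimited export
format and the sample records are constructed; the field names mirror the
data names found in the 4688 event.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List

# Event IDs that record process creation in the Security log (592 on XP/2003,
# 4688 on everything since), as described in the post.
PROCESS_CREATION_IDS = {592: "Windows XP/2003", 4688: "Vista and later"}

# Constructed sample export: one record per line, key=value pairs joined by '|'.
SAMPLE_EXPORT = """\
EventID=4688|TimeCreated=2018-07-20T09:15:02Z|SubjectUserName=alice|NewProcessName=C:\\Windows\\System32\\cmd.exe|ParentProcessName=C:\\Windows\\explorer.exe
EventID=4624|TimeCreated=2018-07-20T09:14:55Z|SubjectUserName=alice|LogonType=2
EventID=4688|TimeCreated=2018-07-20T09:15:40Z|SubjectUserName=alice|NewProcessName=C:\\Users\\alice\\Downloads\\update.exe|ParentProcessName=C:\\Windows\\System32\\cmd.exe
EventID=592|TimeCreated=2018-07-20T10:02:11Z|SubjectUserName=bob|NewProcessName=C:\\WINDOWS\\system32\\net.exe
"""


@dataclass(frozen=True)
class ProcessStart:
    when: datetime
    user: str
    image: str
    parent: str   # empty when the record carries no parent field (e.g. 592)
    source: str   # which event ID family produced the record


def parse_record(line: str) -> dict:
    """Split one 'key=value|key=value' line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def process_starts(lines: Iterable[str]):
    """Yield a ProcessStart for every process-creation record; ignore the rest."""
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        event_id = int(rec.get("EventID", 0))
        if event_id not in PROCESS_CREATION_IDS:
            continue
        when = datetime.strptime(rec["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        yield ProcessStart(
            when=when.replace(tzinfo=timezone.utc),
            user=rec.get("SubjectUserName", ""),
            image=rec.get("NewProcessName", ""),
            parent=rec.get("ParentProcessName", ""),
            source=PROCESS_CREATION_IDS[event_id],
        )


def execution_timeline(export_text: str) -> List[ProcessStart]:
    """Return all process starts sorted oldest first."""
    return sorted(process_starts(export_text.splitlines()), key=lambda p: p.when)


def executions_of(export_text: str, image_name: str) -> List[ProcessStart]:
    """Case-insensitive lookup of every start of a given executable file name."""
    suffix = "\\" + image_name.lower()
    return [p for p in execution_timeline(export_text) if p.image.lower().endswith(suffix)]


def audit_probably_enabled(export_text: str) -> bool:
    """True if at least one process-creation record exists at all.

    A log with no 592/4688 records says nothing about execution: Audit Process
    Creation may simply have been off, so absence must not be read as evidence.
    """
    return any(True for _ in process_starts(export_text.splitlines()))


if __name__ == "__main__":
    for start in execution_timeline(SAMPLE_EXPORT):
        print(start.when.isoformat(), start.user, start.image, "<-", start.parent or "?")
```

The parent field is read optionally, since older 4688 records do not carry it, and `audit_probably_enabled` encodes the caveat from the text: 4688 is only written when Audit Process Creation is enabled, so an empty result is a reason to check the audit policy rather than a finding.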
Event ID 7035 within the System event log is recorded by the Service Control Manager when a Service starts or stops. As such it can be an indication of execution if the associated process is registered as a service.
Within each user's NTUSER.DAT the UserAssist key tracks execution of GUI applications.
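The following decoder is an added example (not code from the original post). UserAssist value names are ROT13-encoded paths and the binary value data differs between Windows XP (16 bytes) and Windows 7 and later (72 bytes); the offsets used here are the commonly documented ones and are an assumption of this example, and the two sample entries are constructed rather than taken from a real hive.

```python
"""Decode UserAssist entries exported from NTUSER.DAT (added example).

Assumed layouts (an assumption of this example, not stated in the post):
  XP     : session(4) | run count(4, counter starts at 5) | last run FILETIME(8)
  Win7+  : session(4) | run count(4) | focus count(4) | focus time ms(4) |
           ... | last run FILETIME(8) at offset 60 | ... (72 bytes in total)
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to UTC; 0 means never."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build constructed samples."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_name(rot13_name: str) -> str:
    """UserAssist value names are ROT13-encoded; digits and separators pass through."""
    return codecs.decode(rot13_name, "rot_13")


def decode_userassist(value_name: str, data: bytes) -> dict:
    """Return a dict describing one UserAssist entry, choosing the layout by length."""
    path = decode_name(value_name)
    if len(data) == 16:
        _session, count, last = struct.unpack("<IIQ", data)
        # XP counters start at 5, so subtract 5 to get the real run count.
        return {"path": path, "format": "xp", "run_count": max(count - 5, 0),
                "focus_count": None, "focus_time": None,
                "last_run": filetime_to_datetime(last)}
    if len(data) == 72:
        _session, count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (last,) = struct.unpack_from("<Q", data, 60)
        return {"path": path, "format": "win7+", "run_count": count,
                "focus_count": focus_count,
                "focus_time": timedelta(milliseconds=focus_ms),
                "last_run": filetime_to_datetime(last)}
    raise ValueError(f"unrecognised UserAssist data length {len(data)}")


def decode_all(entries: dict) -> list:
    """Decode a {value_name: data} mapping, most recently run first."""
    decoded = [decode_userassist(name, data) for name, data in entries.items()]
    return sorted(decoded, key=lambda e: e["last_run"] or FILETIME_EPOCH, reverse=True)


# Constructed sample entries: a Win7+ record for notepad.exe and an XP record for cmd.exe.
SAMPLE_ENTRIES = {
    "P:\\Jvaqbjf\\Flfgrz32\\abgrcnq.rkr":
        struct.pack("<IIII", 0, 7, 3, 45000) + bytes(44)
        + struct.pack("<Q", datetime_to_filetime(datetime(2018, 7, 20, 9, 15, 2, tzinfo=timezone.utc)))
        + bytes(4),
    "P:\\Jvaqbjf\\Flfgrz32\\pzq.rkr":
        struct.pack("<IIQ", 0, 8, datetime_to_filetime(datetime(2017, 1, 5, 12, 0, 0, tzinfo=timezone.utc))),
}

if __name__ == "__main__":
    for entry in decode_all(SAMPLE_ENTRIES):
        print(entry["last_run"], entry["run_count"], entry["path"])
```

Selecting the layout by data length is what lets one parser handle both the XP and the Windows 7+ hives named in the table; a length that matches neither is reported rather than silently misread.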
The RecentApps key is located in the NTUSER.DAT associated with each user and contains a record of their… Recent Applications. The presence of keys associated with a particular executable evidences the fact that this user ran the executable.
Implemented in Windows 7, Jumplists are a mechanism by which Windows records and presents recent documents and applications to users. They are located within individual users' profiles, and the presence of references to executable(s) within the 'Recent\AutomaticDestinations' folder can be used to evidence the fact that they were run by the user.
The RunMRU is a list of all commands typed into the Run box on the Start menu and is recorded within the NTUSER.DAT associated with each user. Commands referencing executables can be used to determine if, how and when the executable was run and which user account was associated with running it.
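As an added example (not part of the original post), this Python orders exported RunMRU values by recency. It assumes the usual RunMRU layout: each typed command is stored as a value named with a single letter and holding `<command>\1`, while the MRUList value lists those letters most recent first. The sample values are constructed.

```python
"""Order RunMRU entries by recency (added example, not from the post).

Assumed layout: values 'a', 'b', ... hold '<command>\\1'; the MRUList value
lists the letters with the most recently used first. Samples are constructed.
"""
from typing import Dict, List, Tuple

SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "\\\\fileserver\\share\\tool.exe -install\\1",
}


def ordered_commands(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (letter, command) pairs, most recent first, following MRUList."""
    commands = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue  # MRUList may reference a letter whose value no longer exists
        if raw.endswith("\\1"):
            raw = raw[:-2]  # strip the trailing "\1" marker the Run box appends
        commands.append((letter, raw))
    return commands


def most_recent(values: Dict[str, str]):
    """The command typed last; this is the one the key's LastWrite time refers to."""
    cmds = ordered_commands(values)
    return cmds[0][1] if cmds else None


def commands_referencing(values: Dict[str, str], name: str) -> List[Tuple[str, str]]:
    """Entries whose command mentions a given executable name (case-insensitive)."""
    needle = name.lower()
    return [(letter, cmd) for letter, cmd in ordered_commands(values) if needle in cmd.lower()]


if __name__ == "__main__":
    for letter, cmd in ordered_commands(SAMPLE_RUNMRU):
        print(letter, cmd)
```

Only the most recent entry can be dated from the key itself (via the key's LastWrite time), so the ordering is the useful part of the artifact for the others; pair it with the user's NTUSER.DAT to get the "which account" half of the question.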
|Group name|Reconnaissance|Credential harvesting|
|---|---|---|
|Tick|whoami, procdump, VBS|WCE, Mimikatz, gsecdump|
|Waterbug|systeminfo, net, tasklist, gpresult|WCE, pwdump|
|Suckfly|tcpscan, smbscan|WCE, gsecdump, credentialdumper|
|Fritillary|PowerShell, sdelete|Mimikatz, PowerShell|
|Destroyer|Disk usage, event log viewer|kerberos manipulator|
|Chafer|network scanner, SMB bruteforcer|WCE, Mimikatz, gsecdump|
|Greenbug|Broutlook|WCE, gsecdump, browdump|
|Buckeye|os info, user info, smb enumerator|pwdump, Lazagne, chromedump|
|Billbug|ver, net, gpresult, systeminfo, ipconfig|–|
|Appleworm|net, netsh, query, telnet, find|dumping SAM|
Published 17 July 2018 – ID G00319345 – 23 min read
Recording of context-rich endpoint event and state information.
Pricing of EDR solutions remains at a premium.
Incident data collection and analysis occur post-event, with limited automated incident response capabilities.
Option to store collected data on endpoints themselves, centralized servers, the cloud or as a hybrid of these.
Requires the installation, management and updating of yet another agent.
EDR provides very limited to no contextual insight outside of the endpoint data it collects, requiring manual intervention to correlate data with such external sources as firewalls, CASB, etc.
Data retention periods can support the operational needs of different organizations.
Support of EDR capabilities varies by platforms and versions of operating systems.
Knowledgeable staff with EDR experience are extremely difficult to find and come at a premium.
Ability to search collected data to identify issues on one or many endpoints at a time.
Requires staff with strong knowledge of endpoint operations to obtain benefits.
Vendors and managed service providers offer staff augmentation, but capabilities and costs vary dramatically.
Currently available solutions now appeal to a broad segment of organizations with differing technical abilities.
AI and machine learning remain mostly marketing terms rather than actual product capabilities.
Contrary to many clients’ understanding of the products, EDR does not resolve fundamental security and operational issues within organizations, nor does it eliminate the need for basic hygiene and patching.
The System Integrity Management Platform (SIMP) is an Open Source framework designed around the concept that individuals and organizations should not need to repeat the work of automating the basic components of their operating system infrastructure.
The technology industry is renowned for innovation, disruption and the fast pace of change. And yet, an old approach to sales lingers after almost 30 years. Fortunately, solution selling is in its twilight years. It’s dying. And so will any technology vendor that persists with solutions as its primary focus.
A new generation of technology vendors has moved past solution selling. They’ve learned that solving a problem doesn’t guarantee the business result the customer needs. They’re focusing their considerable skill on enabling that business result, not just solving a current problem. This is the third generation of technology sales.
The first generation of technology sales began in the 70s as software packages appeared. Customers would evaluate software packages using long lists of features and functions they thought they needed. The package with the most ticks would win the deal. Sadly, the correlation between the number of ticks and the ability to deliver business results for the customer wasn’t strong.
Software packages matured over the next decade or two. The features and functions became more similar in each package. It became more difficult for vendors to win deals based on their features and functions.
In the late 80s, the second generation of technology sales appeared. Vendors asked customers about the problems they experienced. The vendors then showed customers how they could solve those problems. And because they had solved the same problems in other companies, they could often provide insight. They could show new ways to address the problems.
Customers started to buy from vendors they felt could best solve their problems. This second generation of vendors crushed the generation one vendors. Demonstrating features and functions just didn’t stack up against a competitor that zeroed in on customer pain points and showed how they could be solved. The technology industry rapidly adopted solution selling. Lots of different sales methodologies appeared. Strategic Selling, Solution Selling, SPIN Selling, Target Account Selling and many more were launched. More recently, The Challenger Sale has become popular.
An implicit assumption underpinned the solution-selling approach – if the customer solves their current problems, they’ll achieve the business results they need. The third generation of technology vendors knows they can no longer make this assumption.
The pace of change in business has had a profound effect. Few people doubt that business changes more rapidly than ever before. And that the pace of change will continue to increase. The technology industry itself has been a major driver of this rapid change. The problem for customers lies in the time it takes for a second-generation approach. It takes too long to analyse current problems, evaluate alternative approaches, evaluate different vendors, implement the vendor’s products and wait for the positive effect on business results. By the time this process is finished, a whole new set of problems has arisen. The customers remain in catch-up mode.
Customers need to focus directly on the future business results they need to achieve. And they want a vendor who can show them how to get there.
Other factors affect the achievement of the customer’s business results. The quality of implementation leads the list. Failed implementations leave the customer with significant expenses, poor results and deep anger. The vendor usually has some culpability. But, so does the customer. Lots of factors affecting the implementation are owned by the customer. The quality of the new processes the customer wants, for example. Or how the technology will be used. For the project itself, the quality of the customer’s project team, the amount of resources committed, the involvement of senior executives, the decision-making process and the quality of change management deeply affect the results. The customer decides on all these things.
But, a big problem has emerged for vendors. Subscription pricing means a failed implementation has a major impact on future revenue. The customer may cancel their subscription. Or, they just don’t grow their usage because of the poor results. Either way, the vendor’s revenue suffers.
The third generation of technology vendors has learned they can no longer leave those other factors up to the customer. There’s too much risk to the vendor’s revenue. The vendor needs to play a proactive role on all factors affecting the customer’s business results.
The third generation of vendors can provide new insight. The second generation provided insight on problems, helping customers see issues they didn’t realise they had. The third generation can provide insight on business results the customer didn’t know were possible. They can describe a new to-be state or ongoing business result. They have insight into results achieved by other companies and into the ability of technology to enable these new business results.
These vendors attract the attention of customers with their insights. And they win deals by selling their ability to enable them.
These vendors are crystal clear about the business results needed by their customers. And in many cases, they provide insight into a new to-be state or business result the customer can aspire to. They’re thriving because they build their business around enabling those business results.
Subscription pricing means a failed implementation has a much bigger effect on future revenue. These vendors have become experts at everything required to achieve the needed business results. And they proactively help the customer with all of them.
The second generation of vendors sold their ability to solve a set of problems. The third generation sells their ability to enable the customer’s business results. And they differentiate by providing new insight into what results are possible.
It starts by developing crystal clarity about the business results you can help your customers achieve. And, like Steve Jobs, don’t ask the customers first. Work out what they need, tell them and then see if your new insight resonates.
Next, work out how to sell the business results. Your methodology may not change much, but what you’re selling will be different.
Then, work out the other things you need to do to enable the business results you’re selling.
Finally, develop a plan to evolve to your new model. Just as the move from generation one to generation two did not take place overnight, the move from generation two to generation three will be more of an evolution than a revolution. It will take some time.
There’s a good chance you’ve already started this journey. But you don’t want to be like the generation one vendors who didn’t evolve to generation two – and were crushed!