- Introduction
- Disclaimer
- Artifact locations
- Windows Cheat Sheet
- Order of Volatility
- Memory Files (Locked by OS during use)
- Imaging Live Machines
- Live Windows IR/Triage
- Interact with remote machine
- System information
- Obtain list of all files on a computer
- User and admin information
- Logon information
- NT Domain/Network Client Information
- Firewall Information
- Firewall Changes
- Pagefile information
- Group and access information
- Cookies
- RecentDocs Information
- Startup process information
- Startup process information by path/file name
- Scheduled task/job information
- Remediate malicious scheduled tasks
- UAC Bypass Fodhelper
- Quick overview of persistent locations (AutoRuns)
- Persistence and Automatic Load/Run Reg Keys
- T1015 Accessibility Features
- T1098 Account Manipulation
- T1182 AppCert DLLs
- T1103 AppInit DLLs
- T1138 Application Shimming
- T1197 BITS Jobs
- T1067 Bootkit
- T1176 Browser Extensions
- T1109 Component Firmware
- T1122 Component Object Model (COM) Hijacking
- T1136 Create Account
- T1038 DLL Search Order Hijacking
- T1133 External Remote Services
- T1044 File System Permissions Weakness
- T1158 Hidden Files and Directories
- T1179 Hooking
- T1062 Hypervisor
- T1183 Image File Execution Options Injection
- T1037 Logon Scripts
- T1177 LSASS Driver
- T1031 Modify Existing Service
- T1128 Netsh Helper DLL
- T1050 New Service
- T1137 Office Application Startup
- T1034 Path Interception
- T1013 Port Monitors
- T1504 PowerShell Profile
- T1108 Redundant Access
- T1060 Registry Run Keys / Startup Folder
- T1053 Scheduled Task
- T1180 Screensaver
- T1101 Security Support Provider
- T1505 Server Software Component
- T1058 Service Registry Permissions Weakness
- T1023 Shortcut Modification
- T1198 SIP and Trust Provider Hijacking
- T1019 System Firmware
- T1209 Time Providers
- T1078 Valid Accounts
- T1100 Web Shell
- T1084 Windows Management Instrumentation Event Subscription
- T1004 Winlogon Helper DLL
- Other – Winsock Persistence
- Check disabled task manager (often from malware)
- Review Hivelist
- Locate all user registry keys
- Load all users registry keys from their ntuser.dat file (perform above first)
- Query all users run key
- Unload all users registry keys
- Remediate Automatic Load/Run Reg Keys
- Check Registry for IE Enhanced Security Modification
- Check Registry for disabling of UAC (1=UAC Disabled)
- Review Software Keys for malicious entries
- Scan Registry keys for specified text
- Persistent file locations of interest
- Locate LNK Files with a particular string (Special thanks to the notorious)
- Master File Table
- Determine Timestomping
- Enable Date Accessed Timestamps
- Remove BITSAdmin Persistence
- Check system directories for executables not signed as part of an operating system release
- Locate Possible Trickbot
- Determine if user Trusted a doc/spreadsheet etc and ran a macro
- Check Office Security Settings
- Check Outlook Temporary Files
- Check MS Office Logs for high risk file names
- Prevent CVE-2017-11882, CVE-2018-0802, CVE-2018-0804, CVE-2018-0805, CVE-2018-0806, CVE-2018-0807 (EQNEDT32.EXE) Exploitation
- Determine if user opened a document
- Prevent Executable from Running.
- Show known file extensions and hidden files (excluding OS hidden files)
- Open File Extension (e.g. scripts) with certain application (elevated cmd)
- Disable Command Prompt
- Locate Possible DLL Search Order Hijacking
- Locate Possible Dll Side Loading
- Find files without extensions
- Remediate malicious files
- Detect Persistent WMI Subscriptions
- Remediate Persistent WMI Subscriptions
- Enumerate WMI Namespaces
- Mimikatz/Credential Extraction Detection
- NetNTLM Downgrade Attack Detection
- Putty Detection
- Installed Updates
- Installed Software/Packages
- Process information
- Current Process execution or module loads from temporary directories
- Current Process execution or module loads from temporary directories + hash
- Scan for malware with Windows Defender
- Check Windows Defender for excluded files and default actions
- Delete Windows Defender excluded files
- Check and Set Access Control Lists
- Change ACE for “everyone” on folder and subfiles/folders
- Disable unwanted windows binaries (via Base64 encoding and removal)
- Enable windows binaries (via Base64 decoding and removal)
- Make multiple files visible and remove ‘superhidden’
- Check Security Descriptor Definition Language (SDDL) and Access Control Entries (ACE) for services
- Kill “Unstoppable” Service/Process
- Obtain hash for all running executables
- Obtain hash and established network connections for running executables with dns cache
- Obtain hash and listening network connections for running executables
- Obtain hash and possible tunneled network connections for running executables
- Obtain workstation name for tunneled authentication
- Obtain hash of DLLs currently loaded by processes
- Obtain processes where the binary's file version doesn't match the OS release
- Obtain process binary file external names
- Obtain processes running which are running a DLL
- Obtain hash of unsigned or invalid DLLs currently loaded by processes
- Obtain list of unsigned DLLs currently loaded by processes
- Obtain DLL information ListDLLs
- Obtain unsigned DLL information loaded by processes
- Obtain DLLs in use by processes
- Determine handles on a file
- Verify EternalBlue Patch (MS17-010) is installed – Microsoft
- Obtain TXT records from recently resolved domains
- Check all Appdata files for unsigned or invalid executables
- Check for executables in Local System User Profile and Files
- Investigate WMI Usage
- Find executables and scripts in Path directories ($env:Path)
- Find files created/written based on date
- Check running executables for malware via VirusTotal
- Scan systems for IOA/IOC (Yara)
- Kill malicious process
- Dump full process memory
- Live Triage of Memory
- Locate Possible Shellcode within process via Injected Thread
- Obtain Possible Shellcode within process as Hex
- Obtain Possible Shellcode within process as Hex
- Basic Memory Analysis via PowerShellArsenal
- Locate Possible Shellcode Address Space
- Find Meterpreter in Process Memory:
- Find Cobalt Strike in Process Memory:
- Network connections
- Routing table and ARP cache
- Contents of DNS resolver
- Enable DNS Logging
- Scan DNS Logs
- Scan DNS Logs and output unique DNS Queries
- Hostname to corresponding IPs from list
- T1074 Data Staging
- Latest system activities
- Driver information
- Process and extra information
- Hosts file and service>port mapping
- Recycle Bin Forensics
- DCOM Information
- Service Information
- Stop and disable/delete malicious service
- Disable Internet Explorer
- cmd history
- Files greater than 10 MB
- Temp files greater than 10mb
- Locate process handles (e.g. files open by process)
- Close process handles (e.g. files open by process)
- Event logs between a timeframe
- Check audit policies
- Set logging on all success/failure events
- Enable logging of process creation
- Scan process creation logs for ‘appdata’
- Check for Windows Security Logging Bypass
- Check group policies
- Obtain mode settings for ports
- Event Logs for offline analysis
- Quickly scan event logs with DeepblueCLI
- Event Tracing for Windows (ETW).
- Setup Custom Log Tracing
- Update trace with wanted providers
- Delete Subscription and Providers
- Event Log/Tracing Tampering Detection
- Timeline Windows Event Logs.
- Super Timeline a host:
- Security log information
- Logon type information
- Special logon information (4672)
- System log information:
- Sysmon log information
- Active Directory Investigation
- Origami-PDF (Malicious PDF Analysis)
- More Malicious PDF/Doc Analysis
- Exiftool (Image Analysis)
- RDP Cache images
- RDP (Terminal Services) Activity
- RDP (Terminal Services) Configuration
- Host Firewall information:
- Model of motherboard and hardware information:
- Monitoring of open files:
- Check Bitlocker Encryption
- List open files
- Display proxy information
- Disconnect open files based on username:
- Powershell Commands
- Service information
- View Named Pipes
- Harden System from Lateral Movement
- Process WMI objects
- Process information
- Baseline processes and services
- View and interact with shadow copies (MUST BE RUN FROM ELEVATED CMD.exe)
- Create Shadow Copy for C: drive
- Other Shadow Copy Techniques
- TCP Connections
- List of IPV4 addresses who have connected (RDP)
- Powershell logs
- Event logs available
- Event Logs per Application Source
- Event Logs per Severity Source
- Live Event Log Filtering
- Find Authenticating user/asset for remote service creation (lateral movement)
- Extract useful fields from Legacy Logs
- Remote Desktop Lateral Movement Detection (Destinations)
- Map Network Shares Lateral Movement Detection (Destinations)
- PsExec Lateral Movement Detection (Destinations)
- Scheduled Tasks Lateral Movement Detection (Destinations)
- Services Lateral Movement Detection (Destinations)
- WMI/WMIC Lateral Movement Detection (Destinations)
- PowerShell Lateral Movement Detection (Destinations)
- Extra Information
- User accounts and logon information
- Share information
- List Alternate Data Streams in current Dir and view them
- List Alternate Data Streams in text files within AppData
- Use Alternate Data Streams to find download location
- General Notes
- Gather artifacts
- Powershell execution log
- Analyse document for macros
- Capture powershell memdump and analyse
- Recent execution of programs
- Programs Accessing Windows Features such as Webcam and Microphone
- USN Journal (any changes to NTFS volume)
- Link File Analysis
- Jump Lists Analysis
- SRUM Analysis
- Background Activity Moderator (BAM/DAM)
- Windows 10 Mail App Forensics
- Capture packets with netsh
- Capture Packets with PowerShell
- Stop Capturing Packets with PowerShell
- Convert ETL File to PCAP
- NTUSER.DAT Important Registry entries:
- SOFTWARE Hive Registry Entries
- Useful Wireshark filters
- All traffic to or from an IP
- All TCP traffic on a port
- All traffic from an IP
- All traffic to an IP
- HTTP or DNS Traffic
- Client>DC traffic filtering noise
- TCP issues (flags)
- TCP protocol flags (present)
- Encrypted Traffic
- Follow TCP Stream
- TCP packets for string
- HTTP codes
- User agent, without/with case sensitivity
- Addresses on subnet by IP/Hostname
- Wireshark Key Tips and Tricks by Brad Duncan
- Decrypting Encrypted Packets
- SYSTEM Hive Registry Entries
- PowerShell Host Based Investigation and Containment Techniques
- PowerForensics
- Google Rapid Response
- Kansa PowerShell IR Framework
- Enable PS Remoting using PsExec
- Confirm trusted hosts list if required
- Quick Remote Response (no audit/logging)
- Setup logging for IR
- Establish Remote Session
- Enter or exit remote session
- Issuing remote command/shell
- Retrieving/downloading files
- Checking for running processes
- Query Registry Keys
- PCAP collection
- Blocking a domain
- Blocking an IP
- Unblocking an IP
- Quarantining a host using Firewall
- Creating an OU to quarantine a host into
- Moving an AD Object into a quarantine OU
- Quarantining a host using DCOM
- Remove a quarantined host
- Disable Admin Shares
- Credentials and Exposure
- Kerberos Tickets and Exposure
- Windows Memory Forensics
- Volatility 2.x Basics
- Find out what profiles you have available
- Find out the originating OS profile to be used from the memory dump.
- Determine what plugins are available for use.
- Check what processes were running.
- Check what commands have been run and their output.
- Dump process files which were running from memory.
- Dump the memory associated with a process file.
- Dump all cached files from memory.
- Check what drivers or kernel modules were unloaded or hidden.
- Check what network connectivity has occurred.
- Check what network connectivity has occurred (Windows XP/Server 2003).
- Check what information exists within registry from memory.
- Scan memory with Yara Rule
- Duplicate image space out as a raw DD file
- Dump timelined artifacts from memory.
- Detect persistence mechanisms using Winesap
- Compare memory dump to known good memory dump.
- Output visual .dot file to view process tree
- Volatility 3.x Basics
- Check Memory Image Information
- Check List of Kernel Drivers
- Check List of Kernel Drivers (incl previously unloaded and hidden)
- Dump List of Kernel Drivers to Files
- Dump List of Running Processes to Files
- Check Process List of Running Processes
- Check Process Tree of Running Processes
- Check Running Processes from EPROCESS blocks
- Check Running Processes for possible shellcode/injection via PAGE_EXECUTE_READWRITE
- Check processes and their command lines
- Check for files which exist in memory
- Volatility 2.x Basics
- Miscellaneous Tools and Notes
- RegRipper
- Kape
- ShimCacheParser
- AppCompatCacheParser
- AmCacheParser
- Windows 10 Timeline Database Parser
- Bulk Extractor
- ForensicDots
- Cyber Chef
- URLScan
- OSQuery
- Velociraptor
- ViperMonkey
- XLM Macro Deobfuscator
- Mounting image files in linux
- Mounting image files in Windows
- Unpack binary packed with UPX
- Scan exchange for phishing emails
- Common DLL Information
- Show processes with networking functions
- Show processes importing the Remote Access API
- Show processes importing the task scheduler API
- Show processes importing the Windows Media Instrumentation API
- Windows Memory Analysis (Example Process with Volatility)
- Linux Cheat Sheet
- Dumping Memory
- Taking Image
- Misc Useful Tools
- Live Triage
- System Information
- Account Information
- Current user
- Last logged on users
- Initialisation Files
- Environment and Startup Programs
- Scheduled Tasks
- SSH Keys and Authorised Users
- Sudoers File (who can run commands as a different user)
- Configuration Information
- Network Connections / Socket Stats
- IP Table Information
- Network Configuration
- Browser Plugin Information
- Kernel Modules and Extensions
- Process Information
- Search files recursively in directory for keyword
- Process Tree
- Open Files and space usage
- Pluggable Authentication Modules (PAM)
- Disk / Partition Information
- System Calls / Network Traffic
- Detailed Process Information
- Recover deleted binary which is currently running
- Capture Binary Data for Review
- Binary hash information
- Process Command Line Information
- Process Environment Variables (incl user who ran binary)
- Process file descriptors/maps (what the process is ‘accessing’ or using)
- Process stack/status information (may reveal useful elements)
- Deleted binaries which are still running
- Process Working Directories (including common targeted directories)
- Hidden Directories and Files
- Immutable Files and Directories (Often Suspicious)
- SUID/SGID and Sticky Bit Special Permissions
- File and Directories with no user/group name
- File types in current directory
- Executables on file system
- Hidden Executables on file system
- Files modified within the past day
- Persistent Areas of Interest
- Audit Logs
- Installed Software Packages
- MacOS Cheat Sheet
- Live Mac IR / Triage
- System Information
- Network Connections
- Routing Table
- Network Information
- Open Files
- File System Usage
- Bash History
- User Logins
- Running Processes
- System Profiler
- Persistent Locations
- Disable Persistent Launch Daemon
- Web Browsing Preferences
- Safari Internet History
- Chrome Internet History
- Firefox Internet History
- Apple Email
- Temporary / Cached
- System and Audit Logs
- Specific Log Analysis
- Files Quarantined
- User Accounts / Password Shadows
- Pluggable Authentication Modules (PAM)
- File Fingerprinting/Reversing
- Connected Disks and Partitions
- Disk File Image Information
- User Keychain Information
- Spotlight Metadata
- Live Mac IR / Triage
Introduction
This post is inspired by all the hard-working DFIR and, more broadly, security professionals who have put in the hard yards over the years to discuss digital forensics and incident response in depth.
Disclaimer
This page contains a variety of commands and concepts which are known through experience, higher education, tutorials, online blogs, YouTube Videos, professional training, reading the manual, and more. All references to original posts or material will aim to be documented in the ‘Special Thanks’ section.
This is not designed as a manual on how to perform DFIR, and serves only as a quick reference sheet for commands, tools, and common items of interest when performing Incident Response. If you need to undertake Digital Forensics for legal proceedings, seek specialist advice as this requires more rigor around Identification, Preservation, Collection, Examination, Analysis, and Presentation of findings.
Artifact locations
A number of forensic artifacts are documented for the major operating systems.
A large number of these are covered in the Digital Forensics Artifact Repository and, because they use a standard YAML format, can be consumed both by humans and by tooling.
One action you can take is to parse these definitions for items of interest and output the areas to investigate directly. For example, if you have the powershell-yaml module (which provides ConvertFrom-Yaml), you can query the definitions directly.
Get an object of forensic artifacts
$WindowsArtifacts = Invoke-WebRequest -Uri https://raw.githubusercontent.com/ForensicArtifacts/artifacts/master/data/windows.yaml
$obj = ConvertFrom-Yaml $WindowsArtifacts.Content -AllDocuments
Now that it is stored in a usable format, the following loop gives an at-a-glance view of each artifact. Each YAML document is one artifact, so the properties are read from the loop variable rather than indexed into the whole collection (indexing $obj.urls[$count] misaligns as soon as one artifact has more or fewer references than another):
foreach ($Artifact in $obj) {
    $Summary = [pscustomobject][ordered]@{
        Name        = $Artifact.name
        Description = $Artifact.doc
        References  = $Artifact.urls
        Attributes  = $Artifact.sources.attributes
    }
    $Summary | Format-List
}
Query object for relevant registry keys (note that .keys on a hashtable returns the table's own Keys property rather than the artifact attribute, so the attribute is indexed by name):
$obj.sources.attributes | ForEach-Object { $_['keys'] } | Select-String "HKEY"
$obj.sources.attributes.key_value_pairs
Query object for relevant file paths:
$obj.sources.attributes.paths
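As an added example (not from the original post), the following builds on the $obj produced above and resolves the REGISTRY_KEY and REGISTRY_VALUE artifact definitions into live queries against the current host, expanding the repository's %%users.sid%% placeholder to the user hives currently mounted under HKEY_USERS. The function names are mine, and the artifact name filter is a wildcard because the names come from the repository at run time.

```powershell
# Added example, not from the original post. Assumes $obj was produced as above:
#   $obj = ConvertFrom-Yaml $WindowsArtifacts.Content -AllDocuments
# Function names below are my own.

function Get-MountedUserSids {
    # User hives currently mounted under HKEY_USERS (logged-on users), excluding
    # the *_Classes hives and the well-known service SIDs.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -match '^S-1-5-21-' -and $_ -notmatch '_Classes$' }
}

function Expand-ArtifactKey {
    param([string]$Key)
    # Artifact definitions spell out the root hive (HKEY_LOCAL_MACHINE\...); the
    # PowerShell registry provider needs the Registry:: prefix in front of it.
    # Wildcards (*) are left in place because Get-Item resolves them.
    $path = 'Registry::' + $Key
    if ($path -match '%%users\.sid%%') {
        foreach ($sid in Get-MountedUserSids) { $path -replace '%%users\.sid%%', $sid }
    } else {
        $path
    }
}

function Read-RegistryKeyValues {
    param([string]$Artifact, [string]$Path, [string]$OnlyValue)
    # Any other %%placeholder%% is deliberately left unresolved: skip rather than guess.
    if ($Path -match '%%') { return }
    Get-Item -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $names = if ($OnlyValue) { @($OnlyValue) } else { $key.GetValueNames() }
        foreach ($name in $names) {
            $data = $key.GetValue($name)
            if ($null -eq $data) { continue }
            [pscustomobject]@{
                Artifact = $Artifact
                Key      = $key.Name
                Value    = $name
                Data     = $data
            }
        }
    }
}

function Get-ArtifactRegistryData {
    # Walk the artifact definitions and read the registry keys/values they describe.
    param([Parameter(Mandatory)] $Artifacts, [string]$NameFilter = '*')
    foreach ($a in $Artifacts) {
        if ($a.name -notlike $NameFilter) { continue }
        foreach ($src in $a.sources) {
            switch ($src.type) {
                'REGISTRY_KEY' {
                    foreach ($k in $src.attributes['keys']) {
                        foreach ($p in Expand-ArtifactKey $k) {
                            Read-RegistryKeyValues -Artifact $a.name -Path $p
                        }
                    }
                }
                'REGISTRY_VALUE' {
                    foreach ($kv in $src.attributes['key_value_pairs']) {
                        foreach ($p in Expand-ArtifactKey $kv['key']) {
                            Read-RegistryKeyValues -Artifact $a.name -Path $p -OnlyValue $kv['value']
                        }
                    }
                }
            }
        }
    }
}

# Example: everything the repository defines under artifact names containing "Run"
# (autorun-style keys). Profiles that are not logged on are not covered here;
# their NTUSER.DAT must be loaded under HKU first.
Get-ArtifactRegistryData -Artifacts $obj -NameFilter '*Run*' | Format-Table -AutoSize -Wrap
```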
Windows Cheat Sheet
Order of Volatility
If performing evidence collection rather than IR, respect the order of volatility as defined in RFC 3227:
- registers, cache
- routing table, arp cache, process table, kernel statistics, memory
- temporary file systems
- disk
- remote logging and monitoring data that is relevant to the system in question
- physical configuration, network topology
- archival media
Memory Files (Locked by OS during use)
Note: To obtain these files while they are in use, you can use a low-level file extractor such as RawCopy.
hiberfil.sys (RAM stored during machine hibernation)
- %SystemRoot%\hiberfil.sys
pagefile.sys (Virtual memory used by Windows)
- %SystemDrive%\pagefile.sys
swapfile.sys (Virtual memory used by Windows Store Apps)
- %SystemDrive%\swapfile.sys
Binalyze IREC Evidence Collector (GUI or CommandLine)
IREC.exe --license AAAA-BBBB-CCDD-DDDD --profile memory
Note: Can be used as an all-in-one collector (licence required for full collection; a free version is available).
Belkasoft Live RAM Capturer
RamCapture64.exe "output.mem"
OR for 32 bit OS
RamCapture32.exe "output.mem"
Redline
Excellent resource:
https://resources.infosecinstitute.com/memory-analysis-using-redline/
Memoryze
MemoryDD.bat --output [LOCATION]
Comae DumpIT
DumpIt.exe /O [LOCATION]
- Used for getting a memory crash dump file (useful for analysis with both WinDbg and Volatility)
DumpIt.exe /O [LOCATION]\mem.raw /T RAW
- Used for getting a raw memory dump (Considered a legacy format)
These can be bundled with PsExec to execute on a remote PC; however, this copies the tool to the remote PC before executing it. There are limitations if the tool requires other drivers or files to execute (such as RamCapture). An example command is:
psexec \\remotepcname -c DumpIt.exe
Magnet Forensics (Mostly GUI)
Volexity Surge
Microsoft LiveKd
Winpmem
winpmem.exe -o test.aff4 -dd
winpmem.exe -o test.raw --format raw -dd
Imaging Live Machines
FTK Imager (Cmd version, mostly GUI for new versions)
ftkimager --list-drives
ftkimager \\.\PHYSICALDRIVE0 "[Location]\Case" --e01
ftkimager [source] [destination]
ftkimager \\.\PHYSICALDRIVE0 "[Location]\Case" --e01 --outpass securepasswordinsertedhere
DD
dd.exe --list
dd.exe if=/dev/<drive> of=Image.img bs=1M
dd.exe if=\\.\<OSDrive>: of=<drive>:\<name>.img bs=1M --size --progress
(LINUX) sudo dd if=/dev/<OSDrive> of=/mnt/<name>.ddimg bs=1M conv=noerror,sync
X-Ways Imager
Encase Forensic
Tableau Imager
Guymager
Live Windows IR/Triage
CMD and WMIC (Windows Management Instrumentation Command-Line). Note: 'list brief' returns a condensed subset of the information that 'list full' does.
Interact with remote machine
Enable Powershell remoting:
wmic /node:[IP] process call create "powershell enable-psremoting -force"
Powershell:
Enter-PSSession -ComputerName [IP]
PSExec:
psexec \\IP -c cmd.exe
System information
get-computerinfo
echo %DATE% %TIME%
date /t
time /t
reg query "HKLM\System\CurrentControlSet\Control\TimeZoneInformation"
systeminfo
wmic computersystem list full
wmic /node:localhost product list full /format:csv
wmic softwarefeature get name,version /format:csv
wmic softwareelement get name,version /format:csv
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /s
echo %PATH%
(gci env:path|Select -exp Value).split(';')
SET
wmic bootconfig get /all /format:List
wmic computersystem get name, domain, manufacturer, model, numberofprocessors,primaryownername,username,roles,totalphysicalmemory /format:list
wmic timezone get Caption, Bias, DaylightBias, DaylightName, StandardName
wmic recoveros get /all /format:List
wmic os get /all /format:list
wmic partition get /all /format:list
wmic logicaldisk get /all /format:list
wmic diskdrive get /all /format:list
fsutil fsinfo drives
(psinfo requires sysinternals psinfo.exe):
psinfo -accepteula -s -h -d
Obtain list of all files on a computer
tree C:\ /F > output.txt
dir C:\ /A:H /-C /Q /R /S /X
User and admin information
whoami
whoami /user
net users
net localgroup administrators
net group /domain [groupname]
net user /domain [username]
wmic sysaccount
wmic useraccount get name,SID
wmic useraccount list
Logon information
wmic netlogin list /format:List
Get-WmiObject Win32_LoggedOnUser
Get-WmiObject win32_logonsession
query user
qwinsta
klist sessions
klist -li
NT Domain/Network Client Information
wmic ntdomain get /all /format:List
wmic netclient get /all /format:List
nltest /trusted_domains
Firewall Information
netsh Firewall show state
netsh advfirewall firewall show rule name=all dir=in type=dynamic
netsh advfirewall firewall show rule name=all dir=out type=dynamic
netsh advfirewall firewall show rule name=all dir=in type=static
netsh advfirewall firewall show rule name=all dir=out type=static
Firewall Changes
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall';} | FL TimeCreated, Message
Pagefile information
wmic pagefile
Group and access information
(Accesschk requires accesschk64.exe or accesschk.exe from sysinternals):
net localgroup
accesschk64 -a *
Cookies
C:\Users\*\AppData\Local\Microsoft\Windows\INetCookies
C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies\Low
RecentDocs Information
*Note: Run with PowerShell; get the SID and user information with 'wmic useraccount get name,SID'
$SID = "S-1-5-21-1111111111-11111111111-1111111-11111"
$RecentDocs = "Registry::HKEY_USERS\$SID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
$output = @()
# Each numbered value is a binary blob that starts with the UTF-16 file name, NUL-terminated
Get-Item -Path $RecentDocs | Select-Object -ExpandProperty Property | ForEach-Object {
    $i = [System.Text.Encoding]::Unicode.GetString((Get-ItemProperty -Path $RecentDocs -Name $_).$_)
    # Replace anything that is not a printable file-name character, then keep the text before the first one
    $i = $i -replace '[^a-zA-Z0-9 \.\-_\\/()~ ]', '\^'
    $output += $i.Split('\^')[0]
}
$output | Sort-Object -Unique
More information on recent documents may be found:
C:\Users\[username]\AppData\Local\Microsoft\Windows\FileHistory\Data
gci "REGISTRY::HKU\*\Software\Microsoft\Office\*\Word\Reading Locations\*"
Startup process information
wmic startup list full
wmic startup list brief
Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | FL
Startup process information by path/file name
Note: This searches common persistence areas but not all of them; change the $Malware variable to a term of your choosing.
$Malware = "appdata";
$Processes = gps |?{$_.Path -match $Malware -or $_.Name -match $Malware} | FL Name,Path,Id;
$Tasks = schtasks /query /fo csv /v | ConvertFrom-Csv | ?{$_.'Task To Run' -match $Malware} | FL "Taskname","Task To Run","Run As User";
$Services = gwmi win32_service | ? {$_.PathName -match $Malware}| FL Name,PathName;
$ServiceDLL = reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL" | findstr "$Malware";
$RunKey1 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run*' | ?{$_ -match $Malware};
$RunKey2 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*' | ?{$_ -match $Malware};
$UserProfiles = (gwmi Win32_UserProfile | ? { $_.SID -notmatch 'S-1-5-(18|19|20).*' }); $paths = $UserProfiles.localpath; $sids = $UserProfiles.sid; for ($counter=0; $counter -lt $UserProfiles.length; $counter++){$path = $UserProfiles[$counter].localpath; $sid = $UserProfiles[$counter].sid; reg load hku\$sid $path\ntuser.dat};
$RunKey3 = Get-ItemProperty -Path Registry::HKU\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* | ?{$_ -match $Malware};
$Startup = Select-String -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*' -Pattern $Malware | Select Path;
$Startup2 = Select-String -Path 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*' -Pattern $Malware | Select Path;
if ($Processes) {echo "Process Found!";$Processes} else {echo "No Running Processes Found."};
if ($Tasks) {echo "Tasks Found!";$Tasks} else {echo "No Tasks Found."};
if ($Services) {echo "Services Found!";$Services} else {echo "No Services Found."};
if ($ServiceDLL) {echo "ServiceDLL Found!";$ServiceDll} else {echo "No Service Dlls Found."};
if ($RunKey1) {echo "Wow6432Node Run Key Found!";$RunKey1} else {echo "No Local Machine Wow6432Node Run Key Found."};
if ($RunKey2) {echo "Local Machine Run Key Found!";$RunKey2} else {echo "No Local Machine Run Key Found."};
if ($RunKey3) {echo "User Run Key Found!";$RunKey3} else {echo "No User Run Key Found."};
if ($Startup) {echo "AppData Startup Link Found!";$Startup} else {echo "No AppData Startups Found."};
if ($Startup2) {echo "ProgramData Startup Link Found!";$Startup2} else {echo "No ProgramData Startups Found."};
Scheduled task/job information
at (For older OS)
schtasks
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr "Task To Run:"
schtasks /query /fo LIST /v | findstr "appdata"
schtasks /query /fo LIST /v | select-string "Enabled" -CaseSensitive -Context 10,0 | findstr "exe"
schtasks /query /fo LIST /v | select-string "Enabled" -CaseSensitive -Context 10,0 | findstr "Task"
schtasks /query /fo LIST /v | Select-String "exe" -Context 2,27
gci -path C:\windows\system32\tasks -recurse | Select-String Command | ? {$_.Line -match "EXENAME"} | FL Line, Filename
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)}|Select-String Command|FL Filename,Line
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | where {$_.CreationTime.hour -ge (get-date).hour-2}|Select-String Command|FL Line,Filename
schtasks /query /fo csv /v | ConvertFrom-Csv | ?{$_.'Task To Run' -match "MALICIOUS"} | FL "Taskname","Task To Run"
schtasks /query /fo csv /v | ConvertFrom-Csv | ?{$_.Taskname -ne "TaskName"} | FL "Taskname","Task To Run"
wmic job get Name, Owner, DaysOfMonth, DaysOfWeek, ElapsedTime, JobStatus, StartTime, Status
Powershell:
Get-ScheduledTask
gci -path C:\windows\system32\tasks -recurse | Select-String Command | FL Filename, Line
gci -path C:\windows\system32\tasks -recurse | Select-String Command | ? {$_.Line -match "MALICIOUSNAME"} | FL Filename, Line
Remediate malicious scheduled tasks
schtasks /Delete /TN [taskname] /F
Powershell:
Unregister-ScheduledTask -TaskName [taskname]
Unregister-ScheduledTask -TaskPath [taskpath]
UAC Bypass Fodhelper
reg query HKCU\Software\Classes\ms-settings\shell\open\command
reg query HKU\{SID}\Software\Classes\ms-settings\shell\open\command
Quick overview of persistent locations (AutoRuns)
autorunsc.exe -accepteula -a * -c -h -v -m > autoruns.csv
autorunsc.exe -accepteula -a * -c -h -v -m -z 'E:\Windows' > autoruns.csv
Persistence and Automatic Load/Run Reg Keys
In PowerShell, replace "reg query" with Get-ItemProperty -Path and the registry drive notation (HKCU:, HKLM:).
e.g.: Get-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User Registry (NTUSER.DAT HIVE) – Commonly located at:
C:\Users\[username]
*Note: These are set up for querying the current user's registry only (HKCU). To query other users, load their hive from the relevant NTUSER.DAT file (reg load) and query it under HKU\<SID>.
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f run
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f load
reg query "HKCU\Environment" /v UserInitMprLogonScript
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v RESTART_STICKY_NOTES
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Windows\Scripts"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RecentDocs"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunMRU"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
reg query "HKCU\SOFTWARE\AcroDC"
reg query "HKCU\SOFTWARE\Itime"
reg query "HKCU\SOFTWARE\info"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\User Shell Folders"
reg query "HKCU\SOFTWARE\Microsoft\Command Processor"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit" /v LastKey
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
reg query "HKCU\SOFTWARE\Microsoft\Windows\currentversion\run"
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKCU\SOFTWARE\Microsoft\Office\[officeversion]\[word/excel/access etc]\Security\AccessVBOM"
reg query "HKCU\SOFTWARE\Microsoft\IEAK\GroupPolicy\PendingGPOs" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Excel\Security\AccessVBOM"
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Security\AccessVBOM"
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Powerpoint\Security\AccessVBOM"
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Access\Security\AccessVBOM"
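The note above says other users' hives must be loaded from NTUSER.DAT before they can be queried. As an added example (not from the original post), the following does that for every local profile, queries the Run-style keys listed above, unloads any hive it mounted, and flags commands that launch from user-writable locations. The function names and the REVIEW heuristic are my own; it must run from an elevated PowerShell session.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
# Function names and the REVIEW heuristic are my own.

$RunSubKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-UserRunEntries {
    # Read every value under the Run-style keys of one hive mounted at HKU\<SID>.
    param([string]$Sid, [string]$ProfilePath)
    foreach ($sub in $RunSubKeys) {
        $key = Get-Item -Path "Registry::HKEY_USERS\$Sid\$sub" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            # Autoruns launched from locations any user can write to deserve a closer look.
            $flag = if ($command -match '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\') { 'REVIEW' } else { '' }
            [pscustomobject]@{
                Profile = $ProfilePath
                Key     = $key.Name
                Name    = $name
                Command = $command
                Flag    = $flag
            }
        }
    }
}

function Get-AllUserRunEntries {
    # Enumerate local profiles (skipping LocalSystem, LocalService and NetworkService),
    # mount NTUSER.DAT for profiles that are not logged on, query, then unmount.
    $results = @()
    $profiles = Get-CimInstance Win32_UserProfile |
        Where-Object { $_.SID -notmatch '^S-1-5-(18|19|20)$' }
    foreach ($p in $profiles) {
        $sid = $p.SID
        $mountedHere = $false
        if (-not (Test-Path -Path "Registry::HKEY_USERS\$sid")) {
            $hive = Join-Path $p.LocalPath 'NTUSER.DAT'
            if (-not (Test-Path -LiteralPath $hive)) { continue }
            reg.exe load "HKU\$sid" $hive 2>&1 | Out-Null
            if ($LASTEXITCODE -ne 0) { continue }     # hive locked or damaged: skip it
            $mountedHere = $true
        }
        try {
            $results += Get-UserRunEntries -Sid $sid -ProfilePath $p.LocalPath
        } finally {
            if ($mountedHere) {
                # The registry provider keeps handles open; release them or the unload fails.
                [gc]::Collect()
                reg.exe unload "HKU\$sid" 2>&1 | Out-Null
            }
        }
    }
    $results
}

Get-AllUserRunEntries | Sort-Object Flag -Descending | Format-Table Flag, Profile, Name, Command -AutoSize -Wrap
```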
Local Machine (SOFTWARE HIVE)
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f AppInit_DLLs
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit" /s
reg query "HKLM\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\policies\explorer\run"
reg query "HKLM\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\run"
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
reg query "HKLM\SOFTWARE\Microsoft\Office\[officeversion]\[word/excel/access etc]\Security\AccessVBOM"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Excel\Security\AccessVBOM"
reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Word\Security\AccessVBOM"
reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Powerpoint\Security\AccessVBOM"
reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Access\Security\AccessVBOM"
Don’t be afraid to use findstr or the /f switch to find entries of interest, for example file extension handlers, which may invoke a malicious executable when a file of that type is opened.
reg query "HKLM\SOFTWARE\Classes" | findstr "file"
reg query "HKLM\SOFTWARE\Classes" /f "file"
reg query HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} /s
reg query HKCR\AppID\ /s | findstr "exe"
Local Machine (SYSTEM HIVE)
Note: This hive holds not only services but also drivers, including malicious ones, which may run at startup (these are “.sys” files and are generally loaded from \SystemRoot\System32\drivers).
reg query "HKLM\SYSTEM\CurrentControlSet\Services\[Random_name]\imagePath"
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "*.exe"
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath /f "*.exe"
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath /f "*.sys"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute
Get-Service -Name "*MALICIOUSSERVICE*"
gwmi win32_service | ? {$_.PathName -match "MALICIOUSSERVICE"}|FL Name,PathName
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\*" | FL DisplayName,ImagePath,ObjectName
gci -Path C:\Windows\system32\drivers -include *.sys -recurse -ea 0 -force | Get-AuthenticodeSignature
gci -Path C:\Windows\system32\drivers -include *.sys -recurse -ea 0 -force | Get-FileHash
Note: Some useful commands to show relevant service information
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"
T1015 Accessibility Features
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AtBroker.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger"
sfc /VERIFYFILE=C:\Windows\System32\sethc.exe
sfc /VERIFYFILE=C:\Windows\System32\utilman.exe
sfc /VERIFYFILE=C:\Windows\System32\AtBroker.exe
sfc /VERIFYFILE=C:\Windows\System32\Narrator.exe
sfc /VERIFYFILE=C:\Windows\System32\Magnify.exe
sfc /VERIFYFILE=C:\Windows\System32\DisplaySwitch.exe
sfc /VERIFYFILE=C:\Windows\System32\osk.exe
T1098 Account Manipulation
N/A
T1182 AppCert DLLs
reg query "HKLM\System\CurrentControlSet\Control\Session Manager" /v AppCertDlls
T1103 AppInit DLLs
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
reg query "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
reg query "HKU\{SID}\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='11'} | FL TimeCreated,Message
T1138 Application Shimming
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB"
dir %WINDIR%\AppPatch\custom
dir %WINDIR%\AppPatch\AppPatch64\Custom
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Kernel-ShimEngine/Operational';}|FL
T1197 BITS Jobs
bitsadmin /list /allusers /verbose
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Bits-Client/Operational'; Id='59'} | FL TimeCreated,Message
ls 'C:\ProgramData\Microsoft\Network\Downloader\qmgr.db'
T1067 Bootkit
Note: This exists below the OS in the Master Boot Record or Volume Boot Record. The system must be booted through Advanced Startup Options with a Command Prompt, or through a recovery CD.
bootrec /FIXMBR
bootrec /FIXBOOT
Extra: If your boot configuration data is missing or contains errors, the below can fix this.
bootrec /REBUILDBCD
If you’re thinking of a bootkit more as malicious system drivers, you can go with the below.
General Driver Enumeration
gci C:\Windows\*\DriverStore\FileRepository\ -recurse -include *.inf | FL FullName,LastWriteTime,LastWriteTimeUtc
gci -path C:\Windows\System32\drivers -include *.sys -recurse -ea SilentlyContinue
sc.exe query type=driver state=all
Unsigned Drivers
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-CodeIntegrity/Operational'; Id='3001'} | FL TimeCreated,Message
gci -path C:\Windows\System32\drivers -include *.sys -recurse -ea SilentlyContinue | Get-AuthenticodeSignature | where {$_.status -ne 'Valid'}
Unload malicious filter driver
fltmc filters
fltmc volumes
fltmc instances
fltmc unload <filtername>
fltmc detach <filtername> <volumeName> <instanceName>
T1176 Browser Extensions
Chrome
Get-ChildItem -path "C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions" -recurse -erroraction SilentlyContinue
Get-ChildItem -path 'C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions' -recurse -erroraction SilentlyContinue -include manifest.json | cat
reg query "HKLM\Software\Google\Chrome\Extensions" /s
reg query "HKLM\Software\Wow6432Node\Google\Chrome\Extensions" /s
Firefox
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions" -recurse -erroraction SilentlyContinue
Get-ChildItem -path "C:\Program Files\Mozilla Firefox\plugins\" -recurse -erroraction SilentlyContinue
Get-ChildItem -path registry::HKLM\SOFTWARE\Mozilla\*\extensions
Edge
Get-ChildItem -Path C:\Users\*\AppData\Local\Packages\ -recurse -erroraction SilentlyContinue
Internet Explorer
Get-ChildItem -path "C:\Program Files\Internet Explorer\Plugins\" -recurse -erroraction SilentlyContinue
reg query 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
reg query 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar'
reg query 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks'
reg query 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars'
reg query 'HKU\{SID}\Software\Microsoft\Internet Explorer\Explorer Bars'
reg query 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions'
T1109 Component Firmware
Note: This is incredibly rare, and doesn’t have an easy detection/remediation mechanism. Using the Windows CheckDisk utility, System File Checker, or Deployment Image Servicing and Management may assist but isn’t guaranteed.
chkdsk /F
sfc /scannow
dism /Online /Cleanup-Image /ScanHealth
dism /Online /Cleanup-Image /RestoreHealth
dism /Online /Cleanup-Image /StartComponentCleanup /ResetBase
T1122 Component Object Model (COM) Hijacking
Note: This involves replacing legitimate components with malicious ones, and as such the legitimate components will likely no longer function. If you have a detection based on DLLHost.exe with /Processid:{xyz}, you can match xyz with the CLSID (COM Class Object) or AppID mentioned below to check for any malicious EXE or DLL.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{abc} /v AppID /t REG_SZ /d {xyz}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{abc} /v AppID /t REG_SZ /d {xyz}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{xyz}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\AppID\{xyz}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\AppID\{xyz}
Example analysis:
reg query "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID" /s /f "{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}"
reg query "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{178167bc-4ee3-403e-8430-a6434162db17}" /s
reg query "HKLM\SOFTWARE\Classes\AppID\{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}"
Queries:
reg query HKLM\SOFTWARE\Classes\CLSID\ /s /f ".dll"
reg query HKLM\SOFTWARE\Classes\CLSID\ /s /f ".exe"
reg query HKLM\SOFTWARE\Classes\AppID\ /s /f DllSurrogate
gci -path REGISTRY::HKLM\SOFTWARE\Classes\*\shell\open\command
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f ".dll"
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f ".exe"
gci 'REGISTRY::HKU\*\Software\Classes\CLSID\*\TreatAs'
gci 'REGISTRY::HKU\*\Software\Classes\Scripting.Dictionary'
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\LocalServer32" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\InprocServer32" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\InprocHandler*" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\*Server32" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\ScriptletURL" -ea 0
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f "ScriptletURL"
Get list of all COM Objects
[Original by Jeff Atwood](https://stackoverflow.com/questions/660319/where-can-i-find-all-of-the-com-objects-that-can-be-created-in-powershell)
gci HKLM:\Software\Classes -ea 0| ? {$_.PSChildName -match '^\w+\.\w+$' -and(gp "$($_.PSPath)\CLSID" -ea 0)} | select -ExpandProperty PSChildName
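The per-user CLSID queries above list entries one key at a time. As an added example (not code from the original cheat sheet), the function below reports every per-user InprocServer32/LocalServer32 entry together with the HKLM value it shadows for that user, whether the server file actually exists, and its Authenticode status, so hijacked registrations stand out. Function and property names are my own.

```powershell
# Added example (not from the original cheat sheet): a CLSID server registered in a
# user hive is resolved before the machine-wide one for that user, which is the hijack
# this section describes. List every per-user InprocServer32/LocalServer32 entry with
# the HKLM value it shadows, whether the server file exists, and its signature status.
function Get-UserComShadows {
    Get-ChildItem 'REGISTRY::HKU\*\Software\Classes\CLSID\*' -ErrorAction SilentlyContinue | ForEach-Object {
        $clsidKey = $_
        $clsid    = $clsidKey.PSChildName
        $sid      = ($clsidKey.Name -split '\\')[1]            # HKEY_USERS\<SID>\Software\...
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $userPath = Join-Path $clsidKey.PSPath $server
            if (-not (Test-Path $userPath)) { continue }
            $userValue    = (Get-ItemProperty -Path $userPath -ErrorAction SilentlyContinue).'(default)'
            $machineValue = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\$server" -ErrorAction SilentlyContinue).'(default)'
            # Reduce the value to a file path: drop surrounding quotes and trailing
            # arguments, then expand %SystemRoot%-style variables.
            $file = $userValue -replace '^"([^"]+)".*$', '$1' -replace '\s+[-/].*$', ''
            $file = [Environment]::ExpandEnvironmentVariables($file)
            $exists    = [bool]$file -and (Test-Path -LiteralPath $file -PathType Leaf)
            $signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $file).Status } else { $null }
            [pscustomobject]@{
                UserSID      = $sid
                CLSID        = $clsid
                Server       = $server
                UserValue    = $userValue
                MachineValue = $machineValue
                ShadowsHKLM  = [bool]$machineValue
                FileExists   = $exists
                Signature    = $signature
            }
        }
    }
}

# Keep only what merits a look: entries that override an HKLM server, point at a
# missing file, or point at an unsigned/invalidly signed file.
Get-UserComShadows |
    Where-Object { $_.ShadowsHKLM -or -not $_.FileExists -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Load offline user hives first (see the ntuser.dat loading commands later on this page), otherwise only currently logged-on users are covered. A server whose file no longer exists is worth recording too: it may be the leftover of a cleaned-up hijack.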
T1136 Create Account
net user
net user /domain
T1038 DLL Search Order Hijacking
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
gci -path C:\Windows\* -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
gci -path C:\Windows\System32\* -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
gps | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
gps | ? {$_.Modules -like '*{DLLNAME}*'} | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
$dll = gps | Where {$_.Modules -like '*{DLLNAME}*' } | Select Modules;$dll.Modules;
(gps).Modules.FileName
(gps).Modules | FL FileName,FileVersionInfo
(gps).Modules.FileName | get-authenticodesignature | ? Status -NE "Valid"
T1133 External Remote Services
N/A
T1044 File System Permissions Weakness
Get-WmiObject win32_service | FL name,PathName
get-acl "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" | FL | findstr "FullControl"
T1158 Hidden Files and Directories
dir /S /A:H
T1179 Hooking
Finding EasyHook Injection
tasklist /m EasyHook32.dll;tasklist /m EasyHook64.dll;tasklist /m EasyLoad32.dll;tasklist /m EasyLoad64.dll;
More Material:
T1062 Hypervisor
N/A
T1183 Image File Execution Options Injection
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit" /s /f "MonitorProcess"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /f "Debugger"
T1037 Logon Scripts
reg query "HKU\{SID}\Environment\UserInitMprLogonScript"
T1177 LSASS Driver
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4614';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='3033';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='3063';} | FL TimeCreated,Message
T1031 Modify Existing Service
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"
T1128 Netsh Helper DLL
reg query HKLM\SOFTWARE\Microsoft\Netsh
T1050 New Service
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"
Get-WmiObject win32_service | FL Name, DisplayName, PathName, State
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045';} | FL TimeCreated,Message
T1137 Office Application Startup
Get-ChildItem -path C:\Users\*\Microsoft\*\STARTUP\*.dotm
reg query "HKU\{SID}\Software\Microsoft\Office test\Special\Perf" /s
reg query "HKLM\Software\Microsoft\Office test\Special\Perf" /s
Get-ChildItem -path registry::HKLM\SOFTWARE\Microsoft\Office\*\Addins\*
Get-ChildItem -path registry::HKLM\SOFTWARE\Wow6432node\Microsoft\Office\*\Addins\*
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Microsoft\Templates\*" -erroraction SilentlyContinue
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Microsoft\Excel\XLSTART\*" -erroraction SilentlyContinue
Get-ChildItem -path C:\ -recurse -include Startup -ea 0
ls 'C:\Program Files\Microsoft Office\root\*\XLSTART\*'
ls 'C:\Program Files\Microsoft Office\root\*\STARTUP\*'
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Inbox
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\Security
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\Today\UserDefinedUrl
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Calendar\URL
Get-WinEvent -FilterHashtable @{ LogName='Microsoft Office Alerts'; Id='300';} | FL TimeCreated,Message
T1034 Path Interception
N/A
T1013 Port Monitors
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" /s /v "Driver"
T1504 PowerShell Profile
ls C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1
ls C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.*Profile.ps1
gci -path "C:\Users\*\Documents\PowerShell\Profile.ps1"
gci -path "C:\Users\*\Documents\PowerShell\Microsoft.*Profile.ps1"
T1108 Redundant Access
N/A
T1060 Registry Run Keys / Startup Folder
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute
gci -path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*" -include *.lnk,*.url
gci -path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -include *.lnk,*.url
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Shell-Core/Operational'; Id='9707'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Shell-Core/Operational'; Id='9708'} | FL TimeCreated,Message
T1053 Scheduled Task
gci -path C:\windows\system32\tasks | Select-String Command | FT Line, Filename
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | Select-String Command | FL Filename,Line
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | where {$_.CreationTime.hour -ge (get-date).hour-2}| Select-String Command | FL Line,Filename
gci -path 'registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\'
gci -path 'registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
ls 'C:\Windows\System32\WptsExtensions.dll'
Note: thanks to [Markus Piéton](https://twitter.com/markus_pieton/status/1189559716453801991) for this one.
T1180 Screensaver
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "ScreenSaveActive"
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "SCRNSAVE.exe"
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "ScreenSaverIsSecure"
T1101 Security Support Provider
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig" /v "Security Packages"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages"
T1505 Server Software Component
N/A
T1058 Service Registry Permissions Weakness
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\servicename |FL
T1023 Shortcut Modification
Select-String -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk" -Pattern "exe"
Select-String -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk" -Pattern "dll"
Select-String -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -Pattern "dll"
Select-String -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -Pattern "exe"
gci -path "C:\Users\" -recurse -include *.lnk -ea SilentlyContinue | Select-String -Pattern "exe" | FL
gci -path "C:\Users\" -recurse -include *.lnk -ea SilentlyContinue | Select-String -Pattern "dll" | FL
T1198 SIP and Trust Provider Hijacking
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg" /s /v "Dll"
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData" /s /v "Dll"
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy" /s /v "`$DLL"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg" /s /v "Dll"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData" /s /v "Dll"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy" /s /v "`$DLL"
T1019 System Firmware
reg query HKLM\HARDWARE\DESCRIPTION\System\BIOS
Confirm-SecureBootUEFI
Get-WmiObject win32_bios
T1209 Time Providers
reg query "HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders" /s /f "Dll"
T1078 Valid Accounts
N/A
T1100 Web Shell
gci -path "C:\inetpub\wwwroot" -recurse -File -ea SilentlyContinue | Select-String -Pattern "runat" | FL
gci -path "C:\inetpub\wwwroot" -recurse -File -ea SilentlyContinue | Select-String -Pattern "eval" | FL
T1084 Windows Management Instrumentation Event Subscription
Get WMI Namespaces
Function Get-WmiNamespace ($Path = 'root')
{
foreach ($Namespace in (Get-WmiObject -Namespace $Path -Class __Namespace))
{
$FullPath = $Path + "/" + $Namespace.Name
Write-Output $FullPath
Get-WmiNamespace -Path $FullPath
}
}
Get-WmiNamespace
Query WMI Persistence
Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription
Get-WmiObject -Class __EventFilter -Namespace root\subscription
Get-WmiObject -Class __EventConsumer -Namespace root\subscription
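The three queries above return filters, consumers and bindings separately, so the trigger and its payload have to be matched by hand. As an added example (not code from the original cheat sheet), the function below joins them into one row per binding; the function name and output properties are my own, and the creator SID decoding assumes the binding's CreatorSID is a raw SID byte array.

```powershell
# Added example (not from the original cheat sheet): join the three queries above into
# one row per persistence entry so the trigger (the filter's WQL) and the payload (the
# consumer's command line or script) are read together.
function Get-WmiPersistence {
    param([string]$Namespace = 'root\subscription')
    $filters   = @(Get-WmiObject -Namespace $Namespace -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $Namespace -Class __EventConsumer)
    foreach ($binding in Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding) {
        # Binding.Filter and Binding.Consumer are object paths such as
        # __EventFilter.Name="MyFilter"; pull the Name out and look the objects up.
        $filterName   = if ($binding.Filter   -match 'Name="([^"]+)"') { $Matches[1] }
        $consumerName = if ($binding.Consumer -match 'Name="([^"]+)"') { $Matches[1] }
        $filter   = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1
        # The payload sits in a class-specific property.
        $payload = switch ($consumer.__CLASS) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            default                     { $null }
        }
        # CreatorSID is stored as a byte array; decode it to the usual S-1-5-... form.
        $creator = try { (New-Object Security.Principal.SecurityIdentifier([byte[]]$binding.CreatorSID, 0)).Value } catch { $null }
        [pscustomobject]@{
            FilterName   = $filterName
            FilterQuery  = $filter.Query
            ConsumerType = $consumer.__CLASS
            ConsumerName = $consumerName
            Payload      = $payload
            CreatorSID   = $creator
        }
    }
}

Get-WmiPersistence | Format-List
```

Read the FilterQuery and Payload columns together: a filter that fires on a timer or on system start-up paired with a CommandLineEventConsumer or ActiveScriptEventConsumer is the combination to explain. A binding whose filter or consumer cannot be found (empty FilterQuery or ConsumerType) is also worth noting, since it may be a partially removed entry.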
T1004 Winlogon Helper DLL
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
reg query "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /s
Other – Winsock Persistence
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Winsock-WS2HELP/Operational'; Id='1'} | FL TimeCreated,Message
Check disabled task manager (often from malware)
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
Review Hivelist
gp REGISTRY::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist | Select *USER*
Locate all user registry keys
$UserProfiles = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*" | Where {$_.PSChildName -match "S-1-5-21-(\d+-?){4}$" } | Select-Object @{Name="SID"; Expression={$_.PSChildName}}, @{Name="UserHive";Expression={"$($_.ProfileImagePath)\ntuser.dat"}}
Load all users registry keys from their ntuser.dat file (perform above first)
Foreach ($UserProfile in $UserProfiles) {If (($ProfileWasLoaded = Test-Path Registry::HKEY_USERS\$($UserProfile.SID)) -eq $false) {reg load HKU\$($UserProfile.SID) $($UserProfile.UserHive) | echo "Successfully loaded: $($UserProfile.UserHive)"}}
Query all users run key
Foreach ($UserProfile in $UserProfiles) {reg query HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run};
Unload all users registry keys
Foreach ($UserProfile in $UserProfiles) {reg unload HKU\$($UserProfile.SID)};
Remediate Automatic Load/Run Reg Keys
reg delete [keyname] /v [ValueName] /f
reg delete [keyname] /f
Foreach ($UserProfile in $UserProfiles) {reg delete HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /f}
Foreach ($UserProfile in $UserProfiles) {reg delete HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f}
Powershell:
Remove-ItemProperty -Path "[Path]" -Name "[name]"
Check Registry for IE Enhanced Security Modification
gci 'REGISTRY::HKU\*\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
gci 'REGISTRY::HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
Check Registry for disabling of UAC (1=UAC Disabled)
gci REGISTRY::HKU\*\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
gci REGISTRY::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Review Software Keys for malicious entries
gci registry::HKLM\Software\*
gci registry::HKU\*\Software\*
Scan Registry keys for specified text
Get-ChildItem -path HKLM:\ -Recurse -ea SilentlyContinue | where {$_.Name -match 'notepad' -or $_.Name -match 'sql'}
Get-ChildItem -path HKLM:\ -Recurse -ea SilentlyContinue | get-itemproperty | where {$_ -match 'notepad' -or $_ -match 'sql'}
reg query HKLM\SOFTWARE /s /f ".exe"
reg query HKLM\SYSTEM /s /f ".exe"
reg query HKLM\SECURITY /s /f ".exe"
reg query HKLM /s /f ".exe"
Persistent file locations of interest
%localappdata%\<random>\<random>.<4-9 file ext>
%localappdata%\<random>\<random>.lnk
%localappdata%\<random>\<random>.bat
%appdata%\<random>\<random>.<4-9 file ext>
%appdata%\<random>\<random>.lnk
%appdata%\<random>\<random>.bat
%SystemRoot%\<random 4 chars starting with digit>
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*"
%SystemRoot%\System32\<randomnumber>\
%SystemRoot%\System32\tasks\<randomname>
%SystemRoot%\\<randomname>
C:\Users\[user]\appdata\roaming\[random]
C:\Users\Public\*
You can scan these directories for items of interest (e.g. unusual exe, dll, bat or lnk files) with:
dir /s /b %localappdata%\*.exe | findstr /e .exe
dir /s /b %appdata%\*.exe | findstr /e .exe
dir /s /b %localappdata%\*.dll | findstr /e .dll
dir /s /b %appdata%\*.dll | findstr /e .dll
dir /s /b %localappdata%\*.bat | findstr /e .bat
dir /s /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\" | findstr /e .lnk
dir /s /b "C:\Users\Public\" | findstr /e .exe
dir /s /b "C:\Users\Public\" | findstr /e .lnk
dir /s /b "C:\Users\Public\" | findstr /e .dll
dir /s /b "C:\Users\Public\" | findstr /e .bat
ls "C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" | findstr /e .lnk
Locate LNK Files with a particular string (Special thanks to the notorious)
Select-String -Path 'C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk' -Pattern "powershell" | Select Path
Master File Table
The Master File Table is an incredibly important artifact; however, it can only be read or obtained using low-level disk reading. It contains an entry for every file or directory on the filesystem, including metadata about these files, and may provide evidence of files which have been removed (MFT entries marked as ‘free’). More information can be found on MS Docs (https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table)
Determine Timestomping
Within the Master File Table (located at the root of the Windows volume) each file record carries two attributes, $STANDARD_INFORMATION and $FILE_NAME, both of which hold timestamps for the file being created, modified, accessed and written.
These are known as MACB times (Modified, Accessed, Changed, Birth). The $STANDARD_INFORMATION timestamps can be modified by a malicious process, but the $FILE_NAME timestamps are left intact and cannot be changed without some extra trickery.
Discrepancies between the two generally indicate timestomping, with the $FILE_NAME entry being the source of truth. This can be determined by obtaining the MFT (e.g. using a tool such as RawCopy) and comparing the timestamps of the file (e.g. using a tool such as MFTExplorer).
RawCopy.exe /FileNamePath:C:0 /OutputPath:C:\Audit /OutputName:MFT_C.bin
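The comparison described above can also be done directly on a raw record from the MFT dump. As an added example (not code from the original cheat sheet), the script below parses one 1024-byte FILE record, applies the NTFS update sequence fixups, reads the four $STANDARD_INFORMATION and $FILE_NAME timestamps and flags each field where $STANDARD_INFORMATION is earlier than $FILE_NAME. The sample record at the bottom is constructed in the script, not taken from a real system; function names are my own.

```powershell
# Added example (not from the original cheat sheet): parse one MFT FILE record, for
# instance carved from the MFT_C.bin produced above, and compare the four
# $STANDARD_INFORMATION timestamps with their $FILE_NAME counterparts. The sample record
# at the bottom is constructed here and is not from a real system.
function Read-U16 ([byte[]]$b, [int]$o) { [BitConverter]::ToUInt16($b, $o) }
function Read-U32 ([byte[]]$b, [int]$o) { [BitConverter]::ToUInt32($b, $o) }
function Read-Time([byte[]]$b, [int]$o) { [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($b, $o)) }

function Get-MftRecordTimes([byte[]]$Record) {
    $Record = [byte[]]$Record.Clone()                     # fixups are applied in place
    if ([Text.Encoding]::ASCII.GetString($Record, 0, 4) -ne 'FILE') { throw 'Not a FILE record' }
    # Undo the update sequence fixups: the last two bytes of each 512-byte sector carry the
    # update sequence number, and the bytes they replaced sit in the update sequence array.
    $usaOffset = Read-U16 $Record 0x04
    $usaCount  = Read-U16 $Record 0x06
    $usn       = Read-U16 $Record $usaOffset
    for ($i = 1; $i -lt $usaCount; $i++) {
        $end = $i * 512 - 2
        if ((Read-U16 $Record $end) -ne $usn) { throw "Fixup mismatch in sector $i (torn write or corrupt record)" }
        $Record[$end]     = $Record[$usaOffset + 2 * $i]
        $Record[$end + 1] = $Record[$usaOffset + 2 * $i + 1]
    }
    $times  = @{}
    $offset = Read-U16 $Record 0x14                       # offset of the first attribute
    while ($offset -lt $Record.Length - 8 -and (Read-U32 $Record $offset) -ne 0xFFFFFFFF) {
        $type   = Read-U32 $Record $offset
        $length = Read-U32 $Record ($offset + 0x04)
        if ($length -eq 0) { break }
        if ($Record[$offset + 0x08] -eq 0 -and ($type -eq 0x10 -or $type -eq 0x30)) {   # resident $SI / $FN
            $content = $offset + (Read-U16 $Record ($offset + 0x14))
            # $STANDARD_INFORMATION keeps its times at content+0; $FILE_NAME keeps them at
            # content+8, after the parent directory reference.
            $base = if ($type -eq 0x10) { $content } else { $content + 8 }
            $name = if ($type -eq 0x10) { 'SI' } else { 'FN' }
            $times[$name] = [ordered]@{
                Created  = Read-Time $Record $base
                Modified = Read-Time $Record ($base + 8)
                Changed  = Read-Time $Record ($base + 16)  # MFT entry changed
                Accessed = Read-Time $Record ($base + 24)
            }
        }
        $offset += $length
    }
    $times
}

function Test-Timestomp([byte[]]$Record) {
    $t = Get-MftRecordTimes $Record
    foreach ($field in 'Created', 'Modified', 'Changed', 'Accessed') {
        [pscustomobject]@{
            Field      = $field
            StdInfo    = $t.SI[$field]
            FileName   = $t.FN[$field]
            # A $STANDARD_INFORMATION time earlier than its $FILE_NAME counterpart is the
            # discrepancy described above; $FILE_NAME is treated as the source of truth.
            Suspicious = ($t.SI[$field] -lt $t.FN[$field])
        }
    }
}

# Constructed sample: a 1024-byte record for 'report.docx' whose $SI created and
# modified times were pushed back to 2009 while $FILE_NAME still says 2021-03-04.
function New-SampleRecord {
    $r   = New-Object byte[] 1024
    $put = { param($off, [byte[]]$bytes) [Array]::Copy($bytes, 0, $r, $off, $bytes.Length) }
    $ft  = { param([int]$y, [int]$m, [int]$d, [int]$h) [BitConverter]::GetBytes([DateTime]::new($y, $m, $d, $h, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()) }
    & $put 0x00 ([Text.Encoding]::ASCII.GetBytes('FILE'))
    & $put 0x04 ([BitConverter]::GetBytes([uint16]0x30))    # update sequence array offset
    & $put 0x06 ([BitConverter]::GetBytes([uint16]3))       # USN plus one entry per sector
    & $put 0x14 ([BitConverter]::GetBytes([uint16]0x38))    # first attribute offset
    & $put 0x30 ([BitConverter]::GetBytes([uint16]0x1234))  # update sequence number (array entries stay 0)
    & $put 510  ([BitConverter]::GetBytes([uint16]0x1234))  # fixup stamp, end of sector 1
    & $put 1022 ([BitConverter]::GetBytes([uint16]0x1234))  # fixup stamp, end of sector 2
    # $STANDARD_INFORMATION at 0x38: resident, 0x48 bytes of content at +0x18
    & $put 0x38 ([BitConverter]::GetBytes([uint32]0x10)); & $put 0x3C ([BitConverter]::GetBytes([uint32]0x60))
    & $put 0x48 ([BitConverter]::GetBytes([uint32]0x48)); & $put 0x4C ([BitConverter]::GetBytes([uint16]0x18))
    & $put 0x50 (& $ft 2009 7 14 0); & $put 0x58 (& $ft 2009 7 14 0)   # created, modified (stomped)
    & $put 0x60 (& $ft 2021 3 4 10); & $put 0x68 (& $ft 2021 3 4 10)   # changed, accessed
    # $FILE_NAME at 0x98: resident, 0x58 bytes of content at +0x18 (times start at +8)
    & $put 0x98 ([BitConverter]::GetBytes([uint32]0x30)); & $put 0x9C ([BitConverter]::GetBytes([uint32]0x70))
    & $put 0xA8 ([BitConverter]::GetBytes([uint32]0x58)); & $put 0xAC ([BitConverter]::GetBytes([uint16]0x18))
    foreach ($o in 0xB8, 0xC0, 0xC8, 0xD0) { & $put $o (& $ft 2021 3 4 10) }   # the four true times
    $name = [Text.Encoding]::Unicode.GetBytes('report.docx')
    $r[0xF0] = [byte]($name.Length / 2); $r[0xF1] = 1     # name length (chars), Win32 namespace
    & $put 0xF2 $name
    & $put 0x108 ([BitConverter]::GetBytes([uint32]0xFFFFFFFF))   # end of attribute list
    $r
}

Test-Timestomp (New-SampleRecord) | Format-Table
# Real data: records are normally 1024 bytes, so record N is bytes N*1024 .. N*1024+1023 of the dump:
#   $mft = [IO.File]::ReadAllBytes('C:\Audit\MFT_C.bin'); Test-Timestomp $mft[(50*1024)..(50*1024+1023)]
```

On the constructed record the Created and Modified rows come back Suspicious while Changed and Accessed do not, which is the pattern of a file whose visible timestamps were pushed into the past. Two caveats when running this on real dumps: the record size comes from the volume's boot sector (1024 bytes is the usual value, not a guarantee), and a $STANDARD_INFORMATION time that is later than $FILE_NAME is normal, since $FILE_NAME is only refreshed on rename or move.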
Enable Date Accessed Timestamps
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /d 0 /t REG_DWORD /f
Remove BITSAdmin Persistence
bitsadmin /reset /allusers
import-module bitstransfer
Get-BitsTransfer -AllUsers | Remove-BitsTransfer
Check system directories for executables not signed as part of an operating system release
gci C:\windows\*\*.exe -File -force |get-authenticodesignature|?{$_.IsOSBinary -notmatch 'True'}
Locate Possible Trickbot
gci -path C:\Users\*\AppData\Roaming\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Roaming\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Roaming\*\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Roaming\*\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Windows\System32\config\systemprofile\appdata\roaming -recurse -force -include *.exe
schtasks /query /fo LIST /v | findstr "appdata"
schtasks /query /fo LIST /v | findstr "programdata"
schtasks /query /fo LIST /v | findstr "public"
tasklist /svc | findstr "svchost"
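The schtasks findstr lines just above and the Select-String commands in the T1053 Scheduled Task section both search task definitions for commands that run from user-writable locations. As an added example serving both passages (not code from the original cheat sheet), the function below parses the task XML files under C:\Windows\System32\Tasks instead of grepping them, reports each <Exec> command and its arguments together with the author, run level and creation time, and flags matches against a list of suspicious path fragments. The function name and the path list are my own choices.

```powershell
# Added example (not from the original cheat sheet): parse the task XML under
# C:\Windows\System32\Tasks instead of grepping it, and report every <Exec> action whose
# command or arguments point at a user-writable location (the same idea as the schtasks
# findstr lines above). The path list is an assumption; extend it for your environment.
function Get-SuspiciousScheduledTasks {
    param(
        [string]   $TaskRoot = "$env:windir\System32\Tasks",
        [string[]] $SuspiciousPaths = @('\appdata\', '\programdata\', '\users\public\', '\temp\', '\tmp\')
    )
    Get-ChildItem -Path $TaskRoot -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try { [xml]$task = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop }
        catch { return }                                    # not XML (or unreadable): skip
        foreach ($exec in @($task.Task.Actions.Exec)) {
            if (-not $exec) { continue }                    # ComHandler and other action types
            $line = "$($exec.Command) $($exec.Arguments)"
            $hits = $SuspiciousPaths | Where-Object { $line -match [regex]::Escape($_) }   # case-insensitive
            if (-not $hits) { continue }
            [pscustomobject]@{
                Task      = $file.FullName.Substring($TaskRoot.Length)
                Author    = $task.Task.RegistrationInfo.Author
                RunLevel  = $task.Task.Principals.Principal.RunLevel
                Created   = $file.CreationTime
                Command   = $exec.Command
                Arguments = $exec.Arguments
                Matched   = ($hits -join ', ')
            }
        }
    }
}

Get-SuspiciousScheduledTasks | Sort-Object Created -Descending | Format-List
```

Parsing the XML rather than grepping it keeps Command and Arguments separate, so a legitimate binary such as a script host called with a script from %APPDATA% is reported rather than hidden behind a harmless-looking command. Compare the on-disk files with the TaskCache registry keys listed in the T1053 section: a task present in one but not the other is worth a closer look.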
Determine if user Trusted a doc/spreadsheet etc and ran a macro
Note: Don’t forget to load in user hives.
reg query 'HKU\[SID]\Software\Microsoft\Office\[versionnumber]\Word\Security\Trusted Documents\TrustRecords';
gci 'REGISTRY::HKU\*\Software\Microsoft\Office\*\*\Security\Trusted Documents\TrustRecords' -ea 0 | foreach {reg query $_.Name}
Note: This shows the file name/location and the metadata in hex. If the last four bytes are FF FF FF 7F, the user enabled macros.
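Rather than reading the hex by eye, the TrustRecords data can be decoded. As an added example (not code from the original cheat sheet), the functions below turn each value into a document path, trust time and macro flag. The page only states the meaning of the trailing FF FF FF 7F bytes; the rest of the layout used here is my assumption: the first 8 bytes are a FILETIME recording when the document was trusted and the last 4 bytes are a little-endian flag. The sample blob is constructed, and the function names are my own.

```powershell
# Added example (not from the original cheat sheet): decode TrustRecords values instead
# of reading the raw hex. The value name is the document path. The page states that a
# trailing FF FF FF 7F means macros were enabled; the additional layout assumed here is
# an 8-byte FILETIME at offset 0 (when the document was trusted) and a 4-byte flag at the end.
function ConvertFrom-TrustRecord {
    param([string]$DocumentPath, [byte[]]$Data)
    if ($Data.Length -lt 12) { throw "TrustRecords data for $DocumentPath is too short ($($Data.Length) bytes)" }
    $trusted = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Data, 0))
    $flag    = [BitConverter]::ToUInt32($Data, $Data.Length - 4)   # little-endian: FF FF FF 7F -> 0x7FFFFFFF
    [pscustomobject]@{
        Document      = $DocumentPath
        TrustedUtc    = $trusted
        Flag          = ('0x{0:X8}' -f $flag)
        MacrosEnabled = ($flag -eq 0x7FFFFFFF)
    }
}

function Get-TrustRecords {
    # Walk every loaded user hive; load offline hives first, as the note above says.
    Get-ChildItem 'REGISTRY::HKU\*\Software\Microsoft\Office\*\*\Security\Trusted Documents\TrustRecords' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                ConvertFrom-TrustRecord -DocumentPath $name -Data ([byte[]]$key.GetValue($name))
            }
        }
}

# Constructed sample value (not from a real system): trusted 2021-03-04 10:00 UTC,
# 12 undecoded bytes, then the FF FF FF 7F macro flag.
$sample = [byte[]]([BitConverter]::GetBytes([DateTime]::new(2021, 3, 4, 10, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()) +
                   (New-Object byte[] 12) +
                   [byte[]](0xFF, 0xFF, 0xFF, 0x7F))
ConvertFrom-TrustRecord -DocumentPath '%USERPROFILE%/Downloads/invoice.docm' -Data $sample

# Live system, all loaded user hives:
Get-TrustRecords | Where-Object MacrosEnabled | Format-Table -AutoSize
```

For the constructed value the output shows Flag 0x7FFFFFFF and MacrosEnabled True with a trust time of 2021-03-04 10:00:00 UTC. The decoded trust time is what ties the macro-enable click to the rest of the timeline (downloads, Office alerts, process creation), which the raw hex does not give you without conversion.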
Check Office Security Settings
gci REGISTRY::HKU\*\Software\Microsoft\Office\*\*\Security -rec
gci REGISTRY::HKCU\Software\Microsoft\Office\*\*\Security -rec
Check Outlook Temporary Files
gci ((gp REGISTRY::HKU\*\Software\Microsoft\Office\[VerNumber]\Outlook\Security\ -ea 0).OutlookSecureTempFolder)
gci (((gp REGISTRY::HKU\*\Software\Microsoft\Office\*\Outlook\Security\ -ea 0)|select -exp OutlookSecureTempFolder -ea 0))
Check MS Office Logs for high risk file names
Get-WinEvent -FilterHashtable @{ LogName='OAlerts';} |Where { $_.Message -Match 'invoice' }| FL TimeCreated, Message
Prevent CVE-2017-11882, CVE-2018-0802, CVE-2018-0804, CVE-2018-0805, CVE-2018-0806, CVE-2018-0807 (EQNEDT32.EXE) Exploitation
Note: This is the “Equation Editor” exploit; either patch or apply the mitigation below. More information on the below process.
64-Bit Windows:
reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400 /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{0002CE02-0000-0000-C000-000000000046}"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Equation.3"
32-Bit Windows:
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400 /f
reg delete "HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{0002CE02-0000-0000-C000-000000000046}"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Equation.3" /f
Determine if user opened a document
gci "REGISTRY::HKU\*\Software\Microsoft\Office\*\Word\Reading Locations\*"
Prevent Executable from Running.
Note: Load the user hives and add the particular SID to prevent that user from running the named files; this helps prevent, for example, your IIS service account from running cmd.exe or powershell.exe.
reg ADD "HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /t REG_DWORD /d "00000001" /f
reg ADD "HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v malware.exe /t REG_SZ /d "malware.exe" /f
Show known file extensions and hidden files (excluding OS hidden files)
reg ADD "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d "1" /f
reg ADD "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d "0" /f
Stop-Process -processname explorer
Open File Extension (e.g. scripts) with certain application (elevated cmd)
FTYPE Custom=Notepad.exe "%1"
ASSOC .wsf=Custom
Disable Command Prompt
reg ADD "HKCU\SOFTWARE\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 1 /f
Note: 0 leaves the prompt enabled; 1 disables both the interactive prompt and batch scripts; 2 disables the interactive prompt but still allows batch scripts.
Locate Possible DLL Search Order Hijacking
Note: A legitimate clean executable can be used to run malicious DLLs based on how the software searches for them.
More information on Microsoft Docs
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode"
Search order for desktop applications:
If SafeDllSearchMode is enabled (it is by default, including when the value is absent), the search order is as follows:
- The same directory from which the executable is run.
- The System Directory (Usually C:\Windows\System32).
- The 16-bit System Directory.
- The Windows Directory (Usually C:\Windows).
- The Current Directory (From the process which executed the executable).
- The directories that are listed in the PATH environment variable.
If SafeDllSearchMode is disabled (SafeDllSearchMode has a reg value of 0), the search order is as follows:
- The same directory from which the executable is run.
- The Current Directory (From the process which executed the executable).
- The System Directory (Usually C:\Windows\System32).
- The 16-bit System Directory.
- The Windows Directory (Usually C:\Windows).
- The directories that are listed in the PATH environment variable.
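The search order above can be walked programmatically. The following is an added example, not part of the original cheat sheet: given an executable and a DLL name it lists every directory the loader would try, in order, marks which candidates exist on disk, and flags any copy that would win the search from outside the Windows directory. KnownDLLs are reported as safe because they are always mapped from System32 regardless of the order. The function name and its output fields are this example's own.

```powershell
# Added example: resolve where a named DLL would be found for a given executable,
# following the documented search order, and flag candidates outside C:\Windows.
# Assumes an administrator shell on the host being triaged.
function Get-DllSearchCandidates {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string]$DllName,
        [string]$WorkingDirectory = (Get-Location).Path   # "current directory" of the process
    )
    $sm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $safe = (Get-ItemProperty -Path $sm -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    $safeMode = ($null -eq $safe) -or ($safe -ne 0)        # absent value means enabled

    # KnownDLLs are loaded from System32 no matter what is on disk elsewhere.
    $known = (Get-ItemProperty -Path "$sm\KnownDLLs").PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' } |
        ForEach-Object { $_.Value }
    if ($known -contains $DllName) {
        return [pscustomobject]@{ Order = 0; Directory = 'KnownDLLs (System32)'; Exists = $true; Suspicious = $false }
    }

    $sys   = [Environment]::GetFolderPath('System')        # C:\Windows\System32
    $win   = [Environment]::GetFolderPath('Windows')       # C:\Windows
    $sys16 = Join-Path $win 'System'                        # 16-bit system directory
    $app   = Split-Path -Parent (Resolve-Path $ExePath).Path

    # Directory list in the order described above for each SafeDllSearchMode state.
    $dirs = if ($safeMode) {
        @($app, $sys, $sys16, $win, $WorkingDirectory)
    } else {
        @($app, $WorkingDirectory, $sys, $sys16, $win)
    }
    $dirs += ($env:Path -split ';' | Where-Object { $_ })

    $i = 0
    foreach ($d in $dirs) {
        $i++
        $candidate = Join-Path $d $DllName
        $exists = Test-Path -LiteralPath $candidate -PathType Leaf
        [pscustomobject]@{
            Order      = $i
            Directory  = $d
            Exists     = $exists
            # A copy that exists outside C:\Windows and sorts before the real one deserves a look.
            Suspicious = $exists -and ($d -notlike "$win*")
        }
    }
}

# Usage: the first row with Exists = True is the copy the loader would pick.
Get-DllSearchCandidates -ExePath 'C:\Windows\System32\notepad.exe' -DllName 'version.dll' |
    Format-Table -AutoSize
```

Run it once per suspect executable/DLL pair from the process listing; a Suspicious row that sorts above the System32 copy is the condition the note above describes.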
Locate Possible Dll Side Loading
Note: A legitimate clean executable can be used to run malicious DLLs based on issues with a manifest file used by the application to load DLLs.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners"
If a malicious DLL has been placed in the locations below, a legitimate binary may have been used to sideload it.
- C:\Windows\WinSxS
- C:\Windows\SXS
Unique Sideload DLL hashes (may take some time)
(gci -path C:\Windows\WinSxS -recurse -include *.dll|gi -ea SilentlyContinue|filehash).hash|sort -u
Unsigned or Invalid Sideload DLLs (there will be a lot)
gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
Unsigned Sideload DLLs (Less noise)
gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -EQ "NotSigned"
gci -path C:\Windows\WinSxS -recurse -include *.ocx | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
Hash of Unsigned Sideload DLLs
gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -EQ "NotSigned" | Select Path | gi -ea SilentlyContinue | filehash | sort -u
gci -path C:\Windows\WinSxS -recurse -include *.ocx | Get-AuthenticodeSignature | Where-Object Status -NE "Valid" | Select Path | gi -ea SilentlyContinue | filehash | sort -u
Find files without extensions
Get-ChildItem -Path C:\Users\[user]\AppData -Recurse -Exclude *.* -File -Force -ea SilentlyContinue
Remediate malicious files
rmdir %localappdata%\maliciousdirectory\ /s
del /F %localappdata%\maliciousdirectory\malware.exe
Powershell:
Remove-Item [C:\Users\Public\*.exe]
Remove-Item -Path [C:\Users\Public\malware.exe] -Force
Get-ChildItem * -Include *.exe -Recurse | Remove-Item
Detect Persistent WMI Subscriptions
Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription
Get-WmiObject -Class __EventFilter -Namespace root\subscription
Get-WmiObject -Class __EventConsumer -Namespace root\subscription
Remediate Persistent WMI Subscriptions
Get-WMIObject -Namespace root\subscription -Class __EventFilter -Filter "Name='[Name]'" | Remove-WmiObject
Get-WMIObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='[Name]'" | Remove-WmiObject
Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding -Filter "__Path like '%[Name]%'" | Remove-WmiObject
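The three queries above return filters, consumers and bindings separately, so the analyst has to match them up by hand. The following is an added example, not part of the original cheat sheet: it walks each binding, resolves its filter and consumer object paths, and prints the WQL trigger next to the command line or script it runs. The function name and the Expected field are this example's own; the only binding it treats as expected is the built-in SCM Event Log Filter present on most hosts.

```powershell
# Added example: join each __FilterToConsumerBinding to its filter and consumer.
# Assumes an administrator shell (root\subscription is not readable otherwise).
function Get-WmiPersistence {
    $ns = 'root\subscription'
    foreach ($b in (Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)) {
        # Filter and Consumer hold object paths such as __EventFilter.Name="x"; [wmi] resolves them.
        $filter   = [wmi]$b.Filter
        $consumer = [wmi]$b.Consumer
        $payload = switch ($consumer.__CLASS) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFilename } }
            default                     { '' }
        }
        [pscustomobject]@{
            Filter       = $filter.Name
            Query        = $filter.Query
            ConsumerType = $consumer.__CLASS
            Consumer     = $consumer.Name
            Payload      = $payload
            # The SCM Event Log Filter binding ships with Windows; anything else warrants review.
            Expected     = ($filter.Name -eq 'SCM Event Log Filter')
        }
    }
}

Get-WmiPersistence | Where-Object { -not $_.Expected } | Format-List
```

Anything listed with a CommandLineEventConsumer or ActiveScriptEventConsumer payload maps directly onto the remediation commands above: the Filter and Consumer names are the values to substitute for [Name].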
Enumerate WMI Namespaces
Function Get-WmiNamespace ($Path = 'root')
{
    foreach ($Namespace in (Get-WmiObject -Namespace $Path -Class __Namespace))
    {
        $FullPath = $Path + "\" + $Namespace.Name
        Write-Output $FullPath
        Get-WmiNamespace -Path $FullPath
    }
}
Get-WmiNamespace
Note: The function recurses on its own and has no -Recurse parameter; pass -Path to start below root (e.g. Get-WmiNamespace -Path root\cimv2).
Mimikatz/Credential Extraction Detection
The below represent registry keys which make it more difficult for Mimikatz to work. Modification of these keys may indicate an attacker trying to execute Mimikatz within an environment if they were set to their more secure state. Always test prior to changing registry keys such as these in a production environment to ensure nothing breaks.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
- “UseLogonCredential” should be 0 to prevent WDigest keeping the plaintext password in LSASS memory
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- “RunAsPPL” should be set to dword:00000001 to enable LSA Protection which prevents non-protected processes from interacting with LSASS.
- Mimikatz can remove these flags using a custom driver called mimidriver.
- This uses the command **!+** and then **!processprotect /remove /process:lsass.exe** by default so tampering of this registry key can be indicative of Mimikatz activity.
The Mimikatz Yara rule may also prove useful.
Some techniques involve loading lsasrv.dll or wdigest.dll into a process to extract credentials; a process that has loaded them without a legitimate reason may be caught using:
tasklist /m wdigest.dll
tasklist /m lsasrv.dll
You may be able to detect changes to the below registry keys which can be used to load an arbitrary DLL and extract credentials, more information from Adam Chester
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS /v LsaDbExtPt
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt
An adversary may also tamper with the number of cached logons a system holds (default of 10).
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount
NetNTLM Downgrade Attack Detection
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v RestrictSendingNTLMTraffic
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v NTLMMinClientSec
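The credential-protection values from the Mimikatz section and the NetNTLM downgrade section above can be checked in one pass against their hardened state, so that drift from the expected setting stands out rather than having to be read off raw reg query output. The following is an added example, not part of the original cheat sheet. Expected values for WDigest, RunAsPPL and CachedLogonsCount are those the page states; LMCompatibilityLevel 5, RestrictSendingNTLMTraffic at least 1 and NTLMMinClientSec 0x20080000 (NTLMv2 session security plus 128-bit encryption) are this example's assumed baseline and should be adjusted to local policy. The function name is this example's own.

```powershell
# Added example: compare LSA/NTLM related registry values with a hardened baseline.
# Assumes an administrator shell. Absent values are reported with what the OS default means.
function Test-LsaHardening {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $checks = @(
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential';
           Want = '0'; AbsentIs = 'hardened (off by default on 8.1/2012 R2 and later)'; Test = { param($v) $v -eq 0 } }
        @{ Key = $lsa; Name = 'RunAsPPL';
           Want = '1'; AbsentIs = 'WEAK (LSA protection not enabled)'; Test = { param($v) $v -eq 1 } }
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'CachedLogonsCount';
           Want = '<= 10'; AbsentIs = 'hardened (default 10)'; Test = { param($v) [int]$v -le 10 } }
        @{ Key = $lsa; Name = 'LMCompatibilityLevel';
           Want = '5'; AbsentIs = 'WEAK (default 3: NTLMv2 sent, LM/NTLM still accepted)'; Test = { param($v) $v -ge 5 } }
        @{ Key = "$lsa\MSV1_0"; Name = 'RestrictSendingNTLMTraffic';
           Want = '>= 1'; AbsentIs = 'WEAK (outgoing NTLM not restricted)'; Test = { param($v) $v -ge 1 } }
        @{ Key = "$lsa\MSV1_0"; Name = 'NTLMMinClientSec';
           Want = '0x20080000'; AbsentIs = 'review (OS default applies)'; Test = { param($v) ($v -band 0x20080000) -eq 0x20080000 } }
    )
    foreach ($c in $checks) {
        # Missing value or missing key both come back as $null.
        $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $state = if ($null -eq $v) { $c.AbsentIs } elseif (& $c.Test $v) { 'hardened' } else { 'WEAK' }
        [pscustomobject]@{ Value = $c.Name; Current = $v; Expected = $c.Want; State = $state; Key = $c.Key }
    }
}

Test-LsaHardening | Format-Table -AutoSize
```

A value that was hardened at build time and now reports WEAK is the tampering signal the Mimikatz section describes; run the check on a known-good build first so the baseline matches what the environment actually deploys.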
Putty Detection
reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s
Installed Updates
(WMI Quick Fix Engineering)
wmic qfe
Installed Software/Packages
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ /s /f DisplayName
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ /s /f DisplayName
wmic product get name,version /format:csv
wmic product get /ALL
dism /online /get-packages
Powershell: Full List for all users using uninstall keys in registry
$(Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*; Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*;New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS| Out-Null;$UserInstalls += gci -Path HKU: | where {$_.Name -match 'S-\d-\d+-(\d+-){1,14}\d+$'} | foreach {$_.PSChildName };$(foreach ($User in $UserInstalls){Get-ItemProperty HKU:\$User\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*});$UserInstalls = $null;try{Remove-PSDrive -Name HKU}catch{};)|where {($_.DisplayName -ne $null) -and ($_.Publisher -ne $null)} | Select DisplayName,DisplayVersion,Publisher,InstallDate,UninstallString |FT
Process information
(pslist requires sysinternals pslist.exe):
tasklist -v
wmic process list full /format:csv
wmic process get name,parentprocessid,processid /format:csv
wmic process get ExecutablePath,processid /format:csv
wmic process get name,ExecutablePath,processid,parentprocessid /format:csv | findstr /I "appdata"
wmic process where processid=[PID] get parentprocessid
wmic process where processid=[PID] get commandline
wmic process where "commandline is not null and commandline!=''" get name,commandline /format:csv
gwmi win32_process -Filter "name like 'powershell.exe'" | select name,processId,commandline|FL
gwmi win32_process | select name,processId,path,commandline|FL
gwmi win32_process |FL ProcessID,ParentProcessID,CommandLine,@{e={$_.GetOwner().User}}
gwmi win32_process | Sort-Object -Property ProcessID | FL ProcessID,Path,CommandLine,ParentProcessID,@{n="User";e={$_.GetOwner().User}},@{n="ParentProcessPath";e={gps -Id $_.ParentProcessID|Select -exp Path}}
pslist
PowerShell Module to show Process Tree
import-module .\Get-ProcessTree.ps1
Get-ProcessTree -Verbose | FT Id, Level, IndentedName, ParentId,Path,CommandLine
Current Process execution or module loads from temporary directories
Note: This will likely have some false positives as it’s just a substring match; ‘temp’, for example, also matches ‘ItemProvider’.
(gps -Module -ea 0).FileName|Select-String "Appdata","ProgramData","Temp","Users","public"|sort -u
Current Process execution or module loads from temporary directories + hash
$A=((gps -Module -ea 0).FileName|Select-String "Appdata","ProgramData","Temp","Users","public"|sort -u);foreach ($B in $A) {filehash $B};
$A=((gps).Path|Select-String "Appdata","ProgramData","Temp","Users","public"|sort -u);foreach ($B in $A) {filehash $B};
Scan for malware with Windows Defender
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File C:\Users\[username]\AppData\Local\Temp
Note: Types are as follows
- 1: Quick scan
- 2: Full system scan
- 3: File and directory custom scan
Check Windows Defender for excluded files and default actions
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
Get-MpPreference | Select Exclusion*
Get-MpPreference | Select *DefaultAction
Delete Windows Defender excluded files
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "[RegkeyValue]"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defension\Exclusions\Paths' -Name "[ExcludedPath]"
Check and Set Access Control Lists
Get-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'|FL
Get-Acl -Path [FileWithRequiredAccess] | Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
Change ACE for “everyone” on folder and subfiles/folders
Grant everyone full access
icacls "C:\{DESIREDFOLDERPATH}" /grant everyone:(CI)(OI)F /T
Remove ACE entries for “everyone”
icacls "C:\{DESIREDFOLDERPATH}" /remove everyone /T
Disable unwanted windows binaries (via Base64 encoding and removal)
Note: This is one method, not the only way.
certutil -encode C:\windows\system32\mshta.exe C:\windows\system32\mshta.disabled
Get-Acl -Path C:\windows\system32\mshta.exe | Set-Acl -Path C:\windows\system32\mshta.disabled
takeown /f C:\windows\system32\mshta.exe
icacls C:\windows\system32\mshta.exe /grant administrators:F
rm C:\windows\system32\mshta.exe
Enable windows binaries (via Base64 decoding and removal)
certutil -decode C:\windows\system32\mshta.disabled C:\windows\system32\mshta.exe
Get-Acl -Path C:\windows\system32\mshta.disabled | Set-Acl -Path C:\windows\system32\mshta.exe
takeown /f C:\windows\system32\mshta.disabled
icacls C:\windows\system32\mshta.disabled /grant administrators:F
rm C:\windows\system32\mshta.disabled
Make multiple files visible and remove ‘superhidden’
gci C:\{DESIREDFOLDERPATH} -force -recurse -ea 0 | foreach {$_.attributes = 'Normal'};
attrib -s -h C:\{DESIREDFOLDERPATH}\*.*
Check Security Descriptor Definition Language (SDDL) and Access Control Entries (ACE) for services
sc sdshow <servicename>
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name}
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name|Select-String "A;*DC"}
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name|Select-String "A;*WD"}
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name|Select-String "A;*WO"}
More information on ACE Strings and the level of access they can provide.
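The Select-String patterns above match on substrings of the whole SDDL string, so they fire on any ACE containing DC, WD or WO and do not say who holds the right. The following is an added example, not part of the original cheat sheet: it parses the DACL portion of a service SDDL string into individual ACEs and reports only allow ACEs that grant a broad trustee a right that can change or delete the service. Right codes in service ACEs: DC = change config, WP = stop, SD = delete, WD = write DAC, WO = write owner; trustees checked: WD (Everyone), AU (Authenticated Users), BU (Users), IU (Interactive), AN (Anonymous). The function name and the sample SDDL are this example's own.

```powershell
# Added example: parse a service SDDL string (as printed by "sc sdshow") and
# report ACEs that let broad groups modify, stop or delete the service.
function Get-RiskyServiceAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$ServiceName = ''
    )
    $riskyRights   = 'DC', 'WD', 'WO', 'WP', 'SD'
    $broadTrustees = 'WD', 'AU', 'BU', 'IU', 'AN'

    # Keep the DACL only: drop anything before "D:" and the SACL ("S:...") if present.
    $dacl = ($Sddl -replace '^.*?D:', '') -replace 'S:.*$', ''
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'            # type;flags;rights;objguid;inheritguid;trustee
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }   # only allow ACEs grant anything
        $rights  = [regex]::Matches($f[2], '..') | ForEach-Object { $_.Value }   # two-letter right codes
        $trustee = $f[5]
        $hit = @($rights | Where-Object { $riskyRights -contains $_ })
        if ($hit.Count -gt 0 -and $broadTrustees -contains $trustee) {
            [pscustomobject]@{
                Service = $ServiceName
                Trustee = $trustee
                Rights  = $f[2]
                Risky   = ($hit -join ',')
                Ace     = $m.Value
            }
        }
    }
}

# Constructed SDDL for the demonstration: the second ACE gives Authenticated Users DC (change config) and WP (stop).
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Get-RiskyServiceAce -Sddl $sample -ServiceName 'ExampleSvc' | Format-Table -AutoSize

# Live use over every service (sc.exe prints a blank line before the SDDL, hence the join):
Get-Service | ForEach-Object {
    Get-RiskyServiceAce -Sddl ((sc.exe sdshow $_.Name) -join '') -ServiceName $_.Name
} | Format-Table -AutoSize
```

The SY ACE in the sample also carries WP, but SYSTEM is not a broad trustee, so it is not reported; that is the distinction the raw substring search cannot make.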
Kill “Unstoppable” Service/Process
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{SERVICENAME} /V Start /T reg_dword /D 4 /F
sc.exe sdset {SERVICENAME} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Get-Service -Name {SERVICENAME} | Set-Service -Status Paused
sc.exe config {SERVICENAME} start= disabled
Get-Service -Name {SERVICENAME} | Set-Service -Status Stopped
tasklist /FI "IMAGENAME eq {SERVICEEXENAME}"
taskkill /F /t /IM "{SERVICEEXENAME}"
Obtain hash for all running executables
Works from cmd.exe but has issues with spaces in paths
FOR /F %i IN ('wmic process where "ExecutablePath is not null" get ExecutablePath') DO certutil -hashfile %i SHA256 | findstr -v : >> output.txt
Powershell (Special thanks Lee Holmes)
(gps|gi -ea SilentlyContinue|filehash).hash|sort -u
My less efficient powershell
foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | Format-List}
foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}
$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique;$A
Obtain hash and established network connections for running executables with dns cache
Get-NetTCPConnection -State Established | Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}},@{n="DNSCache";e={(Get-DnsClientCache -Data $_.RemoteAddress -ea 0).Entry}}|sort|gu -AS|FT
Obtain hash and listening network connections for running executables
Get-NetTCPConnection -State LISTEN | Select LocalAddress, LocalPort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}}|sort|gu -AS|FT
Obtain hash and possible tunneled network connections for running executables
Get-NetTCPConnection -State ESTABLISHED |? LocalAddress -Like "::1" | Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}},@{n="DNSCache";e={(Get-DnsClientCache -Data $_.RemoteAddress).Entry}}|sort|gu -AS|FT
Get-NetTCPConnection -State Established |? LocalAddress -Like "127.0.0.1"| Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}},@{n="DNSCache";e={(Get-DnsClientCache -Data $_.RemoteAddress).Entry}}|sort|gu -AS|FT
Get-NetTCPConnection -State LISTEN |? LocalAddress -Like "127.0.0.1" | Select LocalAddress, LocalPort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}}|sort|gu -AS|FT
Obtain workstation name for tunneled authentication
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='::';} | FL TimeCreated,Message
Obtain hash of DLLs currently loaded by processes
$A = $(foreach ($dll in gps|select -ExpandProperty modules -ea SilentlyContinue|? FileName -NotLike "C:\Windows\SYSTEM32\*"){Get-FileHash $dll.FileName| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$A
(gps).Modules.FileName | sort -uniq | foreach {filehash $_ -ea 0}
Obtain processes whose binary’s product version doesn’t match the OS build number
gps -FileVersionInfo -ea 0|? {$_.ProductVersion -notmatch $([System.Environment]::OSVersion.Version|Select -exp Build)}
Obtain process binary file external names
gps -FileVersionInfo -ea 0 | sort -uniq | Select OriginalFilename,InternalName,Filename
gps -module -FileVersionInfo -ea 0 | sort -uniq | Select OriginalFilename,InternalName,Filename
gps -module -FileVersionInfo -ea 0 | sort -uniq | FL *name,*version
Obtain processes that have loaded a given DLL
$A=(gps|select -ExpandProperty modules -ea SilentlyContinue | where {$_.ModuleName -Like 'sechost.dll' -or $_.ModuleName -Like 'ntdll.dll'} | sort -u);if($A[0].Size -ge -1) {foreach ($Module in $A){tasklist /m $Module.ModuleName}};
gps | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
Obtain hash of unsigned or invalid DLLs currently loaded by processes
$A=$(foreach ($dll in gps|select -ExpandProperty modules -ea SilentlyContinue){Get-AuthenticodeSignature $dll.FileName |Where-Object Status -NE "Valid"|Select Path});$B=$(foreach ($dll in $A){Get-FileHash $dll.Path| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$B
Obtain list of unsigned DLLs currently loaded by processes
gps | select -exp modules -ea 0 | Select -exp FileName | Get-AuthenticodeSignature|Where-Object Status -NE "Valid"
gps | select -exp modules -ea 0 | Select -exp FileName | Get-AuthenticodeSignature | ? Status -NE "Valid" | FL Path
Obtain DLL information ListDLLs
listdlls [-r] [-v | -u] [processname|pid]
listdlls [-r] [-v] [-d dllname]
Obtain unsigned DLL information loaded by processes
listdlls -u
Obtain DLLs in use by processes
listdlls -v processname -accepteula
listdlls -v -d dllname.dll -accepteula
listdlls -v PID -accepteula
Determine handles on a file
handle [[-a] [-u] | [-c <handle> [-l] [-y]] | [-s]] [-p <processname>|<pid>] [name]
handle -a -u -s -p exp
handle windows\system
Verify EternalBlue Patch (MS17-010) is installed – Microsoft
Note: MS17-010 updates the SMB 1.0 server driver (srv.sys). If that driver is not present, SMBv1 is not installed and the patch does not apply; if it is present, use its file version below to determine the patch level.
get-item C:\Windows\system32\drivers\srv.sys | FL VersionInfo
get-hotfix -id KB<111111>
Obtain TXT records from recently resolved domains
foreach ($domains in Get-DnsClientCache){Resolve-DnsName $domains.Entry -Type "TXT"|Select Strings|? Strings -NotLike ""};
Check all Appdata files for unsigned or invalid executables
Get-ChildItem -Recurse $env:APPDATA\..\*.exe -ea SilentlyContinue| ForEach-object {Get-AuthenticodeSignature $_ -ea SilentlyContinue} | Where-Object {$_.status -ine "Valid"}|Select Status,Path
Check for executables in Local System User Profile and Files
Get-ChildItem C:\Windows\*\config\systemprofile -recurse -force -ea 0 -include *.exe, *.dll, *.lnk
Investigate WMI Usage
Note: Requires Strings
strings -q C:\windows\system32\wbem\repository\objects.data
Find executables and scripts in Path directories ($env:Path)
Get-Command * -Type Application | FT -AutoSize
Get-Command -Name * | FL FileVersionInfo
Find files created/written based on date
Get-ChildItem C:\ -recurse -ea SilentlyContinue -force | where-object { $_.CreationTime.Date -match "12/25/2014"}
Get-ChildItem C:\ -recurse -ea SilentlyContinue -force | where-object { $_.LastWriteTime -match "12/25/2014"}
Get-ChildItem C:\ -recurse -ea SilentlyContinue -force | where-object { $_.CreationTime.Hour -gt 2 -and $_.CreationTime.Hour -lt 15}
Check running executables for malware via VirusTotal
Note: VT Has a rate limit for the Public API so this won’t work if you are using the Public API. All 1 liners require VTAPIKey to be set as your VirusTotal API key
foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Invoke-RestMethod -Method 'POST' -Uri 'https://www.virustotal.com/vtapi/v2/file/report' -Body @{ resource =(Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash); apikey = "[VTAPIKey]"}}
This query sleeps 15 seconds between requests to ensure only 4 queries are submitted a minute
foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Invoke-RestMethod -Method 'POST' -Uri 'https://www.virustotal.com/vtapi/v2/file/report' -Body @{ resource =(Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash); apikey = "[VTAPIKey]"};Start-Sleep -Seconds 15;}
This query sleeps 15 seconds between requests to ensure only 4 queries are submitted a minute, and only unique hashes are queried
$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique -AsString; foreach ($process in $A) {Invoke-RestMethod -Method 'POST' -Uri 'https://www.virustotal.com/vtapi/v2/file/report' -Body @{ resource =($process); apikey = "[VTAPIKey]"};Start-Sleep -Seconds 15;}
Scan systems for IOA/IOC (Yara)
loki-upgrader.exe
loki.exe -p [Directory]
CrowdResponse -v -i config.txt -o out.xml
IREC.exe --triage-memory
IREC.exe -ad "\\MACHINE\IREC-DIR" --triage-ruleset MyYaraRules --triage-memory
yara32.exe -d filename=[file defined in ruleset.yar] [ruleset.yar] [file to scan]
yara32.exe -d filename=[svchost.exe] [ruleset.yar] -r [directory to scan]
yara64.exe yararule.yar -r C:
yara64.exe yararule.yar -r C: -f 2> $null
Yara Linux
yara rule.yara malware.exe -s
Kill malicious process
wmic process where name="malware.exe" call terminate
wmic process where processid=[PID] delete
taskkill /IM malware.exe
taskkill /PID [PID] /T
Note: Call terminate allows you to specify an exit status in terms of a signed integer or a quoted negative value. Both methods essentially function the same by calling TerminateProcess.
Dump full process memory
(procdump requires sysinternals procdump.exe)
procdump -ma [processID]
Live Triage of Memory
Shout-out to Matt Graeber, Jared Atkinson and Joe Desimone for the awesome work that has gone into these scripts. Note: Not all tested, appears to work with a standard Meterpreter payload, and by default with Cobalt Strike.
Locate Possible Shellcode within process via Injected Thread
Import-Module .\Get-InjectedThread.ps1
Get-InjectedThread
Obtain Possible Shellcode within process as Hex
(Get-InjectedThread|Select -exp Bytes|ForEach-Object ToString X2) -join ''
(Get-InjectedThread|? {$_.ProcessId -eq {PID}}|Select -exp Bytes|ForEach-Object ToString X2) -join ''
Obtain Possible Shellcode within process as \x-escaped Hex
'\x' + ((Get-InjectedThread|Select -exp Bytes|ForEach-Object ToString X2) -join '\x')
'\x' + ((Get-InjectedThread|? {$_.ProcessId -eq {PID}}|Select -exp Bytes|ForEach-Object ToString X2) -join '\x')
Basic Memory Analysis via PowerShellArsenal
import-module .\PowerShellArsenal.psd1
Find-ProcessPEs
Get-ProcessStrings
Get-ProcessMemoryInfo -ProcessID {PID}
Get-VirtualMemoryInfo
Locate Possible Shellcode Address Space
Get-ProcessMemoryInfo {PID} | ? {$_.AllocationProtect -eq "PAGE_EXECUTE_READWRITE"}
Find Meterpreter in Process Memory:
Ref: Meterpreter Wiki
Find-ProcessPEs {PID} | ?{$_.ModuleName -eq "metsrv.dll" -OR $_.ModuleName -eq "ext_server_stdapi.dll" -OR $_.ModuleName -like "ext_server_*.dll"} | FL ProcessID,ModuleName,Imports;
$A=$(gps | Select -exp Id); foreach ($process in $A){Find-ProcessPEs $process | ?{$_.ModuleName -eq "metsrv.dll"} | FL ProcessID,ModuleName,Imports};
$A=$(gps | Select -exp Id); foreach ($process in $A){Find-ProcessPEs $process | ?{$_.ModuleName -eq "metsrv.dll" -OR $_.ModuleName -eq "ext_server_stdapi.dll" -OR $_.ModuleName -like "ext_server_*.dll"} | FL ProcessID,ModuleName,Imports};
Find Cobalt Strike in Process Memory:
Find-ProcessPEs {PID} | ?{$_.ModuleName -eq "beacon.dll" -OR $_.ModuleName -eq "beacon x64.dll" -OR $_.ModuleName -eq "beacon.x64.dll"} | FL ProcessID,ModuleName,Imports;
$A=$(gps | Select -exp Id); foreach ($process in $A){Find-ProcessPEs $process | ?{$_.ModuleName -eq "beacon.dll"} | FL ProcessID,ModuleName,Imports};
Network connections
(tcpvcon requires sysinternals tcpvcon.exe):
ipconfig /all
netstat -anob
netstat -ano
Tcpvcon -a
Routing table and ARP cache
route print
arp -a
Get-NetNeighbor
Contents of DNS resolver
(useful for recent web history)
ipconfig /displaydns
Get-DnsClientCache | FT -AutoSize
Enable DNS Logging
wevtutil set-log "Microsoft-Windows-DNS-Client/Operational" /enabled:true
OR
$DNSLogs = 'Microsoft-Windows-DNS-Client/Operational'
$DNSContainer = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $DNSLogs
$DNSContainer.IsEnabled=$true
$DNSContainer.SaveChanges()
Scan DNS Logs
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-DNS-Client/Operational'; Id='3010';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-DNS-Client/Operational'; Id='3020';} | FL TimeCreated,Message
Scan DNS Logs and output unique DNS Queries
$events = Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-DNS-Client/Operational'; Id='3020'; }
$output = @()
foreach ($Event in $events) {
    # Each event carries its fields as <Data Name="..."> elements in the event XML
    $XML = [xml]$Event.ToXml()
    $query  = $XML.Event.EventData.Data | ? { $_.Name -eq 'QueryName' }    | Select -exp InnerText
    $result = $XML.Event.EventData.Data | ? { $_.Name -eq 'QueryResults' } | Select -exp InnerText
    $output += New-Object -TypeName PSObject -Property @{ Query = "$query"; QueryResults = "$result" }
}
$output = $output | sort Query | Get-Unique -AsString
$output
Hostname to corresponding IPs from list
$listofhostnames = Get-Content Hostnames.txt
foreach ($hostname in $listofhostnames) {
    try {
        [System.Net.Dns]::GetHostAddresses($hostname) | Select @{n='Hostname'; e={ $hostname }}, IPAddressToString
    } catch {
        Write-Warning "$hostname did not resolve"
    }
}
T1074 Data Staging
Note: Examples of some known staging directories, lots of false positives likely.
gci C:\ProgramData\ -recurse -include .* -ea 0 -force | ?{ $_.PSIsContainer }
gci C:\Windows\Temp -recurse -ea 0 -force | ?{ $_.PSIsContainer }
ls C:\ProgramData\tmp\log.log
ls C:\ProgramData\log.log
ls C:\ProgramData\google\
ls C:\ProgramData\Sun\low
ls $env:temp\SMB
ls 'C:\$Recycle.Bin' -Force
ls C:\ProgramData\.rnd
ls C:\inetpub\
Latest system activities
(requires Nirsoft’s LastActivityView)
LastActivityView.exe /shtml "LastActivityView.html"
Driver information
wmic sysdriver list brief /format:csv
driverquery
driverquery /FO list /v
driverquery /si
wmic sysdriver list full
Process and extra information
tasklist /m
tasklist /m /fi "pid eq [PID]"
tasklist /svc
wmic process where processid=[PID] get commandline
tasklist /v
Hosts file and service>port mapping
type %SystemRoot%\System32\drivers\etc\hosts
type %SystemRoot%\System32\drivers\etc\services
Recycle Bin Forensics
- Named as $I = Metadata of file (Info)
- Named as $R = The file contents itself (Recovery)
- Located at %SystemRoot%\..\$Recycle.Bin on Vista and later (commonly C:\$Recycle.Bin)
- Use dir /a via cmd to show recycle bin SID folders and files
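The $I metadata records described above are small binary files and can be read without third-party tooling. The following is an added example, not part of the original cheat sheet: it parses a $I record into the original path, original size and deletion time. The layout it assumes is the documented one: version 2 (Windows 10 and later) is an 8-byte version, 8-byte original size, 8-byte FILETIME of deletion, 4-byte character count, then the UTF-16LE original path; version 1 (Vista to 8.1) has the same first 24 bytes followed by a fixed 520-byte UTF-16LE path field. The function name and the constructed record are this example's own.

```powershell
# Added example: parse a $I record from $Recycle.Bin.
function Read-RecycleBinInfo {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [string]$Source = ''
    )
    if ($Bytes.Length -lt 24) { throw "Too short to be a `$I record: $Source" }
    $version = [BitConverter]::ToInt64($Bytes, 0)
    $size    = [BitConverter]::ToInt64($Bytes, 8)
    $deleted = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, 16))
    if ($version -eq 2) {
        # Version 2: 4-byte character count (including the null terminator) then the UTF-16LE path.
        $chars = [BitConverter]::ToInt32($Bytes, 24)
        $path  = [Text.Encoding]::Unicode.GetString($Bytes, 28, $chars * 2)
    } else {
        # Version 1: fixed 520-byte (260 character) UTF-16LE path field.
        $len  = [Math]::Min(520, $Bytes.Length - 24)
        $path = [Text.Encoding]::Unicode.GetString($Bytes, 24, $len)
    }
    [pscustomobject]@{
        Source       = $Source
        Version      = $version
        OriginalPath = $path.TrimEnd([char]0)
        SizeBytes    = $size
        DeletedUtc   = $deleted
    }
}

# Constructed version-2 record for the demonstration (not captured from a real host).
$name = 'C:\Users\analyst\Desktop\notes.txt'
$ft   = [DateTime]::new(2024, 1, 15, 10, 30, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
$body = [Text.Encoding]::Unicode.GetBytes($name + [char]0)
[byte[]]$rec = [BitConverter]::GetBytes([int64]2) +
               [BitConverter]::GetBytes([int64]1234) +
               [BitConverter]::GetBytes([int64]$ft) +
               [BitConverter]::GetBytes([int32]($name.Length + 1)) +
               $body
Read-RecycleBinInfo -Bytes $rec -Source 'constructed'

# Live use (administrator shell): every $I record under the bin; the parent folder is the owner's SID.
Get-ChildItem 'C:\$Recycle.Bin\*\$I*' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Read-RecycleBinInfo -Bytes ([IO.File]::ReadAllBytes($_.FullName)) -Source $_.FullName }
```

The matching $R file (same suffix, $R instead of $I) holds the content; the deletion timestamp from $I is what places the deletion on a timeline.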
DCOM Information
wmic dcomapp get /all /format:List
Service Information
(psservice requires sysinternals psservice.exe):
wmic service list full
net start
sc query
wmic loadorder
psservice
Stop and disable/delete malicious service
net stop [servicename]
sc config [servicename] start= disabled
sc delete [servicename]
Disable Internet Explorer
dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64
cmd history
doskey /history
Windows Subsystem for Linux (WSL) on Windows 10 may have shell history in a location such as:
C:\Users\[User]\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\home\[user]
Files greater than 10 MB
FOR /R C:\ %i in (*) do @if %~zi gtr 10000000 echo %i %~zi
Temp files greater than 10 MB
FOR /R C:\Users\[User]\AppData %i in (*) do @if %~zi gtr 10000000 echo %i %~zi
Locate process handles (e.g. files open by process)
Note: Requires handle.exe/handle64.exe from sysinternals
handle64.exe -p [PID/name] -nobanner
handle64.exe -a -p [PID/name] -nobanner
handle64.exe -a -l -p [PID/name] -nobanner
handle64.exe -a -l -u -p keepass -nobanner
Close process handles (e.g. files open by process)
Note: Requires handle.exe/handle64.exe from sysinternals
handle64.exe -c [hexhandleref] -p [PID] -nobanner
handle64.exe -c [hexhandleref] -y -p [PID] -nobanner
Event logs between a timeframe
This tool is useful for gathering all windows events within a given timeframe: Event Finder2
Check audit policies
auditpol /get /category:*
Set logging on all success/failure events
(WARNING THIS WILL PRODUCE A LOT OF NOISE, TAILOR TO YOUR NEEDS)
auditpol /set /category:* /success:enable /failure:enable
Enable logging of process creation
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
Scan process creation logs for ‘appdata’
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4688';}| ? {$_.Message -match 'appdata'}|FL TimeCreated, Message
Check for Windows Security Logging Bypass
Special thanks to Grzegorz Tworek – 0gtweet
reg query HKLM\System\CurrentControlSet\Control\MiniNt
Check group policies
gpresult /Z /SCOPE COMPUTER
gpresult /Z /SCOPE USER
gpresult /R /SCOPE COMPUTER
gpresult /R /SCOPE USER
gpresult /r /z
ls C:\Users\[username]\AppData\Local\GroupPolicy\DataStore
ls C:\Windows\system32\GroupPolicy\DataStore
Obtain mode settings for ports
mode
Event Logs for offline analysis
Event logs can be found: %SystemRoot%\System32\winevt\Logs
wevtutil epl System [Location]\System.evtx
wevtutil epl Security [Location]\Security.evtx
wevtutil epl Application [Location]\Application.evtx
wevtutil epl "Windows PowerShell" [Location]\Powershell.evtx
OR:
esentutl.exe /y /vss C:\Windows\System32\winevt\Logs\Security.evtx /d [Location]\Security.evtx
Copy all event logs:
XCOPY C:\Windows\System32\winevt\Logs [Location] /i
XCOPY C:\WINDOWS\system32\LogFiles\ [Location] /i
Quickly scan event logs with DeepblueCLI
.\DeepBlue.ps1 .\evtx\psattack-security.evtx | FL
Event Tracing for Windows (ETW).
Event tracing is how a Provider (an application that contains event tracing instrumentation) creates items within the Windows Event Log for a consumer. This is how event logs are generated, and is also a way they can be tampered with. More information on this architecture can be found below.
A great post by Matt Graeber goes into some depth on how this works and some common ways of interacting with ETW Traces.
List Running Trace Sessions
logman query -ets
List Providers That a Trace Session is Subscribed to
logman query "EventLog-System" -ets
List all ETW Providers
logman query providers
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
View providers process is sending events to
logman query providers -pid {PID}
Setup Custom Log Tracing
Special thanks to Spotless for his crash course
Query Providers Available and their keyword values
logman query providers
logman query providers Microsoft-Windows-WinHttp
Note: Take note of wanted values.
Initiate Tracing Session
logman create trace <TRACENAMEHERE> -ets
logman query <TRACENAMEHERE> -ets
Update trace with wanted providers
Note: the mask is the combined values wanted. For example if a keyword was 0x1 and another 0x16 and you wanted both you’d use 0x17.
logman update <TRACENAMEHERE> -p Microsoft-Windows-WinHttp 0x100000000 -ets
Delete Subscription and Providers
logman update trace <TRACENAMEHERE> --p Microsoft-Windows-WinHttp 0x100000000 -ets
logman stop <TRACENAMEHERE> -ets
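The keyword mask in the "logman update" step is the bitwise OR of the keyword values listed by "logman query providers <provider>". The following is an added example, not part of the original cheat sheet: it reads that listing, looks up the keywords you name and returns the combined mask, generalising the 0x1 + 0x16 = 0x17 case in the note above to any number of keywords. It assumes each keyword row starts with a 0x value followed by the keyword name, as logman prints them; the provider listing in the block is constructed, not captured from a real provider, and the function name is this example's own.

```powershell
# Added example: build the keyword mask for "logman update <trace> -p <provider> <mask> -ets"
# from the output of "logman query providers <provider>".
function ConvertTo-EtwKeywordMask {
    param(
        [Parameter(Mandatory)][string[]]$ProviderOutput,   # lines from logman query providers <name>
        [Parameter(Mandatory)][string[]]$Keyword           # keyword names to enable
    )
    $table = @{}
    foreach ($line in $ProviderOutput) {
        # Keyword rows: "0x0000000000000001  KEYWORD_NAME  description"
        if ($line -match '^\s*(0x[0-9A-Fa-f]+)\s+(\S+)') {
            $table[$Matches[2]] = [Convert]::ToUInt64($Matches[1], 16)
        }
    }
    $mask = [uint64]0
    foreach ($k in $Keyword) {
        if (-not $table.ContainsKey($k)) { throw "Keyword '$k' is not listed by the provider" }
        $mask = $mask -bor $table[$k]
    }
    '0x{0:X}' -f $mask
}

# Constructed provider listing for the demonstration.
$sample = @(
    'Value               Keyword                  Description',
    '-------------------------------------------------------------------------------',
    '0x0000000000000001  EXAMPLE_KEYWORD_A        Example keyword A',
    '0x0000000000000016  EXAMPLE_KEYWORD_B        Example keyword B',
    '0x0000000100000000  EXAMPLE_KEYWORD_C        Example keyword C'
)
ConvertTo-EtwKeywordMask -ProviderOutput $sample -Keyword EXAMPLE_KEYWORD_A, EXAMPLE_KEYWORD_B   # 0x17, as in the note above

# Live use: feed logman's own listing in, then pass the result to logman update.
# $mask = ConvertTo-EtwKeywordMask -ProviderOutput (logman query providers Microsoft-Windows-WinHttp) -Keyword <names>
# logman update <TRACENAMEHERE> -p Microsoft-Windows-WinHttp $mask -ets
```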
Event Log/Tracing Tampering Detection
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v File
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v MaxSize
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v Retention
sc.exe query eventlog
gci REGISTRY::HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ -recurse
reg query HKLM\SYSTEM\CurrentControlSet\control\WMI\AutoLogger\ /s /v enable*
Timeline Windows Event Logs.
An easy way to explore Windows event logs is to dump them into a normalized csv format using EvtxExplorer.
EvtxECmd.exe -d "C:\Windows\System32\winevt\Logs" --csv C:\ --csvf AllEvtx.csv
From here you can analyse the CSV using Timeline Explorer to view relevant information and group by Maps.
Super Timeline a host:
This can be done using Plaso (Log2Timeline)
Common IIS logs can often be found in the below locations:
- %SystemDrive%\inetpub\logs\LogFiles
- %SystemRoot%\System32\LogFiles\W3SVC1
- %SystemDrive%\inetpub\logs\LogFiles\W3SVC1
- Note: replace 1 with the number for your IIS website ID
- %SystemDrive%\Windows\System32\LogFiles\HTTPERR
Common Apache logs can often be found in the below locations:
- /var/log
- /var/log/httpd/access.log
- /var/log/apache/access.log
- /var/log/apache2/access.log
- /var/log/httpd-access.log
Other logs can be found in the below, often using the Event Trace Log (ETL) format:
- C:\Windows\System32\LogFiles
- C:\Windows\Panther
ETL format can be parsed using tracerpt which is included in Windows, some examples below.
tracerpt C:\Windows\System32\LogFiles\WMI\Terminal-Services-RPC-Client.etl
tracerpt logfile1.etl logfile2.etl -o logdump.xml -of XML
tracerpt logfile.etl -o logdmp.xml -of XML -lr -summary logdmp.txt -report logrpt.xml
tracerpt logfile1.etl logfile2.etl -o -report
tracerpt logfile.etl counterfile.blg -report logrpt.xml -df schema.xml
tracerpt -rt "NT Kernel Logger" -o logfile.csv -of CSV
Software specific logs are often stored in readable formats at any of the following locations.
%AppData%\[softwarename] (e.g. C:\Users\[username]\AppData\Roaming\[softwarename]\)
%LocalAppData%\[softwarename] (e.g. C:\Users\[username]\AppData\Local\[softwarename]\)
%programfiles%\[softwarename] (e.g. C:\Program Files\[softwarename]\)
%programfiles(x86)%\[softwarename] (e.g. C:\Program Files (x86)\[softwarename]\)
You may also find useful memory crashdumps at the below:
C:\Users\[username]\AppData\Local\CrashDumps
C:\Users\[username]\AppData\Local\Microsoft\Windows\WER\
Security log information
Note: Logs and their event codes have changed over time. Most of the references here are for Windows Vista and Server 2008 onwards rather than Windows 2000, XP and Server 2003. More information on them may be added in the future if required.
(psloglist requires psloglist.exe from Sysinternals):
wevtutil qe security /f:text
eventquery.vbs /L security
wevtutil qe security /f:text | Select-String -Pattern "Event ID: [EventCode]" -Context 2,20
wevtutil qe security /f:text | Select-String -Pattern "Event ID: [EventCode]" -Context 2,20 | findstr "Account Name:"
psloglist -s -x security
Note: Some suspicious events – “Event log service was stopped”, “Windows File Protection is not active on this system”, “The MS Telnet Service has started successfully”
- Security: 4720 (Account created)
- Security: 4722 (Account enabled)
- Security: 4724 (Password reset)
- Security: 4723 (User changed password)
- Security: 4736 (Account deleted)
- Security: 4781 (Account renamed)
- Security: 4738 (User account change)
- Security: 4688 (A new process has been created)
- Security: 4732 (Account added to a group)
- Security: 4733 (Account removed from a group)
- Security: 1102 (Audit log cleared)
- Security: 4614 (Security System Extension)
- Security: 4672 (Special privileges assigned to new logon)
- Security: 4624 (Account successfully logged on)
- Security: 4698 (Scheduled Task Creation)
- Security: 4702 (Scheduled Task Modified)
- Security: 4699 (Scheduled Task Deleted)
- Security: 4701 (Scheduled Task Disabled)
- Security: 4700 (Scheduled Task Enabled)
- Security: 4697 (Service Installation)
- Security: 4625 (Account failed to log on)
- Security: 4776 (The domain controller attempted to validate credentials for an account)
- Security: 4634 (Account successfully logged off)
- Security: 4740 (A user account was locked out)
- Security: 4767 (A user account was unlocked)
- Security: 4778 (Remote Desktop session reconnected)
- Security: 4779 (Remote desktop session disconnected)
- Security: 4625 (A user account failed to log on)
- Security: 4648 (A logon was attempted using explicit credentials)
- Security: 4768 (A Kerberos authentication ticket (TGT) was requested)
  - 0x6 (The username doesn’t exist) – Bad username or not yet replicated to DC
  - 0xC (Start time is later than end time – Restricted workstation)
  - 0x12 (Account locked out, disabled, expired, restricted, or revoked etc)
- Security: 4769 (A Kerberos service ticket was requested)
- Security: 4770 (A Kerberos service ticket was renewed)
- Security: 4771 (Kerberos pre-authentication failed)
  - 0x10 – Smart card logon is being attempted and the proper certificate cannot be located.
  - 0x17 – The user’s password has expired.
  - 0x18 – The wrong password was provided.
- Security: Greater than 4720 and less than 4764 (Account/group modifications)
Logon type information
- Type: 0 (Used only by System account authentications)
- Type: 2 (Interactive Logon)
  - User is at the keyboard.
- Type: 3 (Network Authentication/SMB Auth Logon)
  - Auth over the network. Note: RDP can fall under this if Network Level Authentication is enabled.
- Type: 4 (Batch Logon)
  - More often than not from a Scheduled Task.
- Type: 5 (Service Logon)
  - More often than not from a Service.
- Type: 7 (Unlock Logon)
  - User is at the keyboard unlocking it after lunch.
- Type: 8 (Network Cleartext Logon)
  - Basically Logon Type 3 but creds are in the clear.
- Type: 9 (New Credentials Logon)
  - More often than not from using ‘RunAs’ with the ‘/netonly’ parameter.
- Type: 10 (Terminal/RDP Logon Type)
  - Logon via Terminal Services/RDP.
- Type: 11 (Cached Interactive)
  - Logon when unable to connect to domain (Cached Creds locally).
- Type: 12 (Cached Remote Interactive)
  - Same as RemoteInteractive. This is used for internal auditing.
- Type: 13 (Cached Unlock Logon)
  - Same as Unlock Logon except with cached creds.
Special logon information (4672)
Privilege Name | Description | Notes |
---|---|---|
SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
SeBackupPrivilege | Back up files and directories | Required to perform backup operations. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. |
SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. |
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. |
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
System log information:
wevtutil qe system /f:text
eventquery.vbs /L system
Note: Some useful events –
- System: 7030 (Basic Service Operations)
- System: 7040 (The start type of a service was changed from disabled to auto start)
- System: 7045 (Service Was Installed)
- System: 1056 (DHCP Server Oddities)
- System: 10000 (COM Functionality)
- System: 20001 (Device Driver Installation)
- System: 20002 (Remote Access)
- System: 20003 (Service Installation)
Sysmon log information
When installed and running the event log is located at: “Applications and Services Logs/Microsoft/Windows/Sysmon/Operational”
Note: A WMI consumer is a management application or script that interacts with the WMI infrastructure. https://docs.microsoft.com/en-us/windows/desktop/WmiSdk/wmi-architecture
- Sysmon: 1 (Process create)
- Sysmon: 2 (File creation time)
- Sysmon: 3 (Network connection detected)
- Sysmon: 4 (Sysmon service state changed)
- Sysmon: 5 (Process terminated)
- Sysmon: 6 (Driver loaded)
- Sysmon: 9 (Image loaded)
- Sysmon: 10 (Process accessed)
- Sysmon: 11 (File created)
- Sysmon: 12 (Registry object added or deleted)
- Sysmon: 13 (Registry value set)
- Sysmon: 14 (Registry object renamed)
- Sysmon: 15 (File stream created)
- Sysmon: 16 (Sysmon configuration changed)
- Sysmon: 17 (Named pipe created)
- Sysmon: 18 (Named pipe connected)
- Sysmon: 19 (WMI filter)
- Sysmon: 20 (WMI consumer)
- Sysmon: 21 (WMI consumer filter)
- Sysmon: 22 (DNS Query)
Active Directory Investigation
Note: Live information can be found using DSQuery or Netdom.
dsquery computer
dsquery user
dsquery contact
dsquery domainroot -inactive 4
dsquery group
dsquery ou
dsquery site
dsquery server
dsquery quota
dsquery *
- dsquery * -limit 999999999
netdom query fsmo
netdom query trust
netdom query pdc
netdom query DC
netdom query server
netdom query workstation
netdom query OU
NT Directory Services Directory Information Tree File (ntds.dit)
Active Directory Database file containing all schema, domain, configuration information (e.g. users, IP, computers, domain trusts etc)
- %SystemRoot%\NTDS\ntds.dit
- %SystemRoot%\System32\ntds.dit
- File created only when promoting certain OS to a DC, and seldom used.
Edb.log
10MB transaction log used to store temporary data before it is sent to the ntds.dit database.
- %SystemRoot%\NTDS\Edb.log
Edbxxxxx.log
Additional transaction log files if the main edb.log file gets larger than 10MB without being flushed to ntds.dit.
- %SystemRoot%\NTDS\edbxxxxx.log
Edb.chk
Checkpoint file used to determine how much of the transaction logs have been sent to the ntds.dit database.
- %SystemRoot%\NTDS\edb.chk
Resx.log/Resx.jrs
Reserved log files in case the hard drive fills up, at which point these files will be used (ideally they should never be used).
- %SystemRoot%\NTDS\res1.log
- %SystemRoot%\NTDS\res2.log
Temp.edb
Temporary file to store information during in progress transactions.
- %SystemRoot%\NTDS\temp.edb
Schema.ini
Initialises the ntds.dit file when the domain controller is created, and is then never used again.
- %SystemRoot%\NTDS\schema.ini
Investigation of ntds.dit
Obtaining this file can be done using any of the following and also requires the SYSTEM hive to decrypt (note: ntdsutil may not work on older AD servers).
(Output will be under C:\Audit)
ntdsutil
ntdsutil "activate instance ntds" ifm "create full C:\Audit" quit quit
vssadmin
vssadmin create shadow /for=C:
mkdir C:\Audit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[Number]\Windows\ntds\ntds.dit C:\Audit\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[Number]\Windows\System32\config\SYSTEM C:\Audit\SYSTEM
vssadmin delete shadows /shadow=[ShadowCopyID]
Other ‘less legitimate’ replication methods can be found detailed on the AD Security Blog by Sean Metcalf
- Or by using Invoke-NinjaCopy
Repair the file if required:
esentutl /p /o C:\Audit\ntds.dit
Analysing this file offline can be done with tactics such as:
Origami-PDF (Malicious PDF Analysis)
pdfextract malware.pdf
More Malicious PDF/Doc Analysis
pdfid.py malware.pdf
pdfparser.py malware.pdf
pdfparser.py malware.pdf --object [number] --filter --raw --dump file.[extension]
oledump.py file.[extension]
oledump.py file.[extension] --select [number] --vbadecompress
Exiftool (Image Analysis)
exiftool malware.jpeg
RDP Cache images
This can be used to display some fragments of images which a user could see when operating on a server using the Windows RDP. The cache files are located: %USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache\
These can be parsed using BMC-Tools
bmc-tools.py -s ./ -d ./output
bmc-tools.py -s ./ -d ./output -o -b
RDP (Terminal Services) Activity
reg query 'HKU\SID\Software\Microsoft\Terminal Server Client' /s
RDP (Terminal Services) Configuration
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /s
Check if Terminal Services Enabled
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
Check if one session per user has been modified
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser
Check if port number has been modified
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
Host Firewall information:
netsh firewall show config
netsh advfirewall firewall show rule name=all verbose
Model of motherboard and hardware information:
wmic baseboard get product,manufacturer
wmic desktopmonitor get /all /format:list
wmic baseboard get /all /format:list
wmic bios get /all /format:list
wmic cpu get /all /format:list
Monitoring of open files:
openfiles /local on
Check Bitlocker Encryption
manage-bde -status
OR Powershell:
Get-BitLockerVolume
List open files
(this needs to have been enabled first and the PC rebooted; psfile requires Sysinternals psfile.exe)
openfiles /query
psfile
Display proxy information
netsh winhttp show proxy
Disconnect open files based on username:
openfiles /disconnect /a username
Powershell (some with WMI). Note: A namespace is a group of classes belonging to the same management environment. The most important is the CIMV2 child namespace (root\CIMV2), which is the most commonly queried.
Powershell Commands
help get-wmiobject
Service information
Get-WmiObject win32_service | select Name, DisplayName, State, PathName
Get-Service
View Named Pipes
[System.IO.Directory]::GetFiles("\\.\\pipe\\")
get-childitem \\.\pipe\
dir \\.\pipe\\
Harden System from Lateral Movement
Note: These may inadvertently break communication of devices and should be tested. It may also require a restart.
Disable remote interaction with services
reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v DisableRemoteScmEndpoints /t REG_DWORD /d 1
Disable remote interaction with scheduled tasks
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule" /v DisableRpcOverTcp /t REG_DWORD /d 1
Disable RDP access
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1
Disable DCOM
reg add "HKLM\SOFTWARE\Microsoft\Ole" /v EnableDCOM /t REG_SZ /d N /f
Disable Admin Shares
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t "REG_DWORD" /d 0
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareServer" /t "REG_DWORD" /d 0
Stop Server Responsible for Inter-process Communication Calls
net stop server
Delete Admin Shares
Note: This may break some application communication and admin functionality. It may also be temporary as Windows has been known to recreate them. Always test.
- C$ = Default share on systems ‘C’ drive.
- IPC$ = Default Inter-process communication share (used by named pipes)
- ADMIN$ = Default share for remote administration (used by PsExec)
net share C$ /delete
net share IPC$ /delete
net share ADMIN$ /delete
Disable Anonymous Access to Named Pipes
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t "REG_DWORD" /d 1
Process WMI objects
get-wmiobject -list | where {$_.name -like "*process*"}
Process information
Get-WmiObject win32_process|select processname,ProcessId,CommandLine
Get-WmiObject win32_process -Filter "name like '%powershell.exe'" | select processId,commandline|FL
Get-Process
Baseline processes and services
(Used to compare new process/services)
Get-Process | Export-Clixml -Path C:\Users\User\Desktop\process.xml
Get-Service | Export-Clixml -Path C:\Users\User\Desktop\service.xml
$edproc = Import-Clixml -Path C:\Users\User\Desktop\process.xml
$edproc1 = Import-Clixml -Path C:\Users\User\Desktop\process1.xml
$edservice = Import-Clixml -Path C:\Users\User\Desktop\service.xml
$edservice1 = Import-Clixml -Path C:\Users\User\Desktop\service1.xml
Compare-Object $edproc $edproc1 -Property processname
Compare-Object $edservice $edservice1 -Property servicename
View and interact with shadow copies (MUST BE RUN FROM ELEVATED CMD.exe)
vssadmin list shadows | findstr "VolumeShadowCopy"
mklink /d shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\
dir shadow
rmdir shadow
With a linked shadow copy we can copy pagefile.sys using the below.
mkdir C:\Audit
robocopy shadow C:\Audit pagefile.sys
attrib -s -h C:\Audit\pagefile.sys
Create Shadow Copy for C: drive
vssadmin create shadow /for=C:
Other Shadow Copy Techniques
In Windows 7 or certain other OS you may not have access to use ‘vssadmin create’. As such some trickery may be required. In Windows 7 we can create a scheduled task (to execute with System privileges) and use it to create a Shadow Copy with Microsoft DLLs, this simulates the activity of creating a ‘System Restore Point’. This can also be done with psexec if you wish to install the psexec service.
schtasks /ru "SYSTEM" /Create /SC DAILY /ST "00:00" /TN "\Microsoft\Windows\SystemRestore\SR" /TR "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" /f
schtasks /run /TN \Microsoft\Windows\SystemRestore\SR
vssadmin list shadows
If you want to remove the scheduled task so it doesn’t run daily, use:
schtasks /delete /TN \Microsoft\Windows\SystemRestore\SR /f
You can also back it up using wbadmin, but it’s a bit more intricate. The below example should backup C drive to E drive.
wbadmin start backup -backupTarget:E: -include:c:
TCP Connections
Get-NetTCPConnection -State Established
List of IPV4 addresses who have connected (RDP)
Get-WinEvent -Log 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' | select -exp Properties | where {$_.Value -like '*.*.*.*' } | sort Value -u
Powershell logs
Get-WinEvent -LogName "Windows Powershell"
Event logs available
Get-EventLog -list
Get-WinEvent -Listlog * | Select RecordCount,LogName
Get-WinEvent -Listlog *operational | Select RecordCount,LogName
wmic nteventlog list brief
Event Logs per Application Source
Get-EventLog Application | Select -Unique Source
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Outlook'}
Get-WinEvent -FilterHashtable @{ LogName='OAlerts';} | FL TimeCreated, Message
Event Logs per Severity Source
Critical Logs
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='1';}
Error Logs
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='2';}
Warning Logs
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='3';}
Information Logs
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='4';}
Live Event Log Filtering
$Before = Get-Date 01/07/19;
$After = Get-Date 31/05/19;
Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$After; EndTime=$Before; Id='4624'; Data='127.0.0.1'} | Select -ExpandProperty Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$After; EndTime=$Before; Id='4624'; Data='127.0.0.1'} | Select TimeCreated,Message | Select-String -Pattern "0x621EFDC", "0x825225F"
Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$After; EndTime=$Before; Id='4624'; Data='127.0.0.1'} | Select -ExpandProperty Message > [location]\log.txt;
cat [location]\log.txt | Select-String -Pattern "Subject:", "New Logon:", "Process information","Network Information:" -Context 0,4;
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-SmbClient/Connectivity';} | Select Timecreated,LogName,Message | where {$_.message -like "*Failed to establish a network connection*"} |FL
Get-WinEvent -FilterHashtable @{ LogName='*SMB*'; Data="[IP/HostName]"} | Select Timecreated,LogName,Message |FL
Get-WinEvent -FilterHashtable @{ LogName='*SMB*';} | Select Timecreated,LogName,Message | where {$_.message -like "*[IP/Hostname]*"} |FL
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | where {$_.message -match '0x1F260F3E' } | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | where {$_.TimeCreated.ToString() -match ('28/10/2019')}|FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='2'} | where {$_.TimeCreated.ToString() -match ('28/10/2019 11:22')}
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='127.0.0.1'} | where {$_.TimeCreated.ToString() -match ('28/10/2019') -and $_.Message -match 'user' } | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='NTLM';} -MaxEvents 6 | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='127.0.0.1'} | where {$_.TimeCreated -ge (get-date).addDays(-3) -and $_.TimeCreated.ToString() -match ('11:04') -and $_.Message -match 'user' } | FL TimeCreated,Message
Find Authenticating user/asset for remote service creation (lateral movement)
$After = (get-date).addDays(-3);
$Time = Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045';} | ? {$_.Message -match "MALWARE.exe"} | Select -exp TimeCreated;
foreach ($Event in $Time){
$Event;
Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$After; Id='4624';} | ? {$_.TimeCreated -ge $Event.AddSeconds(-2) -AND $_.TimeCreated -le $Event.AddSeconds(+2)} | FL TimeCreated,Message;
};
Locate possible Kerberoast/Kerberos based attacks
Note: When looking at the Kerberos listing, RC4-HMAC encryption (0x17) is generally anomalous in an AES-capable domain and may be indicative of Kerberoasting.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4769'; Data='0x17'} | FL TimeCreated, Message
klist
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v "allowtgtsessionkey"
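The 4769/0x17 query above returns every RC4 service ticket; what distinguishes Kerberoasting from a single legacy service is one account requesting tickets for many distinct service accounts in a short burst. The function below, an added example and not part of the original cheat sheet, applies that heuristic to already-parsed 4769 fields; the function name, the thresholds, and the sample events are assumptions.

```powershell
# Added example: flag accounts that requested service tickets for several distinct
# service accounts with RC4-HMAC (TicketEncryptionType 0x17) within a short window.
# The input objects carry the 4769 EventData field names; on a live host build them from
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4769' } | ForEach-Object { [xml]$_.ToXml() }
# Thresholds are assumptions and should be tuned to the environment.

function Find-Rc4TicketBursts {
    param(
        # Objects with TimeCreated, TargetUserName (requester), ServiceName, TicketEncryptionType, Status
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinDistinctServices = 3,   # assumed threshold
        [int]$WindowMinutes = 10         # assumed window
    )
    $suspect = $Events | Where-Object {
        $_.TicketEncryptionType -eq '0x17' -and   # RC4-HMAC (etype 23)
        $_.Status -eq '0x0' -and                   # ticket was actually issued
        $_.ServiceName -notlike '*$' -and          # computer accounts are not the usual Kerberoast target
        $_.ServiceName -ne 'krbtgt'                # TGT-related entries, not an SPN on a user account
    }
    foreach ($group in ($suspect | Group-Object TargetUserName)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        # Sliding window: from each request, count distinct services requested within WindowMinutes.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            $services = @($inWindow | ForEach-Object { $_.ServiceName } | Sort-Object -Unique)
            if ($services.Count -ge $MinDistinctServices) {
                [pscustomobject]@{
                    Account          = $group.Name
                    DistinctServices = $services.Count
                    Services         = ($services -join ', ')
                    WindowStart      = $start
                    WindowEnd        = $inWindow[-1].TimeCreated
                }
                break   # one alert per account; the analyst then pulls the full 4769 list for it
            }
        }
    }
}

# Constructed sample 4769 events (all values made up for this example).
$t0 = Get-Date '2019-10-28 11:22:00'
$events = @(
    [pscustomobject]@{ TimeCreated = $t0;                TargetUserName = 'jdoe@EXAMPLE.LOCAL';   ServiceName = 'svc_sql';    TicketEncryptionType = '0x17'; Status = '0x0' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(2);  TargetUserName = 'jdoe@EXAMPLE.LOCAL';   ServiceName = 'svc_backup'; TicketEncryptionType = '0x17'; Status = '0x0' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(3);  TargetUserName = 'jdoe@EXAMPLE.LOCAL';   ServiceName = 'svc_web';    TicketEncryptionType = '0x17'; Status = '0x0' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(4);  TargetUserName = 'jdoe@EXAMPLE.LOCAL';   ServiceName = 'FILESRV01$'; TicketEncryptionType = '0x17'; Status = '0x0' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); TargetUserName = 'asmith@EXAMPLE.LOCAL'; ServiceName = 'svc_sql';    TicketEncryptionType = '0x12'; Status = '0x0' }
)
# The computer-account request (FILESRV01$) and the AES256 (0x12) request are filtered out before counting.
Find-Rc4TicketBursts -Events $events | Format-List
```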
Extract useful fields from Legacy Logs
$A=Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='127.0.0.1'} | where {$_.TimeCreated -ge (get-date).addDays(-3) -and $_.Message -match 'INSERT DESIRED INFO HERE' };
ForEach ($Event in $A){$Event.TimeCreated;$Event.Message|findstr /i /C:"Logon Type:";$Event.Message|findstr /i /C:"Security ID:";$Event.Message|findstr /i /C:"Account Name:";$Event.Message|findstr /i /C:"Account Domain:";$Event.Message|findstr /i /C:"Process ID:";$Event.Message|findstr /i /C:"Process Name:";$Event.Message|findstr /i /C:"Workstation Name:";$Event.Message|findstr /i /C:"Source Network Address:";$Event.Message|findstr /i /C:"Source Port:";echo "`n";};
Note: You can modify the second string to carve out wanted information, some examples below.
Find User Authenticating
ForEach ($Event in $A){$Event.TimeCreated;$Event.Message|findstr /i /C:"Account Name:";$Event.Message|findstr /i /C:"Account Domain:";echo "`n";};
Find IP/Port Authenticating
ForEach ($Event in $A){$Event.TimeCreated;$($Event.Message|findstr /i /C:"Source Network Address:";$Event.Message|findstr /i /C:"Source Port:")|findstr /v "-";echo "`n";};
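Carving the message text with findstr returns both the Subject and the New Logon "Account Name:" lines and cannot tell them apart. The event's XML (from ToXml()) carries every field under its own name, so the parser below, an added example that is not part of the original cheat sheet, returns the same fields as structured properties; the function name and the sample event are assumptions.

```powershell
# Added example: parse a 4624 event from its XML rather than its message text.
# Offline it runs on the constructed sample below; on a live host use
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624' } |
#       ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() }

function ConvertFrom-LogonEventXml {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        [xml]$x = $EventXml
        # EventData is a flat list of <Data Name="..."> elements; index them by name.
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # Logon type names as listed in the "Logon type information" section of this sheet.
        $logonTypes = @{ '0'='System'; '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service';
                         '7'='Unlock'; '8'='NetworkCleartext'; '9'='NewCredentials'; '10'='RemoteInteractive';
                         '11'='CachedInteractive'; '12'='CachedRemoteInteractive'; '13'='CachedUnlock' }
        [pscustomobject]@{
            TimeCreated    = [datetime]$x.Event.System.TimeCreated.SystemTime
            Computer       = $x.Event.System.Computer
            SubjectAccount = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']   # who initiated the logon
            TargetAccount  = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']     # who logged on
            TargetLogonId  = $d['TargetLogonId']
            LogonType      = [int]$d['LogonType']
            LogonTypeName  = $logonTypes[$d['LogonType']]
            AuthPackage    = $d['AuthenticationPackageName']
            Workstation    = $d['WorkstationName']
            SourceAddress  = $d['IpAddress']
            SourcePort     = $d['IpPort']
            ProcessName    = $d['ProcessName']
        }
    }
}

# Constructed sample: a type 3 (network) logon in Security log XML form; all values are made up.
$sample4624 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2019-10-28T11:22:03.000Z"/>
    <Computer>FILESRV01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetLogonId">0x1f260f3e</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">WKSTN-07</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="IpPort">49732</Data>
  </EventData>
</Event>
'@

$parsed = ConvertFrom-LogonEventXml $sample4624
$parsed | Format-List

# The lateral-movement filters later on this sheet become property tests instead of text matches:
$parsed | Where-Object { $_.LogonType -eq 3 -and $_.SourceAddress -notin @('-', '127.0.0.1', '::1') } |
    Select-Object TimeCreated, TargetAccount, LogonTypeName, SourceAddress, Workstation
```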
Note: In the following section, filter on time with Get-Date to reduce noise.
e.g. define variables like the below and add them to the FilterHashtable: StartTime=$After; EndTime=$Before;
$Date = (Get-Date).AddDays(-2)
$Before = Get-Date 01/07/19;
$After = Get-Date 31/05/19;
Remote Desktop Lateral Movement Detection (Destinations)
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='10'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4778';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4779';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id='98';} | FL Message,ProcessId,TimeCreated
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id='131';} | FL Message,ProcessId,TimeCreated
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id='21';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id='22';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id='25';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id='41';} | FL TimeCreated,Message
ls C:\Windows\Prefetch\rdpclip.exe*.pf
ls C:\Windows\Prefetch\tstheme.exe*.pf
Map Network Shares Lateral Movement Detection (Destinations)
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4776';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4768';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4769';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140'; Data='\\*\C$'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5145';} | FL TimeCreated,Message
PsExec Lateral Movement Detection (Destinations)
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='2'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140'; Data='\\*\ADMIN$'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045'; Data='PSEXESVC'} | FL TimeCreated,Message
reg query HKLM\SYSTEM\CurrentControlSet\Services\PSEXESVC
reg query HKLM\SYSTEM\CurrentControlSet\Services\
ls C:\Windows\Prefetch\psexesvc.exe*.pf
Scheduled Tasks Lateral Movement Detection (Destinations)
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4698';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4702';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4699';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4700';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4701';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='106';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='140';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='141';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='200';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='201';} | FL TimeCreated,Message
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s /v Actions
Get-ChildItem -path 'registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\' | Get-ItemProperty | FL Path, Actions
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
gci -path C:\Windows\System32\Tasks\ -recurse -File
Services Lateral Movement Detection (Destinations)
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7034';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7035';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7036';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7040';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045';} | FL TimeCreated,Message
reg query 'HKLM\SYSTEM\CurrentControlSet\Services\'
WMI/WMIC Lateral Movement Detection (Destinations)
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id='5857';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id='5860';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id='5861';} | FL TimeCreated,Message
C:\Windows\System32\wbem\Repository
ls C:\Windows\Prefetch\wmiprvse.exe*.pf
ls C:\Windows\Prefetch\mofcomp.exe*.pf
PowerShell Lateral Movement Detection (Destinations)
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id='4103';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id='4104';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id='53504';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Windows PowerShell'; Id='400';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Windows PowerShell'; Id='403';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; Id='91';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; Id='168';} | FL TimeCreated,Message
ls C:\Windows\Prefetch\wsmprovhost.exe*.pf
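The 4624 queries above use FilterHashtable's Data='3', which matches any EventData field equal to 3, not only LogonType. This added example (not part of the original cheat sheet) filters on the LogonType field itself with XPath, turns the EventData into objects, and attributes 4697 service installs back to the network logon session that created them via SubjectLogonId/TargetLogonId; the 24-hour window and event limits are constructed defaults.

```powershell
# Added example, not from the original cheat sheet. Needs rights to read the Security log;
# 4697 only appears when "Audit Security System Extension" is enabled.
function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="x">v</Data>... into a hashtable keyed by Name.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        if ($node.Name) { $data[$node.Name] = $node.'#text' }
    }
    return $data
}

function Get-NetworkLogon {
    # Security 4624 events whose LogonType field is exactly 3 (network logon).
    param([int]$Hours = 24, [int]$MaxEvents = 2000)
    $ms = $Hours * 3600000          # timediff() works in milliseconds
    $query = @"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">
*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
and *[EventData[Data[@Name='LogonType']='3']]
</Select></Query></QueryList>
"@
    Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            TargetUser    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            TargetLogonId = $d['TargetLogonId']     # joins to SubjectLogonId in later events
            AuthPackage   = $d['AuthenticationPackageName']
            SourceIp      = $d['IpAddress']
            SourceHost    = $d['WorkstationName']
        }
    }
}

function Get-ServiceInstallFromNetworkLogon {
    # 4697 (service installed) events attributed to the network logon that created them.
    param([int]$Hours = 24)
    $byLogonId = @{}
    foreach ($l in Get-NetworkLogon -Hours $Hours) {
        if ($l.TargetLogonId) { $byLogonId[$l.TargetLogonId] = $l }
    }
    $ms = $Hours * 3600000
    $query = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>" +
             "*[System[(EventID=4697) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]" +
             "</Select></Query></QueryList>"
    Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue | ForEach-Object {
        $d   = ConvertFrom-EventData $_
        $key = $d['SubjectLogonId']
        if ($key -and $byLogonId.ContainsKey($key)) {
            $logon = $byLogonId[$key]
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ServiceName = $d['ServiceName']
                ServiceFile = $d['ServiceFileName']
                InstalledBy = $logon.TargetUser
                SourceIp    = $logon.SourceIp
                SourceHost  = $logon.SourceHost
                LogonTime   = $logon.TimeCreated
            }
        }
    }
}

# Services created from a remote logon session are the classic PsExec-style footprint.
Get-ServiceInstallFromNetworkLogon -Hours 72 | Format-Table -AutoSize
```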
Extra Information
AmCache
- C:\Windows\AppCompat\Programs\Amcache.hve
- Amcache.hve\Root\File\{Volume GUID}\#######
ShimCache
- C:\Windows\System32\config\SYSTEM
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Prefetch
ls C:\Windows\Prefetch\evil.exe*.pf
Connected Devices Platform (Timelining)
gci C:\Users\*\AppData\Local\ConnectedDevicesPlatform -recurse
User accounts and logon information
Get-WmiObject Win32_UserProfile
Share information
Get-WmiObject Win32_Share
net share
wmic share list brief
wmic netuse get Caption, DisplayType, LocalName, Name, ProviderName, Status
List Alternate Data Streams in current Dir and view them
gi * -s *
gc [FILENAME] -s [ADSNAME]
List Alternate Data Streams in text files within AppData
Get-ChildItem -Recurse -Path $env:APPDATA\..\ -include *.txt -ea SilentlyContinue|gi -s *|Select Stream -ea SilentlyContinue| Where-Object {$_.Stream -ine ":`$DATA"}
Use Alternate Data Streams to find download location
get-item * -stream *|Where-Object {$_.Stream -ine ":`$DATA"}|cat
get-item C:\Users\Username\Downloads\* -stream *|Where-Object {$_.Stream -ine ":`$DATA"}|cat
$a=(gci -rec -path C:\users\user\downloads -ea 0 | gi -s Zone.Identifier -ea 0 | ? {$_.Length -ge '27'});foreach ($b in $a){$b.FileName;$b|cat}
$a=(get-item * -stream Zone.Identifier -ea 0 | ? {$_.Length -ge '27'});foreach ($b in $a){$b.FileName;$b|cat}
gci -Recurse -Path $env:APPDATA\..\ -include *.txt -ea SilentlyContinue |gi -s *| Where-Object {$_.Stream -ine ":`$DATA"}|cat
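The Zone.Identifier one-liners above print the raw stream; this added example (not part of the original cheat sheet) parses each stream into ZoneId, HostUrl and ReferrerUrl so download origins can be sorted and filtered, and skips files that carry no mark-of-the-web. The Downloads path in the usage line is an assumption.

```powershell
# Added example, not the cheat sheet's own code.
function Get-ZoneIdentifier {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    # URLMON zone ids written into the Zone.Identifier stream by browsers, mail clients, etc.
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }
    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Files without the stream (local copies, archives extracted without MotW) are skipped.
        $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $lines) { return }
        $fields = @{}
        foreach ($line in $lines) {
            # The stream is INI-style: a [ZoneTransfer] header followed by Key=Value lines.
            if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
        }
        $zoneId = $null
        if ($fields.ContainsKey('ZoneId') -and $fields['ZoneId'] -match '^\d+$') { $zoneId = [int]$fields['ZoneId'] }
        [pscustomobject]@{
            File        = $file.FullName
            ZoneId      = $zoneId
            Zone        = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }
            HostUrl     = $fields['HostUrl']       # full download URL (not always present)
            ReferrerUrl = $fields['ReferrerUrl']   # page the download was started from
            LastWrite   = $file.LastWriteTime
        }
    }
}

# Internet (3) and restricted (4) zone downloads, most recent first; the path is an assumption.
Get-ZoneIdentifier -Path "$env:USERPROFILE\Downloads" -Recurse |
    Where-Object { $_.ZoneId -ge 3 } |
    Sort-Object LastWrite -Descending |
    Format-Table LastWrite, Zone, HostUrl, File -AutoSize
```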
General Notes
Under %SystemRoot%\System32\config the below registry hives are some of the most important to obtain. Additionally taking these files from within the RegBack directory also assists in comprehensive analysis should any anti-forensics activities have modified these registries.
- DEFAULT
- SAM
- SECURITY
- SOFTWARE
- SYSTEM
Under \Users\name there is also a NTUSER.DAT file which becomes HKEY_CURRENT_USER into the Registry when a user logs on, and this is very important to obtain. There’s also a UsrClass.dat file which can be found: %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat
Gather artifacts
reg save HKLM\SAM [LOCATION]\SAM
reg save HKLM\SYSTEM [LOCATION]\SYSTEM
reg save HKLM\SECURITY [LOCATION]\SECURITY
reg save HKLM\SOFTWARE [LOCATION]\SOFTWARE
Powershell execution log
- Located at: C:\Users\[name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
Analyse document for macros
Using olevba
olevba [Document]
Capture powershell memdump and analyse
Using Procdump from sysinternals:
procdump -ma [PowershellPID]
Using powerdump
python power_dump.py
1
ld powershell.exe_mem_dump
2
3
4
Recent execution of programs
- Prefetch Located at : %SystemRoot%\Prefetch\
- RecentFileCache.bcf Located at : %SystemRoot%\AppCompat\Programs\
- Amcache.hve (reg hive) Located at : %SystemRoot%\AppCompat\Programs\
Or query a lot of run programs from program compatibility assistant:
Get-ItemProperty "REGISTRY::HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store"
Get-ItemProperty "REGISTRY::HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
Windows Indexing Service
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\windows.edb
Programs Accessing Windows Features such as Webcam and Microphone
Special thanks to Zack (svch0st) for his Medium Post
All Windows Features Including Start and Stop Timestamps
$a=$(gci REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\ -recurse | FT -AutoSize | Out-String);$a.replace("#","\")
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\ /s /f LastUsed
Programs Using Webcam
$a=$(gci REGISTRY::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam -recurse | Select PSChildName | Out-String);$a.replace("#","\")
Programs Using Microphone
$a=$(gci REGISTRY::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone -recurse | Select PSChildName | Out-String);$a.replace("#","\")
USN Journal (any changes to NTFS volume)
fsutil usn readjournal C: > USN.txt
Link File Analysis
- LNK Files Located at: C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent
Using LECmd to parse Link metadata.
LECmd.exe -f {fileDirectory}\filename.lnk
Of interest is information such as:
- MachineID (NetBIOS name)
- MAC Address
- MAC Vendor
- Timestamps
- Volume Droid
- Volume Droid Birth
- File Droid
- File Droid Birth
Jump Lists Analysis
- Jump List Files Located at: C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
A rough PowerShell 1-liner to gather information on previous opened directories and files is below.
$Files=$(cat C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\*Destinations\*.*Destinations-ms);$Files.Split("``")|Select-String "Storage" | findstr -v "1SPSU"|findstr -v "?"
SRUM Analysis
- System Resource Usage Monitor Located at: %systemroot%\System32\sru\SRUDB.dat
Great tool to parse to csv: SRUM-Dump
Background Activity Moderator (BAM/DAM)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings" /s
reg query "HKLM\SYSTEM\CurrentControlSet\Services\dam\UserSettings" /s
reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings" /s /v *.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\dam\UserSettings" /s /v *.exe
Windows 10 Mail App Forensics
%LocalAppData%\Comms\Unistore\data\0 - Windows phone data
%LocalAppData%\Comms\Unistore\data\2 - Contact lists
%LocalAppData%\Comms\Unistore\data\3 - Contents/body of email
%LocalAppData%\Comms\Unistore\data\5 - Calendar invitations
%LocalAppData%\Comms\Unistore\data\7 - Email attachments
Capture packets with netsh
Note: You will need to use something like etl2pcapng to convert these captures to a pcapng file for analysis with Wireshark.
netsh trace start persistent=yes capture=yes tracefile=c:\temp\packetcapture.etl
netsh trace stop
Capture Packets with PowerShell
New-NetEventSession -Name "Capture" -CaptureMode SaveToFile -LocalFilePath "c:\temp\packetcapture.etl"
Add-NetEventProvider -Name "Microsoft-Windows-TCPIP" -SessionName "Capture"
Add-NetEventPacketCaptureProvider -SessionName "Capture"
Start-NetEventSession -Name "Capture"
Stop Capturing Packets with PowerShell
Get-NetEventSession
Stop-NetEventSession -Name Capture
Remove-NetEventSession
Convert ETL File to PCAP
etl2pcapng.exe c:\temp\packetcapture.etl c:\temp\packetcapture.pcapng
NTUSER.DAT Important Registry entries:
Recent execution of programs (GUI)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
- \RecentDocs (Notes recent files run, most commonly .lnk files)
- \UserAssist (Notes files run and number of times run. Values are ROT13 encoded),
- CEBFF5CD is Executable File Execution
- F4E57C4B is Shortcut File Execution
- \TypedPaths (Notes file locations visited using Windows Explorer address bar)
- \RunMRU (Notes recent commands executed through the ‘run’ program)
- \ComDlg32 (Last file path visited)
- \LastVisitedPidlMRU (Last PID which was ‘Most Recently Used’, e.g. the binaries used to open a file)
- \OpenSavePidlMRU (Last Saved PID file which was ‘Most Recently Used’, location of a file opened by a binary)
- \WordWheelQuery (Keywords searched for from the START menu bar)
- \FeatureUsage\AppBadgeUpdated (Every Time Task Bar Application Gets Notification and Badge Updates)
- \FeatureUsage\AppLaunch (Every Time Task Bar Application Which is Pinned is Launched)
- \FeatureUsage\AppSwitched (Every Time Task Bar Application Left Clicked)
- \FeatureUsage\ShowJumpView (Every Time Task Bar Application Right Clicked)
- \FeatureUsage\TrayButtonClicked (Every Time Relevant Button on Task Bar is Clicked)
You can get the names of recently run files from UserAssist by using ROT13 across them, we can do this quickly in Powershell by using a script from BornToBeRoot and some scriptfu:
$A=$(gci REGISTRY::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count | Select -exp Property);foreach ($B in $A){.\Convert-ROT13.ps1 -Rot 13 $B|Select -exp Text}
Or for those who don’t want to run it over every entry individually.
$A=$(gci REGISTRY::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count | Select -exp Property)|Out-String;.\Convert-ROT13.ps1 -Rot 13 $A|Select -exp Text
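A self-contained version of the UserAssist decode, added here and not part of the original cheat sheet, so no external Convert-ROT13.ps1 is needed; it also reads the run count and last-execution FILETIME out of each binary value (offsets 4 and 60 of the 72-byte layout used since Windows 7; shorter, older-layout values are reported with blank counts). Pass -Hive 'HKU\<SID>' to read another user's loaded hive.

```powershell
# Added example, not the cheat sheet's own code.
function ConvertFrom-Rot13 {
    param([Parameter(Mandatory)][string]$Text)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Text.ToCharArray()) {
        $o = [int]$c
        if     ($o -ge 65 -and $o -le 90)  { $o = (($o - 65 + 13) % 26) + 65 }   # A-Z
        elseif ($o -ge 97 -and $o -le 122) { $o = (($o - 97 + 13) % 26) + 97 }   # a-z
        [void]$sb.Append([char]$o)                                               # digits, punctuation untouched
    }
    $sb.ToString()
}

function Get-UserAssistEntry {
    [CmdletBinding()]
    param([string]$Hive = 'HKCU')    # e.g. 'HKU\S-1-5-21-...' for another loaded profile
    $base = "Registry::$Hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    foreach ($guidKey in (Get-ChildItem -Path $base -ErrorAction SilentlyContinue)) {
        $countKey = Get-Item -Path "$($guidKey.PSPath)\Count" -ErrorAction SilentlyContinue
        if (-not $countKey) { continue }
        foreach ($name in $countKey.GetValueNames()) {
            $raw = $countKey.GetValue($name)
            $runCount = $null; $lastRun = $null
            # Win7+ layout: 72-byte REG_BINARY, run count at offset 4, last run FILETIME at offset 60.
            if ($raw -is [byte[]] -and $raw.Length -ge 68) {
                $runCount = [BitConverter]::ToUInt32($raw, 4)
                $ft = [BitConverter]::ToInt64($raw, 60)
                if ($ft -gt 0) {
                    try { $lastRun = [DateTime]::FromFileTimeUtc($ft) } catch { $lastRun = $null }
                }
            }
            [pscustomobject]@{
                Guid     = $guidKey.PSChildName   # CEBFF5CD... = executables, F4E57C4B... = shortcuts
                Entry    = ConvertFrom-Rot13 $name
                RunCount = $runCount
                LastRun  = $lastRun
            }
        }
    }
}

# Most recently executed entries across both GUID keys.
Get-UserAssistEntry | Where-Object LastRun | Sort-Object LastRun -Descending |
    Select-Object -First 20 | Format-Table -AutoSize
```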
Recent Apps/Last Visited MRU
Note: OpenSavePidlMRU is in hex and will need to be decoded
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /s
Execution of Sysinternals Tool
reg query HKCU\Software\Sysinternals\ /s /v EulaAccepted
reg query HKU\SID\Software\Sysinternals\ /s /v EulaAccepted
Recent Internet Explorer History
reg query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
C:\Users\username\AppData\Local\Microsoft\Windows\History\Low\History.IE5\
C:\Users\username\AppData\Local\Microsoft\Windows\History\
C:\Users\username\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low
C:\Users\username\AppData\Local\Microsoft\Windows\WebCache\Internet Explorer\WebCacheV01.dat
Viewer tools: IE Cache Viewer, Browser History Viewer, ESE Database View, Browsing History View
esentutl.exe /y /vss C:\Users\Username\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat /d C:\Location\WebCacheV01.dat
Recent Chrome History
'C:\Users\Username\AppData\Local\Google\Chrome\User Data\Default\history'
Recent Firefox History
C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\*\
Recent Edge History
C:\Users\Username\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache\
C:\Users\Username\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\
C:\Users\Username\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Check Root Certificate Store
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\
reg query HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\
reg query HKU\{SID}\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\
reg query HKLM\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\
reg query HKCU\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\
reg query HKU\{SID}\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\
Thumbnail Cache
[Thumbcacheviewer](https://github.com/thumbcacheviewer/thumbcacheviewer)
Files located at: C:\Users\Username\AppData\Local\Microsoft\Windows\Explorer
Shellbags
Shellbags can be used to verify the previous existence of files which have been deleted. The OS uses them to store a folder's view customisation (e.g. look, feel, size, sort method, colour), and the entries persist after the files themselves have been deleted. Shellbags Explorer or ShellBagsView can be used to parse this information.
HKCU\SOFTWARE\Microsoft\Windows\Shell
- \BagMRU
- \Bags
BagMRU contains the database of folders and their saved settings by Windows.
UsrClass.dat Shellbags
Additional shellbags files can be found in UsrClass.dat
HKCU\SOFTWARE\Classes
- %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat
USB Information
Using the VolumeGUID found in SYSTEM\MountedDevices, you can find the user that actually mounted the USB device: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2
USB Times:
- First time device is connected
- Last time device is connected
- Removal time
SOFTWARE Hive Registry Entries
Common startup locations
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunonceEx
Network Information
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
- \Signatures\Unmanaged (record DefaultGatewayMac, DnsSuffix, FirstNetwork(SSID), ProfileGUID)
- \Signatures\Managed
- \Nla\Cache
- \Profiles
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}
- 0x06 = Wired
- 0x17 = Broadband
- 0x47 = Wireless
Gather information via Live Queries:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /s
Gather WiFi Passwords
netsh wlan show profile
netsh wlan show profile name={NAME} key=clear
netsh wlan export profile interface=* key=clear
ls C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\*\* | cat
Networks connected to/disconnected from, and MAC address
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-NetworkProfile/Operational'; Id='10000';}|FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-NetworkProfile/Operational'; Id='10001';}|FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DHCP*'; Id='50067';}|FL TimeCreated,Message
Get-WmiObject win32_networkadapterconfiguration | FL description, macaddress
Get host Mac Addresses
getmac
Lookup MAC Address/Organizationally Unique Identifier (OUI)
There are a number of ways to do this, but one of the most accurate is the IEEE webpage. You can interact directly with their REST API to get the results in JSON format. To do so via PowerShell, change the ‘text’ parameter to the first 3 octets of the MAC address (the OUI):
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri "https://services13.ieee.org/RST/standards-ra-web/rest/assignments/?registry=MAC&text=08-00-27&sortby=organization&sortorder=asc&size=10" | Select -exp content;
Useful Wireshark filters
All traffic to or from an IP
ip.addr == {IP}
All TCP traffic on a port
tcp.port == {port}
All traffic from an IP
ip.src == {IP}
All traffic to an IP
ip.dst == {IP}
HTTP or DNS Traffic
http || dns
Client>DC traffic filtering noise
smb || nbns || dcerpc || nbss || dns
TCP issues (flags)
tcp.analysis.flags
TCP protocol flags (present)
tcp.flags.syn == 1
tcp.flags.ack == 1
Encrypted Traffic
(ssh || tls)
Follow TCP Stream
tcp.stream == {StreamNum}
TCP packets for string
tcp contains {String}
HTTP codes
http.response.code == 400
http.response.code == 200
http.response.code == 404
http.response.code == 500
User agent, without/with case sensitivity
http.user_agent matches "firefox"
http.user_agent matches "(?-i)firefox"
Addresses on subnet by IP/Hostname
ip.addr == 172.217.167.78/16
ip.addr eq hostname/24
Wireshark Key Tips and Tricks by Brad Duncan
- General Wireshark Filter Reference
- Full Wireshark Display Filter Reference
- Customizing Wireshark – Changing Your Column Display
- Using Wireshark – Display Filter Expressions
- Using Wireshark: Identifying Hosts and Users
- Using Wireshark: Exporting Objects from a Pcap
- Wireshark Tutorial: Examining Trickbot Infections
- Wireshark Tutorial: Examining Ursnif Infections
Decrypting Encrypted Packets
This can be done in a few ways:
- Man-in-the-middle (MITM)
- Using the (Pre)-Master-Secret (SSLKEYLOGFILE)
- Using an RSA Private Key
SYSTEM Hive Registry Entries
USB Information
- HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices Note: Find Serial # and then look for FriendlyName to obtain the Volume Name of the USB device
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
- Key will ONLY be present if system drive is NOT SSD
- Traditionally used for ReadyBoost
- Find Serial # to obtain the Volume Serial Number of the USB device. The Volume Serial Number will be in decimal – convert to hex
- You can find complete history of Volume Serial Numbers here, even if the device has been formatted multiple times. The USB device’s Serial # will appear multiple times, each with a different Volume Serial Number generated on each format.
- HKLM\SYSTEM\MountedDevices
- Find Serial # to obtain the Drive Letter of the USB device
- Find Serial # to obtain the Volume GUID of the USB device
Live System
- HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (Class ID/Serial Number)
- HKLM\SYSTEM\CurrentControlSet\Enum\USB (VID/PID)
- HKLM\SYSTEM\CurrentControlSet\Control\DeviceContainers\*
reg query HKLM\SYSTEM\CurrentControlSet\Enum\SWD\WPDBUSENUM\ /s /f FriendlyName
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\ /s /f FriendlyName
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USB\ /s /f FriendlyName
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USB\
reg query HKLM\SYSTEM\CurrentControlSet\Enum\SWD\WPDBUSENUM\
reg query HKLM\SYSTEM\CurrentControlSet\Control\DeviceContainers\ /s /f "USB"
Forensic Image (Determine Control Set Number from HKLM\SYSTEM\Select\ -> Current Value)
- HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR (Class ID/Serial Number)
- HKLM\SYSTEM\ControlSet00x\Enum\USB (VID/PID)
Note: VID/PID information can be found online. Subdirectories under USB and USBSTOR provide unique USB identifiers (if the & is near the end); if it is near the start, they do not conform to MS standards and the identifier is unique to the given PC only.
- HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial#\Properties\{GUID}\####
- 0064 = First Install
- 0066 = Last Connected
- 0067 = Last Removal
OS Information
- HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
- HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
- HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Shares
- HKLM\SYSTEM\CurrentControlSet\FileSystem
- NtfsDisableLastAccessUpdate set at 0x1 means that access time stamps are turned OFF by default
Network Information
wmic nic get /all /format:list
wmic nicconfig get /all /format:list
- HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces
- Display interfaces and their IP address configuration (using interface GUID)
Prefetch Information
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
- 0=Disabled
- 1=Application prefetching enabled
- 3=Application and Boot prefetching enabled (default)
PECmd.exe -d "C:\Windows\Prefetch"
PECmd.exe -d "C:\Windows\Prefetch" --csv "c:\temp" --csvf Prefetch.csv
gci C:\Windows\Prefetch\
Superfetch Information
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters /v EnableSuperfetch
- 0=Disabled
- 1=Booting only
- 2=Applications
- 3=Application and Boot
Find relevant files:
gci C:\Windows\Prefetch\ -recurse -include *.db, *.trx
PowerShell Host Based Investigation and Containment Techniques
Note: I thoroughly recommend maintaining an accurate log of all actions taken during PowerShell host-based IR and containment. To do so, I recommend reading PowerShell ♥ the Blue Team, which covers logging all actions taken through this type of IR framework. Other alternatives for larger scale response include:
PowerForensics
Google Rapid Response
Kansa PowerShell IR Framework
Google Rapid Response comes in the form of a Server > Client architecture but is very flexible.
Kansa is a modular PowerShell IR Framework which can be used across multiple hosts in parallel.
Enable PS Remoting using PsExec
psexec.exe \\TARGET -s powershell Enable-PSRemoting -Force;
OR for public network setup (less security)
psexec.exe \\TARGET -s powershell Enable-PSRemoting -SkipNetworkProfileCheck -Force;
Confirm trusted hosts list if required
Get-Item WSMan:\localhost\Client\TrustedHosts
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'ASSET1,ASSET2'
Quick Remote Response (no audit/logging)
Enter-PSSession -ComputerName SERVER -Credential [name]
Setup logging for IR
Note: If you enter a PSSession, the logging won’t persist, so you will need to enable it on the remote host and pull the file back afterwards. Otherwise refer to PowerShell ♥ the Blue Team mentioned above.
Start-Transcript -Path "C:\[location]\investigation-1.log" -NoClobber
Establish Remote Session
$s1 = New-PSsession -ComputerName remotehost -SessionOption (New-PSSessionOption -NoMachineProfile) -ErrorAction Stop
Enter or exit remote session
Enter-PSSession -Session $s1
Exit-PSSEssion
Issuing remote command/shell
Invoke-Command -ScriptBlock {whoami} -Session $s1
Invoke-Command -file file.ps1 -Session $s1
Retrieving/downloading files
Copy-Item -Path "[RemoteHostFilePath]" -Destination "[LocalDestination]" -FromSession $s1
Checking for running processes
Invoke-Command -ScriptBlock {Get-Process} -Session $s1
Query Registry Keys
Invoke-Command -ScriptBlock {Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run} -Session $s1
PCAP collection
Note: Script and pcap should be located under: C:\Windows\System32 or your user directory.
Invoke-Command -ScriptBlock {ipconfig} -Session $s1
Invoke-Command -ScriptBlock {
$url = "https://raw.githubusercontent.com/nospaceships/raw-socket-sniffer/master/raw-socket-sniffer.ps1"
Invoke-WebRequest -Uri $url `
-OutFile "raw-socket-sniffer.ps1"
PowerShell.exe -ExecutionPolicy bypass .\raw-socket-sniffer.ps1 `
-InterfaceIp "[RemoteIPv4Address]" `
-CaptureFile "capture.cap"
} -Session $s1
Blocking a domain
Invoke-Command -ScriptBlock { Add-Content C:\Windows\System32\drivers\etc\hosts "`n127.0.0.1 bad.com"} -Session $s1
Blocking an IP
Invoke-Command -ScriptBlock {New-NetFirewallRule -DisplayName "Block_Malicious_IP" -Direction Outbound -LocalPort Any -Protocol TCP -Action Block -RemoteAddress 173.182.192.43} -Session $s1
Unblocking an IP
Invoke-Command -ScriptBlock {Remove-NetFirewallRule -DisplayName "Block_Malicious_IP"} -Session $s1
Quarantining a host using Firewall
Invoke-Command -ScriptBlock {New-NetFirewallRule -DisplayName InfoSec_Quarantine -Direction Outbound -Enabled True -LocalPort Any -RemoteAddress Any -Action Block} -Session $s1
Creating an OU to quarantine a host into
import-module ActiveDirectory
New-ADOrganizationalUnit -Name "Quarantined" -Path "DC=CORP,DC=COM"
Or
dsadd ou "ou=Quarantined,dc=CORP,dc=COM"
Moving an AD Object into a quarantine OU
Move-ADObject -Identity "CN=<USERNAME>,OU=Marketing,DC=CORP,DC=com" -TargetPath "OU=Quarantined,DC=CORP,DC=com"
Quarantining a host using DCOM
Note: Another method, which is a little more DANGEROUS, is to disable DCOM on this host and restart, which will stop something using DCOM to spread TO this host. This will likely break some aspects of its communication on the domain, and also your ability to respond, so it’s not recommended; but it is a possible solution for a host which is to be thoroughly contained before being investigated once the asset is returned (for example for re-imaging). This can be reversed by changing this registry key back to Y.
Invoke-Command -ScriptBlock {reg add HKLM\SOFTWARE\Microsoft\Ole /v EnableDCOM /t REG_SZ /d N /f; shutdown /r /f;} -Session $s1
Remove a quarantined host
Invoke-Command -ScriptBlock {Remove-NetFirewallRule -DisplayName InfoSec_Quarantine} -Session $s1
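The quarantine rule above only blocks new outbound connections, leaves inbound open, and applies to every remote address. This added example (not the cheat sheet's own code) flips both default actions to Block while keeping WinRM reachable from the responder's address, and returns a snapshot so the release step restores the exact prior state; $s1 is the session established earlier in this section and $ResponderIp is an assumed placeholder.

```powershell
# Added example, not the cheat sheet's own code. Run from the responder over an existing PSSession.
function Invoke-HostQuarantine {
    param(
        [Parameter(Mandatory)][System.Management.Automation.Runspaces.PSSession]$Session,
        [Parameter(Mandatory)][string[]]$ResponderIp,    # responder/IR host address(es), placeholder
        [string]$Group = 'InfoSec_Quarantine'
    )
    Invoke-Command -Session $Session -ScriptBlock {
        $group     = $using:Group
        $responder = $using:ResponderIp
        # Snapshot current defaults so Remove-HostQuarantine can restore them exactly.
        $snapshot = Get-NetFirewallProfile |
            Select-Object Name, @{n='Enabled';  e={[string]$_.Enabled}},
                          @{n='Inbound';  e={[string]$_.DefaultInboundAction}},
                          @{n='Outbound'; e={[string]$_.DefaultOutboundAction}}
        # Allow rules first, so the responder's WinRM path is covered before defaults flip to Block.
        New-NetFirewallRule -DisplayName "$group-WinRM-In" -Group $group -Direction Inbound -Protocol TCP `
            -LocalPort 5985, 5986 -RemoteAddress $responder -Action Allow -Profile Any | Out-Null
        New-NetFirewallRule -DisplayName "$group-Responder-Out" -Group $group -Direction Outbound `
            -RemoteAddress $responder -Action Allow -Profile Any | Out-Null
        # Everything not explicitly allowed now hits the Block default in both directions.
        Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
        $snapshot
    }
}

function Remove-HostQuarantine {
    param(
        [Parameter(Mandatory)][System.Management.Automation.Runspaces.PSSession]$Session,
        [Parameter(Mandatory)]$Snapshot,                  # object returned by Invoke-HostQuarantine
        [string]$Group = 'InfoSec_Quarantine'
    )
    Invoke-Command -Session $Session -ScriptBlock {
        Get-NetFirewallRule -Group $using:Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        foreach ($p in $using:Snapshot) {
            Set-NetFirewallProfile -Name $p.Name -Enabled $p.Enabled `
                -DefaultInboundAction $p.Inbound -DefaultOutboundAction $p.Outbound
        }
    }
}

# $s1 is the session from earlier in this section; the responder IP is a placeholder.
$state = Invoke-HostQuarantine -Session $s1 -ResponderIp '10.0.0.5'
# ... investigate and collect evidence over $s1, keeping $state for the IR log ...
Remove-HostQuarantine -Session $s1 -Snapshot $state
```

Pre-existing allow rules (such as the built-in Windows Remote Management rule) still permit traffic under a Block default, so disable those separately if the responder must be the only path in.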
Disable Admin Shares
Invoke-Command -ScriptBlock {reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /V "AutoShareWks" /T "REG_DWORD" /D "0" /F } -Session $s1
Invoke-Command -ScriptBlock {restart-service Lanmanserver -Force} -Session $s1
Credentials and Exposure
When investigating a compromised asset, it’s important to know what remote triage methods leave your credentials on the infected endpoint, and what ones don’t. Reference can be found on Microsoft Documentation
Connection Method | Logon Type | Reusable credentials on destination | Notes |
---|---|---|---|
Logon via console | Interactive | Y | Includes hardware remote access/network KVM/lights-out cards |
RUNAS | Interactive | Y | Nil |
RUNAS/NETWORK | NewCredentials | Y | Clones LSA session, but uses new creds when connecting to network resources. |
Remote Desktop | RemoteInteractive | Y | Nil |
Remote Desktop Failure | RemoteInteractive | N | Only stored briefly |
Net Use * \\SERVER | Network | N | Nil |
Net Use * \\SERVER /user | Network | N | Nil |
MMC snap-ins to remote computer | Network | N | Nil |
PowerShell WinRM | Network | N | e.g. Enter-PSSession SERVER |
PowerShell WinRM with CredSSP | NetworkClearText | Y | e.g. New-PSSession SERVER -Authentication Credssp -Credential PWD |
PsExec without explicit creds | Network | N | e.g. PsExec \\SERVER cmd |
PsExec with explicit creds | Network&Interactive | Y | PsExec \\SERVER -u USER -p PWD cmd |
Remote Registry | Network | N | Nil |
Remote Desktop Gateway | Network | N | Authenticating to Remote Desktop Gateway |
Scheduled Task | Batch | Y | Also saved as LSA secret on disk |
Tools as Service | Service | Y | Also saved as LSA secret on disk |
Vuln Scanners | Network | N | Most use Network logons; however, those that don’t have the risk of creds on destination. |
IIS “Basic Authentication” | NetworkCleartext | Y | Nil |
IIS “Integrated Windows Authentication” | Network | N | NTLM/Kerberos Providers |
Kerberos Tickets and Exposure
Special thanks to CERT-EU for this. When comparing Pass-the-Hash to Pass-the-Ticket attacks, the following key differences apply:
- Administrative privileges are required to steal credentials, but NOT to use an obtained Kerberos ticket.
- A password change does NOT make Kerberos tickets invalid. By default Kerberos has a max lifetime of 10hrs before the ticket must be renewed, and a max renewal time of 7 days after being granted.
Due to this, disabling accounts may not be enough to prevent ongoing compromise, and you may have to purge the user's Kerberos tickets. Locate the user in question using ‘sessions’ and purge by specifying the user's logon session prior to logging them off.
klist.exe sessions
klist purge -li 0x2e079217
query user
logoff <session id>
Windows Memory Forensics
Volatility 2.x Basics
(Note: Depending on which version of Volatility you are using and how it was installed, you may need to substitute volatility with vol.py if there’s no alias set up)
Find out what profiles you have available
volatility --info
Find out the originating OS profile to be used from the memory dump.
volatility -f memorydump.mem imageinfo
volatility -f memorydump.mem kdbgscan
Determine what plugins are available for use.
volatility -f memorydump.mem --profile=<profilename> -h
Check what processes were running.
(Note: Any entries for svchost.exe should always have services.exe as a parent process and parameters such as /k should always be present)
volatility -f memorydump.mem --profile=<profilename> pslist
volatility -f memorydump.mem --profile=<profilename> psscan
volatility -f memorydump.mem --profile=<profilename> pstree
Check what commands have been run and their output.
volatility -f memorydump.mem --profile=<profilename> cmdscan
volatility -f memorydump.mem --profile=<profilename> consoles
Dump process files which were running from memory.
volatility -f memorydump.mem --profile=<profilename> procdump -p <processid> --dump-dir=./
Dump the memory associated with a process file.
volatility -f memorydump.mem --profile=<profilename> memdump -p <processid> --dump-dir=./
Dump all cached files from memory.
volatility -f memorydump.mem --profile=<profilename> dumpfiles --dump-dir=./
Check what drivers or kernel modules were unloaded or hidden.
volatility -f memorydump.mem --profile=<profilename> modscan
Check what network connectivity has occurred.
volatility -f memorydump.mem --profile=<profilename> netscan
Check what network connectivity has occurred (Windows XP/Server 2003).
volatility -f memorydump.mem --profile=<profilename> connections
volatility -f memorydump.mem --profile=<profilename> connscan
volatility -f memorydump.mem --profile=<profilename> sockets
volatility -f memorydump.mem --profile=<profilename> sockscan
Check what information exists within registry from memory.
volatility -f memorydump.mem --profile=<profilename> hivelist
volatility -f memorydump.mem --profile=<profilename> hivescan
volatility -f memorydump.mem --profile=<profilename> hivedump --dump-dir=./
volatility -f memorydump.mem --profile=<profilename> userassist
volatility -f memorydump.mem --profile=<profilename> shellbags
volatility -f memorydump.mem --profile=<profilename> shimcache
volatility -f memorydump.mem --profile=<profilename> shimcachemem
Scan memory with Yara Rule
volatility -f memorydump.mem --profile=<profilename> yarascan -y rule.yara
Duplicate image space out as a raw DD file
(e.g. convert a hiberfil.sys or crash dump into a raw memory image).
volatility -f memorydump.mem --profile=<profilename> imagecopy
Dump timelined artifacts from memory.
volatility -f memorydump.mem --profile=<profilename> timeliner
Detect persistence mechanisms using Winesap
- Research Paper
- Volatility Plugin – Winesap
volatility -f memdump.mem --profile=[profile] autoruns
volatility --plugins=./winesap/plugin -f memdump.mem --profile=[profile] autoruns
volatility --plugins=./winesap/plugin -f memdump.mem --profile=[profile] autoruns --match
Compare memory dump to known good memory dump.
- csababarta plugins
volatility -f infected.mem --profile=<profilename> processbl -B clean.mem -U 2>/dev/null
volatility -f infected.mem --profile=<profilename> servicebl -B clean.mem -U 2>/dev/null
volatility -f infected.mem --profile=<profilename> driverbl -B clean.mem -U 2>/dev/null
Output visual .dot file to view process tree
volatility -f memorydump.mem --profile=<profilename> psscan --output=dot --output-file=psscan.dot
volatility -f memorydump.mem --profile=<profilename> pstree --output=dot --output-file=pstree.dot
dot -Tpng pstree.dot -o pstree.png
dot -Tpng psscan.dot -o psscan.png
Volatility 3.x Basics
Note: Version 3 of Volatility was released in November 2019 which changes the Volatility usage and syntax. More information on V3 of Volatility can be found on ReadTheDocs.
A list of common plugins is:
- linux.bash.Bash
- linux.check_afinfo.Check_afinfo
- linux.check_syscall.Check_syscall
- linux.elfs.Elfs
- linux.lsmod.Lsmod
- linux.lsof.Lsof
- linux.malfind.Malfind
- linux.proc.Maps
- linux.pslist.PsList
- linux.pstree.PsTree
- mac.bash.Bash
- mac.check_syscall.Check_syscall
- mac.check_sysctl.Check_sysctl
- mac.check_trap_table.Check_trap_table
- mac.ifconfig.Ifconfig
- mac.lsmod.Lsmod
- mac.lsof.lsof
- mac.malfind.Malfind
- mac.netstat.Netstat
- mac.proc_maps.Maps
- mac.psaux.Psaux
- mac.pslist.PsList
- mac.pstree.PsTree
- mac.tasks.Tasks
- mac.timers.Timers
- mac.trustedbsd.trustedbsd
- windows.cmdline.CmdLine
- windows.dlldump.DllDump
- windows.dlllist.DllList
- windows.driverirp.DriverIrp
- windows.driverscan.DriverScan
- windows.filescan.FileScan
- windows.handles.Handles
- windows.info.Info
- windows.malfind.Malfind
- windows.moddump.ModDump
- windows.modscan.ModScan
- windows.modules.Modules
- windows.mutantscan.MutantScan
- windows.poolscanner.PoolScanner
- windows.procdump.ProcDump
- windows.pslist.PsList
- windows.psscan.PsScan
- windows.pstree.PsTree
- windows.registry.certificates.Certificates
- windows.registry.hivedump.HiveDump
- windows.registry.hivelist.HiveList
- windows.registry.hivescan.HiveScan
- windows.registry.printkey.PrintKey
- windows.registry.userassist.UserAssist
- windows.ssdt.SSDT
- windows.statistics.Statistics
- windows.strings.Strings
- windows.symlinkscan.SymlinkScan
- windows.vaddump.VadDump
- windows.vadinfo.VadInfo
- windows.virtmap.VirtMap
- timeliner.Timeliner
Check Memory Image Information
/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.info.Info
Check List of Kernel Drivers
/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.modules.Modules
Check List of Kernel Drivers (incl previously unloaded and hidden)
/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.modscan.ModScan
Dump List of Kernel Drivers to Files
/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.moddump.ModDump
Dump List of Running Processes to Files
/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.procdump.ProcDump
Check Process List of Running Processes
/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.pslist.PsList
Check Process Tree of Running Processes
/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.pstree.PsTree
Check Running Processes from EPROCESS blocks
/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.psscan.PsScan
Check Running Processes for possible shellcode/injection via PAGE_EXECUTE_READWRITE
/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.malfind.Malfind
Check processes and their command lines
/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.cmdline.CmdLine
Check for files which exist in memory
/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.filescan.FileScan
Miscellaneous Tools and Notes
Eric Zimmerman has excellent widely used libraries and tools
RegRipper
rip.pl -r NTUSER.DAT -f ntuser | less
rip.pl -r SAM -f sam | less
rip.exe -l
rip.exe -r C:\Users\User\ntuser.dat -p userassist
Kape
*Note: Video Tutorial
kape.exe --tsource C --target RegistryHives --tdest "[location]"
kape.exe --tsource \\server\directory --target !ALL --tdest "[location]" --vhdx LOCALHOST
ShimCacheParser
ShimCacheParser.py -h
ShimCacheParser.py -i SYSTEM --BOM
AppCompatCacheParser
AppCompatCacheParser.exe --csv .\ -t
AmCacheParser
AmcacheParser.exe --csv .\ -f .\Amcache.hve
Windows 10 Timeline Database Parser
WxTCmd.exe -f "C:\Users\[username]\AppData\Local\ConnectedDevicesPlatform\L.[username]\ActivitiesCache.db" --csv .
Bulk Extractor
bulk_extractor64.exe -o [outputdir] memdump.mem
ForensicDots
Note: Can be used to determine the Machine Identification Code of a Printer.
Cyber Chef
The Cyber Swiss Army Knife – a web app for encryption, encoding, compression and data analysis. Note: This was created by an analyst at GCHQ, which is part of the UK's National Cyber Security Centre. The source is actively maintained on GitHub.
URLScan
OSQuery
Velociraptor
ViperMonkey
Parse and interpret VBA macros
vmonkey phishing.docm
Faster output
pypy vmonkey.py -s phishing.docm
Less verbose output
vmonkey -l warning phishing.docm
XLM Macro Deobfuscator
Parse and interpret hidden XLM Macros (Excel 4.0 Macros)
xlmdeobfuscator --file malware.xlsm
Note: Using a tool such as BiffView we’re able to view BOUNDSHEET records to find hidden sheets. This is indicated by ‘02 01’ hex values at the 5th and 6th offset.
Changing 02 to 00 makes these hidden spreadsheets visible without having to run any macros.
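The BOUNDSHEET check described in the note, as an added example (not BiffView, xlmdeobfuscator or any other tool named on this page). It assumes you already have the raw BIFF8 Workbook stream pulled out of the OLE2 container (for example with olefile, which is not used here); the sample stream below is constructed inline so the script runs offline. Byte 5 of a BOUNDSHEET body carries the sheet state in its low two bits (00 visible, 01 hidden, 02 very hidden) and byte 6 the sheet type (01 = XLM macro sheet), which is the '02 01' pair the note refers to. The script lists hidden and macro sheets and produces a copy with the state bits cleared, which is the same edit as changing 02 to 00 in a hex editor.

```python
import struct

BOUNDSHEET = 0x0085          # BIFF8 record type for BOUNDSHEET
SHEET_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VB module"}


def iter_records(stream):
    """Yield (offset, type, body) for each BIFF record in a Workbook stream."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        yield off, rtype, stream[off + 4:off + 4 + rlen]
        off += 4 + rlen


def parse_boundsheet(body):
    """Decode a BOUNDSHEET body: stream position, state byte, type byte, sheet name."""
    pos, state, dt = struct.unpack_from("<IBB", body, 0)
    cch, flags = body[6], body[7]          # ShortXLUnicodeString header
    raw = body[8:]
    name = raw[:cch * 2].decode("utf-16-le") if flags & 1 else raw[:cch].decode("latin-1")
    return {"pos": pos, "state": state & 0x03, "type": dt, "name": name}


def find_hidden_sheets(stream):
    """Return BOUNDSHEET entries that are hidden/very hidden or are macro sheets."""
    found = []
    for off, rtype, body in iter_records(stream):
        if rtype != BOUNDSHEET:
            continue
        info = parse_boundsheet(body)
        info["offset"] = off
        if info["state"] != 0 or info["type"] == 0x01:
            found.append(info)
    return found


def unhide_sheets(stream):
    """Clear the two state bits of every sheet (the '02' -> '00' edit from the note)."""
    buf = bytearray(stream)
    for off, rtype, _ in iter_records(stream):
        if rtype == BOUNDSHEET:
            buf[off + 4 + 4] &= 0xFC       # 5th byte of the body, keep bits 2..7
    return bytes(buf)


def make_boundsheet(pos, state, dt, name):
    """Build a constructed BOUNDSHEET record with an 8-bit sheet name."""
    nb = name.encode("latin-1")
    body = struct.pack("<IBB", pos, state, dt) + bytes([len(nb), 0]) + nb
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


# Constructed Workbook stream: BOF, three sheets, EOF.  Not taken from a real file.
SAMPLE_STREAM = (
    struct.pack("<HH", 0x0809, 16) + bytes(16)
    + make_boundsheet(0x400, 0x00, 0x00, "Sheet1")   # visible worksheet
    + make_boundsheet(0x800, 0x02, 0x01, "Macro1")   # very hidden XLM macro sheet
    + make_boundsheet(0xC00, 0x01, 0x00, "Data")     # hidden worksheet
    + struct.pack("<HH", 0x000A, 0)
)

if __name__ == "__main__":
    for s in find_hidden_sheets(SAMPLE_STREAM):
        print(f"offset {s['offset']:#06x}: {s['name']!r} is "
              f"{SHEET_STATE.get(s['state'], '?')} {SHEET_TYPE.get(s['type'], 'unknown')}")
```

On a real workbook, feed the Workbook stream bytes to find_hidden_sheets first; a "very hidden macro sheet" is the combination worth pulling into xlmdeobfuscator, and unhide_sheets gives you a reviewable copy without executing anything.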
Mounting image files in linux
mkdir /mnt/windows
imageMounter.py
ImageMounter.py -s <imagefile> /mnt/windows
cd /mnt/windows
OR
mkdir /mnt/windows
sudo apt install libguestfs-tools
sudo virt-list-filesystems <vhdx file>
sudo guestmount -a <vhdx file> -m /dev/<filesystemabove> -r /mnt/windows -o allow_other
Mounting image files in Windows
Unpack binary packed with UPX
upx -d PackedProgram.exe
Scan exchange for phishing emails
Disclaimer: Always test before running against live systems. For those running Office365 this documentation may be more useful.
# This is used to authenticate yourself and connect to the exchange server
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://EXCHANGEHOSTFQDN/PowerShell/ -Credential $UserCredential
Import-PSSession $Session -DisableNameChecking
# This is used to confirm the mailboxes accessible and modules available
Get-Mailbox
Get-Module
# This is used to remove emails from a mailbox and move them to an administrator mailbox as a backup
Get-Mailbox -Identity "NAME" | Search-Mailbox -SearchQuery 'Subject:"SUBJECT LINE"' -TargetMailbox "ADMINBACKUPMAILBOX" -TargetFolder "BACKUPFOLDER" -DeleteContent
# This is used to run a report on anyone who received an email with a malicious attachment and log this information in an administrator mailbox
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment:trojan* -TargetMailbox "ADMINBACKUPMAILBOX" -TargetFolder "BACKUPFOLDER" -LogOnly -LogLevel Full
# This is used to disconnect from the established powershell session
Remove-PSSession $Session
Common DLL Information
DLL | Description |
---|---|
Kernel32.dll | (Windows Kernel) This is a very common DLL that contains core functionality, such as access and manipulation of memory, files, and hardware. |
Advapi32.dll | (Advanced API) This DLL provides access to advanced core Windows components such as the Service Manager and Registry. |
Ntdll.dll | (NT Layer) This DLL is the interface to the Windows kernel. Executables rarely import this file directly, although it is always imported indirectly by Kernel32.dll. If an executable deliberately imports this, it means that the author wanted to use functionality not normally available to Windows programs. Some tasks, such as hiding functionality or manipulating processes, will use this interface. |
User32.dll | (Windows User) This DLL contains all the user interface components, such as buttons, scroll bars, and components for controlling and responding to user actions. |
Wininet.dll | (Windows Internet API) This DLL contains high level networking functions. These implement protocols such as FTP, HTTP, and NTP. |
Gdi32.dll | (Graphics Device Interface) This DLL contains functions used for displaying and manipulating graphics. |
WSock32.dll and Ws2_32.dll | (Windows Sockets API) These are networking DLLs. A program that accesses either of these will likely connect to a network or perform network related tasks. |
- When analysing a binary, a small number of strings and very few imported functions help confirm that it is packed.
Show processes with networking functions
tasklist /m WSock32.dll
tasklist /m Ws2_32.dll
tasklist /m Wininet.dll
tasklist /m winhttp.dll
gps | ?{$_.Modules -like '*WSock32.dll*' -OR $_.Modules -like '*Ws2_32.dll*' -OR $_.Modules -like '*Wininet.dll*' -OR $_.Modules -like '*winhttp.dll*' }|FL Id, ProcessName
Show processes importing the Remote Access API
tasklist /m RASAPI32.dll
Show processes importing the task scheduler API
tasklist /m taskschd.dll
tasklist /m mstask.dll
Show processes importing the Windows Management Instrumentation API
tasklist /m wbem*
tasklist /m wmi*
Windows Memory Analysis (Example Process with Volatility)
Identify memory OS information
volatility -f memorydump.mem imageinfo
Identify suspicious running processes
volatility -f memorydump.mem --profile=<profilename> pstree
Show suspicious running processes based on names.
volatility -f memorydump.mem --profile=<profilename> pstree | egrep 'winlogon|lsass|services'
volatility -f memorydump.mem --profile=<profilename> psscan
Show any malicious or suspicious processes requiring investigation
volatility -f memorydump.mem --profile=<profilename> malfind
Show any Process Hollowing (Hollow Process Injection)
volatility -f memorydump.mem --profile=<profilename> hollowfind
Dump suspicious process executables from memory
volatility -f memorydump.mem --profile=<profilename> procdump -p <processid> --dump-dir=./
Parse the Master File Table
volatility -f <memoryDump> mftparser -C --output-file=output.txt
Reassemble raw hex of file under $DATA back into original file from dump.raw file.
xxd -r dump.raw > <filename.originalextension>
Compare hashes with known detections e.g. VirusTotal.
sha256 <filename>
https://www.virustotal.com
Create a timeline of events.
volatility -f memorydump.mem --profile=<profilename> timeliner
volatility -f memorydump.mem --profile=<profilename> timeliner --hive=SECURITY
volatility -f memorydump.mem --profile=<profilename> timeliner --type=Registry
Windows Memory Analysis using Windbg
Using Comaeio SwishDbgExt you are able to better analyse Windows crash (DMP) files with Windbg. To do this, download the latest release, run windbg, load the dll and then run a command. At the time of writing the available commands are:
!load X:\FullPath\SwishDbgExt.dll
!help - Displays information on available extension commands
!ms_callbacks - Display callback functions
!ms_checkcodecave - Look for used code cave
!ms_consoles - Display console command's history
!ms_credentials - Display user's credentials (based on gentilkiwi's mimikatz)
!ms_drivers - Display list of drivers
!ms_dump - Dump memory space on disk
!ms_exqueue - Display Ex queued workers
!ms_fixit - Reset segmentation in WinDbg (Fix "16.kd>")
!ms_gdt - Display GDT
!ms_hivelist - Display list of registry hives
!ms_idt - Display IDT
!ms_lxss - Display lsxx entries
!ms_malscore - Analyze a memory space and returns a Malware Score Index (MSI) - (based on Frank Boldewin's work)
!ms_mbr - Scan Master Boot Record (MBR)
!ms_netstat - Display network information (sockets, connections, ...)
!ms_object - Display list of object
!ms_process - Display list of processes
!ms_readkcb - Read key control block
!ms_readknode - Read key node
!ms_readkvalue - Read key value
!ms_regcheck - Scan for suspicious registry entries
!ms_scanndishook - Scan and display suspicious NDIS hooks
!ms_services - Display list of services
!ms_ssdt - Display service descriptor table (SDT) functions
!ms_store - Display information related to the Store Manager (ReadyBoost)
!ms_timers - Display list of KTIMER
!ms_vacbs - Display list of cached VACBs
!ms_verbose - Turn verbose mode on/off
!ms_yarascan - Scan process memory using yara rules
Normal Process Relationship Hierarchy (Genealogy)
Old:
System
- smss.exe
- winlogon.exe (upon smss.exe exiting)
- userinit.exe
- explorer.exe (upon userinit.exe exiting)
- userinit.exe
- wininit.exe (upon smss.exe exiting)
- lsass.exe
- services.exe
- svchost.exe
- taskhost.exe
- csrss.exe
- winlogon.exe (upon smss.exe exiting)
Windows 10:
System
- smss.exe
- winlogon.exe (upon smss.exe exiting)
- userinit.exe
- explorer.exe (upon userinit.exe exiting)
- userinit.exe
- wininit.exe (upon smss.exe exiting)
- lsass.exe
- lsaiso.exe (credential guard only)
- services.exe
- svchost.exe
- taskhostw.exe
- runtimebroker.exe
- svchost.exe
- csrss.exe
- winlogon.exe (upon smss.exe exiting)
Extra notes
Be mindful of the below:
- svchost.exe should always have services.exe pid as ppid and a service associated with it.
- there should never be more than 1 lsass.exe process.
- lsass.exe should always have a parent of winlogon.exe (WinXP and older) or Wininit.exe (Vista or newer).
- pslist and pstree walk a doubly linked list which malware can ‘unlink’ itself from, thus hiding the process.
- psscan looks instead for ‘EPROCESS blocks’, which is memory associated with a Windows process.
- Discrepancies between these 2 areas can indicate that process hollowing has occurred.
- VAD = Virtual Address Descriptor which lives in kernel memory.
- PEB = Process Environment Block which lives in process memory.
- PAGE_EXECUTE_READWRITE protection indicates memory marked as executable, which may indicate potential shellcode was used or injected.
- Process hollowing essentially pauses and duplicates a legitimate process, replaces the executable memory with something malicious, and then resumes the process. Process Injection on the other hand injects malicious code into an already running process which causes that process to execute the code.
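The parent/child rules above (svchost.exe under services.exe, exactly one lsass.exe with wininit.exe or winlogon.exe as its parent) and the pslist-versus-psscan comparison can be scripted rather than eyeballed. The following is an added example, not part of the cheat sheet or of Volatility itself: it parses text shaped like the first four columns of Volatility 2 pslist/psscan output (constructed sample rows, not a real dump) and reports each violation. Process names, PIDs and the column layout are assumptions for illustration.

```python
"""Check a process listing against the expected Windows process hierarchy and
cross-check pslist against psscan for entries hidden from the active list."""
from collections import namedtuple

Proc = namedtuple("Proc", "name pid ppid")

# Constructed sample mimicking `volatility ... pslist` columns (Offset, Name, PID, PPID).
PSLIST_SAMPLE = """\
Offset(V)  Name          PID  PPID
0x01       System          4     0
0x02       smss.exe      300     4
0x03       csrss.exe     400   300
0x04       wininit.exe   450   300
0x05       services.exe  500   450
0x06       lsass.exe     510   450
0x07       svchost.exe   600   500
0x08       svchost.exe   650   999
0x09       lsass.exe     700   600
"""
# psscan carves EPROCESS blocks, so it also sees an entry unlinked from the list.
PSSCAN_SAMPLE = PSLIST_SAMPLE + "0x0a       evil.exe      800   650\n"


def parse_listing(text):
    """Turn pslist/psscan style text into Proc tuples; header lines are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[2].isdigit() or not parts[3].isdigit():
            continue
        procs.append(Proc(parts[1].lower(), int(parts[2]), int(parts[3])))
    return procs


def check_hierarchy(pslist, psscan):
    """Return human-readable findings for every broken rule in the notes above."""
    findings = []
    by_pid = {p.pid: p for p in pslist}
    services_pids = {p.pid for p in pslist if p.name == "services.exe"}

    # svchost.exe must be a child of services.exe
    for p in pslist:
        if p.name == "svchost.exe" and p.ppid not in services_pids:
            findings.append(f"svchost.exe pid {p.pid} has unexpected parent pid {p.ppid}")

    # exactly one lsass.exe, parented by wininit.exe (Vista+) or winlogon.exe (XP)
    lsass = [p for p in pslist if p.name == "lsass.exe"]
    if len(lsass) != 1:
        findings.append(f"{len(lsass)} lsass.exe processes found (expected exactly 1)")
    for p in lsass:
        parent = by_pid.get(p.ppid)
        pname = parent.name if parent else "<unknown>"
        if pname not in ("wininit.exe", "winlogon.exe"):
            findings.append(f"lsass.exe pid {p.pid} parent is {pname} (pid {p.ppid})")

    # anything psscan carved that pslist did not list may have been unlinked
    listed = {p.pid for p in pslist}
    for p in psscan:
        if p.pid not in listed:
            findings.append(f"{p.name} pid {p.pid} seen by psscan but absent from pslist "
                            "(possible unlinked/hidden process)")
    return findings


if __name__ == "__main__":
    for f in check_hierarchy(parse_listing(PSLIST_SAMPLE), parse_listing(PSSCAN_SAMPLE)):
        print("[!]", f)
```

Against a real dump, save the two plugin outputs to files and pass their contents to parse_listing; a pslist/psscan gap is only a lead (a process that exited between the list walk and the pool scan shows up the same way), so confirm with pstree and the exit time before calling it hidden.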
Linux Cheat Sheet
Dumping Memory
dd if=/dev/kmem of=/root/kmem
dd if=/dev/mem of=/root/mem
sudo insmod ./lime.ko "path=./Linmen.mem format=raw"
Taking Image
fdisk -l
dd if=/dev/sda1 of=/[outputlocation]
Misc Useful Tools
python ./fastIR_collector_linux.py
./linenum.sh
./linenum.sh -t
Live Triage
System Information
date
uname -a
hostname
cat /proc/version
lsmod
Account Information
cat /etc/passwd
cat /etc/shadow
cat /etc/sudoers
cat /etc/sudoers.d/*
cut -d: -f1 /etc/passwd
getent passwd | cut -d: -f1
compgen -u
Current user
whoami
who
Last logged on users
last
lastb
cat /var/log/auth.log
Initialisation Files
cat /etc/bash.bashrc
cat ~/.bash_profile
cat ~/.bashrc
Environment and Startup Programs
cat /etc/profile
ls /etc/profile.d/
cat /etc/profile.d/*
Scheduled Tasks
ls /etc/cron.*
ls /etc/cron.*/*
cat /etc/cron.*/*
cat /etc/crontab
SSH Keys and Authorised Users
cat /etc/ssh/sshd_config
Note: This specifies where the SSH daemon will look for keys. Generally this will be as below.
ls /home/*/.ssh/*
cat /home/*/.ssh/id_rsa.pub
cat /home/*/.ssh/authorized_keys
Sudoers File (who can run commands as a different user)
cat /etc/sudoers
Configuration Information
ls /etc/*.d
cat /etc/*.d/*
Network Connections / Socket Stats
netstat
netstat -apetul
netstat -plan
netstat -plant
ss
ss -l
ss -ta
ss -tp
IP Table Information
ls /etc/iptables
cat /etc/iptables/*.v4
cat /etc/iptables/*.v6
iptables -L
Network Configuration
ifconfig -a
Browser Plugin Information
ls -la ~/.mozilla/plugins
ls -la /usr/lib/mozilla/plugins
ls -la /usr/lib64/mozilla/plugins
ls -la ~/.config/google-chrome/Default/Extensions/
Kernel Modules and Extensions
ls -la /lib/modules/*/kernel/*
Process Information
ps <simple | list | output | threads | misc | all>
ps -s
ps -l
ps -o
ps -t
ps -m
ps -a
top
Search files recursively in directory for keyword
grep -H -i -r "password" /
Process Tree
ps -auxwf
Open Files and space usage
lsof
du
Pluggable Authentication Modules (PAM)
cat /etc/pam.d/sudo
cat /etc/pam.conf
ls /etc/pam.d/
Disk / Partition Information
fdisk -l
System Calls / Network Traffic
strace -f -e trace=network -s 10000 <PROCESS WITH ARGUMENTS>;
strace -f -e trace=network -s 10000 -p <PID>;
Note: Below material with thanks to Craig Rowland – Sandfly Security
Detailed Process Information
ls -al /proc/[PID]
Note:
- CWD = Current Working Directory of Malware
- EXE = Binary location and whether it has been deleted
- Most Common Timestamp = When process was created
Recover deleted binary which is currently running
cp /proc/[PID]/exe /[destination]/[binaryname]
Capture Binary Data for Review
cp /proc/[PID]/ /[destination]/[PID]/
Binary hash information
sha1sum /[destination]/[binaryname]
md5sum /[destination]/[binaryname]
Process Command Line Information
cat /proc/[PID]/cmdline
cat /proc/[PID]/comm
Note:
- Significant differences in the above 2 outputs and the specified binary name under /proc/[PID]/exe can be indicative of malicious software attempting to remain undetected.
Process Environment Variables (incl user who ran binary)
strings /proc/[PID]/environ
cat /proc/[PID]/environ
Process file descriptors/maps (what the process is ‘accessing’ or using)
ls -al /proc/[PID]/fd
cat /proc/[PID]/maps
Process stack/status information (may reveal useful elements)
cat /proc/[PID]/stack
cat /proc/[PID]/status
Deleted binaries which are still running
ls -alr /proc/*/exe 2> /dev/null | grep deleted
Process Working Directories (including common targeted directories)
ls -alr /proc/*/cwd
ls -alr /proc/*/cwd 2> /dev/null | grep tmp
ls -alr /proc/*/cwd 2> /dev/null | grep dev
ls -alr /proc/*/cwd 2> /dev/null | grep var
ls -alr /proc/*/cwd 2> /dev/null | grep home
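The /proc checks above (deleted exe, cmdline/comm disagreeing with the exe name, working directory under tmp/dev/var/home) as one script that walks every PID. This is an added example and is not Sandfly's or the cheat sheet's own tooling; it reads the real /proc when run on a Linux host, and the build_sample_proc helper fabricates a two-process /proc tree in a temp directory (labelled constructed, not real system data) so the logic can be exercised offline. Thresholds and the list of suspicious directories are assumptions taken from the grep commands above.

```python
import os
import tempfile

# Working directories the cheat sheet greps for; matches are leads, not verdicts.
SUSPICIOUS_CWD = ("/tmp", "/dev", "/var", "/home")


def _read(path):
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return b""


def _link(path):
    try:
        return os.readlink(path)
    except OSError:
        return ""            # kernel thread, or no permission to read the link


def triage_proc(proc_root="/proc"):
    """Return (pid, indicator, detail) tuples for every numeric entry under proc_root."""
    findings = []
    for entry in sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int):
        pid, pdir = int(entry), os.path.join(proc_root, entry)
        exe = _link(os.path.join(pdir, "exe"))
        cwd = _link(os.path.join(pdir, "cwd"))
        comm = _read(os.path.join(pdir, "comm")).decode(errors="replace").strip()
        argv = _read(os.path.join(pdir, "cmdline")).split(b"\0")
        argv0 = argv[0].decode(errors="replace") if argv else ""
        if not exe:
            continue
        deleted = exe.endswith(" (deleted)")
        exebase = os.path.basename(exe[:-len(" (deleted)")] if deleted else exe)
        if deleted:
            findings.append((pid, "exe deleted", exe))
        # comm is truncated to 15 chars by the kernel, so compare against the prefix
        if comm and comm != exebase[:15]:
            findings.append((pid, "comm mismatch", f"{comm} != {exebase}"))
        if argv0 and os.path.basename(argv0) != exebase:
            findings.append((pid, "argv0 mismatch", f"{argv0} != {exebase}"))
        for prefix in SUSPICIOUS_CWD:
            if cwd == prefix or cwd.startswith(prefix + "/"):
                findings.append((pid, "cwd", cwd))
                break
    return findings


def build_sample_proc():
    """Constructed mini /proc tree in a temp dir (not a real system) for offline runs."""
    root = tempfile.mkdtemp(prefix="fakeproc-")

    def add(pid, exe, cwd, cmdline, comm):
        d = os.path.join(root, str(pid))
        os.mkdir(d)
        os.symlink(exe, os.path.join(d, "exe"))   # dangling links are fine for readlink
        os.symlink(cwd, os.path.join(d, "cwd"))
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(cmdline)
        with open(os.path.join(d, "comm"), "wb") as fh:
            fh.write(comm)

    add(1, "/usr/lib/systemd/systemd", "/", b"/usr/lib/systemd/systemd\0--system\0", b"systemd\n")
    add(4242, "/tmp/.cache/payload (deleted)", "/tmp/.cache", b"/usr/sbin/sshd\0-D\0", b"sshd\n")
    return root


if __name__ == "__main__":
    root = "/proc" if os.path.isdir("/proc") else build_sample_proc()
    for pid, what, detail in triage_proc(root):
        print(f"pid {pid}: {what}: {detail}")
```

Expect some noise on a real host (login shells report argv0 as "-bash", services that rewrite their command line show an argv0 mismatch); the combination of a deleted exe, a renamed comm and a cwd under /tmp on the same PID is what merits pulling /proc/[PID]/exe with the cp command above before the process exits.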
Hidden Directories and Files
find / -type d -name ".*"
Immutable Files and Directories (Often Suspicious)
lsattr / -R 2> /dev/null | grep "\----i"
SUID/SGID and Sticky Bit Special Permissions
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
File and Directories with no user/group name
find / \( -nouser -o -nogroup \) -exec ls -lg {} \;
File types in current directory
file * -p
Executables on file system
find / -type f -exec file -p '{}' \; | grep ELF
Hidden Executables on file system
find / -name ".*" -exec file -p '{}' \; | grep ELF
Files modified within the past day
find / -mtime -1
Persistent Areas of Interest
/etc/rc.local
/etc/init.d
/etc/rc*.d
/etc/modules
/etc/cron*
/var/spool/cron/*
Audit Logs
ls -al /var/log/*
ls -al /var/log/*tmp
utmpdump /var/log/btmp
utmpdump /var/run/utmp
utmpdump /var/log/wtmp
Installed Software Packages
ls /usr/bin/
ls /usr/local/bin/
MacOS Cheat Sheet
IMPORTANT NOTE: This section is still in its early stages of documentation and testing. I strongly suggest checking out Sarah Edwards, who is an industry leader in this space, as she has many excellent resources and this section for the most part is reiterating the hard work she has put in. Other excellent resources include the Mac OS X Forensics Wikis and shared spreadsheet containing Forensics Artifacts.
- Sarah Edwards
- Mac4n6
- SANS FOR518 Reference Sheet
- Mac OS X 10.9 Forensics Wiki
- Mac OS X 10.11 Forensics Wiki
- Mac OS X Forensics Artifacts Spreadsheet
Live Mac IR / Triage
System Information
date
sw_vers
uname -a
hostname
cat /System/Library/CoreServices/SystemVersion.plist
cat /private/var/log/daily.out
cat /Library/preferences/.Globalpreferences.plist
Network Connections
netstat -an
netstat -anf
lsof -i
Routing Table
netstat -rn
Network Information
arp -an
ndp -an
ifconfig
Open Files
lsof
File System Usage
sudo fs_usage
sudo fs_usage [process]
sudo fs_usage -f network
sudo fs_usage pid [PID]
Bash History
cat ~/.bash_history
history
User Logins
who -a
w
last
Running Processes
ps aux
System Profiler
system_profiler -xml -detaillevel full > systemprofiler.spx
Persistent Locations
Quick Overview (KnockKnock)
./KnockKnock.app/Contents/MacOS/KnockKnock -whosthere > /path/to/some/file.json
XPC Services
ls Applications/<application>.app/Contents/XPCServices/
cat Applications/<application>.app/Contents/XPCServices/*.xpc/Contents/Info.plist
ls ~/System/Library/XPCServices/
Launch Agents & Launch Daemons
ls /Library/LaunchAgents/
ls /System/Library/LaunchAgents/
ls /System/Library/LaunchDaemons/
ls /Library/LaunchDaemons/
ls /users/*/Library/LaunchAgents/
ls /users/*/Library/LaunchDaemons/
LoginItems
cat ~/Library/Preferences/com.apple.loginitems.plist
ls <application>.app/Contents/Library/LoginItems/
Disable Persistent Launch Daemon
sudo launchctl unload -w /Library/LaunchDaemons/<name>.plist
sudo launchctl stop <label>
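Listing the LaunchAgents/LaunchDaemons folders tells you what is there; the plists still have to be read. The script below is an added example (not KnockKnock or any tool named on this page) that parses each .plist with the standard plistlib module and reports the attributes worth a second look: RunAtLoad/KeepAlive, a schedule, a shell or script interpreter as the program, and any program or argument that lives in a user-writable location. The two sample plists are constructed for illustration; the label names, paths and the list of "user-writable" prefixes are assumptions, not findings from any real system.

```python
import os
import plistlib

# Locations a non-admin user can write to; a daemon launched from here is a lead.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "ruby"}


def review_launch_job(data, source="<memory>"):
    """Summarise one launchd plist (bytes) and return the attributes worth a look."""
    job = plistlib.loads(data)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else "")
    flags = []
    if not job.get("Label"):
        flags.append("no Label")
    if job.get("RunAtLoad"):
        flags.append("RunAtLoad")
    if job.get("KeepAlive"):
        flags.append("KeepAlive")
    if "StartInterval" in job or "StartCalendarInterval" in job:
        flags.append("scheduled")
    if os.path.basename(program) in INTERPRETERS:
        flags.append(f"interpreter: {program}")
    for a in [program] + args:
        if any(a.startswith(p) for p in USER_WRITABLE):
            flags.append(f"user-writable path: {a}")
            break
    return {"source": source, "label": job.get("Label", ""), "program": program,
            "args": args, "flags": flags}


def review_directory(directory):
    """Run review_launch_job over every .plist in a LaunchAgents/LaunchDaemons folder."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            path = os.path.join(directory, name)
            with open(path, "rb") as fh:
                results.append(review_launch_job(fh.read(), path))
    return results


# Constructed sample plists (not taken from any real system).
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "Program": "/Library/Application Support/Example/updater",
    "StartCalendarInterval": {"Hour": 3, "Minute": 0},
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.exampleupdate.helper",
    "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.cache/agent"],
    "RunAtLoad": True,
    "KeepAlive": True,
    "StartInterval": 60,
})

if __name__ == "__main__":
    for blob in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        r = review_launch_job(blob)
        print(f"{r['label']}: {r['program']} {r['args'][1:]} -> {r['flags'] or 'nothing notable'}")
    for d in ("/Library/LaunchDaemons", "/Library/LaunchAgents"):
        if os.path.isdir(d):
            for r in review_directory(d):
                print(f"{r['source']}: {r['flags'] or 'nothing notable'}")
```

Binary plists are handled the same way (plistlib detects the format), so the script can be pointed at a mounted image's /Library and /Users/*/Library paths as easily as the live folders; review anything flagged "interpreter" plus "user-writable path" first, then use the launchctl unload command above on the plist path once you have a copy.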
Web Browsing Preferences
cat ~/Library/Preferences/com.apple.Safari.plist
ls ~/Library/Application Support/Google/Chrome/Default/Preferences
ls ~/Library/Application Support/Firefox/Profiles/********.default/prefs.js
Safari Internet History
cat ~/Library/Safari/Downloads.plist
cat ~/Library/Safari/History.plist
cat ~/Library/Safari/LastSession.plist
ls ~/Library/Caches/com.apple.Safari/Webpage Previews/
sqlite3 ~/Library/Caches/com.apple.Safari/Cache.db
Chrome Internet History
ls ~/Library/Application Support/Google/Chrome/Default/History
ls ~/Library/Caches/Google/Chrome/Default/Cache/
ls ~/Library/Caches/Google/Chrome/Default/Media Cache/
Firefox Internet History
sqlite3 ~/Library/Application Support/Firefox/Profiles/********.default/places.sqlite
sqlite3 ~/Library/Application Support/Firefox/Profiles/********.default/downloads.sqlite
sqlite3 ~/Library/Application Support/Firefox/Profiles/********.default/formhistory.sqlite
ls ~/Library/Caches/Firefox/Profiles/********.default/Cache
Apple Email
cat ~/Library/Mail/V2/MailData/Accounts.plist
ls ~/Library/Mail/V2/
ls ~/Library/Mail Downloads/
ls ~/Downloads
cat ~/Library/Mail/V2/MailData/OpenAttachments.plist
Temporary / Cached
ls /tmp
ls /var/tmp
ls /Users/<user>/Library/Caches/Java/tmp
ls /Users/<user>/Library/Caches/Java/cache
/Applications/Utilities/Java Preferences.app
System and Audit Logs
ls /private/var/log/asl/
ls /private/var/audit/
cat /private/var/log/appfirewall.log
ls ~/Library/Logs
ls /Library/Application Support/<app>
ls /Applications/
ls /Library/Logs/
Specific Log Analysis
bzcat system.log.1.bz2 system.log.0.bz2 >> system_all.log
cat system.log >> system_all.log
syslog -f <file>
syslog -T utc -F raw -d /asl
syslog -d /asl
praudit -xn /var/audit/*
sudo log collect
log show
log stream
Files Quarantined
ls ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents.V2
ls ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
User Accounts / Password Shadows
ls /private/var/db/dslocal/nodes/Default/users/
ls /private/var/db/shadow/<User GUID>
Pluggable Authentication Modules (PAM)
cat /etc/pam.d/sudo
cat /etc/pam.conf
ls /etc/pam.d/
File Fingerprinting/Reversing
file <filename>
xxd <filename>
nm -arch x86_64 <filename>
otool -L <filename>
sudo vmmap <pid>
sudo lsof -p <pid>
xattr -xl <file>
Connected Disks and Partitions
diskutil list
diskutil info <disk>
diskutil cs
ap list
gpt -r show
gpt -r show -l
Disk File Image Information
hdiutil imageinfo *.dmg
User Keychain Information
security list-keychains
security dump-keychains -d <keychain>
Spotlight Metadata
mdimport -X | -A
mdls <file>