Windows
---------------------------------------------------------------------------------------------------------------------
Enable PowerShell remoting
wmic /node:[IP] process call create "powershell enable-psremoting -force"
PowerShell: Enter-PSSession -ComputerName [IP]
PsExec: psexec \\[IP] -c cmd.exe
---------------------------------------------------------------------------------------------------------------------
To check users logged in
For command:-
net user (local accounts)
query session (console and RDP sessions on this machine)
net localgroup administrators
For Powershell:-
whoami
Get-LocalUser
Disable-LocalUser -Name "[username]" (disable a suspicious local account)
wmic useraccount list
wmic sysaccount
Checking physically:-
lusrmgr.msc
---------------------------------------------------------------------------------------------------------------------
To check unusual processes and services
For command:-
tasklist
tasklist /M (processes together with the DLLs they have loaded)
taskkill /PID [PID] (kill a task)
wmic process list full (all processes with detailed information such as executable path, command line and much more)
tasklist /svc (all processes with their PID and the services tied to them)
net start (started services)
sc (SC is a command-line program used for communicating with the Service Control Manager and services)
---------------------------------------
More about SC while doing investigation:
sc query - enumerates status for active services and drivers
sc query type= driver group= NDIS - enumerates all NDIS drivers
sc query type= interact - enumerates all interactive services
sc qprivs [ServiceName] - queries the required privileges setting for a service
sc qtriggerinfo [ServiceName] - retrieves the trigger information of a service
For Powershell:-
Get-WmiObject win32_service | FL Name, DisplayName, PathName, State (retrieves information about Windows services)
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045' } | FL TimeCreated, Message (new service installed)
Identify hidden Windows services (present in the registry but not returned by the Service Control Manager):
Compare-Object -ReferenceObject (Get-Service | Select-Object -ExpandProperty Name | % { $_ -replace "_[0-9a-f]{2,8}$" }) `
  -DifferenceObject (gci -path hklm:\system\currentcontrolset\services | % { $_.Name -Replace "HKEY_LOCAL_MACHINE\\","HKLM:\" } | ? { Get-ItemProperty -Path "$_" -name objectname -erroraction 'ignore' } | % { $_.substring(40) }) `
  -PassThru | ? { $_.sideIndicator -eq "=>" }
(common legitimate results: WUDFRd, WUDFWpdFs, WUDFWpdMtp)
Checking physically:-
taskmgr.exe
services.msc
---------------------------------------------------------------------------------------------------------------------
To check for unusual application installations
For Powershell:-
wmic product get name,version
Get-WmiObject -Class Win32_Product | Select-Object -Property Name, Version (relies on the Windows Installer database, so it misses software not installed via MSI)
Get-ItemProperty -Path HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion | Format-Table -AutoSize (relies on information stored in the Windows Registry)
----------------------------------------------------------------------------------------------------------------------
To check unusual files and registry keys
For command:-
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (local machine, all users)
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (current user)
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
(Generally those four registry keys contain startup configurations for specific programs, including malware)
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (MRU: programs that have been run by the current user)
reg query HKLM\SYSTEM\CurrentControlSet\Services (where the system's drivers and services are found)
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v Start (all services with their start types):
  0x0 (hex) or 0 (decimal): Boot start - the driver is loaded by the boot loader
  0x1 (hex) or 1 (decimal): System start - the service starts during system initialization
  0x2 (hex) or 2 (decimal): Automatic start - the service starts automatically when the system starts
  0x3 (hex) or 3 (decimal): Manual start - the service must be started by a user or another program
  0x4 (hex) or 4 (decimal): Disabled - the service is disabled and cannot be started
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v DisplayName (all services with their display names)
reg query HKLM\SYSTEM\CurrentControlSet\Services\[ServiceName]
sc stop [ServiceName] (stop a service)
reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares (information about shared resources)
net file (files currently being accessed remotely)
For PowerShell:-
Get-Item -Path Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-Item -Path Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Get-Item -Path Registry::HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-Item -Path Registry::HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
(for the registry values in a more readable form, use Get-ItemProperty instead of Get-Item)
psfile (Sysinternals; files currently being accessed remotely)
Unusual file system startup locations:-
(%APPDATA% and %ALLUSERSPROFILE% are environment variables that expand to specific paths on your system, so these commands take you to the respective startup folders regardless of their actual location on the computer.)
cd %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (user startup folder)
cd %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup (system / all-users startup folder)
or cd C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
or dir /s /b "C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu" (change the user name)
--------------------------------------------------------------------------------------------------------------------
To look for unusual network activity
For command:-
net view \\127.0.0.1 (shared folders that are not supposed to be there can be found here)
net session (open SMB sessions with this machine)
net use (open SMB sessions with other machines)
nbtstat -S (NetBIOS activity over TCP/IP)
netstat -ano (listening and established TCP/IP connections with owning PID)
netstat -ab *** (active connections and the corresponding executable files)
netstat -ano | findstr "ESTABLISHED LISTENING" (findstr narrows the output to established or listening connections)
net statistics workstation (statistics of the Workstation service)
netsh advfirewall show currentprofile (Windows Firewall configuration; on older Windows versions: netsh firewall show config)
netsh advfirewall firewall show rule name=all (all firewall rules)
For Powershell:-
Get-NetTCPConnection -State Established (established TCP/IP connections) or netstat.exe | Select-String 'Established'
Get-NetFirewallRule (Windows Firewall configuration)
Get-SmbConnection (open SMB sessions from this machine)
netsh advfirewall firewall show rule name=all dir=in type=dynamic
netsh advfirewall firewall show rule name=all dir=out type=dynamic
netsh advfirewall firewall show rule name=all dir=in type=static
netsh advfirewall firewall show rule name=all dir=out type=static
Firewall changes:
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' } | FL TimeCreated, Message
PS command (displays the netstat output together with the name of the process the attacker is using, in a more readable format; loopback and wildcard entries are filtered out):
netstat -ano | Select-String -Pattern '\s+(TCP|UDP)' | ForEach-Object {
    $item = $_.Line.Split(' ', [System.StringSplitOptions]::RemoveEmptyEntries)
    if (($item[2] -notmatch '127.0.0.1:|\[::1\]:') -and ($item[2] -ne '*:*') -and
        ($item[2] -ne '0.0.0.0:0') -and ($item[2] -ne '[::]:0')) {
        ($item[0] + "`t" + $item[1] + "`t" + $item[2] + "`t" + $item[3] + "`t" + (Get-Process -Id $item[4]).Name) | ft
    }
}
Or (same output, but a missing PID or an exited process is reported instead of throwing):
netstat -ano | Select-String -Pattern '\s+(TCP|UDP)' | ForEach-Object {
    $item = $_.Line.Split(' ', [System.StringSplitOptions]::RemoveEmptyEntries)
    if ($item[4] -ne $null -and $item[4] -ne '') {
        try {
            $process = Get-Process -Id $item[4] -ErrorAction Stop
            ($item[0] + "`t" + $item[1] + "`t" + $item[2] + "`t" + $item[3] + "`t" + $process.Name) | ft
        } catch {
            Write-Host "Error getting process for ID $($item[4]): $_"
        }
    } else {
        Write-Host "No valid Process ID found."
    }
}
-------------------------------------------------------------------------------------------------------------------
To look for unusual startup (or scheduled) tasks
For command:-
msconfig (displays all startup configurations, from services to files in the startup folder)
schtasks (tasks scheduled to run at specific times; add /query /fo LIST /v for full detail)
wmic startup list full (all services and programs that run at startup)
wmic process list brief (a few details about running processes)
wmic process list full
wmic process get Name,ParentProcessId,ProcessId
wmic process where processid=[PID] get commandline
For Powershell:- (similar to command)
wmic process get Name,ParentProcessId,ProcessId
(**** The following commands validate whether arbitrary WMI events have been created and a malicious payload/command is stored in the WMI repository ****)
Note: run each of these commands once with -Namespace root\subscription and once with -Namespace root\default.
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
(In all three, encoded content is suspicious; an encoded consumer payload can be a backdoor, a technique used by Stuxnet)
Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | FL (instances of startup commands)
wmic PROCESS WHERE "NOT ExecutablePath LIKE '%\\Windows\\%'" GET ExecutablePath (WMIC command to spot executables running from strange locations)
------------------------------------------------------------------------------------------------------------------
File system viewer
For command:-
dir /Ax (filters files/folders by the attribute given as x)
dir /AH (display only hidden files and folders)
dir /Q (who owns each file)
dir /R (alternate data streams of each file)
------------------------------------------------------------------------------------------------------------------
System file checker
cmd: sfc /scannow (sfc /? for the other options)
------------------------------------------------------------------------------------------------------------------
Check command history (commands typed by the attacker in the current console session)
For command:-
doskey /history
------------------------------------------------------------------------------------------------------------------
-------------------------Powershell : Other useful commands-------------------
** Get-ChildItem HKLM:Software | Format-Wide (direct access to providers such as the file system and the registry)
------------------------------------------------------------------------------------------------------------------
Search for unusually large files by using the system search routine to look for files larger than 10 MB. Such files could contain an attacker's sniffer logs, stolen software, or pornography.
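The three Get-WMIObject checks above produce raw objects that you still have to read by hand. The following added example (not part of the original cheat sheet) resolves each __FilterToConsumerBinding to its filter and consumer in both namespaces and flags the indicators this page lists (CommandLine/ActiveScript consumers, script hosts, long base64 runs). The keyword list and the base64 heuristic are assumptions of this example; the built-in "SCM Event Log Consumer" binding in root\subscription is expected on every Windows host.

```powershell
# Added example: audit WMI permanent event subscriptions for persistence.
# Run elevated; requires nothing beyond the CIM cmdlets shipped with PowerShell 3+.
$namespaces = 'root\subscription', 'root\default'
# Keywords taken from the cheat sheet plus common encoded-launcher markers (assumed list).
$suspiciousPatterns = 'commandline', 'activescript', 'scrcons', 'wbemcons', 'eval',
                      '\.vbs', '\.ps1', 'ActiveXObject', 'FromBase64String',
                      'IEX', 'Invoke-Expression', '-enc'

function Test-SuspiciousText {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    foreach ($p in $suspiciousPatterns) { if ($Text -match $p) { return $true } }
    # A long run of base64 characters usually means an encoded payload.
    return ($Text -match '[A-Za-z0-9+/]{60,}={0,2}')
}

function Get-RefName {
    # Reference properties come back as a CimInstance (Get-CimInstance) or as a
    # string path such as __EventFilter.Name="X" (Get-WmiObject); handle both.
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -split '"')[1] }
    return $Ref.Name
}

function Get-WmiSubscriptionAudit {
    foreach ($ns in $namespaces) {
        $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
        $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
        $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

        foreach ($b in $bindings) {
            $fName = Get-RefName $b.Filter
            $cName = Get-RefName $b.Consumer
            $f = $filters   | Where-Object Name -eq $fName
            $c = $consumers | Where-Object Name -eq $cName
            # Only CommandLine and ActiveScript consumers carry an executable payload;
            # properties absent on other consumer classes simply evaluate to $null.
            $payload = (($c.CommandLineTemplate, $c.ExecutablePath,
                         $c.ScriptText, $c.ScriptFileName) -join ' ').Trim()
            $type = $c.CimClass.CimClassName
            [pscustomobject]@{
                Namespace    = $ns
                Filter       = $fName
                Query        = $f.Query
                ConsumerType = $type
                Payload      = $payload
                Suspicious   = ($type -match 'CommandLine|ActiveScript') -or
                               (Test-SuspiciousText $payload) -or (Test-SuspiciousText $f.Query)
            }
        }
    }
}

Get-WmiSubscriptionAudit | Sort-Object Suspicious -Descending | Format-List
```

Anything marked Suspicious that you did not deploy yourself deserves a look at the WMI-Activity/Operational events (5857 to 5861) listed further down this page.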
FOR /R C:\ %i in (*) do @if %~zi gtr 10000000 echo %i %~zi
Temp files greater than 10 MB:
FOR /R C:\Users\[User]\AppData %i in (*) do @if %~zi gtr 10000000 echo %i %~zi
-------------------------------------------------------------------------------------------------------------------
Event IDs you should look for:-
4624 : Successful logon
4625 : Failed logon
4634/4647 : Successful logoff
4648 : Logon using explicit (different) credentials (RunAs). This event is only recorded on the originating system, not on the target system. A good example is the runas command, or an application run as administrator where the user enters the admin credentials.
4672 : Superuser rights (Administrator) assigned at logon
4720/4726 : Account was created/deleted
4722 : A user account was enabled
4724 : An attempt was made to reset an account's password
4728 : A member was added to a security-enabled global group
4732 : A member was added to a security-enabled local group
4735 : A security-enabled local group was changed
4738 : A user account was changed
4756 : A member was added to a security-enabled universal group
4688 | 4698 : New process created | process exit (very important *************)
Object access: Security 4656, 4660, 4663 (O alerts) 300
Time change: System 1; Security 4616
External devices: System 200011; Security 4656, 4663, 6416
Wireless: WLAN-Config 8001, 8002, 11000; System 6100
-------------------------------------------------------------------------------------------------------------------------------------------------------
RDP tracking (followed by 4624 type 7, 4778, 4779)
4778 : Session reconnected
4779 : Session disconnected
"The auxiliary logs Remote Desktop Services-RDPCoreTS (event ID 131) and TerminalServices-RdpClient (event IDs 1024, 1102) record complementary info"
--------------------------------------------------------------------------------------------------------------------------------------------------
Account logon events (privileged local account abuse) (followed by 4776, 4624 type 3) to detect pass the hash
Windows (NTLM):
4776 : For NTLM, both successful and failed events are recorded (the DC attempted to validate the credentials for an account)
Kerberos:
4768 : (successful logon) TGT was requested. Failure codes:
  0x6 : The username doesn't exist - bad username, or not yet replicated to this DC
  0xC : Start time is later than end time - restricted workstation
  0x12 : Account locked out, disabled, expired, restricted, or revoked, etc.
4771 : (failed logon) Pre-authentication failed. Failure codes:
  0x10 : Smart card logon is being attempted and the proper certificate cannot be located
  0x17 : The user's password has expired
  0x18 : The wrong password was provided
4769 : (successful authentication to a server resource) A Kerberos service ticket was requested for access to a server resource
--------------------------------------------------------------------------------------------------------------------------------------------------
Tracking reconnaissance: account and group enumeration
4798 : A user's local group membership was enumerated
4799 : A security-enabled local group membership was enumerated
Tracking lateral movement: network shares (followed by 4624, 4672, 4776, 4768, 4769, 5140, 5145); PsExec (4624, 5140)
5140 : Network share was accessed
5142 / 5144 : Track shares that have been created, modified, or deleted
5145 : Shared object accessed
The "C$" share is the entire volume mounted at C:.
-----------------------------------------------------------------------------------------------------------------------------------------------------
Tracking lateral movement: RunAs detection (followed by 4648, 5140)
"runas" 4648 events are typically recorded on the originating system instead of the target system. If the attackers used a different set of credentials to accomplish this (like a domain account instead of the local account they may currently be using), we also get an indication of lateral movement on the originating system. Thus ID 4648 events provide a completely different view of lateral movement than we get from most artifacts.
To understand the originating system: event ID 4648 "a logon was attempted using explicit credentials". Subject = the user already on the system; Account Whose Credentials Were Used = the credentials supplied; Target Server = the remote host.
At the target server, event ID 5140: Subject = the user whose credentials were used from the originating system; Network Information = the source address recorded with the new credentials.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Tracking lateral movement: scheduled tasks (followed by 4624, 4672, 4698, 4699, 4700, 4701)
A tool that creates a scheduled task remotely produces a logon type 3. Task Scheduler log IDs: 106, 140, 141, 200, 201.
(Security log | Task Scheduler log)
4698 | 106 : Scheduled task created
4699 | 141 : Scheduled task deleted
4700 | 4701 : Scheduled task enabled | disabled (Security log only)
200 | 201 : Scheduled task executed / completed (Task Scheduler log)
4702 | 140 : Scheduled task updated
Suspicious services (all are System log event IDs except 4697, which is in the Security log)*
Remote service execution: Security (followed by 4624, 4697); System (followed by 7034, 7035, 7036, 7040, 7045)
7034 : Service crashed unexpectedly (must be investigated: DLL/process injection into a service can cause this)
7035 : Service sent a Start/Stop control
7036 : Service started or stopped
7040 : Start type changed (Boot | On Request | Disabled)
7045 : A new service was installed on the system (Win2008R2+)
4697 : A new service was installed on the system (Security log)
(The PsExec service starting is always suspicious)
Event log clearing
1102 : Audit log cleared (Security log)
104 : Audit log cleared (System log)
---------------------------------------------------------------------------------------------------------------------------------------------------------
WMI attack ("process call create" on the command line is the most suspicious) (followed by 4624, 4672, 5857, 5860, 5861)
(uncommon words that identify an anomaly: commandline, activescript, scrcons, wbemcons, eval, .vbs, .ps1, ActiveXObject)
LOGS (Microsoft-Windows-WMI-Activity%4Operational.evtx)
WMI persistence
5857 : Indicates time of execution (provider loaded)
5860, 5861 : Registration of temporary and permanent consumers (5861 records consumer activity) - important to look at
5858 : Records query errors, including host and username
-------------------------------------------------------------------------------------------------------------------------------------------------------
PowerShell remoting (for PowerShell attacks, look for evidence of wsmprovhost.exe execution)
(commonly abused keywords: Download, Start-Process, FromBase64String, rundll32, IEX, Invoke-Expression, WebClient, powershell -version, BitsTransfer, http)
Different .evtx files:
Security.evtx (followed by 4624, 4672)
----------------------------------------------------------------------------------------------------------------------------------------------------------
Microsoft-Windows-PowerShell%4Operational.evtx (followed by 4103, 4104, 53504) - important
4103, 4104 : Log script content (module logging / script block logging)
4105 / 4102 : Script start / stop (not recommended to enable)
53504 : Logs the authenticating user
-------------------------------------------------------------------------------------------------------------------------------------------------------
Windows PowerShell.evtx (followed by 400, 403, 800)
400, 403 : Indicate start and end of a remoting session
800 : Includes partial script code
---------------------------------------------------------------------------------------------------------------------------------------------------------
Microsoft-Windows-WinRM%4Operational.evtx (followed by 91, 168)
91 : Session creation
168 : Records the authenticating user
----------------------------------------------------------------------------------------------------------------------------------------------------------
Evidence of malware execution (unexpected reboots or crashed systems) **********************************************************
1001 : Windows Error Reporting (System logs)
1000-1002 : Application errors and hangs (Application logs) (review and correlate System and Application logs)
---------------------------------------------------------------------------------------------------------------------------------------------------------
Application logs (Application.evtx)
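The keyword list above is meant to be run against the script block logs, so here is an added example (not part of the original cheat sheet) that queries Microsoft-Windows-PowerShell/Operational 4104 events, extracts ScriptBlockText and Path from the event XML, and reports only blocks containing one of the listed keywords. It assumes script block logging is enabled and the log is readable by the current user; the output shape and the $Days default are this example's choices.

```powershell
# Added example: hunt PowerShell script block logs (event 4104) for the abused keywords
# listed on this page. 4104 is written only when Script Block Logging is enabled
# (or, since PowerShell 5, automatically for blocks PowerShell itself deems suspicious).
$abusedKeywords = 'Download', 'Start-Process', 'FromBase64String', 'rundll32', 'IEX',
                  'Invoke-Expression', 'WebClient', 'powershell -version', 'BitsTransfer', 'http'
# Escape each keyword so characters such as '-' or '.' are matched literally.
$keywordPattern = ($abusedKeywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

function ConvertFrom-EventData {
    # Turn the <EventData><Data Name=...> elements of an event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-SuspiciousScriptBlocks {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $data = ConvertFrom-EventData $e
        $text = $data['ScriptBlockText']
        if (-not $text) { continue }
        $hits = [regex]::Matches($text, $keywordPattern, 'IgnoreCase') |
                ForEach-Object { $_.Value } | Sort-Object -Unique
        if ($hits) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time       = $e.TimeCreated
                ProcessId  = $e.ProcessId           # cross-check against wsmprovhost.exe for remoting
                ScriptPath = $data['Path']          # empty for interactive / remoted blocks
                Keywords   = $hits -join ','
                Preview    = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }
}

Get-SuspiciousScriptBlocks -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

Large scripts are split across several 4104 events (MessageNumber/MessageTotal); group by ScriptBlockId if you need the full block back.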
Installation events: 1033, 1034, 11707, 11708, 11724 (Windows Installer) or 1042, 1309
-------------------------------------------------------------------------------------------------------------------------------------------------------
System log information:
System: 7030 (Basic service operations)
System: 7040 (The start type of a service was changed, e.g. from disabled to auto start)
System: 7045 (Service was installed)
System: 1056 (DHCP server oddities)
System: 10000 (COM functionality)
System: 20001 (Device driver installation)
System: 20002 (Remote access)
System: 20003 (Service installation)
------------------------------------------------------------------------------------------------------------------------------------------------------
Sysmon log information:
When installed and running, the event log is located at "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational"
Sysmon: 1 (Process create)
Sysmon: 2 (File creation time changed)
Sysmon: 3 (Network connection detected)
Sysmon: 4 (Sysmon service state changed)
Sysmon: 5 (Process terminated)
Sysmon: 6 (Driver loaded)
Sysmon: 7 (Image loaded)
Sysmon: 8 (CreateRemoteThread)
Sysmon: 9 (Raw disk access read)
Sysmon: 10 (Process accessed)
Sysmon: 11 (File created)
Sysmon: 12 (Registry object added or deleted)
Sysmon: 13 (Registry value set)
Sysmon: 14 (Registry object renamed)
Sysmon: 15 (File stream created)
Sysmon: 16 (Sysmon configuration changed)
Sysmon: 17 (Named pipe created)
Sysmon: 18 (Named pipe connected)
Sysmon: 19 (WMI filter)
Sysmon: 20 (WMI consumer)
Sysmon: 21 (WMI consumer filter binding)
Sysmon: 22 (DNS query)
Sysmon: 23 (File delete, archived)
Sysmon: 24 (Clipboard changed)
Sysmon: 25 (Process tampering)
Sysmon: 26 (File delete detected)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Command (analyzing these events in succession might indicate a remote attack: admin-share access with write intent, sensitive privileges used, and processes launched with elevated tokens):
(Get-EventLog exists only in Windows PowerShell 5.1; under PowerShell 7 use Get-WinEvent instead.)
get-eventlog -log security | where-object {
    $_.TimeGenerated -gt (get-date).adddays(-5) -AND $_.EntryType -eq 'SuccessAudit' -AND (
        ($_.EventID -eq "5145" -AND $_.Message -match "\\\\\*\\ADMIN\$|\\\\\*\\C\$|\\\\\*\\IPC\$" -AND $_.Message -match "\%\%4417") -OR
        ($_.EventID -eq "4674" -AND $_.Message -match "SeTakeOwnershipPrivilege|SeDebugPrivilege|SeTcbPrivilege") -OR
        ($_.EventID -eq "4688" -AND $_.Message -match "\%\%1936|\%\%1937")
    )
} | sort-object -property TimeGenerated
----------------------------------------------------------------------------------------------------------------
Logon types
2 : Log on via a console (keyboard, server KVM, or virtual client like VNC)
3 : Network logon (often using something like SMB for drive mapping)
4 : Batch logon (scheduled tasks) - non-interactive
5 : Windows service logon - non-interactive
7 : Lock or unlock of screen (reconnecting to an existing RDP session can also use this logon type)
8 : Network logon sending credentials in cleartext (potentially indicative of a downgrade attack or an older admin tool)
9 : Different credentials used to authenticate than those currently logged on with ("RunAs /netonly" or similar)
10 : Remote interactive logon (Terminal Services / Remote Desktop Protocol)
11 : Cached credentials used to log on instead of domain controller authentication
12 : Cached credentials used for a remote interactive logon (RDP). Previously rare, but now seen when Microsoft "live" accounts are used for authentication on standalone workstations
13 : Cached credentials used for an unlock operation
----------------------------------------------------------------------------------------------------------------
Logon error codes
0x6 : Invalid/non-existent user account. Can also be caused by replication issues between Active Directory servers.
0x7 : Requested server not found. Can also be caused by replication issues between Active Directory servers.
0xC : Policy restriction prohibited logon; client system restricted from accessing the resource, or restricted based on time/date.
0x12 : Account locked, disabled, or expired.
0x17 : Expired password.
0x18 : Invalid password.
0x25 : Clock values between server and client are skewed too greatly; Kerberos relies on time to invalidate old TGTs.
0xC0000064 : Non-existent account username
0xC000006A : Incorrect password (username correct)
0xC000006F : Account not allowed to log on at this time
0xC0000070 : Account not allowed to log on from this computer
0xC0000071 : Expired password
0xC0000072 : Disabled account
0xC0000193 : Expired account
0xC0000234 : Account locked
-----------------------------------------------------------------------------------------------------------------
Built-in accounts seen in logon events
SYSTEM : Most powerful local account; unlimited access to the system
LOCAL SERVICE : Limited privileges similar to an authenticated user account; can access network resources only via a null session
NETWORK SERVICE : Slightly higher privileges than LOCAL SERVICE; can access network resources similar to an authenticated user account
[HOSTNAME]$ : Every domain-joined Windows system has a computer account
DWM : Desktop Window Manager \ Window Manager group
UMFD : Font driver host account
ANONYMOUS LOGON : Null session without credentials used to authenticate to a resource
--------------------------------------------------------------------------------------------------------------------
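The logon types and status codes above are exactly what a 4625 (failed logon) event carries in its Status/SubStatus and LogonType fields. This added example (not part of the original cheat sheet) decodes them with the tables from this page and groups failures by source address so that a brute force (many failures, one account) or a password spray (many accounts, one source) stands out. It assumes the Security log is readable (run elevated) and the $Threshold default is this example's choice.

```powershell
# Added example: decode and aggregate 4625 failed-logon events.
# Logon type and NTSTATUS mappings are the ones listed on this page.
$logonTypes = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock'
                 8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive'
                 11='CachedInteractive'; 12='CachedRemoteInteractive'; 13='CachedUnlock' }
$statusCodes = @{ '0xC0000064'='Non-existent account';        '0xC000006A'='Incorrect password'
                  '0xC000006F'='Logon not allowed at this time'; '0xC0000070'='Logon not allowed from this computer'
                  '0xC0000071'='Expired password';             '0xC0000072'='Disabled account'
                  '0xC0000193'='Expired account';              '0xC0000234'='Account locked' }

function ConvertFrom-EventData {
    # Turn the <EventData><Data Name=...> elements of an event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-FailedLogons {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = ConvertFrom-EventData $e
        # Status is usually the generic 0xC000006D; SubStatus holds the real reason when set.
        $code = if ($d['SubStatus'] -and $d['SubStatus'] -ne '0x0') { $d['SubStatus'] } else { $d['Status'] }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Source      = $d['IpAddress']
            Workstation = $d['WorkstationName']
            LogonType   = $logonTypes[[int]$d['LogonType']]
            Reason      = if ($statusCodes.ContainsKey($code)) { $statusCodes[$code] } else { $code }
        }
    }
}

function Get-FailedLogonSummary {
    # One row per source address that exceeds the threshold; a high Accounts
    # count with few failures per account is the password-spray signature.
    param([int]$Hours = 24, [int]$Threshold = 10)
    Get-FailedLogons -Hours $Hours | Group-Object Source |
        Where-Object Count -ge $Threshold | ForEach-Object {
            [pscustomobject]@{
                Source     = $_.Name
                Failures   = $_.Count
                Accounts   = @($_.Group.User | Sort-Object -Unique).Count
                LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
                Reasons    = ($_.Group.Reason | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

A source whose Reasons are all "Non-existent account" is usually enumeration rather than a guess against known users; "Incorrect password" across many Accounts from one Source is a spray.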