Search Results
- Understanding Windows Registry Control Sets: ControlSet001, ControlSet002, and CurrentControlSet
Have you ever wondered what ControlSet001, ControlSet002, and CurrentControlSet are in your Windows registry? These terms might sound technical, but they're crucial for the way your computer starts up and runs.

What are Control Sets in Windows?
Q: What exactly are Control Sets in the Windows registry?
A: Control sets are essentially snapshots of your system's configuration settings. They're stored in the registry and used by Windows to manage the boot process and system recovery. You can find them under HKEY_LOCAL_MACHINE\SYSTEM.

What are ControlSet001 and ControlSet002?
Q: What are ControlSet001 and ControlSet002 used for?
A: ControlSet001 and ControlSet002 are examples of these snapshots:
  - ControlSet001 is often the Last Known Good (LKG) configuration, which is a fallback if your system fails to boot properly.
  - ControlSet002 might be an older configuration or another backup that can be used for troubleshooting.

What is CurrentControlSet?
Q: What does CurrentControlSet do?
A: CurrentControlSet is a dynamic pointer to the control set that Windows is currently using. This means it maps to one of the actual control sets, like ControlSet001 or ControlSet002, which Windows then uses at runtime for all operations.

How Does Windows Use These Control Sets?
Q: How does Windows decide which control set to use during boot?
A: During the boot process, Windows chooses a control set based on the success of the last boot and other criteria. This decision is guided by values stored in HKEY_LOCAL_MACHINE\SYSTEM\Select. The chosen control set becomes the CurrentControlSet for that session.

Q: How can I check which control set is currently in use?
A: To find out which control set is in use:
  1. Open the Registry Editor (regedit.exe).
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\Select.
  3. Look at the value of Current. If it shows 1, then CurrentControlSet points to ControlSet001.

Why Should I Care About Control Sets?
Q: Why is it important to understand control sets?
A: Knowing about control sets is useful for troubleshooting. If your system can't boot, Windows might use the Last Known Good configuration, often stored in ControlSet001, to recover. Understanding how to navigate and modify these settings can help in advanced troubleshooting and system recovery.

Q: Can I manually switch control sets?
A: Yes, advanced users can manually switch control sets by editing the registry or using advanced boot options. However, this should be done with caution, as incorrect changes can affect system stability.

Conclusion
Control sets like ControlSet001, ControlSet002, and CurrentControlSet are vital for your system's startup and recovery processes. They provide a way for Windows to manage configurations and ensure you can recover from boot failures. By understanding these components, you can better troubleshoot issues and maintain your system's health.
Akash Patel
- Automating Registry Analysis with RECmd
In the world of digital forensics, registry analysis is a crucial task. Today, we'll dive into RECmd, a powerful command-line tool created by Eric Zimmerman, designed to automate registry analysis. If you're familiar with Registry Explorer, you'll find RECmd to be its command-line counterpart, making your work easier and more efficient.

What is RECmd?
RECmd is essentially the command-line version of Registry Explorer. It allows you to automate the extraction of registry data, which can be incredibly useful during forensic investigations. The tool simplifies the process by using batch files to parse multiple registry keys and output the results in CSV format.

Getting Started with RECmd
To begin, locate the BatchExamples folder within the RECmd directory. Inside, you'll find files with the .reb extension. These batch files list multiple registry key locations that RECmd will parse and write to a CSV file.

[Screenshot: inside the .reb file]

Running RECmd
There are several ways to run RECmd, depending on your needs:

1. Running on a Specific Hive
If you want to run RECmd on a specific registry hive, use the following command:

    RECmd.exe --bn BatchExamples\Kroll_Batch.reb -f C:\Users\User\NTUSER.DAT --csv C:\Users\akash\Desktop --csvf recmd.csv

  - --bn specifies the batch file to run.
  - -f indicates the specific hive file.
  - --csv specifies the directory where the output will be stored.
  - --csvf names the output file.

You can also add the --vss option to parse the volume shadow copies as well.

2. Running on All Hives
To run RECmd on all hives found under a directory, use this command:

    RECmd.exe --bn BatchExamples\Kroll_Batch.reb -d C:\ --csv C:\Users\akash\Desktop --csvf recmd.csv

  - -d specifies the directory to search for hives.

3. Running on Collected Hives
You can collect all hives (e.g., NTUSER.DAT, USERASSIST, SYSTEM and more) into one folder and run RECmd on them:

    RECmd.exe --bn BatchExamples\Kroll_Batch.reb -d C:\Path\To\Hives --csv C:\Users\akash\Desktop --csvf recmd.csv

4. Running on a Mounted Drive
Another method is to collect an image or use KAPE to create a drive. Mount the drive and run RECmd against it:

    RECmd.exe --bn BatchExamples\Kroll_Batch.reb -d X:\MountedDrive --csv C:\Users\akash\Desktop --csvf recmd.csv

Viewing the Output
Once RECmd has finished running, you can use Timeline Explorer to view the artifacts. This tool provides a user-friendly interface to analyze the CSV output generated by RECmd.

[Screenshot: output folder]
[Screenshot: Timeline Explorer with the output]

Conclusion
RECmd is a versatile and powerful tool for automating registry analysis. By using batch files and command-line options, you can streamline your forensic investigations and quickly extract valuable data from registry hives. Whether you're working on a single hive or an entire drive, RECmd makes the process efficient and straightforward.
Akash Patel
- Aurora Incident Response: A Powerful Open-Source Tool for Investigators
In the realm of incident response (IR), managing investigations can often be a daunting task, especially for new analysts trying to keep pace with complex findings. While experienced teams can still thrive using traditional tools like Excel, Aurora Incident Response (Aurora IR) stands out as a fantastic free and open-source solution for those who need a more structured and user-friendly approach to investigations. Aurora IR centralizes the investigative process, making it easier to track findings, manage cases, and coordinate tasks efficiently.

You can download Aurora IR from https://github.com/cyb3rfox/Aurora-Incident-Response/releases

Let's dive into the key features and capabilities of Aurora IR and why it might just be the tool you need.

Key Features of Aurora IR

1. Timeline
The Timeline section in Aurora IR serves as the foundation of the investigative process. It collects relevant timing information that helps analysts "tell the story" of the incident. Timelines feed directly into all the visualization capabilities of Aurora, making it easier to see the chronological sequence of events and detect any gaps in the incident response process.

2. Investigated Systems
Tracking compromised systems is crucial in any investigation, and Aurora IR makes this easy with the Investigated Systems tab. It allows analysts to:
  - Track systems that require closer examination.
  - Estimate when triage or forensic results will be available for specific machines.
  - Identify the earliest point of infection on a machine level.
This section helps investigators ensure that every system gets the attention it needs during the forensic analysis process.

3. Malware/Tools
The Malware/Tools section stores critical information about malware found during the investigation. For newer analysts, this is especially helpful in getting familiar with staging directories, typical malware names, and other facts that more experienced team members might already know. This makes onboarding to an ongoing investigation seamless for any new analyst.

4. Compromised Accounts
Tracking compromised accounts is made simpler with the Compromised Accounts tab. This section:
  - Stores accounts used by attackers.
  - Helps you quickly look up the SID for a known breached account.
  - Assists new analysts in identifying accounts of particular interest to the investigation.
This prevents missed details and ensures every compromised account is addressed and tracked properly.

5. Network Indicators
The Network Indicators tab is critical for tracking network-based evidence. This section stores all network indicators important for the case and allows investigators to upload indicators to a MISP (Malware Information Sharing Platform) instance for further processing.

6. Exfiltration
One of the key goals of attackers is often to exfiltrate sensitive data. The Exfiltration section in Aurora IR helps track all detected data exfiltration activities. Given that attackers may use different machines and sessions to exfiltrate data, this section keeps track of all such operations in one place.

7. OSINT
OSINT (Open-Source Intelligence) is a critical part of most investigations. This tab allows investigators to document the external research needed to progress the case. The underlying philosophy here is simple: investigations must not lose momentum due to a change in personnel. Should a lead investigator leave the case, any ongoing thoughts or research efforts are easily preserved.

8. Systems
The Systems tab contains a comprehensive table of hostnames. This integration ensures consistency across tabs by preventing the mistyping of names, which could result in wrongly attributed data. Additionally, this tab helps control the visualization of endpoints in the Lateral Movement view.

Reporting Features in Aurora IR
Once you've gathered all your evidence, Aurora IR provides excellent reporting functionality that helps you visualize and document the investigation's progress.

1. Visual Timeline
The Visual Timeline feature is a powerful tool that helps analysts understand the sequence of events. It highlights gaps in the storyline, enabling the team to focus on areas that may need further investigation.

2. Lateral Movement
Aurora IR's Lateral Movement feature helps visualize an attacker's lateral movement within the network. It identifies "islands" (isolated systems) that may have been compromised but haven't been linked directly to other parts of the network.

3. Activity Plot
An Activity Plot creates a profile of the attacker's actions, providing useful insights such as the time zone they may be working in, based on when activities occur. This helps analysts better understand the attackers' behaviors and patterns.

Case Management in Aurora IR
Managing an incident response investigation involves coordination across teams and tasks. Aurora IR makes this easier with its case management tools.

1. Investigators
The Investigators section allows you to add multiple investigators to a case. You can track both internal and external investigators, such as third-party partners or insurance representatives.

2. Evidence
Occasionally, you might receive physical hardware as evidence. Aurora IR's Evidence tab helps document this and ensures all pieces of evidence are tracked throughout the investigation.

3. Action Items
The Action Items tab helps track ongoing tasks. You can walk through the to-do list during every status update, ensuring that no critical tasks are missed.

4. Case Notes
For information that doesn't fit neatly into other categories, the Case Notes section allows you to document all relevant details. This ensures that no useful information slips through the cracks during an investigation.

Case Configuration
Aurora IR allows you to configure certain case-specific details, ensuring your investigation setup aligns with the tools and resources available to you.

1. General Case Configuration
The General configuration tab allows you to document general information about the case, providing a high-level overview for investigators.

2. MISP Integration
Aurora IR integrates seamlessly with MISP. In the MISP tab, you can set the MISP URL and credentials used to upload network indicators. The MISP event must already exist; you can then easily add indicators to it from Aurora.

3. VirusTotal Integration
The VirusTotal integration allows Aurora IR to use the VT API to perform malware checks in the "Malware" tab, giving you access to the massive VirusTotal database of malware and malicious files.

Conclusion: Why Aurora IR Is a Game-Changer
Aurora IR brings structure and efficiency to incident response investigations. Its features cater to both experienced analysts and those new to the field, making it a versatile tool for any organization. With built-in timeline visualization, system tracking, malware analysis, network indicator management, and MISP integration, it significantly enhances the ability to manage investigations from start to finish. Whether you're an experienced IR analyst or just starting your cybersecurity career, Aurora IR is a tool worth exploring for its depth, flexibility, and ease of use.
Akash Patel
- The Rise of the Bots in Cybersecurity
In the ever-evolving world of cybersecurity, bots have emerged as a significant threat, capable of causing widespread disruption and damage. Bots, short for robots, are software programs designed to perform specific tasks automatically, often with little or no human intervention.

What Are Bots?
Bots are specialized backdoors used for controlling large numbers of systems, ranging from a few dozen to more than a million. These collections of bots, controlled by a single attacker, are known as botnets. The individual controlling the botnet is sometimes referred to as a "botherder." Bots can perform various tasks, including:
  - Maintaining backdoor control: Allowing attackers to access and control a machine remotely.
  - Controlling IRC channels: One of the earliest uses of bots was to manage Internet Relay Chat (IRC) channels.
  - Acting as mail relays: Bots can be used to send spam emails.
  - Providing anonymizing HTTP proxies: Bots can anonymize an attacker's internet activity.
  - Launching denial-of-service attacks: Bots can flood a target with traffic, causing it to become overwhelmed and unresponsive.

How Are Bots Distributed?
Attackers use multiple methods to distribute bots, often leveraging the same techniques used to spread worms. Here are some common distribution methods:
  - Worms: Many worms carry bots as a payload, spreading the bot to new systems as they replicate.
  - Email Attachments: Attackers send malicious email attachments that, when opened, install the bot.
  - Bundling with Software: Bots can be bundled with seemingly legitimate applications or games, tricking users into installing them.
  - Browser Exploits: Bots can be distributed through vulnerabilities in web browsers, often via "drive-by" downloads from compromised websites.

Botnets: The Power Behind Bots
Botnets are networks of infected computers controlled by an attacker. These networks can range in size from a few dozen to millions of compromised machines. Botnets are versatile and can be used for various malicious purposes, such as:
  - DDoS Attacks: Distributed Denial-of-Service (DDoS) attacks involve flooding a target with traffic from multiple sources, overwhelming the system and causing it to crash or become unresponsive.
  - Spam Campaigns: Botnets can send large volumes of spam emails, often for phishing or spreading additional malware.
  - Data Theft: Bots can be used to steal sensitive information from infected systems, including login credentials and financial data.

How Do Bots Communicate?
Attackers need to communicate with their bots to issue commands and control the botnet. This communication can occur through various channels:
  - IRC (Internet Relay Chat): Historically, IRC channels were popular for bot communication due to their ability to facilitate one-to-many communications.
  - HTTP/HTTPS: Bots can communicate with a command-and-control server using standard web protocols, making them harder to detect.
  - DNS: Some bots use DNS to send and receive commands, as DNS traffic is often allowed through network firewalls.
  - Social Media: Attackers can use social media platforms, like Twitter and YouTube, to post commands for their bots.

General Bot Functionality
Bots are incredibly versatile and can perform a wide range of functions, including:
  - Morphing Code: Bots can change their code to avoid detection by antivirus software.
  - Running Commands: Bots can execute commands with system-level privileges.
  - Starting a Listening Shell: Attackers can open a remote shell on the infected machine.
  - File Sharing: Bots can add or remove file shares on the network.
  - FTP Transfers: Bots can transfer files via FTP.
  - Autostart Entries: Bots can add entries to start themselves automatically when the system boots.
  - Scanning for Vulnerabilities: Bots can scan the network for other vulnerable systems to infect.

Advanced Bot Capabilities
Modern bots come equipped with even more advanced features, such as:
  - Launching Packet Floods: Bots can initiate various types of packet floods (e.g., SYN, HTTP, UDP) to disrupt services.
  - Creating HTTP Proxies: Bots can create proxies to anonymize the attacker's web traffic.
  - Starting Redirectors: Bots can redirect traffic through compromised machines, obscuring the attacker's location.
  - Harvesting Email Addresses: Bots can collect email addresses for spam campaigns.
  - Modular Plugins: Bots can load additional functionality via plugins.
  - Detecting Virtualization: Some bots can detect if they are running in a virtual environment and alter their behavior to avoid analysis.

Conclusion
Bots and botnets represent a significant challenge in cybersecurity due to their ability to operate autonomously and perform a wide range of malicious activities. As bots continue to evolve, they become more sophisticated and harder to detect.
Akash Patel
- Worms and Bots: What Should You Take Away?
Key Points for Effective Defense

Rapid Response Capability
  - Preauthorized Permissions: Ensure you have preapproval to act swiftly during a malware outbreak, including taking down networks or systems if necessary to contain the threat.
  - Risk Analysis: Use documented cases and news articles to demonstrate the risks and potential costs of malware incidents to organizational leadership, supporting the need for preapproved actions.

Evolving Threat Techniques
  - Syrian Electronic Army: Employing polymorphic Android malware for surveillance.
  - US CIA: Developing EFI malware like "Sonic Screwdriver" for Apple devices.
  - Russian Hackers: Creating LoJax UEFI malware that persists through OS reinstalls.
The job of defenders is increasingly challenging. Be prepared to make quick decisions in the face of imminent threats.

Defensive Strategies, by IR Phase

Preparation
  - Buffer Overflow Defenses: Implement and configure non-executable stacks to prevent simple stack-based buffer overflow exploits.
  - Patch Management: Develop a process for rapidly identifying, testing, and deploying patches.
  - Application Whitelisting: Use tools like Software Restriction Policies or AppLocker to allow only approved software to run.
  - Data Encryption: Encrypt data on hard drives to protect it in case of theft.
  - Tabletop Exercises: Conduct exercises to ensure the organization can respond swiftly and effectively to an attack.

Identification
  - Regular Antivirus Updates: Keep antivirus solutions up to date on desktops, mail servers, and file servers.

Containment
  - Incident Response: Integrate incident response capabilities with network management to enable real-time network segment isolation if necessary.

Eradication and Recovery
  - AV Tools: Use antivirus tools to remove infestations, or rebuild systems if necessary.

Detailed Defensive Measures

System Hardening
Implementing non-executable stacks and host-based Intrusion Prevention Systems (IPS) can mitigate many buffer overflow exploits. Thoroughly test security patches before deployment to ensure they do not disrupt critical applications.

Encryption
Use filesystem encryption tools to secure data on hard drives, ensuring that stolen data cannot be easily read without the encryption key.

Antivirus and Application Whitelisting
Regularly update antivirus solutions to catch known threats. Employ application whitelisting to prevent unauthorized programs from running, reducing the risk of malware execution.

Incident Response and Network Management
Include network management personnel in the incident response team to enable swift action in isolating affected network segments during an outbreak.

By integrating these defensive strategies and maintaining a state of preparedness, organizations can effectively mitigate the risks posed by worms and bots and respond rapidly to emerging threats.
- The Evolution and Impact of Worms in Cybersecurity
In the world of cybersecurity, attackers are always looking for ways to compromise systems efficiently and effectively. One method that has been around for decades, but continues to evolve and cause significant damage, is the use of worms. Worms are a type of malicious software that can spread across networks, infecting multiple systems without the need for direct human intervention.

What Are Worms?
Worms are automated attack tools designed to spread through networks. Unlike traditional malware that requires some form of user interaction, such as opening a malicious email attachment, worms can propagate themselves. Here's how they typically work:
  - Initial Infection: A worm infects the first vulnerable system it encounters.
  - Scanning: From the compromised system, the worm scans the network for other vulnerable systems.
  - Replication: The worm then copies itself to those systems, repeating the process and spreading further.
Each instance of the worm is called a "segment," and as it moves from system to system, it continues to multiply, often at an exponential rate.

The History of Worms
Worms have been a part of the cybersecurity landscape for decades. One of the earliest and most famous examples is the Morris Worm, created by Robert Tappan Morris, Jr., in 1988. This worm caused significant disruption to the early internet, highlighting the destructive potential of such self-replicating malware. Even before the Morris Worm, researchers at Xerox PARC were exploring the concept of worms for efficiently distributing software across networked computers, though not with malicious intent.

Worm Evolution: Getting More Dangerous
Worms have significantly evolved over the years, becoming more sophisticated and harder to defend against. Here are some key developments:
  - Multi-Exploit Worms: Early worms typically exploited a single vulnerability. Modern worms, however, can use multiple exploits to infect systems. For example, the Nimda worm from 2001 used about 12 different exploits, including those targeting web servers, email systems, and file sharing. Conficker, another notorious worm, used three main methods to spread: exploiting a Windows vulnerability, copying itself to USB drives, and guessing passwords for network shares.
  - Multiplatform Worms: Initially, worms targeted a single operating system. However, worms like Stuxnet have demonstrated the ability to affect multiple platforms. Stuxnet was primarily aimed at Windows systems but also manipulated industrial control systems, showcasing a significant leap in worm capabilities.
  - Zero-Day Exploit Worms: Zero-day exploits are vulnerabilities that are unknown to the software vendor and the security community at the time of the attack. Worms using zero-day exploits are particularly dangerous because there are no existing patches or defenses against them when they first appear. Stuxnet, for instance, utilized four zero-day exploits, making it extremely difficult to defend against initially.

The Threat of Worm Evolution
As worms continue to evolve, we need to prepare for even more sophisticated variants. Future worms may:
  - Use multiple exploits across different platforms: This makes patching systems more complex, as organizations need to address vulnerabilities across various operating systems simultaneously.
  - Spread rapidly using zero-day exploits: With no patches available initially, these worms can cause widespread damage before security teams have a chance to respond.

Conclusion
Worms represent a significant threat in the cybersecurity landscape, continually evolving to become more destructive and harder to defend against. By understanding their behavior and preparing robust defense mechanisms, we can mitigate the risk they pose. Staying vigilant and proactive is key to protecting our networks from these automated and relentless attackers.
Akash Patel
- Evolution of UNIX and Linux Password Storage
In the early days of UNIX and Linux systems, passwords were stored using the DES encryption algorithm, often without the use of a salt. Usernames and passwords were kept in the /etc/passwd file, which was readable by all users. This practice posed a security risk as the passwords were relatively easy to access and crack.

Improvements in Password Storage

Transition to MD5 and Beyond
As security concerns grew, UNIX and Linux systems moved towards stronger hashing algorithms and better storage practices. Passwords began to be hashed using MD5, and later algorithms such as Blowfish, SHA-256, and SHA-512. Along with the stronger algorithms, the use of salt became standard practice. Initially, salts were 4 bytes long, but later expanded to 8 bytes.

To improve security further, password hashes were moved to the /etc/shadow file, which has restrictive permissions and is only readable by the root user. Meanwhile, the /etc/passwd file remained world-readable but no longer contained sensitive hash data.

Password Hashing in /etc/shadow
In modern UNIX and Linux systems, the /etc/shadow file contains password hashes in a format that includes the hash type, the salt, and the hashed password, separated by dollar signs ($). The structure is as follows:

    username:$id$salt$hashed_password

  - $1$ indicates MD5 hashing.
  - $2$ indicates Blowfish hashing.
  - $5$ indicates SHA-256 hashing.
  - $6$ indicates SHA-512 hashing.

For example:

    sec504:$6$1ArFQuUx$qhCcp4hKJvWxf47bm30iFs3CldfvKy/z28wN24GuOwBfcgOF8j2iYgl15eFPyMQ0HzE.PyXrIqE3FpnF4vdPq.

This entry shows a SHA-512 hash ($6$), with an 8-byte salt (1ArFQuUx) and the resulting hashed password.

Enhancing Password Security

Multiple Rounds of Hashing
To thwart password-cracking attempts, modern hashing algorithms often use multiple rounds of hashing. For instance:
  - MD5 crypt ($1$) uses 1,000 rounds.
  - SHA-256 ($5$) and SHA-512 ($6$) use 5,000 rounds by default.
Multiple rounds slow down the hashing process, making it computationally expensive for attackers to crack passwords using brute force or dictionary attacks.

GPU-based Attacks
Attackers have adapted by utilizing GPUs to speed up the password-cracking process. GPUs can perform many parallel computations, significantly increasing the number of hashes that can be computed per second. For example, an NVIDIA GeForce RTX 2070 can compute around 768,500 SHA-512 hashes per second.

Mitigating Advanced Cracking Techniques
To counter GPU-based attacks, more sophisticated hashing algorithms have been developed:
  - PBKDF2 (Password-Based Key Derivation Function 2): Uses a flexible number of hashing rounds, typically in the thousands or millions.
  - Bcrypt: Incorporates a memory-intensive hashing process, which is difficult for GPUs to optimize.
  - Scrypt: Requires even more memory, making it particularly resistant to GPU-based attacks.
  - Argon2: The winner of the Password Hashing Competition, designed to be memory-hard and resistant to GPU attacks.

Conclusion
As attackers become more sophisticated, so too must the mechanisms for securing passwords. Modern UNIX and Linux systems use advanced hashing techniques to ensure that password storage remains as secure as possible.
Akash Patel
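As an added example (not from the post): a small Python parser for the /etc/shadow format described above. It reports the algorithm, salt and round count of each entry, handles the explicit $6$rounds=N$ form, bcrypt's cost factor, legacy DES entries and locked accounts, and lists accounts still stored with DES or MD5 crypt so they can be rehashed. The sample shadow file is constructed; only the sec504 line is the post's own example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hash identifiers seen in /etc/shadow with the default round counts given in
# the post: MD5 crypt uses 1,000 rounds, SHA-256 and SHA-512 crypt use 5,000.
HASH_IDS = {
    "1": ("MD5 crypt", 1000),
    "2": ("Blowfish (bcrypt)", None),   # bcrypt stores a cost factor instead
    "2a": ("Blowfish (bcrypt)", None),
    "2b": ("Blowfish (bcrypt)", None),
    "2y": ("Blowfish (bcrypt)", None),
    "5": ("SHA-256 crypt", 5000),
    "6": ("SHA-512 crypt", 5000),
}


@dataclass
class ShadowHash:
    username: str
    algorithm: str
    salt: Optional[str]
    rounds: Optional[int]      # iterations; 2**cost for bcrypt; None if unknown
    digest: Optional[str]
    locked: bool               # password field starts with "!" or "*"
    weak: bool                 # DES or MD5 crypt: schedule a rehash


def parse_shadow_line(line: str) -> ShadowHash:
    """Parse one /etc/shadow line: username:$id$[rounds=N$]salt$hash:..."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]

    # "!" or "*" in front of (or instead of) a hash means the account is locked.
    locked = pw.startswith(("!", "*"))
    pw = pw.lstrip("!*")
    if not pw:
        return ShadowHash(user, "none", None, None, None, locked, False)

    if not pw.startswith("$"):
        # Legacy DES crypt: 13 characters, the first two of which are the salt.
        if len(pw) == 13:
            return ShadowHash(user, "DES crypt", pw[:2], None, pw[2:], locked, True)
        raise ValueError("unrecognised hash format for %s" % user)

    parts = pw.split("$")[1:]          # drop the empty string before the first "$"
    hash_id, rest = parts[0], parts[1:]
    if hash_id not in HASH_IDS or not rest:
        raise ValueError("unknown hash id $%s$ for %s" % (hash_id, user))
    name, rounds = HASH_IDS[hash_id]

    if hash_id.startswith("2"):
        # bcrypt layout: $2b$<cost>$<22-char salt><31-char digest>
        cost, blob = int(rest[0]), rest[1]
        return ShadowHash(user, name, blob[:22], 2 ** cost, blob[22:], locked, False)

    m = re.fullmatch(r"rounds=(\d+)", rest[0])
    if m:                              # explicit $6$rounds=N$salt$hash form
        rounds, rest = int(m.group(1)), rest[1:]
    if len(rest) < 2:
        raise ValueError("missing salt or digest for %s" % user)
    return ShadowHash(user, name, rest[0], rounds, rest[1], locked, hash_id == "1")


def weak_accounts(shadow_text: str) -> List[str]:
    """Usernames of active accounts whose hash should be migrated (DES or MD5 crypt)."""
    out = []
    for line in shadow_text.splitlines():
        if line.strip():
            entry = parse_shadow_line(line)
            if entry.weak and not entry.locked:
                out.append(entry.username)
    return out


# Constructed sample file; only the sec504 line is the SHA-512 example from the post.
SAMPLE_SHADOW = """\
sec504:$6$1ArFQuUx$qhCcp4hKJvWxf47bm30iFs3CldfvKy/z28wN24GuOwBfcgOF8j2iYgl15eFPyMQ0HzE.PyXrIqE3FpnF4vdPq.:19000:0:99999:7:::
legacy:$1$ab12cd34$0123456789abcdefghijkl:19000:0:99999:7:::
olddes:abJnggxhB/yWI:19000:0:99999:7:::
hardened:$6$rounds=100000$NaClNaCl$placeholderDigestNotARealHash:19000:0:99999:7:::
svc:!$1$zz99zz99$0123456789abcdefghijkl:19000:0:99999:7:::
nologin:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for raw in SAMPLE_SHADOW.splitlines():
        e = parse_shadow_line(raw)
        print(f"{e.username:10} {e.algorithm:18} salt={e.salt} rounds={e.rounds} "
              f"locked={e.locked} weak={e.weak}")
    print("rehash needed:", weak_accounts(SAMPLE_SHADOW))
```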
- Obtaining Windows Domain Controller Hashes
Gaining access to Windows Domain Controller password hashes is a critical step for attackers aiming to compromise a Windows network.

Step 1: Obtain NTDS.dit and SYSTEM Registry Hive Data
NTDS.dit is the database that stores Active Directory (AD) data, including password hashes. To extract these hashes, attackers also need the SYSTEM registry hive, which contains the keys necessary to decrypt the NTDS.dit file.

Using ntdsutil.exe
  - Access ntdsutil.exe: This built-in utility is used to manage AD data, including creating backups.
  - Activate Instance: Set the active instance to "ntds".
  - Create Backup:

    C:\Users\Administrator> ntdsutil
    ntdsutil: activate instance ntds
    Active instance set to "ntds".
    ntdsutil: ifm
    ifm: create full c:\ntds

This sequence of commands creates a full backup of the AD data in the c:\ntds directory, including the NTDS.dit file and the SYSTEM registry hive.

Step 2: Extracting Password Hashes
After obtaining the NTDS.dit and SYSTEM files, the next step is to decrypt the NTDS.dit data and extract the password hashes.

Using secretsdump.py from Impacket
  - Install Impacket: Ensure that Impacket is installed on the attacker's machine.
  - Run secretsdump.py: This script reads and decrypts the NTDS.dit file using the SYSTEM registry hive.

Command for secretsdump.py:

    python /usr/share/doc/python-impacket/examples/secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL

The output displays the decrypted hashes:

    [*] Target system bootKey: 0x7b1c658edfb752594c688e02d4424924
    [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
    [*] Searching for pekList, be patient
    [*] Pek found and decrypted: 0x1e0d9fa12fb2367f15f22517aa31e84d
    [*] Reading and decrypting hashes from Active Directory/ntds.dit
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:9491b24e8c931559455ed4f59476cec2:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d2f4f1a07e9fb731e455e0b9a58265:::
    ksmith:1000:aad3b435b51404eeaad3b435b51404ee:0d4fa3ed8f51a0d45a7c7fbd0c92b99c:::

Minimizing Detection
Attackers prefer using built-in tools like ntdsutil because they are less likely to trigger security alerts than third-party tools. The built-in utilities are designed for system management and backups, so their use might not immediately raise suspicion.

Alternative Methods
There are other methods to obtain and extract NTDS.dit and SYSTEM data, such as using volume shadow copies or other administrative tools. Detailed methodologies and advanced techniques can be found in various penetration testing blogs and resources, such as the articles by @netbiosX on PentestLab.

Conclusion
Obtaining and decrypting Windows Domain Controller password hashes involves using built-in utilities to create backups of the necessary files and then employing scripts like secretsdump.py to extract the hashes. Understanding these methods highlights the importance of securing administrative access and monitoring the use of system utilities to prevent unauthorized access to sensitive data.

We will continue this in the next post.
Akash Patel
- Forensic Investigation: Techniques and Tools for Effective Threat Hunting
In the ever-evolving landscape of cybersecurity, forensic investigators must be equipped with a diverse set of tools and techniques to identify, analyze, and respond to various threats. This blog delves into several advanced methods for detecting malicious activity, focusing on Sysmon Event ID 1, RDP activity hunting, phishing and maldoc detection, and data exfiltration using the $USNJRL.$J file. 1. Sysmon Event ID 1: Process Creation Sysmon (System Monitor) is a powerful tool that provides detailed information on process creation, network connections, and changes to file creation time, among other data. Sysmon logs, particularly Event ID 1, are invaluable for forensic investigators. Why Sysmon Event ID 1? Comprehensive Process Tracking : Every time a process is created, Sysmon logs the event, capturing crucial details such as the process name, command line, and parent process. Enhanced Visibility : Even if you lack Shimcache or SRUM data, Sysmon’s Event ID 1 can fill the gap by logging all process executions, giving you insight into potential malicious activity. Example Query : To identify potentially malicious processes executed via Office applications (common in phishing attacks), you can use the following query: (source_name:"Microsoft-Windows-Sysmon" AND event_id:1) AND process_parent_path:(*winword.exe OR excel.exe OR powerpnt.exe OR mspub.exe OR visio.exe) 2. Hunting RDP Activity: Remote Logon Events Remote Desktop Protocol (RDP) is a common vector for unauthorized access. Monitoring RDP activities is crucial for identifying potential intrusions. Focus on Logon Events Event ID 4624 : This event logs successful logons , which can be filtered to focus on remote logons (Type 10) with RDP connectivity . IP Address Filtering : Investigate events where the source IP address is external (i.e., not within the local 10.0.0.0/8 range or localhost 127.0.0.1). 3. 
Identifying Infection Vectors: Phishing and Maldoc Hunting
Phishing remains a prevalent attack vector, often delivering malicious documents (maldocs) that execute harmful payloads.

Detecting Phishing and Maldocs
Office Applications as Parent Processes: when a child process (cmd.exe, powershell.exe, wscript.exe, mshta.exe, rundll32.exe) is launched by Word or Excel, it is usually a macro or an exploit firing.
Example Query:
(source_name:"Microsoft-Windows-Sysmon" AND event_id:1) AND process_parent_path:(*winword.exe OR *excel.exe OR *powerpnt.exe OR *mspub.exe OR *visio.exe)

ZIP Files Accessed in Windows: ZIP files are commonly used to deliver phishing payloads. When a user double-clicks a file inside a ZIP opened with Explorer, Windows extracts it to a folder named Temp1_<archive name> under %LOCALAPPDATA%\Temp, so a process whose parent command line references that folder was run straight out of an archive.
Example Query:
(source_name:"Microsoft-Windows-Sysmon" AND event_id:1) AND process_parent_command_line:"appdata\\local\\temp\\temp1_*" AND process_parent_command_line.keyword:*temp1_*

4. Data Exfiltration Detection: $UsnJrnl:$J and ZIP Files
One of the key challenges in forensic investigations is detecting data exfiltration. Attackers often compress data into ZIP (or RAR/7z) archives before exfiltration. The NTFS change journal, stored in the $J stream of $Extend\$UsnJrnl, records every file create, rename, data change, and delete together with the reason flags, and it survives the deletion of the file itself.

Using MFTECmd to Analyze $UsnJrnl:$J
Identifying ZIP Files: parse $J with MFTECmd's CSV output and filter on the Extension column.
Example PowerShell Command:
$usnzip = Import-Csv -Path 'C:\Users\noransom\Desktop\.csv' | ? Extension -eq '.zip'

Detecting Deleted ZIP Files: attackers often delete the archive after exfiltration to cover their tracks, but the journal keeps both the FileCreate and the FileDelete records.
Example PowerShell Command:
$deleted = $usnzip | ? UpdateReasons -like '*Delete*'
$deleted | Format-Table -Property Extension,Name,ParentPath,UpdateReasons -AutoSize

Note that $J is a circular buffer (often 32 MB), so on a busy volume it may only cover the last few days; collect it early.

5. Additional Techniques for Enhanced Threat Hunting
Credential Reads: Event ID 5379 (Credential Manager credentials were read) logs when stored credentials are accessed.
Monitoring this event can reveal access to sensitive stored credentials. The target name tells you which application read them; a target of Microsoft_Windows_Shell_ZipFolder:filename=<path> means Explorer's ZIP folder handler used a saved password for a password-protected archive, which is a common phishing lure.
Example Query:
source_name:"Microsoft-Windows-Security-Auditing" AND event_id:5379 AND credentials_read:Microsoft_Windows_Shell_ZipFolder*

Outlook Content and Downloads: Sysmon Event ID 11 (file create) inside the Outlook secure temp folder shows which attachments a user opened; correlate these with Event ID 1 to see what they spawned.
Example Query:
(source_name:"Microsoft-Windows-Sysmon" AND event_id:11) AND file_name:"microsoft\\windows\\inetcache\\content.outlook\\*"

Reviewing the Trust Center: Office keeps a Trusted Documents list in the registry (HKCU\Software\Microsoft\Office\<version>\<app>\Security\Trusted Documents\TrustRecords). A Sysmon Event ID 13 (registry value set) on this key records the moment a user clicked "Enable Content" on a document, which is often the moment the maldoc ran.
Example Query:
(source_name:"Microsoft-Windows-Sysmon" AND event_id:13) AND registry_key_path:("Trusted Documents" OR "TrustRecords")

Conclusion
By leveraging the tools and techniques outlined in this post, forensic investigators can improve their ability to detect and respond to sophisticated threats. Whether hunting for RDP activity, identifying phishing attempts, or detecting data exfiltration, these methods provide a solid foundation for threat hunting and incident response.
Akash Patel
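As an added example (not code from the original post), here is the $UsnJrnl:$J hunt above in Python over a constructed MFTECmd export, which pairs each archive's create record with its later delete record instead of listing them separately. The column names (Name, Extension, ParentPath, UpdateReasons, UpdateTimestamp) are assumed to match MFTECmd's $J CSV, the sample rows are constructed, and the filter is widened to the other archive types attackers use for staging.

```python
"""Hunt for archive staging in an MFTECmd $J export.

Added example (not from the original post): reads the CSV that MFTECmd writes
for $UsnJrnl:$J, keeps archive files, and pairs each archive's create record
with a later delete record. Column names are assumed to match MFTECmd's $J
output; the sample rows below are constructed, not real journal data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar", ".tar", ".gz"}

# Constructed sample of MFTECmd $J CSV output (subset of columns).
SAMPLE_USN_CSV = r"""Name,Extension,ParentPath,UpdateReasons,UpdateTimestamp
report.docx,.docx,.\Users\noransom\Documents,DataExtend|Close,2024-05-01 09:12:00.0000000
finance.zip,.zip,.\Users\noransom\AppData\Local\Temp,FileCreate,2024-05-01 23:41:10.0000000
finance.zip,.zip,.\Users\noransom\AppData\Local\Temp,DataExtend|FileCreate|Close,2024-05-01 23:41:12.0000000
finance.zip,.zip,.\Users\noransom\AppData\Local\Temp,FileDelete|Close,2024-05-02 00:05:33.0000000
photos.zip,.zip,.\Users\noransom\Pictures,FileCreate|Close,2024-04-20 15:00:00.0000000
setup.exe,.exe,.\Users\noransom\Downloads,FileDelete|Close,2024-05-02 00:06:00.0000000
"""


def parse_usn_csv(text):
    """Parse MFTECmd $J CSV text into dict rows, adding a parsed datetime in '_ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # MFTECmd writes 7 fractional digits; strptime only takes 6, so keep seconds.
        row["_ts"] = datetime.strptime(row["UpdateTimestamp"][:19], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def archive_events(rows):
    """Journal records for archive files only, grouped by full path."""
    by_path = defaultdict(list)
    for row in rows:
        if row["Extension"].lower() in ARCHIVE_EXTENSIONS:
            by_path[row["ParentPath"] + "\\" + row["Name"]].append(row)
    return by_path


def find_created_then_deleted(rows):
    """Archives created and later deleted: the classic exfil-staging trace.

    Returns [(path, created, deleted, lifetime_seconds)] sorted by creation time.
    A short lifetime (created, uploaded, removed within minutes) is the tell.
    """
    hits = []
    for path, events in archive_events(rows).items():
        creates = [r["_ts"] for r in events if "FileCreate" in r["UpdateReasons"]]
        deletes = [r["_ts"] for r in events if "FileDelete" in r["UpdateReasons"]]
        if creates and deletes and max(deletes) > min(creates):
            lifetime = (max(deletes) - min(creates)).total_seconds()
            hits.append((path, min(creates), max(deletes), lifetime))
    return sorted(hits, key=lambda h: h[1])


def find_deleted_archives(rows):
    """Every archive with a delete record, even if its creation predates the journal window."""
    return sorted({r["ParentPath"] + "\\" + r["Name"] for r in rows
                   if r["Extension"].lower() in ARCHIVE_EXTENSIONS
                   and "FileDelete" in r["UpdateReasons"]})


if __name__ == "__main__":
    parsed = parse_usn_csv(SAMPLE_USN_CSV)
    for path, created, deleted, life in find_created_then_deleted(parsed):
        print(f"{path}: created {created}, deleted {deleted} ({life:.0f}s lifetime)")
```

Feed it the real export with `parse_usn_csv(open(path, encoding="utf-8-sig").read())`; MFTECmd's CSV can be hundreds of megabytes, so on a large volume filter on Extension while reading rather than keeping every row.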
- What to Do After a Ransomware Attack
Ransomware attacks are among the most devastating incidents an organization can face. They can cripple operations, cause significant financial loss, and damage your reputation. When a ransomware campaign is in progress the clock is ticking, and how you respond in those first hours determines the extent of the damage.

Immediate Response: The Clock Is Ticking
Ransomware incidents require immediate action. The sooner you detect the actor in your network, the better your chances of limiting the damage. The possible scenarios, from best to worst:
Immediate detection upon network access: great, work fast. This is the best case, where you can stop the attack before it causes significant harm.
Detection after they have been in your network for a while: work faster. The attacker may already have exfiltrated data or staged the encryption payload.
Detection pre- or post-exfiltration, but before encryption: you still have a chance to prevent encryption, but assume it is imminent.
Detection after encryption: sadly the most common scenario. The focus shifts to containment, damage control, and recovery.
In all of these, a pre-built incident response plan is crucial. Without it your response will be too slow and the damage greater.

Initial Incident Scoping: Key Considerations
When you first identify a ransomware incident, assess the situation quickly:
How was the incident identified? Did someone notify you, did you find a ransom note, or did a service stop working?
Which hosts and services are impacted? Enumerate every compromised system to understand the scope.
What actions have already been taken? Determine whether containment measures have been started and whether they worked.
What are the organization's expectations? Talk to leadership to understand their priorities and what they expect from the response.
What are the "crown jewels"? Identify the critical assets that need immediate protection.
Do backups exist, and are they unencrypted? Confirm the availability and integrity of backups; they are the key to recovery.
Do up-to-date network diagrams exist? Accurate diagrams are essential for understanding how the attack is spreading and for planning the response.
Is there an MSSP (Managed Security Service Provider) who can assist? If so, bring in that external expertise early.

Collecting and Preserving Evidence
Evidence preservation is critical in a ransomware investigation:
Physical Evidence: photograph the ransom note immediately; the file may be encrypted or deleted later.
Virtual Machines: pause (suspend) virtual machines rather than shutting them down. Suspending a VM writes its memory state to disk, which is valuable for analysis.
Memory Capture: capture a memory image from compromised physical systems before they are powered off.

Backup Protocols: Review and Invoke
When ransomware hits, you may lose the infrastructure you normally rely on to respond:
Active Directory (AD) Availability: expect AD to be down, which is common in ransomware cases. Have alternative ways to reach machines.
Local Accounts and Cached Domain Credentials: make sure machines have local accounts or cached credentials so responders can still log on.
Deployment Methods for Data Collection: if you need to push collection tools, make sure a deployment method will still work with AD and the usual management tooling unavailable.
Out-of-Band Communication: establish communication channels that do not depend on the compromised network; assume the actor can read your email.
Securing Backups: Protecting the Crown Jewels
Your backup servers must be secured immediately:
On-Prem Backup: disconnect from the network to prevent the ransomware from reaching the backups.
Cloud-Based Backup: consider disconnecting or revoking access, depending on the situation, to protect the data.

"Going Dark": Cutting Internet Access
If the threat actor is still active and you suspect imminent encryption, you may need to cut internet access:
A major decision with far-reaching consequences: it should be made by top leadership. It may prevent encryption (or at least the actor's hands-on-keyboard access), but it will disrupt business operations.
Pre-Plan Policies: have policies in place for this scenario beforehand. Create pinholes for essential services such as VPN, EDR, and remote IR connectivity.

Disabling Shares, Sync Agents, and Accounts
Admin Shares: disabling admin shares (ADMIN$, C$) can hinder the actor's lateral movement but may break management tooling; do the risk analysis beforehand.
Network Shares and Distributed File Systems: consider taking them offline to protect them from encryption.
Credential Remediation: reset credentials and disable accounts so the actor cannot regain access. If the domain was compromised, reset the krbtgt password twice, with a replication gap in between, to invalidate forged Kerberos tickets.

Recovery from Backup
Recovering from backups is a critical step, but timing is everything:
Hold Off Restoration Until You Are Sure: know the exact date(s) to fall back to. Restoring a backup taken after the initial access brings the actor's persistence back with it.
Edge Devices: firewalls and VPN appliances may have been exploited. Consider updating them and restoring them to factory state to eliminate persistence mechanisms.

Post-Incident: Turning a Crisis into an Opportunity
A ransomware attack, while devastating, can also be the moment your security team gets the attention and support it needs:
Increased Support and Funding: use the incident as leverage to secure more resources.
Staff Augmentation: advocate for additional staffing to prevent future incidents.
Final Thoughts: Learn, Plan, and Prepare
Ransomware incidents are complex and require swift, decisive action. Preparation is key. Learn from each incident, refine your response plans, and make sure your organization is better prepared for the next one.
Akash Patel
- Final Phase of a Ransomware Attack: Impact and Recovery Challenges
Ransomware attacks have become increasingly sophisticated, and the "Impact" phase is the final and most destructive part of the campaign. Once the threat actors have achieved their earlier objectives, including data exfiltration, they deploy a ransomware cryptor to encrypt your data. To maximize their leverage, they first tamper with backup and recovery mechanisms so that recovery is hard and paying looks like the only option.

Securing Your Backup Systems
Your backups are among the most critical assets in your organization. Threat actors routinely target backup servers to disable or delete backups before deploying ransomware. Essential steps:
Monitor All Logins to Backup Servers: log and monitor every logon attempt to backup servers, successful and failed. Backup servers rarely see interactive logons, so a new account or workstation logging on is a strong signal.
Implement the Principle of Least Privilege: only designated accounts should be able to access and administer backup servers. Keep backup service accounts out of Domain Admins, and keep the backup server itself off the domain if the product supports it.
Scanning for Backup Services: ransomware affiliates find backup infrastructure by scanning for the well-known ports of backup products. To catch this:
Review Documentation: check your backup system's documentation for the ports used by each service.
Set Up Alerts: monitor those ports and alert on connection attempts from unexpected sources.

Volume Shadow Copy Service (VSS)
Many organizations rely on Microsoft's Volume Shadow Copy Service (VSS) for point-in-time recovery. Shadow copies are convenient, but they cut both ways: a shadow copy holds readable point-in-time copies of files that are locked on the live system, such as the registry hives (SAM, SYSTEM) and NTDS.dit, so an attacker with administrative rights can pull credential material from them. And because shadow copies are the fastest local recovery option, attackers delete them before encrypting.
Commands Used to Delete Shadow Copies: ransomware operators use commands such as the following to delete VSS shadow copies and remove one of your recovery options:
vssadmin.exe delete Shadows /all /quiet
wmic shadowcopy delete /nointeractive
Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }
Get-WmiObject Win32_ShadowCopy | Remove-WmiObject
Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }
Get-CimInstance Win32_ShadowCopy | Remove-CimInstance
Any of these on a server, outside a scheduled backup window, should page someone. Sysmon Event ID 1 or Security 4688 (with command-line auditing enabled) catch the first two; PowerShell Script Block Logging (Event ID 4104) catches the rest, since the WMI and CIM calls never spawn vssadmin.exe.

Tampering with Recovery Mechanisms
Threat actors disable the built-in recovery components with native tools, making it harder to recover. They use bcdedit, which manipulates Boot Configuration Data (BCD) settings, and wbadmin, which manages Windows Server Backup.
Commands Used to Disable Recovery Mechanisms:
bcdedit /set {default} recoveryenabled no
bcdedit /set {default} bootstatuspolicy ignoreallfailures
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup -keepversions:0
The two bcdedit commands stop Windows from offering the Recovery Environment after a failed boot; the wbadmin commands delete the backup catalog and every system state backup.

Preventing IT Response
In addition to tampering with backup and recovery, threat actors may stop IT teams from responding by turning security mechanisms against them: disabling Remote Desktop Protocol (RDP) or blocking inbound connectivity with the Windows Firewall.
Common Commands Used:
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True
New-NetFirewallRule -DisplayName "Block PORTS1" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Block
New-NetFirewallRule -DisplayName "Block PORTS2" -Direction Inbound -LocalPort 443 -Protocol TCP -Action Block
netsh advfirewall set currentprofile state on
netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule name="Block PORTS6" protocol=TCP dir=in localport=80 action=block
netsh advfirewall firewall add rule name="Block PORTS7" protocol=TCP dir=in localport=443 action=block
These measures make it extremely difficult for IT teams to reach affected hosts and respond. Rules blocking 3389 (RDP), 5985/5986 (WinRM) or 445 (SMB) are the ones that lock remote responders out. Windows records every new rule as Event ID 2004 (2005 for a modified rule, 2006 for a deleted one) in the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log, which is the place to alert.

Clearing Windows Event Logs
Threat actors often clear Windows Event Logs to cover their tracks. This is trivial in Windows, especially if logs are not forwarded to a SIEM, log aggregator, or syslog server. The Clear-EventLog cmdlet (and wevtutil cl <log>) is commonly used.
Commands to Clear Event Logs:
Get-EventLog -LogName Security | Clear-EventLog
Clear-EventLog -LogName Application, Security, System
Clearing cannot be done silently: the Security log records Event ID 1102 ("The audit log was cleared") as its first new entry, and the System log records Event ID 104 when any other log is cleared, so the act itself leaves a trace. Only log forwarding, however, preserves the entries that were cleared, which is why it matters for post-incident analysis.

Payload Deployment Methods
Ransomware payloads are often deployed via Group Policy Objects (GPOs). Many organizations do not audit GPO creation and linking, and admin accounts are frequently overprivileged, so threat actors can create and link GPOs without constraint and push the payload (usually as a startup script or scheduled task) to every machine in a domain or forest. Security Event IDs 5137 (directory object created) and 5136 (modified) on groupPolicyContainer objects, plus a file-create watch on SYSVOL, are the cheap detections here.
Threat actors also use existing deployment tooling such as SCCM, PDQ Deploy, or SolarWinds to deliver the payload, and native Windows tools like PsExec, WMIC, and BITS to execute processes remotely.
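The commands above are easy to catch once command-line auditing (Security 4688 with the process command line, or Sysmon Event ID 1) and PowerShell script block logging are on. The following is an added example, not code from the original post, of that matching logic in Python: it normalises each command line and runs it against patterns for the shadow copy, bcdedit, wbadmin, firewall and log-clearing commands listed in this post. The event field names (Computer, Image, CommandLine) are an assumption to adjust to your SIEM, and the sample events are constructed.

```python
"""Flag recovery-inhibition and anti-response commands in process-creation logs.

Added example, not from the original post. Normalises a command line and
matches it against the shadow copy deletion, bcdedit/wbadmin recovery
tampering, firewall blocking and log clearing commands listed above. The
events below are constructed Sysmon Event ID 1 style records; the field
names (Computer, Image, CommandLine) are assumed, adjust to your SIEM.
"""
import re

# Each rule: (technique id, description, regex over the normalised command line).
# Normalisation lowercases and collapses whitespace, so patterns are lowercase.
RULES = [
    ("T1490", "VSS shadow copies deleted (vssadmin)",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("T1490", "VSS shadow copies deleted (wmic)",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("T1490", "VSS shadow copies deleted (WMI/CIM via PowerShell)",
     re.compile(r"win32_shadowcopy.*(\.delete\(\)|remove-wmiobject|remove-ciminstance)")),
    ("T1490", "Windows Recovery Environment disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no")),
    ("T1490", "Boot status policy set to ignore failures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures")),
    ("T1490", "Windows Backup catalog or system state backups deleted",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)")),
    ("T1562.004", "Inbound firewall block rule added",
     re.compile(r"(netsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule.*dir=in.*action=block"
                r"|new-netfirewallrule.*-direction\s+inbound.*-action\s+block)")),
    ("T1070.001", "Windows event log cleared",
     re.compile(r"(clear-eventlog|wevtutil(\.exe)?\s+(cl|clear-log)\s)")),
]


def normalise(cmdline):
    """Lowercase, collapse whitespace and strip quotes so the usual variations
    (extra spaces, quoted paths, mixed case) hit the same pattern."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "").replace("'", "")).strip().lower()


def classify(cmdline):
    """Return the (technique, description) pairs matched by one command line."""
    norm = normalise(cmdline)
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(norm)]


def scan(events):
    """Run every event through the rules; returns [(host, image, technique, description)]."""
    findings = []
    for ev in events:
        for tid, desc in classify(ev["CommandLine"]):
            findings.append((ev["Computer"], ev["Image"], tid, desc))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "FS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"Computer": "FS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "bcdedit /set {default} recoveryenabled No & wbadmin delete catalog -quiet"'},
    {"Computer": "FS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"Computer": "WS07", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Block PORTS6" protocol=TCP dir=in localport=3389 action=block'},
    {"Computer": "WS07", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},   # benign: listing, not deleting
    {"Computer": "DC01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
]

if __name__ == "__main__":
    for host, image, tid, desc in scan(SAMPLE_EVENTS):
        print(f"{host}\t{tid}\t{desc}\t<- {image}")
```

The rules are deliberately loose about executable suffixes and spacing because actors pad, quote and re-case these commands; tighten the firewall rule to your own management ports if port 80/443 blocks are normal change activity in your environment.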
Background Intelligent Transfer Service (BITS): BITS is a Windows service that transfers files in the background and is used by Windows Update, among others. It throttles itself to avoid affecting the user, survives reboots, and runs in the service's context, which is exactly why threat actors use it to pull payloads and, via its notification command option, to execute them.
Detection Methods:
EDR, Event IDs 4688/4689 | Sysmon IDs 1/5: monitor for bitsadmin.exe, and review PowerShell logs for Start-BitsTransfer and related cmdlets.
Event ID 7036: monitor service state changes (BITS starting) in the System log.
Event ID 60 (Microsoft-Windows-Bits-Client/Operational): BITS has stopped transferring a file; the event carries the URL and local file name, as does Event ID 59 for the start of the transfer.
Look for temporary files named BIT<hex>.tmp created in the destination directory. BITS names them with GetTempFileName and the prefix BIT, so the suffix is hexadecimal (for example BITF85A.tmp), not only digits.
Example Using Sysmon Event ID 11: monitor file creation events for BITS temporary files.
file_path.keyword:/.*\\BIT[0-9A-F]+\.tmp/

Encryption Key Usage in Ransomware
Modern ransomware uses a hybrid scheme. The bulk encryption of file contents is symmetric (AES, ChaCha20 or Salsa20), because public-key algorithms are far too slow for gigabytes of data; each file or victim gets its own symmetric key, and that key is encrypted with the attacker's public key embedded in the payload and stored alongside the ciphertext (typically in a file footer or the ransom note). The matching private key never leaves the attacker, so the symmetric keys, and therefore the files, cannot be recovered without paying. Decryptors become possible only when the authors made a mistake: a weak key generator, a key left in memory, or a private key leaked or seized later.

File Write Methods: Overwrite vs. Copy/Delete
Ransomware payloads use two general file write methods:
Overwrite/Rename: open the original file, replace its contents in place with encrypted data, then rename it (typically adding an extension).
Copy/Delete: create a new file containing the encrypted data, then delete the original.
From a forensic perspective, the Overwrite/Rename method leaves rename and data-overwrite records in $UsnJrnl and $LogFile but destroys the plaintext clusters, while the Copy/Delete method leaves the original file's clusters in unallocated space until they are reused, so tools like Bulk Extractor and PhotoRec can sometimes carve the plaintext back. Some families wipe free space afterwards, so check the family's write-up before promising recovery. I already have a post on recovering evidence with PhotoRec, do check it out:
https://www.cyberengage.org/post/digital-evidence-techniques-for-data-recovery-and-analysis

Detecting Encryption and Ransom Notes
Monitoring for file creation events using Sysmon/EDR can help detect ransomware activity.
Sysmon Event ID 2, for instance, logs file creation time changes, which some families trigger when they timestomp the encrypted copies; a burst of Event ID 11 (file create) events with one new, uniform extension from a single process, or the ransom note file name appearing in every directory, is the more reliable signal.
To understand how a specific ransomware payload encrypts files, reverse engineers and malware analysts disassemble or decompile the ransomware with tools like IDA Pro and Ghidra. Detailed write-ups on ransomware samples are valuable resources for incident response. The VX-Underground team maintains extensive collections of malware samples, including ransomware families, which can be instrumental for analysis:
https://for528.com/vxug-samples
The team also maintains an archive with various builders, including ransomware builders:
https://vx-underground.org/

Importance of Backing Up Encrypted Files
Back up the encrypted files before doing anything else, because:
Partially Encrypted Files: many families encrypt only the first part, or interleaved blocks, of large files for speed, so the rest of the data is intact and recoverable.
Future Decryption Possibilities: keys or decryptors may become available later; law enforcement seizures and leaked master keys have unlocked several families long after the fact.
If using a decryptor, exercise caution. Some decryptors are flawed, ineffective, or outright malicious. Perform malware analysis on any decryptor before use, and test it on copies, never on the only instance of the data.
Free decryptors for some ransomware variants are available from No More Ransom, which also offers the "Crypto Sheriff" tool for identifying the strain and checking for available decryption resources:
https://www.nomoreransom.org/en/decryption-tools.html
https://www.nomoreransom.org/crypto-sheriff.php?lang=en

Efficiency Issues with Decryptors
Decryptors, even those provided by attackers after the ransom is paid, are not always usable. They may be slow, single-threaded, or otherwise poorly written. The decryptor DarkSide supplied in the Colonial Pipeline attack was notoriously slow, and responders ended up building their own tool around the provided key.
Remember: always back up encrypted data before attempting decryption to avoid data loss.
Conclusion
By understanding the methodologies and tactics employed during the "Impact" phase of a ransomware attack, organizations can better prepare their defenses, respond more effectively, and reduce the risk these increasingly sophisticated threats pose.
Akash Patel
- Mastering Threat Detection/Hunting with Specific Queries
When it comes to detecting malicious activity and potential security threats, analyzing the right data sources is crucial. Whether you are working with SIEM tools, conducting threat hunting, or performing forensic analysis, the following queries can be invaluable. They are written in Timesketch syntax over a Plaso timeline, so field names such as parser, key_path, source_name and event_identifier come from Plaso's parsers; the logic carries over to Kibana or any other log platform, but field names and wildcard syntax will need adjusting.

1. Detecting System Configuration and Host Information

CurrentControlSet
Extracts the HKLM\SYSTEM\Select key, whose Current value tells you which ControlSet00N the system booted with; any artifact path written as CurrentControlSet must be read against that control set in an offline hive.
Query:
parser:winreg AND key_path:"HKEY_LOCAL_MACHINE\\System\\Select*"

Host Network Interfaces
Identify the network interfaces configured on the host (addresses, DHCP leases, DNS servers) to spot network-related changes.
Query:
parser:winreg AND key_path:"*Parameters\\Interfaces*"

Hostname
Retrieve the hostname of the system for identification in multi-host timelines.
Query:
parser:winreg AND key_path:"*Control\\ComputerName\\ComputerName*"

Network Shares
List the network shares defined on the host, which can reveal exposed resources or shares created by an attacker for staging.
Query:
parser:winreg AND key_path:"*Lanmanserver\\Shares*" AND NOT message:*empty*

Software: SysInternals Tool Usage Indicator
Detect use of Sysinternals tools (PsExec, ProcDump and friends), which are used by administrators and attackers alike. Each tool writes EulaAccepted under HKCU\Software\Sysinternals\<tool> the first time it runs (also when run with -accepteula), so the value is evidence that the tool was executed under that user's profile.
Query:
parser:"winreg" AND key_path:"*Software\\Sysinternals\\*" AND values:"*EulaAccepted*"

2. Monitoring Remote Desktop Protocol (RDP) Activity

T1021.001 - RDP Client Connection History
This query looks at the mstsc client keys: Terminal Server Client\Default holds the MRU list of hosts the user connected to, and Terminal Server Client\Servers holds a UsernameHint per host. On a compromised workstation these show where the actor went next.
Query:
parser:winreg AND (key_path:"*Microsoft\\Terminal Server Client\\Default*" OR key_path:"*Microsoft\\Terminal Server Client\\Servers*")

T1021.001 - RDP Activity Ended
Monitor events that mark the end of an RDP session: TerminalServices-LocalSessionManager 23 (logoff), 24 (disconnect), 39 and 40 (session disconnected by another session, and the disconnect reason), plus Security 4779 (session disconnected). Local console sessions (Address = LOCAL) are excluded.
Query:
(parser:"winevtx" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager" AND ((event_identifier:24 AND NOT xml_string:"*Address>LOCAL*") OR event_identifier:39 OR event_identifier:40 OR event_identifier:23)) OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4779)

T1021.001 - RDP Activity Started
Detect the start of an RDP session: LocalSessionManager 21 (logon), 22 (shell start) and 25 (reconnect) from non-local addresses, Security 4624 with Logon Type 10 (RemoteInteractive), and 4778 (session reconnected). The LocalSessionManager events carry the source IP and are kept far longer than the Security log, which often rolls over first.
Query:
(parser:"winevtx" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager" AND ((event_identifier:21 AND NOT xml_string:"*Address>LOCAL*") OR (event_identifier:22 AND NOT xml_string:"*Address>LOCAL*") OR (event_identifier:25 AND NOT xml_string:"*Address>LOCAL*"))) OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4624 AND xml_string:"*LogonType\">10*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4778)

3. Identifying Potential Lateral Movement

T1021.002 - Potential SMB Lateral Movement (Source)
On the source host, Security 4648 (logon with explicit credentials) records the target; a port of 445 means an outbound SMB connection made with alternate credentials, which is what PsExec, net use and admin-share copies look like from the attacker's foothold.
Query:
parser:winevtx AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4648 AND xml_string:"*IpPort\">445*"

4. Monitoring Task and Script Execution

T1053.005 - Scheduled Tasks
Scheduled tasks are a common persistence mechanism. This query lists the tasks registered under TaskCache\Tree, excluding the Microsoft\ subtree and entries whose only value is the 220-byte default security descriptor.
Query:
parser:winreg AND key_path:"*CurrentVersion\\Schedule\\TaskCache\\Tree*" AND NOT key_path:"*CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft*" AND NOT message:"*SD: [REG_BINARY] (220 bytes)*"

T1059 - PowerShell Web Request
Detect PowerShell being used to download content, a staple of fileless and living-off-the-land intrusions. The query covers script block logs (4104), process creation (4688 and Sysmon 1) and the usual download primitives. The iwr, wget and curl terms also match legitimate admin use and the native curl.exe, so triage on the URL and the parent process.
Query:
parser:"winevtx" AND (event_identifier:"4104" OR event_identifier:"4688" OR event_identifier:"1") AND (message:"*Invoke-WebRequest*" OR message:"*iwr*" OR message:"*wget*" OR message:"*curl*" OR message:"*Net.WebClient*" OR message:"*Start-BitsTransfer*")

T1059.001 - PowerShell Configuration
Monitor changes to PowerShell settings in the registry, which may indicate an attacker changing the execution policy or turning off script block or module logging.
Query:
parser:"winreg" AND key_path:"*Microsoft\\PowerShell*" AND (message:*EnableScript* OR message:*ExecutionPolicy* OR message:*EnableModuleLogging*)

5. Security Monitoring and Defense Evasion

T1070.001 - Windows Log Cleared
Detect clearing of the Security event log: Event ID 1102 is written as the first entry after the clear. Clearing any other log produces Event ID 104 in the System log instead.
Query:
parser:"winevtx" AND source_name:"Microsoft-Windows-Eventlog" AND event_identifier:"1102"

T1078 - Windows Account Activity
Monitor account lifecycle and privilege events: 4722 (account enabled), 4724 (password reset by another user), 4728 (member added to a security-enabled global group), 4634 (logoff), 4672 (special privileges assigned at logon) and 4733 (member removed from a security-enabled local group).
Query:
parser:"winevtx" AND (event_identifier:"4722" OR event_identifier:"4724" OR event_identifier:"4728" OR event_identifier:"4634" OR event_identifier:"4672" OR event_identifier:"4733")

T1078.003 - Query for a Blank Password for an Account
Event 4797 records an attempt to query whether an account has a blank password. It can be noisy, since Windows logon components generate it routinely, so look at the caller process and for bursts across many accounts, which point at enumeration or password guessing.
Query:
parser:"winevtx" AND event_identifier:"4797"

6. Detecting Suspicious Network Activity and Proxy Configurations

T1090 - Proxy Config
Identify modifications to proxy settings, which may indicate proxy-aware malware or an attacker routing traffic through a relay.
Query:
parser:"winreg" AND key_path:"HKEY_LOCAL_MACHINE\\Software\\*\\Microsoft\\Windows\\CurrentVersion\\Internet Settings*" AND (values:*AutoDetect* OR values:*ProxyServer* OR values:*ProxyOverride* OR values:*ProxyEnable*)

T1110 - SQL Server Failure
Monitor SQL Server authentication failures (MSSQLSERVER Event ID 18456 in the Application log), which may indicate brute-force or dictionary attacks, typically against the sa account.
Query:
parser:winevtx AND display_name:"*Logs\\Application\.evtx" AND event_identifier:"18456"

T1110 - Suspicious Logon Failures
Track failed logons (4625), NTLM credential validation failures (4776), account lockouts (4740) and unlocks (4767). Many failures for one account from one source is brute force; one or two failures each across many accounts from one source is password spraying. The query alone does not separate the two, so aggregate the results by source address and account.
Query:
parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND (event_identifier:"4625" OR event_identifier:"4767" OR event_identifier:"4740" OR event_identifier:"4776")

T1197 - Suspicious BitsTransfer Activity
Bits-Client/Operational Event 59 records each transfer job start with its URL and local file; this flags jobs that fetched scripts, executables or archives.
Query:
parser:"winevtx" AND source_name:"Microsoft-Windows-Bits-Client" AND event_identifier:"59" AND (strings:"*\.ps1*" OR strings:"*\.bat*" OR strings:"*\.exe*" OR strings:"*\.dll*" OR strings:"*\.zip*" OR strings:"*\.rar*" OR strings:"*\.7z*" OR strings:"*\.tar*")

T1204 - Execution
Pulls together the main execution artifacts: MUICache, Prefetch, Security 4688, the LastVisited MRU keys and Application-Experience events.
Query:
(parser:"winreg" AND (key_path:"*Microsoft\\Windows\\ShellNoRoam\\MUICache*" OR key_path:"*Software\\Microsoft\\Windows\\Shell\\MUICache*")) OR parser:"prefetch" OR (parser:"winevtx" AND event_identifier:"4688") OR (parser:"winreg" AND key_path:"*LastVisitedPidlMRU*") OR (parser:"winreg" AND key_path:"*LastVisitedMRU*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Application-Experience" AND event_identifier:"500")

T1204 - Execution of a Binary via BAM
Background Activity Moderator records the last execution time of executables per user SID.
Query:
parser:"bam" AND binary_path:*exe

T1204 - Execution or Existence of a File
Shimcache (AppCompatCache) entries prove a file existed at that path; on Windows 10 and later they do not by themselves prove execution.
Query:
parser:"appcompatcache" AND (path:*exe* OR path:*cpl* OR path:*ps1* OR path:*msi* OR path:*dll* OR path:*bat*)

T1204 - User Execution or Shortcut
UserAssist records GUI-launched programs and shortcuts with run counts and last-run times.
Query:
parser:"userassist" AND (value_name:*lnk* OR value_name:*exe*)

T1543 - Installation or Execution of a Windows Service
Query:
parser:"winevtx" AND
(event_identifier:"7045" OR event_identifier:"4697") AND NOT message:"*svchost.exe -k*"
System 7045 (service installed) and Security 4697 (service installed, requires the audit policy) cover new services; the svchost.exe -k exclusion drops the built-in shared-process services. PsExec's PSEXESVC and a service whose binary path is a cmd.exe or powershell.exe one-liner are the classic hits.

T1546.003 - WMI CommandLine Consumer
WmiPrvSE.exe is the parent of anything run by a WMI event consumer or a remote WMI call, so any execution-tagged event mentioning it deserves a look.
Query:
tag:Execution AND message:*wmiprvse*

T1547.001 - Windows Autorun
Query:
parser:"windows_run" AND (message:*exe* OR message:*.dll* OR message:*.bat* OR message:*.ps1*)

T1548.002 - UAC Disabled in Registry
EnableLUA set to 0 turns User Account Control off entirely.
Query:
parser:"winreg" AND key_path:"*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA" AND message:"*DisplayType: [REG_DWORD_LE] 0*"

T1560 or T1083 - File Save or Discovery
The OpenSavePidlMRU keys record files chosen in common open/save dialogs, per extension.
Query:
parser:"winreg" AND key_path:*OpenSave*MRU* AND message:*Shell*

T1560.001 - Archived Files
Looks for archive names across LNK files, shellbags, jump lists and MRU lists, which is where staging for exfiltration usually shows up on the user side.
Query:
(data_type:"windows:lnk:link" OR data_type:"windows:shell_item:file_entry" OR data_type:"olecf:dest_list:entry" OR data_type:"windows:registry:mrulistex") AND (message:*.zip* OR message:*.7z* OR message:*.tar.gz* OR message:*.tar* OR message:*.gz*)

T1562.001 - Win Defender Disabled
Defender's operational log records 5001 (real-time protection disabled), 5010 (anti-spyware scanning disabled) and 5012 (antivirus scanning disabled).
Query:
parser:"winevtx" AND source_name:"Microsoft-Windows-Windows Defender" AND (event_identifier:"5001" OR event_identifier:"5010" OR event_identifier:"5012")

T1562.001 - Windows Defender Disabled Registry Key
Query:
parser:"winreg" AND key_path:"*Microsoft\\Windows Defender*" AND (values:"*DisableRealtimeMonitoring: \[REG_DWORD_LE\] 1*" OR values:"*DisableAntiSpyware: \[REG_DWORD_LE\] 1*" OR values:"*DisableAntiVirus: \[REG_DWORD_LE\] 1*" OR values:"*DisableBehaviorMonitoring: \[REG_DWORD_LE\] 1*" OR values:"*DisableIOAVProtection: \[REG_DWORD_LE\] 1*" OR values:"*DisableOnAccessProtection: \[REG_DWORD_LE\] 1*" OR values:"*DisableScanOnRealtimeEnable: \[REG_DWORD_LE\] 1*" OR values:"*DisableEnhancedNotifications: \[REG_DWORD_LE\] 1*" OR values:"*DisableBlockAtFirstSeen: \[REG_DWORD_LE\] 1*")

T1562.001 - Windows Defender Disabled via PS
Set-MpPreference is the documented way to switch Defender features off, and it shows up in script block and process creation logs.
Query:
parser:"winevtx" AND message:"*Set-MpPreference*" AND (message:"*Disable*" OR message:"*Reporting*" OR message:"*SubmitSamplesConsent*" OR message:"*DefaultAction*")

T1562.001 - Windows Defender Exclusions
Query:
(parser:"winreg" AND
key_path:"*Windows Defender\\Exclusions\\*" AND NOT message:*empty*) OR (parser:"winevtx" AND event_identifier:"5007" AND message:*Exclusions*)
Exclusions are the attacker's quiet alternative to disabling Defender outright: the payload directory is excluded and everything else keeps looking healthy. Event 5007 (configuration changed) in the Defender log carries the old and new values.

T1562.004 - Windows Firewall Disabled
Query:
parser:"winreg" AND (display_name:*SOFTWARE OR display_name:*SYSTEM) AND (message:"*EnableFirewall: [REG_DWORD] 0x00000000*" OR message:"*EnableFirewall: [REG_DWORD_LE] 0*")

T1562.004 - Windows Firewall Rules
Rules live under SharedAccess\Parameters\FirewallPolicy\FirewallRules in the SYSTEM hive; the Firewall log's Event 2005 records rule modifications (2004 is a rule added, 2006 a rule deleted).
Query:
(parser:"winreg" AND key_path:"*FirewallRules*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Windows Firewall With Advanced Security" AND event_identifier:"2005")

Timezone
Needed before any local timestamp in the timeline is interpreted.
Query:
parser:"winreg" AND key_path:"*Control\\TimeZoneInformation*"

Windows Network Adapter Details
Query:
parser:"winreg" AND key_path:"*Tcpip\\Parameters\\Interfaces*" AND NOT message:*empty*

Windows OS Version
Query:
parser:"winreg" AND data_type:"windows:registry:installation"

Windows Patch Installation Success
WindowsUpdateClient Event 19 (installation successful) in the System log; compare the last successful patch date against the release date of the fix for the vulnerability you suspect was exploited.
Query:
parser:"winevtx" AND source_name:"Microsoft-Windows-WindowsUpdateClient" AND display_name:"*System\\.evtx" AND event_identifier:"19"

Windows User Profiles
The ProfileList key maps SIDs to profile paths and shows when each profile was created, which exposes accounts that never logged on before the incident.
Query:
parser:"winreg/winreg_default" AND key_path:"*ProfileList*"

These queries form the backbone of effective threat detection and forensic analysis. Happy hunting!
Akash Patel
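The T1021.001 and T1110 queries above return raw events; the judgement (is the source external, is one account being hammered or are many accounts being tried once each) still has to be applied by the analyst. This added example, not code from the original post, does that in Python over constructed events whose field names follow the Security log XML (EventID, TargetUserName, IpAddress, LogonType). The internal ranges, the 30-minute window and the thresholds are assumptions to adjust to your environment.

```python
"""Triage Windows logon events: external RDP logons and password spraying.

Added example, not from the original post. Implements the aggregation the
RDP and logon-failure queries leave to the analyst: 4624 Logon Type 10 from
addresses outside the internal ranges, and 4625/4776 failures grouped by
source so that spraying (few failures each across many accounts) is separated
from brute force (many failures against one account). Events are constructed;
field names follow the Security log XML. Note that real 4776 events carry the
source in the Workstation field, so map it to IpAddress before calling.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Internal ranges: the post uses 10.0.0.0/8 and localhost; extend with your RFC 1918/VPN space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "::1/128")]


def is_external(ip):
    """True for an address outside INTERNAL_NETS; non-addresses such as '-' count as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # the Security log writes '-' when no address is available
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """4624 with LogonType 10 (RemoteInteractive) from an external address."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 10 and is_external(e["IpAddress"])]


def failure_profile(events, window=timedelta(minutes=30), spray_min_accounts=5, brute_min_failures=10):
    """Group 4625/4776 failures per source inside a sliding window.

    Returns {source: {"accounts": n, "failures": n, "spray": bool, "brute": bool}} where
    'accounts' is the most distinct accounts seen in one window and 'failures' the most
    failures against a single account in one window.
    """
    per_source = defaultdict(list)
    for e in events:
        if e["EventID"] in (4625, 4776):
            per_source[e["IpAddress"]].append((e["Time"], e["TargetUserName"].lower()))
    profile = {}
    for src, fails in per_source.items():
        fails.sort()
        best_accounts, best_failures = 0, 0
        for i, (t0, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - t0 <= window]
            best_accounts = max(best_accounts, len(set(in_window)))
            per_user = defaultdict(int)
            for u in in_window:
                per_user[u] += 1
            best_failures = max(best_failures, max(per_user.values()))
        profile[src] = {"accounts": best_accounts, "failures": best_failures,
                        "spray": best_accounts >= spray_min_accounts,
                        "brute": best_failures >= brute_min_failures}
    return profile


def _ev(eid, user, ip, minute, logon_type=3):
    """Build one constructed event 'minute' minutes into the sample window."""
    return {"EventID": eid, "TargetUserName": user, "IpAddress": ip, "LogonType": logon_type,
            "Time": datetime(2024, 5, 2, 3, 0) + timedelta(minutes=minute)}


# Constructed sample (not real logs): a spray from 203.0.113.9, brute force from 10.1.1.50,
# an internal RDP logon, and one external RDP logon that succeeded during the spray.
SAMPLE_EVENTS = (
    [_ev(4625, f"user{i:02d}", "203.0.113.9", i) for i in range(8)]
    + [_ev(4625, "svc_backup", "10.1.1.50", i) for i in range(12)]
    + [_ev(4624, "jdoe", "10.20.30.40", 20, logon_type=10),
       _ev(4624, "user05", "203.0.113.9", 9, logon_type=10),
       _ev(4624, "jdoe", "10.20.30.41", 21, logon_type=3)]
)

if __name__ == "__main__":
    for e in external_rdp_logons(SAMPLE_EVENTS):
        print(f"external RDP logon: {e['TargetUserName']} from {e['IpAddress']} at {e['Time']}")
    for src, p in failure_profile(SAMPLE_EVENTS).items():
        print(f"{src}: {p}")
```

The sliding window is what keeps a slow spray (one attempt per account every few minutes) visible; a simple count per hour would let it hide under the threshold. The successful 4624 from the same source that produced the spray is the event to chase first.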





