Windows Host Forensics

Windows CLI Basics

CommandAction

dir

list files and folders

cd <dir>

change to directory

mkdir <dir>

make directory

rmdir <dir>

deliete directory

copy <source> <target>

copy source to target

move <source> <target>

move file from source to target

ren <old> <new>

rename form old to new

del <file>

delete file

echo <text>

display text to STDOUT

type <text.txt>

display contents of file

cls

clear screen

ver

Windows Version + Build

<drive>:

Change Drive

ipconfig /all

get ip address

sc query state=all

show services

tasklist /m

show services and processes

taskkill /PID <PID> /F

force kill process by id

assoc

Show file type association

cipher /w:<dir>

secure delete file or directory

fc <file> <file>

file compare

netstat -an

display currently opened ports

pathping

displays each hop in ping

tracert

displays each hop and time

powercfg

change power configuration

chkdsk /f <drive>

check and fix disk errors

drivequery /FO list /v

list of drivers and status

osk

on screen keyboard

shutdown -s -t 3600

schedule shutdown for 1 hour

Powershell common cmdlets

CommandAliasAction

Get-Content

cat

get contents of file

Get-Service

gsv

get services

Get-Process

gps

show services and processes

Stop-Processes -Id <PID> -Force

kill

force kill by pid

Clear-Content

clc

clear contents of file

Get-Command

gc

gets all commands

Compare-Object <f1> <f2>

compare

compare f1 and f2

Copy-Item

cp

copy and item

Get-Member

gm

gets the properties and methods for objects

Invoke-WMIMethod

iwmi

calls windows management instrumentation methods

cmd /c <command

run command as windows command line

Set-Alias

sal

creates or changes an alias

Select-Object

select

selects objects or object properties

ForEach-Object

%

performs an operation against each item in a collection of input objects

Where-Object

?

selects objects from a collection based on their property values

Windows Directories to examine

#dns file
"C:\Windows\System32\drivers\etc\hosts"
#network config file
"C:\Windows\System32\drivers\etc\networks"
#usernames and passwords
"C:\Windows\System32\config\SAM"
#security log
"C:\Windows\System32\config\SECURITY"
#software log
"C:\Windows\System32\config\SOFTWARE"
#windows event logs
"C:\Windows\System32\winevt\*"
#backup of user and password
"C:\Windows\repair\SAM"
#Windows xp all users start up
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*"
#windows xp user startup
"C:\Documents and Settings\User\Start Menu\Programs\Startup"
#windows all user startup
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
#windows user startup
"C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp"
#prefetch files
"C:\Windows\Prefetch"
#amcache.hve
"C:\Windows\AppCompat\Programs\Amcache.hve"
#NTUSER.dat
"C:\Windows\Users\*\NTUSER.dat"

Windows Process with wmic

  • Get a brief output of running processes

wmic process list brief

  • Get a large amount of output from running processes

wmic process list full

  • Get specific information about running processes 

wmic process get name,parentprocessid,processid,commandline

  • Focus in on a specific process 

wmic process where processid=pid_number get commandline

Network Connections

  • Overview of connections

netstat -na

  • Show the owning process ID and associated exe's / DLLs

netstat -naob

  • Refresh network connections every 5 seconds

netstat -naob 5

  • Examine the built-in firewall settings Windows 7 -- Windows 10

netsh advfirewall show currentprofile

Windows Services

  • Examine services via GUI built-in

services.msc

  • Examine running services 

net start

  • Get details about each service

sc query | more

  • Map running process to windows services 

tasklist /svc

Registry ASEPs/Registry Persistance

  • Check common problem areas in Windows Registry 

#HKLM
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
#HKCU
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

  • Additional Persistance Keys

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"

Disable RunOnce

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce /t REG_DWORD /d 1

Common Windows Registry Locations to Check 

#os information 
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion"
#product name 
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName
#data of install 
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate
#registered owner
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner
#system root
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v SystemRoot
#time zone
reg query "HKLM\System\CurrentControllerSet\Control\TimeZoneInformation" /v ActiveTimeBias
#mapped network drives
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Explorer\Map Network Drive MRU"
#mounted devices
reg query "HKLM\System\MountedDevices"
#usb devices
reg query "HKLM\System\CurrentControllerSet\Enum\USBStor"
#audit policies
reg query "HKLM\Security\Policy\PolAdTev"
#installed software (machine)
reg query "HKLM\Softwware"
#installed software (user)
reg query "HKCU\Software"
#recent documents
reg query "HKCU\Software\Microsoft\Windows\Currentversion\Explorer\RecentDocuments"
#recent user locations
reg query "HKCU\Software\Microsoft\Windows\Currentversion\Explorer\ComDlg32\LastVistitedMRU"
#typed urls
reg query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
#mru list
reg query "HKCU\Software\Microsoft\Windows\Currentversion\Explorer\RunMRU"
#last accessed registry keys
reg query "HKCU\Software\Microsoft\Windows\Currentversion\Applets\RegEdit" /v LastKey

Checking for Malicious Accounts

  • Windows built-in 

lusrmgr.msc

  • List users / view user group membership

net user 
net user <username>
net localgroup Administrators

Scheduled Tasks

  • View using the GUI

schtasks

  • Remember if using the CLI the at command will only show tasked where at was used to set up the task, schtasks shows all tasks.

Unusual Log Entries

  • Suspicious Log entiries to look for, low hanging fruit

Event log services was stopped
Windows File Protection is not active on this system
A member was added to a security-enabled local group
##Several Failed logon attempts##

  • For Win7 -- Win 10

wevtutil qe security /f:text
#Or
Get-EventLog -LogName Security | Format-List -Property *

Key Sysinternals tools

  • Process Explorer Enumerate running processes

  • Autoruns Display a list of Autostart Extensibility Points (ASEP)

  • Process Monitor Show file system, network, registry, and process information in real time

  • TCPView Maps listening and active TCP UDP activity to applications

  • Procdump Capture memory for a running process for analysis

Dump Windows Memory 

winpmem_mini.exe 20221218-ircase#0100.mem

Volatility

  • Best to use a virtual enviroment 

python3 -m venv venv
source venv/bin/activate

General Usage 

./vol.py -f image_name --profile profile_name plugin_name

  • Save off some enviromental variables that will help with command length and typos

export VOLATILITY_LOCATION=file:///path/image
export VOLATILITY_PROFILE=profile

Vol Plugins

  • There are alot of created plugins, view plugins

python vol.py --info

Basic Image Information (Start Here)

  • This provides basic information about the image, will suggest which volatility plugin to use 

./vol.py imageinfo
#OR on windows cmd
ver
#Output 
Microsoft Windows [Version 10.0.20348.1249]
#now search for the build version 
python vol.py --info | grep 20348

Listing Processes

vol.py pslist

Parent and Child Processes 

vol.py pstree

Network Connections

vol.py netscan

UserAssist

  • UserAssist registry keys track any program run from the GUI, create for creating IR timelines

vol.py userassist

Processs Command Line

  • See full command line used to start processes 

vol.py cmdline

Guidelines

  • Suspicious process --> pslist, pstree

  • Network Listener --> netscan, check processes

  • Suspicious program --> userassist , cmdline , processes

  • Others --> hivelist printkey svcscan dllist

Detecting PSEXEC in logs

Get-WinEvent -FilterHashTable @{ Logname='System'; ID='7045'} | where {$_.Message.contains("PSEXEC")}

Enable Script Block Logging

New-Item -Path "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging" -Force
Set-ItemProperty -Path "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 -Force

DLL Search Order Hijacking

  • Windows DLLs will be searched for in this order 

Folder where the application is stored
C:\Windows\System32
C:\Windows\System
C:\Windows
Current Directory
Directories listed in system path #see with env/set
PreviousHost ForensicsNextWindows NT Versions

Last updated