Windows Host Forensics

Windows CLI Basics

Command

Action

dir

list files and folders

cd <dir>

change to directory

mkdir <dir>

make directory

rmdir <dir>

deliete directory

copy <source> <target>

copy source to target

move <source> <target>

move file from source to target

ren <old> <new>

rename form old to new

del <file>

delete file

echo <text>

display text to STDOUT

type <text.txt>

display contents of file

cls

clear screen

ver

Windows Version + Build

<drive>:

Change Drive

ipconfig /all

get ip address

sc query state=all

show services

tasklist /m

show services and processes

taskkill /PID <PID> /F

force kill process by id

assoc

Show file type association

cipher /w:<dir>

secure delete file or directory

fc <file> <file>

file compare

netstat -an

display currently opened ports

pathping

displays each hop in ping

tracert

displays each hop and time

powercfg

change power configuration

chkdsk /f <drive>

check and fix disk errors

drivequery /FO list /v

list of drivers and status

osk

on screen keyboard

shutdown -s -t 3600

schedule shutdown for 1 hour

Powershell common cmdlets

Command

Alias

Action

Get-Content

cat

get contents of file

Get-Service

gsv

get services

Get-Process

gps

show services and processes

Stop-Processes -Id <PID> -Force

kill

force kill by pid

Clear-Content

clc

clear contents of file

Get-Command

gets all commands

Compare-Object <f1> <f2>

compare

compare f1 and f2

Copy-Item

copy and item

Get-Member

gets the properties and methods for objects

Invoke-WMIMethod

iwmi

calls windows management instrumentation methods

cmd /c <command

run command as windows command line

Set-Alias

sal

creates or changes an alias

Select-Object

select

selects objects or object properties

ForEach-Object

performs an operation against each item in a collection of input objects

Where-Object

selects objects from a collection based on their property values

Windows Directories to examine

#dns file
"C:\Windows\System32\drivers\etc\hosts"
#network config file
"C:\Windows\System32\drivers\etc\networks"
#usernames and passwords
"C:\Windows\System32\config\SAM"
#security log
"C:\Windows\System32\config\SECURITY"
#software log
"C:\Windows\System32\config\SOFTWARE"
#windows event logs
"C:\Windows\System32\winevt\*"
#backup of user and password
"C:\Windows\repair\SAM"
#Windows xp all users start up
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*"
#windows xp user startup
"C:\Documents and Settings\User\Start Menu\Programs\Startup"
#windows all user startup
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
#windows user startup
"C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp"
#prefetch files
"C:\Windows\Prefetch"
#amcache.hve
"C:\Windows\AppCompat\Programs\Amcache.hve"
#NTUSER.dat
"C:\Windows\Users\*\NTUSER.dat"

Windows Process with wmic

Get a brief output of running processes

wmic process list brief

Get a large amount of output from running processes

wmic process list full

Get specific information about running processes

wmic process get name,parentprocessid,processid,commandline

Focus in on a specific process

wmic process where processid=pid_number get commandline

Network Connections

Overview of connections

netstat -na

Show the owning process ID and associated exe's / DLLs

netstat -naob

Refresh network connections every 5 seconds

netstat -naob 5

Examine the built-in firewall settings Windows 7 -- Windows 10

netsh advfirewall show currentprofile

Windows Services

Examine services via GUI built-in

services.msc

Examine running services

net start

Get details about each service

sc query | more

Map running process to windows services

tasklist /svc

Registry ASEPs/Registry Persistance

Check common problem areas in Windows Registry

#HKLM
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
#HKCU
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Additional Persistance Keys

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"

Disable RunOnce

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce /t REG_DWORD /d 1

Common Windows Registry Locations to Check

#os information 
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion"
#product name 
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName
#data of install 
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate
#registered owner
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner
#system root
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v SystemRoot
#time zone
reg query "HKLM\System\CurrentControllerSet\Control\TimeZoneInformation" /v ActiveTimeBias
#mapped network drives
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Explorer\Map Network Drive MRU"
#mounted devices
reg query "HKLM\System\MountedDevices"
#usb devices
reg query "HKLM\System\CurrentControllerSet\Enum\USBStor"
#audit policies
reg query "HKLM\Security\Policy\PolAdTev"
#installed software (machine)
reg query "HKLM\Softwware"
#installed software (user)
reg query "HKCU\Software"
#recent documents
reg query "HKCU\Software\Microsoft\Windows\Currentversion\Explorer\RecentDocuments"
#recent user locations
reg query "HKCU\Software\Microsoft\Windows\Currentversion\Explorer\ComDlg32\LastVistitedMRU"
#typed urls
reg query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
#mru list
reg query "HKCU\Software\Microsoft\Windows\Currentversion\Explorer\RunMRU"
#last accessed registry keys
reg query "HKCU\Software\Microsoft\Windows\Currentversion\Applets\RegEdit" /v LastKey

Checking for Malicious Accounts

Windows built-in

lusrmgr.msc

List users / view user group membership

net user 
net user <username>
net localgroup Administrators

Scheduled Tasks

View using the GUI

schtasks

Remember if using the CLI the at command will only show tasked where at was used to set up the task, schtasks shows all tasks.

Unusual Log Entries

Suspicious Log entiries to look for, low hanging fruit

Event log services was stopped
Windows File Protection is not active on this system
A member was added to a security-enabled local group
##Several Failed logon attempts##

For Win7 -- Win 10

wevtutil qe security /f:text
#Or
Get-EventLog -LogName Security | Format-List -Property *

Key Sysinternals tools

Process Explorer Enumerate running processes
Autoruns Display a list of Autostart Extensibility Points (ASEP)
Process Monitor Show file system, network, registry, and process information in real time
TCPView Maps listening and active TCP UDP activity to applications
Procdump Capture memory for a running process for analysis

Dump Windows Memory

winpmem_mini.exe 20221218-ircase#0100.mem

Volatility

Best to use a virtual enviroment

python3 -m venv venv
source venv/bin/activate

General Usage

./vol.py -f image_name --profile profile_name plugin_name

Save off some enviromental variables that will help with command length and typos

export VOLATILITY_LOCATION=file:///path/image
export VOLATILITY_PROFILE=profile

Vol Plugins

There are alot of created plugins, view plugins

python vol.py --info

Basic Image Information (Start Here)

This provides basic information about the image, will suggest which volatility plugin to use

./vol.py imageinfo
#OR on windows cmd
ver
#Output 
Microsoft Windows [Version 10.0.20348.1249]
#now search for the build version 
python vol.py --info | grep 20348

Listing Processes

vol.py pslist

Parent and Child Processes

vol.py pstree

Network Connections

vol.py netscan

UserAssist

UserAssist registry keys track any program run from the GUI, create for creating IR timelines

vol.py userassist

Processs Command Line

See full command line used to start processes

vol.py cmdline

Guidelines

Suspicious process --> pslist, pstree
Network Listener --> netscan, check processes
Suspicious program --> userassist , cmdline , processes
Others --> hivelist printkey svcscan dllist

Detecting PSEXEC in logs

Get-WinEvent -FilterHashTable @{ Logname='System'; ID='7045'} | where {$_.Message.contains("PSEXEC")}

Enable Script Block Logging

New-Item -Path "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging" -Force
Set-ItemProperty -Path "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 -Force

DLL Search Order Hijacking

Windows DLLs will be searched for in this order

Folder where the application is stored
C:\Windows\System32
C:\Windows\System
C:\Windows
Current Directory
Directories listed in system path #see with env/set

PreviousHost Forensics NextWindows NT Versions

Last updated 2 years ago