# Windows Host Forensics

### Windows CLI Basics

| Command                  | Action                          |
| ------------------------ | ------------------------------- |
| dir                      | list files and folders          |
| cd \<dir>                | change to directory             |
| mkdir \<dir>             | make directory                  |
| rmdir \<dir>             | delete directory                |
| copy \<source> \<target> | copy source to target           |
| move \<source> \<target> | move file from source to target |
| ren \<old> \<new>        | rename from old to new          |
| del \<file>              | delete file                     |
| echo \<text>             | display text to STDOUT          |
| type \<text.txt>         | display contents of file        |
| cls                      | clear screen                    |
| ver                      | Windows Version + Build         |
| \<drive>:                | Change Drive                    |
| ipconfig /all            | get ip address                  |
| sc query state=all       | show services                   |
| tasklist /m              | show processes and loaded DLLs  |
| taskkill /PID \<PID> /F  | force kill process by id        |
| assoc                    | Show file type association      |
| cipher /w:\<dir>         | securely wipe free space on the volume holding \<dir> |
| fc \<file> \<file>       | file compare                    |
| netstat -an              | display currently opened ports  |
| pathping                 | displays each hop in ping       |
| tracert                  | displays each hop and time      |
| powercfg                 | change power configuration      |
| chkdsk /f \<drive>       | check and fix disk errors       |
| driverquery /FO list /v  | list of drivers and status      |
| osk                      | on screen keyboard              |
| shutdown -s -t 3600      | schedule shutdown for 1 hour    |

### Powershell common cmdlets

| Command                          | Alias   | Action                                                                   |
| -------------------------------- | ------- | ------------------------------------------------------------------------ |
| Get-Content                      | cat     | get contents of file                                                     |
| Get-Service                      | gsv     | get services                                                             |
| Get-Process                      | gps     | show services and processes                                              |
| Stop-Process -Id \<PID> -Force   | kill    | force kill by pid                                                        |
| Clear-Content                    | clc     | clear contents of file                                                   |
| Get-Command                      | gcm     | gets all commands                                                        |
| Compare-Object \<f1> \<f2>       | compare | compare f1 and f2                                                        |
| Copy-Item                        | cp      | copy an item                                                             |
| Get-Member                       | gm      | gets the properties and methods for objects                              |
| Invoke-WMIMethod                 | iwmi    | calls windows management instrumentation methods                         |
| cmd /c \<command>                |         | run command as windows command line                                      |
| Set-Alias                        | sal     | creates or changes an alias                                              |
| Select-Object                    | select  | selects objects or object properties                                     |
| ForEach-Object                   | %       | performs an operation against each item in a collection of input objects |
| Where-Object                     | ?       | selects objects from a collection based on their property values         |

### Windows Directories to examine

```powershell
#hosts file (static name resolution; check for redirected hostnames)
"C:\Windows\System32\drivers\etc\hosts"
#network name/number mappings
"C:\Windows\System32\drivers\etc\networks"
#SAM hive: local usernames and password hashes
"C:\Windows\System32\config\SAM"
#SECURITY hive: local security policy, cached secrets
"C:\Windows\System32\config\SECURITY"
#SOFTWARE hive: installed software and machine-wide settings
"C:\Windows\System32\config\SOFTWARE"
#windows event logs
"C:\Windows\System32\winevt\*"
#backup copy of the SAM hive
"C:\Windows\repair\SAM"
#Windows XP all users startup
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*"
#Windows XP per-user startup
"C:\Documents and Settings\User\Start Menu\Programs\Startup"
#windows all users startup
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
#windows per-user startup
"C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp"
#prefetch files (evidence of program execution)
"C:\Windows\Prefetch"
#Amcache.hve (executed program metadata)
"C:\Windows\AppCompat\Programs\Amcache.hve"
#NTUSER.DAT (per-user registry hive)
"C:\Users\*\NTUSER.DAT"
```


### Windows Process with wmic

* Get a brief output of running processes

```
wmic process list brief 
```

* Get a large amount of output from running processes

```
wmic process list full
```

* Get specific information about running processes

```
wmic process get name,parentprocessid,processid,commandline
```

* Focus in on a specific process

```
wmic process where processid=pid_number get commandline
```
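The `wmic` queries above return parent and child PIDs as a flat list. The following added example (not code from the original page) rebuilds the tree from the same fields (Name, ParentProcessId, ProcessId, CommandLine) via CIM, so a process whose parent has already exited ends up at the root and unusual spawns stand out next to their command lines.

```powershell
# Added example: reconstruct the process tree from Win32_Process (same fields wmic shows).
function Show-ProcessTree {
    $procs = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
    $alive = @{}
    foreach ($p in $procs) { $alive[[int]$p.ProcessId] = $true }

    # Group by parent; a parent that no longer exists (or PID reuse) collapses to root 0.
    $children = @{}
    foreach ($p in $procs) {
        $parent = [int]$p.ParentProcessId
        if ($parent -eq $p.ProcessId -or -not $alive.ContainsKey($parent)) { $parent = 0 }
        if (-not $children.ContainsKey($parent)) { $children[$parent] = @() }
        $children[$parent] += $p
    }

    # Depth-first walk; indentation shows the parent/child relationship.
    function Walk([int]$parentId, [int]$depth) {
        foreach ($c in ($children[$parentId] | Sort-Object ProcessId)) {
            '{0}{1} (PID {2}) {3}' -f ('  ' * $depth), $c.Name, $c.ProcessId, $c.CommandLine
            # System Idle Process (PID 0) lists itself as parent; do not recurse into it.
            if ($c.ProcessId -ne $parentId -and $children.ContainsKey([int]$c.ProcessId)) {
                Walk $c.ProcessId ($depth + 1)
            }
        }
    }
    Walk 0 0
}

Show-ProcessTree
```

Command lines of other users' processes are only visible from an elevated prompt; otherwise that column is blank for them.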

### Network Connections

* Overview of connections

```
netstat -na
```

* Show the owning process ID and associated exe's / DLLs

```
netstat -naob
```

* Refresh network connections every 5 seconds

```
netstat -naob 5
```

* Examine the built-in firewall settings Windows 7 -- Windows 10

```
netsh advfirewall show currentprofile
```

### Windows Services

* Examine services via GUI built-in

```
services.msc
```

* Examine running services

```
net start
```

* Get details about each service

```
sc query | more
```

* Map running process to windows services

```
tasklist /svc
```

### Registry ASEPs / Registry Persistence

* Check common problem areas in Windows Registry

```
#HKLM
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
#HKCU
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
```

* Additional Persistence Keys

```
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
```
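Reading the `reg query` output above by eye is slow on a busy host. This added example (not code from the original page) walks the Run/RunOnce/RunOnceEx keys under both hives, pulls the executable out of each command line, and flags entries whose binary is unsigned, missing, or located in a user-writable folder; the folder list is a triage heuristic chosen here, not a verdict.

```powershell
# Added example: triage the Run/RunOnce/RunOnceEx ASEPs under HKLM and HKCU.
function Get-AsepEntries {
    $keys = foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce', 'RunOnceEx') {
            "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        }
    }
    # Folders an ordinary user can write to; autostarts from here deserve a closer look.
    $userWritable = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\'

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }   # RunOnce/RunOnceEx are often absent
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)   # REG_EXPAND_SZ values are expanded here
            # Extract the executable: quoted path, or the first whitespace-delimited token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+', 2)[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $status = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Key          = $key
                Name         = $name
                Command      = $cmd
                Signature    = $status
                UserWritable = [bool]($exe -match $userWritable)
            }
        }
    }
}

# Unsigned, missing, or oddly placed autostarts first; review the remainder afterwards.
Get-AsepEntries | Where-Object { $_.Signature -ne 'Valid' -or $_.UserWritable } |
    Format-Table -AutoSize -Wrap
```

Run it once per interactive user as well, since `HKCU` only covers the account executing the script.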

### Disable RunOnce

```
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce /t REG_DWORD /d 1
```

### Common Windows Registry Locations to Check

```powershell
#os information
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion"
#product name
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName
#date of install
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate
#registered owner
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner
#system root
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v SystemRoot
#time zone
reg query "HKLM\System\CurrentControlSet\Control\TimeZoneInformation" /v ActiveTimeBias
#mapped network drives (per user)
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU"
#mounted devices
reg query "HKLM\System\MountedDevices"
#usb devices
reg query "HKLM\System\CurrentControlSet\Enum\USBStor"
#audit policies
reg query "HKLM\Security\Policy\PolAdtEv"
#installed software (machine)
reg query "HKLM\Software"
#installed software (user)
reg query "HKCU\Software"
#recent documents
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
#recent user locations (Open/Save dialogs)
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU"
#typed urls
reg query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
#Run dialog mru list
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
#last accessed registry key in regedit
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /v LastKey
```

### Checking for Malicious Accounts

* Windows built-in

```
lusrmgr.msc
```

* List users / view user group membership

```
net user 
net user <username>
net localgroup Administrators
```

### Scheduled Tasks

* View all scheduled tasks from the CLI

```
schtasks
```

* Remember that the `at` command only shows tasks that were created with `at`; `schtasks` shows all tasks.

### Unusual Log Entries

* Suspicious log entries to look for, low hanging fruit

```
Event log services was stopped
Windows File Protection is not active on this system
A member was added to a security-enabled local group
Several failed logon attempts
```

* For Win7 -- Win 10

```
wevtutil qe security /f:text
#Or
Get-EventLog -LogName Security | Format-List -Property *
```
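Dumping the whole Security log with `Format-List -Property *` is a lot to read. As an added example (not code from the original page), the function below pulls just the low-hanging-fruit entries listed above out of the Security log; the event IDs are assumed from Windows documentation: 1100 (event logging service shut down), 1102 (audit log cleared), 4732 (member added to a security-enabled local group) and 4625 (failed logon). The Windows File Protection message is XP-era and lives in the System log, so it is not covered here.

```powershell
# Added example: Security log triage for the entries listed above (Win7 -- Win10).
function Get-SuspiciousSecurityEvents {
    param(
        [int]$Days = 7,
        [int]$FailedLogonThreshold = 5    # per account; tune for the environment
    )
    $filter = @{ LogName = 'Security'; Id = 1100, 1102, 4732, 4625
                 StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Single-event findings: report each one with the message title line.
    foreach ($e in $events | Where-Object { $_.Id -ne 4625 }) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Count   = 1
            Summary = ([string]$e.Message -split "`r?`n")[0]
        }
    }

    # Failed logons: read TargetUserName from the event XML and count per account,
    # so a handful of typos is ignored but a spray against one account is reported.
    $events | Where-Object { $_.Id -eq 4625 } | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        }
    } | Group-Object User | Where-Object { $_.Count -ge $FailedLogonThreshold } | ForEach-Object {
        [pscustomobject]@{
            Time    = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            Id      = 4625
            Count   = $_.Count
            Summary = "Repeated failed logons for account '$($_.Name)'"
        }
    }
}

# Reading the Security log requires an elevated prompt.
Get-SuspiciousSecurityEvents -Days 3 | Sort-Object Time | Format-Table -AutoSize
```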

### Key Sysinternals tools

* `Process Explorer` Enumerate running processes
* `Autoruns` Display a list of Autostart Extensibility Points (ASEP)
* `Process Monitor` Show file system, network, registry, and process information in real time
* `TCPView` Maps listening and active TCP/UDP activity to applications
* `Procdump` Capture memory for a running process for analysis

### Dump Windows Memory

```
winpmem_mini.exe 20221218-ircase#0100.mem
```

### Volatility

* Best to use a virtual environment

```
python3 -m venv venv
source venv/bin/activate
```

#### General Usage

```
./vol.py -f image_name --profile profile_name plugin_name
```

* Save off some environment variables that will help with command length and typos

```
export VOLATILITY_LOCATION=file:///path/image
export VOLATILITY_PROFILE=profile
```

#### Vol Plugins

* There are a lot of plugins available; list them with

```
python vol.py --info
```

#### Basic Image Information (Start Here)

* This provides basic information about the image and suggests which Volatility profile to use

```
./vol.py imageinfo
#OR on windows cmd
ver
#Output 
Microsoft Windows [Version 10.0.20348.1249]
#now search for the build version 
python vol.py --info | grep 20348
```

#### Listing Processes

```
vol.py pslist
```

#### Parent and Child Processes

```
vol.py pstree
```

#### Network Connections

```
vol.py netscan
```

#### UserAssist

* UserAssist registry keys track programs run from the GUI, great for building IR timelines

```
vol.py userassist
```

#### Process Command Line

* See full command line used to start processes

```
vol.py cmdline
```

#### Guidelines

* Suspicious process --> `pslist`, `pstree`
* Network Listener --> `netscan`, check processes
* Suspicious program --> `userassist` , `cmdline` , processes
* Others --> `hivelist` `printkey` `svcscan` `dlllist`

### Detecting PSEXEC in logs

```
Get-WinEvent -FilterHashTable @{ Logname='System'; ID='7045'} | where {$_.Message.contains("PSEXEC")}
```

### Enable Script Block Logging

```
# the registry provider needs the drive form HKLM:\ (without the colon New-Item would create a folder on disk)
New-Item -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 -Force
```

### DLL Search Order Hijacking

* Windows DLLs will be searched for in this order

```
Folder where the application is stored
C:\Windows\System32
C:\Windows\System
C:\Windows
Current Directory
Directories listed in system path #see with env/set
```
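A practical check that follows from the order above: a DLL loaded from the application folder, the current directory or a PATH entry while a same-named DLL exists in `C:\Windows\System32` resolved earlier in the search than the system copy. This added example (not code from the original page) lists such pairs for a running process. They are hijack candidates only, since vendors also ship private copies of common runtimes, so the signature column is there to separate the two.

```powershell
# Added example: find DLLs a process loaded ahead of a same-named copy in System32.
function Find-ShadowedDlls {
    param([Parameter(Mandatory)][string]$ProcessName)
    $root = $env:SystemRoot
    $system32 = Join-Path $root 'System32'
    # Loads from these locations are expected and never flagged.
    $trusted = @($system32, (Join-Path $root 'SysWOW64'), (Join-Path $root 'System'), $root)

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        if (-not $proc.Path) { continue }           # protected/system process: no access
        try { $modules = $proc.Modules } catch {     # also fails on 32/64-bit mismatches
            Write-Warning "Cannot enumerate modules of PID $($proc.Id): $_"; continue
        }
        $appDir = Split-Path -Parent $proc.Path
        foreach ($m in $modules) {
            $dir = Split-Path -Parent $m.FileName
            # Side-by-side assemblies under WinSxS are also legitimate duplicates.
            if ($trusted -contains $dir -or $dir -like "$root\WinSxS\*") { continue }
            $sysCopy = Join-Path $system32 $m.ModuleName
            if (Test-Path -LiteralPath $sysCopy -PathType Leaf) {
                [pscustomobject]@{
                    Process    = $proc.ProcessName
                    Pid        = $proc.Id
                    Dll        = $m.ModuleName
                    LoadedFrom = $m.FileName
                    InAppDir   = ($dir -ieq $appDir)
                    Signature  = (Get-AuthenticodeSignature -LiteralPath $m.FileName).Status
                }
            }
        }
    }
}

Find-ShadowedDlls -ProcessName notepad | Format-Table -AutoSize
```

Run from a 64-bit elevated PowerShell so that both 64-bit and 32-bit processes can be inspected.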

