Hacknetics
Windows Host Forensics

Windows CLI Basics

Command                        Action
dir                            list files and folders
cd <dir>                       change to directory
mkdir <dir>                    make directory
rmdir <dir>                    delete directory
copy <source> <target>         copy source to target
move <source> <target>         move file from source to target
ren <old> <new>                rename from old to new
del <file>                     delete file
echo <text>                    display text to STDOUT
type <file>                    display contents of file
cls                            clear screen
ver                            Windows version + build
<drive>:                       change drive
ipconfig /all                  full IP configuration (adapters, MAC, DHCP, DNS servers)
sc query state= all            show all services, running and stopped (note the space after "state=")
tasklist /m                    show processes and the DLLs loaded in each (tasklist /svc maps processes to services)
taskkill /PID <PID> /F         force kill process by ID
assoc                          show file type associations
cipher /w:<dir>                overwrite free space on the volume that holds <dir>; it does not delete files, and it destroys deleted-file evidence, so never run it on a host under investigation
fc <file1> <file2>             file compare
netstat -an                    display all connections and listening ports, numeric
pathping                       per-hop latency and packet loss (ping combined with tracert)
tracert                        display each hop and round-trip time
powercfg                       change power configuration
chkdsk /f <drive>              check and fix disk errors
driverquery /FO list /v        list of drivers and their status
osk                            on-screen keyboard
shutdown -s -t 3600            schedule shutdown in 1 hour (3600 seconds)

Powershell common cmdlets

Command                           Alias         Action
Get-Content                       cat, gc       get contents of file
Get-Service                       gsv           get services
Get-Process                       gps, ps       show processes
Stop-Process -Id <PID> -Force     kill          force kill by PID
Clear-Content                     clc           clear contents of file
Get-Command                       gcm           list all commands (gc is Get-Content, not Get-Command)
Compare-Object <f1> <f2>          compare, diff compare two object sets; pass (Get-Content f1) (Get-Content f2), two path strings only compare the names
Copy-Item                         cp, copy      copy an item
Get-Member                        gm            get the properties and methods of objects
Invoke-WmiMethod                  iwmi          call Windows Management Instrumentation methods
cmd /c <command>                                run a command through the Windows command line
Set-Alias                         sal           create or change an alias
Select-Object                     select        select objects or object properties
ForEach-Object                    %, foreach    perform an operation against each item in a collection of input objects
Where-Object                      ?, where      select objects from a collection based on their property values

Windows Directories to examine

#hosts file: static name resolution, consulted before DNS (attackers redirect update/AV domains here)
"C:\Windows\System32\drivers\etc\hosts"
#network name to address mappings
"C:\Windows\System32\drivers\etc\networks"
#SAM registry hive: local accounts and password hashes (locked while Windows is running)
"C:\Windows\System32\config\SAM"
#SECURITY registry hive: LSA secrets, cached credentials, audit policy (a hive, not the Security event log)
"C:\Windows\System32\config\SECURITY"
#SOFTWARE registry hive: installed software and the HKLM Run keys (a hive, not a log)
"C:\Windows\System32\config\SOFTWARE"
#SYSTEM registry hive: services, USBSTOR, the boot key needed to decrypt SAM
"C:\Windows\System32\config\SYSTEM"
#windows event logs (.evtx)
"C:\Windows\System32\winevt\Logs\*"
#install-time backup of SAM (Windows XP/2003); newer versions keep backups under config\RegBack
"C:\Windows\repair\SAM"
#windows xp all users startup
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*"
#windows xp user startup
"C:\Documents and Settings\User\Start Menu\Programs\Startup"
#windows all users startup
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
#windows per-user startup
"C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp"
#prefetch files (program execution evidence, up to 1024 entries on Windows 8+)
"C:\Windows\Prefetch"
#amcache.hve (program execution evidence with SHA-1 of the binaries)
"C:\Windows\AppCompat\Programs\Amcache.hve"
#NTUSER.DAT: per-user registry hive, loaded as HKCU at logon
"C:\Users\*\NTUSER.DAT"

Windows Process with wmic

  • wmic is deprecated (Windows 10 21H1 onward) and recent Windows 11 builds ship it only as an optional feature. Where it is present the commands below still work; Get-CimInstance Win32_Process returns the same data from PowerShell.

  • Get a brief output of running processes

wmic process list brief
  • Get a large amount of output from running processes

wmic process list full
  • Get specific information about running processes (parent PID and command line are the two fields that expose odd process ancestry)

wmic process get name,parentprocessid,processid,commandline
  • Focus in on a specific process

wmic process where processid=<PID> get commandline
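As an added example (not code from the original page), the same process data pulled through Get-CimInstance Win32_Process, which works on hosts where wmic has been removed: it builds a parent/child view with full command lines, detects parent PID reuse, and runs a small constructed list of parent/child pairs that should not occur on a healthy host (Office spawning a shell, svchost spawning cmd). The pair list and the '<exited>' marker are this example's own conventions, not Windows ones.

```powershell
# Added example: process tree from Win32_Process with parent names and command lines.
# Run in an elevated PowerShell on the host under investigation.

function Get-ProcessTree {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = '<exited>'
        if ($parent) {
            # PIDs are reused: if the "parent" started after the child, the real parent is gone.
            $reused = $parent.CreationDate -and $p.CreationDate -and ($parent.CreationDate -gt $p.CreationDate)
            if (-not $reused) { $parentName = $parent.Name }
        }
        [pscustomobject]@{
            PID         = $p.ProcessId
            PPID        = $p.ParentProcessId
            Parent      = $parentName
            Name        = $p.Name
            Path        = $p.ExecutablePath
            Started     = $p.CreationDate
            CommandLine = $p.CommandLine
        }
    }
}

# Constructed list of parent -> child pairs that should not appear; extend it per environment.
$badChildren = @{
    'winword.exe' = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
    'excel.exe'   = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
    'outlook.exe' = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe')
    'svchost.exe' = @('cmd.exe', 'powershell.exe')
}

function Find-SuspiciousChildren {
    param([Parameter(ValueFromPipeline)] $Proc)   # rows produced by Get-ProcessTree
    process {
        $children = $badChildren["$($Proc.Parent)".ToLower()]
        if ($children -and ($children -contains "$($Proc.Name)".ToLower())) { $Proc }
    }
}

$tree = Get-ProcessTree
$tree | Sort-Object PPID, PID | Format-Table PID, PPID, Parent, Name, Path -AutoSize
$tree | Find-SuspiciousChildren | Format-List
```

Command lines come back only for processes the caller can open, so run elevated; anything that still shows an empty CommandLine and Path is a protected process and is worth checking with Process Explorer.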

Network Connections

  • Overview of connections (numeric, no name resolution)

netstat -na
  • Show the owning process ID and the executable / DLLs that created each connection (-b needs an elevated prompt)

netstat -naob
  • Refresh network connections every 5 seconds

netstat -naob 5
  • Examine the built-in firewall settings, Windows 7 -- Windows 10 (netsh advfirewall firewall show rule name=all lists the individual rules)

netsh advfirewall show currentprofile
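The same view from PowerShell, as an added example that is not part of the original page: Get-NetTCPConnection carries the owning PID, so it can be joined to Get-Process to show the binary behind every listener and every established connection, then filtered for images that live outside the places legitimate network-facing software is installed. The trusted-root list and the Temp exclusion are this example's own heuristics.

```powershell
# Added example: TCP connections joined to their owning process, then filtered for
# binaries running from unexpected locations. Run elevated so Path resolves for system services.

function Get-ConnectionsWithOwner {
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    # UDP listeners: Get-NetUDPEndpoint exposes the same OwningProcess field.
    Get-NetTCPConnection | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            LocalAddr  = $_.LocalAddress
            LocalPort  = $_.LocalPort
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
            State      = $_.State
            PID        = $_.OwningProcess
            Process    = if ($p) { $p.ProcessName } else { '<unknown>' }
            Path       = if ($p) { $p.Path } else { $null }   # null for System/protected processes or without elevation
        }
    }
}

# Directories a legitimate network-facing binary is normally installed in (heuristic).
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    if ($Path -match '\\Temp\\') { return $false }      # C:\Windows\Temp is user-writable
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$conns = Get-ConnectionsWithOwner

# Every listener and the binary behind it
$conns | Where-Object State -eq 'Listen' | Sort-Object LocalPort |
    Format-Table LocalAddr, LocalPort, PID, Process, Path -AutoSize

# Established connections from binaries outside the trusted roots (or with no resolvable path)
$conns | Where-Object { $_.State -eq 'Established' -and -not (Test-TrustedPath $_.Path) } |
    Format-Table RemoteAddr, RemotePort, PID, Process, Path -AutoSize
```

A hit with Process '<unknown>' means the process exited between the two queries or the PID belongs to the kernel (PID 4); rerun before drawing conclusions.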

Windows Services

  • Examine services via GUI built-in

services.msc
  • Examine running services

net start
  • Get details about each service

sc query | more
  • Map running process to windows services

tasklist /svc

Registry ASEPs/Registry Persistence

  • Check common problem areas in the Windows Registry (Autostart Extensibility Points). The HKLM keys run for every user who logs on; the HKCU keys only for the user whose hive is loaded, so check each user's NTUSER.DAT, not just the account running the shell. On 64-bit Windows the 32-bit view lives under Software\Wow6432Node and needs the same checks.

#HKLM
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
#HKCU
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  • Additional persistence keys. The Shell Folders values tell Explorer where the Startup folder is; pointing "Startup" or "Common Startup" somewhere else moves autostart to an attacker-chosen directory that nobody inspects

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
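The following is an added example, not code from the original page: it walks the Run/RunOnce/RunOnceEx and Shell Folders keys above for HKLM (both 64- and 32-bit views) and for every user hive currently loaded under HKEY_USERS, so a second user's Run key is not missed. REG_EXPAND_SZ data is read unexpanded, because expanding %USERPROFILE% from another user's hive would substitute the investigator's own profile. The key list is this example's selection; Policies\Explorer\Run is an additional ASEP not shown on the page.

```powershell
# Added example: enumerate autostart (ASEP) values across HKLM and all loaded user hives.

$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
)

function Get-AsepValues {
    param([string]$HiveRoot)   # 'HKLM:' or 'Registry::HKEY_USERS\<SID>'
    foreach ($sub in $runKeys) {
        $key = "$HiveRoot\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key
                Value = if ($name) { $name } else { '(Default)' }
                # DoNotExpandEnvironmentNames keeps %USERPROFILE% etc. as stored in the hive
                Data  = $item.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            }
        }
    }
}

# HKLM first, then every loaded user hive (real user SIDs only; skip the *_Classes hives)
$results = @(Get-AsepValues -HiveRoot 'HKLM:')
Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { $results += Get-AsepValues -HiveRoot "Registry::HKEY_USERS\$($_.PSChildName)" }

$results | Format-Table -Wrap -AutoSize

# Startup redirection: these should point into the user's profile or ProgramData
$results | Where-Object { $_.Key -like '*Shell Folders' -and $_.Value -like '*Startup*' } |
    Format-Table Key, Value, Data -Wrap
```

A user's hive is only under HKEY_USERS while that user is logged on; for everyone else, reg load HKU\tmp C:\Users\<name>\NTUSER.DAT first, call Get-AsepValues with 'Registry::HKEY_USERS\tmp', then reg unload.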

Disable RunOnce

  • Hardening rather than evidence collection: this policy stops Windows from processing the HKLM RunOnce key at logon (the per-user equivalent is DisableCurrentUserRunOnce under the same key). Do not apply it to a host that is still being examined; collect the RunOnce contents first.

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce /t REG_DWORD /d 1

Common Windows Registry Locations to Check

#os information
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion"
#product name
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName
#date of install (REG_DWORD, seconds since 1970-01-01 UTC)
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate
#registered owner
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner
#system root
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v SystemRoot
#time zone (ActiveTimeBias = minutes to add to local time to reach UTC; needed to line up local timestamps with log sources)
reg query "HKLM\System\CurrentControlSet\Control\TimeZoneInformation" /v ActiveTimeBias
#mapped network drives (per user, in NTUSER.DAT)
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU"
#mounted devices
reg query "HKLM\System\MountedDevices"
#usb storage devices ever connected (vendor, product and serial number are in the subkey names)
reg query "HKLM\System\CurrentControlSet\Enum\USBSTOR"
#audit policies (HKLM\Security is readable only as SYSTEM: run the query via psexec -s, or parse the offline SECURITY hive)
reg query "HKLM\Security\Policy\PolAdtEv"
#installed software (machine; the Microsoft\Windows\CurrentVersion\Uninstall subkey holds the program list)
reg query "HKLM\Software"
#installed software (user)
reg query "HKCU\Software"
#recent documents
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
#recent locations used in open/save dialogs (LastVisitedMRU on XP)
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU"
#typed urls
reg query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
#run dialog history
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
#last key open in regedit
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /v LastKey
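As an added example (not from the original page), the host-profile keys above read from PowerShell with the values that are not human-readable as stored decoded: InstallDate is seconds since the Unix epoch, ActiveTimeBias is minutes to add to local time to reach UTC, and each USBSTOR subkey name carries the vendor/product string with the serial number one level below. Field names in the output objects are this example's own.

```powershell
# Added example: decode the host-profile registry values above.

function Get-HostProfile {
    $cv = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'
    $tz = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\TimeZoneInformation'

    # REG_DWORD values surface as signed Int32, so zones east of UTC already read negative
    # (UTC+1 stores -60, US Eastern standard stores 300).
    $bias = [int]$tz.ActiveTimeBias

    [pscustomobject]@{
        ProductName     = $cv.ProductName
        Build           = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        InstallDateUtc  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$cv.InstallDate).UtcDateTime
        RegisteredOwner = $cv.RegisteredOwner
        SystemRoot      = $cv.SystemRoot
        TimeZone        = $tz.TimeZoneKeyName
        UtcOffsetHours  = (-$bias) / 60      # UTC+1 -> 1, US Eastern standard -> -5
    }
}

function Get-UsbStorHistory {
    $root = 'HKLM:\System\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return }
    foreach ($dev in Get-ChildItem $root) {             # e.g. Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP
        foreach ($inst in Get-ChildItem $dev.PSPath) {  # one subkey per serial (Windows generates IDs ending in &0 for devices without one)
            $p = Get-ItemProperty $inst.PSPath
            [pscustomobject]@{
                Device       = $dev.PSChildName
                Serial       = $inst.PSChildName
                FriendlyName = $p.FriendlyName
                Class        = $p.Class
            }
        }
    }
}

Get-HostProfile | Format-List
Get-UsbStorHistory | Format-Table -AutoSize
```

Apply UtcOffsetHours to every local-time artifact (Prefetch, LNK, browser history) before merging it with UTC sources such as the event logs, or the timeline will be off by exactly that offset.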

Checking for Malicious Accounts

  • Windows built-in

lusrmgr.msc
  • List users / view user group membership

net user 
net user <username>
net localgroup Administrators
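An added example that goes a step beyond listing (it is not code from the original page): Get-LocalUser exposes each account's SID, so the RID identifies the built-in Administrator (500) and Guest (501) even after a rename, and the last-logon and password timestamps show accounts that were created or reset recently and never used. Administrators membership is compared against $knownAdmins, a constructed baseline that must be replaced with the host's own.

```powershell
# Added example: local account triage. $knownAdmins is a constructed baseline, adjust per host.

$knownAdmins = @('Administrator', 'Domain Admins')
$recentDays  = 30

function Get-AccountFindings {
    $findings = @()
    foreach ($u in Get-LocalUser) {
        # RID is the last SID component: 500 = built-in Administrator, 501 = Guest, >= 1000 = created accounts
        $rid = [int]($u.SID.Value -split '-')[-1]
        if ($rid -eq 500 -and $u.Name -ne 'Administrator') { $findings += "Built-in Administrator (RID 500) has been renamed to '$($u.Name)'" }
        if ($rid -eq 500 -and $u.Enabled) { $findings += 'Built-in Administrator account is enabled' }
        if ($rid -eq 501 -and $u.Enabled) { $findings += 'Guest account is enabled' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -gt (Get-Date).AddDays(-$recentDays) -and -not $u.LastLogon) {
            $findings += "'$($u.Name)' had its password set within $recentDays days and has never logged on"
        }
        if ($rid -ge 1000 -and $u.Enabled -and -not $u.PasswordExpires) {
            $findings += "'$($u.Name)' (RID $rid) is enabled with a password that never expires"
        }
    }
    # Get-LocalGroupMember names are HOST\user or DOMAIN\group; compare on the short name.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $short = ($m.Name -split '\\')[-1]
        if ($knownAdmins -notcontains $short) {
            $findings += "Unexpected Administrators member: $($m.Name) ($($m.ObjectClass), source $($m.PrincipalSource))"
        }
    }
    $findings
}

Get-LocalUser | Sort-Object { [int]($_.SID.Value -split '-')[-1] } |
    Format-Table Name, Enabled, SID, LastLogon, PasswordLastSet, Description -AutoSize
Get-AccountFindings
```

Get-LocalGroupMember throws on groups containing orphaned SIDs (a former domain account, for example); when that happens fall back to net localgroup Administrators, which still prints them as raw SIDs, and treat each raw SID as a finding in its own right.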

Scheduled Tasks

  • View from the CLI (bare schtasks prints a summary; add /query /fo LIST /v for the full definition of every task). The GUI is taskschd.msc

schtasks
  • The legacy at command only shows tasks that were created with at (and at itself is gone from Windows 8 and later); schtasks shows all tasks, including the ones registered under \Microsoft\ that malware likes to hide among.
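An added example, not code from the original page: Get-ScheduledTask yields every task with its actions and principal, and Get-ScheduledTaskInfo adds the run history. The triage below pulls the executable and arguments out of each action and marks the patterns that usually matter in IR: tasks outside the \Microsoft\ tree, tasks that run a script host or LOLBin, and tasks whose binary sits in a user-writable directory. The host list and writable-root list are this example's heuristics.

```powershell
# Added example: scheduled task triage. Run elevated to see tasks registered by other principals.

$scriptHosts   = 'powershell','pwsh','cmd','wscript','cscript','mshta','rundll32','regsvr32','certutil','bitsadmin'
$writableRoots = @("$env:SystemRoot\Temp", "$env:SystemDrive\Users", "$env:ProgramData", "$env:SystemRoot\Tasks")

function Get-TaskTriage {
    foreach ($t in Get-ScheduledTask) {
        $info = $t | Get-ScheduledTaskInfo
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }     # COM-handler actions carry a ClassId instead of Execute
            $exe  = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            $leaf = [IO.Path]::GetFileNameWithoutExtension($exe).ToLower()
            $reasons = @()
            if ($t.TaskPath -notlike '\Microsoft\*') { $reasons += 'outside \Microsoft\' }
            if ($scriptHosts -contains $leaf)         { $reasons += "script host ($leaf)" }
            foreach ($root in $writableRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $reasons += "runs from $root"; break }
            }
            [pscustomobject]@{
                Task      = $t.TaskPath + $t.TaskName
                State     = $t.State
                RunAs     = $t.Principal.UserId
                Execute   = $exe
                Arguments = $a.Arguments
                Author    = $t.Author
                LastRun   = $info.LastRunTime
                NextRun   = $info.NextRunTime
                Reasons   = $reasons -join '; '
            }
        }
    }
}

$triage = Get-TaskTriage
$triage | Where-Object Reasons | Sort-Object Task |
    Format-Table Task, State, RunAs, Execute, Arguments, LastRun, Reasons -Wrap
```

Task XML lives under C:\Windows\System32\Tasks and the registry copy under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache; a task that exists in one place but not the other has been tampered with to hide it from schtasks, so compare the three when the counts disagree.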

Unusual Log Entries

  • Suspicious log entries to look for, low hanging fruit (Security log unless noted)

Event log service was stopped (1100) / the audit log was cleared (1102)
Windows File Protection is not active on this system
A member was added to a security-enabled local group (4732)
##Several failed logon attempts (4625)##
A service was installed in the system (7045, System log)
  • For Win7 -- Win10, dump the Security log as text (elevated prompt required). Get-EventLog exists only in Windows PowerShell; Get-WinEvent works in both Windows PowerShell and PowerShell 7

wevtutil qe security /f:text
#Or
Get-EventLog -LogName Security | Format-List -Property *

Key Sysinternals tools

  • Process Explorer: enumerate running processes, with their parent, command line, loaded DLLs and signature status

  • Autoruns: display every Autostart Extensibility Point (ASEP), far more than the Run keys

  • Process Monitor: show file system, network, registry and process activity in real time

  • TCPView: map listening and active TCP/UDP activity to applications

  • Procdump: capture a memory dump of a running process for analysis

Dump Windows Memory

  • winpmem writes a raw physical-memory image. Run it from an elevated prompt, name the output after the case, and write it to external media rather than the evidence disk

winpmem_mini.exe 20221218-ircase#0100.mem

Volatility

  • Best to use a virtual environment. The commands below use Volatility 2 syntax (a --profile and plugin names such as pslist); Volatility 3 drops profiles, works from symbol tables, and names the equivalent plugins windows.pslist, windows.pstree, windows.netscan, windows.cmdline and so on

python3 -m venv venv
source venv/bin/activate

General Usage

./vol.py -f image_name --profile profile_name plugin_name
  • Save off some environment variables that save command length and typos. With these set, -f and --profile can be omitted, as in the examples that follow

export VOLATILITY_LOCATION=file:///path/image
export VOLATILITY_PROFILE=profile

Vol Plugins

  • There are a lot of plugins; list them (and the available profiles) with

python vol.py --info

Basic Image Information (Start Here)

  • imageinfo provides basic information about the image and suggests which profile to use. If the host the image came from is still reachable, ver on that host gives the build directly and the profile can be looked up by build number instead

./vol.py imageinfo
#OR on the windows cmd of the imaged host
ver
#Output
Microsoft Windows [Version 10.0.20348.1249]
#now search the profile list for the build number
python vol.py --info | grep 20348

Listing Processes

vol.py pslist

Parent and Child Processes

vol.py pstree

Network Connections

vol.py netscan

UserAssist

  • UserAssist registry keys track programs run from the GUI, with run counts and last-run times; useful for building IR timelines

vol.py userassist

Process Command Line

  • See the full command line used to start each process

vol.py cmdline

Guidelines

  • Suspicious process --> pslist, pstree

  • Network listener --> netscan, then check the owning processes

  • Suspicious program --> userassist, cmdline, processes

  • Others --> hivelist, printkey, svcscan, dlllist

Detecting PSEXEC in logs

  • PsExec installs a service named PSEXESVC on the target, which produces System event 7045 (a service was installed). Note that "PSEXESVC" does not contain the string "PSEXEC", so a Contains("PSEXEC") test never matches; match on the service name instead. PsExec -r renames the service, so also review every 7045 whose image path is not a normal system location

Get-WinEvent -FilterHashtable @{ LogName='System'; ID=7045 } | Where-Object { $_.Message -match 'PSEXESVC' }
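The following added example (not from the original page) serves both the "Unusual Log Entries" list and the PsExec check: one pass over the Security and System logs with Get-WinEvent -FilterHashtable, keyed on the event IDs behind those entries, reading the named fields from each event's XML rather than pattern-matching the free-text Message. The lookback window, the failed-logon threshold of 5 and the "normal image path" pattern are this example's choices.

```powershell
# Added example: event log triage for log tampering, group changes, logon bursts and service installs.
# Reading the Security log requires an elevated prompt.

$hours = 24
$since = (Get-Date).AddHours(-$hours)

function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Get-LogFindings {
    $f = @()
    # 1100 = event logging service shut down, 1102 = audit log cleared (UserId is who cleared it)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1100,1102; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object { $f += [pscustomobject]@{Time=$_.TimeCreated; Id=$_.Id; Finding="Event logging stopped or log cleared by $($_.UserId)"} }

    # 4732 = member added to a security-enabled local group
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object { $f += [pscustomobject]@{Time=$_.TimeCreated; Id=$_.Id;
            Finding="$(Get-EventField $_ 'MemberSid') added to $(Get-EventField $_ 'TargetUserName') by $(Get-EventField $_ 'SubjectUserName')"} }

    # 4625 = failed logon: group by account, source and logon type, report bursts of 5 or more
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object { "$(Get-EventField $_ 'TargetUserName') from $(Get-EventField $_ 'IpAddress') type $(Get-EventField $_ 'LogonType')" } |
        Group-Object | Where-Object Count -ge 5 |
        ForEach-Object { $f += [pscustomobject]@{Time=$null; Id=4625; Finding="$($_.Count) failed logons: $($_.Name)"} }

    # 7045 = service installed (System log). PsExec's default service is PSEXESVC, but -r renames it,
    # so also flag any image outside the usual roots or anywhere under a Temp directory.
    $normalImage = '^"?(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files)'   # assumes a C: system drive
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = Get-EventField $_ 'ServiceName'
            $img  = Get-EventField $_ 'ImagePath'
            if (($name -match 'PSEXESVC') -or ($img -notmatch $normalImage) -or ($img -match '\\Temp\\')) {
                $f += [pscustomobject]@{Time=$_.TimeCreated; Id=7045; Finding="Service '$name' installed, image $img"}
            }
        }
    $f | Sort-Object Time
}

Get-LogFindings | Format-Table -Wrap -AutoSize
```

Get-WinEvent raises an error when a filter matches nothing, which is why each call carries -ErrorAction SilentlyContinue; if every query comes back empty on a host that was clearly in use, check for a 1102 outside the window and for an event log service that is not running.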

Enable Script Block Logging

  • Script block logging records the content of every script block PowerShell executes, including de-obfuscated code, as event 4104 in Microsoft-Windows-PowerShell/Operational. The policy key PowerShell reads is under HKLM\SOFTWARE\Policies (the PowerShell provider needs the HKLM: drive prefix, which the original lacked); it takes effect for new PowerShell sessions

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 -Type DWord -Force

DLL Search Order Hijacking

  • With SafeDllSearchMode enabled (the default since Windows XP SP2), a DLL that is requested by name only, and is not already loaded or a Known DLL, is searched for in this order

Folder the application was loaded from
C:\Windows\System32
C:\Windows\System (16-bit system directory)
C:\Windows
Current directory
Directories listed in PATH #see with set, or echo %PATH%
  • Because the application directory is searched before System32, a writable application directory lets an attacker plant a DLL that shadows a system DLL the program imports by name. Known DLLs (listed under HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs) are always resolved from System32 and are immune; if SafeDllSearchMode is set to 0 under Session Manager, the current directory moves up to second place and the exposure grows.
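An added example, not code from the original page, that hunts for the footprint described above: for every running process, list the DLLs it loaded from somewhere other than the system directories while a DLL of the same name exists in System32 or SysWOW64. That is exactly what a search-order hijack looks like from the inside, since the planted copy in the application directory wins over the genuine one. The signature check is there because legitimate software does ship its own copies of some system DLLs (msvcp*, vcruntime*), and those are signed.

```powershell
# Added example: find loaded DLLs that shadow a System32/SysWOW64 DLL of the same name.
# Run elevated; 64-bit PowerShell cannot enumerate modules of 32-bit processes and vice versa,
# so run it from both hosts on a 64-bit system.

$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

# Index of DLL names that exist in the system directories
$systemDllNames = @{}
foreach ($d in $systemDirs[0..1]) {
    Get-ChildItem -Path $d -Filter *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object { $systemDllNames[$_.Name.ToLower()] = $true }
}

function Test-SystemPath {
    param([string]$Path)
    foreach ($d in $systemDirs) {   # WinSxS is included because manifest-redirected DLLs (comctl32 etc.) load from there
        if ($Path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-ShadowedDlls {
    foreach ($p in Get-Process) {
        $mods = $null
        try { $mods = $p.Modules } catch { continue }   # access denied on protected processes
        foreach ($m in $mods) {
            $name = $m.ModuleName.ToLower()
            if (-not $name.EndsWith('.dll')) { continue }
            if (-not $systemDllNames.ContainsKey($name)) { continue }
            if (Test-SystemPath $m.FileName) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                Process    = $p.ProcessName
                PID        = $p.Id
                Dll        = $m.ModuleName
                LoadedFrom = $m.FileName
                Signature  = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
            }
        }
    }
}

# Unsigned (NotSigned) copies of core DLLs sitting next to a signed binary are the ones to pull.
Find-ShadowedDlls | Sort-Object Signature, Process | Format-Table -AutoSize
```

This only sees processes that are running now; for a binary that is not running, Process Monitor filtered on Result = NAME NOT FOUND and Path ending in .dll shows which names it probes in its own directory before falling through to System32, which is the list of hijackable names for that program.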
Last updated 2 years ago