-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathdraft
214 lines (143 loc) · 11.6 KB
/
draft
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
Identify Suspicious Processes
-------------------------------
C:\> taskmgr.exe = invokes the Task Manager GUI
C:\> tasklist = Displays a list of currently running processes on the local computer or on a remote computer
C:\> tasklist /v = Displays verbose task information in the output. ( PID , memory usage status, User name)
C:\> tasklist /m = Lists all tasks with PID and DLL modules loaded that match the given pattern name. If the module name is not specified, this option displays all modules loaded by each task.
C:\> tasklist /fi = Specifies the types of processes to include in or exclude from the query.examples below
C:\> tasklist /v /fi "pid eq 555"
C:\> tasklist /m /fi "pid eq 555"
C:\> Tasklist /v | findstr Teams.exe
C:\> Tasklist /m | findstr Teams.exe
Wmic is even more powerful than Tasklist.
C:\> wmic process list brief = brief list of the currently running processes
C:\> wmic process list full = full list of the currently running processes
C:\> wmic process get Name,Commandline,Description,ProcessID,ParentProcessID = specify only which fields you want to grab
C:\> wmic process where processid=600 list full = full info of the process running with pid=600
C:\> wmic process where Name=Teams.exe get ProcessID,ParentProcessID = full list of the process running with Name=teams.exe but return only the Pid and Ppid values
C:\> wmic process where ProcessID=555
Watch out for:
1) Is this a new or unrecognized process? ( ideally you would want to cross reference your findings with a baseline image -if you have. It will make the whole task of identifying what stands out from "normal activity" easier)
2) Is the name of the Process random-looking ( e.g hJoIuG.exe or whatever)
3) Is it running from a non-standard path ( e.g C:\Temp , C:\Downloads , C:\Music etc)
4) Is the parent suspicious ( child process might be legit but parent process not)
5) Is the Parent-Child relationship suspicious? ( e.g lsass.exe spawning a cmd.exe or IEX spawning a Powershell.exe etc)
6) Is the process tied to suspicious activity? ( e.g a process communicating with well known malicious IP/URL/host/domain etc)
7) Encoded in Base64 ?
8) A process can be used for benign and malicious purposes at the same time. ( e.g PSEXEC )
9) Suspicious does not necessarily mean Malicious.
Identifying Suspicious Network Activity
-----------------------------------------
C:\> netstat -abno ( this is pretty much all you need)
C:\> netstat -abno -n 5 = Automatically refresh the output every 5 seconds.
-n = addresses and port numbers are expressed numerically and no attempt is made to determine names.
-a = Displays all active TCP connections and the TCP and UDP ports on which the computer is listening
-b = shows the EXE using that port and the DLLs that it has loaded to interact with that port.
-o = shows the owner ProcessID associated with the port
You can redirect the outpout into a .txt file if it helps you analyze the results better e.g netstat -abno > C:\Users\McL0vin\Desktop\netstat.txt
Watch out for:
1) Network activity that is abnormal for the associated Process (e.g Notepad outbound/inbound connections to a Public IP etc)
2) Network activity that is abnormal for your environment/Business Unit/Organization ( e.g lots of traffic during weekends, late hours, holidays etc, long running HTTP/HTTPS sessions etc) ( 2 ways to spot this kind of activity- either have a baseline image of Business as usual activity or know VERY WELL your environment/org/BU)
3) Network activity from/to well known Malicious IPs/Domains/URLs/Hosts ( leverage Threat Intel & OSINT to identify those IOCs e.g alienvault , abuseipdb , virustotal, hybrid-analysis)
Identifying Suspicious Services
----------------------------------
services.msc = spawns the services control panel GUI . shows various services and their Description, Status, Startup Type, Log on as. shows ALL services (running/not running)
net start = shows a list of ONLY running services.
sc query | more = vast amount of information for each service . can be chaotic. ONLY running services
tasklist /svc = shows which services are running out of each process on your system along with their PIDs. maps running processes to services ( maps services-to-processes)
Watch out for:
1) New services / Deleted services / Stopped Services ( ideally you would want to cross reference your findings with a baseline image -if you have. Otherwise talk with your Sys Admins. )
2) Path to Executable looks abnormal( run services.msc --> right click on a service --> Properties)
Identify Suspicious Registry ASEPs/Autostart Folders
------------------------------------------------------
Windows has numerous registry and file locations that can be used to start software without a user taking a specific action.These locations are called Autostart Extensibility Points (ASEPs)
The majority of malware manipulates the same registry keys in order to establish persistence and survive a reboot.Those are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
C:\> regedit = spawns the Registry Editor -GUI to manually browse through the registry hive/keys
C:\> reg query HKLM\Software\microsoft\windows\currentversion\run = displays the settings for the specified registry key
C:\> taskmgr.exe = Task Manager GUI. go to Startup tab
These registry keys are responsible for executing programs when a system boots up or when a user logs on (Easiest way to establish persistence.Usually attackers map their backdoors there in order to survive reboot)
Autostart folders associated with users.These programs are automatically invoked each time the given user logs on to the system and are sometimes altered by malware
C:\> dir \s \b "C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup = lists the contents of a user's autostart folder
C:\> start msconfig.exe = spawns a small GUI that displays Startup selection, Boot location/options , startup items
C:\> wmic startup list full = displays autostart programs
Right click on Tray bar --> Task Manager --> Startup = displays a GUI with autostart programs and info such as Name, Publisher, Status.
Watch out for:
1)
2)
3)
4)
Identify Suspicious Account Activity
--------------------------------------
c:\> lusrmgr.msc = spawns a GUI which can be used to check the users and groups defined on the machine
C:\> net user = displays a list of users
C:\> net localgroup administrators = shows who is in the group you specify ( in that case accounts in the administrators group)
Watch out for:
1)
2)
3)
4)
Identify Suspicious Scheduled Tasks
------------------------------------
C:\> schtasks = shows scheduled tasks and details about them such as Folder, Task Name, Next Run Time and Status (can be chaotic depending on your environment . you can export it to a .txt file for easier reading or use | findstr if you know what you are looking for )
C:\> taskschd.msc = brings up the Task Scheduler GUI.lots of info such as triggers,actions,conditions etc. much easier to work with
PS C:\> Get-ScheduledTask = Powershell commands that lists scheduled taks on the system with info about Taskpath,Taskname,State.
PS C:\> Get-ScheduledTask -TaskName "THIS IS SPARTA" if you know the Taskname of the scheduled task you are looking for, use this
Watch out for:
1)Unusual scheduled tasks ( especially those that run as SYSTEM, as a user in administrators group or have a blank username)
2)Scheduled Tasks
Identify Suspicious Log Entries
-------------------------------
Cl\>eventvwr.msc = spawns the GUI Event Viewer ( the most eye-friendly way lol)
C:\> wevtutil qe Security /f:text = inspect the Windows EveNt Logs category you specified(in this case Security) . can be chaotic, you can output the content by using > C:\xx\xx\something.txt if you want.
PS C:\> Get-EventLog -LogName Security | Format-List -Property * = the equivalent of the above command but in Powershell this time and with a cooler blue background ( lol)
Watch out for:
1) Any indication that event log service was stopped
2) Any indication that Windows File Integrity Checker ( Windows File Protection) was disabled
3) large number of failed logons about a specific account following a successful logon for that account
4) Small number of failed logons across many accounts ( Password Spray Attack)
5) Large number of failed logons for a specific account ( Brute Force Password Attack)
Identify Suspicious SMB activity
----------------------------------
When your machine is acting as a client and want to see the outbound SMB activity
C:\> net use = displays the target machine and the share to which you are connected
C:\> net use \\192.168.1.1 /del = drops the SMB session
C:\>net use * /del = drops all outbound SMB sessions
When your machine is acting as a server and want to see the inbound SMB activity
C:\>net session = list the inbound sessions
C:\>net session \\192.168.1.1 /del = drops the inbound SMB session
Watch out for:
1)The ability to drop individual SMB sessions (either inbound or outbound) can be useful because this can temporarily stop an attacker from using the SMB session.
This way you can buy some time or interrupt a data exfiltration in progress
2) Don't expose your TCP/UDP 135,136,137,138,139,445 ports to the internet. Shut them down or if there is a legit business purpose put them behind firewalls with ACLs enforcing access to authorized IPs only
3)most of them time SMB traffic is between a client and a Server.if you see client-to-client smb activity or excessive server-to-server smb activity without a valid business purpose,then that should be investigated.
Regshot = snapshot tool for Windows.Allows you to record a snapshot of the registry and optionally file system at two points in time and then highlights the differences between the two.
Provides a high level summary of the changes,showing registry keys that were added/deleted/modified as wel as any files that were added/deleted/modified
Super easy to run in 5 steps
1) Start Regshot and configure the options.By default Regshot is not going to record file system.You can specifiy that if you want by checking the Scan dir box and stating the directory you are interested in ( C:\ for example)
2) Once you are done with the configuration of the tool and you got everything ready take the first snapshot
3) Run the malware
4) Use Regshot to take a second snapshot
5) Once finished , click on Compare and Regshot will give you back the results after a few minutes
TaskManager
DeepBlueCLI
Procmon / Process Monitor = shows file system,registry,network and process activity in real-time.Ideal for detonating malicious files/scripts in a sandbox and see live the changes on your system
Procexplorer / Process Explorer = gives in depth information about running processes
Strings = extracts and displays bot ASCII and 16-bit little endian Unicode strings
C:\> strings malfile.exe
TCPView = maps listening TCP/UDP port back to owning processes
SRUMdump
FTK Imager /Volexity / Volatility (Remember . Most volatile FIRST = RAM . then everything else follows)
C:\> certutil -hashfile malfile.exe MD5 = Calculates the MD5 Hash of a file on Windows
PS C:\> Get-FileHash -Algorithm MD5 malfile.exe
C:\> DIR /r = look for alternate data streams
PS :> Get-Item * -Stream * = look for alternate data streams in Blue
PS:> Get-ChildItem -recurse | ForEach { Get-Item $_.Filename -stream * } | Where stream -ne ':$DATA' = search all subdirectories for ADS
Collect Metadata
exiftool
nslookup