Windows_CLI
Windows_Processes
Virtualization /Registry
System Hardening, Auditing, & Logs
Networking / Tactical Survey
100

What is a Sysinternals tool to see pointers to DLL/objects?


Handle
100

What is the first phase of the Pre-boot process?




(BONUS +50points) - What is a Botnet and Bot Herder?

POST: Power on self test

                    -- RAM (at least 1MB), Processor, Display

                                            ---

Bot Herder - Person in control of the botnet

Botnet - Multiple machines infected and controlled by a bot herder


100

What are the 5 Primary Hive (Root) Keys?



(BONUS +50points) - What are the Forensically Relevant Keys?

HKCU  -  Current User,  HKU    -   Users,  HKCR  -  Classes Root, HKLM  -  Local Machine,  HKCC -  Current Config

HKLM\Run, HKLM\RunOnce, HKU\Run, HKLM\Tasks, HKLM\Services, HKLM\USBSTOR, HKU\TypedURLS, HKLM\Profiles


100
What firewall command will show the state for all profiles?


(BONUS +50points) - What is Windows Resource Protection?

netsh advfirewall show allprofiles

                                      ---

-With TrustedInstaller, WRP protects files; it keeps a copy of every file.

Protects system files and folders from unauthorized changes

Copies files critical to system boot to a clean cache copy

.dll, .exe, .dat, .sys

100
What is the importance of baselining and what should you baseline?
Baselining can be used to help predict future system requirements and to detect anomalies.
-Baseline processes, services, but typically the registry isn't baselined, due to the dynamic parts of the registry.

200

List 4 native commands to view running services?




sc query state = all

CLI: tasklist /svc

WMIC: wmic service list brief

Powershell - Get-Service

200

What is the second phase of the Pre-boot process?


(BONUS +50points)- What happens during this phase?

MBR (Master Boot Record)

           -Master Boot Code

           -boot.ini ****<-this is for win NT? We need BCD.dat

           -First sector that contains boot file

           -First 512 byte sector on hard disk


200
What is a registry?

(BONUS +50points) - What are two types of Virtualized Host?

Hierarchical database of critical system configurations

--Persistent: User settings are saved and appear each time, More storage and backup

--Non-persistent: At end of session, desktop reverts back to its original state, Better security, Less storage

200
What is NTFS and provide two commands/GUI to show the output?



(BONUS +50points) - What is UAC?

A proprietary file system developed by Microsoft.

--GUI
Right click, select Properties, select Security tab
--Command Line
icacls.exe (Windows Server 2003 SP2+)
--Powershell
Get-Acl C :\Windows\System32\notepad.exe | Format-List
--Sysinternals
accesschk C:\Windows\System32\notepad.exe

User Account Control limits the privileges of user run applications, even when run as Administrator, to prevent the modification of system files, resources, or settings.  Requesting elevated privileges requires explicit acknowledgement from the user.


200
Users authenticate locally with what database?

SAM (Security Account Manager) database where credentials are stored locally. 

300
List 4 native commands/GUI to view running processes?


(BONUS) +50points - List 3 Sysinternal tools to view running processes?
PS: Get-process
WMIC: wmic process list brief
CLI: tasklist
GUI: taskmgr

(BONUS) +50points - procmon, pslist, procexp.
300

What are Threads?




(BONUS +50points)- What are handles?

Threads - Basic unit to which the OS allocates processor time.

                -Csrss maintains a list of threads

Handles - Objects are data structures representing a system resource (file, thread, etc.)

                -Applications can’t access objects directly, must obtain a handle. Tracked in a table known as the Object Manager

300

What are registry locations that can be utilized for persistence?


HKLM\Software\Microsoft\Windows\Run

HKU\<SID>\Software\Microsoft\Windows\Run

HKLM\BCD00000000 <-- Replacement of old boot.ini file

HKLM\SAM\SAM


300

Identify 3 kinds of events that get audited and what they mean.



(BONUS +50points) -What is the basis for InfoSec?

-System, Application, Security



- CIA Triad
300
Provide 4 features of Active Directory.

-Centralized Data Storage

-Scalability, Extensibility, Manageability

-Integration with DNS

-Client Configuration Management

-Policy-Based Administration

-Replication of Information

-Flexible, Secure Authentication and Authorization

-Security Integration

-Directory-enabled Applications and Infrastructure

-Interoperability with Directory Services

-Signed and Encrypted LDAP Traffic

400

What is a wmic command to list logs?

wmic nteventlog list brief

400

What are the Process States?


(BONUS +50points) - What are the Thread States?

Process States - Start, Ready, Running, Waiting, Terminated/Exit


Thread States - Ready, Deferred Ready, Standby, Running, Waiting, Transition, terminated, Initialized

400

What are 5 of the 12 Data types available?


(BONUS +50points) - Define a virtual machine.

REG_SZ .

REG_BINARY . Binary data

REG_DWORD . 32 bit integer. Max 7FFF,FFFF or 2,147,483,647.

REG_LINK . Symbolic links- A link that will take you to the actual location of the data

REG_MULTI_SZ . Multi-String values- Multiple strings that are terminated with "\0". Example: "abc\0def\0"

REG_QWORD . 64 bit integer. Max 7FFF,FFFF,FFFF,FFFF or 9,223,372,036,854,775,807.

- A virtual machine is a software computer that, like a physical computer, runs an operating system and applications. The hypervisor serves as a platform for running virtual machines and allows for the consolidation of computing resources.

400
What is Signature Based Detection and Heuristic Based Detection?

Signature Based Detection --

-Device/Software maintains a database of previously identified attack signatures.  Compares activities and binaries to this database to determine if they are a match.
-Only capable of catching previously identified attacks
-Signatures require constant updating
-Small changes to a binary could bypass the signature

Heuristic Based Detection--

-Device/Software develops a baseline of the system, then looks for anomalous activity
-Has potential to catch 0-day attacks (Good Luck)
-Larger number of false positives vs detection based (Job Security)

400

Order of volatility is important when making decisions about how to respond to a potentially compromised system. A system shutdown is sometimes the worst option forensically. Beginning with the most volatile data list 5 of 7...

1.) Registers, cache

2.) Routing table, arp cache, process table, kernel statistics, memory

3.) Temporary file systems

4.) Disk and other storage media

5.) Remote logging and monitoring data that is relevant to the system in question

6.) Physical configuration, network topology

7.) Archival media


500
IOT gain SA on a mission list commands to gather the following information.
Users:
Group:
Network:
System:

Users         → net user, wmic useraccount

Group           → net localgroup, wmic group

Net             → ipconfig, netstat, wmic nicconfig

System      → systeminfo


500

What is the difference between Static and Dynamic Analysis?



(BONUS +50points) - Describe the 3 phases of the Windows Boot Process? (Refer to slides for Answer)

 

Static analysis - examines malware without actually running it.

-- Strings, Searching for DLLs the strings output, OSINT (Open Source Research), Hash the file and check the hash to see if there is anything online about it.

Dynamic Analysis - Watching the malware while it is running in a SANDBOX enviroment.

ProcMon, Task Manager, Procexep, TCPView, Reg Shot (tool or custom look at keys), WireShark

                                           ---

PRE-BOOT - BIOS, OS Loader

BOOT - Kernel Initialization, Session Initialization, Explorer Initialization

POST-BOOT - Userinit

https://social.technet.microsoft.com/wiki/contents/articles/11341.the-windows-7-boot-process-sbsl.aspx

500

Provide 4 Benefits and Risks from a Defensive Perspective of Virtualization.


(BONUS +50points) - What command opens the registry GUI?

Benefits: Efficiency, Low Cost, Lower Risk (by snapshots), Manageability, Provides Fault Tolerance, Attacker persistence is greatly mitigated (via reverting)

Risks: Shared memory (resources), Single Point of Failure, Upfront Cost/Planning, Compatibility,

(BONUS +50points) - regedit.exe
500
List 2 Host-Based, and 2 Network-Based Hardening Techniques.

(BONUS +50points) - What is application whitelisting and blacklisting?

Host-Based -- Firewall, AV

Network-Based -- Firewall, VPN


- -

Whitelisting: only allowing specific applications to run

Blacklisting: only blocking specific applications


500

Phases of Incident Response (Sans, NIST, 6-phase model):






1.) Preparation (always happening)

Documentation (SOP, Policies and Procedures), train, identify necessary tools/items

Make contact with POCs like Incident response team

Make sure supported organizations have baselines

2.) Identification

Figure out what happened, was it an incident (violation of security/privacy policy) or an event (observable occurrence)?

High traffic volumes, external devices, unusual activity/logons, anomalous activity/configs

SCOPE AND MAGNITUDE

3.) Containment

Limit the damage caused to systems, prevent further damage

Remove from network (sandbox VLAN), quarantine

Capture bit-for-bit copy of the system for analysis

Patch/Hotfix         -Add Firewalls

4.) Investigation

Determine priority, scope and root cause of the incident

Who caused it? How? What was compromised?

How vulnerable is the network/system/other systems?

Detect indicators of compromise

Static and dynamic forensic analysis

5.) Eradication

Get rid of the bad stuff

<presence> of the attacker, not the attacker themselves (due to legal stuffs)

Investigation uncovers IOCs that help you find what to remove

Reimage to known-good and rotate crypto keys

6.) Recovery

Bring affected systems back into production environment

Remove VLANS

Return network to normal

Lessons Learned

Update SOP, AAR

Continually Monitor (Leaving sensors behind to be access remotely)