What is a Sysinternals tool to see pointers to DLL/objects?
What is the first phase of the Pre-boot process?
(BONUS +50points) - What is a Botnet and Bot Herder?
POST: Power on self test
-- RAM (at least 1MB), Processor, Display
---
Bot Herder - Person in control of the botnet
Botnet - Multiple machines infected and controlled by a bot herder
What are the 5 Primary Hive (Root) Keys?
(BONUS +50points) - What are the Forensically Relevant Keys?
HKCU - Current User, HKU - Users, HKCR - Classes Root, HKLM - Local Machine, HKCC - Current Config
HKLM\Run, HKLM\RunOnce, HKU\Run, HKLM\Tasks, HKLM\Services, HKLM\USBSTOR, HKU\TypedURLS, HKLM\Profiles
netsh advfirewall show allprofiles
----With TrustedInstaller, WRP protects files; it keeps a copy of every file.
Protects system files and folders from unauthorized changes
Copies files critical to system boot to a clean cache copy
.dll, .exe, .dat, .sys
List 4 native commands to view running services?
sc query state= all
CLI: tasklist /svc
WMIC: wmic service list brief
PowerShell: Get-Service
What is the second phase of the Pre-boot process?
(BONUS +50points)- What happens during this phase?
MBR (Master Boot Record)
-Master Boot Code
-boot.ini <- this is for Win NT? We need BCD.dat
-First sector that contains boot file
-First 512 byte sector on hard disk
Hierarchical database of critical system configurations
--Persistent: User settings are saved and appear each time, More storage and backup
--Non-persistent: At end of session, desktop reverts back to its original state, Better security, Less storage
A proprietary file system developed by Microsoft.
--GUI
Right click, select Properties, select Security tab
--Command Line
icacls.exe (Windows Server 2003 SP2+)
--Powershell
Get-Acl C:\Windows\System32\notepad.exe | Format-List
--Sysinternals
accesschk C:\Windows\System32\notepad.exe
User Account Control limits the privileges of user run applications, even when run as Administrator, to prevent the modification of system files, resources, or settings. Requesting elevated privileges requires explicit acknowledgement from the user.
SAM (Security Account Manager) database where credentials are stored locally.
What are Threads?
(BONUS +50points)- What are handles?
Threads - Basic unit to which the OS allocates processor time.
-Csrss maintains a list of threads
Handles - Objects are data structures representing a system resource (file, thread, etc.)
-Applications can't access objects directly; they must obtain a handle. Handles are tracked in a table maintained by the Object Manager
What are registry locations that can be utilized for persistence?
HKLM\Software\Microsoft\Windows\Run
HKU\<SID>\Software\Microsoft\Windows\Run
HKLM\BCD00000000 <-- Replacement of old boot.ini file
HKLM\SAM\SAM
Identify 3 kinds of events that get audited and what they mean.
(BONUS +50points) - What is the basis for InfoSec?
-Centralized Data Storage
-Scalability, Extensibility, Manageability
-Integration with DNS
-Client Configuration Management
-Policy-Based Administration
-Replication of Information
-Flexible, Secure Authentication and Authorization
-Security Integration
-Directory-enabled Applications and Infrastructure
-Interoperability with Directory Services
-Signed and Encrypted LDAP Traffic
What is a wmic command to list logs?
wmic nteventlog list brief
What are the Process States?
(BONUS +50points) - What are the Thread States?
Process States - Start, Ready, Running, Waiting, Terminated/Exit
Thread States - Ready, Deferred Ready, Standby, Running, Waiting, Transition, Terminated, Initialized
What are 5 of the 12 Data types available?
(BONUS +50points) - Define a virtual machine.
REG_SZ - String value
REG_BINARY - Binary data
REG_DWORD - 32-bit integer. Max 7FFF,FFFF or 2,147,483,647.
REG_LINK - Symbolic link: a link that will take you to the actual location of the data
REG_MULTI_SZ - Multi-string value: multiple strings, each terminated with "\0". Example: "abc\0def\0"
REG_QWORD - 64-bit integer. Max 7FFF,FFFF,FFFF,FFFF or 9,223,372,036,854,775,807.
- A virtual machine is a software computer that, like a physical computer, runs an operating system and applications. The hypervisor serves as a platform for running virtual machines and allows for the consolidation of computing resources.
Signature Based Detection --
-Device/Software maintains a database of previously identified attack signatures. Compares activities and binaries to this database to determine if they are a match.
-Only capable of catching previously identified attacks
-Signatures require constant updating
-Small changes to a binary could bypass the signature
Heuristic Based Detection--
-Device/Software develops a baseline of the system, then looks for anomalous activity
-Has potential to catch 0-day attacks (Good Luck)
-Larger number of false positives vs detection based (Job Security)
Order of volatility is important when making decisions about how to respond to a potentially compromised system. A system shutdown is sometimes the worst option forensically. Beginning with the most volatile data list 5 of 7...
1.) Registers, cache
2.) Routing table, arp cache, process table, kernel statistics, memory
3.) Temporary file systems
4.) Disk and other storage media
5.) Remote logging and monitoring data that is relevant to the system in question
6.) Physical configuration, network topology
7.) Archival media
Users → net user, wmic useraccount
Group → net localgroup, wmic group
Net → ipconfig, netstat, wmic nicconfig
System → systeminfo
What is the difference between Static and Dynamic Analysis?
(BONUS +50points) - Describe the 3 phases of the Windows Boot Process? (Refer to slides for Answer)
Static analysis - examines malware without actually running it.
-- Strings, searching the strings output for DLLs, OSINT (Open Source Research), hashing the file and checking the hash to see if there is anything online about it.
Dynamic Analysis - Watching the malware while it is running in a SANDBOX environment.
ProcMon, Task Manager, Procexp, TCPView, Regshot (tool or custom look at keys), Wireshark
---
PRE-BOOT - BIOS, OS Loader
BOOT - Kernel Initialization, Session Initialization, Explorer Initialization
POST-BOOT - Userinit
Provide 4 Benefits and Risks from a Defensive Perspective of Virtualization.
(BONUS +50points) - What command opens the registry GUI?
Host-Based -- Firewall, AV
Network-Based -- Firewall, VPN
---
Whitelisting: only allowing specific applications to run
Blacklisting: only blocking specific applications
Phases of Incident Response (SANS, NIST, 6-phase model):
1.) Preparation (always happening)
Documentation (SOP, Policies and Procedures), train, identify necessary tools/items
Make contact with POCs like Incident response team
Make sure supported organizations have baselines
2.) Identification
Figure out what happened, was it an incident (violation of security/privacy policy) or an event (observable occurrence)?
High traffic volumes, external devices, unusual activity/logons, anomalous activity/configs
SCOPE AND MAGNITUDE
3.) Containment
Limit the damage caused to systems, prevent further damage
Remove from network (sandbox VLAN), quarantine
Capture bit-for-bit copy of the system for analysis
Patch/Hotfix -Add Firewalls
4.) Investigation
Determine priority, scope and root cause of the incident
Who caused it? How? What was compromised?
How vulnerable is the network/system/other systems?
Detect indicators of compromise
Static and dynamic forensic analysis
5.) Eradication
Get rid of the bad stuff
Remove the presence of the attacker, not the attacker themselves (due to legal stuff)
Investigation uncovers IOCs that help you find what to remove
Reimage to known-good and rotate crypto keys
6.) Recovery
Bring affected systems back into production environment
Remove VLANS
Return network to normal
Lessons Learned
Update SOP, AAR
Continually Monitor (leaving sensors behind to be accessed remotely)