## Important artifacts

| Live | Offline | Tool |
|---|---|---|
| `HKEY_LOCAL_MACHINE\SYSTEM` | `C:\Windows\System32\config\SYSTEM` | Registry Explorer / regrip |
| `HKEY_LOCAL_MACHINE\SOFTWARE` | `C:\Windows\System32\config\SOFTWARE` | Registry Explorer / regrip |
| `HKEY_USERS` | `C:\Windows\System32\config\SAM` | Registry Explorer / regrip |
| `HKEY_CURRENT_USER` | `C:\Users\<USER>\NTUSER.dat`<br>`C:\Users\<user>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat` | Registry Explorer / regrip |
| `Amcache.hve` | `C:\Windows\appcompat\Programs\Amcache.hve` | Registry Explorer / regrip |
| Event Viewer -> Windows Logs -> Security | `C:\Windows\winevt\Logs\Security.evtx` | Event Log Explorer |
| Event Viewer -> Windows Logs -> System | `C:\Windows\winevt\Logs\SYSTEM.evtx` | Event Log Explorer |
| Event Viewer -> Windows Logs -> Application | `C:\Windows\winevt\Logs\Application.evtx` | Event Log Explorer |
| Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> TaskScheduler -> Operational | `Microsoft-Windows-TaskScheduler%4Operational.evtx` | Event Log Explorer |

## System information

| What | Where | Tool |
|---|---|---|
| Windows version and installation date | `SOFTWARE\Microsoft\Windows NT\CurrentVersion` | Registry Explorer, regrip |
| Computer name | `SYSTEM\ControlSet001\Control\ComputerName\ComputerName` | Registry Explorer, regrip |
| Timezone | `SYSTEM\ControlSet001\Control\TimeZoneInformation` | Registry Explorer, regrip |
| Startup and shutdown time | `SYSTEM\ControlSet001\Control\Windows`<br>`SYSTEM.evtx`: 1074 (shutdown type), 6005/6006 (event log service start/stop) | TurnedOnTimesView |

## Network information

| What | Where | Tool |
|---|---|---|
| Identify physical cards | `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards` | Registry Explorer, regrip |
| Identify interface configuration | `SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces` | Registry Explorer, regrip |
| Connection history | `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged`<br>`SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles`<br>`Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx` | WifiHistoryView |
| Network shares | `SYSTEM\ControlSet001\Services\LanmanServer\Shares` | Registry Explorer / regrip |

## Users information

| What | Where | Tool |
|---|---|---|
| Username, creation date, last login date, SID | `SAM` | Registry Explorer, regrip |
| Login, logout, account deletion and creation | `Security.evtx`:<br>4624 -> successful logon<br>4625 -> failed logon<br>4634 -> session terminated<br>4647 -> user-initiated logoff<br>4672 -> special privileges assigned to logon<br>4648 -> user ran a program with explicit credentials (Run as administrator / another user)<br>4720 / 4726 -> account creation / deletion | Event Log Explorer |
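An added example (not part of the original cheat sheet) showing how the `Security.evtx` event IDs in the table above are correlated during triage: 4624 sessions are paired with their 4634/4647 logoff by logon ID and flagged when a 4672 was raised, 4625 bursts are counted per user, and 4720/4726 account changes are put on a timeline. The sample rows are constructed; the `logon_id` field stands in for the TargetLogonId/SubjectLogonId an analyst would export with a tool such as Event Log Explorer.

```python
from collections import defaultdict

# Security.evtx event IDs from the table above and their meaning.
EVENT_MEANING = {
    4624: "Successful logon", 4625: "Failed logon", 4634: "Session terminated",
    4647: "User-initiated logoff", 4672: "Special privilege logon",
    4648: "Logon with explicit credentials (Runas)",
    4720: "Account creation", 4726: "Account deletion",
}
# Constructed sample rows (not from the page) shaped like a Security.evtx export;
# "logon_id" stands for the event's TargetLogonId/SubjectLogonId, the key that
# ties one session's 4624/4672/4634/4647 events together.
SAMPLE_EVENTS = [
    {"time": "2023-03-01T08:00:00", "id": 4624, "user": "alice", "logon_id": "0x3e7a1", "type": 2},
    {"time": "2023-03-01T08:00:01", "id": 4672, "user": "alice", "logon_id": "0x3e7a1"},
    {"time": "2023-03-01T08:05:00", "id": 4625, "user": "bob"},
    {"time": "2023-03-01T08:05:02", "id": 4625, "user": "bob"},
    {"time": "2023-03-01T08:05:04", "id": 4625, "user": "bob"},
    {"time": "2023-03-01T08:06:00", "id": 4624, "user": "bob", "logon_id": "0x5a100", "type": 3},
    {"time": "2023-03-01T08:30:00", "id": 4720, "user": "svc_backup"},
    {"time": "2023-03-01T09:00:00", "id": 4647, "user": "alice", "logon_id": "0x3e7a1"},
    {"time": "2023-03-01T09:10:00", "id": 4634, "user": "bob", "logon_id": "0x5a100"},
]

def build_sessions(events):
    """Pair each 4624 with its 4634/4647 by logon id; flag sessions that got a 4672."""
    privileged = {e["logon_id"] for e in events if e["id"] == 4672}
    sessions = {}
    for e in sorted(events, key=lambda e: e["time"]):
        lid = e.get("logon_id")
        if e["id"] == 4624:
            sessions[lid] = {"user": e["user"], "start": e["time"], "end": None,
                             "type": e.get("type"), "privileged": lid in privileged}
        elif e["id"] in (4634, 4647) and lid in sessions:
            sessions[lid]["end"] = e["time"]  # logoff closes the session
    return sessions

def failed_logon_bursts(events, threshold=3):
    """Users with at least `threshold` 4625 events: a password-guessing signal to triage."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] == 4625:
            counts[e["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}

def account_changes(events):
    """Chronological list of 4720/4726 account creations and deletions."""
    return [(e["time"], e["user"], EVENT_MEANING[e["id"]])
            for e in sorted(events, key=lambda e: e["time"]) if e["id"] in (4720, 4726)]
```

A session with no `end` after the last event in the log is still open (or its logoff was not recorded), which is itself worth noting in the timeline.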

## File activities - what happened?

| What | Where | Tool |
|---|---|---|
| File name, path, timestamps, actions (e.g. rename) | `$MFT`, `$LogFile`, `$UsnJrnl:$J` | NTFS Log Tracker |
| Information about deleted files | `$I30` (directory index) | INDXRipper |

## File activities - who did it?

| What | Where | Tool |
|---|---|---|
| Failed/successful object access | `Security.evtx`:<br>4656 -> user requested a handle to an object (access attempt)<br>4660 -> object was deleted<br>4663 -> user accessed the object successfully<br>4658 -> user closed the opened object (file) | Event Log Explorer |
| Recently used files/folders | `NTUSER.dat`:<br>`Software\Microsoft\Office\15.0\<Office application>\File MRU`<br>`Software\Microsoft\Office\15.0\<Office application>\Place MRU`<br>`Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*`<br>`Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`<br>`Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`<br>`Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths` | Registry Explorer, regrip |
| Accessed folders | ShellBags (`NTUSER.dat`, `USRCLASS.dat`) | ShellBags Explorer |
| Accessed files: path, metadata, timestamps, drive letter | LNK files:<br>`C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent`<br>`C:\Users\<User>\Desktop`<br>`C:\Users\<User>\AppData\Roaming\Microsoft\Office\Recent\` | LECmd |
| Frequently accessed files | Jump Lists:<br>`C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations`<br>`C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations` | JumpList Explorer |

## Connected devices

| What | Where | Tool |
|---|---|---|
| Vendor ID, product ID, serial number, device name | `SYSTEM\ControlSet001\Enum\USB` | Registry Explorer, regrip |
| Serial number, first connection time, last connection time, last removal time | `SYSTEM\ControlSet001\USBSTOR` | Registry Explorer, regrip |
| USB label | `SYSTEM\ControlSet001\Enum\SWD\WPDBUSENUM` | Registry Explorer, regrip |
| GUID, type, serial number | `SYSTEM\ControlSet001\Control\DeviceClasses` | Registry Explorer, regrip |
| Volume GUID, volume letter, serial number | `SYSTEM\MountedDevices`<br>`SOFTWARE\Microsoft\Windows Portable Devices\Devices`<br>`SOFTWARE\Microsoft\Windows Search\VolumeInfoCache` | Registry Explorer, regrip |
| Serial number, first connection time | `setupapi.dev.log` | Notepad++ |
| Serial number, connection times, drive letter | `SYSTEM.evtx`: 20001 -> a new device was installed<br>`Security.evtx`: 6416 -> a new external device was recognized<br>`Microsoft-Windows-Ntfs%4Operational.evtx` | Event Log Explorer |
| Automation (registry, event logs and `setupapi.dev.log` parsed together) | Registry, event logs, `setupapi.dev.log` | USBDeviceForensics, USBDetective |

## Execution activities

| What | Where | Tool |
|---|---|---|
| Windows services: executable, date added | `SYSTEM\CurrentControlSet\Services` | Registry Explorer, regrip |
| Service installation time, service crash, stop/start service events | `Security.evtx`: 4697 -> a service was installed<br>`SYSTEM.evtx`: 7034 -> service crashed, 7035 -> start/stop request sent, 7036 -> service stopped/started | Event Log Explorer |
| Autorun applications | `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`<br>`SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`<br>`SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run`<br>`SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce`<br>`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`<br>`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce` | Registry Explorer, regrip |
| Frequently run programs, last run time, number of executions | UserAssist: `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist` | UserAssist by Didier Stevens |
| Older applications run on a newer system (compatibility cache) | `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache` | ShimCache parser |
| File path, MD5 and SHA1 hash | `Amcache.hve` | Amcache parser |
| Background applications | BAM & DAM: `SYSTEM\ControlSet001\Services\bam\State\UserSettings` | Registry Explorer, regrip |
| Filename, size, run count, timestamp of each run, path | Prefetch: `C:\Windows\Prefetch` | WinPrefetchView |
| Program network usage, memory usage | SRUM: `C:\Windows\System32\sru\SRUDB.dat` | SrumECmd |
| Scheduled tasks | `C:\Windows\Tasks`<br>`Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks`<br>`Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree`<br>`Microsoft-Windows-TaskScheduler%4Operational.evtx` | Task Scheduler Viewer |

## Memory analysis

| What | Plugin |
|---|---|
| List processes | `windows.pslist` |
| Scan the image for hidden processes | `windows.psxview` |
| List network connections | `windows.netscan` |
| List files loaded in memory | `windows.filescan` |
| Look for injected or malicious code in memory | `windows.malfind` |

## Wireshark filters cheat sheet

| What | Filter |
|---|---|
| Source IP | `ip.src == "127.0.0.1"` |
| Destination IP | `ip.dst == "127.0.0.1"` |
| Protocol | `http`, `ftp`, `dns`, etc. |
| Source port | `tcp.srcport == "80"` / `udp.srcport == "80"` |
| Destination port | `tcp.dstport == "80"` / `udp.dstport == "80"` |