🪟 Windows Artefacts

🏺 CMD and Powershell

CMD

Batch scripting. Highly limited in functionality, and it caches all sorts of crap, including credentials.

PowerShell

Anatomy

Authentication cons:

  1. Traffic is encrypted
  2. Kerberos is used for authentication
  3. Credentials are not cached on the remote system (not AS).

PowerShell gives you the power of WMI, .NET and COM at once. It provides a unified interface to interact with data types such as the registry, file volumes, Active Directory etc.

❗️The output of most PowerShell commands is not strings but objects that can be piped into other commands.

🏺 Crash Files

This is about … .

🏺 DNS Cache

There are several ways to retrieve this information manually.

  1. ipconfig /displaydns
  2. Win32_DnsCache from WMI repo (use Kansa to collect and stack this data)

📘 BTFM

Stacking, purely manually (no grouping):

Get-ChildItem -Filter "*-DNSCache.csv" | ForEach-Object { Import-Csv $_.FullName } | Export-Csv -Path "DNSCacheStack.csv" -NoTypeInformation

Stacking, purely manual, with grouping (basically, the same results as with Get-LogparserStack.ps1 but the case is ignored):

# one *DNSCache.csv per host, as produced by the DNSCache collector
$csvFiles = Get-ChildItem -Path ".\*DNSCache.csv"
$result = foreach ($csvFile in $csvFiles) {
    Import-Csv -Path $csvFile.FullName
}

# Group-Object compares Name case-insensitively by default; Count is the number of records per name.
# The PC column is joined into one string, because Export-Csv would otherwise write "System.Object[]"
# for any name seen on more than one host.
$groupedData = $result | Group-Object -Property Name | Select-Object Count, Name, @{Name="PC"; Expression={($_.Group.'PSComputerName' | Sort-Object -Unique) -join ';'}} # the column contains spaces but the script will see no spaces, so, it's not a typo
$groupedData | Export-Csv -Path "result2.csv" -NoTypeInformation
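The same stacking idea in Python, as an added example (not the page's own script or a Kansa module): it assumes the per-host CSVs carry the Name and PSComputerName columns the PowerShell version relies on, groups names case-insensitively, and counts distinct hosts per name rather than raw records, so the rarest names surface first.

```python
"""Stack per-host DNS cache CSVs across machines (least-frequency analysis)."""
import csv
import io
from collections import defaultdict

# Constructed sample input: one CSV per host, using the Name / PSComputerName
# columns assumed above. Not real collector output.
SAMPLE_CSVS = {
    "HOST01-DNSCache.csv": "Name,PSComputerName\nupdate.contoso.example,HOST01\nlogin.contoso.example,HOST01\n",
    "HOST02-DNSCache.csv": "Name,PSComputerName\nUPDATE.CONTOSO.EXAMPLE,HOST02\nlogin.contoso.example,HOST02\n",
    "HOST03-DNSCache.csv": "Name,PSComputerName\nupdate.contoso.example,HOST03\nodd-cdn.invalid,HOST03\n",
}


def stack_dns_cache(csv_texts, name_col="Name", host_col="PSComputerName"):
    """Group records by case-folded name (like Group-Object's default
    case-insensitive match) and return (host_count, name, sorted_hosts)
    tuples, rarest names first."""
    hosts_by_name = defaultdict(set)
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            name = row[name_col].strip().lower().rstrip(".")
            if name:
                hosts_by_name[name].add(row[host_col].strip())
    rows = [(len(hosts), name, sorted(hosts)) for name, hosts in hosts_by_name.items()]
    rows.sort(key=lambda r: (r[0], r[1]))  # least frequent first
    return rows


def rare_entries(rows, max_hosts=1):
    """Names seen on at most max_hosts machines: the usual stacking pivot."""
    return [r for r in rows if r[0] <= max_hosts]


def write_stack_csv(rows, path):
    """Write the stack in the same Count/Name/PC layout as the PowerShell version."""
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["Count", "Name", "PC"])
        for count, name, hosts in rows:
            writer.writerow([count, name, ";".join(hosts)])


if __name__ == "__main__":
    for count, name, hosts in stack_dns_cache(SAMPLE_CSVS.values()):
        print(f"{count:>3}  {name:<28} {';'.join(hosts)}")
```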

Stacking, Kansa script:

🏺 Windows Event Log

Event Logs in Windows provide valuable insights for defenders. They can be forwarded to a central machine to monitor organisational-level activities and detect malicious behaviour effectively.

🏺 Windows Registry

🏺 Prefetch

Every day, the computer loads some programs and a lot of additional crap that comes with them. Every day the same routine, over and over again. Being a diligent and responsible fellow, it wondered how to improve this process. So it decided to save the most recently loaded programs, and whatever DLLs and other files those programs need, so that everything is ready the next time a program is run. Where is this data stored? In Prefetch.

🏺 RAM

Memory is the best evidence, although the hardest to preserve. If you recall Frozen II, “Water has memory” - same story. Even if you delete all the evidence, memory silently remembers it all. But it’s so fragile…

🏺 Active Directory

Moving accounts and auth policies to the server side. Azure Active Directory is the same idea, but instead of a physical server you have a server in the cloud ⛅️. AD defines a set of rules to restrict users’ access to resources. PCs that are part of AD usually don’t have full access to the systems.

The AD DS store contains the database files and processes that manage directory information for users, services and applications. It consists of the Ntds.dit file, in the %SystemRoot%\NTDS folder on every DC, and is only accessible through the DC’s processes and protocols.

🏺 WMI

In days of yore, there existed a humble batch, whence emerged the WMI, and it didst hold dominion o’er the realm of Windows contraptions for a considerable span until it was entwined with the might of PowerShell.

🏺 Windows Core Processes

There are two broad categories of Windows core processes: those that initialize the system environment and those that initialize the user environment. Whatever the category, you need to know them well in order to detect abnormal things.