
🪟 Windows Artefacts

🏺 LSA

This article centres around the crowned queen of the Windows kingdom: LSA (lsass.exe), a darling among attackers for the sheer power it wields.

🫱🏽‍🫲🏾 Shares

Admins would get mad very quickly if they had to physically access every machine they needed to configure or patch. Admin shares are hidden folders meant to be accessed remotely, typically over SMB.

🏺 Accounts

To carry out nearly any action on a system, one requires an account, which is typically safeguarded by passwords or other credentials. Hence, it is crucial to understand why attackers exhibit such a strong interest in acquiring them.

🏺 Cache

This is about … .

🏺 LNK files

This is about … .

🏺 Credentials

This article is about credentials, the keys to the realm.

🏺 ADS

This is about … .

🏺 CMD and PowerShell

CMD, the batch script interpreter. Highly limited in functionality, and it caches all sorts of crap, including credentials.

🏺 Crash Files

This is about … .

🏺 DNS Cache

There are several ways to retrieve this information manually: ipconfig /displaydns, or the Win32_DnsCache class from the WMI repository (use Kansa to collect and stack this data; see 📘 BTFM). Stacking, purely manually (no grouping):

🏺 Windows Event Log

Event Logs in Windows provide valuable insights for defenders. They can be forwarded to a central machine to monitor organisational-level activities and detect malicious behaviour effectively.

🏺 Windows Registry

🏺 Backups

Volume Shadow Copies and Restore (\System Volume Information\). Shadow Copies are exactly those pieces of data that get saved on disk when the System Restore option is enabled.

🏺 Prefetch

Every day, the computer loads some programs and a lot of additional crap that comes with them. Every day the same routine, over and over again. Being a diligent and responsible guy, it wondered how to improve this process. So it decided to save the most recently loaded programs, along with whatever DLLs and other stuff these programs need, so that everything is ready the next time the program is run. Where is this data stored? In Prefetch.

🏺 RAM

Memory is the best evidence, although the hardest to preserve. If you recall Frozen II, “Water has memory” - same story. Even if you delete all the evidence, memory silently remembers all of it. But it’s so fragile…

🏺 Active Directory

Active Directory moves accounts and auth policies to the server side. Azure Active Directory is when, instead of having a physical server, you have a server in the cloud ⛅️.

🏺 WMI

In days of yore, there existed a humble batch, whence emerged the WMI, and it didst hold dominion o’er the realm of Windows contraptions for a considerable span until it was entwined with the might of PowerShell.

🏺 Windows Core Processes

There are two broad categories of Windows core processes: those that initialise the system environment and those that initialise the user environment. Whatever the category, you need to know them well in order to detect abnormal things.