Logo
RSS Feed

πŸ‘ˆπŸΌ Back to
πŸ”Ž Investigation Tactics Techniques and Procedures

πŸ€” Analysis Tips and Cheatsheets

πŸ€” How do I check for remote connections?

How to check if the system was accessed remotely? What sort of remote connections is the attacker likely to be using?

Devices Attached

*Are we looking for USB storage media activity or all USB devices? Like, cameras πŸ“Έ? Headphones 🎧? As for the timestamps, you’ll usually have first (setupapi log) and last connected. There are also OS specific timestamps, like first or last install, first connect since reboot etc. Windows USB artifacts, macOS. See Event Manager’s codes 20001 and 20002 for USB events for verification or if the registry was updated. Look at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\ and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\<hardware id>\<instance id>\Device Parameters. More.

πŸ€” How Do I Audit Management Tools?

Admins on payroll and those “magnanimous volunteers” often tread the very same path, albeit guided by different compasses of motivation. Once our cunning adversary ascends to the lofty heights of respect usually reserved for the admin on payroll, the misuse of these management tools becomes bound only by the limits of their mischievous imagination.

πŸ€” How To Investigation Terminal Activity?

Think of the terminal as a magic wand πŸͺ„ of the attacker. The beauty for them is that they can do all sorts of nasty things remotely, but their beauty also lies with their forensics perks: one can review the history of this activity.

πŸ€” How Do I Check For Logs Clearing?

Windows ❗️These techniques require admin or higher privileges. ❗️Common with ransomware When the Security trail is deleted, 1102 is usually created afterwards.

πŸ€” How Do I Check For Malicious Autostarts?

Windows Tasks Event logs Two trails are of use are Microsoft-Windows-TaskScheduler/Operational πŸ‡ (disabled by default on the newer systems) and Security πŸ›‘οΈ.

πŸ€” How Do I Check For Reconnaisance Activity?

Windows Event logs Monitoring for these events will cause a lot of noise and false positives.

πŸ€” How do I check program execution?

Windows You can use Prefetch which is the most reliable source. However, if the program is NOT there, it doesn’t mean it wasn’t executed.

πŸ€” How Do I Check System Information?

Windows Registry, of course. AmCache, Registry πŸ—„οΈ You can see firmware, hardware and OS info there.

πŸ€” How Do I Find Malicious or Compromised Accounts?

Windows Event logs πŸ“‚ %system root%\System32\config\SecEvent.evt πŸ“‚ %system root%\System32\winevt\logs\Security.evtx It starts with the event 4720 (account created) and multiple 4732 events (member added to some security-enabled group).

πŸ€” How Do I investigate logon events?

Windows Event Logs There is a fine line between logon and account logon events, and that line is not just one word.

πŸ€” How Do I Spot Bruteforcing Activity?

Windows Event logs There will be no shortage of 4625 events (unsuccessful login) showing up in the logs.

πŸ€” How Do I Spot Injections?

Windows Sysmon logs, 25. References Expand… Something here