🤔 Analysis Tips and Cheatsheets

🤔 How do I check for remote connections?

How to check if the system was accessed remotely? What sort of remote connections is the attacker likely to be using?

Devices Attached

Are we looking for USB storage media activity or for all USB devices, such as cameras 📸 or headphones 🎧? As for the timestamps, you will usually have first connected (from setupapi.dev.log) and last connected. There are also OS-specific timestamps, such as first or last install and first connect since reboot. Windows USB artifacts, macOS. Check Event Viewer IDs 20001 and 20002 (System log, source UserPnp) for USB installs, either to verify the registry timestamps or to confirm that the registry was updated at all. Look at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\ and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\<hardware id>\<instance id>\Device Parameters; storage media get the same layout under Enum\USBSTOR. More.
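The "first connected" timestamp comes from the Device Install sections of setupapi.dev.log. Below is an added Python example (not from the page or from any USB forensics tool) that pulls those sections out, separates storage (USBSTOR) from other USB devices, and keys the earliest install time on the device serial. The log excerpt is constructed to match the real file's layout; the VID/PID/serial values are made up. A second-character `&` in the instance id means Windows generated the id because the device reported no serial, which is why that check is included.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of %SystemRoot%\INF\setupapi.dev.log (not a real log).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0951&PID_1666\E0D55EA573DCF2A0A2400A8C]
>>>  Section start 2023/05/02 09:14:31.123
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
     dvi: {Build Driver List} 09:14:31.140
<<<  Section end 2023/05/02 09:14:33.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_1.00\E0D55EA573DCF2A0A2400A8C&0]
>>>  Section start 2023/05/02 09:14:34.001
<<<  Section end 2023/05/02 09:14:35.002
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_0825\5&2a1b3c4d&0&3]
>>>  Section start 2023/05/03 18:02:10.500
<<<  Section end 2023/05/03 18:02:12.000
<<<  [Exit status: SUCCESS]
"""

INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>\w+)\]")


def device_serial(device_id):
    """Last path element of the device instance id, minus the '&0' suffix USBSTOR appends."""
    inst = device_id.rsplit("\\", 1)[-1]
    return inst[:-2] if inst.endswith("&0") else inst


def has_real_serial(serial):
    """A '&' in the second position marks a Windows-generated id: the device had no serial."""
    return len(serial) > 1 and serial[1] != "&"


def parse_setupapi(text):
    """Return one record per Device Install section: id, storage flag, serial, first install, exit status."""
    devices, current = [], None
    for line in text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            dev_id = m.group("id")
            current = {"device_id": dev_id,
                       "is_storage": dev_id.upper().startswith("USBSTOR\\"),
                       "serial": device_serial(dev_id),
                       "first_install": None, "status": None}
            devices.append(current)
            continue
        if current is None:
            continue
        m = START_RE.match(line)
        if m and current["first_install"] is None:
            current["first_install"] = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"] = m.group("status")
            current = None  # section closed; ignore lines until the next install header
    return devices


def first_seen(devices):
    """Earliest install time per serial, so the USB and USBSTOR sections of one stick collapse together."""
    out = {}
    for d in devices:
        if d["first_install"] is None:
            continue
        s = d["serial"]
        if s not in out or d["first_install"] < out[s]:
            out[s] = d["first_install"]
    return out


if __name__ == "__main__":
    devs = parse_setupapi(SAMPLE_LOG)
    for d in devs:
        kind = "storage" if d["is_storage"] else "other"
        real = "real serial" if has_real_serial(d["serial"]) else "no serial (generated id)"
        print(f"{d['first_install']}  {kind:8}  {d['serial']:28}  {real}  {d['status']}")
```

Only the first install is in this log; the last-connected time has to come from the registry keys named above, so pair the two before drawing a timeline.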

🤔 How Do I Audit Management Tools?

Admins on payroll and uninvited “volunteers” often tread the very same path, albeit guided by different motives. Once the adversary has climbed to the level of privilege normally reserved for the admin on payroll, the misuse of remote management tools is bound only by the limits of their imagination, so audit their use the same way regardless of who holds the keys: who ran what, from where, and when.

🤔 How Do I Investigate Terminal Activity?

Think of the terminal as the attacker's magic wand 🪄. The beauty for them is that they can do all sorts of nasty things remotely; the beauty for us is the forensic perk: the history of that activity can be reviewed (shell history files such as ~/.bash_history and ~/.zsh_history, and PowerShell's ConsoleHost_history.txt under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine). Keep in mind that history is written when the shell exits and is trivially disabled or edited by whoever owns the session, so an empty history is not proof of an empty session.

🤔 How Do I Check For Logs Clearing?

Windows

❗️These techniques require admin or higher privileges. ❗️Common with ransomware.

When the Security log is cleared, event 1102 is usually written to the Security log afterwards. When any other log is cleared, EID 104 is generated in the System log (it names the cleared channel).

Event logs are NOT designed to be deleted selectively: it is all or nothing. However, some tools are capable of circumventing this and can effectively clear the logs partially.

  1. 🛠️ Mimikatz - 📕 event::drop patches the event log service so that it stops writing Security events. It can't restart it, though, so the gap in the log is obvious.
  2. 🛠️ DanderSpritz - (leaked by the Shadow Brokers) its eventlogedit module changes the pointers to the next event in the record headers, so the events are not deleted but are not visible to the usual tooling either. Deep-dive forensics (carving the raw .evtx) helps here.
  3. 🛠️ Invoke-Phant0m - kills the threads of the event log service so that nothing is written at all.

One can also suspend the event log process or patch it in memory. However, all of these actions require 👑 (administrative privileges).

🤔 How Do I Check For Malicious Autostarts?

Windows

Tasks

Event logs

Two logs are of use: Microsoft-Windows-TaskScheduler/Operational 🐇 (disabled by default on newer systems) and Security 🛑️ (the 47xx task events need "Audit Other Object Access Events" enabled).

🐇 TaskScheduler/Operational   🛑️ Security    Info
106                            4698           Task created
140                            4702           Task updated
141                            4699           Task deleted
200 / 201                      -              Task executed / completed
-                              4700 / 4701    Task enabled / disabled

✍🏻 On older Windows 👴🏼 it's event 602. Also, task configuration files are in binary format with a .job extension and can be parsed by the jobparser.py script; on newer systems the tasks are XML files under %SystemRoot%\System32\Tasks, with matching entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache.
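Security event 4698 carries the whole task definition in its TaskContent field as XML, which is where the command, the account it runs as and the trigger live. The following is an added Python example, not code from the page or from any task-scheduler tool, that parses that XML and raises the flags an analyst would check first. The 4698 record is constructed and trimmed to the fields the code uses; the list of "user-writable" directories is an assumption to tune per environment.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed set of locations where a scheduled task binary would not normally live.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")

# Constructed 4698 event reduced to the EventData fields used here (not a real log record).
SAMPLE_4698 = {
    "SubjectUserName": "jdoe",
    "TaskName": "\\Microsoft\\Windows\\Updater",
    "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\jdoe</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\Libraries\svchost.exe</Command>
      <Arguments>-k netsvcs</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def _text(node, path):
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def parse_task_xml(xml_text):
    """Pull author, principal, triggers and Exec actions out of a Task Scheduler XML definition."""
    # Event exports carry a UTF-16 declaration on an already-decoded string; drop it before parsing.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    triggers = [el.tag.split("}")[-1] for el in root.findall("t:Triggers/*", NS)]
    actions = [(_text(ex, "t:Command"), _text(ex, "t:Arguments"))
               for ex in root.findall("t:Actions/t:Exec", NS)]
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "run_as": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "hidden": _text(root, "t:Settings/t:Hidden").lower() == "true",
        "triggers": triggers,
        "actions": actions,
    }


def triage_4698(event):
    """Return the parsed task plus the reasons it deserves a second look."""
    task = parse_task_xml(event["TaskContent"])
    flags = []
    for cmd, args in task["actions"]:
        low = cmd.lower()
        if any(p in low for p in USER_WRITABLE):
            flags.append("command in user-writable path")
        if "powershell" in low and re.search(r"-(e|ec|enc|encodedcommand)\b", args.lower()):
            flags.append("encoded powershell")
    if task["run_as"] == "S-1-5-18" or task["run_level"] == "HighestAvailable":
        flags.append("runs elevated")
    if task["hidden"]:
        flags.append("hidden task")
    if any(t in ("LogonTrigger", "BootTrigger") for t in task["triggers"]):
        flags.append("persistence trigger")
    return {"task": event["TaskName"], "created_by": event["SubjectUserName"], **task, "flags": flags}


if __name__ == "__main__":
    result = triage_4698(SAMPLE_4698)
    print(result["task"], "by", result["created_by"], "->", result["actions"])
    print("flags:", ", ".join(result["flags"]))
```

The same parser works on the XML files under %SystemRoot%\System32\Tasks, which matters when the Security audit policy was off and 4698 was never written.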

🤔 How Do I Check For Reconnaissance Activity?

Windows

Event logs

Monitoring for these events will cause a lot of noise and false positives. You need to do it in a smart way:

  1. Filter for sensitive groups.
  2. Whitelist the processes that perform such activity legitimately: mmc.exe, services.exe, taskhost.exe, explorer.exe, vsssvc.exe. Presume everything else to be unusual.
  3. Which accounts are NOT supposed to do recon?
  4. Which group was queried? The Administrators group (or other groups with higher privileges) is the most desirable piece of the pie.

4798 - a user's local group membership was enumerated. 4799 - a security-enabled local group's membership was enumerated. Both events exist from Windows 10 / Server 2016 onwards and record the calling process (CallerProcessName), which is what the whitelist above is matched against.

🤔 How do I check program execution?

Windows

You can use Prefetch, which is the most reliable source. However, if the program is NOT there, it doesn't mean it wasn't executed: Prefetch is off by default on server editions, the folder holds a limited number of entries (128 up to Windows 7, 1024 from Windows 8), and the compressed format on Windows 10 and later needs a parser that handles it.

Another artefact of use is AmCache. What's great about it is that, among other things, it stores SHA-1 hashes of the files (computed over the first 31 MB). Although it is not proof of the program being executed, it can show the PRESENCE of files (executables and drivers) on the system.

ShimCache (AppCompatCache in the SYSTEM hive) records the file path and last-modified time, but on Windows 8 and later it is also only evidence of presence, not of execution.

It is ok to collect artefacts like that manually, but it's better to do so at scale. Some tools were designed to process these artefacts and put everything into an SQL database so the sources can be joined and queried together.
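To show what the "everything in one SQL database" approach buys, here is an added Python/sqlite3 example that is not from the page or from any of the tools it alludes to. It loads constructed records in the shape a Prefetch, AmCache and ShimCache parser would emit, joins them on the executable name, and labels each binary "executed" only when Prefetch says so, otherwise "present, execution unproven", which is exactly the caveat above. The sample file names, hashes and times are made up.

```python
import sqlite3

# Constructed sample records in the shape a parser for each artefact would emit (not real evidence).
PREFETCH = [  # (prefetch file name, last run time, run count)
    ("POWERSHELL.EXE-59FC8F3D.pf", "2024-02-01T10:04:00", 12),
    ("PROCDUMP64.EXE-1A2B3C4D.pf", "2024-02-01T10:20:00", 1),
]
AMCACHE = [  # (full path, SHA-1 of the first 31 MB, time the entry was written)
    (r"c:\windows\system32\windowspowershell\v1.0\powershell.exe", "a" * 40, "2023-11-12T08:00:00"),
    (r"c:\users\public\procdump64.exe", "b" * 40, "2024-02-01T10:19:50"),
    (r"c:\users\public\mimikatz.exe", "c" * 40, "2024-02-01T10:19:51"),
]
SHIMCACHE = [  # (full path, last-modified time of the file, position in the cache)
    (r"C:\Users\Public\procdump64.exe", "2024-01-30T00:00:00", 1),
    (r"C:\Users\Public\mimikatz.exe", "2024-01-30T00:00:00", 2),
]


def exe_name(path):
    """Normalise any artefact's file reference to a lower-case basename for joining."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def prefetch_exe(pf_name):
    """'CALC.EXE-1A2B3C4D.pf' -> 'calc.exe' (the suffix is a hash of the executable's path)."""
    return pf_name.rsplit("-", 1)[0].lower()


def build_db(prefetch=PREFETCH, amcache=AMCACHE, shimcache=SHIMCACHE):
    """One table per artefact, all keyed on the normalised executable name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE prefetch(exe TEXT, last_run TEXT, run_count INTEGER);
        CREATE TABLE amcache(exe TEXT, path TEXT, sha1 TEXT, written TEXT);
        CREATE TABLE shimcache(exe TEXT, path TEXT, last_modified TEXT, position INTEGER);
    """)
    conn.executemany("INSERT INTO prefetch VALUES (?,?,?)",
                     [(prefetch_exe(n), t, c) for n, t, c in prefetch])
    conn.executemany("INSERT INTO amcache VALUES (?,?,?,?)",
                     [(exe_name(p), p, h, w) for p, h, w in amcache])
    conn.executemany("INSERT INTO shimcache VALUES (?,?,?,?)",
                     [(exe_name(p), p, m, i) for p, m, i in shimcache])
    return conn


# Every name seen by any artefact, with whatever each artefact knows about it.
QUERY = """
WITH names AS (
    SELECT exe FROM prefetch UNION SELECT exe FROM amcache UNION SELECT exe FROM shimcache
)
SELECT n.exe, p.last_run, p.run_count, a.path, a.sha1, s.last_modified
FROM names n
LEFT JOIN prefetch  p ON p.exe = n.exe
LEFT JOIN amcache   a ON a.exe = n.exe
LEFT JOIN shimcache s ON s.exe = n.exe
ORDER BY n.exe
"""


def execution_summary(conn):
    """Map exe -> verdict plus the supporting fields; only Prefetch upgrades 'present' to 'executed'."""
    out = {}
    for exe, last_run, run_count, path, sha1, modified in conn.execute(QUERY):
        verdict = "executed" if last_run is not None else "present, execution unproven"
        out[exe] = {"verdict": verdict, "last_run": last_run, "run_count": run_count,
                    "path": path, "sha1": sha1, "shimcache_modified": modified}
    return out


if __name__ == "__main__":
    for exe, row in execution_summary(build_db()).items():
        print(f"{exe:18} {row['verdict']:28} sha1={row['sha1']} last_run={row['last_run']}")
```

The SHA-1 column is what you hand to threat intelligence; the "unproven" rows are what you go and look for in other sources (Prefetch may simply have rolled over, or the binary ran from a server with Prefetch disabled).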

🤔 How Do I Check System Information?

Windows

Registry, of course.

AmCache, Registry 🗄️

You can see firmware, hardware and OS info there (AmCache.hve keeps an inventory of the system, installed programs, files and drivers). Note that the artefact has proved to be highly “volatile”: its structure changes from update to update, so the parser has to match the Windows build.

macOS

Linux

iOS

Backups

📂 /Users/username/Library/Application\ Support/MobileSync/Backup/<UDID>/: Info.plist (device name, UDID, serial number, iOS version, last backup date, installed apps), Manifest.plist (backup version and whether it is encrypted), Status.plist (when the backup finished and whether it completed).

Lockdown files

📂 /private/var/db/lockdown/<UDID>.plist: pairing records for every iPhone that was trusted on this Mac, including the Wi-Fi MAC address of the connected iPhone.
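Both artefacts are property lists, so the standard library is enough to read them. The following is an added Python example, not from the page, that parses an Info.plist and a lockdown pairing record and joins them on UDID, which answers "was this backed-up phone ever plugged into this Mac, and what was its Wi-Fi MAC?". The two plists are constructed in memory with made-up identifiers; the `load_from_disk` helper shows how the same functions apply to the real paths.

```python
import plistlib
from datetime import datetime
from pathlib import Path

BACKUP_ROOT = Path("/Users/username/Library/Application Support/MobileSync/Backup")
LOCKDOWN_DIR = Path("/private/var/db/lockdown")

# Constructed plists standing in for <UDID>/Info.plist and lockdown/<UDID>.plist (not a real device).
UDID = "00008030-000A1B2C3D4E5F67"
INFO_PLIST = plistlib.dumps({
    "Device Name": "Alice's iPhone",
    "Product Type": "iPhone12,1",
    "Product Version": "16.5",
    "Serial Number": "F2LXXXXXXXXX",
    "Unique Identifier": UDID,
    "Target Identifier": UDID,
    "Last Backup Date": datetime(2024, 2, 1, 9, 30),
    "Installed Applications": ["com.apple.mobilesafari", "org.example.messenger"],
})
LOCKDOWN_PLIST = plistlib.dumps({
    "HostID": "7A0C1E4E-2B3D-4F5A-9C8B-1234567890AB",
    "SystemBUID": "3F2E1D0C-4B5A-6978-8A9B-ABCDEF012345",
    "WiFiMACAddress": "a4:83:e7:12:34:56",
    "DeviceCertificate": b"constructed-placeholder",
})


def parse_backup_info(data):
    """Summarise a backup folder's Info.plist; dates come back as naive datetimes from plistlib."""
    info = plistlib.loads(data)
    last = info.get("Last Backup Date")
    return {
        "udid": info.get("Unique Identifier") or info.get("Target Identifier"),
        "device_name": info.get("Device Name"),
        "product": f"{info.get('Product Type')} iOS {info.get('Product Version')}",
        "serial": info.get("Serial Number"),
        "last_backup": last.isoformat() if last else None,
        "apps": list(info.get("Installed Applications", [])),
    }


def parse_lockdown(udid, data):
    """The pairing record is named after the UDID; the MAC is the WiFiMACAddress key."""
    rec = plistlib.loads(data)
    return {"udid": udid, "wifi_mac": rec.get("WiFiMACAddress"), "host_id": rec.get("HostID")}


def correlate(backups, lockdowns):
    """Join backups with pairing records on UDID. No record means the phone was trusted on another host."""
    rows = []
    for udid, info in backups.items():
        rec = lockdowns.get(udid)
        rows.append({**info, "paired_here": rec is not None,
                     "wifi_mac": rec["wifi_mac"] if rec else None})
    return rows


def load_from_disk(backup_root=BACKUP_ROOT, lockdown_dir=LOCKDOWN_DIR):
    """Read every backup folder and pairing record on a live Mac or a mounted image."""
    backups = {p.parent.name: parse_backup_info(p.read_bytes())
               for p in backup_root.glob("*/Info.plist")}
    lockdowns = {p.stem: parse_lockdown(p.stem, p.read_bytes())
                 for p in lockdown_dir.glob("*.plist") if p.stem != "SystemConfiguration"}
    return correlate(backups, lockdowns)


if __name__ == "__main__":
    rows = correlate({UDID: parse_backup_info(INFO_PLIST)}, {UDID: parse_lockdown(UDID, LOCKDOWN_PLIST)})
    for r in rows:
        print(r["device_name"], r["udid"], r["last_backup"], "paired:", r["paired_here"], r["wifi_mac"])
```

Reading /private/var/db/lockdown needs root; the backup folder only needs the user's own permissions.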

🤔 How Do I Find Malicious or Compromised Accounts?

Windows

Event logs

📂 %SystemRoot%\System32\config\SecEvent.evt (legacy, up to XP/2003) 📂 %SystemRoot%\System32\winevt\Logs\Security.evtx

It starts with event 4720 (account created), followed by one or more 4732 events (member added to a security-enabled local group). The account must be enabled (4722) before it can be used, and 4722 normally follows 4720 within seconds. You might also see 4738 (account was changed) or even 4724 (password reset attempt). Correlate on the TargetSid (4720/4722) and MemberSid (4728/4732) rather than on the account name, which can be changed afterwards.

✍🏻 4728 - member was added to a security-enabled global group.

✍🏻 4732 - member was added to a security-enabled local group.
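Tying together the log-clearing (1102/104), reconnaissance (4798/4799) and account-creation (4720/4722/4728/4732) sections above, here is an added Python detection example that is not part of the original cheatsheet. It runs over constructed event records (channel, EventID, time and the EventData fields each event really carries), applies the process whitelist from the reconnaissance section, and chains account events on SID within a time window. The sensitive-group list beyond Administrators is an assumption to adapt to your domain.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Processes the cheatsheet lists as legitimate sources of 4798/4799, matched on basename.
RECON_ALLOWLIST = {"mmc.exe", "services.exe", "taskhost.exe", "explorer.exe", "vsssvc.exe"}
# Assumed set of high-value groups; extend for your environment.
SENSITIVE_GROUPS = {"administrators", "domain admins", "enterprise admins",
                    "backup operators", "remote desktop users"}

# Constructed sample events (channel, EventID, time, EventData), not exported from a real host.
EVENTS = [
    {"channel": "Security", "id": 4720, "time": "2024-02-01T10:00:00",
     "data": {"SubjectUserName": "jdoe", "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-2-3-1105"}},
    {"channel": "Security", "id": 4722, "time": "2024-02-01T10:00:01",
     "data": {"SubjectUserName": "jdoe", "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-2-3-1105"}},
    {"channel": "Security", "id": 4732, "time": "2024-02-01T10:00:05",
     "data": {"SubjectUserName": "jdoe", "MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Administrators"}},
    {"channel": "Security", "id": 4799, "time": "2024-02-01T10:02:00",
     "data": {"SubjectUserName": "jdoe", "TargetUserName": "Administrators",
              "CallerProcessName": r"C:\Windows\System32\net1.exe"}},
    {"channel": "Security", "id": 4799, "time": "2024-02-01T10:03:00",
     "data": {"SubjectUserName": "SYSTEM", "TargetUserName": "Administrators",
              "CallerProcessName": r"C:\Windows\System32\mmc.exe"}},
    {"channel": "Security", "id": 4798, "time": "2024-02-01T10:04:00",
     "data": {"SubjectUserName": "jdoe", "TargetUserName": "Administrator",
              "CallerProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}},
    {"channel": "Security", "id": 1102, "time": "2024-02-01T11:30:00", "data": {"SubjectUserName": "jdoe"}},
    {"channel": "System", "id": 104, "time": "2024-02-01T11:30:02",
     "data": {"SubjectUserName": "jdoe", "Channel": "Microsoft-Windows-TaskScheduler/Operational"}},
]


def _t(e):
    return datetime.fromisoformat(e["time"])


def _proc(e):
    return PureWindowsPath(e["data"].get("CallerProcessName", "")).name.lower()


def find_log_clears(events):
    """1102 in Security means the Security log went; 104 in System names any other cleared channel."""
    out = []
    for e in events:
        if e["channel"] == "Security" and e["id"] == 1102:
            out.append({"time": e["time"], "cleared": "Security", "by": e["data"].get("SubjectUserName")})
        elif e["channel"] == "System" and e["id"] == 104:
            out.append({"time": e["time"], "cleared": e["data"].get("Channel"), "by": e["data"].get("SubjectUserName")})
    return out


def find_suspicious_recon(events, allowlist=RECON_ALLOWLIST, sensitive=SENSITIVE_GROUPS):
    """Keep 4798 from any non-whitelisted process, and 4799 only when a sensitive group was queried."""
    out = []
    for e in events:
        if e["channel"] != "Security" or e["id"] not in (4798, 4799):
            continue
        proc = _proc(e)
        if proc in allowlist:
            continue  # step 2 of the cheatsheet: legitimate enumerators are filtered out
        target = e["data"].get("TargetUserName", "")
        if e["id"] == 4798 or target.lower() in sensitive:
            out.append({"time": e["time"], "id": e["id"], "user": e["data"].get("SubjectUserName"),
                        "process": proc, "target": target})
    return out


def find_account_chains(events, window=timedelta(hours=1)):
    """Chain 4720 -> 4722 -> 4728/4732 on the new account's SID inside a time window."""
    chains = {}
    for e in sorted(events, key=_t):
        if e["channel"] != "Security":
            continue
        d = e["data"]
        if e["id"] == 4720:
            chains[d["TargetSid"]] = {"account": d["TargetUserName"], "created": e["time"],
                                      "created_by": d["SubjectUserName"], "enabled": None, "groups": []}
            continue
        sid = d.get("TargetSid") if e["id"] == 4722 else d.get("MemberSid")
        c = chains.get(sid)
        if c is None or _t(e) - datetime.fromisoformat(c["created"]) > window:
            continue
        if e["id"] == 4722:
            c["enabled"] = e["time"]
        elif e["id"] in (4728, 4732):
            c["groups"].append(d["TargetUserName"])
    for c in chains.values():
        c["privileged"] = any(g.lower() in SENSITIVE_GROUPS for g in c["groups"])
    return chains


if __name__ == "__main__":
    print("log clears:", find_log_clears(EVENTS))
    print("recon:", find_suspicious_recon(EVENTS))
    print("accounts:", find_account_chains(EVENTS))
```

The 104 record arriving two seconds after 1102 is the usual ransomware signature of a blanket `wevtutil cl` loop; the account chain that ends in Administrators a few seconds after creation is what step 4 of the reconnaissance checklist is really hunting for.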