How to check if the system was accessed remotely? What sort of remote connections is the attacker likely to be using?
*Are we looking for USB storage media activity or all USB devices? Like, cameras 📸? Headphones 🎧? As for the timestamps, you’ll usually have first (setupapi log) and last connected. There are also OS specific timestamps, like first or last install, first connect since reboot etc. Windows USB artifacts, macOS. See Event Manager’s codes 20001 and 20002 for USB events for verification or if the registry was updated. Look at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\<hardware id>\<instance id>\Device Parameters. More.
Admins on payroll and those “magnanimous volunteers” often tread the very same path, albeit guided by different compasses of motivation. Once our cunning adversary ascends to the lofty heights of respect usually reserved for the admin on payroll, the misuse of these management tools becomes bound only by the limits of their mischievous imagination.
Think of the terminal as a magic wand 🪄 of the attacker. The beauty for them is that they can do all sorts of nasty things remotely, but their beauty also lies with their forensics perks: one can review the history of this activity.
Windows ❗️These techniques require admin or higher privileges. ❗️Common with ransomware When the Security trail is deleted, 1102 is usually created afterwards.
Windows Tasks Event logs Two trails are of use are Microsoft-Windows-TaskScheduler/Operational 🍇 (disabled by default on the newer systems) and Security 🛡️.
Windows Event logs Monitoring for these events will cause a lot of noise and false positives.
Windows You can use Prefetch which is the most reliable source. However, if the program is NOT there, it doesn’t mean it wasn’t executed.
Windows Registry, of course. AmCache, Registry 🗄️ You can see firmware, hardware and OS info there.
Windows Event logs 📂 %system root%\System32\config\SecEvent.evt 📂 %system root%\System32\winevt\logs\Security.evtx It starts with the event 4720 (account created) and multiple 4732 events (member added to some security-enabled group).
Windows Event Logs There is a fine line between logon and account logon events, and that line is not just one word.
Windows Event logs There will be no shortage of 4625 events (unsuccessful login) showing up in the logs.
Windows Sysmon logs, 25. References Expand… Something here