I've been talking about Windows investigation last time with EVTX. Since then, I've been reading about investigations in Windows environment and warming up my Powershell.
On TryHackMe, there are a 3 "Investigating Windows" boxes (one, two, three ) and I thought it could be cool to go there. Those notes are more notes taken during the investigation than a write up. There are write ups online for the first box but they just give you the answer which really doesn't help you at all.
Information gathering
The first questions are about quick gathering of information, I've updated the commands used in my field manual.
A quick triage can be done with those common commands used in local reconnaissance:
hostname
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Then go gather information about users and their login time:
net users
net localgroup users
net localgroup administrators
net user <NAME> | findstr /B /C:"Last logon"
And some powershell magic for the latter part:
ForEach ($user in Get-LocalUser) {echo $user.Name $user.Lastlogon}
It is also possible to look in the Event Viewer and search manually for those login information. I did it, it awfully slow, too much noise and prone to errors. The Event Viewer is a really strong and powerful tool, but as long as you look for really quick information, Powershell seems to be enough.
The next step, as it is to look for scheduled tasks that could link to persistence of some malwares.
You can open the task scheduler manager (check this link for some information on how to use it in forensics) or try to go through the command line:
Get-ScheduledTask
# in the first box there are a bunch of suspicious files in "\"
Get-ScheduledTask -TaskPath "\"
Get-ScheduledTask -TaskPath "<NAME>" | Get-ScheduledTaskInfo
# check what kind of actions is ran for each task to find malicious scripts:
Get-ScheduledTask -TaskPath "\" | Select-Object -Property TaskName -ExpandProperty Actions
You should also look into AutoRuns at startup:
Get-CimInstance Win32_StartupCommand | Select-Object name, command, location, user | Format-List
Attack context
Now, you should have a general overview of the attack on those machines. Writing notes really helped me remembering the steps and from now I will do it each time. It's of utmost important to be really attentive to each details you see and try to get in the head of the attacker. Especially not to loose yourself in a rabbit hole of logs.
You should have a general idea of the system you are in, the amount and levels of users, a potential time of infection and which user was breached. The scheduled tasks found are persistence. Check this files as well as the other files in that directory to answer further questions. You have a potential: what, when and how.
You can look into logs with Get-EventLogs (check that documentation, it rocks) and the information you gathered so far. I did the exercise again and I found it really hard to get there again without notes. I had to redo the entire thought process and it was quite painful. Especially as the first time, I got lucky and the second I got lost in the rabbit hole.
From my beginner understanding, you should look for a specific pattern with your first clues and not just "something suspicious". Those are simple exercises and it's already easy to get lost in there.
# Check the available logs
Get-Eventlogs -List
Get-EventLog -LogName "Security" -After "MM/DD/YYYY HH:MM:SS" -Before "MM/DD/YYYY HH:MM:SS" -Message "*Special*"
Get-EventLog -LogName "Security" -After "MM/DD/YYYY HH:MM:SS" -Before "MM/DD/YYYY HH:MM:SS" -InstanceId 4672 | Format-List
Event ID 4672 is: special privileges assigned to new logon.
For network, check the host file:
Get-Content $env:SystemRoot\System32\Drivers\etc\hosts
You can look with netsh and netstat for more information, but here it isn't useful so I won't get more into those.
Registry keys
The Windows Registry is a hierarchical database of system configuration. You will find there "keys" that set up the configuration. As here there is a user compromise, you might try to look for "HKCU" (HKEY_CURRENT_USER) for modifications.
You can filter the events like to those keys with the Process Monitor.
Windows Management Instrumentation (WMI)
WMI "consists of a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification." (Wikipedia)
I am so far not really familiar with those. But you can monitor those processes with this and that.
And for these exercises it should do the trick.
First stop
Ok, so far, you've conducted most of the investigation and I think those resources will help you answer the majority of questions.
For the Yara and Loki questions, you might want to refer to the Yara Room. It isn't too hard and most of the information are there.
I tried to understand each of those tools or at least, feel comfortable in searching and working with those. I will be looking for automation scripts or write my own in the future.
I hope you enjoyed these notes and I'll get to the 3rd box right away!
Top comments (0)