# Windows Forensic Examination and Threat Hunting

1) [Identifying Suspicious Processes](https://github.com/McL0vinn/Windows-Forensic-Examination-and-Threat-Hunting/blob/main/README.md#Identifying-Suspicious-Processes)
2) [Identifying Suspicious Network Activity](https://github.com/McL0vinn/Windows-Forensic-Examination-and-Threat-Hunting/blob/main/README.md#Identifying-Suspicious-Network-Activity)
3) [Identifying Suspicious Services](https://github.com/McL0vinn/Windows-Forensic-Examination-and-Threat-Hunting/blob/main/README.md#identifying-suspicious-services)
4) [Identifying Suspicious Registry ASEPs/Autostart Folders](https://github.com/McL0vinn/Windows-Forensic-Examination-and-Threat-Hunting/blob/main/README.md#identifying-suspicious-registry-asepsautostart-folders)
5) [Identifying Suspicious Account Activity](https://github.com/McL0vinn/Windows-Forensic-Examination-and-Threat-Hunting/blob/main/README.md#Identifying-Suspicious-Account-Activity)
6) [Identifying Suspicious Scheduled Tasks](https://github.com/McL0vinn/Windows-Forensic-Examination-and-Threat-Hunting/blob/main/README.md#identifying-suspicious-scheduled-tasks)
7) [Identifying Suspicious Log Entries](https://github.com/McL0vinn/Windows-Forensic-Examination-and-Threat-Hunting/blob/main/README.md#identifying-suspicious-log-entries)
8) [Identifying Suspicious SMB Activity](https://github.com/McL0vinn/Windows-Forensic-Examination-and-Threat-Hunting/blob/main/README.md#identifying-suspicious-smb-activity)
9) [Miscellaneous](https://github.com/McL0vinn/Windows-Forensic-Examination-and-Threat-Hunting/blob/main/README.md#miscellaneous)

Identifying Suspicious Processes
----------------------------------------------------------------------------

1) C:\> taskmgr.exe = opens the Task Manager GUI.
2) C:\> tasklist = displays the processes currently running on the local computer (or on a remote computer with /s).
3) C:\> tasklist /v = verbose output: adds Status, User Name, CPU Time and Window Title to the PID and Mem Usage columns.
4) C:\> tasklist /m = lists every process together with the DLL modules it has loaded. Give a module name (tasklist /m ntdll.dll) to show only the processes that loaded that module.
5) C:\> tasklist /fi = filters the query. The filter is a "property operator value" triple (imagename, pid, username, status, services, modules, windowtitle with eq/ne/gt/lt/ge/le); examples below.
6) C:\> tasklist /v /fi "pid eq 555"
7) C:\> tasklist /m /fi "pid eq 555"
8) C:\> tasklist /v | findstr /i Teams.exe
9) C:\> tasklist /m | findstr /i Teams.exe

Wmic is even more powerful than tasklist: it exposes the command line and the parent PID, which tasklist never shows.
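The same enumeration in PowerShell, via Get-CimInstance on Win32_Process (the class wmic queries; it also works where wmic has been removed). The function below is an added example, not code from the original page or the repository: it resolves each parent's name and applies the path, naming, parent/child and encoded-command checks from the Watch out list that follows the wmic commands. The trusted roots, the case-flip heuristic for random-looking names and the list of bad parent/child pairs are illustrative assumptions, not a complete rule set. Run it from an elevated prompt; otherwise the command lines and owners of other users' processes are not visible.

```powershell
# Added example (not from the original page): the wmic/tasklist enumeration done via CIM,
# with the Watch-out checks applied. Trusted roots, the naming heuristic and the
# parent/child pairs are assumptions chosen for illustration; extend them for your estate.
function Get-SuspiciousProcess {
    [CmdletBinding()]
    param(
        # Roots from which legitimate binaries are expected to run (assumption)
        [string[]]$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\"),
        # parent>child pairs that should not occur on a healthy host (assumption, lower-case)
        [string[]]$BadPairs = @('lsass.exe>cmd.exe', 'lsass.exe>powershell.exe',
                                'winword.exe>powershell.exe', 'excel.exe>powershell.exe',
                                'iexplore.exe>powershell.exe', 'services.exe>cmd.exe')
    )

    $procs = Get-CimInstance -ClassName Win32_Process   # same class "wmic process" queries
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $reasons    = [System.Collections.Generic.List[string]]::new()
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<none/exited>' }
        $path       = $p.ExecutablePath

        # Owner via the GetOwner method (fails for protected processes; left as n/a)
        $owner = '<n/a>'
        try {
            $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
            if ($o.ReturnValue -eq 0 -and $o.User) { $owner = "$($o.Domain)\$($o.User)" }
        } catch { }

        # Check: running from a non-standard path (Temp, Downloads, Music, ...)
        if ($path) {
            $trusted = $false
            foreach ($root in $TrustedRoots) {
                if ($root.Length -gt 1 -and $path.StartsWith($root, 'OrdinalIgnoreCase')) { $trusted = $true }
            }
            if (-not $trusted) { $reasons.Add("non-standard path: $path") }
        }

        # Check: random-looking name; crude heuristic = many upper/lower case flips (hJoIuG.exe)
        $base  = [System.IO.Path]::GetFileNameWithoutExtension($p.Name)
        $flips = 0
        for ($i = 1; $i -lt $base.Length; $i++) {
            if ([char]::IsUpper($base[$i]) -ne [char]::IsUpper($base[$i - 1])) { $flips++ }
        }
        if ($base -cmatch '^[A-Za-z]{6,}$' -and $flips -ge 4) { $reasons.Add("random-looking name: $($p.Name)") }

        # Check: a core Windows binary name running outside the Windows directory
        if ($p.Name -match '^(svchost|lsass|csrss|winlogon|services|explorer)\.exe$' -and
            $path -and -not $path.StartsWith("$env:SystemRoot\", 'OrdinalIgnoreCase')) {
            $reasons.Add("core name outside the Windows directory: $path")
        }

        # Check: suspicious parent/child relationship
        $pair = "$parentName>$($p.Name)".ToLowerInvariant()
        if ($BadPairs -contains $pair) { $reasons.Add("parent/child: $parentName -> $($p.Name)") }

        # Check: Base64-encoded PowerShell command line (-e/-ec/-enc/-EncodedCommand)
        if ($p.CommandLine -match '(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') {
            $reasons.Add('encoded command line')
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                PID         = $p.ProcessId
                Name        = $p.Name
                Parent      = $parentName
                PPID        = $p.ParentProcessId
                Owner       = $owner
                Path        = $path
                Reasons     = ($reasons -join '; ')
                CommandLine = $p.CommandLine
            }
        }
    }
}

# Everything that tripped at least one check; pipe to Export-Csv to keep a copy with the case
Get-SuspiciousProcess | Sort-Object PID | Format-Table PID, Name, Parent, Owner, Reasons -AutoSize -Wrap
```

Every hit still has to be judged in context (a developer's build output in a Temp folder trips the path check too); the output is a worklist, not a verdict.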
1) C:\> wmic process list brief = brief list of the running processes (handle count, name, priority, PID, thread count, working set)
2) C:\> wmic process list full = every property of every running process (long)
3) C:\> wmic process get Name,CommandLine,Description,ProcessId,ParentProcessId = return only the fields you name
4) C:\> wmic process where processid=600 list full = every property of the process with PID 600
5) C:\> wmic process where name="Teams.exe" get ProcessId,ParentProcessId = select the process(es) named Teams.exe but return only their PID and parent PID (the value in the where clause must be quoted)
6) C:\> wmic process where processid=555 = no verb given, so wmic prints its default property set for PID 555

Note: wmic is deprecated and is no longer installed by default on recent Windows 11 builds; PowerShell's Get-CimInstance Win32_Process returns the same data.

Watch out for:
1) Is this a new or unrecognized process? (Ideally cross-reference with a baseline image of a known-good build if you have one; it makes picking out what deviates from "normal activity" much easier.)
2) Is the process name random-looking (e.g. hJoIuG.exe)?
3) Does the process have a name that imitates a legitimate one (sCvhost.exe instead of sVChost.exe, or an svchost.exe that lives outside System32)?
4) Is it unsigned? (Microsoft signs practically every binary it ships, so an unsigned "Microsoft" file is a red flag. Process Explorer's Verified Signer column or Get-AuthenticodeSignature will tell you.)
5) Does the digital signature not match the expected publisher? (A stolen or leaked developer signing key.)
6) Is it running from a non-standard path (C:\Temp, C:\Users\<user>\Downloads, C:\Users\<user>\Music, etc.)?
7) Is the parent suspicious? (The child can be legitimate while the parent is not.)
8) Is the parent-child relationship suspicious? (e.g. lsass.exe spawning cmd.exe, or a browser or Office application such as iexplore.exe or winword.exe spawning powershell.exe.)
9) Is the process tied to suspicious activity? (e.g. connections to a known-malicious IP/URL/host/domain.)
10) Does the command line carry a Base64-encoded payload (powershell -enc / -EncodedCommand)?
11) A tool can serve benign and malicious purposes at the same time (e.g. PsExec is used by admins and by attackers moving laterally); judge by context, not by the name alone.
12) Suspicious does not necessarily mean malicious.
13) Core Windows processes run as SYSTEM, LOCAL SERVICE or NETWORK SERVICE. A process that normally runs under one of those accounts but shows up under an ordinary user account (or the other way round) deserves a second look.


Identifying Suspicious Network Activity
-----------------------------------------

1) C:\> netstat -abno = this is pretty much all you need (run it from an elevated prompt; -b needs administrator rights)
2) C:\> netstat -abno 5 = the same output, automatically refreshed every 5 seconds (the interval is the trailing number; there is no separate "-n 5" switch, -n is already part of -abno)

-n = addresses and port numbers are shown numerically; no attempt is made to resolve names.
-a = displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
-b = shows the executable that created each connection or listening port; where a well-known host process (e.g. svchost.exe) is involved, the DLLs/components that opened the port are shown in brackets.
-o = shows the owning process ID of each connection, which you can then cross-reference with tasklist /v /fi "pid eq <PID>".

You can redirect the output into a .txt file if that makes the results easier to analyse, e.g. netstat -abno > C:\Users\McL0vin\Desktop\netstat.txt

Watch out for:
1) Network activity that is abnormal for the associated process (e.g. notepad.exe with an inbound or outbound connection to a public IP).
2) Network activity that is abnormal for your environment/business unit/organization (lots of traffic at weekends, late hours or holidays, long-running HTTP/HTTPS sessions, etc.). There are two ways to spot it: have a baseline of business-as-usual activity, or know your environment VERY well.
3) Network activity from/to known-malicious IPs/domains/URLs/hosts (use threat intel and OSINT sources such as AlienVault OTX, AbuseIPDB, VirusTotal and Hybrid Analysis to identify those IOCs).


Identifying Suspicious Services
----------------------------------

1) services.msc = opens the Services GUI. Shows ALL services (running or not) with their Description, Status, Startup Type and Log On As account.
2) net start = lists ONLY the running services.
3) sc query | more = a lot of information for each service; can be chaotic.
It lists only running services by default; add state= all (sc query state= all) to include stopped ones.
4) tasklist /svc = shows which services are hosted by each process, along with the PIDs (maps services to processes; essential for svchost.exe, which hosts several services per instance).

Watch out for:
1) New services / deleted services / stopped services (ideally cross-reference with a baseline image if you have one; otherwise talk to your sysadmins).
2) The "Path to executable" looks abnormal (run services.msc --> right-click a service --> Properties): user-writable paths, a script interpreter such as cmd.exe or powershell.exe as the service binary, or a path with spaces that is not quoted.


Identifying Suspicious Registry ASEPs/Autostart Folders
------------------------------------------------------

Windows has numerous registry and file-system locations that can be used to start software without a user taking a specific action. These locations are called Autostart Extensibility Points (ASEPs).

The majority of malware manipulates the same handful of registry keys in order to establish persistence and survive a reboot. Those are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

On 64-bit Windows, 32-bit software is registered under HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run as well. These keys are only the most common ASEPs; services, scheduled tasks, Winlogon entries and WMI event subscriptions are others, and Sysinternals Autoruns enumerates all of them.

1) C:\> regedit = opens the Registry Editor GUI to browse the hives/keys manually
2) C:\> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run = displays the values under the specified key (repeat for each key above)
3) C:\> taskmgr.exe = Task Manager GUI;
go to the Startup tab to see the autostart entries with Name, Publisher and Status.

These registry keys execute programs when the system boots or when a user logs on (the easiest way to establish persistence, so attackers usually register their backdoors there to survive a reboot).

Autostart folders are associated with users. The programs in them are invoked automatically each time the given user logs on and are sometimes altered by malware.

1) C:\> dir /s /b "C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" = lists the contents of a user's autostart folder (the switches are /s and /b; the all-users folder is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp)
2) C:\> start msconfig.exe = opens a small GUI with boot options and startup selection (on Windows 8 and later its Startup tab just points you to Task Manager)
3) C:\> wmic startup list full = lists the autostart programs from the Run keys and the startup folders (Win32_StartupCommand), with the command and the user they apply to
4) Right-click the taskbar --> Task Manager --> Startup = the same list as a GUI, with Name, Publisher and Status.

Watch out for:

1) Entries pointing to user-writable locations (AppData, Temp, Downloads, the user profile, the Recycle Bin) rather than Program Files or System32.
2) Entries that launch a script interpreter or LOLBin (powershell.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe, regsvr32.exe) with a script, URL or encoded argument instead of a normal application.
3) Entries whose name imitates a legitimate product or a Windows component but whose path or publisher does not match.
4) Entries that have appeared since your baseline, or that no installed product accounts for (ask the user and the sysadmins).


Identifying Suspicious Account Activity
--------------------------------------

1) c:\> lusrmgr.msc = opens the Local Users and Groups GUI to check the users and groups defined on the machine (not available on Home editions)
2) C:\> net user = lists the local user accounts (net user <name> shows one account's details, including last logon and group memberships)
3) C:\> net localgroup administrators = shows who is in the group you specify (in this case the accounts in the local Administrators group)

Watch out for:

1) Accounts you did not create: new local accounts, especially ones named to blend in (support, backup, admin, or a name resembling a service account).
2) Unexpected members of Administrators or Remote Desktop Users, and membership changes made outside a change window.
3) Accounts with "Password never expires" or "Password not required" set, a recently enabled Guest or built-in Administrator account, and logon activity on accounts that should be dormant.
4) Logon times and sources that do not fit the user (late at night, from a server or from another workstation rather than their own).


Identifying Suspicious Scheduled Tasks
------------------------------------

1) C:\> schtasks = lists the scheduled tasks with Folder, Task Name, Next Run Time and Status (can be chaotic depending on the environment; redirect it to a .txt file for easier reading, add /query /fo LIST /v for the full detail of every task, or use | findstr if you know what you are looking for)
2) C:\> taskschd.msc = opens the Task Scheduler GUI, with triggers, actions, conditions etc.
Much easier to work with than the raw schtasks output.
3) PS C:\> Get-ScheduledTask = PowerShell cmdlet that lists the scheduled tasks on the system with TaskPath, TaskName and State (pipe into Get-ScheduledTaskInfo for last/next run time and last result)
4) PS C:\> Get-ScheduledTask -TaskName "THIS IS SPARTA" = use this if you already know the name of the task you are looking for

Watch out for:

1) Unusual scheduled tasks, especially those that run as SYSTEM, as a member of Administrators, or with a blank user name.
2) Tasks whose action runs from a user-writable path or launches a script interpreter (powershell.exe, wscript.exe, cmd.exe, mshta.exe, rundll32.exe), tasks with odd triggers (at logon of any user, every few minutes, on an event), and tasks created outside a patch/change window. The task definitions are XML files under C:\Windows\System32\Tasks; their Author and Date fields are worth reading.


Identifying Suspicious Log Entries
-------------------------------

1) C:\> eventvwr.msc = opens the Event Viewer GUI (the most eye-friendly way)
2) C:\> wevtutil qe Security /f:text = dumps the event log you name (here Security) as text. Can be chaotic; redirect it with > C:\xx\xx\something.txt if you want, and add /rd:true /c:50 to get the 50 newest events first.
3) PS C:\> Get-EventLog -LogName Security | Format-List -Property * = the PowerShell equivalent (Windows PowerShell 5.1 only; Get-EventLog does not exist in PowerShell 7, where Get-WinEvent -FilterHashtable is the replacement and is faster because the filtering happens in the log service)


Watch out for:

1) Any indication that the Event Log service was stopped or a log was cleared (Security event 1100 "the event logging service has shut down", Security event 1102 "the audit log was cleared", System event 104 "the log file was cleared").
2) Any indication that Windows File Protection (Windows Resource Protection on Vista and later) was disabled.
3) A burst of failed logons (event 4625) for a specific account immediately before or after a successful logon (4624) for that account.
4) A small number of failed logons across many accounts (password spray: usually 1-3 tries per account to stay under the lockout threshold, often all from one source).
5) A large number of failed logons for a specific account (brute-force password attack).


Identifying Suspicious SMB activity
----------------------------------

*When your machine is acting as a client and you want to see the outbound SMB activity*

1) C:\> net use = displays the target machines and shares to which you are connected
2) C:\> net use \\192.168.1.1 /delete = drops the
SMB session to that host (and every drive letter mapped through it)
3) C:\> net use * /delete = drops all outbound SMB sessions (/del is accepted as an abbreviation)

*When your machine is acting as a server and you want to see the inbound SMB activity*

1) C:\> net session = lists the inbound sessions (client, user, number of open files, idle time); needs an elevated prompt
2) C:\> net session \\192.168.1.1 /delete = drops the inbound SMB session from that client


*Alternatively run compmgmt.msc, navigate to "Shared Folders" and look at Shares, Sessions and Open Files*

Watch out for:

1) Being able to drop individual SMB sessions (inbound or outbound) is useful because it temporarily stops the attacker from using that session.
This way you can buy some time or interrupt an exfiltration in progress (the attacker can usually reconnect, so treat it as a delaying move, not as containment).
2) Don't expose the NetBIOS/SMB ports to the internet: TCP 135 (RPC endpoint mapper), UDP 137 and 138 and TCP 139 (NetBIOS), TCP 445 (SMB). Close them, or if there is a legitimate business purpose put them behind a firewall with ACLs that allow only authorized source IPs.
3) Most of the time SMB traffic runs between a client and a server. Client-to-client SMB activity, or excessive server-to-server SMB activity without a valid business purpose, should be investigated (a workstation connecting to another workstation's C$ or ADMIN$ share is the classic lateral-movement pattern).



Miscellaneous
---------------------------------------------------------------------

*Get hashes*
1) C:\> certutil -hashfile malfile.exe MD5 = calculates the MD5 hash of a file on Windows (SHA256 is accepted too and is what most threat-intel sources key on).
2) PS C:\> Get-FileHash -Algorithm MD5 malfile.exe = calculates the same hash in PowerShell (the default algorithm is SHA256).

*Detect alternate data streams*
1) C:\> dir /r = lists the alternate data streams next to each file.
2) PS C:\> Get-Item * -Stream * = lists the streams of the files in the current directory with PowerShell.
3) PS C:\> Get-ChildItem -Recurse -File | ForEach-Object { Get-Item $_.FullName -Stream * } | Where-Object Stream -ne ':$DATA' = searches all subdirectories for ADS (FullName, not Filename, is the property the file objects carry).
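A reusable version of the ADS search, as an added example that is not code from the original page or the repository: it walks a directory tree, skips the default :$DATA stream, and reads small streams so that Zone.Identifier (the mark-of-the-web browsers write on downloads, carrying the source in ReferrerUrl/HostUrl) shows up inline instead of needing a second command. The demo at the end creates its own file with planted streams under a folder in %TEMP%; that folder name, the preview size limit and the sample stream contents are assumptions, not data from the page.

```powershell
# Added example (not from the original page): ADS triage over a directory tree.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        # Zone.Identifier sits on nearly every downloaded file; hidden unless -IncludeZone
        [switch]$IncludeZone,
        # Streams up to this size are read and shown inline (assumption)
        [int]$PreviewBytes = 4096
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns one object per NTFS stream, including the default :$DATA
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            if ($_.Stream -eq 'Zone.Identifier' -and -not $IncludeZone) { return }
            $preview = ''
            if ($_.Length -gt 0 -and $_.Length -le $PreviewBytes) {
                # Read the stream content; for Zone.Identifier this exposes ZoneId/HostUrl/ReferrerUrl
                $raw = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                if ($raw) { $preview = ($raw.Trim() -replace "`r?`n", ' | ') }
            }
            [pscustomobject]@{
                File    = $file.FullName
                Stream  = $_.Stream
                Bytes   = $_.Length
                Preview = $preview
            }
        }
    }
}

# Offline demo on a constructed file (folder name and contents are assumptions)
$demoDir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demo = Join-Path $demoDir 'invoice.txt'
Set-Content -LiteralPath $demo -Value 'nothing to see here'
Set-Content -LiteralPath $demo -Stream 'payload.ps1' -Value 'Write-Host "hidden"'
Set-Content -LiteralPath $demo -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/invoice.txt"

Find-AlternateDataStream -Root $demoDir -IncludeZone | Format-Table -AutoSize -Wrap
```

Point it at a user profile without -IncludeZone to get only the unusual streams; add -IncludeZone when the question is where a file was downloaded from. Streams only exist on NTFS, so a copy to FAT/exFAT media or a ZIP loses them, which is also why a forensic image rather than a file copy preserves the evidence.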


*Collect Metadata on files*

Use exiftool for Windows. Watch out for size, timestamps (access, creation, modification), file type and file type extension (exiftool identifies the type from the file content, so a script or executable renamed to something trivial such as .bmp or .jpg to avoid detection shows up as a mismatch between File Type and the extension on disk), file permissions, etc.

*DeepBlueCLI*

DeepBlueCLI is a PowerShell module for threat hunting via Windows event logs. It can work with the following Windows event logs:
* Windows Security
* Windows System
* Windows Application
* Windows PowerShell
* Sysmon
* More info: https://github.com/sans-blue-team/DeepBlueCLI

*Regshot*

Regshot = snapshot tool for Windows. It records a snapshot of the registry (and optionally the file system) at two points in time and then highlights the differences between the two.
It provides a high-level summary of the changes, showing registry keys that were added/deleted/modified as well as any files that were added/deleted/modified.
Super easy to run in 5 steps:
1) Start Regshot and configure the options. By default Regshot does not record the file system; enable that by ticking the "Scan dir" box and entering the directory you are interested in (C:\ for example).
2) Once the tool is configured and everything is ready, take the first snapshot.
3) Run the malware (in an isolated VM with a snapshot you can revert to).
4) Use Regshot to take the second snapshot.
5) Click Compare; Regshot returns the results after a few minutes.

*Other tools*

Task Manager
Procmon / Process Monitor = shows file system, registry, network and process activity in real time. Ideal for detonating malicious files/scripts in a sandbox and watching the changes on the system live.
Process Explorer = in-depth information about running processes (parent tree, command line, loaded DLLs, signature verification, VirusTotal lookups).
Strings (Sysinternals) = extracts and displays both ASCII and
16-bit little-endian Unicode strings from a binary.
C:\> strings malfile.exe
TCPView = maps listening TCP/UDP ports and live connections back to the owning processes (the GUI counterpart of netstat -abno).
SRUM-DUMP = extracts the System Resource Usage Monitor database (C:\Windows\System32\sru\SRUDB.dat), which records per-application network and CPU usage history, so the network activity of a process that has since exited can still be reconstructed.
nslookup = resolves a host name or IP address through DNS; handy for a quick look at a domain seen in netstat output (the lookup itself is visible to whoever runs the resolver, so use a passive DNS source when the adversary may be watching).
FTK Imager / Volexity / Volatility = imaging and memory analysis. Remember the order of volatility: the most volatile data FIRST (RAM), then everything else.
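The failed-logon patterns from the Identifying Suspicious Log Entries section, written as detection logic you can run. This is an added example, not code from the original page or the repository. Convert-SecurityEvent flattens real Security-log records from Get-WinEvent into (Time, Id, User, Ip); Find-LogonAnomaly then classifies brute force, password spray, failures followed by a success, and event-log shutdown/clear events (1100 and 1102). The thresholds are assumptions to tune for your environment, and the sample records at the bottom are constructed, not real log data, so the script runs offline.

```powershell
# Added example (not from the original page): classify 4624/4625 activity plus 1100/1102.
# Thresholds are assumptions; the sample records at the bottom are constructed.

function Convert-SecurityEvent {
    # Flattens Get-WinEvent records into the shape Find-LogonAnomaly expects
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time = $Event.TimeCreated
            Id   = $Event.Id
            User = $d['TargetUserName']
            Ip   = $d['IpAddress']
        }
    }
}

function Find-LogonAnomaly {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$BruteForceMin      = 10,  # failures against one account (assumption)
        [int]$SprayAccountsMin   = 5,   # distinct accounts hit from one source (assumption)
        [int]$SprayPerAccountMax = 3,   # 1-3 tries per account stays under lockout (from the page)
        [int]$FailBeforeSuccess  = 3    # failures preceding a success worth a look (assumption)
    )
    function New-Finding($Type, $Subject, $Detail) {
        [pscustomobject]@{ Type = $Type; Subject = $Subject; Detail = $Detail }
    }
    $findings = [System.Collections.Generic.List[object]]::new()
    $failed   = @($Records | Where-Object Id -eq 4625)

    # Brute force: many failures against one account
    foreach ($g in ($failed | Group-Object User)) {
        if ($g.Count -ge $BruteForceMin) {
            $sources = ($g.Group.Ip | Sort-Object -Unique) -join ','
            $findings.Add((New-Finding 'BruteForce' $g.Name "$($g.Count) failed logons from $sources"))
        }
    }
    # Password spray: one source, few tries each, many accounts
    foreach ($g in ($failed | Where-Object Ip | Group-Object Ip)) {
        $perUser = @($g.Group | Group-Object User)
        $maxPer  = ($perUser | Measure-Object Count -Maximum).Maximum
        if ($perUser.Count -ge $SprayAccountsMin -and $maxPer -le $SprayPerAccountMax) {
            $findings.Add((New-Finding 'PasswordSpray' $g.Name "$($perUser.Count) accounts, at most $maxPer tries each"))
        }
    }
    # Failures followed by a success for the same account from the same source
    foreach ($s in ($Records | Where-Object Id -eq 4624)) {
        $prior = @($failed | Where-Object { $_.User -eq $s.User -and $_.Ip -eq $s.Ip -and $_.Time -lt $s.Time })
        if ($prior.Count -ge $FailBeforeSuccess) {
            $findings.Add((New-Finding 'FailThenSuccess' $s.User "$($prior.Count) failures from $($s.Ip) before success at $($s.Time)"))
        }
    }
    # Log tampering: 1100 = event logging service shut down, 1102 = audit log cleared
    foreach ($r in ($Records | Where-Object { $_.Id -in 1100, 1102 })) {
        $findings.Add((New-Finding 'LogTampering' "event $($r.Id)" "at $($r.Time)"))
    }
    return $findings
}

# Constructed sample (not real log data): a brute force that finally succeeds,
# a one-try-per-account spray from another host, and a log service shutdown
$t0 = Get-Date '2024-01-01T02:00:00'
$sample = [System.Collections.Generic.List[object]]::new()
foreach ($i in 1..12) {
    $sample.Add([pscustomobject]@{ Time = $t0.AddSeconds($i); Id = 4625; User = 'svc_backup'; Ip = '10.0.0.5' })
}
$sample.Add([pscustomobject]@{ Time = $t0.AddSeconds(13); Id = 4624; User = 'svc_backup'; Ip = '10.0.0.5' })
foreach ($u in 'alice', 'bob', 'carol', 'dave', 'erin', 'frank') {
    $sample.Add([pscustomobject]@{ Time = $t0.AddMinutes(5); Id = 4625; User = $u; Ip = '10.0.0.9' })
}
$sample.Add([pscustomobject]@{ Time = $t0.AddMinutes(7); Id = 1100; User = $null; Ip = $null })

Find-LogonAnomaly -Records $sample | Format-Table -AutoSize -Wrap

# Live host, from an elevated prompt (Security log needs admin):
# $recs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 1100, 1102 } -MaxEvents 20000 | Convert-SecurityEvent
# Find-LogonAnomaly -Records $recs
```

On the sample this yields four findings: BruteForce and FailThenSuccess for svc_backup, PasswordSpray from 10.0.0.9, and LogTampering for event 1100. On a domain controller the same logic is only meaningful per source IP and per time window; add a window (for example, group by hour) before trusting the brute-force and spray counts there.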