# IR Notes

## Windows

### Windows Event IDs and Lateral Movements

Scheduled Tasks log: XP: `%SystemRoot%\SchedLgu.txt`; Win7: `%SystemRoot%\Tasks\SchedLgu.txt`

| Category | Event ID | Event ID (Vista+) | Description |
|----------------------|-----|-------------|--------------------------------------------------|
| Scheduled Tasks | 106 | | Task Scheduled |
| | 200 | | Task Executed |
| | 201 | | Task Completed |
| | 141 | | Task Removed |
| Logon Events | 528 | 4624 | Successful Logon |
| | 529 | 4625 | Failed Logon |
| | 538 | 4647 / 4634 | Successful Logoff |
| | 540 | 4624 | Successful Network Logon |
| | | 4672 | Successful Network Logon as Admin |
| RDP | 21 | | RDP logon success |
| | 24 | | RDP user disconnected |
| | 24 | | RDP user reconnected |
| | | 1149 | RDP user authenticated |
| Account Logon Events | 680 | 4776 | Successful / Failed account authentication |
| | 672 | 4768 | TGT was issued (successful logon) |
| | 675 | 4771 | Pre-authentication failed (failed logon) |
| Rogue Local Account | 680 | 4776 | An account successfully authenticated |
| | 540 | 4624 | Successful Network Logon immediately following |
| Share | | 5140 | Share mount |
| Suspicious Services | | 7034 | Service crashed unexpectedly |
| | | 7035 | Service sent a Start/Stop control |
| | | 7036 | Service started or stopped |
| | | 7040 | Start type changed (Boot / On request / Disabled) |
| Clearing Event Logs | 517 | 1102 | Audit log cleared |

### Normal

#### System
Image Path: No Image Path
Parent Process: No Parent Process
Number of Instances: One
User account: Local System
Start Time: At boot time

#### smss.exe
Image Path: `%SystemRoot%\System32\smss.exe`
Parent Process: System
Number of Instances: One master instance and one child per session; the child exits after the session is created
User account: Local System
Start Time: Within seconds of boot time for the master instance

#### wininit.exe
Image Path: `%SystemRoot%\System32\wininit.exe`
Parent Process: Created by an instance of smss.exe that exits (tools usually don't provide the parent process name)
Number of Instances: One
User account: Local System
Start Time: Within seconds of boot time

#### taskhost.exe
Image Path: `%SystemRoot%\System32\taskhost.exe`
Parent Process: services.exe
Number of Instances: One or more
User account: Logged-on users and/or local service accounts
Start Time: Within seconds of boot time
Note: Multiple taskhost.exe processes are normal

#### lsass.exe
Image Path: `%SystemRoot%\System32\lsass.exe`
Parent Process: wininit.exe
Number of Instances: One
User account: Local System
Start Time: Within seconds of boot time

#### winlogon.exe
Image Path: `%SystemRoot%\System32\winlogon.exe`
Parent Process: Created by an instance of smss.exe that exits (tools usually don't provide the parent process name)
Number of Instances: One or more
User account: Local System
Start Time: Within seconds of boot time for the first instance

#### csrss.exe
Image Path: `%SystemRoot%\System32\csrss.exe`
Parent Process: Created by an instance of smss.exe that exits (tools usually don't provide the parent process name)
Number of Instances: Two or more
User account: Local System
Start Time: Within seconds of boot time for the first two instances (Session 0 and 1)
Note: cmd.exe history is stored in these processes' memory

#### services.exe
Image Path: `%SystemRoot%\System32\services.exe`
Parent Process: wininit.exe
Number of Instances: One
User account: Local System
Start Time: Within seconds of boot time

#### svchost.exe
Image Path: `%SystemRoot%\System32\svchost.exe`
Parent Process: services.exe
Number of Instances: Five or more
User account: Depends on the instance: Local System, Network Service or Local Service
Start Time: Within seconds of boot time, or later for services launched after boot
Note: On Win7+ all service binaries are signed by Microsoft

#### lsm.exe
Image Path: `%SystemRoot%\System32\lsm.exe`
Parent Process: wininit.exe
Number of Instances: One
User account: Local System
Start Time: Within seconds of boot time
Note: Handles terminal services, including RDP and Fast User Switching

#### explorer.exe
Image Path: `%SystemRoot%\explorer.exe`
Parent Process: userinit.exe, which exits (tools usually don't provide the parent process name)
Number of Instances: One per logged-on user
User account: Logged-on user
Start Time: Starts when the owner's interactive session logon begins

#### Reference
https://digital-forensics.sans.org/media/Poster_2016_Find_Evil.pdf

### Artifacts
To-Do

#### File Download

| Artifact | Description | Location | Notes |
|----------|-------------|----------|-------|
| Open/Save MRU | This key tracks files that have been opened or saved within a Windows shell dialog box | XP: `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU`; Win7: `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU` | The `*` subkey tracks the most recent files of any extension input in an OpenSave dialog; the `.???` (three-letter extension) subkeys store file info from the OpenSave dialog by specific extension |
| E-mail Attachments | MS Outlook data files found in these locations include OST and PST files | XP: `%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook`; Win7: `%USERPROFILE%\AppData\Local\Microsoft\Outlook` | Also check the OLK and Content.Outlook folders, which might roam depending on the specific version of Outlook used |
| Skype History | Skype history | XP: `C:\Documents and Settings\\Application\Skype\`; Win7: `C:\Users\\AppData\Roaming\Skype\` | Each entry will have a date/time value and a Skype username associated with the action |
| Index.dat / Places.sqlite | Not directly related to "File Download". Details stored for each local user account. Records number of times visited (frequency) | XP: IE: `%userprofile%\Local Settings\History\History.IE5`; FF: `%userprofile%\Application Data\Mozilla\Firefox\Profiles\.default\places.sqlite`. Win7: IE: `%userprofile%\AppData\Local\Microsoft\Windows\History\History.IE5` and `%userprofile%\AppData\Local\Microsoft\Windows\History\Low\History.IE5`; FF: `%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\.default\places.sqlite` | Many sites in history will list the files that were opened from remote sites and downloaded to the local system. History will record the access to the file on the website that was accessed via a link |
| Downloads.sqlite | Firefox has a built-in download manager which keeps a history of every file downloaded by the user | XP: `%userprofile%\Application Data\Mozilla\Firefox\Profiles\.default\downloads.sqlite`; Win7: `%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\.default\downloads.sqlite` | Downloads.sqlite will include: filename, size and type; download source and referring page; file save location; application used to open the file; download start and end times |

#### Program Execution

| Artifact | Description | Location | Notes |
|----------|-------------|----------|-------|
| UserAssist | GUI-based programs launched from the desktop are tracked in the launcher on a Windows system | `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count` | |
| LastVisited MRU | Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. In addition, each value also tracks the directory location for the last file that was accessed by that application | XP: `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU`; Win7: `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU` | Tracks the application executables used to open files in OpenSaveMRU and the last file path used |
| RunMRU (Start -> Run) | Whenever someone does a Start -> Run command, it will log the entry for the command they executed | `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` | The order in which the commands were executed is listed in the RunMRU list value; the letters represent the order in which the commands were executed |
| AppCompat Cache | Windows Application Compatibility database. Tracks the executable file names, file size, last modified time and, in XP, the last update time | XP: `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility`; Win7: `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache` | Tool: MANDIANT's ShimCacheParser |
| Win7 Jump Lists | | Win7: `C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations` | Creation Time = first time an item was added to the AppID file. Modification Time = last time an item was added to the AppID file |
| Prefetch | Used to know an application was executed on a system | `C:\Windows\Prefetch` | Each .pf will include the last time of execution, the number of times run, and the device and file handles used by the program. Date/time the file by that name and path was first executed = creation date of the .pf file (-10 seconds). Date/time the file by that name and path was last executed = embedded last execution time of the .pf file = last modification date of the .pf file (-10 seconds) |
| Service Events | Analyze logs for suspicious services | | |

#### Reference
http://digital-forensics.sans.org/media/poster_fall_2013_forensics_final.pdf

### Windows Time Rules

#### $STDINFO

| File Rename | Local File Move | Volume File Move | File Copy | File Access | File Modify | File Creation | File Deletion |
|----------------------|----------------------|----------------------|----------------------|-------------------------------------------|----------------------|--------------------|----------------------|
| Modified – No Change | Modified – No Change | Modified – No Change | Modified – No Change | Modified – No Change | Modified – Change | Modified – Change | Modified – No Change |
| Access – No Change | Access – No Change | Access – Change | Access – Change | Access – Change (No Change on Vista/Win7) | Access – No Change | Access – Change | Access – No Change |
| Creation – No Change | Creation – No Change | Creation – No Change | Creation – Change | Creation – No Change | Creation – No Change | Creation – Change | Creation – No Change |
| Metadata – Changed | Metadata – Changed | Metadata – Changed | Metadata – Changed | Metadata – Changed | Metadata – Changed | Metadata – Changed | Metadata – No Change |

#### $FILENAME

| File Rename | Local File Move | Volume File Move | File Copy | File Access | File Modify | File Creation | File Deletion |
|----------------------|----------------------|--------------------|--------------------|----------------------|----------------------|--------------------|----------------------|
| Modified – No Change | Modified – Change | Modified – Change | Modified – Change | Modified – No Change | Modified – No Change | Modified – Change | Modified – No Change |
| Access – No Change | Access – No Change | Access – Change | Access – Change | Access – No Change | Access – No Change | Access – Change | Access – No Change |
| Creation – No Change | Creation – No Change | Creation – Change | Creation – Change | Creation – No Change | Creation – No Change | Creation – Change | Creation – No Change |
| Metadata – No Change | Metadata – Changed | Metadata – Changed | Metadata – Changed | Metadata – No Change | Metadata – No Change | Metadata – Changed | Metadata – No Change |

### Mass Registry analysis with RegRipper

```bash
# Run wrapper.sh once per file found under the directory of collected hives
find path_to_the_files/ -type f -exec ./wrapper.sh {} \;
```

wrapper.sh:

```bash
#!/bin/sh
# Run the RegRipper user_run plugin against the hive passed as $1 and append the output
./rip.exe -r "$1" -p user_run >> results.txt
```

### Procmon filters
Operation is WriteFile
Operation is RegSetValue
Details contains Desired Access: Generic Write

### Domain users' SIDs

```bash
# Dump the SIDs of every process from the memory image with Volatility
vol.py -f memdump.mem --profile=Win7SP1x64 getsids > getsids_output.txt
# Keep only the domain SIDs (replace the X's with the domain's SID) and extract the
# unique user names; the regex matches this environment's naming scheme (one letter, six digits)
grep 'S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-' getsids_output.txt | egrep -o '[A-Z][0-9]{6}' | sort -u
```

## OS X
List processes related to port XXXX (bash)

```bash
process=$(lsof -n -i4TCP:XXXX | grep -v COMMAND | cut -d' ' -f1); for i in $process; do ps aux | grep "$i" | grep -v grep | cut -d' ' -f 39-; done
```

## Linux
List processes related to port XXXX

```bash
process=$(sudo netstat -anp | egrep ":XXXX\s" | cut -d/ -f 1 | rev | cut -d' ' -f1 | rev); for i in $process; do ps aux | grep "$i" | grep -v grep; done
```
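The lateral-movement rows of the Windows event ID table above, turned into a small detector. This is an added example, not part of the original notes: the event records are constructed, and the field layout (time, id, account, logon type, source) and the five-second pairing window are assumptions.

```python
"""Flag lateral-movement patterns from the event-ID table: a 4776 account
authentication immediately followed by a 4624 network logon (the "rogue local
account" rows), a network logon paired with 4672 (admin), a burst of 4625 failed
logons, and 1102 audit-log clearing. Added example; sample events are constructed."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time id account logon_type source")

def ev(ts, eid, account, logon_type=None, source="-"):
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, account, logon_type, source)

# Constructed sample events (not from a real host); logon_type 3 = network, 2 = interactive
SAMPLE = [
    ev("2024-01-01 10:00:00", 4776, "svc_backup", source="10.0.0.5"),
    ev("2024-01-01 10:00:01", 4624, "svc_backup", 3, "10.0.0.5"),
    ev("2024-01-01 10:00:01", 4672, "svc_backup", source="10.0.0.5"),
    ev("2024-01-01 10:30:00", 4624, "alice", 2),  # interactive logon, benign
] + [ev(f"2024-01-01 10:05:{s:02d}", 4625, "bob", 3, "10.0.0.9") for s in range(6)] + [
    ev("2024-01-01 11:00:00", 1102, "alice"),
]

def find_lateral_movement(events, window=timedelta(seconds=5), fail_threshold=5):
    """Return (rule, account, time) findings sorted by time."""
    findings = []
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.time)
        for i, e in enumerate(evs):
            # Events for the same account that follow e within the pairing window
            later = [x for x in evs[i + 1:] if x.time - e.time <= window]
            if e.id == 1102:
                findings.append(("audit_log_cleared", account, e.time))
            elif e.id == 4776 and any(x.id == 4624 and x.logon_type == 3 for x in later):
                findings.append(("auth_then_network_logon", account, e.time))
            elif e.id == 4624 and e.logon_type == 3 and any(x.id == 4672 for x in later):
                findings.append(("network_logon_as_admin", account, e.time))
        failed = [e for e in evs if e.id == 4625]
        if len(failed) >= fail_threshold:
            findings.append(("failed_logon_burst", account, failed[0].time))
    return sorted(findings, key=lambda f: f[2])

if __name__ == "__main__":
    for rule, account, when in find_lateral_movement(SAMPLE):
        print(f"{when} {account:12} {rule}")
```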
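The "Normal" process baseline above, applied to a process listing to surface the deviations (wrong image path, wrong parent, too many instances, wrong account) that the SANS Find Evil poster describes. This is an added example, not the poster's or the notes' own code; it assumes `%SystemRoot%` is `C:\Windows`, covers a subset of the listed processes, and the process listing is constructed.

```python
"""Check a process listing against the normal-process baseline (image path,
parent, instance count, account). Added example; assumes %SystemRoot% is
C:\\Windows and uses a constructed listing."""
from collections import Counter

SYS32 = r"C:\Windows\System32"
# name -> (image path, allowed parents or None when the parent has exited, max instances, allowed accounts)
BASELINE = {
    "smss.exe":     (SYS32 + r"\smss.exe",     {"System"},       None, {"SYSTEM"}),
    "wininit.exe":  (SYS32 + r"\wininit.exe",  None,             1,    {"SYSTEM"}),
    "csrss.exe":    (SYS32 + r"\csrss.exe",    None,             None, {"SYSTEM"}),
    "services.exe": (SYS32 + r"\services.exe", {"wininit.exe"},  1,    {"SYSTEM"}),
    "lsass.exe":    (SYS32 + r"\lsass.exe",    {"wininit.exe"},  1,    {"SYSTEM"}),
    "svchost.exe":  (SYS32 + r"\svchost.exe",  {"services.exe"}, None, {"SYSTEM", "NETWORK SERVICE", "LOCAL SERVICE"}),
    "explorer.exe": (r"C:\Windows\explorer.exe", None,           None, None),
}
# Constructed listing: (pid, ppid, name, image path, account)
SAMPLE = [
    (4, 0, "System", "", "SYSTEM"),
    (300, 4, "smss.exe", SYS32 + r"\smss.exe", "SYSTEM"),
    (400, 300, "csrss.exe", SYS32 + r"\csrss.exe", "SYSTEM"),
    (420, 300, "wininit.exe", SYS32 + r"\wininit.exe", "SYSTEM"),
    (500, 420, "services.exe", SYS32 + r"\services.exe", "SYSTEM"),
    (520, 420, "lsass.exe", SYS32 + r"\lsass.exe", "SYSTEM"),
    (700, 500, "svchost.exe", SYS32 + r"\svchost.exe", "NETWORK SERVICE"),
    (1500, 2200, "lsass.exe", r"C:\Users\Public\lsass.exe", "alice"),  # rogue: second instance, bad path/parent/account
    (1600, 500, "svchost.exe", r"C:\Windows\svchost.exe", "SYSTEM"),    # rogue: right name, wrong directory
    (2200, 2100, "explorer.exe", r"C:\Windows\explorer.exe", "alice"),
]

def find_evil(procs):
    """Return sorted (pid, name, reason) tuples for every deviation from BASELINE."""
    by_pid = {p[0]: p for p in procs}
    counts = Counter(p[2].lower() for p in procs)
    findings = []
    for pid, ppid, name, path, account in procs:
        if name.lower() not in BASELINE:
            continue
        exp_path, parents, max_inst, accounts = BASELINE[name.lower()]
        if path.lower() != exp_path.lower():
            findings.append((pid, name, f"image path {path}"))
        parent = by_pid.get(ppid)
        if parents is not None and (parent is None or parent[2] not in parents):
            findings.append((pid, name, f"parent {parent[2] if parent else ppid}"))
        if max_inst is not None and counts[name.lower()] > max_inst:
            findings.append((pid, name, f"{counts[name.lower()]} instances, expected {max_inst}"))
        if accounts is not None and account.upper() not in accounts:
            findings.append((pid, name, f"account {account}"))
    return sorted(findings)
```

Both lsass.exe instances are reported for the instance count, so the legitimate one (pid 520) appears once alongside the rogue one; that is intended, since the analyst still has to decide which of the two is real.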