Basics of Examining The Windows OS - cfloquetprojects/homelab GitHub Wiki
Introduction
- Indicators of compromise are often the first and best step for an incident responder to understand whether, and how, a given workstation or system became compromised.
- Ultimately, many of the strategies employed by enterprise security controls involve baselining: leveraging some or all of the tools and checks we will discuss to get a better understanding of what is benign (normal), so that we can begin to identify anomalous activity, which is often tied to something malicious.
- We will not discuss how to create baselines or the best practices for doing so, but it's important to remember that baselining is often considered a critical preparatory task.
Pre-Flight Check
- You must have either a dedicated workstation built for the purpose of testing these commands, or a Windows 10 VM with at least 4 GB of RAM and 40 GB of disk for minimal operations.
- While most of the utilities we will leverage in this lab are native to Windows (built-in), a separate tool we will use to test the attribution capabilities of our controls is [Netcat], which can be downloaded and saved to a netcat.exe file in your chosen directory with the following:
curl https://raw.githubusercontent.com/int0x33/nc.exe/master/nc.exe > netcat.exe
Overview
- Below is an outline of what we are trying to accomplish in this lab:
  - Create a process listening on a specified port using netcat
  - Show listening ports, including the port netcat is listening on
  - Audit accounts and groups within the local system
  - Identify which network shares have been mapped to the local system
  - Identify and examine registry keys
  - Look for anomalous files
Monitoring Network Usage & Connections:
- Microsoft Windows comes with a natively integrated network activity utility called 'netstat'. Read more about netstat here if you're curious about all the different flags, but for now I'll just describe a couple that I find useful.
- Let's start by opening an escalated command prompt, which is done easily by searching for cmd and right-clicking to Run as Administrator, as shown in the screenshot below:
[1]
- Once you have an escalated (or privileged) command prompt open, you can run the following command to display all active TCP and UDP connections on the local system.
💡 The flags used in the command below tell netstat to display all active TCP and UDP connections and listening ports (-a), in numerical form with no attempt to resolve the addresses or port names listed (-n), and with the owning process ID of each connection (-o).
netstat -ano
- Let's test this by using the widely used netcat to open a listening port on our local system, and see if netstat is able to detect it and provide some useful information.
💡 Netcat allows us to select its functions with different flags; the ones we leverage here are the flag for listening (-l) and the flag for choosing a specific port to listen on (-p).
netcat -l -p 8787
- Now, open a separate escalated command prompt, keeping the old one with the netcat listener active. This time we run the same netstat utility, but include the flag that shows the executable that created each connection (-b). Note that -b requires an elevated prompt.
netstat -noab
[4]
Hunting Strange or Anomalous Processes:
- While GUI-based tools such as Task Manager exist for this, I prefer to use the wmic process command since it's extremely robust and also very granular in the detail it can provide. Let's start by just displaying a list of running processes with the command below:
💡 The "Handle Count" is the number of open handles (files and other resources) held by the given process, and "Working Set Size" is the amount of physical memory currently in use by the process, in bytes.
wmic process list brief
- We can further narrow the scope by leveraging where and get clauses within the wmic process command to specify which process we are interested in and what information we'd like to display.
💡 This command returns a bevy of useful information about the running processes, but if you're looking for even more detail, you can replace brief with full.
wmic process where processid=1924 get name,commandline,processid,parentprocessid
- Now that we have the parent process ID as well as the original command line entry that was used to launch the process in question, we can get more information about the parent process with the following:
tasklist /svc /FI "PID eq 6260"
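To tie the three manual steps together (netstat for the listener, wmic process for the owner and its parent, tasklist for the parent), here is an added PowerShell example, not from the original wiki, that lists every TCP listener with its owning process, command line and parent process in one pass. It assumes Windows 10 with the NetTCPIP module (Get-NetTCPConnection) available and uses Get-CimInstance Win32_Process, which is the supported replacement for the now-deprecated wmic tool.

```powershell
# Added example (not part of the original wiki): enumerate TCP listeners and
# enrich each with its owning process, command line and parent process,
# combining what netstat -anob, wmic process and tasklist show separately.
# Run from an elevated PowerShell prompt so command lines of all processes are visible.

# Cache every process once, keyed by PID, so parent lookups do not re-query CIM per row.
# Keys are cast to [int] because ProcessId is uint32 and OwningProcess is uint32;
# mixing integer types as hashtable keys would cause lookups to miss.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

$rows = Get-NetTCPConnection -State Listen | ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]
    # Caveat: ParentProcessId is recorded at creation time; if the parent has since
    # exited, the PID may have been reused by an unrelated process.
    $parent = $null
    if ($p) { $parent = $procs[[int]$p.ParentProcessId] }

    $procName   = if ($p) { $p.Name } else { '<unknown>' }
    $cmdLine    = if ($p) { $p.CommandLine } else { $null }
    $parentPid  = if ($p) { $p.ParentProcessId } else { $null }
    $parentName = if ($parent) { $parent.Name } else { '<unknown>' }

    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        PID          = $_.OwningProcess
        Process      = $procName
        ParentPID    = $parentPid
        Parent       = $parentName
        CommandLine  = $cmdLine
    }
}

# Full listener table, ordered by port; the netcat test listener on 8787 will
# appear here alongside the cmd.exe that launched it.
$rows | Sort-Object LocalPort | Format-Table -AutoSize

# Cheap triage heuristic: listeners whose executable lives outside the Windows
# directory are worth a second look, since most baseline listeners come from there.
$rows | Where-Object {
    $exe = $procs[[int]$_.PID].ExecutablePath
    $exe -and ($exe -notlike "$env:SystemRoot\*")
} | Select-Object LocalPort, PID, Process, ParentPID, Parent, CommandLine
```

The heuristic at the end is a starting point for baselining, not a verdict: legitimate third-party services also live outside the Windows directory, so compare the results against a known-good baseline of the same system.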