Windows Registry: System Information and System Accounts
OS Version:
Using triage data that we have extracted from a target machine (typically a cloned copy of the hard drive) to perform forensics, we can determine the OS version from which this data was pulled through the registry. To find the OS version, we can use the following registry key:
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Current control set:
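The lookup described above, as an added example that is not part of the original post: it mounts the SOFTWARE and SYSTEM hives copied out of a disk image, reads the OS version from the CurrentVersion key, and resolves which control set was current on the imaged machine (offline hives have no CurrentControlSet link, so the SYSTEM\Select key is used instead). It assumes the image is mounted at E:\ and that the hives sit in the usual Windows\System32\Config location.

```powershell
# Added example (not from the original post). Assumes the disk image is
# mounted at E:\ and the hives are in E:\Windows\System32\Config; run from
# an elevated PowerShell on the analysis machine.
$ConfigDir = 'E:\Windows\System32\Config'

# Mount the offline hives under temporary subkeys of HKLM (reg.exe is built in).
reg.exe load 'HKLM\TriageSOFTWARE' (Join-Path $ConfigDir 'SOFTWARE') | Out-Null
reg.exe load 'HKLM\TriageSYSTEM'   (Join-Path $ConfigDir 'SYSTEM')   | Out-Null

try {
    # OS version lives in SOFTWARE\Microsoft\Windows NT\CurrentVersion.
    $cv = Get-ItemProperty 'HKLM:\TriageSOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [PSCustomObject]@{
        ProductName  = $cv.ProductName
        CurrentBuild = $cv.CurrentBuild
        ReleaseId    = $cv.ReleaseId          # DisplayVersion on newer builds
        InstallDate  = [DateTimeOffset]::FromUnixTimeSeconds($cv.InstallDate).UtcDateTime
    } | Format-List

    # An offline SYSTEM hive has no CurrentControlSet alias; SYSTEM\Select\Current
    # records which ControlSet00N the imaged machine was actually booted from.
    $sel = Get-ItemProperty 'HKLM:\TriageSYSTEM\Select'
    $ccs = 'ControlSet{0:D3}' -f $sel.Current
    $lkg = 'ControlSet{0:D3}' -f $sel.LastKnownGood
    "Current control set: $ccs (LastKnownGood: $lkg)"

    # Everything you would normally read under CurrentControlSet goes under $ccs.
    Get-ItemProperty "HKLM:\TriageSYSTEM\$ccs\Control\ComputerName\ComputerName" |
        Select-Object ComputerName
}
finally {
    # Drop cached provider handles, then unload; otherwise the hive files stay locked.
    [GC]::Collect()
    reg.exe unload 'HKLM\TriageSOFTWARE' | Out-Null
    reg.exe unload 'HKLM\TriageSYSTEM'   | Out-Null
}
```

Work on copies of the hive files rather than the originals in the image, so the analysis never modifies evidence.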
On a live system, you will be able to access the registry by using regedit.exe, and you will be greeted with all of the standard root keys as shown below.
(insert regedit image here. )
If you are doing Windows forensics properly you will be working from a disk image, and you must know where the registry hives are located on the disk. The majority of these hives are located in the C:\Windows\System32\Config directory and are:
The Windows Registry consists of databases that contain system configuration data. This configuration data includes hardware, software, and user information, along with data about recently used files, programs, or devices that are connected to the system. From a forensics standpoint, this data is highly beneficial. We should all learn ways to read this data to identify the required information about the system. Microsoft provides us with a utility, regedit.exe, built into Windows to view and edit it.
Structure of the Registry:
The registry on any Windows system contains the following five root keys:
Kerberos is the default authentication service for Microsoft Windows domains. It is intended to be more "secure" than NTLM by using third-party ticket authorization as well as stronger encryption. Even though NTLM has a lot more attack vectors to choose from, Kerberos still has a handful of underlying vulnerabilities, just like NTLM, that we can use to our advantage.
Common Terminology -
Ticket Granting Ticket (TGT) - A ticket-granting ticket is an authentication ticket used to request service tickets from the TGS for specific resources from the domain.
Key Distribution Center (KDC) - The Key Distribution Center is a service for issuing TGTs and service tickets, consisting of the Authentication Service and the Ticket Granting Service.
Authentication Service (AS) - The Authentication Service issues TGTs to be used by the TGS in the domain to request access to other machines and service tickets.
Ticket Granting Service (TGS) - The Ticket Granting Service takes the TG
Windows Active Directory runs more than 90% of the businesses around the globe. AD is notorious for shipping with unpatched vulnerabilities, requiring tedious and time-consuming remediation. Attacktive Directory is a full-frontal assault on a Domain Controller running AD, without the use of Metasploit.
Our first reconnaissance of the target domain should be an nmap scan with the -Pn switch to determine which common TCP/IP ports are open.
(insert image here)
A second nmap scan, using the -A switch, should provide us with several key pieces of information, including the Active Directory domain, any services attached to open ports, and the NetBIOS name of the server.
(insert image here)
Networking Fundamentals: OSI vs TCP/IP (DOD) Model
The OSI Model is a conceptual model, 'providing a common basis for the coordination of standards development for the purpose of systems interconnection' {ISO/IEC 7498-1:1998}. Numerous models have been tried, but none were as successful at clarifying networking concepts as the OSI Model. This commonly accepted, user-friendly framework is an important shared reference for professionals and non-professionals alike.
The model was first developed in the 1970s to support the diverse computer networks that were emerging and competing for application in the world. This period is known as the Protocol Wars, which culminated in the Internet-OSI Standards War, ultimately "won" by the Internet Protocol Suite (TCP/IP).
The OSI Model consists of 7 layers (mnemonically known as 'All People Seem To Need Data Processing'): Application, Presentation, Session, Transport, Network,
On October 4, 1957 the world changed. The Soviet Union launched Sputnik 1, the first artificial satellite. Then-President Eisenhower created two agencies because of this: NASA, the National Aeronautics and Space Administration; and ARPA, the Advanced Research Projects Agency (now called DARPA; they added the 'D' for Defense). ARPA fell under the DOD, and one of their ideas was a fault-tolerant global communication network. Out of this idea the Internet was born, and it ultimately gave us the TCP protocol.
The new RFC for the TCP protocol, RFC 9293, defines TCP as an important layer in the Internet Protocol Stack, and it brings together a number of older RFCs used to describe and update the protocol. A fundamental understanding of TCP is vital, no matter what your role in IT is.
(insert Figure 1--IPv4 IP Header)
The diagram above is of the IP header for an IPv4 network. It is 4 bytes wide (1 byte = 8 bits, so 32 bits wide) an
Sysmon is a Windows system service and device driver that, once installed, remains resident across system reboots to monitor and log activity to the Windows Event Log. The logs are stored in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational under the Windows Event Viewer, but you can also create a Custom View by selecting Sysmon as the Event Source.
Sysmon requires a config file (.xml) to run and has twenty-four distinct types of Event IDs that can be monitored. There are numerous settings, and a good starting config is here. It has several settings already configured. There are several forks of that config, and an overall 'cheat sheet' for Sysmon is over at the MalwareArchaeology site.
Sysmon has several capabilities built in:
Logs process creation with full command line for both current and parent processes.
Records the hash of process image files using SHA1 (the default), MD5, SHA2
Our third installment is going to cover several processes: svchost.exe, lsass.exe, lsaiso.exe and explorer.exe. While this three-part series isn't comprehensive by any means, it is a good basic primer for anyone troubleshooting Windows problems, or looking for threats and threat actors. Many of these services have been (and may still be) attacked; knowing what their default behavior should be is key to finding and fixing issues, rather than playing 'whack a mole' with multiple tools.
Our first process, the Windows Service Host (svchost.exe), is used to manage Windows Services (to quickly see a list of running services, use the PowerShell Get-Service cmdlet like this: Get-Service | where status -eq "Running" | Out-GridView). The services are implemented in DLLs, and will be referenced in the registry under HKLM\SYSTEM\CurrentControlSet\Services\%ServiceName%\Parameters. For example, the DCOMLaunch Service (rpcss.dll) would be found under `\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl
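The registry relationship described above, as an added example that is not part of the original post: it walks every service under HKLM\SYSTEM\CurrentControlSet\Services, keeps the ones launched through svchost.exe, resolves the implementing DLL from the Parameters\ServiceDll value, and flags DLLs that are missing, not Microsoft-signed, or located outside %SystemRoot%\System32. It assumes a live system and an elevated PowerShell session; the function name Get-SvchostServiceDll is my own.

```powershell
# Added example (not from the original post). Assumption: run on a live
# system from an elevated PowerShell; the function name is made up here.
function Get-SvchostServiceDll {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        # Only services whose ImagePath launches svchost.exe are DLL-hosted.
        if ($svc.ImagePath -notmatch '(?i)svchost\.exe') { return }

        # The DLL that actually implements the service is named under Parameters.
        $params = Get-ItemProperty (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue
        if (-not $params.ServiceDll) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)

        # Verify the file is present and carries a valid Authenticode signature.
        $sig = if (Test-Path -LiteralPath $dll) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        $inSystem32 = $dll.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)

        [PSCustomObject]@{
            Service    = $_.PSChildName
            ImagePath  = $svc.ImagePath
            ServiceDll = $dll
            Exists     = [bool]$sig
            Signed     = ($sig.Status -eq 'Valid')
            Signer     = $sig.SignerCertificate.Subject
            # Anything missing, unsigned, or outside System32 deserves a closer look.
            Suspicious = (-not $sig) -or ($sig.Status -ne 'Valid') -or (-not $inSystem32)
        }
    }
}

# Show only the entries worth a second look.
Get-SvchostServiceDll | Where-Object Suspicious |
    Format-Table Service, ServiceDll, Signed, Signer -AutoSize
```

Some legitimate third-party services are also hosted in svchost.exe with DLLs under Program Files, so treat the Suspicious flag as a triage filter rather than a verdict and compare against a known-good baseline of the same Windows build.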
In our previous installment, we covered two processes: the System process (always PID 4) and SMSS (Session Manager Subsystem). SMSS starts two more processes, CSRSS (Client Server Runtime Process) and WINLOGON.EXE. These are both important processes in Windows and can be targeted by malware and malware scammers.
The first of these I'd like to cover is CSRSS. This is a user-mode process that is critical to system operation. Terminating this process will result in system failure. It is started by SMSS at startup in Session 0 (for all services) and Session 1 (for all user processes) and will have no parent process, as each instance of SMSS that starts CSRSS in each session will self-terminate.
Abnormal behavior of this process is yet again a clue to possible malware. The parent directory is always %SystemRoot%\system32\ (typically C:\Windows\system32).