IR cycle: Identify leads → Collect Data → Analyze → Develop timeline / IOCs
Data Sources
netstat -r
netstat -ano
Processes
● Process Explorer
● TaskManager
● tasklist /v
● Pslist (pstools)
● pslist -x
● PowerShell
Persistence
● AutoRuns
● Service Creation/Replacement
● Service Failure Recovery
● Scheduled Tasks
● DLL Hijacking
● WMI Event Consumers
● Local Group Policies, MS Office Addons etc.
Applications Execution Traces
● Registry
○ Amcache (%SystemRoot%\AppCompat\Programs\Amcache.hve)
○ Shimcache
■ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
■ HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache
● Prefetch
● Windows Logs
● WMI Recent Used Apps
Prefetch
psloggedon
logonsessions
net sessions
Windows Logs
Application: %SYSTEMROOT%\system32\winevt\Logs\Application.evtx (user application events)
Security: %SYSTEMROOT%\system32\winevt\Logs\Security.evtx (security and policy changes)
System: %SYSTEMROOT%\system32\winevt\Logs\System.evtx (driver loads and unloads)
Application/Service logs
● OS sub-components
○ AppLocker
○ PowerShell
○ Task Scheduler
○ Remote Desktop
○ Microsoft Office
● Logging levels
○ Operational
○ Admin
○ Debug
○ Analytic
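Added example (not part of the original slides): a PowerShell triage collector that pulls the live-host data sources listed above (processes, network state, persistence locations, Shimcache and Prefetch traces, event logs) into one directory for offline analysis. It assumes an elevated session on the host being examined and a writable $OutDir; the Shimcache value is exported raw so it can be decoded later with ShimCacheParser.

```powershell
# Assumes: elevated PowerShell on the host under investigation, $OutDir writable.
param([string]$OutDir = "C:\triage\$env:COMPUTERNAME")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Processes and listening/established TCP state (the netstat -ano / pslist slide)
Get-CimInstance Win32_Process |
  Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
  Export-Csv "$OutDir\processes.csv" -NoTypeInformation
Get-NetTCPConnection |
  Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
  Export-Csv "$OutDir\tcp.csv" -NoTypeInformation

# Persistence: services, scheduled tasks and WMI event subscriptions
Get-CimInstance Win32_Service |
  Select-Object Name, State, StartMode, PathName, StartName |
  Export-Csv "$OutDir\services.csv" -NoTypeInformation
Get-ScheduledTask | ForEach-Object {
  [pscustomobject]@{
    Path  = $_.TaskPath; Name = $_.TaskName; State = $_.State
    Exec  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
  }
} | Export-Csv "$OutDir\tasks.csv" -NoTypeInformation
foreach ($cls in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
  Get-CimInstance -Namespace root\subscription -ClassName $cls |
    Format-List * | Out-File "$OutDir\wmi_$cls.txt"
}

# Execution traces: raw AppCompatCache (Shimcache) blob plus a Prefetch listing
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache'
[IO.File]::WriteAllBytes("$OutDir\AppCompatCache.bin",
  (Get-ItemProperty -Path $key).AppCompatCache)   # REG_BINARY -> byte[]
Get-ChildItem "$env:SystemRoot\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue |
  Select-Object Name, CreationTime, LastWriteTime, Length |
  Export-Csv "$OutDir\prefetch.csv" -NoTypeInformation

# Windows logs: export the three main channels with wevtutil (safe on live logs)
# and pull new service installs (System event 7045) as a quick persistence lead
foreach ($log in 'Application', 'Security', 'System') {
  wevtutil epl $log "$OutDir\$log.evtx"
}
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Id, Message |
  Export-Csv "$OutDir\new_services.csv" -NoTypeInformation
```

Hash the output directory before moving it off the host so the collected artifacts can be tied back to the timeline later.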
Windows Logs Improvement
/var/log/*
/var/www/*/logs/
cat
grep
less
tail
Lateral Movement Traces
● Credential Harvesting
● RDP
● Windows Admin Shares
● PsExec
● Windows Remote Management Tools
● PowerShell / WMIC
● Vulnerabilities
Hashing
● IP addresses
● Domains
● Hostnames
● Emails
● URLs
● Hashes
● File Paths
● MUTEX names
ToolSet
● RedLine (https://www.fireeye.com/content/dam/fireeye-www/services/freeware/sdl-redline.zip)
● Eric Zimmerman Tools (https://ericzimmerman.github.io/#!index.md)
● Sysinternals Autoruns (https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)
● python-registry amcache.py (https://github.com/williballenthin/python-registry/blob/master/samples/amcache.py)
● ShimCacheParser (https://github.com/mandiant/ShimCacheParser)