Windows Incidents Response (Practical - 11 Steps )







When a system is hit by an incident, the common reaction is to panic and jump straight into the system to find the cause, hoping to get it back to normal working condition as soon as possible. In most cases, systems cannot afford the downtime needed for a full investigation before the most likely cause is known (SANS).

In this post, I will walk through basic steps that may help you expedite Windows Incident Response (IR). I have summarized the process in 11 steps.

Let us assume that a machine named Desktop-ABC, joined to the ABC domain, was compromised. As the lead incident responder on your system admin team, your task is to use incident response methodologies to determine what happened, identify any malicious files on the system, and take the appropriate steps to resolve the issue.


Let us start. After connecting to Desktop-ABC, follow the steps below:


1- Look at Event Viewer

To access Event Viewer, open Run and type eventvwr. Next, expand Windows Logs and you will see five different logs.

The Event Viewer is a Windows tool that displays detailed information about significant events on your computer. Go through all logs and all event levels (Error, Warning, Information, Success Audit and Failure Audit). However, it is not necessary to check every log in Event Viewer to get information about the incident; it depends on the type of attack, the Windows version, your technical expertise, etc. Someone with deep knowledge and solid experience in Windows troubleshooting can narrow down the search scope in the logs. Always pay attention to the Security log first, then check the others.

As you know, attackers have become more clever than before, and most new malware leaves a minimal footprint on the system, so Event Viewer will not necessarily help you in your IR.


2- Check for New Users or Groups

Malicious software may attempt to escalate privileges by adding users or groups on a workstation. Open a command prompt by right-clicking the Windows icon, selecting Run and typing cmd. In the command prompt, run net user


net user is a command-line tool built into Windows. To run net user, open a command prompt, type net user with the appropriate parameters, and then press ENTER (Microsoft).


You also have to check whether any unexpected user is in the local Administrators group; you can use the command below:


net localgroup administrators


If you find unknown users in the Administrators group, note them down. You will surely come back to these accounts during the investigation.
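Comparing the two command outputs against a known-good baseline by eye is error-prone on a busy host, so here is an added Python example (my own, not from the original post) that parses constructed sample output of net user and net localgroup administrators and reports accounts that were added, accounts that gained local admin, and accounts that disappeared. The sample output, the DESKTOP-ABC host name and the baseline sets are all assumptions made up for the example; on the live machine you would feed in the real command output.

```python
import re

# Constructed sample output of `net user` on DESKTOP-ABC (not taken from a real host).
NET_USER_OUTPUT = r"""
User accounts for \\DESKTOP-ABC

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
svc_backup               WDAGUtilityAccount       jsmith
The command completed successfully.
"""

# Constructed sample output of `net localgroup administrators` on the same host.
NET_LOCALGROUP_OUTPUT = r"""
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
ABC\Domain Admins
svc_backup
The command completed successfully.
"""

# Hypothetical known-good baseline recorded when the workstation was built.
BASELINE_USERS = {"Administrator", "DefaultAccount", "Guest", "WDAGUtilityAccount", "jsmith"}
BASELINE_ADMINS = {"Administrator", r"ABC\Domain Admins"}


def _table_lines(text):
    """Yield the non-empty lines between the dashed rule and the 'The command completed' footer."""
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table and line.strip():
            yield line.strip()


def parse_net_user(text):
    """`net user` prints account names in columns separated by runs of spaces."""
    names = set()
    for line in _table_lines(text):
        names.update(re.split(r"\s{2,}", line))
    return names


def parse_net_localgroup(text):
    """`net localgroup <group>` prints one member per line."""
    return set(_table_lines(text))


def audit_accounts(net_user_text, localgroup_text, baseline_users, baseline_admins):
    """Accounts that appeared since the baseline, admins not in the baseline, accounts that vanished."""
    users = parse_net_user(net_user_text)
    admins = parse_net_localgroup(localgroup_text)
    return {
        "new_users": sorted(users - baseline_users),
        "new_admins": sorted(admins - baseline_admins),
        "missing_users": sorted(baseline_users - users),
    }


if __name__ == "__main__":
    # On the live host: subprocess.run(["net", "user"], capture_output=True, text=True).stdout
    result = audit_accounts(NET_USER_OUTPUT, NET_LOCALGROUP_OUTPUT, BASELINE_USERS, BASELINE_ADMINS)
    for finding, accounts in result.items():
        print(finding, accounts)
```

With the sample data the script reports svc_backup as both a new account and a new local administrator, which is exactly the kind of account you would note down before going further. A deleted account shows up under missing_users, which matters too: attackers sometimes remove the account they used once persistence is in place elsewhere.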



3- Look at Scheduled Tasks

Once an attacker gets access to a box, he will try to find ways to persist on the system, allowing continued operations in the future. A common way to maintain persistence is to schedule the execution of an infected program or a hijacked service, or to set it to run whenever the computer boots.

Two areas we can check on a Windows machine are:

1- Task Scheduler

The Task Scheduler enables you to automatically perform routine tasks on a chosen computer. The Task Scheduler does this by monitoring whatever criteria you choose to initiate the tasks (referred to as triggers) and then executing the tasks when the criteria is met (Microsoft).


You can run the command schtasks to list all tasks currently configured on this machine and make sure no unknown tasks are listed.


2- MSConfig


MSConfig is a good, versatile tool for managing the startup process on your computer. 

Open Run, type msconfig, then click Open Task Manager and check all the startup entries configured on this machine to make sure no unknown applications are listed.
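A plain schtasks listing on a workstation runs to hundreds of entries, most of them Microsoft's own. This added Python example (mine, not part of the original post) reads the CSV form of the listing, which schtasks produces with /query /fo CSV /v, and applies two defender heuristics: a task whose command lives in a user-writable location (AppData, Temp, ProgramData, Users\Public), and a task authored by a local user account but configured to run as SYSTEM. The CSV sample is constructed and trimmed to a handful of the real columns; the task names, paths and host name are assumptions.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo CSV /v` output, trimmed to a few of its columns
# (not real data; the real command prints many more columns per task).
SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"DESKTOP-ABC","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"DESKTOP-ABC","\GoogleUpdateTaskMachineUA","Ready","Google","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","SYSTEM"
"DESKTOP-ABC","\WindowsUpdateHelper","Ready","DESKTOP-ABC\jsmith","C:\Users\jsmith\AppData\Roaming\updater.exe -silent","SYSTEM"
"DESKTOP-ABC","\OneDrive Standalone Update Task","Ready","Microsoft","C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","jsmith"
'''

# Locations that can be written without admin rights; a task launching from here deserves a look.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.IGNORECASE)


def review_tasks(csv_text):
    """Return {task name: [reasons]} for every task that trips one of the heuristics."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["TaskName"] == "TaskName":  # schtasks may repeat the header row per task folder
            continue
        reasons = []
        command = row.get("Task To Run", "")
        if USER_WRITABLE.search(command):
            reasons.append("launches from a user-writable path: " + command)
        author = row.get("Author", "")
        local_prefix = row["HostName"].upper() + "\\"
        if author.upper().startswith(local_prefix) and row.get("Run As User", "").upper() == "SYSTEM":
            reasons.append("authored by local account %s but runs as SYSTEM" % author)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    # On the live host: subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"], capture_output=True, text=True).stdout
    for task, reasons in review_tasks(SCHTASKS_CSV).items():
        print(task)
        for reason in reasons:
            print("   -", reason)
```

Two tasks are flagged on the sample: the WindowsUpdateHelper task trips both heuristics, while the OneDrive updater is a legitimate program that happens to live under AppData. That second hit is the point of running heuristics rather than rules: they shorten the list you have to review, but the analyst still decides, and a per-organization allowlist of known installers belongs in front of this check.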


4- Check Networking Information:

1- ARP

Displays and modifies entries in the Address Resolution Protocol (ARP) cache. The ARP cache contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. There is a separate table for each Ethernet or Token Ring network adapter installed on your computer. Used without parameters, arp displays help information (Microsoft).



Use the command below to list the ARP cache on the infected machine and see whether any abnormal or manually added (static) entries can be found:



Open CMD then type:

arp -a





2- Netstat

Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections (Microsoft).

Use the command below to view active network connections together with the process ID (PID) that owns each of them.

Open CMD then type netstat -ano
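What you are looking for in the netstat output is connections to addresses outside your own ranges and listeners that should not be there, and the PID column lets you tie both back to a process. This added Python example (my own, not from the original post) parses constructed netstat -ano output, groups external TCP peers by PID and reports listening ports missing from an assumed baseline. The IP addresses, ports and PIDs are made up, and the set of "expected" listeners is a placeholder you would replace with your own build standard.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.25:49712        10.0.0.5:445           ESTABLISHED     4
  TCP    10.0.0.25:49801        203.0.113.17:8080      ESTABLISHED     5120
  TCP    10.0.0.25:49815        198.51.100.23:443      ESTABLISHED     3344
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    2100
"""

# Address ranges treated as "inside": RFC 1918, loopback, link-local, unspecified, multicast.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "0.0.0.0/8", "224.0.0.0/4", "::1/128", "::/128", "fc00::/7", "fe80::/10", "ff00::/8")]

# Hypothetical baseline of ports this workstation is expected to listen on.
EXPECTED_LISTENERS = {135, 139, 445, 3389}


def split_endpoint(endpoint):
    """'10.0.0.25:49801' -> ('10.0.0.25', '49801'); '[::]:135' -> ('::', '135')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """Turn the table into dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        rows.append({"proto": proto, "local": local, "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def triage_netstat(text, expected_listeners=EXPECTED_LISTENERS):
    external = defaultdict(list)
    listeners = set()
    for row in parse_netstat(text):
        host, port = split_endpoint(row["foreign"])
        if row["state"] == "LISTENING":
            local_port = int(split_endpoint(row["local"])[1])
            if local_port not in expected_listeners:
                listeners.add((local_port, row["pid"]))
        elif row["proto"] == "TCP" and host != "*" and not is_internal(host):
            external[row["pid"]].append((host, int(port), row["state"]))
    return {"external_by_pid": dict(external), "unexpected_listeners": sorted(listeners)}


if __name__ == "__main__":
    # On the live host: subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    result = triage_netstat(NETSTAT_OUTPUT)
    for pid, peers in result["external_by_pid"].items():
        print("PID", pid, "talks to", peers)       # map PID to image with `tasklist /fi "PID eq <pid>"`
    print("unexpected listeners (port, pid):", result["unexpected_listeners"])
```

On the sample, PID 5120 both listens on an unexpected port and holds a connection to an outside address, which is the pattern to chase first; tasklist with the /fi "PID eq" filter gives you the image name to carry into the file-signature and strings steps later in this post.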


5- Review the Hosts File

The hosts file is one of several system facilities that assist in addressing network nodes in a computer network. Check the hosts file; you might find a redirection to a suspicious website.


Path of the hosts file: %SystemRoot%\System32\drivers\etc\hosts
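A clean Windows hosts file contains nothing but comments, so any active line is worth explaining. This added Python example (mine, not from the original post) parses the file and separates the two things malware does with it: mapping a name to 0.0.0.0 to block it (security vendors' update servers are the classic target) and mapping a name to a foreign address to redirect it. The file content below is constructed; the hostnames and the 203.0.113.9 address are made up for the example.

```python
import ipaddress
import os

# Constructed hosts file content (not copied from a real system).
HOSTS_FILE = """
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1   mypc.local
0.0.0.0     update.example-av.invalid
203.0.113.9 login.bank-example.invalid www.bank-example.invalid
"""

HOSTS_PATH = r"%SystemRoot%\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (line number, address, [names]) for every active (non-comment) line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def review_hosts(text):
    """Classify each active entry; loopback entries are the only ones not reported."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, names, "unparseable address"))
            continue
        if ip.is_unspecified:
            findings.append((lineno, addr, names, "sinkholed to 0.0.0.0 (blocks the name)"))
        elif not ip.is_loopback:
            findings.append((lineno, addr, names, "non-loopback override (possible redirection)"))
    return findings


def load_live_hosts():
    """Read the real file on a Windows host; %SystemRoot% is expanded by os.path.expandvars."""
    with open(os.path.expandvars(HOSTS_PATH), encoding="utf-8", errors="replace") as f:
        return f.read()


if __name__ == "__main__":
    text = load_live_hosts() if os.name == "nt" else HOSTS_FILE
    for lineno, addr, names, why in review_hosts(text):
        print("line %d: %s -> %s  [%s]" % (lineno, addr, " ".join(names), why))
```

The loopback entry for mypc.local is left alone, the 0.0.0.0 line is reported as a block, and the line pointing two bank hostnames at 203.0.113.9 is reported as a redirection. Any name you find redirected here should go on the list of indicators you check against the netstat output and the Wireshark capture.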


6- View Running Services

Check my earlier post about suspicious services in Windows.



7- Verify File Signatures

Windows provides a useful utility that scans critical Windows files and examines their digital signatures. Any critical files or device drivers that have been modified or added and are not signed are flagged as suspicious.

Microsoft ships a tool in Windows 10/8/7 and Windows Vista called sigverif.exe, the File Signature Verification tool, which helps you identify unsigned drivers.

Open CMD then type sigverif


8- Identify Recently Added Files

Here you will look for newly created files and directories added to a specific (and popular) system-critical directory, Windows\System32. At the command prompt, enter the following command:


dir /a /o-d /p %SystemRoot%\System32\

In the result (sorted by date, newest first, because of /o-d), you will observe any suspicious files or directories created recently under the System32 folder.
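The dir listing shows you the newest entries but leaves you to hash them by hand. This added Python example (my own, not from the original post) does the equivalent of the listing for files of executable types modified within the last few days and records a SHA-256 for each, so the values can be checked against your own allowlist or a reputation service later. It sorts on last-write time, the same timestamp dir sorts on by default; the days window and file-type list are assumptions. One caveat the listing shares: timestamps can be altered by an attacker, so a quiet recent list is not proof that nothing was dropped.

```python
import hashlib
import os
import time
from pathlib import Path

# Extensions worth hashing; an assumption for this example, extend as you see fit.
EXECUTABLE_TYPES = (".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd", ".vbs", ".scr")


def sha256_of(path, chunk_size=1 << 16):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def recent_files(directory, days=7, now=None, suffixes=EXECUTABLE_TYPES):
    """Files in `directory` (top level only, like `dir`) whose last-write time falls in the window,
    newest first, each with its SHA-256."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for entry in Path(directory).iterdir():
        if not entry.is_file() or entry.suffix.lower() not in suffixes:
            continue
        mtime = entry.stat().st_mtime
        if mtime >= cutoff:
            hits.append({"path": str(entry), "mtime": mtime, "sha256": sha256_of(entry)})
    hits.sort(key=lambda h: h["mtime"], reverse=True)
    return hits


if __name__ == "__main__":
    # On Windows this expands to the System32 directory the post is talking about.
    target = os.path.expandvars(r"%SystemRoot%\System32") if os.name == "nt" else "."
    for hit in recent_files(target):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(hit["mtime"]))
        print(stamp, hit["sha256"], hit["path"])
```

Running it against System32 on an investigation host gives you a dated, hashed list you can paste into your case notes; keep the hashes, because the file itself may be gone by the time you come back to it.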


9- Perform Static Analysis on the File (Strings Tool).

This is an offline activity. If you find a suspicious exe file, you can use a third-party tool to analyze it. One such tool is Strings, a utility that lets you list the Unicode or ASCII strings found inside a file, executable or otherwise.

Copy the exe file to an isolated machine and perform your static analysis there:

Example of using the Strings tool: open CMD and type the command below (let us assume you have found a suspicious exe file called ABX.exe):

strings -n 5 C:\Users\user\Desktop\ABX\ABX.exe > Output.txt

You might not find useful details in the output file if the executable is packed.





10- Perform Static Analysis on File (Regshot) .

(This is an offline activity.) Regshot is an open-source (LGPL) registry comparison utility that allows you to quickly take a snapshot of your registry and then compare it with a second one taken after making system changes or installing a new software product.

Since the Registry is a popular place to hide in and set up persistence on Windows systems, we will use a popular tool named Regshot to watch for Registry modifications while we run the suspicious code you discovered. Click on the Regshot icon in the taskbar (the icon with three blocks).

Click 1st shot, then run the suspicious exe file; after a while click 2nd shot, then click Compare to see the differences in the registry before and after running the exe file. This task may require good technical knowledge of the registry structure.


11- Use Wireshark to Capture TCP Traffic:

Use Wireshark to capture traffic and see whether there are other suspicious events. In the filter bar, type tcp and press Enter; this will filter out all but the TCP packets. Scroll through the traffic and look for any attempts to contact outside websites.

Run the exe file "ABX.exe" and let Wireshark capture traffic for a while, then stop the capture and start analyzing the traffic. Wireshark has many filters that will help you narrow down the traffic analysis.


End.

Please note that in Windows IR these steps are neither a standard nor an exhaustive list, but I have shared them because I'm sure they will help system admins while responding to incidents.

Good luck.
