Windows DFIR Checks
Malware Activity
Check disabled task manager (often from malware)
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgrThe below represent registry keys which make it more difficult for Mimikatz to work. Modification of these keys may indicate an attacker trying to execute Mimikatz within an environment if they were set to their more secure state. Always test prior to changing registry keys such as these in a production environment to ensure nothing breaks.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
- “UseLogonCredential” should be 0 to prevent the password in LSASS/WDigest
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- “RunAsPPL” should be set to dword:00000001 to enable LSA Protection which prevents non-protected processes from interacting with LSASS.
- Mimikatz can remove these flags using a custom driver called mimidriver.
- This uses the command **!+** and then **!processprotect /remove /process:lsass.exe** by default so tampering of this registry key can be indicative of Mimikatz activity.The Mimikatz Yara rule may also prove useful.
Some techniques may involve loading lsasrv.dll or wdigest.dll to extract credentials and may be caught if this is loaded legitimately using:
tasklist /m wdigest.dll
tasklist /m lsasrv.dllYou may be able to detect changes to the below registry keys which can be used to load an arbitrary DLL and extract credentials, more information from Adam Chester
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS /v LsaDbExtPt
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\DirectoryServiceExtPtAn adversary may also tamper with the number of cached logons a system holds (default of 10).
NetNTLM Downgrade Attack Detection
Putty Detection
Locate Possible Trickbot
Check running executables for malware via VirusTotal
Note: VT Has a rate limit for the Public API so this won’t work if you are using the Public API. All 1 liners require VTAPIKey to be set as your VirusTotal API key
This query uses a 15 second timeout to ensure only 4 queries are submitted a minute
This query uses a 15 second timeout to ensure only 4 queries are submitted a minute and only unique hashes are queried
Registry Indicators
Check Registry for IE Enhanced Security Modification
Check Registry for disabling of UAC (1=UAC Disabled)
Review Software Keys for malicious entries
Scan Registry keys for specified text
Suspicious Files
Find files without extensions
Persistent file locations of interest
You can scan these directories for items of interest e.g. unusual exe, dll, bat, lnk etc files with:
Locate LNK Files with a particular string (Special thanks to the notorious)
Master File Table
The Master File Table is an incredibly important artifact; however, this can only be read or obtained using low level disk reading. This contains an entry for every file or directory on the filesystem including metadata about these files, and may provide evidence on files which have been removed (MFT entries marked as ‘free’). More information can be found on Microsoft Docs
Determine Timestomping
Within the Master File Table (Located at the Win root) there are 2 elements, $STANDARD_INFORMATION and $FILE_NAME, both of which have values for a file being created, modified, accessed and written.
These are known as MACB times (Modified, Accessed, Changed, Birth). The $STANDARD_INFORMATION element can be modified from a malicious process, but the $FILE_NAME element is left intact and cannot without some extra trickery.
These discrepancies generally indicate Timestomping with the $FILE_NAME entry being the source of truth. This can be determined by obtaining the MFT (e.g. using a tool such as Rawcopy), and comparing timestamps on the file (e.g. using a tool such as MFTExplorer).
Check system directories for executables not signed as part of an operating system release
Note: Don’t forget tice Utilities load in user hives.
Note: This will show the file name/location and metadata in Hex. If the last lot of hex is FFFFFF7F then the user enabled the macro.
Note: Don’t forget to load in user hives.
Note: This will show the file name/location and metadata in Hex. If the last lot of hex is FFFFFF7F then the user enabled the macro.
Check all Appdata files for unsigned or invalid executables
Check for execuables in Local System User Profile and Files
Find executables and scripts in Path directories ($env:Path)
Find files created/written based on date
Programs specifically set to run as admin
Windows Indexing Service
DNS Logs
Scan DNS Logs
Scan DNS Logs and output unique DNS Queries
WMI
Detect Persistent WMI Subscriptions
These will appear as children spawning from wmiprvse.
Investigate WMI Usage
Note: Requires Strings
WIndows Defender
Check Windows Defender Block/Quarantine Logs
ACLs and ACE
Check and Set Access Control Lists
Change ACE for “everyone” on folder and subfiles/folders
Grant everyone full access
Check Security Descriptor Definition Language (SDDL) and Access Control Entries (ACE) for services
Logging Checks
Check audit policies
Check for Windows Security Logging Bypass
Special thanks to Grzegorz Tworek - 0gtweet
Vulnerability Checks
Verify EternalBlue Patch (MS17-010) is installed - Microsoft
Note: This impacts the SMB 1.0 Server Driver, if you don’t have the below, then it’s not installed. If you do you can use the above to determine patch level.
More information on ACE Strings and the level of access they can provide.