Windows Prefetch
Windows Prefetch is a memory management feature that speeds up the startup of applications and the boot process of Windows. When an application is launched, Windows caches the files it needs in RAM. This reduces the number of times the disk is accessed and speeds up the loading process.
provides:
executable name
execution time
execution count
Located in c:\windows\prefetch
prefetch file format: EXENAME-HASH.pf (executable name in upper case, hash as 8 hex digits)
- the hash is calculated from the full path of the executable; for hosting applications the command-line arguments are included too, so one executable can produce several .pf files
-Windows 7 and below: limited to 128 files
-Windows 8+: up to 1024 files
-Windows 10+: prefetch files are compressed (MAM header), so tools must decompress them before parsing
- normal to have multiple prefetch files for svchost
Windows prefetch: hosting application
Windows hosting applications whose command-line arguments are folded into the hash in the file name: svchost.exe, dllhost.exe, backgroundtaskhost.exe, rundll32.exe
It is normal to have multiple prefetch files for svchost.exe because it is run with many different command-line arguments (one .pf per distinct service group). For the other hosting applications, a new .pf produced by an unusual command line is worth a closer look.
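As an added example (not part of these notes, and not Microsoft's or PECmd's code), here is the hash that produces the HASH part of a .pf name, which is what makes one svchost.exe turn into many prefetch files. It implements the SCCA "Vista" hash documented in Joachim Metz's libscca format notes, used from Vista through Windows 10; the notes above only say the hash covers the path and the command line. The NT device path and the way the command line is appended for hosting applications are assumptions of the example.

```python
# Added example, not code from the original notes: predict a Prefetch file name.
# Hash algorithm: the SCCA "Vista" hash from Joachim Metz's libscca format notes
# (seed 314159, h = h*37 + char, truncated to 32 bits, computed over the
# upper-cased string). Windows 8/10's unrolled variant is the same function.

def scca_vista_hash(text: str) -> int:
    """32-bit SCCA Vista hash of `text` (upper-cased first, as Windows does)."""
    h = 314159
    for ch in text.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h


# Hosting applications whose command line is folded into the hash (from the notes).
HOSTING_APPS = {"SVCHOST.EXE", "DLLHOST.EXE", "BACKGROUNDTASKHOST.EXE", "RUNDLL32.EXE"}


def prefetch_name(device_path: str, cmdline_args: str = "") -> str:
    """Expected EXENAME-HASH.pf name for an executable.

    `device_path` is the NT device path Windows hashes, e.g.
    \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SVCHOST.EXE (assumption of this
    example: the volume number must match the real volume the exe lives on).
    For hosting apps the arguments are appended after a single space
    (assumption: this mirrors the process command line as Windows sees it)."""
    path = device_path.upper()
    exe = path.rsplit("\\", 1)[-1]
    hashed = path
    if exe in HOSTING_APPS and cmdline_args:
        hashed = f"{path} {cmdline_args}"
    return f"{exe}-{scca_vista_hash(hashed):08X}.pf"


def expected_svchost_names(device_path: str, service_groups):
    """One .pf name per svchost service group: explains why a host has many
    SVCHOST.EXE-*.pf files and lets you spot a .pf that matches none of them."""
    return {grp: prefetch_name(device_path, f"-k {grp}") for grp in service_groups}


if __name__ == "__main__":
    # Constructed inputs; the volume number is illustrative.
    svchost = r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE"
    for grp, name in expected_svchost_names(svchost, ["netsvcs", "LocalService"]).items():
        print(f"{grp:15s} -> {name}")
    print(prefetch_name(r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NOTEPAD.EXE", "foo.txt"))
```

For a non-hosting application the arguments are ignored, so NOTEPAD.EXE always maps to the same .pf regardless of which file it opened; the volume number in the device path does change the hash, which is why the same tool run from C: and from a USB stick leaves two different prefetch files.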
Windows prefetch: enable/disable settings
1: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters, value EnablePrefetcher
0 = disabled
1 = application launch prefetching enabled
2 = boot prefetching enabled
3 = application launch and boot prefetching enabled (the default on client Windows)
2: HKLM\SYSTEM\CurrentControlSet\Services\SysMain, value Start (the SysMain/Superfetch service is what writes the .pf files; if it is disabled, no prefetch files are created)
0-2 = automatic start (0 boot, 1 system, 2 automatic)
3 = manual start
4 = disabled
- Windows Server has prefetching disabled by default, so an absence of .pf files on a server is not itself suspicious; check both values before drawing conclusions from missing prefetch evidence.
Windows prefetch: First/last executed
- The .pf file's creation time is the first known execution of that executable (more precisely, the first execution since that .pf file was created).
- Allow for a delay of about 10 seconds: the .pf file is written roughly 10 seconds after the process starts, so creation and modification times trail the actual launch.
- The .pf file's modification time is the last time the program may have been executed; the last-run timestamps stored inside the file are the authoritative values.
- If an application has not been executed recently, its .pf file can age out and be deleted; a later execution creates a new file with a new creation time, so "first executed" only means "first since this file was created".
- A .pf file being created only proves the program started; it does not mean the program ran successfully or to completion.
Windows prefetch: PECmd
PECmd (Prefetch Explorer Command line, by Eric Zimmerman) is a command-line tool that parses Windows Prefetch files (.pf), including the compressed Windows 10+ format, and reports: volume information, files and directories referenced, execution times, and total execution count.
PECmd also reports the executable name, prefetch hash, file size, and prefetch version.
Prefetch file metadata includes a run count and the last run timestamp; Windows 8 and later store up to the 8 most recent run timestamps, which PECmd lists individually.
AppCompat Shimcache
"AppCompat Shimcache", also called Shimcache or AppCompatCache, is a Windows application-compatibility cache: it records executables the OS has examined for compatibility shimming so that older applications can be run on newer Windows versions. Because it records the paths of executables that were seen on the system, it is a valuable forensic artifact when investigating malware and attacker tooling.
- Shimcache records the executable's file path and the file's last-modified timestamp (from $STANDARD_INFORMATION). It DOES NOT record file size or last execution time after Windows XP; only XP stored file size and a last-update time.
- Windows 7 and later show the file path, the last-modified date and (on Windows 7/8.x) an insert/execution flag; Windows 10 dropped the flag entirely.
- Windows 7 and later hold up to 1024 entries, with the most recent entries at the top of the list.
- The insert flag (and, on Windows 10, mere presence in the cache) does not guarantee that the application executed: a file can be cached because Explorer displayed or inspected it.
AppCompat Shimcache more notes
-AppCompatCache entries are written to the SYSTEM hive (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache) only on shutdown or reboot.
- Until that shutdown or reboot, the entries for applications that have been shimmed exist only in memory, so the registry view of a live system lags behind; capture memory or perform a graceful shutdown if the most recent entries matter.
- If an attacker removed their tools from the system and was also careful to delete the corresponding .pf files, AppCompatCache entries might provide some of the only remaining clues that the application existed.
Appcompatcache: AppcompatCacheParser
AppCompatCacheParser is a command-line tool by Eric Zimmerman that parses the AppCompatCache value from a SYSTEM hive (live or offline) and reports, per entry, the executable file path, the file's last-modified timestamp, the entry's position in the cache, and the insert/execution flag where the Windows version records one. It does not report an execution time, because Shimcache does not store one. It is also known as ShimParser.
AmCache.hve
Amcache.hve is a Windows registry hive (C:\Windows\AppCompat\Programs\Amcache.hve) that stores information about programs and drivers that have been present on, installed on, or run from a system.
Amcache.hve stores metadata about executables, including their full path, last modification time, and SHA1 hash, and in some versions file details such as version, product name, company name, and description. For programs installed via an installer, associated entries can be found in the Amcache as well.
What it stores: information about applications, such as creation and modification timestamps, the application name, and the executable file path.
- Important: it stores metadata about programs, not proof of execution; an entry shows the file existed and was inventoried, which often but not always coincides with execution. It replaced RecentFileCache.bcf from Windows 8 onward.
- The SHA1 hash is computed over only the first 31,457,280 bytes (about 31.4 MB) of the file, so for larger executables the recorded hash will not match a full-file SHA1 and cannot be looked up directly in threat-intelligence sources.
- It uses registry keys and values to store information on applications and drivers on the system.
AmCache.hve: Inventory application File
The InventoryApplicationFile key contains one subkey per executable file. Each subkey holds the SHA1 hash (the FileId value, prefixed with four zeros), the PE header compilation (link) time, the full path, the file size, and a ProgramId that can be cross-referenced with the InventoryApplication key to find the installed program the file belongs to.
AmcacheParser splits these into two outputs: associated file entries (linked to a program in InventoryApplication) and unassociated file entries. The unassociated file entries cover executables present on the system that were not part of an installation package, which is where dropped tools and malware usually land.
AmCache.hve: Inventory Driver Binary
The InventoryDriverBinary key contains, per driver, the SHA1 hash, the driver file's modification time, a DriverSigned flag (1 = signed), and the product version; useful for spotting unsigned or freshly dropped drivers.
AmcacheParser
AmcacheParser (Eric Zimmerman) extracts:
sha1
full path
file size
file version number
file description and publisher
last modified date
compilation time
and language id
Living off the Land: commonly abused tools
psexesvc.exe
wmic.exe
scrcons.exe
certutil.exe
rar.exe
wsmprovhost.exe
whoami.exe
AppCompatProcessor.py
Parses both AppCompatCache (aka Shimcache) and Amcache artifacts from many hosts and loads them into an SQLite database, so entries can be searched and stacked across a fleet.
Eventlog Types
Security
system
application
custom
Eventlog: Security
Records events based on auditing criteria provided by the local group policies.
Records security-related events like user logins, access attempts, file modifications (shares and access), and system changes.
- Only the LSASS process writes to the Security log, which is also why reading it requires administrative rights (or Event Log Readers membership).
It contains the following:
account logon
account mgmt (password changes, user account, groups)
directory service (attempted directory access)
logon events
object access
policy changes
privilege use
process tracking (process start, exit, handles, object access etc.)
system events
Eventlog: System
The System log records events generated by Windows components themselves: drivers, services starting or stopping, resource problems, and system reboots.
Event logs contain information such as:
The date and time of the event
A description of the event
The severity of the event
The application or process involved
A code to identify the event
Other relevant information, like IP addresses or user names
Eventlog: Application
Contains events from installed applications rather than the operating system itself. An example is SQL Server failing to access a database.
Eventlog: Custom
Contains the Applications and Services logs, each in its own .evtx file: things like TaskScheduler, TerminalServices, PowerShell, WMI-Activity, Windows Firewall, and DNS.
Security Relevant Event IDs
4624 - successful logon
4625 - failed logon
4634 / 4647 - successful logoff (4634 is generated by the system, 4647 when the user initiates the logoff)
4648 - logon using explicit credentials (RunAs / alternate credentials)
4672 - special privileges assigned to a new logon (an admin-equivalent logon)
4720 / 4726 - account created, account deleted
- Windows does not always record a 4634 for every logoff, which is why both 4634 and 4647 are checked.
- Logon events are not recorded when backdoors, remote exploits, or other non-standard methods of system access are used, because no Windows authentication takes place.
EventViewer: 5 important fields
1. event id
2. account
3. logon type
4. timestamp
5. computer
logon type codes
2 - Interactive: logon at the console (physical keyboard, virtual machine console, or KVM)
3 - Network: SMB share access and mapping, RPC, and the Network Level Authentication step of RDP connections
4 - Batch: used by scheduled tasks
5 - Service: Windows service logon
7 - Unlock: credentials used to unlock the screen; also seen on RDP session reconnect
8 - NetworkCleartext: network logon sending cleartext credentials (e.g. IIS basic authentication)
9 - NewCredentials: different credentials than the logged-on user (runas /netonly); the new credentials are used only for outbound connections
10 - RemoteInteractive: remote interactive logon (RDP, Terminal Services)
11 - CachedInteractive: logon with cached domain credentials (domain controller unreachable)
12 - CachedRemoteInteractive: cached credentials for a remote interactive logon (similar to 10)
13 - CachedUnlock: cached credentials used to unlock the screen (similar to 7)
Logon Session notes
- Each logon is assigned a unique Logon ID at the time of logon; the same ID appears in the matching logoff event, so it can be used to determine the time a user spent on the system.
- Match a 4624 to a 4634/4647 with the same Logon ID and compare the two timestamps to get the session length.
- Session length is meaningful for interactive logon types (2, 10, 11, 13). Other logon types such as 3 and 5 are typically very short.
- A type 3 logon for an SMB share is usually open for seconds, so a long-lived type 3 session is unusual.
- The Logon ID also ties related events together, e.g. a 4624 and the 4672 special-privileges event for the same session, or two events whose account-name fields show different users but share one Logon ID.
- Type 3 events are usually SMB, but RDP password-spray attacks against hosts using Network Level Authentication also show up as type 3 failures (4625), not type 10.
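As an added example (not part of these notes), the pairing described above, carried out over a handful of constructed 4624/4634/4647/4672 records: sessions are matched on Logon ID, only interactive types are timed, and the 4672 is tied back to its session. The record layout and the events are assumptions of the example.

```python
# Added example, not code from the original notes: measure logon session length
# by pairing 4624 with 4634/4647 on Logon ID, for the interactive logon types
# the notes single out. The events below are constructed for the example.
from datetime import datetime

INTERACTIVE_TYPES = {2, 10, 11, 13}

# Constructed events: (event id, UTC time, logon id, account name, logon type).
# Logon type is None for events that do not carry one (4647, 4672).
EVENTS = [
    (4624, "2024-03-01T08:00:00", "0x3E7A1", "alice", 10),        # RDP logon
    (4672, "2024-03-01T08:00:00", "0x3E7A1", "alice", None),      # admin-equivalent, same ID
    (4624, "2024-03-01T08:00:05", "0x3E7B0", "svc-backup", 3),    # SMB, lives for seconds
    (4634, "2024-03-01T08:00:06", "0x3E7B0", "svc-backup", 3),
    (4624, "2024-03-01T09:15:00", "0x40011", "bob", 2),           # console logon, never logs off
    (4647, "2024-03-01T11:45:00", "0x3E7A1", "alice", None),      # user-initiated logoff
]


def session_lengths(events):
    """Map Logon ID -> (account, logon type, duration) for interactive logons.

    Duration is a timedelta, or None when no 4634/4647 with that Logon ID was
    found (session still open, or the logoff was never recorded)."""
    open_logons = {}
    for eid, ts, lid, acct, ltype in events:
        if eid == 4624 and ltype in INTERACTIVE_TYPES:
            open_logons[lid] = [acct, ltype, datetime.fromisoformat(ts), None]
    for eid, ts, lid, _acct, _ltype in events:
        if eid in (4634, 4647) and lid in open_logons:
            start = open_logons[lid][2]
            open_logons[lid][3] = datetime.fromisoformat(ts) - start
    return {lid: (a, t, d) for lid, (a, t, _s, d) in open_logons.items()}


def privileged_sessions(events):
    """Logon IDs that also carry a 4672, i.e. interactive sessions with admin rights."""
    with_4672 = {lid for eid, _ts, lid, _a, _t in events if eid == 4672}
    return {lid for lid in session_lengths(events) if lid in with_4672}


if __name__ == "__main__":
    for lid, (acct, ltype, dur) in session_lengths(EVENTS).items():
        print(f"{lid} {acct:12s} type {ltype:2d} duration {dur if dur else 'still open'}")
    print("privileged:", privileged_sessions(EVENTS))
```

The type 3 logon is deliberately excluded: its one-second lifetime is normal and timing it would only add noise. Bob's session is reported with no duration rather than dropped, because "no logoff recorded" is itself something to notice (Windows does not always write a 4634).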
Brute-force attack notes
4625 Sub Status codes:
0xC0000064 - the user name does not exist (unknown user)
0xC000006A - the user name exists but a bad password was tried
- Many 0xC0000064 from one source is user enumeration; many 0xC000006A against one account is a brute force; a few 0xC000006A each across many accounts from one source is a password spray.
Windows account types
SYSTEM - most powerful local account
LOCAL SERVICE - limited privileges, similar to a standard user account
NETWORK SERVICE - slightly higher privileges than LOCAL SERVICE; can access network resources as the computer account
HOSTNAME$ - every domain-joined Windows system has a computer account, signified by the trailing $
DWM-n - Desktop Window Manager session accounts
UMFD-n - User Mode Font Driver host accounts
ANONYMOUS LOGON - null session, no credentials used to authenticate to a resource
Windows account types: SYSTEM
SYSTEM - the most powerful local account, used for non-user-related actions (the OS itself and most services). On the network it authenticates as the computer account.
Windows account types: LOCAL SERVICE
LOCAL SERVICE - limited privileges, similar to a user account; used for services that do not require network access. It has no credentials for the network and presents as an anonymous (null session) logon when it connects to remote resources; services that need network access use NETWORK SERVICE instead.
Windows account types: NETWORK SERVICE
NETWORK SERVICE - slightly higher privileges than LOCAL SERVICE; can access network resources, authenticating as the computer account (HOSTNAME$).
Windows account types: HOSTNAME$
HOSTNAME$ - every domain-joined Windows system has a computer account, signified by the trailing $. The account lets the computer authenticate when communicating with Active Directory and domain resources. A type 3 logon by another host's computer account is normal service traffic; a computer account logging on interactively (type 2 or 10) is unusual.
Windows account types: DWM
DWM-n - Desktop Window Manager; one virtual account per session. The DWM-n and UMFD-n type 2 logons in 4624 are normal session-setup noise, not user activity.
Windows account types: ANONYMOUS LOGON
ANONYMOUS LOGON - a null session without credentials used to authenticate to a resource. Windows networks use it for things like file and print sharing and browse-list enumeration, but an ANONYMOUS LOGON type 3 from an unexpected source is also what unauthenticated SMB enumeration looks like.
Event IDs second set
4722 - user account enabled
4724 - an attempt was made to reset an account's password
4728 - member added to a security-enabled global group
4732 - member added to a security-enabled local group
4735 - a security-enabled local group was changed
4738 - a user account was changed
4756 - member added to a security-enabled universal group
- A 4720 followed shortly by a 4732 into Administrators (or 4728/4756 into a privileged domain group) is the classic backdoor-account sequence; the Subject fields show who did it.
Event IDs: RDP
4778 - session reconnected
4779 - session disconnected
4778 and 4779 include the IP address and the host name of THE SYSTEM THAT ESTABLISHED THE CONNECTION (the RDP client).
- The host name is whatever the RDP client reports about itself, wherever that client is running, which is often the attacker's own machine, so it may be a name that does not exist anywhere in your environment.
event ids: rdp inbound vs outbound
Event 131 in Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational is written on the DESTINATION and records the accepted inbound TCP connection with the client IP. Events 1024 and 1102 in Microsoft-Windows-TerminalServices-RDPClient/Operational are written on the SOURCE and record outbound RDP connections with the destination host name (1024) and IP address (1102).
Microsoft-Windows-TerminalServices-RDPClient/Operational
Microsoft-Windows-TerminalServices-RDPClient/Operational - this log is recorded on the source system and helps show where the attacker moved to next.
- Note that TerminalServices-RDPClient is the only RDP event log that records on the source device; the other RDP logs live on the destination.
Logon/Logoff vs Account Logon
Logon/Logoff events (4624, 4634, 4647, 4648, 4672) are recorded on the system where the session is created. Account Logon events (4768, 4769, 4771, 4776) record the validation of the credentials by the authenticating authority, which for domain accounts is the domain controller, i.e. a third system rather than the one being accessed. Local accounts are validated on the host itself, so their Account Logon events (4776) appear there.
Logon Error Code reasons
NTSTATUS codes in the Status/Sub Status fields of EID 4625 (and the Error Code of 4776):
0xC0000064 - invalid (non-existent) user name
0xC0000070 - logon from an unauthorized workstation (workstation restriction)
0xC0000234 - account locked out (0xC0000072 is account disabled, 0xC0000193 is account expired)
0xC0000071 - password expired
0xC000006A - password invalid
- Kerberos pre-authentication failures (EID 4771, logged on the DC) use Kerberos failure codes instead: 0x18 bad password, 0x6 unknown user, 0x12 account disabled/locked/expired, 0x17 password expired.
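As an added example (not part of these notes), this block serves both the brute-force notes and the error-code card above: it maps 4625 Sub Status values to reasons and then uses the mix of codes and target accounts per source to call a password spray, a brute force, or user enumeration. The thresholds and the sample events are assumptions of the example.

```python
# Added example, not code from the original notes: read 4625 Sub Status codes
# and sort failed logons into brute force / password spray / user enumeration.
# Thresholds and the sample events are this example's assumptions.
from collections import defaultdict

# NTSTATUS values from the 4625 Sub Status field (also the 4776 Error Code).
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC0000070: "workstation restriction",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000234: "account locked out",
}

# Constructed 4625 records: (source IP, target user, logon type, sub status).
FAILED_LOGONS = [
    ("10.0.0.5", "alice", 3, 0xC000006A),   # one source, one bad password per user:
    ("10.0.0.5", "bob", 3, 0xC000006A),     # a spray over RDP/NLA shows as type 3
    ("10.0.0.5", "carol", 3, 0xC000006A),
    ("10.0.0.5", "dave", 3, 0xC000006A),
    ("10.0.0.5", "zz-nobody", 3, 0xC0000064),
    ("10.0.0.9", "admin", 10, 0xC000006A),  # one source hammering one account
    ("10.0.0.9", "admin", 10, 0xC000006A),
    ("10.0.0.9", "admin", 10, 0xC000006A),
    ("10.0.0.9", "admin", 10, 0xC000006A),
    ("10.0.0.9", "admin", 10, 0xC0000234),  # lockout threshold reached
    ("10.0.0.7", "eve", 2, 0xC0000071),     # a user with an expired password
]


def describe(sub_status):
    """Human-readable reason for a Sub Status value, or the raw code if unmapped."""
    return SUBSTATUS.get(sub_status, f"unmapped 0x{sub_status:08X}")


def classify_sources(failed, min_failures=4):
    """Per source IP, return 'password spray', 'brute force', 'user enumeration'
    or 'benign' based on the mix of Sub Status codes and target accounts."""
    by_src = defaultdict(list)
    for src, user, _ltype, sub in failed:
        by_src[src].append((user, sub))
    verdicts = {}
    for src, rows in by_src.items():
        bad_pw_users = [u for u, s in rows if s == 0xC000006A]
        unknown_users = [u for u, s in rows if s == 0xC0000064]
        if len(rows) < min_failures:
            verdicts[src] = "benign"
        elif len(unknown_users) > len(rows) // 2:
            verdicts[src] = "user enumeration"     # mostly non-existent accounts
        elif len(set(bad_pw_users)) >= min_failures:
            verdicts[src] = "password spray"       # many accounts, few tries each
        elif bad_pw_users and len(set(bad_pw_users)) == 1:
            verdicts[src] = "brute force"          # one account, many tries
        else:
            verdicts[src] = "benign"
    return verdicts


def lockouts(failed):
    """(source, user) pairs whose attempts ended in an account lockout (0xC0000234)."""
    return sorted({(src, user) for src, user, _t, sub in failed if sub == 0xC0000234})


if __name__ == "__main__":
    for src, verdict in classify_sources(FAILED_LOGONS).items():
        print(f"{src:10s} {verdict}")
    print("lockouts:", lockouts(FAILED_LOGONS))
    print(describe(0xC0000064))
```

On a real host, apply the same logic per time window (a spray is spread thin to stay under the lockout threshold) and remember that 0xC0000234 after a run of 0xC000006A tells you the lockout policy fired, which a domain attacker will then avoid by rotating accounts.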
Event IDs: enumeration 4798 and 4799
4798 - a user's local group membership was enumerated
4799 - a security-enabled local group's membership was enumerated
Event IDs: lateral movement 5140 and 5145
5140 - network share accessed (share name and source IP)
5145 - shared object accessed (provides detail on the individual file or path requested within the share; requires Detailed File Share auditing and is very noisy)
IPC$
IPC$ is a special hidden share present on every Windows system that exposes named pipes over SMB so that programs on different machines can talk to each other (RPC, service control, remote registry). Anonymous users may be allowed to connect to it without credentials (a null session) and, where permitted, list domain accounts and shares. A 5140 for \\*\IPC$ is normal background noise; the interesting part is which named pipe was opened, e.g. a 5145 with a relative target of svcctl, which is the service-creation pipe PsExec-style tools use.
Event IDs: lateral movement, RunAs (4624 type 9 and 4648)
4624 logon type 9 - logon with different (new) credentials, e.g. runas /netonly; the new credentials are used only for outbound connections
4648 - logon using explicit credentials
Lateral movement notes
- EID 4648 is logged on the originating system.
- EID 4648 tells us where the attacker was headed because it records the destination (Target Server Name) and the process that supplied the credentials.
- If the Target Server Name is localhost, the event records inbound or local activity (for example the logon on an RDP destination).
- If the Target Server Name is a remote host name or IP, the event records outbound activity toward that host.
- Explicit credentials mean a tool supplied new credentials to authenticate instead of reusing those already present in memory for the session, so 4648 also catches the use of stolen credentials from a foothold host.
Event IDs: task scheduler (Security log)
4698 - scheduled task created
4699 - scheduled task deleted
4700 - scheduled task enabled
4701 - scheduled task disabled
4702 - scheduled task updated
- 4698 and 4702 include the full task XML (command, arguments, triggers, run-as account) in the event.
Event IDs: task scheduler (Microsoft-Windows-TaskScheduler/Operational log)
106 - scheduled task registered (created)
140 - scheduled task updated
141 - scheduled task deleted
200 - scheduled task action started (201 - action completed)
- 4700/4701 (enabled/disabled) are Security-log IDs and do not appear in the Operational log.
- To find remotely created tasks, look for a 4698 whose Subject Logon ID matches a type 3 (network) 4624 recorded shortly before the task creation; that 4624 carries the source IP of the host that created the task.
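As an added example (not part of these notes), the correlation described in the last bullet, run over constructed events: each 4698 is joined to a type 3 4624 on the Logon ID, and only tasks created within a short window after that network logon are reported, with the source IP taken from the 4624. The record layout, the window and the events are assumptions of the example.

```python
# Added example, not code from the original notes: find scheduled tasks that were
# created over the network by joining 4698 (task created) to a type 3 4624 on the
# Logon ID, within a short window. The events and the window are assumptions.
from datetime import datetime, timedelta

# Constructed events.
# 4624: (id, time, target logon id, account, logon type, source IP)
# 4698: (id, time, subject logon id, account, task name)
EVENTS = [
    (4624, "2024-03-01T02:10:00", "0x5A0C1", "jdoe", 3, "10.0.0.55"),
    (4698, "2024-03-01T02:10:04", "0x5A0C1", "jdoe", r"\Microsoft\Windows\Updater"),
    (4624, "2024-03-01T09:00:00", "0x61000", "admin", 2, "-"),        # console logon
    (4698, "2024-03-01T09:30:00", "0x61000", "admin", r"\Backup"),    # local, not remote
    (4698, "2024-03-01T10:00:00", "0x99999", "svc", r"\Orphan"),      # no 4624 in scope
]


def remote_task_creations(events, window=timedelta(minutes=5)):
    """Return [(task name, account, source IP, seconds after logon)] for each 4698
    whose Subject Logon ID matches a type 3 (network) 4624 that occurred at most
    `window` earlier. Tasks created from console/RDP sessions are not reported."""
    network_logons = {}
    for ev in events:
        if ev[0] == 4624 and ev[4] == 3:
            network_logons[ev[2]] = (datetime.fromisoformat(ev[1]), ev[5])
    hits = []
    for ev in events:
        if ev[0] != 4698 or ev[2] not in network_logons:
            continue
        logon_time, src_ip = network_logons[ev[2]]
        delta = datetime.fromisoformat(ev[1]) - logon_time
        if timedelta(0) <= delta <= window:
            hits.append((ev[4], ev[3], src_ip, int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for task, acct, src, secs in remote_task_creations(EVENTS):
        print(f"{task} created by {acct} from {src}, {secs}s after network logon")
```

The Logon ID join is what makes this precise: time proximity alone would also catch the console task at 09:30 if the window were wide, whereas the ID ties the 4698 to one specific network session and therefore one source IP. The orphan 4698 is worth a second look too, since it means the matching 4624 was outside the collected range or never written.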
Event IDs: log clearing
1102 - the audit (Security) log was cleared (written to the Security log, with the account that cleared it)
104 - a System or Application log was cleared (written to the System log by Microsoft-Windows-Eventlog)
Event IDs: suspicious services (System log unless noted)
7034 - service terminated unexpectedly (crashed)
7035 - Service Control Manager sent a start/stop control to a service
7036 - service entered the running/stopped state
7040 - service start type changed (boot, on request/manual, disabled)
7045 - a new service was installed on the system (System log; includes the service file name/command line)
4697 - a new service was installed on the system (Security log; requires the Security System Extension audit subcategory)
- Remote service installation (PsExec, sc \\host create) shows as 7045/4697 with PSEXESVC or a random service name and an executable outside System32.
EvtxECmd
EvtxECmd is Eric Zimmerman's Windows Event Log (.evtx) parser. It can parse a single event log file or a directory recursively, and uses community-maintained maps to pull the useful fields of each event ID into consistent CSV/JSON columns.
RDP Source artifacts: Event logs, Security.evtx
4648 - logon using explicit credentials
contains:
- currently logged-on user name (Subject)
- alternate user name (Account Whose Credentials Were Used)
- destination host name / IP (Target Server Name)
- process name (mstsc.exe for an interactive RDP client)
RDP Source artifacts: Event logs, TerminalServices-RDPClient/Operational
1024 - destination host name
1102 - destination IP address
RDP Source artifacts: Registry
- RDP destinations are tracked per user in NTUSER.DAT under Software\Microsoft\Terminal Server Client: the Default key holds the MRU list of hosts and Servers\<host> holds the UsernameHint last used for each.
- Shimcache (SYSTEM hive): an entry for mstsc.exe, the Remote Desktop client
RDP Source artifacts: Registry BAM/DAM
SYSTEM hive, bam\State\UserSettings\<SID> (older builds: bam\UserSettings\<SID>) - last time mstsc.exe was executed, per user SID
RDP Source artifacts: UserAssist, NTUSER.DAT
mstsc.exe Remote Desktop execution (value names are ROT13-encoded)
- contains the last time executed
- contains the number of times executed
Jumplists
A jump list is a menu that provides quick access to recently used documents, tasks, or applications. It appears when a user right-clicks a program in the taskbar or on the Start menu.
The jump list for mstsc.exe (an AutomaticDestinations-ms file under %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations) tracks Remote Desktop connection destinations and the times they were connected to.
MSTSC.exe
MSTSC.exe is the Microsoft Terminal Services Client (Remote Desktop Connection), the built-in client for connecting to remote computers or Remote Desktop Session Host (RDSH) servers. It has a graphical interface but also accepts command-line options (e.g. mstsc /v:host), and it is included in every professional edition of Windows from Windows XP onwards.
MSTSC.exe can be used to:
Establish a remote connection to another computer
Edit existing Remote Desktop Connection (.rdp) configuration files
Connect to a remote PC using single sign-on with Microsoft Entra
"BAM/DAM"
"BAM/DAM" refers to the Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM), Windows 10 power-management components that throttle background applications. As a side effect they record, per user SID in the SYSTEM hive, the full path of executables that were run and the last time each was executed, which makes them an execution artifact that survives even when Prefetch is disabled.
Rdpclip.exe
Rdpclip.exe, the Remote Desktop Clipboard process, manages the clipboard in remote desktop sessions. It allows users to copy and paste text, images, and files between their local and remote computers. It runs on the DESTINATION of an RDP session, so its execution artifacts mark a host that received an inbound RDP logon.
TsTheme.exe
TsTheme.exe is a native Windows process that applies the Windows theme for an RDP session. Like rdpclip.exe it runs on the DESTINATION, so prefetch or BAM entries for it indicate inbound RDP activity on that host.
MountPoints2
MountPoints2 is a per-user registry key that stores information about volumes the user has mounted, including removable devices and remotely mapped network shares:
What it contains: Each subkey under MountPoints2 represents a unique volume. Local and removable volumes appear by GUID; network shares appear as ##server#share, which is what makes it useful for showing which remote hosts a user connected to.
How to find it: The key is located at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, i.e. in each user's NTUSER.DAT.
PSEXEC.EXE and PSEXESVC.exe
psexec.exe runs on the SOURCE: it authenticates to the ADMIN$ share, copies PSEXESVC.exe over SMB, and creates and starts it as a service (via the svcctl named pipe). PSEXESVC.exe is what executes the requested command.
- PSEXESVC.exe runs on the DESTINATION device, so its prefetch/Shimcache/Amcache entries and a 7045/4697 service-install event for PSEXESVC all mark the target of the lateral movement.
Wmic.exe
Wmic.exe is a command-line tool that gives access to Windows Management Instrumentation (WMI):
What it does
Wmic.exe is a command-line interface for WMI operations, such as querying the operating system for information, running management tasks, and executing programs, locally or on a remote host with /node:host.
- The most common command for lateral movement is "wmic /node:host process call create <command>", which starts the process on the remote host.
WmiPrvSE.exe
WmiPrvSE.exe, the WMI Provider Host, is a core Windows process that hosts WMI providers and acts as the intermediary between WMI clients and the hardware and software they query:
Function
WmiPrvSE.exe lets applications access system information, collects and supplies that information, and helps manage devices on the network.
- Forensically, a process started via "process call create" runs on the destination with WmiPrvSE.exe as its parent, which is the tell-tale sign of WMI-based lateral movement in 4688 or Sysmon process-creation events.
Scrcons.exe
Scrcons.exe is a legitimate Windows process file that executes Windows Script Host (WSH) code in response to an event:
What it does: Scrcons.exe is a WMI Standard Event Consumer that executes WSH code, such as JScript and VBScript, when triggered by an event. It's the parent of any ActiveScript consumers
Mofcomp.exe
Mofcomp.exe is the Managed Object Format (MOF) compiler, which is a tool that parses MOF files and adds the classes and instances defined in the file to the WMI repository.
MOF files are ASCII text files that use the MOF language to describe CIM objects, which are computer models of managed resources like printers, disk drives, and CPUs. Mofcomp.exe can be used to compile MOF files locally or remotely.
Lateral movement: PowerShell commands
- Invoke-Command -ComputerName host -ScriptBlock { Start-Process evil.exe }
- Enter-PSSession -ComputerName host -Credential user
ConsoleHost_history.txt
PSReadLine writes every command typed in an interactive PowerShell console, per user, to %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt on the source system.
It keeps the last 4096 commands by default (MaximumHistoryCount). Scripts run non-interactively are not recorded here, and an attacker can clear or bypass it, so treat it as a bonus rather than a complete record.
Wsmprovhost.exe
Wsmprovhost.exe is the legitimate Windows host process for WinRM plug-ins. It is spawned on the target computer to host a PowerShell remoting session (Invoke-Command / Enter-PSSession) and runs the remote commands.
- This process executes on the RECEIVING end of a PowerShell remoting session, so on the destination it is the parent of whatever the remote user ran.
Report.WER (Windows Error Reporting)
These reports are written when an executable crashes and list information about the application and its process.
- they include the SHA1 hash of the crashed executable and a list of loaded DLL modules, so a crashed attacker tool leaves its hash and path behind even after it has been deleted.
MPLog
MPLog-*.log is a Microsoft Defender log (C:\ProgramData\Microsoft\Windows Defender\Support). It contains:
- processes executed, with full paths and process IDs
- potential code injections (process-injection detections)
- files and folders related to the executable
- SHA1 hash
- ORIGINAL filename metadata from the PE header
Event IDs: Security, process tracking
4688 - new process created
4689 - process exit
These contain the full path, execution time, account information and (for 4688) the creator process; the full command line is only present when "Include command line in process creation events" is enabled in Group Policy.
WMI Attacks: recon commands to look for in command-line logging
wmic process get csname,description,executablepath,processid
wmic useraccount list full
wmic group list full
wmic netuse list full
wmic qfe get caption,description,hotfixid,installedon
wmic startup get caption,command,location,user
Microsoft-Windows-WMI-Activity/Operational log
EID 5861 - new permanent event consumer registered (filter-to-consumer binding, the WMI persistence technique); the event includes the consumer definition
- This log DOES NOT contain wmic command lines; use 4688 with command-line auditing for those.
EID 5857 - tracks loaded provider DLLs (a new or unusual provider DLL can indicate a malicious provider)
EID 5858 - query errors; includes the client host name and user name, which can reveal remote WMI activity
Powershell Transcript logs
PowerShell transcript logs capture exactly what was displayed in the PowerShell console: both the input commands and the output shown after each command.