Windows DFIR Check by MITRE Tactic

Search…

T1015 Accessibility Features
1
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger"
2
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v "Debugger"
3
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AtBroker.exe" /v "Debugger"
4
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "Debugger"
5
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "Debugger"
6
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v "Debugger"
7
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger"
8
sfc /VERIFYFILE=C:\Windows\System32\sethc.exe
9
sfc /VERIFYFILE=C:\Windows\System32\utilman.exe
10
sfc /VERIFYFILE=C:\Windows\System32\AtBroker.exe
11
sfc /VERIFYFILE=C:\Windows\System32\Narrator.exe
12
sfc /VERIFYFILE=C:\Windows\System32\Magnify.exe
13
sfc /VERIFYFILE=C:\Windows\System32\DisplaySwitch.exe
14
sfc /VERIFYFILE=C:\Windows\System32\osk.exe
Copied!
T1098 Account Manipulation
1
N/A
Copied!
T1182 AppCert DLLs
1
reg query "HKLM\System\CurrentControlSet\Control\Session Manager" /v AppCertDlls
Copied!
T1103 AppInit DLLs
1
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
2
reg query "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
3
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
4
reg query "HKU\{SID}\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
5
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='11'} | FL TimeCreated,Message
Copied!
T1138 Application Shimming
1
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom"
2
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB"
3
dir %WINDIR%\AppPatch\custom
4
dir %WINDIR%\AppPatch\AppPatch64\Custom
5
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Kernel-ShimEngine/Operational';}|FL
Copied!
Note: Some other similar methods exist such as abusing the ‘Command’ value of Windows Telemetry Controller - Special Thanks to TrustedSec.
Hint: Look for a Command not pointing to “CompatTelRunner.exe” or which has ‘-cv’, ‘-oobe’, or ‘-fullsync’ in the command line.
1
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController" /s
Copied!
T1197 BITS Jobs
1
bitsadmin /list /allusers /verbose
2
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Bits-Client/Operational'; Id='59'} | FL TimeCreated,Message
3
ls 'C:\ProgramData\Microsoft\Network\Downloader\qmgr.db'
Copied!
T1067 Bootkit
Note: This exists below the OS in the Master Boot Record or Volume Boot Record. The system must be booted through Advanced Startup Options with a Command Prompt, or through a recovery cd.
1
bootrec /FIXMBR
2
bootrec /FIXBOOT
Copied!
Extra: If your boot configuration data is missing or contains errors the below can fix this.
1
bootrec /REBUILDBCD
Copied!
If you’re thinking of a bootkit more as a rootkit (malicious system drivers) you can go with the below.
General Driver Enumeration
1
gci C:\Windows\*\DriverStore\FileRepository\ -recurse -include *.inf | FL FullName,LastWriteTime,LastWriteTimeUtc
2
gci -path C:\Windows\System32\drivers -include *.sys -recurse -ea SilentlyContinue
3
sc.exe query type=driver state=all
Copied!
Unsigned Drivers
1
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-CodeIntegrity/Operational'; Id='3001'} | FL TimeCreated,Message
2
gci -path C:\Windows\System32\drivers -include *.sys -recurse -ea SilentlyContinue | Get-AuthenticodeSignature | where {$_.status -ne 'Valid'}
Copied!
Previous Unusual Loaded Filter Drivers (Often used by rootkits)
Note: This will likely have false positives, particularly relating to filter drivers which are used by AV products, EDR solutions, or otherwise.
1
$FilterEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName="Microsoft-Windows-FilterManager"} | ForEach-Object {
2
	[PSCustomObject] @{
3
		TimeCreated = $_.TimeCreated
4
		MachineName = $_.MachineName
5
		UserId = $_.UserId
6
		FilterDriver = $_.Properties[4].Value
7
        Message = $_.Message
8
	}
9
}
10
echo "Scanning for suspicious filter drivers. Any found will be displayed below:"
11
$FilterEvents | where-object {$_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "WdFilter" -AND $_.FilterDriver -ine "storqosflt" -AND $_.FilterDriver -ine "wcifs" -AND $_.FilterDriver -ine "CldFlt" -AND $_.FilterDriver -ine "FileCrypt" -AND $_.FilterDriver -ine "luafv" -AND $_.FilterDriver -ine "npsvctrig" -AND $_.FilterDriver -ine "Wof" -AND $_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "bindflt" -AND $_.FilterDriver -ine "PROCMON24" -AND $_.FilterDriver -ine "FsDepends"}
Copied!
Unusual Loaded Filter Drivers (No longer present or filtering registry keys)
1
$FilterEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName="Microsoft-Windows-FilterManager"} | ForEach-Object {
2
	[PSCustomObject] @{
3
		TimeCreated = $_.TimeCreated
4
		MachineName = $_.MachineName
5
		UserId = $_.UserId
6
		FilterDriver = $_.Properties[4].Value
7
        Message = $_.Message
8
	}
9
}
10
echo "Scanning for suspicious filter drivers. Any found will be compared against existing services:"
11
$SuspectDrivers = $($FilterEvents | where-object {$_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "WdFilter" -AND $_.FilterDriver -ine "storqosflt" -AND $_.FilterDriver -ine "wcifs" -AND $_.FilterDriver -ine "CldFlt" -AND $_.FilterDriver -ine "FileCrypt" -AND $_.FilterDriver -ine "luafv" -AND $_.FilterDriver -ine "npsvctrig" -AND $_.FilterDriver -ine "Wof" -AND $_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "bindflt" -AND $_.FilterDriver -ine "PROCMON24" -AND $_.FilterDriver -ine "FsDepends"} | select -exp FilterDriver)
12
$SuspectDrivers
13
foreach ($driver in $SuspectDrivers){
14
echo "Checking services for relevant drivers. Any which aren't present may indicate a filter driver which has since been removed, or an active rootkit filtering service registry keys."
15
gci REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\$driver
16
}
Copied!
Safe Boot registry keys
Special Thanks - Didier Stevens, multiple times​
Note: These keys specify what services are run in Safe Mode. Sometimes they’ll be modified by malware to ensure rootkits can still function in Safe Mode.
1
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
2
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal /s
3
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network /s
Copied!
Unload malicious filter driver
1
fltmc filters
2
fltmc volumes
3
fltmc instances
4
fltmc unload <filtername>
5
fltmc detach <filtername> <volumeName> <instanceName>
Copied!
Note: Common legitimate filter drivers include
WdFilter – Windows Defender Filter
storqosflt - Storage QoS Filter
wcifs - Windows Container Isolation File System Filter
CldFlt - Windows Cloud Files Filter
FileCrypt - Windows Sandboxing and Encryption Filter
luafv – LUA File Virtualization Filter (UAC)
npsvctrig – Named Pipe Service Trigger Provider Filter
Wof – Windows Overlay Filter
FileInfo – FileInfo Filter (SuperFetch)
bindflt - Windows Bind Filter system driver
FsDepends - File System Dependency Minifilter
PROCMON24 - Procmon Process Monitor Driver
T1176 Browser Extensions
Chrome
1
Get-ChildItem -path "C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions" -recurse -erroraction SilentlyContinue
2
Get-ChildItem -path 'C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions' -recurse -erroraction SilentlyContinue -include manifest.json | cat
3
reg query "HKLM\Software\Google\Chrome\Extensions" /s
4
reg query "HKLM\Software\Wow6432Node\Google\Chrome\Extensions" /s
Copied!
Firefox
1
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions" -recurse -erroraction SilentlyContinue
2
Get-ChildItem -path "C:\Program Files\Mozilla Firefox\plugins\" -recurse -erroraction SilentlyContinue
3
Get-ChildItem -path registry::HKLM\SOFTWARE\Mozilla\*\extensions
Copied!
Edge
1
Get-ChildItem -Path C:\Users\*\AppData\Local\Packages\ -recurse -erroraction SilentlyContinue
Copied!
Internet Explorer
1
Get-ChildItem -path "C:\Program Files\Internet Explorer\Plugins\" -recurse -erroraction SilentlyContinue
2
reg query 'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
3
reg query 'HKLM\Software\Microsoft\Internet Explorer\Toolbar'
4
reg query 'HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks'
5
reg query 'HKLM\Software\Microsoft\Internet Explorer\Explorer Bars'
6
reg query 'HKU\{SID}\Software\Microsoft\Internet Explorer\Explorer Bars'
7
reg query 'HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions'
Copied!
T1109 Component Firmware
Note: This is incredibly rare, and doesn’t have an easy detection/remediation mechanism. Using the Windows CheckDisk utility, System File Checker, or Deployment Image Servicing and Management may assist but isn’t guaranteed.
1
chkdsk /F
2
sfc /scannow
3
dism /Online /Cleanup-Image /ScanHealth
4
dism /Online /Cleanup-Image /RestoreHealth
5
dism /Online /Cleanup-Image /StartComponentCleanup /ResetBase
Copied!
T1122 Component Object Model (COM) Hijacking
Note: This involves replacing legitimate components with malicious ones, and as such the legitimate components will likely no longer function. If you have a detection based on DLLHost.exe with /Processid:{xyz}, you can match xyz with the CLSID (COM Class Object) or AppID mentioned below to check for any malicious EXE or DLL.
1
HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{abc} /v AppID /t REG_SZ /d {xyz}
2
HKLM\SOFTWARE\Classes\CLSID\{abc} /v AppID /t REG_SZ /d {xyz}
3
HKLM\SOFTWARE\Classes\AppID\{xyz}
4
HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{xyz}
5
HKLM\SOFTWARE\WOW6432Node\Classes\AppID\{xyz}
Copied!
Example analysis:
1
reg query "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID" /s /f "{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}"
2
reg query "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{178167bc-4ee3-403e-8430-a6434162db17}" /s
3
reg query "HKLM\SOFTWARE\Classes\AppID\{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}"
Copied!
Queries:
1
reg query HKLM\SOFTWARE\Classes\CLSID\ /s /f ".dll"
2
reg query HKLM\SOFTWARE\Classes\CLSID\ /s /f ".exe"
3
reg query HKLM\SOFTWARE\Classes\AppID\ /s /f DllSurrogate
4
gci -path REGISTRY::HKLM\SOFTWARE\Classes\*\shell\open\command 
5
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f ".dll"
6
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f ".exe"
7
gci 'REGISTRY::HKU\*\Software\Classes\CLSID\*\TreatAs'
8
gci 'REGISTRY::HKU\*\Software\Classes\Scripting.Dictionary'
9
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\LocalServer32" -ea 0
10
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\InprocServer32" -ea 0
11
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\InprocHandler*" -ea 0
12
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\*Server32" -ea 0
13
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\ScriptletURL" -ea 0
14
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f "ScriptletURL"
Copied!
Get list of all COM Objects
​Original by Jeff Atwood​
1
gci HKLM:\Software\Classes -ea 0| ? {$_.PSChildName -match '^\w+\.\w+#x27; -and(gp "$($_.PSPath)\CLSID" -ea 0)} | select -ExpandProperty PSChildName
Copied!
T1136 Create Account
1
net user
2
net user /domain
3
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts" /s
Copied!
T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking
1
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
2
gci -path C:\Windows\* -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
3
gci -path C:\Windows\System32\* -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
4
gps | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
5
gps | ? {$_.Modules -like '*{DLLNAME}*'} | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
6
$dll = gps | Where {$_.Modules -like '*{DLLNAME}*' } | Select Modules;$dll.Modules;
7
(gps).Modules.FileName
8
(gps).Modules | FL FileName,FileVersionInfo
9
(gps).Modules.FileName | get-authenticodesignature | ? Status -NE "Valid"
Copied!
Locate Possible DLL Search Order Hijacking​
Note: A legitimate clean executable can be used to run malicious DLLs based on how the software searches for them.
More information on Microsoft Docs​
1
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
2
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode"
Copied!
Search order for desktop applications:
If SafeDllSearchMode is enabled (is by default), the search order is as follows:
The same directory from which the executable is run.
The System Directory (Usually C:\Windows\System32).
The 16-bit System Directory.
The Windows Directory (Usually C:\Windows).
The Current Directory (From the process which executed the executable).
The directories that are listed in the PATH environment variable.
If SafeDllSearchMode is disabled (SafeDllSearchMode has a reg value of 0), the search order is as follows:
The same directory from which the executable is run.
The Current Directory (From the process which executed the executable).
The System Directory (Usually C:\Windows\System32).
The 16-bit System Directory.
The Windows Directory (Usually C:\Windows).
The directories that are listed in the PATH environment variable.
T1133 External Remote Services
1
N/A
Copied!
T1044 File System Permissions Weakness
1
Get-WmiObject win32_service | FL name,PathName
2
get-acl "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" | FL | findstr "FullControl"
Copied!
T1158 Hidden Files and Directories
1
dir /S /A:H
Copied!
T1179 Hooking
Finding EasyHook Injection
1
tasklist /m EasyHook32.dll;tasklist /m EasyHook64.dll;tasklist /m EasyLoad32.dll;tasklist /m EasyLoad64.dll;
Copied!
More Material:
​GetHooks​
T1062 Hypervisor
1
N/A
Copied!
T1183 Image File Execution Options Injection
1
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit" /s /f "MonitorProcess"
2
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /f "Debugger"
Copied!
T1037 Logon Scripts
1
reg query "HKU\{SID}\Environment" /v UserInitMprLogonScript
Copied!
T1177 LSASS Driver
1
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4614';} | FL TimeCreated,Message
2
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='3033';} | FL TimeCreated,Message
3
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='3063';} | FL TimeCreated,Message
Copied!
T1031 Modify Existing Service
1
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
2
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
3
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"
4
Get-ItemProperty REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*\* -ea 0 | where {($_.ServiceDll -ne $null)} | foreach {filehash $_.ServiceDll}
5
Get-ItemProperty REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*\* -ea 0 | where {($_.ServiceDll -ne $null)} | select -uniq ServiceDll -ea 0 | foreach {filehash $_.ServiceDll} | select -uniq -exp hash
Copied!
T1128 Netsh Helper DLL
1
reg query HKLM\SOFTWARE\Microsoft\Netsh
Copied!
T1050 New Service
1
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
2
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
3
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"
4
Get-WmiObject win32_service | FL Name, DisplayName, PathName, State
5
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045';} | FL TimeCreated,Message
Copied!
Note: If not examining the registry directly and looking at services in a ‘live’ capacity you may encounter ‘hidden services’ which aren’t shown due to a SDDL applied to them. You can find solely these services using the following (Special thanks - Josh Wright)
1
Compare-Object -ReferenceObject (Get-Service | Select-Object -ExpandProperty Name | % { $_ -replace "_[0-9a-f]{2,8}quot; } ) -DifferenceObject (gci -path hklm:\system\currentcontrolset\services | % { $_.Name -Replace "HKEY_LOCAL_MACHINE\\","HKLM:\" } | ? { Get-ItemProperty -Path "$_" -name objectname -erroraction 'ignore' } | % { $_.substring(40) }) -PassThru | ?{$_.sideIndicator -eq "=>"}
Copied!
Some common legitimate hidden services are:
1
WUDFRd
2
WUDFWpdFs
3
WUDFWpdMtp
Copied!
T1137 Office Application Startup
1
Get-ChildItem -path C:\Users\*\Microsoft\*\STARTUP\*.dotm -force
2
Get-ChildItem -path C:\Users\*\AppData\Roaming\Microsoft\*\STARTUP\* -force
3
reg query "HKU\{SID}\Software\Microsoft\Office test\Special\Perf" /s
4
reg query "HKLM\Software\Microsoft\Office test\Special\Perf" /s
5
Get-ChildItem -path registry::HKLM\SOFTWARE\Microsoft\Office\*\Addins\*
6
Get-ChildItem -path registry::HKLM\SOFTWARE\Wow6432node\Microsoft\Office\*\Addins\*
7
Get-ChildItem -path registry::HKLM\SOFTWARE\Wow6432node\Microsoft\Office\*\Addins\*
8
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Microsoft\Templates\*" -erroraction SilentlyContinue
9
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Microsoft\Excel\XLSTART\*" -erroraction SilentlyContinue
10
Get-ChildItem -path C:\ -recurse -include Startup -ea 0
11
ls 'C:\Program Files\Microsoft Office\root\*\XLSTART\*'
12
ls 'C:\Program Files\Microsoft Office\root\*\STARTUP\*'
13
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Inbox
14
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\Security
15
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\Today\UserDefinedUrl
16
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Calendar\URL
17
Get-WinEvent -FilterHashtable @{ LogName='Microsoft Office Alerts'; Id='300';} | FL TimeCreated,Message
Copied!
T1034 Path Interception
1
N/A
Copied!
T1013 Port Monitors
1
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" /s /v "Driver"
Copied!
T1504 PowerShell Profile
1
ls C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1
2
ls C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.*Profile.ps1
3
ls C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.*Profile.ps1
4
gci -path "C:\Users\*\Documents\PowerShell\Profile.ps1"
5
gci -path "C:\Users\*\Documents\PowerShell\Microsoft.*Profile.ps1"
Copied!
T1108 Redundant Access
1
N/A
Copied!
T1060 Registry Run Keys / Startup Folder
1
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"
2
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce"
3
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
4
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
5
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
6
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
7
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
8
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
9
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
10
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
11
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
12
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
13
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
14
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServices"
15
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
16
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
17
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
18
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
19
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows"
20
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute
21
gci -path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*" -include *.lnk,*.url
22
gci -path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -include *.lnk,*.url
23
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Shell-Core/Operational'; Id='9707'} | FL TimeCreated,Message
24
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Shell-Core/Operational'; Id='9708'} | FL TimeCreated,Message
Copied!
T1053 Scheduled Task
1
gci -path C:\windows\system32\tasks | Select-String Command | FT Line, Filename
2
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | Select-String Command | FL Filename,Line
3
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | where {$_.CreationTime.hour -ge (get-date).hour-2}| Select-String Command | FL Line,Filename
4
gci -path 'registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\'
5
gci -path 'registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
6
ls 'C:\Windows\System32\WptsExtensions.dll'
Copied!
Note: thanks to Markus Piéton for the WptsExtensions.dll one.
T1180 Screensaver
1
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "ScreenSaveActive"
2
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "SCRNSAVE.exe"
3
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "ScreenSaverIsSecure"
Copied!
T1101 Security Support Provider
1
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig" /v "Security Packages"
2
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages"
Copied!
T1505 Server Software Component
1
N/A
Copied!
T1058 Service Registry Permissions Weakness
1
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
2
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\servicename |FL
Copied!
T1023 Shortcut Modification
1
Select-String -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk" -Pattern "exe"
2
Select-String -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk" -Pattern "dll"
3
Select-String -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -Pattern "dll"
4
Select-String -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -Pattern "exe"
5
gci -path "C:\Users\" -recurse -include *.lnk -ea SilentlyContinue | Select-String -Pattern "exe" | FL
6
gci -path "C:\Users\" -recurse -include *.lnk -ea SilentlyContinue | Select-String -Pattern "dll" | FL
Copied!
T1198 SIP and Trust Provider Hijacking
1
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg" /s /v "Dll"
2
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData" /s /v "Dll"
3
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy" /s /v "`$DLL"
4
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg" /s /v "Dll"
5
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData" /s /v "Dll"
6
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy" /s /v "`$DLL"
Copied!
T1019 System Firmware
1
reg query HKLM\HARDWARE\DESCRIPTION\System\BIOS
2
Confirm-SecureBootUEFI
3
Get-WmiObject win32_bios
Copied!
T1209 Time Providers
1
reg query "HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders" /s /f "Dll"
Copied!
T1078 Valid Accounts
1
net users
2
net group /domain "Domain Admins"
3
net users /domain <name>
Copied!
T1100 Web Shell
Note: The presence of files with these values isn’t necessarily indicative of a webshell, review output.
1
gci -path "C:\inetpub\wwwroot" -recurse -File -ea SilentlyContinue | Select-String -Pattern "runat" | FL
2
gci -path "C:\inetpub\wwwroot" -recurse -File -ea SilentlyContinue | Select-String -Pattern "eval" | FL
Copied!
​ProxyShell - May reveal evidence of mailbox exfil or Web Shell being dropped:
1
Get-WinEvent -FilterHashtable @{LogName='MSExchange Management';} | ? {$_.Message -match 'MailboxExportRequest'} | FL TimeCreated, Message
2
Get-WinEvent -FilterHashtable @{LogName='MSExchange Management';} | ? {$_.Message -match 'aspx'} | FL TimeCreated, Message
Copied!
T1084 Windows Management Instrumentation Event Subscription
Get WMI Namespaces
1
Function Get-WmiNamespace ($Path = 'root')
2
{
3
	foreach ($Namespace in (Get-WmiObject -Namespace $Path -Class __Namespace))
4
	{
5
		$FullPath = $Path + "/" + $Namespace.Name
6
		Write-Output $FullPath
7
		Get-WmiNamespace -Path $FullPath
8
	}
9
}
10
Get-WMINamespace -Recurse
Copied!
Query WMI Persistence
1
Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription
2
Get-WmiObject -Class __EventFilter -Namespace root\subscription
3
Get-WmiObject -Class __EventConsumer -Namespace root\subscription
Copied!
T1004 Winlogon Helper DLL
1
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s
2
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s
3
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
4
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
5
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
6
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
7
reg query "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /s
Copied!
T1574.002 Hijack Execution Flow: DLL Side-Loading
Locate Possible Dll Side Loading​
Note: A legitimate clean executable can be used to run malicious DLLs based on issues with a manifest file used by the application to load DLLs.
1
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners"
Copied!
By placing a malicious DLL in the below locations legitimate binaries may have been used to sideload these malicious DLLs.
C:\Windows\WinSxS
C:\Windows\SXS
Unique Sideload DLL hashes (may take some time)
1
(gci -path C:\Windows\WinSxS -recurse -include *.dll|gi -ea SilentlyContinue|filehash).hash|sort -u
Copied!
Unsigned or Invalid Sideload DLLs (there will be a lot)
1
gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
Copied!
Unsigned Sideload DLLs (Less noise)
1
gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -E "NotSigned"
2
gci -path C:\Windows\WinSxS -recurse -include *.ocx | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
Copied!
Hash of Unsigned Sideload DLLs
1
gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -E "NotSigned" | Select Path | gi -ea SilentlyContinue | filehash | sort -u
2
gci -path C:\Windows\WinSxS -recurse -include *.ocx | Get-AuthenticodeSignature | Where-Object Status -NE "Valid" | Select Path | gi -ea SilentlyContinue | filehash | sort -u
Copied!
​