Windows DFIR Check by MITRE Tactic

T1015 Accessibility Features

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AtBroker.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger"
sfc /VERIFYFILE=C:\Windows\System32\sethc.exe
sfc /VERIFYFILE=C:\Windows\System32\utilman.exe
sfc /VERIFYFILE=C:\Windows\System32\AtBroker.exe
sfc /VERIFYFILE=C:\Windows\System32\Narrator.exe
sfc /VERIFYFILE=C:\Windows\System32\Magnify.exe
sfc /VERIFYFILE=C:\Windows\System32\DisplaySwitch.exe
sfc /VERIFYFILE=C:\Windows\System32\osk.exe

T1098 Account Manipulation

N/A

T1182 AppCert DLLs

reg query "HKLM\System\CurrentControlSet\Control\Session Manager" /v AppCertDlls

T1103 AppInit DLLs

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
reg query "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
reg query "HKU\{SID}\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='11'} | FL TimeCreated,Message

T1138 Application Shimming

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB"
dir %WINDIR%\AppPatch\custom
dir %WINDIR%\AppPatch\AppPatch64\Custom
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Kernel-ShimEngine/Operational';}|FL
Note: Some other similar methods exist, such as abusing the 'Command' value of the Windows Telemetry Controller (special thanks to TrustedSec).
Hint: Look for a Command value that does not point to "CompatTelRunner.exe", or one that has '-cv', '-oobe', or '-fullsync' in the command line.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController" /s

T1197 BITS Jobs

bitsadmin /list /allusers /verbose
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Bits-Client/Operational'; Id='59'} | FL TimeCreated,Message
ls 'C:\ProgramData\Microsoft\Network\Downloader\qmgr.db'

T1067 Bootkit

Note: This exists below the OS, in the Master Boot Record or Volume Boot Record. The system must be booted through Advanced Startup Options with a Command Prompt, or from a recovery CD.
bootrec /FIXMBR
bootrec /FIXBOOT
Extra: If your boot configuration data is missing or contains errors, the command below can rebuild it.
bootrec /REBUILDBCD
If you're thinking of a bootkit more as a rootkit (malicious system drivers), use the checks below.

General Driver Enumeration

gci C:\Windows\*\DriverStore\FileRepository\ -recurse -include *.inf | FL FullName,LastWriteTime,LastWriteTimeUtc
gci -path C:\Windows\System32\drivers -include *.sys -recurse -ea SilentlyContinue
sc.exe query type=driver state=all

Unsigned Drivers

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-CodeIntegrity/Operational'; Id='3001'} | FL TimeCreated,Message
gci -path C:\Windows\System32\drivers -include *.sys -recurse -ea SilentlyContinue | Get-AuthenticodeSignature | where {$_.status -ne 'Valid'}

Previous Unusual Loaded Filter Drivers (Often used by rootkits)

Note: This will likely have false positives, particularly for filter drivers used by AV products, EDR solutions, and similar software.
# Filter drivers that are expected on a typical host (see the list under "Unload malicious filter driver")
$KnownFilters = @('FileInfo','WdFilter','storqosflt','wcifs','CldFlt','FileCrypt','luafv','npsvctrig','Wof','bindflt','PROCMON24','FsDepends')
$FilterEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName="Microsoft-Windows-FilterManager"} | ForEach-Object {
    [PSCustomObject] @{
        TimeCreated  = $_.TimeCreated
        MachineName  = $_.MachineName
        UserId       = $_.UserId
        FilterDriver = $_.Properties[4].Value
        Message      = $_.Message
    }
}
echo "Scanning for suspicious filter drivers. Any found will be displayed below:"
$FilterEvents | Where-Object { $_.FilterDriver -notin $KnownFilters }

Unusual Loaded Filter Drivers (No longer present or filtering registry keys)

# Filter drivers that are expected on a typical host (see the list under "Unload malicious filter driver")
$KnownFilters = @('FileInfo','WdFilter','storqosflt','wcifs','CldFlt','FileCrypt','luafv','npsvctrig','Wof','bindflt','PROCMON24','FsDepends')
$FilterEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName="Microsoft-Windows-FilterManager"} | ForEach-Object {
    [PSCustomObject] @{
        TimeCreated  = $_.TimeCreated
        MachineName  = $_.MachineName
        UserId       = $_.UserId
        FilterDriver = $_.Properties[4].Value
        Message      = $_.Message
    }
}
echo "Scanning for suspicious filter drivers. Any found will be compared against existing services:"
$SuspectDrivers = $FilterEvents | Where-Object { $_.FilterDriver -notin $KnownFilters } | select -exp FilterDriver -Unique
$SuspectDrivers
echo "Checking services for relevant drivers. Any which aren't present may indicate a filter driver which has since been removed, or an active rootkit filtering service registry keys."
foreach ($driver in $SuspectDrivers) {
    # A missing service key is the signal here, so test for it explicitly rather than relying on an error
    $key = "REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\$driver"
    if (Test-Path -Path $key) { Get-Item -Path $key } else { Write-Warning "No service key found for filter driver '$driver'" }
}

Safe Boot registry keys

Special Thanks - Didier Stevens, multiple times
Note: These keys specify which services run in Safe Mode. They are sometimes modified by malware so that rootkits can still function in Safe Mode.
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal /s
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network /s

Unload malicious filter driver

fltmc filters
fltmc volumes
fltmc instances
fltmc unload <filtername>
fltmc detach <filtername> <volumeName> <instanceName>
Note: Common legitimate filter drivers include
  • WdFilter - Windows Defender Filter
  • storqosflt - Storage QoS Filter
  • wcifs - Windows Container Isolation File System Filter
  • CldFlt - Windows Cloud Files Filter
  • FileCrypt - Windows Sandboxing and Encryption Filter
  • luafv - LUA File Virtualization Filter (UAC)
  • npsvctrig - Named Pipe Service Trigger Provider Filter
  • Wof - Windows Overlay Filter
  • FileInfo - FileInfo Filter (SuperFetch)
  • bindflt - Windows Bind Filter system driver
  • FsDepends - File System Dependency Minifilter
  • PROCMON24 - Procmon Process Monitor Driver

T1176 Browser Extensions

Chrome

Get-ChildItem -path "C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions" -recurse -erroraction SilentlyContinue
Get-ChildItem -path 'C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions' -recurse -erroraction SilentlyContinue -include manifest.json | cat
reg query "HKLM\Software\Google\Chrome\Extensions" /s
reg query "HKLM\Software\Wow6432Node\Google\Chrome\Extensions" /s

Firefox

Get-ChildItem -path "C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions" -recurse -erroraction SilentlyContinue
Get-ChildItem -path "C:\Program Files\Mozilla Firefox\plugins\" -recurse -erroraction SilentlyContinue
Get-ChildItem -path registry::HKLM\SOFTWARE\Mozilla\*\extensions

Edge

Get-ChildItem -Path C:\Users\*\AppData\Local\Packages\ -recurse -erroraction SilentlyContinue

Internet Explorer

Get-ChildItem -path "C:\Program Files\Internet Explorer\Plugins\" -recurse -erroraction SilentlyContinue
reg query 'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
reg query 'HKLM\Software\Microsoft\Internet Explorer\Toolbar'
reg query 'HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks'
reg query 'HKLM\Software\Microsoft\Internet Explorer\Explorer Bars'
reg query 'HKU\{SID}\Software\Microsoft\Internet Explorer\Explorer Bars'
reg query 'HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions'

T1109 Component Firmware

Note: This is incredibly rare and has no easy detection or remediation mechanism. The Windows CheckDisk utility, System File Checker, or Deployment Image Servicing and Management may assist, but none is guaranteed to.
chkdsk /F
sfc /scannow
dism /Online /Cleanup-Image /ScanHealth
dism /Online /Cleanup-Image /RestoreHealth
dism /Online /Cleanup-Image /StartComponentCleanup /ResetBase

T1122 Component Object Model (COM) Hijacking

Note: This involves replacing legitimate components with malicious ones, and as such the legitimate components will likely no longer function. If you have a detection based on DLLHost.exe with /Processid:{xyz}, you can match xyz with the CLSID (COM Class Object) or AppID mentioned below to check for any malicious EXE or DLL.
HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{abc} /v AppID /t REG_SZ /d {xyz}
HKLM\SOFTWARE\Classes\CLSID\{abc} /v AppID /t REG_SZ /d {xyz}
HKLM\SOFTWARE\Classes\AppID\{xyz}
HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{xyz}
HKLM\SOFTWARE\WOW6432Node\Classes\AppID\{xyz}
Example analysis:
reg query "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID" /s /f "{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}"
reg query "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{178167bc-4ee3-403e-8430-a6434162db17}" /s
reg query "HKLM\SOFTWARE\Classes\AppID\{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}"
Queries:
reg query HKLM\SOFTWARE\Classes\CLSID\ /s /f ".dll"
reg query HKLM\SOFTWARE\Classes\CLSID\ /s /f ".exe"
reg query HKLM\SOFTWARE\Classes\AppID\ /s /f DllSurrogate
gci -path REGISTRY::HKLM\SOFTWARE\Classes\*\shell\open\command
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f ".dll"
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f ".exe"
gci 'REGISTRY::HKU\*\Software\Classes\CLSID\*\TreatAs'
gci 'REGISTRY::HKU\*\Software\Classes\Scripting.Dictionary'
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\LocalServer32" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\InprocServer32" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\InprocHandler*" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\*Server32" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\ScriptletURL" -ea 0
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f "ScriptletURL"
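Taking the DLLHost /Processid match described in the note above one step further, as an added example that is not part of the original page: given an AppID, it finds every CLSID (machine-wide and per-user) that points at it and the binary behind each server subkey, with its Authenticode status. The GUID in the trailing usage comment is the one from the example analysis above; the function names are my own.

```powershell
# Added example, not from the original page. Per-user (HKU) CLSID keys are included
# because a per-user entry is consulted before the machine-wide one, which is where
# a COM hijack is usually planted.

function Get-ComServerBinary {
    # Reduce a server value ('"C:\x\y.exe" /arg', '%SystemRoot%\y.dll') to the binary path.
    param([string]$Command)
    $Command = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($Command.StartsWith('"')) { return $Command.Substring(1).Split('"')[0] }
    if ($Command -match '^(.+?\.(exe|dll|ocx))(\s|$)') { return $Matches[1] }
    return $Command
}

function Resolve-ComAppId {
    param([Parameter(Mandatory)][string]$AppId)   # e.g. '{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}'
    $clsidRoots = @(
        'REGISTRY::HKLM\SOFTWARE\Classes\CLSID',
        'REGISTRY::HKLM\SOFTWARE\Classes\WOW6432Node\CLSID',
        'REGISTRY::HKU\*\Software\Classes\CLSID'
    )
    foreach ($root in $clsidRoots) {
        foreach ($key in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($props.AppID -ne $AppId) { continue }
            # The server location is the default value of one of these subkeys.
            foreach ($server in 'InprocServer32', 'LocalServer32', 'InprocHandler32') {
                $sub = Join-Path $key.PSPath $server
                if (-not (Test-Path -Path $sub)) { continue }
                $raw = (Get-ItemProperty -Path $sub -ErrorAction SilentlyContinue).'(default)'
                if (-not $raw) { continue }
                $bin = Get-ComServerBinary -Command $raw
                $sig = if (Test-Path -LiteralPath $bin) { (Get-AuthenticodeSignature -FilePath $bin).Status } else { 'FileMissing' }
                [PSCustomObject]@{
                    Hive       = if ($key.PSPath -match 'HKEY_USERS') { 'PerUser' } else { 'Machine' }
                    CLSID      = $key.PSChildName
                    ServerType = $server
                    Server     = $raw
                    Binary     = $bin
                    Signature  = $sig
                }
            }
        }
    }
}

function Get-ComAppIdKey {
    # The AppID key itself: DllSurrogate, LocalService or RunAs decide how the server is hosted.
    param([Parameter(Mandatory)][string]$AppId)
    foreach ($root in 'REGISTRY::HKLM\SOFTWARE\Classes\AppID',
                      'REGISTRY::HKLM\SOFTWARE\Classes\WOW6432Node\AppID',
                      'REGISTRY::HKU\*\Software\Classes\AppID') {
        Get-ItemProperty -Path (Join-Path $root $AppId) -ErrorAction SilentlyContinue |
            Select-Object PSPath, DllSurrogate, LocalService, RunAs
    }
}

# Resolve-ComAppId -AppId '{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}' | Format-Table -AutoSize
# Get-ComAppIdKey  -AppId '{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}' | Format-List
```

A PerUser row whose Binary is unsigned or missing, sitting next to a Machine row for the same CLSID, is the pattern worth reviewing first.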

Get list of all COM Objects

gci HKLM:\Software\Classes -ea 0 | ? {$_.PSChildName -match '^\w+\.\w+$' -and (gp "$($_.PSPath)\CLSID" -ea 0)} | select -ExpandProperty PSChildName

T1136 Create Account

net user
net user /domain
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts" /s

T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
gci -path C:\Windows\* -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
gci -path C:\Windows\System32\* -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
gps | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
gps | ? {$_.Modules -like '*{DLLNAME}*'} | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
$dll = gps | Where {$_.Modules -like '*{DLLNAME}*' } | Select Modules;$dll.Modules;
(gps).Modules.FileName
(gps).Modules | FL FileName,FileVersionInfo
(gps).Modules.FileName | get-authenticodesignature | ? Status -NE "Valid"

Locate Possible DLL Search Order Hijacking

Note: A legitimate clean executable can be used to run malicious DLLs based on how the software searches for them.
More information on Microsoft Docs
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode"

Search order for desktop applications:

If SafeDllSearchMode is enabled (it is by default), the search order is as follows:
  • The same directory from which the executable is run.
  • The System Directory (usually C:\Windows\System32).
  • The 16-bit System Directory.
  • The Windows Directory (usually C:\Windows).
  • The Current Directory (of the process which executed the executable).
  • The directories that are listed in the PATH environment variable.
If SafeDllSearchMode is disabled (the SafeDllSearchMode registry value is 0), the search order is as follows:
  • The same directory from which the executable is run.
  • The Current Directory (of the process which executed the executable).
  • The System Directory (usually C:\Windows\System32).
  • The 16-bit System Directory.
  • The Windows Directory (usually C:\Windows).
  • The directories that are listed in the PATH environment variable.
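The search order above, as an added PowerShell example that is not part of the original page: it reads SafeDllSearchMode and KnownDLLs from the registry, builds the ordered directory list for a given executable, and reports which copy of a named DLL would win and whether it shadows the System32 copy or is not validly signed. It assumes a plain load by name (no application manifest, no SetDllDirectory or LoadLibraryEx flags, DLL not already loaded); function names are my own.

```powershell
function Get-DllSearchOrder {
    # Ordered directories for a load-by-name from $ExePath, following the two lists above.
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [string]$CurrentDirectory = (Get-Location).Path
    )
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    # A missing value means safe search is on (the default); an explicit 0 turns it off.
    $safe  = ($null -eq $sm.SafeDllSearchMode) -or ($sm.SafeDllSearchMode -ne 0)
    $win   = [Environment]::GetFolderPath('Windows')   # C:\Windows
    $sys   = [Environment]::GetFolderPath('System')    # C:\Windows\System32 (SysWOW64 in a 32-bit shell)
    $sys16 = Join-Path $win 'System'                   # 16-bit system directory
    $app   = Split-Path -Parent (Resolve-Path -Path $ExePath).Path
    $path  = $env:PATH -split ';' | Where-Object { $_ }
    $order = if ($safe) { @($app, $sys, $sys16, $win, $CurrentDirectory) + $path }
             else       { @($app, $CurrentDirectory, $sys, $sys16, $win) + $path }
    [PSCustomObject]@{ SafeDllSearchMode = $safe; Order = $order }
}

function Find-DllHijackCandidate {
    # Walk the order and report every copy of $DllName; the first hit is the one that loads.
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string]$DllName,
        [string]$CurrentDirectory = (Get-Location).Path
    )
    $sys = [Environment]::GetFolderPath('System')
    # KnownDLLs never go through the search: they are mapped straight from System32.
    $known = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $knownNames = $known.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' } |
        ForEach-Object { $_.Value }
    if ($knownNames -contains $DllName) {
        return [PSCustomObject]@{ Dll = $DllName; ResolvedFrom = (Join-Path $sys $DllName); KnownDll = $true; Suspicious = $false; Hits = @() }
    }
    $search = Get-DllSearchOrder -ExePath $ExePath -CurrentDirectory $CurrentDirectory
    $hits = @(foreach ($dir in $search.Order) {
        $candidate = Join-Path $dir $DllName
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -FilePath $candidate
            [PSCustomObject]@{ Path = $candidate; Signature = $sig.Status; Signer = $sig.SignerCertificate.Subject }
        }
    })
    $first = if ($hits.Count -gt 0) { $hits[0] } else { $null }
    # Suspicious when a copy earlier in the order shadows one in System32, or when the
    # winning copy is not validly signed.
    $sysCopy  = [bool]($hits | Where-Object { $_.Path -like "$sys\*" })
    $shadowed = $first -and ($first.Path -notlike "$sys\*") -and $sysCopy
    [PSCustomObject]@{
        Dll          = $DllName
        ResolvedFrom = $first.Path
        KnownDll     = $false
        Suspicious   = [bool]($shadowed -or ($first -and $first.Signature -ne 'Valid'))
        Hits         = $hits
    }
}

# Find-DllHijackCandidate -ExePath 'C:\Windows\System32\notepad.exe' -DllName 'version.dll' | Format-List
```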

T1133 External Remote Services

N/A

T1044 File System Permissions Weakness

Get-WmiObject win32_service | FL name,PathName
get-acl "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" | FL | findstr "FullControl"

T1158 Hidden Files and Directories

dir /S /A:H

T1179 Hooking

Finding EasyHook Injection

tasklist /m EasyHook32.dll;tasklist /m EasyHook64.dll;tasklist /m EasyLoad32.dll;tasklist /m EasyLoad64.dll;

T1062 Hypervisor

N/A

T1183 Image File Execution Options Injection

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit" /s /f "MonitorProcess"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /f "Debugger"

T1037 Logon Scripts

reg query "HKU\{SID}\Environment" /v UserInitMprLogonScript

T1177 LSASS Driver

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4614';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='3033';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='3063';} | FL TimeCreated,Message

T1031 Modify Existing Service

reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"
Get-ItemProperty REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*\* -ea 0 | where {($_.ServiceDll -ne $null)} | foreach {filehash $_.ServiceDll}
Get-ItemProperty REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*\* -ea 0 | where {($_.ServiceDll -ne $null)} | select -uniq ServiceDll -ea 0 | foreach {filehash $_.ServiceDll} | select -uniq -exp hash

T1128 Netsh Helper DLL

reg query HKLM\SOFTWARE\Microsoft\Netsh

T1050 New Service

reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"
Get-WmiObject win32_service | FL Name, DisplayName, PathName, State
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045';} | FL TimeCreated,Message
Note: If you are not examining the registry directly but are looking at services in a 'live' capacity, you may encounter 'hidden services' which aren't shown due to an SDDL applied to them. You can find solely these services using the following (special thanks - Josh Wright):
Compare-Object -ReferenceObject (Get-Service | Select-Object -ExpandProperty Name | % { $_ -replace "_[0-9a-f]{2,8}$" } ) -DifferenceObject (gci -path hklm:\system\currentcontrolset\services | % { $_.Name -Replace "HKEY_LOCAL_MACHINE\\","HKLM:\" } | ? { Get-ItemProperty -Path "$_" -name objectname -erroraction 'ignore' } | % { $_.substring(40) }) -PassThru | ?{$_.sideIndicator -eq "=>"}
Some common legitimate hidden services are:
WUDFRd
WUDFWpdFs
WUDFWpdMtp

T1137 Office Application Startup

Get-ChildItem -path C:\Users\*\Microsoft\*\STARTUP\*.dotm -force
Get-ChildItem -path C:\Users\*\AppData\Roaming\Microsoft\*\STARTUP\* -force
reg query "HKU\{SID}\Software\Microsoft\Office test\Special\Perf" /s
reg query "HKLM\Software\Microsoft\Office test\Special\Perf" /s
Get-ChildItem -path registry::HKLM\SOFTWARE\Microsoft\Office\*\Addins\*
Get-ChildItem -path registry::HKLM\SOFTWARE\Wow6432node\Microsoft\Office\*\Addins\*
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Microsoft\Templates\*" -erroraction SilentlyContinue
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Microsoft\Excel\XLSTART\*" -erroraction SilentlyContinue
Get-ChildItem -path C:\ -recurse -include Startup -ea 0
ls 'C:\Program Files\Microsoft Office\root\*\XLSTART\*'
ls 'C:\Program Files\Microsoft Office\root\*\STARTUP\*'
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Inbox
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\Security
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\Today\UserDefinedUrl
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Calendar\URL
Get-WinEvent -FilterHashtable @{ LogName='Microsoft Office Alerts'; Id='300';} | FL TimeCreated,Message

T1034 Path Interception

N/A

T1013 Port Monitors

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" /s /v "Driver"

T1504 PowerShell Profile

ls C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1
ls C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.*Profile.ps1
gci -path "C:\Users\*\Documents\PowerShell\Profile.ps1"
gci -path "C:\Users\*\Documents\PowerShell\Microsoft.*Profile.ps1"

T1108 Redundant Access

N/A

T1060 Registry Run Keys / Startup Folder

reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute
gci -path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*" -include *.lnk,*.url
gci -path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -include *.lnk,*.url
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Shell-Core/Operational'; Id='9707'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Shell-Core/Operational'; Id='9708'} | FL TimeCreated,Message

T1053 Scheduled Task

gci -path C:\windows\system32\tasks | Select-String Command | FT Line, Filename
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | Select-String Command | FL Filename,Line
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | where {$_.CreationTime.hour -ge (get-date).hour-2}| Select-String Command | FL Line,Filename
gci -path 'registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\'
gci -path 'registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
ls 'C:\Windows\System32\WptsExtensions.dll'
Note: thanks to Markus Piéton for the WptsExtensions.dll one.
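Added example, not from the original page: rather than matching the word Command in the task files, this parses each task XML and returns the action, arguments, run-as principal and file creation time, flagging tasks created in the last day or whose binary sits outside the Windows and Program Files trees. The one-day window and the choice of trusted directories are assumptions made for triage; the function name is my own.

```powershell
function Get-TaskActions {
    param(
        [string]$TaskRoot = "$env:SystemRoot\System32\Tasks",
        [int]$NewerThanDays = 1
    )
    $cutoff  = (Get-Date).AddDays(-$NewerThanDays)
    # Assumed "trusted" trees; a task command outside them is flagged for review, not condemned.
    $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")
    $taskNs  = 'http://schemas.microsoft.com/windows/2004/02/mit/task'

    Get-ChildItem -Path $TaskRoot -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Task files are UTF-16 XML; XmlDocument.Load honours the BOM and declaration.
        $xml = New-Object System.Xml.XmlDocument
        try { $xml.Load($file.FullName) } catch { return }
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('t', $taskNs)
        $principal = $xml.SelectSingleNode('//t:Principals/t:Principal', $ns)
        $runAs = if ($principal) { if ($principal.UserId) { $principal.UserId } else { $principal.GroupId } }

        foreach ($exec in $xml.SelectNodes('//t:Actions/t:Exec', $ns)) {
            $cmdNode = $exec.SelectSingleNode('t:Command', $ns)
            if (-not $cmdNode) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables($cmdNode.InnerText).Trim().Trim('"')
            $argNode = $exec.SelectSingleNode('t:Arguments', $ns)
            $inTrusted = $false
            foreach ($t in $trusted) { if ($cmd -like $t) { $inTrusted = $true } }
            [PSCustomObject]@{
                Task         = $file.FullName.Substring($TaskRoot.Length)
                Created      = $file.CreationTime
                RunAs        = $runAs
                Command      = $cmd
                Arguments    = if ($argNode) { $argNode.InnerText } else { '' }
                Recent       = $file.CreationTime -ge $cutoff
                OutsideTrust = -not $inTrusted
            }
        }
    }
}

# Get-TaskActions | Where-Object { $_.Recent -or $_.OutsideTrust } | Format-Table -AutoSize
```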

T1180 Screensaver

reg query "HKU\{SID}\Control Panel\Desktop" /s /v "ScreenSaveActive"
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "SCRNSAVE.exe"
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "ScreenSaverIsSecure"

T1101 Security Support Provider

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig" /v "Security Packages"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages"

T1505 Server Software Component

N/A

T1058 Service Registry Permissions Weakness

get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\servicename |FL

T1023 Shortcut Modification

Select-String -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk" -Pattern "exe"
Select-String -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk" -Pattern "dll"
Select-String -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -Pattern "dll"
Select-String -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -Pattern "exe"
gci -path "C:\Users\" -recurse -include *.lnk -ea SilentlyContinue | Select-String -Pattern "exe" | FL
gci -path "C:\Users\" -recurse -include *.lnk -ea SilentlyContinue | Select-String -Pattern "dll" | FL

T1198 SIP and Trust Provider Hijacking

reg query "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg" /s /v "Dll"
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData" /s /v "Dll"
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy" /s /v "`$DLL"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg" /s /v "Dll"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData" /s /v "Dll"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy" /s /v "`$DLL"

T1019 System Firmware

reg query HKLM\HARDWARE\DESCRIPTION\System\BIOS
Confirm-SecureBootUEFI
Get-WmiObject win32_bios

T1209 Time Providers

reg query "HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders" /s /f "Dll"

T1078 Valid Accounts

net users
net group /domain "Domain Admins"
net users /domain <name>

T1100 Web Shell

Note: The presence of files containing these strings isn't necessarily indicative of a webshell; review the output.
gci -path "C:\inetpub\wwwroot" -recurse -File -ea SilentlyContinue | Select-String -Pattern "runat" | FL
gci -path "C:\inetpub\wwwroot" -recurse -File -ea SilentlyContinue | Select-String -Pattern "eval" | FL
ProxyShell - may reveal evidence of mailbox exfiltration or a web shell being dropped:
Get-WinEvent -FilterHashtable @{LogName='MSExchange Management';} | ? {$_.Message -match 'MailboxExportRequest'} | FL TimeCreated, Message
Get-WinEvent -FilterHashtable @{LogName='MSExchange Management';} | ? {$_.Message -match 'aspx'} | FL TimeCreated, Message

T1084 Windows Management Instrumentation Event Subscription

Get WMI Namespaces

Function Get-WmiNamespace ($Path = 'root')
{
    foreach ($Namespace in (Get-WmiObject -Namespace $Path -Class __Namespace))
    {
        $FullPath = $Path + "/" + $Namespace.Name
        Write-Output $FullPath
        Get-WmiNamespace -Path $FullPath
    }
}
# The function walks the namespace tree itself; it has no -Recurse parameter.
Get-WmiNamespace

Query WMI Persistence

Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription
Get-WmiObject -Class __EventFilter -Namespace root\subscription
Get-WmiObject -Class __EventConsumer -Namespace root\subscription
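The three queries above joined into one view, as an added example that is not part of the original page: each __FilterToConsumerBinding is matched to its __EventFilter and __EventConsumer by reference path, so the WQL trigger and the payload (command line, script, or log destination) appear together, and bindings whose filter or consumer no longer exists are marked orphaned. The function name is my own.

```powershell
function Get-WmiPersistence {
    param([string]$Namespace = 'root\subscription')
    $filters   = @{}
    $consumers = @{}
    # __RELPATH of an instance (e.g. __EventFilter.Name="x") is exactly the string a
    # binding stores in its Filter / Consumer reference, so it works as the join key.
    Get-WmiObject -Namespace $Namespace -Class __EventFilter -ErrorAction SilentlyContinue |
        ForEach-Object { $filters[$_.__RELPATH] = $_ }
    Get-WmiObject -Namespace $Namespace -Class __EventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { $consumers[$_.__RELPATH] = $_ }

    Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $filters[$_.Filter]
            $c = $consumers[$_.Consumer]
            # The property that carries the consumer's payload depends on its class.
            $payload = switch ($c.__CLASS) {
                'CommandLineEventConsumer'  { $c.CommandLineTemplate }
                'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFilename } }
                'LogFileEventConsumer'      { $c.Filename }
                'NTEventLogEventConsumer'   { $c.SourceName }
                'SMTPEventConsumer'         { $c.ToLine }
                default                     { $null }
            }
            [PSCustomObject]@{
                BindingPath   = $_.__PATH
                FilterName    = $f.Name
                Query         = $f.Query
                ConsumerClass = $c.__CLASS
                ConsumerName  = $c.Name
                Payload       = $payload
                Orphaned      = ($null -eq $f) -or ($null -eq $c)
            }
        }
}

# Get-WmiPersistence | Format-List
```

A CommandLineEventConsumer or ActiveScriptEventConsumer bound to a filter that fires on a timer or on process start is the classic persistence shape to look at first.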

T1004 Winlogon Helper DLL

reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
reg query "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /s

T1574.002 Hijack Execution Flow: DLL Side-Loading

Locate Possible Dll Side Loading

Note: A legitimate clean executable can be used to run malicious DLLs based on issues with the manifest file the application uses to load DLLs.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners"
If a malicious DLL has been placed in the locations below, legitimate binaries may have been used to sideload it.
  • C:\Windows\WinSxS
  • C:\Windows\SXS

Unique Sideload DLL hashes (may take some time)

(gci -path C:\Windows\WinSxS -recurse -include *.dll|gi -ea SilentlyContinue|filehash).hash|sort -u

Unsigned or Invalid Sideload DLLs (there will be a lot)

gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"

Unsigned Sideload DLLs (Less noise)

gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -EQ "NotSigned"
gci -path C:\Windows\WinSxS -recurse -include *.ocx | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"

Hash of Unsigned Sideload DLLs

gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -EQ "NotSigned" | Select Path | gi -ea SilentlyContinue | filehash | sort -u
gci -path C:\Windows\WinSxS -recurse -include *.ocx | Get-AuthenticodeSignature | Where-Object Status -NE "Valid" | Select Path | gi -ea SilentlyContinue | filehash | sort -u